summaryrefslogtreecommitdiffstats
path: root/HISTORY
diff options
context:
space:
mode:
Diffstat (limited to 'HISTORY')
-rw-r--r--HISTORY27248
1 files changed, 27248 insertions, 0 deletions
diff --git a/HISTORY b/HISTORY
new file mode 100644
index 0000000..4041f3d
--- /dev/null
+++ b/HISTORY
@@ -0,0 +1,27248 @@
+In addition to the names listed below, the following people provided
+useful inputs on many occasions: Paul D. Robertson, Simon J. Mudd.
+Apologies for any names omitted.
+
+19980105
+
+ The compiled-in default value for resolve_smtp_sender was
+ wrong (from the days that it was a boolean), causing smtpd
+ to dump core when the variable was not set in main.cf.
+
+ The INSTALL instructions now have separate sections for
+ the three basic ways of running vmailer.
+
+ The INSTALL instructions now have discusses how to deal
+ with chrooted processes.
+
+ Ported to RedHat 5.0. My, these people have re-organized
+ their include files quite a bit, haven't they.
+
+19980106
+
+ On RedHat Linux 4.2/5.0, when a FIFO listener opens the
+ FIFO with mode O_RDONLY, the FIFO remains forever readable
+ after the writer has closed it. Workaround: open the FIFO
+ mode O_RDWR.
+
+ Test program: util/fifo_rdonly_bug.c
+
+ Unfortunately, the above fix triggers a bug on BSD/OS 3.1
+ where opening the FIFO mode O_RDWR causes select() to claim
+ that the FIFO is readable even before any data is written
+ to it, causing read() to block or to fail.
+
+ Test program: util/fifo_rdwr_bug.c
+
+ printfck (check arguments of printf-like function calls)
+ found a missing argument in local/command.c
+
+ Miscellaneous Makefile cleanups that I didn't finish before
+ the first alpha release.
+
+19980107
+
+ Sometimes the DNS will claim that a domain does not exist,
+ when in fact it does. Thus, it is a bad idea to reject mail
+ from apparently non-existent domains. I have changed the
+ smtpd so that it produces a soft error responses when a
+ resolve_smtp_sender test fails with HOST_NOT_FOUND. Note:
+ by default, this test is still disabled.
+
+ The DB and DBM read routines will now automagically figure
+ out if (key, value) pairs were written including a terminating
+ null byte or not. The DB and DBM write routines will use
+ this result to determine how to write, and will fall back
+ to per-system defaults otherwise.
+
+ Renamed the README to MUSINGS, and wrote up a README that
+ reflects the current status of the software.
+
+ Added -d (don't disconnect) and -c (show running counter)
+ option to te smtp-source test program. These tools are
+ great torture tests for the mail software, and for the
+ system that it runs on.
+
+ Turned down the process_limit parameter (# of parallel smtp
+ clients or servers) to avoid unpleasant surprises. You can
+ crank up the process_limit parameter in main.cf.
+
+19980111
+
+ Feature: when run by the superuser, mailq now shows the
+ mail queue even when the mail system is down. To this end,
+ mailq (sendmail -bp) runs the showq program directly instead
+ of connecting to the UNIX-domain service socket, and drops
+ privileges etc. as usual.
+
+19980119
+
+ Bugfix: Edwin Kremer spotted an oversight in the negated
+ host matching code (for name or address patterns prefixed
+ by !).
+
+ Bugfix: upon receipt of a SIGHUP signal, the master now
+ disconnects from its child processes, so that the current
+ generation of child processes commits suicide, and so that
+ the next generation of child processes will use the new
+ configuration settings.
+
+ Bugfix: the smtp server now skips the sender DNS domain
+ lookup test for foo@[address]
+
+ Bugfix: don't append the local domain to foo@[address]
+
+19980120
+
+ Bugfix: old low-priority bug in some list walk code that
+ caused the master to drop core when a service was turned
+ off in master.cf.
+
+ Robustness: the mail system should be able to start up and
+ to accept local postings even while the naming service is
+ down. For this reason, the mail system no longer uses
+ gethostbyname() to look up its own machine name. Sites
+ that use short hostnames will have to specify their FQDN
+ in main.cf (this will eventually be done by the system
+ installation/configuration procedure). Should the config
+ language support backticks so one can say `domainname`?
+ What about $name stuff between the backtics?
+
+ Security: the master now creates FIFOs and UNIX-domain
+ sockets as the mail owner instead of as root, for better
+ protection against subverted mail systems. chmod() is
+ susceptible to race conditions. fchmod(), although safer,
+ often does not work on sockets.
+
+ Portability: anticipate that all major UNIXes will create
+ UNIX-domain sockets with permissions modified by the process
+ umask (required by POSIX). For this reason, we always
+ chmod() UNIX-domain sockets, unless the system allows us
+ to use the safer fchmod() instead.
+
+ Portability: the semi-resident servers now properly handle
+ EWOULDBLOCK returns from accept() in addition to EGAIN
+ (on some systems, EAGAIN and EWOULDBLOCK have different
+ values).
+
+ Bugfix: the semi-resident servers now properly handle EINTR
+ returns From accept().
+
+ Bugfix: Edwin Kremer found that mynetworks() would compute
+ (32 - mask) instead of mask.
+
+19980121
+
+ Feature: /etc/vmailer/relocated is used by the local delivery
+ program and specifies what mail should be bounced with a
+ "user has moved to XXX" message. The main.cf configuration
+ parameter is "relocated_maps". Just like the "virtual_maps"
+ config parameter, this feature is off by default, and the
+ parameter can have values such as "files" or "files, nis"
+ (on hosts equipped with NIS).
+
+19980123
+
+ Cleanup: virtual domain support moved from the queue manager
+ to the resolve service, where it belongs.
+
+ Feature: /etc/vmailer/canonical is used by the rewrite
+ service for all addresses, and maps a canonical address
+ (user@domain) to another address. Typical use is to generate
+ Firstname.Lastname@domain addresses, or to clean up dirty
+ addresses from non-RFC 822 mail systems. The main.cf
+ configuration parameter is "canonical_maps". Just like
+ the "virtual_maps" config parameter, this feature is off
+ by default, and the parameter can have values such as
+ "files" or "files, nis" (on hosts equipped with NIS).
+
+19980124
+
+ HPUX10 port and many little fixes from Pieter Schoenmakers.
+
+ Bugfix: isolated an old mysterious bug that could make the
+ master deaf for new connections while no child process was
+ running. A typical result was that no pickup daemon would
+ be started after the previous one had terminated voluntarily.
+
+ Bugfix: the NIS lookup code did not mystrdup() the NIS map
+ name and would access free()d memory.
+
+19980125
+
+ Bugfix: the vstream routines would sometimes ignore flushing
+ errors. The error would still be reported by vstream_fclose()
+ and vstream_ferror().
+
+ Feature: time limit on delivery to shell commands. Config
+ parameter: command_time_limit. Default value: 100 sec. The
+ idea is to prevent one bad .forward file or alias file
+ entry from slowly using up all local delivery process slots.
+
+19980126
+
+ Code cleanup: in preparation for SMTP extensions such as
+ SIZE, allow an extended SMTP command to have a variable
+ number of options.
+
+19980127
+
+ Bugfix: moved canonical map lookups away from the rewriting
+ module to the cleanup service, so that canonical map lookups
+ do not interfere with address rewriting on behalf of other
+ programs. Back to an older trivial-rewrite program version.
+
+ Bugfix: moved virtual map lookups away from the resolver
+ back to the queue manager, so that virtual domain lookup
+ does not interfere with address resolution on behalf of
+ other programs. Back to an older qmgr program version.
+
+19980131
+
+ Feature: integrated and adapted Guido van Rooij's SIZE
+ option (RFC 1870), carefully avoiding potential problems
+ due to overflow (by multiplying large numbers) or unsigned
+ underflow (by subtracting numbers).
+
+ Code cleanup: cleaned up the code that parses the server
+ response to the HELO/EHLO command, so that we can more
+ reliably recognize what options a server supports.
+
+19980201
+
+ Portability: integrated the IRIX 6 port by Oved Ben-Aroya.
+
+ Portability: the software now figures out by itself if a
+ server should open its FIFO read-write or read-only, to
+ avoid getting stuck with a FIFO that stays readable forever.
+
+ Bugfix: the cleanup service would terminate with a fatal
+ vstream_fseek() error when the queue file was too large.
+
+ Bugfix: the cleanup service could be killed by a signal
+ when the queue file became too large.
+
+19980203
+
+ Portability: some systems have statfs(), some have statvfs(),
+ and the relevant include files are in a different place on
+ almost every system.
+
+ Portability: the makedefs script now nukes the -O compiler
+ flag when building on AIX with IBM's own compiler...
+
+19980204
+
+ Portability: HP-UX 9.x support by Pieter Schoenmakers.
+
+ Portability: added SYSV-style ulimit() file size limit
+ support for HP-UX 9.x.
+
+ Portability: added some #includes that appeared to be
+ missing according to the Digital UNIX cc compiler.
+
+ Bugfix: sys_defs.h now correctly specifies NIS support for
+ LINUX2, HPUX9 and HPUX10.
+
+ Security: fixed a file descriptor leak in the local delivery
+ agent that could give shell commands access to the VMailer
+ IPC streams. This should not cause a vulnerability, given
+ the design and implementation of the mailer, but it would
+ be like asking for trouble.
+
+ Bugfix: the sendmail -B (body type) option did not take a
+ value.
+
+19980205
+
+ Bugfix (SUNOS5): should not have deleted the SVID_GETTOD
+ definition from util/sys_defs.h.
+
+ Bugfix (HPUX9): forgot to specify whether to use statfs()
+ or statvfs().
+
+ Bugfix (HPUX9): don't try to raise the file size ulimit.
+
+ Bugfix (HPUX9): must specify file size limit in 512-blocks.
+
+19980207
+
+ Robustness: the master process now raises the file size
+ limit when it is started with a limit that is less than
+ VMailer's file size limit. File: util/file_limit.c.
+
+ Security: the dns lookup routines now screen all result
+ names with valid_hostname(). Bad names are treated as
+ transient errors.
+
+ Feature: qmail compatibility: when the home_mailbox parameter
+ is set, mail is delivered to ~/$home_mailbox instead of to
+ /var[/spool]/mail/username. This hopefully makes it easier
+ to lure people away from qmail :-)
+
+ Robustness: several testers by accident configured relayhost
+ the same as myhostname. The programs now explicitly check
+ for this mistake.
+
+ Bugfix: deliver_request_read() would free unallocated memory
+ when it received an incomplete delivery request from the
+ queue manager.
+
+ Robustness: local_destination_concurrency=1 prevents parallel
+ delivery to the same user (with possibly disastrous effects
+ when that user has an expensive pipeline in the .forward
+ or procmail config file). Each transport can have its own
+ XXX_destination_concurrency parameter, to limit the number
+ of simultaneous deliveries to the same destination.
+
+19980208
+
+ Robustness: added "slow open" mode, to gradually increase
+ the number of simultaneous connections to the same site as
+ long as delivery succeeds, and to gradually decrease the
+ number of connections while delivery fails. Brad Knowles
+ provided the inspiration to do this.
+
+ This also solves the "thundering herd" problem (making a
+ bunch of connections to a dead host when it was time to
+ retry that host). Let's see when other mailers fix this.
+
+ Feature: Added $smtpd_banner and $mail_version, for those
+ who want to show the world what software version they are
+ running.
+
+ Bugfix: vmailer-script now properly labels each syslog
+ entry.
+
+19980210
+
+ Portability: merged in NEXTSTEP 3 port from Pieter Schoenmakers
+
+ Bugfix: the local delivery program now checks that a
+ destination is a regular file before locking it.
+
+19980211
+
+ Robustness: the local delivery agent sets HOME, LOGNAME,
+ and SHELL when delivering to a user shell command. PATH is
+ always set, and TZ is passed through if it is set.
+
+19980212
+
+ Feature: mailq (sendmail -bp) now also lists the maildrop
+ queue (with mail that hasn't been picked up yet).
+
+19980213
+
+ Feature: the smtpd now says: 502 HELP not implemented. This
+ should impress the heck out of the competition :-)
+
+19980214
+
+ Feature: local delivery to configurable system-wide command
+ (e.g. procmail) avoids the need for per-user ~/.forward
+ shell commands. Config parameter: mailbox_command.
+
+19980215
+
+ Performance: avoid running a shell when a command contains
+ no shell magic characters or built-in shell commands. This
+ speeds up delivery to all commands. File: util/exec_command.c.
+
+ Bugfix: the local delivery agent, after reading EOF from
+ a child process, now sends SIGKILL only when the child does
+ not terminate within a limited amount of time. This avoids
+ some problems with procmail. File: util/timed_wait.c.
+
+19980217
+
+ Portability: folded in NetInfo support from Pieter
+ Schoenmakers.
+
+19980218
+
+ Feature: new vmlock command to run a command while keeping
+ an exclusive lock on a mailbox.
+
+ Feature: with "recipient_delimiter = +", mail for local
+ address "user+foo" is delivered to "foo", with a "Delivered-To:
+ user+foo@domain" message header. Files: qmgr/qmgr_message.c,
+ local/recipient.c. This must be the cheapest feature.
+
+19980219
+
+ Code cleanup: moved error handling into functions that
+ should always succeed (non_blocking(), close_on_exec()).
+
+19980223
+
+ Bugfix: null pointer bug in the cleanup program after
+ processing a From: header with no mail address (or with
+ only a comment).
+
+19980226
+
+ Robustness: now detects when getpwnam() returns a name that
+ differs from the requested name.
+
+ Feature: Added %p support to the vbuf_print formatting
+ module.
+
+ Code cleanup: revamped the alias/include/.forward loop
+ detection and duplicate suppression code in the local
+ delivery agent. This must be the fourth iteration, and
+ again the code has been simplified.
+
+19980228
+
+ Robustness: don't treat anything starting with whitespace
+ as a header record. Instead, explicitly test for leading
+ whitespace where we permit it. Files: global/is_header.c,
+ bounce/bounce_flush_service.c, local/delivered.c.
+
+19980301
+
+ Compatibility: the sendmail program now accepts the -N
+ command-line option (delivery status notification) but
+ ignores it entirely, just like many other sendmail options.
+
+ Bugfix: dns_lookup.c was too conservative with buffer sizes
+ and would incorrectly report "malformed name server reply".
+
+19980302
+
+ Bugfix: the local delivery agent was not null-byte clean.
+
+19980307
+
+ Feature: integrated Pieter Schoenmaker's code for transport
+ lookup tables that list (transport, nexthop) by destination.
+
+19980309
+
+ Bugfix: delivery agents no longer rename corrupt queue
+ files, because programs might fall over each other doing
+ so. Instead, when a delivery agent detects queue file
+ corruption, it chmods the queue file, simulates a soft
+ error, and lets the queue manager take care of the problem.
+
+ Bugfix: the SMTP server implemented VRFY incorrectly.
+
+ Feature: first shot at a pipe mailer, which can be used to
+ extend VMailer with external mail transports such as UUCP
+ (provided that the remote site understands domain addressing,
+ because VMailer version 1 does not rewrite addresses).
+
+ Cleanup: extended the master/child interface so that the
+ service name (from master.cf) is passed on to the child.
+ The pipe mailer needs the service name so it can look up
+ service-specific configuration parameters (privilege level,
+ recipient limit, time limit, and so on).
+
+19980310-12
+
+ Cleanup: factored out the pipe_command() code, so it can
+ be shared between pipe mailer and local delivery agent.
+
+19980314
+
+ Compatibility: the sendmail program now parses each
+ command-line recipient as if it were an RFC 822 message
+ header; some MUAs specify comma-separated recipients in a
+ command-line argument; and some MUAs even specify "word
+ word <address>" forms as command-line arguments.
+
+19980315
+
+ Bugfix: VMailer's queue processing randomization wasn't
+ adequate for unloaded systems with small backlogs.
+
+ Bugfix: smtpd now uses double-buffered stream I/O to prevent
+ loss of input sent ahead of responses.
+
+19980316
+
+ Bugfix: the smtpd anti-relay code didn't treat all hosts
+ listed in $mydestinations as local, so it would accept mail
+ only for hosts listed in $relay_domains (default: my own
+ domain).
+
+ Bugfix: smtpd now replies with 502 when given an unknown
+ command.
+
+19980318
+
+ Cleanup: resolve/rewrite clients now automatically disconnect
+ after a configurable amount of idle time (ipc_idle).
+
+19980322
+
+ Tolerance: VRFY now permits user@domain, even though the
+ RFC requires that special characters such as @ be escaped.
+
+19980325
+
+ Bugfix: a recipient delimiter of "-" could interfere with
+ special addresses such as owner-xxx or double-bounce.
+
+ Tolerance: the SMTP client now permits blank lines in SMTP
+ server responses.
+
+ Tolerance: the SMTP client now falls back to SMTP when it
+ apparently mistook an SMTP server as ESMTP capable.
+
+ Bugfix: eliminated strtok() calls in favor of mystrtok().
+ Symptom: master.cf parsing would break if $inet_interfaces
+ was more than one word.
+
+19980328
+
+ Bugfix: user->addr patterns in canonical and virtual tables
+ matched only $myorigin, not hosts listed in $mydestination
+ or addresses listed in $inet_interfaces. The man pages
+ were wrong too. File: global/addr_match.c.
+
+19980401
+
+ Robustness: FIFO file permissions now default to 0622. On
+ some systems, opening a FIFO read-only could deafen the
+ pickup daemon. Only the listener end (which is opened as
+ root) needs read access anyway, so there should not be a
+ loss of functionality by making FIFOs non-readable for
+ non-mail processes.
+
+19980402
+
+ Compatibility: sendmail -I and -c options added.
+
+19980403
+
+ Feature: virtual lookups are now recursive. File:
+ qmgr/qmgr_message.c
+
+19980405
+
+ Implemented sendmail -bs (stand-alone) mode. This mode runs
+ as the user and therefore deposits into the maildrop queue.
+
+19980406
+
+ The pickup service now removes malformed maildrop files.
+
+19980407
+
+ The pickup service now guards against maildrop files with
+ time stamps dated into the future.
+
+19980408
+
+ Bugfix: in the canonical and virtual maps, foo->address
+ would match foo@$myorigin only. This has been fixed to also
+ match hosts listed in main.cf:$mydestination and the
+ addresses listed in main.cf:$inet_interfaces.
+
+ Bugfix: added double buffering support to the VMailer SMTP
+ server. This makes the SMTP server robust against SMTP
+ clients that talk ahead of time, and should have been in
+ there from day one.
+
+19980409
+
+ Bugfix: the VMailer SMTP client now recognizes its own
+ hostname in the SMTP greeting banner only when that name
+ appears as the first word on the first line.
+
+19980410
+
+ Feature: smtpd now logs the local queue ID along with the
+ client name/address, and pickup now logs the local queue
+ ID along with the message owner.
+
+ Bugfix: still didn't do virtual/canonical lookups right
+ (code used the non-case-folded key instead of the case
+ folded one).
+
+19980418
+
+ Bugfix: the SMTP server did not flush the "250 OK queued
+ as XXXX" message from the SMTP conversation history.
+
+19980419
+
+ Bugfix: qmgr would not notice that a malformed message has
+ multiple senders, and would leak memory (Tom Ptacek).
+
+19980421
+
+ Portability: in the mantools scripts, the expr pattern no
+ longer has ^ at the beginning, and the scripts now use the
+ expand program instead of my own detab utility.
+
+19980425
+
+ NetBSD 1.x patch by Soren S. Jorvang.
+
+19980511
+
+ Feature: the SMTP server now logs the protocol (SMTP or
+ ESMTP) as part of the Received: header.
+
+ Feature: smtpd now logs the last command when a session is
+ aborted due to timeout, unexpected EOF, or too many client
+ errors.
+
+19980514
+
+ Bugfix: the queue manager did not update the counter for
+ in-core message structures, so the in-core message limit
+ had no effect. This can be bad when you have a large backlog
+ with many messages eligible for delivery.
+
+ Robustness: the queue manager now also limits the total
+ number of in-core recipient structures, so that it won't
+ use excessive amounts of memory on sites that have large
+ mailing lists.
+
+19980518
+
+ Bugfix: the SMTP client did not notice that the DNS client
+ received a truncated response. As a result, a backup MX
+ host could incorrectly claim that it was the best MX host
+ and declare a mailer loop.
+
+ Added start_msg/stop_msg entries to the vmailer startup
+ script, for easy installation.
+
+ Cleanup: VMailer databases are now explicitly specified as
+ type:name, for example, hash:/etc/aliases or nis:mail.aliases,
+ instead of implicitly as "files", "nis" and so on. Test
+ program: util/dict_open. This change allowed me to
+ eliminate a lot of redundant code from mkmap_xxx.c, and
+ from everything that does map lookups.
+
+19980525
+
+ Bugfix: local/dotforward.c compared the result of opening
+ a user's ~/.forward against the wrong error value.
+
+19980526
+
+ Bugfix: the smtpd VRFY command could look at free()d memory.
+
+ Robustness: the smtpd program had a fixed limit on the
+ number of token structures. The code now dynamically
+ allocates token structures.
+
+ Bugfix: the queue manager still used the deprecated parameter
+ name xxx_deliver_concurrency for concurrency control, but
+ the documentation talks about the preferred parameter name
+ xxx_destination_concurrency. Fix: try xxx_destination_concurrency
+ first, then fall back to xxx_deliver_concurrency.
+
+19980621-19980702
+
+ Cleanup: the string read routines now report the last
+ character read or VSTREAM_EOF. This change is necessary
+ for the implementation of the long SMTP line bugfix.
+
+ Bugfix: the smtp server exited the DATA command prematurely
+ when the client sent long lines. Reason: the smtp server
+ did not remember that it broke long lines, so that '.'
+ could appear to be the first character on a line when in
+ fact it wasn't.
+
+ Bugfix: the queue manager made lots of stupid errors while
+ reading $qmgr_message_recipient_limit chunks of recipients
+ from a queue file. This code has been restructured.
+
+19980706
+
+ Performance: the cleanup program now always adds return-receipt
+ and errors-to records to a queue file, so that the queue
+ manager does not have to plow through huge lists of
+ recipients.
+
+ Robustness: the initial destination concurrency now defaults
+ to 2, so that one bad message or one bad connection does
+ not stop all mail to a site. The configuration parameter
+ is called initial_destination_concurrency.
+
+ Performance: the per-message recipient limit is now enforced
+ by the queue manager instead of by the transport. Thus, a
+ large list of recipients for the same site is now mapped
+ onto several delivery requests which can be handled in
+ parallel, instead of being mapped onto one delivery request
+ that is sent to limited numbers of recipients, one group
+ after the other.
+
+19980707
+
+ Cleanup: the queue manager now does an additional recipient
+ sort after the recipients have been resolved, so that the
+ code can do better aggregation of recipients by next hop
+ destination.
+
+ Feature: lines in the master.cf file can now be continued
+ in the same manner as lines in the main.cf file, i.e. by
+ starting the next line with whitespace.
+
+ Feature: the smtp client now warns that a message may be
+ delivered multiple times when the response to "." is not
+ received (the problem described in RFC 1047).
+
+ Cleanup: when the queue manager changes its little mind
+ after contacting a delivery agent (for example, it decides
+ to skip the host because a transport or host goes bad),
+ the delivery agent no longer complains about premature EOF.
+ File: global/deliver_request.c
+
+19980709
+
+ Bugfix: when breaking long lines, the SMTP client did not
+ escape leading dots in secondary etc. line fragments. Fix:
+ don't break lines. This change makes VMailer line-length
+ transparent. Files: global/smtp_stream.c, smtp/smtp_proto.c.
+
+19980712
+
+ Cleanup: the queue manager to deliver agent protocol now
+ distinguishes between domain-specific soft errors and
+ recipient-specific soft errors. Result: many soft errors
+ with SMTP delivery no longer affect other mail the same
+ domain.
+
+19980713
+
+ Feature: the file modification time stamp of deferred queue
+ files is set to the nearest wakeup time of their recipient
+ hosts, or if delivery was deferred due to a non-host problem,
+ the time stamp is set into the future by the configurable
+ minimal backoff time.
+
+ Bugfix: the SMTP client and the MAILQ command would report
+ as message size the total queue file size. That would
+ grossly overestimate the size of a message with many
+ recipients.
+
+ Bugfix: the 19980709 fix screwed up locally-posted mail
+ that didn't end in newline.
+
+19980714
+
+ Robustness: the makedefs script now defaults to no optimization
+ when compiling for purify.
+
+19980715
+
+ Robustness: the makedefs script now defaults to no optimization
+ when compiling with gcc 2.8, until this compiler is known
+ to be OK.
+
+ Workaround: when sending multiple messages over the same
+ SMTP connection, some SMTP servers need an RSET command
+ before the second etc. MAIL FROM command. The VMailer SMTP
+ client now sends a redundant RSET command just in case.
+
+ The queue manager now logs explicitly when delivery is
+ deferred because of a "dead" message transport.
+
+19980716
+
+ Feature: mailq and mail bounces now finally report why mail
+ was deferred (the reason was logged to the syslog file
+ only). Changes were made to the bounce service (generalized
+ to be usable for defer logs), showq service (to show reasons)
+ and the queue manager.
+
+ As a result the defer directory (with one log per deferred
+ message) may contain many files; also, this directory is
+ accessed each time a message is let into the active queue,
+ in order to delete its old defer log. This means that hashed
+ directories are now a must.
+
+19980718-20
+
+ Feature: configurable timeout for establishing smtp
+ connections. Parameter: smtp_connect_timeout (default 0,
+ which means use the timeout as wired into the kernel).
+ Inspired by code from Lamont Jones. For a clean but far
+ from trivial implementation, see util/timed_connect.c
+
+ Cleaned up the interfaces that implement read/write deadlines.
+ Instead of returning -2, the routines now set errno to
+ ETIMEDOUT; the readable/writable tests are now separate.
+
+19980722
+
+ Feature: the default indexed file type (hash, btree, dbm)
+ is now configurable with the "database_type" parameter.
+ The default value for this parameter is system specific.
+
+ Feature: selectively turn on verbose logging for hosts that
+ match the patterns specified via the "debug_peer_list"
+ config parameter. Syntax is like the "bad_smtp_clients"
+ parameter (see global/peer_list.c). The verbose logging
+ level is specified with "debug_peer_level" (default 2).
+
+ Security: the local delivery agent no longer delivers to
+ files that have execute permission enabled.
+
+19980723
+
+ Workarounds for Solaris 2.x UNIX-domain sockets: they lose
+ data when you close them immediately after writing to them.
+ This could screw up the delivery agent to queue manager
+ protocol.
+
+19980724
+
+ Cleanup: spent most of the day cleaning up queue manager
+ code that defers mail when a site or transport dies, and
+ fixed a few obscure problems in the process.
+
+19980726
+
+ Feature: the admin can now configure what classes of problems
+ result in mail to the postmaster. Configuration parameter:
+ "notify_classes". Default is backwards compatible: bounce,
+ policy, protocol, resource, and software.
+
+19980726-28
+
+ Feature: the admin can now configure what smtp server access
+ control restrictions must be applied, and in what order.
+ Configuration parameters: smtpd_client_restrictions,
+ smtpd_helo_restrictions, smtpd_mail_restrictions and
+ smtpd_rcpt_restrictions. Defaults are intended to be
+ backwards compatible. The bad_senders and bad_clients lists
+ are gone and have become db (dbm, nis, etc) maps. Files:
+ smtpd/smtpd_check.c, config/main.cf.
+
+19980729-31
+
+ Feature: hashed queues. Rewrote parts of the mail queue
+ API. Configuration parameters: "hash_queue_names" specifies
+ what queue directories will be hashed (default: the defer
+ log directory), "hash_queue_depth" specifies the number of
+ subdirectories used for hashing (default 2).
+
+19980802
+
+ Bugfix: the pipe mailer should expand command-line arguments
+ with $recipient once for every recipient (producing one
+ command-line argument per recipient), instead of replacing
+ $recipient by of all recipients (i.e. producing only one
+ command-line argument). This is required for compatibility
+ with programs that expect to be run from sendmail, such as
+ uux. Thanks to Ollivier Robert for helping me to get this
+ right.
+
+ Code cleanup: for the above, cleaned up the macro expansion
+ code in dict.c and factored out the parsing into a separate
+ module, mac_parse.c.
+
+19980803
+
+ "|command" and /file/name destinations in alias databases
+ are now executed with the privileges of the database owner
+ (unless root or vmailer). Thus, with: "alias_maps =
+ hash:/etc/aliases, hash:/home/majordomo/aliases", and with
+ /home/majordomo/aliases* owned by the majordomo account,
+ you no longer need the majordomo set-uid wrapper program,
+ and you no longer need root privileges in order to install
+ a new mailing list.
+
+19980804
+
+ Added support for the real-time blackhole list. Example:
+ "client_restrictions = permit_mynetworks, reject_maps_rbl"
+
+ All SMTP server "reject" status codes are now configurable:
+ unknown_client_reject_code, mynetworks_reject_code,
+ invalid_hostname_reject_code, unknown_hostname_reject_code,
+ unknown_address_reject_code, relay_domains_reject_code,
+ access_map_reject_code, maps_rbl_reject_code. Default values
+ are documented in the smtpd/smtpd_check.c man page.
+
+19980806-8
+
+ Code cleanup: after eye balling line-by line diffs, started
+ deleting code that duplicated functionality because it was
+ at the wrong abstraction level (smtp_trouble.c), moved
+ functionality that was in the wrong place (dictionary
+ reference counts in maps.c instead of dict.c), simplified
+ code that was too complex (password-file structure cache)
+ and fixed some code that was just wrong.
+
+19980808
+
+ Robustness: the number of queue manager in-core structures
+ for dead hosts is limited; the limit scales with the limit
+ on the number of in-core recipient structures. The idea is
+ to not run out of memory under conditions of stress.
+
+19980809
+
+ Feature: mail to files and commands can now be restricted
+ by class: alias, forward file or include file. The default
+ restrictions are: "allow_mail_to_files = alias, forward"
+ and allow_mail_to_commands = alias, forward". The idea is
+ to protect against buggy mailing list managers that allow
+ intruders to subscribe /file/name or "|command".
+
+19980810-12
+
+ Cleanup: deleted a couple hundred lines of code from the
+ local delivery agent. It will never be a great program;
+ sendmail compatibility is asking a severe toll.
+
+19980814
+
+ Cleanup: made the program shut up about some benign error
+ conditions that were reported by Daniel Eisenbud.
+
+19980814-7
+
+ Documentation: made a start of HTML docs that describe all
+ configuration parameters.
+
+ Feature: while documenting things, added smtpd_helo_required.
+
+19980817
+
+ Bugfix: at startup the queue manager now updates the time
+ stamps of active queue files some time into the future.
+ This eliminates duplicate deliveries after "vmailer reload".
+
+ Bugfix: the local delivery agent now applies the recipient
+ delimiter after looking in the alias database, instead of
+ before.
+
+ Documentation bugfixes by Matt Shibla, Tom Limoncelli,
+ Eilon Gishri.
+
+19980819
+
+ GLIBC fixes from Myrdraal.
+
+ Bugfix: applied showq buffer reallocation workaround in
+ the wrong place.
+
+ Bugfix: can't use shorts in varargs lists. SunOS 4 has
+ short uid_t and gid_t. pipe_command() would complain.
+
+ Bugfix: can't use signed char in ctype macros. All ctype
+ arguments are now casted to unsigned char. Thanks, Casper
+ Dik.
+
+19980820
+
+ Bugfix: save the alias lookup result before looking up the
+ owner. The previous alpha release did this right.
+
+ Cleanup: mail_trigger() no longer complains when the trigger
+ FIFO or socket is unavailable. This change is necessary to
+ shut up the sendmail mail posting program, so that it can
+ be used on mail clients that mount their maildrop via NFS.
+
+ Experiment: pickup and pipe now run as vmailer most of the
+ time, and switch to user privileges only temporarily.
+ Files: util/set_eugid.c global/pipe_command.c pipe/pipe.c
+ pickup/pickup.c. Is this more secure/ What about someone
+ manipulating such a process while not root? It still has
+ ruid == 0.
+
+19980822
+
+ Portability: with GNU make, commands such as "(false;true)"
+ and "while :; do false; done" don't fail. Workaround: use
+ "set -e" all over the place. Problem found by Jeff Wolfe.
+
+ Feature: "check_XXX_access maptype:mapname" (XXX = client,
+ helo, sender, recipient). Now you can make recipient and
+ other SPAM restrictions dependent on client or sender access
+ tables lookup results.
+
+19980823
+
+ Bugfix: smtpd access table lookup keys were case sensitive.
+
+ Added "permit" and "reject" operators. These are useful at
+ the end of SPAM restriction lists (smtpd_XXX_restrictions).
+
+ Added a first implementation of the permit_mx_backup SPAM
+ restriction. This permits mail relaying to any domain that
+ lists this mail system as an MX host (including mail for
+ the local machine). Thanks to Ollivier Robert for useful
+ discussions.
+
+19980824
+
+ Bugfix: transport table lookup keys were case sensitive.
+
+19980825
+
+ Portability: sa_len is some ugly #define on some SGI systems,
+ so we must rename identifiers (file util/connect.c).
+
+ Bugfix: uucp delivery errors are now sent to the sender.
+ Thanks, Mark Delany.
+
+ Bugfix: the pipe delivery agent now replaces empty sender
+ by the mailer daemon address. Mark Delany, again.
+
+ Portability: GNU getopt looks at all command-line arguments.
+ Fix: insert -- into the pipe/uucp definition in master.cf.
+
+ Bugfix: the smtp server command tokenizer silently discarded
+ the [] around [text], so that HELO [x.x.x.x] was read as
+ if the client had sent: HELO x.x.x.x. Thanks, Peter Bivesand.
+
+ Bugfix: the HELO unknown hostname/bad hostname restrictions
+ would have treated [text] as a domain name anyway.
+
+ Bugfix: the $local_duplicate_filter_limit value was not
+ picked up by the local delivery agent. This means the local
+ delivery agent could run out of memory on large mailing
+ list deliveries.
+
+19980826
+
+ Performance: mkmap/mkalias now run with the same speed as
+ sendmail. VMailer now uses a 4096-entry cache with 1 Mbyte
+ of memory for DB lookups. File: util/dict_db.c.
+
+19980902
+
+ Robustness: the reject_unknown_hostname restriction for
+ HELO/EHLO hostnames will now permit names that have an MX
+ record instead of an A record.
+
+19980903
+
+ Feature: appending @$myorigin to an unqualified address is
+ configurable with the boolean append_at_myorigin parameter
+ (default: yes).
+
+ Feature: appending .$mydomain to user@host is configurable
+ with the boolean append_dot_mydomain parameter (default:
+ yes).
+
+ Feature: site!user is rewritten to user@site, under control
+ of the boolean parameter swap_bangpath (default: yes).
+
+ Feature: permit a naked IP address in HELO commands (i.e.
+ an address without the enclosing [] as required by the
+ RFC), by specifying "permit_naked_ip_address" as one of
+ the restrictions in the "smtpd_helo_restrictions" config
+ parameter.
+
+19980904
+
+ Code cleanup: when an SMTP client aborts a session after
+ sending MAIL FROM, the cleanup service no longer warns that
+ it is "skipping further client input". Files: cleanup/*.c.
+ Thanks, Daniel Eisenbud, for prodding.
+
+ Code cleanup: when an SMTP server disconnects in the middle
+ of a session, don't try to send QUIT over the non-existing
+ connection. Files: global/smtp_stream.c, smtp/smtp.c.
+ Thanks, Daniel Eisenbud, for prodding, again.
+
+ Code cleanup: the VMailer version number has moved from
+ mail_params.h (which is included by lots of modules) to a
+ separate file global/mail_version.h, so that a version
+ change no longer results in massive recompilation.
+
+ Bugfix: Errors-To was flagged as a sender address, so the
+ address never was picked up.
+
+ Code cleanup: support for Errors-To: headers completed.
+
+19980905
+
+ Feature: per-message exponential delivery backoff, by
+ looking at the amount of time a message has been queued.
+ Thanks, Mark Delany.
+
+19980906
+
+ Code cleanup: ripped out the per-host exponential backoff
+ code. It was broken by 19980818. It was probably a bad idea
+ anyway, because it required per-host, in-core, state kept
+ by the queue manager. All we do now is to keep state for
+ $minimal_backoff_time seconds, but only for a limited number
+ of hosts. Daniel Eisenbud spotted the problem.
+
+ Lost feature: the SMTP session transcripts now show who
+ said what. This feature was inadvertently dropped during
+ development. Thanks, Daniel Eisenbud, for reminding.
+
+ Documentation: the hard-coded rewriting process of the
+ trivial-rewrite program is described in html/rewrite.html.
+
+ Feature: the local delivery agent now does alias lookups
+ before and after chopping off the recipient subaddress.
+ This allows you to forward user-anything to another user,
+ without losing the ability to redirect specific user-foo
+ addresses.
+
+19980909
+
+ Feature: the smtp client now logs a warning that a server
+ sends a greeting banner with the client's hostname, which
+ could imply a mailer loop.
+
+19980910
+
+ Feature: separate canonical maps for sender and recipient
+ address rewriting, so that you can rewrite an ugly sender
+ address and still forward mail to that same ugly address
+ without creating a mailer loop. Files: cleanup_envelope.c,
+ cleanup_message.c, cleanup_rewrite.c.
+
+19980911
+
+ Feature: virtual maps now support multiple addresses on
+ the right-hand side. In the case of virtual domains this
+ can eliminate the need for address expansion via local
+ aliases, making virtual domains much easier to administer.
+ This required that I moved the virtual table lookups from
+ the queue manager to the cleanup service, so that every
+ recipient has an on-disk status record. Files: qmgr.c,
+ qmgr_message.c, cleanup_envelope.c, cleanup_rewrite.c,
+ cleanup_virtual.c.
+
+ Feature: sendmail/mailq/newaliases pass on the -v flag to
+ the program that they end up running, to make debugging a
+ little easier.
+
+19980914
+
+ Bugfix: some anti-spam measures didn't recognize some
+ addresses as local and would do too much work. File:
+ smtpd_check.c.
+
+ Bugfix: the smtp sender/recipient table lookup restriction
+ destroyed global data, so that other restrictions could
+ break. File: smtpd_check.c.
+
+ Bugfix: after vmailer reload, single-threaded servers could
+ exit before flushing unwritten data to the client. Example:
+ cleanup would exit before acking success to pickup, so the
+ message would be delivered twice. Bug reported by Brian
+ Candler.
+
+ Cleanup: removed spurious error output from vmailer-script.
+ Reported by Brian Candler.
+
+ Tolerance: ignore non-numeric SMTP server responses. There's
+ lot of brain damage out there on the net.
+
+19980915
+
+ Feature: the smtp-sink benchmark tool now announces itself
+ with a neutral name so that it can be run on the same
+ machine as VMailer, without causing Postfix to complain
+ about a mailer loop.
+
+ Robustness: on LINUX, vmailer-script now does chattr +S to
+ force synchronous directory updates. Fix developed with
+ Chris Wedgwood.
+
+19980916
+
+ Bugfix: when transforming an RFC 822 address to external
+ form, there is no need to quote " characters in comments.
+ This didn't break anything, it just looked ugly. File:
+ global/tok822_parse.c
+
+19980917
+
+ Workaround: with deliveries to /file/name, use fsync() and
+ ftruncate() only on regular files. File: local/file.c
+
+ Workaround: the plumbing code in master_spawn.c didn't
+ check if it was dup2()/close()ing a descriptor to itself
+ then closing it. Will have to redo the plumbing later.
+
+19980918
+
+ Workaround: on multiprocessor Solaris machines, one-second
+ rollover appears to happen on different CPUs at slightly
+ different times. Made the queue manager more tolerant for
+ such things. Problem reported by Daniel Eisenbud.
+
+ Workaround: in preparation for deployment with a network-shared
+ maildrop directory. make pickup more tolerant against clock
+ drift between clients and servers.
+
+19980921
+
+ New vstream_popen() module that opens a two-way channel
+ across a socketpair-based pipe. This module isn't being
+ used yet; it is here only to complete the vstream code.
+
+19980922
+
+ Code cleanup: the xxx_server_main() interface for master
+ child processes now uses a name-value argument list instead
+ of an ugly and inflexible data structure.
+
+ Bugfix: moved the test if a non-interactive process is run
+ by hand, so that the "don't do this" error message can be
+ printed to stderr before any significant processing.
+
+ Bugfix: smtpd now can talk to unix-domain sockets without
+ bailing out on a peer lookup problem. Files: smtpd/smtpd.c,
+ util/peer_name.c.
+
+ Safety: by default, the postmaster is no longer informed
+ of protocol problems, policy violations or bounces.
+
+ Safety: the SMTP server now sleeps before sending a [45]xx
+ error response, in order to prevent clients from hammering
+ the server with a connect/error/disconnect loop. Parameter:
+ smtpd_error_sleep_time (default: 5).
+
+ Feature: the logging facility is compile-time configurable
+ (e.g., make makefiles "CCARGS=-DLOG_FACILITY=LOG_LOCAL1").
+
+19980923
+
+ Bugfix: changed virtual/canonical map search order from
+ (user@domain, @domain, user) to (user@domain, user, @domain)
+ so the search order is most specific to least specific.
+ File: global/addr_map.c, lots of documentation.
+
+ Bugfix: after the change of 19980910, cleanup_message
+ extracted recipients from Reply-To: etc. headers. Found
+ by Lamont Jones.
+
+19980925
+
+ Bugfix: the change in virtual/canonical map search order
+ broke @domain entries; they would never be looked up if
+ the address matched $myorigin or $mydestinations. Found by
+ Chip Christian who now regrets asking for the change.
+
+ Bugfix: cleanup initialized an error mask incorrectly, so
+ that it would keep writing to a file larger than the queue
+ file size limit, and so it would treat the error as a
+ recoverable one instead of sending a bounce. Thanks, Pieter
+ Schoenmakers.
+
+ Bugfix: the "queue file cleanup on fatal error" action was
+ no longer enabled in the sendmail mail posting agent.
+
+ Feature: the sendmail mail posting program now returns
+ EX_UNAVAILABLE when the size of the input exceeds the queue
+ file size limit. NB THIS CHANGE HAS BEEN WITHDRAWN.
+
+19980926
+
+ Code cleanup: the dotlock file locking routine is no longer
+ derived from Eric Allman's 4.3BSD port of mail.local.
+
+ Code cleanup: the retry strategy of the file locking routines
+ dot_lockfile() and deliver_flock() is now configurable
+ (deliver_flock_attempts, deliver_flock_delay, deliver_flock_stale).
+
+ Code cleanup: the master.pid lock file is now created with
+ symlink paranoia, and is properly locked so that PID rollover
+ will not cause false matches.
+
+ Bugfix: the vbuf_print() formatting engine did not know
+ about the '+' format specifier.
+
+ Cleanup: replaced unnecessary instances of stdio calls by
+ vstream ones.
+
+19980929-19981002
+
+ Compatibility: added support for "sendmail -q". This required
+ a change to the queue manager trigger protocol, and a code
+ reorganization of the way queue scans were done. The queue
+ manager socket now has become public.
+
+19981002
+
+ SMTPD now logs "lost connection after end-of-message"
+ instead of "lost connection after DATA".
+
+19981005
+
+ More bullet proofing: timeouts on all triggers.
+
+19981006
+
+ Bugfix: make the number of cleanup processes unlimited, in
+ order to avoid deadlock. The number of instances needed is
+ one per smtp/pickup process, and an indeterminate number
+ per local delivery agent. Thanks, Thanks, David Miller and
+ Terry Lorrah for cleueing me in.
+
+ Bugfix: "sendmail -t" extracted recipients weren't subjected
+ to virtual mapping. Daniel Eisenbud strikes again.
+
+19981007
+
+ Compatibility: if the first input line ends in CRLF, the
+ sendmail posting agent will treat all CRLF as LF. Otherwise,
+ CRLF is left alone. This is a compromise between sendmail
+ compatibility (all lines end in CRLF) and binary transparency
+ (some, but not all, lines contain CRLF).
+
+19981008
+
+ Robustness: stop recursive virtual expansion when the
+ left-hand side appears in its own expansion.
+
+19981009
+
+ Portability: trigger servers such as pickup and qmgr can
+ now use either FIFOs or UNIX-domain sockets; hopefully at
+ least one of them works properly. Trigger clients were
+ already capable of using either form of local IPC.
+
+19981011
+
+ Feature: masquerading. Strip subdomains from domains listed
+ in $masquerade_domains. Exception: envelope recipients are
+ left alone, in order to not screw up routing.
+
+19981015
+
+ Code cleanup: moved the recipient duplicate filter from
+ the user-level sendmail posting agent to the semi-resident
+ cleanup service, so that the filter operates on the output
+ from address canonicalization and of virtual expansion,
+ instead of operating on their inputs.
+
+19981016
+
+ Bugfix: after kill()ing a bunch of child processes, wait()
+ sometimes fails before all children have been reaped, and
+ must be called again, or the master will SIGSEGV later.
+ Problem reported by Scott Cotton.
+
+ Workaround: don't log a complaint when an SMTP client goes
+ away without sending QUIT.
+
+19981018
+
+ Workaround: Solaris 2.5 ioctl SIOCGIFCONF returns a hard
+ error (EINVAL) when the result buffer is not large enough.
+ This can happen on systems with many real or virtual
+ interfaces. File: util/inet_addr_local.c. Problem reported
+ by Scott Cotton.
+
+ Workaround: the optional HELO/EHLO hostname syntax check
+ now allows a single trailing dot.
+
+ Workaround: with UNIX-domain sockets, LINUX connect() blocks
+ until the server calls accept(). File: qmgr/qmgr_transport.c.
+ Terry Lorrah and Scott Cotton provided the necessary
+ evidence.
+
+19981020
+
+ Robustness: recursive canonical mapping terminates when
+ the result stops changing.
+
+ Code cleanup: reorganized the address rewriting and mapping
+ code in the cleanup service, to make it easier to implement
+ the previous enhancement.
+
+19981022
+
+ Code cleanup: more general queue scanning programming
+ interface, in preparation for hashed queues. File:
+ qmgr/qmgr_scan.c.
+
+ Bugfix: a non-FIFO server with a process limit of 1 has a
+ too short listen queue. Until now this was not a problem
+ because only FIFO servers had a process limit of 1, and
+ FIFOs have no listen queue. Fix: always configure a listen
+ queue of proc_limit or more. File: master/master_listen.c.
+
+19981023
+
+ Feature: by popular request, mail delay is logged when
+ delivering, bouncing or deferring mail.
+
+19981024
+
+ Cleanup: double-bounce mail is now absorbed by the queue
+ manager, instead of the local delivery agent, so that the
+ mail system will not go mad when no local delivery agent
+ is configured.
+
+19981025
+
+ Cleanup: moved the relocated table from the local delivery
+ agent to the queue manager, so that the table can also be
+ used for virtual addresses.
+
+ Code reorg: in order for the queue manager to absorb
+ recipients, the queue file has to stay open until all
+ recipients have been assigned to a destination queue.
+
+19981026
+
+ vmlogger command, so that vmailer-script logging becomes
+ consistent with the rest of the VMailer system.
+
+ Code reorg: logger interface now can handle multiple output
+ handlers (e.g. syslog and stderr stream).
+
+ Bugfix: a first line starting with whitespace is no longer
+ treated as an extension of our own Received: header. Files:
+ smtpd/smtpd.c, pickup/pickup.c.
+
+19981027
+
+ Bugfix: the bang-path swapping code went into a loop on an
+ address consisting of just a single !. Eilon Gishri had
+ the privilege of finding this one.
+
+ Workaround: the non-blocking UNIX-domain socket connect is
+ now enabled only on systems that need it. It may cause
+ kernel trouble on Solaris 2.x.
+
+ Bugfix: the resolver didn't implement bangpath swapping,
+ so that mail for site!user@mydomain would be delivered to
+ a local user named "site!user".
+
+19981028
+
+ Cleanup: a VSTREAM can now use different file descriptors
+ for reading and writing. This was necessary to prevent
+ "sendmail -bs" and showq from writing to stdin. Eilon Gishri
+ observed the problem.
+
+19981029
+
+ The RFC 822 address manipulation routines no longer give
+ special attention to 8-bit data. Files: global/tok822_parse.c,
+ global/quote_822_local.c.
+
+ Bugfix: host:port and other non-domain stuff is no longer
+ allowed in mail addresses. File: qmgr/qmgr_message.c.
+
+ Workaround: LINUX accept() wakes up before the three-way
+ handshake is complete, so it can fail with ECONNRESET.
+ Files: master/single_server.c, master/multi_server.c.
+
+ Feature: when delivering to user+foo, try ~user/.forward+foo
+ before trying ~user/.forward.
+
+ Bugfix: smtpd in "sendmail -bs" (stand-alone) mode didn't
+ clean up when terminated by a signal.
+
+ Bugfix: smtpd in "sendmail -bs" (stand-alone) mode should
+ not try to enforce spam controls because it cannot access
+ the address rewriting machinery.
+
+ Cleanup: the percent hack (user%domain -> user@domain) is
+ now configurable (allow_percent_hack, default: yes).
+
+ Bugfix: daemons in -S (stand-alone) mode didn't change
+ directory to the queue. This was no problem with daemons
+ run by the sendmail compatibility program.
+
+19981030
+
+ Feature: when virtual/canonical/relocated lookup fails for
+ an address that contains the optional recipient delimiter
+ (e.g., user+foo@domain), the search is done again with the
+ unextended address (e.g., user@domain). File: global/addr_find.c.
+
+ Code reorg: the address searching is now implemented by a
+ separate module global/addr_find.c, so that the same code
+ can be used for both (non-mapping) relocated table lookups
+ and for canonical and virtual mapping. The actual mapping
+ is still done in the global/addr_map.c module.
+
+ Robustness: the SMTP client now skips hosts that don't send
+ greeting banner text. File: smtp/smtp_connect.c
+
+ Feature: preliminary support to disable delivered-to. This
+ is desirable for mailing list managers that don't want to
+ advertise internal aliases.
+
+ Generic support: when the recipient_feature_delimiter
+ configuration parameter is set, the local delivery agent
+ uses it to split the recipient localpart into fields. Any
+ field that has a known name such as "nodelivered" enables
+ the corresponding delivery feature.
+
+19981031
+
+ Code reorg: address splitting on recipient delimiter is
+ now centralized in global/split_addr.c, which knows about
+ all reserved names that should never be split.
+
+ Robustness: when a request for an internal service cannot
+ be satisfied because the master has terminated, terminate
+ instead of trying to reach the service every 30 seconds.
+
+ Safety: the local delivery agent now runs as vmailer most
+ of the time, just like pickup and pipe. Files: local/local.c,
+ local/mailbox.c
+
+19981101
+
+ Compatibility: the tokenizer for alias/forward/etc.
+ expansion now updates an optional counter with the number
+ of destinations found; If no destinations is found in a
+ .forward file, deliver to the mailbox instead. Thanks,
+ Daniel Eisenbud, for showing the way to go.
+
+ Robustness: the pickup daemon should always include a
+ posting-time record, even when the sendmail posting agent
+ didn't. However, just like before, user-provided posting
+ times will be ignored. Ollivier Robert found this one.
+
+ Robustness: duplicate entries in aliases or maps now cause
+ a warning instead of a fatal error (and an incomplete file).
+
+ Robustness: mkmap now prints a warning when an entry is in
+ "key: value" format, which is the format expected for alias
+ databases, not for maps.
+
+ Portability: on LINUX, prepend "+" to the getopt() options
+ string so that getopt() will stop at the first non-option
+ argument. Suggestion by Marco d'Itri.
+
+19981103
+
+ Cleaned up the set_eugid() and open_as() implementations,
+ and added stat_as() and fstat_as() so that the local delivery
+ agent would look up include files and .forward files with
+ the right privileges.
+
+19981104
+
+ Bugfix: the :include: routine now stat()s/open()s files
+ included by root-owned aliases as root, not as nobody.
+
+ Bugfix: the master crashed when a service with wakeup timer
+ was disabled or renamed. Fix: eliminate some pathological
+ coupling between process management and wakeup management.
+
+ Feature: partial implementation of ETRN (causes a full
+ deferred queue scan). Thanks Lamont Jones for reminding me
+ that things can be useful already before they are perfect.
+
+ Cleanup: simplified the SMTPD tokenizer.
+
+ Bugfix: sendmail -bs didn't properly notify the mail system
+ of new mail.
+
+ Compatibility: the MAIL FROM and RCPT TO commands now accept
+ the most common address forms without enclosing <>. The <>
+ is still needed for addresses that contain a "string", an
+ [address], or a colon (:).
+
+19981105
+
+ Bugfix: "master -t" would claim that the master runs when
+ in fact the pid directory does not exist, causing trouble
+ with first time startup (reported by several).
+
+ Portability: added a sane_accept() module that maps all
+ beneficial accept() error results to EAGAIN. According to
+ private communication with Alan Cox, Linux 2.0.x accept()
+ can return a variety of error conditions, so we play safe
+ and allow for any error that may happen because SYN+ACK
+ could not be sent.
+
+ Portability: NETBSD1 uses dotlock files (Perry Metzger).
+
+ Bugfix: the local delivery agent did not canonicalize
+ owner-foo sender addresses, so that local users would see
+ owner-foo instead of owner-foo@$myorigin (Perry Metzger).
+
+ OPENSTEP4 support, similar to NEXTSTEP3 (Gerben Wierda).
+
+19981106
+
+ Portability: the master startup would take a long time on
+ AIX because AIX has a very large per-process open file
+ limit. Fix is to check the status of only the first couple
+ hundred file descriptors instead. File: master/master.c.
+
+ Bugfix: mail to user@[net.work.addr.ess] was broken because
+ of a reversed test. File: qmgr/qmgr_message.c.
+
+19981107
+
+ Compatibility: don't clobber the envelope sender address
+ when an alias has no owner-foo alias (problem diagnosed by
+ Christophe Kalt).
+
+ Bugfix: mail to local users in include files would be
+ delivered directly if the alias didn't have an owner-foo
+ alias, and if the alias database and include file were
+ owned by root.
+
+ Feature: with user+foo addresses, any +foo address extension
+ that is not explicitly matched in canonical, virtual or
+ alias databases is propagated to the table lookup result.
+
+19981108
+
+ Bugfix: minor memory leak in the user+foo table lookup
+ code.
+
+ Configurability: specify virtual.domain in the virtual map,
+ and mail for unknown@virtual.domain will bounce automatically.
+ The $relay_domains default value now includes $virtual_maps,
+ so the SMTP server will accept mail for the domain. Marco
+ d'Itri put me on the right track.
+
+ Configurability: The mydestinations configuration parameter
+ now accepts /file/name expressions and type:name lookup
+ tables.
+
+ Code cleanup: in order to make the previous two enhancements
+ possible, revised the string/host/address matching engine
+ so it can handle any mixture of strings, /file/name patterns
+ and type:name lookup tables. Files: util/match_{list,ops}.c,
+ global/{domain,namadr,string}_list.c.
+
+19981110
+
+ Code cleanup: replaced remaining isxxx() calls by ISXXX().
+
+19981111
+
+ Bugfix: the "bounce unknown virtual user" code was in the
+ wrong place. Problem tackled with help of Chip Christian.
+
+ Portability: reportedly, Solaris 2.5.1 can hang waiting
+ for a UNIX-domain connection to be accepted, so it gets
+ the same workaround that was designed for LINUX. Problem
+ reported by Scott Cotton.
+
+19981112
+
+ Management: "vmailer stop" now allows delivery agents to
+ finish what they are doing, like "vmailer reload".
+
+ Management; "vmailer abort" causes immediate termination.
+
+ Workaround: zombie processes pile up with HP-UX. Reason:
+ select() does not return upon SIGCHLD when SA_RESTART is
+ specified to sigaction(). Workaround: shorten the select()
+ timer to 10 seconds, #ifdef BRAINDEAD_SELECT_RESTARTS.
+ Thanks, Lamont Jones.
+
+19981117
+
+ Rename: VMailer is now Postfix. Sigh.
+
+19981118
+
+ Cleanup: generalized the safe_open() routine so that it is
+ no longer limited to mailbox files, lock files, etc.
+
+ Bugfix (found during code review): vstream*printf() could
+ run off the end of a stream buffer after an I/O error,
+ because vbuf_print() ignored the result from VBUF_SPACE().
+
+ Bugfix (found during code review): resolve_local() could
+ clobber its argument, but the docs didn't say so.
+
+19981121
+
+ Cleanup: the is_header() routine now allows 8-bit data in
+ header labels.
+
+19981123
+
+ Bugfix (found during code review): the mail_queue_enter()
+ path argument wasn't optional. File: global/mail_queue.c
+
+19981124
+
+ Cleanup: eliminated redundant tests for a zero result from
+ vstream_fdopen(). Unlike the stdio fdopen() routine, the
+ vstream_fdopen() routine either succeeds or never returns.
+
+ Bugfix: the queue manager now looks at the clock before
+ examining a file time stamp, to avoid spurious complaints
+ about time warps on busy machines. File: qmgr/qmgr_active.c.
+
+19981125
+
+ Compatibility: allow trailing dot at the end of user@domain.
+ Address canonicalization now strips it off. Issue brought
+ forward by Eilon Gishri. File: trivial-rewrite/rewrite.c.
+
+ Robustness: changed DNS lookup order of MAIL FROM etc.
+ domains from MX then A to A then MX, just in case the MX
+ lookup fails with a server error.
+
+ Renamed vmcat, vmlock, vmlogger, vmtrigger to postcat,
+ postlock, postlog, postkick. Also renamed mkmap and mkalias
+ to postmap and postalias.
+
+19981126
+
+ Workaround: Lamont Jones found a way for HP-UX to terminate
+ select() after SIGCHLD. The code is #ifdef USE_SIG_RETURN.
+ Files: util/sys_defs.h, master/master_sig.c.
+
+ Bugfix: the Delivered-To: loop detection code had stopped
+ working, when long ago the is_header() routine was changed.
+ File: local/delivered.c.
+
+19981128
+
+ Bugfix: postcat opened queue files read-write, where only
+ read access was needed. File: postcat/postcat.c.
+
+19981129
+
+ Safety: added a sleep(1) to all fatal and panic exits.
+ File: util/msg.c.
+
+19981201
+
+ Robustness: postcat now insists that a file starts with a
+ time record.
+
+ Consistency: added "-c config_dir" command-line options
+ where appropriate.
+
+19981202
+
+ Man pages, on-line version.
+
+19981203
+
+ Man pages, html version; overview documentation.
+
+19981206
+
+ Sendmail silently accepted the unsupported -qRsite and
+ -qSsite options. It now prints an error message and
+ terminates.
+
+ Separated the contributed tree from the IBM code; moved
+ the LDAP and NEXTSTEP/OPENSTEP code to the contributed
+ source tree because obviously I didn't write it.
+
+19981206-9
+
+ Had to write a postconf configuration utility in order to
+ reliably find out about all configuration parameters and
+ their defaults.
+
+ Documentation bugfixes by Matt Shibla, Scott Drassinower,
+ Greg A. Woods.
+
+19981209
+
+ On machines with short hostnames, postconf -d cored while
+ reporting a fatal error. It should not report that error
+ in the first place. Thanks, Eilon Gishri.
+
+ Changed the FAQ entry about rejecting mail for *.my.domain
+ on a firewall. Chip Christian was right, I was wrong.
+
+19981214
+
+ Portability: with GNU getopt, optind is not initially 1,
+ breaking an assumption in sendmail/sendmail.c. Liviu Daia.
+
+ Annoyance: on non-networked systems, don't warn that only
+ one network interface was found. File: global/inet_addr_local.c.
+ Reported by several.
+
+ Bugfix: on non-networked systems, the smtp client assumed
+ that it was running in virtual host mode, and would bind
+ to the loopback interface. File smtp/smtp_connect.c. Liviu
+ Daia, again.
+
+19981220
+
+ Robustness: when looking up an A or MX record, do not give
+ up when the A query fails because of a server error. File
+ dns/dns_lookup.c. Reported by Scott Drassinower.
+
+19981221
+
+ Bugfix: "bounce mail for non-existent virtual user" didn't
+ work when a non-default relay host was configured in main.cf
+ or in the transport table. File: qmgr/qmgr_message.c.
+
+ Bugfix: the maildrop directory should not be world-readable.
+ Files: conf/postfix-script, showq/showq.c.
+
+ Documentation: fixed several omissions and errors.
+
+ Documentation: removed references to the broken recipient
+ feature delimiter configuration parameter.
+
+ Bugfix: write mailbox file as the recipient, so that file
+ quota work as expected.
+
+ Bugfix: pickup would die when it tried to remove a non-file
+ in the maildrop directory (Jeff Wolfe).
+
+19981222
+
+ Sendmail no longer logs the queue ID when it is unable to
+ notify the pickup daemon. This is a late addition to the
+ "unreadable maildrop queue" patch.
+
+ user.lock files are now created as root, so that postfix
+ needs no group directory write permission.
+
+19981224
+
+ Security: allow queue file link counts > 1, to avoid
+ non-delivery of maildrop files with links to a non-maildrop
+ directory. Files: global/mail_open_ok.c, and anything
+ that calls this code (qmgr, pickup, showq). If multiple
+ hard links are a problem, see the set-gid "postdrop" utility
+ below.
+
+19981225
+
+ Robustness: the queue manager no longer aborts when a queue
+ file suddenly disappears (e.g. because the file was removed
+ by hand).
+
+ Feature: when a writable maildrop directory is a problem,
+ sites can make the new "postdrop" utility set-gid. This
+ command is never used when the maildrop directory is
+ world-writable.
+
+ Robustness: make the queue file creation routine more
+ resistant against denial of service race attack. File:
+ global/mail_queue.c
+
+19981226
+
+ New suid_priv module to enable/disable privileges in a
+ set-uid/gid program. In the end I decided to not use it.
+
+19981228
+
+ Robustness: make the pickup daemon more resistant against
+ non-file race attack.
+
+ Cleanup: generic mail_stream.c interface for writing queue
+ file streams to files, daemons or commands. This simplifies
+ the code in smtpd and in sendmail that must be able to pipe
+ mail through the postdrop command. The cleanup daemon has
+ been modified to use the same interface. Result: less code.
+
+ Feature: smtpd now logs the only recipient in Received:
+ headers.
+
+ Feature: separate command and daemon directories. Both
+ default to $program_directory. Install conf/postfix-script
+ if you want to use this feature.
+
+19981230
+
+ Patch to avoid conflict with non-writable top-level Makefile
+ (Lamont Jones).
+
+19981231
+
+ Portability: port to UnixWare 7 by Ronald Joe Record, SCO.
+
+19990104
+
+ Bugfix: fencepost (Jon Ribbens, Oaktree Internet Solutions
+ Ltd.) Files: quote_82[12]_local.c.
+
+ Bugfix: wrong default for relay_domains (Juergen Kirschbaum,
+ Bayerische Landesbank). File: mail_params.h.
+
+ Bugfix: changed 5xx response for "too may recipients" to
+ 4xx. File: smtpd.c.
+
+19990106
+
+ Feature: defer_transports specifies the names of transports
+ that should be used only when "sendmail -q" (or equivalent)
+ is issued. For example, "defer_transports = smtp" is useful
+ for sites that are disconnected most of the time. File:
+ qmgr_message.c.
+
+19990107
+
+ Feature: local_command_shell specifies a non-default shell
+ for delivery to command by the local delivery agent. For
+ example, "local_command_shell = /some/where/smrsh -c"
+ restricts what may appear in "|command" destinations.
+ File: global/pipe_command.c.
+
+19990112-16
+
+ Feature: SMTP command pipelining support based on an initial
+ version by Jon Ribbens, Oaktree Internet Solutions Ltd.
+ This one took several days of massaging before I felt
+ comfortable about it. Files: smtp.c, smtp_proto.c.
+
+ Bugfix: the SMTP server would flush responses one-by-one,
+ which caused suboptimal performance with pipelined clients.
+ The vstream routines now flush the write buffer when the
+ read() routine is called, instead of flushing when the
+ application changes from writing to reading. Delayed flush
+ prevents the SMTP server from flushing responses one-by-one
+ and thus triggering Nagle's algorithm. File: util/vstream.c.
+
+19990117
+
+ Bugfixes and enhancements to the smtpstone tools by Drew
+ Derbyshire, Kendra Electronic Wonderworks: send helo command,
+ send message headers, format the message content to lines
+ < 80, work around NT stacks, make "." recognition more
+ robust. Files: smtp-source.c, smtp-sink.c.
+
+ Strategy: look at the deferred queue only when the incoming
+ queue is empty; limit the number of recipients read from
+ a queue file depending on the number of recipients already
+ in core. Files: qmgr.c, qmgr_message.c.
+
+ Feature: postponed anti-UCE restrictions. The decision to
+ reject junk mail on the basis of the client name/address,
+ HELO hostname or sender address can now be postponed until
+ the RCPT TO command (or HELO or MAIL FROM if you like).
+ File: smtpd_check.c.
+
+19990118
+
+ Feature: incremental updates of alias databases and of
+ other lookup tables. Both postalias and postmap now take
+ a -i option for incremental updates from standard input.
+ Files: global/mkmap_*.c, post{map,alias}/post{map,alias}.c.
+
+ Compatibility: newaliases can now update multiple alias
+ databases: list them in the "alias_database" parameter in
+ main.cf. By the same token, postalias can now update multiple
+ maps in one command. Files: post{map,alias}/post{map,alias}.c
+
+ Feature: mail to <> is now sent to the address specified
+ with the "empty_address_recipient" configuration parameter
+ which defaults to MAILER-DAEMON (idea by Lamont Jones,
+ Hewlett-Packard). File: cleanup/cleanup_envelope.c.
+
+ Compatibility: the transport table now uses .domain.name
+ to match subdomains, just like sendmail mailer tables (patch
+ by Lamont Jones, Hewlett-Packard).
+
+ Feature: mailq now ends with a total queue size summary
+ (Eilon Gishri, Israel Inter University Computation Center).
+
+19990119
+
+ Feature: address masquerade exceptions for user names listed
+ in the "masquerade_exceptions" configuration parameter.
+ File: cleanup/cleanup_masquerade.c.
+
+ Feature: qmail-style maildir support, based on initial code
+ by Kevin W. Brown, Quantum Internet Services Inc.
+
+ Workaround: Solaris 2.something connect() fails with
+ ECONNREFUSED when the system is busy (Chris Cappuccio,
+ Empire Net). File: global/mail_connect.c.
+
+ Feature: the cleanup service now adds a Return-Path: header
+ when none is present. This header is needed for some mail
+ delivery programs (see below). File: cleanup_message.c.
+
+ Feature: the pipe mailer now supports $user, $extension
+ and $mailbox macros in command-line expansions. This, plus
+ the Return-Path: header (see above), should be sufficient
+ to support cyrus IMAP out of the box. Based on initial
+ code by Joerg Henne, Cogito Informationssysteme GMBH.
+ File: pipe/pipe.c.
+
+ Bugfix: with address extensions enabled, canonical and
+ virtual lookups now are done in the proper order:
+ user+foo@domain, user@domain, user+foo, user, @domain.
+ File: global/mail_addr_find.c.
+
+19990119
+
+ Feature: the local mailer now prepends a Received: message
+ header with the queue ID to forwarded mail, in order to
+ make message tracing easier. File: local/forward.c.
+
+ Cleanup: after "postfix reload", no more broken pipe
+ complaints from resolve/rewrite clients.
+
+19990121
+
+ Feature: pickup (again) logs uid and sender address. On
+ repeated request by Scott Cotton, Internet Consultants
+ Group, Inc.
+
+ Portability: doze() function for systems without usleep().
+
+ Cleanup: clients are now consistently logged as host[address].
+
+19990122
+
+ Maildir support changed: specify "home_mailbox = Maildir/".
+ The magic is the trailing /. Suggested by Daniel Eisenbud,
+ University of California at Berkeley.
+
+ Maildir support from aliases, :include: and .forward files.
+ Specify /file/name/ - the trailing / is required. Suggested
+ by Daniel Eisenbud, University of California at Berkeley.
+
+ Workaround: watchdog timer to prevent the queue manager
+ from locking up on some systems.
+
+ Bugfix: in Received: headers, the "for <recipient>"
+ information was in the wrong place. Pointed out by Jon
+ Ribbens, Oaktree Internet Solutions Ltd.
+
+19990124
+
+ Portability: more workarounds for GNU getopt() by Liviu
+ Daia, Institute of Mathematics, Romanian Academy. File:
+ sendmail/sendmail.c.
+
+19990125
+
+ Bugfix: Postfix should not masquerade recipient addresses
+ extracted from message headers. Problem reported by David
+ Blacka, Network Solutions. File: cleanup/cleanup_message.c.
+
+19990126
+
+ Feature: smtpd_etrn_restrictions parameter to restrict who
+ may use ETRN and what domains may be specified. Example:
+ "smtpd_etrn_restrictions = permit_mynetworks, reject".
+ Requested by Jon Ribbens, Oaktree Internet Solutions Ltd.
+ File: smtpd/smtpd_check.c.
+
+19990127
+
+ Bugfix: in an attempt to shave some cycles, the anti junk
+ mail routines would use the wrong resolved address. This
+ "optimization" is now turned off. Problem reported by Sam
+ Eaton, Pavilion Internet Plc. File: smtpd/smtpd_check.c.
+
+ Feature: BIFF notifications. For compatibility reasons
+ this feature is on by default. This "protocol" can be a
+ real performance pig. Specify "biff = no" in main.cf if
+ your machine has lots of shell users. Feature requested by
+ Dan Farmer - it's one of the things one does for friends.
+ Files: local/mailbox.c, local/biff_notify.c.
+
+ Bugfix: another case sensitivity problem, this time with
+ virtual lookups to recognize unknown@virtual.domain.
+ Problem reported by Bo Kleve, Linkoping University. File:
+ qmgr/qmgr_message.c.
+
+19990128
+
+ Feature: with "soft_bounce = yes", defer delivery instead
+ of bouncing mail. This is a safety net for configuration
+ errors with delivery agents. It has no effect on errors in
+ virtual maps, canonical maps, or in junk mail restrictions.
+ Feature requested by Bennett Todd. File: global/bounce.c.
+
+19990129
+
+ Compatibility: the qmail maildir.5 documentation prescribes
+ maildir file names of the form time.pid.hostname, which is
+ wrong because Postfix processes perform multiple deliveries.
+ Elsewhere the qmail author has documented how maildir files
+ should be named under such conditions. Postfix has been
+ changed to be conformant. File: local/maildir.c.
+
+19990131
+
+ Feature: special treatment of owner-foo and foo-request
+ can be turned off. Specify "owner_request_special = no".
+ Requested by Matthew Green and others. Files: local/alias.c,
+ global/split_addr.c. This affects canonical, virtual and
+ alias lookups.
+
+19990204
+
+ Portability: signal handling for HP-UX 9 by Lamont Jones
+ of Hewlett Packard. File: master/master_sig.c.
+
+ Robustness: disable random walk inside a per-site queue to
+ avoid message starvation under heavy load. File: qmgr_entry.c.
+
+ Robustness: under some conditions the queue manager could
+ declare a host dead after just one delivery failure. File:
+ qmgr_queue.c.
+
+19990212
+
+ Feature: skip SMTP servers that greet us with a 4XX status
+ code. Example: "smtp_skip_4xx_greeting = yes". By default,
+ the Postfix SMTP client defers delivery when a server
+ declines talking to us. File: smtp/smtp_connect.c.
+
+ Robustness: upon startup the queue manager now moves active
+ queue files to the incoming queue instead of the deferred
+ queue, to avoid anomalous delivery delays on systems that
+ have a huge incoming queue. Files: qmgr/qmgr.c,
+ qmgr/qmgr_active.c, global/mail_flush.c, conf/postfix-script*
+
+19990213
+
+ Robustness: added watchdog timers to avoid getting stuck
+ on systems with broken select() socket implementations.
+ File: qmgr_transport.c, qmgr_deliver.c.
+
+19990218
+
+ Feature: NFS-friendly delivery to mailbox by avoiding the
+ use of root privileges as much as possible. With input by
+ Mike Muus, Army Research Lab, USA.
+
+ Feature: the smtp-sink test server now supports SMTP command
+ pipelining. To this end we had to generalize the timer and
+ vstream support. Poor performance is fixed 19990222.
+
+ Cleanup: timer event routines now have the same interface
+ as read/write event routines (event type + context). File:
+ util/events.c.
+
+ Feature: new vstream_peek() routine to tell how much unread
+ data is left in a VSTREAM buffer. This is the vstream
+ variant of the peekfd() routine for kernel read buffers.
+ File: util/vstream.c.
+
+ Feature: directory scanning support for hashed mail queue
+ directories. So far the results are disappointing: with
+ depth = 2 (16 directories with 16 subdirectories), mailq
+ takes 5 seconds with an empty queue unless all directories
+ happen to be cached in memory. We need a bit map before
+ hashed queue directories become practical. Depth=1 hashing
+ doesn't slow down mailq much, but doesn't help much either.
+ Files: util/scan_dir.c, global/mail_scan_dir.c.
+
+19990221
+
+ Workaround: with "ignore_mx_lookup_error = yes", the SMTP
+ client always performs an A lookup when an MX lookup could
+ not be completed, rather than treating MX lookup failure
+ as a temporary error condition. Unfortunately there are
+ many broken DNS servers on the Internet. File: smtp/smtp_addr.c.
+
+19990222
+
+ Performance: rewrote the guts of the smtp-sink test server
+ so it can do pipelining without losing performance.
+
+19990223
+
+ Workaround: hotmail.com sometimes drops the connection
+ after "." (causing misleading diagnostics to be logged) or
+ waits minutes after receiving QUIT. Solution: do not wait
+ for the response to QUIT. File: smtp/smtp_proto.c. This
+ is turned off with: "smtp_skip_quit_response = no".
+
+19990224
+
+ Feature: the pipe mailer accepts user=username:groupname,
+ based on code submitted by Philip A. Prindeville, Mirapoint,
+ Inc., USA. File: pipe/pipe.c.
+
+ Workaround: use file locking to prevent multiple processes
+ from select()ing on the same socket. This causes performance
+ problems on large BSD systems. Files: master/*_server.c.
+
+19990225
+
+ Bugfix: with "inet_interfaces = 127.0.0.1", don't bind to
+ the loopback interface. Problem reported by Steve Bellovin
+ of AT&T. File: smtp/smtp_addr.c.
+
+ Feature: "postsuper" command to remove stale queue files
+ to update queues after changes to the queue structure
+ parameters (hash_queue_names, hash_queue_depth). This
+ command is to be run from the postfix-script maintenance
+ shell script.
+
+19990301
+
+ Feature: new postconf -h (suppress `name = ' in output)
+ option to make the program easier to use in, e.g., shell
+ scripts.
+
+ Feature: dict_unix module so you can add the UNIX passwd
+ table to the SMTPD access control list.
+
+19990302
+
+ Feature: "luser_relay = destination" captures mail for
+ non-existent local recipients. This works only when the
+ local delivery agent does mailbox delivery (including
+ delivery via mailbox_command), not when mailbox delivery
+ is delegated to another message transport.
+
+ Feature: new reject_non_fqdn_{hostname,sender,recipient}
+ restrictions to require fully.qualified.domain forms in
+ HELO, MAIL FROM and RCPT TO commands (while still allowing
+ the <> sender address).
+
+19990304
+
+ Bugfix: backed out the 19990119 change to always insert
+ Return-Path: if that header is not present. The pipe and
+ local agents now are responsible for prepending Return-Path:.
+ Files: cleanup/cleanup_message.c, global/mail_copy.[hc],
+ pipe/pipe.c, global/header_opts.c. This causes an incompatible
+ change to the pipe flags parameter, because Return-Path:
+ now must be requested explicitly.
+
+19990305
+
+ Bugfix: showq (the mailq server) incorrectly assumed that
+ all recipients of a deferred message are listed in the
+ corresponding defer logfile. It now lists all recipients.
+ Files: showq/showq.c, cleanup/cleanup_envelope.c (ensure
+ that sender records always precede recipient records).
+
+ Cleanup: smtpd HELO restrictions validate [numerical] forms.
+ Files: util/valid_hostname.c, smtpd/smtpd_check.c. Initial
+ code by Philip A. Prindeville, Mirapoint, Inc., USA.
+
+19990306
+
+ Cleanup: re-vamped the valid_hostname module, and added a
+ maximal label length (63) requirement.
+
+ Feature: fallback_relay parameter to specify extra backup
+ hosts in case the regular relay hosts are not found or not
+ available. Files: smtp/smtp_addr.c.
+
+ Feature: "always_bcc = address" specifies where to send a
+ copy of each message that enters he system. However, if
+ that copy bounces, the sender will be informed of the
+ bounce. Files: smtpd/smtpd.c, pickup/pickup.c
+
+ Compatibility: the transport map will now route on top-level
+ domains, so you can dump all of .bitnet to a bitnet relay.
+
+19990307
+
+ Feature: LDAP lookups, updated by Jon Hensley, Merit Network,
+ USA.
+
+ Feature: regular expression (PCRE) support by Andrew
+ McNamara, connect.com.au Pty. Ltd., Australia. In order to
+ use this code specify pcre:/file/name. You can use this
+ anywhere you would use a DB or DBM file, NIS or LDAP. See:
+ PCRE_README for how to enable this code.
+
+ Feature: "delay_warning_time = 4" causes Postfix to send
+ a "your mail is delayed" notice after approx. 4 hours.
+ Daniel Eisenbud, University of California at Berkeley.
+ Files: qmgr/qmgr_active.c, qmgr/qmgr_message. Postmaster
+ notices for delayed mail are disabled by default. In order
+ to receive postmaster notices, specify "notify_classes =
+ ... delay ...".
+
+ Cleanup: do not send undeliverable bounced mail to postmaster.
+ This was causing lots of pain with junk mail from bogus
+ sender addresses to non-existent recipients. This change
+ was reversed 19990311.
+
+19990308
+
+ Bugfix: the dotforward routine was too eager with throwing
+ away extension information, so that the Delivered-To: info
+ would differ for \mailbox and |command. Problem reported
+ by Rafi Sadowski, Open University, Israel.
+
+ Bugfix: seems I never got around to fix the btree access
+ method. I finally did. Problem reported by: Matt Smith,
+ AvTel Communications Inc., USA.
+
+19990311
+
+ Back by popular demand: with "notify_classes = 2bounce ..."
+ Postfix will send undeliverable bounced mail to postmaster.
+ The default is to not send double bounces. This change
+ reverses a change made on 19990307.
+
+19990312
+
+ Feature: configurable exit handler for server skeletons.
+ Philip A. Prindeville, Mirapoint, Inc., USA. Files:
+ master/*server.c.
+
+ Feature: mail_spool_directory configuration parameter to
+ specify the UNIX mail spool directory. The default setting
+ is system dependent.
+
+19990313
+
+ Cleanup: share file descriptors for resolve and rewrite
+ client connections. This puts less strain on the trivial-rewrite
+ service.
+
+ Portability: support for UnixWare 2.1 by Dmitry E. Kiselyov,
+ Nizhny Novgorod City Health Emergency Station.
+
+ Feature: configurable delays in the smtpstone test programs.
+ With input by Philip A. Prindeville, Mirapoint, Inc., USA.
+ Files: smtpstone/*.c.
+
+ Bugfix: a "signal 11" problem in the trivial-rewrite program
+ that would occasionally happen after "postfix reload".
+ Reason: some rewrite clients would clobber their input,
+ and when they had to retransmit the query, the input would
+ be a zero-length string, which trivial-rewrite isn't supposed
+ to receive.
+
+19990314
+
+ Feature: "mailbox_transport = cyrus" delegates all local
+ mailbox delivery to a master.cf entry called "cyrus" (the
+ same trick for procmail), including users not found in the
+ UNIX passwd database. This gives the flexibility of $name
+ expansions by the pipe mailer, without losing local aliases
+ and ~/.forward processing. Result of discussions with Rupa
+ Schomaker, RS Consulting.
+
+19990315
+
+ Feature: the mydestination parameter can now be an empty
+ string, for hosts that don't receive any mail locally. Be
+ sure to specify a default route for mail that comes to the
+ machine or mail will loop.
+
+19990316
+
+ Bugfix: the SMTPD check scaffolding didn't apply the same
+ sanity checks as the production code. Problem reported by
+ Alain Thivillon, Herve Schauer Consultants, France. File:
+ smtpd/smtpd_check.c.
+
+ Portability: some systems can have more than 59 seconds in
+ a minute. Based on a fix by Liviu Daia, Institute of
+ Mathematics, Romanian Academy. File: global/mail_date.c.
+
+ Enhancement: include the client network address in the
+ rejected by RBL response. Lamont Jones, Hewlett-Packard.
+
+ Workaround: use fstat() to figure out if the maildrop is
+ world-writable. access() uses the real uid, which stinks.
+
+ Robustness: don't do partial address lookups (user@, domain,
+ user, @domain) with regexp-style tables.
+
+ Security: don't allow regexp-style tables to be used for
+ aliases. It would be too easy to slip in "|command" or
+ :include: or /file/name.
+
+19990317
+
+ Feature: "fallback_transport = cyrus" delegates non-UNIX
+ recipients to a master.cf entry called "cyrus", allowing
+ you to have both UNIX and non-UNIX mailboxes side by side.
+
+19990319
+
+ Workaround: on 4.4 BSD derivatives, fstat() can return
+ EBADF on an open file descriptor. Now, that was a surprise.
+ This caused std{out,err} from cron commands to not be
+ delivered.
+
+ Bugfix: "local -v" stopped working.
+
+ Workaround: more watchdog timers for postfix-unfriendly
+ systems. By now every Postfix daemon has one. Call it life
+ insurance.
+
+ Robustness: increased the maximal time to receive or deliver
+ mail from $ipc_timeout (default: 3600 seconds) to the more
+ generous $daemon_timeout (default: 18000 seconds). We don't
+ want false alarms.
+
+ Portability: IRIX 5.2 does not have usleep().
+
+19990320
+
+ Bugfix: \username was broken. Frank Dziuba was the first
+ to notice.
+
+19990321
+
+ Workaround: from now on, Postfix on Solaris uses stream
+ pipes instead of UNIX-domain sockets. Despite workarounds,
+ the latter were causing more trouble than anything else on
+ all systems combined.
+
+19990322
+
+ Portability: the makedefs would mis-identify IRIX 6.5.x as
+ IRIX 5.x. Fix by Brian Truelsen of Maersk Mc-Kinney Moller
+ Institute for Production Technology, Denmark.
+
+ Feature: reject_unknown_recipient_domain restriction for
+ recipient addresses. For the sake of symmetry, we now also
+ have reject_unknown_sender_domain. This means the old
+ reject_unknown_address restriction is being phased out.
+ Suggested by Rask Ingemann Lambertsen, Denmark Technical
+ University.
+
+ Feature: unknown sender/recipient domain restrictions now
+ distinguish between soft errors (always: 450) and hard
+ errors (configurable with the unknown_address_reject_code
+ parameter, default: 450; use 550 at your own risk).
+
+ Feature: no HELO junk mail restrictions means that no syntax
+ check will be done on HELO/EHLO hostname arguments.
+
+ Bugfix: the initial Solaris workaround for UNIX-domain
+ sockets could cause the queue manager to block if Postfix
+ ran into a delivery agent process limit. After another code
+ rewrite that problem is eliminated. Thanks to Chris
+ Cappuccio, Empire Net, for assistance with testing.
+
+19990323
+
+ Bugfix: too much forwarding when users list their own name
+ in their .forward file (e.g. mail to user@localhost would
+ go through .forward, would be forwarded to user@$myorigin,
+ and would go through .forward again). Problem reported by
+ Roman Dolejsi, Prague University of Economics.
+
+19990324
+
+ Bugfix: missing map name in check_xxx_access restrictions
+ could cause a segmentation error. Lamont Jones, Hewlett-
+ Packard.
+
+ Feature: forward_path configuration parameter (default:
+ $home/.forward$recipient_delimiter$extension,$home/.forward).
+ Based on initial code by Philip A. Prindeville, Mirapoint,
+ Inc., USA. Files: local/dotforward.c.
+
+19990325
+
+ Workaround: Solaris NIS alias maps need special entries
+ (YP_MASTER_NAME, YP_LAST_MODIFIED). What's worse, normal
+ keys/values include a null byte at the end, but the YP_XXX
+ ones don't. Problem reported by Walcir Fontanini, state
+ university of Campinas, Brazil. File: postalias/postalias.c.
+
+ Compatibility: Solaris NIS apparently does include a null
+ byte at the end of keys and values. File: util/sys_defs.h.
+
+ Feature: library support for config parameters that are
+ not $name expanded at program start-up. This was needed
+ for forward_path, and will also be needed to make message
+ headers customizable.
+
+ Bugfix: pcre didn't handle \\ right. Lamont Jones, Hewlett-
+ Packard. File: util/dict_pcre.c.
+
+19990326
+
+ Compatibility: Postfix now puts two spaces after the sender
+ in a "From sender date..." header. Found by John A. Martin,
+ fixed by Lamont Jones, Hewlett-Packard.
+
+ Bugfix: when a recipient appeared multiple times in a local
+ alias or include expansion, the delivery status could be
+ left uninitialized, causing the mail to be deferred and
+ delivered again. File: local/recipient.c.
+
+19990327
+
+ Cleanup: the dictionary routines now take an extra flag
+ argument to control such things as warning about duplicates,
+ and appending null bytes to key/value. The latter was needed
+ for a clean implementation of NIS master alias maps support.
+
+ Feature: POSIX regular expressions by Lamont Jones. See
+ config/sample-regexp.c. Right now, enabled on *BSD and
+ LINUX only.
+
+19990328
+
+ Code cleanup: dictionaries now have flags that say whether
+ lookup keys are fixed strings or whether keys are subjected
+ to pattern matching. This is needed to avoid passing partial
+ addresses to regexp-based lookup tables (user, @domain,
+ user@, domain). Files: util/dict*.c.
+
+ Bugfix: fixed memory leaks and core dumps in the regexp
+ and pcre routines (neither handled an empty pattern file).
+
+19990329
+
+ Code cleanup: the dictionary I/O routines now do their own
+ locking depending on dictionary flag settings. This means
+ that the low-level dict_get() interface can now be used
+ for safe dictionary lookups. This is needed for 19990328's
+ partial lookup key support. Files: util/dict*.c. global/maps.c.
+
+ Feature: regular expression matches are no longer limited
+ to user@domain address forms in access/canonical/virtual
+ maps, but can also be used for domains in transport maps.
+ This needed the partial lookup key support to avoid passing
+ partial addresses to regexp-based lookup tables (user,
+ @domain, user@, domain). Files: global/maps.c
+ global/mail_addr_find.c.
+
+ Feature: new dictionary types can be registered with
+ dict_open_register(). File: util/dict_open.c.
+
+19990330
+
+ Bug fix: match_list membership dictionary lookups were case
+ sensitive when they should not. Patch by Lutz Jaenicke,
+ BTU Cottbus, Germany.
+
+19990402
+
+ Feature: $domain macro support in forward_path. Philip A.
+ Prindeville, Mirapoint, Inc., USA. File: local/dotforward.c.
+
+ Feature: if an address extension (+foo) is explicitly
+ matched by the .forward+foo file name, do not propagate
+ the extension to recipient addresses. This is more consistent
+ with the way aliases are expanded. File: local/dotforward.c.
+
+19990404
+
+ Bugfix: after receiving mail, the SMTP server didn't reset
+ the cleanup error flag, so that multiple deliveries over
+ the same SMTP session could fail due to errors with previous
+ deliveries. Found by Lamont Jones, Hewlett-Packard.
+
+19990405
+
+ Feature: MIME-encapsulated bounces. Philip A. Prindeville,
+ Mirapoint, Inc., USA. File: bounce/bounce_notify_service.c
+
+ Cleanup: vstreams now properly look at the EOF flag before
+ attempting to read, eliminating the need for typing Ctrl-D
+ twice to test programs; the EOF flag is reset after each
+ unget or seek operation. Files: util/vstream.c, util/vbuf.c.
+
+ Feature: in preparation for configurable message headers
+ the mac_parse() routine now balances the parentheses in
+ ${name} or $(name). We need this in order to support
+ conditional expressions such as ${name?text} where `text'
+ contains other ${name} expressions.
+
+19990406
+
+ Cleanup: changed MIME header information to make bounces
+ more RFC 1892 compliant.
+
+19990407
+
+ Feature: "best_mx_transport = local" delivers mail locally
+ if the local machine is the best mail exchanger (by default,
+ mail is bounced with a "mail loops back to myself" error).
+
+ Config: in order to make feature tracking easier the source
+ code distribution now has a copy of the default settings
+ in conf/main.cf.default.
+
+ Feature: separate configurable postmaster addresses for
+ single bounces (bounce_notice_recipient), double bounces
+ (2bounce_notice_recipient), delayed mail (delay_notice_recipient),
+ and for other mailer errors (error_notice_recipient). The
+ default for all is "postmaster".
+
+19990408
+
+ Workaround: on Solaris 2.x, the master appears to lose its
+ exclusive lock on the master.pid file, so keep grabbing
+ the lock each time the master wakes up from select().
+
+ Robustness: don't flush VSTREAM buffers after I/O error.
+ This prevents surprises when calling vstream_fclose() after
+ truncating a mailbox to its original size.
+
+ Portability: on LINUX systems, if <db_185.h> exists, don't
+ look for <db/db.h>.
+
+ Workaround: specify "sun_mailtool_compatibility = yes" to
+ avoid clashes with the mailtool application. This disables
+ kernel locks on mailbox files. Use only where needed.
+
+ Portability: renamed readline to readlline, to avoid clashes
+ with mysql.
+
+19990409
+
+ Bugfix: ignore temp queue files that aren't old enough.
+ Problem reported by Vivek Khera, Khera Communications, Inc.
+
+ Bugfix: fixed typo in dict_db.c that caused processes to
+ not release DB shared locks.
+
+ Feature: auto-detection of changes to DB or DBM lookup
+ tables. This avoids the need to run "postfix reload" after
+ change to the smtp access table and other tables.
+
+ Feature: regular expression checks for message headers.
+ This requires support for POSIX or for PCRE regular
+ expressions. Specify "header_checks = regexp:/file/name"
+ or "header_checks = pcre:/file/name", and specify
+ "/^header-name: badstuff/ REJECT" in the pattern file
+ (patterns are case-insensitive by default). Code by Lamont
+ Jones, Hewlett-Packard. It is to be expected that full
+ content filtering will be delegated to an external command.
+
+19990410
+
+ Bugfix: auto-detection of changes to DB or DBM lookup tables
+ wasn't done for TCP connections.
+
+19990410
+
+ Feature: $recipient expansion in forward_path. Philip A.
+ Prindeville, Mirapoint, Inc., USA. File: local/dotforward.c
+
+ Feature: the smtp client consistently treats a numerical
+ hostname as an address. File: smtp/smtp_addr.c.
+
+19990414
+
+ Compatibility: support comment lines starting with # in
+ $mydestination include files. This makes Postfix more
+ compatible with sendmail.cw files. File: util/match_list.c.
+
+ Feature: if your machines have short host names, specify
+ "mydomain = domain.name", and you no longer have to specify
+ "myhostname = host.domain.name". Files: global/mail_params.c,
+ postconf/postconf.c.
+
+19990420
+
+ Cleanup: bounce mail when a mailbox goes over file quota,
+ instead of deferring delivery. File: local/mailbox.c.
+
+19990421
+
+ Feature: auto-detection of changes to DB or DBM lookup
+ tables now includes the case where a file is unlinked.
+ Philip A. Prindeville, Mirapoint, Inc., USA. File:
+ util/dict.c.
+
+19990422
+
+ Robustness: Lotus mail sends MAIL FROM: <@> instead of <>.
+ Problem reported by Erik Toubro Nielsen, IFAD, Denmark.
+ Files: trivial-rewrite/rewrite.c (@ becomes empty address)
+ and global/rewrite_clnt.c (allow empty response).
+
+ Bugfix: showq could segfault when writing to a broken pipe.
+ Problem reported by Bryan Fullerton, Canadian Broadcasting
+ Corporation. Files: util/vbuf_print.c.
+
+ Cleanup: got rid of the "fatal: write error: Broken pipe"
+ message when mailq output is piped into a program that
+ terminates early.
+
+ Cleanup: bounce messages are multipart/mixed with the error
+ report as part of the first message segment, because users
+ had trouble extracting the delivery error report from the
+ attachment.
+
+19990423
+
+ Cleanup: the default junk mail reject code is now 554
+ (service unavailable) rather than 550 (user unknown).
+
+ Folded in the updated dict_ldap.c module by John Hensley,
+ Merit Network, USA.
+
+ Folded in the vstream_popen.c updates by Philip A.
+ Prindeville, Mirapoint, Inc., USA. This copies a lot of
+ code from pipe_command(); the next step is to trim that
+ module.
+
+19990425
+
+ Workaround: renamed config.h to mail_conf.h etc. in order
+ to avoid name collisions with LINUX (yes, they have a system
+ include file called config.h). For compatibility with people
+ who have written software for Postfix, there's a config.h
+ that aliases the old names to the new ones. That file will
+ go away eventually.
+
+19990426
+
+ Feature: error mailer, in order to easily bounce mail for
+ specific destinations. In the transport table, specify:
+ "host.domain error:host.domain is unavailable". Too bad
+ that the transport table triggers on destination domain
+ only; it would be nice to bounce specific users as well.
+
+19990427
+
+ Cleanup: "disable_dns_lookups = yes" now should disable
+ all DNS lookups by the SMTP client.
+
+19990428
+
+ Bugfix: with DBM files, Postfix was watching the "dir" file
+ modification time for changes. It should be watching the
+ "pag" file instead.
+
+19990429
+
+ Cleanup: all callbacks in the master to server API now pass
+ on the service name and the application-specific argument
+ vector. Files: master/*server.c.
+
+19990504
+
+ Feature: conditional macro expansion. ${name?text} expands
+ to text when name is defined, otherwise the result is empty.
+ ${name:text} expands to text when name is undefined,
+ otherwise the result is empty. File: util/mac_expand.c.
+
+ Feature: conditional macro expansion of the forward_path
+ configuration parameters of $user, $home, $shell, $recipient,
+ $extension, $domain, $mailbox and $recipient_delimiter.
+ Files: local/dotforward.c, local/local_expand.c.
+
+19990506
+
+ Cleanup: eliminated misleading warnings about unknown HELO
+ etc. SMTPD restrictions when the HELO etc. information is
+ not available. File: smtpd/smtpd_check.c.
+
+19990507
+
+ Feature: all smtpd reject messages now contain the MAIL
+ FROM and RCPT TO addresses, if available.
+
+19990508
+
+ Feature: conditional macro expansion of the luser_relay
+ configuration parameter. It is no longer possible to specify
+ /file/name or "|command" destinations. File: local/unknown.c.
+
+ Cleanup: changed the mac_parse interface so that the
+ application callback routine can return status information.
+ Updated the dict_regexp and dict_pcre modules accordingly.
+
+ Cleanup: changed the mac_expand interface so that the caller
+ provides an attribute lookup routine, instead of having to
+ provide a copy of all attributes upfront. Files:
+ util/mac_expand.c, local/local_expand.c.
+
+ Feature: control over how address extensions are propagated
+ to other addresses. By default, propagation of unmatched
+ address extensions is now restricted to canonical and
+ virtual mappings. Specify "propagate_unmatched_extensions
+ = canonical, virtual, alias, forward, include" to restore
+ previous behavior.
+
+19990509
+
+ Feature: USER, EXTENSION, DOMAIN, RECIPIENT (entire address)
+ and MAILBOX (address localpart) environment variables are
+ exported to shell commands (including mailbox_command).
+
+ Feature: new command_expansion_filter parameter to control
+ what characters may appear in message attributes that are
+ exported via environment variables.
+
+ Cleanup: SMTPD reject messages are more informative, and
+ more complete sender/recipient information is logged for
+ the local sysadmin.
+
+19990510
+
+ Bugfix: missing MIME header in postmaster bounce notices.
+ Found by Samuel Tardieu, Ecole Nationale Superieure des
+ Telecommunications, France.
+
+ Feature: UCE restrictions are always delayed until RCPT
+ TO, VRFY or ETRN. To change back to the default specify
+ "smtpd_delay_reject = no" in /etc/postfix/main.cf.
+
+ Bugfix: missing duplicate filter call. This caused too many
+ deliveries when a user is listed multiple times in an alias.
+ Reported by Hideyuki Suzuki, School of Engineering, University
+ of Tokyo. Backed out on 19990512 because it caused problems.
+ Fixed 19990513 but needs further study.
+
+ Feature: it is now possible to move queue files back into
+ the maildrop queue, so that they can benefit from changes
+ in canonical and virtual mappings. In order to make this
+ possible, some restrictions on queue file contents were
+ relaxed. Files: pickup/pickup.c, cleanup/cleanup_extracted.c.
+
+ Feature: made a start with integrating Joerg Henne's
+ dictionary extensions to remove entries and to iterate over
+ entries. That code is almost four months old by now.
+
+19990511
+
+ Feature: added a "undeliverable postmaster notification
+ discarded" warning when mail is dropped on the floor.
+ Requested by Michael Hasenstein, SuSE, Germany.
+
+19990517
+
+ Bugfix: reject_non_fqdn_sender/recipient would pass
+ user@[ip_address] regardless of destination. Eric Cholet
+ had the honor of suffering from this one.
+
+19990527
+
+ More SMTP client logging for easier debugging: the smtp
+ client now logs hostname[ip.addr], and logs every failed
+ attempt to reach an MX host, not just the last one.
+
+19990601
+
+ Bugfix: emit a blank line before a MIME boundary; the line
+ is part of the boundary. File: bounce/bounce_notify_service.c.
+ Wolfgang Segmuller, IBM Research.
+
+19990610
+
+ Bugfix: the "is this the loopback interface" test was
+ broken. Reported by Claus Fischer @microworld.com. File:
+ smtp/smtp_connect.c.
+
+ Usability: added helpful warnings about restrictions that
+ are being ignored after check_relay_domains, etc.
+
+ Portability: Reliant Unix support by Gert-Jan Looy, Siemens,
+ the Netherlands.
+
+19990611
+
+ Robustness: the postfix-script start-up procedure now
+ detects a missing master program, avoiding misleading
+ warnings that the mail system is already running. Fix
+ suggested by David E. Smith @technopagan.org.
+
+ Portability: Mac OS X Server Port by Mark Miller @swoon.net.
+
+ Feature: on systems that use dotlock files for mailbox
+ locking, the local delivery agent now will attempt to use
+ dotlock files when delivering to user-specified files.
+ Dotlock files for user-specified destinations are created
+ with the privileges of the user. For backwards compatibility,
+ Postfix will attempt to create dotlocks for user-specified
+ destinations only when the user has parent directory write
+ permission.
+
+ Feature: specify "expand_owner_alias = yes" in order to
+ use the right-hand side of an owner- alias, instead of
+ using the left-hand side address. Needed by Juergen Georgi.
+
+19990622
+
+ Bugfix: the local delivery agent did not set user attributes
+ when delivering to root, so that forward_path did not expand
+ properly. Found by Jozsef Kadlecsik, KFKI Research Institute
+ for Particle and Nuclear Physics, Hungary. File:
+ local/dotforward.c.
+
+ Bugfix: the unix:passwd.byname mechanism is not suitable
+ for smtpd access control - the user name would have to end
+ in @, or the access control software would have to be
+ changed. Removed the example from the RELEASE_NOTES file.
+
+19990623
+
+ Bugfix: the smtp server did not reset the error flag after
+ ".". Found by James Ponder, Oaktree Internet Solutions Ltd.
+ File: smtpd/smtpd.c.
+
+ Bugfix: fencepost error in the doze() routine (an usleep()
+ replacement for systems without one). Found by Simon J
+ Mudd. File: util/doze.c.
+
+19990624
+
+ Portability: support for AIX 3.2.5 (!) by Florian Lohoff
+ @rfc822.org.
+
+ Portability: Ultrix 4.3 support by Christian von Roques
+ @pond.sub.org.
+
+ Feature: mysql support by Scott Cotton and Joshua Marcus,
+ Internet Consultants Group, Inc. Files: util/dict_myqsl.*.
+
+19990627
+
+ Bugfix: Postfix is now distributed under the new IBM Public
+ License (version 1, dated June 14, 1999).
+
+ Feature: the Delivered-To: header can be turned off for
+ delivery to command or file/mailbox. The default setting
+ is: "prepend_delivered_header = command, file, forward".
+ Turning off the Delivered-To: header when forwarding mail
+ is not recommended.
+
+19990628
+
+ Feature: the postlock command now returns EX_TEMPFAIL when
+ the destination file is locked by another process.
+
+19990705
+
+ Workaround: in the SMTP client, move the "mail loops back
+ to myself test" from the 220 greeting to the HELO response.
+ This change does not weaken the test, and makes Postfix
+ more robust against broken software that greets with the
+ client hostname.
+
+19990706
+
+ Workaround: in the INSTALL file, use `&&' instead of `;'
+ in (cd path; tar ...) pipelines because some UNIX re-invented
+ shells don't bail out when cd fails. Matthias Andree
+ @stud.uni-dortmund.de.
+
+19990709
+
+ Bugfix: $user was not set when delivering to a non-user.
+ Found by Vladimir Ulogov @ rohan.control.att.com when
+ configuring a luser_relay that contained $user.
+
+19990714
+
+ Robustness: add PATH statement to Solaris2 chroot setup
+ script to avoid running the ucb commands. Problem found by
+ Panagiotis Astithas @ ece.ntua.gr.
+
+19990721
+
+ Bugfix: don't claim a "mail loops to myself" error when
+ the best MX host was not found in the DNS. Found by Andrew
+ McNamara, connect.com.au Pty Ltd. File: smtp/smtp_addr.c.
+
+19990810
+
+ Feature: added "-c config_dir" support to the postconf
+ command. This probably means that "-f file" will never be
+ implemented.
+
+19990812
+
+ Bugfix: showq didn't print properly when listing a maildrop
+ file. Fix by: Andrew McNamara, connect.com.au Pty Ltd.
+ File: showq/showq.c.
+
+ Feature: added SENDER to the list of parameters exported
+ to external commands. File: local/command.c. Code by: Lars
+ Hecking, National Microelectronics Research Centre, Ireland.
+
+19990813
+
+ Bugfix: sendmail -t (extract recipients from headers) did
+ not work when the always_bcc feature was turned on. Reported
+ by: Denis Shaposhnikov @ neva.vlink.ru.
+
+19990813
+ Bugfix: "sendmail -bd" returns a bogus exit status (the
+ child process ID). Fix by Lamont Jones of Hewlett-Packard.
+ File: sendmail/sendmail.c.
+
+19990824
+
+ Bugfix: null pointer dereference while rejecting VRFY before
+ MAIL FROM. Found by Laurent Wacrenier @ fr.clara.net.
+
+19990826
+
+ Portability: more MacOS X Server patches; some NEXTSTEP/OPENSTEP
+ code that had been removed for the first public beta release;
+ NEXTSTEP/OPENSTEP now defaults to netinfo for the aliases
+ database. Submitted by Gerben Wierda.
+
+ Portability: workaround for a FreeBSD 3.x active network
+ interface without IP address by Pierre Beyssac @ enst.fr.
+ File: inet_addr_local.c.
+
+19990831
+
+ Workaround: sendmail now prints a warning when installed
+ set-uid or when run by a set-uid command. Reportedly, the
+ linuxconf software turns on the set-uid bit, which could
+ open up a security loophole. File: sendmail/sendmail.c.
+
+ Bugfix: Postfix daemons now temporarily lock DB/DBM files
+ while opening them, in order to avoid "invalid argument"
+ errors because some other process is changing the file.
+ Files: util/dict_db.c, util/dict_dbm.c.
+
+ Robustness: Postfix locks queue files during delivery, to
+ prevent duplicate delivery when "postfix reload" is
+ immediately followed by "sendmail -q". This involves a
+ change of the deliver_request interface: delivery agents
+ no longer need to open and close queue files explicitly.
+ Files: global/deliver_request.c, pipe/pipe.c, smtp/smtp.c,
+ local/local.c, qmgr/qmgr_active.c, qmgr/qmgr_message.c.
+
+ Feature: reject_unauth_destination SMTP recipient restriction
+ that rejects destinations not in $relay_domains. By Lamont
+ Jones of Hewlett-Packard. File: smtpd/smtpd_check.c.
+
+ Security: do not allow weird characters in the expansion
+ of $names that appear in $forward_path. Just like with
+ shell commands, replace bad characters in expansions by
+ underscores. Configuration parameter: forward_expansion_filter.
+
+19990902
+
+ Documentation: added a sample postfix alias to the examples
+ in the INSTALL document and in the conf/aliases file.
+ Reminded by Simon J. Mudd @ alltrading.com.
+
+19990903
+
+ Bugfix: in case of some error conditions the pickup daemon
+ could leak small amounts of memory.
+
+19990905
+
+ Bugfix: no more "skipping further client input" warnings
+ when a message header is rejected.
+
+ Feature: reject_unauth_pipelining SMTP restriction that
+ rejects mail from clients that improperly use SMTP command
+ pipelining.
+
+ Robustness: the LDAP client by default no longer looks up
+ names containing "*". See the lookup_wildcards feature in
+ LDAP_README. Update by John Hensley.
+
+ Documentation: address masquerading with exceptions FAQ by
+ Jim Seymour @ jimsun.LinxNet.com.
+
+ Bugfix: mysql reconnect after disconnect by Scott Cotton
+ Internet Consultants Group, Inc. File: util/dict_myqsl.c.
+
+ Portability: the Postfix to PCRE interface now expects
+ version 2.08. Postfix is no longer compatible with PCRE
+ versions before 2.6.
+
+19990906
+
+ Feature: INSTALL.sh script that makes Postfix installation
+ a bit less painful. This script can be used for installing
+ and for upgrading Postfix. It replaces files instead of
+ overwriting them, and leaves existing configuration and
+ queue files intact.
+
+19990907
+
+ Bugfix: reject_non_fqdn_sender used the wrong test to see
+ if a sender address was given and could dump core. This
+ must have been broken ever since the UCE tests were moved
+ to the RCPT TO stage in 19990510.
+
+ Bugfix: check_sender_access was recognized as a valid
+ restriction name only if a sender had been specified.
+
+19990908
+
+ Portability: Unixware has <sysexits.h> only after sendmail
+ is installed. Changed postlock.c to use global/sys_exits.h.
+
+19990909
+
+ Performance: added one-entry cache to the address rewriting
+ client and to the address resolving client. This is because
+ UCE restrictions tend to produce the same query repeatedly.
+ Files: global/rewrite_clnt.c, global/resolve_clnt.c.
+
+ Feature: the UCE restrictions are now fully recursive so
+ you can have per-client/helo/sender/recipient restrictions.
+ Instead of OK, REJECT or [45]xx, you can specify a sequence
+ of restrictions on the right-hand side of an SMTPD access
+ table. This means you can no longer use canonical/virtual/alias
+ maps as SMTPD access tables. But the loss is compensated
+ for. File: smtpd/smtpd_access.c.
+
+ Feature: restriction classes, essentially a short-hand for
+ restriction lists. These short hands are useful mostly on
+ the right-hand side of SMTPD access tables. You must use
+ restriction classes in order to have lookup tables on the
+ right-hand side of an SMTPD access table. File:
+ smtpd/smtpd_access.c.
+
+ Feature: "permit_recipient_map maptype:mapname" permits a
+ recipient address when it matches the specified table.
+ Lookups are done just as with canonical/virtual maps. With
+ this, you can also use passwd/aliases as SMTPD access maps.
+ File: smtpd/smtpd_access.c.
+
+19990910
+
+ Changed "permit_address_map" into "permit_recipient_map"
+ and added a test for the case that they specify a lookup
+ table on the right-hand side of an SMTPD access map. File:
+ smtpd/smtpd_access.c.
+
+ Cleanup: removed spurious sender address checks for <>.
+ File: smtpd/smtpd_check.c.
+
+ Cleanup: the smtp client now consistently logs host[address]
+ for all connection attempts.
+
+19990919
+
+ Feature: in an SMTPD access map, an all-numeric right-hand
+ side now means OK, for better cooperation with out-of-band
+ authentication mechanisms.
+
+19990922
+
+ Security: recipient addresses must not start with '-', in
+ order to protect external commands. The old behavior is
+ re-instated when main.cf specifies: "allow_min_user =
+ yes". Credits to Mads Kiilerich @ Kiilerich.com. File:
+ qmgr/qmgr_message.c.
+
+ Bugfix: after 19990831, the queue manager would throw away
+ defer logs after deferring mail to known-to-be-dead hosts
+ or message transports. This means that in some cases, mailq
+ would not show why mail is delayed, and that delayed mail
+ could be sent back with recipients missing from the error
+ report. Reported by Giulio Orsero @ tiscalinet.it.
+
+19990923
+
+ Bugfix: the above bugfix broke bounces of mail with bad
+ address syntax and relocated users. Problem diagnosed by
+ Dick Porter @ acm.org.
+
+ Documentation: added DO NOT EDIT THIS FILE. EDIT MAIN.CF
+ INSTEAD notices to the sample-xxx.cf files.
+
+19991007
+
+ Compatibility: ignore the sendmail -U (initial user
+ submission) option. Thomas Quinot @ cuivre.fr.eu.org.
+
+19991103
+
+ Code cleanup: don't send postmaster notifications when an
+ SMTP client sends a DATA command while no recipients were
+ accepted. This can happen when a pipelined client runs
+ into an UCE block. File: smtpd/smtpd.c.
+
+19991104
+
+ Robustness: do not apply UCE header checks to mail that is
+ generated by Postfix (bounces, forwarded mail etc.). Files:
+ smtpd/smtpd.c, pickup/pickup.c, cleanup/cleanup_message.c.
+
+ Robustness: new generic watchdog module that can deal with
+ clocks that jump occasionally. Files: util/watchdog.c,
+ master/master.c, master/{single,multi,trigger}_server.c.
+ This hopefully ends the false watchdog alarms that happen
+ when clocks are set or when laptops are resumed.
+
+ Code cleanup: BSMTP requires dot quoting as per RFC 821.
+ Based on code by Florian Lohoff @ rfc822.org. Files:
+ global/mail_copy.[hc], pipe/pipe.c.
+
+19991105
+
+ Bugfix: the crufty code in inet_addr_local() did not find
+ IP aliases. File: util/inet_addr_local.c.
+
+ Portability: the INSTALL.sh utility did not find users or
+ groups in NIS or Netinfo tables. The script no longer
+ searches the /etc/passwd and /etc/group files. Instead it
+ now queries the unix:passwd.byname and unix:group.byname
+ maps. For this, a -q (query) option was added to postmap
+ (and to postalias, for symmetry). Files: util/dict_unix.c,
+ postalias/postalias.c, postmap/postmap.c, INSTALL.sh.
+
+ Bugfix: LDAP lookup timeout settings were ignored. Patch
+ by John Hensley. File: util/dict_ldap.c.
+
+19991108
+
+ Bugfix: when doing a fresh install, INSTALL.sh didn't set
+ main.cf:mail_owner properly (Simon J. Mudd).
+
+19991109
+
+ Bugfix: when doing a fresh install, INSTALL.sh no longer
+ worked (missing main.cf file). Fix: add "-c" argument to
+ the postmap commands (Lars Hecking @ nmrc.ucc.ie).
+
+ Documentation: removed spurious "do not edit" comments from
+ the sample pcre and regexp configuration files.
+
+19991110-13
+
+ Code cleanup: greatly simplified the SMTPD command parser
+ and somewhat simplified the code that groks RFC 822-style
+ address syntax in MAIL FROM and RCPT TO commands.
+
+ New parameter: strict_rfc821_envelopes (default: no) to
+ reject RFC 822 address forms (with comments etc.) in SMTP
+ envelopes. By default, the Postfix SMTP server only logs
+ a warning.
+
+19991113
+
+ Oops, also updated the SMTP VRFY code in the light of
+ changes to the SMTPD command parser.
+
+ Cleanup: the local delivery agent now explicitly rejects
+ recipients with an empty username.
+
+19991114
+
+ Workaround: with some gawk versions, postconf/extract.awk
+ reportedly returns a non-zero exit status upon success.
+ Added an explicit exit(0) statement.
+
+19991115
+
+ Feature: DNS TXT record lookup support, based on initial
+ code by Simon J Mudd. File: dns/dns_lookup.c.
+
+ Feature: RBL TXT record lookups, based on initial code by
+ Simon J Mudd. File: smtpd/smtpd_check.c.
+
+ Feature: permit_auth_destination restriction based on code
+ by Jesper Skriver @ skriver.dk.
+
+ Code cleanup: the transport table now can override all
+ deliveries, including local ones.
+
+19991116
+
+ Code cleanup: a new "local_transports" configuration
+ parameter explicitly lists all transports that deliver mail
+ locally. The first name listed there is the default local
+ transport. This is the end of the "empty next-hop hostname"
+ hack to indicate that a destination is local. Files:
+ trivial-rewrite/resolve.c, global/local_transport.[hc]
+
+ Feature: "postconf -m" shows what lookup table types are
+ available. Code by Scott Cotton, Internet Consultants
+ Group, Inc.
+
+ Feature: "postconf -e" edits any number of main.cf parameters.
+ The edit is done on a copy, and the copy is renamed into
+ the place of the original. File: postconf/postconf.c,
+ util/readlline.[hc].
+
+19991117
+
+ Portability: SunOS 4 has no SA_RESTART. File: util/watchdog.c.
+
+ Feature: on systems with h_errno, the "reject_unknown_client"
+ restriction now distinguishes between soft errors (always
+ reply with 450) and hard errors (use the user-specified
+ reply code). This should lessen the load by broken mailers
+ that re-connect once a minute.
+
+ Feature: forward/reverse name/address check for SMTP client
+ hostnames. This fends off some hypothetical attacks by
+ spammers who are in control of their own reverse mapping.
+
+ Robustness: postconf no longer aborts when it can't figure
+ out the local domain name; it prints a warning instead.
+ This allows you to use "postconf -e" to fix the problem.
+
+19991118
+
+ Bugfix: the RFC822 address parser would misparse a leading
+ \ as an atom all by itself. Problem reported by Keith
+ Stevenson @ louisville.edu. File: global/tok822_parse.c.
+
+19991119
+
+ Bugfix: tiny memory leak in pipe_command() when fork()
+ fails. File: global/pipe_command.c.
+
+19991120
+
+ Bugfix: reversed test for all-numerical results in SMTPD
+ access maps. File: smtpd/smtpd_check.c.
+
+19991121
+
+ Robustness: INSTALL.sh no longer uses postmap for sanity
+ checks.
+
+ Feature: INSTALL.sh now has an install_root option.
+
+ Bugfix: INSTALL.sh now installs manual pages with proper
+ permissions and ownership.
+
+ Bugfix: the LDAP client did not properly escape special
+ characters in lookup keys (patch by John Hensley). File:
+ util/dict_ldap.c.
+
+19991122
+
+ Bugfix: missing absolute path in INSTALL.sh broke fresh
+ install.
+
+19991124
+
+ Bugfix: the local delivery agent's recipient duplicate
+ filter did not work when configured to use unlimited memory
+ (which is not a recommended setting). Patrik Rak @raxoft.cz.
+
+19991125
+
+ Bugfix: postconf didn't have an umask(022) call at the
+ beginning (problem experienced by Matthias Andree).
+
+19991126
+
+ Bugfix: DNS TXT records now have string lengths before text
+ (Mark Martinec @ nsc.ijs.si).
+
+19991127
+
+ Update: the LDAP client code now supports escapes as per
+ RFC2254 (John Hensley).
+
+19991207
+
+ Performance: one message with many recipients no longer
+ stops other mail from being delivered. The queue manager
+ now frees in-memory recipients as soon as a message is
+ delivered to one destination, rather than waiting until
+ all in-memory destinations of that message have been tried.
+ Patch by Patrik Rak @ raxoft.cz. Files: qmgr/qmgr_entry.c,
+ qmgr/qmgr_message.c.
+
+ Performance: when delivering mail to a huge list of
+ recipients, the queue manager now reads more recipients
+ from the queue file before delivery concurrency drops too
+ low. Files: qmgr/qmgr_entry.c, qmgr/qmgr_message.c.
+
+19991208
+
+ Updated LDAP client code by John Hensley with escape
+ sequences as per RFC 2254. File: util/dict_ldap.c.
+
+ Updated MYSQL client code by Scott Cotton. File: dict_mysql.c.
+
+ Feature: added -N/-n options to include/exclude terminating
+ nulls in keys and values in postmap/postalias DB or DBM
+ files. Normally, Postfix uses whatever is appropriate for
+ the host system. A non-default setting can be necessary
+ for inter-operability with third-party software.
+
+ Bugfix: the local delivery agent would deliver to the user
+ instead of the .forward file when the .forward file was
+ already visited via some non-recursive path. Patch by Patrik
+ Rak @ raxoft.cz. Files: global/been_here.c, local/dotforward.c.
+
+ Robustness: attempt to deliver all addresses in the expansion
+ of an alias or .forward file, even when some addresses must
+ be deferred. File: local/token.c.
+
+19991211
+
+ Performance: qmgr_fudge_factor controls what percentage of
+ delivery resources Postfix will devote to one message.
+ With 100%, delivery of one message does not begin before
+ delivery of the previous message is completed. This is good
+ for list performance, bad for one-to-one mail. With 10%,
+ response time for one-to-one mail improves much, but list
+ performance suffers. In the worst case, people near the
+ start of a mailing list get a burst of postings today,
+ while people near the end of the list get that same burst
+ of postings a whole day later. Files: qmgr/qmgr_message.c,
+ qmgr/qmgr_entry.c.
+
+ Bugfix: address rewriting would panic on a lone \ at the
+ end of a line where an address was expected. Jason Hoos @
+ thwack.net. File: global/rewrite_clnt.c.
+
+19991215
+
+ Bugfix: the strict RFC821 envelope address check should
+ not be applied to VRFY commands. File: smtpd/smtpd.c.
+
+ Cleanup: permit_recipient_maps is gone, because that could
+ only be used inside UCE restrictions.
+
+19991216
+
+ Feature: allow an empty inet_interfaces parameter, just
+ like an empty mydestination parameter. It's needed for true
+ null clients and for firewalls that deliver no local mail.
+
+ Feature: "disable_vrfy_command = yes" disables some forms
+ of address harvesting used by spammers.
+
+ Workaround: added the alias map parameter definition to
+ the smtpd code. This is a symptom of a general problem
+ with parameters that have non-empty default values: unless
+ a program explicitly defines such a parameter, the parameter
+ defaults to the empty string when used in other parameters.
+ There's also a problem with evaluation order.
+
+ Feature: the SMTP server rejects mail for unknown users in
+ virtual domains that are defined by Postfix virtual domain
+ files. File: smtpd/smtpd_check.c.
+
+ Feature: reject mail for unknown local users at the SMTP
+ port. The local_recipient_maps configuration parameter
+ specifies maps with all addresses that are local with
+ respect to $mydestination or $inet_interfaces. Example:
+ "local_recipient_maps = $alias_maps unix:passwd.byname".
+ This feature is disabled by default. You may have to copy
+ the passwd file into the chroot jail. File: smtpd/smtpd_check.c.
+
+ Feature: the sendmail -f option now understands '<user>'
+ and even understands address forms with RFC 822-style
+ comments.
+
+19991217
+
+ Cleanup: no more UCE checks for VRFY commands. It still
+ reports unknown local/virtual users. File: smtpd/smtpd_check.c.
+
+ Robustness: upon Postfix startup, report discrepancies
+ between system files inside and outside the chroot jail.
+ Files: conf/postfix-script-nosgid, conf/postfix-script-sgid.
+
+19991218
+
+ Cleanup: INSTALL.sh produces relative symlinks, which is
+ necessary when install_root is not /.
+
+19991219
+
+ Documentation: completely reorganized the FAQ and added
+ many new entries. Rewrote the UCE html documentation.
+
+ Cleanup: INSTALL.sh uses a configurable directory for
+ scratch files, so that it can install from a file system
+ that is not writable by the super-user.
+
+ Cleanup: INSTALL.sh gives helpful hints when the "mv"
+ command is unable to move symlinks across file system
+ boundaries.
+
+19991220
+
+ Cleanup: it is no longer necessary to list $virtual_maps
+ as part of the relay_domains definition. The SMTP server
+ now by default accepts mail for destinations that match
+ $inet_interfaces, $mydestination or $virtual_maps, whether
+ or not these are specified in relay_domains. We still need
+ the ugly "virtual.domain whatever" hack in the virtual
+ maps. Files: smtpd/smtpd_check.c and lots of documentation
+ and sample config files.
+
+19991221
+
+ Removed cyrus -q flag (ignore quotas) from the sample
+ master.cf file.
+
+19991223
+
+ Bugfix: smtpd should not check for unknown users when
+ running in stand-alone (sendmail -bs) mode. Problem
+ experienced by Chuck Mead. File: smtpd/smtpd.c.
+
+ Retraction: the "local_transports" configuration parameter
+ is gone. Adjusted code and documentation accordingly.
+ Instead, use just one "local_transport" parameter with the
+ name of the default local transport. Files: smtpd/smtpd_check.c,
+ qmgr/qmgr_message.c, trivial-rewrite/ resolve.c, local/resolve.c.
+
+ Feature: Postfix SMTPD now insists that the smtpd recipient
+ restrictions contain at least one restriction that by
+ default rejects mail. This should make it much more difficult
+ to change Postfix into an open relay. File: smtpd/smtpd_check.c.
+
+ Retraction: null-length inet_interfaces is too confusing.
+
+19991224
+
+ Bugfix: the relative symlink code in INSTALL.sh computed
+ the ../ prefix from the wrong pathname.
+
+1999122[5-7]
+
+ Feature: "allow_untrusted_routing = no" (default) prevents
+ forwarding of source-routed mail from untrusted clients to
+ destinations that are blessed by the relay_domains parameter
+ (example: user@domain2@domain1 etc.). This plugs a mail
+ relay loophole where a backup MX host forwards junk mail
+ to a primary MX host which forwards the junk to the Internet.
+ Files: global/quote_822_local.c, smtp/quote_821_local.c,
+ trivial-rewrite/rewrite.c, trivial-rewrite/resolve.c,
+ smtp/smtpd_check.c.
+
+ In order to make this possible, the Postfix resolver data
+ structure and protocol has changed, so that all resolver
+ clients need to be re-compiled.
+
+ Side effect from the above change: from now on, an address
+ with @ in the recipient localpart no longer bounces with
+ "user unknown" but instead is rejected with "relay access
+ denied" or "source-routed relay access denied".
+
+19991227
+
+ Workaround: the BSD/OS "mkdir -p" and "cmp -s" commands
+ misbehave on boundary cases: directory exists or file does
+ not exist. Those who re-invent...
+
+19991229
+
+ Added the no source routing info requirement to addresses
+ accepted by the permit_mx_backup UCE restriction.
+
+19991230
+
+ Added a spawn daemon (not compiled and installed by default)
+ to enable LMTP delivery over UNIX-domain sockets. The goal
+ is to simplify the experimental LMTP delivery agent by
+ ripping out the privileged code that forks the LMTP server.
+
+20000102
+
+ Clarified documentation after early feedback on the 19991231
+ release by Drew Derbyshire, Ollivier Robert, Khetan Gajjar.
+
+ Sanity check: a common error is to list Postfix virtual
+ domains in the mydestination parameter. This causes the
+ new optional local_recipient_maps feature to reject mail
+ for virtual users. The SMTP server now explicitly tests
+ for this common error and logs a warning instead of refusing
+ the mail. File: smtpd/smtpd_check.c.
+
+20000104
+
+ Bugfix: a case sensitivity bug had slipped through in the
+ anti-relaying code, causing mail for USER@VIRTUAL.DOMAIN
+ to be rejected with "relay access denied". This was found
+ by Jim Maenpaa @ jmm.com.
+
+ Questionable feature: set "smtp_skip_5xx_greeting = yes"
+ to make Postfix more sendmail compatible, even though this
+ is wrong, IMNSHO. File: smtp/smtp_connect.c.
+
+ Portability: Ultrix patch from Simon Burge @ thistledown.com.au.
+
+ Portability: Siemens Pyramid (dcosx) patch by Thomas D.
+ Knox @ vushta.com.
+
+ Performance: FreeBSD has bidirectional pipes that are faster
+ than socketpairs. Anticipating on more platform-specific
+ optimizations, all duplex pipe plumbing is now isolated in
+ a duplex_pipe.c module that provides a system-independent
+ interface.
+
+20000105
+
+ Cleanup: the INSTALL.sh script now updates the sample files
+ in /etc/postfix even when main.cf exists.
+
+20000106
+
+ Bugfix: the SMTP server should consult the relocated map
+ for virtual destinations (Denis Shaposhnikov). Files:
+ smtpd/smtpd.c smtpd/smtpd_check.c.
+
+20000108
+
+ Workaround: rename() over NFS can fail with ENOENT even
+ when the operation succeeds (Graham Orndorff @ WebTV). This
+ is not news. Any non-idempotent operation can fail over
+ NFS when the NFS server's acknowledgment is lost and the
+ NFS client code retries the operation (other examples are:
+ create, symlink, link, unlink, mkdir, rmdir). Postfix has
+ workarounds for the cases where this is most likely to
+ cause trouble. Files: util/sane_{rename,link}.[hc]. If
+ you want reliable mail system, do not use NFS.
+
+20000115
+
+ Workaround: better detection of bad hardware. Added SIGBUS
+ to the list of signals that the master will log before
+ exiting.
+
+20000122
+
+ Portability: preliminary SCO5 port Christopher Wong @
+ csports.com. This still needs to a workaround for "find"
+ not supporting "-type s" (actually, UNIX-domain sockets
+ have no unique representation in the file system and show
+ up as FIFOs).
+
+20000115-22
+
+ Bugfix: in case of a too long message header, don't extract
+ recipients from message headers. With the previous behavior,
+ Bcc information could be left in the message body, as one
+ person found out the hard way. Files: cleanup/cleanup.c,
+ cleanup/cleanup_extracted.c, global/cleanup_user.h.
+
+20000124
+
+ Whatever: RFC 1869 amends RFC 821 and specifies that code
+ 555 is to be used when a MAIL FROM or RCPT TO parameter is
+ not implemented or not recognized. Russ Allbery @stanford.edu.
+ This reply code is added to the list of reply codes that
+ cause the Postfix SMTP client to mail a transcript to the
+ postmaster. File: smtp/smtp_trouble.c.
+
+20000126
+
+ Emergency feature: qmgr_site_hog_factor (default: 90 percent)
+ limits the amount of resources that Postfix devotes to a
+ single destination. With less than 100, Postfix defers the
+ excess mail so that one site with a large backlog does not
+ block other deliveries. Files: qmgr/qmgr.c, qmgr/qmgr_message.c.
+
+20000128
+
+ Cleanup: the queue manager no longer replaces the nexthop
+ field by the recipient localpart when a destination matches
+ $mydestination/$inet_interfaces. The price is the introduction
+ of a new parameter local_destination_recipient_limit which
+ defaults to 1 in order to maintain backwards compatibility.
+ Files: qmgr/qmgr.c, qmgr/qmgr_message.c.
+
+20000129
+
+ Bugfix: extracted recipients were misfiled when a message
+ was moved back to the maildrop queue. But they still worked
+ due to a coincidence.
+
+ Feature: bounce_recip() bounces a recipient immediately
+ without accessing a bounce logfile. This is necessary for
+ VERP bounces, for bounces by delivery agents that change
+ the sender address, and for bounces that for some reason
+ must not use temporary logfiles. Files: global/bounce.c,
+ bounce/bounce_recip_service.c.
+
+20000130
+
+ Bugfix: the too long header fix of 20000115-22 lost mail
+ with too long headers that didn't need to extract recipients
+ from message headers.
+
+ Bugfix: the too long header fix of 20000115-22 lost mail
+ without (blank line + message body).
+
+ Code rewrite: reorganized the cleanup daemon source code
+ so that the cleanup service can be called one record at a
+ time (see cleanup/cleanup_api.c); also got rid of the global
+ state variables and fixed a couple bugs that were introduced
+ with 20000115-22.
+
+20000204
+
+ Feature: in daemon mode, the MAIL FROM size check can be
+ postponed until RCPT TO so that Postfix can log sender and
+ recipient. Simon J Mudd. Files: smtpd/smtpd.c
+
+ Robustness: limit the number of recipient addresses that
+ can be extracted from message headers. Parameter:
+ extract_recipient_limit (default: 10240). Files:
+ cleanup/cleanup_message.c, cleanup/cleanup_extracted.c.
+
+ Cleanup: the message header reject logging now includes
+ sender and recipient address (if possible), so that the
+ logging looks more like the other reject logging. File:
+ cleanup/cleanup_message.c.
+
+ Documentation: added sections on regular expression tables
+ to the access, canonical, virtual, transport and relocated
+ man pages, and write new man pages that are specific to
+ regular expressions: pcre_table.5 and regexp_table.5.
+
+20000214
+
+ Bugfix: postconf reported some parameters more than once
+ because the parameter extracting script didn't recognize
+ lines that differ in whitespace only. File: postconf/extract.awk.
+ Reported by Kenn Martin.
+
+20000221
+
+ Logging: the SMTP client now logs log host+port when it is
+ unable to connect to a non-MX host, just like it logs
+ host+port when unable to connect to an MX host.
+
+20000226
+
+ Bugfix: the SMTP server's "User unknown" test didn't notice
+ LDAP etc. dictionary access errors. The code now reports
+ a 450 status (try again instead of bounce) if the reply is
+ not definitive. File: smtp/smtpd_check.c.
+
+ Robustness: the smtp-source program could stall when making
+ hundreds of parallel connections to a Postfix system with
+ only one SMTP server process. The fix is to use non-blocking
+ connect() calls, very carefully. File: smtpstone/smtp-source.c.
+
+20000303
+
+ Feature: with smtp_always_send_ehlo the SMTP client will
+ send EHLO regardless of the content of the SMTP server's
+ greeting. File: smtp/smtp_proto.c.
+
+20000304
+
+ Feature: DICT_FLAG_SYNC_UPDATE flag for synchronous dictionary
+ updates, if supported by the underlying mechanism. Files:
+ util/dict.h, util/dict_open.c, util/dict_db.c.
+
+20000307
+
+ Cleanup: the manual pages in Postfix configuration files
+ no longer contain troff formatting codes. The text is now
+ generated from prototype files in a new "proto" subdirectory.
+ Requested by Matthias Andree @ stud.uni-dortmund.de.
+
+20000308
+
+ Bugfix: the unused db and dbm "delete" routines would
+ clobber the per-dictionary flags when called before reading
+ or writing the table. Files: util/dict_dbm.c, util/dict_db.c.
+ Lutz Jaenicke @ aet.TU-Cottbus.DE.
+
+ Bugfix: the SMTP server would produce a cryptic message
+ when a queue file write error happened before it had written
+ any recipients. Keith Stevenson. File: smtpd/smtpd.c.
+
+ Robustness: the db and dbm "delete" routines didn't adjust
+ to dictionaries with/without one trailing null in lookup
+ keys and values. Did a complete rewrite of the routines.
+ Files: util/dict_db.c, util/dict_dbm.c.
+
+ Feature: specify "-d key" to postalias or postmap in order
+ to remove one key. This still needs to be generalized to
+ multi-key removal (read stdin?). Files: postmap/postmap.c,
+ postalias/postalias.c.
+
+ Test: added test targets for the dictionary delete operations.
+ Files: util/Makefile.in, util/dict_test.{c,in,ref}.
+
+ Feature: added data offset and recipient count fields to
+ the first queue file record output from the cleanup daemon.
+ The recipient counts provides an initial estimate for a
+ more advanced queue manager scheduling algorithm. Files:
+ cleanup/cleanup_envelope.c, cleanup/cleanup_extracted.c.
+
+20000311
+
+ Portability: HP-UX awk can't handle bare { in regexps
+ (Lamont Jones. HP). File: postconf/extract.awk.
+
+ Compatibility: sendmail now recognizes '.' as end of input.
+ File: sendmail/sendmail.c.
+
+20000313
+
+ Compatibility: dtcm (CDE desktop calendar manager) leaks
+ a file descriptor into its child process, and requires that
+ sendmail closes the descriptor, otherwise mail notification
+ will hang. These GUI programmers never figured out that
+ the child process must close the writing end of a pipe.
+ File: sendmail/sendmail.c.
+
+20000314
+
+ Feature: SASL authentication in the SMTP server and client.
+ Based on code contributed by Till Franke, SuSE. Specify:
+ "smtpd_sasl_auth_enable = yes" and "smtp_sasl_auth_enable
+ = yes". The "permit_sasl_authenticated" UCE restriction
+ gives special treatment to authenticated clients.
+
+20000315
+
+ Workaround: added -blibpath option for AIX 4.x, to close
+ hole in case postdrop needs to be set-gid.
+
+20000320
+
+ Portability: FreeBSD 5.x added to the list of supported
+ systems (Mark Huizer).
+
+20000323
+
+ Portability: INSTALL.sh looks if sendmail is in /usr/lib
+ rather than in /usr/sbin.
+
+20000326
+
+ Bugfix: settings in one mysql configuration file would act
+ as the implicit defaults for the next one, which could be
+ confusing. Patch by Scott Cotton. File: util/dict_mysql.c.
+
+ Robustness: limit the number of "junk" commands that can
+ be issued in an SMTP session (ex.: NOOP, VRFY, ETRN, RSET).
+ Problem report by Michael Ju. Tokarev @ tls.msk.ru. Files:
+ global/mail_params.h, smtpd/smtpd.c.
+
+20000413
+
+ Portability: more MacOS X patches by Gerben Wierda.
+
+ Bugfix: RFC 822 requires the presence of at least one
+ destination message header. The cleanup daemon now generates
+ a generic "To: undisclosed-recipients:;" message header
+ when no destination header is present. The header content
+ is specified with the undisclosed_recipients_header parameter.
+ Problem pointed out by Geoff Gibbs, UK-Human Genome Mapping
+ Project-Resource Centre.
+
+20000416
+
+ Workaround: allow <(comment)> as SMTP MAIL FROM address.
+
+20000417
+
+ The SASL authentication in the SMTP server and client works,
+ but only on Linux and Solaris, neither of which I wish to
+ run on my laptop.
+
+20000418
+
+ Added LMTP support to the smtp-source and smtp-sink utilities
+ so that I don't have to install Cyrus IMAP just to test
+ LMTP.
+
+20000419
+
+ Bugfix: removed the () from the tokenized representation
+ of RFC 822 comments, so that comments with \( or \) can be
+ unparsed correctly. Problem reported by Bodo Moeller.
+
+20000423
+
+ Bugfix: mail_copy() could prepend > or . in the middle of
+ long lines. Found by code inspection.
+
+20000427
+
+ New code: unescape module that translates C escape sequences
+ into their equivalent character values. File: util/unescape.c.
+
+ Feature: the pipe mailer now has a way to specify the output
+ record delimiter (for example, eol=\r\n). This is necessary
+ for transports that require CRLF instead of UNIX-style LF.
+
+20000502
+
+ In order to support timeouts more conveniently, VSTREAMs
+ now have built into them the concept of timeout. Instead
+ of calling read() and write(), the low-level VSTREAM
+ interface now by default uses timed_read() and timed_write()
+ which receive a timeout parameter; vstream_ctl(stream,
+ VSTREAM_CTL_TIMEOUT...) sets the timeout deadline on a
+ stream, and vstream_ftimeout(stream) queries a stream for
+ timeout errors. This change simplified timeout handling
+ considerably. Files: util/vbuf.h, util/vstream.[hc],
+ global/smtp_stream.c, global/timed_ipc.c.
+
+20000504
+
+ Added application context to VSTREAMs, which is passed on
+ transparently to application-provided read/write routines.
+ vstream_ctl(stream, VSTREAM_CTL_CONTEXT...) sets the context.
+ Files: util/vstream.[hc].
+
+ Added vstream_setjmp() and vstream_longjmp() support to
+ make exception handling more convenient. Turn on exception
+ handling with vstream_ctl(stream, VSTREAM_CTL_EXCEPT...).
+ Files: util/vstream.[hc].
+
+ Cleaned up the smtp_stream module further and got rid of
+ the global state that limited the use of this module to
+ one stream per process. Files: global/smtp_stream.[hc].
+
+20000505
+
+ Bugfix: the SMTP server now flushes unwritten output before
+ tarpit delays, to avoid protocol timeouts in pipelined
+ sessions when a client causes lots of errors. Found by
+ Lamont Jones, HP. File: smtpd/smtpd_chat.c.
+
+ Finished the LMTP client, which is based on a modified
+ version of the SMTP client by Philippe Prindeville, Mirapoint,
+ Inc., later modified by Amos Gouaux, UTDallas, and then
+ Wietse ripped it all up again. Currently this talks LMTP
+ over TCP only.
+
+ Feature: override main.cf parameters in master.cf. Specify
+ "-o parameter=value" after the program name. This allows
+ you to selectively override myhostname etc. See also the
+ new smtp_bind_address parameter below.
+
+20000506
+
+ Convenience: the LMTP and SMTP clients now append the local
+ domain to unqualified nexthop destinations. This makes it
+ more convenient to set up transport maps. Files:
+ lmtp/lmtp_addr.c, smtp/smtp_addr.c.
+
+ Sendmail compatibility: the Postfix SMTP client now skips
+ servers that greet the client with a 4xx or 5xx status
+ code. To disable, set both smtp_skip_4xx_greeting and
+ smtp_skip_5xx_greeting to "no".
+
+20000507
+
+ Portability: NetBSD has migrated to /etc/mail/aliases. We
+ can expect to see this happen more often when systems start
+ shipping Sendmail 8.10. File: util/sys_defs.h
+
+ Updated LDAP code by John Hensley, with support for
+ dereferencing of LDAP aliases, which have nothing to do
+ with Postfix aliases.
+
+ Feature: "smtp_bind_address=x.x.x.x" specifies the source
+ IP address for SMTP client connections. Specify in master.cf
+ as "smtp -o smtp_bind_address=x.x.x.x" in order to give
+ different delivery agents different source addresses.
+
+20000510
+
+ Cleanup: mailbox_transport did not work with the lmtp
+ delivery agent. This dates back to when Postfix used empty
+ nexthop information to indicate that a destination was
+ local. File: global/deliver_pass.c.
+
+ Bugfix: configuration parameters for one mysql dictionary
+ would become default settings for the next one. File:
+ dict_mysql.c. This patch was merged into Postfix a while
+ back but apparently that Postfix version was nuked when
+ other parts were redesigned. Update by Scott Cotton.
+
+ Bugfix: some Postfix delivery agents would abort on addresses
+ of the form `stuff@.' which could be generated only locally.
+ Found by Patrik Rak. File: trivial-rewrite/resolve.c.
+
+ Third-party Berkeley DB support for HP-UX by Lamont Jones.
+ File: makedefs.
+
+20000511
+
+ Bugfix: Postfix would incorrectly reject domain names with
+ adjacent - characters. File: util/valid_hostname.c.
+
+ Bugfix: the 20000505 pipeline tarpit delay flush was wrong
+ and caused the client and server to get out of phase. Yuck!
+
+20000513
+
+ Feature: VSTREAMs now have the concept of last fill/flush
+ time, which is needed to prevent timeouts with pipelined
+ SMTP sessions as detailed in the next item.
+
+ Bugfix: delayed SMTP command/reply flushing to prevent
+ sender delays from accumulating too much and causing timeouts
+ with pipelined sessions. For example, client-side delays
+ happen when a client does DNS lookups to replace hostname
+ aliases in MAIL FROM or RCPT TO commands; server-side delays
+ happen when an UCE restriction involves a time-consuming
+ DNS lookup, or when a server generates tarpit delays.
+ Files: lmtp/lmtp_proto.c, smtp/smtp_proto.c, smtpd/smtpd_chat.c.
+
+ Portability: define ANAL_CAST for compilation environments
+ that reject explicit casts between pointers and integral
+ types. File: util/sys_defs.h, master/*server.c. Upon closer
+ investigation, this turned out to be the result of someone's
+ compiler configuration preferences. Therefore the change
+ is likely to go away after a code cleanup.
+
+20000514
+
+ Feature: mysql client support for multi-valued queries
+ (select email, email2 from aliastbl where username='$local')
+ By Loic Le Loarer @ m4x.org. File: util/dict_mysql.c.
+
+ Finalized the delayed SMTP command/reply flushing code in
+ the SMTP and LMTP clients after lots of testing and review.
+
+20000520
+
+ Robustness: upon receipt of mail, map the mailer-daemon
+ sender address back into the magic null string. File:
+ cleanup/cleanup_envelope.c.
+
+20000524
+
+ Bugfix: the code for masquerade_exceptions was case sensitive.
+ Reported by Eduard Vopicka. File: cleanup/cleanup_masquerade.c.
+
+20000526
+
+ Feature: experimental queue manager by Patrik Rak with a
+ fancy pre-emptive scheduling algorithm that improves delivery
+ performance of mail with few recipients. This queue manager
+ is made available as "nqmgr".
+
+20000528
+
+ Feature: the SMTP client SASL password file can contain
+ entries for destination domain names (the address remote
+ part) not just mail server hostnames. File: smtp_sasl_glue.c.
+
+ Feature: smtpd_sasl_local_domain parameter (default:
+ $myhostname) to specify the local SASL authentication realm.
+ File: smtpd_sasl_glue.c.
+
+ Feature: specify "body_checks=regexp:/file/name" for a very
+ crude one line at a time message body content filter. This
+ feature uses the same filtering syntax as the header_checks
+ feature. File: cleanup/cleanup_message.c. See also the
+ conf/sample-filter.cf file.
+
+20000530
+
+ Feature: full content filtering through external software.
+ This uses existing interfaces for sending mail to the
+ external content filter and for injecting it back into
+ Postfix. Details in FILTER_README. Files: pickup/pickup.c,
+ smtpd/smtpd.c, qmgr/qmgr_message.c.
+
+20000531
+
+ More SASL feedback by Liviu Daia, regarding the use of
+ authentication realms. File smtpd/smtpd_sasl_glue.c.
+
+ Added a simple shell-script based content filtering example
+ to the FILTER_README file.
+
+ Content filtering support for nqmgr by Patrik Rak. File:
+ nqmgr/qmgr_message.c.
+
+ Renamed "content inspection" etc. to "content filtering"
+ in anticipation of a new hook for content inspection that
+ only inspects mail without re-injecting it into Postfix.
+
+20000601
+
+ Feature: limit the size of pipe mailer deliveries with the
+ size=nnn command-line attribute. Patch by Andrew McNamara.
+
+20000603
+
+ Bugfix: don't try to do SASL authentication when running
+ in stand-alone (sendmail -bs) mode. Fix by Liviu Daia.
+
+ Bug: the unauthorized pipelining test fails with single
+ recipient mail when smtpd_delay_reject = yes.
+
+20000617
+
+ Bugfix: conf/sample-ldap.cf was no longer up to date with
+ reality. Patch by Lamont Jones, HP.
+
+ Bugfix: the maildir delivery routine left temporary files
+ lying around after unsuccessful delivery (problem reported
+ by Brian Laughton @ Corp.Axxent.Ca).
+
+20000621
+
+ AIX 4.x had POSIX regular expression support all the time
+ I was working on Postfix. Better find out late than never.
+
+20000623
+
+ Bugfix: the SMTP server did not reset the so-called junk
+ command counter after successful delivery (Mark Hoffman @
+ wallst.com). File: smtpd/smtpd.c.
+
+20000625
+
+ Cleanup: remove Content-Length from incoming mail. The
+ sender has no authority over the format of mail as stored
+ by the receiving system. File: global/header_opts.h.
+
+ Feature: rewrite Mail-Followup-To: as sender. Files:
+ global/header_opts.[hc].
+
+ Cleanup: rewrite Reply-To, Errors-To, Return-Receipt-To as
+ sender, so that address masquerading works as expected.
+ Files: global/header_opts.c.
+
+ Feature: specify "require_home_directory = yes" to prevent
+ mail from being delivered to a user whose home directory
+ is not mounted. File: local/dotforward.c.
+
+ Cleanup: the pipe deliver agent no longer appends a blank
+ line when the F flag (prepend From_ line) is specified.
+ Specify the B flag if you need that blank line. The local
+ delivery agent no longer appends a blank line to mail that
+ is delivered to external command. Files: pipe/pipe.c,
+ global/mail_copy.[hc].
+
+20000708
+
+ Portability: support for NEXT/OPENSTEP requires extra
+ include file in util/watchdog.c (Masaki Murase).
+
+20000715
+
+ Added macros to turn on vstream/vstring/etc. format string
+ checking by gcc, in addition to the checking that was
+ already implemented with printfck. File: util/sys_defs.h,
+ the macros for PRINTFLIKE and SCANFLIKE. Problem - unlike
+ the printfck tool, gcc finds format argument type mismatches
+ only in code that isn't #ifdef-ed out.
+
+20000718
+
+ Robustness: make_dirs() now continues when a missing
+ directory is created by another process.
+
+20000720
+
+ Feature: the queue manager now logs the number of recipients
+ when opening a queue file (a zero recipient count is logged
+ with older queue files). File: global/opened.c.
+
+20000726
+
+ Robustness: added watchdog_pat() routine to keep the watchdog
+ quiet if a client stays connected for a lot of time. Files:
+ util/watchdog.[hc], smtpd/smtpd.c.
+
+20000729
+
+ Robustness: if relayhost is specified but the host does
+ not exist, defer mail instead of bouncing it (which would
+ lose the mail if the bounce would have to be delivered to
+ that same non-existent relayhost). Problem reported by
+ Chris Cooper @ maths.ox.ac.uk. File: smtp/smtp_connect.c.
+
+20000821
+
+ Feature: added -r (replace key+value) option to postalias
+ and postmap.
+
+ Cleanup: smtpd now replies with 555 when the client sends
+ unrecognized RCPT TO parameters, as required by RFC 1869
+ (problem report by Robert Norris @ its.monash.edu.au).
+ File: smtpd/smtpd.c.
+
+20000822
+
+ Logging: the SMTP server's SASL code logs the authentication
+ method along with an authentication failure. Suggested by
+ Ronald F. Guilmette @ monkeys.com.
+
+ Workaround: some systems have file size resource limits
+ that cannot be represented with the off_t type that is used
+ by standard functions such as lseek(2). Problem reported
+ by Blaz Zupan @ amis.net.
+
+20000823
+
+ Feature: all this discussion about when to reject mail and
+ when not made me decide to implement a TCP-based map type
+ so that it becomes relatively simple to implement dynamic
+ access controls, for example, hold off mail from an unknown
+ client or sender until we have completed some investigation,
+ after which we will either reject or accept.
+
+ However, this code is turned off until it is finished.
+
+20000905
+
+ Robustness: the dns client now rejects malformed domain
+ names rather than depending on the DNS to report that the
+ name does not exist. Linux returns a rather misleading
+ server failure code as found out by Patrik Rak. File:
+ dns/dns_lookup.c.
+
+20000911
+
+ Feature: added IGNORE keyword to header_checks and body_checks
+ to pretend that certain data does not exist. File:
+ cleanup/cleanup_message.c.
+
+20000911
+
+ Bugfix: the SASL code did not allow MAIL FROM... AUTH=sender
+ without prior authentication. The RFC allows this, although
+ one wonders what the reasoning behind this is. File:
+ smtpd/smtpd_sasl_proto.c.
+
+20000913
+
+ Bugfix: the rmail script did not handle remote UUCP systems
+ that send a from_ line with unqualified envelope sender.
+ Reported by Luciano Mannucci.
+
+ Compatibility: don't insert Sender: header lines. Sendmail
+ has not done so for at least 10 years, if it ever did.
+ Problem reported by Brad Knowles. File: cleanup/cleanup_message.c.
+
+20000916
+
+ Bugfix: when propagating an address extension in a virtual
+ or canonical mapping, cleanup accesses memory that is no
+ longer allocated. This can happen when the result address
+ length is more than 100 characters. Problem reported by
+ Adi Prasaja @ satunet.com. File: global/mail_addr_crunch.c.
+
+ Bugfix: fixed a misleading error message when the cleanup
+ server reaches the queue file size limit. Fix by Robby
+ Griffin @ MIT.EDU. File: cleanup/cleanup_extracted.c.
+
+20000917
+
+ Bugfix: postalias -i would complain about duplicate entries
+ for the Sendmail-compatible @ entry and for the NIS-compatible
+ YP_LAST_MODIFIED and YP_MASTER_NAME entries.
+
+20000918
+
+ Gross hack: prevent looping on a bad recipient by always
+ forwarding recipients in :include: files to a new mail
+ delivery request, even when owner-listname is not set.
+ File: local/recipient.c.
+
+20000919
+
+ Convenience: INSTALL.sh now imports default settings from
+ the process environment, in order to make scripting easier.
+
+ Robustness: INSTALL.sh now systematically skips over CVS,
+ RCS and SCCS cruft.
+
+ Portability: another fix for NEXTSTEP (Masaki MURASE).
+ File: util/spawn_command.h.
+
+20000920
+
+ Cleanup: in a transport table entry, do not ignore port
+ numbers specified as [host]:port. In fact, this is now
+ becoming the preferred form, in order to avoid parsing
+ problems with IPV6 addresses. Postfix supports both forms,
+ but future versions will print a warning for the old form.
+ Problem reported by Claus Fischer @ werhats.at
+
+ Bugfix: missing initialization for state->sasl_method can
+ cause permit_sasl_authenticated to always succeed. Report
+ and fix by Lutz Jaenicke @ aet.TU-Cottbus.DE.
+
+ FAQ: added notes about how to delete, copy or restore queue
+ files in a safe manner.
+
+20000921
+
+ File reorganization. No code change except Makefiles. All
+ sources are pushed down by one directory level to keep file
+ listings usable. Released as 20000922, so that I have a
+ reference to run "diff -cr against.
+
+ Bugfix: the spawn service was installed without man pages.
+
+ Portability: MacOSX hints and tips by Joe Block, University
+ of Central Florida School of Optics/CREOL
+
+ Portability: The MacOSX gcc compiler does not understand
+ the new printf_like/scanf_like attributes. File: util/sys_defs.h.
+
+20000922
+
+ nqmgr update from Patrik Rak for the changed queue manager
+ to delivery agent protocol.
+
+ Lame feature: syslog_facility parameter to control where
+ syslogd sends Postfix logging (default: syslog_facility =
+ mail). However, errors during command-line parsing are
+ still logged with the default syslog facility, as are errors
+ while processing the main.cf file (surprise). Based on
+ code by Andrew McNamara.
+
+20000923
+
+ Cleanup: new bounce logfile API so that Postfix can change
+ to an extensible bounce logfile format with per-recipient
+ sender addresses (needed for VERP and for reporting local
+ list delivery problems to the list owner) and other
+ attributes. File: global/bounce_log.[hc].
+
+ Cleanup: replaced the ad-hoc logfile parsing code in showq
+ by something that uses the generic bounce logfile API.
+
+20000924
+
+ Feature: Postfix bounced mail and delayed mail notifications
+ now have the standard RFC 1894 form (DSN). The bounce
+ service now uses the generic bounce logfile API. File:
+ bounce/bounce_notify_service.c, bounce/bounce_notify_util.c.
+
+ Cleanup: deleted the per-recipient bounce protocol. Future
+ bounce logfiles will support per-recipient bounce addresses.
+ Files: global/bounce.c, bounce/bounce_recip_service.
+
+20000925
+
+ Workaround: sendmail allows MAIL FROM and RCPT TO envelope
+ addresses like <the dude <dude@site>> so we will never get
+ rid of them. To disallow, specify "strict_rfc821_envelopes
+ = yes". File: smtpd/smtpd.c.
+
+20000926-20001003
+
+ Feature: a "flush" server that keeps per-destination records
+ of deferred mail. It is the basis of a faster ETRN and
+ "sendmail -qRsite" implementation. This code was rewritten
+ half a dozen times.
+
+20000928
+
+ Bugfix: the stricter dns_lookup() argument checks revealed
+ that Postfix was doing DNS lookups for domain literals
+ ([ip.address]) when expanding aliases in MAIL FROM and RCPT
+ TO address parameters. Reported by Jim Littlefield. File:
+ smtp/smtp_unalias.c.
+
+ Documentation: added text on the biff=yes/no parameter to
+ conf/sample-local.cf (text provided by Paul Wagland,
+ relational-consultancy.com.
+
+ Robustness? Log errors from SASL library code as warnings
+ not as fatal errors. Files: smtp*/*glue.c.
+
+20001001
+
+ Feature: in master.cf, specify ? after wakeup time to avoid
+ waking up services that aren't being used.
+
+20001003
+
+ Feature: the fast flush refresh and purge time interval
+ parameters can now be specified in user-specified units by
+ providing an appropriate suffix: s (seconds), m (minutes),
+ h (hours), d (days), w (weeks). unit. This was needed so
+ that I could test the flush server code in a reasonable
+ way (its timeouts are normally specified in days or hours,
+ and I don't have that much time for testing). Other Postfix
+ time interval parameters will be migrated as time permits.
+ Files: conf/sample-flush.cf, global/mail_conf_time.c,
+ postconf/postconf.c.
+
+ Unfeature: qmgr_hog_factor is now disabled by default. It
+ was just too confusing. If you don't know what this means,
+ do not worry.
+
+20001005
+
+ Cleanup: after "postfix reload" do not penalize mail that
+ was in the active queue, but make it ready for immediate
+ delivery so that ETRN etc. works as intended. Files:
+ *qmgr/qmgr.c, *qmgr/qmgr_active.c.
+
+ Portability: Redhat 7 library interfaces have changed
+ incompatibly, which breaks existing software. File makedefs.
+
+ Consistency: the fallback_relay parameter did not understand
+ the [] or host:port syntax, and there was no way to suppress
+ MX record lookups. Files: smtp/smtp_addr.c, smtp/smtp_connect.c.
+
+ Convenience: you can now specify multiple SMTP destinations
+ in the relayhost or fallback_relay configuration parameters.
+ The specified destinations will be tried in the specified
+ order. File: smtp/smtp_connect.c.
+
+ Many typographical corrections by Matthias Andree.
+
+20001024
+
+ Documentation: the canonical, virtual etc. manual pages
+ did not document the effect of leading whitespace.
+
+20001025
+
+ Bugfix: virtual map expansion stopped too early with
+ self-referential aliases. Reported by Michael Douglass @
+ datafoundry.net. File: cleanup/cleanup_map1n.c.
+
+20001026
+
+ Horror: postmap and postalias (newaliases) silently lose
+ the file lock while building a lookup table with Berkeley
+ DB 2.x and later on Solaris, HP-UX, IRIX, and UNIXWARE.
+ The result is that table lookups fail while the table is
+ being built, so that mail is lost. In order to avoid this
+ misbehavior one has to use an undocumented feature that is
+ NOT available with the DB1.85 compatibility interface.
+ Therefore, Postfix now supports three Berkeley DB programming
+ interfaces of increasing complexity. File: util/dict_db.c.
+
+ Bugfix: some character manipulations were not portable for
+ signed/unsigned characters. Files: global/quote_821_local.c,
+ global/quote_822_local.c.
+
+ Workaround: apparently, some software sends SMTP mail that
+ begins with "From sender time-stamp". Sendmail silently
+ ignores such RFC violating garbage, and therefore Postfix
+ needs to jump another hoop. File: smtpd/smtpd.c.
+
+20001028
+
+ Bugfix: the flush server tried to access config files after
+ going to the chroot jail. Found by Lutz Jaenicke, TU-Cottbus.DE.
+ File: flush/flush.c.
+
+ Update: revised LDAP module from primary maintainer John
+ Hensley, with contributions from many other people. Files:
+ util/dict_ldap.c, LDAP_README.
+
+ Update: LINUX2 chroot setup script by Matthias Andree,
+ uni-dortmund.de.
+
+ Feature: specify unix:/path/name for LMTP connections over
+ UNIX-domain sockets, and specify inet:host or inet:host:port
+ for IPV4. If no unix: or inet: is specified, IPV4 is assumed.
+ File: lmtp/lmtp_connect.c.
+
+ Feature: added UNIX-domain support to the smtpstone test
+ programs in order to test the LMTP client UNIX-domain
+ support.
+
+20001030
+
+ Bugfix: further testing in preparation for 19991231-pl10
+ revealed that the DB map code was now broken for every
+ platform.
+
+20001031
+
+ Performance: the slow start (gradually increase number of
+ parallel connections to the same site) was too gentle and
+ Postfix would back off too quickly. Files: qmgr/qmgr_queue.c
+ and nqmgr/qmgr_queue.c.
+
+20001101
+
+ FAQ update by Ralph Hildebrandt.
+
+20001104
+
+ Portability: RedHat Linux has changed incompatibly, again.
+ Fixed with the help of Matthias Andree. File: makedefs.
+
+20001109
+
+ Cleanup: changed prototype of internal function that did
+ not return a useful result. File: src/util/vstream_popen.c.
+
+20001110
+
+ Workaround: the Debian post install script passes an open
+ file descriptor into the master server and waits forever.
+ Reported by Lamont Jones. File: master/master.c.
+
+20001114
+
+ Compatibility: added sendmail -G (gateway submission) option
+ for compatibility with the sendmail rmail command. Requested
+ by David Gilbert, Velocet Communications.
+
+20001116
+
+ Documentation: added MAILER-DAEMON to the list of sample
+ masquerade_exceptions settings in conf/sample-rewrite.cf.
+ Suggested by Karl O. Pinc, pop.artic.edu.
+
+ Performance: the slow start (gradually increase number of
+ parallel connections to the same site) was too gentle and
+ Postfix would back off too quickly. Files: qmgr/qmgr_queue.c
+ and nqmgr/qmgr_queue.c. Yup, changed the same code, again.
+ We now allow for a margin above the actual concurrency,
+ with the size of the initial destination concurrency.
+ Final solution by Patrik Rak.
+
+ Bugfix: the recipient home directory test broke mailbox_transport
+ support for non-UNIX recipients. File: local/recipient.c.
+
+20001117
+
+ Robustness: additional integrity tests for the nqmgr by
+ Patrik Rak. File: nqmgr/qmgr_message.c.
+
+20001118
+
+ Bugfix: the new LDAP client code did not work properly if
+ the new ldap_domain parameter was not specified. LaMont
+ Jones, HP. File: util/dict_ldap.c.
+
+ Feature: the soft_bounce safety net is extended to the SMTP
+ server. With "soft_bounce = yes", The SMTP server changes
+ all 5xx (reject) replies into 4xx (try again) replies.
+
+ Documentation: the virtual(5) man page now documents both
+ Postfix-style virtual domains and Sendmail-style virtual
+ domains, including their interaction with local usernames,
+ aliases and mailing lists. Hopefully, this ends some of
+ the confusion surrounding virtual domain support. Updated
+ several FAQ entries concerning virtual domain support.
+
+ Documentation: added FAQ entry for the biff service.
+
+20001119
+
+ Bugfix: per-destination queue names were case sensitive so
+ that the same site could have multiple queues. Reported
+ by Patrik Rak. Files: *qmgr/qmgr_message.c.
+
+20001120
+
+ Bugfix: per-destination deferred mail logfiles were case
+ sensitive so that the same site could have multiple deferred
+ mail logfiles, so that not all mail would be flushed with
+ ETRN. Reported by Ralph Hildebrandt. Files: flush/flush.c.
+
+ Portability: added (int) casts to printf-like arguments
+ that specify the width of %*letter conversions. On some
+ systems, sizeof and pointer difference expressions are
+ wider than an int. Reported by Valentin Nechayev @ lucky.net.
+
+20001121:
+
+ Compatibility: Postfix now retries delivery when an external
+ command is killed by a signal, because people expect such
+ behavior from Sendmail. File: global/pipe_command.c.
+
+20001123-30
+
+ Feature: mailbox locking is now configurable. The configuration
+ parameter name is "mailbox_delivery_lock". Depending on
+ the operating system one can specify one or more of "flock",
+ "fcntl" and "dotlock". Use "postconf -l" to find out what
+ locking methods Postfix supports. The default setting is
+ system dependent. All mailbox file opens are now done by
+ one central mbox_open() routine. This affects the operation
+ of the postlock command, and of local delivery to mailbox
+ or /file/name. Files: util/safe_open.c, util/myflock.c,
+ global/deliver_flock.c, global/mbox_conf.c, global/mbox_open.c.
+ local/mailbox.c, local/file.c, postlock/postlock.c.
+
+ Compatibility: the old sun_mailtool_compatibility parameter
+ is being phased out. It still works (by turning off
+ flock/fcntl locks), but logs a warning as a reminder that
+ it will go away.
+
+ Compatibility: when delivering to /file/name, the local
+ delivery agent now logs a warning when it is unable to
+ create a /file/name.lock file, and then delivers the mail
+ (older Postfix versions would silently deliver).
+
+20001202
+
+ Feature: specify "smtp_never_send_ehlo = no" to disable
+ ESMTP. Someone asked for this long ago. Files: smtp/smtp.c,
+ smtp/smtp_proto.c.
+
+ Feature? Bugfix? The smtp client now skips server replies
+ that do not start with "CODE SPACE" or with "CODE HYPHEN",
+ and flags them as protocol errors. Older versions silently
+ treat "CODE TEXT" as "CODE SPACE TEXT". File: smtp/smtp_chat.c.
+
+20001203
+
+ Documentation: postmap(1) and postalias(1) did not document
+ the process exit status for "-q key".
+
+20001204
+
+ Bugfix: the Postfix master daemon no longer imported
+ MAIL_CONF and some other necessary environment parameters.
+ Postfix now has explicit "import_environment" and
+ "export_environment" configuration parameters that control
+ what environment parameters are shared with non-Postfix
+ processes. Files: util/clean_env.c, util/spawn_command.c,
+ util/vstream_popen.c, global/pipe_command.c, and everything
+ that invokes this code.
+
+20001208
+
+ Bugfix: while processing massive amounts of one-recipient
+ mail, qmgr could deadlock for 10 seconds while sending a
+ bounce message. All queue manager bounce send requests are
+ now implemented asynchronously. Files: global/abounce.[hc]
+ (asynchronous bounce client), qmgr/qmgr_active.c. Problem
+ reported by El Bunzo (webpower.nl) and Tiger Technologies
+ (tigertech.com).
+
+20001209
+
+ Feature: mailbox_transport and fallback_transport can now
+ have the form transport:nexthop, with suitable defaults
+ when either transport or nexthop are omitted, just like in
+ the Postfix transport map. This allows you to specify for
+ example, "mailbox_transport = lmtp:unix:/file/name". File:
+ global/deliver_pass.c.
+
+20001210
+
+ Bugfix: the local_destination_concurrency_limit paramater
+ no longer worked as per-user concurrency limit but instead
+ worked as per-domain limit, so that the limit of "2" in
+ the default main.cf files resulted in poor local delivery
+ performance. Files: qmgr/qmgr_message.c, qmgr/qmgr_deliver.c.
+ Problem reported by David Schweikert (ee.ethz.ch) and Dallas
+ Wisehaupt (cynicism.com).
+
+20001210
+
+ Feature: support for MYSQL connections over UNIX-domain
+ sockets by Piotr Klaban. Files: util/dict_mysql.c,
+ MYSQL_README.
+
+20001211
+
+ Small dirt: postconf -m produced too much output due to a
+ missing "else", and the optional SASL code needed a fix
+ for the changed name_mask API.
+
+20001212
+
+ Workaround: due to an error, record type L for "filter
+ transport name" was the same as that for the already existing
+ record type L for "record not ending in newline", causing
+ the pickup daemon to discard all records not ending in
+ newline. The code cannot be changed without breaking
+ compatibility with queued mail, so the pickup server is
+ changed to discard type L records only from the message
+ envelope, not from the content. File: pickup/pickup.c.
+
+20001213
+
+ Bugfix: dict_ldap did not properly initialize a handle
+ after connection timeout. Problem reported by Alain Thivillon.
+ File: util/dict_ldap.c.
+
+20001214
+
+ Feature: local_transport and default_transport now also
+ understand the transport[:destination] notation, so that
+ all transport config parameters are similar again. File:
+ trivial-rewrite/resolve.c, trivial-rewrite/transport.c.
+
+ Code cleanup: mailbox_transport and fallback_transport no
+ longer allow the user to omit the transport part of a
+ transport:destination specification. That just did not make
+ any sense at all. The :destination part is still optional.
+ File: global/deliver_pass.c.
+
+ Feature: most time-related configuration parameters take
+ a one-letter suffix that specifies the time unit: s
+ (second), m (minutes), h (hours), d (days), w (weeks).
+ "postconf -d" output includes the default time unit. Files:
+ many.
+
+ Code cleanup: in a CONFIG_TIME_TABLE, the default time unit
+ is now always the last character of a default time value.
+ It is no longer necessary to specify the default time unit
+ separately. This change means that it will not be possible
+ to specify default values in the form of function calls,
+ but that was unused anyway. Files: global/mail_conf_time.c,
+ and user code.
+
+20001217
+
+ Bugfix: reorganized some code in the MYSQL client to end
+ a number of memory allocation/deallocation problems. This
+ code needs more work. File: dict_mysql.c.
+
+20001218
+
+ Bugfix: the MYSQL client did not provide function pointers
+ for unimplemented operations, causing "postmap -d" to dump
+ core instead if issuing an error message. This is what I
+ get for accepting code that I cannot test myself.
+
+20001221
+
+ Code cleanup: configuration parameters that are $name
+ expanded at run-time now have their own data type hierarchy
+ instead of being piggy-backed on top of strings that are
+ $name expanded at program initialization time. Files:
+ global/mail_conf.h, global/mail_conf_raw.c, and code that
+ calls it.
+
+20001230
+
+ Update: replaced the default rbl.maps.vix.com setting by
+ the current blackholes.mail-abuse.org.
+
+20010102
+
+ Code cleanup: the queue manager is a bit greedier with
+ allocating a delivery agent. Problem pointed out by Patrik
+ Rak. All bugs in the solution are mine. Files:
+ *qmgr/qmgr_active.c.
+
+20010105
+
+ Bugfix: the FILTER_README shell script example did not
+ correctly pass exit status to the parent.
+
+ Bugfix: soft errors in client hostname lookups would be
+ treated as hard errors. Fix by Michael Herrmann
+ (informatik.tu-muenchen.de). File: smtpd/smtpd_peer.c.
+
+20010110
+
+ Bugfix: the mkdir() EEXIST race condition workaround was
+ not complete. Matthias Andree, Daniel Roesen. Files:
+ global/mail_queue.c, util/make_dirs.c.
+
+20010111
+
+ Portability: IRIX 6.5.10 defines sa_len as a macro, causing
+ a name collision with a variable used by Postfix. Roberto
+ Totaro, enigma.ethz.ch. File: smtpstone/smtp-source.c.
+
+20010116
+
+ Bugfix: REJECT by header/body_checks was flagged in smtpd
+ as a bounce, should be policy, in order to make postmaster
+ notifications more consistent. File: smtpd/smtpd.c.
+
+ Merged updated chroot setup procedure by Matthias Andree.
+ Files: examples/chroot-setup/LINUX2.
+
+20010117
+
+ Formatting: changed the seconds and days formats in the
+ "your mail is delayed" text so that it does not switch to
+ scientific notation. File: bounce/bounce_notify_util.c.
+
+20010119
+
+ Feature: SASL support for the LMTP client. Recent CYRUS
+ software requires this for Postfix over TCP sockets.
+
+20010120
+
+ Bugfix: the 20001005 revised fallback_relay support caused
+ Postfix to send mail to the fallback even when the local
+ machine was an MX host for the final destination. Result:
+ mailer loop. Found by Laurent Wacrenier (teaser.fr). Files:
+ smtp/smtp_connect.c, smtp/smtp_addr.c.
+
+20010121
+
+ Workaround: specify "broken_sasl_auth_clients = yes" in
+ order to support old Microsoft clients that implement a
+ non-standard version of RFC 2554 (AUTH command).
+
+ Workaround: Lotus Domino 5.0.4 violates RFC 2554 and replies
+ to EHLO with AUTH=LOGIN. File: smtp/smtp_proto.c.
+
+20010125
+
+ Code cleanup: wrote creator/destructor for dictionary
+ objects that provides default methods that trap all attempts
+ to perform an unimplemented operation. Based on an ansatz
+ by Laurent Wacrenier (teaser.fr). Files: util/dict*.[hc].
+
+ Code cleanup: INSTALL.sh does not ask questions when stdin
+ is not connected to a tty (as in: make install</dev/null).
+ To automate a customized install, the script imports
+ environment variables for install_root etc.
+
+20010127
+
+ Workaround: randomize the delay between attempts to lock
+ a file, so that multiple bounce or defer servers are less
+ likely to retry all at the same time. likely. File:
+ util/rand_sleep.c, global/deliver_flock.c, global/dot_lockfile.c.
+
+20010128
+
+ Code cleanup: complaints about invalid or numeric hostnames
+ either provide specific context or are removed as redundant.
+ Files: util/valid_hostname.c dns/dns_lookup.c.
+
+ Code cleanup: new mailbox_size_limit parameter (default:
+ 20MB). Until now, the mailbox size limit was the same as
+ the message size limit, due to artefact of implementation.
+ Files: global/mail_params.h, local/local.c.
+
+ Bugfix: fix for the ldap_domains parameter, both semantics
+ and documentation by LaMont Jones. Files: LDAP_README,
+ conf/sample-ldap.cf, util/dict_ldap.c.
+
+ Update: merged in the virtual delivery agent by Andrew
+ McNamara. See VIRTUAL_README for detailed examples.
+
+ Update: merged a re-vamped nqmgr by Patrik Rak.
+
+20010129
+
+ Tweak: several little nqmgr tweaks by Patrik Rak. Files:
+ global/mail_params.h, nqmgr/qmgr_job.c.
+
+ Bugfix: the virtual delivery agent did not save maps_find()
+ results timely. J?rgen Thomsen, postfix.jth.net. File:
+ virtual/mailbox.c.
+
+ Security: disallow regexp tables in the virtual delivery
+ agent. The $1 etc. substitution mechanism gives too much
+ power to the sender. File: virtual/mailbox.c.
+
+ Cleanup: clarified documentation and boundary cases in the
+ random_sleep() routine.
+
+ Bugfix: the MISSING_USLEEP feature was used backwards.
+ Patrik Rak. File: util/random_sleep.c.
+
+20010130
+
+ Workaround: Linux usleep() is void, BSD/Solaris usleep()
+ returns int, don't use it. File util/random_sleep.c.
+
+ Made local maildir bounce/defer handling mode consistent
+ with local mailbox delivery. File local/maildir.c.
+
+ The smtp client now defers delivery when all MX hosts have
+ no A record. File: smtp/smtp_addr.c
+
+ Bundled the man2html and postlink quick hacks so people
+ can do their own manual page processing. See scripts in
+ the mantools directory.
+
+ Documentation: updated the reference to sendmail in the
+ html/index.html page.
+
+ Documentation: added note about the Cisco PIX "fixup smtp"
+ bug that causes mail delivery problems when "." and "CRLF"
+ arrive in separate packets. File: html/faq.html.
+
+20010201
+
+ Bugfix: another missing initialization in the mysql client.
+ File: util/dict_mysql.c.
+
+ Sanitized time routine by Patrik Rak, to make his nqmgr
+ robust against people who set their clock back. Files:
+ util/sane_time.[hc].
+
+ Bumped the default mailbox file size limits to 50MB.
+
+20010202
+
+ Bugfix: fixed the way the master resets the file size limit
+ to avoid problems when a Postfix daemon updates a queue
+ file. The file size limit is now increased to INT_MAX if
+ it is smaller than INT_MAX, so that it is less likely to
+ interfere than the old setting of message_size_limit.
+
+ Feature: disable mailbox size limits for the local and
+ virtual delivery agents by setting mailbox_size_limit or
+ virtual_mailbox_limit to zero.
+
+20010203
+
+ Update: null candidate patch from Patrik Rak. Files:
+ nqmgr/qmgr_entry.c nqmgr/qmgr_job.c nqmgr/qmgr_message.c.
+
+ Cleanup: added one gruesome command to the postlink script
+ for hyperlinking nroff manual page output. Word abbreviation
+ broke some <a href...> </a> instances across line boundaries.
+ sed(1) is an amazing tool. File: mantools/postlink.
+
+20010204
+
+ Laid the ground work for logging of table accesses. This
+ will give more insight into how Postfix uses its lookup
+ tables. User interface comes later. File: util/dict_debug.c.
+
+20010216
+
+ Bugfix: the pipe delivery agent expanded $size as if it
+ were a recipient, instead of expanding it as $nexthop or
+ as $sender. Reported by Michael Tokarev. File: pipe/pipe.c.
+
+20010221
+
+ Bugfix: poor LMTP performance for domains that are listed
+ in $mydestination, because Postfix would send one recipient
+ at a time, with multiple deliveries of recipients of the
+ same message in parallel; a similar problem could exist
+ with virus scanning and with firewall relay hosts that
+ forward mail for $mydestination to an inside machine. This
+ behavior is now changed to depend on the transport-specific
+ xxx_destination_recipient_limit parameter. This also means
+ that you can now get qmail behavior for SMTP deliveries by
+ setting smtp_destination_recipient_limit=1. File:
+ {qmgr,nqmgr}/qmgr_message.c.
+
+ Workaround: Solaris socketpair() can fail with EINTR. Added
+ a sane_socketpair.c module that joins the ranks of the
+ other sane_whatever workarounds. Reported by Andrew McNamara.
+ File: util/sane_socketpair.[hc]
+
+20010222
+
+ Documentation: the default main.cf file has a prominent
+ warning that mynetworks should be properly configured in
+ order to reject unauthorized mail relay requests from
+ strangers.
+
+ Documentation: the INSTALL document, section "mandatory
+ configuration file edits" has a section that explains that
+ mynetworks should be properly configured in order to reject
+ unauthorized mail relay requests from strangers.
+
+20010223
+
+ Documentation: the basic.html document has a section that
+ explains that mynetworks should be properly configured in
+ order to reject unauthorized mail relay requests from
+ strangers.
+
+ Feature: new "mynetworks_style" parameter that controls
+ how mynetworks (trusted networks) is derived from the
+ inet_interfaces (machine interfaces) setting. Specify
+ "class" for entire class A, B, C networks; "subnet" for
+ the local subnets only; or "host" for maximal privacy.
+ Files: util/inet_addr_local.[hc], global/own_inet_addr.[hc],
+ global/mynetworks.[hc], postconf/postconf.c.
+
+ Portability: MACOSX patches by Gerben Wierda.
+
+ Portability: Solaris /dev/null is a symlink, which tripped
+ up the code to safely open a file before local delivery.
+ We now grudgingly allow symlinks owned by root. File:
+ util/safe_open.c.
+
+20010224
+
+ Bugfix: "postconf mynetworks" ignored the inet_interfaces
+ setting. That was a very old one. File: postconf/postconf.c.
+
+ INCOMPATIBLE CHANGE: POSTFIX NO LONGER RELAYS MAIL FOR
+ CLIENTS IN THE ENTIRE CLASS A/B/C NETWORK. POSTFIX BY
+ DEFAULT RELAYS MAIL FOR CLIENTS IN THE LOCAL SUBNETWORK.
+ Specify "mynetworks_style = class" to get the old behavior.
+
+20010225
+
+ Portability: master sigchld handler based on writing to a
+ pipe, so that the master wakes up from select(). Based on
+ code by Erik Forsberg, Linkoping University, Sweden. File:
+ master/master_sig.c. Disabled until after the major release.
+
+ Code cleanup: Postfix should now run with no alias database.
+
+ Code cleanup: local_destination_recipient_limit and
+ local_destination_concurrency_limit have become first-class
+ configuration parameters. Files: global/mail_params.h,
+ *qmgr/qmgr.c, postconf/postconf.c.
+
+20010226
+
+ Documentation suggestions by Lars Hecking and Richard
+ Huxton, Matthias Andree and many others.
+
+ Code cleanup: some queue/transport operations need to be
+ moved, after the code cleanup of the recipient/concurrency
+ limit handling. Patrik Rak. Files: *qmgr/qmgr_message.c.
+
+20010301
+
+ Feature: configurable name in syslog output (default:
+ "syslog_name = postfix") so that different Postfix instances
+ can be recognized by their logging. File: global/mail_task.c.
+
+20010313
+
+ Workaround for logic mismatch in nqmgr that was exposed
+ with the introduction of the asynchronous bounce client.
+ Patrik Rak.
+
+20010313
+
+ Bugfix: the RFC 822 untokenizer quoted newlines inside
+ comments. File: global/tok822_parse.c.
+
+20010316
+
+ Cleanup: removed an extraneous warning when a queue file
+ write error happened.
+
+20010321
+
+ Workaround: LMTP connection caching never worked for
+ destinations starting with unix: or inet:. File:
+ lmtp/lmtp_connect.c.
+
+20010322
+
+ Portability: Solaris <2.6 does not have srandom() and
+ random() in libc. File: util/rand_sleep.c. It does not have
+ to be cryptographically strong.
+
+ Bugfix: the fast ETRN flush server could not handle [ipaddr]
+ or domain names with one-character hostname part. This
+ fix changes the destination to logfile name mapping, so
+ that you need to populate the new files with "sendmail -q".
+ The old files go away automatically. File: flush/flush.c.
+
+20010327
+
+ Speed up mailq (sendmail -bp) display by flushing output
+ after each file. File: showq/showq.c.
+
+ Portability: missing string.h includes, %p wants (void *),
+ Lamont Jones, HP.
+
+20010328
+
+ Bugfix: swapped logic caused cleanup to stall when the
+ queue file size exceeded the file size limit by less than
+ one the VSTREAM buffer size, so that the "file too big"
+ was detected after flushing the last queue file record.
+ File: cleanup/cleanup.c.
+
+20010329
+
+ Portability: workaround for missing prototype problem in
+ dict_ldap.c. This module should move to the global directory,
+ because it depends on Postfix main.cf parameter information.
+
+ Workaround: after sending a trigger message over a socket,
+ do not immediately close the client side, but close it from
+ a background thread that waits until the server closes the
+ socket first. This avoids trouble with socket implementations
+ that destroy a socket when the client closes a socket before
+ the server has received the client's data. Files:
+ util/{inet,unix,stream}_trigger.c, util/events.c,
+ master/master_trigger.c, postkick/postkick.c.
+
+20010403
+
+ Workaround: the mysql library can return null pointers
+ rather than zero-length strings. File: util/dict_mysql.c.
+
+20010404
+
+ Ergonomics: log additional information about the reason
+ why "mail for XXX loops back to myself" when the local
+ machine is the best MX host. File: smtp/smtp_addr.c.
+
+20010406
+
+ Changed some noisy LDAP client warnings into optional
+ logging. LaMont Jones, util/dict_ldap.c.
+
+20010411
+
+ Bugfix: the SMTP server now replies with 550 instead of
+ 503 when it receives the DATA command without having received
+ a valid recipient address. This is needed for the Sendmail
+ client-side pipelining implementation. Problem reported by
+ Lutz Jaenicke. File: smtpd/smtpd.c.
+
+ Cleanup: shut up if chattr fails on Reiserfs and other file
+ systems that do not support the respective attributes.
+ Files: conf/postfix-script-{no,}sgid.
+
+20010413
+
+ Ergonomics: Postfix applications now warn when a DB or DBM
+ file is out of date, and recommend to rebuild the table.
+ Files: util/dict_db.c, util/dict_dbm.c.
+
+20010414
+
+ Feature: specify a key of "-" to the postmap or postalias
+ -q or -d option, and the keys will be read from standard
+ input, one key per line. Files: postmap/postmap.c,
+ postalias/postalias.c.
+
+ Bugfix: with a non-default inet_interfaces setting, the
+ master ignored host information in master.cf host:port
+ settings. Fix by Jun-ichiro itojun Hagino @ iijlab.net.
+ Files: master/master.h, master/master_ent.c.
+
+20010426
+
+ Bugfix: the SMTP server did not parse invalid MAIL FROM or
+ RCPT TO addresses such as <first last <user@domain>> the
+ way it was supposed to do. I thought this was taken care
+ of years ago. File: smtpd/smtpd.c.
+
+20010427
+
+ Bugfix: smtpd would reject mail instead of replying with
+ a 4xx temporary error code when, for example, an LDAP or
+ mysql server was unavailable. Remotely based on a fix by
+ Robert Kiessling @ de.easynet.net. File: smtpd/smtpd_check.c.
+
+20010429
+
+ Feature: the Postfix SMTP client now by default randomly
+ shuffles destination IP addresses of equal preference.
+ Specify "smtp_randomize_addresses = no" to disable.
+ Shuffling code by Elias Levy @ SecurityFocus.com Files:
+ dns/dns_rr.c, smtp/smtp_addr.c.
+
+20010501
+
+ Bugfix: The SMTP server's 550 in reply to DATA should be
+ a 554 response. And it wasn't Sendmail. Claus Assman.
+
+ Bugfix: the INSTALL.sh test for non-interactive upgrade
+ broke rooted installations that specify settings via the
+ environment. Simon Mudd.
+
+ Bugfix: mailq output is now really flushed one message at
+ a time. File: sendmail/sendmail.c.
+
+ Feature: "postsuper -d queueID" deletes one message queue
+ file; "postsuper -d -" reads zero or more queue IDs from
+ standard input, and deletes one instance of each file.
+ File: postsuper/postsuper.c.
+
+ Code cleanup: in order to make postsuper -d safe with a
+ running Postfix mail system, some routines had to be made
+ tolerant for sudden queue file disappearances. Files:
+ global/deliver_request.c, *qmgr/qmgr_move.c.
+
+ Code cleanup: in order to make postsuper -d more usable,
+ the showq command was extended to safely list the possibly
+ world-writable maildrop directory. File: showq/showq.c.
+
+20010504
+
+ Feature: postsuper -d will also delete defer and bounce
+ logfiles when the named queue file is found.
+
+20010505
+
+ RFC 2821 feature: an SMTP server must reset all buffers
+ upon receipt of EHLO. File: smtpd/smtpd_check.c.
+
+ RFC 2821 feature: an SMTP server must accept a recipient
+ address of "postmaster" without domain name. File:
+ smtpd/smtpd_check.c.
+
+ RFC 2821 recommendation: reply with 503 to commands sent
+ after 554 greeting. File: smtpd/smtpd.c.
+
+ RFC 2821 recommendation: if VRFY is enabled, list it in
+ the EHLO response. File: smtpd/smtpd.c.
+
+ RFC 2821 recommendation: SMTP clients should use EHLO.
+ The default setting of smtp_always_send_ehlo has changed
+ from 0 (send EHLO if server greets with ESMTP) to 1 (always
+ send EHLO). In all cases, Postfix falls back to HELO if
+ the server does not support EHLO. File: smtp/smtp_proto.c.
+
+20010507
+
+ Bugfix: with soft_bounce=yes, the SMTP server would log
+ 5xx replies even though it would send 4xx replies to the
+ client (Phil Howard, ipal.net). File: smtpd/smtpd_check.c.
+
+20010515
+
+ Compatibility: Microsoft sends "AUTH=MBS_BASIC LOGIN".
+ Updated the parsing code in smtp/smtp_proto.c. Problem
+ reported by Ralf Tessmann, Godot GmbH.
+
+20010520
+
+ Standard: deleted the non-standard "via" portion from
+ Received: headers generated by Postfix bounce or other
+ notification processes. File: global/post_mail.c.
+
+ Robustness: eliminated stack-based recursion from the RFC
+ 822 address parser. File: global/tok822_parse.c.
+
+ Standard: annotated the source code with comments based on
+ RFC 2821 and 2822. Not all the RFC changes make sense.
+
+ RFC 2821 recommendation: treat a RCPT 552 reply as if the
+ server sent 452. Files: smtp/smtp_proto.c, lmtp/lmtp_proto.c.
+
+ Cleanup: moved ownership of the debug_peer parameters from
+ the applications to the library, so that a Postfix shared
+ library does not suffer from undefined references. Files:
+ smtp/smtp.c, lmtp/lmtp.c, smtpd/smtpd.c, global/mail_params.c.
+ LaMont Jones, for Debian.
+
+20010522
+
+ Feature: "postsuper -r queueID" re-queues a message, and
+ "postsuper -r ALL" re-queues all mail. The message is moved
+ to the maildrop queue so that the pickup daemon will copy
+ it to a new queue file, and so that address rewriting will
+ be done again. This is useful after changes of address
+ rewriting or virtual mappings.
+
+ Feature: "postsuper -d ALL [queue-name]" deletes a bunch
+ of mail.
+
+20010523
+
+ Feature: "postsuper -s" (which is done by default) renames
+ queue files whose name (queue ID) does not match the message
+ file inode number.
+
+ Bugfix: memory leak in the LDAP client module. Alain
+ Thivillon, France Teaser - Groupe Firstream.
+
+20010525
+
+ Portability: gcc 2.6.3 does not have __attribute__ (Clive
+ Jones, dgw.co.uk). File: util/sys_defs.h.
+
+ Bugfix: the SMTP and LMTP clients claimed that a queue file
+ needed to be delivered again (even when all recipients were
+ erased from the queue file) when no QUIT or RSET reply was
+ received (by default, this does not happen with SMTP mail
+ because the SMTP client does not wait for QUIT replies and
+ does not send RSET to deliver mail). As a result of the
+ same bug the LMTP client followed a dangling pointer when
+ sending QUIT after process idle timeout while the LMTP
+ server had disconnected. Files: smtp/smtp_proto.c,
+ lmtp/lmtp_proto.c.
+
+20010526
+
+ newaliases no longer complains when an empty list is
+ specified with the alias_database configuration parameter.
+ File: sendmail/sendmail.c.
+
+20010529
+
+ Workaround: old PIX firewall code messes up when the final
+ ".<CR><LF>" at the end of DATA spans a packet boundary.
+ When Postfix detects PIX SMTP fixup mode, Postfix flushes
+ the output buffers before sending the final ".<CR><LF>".
+ File: smtp/smtp_proto.c.
+
+20010530
+
+ Portability: updated code for Mac OS X, accounting for the
+ post-Beta changes. Code by Joe Block, UCF School of
+ Optics/CREOL.
+
+20010601
+
+ Safety: postdrop turns off interrupts when cleaning up
+ after interrupt. The additional safety does not hurt anyone.
+ File: src/postdrop/postdrop.c.
+
+20010607
+
+ Safety: dropped the RFC 2821 compliant code that treats
+ 552 RCPT TO replies as 452. It created more problems than
+ it solved. Files: smtp/smtp_proto.c, lmtp/lmtp_proto.c.
+
+ Logging: the SMTP server now logs a warning if RBL lookups
+ have problems other than "not found". file: smtpd/smtpd_check.c.
+
+20010610
+
+ Feature: address quoting and case folding flags for the
+ pipe(8) mailer.
+
+20010611
+
+ Workaround: some MTAs fall on their face when they receive
+ unexpectedly long lines. From now on, Postfix defaults to
+ breaking long lines at 2048 (like Sendmail so it has got
+ to be right). To get the old, content preserving, behavior
+ specify "smtp_truncate_lines = no". File: smtp/smtp_proto.c.
+
+20010614
+
+ Bugfix: did not really undo 2821 552->452 mapping.
+
+20010628
+
+ Bugfix: postfix-script used a hard-coded maildrop group
+ owner instead of using the install-time specified name
+ stored in /etc/postfix/install.cf. Problem reported by
+ David Terrell @ meat.net.
+
+20010701
+
+ Feature: mail_spool_directory ending in / causes maildir
+ style delivery.
+
+ Bugfix: the FreeBSD kernel parameters kern.ipc.nmbclusters
+ and kern.ipc.maxsockets cannot be set with sysctl commands.
+ File: html/faq.html. Len Conrad @ Go2France.com.
+
+ Cleanup: the virtual delivery agent was poorly integrated
+ so that the SMTP server and queue manager did not reject
+ mail for unknown users. Files: smtpd/smtpd_check.c.
+
+20010705
+
+ Feature: QMQP server, compatible with qmail and the ezmlm
+ list manager. Files: util/netstring.[hc], qmqpd/qmqpd*.c.
+
+20010706
+
+ Feature: QMQP stress test message generator program. Files:
+ smtpstone/qmqp-source.c, smtpstone/qmqp-sink.c.
+
+20010708
+
+ Bugfix: with disable_dns=yes, the SMTP client treated all
+ host lookup errors as permanent. File: smtp/smtp_addr.c.
+
+20010709
+
+ Feature: VERP support, based on a patch by Peng Yong, and
+ with the missing parts filled in so that the Postfix bounce
+ daemon can send one VERP bounce per undeliverable recipient.
+ Files: , sendmail/sendmail.c, smtpd/smtpd.c, qmgr/qmgr_deliver.c,
+ bounce/bounce_notify_verp.c, qmqpd/qmqpd.c, plus a couple
+ support routines in the global library.
+
+ Cleanup: with recipient_delimiter=+ (or any character other
+ than -) Postfix will now recognize address extensions even
+ with owner-foo+extension addresses. This is necessary to
+ make VERP work for mailing lists.
+
+20010710
+
+ Bugfix: potential memory leak in the queue managers with
+ the new VERP delimiter record. Fix by Patrik Rak.
+
+20010711
+
+ Cleanup: you can now specify the VERP delimiter characters
+ on the sendmail(1) command line, but they are still optional.
+
+ Safety: with maildir style delivery and with hashed mailboxes
+ the system mail spool directory must not be world writable.
+
+20010713
+
+ Safety: the verp_delimiter_filter parameter (default: -=+)
+ limits what characters Postfix accepts as VERP delimiter
+ characters.
+
+20010714
+
+ Logging: the queue manager now logs a "status=expired"
+ record when it returns a message that is too old. Files:
+ *qmgr/qmgr_active.c.
+
+20010719
+
+ Feature: stiffer coupling between mail receiving rates and
+ mail delivery rates, using a trivial token-based scheme,
+ implemented by reading and writing an in-memory pipe. The
+ queue manager produces one token when it retrieves mail
+ from the incoming queue. The cleanup daemon consumes one
+ token when it adds mail to the incoming queue. If no token
+ is available the cleanup server pauses for $in_flow_delay
+ seconds and proceeds anyway. The delay allows mail sending
+ process to catch up and access the disk while not blocking
+ inbound mail. Valid delays are 0..10 seconds.
+
+20010727
+
+ Bugfix: updated LDAP client module from LaMont Jones, HP.
+ This also introduces new LDAP query filter patterns: %u
+ (address localpart) and %d (domain part). Files:
+ conf/sample-ldap.cf, util/dict_ldap.c.
+
+20010729
+
+ Bugfix: recursive smtpd_whatever_restrictions clobbered
+ intermediate results when switching between sender and
+ recipient address restrictions. Problem found by Victor
+ Duchovni, morganstanley.com. In order to fix, introduced
+ address resolver result caching, which should also help to
+ speed up sender/recipient address restriction processing.
+
+ Bugfix: the not yet announced DUNNO access table lookup
+ result did not prevent lookups with substrings of the same
+ lookup key. Found by Victor Duchovni, morganstanley.com.
+
+20010730
+
+ Robustness: trim trailing whitespace from regexp and pcre
+ right-hand sides, for consistency with DB/DBM tables.
+ Files: util/dict_pcre.c, util/dict_regexp.c.
+
+20010731
+
+ Robustness: eliminate duplicate IP addresses after expansion
+ of hostnames in $inet_interfaces, so that Postfix does not
+ suddenly refuse to start up after someone changes the DNS.
+ Files: util/inet_addr_list.c global/own_inet_addr.c.
+
+ Feature: specify "disable_verp_bounces = yes" to have
+ Postfix send one RFC-standard, non-VERP, bounce report for
+ multi-recipient mail, even when VERP style delivery was
+ requested.
+
+20010801
+
+ Bugfix: postconf was using unexpanded values internally
+ for myhostname, inet_interfaces, and mynetworks_style.
+ This broke the "postconf -d" mynetworks computation. File:
+ postconf/postconf.c.
+
+20010803
+
+ Feature: masquerade_classes parameter for fine control of
+ address masquerading. The default setting is backwards
+ compatible: envelope_sender header_sender header_recipient.
+ Files: cleanup/whatever.c.
+
+20010822
+
+ Code cleanup: the bounce daemon complained about data that
+ it was not going to send back anyway. Fix: stop reading
+ the original message when the bounce message reaches the
+ bounce message size limit. File: bounce/bounce_notify_util.c.
+
+20010826
+
+ Logging: postsuper now logs the queue ID when it requeues
+ a message, or when it deletes a message from the mail queue.
+ File: postsuper/postsuper.c.
+
+20010830
+
+ Safety: the SMTP server now sends a 4xx (try again later)
+ response when an UCE restriction is misconfigured, instead
+ of ignoring the bad restriction and possibly accepting mail
+ that it should not accept. File: smtpd/smtpd_check.c.
+
+20010907
+
+ Workaround: the Postfix qmqp-source program produced mail
+ not ending in newline. qmail-qmqpd accepts such mail, but
+ qmail-remote is unable to deliver it. Matthias Andree,
+ uni-dortmund.de. File: smtpstone/qmqp-source.c.
+
+20010910
+
+ Bugfix: the smtp-sink stress test program broke when RCPT
+ TO commands crossed network packet boundaries. Problem
+ reported by Matthias Andree, uni-dortmund.de. File:
+ smtpstone/smtp-sink.c.
+
+20010917
+
+ Code cleanup: permit_mx_backup implements the old behavior
+ (accept mail if the local MTA is MX relay), and allows an
+ additional restriction via the permit_mx_backup_networks
+ parameter (accept mail only if the primary MX hosts match
+ the specified list of network blocks). This second restriction
+ is now entirely optional, for backwards compatibility.
+
+ Bugfix: an address extension could be appended multiple
+ times to the result of a canonical or virtual map lookup.
+ File: global/mail_addr_map.c. Fix by Victor Duchovni,
+ Morgan Stanley.
+
+ Bugfix: split_addr() would split an address even when there
+ was no data before the recipient delimiter. In combination
+ with the above bug, this could cause an address to grow
+ exponentially in size. Problem reported by Victor Duchovni,
+ Morgan Stanley. File: global/split_addr.c.
+
+20010918
+
+ Bugfix: the mail_addr_map() fix was almost but not quite
+ right. It took two clever people and several iterations of
+ email to really fix the mail_addr_map() problem. Thanks
+ to Victor Duchovni and Liviu Daia.
+
+20011006
+
+ Cleanup: Postfix no longer flushes the whole deferred queue
+ after an ETRN request for a random domain name (i.e. a
+ domain name not matched by $fast_flush_domains); the SMTP
+ server instead replies with "459 service unavailable".
+ Files: smtpd/smtpd.c, global/flush_clnt.c, flush/flush.c.
+
+20011008
+
+ Bugfix: there was a minute memory leak when an smtpd access
+ restriction was misconfigured. File: smtpd/smtpd_check.c.
+
+20011010
+
+ Code cleanup: Postfix daemons now print the name of the
+ UNIX-domain socket (instead of "unknown stream") in case
+ of a malformed client request. Files: master/*server.c.
+
+20011010-14
+
+ Code cleanup: replaced the ugly mail_print() and mail-scan()
+ protocols by (name,value) attribute lists. This gives better
+ error detection when we make changes to internal protocols,
+ and allows new attributes to be introduced without breaking
+ everything immediately. Files: util/attr_print.c util/attr_scan.c
+ global/mail_command_server.c global/mail_command_client.c
+ as wel as most Postfix applications and daemons.
+
+20011015
+
+ Put base 64 encoding into place on the replaced internal
+ protocols. Files: util/base64_code.[hc].
+
+ Feature: header/body REJECT rules can now provide text that
+ is sent to the originator. Files: cleanup/cleanup.c,
+ cleanup/cleanup_message.c, conf/sample-filter.cf.
+
+20011016
+
+ Bugfix: As of 20000625, Errors-To: was broken, because the
+ code to extract the address was not moved from recipient
+ address rewriting to sender address rewriting. Problem
+ reported by Roelof Osinga @ nisser.com. File:
+ cleanup/cleanup_message.c.
+
+20011029
+
+ Bugfix: virtual map expansion terminated early because the
+ detection of self-referential entries was flawed. File:
+ cleanup/cleanup_map1n.c.
+
+20011031
+
+ Bugfix: mail_date() mis-formatted negative time zone offsets
+ with fractional hours (-03-30 instead of -0330). Fix by
+ Chad House, greyfirst.ca. File: global/mail_date.c.
+
+20011102
+
+ Feature: new -f option to postmap and postalias (do not
+ lowercase the lookup key while creating a table). Files:
+ util/dict.h postmap/postmap.c postalias/postalias.c.
+
+ Code cleanup: simplified the attribute print/scan routines,
+ and removed the never-used support for sending and receiving
+ integer arrays and string arrays. Files: util/attr_print.c,
+ util/attr_scan.c.
+
+ Bugfix: qmqpd could read past the end of a string while
+ looking for qmail's VERP magic token in the envelope sender
+ address. File: qmqpd/qmqpd.c.
+
+ Code cleanup: finished testing the new internal protocols.
+ The only bug was with the flush server, which still needs
+ to support the old (string + null byte) protocol for triggers
+ from the Postfix master daemon.
+
+20011103
+
+ Bugfix: Postfix would log the wrong error text when locally
+ submitted mail was deferred due to "soft_bounce = yes".
+
+ Bugfix: The LDAP client dropped any entries that don't have
+ the result_attribute, but errored out when a DN didn't
+ exist. The behavior is now consistent: treat non-existant
+ DN's in a special result attribute expansion the same as
+ DN's with no attribute. LaMont Jones, HP.
+
+20011104
+
+ Bugfix: the new smtp-sink -n option (terminate after the
+ specified number of deliveries) wasn't optional.
+
+ Portability: updated Mac OS X documentation and install
+ scripts by Gerben Wierda.
+
+20011105
+
+ Bugfix: missing terminator in new attribute-based function
+ call caused signal 11. File: src/cleanup/cleanup.c.
+
+ Lame workaround for ESTALE errors with mail delivery over
+ NFS. Additional bandages were added to the local delivery
+ agent. However, Wietse maintains that Postfix offers no
+ guarantee for reliable delivery over NFS.
+
+ Feature: put "warn_if_reject" before an smtpd restriction,
+ and that restriction logs warnings without rejecting mail.
+ This makes it easier to test configurations "live" without
+ having to lose mail. File: smtpd/smtpd_check.c.
+
+20011107
+
+ Workaround: in order to get mail past PIX firewall bugs,
+ the Postfix SMTP client now blocks until the socket send
+ buffer is empty before sending the final ".<CR><LF>". Files:
+ util/sock_empty_wait.c, smtp/smtp_proto.c. Changed into
+ sleep(10) on 20011119. Sleep suggested by Hobbit.
+
+20011108
+
+ Feature: added string-null encoding for internal protocols.
+ Files: util/attr_print0.c, util/attr_scan0.c.
+
+ Feature: configurable parent domain matching for domain
+ and hostname/address match lists: either .domain or the
+ domain name itself. Files: util/match_ops.c util/match_list.c
+
+ Feature: added pretend-to-be-behind-PIX mode to the smtp-sink
+ test program, in order to stress test some PIX bug workaround
+ code.
+
+20011109
+
+ Workaround: Linux and Solaris systems have no reasonable
+ way to block until a socket drains. On these systems Postfix
+ simply waits for 10 seconds, in order to work around PIX
+ ".<CR><LF>" bugs. File: util/sock_empty_wait.c.
+
+20011114
+
+ Bugfix: reset the smtpd command transaction log between
+ deliveries. File: smtpd/smtpd.c.
+
+20011115
+
+ Feature: mailbox_command_maps no longer requires that every
+ user has an entry. If the user does not have a command
+ entry, the local delivery agent tries the other delivery
+ methods (mailbox_command, home_mailbox). File: local/mailbox.c.
+
+ Bugfix: reset the smtpd command transaction log between
+ non-deliveries. File: smtpd/smtpd.c.
+
+20011116
+
+ Bugfix: consolidated all the command transaction log resets
+ and eliminated one missing reset (Victor Duchovni, Morgan
+ Stanley). File: smtpd/smtpd.c.
+
+20011118
+
+ Cleanup: replaced unnecessary match_list wrapper code by
+ macros. Files: global/{string,domain,namadr}_list.[hc].
+
+20011119
+
+ Feature: configurable parent domain matching strategy for
+ transport map lookups. File: trivial-rewrite/transport.c.
+
+ New parent_domain_matches_subdomains parameter. This lists
+ all the Postfix features where a domain name matches itself
+ and all its subdomains (instead of requiring ".domain.name"
+ for subdomain matches). Planning for future backwards
+ compatibility :-) File: global/match_parent_style.c.
+
+ Workaround: simplified the PIX ".<CR><LF>" bug to always
+ sleep for 10 seconds. File: smtp/smtp_proto.c.
+
+20011120
+
+ Workaround: disable attribute string length restriction so
+ that trivial-rewrite does not refuse to rewrite broken mail
+ headers. Files: util/attr_scan*.c.
+
+20011121
+
+ Bugfix: missing long integer support in the new IPC protocols.
+ Files: util/attr_scan*.c, util/attr_print*.c.
+
+ Portability: AIX5 (Adrian P. van Bloois), MAC OS X 10.1.1
+ (Gerben Wierda).
+
+20011125
+
+ Bugfix: spurious postmaster notifications because some flag
+ was not reset.
+
+ Feature: new parameter smtpd_sender_login_maps that specifies
+ the (SASL) login name that owns a MAIL FROM address.
+ Specify a regexp table in order to require a simple one-to-one
+ mapping. This is used in the reject_sender_login_mismatch
+ sender anti-spoofing feature.
+
+ Feature: restriction reject_sender_login_mismatch refuses
+ a MAIL FROM address when $smtpd_sender_login_maps specifies
+ an owner but the client is not (SASL) logged in as the MAIL
+ FROM address owner, or when a client is (SASL) logged in
+ but the client login name does not own the MAIL FROM address
+ according to $smtpd_sender_login_maps. File: smtpd/smpd_check.c.
+
+ Documentation: added some redundancy to the LMTP_README
+ file so people can keep track of the difference between
+ the Postfix LMTP client and the non-Postfix LMTP server.
+
+20011126
+
+ Feature: smtpd_noop_commands specifies a list of commands
+ that are treated as NOOP (no operation) commands, without
+ syntax check or state change. File: smtpd/smtpd.c.
+
+ Bugfix: the "mark queue file as corrupt" code did not work
+ because it was never used. Files: global/mark_corrupt.c,
+ global/mail_copy.c, global/pipe_command.c, *qmgr/qmgr_active.c,
+ local/maildir.c, local/mailbox.c, local/command.c, pipe/pipe.c,
+ virtual/mailbox.c, virtual/maildir.c.
+
+ Bugfix: the bounce daemon broke in the unlikely case of a
+ non-existing queue file. File: bounce/bounce_notify_util.c.
+
+20011127
+
+ Feature: added WARN command to header/body_checks files as
+ proposed by Michael Tokarev. File: cleanup/cleanup_message.c.
+
+ Bugfix: the postdrop program was broken after the change
+ of Postfix internal protocols. This broke "sendmail -bs"
+ mail submissions with "secure" maildrop directory. Reported
+ by Craig Loomis, apo.nmsu.edu. File: postdrop/postdrop.c.
+
+ Feature: a first start at fault injection for testing
+ unlikely error scenarios (such as corrupt queue files).
+ Parameter: fault_injection_code, must be left at zero for
+ production use.
+
+20011128
+
+ Robustness: add a file size limit to the sendmail and
+ postdrop submission programs to stop run-away process
+ accidents. This is not a defense against DOS attack. Files:
+ sendmail/sendmail.c, postdrop/postdrop.c.
+
+ That resulted in a considerable amount of work to properly
+ propagate "file too large" conditions back to the sendmail
+ mail posting user interface. Took the opportunity to express
+ other mail submission fatal exits with the <sysexits.h>
+ exit status codes. Files: sendmail/sendmail.c,
+ postdrop/postdrop.c.
+
+20011129
+
+ Maintenance: dict_ldap.c wasn't updated after the revision
+ of the string matching routines. File: util/dict_ldap.c.
+
+20011208
+
+ Maintenance: LDAP module and documentation from LaMont
+ Jones. This version adds verbose logging for LDAP library
+ routines. Files: src/util/dict_ldap.[hc], LDAP_README,
+ conf/sample-ldap.cf
+
+ Portability: made memory alignment restrictions configurable.
+ File: util/mymalloc.c.
+
+ Bugfix? Avoid surprises with source routed destinations
+ and OK entries in SMTPD access maps. File: smtpd/smtpd_access.c.
+
+ Security: "postfix check" looks for damage by well-intended
+ but misguided use of "chown -R postfix /var/spool/postfix".
+ That would make chrooted Postfix less secure than non-chrooted
+ Postfix. These extra tests may cause complaints with
+ third-party patches such as TLS that introduce their own
+ files into the jail.
+
+ Feature: static map type that always returns the map name
+ as lookup value, regardless of lookup key value. Contributed
+ Jeff Miller (jeffm at ghostgun.com)
+
+ Feature: turn off the PIX <CR><LF>.<CR><LF> workaround for
+ the first mail delivery attempt, i.e. when mail is queued
+ for less than $smtp_pix_workaround_threshold_time (default:
+ 500) seconds. New parameter $smtp_pix_workaround_delay_time
+ to control the delay before sending .<CR><LF> (default: 10
+ seconds) when doing the PIX <CR><LF>.<CR><LF> workaround.
+
+20011210
+
+ Bugfix: the 20011128 change in sendmail and postdrop did
+ not handle the case of message_size_limit=0. Fix by Will
+ Day, Georgia Tech.
+
+20011212
+
+ Compatibility: The SMTP server now accepts <CR><CR><LF> as
+ if the client sent <CR><LF>. Reportedly, some badly written
+ windows software produces such garbage, and some badly
+ written windows anti-VIRUS software cannot handle such
+ garbage. File: global/smtp_stream.c.
+
+20011214
+
+ Bugfix: postmap/postalias queries ignored the -f flag.
+ Reported by Hamish Marson.
+
+20011217
+
+ Compatibility: Sendmail now has a -L option to set the
+ syslogging label. Postfix sendmail uses syslog_name instead,
+ and ignores the -L option.
+
+ Security: subtle hardening of the Postfix chroot jail,
+ Postfix queue file permissions and access methods, in case
+ someone compromises the postfix account. Michael Tokarev,
+ who received the insights from Solar Designer, who tested
+ Postfix with a kernel module that is paranoid about open()
+ calls. Files: master/master_wakeup.c, util/fifo_trigger.c,
+ postfix-script.
+
+ Convenience: issue a warning instead of aborting when the
+ local machine name is not in fully-qualified domain form.
+ This would otherwise break initial postfix installation
+ which needs the postconf command. File: global/mail_params.c.
+
+20011220
+
+ Added more garbage detection to postconf -e input processing.
+
+20011221
+
+ Feature: SMTPD access map lookups of null sender addresses.
+ If your access maps cannot store or look up null string
+ key values, specify "smtpd_null_access_lookup_key = <>"
+ and the null sender address will be looked up as <> instead.
+ File: smtpd/smtpd_access.c.
+
+20011223
+
+ Safety: configuration file comments no longer span multiple
+ lines when the next line begins with whitespace; multi-line
+ input is no longer terminated by a comment line, by an all
+ white space line, or by an empty line. Michael Tokarev made
+ the crucial suggestion to simplify the readline routine.
+ Files: util/readlline.c, postconf/postconf.c.
+
+ Cleanup: proper detection of big number overflow in EHLO
+ and MAIL FROM size announcements, with input from Victor
+ Duchovni, Morgan Stanley. Files: global/off_cvt.c,
+ smtpd/smtpd.c, smtp/smtp_proto.c, util/alldig.c.
+
+ Forward compatibility: added queue file record types for
+ original recipient and for generic named attributes.
+
+ Cleanup: safe_open() now returns sensible errno values so
+ that the fifo_trigger() external interface is restored.
+
+20011225
+
+ Upgrade: PCRE_README now describes PCRE version 3.x.
+
+ Cleanup: flush SMTPD command history upon receipt of EHLO,
+ RSET, and upon DATA completion, only if it exceeds
+ $smtpd_history_flush_threshold lines (default: 100).
+ Distant derivative of code by Michael Tokarev. File:
+ smtpd/smtpd.c.
+
+20011228
+
+ Bugfix: a readlline() error message showed less text than
+ intended. Christian von Roques.
+
+ Cleanup: postfix now installs with group-writable maildrop
+ directory and with a set-gid postdrop mail submission
+ command. The pickup service is now unprivileged. The
+ world-writable maildrop directory no longer exists.
+
+ The cleanup service is now public, in preparation for local
+ sendmail/postdrop mail submission that avoids the maildrop
+ queue directory while Postfix is up.
+
+ Cleanup: moved the main.cf/master.cf file editing from the
+ postfix-script file to the INSTALL.sh file.
+
+ Cleanup: INSTALL.sh no longer accepts "no" as the destination
+ of Postfix manual pages.
+
+20011230
+
+ Cleanup: the code for "mailq", "sendmail -q", and for
+ "sendmail -qRsite" was moved from the sendmail command to
+ a new set-gid postqueue command. The pickup and qmgr FIFOs
+ are no longer world writable. Files: sendmail/sendmail.c,
+ postqueue/postqueue.c.
+
+20020101
+
+ Security: new alternate_config_directories parameter that
+ specifies what directories a set-gid command will accept
+ as its configuration directory. The list must be specified
+ in the default main.cf file. File: global/mail_conf.c.
+
+ Cleanup: "sendmail -qRsite" is no longer implemented by
+ connecting to the SMTP port. It is now implemented by
+ talking to the fast flush service. File: postqueue/postqueue.c.
+
+20020203
+
+ Cleanup: INSTALL.sh now records all installation information
+ in the main.cf file. The now obsolete install.cf file is
+ used only when upgrading from an older Postfix release.
+
+ Cleanup: INSTALL.sh now takes name=value settings on the
+ command line, and has a new "-upgrade" command line option
+ to turn on non-interactive installation.
+
+ Security: additional run-time checks to discourage sharing
+ of Postfix user/group ID values with other accounts.
+
+20020105
+
+ Cleanup: SMTPD access maps now return DUNNO (undetermined)
+ instead of OK when a recipient address contains multiple
+ domains (user@dom1@dom2, etcetera). Victor Duchovni, Morgan
+ Stanley. File: smtpd/smtpd_check.c.
+
+20020106
+
+ Bugfix: SMTPD access maps did not handle address extensions.
+ File: smtpd/smtpd_check.c.
+
+20020107
+
+ Bugfix: postfix-script, when creating a missing maildrop
+ queue directory, still referenced install.cf when setting
+ maildrop directory group ownership; and the postfix command
+ did not export the setgid_group parameter to the postfix-script
+ shell script. Victor Duchovni.
+
+ Bugfix: postfix-script, when creating a missing public
+ queue directory, did not set group ownership of the public
+ directory.
+
+20020109
+
+ Cleanup: rewrote the Postfix installation procedure again.
+ It is now separated into 1) a primary installation script
+ (postfix-install) that installs files locally or that builds
+ a package for distribution and that stores file owner and
+ permission information in /etc/postfix/post-files, and 2)
+ a post-installation script (/etc/postfix/post-install) that
+ creates missing directories, that sets file/directory
+ ownership and permissions, and that upgrades existing
+ configuration files if necessary.
+
+20020110
+
+ Workaround: AIX null read() return on an empty but open
+ non-blocking pipe. File: master/master_flow.c. Report:
+ Hamish Marson.
+
+20020111
+
+ Feedback: feedback, bugfixes, and brain-dead shell workarounds
+ for the install scripts by Victor Duchovni and Simon Mudd.
+
+20020113
+
+ Rewrote postfix-install. The postfix-files file now controls
+ what is installed. Refined the semantics of many post-install
+ operations. post-install now auto-saves settings that
+ override main.cf.
+
+20020114
+
+ Bugfix: alternate_config_directories did not take comma or
+ whitespace as separators. File: global/mail_conf.c. Victor
+ Duchovni, Morgan Stanley.
+
+ Bugfix: the rewritten postfix-install script did not chattr
+ +S the Postfix queue.
+
+20020115
+
+ Cleanup: added sample_directory and readme_directory
+ installation parameters for sample configuration files and
+ for README files. Files: postconf.c, postfix-install,
+ conf/postfix-files, conf/post-install.
+
+ Robustness: the postfix command now exports all installation
+ parameter settings, and input filters the environment, so
+ that the startup shell scripts produce a consistent result.
+ Files: postconf.c.
+
+20020117
+
+ Portability: patch from LaMont Jones for compiling dict_ldap.c
+ with the Netscape SDK.
+
+ Feature: added "r" (recursive chown/chgrp) flag to the
+ postfix-files database, for more convenient change of
+ Postfix queue ownership. Files: conf/postfix-files,
+ conf/post-install.
+
+20020122
+
+ Documentation: lots of little fixes.
+
+ Documentation: updates for the VIRTUAL_README file by Victor
+ Duchovni, Morgan Stanley.
+
+ Bugfix: postqueue -s dereferenced a null pointer when given
+ a numerical domain argument. LaMont Jones, HP.
+
+ Cleanup: smtpd now logs a warning when permit_sasl_authenticated
+ is used while SASL authentication is disabled, instead of
+ simply ignoring the restriction. LaMont Jones, HP. File:
+ smtpd/smtpd.c.
+
+ Safety: when postmap creates a non-existent file, the new
+ file inherits group/other read permissions from the source
+ file. Based on code by LaMont Jones, HP. File:
+ postmap/postmap.c.
+
+20020123
+
+ Portability: some Linux systems install libnsl.so without
+ libnsl.a file, causing an yp_match undefined reference
+ problem. File: makedefs.
+
+20020124
+
+ Portability: post-install now requests that command_directory
+ is given on the command line when the postconf command is
+ in an unusual place.
+
+ Safety: extra code to detect and report Berkeley DB version
+ mismatches between compile time and run time. This test
+ is limited to mismatches in the major version number only.
+ File: util/dict_db.c. Based on code by Lawrence Greenfield,
+ Carnegie-Mellon university.
+
+ Safety: the postfix command and the master daemon abort if
+ they are running set-uid.
+
+ Documentation: the postmap manual page described an out of
+ date input file format.
+
+20020129
+
+ Workaround: SCO version 3.2 can't ioctl(FIONREAD) a pipe.
+ Therefore, input mail flow control is disabled by default.
+ Files: makedefs, global/mail_params.h, conf/main.cf.
+ Problem reported by Kurt Andersen, Agilent.
+
+20020201
+
+ Workaround: changed the default smtpd_null_access_lookup_key
+ setting to <>, because some Bezerkeloid DB implementations
+ can't handle null-length lookup keys. File: global/mail_params.h.
+
+ Bugfix: backed out a null-length address panic call by
+ ignoring the problem, like Postfix did in the past. File:
+ global/resolve_local.c.
+
+ Safety: "postfix check" will now warn if /usr/lib/sendmail
+ and /usr/sbin/sendmail differ, and will propose to replace
+ one by a symlink to the other. File: conf/postfix-script.
+
+20020204
+
+ Sanity: additional permission checks for "postfix check"
+ that warn for setgid_group group ownership mismatches. by
+ Matthias Andree, uni-dortmund.de. File: conf/postfix-script.
+
+ Bugfix: "postfix check" used a too simplistic way to
+ recognize file ownership (grepping ls output). It now uses
+ the recently discovered "find -prune". Peter Bieringer,
+ Matthias Andree. File: conf/postfix-script.
+
+20020218
+
+ Workaround: log a warning and disconnect when an SMTP client
+ ignores our negative replies and starts sending message
+ content without permission. File: smtpd/smtpd.c.
+
+20020220
+
+ Bugfix: mismatch in the file being locked by dict_dbm and
+ the file being locked by postmap, so that locks did not
+ work correctly. Victor Duchovni, Morgan Stanley.
+
+20020222
+
+ Workaround: Solaris bug 4380626: strcasecmp() and strncasecmp()
+ produce incorrect results with 8-bit characters. For example,
+ non-ASCII characters could compare equal to ASCII characters,
+ and that could result in any number of security problems.
+ Files: util/strcasecmp.c, COPYRIGHT (the BSD license).
+
+ Bugfix: off-by-one error, causing a null byte to be written
+ outside dynamically allocated memory in the queue manager
+ with addresses of exactly 100 bytes long, resulting in
+ SIGSEGV on systems with an "exact fit" malloc routine.
+ Experienced by Ralf Hildebrandt; diagnosed by Victor
+ Duchovni. Files: *qmgr/qmgr_message.c. This is not a
+ security problem.
+
+ Bugfix: make all recipient comparisons transitive, because
+ Solaris qsort() causes SIGSEGV errors otherwise. Victor
+ Duchovni, Morgan Stanley. File: *qmgr/qmgr_message.c.
+
+20020302
+
+ Bugfix: don't strip source route (@domain...:) when the
+ result would be an empty address. This avoids problems when
+ append_at_myorigin is set to "no" (which is not supported).
+ Problem reported by Charles McColgan, Big Fish Communications.
+ File: trivial-rewrite/rewrite.c.
+
+20020304
+
+ Cleanup: postqueue should not not complain when output
+ fails with "broken pipe".
+
+20020308
+
+ Bugfix? reply with 550 not 552 when content is rejected.
+ 552 is reserved for "too much mail".
+
+ Documentation: add note to sendmail manual page that running
+ "sendmail -bs" as $mail_owner enables SMTP server UCE and
+ access control checks. This is meant for use from inetd
+ etc. Matthias Andree.
+
+20020311
+
+ Bugfix: DBM maps should use different files for locking
+ and for change detection. Problem reported by Victor
+ Duchovni, Morgan Stanley. Files: util/dict.h util/dict.c
+ util/dict_db.c util/dict_dbm.c global/mkmap.c local/alias.c.
+
+20020313
+
+ Bugfix: mailq could show addresses with unusual characters
+ twice. Problem reported by Victor Duchovni, Morgan Stanley.
+ File: showq/showq.c.
+
+ Bugfix: null recipients weren't properly recorded in
+ bounce/defer logfiles. Such recipient addresses are not
+ accepted in SMTP mail, but they could appear within locally
+ submitted mail. File: bounce/bounce_append_service.c.
+
+20020318
+
+ Workaround: Berkeley DB can't handle null key lookups,
+ which happen with HELO names ending in ".". Victor Duchovni,
+ Morgan Stanley. File: smtpd/smtpd_check.c.
+
+ Logging: log a hint when mail is deferred because the
+ soft_bounce parameter is set. People sometimes forget to
+ turn it off. File: global/bounce.c.
+
+20020319
+
+ Cleanup: add a msg_warn() call when fork() fails in
+ pipe_command(), to make problems easier to investigate.
+ Chris Wedgwood. File: global/pipe_command.c.
+
+20020320
+
+ Feature: smtp_helo_name parameter to specify the hostname
+ or [ip.address] in HELO or EHLO commands. Files: smtp/smtp.c
+ smtp/smtp_proto.c.
+
+20020324
+
+ Cleanup: more graceful handling of long physical message
+ header lines upon input. Physical header lines can now
+ extend up to $header_size_limit characters. When a logical
+ message header is too long, the excess text is discarded
+ and Postfix no longer switches to body mode, to avoid
+ breaking MIME encapsulation. Based on code by Victor
+ Duchovni, Morgan Stanley. Files: cleanup/cleanup_out.c,
+ cleanup/cleanup_message.c.
+
+ Cleanup: more graceful handling of long physical message
+ header or body lines upon output by the SMTP client. The
+ SMTP client output line length is controlled by a new
+ parameter smtp_line_length_limit (default: 990; specify 0
+ to disable the limit). Long lines are folded by inserting
+ <CR> <LF> <SPACE>, to avoid breaking MIME encapsulation.
+ Based on code by Victor Duchovni, Morgan Stanley. File:
+ smtp/smtp_proto.c.
+
+20020325
+
+ Cleanup: allow additional text after a WARN command in a
+ header/body_checks pattern file, so that one can change
+ REJECT+text into WARN+text and vice versa. Based on code
+ by Fredrik Thulin, Stockholm University.
+
+ Cleanup: log a warning when an unknown command is found in
+ a header/body_checks pattern file, or when additional text
+ is found after a command that does not expect additional
+ text. Based on code by Fredrik Thulin, Stockholm University.
+
+ Bugfix: sendmail should not recognize "." as the end of
+ input when the current read operation started in the middle
+ of a line. Victor Duchovni, Morgan Stanley. File:
+ sendmail/sendmail.c.
+
+20020328
+
+ Portability fix for OPENSTEP and NEXTSTEP by Gerben Wierda.
+ File: util/sys_defs.h.
+
+20020329
+
+ Bugfix: defer_transports broke because the flush server
+ triggered mail delivery (as if ETRN was sent) while doing
+ some internal housekeeping of per-destination logfiles.
+ Problem experienced by LaMont Jones, HP. File: flush/flush.c.
+
+ Bugfix: virtual mapping broke for addresses with embedded
+ whitespace. Fix by Victor Duchovni, Morgan Stanley. File:
+ cleanup/cleanup_map1n.c.
+
+ Feature: configurable service name for the internal services:
+ bounce, cleanup, defer, error, flush, pickup, queue, rewrite,
+ showq. This allows you to specify, for example, a non-default
+ cleanup service (smtpd -o cleanup_service_name=alt_cleanup).
+ Files: global/mail_params.[hc].
+
+ Feature: SASL version 2 support by Jason Hoos. Files:
+ */*_sasl_glue.c, SASL_README, conf/sample-auth.cf.
+
+20020330
+
+ Bugfix: postqueue did not pass on non-default configuration
+ directory settings when running showq while the mail system
+ is down. The super-user is now exempted from environment
+ stripping in postqueue/postqueue.c. Problem reported by
+ Victor Duchovni, Morgan Stanley.
+
+20020402
+
+ Workaround: recognize more headers that are sent instead
+ of SMTP commands. File: smtpd/smtpd.c.
+
+20020413
+
+ Feature: new pipe delivery agent "D" flag to prepend a
+ Delivered-To: message header. This requires single recipient
+ deliveries. Based on code by Matthias Andree. File:
+ pipe/pipe.c.
+
+20020414
+
+ Portability: Postfix will no longer attempt to build with
+ gdbm support, because gdbm is broken. File: makedefs.
+
+20020415
+
+ Cleanup: the attribute list IPC code did not distinguish
+ between "disconnect" and "timeout" while reading an attribute
+ list, making trouble shooting more difficult than necessary.
+ Files: util/attr_scan0.c, util/attr_scan64.c.
+
+ Cleanup: install parameter defaults can now be overruled
+ from makedefs: sendmail_path, mailq_path, newaliases_path,
+ command_directory, daemon_directory. Based on code by Victor
+ Duchovni, Morgan Stanley. File: util/sys_defs.h.
+
+20020411
+
+ Cleanup: Use more robust quoting passing makedefs/Makefile
+ settings. This also simplifies the seven backslashes example
+ in the INSTALL file. Victor Duchovni, Morgan Stanley.
+ Files: makedefs, INSTALL.
+
+20020417
+
+ Bugfix: the post-install script failed to upgrade master.cf
+ settings from private to public if the service was explicitly
+ configured as private.
+
+20020418
+
+ Documentation: added CPU saving patterns for quickly skipping
+ base 64 encoded text in message bodies. Liviu Daia. Files:
+ {proto,conf}/pcre_table, {proto,conf}/regexp_table,
+ conf/sample_{regexp,pcre}_body.cf.
+
+20020426
+
+ Bugfix: the SMTP client forgot to quote whitespace etc.
+ in a sender/recipient address when DNS lookup was turned
+ off (disable_dns_lookups = yes). Problem experienced by
+ Chip Paswater. Files: smtp/smtp_proto.c.
+
+20020501
+
+ Feature: wildcard lookup in transport maps (lookup key
+ "*"). Code developed with Lamont Jones, HP.
+
+ Feature: a null transport:destination transport map entry
+ means proceed as if the transport map lookup failed. Code
+ developed with Lamont Jones, HP.
+
+ Feature: more efficient use of cache memory when a process
+ opens multiple Berkeley DB tables; and faster performance
+ creating large tables by using more buffer memory. Files:
+ util/dict_db.[hc], global/mkmap_db.c. Victor Duchovni,
+ Morgan Stanley.
+
+20020503
+
+ Cleanup: postqueue silently ignored command-line arguments
+ following -p or -f options, instead of complaining; postqueue
+ produced an incorrect error message (mail system down) when
+ the command was installed with incorrect privileges. File:
+ postqueue/postqueue.c.
+
+ Bugfix: while reporting a domain name or IP address syntax
+ error, postqueue could dereference a dangling pointer with
+ some getopt() implementations. LaMont Jones, HP. File:
+ postqueue/postqueue.c.
+
+ Safety: postalias and postmap now drop root privileges
+ while processing a non-root input file. Thus, the result
+ should be writable to the source file owner. Specify the
+ -o option if this is a problem. Files: postmap/postmap.c,
+ postalias/postalias.c.
+
+ Consistency: just like postmap, postalias now copies file
+ permissions from the source file when it creates a new
+ table for the first time. File: postalias/postalias.c.
+
+20020504
+
+ Portability: run-time test to avoid GDBM trouble. File:
+ util/dict_dbm.c.
+
+20020505
+
+ Cleanup: revised and simplified the transport map semantics.
+ Null transport or nexhop fields now mean: "do not change":
+ use what would be used if the transport map did not exist.
+ This change eliminated a lot of code. The incompatibility
+ is that a null transport field no longer defaults to
+ $default_transport, but to $local_transport or $default_transport
+ depending on the destination, and that a transport map only
+ overrides relayhost when the table specifies explicit
+ nexthop information. Files: trivial-rewrite/transport.c,
+ trivial-rewrite/resolve.c.
+
+ Cleanup: revised the user interface for controlling the
+ Berkeley DB create and read buffer size controls. Files:
+ util/dict_db.[hc], global/mail_params.[hc], global/mkmap_db.c.
+
+20020507
+
+ Cleanup: simplified the hash/btree cache management code.
+ The caches are now per table instead of shared, and the
+ default read cache size is reduced to 128 kBytes. File:
+ util/dict_db.c.
+
+20020508
+
+ Bugfix: close user@domain@postfix-style.virtual.domain
+ source routing relaying loophole involving postfix-style
+ virtual domains with @virtual.domain catch-all patterns.
+ Problem reported by Victor Duchovni. File: smtpd/smtpd_check.c.
+
+ Bugfix: mail_addr_map() used the "wrong" @ character in
+ addresses with multiple @. Victor Duchovni. File:
+ global/mail_addr_map.c.
+
+ Bugfix: for address localpart quoting, now quote @ as a
+ special character everywhere, except when resolving addresses.
+ Previously, the @ was nowhere quoted as a special character,
+ not even in SMTP commands. Files: global/quote_82[12]_local.c
+ and clients.
+
+20020509
+
+ Safety: don't allow an OK access rule lookup result for
+ user@domain@postfix-style.virtual.domain. Suggested by
+ Victor Duchovni, Morgan Stanley. File: smtpd/smtpd_check.c.
+
+ Bugfix: quote unquoted address localparts that need quoting.
+ Files: global/tok822_parse.c, global/quote_82[12]_local.c.
+
+ Documentation: simplified the advanced content filtering
+ example, and included a more advanced example for those
+ who want to squeeze out more performance without running
+ multiple Postfix instances. Text by Victor Duchovni, Morgan
+ Stanley. File: README_FILES/FILTER_README.
+
+20020510
+
+ Feature: header/body filters now log the origin of the
+ message that is being rejected. Files: smtpd/smtpd.c,
+ qmqpd/qmqpd.c, pickup/pickup.c, cleanup/cleanup_envelope.c,
+ cleanup/cleanup_message.c. Requested by Craig Sanders, if
+ I remember correctly.
+
+ Feature: the Postfix SMTP client now passes on MIME body
+ type information (8bit, 7bit) received via SMTP, via MIME
+ headers, or via the sendmail command line. Files:
+ global/deliver_request.c, smtpd/smtpd.c, sendmail/sendmail.c,
+ cleanup/cleanup_envelope.c, cleanup/cleanup_message.c,
+ cleanup/cleanup_extracted.c, *qmgr/qmgr_message.c,
+ *qmgr/qmgr_deliver.c, smtp/smtp_proto.c, lmtp/lmtp_proto.c.
+
+20020511
+
+ Feature: bounces now specify the proper MIME encoding (8bit,
+ 7bit), depending on the MIME body type information received
+ via SMTP, via MIME headers, or via the sendmail command
+ line. Files: global/bounce.c, global/defer.c, global/abounce.c,
+ bounce/bounce_service.c, bounce/bounce_notify_util.c.
+
+20020512
+
+ Cleanup: the SMTP client logged and bounced the CNAME
+ expanded recipient address, and thereby complicated trouble
+ shooting. File: smtp/smtp_proto.c.
+
+ Bugfix: the SMTP and LMTP clients bounced the quoted
+ recipient address, resulting in too much quoting in bounce
+ reports. Files: smtp/smtp_proto.c, lmtp/lmtp_proto.c.
+
+20020513
+
+ Bugfix: the LDAP client used the "wrong" @ character in
+ addresses with multiple @. LaMont Jones, HP. File:
+ util/dict_ldap.c.
+
+ Feature: lots of new LDAP stuff: result_filter (filter to
+ expand results from queries), chase_referrals, LaMont Jones,
+ HP. The LDAP bind timeout now works thanks to Victor
+ Duchovni, Morgan Stanley. File: util/dict_ldap.c.
+
+ Cleanup: specify "resolve_dequoted_address = no" to prevent
+ Postfix from looking inside quotes for extra @ etc. characters
+ when resolving an address. This behavior is technically
+ more correct, but it opens a mail relay loophole with "user
+ @domain"@domain when relaying mail to a Sendmail system.
+
+20020514
+
+ Bugfix: the new code for header address quoting sometimes
+ did not null terminate strings so that arbitrary garbage
+ could appear at the end of message headers. Reported by
+ Ralf Hildebrandt. File: global/tok822_parse.c.
+
+ Safety: user@domain@domain is no longer accepted by the
+ permit_mx_backup uce restriction (unless Postfix is configured
+ with "resolve_dequoted_address = no"). Victor Duchovni,
+ Morgan Stanley. File: smtpd/smtpd_check.c.
+
+20020515
+
+ Workaround: flush the SMTP client output buffer when no
+ output has happened for 10+ seconds. This prevents the
+ socket from timing out, in case DNS CNAME expansion is
+ slow. Problem experienced by Alex Erdelyi, peregrine.com.
+ File: smtp/smtp_chat.c. We did the same thing for the SMTP
+ server years ago, and one wonders why the coin didn't drop
+ at the time that the SMTP client could suffer from a similar
+ problem.
+
+20020516
+
+ Updated the FILTER_README file to turn off DNS lookups in
+ the SMTP client that feeds mail into a content filter.
+
+20020517
+
+ Cleanup: Mailbox-Line: message header labels should be
+ X-Mailbox-Line: labels. Files: smtpd/smtpd.c, qmqpd/qmqpd.c.
+
+20020515-21
+
+ Feature: new MIME parser, written from scratch, that
+ recognizes the structure of MIME encapsulated mail. Influenced
+ by comments from Victor Duchovni. This code can detect but
+ will not decode obscure MIME formats or obscure character
+ string encoding that Liviu Daia expresses concern about.
+
+ MIME header scanning now happens in header_checks, and is
+ faster than body_checks could ever be. This also eliminates
+ the problem with multi-line MIME headers being matched one
+ line at a time. Files: global/mime_state.[hc],
+ cleanup/cleanup_message.c.
+
+20020521-22
+
+ Feature: 8-bit to quoted-printable conversion. First use
+ in the Postfix SMTP client. File: smtp/smtp_proto.c.
+
+ Logging: the Postfix SMTP and LMTP clients now report the
+ the protocol stage when they report a server reply. File:
+ smtp/smtp_proto.c, lmtp/lmtp_proto.c.
+
+ Bugfix: the SMTP server warned about ignored client attributes
+ (these were introduced 20020510) in mail that was submitted
+ with "sendmail -bs". File: smtpd/smtpd.c.
+
+20020525
+
+ Feature: separation of header checks into header_checks
+ (all primary headers except MIME related headers),
+ mime_header_checks (all MIME headers including MIME headers
+ at the start of messages) and nested_header_checks (headers
+ of attached messages, except MIME related headers).
+
+ Cleanup: broke out the header value parser from the MIME
+ processor so that the code can be reused elsewhere. File:
+ global/header_token.c.
+
+ Compatibility: Postfix now recognizes "name :" as a valid
+ message header, but normalizes it to "name:" form or else
+ lots of things would break all over the place. Files:
+ global/is_header.c, global/mime_state.c.
+
+20020526
+
+ Bugfix: the SMTP server now disallows RCPT TO:<"">, just
+ like it disallows RCPT TO:<>. File: smtpd/smtpd.c.
+
+ Feature: disable_mime_input_processing=yes/no controls
+ whether Postfix recognizes (and optionally enforces) MIME
+ formats while receiving mail. Default is NO.
+
+ Feature: disable_mime_output_conversion=yes/no controls
+ whether Postfix will convert 8BITMIME to 7BIT mail when
+ delivering mail to an SMTP server that does not announce
+ 8BITMIME support. Default is NO.
+
+ Feature: strict_8bitmime=yes/no controls whether Postfix
+ rejects 8-bit characters in headers and 7-bit body parts.
+ This blocks mail from poorly written software, including
+ majordomo approval requests that contain a valid 8BITMIME
+ email message, as well as mail that is piped into ancient
+ /bin/mail implementations that do not MIME format 8-bit
+ content. Default is NO.
+
+ Feature: strict_mime_encoding_domain=yes/no controls whether
+ Postfix rejects illegal content transfer encodings for
+ multipart/* and message/*. This blocks mail from poorly
+ written software. Default is NO.
+
+20020527
+
+ Feature: "FILTER transport:nexthop" in header/body checks.
+ After the message is queued, the message is sent through
+ a content filter. This requires different cleanup servers
+ before and after the filter, with header/body checks turned
+ off in the second cleanup server.
+
+20020528
+
+ Feature: strict_7bit_headers and strict_8bitmime_body are
+ now separately available. To to turn on both, use
+ strict_8bitmime.
+
+ Cleanup: abandon the use of isspace(3) in the parsing of
+ RFC822 message headers. Files: global/lex_822.h and lots
+ of little places.
+
+ Documentation: replace domain.name by domain.tld in the
+ example config files. The domain exists. They were getting
+ mail from poorly configured Postfix boxes.
+
+ Bugfix: The Postfix sendmail command did not export the
+ MAIL_CONFIG environment setting to the postdrop command.
+ File: global/mail_config.h.
+
+ Incompatibility: by default, turn on the PCRE_DOTALL flag,
+ so that PCRE patterns will match multi-line message headers
+ without causing pain. Suggested by Michael Tokarev. Also
+ documented all those darned undocumented PCRE flags in the
+ pcre_table(5) manual page. Files: util/dict_pcre.c,
+ proto/pcre_table.
+
+20020529
+
+ Bugfix: mail rejected due to MIME errors was rejected
+ without proper logging. Files: global/mime_state.c,
+ cleanup/cleanup_message.c.
+
+20020531
+
+ Bugfix: the SMTP client code that prepends '.' to lines
+ starting with '.' had to be moved from its old place to
+ after the MIME output conversion. Problem found by Mark
+ Martinec. File: smtp/smtp_proto.c.
+
+20020601
+
+ Bugfix: the deliver_pass() routine needed updating for the
+ extra MIME encoding attribute that was introduced 20020510.
+ Patch by Sebastian Schaffert @ wastl.net. File:
+ global/deliver_pass.c.
+
+20020604
+
+ Workaround: Solaris non-blocking read() can fail on a socket
+ with unread data according to ioctl FIONREAD. Incredible.
+ Diagnosis by Max Pashkov. File: smtp/smtp-sink.c.
+
+ Weird feature: sender-based routing. This will become more
+ useful once per-address transport map entries are done.
+ File: src/*qmgr/qmgr_message.c.
+
+20020605
+
+ Safety: header_address_token_limit limits the amount of
+ memory and CPU that we're willing to spend while parsing
+ addresses in message headers. The limit is expressed as a
+ number of tokens. File: global/tok822_parse.c
+
+20020608
+
+ Feature: user@domain transport map lookup, based on code
+ by Scott Cotton, from several years ago. Adding this code
+ now was much less painful than it was in the past. Files:
+ global/strip_addr.c, trivial-rewrite/transport.c.
+
+20020610
+
+ Cleanup: making user@domain transport map lookups work with
+ sender-based routing was a bit tricky, because the null
+ address must be handled sensibly. Files: global/resolve_clnt.c,
+ trivial-rewrite/resolve.c. It ain't perfect yet, but close.
+
+20020613
+
+ Bugfix: postsuper -r was broken as of 20020510. The cleanup
+ daemon would discard mail with MIME type information. Moved
+ a bunch of sanity checks from the cleanup daemon to the
+ pickup daemon, so the checks are in one place. Problem
+ experienced by Pavol Luptak. Files: pickup/pickup.c,
+ cleanup/cleanup_extracted.c.
+
+20020705
+
+ Safety: log a warning when a domain is listed in mydestination
+ and (virtual_maps or virtual_mailbox_maps). This configuration
+ error causes the Postfix SMTP server to reject recipients
+ when the local_recipient_maps feature is enabled. File:
+ smtpd/smtpd_check.c.
+
+200207011
+
+ Portability: in the master daemon, the default now is to
+ enable the signal handler code that writes a byte into a
+ pipe, instead of the signal handler code that sets a global
+ flag and hopes that select() will somehow wake up. File:
+ master/master_sig.c. This is needed for some IRIX and
+ UnixWare versions, but it should also produce a robust
+ result on all other supported systems.
+
+ Performance: the default SMTP connection establishment
+ timeout is now 30 seconds, instead of the system default
+ which can be atrociously large.
+
+20020712
+
+ When DNS lookup fails while delivering mail, report not
+ only the domain name but also the DNS record type. This
+ should clue in people who ask why Postfix can't find a
+ domain while nslookup can. File: dns/dns_lookup.c.
+
+20020713
+
+ Bugfix: undo change made at 20020610 that causes the trivial
+ resolver client to loop when an address consists entirely
+ of @ and . characters. File: trivial-rewrite/resolve.c.
+
+ Cleanup: Postfix no longer strips multiple '.' at the end
+ of a domain name. One '.' is silently tolerated. Files:
+ trivial-rewrite/rewrite.c, trivial-rewrite/resolve.c,
+ global/resolve_local.c. This policy is too distributed.
+
+20020715
+
+ Feature: @domain.tld catch-all map entries for the virtual
+ mail delivery agent. Files: global/virtual8_maps_find.c,
+ virtual/mailbox.c, smtpd/smtpd_check.c.
+
+ Feature: the virtual mail delivery agent now accepts address
+ extensions (user+foo@domain.tld), ignores them when looking
+ up users in its tables, but displays them in Delivered-To:
+ message headers. File: global/virtual8_maps_find.c.
+
+20020716
+
+ Feature: domain names in a masquerade_domains list can now
+ be prefixed with !, in order to disable masquerading for
+ that domain name and for its subdomains. File:
+ cleanup/cleanup_masquerade.c.
+
+20020717
+
+ Bugfix: Mac OS X niscript (Netinfo) update by Gerben Wierda.
+ File: auxiliary/MacOSX/niscript.
+
+ Feature: The SMTP server reject_unknown_whatever restrictions
+ now also attempt to look up AAAA (IPV6 address) records.
+ Jun-ichiro itojun Hagino, IIJ labs. Files: smtpd/smtpd_check.c,
+ dns/dns_lookup.c.
+
+20020718
+
+ Bugfix: unnecessary lookups for extended addresses by the
+ virtual8_maps_find() routine. Victor Duchovni. His patch
+ did not work, nor did my own, but the present version should
+ be OK. File: global/virtual8_maps_find.c.
+
+20020719
+
+ Workaround: log a warning when an SMTP client name->address
+ lookup results in a numeric IP address, and set the client
+ hostname to "unknown". Some gethostbyname() implementations
+ will actually accept such garbage and thereby allow sites
+ to defeat the "reject_unknown_client" restriction. Problem
+ reported by Wolfgang Rupprecht, fix based on analysis (but
+ not code) by Victor Duchovni.
+
+ Bugfix: memory leaks in the LDAP client by Victor Duchovni.
+ File: util/dict_ldap.c.
+
+ Bugfix: garbage in verbose "flush" server logging. Victor
+ Duchovni. File: flush/flush.c.
+
+20020723
+
+ Incompatibility: smtpd_sasl_local_domain now defaults to
+ the null string. File: smtpd/smtpd.c, smtpd/smtpd_sasl_glue.c.
+
+20020726
+
+ Documentation: added GDB debugging instructions for sites
+ that do not have X installed on the Postfix machine. Henrik
+ Larsson, spambox.dk.
+
+20020729
+
+ Weird: installed RedHat 3.03 inside VMware, and no change
+ was needed to build Postfix, except to recognize the Linux
+ version.
+
+ Bugfix: some mailers will announce ESMTP features in their
+ HELO (not EHLO) response. Postfix did not ignore them.
+ File: smtp/smtp_proto.c.
+
+20020731
+
+ Cleanup: permit_naked_ip_address is unsafe (especially when
+ used with smtpd_recipient_restrictions) and will go away.
+ Postfix now logs a warning. File: smtpd/smtpd_check.c.
+
+20020801
+
+ Cleanup: the warning message for matched header/body content
+ was misleading. File: cleanup/cleanup_message.c.
+
+ Safety: moved the "postsuper -r ALL" operation after the
+ "postsuper -s" check that makes queue file names match
+ inode numbers. This avoids loss of mail in the unlikely
+ case that someone runs "postsuper -sr ALL" on a queue that
+ was copied from another place.
+
+ Feature: "postsuper -h" to put mail "on hold" and "postsuper
+ -H" to release mail that was placed "on hold". This involves
+ a new queue, which is appropriately named "hold". Files:
+ postsuper/postsuper.c, showq/showq.c.
+
+20020803
+
+ Feature: when a Delivered-To: mail delivery loop is detected,
+ send the bounce to the mailing list owner. This required
+ changes to the local delivery agent, a new bounce client
+ stub, and a new bounce server stub and support routines
+ for one recipient bouncing. Files: local/recipient.c,
+ global/bounce_log.c, global/bounce.c, bounce/bounce.c,
+ bounce/bounce_notify_util.c, bounce/bounce_one_service.c.
+
+20020809
+
+ Bugfix: the 20020531 bugfix could prepend '.' to lines when
+ it shouldn't (but only when converting 8-bit mail to 7-bit).
+ Problem experienced by Ralf Hildebrandt. File:
+ smtp/smtp_proto.c.
+
+ Bugfix: smtpd_sender_login_maps did not do the @domain etc.
+ wild-card lookups that were promised. Problem experienced
+ by Sven Michels. File: smtpd/smtpd_check.c.
+
+20020810
+
+ Feature: new smtp-sink command-line options to specify the
+ SMTP hostname, to disable ESMTP protocol support, to disable
+ 8BITMIME support, and to syslog selected commands. File:
+ smtpstone/smtp-sink.c.
+
+20020814
+
+ Feature: the queue manager now warns when mail for some
+ destination is piling up in the active queue, and suggests
+ a variety of remedies. The qmgr_clog_warn_time parameter
+ controls the time between warnings, mainly so that I could
+ test the code. To disable these warnings, specify
+ "qmgr_clog_warn_time = 0". Files: *qmgr/qmgr_entry.c.
+
+20020815
+
+ Paranoia: truncate the DNS response length result value in
+ case it is larger than the result buffer length (the resolver
+ documentation is vague about this). File: dns/dns_lookup.c.
+
+20020816
+
+ Cleanup: "postqueue -f" now also triggers delivery of mail
+ in the maildrop directory. This is needed when the master
+ does not frequently wake up the pickup service. Files:
+ global/mail_flush.c, postqueue/postqueue.c.
+
+20020818
+
+ Cleanup: the qmgr_site_hog_factor feature is gone (defer
+ mail if a site uses up too much space in the active queue).
+ Instead, the qmgr_clog_warn_time feature provides better
+ solutions. File: qmgr/qmgr_message.c.
+
+20020819
+
+ Feature: new header/body_checks HOLD pattern that causes
+ mail to be placed on the "hold" queue for manual inspection.
+ Files: global/hold_message.[hc], cleanup/cleanup_message.c.
+
+20020820
+
+ Bugfix: yesterday's HOLD pattern code did not update the
+ cleanup server's idea of the queue file name for error
+ recovery and for error reporting purposes, so that incomplete
+ or content rejected mail would not be deleted from the
+ queue, and so that the bouncer would not find the queue
+ file.
+
+ Bugfix: the #ifdef that detects too old LDAP libraries was
+ in the wrong place. Victor Duchovni. File: util/dict_ldap.c.
+
+ Feature: new header/body_checks DISCARD pattern that causes
+ mail to be silently discarded. Files: global/cleanup_user.h,
+ cleanup/cleanup_message.c, cleanup/cleanup_api.c.
+
+ Bugfix: the local delivery agent's mailbox duplicate delivery
+ eliminator was not updated in the days that address extensions
+ were added to Postfix. The other local duplicate eliminators
+ probably need revision as well. File: local/mailbox.c.
+
+20020821
+
+ Feature: HOLD and DISCARD actions in SMTPD access tables.
+ These requests are propagated to the cleanup daemon. Files:
+ cleanup/cleanup_envelope.c smtpd/smtpd_check.c.
+
+ Cleanup: eliminate unnecessary references to the obsolete
+ program_directory configuration parameter (but keep the
+ parameter so as to not break existing installations).
+ Matthias Andree, many little changes in documentation.
+
+20020822
+
+ Bit Rot: OpenLDAP incompatible change with URL parsing.
+ Patches by Will Day, Georgia Tech, and Carsten Hoeger,
+ SUSE. File: util/dict_ldap.c.
+
+20020823
+
+ Bugfix: added a missing memset() call to wipe the lookup
+ key in dict_db_delete(). This is needed by some Berkeley
+ DB implementations. Patch by Katsu Yamamoto, Fujitsu.
+
+ Bugfix: when permit_mx_backup is unable to make a decision
+ due to DNS problems, set the "defer if reject" flag so that
+ other restrictions will not cause mail to be rejected.
+ File: smtpd/smtpd_check.c.
+
+ Feature: instead of giving up immediately after DNS failure,
+ turn on the "defer_if_permit" flag when reject_unknown_hostname,
+ reject_unknown_sender_domain or reject_unknown_recipient_domain
+ are unable to make a decision, and see if any subsequent
+ restrictions would still cause the mail to be rejected.
+ File: smtpd/smtpd_check.c.
+
+ Feature: "FILTER transport:nexthop" is now also available
+ in SMTPD access tables.
+
+20020826
+
+ Workaround: HP-UX 11 accept() fails with ENOBUFS when the
+ client disconnects early. File: sane_accept.c.
+
+20020901
+
+ Cleanup: postfix-install no longer installs all the manual
+ pages under $POSTFIXSOURCE/man, so we can generate manual
+ pages for smtp-sink etc. File: man/Makefile.in.
+
+20020903
+
+ Bugfix: the rmail script should have been updated when
+ Postfix sendmail was changed to recognize `.' as the end
+ of input. Problem fix by Christian Kratzer, cksoft.de.
+ File: auxiliary/rmail/rmail.
+
+ Feature: specify "maximal_queue_lifetime = 0" for mail that
+ should be returned immediately after the first unsuccessful
+ delivery attempt. Files: qmgr/qmgr.c, nqmgr/nqmgr.c.
+
+20020904
+
+ Bugfix: qmail compatibility: qmqpd should support any
+ character at the end of the VERP prefix in prefix@host-@[].
+ Based on a patch by LaMont Jones, HP.
+
+20020905
+
+ Feature: "smtpd_data_restrictions = reject_unauth_pipelining"
+ blocks mail from SMTP clients that send message content
+ before Postfix has replied to the DATA command. File:
+ smtpd/smtpd.c, smtpd/smtpd_check.c.
+
+ Bugfix: the LDAP client dumped core in verbose mode.
+ Reported by Will Day and others. File: util/dict_ldap.c.
+
+20020906
+
+ Cleanup: dict_regexp module speedups by avoiding unnecessary
+ substring overhead while matching strings. Based on a
+ suggestion by Liviu Daia. This involved major rewriting of
+ the regexp map code. File: util/dict_regexp.c.
+
+20020907
+
+ Feature: IF..ENDIF support based on code by Bert Driehuis.
+ This involved a further rewrite of the regexp map code.
+ File: util/dict_regexp.c.
+
+200209010
+
+ Bugfix: the SMTP client produced suprious warnings about
+ trouble with fallback_relay hosts. File: smtp/smtp_connect.c.
+
+ Robustness: don't wait with detecting broken SMTP connections
+ until reading input. Leandro Santi. File: smtpd/smtpd_chat.c.
+
+200209011
+
+ Workaround: IRIX 6 can't do ioctl FIONREAD on pipes. This
+ breaks the in_flow_delay feature. File: util/sys_defs.h.
+
+20020912
+
+ Bugfix: canonical/virtual mapping core dump with a null
+ right-hand side address. Report by Jussi Silvennoinen.
+ File: global/mail-addr_crunch.c.
+
+ Feature: IF..ENDIF support based on code by Bert Driehuis.
+ This involved a rewrite of the pcre map code similar to
+ the regexp map code. File: util/dict_pcre.c.
+
+20020917
+
+ Feature: on Linux, support for PCRE lookup tables is now
+ compiled in if the PCRE library code is found under
+ /usr/include and /usr/lib. File: makedefs.
+
+20020918
+
+ Documentation: postsuper(1) did not document the -c option.
+
+ Bugfix: possible longjump() before setjmp(). File:
+ smtpd/smtpd.c.
+
+ Bugfix: pickup should not preserve INSPECT or FILTER records
+ from "postsuper -r". File: pickup/pickup.c.
+
+20020919
+
+ Feature: "reject_rbl <domain>" for client address blacklisting
+ by LaMont Jones, including $name expansion for per-domain
+ customized response messages. The obsolete reject_maps_rbl
+ is now a wrapper that uses the new code.
+
+20020921
+
+ Internal: added caching and factored out common code that
+ will be used for both reject_rbl and for the upcoming
+ reject_rhsbl restriction.
+
+20020922
+
+ Feature: "reject_rhsbl <domain>" for sender domain
+ blacklisting. Provides the same per-domain customized
+ response message mechanisms with $name expansion as
+ reject_rbl.
+
+ Safety: the smtpd_expansion_filter parameter controls what
+ characters are allowed in the expansion of $name macros in
+ template RBL responses.
+
+ Cleanup. In order to make sensible warnings possible when
+ expanding a non-existent $name in RBL reply templates,
+ mac_expand() had to be changed so that an empty string
+ result (i.e. the name does exist) will no longer cause
+ ${name?text} to succeed. File: util/mac_expand.c.
+
+20020923
+
+ Cleanup. Renamed the RBL features according to a scheme
+ that was suggested by Liviu Daia in October 2001. The names
+ are reject_rbl_client and reject_rhsbl_sender, respectively.
+ Added domain name based reject_rhsbl_client and
+ reject_rhsbl_recipient restrictions for completeness. The
+ reject_rbl restriction name is still recognized for
+ compatibility with systems maintained by LaMont Jones.
+
+20020924
+
+ Bugfix: reject_rhsbl_<mumble> was broken when <mumble> was
+ unavailable, causing the restrictions parser to get out if
+ sync. Spotted by Ralf Hildebrandt. File: smtpd/smtpd_check.c.
+
+20020928
+
+ Bugfix: missing %s in the 20020923 RBL code. This was not
+ exploitable because Postfix implements only a safe subset
+ of all printf format operators and because memory for the
+ result is dynamically allocated. Victor Duchovni. File:
+ smtpd/smtpd_check.c.
+
+20020929
+
+ Updated MacOSX support scripts from Gerben Wierda. Files:
+ auxiliary/MacOSX/*.
+
+20021009
+
+ Bugfix: SIZE errors should be reported at MAIL FROM time,
+ and should not be postponed (with smtpd_delay_reject = yes)
+ until RCPT TO time. Reported by Jeroen Scheerder, Utrecht
+ University. Files: smtpd/smtpd.c smtpd/smtpd_check.c.
+
+20021013
+
+ When Postfix development started, Linux mail delivery
+ software such as procmail did not use kernel locks, and
+ Postfix picked one that seemed plausible, namely, flock().
+ In the mean time, Linux mail delivery software seems to
+ have standardized on fcntl() locks. File: util/sys_defs.h.
+
+ Feature: body_checks_size_limit parameter to specify how
+ much of a message body segment (or attachment, if you prefer
+ to use that term) is subjected to body_checks inspection.
+ Default limit: 50 kbytes. Files: global/mime_state.c,
+ cleanup/cleanup_message.c.
+
+20021015
+
+ Bugfix: the code for missing postmaster/mailer-daemon
+ aliases had to be moved after the code that implements the
+ luser_relay feature. Files: local/alias.c, local/unknown.c.
+
+ Weird? The LMTP client lowercased the MAIL FROM and RCPT
+ TO addresses. Some remnant of code that someone put in
+ there long ago. File: lmtp/lmtp_proto.c.
+
+20021024
+
+ Feature: proxy_interfaces parameter. Specify your NAT or
+ other proxy addresses here to avoid mail delivery loops.
+ Files: global/mail_params.[hc] global/own_inet_addr.[hc]
+ global/resolve_local.c smtp/smtp_addr.c smtpd/smtpd_check.c.
+
+ Paranoia: defend against a very unlikely false alarm in
+ safe_open().
+
+20021025
+
+ Feature: X-Original-To: message headers with the raw original
+ envelope recipient.
+
+ Logging: status=sent/deferred/bounced/ logging now includes
+ the original recipient address if it differs from the final
+ address.
+
+20021026
+
+ Logging: SMTP UCE reject/warn/hold/discard logging now
+ includes queue ID. This will break some logfile analyzers.
+
+ Logging: SMTP UCE reject/warn/hold/discard logging now
+ includes the protocol name and, if available, the hostname
+ given in the SMTP HELO or EHLO command.
+
+ Logging: header/body_checks reject/warn/hold/discard logging
+ now includes the protocol name and, if available, the
+ hostname given in the SMTP HELO or EHLO command.
+
+20021028
+
+ Bugfix: don't reset state after rejected EHLO. Reset state
+ after HELO. Reported by Karthikeyan Bhargavan, upenn.edu.
+ Files: smtpd/smtpd.c.
+
+20021029
+
+ Bugfix: local(8) did not prepend an X-Original-To: message
+ header while delivering to command, and local(8) did not
+ document the X-Original-To: message header.
+
+ Workaround: DJBDNS produces a bogus A record when given a
+ numerical hostname. File: dns/dns_lookup.c.
+
+20021030
+
+ Portability: support for Berkeley DB version 4.0 but not
+ for Berkeley DB version 4.1 (yes, the API is different).
+ Postfix is now going to be paranoid about the minor version
+ number, too. File: util/dict_db.c.
+
+ Documentation: updated LMTP_README file by Amos Gouaux.
+
+20021031
+
+ Bugfix: (bug introduced 20021026) log NOQUEUE when rejecting
+ ETRN, instead of trying to log a non-existent queue ID.
+ Victor Duchovni, Morgan Stanley. File: smtpd/smtpd_check.c.
+
+ Cleanup: allow optional text after commands in SMTPD access
+ maps. Based on initial effort by Victor Duchovni, Morgan
+ Stanley. File: smtpd/smtpd_check.c.
+
+ Portability: support for Berkeley DB version 4.1. This
+ version refuses to open zero-length files. This complicates
+ lock management and requires extra code to remove broken
+ files. Files: util/dict_db.c, global/mkmap*.[hc].
+
+20021101
+
+ Bugfix: don't complain about out-of-order original recipient
+ records for finished recipients. Files: *qmgr/qmgr_message.c,
+ cleanup/cleanup_envelope.c, cleanup/cleanup_extracted.c.
+
+ Cleanup: further simplified the mkmap wrapper (used by
+ postmap and postalias only) to remove some hurdles for
+ Michael Tokarev's CDB support. Files: global/mkmap*.[hc].
+
+20021105
+
+ Postalias now produces YP_LAST_MODIFIED and YP_MASTER_NAME
+ records only when NIS support is compiled in. File:
+ postalias.c.
+
+20021106
+
+ Postalias now puts $myhostname in the YP_MASTER_NAME record,
+ instead of the possibly bogus gethostname() result. File:
+ postalias.c.
+
+ The PCRE map code did not reject non-numeric replacement
+ indices in replacement text, and silently treated $text as
+ $0. Found by Michael Tokarev. File: dict_pcre.c.
+
+20021108
+
+ Cleanup: the behavior of the SMTP server's defer_if_permit
+ flag was changed, in order to maximize the opportunity to
+ permanently reject mail without opening opportunities for
+ losing legitimate mail. This was done in cooperation with
+ Victor Duchovni, Morgan Stanley. File: smtpd/smtpd_check.c.
+
+ The defer_if_permit flag is still set when an UCE reject
+ restriction fails due to a temporary (e.g., DNS) problem,
+ to prevent unwanted mail from slipping through. However,
+ the flag is no longer tested at the end of client, helo or
+ sender restrictions. Instead, the flag is now tested at
+ the end of the ETRN and recipient restrictions only.
+
+ The behavior of the warn_if_reject restriction has changed.
+ It no longer activates any already made defer_if_permit or
+ defer_if_reject decisions (the defer_if_reject flag is set
+ when some UCE permit restriction fails due to a temporary
+ (DNS) problem, to avoid loss of legitimate mail).
+
+ Bugfix: instead of setting the defer_if_permit flag, a
+ failing reject restriction after warn_if_reject now merely
+ logs that it would have caused mail to be deferred.
+
+ A failing permit restriction after warn_if_reject still
+ raises the defer_if_reject flag, to avoid loss of legitimate
+ mail.
+
+20021109
+
+ Bugfix: a misguided change to the .forward macro expansion
+ filter broke .forward file lookup.
+
+ Bugfix: missing defer_if_permit test in smtpd_data_restrictions.
+ Victor Duchovni. File: smtpd/smtpd_check.c.
+
+20021112
+
+ Robustness: increase the mime_nesting_limit from 20 to 100,
+ so that bounces can't loop. Each bounces increases the MIME
+ nesting level by one. Ralf Hildebrandt and Victor Duchovni.
+
+20021113
+
+ Robustness: reinstated SMTP client command flushing to
+ avoid pipeline stalls. File: smtp/smtp_chat.c.
+
+20021114
+
+ Robustness: distinguish between timeout and "lost connection"
+ when the SMTP server is unable to send a reply to the remote
+ client. File: smtpd/smtpd_chat.c.
+
+20021115
+
+ Bugfix: initialization error with "*" transport table
+ lookup, reported by LaMont Jones. The transport map lookup
+ code had grown into a monster and needed to be replaced.
+ trivial-rewrite/transport.c.
+
+20021115
+
+ Start implementing recipient verification. For now this is
+ done by adding trace flags to queue files. In case of a
+ verification request, a delivery agent does not deliver,
+ deliver, it just records what would happen.
+
+ This required instrumenting the bounce/defer/sent logging
+ routines to send their data to the right place depending
+ on the type of delivery request.
+
+20021116
+
+ New trace service. This is used for reporting if a recipient
+ is deliverable (sendmail -bv) and for producing a record
+ of delivery attempts (sendmail -v). The report is sent via
+ email, using the bounce daemon. Files: global/trace.[hc].
+
+ This required replacing the bounce/defer logfile format by
+ an extensible name=value format. Files: global/bounce_log.c,
+ bounce/bounce_append_service.c.
+
+20021117
+
+ New address verification service with simple expiration
+ and refresh policy. Storage can be in-core or in permanent
+ table. The daemon is appropriately called "verify". Files:
+ global/verify_clnt.[hc], verify/verify.c.
+
+20021118
+
+ Cleaning up the code for tracing and verification. Files:
+ global/{log_adhoc,bounce,defer,trace,verify}.[hc].
+
+20021119
+
+ New address_verification_negative_cache = yes/no parameter
+ controls whether Postfix stores the result of negative
+ address verification probes. This reduces cache pollution
+ but causes Postfix to send a probe for each address
+ verification service query. File: verify/verify.c.
+
+ Added optimistic caching to the verify daemon, so that one
+ failed probe will not clobber a known to be good address.
+ As long as some probes succeeed, a good address will stay
+ cached as OK.
+
+ Cleaning up of the bounce daemon's code for bounce, delayed
+ mail warning and trace notification. Files: bounce/*.[hc],
+ global/bounce_log.c.
+
+20021120
+
+ Changed the probe's sender address to "postmaster" so that
+ we get better information about the address we're testing.
+ File: verify/verify.c.
+
+ Added some paranoia to the routine that reads data from
+ the address verification cache. Ignore data that is obviously
+ bogus. File: verify/verify.c.
+
+20021121
+
+ Bugfix: garbage in "user@garbage"@domain address forms may
+ cause the SMTP or LMTP client to terminate with a fatal
+ error exit because garbage/tcp is not an existing service.
+ This cannot be abused to cause the SMTP or LMTP client to
+ send data into unauthorized ports. Files: *qmgr/qmgr_message.c,
+ trivial-rewrite/resolve.c.
+
+20021124
+
+ Bugfix: don't use same VSTRING buffer for reading and
+ writing. File: verify/verify.c.
+
+20021128
+
+ Feature: hashed hold queue support, with hashing turned on
+ by default. Omission spotted by Victor Duchovni, Morgan
+ Stanley. Files: global/hold_message.c, global/mail_params.h.
+
+ Bugfix: the LMTP client lost the port(service) information
+ when parsing host:port information. Victor Duchovni, Morgan
+ Stanley. Fix is to have a new host_port(3) module that does
+ the parsing for the SMTP and LMTP clients.
+
+ Cleanup: host_port() routine that parses host/port information
+ more consistently than the existing code in the LMTP and
+ SMTP clients. Files: smtp/smtp_connect.c, lmtp/lmtp_connect.c,
+ util/host_port.[hc].
+
+20021130
+
+ Cleanup: defer mail when recipient verification takes too
+ long. File: smtpd/smtpd_proto.c.
+
+ Feature: new reject_multi_recipient_bounce restriction, to
+ reject "MAIL FROM: <>" with multiple recipients. File:
+ smtpd/smtpd_check.c.
+
+20021201
+
+ Compatibility: ignore the new Sendmail -A option. File:
+ sendmail/sendmail.c.
+
+ Workaround: sendmail -v now produces no output. You need
+ to specify -v -v instead. This is to avoid problems when
+ people request verbose mail delivery in their mail.rc file.
+ File: sendmail/sendmail.c.
+
+20021202
+
+ Cleanup: hash_queue_depth now defaults to 1 level of
+ subdirectories. This makes "mailq" faster on most systems,
+ but will result in poorer worst-case performance when lots
+ of mail is queued.
+
+ The check_relay_domains restriction is going away. The SMTP
+ server logs a warning and suggests using reject_unauth_destination
+ instead.
+
+ Cleanup: the local(8) and virtual(8) delivery agents did
+ not prepend X-Original-To: addresses to maildir files.
+ Omission spotted by Matthias Andree.
+
+ Specify "address_verify_sender=" or "address_verify_sender=<>"
+ to use a null sender address while doing address verification
+ probes. Beware, doing so may trigger false negatives
+ because some sites reject mail from the null sender, even
+ though this is required by RFC standards.
+
+ Bugfix: too many levels of dereferencing while testing for
+ missing reject_rbl_mumble domain names. Patrik Rak. File:
+ smtpd/smtpd_check.c.
+
+20021203
+
+ Bugfix: the FILTER access table action included the FILTER
+ command in the filter request, where only the transport+destination
+ were expected. Noel Jones. File smtpd/smtpd_check.c.
+
+ Cleanup: virtual_maps is now called virtual_alias_maps, in
+ order to better distinguish it from virtual_mailbox_maps.
+ The default value is $virtual_maps for backwards compatibility.
+
+ New parameters virtual_alias_domains and virtual_mailbox_domains
+ for the "domain.tld whatever" lookups. These use the same
+ syntax as the mydestination parameter. Default settings
+ are backwards compatible with Postfix 1.1.
+
+ Concept: just like $mydestination+$inet_interfaces control
+ what routes to $local_transport, $virtual_mailbox_domains
+ now controls what routes to $virtual_transport (default
+ transport: virtual), and $relay_domains now controls what
+ routes to $relay_transport (default transport: relay, a
+ clone of the smtp transport). Everything else routes to
+ $default_transport as before. This eliminates the need
+ for transport map entries for every virtual(8) domain, and
+ avoids performance problems with inbound relay mail. This
+ was improvement was suggested by Victor Duchovni. File:
+ trivial-rewrite/resolve.c.
+
+20021206
+
+ Cleanup: do allow regexps in aliases, virtual mailbox maps
+ but do not allow regular expression substitutions. Files:
+ util/dict.h, util/dict_regexp.c, util/dict_pcre.c.
+
+20021207
+
+ Cleanup: deleted the description of sendmail-style virtual
+ domains from the virtual(5) manual page. This part of
+ Postfix was too confusing.
+
+ Performance: RFC 2821 blesses the use of CNAME domain names
+ in MAIL FROM and RCPT TO. Not having to expand CNAME domain
+ names speeds things up a bit. File: smtp/smtp_proto.c.
+
+ Workaround: exclude error mailer destinations from transport
+ mapping lookups :-(. File: trivial-rewrite/resolve.c.
+
+ Cleanup: relocated_maps lookups are now moved to the
+ trivial-rewrite server. As of now, the queue manager no
+ longer does any map lookups, so it won't restart when maps
+ change. Files: *qmgr/qmgr_message.c, trivial-rewrite/resolve.c.
+
+ Robustness: because the trivial-rewrite server now does
+ many more table lookups, some of which are often LDAP or
+ SQL based, trivial-rewrite clients must be be prepared for
+ the case that the resolver reports a failure while processing
+ a request (when it was unable to access a lookup table).
+ Files: trivial-rewrite/resolve.c, local/resolve.c,
+ smtpd/smtpd_check.c.
+
+ Robustness: moving possible LDAP or SQL table lookups into
+ the trivial-rewrite server also required that trivial-rewrite
+ be running as multiple processes to reduce lookup latencies.
+ Files: master/multi-server.c.
+
+ Workaround: don't discard all the DNS lookup results when
+ only one of the results has a malformed name or address.
+ File: dns/dns_lookup.c.
+
+20021208
+
+ Cleanup: with the preliminary address domain classification
+ concept as implemented by the trivial-rewrite address
+ resolver, a lot of table lookups could be eliminated from
+ the SMTP server. Files: smtpd/smtpd_check.c.
+
+ Feature: new relay_recipient_maps parameter, for optional
+ maps with all the recipients in the domains that match
+ $relay_domains (so you can reject mail for unknown relay
+ recipients). This is for consistency with virtual_xx_maps
+ and virtual_xx_domains, and with local_recipient_maps and
+ the local delivery agent. File: smtpd/smtpd_check.c.
+
+ Cleanup: removed support for obsolete #number domain forms.
+ File: smtpd/smtpd_check.c.
+
+20021209
+
+ The Postfix installation procedure no longer sets the
+ "chattr +S" bit on Linux queue directories. Wietse has
+ gotten too annoyed with naive reviewers who complain about
+ performance without having a clue of what they are comparing.
+
+ "Security": local_recipient_maps is now turned on by default,
+ to reject mail for non-existent users at the SMTP port.
+ See conf/main.cf for instructions, section REJECTING UNKNOWN
+ LOCAL USERS.
+
+ Safety: detection of missing or inaccessible passwd file
+ database, to prevent massive complaints from people who
+ suddenly lose all their mail because local_recipient_maps
+ is now turned on by default.
+
+20021210
+
+ Feature: recipient address verification, using the code
+ that already implements sender address verification. Based
+ on suggestion by Matthias Andree. Files: src/smtpd/smtpd.c,
+ src/smtpd/smtpd_check.c.
+
+20021211
+
+ Performance: doubled the default process limit (50->100)
+ and default queue manager active queue message/recipient
+ limits (10k->20k). File: global/mail_params.h.
+
+ Bugfix: the change that begot us multiple trivial-rewrite
+ processes (good) also gave us multiple verify daemons (bad).
+ File: conf/post-install.
+
+20021212
+
+ Cleanup: allow transport map lookups to override error
+ mailer results (to avoid breaking existing installations),
+ and do transport map lookups before relocated map lookups.
+ Files: trivial-rewrite/resolve.c, trivial-rewrite/transport.c.
+
+ Shortened the verify server's negative cache refresh time
+ from 12 hours to 2 hours. File: global/mail_params.h.
+
+ Admin friendliness: the SMTP server now reports "User
+ unknown in {local recipient | virtual alias | virtual
+ mailbox | relay recipient} table". This will make trouble
+ shooting a little easier. Files: smtpd/smtpd_check.c,
+ trivial-rewrite/resolve.c.
+
+20021213
+
+ Cleanup: transport map entries with null nexthop ignored
+ relayhost settings. Making the code simpler also made it
+ more correct. Files: trivial-rewrite/resolve.c,
+ trivial-rewrite/transport.c.
+
+ Feature: "helpful_warnings" (default: yes) that can be
+ turned off if you really know what you're doing and want
+ to eliminate some unnecessary work.
+
+ Feature: enforcement of master.cf process limits for
+ processes such as qmgr and pickup that must run alone, and
+ processes such as cleanup and bounce that must run without
+ explicit process count limit. If an incorrect process limit
+ is specified in master.cf the service aborts.
+
+20021214
+
+ Cleanup: it looks like we finally get it right with transport
+ lookup table entries that either override or specify an
+ error transport without updating the nexthop information.
+ File: trivial-rewrite/resolve.c.
+
+ Robustness: don't probe the sender address when probed for
+ our own address verification probe sender address. File:
+ smtpd/smtpd_check.c.
+
+ Performance: don't do UCE checks (which may result in 4xx
+ SMTP reply codes, and thus, repeated delivery attempts)
+ when we already know that the recipient does not exist.
+ Files: smtpd/smtpd.c, smtpd/smtpd_check.c.
+
+20021215
+
+ Cleanup: further simplification of transport map handling
+ after some really fine hair splitting with Victor Duchovni.
+ Files: trivial-rewrite/resolve.c, trivial-rewrite/transport.c.
+
+20021216
+
+ Workaround: transform the address local-part into unquoted
+ form only when the address domain is local and the local-part
+ contains routing operators. Otherwise, we may damage the
+ address local-part by inserting space between non-operator
+ tokens. Some people use weird addresses and expect them to
+ be handled without damage. File: trivial-rewrite/resolve.c.
+
+ Robustness: scan the resolved recipient address for routing
+ operators in the address local-part, even when the local
+ MTA does not recognize ! and % as valid operators. File:
+ trivial-rewrite/resolve.c.
+
+ Cleanup: the address rewriting code no longer tries to
+ rewrite broken user@ or user@. address forms into even more
+ broken forms. bother. File: trivial-rewrite/rewrite.c.
+
+ Cleanup: the address resolver code now treats forms ending
+ in @ in a more rational manner (because the address rewriting
+ code no longer messes up by appending .my.domain).
+
+ Bugfix: a null address local-part before @domain now is
+ properly quoted just like the null address. File:
+ global/quote_82[12]_local.c.
+
+20021217
+
+ Cleanup: more work on the trivial-rewrite address rewriting
+ and address resolving code. New regression tests for address
+ rewriting and resolving that make some assumptions about
+ main.cf settings. Files: global/Makefile.in (assumptions),
+ global/rewrite_clnt.in, global/rewrite_clnt.ref,
+ global/resolve_clnt.in, global/resolve_clnt.ref.
+
+ Safety: configurable SMTPD reject codes for recipients not
+ in {local,relay}_recipient,virtual_{alias,mailbox}}_maps,
+ aptly named unknown_mumble_reject_code. Postfix installs
+ with unknown_local_recipient_reject_code=450, unless the
+ site already ran Postfix with local_recipient_maps enabled.
+ Files: smtpd/smtpd.c, smtpd/smtpd_check.c, conf/post-install.
+
+20021218
+
+ Feature: specify unverified_recipient_reject_code=250 or
+ unverified_sender_reject_code=250 to accept mail for an
+ address that is known to bounce. File: smtpd/smtpd_check.c.
+
+20021219
+
+ Bugfix: longjmp() while sending "go away" without setjmp()
+ in the QMQP server. Patrik Rak. File: qmqpd/qmqpd.c.
+
+ Safety: the XVERP extension is restricted to clients listed
+ in the authorized_verp_clients list (default: $mynetworks).
+ File: smtpd/smtpd.c.
+
+ Workaround: preliminary IPV6 support in valid_hostliteral().
+ File: util/valid_hostname.c.
+
+20021220
+
+ Bugfix: the reject_multi_recipient_bounce restriction had
+ an off-by-one error when used in smtpd_data_restrictions.
+ File: smtpd/smtpd_check.c.
+
+ Feature: new check_recipient_maps restriction that gives
+ finer control over when unknown recipients are rejected.
+ As with Postfix 1.1, the default is to do this at the end
+ of the recipient restrictions. Sites that want to improve
+ performance can put check_recipient_maps at the start of
+ the smtpd_client_restrictions list and avoid doing unnecessary
+ RBL lookups etc. File: smtpd/smtpd_check.c.
+
+ Feature: new show_user_unknown_recipient_table parameter
+ controls whether or not to reveal the lookup table name in
+ "User unknown" responses. The extra detail makes trouble
+ shooting easier but also reveals information that is nobody
+ elses business.
+
+20021221
+
+ Workaround: don't allow the transport map to override the
+ virtual alias class (error:User unknown) result. File:
+ trivial-rewrite/transport.c.
+
+20030101
+
+ Documentation update: new-style virtual domains broke the
+ advanced content filtering example. Files: FILTER_README,
+ RELEASE_NOTES-2.0.
+
+20030102
+
+ Cleanup: use different client instances when the same map
+ is opened with different flags. File: global/maps.c.
+
+ Feature: proxymap server for Postfix table lookups. This
+ helps to consolidate the number of open lookup tables (such
+ as MYSQL or LDAP), or to overcome chroot restrictions
+ (example: specify proxy:unix:passwd.byname to avoid the
+ need for a copy of the UNIX passwd file in chroot jails).
+ Files: global/dict_proxy.[hc], proxymap/proxymap.c
+
+ Cleanup: multiservers such as trivial-rewrite and the new
+ proxymap server now enforce the max_use total client number
+ limit more agressively, by not accepting new connections
+ after the limit is reached. Based on a patch by Victor
+ Duchovni, Morgan Stanley. File: master/multi_server.c.
+
+20030103
+
+ Cleanup: client stream endpoints not only have an idle time
+ limit ($ipc_idle) before a connection is closed, they now
+ also have a time to live ($ipc_ttl) to prevent connections
+ from becoming too persistent. This allows multi-servers
+ such as trivial-rewrite or the proxymap server to refresh
+ more frequently on busy systems. File: global/clnt_stream.c.
+
+20030104
+
+ Cleanup: avoid warnings about flag mismatches when the same
+ lookup table is listed under both virtual_alias_maps and
+ virtual_mailbox_maps. Files: global/virtual8.h, virtual/virtual.c.
+
+ Bugfix: an obscure memory leak that puzzled me for more
+ than a year until I found out how to reproduce it. File:
+ util/vstream.c.
+
+20030105
+
+ Cleanup: removed the address syntax check from the queue
+ manager, since a better test was implemented recently in
+ the trivial-rewrite server. Files: *qmgr/qmgr_message.c.
+
+ Bugfix: redirect bounce/defer to the address verification
+ service where appropriate. Files: *qmgr/qmgr_bounce.c,
+ *qmgr/qmgr_defer.c.
+
+ Bugfix: "no such file or directory" warnings after "postfix
+ reload" when a chrooted smtpd reconnects to the proxy
+ service. Fix: use "private/proxymap" if possible, otherwise
+ use "$queue_dir/private/proxymap". File: global/dict_proxy.c.
+
+ Robustness: daemons now chdir() to the queue directory
+ before running the pre-jail initialization code, so that
+ daemons running in stand-alone mode produce more consistent
+ results. Files: master/single_server.c, master/multi_server.c.
+ master/trigger_server.c.
+
+ Bugfix: "sendmail -bs" tried to access the proxymap service.
+ It should not try to open any user/domain/uce related tables
+ at all. File: smtpd/smtpd.c.
+
+20030106
+
+ Bugfix: bouncing to owner-alias was broken, i.e. the mail
+ kept being deferred, and when that was fixed, another buglet
+ came to light. File: bounce/bounce.c.
+
+ Robustness: the master no longer aborts with "address
+ already in use" when inet_interfaces specifies the same IP
+ address multiple times, or when a TCP service in master.cf
+ specifies a hostname for which the same IP address is listed
+ multiple times. File: master/master_ent.c.
+
+20030107
+
+ Robustness: check that FILTER actions in SMTPD access maps
+ or cleanup header/body_checks have plausible syntax. Files:
+ smtpd/smtpd_check.c, cleanup/cleanup_message.c.
+
+20030109
+
+ Cleanup: unnecessary "premature end of file on xxx while
+ reading yyy" warnings became exposed after some code
+ simplification. Files" global/*_clnt.c, global/dict_proxy.c
+
+ Robustness: undo the change that causes a multi-server
+ process to stop accepting new connections while it still
+ services existing clients for an extended amount of time.
+ We need a better process retirement strategy. File:
+ master/multi_server.c.
+
+20030110
+
+ Cleanup: the virtual_mailbox_maps parameter is now optional
+ even when virtual_mailbox_domains is. This makes virtual
+ mailbox domains more like relay domains and the local
+ domain.
+
+ Portability: the makedefs script now uses the pcre-config
+ utility to find out where things are installed.
+
+ Bugfix: the SMTP server did not recognize the local built-in
+ double bounce address as local. Reported by Matthias Andree.
+ For safety sake, threw in the local postmaster address as
+ well. File: smtpd/smtpd_check.c.
+
+20030113
+
+ Added MAILER-DAEMON to the list of always recognized local
+ addresses, since it is generated by Postfix bounces. File:
+ smtpd/smtpd_check.c.
+
+20030114
+
+ Bugfix: transport_errno was not reset upon successful
+ transport map wildcard lookup after an earlier failure.
+ Reported by Victor Duchovni. File: trivial-rewrite/transport.c.
+
+ Cleanup: unnecessary warnings from the proxymap client
+ after proxymap server disconnect. File: global/dict_proxy.c.
+
+ Cleanup: Patrik Rak found a few more chattr invocations
+ that were missed 20021209. Files: postfix-install,
+ conf/post-install.
+
+ Cleanup: the pcre-config command can produce null outputs.
+ Matthias Andree. File: makedefs.
+
+ Bugfix: the virtual(8) Makefile included $(AUXLIBS) in the
+ dependencies.
+
+20030118
+
+ Typos: some hyperlinks referred to flushd, which is the
+ name that was used before the flush service was released.
+ Reported by Victor Duchovni.
+
+ Cleanup: smtpd no longer needed to open relocated_maps.
+
+20030119
+
+ Cleanup: bounce messages used "X-Postfix" even when mail_name
+ was set to something other than the default "Postfix" name.
+ File: bounce/bounce-notify_util.c.
+
+20030120
+
+ Bugfix: wrong FILTER_README instructions for disabling
+ virtual alias mapping in the cleanup server before the
+ content filter.
+
+ Bugfix: wrong FILTER_README instructions for destination-dependent
+ filtering, because relay_domains was specified incorrectly.
+
+20030122
+
+ Bugfix: 20021207 (move relocated table lookup from queue
+ manager to trivial-rewrite server) broke relocated table
+ lookup results with mail not rejected at the SMTP port.
+ Files: *qmgr/qmgr_deliver.c, *qmgr/qmgr_message.c.
+
+20030123
+
+ Bugfix: a widely used maildir filename algorithm was broken.
+ Postfix now uses TIME.DEVICE_INODE.HOST. Files: local/maildir.c,
+ virtual/maildir.c.
+
+20030124
+
+ Cleanup: queue structures no longer overload queue name
+ and nexthop destination. Files: *qmgr/qmgr_message.c,
+ *qmgr/qmgr_queue.c, *qmgr/qmgr_deliver.c.
+
+20030125
+
+ Feature: "REDIRECT user@domain" action in access maps or
+ in header/body_checks causes mail to be sent to the specified
+ address instead of the intended recipient(s). I would never
+ recommend that people use this to redirect (bounced) SPAM
+ to the beneficiaries of an advertisement campaign. Files:
+ smtpd/smtpd_check.c, cleanup/cleanup_message.c,
+ *qmgr/qmgr_message.c.
+
+20030126
+
+ Update: maildir filename algorithm updated according to
+ today's version of http://cr.yp.to/proto/maildir.html.
+
+20030127
+
+ Cleanup: use separate error messages for separate problems
+ with computing the list of SASL authentication mechanisms.
+ File: smtpd/smtpd_sasl_glue.c.
+
+20030130
+
+ Bugfix: allow $name in default time values. File:
+ global/mail_conf_time.c.
+
+20030205
+
+ Feature: allow !, /file/name and map:name in masquerade_exceptions.
+ By Liviu Daia. Files:cleanup_init.c, cleanup.h,
+ cleanup_masquerade.c.
+
+20030219
+
+ Bugfix: the local pickup daemon skipped unterminated records,
+ since they happened to have the same record type code as
+ content filtering instructions. Victor Duchovni. Files:
+ global/rec_type.h, pickup/pickup.c.
+
+ Portability: Postfix could block, and thus not enforce
+ command execution time limits, while delivering mail to
+ command. File: global/pipe_command.c.
+
+ Bugfix: command execution time limits were not enforced
+ because the child process killing code in pipe_command()
+ was running with the wrong privileges. Problem reported by
+ Ben Rosengart, Panix. File: global/pipe_command.c.
+
+ Bugfix: duplicate recipient filtering in the cleanup server
+ did not eliminate virtual expansion duplicates with the
+ same original recipient. File: cleanup/cleanup_out_recipient.c.
+
+20030223
+
+ Cleanup: added postmap/postalias -p option (do not inherit
+ the source file permissions when creating a new file), for
+ completeness. A feature that can't be turned off is a bug.
+ Files: postmap/postmap.c, postalias/postalias.c.
+
+ Bugfix: smtpd_hard/soft_error_limit off-by-one error, so
+ that the real limit was one larger than the configured
+ value. File: smtpd/smtpd.c, smtpd/smtpd_chat.c.
+
+20030226
+
+ Safety: proxymap server defense against potential deadlock
+ when some library routine wants to open a proxied table.
+ Instead, proxymap opens the requested table directly. File:
+ proxymap/proxymap.c.
+
+ Portability: updated AIX 5.x system dependent definitions.
+ File: util/sys_defs.h.
+
+20030227
+
+ Bugfix: added mynetworks to the list of proxy_read_maps
+ parameter settings that are pre-authorized to use proxied
+ table lookups. File: global/mail_params.h.
+
+ Cleanup: daemons now log what table has changed before
+ restarting. Files: dict.c, and anything that invoked
+ dict_changed().
+
+ Cleanup: more consistency in the naming of lookup table
+ handles as generated by maps(3) and by match_list(3).
+
+20030305
+
+ Workaround: Postfix removes too long non-address text from
+ message headers in order to protect vulnerable Sendmail
+ systems against exploitation of the remote buffer overflow
+ vulnerability described in CERT advisory CA-2003-07.
+
+20030311-19
+
+ Bugfix: the access map actions HOLD, DISCARD, FILTER and
+ REDIRECT were broken with smtpd_delay_reject=no and with
+ ETRN. This required re-architecting of the actions code.
+ Files: smtpd/smtpd.[hc], smtpd/smtpd_check.c, smtpd/smtpd_state.c.
+
+20030315
+
+ Bugfix: the postsuper manual page documented support for
+ the -c command line option, but it was not implemented.
+ File: postsuper/postsuper.c.
+
+ Bugfix: the Postfix 2.0 recipient map checking code broke
+ the VRFY command, causing it to reply with status code 252
+ for non-existent addresses. This required re-architecting
+ the recipient table lookup code. File: smtpd/smtpd_check.c.
+
+20030319
+
+ Feature: configurable limit on virtual alias expansion size
+ and nesting depth, via the virtual_alias_expansion_limit
+ and virtual_alias_recursion_limit parameters. The default
+ limits are compatible with past Postfix versions. Victor
+ Duchovni, Morgan Stanley. Files: /sample-resource.cf,
+ html/resource.html, cleanup/cleanup.c, cleanup/cleanup_init.c,
+ cleanup/cleanup_map1n.c.
+
+ Feature: the installation procedure records build information
+ (by default: in /etc/postfix/makedefs.out).
+
+20030324
+
+ Bugfix: smtp-source flushed too often, causing suboptimal
+ performance with smtp-source sending directly into smtp-sink.
+ Files: smtpstone/smtp-source.c.
+
+20030410
+
+ Safety: log a fatal error when a net/mask pattern has a
+ non-zero host part, so that mail delivery is deferred.
+ File: util/match_ops.c.
+
+20030411
+
+ Bugfix: extraneous warning about out-of-order original
+ recipient records by Patrik Rak. Files: *qmgr/qmgr_message.c.
+
+20030412
+
+ Workaround: log a warning and reset the queue file time
+ stamps when the file system clock is ahead of the local
+ clock. File: global/mail_stream.c.
+
+20030414
+
+ Feature: PostgreSQL client module, adopted by LaMont Jones.
+ Files: README_FILES/PGSQL_README, util/dict_pgsql.c,
+ util/dict_pgsql.h, conf/sample-pgsql-aliases.cf.
+
+ Cleanup: the generic smtp client/server code in smtp_stream.c
+ now has an explicit flush operation, and the smtp-source/sink
+ programs are updated to take advantage of this.
+
+ Cleanup: the file system clock drift detection code now
+ runs only once per process instance, to minimize the
+ performance impact. File: global/mail_stream.c.
+
+ Robustness: avoid TIME_WAIT state with smtp/qmqp-source
+ client sockets. This puts less strain on local system
+ resources.
+
+20030415
+
+ Cleanup: the file system clock drift detection code now
+ runs only for incoming mail. File: global/mail_stream.c.
+
+20030416
+
+ Bugfix: missing partial last line when 1) someone submits
+ 8-bit mail not ending in newline via /usr/sbin/sendmail
+ and 2) MIME input processing is turned off, and 3) MIME
+ 8bit->7bit conversion is requested upon delivery via SMTP.
+
+ Cleanup: auto-bcc recipients are now added in one place
+ (the cleanup server) instead of by individual front-end
+ servers (pickup, smtpd, qmqpd). This makes it easier to
+ add auto-bcc features that trigger on sender or recipient
+ addresses.
+
+ Cleanup: "sendmail -t" (recipients from headers) is now
+ implemented by the sendmail command instead of by the
+ cleanup server. This means that the extract_recipient_limit
+ configuration parameter is no longer needed. Files:
+ sendmail/sendmail.c, cleanup/cleanup_message.c,
+ cleanup/cleanup_extracted.c.
+
+ Compatibility: "sendmail -t" (recipients from headers) now
+ accepts command-line recipients instead of complaining.
+ The extracted header recipients are added to the command-line
+ recipients.
+
+ Feature: sender/recipient_bcc_maps. These are indexed by
+ sender/recipient address and are examined when mail enters
+ from outside of Postfix. Files: cleanup/cleanup_addr.c.
+ cleanup/cleanup_envelope.c cleanup/cleanup_extracted.c.
+
+20030417
+
+ Feature: the SMTP client now falls back to native name
+ service lookups (including /etc/hosts) when a host cannot
+ be found in the DNS. This is controlled by a new parameter
+ smtp_host_lookup (default: dns, native). Files: smtp/smtp.c,
+ smtp/smtp_addr.c.
+
+20030418
+
+ Bugfix: "sendmail -t" broke with unrecognized message
+ headers.
+
+20030419
+
+ Feature: "postcat -q" searches the queue for the named
+ file.
+
+ Cleanup: made postcat "record names" output more consistent.
+
+20030421
+
+ Debugging: added some extra detailed error logging to the
+ pipe-to-command delivery, to help folks with bizarre file
+ truncation problems. File: global/pipe_command.c.
+
+20030424
+
+ Cleanup: readlline() did not terminate the result before
+ complaining about lines starting with whitespace.
+
+ Cleanup: eliminated valid_hostname warning for invalid
+ queue file names. File: global/mail_queue.c.
+
+ Bugfix: lost three lines of code when readying the postcat
+ command for release, which broke postcat -q. File:
+ postcat/postcat.c.
+
+ Bugfix: the Postfix sendmail command applied the message
+ size limit when running as newaliases. The limiting code
+ is now moved to the message enqueuing branch of the code.
+ File: sendmail/sendmail.c.
+
+ Documentation: start of documentation for the algorithm of
+ Patrik Rak's clever queue manager scheduler (nqmgr). Files:
+ conf/sample-scheduler.cf, README_FILES/SCHEDULER_README.
+
+20030429
+
+ Bugfix: while verifying an address, the LMTP client entered
+ a forbidden "next" sender state after the last recipient.
+ Fix by Vladimir Davydoff. File: lmtp/lmtp_proto.c.
+
+ Bugfix: "," was not recognized in proxy_read_maps settings.
+ Fix by Leandro Santi. File: proxymap/proxymap.c.
+
+20030502
+
+ Bugfix: defer delivery after .forward etc. file read error.
+ File: local/token.c. Problem reported by Ben Rosengart,
+ Panix.
+
+20030503
+
+ Bugfix: the Postfix LMTP client used the wrong service
+ name, causing trouble with SASL 2.1.13. Daniel Schales,
+ Louisiana Tech. File: lmtp/lmtp_sasl_glue.c.
+
+20030518
+
+ Workaround: IRIX select() reports that a non-blocking file
+ descriptor is writable while write() transfers zero bytes.
+ File: util/vstream.c. Superseded by change 20030523.
+
+20030520
+
+ Cleanup: future time stamps in Received: headers and negative
+ delays in delivery agent logging after "postdrop -r",
+ because deferred queue files had future file modification
+ times. File: src/postsuper/postsuper.c.
+
+20030521
+
+ Cleanup: nqmgr warnings about "recipient count mismatch"
+ after "postdrop -r", because the cleanup server did not
+ count the "already done" recipients. Problem reported by
+ Richard Stockton, Gramma Software. Files:
+ cleanup/cleanup_envelope.c, cleanup/cleanup_extracted.c.
+
+20030523
+
+ Workaround: IRIX select() reports that a non-blocking file
+ descriptor is writable while write() transfers zero bytes.
+ File: global/pipe_command.c.
+
+20030523-20030605
+
+ Cleanup: rewrote the queue file record processing loops in
+ pickup, cleanup and in [n]qmgr. This code had deteriorated
+ a lot as the result of small changes over the years. This
+ change brings the code closer to "obviously correct". Files:
+ cleanup/cleanup_envelope.c, cleanup/cleanup_extracted.c,
+ *qmgr/qmgr_message.c.
+
+ Cleanup: Postfix no longer produces queue files with
+ backwards compatibility data for Postfix versions < 1.0
+ (a.k.a. 20010228). Files: cleanup/cleanup_extracted.c,
+ showq/showq.c.
+
+ Performance: the queue manager no longer has to examine
+ every queue file record before it can start deliveries.
+ This helps to avoid thrashing with very large mailing lists.
+ Postfix queue files have an extra field in the size record
+ with queue manager processing hints. This change is backward
+ and forward compatible. Files: cleanup/cleanup_envelope.c,
+ cleanup/cleanup_extracted.c, *qmgr/qmgr_message.c.
+
+20030528
+
+ Compatibility: "sendmail -q<time>" without -bd option now
+ exits immediately, instead of waiting for input on the
+ standard input stream and screwing up system boot sequences.
+ File: sendmail/sendmail.c.
+
+20030530
+
+ Bugfix: client access denied with smtpd_delay_reject=no
+ broke "sendmail -bs". Fix by Victor Duchovni, Morgan Stanley.
+ File: smtpd/smtpd.c.
+
+20030531
+
+ Compatibility: allow <@site,@site:address> route addresses
+ in SMTP commands. File: smtpd/smtpd.c.
+
+20030605
+
+ Cleanup: input checks moved from the pickup daemon to the
+ postdrop mail submission command; this is to prepare for
+ direct mail submission from postdrop->cleanup without going
+ through the maildrop directory and the pickup service.
+ Files: pickup/pickup.c, postdrop/postdrop.c.
+
+ Bugfix: the "dead host" backoff timer in the MySQL client
+ didn't work. Fix by Leandro Santi. File: util/dict_mysql.c.
+
+ Bugfix: same problem in the PostgreSQL client. File:
+ util/dict_pgsql.c.
+
+ Workaround: turned off non-blocking write to pipe because
+ too many systems give a weird write() result. File:
+ global/pipe_command.c.
+
+ Cleanup: added support for vstream_fseek(.., .., SEEK_END).
+ File: util/vstream.c.
+
+20030608
+
+ Feature: separate address resolver controls for address
+ verification probe messages: address_verify_{local,virtual,
+ relay,default}_transport, address_verify_relayhost, and
+ address_verify_transport_maps. The default values are the
+ regular versions of the same controls. Files: trivial-rewrite/*,
+ global/resolve_clnt.[hc], *qmgr/qmgr_message.c.
+
+20030609
+
+ Workaround: Solaris blocking socket read() may hang. Hernan
+ Perez Masci and Leandro Santi. File: smtpd/smtpd.c.
+
+ Bugfix: the "unread recipient" counter needs to be restored
+ after the queue manager has a problem reading a queue file.
+ Fix by Patrik Rak. File: nqmgr/qmgr_message.c.
+
+20030610
+
+ Cleanup: the verify server now uses asynchronous submission
+ of mail probes, so it will no longer block for in_flow_delay
+ seconds when mail arrives faster than it is delivered.
+ Still need to make mail_stream_finish() asynchronous in
+ order to avoid blocking for trigger_timeout seconds when
+ the queue manager is overwhelmed. Files: global/post_mail.c,
+ verify/verify.c.
+
+ Bugfix: removed extraneous sleep() after the last attempt
+ to retrieve address verification status. File: smtpd/smtpd.c.
+
+20030611
+
+ Bugfix: the stricter postdrop input filter broke "sendmail
+ -bs". Found by Lutz Jaenicke. File: smtpd/smtpd.c.
+
+20030614
+
+ Portability: Dropped support for client side LDAP caching.
+ As of release 2.1.13 OpenLDAP no longer supports client
+ side caching, it has been deprecated for some time, and
+ never worked well. Implemented by Victor Duchovni, Morgan
+ Stanley, and further enhanced by Lamont Jones, HP. Files:
+ src/util/dict_ldap.c, conf/sample-ldap.cf,
+ README_FILES/LDAP_README.
+
+ Safety: Given suitable invalid database contents, LDAP
+ lookups can produce too many results, enter an infinite
+ loop in the expansion of "special result attributes" (LDAP
+ DNs and LDAP URLs) or just consume excessive server resources
+ returning large result sets. Three new (per LDAP map)
+ configuration parameters enable one to set limits on
+ recursive nesting, result expansion and the server response
+ "entry" count. Implemented by Victor Duchovni, Morgan
+ Stanley, further enanced by Lamont Jones, HP. Files:
+ src/util/dict_ldap.c, conf/sample-ldap.cf,
+ README_FILES/LDAP_README.
+
+20030616
+
+ Feature: in mail delivery status reports, report the sender
+ address as X-Postfix-Sender. Matthias Andree. File:
+ bounce/bounce_notify_util.c.
+
+ Cleanup: in mail delivery status reports, transform the
+ original recipient into xtext format as required by RFC
+ 1891. Files: bounce/bounce_notify_util.c, util/xtext.[hc].
+
+ Cleanup: more accurate "postfix check" warning for files
+ that miss one or more of the required mode 02111 execute
+ permission bits. Matthias Andree. File: conf/postfix-script.
+
+20030618
+
+ After "postfix reload", the master daemon now warns when
+ inet_interfaces has changed, and ignores the change, instead
+ of passing incorrect information to the smtp server. File:
+ master/master_ent.c.
+
+20030619
+
+ Feature: the Postfix SMTP server can send all mail into a
+ proxy server, for example a real-time SPAM filter. This
+ proxy is supposed to send the mail into another Postfix
+ SMTP server process for normal delivery. Files: smtpd/smtpd.c
+ smtpd/smtpd_proxy.[hc].
+
+20030620
+
+ Bugfix: a cut-and-paste error caused the proxy server's
+ 354 status code to be reported when a proxy connection
+ broke during the DATA phase. File: smtpd.c.
+
+20030620
+
+ Bugfix: after the last change to postdrop, postcat no longer
+ recognized maildrop files as valid. File: postcat/postcat.c.
+
+ Bugfix: after moving "sendmail -t" address extraction to
+ sendmail, "-t" broke multi-line recipient headers. Victor
+ Duchovni, Morgan Stanley. File: sendmail/sendmail.c.
+
+20030621
+
+ Workaround: the safe_open(O_CREAT) race condition exploit
+ avoiding code tries a little harder when it encounters a
+ race condition. File: util/safe_open.c.
+
+20030624
+
+ Bugfix: reject_unverified_address() set the defer_if_reject
+ flag when the verify service was unavailable (which never
+ happens). Victor Duchovni, Morgan Stanley. File:
+ smtpd/smtpd_check.c.
+
+ New parameters address_verify_poll_{count,delay} that
+ control how often to poll the address verification service
+ for the completion of an address verification request.
+ Specify address_verify_poll_count=1 to implement a crude
+ form of greylisting, that is, always defer the first delivery
+ attempt for an unknown address. File: smtpd/smtpd_check.c.
+
+ Bugfix: after the last change to postdrop, postcat no longer
+ recognized non-maildrop queue files as valid. File:
+ postcat/postcat.c.
+
+20030629
+
+ Cleanup: replaced references to "simulated virtual domains"
+ by "virtual alias domains". Victor Duchovni, Morgan Stanley.
+
+20030630
+
+ Feature: smtp_quote_rfc821_envelope=(yes|no) to control
+ RFC 821 style quoting of MAIL FROM and RCPT TO addresses.
+ Files: global/mail_params.h, smtp/smtp.c, smtp/smtp_proto.c.
+
+20030701
+
+ Bugfix: multi-recipient probes triggered a bug in the SMTP
+ client. File: smtp/smtp_proto.c.
+
+ Feature: enable_original_recipient (default: yes) to control
+ whether Postfix keeps track of original recipient address
+ information. Victor Duchovni, Morgan Stanley. Files:
+ cleanup/cleanup.c, cleanup/cleanup_init.c,
+ cleanup/cleanup_out_recipient.c, global/log_adhoc.c,
+ global/mail_copy.c, *qmgr/qmgr_message.c.
+
+ Feature: !/pattern/ support for PCRE lookup tables. Victor
+ Duchovni, Morgan Stanley. Files: util/dict_pcre.c.
+
+ Cleanup: allow whitespace after patterns in repexp and pcre
+ tables. Victor Duchovni, Morgan Stanley. Files:
+ util/dict_pcre.c, util/dict_regexp.c.
+
+20030702
+
+ Feature: CIDR lookup table support, very remotely based on
+ code by Jozsef Kadlecsik. Files: proto/cidr_table,
+ util/dict_cidr.[hc].
+
+ Feature: TCP lookup table support, finally finished. Files:
+ proto/tcp_table, proto/dict_tcp.[hc].
+
+20030705
+
+ Feature: new receive_override_options parameter controls
+ what happens before or after an external content filter:
+ rejecting unknown recipients, canonical and virtual address
+ mapping, address masquerading, automatic BCC recipients
+ and header/body checks. This eliminates the need to configure
+ multiple cleanup services in the master.cf file.
+
+20030707
+
+ Feature: context dependent SASL security options (i.e.
+ different options when TLS is enabled/disabled). Lutz
+ Jaenicke. Files: */*sasl_glue.[hc].
+
+20030708
+
+ Hardened the attr_scan routines for exposure to an untrusted
+ environment, in preparation for possible use with SMTP
+ policy delegation to an external server.
+
+ Feature: address filter for RBL lookups, for use with
+ multi-valued RBL services. File: smtpd/smtpd_check.c.
+
+20030709
+
+ Cleanup: use off_t instead of int for VSTREAM file offsets.
+ This was needed for mailboxes > 2GB on 32-bit systems.
+ Files: util/vstream.c, global/mail_copy.c.
+
+20030710
+
+ Support for multiple A and TXT results in RBL lookups.
+ Victor Duchovni, Morgan Stanley. File: smtpd/smtpd_check.c.
+
+ Support for attribute-based query-reply protocols. Files:
+ util/attr_clnt.[hc], util/auto_clnt.[hc].
+
+20030711
+
+ Support for plain "name=value\n" attribute protocol. Files:
+ util/attr_{scan,print}_plain.c.
+
+ Bugfix: the LMTP session caching code did not reset the
+ EHLO server feature list when it needed to reconnect.
+ Problem found by Tobias Erbsland.
+
+20030712
+
+ Feature: delegated SMTP policy server. As an example, see
+ the greylisting server in examples/smtpd-policy. Specify
+ "check_smtpd_policy_service" in smtpd_mumble_restrictions.
+ See SMTPD_POLICY_SERVICE_README for details.
+
+20030716
+
+ Bugfix: in the sample policy server, changed "ok" into
+ "dunno" so the server can be used in the middle of a
+ restriction list.
+
+ Cleanup: when an RBL reply has multiple TXT records,
+ concatenate them up to some reasonable limit, instead of
+ selecting one randomly. File: smtpd/smtpd_check.c.
+
+ Safety: always truncate SMTP server error replies to 512
+ bytes. File: smtpd/smtpd_check.c.
+
+20030717
+
+ Documentation: added description of policy_time_limit to
+ the SMTPD_POLICY_README document.
+
+ Documentation: corrected the command time limit parameter
+ syntax in the spawn(8) manual page.
+
+ Feature: defer_if_permit and defer_if_reject actions in
+ access tables, mainly for use by the delegated policy
+ server. Files: smtpd/smtpd_check.c, proto/access.
+
+20030725
+
+ The dict_pgsql module did not use dict_alloc() and dict_free(),
+ causing improper initialization and a memory leak. Leandro
+ Santi. File: util/dict_pgsql.c.
+
+ Cleanup: added open_flags sanity checks to the dict_pgsql
+ and dict_mysql modules. These maps must be opened in
+ read-only mode.
+
+20030731
+
+ Bugfix: virtual(8) was changed to use mail_addr_find()
+ instead of virtual8_maps_find(), but the SMTP server's
+ virtual mailbox recipient validation was not updated.
+
+20030804
+
+ Bugfix: the 20030712 safety against invalid DNS results
+ was broken. Reported by Ralf Hildebrandt. File:
+ dns/dns_lookup.c.
+
+20030805-12
+
+ Safety: the pipe daemon now defers delivery with a warning
+ when it is given a non-existent command-line macro name.
+ File: pipe/pipe.c.
+
+20030810
+
+ Bugfix: dict_ldap had a few harmless memory leaks. By
+ Liviu Daia. File: util/dict_ldap.c.
+
+ Feature: support for LDAP URLs in the LDAP parameter
+ "server_host", if Postfix is linked against OpenLDAP. This
+ allows Postfix to connect to LDAP SSL sources. By Liviu
+ Daia. File: util/dict_ldap.c.
+
+20030811
+
+ Cleanup: produce a warning when host:port specifies a badly
+ formatted numerical port. Files: util/find_inet.c,
+ smtp/smtp_connect.c, lmtp/lmtp_connect.c.
+
+20030822
+
+ Feature: the export_environment and import_environment
+ parameters now accept name=value information that will be
+ entered into the new environment. File: util/clean_env.c.
+
+20030823
+
+ Feature: smtpd_sasl_exceptions_networks parameter to prevent
+ Postfix from offering AUTH to clients that match the listed
+ networks. Based on code by Ben Rosengart, Panix. Files:
+ conf/sample-auth.cf, smtpd/smtpd.c.
+
+20030902
+
+ Portability: the Postfix master resets the file size to
+ the largest possible off_t value when the actual limit
+ appears to overflow the off_t range. Files: util/sys_defs.h,
+ util/file_limit.c. A fine sample of bit banging.
+
+20030905
+
+ Workaround: Solaris 8 select() claims that a non-blocking
+ socket is readable and then read() fails with EAGAIN. Files:
+ util/timed_read.c and as precautionary measure,
+ util/timed_write.c.
+
+ Bugfix: dict_register() should not be called from dict_open()
+ in dict_mysql and dict_pgsql. Liviu Daia. Files:
+ util/dict_mysql.c, util/dict_pgsql.c.
+
+ Feature: LDAP parameters can now be specified in external
+ files. This makes it possible to securely store bind
+ passwords for plain auth outside of main.cf (which is world
+ readable). By Liviu Daia, based on a suggestion by Victor
+ Duchovni and Lamont Jones. File: util/dict_ldap.c.
+
+ Feature: STARTTLS option for LDAP, if Postfix is linked
+ against OpenLDAP. By Liviu Daia, amended by Victor Duchovni.
+ File: util/dict_ldap.c.
+
+ Cleanup: connections to LDAP sources are now postponed
+ until they are actually needed. By Liviu Daia. File:
+ util/dict_ldap.c.
+
+20030908
+
+ The 20030905 Solaris workaround triggers too many warnings.
+ TCP sockets are back to blocking, and keepalives are turned
+ on to kill off dead sockets, as suggested by Leandro Santi.
+ Files: master/{single,multi}_server.c, smtpd/smtpd.c,
+ util/sys_defs.h.
+
+20030909
+
+ Bugfix: the LMTP session caching code had problems with
+ SASL authentication after the first connection, and pipelining
+ was working poorly. Fix by Victor Duchovni, Morgan Stanley.
+ Files: lmtp/lmtp.c, lmtp/lmtp_proto.c.
+
+20030912
+
+ Workaround: besides SMTP server sockets, SMTP client sockets
+ can also hang on Solaris, as reported by Leandro Santi. In
+ order to deal with this at the root, all connection management
+ is now done by sane_accept() and sane_connect(). Both turn
+ on keepalives on Solaris.
+
+20030913
+
+ Safety: set-gid commands don't trust TZ. File: msg_syslog.c.
+
+20030914
+
+ Address extension propagation wasn't documented enough when
+ it was added to Postfix. Based on patches by Roman Neuhauser.
+
+ Added clarifying notes to main.cf, master.cf and access by
+ Dean Gibson.
+
+ In header/body_checks, DUNNO is now the preferred action
+ instead of the now deprecated OK. This may confuse fewer
+ people.
+
+ In header/body_checks, allow text after IGNORE and DUNNO,
+ suggested by Victor Duchovni, Morgan Stanley. File:
+ src/cleanup/cleanup_message.c.
+
+ Feature: reject_rhsbl_helo. File: smtpd/smtpd_check.c.
+
+ Bugfix? The LMTP and SMTP clients now send "MAIL FROM:<sender>
+ AUTH=<>" when SASL authenticated. Suggested by by Victor
+ Duchovni, Morgan Stanley. Files: smtp/smtp_proto.c,
+ lmtp/lmtp_proto.c.
+
+20030915
+
+ Bugfix: mail rejected by the before-queue content filter
+ was mis-labeled as a software error; it should be labeled
+ as a policy error instead. File: smtpd/smtpd.c.
+
+ Cleanup: postcat is now null-byte transparent. File:
+ postcat/postcat.c.
+
+20030916
+
+ Feature: ``check_{sender,recipient}_mx_access maptype:mapname''
+ applies the named Postfix access table to the MX host name
+ and IP addresses for the sender or recipient address. If
+ no MX record is found, the A record is used instead. File:
+ smtpd/smtpd_check.c.
+
+ Feature: ``check_{sender,recipient}_ns_access maptype:mapname''
+ applies the named Postfix access table to the DNS server
+ hostname and IP addresses for the sender or recipient
+ address. If no NS record is found, the parent domain is
+ used instead. File: smtpd/smtpd_check.c.
+
+20030917
+
+ Feature: ``check_helo_{ns,mx}_access maptype:mapname'',
+ same semantics as sender and recipient.
+
+ Multiple LDAP lookup tables in the one Postfix process now
+ share one LDAP connection. Code by Victor Duchovni, Morgan
+ Stanley. File: util/dict_ldap.c.
+
+ Performance: with prefix_domain specified for an LDAP lookup
+ table, lookups of @domain are skipped. Code by Victor
+ Duchovni, Morgan Stanley. File: util/dict_ldap.c.
+
+ Safety: check_mumble_{mx,ns}_access refuses to be used for
+ whitelisting. The Postfix SMTP server will reject the
+ request with "451 server configuration error" and will log
+ a warning explaining why. File: smtpd/smtpd_check.c.
+
+20030918
+
+ Bugfix: check_mumble_ns_access did not correctly look up
+ NS records of parent domains, causing mail to be deferred
+ with a 450 status code. File: smtpd/smtpd_check.c.
+
+20030919
+
+ Robustness: check_mumble_{mx,ns}_access skip over DNS lookup
+ failures instead of deferring mail. This is not as bad as
+ it appears to be because the restrictions can't be used
+ for whitelisting. File: smtpd/smtpd_check.c.
+
+20030920
+
+ Bugfix: the 20030917 LDAP connection sharing code introduced
+ a compilation problem with non-OpenLDAP implementations.
+ Fix by Liviu Daia. File: util/dict_ldap.c
+
+ Compatibility: the LDAP server_host parameter now supports
+ all the usual Postfix list element delimiters. Some LDAP
+ libraries support just SPACE, others SPACE and ",". Postfix
+ now normalizes the host list into a space separated format.
+ This is less surprising to Postfix users used to the full
+ range of delimiters in other contexts. Implemented by Liviu
+ Daia. File: util/dict_ldap.c
+
+ Bugfix: after returning too old mail, the bounce daemon
+ now locks the original queue file and deletes deferred
+ recipients, to avoid repeated bounce notifications when
+ the queue manager is restarted. Files: bounce/*.[hc],
+ global/bounce_log.[hc], global/{bounce,defer}.[hc] and
+ everything that invokes these routines including queue
+ manager and delivery agents.
+
+20030922
+
+ Feature: "XADDR address hostname" SMTP command, for SMTPD
+ restriction debugging, and for sites with fetchmail-like
+ software that extracts client information from the first
+ Received: header. The smtpd_authorized_xaddr_clients
+ parameter specifies what clients are allowed to use XADDR
+ (default: none). Files: smtpd/smtpd.c.
+
+20031015
+
+ Workaround: smtpd access maps should not apply subdomain
+ name magic to numerical hostnames. File: smtpd/smtpd_check.c.
+
+ Safety: the local delivery agent now defers delivery when
+ alias lookup produces an empty result. File: local/alias.c.
+
+20031019
+
+ Workaround: disable request/reply size limit in attr_scan*.c
+ to prevent mail from getting stuck when rewriting a malformed
+ message header. This limit was turned on with snapshot
+ 20030715 to harden the protocol that is used by SMTPD policy
+ delegation. A "no code change" workaround is to specify
+ "header_size_limit = $line_length_limit". The proper fix
+ is to enforce request/reply size limits only for data from
+ outside of Postfix. Problem reported by Brandon Mullenberg,
+ Dialup USA. Files: util/attr_scan*.c.
+
+ Feature: "XLOGINFO address hostname" SMTP command, so that
+ Postfix daemons behind SMTPD pass-through proxies log useful
+ client name/address information instead of localhost[127.0.0.1].
+ The smtpd_authorized_xloginfo_clients parameter specifies
+ what clients are allowed to use XLOGINFO (default: none).
+ Files: smtpd/smtpd.c.
+
+ Cleanup: renamed the authorized_verp_clients parameter to
+ smtpd_authorized_verp_clients for consistency.
+
+20031021
+
+ Workaround: the demo greylist script now uses BTREE instead
+ of HASH files for hopefully better stability. The real fix
+ is to use a single updater process that serves multiple
+ clients. That approach seems to work well with the verify
+ daemon. File: examples/smtpd-policy/smtpd-policy.pl.
+
+20031022
+
+ Safety: the SMTP server now warns when the queue_minfree
+ value is less than twice the message size limit. File:
+ smtpd/smtpd.c.
+
+ Safety: the SMTP server no longer accepts mail when the
+ amount of free space is less than twice the message size
+ limit. File: smtpd/smtpd_check.c.
+
+ Safety: log a warning and defer mail when canonical or
+ virtual lookups return a non-address result (like a string
+ that contains no address). File: global/mail_addr_map.c.
+
+ Safety: log a warning and defer mail when any map lookup
+ returns an empty string result, and explain that "no result"
+ is expected in case of a "not found" condition. This happens
+ with incorrectly implemented SQL or LDAP tables. File:
+ global/maps_find.c.
+
+20031023
+
+ Bugfix: the MYSQL and PGSQL modules invoked dict_register().
+ This was fixed a while ago but never made it into the
+ distribution. Files: util/dict*sql.c.
+
+ Robustness: added three ISSPACE() calls in the smtpd proxy
+ parser. File: smtpd/smtpd_proxy.c.
+
+20031024
+
+ Portability: added localhost to mydestination for sites
+ that turn off append_dot_mydomain. File: global/mail_params.h.
+
+20031027
+
+ Portability: MacOS X Bind8 compatibility. File: makedefs.
+
+20031103
+
+ Robustness: flush pipelined "." and "quit" replies to avoid
+ repeated deliveries in case of a program crash (you know,
+ the kind of thing that happens before Postfix release :-).
+ File: smtpd/smtpd.c.
+
+20031105
+
+ Portability: turn off NETINFO support for MacOS X Panther
+ by default. Files: makedefs, util/sys_defs.h.
+
+20031106
+
+ Feature: the sample greylist policy server is now case
+ insensitive. File: examples/smtpd-policy/smtpd-policy.pl.
+
+20031103-20031110
+
+ Feature: preliminary defense against SMTP clients that
+ hammer the SMTP server with too many simultaneous or
+ successive connection attempts, with a whitelist capability
+ to disable the restriction for authorized clients. Most
+ work is implemented by a new "anvil" server. Parameters:
+ smtpd_client_connection_count_limit, smtpd_client_connection-
+ _rate_limit, smtpd_client_connection_limit_exceptions, and
+ client_connection_rate_time_unit. Documentation: smtpd(8),
+ anvil(8), sample-smtpd.cf. Files: smtpd/smtpd.c,
+ global/anvil_clnt.[hc], anvil/anvil.c. The anvil server
+ logs peak count and rate information per client when it
+ terminates after running out of work or after "postfix
+ reload".
+
+20031110
+
+ Cleanup: Postfix now supports the /0 netmask (match every
+ address). This is useful as a catch-all pattern at the
+ end of a table. Files: util/dict_cidr.c, util/match_ops.c.
+
+ Cleanup: don't report that $queue_directory/etc/filename
+ differs from /etc/filename when /etc/filename does not
+ exist. File: conf/postfix-script.
+
+20031112
+
+ Feature: client_connection_status_update_time parameter
+ controls periodic logging of maximal connection counts or
+ rates. The default logging interval is 10 minutes.
+
+ Feature: "make makefiles WARN=stuff..." overrides the
+ built-in GCC warning options that are used when "make" is
+ invoked from within a source subdirectory. Files: makedefs,
+ */Makefile.in.
+
+20031125
+
+ Feature: qmgr logs "queueid: deleted", just like postsuper,
+ when it removes a message from the mail queue.
+
+ Performance: smtpd connects to the cleanup or proxy server
+ AFTER the first valid RCPT TO command, instead of after
+ the first valid MAIL FROM command. This avoid wasting
+ real-time proxy filter resources when mail is stopped by
+ the SMTP server's access blocks. File: smtpd/smtpd.c.
+
+20031126
+
+ Bugfix: "panic: mymalloc: requested length 0" when master.cf
+ specified an invalid host name or address. Postfix now
+ logs more specific information. File: master/master_ent.c.
+ Reported by several people.
+
+20031125-20031201
+
+ Feature: XCLIENT support to override the SMTP server's
+ client information for logging and/or access control. This
+ replaces the short-lived XADDR and XLOGINFO extensions.
+ Remotely based on code by Victor Duchovni. See FILTER_README
+ and SMTPD_PROXY_README for usage details. Files:
+ smtpd/{smtpd,smtpd_check,smtpd_proxy,smtpd_xclient}.c
+ smtp/smtp_smtp_proto.c, *qmgr/qmgr_message.c,
+ global/deliver_request.c.
+
+20031202
+
+ Cleanup: postfix-files now has support for files that are
+ no longer part of Postfix. When upgrading Postfix, the
+ post-install script gives the user a reminder. Files:
+ conf/postfix-files, conf/post-install.
+
+20031203
+
+ Support for SMTPD access map actions (FILTER, REDIRECT,
+ HOLD or DISCARD) that are delegated to the cleanup server,
+ but can trigger before the first valid recipient address
+ is accepted (and thus, before a cleanup server connection
+ is available). Files: smtpd/{smtpd,smtpd_state,smtpd_check}.c.
+
+20031204
+
+ Bugfix: conf/post-install didn't skip non-existent obsolete
+ files. Victor Duchovni.
+
+ Minor cleanups of the xclient error messages; xclient
+ command lookup tables. File: smtpd/smtpd.c.
+
+20031206
+
+ Feature: reject_sender_login_mismatch allows multiple owners
+ of a sender address. Code by Liviu Daia. Files:
+ smtpd/smtpd_check.c and documentation.
+
+ reject_sender_login_mismatch is now implemented by elementary
+ features reject_unauthenticated_sender_login_mismatch
+ (reject if the client is not SASL logged in but the sender
+ address has an owner in smtpd_sender_login_maps) and
+ reject_authenticated_sender_login_mismatch (reject if the
+ client is SASL logged in but does not own the sender
+ address). Code by Liviu Daia. Files: smtpd/smtpd_check.c
+ and documentation.
+
+20031207
+
+ Bugfix: fallback_transport and mailbox_transport were broken
+ because the deliver_pass.c module was not updated for the
+ changed message delivery protocol.
+
+20031211
+
+ Safety: in dynamically growing data structures, update the
+ length info after (instead of before) updating the data
+ size. Files: util/argv.c, util/inet_addrlist.c, util/intv.c,
+ util/mvect.c, util/vstring.c, global/recipient_list.c,
+ *qmgr/qmgr_rcpt_list.c.
+
+20031212
+
+ Cleanup: separate extensions XCLIENT (impersonate SMTP
+ client) and XFORWARD (down-stream logging of up-stream MTA
+ and/or message information, not necessarily SMTP related).
+ The protocol is extensible: the server advertises what
+ attributes XCLIENT or XFORWARD will accept, and it is an
+ error to send an unsupported attribute. No xtext encoding
+ is used, since no attribute currently needs it. See also:
+ XCLIENT_README and XFORWARD_README.
+
+20031214
+
+ Feature: XFORWARD support in the LMTP client.
+
+20031215
+
+ Safety: updated mail_queue_id_ok() for long fast flush
+ logfile names. File: global/mail_queue.c.
+
+ Robustness: save and restore the resolver _res.options
+ settings before and after DNS lookup, to avoid surprises
+ in third-party code. This may eliminate some "localhost
+ not found" problems. File: dns/dns_lookup.c.
+
+20031216
+
+ Cleanup: easier to parse mailq output (no more space
+ between short queue ID and message status). File:
+ showq/showq.c.
+
+20031216-21
+
+ Cleanup: the SMTP client now moves on to the next MX host
+ or fallback relay when delivery fails in the middle of an
+ SMTP session. This includes both broken connections and
+ 4xx SMTP server replies. Files: smtp/smtp.c, smtp_rcpt.c,
+ smtp/smtp_connect.c, smtp_trouble.c.
+
+ Configuration parameters: smtp_mx_address_limit (limit the
+ list of IP addresses from MX lookup), and smtp_mx_session_limit
+ (limit the number of actual SMTP sessions per delivery
+ attempt, ignoring unusable MX IP addresses).
+
+ The new code centers around a mark-and-sweep algorithm
+ (replacing code that twiddled the rcpt->offset structure
+ member), with paranoid sanity checks to ensure that every
+ recipient is explicitly accounted for.
+
+20031217
+
+ Update: LDAP client logging (Liviu Daia) and LDAP client
+ documentation (Victor Duchovni). Files: util/dict_ldap.c,
+ conf/sample-ldap.cf, README_FILES/LDAP_README.
+
+20031222
+
+ Cleanup: shaved half the worst-case bits off the cleanup
+ duplicate address filter footprint. After discussion with
+ Victor Duchovni. File: cleanup/cleanup_out_recipient.c.
+
+ Safety: added "mail loops to myself" logic for destinations
+ that don't have an MX host. File: smtp/smtp_addr.c.
+
+20031223
+
+ Workaround: turn off "mail loops to myself" for non-MX
+ destinations because it breaks SMTP-based content filters.
+ Fix is to turn off loop detection when a non-default TCP
+ port is specified. File: smtp/smtp_addr.c.
+
+ Bugfix: restore errno after write failure in SIGCHLD handler.
+ Leandro Santi (who got the idea from Hernan Perez Masci).
+ File: master/master_sig.c.
+
+ Bugfix: the auto_clnt module disconnected too early, causing
+ unnecessary work by the anvil server.
+
+ Cleanup: eliminated binary hashes from anvil server. Anvil
+ client information is now stored on top of its VSTREAM.
+
+20031226
+
+ Feature: bounce_queue_lifetime parameter (default:
+ $maximal_queue_life_time) that bounds the time that
+ MAILER-DAEMON messages spend in the queue before they are
+ considered undeliverable.
+
+ Feature: disable "mail loops back to myself" protection
+ when SMTP mail is sent to a non-standard port. This makes
+ setting up content filters less painful.
+
+ Cleanup: disallow bare x.x.x.x numeric IP addresses in
+ email addresses. The form user@[x.x.x.x] is still allowed.
+
+ Cleanup: cleaned up the naming of internal symbols in the
+ SMTP client.
+
+20031231
+
+ Bugfix: stricter address syntax test broke "sendmail -bs".
+ File: smtpd/smtpd.c.
+
+20040101
+
+ Cleanup: the Postfix SMTP server rejects a MAIL FROM address
+ that matches a local, virtual or relay domain, while the
+ address is not listed in the corresponding local, virtual
+ or relay recipient table.
+
+ Feature: the reject_unlisted_sender(recipient) SMTPD access
+ restriction rejects an address that matches a local, virtual
+ or relay domain, while the address is not listed in the
+ corresponding local, virtual or relay recipient table.
+
+ Compatibility: the check_recipient_maps restriction works
+ like reject_unlisted_recipient, but will eventually be
+ removed from Postfix.
+
+20040102
+
+ Misc documentation cleanup by Loic Minier.
+
+20040104
+
+ Workaround: MacOSX dumps core on the 20030913 TZ censoring
+ code. We explicitly set TZ=UTC, which will produce incorrect
+ results when "mailq" formatting is moved from the showq
+ daemon to the postqueue command. File: msg_syslog.c.
+
+ Feature: after mail is requeued with "postsuper -r", the
+ pickup server logs the old queue ID together with the new
+ queue ID. Victor Duchovni. File: pickup/pickup.c.
+
+ Feature: smtpd_sasl_application_name parameter (default:
+ smtpd) to control the name of the SASL configuration file
+ used by the Postfix SMTP server. Liviu Daia. Files:
+ mail_params.h, smtpd.c, smtpd_sasl_glue.c.
+
+ Cleanup: the LDAP client configuration parser is now shared
+ between the LDAP, MySQL, and PGSQL clients. Liviu Daia.
+ Files: global/cfgparser.[hc], global/dict_ldap.c,
+ global/dict_mysql.c, global/dict_pgsql.c and documentation.
+
+ Cleanup: moved "util" modules with dependencies on higher-level
+ "global" code from the util directory to the global directory:
+ util/dict_open.c, global/cfgparser.[hc], global/dict_ldap.c,
+ global/dict_mysql.c, global/dict_pgsql.c, global/mail_dict.c.
+
+ Cleanup: the new queue manager nqmgr replaces the default
+ queue manager qmgr, leaving behind a hard link for backwards
+ compatibility. The old queue manager remains available as
+ as oqmgr but will eventually be removed.
+
+ Bugfix: vstring_get() etc. now return VSTREAM_EOF when they
+ terminate prematurely, instead of returning the last
+ character stored. This avoids mis-leading warnings. File:
+ global/vstring_vstream.c.
+
+20040105
+
+ Cleanup: don't bother the flush daemon while deferring mail
+ if the destination is not "fast flush" eligible. File:
+ global/flush_clnt.c.
+
+ Safety: the SMTP server flushes recipients to the cleanup
+ server in order to avoid SMTP timeouts when virtual or
+ canonical expansions take a lot of time. File smtpd/smtpd.c.
+
+ Safety: add warnings to postmap and postalias when table
+ lookup results in an empty string.
+
+20040110
+
+ Example: script to run qmail-local from Postfix by Ron
+ Bickers.
+
+ Change: queue minfree limit is now 1.5 * message size limit.
+ File: smtpd/smtpd_check.c.
+
+ Bugfix: apply hostname restriction even when host address
+ lookup fails in check_{sender,recipient}_{ns,mx}_access.
+ File: smtpd/smtpd_check.c.
+
+20040115
+
+ Performance: allow delivery concurrency to increase even
+ while mail is deferred, as long as the delivery agent does
+ not report really serious trouble with the destination.
+ Files: *qmgr/qmgr_deliver.c.
+
+ Cleanup: in postfix-files, symbolic links and hard links
+ are now first-class citizens with explicit mention of source
+ and destination pathnames. Files: postfix-install,
+ conf/postfix-files, conf/post-install.
+
+20040116
+
+ Cleanup: sendmail -v caused one mail delivery report upon
+ every delivery attempt, not just the first one. The fix is
+ to "kill" a queue file record after the first delivery
+ attempt. This means a new record type. Files: *qmgr/qmgr_active.c,
+ *qmgr/qmgr_message.c, global/rec_type.c.
+
+ Cleanup: in anticipation of other built-in rate limiters,
+ the client_connection_rate_time_unit parameter is renamed
+ to client_rate_time_unit.
+
+ Documentation: finished the HOSTING_README file with an
+ overview of methods to host domains with Postfix.
+
+20040119
+
+ Bugfix: anvil (count and rate limiting) server race condition
+ could result in dangling pointer. Postfix erases memory
+ after allocating and before freeing, so it is extremely
+ unlikely that this could be used to bring harmful data into
+ the anvil server. File anvil/anvil.c.
+
+20040120
+
+ Cleanup: new header_checks(5) and body_checks(5) manual
+ pages. The sample-regexp* and sample-pcre* files are no
+ longer needed and have been removed, as are the default
+ *_table configuration files.
+
+ Cleanup: support for the non-standard Errors-To: header is
+ removed. File: cleanup/cleanup_message.c.
+
+20040121
+
+ Feature: "PREPEND headername: headervalue" action in Postfix
+ access maps, to facilitate external policy servers that
+ label mail instead of rejecting it. Files: smtpd/smtpd.c,
+ smtpd/smtpd_check.c.
+
+20040122
+
+ UNDO the 20040104 change (vstring_get() etc. return
+ VSTREAM_EOF when they terminate prematurely, instead of
+ returning the last character stored, to avoid mis-leading
+ warnings). File: global/vstring_vstream.c.
+
+ Portability: test -e is not portable. File: conf/postfix-script.
+
+ Misc. documentation fixes by Victor Duchovni.
+
+ Documentation: the README files are now hyperlinked, and
+ are referenced in the on-line manual pages.
+
+ Bugfix: the pickup daemon now strokes the watchdog frequently
+ to prevent the watchdog from barking when mail arrives
+ faster than it can be picked up. File: pickup/pickup.c.
+
+20040123
+
+ Feature: set smtpd_reject_unlisted_{sender,recipient}=no
+ to turn off automatic rejection of non-existent local,
+ virtual or relay addresses. This way it can be made
+ conditional for local clients, always on for remote clients.
+ Files: global/mail_params.h, smtpd/smtpd.c, smtpd/smtpd_check.c.
+
+20040124
+
+ Feature: PREPEND in header/body_checks, for message tagging.
+ File: cleanup/cleanup_message.c.
+
+20040126
+
+ Safety: handle the case that main.cf is updated while it
+ is being read. File: util/dict.c.
+
+ Feature: "instance" attribute that links policy etc. queries
+ to the same message instance.
+
+ Cleanup: the mynetworks setting may now be empty. File:
+ global/mail_params.c.
+
+20040127
+
+ Bugfix: missing flush_init() call. Introduced 20040105.
+ File: postqueue/postqueue.c.
+
+20040128
+
+ Cleanup: clnt_stream derived classes now try to detect that
+ the server has disconnected before sending data and warning
+ about an error. File: global/clnt_stream.c.
+
+20040202
+
+ Bugfix: changed mis-leading warning about text>4096 characters
+ into "unexpected end-of-input". File: util/attr_scan0.c.
+
+20040201
+
+ Feature: sasl_method, sasl_username and sasl_sender attributes
+ in smtpd policy queries. Files: src/smtpd/smtpd_check.c.
+
+20040204
+
+ Safety: smtpd_soft_error_limit now determines when
+ $smtpd_error_sleep_time starts to take effect.
+
+ Cleanup: local(8) and virtual(8) will now create maildirs
+ in a world-writable directory. Files: util/make_dirs.c.
+
+ Bugfix: don't panic on a corrupt queue file. File:
+ *qmgr/qmgr_message.c.
+
+20040205
+
+ Cleanup: sample-filter.cf is gone. Better documentation is
+ available with "man header_checks".
+
+20040209
+
+ Bugfix: when delivery to smtpd_proxy_filter fails, report
+ "451 Queue file write error" instead of repeating the
+ previous "354 End data with <CR><LF>.<CR><LF>" response.
+ File: smtpd/smtpd.c.
+
+20040220
+
+ Compatibility: accept and ignore the sendmail -bh and -bH
+ mode of operation requests.
+
+20040302
+
+ Bugfix: SMTPD proxy didn't send QUIT as the result of code
+ duplication. Evidence reported by Mark Martinec. File:
+ smtpd/smtpd.c.
+
+20040311
+
+ Bugfix: bad address syntax was passed to transport map
+ lookups. Problem reported by Andrei Koulik. File:
+ util/match_ops.c, trivial-rewrite/resolve.c.
+
+20040324
+
+ Portability: ekkoBSD support by Philip Reynolds. Files:
+ makedefs, util/sys_defs.h.
+
+20040325
+
+ Cleanup: smtp_skip_4xx_greeting and smtp_skip_5xx_greeting
+ functionality is moved from connection management to SMTP
+ protocol processing, so that Postfix now logs the server
+ response when a server refuses to provide service. Files:
+ smtp/smtp_connect.c, smtp/smtp_proto.c.
+
+ Cleanup: smtp_skip_4xx_greeting is no longer configurable;
+ it is now permanently turned on.
+
+20040326
+
+ Workaround: in the trivial-rewrite server, turn on the code
+ to strip trailing "." while rewriting addresses, and change
+ the address resolver to strip trailing "." in a compatible
+ manner. This does not eliminate the problem that the SMTP
+ server may use a different address for recipient validation
+ than what the cleanup server uses for virtual alias mapping.
+
+20040329
+
+ Bugfix: the SMTP server did not log client (and SASL)
+ information with the real-time content filter was enabled.
+ Files: smtpd/smtpd.c, smtpd/smtpd_sasl_proto.c.
+
+ Compatibility: smtpd_reject_unlisted_sender is turned off
+ by default, to avoid trouble with with in-house software
+ that sends out mail software with an unreplyable address.
+
+20040331
+
+ Bugfix: postdrop should not abandon mail submission after
+ receiving a SIGHUP signal when SIGHUP was ignored by the
+ parent process. Victor Duchovni, Morgan Stanley. File:
+ postdrop/postdrop.c.
+
+ Bugfix: parsing bug in PgSQL dictionaries causing UNIX
+ sockets to be ignored. Liviu Daia. Files: global/dict*sql.c.
+
+ Performance: allow MySQL and PgSQL database connections to
+ be closed when idle for more than 1 minute; Liviu Daia.
+ Files: global/dict*sql.c.
+
+20040401
+
+ Sanity: the SMTP server no longer accepts sender or recipient
+ addresses that end in the "@" null domain, as well as
+ addresses that rewrite into such a form. Specify
+ "resolve_null_domain=yes" to get the old behavior back.
+ File: trivial-rewrite/resolve.c.
+
+20040402
+
+ Cleanup: added WARN action support for access maps, for
+ consistency with the WARN action in header and body checks.
+ File: smtpd/smtpd_check.c.
+
+20040407
+
+ Bugfix: missing return statement at the end of the
+ FREE_MEMORY_AND_RETURN error handling macro. Adi Prasaja.
+ File: trivial-rewrite/resolve.c.
+
+20040411
+
+ Future proofing: client_rate_time_unit is renamed to
+ anvil_rate_time_unit, so that it is no longer limited to
+ clients only. File: src/global/mail_params.h.
+
+ Cleanup: postalias and postmap now log problems to syslogd.
+ Files: postalias/postalias.c, postmap/postmap.c.
+
+20040413
+
+ Feature: "postfix set-permissions" (re)sets ownership and
+ access permissions of Postfix files and directories.
+
+ Feature: "postfix upgrade-configuration" updates main.cf
+ and master.cf. This is for people who people copy over
+ their old files after installing a newer Postfix version.
+
+ Feature: HTML files are now optionally installed under
+ control of the html_directory configuration parameter.
+ Files: postfix-install, conf/postfix-files, conf/post-install.
+
+ Cleanup: README file installation is now optional. Files:
+ postfix-install, conf/postfix-files, conf/post-install.
+
+20040414
+
+ Cleanup: references to sample-mumble.cf files removed,
+ conf/mumble_table files removed, new commands added to
+ conf/postfix-script.
+
+ Cleanups: function declared int but used as void, missing
+ include file, missing const qualifier, unused variable.
+ Matthias Andree. Files: bounce/bounce_notify_util.c,
+ bounce/bounce_service.h, postlog/postlog.c, smtpd/smtpd_check.c,
+ util/attr_scan64.c.
+
+ Bugfix: more robust version of SIGHUP test of 20040331.
+ Victor Duchovni, Morgan Stanley. File: postdrop/postdrop.c.
+
+ Safety: added NOCLOBBER qualifiers to local variables that
+ might be clobbered by longjmp(). Files: util/sys_defs.h,
+ smtp/smtp_proto.c, lmtp/lmtp_proto.c, smtpd/smtpd_check.c,
+ smtpstone/smtp-source.c.
+
+ Bugfix: sub-level Makefiles no longer turned on the extra
+ compiler warnings. Files: Makefile.in.*, makedefs.*.
+
+20040415
+
+ Bugfix: the LMTP client attempted to reuse a connection
+ after timeout, causing protocol synchronization errors.
+ Reported by Rob Mueller. File: lmtp/lmtp.c.
+
+20040416
+
+ Cleanup: non-delivery reports now include the original
+ recipient information. File: bounce/bounce_notify_util.c.
+
+20040415-18
+
+ Typos: many documentation fixes by Rob Foehl.
+
+20040418
+
+ Cleanup: "int" versus "const int" prototype mismatch between
+ the DICT sequence method prototype and possible implementations.
+ Files: util/dict_db.c, util/dict_dbm.c.
+
+20040419
+
+ Bugfix: the code that rejects client/helo RESTRICTIONS with
+ smtpd_delay_reject=no looked at the wrong evidence and
+ rejected client/helo ACCESS MAP lookups instead. Michael
+ Tokarev. Files: smtpd/smtpd.c, smtpd/smtpd_check.c.
+
+ Bugfix: missing # in master.cf in optional submission
+ service.
+
+20040420
+
+ Bugfix: smtpd logged the client too often. Michael Tokarev.
+ File: smtpd/smtpd.c.
+
+ Cleanup: client_event_status_update_time renamed to
+ anvil_status_update_time. Files: mantools/postlink,
+ proto/postconf.proto, anvil/anvil.c.
+
+20040421
+
+ Workaround: allow pipelined SMTP clients to overshoot the
+ SMTP server recipient limit without triggering the server
+ hard error limit. The SMTP server does not count "too many
+ recipients" towards the hard error limit, as long as the
+ number of excess recipients stays within a configurable
+ overshoot limit (default: smtpd_recipient_overshoot_limit
+ = 1000). Solution in cooperation with Victor Duchovni.
+ Files: smtpd/smtpd.c, smtpd/smtpd_state.c, smtpd/smtpd.h.
+
+20040502
+
+ Missing test for a never used flag (the problematic and
+ thus never completed INSPECT feature that doesn't re-inject
+ mail into Postfix). Victor Duchovni, Morgan Stanley. File:
+ virtual/virtual.c.
+
+20040503
+
+ Bugfix: missing "sasl enabled" guard in the SMTPD policy
+ client. File: smtpd/smtpd_check.c.
+
+20040606
+
+ Portability. UnixWare has strcasecmp() in strings.h. Patch
+ by Andreas Winkelmann. File: util/sys_defs.h.
+
+ Portability. The postlink script is transformed from sed(1)
+ to perl(1).
+
+20040608
+
+ Portability. Introduced SET_H_ERRNO() macro for compilation
+ environments where h_errno can't be used as an lvalue.
+ Files: util/sys_defs.h, dns/dns_lookup.c.
+
+ Portability. Eliminate assumption on bits per byte from
+ vbuf_print.c.
+
+20040614
+
+ Bugfix: the SMTP client did not reset per-session EHLO,
+ SASL, and history information when opening a connection to
+ an alternate SMTP server. This is the result of abstraction
+ no longer matching function. Reported and diagnosed by
+ Victor Duchovni, Morgan Stanley.
+
+ Bugfix: non-portable reuse of variadic argument lists.
+ Fix by Victor Duchovni, Morgan Stanley. Files: global/bounce.c,
+ global/defer.c, global/sent.c, global/trace.c, global/verify.c.
+
+ Portability: NetBSD 2.0 has changed from statfs to statvfs.
+ John Heasley. File: util/sys_defs.h.
+
+ Documentation: typo fixes by IKEDA Nozomu.
+
+20040616
+
+ Bugfix: one missed variadic argument list fix. Victor
+ Duchovni, Morgan Stanley. File: global/verify.c.
+
+ Bugfix: the resolver client cache should be context dependent
+ because address verification probes may use a different
+ route than normal mail deliveries. File: global/resolve_clnt.c.
+
+ Safety: added similar context dependence to the address
+ rewriting client in order to avoid trouble when Postfix is
+ changed. File: global/rewrite_clnt.c.
+
+ Bugfix: space in HELO commands could end up in XFORWARD
+ commands. File: smtpd/smtpd.c.
+
+20040619
+
+ Code reorganization: in preparation for SMTP session caching,
+ the SMTP client data structures were changed from the
+ original "one session per delivery request" model to an
+ explicit "multiple sessions per delivery request" model.
+ This uncovered ESMTP and SASL missing re-initialization
+ problems that were fixed in past week. Design by Victor
+ and Wietse, initial implementation by Victor Duchovni.
+
+20040620
+
+ Future proofing: after the reorganization of SMTP request
+ state and session state, added code to the smtp client
+ error handling routines to more consistently deal with the
+ possibility that session information is not available.
+
+20040621
+
+ Feature: directory=pathname option for the pipe(8) delivery
+ agent. This allows a command to run from a fixed directory.
+ Failure to change directory causes delivery to be deferred.
+ Files: pipe/pipe.c.
+
+ Feature: command_execution_directory for local(8) delivery
+ to external command. This supports the usual $home etc.
+ expansions, subject to filtering with the character set
+ specified with $execution_directory_expansion_filter.
+ Failure to change directory causes delivery to be deferred.
+ Files: global/mail_params.h, local/command.c.
+
+ Support for external command execution directory. Files:
+ global/pipe_command.[hc].
+
+20040622
+
+ Safety: when mail is delivered to a transport with per-delivery
+ recipient limit of 1, split the recipient address on the
+ recipient delimiter if one is defined, so that extended
+ addresses don't get extra delivery concurrency slots.
+ Files: *qmgr/qmgr_message.c.
+
+20040623
+
+ Workaround for fragile clients: add microsecond time to
+ maildir filename. Files: virtual/maildir.c, local/maildir.c.
+
+20040628-20040701
+
+ SMTP connection caching work with Victor Duchovni.
+
+ New module (later renamed to global/scache_single.c) for
+ protocol-independent session caching. The initial
+ implementation supports in-process, single-session caching
+ only. A later version will support a central session cache
+ daemon. Some more work is needed for passivation/activation
+ of session attributes.
+
+ New function vstream_fdclose() to destroy a VSTREAM while
+ leaving the underlying file(s) open. Files: util/vstream.[hc].
+
+ New function dns_rr_remove() to remove one record from a
+ resource record list. Some more work is needed to turn the
+ list into a doubly-linked one. Files: dns/dns.h, dns/dns_rr.c.
+
+ Restructuring of the SMTP protocol engine for session
+ caching. File: smtp/smtp_proto.c.
+
+ Restructuring of the connection management module, and
+ first implementation of SMTP connection caching. To enable,
+ specify an smtp_connection_cache_time value greater than
+ zero. The time unit is seconds. File: smtp/smtp_connect.c.
+
+ New code to passivate and re-activate SMTP_SESSION objects,
+ and isolation of session save/lookup in its own module.
+ Files: smtp/smtp_session.c, smtp/smtp_reuse.c.
+
+ Refinement: smtp_cache_reuse_limit parameter to bound the
+ number of times a session may be reused.
+
+ Refinements: when a session comes from the cache, give it
+ back to the cache anyway (even when it will not be listed
+ under the next-hop destination name).
+
+ Future refinements should also include a bound on the number
+ of consecutive and total non-delivering uses and other
+ statistics.
+
+20040714
+
+ Bugfix: the code to eliminate the local MTA from the MX
+ address list did not handle the case that inet_interfaces
+ produced a less preferred match than proxy_interfaces.
+ Victor Duchovni, Morgan Stanley. File: smtp/smtp_addr.c.
+
+20040715
+
+ Resume work on SMTP session caching. All good sessions
+ are now cached under their IP address. As before, only the
+ first good session per delivery request is cached under
+ the original next-hop destination.
+
+ At this point, SMTP session caching works, with a session
+ cache client module that uses in-process session caching.
+ This is sufficient to demonstrate that the SMTP client is
+ ready for session caching.
+
+20040716
+
+ New modules to send file descriptors from one process into
+ another one. This will be needed for implementing a central
+ connection cache manager daemon. Most systems use UNIX-domain
+ sockets as the transport for this. On Solaris we use streams
+ instead. Applications are supposed to invoke LOCAL_SEND_FD()
+ and LOCAL_RECV_FD(). Files: {unix,streams}_{send,recv}_fd.c.
+
+20040717
+
+ First implementation of a session caching client API that
+ actually sends to/receives from a caching server process.
+ The old in-process, single-session caching functionality
+ is preserved as global/scache_single.c, so that we can use
+ it for bootstrapping the session cache server. File:
+ global/scache_clnt.c.
+
+ First implementation of the scache session cache server,
+ using the same in-process session caching code that was
+ used to bootstrap the SMTP client. File: scache/scache.c.
+
+20040718
+
+ Performance: the default RSET timeouts are reduced from
+ 120s to 20s. Perhaps there should be different RSET timeout
+ for address probes and for session cache checks. File:
+ global/mail_params.h.
+
+20040719
+
+ Multi-session connection cache module. Implementing this
+ was actually the easiest part of the entire connection
+ caching project. File: global/scache_multi.c.
+
+20040720
+
+ Bugfix: event_drain() falsely reported a single-entry timer
+ queue as empty. File: util/events.c.
+
+ Completed the multi-session cache support for SMTP. The
+ code can be stress tested with a driver program that reads
+ commands from a script. It is not practical to manually
+ test the effects of collisions in the time or in name space
+ domains. File: global/scache.c.
+
+20040721
+
+ Feature: the session cache server now logs cache hit and
+ miss statistics every $session_cache_status_update_time
+ seconds (default: 600s), as well as upon process exit.
+ File: scache/scache.c.
+
+20040722
+
+ Workaround: LINUX 2.4 has trouble with mixed data and file
+ descriptor traffic on UNIX-domain stream sockets.
+ Specifically, it cannot handle data write (read) followed
+ by file descriptor send (receive): the receiver hangs in
+ recvmsg(). Workaround is to insert an intervening read
+ (write) operation. Presumably, LINUX 2.4 is confusing the
+ data and file descriptor. Lucky Ralf Hildebrandt. Files:
+ util/sys_defs.h, global/scache_clnt.c, scache/scache.c.
+
+20040723
+
+ Safety: spawn(8) now rejects a user with the -1 UID or GID
+ value, so that commands will not end up running as root.
+ Files: util/spawn_command.c, spawn/spawn.c.
+
+ User interface: parameter smtp_connection_cache_domains
+ renamed to smtp_connection_cache_destinations. Destinations
+ listed here must be specified without [] or :port. File:
+ smtp/smtp_connect.c.
+
+ Bugfix: "421 Timeout exceeded" wasn't guarded by setjmp().
+ Victor Duchovni, Morgan Stanley. File: smtpd/smtpd.c.
+
+20040729
+
+ Feature: enable SMTP session caching temporarily while a
+ postfix is able to schedule back-to-back deliveries.
+ Parameter: smtp_connection_cache_on_demand (default:
+ yes). Files: smtp/smtp_connect.c, *qmgr/qmgr_entry.c,
+ *qmgr/qmgr_queue.c, *qmgr/qmgr_deliver.c.
+
+ Feature: smtp-source -N option to generate unique recipient
+ addresses for (trivial-rewrite) stress testing. Victor
+ Duchovni, Morgan Stanley. File: smtpstone/smtp-source.c.
+
+20040730
+
+ Safety: disallow "opportunistic session caching" when the
+ queue manager is unable to schedule back-to-back deliveries.
+ File: *qmgr/qmgr_entry.c.
+
+20040731
+
+ Hysteresis: turn on "opportunistic session caching" when
+ back-to-back deliveries happen, but don't turn if off
+ until both concurrent and back-to-back delivery ends.
+
+20040801
+
+ Workaround: disable session caching for Linux < 2.2 (does
+ not work) or Glibc < 2 (does not compile). Files:
+ util/sys_defs.h, util/unix_{recv,send}_fd.c.
+
+ Portability: h_errno is not an lvalue in the UnixWare 7.1
+ multi-threaded environment. Olivier PRENANT.
+
+20040812
+
+ Bugfix: update SMTP server error counter when a client is
+ denied access with smtpd_delay_reject=no.
+
+20040816
+
+ Bugfix: The smtp_chat_cmd() forced output flushing code in
+ the SMTP client could run before an I/O error handler was
+ set up. Problem diagnosed by Victor Duchovni, Morgan
+ Stanley. The fix is to disable the smtp_chat_cmd() forced
+ output flushing code as it duplicates better code in
+ smtp_loop(). File: smtp/smtp_chat.c.
+
+ Safety: set up an I/O error handler before the smtp_loop()
+ protocol engine starts; this handler logs a warning in case
+ it ever runs, because that means someone broke ESMTP command
+ pipelining. File: smtp/smtp_proto.c.
+
+ Feature: canonical_classes parameter by Kimmo Suominen, to
+ control what addresses are rewritten by canonical_maps.
+ Files: cleanup/cleanup_addr.c, cleanup/cleanup_message.c.
+
+20040817
+
+ Bugfix: update the vstream I/O time AFTER the completion
+ of an I/O request, so that time-sensitive applications
+ don't force flush output too soon and possibly trigger
+ NAGLE delays. Problem diagnosed by Victor Duchovni, Morgan
+ Stanley. File: util/vstream.c.
+
+ Portability: avoid postmap/postalias test file name clashes
+ on Windows. Ian Lance Taylor (of Taylor UUCP fame).
+
+20040823
+
+ Bugfix: vstream_popen() did not close the child pipe
+ after failure to fork(). File: util/vstream_popen.c.
+
+20040826
+
+ Feature: support for systems with closefrom(), and emulation
+ for those without. Andrew Brown. Files: util/sys_defs.h,
+ util/sys_compat.c.
+
+20040827
+
+ Feature: {sender,recipient}_canonical_classes parameters,
+ which give better control than sender_canonical_classes.
+ Files: cleanup/cleanup_addr.c, cleanup/cleanup_message.c.
+
+ Feature: the proxymap client now recognizes when a map
+ can't be proxied, and will open it directly instead. This
+ makes proxy maps easier to use for virtual mailbox domains.
+ File: global/dict_proxy.c.
+
+ Feature: smtp_sasl_mechanism_filter restricts what remote
+ SMTP server mechanism names the Postfix SMTP client passes
+ on to the SASL library. Victor Duchovni, Morgan Stanley.
+ Files: smtp/smtp.c. smtp/smtp_sasl_glue.c, smtp/smtp_sasl_proto.c.
+
+20040828
+
+ User interface: when no recipients are specified, the
+ Postfix sendmail command now terminates with status EX_USAGE
+ instead of accepting the mail first and bouncing it later.
+ This gives more direct feedback in case of a common client
+ configuration error. File: sendmail/sendmail.c.
+
+20040829
+
+ Portability: Solaris closefrom() support didn't work for
+ non-SUN compilers. Victor Duchovni, Morgan Stanley.
+
+20040830
+
+ Feature: the scache(8) session cache manager now logs the
+ peak counts of destinations, endpoints and sessions. Files:
+ scache/scache.c, global/scache*c.
+
+20040831
+
+ Portability: disable session caching support on SCO 5
+ because of incompatible sockets API. File: util/sys_defs.h.
+
+20040913
+
+ Bugfix (introduced 20020803): sent the wrong bounce message
+ type when a Delivered-To: loop was detected for a mailing
+ list alias. Nicolas Riendeau. File: bounce_notify_util.c.
+
+20040918
+
+ Feature: authorized_flush_users, authorized_mailq_users,
+ authorized_submit_users to restrict what users can flush
+ the queue, list the queue, or submit mail locally. Based
+ on code by Victor Duchovni, Morgan Stanley. Files:
+ sendmail/sendmail.c, postdrop/postdrop.c, postqueue/postqueue.c,
+ global/user_acl.[hc].
+
+ Feature: discard(8) mail delivery agent. Victor Duchovni,
+ Morgan Stanley. File: discard/discard.c.
+
+20041002
+
+ Long overdue, a master(5) manual page based on an initial
+ version by Magnus Baeck.
+
+ By popular demand, a postfix-manuals.html web page with
+ totally useless links to UNIX-style manual pages (the same
+ information should already be available simply by typing
+ "apropos postfix"). To keep newbies from getting completely
+ lost due to information overload, the document starts with
+ a list of actually useful pointers to Postfix introductions,
+ duplicated from the already existing documents.html.
+
+20041006
+
+ Bugfix: "sendmail -bv" did not reject the -t option. File:
+ sendmail/sendmail.c.
+
+20041007
+
+ Feature: SASL authentication attributes are now stored in
+ queue files and passed on to delivery agents, by Leandro
+ Santi. Files: deliver_pass.c, deliver_request.c,
+ qmgr_deliver.c, qmgr_message.c, pipe.c, smtpd.c.
+
+20041009
+
+ Feature: per SMTP client message rate limit and recipient
+ rate limit, by Ragnar Lonn, GHN network technologies.
+ Files: smtpd/smtpd.c, anvil/anvil.c, global/anvil_clnt.[hc].
+
+ Incompatibility: smtpd_client_connection_limit_exceptions
+ renamed to smtpd_client_event_limit_exceptions, because it
+ now also controls message and recipient rate limit control.
+
+20041013
+
+ Portability: AIX 5.1/GCC.
+
+20041014-23
+
+ Postfix no longer appends the local domain to header
+ addresses from remote clients. Instead, Postfix either
+ does not rewrite those headers at all, or it appends the
+ domain specified with the new remote_header_rewrite_domain
+ parameter.
+
+ Postfix still appends $@myorigin or .$mydomain to headers
+ from the Postfix sendmail command, or from clients listed
+ with the new local_header_rewrite_clients parameter (default:
+ permit_mynetworks, permit_sasl_authenticated).
+
+ These changes affect the SMTP server (including XFORWARD
+ support), the cleanup server (do or don't rewrite headers),
+ the trivial-rewrite server (append local domain or surrogate
+ remote domain to incomplete addresses), the queue manager
+ (send additional attributes to delivery agents), the LMTP
+ and SMTP clients (XFORWARD support), and the local delivery
+ agent (preserve XFORWARD attributes when forwarding mail).
+
+20041016
+
+ Bugfix: attr_clnt_request() did not properly skip hash
+ table arguments. Luc Pardon, Skopos Consulting. File:
+ util/attr_clnt.c.
+
+20041018
+
+ The NIS+ module by Geoff Gibbs is now part of Postfix.
+ Files: util/dict_nisplus.c, proto/nisplus_table.
+
+20041019
+
+ Support for Errors-To: is permanently removed.
+
+20041022
+
+ Bugfix: "smtp_connection_cache_on_demand=no" could crash
+ the SMTP client. File: smtp/smtp_connect.c.
+
+ Robustness: extra sanity checks. Files: util/dict_db.c,
+ util/dict_dbm.c, dict_nis.c.
+
+20041025
+
+ Initial merge of Lutz Jaenicke's TLS patch. Initial rewrite
+ of tlsmgr to eliminate some code duplication and to postpone
+ calls into OpenSSL until after dropping privileges.
+
+20041030
+
+ Compatibility: "session cache" renamed to "connection cache"
+ to avoid confusion with the TLS session cache.
+
+20041102
+
+ Feature: smtpd_end_of_data_restrictions allow you to specify
+ restrictions at the end of the SMTP DATA command. The syntax
+ is identical to that of the smtpd_data_restrictions feature.
+ This introduces a new END-OF-DATA protocol state for the
+ external policy server. Files: proto/SMTPD_POLICY_README.html,
+ proto/SMTPD_ACCESS_README.html, smtpd/smtpd_check.c.
+
+20041111
+
+ Cleanup: terminate the dict_eval() result buffer for verbose
+ logging. Victor Duchovni, Morgan Stanley. File: util/dict.c.
+
+20041112
+
+ Cleanup: be more careful when saving and restoring resolver(3)
+ options to avoid problems with an HP-UX security patch
+ (change introduced 20031215). File: dns/dns_lookup.c.
+
+20041115
+
+ Bugfix: the test for "no debugger_command" was wrong.
+ Leandro Santi. File: global/debugger_command.c.
+
+20041117
+
+ Robustness: the master-child protocol now includes a process
+ generation number besides the child process ID. The process
+ generation number is incremented by one each time the master
+ creates a child process. Child-to-master status updates
+ with the wrong generation number are ignored, instead of
+ triggering a consistency error in the master server. Files:
+ master/*server.c, master/master_status.c, master/master_spawn.c.
+
+20041118
+
+ Bugfix: the "local_header_rewrite_clients" feature (20041023)
+ did not recognize "bare" lookup tables as documented. Victor
+ Duchovni, Morgan Stanley. File: smtpd/smtpd_check.c.
+
+ Bugfix: the "local_header_rewrite_clients" feature (20041023)
+ was broken because the local delivery agent passed on a
+ bogus attribute value when forwarding internally generated
+ mail, causing the mail to be rejected by the cleanup server.
+ File: local/dotforward.c.
+
+ Bugfix: the "local_header_rewrite_clients" feature (20041023)
+ was broken because the pickup server always overwrote origin
+ information. Files: pickup/pickup.c, cleanup/cleanup_state.c,
+ *qmgr/qmgr_message.c.
+
+ Workaround: enable the "can't write before sending a file
+ descriptor" workaround for Solaris. Problem reported by
+ Victor Duchovni for Solaris 2.5.1, but we play safe and
+ enable it unconditionally.
+
+20041120
+
+ The TLS support routines are moved to a "tls" directory,
+ and are published via the "libtls.a" object library.
+
+20041122
+
+ Infrastructure: support for binary attribute values
+ (ATTR_TYPE_DATA) in Postfix IPC messages. Files:
+ util/attr_scan*c, util/attr_print*c.
+
+20041123-20041205
+
+ TLS support: via a process of gradual transformation,
+ decomposed Lutz Jaenicke's pfixtls.c into separate modules
+ for clients, servers, certificate verification, session
+ caching, and PRNG management. Global variables were eliminated
+ so that the code now supports multiple client and/or server
+ contexts in the same process. Files: tls/*.[hc].
+
+20041205
+
+ TLS support: eliminated shared access (and locking) of the
+ TLS PRNG exchange file and TLS session caches. Instead,
+ Postfix uses a client-server protocol, and the tlsmgr
+ becomes the sole mediator. This eliminated the need for
+ 1000+ lines of SDBM support, and eliminated the need for
+ running a persistent tlsmgr process on systems don't enable
+ TLS in main.cf.
+
+20041124
+
+ Feature: configurable list of forbidden SMTP commands
+ (default: smtpd_forbidden_commands = CONNECT, GET, POST)
+ after which the Postfix SMTP server disconnects immediately.
+ The SMTP server always disconnects immediately when the
+ client sends a message header instead of an SMTP command.
+ Magnus Baeck. File: smtpd/smtpd.c.
+
+20041207
+
+ CDB support by Michael Tokarev, documentation by Victor
+ Duchovni. Files: util/dict_cdb.[hc], global/mkmap_cdb.c.
+
+20041209
+
+ Completed support for the Berkeley DB sequence operator.
+ This is needed for finding and deleting old entries in TLS
+ session databases. File: util/dict_db.c.
+
+ Bugfix: the DBM client's sequence operator used exclusive
+ locking instead of shared locking. File: util/dict_dbm.c.
+
+ Feature: dump an entire database with the new postmap/postalias
+ "-s" option. This works only for database types with Postfix
+ sequence operator support: hash, btree, dbm, and sdbm.
+ Files: postmap/postmap.c, postalias/postalias.c.
+
+20041212
+
+ Solaris 10/ix86 chroot setup script update by J.D. Bronson.
+
+ TLS support: cosmetic changes to comments and messages;
+ completed the code for the master -> tlsmgr trigger handshake,
+ so that the master no longer complains about trigger
+ responses timing out.
+
+20041213
+
+ Updated the SDBM dictionary interface. It had fallen behind
+ with the Postfix dictionary interfaces that were already
+ bundled with Postfix. Files: util/dict_sdbm.[hc].
+
+ Cleanup: "postconf -m" (show all available map types) now
+ produces sorted output. File: util/dict_open.c.
+
+20041215
+
+ No bugfix: tests with the new "postmap -s" feature show
+ that SDBM first/next operations never worked with Postfix/TLS
+ patch 20040829 (verified with the 20040829 dict_sdbm.c
+ module on Linux and FreeBSD). The code stops after finding
+ one database element. Other SDBM versions found on the
+ Internet will find all database entries, but report an I/O
+ error after the last database element is found. All this
+ would be easy enough to fix, but the SDBM library is not
+ part of Postfix, and never will be.
+
+ Bugfix: the sequence operator in the DBM and SDBM clients
+ released the shared lock after reading the next key but
+ before reading the corresponding value. This was never a
+ problem, because the sequence operator was used only in
+ the Postfix/TLS patch. This used the SDBM sequence operator
+ which didn't work as discussed above. Files: util/dict_dbm.c,
+ util/dict_sdbm.c.
+
+ Feature: the local(8) and pipe(8) delivery agents now make
+ the following attributes available upon delivery (with
+ local(8) names must be spelled in upper case): client_hostname,
+ client_address, client_protocol, client_helo, sasl_method,
+ sasl_sender, sasl_username. Files: local/command.c,
+ pipe/pipe.c, and lots of documentation.
+
+20041216
+
+ "postcat -o" now prints queue file record offsets; this is
+ useful for debugging. File: postcat/postcat.c.
+
+ NON-PRODUCTION Bugfix: (bug introduced while adopting the
+ Postfix/TLS patch): the new TLS certification call-back
+ routine expects that the peer hostname is in
+ tlscontext->peername_save, but the TLS server code never
+ updated this field. File: tls/tls_server.c.
+
+20041218
+
+ Feature: selective suppression of SMTP extensions (pipelining,
+ starttls, auth, etc.); this is useful to work around broken
+ clients or servers. Specify a list of EHLO keywords with
+ the smtp(d)_discard_ehlo_keywords parameters, or specify
+ one or more lookup tables, indexed by remote network address,
+ with the smtp(d)_discard_ehlo_keyword_address_maps parameters.
+ EHLO keyword lists are case insensitive. Files:
+ util/name_mask.[hc], global/ehlo_mask.[hc], smtpd/smtpd.c,
+ smtp/smtp.c, smtp/smtp_proto.c.
+
+20041219
+
+ Bugfix: postcat without -o was broken. File: postcat/postcat.c.
+
+20041220
+
+ NON-PRODUCTION Bugfix: (bug introduced while adopting
+ Postfix/TLS patch): don't call smtp_flush() after return
+ from vstream_setjmp(), we'll call you. File: smtpd/smtpd.c.
+
+ Dummy VSTREAM read-write routines. Files: util/dummy_read.c,
+ util/dummy_write.c.
+
+20041221
+
+ Fixes for TLS_README by Victor Duchovni. File:
+ proto/TLS_README.html.
+
+ NON-PRODUCTION Bugfix: (bug introduced while adopting
+ Postfix/TLS patch). The client code had become too similar
+ to the server implementation, and also required a host
+ certificate and key. Fix by Victor Duchovni. File:
+ tls/tls_client.c.
+
+20041221
+
+ Bugfix: further postcat corner cases.
+
+20041223
+
+ Cosmetic: don't log disconnect events as I/O errors.
+ File: tls/tls_bio_ops.c.
+
+20041221-9
+
+ Infrastructure: unified IPv4/IPv6 name/address API so that
+ Postfix can support IPv6 without #ifdef INET6 everywhere.
+ In particular, we allow #ifdef in libraries but avoid it
+ in applications. Files: util/myaddrinfo.[hc],
+ util/sock_addr.[hc], dns/dns_rr_to_pa.c, dns/dns_sa_to_rr.c,
+ dns/dns_rr_eq_sa.c, dns/dns_rr_to_sa.c, inet_proto.[hc].
+
+ Postfix no longer attempts to deliver mail via IPv6 when
+ the system has no IPv6 connectivity. Network protocol
+ support is now selected with the "inet_protocols" configuration
+ parameter, instead of "inet_interfaces". The "inet_protocols"
+ parameter also controls what DNS lookups Postfix will do.
+
+ Infrastructure: eliminated two host/port parsing routines.
+ Only one survives: host_port(), in an extended form that
+ allows for missing host or missing service information but
+ not both. File: util/host_port.c.
+
+20041229
+
+ Milestone: Postfix with the unified IPv4/IPv6 socket/name
+ API builds without compiler error on IPv4-only system and
+ actually works.
+
+20041228
+
+ Bugfix: SMTPD_PROXY_README incorrectly claimed that ":port"
+ in master.cf causes a server to listen only on "localhost"
+ without exposing the service to the network. Instead,
+ ":port" causes a client to connect to "localhost".
+
+20041231
+
+ Linux workaround: when mynetworks isn't set, a chrooted
+ process could not read the IPv6 address information from
+ /proc. We now invoke own_inet_addr() before chrooting,
+ while processing main.cf. File: global/mail_params.c.
+
+20050101
+
+ Workaround for (Linux) systems without IPV6_V6ONLY support
+ (RFC 3493). When Postfix listened on an IPv4 wild-card
+ smtp socket, the IPv6 wild-card smtp listener would fail
+ with EADDRINUSE (and vice versa). File: util/myaddrinfo.c.
+
+20050103
+
+ Safety: when the IPV6 netmask can't be determined, assume
+ /128 (host only). File: util/inet_addr_local.c.
+
+20050104
+
+ Re-implemented IPv6 support for net/mask pattern matching.
+ Files: util/cidr_match.[hc], util/dict_cidr.c,
+ util/match_ops.[hc], proto/cidr_table.
+
+20050105
+
+ Moved mask_addr() to its own module so that it could also
+ be called by mynetworks() and inet_addr_local() to remove
+ non-zero host bits from IPv6 network/mask patterns. File:
+ util/mask_addr.c.
+
+20050108
+
+ Re-implemented IPv6 support for network interface lookup
+ via the Linux /proc file system. File: util/inet_addr_local.c.
+
+20050111
+
+ Feature: specify "inet_interfaces = loopback-only" for
+ servers that must listen on local interfaces only, without
+ having to specify IPv4 and/or IPv6 addresses in main.cf or
+ master.cf. File: global/own_inet_addr.c.
+
+ Workaround: AIX 5.1 getaddrinfo() can't handle a null host
+ argument with AI_PASSIVE. Instead we specify an explicit
+ protocol family, a host of "::" or "0.0.0.0", and turn off
+ IPV6_V6ONLY. Files: util_myaddrinfo.c, util/inet_listen.c.
+
+ Workaround: AIX 5.1 getaddrinfo() can't handle a "0" service
+ argument. Instead we specify "1". Files: util/inet_addr_host.c.
+
+20050113
+
+ Cleanup: now that the over-all structure is proving itself,
+ clean up some internal APIs to increase robustness and get
+ rid of some clumsiness. Mainly, the getaddrinfo(3) interface.
+
+ Start-up performance: the hash_queue_names default setting
+ is reduced from eight directories to just defer and deferred.
+ This reduces time for checking the Postfix queue. Files:
+ conf/post-install, global/mail_params.h.
+
+20050114
+
+ Further cleanup: eliminate duplicate IPv6 results when the
+ mynetworks value is generated by Postfix. More documentation
+ of the new internal APIs.
+
+ Performance: reduced start-up delay by moving warning-only
+ startup checks into the background. File: conf/postfix-script.
+
+20050115
+
+ Further hardening of the IPv6 support: don't trust system
+ libraries to protect Postfix against malformed IPv6 address
+ literals. Their syntax is complex enough that errors are
+ likely. Files: global/resolve_local.c, util/valid_hostname.c.
+
+ Further cleanup: RFC 2821 requires the IPv6: prefix with
+ IPv6 address strings. The smtp and qmqp servers maintain
+ separate address instances, the bare address and the RFC
+ 2821 compatible form, and use each where appropriate. This
+ strict separation simplifies address syntax checks as well
+ as the implementation of XCLIENT and XFORWARD.
+
+20050116
+
+ Infrastructure: new valid_mailhost_addr() routine to verify
+ that an address literal satisfies RFC 2821. An IPv4 address
+ is in dotted-quad decimal form, and an IPv6 address is in
+ hexadecimal form, with the "IPv6:" prefix. Files:
+ global/valid_mailhost_addr.[hc].
+
+ Further cleanup: valid_hostname() no longer allows network
+ addresses or numerical domain names. While it made some
+ sense with IPv4 dotted quad decimal forms, with IPv6 it
+ just made no sense anymore. Again, being stricter actually
+ simplifies code. Files: util/valid_hostname.c and a
+ surprisingly small number of valid_hostname() callers that
+ did not reject numerical forms.
+
+ Bugfix: in the Postfix 2.2 SMTP client, the debug_peer_init()
+ call was moved to the after-chroot initialization.
+
+20050117
+
+ Performance: reduced start-up delay by moving warning-only
+ startup checks into the background; they now start after
+ one minute to allow the system to finish booting. File:
+ conf/postfix-script.
+
+ Milestone: first non-non-production snapshot with IPv6.
+
+20050119
+
+ Milestone: first non-non-production snapshot with TLS.
+
+20050124
+
+ Workaround: don't send mail to $fallback_relay if Postfix
+ is MX host for the next-hop destination. This is, however,
+ a partial solution. The documentation has been updated to
+ cover all the cases where a fallback_relay could interfere
+ with the operation of a backup or primary MX host. Files:
+ smtp/smtp_addr.c, smtp/smtp_connect.c.
+
+20050127
+
+ Configuration: Postfix daemons that need privileged operation
+ (such as local, pipe, or spawn) now log a fatal error when
+ they are configured in master.cf as unprivileged.
+
+20050130
+
+ Cleanup: simplified the handling of receive_override_options
+ settings. Files: pickup/pickup.c, smtpd/smtpd.c, qmqpd/qmqpd.c,
+ global/input_transp.c.
+
+ Feature: permit_inet_interfaces allows a request when the
+ client matches $inet_interfaces. This is used for generic
+ access restrictions and for header address rewriting control.
+ Files: global/mail_params.h, smtpd/smtpd_check.c.
+
+ Cleanup: by default, message header address rewriting is
+ now enabled only for mail that originates from the machine
+ itself. Files: global/mail_params.h, smtpd/smtpd_check.c.
+
+20050131
+
+ Bugfix: when extracting recipients from message headers,
+ the Postfix sendmail command produced output records longer
+ than $line_length_limit, causing postdrop to reject the
+ mail. Diagnosis by Victor Duchovni. File: sendmail/sendmail.c.
+
+20050202
+
+ Cleanup: explicit Makefile targets for "make package" and
+ "make non-interactive-package" to create ready-to-install
+ packages for distribution to other systems. Added extra
+ sanity checks to prevent attempts to overwrite your running
+ Postfix instance. Files: Makefile.in, proto/PACKAGE_README.
+
+ Cleanup: when bounce_queue_lifetime > maximal_queue_lifetime,
+ it is adjusted to maximal_queue_lifetime, and a warning is
+ logged. Files: *qmgr/qmgr.c.
+
+20050203
+
+ Cleanup: trivial-rewrite now restarts more timely after
+ changes in lookup tables. Of the all the alternatives
+ tested, the simplest one produces the most bang for the
+ buck. The other code is left in place for illustrative
+ purposes. File: trivial-rewrite/trivial-rewrite.c.
+
+ Cleanup: sendmail no longer ignores null command-line
+ recipients. File: sendmail/sendmail.c.
+
+ Cleanup: "postfix start" background checks moved back to
+ the foreground so they can be stopped more easily. File:
+ conf/postfix-script.
+
+20050204
+
+ Feature: REPLACE command in header/body_checks (implemented
+ as a combination of PREPEND and IGNORE) by Bastiaan Bakker.
+ File: cleanup/cleanup_message.c.
+
+ Cleanup: linted the manual pages for consistency in the
+ way manuals are referenced, and in the presentation of
+ command examples. Files: mantools/manlint, mantools/fixman,
+ mantools/postconf2man.
+
+20050205
+
+ Cleanup: updated the mass-deletion example in the postsuper
+ manual.
+
+20050206
+
+ Cleanup: don't count a [45]XX SMTP server greeting towards
+ the mx_session_limit setting. File: smtp/smtp_connect.c.
+
+ Feature: output address rewriting in the SMTP client. The
+ smtp_generic_maps parameter specifies an address mapping
+ that happens only when mail is delivered via SMTP. This is
+ typically used for hosts without a valid domain name, that
+ use something like localdomain.local instead. This feature
+ can replace local mail addresses by valid Internet mail
+ addresses when mail needs to go across the Internet, but
+ not when mail is sent between accounts on the local machine.
+ Files: smtp/smtp_proto.c, smtp/smtp_map11.c.
+
+ Cleanup: don't panic in mymalloc() when master can't find
+ any IP addresses. LaMont Jones. File: master/master_ent.c.
+
+20050207
+
+ Documentation: added a generic(5) manual page for consistency
+ with the already existing table driven mechanisms, added
+ references to or examples of the new generic mapping.
+
+ Bugfix: the header_checks REPLACE action mis-handled
+ multi-line replacement text in message headers, for example:
+ /(.*)/ REPLACE X-$1. File: cleanup/cleanup_message.c.
+
+ Bugfix: the header_checks REPLACE action should not drop
+ the input when the action is NOT executed. File:
+ cleanup/cleanup_message.c.
+
+ Bugfix? Cleanup? Documentation? main.cf now implements
+ ${name[?:]value} as promised in the postconf(5) manual.
+ Implemented by deleting the macro processor in dict_eval(),
+ and using the one in mac_expand() instead. File: util/dict.c.
+
+20050208
+
+ Feature: check_ccert_access maptype:mapname for access(5)
+ control, based on code by Victor Duchovni. File:
+ smtpd/smtpd_check.c and documentation.
+
+ Safety: don't allow unlimited message size with limited
+ mailbox size. File: local/local.c, virtual/virtual.c.
+
+ Feature: new smtpd policy attributes ccert_subject,
+ ccert_issuer and ccert_fingerprint, with TLS client
+ certificate information, but only when verification was
+ successful. Files: src/smtpd/smtpd_check.c.
+
+ Cleanup: corrected the address verification data flow in
+ the ADDRESS_VERIFICATION_README illustration.
+
+20050209
+
+ Cleanup: the smtp generic mapping did syntax check on the
+ input address instead of the result. These tests were not
+ going to be useful in any case, because mail_addr_map()
+ canonicalizes the lookup result, including @dom1->@dom2
+ mapping. File: smtp_map11.c.
+
+ Cleanup: made the generic mapping documentation consistent
+ with the implementation.
+
+ Cleanup: documented the myorigin/mydomain address rewriting
+ in canonical, generic and virtual alias maps.
+
+ Feature: updated LDAP and *SQL query interfaces using a
+ common infrastructure so that all have the same feature set
+ where possible. Victor Duchovni and many others. This code
+ was tested separately and was merged into the main stream
+ 20050308. Files: global/db_common.[hc], global/dict_ldap.c,
+ global/dict_mysql.c, global/dict_pgsql.c, plus documentation.
+
+20050210
+
+ Bugfix: spurious fallback_relay warnings after 20050202.
+ Victor Duchovni. File: smtp/smtp_connect.c.
+
+ Bugfix: (introduced while adopting Postfix/TLS patch) the
+ TLS cache scan stopped after expiring one entry. Victor
+ Duchovni. File: tls/tls_scache.c.
+
+ Safety: delete-behind when removing expired entries from
+ TLS session caches. With some maps the enumeration method
+ mis-behaves when the current entry is deleted. File:
+ tls/tls_scache.c.
+
+20050211
+
+ Cleanup: the "generics" feature (output address rewriting)
+ is renamed to "generic", for consistency with "canonical"
+ and "virtual".
+
+20050212
+
+ Cleanup: remove old trace(8) logfile before attempting
+ delivery (and after locking the message file exclusively).
+ Files: *qmgr/qmgr_message.c.
+
+ Cleanup: don't parse-then-regenerate message headers when
+ no address is changed by address rewriting operations. This
+ behavior was copied from the SMTP client's generic mapping
+ code. Files: cleanup/cleanup_rewrite.c, cleanup/cleanup_map11.c,
+ cleanup/cleanup_masquerade.c, cleanup/cleanup_message.c..
+
+20050215
+
+ Bugfix: don't chmod queue files while running "postfix
+ set-permissions". This prevents mail from being labeled as
+ "corrupt" when a live Postfix system is upgraded. Found
+ by Victor Duchovni. File: conf/post-install.
+
+20050216
+
+ Feature: in smtpd?_discard_ehlo_keyword(s|_address_maps)
+ specify the pseudo keyword "silent-discard" in order to
+ avoid logging that some EHLO keyword is being suppressed.
+ File: global/ehlo_mask.[hc].
+
+20050217
+
+ Bugfix: typo in tls_server.c, breaking CApath. Fix by
+ Philipp Morger. File: tls/tls_server.c.
+
+20050227
+
+ Bugfix (bug introduced 20040331): with SIGHUP ignored, the
+ postdrop signal handler would effectively ignore SIGINT,
+ SIGQUIT and SIGTERM. Simplified the overly-conservative
+ protection against nested signals in postdrop, and added
+ some future proofing comments. File: postdrop/postdrop.c
+
+ Cleanup: when address rewriting is enabled, don't change
+ the capitalization of header labels, i.e. don't replace
+ FROM: or CC: by From: or Cc:. Files: cleanup/cleanup_message.c,
+ smtp/smtp_proto.c.
+
+20050228
+
+ Cleanup/portability: missing #includes and bad prototypes.
+ Matthias Andree, Carsten Hoeger, and others.
+
+20050302
+
+ Workaround: make TLS session caching work with perverse
+ sites that have multiple servers per hostname or even
+ multiple servers per IP address, but no shared TLS session
+ cache. The SMTP client TLS session cache is now indexed by
+ (server hostname, server address, server port, server helo
+ hostname). After an idea by Victor Duchovni. Files:
+ smtp/smtp_proto.c, tls/tls_client.c.
+
+20050303
+
+ Bugfix (bug inherited from Postfix/TLS patch): a rare 9kbyte
+ memory leak when in-memory TLS session information expires;
+ found by setting the expiry time shorter than the time to
+ deliver one or two messages with a very slow machine. This
+ was due to a missing SSL_SESSION_free() call in the "new
+ session" call-back routines. Found by Victor Duchovni.
+ Files: tls/tls_client.c, tls/tls_server.c.
+
+ Workaround: OpenSSL is overly agressive when purging a
+ not-yet expired entry from a full in-memory cache: it also
+ purges the entry from the on-disk server session cache.
+ Workaround is to let only the tlsmgr purge entries from the
+ on-disk server session cache. Found by Victor Duchovni.
+ File: tls/tls_server.c.
+
+20050304
+
+ Postfix releases are now signed with Wietse's new PGP key.
+ The old key was getting a bit short for today's standards.
+ The new public key can be found on the Postfix download
+ webpage. As proof of authenticity the new PGP key is signed
+ with Wietse's old PGP key.
+
+ Cleanup: check_mumble_{ns,mx}_access no longer attempt to
+ do MX or NS lookups for address literals. An address literal
+ is treated as its own MX host; there is no meaningful
+ equivalent for NS access control. File: smtpd/smtpd_check.c.
+
+20050310
+
+ Bugfix: the AIX and SUN compilers rightfully complained
+ about non-portable code in the "new" LDAP/SQL client. File:
+ global/db_common.c.
+
+ Workaround: some systems no longer recognize "tail +2" as
+ valid command syntax. Instead they require "improved" syntax
+ that is not valid on several other systems that Postfix
+ builds on. So we have to stop using the tail command.
+ Files: Makefile.in, src/*/Makefile.in.
+
+20050312
+
+ Bugfix: the TLS session cache cleaning code didn't always
+ delete the right entry. Problem found by Victor Duchovni,
+ more problems found by Wietse. File: tls/tls_scache.c.
+
+20050314
+
+ Portability: Berkeley DB changed API from version 2.5 to
+ 2.6. Rob Foehl. File: util/dict_db.c.
+
+20050315
+
+ Bugfix: when <unistd.h> is included, read is a reserved
+ identifier. File: smtpstone/smtp-source.c.
+
+20050321-27
+
+ Support for RFC 3463 enhanced status codes. See also the
+ ENHANCED_STATUS_README (a hacker's guide) for background.
+
+ New module to pass around (status code + text) instead of
+ just text. File: Files: global/dsn_util.c.
+
+ Status-related lookup tables now have an extra column for
+ enhanced status codes. Files: global/sys_exits.c,
+ global/cleanup_strerror.c.
+
+ Cleanup: centralized mapping of errno values to delivery
+ status codes after failed delivery to mailbox, maildir, or
+ file. Error codes EAGAIN, and ESTALE are 4.2.0 temporary
+ errors; ENOSPC is a 4.3.0 temporary error; and EDQUOT and
+ EFBIG are 5.2.2 hard errors. For backwards compatibility,
+ the result of other errors depends on the delivery agent:
+ with local(8) everything else is a 5.2.0 hard error, and
+ with virtual(8) everything else is soft 4.2.0 error. File:
+ global/mbox_open.c.
+
+20050324
+
+ Workaround: gcc -W (version 3.4.2 [FreeBSD] 20040728) no
+ longer warns about missing return statements. What a time
+ waste.
+
+ Workaround: gcc -E (version 3.4.2 [FreeBSD] 20040728) output
+ has changed, causing too much "make depend" output.
+
+20050325
+
+ Bugfix: when bouncing mail that was submitted with Postfix
+ sendmail, the cleanup daemon ignored the reason specified
+ in header/body_checks, and always produced a generic reason.
+ File: cleanup/cleanup_api.c.
+
+ Workaround: don't announce pipelining support when the
+ smtp-sink test program is configured to fail specific
+ commands with -r or -f (the fix is to build a proper SMTP
+ state engine into the smtp-sink test program). File:
+ smtpstone/smtp-sink.c.
+
+20050326
+
+ Update: more PCRE error codes. File: util/dict_pcre.c.
+
+20050327
+
+ Bugfix: the SMTP and LMTP clients did not ask the queue
+ manager to reduce destination concurrency when "lost
+ connection" or "connection timed out" happened AFTER Postfix
+ received the server greeting. Files: smtp/smtp_trouble.c,
+ lmtp/lmtp-trouble.c.
+
+ Workaround: FreeBSD has incompatibly changed the output
+ format from "od", breaking regression test portability.
+
+ The TLS client session cache ID is now derived from the
+ server IP address, TCP Port, and server HELO hostname
+ if available. File: smtp/smtp_proto.c.
+
+20050328
+
+ Cleanup: the REPLACE action is no longer implemented as
+ PREPEND+IGNORE. The result remains in the input stream,
+ and is subject to address rewriting and other processing
+ where applicable. File: cleanup/cleanup_message.c.
+
+ Feature: the TLS server name verification status is moved
+ out of the TLS session cache. This not only simplifies the
+ client-side TLS cache implementation, but also provides
+ better cache support for clients that connect to multiple
+ independent MTAs under the same DNS hostname or IP address,
+ provided that each MTA replies with a unique name in the
+ EHLO response. Patch by Victor Duchovni. Files: tlsmgr/tlsmgr.c,
+ tls/tls_verify.c, tls/tls_session.c, tls/tls_server.c,
+ tls/tls_scache.h, tls/tls_scache.c, tls/tls_misc.c,
+ tls/tls_mgr.h, tls/tls_mgr.c, tls/tls_client.c, tls/tls.h,
+ smtp/smtp_proto.c.
+
+20050330
+
+ Bugfix: in some compilation environments the SMTP and LMTP
+ clients could ignore enhanced status codes in server replies.
+ Bug introduced 20050329 while polishing working code. Files:
+ smtp/smtp_chat.c, lmtp/lmtp_chat.c.
+
+ Feature: add enhanced status code support to the smtp-sink
+ test program. File: smtpstone/smtp-sink.c.
+
+20050331
+
+ Workarounds for ancient gcc compilers that can't handle
+ valid C. Bugs reported by Victor Duchovni. Files:
+ util/sys_defs.h, global/dsn_util.h, tls/tls_client.c.
+
+ Bugfix: when delivery to command failed, command output was
+ not reported. Fix was to enable format checks for the new
+ dsn_vstring_update() module. File: global/dsn_util.h,
+ global/pipe_command.c.
+
+20050401
+
+ Cleanup: ignore incorrect enhanced status codes (such as
+ 5xx reply followed by a 4.x.x status), and don't look for
+ enhanced status codes unless the server replies with a
+ [245]XX reply. Files: smtp/smtp_chat.c, lmtp/lmtp_chat.c.
+
+20050402
+
+ Feature: enhanced status code support for errors found by
+ the MIME processor. Files: global/mime_state.c,
+ cleanup/cleanup_message.c, smtp/smtp_proto.c.
+
+ Cleanup: updated error messages about MIME processing errors
+ in the SMTP client. These errors are no longer specific to
+ 8bit->7bit conversion; they can also happen with generic
+ address mapping. File: smtp/smtp_proto.c.
+
+ Safety: SASL 2.1.19 has a version lookup routine that we
+ can use to detect compile time / run time version mis-matches
+ (also known as DLL hell). Files: src/smtpd/smtpd_sasl_glue.c,
+ src/smtp/smtp_sasl_glue.c, src/lmtp/lmtp_sasl_glue.c.
+
+20050404
+
+ Typo: missing comma after dsn=x.yy.zz logging. File:
+ global/log_adhoc.c.
+
+ Feature: specify "smtpd_sasl_authenticated_header = yes"
+ to report the SASL login name in the Received: message
+ header, so that the login name is shared with the whole
+ world. Based on code by Branko F. Gracnar. Files:
+ smtpd/smtpd.c, and documentation.
+
+20050407
+
+ @%^!#& Thanks to inadequate SASL documentation the client
+ could negotiate a security layer where none was desired.
+ Better documentation has become available since Postfix
+ SASL support was implemented, and now Postfix needs to be
+ fixed. Files: */*_sasl_glue.c.
+
+20050409
+
+ Safety: the CDB map now logs a warning when the source file
+ is newer than the indexed file, just like the Berkeley DB
+ and DBM maps. Michael Tokarev. File: util/dict_cdb.c.
+
+20040411
+
+ Portability: put the SASL DLL Hell guard after the declarations
+ instead of before. Reported by Marcus Grando. Files:
+ smtp/smtp_sasl_glue.c, lmtp/lmtp_sasl_glue.c.
+
+20050412
+
+ Infrastructure: change the disposition or other properties
+ of an embryonic queue file. This is currently used only to
+ place mail on hold. After code by Victor Duchovni. Files:
+ global/mail_stream.[hc], cleanup/cleanup_api.c.
+
+ Bugfix: while updating the cleanup_flush() infrastructure
+ eliminated a portability problem that was introduced when
+ "REJECT text" support was added. File: cleanup/cleanup.c.
+
+20050413
+
+ Portability: don't mix socket message send/receive calls
+ with socket stream read/write calls. The fact that you can
+ get away with it only on some stacks implies that there is
+ no long-term guarantee. Specify -DCAN_WRITE_BEFORE_SENDING_FD
+ if you feel brave. File: util/sys_defs.h.
+
+ Robustness: re-compile all object files after the "make
+ makefiles" options have changed. Files: src/*/Makefile.in.
+
+ Tweaking: reply with 5.3.4 when the message size exceeds
+ the mail system message_size_limit, instead of 5.2.3 which
+ is a mailbox specific status. File: smtpd/smtpd_check.c.
+
+20050417
+
+ Safety: don't call syslog from a user-triggered signal
+ handler. File: postdrop/postdrop.c.
+
+20050421
+
+ Bugfix: don't panic when the fall-back relay can't be used
+ because the local MTA is MX for the destination. File:
+ smtp/smtp_connect.c.
+
+20050422
+
+ Bugfix: don't panic when the fall-back relay can't be used
+ because it was already tried via a cached session. Produce
+ a default excuse instead. File: smtp/smtp_connect.c.
+
+ Bugfix: postsuper could lose an error message after reporting
+ a fatal error. File: postsuper/postsuper.c.
+
+20050426
+
+ Bugfix: simplified and improved the 20050422 fall-back relay
+ fix. File: smtp/smtp_connect.c.
+
+20050427
+
+ Final solution for the 20050422 fall-back relay problem:
+ truncate the fall-back host list when the local MTA is MX
+ for some destination. Files: util/argv.c, smtp/smtp_connect.c.
+
+ Cleanup: extra dsn_vstring_update_dsn() routine to shut up
+ GCC complaints about valid code. Files: src/global/dsn_util.c,
+ src/global/mbox_open.c, src/lmtp/lmtp_addr.c, src/smtp/smtp_addr.c,
+ src/smtp/smtp_connect.c.
+
+20050429
+
+ The Postfix SMTP server now announces ENHANCEDSTATUSCODES
+ support in the EHLO response, as described in RFC 2034.
+ File: smtpd/smtpd.c.
+
+20050503
+
+ Propagate enhanced status code from error(8) mailer to SMTP
+ server replies. File: smtpd/smtpd_check.c.
+
+ Cleanup: more consistent format of smtpd warning logging,
+ so that it is easier to sort. Files: smtpd/smtpd.c,
+ smtpd/smtpd_check.c.
+
+20050504
+
+ Yikes. People are exposing the smtp-sink test program to
+ hostile environments, while it was designed for controlled
+ environments. Completed the support for write timeouts,
+ added support for read timeouts, and added a missing exception
+ handler for the 220 server greeting. File: smtpstone/smtp-sink.c.
+
+20050506
+
+ Cleanup: with "REJECT 4.X.Y ..." actions in header/body_checks,
+ change the SMTP server reply code from 550 into 450, instead
+ of having the SMTP server change the DSN into 5.X.Y. File:
+ smtpd/smtpd.c.
+
+20050510
+
+ Usability: when reporting a sender address problem, transform
+ a recipient DSN status (e.g., 4.1.1-4.1.6) into the
+ corresponding sender DSN status, and vice versa; and when
+ reporting a non-address problem, transform a sender or
+ recipient DSN status into a generic non-address DSN status
+ (e.g., 4.0.0). This transformation may be needed when the
+ same access table or RBL reply template are used for client,
+ helo, sender, or recipient restrictions; or when the same
+ error mailer information is used for senders or recipients.
+ Files: smtpd/smtpd_check.c, smtpd/smtpd_dsn_fix.[hc].
+
+20050512
+
+ Feature: support for more SASL logging call-backs, if these
+ are defined in the compile-time environment. Files:
+ smtpd/smtpd_sasl_glue.c, smtp/smtp_sasl_glue.c.
+
+20050513
+
+ Workaround: Postfix now uses "localdomain" as the default
+ domain name when $myhostname is not in "host.domain" form.
+ Files: global/mail_params.[hc].
+
+---------
+
+20050415-20050615
+
+ As of 20050525, DSN support does not involve new queue file
+ record types, so you can switch back to older Postfix
+ versions. Older non-production releases did introduce queue
+ file incompatibility.
+
+ DSN support is selected via the SMTP port by extra parameters
+ to the MAIL FROM and RCPT TO commands, and with the Postfix
+ sendmail command with new command-line options: -N (specify
+ notification options such as "never", "success", "delay"
+ or "failure") and -V (specify an envelope ID that identifies
+ the mail submission transaction). VERP support now uses
+ -XV instead of -V.
+
+ The implementation piggy-backs on the trace(8) service that
+ was already used for "sendmail -v" (verbose delivery) and
+ for "sendmail -bv" (what-if) reports. You can no longer
+ requests these functions together with DSN support.
+
+ All this means revision of bounce/defer/trace client
+ interfaces, of the bounce service, the record reading loops
+ in postdrop, cleanup(8) and qmgr(8), the queue manager to
+ delivery agent protocol, and some extra SMTP protocol
+ parameters in smtpd(8), lmtp(8) and smtp(8).
+
+ New code module: global/dsn_smtp.[hc] for RFC 3461 related
+ information (but this may still change).
+
+ Feature: "sendmail -G" is no longer a no-op. Message headers
+ are treated as if the message has a remote origin. Files:
+ sendmail/sendmail.c, postdrop/postdrop.c.
+
+ Feature: automatic BCC senders are now created as if they
+ were received with NOTIFY=NEVER, in case it helps. File:
+ cleanup/cleanup_addr.c
+
+ Compatibility: with large bounces, send message headers
+ only, instead of truncating MIME messages in the middle.
+
+20050517
+
+ Bugfix: in a DSN report, the original recipient should not
+ be xtext encoded. File: bounce/bounce_notify_util.c.
+
+20050523
+
+ Bugfix: mymalloc() panic with mistyped server host list.
+ File: global/dict_pgsql.c.
+
+20050525
+
+ Feature: specify delay_warning_time=1 to get immediate
+ notification of delay. File: qmgr/qmgr_active.c.
+
+20050526
+
+ Reset the Postfix original recipient when delivering to
+ mailing list.
+
+20050601
+
+ Modified the master backgrounding procedure to not abort
+ when the master is already a process group leader. This
+ happens when people bypass or modify the official Postfix
+ start-up procedure. Jacek Konieczny. File: master/master.c.
+
+20050602
+
+ Sanity check: don't report "address in use" when some Postfix
+ socket is a directory. File: util/unix_listen.c.
+
+20050613
+
+ Now that the over-all structure of the code is proving
+ itself, interfaces can be cleaned up. This means nicer names
+ for variables, functions and data structures, and dedicated
+ read/write routines for recipient and DSN information.
+ These remove a lot of clutter from the bounce client and
+ server code. Files: dsn_print.c dsb_scan.c, rcpt_print.c,
+ rcpt_buf.c.
+
+ For Sendmail compatibility, the Postfix sendmail -V option
+ no longer controls VERP usage, but is used to specify the
+ DSN envelope ID. In order to provide a smooth transition,
+ backwards compatibility code recognizes when -V is being
+ used for VERP control. It will do the right thing, and
+ warns the user to use -XV instead. File: sendmail/sendmail.c.
+
+20050614
+
+ The cleanup server writes bounce (delivery failure) and
+ trace (success) records, but it no longer requests sender
+ notification. That is now handled by the queue manager.
+ The reason is that the cleanup server must be able to abort
+ a request including its bounce and trace logfiles, so it
+ must not take actions that can't be undone.
+
+20050615
+
+ Cleanup: the SMTP client now sends QUIT when the initial
+ HELO handshake fails. it still doesn't send QUIT when the
+ server greets with a [45]XX code, as that is handled in the
+ connection management code before a session context exists.
+ File: smtp/smtp_connect.c.
+
+ Cleanup: made the quote_821_local() routine "const" clean.
+ File: global/quote_821_local.[hc].
+
+20050616
+
+ Bugfix: missing or mis-placed va_end() macros, found in
+ Postfix 2.3 code review. Files: util/netstring.c,
+ util/myaddrinfo.c, util/attr_clnt.c, util/vstream.c.
+
+ Bugfix: the SMTP server now separates the message size check
+ from the queue space check, so that the size check can be
+ done before an SMTPD proxy filter. Files: smtpd/smtpd.c,
+ smtpd/smtpd_check.c.
+
+20050617
+
+ Postdrop didn't recognize the new recipient attributes.
+ File: postdrop/postdrop.c.
+
+ Feature: configurable MAILER-DAEMON replacement for the
+ null sender address that is used by the pipe(8) delivery
+ agent on the command line and in message headers. Command-line
+ address quoting is disabled when the replacement is empty.
+ File: pipe/pipe.c.
+
+20050618
+
+ With virtual aliasing enabled, Postfix would always report
+ successful alias expansion, even when no alias was expanded.
+ File: cleanup/cleanup_out_recipient.c.
+
+20050621
+
+ Portability: file descriptor passing is available for Tru64
+ UNIX, but not for AIX4 and IRIX6. Albert Chin. File:
+ util/sys_defs.h.
+
+20050622
+
+ Cleanup: the DNS lookup code now accommodates name server
+ replies longer than 4 kbytes, with a hard upper limit of
+ 32kbytes. For safety reasons, the number of MX host addresses
+ that the SMTP client will try was reduced from unlimited
+ to just 5, so that Postfix won't spend forever trying to
+ connect to dozens and dozens of bogus MX hosts. Files:
+ dns/dns_lookup.c, global/mail_params.h.
+
+ Cleanup: the code that handles a 4xx or 5xx SMTP server
+ greeting was moved from the connection management module
+ to the protocol engine, for cleaner error handling. This
+ means that the failed session now counts towards the limit
+ on the total number of SMTP sessions per domain name (default:
+ smtp_mx_session_limit = 2). Files: smtp/smtp_connect.c,
+ smtp/smtp_proto.c.
+
+20050623
+
+ Cleanup: generalized the delegated attribute scan/print
+ interfaces, and updated the deliver_pass module with delegated
+ attribute scan/print support. Files: util/attr_scan0.c,
+ util/attr_print0.c, global/dsb_scan.c, global/dsn_print.c,
+ global/rcpt_buf,c global/rcpt_print.c, global/deliver_pass.c.
+
+ Added delegated attribute scan/print function support to
+ the base64 and plain attribute I/O encodings. Files:
+ util/attr_scan_plain.c util/attr_print_plain.c.
+
+20050624
+
+ Added "." to the list commands that smtp-sink can "break"
+ (by disconnecting, or by responding with a 4XX or 5XX reply
+ code). File: smtpstone/smtp-sink.c.
+
+20050625
+
+ Safety: allow only 4.x.x and 5.x.x enhanced status codes
+ in header/body_checks REJECT actions. File:
+ cleanup/cleanup_message.c.
+
+20050627
+
+ Code cleanup: generalized the smtp-sink code that simulates
+ server errors. File: smtpstone/smtp-sink.c.
+
+20050629
+
+ Code cleanup: the smtp_mx_session_limit setting (per delivery
+ request session count limit) now ignores sessions that fail
+ to complete the TCP, SMTP, EHLO or TLS handshake (was: TCP
+ and SMTP). File: smtp/smtp_proto.c.
+
+20050630
+
+ Updated the example spf.pl script to version 1.06.
+
+ Portability: the file descriptor passing code broke on LP64
+ systems (inherited from Stevens Network Programming). Files:
+ util/unix_send_fd.c, util/unix_recv_fd.c.
+
+20050706
+
+ Robustness: the SMTP client now disables connection caching
+ when it is unable to communicate with the scache(8) server,
+ instead of looping forever. File: global/scache_clnt.c.
+
+ Portability: after sending a socket, the scache(8) server
+ now waits for an ACK from the connection cache client before
+ closing the socket that it just sent. Files: scache/scache.c,
+ global/scache_clnt.c.
+
+20050708
+
+ Bugfix: missing returns in 20050706 caching disabling code
+ (in error handling code that never executes). File:
+ global/scache_clnt.c.
+
+ Portability: use explicitly unsigned operands when doing
+ bit-wise shift operations on data larger than a character.
+
+20050709-15
+
+ Migration of data object sizes and offsets from int->ssize_t
+ and unsigned->size_t for better portability to LP64 and
+ LLP64 systems where *size_t is 64 bits wide. This change
+ has no effect on 32-bit systems.
+
+ This change not only eliminated some obscure portability
+ bugs (see two paragraphs down), it also eliminated many
+ unnecessary conversions back and forth between 32-bit and
+ 64-bit integers, because all relevant system library functions
+ take *size_t arguments or return *size_t results.
+
+ Simply changing every data object size or offset to size_t
+ (which is unsigned!) would be dangerous. A lot of code was
+ written assuming signed arithmetic and rejects negative
+ lengths, which can happen as the result of integer overflow.
+
+ Portability: on LP64 systems, integer expressions are int,
+ but sizeof() and pointer difference expressions are larger.
+ The above changes fixed a few discrepancies with function
+ calls where *size_t was passed while the old code expected
+ an int: clean_env() versus argv_addn(), and code that sent
+ binary blobs via the TLS session cache manager protocol.
+
+20050711
+
+ Bugfix: don't include <> when auto-generating an ORCPT
+ address from a client RCPT TO command. File: smtpd.c.
+
+20050712
+
+ Cleanup: cleanup_out_recipient() still generated DSN records
+ that were incompatible with pre-DSN Postfix versions. File:
+ cleanup/cleanup_out_recipient.c.
+
+20050716
+
+ Bugfix: the smtpd_sasl_authenticated_header code did not
+ check if SASL was actually enabled. File: smtpd/smtpd.c.
+
+20050720
+
+ Feature: reverse client hostname. This is set at connection
+ time with information from the SMTP client address->name
+ mapping, and can be overruled with the REVERSE_NAME attribute
+ in the XCLIENT command. File: smtpd/smtpd_peer.c.
+
+ Cleanup: renaming of several confusing restriction names:
+ reject_unknown_client -> reject_unknown_client_hostname,
+ reject_unknown_hostname -> reject_unknown_helo_hostname,
+ reject_invalid_hostname -> reject_invalid_helo_hostname,
+ and reject_non_fqdn_hostname -> reject_non_fqdn_helo_hostname.
+ The old names are still recognized and documented. Files:
+ global/mail_params.h, smtpd/smtpd.c, smtpd/smtpd_check.c.
+
+ Feature: reject_unknown_reverse_client_hostname. This rejects
+ clients that have no address to name mapping (unlike the
+ reject_unknown_client_hostname feature which requires that
+ the address->name and name->address mappings resolve to the
+ client IP address). Files: global/mail_params.h,
+ smtpd/smtpd_peer.c, smtpd/smtpd.c, smtpd/smtpd_check.c.
+
+20050726
+
+ Horror: total rewrite of DNS client error handling because
+ some misguided proposal attempts to give special meaning
+ to some syntactically invalid MX hostname lookup result.
+ Not only that, people expect sensible results with
+ reject_unknown_sender_domain etc. Files: dns/dns_lookup.c,
+ smtp/smtp_addr.c smtpd/smtpd_check.c, lmtp/lmtp_addr.c.
+
+ Cleanup: HOLD action executes only once, to reduce noise
+ in the logfile. Files: cleanup/cleanup_message.c, smtpd/smtpd.c.
+
+20050806
+
+ Workaround: accept(2) fails with EPROTO when the client
+ already disconnected (SunOS 5.5.1). File: sane_accept.c.
+
+20050815
+
+ Workaround: old Solaris compilers can't link an archive
+ without globally visible symbols. File: tls/tls_misc.c.
+
+20050825
+
+ Feature: message_reject_characters and message_strip_characters
+ specify what characters in message content Postfix will
+ reject or remove. Based on patch by John Fawcett. Files:
+ cleanup/cleanup_message.c, cleanup/cleanup_init.c.
+
+ Safety: when the cleanup server rejects the content of mail
+ that is submitted with the Postfix sendmail command, or
+ re-queued with "postsuper -r", strip the message body from
+ the bounce message to reduce the risks from harmful content.
+ Files: cleanup/cleanup_envelope.c, cleanup/cleanup_bounce.c.
+
+ Feature: the smtpd_proxy_filter parameter value can now be
+ prefixed with "unix:" (for UNIX-domain socket) and "inet:"
+ (for TCP socket). TCP sockets are the default. Patch by
+ Edwin Kremer. File: smtpd/smtpd_proxy.c.
+
+20050828
+
+ Bugfix: after adding DSN support, error notification was
+ broken for too large mail that was submitted with the Postfix
+ sendmail command, forwarded by the local(8) delivery agent,
+ or re-queued with "postsuper -r". The message would be saved
+ to the "corrupt" queue.
+
+ The mistake was to leave the truncated message in the
+ incoming queue and to ask the queue manager to notify the
+ sender; this was not possible because the queue manager
+ cannot (and should not) handle truncated queue files.
+
+ The fix is to have the cleanup server send the bounce
+ message, just like it did before DSN support was added. As
+ a side effect, Postfix will no longer send DSN_SUCCESS
+ notices after virtual aliasing, when the cleanup server
+ bounces all the recipients of the message anyway. This
+ could be called a feature. File: cleanup/cleanup_bounce.c.
+
+ Also needed for this fix: a new vstream_fpurge() routine
+ that discards unread/written data from a VSTREAM. It's
+ needed before cleanup_bounce() can seek to the start of the
+ queue file after a file size error. File: util/vstream.c.
+
+20050920
+
+ Cleanup: removed the legacy "tls_info" structure, factored
+ out common code for peer_CN and issuer_CN lookup, and added
+ sanity check to not verify subject common names that contain
+ nulls or that are excessively long. Patch by Victor Duchovni.
+ Files: tls_client.c, tls_server.c, tls_session.c, tls_misc.c,
+ tls_verify.c.
+
+20050922
+
+ Bugfix: the *SQL clients did not uniformly choose the
+ database host from the available pool of servers due to an
+ off-by-one error, so that the "last" available server was
+ not selected. Leandro Santi. Files: dict_mysql.c, dict_pgsql.c.
+
+ Update: common code factored out into db_common.c, and
+ adoption of Liviu Daia's connection aware MySQL quoting.
+ Patch by Victor Duchovni. Files: dict_ldap.c, dict_mysql.c,
+ dict_pgsql.c, db_common.c.
+
+20050923
+
+ Safety: don't update the local(8) delivery agent's idea of
+ the Delivered-To: address while expanding aliases or .forward
+ files. When an alias or .forward file changes the Delivered-To:
+ address, it ties up one queue file and one cleanup process
+ instance while mail is being forwarded. To get the old
+ behavior, specify "frozen_delivered_to = no". Problem
+ reported by Michael Tokarev, but found independently by
+ others. Files: local/local.c, local/aliases.c, local/dotforward.c,
+ local/mailbox.c, local/maildir.c.
+
+ Logging: additional SASL debug logging by Andreas Winkelmann.
+ Files: */*sasl_glue.c.
+
+20050929
+
+ Paranoia: don't ignore garbage in SMTP or LMTP server replies
+ when ESMTP command pipelining is turned on. For example,
+ after sending ".<CR><LF>QUIT<CR><LF>", Postfix could recognize
+ the server's 2XX QUIT reply as a 2XX END-OF-DATA reply after
+ garbage, causing mail to be lost. The SMTP and LMTP clients
+ now report a remote protocol error and defer delivery.
+ Files: smtp/smtp_chat.c, smtp/smtp_trouble.c, lmtp/lmtp_chat.c,
+ lmtp/lmtp_trouble.c.
+
+ Performance: specify "smtpd_peername_lookup = no" to disable
+ client hostname lookups in the SMTP server. All clients are
+ treated as "unknown". This should be used only under extreme
+ conditions where DNS lookup latencies are critical. File:
+ smtpd/smtpd_peer.c.
+
+20051010
+
+ Feature: smtpd_client_new_tls_session_rate_limit parameter
+ to limit the number of new (i.e. uncached) TLS sessions
+ that a remote SMTP client may negotiate per unit time. This
+ feature, which is off by default, can limit the CPU load
+ due to expensive crypto operations. Files: global/anvil_clnt.c,
+ anvil/anvil.c, smtpd/smtpd.c.
+
+ Cleanup: eliminated massive code duplication in the anvil
+ server that resulted from adding similar features one at a
+ time. File: anvil/anvil.c.
+
+20051011
+
+ Bugfix: raise the "policy violation" flag when a client
+ request exceeds a concurrency or rate limit. File:
+ smtpd/smtpd.c.
+
+ Bugfix (cut-and-paste error): don't reply with 421 (too
+ many MAIL FROM or RCPT TO commands) when we aren't closing
+ the connection. File: smtpd/smtpd.c.
+
+20051012
+
+ Polishing: content of comments and sequence of code blocks
+ in the anvil server, TLS request rate error message in the
+ smtp server, and documentation, but no changes in code.
+ Files: anvil/anvil.c, smtpd/smtpd.c.
+
+20051013
+
+ Horror: some systems have basename() and dirname() and some
+ don't; some implementations modify their input and some
+ don't; and some implementations use a private buffer that
+ is overwritten upon the next call. Postfix will use its own
+ safer versions called sane_basename() and sane_dirname().
+ These never modify the input, and allow the caller to control
+ how memory is allocated for the result. File:
+ util/sane_basename.c.
+
+ Feature: "sendmail -C path-to-main.cf" and "sendmail -C
+ config_directory" now do what one would expect. File:
+ sendmail/sendmail.c.
+
+ Bugfix: don't do smtpd_end_of_data_restrictions after the
+ transaction failed due to, e.g., a write error. File:
+ smtpd/smtpd.c.
+
+ Cleanup: the SMTP server now enforces the message_size_limit
+ even when the client did not send SIZE information with the
+ MAIL FROM command. This protects before-queue content
+ filters against over-size messages. File: smtpd/smtpd.c.
+
+20051017
+
+ Bugfix: after DSN support was added, smtp_skip_5xx_greeting
+ no longer recognized a 5xx SMTP status as a 4xx one. Found
+ by Ralf Hildebrandt. Fix: use the enhanced status code
+ instead of the SMTP reply code to choose between permanent
+ or transient errors. File: smtp/smtp_trouble.c.
+
+ Feature: smtp-sink can hard-reject, soft-reject or simply
+ drop connection requests. File: smtpstone/smtp-sink.c.
+
+ Documentation: clarified the processing of server replies,
+ specifically the reply code and the enhanced status code,
+ in smtp_chat.c.
+
+20051024
+
+ Performance: new smtp_connection_reuse_time_limit parameter to
+ limit connection reuse by elapsed time, instead of limiting
+ the number of deliveries per connection. Bounding by time
+ favors delivery over connections that perform well, while
+ bounding by number of deliveries allows slow connections
+ to drag down the performance. Insight and initial
+ implementation by Victor Duchovni, Morgan Stanley. Files:
+ smtp_connect.c, smtp_session.c,
+
+ Bugfix: the next-hop logical destination information for
+ connection caching was reset only after a good non-TLS
+ connection, so that cached connections to non-TLS backup
+ servers could suck away traffic from TLS primary servers
+ (the Postfix SMTP client cannot cache an open TLS connection).
+ Found during code review. This is fixed with multi-valued
+ connection caching state: expired, cachable, non-cachable,
+ and bad. Files: smtp_connect.c, smtp_trouble.c.
+
+ Bugfix: adding support for "sendmail -C" broke "sendmail
+ -q". File: sendmail/sendmail.c.
+
+20051101
+
+ Migration from a single "arrival time" stamp to a structure
+ with time stamps from different stages of message delivery.
+ The first iteration merely replaces "arrival time" stamps
+ by a structure or pointer to structure, and uses only the
+ arrival time field of that structure. This is an extensive
+ but straightforward transformation, based on example by
+ Victor Duchovni, Morgan Stanley. Files: anything that
+ invokes bounce_append etc., the log_adhoc module, and
+ anything that sends or receives a delivery request.
+
+20051102
+
+ Completion of support for time stamps from different stages
+ of message delivery. The information is now logged as
+ "delays=a/b/c/d" where a=time before queue manager, including
+ message transmission; b=time in queue manager; c=connection
+ setup including DNS, HELO and TLS; d=message transmission
+ time. Unlike Victor's example which used time differences,
+ this implementation uses absolute times. The decision of
+ what numbers to subtract actually depends on program history,
+ so we want to do it in one place. Files: global/log_adhoc.c,
+ smtp/smtp_connect.c, smtp/smtp_proto.c, smtp/smtp_trouble.c,
+ lmtp/lmtp_proto.c, lmtp/lmtp_trouble.c.
+
+20051103
+
+ Refinement of time stamping and delays formatting. The
+ hand-off time is now stamped in the delivery agent, so that
+ time is properly attributed when a transport is saturated
+ or throttled. Delays are now logged if larger than 0.01
+ second. Files: *qmgr/qmgr_deliver.c, global/deliver_request.c,
+ global/log_adhoc.c.
+
+20051104
+
+ New parameter delay_logging_time_resolution (default: 10000
+ microseconds, or 0.01 second) that controls the detail in
+ the new "delays=a/b/c/d" logging. Specify a power of 10
+ in the range from 1 to 100000. File: global/log_adhoc.c.
+ Parameter renamed 20051108.
+
+20051105
+
+ All delay logging now has sub-second resolution. This means
+ updating all code that reads or updates the records that
+ specify when mail arrived, and ensuring that mail submitted
+ with older Postfix versions produces sensible results.
+ Files: global/post_mail.c, global/mail_timeofday.[hc],
+ global/log_adhoc.c, postdrop/postdrop.c, pickup/pickup.c,
+ cleanup/cleanup_envelope.c, cleanup/cleanup_message.c,
+ smtpd/smtpd.c, qmqpd/qmqpd.c, *qmgr/qmgr_message.c,
+ *qmgr/qmgr_active.c, local/forward.c.
+
+20051106
+
+ The SMTP client logs the remote server port in the form of
+ relay=hostname[hostaddr]:port to the local maillog file.
+ The port number is NOT included in DSN status reports,
+ because remote users have no need to know such internal
+ information. Files: smtp/smtp_session.c, smtp/smtp_proto.c,
+ smtp/smtp_trouble.c.
+
+ Cleanup: encapsulated queue file time read/write operations
+ with a few simple macros, to make future changes in time
+ representation less painful.
+
+20051108
+
+ Cleanup: eliminated floating point operations from the
+ ad-hoc delay logging code. Files: util/format_tv.[hc],
+ global/log_adhoc.c.
+
+ The delay logging resolution is now controlled with the
+ delay_logging_resolution_limit parameter, which specifies
+ the maximal number of digits after the decimal point.
+
+ Bugfix: two messages could get the same message ID due to
+ a race condition. This time window was increased when queue
+ file creation was postponed from MAIL FROM until the first
+ accepted RCPT TO. The window is closed again. Found by
+ Victor. Files: global/mail_stream.c, global/mail_queue.c,
+ cleanup/cleanup_message.c.
+
+20051109
+
+ qshape.pl updated for extra microsecond time field in Postfix
+ queue files.
+
+ Cleanup: removed obsolete code that handles rejected/dropped
+ connections before the HELO handshake. File: smtp/smtp_connect.c.
+
+ Bugfix: XCLIENT broke when reverse hostname support was added.
+ Fix by Tomoyuki Sakurai. File: smtpd/smtpd.c.
+
+20051110
+
+ Workaround: don't set the delay warning timer for messages
+ from inside or from outside that have the null sender as
+ recipient. This was a waste of time, because the warning
+ would always be discarded. File: cleanup/cleanup_envelope.c.
+
+ Feature: the built-in mail delivery status notification
+ text is now implemented by built-in templates. Files:
+ bounce/bounce_template.c, bounce/bounce_notify_util.c.
+
+20051112
+
+ Feature: configurable bounce message templates based on
+ contribution by Nicolas Riendeau. I kept the general format
+ of his templates, but placed them together in one file to
+ reduce process initialization overhead (most requests to
+ the bounce daemon are not for sending bounce messages).
+ Files: bounce/bounce_template.c, bounce/dict_ml.c (to be
+ moved to library if useful enough). A sample bounce message
+ template file is installed as $config_directory/bounce.cf.default.
+
+20051113
+
+ Feature: "postconf -b filename" to preview the non-default
+ bounce message templates with $name expansions in the text.
+ The actual work is of course done by the bounce daemon.
+
+20051114
+
+ Feature: -V option to make Postfix daemons to log to stderr.
+ This is used when a daemon is invoked in stand-alone mode
+ by a (non-daemon) command.
+
+ Feature: "postconf -t" displays DSN templates, headers and
+ all; use postconf -t ''" to view built-ins.
+
+ Cleanup: renamed fail_template into failure_template.
+
+20051117
+
+ Cleanup: bounce template code reorg, no functionality change.
+ Files: bounce/bounce_template.[hc], bounce/bounce_templates.c,
+ bounce/bounce_notify_util.c.
+
+20051118
+
+ Bugfix: new bounce template code did not return after
+ template syntax error. File: bounce/bounce_template.c
+
+ Safety: permit_mx_backup now requires that the local MTA
+ is not listed as primary MX for the recipient domain. This
+ prevents mail loops when someone points the primary MX
+ record to Postfix.
+
+20051119
+
+ Workaround: some SMTP servers announce multiple but different
+ lists of SASL methods. Postfix now concatenates the lists
+ instead of logging a warning and remembering only one. File:
+ smtp/smtp_sasl_proto.c.
+
+ Bugfix: the queue manager did not write a per-recipient
+ defer logfile record when the delivery agent crashed between
+ receiving a delivery request, and reporting the delivery
+ status to the queue manager. Found while redesigning the
+ code that handles unavailable transports or destinations.
+ Files: *qmgr/qmgr_deliver.c.
+
+20051121
+
+ Workaround: do not build the bounce.cf.default template
+ while compiling Postfix - it breaks when the default
+ mail_owner etc. accounts don't exist. Reported by Liviu
+ Daia.
+
+ Compatibility: added permit_auth_destination emulation to
+ the permit_mx_backup feature. This avoids surprises with
+ sites that used permit_mx_backup to authorize all their
+ incoming mail.
+
+20051122-24
+
+ Feature: sender_dependent_relayhost_maps, lookup tables that specify
+ a sender-dependent override for the relayhost parameter
+ setting. The lookup is done in the trivial-rewrite server,
+ instead of the queue manager where it does not belong.
+ Files: global/resolve_clnt.c, global/tok822_resolve.c,
+ trivial-rewrite/resolve.c, trivial-rewrite/transport.c,
+ *qmgr/qmgr_message.c.
+
+ Also: address_verify_sender_dependent_relayhost_maps for
+ completeness.
+
+20051124
+
+ Feature: specify "smtp_sender_dependent_authentication =
+ yes" to enable sender-dependent SASL passwords. This disables
+ SMTP connection caching to ensure that mail from different
+ senders is delivered with the appropriate credentials. This
+ is an extended version of a patch by Mathias Hasselmann.
+ Files: smtp/smtp_connect.c, smtp/smtp_sasl_glue.c.
+
+20051126
+
+ Workaround: log warning when REDIRECT or FILTER are used
+ in smtpd_end_of_data_restrictions. File: smtpd/smtpd_check.c.
+
+ Log warning when REDIRECT, FILTER, HOLD and DISCARD are
+ used in smtpd_etrn_restrictions. File: smtpd/smtpd_check.c.
+
+20051128
+
+ Bugfix: moved code around from one place to another to make
+ REDIRECT, FILTER, HOLD and DISCARD access(5) table actions
+ work in smtpd_end_of_data_restrictions. PREPEND will not
+ be fixed; it must be specified before the message content
+ is received. Files: smtpd/smtpd.c, smtpd/smtpd_check.c,
+ cleanup/cleanup_extracted.c, pickup/pickup.c.
+
+ Safety: abort if the SMTP or QMQP server runs with non-postfix
+ privileges while it's connected to the network. Files:
+ smtpd/smtpd_peer.c, qmqpd/qmqpd_peer.c.
+
+20051201
+
+ Bugfix: the LMTP client would reuse a session after negative
+ reply to the RSET command (which may happen when client and
+ server somehow get out of sync). Problem found by Christian
+ Theune. Files: lmtp/lmtp.c, lmtp/lmtp_proto.c.
+
+20051202
+
+ Bugfix: the 20051128 code move for "smtpd_end_of_data_restrictions"
+ broke "postsuper -r".
+
+20051202-3
+
+ Cleanup: the SMTP client now also implements the LMTP
+ protocol. Files: smtp/smtp.c, smtp/smtp_connect.c,
+ smtp/smtp_proto.c, smtp/smtp_dsn.c, smtp_state.c,
+ smtp_sasl_glue.c.
+
+ As before, the LMTP behavior is controlled with parameters
+ named lmtp_xxx instead of smtp_xxx. However there are now
+ a lot more lmtp_xxx parameters :-) With few exceptions, all
+ SMTP features are now also available with LMTP. The exceptions
+ are related to the HELO and EHLO commands, which exist in
+ SMTP only. There are equivalent LHLO command parameters
+ where it makes sense.
+
+20051206
+
+ SMTP+LMTP client connection management code rewritten to
+ support UNIX-domain socket connections.
+
+20051207
+
+ Bugfix: race condition in the connection caching protocol,
+ found while adding connection caching for UNIX-domain sockets
+ (used for LMTP delivery). This was introduced with the
+ 20050706 workaround, and may the same problem that Jussi
+ Silvennoinen experienced (in Postfix 2.2.6) with SMTP after
+ an upgrade. Files: scache/scache.c.
+
+ Bugfix: smtp-sink and qmqp-sink didn't ignore SIGPIPE.
+
+20051208
+
+ Robustness: reduced timeouts in the connection caching
+ client, so that a malfunctioning service does not prevent
+ mail delivery. This uses similar code that already exists
+ for the anvil(8) client and the tlsmgr(8) client. Files:
+ global/scache_clnt.c, smtp/smtp.c.
+
+ To make reduced connection caching client timeouts possible,
+ connection management was moved from the attr_clnt(3) module
+ to the auto_clnt(3) module where it belongs. The auto_clnt(3)
+ module is now a full alternative for the clnt_stream(3)
+ module. Files: util/auto_clnt.c, util/attr_clnt.c.
+
+ Bugfix: the best_mx_transport, mailbox_transport and
+ fallback_transport features did not write a per-recipient
+ defer logfile record when the target delivery agent was
+ broken. This the analog of queue manager bugfix 20051119.
+ Files: global/deliver_pass.c.
+
+20051210
+
+ Cleanup: simplified the SMTP/LMTP connection management
+ logic for address list and fallback relay processing.
+ Still need to simplify deferred recipient handling.
+
+20051212
+
+ Bugfix: after a failed TLS session, the 20051210 SMTP client
+ code cleanup broke sessions with backup servers, causing the
+ client to get out of step with the backup server. This in
+ turn exposed a one-year old missing exception handling
+ context in the EHLO handstake after sending STARTTLS. Victim
+ was Ralf Hildebrandt, detectives Victor Duchovni and Wietse.
+ File: smtp/smtp_proto.c.
+
+20051213
+
+ Bugfix: *SQL, proxy and LDAP map types were not defined in
+ user-land commands such as postqueue. Leandro Santi. File:
+ postqueue/postqueue.c.
+
+20051212-14
+
+ Server-side plug-in interface for SASL authentication. This
+ uses Cyrus SASL by default, so nothing has changed except
+ error messages may be more informative. Files:
+ smtpd/smtpd_sasl_proto.c smtpd/smtpd_sasl_glue.c,
+ xsasl/xsasl_server.[hc], xsasl/cyrus_server.[hc]
+ xsasl/cyrus_strerror.c, xsasl/cyrus_log.c, xsasl/cyrus_security.c.
+
+20051215
+
+ Portability: IRIX 6.5.28 defines sa_len as a macro, so it
+ can't be used as a variable identifier. Zach McDanel. Files:
+ dns/dns_rr_to_sa.c, smtpd/smtpd_peer.c, qmqpd/qmqpd_peer.c.
+
+20051216
+
+ Cleanup: removed some scar tissue that was introduced with
+ server-side SASL plug-in support. Files: smtpd_sasl_proto.c,
+ smtpd_sasl_glue.c.
+
+ Client-side plug-in interface for SASL authentication. This
+ uses Cyrus SASL by default, so nothing has changed except
+ error messages may be more informative. Files: smtp_sasl_glue.c,
+ xsasl/xsasl_client.[hc], xsasl/cyrus_client.[hc].
+
+20051217
+
+ Bugfix: when a SASL client password is required by a specific
+ server, defer delivery when no server-announced mechanism
+ survives the smtp_sasl_mechanism_filter, instead of ignoring
+ the SASL announcement and trying to deliver the mail over
+ an unauthenticated connection and risking that mail will
+ be rejected. File: smtp/smtp_sasl_proto.c, smtp/smtp_proto.c.
+
+ Portability: zero the "struct msg" just in case. Both purify
+ (Linux) and valgrind (FreeBSD) complain about uninitialized
+ bits. Files: util/unix_{send,recv}_fd.c.
+
+20051219
+
+ Cleanup: generic smtpd_sasl_path, smtp_sasl_path and
+ lmtp_sasl_path configuration parameters; simplified the
+ SASL plug-in API, and made initial provisions for SASL
+ session encryption. Files: xsasl/*.[hc].
+
+ Feature: "postconf -a" lists the available SASL server
+ plug-in types, and "postconf -A" does the same for the
+ client. Files: postconf.c, xsasl_{client,server}.c.
+
+ Feature: new SMTPD policy attributes "encryption_protocol",
+ "encryption_cipher" and "encryption_keysize", to distinguish
+ plaintext from encrypted connections.
+
+20051221
+
+ Privacy: the new Cyrus SASL server plug-in replaces "no
+ user" errors by "authentication failed" errors. File:
+ xsasl/xsasl_cyrus_server.c.
+
+ Safety: the Postfix SMTP client no longer uses CNAME expanded
+ hostnames for logging, SASL password lookup, TLS policy
+ decisions, or TLS certificate verification. Instead it
+ uses the name of the recipient domain, or the host or domain
+ name specified in Postfix configuration files. Of course
+ this won't prevent cheating with hostnames that appear in
+ MX lookup results. To avoid that you will have to suppress
+ MX lookups with explicit [hostname] entries in transport
+ maps. Files: dns/dns_lookup.c, dns/dns_rr.c.
+
+20051222
+
+ Feature: Dovecot SASL authentication (server side) plug-in
+ by Timo Sirainen. This builds without external library
+ dependencies and is therefore compiled in by default.
+ Files: xsasl/xsasl_dovecot_server.[hc].
+
+ Safety: set the default LANG=C, instead of deleting LANG
+ from the environment and assuming the right thing will
+ happen. File: global/mail_params.h.
+
+ Safety: always add the ISASCII() requirement to the ISXXX()
+ macros, because they are used for protocol and policy
+ enforcement. File: util/sys_defs.h.
+
+ Bugfix: null pointer in the 20051219 policy delegation
+ crypto attributes. File: smtpd/smtpd_check.c.
+
+ Compatibility: "resolve_numeric_domain = yes" will accept
+ addresses with numeric domains instead of rejecting them as
+ invalid. Files: trivial-rewrite/resolve.c, util/vstring.c.
+
+ Bugfix: 20051219 "postconf -A" produced "postconf -a" output.
+ Andreas Winkelmann.
+
+20051225
+
+ Bugfix: the regexp map cleverly avoided scanning constant
+ lookup results for non-existent $number expressions, but
+ failed to subject those results to the necessary $$ -> $
+ replacement. Files: util/dict_regexp.c.
+
+ Performance: the pcre map did not optimize constant lookup
+ results; they were always scanned for non-existent $number
+ expressions. File: util/dict_pcre.c.
+
+ This round of edits eliminates architectural differences
+ between the pcre and regexp table implementations. The
+ remaining difference is that regexp tables still support
+ the obsolete "/pattern1/!/pattern2/ action" syntax, for
+ backwards compatibility with Postfix 2.0 and earlier.
+
+20051227
+
+ Bugfix: the 20051222 ISASCII paranoia broke the strcasecmp()
+ workaround for Solaris. File: util/strcasecmp.c.
+
+ Bitrot: SunOS4 pre-dates size_t, ssize_t, getsid(). File:
+ src/util/sys_defs.h. The SunOS4 tests had been suspended
+ due to what turned out to be a broken AUI-to-UTP transceiver.
+
+ Bugfix: the 20061226 cosmetic change broke non-IPV6 support
+ (example: sockaddr_to_hostaddr: Unknown error: success).
+ File: util/myaddrinfo.c.
+
+20051229
+
+ The following workaround was removed 20060103.
+
+ Workaround: when mail is still queued after 3000 seconds,
+ the SMTP client no longer pipelines the DOT+QUIT commands.
+ The 20050929 paranoia about malformed server replies
+ eliminated a rare occurrence of "lost mail" with sites that
+ mis-implement DOT+QUIT pipelining, but resulted in a larger
+ occurrence of repeated deliveries to sites with a different
+ DOT+QUIT pipelining bug. The time threshold is set with the
+ smtp_dot_quit_workaround_threshold_time parameter. Files:
+ smtp/smtp_proto.c, smtp/smtp.c.
+
+ Feature: mailbox_transport_maps and fallback_transport_maps
+ to search delivery transports by recipient name. Files:
+ local/mailbox.c, local/unknown.c.
+
+ Feature: the master daemon now logs a warning when all
+ servers are busy that may accept remote connections, and
+ suggests to either increase the process count or to reduce
+ the service time per client. Files: master/master_ent.c,
+ master/master_avail.c.
+
+20051231
+
+ Bugfix: the anvil server would terminate after "max_idle"
+ seconds, even when this was less than the anvil_rate_time_unit
+ interval. File: anvil/anvil.c.
+
+20060102
+
+ Deleted the 20051229 dot-quit bug workaround. Automatically
+ deferring delivery created "no delivery" and "repeated
+ delivery" problems; and automatically turning off pipelining
+ for delayed mail was a bad workaround for a bad workaround.
+ The administrator still has the option to turn off pipelining
+ by hand if loss of mail is a concern.
+
+20060103
+
+ Bugfix: the 20051217 fix (when a SASL client password is
+ found, defer delivery when no server-announced mechanism
+ survives the smtp_sasl_mechanism_filter) did the mechanism
+ test too early, so that it could trip up with deliveries
+ to servers that we don't have a SASL password for. Files:
+ smtp/smtp_sasl_proto.c, smtp/smtp_proto.c.
+
+20060104
+
+ Safety: new "smtp_cname_overrides_servername" parameter.
+ The default value ("no") is NOT backwards compatible. This
+ avoids surprises with the hostname that is used for logging,
+ SASL password lookup, TLS policy decisions, or TLS certificate
+ verification. The change makes the 20051221 behavior more
+ configurable. Files: smtp/smtp_addr.c, smtp/smtp_connect.c,
+ proto/postconf.proto.
+
+20060105
+
+ Cleanup: removed the unused DSN "code" attribute; removed
+ surrogate SMTP replies for errors that were not reported
+ by a remote SMTP server, making several DSN-related functions
+ and macros redundant; cleaned up some bizarre code for DSN
+ attribute memory management in the SMTP client.
+
+20060106
+
+ Cleanup: eliminated the global smtp_errno variable, which
+ had become redundant after introducing DSN support. Files:
+ smtp/smtp_addr.c, smtp/smtp_connect.c.
+
+20060107
+
+ Cleanup: removed more bizarre code for DSN attribute memory
+ management in the queue manager, bounce server, and in
+ delivery agents.
+
+20060109
+
+ Bugfix: smtp_sasl_tls_opts was unimplemented. File:
+ smtp/smtp_sasl_proto.c.
+
+ Cleanup: more bounce logfile code cleanup. Files:
+ global/bounce_log.c, bounce/bounce_notify_util.c,
+ bounce/bounce.c, bounce/bounce_notify_verp.c,
+ bounce/bounce_one_service.c, showq/showq.c
+
+20060110
+
+ Cleanup: more bounce logfile code cleanup. Files:
+ global/bounce_log.c, bounce/bounce_notify_util.c.
+
+ Bugfix: the VERP bouncer never handled the case of a missing
+ bounce logfile. Found while doing more logfile code cleanup.
+ File: bounce/bounce_notify_verp.c.
+
+ Feature: smtp_sasl_tls_verified_security_options for
+ connections where the server certificate passed verification.
+ The default value is $smtp_sasl_tls_security_options, which
+ in turn defaults to $smtp_sasl_security_options.
+
+20060111
+
+ Optimization: mystrdup() and mystrndup() now return a pointer
+ to a fixed read-only memory location instead of allocating
+ memory for zero-length null-terminated strings. This saves
+ lots of memory for unused recipient attributes. If this
+ change causes problems (for example, you have an ancient
+ sscanf() implementation that writes to its input) then
+ compile Postfix with -DNO_SHARED_EMPTY_STRINGS.
+
+ Cleanup: eliminated null pointer members in DSN structures.
+ Instead we now use the optimized mystrdup() for empty
+ strings. For safety sake we keep the tests for null pointers
+ in input, but we always produce empty strings on output.
+ Files: global/dsn.c, global/dsn.h, global/dsn_buf.h,
+ global/dsn_print.c.
+
+ Cleanup: eliminated ad-hoc code for passing recipients in
+ the queue manager delivery request protocol. Postfix now
+ uses proper object activation/passivation instead. Files:
+ *qmgr/qmgr_deliver.c, global/deliver_request.c,
+ global/deliver_pass.c.
+
+20060112
+
+ Feature: to simplify debugging the bounce server logs the
+ old and new queue ID when notifying the sender or postmaster.
+ Files: global/post_mail.c, bounce/bounce_notify_service.c,
+ bounce/bounce_one_service.c, bounce/bounce_notify_verp.c,
+ bounce/bounce_warn_service.c, bounce/bounce_trace_service.c.
+
+ Fudge: when translating recipient DSN codes into sender DSN
+ codes, map sender address problems that have no DSN code
+ to *.1.7 (Bad sender's mailbox address syntax) instead of
+ *.1.0 (Other address status) because that loses the distinction
+ between sender and recipient. File: smtpd/smtpd_dsn_fix.c.
+
+20060113
+
+ Cleanup: preserve upper case information of address localpart
+ or extension when mapping one address to another with
+ non-regexp/pcre tables. Files: global/mail_addr_find.c,
+ global/maps_find.c.
+
+20060115
+
+ Bugfix: don't ignore the per-site policy when SSL library
+ initialization fails. Introduced after adopting the TLS
+ patch. File: smtp/smtp_session.c.
+
+20060117
+
+ [withdrawn 20060126] Safety: daemon processes that need no
+ privileges now insist that they are configured to run without
+ privileges. Files: master/single_server.c, master/multi_server.c,
+ master/trigger_server.c.
+
+ Cleanup: preserve upper case information of address localpart
+ or extension when mapping addresses via regexp/pcre tables.
+ This requires that Postfix does not case fold the search
+ string when searching regexp or pcre tables, so that $number
+ substitutions produce the expected result.
+
+ In order to get a consistent handling of table operations,
+ the search string case folding logic was moved from the
+ application to the individual lookup table modules; the
+ application specifies its case folding preference when it
+ opens a table, and the table folds the search or update
+ string as needed.
+
+ Files: everything that opens a map or multiple maps (to
+ specify the case folding preference), and everything that
+ contained ad-hoc code to lowercase search strings (which
+ is no longer needed).
+
+ Bugfix: as a side effect of this revision of all code that
+ opens tables, the postmap/postalias -n/-N options are no
+ longer silently ignored when the -q (query) and -d (delete)
+ options are specified. Files: postmap/postmap.c,
+ postalias/postalias.c.
+
+ Safety: don't allow $number substitution in transport maps
+ or sender-dependent relayhost maps.
+
+ Cleanup: smtp_sasl_passwd_maps lookup keys are folded to
+ lowercase before searching tables such as btree:, dbm: or
+ hash: that have fixed-case fields. File: smtp/smtp_sasl_glue.c.
+
+ Bugfix: per-sender relayhost maps were not locked for shared
+ access.
+
+20060119
+
+ Cleanup: don't look up parent domain substrings in regexp/pcre
+ like tables while searching a hostname in a domain/namaddr_list.
+ File: util/match_ops.c.
+
+20060120
+
+ Cleanup: multiple boolean variables were replaced by a
+ single TLS enforcement level (none, may, encrypt, verify).
+ With Victor Duchovni. Files: smtp_session.c, smtp_proto.c,
+ smtp.h.
+
+ Cleanup: the SMTP per-site policy table was re-implemented
+ in terms of enforcement levels instead of multiple boolean
+ variables. This greatly simplified the code and led to the
+ elimination of non-intuitive behavior as documented next.
+ With Victor Duchovni. Files: smtp_session.c, smtp.h.
+
+ Bugfix: a TLS per-site MUST_NOPEERMATCH policy could not
+ override a main.cf MUST (with peer match) policy, while a
+ per-site NONE policy could.
+
+ Bugfix: a combined TLS per-site (host, next-hop) policy of
+ (NONE, MAY) would change the strongest main.cf MUST policy
+ into NONE, while it changed all weaker main.cf policies
+ into MAY. The result is now NONE for all main.cf policy
+ settings.
+
+20060123
+
+ Feature: recipient_count attribute in SMTPD policy protocol.
+ This is available only in the DATA and END-OF-MESSAGE stage.
+ Based on code by Guo Black. Files: smtpd_check.c.
+
+ Cleanup: renamed MUMBLE_NUM to MUMBLE_INT to make type
+ discrepancies more explicit.
+
+ Bugfix: change 20051208 broke when a connection could not
+ be established. File: util/auto_clnt.c.
+
+20060124
+
+ Bugfix: the virtual(8) delivery agent did not insist on
+ privileged operation as it should; this broke change 20060117.
+ Ralf Hildebrandt. File: virtual/virtual.c.
+
+ Bugfix: the TLS sasl security options (change 20060110)
+ should also be #ifdef USE_TLS, and not only #ifdef
+ USE_SASL_AUTH. Such feature interference is difficult to
+ find in testing. Liviu Daia. File: smtp/smtp_sasl_proto.c.
+
+20060126
+
+ Undo: change 20060117 (unprivileged operation test) broke
+ "sendmail -bs", "postconf -b", "postconf -t", and probably
+ more. Files: master/{single,multi,trigger}_server.c.
+
+20060130
+
+ Bugfix: an empty remote_header_rewrite_domain value caused
+ trivial-rewrite to dereference a null pointer, but only in
+ regression tests, not in production. Envelope addresses are
+ by definition rewritten in the local domain context, because
+ an address without domain is equivalent to an address in
+ the local domain; and header addresses are rewritten in the
+ remote context only when remote_header_rewrite_domain is
+ non-empty. File: trivial-rewrite/rewrite.c.
+
+20060131
+
+ Cleanup: regression tests are now separated into "make
+ tests" for unprivileged tests, and "make root_tests" for
+ tests that require privileges to connect to the Postfix
+ internal sockets. Files Makefile.in, src/*/Makefile.in.
+
+20060201
+
+ Bugfix: despite efforts to treat malformed domain names as
+ hard errors (change 20050726) they were still processed as
+ soft errors. File: dns/dns_lookup.c.
+
+20060203
+
+ Bugfix: smtpd core dump when SASL was compiled in, turned
+ off (smtpd_sasl_auth_enable = no) and permit_sasl_authenticated
+ was specified in local_header_rewrite_clients. Victor
+ Duchovni. File: smtpd/smtpd_check.c.
+
+ Cleanup: don't complain about useless SASL or TLS "permit"
+ restrictions when SASL or TLS aren't compiled in, but do
+ reject mail when reject_plaintext_session is specified while
+ TLS isn't compiled in. File: smtpd/smtpd_check.c.
+
+20060204
+
+ Bugfix: disable the content_filter feature for user-requested
+ "sendmail -bv" probes, just like it is disabled for probes
+ generated by Postfix itself. File: *qmgr/qmgr_message.c.
+
+20060207
+
+ Robustness: place the "do we have TLS" guards within method
+ implementations, instead of putting them around method
+ invocations. File: smtpd/smtpd_check.c.
+
+ Bugfix: duplicate the cleanup(8) DSN envelope ID syntax
+ check in smtpd(8), so that clients get better error replies.
+ File: smtpd/smtpd_check.c.
+
+ Bugfix: change 20060203 broke the reject_plaintext_session
+ feature.
+
+ The trivial-rewrite and proxymap multi-server processes now
+ terminate soon after all their clients disconnect, instead
+ of waiting for another 100 seconds. This allows the processes
+ to refresh more frequently on low-traffic systems.
+
+ Cleanup: smtpd_delay_open_until_valid_rcpt (default: yes)
+ controls whether Postfix delays the start of a mail transaction
+ until after the first valid recipient, or if it starts a
+ transaction immediately after MAIL FROM. File: smtpd/smtpd.c.
+
+20060217
+
+ Bugfix: don't terminate with a non-standard exit status
+ when the pipe-to-command feature has a problem before it
+ executes the command. File: global/pipe_command.c.
+
+20060223
+
+ Bugfix: detect integer overflow when multiplying time values
+ with non-trivial time units. File: global/conv_time.c.
+
+20060307
+
+ Bugfix: reset the msg_cleanup() fatal error handler in child
+ processes. See also change 20060217. Files: postlock/postlock.c,
+ master/multi_server.c, global/mail_run.c, util/vstream_popen.c.
+
+20060310
+
+ Bugfix: the MIME processor assumed that input was null
+ terminated. This broke with CRLF input to the "sendmail -t"
+ command in Postfix 2.1 and later (see change 20030416).
+ Found by Leandro Santi. Based on patch by Victor Duchovni.
+ Files: global/mime_state.c, global/is_header.c.
+
+20060313
+
+ Cleanup: the message arrival time (start of the receive
+ transaction) no longer controls message expiration or
+ delivery attempts. Instead, expiration and delivery are
+ now controlled by the time when the cleanup server creates
+ a queue file. This closes a problem that was introduced
+ with the 20051104 change that introduced higher-resolution
+ delay time keeping: as a result, "postsuper -r" could no
+ longer manipulate the mail expiration schedule, so that
+ mail "on hold" could expire too soon.
+
+20060315
+
+ Workaround. the PCRE library reports an inappropriate error
+ code (invalid substring) when $number refers to a valid ()
+ expression that matches the null string. This caused fatal
+ run-time errors. File: dict_pcre.c.
+
+20060324
+
+ Cleanup: eliminated name collisions between global and local
+ variables, and other forms of shadowing. Documented switch
+ fall-throughs with /* FALLTHROUGH */ where this wasn't
+ already done. Replaced (var = expr) by (var = expr) != 0
+ where this wasn't already done.
+
+20060324
+
+ Bugfix: mis-placed parenthesis in a before-filter error
+ test. A filter timeout was mis-reported as lost connection.
+ Found in code review. File: smtpd/smtpd_proxy.c.
+
+20060327
+
+ Cleanup: the SQL and LDAP clients now log a warning when
+ they skip an empty lookup result, so that humans don't have
+ to wonder why Postfix doesn't find all the database entries.
+ File: global/db_common.c.
+
+ Moved SMTP/LMTP parameter initialization from global/mail_params.c
+ to the combined smtp/lmtp delivery agent. Added missing
+ lmtp parameters.
+
+20060328
+
+ Feature: configurable chroot directive for the pipe(8)
+ delivery agent, by Przemyslaw Wegrzyn. Files:
+ global/pipe_command.c, pipe/pipe.c.
+
+ Bugfix: cut-and-paste error: lmtp_connection_cache_limit
+ was left with the name of smtp_connection_cache_limit.
+ Reported by Victor? File: src/global/mail_params.h.
+
+20060329
+
+ More extensible interface for TLS client/server library,
+ now passes property structures that combine all the relevant
+ parameters in one type-safe structure.
+
+ TLS session cache activity logging now takes place at TLS
+ log level 2 or greater.
+
+20060403
+
+ Cleanup: made fcntl/flock handling consistent with respect
+ to EINTR (reported by Carlo Contavalli). However, Postfix
+ is not meant to be signal safe. Only the master daemon
+ handles signals without terminating, and it uses only a
+ small subset of Postfix library routines. File: util/myflock.c.
+
+ Bugfix: the pipe-to-command error message was lost when the
+ command could not be executed. File: global/pipe_command.c.
+
+20060404
+
+ Bugfix in sanity check: after reading a record from the
+ address verification database, a sanity check did not reject
+ a record with all-zero time stamp fields. Such records are
+ never written; the test is there just in case something is
+ broken, so that Postfix will not blindly march on and create
+ chaos. The sanity check tested pointer values, instead of
+ dereferencing the pointers. Found by Coverity. File:
+ verify/verify.c.
+
+ Bugfix in sanity check: when the maildir delivery routine
+ opens an output file it looks up the file attributes via
+ the file handle it just got. There is a sanity check that
+ detects if the attribute lookup fails, an error that never
+ happens. The code that handles the impossible error did not
+ close the output file. This would cause a virtual or local
+ delivery agent to waste up to 100 file descriptors. But
+ for that error to happen the system would have to be so
+ sick that you would have more serious problems than a file
+ descriptor leak. Found by Coverity. Files: local/maildir.c,
+ virtual/maildir.c.
+
+20060405
+
+ Bugfix: the MIME parser assumed input is null terminated
+ when reporting errors. Fix by Leandro Santi. Files:
+ global/mime_state.c, cleanup/cleanup_message.c.
+
+20060411
+
+ Bugfix: the SMTP server logged no warning when for some
+ reason the TLS engine was unavailable in wrappermode. Victor
+ Duchovni. File: smtpd/smtpd.c.
+
+20060417
+
+ Cleanup: when SMTP access table lookup fails, reply with
+ 4xx instead of aborting with a fatal run-time error. The
+ old behavior assumes local file access, and is inappropriate
+ with deployment of LDAP and SQL tables. File: smtpd/smtpd_check.c.
+
+20060423
+
+ Bugfix: postcat did not print the attribute value of records
+ containing a named attribute. File: postcat/postcat.c.
+
+20060430
+
+ Bugfix: dangling pointer in a function that has no caller.
+ Found by Coverity. File: tls/tls_prng_exch.c.
+
+ Bugfix: the workaround for CA-2003-07 (Sendmail) did not
+ null terminate the address before logging a warning. Reported
+ by Kris Kennaway. File: global/tok822_parse.c.
+
+20060301-20060515
+
+ Sendmail 8 Milter support, distributed across the smtpd(8)
+ server for SMTP commands, and the cleanup(8) server for
+ content inspection and manipulation. The code supports all
+ requests to add/delete recipients, and to add/delete/replace
+ message headers, but does not yet support requests to replace
+ the message body. See MILTER_README for more. Files:
+ smtpd/smtpd.c, smtpd/smtpd_milter.c, cleanup/cleanup_api.c,
+ cleanup/cleanup_envelope.c, cleanup/cleanup_extracted.c,
+ cleanup/cleanup_milter.c, milter/milter.c, milter/milter8.c.
+
+ That's 89 lines in smtpd, 1010 lines in cleanup, and 2449
+ lines of library support, comments not included.
+
+ A simple test Milter application for use in regression tests
+ is in src/milter/test-milter.c. Queue file modifications are
+ tested with a driver at the end src/cleanup/cleanup_milter.c
+ that reads commands from a script.
+
+ To make debugging easier, uncomment the "#define msg_verbose
+ 2" lines at the top of cleanup_milter.c or milter8.c. This
+ produces logging without making everything else verbose.
+
+20060510
+
+ Preliminary TLS_README and postconf(5) changes completed.
+ Victor Duchovni.
+
+ Added smtp_tls_policy_maps and smtp_tls_protocols features
+ to the smtp/lmtp client, changed smtp_tls_cipherlist to
+ only apply when TLS is mandatory. Victor Duchovni.
+
+20060512
+
+ Destinations that share a common server may have distinct
+ TLS protocol and cipherlist requirements, with mandatory
+ TLS add the protocol and cipherlist values to the TLS session
+ lookup key. Victor Duchovni.
+
+20060516
+
+ Portability: __float80 alignment, by Albert Chin. File:
+ util/sys_defs.h.
+
+ Further testing of Milter support uncovered typos; a missing
+ null pointer test while cleaning up after content miltering;
+ the need for a workaround to not bounce+delete local
+ submission after it triggers a temporary reject Milter
+ action.
+
+ Workaround: don't bounce+delete a local submission after
+ it triggers a "reject 4.x.x" action in header/body_checks.
+ This means an SMTP client now sees "queue file write error"
+ instead of the text from the "reject 4.x.x text" action.
+ File: cleanup/cleanup_message.c.
+
+ Workaround: OpenSSL 0.9.8[ab] with zlib support interoperability
+ problem. Victor Duchovni. Files: tls/tls_client.c,
+ tls/tls_misc.c, tls/tls_server.c.
+
+ Added smtpd_tls_protocols parameter to complement
+ smtp_tls_protocols. Victor Duchovni.
+
+20060517
+
+ The smtp_tls_policy_maps table now implements parent domain
+ matching for destinations that are bare domains (without
+ enclosing [] or optional :port suffix). This allows one to
+ set TLS policy for a domain and all sub-domains. Victor
+ Duchovni.
+
+20060519
+
+ The same parameter can bind to different variables in
+ different daemons. Ignore the variable name when eliminating
+ duplicates in extract.awk. Victor Duchovni.
+
+20060523
+
+ Improved handling of smtp_tls_protocols and smtpd_tls_protocols,
+ names now processed via name_mask(3) and canonicalized prior
+ to use in the SMTP/LMTP client TLS session lookup key. Also
+ simplifies the corresponding code in the TLS driver. Victor
+ Duchovni.
+
+20060524
+
+ Cleanup: send ETRN command parameter when using check_policy
+ in the context of an ETRN command. Joshua Goodall. File:
+ smtpd/smtpd_check.c.
+
+20060601
+
+ Bugfix (bug introduced 20051118): permit_mx_backup authorized
+ domains without secondary MX records. Joshua Goodall. File:
+ smtpd/smtpd_check.c.
+
+20060601
+
+ Fixed default value of LMTP TLS client certificate parameters,
+ using the SMTP values as a default was wrong. Victor Duchovni.
+
+20060603
+
+ Different transports may have different CAfile or CApath
+ settings. We need to add the transport name to the TLS
+ session lookup key so that sessions verified with one set
+ of trusted roots are not inadvertantly considered verified
+ for another. Victor Duchovni.
+
+20060604
+
+ Cleanup: minor fluff found with the BEAM source code analyzer.
+ Files: global/quote_821_local.c, global/quote_822_local.c,
+ master/master_spawn.c, pickup/pickup.c, util/match_ops.c,
+ util/safe_open.c, xsasl/xsasl_cyrus_client.c.
+
+20060606
+
+ Safety: mail receiving daemons (smtpd, qmqpd) now pass
+ actual client name/address/helo attributes in addition to
+ the attributes used for logging (xforward). This prevents
+ Milter applications from treating qmqpd mail as if it
+ originated locally, and prevents incorrect Milter decisions
+ after "postsuper -r". Files: smtpd/smtpd.c, qmqpd/qmqpd.c,
+ cleanup/cleanup_envelope.c, cleanup/cleanup_milter.c,
+ cleanup/cleanup_state.c, global/post_mail.c, *qmgr/qmgr_message.c,
+ *qmgr/qmgr_deliver.c, global/deliver_request.c,
+ global/deliver_pass.c, local/forward.c.
+
+ Bugfix: qmgr panic after queue file corruption by Mailscanner.
+ Files: *qmgr/qmgr_message.c.
+
+ Bugfix: XCLIENT didn't work with smtpd_delay_reject=no
+ (problem reported by Joshua Goodall). To make XCLIENT work
+ correctly with built-in restrictions and with Milter
+ applications, the SMTP server now jumps back to the very
+ start (the 220 phase) of an SMTP session. File: smtpd/smtpd.c.
+
+20060606
+
+ Portability: Some systems no longer support the traditional
+ "sort +0 -2 +3". Victor Duchovni.
+
+20060607
+
+ Portability: Found by BEAM static code analyzer. SSL options
+ (long) were stored as int.
+
+20060610
+
+ Cleanup: XCLIENT and XFORWARD attribute values are now sent
+ as xtext encoded strings. For backwards compatibility,
+ Postfix will still accept unencoded attribute values. Files:
+ smtpd/smtpd.c, smtpd/smtpd_proxy.c, smtp/smtp_proto.c.
+
+20060611
+
+ Robustness: additional sanity checks for common database
+ routines. Viktor Dukhovni. File: global/db_common.c.
+
+ Portability: LDAP 2.3 API support. Viktor Dukhovni. File:
+ global/dict_ldap.c.
+
+ Security: the PostgreSQL client was updated after the
+ PostgreSQL developers made major database API changes in
+ response to PostgreSQL security issues. This breaks support
+ for PGSQL versions prior to 8.1.4, 8.0.8, 7.4.13, and 7.3.15.
+ Support for these requires major code changes which are not
+ possible in the time that is left for the Postfix 2.3 stable
+ release.
+
+ Specific PostgreSQL client changes: use connection-aware
+ quoting, and more robust PQexec() result handling. Previous
+ versions of the dict_pgsql driver didn't check the status
+ of the result pointer, and certain exceptional events can
+ be mis-interpreted as an empty result set. Fixes by Leandro
+ Santi. File: global/dict_pgsql.c.
+
+20060612
+
+ Changed smtp security level parsing and level->name conversion
+ to use name_code(3). Victor Duchovni.
+
+ Implemented new smtp_tls_security_level parameter, to replace
+ the unnecessarily complex smtp_use_tls, smtp_enforce_tls
+ and smtp_tls_enforce_peername parameters. The main.cf
+ security level settings are now consistent with the new
+ policy table. Victor Duchovni.
+
+ The smtp_sasl_tls_verified_security_options feature is not
+ yet complete, added #ifdef SNAPSHOT and changed documentation
+ to delay introduction until Postfix 2.4. Victor Duchovni.
+
+20060614
+
+ Merged in Victor's work including the new TLS policy table
+ and a complete set of configuration parameters for the LMTP
+ personality of the unified SMTP/LMTP client.
+
+ Allow mandatory TLS encryption with LMTP over UNIX-domain
+ sockets. Victor Duchovni.
+
+ Safety: improved code to avoid I/O on connections after the
+ TLS handshake fails. Victor Duchovni.
+
+20060615
+
+ Cosmetic patch for const strings. Stefan Huehner.
+
+ Other cosmetic changes, mainly whitespace.
+
+20060616
+
+ The qshape.pl script was updated for the pointer records
+ that were introduced to support message content modification
+ by Milter applications. Victor Duchovni.
+
+20060620
+
+ Feature: Substantially better cipherlist specification
+ interface and support for anonymous ciphers when certificates
+ are not needed. The primary interface in main.cf and the
+ policy table selects one of 5 grades for mandatory TLS with
+ smtp(8) or lmtp(8) or for all TLS sessions with smtpd(8).
+ The levels are "high", "medium" (or better), "low" (or
+ better), "export" (or better) and "null". The underlying
+ definitions of these levels are configurable, but users are
+ strongly encouraged to not change those definitions. Victor
+ Duchovni.
+
+20060626
+
+ Bugfix: the Milter reply syntax checker was off by one.
+ File: milter/milter8.c.
+
+ Workaround: disable SMTP connection cache lookup by server
+ IP address when the tls_per_site policy table is enabled.
+ This is a workaround for a shortcoming in the SMTP connection
+ cache implementation, which retrieves the server hostname
+ from the cached connection. Since this server name is not
+ obtained in a secure manner, it must not be allowed to
+ control the tls_per_site policy. File: smtp/smtp_reuse.c.
+
+20060627
+
+ Cleanup: mumble_mandatory_tls_mumble parameters renamed to
+ mumble_tls_mandatory_mumble; added _mandatory_ qualifier
+ to names of parameters that affect only mandatory TLS.
+
+20060630
+
+ Features promoted from SNAPSHOT to STABLE: the "sleep"
+ pseudo restriction; Postfix daemons now read the local
+ timezone file before chrooting; trivial-rewrite now detects
+ table changes every 10 seconds, so it restarts more timely.
+
+ Features that stay #ifdef SNAPSHOT: tcp_table,
+ lmtp_sasl_tls_verified_security_options, and
+ smtp_sasl_tls_verified_security_options.
+
+ Compatibility: Sendmail does not send its own Received:
+ header to Milter applications. Offsets in header replace
+ requests are relative to the message content as received
+ (i.e. without our own Received: header), while offsets in
+ header insert requests are relative to the message as
+ delivered (i.e. they include our own Received: header).
+ This explains why dk-filter would sign our own Received:
+ header but place the signature between our own Received:
+ header and the rest of the message, violating the draft
+ domainkeys spec.
+
+20060702
+
+ Cleanup: more graceful handling of queue file read/write
+ errors while processing milter message modification requests.
+ Files: cleanup/cleanup_milter.c, milter/milter8.c.
+
+20060703
+
+ Debugging: the Postfix milter client gives more context
+ when it experiences trouble while talking to an uncooperative
+ Milter application. File: milter/milter8.c.
+
+ Compatibility: with OpenBSD 2.7 and later, the alias file
+ is now in /etc/mail/aliases.
+
+20060704
+
+ Bugfix: the Milter client skipped zero-length body lines.
+ File: milter/milter8.c.
+
+ Feature (just this one): RFC 3834 "Auto-Submitted:" message
+ header in DSNs. File: bounce/bounce_notify_util.c.
+
+20060705
+
+ Portability: LP64 systems required a few ssize_t->int casts
+ in debug logging statements. Files: milter/test_milter.c,
+ cleanup/cleanup_milter.c.
+
+ Cleanup: comments, error messages, and crumbling interfaces.
+
+20060707
+
+ Workaround: apparently, Solaris gettimeofday() can return
+ out-of range microsecond values. File: src/global/log_adhoc.c.
+
+ Robustness: the SMTPD policy client now encodes the
+ ccert_subject and ccert-issuer attributes as xtext. Some
+ characters are replaced by +XX, where XX is the two-digit
+ hexadecimal code for the character value. File:
+ smtpd/smtpd_check.c.
+
+ Safety: the SMTP/LMTP client now defers delivery when a
+ SASL password exists, but the server does not offer SASL
+ authentication. Mail could be rejected otherwise. This may
+ become an issue now that Postfix retries delivery in plaintext
+ after an opportunistic TLS handshake fails. Specify
+ "smtp_sasl_auth_enforce = no" to deliver mail anyway. File:
+ smtp/smtp_proto.c. See workaround 20060711 for sender-dependent
+ SASL passwords. This was undone with the 20060719 workaround.
+
+20060709
+
+ Cleanup: the new single smtpd_tls_security_level parameter
+ obsoletes the multiple smtpd_use_tls and smtpd_enforce_tls
+ parameters. This is done for consistency with the Postfix
+ SMTP client. In the Postfix SMTP server, the levels "verify"
+ and "secure" are currently not applicable, and are treated
+ as "encrypt", after logging a warning. Files: smtpd/smtpd.c,
+ tls/tls_level.c, smtp/smtp_session.c.
+
+ Compatibility: don't send the first (blank) body line to
+ Milter applications. This broke domain key etc. signatures
+ when verified by non-Postfix MTAs. File: milter/milter8.c.
+
+20060710
+
+ Cleanup: more consistency between smtpd(8) and smtp(8) TLS
+ configuration interfaces: smtpd_tls_mandatory_exclude_ciphers,
+ smtpd_tls_mandatory_ciphers, smtpd_tls_mandatory_protocols.
+ By Victor. Files:smtpd/smtpd.c.
+
+ Cleanup: to support domainkey signing of bounces and
+ Postmaster notices, enable content inspection of Postfix-
+ generated mail with the new internal_mail_filter_classes
+ feature. This is disabled by default, because it is not
+ yet safe enough. Files: global/int_filt.[hc] and everything
+ that calls post_mail_fopen*().
+
+20060711
+
+ Cleanup: smtpd_tls_mumble -> smtpd_tls_mandatory_mumble,
+ and finer control over the Postfix SMTP server TLS ciphers,
+ all this for consistency with the same functionality in the
+ Postfix SMTP client. Victor Duchovni.
+
+ Compatibility: Sendmail's milter client handles whitespace
+ after the header label and ":" in an interesting manner.
+ It eats one space (not tab). File: milter/milter8.c.
+
+ Workaround: if sender-dependent SASL passwords are enabled,
+ don't defer delivery when a SASL password exists but the
+ server doesn't announce SASL support. File: smtp/smtp_proto.c.
+ This was undone with the 20060719 workaround.
+
+ Cleanup: format of cleanup milter reject messages. File:
+ cleanup_milter.c.
+
+ Bugfix: file/memory leak if a transfer of multiple milters
+ from smtpd to cleanup broke in the middle. Found by Coverity.
+ File: milter/milter.c.
+
+20060716
+
+ Bugfix: "sendmail -bs" panic caused by a missing
+ SMTPD_STATE_ALONE() guard before a milter_abort() call.
+ File: smtpd/smtpd.c.
+
+ Bugfix (bug introduced with Postfix 2.2): the Postfix SMTP
+ client enforced Mandatory TLS only when talking to an ESMTP
+ server; enforcement did not happen if Postfix could somehow
+ be forced to send HELO instead of EHLO. Victor Duchovni.
+ File: src/smtp/smtp_proto.c.
+
+20060718
+
+ Bugfix (bug introduced 20060711): null pointer bug when
+ rejecting SMTP mail with Milter application. File:
+ cleanup/cleanup_milter.c.
+
+ Workaround (problem introduced in 200605/200606 TLS update):
+ the Postfix SMTP server now issues TLS session IDs even
+ when TLS session caching is turned off, otherwise MS Outlook
+ fails to deliver mail. There may also be interoperability
+ issues with other MTAs that we haven't discovered yet.
+ Specify "smtpd_tls_always_issue_session_ids = no" to disable
+ the workaround. Victor Duchovni. Files: smtpd/smtpd.c,
+ tls/tls_server.c.
+
+20060719
+
+ Cleanup: the smtp_sasl_auth_enforce feature is gone. It was
+ meant to work around a problem that was introduced with
+ plaintext fallback after a failed TLS handshake. Unfortunately,
+ it created more problems than it solved. We now address the
+ underlying problem more directly as described next. File:
+ smtp/smtp_proto.c.
+
+ Safety: don't fall back to plaintext delivery after failed
+ TLS handshake, when the Postfix SMTP client would have
+ attempted to log in with SASL after successful TLS handshake.
+ This avoids undesirable behavior regardless of whether the
+ server does support SASL over plaintext (unexpected password
+ disclosure) and whether the server doesn't support SASL
+ over plaintext (insufficient mail relay permission). Files:
+ smtp/smtp_connect.c, smtp/smtp_session.c, smtp/smtp_proto.c.
+
+20060720
+
+ Compatibility: replace %% in milter replies by %, and strip
+ single (i.e. invalid) % characters. File: milter/milter8.c.
+
+ Compatibility: $_ macro support for Milter applications.
+ Files: smtpd/smtpd.c, smtpd/smtpd_milter.c,
+ cleanup/cleanup_state.c, cleanup/cleanup_milter.c.
+
+20060721
+
+ Safety: disable Milter processing after "postsuper -r". If
+ the mail has been filtered there is no need to do it again.
+ Moreover, when mail has passed through an external content
+ filter, we don't have sufficient information to reproduce
+ the exact same SMTP events and Sendmail macros that Milters
+ received when the mail originally arrived in Postfix. This
+ change does not affect Milter applications that run behind
+ an after-queue content filter. File: pickup/pickup.c.
+
+ Bugfix: Milters received a truncated ORCPT=xxx parameter
+ due to destructive parsing of something that didn't have
+ to be preserved before Milter support was added to Postfix.
+ File: smtpd/smtpd.c.
+
+20060724
+
+ Bugfix: when updating the same header multiple times, the
+ Postfix Milter client created a queue file that caused
+ delivery agents to loop. File: cleanup/cleanup_milter.c.
+
+20060725
+
+ Bugfix: damaged queue file record after a Milter request
+ to modify a message header when 1) it was the last header
+ in the unmodified message, and 2) the old header was less
+ than 15 characters long. File: cleanup/cleanup_milter.c.
+
+ Bugfix: don't panic in smtp_rcpt_cleanup() after detecting
+ a damaged queue file record. File: smtp/smtp_proto.c.
+
+20060726
+
+ Bugfix: the 20051013 change to enforce the message size
+ limit in the SMTP server didn't work for size limits close
+ enough to INT_MAX. File: smtpd/smtpd.c.
+
+ Bugfix (introduced Postfix 2.3): after an SMTP client was
+ rejected with "smtpd_delay_reject = no", the SMTP server
+ would panic as it generated spurious Milter requests for
+ unrecognized commands. File: smtpd/smtpd.c.
+
+20060727
+
+ Cleanup: change redundant milter_abort() and milter_disc_event()
+ calls into NO-OPs. This avoids unnecessary panic() events
+ for completely harmless conditions. File: milter/milter8.c.
+
+20060805
+
+ Bugfix (introduced Postfix 2.3): #ifdef damage caused
+ smtp_sasl_start() to be invoked twice. Reported by C-J
+ Lofstedt. File: smtp/smtp_sasl_proto.c.
+
+20060806
+
+ Postfix no longer announces its name in delivery status
+ notifications. Users believe that Wietse provides a free
+ helpdesk service that solves all their email problems.
+ Credits to Jonathan Balester. File: bounce/bounce_templates.c.
+
+20060807
+
+ Bugfix (introduced Postfix 2.2): when upgrading from Postfix
+ < 2.2 with the third-party TLS patch, the post-install
+ upgrade procedure didn't put a "?" in the existing tlsmgr
+ entry, causing tlsmgr to repeatedly start and exit when TLS
+ support was not compiled in. File: conf/post-install.
+
+20060812
+
+ Bugfix (introduced < Postfix alpha): safety mechanism in
+ mail_date() didn't work. Found in code review. File:
+ global/mail_date.c.
+
+20060817
+
+ Test programs for host address->name and name->address
+ lookups to debug name service inconsistencies, typically
+ when the Postfix SMTP server claims that a hostname is
+ "unknown". Files: auxiliary/name-addr-test/*.
+
+20060822
+
+ Added missing logging for "message to large" etc. Files:
+ smtpd/smtpd.c, cleanup/cleanup_milter.c.
+
+20060823
+
+ Bugfix (introduced Postfix 2.2): segfault when vstream_fclose()
+ attempted to flush unwritten output, after vstream_fdclose()
+ had already disconnected the stream from its file descriptor.
+ File: util/vstream.c.
+
+ Bugfix (introduced Postfix 2.2): vstream_fdclose() did not
+ flush unwritten output before disconnecting a stream from
+ its file descriptor(s). File: util/vstream.c.
+
+ Feature: smtp-sink can capture mail to file, either as one
+ individual message per file, or as multiple messages per
+ file. After an initial implementation by Weidong Cui. File:
+ smtpstone/smtp-sink.c.
+
+ Bugfix (introduced < Postfix alpha): smtp-sink did not
+ correctly recognize DOT-CR-LF immediately after DATA. File:
+ smtpstone/smtp-sink.c.
+
+ Cleanup: smtp-sink now requires that MAIL FROM, RCPT TO and
+ DATA be send in the correct order. This simplified the
+ implementation of the capture to file feature. File:
+ smtpstone/smtp-sink.c.
+
+20050824
+
+ Portability: inside functions, GCC 4 refuses forward
+ declarations of static functions. File: smtpstone/smtp-sink.c.
+
+20060825
+
+ Bugfix (introduced Postfix 2.3): with headers-only mail, a
+ Milter "header insert" action corrupted the queue file. The
+ cleanup server executed some end-of-body action before the
+ end-of-header actions. File: cleanup/cleanup_message.c.
+
+ Robustness: mail delivery agents now detect loops in queue
+ files. Files with too many backward jumps are saved to the
+ "corrupt" directory. File: global/record.c.
+
+20060831
+
+ Bugfix (introduced with initial implementation): missing
+ "dict_errno = 0" caused mis-leading error messages after
+ non-error lookup failure. Victor Duchovni. File:
+ util/dict_cidr.c.
+
+ Robustness: the default TLS cipher lists were changed from
+ !foo:ALL into ALL:!foo. Victor Duchovni. Files:
+ global/mail_params.h and documentation.
+
+20060902
+
+ Bugfix (introduced Postfix 2.3): the LMTP client stripped
+ "inet": from the next-hop destination, but still used the
+ complete next-hop from the delivery request. File:
+ smtp/smtp_connect.c.
+
+20060903
+
+ Cleanup: record loop detection. File: global/record.c.
+
+20060929
+
+ Workaround: AIX 5.[1-3] getaddrinfo() creates socket address
+ structures with a non-zero port value. This breaks the
+ smtp_bind_address etc. features, and breaks inet_interfaces
+ settings with only one IP address. Problem reported by
+ Hamish Marson. Files: util/sock_addr.[hc], util/myaddrinfo.c.
+
+ Bugfix (introduced with the Postfix TLS patch): memory leak
+ in verify_extract_peer(). The OpenSSL documentation provides
+ no information on how subjectAltNames are managed. Sam
+ Rushing, ironport. File: tls/tls_client.c.
+
+ Bugfix (introduced with Postfix 2.2): smtp_generic_maps
+ turned on MIME conversion. File: smtp/smtp_proto.c.
+
+ Workaround: don't send SIZE information in the MAIL FROM
+ command when message content will be subject to 8bit ->
+ quoted-printable conversion. File: smtp/smtp_proto.c.
+
+20061002
+
+ Compatibility: Sendmail now invokes the Milter connect
+ action with the verified hostname instead of the name
+ obtained with PTR lookup. File: smtpd/smtpd.c.
+
+20061004
+
+ Cleanup: force space between mailq queueid+status and file
+ size items. File: showq/showq.c.
+
+20061005
+
+ Cleanup: make CISCO PIX bug workarounds configurable. This
+ introduces new parameters: smtp_pix_workarounds (default:
+ disable_esmtp, delay_dotcrlf) and smtp_pix_workaround_maps
+ (workarounds indexed by server IP address). The default
+ settings are backwards compatible. File: smtp/smtp.c,
+ smtp/smtp_proto.c.
+
+20061006
+
+ Workaround: include the smtpd(8) service name when searching
+ the TLS session cache, to avoid cross-talk between multiple
+ master.cf entries. This does not eliminate cross-talk between
+ multiple (x)inetd.conf entries. Victor Duchovni. Files:
+ smtpd/smtpd.c, tls/tls_server.c.
+
+20061015
+
+ Cleanup: convert the Milter {mail_addr} and {rcpt_addr}
+ macro values to external form. File: smtpd/smtpd_milter.c.
+
+ Cleanup: the Milter {mail_addr} and {rcpt_addr} macros are
+ now available with non-SMTP mail. File: cleanup/cleanup_milter.c.
+
+ Cleanup: convert addresses in Milter recipient add/delete
+ requests to internal form. File: cleanup/cleanup_milter.c.
+
+ Cleanup: with non-SMTP mail, convert addresses in simulated
+ MAIL FROM and RCPT TO events to external form. File:
+ cleanup/cleanup_milter.c.
+
+20061017
+
+ Cleanup: removed spurious warning when the cleanup server
+ attempts to bounce mail with soft_bounce=yes. Problem
+ reported by Ralf Hildebrandt. File: cleanup/cleanup_bounce.c.
+
+ Bugfix: null pointer bug when receiving a non-protocol
+ response on a cached SMTP/LMTP connection. Report by Brian
+ Kantor. Fix by Victor Duchovni. File: smtp/smtp_reuse.c.
+
+20061106
+
+ Feature: new retry delivery agent, to avoid the synchronous
+ defer service client in the queue manager. This code is
+ co-located with the error(8) server. File: error/error.c.
+
+ Performance: the queue manager could spend too much time
+ in the synchronous defer service client, causing the watchdog
+ timer to go off. Where possible, the queue manager now
+ bounces or defers recipients asynchronously, by routing
+ them to the error or the retry delivery agent. Code by
+ Wietse and Patrik Rak. Files: global/recipient_list.c,
+ *qmgr/qmgr_error.c, *qmgr/qmgr_defer.c, *qmgr/qmgr_entry.c,
+ *qmgr/qmgr_deliver.c, *qmgr/qmgr_message.c.
+
+ Performance: refined recipient and job grouping, and more
+ agressive early refill of in-memory recipients to prevent
+ a worst-case scenario where the queue manager became starved
+ until after the last batch of slow in-memory recipients of
+ jumbo multi-recipient mail. Code by Patrik Rak. Files:
+ global/mail_conf_time.c, qmgr/qmgr_message.c, qmgr/qmgr.c,
+ qmgr/qmgr.h, qmgr/qmgr_entry.c, qmgr/qmgr_job.c,
+ qmgr/qmgr_message.c, qmgr/qmgr_transport.c.
+
+20061113
+
+ Bugfix: the Postfix install/upgrade procedure broke with
+ non-default config_directory. File: conf/post-install.
+
+20061115
+
+ Bugfix: null pointer bug in end-of-header Milter action
+ when the last header line is too large. Reported by Mark
+ Martinec. The root of the problem is that the MIME state
+ engine may execute up to three call-back functions when it
+ reaches the end of the headers, before it returns to the
+ caller; as long as call-backs return no result, each call-back
+ has to check for itself if a previous call-back ran into a
+ problem. File: milter/milter8.c.
+
+ Workaround: reduce effective header_size_limit to 60000
+ when Milter inspection is enabled, to avoid breaking the
+ Milter protocol request length limit. File:
+ cleanup/cleanup_message.c.
+
+20061123
+
+ Safety: don't read more than 5000 recipients at a time, to
+ avoid spending too much time away from interrupts. File:
+ qmgr/qmgr_message.c.
+
+20061201
+
+ Workaround: don't complain with "Error 0" in the trivial-rewrite,
+ verify, proxymap or connection cache client when the server
+ exits after the client sends its request. We still complain,
+ however, when the problem persists. Files: global/rewrite_clnt.c,
+ global/resolve_clnt.c, global/verify_clnt.c, global/scache_clnt.c,
+ global/dict_proxy.c.
+
+ Safety: the header_size_limit is now enforced more strictly,
+ to avoid inter-operability problems with the Milter protocol.
+ Long headers are truncated at a line boundary if possible,
+ otherwise they are cut between line boundaries. File:
+ cleanup/cleanup_out.c.
+
+20061203
+
+ Bugfix (introduced with Postfix 2.2): with SMTP server
+ tarpit delays of smtp_rset_timeout or larger, the SMTP
+ client could get out of sync with the server while reusing
+ a connection. The symptoms were "recipient rejected .. in
+ reply to DATA". Fix by Victor Duchovni and Wietse. Files:
+ smtp/smtp_proto.c, smtp/smtp_connect.c.
+
+ Robustness: the vbuf and vstream documentation claimed that
+ their *error() macros reported timeout errors, but they
+ didn't really. The implementation was fixed, and redundant
+ vstream_ftimeout() calls were removed. As a result, many
+ Postfix daemons now properly detect write timeout errors
+ on internal connections. Files: util/vbuf.h.
+
+ Workaround: some broken SMTP servers reply and hang up in
+ the middle of DATA. The Postfix SMTP client now stops sending
+ and tries to receive the server response. This can help to
+ avoid repeated delivery attempts. Initial implementation
+ by Wietse, later work by Victor Duchovni. Files:
+ smtp/smtp_proto.c, smtpstone/smtp-sink.c, util/vstream.c,
+ plus trivial mods for code thatr calls vstream_fpurge().
+
+20061204
+
+ Compatibility: The Postfix installation/upgrade procedure
+ no longer sets "unknown_local_recipient_code = 450" in
+ main.cf. This was a safety net for upgrades from Postfix
+ 1.x. Four years later is no longer needed. File:
+ conf/post-install.
+
+ Cleanup: removed vstream_fclose() error warning in the code
+ that disconnects from a delivery agent. There is no need
+ to report errors here because they would already be reported
+ earlier. Files: *qmgr/qmgr_deliver.c.
+
+ Robustness: "kill me after N seconds" feature to ensure
+ that a daemon process does not get stuck while preparing
+ for exit after signal arrival. File: util/killme_after.[hc],
+ util/watchdog.c, master/master_sig.c.
+
+20061206
+
+ Robustness: low-cost re-entrancy guard that allows daemons
+ to safely call msg_fatal() etc. from a signal handler,
+ without risking memory corruption, or deadlock on Redhat
+ Linux. This works provided that the signal handler terminates
+ the process. In that special case we need not guarantee
+ after-the-fact consistency of the thread that was interrupted.
+ File: util/msg_output.c.
+
+ Robustness: replace exit() calls by _exit(). File: util/msg.c,
+ bounce/bounce_cleanup.c.
+
+20061207
+
+ Workaround: on systems with usable futimes() or equivalent
+ (Solaris, *BSD, MacOS, but not Linux), always explicitly
+ set the queue file last modification time stamps while
+ creating a queue file. With this, Postfix can avoid logging
+ warnings when the file system clock is ahead of the local
+ clock. Clock skew can be a problem, because Postfix does
+ not deliver mail until the local clock catches up with the
+ queue file's last modification time stamp. File:
+ global/mail_stream.c.
+
+ Workaround: on systems without usable futimes() or equivalent,
+ log a warning when the file system clock is more than 100
+ seconds behind the local clock. This does not cause mail
+ delivery problems, but it just looks silly in message
+ headers. File: global/mail_stream.c.
+
+ On systems without usable futimes() (Linux, and ancient
+ versions of Solaris, SunOS and *BSD) Postfix will keep using
+ the slower utime() system call to update queue file time
+ stamps when the file system clock is off with respect to
+ the local system clock.
+
+ Compatibility with Postfix < 2.3: undo the change to bounce
+ instead of defer after pipe-to-command delivery fails with
+ a signal. File: global/pipe_command.c.
+
+20061208
+
+ Workaround: apparently, some mail software removes or hides
+ "<postmaster>" in the Postfix bounce text, because it
+ processes the text as if it were HTML. This confuses users.
+ The bounce template has been updated to remove the < and
+ >. File: bounce/bounce_templates.c.
+
+ Cleanup: when smtp_generic_maps is turned on, don't parse
+ MIME structures in the message body. Victor Duchovni. File:
+ smtp/smtp_proto.c.
+
+20061210
+
+ Cleanup: streamline the signal handler reentrancy protections,
+ and document under what conditions these protections work,
+ with REENTRANCY sections in the relevant man pages. Files:
+ util/vbuf_print.c. util/msg.c, util/msg_output.c.
+
+20061211
+
+ Cleanup: when doing server access control by the remote TLS
+ client fingerprint, do not require client certificate
+ verification. Victor Duchovni. File: smtpd/smtpd_check.c.
+
+ Safety: when the remote TLS client certificate isn't verified,
+ don't send ccert_subject and ccert_issuer attributes in
+ check_policy_service requests. Victor Duchovni. File:
+ smtpd/smtpd_check.c.
+
+ Bugfix: the postconf command still complained about an
+ unqualified machine name, because it was not updated with
+ the 20050513 change that introduced a default "mydomain =
+ localdomain". File: postconf/postconf.c.
+
+20061213
+
+ Bugfix: race condition in "ETRN site", "sendmail -qRsite"
+ and "postqueue -s site". When the command arrived while an
+ incoming queue scan was already in progress, mail could
+ stay deferred instead of being flushed. The fix was to
+ unthrottle the queue manager before moving files from the
+ deferred queue to the incoming queue. Files: flush/flush.c,
+ qmgr/qmgr_scan.c.
+
+ Cleanup: the sendmail and postqueue commands no longer
+ terminate with a non-standard error status after a run-time
+ error in some Postfix internal routine (typically, some
+ essential file is not accessible, or the system is out of
+ memory). Files: sendmail/sendmail.c, postqueue/postqueue.c.
+
+ Feature: "sendmail -qIqueueid" and "postqueue -i queueid"
+ to flush a specific queue file. Files: sendmail/sendmail.c,
+ postqueue/postqueue.c, global/flush_clnt.c, flush/flush.c.
+
+20061214
+
+ Performance: "sendmail -qIqueueid" and "postqueue -i queueid"
+ unthrottle only the necessary message delivery transports
+ and queues. The unthrottle request now is propagated to the
+ queue manager via queue file group read permission bits.
+ Based on initial implementation by Victor Duchovni. Files:
+ flush/flush.c, *qmgr/qmgr.c, *qmgr/qmgr_scan.c,
+ *qmgr/qmgr_active.c, *qmgr/qmgr_message.c.
+
+20061220
+
+ Workaround: PMilter 0.95 does not deliver SMFIC_EOB+data
+ to the application as SMFIC_BODY+data followed by SMFIC_EOB.
+ To avoid compatibility problems, Postfix now sends
+ SMFIC_BODY+data followed by SMFIC_EOB. File: milter/milter8.c.
+
+ Bugfix (introduced with Postfix 2.3): when inserting
+ Milter-generated headers at increasing positions in a
+ message, a later header could end up at a previously used
+ insertion point. Thus, inserting headers at positions (N,
+ N+M) could work as if (N, N) had been specified. Problem
+ reported by Mark Martinec. File: milter/milter8.c.
+
+20061221
+
+ Feature: time unit suffix support in _command_time_limit.
+ Files: pipe/pipe.c, spawn/spawn.c.
+
+20061227
+
+ Bugfix (introduced with Postfix 2.3): the MX hostname syntax
+ check was skipped with reject_unknown_helo_hostname and
+ reject_unknown_sender/recipient_domain, so that Postfix
+ would still accept mail from domains with a zero-length MX
+ hostname. File: smtpd/smtpd_check.c.
+
+20061229
+
+ Cleanup: use separate TLS_LEGACY_README to document the old
+ TLS user interface. This will simplify TLS_README dramatically.
+
+ Cleanup: untangled spaghetti code. File: util/inet_listen.c.
+
+20070104
+
+ Bugfix (introduced Postfix 2.3): when creating an alias map
+ on a NIS-enabled system, don't case-fold the YP_MASTER_NAME
+ and YP_LAST_MODIFIED lookup keys. This requires that an
+ application can turn on/off case folding on the fly. Files:
+ postalias/postalias.c, global/dict_mumble.c, util/dict_mumble.c,
+ proxymap/proxymap.c.
+
+ Cleanup: after the above revision of the proxymap protocol,
+ the proxymap server can now share the same map with clients
+ that have only minor differences in dictionary open/access
+ options.
+
+20070105
+
+ Performance: pipeline of pending delivery agent connections,
+ to improve Linux/Solaris mail delivery performance by another
+ 10% while going down-hill with the wind from behind. Design
+ and implementation Victor and Wietse. Files: *qmgr/qmgr.c,
+ *qmgr/qmgr.h, *qmgr/qmgr_transport.c.
+
+20070106
+
+ Cleanup: eliminate the Linux/Solaris "wait for accept()"
+ stage from the queue manager to delivery agent protocol.
+ This alone achieves 99.99% of the Linux/Solaris speed up
+ from the preceding change. The pending connection pipeline
+ takes care of the rest. Tested on Linux kernels dating
+ back to 2.0.27 (that's more than 10 years ago). Files:
+ *qmgr/qmgr_transport.c.
+
+20070112
+
+ Bugfix (introduced 20011008): after return from nested
+ access restriction, possible longjump into exited stack
+ frame upon configuration error or table lookup error. Victor
+ Duchovni. Files: smtpd/smtpd_check.c.
+
+ Workaround: don't insert header/body blank line separator
+ in malformed attachments, to avoid breaking digital signatures.
+ Switch from header to body state, for robust MIME parsing.
+ People concerned about MIME evasion can use a MIME normalizer
+ to corrupt their user's legitimate email. File:
+ global/mime_state.c.
+
+20070114
+
+ Feature: body replacement support for Milter applications.
+ Postfix 2.3 and older 2.4 versions will be able to deliver
+ body-replaced queue files, but will report the message size
+ as it was before the body was replaced. Files: milter/milter8.c,
+ cleanup/cleanup_milter.c, cleanup/cleanup_body_region.c.
+
+20070117
+
+ Cleanup: reusable infrastructure for body replacement.
+ Files: cleanup/cleanup_body_edit.c, cleanup/cleanup_region.c.
+
+20070118
+
+ Bugfix: match lists didn't implement ![ipv6address]. Problem
+ reported by Paulo Pacheco. File: util/match_list.c.
+
+ Cleanup: revised the matchlist "!" support, added support
+ for !/file/name, and updated the documentation. File:
+ util/match_list.c.
+
+20070119-21
+
+ Cleanup: pad short message headers with a filler record,
+ so that the result is never shorter than a pointer record.
+ This immensely simplified the support for Milter header
+ modification requests: three complex loops could be replaced
+ by one simpler loop. The DTXT record type was re-purposed
+ from "deleted header text" to "short header padding", keeping
+ the change backwards compatible. Files: cleanup/cleanup_out.c,
+ cleanup/cleanup_milter.c, global/record.c.
+
+ Cleanup: the Milter "add recipient" action always added the
+ recipient to the initial envelope segment, causing added
+ recipients to be separate from "sendmail -t" recipients.
+ This violated design, without impact on delivery (always_bcc
+ recipient are always at the end of the queue file even when
+ all other recipients are in the initial segment). File:
+ global/rec_types.h.
+
+20070123
+
+ Workaround: OpenSSL falsely concludes that AES256 support
+ is present when only AES128 is available. Code by Victor
+ Duchovni. File: tls/tls_misc.c.
+
+20070125
+
+ Disable workaround pending completion of updated TLS]
+ support in non-production releases.
+
+20070131
+
+ Assorted code cleanup, portability fixes/workarounds, and
+ minor updates: global/dict_ldap.c, mantools/postlink,
+ tlsmgs/tlsmgr.c, conf/master.cf. LaMont Jones.
+
+20070101
+
+ Portability: GNU Hurd support for multiple kernel environments.
+ LaMont Jones. Files: util/sys_defs.h, makedefs.
+
+ Cleanup: some default settings were adjusted to better fit
+ today's environment: queue_run_delay and minimal_backoff_time
+ were reduced from 1000s to 300s, so that deliveries are
+ retried earlier after the first failure; ipc_idle was reduced
+ from 100s to 5s, so that tlsmgr and scache clients will
+ more quickly release unused file handles. Files:
+ global/mail_params.h, proto/postconf.5.html
+
+20070202
+
+ Catch-up: FreeBSD kqueue support. File: util/events.c.
+
+20070205
+
+ System-V poll(2) support. This is now the preferred method
+ to test a single file descriptor on sufficiently recent
+ versions of FreeBSD, NetBSD, OpenBSD, Solaris and Linux;
+ other systems will be added as evidence becomes available
+ of usable poll(2) implementations. Files: util/read_wait.c,
+ util/write_wait.c, util/readble.c, util/writable.c.
+
+ Streamlined the event_enable_read/write implementation to
+ speed up smtp-source performance, by eliminating expensive
+ kqueue/devpoll/epoll system calls when only the application
+ call-back information changes. On FreeBSD, smtp-sink/source
+ tests now run 5% faster than with the old select(2) based
+ implementation. File util/events.c.
+
+20070206
+
+ Catch-up: Solaris /dev/poll support. File: util/events.c.
+
+ Bugfix (introduced 20060823): initial state was not in state
+ machine, causing memory access outside the lookup table.
+ File: smtpstone/smtp-sink.c.
+
+20070210
+
+ Catch-up: Linux epoll support. File: util/events.c.
+
+20070211
+
+ Polished the kqueue/devpoll/epoll support; this is now
+ enabled by default on sufficiently recent versions of
+ FreeBSD, NetBSD, OpenBSD, Solaris and Linux; other systems
+ will be added as evidence becomes available of usable
+ implementations. File: util/events.c.
+
+20070212
+
+ Further polish: removed some typos from new code in the
+ events.c handler, undid some unnecessary changes to the
+ {read,write}{_wait,able}.c modules, and addressed Victor's
+ paranoia for multi-client servers with a thousand clients
+ while linked with library routines that can't handle file
+ descriptors >= FD_SETSIZE.
+
+ Cleanup: while debugging the new events.c handler, removed
+ an unnecessary "write after connect" call-back event. File:
+ global/post_mail.c.
+
+20070214
+
+ Robustness: in the queue manager keep a number of free file
+ descriptor slots at the low end, to work around library
+ routines that can't handle file descriptors >= FD_SETSIZE.
+ Files: *qmgr/qmgr_transport.c, util/vstream.[hc]
+
+20070215
+
+ Bugfix (introduced 20070114 with Milter body edit support):
+ the cleanup server terminated with a fatal error when SMTP
+ mail exceeded the message size limit, instead of handling
+ it as a non-fatal error. Files: cleanup/cleanup_extracted.c,
+ cleanup/cleanup_final.c, cleanup/cleanup_bounce.c,
+ cleanup/cleanup_api.c.
+
+20070217
+
+ Streamline the compile time selection of event handling
+ styles, replacing multiple on/off macros by just one
+ multi-valued macro. Files: util/sys_defs.h, util/events.c,
+ master/multi_server.c, *qmgr/qmgr_transport.c.
+
+20070220
+
+ Work-around: Disable SSL/TLS ciphers when the underlying
+ symmetric algorithm is not available in the OpenSSL crypto
+ library at the required bit strength. Problem observed with
+ SunOS 5.10's bundled OpenSSL 0.9.7 and AES 256. Also possible
+ with OpenSSL 0.9.8 and CAMELLIA 256. Root cause fixed in
+ upcoming OpenSSL 0.9.7m, 0.9.8e and 0.9.9 releases. Victor
+ Duchovni, Morgan Stanley. Files: src/smtp/smtp_proto.c,
+ src/smtpd/smtpd.c, src/tls/tls.h, src/tls/tls_client.c,
+ src/tls/tls_misc.c and src/tls/tls_server.c.
+
+20070222
+
+ Workaround: delayed "postfix reload" with ancient FreeBSD4
+ kqueue implementations, causing the first external or
+ internal clients after "postfix reload" to experience a
+ quick disconnect. Apparently, these kqueue implementations
+ do not deliver a read notification when the master closes
+ the per-service shared master/child status pipe (even when
+ there is only one child; note that the master keeps a handle
+ to both ends of each status pipe). A child process remains
+ ignorant that the status pipe was closed until the arrival
+ of the next client request, and then terminates. The
+ workaround is to ignore master status write errors before
+ handling a service request. Files: master/*_server.c.
+
+ Cleanup: fix race condition that caused unnecessary "premature
+ end-of-input" warning messages when "postfix reload" was
+ issued on a busy mail server. Files: util/attr_scan*c.
+
+20070223
+
+ Cleanup: syslog_name now works as documented with both
+ daemons and commands (including set-gid commands). Files:
+ global/mail_task.c postlog/postlog.c, global/mail_version.h,
+ sendmail/sendmail.c, postsuper/postsuper.c, postalias/postalias.c,
+ postmap/postmap.c, postqueue/postqueue.c, postdrop/postdrop.c,
+ master/trigger_server.c, master/single_server.c,
+ master/multi_server.c.
+
+20070224
+
+ Workaround: GNU POP3D creates a new mailbox and deletes the
+ old one. Postfix now backs off and retries delivery later,
+ instead of appending mail to a deleted file. To minimize
+ the use of this workaround, Postfix now by default creates
+ mailbox dotlock files on all systems, and creates dotlock
+ files before opening mailbox files. Files: util/sys_defs.h,
+ global/mbox_open.c.
+
+20070301
+
+ Workaround: updated workaround for broken Solaris accept().
+ File: util/inet_listen.c.
+
+ Workaround: on some FreeBSD versions, accept(2) can fail
+ with a bogus EINVAL error. We now allow accept(2) to fail
+ for a limited number of times before terminating the process.
+ Files: master/single_server.c, master/multi_server.c.
+
+20070306
+
+ Bugfix (introduced with Postfix 2.3 Milter support): postdrop
+ reported "illegal seek" instead of "file too large". File:
+ postdrop/postdrop.c.
+
+20070310
+
+ Cleanup: specify "undisclosed_recipients_header =" to disable
+ Postfix's "To: undisclosed-recipients:;" header for mail
+ that lists no recipient. The To: header is not required as
+ of RFC 2822. The undisclosed_recipients_header parameter
+ value can now be an empty string, a value that was not
+ allowed with earlier Postfix versions. With Postfix 2.5 it
+ will be empty by default. Files: cleanup/cleanup.c,
+ cleanup/cleanup_message.c.
+
+20070312
+
+ Backwards compatibility: don't pad short message header
+ records when Milter support is turned off. This maintains
+ compatibility with Postfix versions that pre-date Milter
+ support. File: cleanup/cleanup_out.c.
+
+20070314
+
+ Bitrot: move the "don't run this daemon by hand" message
+ before other tests. Files: master/*server.c.
+
+20070315
+
+ Bitrot: New OpenLDAP APIs deprecate simplified interfaces,
+ that are the only ones available in Sun's LDAP SDK. Define
+ suitable macros that work with new OpenLDAP and Sun's code.
+ Victor Duchovni, Morgan Stanley. File: src/global/dict_ldap.c
+
+ Cleanup: new "leaf" and "terminal" result attributes support
+ fine-tuning of LDAP group expansion, and provide a solution
+ for the problem case where DN recursion returns both the
+ group address and the addresses of the member objects.
+ Victor Duchovni, Morgan Stanley. Files: src/global/dict_ldap.c,
+ proto/LDAP_README.html, proto/ldap_table
+
+20070317
+
+ Idioten Sicherheit: stamp every executable file and every
+ core dump file with "mail_version=xxxxx". Adding version
+ stamps and checks to every IPC message is too much change
+ after code freeze, and requires too much time for testing.
+ File: src/global/mail_version.h and every main program file.
+
+20070320
+
+ Bugfix (introduced between 20070120 and 20070121): the
+ cleanup server stored no "delayed mail warning" queue file
+ records with "sendmail -t", and no header_checks filter/redirect
+ records or content encoding records with other mail. File:
+ global/rec_type.h.
+
+20070321
+
+ Bugfix (introduced 20070224): local(8) or virtual(8) could
+ log a misleading error message after failure to open a
+ mailbox file. File: global/mbox_open.c.
+
+ Bugfix (code should have been updated 20070104): the proxymap
+ client did not propagate changes in case folding flags.
+ Currently, nothing in Postfix uses this functionality.
+ File: global/dict_proxy.c.
+
+20070325
+
+ Bugfix: postfix-install didn't work for symlink or hardlink
+ targets, when the parent directory had a value of "no".
+
+20070326
+
+ Workaround: Eric Raymond's man page formatters don't handle
+ low-level *roff .in or .ti controls. We now use .nf and .fi
+ instead. Files: many.
+
+20070331
+
+ Bugfix (introduced Postfix 2.3): segfault with HOLD action
+ in access/header_checks/body_checks on 64-bit platforms.
+ File: cleanup/cleanup_api.c.
+
+20070402
+
+ Portability (introduced 20070325): the fix for hardlinks
+ and symlinks in postfix-install forgot to work around shells
+ where "IFS=/ command" makes the IFS setting permanent. This
+ is allowed by some broken standard, and affects Solaris.
+ File: postfix-install.
+
+ Portability (introduced 20070212): the workaround for
+ non-existent library bugs with descriptors >= FD_SETSIZE
+ broke with "fcntl F_DUPFD: Invalid argument" on 64-bit
+ Solaris. Files: master/multi_server.c, *qmgr/qmgr_transport.c.
+
+20070405
+
+ Feature: BCC access/policy action, to demonstrate that this
+ is not a good feature. The action's behavior is non-intuitive
+ and requires too much documentation to explain. It's
+ therefore snapshot only. File: smtpd/smtpd_check.c.
+
+20070414
+
+ Cleanup: expire cached results from address rewriting, address
+ resolution, and from transport map lookups. Results expire
+ after 30 seconds; short enough that it doesn't freak out
+ people who run the same test repeatedly, and long enough
+ that it doesn't upset other people with continuous streams
+ of "*" transport map lookups. Files: global/rewrite_clnt.c,
+ global/resolve_clnt.c, trivial-rewrite/transport.c.
+
+20070421
+
+ Cleanup: on (Linux) platforms that cripple signal handlers
+ with deadlock, "postfix stop" now forcefully stops all the
+ processes in the master's process group, not just the master
+ process alone. File: conf/postfix-script.
+
+20070422
+
+ Cleanup: the "Delivered-To:" loop detection implementation
+ was moved from the local(8) delivery agent to the library,
+ where it can also be used by other delivery agents. Files:
+ global/delivered_hdr.[hc].
+
+ Safety: the "Delivered-To:" loop detection implementation
+ keeps state for no more than 1000 "Delivered-To:" headers.
+
+ Feature: $domain command-line macro support, to get access
+ to the recipient address domain portion. Based on code by
+ Koen Vermeer. File: pipe/pipe.c.
+
+ Cleanup: support for "Delivered-To:" loop detection in the
+ pipe(8) delivery agent. This follows a general principle:
+ if a program creates the "Delivered-To:" header, then it
+ is also responsible for "Delivered-To:" loop detection.
+ File pipe/pipe.c.
+
+20070423
+
+ The cache expiring transport map lookups did not distinguish
+ between wildcard transport map entry with an "empty" transport
+ field, or no wildcard transport map entry.
+
+20070424
+
+ Cleanup: making hard-coded behavior configurable. In this
+ case, extracting 8BITMIME encoding information from
+ Content-Transfer-Encoding: message headers. The default
+ behavior, "detect_8bit_encoding_header = yes", is backwards
+ compatible. This behavior was introduced to generate
+ RFC-compliant bounce messages before Postfix supported the
+ 8BITMIME option in the MAIL FROM command and on the Postfix
+ sendmail command line. Files: cleanup/cleanup_init.c,
+ cleanup/cleanup_message.c, global/mail_params.h.
+
+20070425
+
+ Bugfix: don't falsely report "lost connection from
+ localhost[127.0.0.1]" when Postfix is being portscanned.
+ Files: smtpd/smtpd_peer.c, qmqpd/qmqpd_peer.c.
+
+20070429
+
+ Feature: "postfix status" to report whether Postfix is
+ running. By Mike Cappella.
+
+ Cleanup: configurable address case folding moved from the
+ pipe(8) delivery agent to the library, where it can also
+ be used by other delivery agents. Files: global/fold_addr.[hc].
+
+20070430
+
+ Robustness: recommend a "0" process limit for policy servers
+ to avoid "connection refused" problems when the smtpd process
+ limit exceeds the default process limit. File:
+ proto/SMTPD_POLICY_README.html.
+
+20070501
+
+ Workaround: turn on KEEPALIVE probes to avoided "lost
+ connection after sending end-of-data" problems when some
+ stateful (NAT) filter expires an idle connection too soon.
+ This requires that the kernel's TCP keepalive timer be set
+ to a sufficiently short time (perhaps 100s or less). Files:
+ util/sane_accept.c, util/sane_connect.c.
+
+ Safety: when IPv6 (or IPv4) is turned off, don't treat an
+ IPv6 (or IPv4) connection from e.g. inetd as if it comes
+ from localhost[127.0.0.1]. Files: smtpd/smtpd_peer.c,
+ qmqpd/qmqpd_peer.c.
+
+20070502
+
+ Workaround: build without EPOLL support when an epoll-enabled
+ kernel sits underneath a retarded libc. File: makedefs.
+
+ Cleanup: missing support for SASL security properties with
+ Dovecot SASL authentication. Based on an initial version
+ by Lev A. Serebryakov. File: xsasl/xsasl_dovecot_server.c.
+
+20070503
+
+ Cleanup: changed the default address verification sender
+ from "postmaster" to "double-bounce", so that the Postfix
+ SMTP server no longer surprises unsuspecting people by
+ excluding "postmaster" from SMTPD access controls. File:
+ global/mail_params.h.
+
+20070508
+
+ Bugfix: Content-Transfer-Encoding: attribute values are
+ case insensitive. File: src/cleanup/cleanup_message.c.
+
+20070514
+
+ Bugfix: the makedefs EPOLL workaround broke any attempt to
+ build on a 2.6 kernel. And that two weeks after the workaround
+ had been posted to the mailing list. File: makedefs.
+
+ Bugfix: mailbox_transport(_maps) and fallback_transport(_maps)
+ were broken when used with the error(8) or discard(8)
+ transports. Cause: insufficient documentation. Files:
+ error/error.c, discard/discard.c.
+
+20070520
+
+ Bugfix (problem introduced Postfix 2.3): when DSN support
+ was introduced it broke "agressive" recipient duplicate
+ elimination with "enable_original_recipient = no". File:
+ cleanup/cleanup_out_recipient.c.
+
+20070523
+
+ Feature: cyrus_sasl_config_path to specify a search path
+ for Cyrus SASL configuration files (currently used only to
+ locate the smtpd.conf file). Based on code by Victor
+ Duchovni. Files: smtpd/smtpd.c xsasl/xsasl_cyrus_server.c,
+ (and xsasl/xsasl_cyrus_client.c for future expansion).
+
+20070525
+
+ Bugfix (introduced 20070523): the sasl_set_path() function
+ name was mis-speeled.
+
+20070529
+
+ Bugfix (introduced Postfix 2.3): the sendmail/postdrop
+ commands would hang when trying to submit a message larger
+ than the per-message size limit. File: postdrop/postdrop.c.
+
+20070530
+
+ Sabotage the saboteur who insists on breaking Postfix by
+ adding gethostbyname() calls that cause maildir delivery
+ to fail when the machine name is not found in /etc/hosts,
+ or that cause Postfix processes to hang when the network
+ is down.
+
+20070531
+
+ Portability: Victor helpfully pointed out that change
+ 20070425 broke on non-IPv6 systems. Files: smtpd/smtpd_peer.c,
+ qmqpd/qmqpd_peer.c.
+
+20070610
+
+ Isolation: don't allow the pipe(8) delivery agent to leak
+ postdrop group privileges with "user=xxx:postdrop". File:
+ pipe/pipe.c.
+
+20070613
+
+ Bugfix: the Milter client assumed that a Milter application
+ does not modify the message header or envelope, after that
+ same Milter application has modified the message body of
+ that same email message. This is not a problem with updates
+ by different Milter applications. Problem was triggered
+ by Jose-Marcio Martins da Cruz. Also simplified the handling
+ of queue file update errors. File: milter/milter8.c.
+
+20070614
+
+ Workaround: some non-Cyrus SASL SMTP servers require SASL
+ login without authzid (authoriZation ID), i.e. the client
+ must send only the authcid (authentiCation ID) + the authcid's
+ password. In this case the server is supposed to derive
+ the authzid from the authcid. This works as expected when
+ authenticating to a Cyrus SASL SMTP server. To get the old
+ behavior specify "send_cyrus_sasl_authzid = yes", in which
+ case Postfix sends the (authzid, authcid, password), with
+ the authzid equal to the authcid. File: xsasl/xsasl_cyrus_client.c.
+
+20070619
+
+ Portability: /dev/poll support for Solaris chroot jail setup
+ scripts. Files: examples/chroot-setup/Solaris8,
+ examples/chroot-setup/Solaris10.
+
+20070713
+
+ The RFC documents at www.faqs.org are being polluted with
+ "feedback" spam. The Postfix hypertext documentation now
+ points to tools.ietf.org. File: mantools/postlink.
+
+20070719
+
+ Feature: updated smtp-sink with new options to send a
+ pre-formatted message from file, and to handle replies other
+ than the expected 2xx or 3xx. File: smtpstone/smtp-source.c.
+
+ Cleanup: Milter client error handling, so that the (Postfix
+ SMTP server's Milter client) does not get out of sync with
+ Milter applications after the (cleanup server's Milter
+ client) encounters some non-recoverable problem. Files:
+ milter/milter8.c, smtpd/smtpd.c.
+
+20070720
+
+ Support for RFC 4954 (SASL AUTH, updates RFC 2554, refines
+ some reply codes and introduces DSN enhanced status codes)
+ and RFC 3848 ("Received ... with ESMTPS?A? ...). Currently,
+ support for the latter is always on. Files: smtpd/smtpd.c,
+ smtpd/smtpd_sasl_proto.c, smtpd/smtpd_sasl_glue.c.
+
+20070727
+
+ Workaround: the queue manager no longer logs a warning for
+ mail sent to the local double-bounce address (normally, the
+ this is used as the sender while reporting an undeliverable
+ bounce message to the local postmaster). As of 20070503
+ the local double-bounce address is the default sender for
+ sender/recipient address verification probes, and it now
+ shows up as a spam target. Files: *qmgr/qmgr_message.c.
+
+20070729
+
+ Performance: fix for poor TCP performance for loopback
+ (127.0.0.1) connections. Problem reported by Mark Martinec.
+ Files: util/vstream.c, util/vstream_tweak.c, milter/milter8.c,
+ smtp/smtp_connect.c, smtpstone/*source.c.
+
+20070730
+
+ Bugfix: when a milter replied with ACCEPT at or before the
+ first RCPT command, the cleanup server would apply the
+ non_smtpd_milters setting as if the message was a local
+ submission. Problem reported by Jukka Salmi. Also, the
+ cleanup server would get out of sync with the milter when
+ a milter replied with ACCEPT at the DATA command. Files:
+ cleanup/cleanup_envelope.c, smtpd/smtpd.c, milter/milters.c.
+
+20070811
+
+ Cleanup: unlike smtpd_mumble_restrictions, the Postfix SMTP
+ server Milter reject logging did not show the (helo argument,
+ sender address, or recipient address) that was being rejected.
+ File: smtpd/smtpd.c.
+
+20070824
+
+ Bugfix (introduced snapshot 20070429): the pipe(8) delivery
+ agent 'q' flag (quote address local-part) used the same bit
+ mask as the 'B' flag (append blank line). Setting one flag
+ also turned on the other. File: pipe/pipe.c.
+
+ Feature: specify the 'X' flag to indicate that the pipe(8)
+ delivery agent performs final delivery. This changes the
+ status in DSN "success" messages from "relayed" into
+ "delivered". File: pipe/pipe.c.
+
+20070904-6
+
+ Feature: stress-adaptive behavior. When a "public" network
+ service runs into an "all processes are busy" condition,
+ the master(8) daemon logs a warning, restarts the service,
+ and runs it with "-o stress=yes" on the command line (normally
+ it runs the service with "-o stress="). This can be used
+ to make main.cf parameter settings stress dependent.
+ Examples: "smtpd_timeout = ${stress?10}${stress:300}" and
+ "smtpd_hard_error_limit = ${stress?1}${stress:20}". Files:
+ master/master_avail.c, master/master_spawn.c, master/master_ent.c.
+
+20070911
+
+ Bugfix (introduced Postfix 2.2.11): TLS client certificate
+ with unparsable canonical name caused the SMTP server's
+ policy client to allocate zero-length memory, triggering
+ an assertion that it shouldn't do such things. File:
+ smtpd/smtpd_check.c.
+
+20070912
+
+ Bugfix (introduced Postfix 2.4) missing initialization of
+ event mask in the event_mask_drain() routine (used by the
+ obsolete postkick(1) command). Found by Coverity. File:
+ util/events.c.
+
+20070917
+
+ Workaround: the flush daemon forces an access time update
+ for the per-destination logfile, to prevent an excessive
+ rate of delivery attempts when the queue file system is
+ mounted with "noatime". File: flush/flush.c.
+
+20070923
+
+ Cleanup: don't complain when a "corrupt" queue file is
+ deleted before it can be saved to the "corrupt" queue.
+ Files: *qmgr/qmgr_active.c.
+
+20071003
+
+ Logging: the Postfix SMTP server now logs the number of
+ bytes received after the DATA command when a connection
+ breaks before mail delivery completes. This may help finding
+ the cause of the problem: packet loss, MTU, or other. File:
+ smtpd/smtpd.c.
+
+20071004
+
+ Logging: all daemons now log the TCP port number of remote
+ SMTP or QMQP clients. The information is overruled with
+ the SMTP XCLIENT command, is propagated through SMTP-based
+ content filters with XFORWARD, and is sent to Milter
+ applications. Files: smtpd/smtpd_peer.c, smtpd/smtpd.c,
+ smtpd/smtpd_proxy.c, smtpd/smtpd_milter.c, qmqpd/qmqpd_peer.c,
+ cleanup/cleanup_milter.c, *qmgr/qmgr_message.c,
+ *qmgr/qmgr_deliver.c, smtp/smtp_proto.c, pipe/pipe.c,
+ global/deliver_request.c, global/deliver_pass.c,
+ proto/XFORWARD_README, proto/XCLIENT_README.
+
+ Feature: per-command delays in smtp-sink. File:
+ smtpstone/smtp-sink.c. Victor Duchovni.
+
+20071006
+
+ Cleanup: updated a bunch of hard-coded host[addr] logging
+ statements. Files: smtpd/smtpd.c, smtpd/smtpd_chat.c,
+ smtpd/smtpd_sasl_glue.c.
+
+ Cleanup: client port logging is now configurable (off by
+ default). Parameters: smtpd_client_port_logging and
+ qmqpd_client_port_logging. Files: smtpd/smtpd_peer.c,
+ qmqpd/qmqpd_peer.c.
+
+ Cleanup: send client port information "0" instead of "unknown"
+ to Milter applications. Files: smtpd/smtpd.c, smtpd/smtpd_milter.c,
+ cleanup/cleanup_milter.c.
+
+20071025
+
+ Portability: on Linux we no longer need /proc to find out
+ local IPv6 interface address information. LaMont Jones.
+ Files: util/sys_defs.h.
+
+20071030
+
+ Bugfix (introduced Postfix 2.3): Postfix mistakenly enforced
+ the 64kbyte limit (for sending body parts TO Milter
+ applications) also while receiving packets FROM Milter
+ applications. The limit is now at least 1GB. File:
+ milter/milter8.c.
+
+20071105
+
+ Feature: ORIGINAL_RECIPIENT environment variable. Corey
+ Hickey. File: local/local.c.
+
+20071108-10
+
+ Feature: general-purpose header/body_checks library module,
+ first used in the SMTP client. Actions that change the
+ message delivery time or destination can be implemented
+ with a simple extension mechanism (they make sense only in
+ before-queue filters). Configuration parameters:
+ smtp_header_checks, smtp_mime_header_checks,
+ smtp_nested_header_checks, smtp_body_checks. Unlike the
+ cleanup server, the mime and nested header checks don't by
+ default assume the header_checks value. Files:
+ global/header_body_checks.[hc], smtp/smtp_proto.c,
+ smtp/smtp_session.c.
+
+20071110
+
+ Feature: ${original_recipient} command-line macro. Corey
+ Hickey. File: pipe/pipe.c.
+
+ Bugfix (introduced: 20071004) missing exception handling
+ in smtp-sink per-command delay feature. Victor Duchovni.
+ File: smtpstone/smtp-sink.c.
+
+2007117-20
+
+ Revised queue manager with separate mechanisms for
+ per-destination concurrency control and dead destination
+ detection. The concurrency control supports non-integer
+ feedback for more gradual concurrency adjustments, and uses
+ hysteresis to avoid rapid oscillations. A destination is
+ declared "dead" after a configurable number of pseudo-cohorts
+ (number of deliveries equal to a destination's concurrency)
+ reports connection or handshake failure. This work began
+ with a discussion that Wietse started with Patrik Rak and
+ Victor Duchovni late January 2004, and that Victor revived
+ late October 2007. To establish a baseline for further
+ improvement, Wietse implemented a few simple mechanisms.
+
+ Configuration parameters for debugging, positive/negative
+ hysteresis, and positive/negative feedback. Some have since
+ been removed or renamed, so no point naming them here.
+ Files: global/mail_params.h, qmgr/qmgr_queue.c,
+ qmgr/qmgr_deliver.c.
+
+20071121
+
+ Boundary condition: Patrik Rak pointed out that handling
+ of negative feedback with concurrency window 1 could
+ be improved.
+
+ Feature: support to look up null sender addresses in
+ sender-dependent relayhost maps. Parameter name:
+ empty_address_relayhost_maps_lookup_key (default; <>).
+ Keean Schupke. File: trivial-rewrite/resolve.c.
+
+20071127-9
+
+ Revision 2 of queue manager scheduler interface, allowing
+ feedback parameter settings with constants and variables
+ such as 1/8 or 1/concurrency. Some experimental parameters
+ were removed and others were renamed. The new names are:
+ default_destination_concurrency_negative_feedback,
+ default_destination_concurrency_positive_feedback,
+ default_destination_concurrency_failed_cohort_limit,
+ destination_concurrency_feedback_debug.
+
+ Also available are transport-specific overrides:
+ <transport>_initial_destination_concurrency,
+ <transport>_destination_concurrency_negative_feedback,
+ <transport>_destination_concurrency_positive_feedback,
+ <transport>_destination_concurrency_failed_cohort_limit.
+
+ Files: global/mail_params.h, *qmgr/qmgr.c, *qmgr/qmgr_transport.c,
+ *qmgr/qmgr_queue.c, *qmgr/qmgr_feedback.c, postconf/auto.awk.
+
+20071202
+
+ Feature: output rate control. For example, specify
+ "smtp_destination_rate_delay = 5m" to insert a five-minute
+ delay between deliveries. This was an opportunity to define
+ the mutually exclusive states that a queue can have, and
+ to detect invalid transitions. This will make adding new
+ features code easier. Files: *qmgr/qmgr_transport.c,
+ *qmgr/qmgr_queue.c, *qmgr/qmgr_entry.c.
+
+ Bugfix (introduced Postfix 2.2): don't update the back-to-back
+ delivery time stamp while deferring mail. File: *qmgr/qmgr_entry.c.
+
+20071203
+
+ Feature: support for read-write tables in the proxymap
+ service. This is implemented with a separate master.cf entry
+ named "proxywrite" that should run with process limit of 1
+ if you want to update Berkeley DB like tables. This feature
+ requires that tables be authorized with the proxy_write_maps
+ configuration parameter. Files: global/dict_procy.[hc],
+ proxymap/proxymap.c.
+
+ Human factors: the postmap and postalias commands now produce
+ nicer diagnostics when asked to do something with a proxied
+ map that they can't do. Files: postmap/postmap.c,
+ postalias/postalias.c.
+
+ Bugfix: the proxymap client didn't properly propagate user
+ options to the proxymap server. File: util/dict.h.
+
+ Workaround: force synchronous updates in the proxymap server
+ so that maps will be in a consistent state between updates.
+ File: proxymap/proxymap.c.
+
+ Bugfix: an empty rate-limited queue wasn't removed after
+ timer expiry. Files: *qmgr/qmgr_queue.c.
+
+20071204
+
+ Use different sockets for proxymap (read-only) and proxywrite
+ (read-write) services in the proxy: client. Victor Duchovni.
+ File: global/dict_proxy.c.
+
+ Feature: proxymap delete support by Victor Duchovni. Files:
+ global/dict_proxy.c, proxymap/proxymap.c.
+
+ Feature: proxymap delete support. Files: postmap/postmap.c
+ postalias/postalias.c.
+
+ Cleanup: the Postfix sendmail command did not include the
+ user (name/uid) information in all error messages. File:
+ sendmail/sendmail.c.
+
+ Feature: data_directory configuration parameter for
+ Postfix-writable data such as caches and random numbers.
+ Files: postfix-install, conf/postfix-files.
+
+20071206
+
+ Security: tlsmgr(8) and verify(8) no longer use root
+ privileges when opening their cache files. This avoids a
+ potential security loophole where the ownership of a file
+ (or directory) does not match the trust level of the content
+ of that file (or directory). See RELEASE_NOTES for how to
+ use pre-existing data. Files: util/set_eugid.[hc],
+ tlsmgr/tlsmgr.c, verify/verify.c.
+
+ Compatibility: as a migration tool, redirect attempts by
+ tlsmgr(8) or verify(8) to open files in non-Postfix directories
+ to the Postfix-owned data_directory. File: global/data_redirect.c.
+
+ Lots of pathname fixes in the examples of TLS_README and
+ postconf(5); -lm library screw-up in queue manager Makefiles.
+
+20071207
+
+ Cleanup: pathname fixes in documentation; unnecessary queue
+ scan in the queue manager rate limiter; inverse square root
+ feedback in the queue manager concurrency scheduler. Files:
+ mantools/postlink, proto/TLS_README.html, *qmgr/qmgr_queue.c.
+
+ All changes up to this point should be ready for Postfix 2.5.
+
+ Documentation: updated nqmgr preemptive scheduler documentation
+ by Patrik Rak. File: proto/SCHEDULER_README.html.
+
+20071211
+
+ Bugfix (introduced 19980315): the "write" equivalent of
+ bugfix 20030104. File: util/vstream.c.
+
+20071212
+
+ Feature: "stress=" or "stress=yes" attribute in the SMTPD
+ policy delegation protocol. File: smtp/smtpd_check.c.
+
+ Cleanup: allow_min_user now rejects recipients (and senders)
+ starting with '-' at SMTP session time. To make this possible
+ the feature was moved from qmgr(8) to trivial-rewrite(8).
+ Files: *qmgr/qmgr_message.c, trivial-rewrite/resolve.c.
+
+20071213:
+
+ Cleanup: the queue manager and SMTP client now distinguish
+ between connection cache store and retrieve hints. Once the
+ queue manager enables connection caching (store and load)
+ hints on a per-destination queue, it keeps sending connection
+ cache retrieve hints to the delivery agent even after it
+ stops sending connection cache store hints. This prevents
+ the SMTP client from making a new connection without checking
+ the connection cache first. Victor Duchovni. Files:
+ *qmgr/qmgr_entry.c, smtp/smtp_connect.c.
+
+ Bugfix (introduced Postfix 2.3): the SMTP client never
+ marked corrupt files as corrupt. Victor Duchovni. File:
+ smtp/smtp_proto.c.
+
+ Cleanup: the SMTP client won't mark a destination as
+ unavailable when at least one SMTP session was completed
+ without connect or handshake error. Victor Duchovni. Files:
+ smtp/smtp_connect.c, smtp/smtp_session.c, smtp/smtp_proto.c,
+ smtp/smtp_trouble.c.
+
+20071215
+
+ Documentation and code cleanup. Files: global/deliver_request.h,
+ *qmgr/qmgr_entry.c, smtp/smtp_connect.c,
+ proto/SCHEDULER_README.html.
+
+ Bugfix (introduced snapshot 20071006): qmqpd ignored the
+ qmqpd_client_port_logging parameter setting. File:
+ qmqpd/qmqpd.c.
+
+20071216
+
+ Cleanup: show the remote SMTP server port in verbose logging,
+ warnings and postmaster notices. Still don't show the port
+ in delivery status notifications. Files: smtp/smtp_chat.c,
+ smtp/smtp_sasl_glue.c, smtp/smtp_sasl_proto.c.
+
+ The "tls_require_cert" is now compatible with OpenLDAP 2.1
+ and later. Victor Duchovni. Files: proto/ldap_table,
+ global/dict_ldap.c.
+
+20071218
+
+ Cleanup: removed the "#ifdef USE_LIBMILTER_INCLUDES"
+ dependencies on system-installed Milter protocol include
+ files. Verified that the object code has not changed. File:
+ milter/milter8.c.
+
+ Sanity check: idiot filter to detect attempts to use the
+ same database file for different TLS session caches. File:
+ tlsmgr/tlsmgr.c.
+
+ Cleanup: updated the spell check stoplist and the spell
+ check script. Files: mantools/spell, proto/stop.
+
+ Cleanup: replaced documentation references to xxgdb by ddd.
+ The xxgdb program hasn't been updated in more than 10 years.
+ Files: proto/postconf.proto, conf/main.cf.
+
+20071219-20
+
+ Feature: support for all new Sendmail 8.14 Milter features
+ except SMFIR_SKIP (skip further events of this type),
+ SMFIP_RCPT_REJ (report rejected recipients to the mail
+ filter), SMFIR_CHGFROM (replace sender, with optional ESMTP
+ command parameters), and SMFIR_ADDRCPT_PAR (add recipient,
+ with optional ESMTP command parameters). Files: milter/milters.c,
+ milter/milter8.c, milter/test-milter.c, cleanup/cleanup_milter.c.
+
+20071221
+
+ Feature: support for Sendmail 8.14 Milter SMFIR_SKIP (skip
+ further events of this type). Files: milter/milter8.c,
+ milter/test-milter.c.
+
+ Cleanup: don't try sending HELO after a 421 EHLO reply.
+ File: smtp/smtp_proto.c.
+
+20071221-nonprod
+
+ Using 20071221 as reference point.
+
+ Cleanup: Simplified TLS library cipher and protocol API to
+ just pass string-valued properties to tls_client_init() and
+ tls_client_start(). The client is now agnostic of the
+ mechanics of cipher management internal to the library. The
+ main.cf parameters used internally in the library are now
+ loaded by the library, not the caller. Files:
+ src/smtp/lmtp_params.c, src/smtp/smtp.c, src/smtp/smtp.h,
+ src/smtp/smtp_params.c, src/smtp/smtp_proto.c,
+ src/smtp/smtp_session.c, src/smtpd/smtpd.c, src/tls/tls.h,
+ src/tls/tls_client.c, src/tls/tls_level.c, src/tls/tls_misc.c,
+ src/tls/tls_server.c, src/tls/tls_session.c, src/tls/tls_verify.c
+ and src/tlsmgr/tlsmgr.c
+
+ Cleanup: Client session lookup key "salting" is now handled
+ internally in the tls library. Files: src/tls/tls_client.c
+
+ Cleanup: Cipher state is cached, and only updated when
+ necessary. Files: src/tls/tls_misc.c
+
+ Feature: Extended the syntax of protocol selection to allow
+ exclusions as well as inclusions. Files: src/tls/tls_misc.c
+
+ Cleanup: Updated default verification depth to match reality:
+ default is 9 in OpenSSL and we don't yet override it. When
+ we do (soon), the default will match previous behavior.
+ Files: src/global/mail_params.h
+
+ Bugfix: Reference to obsolete "pfixtls" code won't compile
+ inside #ifdef for OpenSSL <= 0.9.5a. Using an OpenSSL release
+ that old has not been tested for some time, but may now
+ work. Files: src/tls/tls_bio_ops.c.
+
+ Replaced "void *" TLS library application handles by explicit
+ pointer types, while hiding data structure implementation
+ details from the TLS library users. Files: tls/tls_client.c,
+ tls/tls_server.c, smtp/smtp.c, smtpd/smtpd.c.
+
+ The TLS library no longer modifies VSTRINGs passed in by
+ the caller. Where possible, information is passed as "const"
+ from application to library. Files: smtp/smtp_proto.c,
+ tls/tls_client.c.
+
+20071227-nonprod
+
+ Replaced explicit initialization of props structures by
+ emulating function calls with named parameter lists. Files:
+ tls/tls.h, smtp/smtp.c, smtp/smtp_proto.c, smtpd/smtpd.c.
+
+20071222
+
+ Further polishing of the Milter code and logging. File:
+ milter/milter8.c.
+
+20071123
+
+ Further polishing of the Milter code. With SETSYMLIST, each
+ Milter can now update its own macros instead of clobbering
+ the global copy that is shared with other Milters. Also an
+ opportunity to clean up some ad-hoc code for sending macro
+ lists from smtpd(8) to cleanup(8). Files: milter/milter.c,
+ milter/milter8.c, milter/milter_macros.c.
+
+20071224
+
+ Further polishing of the Milter code. Eliminated unnecessary
+ steps from the initial smtpd/cleanup Milter handshake. Files:
+ milter/milter.c, milter/milter8.c, milter/milter_macros.c.
+
+ Cleanup: name_code(3) and name_mask(3) now support read-only
+ tables. Files: util/name_code.[hc], util/name_mask.[hc].
+
+20071227
+
+ Cleanup: further refinements of the Milter code, allowing
+ for multiple macro overrides. The code is now ready for
+ serious testing. File: milter/milter8.c.
+
+20071229
+
+ Bugfix: the Milter client did not replace the Postfix-specific
+ form for unknown host names by the Sendmail-specific form.
+ File: milter/milter8.c.
+
+ Cleanup: when a cleanup milter reports a problem don't log
+ generic "4.3.0 Sevice unavailable", but log the text for
+ the actual error. File: cleanup/cleanup_milter.c.
+
+20080102-nonprod
+
+ SMTP client fingerprint security level support and configurable
+ fingerprint digest algorithm. Victor Duchovni. Files:
+ smtp/lmtp_params.c, smtp/smtp.c, smtp/smtp.h,
+ src/smtp/smtp_params.c, src/smtp/smtp_proto.c,
+ src/smtp/smtp_session.c, tls/tls_client.c, tls/tls_level.c,
+ tls/tls_verify.c.
+
+20080103-nonprod
+
+ Missed "invalid TLS configuration" patch for SMTP client.
+ Victor Duchovni. File: smtp/smtp_proto.c.
+
+ SMTP server configurable fingerprint digest algorithm.
+ Victor Duchovni. Files: smtpd/smtpd.c, tls/tls.h,
+ tls/tls_server.c, tls/tls_verify.c.
+
+20080104-nonprod
+
+ Cleanup: finally implemented certificate verification depth
+ limit parameters. Prior to Postfix 2.5 these were ignored.
+ For backwards compatibility, the default verification depth
+ limit is now 9, the OpenSSL default. Victor Duchovni. Files:
+ src/tls/tls_client.c, src/tls/tls_server.c, src/tls/tls_verify.c.
+
+ Robustness: Avoid possibility of NULL pointer issues in
+ application code that checks certificate names, by providing
+ "empty string" values when no data is available. Victor
+ Duchovni. Files: src/tls/tls_verify.c, src/tls/tls_client.c,
+ src/tls/tls_server.c, src/smtpd/smtpd_check.c, src/smtpd/smtpd.c.
+
+ Cleanup: separation of TLS handshake from security level
+ enforcement. The library shakes hands; the application
+ decides if the resulting security is acceptable. Victor
+ Duchovni. Files: smtpd/smtpd.c, smtpd/smtpd_proto.c,
+ tls/tls_server.c, tls/tls_client.c, tls/tls_verify.c.
+
+ Robustness: more robust processing of ASN.1 string attributes
+ in x509v3 certificates, plus additional sanity checks (e.g.
+ embedded null characters). Victor Duchovni. File:
+ src/tls/tls_verify.c.
+
+20080104
+
+ Workaround: minor change to the Dovecot AUTH request to
+ prevent dovecot-auth memory wastage. Timo Sirainen. File:
+ xsasl/xsasl_dovecot_server.c.
+
+20080105-nonprod
+
+ Cleanup: renamed TLS-related symbols for consistency (always
+ include the init, start, stop prefix in the TLS library
+ function and data structure names; consistently distinguish
+ between per-application TLS state and per-session TLS state;
+ consistently use the fpt prefix for fingerprint related
+ variables and structure members; consistent use of monocase
+ typedef-ed names).
+
+20080106-nonprod
+
+ Cleanup: consistent use of <pre> and <blockquote> in examples;
+ instead of emphasizing new Postfix 2.5 behavior in reference
+ documentation, describe the new behavior as "current", with
+ historical behavior as a supplemental note.
+
+20080107
+
+ Feature: new "pass" service type (in addition to "inet",
+ "unix" and "fifo"). The "pass" service type supports
+ front-end daemons that accept all inbound connections and
+ that permit only well-behaved clients to talk to the MTA.
+ This service type had been sitting in the master daemon for
+ years but was disabled by default. Actual applications for
+ this will have to be developed later. Files: util/upass_connect.c,
+ util/upass_trigger.c.
+
+20080108
+
+ Cleanup: where possible, store data structures in read-only
+ memory. Besides the security advantage of no write access,
+ this also gives slightly better memory utilization when
+ many processes execute the same file. Files: pretty much
+ everything that has a static table, except for a few tables
+ in the benchmark tools with flags that are controlled by
+ command-line information.
+
+20080109
+
+ Cleanup: more read-only data. Files: everything that passes
+ around a HEADER_OPTS pointer.
+
+20080112
+
+ Safety: optional lookup table to prevent the Postfix SMTP
+ client from making repeated SASL login failures with the
+ same hostname, username and password. This introduces new
+ parameters: smtp_sasl_auth_cache_name, smtp_sasl_auth_cache_time.
+ Based on code by Keean Schupke. Files: smtp/smtp_sasl_glue.c,
+ smtp/smtp_sasl_auth_cache.c.
+
+ Safety: the Postfix SMTP client now by default defers mail
+ after the server rejects a SASL login attempt with a 535
+ status code. Specify "smtp_sasl_auth_soft_bounce = no" to
+ get the earlier behavior. Based on code by Keean Schupke.
+ Files: smtp/smtp_sasl_glue.c.
+
+20080114
+
+ Safety: the smtpd_client_new_tls_session_rate_limit setting
+ now also limits the number of failed TLS handshakes. This
+ limits the impact of broken configurations. File: smtpd/smtpd.c.
+
+20080115
+
+ Bugfix (introduced 20080112): Patrik Rak found two bugs
+ that largely canceled each other out, causing Postfix not
+ to complain about a missing "proxy:" prefix with the new
+ smtp_sasl_auth_cache_name parameter setting. File:
+ smtp/smtp_sasl_glue.c.
+
+ Documentation: new SOHO_README file for small/home offices.
+ The text is automatically generated from bits and pieces of
+ information that are scattered across other documents.
+ File: mantools/make_soho_readme.
+
+20080116
+
+ Bugfix (introduced 20080112): missing #ifdef for the SASL
+ login failure cache. File: smtp/smtp_sasl_auth_cache.h.
+
+20080123
+
+ Name fix: renamed the mumble_delivery_rate_delay parameter
+ to mumble_destination_rate_delay, because it really is a
+ per-destination feature. With this change we keep the option
+ of implementing a future per-transport rate delay.
+
+20080125
+
+ Bugfix (introduced 20071216): missing {} in the LDAP client
+ broke OpenLDAP TLS. The setting tls_require_cert=no was
+ further broken because Postfix used OpenLDAP incorrectly.
+ Victor Duchovni. This broke tls_require_cert=no File:
+ global/dict_ldap.c.
+
+20080126
+
+ Cleanup: the post-install script now requires that it is
+ invoked via the postfix(1) command. This was the intended
+ use since Postfix 2.1, but it was never enforced. The
+ documentation for package maintainers has been updated
+ accordingly. File: conf/post-install.
+
+20080130
+
+ Bugfix (introduced 20071204): wrong proxywrite process limit
+ in the default master.cf file. File: conf/master.cf.
+
+20080131
+
+ Bugfix (introduced 20080126): the new "do not execute
+ directly" test in post-install got broken during code
+ cleanup. File: conf/post-install.
+
+20080201
+
+ Workaround: undo the changes that require that post-install
+ is invoked via the postfix command, because this breaks
+ when "postfix start" is invoked with an obsolete postfix
+ command that doesn't export the new data_directory parameter.
+
+ Workaround: pick up a missing data_directory setting from
+ main.cf when "postfix start" is invoked with an obsolete
+ postfix command. File: conf/post-install.
+
+20080207
+
+ Cleanup: soft_bounce support for multi-line Milter replies.
+ File: src/milter/milter8.c.
+
+ Cleanup: preserve multi-line format of header/body Milter
+ replies. Files: cleanup/cleanup_milter.c, smtpd/smtpd.c.
+
+ Cleanup: multi-line support in SMTP server replies. File:
+ smtpd/smtpd_chat.c.
+
+ SAFETY: postfix-script, postfix-files and post-install are
+ moved away from /etc/postfix to $daemon_directory. There
+ were too many accidents where people clobbered these files
+ with versions from an older Postfix release and ended up
+ with an unusable Postfix setup. Files: postfix-install,
+ Makefile.in, postfix/postfix.c, conf/postfix-files,
+ conf/postfix-script, conf/post-install.
+
+20080212
+
+ Feature: check_reverse_client_hostname_access, to make
+ access decisions based on the unverified client hostname.
+ For safety reasons an OK result is not allowed. Noel Jones.
+ Files: smtpd/smtpd_check.c plus header files and documentation.
+
+20080215
+
+ Safety: break SASL loop in case both the SASL library and
+ the remote SMTP server are confused. File: smtp/smtp_sasl_glue.c.
+
+20080220
+
+ Safety: the master daemon now sets an exclusive lock on a
+ file $data_directory/master.lock, so that the data directory
+ can't be shared between multiple Postfix instances. This
+ would corrupt files that rely on single-writer updates
+ (examples: verify(8) cache, tlsmgr(8) caches, etc.). File:
+ master/master.c.
+
+20080226
+
+ Cleanup: the postfix command did not set argv[0] to a sane
+ value when invoking postfix-script. Reported by Victor
+ Duchovni. File: postfix/postfix.c.
+
+20080228
+
+ Bugfix: bounce(8) segfault on one-line template text.
+ Problem found by Sacha Chlytor. File: bounce/bounce_template.c.
+
+20080310
+
+ Safety: the SMTP server's Dovecot authentication client now
+ enforces the SASL mechanism output filter also on client
+ command input. File: src/xsasl/xsasl_dovecot_server.c.
+
+20080311
+
+ Bugfix (introduced 20070811): the MAIL and RCPT Milter
+ application call-backs no longer received {mail_addr} or
+ {rcpt_addr} information. Problem reported by Anton Yuzhaninov.
+ File: smtpd/smtpd.c.
+
+ Bugfix (introduced 20080207): "cleanup -v" panic because
+ the new "SMTP reply" request flag did not have a printable
+ name. File: global/cleanup_strflags.c.
+
+20080318
+
+ Human factors: the PCRE and regexp maps now give more
+ comprehensible error messages when people make the common
+ mistake of indenting if/endif blocks. Files: util/dict_pcre.c,
+ util/dict_regexp.c.
+
+20080324
+
+ Cleanup: the event_drain() function is now a proper event
+ processing loop. File: util/events.c
+
+ Feature: when the "postmap -q -" command reads lookup keys
+ from standard input, it now understands RFC822 and MIME
+ message format. Specify -h or -b to use headers or body
+ lines as lookup keys, and specify -hm or -bm to simulate
+ header_checks or body_checks. The postmap -h option (without
+ -m) will be compatible with a future postcat -h option.
+ File: postmap/postmap.c.
+
+20080411
+
+ Bugfix (introduced Postfix 2.0): after "warn_if_reject
+ reject_unlisted_recipient/sender", the SMTP server mistakenly
+ remembered that recipient/sender validation was already
+ done. File: smtpd/smtpd_check.c.
+
+ Bugfix (introduced Postfix 2.3): the queue manager would
+ initialize missing client logging attributes (from xforward)
+ with real client attributes. Fix: enable this backwards
+ compatibility feature only with queue files that don't
+ contain logging attributes. Problem reported by Liviu Daia.
+ Files *qmgr/qmgr_message.c.
+
+20080424
+
+ Cleanup: some warning messages said "regexp" or "regexp
+ map" instead of "pcre map". File: util/dict_pcre.c.
+
+20080426
+
+ Feature: finer control over address verification error
+ handling and amount of information disclosed in the SMTP
+ reject message. Parameters: unverified_recipient_defer_code,
+ unverified_recipient_reject_reason, unverified_sender_defer_code,
+ unverified_sender_reject_reason. If I don't do this properly,
+ then someone will do it anyway. File: src/smtpd/smtpd_check.c.
+
+20080428
+
+ Cleanup: the proxy_read_maps (Postfix 2.0) default setting
+ was not updated when adding sender/recipient_bcc_maps
+ (Postfix 2.1) and smtp/lmtp_generic_maps (Postfix 2.3).
+ File: global/mail_params.h.
+
+ Cleanup: the SMTP server's XFORWARD and XCLIENT support was
+ not updated when the smtpd_client_port_logging configuration
+ parameter was added. Code by Victor Duchovni. Files:
+ smtpd/smtpd.c, smtpd/smtpd_peer.c.
+
+20080508
+
+ Cleanup: delivery status notifications now prepend a
+ Return-Path: message header to the returned message.
+ File: bounce/bounce_notify_util.c.
+
+20080509
+
+ Bugfix: null-terminate CN comment string after sanitization.
+ File: smtpd/smtpd.c.
+
+20080510
+
+ Cleanup: when extracting peer and issuer common name from
+ TLS certificates, convert the result into UTF-8, and use
+ RFC 2047 encoding when logging these as Received: header
+ comment fields. Based remotely on code by Victor Duchovni.
+ Files: smtpd/smtpd.c, tls/tls_verify.c.
+
+20080511
+
+ Cleanup: the RFC 2047 encoding of RFC*822 comments is too
+ problematic. The text that explains the problems is as
+ long as the code itself. That is usually a good indication
+ that code is not ready for use. File: smtpd/smtpd.c.
+
+ Cleanup: block non-printable ASCII text in UTF8 encoded TLS
+ peer and issuer common names. File: tls/tls_verify.c.
+
+20080602
+
+ Workaround: avoid watchdog timeout in the local pickup
+ daemon when the cleanup server expands a very large virtual
+ alias list. Files: master/trigger_server.c, pickup/pickup.c.
+
+20080603
+
+ Workaround: avoid "bad address pattern" errors with non-address
+ patterns in namadr_list_match() calls. File: util/match_ops.c.
+
+ Feature: print fsstone elapsed time with sub-second time
+ resolution. Kenji Kikuchi. File: fsstone/fsstone.c.
+
+20080606
+
+ Bitrot: "make test" was broken due to recent changes in
+ code and due to recent changes at mail-abuse.org.
+
+20080618
+
+ Add a note to SMTP session transcript email messages that
+ other details may be found in the maillog file. Files:
+ smtpd/smtpd_chat.c, smtp/smtp_chat.c.
+
+20080620
+
+ Cleanup: with the "Before-queue content filter", RFC3848
+ information was not added to the headers. Carlos Velasco.
+ File smtpd/smtpd.c.
+
+20080621
+
+ Cleanup: include unread byte count in the SMTP server's "lost
+ connection after DATA (xx bytes)" logging. Files: smtpd/smtpd.c.
+
+20080629
+
+ Bugfix (introduced Postfix 2.2): multiple inconsistencies
+ in SASL support after introduction of TLS. The Postfix
+ SMTP server 1) complained about plain-text SASL configuration
+ details when SASL was forbidden for plain-text sessions,
+ and 2) ignored the smtpd_tls_auth_only parameter setting
+ when built without TLS support. Files: smtpd/smtpd.c,
+ smtpd/smtpd_check.c, smtpd/smtpd_sasl_glue.[hc],
+ smtpd/smtpd_state.c.
+
+ Some clarification about recipient address versus domain,
+ and recipients per message versus session. File:
+ proto/postconf.proto.
+
+ The description of SASL authentication attributes was
+ garbled. File: pipe/pipe.c.
+
+ Information: the master(8) server now logs the version
+ besides the configuration directory upon "postfix reload".
+ File: master/master.c.
+
+20080717
+
+ Cleanup: a poorly-implemented integer overflow check for
+ TCP MSS calculation had the unexpected effect that people
+ broke Postfix on LP64 systems while attempting to silence
+ a compiler warning. File: util/vstream_tweak.c.
+
+20080721
+
+ The cleanup server now rejects undisclosed_recipients_header
+ parameter values with invalid message header syntax.
+ File: cleanup/cleanup_message.c.
+
+20080725
+
+ Paranoia: defer delivery when a mailbox file is not owned
+ by the recipient. Sebastian Krahmer, SuSE. Files:
+ local/mailbox.c, virtual/mailbox.c.
+
+20080804
+
+ Bugfix: dangling pointer in vstring_sprintf_prepend().
+ File: util/vstring.c.
+
+20080814
+
+ Security: some systems have changed their link() semantics,
+ and will hardlink a symlink, contrary to POSIX and XPG4.
+ Sebastian Krahmer, SuSE. File: util/safe_open.c.
+
+ The solution introduces the following incompatible change:
+ when the target of mail delivery is a symlink, the parent
+ directory of that symlink must now be writable by root only
+ (in addition to the already existing requirement that the
+ symlink itself is owned by root). This change will break
+ legitimate configurations that deliver mail to a symbolic
+ link in a directory with less restrictive permissions.
+
+20080815
+
+ Feature: the milter_default_action parameter now accepts
+ the "quarantine" action. This works like "accept" but also
+ freezes the mail in the "hold" queue. File: milter/milter8.c.
+
+ Robustness: transition from setjmp()/longjmp() to the signal
+ mask saving/restoring versions sigsetjmp()/siglongjmp().
+ These functions have been around for 15 years, but they
+ have had bugs on supported platforms, so makedefs tests for
+ them. Files: makedefs, util/sys_defs.h, util/vstream.h.
+
+20080822
+
+ Cleanup: the proxymap_service_name and proxywrite_service_name
+ parameters make the proxymap service names configurable.
+ This paves the way for a future option where the proxymap
+ services are accessible via TCP so that they can be shared
+ among multiple Postfix hosts. File: global/dict_proxy.c.
+
+ Feature: MacOS X support for kqueue style event handling,
+ with workaround for broken MacOS X versions. Files:
+ util/sys_defs.h, makedefs.
+
+ Cleanup: the makedefs script now keeps its test programs
+ in a directory makedefs.d, instead of inlining them as
+ fragile "here documents". Files: makedefs, makedefs.d/*.
+
+20080823
+
+ Feature: IPv6 dns blocklist lookup. File: smtpd/smtpd_check.c.
+
+20080824
+
+ Cleanup: untangled the MacOS X version dependent sections
+ in the makedefs script, to make future updates easier. File:
+ makedefs.
+
+ Cleanup: don't log multiple Milter "hold" actions for the
+ same email message. File: cleanup/cleanup_milter.c.
+
+20080826
+
+ Cleanup: moving test programs from makedefs into a makedefs.d
+ directory brought more pain than gain.
+
+ Cleanup: untangled the Linux version dependent sections in
+ the makedefs script, to make future updates easier. File:
+ makedefs.
+
+ Documentation: MacOS process limit configuration by Quanah
+ Gibson-Mount. File: proto/TUNING_README.html.
+
+ Feature: smtp-sink -M option to terminate after receiving
+ a specified number of messages. Laurent Gentil. File:
+ smtpstone/smtp-sink.c.
+
+ Bugfix (introduced Postfix 2.4): epoll file descriptor leak.
+ With Postfix >= 2.4 on Linux >= 2.6, Postfix has an epoll
+ file descriptor leak when it executes non-Postfix commands
+ in, for example, user-controlled $HOME/.forward files. A
+ local user can access a leaked epoll file descriptor to
+ implement a denial of service attack on Postfix. Data
+ confidentiality and integrity are not affected. File:
+ util/events.c.
+
+20080903
+
+ Don't enable kqueue (which requires poll) support on
+ MacOS X. File: makedefs.
+
+ Cleanup: remove obsolete Rhapsody and MacOS targets from
+ makedefs.
+
+20080929
+
+ Workaround: don't log "file has 2 links" warnings when the
+ condition appears to be temporary. As kernels have evolved
+ from non-interruptible system calls towards fine-grained
+ locks, the showq command has become likely to observe a
+ file while the queue manager is in the middle of a rename
+ operation, when the file has links to both the old and new
+ name. File: global/mail_open_ok.c.
+
+ Workaround: don't loop forever when write() fails with a
+ persistent EAGAIN error on a writable file descriptor.
+ File: util/write_buf.c.
+
+20081003
+
+ Bugfix (introduced Postfix 2.1): when XFORWARD support was
+ introduced with Postfix 2.1, the specification failed to
+ clearly distinguish between missing and non-existent client
+ information. This ambiguity affected the implementation:
+ in $name expansions by delivery agents, unknown client
+ hostnames could became empty strings (as if a submission
+ was local), and local submissions could appear to originate
+ from an SMTP-based content filter. This was fixed with a
+ a minor semantic change to the XFORWARD protocol. Files:
+ smtpd/smtpd.c, qmqpd/qmqpd.c, smtp/smtp_proto.c,
+ cleanup/cleanup_envelope.c, proto/XFORWARD.html. Note: the
+ changes to propagate local submission details were undone
+ 20082012.
+
+ Feature: a DUNNO lookup result in per_sender_relayhost_maps
+ stops the search without replacing the next-hop destination.
+ File: trivial-rewrite/resolve.c.
+
+20081005
+
+ Bugfix: further refinements to the handling of missing or
+ non-existent remote client attributes. Files: smtpd/smtpd.c,
+ smtpd/smtpd.h.
+
+ Documentation: the XFORWARD specification of the ADDR
+ attribute did not agree with the actual on-the-wire protocol.
+ Since we can't change already existing deployments, the
+ spec has been updated. File: proto/XFORWARD_README.html.
+
+20081006
+
+ Bugfix: further refinements to the handling of remote client
+ attributes. Introduced a dummy "we have forwarded client
+ info" record, to eliminate the need for the backwards
+ incompatible queue file change that was introduced 20081003.
+ Files: smtpd/smtpd.c, cleanup/cleanup_envelope.c,
+ *qmgr/qmgr_message.c.
+
+ Security: hardened the proxymap client, in case it ever
+ ends up in a set-gid program. File: global/dict_proxy.c.
+
+20081007
+
+ Workaround: undo the proxymap client change. It broke
+ chrooted servers when they attempted to reconnect to the
+ proxy read/write service. File: global/dict_proxy.c.
+
+20081008
+
+ Safety: added checks that $queue_directory/pid is owned by
+ root, and that $queue_directory/saved is owned by $mail_owner.
+ File: conf/postfix-script.
+
+20081010
+
+ Feature: controls for opportunistic TLS protocols and
+ ciphers. The smtp_tls_protocols, smtp_tls_ciphers, and
+ equivalent parameters for lmtp and smtpd provide global
+ settings; the SMTP client TLS policy table provides ciphers
+ and protocols settings for specific peers. Code by Victor
+ Duchovni. Files: smtp/smtp.c, smtp/smtp_session.c, smtpd/smtpd.c
+ and documentation.
+
+20081012
+
+ Cleanup: simplify the 20081003 changes and don't try to
+ propagate local submission information through XFORWARD.
+ Files: smtpd/smtpd.c, qmqpd/qmqpd.c, smtp/smtp_proto.c,
+ cleanup/cleanup_envelope.c, proto/XFORWARD.html.
+
+20081015
+
+ Bugfix: GLIBC API version detection. Rob Foehl. File:
+ util/sys_defs.h.
+
+20081022
+
+ Documentation: removed inapplicable daemon_timeout reference
+ from qmgr(8), oqmgr(8), pickup(8). These daemons need to
+ use a much shorter watchdog timer.
+
+20081108
+
+ Feature: smtp_sasl_tls_verified_security_options is no
+ longer #ifdef SNAPSHOT.
+
+ Feature: elliptic curve support. This requires OpenSSL
+ version 0.9.9 or later. Victor Duchovni. Files: TLS_README,
+ smtpd/smtpd.c, smtp/smtp.c, tls/tls_dh.c, tls/tls_certkey.c,
+ tls/tls_server.c, tls/tls_client.c, tls/tls.h, tls/tls_misc.c.
+
+ Bugfix (introduced Postfix 2.5): the Postfix SMTP server
+ did not ask for a client certificate with "smtpd_tls_req_ccert
+ = yes". Reported by Rob Foehl. File: smtpd/smtpd.c.
+
+20081109
+
+ Cleanup: confusing names of variables. File: smtpd/smtpd.c.
+
+20081126
+
+ Documentation: pcre_table(5) incorrectly claimed that the
+ 'x' flag supports #comment after text. File: proto/pcre_table.
+
+20081202
+
+ Cleanup: vstream_bufstat() provides a more systematic
+ approach to get information about VSTREAM buffers. The
+ vstream_peek() function is now a backwards compatibility
+ wrapper. Files: util/vstream.[hc].
+
+ Cleanup: the SMTP server should warn about "lost connection
+ after QUIT" only when the "." reply was pipelined together
+ with the "QUIT" reply. File: smtpd/smtpd.c.
+
+ Cleanup: the SMTP client's code was duplicating buffer
+ management that was already done in the VSTREAM module.
+ File: smtp/smtp_proto.c.
+
+20081203
+
+ Cleanup: adjust the VSTREAM buffer strategy when reusing
+ an SMTP connection with a large TCP MSS value. File:
+ smtp/smtp_reuse.c.
+
+20081204
+
+ Cleanup: state the SMTP client PIPELINING implementation's
+ dependency on monotonic VSTREAM buffer size behavior, and
+ add some checks for boundary cases with VSTREAM buffer size
+ change requests. Files: util/vstream.c, smtp/smtp_proto.c.
+
+20081205
+
+ Fix 20081202 flush code. Victor Duchovni. File: smtpd/smtpd.c.
+
+ Safety: add another check to "postfix check", in this case
+ for group or other writable queue_directory. File:
+ conf/postfix-script.
+
+20081217
+
+ Debugging: ad-hoc code to log the TLS error stack after
+ VSTREAM read/write error. File: tls/tls_bio_ops.c. In a
+ better implementation, each I/O "object" would provide an
+ optional error reporting method (besides timed_read and
+ timed_write) that could be queried via the vstream module.
+
+20081222
+
+ Documentation: log the "*" pattern as the last transport
+ map lookup. File: proto/transport.
+
+20090103
+
+ Documentation: rewrote NFS_README, to clarify the support
+ status of Postfix and NFS, and to describe the NFS workarounds
+ that Postfix actually implements.
+
+20090106
+
+ Feature: "postconf -# parametername ..." to comment out
+ named parameter entries. Victor Duchovni. File:
+ postconf/postconf.c.
+
+20090107
+
+ Library: edit_file(3) module for cooperative editing of a
+ file. Inspired by the postconf command, this creates a new
+ version under a deterministic temporary name and renames
+ it into place. The implementation uses an open/lock/stat
+ protocol before updating the new file, and rename/unlock/close
+ afterwards. Based on pieces of code by Victor Duchovni,
+ with minor improvements by Wietse. Files: util/edit_file.[hc].
+
+ Cleanup: the postconf command now uses the edit_file(3)
+ module to manage collisions when multiple processes attempt
+ to update the main.cf file.
+
+20090108
+
+ Feature: master_service_disable parameter (default: empty)
+ to easily turn off/on master.cf services by type or by name
+ and type. For example, to turn off the main SMTP listener
+ use "master_service_disable = smtp.inet", and to turn off
+ all TCP/IP listeners use "master_service_disable = inet".
+ This immediately terminates all processes that provide the
+ specified services. The master_service_disable feature does
+ not distinguish services by their privacy property; some
+ day, clients will not need to specify that anymore. Files:
+ global/mail_params.h, master/master.c, master/master_vars.c,
+ master/master_ent.c.
+
+ Bugfix (introduced May 19, 1997): removing a parameter
+ setting from main.cf did not reset the parameter to its
+ default value. This was a problem only in the master daemon.
+ File: global/mail_conf.c, master/master_vars.c.
+
+20090109
+
+ Cleanup: "defer" action in access maps, and a corresponding
+ access_map_defer_code parameter. No idea what was behind
+ this omission. Files: global/mail_params.h, smtpd/smtpd.c,
+ smtpd/smtpd_check.c, proto/access.
+
+ Workaround: specify "tcp_windowsize = 65535" (or less) to
+ work around broken TCP window scaling implementations. This
+ is perhaps easier than collecting tcpdump output and tuning
+ kernel parameters by hand. See RELEASE_NOTES for how to
+ change this setting without stopping Postfix. Files:
+ util/inet_connect.c, inet_listen.c, global/mail_params.[hc].
+
+20090110
+
+ Cleanup: create separate code modules for TCP window size
+ handling, master.cf service name matching, and main.cf
+ change monitoring. Files: util/inet_windowsize.c,
+ global/match_service.c, master/master_watch.c.
+
+ Feature: TCP window size override for the Postfix SMTP/LMTP
+ client, and for the smtp-source and smtp-sink test programs.
+ Files: smtp/smtp_connect.c, smtpstone/smtp-source.c,
+ smtpstone/smtp-sink.c.
+
+20090114
+
+ Bugfix: VERP now uses the Postfix original recipient, if
+ available, because that is what the VERP consumer expects.
+ Files: *qmgr/qmgr_deliver.c, bounce/bounce_notify_verp.c.
+
+ Safety: extra check for broken third-party patches that
+ allow file size limit < message size limit. This can cause
+ mail to be stuck in the queue forever.
+
+ Invisible change, in preparation for multi-instance support.
+ Except for main.cf and master.cf, all files are optional
+ for non-default Postfix configuration directories. File:
+ conf/postfix-files.
+
+20090115
+
+ Cleanup: rewrote the 20090114 VERP bugfix, to replace code
+ that "works" by code that is "right". Files: *qmgr/qmgr_deliver.c,
+ bounce/bounce_notify_verp.c, global/verp_sender.c.
+
+20090118
+
+ Documentation: some URLs to enable/disable client-side TLS
+ jumped into the middle of an enumeration. File:
+ proto/TLS_README.html.
+
+20090119-21
+
+ Feature: multi-instance manager plug-in API. A sample
+ multi-instance manager with instructions is available as
+ $daemon_directory/postfix-wrapper. The plug-in API itself
+ is described in postfix-wrapper(5). Files: postfix/postfix.c,
+ global/mail_params.[hc], proto/postfix-wrapper,
+ conf/postfix-wrapper, conf/postfix-script, conf/postfix-files.
+
+ Support to check/update shared files only in the context
+ of the default Postfix instance. Files: conf/post-install,
+ conf/postfix-script.
+
+20090122
+
+ Refinements: the multi-instance manager always replaces
+ "start" by "check" when a Postfix instance is multi-instance
+ disabled, so that problems will still be reported; polish
+ documentation; delete unnecessary multi_instance_order
+ parameter. Files: conf/postfix-wrapper, proto/postfix-wrapper,
+ global/mail_params.[hc] and documentation.
+
+ Bugfix: the data_directory was not automatically created!
+ File: conf/postfix-files.
+
+20090123
+
+ More little fixes in the "trivial but useful" postfix-wrapper
+ including instructions. It's ready for testing in the field.
+ File: conf/postfix-wrapper.
+
+20090125
+
+ Documentation: more precise description of multi-instance
+ manager API, and minor edits of the example program. Files:
+ conf/postfix-wrapper, proto/postfix-wrapper.
+
+20090208
+
+ Cleanup: enable multi-instance shared-file logic only when
+ the instance is listed in multi_instance_directories. Files:
+ conf/post-install, conf/postfix-script.
+
+20090210
+
+ Feature: specify "reject_tempfail_action = defer" to
+ immediately defer a remote SMTP client request after a
+ reject-type restriction fails with a temporary error. Based
+ on code by Rob Foehl. File: smtpd/smtpd_check.c.
+
+ Feature: finer control of reject_tempfail_action with
+ unknown_address_tempfail_action, unverified_sender_tempfail_action
+ unverified_recipient_tempfail_action, and
+ unknown_helo_hostname_tempfail_action. See documentation
+ for details. File: smtpd/smtpd_check.c.
+
+20090211
+
+ Workaround: pass the SMTP server socket's local and remote
+ peer address information to the Dovecot authentication server.
+ This is incomplete code: it ignores XCLIENT server address
+ overrides. File: xsasl/xsasl_dovecot_server.c.
+
+20090212
+
+ Testing revealed that with mumble_tempfail_action=defer,
+ the "defer" action was ignored. Cause: the DEFER_IF_PERMIT[0-9]
+ macros lost the SMTPD_CHECK_REJECT result value. File:
+ smtpd/smtpd_check.c.
+
+ Feature: stress-dependent smtpd_timeout (normal: 300s,
+ overload: 10s), smtpd_hard_error_limit (normal: 20, overload:
+ 1) and smtpd_junk_command_limit (normal: 100, overload: 1).
+ Files: global/mail_params.h, global/mail_conf_nint.c,
+ master/*_server.c, smtpd/smtpd.c.
+
+20090213
+
+ Fine tuning: don't enforce smtpd_junk_command_limit for
+ XCLIENT and XFORWARD commands. These commands can be issued
+ only by authorized clients. File: src/smtpd/smtpd.c.
+
+20090215
+
+ Feature: the Postfix SMTP server hangs up after replying
+ with "521". This makes overload handling more effective.
+ See also RFC 1846. File: smtpd/smtpd.c.
+
+ Feature: postmulti mult-instance manager command, very
+ lightly tested. The MULTI_INSTANCE_README still needs to
+ be proofread. Originally by Victor Duchovni. Files:
+ src/postmulti/*, proto/MULTI_INSTANCE_README.html,
+ conf/postmulti-script.
+
+20090216-24
+
+ Cleanup: assorted code cleanups in postmulti. File:
+ src/postmulti/postmulti.c.
+
+20090223
+
+ Cleanup: multiple instances of the same global. Files:
+ util/inet_windowsize.c, util/inet_listen.c.
+
+20090228
+
+ Cleanup: the Postfix SMTP server now maintains a per-session
+ "improper command pipelining detected" flag. This flag can
+ be tested at any time with reject_unauth_pipelining, and
+ is raised whenever a client command is followed by unexpected
+ commands or message content. Files: smtpd/smtpd.c,
+ smtpd/smtpd_check.c.
+
+ Logging: the Postfix SMTP server now logs the first command
+ pipelining transgression as "improper command pipelining
+ after <command> from <hostname>[<hostaddress>]".
+
+ Cleanup: after DATA command failure, log "(approximately
+ XX bytes)" only if Postfix actually accepted the DATA
+ command. File: smtpd/smtpd.c.
+
+20090303
+
+ Cleanup: word smithing of "sendmail -bv" probe message.
+ File: sendmail/sendmail.c.
+
+ Cleanup: OpenLDAP now provides a sane solution for conflicts
+ with PAM ldap-over-tls. Victor Duchovni. File: global/dict_ldap.c.
+
+20090304
+
+ Cleanup: skip over suspended or throttled queues while
+ looking for delivery requests. File: *qmgr/qmgr_transport.c.
+
+20090305
+
+ Bugfix: in the "new queue manager", the _destination_rate_delay
+ code needed to postpone the job scheduler updates after
+ delivery completion, otherwise the scheduler could loop on
+ blocked jobs. Victor & Wietse. File: qmgr/qmgr_entry.c,
+ qmgr/qmgr_queue.c, qmgr/qmgr_job.c.
+
+ Cleanup: report a "queue file write error", instead of
+ passing though bogus 2xx replies from proxy filters to SMTP
+ clients. File: smtpd/smtpd_proxy.c.
+
+20090307
+
+ Cleanup: with "lmtp_assume_final = yes", the Postfix LMTP
+ delivery agent assumes that delivery is final when talking
+ to an LMTP server that announces no DSN support. Otherwise,
+ the Postfix LMTP delivery agent assumes that delivery is
+ "relayed", to maintain compatibility with simple LMTP-based
+ content filters. Based on code by Michel Sebastien, ATOS
+ Origin. File: smtp/smtp_rcpt.c.
+
+20090310
+
+ Bugfix: Postfix used mumble_concurrency_failed_cohort_limit
+ instead of mumble_destination_concurrency_failed_cohort_limit
+ as documented. File: global/mail_params.h.
+
+20090330
+
+ Cleanup: add (Resent-) From:, Date:, Message-ID: or To:
+ headers only when clients match $local_header_rewrite_clients.
+ Specify "always_add_missing_headers = yes" for backwards
+ compatibility. Adding such headers to remote mail can break
+ DKIM signatures that cover headers that are not present.
+ File: cleanup/cleanup_message.c.
+
+20090415
+
+ Workaround: to avoid unnecessary "fatal" delivery agent
+ exits, delivery agents retry getting a shared lock on a
+ queue file. This is necessary since the queue manager's
+ behavior was changed years ago to refill the in-memory
+ recipient list before it was completely empty. File:
+ global/deliver_request.c.
+
+ Documentation: updated STRESS_README.
+
+20090416
+
+ Workaround: some AWK implementations have a limit of 10
+ output files and lack a working close() function. It is too
+ much trouble to find out what systems have this limitation,
+ and where, if any, such systems store their XPG4-compatible
+ AWK program. So instead we generate a stream of here
+ documents and let the shell split the stream into files.
+ File: postconf/extract.awk.
+
+ Documentation: clarification of certificate file usage.
+ Victor Duchovni. Files: proto/postconf.proto,
+ proto/TLS_README.html.
+
+ Feature: pass a "TLS is active" flag to the server-side
+ SASL support. Based on code by Timo Sirainen, except that
+ the implementation uses an extensible API so that it will
+ be less painful to add more attributes in future Postfix
+ versions. Files: xsasl/xsasl.h, xsasl/xsasl_*server.c,
+ smtpd/smtpd_sasl_glue.c.
+
+20090417
+
+ Documentation: re-generate READMEs and manpages for updated
+ hyperlinks.
+
+ Documentation: missing hyperlinks and missing parameters
+ in manpages. File: mantools/postlink, mantools/check-postlink.
+
+20090418
+
+ Cleanup: use the extensible API to pass SMTP client address
+ information to the dovecot SASL plugin, and prepare for
+ passing server address information. Files: xsasl/xsasl.h,
+ xsasl/xsasl_dovecot_server.c, smtpd/smtpd_sasl_glue.c.
+
+ Same extensible API transformation for the SASL client-side
+ code to make future extensions less painful. Files:
+ xsasl/xsasl.h, xsasl/xsasl*client.c, smtp/smtp_sasl_glue.c.
+
+ More postlink fixes. File: mantools/postlink.
+
+20090419
+
+ Bugfix: don't re-enable SIGHUP if it is ignored in the
+ parent. This may cause random "Postfix integrity check
+ failed" errors at boot time (POSIX SIGHUP death), causing
+ Postfix not to start. We duplicate code from postdrop and
+ thus avoid past mistakes. File: postsuper/postsuper.c.
+
+ Robustness: don't re-enable SIGTERM if it is ignored in the
+ parent. Files: postsuper/postsuper.c, postdrop/postdrop.c.
+
+20090422
+
+ Undo delivery agent change 20090415. The queue manager never
+ locks a queue file to read additional recipients into memory,
+ so if a delivery agent runs into a locked file, then something
+ is seriously wrong. File: global/deliver_request.c.
+
+20090424
+
+ Compatibility: the Postfix SMTP client no longer uses the
+ obsolete SSLv2 by default for opportunistic encryption.
+ This has nothing to do with security (we're willing to send
+ plaintext over an unauthenticated connection) but with the
+ loss of advanced options that give better performance.
+ Victor Duchovni. Files: proto/postconf.proto, global/mail_params.h.
+
+20090426
+
+ Feature: more accurate support for Milter macros {mail_addr}
+ and {rcpt_addr}, and new support for Milter macros {mail_host},
+ {mail_mailer}, {rcpt_host}, and {rcpt_mailer}. Files:
+ milter/milter.[hc], smtpd/smtpd.[hc], smtpd/smtpd_milter.c,
+ smtpd/smtpd_resolve.c.
+
+ Feature: support to report rejected recipients to Milters
+ (SMFIP_RCPT_REJ). Postfix reports the event as decribed in
+ Sendmail 8.14.0 documentation: {rcpt_mailer} = "error",
+ {rcpt_host} = enhanced status code (e.g., "5.7.1"), and
+ {rcpt_addr} = reason to reject (e.g., "Relay access denied").
+ Files: milter/milter.[hc], milter/milter8.c, smtpd/smtpd.[hc],
+ smtpd/smtpd_milter.c.
+
+20090427
+
+ Feature: Milter support for replacing the envelope sender
+ and adding recipients (SMFIR_CHGFROM, SMFIR_ADDRCPT_PAR).
+ This support currently ignores ESMTP command parameters.
+ Files: milter/milter8.c, cleanup/cleanup_milter.c.
+
+20090428
+
+ Compatibility: to make all the new Milter features usable,
+ raise the default milter_protocol setting from 2 to 6.
+ This has been tested with a Sendmail 8.14 libmilter.
+ File: global/mail_params.h.
+
+ Bugfix: don't disable MIME parsing with smtp_header_checks,
+ smtp_mime_header_checks, smtp_nested_header_checks or with
+ smtp_body_checks. Bug reported by Victor. File: smtp/smtp_proto.c.
+
+ Code cleanups: respect VSTRING invariants by using VSTRING_RESET
+ and VSTRING_TERMINATE instead of directly groping the
+ underlying character buffer. Files: global/dsn_buf.c,
+ milter/milter8.c.
+
+20090507
+
+ main.cf:tls_random_source now defaults to /dev/arandom on
+ OpenBSD. This device was introduced before Postfix development
+ began. Files: util/sys_defs.h, global/mail_params.h.
+
+20090510
+
+ Code cleanups: while emulating SMTP client requests for
+ Milter applications, use user@domain form addresses as
+ required by the SMTP protocol, instead of bare usernames.
+ This avoids hard to debug errors from some Milter applications.
+ Files: cleanup/cleanup_envelope.c, cleanup/cleanup_extracted.c,
+ cleanup/cleanup_addr.c.
+
+20090511
+
+ Code cleanups: don't clobber -o command-line arguments so
+ that Linux people can debug daemon command lines more easily.
+ Files: master/*server.c.
+
+20090513
+
+ Code cleanups: better parsing of Postfix daemon "-o"
+ command-line options, with better error handling. Files:
+ master/*server.c.
+
+20090518
+
+ Documentation: missing dummy entries for lmtp_mumble_checks.
+ File: proto/postconf.proto.
+
+20090519
+
+ Bugfix (introduced: Postfix 2.3, but did not cause trouble
+ until 20090427). Queue file corruption with (smtpd_milters
+ or non_smtpd_milters) enabled, AND with delay_warning_time
+ enabled, AND with short envelope sender addresses (e.g.,
+ local submissions with bare usernames, but not bounces).
+ The queue file would be corrupted when the delay_warning_time
+ record was marked as "done" after sending the "your mail
+ is delayed" notice. File: qmgr/qmgr_message.c.
+
+20090522
+
+ Bugfix (introduced: Postfix 2.3). The cleanup server
+ rejected mail with records of type REC_TYPE_DRCP (recipient
+ deleted by Milter), but such records could be present in
+ mail re-submitted with "postsuper -r". Found during code
+ review. Files: global/record.h, cleanup/cleanup_envelope.c.
+
+20090524
+
+ Feature: new postcat options: -e (print envelope), -h (print
+ header), and -b (print body). Specify "postcat -bh" to
+ suppress information about envelope records, and "postcat
+ -h" to get the message header only. With large messages,
+ "postcat -h" is much faster than manually stripping the
+ message body from the output. File: postcat/postcat.c.
+
+20090528
+
+ Bugfix (introduced: Postfix 2.6 change 20080629): with
+ plaintext sessions, smtpd_tls_auth_only=yes caused spurious
+ warnings with reject_authenticated_sender_login_mismatch,
+ and broke reject_unauthenticated_sender_login_mismatch and
+ reject_sender_login_mismatch. Based on fix by Victor
+ Duchovni. File: smtpd/smtpd_check.c.
+
+20090603
+
+ Cleanup: Postfix 2.3 adopted a file descriptor passing
+ workaround for OpenBSD. This workaround was hard-coded for
+ all platforms because there were no have adverse effects.
+ This is no longer the case: OpenBSD is fixed, and NetBSD
+ does not like the workaround. We now default back to the
+ non-workaround code and turn on the workaround dynamically.
+ Files: util/unix_send_fd.c, unix_recv_fd.c, unix_pass_fd_fix.c.
+
+20090605
+
+ Portability: modern kernels below ancient user-land. File:
+ makedefs.
+
+20090606
+
+ Feature: post-Milter header checks, with all actions except
+ PREPEND. To enable, specify for example "milter_header_checks
+ = pcre:/path/to/file". Files: cleanup/cleanup_init.c,
+ cleanup/cleanup_milter.c, cleanup/cleanup_extracted.c,
+ cleanup/cleanup_state.c.
+
+ Bugfix: non-portable command pathname in postmulti-script.
+
+ Safety: "postmulti -e destroy" no longer attempts to remove
+ files that are created AFTER "postmulti -e create". Rationale:
+ by design, postfix queue/data directories are not trusted;
+ actions within those directory trees must not affect files
+ outside those those trees (e.g. by symlink race attacks).
+ We don't want to be nailed with a bunch of CVEs for unsafe
+ pathname handling. File: conf/postmulti-script.
+
+20090607
+
+ Cleanup: revise milter_header_checks action implementation,
+ and avoid redundant logging and work when milter_header_checks
+ and Milters make redundant or conflicting decisions. File:
+ cleanup_milter.c.
+
+20090614
+
+ Preliminary postscreen triage server for all inbound SMTP
+ connections. This is not a proxy: it rejects bad clients
+ and forwards the rest of the connections to a real Postfix
+ SMTP server. The initial version does a simple "friend or
+ foe" based on whether the client starts talking too soon.
+ Decisions are cached, so "good" clients have no overhead.
+ File: postscreen/postscreen.c.
+
+ Cleanup: more robust code for receiving file descriptors
+ via the "pass" master service protocol. File:
+ util/upass_listen.c.
+
+20090617
+
+ Temporary helper daemon that does parallel DNSBL lookups
+ for postscreen(8). It logs successful lookups to the maillog
+ file without blocking the client. postscreen(8) will use
+ the results in a later non-production version. To enable
+ DNSBL lookups, specify "postscreen_dnsbl_sites = name,
+ name, etc". and restart postscreen(8) with "postfix reload".
+ File: src/dnsblog/dnblog.c.
+
+20090618
+
+ postscreen(8) logging and actions are now documented in the
+ postscreen(8) manpage. When a client is listed in DNSBLs
+ specified with postscreen_dnsbl_sites, it is no longer
+ whitelisted. Instead the number of blocklist hits is logged.
+ File: postscreen/postscreen.c.
+
+20090619
+
+ postscreen(8) by default no longer immediately drops
+ connections. Specify "postscreen_greet_action = drop" and
+ "postscreen_hangup_action = drop" for the old behavior.
+ There is also a new postscreen_dnsbl_action parameter, for
+ completeness. File: postscreen/postscreen.c.
+
+20090708
+
+ Portability: FreeBSD 8 has closefrom(). File: uti/sys_defs.h.
+
+20090710
+
+ Bugfix (introduced Postfix 2.3): Postfix got out of sync
+ with a Milter application after the application sent a
+ "quarantine" request at end-of-message time. The milter
+ application would still be in the end-of-message state,
+ while Postfix would already be working on the next SMTP
+ event (typically, QUIT or MAIL FROM). Problem diagnosed
+ with help from Alban Deniz. File: milter/milter8.c.
+
+20090711-2
+
+ New "event_server" Postfix server framework. It is similar
+ to the "multi_server" framework but does not manage client
+ I/O events. This framework is suitable for servers such
+ as postscreen that have complex event management requirements.
+ File: master/event_server.c.
+
+ New event_fork() primitive to resume event processing in a
+ child process after it is created with fork(). This is
+ needed by postscreen to complete work-in-progress in the
+ background after "postfix reload". File: util/events.c.
+
+ Cleanup: postscreen migrated to the "event_server" framework.
+ File: postscreen/postscreen.c.
+
+20090712
+
+ Cleanup: ${multi_instance_name:postfix}${multi_instance_name
+ ?$multi_instance_name} garbage in Postfix logging is now
+ hopefully gone. File: global/mail_task.c.
+
+20090715
+
+ Documentation: as of Postfix 2.6, the reject_unauth_pipelining
+ feature can be used meaningfully at any protocol stage.
+ File: proto/postconf.proto.
+
+20090717
+
+ Cleanup: postscreen PREGREET detection now uses non-destructive
+ read, so that the real SMTP server can still receive the
+ HELO command (apparently some sites allow pregreeters to
+ talk to their servers). File: postscreen/postscreen.c.
+
+20090805
+
+ Bugfix: don't panic when an unexpected smtpd access map is
+ specified. File: smtpd/smtpd_check.c.
+
+20090918
+
+ Bugfix (introduced Postfix 2.3): with Milter RCPT TO replies
+ turned off, there was no automatic flush-before-read on the
+ smtpd-to-milter stream, because the read was done on the
+ cleanup-to-milter stream. Problem reported by Stephen Warren.
+ File: milter/milter8.c.
+
+20091005
+
+ Bugfix: core dump while printing error message for malformed
+ %<letter> sequence in LDAP, MySQL or PostgreSQL configuration.
+ File: global/db_common.c. Fix by Victor Duchovni.
+
+20091006
+
+ Feature: "postscreen_whitelist_networks = $mynetworks" (the
+ default) to avoid problems with buggy SMTP implementations
+ in network appliances. Note: this feature never uses the
+ remote SMTP client hostname. Files: global/addr_match_list.[hc],
+ postscreen/postscreen.c.
+
+ Feature: postscreen_blacklist_networks (default: empty) to
+ permanently blacklist hosts or networks. Address syntax is
+ as with mynetworks. Note: this feature never uses the remote
+ SMTP client hostname. File: postscreen/postscreen.c.
+
+ Feature: postscreen_blacklist_action (default: continue)
+ to control what happens with a permanently blacklisted
+ client. File: postscreen/postscreen.c.
+
+20091007
+
+ Feature: hostname-based check_client_{mx,ns}_access,
+ check_reverse_client_hostname_{mx,ns}_access (the client
+ IP address is not used). Rob Foehl. Files: smtpd/smtpd_check.c,
+ global/mail_params.h, proto/postconf.proto, mantools/postlink.
+
+20091008
+
+ Documentation: restructured the postscreen(8) manpage
+ as a sequence of tests. File: postscreen/postscreen.c.
+
+20091012
+
+ Bugfix: postmulti did not skip commands with -p. Luca
+ Berra. File: postmulti/postmulti.c.
+
+20091023
+
+ Feature: specify "smtpd_command_filter = pcre:/file/name"
+ to replace remote SMTP client commands before they are
+ executed by the Postfix SMTP server. This a last-resort
+ tool to fix inter-operability problems. See examples in
+ the postconf(5) manual page. File: smtpd/smtpd.c.
+
+20091026
+
+ Cleanup: changed parameter evaluation order so that the
+ multi_instance_wrapper parameter value is evaluated after
+ the command and daemon directory parameters. File:
+ global/mail_params.h.
+
+20091101
+
+ Performance: specify "smtpd_proxy_options = speed_adjust"
+ to receive an entire message before sending it through a
+ before-queue content filter. This reduces the number of
+ simultaneous content filtering processes, and thus, the
+ system memory requirements. Files: smtpd/smtpd.[hc],
+ smtpd/smtpd_proxy.[hc].
+
+20091103-4
+
+ Cleaned up the speed-adjust code, streamlined the error
+ handling, and updated documentation. Files: smtpd/smtpd.[hc],
+ smtpd/smtpd_proxy.[hc], proto/SMTPD_PROXY_README.html.
+
+20091105
+
+ Cleaning up after speed_adjust introduction: smtpd segfault
+ caused by an incomplete API change; refined the queue space
+ check; release scratch space immediately after delivering
+ mail to the before-queue filter. Files: smtpd.c, smtpd_proxy.c.
+
+20091110
+
+ Workaround: specify "smtp_tls_block_early_mail_reply = yes"
+ to detect a mail hijacking attack based on a TLS protocol
+ vulnerability (CVE-2009-3555). The attack involves prepending
+ malicious HELO/MAIL/RCPT/DATA commands to a Postfix SMTP
+ client TLS session. The attack would succeed with non-Postfix
+ SMTP servers that reply to the malicious commands after
+ negotiating the Postfix SMTP client TLS session. File:
+ smtp/smtp_proto.c.
+
+20091113
+
+ Workaround: skip interfaces without netmask, to avoid
+ segfaults (reported by Dmitry Karasik). Don't supply a dummy
+ null netmask, as that would turn Postfix into an open relay
+ (mynetworks = 0.0.0.0/0). File: util/inet_addr_local.c.
+
+ Bugfix: forgot to flush output to the smtpd_proxy speed-adjust
+ buffer before truncating the file. Reported by Mark Martinec,
+ fix by Victor Duchovni. File: smtpd/smtpd_proxy.c.
+
+20091114
+
+ Feature: specify "smtp_reply_filter = pcre:/file/name" to
+ replace remote SMTP server reply lines before they are
+ parsed by the Postfix SMTP client. This a last-resort tool
+ to fix inter-operability problems. See examples in the
+ postconf(5) manual page. File: smtp/smtp_chat.c.
+
+ Safety: don't send postmaster notifications to report
+ problems delivering (possible) postmaster notifications.
+ File: smtp/smtp_connect.c.
+
+20091121
+
+ Feature: sender_dependent_default_transport_maps, to override
+ the default transport in a sender-dependent manner. This
+ is not a transport_maps override, and therefore it does not
+ use the transport_maps syntax for null transport, null
+ nexthop, or null email address.
+
+20091127
+
+ Usability: the Postfix SMTP client now logs a warning that
+ wrappermode TLS is not supported, when configured to connect
+ to port smtps/465. File: smtp/smtp_connect.c.
+
+20091203
+
+ Safety: the postscreen daemon logs a warning when table
+ lookup is slow. Slow lookups cause postscreen to fall behind,
+ and worse, to catch up in bursts, which results in overload
+ elsewhere. File: postscreen/postscreen.c.
+
+20091206
+
+ Feature: by popular demand, the Postfix SMTP server now
+ logs the before-queue content filter's end-of-message
+ accept/reject response. File: smtpd/smtpd.c.
+
+20091209
+
+ Portability: as the result of continuous improvement,
+ Berkeley DB no longer allows fork-then-close. File:
+ postscreen/postscreen.c.
+
+ Bugfix: sender_dependent_relayhost_maps did not reject an
+ empty lookup result, and did not recognize lookup errors,
+ thus treating errors as "not found". Problem found during
+ code maintenance. File: trivial-rewrite/resolve.c.
+
+ Cleanup: the postscreen daemon now applies the permanent
+ whitelist first. It is a safety feature that prevents mail
+ from being blocked. File: postscreen/postscreen.c.
+
+20091224
+
+ Bugfix (introduced 20041215): dict_dbm_sequence() did not
+ release the shared lock when the end of the sequence was
+ reached. File: util/dict_dbm.c.
+
+20091227
+
+ Cleanup: postscreen and verify periodic cache cleanup
+ (default: 12 hours after the previous cache cleanup run).
+ This is based on a new dict_cache(3) module that implements
+ a generalized version of the tlsmgr(8) cache maintenance
+ code. Once the new dict_cache(3) code is burned in, the
+ tlsmgr(8) will be migrated to it. See the RELEASE_NOTES for
+ user interface details. Files: util/htable.[hc], util/dict_ht.c,
+ util/dict_cache.[hc], postscreen/postscreen.c, verify/verify.c.
+
+ Bugfix: the event handler starved I/O events when a timer
+ call-back routine scheduled a zero-delay timer request.
+ This bug was exposed when adding the new dict_cache(3)
+ module for cache expiration. File: util/events.c.
+
+20091228
+
+ Cleanup: postscreen and verify periodic cache cleanup is
+ now optional (specify a null time interval between cache
+ cleanup runs).
+
+20091229
+
+ Cleanup: the address_verify_poll_count default parameter
+ value is now stress-dependent, so that the Postfix SMTP
+ server will not wait (up to 6 seconds) for the address
+ verification result. File: global/mail_params.h.
+
+ Final solution for the I/O event starvation problem when a
+ timer call-back schedules a zero-delay timer request. File:
+ util/events.c.
+
+20091231
+
+ Cleanup: the non-shared, in-memory hash table is now
+ accessible as the "internal:" map type. This simplifies
+ code by eliminating some special cases. Files: util/dict_ht.c,
+ util/dict_open.c, and documentation.
+
+20100101
+
+ Bugfix: the mantools/postlink script applied hyperlinks
+ for the "virtual:" transport to "/etc/postfix/virtual:".
+ Symptom reported by Christoph Anton Mitterer.
+
+20100102
+
+ Workaround: don't report bogus Berkeley DB close errors as
+ fatal errors. All operations before close are already error
+ checked, so the data is known to be safe. File: util/dict_db.c.
+
+20100107
+
+ Documentation: the access(5) manual page did not document
+ the "send 521 and disconnect" behavior in the Postfix SMTP
+ server (introduced with Postfix 2.6). File: proto/access.
+
+ Bugfix: the pickup daemon did not discard messages that
+ were requeued after all recipients were delivered (or
+ bounced), and the cleanup server tried to bounce such
+ messages. Files: pickup/pickup.c, global/cleanup_user.h.
+
+ Future proofing: redundant code in postdrop to reject a
+ submission without recipient record. File: postdrop/postdrop.c.
+
+20100109
+
+ Cleanup: "postcat -q" will now access files in the "saved"
+ queue directory (for corrupted queue files). As before, the
+ "postsuper" command will not, to avoid suddenly deleting
+ such files. Files: global/mail_queue.h postcat/postcat.c.
+
+20100113
+
+ Cleanup: don't supply the "-o stress" command-line option
+ with a single-process service. File: master/master_ent.c.
+
+20100115
+
+ Bugfix: the valid_hostname() fuction did not set the
+ "non-numeric" flag after encountering the '-' character.
+ Reported by Jan Schampera. File: util/valid_hostname.c.
+
+20100116
+
+ Documentation: the content_filter and FILTER features never
+ supported the special cases of transport_maps. References
+ to transport_maps syntax are now removed from content filter
+ discussions. Files: proto/postconf.proto, proto/FILTER_README.
+
+ Workaround: as of Postfix 2.3 the VRFY command did not allow
+ a mailbox address inside <>, which broke expectations. RFC
+ 2821 (and 5321) is vague about the VRFY request format, but
+ spends lots of text on the reply format. File: smtpd/smtpd.c.
+
+20100117
+
+ Cleanup: when a content_filter parameter or FILTER command
+ specifies an empty next-hop destination, the queue manager
+ now uses the recipient domain instead of $myhostname. Specify
+ "default_filter_nexthop = $myhostname" for compatibility
+ with Postfix 2.6 and earlier, or specify a non-empty next-hop
+ filter destination. Files: *qmgr/qmgr_message.c proto/access,
+ proto/header_checks, proto/postconf.proto, proto/FILTER_README.
+
+20100120
+
+ Cleanup: detect illegal pipelining after HELO, EHLO. File:
+ smtpd/smtpd.c.
+
+20100128
+
+ Documentation: streamlined the decriptions of protocol and
+ cipher tweaks. Victor Duchovni. Files: proto/TLS_README,
+ proto/postconf.proto.
+
+20100131
+
+ Documentation: the address verification database is now
+ persistent by default. This, combined with the now default
+ stress-dependent configuration, improves the performance
+ limits and simplifies database maintenance. Files:
+ proto/ADDRESS_VERIFICATION_README, verify/verify.c.
+
+ Cleanup: undo the proxymap and trivial-rewrite max_idle=1s
+ override that was introduced with Postfix 2.3. It did not
+ help to retire long-lived proxymap or trivial-rewrite
+ processes on busy servers, and worsened performance on
+ low-traffic servers. The reduced ipc_ttl value (introduced
+ with Postfix 2.4) already solves the problem of retiring
+ long-lived proxymap or trivial-rewrite processes. Files:
+ proxymap/proxymap.c, trivial-rewrite/trivial-rewrite.c.
+
+20100202
+
+ Documentation: major revision of SASL_README with many
+ details on how to configure Cyrus SASL internals. Patrick
+ Koetter. File: proto/SASL_README.html
+
+20100204
+
+ Feature: added "forward_secrecy" option for Cyrus SASL.
+ File: xsasl/xsasl_cyrus_security.c.
+
+20100206
+
+ Bugfix (from day zero): the local delivery agent returned
+ undeliverable mail to the envelope sender instead of the
+ owner- alias, when delivering to command or file. This
+ reuses the workaround that was implemented to report a
+ Delivered-To: loop. Files: local/file.c, local/command.c,
+ local/recipient.c, local/bounce_workaround.c.
+
+20100209
+
+ The tcp_table(5) interface is now part of the stable release.
+ The last protocol change was in Postfix 2.1. File:
+ util/dict_open.c.
+
+20100305
+
+ Feature: reject_rhsbl_reverse_client, to reject a remote
+ SMTP client based on its unverified reverse hostname. Code
+ by Noel Jones. Files: smtpd/smtpd_check.c, proto/postconf.proto.
+
+ Feature: smtp_address_preference (default: ipv6) to control
+ the order in which the Postfix SMTP client will connect to
+ a destination that has IPv6 and IPv4 addresses with equal
+ MX preference. Files: global/mail_params.h, smtp/smtp.c,
+ smtp/smtp_params.c, smtp/smtp_addr.c, dns/dns_rr.c,
+ and documentation.
+
+20100321
+
+ Feature: allow Milter applications to use a lower protocol
+ version than the version that Postfix is configured for.
+ Based on an idea by Kouhei Sutou. File: milter/milter8.c.
+
+20100322
+
+ Bugfix (introduced 20100305) the new smtp_address_preference
+ feature was not tested with LMTP support. Problem reported
+ by Stefan Foerster. File: smtp/smtp.c.
+
+20100407
+
+ Bugfix (introduced 20100305): reject_rhsbl_reverse_client
+ was skipped if the forward-confirmed reverse DNS (FCRDNS)
+ remote SMTP client hostname was "unknown". Victor Duchovni.
+ File: smtpd/smtpd_check.c.
+
+20100422
+
+ Workaround (introduced: postfix-19990906 a.k.a. Postfix
+ 0.8.0). The Postfix local delivery agent did not properly
+ distinguish between "address has no extension" and "address
+ has an extension, but the extension is invalid". In both
+ cases it would run only the full recipient local-part through
+ the alias maps. Instead, it now drops the faulty extension
+ from the recipient address local-part (it would be too
+ error-prone to replace all tests for "no extension" by tests
+ for "no valid extension". File: local/recipient.c.
+
+20100430
+
+ Feature: customized hard/soft reject responses by Jason
+ Parsons. File: smtpstone/smtp-sink.c.
+
+20100515
+
+ Bugfix (introduced Postfix 2.6): the Postfix SMTP client
+ XFORWARD implementation did not skip "unknown" SMTP client
+ attributes, causing a syntax error when sending a PORT
+ attribute. Reported by Victor Duchovni. File: smtp/smtp_proto.c.
+
+20100526
+
+ Cleanup: a unit-test driver was not updated after an internal
+ API change. Vesa-Matti J Kari File: milter/milter.c.
+
+20100529
+
+ Portability: OpenSSL 1.0.0 changes the priority of anonymous
+ cyphers. Victor Duchovni. Files: postconf.proto,
+ global/mail_params.h, tls/tls_certkey.c, tls/tls_client.c,
+ tls/tls_dh.c, tls/tls_server.c.
+
+ Portability: Mac OS 10.6.3 requires <arpa/nameser_compat.h>
+ instead of <nameser8_compat.h>. Files: makedefs, util/sys_defs.h,
+ dns/dns.h.
+
+20100531
+
+ Robustness: skip LDAP queries with non-UTF-8 search strings
+ (in anticipation of UTF8SMTP support). File: global/dict_ldap.c.
+
+ Strict UTF-8 validator per RFC 3629. File: util/valid_utf8_string.c.
+
+20100601
+
+ Cleanup: Postfix LDAP client support for RFC 2255 LDAP URLs.
+ Victor Duchovni. Files: proto/ldap_table global/dict_ldap.c.
+
+ Safety: Postfix processes log a warning when a matchlist
+ has a #comment at the end of a line (for example mynetworks
+ or relay_domains). File: util/match_list.c.
+
+ Portability: Berkeley DB 5.x has the same API as Berkeley
+ DB 4.1 and later. File: util/dict_db.c.
+
+20100610
+
+ Bugfix (introduced Postfix 2.2): Postfix no longer appends
+ the system default CA certificates to the lists specified
+ with *_tls_CAfile or with *_tls_CApath. This prevents
+ third-party certificates from getting mail relay permission
+ with the permit_tls_all_clientcerts feature. Unfortunately
+ this may cause compatibility problems with configurations
+ that rely on certificate verification for other purposes.
+ To get the old behavior, specify "tls_append_default_CA =
+ yes". Files: tls/tls_certkey.c, tls/tls_misc.c,
+ global/mail_params.h. proto/postconf.proto, mantools/postlink.
+
+20100615
+
+ Cleanup: the master no longer logs "process P killed with
+ signal S" when it shuts down a running service (for example,
+ the service is removed from master.cf, or the service is
+ disabled via the main.cf master_service_disable parameter).
+ File: master/master_spawn.c.
+
+20100617
+
+ Feature: read-only sqlite support based on code by Axel
+ Steiner and documentation by Jesus Garcia Crespo. Files:
+ conf/postfix-files, mantools/postlink, proto/DATABASE_README.html,
+ proto/Makefile.in, proto/INSTALL.html, proto/mysql_table,
+ proto/pgsql_table, proto/sqlite_table, proto/SQLITE_README.html,
+ global/Makefile.in, global/mail_dict.c, global/dict_sqlite.c,
+ global/dict_sqlite.h, postconf/postconf.c, postfix/postfix.c.
+
+20100618
+
+ Cleanup: SQLite read-only driver and documentation. Files:
+ global/dict_sqlite.c, proto/mysql_table, proto/SQLITE_README.html.
+
+20100707
+
+ Completed the 20100610 bugfix. File: tls/tls_misc.c.
+
+20100714
+
+ Compatibility with Postfix < 2.3: fix 20061207 was incomplete
+ (undoing the change to bounce instead of defer after
+ pipe-to-command delivery fails with a signal). Fix by Thomas
+ Arnett. File: global/pipe_command.c.
+
+20100715
+
+ Convenience: "postconf name=value ..." is now equivalent to
+ "postconf -e name=value ...". File: postconf/postconf.c.
+
+20100724
+
+ Feature: INFO header/body_checks action for non-warning
+ messages (for example, to log all Milter-inserted headers).
+ File: global/header_body_checks.c, proto/header_checks.
+
+ Cleanup: after-filter Postfix SMTP servers now log before-filter
+ queue IDs. For this, the XFORWARD protocol was extended
+ with an IDENT attribute for the before-filter queue ID.
+ This code was started in Postfix 2.1, but it was never
+ finished due to time constraints. Files: smtpd/smtpd.[hc]
+ smtpd/smtpd_proxy.c, smtpd/smtpd_sasl_proto.c,
+ *qmgr/qmgr_message.c, *qmgr/qmgr_deliver.c,
+ global/deliver_request.[hc], global/mail_proto.h,
+ global/deliver_pass.c, smtp/smtp_proto.c.
+
+20100727
+
+ Bugfix: the milter_header_checks parser provided only the
+ actions that change the message flow (reject, filter,
+ discard, redirect) but disabled the non-flow actions (warn,
+ replace, prepend, ignore, dunno, ok). File:
+ cleanup/cleanup_milter.c.
+
+20100827
+
+ Performance: fix for poor smtpd_proxy_filter TCP performance
+ over loopback (127.0.0.1) connections. Problem reported by
+ Mark Martinec. Files: smtpd/smtpd_proxy.c.
+
+ Bugfix: the Postfix SMTP client no longer appends the local
+ domain when looking up a DNS name without ".". Specify
+ "smtp_dns_resolver_options = res_defnames" to get the old
+ behavior, which can produce unexpected results. Files:
+ smtp/smtp.c, smtp/smtp_params.c, smtp/smtp_addr.c.
+
+20100828
+
+ Refactoring: postscreen source code broken up into multiple
+ files, and identifiers updated to match changes in their
+ purpose. This will be the baseline for adding support for
+ DNSBL weighting, then a dummy engine to collect forensic
+ evidence with the option of future protocol checks. Files:
+ postscreen/*.[hc], Makefile.in.
+
+20100829
+
+ Postscreen DNSBL support for optional fixed-string filters
+ and optional integral weight factors (use negative weights
+ for whitelisting). See RELEASE_NOTES and postconf(5) for
+ details. Files: postscreen/postscreen_dnsbl.c,
+ proto/postconf.proto, mantools.postlink, global/mail_params.h.
+
+ Incompatibility: the postscreen-to-dnsblog protocol was
+ changed to support DNSBL query result filters. Use "postfix
+ reload" after installing the new version otherwise the
+ dnsblog(8) server may complain.
+
+20100830
+
+ Polished the postscreen documentation and comments to clarify
+ the user interface and implementation. No code changes.
+
+20100831-910
+
+ Restructured postscreen and added support for a dummy SMTP
+ protocol engine. This engine logs rejected attempts to
+ deliver mail with helo/sender/recipient information, and
+ implements deep protocol tests. The first deep protocol
+ test is for command pipelining, where a client sends multiple
+ commands instead of waiting for the server to respond to
+ each command. The second one implements the Postfix SMTP
+ server's smtpd_forbidden_commands feature. Files:
+ postscreen/*.[hc]. See RELEASE_NOTES, postconf(5) and
+ postscreen(8) for incompatibilities, features, and configuration
+ parameters.
+
+20100910
+
+ Feature: boolean configuration parameters with string-valued
+ defaults, so that they can be subject to macro expansions.
+ This was needed to make some postscreen parameter defaults
+ to the values of the corresponding smtpd parameters. Files:
+ global/mail_conf.h, global/mail_conf_nbool.c,
+ master/event_server.c, master/mail_server.h, master/multi_server.c,
+ master/single_server.c, master/trigger_server.c,
+ postconf/extract.awk, postconf/postconf.c.
+
+20100911
+
+ Feature: texthash read-only database. This is similar to
+ hash: files, except that you don't need to run the postmap(1)
+ command before you can use the file, and that it does not
+ detect changes after the file is read. All information is
+ read into memory. Files: util/dict_open.c, util/dict_thash.[hc],
+ proto/DATABASE_README.html, postconf/postconf.c
+
+20100912
+
+ Feature: bare newline detection in postscreen. Real spambots
+ don't make this mistake anymore, but poorly-written software
+ still does. File: postscreen/smtpd.c.
+
+ Documentation: POSTSCREEN_README including instructions for
+ turning postscreen(8) on without blocking mail, and more.
+ Trimmed the text in the postscreen(8) manpage. File:
+ proto/POSTSCREEN_README.html, postscreen/postscreen.c.
+
+20100914
+
+ Cleanup: the "postscreen_greet_wait" delay now ends as soon
+ as both the pregreet and DNSBL tests complete (the postscreen
+ documentation mentions in history/credits that the program
+ started as a crude prototype). The default postscreen_dnsbl_ttl
+ caching time is now reduced to 1h from 24h, allowing
+ postscreen to catch up on DNSBL updates more quickly. If
+ this increases the database update frequency too much then
+ we'll need to make dnsbl result non-cachable. Files:
+ postscreen/postscreen_dnsbl.c, global/mail_params.h.
+
+20100915
+
+ Bugfix (introduced 20100914): missing precondition for
+ call-back notification. File: postscreen/postscreen_dnsbl.c.
+
+ Bugfix (introduced 20100914): the "postscreen_greet_wait"
+ delay speedup worked only for DNSBL listed sites. File:
+ postscreen/postscreen_dnsbl.c.
+
+ Workaround: better handling of pregreeting spambots. The
+ postscreen built-in SMTP engine no longer sends a 220 banner
+ to a client that falls into the pregreet trap. This eliminates
+ many "NON-SMTP COMMAND" records in postscreen logging, as
+ the SMTP client and server no longer get out of sync. It
+ also results in better logging of sender/recipient information.
+ File: postscreen/postscreen_smtpd.c.
+
+20100916
+
+ Cleanup: postscreen now uses the first responding DNSBL
+ name in the "5.7.1 Service unavailable" reply, instead of
+ the last responding one. File: postscreen/postscreen_dnsbl.c.
+
+ Cleanup: the 20100914 "postscreen_greet_wait" speedup did
+ not happen as often as it should, because some older code
+ still turned on PREGREET tests gratuitously, causing a full
+ greet-wait delay. File: postscreen/postscreen_tests.c.
+
+ Cleanup: to avoid "address in use" problems, postscreen now
+ closes the listening socket after "postfix stop". It also
+ closes the socket after "postfix reload" but that does not
+ hurt. Files: master/event_server.c, master/multi_server.c.
+
+ Cleanup: postscreen now logs CONNECT and DISCONNECT events.
+ Files: postscreen/postscreen.c, postscreen/postscreen_misc.c.
+
+20100917
+
+ Bugfix: cut-and-paste error. Postscreen used pregreet_ttl
+ instead of dnsbnl_ttl. File: postscreen/postscreen_early.c.
+
+20100920
+
+ Cleanup: minor cleanups and invisible fixes. Files:
+ postscreen/postscreen_misc.c, postscreen/postscreen.h,
+ postscreen/postscreen_tests.c.
+
+ Feature: preliminary postscreen penalty mechanism. Basic
+ idea: when a client exceeds some threshold, don't allow it
+ to pass any tests until the penalty expires. Penalties
+ provide a way to slow down clients without blocking mail
+ permanently. Files: postscreen/postscreen_misc.c,
+ postscreen/postscreen_tests.c, postscreen/postscreen.c.
+
+ A first application of the postscreen penalty mechanism
+ triggers on clients that make brief connections to find out
+ if the mail server is up. With "postscreen_early_hangup_penalty
+ = 600" they will disqualify themselves for 10 minutes.
+ Unfortunately, this behavior is used by legitimate bulk
+ mail services. This application was removed 20101103. The
+ penalty mechanism itself is left in place as #ifdef NONPROD.
+
+20100923
+
+ Cleanup: renamed MUMBLE_FLAG_MUMBLE aggregates to
+ MUMBLE_MASK_MUMBLE for consistency with other Postfix code.
+ Files: postscreen/*.[hc].
+
+20100930
+
+ Cleanup: flag PIPELINING errors with NOOP and VRFY. File:
+ smtpd/smtpd.c.
+
+20101006
+
+ Bugfix (introduced: 20100914) dangling pointer when a client
+ makes N > 1 simultaneous connections and closes M < N
+ connections before postscreen has delivered the DNSBL score
+ to the corresponding pseudothreads. In practice the pointer
+ will refer to a block of 0xff bytes; the program terminates
+ with a segmentation violation, and is restarted immediately
+ by the master daemon. Files: postscreen/postscreen_early.c,
+ postscreen/postscreen_dnsbl.c.
+
+ Cleanup: avoid repeated delivery to mailing list members
+ with pathological nested alias configurations. The local(8)
+ delivery agent now keeps the owner-alias attribute of the
+ parent alias, when delivering mail to a child alias that
+ does not have its own owner alias. With this change, local
+ addresses from that child alias will be written to a new
+ queue file, and a temporary error with one local address
+ will no longer result in repeated delivery to other mailing
+ list members. Specify "reset_owner_alias = yes" for the
+ older behavior. File: local/alias.c.
+
+20101007
+
+ Bugfix (introduced: 2100923): duplicate "PASS OLD" logging.
+ File: postscreen/postscreen_misc.c.
+
+20101008
+
+ Cleanup: dnsblog now logs "addr X listed by domain Y as Z"
+ instead of "addr X blocked by domain Y as Z", because the
+ service may be used for whitelist lookups. File:
+ dnsblog/dnsblog.c.
+
+20101023
+
+ Cleanup: don't apply reject_rhsbl_helo to non-domain forms
+ such as network addresses. This would cause false positives
+ with dbl.spamhaus.org. File: smtpd/smtpd_check.c.
+
+20101103
+
+ Cleanup: new qmgr_ipc_timeout parameter (default: 60s) to
+ override the system-wide ipc_timeout setting (default:
+ 3600s). The shorter timeout allows the queue manager to
+ reset a deadlocked IPC connection before the watchdog timer
+ goes off. Files: *qmgr/qmgr.c.
+
+ Cleanup: new qmgr_daemon_timeout parameter (default: 1000s)
+ to make the hard-coded 1000s watchdog timeout configurable.
+ Files: *qmgr/qmgr.c.
+
+ Cleanup: request default DSN notification when adding a
+ recipient with smfi_addrcpt, instead of requesting "never
+ notify" as with Postfix automatically-added BCC recipients.
+ Files: cleanup/cleanup_addr.c, cleanup/cleanup.h,
+ cleanup/cleanup_milter.c.
+
+20101105
+
+ Feature: DNS whitelist support in the Postfix SMTP server.
+ permit_dnswl_client whitelists a client by IP address, and
+ permit_rhswl_client whitelists a client by its hostname.
+ The syntax is the same as reject_rbl_client etc., but the
+ result is PERMIT instead of REJECT. For safety reasons,
+ permit_xxx_client are silently ignored when they would
+ override reject_unauth_destination. The result is
+ DEFER_IF_REJECT when DNSWL lookup fails. The implementation
+ is based on a design documented by Noel Jones (August 2010).
+ File: smtpd/smtpd_check.c.
+
+20101108
+
+ Workaround: strip off IPv6 datalink suffix from peer address
+ to avoid problems with strict address checking code. Files:
+ smtpd/smtpd_peer.c, qmqpd/qmqpd_peer.c.
+
+20101114
+
+ Robustness: postscreen(8) now implements a time limit on
+ reading an entire command, instead of a time limit for
+ reading individual characters. File: postscreen/postscreen_smtpd.c.
+
+20101023
+
+ Cleanup: don't apply reject_rhsbl_helo to non-domain forms
+ such as network addresses. This would cause false positives
+ with dbl.spamhaus.org. File: smtpd/smtpd_check.c.
+
+20101117
+
+ Bugfix: the "421" reply after Milter error was overruled
+ by Postfix 1.1 code that replied with "503" for RFC 2821
+ compliance. We now make an exception for "final" replies,
+ as permitted by RFC. Solution by Victor Duchovni. File:
+ smtpd/smtpd.c.
+
+20101124-6
+
+ Feature: pattern matching for DNSWL/DNSBL responses. For
+ example, with "reject_rbl_client example.com=d.d.d.d", each
+ "d" can now be a pattern inside "[]" that contains one or
+ more comma-separated decimal numbers or number..number
+ ranges. Files: smtpd/smtpd_check.c, postscreen/postscreen_dnsbl.c,
+ util/ip_match.c, util/ip_match.h.
+
+20101126
+
+ Cleanup: don't log "blocked using example.com=127.0.0.1",
+ just log the domain name. File: smtpd/smtpd_check.c.
+
+20101129
+
+ Cleanup: postscreen_client_connection_count_limit (default:
+ $smtpd_client_connection_count_limit) to limit the number
+ of connections from the same IP address to the postscreen(8)
+ daemon. Files: postscreen/postscreen.c, postscreen/postscreen.h,
+ postscreen/postscreen_state.c.
+
+20101130
+
+ Cleanup: all postscreen(8) logging now reports the client
+ as [address]:port. This requires an update of tools that
+ process postscreen logging. Files: postscreen/*.c,
+ proto/POSTSCREEN_README.html.
+
+ Cleanup: polishing recent documentation and code. Files:
+ postscreen/postscreen_dnsbl.c, util/ip_match.c.
+
+20101201
+
+ Bugfix (introduced 20101129): broken default value for
+ postscreen_client_connection_count_limit if the
+ smtpd_client_connection_count_limit parameter was left at
+ its default. File: postscreen/postscreen.c.
+
+ Workaround: BSD-ish mkdir() ignores the effective GID
+ and copies group ownership from the parent directory.
+ File: util/make_dirs.c.
+
+20101202
+
+ Feature: the LDAP client can now authenticate to LDAP servers
+ via SASL. This is tested with SASL GSSAPI and Kerberos 5.
+ Original code by Quanah Gibson-Mount adapted by Victor
+ Duchovni. Files: global/dict_ldap.c, proto/LDAP_README.html,
+ proto/ldap_table.
+
+ Cleanup: the cleanup server now reports a temporary delivery
+ error when it reaches the virtual_alias_expansion_limit or
+ virtual_alias_recursion_limit. Previously, it would silently
+ ignore the excess recipients and deliver the message. File:
+ cleanup/cleanup_map1n.c.
+
+20101205
+
+ Cleanup: sache_clnt_create() had an unnecessary data
+ dependency on the non-library var_scache_service variable,
+ causing problems with shared library builds. Instead, it
+ should use its service argument (which has the same value).
+ File: global/scache.c.
+
+ Cleanup: pipe_command.c had an unnecessary data dependency
+ on the non-library var_command_maxtime variable, causing
+ problems with shared library builds. The dependency was not
+ necessary because the callers already specify an explicit
+ time limit. File: global/pipe_command.c.
+
+20101206
+
+ Bugfix (introduced 20101205): postscreen hung up due to
+ incorrect output error test. File: postscreen/postscreen_send.c.
+
+20101207
+
+ Cleanup: the undisclosed_recipients_header default value
+ is now the empty string. The Internet mail RFCs have supported
+ messages without recipient header for almost 10 years now.
+ File: global/mail_params.h.
+
+ Cleanup: use strtol() instead of sscanf() for consistent
+ handling of out-of-range numbers. Files: global/cfg_parser.c,
+ global/conv_time.c, global/mail_conf_int.c,
+ global/mail_conf_long.c, global/mail_conf_nint.c.
+
+20101217
+
+ Cleanup: eliminated the code that copied TLS protocol
+ messages between the OpenSSL TLS engine and the network.
+ This change hopefully simplifies the TLS library enough
+ that it can be used in an event-driven TLS proxy in front
+ of postscreen. Files: tls/tls_bio.c, tls/tls_server.c,
+ tls/tls_client.c.
+
+ This change eliminates an obscure bug where the SMTP server
+ would wait for another $smtpd_timeout seconds after sending
+ the "421 Error: timeout exceeded" message to the client.
+
+20101221
+
+ Cleanup: simplified the VSTREAM "large buffer" support by
+ dropping the Postfix 2.4 "binary compatibility" requirement.
+ Files: util/vstream.c, util/vstream.h.
+
+20101222
+
+ Cleanup: the SMTP client PIPELINING code did not account
+ for TLS protocol overhead. This could (only in theory)
+ result in deadlock when the remote SMTP server announces a
+ very small receive window after the client and server have
+ synchronized their SMTP state. Victor Duchovni. File:
+ smtp/smtp_proto.c.
+
+20101223
+
+ Feature: with "tls_preempt_cipherlist = yes" the Postfix
+ SMTP server will preempt the remote SMTP client's cipher
+ preference order. This requires OpenSSL 0.9.7 and later.
+ Victor Duchovni. Files: src/smtpd/smtpd.c, src/tls/tls_server.c,
+ proto/TLS_README.html, proto/postconf.proto.
+
+ Future proofing: specify "tls_disable_workarounds = a list
+ or bit-mask of OpenSSL bug work-arounds to disable". This
+ may become necessary when a bug workaround is found to cause
+ problems (security or interoperability). Victor Duchovni.
+ Files: tls/tls_misc.c, proto/TLS_README.html, proto/postconf.proto.
+
+ Infrastructure: extended name_mask module feature set with
+ extensive documentation and 32-bit regression tests. Victor
+ and Wietse. File: util/name_mask.[hc].
+
+20101224
+
+ Cleanup: sanitized the name_mask API so that errors will be
+ ignored only upon explicit request. Files: util/name_mask.[hc],
+ src/global/ehlo_mask.c, src/smtp/smtp_proto.c,
+ src/util/name_mask.c, src/xsasl/xsasl_dovecot_server.c.
+
+ Cleanup: more TLS overhead horrors for the SMTP client's
+ PIPELINING engine. Wietse and Victor. File: smtp/smtp_proto.c.
+
+20101226
+
+ Cleanup: the SMTP client logic for pipelining the "." and
+ "QUIT" commands was bogus - the pipelining engine could not
+ know how much unacknowledged data is pending in the local
+ TCP stack. We now ignore the buffer check for sending
+ "QUIT" after ".". Wietse and Victor. File: smtp/smtp_proto.c.
+
+20110101
+
+ Cleanup: the Postfix SMTP server now always refreshes the
+ SASL authentication mechanism list after STARTTLS. Some
+ Dovecot versions may change their responses when they know
+ that the SMTP connection is encrypted. File: smtpd/smtpd.c.
+
+ Cleanup: the smtpd_starttls_timeout default value is now
+ stress-dependent. Files: global/mail_params.h,
+ proto/postconf.proto.
+
+ Compatibility: postscreen_discard_ehlo_keyword(s|maps)
+ support for compatibility with smtpd_discard_ehlo_keyword(s|maps).
+ Files: postscreen/postscreen_smtpd.c.
+
+20110102
+
+ Feature: STARTTLS support for the postscreen(8) daemon.
+ With early testing feedback from Victor Duchovni and Ralf
+ Hildebrandt. Files: postscreen/postscreen_smtpd,
+ postscreen/postscreen_starttls.c.
+
+ Feature: event-driven tlsproxy(8) daemon that translates
+ TLS <=> plaintext for postscreen(8). One tlsproxy(8) process
+ can translate traffic for multiple remote SMTP clients.
+ With early testing feedback from Victor Duchovni and Christian
+ Roessner. Files: util/nbbio.[hc], tlsproxy/*.[hc],
+ postscreen/postscreen_starttlsd.c, postscreen/postscreen_smtpd.c.
+
+20110103
+
+ Cleanup: missing tls_level support in tlsproxy (it has no
+ way to send plaintext, but perhaps an informative error
+ message is in order anyway). File: tlsproxy/tlsproxy.c.
+
+ Cleanup: simplified the handling of throttled output (i.e.
+ output that can't be sent because the receiver tries to be
+ nasty). File: postscreen/postscreen_send.c.
+
+20110104
+
+ Feature: add contact information to each SMTP server reject
+ message. For example, "smtpd_reject_footer = call 800-555-0101
+ for assistance", with macro expansion and with multi-line
+ support. Files: global/mail_params.h, mantools/postlink,
+ proto/postconf.proto, smtpd/smtpd.c, smtpd/smtpd_chat.c,
+ smtpd/smtpd_expand.[hc], util/mac_expand.[hc].
+
+20110105
+
+ Cleanup: the forest of TLS-related booleans was shrunk.
+ Victor Duchovni. Files: smtpd/smtpd.c, postscreen/postscreen.c,
+ postscreen/postscreen_smtpd.c, tlsproxy/tlsproxy.c.
+
+ Non-production: tlsproxy support in the Postfix SMTP server
+ for stress testing of the tlsproxy daemon (#ifdef TLSPROXY).
+ Seen from outside, Postfix works just as if it has TLS
+ support built into in smtpd(8). Files: smtpd/smtpd.c,
+ tls/tls_proxy*.[hc], tlsproxy/tlsproxy.c, util/vstream.[hc].
+
+ Bugfix (introduced with the Postfix TLS patch): discard
+ plaintext following the STARTTLS command or response. This
+ matters only for the minority of SMTP clients that actually
+ verify server certificates. Files: smtpd/smtpd.c,
+ smtp/smtp_proto.c.
+
+20110106
+
+ Non-production: cleaned up the tlsproxy support in the
+ Postfix SMTP server for stress testing of the tlsproxy
+ daemon (still #ifdef TLSPROXY). File: smtpd/smtpd.c.
+
+20110107
+
+ Cleanup: smtpd_reject_contact_information is renamed to
+ smtpd_reject_footer, because it can be used for non-contact
+ information.
+
+ Compatibility: postscreen_reject_footer support for
+ compatibility with smtpd_reject_footer. Files:
+ global/smtp_reply_footer.[hc], global/mail_conf.[hc],
+ postscreen/postscreen_expand.c, postscreen/postscreen_send.c,
+ postscreen/postscreen.c, smtpd/smtpd_chat.c.
+
+ Compatibility: postscreen_command_filter support for
+ compatibility with smtpd_command_filter. Files:
+ postscreen/postscreen_dict.c, postscreen/postscreen_smtpd.c
+
+20110108
+
+ Cleanup: postscreen(8) now displays control characters in
+ PREGREET responses as C-style \letter escapes, instead of
+ "?". File: postscreen/postscreen_early.c.
+
+20110109
+
+ Cleanup: Solaris support for "pass" (file descriptor passing
+ based) services in master.cf. This was needed by postscreen(8).
+ Also, renamed upass_xxx.c to unix_pass_xxx.c. One-character
+ prefixes are too short. Removed upass_connect.c because it
+ was useless code. Files: util/stream_pass_connect.c,
+ util/unix_pass_listen.c, util/unix_pass_trigger.c.
+
+ Bugfix (introduced Postfix 2.4): on Solaris the Postfix
+ event engine was deaf for SIGHUP and SIGALRM signals after
+ the switch to /dev/poll. Symptoms were delayed "postfix
+ reload" response, and killed processes when the watchdog
+ timeout was less than max_idle. The fix is to set up SIGHUP
+ and SIGALRM handlers that write to a pipe, and to monitor
+ that pipe for read events via the Postfix event engine.
+ Files: master/master_sig.c, util/watchdog.c, util/sys_defs.h.
+
+20110111
+
+ Cleanup: replaced the postscreen(8) separate blacklist and
+ whitelist lookup tables by one postscreen_access_list table.
+ See postconf(5) and POSTSCREEN_README for examples. Files:
+ postscreen/postscreen_access.c, postscreen/postscreen.c,
+ proto/postconf.proto, proto/POSTSCREEN_README.html.
+
+20110112
+
+ Cleanup: suspend/resume logic for postscreen(8) SMTP sessions
+ that temporarily switch control to an external program such
+ as tlsproxy, or perhaps a future policy plugin. Files:
+ postscreen/postscreen_smtpd, postscreen/postscreen_starttls.c.
+
+20110113
+
+ Cleanup: ps_cache and psc_cache are now postscreen_cache.
+ There is no need for obscure name abbrevations. File:
+ src/global/mail_params.h.
+
+20110115
+
+ Workaround: malloc fuzz (safety margin for malloc requests).
+ Files: util/sys_defs.h, util/mymalloc.c.
+
+ Cleanup: dnsblog_service_name and tlsproxy_service_name are
+ now configurable, in case someone needs this. Files:
+ global/mail_params.h, postscreen/postscreen.c, mantools/postlink,
+ proto/postconf.proto.
+
+20110116
+
+ Cleanup: soft_bounce support for postscreen(8). Files:
+ postscreen/postscreen_smtpd.c, postscreen/postscreen_send.c.
+
+ Cleanup: for smtpd(8) compatibility, postscreen(8) now
+ strips deprecated route address prefixes from email addresses
+ (@here,@there:user@example becomes user@example). This is
+ primarily to make postscreen(8) logging more similar to
+ that of smtpd(8). File: postscreen/postscreen_smtpd.c.
+
+ Cleanup: documentation, in preparation for the Postfix 2.8
+ stable release.
+
+20110117
+
+ Bugfix (introduced Postfix alpha, or thereabouts): on HP-UX
+ the Postfix event engine was deaf for SIGALRM signals.
+ Symptoms were killed processes when the watchdog timeout
+ was less than max_idle. The fix is the same as Solaris fix
+ 20110109. Since we can't know what other systems need this,
+ the workaround is enabled by default. Files: util/sys_defs.h.
+
+ Cleanup: "smtpd_tls_eecdh_grade = strong" by default, instead
+ of snapshot-only. File: global/mail_params.h, proto/postconf.proto.
+
+ Cleanup: missing "#include <errno.h>" in util/watchdog.c.
+
+ Bugfix: when compiled without -DUSE_TLS, tlsproxy used the
+ wrong server skeleton (multi_server instead of event_server).
+ File: tlsproxy/tlsproxy.c.
+
+ Workaround: added a panic check for code that is mis-compiled
+ by the HP-UX compiler. File: postscreen/postscreen.c,
+ postscreen/postscreen.h, postscreen/postscreen_state.c.
+
+20110118
+
+ Bugfix: the tls_disable_workarounds word list only included
+ workarounds in SSL_OP_ALL. Problem report by Steve Jenkins,
+ problem fix by Victor Duchovni. File: tls/tls_misc.c.
+
+ Last-minute incompatible syntax change: Postfix now uses
+ ";" instead of "," to separate DNSBL/DNSWL address filter
+ fields inside "[]". The compatibility break is not an issue,
+ because the syntax never worked in main.cf. Problem reported
+ by Mark Martinec. Files: util/ip_match.c, util/ip_match.in,
+ util/ip_match.ref, proto/postconf.proto.
+
+ Cleanup: postscreen now monitors the AVERAGE latency of
+ table access, and complains at most once per minute. File:
+ postscreen/postscreen_dict.c.
+
+ Bugfix: support for the "dunno" command somehow disappeared
+ from the postscreen_access_list implementation. File:
+ postscreen/postscreen_access.c.
+
+20110123
+
+ Feature: read/write deadlines. Deadlines were introduced
+ with postscreen's dummy SMTP engine. In the Postfix SMTP
+ client and server, deadlines limit the total amount of time
+ to read or write one command line, one response line, or
+ one line of message content. This reduces the impact of
+ application exhaustion attacks that trickle data one byte
+ at a time. Files: util/vstream.[hc], global/smtp_stream.c.
+
+ Cleanup: remove #ifdef MIGRATION_WARNING transitional code
+ from postscreen. File: postscreen/postscreen.c.
+
+20110125
+
+ Cleaned up and finalized read/write deadline support. Once
+ this code has been fielded it can go into Postfix 2.8.1,
+ and made available as optional patch for earlier releases.
+ Further refinements have only diminishing returns and can
+ evolve in the 2.9 release cycle. File: util/vstream.c.
+
+20110128
+
+ Infrastructure: separate VSTREAM flags for read or write
+ errors. Files: util/vbuf.[hc], util/vstream.[hc].
+
+ Cleanup: after write error, the smtp_stream routines now
+ disable further network writes. This eliminates the need
+ for clumsy code to avoid unwanted I/O while shutting down
+ a TLS engine or closing a VSTREAM. File: util/smtp_stream.c.
+
+20110201
+
+ Cleanup: when verifying that the client_address->client_name
+ lookup result resolves to the client_address, request
+ hostname->address lookup with the same protocol family (IPv4
+ or IPv6) as the client_address. Files: util/myaddrinfo.[hc],
+ smtpd/smtpd_peer.c, qmqpd/qmqpd_peer.c.
+
+20110205
+
+ Infrastructure: vstream_peek_data() primitive to look ahead
+ at buffered input. Use vstream_peek() to find out how much,
+ and escape() for human presentation. Files: util/vstream.[hc].
+
+ Cleanup: smtpd(8) and postscreen(8) now log the input that
+ triggers an SMTP command pipelining violation. File:
+ postscreen/postscreen_smtpd.c, smtpd/smtpd.c.
+
+ Infrastructure: smtp_get() option to skip over input in
+ excess of the line length limit. Files: smtp/smtp_stream.[hc].
+
+ Cleanup: handle excessively-long client requests and server
+ responses more gracefully, i.e. without losing synchronization.
+ Files: smtpd/smtpd_chat.c, smtpd/smtpd_proxy.c, smtp/smtp_chat.c,
+ smtpstone/smtp-source.c.
+
+20110207
+
+ Bugfix (introduced Postfix 2.8): segfault with smtpd_tls_loglevel
+ >= 3. Files: tls/tls_server.c, tls.h, smtpd.c, tlsproxy.c.
+
+ Cleanup: read/write deadline support for single_server TLS
+ applications (i.e. smtpd(8), smtp(8)). File: tls/tls_bio_ops.c.
+
+20110212
+
+ Infrastructure: run-time switch for read/write deadline
+ support. Files: util/vstream.[hc], global/smtp_stream.[hc],
+ tls/tls_bio_ops.c.
+
+ Cleanup: configurable read/write deadline support with
+ smtpd_per_record_deadline (normal: "no", overload: "yes")
+ and smtp_per_record_deadline (default: "no"). Files:
+ global/mail_params.h, smtpd/smtpd.c, smtp/smtp.c,
+ smtp/smtp_proto.c, proto/postconf.proto, mantools/postlink.
+
+20110213
+
+ Workaround: the TLS library passes the same information via
+ different function arguments, and this same information is
+ maintained by different functions, so things get out of
+ step when code is updated. As of 20110212, tls_client_start()
+ needs to set the VSTREAM property of the TLS session object.
+ File: tls/tls_client.c.
+
+20110215
+
+ Human factors: the FCRDNS (forward-confirmed reverse DNS)
+ checking code now logs "hostname X does not resolve to
+ address Y", when a "reverse hostname" lookup result does
+ not resolve to the client IP address. Files: smtpd/smtpd_peer.c,
+ qmqpr/qmqpd_peer.c.
+
+20110216
+
+ Cleanup: don't log a "connection reset by peer" error when
+ postscreen(8) tries to send a server response. File:
+ postscreen/postscreen_send.c.
+
+20110218
+
+ Cleanup: Postfix now uses long integers for message_size_limit,
+ mailbox_size_limit and virtual_mailbox_limit. On LP64 (64-bit
+ long and pointer, but 32-bit integer) systems, these message
+ and mailbox limits can now exceed 2GB. Files: global/mail_params.c
+ global/mail_params.h local/local.c master/event_server.c
+ master/mail_server.h master/multi_server.c master/single_server.c
+ master/trigger_server.c virtual/virtual.c postconf/extract.awk
+ postconf/postconf.c.
+
+20110220
+
+ Cleanup: compiler gripe. File: util/vstream.c.
+
+20110223
+
+ Cleanup: Debian build tool gripe. File: smtpstone/smtp-sink.c.
+
+20110224
+
+ postscreen(8) support to enforce proper client MX lookup
+ policy. Some spambots connect first to a backup MX address
+ in the hope that the server has a weaker anti-spam policy.
+ By listening on both primary and backup MX addresses,
+ postscreen(8) can deny the temporary whitelist status to
+ clients that connect only to backup MX hosts, and prevent
+ them from talking to a Postfix SMTP server process.
+
+ For example, when 1.2.3.4 is a local backup IP address,
+ specify "postscreen_whitelist_interfaces = !1.2.3.4 static:all"
+ to disable dynamic whitelisting for clients that connect
+ (only) to the backup MX address. Files: mantools/postlink,
+ proto/postconf.proto, proto/POSTSCREEN_README.html,
+ global/mail_params.h, postscreen/postscreen.c,
+ postscreen/postscreen.h, postscreen/postscreen_state.c.
+
+20110225
+
+ Workaround (problem introduced with IPv6 support in Postfix
+ 2.2): the SMTP client did not support mail to [ipv6:ipv6addr].
+ Fix based on a patch by Gurusamy Sarathy (Sophos). File:
+ util/host_port.c and regression test files.
+
+20110227
+
+ Portability: FreeBSD closefrom() support time window. Sahil
+ Tandon. File: util/sys_defs.h.
+
+ Cleanup: each lookup table now has an owner status and UID
+ attributes for provenance purposes, even memory-resident
+ tables such as pcre, regexp and cidr. This fixes a problem
+ where local(8) ignored the non-root ownership of a regular
+ expression-based aliases(5) file. The table owner status
+ is TRUSTED (data straight from root-owned configuration
+ file), UNKNOWN (unauthenticated data from proxy or tcp) or
+ KNOWN (we actually have an owner UID). With most tables,
+ the owner UID is the file owner UID. With LDAP and *SQL,
+ the owner UID is the Postfix configuration file owner.
+ Files: src/util/dict_unix.c src/util/dict_thash.c
+ src/util/dict_static.c src/util/dict_sdbm.c src/util/dict_regexp.c
+ src/util/dict_pcre.c src/util/dict_nisplus.c src/util/dict_nis.c
+ src/util/dict_ni.c src/util/dict_ht.c src/util/dict_env.c
+ src/util/dict_dbm.c src/util/dict_db.c src/util/dict_cidr.c
+ src/util/dict_cdb.c src/util/dict_alloc.c src/util/dict.h
+ src/util/dict.c src/local/alias.c src/global/dict_sqlite.c
+ src/global/dict_pgsql.c src/global/dict_mysql.c
+ src/global/dict_ldap.c src/global/cfg_parser.h
+ src/global/cfg_parser.c.
+
+20110311
+
+ Feature: Base 32 encoder/decoder per RFC 4648. This code
+ was going to be used for long queue IDs, but plans were
+ changed. Files: src/util/base32_code.[hc].
+
+20110313
+
+ Bugfix (introduced Postfix 2.8): postscreen DNSBL scoring
+ error. When a client disconnected and then reconnected
+ before all DNSBL results for the earlier session arrived,
+ DNSBL results for the earlier session would be added to the
+ score for the later session. Problem report by Larry Vaden.
+ Files: dnsblog/dnsblog.c, postscreen/postscreen_dnsbl.c.
+
+ Cleanup: protocol description in dnsblog(8) manpage. File:
+ dnsblog/dnsblog.c.
+
+20110314
+
+ Portability: the SUN compiler had trouble with a pointer
+ expression of the form ``("text1" "text2") + constant'' so
+ we don't try to be so clever. Fix by Victor Duchovni. File:
+ global/mail_params.h.
+
+20110320
+
+ Feature: specify "enable_long_queue_ids = yes" to enable
+ support for non-repeating queue IDs (also used as queue
+ file names). These queue IDs encode the time and inode
+ number with a safe alphabet of the 52 characters 0-9B-Zb-z.
+ The alphabet excludes vowels (AEIOUaeiou) to avoid creating
+ real words. The queue ID format is: time in seconds, time
+ in microseconds, 'z', inode number (the inode number is
+ encoded without using the 'z' character of the safe alphabet).
+ Turning on long queue IDs changes the width of the first
+ output column of the mailq (postqueue -p) command, and
+ changes the appearance of Postfix Message-ID headers to
+ queueID@myhostname. Files: global/file_id.[hc],
+ global/safe_ultostr.[hc], global/mail_queue.[hc],
+ postsuper/postsuper.c, showq/showq.c
+
+20110321
+
+ Performance: with long queue file names, queue hashing now
+ produces the same result as with short names. Postfix uses
+ the hexadecimal representation of the file creation time
+ in microseconds, instead of the beginning of the file name
+ which changes once every year or so, a problem that was
+ reported by Victor Duchovni. The base 16 encoding gives
+ finer control over the number of directories than possible
+ with base 52 encoding. Files: global/mail_queue.[hc]. This
+ change requires "postfix reload".
+
+20110322
+
+ Cleanup: preserve the microseconds value when renaming
+ long->short or short->short queue file names. As a side
+ benefit, renaming long->short queue IDs will not change the
+ result from queue hashing. File: postsuper/postsuper.c.
+
+20110323
+
+ Bitrot: qshape regexp pattern for long queue file names.
+ Ralf Hildebrandt. File: auxiliary/qshape/qshape.pl.
+
+ Bitrot: text about queue ID reuse in the postsuper manpage.
+ File: postsuper/postsuper.c.
+
+20110328
+
+ Cleanup: don't log warnings about socket shutdown() errors
+ after a connection breaks. Postfix calls shutdown() to avoid
+ unnecessary socket write timeouts. This is only an optimization,
+ and failure is not critical. File: global/smtp_stream.c.
+
+20110411
+
+ Cleanup: postscreen(8) and verify(8) daemons now lock their
+ respective cache file exclusively upon open, to avoid massive
+ cache corruption by unsupported sharing. Files: util/dict.h,
+ util/dict_open.c, verify/verify.c, postscreen/postscreen.c.
+
+20110414
+
+ Bugfix (introduced with Postfix SASL patch 20000314): don't
+ reuse a server Cyrus SASL handle after authentication
+ failure. File: smtpd/smtpd_proto.c.
+
+20110418
+
+ Bugfix (introduced Postfix 2.3 and Postfix 2.7): the Milter
+ client reported some "file too large" errors as temporary
+ errors. Problem reported by Michael Tokarev. Files:
+ milter/milter8.c, cleanup/cleanup_milter.c.
+
+20110420
+
+ Performance: a high load of DSN success notification requests
+ could stall the queue manager. Solution: make the trace
+ client asynchronous, just like the bounce and defer clients.
+ Problem reported by Eduardo M. Stelmaszczyk of terra.com.br.
+ Files: global/abounce.[hc], *qmgr/qmgr_active.c (the
+ qmgr_active.c files are identical).
+
+20110421
+
+ Cleanup: updated abounce warning message, and added a safety
+ timeout to abounce() etc. requests. File: global/abounce.c.
+
+20110426
+
+ Bugfix (introduced in Postfix 1.1, duplicated in Postfix
+ 2.3, unrelated mistake in Postfix 2.7): the local(8) delivery
+ agent ignored table lookup errors in mailbox_command_maps,
+ mailbox_transport_maps, fallback_transport_maps and (while
+ bouncing mail to alias) alias owner lookup. Problem reported
+ by William Ono. Files: local/command.c, local/mailbox.c,
+ local/unknown.c, local/bounce_workaround.c.
+
+20110516
+
+ Update the warning when permit_naked_ip_address is used,
+ and add permit_sasl_authenticated to the list of suggested
+ alternatives. File: smtpd/smtpd_check.c.
+
+20110601
+
+ Bugfix (introduced Postfix 2.6 with master_service_disable)
+ loop control error when parsing a malformed master.cf file.
+ Found by Coverity. File: master/master_ent.c.
+
+20110602
+
+ Bugfix (introduced: Postfix 2.7): "sendmail -t" reported
+ "protocol error" after queue file write error. File:
+ postdrop/postdrop.c.
+
+20110605
+
+ Cleanup: removed the PSC_STATE_FLAG_CACHE_EXPIRED flag.
+ Nothing uses this anymore. Files: postscreen/postscreen.h,
+ postscreen/postscreen_state.c, postscreen/postscreen_tests.c.
+
+20110614
+
+ Linux kernel version 3 support. Linus Torvalds has reset
+ the counters for reasons not related to changes in code.
+ Files: makedefs, util/sys_defs.h.
+
+20110615
+
+ Workaround: some Spamhaus RHSBL rejects lookups with "No
+ IP queries" even if the name has an alphanumerical prefix.
+ We play safe, and skip both RHSBL and RHSWL queries for
+ names ending in a numerical suffix. File: smtpd/smtpd_check.c.
+
+20110624
+
+ Cleanup: added error checks for smtpd access primitives
+ that don't automatically terminate the program after table
+ lookup error: these primitives are permit_tls_clientcerts,
+ permit_tls_all_clientcerts, and check_address_map (the last
+ one is used in local_header_rewrite_clients only). File:
+ smtpd/smtpd_check.c.
+
+20110729
+
+ Workaround: some getpwnam() and getpwuid() implementations
+ cause mail to bounce ("user unknown") after LDAP etc. lookup
+ error. Postfix now uses POSIX getpwnam_r() and getpwuid_r()
+ where available. Initially, this workaround supports FreeBSD,
+ Solaris and Linux. Files: makedefs, util/sys_defs.h,
+ global/mypwd.[hc], local/alias.c, local/dotforward.c,
+ local/include.c, local/mailbox.c, local/recipient.c.
+
+20110731
+
+ MacOS X 10.5 supports POSIX getpwnam_r() and getpwuid_r()
+ (source: MacOS manpages at www.freebsd.org). If MacOS turns
+ out to make a false promise, then we will undo this change.
+ Files: makedefs, util/sys_defs.h.
+
+20110810
+
+ Cleanup: optimize an optimization to avoid uid->name lookup
+ when all users are authorized with authorized_submit_users,
+ authorized_mailq_users, authorized_flush_users. File:
+ global/user_acl.c.
+
+20110811
+
+ Workaround: report a {client_connections} Milter macro value
+ of zero instead of garbage, when the remote SMTP client is
+ not subject to any smtpd_client_* limits. Problem reported
+ by Christian Roessner. Files: smtpd/smtpd_state.c,
+ proto/MILTER_README.html.
+
+20110817
+
+ Cleanup: avoid misleading error messages after future code
+ change. The tls_bio_ops(3) module now returns non-zero errno
+ values only when requests fail due to a system-call error.
+ File: tls/tls_bio_ops.c.
+
+ Cleanup: TLS handshake error messages. The SMTP client and
+ server now report STARTTLS network errors as "connection
+ timed out", "connection reset by peer", etc., instead of
+ reporting TLS error number 0. Files: tls/tls_bio_ops.c,
+ tls/tls_server.c, tls/tls_client.c.
+
+20110818
+
+ Cleanup: VSTREAM-over-TLS error return values, for robustness
+ against future change. For consistency with VSTREAM internal
+ interfaces, the tls_stream(3) read/write routines now return
+ -1 instead of unspecified negative OpenSSL results. File:
+ tls/tls_stream.c.
+
+20110819
+
+ Cleanup: further TLS code cleanups, for robustness against
+ future change. Unexpected TLS errors are no longer silently
+ treated as ordinary errors, and one corner-case error in TLS
+ timeout handling was fixed before it could cause trouble.
+ File: tls/tls_bio_ops.c.
+
+20110821-24
+
+ Cleanup: simplified the TLS read/write deadline implementation,
+ and documented why this same simplification is not possible
+ higher-up, at the VSTREAM level. Files: tls/tls_bio_ops.c,
+ util/vstream.c.
+
+20110831
+
+ Bugfix: allow for Milters that send an SMTP server reply
+ without RFC 3463 enhanced status code. Reported by Vladimir
+ Vassiliev. File: milter/milter8.c.
+
+20110902
+
+ Cleanup: don't log vstream_tweak "connection reset by peer"
+ errors. File: util/vstream_tweak.c.
+
+20110904-7
+
+ Bugfix: master daemon panic with "master_spawn: at process
+ limit", when "postfix reload" reduces the process limit
+ from (a value larger than the current process count for
+ some service) to (a value <= the current process count),
+ and then a new connection is made to that service. This
+ structural solution centralizes the decision to monitor a
+ service port (or not). To improve robustness against future
+ code changes, it clarifies some of the internal dependencies
+ that exist inside the master daemon. Files: master/master.h,
+ master/master_avail.c, master/master_conf.c,
+ master/master_service.c, master/master_spawn.c.
+
+20110911
+
+ Debugging: report the request size when memory allocation
+ fails. File util/mymalloc.c.
+
+20110914
+
+ Incompatibility: the default inet_protocols value is now
+ "all" instead of "ipv4", meaning use both IPv4 and IPv6.
+ As a compatibility workaround for sites without global IPv6
+ connectivity, the commands "make upgrade" and "postfix
+ upgrade-configuration" append "inet_protocols = ipv4" to
+ main.cf when no explicit setting is present. This compatibility
+ workaround will be phased out in a future release. Files:
+ util/sys_defs.h, conf/post-install, proto/postconf.proto.
+
+ Incompatibility: the default smtp_address_preference value
+ is now "any" instead of "ipv6", meaning choose randomly
+ between IPv6 and IPv4. With this the Postfix SMTP client
+ will have more success delivering mail to sites that have
+ problematic IPv6 configurations. Files: global/mail_params.h,
+ proto/postconf.proto.
+
+20110918
+
+ Workaround for multiple ancient FreeBSD getsockopt() bugs
+ after non-blocking connect fails with 'host unreachable'
+ that resulted in a unreasonable memory allocation request.
+ File: util/vstream_tweak.c.
+
+20110921
+
+ Bugfix (introduced: Postfix 1.1): smtpd(8) did not sanitize
+ newline characters in cleanup(8) REJECT messages, causing
+ them to be sent out via SMTP as bare newline characters.
+ This happened when a REJECT pattern matched multi-line
+ header text. Discovered by Kevin Locke. File: smtpd/smtpd.c.
+
+20110922
+
+ Bugfix (introduced: Postfix 2.1): smtpd(8) sent multi-line
+ responses from a before-queue content filter as text with
+ bare <LF> instead of <CR><LF>. Found during code maintenance.
+ File: smtpd/smtpd_proxy.c.
+
+20111011
+
+ Cleanup: for consistency with the SMTP standard, the
+ smtp_line_length_limit default value was increased from 990
+ characters to 998 (i.e. 1000 characters including <CR><LF>).
+ File: global/mail_params.h, proto/postconf.proto.
+
+ Cleanup: the Postfix sendmail command now always transforms
+ all input lines ending in <CR><LF> into UNIX format (lines
+ ending in <LF>). This simplifies integration with third-party
+ mail generating applications. Specify "sendmail_fix_line_endings
+ = strict" to restore historical Postfix behavior (i.e. convert
+ all input lines ending in <CR><LF> only if the first input
+ line ends in <CR><LF>). Files: sendmail/sendmail.c,
+ global/mail_params.h, proto/postconf.proto.
+
+20111017
+
+ Cleanup: refined the heuristic that automagically transforms
+ legacy "sendmail -V" VERP requests into contemporary "sendmail
+ -XV" syntax. File: sendmail/sendmail.c.
+
+ Cleanup: when the cleanup daemon goes into discard mode,
+ don't get stuck when it runs onto milter file descriptor
+ information. File: cleanup/cleanup.c.
+
+20111020
+
+ EAI Future-proofing: don't apply strict_mime_encoding_domain
+ checks to unknown message subtypes such as message/global*.
+ File: global/mime_state.c.
+
+20111025
+
+ Bugfix (introduced: Postfix 2.8): postscreen sent non-compliant
+ SMTP responses (220- followed by 421) when it could not
+ hand off a connection to a real smtpd process, causing some
+ remote SMTP clients to bounce mail. The fix redirects the
+ client to the dummy SMTP engine which sends the 421 reply
+ at the first legitimate opportunity. Problem reported by
+ Ralf Hildebrandt. Files: postscreen/postscreen_send.c,
+ postscreen/postscreen_smtpd.c, postscreen/postscreen.h.
+
+20111102
+
+ Workaround: to improve inter-operability with broken remote
+ SMTP servers, the Postfix SMTP client by default no longer
+ appends the "AUTH=<>" option to the MAIL FROM command.
+ Specify "smtp_send_dummy_mail_auth = yes" to restore the
+ old behavior.
+
+20111106
+
+ Feature: "postconf -M" support to show Postfix's idea of
+ what is in the master.cf file. File: postconf/postconf.c.
+
+ Feature: postconf "-f" option to "nicely" format long lines
+ from main.cf or master.cf. File: postconf/postconf.c.
+
+20111108
+
+ Cleanup: postconf finally supports dynamic configuration
+ parameter names: parameters whose name depend on a mail
+ delivery transport or spawn service in master.cf, and
+ parameters whose names are specified with smtpd_restriction_classes
+ in main.cf. This adds 70 parameters to the "postconf" output,
+ more if additional mail delivery transports are defined in
+ master.cf. File: postconf/postconf.c.
+
+20111109
+
+ Cleanup: account for "," in smtpd_restriction_classes
+ value (Victor Duchovni). File: postconf/postconf.c.
+
+20111112
+
+ Cleanup: postconf finally warns about possible mis-typed
+ main.cf and master.cf parameter names (i.e. parameters that
+ aren't used anywhere), and it finally displays user-defined
+ main.cf parameters that *are* used. File: postconf/postconf.c.
+
+20111113
+
+ Portability: specify ``make makefiles "CCARGS=-DNO_NIS
+ ..."'' to build on systems without NIS support. Files:
+ makedefs, util/sys_defs.h.
+
+ Cleanup: documented the postconf algorithms and their
+ limitations, and added regression tests to speed up future
+ development. File: postconf/postconf.c
+
+20111117
+
+ Cleanup: postconf didn't "bless" type "inet" service names.
+
+ Cleanup: with pipelined sessions, smtp-sink flushed the
+ output too often. Reported by Mark Martinec. File:
+ smtpstone/smtp-sink.c.
+
+ Workaround: don't use IPv6 at build time. File: conf/main.cf.
+
+ Workaround: don't abort when IPv6 is present but busted.
+ File: util/inet_proto.c.
+
+ Portability: the Dovecot 2.0 authentication server supports
+ more socket types for its authentication server. File:
+ xsasl/xsasl_dovecot_server.c.
+
+ Documentation: the Dovecot 2.0 authentication server supports
+ communication over TCP sockets. Patrick Ben Koetter. File:
+ proto/SASL_README.html.
+
+20111118
+
+ Cleanup: "postconf -M" now supports filtering. For example,
+ "postconf -M inet" shows only services that listen on the
+ network, and "postconf -M smtp.unix" shows the SMTP delivery
+ agent. File: postconf.c.
+
+20111119
+
+ Cleanup: "postconf" commands in postfix-install needed to
+ be updated before master.cf was installed. Reported by
+ Sahil Tandon. File: postfix-install.
+
+20111120
+
+ Cleanup: support for parameter name spaces for master.cf
+ entries. With this, postconf should no longer log false
+ warnings for "-o user-defined-name=value" in master.cf. As
+ a benefit, it will warn for user-defined parameters with
+ "name=value" entries that are unused because they are hidden
+ by master.cf "-o name=value" entries with the same parameter
+ name. File: postconf/postconf.c.
+
+20111121
+
+ Cleanup: documentation fixes. File: postconf/postconf.c.
+
+ Cleanup: in postconf "main.cf management" mode, errors
+ opening master.cf are non-fatal. File: postconf/postconf.c.
+
+20111122
+
+ Documentation: examples to request VERP-style delivery at
+ SMTP time with the smtpd_command_filter feature. Files:
+ proto/VERP_README.html, proto/postconf.proto.
+
+ Feature: TLS certificate public-key fingerprint matching
+ (SMTP server and client), and TLS logging cleanup. Victor
+ Duchovni. Files: proto/SMTPD_POLICY_README.html,
+ proto/TLS_README.html, proto/postconf.proto, global/mail_proto.h,
+ smtpd/smtpd_check.c, tls/tls.h, tls/tls_client.c, tls/tls_misc.c,
+ tls/tls_proxy_print.c, tls/tls_proxy_scan.c, tls/tls_server.c,
+ tls/tls_stream.c, tls/tls_verify.c.
+
+ Documentation: complete list of "make makefiles" overrides.
+ File: proto/INSTALL.html.
+
+ Cleanup: postscreen now logs more than the first word of
+ non-SMTP commands. File: postscreen/postscreen_smtpd.c.
+
+20111124
+
+ Cleanup: eliminated false postconf "unused parameter"
+ warnings with legacy parameters such as $virtual_maps, and
+ with non-default parameter values for smtpd_expansion_filter
+ that can contain legitimate "$" without a macro name.
+
+ Cleanup: split postconf source into separate modules.
+ Files: postconf/postconf.c, postconf/postconf_builtin.c,
+ postconf/postconf_edit.c, postconf/postconf_main.c,
+ postconf/postconf_master.c, postconf/postconf_misc.c,
+ postconf/postconf_node.c, postconf/postconf_other.c,
+ postconf/postconf_service.c postconf/postconf_unused.c,
+ postconf/postconf_user.c, postconf/postconf.h.
+
+20111126
+
+ Bitrot: changes in error reporting to the under-documented
+ OpenLDAP API. Problem reported by Quanah Gibson-Mount. Fix
+ by Viktor Dukhovni. File: global/dict_ldap.c.
+
+ Cleanup: four-space indentation had become a tab character.
+ Files: postconf/postconf.h, postconf/test20.ref,
+ postconf/test21.ref.
+
+20111127
+
+ Cleanup: documented <transport>_suffix parameters that don't
+ show in postconf command output of earlier Postfix versions.
+ Files: proto/SMTPD_POLICY_README.html, proto/postconf.proto,
+ proto/SCHEDULER_README.html.
+
+ Cleanup: added the pipe(8) delivery agent to the list of
+ programs that implement transport_time_limit parameters.
+ File: postconf/postconf_service.c, postconf/test6.ref,
+ postconf/test22.ref.
+
+20111128
+
+ Feature: "postconf -C class,..." support to print parameters
+ in one or more classes (builtin= built-in parameter names,
+ service=service-defined parameter names, user=user-defined
+ parameter names). Files: postconf/postconf.c, postconf/postconf.h,
+ postconf_service.c, postconf/postconf_user.c.
+
+20111129
+
+ Cleanup: TLS logging level configuration. Files:
+ global/mail_params.h, smtp/lmtp_params.c, smtp/smtp.c,
+ smtp/smtp_params.c, smtp/smtp_proto.c, smtpd/smtpd.c,
+ tls/tls.h, tls/tls_client.c, tls/tls_misc.c, tls/tls_server.c,
+ tlsmgr/tlsmgr.c, tlsproxy/tlsproxy.c.
+
+20111203
+
+ Cleanup: time-dependent sender addresses of address
+ verification probes. Specify an address_verify_sender_ttl
+ value of several hours or more to frustrate address harvesting.
+ Files: global/verify_sender_addr.[hc], smtpd/smtpd.c,
+ smtpd/smtpd_check.c, verify/verify.c, proto/postconf.proto,
+ proto/ADDRESS_VERIFICATION_README.html.
+
+20111204
+
+ Cleanup: removed the log_level arguments from tls_client_start()
+ and tls_server_start() calls. This information is already
+ given to tls_client_init() and tls_server_init(). Files:
+ smtpd/smtpd.c, tlsproxy/tlsproxy.c, smtp/smtp_proto.c,
+ tls/tls.h, tls/tls_client.c, tls/tls_server.c, tls/tls_misc.c.
+
+20111205
+
+ Documentation: made the postconf(5) manpage more precise
+ in its use of "client" and "server"; reorganized the
+ TLS_README presentation of client configuration so that
+ most relevant information is presented earlier. Files:
+ proto/postconf.proto, proto/TLS_README.html.
+
+ Bugfix: tlsproxy(8) stored TLS sessions with a serverID of
+ "tlsproxy" instead of "smtpd", wasting an opportunity for
+ session reuse. File: tlsproxy/tlsproxy.c.
+
+20111206
+
+ Documentation: removed descriptions of Postfix < 2.3 user
+ interface from TLS_README. Users of earlier releases are
+ referred to TLS_LEGACY_README. File: proto/TLS_README.html.
+
+20111207
+
+ Cleanup: tlsproxy(8) now receives the session cache serverID
+ from its client (postscreen(8)). Files: global/mail_proto.h,
+ postscreen/postscreen_starttls.c, tlsproxy/tlsproxy.[hc],
+ tlsproxy_state.c.
+
+ Cleanup: the postscreen(8) daemon did not support a zero
+ cache cleanup interval. This is needed for memcache support.
+ File: postscreen/postscreen.c.
+
+ Bugfix (introduced: 20110227): null pointer bug while
+ updating dictionary owner attributes, after reading an empty
+ (database) configuration file. File: util/dict.c.
+
+20111208
+
+ Cleanup: db_common_parse_domain() could not be called without
+ preceding db_common_parse() call. Files: global/db_common.[hc].
+
+20111209
+
+ Feature: memcache client support. This implementation is
+ based on the under-documented libmemcache library, and
+ therefore supports only libmemcache version 1.4.0. Files:
+ conf/postfix-files, global/dict_memcache.[hc], global/mail_dict.c,
+ html/index.html, mantools/postlink, postconf/postconf.c,
+ postfix/postfix.c, proto/DATABASE_README.html,
+ proto/MEMCACHE_README.html, proto/memcache_table.
+
+20111209
+
+ Cleanup: support for scripted and manual database tests with
+ LDAP, *SQL, and memcache. Files: util/dict_test.c, util/dict.c,
+ global/mail_dict.c.
+
+ Workaround: apparently, some distributions use Postfix
+ shared libraries without proper so-number versioning. This
+ causes programs to fail mysteriously, after an update
+ replaces the Postfix library but not the program (someone
+ experienced this with an extra copy of the Postfix SMTP
+ server). Files: global/mail_version.[hc], master/*server.c,
+ master/master.c, src/postalias/postalias.c,
+ src/postdrop/postdrop.c, src/postfix/postfix.c,
+ src/postlog/postlog.c, src/postmap/postmap.c,
+ src/postmulti/postmulti.c, src/postqueue/postqueue.c,
+ src/postsuper/postsuper.c, src/sendmail/sendmail.c.
+
+20111211
+
+ Feature: first/next (sequence) support in the proxymap
+ protocol. This is needed for cache cleanup of a proxied
+ postscreen or verify persistent cache. Files:
+ global/dict_proxy.[hc], proxymap/proxymap.c.
+
+ Feature: memcache client support without libmemcache
+ dependencies. Files: global/memcache_proto.[hc],
+ global/dict_memcache.c.
+
+ Bugfix: missing lookup table entry and terminator, causing
+ proxymap(8) server segfault when postscreen(8) or verify(8)
+ attempted to access their cache via the proxymap(8) server.
+ This could never have worked anyway, because the Postfix
+ proxymap protocol did not support cache cleanup. File
+ util/dict.c.
+
+ Feature: support for persistent backup database in the
+ memcache client. The database can be shared with the proxymap
+ service, but it needs to be listed as "proxy:maptype:mapname"
+ in the proxy_read_maps or proxy_write_maps parameter value
+ (depending on whether the access is read-only or read-write).
+ Support for proxymap-over-tcp (proxy:maptype:mapname@host:port)
+ is under development. File: global/dict_memcache.c.
+
+20111214
+
+ Documentation: updated the submission and smtps examples
+ in the sample master.cf file, so that their logging is
+ easier to recognize. File: conf/master.cf.
+
+20111215
+
+ Documentation: use different hosts to separate MUA "port
+ 25" traffic from the "port 25" MX service. Files:
+ postscreen/postscreen.c, proto/POSTSCREEN_README.html.
+
+20111216
+
+ Cleanup: the proxymap client did not correctly propagate
+ the "open_lock" flag, causing the proxymap service to open
+ postscreen(8) and verify(8) caches twice, instead of once.
+ File: global/dict_proxy.c.
+
+ Cleanup: the verify and postscreen caches were not listed
+ as "authorized" for access via the proxywrite service. File:
+ global/mail_params.h.
+
+ Refactoring: the postscreen permanent access list code is
+ now a library module, so that it can be also used for remote
+ access to the proxymap server. Files: global/server_acl.[hc].
+
+ Hardening: read/write deadlines, to make the proxymap server
+ suitable for remote access. File: proxymap/proxymap.c.
+
+20111217
+
+ Cleanup: more orthogonal definition of when the proxymap
+ server can/cannot share a single map instance among multiple
+ requestors, and corresponding code cleanup in the proxymap
+ client and server. Files: util/dict.h, util/dict_test.c,
+ global/dict_proxy.c, proxymap/proxymap.c.
+
+ Human factors: the postscreen/verify cache manager now logs
+ the full database name including the proxy: prefix, to avoid
+ WTF surprises. File: util/dict_cache.c.
+
+20111218
+
+ Cleanup: more configurable memcache client error handling.
+ Files: global/dict_memcache.c, proto/memcache_table.
+
+ Feature: the Postfix SMTP server XCLIENT command now supports
+ the LOGIN attribute (e.g., login information from nginx).
+ Based on the nginx:xclient-login-patch from citrin.ru (Anton
+ Yuzhis). The patch was further enhanced to support SASL
+ login information everywhere in the Postfix SMTP server
+ without having to specify "smtpd_sasl_auth_enable = yes"
+ in main.cf. Files: smtpd.[hc], smtpd_sasl_glue.[hc],
+ smtpd_check.c, smtpd_sasl_proto.[hc], smtpd_state.c,
+ proto/XCLIENT_README.html.
+
+ Incompatibility: the Postfix SMTP server now always checks
+ the smtpd_sender_login_maps table, even without having
+ "smtpd_sasl_auth_enable = yes" in main.cf.
+
+20111219
+
+ Cleanup: the match_list-based primitives now provide an
+ option to return an error result instead of terminating the
+ process with a fatal error. Files: util/match_ops.[hc],
+ util/match_list.c, global/addr_list_match.c, domain_list.c,
+ string_list.c, namadr_list.c.
+
+ Cleanup: a "fail:" database type that reliably fails all
+ requests. The lookup table name specifies the internal error
+ result code. having this table facilitates a systematic
+ review of all Postfix table lookup error handling.
+
+ Cleanup: trivial-rewrite now "catches" errors with implicit
+ database lookups in virtual_alias_domains, relay_domains,
+ virtual_mailbox_domains, just like it already caught explicit
+ database lookup errors. This means there are fewer occasions
+ where trivial-rewrite clients will appear to hang. File:
+ trivial-rewrite/resolve.c.
+
+ Cleanup: a broken relay_domains table would cause many
+ Postfix processes to terminate with fatal error as they
+ initialized the flush() client (used by defer_append()
+ etc.). Postfix now logs a warning instead. File:
+ global/flush_clnt.c.
+
+ Cleanup: the Postfix SMTP server now "catches" errors with
+ implicit database lookups in mynetworks, TLS client certificate
+ tables, and local_header_rewrite_clients, and reports "server
+ configuration error" or "table lookup error" instead of
+ terminating with a fatal error. This is work in progress;
+ errors with opening a database may be covered later. Files:
+ smtpd/smtpd.c, smtpd/smtpd_check.c.
+
+20111220
+
+ Cleanup: the Postfix SMTP server now "catches" errors with
+ implicit database lookups in mynetworks, debug_peer_list,
+ smtpd_client_event_limit_exceptions, permit_mx_backup_networks.
+ This continues work started 20111219, and does not cover
+ errors with opening a database. Files: smtpd/smtpd.c,
+ smtpd/smtpd_checks.c, smtpd/smtpd_error.in, smtpd/smtpd_error.ref.
+
+ Cleanup: memory leak testing of error handling. File:
+ util/name_mask.c.
+
+20111222
+
+ Cleanup: memory leak testing of error handling. File:
+ util/name_mask.c.
+
+ Cleanup: simplified the match_list error reporting, thereby
+ reducing the footprint of the changes to "catch" errors
+ with implicit database lookups in mynetworks, and other
+ lists. Files: util/match_ops.[hc], util/match_list.c,
+ global/addr_list_match.c, domain_list.c, string_list.c,
+ namadr_list.c, trivial-rewrite/resolve.c, smtpd/smtpd.c,
+ smtpd/smtpd_check.c, global/flush_clnt.c, flush/flush.c.
+
+20111224
+
+ Cleanup: eliminated the global dict_errno variable that
+ made error reporting convenient but not necessarily precise.
+ This was a straightforward change except in the few modules
+ that propagate errors from one dictionary API to another:
+ dict_cache.c, dict_debug.c, maps.c, dict_memcache.c. Files:
+ src/cleanup/cleanup_map11.c, src/cleanup/cleanup_map1n.c,
+ src/global/addr_match_list.c, src/global/dict_ldap.c,
+ src/global/dict_memcache.c, src/global/dict_mysql.c,
+ src/global/dict_pgsql.c, src/global/dict_proxy.c,
+ src/global/dict_sqlite.c, src/global/domain_list.c,
+ src/global/flush_clnt.c, src/global/mail_addr_find.c,
+ src/global/mail_addr_map.c, src/global/maps.c, src/global/maps.h,
+ src/global/match_parent_style.h, src/global/namadr_list.c,
+ src/global/resolve_local.c, src/global/resolve_local.h,
+ src/global/server_acl.c, src/global/string_list.c,
+ src/local/alias.c, src/local/bounce_workaround.c,
+ src/local/mailbox.c, src/local/unknown.c, src/proxymap/proxymap.c,
+ src/qmqpd/qmqpd.c, src/smtp/smtp_map11.c, src/smtpd/smtpd_check.c,
+ src/trivial-rewrite/resolve.c, src/trivial-rewrite/transport.c,
+ src/util/dict.h, src/util/dict_alloc.c, src/util/dict_cache.c,
+ src/util/dict_cidr.c, src/util/dict_db.c, src/util/dict_debug.c,
+ src/util/dict_env.c, src/util/dict_fail.c, src/util/dict_ht.c,
+ src/util/dict_pcre.c, src/util/dict_regexp.c,
+ src/util/dict_static.c, src/util/dict_tcp.c, src/util/dict_test.c,
+ src/util/dict_thash.c, src/util/dict_unix.c, src/util/match_list.c,
+ src/util/match_list.h, src/util/match_ops.c, src/virtual/mailbox.c.
+
+20111226
+
+ Bugfix (introduced 20110426): after lookup error with
+ mailbox_transport_maps, mailbox_command_maps or
+ fallback_transport_maps, the local delivery agent did not
+ log the problem before deferring mail, and produced no defer
+ logfile record. Files: local/mailbox.c, local/unknown.c.
+
+20120102
+
+ Workaround: degrade gracefully when the network protocols
+ specified with inet_protocols are unavailable. Files:
+ global/mail_params.c, global/mynetworks.c, global/own_inet_addr.c
+ master/master_ent.c, master/master_vars.c, postscreen/postscreen.c,
+ qmqpd/qmqpd.c, smtp/smtp_connect.c, smtpd/smtpd.c,
+ util/inet_proto.c.
+
+20120107
+
+ Workaround: degrade gracefully when the "domain" feature
+ of LDAP, *SQL and memcache databases has a table lookup
+ problem. Files: global/db_common.c, global/dict_ldap.c,
+ global/dict*sql*.c, global/dict_memcache.c.
+
+ Cleanup: fixed memcache client error handling for things
+ that never happen. global/dict_memcache.c.
+
+ Future proofing: prepare postmap/postalias error logging
+ for future changes to database code. Files: postalias/postalias.c,
+ postmap/postmap.c.
+
+20120108
+
+ Cleanup: the postscreen(8) and verify(8) cache managers log
+ warnings at a reduced rate of one per second per cache
+ operation, to avoid logging large numbers of warnings about
+ a problem with low-value information. File: util/msg_rate_delay.c,
+ util/dict_cache.c.
+
+20120110
+
+ Cleanup: added logging for failed table lookups, and replaced
+ some "fatal" errors by warnings. Files: cleanup/cleanup_addr.c,
+ cleanup/cleanup_message.c, cleanup/cleanup_milter.c,
+ cleanup/cleanup_masquerade.c, global/header_body_checks.c,
+ global/smtp_stream.c, postscreen/postscreen_dnsbl.c,
+ postscreen/postscreen_smtpd.c, smtp/smtp_chat.c,
+ smtp/smtp_proto.c, smtp/smtp_sasl_auth_cache.c,
+ smtp/smtp_sasl_glue.c, smtp/smtp_session.c, smtp/smtp_trouble.c,
+ smtpd/smtpd.c, smtpd/smtpd_check.c.
+
+20120114
+
+ Cleanup: gradual degradation after database file open errors.
+ Instead of terminating immediately with a "fatal" error, a
+ Postfix daemon logs an error and continues execution with
+ reduced functionality. In other words, features that don't
+ depend on the unavailable table will keep working. However,
+ for the sake of sanity, the number of such errors over the
+ life of a process is limited to 13. Files:
+ src/global/cfg_parser.c, src/util/dict_thash.c,
+ src/util/dict_cidr.c, src/util/dict_nis.c, src/util/dict_nisplus.c,
+ src/global/dict_ldap.c, src/global/dict_mysql.c,
+ src/global/dict_pgsql.c, src/global/dict_sqlite.c,
+ src/postconf/postconf_main.c, src/global/mail_conf.c,
+ src/util/dict.h, src/util/dict.c, src/global/dict_memcache.c,
+ src/util/dict_tcp.c, src/util/dict_unix.c, src/util/dict_pcre.c,
+ src/util/dict_regexp.c, src/master/trigger_server.c,
+ src/master/single_server.c, src/master/multi_server.c,
+ src/master/event_server.c, src/util/dict_test.c,
+ src/util/dict_surrogate.c, src/util/dict_alloc.c, src/util/msg.c,
+ src/util/dict_cdb.c, src/util/dict_dbm.c, src/util/msg.h,
+ src/util/dict_db.c.
+
+ Incompatibility: the Postfix SMTP server no longer reports
+ transcripts of sessions where a client command is rejected
+ because a table is unavailable. To receive such reports,
+ add the new "data" class to the notify_classes parameter
+ value. The reports will be sent to the error_notice_recipient
+ address as before. This class is also used by the Postfix
+ SMTP client to report about sessions that fail because a
+ table is unavailable. Files: global/mail_error.[hc],
+ smtpd/smtpd_check.c, smtp/smtp_trouble.c.
+
+20120115
+
+ Fine tuning: SMTP server error messages. File: smtpd/smtpd.c.
+
+ Fine tuning: documentation. Files: proto/MEMCACHE_README.html.
+ proto/memcache_table.html.
+
+ Apply "gradual degradation" also when an unsupported database
+ *type* is specified. File: util/dict_open.c.
+
+ Cleanup: tiny memory leaks after surrogate database opens.
+ Files: util/dict_cidr.c, util/dict_db.c.
+
+20120117
+
+ Cleanup: support for legacy-style database configuration
+ where parameter names are generated by appending suffixes
+ to the database name. Files: postconf/postconf_dbms.c.
+
+ Other: build without Berkeley DB support (make makefiles
+ "CCARGS=$CCARGS -DNO_DB"). Files: makedefs, util/sys_defs.h,
+ proto/DB_README.html, proto/INSTALL.html.
+
+20120120
+
+ Compatibility: added file pflogsumm_quickfix.txt with quick
+ patches for pflogsumm that handle the new default master.cf
+ entries for the submission and smtps services.
+
+20120121
+
+ Cleanup: getopt(3) compatibility in the postconf(1) master.cf
+ parser. Process "--" as the end-of-options indicator, and
+ process "-oname=value" as "-o name=value". Files:
+ util/argv.[hc], postconf/postconf_master.cf,
+ postconf/postconf_user.c.
+
+20120122
+
+ Workaround: log a warning and suggested solution for common
+ stat()/fstat()/lstat() problems caused by 32-bit overflow.
+ This is a real stinker that causes Postfix to fail without
+ any prior warning. File: util/warn_stat.[hc], and everything
+ that directly calls stat(), fstat() or lstat().
+
+20120127
+
+ Bugfix (introduced: Postfix 2.8): the Postfix client sqlite
+ quoting routine returned the unquoted result instead of the
+ quoted text. The opportunities for misuse are limited,
+ because Postfix sqlite files are usually owned by root, and
+ Postfix daemons usually run with non-root privileges so
+ they can't corrupt the database. Problem reported by Rob
+ McGee (rob0). File: global/dict_sqlite.c.
+
+20120130
+
+ Bugfix (introduced: Postfix 2.3): the trace service did not
+ distinguish between DSN SUCCESS notifications for a non-bounce
+ or a bounce message. This code pre-dates DSN support and
+ should have been updated when it was re-purposed to handle
+ DSN SUCCESS notifications. Problem reported by Sabahattin
+ Gucukoglu. File: bounce/bounce_trace_service.c.
+
+20120202
+
+ Bugfix (introduced: Postfix 2.3): the "change header" milter
+ request could replace the wrong header. A long header name
+ could match a shorter one, because a length check was done
+ on the wrong string. Reported by Vladimir Vassiliev. File:
+ cleanup/cleanup_milter.c.
+
+20120214
+
+ Bugfix (introduced: Postfix 2.4): extraneous null assignment
+ caused core dump when postlog emitted the "usage" message.
+ Reported by Kant (fnord.hammer). File: postlog/postlog.c.
+
+20120217
+
+ Bugfix (introduced 20111219): sendmail -bs segfault, due
+ to a missing guard statement after an smtpd_check_rewrite()
+ call was moved closer to the command processor loop. Fix
+ by Bartek Szady. File: smtpd/smtpd.c.
+
+20120220
+
+ Cleanup: documentation of how to use only system-supplied
+ certificates with *CAfile and *CApath. File: proto/postconf.proto.
+
+ Cleanup: documentation of smtp_sasl_mechanism_filter. File:
+ proto/postconf.proto.
+
+20120222
+
+ Cleanup: when multiple DNSBLs block an SMTP client, the
+ postscreen "reject" message now gives credit to the DNSBL
+ with the largest weight, instead of the DNSBL that replies
+ first. File: postscreen/postscreen_dnsbl.c.
+
+ Cleanup: memcache_table(5) manpage. File proto/memcache_table.
+
+20120225
+
+ Cleanup: eliminated the build-time Perl dependency. File:
+ bounce/annotate.sh.
+
+ Cleanup: when -DNO_DB support was added, the makedefs script
+ was not updated to skip the Linux Berkeley DB tests.
+
+ FreeBSD9 is now a supported platform. Files: makedefs,
+ util/sys_defs.h.
+
+20120226
+
+ Cleanup: documentation in postfix-install.
+
+20120229
+
+ Feature: smtpd_log_access_permit_actions to enable logging
+ of specific permit-like actions in Postfix SMTP server
+ access lists. Files: mantools/postlink, proto/postconf.proto,
+ global/mail_params.h, smtpd/smtpd.c, smtpd/smtpd_check.c.
+
+20120306
+
+ To improve the interaction with start-up scripts, "postfix
+ start" now waits for master daemon process initialization
+ to complete, and returns a non-zero exit status if daemon
+ initialization failed or if it did not complete in a
+ reasonable amount of time. This involves a new "-w" master
+ option. Files: conf/postfix-script, master/master.c,
+ master/master.h. master/master_monitor.c.
+
+20120307
+
+ postconf -X option to exclude parameters from main.cf
+ (require two-finger action, because this is irreversible).
+ Files: postconf/postconf.[hc], postconf/postconf_edit.c.
+
+20120317
+
+ Feature: Sendmail-style socketmap. Files: util/dict_sockmap.[hc],
+ util/netstring.[hc], proto/DATABASE_README.html,
+ postconf/postconf.c.
+
+20120330
+
+ Workaround: specify "\c" at the start of an smtpd_reject_footer
+ template to suppress the line break between the reply text
+ and the footer text. Files: global/smtp_reply_footer.c,
+ proto/postconf.proto.
+
+20120401
+
+ Bugfix (introduced Postfix 2.6): irrelevant memory leak
+ that was introduced with postconf -#. File:
+ postconf/postconf_edit.c.
+
+ Bitrot: shut up useless warnings about Cyrus SASL call-back
+ function pointer type mis-matches. Files: xsasl/xsasl_cyrus.h,
+ xsasl/xsasl_cyrus_server.c, xsasl/xsasl_client.c.
+
+20120404
+
+ Cleanup: added smtpd_sender_login_maps to the default
+ proxy_read_maps value. Files: global/mail_params.h,
+ proxymap/proxymap.c.
+
+ Cleanup: weed out stale TODO's from the WISHLIST, and moved
+ some CYA text from WISHLIST into the code. Files: WISHLIST,
+ smtpd/smtpd_proxy.c.
+
+20120407
+
+ Bugfix (introduced: 20120330): don't replace <reply-code>
+ <space> by <reply-code> <hyphen> when a reply footer starts
+ with \c and contains no \n. File: global/smtp_reply_footer.c.
+
+20120422
+
+ Bit-rot: OpenSSL 1.0.1 introduces new protocols. Update the
+ known TLS protocol list so that protocols can be turned off
+ selectively to work around implementation bugs. Based on
+ a patch by Victor Duchovni. Files: proto/TLS_README.html,
+ proto/postconf.proto, tls/tls.h, tls/tls_misc.c, tls/tls_client.c,
+ tls/tls_server.c.
+
+20120425
+
+ Workaround: bugs in 10-year old gcc versions break compilation
+ with #ifdef inside a macro invocation (NOT: definition).
+ Files: tls/tls.h, tls/tls_client.c, tls/tls_server.c.
+
+20120426
+
+ Bugfix (introduced Postfix 2.9): the postconf command flagged
+ parameters defined in master.cf as "unused" when they were
+ used only in main.cf. Problem reported by Michael Tokarev.
+ Files: postconf/postconf_user.c, postconf/test4b.ref,
+ postconf Makefile.in.
+
+20120513
+
+ Cleanup: report both the first and last line number when a
+ malformed main.cf entry spans multiple lines, instead of
+ reporting the last line number only. File: util/dict.c,
+ util/line_number.[hc].
+
+20120516
+
+ Workaround: apparently, FreeBSD 8.3 kqueue notifications
+ sometimes break when a dnsblog(8) process loses an accept()
+ race on a shared socket, resulting in repeated "connect to
+ private/dnsblog service: Connection refused" warnings. This
+ condition is unique to dnsblog(8). The postscreen(8) daemon
+ closes a postscreen-to-dnsblog connection as soon as it
+ receives a dnsblog(8) reply, resulting in hundreds or
+ thousands of connection requests per second. All other
+ multi-server daemons such as anvil(8) or proxymap(8) have
+ connection lifetimes ranging from 5s to 1000s depending on
+ server load. The workaround is for dnsblog to use the
+ single_server driver instead of the multi_server driver.
+ This one-line code change eliminates the accept() race
+ without any Postfix performance impact. Problem reported
+ by Sahil Tandon. File: dnsblog/dnsblog.c.
+
+ Logging: postscreen now logs a warning when a dnsblog(8)
+ request takes longer than the hard-coded time limit of 10s.
+ File: postscreen/postscreen_dnsbl.c.
+
+20120517
+
+ Workaround: to avoid crashes when the OpenSSL library is
+ updated without "postfix reload", the Postfix TLS session
+ cache ID now includes the OpenSSL library version number.
+ Note: this problem cannot be fixed in tlsmgr(8). Code by
+ Victor Duchovni. Files: tls/tls_server.c, tls_client.c.
+
+20120520
+
+ Bugfix (introduced Postfix 2.4): the event_drain() function
+ was comparing bitmasks incorrectly causing the program to
+ always wait for the full time limit. This error affected
+ the unused postkick command, but only after s/fifo/unix/
+ in master.cf. File: util/events.c.
+
+ Cleanup: laptop users have always been able to avoid
+ unnecessary disk spin-up by doing s/fifo/unix/ in master.cf
+ (this is currently not supported on Solaris systems).
+ However, to make this work reliably, the "postqueue -f"
+ command must wait until its requests have reached the pickup
+ and qmgr servers before closing the UNIX-domain request
+ sockets. Files: postqueue/postqueue.c, postqueue/Makefile.in.
+
+20120522
+
+ Robustness: set LC_ALL=C in post-install to avoid surprises
+ when parsing output from Postfix or non-Postfix commands.
+ File: postfix-install.
+
+20120611
+
+ Bugfix (introduced: 20031216-21): with soft_bounce=yes, the
+ SMTP client did not move on to the next MX host or fallback
+ relay after a 5xx reply. File: smtp/smtp_trouble.c.
+
+20120527-8
+
+ Infrastructure: limited support to shrink VSTREAM buffers.
+ The change takes place when reading from (a stream for the
+ first time | an empty buffer) or when writing to (a stream
+ for the first time | a full buffer). TODO: the change should
+ also happen after purging or flushing a buffer. File:
+ util/vstream.c.
+
+20120531-617
+
+ Feature: haproxy support in postscreen(8) and smtpd(8). To
+ enable, specify "smtpd_upstream_proxy_protocol = haproxy"
+ or "postscreen_upstream_proxy_protocol = haproxy". Files:
+ mantools/postlink, proto/postconf.proto, global/Makefile.in,
+ global/haproxy_srvr.c, global/haproxy_srvr.h, global/mail_params.h,
+ global/mail_proto.h, master/single_server.c, master/multi_server.c,
+ master/event_server.c, postscreen/Makefile.in,
+ postscreen/postscreen.c, postscreen/postscreen.h,
+ postscreen/postscreen_endpt.c, postscreen/postscreen_haproxy.c,
+ postscreen/postscreen_haproxy.h, postscreen/postscreen_send.c,
+ postscreen/postscreen_state.c, smtpd/Makefile.in, smtpd/smtpd.h,
+ smtpd/smtpd_peer.c, smtpd/smtpd_sasl_glue.c, smtpd/smtpd_haproxy.c,
+ util/Makefile.in, util/listen.h, util/recv_pass_attr.c,
+ util/stream_listen.c, util/sys_defs.h, util/unix_pass_listen.c.
+
+20120618
+
+ Cleanup: made the postscreen-to-smtpd haproxy attribute
+ transmission more robust for Solaris. Files: util/sys_defs.h,
+ util/connect.h, util/steam_listen.c, postscreen/postscreen_send.c.
+
+ Cleanup: simplified the "stream used" workaround. Files:
+ util/vstream.h, master/event_server.c, master/multi_server.c.
+
+20120621
+
+ Cleanup: simplified workarounds for Solaris streams versus
+ UNIX-domain sockets. Files: util/pass_accept.c (new),
+ util/pass_trigger.c (new), util/stream_pass_connect.c
+ (deleted), util/unix_pass_listen.c (deleted),
+ util/unix_pass_trigger.c (deleted), updated header files,
+ and replaced PASS_XXX macros by pass_xxx function calls.
+
+ Cleanup: don't clobber errno when logging a problem.
+ File util/msg_output.c.
+
+20120627
+
+ Bugfix (introduced: 20120531-617): in the postscreen module
+ for HAproxy sypport, a VSTREAM buffer size request was not
+ LP64-clean. File: postscreen/postscreen_haproxy.c.
+
+ Cleanup: avoid single-character reads in the postscreen
+ HAproxy module. File: postscreen/postscreen_haproxy.c.
+
+20120628
+
+ Workaround: heuristic to detect missing (ssize_t) type-cast
+ in VSTREAM buffer size requests. File: util/vstream.c.
+
+20120629
+
+ Workaround: "sendmail -bl" emulation. File: sendmail/sendmail.c.
+
+20120630
+
+ Cleanup: sub-optimal hash performance on systems where the
+ "char" type is signed. Files: util/htable.c, util/binhash.c.
+
+20120702
+
+ Bugfix (introduced: 19990127): the BIFF client leaked an
+ unprivileged UDP socket. Fix by Jaroslav Skarvada. File:
+ local/biff_notify.c.
+
+20120713
+
+ Bugfix (introduced: 20120527-8): infrastructure to specify
+ a smaller-than-default VSTREAM buffer, without the complex
+ run-time checks. File: util/vstream.c, vstream_tweak.c.
+
+20120714
+
+ Cleanup: semantics of requests to query or modify the VSTREAM
+ buffer size that will be used with the next read(2) or
+ write(2) operation. Files: util/vstream.c, util/vstream.h,
+ util/vstream_tweak.c.
+
+20120717
+
+ Documentation: update to RFC5321.
+
+20120730
+
+ Bugfix (introduced: 20000314): AUTH is not allowed after
+ MAIL. Timo Sirainen. Files: smtpd/smtpd.c, smtpd/smtpd.h,
+ smtpd/smtpd_sasl_proto.c.
+
+20120801
+
+ Documentation: point of what virtual_xxx parameters are
+ specific to the virtual(8) delivery agent, and will have
+ no effect when mail is delivered with a different program.
+ Files: proto/postconf.proto, proto/VIRTUAL_README.html.
+
+20120824
+
+ Feature: support for "sendmail -R hdrs|full". Jan Kundr?t.
+ File: sendmail/sendmail.c.
+
+20120902
+
+ Documentation: updated TUNING_README with new pointers to
+ the STRESS_README and POSTSCREEN_README documents. Miscellaneous
+ documentation clarifications based on postfix-users discussions.
+
+20120903
+
+ Bugfix (introduced 20120317): the socketmap client should
+ not share unrelated client endpoint handles. File:
+ util/dict_sockmap.c.
+
+20120907
+
+ Cleanup (for change 20120824): the DSN RET attribute should
+ not be stored once per recipient. It is a message property
+ just like DSN ENVID. File: sendmail/sendmail.c.
+
+20120911
+
+ Documentation: more explicit enumeration of what happens
+ when setting a per-destination recipient limit value to 1.
+ File: proto/postconf.proto.
+
+20120918
+
+ Documentation: clarified the bounce/queue_life-time parameter
+ descriptions. File: proto/postconf.proto.
+
+20120920
+
+ Documentation: the postscreen_whitelist_interfaces parameter
+ syntax was defined only by example. File: proto/postconf.proto.
+
+20120923
+
+ Infrastructure: cleaned up the support for database
+ lock-on-open. This is needed for databases that are not
+ multi-updater safe. Files: util/dict_alloc.c, util/dict.c,
+ util/dict_open.c, util/dict.h. tls/tls_scache.c.
+
+20120924
+
+ Documentation: some people are read-challenged distribute
+ their own incorrect understanding of master.cf syntax.
+ File: proto/master.
+
+ Cleanup: don't emulate UNIX-domain sockets over FIFOs on
+ Solaris systems less than 10 years old. This allows us to
+ globally s/fifo/unix/ in master.cf. Files: makedefs,
+ util/sys_defs.h.
+
+ Laptop-friendliness: avoid disk spin-up on idle systems by
+ s/fifo/unix/ in master.cf. Files: conf/master.cf.
+
+20120928-30
+
+ Feature: smtpd_relay_restrictions, proposed long ago by
+ Victor. The idea is to separate the mail relay policy from
+ the spam blocking policy, so that a permissive spam blocking
+ policy under smtpd_recipient_restrictions will no longer
+ unexpectedly result in a permissive mail relay policy.
+
+ This involves a change in default settings. Similar to the
+ way that local_recipient_maps was introduced, there is a
+ safety net that prevents unexpected mail bounces when a
+ site upgrades to Postfix 2.10 or later, and there is no
+ change in documented smtpd_recipient_restrictions behavior.
+ See the RELEASE_NOTES file for details. Files:
+ global/mail_params.h, smtpd/smtpd.c, smtpd/smtpd_check.c,
+ proto/postconf.proto, proto/SMTPD_ACCESS_README.html,
+ mantools/postlink, conf/post-install, RELEASE_NOTES.
+
+20120931-1001
+
+ Documentation: updated the remainder of the README files
+ and manual pages that discuss smtpd_recipient_restrictions.
+
+20121001
+
+ Cleanup: prepend 5.1.1 status code to "User unknown in
+ virtual alias table". File: trivial-rewrite/resolve.c.
+
+20121003
+
+ Bugfix: the postscreen_access_list feature was case-sensitive
+ in the first character of permit, reject, etc. Reported by
+ Francis Picabia. File: global/server_acl.c.
+
+20121009
+
+ Documentation: interaction between delay_warning_time,
+ notify_classes and delay_notice_recipient. File:
+ proto/postconf.proto.
+
+20101009
+
+ Human factors: log a warning that the postcat option -m
+ without -h or -b has no effect. File: postcat/postcat.c.
+
+20121010
+
+ Bugfix (introduced: Postfix 2.5): memory leak in program
+ initialization. Reported by Coverity. File: tls/tls_misc.c.
+
+ Bugfix (introduced: Postfix 2.3): memory leak in the unused
+ oqmgr program. Reported by Coverity. File: oqmgr/qmgr_message.c.
+
+20121011
+
+ Documentation: how to enable /etc/hosts multi-record lookups
+ with main.cf settings. File: proto/LINUX_README.html.
+
+ Documentation: clarified the postscreen-tlsproxy interface.
+ File: tlsproxy/tlsproxy.c.
+
+20121012
+
+ Documentation: a simpler null-client example. File:
+ proto/STANDARD_CONFIGURATION_README.html
+
+20121013
+
+ Cleanup: to compute the LDAP connection cache lookup key,
+ join the numeric fields with null, just like string fields.
+ Viktor Dukhovni. File: global/dict_ldap.c.
+
+20121015
+
+ Documentation: added section on regular-expression tables
+ to the aliases(5) manpage. File: proto/aliases.
+
+ Documentation: why "smtp_address_preference = any" is the
+ preferred setting. File: proto/postconf.proto.
+
+20121022
+
+ Bugfix (introduced 20101009) don't complain about stray -m
+ option if none of -[bhm] is specified. Ralf Hildebrandt.
+ File: postmap/postmap.c.
+
+20121029
+
+ Workaround: strip datalink suffix from IPv6 addresses
+ returned by the system getaddrinfo() routine. Such suffixes
+ mess up the default mynetworks value, host name/address
+ verification and possibly more. This change obsoletes the
+ 20101108 change that removes datalink suffixes in the SMTP
+ and QMQP servers. Files: util/myaddrinfo.c, smtpd/smtpd_peer.c,
+ qmqpd/qmqpd_peer.c.
+
+20121031
+
+ Bugfix: smtpd_relay_restrictions compatibility shim did not
+ detect "empty" value. Sahil Tandon. The same problem existed
+ with the inet_protocols shim. File: conf/post-install.
+
+20121105
+
+ Cleanup: the postscreen(8) "deep protocol" tests now log
+ the SMTP command that precedes a protocol violation. Files:
+ postscreen/postscreen_smtpd.c, proto/POSTSCREEN_README.html.
+
+ Bugfix (introduced: Postfix 1.1): wrong string termination
+ when handling an MBOX From_ line at the start of a message.
+ File: qmqpd/qmqpd.c.
+
+20121110
+
+ Cleanup: specify $(WARN) on the MacOS X compiler command
+ line to suppress "nested comment" and possibly other unwanted
+ warnings. Problem reported by Jim Reid. File: makedefs,
+ Makefile.in.
+
+20121119
+
+ Documentation: added a note that key_format is required
+ when postscreen(8) and verify(8) share the same memcache
+ (with different persistent backup databases, or course)
+ otherwise automatic cache cleanup breaks due to a name
+ collision for the "last cache cleanup" database record.
+ File: proto/memcache.
+
+20121122
+
+ Cleanup: the safety-check for smtpd_recipient_restrictions
+ and smtpd_relay_restrictions now detects permit before
+ reject. File: smtpd/smtpd_check.c.
+
+ Cleanup: the safety-check for smtpd_recipient_restrictions
+ and smtpd_relay_restrictions is no longer case-sensitive.
+ File: smtpd/smtpd_check.c.
+
+20121123
+
+ Cleanup: consistent escaping of commands in postscreen deep
+ protocol test logging. File: postscreen/postscreen_smtpd.c.
+
+20121124
+
+ Documentation: the bounce behavior for automatically-added
+ BCC recipients has changed with Postfix 2.3 when DSN support
+ was introduced. File: proto/postconf.proto.
+
+20121203
+
+ Documentation: added explicit example for -o name=value.
+ File: proto/master.
+
+20121210
+
+ Bugfix (introduced: Postfix 2.9) nesting count error while
+ stripping the optional [] around a DNS[BW]L address pattern.
+ This part of the code is not documented and had escaped
+ testing. Files: util/ip_match.c, util/ip_match.in,
+ util/ip_match.ref.
+
+20121215
+
+ Bugfix (introduced: 19980218, when recipient_delimiter
+ support was added): The error message for unknown local
+ users (or missing required aliases) should report the user
+ name instead of the full localpart which may contain an
+ address extension. Problem reported by Christian Holler.
+ File: local/unknown.c.
+
+20121221
+
+ Feature: "postconf -x" support to expand $name in main.cf
+ parameter values. Files: postconf/postconf_main.c,
+ postconf/postconf.h, postconf/postconf_node.c, postconf/postconf.c.
+
+20121222
+
+ Feature: postconf support to warn about an attempt to modify
+ a read-only parameter (process_name etc.) in main.cf or
+ master.cf. Files: postconf/postconf_readonly.c,
+ postconf/postconf_builtin.c.
+
+20121223
+
+ Feature: postconf support to warn about an undefined $name
+ in a parameter value in main.cf or master.cf (except for
+ backwards-compatibility parameters such as $virtual_maps)
+ Files: postconf/postconf_user.c, postconf_dbms.c,
+ postconf_builtin.c, util/dict_ht.c, util/htable.c.
+
+ Feature: "postconf -Mx" support to expand $name in master.cf
+ parameter values. Files: postconf/postconf_master.c,
+ postconf/postconf_lookup.c, postconf/postconf_main.c,
+ postconf/postconf.c.
+
+20121224
+
+ Feature: "postconf -Mn" support to print only master.cf
+ entries that have "-o name=value" parameter setttings.
+ Files: postconf/postconf_master.c.
+
+20121226
+
+ Miscellaneous cleanups of postconf internal APIs, identifiers
+ and comments. No changes in behavior.
+
+ Bugfix (omission in feature 20111203): the SMTP server only
+ supported time-dependent address-verification sender addresses
+ with RCPT TO but not with MAIL FROM. File: smtpd/smtpd.c.
+
+20121227
+
+ Feature: "postconf -o name=value" support to override main.cf
+ settings (for example, "postconf -x -o stress=whatever"
+ shows effective settings under overload). Files:
+ postconf/postconf.c, postconf/postconf_main.c.
+
+20121230
+
+ Cleanup: postconf(1) master.cf options parser. Files:
+ postconf/postconf_master.c, postconf/postconf_user.c.
+
+ Bugfix (omission in feature 20111106): the postconf(1)
+ master.cf options parser didn't support "clusters" of
+ command-line option letters. Files: postconf/postconf_master.c,
+ postconf/test40.ref.
+
+20130105
+
+ Undo a change made around 20121224, and always whitelist
+ configuration parameter names for legacy-style proxy:ldap:prefix
+ etc. lookup tables. Files: postconf/postconf_dbms.c,
+ postconf/test28.ref, postconf/test29.ref, postconf/Makefile.in.
+
+20130107
+
+ Factor out the master.cf line parser so that it can be
+ reused for "postconf -Me". File: postconf/postconf_master.c.
+
+20130113
+
+ Feature: master.cf attribute namespace. "postconf -F" shows
+ individual master.cf fields as "service/type/attribute =
+ value", where attribute is "service", "type", "private",
+ "unprivileged", "wakeup", "process_limit", or "command".
+
+20130121
+
+ Bugfix (introduced 20120307): the postconf -X option erased
+ other options. File: postconf/postconf.c.
+
+20130131
+
+ Bugfix: the local(8) delivery agent dereferenced a null
+ pointer while delivering to null command (for example, "|"
+ in a .forward file). Reported by Gilles Chehade.
+
+20130203
+
+ Bugfix: the undocumented OpenSSL X509_pubkey_digest()
+ function is unsuitable for computing certificate PUBLIC KEY
+ fingerprints. Postfix now provides a correct procedure
+ that accounts for the algorithm and parameters in addition
+ to the key data. Specify "tls_legacy_public_key_fingerprints
+ = yes" if you need backwards compatibility. Fix by Victor
+ Duchovni, BC added by Wietse. Files: tls/tls_verify.c,
+ tls/tls_misc.c, proto/TLS_README.html, global/mail_params.h.
+
+20130210
+
+ Bugfix: an error handler for smtp_tls_policy_maps lookups
+ was never invoked. File: smtp/smtp_session.c.
+
+20130212
+
+ Cleanup: logfile message formatting (X: subject_CN=X,
+ issuer_CN=X, fingerprint=X, pkey_fingerprint=X). File:
+ tls/tls_client.c.
+
+20130315
+
+ Feature: LMDB (memory-mapped persistent file) support by
+ Howard Chu. This implementation has unexpected failure modes
+ that don't exist with other Postfix databases, so don't
+ just yet abandon CDB. See LMDB_README for details. Files:
+ proto/postconf.proto, proto/LMDB_README.html,
+ proto/DATABASE_README.html, proto/INSTALL.html util/dict_lmdb.[hc],
+ util/dict_open.c, global/mkmap_lmdb.[hc], global/mkmap_open.c,
+ postconf/postconf.c.
+
+20130316
+
+ Cleanup: new Postfix dictionary API flag to control the use
+ of (LMDB) bulk database transactions. With this, LMDB
+ databases no longer fail to commit any transactions with
+ tlsmgr(8), and LMDB databases no longer perform glacially
+ slow with postmap -i/postalias -i. Files: util/dict.h,
+ util/dict_lmdb.c, postmap/postmap.c, postalias/postalias.c.
+
+20130317
+
+ Debugging: generalized setting of dictionary API flags.
+ File: util/dict.[hc], util/dict_test.c.
+
+ Robustness: Postfix programs can now recover from LMDB
+ "database full" errors without requiring human intervention.
+ When a program opens an LMDB file larger than lmdb_map_size/3,
+ it logs a warning and uses a larger size limit instead.
+ Files: util/dict_lmdb.c, proto/LMDB_README.html.
+
+20130318
+
+ Portability: botched #ifdef. File: util/dict_lmdb.c.
+
+20130319
+
+ Postfix support for LMDB databases is suspended due to the
+ existence of a hard limit (an "out of storage" failure mode
+ that cannot be resolved by increasing the database size).
+
+ Postfix may support LMDB again when it no longer limits the
+ size of Postfix transactions, whether the limit is built
+ into LMDB itself, or implicit by requiring an unbounded
+ amount of memory to handle a large transaction.
+
+20130322
+
+ Documentation: smtp_skip_5xx_greeting wording updated to
+ reflect text in RFC 2821, which appears to say that a 554
+ greeting is not a hard delivery error (note that RFC 2821
+ was published later than smtp_skip_5xx_greeting). File:
+ proto/postconf.proto.
+
+20130324
+
+ Workaround: MacOS 10.8 (Darwin 12) getrlimit(RLIMIT_NOFILE)
+ incorrectly reports that rlim_max, the hard limit on the
+ number of open files per process, is equal to RLIM_INFINITY
+ (i.e. no limit is enforced). In reality, setrlimit(RLIMIT_NOFILE)
+ rejects requests where rlim_cur, the current limit, contains
+ any value > kern.maxfilesperproc. Axel Luttgens. File:
+ util/open_limit.c.
+
+ Portability: MacOS 10.8 (Darwin 12) kqueue support works.
+ Axel Luttgens. Files: makedefs.
+
+20130324
+
+ Support for anonymous certificates. Viktor Dukhovni. File:
+ tls/tls_verify.c.
+
+ Feature: support for DNSSEC-validated lookups and TLSA
+ RRsets. Viktor Dukhovni. Files: dns/Makefile.in, dns/dns.h,
+ dns/dns_lookup.c, dns/dns_rr.c, dns/dns_strtype.c,
+ dns/test_dns_lookup.c,
+
+ Cleanup: the personality switch between "smtp" and "lmtp".
+ This streamlines the switch in the SMTP/LMTP protocol, DNS
+ MX lookups, and configuration parameter names in error
+ messages. Viktor Dukhovni. Files: smtp/smtp.c, smtp/smtp.h,
+ smtp/smtp_chat.c, smtp/smtp_connect.c, smtp/smtp_proto.c,
+ smtp/smtp_rcpt.c, smtp/smtp_sasl_glue.c, smtp/smtp_sasl_proto.c,
+ smtp/smtp_session.c, smtp/smtp_state.c.
+
+ Feature: replace disable_dns_lookups with smtp_dns_support_level,
+ enable secure DNSSEC lookups in the Postfix SMTP client,
+ and use the DNSSEC-validated remote SMTP server name to
+ select the SMTP and TLS policies. Viktor Dukhovni. Files:
+ dns/Makefile.in, dns/dns.h, dns/dns_lookup.c, dns/dns_rr.c,
+ dns/dns_strtype.c, dns/test_dns_lookup.c.
+
+20130325
+
+ Portability: on MacOS X, use kqueue() for event handling
+ but use select() instead of poll() for read/write timeouts
+ (with a workaround to handle file decriptors >=FD_SETSIZE).
+ Files: util/sys_defs.h, util/readable.c, util/writable.c,
+ util/read_wait.c, util/write_wait.c.
+
+ Portability: support for NetBSD 5.x, NetBSD 6.x and DragonFly
+ BSD. Viktor Dukhovni. Files: makedefs, util/sys_defs.h.
+
+20130326
+
+ Cleanup: new module that consolidates all system-dependent
+ code to enforce read/write timeouts. This includes a final
+ workaround for MacOS X that uses poll() first, and select()
+ if that fails. This makes their /dev/urandom workaround
+ unnecessary. Files: util/poll_fd.c, util/iostuff.h. Removed:
+ util/readable.c, util/writable.c, util/read_wait.c,
+ util/write_wait.c.
+
+ Cleanup: refactor TLS digest functions, improved signature
+ for TLS session cache. Viktor Dukhovni. Files: smtp/smtp.c,
+ smtp/smtp_proto.c, smtpd/smtpd.c, tls/Makefile.in, tls/tls.h,
+ tls/tls_client.c, tls/tls_fprint.c, tls/tls_level.c,
+ tls/tls_misc.c, tls/tls_server.c, tls/tls_verify.c,
+ tlsproxy/tlsproxy.c.
+
+20130327
+
+ Cleanup: final polish for MacOSX workarounds; replaced
+ #ifdef MacOSX by feature test as required by PORTING document.
+ Files: util/poll_fd.c, util/open_limit.c.
+
+ Export tls_fprint() and tls_digest_encode() for use in DANE.
+ Viktor Dukhovni. Files: tls/tls.h, tls/tls_fprint.c.
+
+20130331
+
+ Refactoring: TLS verification callback processing in
+ preparation for DANE support. Viktor Dukhovni. Files:
+ tls/tls.h, tls/tls_client.c, tls/tls_misc.c, tls/tls_verify.c.
+
+ Refactoring: split off SMTP client per-session TLS policy
+ data and code in preparation for DANE support. Viktor
+ Dukhovni. Files: smtp/Makefile.in, smtp/smtp.h,
+ smtp/smtp_connect.c, smtp/smtp_proto.c, smtp/smtp_reuse.c,
+ smtp/smtp_session.c, smtp/smtp_tls_sess.c.
+
+ Cleanup: "zero time limit" corner case in read_wait() and
+ write_wait() emulation. Files: util/poll_fd.c, util/iostuff.h.
+
+20130401
+
+ Refactoring: allow smtp_session_alloc() to fail gracefully
+ and report an error.
+
+20130403
+
+ Documentation: in smtpd.c, the comment that justifies the
+ 454 reply for "TLS unavailable" cited the wrong RFC.
+
+20130404
+
+ Human factors: warning when a main.cf parameter has multiple
+ entries with different values. File: util/dict.c.
+
+20130405
+
+ Feature: the recipient_delimiter parameter can now specify
+ a set of characters. A user name is now separated from its
+ address extension by the first character that matches the
+ recipient_delimiter set. Files: proto/postconf.proto,
+ src/global/mail_addr_find.c, src/global/mail_params.c,
+ src/global/split_addr.c, src/global/split_addr.h,
+ src/global/strip_addr.c, src/global/strip_addr.h,
+ src/global/strip_addr.ref, src/local/bounce_workaround.c,
+ src/local/local.c, src/local/local_expand.c, src/local/recipient.c,
+ src/local/resolve.c, src/oqmgr/qmgr_message.c, src/pipe/pipe.c,
+ src/qmgr/qmgr_message.c, src/smtpd/smtpd.c,
+ src/smtpd/smtpd_check.c, src/trivial-rewrite/transport.c,
+ src/trivial-rewrite/trivial-rewrite.c.
+
+ Feature: support for trust anchors, i.e. CA certificates
+ or public keys that will be used instead of conventional
+ root certificates, and revised fingerprint support. This
+ can be used by itself, and this provides support for an
+ upcoming DANE implementation. Victor Duchovni. Files:
+ mantools/postlink, proto/TLS_README.html, proto/postconf.proto,
+ global/mail_params.h, smtp/lmtp_params.c, smtp/smtp.c,
+ smtp/smtp.h, smtp/smtp_params.c, smtp/smtp_proto.c,
+ smtp/smtp_session.c, smtp/smtp_state.c, smtp/smtp_tls_sess.c,
+ tls/Makefile.in, tls/tls.h, tls/tls_client.c, tls/tls_dane.c,
+ tls/tls_fprint.c, tls/tls_misc.c, tls/tls_verify.c,
+ util/argv.c, util/argv.h.
+
+20130409
+
+ Documentation: pointers to other actions under "ACCEPT
+ ACTIONS" and "REJECT ACTIONS". File: proto/access.
+
+20130410
+
+ Cleanup: more uniform permutation in dns_rr() by Victor
+ Duchovni & Son. File: dns/dns_rr.c.
+
+20130411
+
+ Documentation: clarified text about result formats. Files:
+ proto/canonical, proto/virtual.
+
+20130414
+
+ Cleanup: the SMTP client connection management code now
+ maintains iterator state with a structure that contains
+ next-hop, host name, address, port and other information.
+ This iterator structure replaces random variables that were
+ updated by add-hoc code, and replaces random function
+ argument lists. The more structured approach is easier to
+ maintain and has already paid off by exposing opportunities
+ to improve SMTP connection cache usage. Wietse Venema.
+ Files: smtp/smtp.h, smtp/smtp_connect.c, smtp/smtp_session.c,
+ smtp_reuse.c.
+
+ Cleanup: eliminated minor false SMTP connection cache-sharing
+ problems due to mis-aligned lookup keys for caches and
+ lookup tables (for example some used the nexthop, and some
+ the domain name). Information that is used in more than
+ one lookup key is now generated by a centralized function.
+ This replaces ad-hoc code in random places that was
+ concatenating ad-hoc data to construct lookup keys. The
+ more structured approach is easier to maintain and makes
+ future cache-sharing issues easier to prevent. Wietse
+ Venema. Files: smtp/smtp.h, smtp/smtp_connect.c, smtp_reuse.c,
+ smtp_key.c, smtp_tls_sess.c.
+
+ Cleanup and fix of non-production code: the trust anchor-digest
+ code and smtp_sess_tls_required() function. Victor Duchovni.
+ Files: smtp/smtp_connect.c, smtp/smtp_proto.c,
+ smtp/smtp_tls_sess.c, tls/tls.h, tls/tls_client.c,
+ tls/tls_dane.c, tls/tls_level.c, tls/tls_verify.c.
+
+20130417
+
+ Cleanup and fix of non-production code: add the SASL
+ credentials or absence thereof to the connection cache
+ endpoint label; better reuse of SASL-authenticated connections
+ over UNIX-domains sockets, however unlikely these may be;
+ a first step towards refinement of connection cache lookup
+ by IP address for plaintext or SASL-unauthenticated connections.
+ Files: smtp/smtp.h smtp/smtp_connect.c, smtp/smtp_reuse.c,
+ smtp/smtp_key.c, smtp/smtp_tls_sess.s.
+
+20130418
+
+ Cleanup: configurable field delimiter and optional "not
+ available" field place holder for cache and table lookup
+ keys; automatic base64 encoding for key fields that contain
+ these. Files: smtp/smtp_key,c, smtp/smtp_reuse.c,
+ smtp/smtp_proto.c, smtp/smtp_tls_sess.c.
+
+20130420-21
+
+ Documentation: "dane" TLS security level and parameters.
+ Viktor Dukhovni. Files: mantools/postlink, proto/TLS_README.html,
+ proto/postconf.proto.
+
+ Feature: implemented and enabled DNS-based DANE security
+ level. Viktor Dukhovni. Files: global/mail_params.h,
+ smtp/lmtp_params.c, smtp/smtp.c, smtp/smtp.h, smtp/smtp_params.c,
+ smtp/smtp_proto.c, smtp/smtp_tls_sess.c, tls/tls.h,
+ tls/tls_client.c, tls/tls_dane.c, tls/tls_fprint.c,
+ tls/tls_level.c, tls/tls_misc.c, util/Makefile.in,
+ util/ctable.c, util/ctable.h, util/timecmp.c, util/timecmp.h.
+
+ Cleanup: rename (unchanged) smtp_tls_sess.c to smtp_tls_policy.c.
+ Viktor Dukhovni. Files: smtp/Makefile.in, smtp/smtp_tls_policy.c,
+ smtp/smtp_tls_sess.c.
+
+ Portability: OpenSSL workarounds for versions before 0.9.7
+ are removed from the source code. Viktor Dukhovni. Files:
+ tls/tls.h, tls/tls_bio_ops.c, tls/tls_client.c.
+
+ Non-production fixes: when falling back from opportunistic
+ TLS to plaintext, don't modify the cached TLS policy "retry
+ as plaintext" and "level" members. Files: smtp/smtp_session.c.
+
+ Non-production fixes: move TLS policy lookup to the main
+ connection iterator loop, so that the policy is known before
+ attempting connection reuse and before SMTP connection
+ creation. Temporarily link session->tls to state->tls.
+ Files: smtp/smtp.h, smtp/smtp_connect.c, smtp/smtp_reuse.c,
+ smtp/smtp_tls_policy.c.
+
+20130422
+
+ Feature: smtptls-finger test program for SMTP over TLS.
+ Viktor Dukhovni. Files: Makefile.in, html/Makefile.in,
+ man/Makefile.in, mantools/postlink, posttls-finger/.indent.pro,
+ posttls-finger/Makefile.in, posttls-finger/posttls-finger.c,
+ posttls-finger/tlsmgrmem.c, posttls-finger/tlsmgrmem.h,
+ tls/tls.h, tls/tls_misc.c.
+
+20130423
+
+ Bugfix (introduced: Postfix 2.0): when myhostname is not
+ listed in mydestination, the trivial-rewrite resolver may
+ log "do not list <myhostname value> in both mydestination
+ and <name of non-mydestination domain list>". The fix is
+ to re-resolve a domain-less address after adding $myhostname
+ as the surrogate domain, so that it pops out with the right
+ address-class label. Problem reported by Quanah Gibson-Mount.
+ File: trivial-rewrite/resolve.c.
+
+20130425
+
+ Non-production fixes: revert to using proxies (sender,
+ nexthop, hostname) to distinguish between different SASL
+ credentials for connections to the same IP address and port.
+ Files: smtp/smtp.h smtp/smtp_connect.c, smtp/smtp_key.c.
+
+ Non-production cleanup: documentation, identifiers. Viktor
+ Dukhovni. Files: proto/postconf.proto, src/dns/dns.h,
+ src/dns/dns_lookup.c, src/dns/dns_rr.c, src/dns/test_dns_lookup.c,
+ src/global/mail_proto.h, src/posttls-finger/posttls-finger.c,
+ src/smtp/smtp.h, src/smtp/smtp_addr.c, src/smtp/smtp_connect.c,
+ src/smtp/smtp_session.c, src/smtp/smtp_tls_policy.c,
+ src/smtpd/smtpd_check.c, src/tls/tls.h, src/tls/tls_client.c,
+ src/tls/tls_dane.c, src/tls/tls_fprint.c, src/tls/tls_misc.c,
+ src/tls/tls_proxy_clnt.c, src/tls/tls_proxy_print.c,
+ src/tls/tls_proxy_scan.c, src/tls/tls_server.c,
+ src/tls/tls_verify.c.
+
+20130426
+
+ Non-production fixes: refinement of SASL-dependent context
+ for connection-cache reuse, documentation. Viktor Dukhovni
+ and Wietse Venema. Files: smtp/smtp.h, smtp/smtp_key.c,
+ tls/tls_client.c.
+
+20130506
+
+ Non-production bugfix: macros must use distinct names for
+ temporary variables, to avoid name collision problems.
+ Problem report: Ralf Hildebrandt. Problem fix: Viktor
+ Dukhovni. File: smtp/smtp.h.
+
+ Non-production cleanup: simplified "dane" user interface,
+ replacing one "dane" security level plus multiple fall-back
+ options, with two "dane" security levels, one opportunistic
+ and one mandatory. Viktor Dukhovni. Files: proto/TLS_README.html,
+ proto/postconf.proto, mantools/postlink, proto/TLS_README.html,
+ proto/postconf.proto, global/mail_params.h,
+ posttls-finger/posttls-finger.c, smtp/lmtp_params.c,
+ smtp/smtp.c, smtp/smtp.h, smtp/smtp_params.c,
+ smtp/smtp_tls_policy.c, tls/tls.h, tls/tls_level.c.
+
+20130512
+
+ Feature: allow an SMTP client to skip postscreen(8) tests
+ before or after the 220 greeting, based on its DNSBL score.
+ Suggested by Rob McGee (/dev/rob0). Files: mantools/postlink,
+ proto/postconf.proto, global/mail_params.h,
+ postscreen/postscreen.c, postscreen/postscreen.h,
+ postscreen/postscreen_early.c, postscreen/postscreen_state.c,
+ postscreen/postscreen_tests.c.
+
+20130513
+
+ Bugfix (introduced: 20130512): postscreen logged no "PASS
+ NEW" event when the pregreet tests were turned off and the
+ postscreen_dnsbl_whitelist_treshold feature was turned on.
+ Reported by Rob McGee (/dev/rob0). Files: postscreen/postscreen.h,
+ postscreen/postscreen_early.c.
+
+ Bugfix (introduced: 20130512): postscreen panic because the
+ logic for dnsbl result retrieval was changed. Reported by
+ Noel Jones. File: postscreen/postscreen_early.c.
+
+20130517
+
+ Cleanup: just like the postscreen DNS block test will use
+ partial scores when some DNS lookup result is unavailable,
+ the postscreen_dnsbl_whitelist_treshold feature will now
+ use partial scores instead of ignoring them. File:
+ postscreen/postscreen_early.c.
+
+20130518
+
+ Bugfix (introduced: 1997): memory leak after error while
+ forwarding mail through the cleanup server. Viktor found
+ one, Wietse eliminated the rest. File: local/forward.c.
+
+ Feature: posttls-finger protocol and cipher grade selection
+ options. Leave protocol debug flags active across reconnects,
+ only suppress redundant logging of the certificate details.
+ Viktor Dukhovni. File: posttls-finger/posttls-finger.c.
+
+ Robustness: send SNI even when trying to reuse a DANE
+ session, because a new session may be negotiated anyway.
+ Viktor Dukhovni. File: tls/tls_client.c.
+
+ Cleanup: eliminate variable that is redundant with respect
+ to more authoritative state. Viktor Dukhovni. File:
+ posttls-finger/posttls-finger.c.
+
+ Feature: new tls_ssl_options parameter to enable OpenSSL
+ features (as opposed to tls_disable_workarounds which is
+ disables bug workarounds that are on by default). Viktor
+ Dukhovni. Files: proto/TLS_README.html, proto/postconf.proto,
+ src/global/mail_params.h, src/tls/tls.h, src/tls/tls_client.c,
+ src/tls/tls_misc.c.
+
+20130520
+
+ Documentation: removed resolve_null_domain from the list
+ of smtpd(8) parameters. File: smtpd/smtpd.c.
+
+20130523
+
+ Documentation: add cidr: and texthash: to the list of maps
+ that don't have automatic change detection. File:
+ proto/DATABASE_README.html.
+
+ Documentation: define the netmask format of CIDR maps.
+ File: proto/cidr_table.
+
+20130530
+
+ Cleanup: replace alloca() with mymalloc()/myfree() for
+ better error handling. Reported by Bill Parker. File:
+ util/dict_ni.c (does anyone still use this code?).
+
+20130531
+
+ Feature: tls_wildcard_matches_multiple_labels (default:
+ yes) to match multiple DNS labels with "*" in wildcard
+ certificates. Viktor Dukhovni. Files: proto/postconf.proto,
+ mantools/postlink, global/mail_params.h, tls/tls_client.c,
+ tls/tls_misc.c.
+
+20130607
+
+ Bugfix (DANE support): with multiple TLSA RR that carry "x
+ 0 0" certificates or "x 1 0" keys, Postfix failed to reset
+ the cert/key pointer before calling d2i_mumble(), causing
+ OpenSSL to clobber the previous cert or key. Viktor Dukhovni.
+ tls/tls_dane.c.
+
+ Robustness: check that TLSA-supplied certs have valid keys.
+ It is not clear whether that check is performed in d2i().
+ Viktor Dukhovni. tls/tls_dane.c.
+
+20130608
+
+ Cleanup (DANE support): be more explicit in the logging of
+ object digests. Viktor Dukhovni. tls/tls_dane.c.
+
+20100613
+
+ Workaround: unhelpful down-stream maintainers fail to install
+ the new smtpd_relay_restrictions safety net, causing breakage
+ that could have been avoided. We now hard-code the safety
+ net instead. Files: global/mail_params.h, conf/post-install,
+ RELEASE_NOTES_2.10.
+
+ Bugfix (DANE support): when TLSA records are insecure,
+ report that none are found. Viktor Dukhovni. Files:
+ posttls-finger/posttls-finger.c, smtp/smtp_tls_policy.c,
+ tls/tls_dane.c.
+
+20130615
+
+ TLS Interoperability: turn on SHA-2 digests by force. This
+ improves interoperability with clients and servers that
+ deploy SHA-2 digests without the required support for
+ TLSv1.2-style digest negotiation. Based on patch by Viktor
+ Dukhovni. Files: tls/tls_client.c, tls/tls_server.c.
+
+20130616
+
+ Workaround: The Postfix SMTP server TLS session cache was
+ broken because OpenSSL now enables session tickets by
+ default, resulting in different ticket encryption key for
+ each smtpd(8) process. the workaround turns off session
+ tickets. In 2.11 we'll enable session tickets properly.
+ Viktor Dukhovni. File: tls/tls_server.c.
+
+ Updated DANE support (trust in DNS instead of PKI). With
+ OpenSSL 1.0.2 (under development) trusted certificates don't
+ need to be self-signed roots. Otherwise we use an ephemeral
+ root certificate to sign the trust anchor. Viktor Dukhovni.
+ Files: posttls-finger/posttls-finger.c, smtp/smtp_proto.c,
+ smtp/smtp_tls_policy.c, tls/tls.h, tls/tls_client.c,
+ tls/tls_dane.c, tls/tls_fprint.c, tls/tls_misc.c,
+ tls/tls_verify.c.
+
+20130619
+
+ Documentation: troff lint. Patch by ES Raymond's bot. File:
+ proto/header_checks.
+
+ Cleanup: enforce smtpd_client_recipient_rate_limit for VRFY
+ commands. File: smtpd/smtpd.c.
+
+20130622
+
+ Bugfix: typo in the 20130613 smtpd_relay_restrictions default
+ setting. File: global/mail_params.h.
+
+20130623
+
+ Cleanup: configurable tlsmgr(8) service name. Files:
+ mantools/postlink, proto/postconf.proto, tls/tls_mgr.c,
+ tls/tls_misc.c, tlsproxy/tls-proxy.c, smtp/smtp.c,
+ smtpd/smtpd.c.
+
+20130629
+
+ Cleanup: documentation. Files: proto/CONNECTION_CACHE_README.html,
+ proto/SCHEDULER_README.html.
+
+20130708
+
+ Cleanup: postscreen_upstream_proxy_protocol setting. Files:
+ global/mail_params.h, postscreen/postscreen_endpt.c.
+
+20130709
+
+ Cleanup: qmgr documentation clarification by Patrik Rak.
+ Files: proto/SCHEDULER_README.html, qmgr/qmgr_job.c.
+
+ Cleanup: re-indented code. File: qmgr/qmgr_job.c.
+
+ Logging: minimal DNAME support. Viktor Dukhovni. dns/dns.h,
+ dns/dns_lookup.c, dns/dns_strtype.c, dns/test_dns_lookup.c.
+
+20130710
+
+ Workaround: smtp_connection_reuse_count_limit (default 0,
+ i.e. unlimited) for sites that must deal with hostile
+ connection reuse policies. The documentation comes with a
+ warning that this feature introduces a "fatal attractor"
+ failure mode. Files: global/mail_params.h, mantools/postlink,
+ proto/postconf.proto, smtp/smtp.c, smtp/smtp_params.c,
+ smtp/lmtp_params.c, smtp/smtp.h.
+
+ Workaround: FreeBSD9 nroff outputs ANSI escape sequences
+ instead of overstrike sequences. To make matters worse, it
+ uses the ESC[0m sequence sometimes for end-of-bold and
+ sometimes for end-of-italic. File: mantools/man2html.
+
+20130714
+
+ Cleanup: added smtpd_relay_restrictions entries to the
+ default master.cf file, so that main.cf settings won't
+ affect the submission and smtps services. Simon Matter.
+ File: conf/master.cf.
+
+20130728
+
+ Cleanup: wrong function name in error message. John Fawcett.
+ File: util/vstring_vstream.c.
+
+20130801
+
+ Cleanup: with ``make makefiles CCARGS="-DHAS_DB...'', the
+ makedefs script no longer tries to locate the Linux Berkeley
+ DB include and library files. Instead it assumes that the
+ locations are given on the command line, as shown in the
+ DB_README examples. Leo Baltus. File: makedefs.
+
+20130805
+
+ Documentation: clarified reject_non_fqdn_helo_hostname.
+ File: proto/postconf.proto.
+
+20130809
+
+ Cleanup: the lmdb_map_size parameter is now a long integer.
+ Howard Chu. Files: global/mail_params.[hc].
+
+20130815
+
+ Documentation: added pointer to Dovecot 2 configuration.
+ File: proto/SASL_README.html
+
+20130818
+
+ Update: LMDB client updated to LMDB 0.9.7, which hopefully
+ fixes the unrecoverable "transaction full" error. With a
+ new MDB_MAP_FULL workaround by Howard Chu that ensures that
+ postfix will make progress as long as the disk is not full.
+ File: util/dict_lmdb.c.
+
+20130822
+
+ The status of LMDB databases is "not recommended". Unlike
+ other Postfix databases, LMDB does not grow beyond a specified
+ limit even when the file system has room. This show-stopper
+ bug breaks applications whose requirements grow with load:
+ postscreen(8), greylisting, tlsmgr(8) and verify(8).
+
+20130825
+
+ Bitrot: Arrange for shared keys in SMTP server session
+ tickets. Otherwise, with clients that enable session
+ tickets, the SMTP session cache is per-process and largely
+ ineffective. Older releases should add SSL_OP_NO_TICKET
+ to the SSL options bit mask in the SMTP server only. The
+ session ticket key validity interval (sum of initial issuing
+ and retired key validation intervals) must not exceed the
+ SSL session lifetime. Otherwise, clients may send valid
+ tickets for expired sessions, which the OpenSSL server code
+ mishandles (does not send a replacement ticket, patch
+ pending...).
+
+ We set the session lifetime to 2 times the configured cache
+ lifetime which is also the ticket issuing and retired
+ validation lifetime, so ticketed sessions last 1 to 2 times
+ the configured session lifetime and never longer than a
+ session's expiration time.
+
+ Code by Viktor Dukhovni. Files: .indent.pro, mantools/postlink,
+ proto/TLS_README.html, proto/postconf.proto, global/mail_params.h,
+ posttls-finger/posttls-finger.c, posttls-finger/tlsmgrmem.c,
+ smtpd/smtpd.c, tls/tls.h, tls/tls_client.c, tls/tls_mgr.c,
+ tls/tls_mgr.h, tls/tls_scache.c, tls/tls_scache.h,
+ tls/tls_server.c, tlsmgr/tlsmgr.c, tlsproxy/tlsproxy.c.
+
+ Robustness: Search for TLSA RRs at the resolved server name
+ (rname) and failing that request server name (qname), and
+ use whichever was found as the TLSA base domain for certificate
+ matching.
+
+ When we find a DNSSEC validated MX RRset, and the initial
+ next-hop domain is a CNAME, include both the initial and
+ final (the one with the actual MX RRs) domains in the list
+ of valid server certificate names.
+
+ When we find no MX records, then the initial next-hop domain
+ is obtained securely from the recipient domain or transport
+ next-hop. Without MX records, this is a destination hostname,
+ so we should generally do a TLSA lookup. If however the
+ address lookup yields an insecure result, and its rname is
+ equal to its qname (no CNAMEs), we reasonably assume that
+ the its child "_port._tcp" sub-domain is likewise insecure
+ (security here would require DLV just for this sub-domain).
+ This allows us to skip futile TLSA queries for most non-MX
+ destinations (those that are in insecure zones and are not
+ CNAMEs). This heuristic can be disabled by setting the new
+ main.cf parameter smtp_tls_force_insecure_host_tlsa_lookup
+ to "yes", the default is "no".
+
+ Finally, with MX hostnames, if the MX RRset is secure, we
+ look for TLSA RRs at the qname only when the MX host is an
+ alias with an insecure rname. If both the qname and the
+ rname are secure, as before we prefer the rname, but when
+ nothing is found there, fall back to the qname.
+
+ Code by Viktor Dukhovni. Files: mantools/postlink,
+ proto/postconf.proto, src/global/mail_params.h,
+ src/posttls-finger/posttls-finger.c, src/smtp/lmtp_params.c,
+ src/smtp/smtp.c, src/smtp/smtp.h, src/smtp/smtp_addr.c,
+ src/smtp/smtp_addr.h, src/smtp/smtp_connect.c,
+ src/smtp/smtp_params.c, src/smtp/smtp_tls_policy.c,
+ src/tls/tls.h, src/tls/tls_dane.c.
+
+20130826
+
+ Documentation: re-ordered STRESS_README, now that all
+ supported releases have stress-adaptive behavior built in.
+ File: proto/STRESS_README.html.
+
+20130903
+
+ Cleanup: made the default_database_type compile-time
+ configurable. Files: util/sys_defs.h, makedefs, proto/INSTALL.
+
+20130916
+
+ Feature: reject_known_sender_login_mismatch, which applies
+ reject_sender_login_mismatch only to MAIL FROM addresses
+ that are known in $smtpd_sender_login_maps. Viktor & Wietse.
+ Files: mantools/postlink, proto/SASL_README.html,
+ proto/postconf.proto, global/mail_params.h, smtpd/smtpd_check.c.
+
+20130927
+
+ Cleanup: no more LMDB "database full" errors. Postfix now
+ requires LMDB >= 0.9.8 which supports on-the-fly database
+ resizing. When a database becomes full, its size limit is
+ automatically doubled, and other processes automatically
+ pick up the new database size limit. Files: util/dict.h,
+ util/dict_open.c, util/dict_alloc.c, util/dict_lmdb.c,
+ postmap/postmap.c, postalias/postalias.c, proto/LMDB_README.html,
+ proto/postconf.proto.
+
+20130928
+
+ Cleanup: the lmdb_max_readers property is now configurable.
+ This is a hard limit built into the OpenLDAP library that
+ causes requests to fail when the number of open read
+ transactions exceeds the limit. When this happens the LMDB
+ client logs an MDB_READERS_FULL warning and continues with
+ reduced performance. Files: util/dict_lmdb.c, util/dict_lmdb.h,
+ global/mail_params.h, global/mail_params.c, proto/postconf.proto,
+ proto/LMDB_README.html.
+
+20130929
+
+ Security violation: LMDB opens files with read/write access
+ for lock management purposes. This gives unprivileged
+ daemon processes read/write file handles for root-owned
+ files under /etc/postfix. This also breaks when a non-root
+ process needs to access a root-owned database. Even if
+ LMDB lock files were world-writable, and kept in a dedicated
+ directory, they would still violate the principle of least
+ privilege. For all these reasons, support to create LMDB
+ files is removed from the postmap and postalias commands.
+ LMDB files can still be created by unprivileged Postfix
+ daemon processes under the postfix-owned data_directory.
+ Files: proto/LMDB_README.html, global/mkmap.c.
+
+20131001
+
+ Cleanup: LMDB support is forbidden due to problems with
+ LMDB lock management. These problems hinder error recovery
+ in multi-programmed systems, and prohibit database sharing
+ between privileged writer processes and unprivileged reader
+ processes.
+
+20131009
+
+ Documentation: inet_protols description was not updated
+ when smtp_address_preference was added. File: proto/postconf.proto
+
+20131013
+
+ Documentation: why postscreen(8) uses hash-table lookups
+ instead of direct pointers to find the DNSBL lookup result
+ for a specific session. File: postscreen/postscreen_early.c.
+
+20131022
+
+ Cleanup: add more &code; to postconf2man. Someone has been
+ writing documentation without checking the result, File:
+ mantools/postconf2man.
+
+ Documentation: in the discard(8) manpage, the reason is not
+ a host or domain name. File: discard/discard.c.
+
+20131025
+
+ Documentation: specify the expected result format with
+ "list" tables. File: proto/DATABASE_README.html.
+
+20131026
+
+ Future proofing: API changes in the PCRE library. File:
+ util/dict_pcre.c.
+
+20131028
+
+ Feature: check_sasl_access to block hijacked logins. Files:
+ mantools/postlink, proto/postconf.proto, global/mail_params.h,
+ smtpd/smtpd_check.c, smtpd/smtpd_dsn_fix.h.
+
+20131029-31
+
+ Cleanup: slmdb(3) simplified LMDB API that hides recoverable
+ LMDB errors from applications so that they can focus on
+ their own job. Files: util/slmdb.[hc].
+
+ Cleanup: LMDB functionality restored, after elimination of
+ 1) world-writable lockfiles, 2) hard limits on the number
+ of concurrent readers, and 3) hard-coded database file inode
+ numbers in lockfiles that can prevent automatic crash
+ recovery. Files: proto/LMDB_README.html, proto/postconf.proto,
+ mantools/postlink, util/dict_lmdb.c.
+
+20131101
+
+ Cleanup: restore ability to build without LMDB support;
+ further slmdb API streamlining. Files: util/slmdb.[hc],
+ util/dict_lmdb.c.
+
+ Bugfix: uninitialized variable. File: util/slmdb.c.
+
+ Documentation: added SASL_README example for check_sasl_access.
+ File: proto/SASL_README.html.
+
+20131102-3
+
+ Security violation: by default, LMDB 0.9.9 writes uninitialized
+ heap memory to a world-readable database file, as chunks
+ of up to 4096 bytes. This is a huge memory disclosure
+ vulnerability: memory content that a program does not intend
+ to share ends up in a world-readable file. The content of
+ uninitialized heap memory depends on program execution
+ history. That history includes code execution in other
+ libraries that are linked into the program.
+
+ This is a problem whenever the user who writes the database
+ file differs from the user who reads the database file. For
+ example, a privileged writer and an unprivileged reader.
+ In the case of Postfix, the postmap(1) and postalias(1)
+ commands would leak uninitialized heap memory, as chunks
+ of up to 4096 bytes, from a root-privileged process that
+ writes to a database file, to unprivileged processes that
+ read from that database file.
+
+ To work around this problem the postmap(1) and postalias(1)
+ commands disable the use of malloc() in LMDB. However, that
+ does not address several disclosures of stack memory. Other
+ Postfix databases do not need this workaround: those databases
+ are maintained by Postfix daemon processes, and are accessible
+ only by the postfix user. File: util/dict_lmdb.c.
+
+20131102-3
+
+ Cleanup: expand TAB characters when generating documentation.
+ This was primarily an issue with non-HTML output, but it does
+ not hurt to do this also for HTML. Files: proto/Makefile.in,
+ proto/MULTI_INSTANCE_README.html.
+
+20131104
+
+ Feature: ${queue_id} macro support for the pipe(8) delivery
+ agent by Andreas Schulze. File: pipe/pipe.c.
+
+20131107
+
+ Cleanup: after 16 years the SKIP() and TRIM() macros were
+ triggering compiler warnings. Files: global/mail_params.c,
+ smtpstone/smtp-sink.c, util/mac_parse.c, util/split_nameval.c.
+
+20131110
+
+ Bugfix (introduced Oct 26 1997): don't clobber errno before
+ expanding %m. File: util/vbuf_print.c.
+
+20131114
+
+ Cleanup: LMDB >= 0.9.10 does not need the MDB_WRITEMAP
+ workaround to avoid heap memory information leaks. File:
+ util/dict_lmdb.c.
+
+20131114
+
+ Cleanup: Coverity found a harmless memory leak in the
+ postconf master.cf parser. Reported by Christos Zoulas,
+ NetBSD. File: postconf/postconf_master.c.
+
+ Cleanup: graceful degradation after database open() error.
+ Several instances of that code introduced a harmless memory
+ leak, and Coverity complained about one of them (Christos
+ Zoulas, NetBSD). Instead of adding random code in random
+ places, restructured dict_foo_open() routines with consistent
+ code to dispose of memory or file handles. Files: dict_thash.c,
+ dict_sockmap.c, dict_regexp.c, dict_pcre.c, dict_lmdb.c,
+ dict_dbm.c, dict_cidr.c, dict_cdb.c.
+
+ Cleanup: warning message after canonical/virtual/etc.
+ table lookup error. Files: cleanup/cleanup_addr.c,
+ cleanup/cleanup_map11.c, cleanup/cleanup_map1n.c,
+ cleanup/cleanup_masquerade.c, cleanup/cleanup_message.c,
+ cleanup/cleanup_milter.c.
+
+20131116
+
+ Feature: MySQL client support for option_file, option_group,
+ tls_cert_file, tls_key_file, tls_CAfile, tls_CApath,
+ tls_verify_cert. See mysql_table(5). Code by Gareth Palmer.
+ Files: proto/mysql_table, global/dict_mysql.c.
+
+ Cleanup: DANE support. Keep the attributes of TA certificates
+ obtained via "IN TLSA 2 0 X" RRs, while continuing to only
+ use the key from "IN TLSA 2 1 X" RRs. This means in the
+ "2 0 X" case that we re-sign the TA certificate in place,
+ rather than synthesize a vanilla cert around just the key.
+ Viktor Dukhovni. File: tls/tls_dane.c.
+
+ Bugfix: posttls-finger parsing of destination and optional
+ match values. Viktor Dukhovni. File:
+ posttls-finger/posttls-finger.c.
+
+ Cleanup: When wrap_signed is false (OpenSSL 1.0.2 some day),
+ we don't have to sign trust anchors, and don't generate a
+ key to do so. Thus don't attempt to re-sign trust-anchor
+ certificates (IN TLSA 2 0 X) in this case. Viktor Dukhovni.
+ File: tls/tls_dane.c.
+
+ Feature: configurable DANE digest algorithm priority. Use
+ only the most-preferred, shared, digest algorithm for any
+ give (usage, selector) combination. Viktor Dukhovni.
+ mantools/postlink, proto/postconf.proto, global/mail_params.h,
+ tls/tls_dane.c, tls/tls_misc.c.
+
+ Bugfix: FreeBSD nroff workaround messed up. File:
+ mantools/postlink.
+
+20131118
+
+ Cleanup: FreeBSD nroff workaround. Files: man/Makefile.in,
+ proto/Makefile.in.
+
+ Cleanup: the smtpd_proxy_filter client now sends QUIT before
+ closing the connection to a content filter. Files:
+ smtpd/smtpd_proxy.c, smtpd/smtpd.c.
+
+ Portability: C99 va_copy() compatibility, in case some
+ implementation does not permit multiple va_start() calls
+ on the same argument list. Files: global/memcache_proto.c,
+ milter/milter8.c, smtpstone/smtp-source.c, util/attr_clnt.c,
+ util/concatenate.c, util/dict_surrogate.c, util/netstring.c,
+ util/compat_va_copy.h.
+
+ Cleanup: comment formatting. Viktor Dukhovni. File: dns/dns.h.
+
+ Cleanup: removed redundant sort operation. Viktor Dukhovni.
+ File: tls/tls_dane.c.
+
+20131119
+
+ Feature: a Postfix LMDB database can now be used as shared
+ persistent cache with multiple postscreen(8) or verify(8)
+ daemons (but not both), without the need for a shared
+ proxymap server. Files: util/dict.h, util/dict_alloc.c,
+ util/dict_open.c, util/dict_lmdb.c.
+
+ Internal: DNS client support to report reply RCODE information,
+ in addition to the simplified DNS_NOTFOUND, DNS_RETRY etc.
+ Portability note: this requires the C99 __VA_ARGS__ feature.
+ Files: dns/dns.h. dns/dns_lookup.c, dns/test_dns_lookup.c.
+
+20131120
+
+ Cleanup: reduced the code footprint for the LMDB < 0.9.10
+ heap-to-file information leak workaround, and simplified
+ the implementation to "good enough". Files: util/dict.h,
+ util/dict.c, util/dict_lmdb.c, postalias/postalias.c,
+ postmap/postmap.c.
+
+ Cleanup: reduced the code footprint for the handling of
+ multi-writer safe maps. A map only needs to assert that it
+ is multi-writer safe, and the rest just happens. Files:
+ util/dict.h, util/dict_open.c, util/dict_lmdb.c,
+ global/dict_memcache.c.
+
+ Cleanup: Postfix daemons no longer restart when a multi-writer
+ safe map is updated. File: util/dict.c.
+
+ Documentation: sharing an LMDB cache between multiple
+ verify(8) or postscreen(8) servers (but not both). Files:
+ proto/ADDRESS_VERIFICATION_README.html,
+ proto/POSTSCREEN_README.html.
+
+ Cleanup: improve suppression of TLSA lookups in insecure
+ zones. This is now applied not only to non-MX destinations,
+ but also to each MX record. Viktor Dukhovni. Files:
+ src/posttls-finger/posttls-finger.c, src/smtp/smtp_tls_policy.c,
+ src/tls/tls.h, src/tls/tls_dane.c.
+
+ Workaround: increased the 5s connection timeout to 30s.
+ Viktor Dukhovni. File: posttls-finger/posttls-finger.c.
+
+20131121
+
+ Documentation: new socketmap_table(5) and lmdb_table(5)
+ manpages. Files: mantools/postlink, conf/postfix-files,
+ html/Makefile.in, man/Makefile.in, proto/DATABASE_README.html,
+ postconf/postconf.c, proto/socketmap_table, proto/lmdb_table.
+
+20131122
+
+ Documentation: missing database hyperlinks, refined text
+ about partial lookup keys. Files: mantools/postlink,
+ proto/DATABASE_README.html, proto/lmdb_table,
+ proto/socketmap_table.
+
+20131123
+
+ Feature: support for NOTIFY parameter in the Milter
+ SMFIR_ADDRCPT_PAR request. Contributed by by Andrew Ayer.
+ Wietse added support for ORCPT. Files: cleanup/cleanup.h,
+ cleanup/cleanup_milter.c, cleanup/cleanup_state.c,
+ global/xtext.c, global/xtext.h, milter/test-milter.c.
+
+20131122
+
+ Feature: "postconf -Fe service/type/attribute = value" edits
+ master.cf attribute values. The -e is optional. Example:
+ use "postconf -F "*/*/chroot = n" to turn off chroot on all
+ master.cf services. Files: postconf/postconf.h,
+ postconf/postconf.c, postconf/postcof_master.c,
+ postconf/postconf_edit.c.
+
+20131124
+
+ Cleanup: remove extra blank line from ccformat output,
+ making it compatible with the script that Wietse actually
+ uses (this line was part of a test to detect file truncation,
+ but it is now obsolete). File: mantools/ccformat.
+
+ Feature: master.cf parameter namespace. "postconf -P" shows
+ master.cf parameter settings as "service/type/parameter =
+ value". This is applicable only to parameter settings in
+ master.cf. Files: postconf/postconf.h, postconf/postconf.c,
+ postconf/postcof_master.c, postconf/postconf_print.c.
+
+ Incompatibility: the master_service_disable syntax has
+ changed: use "service/type" instead of "service.type". The
+ new form is consistent with master.cf parameter namespaces.
+ The old form is still supported to avoid breaking existing
+ configurations. Files: global/master_service.c,
+ master/master_ent.c.
+
+20131125
+
+ Feature: change, add or delete "-o parameter=value" setting
+ in master.cf. Examples: "postconf -P smtp/inet/parameter=value"
+ (add or modify "-o name=value" setting) and "postconf -P
+ smtp/inet/parameter" (delete "-o parameter=value" setting).
+ Files: util/argv.[hc], postconf/postconf.h,
+ postconf/postconf_edit.c, postconf_master.c.
+
+20131126
+
+ Cleanup: Leave SSLv3 enabled with DANE. Viktor Dukhovni.
+ Files: proto/TLS_README.html proto/postconf.proto
+ tls/tls_client.c.
+
+ Cleanup: DANE support: Drop support for usage 0. It SHOULD
+ NOT be supported in DANE with SMTP, and we already don't
+ support digest TLSA RRs in this case, while full content
+ TLSA RRs are not recommended for DNS bloat reasons. Viktor
+ Dukhovni. Files: proto/postconf.proto src/global/mail_params.h
+ src/smtp/smtp.c src/tls/tls_dane.c src/tls/tls_misc.c.
+
+ Feature: TLS support: Support future digest algorithms
+ without re-compilation. Viktor Dukhovni. Files: .indent.pro
+ proto/postconf.proto src/tls/tls_dane.c.
+
+ Feature: DNS support: New configurable digest agility.
+ Viktor Dukhovni. Files: .indent.pro proto/TLS_README.html
+ proto/postconf.proto src/global/mail_params.h src/tls/tls_dane.c
+ src/tls/tls_misc.c.
+
+20131127
+
+ Bugfix (introduced: 20090106): the postconf '-#' option
+ erased prior options. File: postconf/postconf.c.
+
+20131129
+
+ Bugfix: Makefile example in MULTI_INSTANCE_README. Viktor
+ Dukhovni. File: proto/MULTI_INSTANCE_README.html.
+
+20131130
+
+ Cleanup: simplify fingerprint security level implementation
+ in new DANE code. Viktor Dukhovni. Files: src/tls/tls.h
+ src/smtp/smtp_tls_policy.c src/tls/tls_dane.c
+ src/posttls-finger/posttls-finger.c.
+
+20131209
+
+ Cleanup: safe_strtoul() did not report an error for empty
+ or all-space input (the code to report this was in the wrong
+ place). This was not a problem as long as safe_strtoul()
+ was used only for output from safe_ultostr(). Files:
+ global/safe_ultostr.c, global/safe_ultostr.in,
+ global/safe_ultostr.ref.
+
+20131210
+
+ Documentation: updated description of SSL protocol controls.
+ In particular, enabled protocols are part of a contiguous
+ range. Viktor Dukhovni. Files: proto/TLS_README.html,
+ proto/postconf.proto.
+
+ Bugfix: DANE support: handle OpenSSL memory allocation
+ error. Viktor Dukhovni. File: tls/tls_dane.c.
+
+ Cleanup: LMDB_README was not installed. File: conf/postfix-files.
+
+20131214
+
+ Portability: on some platforms posttls-finger now requires
+ explicitly linking libdl. File: posttls-finger/Makefile.in.
+
+ Cleanup: DANE support: extension gymnastics. Viktor Dukhovni.
+ File: tls/tls_dane.c.
+
+ Bugfix: DANE support: the wrap_cert() and wrap_key() calls
+ should never fail, but some callers ignored the return
+ value. The only failure is for lack of memory, so we use
+ msg_fatal() internally and change wrap_cert() and wrap_key()
+ to return void. Viktor Dukhovni. File: tls/tls_dane.c.
+
+ Bugfix: DANE support: avoid making DANE certificates with
+ replaced public-keys appear as if they were self-signed.
+ Viktor Dukhovni. File: tls/tls_dane.c.
+
+ Cleanup: DANE support: simplify grow_chain() to always apply
+ trust consistently. Viktor Dukhovni. File: tls/tls_dane.c.
+
+ Bugfix: DANE support: backport fixes from OpenSSL DANE
+ testing. Discard errors generated by raw TA key signature
+ checks. Record the tadepth as zero with self-signed depth
+ 0 TAs. Robustness: Though it should never happen, don't
+ update the tadepth if already set. Viktor Dukhovni. Files:
+ tls/tls_dane.c, tls/tls_server.c.
+
+20131215
+
+ Cleanup: OpenSSL "const" declarations have changed over
+ time. Viktor Dukhovni. Files: src/tls/tls.h, src/tls/tls_client.c,
+ src/tls/tls_dane.c, src/tls/tls_server.c.
+
+20131216
+
+ Cleanup: TLS support. Eliminate calls of deprecated functions
+ before they are removed from OpenSSL. CRYPTO_thread_id is
+ deprecated and we don't need it. Replace the deprecated
+ ERR_remove_state() call with ERR_remove_thread_state(), and
+ use RSA_generate_key_ex(). Viktor Dukhovni. Files:
+ posttls-finger/posttls-finger.c, tls/tls_misc.c, tls/tls_rsa.c.
+
+ Cleanup: DANE support: Reduce #ifdef clutter to improve
+ redability and maintainability. Viktor Dukhovni. File:
+ tls/tls_dane.c.
+
+ Future proofing: Tolerate disappearance of named bug-workaround
+ bits without invalidating user configurations. When support
+ for a bug workaround is removed from OpenSSL, the corresponding
+ bit is defined as zero (i.e. NOOP) instead of causing
+ programs to break. Viktor Dukhovni. File: tls/tls_misc.c.
+
+20131217
+
+ Portability: RSA_generate_key_ex() is not available on all
+ supported platforms, so this change is made conditional.
+ Enforce that this function will be used only for creating
+ a 512-bit ephemeral RSA key. Viktor Dukhovni. File:
+ tls/tls_rsa.c.
+
+20131218
+
+ Documentation: new document FORWARD_SECRECY_README that
+ describes how different versions of Postfix >= 2.2 implement
+ "perfect" forward secrecy. Viktor Dukhovni. File:
+ proto/FORWARD_SECRECY_README.html, proto/Makefile.in,
+ conf/postfix-files, html/index.html.
+
+20131219
+
+ Cleanup: renamed postconf(1) internal identifiers according
+ to a consistent scheme, to avoid future name conflicts as
+ Postfix evolves. This is a no-feature change. Files:
+ postconf/*.[hc], postconf/extract.awk.
+
+ Documentation: linearized the order of exposition in
+ FORWARD_SECRECY_README. File: proto/FORWARD_SECRECY_README.html.
+
+20131220
+
+ Bugfix: DANE support: segfault. Viktor Dukhovni. File:
+ tls/tls_dane.c.
+
+ Documentation: typo in SASL_README. Patrick Ben Koetter.
+ File: proto/SASL_README.html.
+
+ Documentation: increased the *.[0-9].html manpage width
+ from the historical 65 columns to the more contemporary 78
+ columns, and future-proofed the pattern that eliminates
+ redundant text from the "README FILES" section. Files:
+ mantools/postlink, mantools/man2html, man/Makefile.in.
+
+ Documentation: misc manual page cleanups. Files:
+ postconf/postconf.c, postmulti/postmulti.c.
+
+20131221
+
+ Testbed: TLS support. Viktor Dukhovni. Files: tls/Makefile.in,
+ tls/tls_dane.c, tls/tls_dane.sh, tls/tls_mgr.c, .indent.pro.
+
+ Documentation: added section on how to verify that forward
+ secrecy works. File: proto/FORWARD_SECRECY_README.html.
+
+20131222
+
+ Documentation: forward secrecy, with feedback from Adam
+ Shostack. Viktor Dukhovni and Wietse Venema. File:
+ proto/FORWARD_SECRECY_README.html.
+
+20131224
+
+ Feature: smtpd_sasl_service (until now, this was hard-coded
+ internally as "smtp"). On request by Michal (sksoft.cz).
+ Files: global/mail_params.h, proto/postconf.proto,
+ mantools/postlink, smtpd/smtpd.c, smtpd/smtpd_sasl_glue.c.
+
+ Documentation: updated example to Dovecot version 2 syntax.
+ File: proto/SASL_README/html.
+
+20131228
+
+ Cleanup: DANE support: test script. Viktor Dukhovni. File
+ tls/tls_dane.sh.
+
+ Debugging: test driver for LMDB debugging and stress testing.
+ Shockingly, LMDB terminates the postscreen daemon without
+ logfile record. File: util/dict_cache.c.
+
+20140102
+
+ Bugfix: close the LMDB database cursor's read transaction
+ before writing with MDB_NOLOCK and before changing the
+ database memory map size. File: util/slmdb.c.
+
+20140103
+
+ Cleanup: eliminated data duplication from the new SMTP_ITERATOR
+ structure to the old SMTP_SESSION structure. The SMTP_ITERATOR
+ structure now maintains the sole copy. Files: smtp/smtp.h,
+ smtp_sasl_auth_cache.c, smtp_reuse.c, smtp_sasl_glue.c,
+ smtp_rcpt.c, smtp_session.c, smtp_chat.c, smtp_proto.c,
+ smtp_connect.c.
+
+20140104
+
+ Feature: support for optional configuration files
+ "$daemon-directory/postfix-files.d/*". These are processed
+ in sorted order after "$daemon-directory/postfix-files",
+ This avoids breaking "postfix set-permissions" etc. when a
+ Postfix distribution comes in multiple packages. File:
+ conf/post-install.
+
+20140107
+
+ Feature: LMDB 0.9.11 allows Postfix daemons to log an LMDB
+ error message, instead of falling out of the sky without
+ any notification. Files: util/slmdb.[hc], util/dict_lmdb.c.
+
+20140108
+
+ Bugfix: every Postfix LMDB transaction is now protected by
+ an external lock for its entire life time. File: util/slmdb.c.
+
+20140109
+
+ Cleanup: turn off DNSSEC lookup after CNAME redirection to
+ an insecure zone. This is an optimization for resolvers
+ that do not automatically resolve CNAME chains. Viktor
+ Dukhovni. File: dns/dns_lookup.c.
+
+ Cleanup: do not salt the SMTP TLS policy lookup cache key
+ with the DNSSEC status. The DNSSEC status will not change
+ when the same nexthop/host pair is looked up repeatedly.
+ Viktor Dukhovni. File: smtp/smtp_tls_policy.c.
+
+ Robustness: Suppress TLSA lookups only when the qname zone
+ is insecure, not just because the rname zone is insecure.
+ This requires an extra T_CNAME lookup for the qname, since
+ nameservers are often "too helpful" and report CNAME records
+ together with the CNAME targets. When the targets are
+ insecure the whole reply is marked as insecure. Viktor
+ Dukhovni. File: tls/tls_dane.c.
+
+ Cleanup: Unify/simplify reporting of configuration or other
+ conditions that prevent DANE security. Viktor Dukhovni.
+ Files: global/dsn_buf.[hc], tls/tls_dane.c, smtp/smtp_tls_policy.c.
+
+20140110-15
+
+ Miscellaneous documentation cleanups.
+
+20140116
+
+ Workaround: prepend "-I. -I../../include" to CCARGS, to
+ avoid name clashes with non-Postfix header files. File:
+ makedefs.
+
+20140125
+
+ Cleanup: assorted documentation glitches.
+
+20140209
+
+ Workaround: the Postfix SMTP client now also falls back to
+ plaintext when TLS fails after the TLS protocol handshake.
+ Files: smtp/smtp.h, smtp/smtp_connect.c, smtp/smtp_trouble.c.
+
+ Testbed: unsupported HANGUP access map action that drops
+ the connection without responding to the remote SMTP client.
+ File: smtpd/smtpd_check.c.
+
+20140214
+
+ Workaround: apparently some buggy kernels report WIFSTOPPED
+ events to the parent process (master daemon) instead of the
+ tracing process (e.g., gdb). File: master/master_spawn.c.
+
+20140218
+
+ Workaround: require that a queue file is older than
+ $minimal_backoff_time, before falling back from failed TLS
+ to plaintext (both during or after the TLS handshake).
+ Viktor Dukhovni. Files: smtp/smtp.h, smtp/smtp.c,
+ smtp/lmtp_params.c, smtp/smtp_params.c.
+
+20140220
+
+ Workaround: in case "minimal_backoff_time = $queue_run_delay".
+ Files: smtp/smtp.c, smtp/smtp_params.c, smtp/lmtp_params.c.
+
+ Cleanup: consolidate the code to log the start of a new
+ mail transaction in one place, so that code can easily be
+ added to log TLS status information in addition to the
+ existing client and SASL status information. Files:
+ smtpd/smtpd_sasl_proto.h, smtpd/smtpd_sasl_proto.c,
+ smtpd/smtpd.c.
+
+20140223
+
+ Workaround: when a session breaks after the TLS handshake,
+ do not fall back from TLS to plaintext when all recipients
+ were deferred or rejected during the TLS phase. Files:
+ smtp/smtp.h, smtp/smtp_rcpt.c.
+
+ Logging: the TLS client logged that an "Untrusted" TLS
+ connection was established instead of "Anonymous". Viktor
+ Dukhovni. File: tls/tls_client.c.
+
+ Documentation: new self-signed certificate example and
+ updated private CA example. File: proto/TLS_README.html.
+
+20140224
+
+ Bugfix (introduced: 20061106): when the "retry" transport
+ was added to Postfix, it was not given special status like
+ the "error" transport. The Postfix SMTP server did not defer
+ mail that resolves to the "retry" transport, and the
+ trivial-rewrite daemon would override the null nexthop
+ destination in "retry:" with the current nexthop destination.
+ Files: smtpd/smtpd_check.c, trivial-rewrite/transport.c.
+
+20140227
+
+ Bugfix: Enforce TLS when TLSA records exist, but all are
+ unusable; Don't leak dane handle when all TLSA records are
+ unusable. Viktor Dukhovni. File: smtp/smtp_tls_policy.c.
+
+ Cleanup: log TLS policy lookup errors as warnings. Viktor
+ Dukhovni. File: smtp/smtp_connect.c.
+
+20140316
+
+ Feature: preliminary support to change arbitrary hard
+ delivery errors into soft errors and vice versa, or to
+ replace the descriptive text of non-delivery notifications.
+ This was originally introduced for sites that want to bounce
+ mail when no remote SMTP server announces TLS support. New
+ parameters: {default,smtp,pipe,virtual}_bounce_defer_filter.
+ Files: proto/postconf.proto, mantools/postlink, global/bounce.[hc],
+ bounce/defer.[hc], global/ndr_filter.[hc], global/mail_params.[hc],
+ master/event_server.c, master/multi_server.c,
+ master/single_server.c, master/trigger_server.c, smtp/smtp.c,
+ pipe/pipe.c, virtual/virtual.c.
+
+20140317
+
+ Feature: local_bounce_defer_filter support. Files:
+ global/bounce.[hc], global/defer.[hc], local/command.c,
+ local/file.c, local/bounce_workaround.c, local/local.c,
+ global/mail_params.h, mantools/postlink.
+
+20140318
+
+ Refinement: don't throttle an SMTP destination when the new
+ smtp_bounce_defer_filter feature turns a soft bounce into
+ a hard bounce. File: smtp/smtp_trouble.c.
+
+20140320
+
+ Feature: support to replace successful delivery status code
+ and explanatory text. This can be used to to hide local
+ details such as destination commands or file names when a
+ remote sender requests confirmation of delivery. As of now
+ *_bounce_defer_filter is renamed into *_delivery_status_filter.
+ Files: global/bounce.c, global/bounce.h, global/defer.c,
+ global/defer.h, global/dsn_filter.c, global/dsn_filter.h,
+ global/mail_params.c, global/mail_params.h, global/sent.c,
+ local/local.c, master/event_server.c, master/multi_server.c,
+ master/single_server.c, master/trigger_server.c, pipe/pipe.c,
+ smtp/lmtp_params.c, smtp/smtp.c, smtp/smtp_params.c,
+ virtual/virtual.c, mantools/postlink.
+
+20140322
+
+ Cleanup: code comments and identifier names to reflect the
+ evolution from "NDR filter" to "delivery status filter".
+ Files: global/mail_params.h, smtp/smtp.c, global/dsn_filter.c,
+ global/dsn_filter.h, local/local.c, pipe/pipe.c,
+ smtp/lmtp_params.c, smtp/smtp_params.c, virtual/virtual.c,
+ global/bounce.c.
+
+20140323
+
+ Feature: initial merge of Debian-style dynamic linking.
+ Viktor Dukhovni.
+
+20140406
+
+ Bugfix: when testing session caching, stop reconnecting
+ after encountering a previously-used server (when the session
+ is re-used or not). Viktor Dukhovni. File:
+ posttls-finger/posttls-finger.c.
+
+ Feature: configurable TLS session-ticket cipher (default:
+ tls_session_ticket_cipher = aes-128-cbc). Viktor Dukhovni
+ and Wietse. Files: mantools/postlink, smtpd/smtpd.c,
+ proto/postconf.proto, global/mail_params.h, tls/tls_misc.c,
+ tls/tls_scache.h, tls/tls_server.c.
+
+20140416
+
+ Cleanup: replace "~0 << positive" with "~0U << positive"
+ even if we use only the lower bytes. Jeffrey Walton. File:
+ util/mask_addr.c.
+
+20140407
+
+ Documentation: the documentation for Postfix > 2.8 TLS
+ activity logging was incorrect. Loglevel 0 produces no
+ logging. Instead, information is logged only with loglevel
+ 1 or higher. Viktor Dukhovni. Files: proto/TLS_README.html,
+ proto/postconf.proto.
+
+20140501
+
+ Cleanup: postscreen_dnsbl_timeout parameter. Files:
+ mantools/postlink, proto/postconf.proto, global/mail_params.h,
+ postscreen/postscreen.c, postscreen/postscreen_dnsbl.c.
+
+ Cleanup: added table search order information to the
+ postconf(5) manpage. File: proto/postconf.proto.
+
+20140505
+
+ Cleanup: added a client port attribute to the policy
+ delegation protocol. Jernej Porenta. File: smtpd/smtpd_check.c.
+
+20140507
+
+ Bugfix (introduced: Postfix 2.11): with connection caching
+ enabled (the default), recipients could be given to the
+ wrong mail server. Root cause: due to an incorrect predicate,
+ the Postfix SMTP client could save and restore plaintext
+ connections that should not be cached, under nonsensical
+ lookup keys that did not distinguish by destination. Problem
+ reported by Sahil Tandon, predicate error found by Viktor,
+ redundant connection restore request eliminated by Wietse.
+ File: smtp/smtp_connect.c.
+
+ Cleanup: the macros that control SMTP connection reuse
+ poorly reflected their purpose. "DEAD" is replaced with
+ "FORBIDDEN" (no I/O allowed) and "BAD" is replaced with
+ "THROTTLED" (anything that causes the queue manager to back
+ off from some destination). Files: smtp.h, smtp_connect.c,
+ smtp_proto.c, smtp_trouble.c.
+
+ Cleanup: enable SMTP connection cache lookup by destination
+ name while a surge of mail dries up. File: smtp_connect.c.
+
+20140505
+
+ Bugfix: the postdrop authorized_submit_users feature requires
+ that lookup table support is initialized so that it can use
+ libglobal or dynamicmaps maps. File: postdrop/postdrop.c.
+
+ Cleanup: moved dynamicmaps initialization from parameter
+ initialization (mail_conf_suck()) to dictionary initialization
+ (mail_dict_init()). A benefit of this is that dynamicmaps.cf
+ is no longer read by programs that don't use Postfix lookup
+ tables. Files: global/mail_conf.[hc], global/mail_dict.c.
+
+ Cleanup: move the mail_dict_init() call after the
+ mail_conf_read() or mail_params_init() call, to prepare for
+ a configurable dynamicmaps.cf directory. Files:
+ master/event_server.c, master/multi_server.c,
+ master/single_server.c, master/trigger_server.c.
+
+20140506
+
+ Cleanup: you can now specify "make makefiles parameter=value"
+ for selected compile-time parameter default overrides. The
+ old "make makefiles 'CCARGS=-DDEF_MUMBLE=\"mumble\"'"
+ approach remains supported. File: makedefs.
+
+20140508
+
+ Cleanup: dynamicmaps.cf is now installed into $daemon_directory
+ because the file is shared among Postfix instances just
+ like postfix-files and other files. Files: conf/dynamicmaps.cf,
+ Makefile.in, conf/postfix-files.
+
+ Cleanup: INSTALL is now plain ASCII instead of README format,
+ to avoid a chicken-and-egg problem (the instructions to
+ print/view README-format files are in the INSTALL file).
+
+ Documentation: updated INSTALL instructions and RELEASE_NOTES.
+
+20140512
+
+ Portability: Berkeley DB6 support. File: util/dict_db.c.
+
+20140514
+
+ Cleanup: replace #ifdef/endif containing hard-coded calls
+ of dynamicmaps functions with an extension mechanism that
+ dynamicmaps functions invoke instead. Files: util/dict.h,
+ util/dict_open.c, global/dynamicmaps.[hc], global/mkmap.h,
+ global/mkmap_open.c.
+
+20140515
+
+ Bugfix (introduced: 20140320): missing initialization.
+ Viktor Dukhovni. File pipe/pipe.c.
+
+ Cleanup: mkmap_open() now caches a dynamically-loaded
+ function. This is useful because postmap/postalias may open
+ the same database type multiple times. Files: global/mkmap.h,
+ global/mkmap_open.c.
+
+ Security: the dynamicmaps.cf file and its and shared-object
+ files must not be writable by non-root users. File:
+ global/dynamicmaps.c.
+
+20140517
+
+ Cleanup: dynamic linking and hooking. Files: util/dict.h,
+ util/load_lib.[hc], global/dynamicmaps.c.
+
+20140518
+
+ Preliminary "make plugins" support. Todo: macros to dynamically
+ remove pluggable maps from compile-time tables in dict_open.c
+ and mkmap_open.c, and from the OBJS lists in Makefile.in.
+
+20140522
+
+ Support for "make shared=yes" and "make dynamicmaps=yes".
+ New plugin_directory parameter for the location of the
+ dynamicmaps.cf file and for plugins with a relative pathname.
+ See RELEASE_NOTES and INSTALL for details. Files: postfix.c,
+ mail_params.[hc], dynamicmaps.c, mail_dict.c, makedefs,
+ postfix-files, dynamicmaps.cf, Makefile.in, util/Makefile.in,
+ global/Makefile.in, postlink, postconf.proto. INSTALL.html,
+ RELEASE_NOTES.
+
+20140523
+
+ Cleanup: don't install plugins for unsupported databases,
+ and don't make dynamicmaps.cf entries for them. Files:
+ makedefs, Makefile.in, util/Makefile.in, global/Makefile.in.
+
+ Cleanup: added support for symlinks where the "source" is
+ specified as a relative pathname. File: postfix-install.
+
+ Cleanup: moved instructions from RELEASE_NOTES to INSTALL
+ to avoid duplication. Files: RELEASE_NOTES, proto/INSTALL.html.
+
+ Cleanup: include <dict_lmdb.h> unconditionally so that
+ dict_lmdb_map_size is always defined. Files: mail_params.c,
+ dict_test.c.
+
+ Cleanup: port for ancient Solaris9 revealed some non-portability.
+ Files: master/Makefile.in, makedefs, sys_defs.h.
+
+20140524
+
+ Cleanup: specify database library dependencies with variables
+ named AUXLIBS_CDB, AUXLIBS_LDAP, etc. The global AUXLIBS
+ variable is still supported, but the new variables are
+ required when building dynamically-loadable building database
+ plugins. Files: RELEASE_NOTES, INSTALL.html, CDB_README.html,
+ LDAP_README.html, LMDB_README.html, MYSQL_README.html,
+ PCRE_README.html, PGSQL_README.html, SQLITE_README.html,
+ makedefs, util/Makefile.in, global/Makefile.in.
+
+ Workaround: reportedly, MacOS can fail to move a symlink
+ with a relative target across file system boundaries, because
+ it examines the symlink with stat() instead of lstat().
+ Files: makedefs, Makefile.in.
+
+ Cleanup: use readlink to verify symlink target. File:
+ postfix-install.
+
+20140528
+
+ Cleanup: the configuration file dynamicmaps.cf will now
+ automatically include files under the directory dynamicmaps.cf.d,
+ just like the configuration file postfix-files will
+ automatically include files under the directory postfix-files.d.
+ See INSTALL section "Building with Postfix shared libraries
+ and database plugins". File: dynamicmaps.c.
+
+20140530
+
+ Cleanup: add shlib_directory and plugin_directory to the
+ postmulti-script list of shared parameters. Viktor Dukhovni.
+ File: postmulti-script.
+
+ Cleanup: to avoid "postfix set-permission" errors, don't
+ create postfix-files entries for non-existent database
+ plugins. Problem reported by Viktor. File: Makefile.in.
+
+ Bugfix: we can't use "mv" to replace a symlink-to-directory.
+ Instead we now create all symlinks in place. Unfortunately
+ the "ln -n" option is not universally implemented, so we
+ remove the old symlink first. Problem reported by Viktor.
+ File: postfix-install.
+
+20140603
+
+ Cleanup: use the OpenSSL session id accessor (available
+ since OpenSSL 0.9.8 or so) instead of groping a session
+ object directly. Viktor Dukhovni. File: tls_server.c.
+
+20140605
+
+ Feature: the pipe(8) daemon logs some command output after
+ successful delivery as "dsn=2.0.0, status=sent (delivered
+ via XXX service (YYY))" where XXX is the master.cf service
+ name, and YYY is command output. Files: pipe/command.c,
+ pipe.c.
+
+20140613
+
+ Feature: the "pipeline" table implements a table pipeline.
+ Example "pipeline:!type_1:name_1!...!type_n:name_n". The
+ ASCII character after "pipeline:" will be used as the
+ separator between the lookup tables that follow (do not use
+ space, ",", ":" or non-ASCII). Each "pipeline:" query is
+ given to the first table. Each lookup result becomes the
+ query for the next table in the pipeline, and the last table
+ produces the final result. When any table lookup produces
+ no result, the pipeline produces no result. Files:
+ dict_pipe.[hc], dict_open.c, postlink, DATABASE_README.html,
+ postconf.c.
+
+20140617
+
+ Feature: the "random" table performs random selection.
+ Example: "random:!result_1!...!result_n". Each table query
+ returns a random choice from the specified results. The
+ ASCII character after "random:" will be used as the separator
+ between the results that follow (do not use space, ",", ":"
+ or non-ASCII). Files: dict_random.[hc], dict_open.c,
+ postlink, DATABASE_README.html, postconf.c.
+
+20140618
+
+ Cleanup: INFO action in access(5) tables, for consistency
+ with header/body_checks. Viktor Dukhovni. Files:
+ smtpd/smtpd_check.c, proto/access.
+
+20140619
+
+ Cleanup: process LaMont Jones feedback for shared-library
+ and database-plugin builds. Changes: 1) move non-executable
+ files from $daemon_directory to the default $config_directory
+ (postfix-files*, dynamicmaps.cf*, main.cf.proto/master.cf.proto
+ for multi-instance support); 2) add foo.so -> foo.so.version
+ symlinks; 3) change $shlib_directory and $plugin_directory
+ defaults to /usr/lib/postfix to reduce sprawl. Files:
+ conf/main.cf.proto, conf/master.cf.proto, conf/postfix-files.proto,
+ conf/post-install, conf/postmulti-script, makedefs,
+ postfix-install, proto/INSTALL.html, global/dynamicmaps.c,
+ global/dynamicmaps.h, global/mail_dict.c, global/mail_params.h,
+ postmulti/postmulti.c.
+
+ Bugfix (introduced: 2001): qmqpd null pointer bug when it
+ logs a lost connection while not in a mail transaction.
+ Reported by Michal Adamek. File: qmqpd/qmqpd.c.
+
+ Cleanup: filter non-printable characters in X509 subject
+ or issuer names. Viktor Dukhovni. File: tls/tls_server.c.
+
+20140620
+
+ Cleanup: for compliance with file system policies, some
+ files have been moved from $daemon-directory to the directory
+ specified with the new meta_directory parameter which has
+ the same default value as config_directory. This change
+ affects non-executable files that are shared among multiple
+ Postfix instances, such as postfix-files, dynamicmaps.cf,
+ and multi-instance template files.
+
+ For backwards compatibility with Postfix 2.6..2.11, specify
+ "meta_directory = $daemon_directory" in main.cf before
+ installing Postfix, or specify "meta_directory = /path/name"
+ on the "make makefiles", "make install" or "make upgrade"
+ command line.
+
+ Files: Makefile.in, RELEASE_NOTES, conf/post-install,
+ conf/postfix-files.proto, conf/postmulti-script, makedefs,
+ mantools/postlink, postfix-install, proto/INSTALL.html,
+ proto/postconf.proto, global/mail_params.c, global/mail_params.h,
+ postfix/postfix.c, postmulti/postmulti.c.
+
+ Feature: check_xxx_a_access (for xxx in client, reverse_client,
+ helo, sender, recipient) implements access control on all
+ A and AAAA IP addresses for the client hostname, helo
+ parameter, sender domain or recipient domain. Some spam has
+ sender domains with the same IP address but different MX
+ hosts. Files: global/mail_params.h, smtpd/smtpd_check.c,
+ proto/postconf.proto.
+
+20140622
+
+ Cleanup: eliminated plugin_directory to reduce configuration
+ parameter sprawl. Files: Makefile.in, RELEASE_NOTES,
+ conf/post-install, conf/postfix-files.proto, conf/postfix-script,
+ conf/postmulti-script, makedefs, mantools/postlink,
+ postfix-install, proto/INSTALL.html, proto/postconf.proto,
+ global/Makefile.in, global/mail_dict.c, global/mail_params.c,
+ global/mail_params.h, global/mail_version.h, postfix/postfix.c,
+ postmulti/postmulti.c, smtpd/smtpd_check.c, util/Makefile.in.
+
+20140623
+
+ Cleanup: eliminated the use of Postfix release versions as
+ file name suffixes for shared libraries, database plugins
+ and dynamicmaps.cf. The shared-library version suffixes
+ were fighting against assumptions and conventions in run-time
+ linkers, including the assumption that ABIs are preserved
+ from one version to the next. The Postfix version can now
+ be embedded in the shlib_directory parameter. As this is
+ sufficient to permit upgrade of a running Postfix system
+ without risking that old binaries will link against newer
+ shared objects, we no longer need a version suffix for
+ dynamicmaps.cf. Files: Makefile.in, RELEASE_NOTES,
+ conf/postfix-files.proto, makedefs, proto/INSTALL.html,
+ proto/postconf.proto, global/mail_params.h, global/mail_version.h,
+
+20140624
+
+ Cleanup: the commands "make (makefiles|install|upgrade|package)
+ parameter=value" now replace the string MAIL_VERSION in a
+ configuration parameter value with the Postfix release
+ version. Unfortunately, the more obvious approach, a
+ parameter value with the unexpanded '$mail_version', produces
+ inconsistent results with different make implementations.
+ Files: makedefs, Makefile.in, postfix-install, proto/INSTALL.html,
+ proto/PACKAGE_README.html
+
+ Cleanup: postmulti now requires "postmulti -e init" before
+ accepting other multi-instance requests. Viktor Dukhovni.
+ File: conf/postmulti-script.
+
+20140625
+
+ Kludge: moved dict_db_cache_size away from dict_db.c in
+ preparation for Berkeley DB database plugin support (a
+ similar kludge was implemented for LMDB). Files:
+ util/dict_db.[hc], util/dict_test.c, global/mail_params.c.
+
+ Cleanup: don't leak build directory information via SHLIB_ENV
+ in makedefs.out. Files: Makefile.in, conf/postfix-files.
+
+20140626
+
+ Cleanup: construction debris. Files: Makefile.in,
+ conf/postfix-script.
+
+ Cleanup: replace the result of MAIL_VERSION expansion with
+ $mail_version in main.cf installation parameter settings,
+ to permit safe upgrade of a running mail system. File:
+ postfix-install.
+
+ Cleanup: replace the result of MAIL_VERSION expansion with
+ $mail_version in built-in default installation parameter
+ settings, for consistency with main.cf. File: makedefs,
+ postfix-install, conf/post-install.
+
+ Cleanup: removed $mail_version from the default shlib_directory
+ value. Files: global/mail_params.h, proto/INSTALL.html.
+
+ Cleanup: in postfix-script, use find instead of ls to
+ determine permissions or ownership, and group some checks
+ with "pathname/." and "pathname/*" into one. Downside:
+ more warnings will now have "/./" in the middle of a pathname.
+ File: conf/postfix-script.
+
+ Cleanup: need to evaluate mail_version before evaluating
+ parameters that may contain $mail_version. File:
+ global/mail_params.c.
+
+ Cleanup: the postmulti command now exercises the postconf
+ "-x" option to expand $parameter_name in secondary-instance
+ parameter values. File: postmulti/postmulti.c.
+
+ Cleanup: post-install also needed to replace the result of
+ MAIL_VERSION expansion with $mail_version, for the same
+ reasons as postfix-script. Viktor Dukhovni. File:
+ conf/post-install.
+
+20140627
+
+ Bugfix (introduced: 20140626) broken build and broken install
+ with default shlib_directory. Files: makedefs.
+
+ Bugfix (introduced: 20140627) "make install" stopped with
+ a bogus error when there was no real "make install name=value"
+ parameter override. Files: conf/post-install.
+
+ Cleanup: support MAIL_VERSION magic (see INSTALL) only at
+ the end of a parameter value. Files: proto/INSTALL.html
+ makedefs, postfix-install, conf/postfix-files.
+
+ Cleanup: use ${mail_version} as the MAIL_VERSION-unexpanded
+ form. Viktor Dukhovni. Files: makedefs, postfix-install,
+ conf/postfix-files.
+
+20140630
+
+ Cleanup: the pipeline and random lookup tables are now
+ called pipemap and randmap, respectively. These names are
+ more specific. The old names remain available, at least
+ temporarily. Files: util/dict_pipe.[hc], util/dict_random.[hc],
+ postconf/postconf.c, mantools/postlink, proto/DATABASE_README.html.
+
+ Feature: smtpd_policy_service_request_limit to limit the
+ number of requests per Postfix SMTP server policy connection.
+ This is a workaround to avoid error-recovery delays with
+ policy servers that cannot maintain a persistent connection.
+ Based on code by Markus Benning. Files: global/mail_params.h,
+ mantools/postlink, proto/SMTPD_POLICY_README.html,
+ proto/postconf.proto, smtpd/smtpd.c, smtpd/smtpd_check.c,
+ util/attr_clnt.[hc].
+
+20140701
+
+ Cleanup: documented how Postfix maintains dictionary
+ provenance. Provenance matters: for example, the owner UID
+ of an aliases(5) database file determines the execution
+ privileges for delivery to |command or /file/name. Refined
+ the algorithm that computes the provenance of a pipemap,
+ based on the provenance of its constituent lookup tables.
+ Files: util/dict.[hc], util/dict_pipe.c.
+
+ Cleanup: made mail_spool_directory configurable with "make
+ makefiles mail_spool_directory=/path/name". This allows
+ Postfix to be built without any pathnames that reference
+ system directories. This is useful for testing and sandboxing.
+ Files: global/mail_params.h, makedefs.
+
+ Cleanup: configurable attr_clnt(3) retry strategy (try limit
+ and retry delay). Files: util/attr_clnt.[hc].
+
+ Feature: control over SMTPD policy lookup error handling:
+ smtpd_policy_service_try_limit, smtpd_policy_service_retry_delay,
+ smtpd_policy_service_default_action determine how many times
+ to try to send a policy request before giving up, the delay
+ before resending a failed policy request, and a default
+ action when giving up. The defaults are backwards-compatible.
+ Files: global/mail_params.h, mantools/postlink,
+ proto/postconf.proto, smtpd/smtpd.c, smtpd/smtpd_check.c.
+
+20140709
+
+ Cleanup: bitrot in unused function. File: global/defer.c.
+
+ Cleanup: add SYSLIBS minus static libraries while building
+ Postfix shared-library objects. Files: makedefs, util/Makefile.in,
+ global/Makefile.in, dns/Makefile.in, master/Makefile.in/.
+
+20140708
+
+ Bugfix (introduced 20140701): did not restore jumpbuf while
+ evaluatingsmtpd_policy_service_default_action. Viktor
+ Dukhovni. File: smtpd/smtpd_check.c.
+
+ Feature: VERY PRELIMINARY support for SMTPUTF8 based on an
+ initial implementation by Arnt Gulbrandsen, funded by CNNIC.
+ This implements the syntax of SMTP commands and DSN delivery
+ status notifications. It does not address the problem that
+ the same domain name may show up in different forms: an
+ UTF8-encoded name with non-ASCII characters, or an IDNA-encoded
+ (xn--mumble) name with ASCII-only characters. This means
+ that access policies, mydestination, virtual_*_domains and
+ relay_domans will have to understand both forms in order
+ to provide complete coverage. For now, SMTPUTF8 support
+ must not be enabled except for testing.
+
+20140710
+
+ Portability: add '-Wl,--enable-new-dtags' to the linker
+ command line with building with Postfix shared libraries
+ on Linux. Viktor Dukhovni. file: makedefs.
+
+20140711
+
+ Background: What is SMTPUTF8 autodetection? Postfix cannot
+ rely solely on the sender's declaration that a message
+ requires SMTPUTF8 support, because UTF8 may be introduced
+ during local processing (for example, the client hostname
+ in Postfix's Received: header, adding @$myorigin or .$mydomain
+ to an incomplete address, address rewriting, alias expansion,
+ automatic BCC recipients, local forwarding, and modifications
+ made by header checks or Milter applications). This means
+ that some form of autodetection is needed that a message
+ requires SMTPUTF8 support.
+
+ Cleanup: don't try to distinguish between UTF that is already
+ present in a message or envelope, and UTF8 that is introduced
+ during local processing (see above). Maintaining this
+ distinction is too problematic.
+
+ Cleanup: mailing list friendliness. Allow delivery of
+ SMTPUTF8 mail to non-SMTPUTF8 servers when a message has
+ no UTF8 headers, no UTF8 envelope sender, and when the
+ specific delivery request contains no UTF8 envelope recipient.
+ This is needed for mailing lists that may have a mix of
+ UTF8 and non-UTF8 subscriber addresses. File: global/smtputf8.h,
+ smtp/smtp_proto.c.
+
+ Cleanup: moved all SMTPUTF8 detection to the cleanup server,
+ so that it can apply equally to sendmail command-line
+ submission, forwarded mail, postmaster notifications,
+ delivery status notifications, mail received with the qmqpd
+ server, address verification probes, as well as UTF8
+ introduced during local processing (see above). Files:
+ cleanup/cleanup_out.c, cleanup/cleanup_addr.c.
+
+ Cleanup: store the SMTPUTF8 message (i.e. non-recipient)
+ flags in the first queue file record, so that the queue
+ manager can find the information without having to read
+ every queue file record. Files: cleanup/cleanup_final.c,
+ *qmgr/qmgr_message.c.
+
+20140713
+
+ Interoperability: new parameter smtputf8_autodetect_classes
+ for selective autodetection that a message requires UTF8SMTP
+ support. During the initial SMTPUTF8 rollout, this is limited
+ by default to Postfix sendmail command-line submissions and
+ address verification probes. Sites that introduce UTF8
+ during local processing (see above) will have to enable
+ SMTPUTF8 autodetection for all mail sources. This feature
+ shares infrastructure with the older internal_filter_classes
+ feature. Files: bounce/bounce_notify_service.c,
+ bounce/bounce_notify_verp.c, bounce/bounce_one_service.c,
+ bounce/bounce_trace_service.c, bounce/bounce_warn_service.c,
+ global/int_filt.c, global/mail_proto.h, global/smtputf8.c,
+ local/forward.c, pickup/pickup.c, qmqpd/qmqpd.c, smtp/smtp_chat.c,
+ smtpd/smtpd.c, smtpd/smtpd_chat.c, verify/verify.c.
+
+ Feature: preliminary message/global support. This does not
+ yet parse encoded message/global (such as message/global
+ sent through an non-8BITMIME system). Such mail cannot yet
+ be inspected with header_checks. File: global/mime_state.c.
+
+20140714
+
+ Cleanup: update the "smtputf8" delivery request flags when
+ VERP expansion causes an UTF8 recipient address to appear
+ in the envelope sender address. Files: *qmgr/qmgr_deliver.c.
+
+ Cleanup: emit the correct content transfer encoding name
+ when downgrading message/global as quoted-printable. File:
+ global/mime_state.c.
+
+ Cleanup: generate a bounce message with MIME type *global*
+ only when the original message requested SMTPUTF8 support.
+ File: bounce/bounce_notify_util.c.
+
+ Cleanup: propagate the "SMTPUTF8 support requested" flag
+ when bouncing a message or when forwarding a message through
+ a local alias or .forward file. Files: local/forward.c,
+ bounce/bounce_notify_util.c, src/global/post_mail.[hc], and
+ specify a dummy argument SMTPUTF8_FLAGS_NONE in all other
+ programs that programs that invoke post_mail_fopen*(),
+
+20140715
+
+ Cleanup: change extract_addr() API to indicate that an
+ address is parsed in SMTPUTF8 context. File: smtpd/smtpd.c.
+
+ Cleanup: shared-library build fixes. Viktor Dukhovni. Files:
+ makedefs, dns/Makefile.in, global/Makefile.in, master/Makefile.in,
+ tls/Makefile.in, util/Makefile.in.
+
+ First general release with SMTPUTF8 support; see RELEASE_NOTES
+ for an initial writeup. The last pre-SMTPUTF8 release is
+ snapshot 20140713.
+
+20140716
+
+ Paranoia: validate UTF8 before exposing it to libicuuc.
+ File: util/midna.c.
+
+ Typo: Postfix did not warn when smtputf8_enable=yes while
+ UTF-8 support is not compiled in. File: global/mail_params.c.
+
+ Cleanup: hard-coded GCC dependencies. Eray Aslan. File:
+ makedefs.
+
+20140717
+
+ Safety: manipulate unsigned characters while decoding.
+ Files: global/xtext.c, global/uxtext.c.
+
+ Infrastructure: ACE label to UTF-8 conversion. Files:
+ util/midna.[hc].
+
+ Infrastructure: macro expansion with printable() filter.
+ Files: util/mac_expand.[hc].
+
+ Feature: when expanding myhostname or mydomain in bounce
+ template messages, and smtputf8_enable=yes, convert ACE
+ (xn--mumble) labels into UTF-8. bounce/bounce_template.c.
+
+20140720
+
+ Cleanup: charset selection and content-transfer encoding
+ in bounce messages (work in progress). The proper solution
+ requires separate handling of the returned-message MIME
+ properties and of the (boiler-plate text, delivery status)
+ MIME properties. File: bounce/bounce_notify_util.c.
+
+20140722
+
+ Documentation: the TLS_README example for creating a
+ self-signed certificate was incomplete. Also, added
+ "smtp_tls_loglevel = 1" and "smtpd_tls_loglevel = 1" settings
+ to cookbook recipes, so that TLS handshake results will be
+ logged. Viktor Dukhovni. File: proto/TLS_README.html.
+
+ Documentation: update Perl MIME::Base64 example. File:
+ proto/SASL_README.html.
+
+ Documentation: update pointer to Bennett Todd's SMTP proxy.
+ File: proto/SMTPD_PROXY_README.html.
+
+20140725
+
+ Documentation: describe what features are controlled by
+ parent_domain_matches_subdomains, both in the description
+ of the controlled feature, and in the description of
+ parent_domain_matches_subdomains. File: proto/postconf.proto.
+
+ Cleanup: smtpd_client_event_limit_exceptions is now controlled
+ with parent_domain_matches_subdomains, with backwards-compatible
+ default (specify .example.com in order to match subdomains
+ of example.com). Files: smtpd/smtpd.c.
+
+ Documentation: SMTPUTF8_README, an updated version of text
+ that was originally part of the RELEASE_NOTES file. Files:
+ proto/SMTPUTF8_README.html, proto/Makefile.in, html/index.html.
+
+20140731
+
+ Feature: the Postfix SMTP server now logs at the end of a
+ session how many times each SMTP command was successfully
+ invoked, followed by the total number of invocations if it
+ is different. File: smtpd/smtpd.c.
+
+20140802
+
+ Workaround: detect mis-configuration where Postfix talks
+ to the Dovecot master socket instead of the Dovecot userdb
+ socket. Timo Sirainen. File: xsasl/xsasl_dovecot_server.c.
+
+20140904
+
+ Logging: the MySQL client now logs a warning when a match
+ against the "domain" list fails due to table lookup error
+ (the underlying mechanism already logs a warning, but it
+ has less context information). File: global/dict_mysql.c.
+
+20140907
+
+ Feature: with "confirm_delay_cleared = yes", Postfix informs
+ the sender when delayed mail leaves the queue. This can
+ result in a sudden burst of notifications at the end of a
+ prolonged network outage, and is therefore disabled by
+ default. Files: mantools/postlink, proto/postconf.proto,
+ global/deliver_request.h, global/mail_params.h, global/sent.c,
+ *qmgr/qmgr.c, *qmgr/qmgr_active.c, *qmgr/qmgr_message.c.
+
+20140908-14
+
+ Feature: for the first time in 17 years, support for
+ ${name?if-nonempty:if-empty} macro expressions, and for
+ logical expressions ${logical-expr?if-true:if-false}. In
+ preparation for configurable message headers and logging.
+ Files: util/mac_expand.c.
+
+20140914
+
+ Bugfix (introduced: 19971026): a zero precision value in
+ %.*s and $.<digits>s was implemented as if no precision
+ value was specified, i.e. print the entire string. This was
+ not harmful, it just looked weird. File: util/vbuf_print.c.
+
+20140917
+
+ Feature: RFC 7372 enhanced status code for unknown SMTP
+ client hostnames. File: smtpd/smtpd_check.c
+
+ Bugfix: the accept() calls in test progams escaped attention
+ when Postfix 2.2 was ported to IPv6. Problem found by Mark
+ Martinec. Files: smtpstone/smtp-sink.c, smtpstone/qmqp-sink.c.
+
+20140918
+
+ Cleanup: log a warning when the cleanup server detects too
+ many hops. smtpd(8) does not log any of the CLEANUP_STAT_XXX
+ results. The pickup server logs some because there is no
+ client to send the problem description to. This logic of
+ who logs what needs to be revisited. File:
+ cleanup/cleanup_message.c.
+
+20140919
+
+ Usability: randmap and pipemap syntax, for example,
+ pipemap:{type_1:name_1, ..., type_n:name_n}. This required
+ small updates to code that parses input into lookup table
+ names. Files: global/data_redirect.c, global/maps.c,
+ global/server_acl.c, postconf/postconf.c, postconf/postconf_dbms.c,
+ postconf/test58.ref, proto/DATABASE_README.html,
+ proxymap/proxymap.c, smtpd/smtpd_check.c, util/argv.h,
+ util/balpar.c, util/dict_pipe.c, util/dict_random.c,
+ util/match_list.c, util/mystrtok.c, util/argv_splitq.c,
+ util/stringops.h.
+
+ Cleanup: added PRINTFLIKE() to enable missing format string
+ checks. Files: bounce/bounce_template.h, global/memcache_proto.h,
+ global/dict_memcache, postconf/postconf.h, util/dict.h,
+ util/msg.h.
+
+20140920
+
+ Bugfix (introduced: 20080212): incorrect client name in
+ reject messages from check_reverse_client_hostname_access
+ and check_reverse_client_hostname_{a,mx,ns}_access. They
+ replied with the verified client name, instead of the name
+ that was rejected. Problem reported by Reindl Harald. File:
+ smtpd/smtpd_check.c.
+
+20140921
+
+ Cleanup: postconf code to determine the default mydomain
+ value had not evolved since 1997, while the rest of Postfix
+ changed in 2000. File: postconf/postconf-dbms.c.
+
+20140922
+
+ Cleanup: the confirm_delay_cleared feature now sends no
+ notification when the sender requests NOTIFY options that
+ do not include NOTIFY=DELAY. Files: global/deliver_request,h,
+ global/sent.c, *qmgr/qmgr_active.c, *qmgr/qmgr_message.c.
+
+ Bugfix (introduced: yesterday): missing print arguments.
+ File: postconf/postconf_dbms.c.
+
+ Cleanup: simplified "nested" lookup table checks.
+
+ Cleanup: replace stress-dependent main.cf defaults with the
+ ternary form: "${stress?{x}:{y}}" File: global/mail_params.h,
+ proto/postconf.proto, postscreen/postscreen.c (comments).
+
+20140923
+
+ Cleanup: dict_db and dict_lmdb global settings. Files:
+ global/mail_params.c, util/dict_open.c.
+
+ Feature: unionmap, based on contribution by Roel van Meer.
+ Files: mantools/postlink, postconf/postconf.c (manpage),
+ proto/DATABASE_README.html, util/dict_open.c, util/dict_union.[hc].
+
+20140924
+
+ Bugfix (introduced: 20060117): the escape function didn't
+ correctly convert non-ASCII. File: util/unescape.c.
+
+ Bugfix (introduced: 201407): missing conversions for non-ASCII
+ domain names in permit_mx_backup, check_mumble_{a,mx,ns}_access
+ and reject_unknown_{sender,recipient}_domain. Mark Martinec.
+ File: smtpd/smtpd_check.c.
+
+20140925
+
+ Cleanup: support for per-Milter settings, for example:
+ smtpd_milters = {inet:host:port, default_action=accept,
+ ...}. Specify the Milter endpoint address followed by zero
+ or more attribute=value pairs separated by comma or space.
+ The supported attributes are command_timeout, connect_timeout,
+ content_timeout, default_action, and protocol. These have
+ the same names as the corresponding main.cf parameters,
+ minus the "milter_" prefix. Files: global/mail_conf_over.c,
+ global/mail_conf_str.c, global/mail_conf_time.c,
+ global/mail_conf.h, milter/milters.c.
+
+20140927
+
+ Cleanup: specify { name = value } in per-Milter settings,
+ to support space around the "=" or comma/space within the
+ value. Files: global/attr_over.[hc].
+
+ Cleanup: "postconf -n" now only shows config_directory when
+ an override is in effect (environment, -c or -o).
+
+ Cleanup: support for master.cf arguments inside {}, to
+ protect arguments that contain whitespace. File:
+ master/master_ent.c, postconf/postconf_master.c,
+ postconf/test59.ref.
+
+ Cleanup: support for per-policy client settings, for example:
+ check_policy_service {inet:host:port, default_action=dunno,
+ timeout=50s, ...}. Specify the policy server endpoint address
+ followed by zero or more attribute=value pairs separated
+ by comma or space. Specify { name = value } for attributes
+ that contain whitespace; otherwise, space is not allowed
+ around the "=". The supported attributes are default_action,
+ max_idle, max_ttl, request_limit, retry_delay, timeout, and
+ try_limit. These have the same names as the corresponding
+ main.cf parameters, minus the "smtpd_policy_service_" prefix.
+ Files: global/mail_conf_int.c, global/mail_conf.h,
+ global/attr_override.[hc], smtpd/smtpd_check.c.
+
+20140928
+
+ Cleanup: extpar.c module to reduce code duplication. Files:
+ global/attr_override.c, master/master_ent.c, milter/milter.c,
+ postconf/postconf_dbms.c, postconf/postconf_master.c,
+ smtpd/smtpd_check.c, util/extpar.c, util/stringops.h.
+
+ Cleanup: the table-driven code for per-Milter and per-policy
+ overrides now updates stack-based variables, instead of
+ (ugh) statically-allocated variables. Files:
+ global/attr_override.[hc], smtpd/smtpd_check.c, milter/milter.c.
+
+ Documentation: added advanced configuration sections for
+ how to use per-Milter and per-policy settings. Files:
+ proto/SMTPD_POLICY_README.html, proto/MILTER_README.html.
+
+ Cleanup: force LANG=C to prevent groff from outputting
+ non-ASCII cruft into the HTML-ized manpages. Files:
+ html/Makefile.in, proto/Makefile.in, many HTML output files.
+
+20140929
+
+ Cleanup: the table-driven code for per-Milter and per-policy
+ overrides now updates arbitrary variables, so that it can
+ also be used for, say, TLS policies. Files:
+ global/attr_override.[hc], smtpd/smtpd_check.c, milter/milter.c.
+
+ Documentation: support for "{ argument with whitespace }"
+ in master(5) and pipe(8). Files: proto/master, src/pipe/pipe.c.
+
+ Documentation: in ADDRES_VERIFY_README, replaced "nearest
+ MTA" with "preferred MTA". The SMTP client was changed years
+ ago to try alternate MXes after a 4XX SMTP server response.
+ File: proto/ADDRES_VERIFY_README.html.
+
+20141001
+
+ Safety: backwards-compatibility safety net that forces
+ Postfix to run with backwards-compatible default settings
+ after an upgrade to a newer Postfix version. Postfix logs
+ all uses of those backwards-compatible default settings so
+ that the system administator can determine whether or not
+ some backwards-compatible default settings need to be made
+ permanent in main.cf or master.cf. All this is controlled
+ with a new compatibility_level parameter, default value 0.
+ Files: global/mail_params.[hc], trivial-rewrite/rewrite.c,
+ master/master_ent.c, smtpd/smtpd.c, postfix/postfix.c.
+
+ New defaults for master.cf chroot (n), append_dot_mydomain
+ (no) and smtputf8_enable (yes). File: global/mail_params.h,
+ global/mail_params.c, smtp/smtp.c (manpage), smtpd/smtpd.c
+ (manpage), trivial-rewrite/trivial-rewrite.c.
+
+ Simple relational expression evaluator so that main.cf
+ defaults can be made dependent on comparisons with the
+ compatibility_level parameter value. File: util/mac_expand.c.
+
+ Bugfix: do not reset the mail transaction after receiving
+ a non-ASCII recipient. File: smtpd/smtpd.c.
+
+20141002
+
+ Cleanup: moved the details of BC safety-net messages from
+ RELEASE_NOTES to postconf(5) manpage, and changed the wording
+ of the BC messages. Files: RELEASE_NOTES, proto/postconf.proto,
+ master/master_ent.c, smtpd/smtpd.c, trivial-rewrite/rewrite.c.
+
+20141003
+
+ Workaround: kludge for multiple paragraphs of text in
+ indented paragraphs. Files: mantools/postconf2html,
+ mantools/postconf2man, proto/Makefile.in, proto/postconf.proto
+
+20141005
+
+ Cleanup: CHARSET_COMMA_SP, CHARSET_SPACE and CHARSET_BRACE
+ to prepare for the elimination of ad-hoc string constants.
+ File: util/sys_defs.h.
+
+ Cleanup: allow "{ name=value }" to protect whitespace in
+ import_environment and export_environment. Files:
+ proto/postconf.proto, global/mail_parm_split.c, global
+ /mail_parm_split.h, global/mail_stream.c, local/command.c,
+ master/master.c, pipe/pipe.c, postdrop/postdrop.c,
+ postfix/postfix.c, postmulti/postmulti.c, postqueue/postqueue.c,
+ spawn/spawn.c.
+
+20141006
+
+ Backwards compatibility: log a helpful message when "localhost"
+ is missing from mydestination. Files: trivial_rewrite/rewrite.c,
+ trivial_rewrite/resolve.c, trivial-rewrite/trivial-rewrite.h,
+ proto/postconf.proto.
+
+ Cleanup: message_drop_header for configurable header dropping
+ (default: bcc, content-length, resent-bcc, return-path).
+ The list of supported header names covers RFC 5321, 5322,
+ MIME RFCs, and some historical names. File: global/header_opts.c,
+ global/mail_params.[hc], cleanup/cleanup.c (manpage),
+ proto/postconf.proto, mantools/postlink.
+
+20141008
+
+ New defaults: "relayhost=" and "mynetworks_style = host",
+ plus a backwards-compatibility safety net that warns when
+ the change in defaults could result in rejection of mail
+ (with mynetworks_style this requires that Postfix evaluates
+ both old and new default values). Files: proto/postconf.proto,
+ global/flush_clnt.c, global/mail_params.c, global/mail_params.h,
+ global/mynetworks.c, global/mynetworks.h, global/server_acl.c,
+ postconf/postconf_builtin.c, smtpd/smtpd.c, smtpd/smtpd_check.c.
+
+20141009
+
+ Documentation: moved the gory details from postconf(5) to
+ a new COMPATIBILITY_README document. Files: proto/postconf.proto,
+ proto/COMPATIBILITY_README.html html/index.html.
+
+ Documentation: update the conf/main.cf compatibility_level
+ setting for new Postfix installs, and updated a reminder
+ in mail_params.h.
+
+20141010
+
+ Cleanup: make "const char myname[]" declarations static.
+ global/attr_override.c, global/bounce.c, global/dsn_filter.c,
+ global/dynamicmaps.c, global/mkmap_open.c, global/smtputf8.c,
+ smtp/smtp_key.c, smtpd/smtpd_check.c, util/dict_pipe.c,
+ util/dict_union.c, util/mac_expand.c, util/midna.c,
+ util/valid_utf8_hostname.c.
+
+ Documentation: summarize the user-specified "make makefiles"
+ settings at the top of makedefs.out. This file now has so
+ many internal variables that people would get lost.
+
+20141011
+
+ Cleanup: replaced cryptic macros X_SMTP() and SMTP_X() with
+ more descriptive names: LMTP_SMTP_SUFFIX() and VAR_LMTP_SMTP().
+ Files: smtp/smtp.c, smtp/smtp.h, smtp/smtp_chat.c,
+ smtp/smtp_connect.c, smtp/smtp_proto.c, smtp/smtp_sasl_glue.c,
+ smtp/smtp_sasl_proto.c, smtp/smtp_tls_policy.c.
+
+20141012
+
+ Cleanup: missing format-string checks. Files: master/master_ent.c,
+ posttls-finger/posttls-finger.c, smtpd/smtpd_proxy.c.
+
+ Bugfix (introduced: Postfix 2.3): the PREPEND access/policy
+ action added headers ABOVE Postfix's own Received: header,
+ exposing Postfix's own Received: header to Milters (protocol
+ violation) and hiding the PREPENDed header from Milters.
+ The latter caused problems for DMARC implementations with
+ SPF policy plus DKIM Milter. PREPENDed headers are now
+ added BELOW Postfix's own Received: header and remain visible
+ to Milters. File: smtpd/smtpd.c.
+
+20141013
+
+ Cleanup: configuration file line numbers in error/warning
+ messages could point to comment lines before or after the
+ problem. Files: util/readlline.[hc], master/master_ent.c,
+ postalias/postalias.c, postmap/postmap.c, util/dict.c,
+ util/dict_cidr.c, util/dict_pcre.e, util/dict_regexp.c,
+ util/dict_thash.c, postconf/postconf_master.c.
+
+20141014
+
+ Portability: Darwin 11.x needs to link with -lresolv. Viktor
+ Dukhovni. File: makedefs.
+
+ Documentation: ICU (unicode) library package names. File:
+ proto/SMTPUTF*_README.html.
+
+20141015
+
+ Cleanup: master.cf line number reporting made more consistent
+ with similar code elsewhere. File: master/master_ent.c.
+
+ Backed out SMTP client TLS fallback due to multiple problems.
+
+20141018
+
+ Bugfix (introduced: Postfix 2.3): when a Milter inserted a
+ header ABOVE Postfix's own Received: header, Postfix would
+ expose its own Received: header to Milters (violating
+ protocol) and hide the Milter-inserted header from Milters
+ (wtf). Files: cleanup/cleanup.h, cleanup/cleanup_message.c,
+ cleanup/cleanup_state.c, milter/milter.[hc], milter/milter8.c.
+
+ Cleanup: revert the workaround that places headers inserted
+ with PREPEND actions or policy requests BELOW Postfix's own
+ Received: message header. File: smtpd/smtpd.c.
+
+20141019
+
+ Cleanup: replace dozens and dozens of ad-hoc string constants
+ with CHARS_SPACE, CHARS_COMMA_SP, and CHARS_BRACE. Files:
+ 52, too many files to mention here.
+
+ Bugfix: the recently-introduced randmap, pipemap, and
+ unionmap did not check for all possible forms of "empty
+ list". Files: util/dict_random.c, util/dict_pipe.c,
+ util/dict_union.c.
+
+ Documentation: word smithing. File: proto/master.
+
+ Cleanup: the last remaining remnants of the withdrawn
+ smtp_tls_fallback_level feature. Files: mantools/postlink,
+ global/mail_params.h.
+
+20141021
+
+ Per IETF TLS WG consensus, the tls_session_ticket_cipher
+ default setting was changed from aes-128-cbc to aes-256-cbc.
+ Take that, you quantum computer attackers! Viktor Dukhovni.
+ Files: proto/postconf.proto, global/mail_params.h.
+
+20141024
+
+ Cleanup: added $smtpd_mumble_restrictions to the proxy_read_maps
+ default setting. File: global/mail_params.h.
+
+ Documentation: different header/body checks for MX service
+ and SMTP submissions. File: proto/BUILTIN_FILTER_README.html.
+
+ Cleanup: don't send "bare" original recipient in SMTP DSN
+ attributes. File: cleanup/cleanup_addr.c.
+
+ Feature: smtp-sink -N option to suppress DSN announcement.
+ File: smtpstone/smtp-sink.c.
+
+20141025
+
+ Bugfix (introduced: Postfix 2,11): core dump when
+ smtp_policy_maps specifies an invalid TLS level. Viktor
+ Dukhovni. File: smtp/smtp_tls_policy.c.
+
+20141103
+
+ Logging: when a connection is closed, log the request counts
+ for unimplemented STARTTLS or AUTH commands separately,
+ instead of logging such commands as "unknown". File:
+ smtpd/smtpd.c.
+
+20141106
+
+ Cleanup: set errno to ETIMEDOUT after postscreen handshake
+ timeout event, so that warnings report the correct error.
+ File: tlsproxy/tlsproxy.c.
+
+20141112
+
+ Documentation: 24 identical typos. File: proto/postconf.proto.
+
+ Workaround: support space after "MAIL FROM:" and "RCPT TO:"
+ in smtpd_command_filter examples. Reportedly, cashedge.com's
+ software (used by banks) needs this (source: Claus Assmann).
+ File: proto/postconf.proto.
+
+20141117
+
+ Cleanup: use ~0U instead of (unsigned) -1. Based on
+ complaints from the BEAM static analyzer. Files:
+ global/mynetworks.c, postconf/postconf.c, util/cidr_match.c.
+
+ Cleanup: forgot the "do" in "do { stuff } while (0)" macros.
+ Luckily, this had caused no problem. Based on complaints
+ from the BEAM static analyzer. Files: util/dict_cdb.c,
+ util/dict_dbm.c, util/dict_lmdb.c, util/dict_pcre.c,
+ util/dict_regexp.c, util/dict_sockmap.c, util/dict_thash.c.
+
+ Bugfix (introduced: Postfix 2.9): lockfile descriptor leak
+ after error. Based on complaints from the BEAM static
+ analyzer. File: util/dict_db.c.
+
+ Bugfix (introduced: Postfix 1.1): don't "set" the null byte
+ element in the base64 and base32 decoding maps. Based on
+ complaints from the BEAM static analyzer. Files: util/base64_code,
+ util/base32_code.c.
+
+ Cleanup: don't exit(0) after failing to run showq(8). Based
+ on complaints from the BEAM static analyzer. File:
+ postqueue/postqueue.c.
+
+ Bugfix: memory leak when getaddrinfo() returns a result
+ that is neither IPv4 nor IPv6. Based on complaints from
+ the BEAM static analyzer. File: smtp/smtp_addr.c.
+
+ Cleanup: use more meaningful name for global variable so
+ that it isn't shadowed by a local variable. Based on
+ complaints from the BEAM static analyzer. smtpstone/smtp-sink.c.
+
+20141119
+
+ Cleanup: base64 test driver. File: base64_code.c.
+
+ Cleanup: make the CONST_CHAR_STAR typedef project-wide.
+ Files: global/attr_override.h, util/sys_defs.h.
+
+ Feature: BCC action in header/body_checks and milter_header_checks.
+ Files: proto/header_checks, cleanup/cleanup.h,
+ cleanup/cleanup_extracted.c, cleanup/cleanup_message.c,
+ cleanup/cleanup_milter.c, cleanup/cleanup_milter.in16a,
+ cleanup/cleanup_milter.ref16a1, cleanup/cleanup_milter.ref16a2,
+ cleanup/cleanup_milter.reg16a, cleanup/cleanup_state.c,
+ cleanup/test-queue-file16, global/attr_override.h,
+ global/cleanup_strflags.c, global/cleanup_user.h,
+ util/sys_defs.h.
+
+ Cleanup: don't write back-to-back queue file pointer records
+ when the "add recipient" action was a NOOP (e.g., because
+ the recipient was a duplicate). File: cleanup/cleanup_milter.c.
+
+20141120
+
+ Documentation: COMPATIBILITY_README now has "purpose of
+ this document" section, plus a separate section for turning
+ off the safety net. File: proto/COMPATIBILITY_README.html
+
+20131121
+
+ Cleanup: replace mua_mumble with msa_mumble in master.cf
+ submission and smtps service parameter overrides. File:
+ proto/BUILTIN_FILTER_README.html.
+
+ Feature: "static:{ text with whitespace }". This could be
+ used as check_mumble_access static:{reject text...} at the
+ end of smtpd_mumble_restrictions. Files: util/dict_static.c,
+ util/Makefile.in, util/dict_static_test.ref,
+ proto/DATABASE_README.html. postconf/postconf.c (manpage).
+
+20141126
+
+ Feature: "inline:{key=value, { key = text with comma/space}}"
+ avoids the need to create a database for just a few entries.
+ Files: util/dict_inline.[hc], mantools/postlink,
+ proto/DATABASE_README.html. postconf/postconf.c (manpage),
+ util/dict_inline.[hc], util/dict_open.c, util/Makefile.in,
+ util/dict_inline_test.ref.
+
+ Cleanup: report nullmx DNS records as "domain does not
+ accept mail", instead of "invalid DNS response". The Postfix
+ SMTP client already bounced mail for such domains, and the
+ Postfix SMTP server already rejected such domains with
+ reject_unknown_sender/recipient_domain. This introduces a
+ new SMTP server configuration parameter nullmx_reject_code
+ (default: 556). Files: src/dns/dns_lookup.[hc], dns/Makefile,in,
+ dns/nullmx_test.ref, src/smtp/smtp_addr.c, smtpd/smtpd_check.c,
+ smtpd/smtpd_check_nullmx.in, smtpd/smtpd_check_nullmx.ref,
+ mantools/postlink, proto/postconf.proto, smtpd/smtpd.c.
+
+ Cleanup: added some missing libdns tests: dns/Makefile,in,
+ dns/mxonly_test,ref, dns/nxdomain_test.ref
+
+ Cleanup: libglobal "make test" had suffered from bitrot.
+ Files: global/mime_state.c, global/header_body_checks.c.
+
+20141127
+
+ Feature: DNS reply filter, configured with smtp_dns_reply_filter,
+ smtpd_dns_reply_filter, and lmtp_dns_reply_filter. Files:
+ mantools/postlink, proto/postconf.proto, dns/dns.h,
+ dns/dns_lookup.c, dns/dns_rr_filter.c, dns/dns_strrecord.c,
+ dns/error.ref, dns/error.reg, dns/mxonly_test.ref, dns/no-a.ref,
+ dns/no-a.reg, dns/no-aaaa.ref, dns/no-aaaa.reg, dns/no-mx.ref,
+ dns/no-mx.reg, dns/nullmx_test.ref, dns/test_dns_lookup.c,
+ global/mail_params.h, smtp/lmtp_params.c, smtp/smtp.c,
+ smtp/smtp_addr.c, smtp/smtp_params.c, smtpd/smtpd.c,
+ smtpd/smtpd_check.c, smtpd/smtpd_dns_filter.{in,ref}.
+
+20141130
+
+ Cleanup: when searching multiple DNS record types for a
+ specific name, and not all queries return the same result
+ status, do not blindly return the last query's rcode and
+ diagnostic text. Instead, return rcode and text that is
+ consistent with the aggregate result status.
+
+ Cleanup: un-broke several smtpd regression tests (work in
+ progress, with three more to go). Files: smtpd/smtpd_check.c,
+ smtpd/smtpd_server.{in,ref}, smtpd/smtpd_exp.{in,ref}.
+ smtpd/smtpd_dnswl.{in,ref}.
+
+ Documentation: added note on Milter-signing bounces.
+
+20141201
+
+ Bugfix (introduced: 20141130): memory leak. File: dns_lookup.c.
+
+ Cleanup: un-broke several dns regression tests by sorting
+ getaddrinfo() results by address family. Files: dns/dns_rr_eq_sa.c,
+ dns/dns_rr_eq_sa.ref, dns/dns_sa_to_rr.c, dns/dns_sa_to_rr.ref.
+
+ Cleanup: missing #ifdef in smtpd_check test driver. File:
+ smtpd/smtpd_check.c.
+
+ Cleanup: fix google.com regexp in smtp_dns_reply_filter
+ example. Viktor Dukhovni. File: proto/postconf.proto.
+
+ Cleanup: in the ASCII form of DNS resource records, add
+ space after the TLSA match-type field. Viktor Dukhovni.
+ File: dns/dns_strrecord.c.
+
+20141202
+
+ Cleanup: to increase clarity. rename DNS result status from
+ DNS_UNAVAIL to DNS_NULLMX. If someone uses the same zero-length
+ name trick with some other resource type, then we will worry
+ about that later. Files: smtpd/smtpd_check.c, smtp/smtp_addr.c,
+ dns/dns.h, dns/dns_lookup.c.
+
+ Cleanup: eliminate TLS state duplication from state->tls
+ to session->tls. Viktor Dukhovni. Files: src/smtp/smtp.h,
+ src/smtp/smtp_connect.c, src/smtp/smtp_proto.c,
+ src/smtp/smtp_reuse.c, src/smtp/smtp_session.c.
+
+20141203
+
+ Feature: support to match UTF8 domain names against ASCII
+ names in TLS certificates. Viktor Dukhovni. Files:
+ posttls-finger/posttls-finger.c, tls/tls_client.c.
+
+20141206
+
+ Cleanup: use (char *) only for strings, not for data. The
+ "void *" type was not fully portable during initial Postfix
+ development, but we no longer have that problem. Also started
+ the migration of data structure sizes/counters to ssize_t/size_t
+ (the IBM Beam analyzer identified lots of unnecessary 64-bit
+ to 32-bit conversions). The transformation and verification
+ were mostly mechanical with manual supervision. Files:
+ anvil/anvil.c, bounce/bounce.c, bounce/bounce_notify_util.c,
+ bounce/bounce_template.c, bounce/bounce_templates.c,
+ cleanup/cleanup_message.c, cleanup/cleanup_region.c,
+ cleanup/cleanup_state.c, dns/dns_lookup.c, dns/dns_rr.c,
+ dns/dns_rr_eq_sa.c, dns/dns_rr_to_sa.c, dns/test_dns_lookup.c,
+ flush/flush.c, global/abounce.c, global/abounce.h,
+ global/been_here.c, global/bounce_log.c, global/clnt_stream.c,
+ global/db_common.c, global/deliver_request.c,
+ global/delivered_hdr.c, global/dict_ldap.c, global/dict_mysql.c,
+ global/dict_pgsql.c, global/dsn.c, global/dsn_buf.c,
+ global/dsn_filter.c, global/dynamicmaps.c,
+ global/header_body_checks.c, global/header_opts.c,
+ global/mail_addr_crunch.c, global/mail_stream.c,
+ global/mail_version.c, global/maps.c, global/mbox_open.c,
+ global/mime_state.c, global/mkmap_open.c, global/msg_stats_scan.c,
+ global/mypwd.c, global/post_mail.c, global/rcpt_buf.c,
+ global/recipient_list.c, global/scache_clnt.c,
+ global/scache_multi.c, global/scache_single.c,
+ global/smtp_reply_footer.c, global/smtp_reply_footer.h,
+ global/tok822_node.c, local/biff_notify.c, local/forward.c,
+ local/local_expand.c, local/unknown.c, master/event_server.c,
+ master/master.c, master/master_avail.c, master/master_ent.c,
+ master/master_monitor.c, master/master_proto.c,
+ master/master_sig.c, master/master_spawn.c, master/master_status.c,
+ master/master_vars.c, master/master_wakeup.c,
+ master/multi_server.c, master/single_server.c,
+ master/trigger_server.c, milter/milter.c, milter/milter8.c,
+ milter/milter_macros.c, oqmgr/qmgr.c, oqmgr/qmgr_active.c,
+ oqmgr/qmgr_deliver.c, oqmgr/qmgr_entry.c, oqmgr/qmgr_message.c,
+ oqmgr/qmgr_queue.c, oqmgr/qmgr_transport.c, pipe/pipe.c,
+ postalias/postalias.c, postconf/postconf.h,
+ postconf/postconf_builtin.c, postconf/postconf_edit.c,
+ postconf/postconf_lookup.c, postconf/postconf_main.c,
+ postconf/postconf_master.c, postconf/postconf_node.c,
+ postconf/postconf_service.c, postconf/postconf_user.c,
+ postmap/postmap.c, postmulti/postmulti.c, postscreen/postscreen.c,
+ postscreen/postscreen.h, postscreen/postscreen_dnsbl.c,
+ postscreen/postscreen_early.c, postscreen/postscreen_expand.c,
+ postscreen/postscreen_haproxy.c, postscreen/postscreen_send.c,
+ postscreen/postscreen_smtpd.c, postscreen/postscreen_starttls.c,
+ postscreen/postscreen_state.c, posttls-finger/posttls-finger.c,
+ posttls-finger/tlsmgrmem.c, proxymap/proxymap.c, qmgr/qmgr.c,
+ qmgr/qmgr_active.c, qmgr/qmgr_deliver.c, qmgr/qmgr_entry.c,
+ qmgr/qmgr_job.c, qmgr/qmgr_message.c, qmgr/qmgr_peer.c,
+ qmgr/qmgr_queue.c, qmgr/qmgr_transport.c, qmqpd/qmqpd_peer.c,
+ qmqpd/qmqpd_state.c, scache/scache.c, sendmail/sendmail.c,
+ showq/showq.c, smtp/smtp_chat.c, smtp/smtp_connect.c,
+ smtp/smtp_proto.c, smtp/smtp_reuse.c, smtp/smtp_session.c,
+ smtp/smtp_state.c, smtp/smtp_tls_policy.c, smtpd/smtpd.c,
+ smtpd/smtpd_chat.c, smtpd/smtpd_check.c, smtpd/smtpd_expand.c,
+ smtpd/smtpd_expand.h, smtpd/smtpd_peer.c, smtpd/smtpd_proxy.c,
+ smtpstone/qmqp-sink.c, smtpstone/qmqp-source.c,
+ smtpstone/smtp-sink.c, smtpstone/smtp-source.c, tls/tls_dane.c,
+ tls/tls_mgr.c, tls/tls_misc.c, tls/tls_prng_dev.c,
+ tls/tls_prng_egd.c, tls/tls_prng_exch.c, tls/tls_prng_file.c,
+ tls/tls_proxy_clnt.c, tls/tls_scache.c, tls/tls_server.c,
+ tlsmgr/tlsmgr.c, tlsproxy/tlsproxy.c, tlsproxy/tlsproxy_state.c,
+ trivial-rewrite/transport.c, trivial-rewrite/trivial-rewrite.c,
+ util/argv.c, util/attr_clnt.c, util/attr_print0.c,
+ util/attr_print64.c, util/attr_print_plain.c, util/attr_scan0.c,
+ util/attr_scan64.c, util/attr_scan_plain.c, util/auto_clnt.c,
+ util/binhash.c, util/binhash.h, util/ctable.c, util/ctable.h,
+ util/dict.c, util/dict.h, util/dict_alloc.c, util/dict_cache.c,
+ util/dict_cache.h, util/dict_cidr.c, util/dict_db.c,
+ util/dict_ht.c, util/dict_open.c, util/dict_pcre.c,
+ util/dict_regexp.c, util/dict_sockmap.c, util/dict_surrogate.c,
+ util/dict_thash.c, util/edit_file.c, util/events.c,
+ util/events.h, util/fifo_trigger.c, util/find_inet.c,
+ util/htable.c, util/htable.h, util/inet_addr_host.c,
+ util/inet_addr_list.c, util/inet_addr_local.c, util/inet_listen.c,
+ util/inet_proto.c, util/inet_trigger.c, util/inet_windowsize.c,
+ util/iostuff.h, util/line_wrap.c, util/line_wrap.h,
+ util/mac_expand.c, util/mac_expand.h, util/mac_parse.c,
+ util/mac_parse.h, util/match_list.c, util/msg_output.c,
+ util/mvect.c, util/myaddrinfo.c, util/myflock.c, util/mymalloc.c,
+ util/mymalloc.h, util/nbbio.c, util/nbbio.h, util/netstring.c,
+ util/nvtable.c, util/nvtable.h, util/pass_trigger.c,
+ util/sane_accept.c, util/sane_connect.c, util/scan_dir.c,
+ util/sock_addr.c, util/stream_trigger.c, util/sys_compat.c,
+ util/sys_defs.h, util/timecmp.c, util/timed_connect.c,
+ util/timed_write.c, util/unix_connect.c, util/unix_listen.c,
+ util/unix_recv_fd.c, util/unix_send_fd.c, util/unix_trigger.c,
+ util/vbuf.c, util/vbuf.h, util/vstream.c, util/vstream_tweak.c,
+ util/vstring.c, util/watchdog.c, verify/verify.c,
+ xsasl/xsasl_cyrus_client.c, xsasl/xsasl_cyrus_server.c,
+ xsasl/xsasl_dovecot_server.c.
+
+ Cleanup: removed unnecessary casts. File: global/cfg_parser.c.
+
+ Cleanup: dont cast away "const". File: global/dict_sqlite.c.
+
+20141208
+
+ Bugfix (introduced: 20141207): in new #ifdef, && should be
+ ||. File: smtpd.c.
+
+20141210
+
+ Cleanup: the "inline" table now supports case-insensitive
+ search, and an iterator. File: util/dict_inline.c.
+
+ Cleanup: minuscule memory leaks in graceful degradation
+ after lookup table open error. Files: util/dict_inline.c,
+ util/dict_static.c.
+
+20141211
+
+ Cleanup: memory leaks in unit-test driver programs (i.e.
+ code used only during development). Files:
+ cleanup/cleanup_milter.c, util/base64_code.c.
+
+ Bugfix (introduced 20141001): mac_expand() error message
+ with "??" due to dangling pointer. File: util/mac_expand.c.
+
+ Portability: unit-test driver programs. Files: util/myaddrinfo.c,
+ util/myaddrinfo.ref.
+
+ Portability: Clang support. Files: makedefs, util/sys_defs.h.
+
+ Portability: FreeBSD 10 support. Files: makedefs,
+ util/sys_defs.h.
+
+ Cleanup: in makedefs, the CC and WARN features are now
+ independent. File: makedefs.
+
+ Shut up some Clang format-string nags: util/events.c.
+
+ Cleanup: eliminated unnecessary 64->32bit (and back)
+ conversions on LP64 platforms. Files: util/htable.c,
+ util/binhash.c util/mvect.[hc], util/name_mask.c,
+ util/sane_time.c, util/unix_listen.c, util/unix_connect.c,
+ util/stringops.h, util/trimblanks.c, and dependent code in
+ smtpd/smtpd_token.c.
+
+ Cleanup: unused inet_proto_init() results. Files:
+ global/mail_params.c, postconf/postconf_builtin.c,
+ smtpstone/qmqp-sink.c, smtpstone/qmqp-source.c,
+ smtpstone/smtp-source.c/
+
+ Shut up some Clang nags about unused functions in network
+ interface API selection. File: util/inet_addr_local.c.
+
+ Portability: a historical compiler lacks printf-like
+ format-string checks for function pointers. Files: util/msg.h,
+ bounce/bounce_template.h.
+
+20141212
+
+ Shut up some Clang format-string nags: util/line_number.c,
+ sendmail/sendmail.c, smtpd/smtpd_proxy.c, smtp/smtp_sasl_proto.c.
+
+ Cleanup: eliminated unnecessary 64->32bit (and back)
+ conversions on LP64 platforms. Files: dict_memcache.c,
+ header_body_checks.[hc], log_adhoc.c, pipe_command.c,
+ record.[hc], smtp_reply_footer.c, split_addr.c.
+ cleanup/cleanup_milter.c, master/mail_server.h,
+ src/master/trigger_server.c, oqmgr/qmgr.c, qmgr/qmgr.c,
+ pickup/pickup.c.
+
+ Cleanup: nullmx SMTP reply codes 550 and 556, and enhanced
+ status codes X.1.10 and X.7.27. The nullmx SMTP reply codes
+ are no longer configurable. Files: global/mail_params.h,
+ smtpd/smtpd.c, smtpd/smtpd_check.c.
+
+ Portability: default table owner UID for testing. Files:
+ util/dict_alloc.c, util/dict_open.c.
+
+ Shut up Clang unused assignment nag: global/mail_queue.h.
+ sendmail/sendmail.c, smtpd/smtpd_proxy.c, smtp/smtp_sasl_proto.c.
+
+20141214
+
+ Bugfix (introduced: 20141212): typo in Clang function pointer
+ format check, making it a noop. Viktor Dukhovni. File:
+ util/sys_defs.h.
+
+ Maintainability: compile-time argument typechecking for
+ variadic attribute-value read/write functions. Files:
+ anvil/anvil.c, bounce/bounce.c, cleanup/cleanup.c,
+ dnsblog/dnsblog.c, flush/flush.c, global/abounce.c,
+ global/anvil_clnt.c, global/bounce.c, global/defer.c,
+ global/deliver_pass.c, global/deliver_request.c,
+ global/dict_proxy.c, global/dsb_scan.c, global/dsn_print.c,
+ global/flush_clnt.c, global/mail_command_client.c,
+ global/mail_stream.c, global/msg_stats_print.c,
+ global/msg_stats_scan.c, global/post_mail.c, global/rcpt_buf.c,
+ global/rcpt_print.c, global/resolve_clnt.c, global/rewrite_clnt.c,
+ global/scache_clnt.c, global/trace.c, global/verify_clnt.c,
+ local/forward.c, milter/milter.c, milter/milter8.c,
+ milter/milter_macros.c, oqmgr/qmgr_deliver.c, pickup/pickup.c,
+ postdrop/postdrop.c, postscreen/postscreen_dnsbl.c,
+ postscreen/postscreen_send.c, postscreen/postscreen_starttls.c,
+ proxymap/proxymap.c, qmgr/qmgr_deliver.c, qmqpd/qmqpd.c,
+ scache/scache.c, smtpd/smtpd.c, smtpd/smtpd_check.c,
+ tls/tls_mgr.c, tls/tls_proxy_clnt.c, tls/tls_proxy_print.c,
+ tls/tls_proxy_scan.c, tlsmgr/tlsmgr.c, tlsproxy/tlsproxy.c,
+ trivial-rewrite/resolve.c, trivial-rewrite/rewrite.c,
+ trivial-rewrite/trivial-rewrite.c, util/attr.h.
+
+20141217
+
+ Replaced compile-time argument typechecking based on inline
+ functions with an implementation based on ternary expressions
+ with unreachable assignments to dummy variables. This
+ should produce the exact same result as the approach based
+ on inline functions (which were standardized with C99).
+ Files: util/check_arg.h, util/attr.h, util/attr.c.
+
+20141221
+
+ Portability: proof-of-concept template for OpenBSD build
+ with shared libpostfix etc. libraries. File: makedefs.
+
+20141223
+
+ Cleanup: compile-time variadic argument type checking for
+ attribute-value APIs of vstream, vstream_popen, vstring,
+ pipe_command, spawn_command, attr_override, and mail_server
+ skeletons. Based on mostly automatic conversion and checking,
+ with a manual inspection of the remainder. Files:
+ anvil/anvil.c, bounce/bounce.c, cleanup/cleanup.c,
+ cleanup/cleanup_api.c, discard/discard.c, dnsblog/dnsblog.c,
+ error/error.c, flush/flush.c, global/attr_override.c,
+ global/attr_override.h, global/mail_connect.c, global/mail_queue.c,
+ global/mail_stream.c, global/mail_stream.h, global/pipe_command.c,
+ global/pipe_command.h, global/smtp_stream.c, global/timed_ipc.c,
+ local/command.c, local/local.c, master/event_server.c,
+ master/mail_server.h, master/multi_server.c,
+ master/single_server.c, milter/milter.c, milter/milter8.c,
+ oqmgr/qmgr.c, oqmgr/qmgr_transport.c, pickup/pickup.c,
+ pipe/pipe.c, postalias/postalias.c, postcat/postcat.c,
+ postdrop/postdrop.c, postmap/postmap.c, postscreen/postscreen.c,
+ postscreen/postscreen_dnsbl.c, postscreen/postscreen_haproxy.c,
+ postscreen/postscreen_starttls.c, posttls-finger/posttls-finger.c,
+ proxymap/proxymap.c, qmgr/qmgr.c, qmgr/qmgr_transport.c,
+ qmqpd/qmqpd.c, scache/scache.c, showq/showq.c, smtp/smtp.c,
+ smtpd/smtpd.c, smtpd/smtpd_check.c, smtpd/smtpd_proxy.c,
+ smtpstone/smtp-source.c, spawn/spawn.c, tls/tls_proxy_clnt.c,
+ tls/tls_stream.c, tlsmgr/tlsmgr.c, tlsproxy/tlsproxy.c,
+ trivial-rewrite/trivial-rewrite.c, util/auto_clnt.c,
+ util/ctable.c, util/dict_cache.c, util/dict_cache.h,
+ util/dict_lmdb.c, util/dict_tcp.c, util/netstring.c,
+ util/recv_pass_attr.c, util/slmdb.c, util/slmdb.h,
+ util/spawn_command.c, util/spawn_command.h, util/vstream.c,
+ util/vstream.h, util/vstream_popen.c, util/vstream_tweak.c,
+ util/vstring.c, util/vstring.h, verify/verify.c,
+ virtual/virtual.c, xsasl/xsasl_dovecot_server.c.
+
+20141224
+
+ Cleanup: the compile-time argument typechecks for attribute-value
+ APIs are now by default implemented with inline functions.
+ Compile with -DNO_INLINE to implement the argument typechecks
+ with ternary operators and unreachable assignments. Files:
+ util/check_arg.h and its consumers.
+
+20141226
+
+ NetBSD6/7 dynamic linking support. Viktor Dukhovni.
+
+ Cleanup: instead of making up new names, use a consistent
+ CA_ prefix for macros that implement compile-time argument
+ typechecks for non-protocol attribute-value APIs. This
+ transformation and its verification are mechanical.
+
+ Bugfix (introduced: Postfix 1.1, but latent before 3.0):
+ "postfix-install: daemon_directory: not found" error with
+ an ancient Solaris shell. Fixed by ALSO resetting IFS after
+ the end of a ``while IFS=foo command'' loop; counter to
+ expectation, the IFS reset in the loop body executed in a
+ child process. Background: some shells implement "IFS=foo
+ command" as a permanent IFS change; this was allowed by
+ standards at some point in time. File: postfix-install.
+
+20141227
+
+ Feature: smtp_address_verify_target (default: rcpt) that
+ determines what protocol stage decides if a recipient is
+ valid. Specify "data" for servers that reject recipients
+ after the DATA command. Files: mantools/postlink,
+ proto/postconf.proto, proto/ADDRESS_VERIFICATION_README.html,
+ global/mail_params.h, smtp/lmtp_params.c, smtp/smtp.c,
+ smtp/smtp.h, smtp/smtp_params.c, smtp/smtp_proto.c.
+
+20141228
+
+ Cleanup: the IDNA conversion routines now accept both ASCII
+ and UTF8 inputs. The functions als verify that either their
+ result is a valid ASCII domain name or that it converts
+ into a valid ASCII domain name. Files: util/midna.c,
+ util/midna_test.in, util/midna_test.ref.
+
+20141230
+
+ Cleanup: s/midna/midna_domain/ for better specificity,
+ because we also need functions that act only on the domain
+ portion of an email address. Files: bounce/bounce_template.c,
+ global/midna_adomain.c, posttls-finger/posttls-finger.c,
+ smtp/smtp_addr.c, smtpd/smtpd_check.c, tls/tls_client.c,
+ util/midna_domain.[hc], util/valid_utf8_hostname.c.
+
+ Infrastructure: function midna_adomain_to_utf8() (and
+ midna_adomain_to_ascii) to convert the domain portion of
+ an email address before table lookup. Files:
+ global/midna_adomain.[hc].
+
+20141230-20140109
+
+ What is described here is the result of four iterations to
+ deal with malformed UTF-8 without massively contaminating
+ every Postfix program with new error-handling code paths,
+ in particular without triggering fatal errors that didn't
+ happen before.
+
+ Infrastructure: function casefold() to support caseless
+ string comparison, primarily for table lookups. This function
+ supports two modes: case folding a la lowercase() for ASCII
+ byte values, and UTF-8 case folding. As recommended at
+ http://www.w3.org/International/wiki/Case_folding for
+ caseless string comparison, this uses the en_US locale to
+ avoid surprises. The implementatin handles the entire RFC
+ 3629 Unicode range (code points U+0000..U+10FFFF including
+ surrogates) and is chroot(2) safe. Files: casefold.c,
+ stringops.h.
+
+ Infrastructure: revised the midna_domain_to_ascii and
+ midna_domain_to_utf8 domain name conversion functions after
+ careful reading of the UTS #46 specification, and after
+ observing that ICU 4.8 library functions indeed implement
+ this spec, at least with default options. In particular,
+ midna_domain_to_utf8 takes an UTF-8 domain name and verifies
+ that its A-label form will pass the valid_hostname() test.
+ File: util/midna_domain.c.
+
+ Infrastructure: handle UTF-8 errors in lookup table keys
+ or values without massively contaminating every Postfix
+ program with new error-handling code paths, in particular
+ without triggering fatal errors that didn't happen before.
+ The lookup/update/delete functions log a warning and ignore
+ a request with a bad key (it cannot exist); the update
+ functions ignore a request to store a bad value (it cannot
+ exist); and the lookup function reports a bad value as a
+ configuration error (it should not exist, but there it is).
+ Table iterators still report all (key, value) pairs in a
+ table. Files: util/dict.h, util/dict_open.c, util/dict_utf8.c,
+ global/mkmap_open.c.
+
+ Note that with SMTPUTF8 turned on, each table-driven mechanism
+ (access, aliases, etc.) needs to make its own decision
+ whether UTF-8 syntax is required. We cannot blindly require
+ that everything has valid UTF-8 syntax. That would make
+ header/body_checks useless for content inspection, because
+ headers may be malformed and bodies may contain legitimate
+ binary content that isn't UTF-8.
+
+ Note that with SMTPUTF8 turned off, Postfix must remain
+ 8-bit clean as it always has been. Table operations must
+ not complain that something violates UTF-8 syntax rules.
+
+ UTF-8 sanitization in the Postfix SMTP server. With
+ smtputf8_enable=yes, SMTP commands with UTF-8 syntax errors
+ are rejected, table lookup results with invalid UTF-8 syntax
+ are handled as configuration errors, and UTF-8 syntax errors
+ in policy server replies result in execution of the policy
+ server's default action.
+
+20150102
+
+ Cleanup: propagate DICT_ERR_CONFIG through the proxymap
+ protocol. Files: global/dict_proxy.[hc], proxymap/proxymap.c.
+
+20150106
+
+ Robustness: don't segfault due to excessive recursion in
+ tok822_free_tree() after a faulty configuration runs into
+ the virtual_alias_recursion_limit. File: global/tok822_tree.c.
+
+20150109
+
+ Cleanup: the dict debug module now proxies dict flags.
+ File: util/dict_debug.c.
+
+ With "smtputf8_enable = yes", the postmap and postalias
+ commands now enable UTF-8 by default (use "-u" to disable)
+ with one exception: UTF-8 remains disabled for header/body_checks
+ emulation (use "-U" to enable). Files: postmap/postmap.c,
+ postalias/postalias.c.
+
+20150110
+
+ Cleanup: the "inline" and "texthash" implementations now
+ reuse the "internal" database instead of reinventing the
+ wheel. Files: util/dict_inline.c, util/dict_thash.c.
+
+ As a first step, with "smtputf8_enable = yes" all features
+ based on Postfix matchlists enable UTF-8 syntax checks and
+ UTF-8 casefolding for table patterns, but NOT YET for string
+ patterns. The list of features includes authorized_flush_users,
+ authorized_mailq_users, authorized_submit_users, debug_peer_list,
+ fast_flush_domains, mydestination, permit_mx_backup_networks,
+ qmqpd_authorized_clients, smtp_connection_cache_destinations,
+ smtpd_authorized_verp_clients, smtpd_authorized_xclient_hosts,
+ smtpd_authorized_xforward_hosts,
+ smtpd_client_event_limit_exceptions,
+ smtpd_log_access_permit_actions, smtpd_sasl_exceptions_networks,
+ the "domains" feature in ldap_table(5), memcache_table(5)
+ mysql_table(5), pgsql_table(5) and sqlite_table(5),
+ virtual_alias_domains, virtual_mailbox_domains.
+
+20150111
+
+ Cleanup: simplified the interposition layer that adds UTF-8
+ support to Postfix lookup tables. Files: util/dict_utf8.c.
+
+ With "smtputf8_enable = yes", Enable UTF-8 syntax checks
+ and UTF-8 casefolding for SMTP server access maps, alias_maps,
+ canonical_maps, fallback_transport_maps,
+ lmtp_tls_session_cache_database, local_recipient_maps,
+ mailbox_command_maps, mailbox_transport_maps, rbl_reply_maps,
+ recipient_bcc_maps, recipient_canonical_maps, relay_recipient_maps,
+ relocated_maps, sender_bcc_maps, sender_canonical_maps,
+ sender_dependent_relayhost_maps, sender_dependent_transport_maps,
+ smtp_generic_maps, smtp_sasl_auth_cache_name,
+ smtp_sasl_password_maps, smtp_tls_per_site, smtp_tls_policy_maps,
+ smtp_tls_session_cache_database, smtpd_sender_login_maps,
+ smtpd_tls_session_cache_database, transport_maps,
+ virtual_alias_maps, virtual_gid_maps, virtual_mailbox_maps,
+ virtual_uid_maps.
+
+20150112
+
+ Infrastructure: support for UTF-8 casefolding in match_lists.
+ Instead of using strcasecmp(), casefold all fixed-string
+ patterns during initialization, casefold a search string
+ at the beginning of the search, and use strcmp() for
+ comparison. Files: util/casefold.c util/dict.h, util/dict_utf8.c,
+ util/match_list.c, util/match_list.h, util/match_ops.c,
+ util/stringops.h, global/addr_match_list.c, global/domain_list.c,
+ global/namadr_list.c, global/string_list.c.
+
+20150113
+
+ Cleanup: show the configuration parameter name in error
+ messages while parsing or searching match_list-based features
+ such as mydestination, relay_domains and a few dozen more.
+ Files: cleanup/cleanup_init.c, flush/flush.c,
+ global/addr_match_list.c, global/debug_peer.c,
+ global/domain_list.c, global/flush_clnt.c,
+ global/match_parent_style.c, global/namadr_list.c,
+ global/resolve_local.c, global/string_list.c, global/user_acl.[hc],
+ postdrop/postdrop.c, postqueue/postqueue.c,
+ postscreen/postscreen.c, qmqpd/qmqpd.c, sendmail/sendmail.c.,
+ smtp/smtp.c, smtp/smtp_sasl_glue.c, smtpd/smtpd.c,
+ smtpd/smtpd_check.c, trivial-rewrite/resolve.c,
+ util/match_list.[hc], util/match_ops.c.
+
+ Cleanup: apply printable() to all bounce(8) service
+ string-valued protocol fields. File: bounce/bounce.c.
+
+ Apparently the UCI 4.8 ucasemap_utf8FoldCase() function does
+ not complain about UTF-8 syntax errors, so we add our own
+ redundant check. File: util/casefold.c.
+
+20150115
+
+ Bitrot: prepare for future changes in OpenSSL. Viktor
+ Dukhovni. Files: tls/tls.h, tls/tls_dh.c, tls/tls_misc.c,
+ tls/tls_rsa.c, tls/tls_server.c.
+
+ Documentation: "avoid hash files here, use btree or lmdb
+ instead". File: proto/ADDRESS_VERIFICATION_README.html.
+
+ Safety: virtual_alias_address_length_limit (default: 1000)
+ to stop aliasing loops that exponentially increase the
+ address length with each iteration. Files: global/mail_params.h,
+ mantools/postlink, proto/postconf.proto, cleanup/cleanup.c,
+ cleanup/cleanup_init.c, cleanup/cleanup_map1n.c.
+
+20150116
+
+ TLS wrappermode in the Postfix smtp(8) client. This introduces
+ a new parameter "smtp_tls_wrappermode" (default: no). Files:
+ global/mail_params.h, mantools/postlink, proto/postconf.proto,
+ smtp/lmtp_params.c, smtp/smtp.[hc], smtp/smtp_connect.c,
+ smtp/smtp_params.c, smtp/smtp_proto.c.
+
+ TLS wrappermode in posttls-finger(1), and some DANE-related
+ cleanups. This introduces a new option "-w". Viktor Dukhovni.
+ Files: posttls-finger/posttls-finger.c, smtp/smtp_tls_policy.c,
+ tls/tls.h, tls/tls_client.c, tls/tls_fprint.c.
+
+20150117
+
+ Cleanup: missing " in \%s\" in postscreen(8) fatal error
+ messages. Iain Hibbert. File: postconf/postconf_master.c.
+
+20150118
+
+ Bugfix (introduced: 20140731): when a connection timed out
+ before any command was received, the Postfix SMTP server
+ "disconnect from" logging would show the content of the
+ last SMTP server response (421 4.4.2 $myhostname error:
+ timeout exceeded) instead of per-command statistics, because
+ there were no statistics to report. The Postfix SMTP server
+ now always logs the total number of commands (commands=x/y)
+ even when the client did not send any. This helps logfile
+ analyzers to recognize sessions without commands. File:
+ smtpd/smtpd.c.
+
+20150120
+
+ Bugfix (introduced: 20141230-20140109): do not reallocate
+ a dictionary handle after it is initialized. This breaks
+ CDB. Problem reported by Andreas Schulze. Files: util/dict.h,
+ util/dict_alloc.c, util/dict_utf8.c.
+
+ Cleanup: simplified the dict_utf8 wrapper implementation.
+ Files: util/dict.h, util/dict_alloc.c, util/dict_utf8.c.
+
+20150121
+
+ Cleanup: undo changes in check_mumble_access() that replaced
+ error handling with longjmp() calls. This could introduce
+ memory leaks in check_mumble_access() callers. Files:
+ smtpd/smtpd_check.c, smtpd/smtpd_error.ref.
+
+20150122
+
+ Cleanup: miscellaneous cruft, typos, comments, error messages.
+ proto/COMPATIBILITY_README.html, global/addr_match_list.c,
+ global/domain_list.c, global/namadr_list.c, global/string_list.c,
+ global/user_acl.c, postalias/postalias.c, postmap/postmap.c,
+ tls/tls_client.c, util/dict_alloc.c, util/dict_open.c,
+ util/match_list.c.
+
+20150124
+
+ Workaround: nroff has been improved so that "-" comes out as
+ some non-ASCII character, unlike HTML where it comes out
+ as itself. Andreas Schulze. This requires jumping a few
+ hops to generate HTML and nroff input from the same source
+ text. Files; mantools/srctoman, mantools/postconf2man.
+
+ Cleanup: UTF-8 support in masquerade_domains. File:
+ cleanup/cleanup_masquerade.c.
+
+20150125
+
+ Cleanup: simplified the casefold() API: no input-dependent
+ failure modes. Files: cleanup/cleanup_masquerade.c,
+ util/casefold.c, util/dict_utf8.c, util/match_list.c,
+ util/strcasecmp_utf8.c, util/stringops.h.
+
+ Cleanup: replaced str*casecmp() calls with UTF8-enabled
+ versions. Files: bounce/bounce.c, bounce/bounce_append_service.c,
+ bounce/bounce_notify_service.c, bounce/bounce_notify_verp.c,
+ bounce/bounce_one_service.c, bounce/bounce_trace_service.c,
+ bounce/bounce_warn_service.c, cleanup/cleanup_addr.c,
+ cleanup/cleanup_map11.c, cleanup/cleanup_map1n.c,
+ global/log_adhoc.c, global/mail_addr_find.c, global/mail_params.c,
+ global/split_addr.c, global/verify.c, global/verify_sender_addr.c,
+ local/alias.c, local/recipient.c, oqmgr/qmgr_message.c,
+ qmgr/qmgr_message.c, smtp/smtp_tls_policy.c, smtpd/smtpd_check.c,
+ smtpd/smtpd_milter.c, trivial-rewrite/resolve.c,
+ util/strcasecmp_utf8.c, util/stringops.h.
+
+20150126
+
+ Portability: added missing #ifdef STRCASECMP_IN_STRINGS_H
+ for platforms that require it. Files: dns/dns_rr_filter.c,
+ milter/milter8.c, posttls-finger/posttls-finger.c,
+ tls/tls_dane.c, tlsproxy/tlsproxy.c, util/dict_test.c.
+
+ Cleanup: replaced lowercase() calls with UTF-8-enabled
+ versions. Files: flush/flush.c, global/been_here.c,
+ global/delivered_hdr.c, global/fold_addr.c, global/fold_addr.h,
+ local/forward.c, local/recipient.c, pipe/pipe.c,
+ smtpd/smtpd_resolve.c, util/casefold.c, util/stringops.h,
+ virtual/recipient.c.
+
+20150127
+
+ Cleanup: simplified the 20150125 and 20150126 APIs, replacing
+ the most-common use cases with convenience macros that have
+ fewer arguments. Files: anything that implements or invokes
+ casefold*() or str*casecmp().
+
+ Documentation: missing words and typos. Matthew Selsky. Files:
+ proto/SMTPUTF8_README.html, util/dict_open.c, util/vstream.c.
+
+20150128
+
+ Bugfix: the ICU casemapping API can report success, while
+ producing output that is not null-terminated. But we can
+ deal with that. File: util/casefold.c.
+
+ Cleanup: unnecessary buffers. File: util/strcasecmp_utf8.c.
+
+ Cleanup: whitespace in source-code documentation has gotten
+ damaged through the years. Files: util/iostuff.h,
+ util/msg_vstream.h, util/msg_syslog.h, util/msg_output.h,
+ util/msg.h, util/inet_proto.c, trivial-rewrite/trivial-rewrite.c,
+ tls/tls.h, postconf/postconf.c, master/multi_server.c,
+ master/event_server.c, global/memcache_proto.h,
+ global/dict_mysql.c, global/dict_ldap.c, discard/discard.c,
+ error/error.c, global/dict_proxy.c, global/mail_conf_int.c,
+ global/match_parent_style.c, global/scache.c, global/scache.h,
+ qmgr/qmgr_entry.c, qmgr/qmgr_peer.c, smtp/smtp_rcpt.c,
+ smtpd/smtpd_peer.c, tls/tls_mgr.c, util/attr_scan0.c,
+ util/dict_tcp.c, util/hex_code.c, util/valid_hostname.c.
+
+ Cleanup: typos. Files: proto/socketmap_table, proto/mysql_table,
+ global/dict_mysql.c, proto/lmdb_table, smtpstone/smtp-sink.c,
+ posttls-finger/posttls-finger.c.
+
+ Bugfix: restart the Postfix SMTP server SASL client after
+ XCLIENT may have changed the client IP address. Matthew
+ Via. File: smtpd/smtpd.c.
+
+20150129
+
+ More whitespace in source-code comment regressions. Viktor
+ (mostly) and Wietse. smtpd/smtpd_proxy.c, util/format_tv.c,
+ util/line_wrap.c, util/slmdb.c, qmgr/qmgr_peer.c,
+ smtp/smtp_rcpt.c, smtpd/smtpd_peer.c, tls/tls_mgr.c,
+ trivial-rewrite/trivial-rewrite.c, util/attr_scan0.c,
+ util/dict_tcp.c, util/hex_code.c, util/valid_hostname.c,
+ discard/discard.c, error/error.c, global/dict_proxy.c,
+ global/mail_conf_int.c, global/match_parent_style.c,
+ global/scache.c, qmgr/qmgr_entry.c, global/dict_ldap.c,
+ global/dict_mysql.c, posttls-finger/posttls-finger.c,
+ smtp/smtp.c, tls/tls_certkey.c.
+
+ Cleanup: avoid hidden buffer allocation in casefold().
+ Files: local/forward.c, local/recipient.c, virtual/recipient.c.
+
+ Cleanup: HTML validator errors. Files: proto/postconf.proto,
+ proto/TLS_README.html, proto/MILTER_README.html.
+
+ Great rename from 2.12 to 3.0. Lots of files, 99% mechanical.
+
+ Cleanup: HTML entities in *roff manpage source. File:
+ mantools/fixman, proto/postconf.proto, smtpd/smtpd.c,
+ trivial-rewrite/trivial-rewrite.c.
+
+20150201
+
+ Usability: in error messages, print the CAfile and CApath
+ value in double quotes, to clue in people who specify quoted
+ pathnames in main.cf. Viktor Dukhovni. Files: tls/tls_certkey.c
+ and testing code in posttls-finger/posttls-finger.c.
+
+20150202
+
+ Cleanup: make posttls-finger -k/-K documentation consistent
+ with behavior. File: posttls-finger/posttls-finger.c.
+
+20150203
+
+ Cleanup: API minimization, by making some functions static.
+ Files: util/dict.h, util/dict_utf8.c.
+
+20150205
+
+ Preliminary feature: support for building position-independent
+ executables (PIE), tested on Fedora Core 20, Ubuntu 14.04,
+ FreeBSD 9 and 10, and NetBSD 6. See INSTALL section 4.3 for
+ details and limitations. Files: makedefs, proto/INSTALL.html,
+ RELEASE_NOTES-3.0.
+
+20150208
+
+ Cleanup: after many years, the access(5) map BCC action is
+ part of the stable release. Files: smtpd/smtpd_check.c,
+ proto/acces.
+
+20150210
+
+ Cleanup: socketmap documentation. File: proto/socketmap_table.
+
+20150211
+
+ Cleanup: strncasecmp_utf8() streamlining. Files: util/stringops.h,
+ util/allascii.c, util/strcasecmp_utf8.c.
+
+20150212
+
+ Cleanup: in code after reading main.cf, removed bogus guard
+ before re-evaluating the mail_task() syslog prefix. File:
+ postlog/postlog.c.
+
+20150214
+
+ Bugfix (introduced: Postfix 3.0): missing #ifdef USE_TLS
+ inside #ifdef USE_SASL_AUTH broke the build. Viktor Dukhovni.
+ File: smtpd/smtpd.c.
+
+ Cleanup: missing errno logging in bounce daemon clients.
+ This made troubleshooting significantly more difficult.
+ File: global/mail_command_client.c.
+
+20150216
+
+ Cleanup: documented that mail_connect() produces no errno
+ logging. The functions that call it should log the error
+ (and the majority does). File: global/mail_connect.c.
+
+ Cleanup: added errno logging after mail_connect() failure.
+ Files: global/post_mail.c, local/forward.c.
+
+ Cleanup: in code after reading main.cf, removed bogus guard
+ before re-evaluating the mail_task() syslog prefix. Files:
+ postalias/postalias.c, postdrop/postdrop.c, postmap/postmap.c,
+ postqueue/postqueue.c, postsuper/postsuper.c, sendmail/sendmail.c.
+
+20150218
+
+ Documentation: header/body_checks additional text about whether
+ an action stops further inspection of the input stream. File:
+ proto/header_checks.
+
+ Robustness: reject installation pathnames with whitespace.
+ File: postfix-install.
+
+20150217
+
+ Cleanup: missing <string.h> include. File: util/allascii.c.
+
+20150221
+
+ Bugfix (introduced: Postfix 3.0): don't append '.' to the
+ DNS resource record value, when converting TXT records to
+ the string form that is used used by xxx_dns_reply_filter.
+ File: dns/dns_strrecord.c.
+
+20150313
+
+ Documentation: incorrect Postfix version number for
+ postscreen_dnsbl_timeout. Quanah Gibson-Mount. File:
+ postscreen/postscreen.c.
+
+20150320
+
+ Cleanup: better sorting order for the default tls_*_cipherlist
+ settings. OpenSSL does not order "ALL" quite right: some
+ MEDIUM ciphers (SEED and IDEA) sneak up above some 128-bit
+ HIGH ciphers. Also previously, when we prefer "aNULL" we
+ moved MEDIUM with aNULL above same bit-length HIGH but not
+ aNULL. Viktor Dukhovni. File: global/mail_params.h.
+
+20150324
+
+ Bugfix (introduced: Postfix 2.6): sender_dependent_relayhost_maps
+ ignored the relayhost setting in the case of a DUNNO lookup
+ result. It would use the recipient domain instead. Viktor
+ Dukhovni. Wietse took the pieces of code that enforce the
+ precedence of a sender-dependent relayhost, the global
+ relayhost, and the recipient domain, and put that code
+ together in once place so that it is easier to maintain.
+ File: trivial-rewrite/resolve.c.
+
+20150326
+
+ Feature: lmtp_fallback_relay, limited to TCP destinations
+ only. Viktor Dukhovni. Wietse updated the postlink, smtp.c,
+ and smtp-only files, and added a warning when lmtp_fallback_relay
+ is specified for a non-TCP destination. Files: mantools/postlink,
+ smtp/smtp.c, smtp/smtp-only, smtp/smtp_connect.c,
+ smtp/smtp_params.c, global/mail_params.h, proto/postconf.proto.
+
+20150328
+
+ Bugfix (introduced: Postfix 1.1.0): post-install expanded
+ macros in parameter values when trying to detect parameter
+ overrides, causing unnecessary main.cf updates during Postfix
+ start-up. Julian Reich, Viktor Dukhovni, and Wietse. File:
+ conf/post-install.
+
+20150330
+
+ Bitrot: prepare for future changes in OpenSSL API. Viktor
+ Dukhovni. File: tls_dane.c.
+
+ Safety: instead of bouncing mail, report a soft error when
+ SASL infrastucture breaks. Viktor Dukhovni, Emmanuel Fuste.
+ Files: smtpd/smtpd_sasl_glue.c, xsasl/xsasl.h,
+ xsasl/xsasl_cyrus_server.c, xsasl/xsasl_dovecot_server.c.
+
+20150401
+
+ Documentation: update the mydestination default value in
+ the stock main.cf file. File: conf/main.cf.
+
+20150404
+
+ Documentation: add "postconf -m" output to problem reports. File:
+ proto/DEBUG_README.html.
+
+20150418
+
+ Portability: use the icu-config utility to locate the ICU
+ include and library files. With this, Postfix builds out
+ of the box on MacOS X. File: makedefs.
+
+20150421
+
+ Bugfix (introduced: 19970309): reset errno before calling
+ readdir(), in order to distinguish between end-of-directory and
+ an error condition. File: scandir.c.
+
+20150426
+
+ Cleanup: when transmitting an attribute-value sequence
+ between Postfix processes, a hash table may now appear at
+ any position instead of only at the end. Files:
+ util/attr_scan{0,64,plain}.c, util/attr_print{0,64,plain}.c,
+ util/attr_scan{0,64,plain}.ref.
+
+ Feature: milter_macro_defaults, an optional list of macro
+ name=value pairs that specify default values for Milter
+ macros. When a macro is to be sent to a Milter application,
+ Postfix will send its default value when no value is available
+ from the mail delivery context. For example, with
+ "milter_macro_defaults = auth_type=TLS", Postfix will send
+ an auth_type of "TLS" unless a remote client authenticates
+ with SASL. Files: mantools/postlink, proto/MILTER_README.html,
+ proto/postconf.proto, cleanup/cleanup.c, cleanup/cleanup_init.c,
+ cleanup/cleanup_milter.c, global/mail_params.h, milter/milter.c,
+ milter/milter.h, smtpd/smtpd.c, smtpd/smtpd_milter.c.
+
+20150501
+
+ Support for Linux 4.*, and some simplification for future
+ makedefs files. Files: makedefs, util/sys_defs.h.
+
+20150502
+
+ Cleanup: updated the examples in MILTER_README. File:
+ proto/MILTER_README.html
+
+20150529
+
+ Support for DNS reply TTL values in dnsblog and postscreen.
+ Files: dnsblog/dnsblog.c, postscreen/postscreen_early.c,
+ postscreen/postscreen_dnsbl.c.
+
+20150607
+
+ Support for DNS reply TTL values for "not found" responses
+ (negative reply caching). The postscreen daemon needs this to
+ accurately whitelist an SMTP client that is not found on any
+ DNSBL. Files: dns/dns_lookup.c, dns/dns_strrecord.c, dns/dns.h,
+ dns/test_dns_lookup.c.
+
+20150615
+
+ Two new parameters to limit how long a DNSBL or DNSWL lookup
+ result remains valid: postscreen_dnsbl_max_ttl is an upper
+ limit for the TTL from a DNS query, and postscreen_dnsbl_min_ttl
+ is a lower limit. The old postscreen_dnsbl_ttl provides a
+ backwards-compatible default for postscreen_dnsbl_max_ttl.
+ Files: global/mail_params.h, postscreen/postscreen.c,
+ postscreen/postscreen_early.c, mantools/postlink,
+ proto/postconf.proto.
+
+20150616
+
+ Refinement: the postscreen daemon now computes two combined
+ DNS reply TTLs: one combined TTL for replies that the client
+ should be blocked, and one combined TTL for replies that the
+ client should be allowed. This is more conservative than
+ simply combining all reply TTLs into one number. File:
+ postscreen/postscreen_dnsbl.c.
+
+20150621
+
+ Feature: default_transport_rate_delay (and the transport-specific
+ *transport*_transport_rate_delay) to enforce a destination-
+ independent rate limit on deliveries. Files: mantools/postlink,
+ proto/postconf.proto, *qmgr/qmgr.h, *qmgr/qmgr_transport.c,
+ *qmgr/qmgr_deliver.c, *qmgr/qmgr.c.
+
+20150707
+
+ Workaround: some DNS servers reply with NXDOMAIN for type
+ NS queries with names that actually have an A record. This
+ broke check_mumble_ns_access. File: smtpd/smtpd_check.c.
+
+20150711
+
+ Workaround: conditional time default value can result in
+ multiple time unit suffixes. Files: global/conv_time.c
+ global/mail_conf_time.c.
+
+20150712
+
+ Cleanup: configurable workaround (dns_ncache_ttl_fix_enable)
+ in case some future libc change breaks a promise made by
+ current resolver(3) documentation. Files: global/mail_params.[hc].
+
+ Cleanup: removed unused libdns dependencies. No-one remembers
+ why they were introduced. Files: postscreen/Makefile.in,
+ qmqpd/Makefile.in, smtpd/Makefile.in, tlsmgr/Makefile.in.
+
+ Cleanup: code indentation. Viktor Dukhovni. File:
+ smtp/smtp_addr.c.
+
+ Workaround: With Solaris10, write_wait() hangs in poll()
+ until timeout, when invoked after peekfd() has received an
+ ECONNRESET error indication. This happens when a client
+ sends QUIT and closes the connection immediately. File:
+ util/peekfd.c.
+
+20150715
+
+ Security: updated default Diffie-Hellman export (512 bit)
+ primes and non-export (from 1024 to 2048 bit) primes, and
+ updated text on non-export DH primes. Viktor Dukhovni.
+ Files: tls/tls_dh.c, proto/FORWARD_SECRECY_README.html.
+
+20150718
+
+ Security: opportunistic TLS by default uses "medium" or
+ stronger ciphers instead of "export" or stronger. See the
+ RELEASE_NOTES file for how to get the old settings back.
+ Files: global/mail_params.h, proto/TLS_README.html,
+ proto/postconf.proto, and files derived from those.
+
+20150719
+
+ Security: Postfix TLS support by default no longer uses
+ SSLv2 or SSLv3. See the RELEASE_NOTES file for how to get
+ the old settings back. Files: global/mail_params.h,
+ proto/postconf.proto, and files derived from those.
+
+20150722
+
+ Cleanup: the COMPATIBILITY_README* files were not installed.
+ File: conf/postfix-files.
+
+20150726
+
+ Cleanup: some lost edits for the SASL_README file. File:
+ proto/SASL_README.html.
+
+20150816
+
+ Workaround: updated the 20150707 fix for DNS servers that
+ reply with NXDOMAIN for type NS queries instead of (NOERROR,
+ zero answers). File: smtpd/smtpd_check.c.
+
+20150829
+
+ Documentation: TLS session tickets are preferred over the
+ local server-side smtpd_tls_session_cache_database storage.
+ TLS session tickets are supported as of OpenSSL 0.9.8h (May
+ 2008). Files: mantools/postlink, proto/TLS_README.html,
+ proto/postconf.proto.
+
+20150831
+
+ Cleanup: obsolete comments in Makefile.init.
+
+20150903
+
+ Workaround: disable DNSSEC support for AIX 7x and earlier.
+ The AIX 6/7 resolver(5) API defines RES_USE_DNSSEC without
+ defining the "ad" bit. Viktor Dukhovni. Files: makedefs,
+ proto/INSTALL.html, dns/dns.h.
+
+20150912
+
+ Future-proofing and code cleanup: exploit GCC and Clang
+ "warn_unused_result" feature to flag missing error checks.
+ Files: util/sys_defs.h, util/attr.h, util/edit_file.h,
+ util/listen.h, util/lstat_as.h, util/mac_expand.h,
+ util/mac_parse.h, util/myaddrinfo.h, util/myflock.h,
+ util/sane_fsops.h, util/sane_socketpair.h, util/stat_as.h,
+ util/base32_code.h, util/base64_code.h, util/hex_code.h,
+ util/timed_wait.h, util/vstream.h, src/util/vstring_vstream.h.
+
+ Cleanup: incomplete error check. Found with WARN_UNUSED_RESULT
+ check. File: util/recv_pass_attr.c.
+
+ Future-proofing: added type mis-match detection for
+ ATTR_TYPE_FUNC function-pointer arguments. File: util/attr.h.
+
+ Cleanup: don't ignore seek-to-end-of-file errors. File:
+ global/record.c.
+
+ Cleanup: use vstream_fpurge() to purge VSTREAM buffers,
+ instead of calling vstream_fseek() and ignoring ESPIPE
+ errors. File: smtpstone/qmqp-sink.c.
+
+20150913
+
+ Feature: SMTPD policy service "policy_context" attribute
+ and smtpd_policy_service_policy_context main.cf parameter.
+ Originally, to share the same SMTPD policy service endpoint
+ among multiple check_policy_service clients. Markus Benning.
+ Files: mantools/postlink, proto/SMTPD_POLICY_README.html,
+ proto/postconf.proto, global/mail_params.h, global/mail_proto.h,
+ smtpd/smtpd.c, smtpd/smtpd_check.c.
+
+20150923
+
+ Bugfix (introduced: 20120531-617): the Postfix SMTP server
+ used a larger-than-1 VSTREAM buffer to read the HAProxy
+ connection hand-off information. This broke TLS wrappermode,
+ as the TLS helo packet would end up in the plaintext VSTREAM
+ buffer. Reported by Lukas Erlacher. File: smtpd/smtpd_haproxy.c.
+
+20150924
+
+ Cleanup (introduced: 20060510, exposed 20150912): eliminated
+ a harmless warning message "seek error after reading END
+ record: Illegal seek" from the cleanup server after a
+ check_sender_access DISCARD action. File: cleanup/cleanup.c.
+
+ Bugfix (introduced: 20090216-24): incorrect postmulti error
+ message. Reported by Patrik Koetter. Fix by Viktor Dukhovni.
+ File: postmulti/postmulti.c.
+
+ Workaround: don't create a new instance when the template
+ main.cf and master.cf files are missing, as happens on
+ Debian-like systems. Viktor Dukhovni. File: conf/postmulti-script.
+
+20150930
+
+ Bugfix (introduced: 20040124): Milter client panic while
+ adding a header, because the PREPEND action used the same
+ output function for header_checks and body_checks. Viktor
+ Dukhovni and Wietse. File: cleanup/cleanup_message.c.
+
+ Bugfix (introduced: 20031128): xtext_unquote() did not
+ propagate error reports from xtext_unquote_append(), causing
+ the decoder to return partial output, instead of rejecting
+ malformed input. Fix by Krzysztof Wojta. File: global/xtext.c.
+
+20151003
+
+ Bugfix (copied from xtext): uxtext_unquote() did not propagate
+ error reports from uxtext_unquote_append(), causing the
+ decoder to return partial output, instead of rejecting
+ malformed input. Found by searching the code for similar
+ error patterns as with xtext_unquote(). File: global/uxtext.c.
+
+ Cleanup: added missing "negative" unit tests. Files:
+ global/xtext.c, global/uxtext.c.
+
+20151004
+
+ Future proofing: use a real VSTRING in the 20150930 header
+ PREPEND fix. File: cleanup/cleanup_message.c.
+
+ Future proofing: make vstring_import() consistent with
+ vstring_alloc(). The alternative would be to remove the
+ function as it is unused and exists only for symmetry with
+ vstring_export(). File: usr/vstring.c.
+
+20151010
+
+ Cleanup: the 20150903 workaround for AIX DNSSEC used the
+ wrong name in #ifdef. File: dns/dns.h.
+
+20151011
+
+ Cleanup: in the PCRE client, turn fatal lookup errors into
+ warnings, and skip the failing pattern as in dict_regexp.c.
+ Also, fixed the error text when running into the matcher's
+ backtracking limit. File: util/dict_pcre.c.
+
+20151017
+
+ Feature: smtpd_client_auth_rate_limit enforces a rate
+ limit on the number of AUTH commands per client IP address.
+ mantools/postlink, proto/postconf.proto, anvil/anvil.c,
+ global/anvil_clnt.c, global/anvil_clnt.h, global/mail_params.h,
+ smtpd/smtpd.c.
+
+20151018
+
+ Added RFC 7672 (SMTP security via opportunistic DANE TLS)
+ and RFC 7505 ("Null MX" No Service Resource Record) to the
+ lists of supported RFCs in manpages. Viktor Dukhovni. Files:
+ smtp/smtp.c, smtpd/smtpd.c.
+
+20151031
+
+ Bitrot: OpenSSL API cleanups. Viktor Dukhovni. Files:
+ .indent.pro, tls/tls.h, tls/tls_dane.c, tls/tls_fprint.c,
+ tls/tls_misc.c, tls/tls_server.c, tls/tls_verify.c.
+
+20151124
+
+ Bugfix (introduced: Postfix 3.0): don't throttle a destination
+ after opportunistic TLS failure. Viktor Dukhovni and Wietse.
+ Files: smtp/smtp_proto.c, smtp/smtp.h, smtp/smtp_trouble.c.
+
+20151128
+
+ Feature: JSON-formatted queue listing with "postqueue -j".
+ Output is a stream of JSON objects, one per queue file. To
+ simplify stream-mode parsing, each JSON object is followed by
+ a newline character. Files: postqueue/postqueue.c,
+ postqueue/postqueue.h, postqueue/showq_compat.c,
+ postqueue/showq_json.c, showq/showq.c.
+
+20151216
+
+ Bugfix (introduced: 20151128) bogus queue file parsing error.
+ File: showq/showq.c.
+
+20151226
+
+ Cleanup: postlog(1) now pauses for 1s after reporting a
+ fatal or panic error. This makes behavior of scripts such
+ as postfix-script consistent with built-in error messages.
+ File: postlog/postlog.c.
+
+20151227
+
+ Robustness: don't allow for whitespace in command-line
+ arguments. Files; postfix-install, conf/post-install.
+
+ Robustness: added a comment to discourage people who keep
+ adding code that calls gethostbyname() to determine the
+ default myhostname setting. This is a mistake: all Postfix
+ programs will hang when the DNS is unavailable. File:
+ global/mail_params.c.
+
+ Safety: a limit on the number of address verification probes
+ in the active queue (address_verify_pending_request_limit),
+ by default 1/4 of the active queue maximum size. The queue
+ manager tempfails probe messages that exceed the limit.
+ Files: mantools/postlink, proto/postconf.proto, cleanup/cleanup.h,
+ cleanup/cleanup_envelope.c, cleanup/cleanup_out_recipient.c,
+ cleanup/cleanup_state.c, global/mail_params.h, global/post_mail.c,
+ global/post_mail.h, global/verify.c, oqmgr/qmgr.c, oqmgr/qmgr.h,
+ oqmgr/qmgr_message.c, qmgr/qmgr.c, qmgr/qmgr.h,
+ qmgr/qmgr_message.c, verify/verify.c.
+
+20160102
+
+ Workaround: MacOS/X 10.11.x /bin/sh unsets DYLD_LIBRARY_PATH,
+ which breaks the build and install. Viktor Dukhovni and
+ Wietse. Files: makedefs, postfix-install, Makefile.in.
+
+ Bitrot: OpenSSL 1.1.0-dev drops support for EXPORT ciphers
+ and ephemeral RSA. Viktor Dukhovni. Files: tls/tls_client.c,
+ tls/tls_rsa.c, tls/tls_server.c.
+
+ Bugfix: memory leak in tls_set_eecdh_curve(). Viktor Dukhovni.
+ File: tls/tls_dh.c.
+
+ Bugfix (introduced 20150326): when lmtp_fallback_relay
+ support was added, the code that generates lmtp_mumble
+ parameters from smtp_mumble parameters wasn't updated. File:
+ smtp/smtp-only.
+
+ Bugfix (introduced 20151017): the smtpd_client_auth_rate_limit
+ implementation was not guarded with #ifdef USE_SASL_AUTH.
+ File: smtpd/smtpd.c.
+
+20160103
+
+ Feature: enable DANE policies when an MX host has a secure
+ TLSA DNS record, even if the MX DNS record was obtained
+ with insecure lookups. The existence of a secure TLSA record
+ implies that the host wants to talk TLS and not plaintext.
+ This behavior is controlled with smtp_tls_dane_insecure_mx_policy
+ (default: "dane", other settings: "encrypt" and "may"; the
+ latter is backwards-compatible with earlier Postfix releases).
+ Viktor Dukhovni. Files: mantools/postlink, proto/postconf.proto,
+ src/global/mail_params.h, src/posttls-finger/posttls-finger.c,
+ src/smtp/smtp-only, src/smtp/smtp.c, src/smtp/smtp.h,
+ src/smtp/smtp_addr.c, src/smtp/smtp_params.c,
+ src/smtp/smtp_tls_policy.c, src/tls/tls.h, src/tls/tls_client.c.
+
+20160104
+
+ Cleanup: distinct TLS levels for "full" DANE and for DANE
+ with insecure MX records. Viktor Dukhovni. Files:
+ posttls-finger/posttls-finger.c, smtp/smtp_tls_policy.c,
+ tls/tls.h, tls/tls_client.c, tls/tls_level.c.
+
+20160108
+
+ Cleanup: smtp_reply_footer() now restores state in case of
+ input error; unit tests that cover most if not all error
+ and non-error cases. Files: global/smtp_reply_footer.c,
+ global/smtp_reply_footer.ref.
+
+20160110
+
+ Bitrot: const-ification for OpenSSL 1.1.0. Viktor Dukhovni.
+ File: tls/tls_misc.c.
+
+20160116
+
+ "postconf -H" support (show names without the =value).
+ Initial use case: mass reversal of TLS-related main.cf
+ parameters (postconf -nH | grep _tls_ | xargs postconf -X).
+ This flag also works with "postconf -F" and "postconf -P".
+ Added missing documentation that -h works with "postconf
+ -F" and "postconf -P". Files: postconf.c, postconf.h,
+ postconf_master.c, postconf_main.c.
+
+ Robustness: force html2text to produce ASCII output. File:
+ mantools/html2readme.
+
+ Feature: "postfix tls" commands to enable opportunistic TLS
+ in the Postfix SMTP client or server, or generate or replace
+ Postfix SMTP server TLS private keys and server certificates.
+ Viktor Dukhovni, Wietse. Files: conf/postfix-files,
+ conf/postfix-script, conf/postfix-tls-script, makedefs,
+ proto/INSTALL.html, proto/postconf.proto, global/mail_params.h,
+ postfix/postfix.c, tls/tls_misc.c.
+
+ Portability: added a tls_random_source default setting for
+ MacOS X. Viktor Dukhovni. File: util/sys_defs.h.
+
+20160118
+
+ Bitrot: OpenSSL 1.1.0-dev (aka the "master" branch) has new
+ security levels ranging from 0 to 5. Level "0" is backwards
+ compatible, and other levels are increasingly restrictive.
+ Viktor Dukhovni. Files: tls/tls_server.c, tls/tls_client.c.
+
+20160205
+
+ Portability: Postfix TLS support uses /dev/urandom if
+ available and no system-specific setting exists in sys_defs.h.
+ Files: makedefs, util/sys_defs.h.
+
+20160208
+
+ Cleanup: building the INSTALL file had failed, added
+ hyperlinks for "postfix tls". Files: mantools/postlink.
+
+20160210
+
+ Feature: all-default-client and all-default-server subcommands.
+ Eray Aslan. File: conf/postfix-tls-script.
+
+ Bugfix: the postqueue(1) JSON formatter wrote a spurious
+ comma after the delay reason. Reported by Christian Roessner.
+ File: postqueue/showq_json.c.
+
+20160212
+
+ Cleanup: Bold/Italic cleanup in manpages.
+
+20160213
+
+ Added Google credits to external manpages.
+
+20160214
+
+ More manpage cleanups. Viktor, Wietse.
+
+20160215
+
+ Cleanup: "match_list_match: permit_mynetworks: no match" after
+ a SUCCESSFUL permit_mynetworks match of a client IP address was
+ complicating troubleshooting. The fix is to log additional
+ context to clarify that this "no match" condition is for
+ smtpd_log_access_permit_actions. File: smtpd/smtpd_check.c.
+
+20160224
+
+ Cleanup: un-break some DNS unit tests by replacing non-portable
+ numerical flags with portable symbolic names in the verbose
+ command output. Files: dns/dns_str_resflags.c, dns/dns_lookup.c,
+ dns/Makefile.in, many *.ref files.
+
+20160227
+
+ Cleanup: remember multiple BCC actions in access maps.
+ Files: smtpd/smtpd.h, smtpd/smtpd.c, smtpd/smtpd_check.c,
+ smtpd/smtpd_state.c, proto/access.
+
+20160228
+
+ Documentation: STRESS_README. File: proto/STRESS_README.html.
+
+20160229
+
+ Documentation: postmulti manpage. File: postmulti/postmulti.c.
+
+20160305
+
+ Future-proofing: detect integer overflow before it happens.
+ After-the-fact detection relies on assumptions about
+ undefined behavior that are invalidated by compilers. Files:
+ util/mymalloc.c, util/vstring.c.
+
+20160310
+
+ Bugfix (introduced: Postfix 2.6): the Milter SMFIR_CHGFROM
+ (replace sender) request lost the sender_bcc_maps address.
+ Fixed by moving some record keeping to the sender output
+ function. Files: cleanup/cleanup_envelope.c,
+ cleanup/cleanup_addr.c, cleanup/cleanup_milter.c,
+ cleanup/cleanup.h, regression tests.
+
+20160314
+
+ Future-proofing: revised off_t integer conversion (detect off_t
+ overflow before it happens). After-the-fact detection relies
+ on assumptions about undefined behavior that are invalidated by
+ compilers. Files: global/off_cvt.c.
+
+ Cleanup: include <sys/types.h> once, instead of making it
+ system-dependent. File: util/sys_defs.h.
+
+ Cleanup: make sorting in "make depend" locale-independent.
+ Files: */Makefile.in.
+
+ Cleanup: postmulti manpage. File: postmulti/postmulti.c.
+
+20160319
+
+ Future-proofing: revised format-string width or precision integer
+ conversion (detect integer overflow before it happens), plus
+ some tests to ensure that format-string widths and precisions
+ are parsed correctly, and that output buffers are sized
+ correctly. Files: util/vbuf_print.c, util/vbuf_print_test.in,
+ util/vbuf_print_test.ref.
+
+20160320
+
+ Testing: exact-size VSTRING allocation. Files: util/vstring.[hc].
+
+ Cleanup: switch to snprintf() for redundancy, keeping
+ existing code in place to censor unnecessary format-string
+ features. Specify "make makefiles CCARGS=-DNO_SNPRINTF" for
+ ancient systems. File: vbuf_print.c, makedefs, util/sys_defs.h,
+ proto/INSTALL.html.
+
+20160324
+
+ Future-proofing: revised netstring length integer conversion
+ (detect integer overflow before it happens). File:
+ util/netstring.c.
+
+ Cleanup: report unsupported usage of '%ls' and '%lc' in
+ format strings. File: util/vbuf_print.c.
+
+20160326
+
+ Future-proofing: regression test for global/off_cvt.c.
+ Files: global/off_cvt.in, global/off_cvt.ref.
+
+20160327
+
+ Cleanup: postconf(1) manpage. File: postconf/postconf.c.
+
+ Cleanup: un-broke regression tests. Files: dns/mxonly_test.ref,
+ dns/no-mx.ref, smtpd/smtpd_server.ref, smtpd/smtpd_server.in.
+
+ Added Postfix version information to the "postconf -m" manpage
+ section. File: postconf/postconf.c.
+
+20160330
+
+ The collate.pl script by Viktor Dukhovni for grouping Postfix
+ logfile records into "sessions" based on queue ID and process
+ ID information. Files: auxiliary/collate/*.
+
+20160407
+
+ Treat SASL_FAIL and SASL_NOMEM as temporary errors.
+ Markus Benning. File: xsasl/xsasl_cyrus_server.c.
+
+20160410
+
+ Bugfix (introduced: Postfix 2.6): the "bad filetype"
+ header_checks pattern falsely rejected Content-Mumble headers
+ with ``name="example"; x-apple-part-url="example.com"''.
+ Fixed by respecting the ";" separator between content
+ attribute values. Reported by Cedric Knight. File:
+ proto/header_checks.
+
+20160515
+
+ Portability: OpenBSD 6.0. Files: makedefs, util/sys_defs.h,
+ dns/dns_str_resflags.c.
+
+20160521
+
+ Bugfix (introduced: Postfix beta): the never-used function
+ mvect_free() attempted to free memory that it has not
+ allocated. File: util/mvect.c.
+
+ Cleanup: existing if/endif support for pcre and regexp
+ tables, in preparation for new if/endif support for cidr
+ tables. Files: util/dict_regexp.c, util/dict_pcre.c.
+
+20160526
+
+ Feature: cidr tables now support if/endif and negation (by
+ prepending "!" to a pattern), just like regexp and pcre
+ tables. The primarily purpose is to improve readability of
+ complex tables. Files: util/cidr_match.[hc], util/dict_cidr.c,
+ proto/cidr_table.
+
+ Cleanup: make regexp: and pcre: parser warning messages more
+ similar. Files: dict_regexp.c, dict_pcre.c.
+
+20160601
+
+ Cleanup: moved parsing of '!' operators from cidr_match.c
+ to dict_cidr.c. Files: util/cidr_match.[hc], util/dict_cidr.c,
+ util/match_ops.c.
+
+20160604
+
+ Cleanup: made parsing of '!' operators in regexp and pcre
+ tables consistent with cidr tables. Files: util/dict_regexp.c,
+ util/dict_pcre.c.
+
+20160605
+
+ Cleanup: integer wrap-around detection in the MySQL and
+ PostgreSQL clients. This is totally non-critical because
+ Postfix strings are size-limited by design. Files:
+ global/dict_mysqql.c, global/dict_pgsql.c.
+
+20160607
+
+ Documentation: dnsblog.
+
+20160609
+
+ Documentation: postsuper(1) manpage text for multiple -[dhH]
+ options. File: postsuper/postsuper.c.
+
+20160611
+
+ Cleanup: Postfix SMTP server local IP address and port
+ attributes in the policy delegation protocol (attribute
+ names: server_address, server_port), in the Milter protocol
+ (macro names: {daemon_addr}, {daemon_port}) and in the
+ XCLIENT protocol (attribute names: DESTADDR, DESTPORT).
+ Files: proto/MILTER_README.html, proto/SMTPD_POLICY_README.html,
+ cleanup/cleanup.h, cleanup/cleanup_milter.c, global/mail_proto.h,
+ milter/milter.h, smtpd/smtpd.c, smtpd/smtpd.h, smtpd/smtpd_check.c,
+ smtpd/smtpd_haproxy.c, smtpd/smtpd_milter.c, smtpd/smtpd_peer.c.
+
+20160612
+
+ Bugfix (introduced: 20090211): missing server address
+ conversion for non-proxy, non-postscreen connections. File:
+ smtpd/smtpd_peer.c.
+
+ Bugfix (introduced: 20160611) missing server port conversion
+ for non-proxy, non-postscreen connections, because there was
+ no server address conversion. File: smtpd/smtpd_peer.c.
+
+20160618
+
+ Bugfix (introduced: 20091121): with the introduction of
+ sender_dependent_default_transport_maps, the SMTP daemon
+ was not updated. This resulted in false rejects with
+ sender-dependent "error" transports. Based on a fix by
+ Russell Yanofsky. Files: global/resolve_clnt.c,
+ global/resolve_clnt.h, smtpd/smtpd_check.c, smtpd/smtpd_check.h,
+ smtpd/smtpd_milter.c, smtpd/smtpd_resolve.c, smtpd/smtpd_resolve.h.
+
+20160619
+
+ Refinements to the 20160618 fix. For more consistent results
+ with sender address validation, use the recipient address
+ (if available) as the sender-dependent address resolver
+ context. For better caching, pass sender context with all
+ attempts to resolve an email address. File: smtpd/smtpd.c,
+ smtpd/smtpd_check.c, smtpd/smtpd_milter.c.
+
+20160625
+
+ Cleanup: the Postfix SMTP server now passes network address
+ and port information to the Cyrus SASL library. Build with
+ ``make makefiles "CCARGS=$CCARGS -DNO_IP_CYRUS_SASL_AUTH"''
+ for backwards compatibility. Files: makedefs,
+ smtpd/smtpd_sasl_glue.c, xsasl/xsasl.h, xsasl/xsasl_cyrus_server.c,
+ xsasl/xsasl_server.c.
+
+ Cleanup: dnsblog manpage. File: dnsblog/dnsblog.c.
+
+20160717
+
+ Bugfix (introduced: Postfix 1.1): the virtual(8) delivery
+ agent discarded the error result from vstream_fseek().
+
+20160728
+
+ Bugfix (introduced: 20090614): with concurrent connections
+ from the same client IP address, and after-220 tests enabled,
+ postscreen could overwrite the cached "all tests completed"
+ result of one connection that completed the after-220 tests,
+ with the "some tests not completed" result of a concurrent
+ connection where the client hung up before completing the
+ after-220 tests. Files: postscreen_misc.c, postscreen_state.c,
+ postscreen.h, postscreen_tests.c, postscreen.c, postscreen_smtpd.c,
+ postscreen_early.c.
+
+20160730
+
+ Cleanup: don't try to optimize away postscreen cache updates.
+ File: postscreen_misc.c.
+
+ Cleanup: removed compatibility crutches that emulated a
+ historical data organization from four years ago. Files:
+ postscreen/postscreen.[hc], postscreen/postscreen_early.c,
+ postscreen/postscreen_smtpd.c, postscreen/postscreen_tests.c.
+
+20160808
+
+ Cleanup: preserve the new file mtimes when installing Postfix.
+ Ondřej Lysoněk. File: postfix-install.
+ REVERTED 20160828.
+
+20160819
+
+ Bugfix (introduced: Postfix 3.0): the makedefs script ignored
+ readme_directory=pathname overrides. Fix by Todd C. Olson.
+ File: makedefs.
+
+20160821
+
+ Bugfix (introduced: Postfix 3.0): the tls_session_ticket_cipher
+ documentation says aes-256-cbc, but the implementation was
+ using aes-128-cbc (note that Postfix session ticket keys
+ are rotated after 1/2 hour, to limit the impact of attacks
+ on session ticket keys).
+
+20160828
+
+ Bitrot: fixes for incompatible OpenSSL 1.1.0 API changes.
+ Viktor Dukhovni. Files: posttls-finger/posttls-finger.c,
+ tls/tls.h, tls/tls_dane.c, tls/tls_verify.c, tls/tls_server.c,
+ tls/tls_client.c.
+
+ Cleanup: disable reuse of ECDH ephemeral keys. Viktor
+ Dukhovni. File: tls/tls_misc.h.
+
+20160908
+
+ Documentation: add a pointer to hosts(5) and services(5)
+ for symbolic host and port syntax. File: proto/master.
+
+20160911
+
+ Bugfix (introduced: Postfix 3.0): the SMTP daemon did not
+ reset a previous session's command counts before rejecting
+ a client that exceeds request or concurrency rates. File:
+ smtpd/smtpd.c.
+
+20160912
+
+ Feature: preserve the new file mtimes when installing
+ Postfix. Ondřej Lysoněk. Wietse made this conditional on
+ the presence of a new -keep-new-mtime flag. File: postfix-install.
+ [this flag was renamed to "-keep-build-mtime" on 20161126]
+
+20160917
+
+ Bugfix (introduced: Postfix 3.0): the unionmap did not
+ propagate table lookup errors. Based on patch by Roel van
+ Meer. Files: util/dict_union.c, util/dict_union_test.*.
+
+ Cleanup: added unit test for pipemap. Files: util/dict_pipe.c,
+ util/dict_pipe_test.*.
+
+ Documentation: added a note about the order of search
+ patterns and table lookup order. Files: proto/canonical,
+ proto/generic, proto/virtual.
+
+ Documentation: bitrot in postsuper(1) example. Different
+ groff versions produce different results; some systems no
+ longer support historical "tail -number" command syntax.
+ Fix by Geert Stappers. File: postsuper/postsuper.c.
+
+20160918
+
+ Logging: the Postfix SMTP server logs the sasl_username
+ after rejected SMTP commands. As before, the SMTP server
+ does not forward SASL login information to other Postfix
+ subsystems, and it does not receive SASL login information
+ in XFORWARD commands. File/smtpd/smtpd.c.
+
+20160925
+
+ Bugfix (introduced: Postfix 2.11): changed the default MySQL
+ option_group value to "client" to enable the reading of
+ "client" option group settings in the MySQL option file.
+ This fixes false "not found" errors with Postfix queries
+ that contain UTF8-encoded text. Fix by John Fawcett.
+ Specify an empty option_group value to get backwards-compatible
+ behavior. Files: global/dict_mysql.c, proto/mysql_table.
+
+20161007
+
+ Bitrot: API for the ersatz inet_ntop() function, when
+ compiling with -DNO_IPV6 (which exists only for debugging).
+ Files: util/sys_defs.h, util/sys_compat.c.
+
+20161008
+
+ Feature: smtp_tcp_port, similar to the existing lmtp_tcp_port.
+ Files: mantools/postlink, proto/postconf.proto,
+ global/mail_params.h, smtp/smtp.c, smtp/smtp_connect.c,
+ smtp/smtp_params.c.
+
+ Feature: "PASS" and "STRIP" actions in header/body_checks.
+ "STRIP" is similar to "IGNORE" but also logs the action,
+ and "PASS" disables header, body, and Milter inspection for
+ the remainder of the message content. Contributed by Hobbit.
+ Files: cleanup/cleanup_message.c, global/header_body_checks.c.
+
+20161024
+
+ Feature: smtpd_milter_maps, per-client Milter configuration
+ that overrides smtpd_milters, and that has the same syntax.
+ Files: mantools/postlink, proto/MILTER_README.html,
+ proto/postconf.proto, global/mail_params.h, smtpd/smtpd.c,
+ smtpd/smtpd.h, smtpd/smtpd_sasl_proto.c, smtpd/smtpd_state.c.
+
+20161103
+
+ Cleanup: error reporting for IDNA (non-ASCII domain name)
+ conversion errors. File: util/midna_domain.c.
+
+ Cleanup: non-transitional conversion of UTF8 to/from ASCII
+ domain name labels used in DNS queries. This disables
+ 'transitional' compatibility between IDNA2003 and IDNA2008,
+ and affects some corner cases such as German sz and Greek
+ zeta. Specify "enable_idna2003_compatibility = yes" to
+ restore historical behavior. Files: util/midna_domain.[hc],
+ mantools/postlink, global/mail_params.[hc], proto/postconf.proto,
+ proto/SMTPUTF8_README.html.
+
+20161105
+
+ Bugfix (introduced: Postfix 1.1): the postsuper command did
+ not count a successful rename operation after error recovery.
+ Problem reported by Markus Schönhaber. File: postsuper/postsuper.c.
+
+ Cleanup: error reporting for IDNA (non-ASCII domain name)
+ conversion errors, and enable_idna2003_compatibility
+ configuration. File: util/midna_domain.c.
+
+20161106
+
+ Documentation: specify the minimum ICU library version (4.6).
+ File: proto/SMTPUTF8_README.html.
+
+20161109
+
+ Portability: force LC_ALL=C in dict_utf8 test. This should
+ probably be in every shell script.
+
+20161120
+
+ Documentation: clarified the syntax of $name and ${name...}
+ in parameter values, and some wordsmithing. Files:
+ proto/postconf.html.prolog, proto/postconf.man.prolog.
+
+20161123
+
+ Documentation: clarified reject_non_fqdn_{sender,recipient}.
+ The syntax check applies only for domains that are actually
+ specified, not for missing domains. File: proto/postconf.proto.
+
+20161126
+
+ Cleanup: the postfix-install option "-keep-new-mtime" was
+ renamed to "-keep-build-mtime". File: postfix-install.
+
+ Feature: "make makefiles POSTFIX_INSTALL_OPTS=-keep-build-mtime"
+ to set the installed file mtimes to their build time instead
+ of their installation time. Based on code by Ondřej Lysoněk.
+ Wietse added a guard to prevent POSTFIX_INSTALL_OPTS from
+ passing arbitrary options. Files: makedefs, Makefile.in,
+ proto/INSTALL.html.
+
+20161201
+
+ Documentation: add 'smtpd_tls_auth_only=yes' to the master.cf
+ submission service example. File: conf/master.cf.
+
+20161202
+
+ Documentation: typos in postconf(1) manpage. File:
+ postconf/postconf.c.
+
+20161204
+
+ Cleanup: properly report numerical conversion errors in
+ ${{number} relational-operator ${number}}, and wordsmithing.
+ File: util/mac_expand.c.
+
+ Updated auxiliary/collate/collate.pl with Viktor's suggestion
+ in <98D25E24-EAB1-42BB-82FD-794F5DDD4E7F@dukhovni.org> for
+ better tracking of message flows.
+
+ Cleanup: remove tentative features that were implemented
+ before the DANE spec was finalized: support for certificate
+ usage PKIX-EE(1), the ability to disable digest agility
+ (Postfix now behaves as if "tls_dane_digest_agility = on"),
+ and the ability to disable support for "TLSA 2 [01] [12]"
+ records that specify the digest of a trust anchor (Postfix
+ now behaves as if "tls_dane_trust_anchor_digest_enable =
+ yes). Viktor Dukhovni. Files: mantools/postlink,
+ proto/postconf.proto, proto/TLS_README.html, tls/tls.h,
+ tls/tls_dane.c, smtp/smtp.c.
+
+ Bugfix (introduced: Postfix 3.1): cut-and-paste error in
+ the "postfix tls deploy-server-cert" command, causing the
+ wrong certfile and keyfile to be used. Viktor Dukhovni.
+ File: conf/postfix-tls-script.
+
+ Robustness: create a new keyfile when "postfix tls
+ new-server-cert" is invoked, and main.cf specifies a
+ non-existent keyfile. Viktor Dukhovni. File:
+ conf/postfix-tls-script.
+
+20161205
+
+ Cleanup: log the sender address when rejecting a too large
+ message size in a "MAIL FROM:<sender> SIZE=nnn" command.
+ File: smtpd/smtpd.c.
+
+20161206
+
+ Bugfix (introduced: Postfix 3.0): when receiving a MAIL
+ FROM...SMTPUTF8 command while smtpd_delay_reject=no, enable
+ SMTPUTF8 support before processing smtpd_sender_restrictions.
+ Problem reported by Viktor Dukhovni. File: smtpd/smtpd.c.
+
+ Bugfix (introduced: Postfix 3.0): when receiving a
+ VRFY...SMTPUTF8 command, enable SMTPUTF8 support while
+ processing smtpd_recipient_restrictions. File: smtpd/smtpd.c.
+
+20161220
+
+ Bugfix (introduced: Postfix 2.1.0): the Postfix SMTP daemon
+ did not query sender_canonical_maps when rejecting unknown
+ senders with "smtpd_reject_unlisted_recipient = yes" or
+ with reject_unlisted_sender. Stephen R. van den Berg (Mr.
+ procmail). Files: smtpd/smtpd.c, smtpd/smtpd_check.c.
+
+20161217
+
+ Enable elliptic curve negotiation with OpenSSL >= 1.0.2.
+ This changes the default smtpd_tls_eecdh_grade setting to
+ "auto", and introduces a new parameter tls_eecdh_auto_curves
+ with the names of curves that may be negotiated. The default
+ tls_eecdh_auto_curves setting is determined at compile time,
+ and depends on the Postfix and OpenSSL versions. At runtime,
+ Postfix will skip curve names that aren't supported by the
+ OpenSSL library. Viktor Dukhovni. Files: mantools/postlink,
+ proto/FORWARD_SECRECY_README.html, proto/TLS_README.html,
+ proto/postconf.proto, global/mail_params.h, smtpd/smtpd.c,
+ tls/tls.h, tls/tls_client.c, tls/tls_dh.c, tls/tls_misc.c,
+ tls/tls_server.c.
+
+ Feature: stored-procedure support for MySQL databases.
+ John Fawcett. Files: global/dict_mysql.c, proto/mysql_table.
+
+20161223
+
+ Bugfix (introduced: Postfix 3.2 snapshots): the makedefs
+ script produced a garbled CCARGS setting when no suitable
+ ICU library was found. File: makedefs.
+
+20161225
+
+ Cleanup: simplified handling of unsupported curve names in
+ the tls_eecdh_auto_curves parameter value. File: tls/tls_dh.c.
+
+ Cleanup: simplified code structure in the MySQL client
+ support for stored procedures. File: global/dict_mysql.c.
+
+20161226
+
+ Cleanup: more MySQL client code simplification, better error
+ messages, new per-database "require_result_set" parameter
+ (default: yes) which can be set to "no" to avoid the need
+ for dummy SELECT statements in stored procedures. Files:
+ global/dict_mysql.c, proto/mysql_table, postconf/postconf_dbms.c.
+
+ Portability: SSL_CTX_set_ecdh_auto() is part of the deprecated
+ OpenSSL API, so it must be used under #ifdef. Viktor Dukhovni.
+ File: src/tls/tls_dh.c.
+
+20161227
+
+ Safety: the sendmail -C option must specify an authorized
+ configuration directory: the default configuration directory,
+ a directory that is listed in the default main.cf file with
+ alternate_config_directories or multi_instance_directories,
+ or the command must be invoked with root privileges. This
+ mitigates a problem with the PHP mail() function. Files:
+ global/mail_conf.[hc], sendmail/sendmail.c.
+
+20161228
+
+ Documentation: moved the "BACKWARDS COMPATIBILITY" sections
+ to the end of ldap_table, mysql_table, pgsql_table, and
+ sqlite_table, renamed to "OBSOLETE MAIN.CF PARAMETERS".
+
+20161231
+
+ Bugfix (introduced: 20160521): segfault (null pointer) in
+ cidr, pcre, and regexp table when an input does not match
+ an ENDIF-less IF operator. Found during code maintenance.
+ File: util/cidr_map.c, util/dict_regexp.c, util/dict_pcre.c.
+
+20170101
+
+ Portability; SunOS5 builds broke after moving the sys/types.h
+ include statement to the top of sys_defs.h.
+
+ Portability: declaration after code is GNU dialect. File:
+ util/vbuf_print.c.
+
+ Portability: compatibility macros for SSLv23_client_method()
+ etc. deprecation. Files: tls/tls.h, tls/tls_client.c,
+ tls/tls_dane.c, tls_server.c.
+
+201606-20170108
+
+ Cleanup: handling of address extensions with email addresses
+ that contain spaces. The virtual_alias_maps, canonical_maps,
+ and smtp_generic_maps features now correctly propagate an
+ address extension from "aa bb+ext"@example.com to "cc
+ dd+ext"@other.example, instead of producing broken output.
+
+ Files updated to support conversion between unquoted and
+ quoted address forms, as required for addresses that contain
+ spaces: global/mail_addr_map.*, global/mail_addr_find.* and
+ global/mail_addr_crunch.*.
+
+ Files updated to enable these address conversions to correctly
+ propagate address extensions: cleanup/cleanup_map11.c
+ (canonical_maps), cleanup/cleanup_map1n.c (virtual_alias_maps),
+ and smtp/smtp_generic.c (smtp_generic_maps).
+
+ Files updated to rename functions to better reflect their
+ input and output forms: global/split_addr.*, global/strip_addr.*.
+
+ Files updated to support quoted lookup keys: util/dict_inline.c,
+ util/dict_thash.c, postmap/postmap.c.
+
+ Files updated to invoke a backwards-compatible mail_addr_find()
+ version that disables quoted/unquoted address conversions:
+ smtp/smtp/smtp_sasl_glue.c (smtp_sasl_password_maps),
+ smtpd/smtpd_check.c (SMTP server address validation),
+ cleanup/cleanup_addr.c (sender_bcc_maps and recipient_bcc_maps),
+ virtual/mailbox.c (user-related table lookups),
+ trivial-rewrite/transport.c (transport_maps),
+ trivial-rewrite/resolve.c (sender_dependent_mumble_maps,
+ relocated_maps). These features may be migrated later to
+ enable quoted-form address lookup keys, for consistency
+ with other Postfix features.
+
+20170109
+
+ Cleanup: reduce the number of modified files relative to
+ the last regular release, to make a back-port more feasible.
+ This renames the new mail_addr_find() to mail_addr_find_opt(),
+ and renames the backwards_compatibility mail_addr_find_noconv()
+ to its old name mail_addr_find(). Added backwards-compatible
+ aliases {split,strip}_addr() for {split,strip}_addr_local().
+ To ensure correctness these edits were done mechanically,
+ and verified mechanically.
+
+20170111
+
+ Documentation: when (smtp|lmtp)_delivery_status_filter is
+ applied. File: proto/postconf.proto.
+
+20170114
+
+ Cleanup: careful handling of local-parts that contain '@',
+ as they are converted into quoted form. Files:
+ global/mail_addr_find.*, global/quote_822_local.*,
+ global/quote_flags.*.
+
+ Cleanup: added unit tests for malformed inputs. Files:
+ util/dict_thash{in,ref}.
+
+ Cleanup: minimize the patch size of the quoting fixes, and
+ a preliminary back-port to Postfix 3.1.4.
+
+20170115
+
+ Cleanup: enable "externalized" address lookup by default,
+ with legacy-style "internalized" lookup for backwards
+ compatibility, for sender_bcc_maps, recipient_bcc_maps,
+ smtp_sasl_passwd_maps, smtpd_sender_login_maps, relocated_maps,
+ sender_dependent_mumble_maps, virtual_{mailbox,uid,gid}_maps.
+ File: global/mail_addr_find.c.
+
+ Cleanup: enable "externalized" address lookup by default,
+ with legacy-style "internalized" lookup for backwards
+ compatibility, for transport_maps. Files: global/mail_addr_find.*,
+ trivial-rewrite/transport.*.
+
+ Cleanup: mail_addr_find_() now has a configurable strategy
+ for full and partial address lookup, so that it may also
+ be used for localpart lookup in access maps.
+
+20170116:
+
+ Cleanup: parent domain matching is now implemented in the
+ mail_addr_find() engine. Simplified the transport_maps
+ lookup to just one mail_addr_find_() call. Files:
+ global/mail_addr_find.*, trivial-rewrite/transport.*.
+
+ Cleanup: enabled "externalized" address lookup by default,
+ with legacy-style "internalized" lookup for backwards
+ compatibility, for check_sender_access and check_recipient_access.
+ This now uses 'user@' lookup support in the mail_addr_find()
+ engine. File: global/mail_addr_find.*, smtpd/smtpd_check.c.
+
+20170122
+
+ Cleanup: separated the database query form from the address
+ form that is input to mail_addr_find_() or mail_addr_map*(),
+ in attempt to make code more obviously correct. Files:
+ global/mail_addr_find.c, global/mail_addr_map.c.
+
+ Abandoned an experiment that used internal-form queries for
+ all maps, because it would be very difficult to test. The
+ tests inputs would have to compensate for multiple levels
+ of unquoting by postmap, C compilers, or shell interpreters.
+
+ Cleanup: moved the backwards-compatibility lookup strategy
+ (try the external address form first, then the internal
+ address form if it is different) inside the loop that
+ iterates over full and partial address forms. File:
+ global/mail_addr_find.c.
+
+20170125
+
+ Cleanup: mail_addr_find test scripting. Eliminate main.cf
+ dependencies, and allow all tests to run in one process.
+ Files: global/mail_addr_find.*
+
+20170127
+
+ Cleanup: mail_addr_find and mail_addr_form named constants.
+ Files: global/mail_addr_form.h, mail_addr_find.h, and
+ dependents.
+
+20170128
+
+ Cleanup: smtp_generic_maps implementation. Reduced the
+ number of internal<->external form address conversions,
+ added more rigorous tests, and eliminated the main.cf and
+ trivial-rewrite dependencies. Files: smtp_map11.*.
+
+20170129
+
+ Cleanup: bogus UTC timezone setting for postqueue/mailq
+ command output, and other environment settings for root and
+ non-root users in set-gid programs. File: postqueue/postqueue.c
+ (enforce import_environment name=value overrides for root
+ users), util/msg_syslog_init.c (don't override non-existent
+ TZ settings with UTC), util/unsafe.c (exclude uid==0, euid==0
+ super-user from privilege escalation concerns).
+
+20170131
+
+ Cleanup: more complete VALGRIND coverage for test build targets
+ and scripts. Files: postalias/fail_test.in, postmap/fail_test.in,
+ postmap/quote_test.in, util/dict_pipe_test.in,
+ util/dict_union_test.in, util/dict_utf8_test.in.
+
+
+20170201
+
+ Portability: unsetenv() for ancient platforms. File:
+ makedefs, util/sys_compat.c.
+
+20170205
+
+ Cleanup: security checks for config_directory overrides.
+ File: global/mail_conf.c.
+
+ Cleanup: enforce import_environment name=value settings in
+ command-line utilities, for consistency with Postfix daemons (but
+ without removing environment variables). This is not enforced
+ in the postconf command which must be able to process main.cf
+ files with incomplete settings. Files: postalias/postalias.c,
+ postcat/postcat.c, postkick/postkick.c, postlock/postlock.c,
+ postlog/postlog.c, postmap/postmap.c, postsuper/postsuper.c,
+ posttls-finger/posttls-finger.c, sendmail/sendmail.c,
+ util/clean_env.[hc].
+
+20170206
+
+ Bugfix (introduced: Postfix 3.0): check_mumble_a_access
+ did not handle [ipaddress], unlike check_mumble_mx_access.
+ When check_mumble_a_access was introduced, some condition
+ was not updated. Reported by James (postfix_tracker). File:
+ smtpd/smtpd_check.c.
+
+20170207
+
+ Cleanup: rephrased paranoia precondition. File: global/mail_conf.c.
+
+20170211
+
+ Cleanup: rephrased paranoia precondition. File: util/unsafe.c.
+
+20170218
+
+ Cleanup: typofixes from klemens. The only change in compiled
+ code is in one identical mysql error message that also
+ appears in the pgsql client. Files: about 50.
+
+20170221
+
+ Compatibility fix (introduced: Postfix 3.1): some Milter
+ applications do not recognize macros sent as {name} when macros
+ have single-character names. Postfix now sends such macros
+ without {} as it has done historically. Viktor Dukhovni. File:
+ milter/milter.c.
+
+20170228
+
+ Documentation: re-word scary warnings at the top of SASL_README
+ and TLS_README.
+
+20170402
+
+ Bugfix (introduced: Postfix 3.2): restore the SMTP server
+ receive override options at the end of an SMTP session,
+ after the options may have been modified by an smtpd_milter_maps
+ setting of "DISABLE". Problem report by Christian Rößner,
+ root cause analysis by Viktor Dukhovni. File: smtpd/smtpd.c.
+
+20170430
+
+ Safety net: append a null byte to vstring buffers, so that
+ C-style string operations won't scribble past the end. File:
+ vstring.[hc].
+
+20170505
+
+ Workaround for a current problem where some destination
+ announces primarily IPv6 MX addresses, the smtp_address_limit
+ eliminates most or all IPv4 addresses, and the destination
+ is not reachable over IPv6. This workaround is enabled with
+ "smtp_balance_mx_inet_protocols = yes", which is the default.
+ Files: smtp/smtp.c, smtp/smtp_params.c, smtp/smtp_addr.c,
+ global/mail_params.h, proto/postconf.proto.
+
+20170506
+
+ A last-minute cosmetic fix had introduced a bug in
+ smtp/smtp_addr.c.
+
+20170512
+
+ Bugfix (introduced: Postfix 2.0): the MIME nesting level
+ counter was not initialized (i.e. left at the memory fill
+ pattern 0xffffffff which equals -1). This broke unit tests
+ with a different memory allocator. Changing the value to
+ zero would break backwards compatibility (reject mail that
+ was previously not rejected). Files: global/mime_state.c.
+
+20170531
+
+ Bugfix (introduced: Postfix 3.2): after the table lookup
+ overhaul, the check_sender_access and check_recipient_access
+ features ignored the parent_domain_matches_subdomains
+ setting. Reported by Henrik Larsson. File: smtpd/smtpd_check.c.
+
+ Workaround (introduced: Postfix 3.2): mail_addr_find() logs
+ a warning that it does not support both parent-domain and
+ dot-parent-domain style lookups in the same call. File:
+ global/mail_addr_find.c
+
+20170610
+
+ Workaround (introduced: Postfix 3.0 20140718): prevent MIME
+ downgrade of Postfix-generated message/delivery-status.
+ It's supposed to be 7bit, therefore quoted-printable encoding
+ is not expected. Problem reported by Griff. File:
+ bounce/bounce_notify_util.c.
+
+ Documentation: indicate that the transport_mumble parameters
+ are implemented by the queue manager, not by delivery agents.
+ Files: mantools/postlink, local/local.c, pipe/pipe.c,
+ *qmgr/qmgr.c, smtp/smtp.c, virtual/virtual.c.
+
+20170611
+
+ Security: Berkeley DB 2 and later try to read settings from
+ a file DB_CONFIG in the current directory. This undocumented
+ feature may introduce undisclosed vulnerabilities resulting
+ in privilege escalation with Postfix set-gid programs
+ (postdrop, postqueue) before they chdir to the Postfix queue
+ directory, and with the postmap and postalias commands
+ depending on whether the user's current directory is writable
+ by other users. This fix does not change Postfix behavior
+ for Berkeley DB < 3, but reduces file create performance
+ for Berkeley DB 3 .. 4.6. File: util/dict_db.c.
+
+20170617
+
+ Cleanup: the postconf command warns about unknown parameter
+ names in a database configuration file, specified as an
+ absolute pathname (for example, ldap:/path/to/file). This
+ code was mostly written in January 2017, and it still is a
+ partial implementation. Files: postconf/postconf_dbms.c,
+ postconf/Makefile.in, postconf/test66.ref.
+
+20170618
+
+ Cleanup: added missing "defined(__GLIBC__)" guards for
+ GLIBC version tests. File: util/sys_defs.h.
+
+20170620
+
+ Bugfix (introduced: Postfix 3.2) extension propagation was
+ broken with "recipient_delimiter = .". This change reverts
+ a change that was trying to be too clever. Files:
+ global/mail_adr_crunch.c, global/mail_addr_crunch.ref.
+
+20170704
+
+ Typos (introduced: Postfix 2.10): in comments about
+ IPv4-in-IPv6 addresses, replace :ffff::1.2.3.4 with the
+ correct form ::ffff:1.2.3.4. Incorrect or misleading comments
+ are worse than no comments. Files: smtpd/smtpd_haproxy.c,
+ postscreen/postscreen_haproxy.c.
+
+20170721
+
+ Bitrot: updated postconf LDAP database configuration check with
+ SASL and TLS-related parameters. Reported by Ralf Hildebrandt.
+ File: postconf/postconf_dbms.c.
+
+20170722
+
+ Cleanup: don't log the 'delay_dotcrlf' workaround for CISCO
+ PIX bugs before the smtp_pix_workaround_threshold_time has
+ passed. Reported by Ralf Hildebrandt. File: smtp/smtp_proto.c.
+
+20170727
+
+ Cleanup: the postconf command now uses mechanically-generated
+ lists of DBMS parameter names. This eliminates false positives
+ with mysql databases. Files: postconf/Makefile.in,
+ postconf/extract_cfg.sh, postconf/postconf_dbms.c.
+
+ Cleanup: removed `#if 0/#endif' dead code from dict_ldap.c,
+ to avoid spurious output from the extract_cfg.sh parameter name
+ extraction tool.
+
+20170728
+
+ Documentation: added warnings that "enable_original_recipient
+ = no" prevents Postfix <= 3.2 from saving the address
+ verification result under the original probe destination
+ address, if it is changed by aliasing or canonical mapping.
+ Files: proto/ADDRESS_VERIFICATION_README.html,
+ proto/postconf.proto.
+
+ Cleanup: don't store an empty address in the verify cache
+ (this could happen with "enable_original_recipient = no").
+ File: global/verify.c.
+
+20170729
+
+ Cleanup: the setting "enable_original_recipient = no" no
+ longer breaks address verification for aliased addresses.
+ This does not change the behavior of the X-Original-To
+ header and of recipient deduplication. The fix is to always
+ store the original recipient in queue files. Some other
+ changes were needed to move ownership of the var_enable_orcpt
+ parameter from the cleanup daemon to the global library.
+ Files: cleanup/cleanup_init.c, cleanup/cleanup_milter.c,
+ cleanup_out_recipient.c, global/mail_params.c, global/mail_copy.c,
+ proto/postconf.proto proto/ADDRESS_VERIFICATION_README.html,
+ local/local.c, virtual/virtual.c, pipe/pipe.c.
+
+20170730
+
+ Bugfix (introduced: yesterday): revert global/verify.c code
+ to always store the verify result under the original address,
+ and to conditionally store it under the rewritten address.
+ File: global/verify.c.
+
+20170827
+
+ Safety: in vstream_buf_space(), add a sanity check to reject
+ negative request sizes, instead of letting the program fail
+ later. File: util/vstream.c
+
+ Bugfix: in tests that enable the VSTRING_FLAG_EXACT flag,
+ vstring_buf_put_ready() could fail to extend the buffer,
+ causing infinite recursion in VBUF_PUT(). File: util/vstring.c.
+
+20170830
+
+ Bugfix: in vbuf_print(), save the parser-produced format
+ string before calling msg_panic(), so that the panic message
+ will not display its own format string. File: util/vbuf_print.c.
+
+20170831
+
+ Undefined behavior (introduced Postfix 1.0): after subtracting
+ a larger unsigned integer from a smaller one, do not assign
+ the result to a signed integer. File: postqueue/showq_compat.c.
+
+20170910
+
+ Safety: restore sanity checks for dynamically-specified
+ width and precision in format strings (%*, %.*, and %*.*).
+ These checks were lost with the Postfix 3.2 rewrite of
+ the vbuf_print formatter. File: vbuf_print.c.
+
+ Bugfix (introduced: postfix-alpha): improve the 'fatal:
+ invalid option' message to show the optopt value instead of
+ the getopt() result. Files: master/*server.c.
+
+20170923
+
+ Bugfix (introduced: Postfix 3.2): panic in the postqueue
+ command after output write error while listing the queue.
+ This change restores a write error check that was lost with
+ the Postfix 3.2 rewrite of the vbuf_print formatter.
+ Problem reported by Andreas Schulze. File: util/vbuf_print.c.
+
+20170924
+
+ Cleanup: terminate early after output write error. Files:
+ showq/show_compat.c, showq/show_json.c.
+
+20171009
+
+ Bugfix (introduced: Postfix 3.1): DANE support. Postfix
+ builds with OpenSSL 1.0.0 or 1.0.1 failed to send email to
+ some sites with "TLSA 2 X X" records associated with an
+ intermediate CA certificate. Problem report and initial
+ fix by Erwan Legrand. File: src/tls/tls_dane.c.
+
+20171024
+
+ Bugfix (introduced: Postfix 3.0) missing dynamicmaps support
+ in the Postfix sendmail command broke authorized_submit_users
+ with a dynamically-loaded map type. File: sendmail/sendmail.c.
+
+20171116
+
+ Bugfix (introduced: Postfix 2.1): don't log warnings
+ that some restriction returns OK, when the access map
+ DISCARD feature is in effect. File: smtpd/smtpd_check.c.
+
+20171209
+
+ Documentation: the effects of owner_request_special and
+ reset_owner_alias on alias expansion. Files: proto/aliases,
+ proto/postconf.proto.
+
+20171215
+
+ Bugfix (introduced: 20170611): the DB_CONFIG bugfix broke
+ Berkeley DB configurations with a relative pathname. File:
+ util/dict_db.c.
+
+20171218
+
+ Workaround: reportedly, some res_query(3) implementation
+ can return -1 with h_errno==0. Instead of terminating with
+ a panic, the Postfix DNS client now logs a warning and sets
+ h_errno to TRY_AGAIN. File: dns/dns_lookup.c.
+
+ Cleanup: allow XCLIENT before STARTTLS, when TLS is required.
+ File: smtpd/smtpd.c.
+
+20171219
+
+ Feature: preliminary support to run Postfix in the foreground.
+ This requires that multi-instance support is disabled.
+ Files: conf/postfix-script, postfix/postfix.c.
+
+20171223
+
+ Feature: Milters can now send RET and ENVID arguments in
+ SMFIR_CHGFROM requests. Files: cleanup/Makefile.in,
+ cleanup/cleanup.h, cleanup/cleanup_envelope.c,
+ cleanup/cleanup_milter.c, cleanup/cleanup_milter.in13h,
+ cleanup/cleanup_milter.in13i, cleanup/cleanup_milter.ref13c,
+ cleanup/cleanup_milter.ref13d, cleanup/cleanup_milter.ref13f,
+ cleanup/cleanup_milter.ref13g, cleanup/cleanup_milter.ref13h,
+ cleanup/cleanup_milter.ref13i, cleanup/cleanup_state.c,
+ cleanup/test-queue-file13h, cleanup/test-queue-file13i,
+ oqmgr/qmgr_message.c, qmgr/qmgr_message.c.
+
+20171226
+
+ Documentation patches by Sven Neuhaus. Files:
+ proto/FORWARD_SECRECY_README.html, proto/MILTER_README.html,
+ proto/SMTPD_ACCESS_README.html.
+
+20171227
+
+ Feature: postgresql:// URI support by Magosányi Árpád.
+ Files: global/dict_pgsql.c, proto/pgsql_table.
+
+ Cleanup: added employer attributions for non-trivial changes
+ after Wietse changed employers.
+
+20180106
+
+ Compatibility: with compatibility_level < 1, the SMTP server
+ now warns for mail that would be blocked by the Postfix
+ 2.10 smtpd_relay_restrictions feature. This extends the
+ safety net for sites that upgrade from earlier Postfix
+ versions (questions on the postfix-users list show a steady
+ trickle). Files: proto/COMPATIBILITY_README.html,
+ global/mail_params[hc], smtpd/smtpd_check.c.
+
+ Cleanup: reset compatibility_level warnings after 'postfix
+ reload'. This is relevant primarily for the master daemon.
+ File: global/mail_params.c.
+
+ Cleanup: missing mailbox seek-to-end error check in the
+ local(8) delivery agent. File: local/mailbox.c.
+
+ Cleanup: incorrect mailbox seek-to-end error message in the
+ virtual(8) delivery agent. File: virtual/mailbox.c.
+
+20180107
+
+ Cleanup: Postfix-generated From: headers with 'full name'
+ information are now formatted as "From: name <address>" by
+ default. Specify "header_from_format = obsolete" for the
+ earlier form "From: address (name)". Files: proto/postconf.proto,
+ cleanup/cleanup.h, cleanup_init.c, cleanup_message.c,
+ mail_params.h.
+
+20180113
+
+ Bugfix: "postconf -M" commands did not warn about unused
+ name=value settings in master.cf. File: postconf/postconf.c.
+
+ Bugfix: "postconf -xM" now expands $process_name using the
+ daemon file name in master.cf, instead of the "postconf"
+ command process name. Files: postconf/postconf.h,
+ postconf/postconf_lookup.c, postconf/postconf_master.c.
+
+ Feature: read-only service_name parameter that contains the
+ master.cf service name. This allows, for example, setting
+ the syslog_name with "-o syslog_name=postfix/$service_name"
+ for the "submission" and "smtps" services. Files:
+ proto/postconf.proto global/mail_params.h, global/mail_params.c,
+ master/single_server.c, master/multi_server.c,
+ master/trigger_server.c, master/event_server.c,
+ postconf/postconf_master.c, postconf/postconf_builtin.c,
+ and daemon manpages.
+
+20180114
+
+ Paranoia: censor the postqueue process name, similar to the
+ set-gid postdrop program. File: postqueue/postqueue.c.
+
+ Cleanup: the new "service_name" parameter is applicable
+ only to Postfix daemons configured in master.cf; hyperlink
+ the parameter name in documentation. Files: proto/postconf.proto,
+ mantools/postlink, daemon manpages.
+
+ Cleanup: allow whitespace between $[{(], parameter name,
+ and [:?)}]. This allows making complex expressions more
+ readable with line breaks. File: util/mac_expand.c.
+
+ Cleanup: don't initialize the service_name parameter with
+ the process_name value. Files: postconf/postconf.[hc],
+ postconf/postconf_builtin.c.
+
+20180121
+
+ Bugfix (introduced: 20180106): too many arguments for format
+ string. File: local/mailbox.c.
+
+20180128
+
+ Documentation: the tcp_table(5) manpage now documents the
+ absence of substring lookups. File: proto/tcp_table.
+
+20180203
+
+ Licence: in addition to the historical IBM Public License
+ 1.0, this software is now also distributed with the more
+ recent Eclipse Public License 2.0. Recipients can choose
+ to take the software under the license of their choice.
+ Those who are more comfortable with the IPL can continue
+ with that license. File: LICENSE.
+
+20180217
+
+ Cleanup: added 22 missing *_maps parameters to the default
+ proxy_read_maps setting. Files: global/mail_params.h,
+ mantools/missing-proxy-read-maps.
+
+20180218
+
+ Cleanup: back-ported the missing-proxy-read-maps script to
+ older Postfix releases, and added error checks. Undid some
+ of the 20180217 changes in mail_params.h that are no longer
+ needed.
+
+ Bugfix (introduced: 20120117): postconf should scan only
+ built-in or service-defined parameters for ldap, *sql, etc.
+ database names. Problem reported by Christian Rößner. Files:
+ postconf/postconf_user.c.
+
+20180224
+
+ Workaround: postconf build did not abort if the m4 command
+ is not installed (on a system that does have the make command,
+ the awk command, the perl command, and the C compiler?!).
+ File: postconf/extract_cfg.sh.
+
+20180303
+
+ Portability: slight differences between MySQL and MariaDB.
+ Olli Hauer. File: global/dict_mysql.c.
+
+20180306
+
+ Bugfix (introduced: 19990302): when luser_relay specifies
+ a non-existent local address, the luser_relay feature becomes
+ a black hole. Reported by Jørgen Thomsen. File: local/unknown.c.
+
+ Portability: FreeBSD 11 is supported. Files: makedefs,
+ util/sys_defs.h.
+
+20180403
+
+ Containers: "postfix start-fg" will now attempt to run the
+ master daemon as PID 1, and "postfix stop" will use a
+ stronger signal if the master does not stop. Files:
+ conf/postfix-script, master/master.c, master/master_sig.c,
+ postfix/postfix.c.
+
+20180404
+
+ Containers: "postfix start-fg" running as PID=1 will now
+ properly terminate after "postfix stop". With assistance
+ from Andreas Schulze and Eray Aslan. Files: master/master.c,
+ master/master.h, master/master_sig.c.
+
+20180421
+
+ Documentation: in the protocol description mention early
+ on that a policy server must not close the connection unless
+ there is an error. File: proto/SMTPD_POLICY_README.html.
+
+20180422
+
+ Undocumented: when running in PID=1 mode on Linux, a signal
+ won't be delivered unless the process specifies a handler.
+ Conveniently, _exit() can be used directly as a signal
+ handler. This changes the wait status that a parent would
+ see, but in the case of PID=1 mode on Linux, no-one would
+ care. Viktor Dukhovni. File: util/killme_after.c.
+
+ Bugfix (introduced: Postfix 2.8): missing tls_server_start()
+ error propagation in tlsproxy(8) resulting in segfault after
+ TLS handshake error. Found during code maintenance. File:
+ tlsproxy/tlsproxy.c.
+
+ Connection reuse for TLS-encrypted SMTP sessions. This is
+ work-in-progress, #ifdef USE_TLSPROXY, to avoid contamination
+ of existing code.
+
+ The idea is to have smtp(8) talk plaintext while tlsproxy(8)
+ converts between local plaintext and remote ciphertext.
+ Then, smtp(8) can save plaintext connections to the cache,
+ and scache(8) holds the handles to the tlsproxy(8) processes.
+
+ This preliminary implementation does not yet support proxying
+ of DANE attributes from smtp(8) to tlsproxy(8). tlsproxy(8)
+ does not have permissions to read private key files that
+ smtp(8) can read. And the name of a connection cache entry
+ does not yet depend on whether the cached connection uses
+ TLS, nor does it depend on DANE information.
+
+ Files: global/mail_proto.h, postscreen/postscreen_starttls.c,
+ posttls-finger/posttls-finger.c, smtp/smtp.c, smtp/smtp.h,
+ smtp/smtp_params.c, smtp/smtp_proto.c, smtp/smtp_session.c,
+ smtpd/smtpd.c, tls/tls.h, tls/tls_client.c, tls/tls_proxy.h,
+ tls/tls_proxy_client_init_print.c,
+ tls/tls_proxy_client_init_scan.c,
+ tls/tls_proxy_client_start_print.c,
+ tls/tls_proxy_client_start_scan.c, tls/tls_proxy_clnt.c,
+ tls/tls_proxy_context_print.c, tls/tls_proxy_context_scan.c,
+ tls/tls_proxy_server_init_print.c,
+ tls/tls_proxy_server_init_scan.c,
+ tls/tls_proxy_server_start_print.c,
+ tls/tls_proxy_server_start_scan.c, tlsproxy/tlsproxy.c,
+ tlsproxy/tlsproxy.h, tlsproxy/tlsproxy_state.c, util/argv_attr.h,
+ util/argv_attr_print.c, util/argv_attr_scan.c.
+
+20180425
+
+ Cleanup: dnsblog proccesses now retire voluntarily after
+ max_use*max_idle seconds. Files: master/mail_server.h,
+ master/single_server.c, dnsblog/dnsblog.c.
+
+20180429
+
+ Documentation: smtpd_relay_restrictions was incorrectly
+ listed before smtpd_recipient_restrictions. File:
+ proto/SMTPD_ACCESS_README.html.
+
+20180509
+
+ Bugfix (introduced: 20170617): postconf(1) command segfault
+ if unable to open a Postfix database configuration file due
+ to a file permission error. Report by Andreas Hasenack, fix
+ by Viktor Dukhovni. File: postconf/postconf_dbms.c.
+
+20180519
+
+ Documentation: updated descriptions of PID 1 mode in manpages
+ and source-code comments. Files: postfix/postfix.c,
+ master/master.c, master/master_sig.c, util/killme_after.c.
+
+ Documentation: document non-iterative lookup behavior
+ in postmap(1) and postalias(1) manpages. Files: postmap/postmap.c,
+ postalias/postalias.c.
+
+ Cleanup: the init-mode change should not forbid the combined
+ use of -D, -d and -w. File: master/master.c.
+
+20180520
+
+ Documentation: add backscatter remediation to the virtual(5)
+ and canonical(5) manpages. Files: proto/virtual, proto/canonical.
+
+ Bugfix (introduced: 20180425): broken implementation of
+ voluntary dnsblog retirement after max_use*max_idle seconds.
+ File: master/single_server.c.
+
+20180531
+
+ Documentation: bash syntax to eliminate or view default
+ settings in "postconf -n" output. File: postconf/postconf.c.
+ Contributed by various postfix-users list members.
+
+20180603
+
+ TLS reuse: serializer/deserializer support for TLS_DANE and
+ related data structures. Files: tls/tls_proxy_client_print.c,
+ tls/tls_proxy_client_scan.c, tls/tls_proxy.h, util/argv_attr.h,
+ util/argv_attr_print.c, util/argv_attr_scan.c.
+
+ TLS reuse: posttls-finger -X test flag for quick tests.
+ File: posttls-finger/posttls-finger.c.
+
+ TLS reuse: smtp_use_tlsproxy boolean parameter. This is a
+ preliminary implementation that should support override via
+ smtp_tls_policy_maps. Files: smtp.c, smtp_connect.c,
+ smtp_params.c, smtp_proto.c, smtp_session.c.
+
+ TLS reuse: the SMTP client now includes the requested TLS
+ security level in the scache(8) key.
+
+ TLS reuse: address-based reuse is allowed only for TLS
+ levels that require no certificate checks. Perhaps it still
+ makes sense to save such sessions for reuse by less sensitive
+ deliveries. Files: smtp/smtp.h smtp/smtp_reuse.c.
+
+20180604
+
+ TLS reuse: smtp_tls_connection_reuse boolean parameter, and
+ corresponding override with "connection_reuse" boolean
+ attribute in smtp_policy_maps. Files: global/mail_params.h,
+ smtp.c, smtp.h, smtp_params.c, smtp_proto.c, smtp_session.c,
+ smtp_tls_policy.c. proto/postconf.proto. mantools/postlink.
+
+20180605
+
+ TLS reuse: updated TLS_README and CONNECTION_CACHE_README,
+ added comments in tlsproxy.c to explain why it works.
+
+20180617
+
+ Bugfix (introduced: Postfix 2.11): minor memory leak when
+ minting issuer certs. This affects a tiny minority of use
+ cases. Fix by Viktor Dukhovni, based on a fix by Juan
+ Altmayer Pizzorno for Viktor's ssl_dane library.
+
+ Cleanup: support for longer timeouts after the TLS handshake,
+ so that the tlsproxy server won't time out too soon, while
+ the SMTP client waits for the end-of-data response. This
+ tlxproxy timeout is a redundant safety feature for the case
+ that the SMTP client does not enforce the SMTP-level time
+ limit. Files: tls/tls_proxy.h, tls/tls_proxy_clnt.c,
+ tlsproxy/tlsproxy.c, posttls-finger/posttls-finger.c,
+ postcreen/postscreen_starttls.c, smtp/smtp_proto.c.
+
+ Cleanup: earlier purging of unexpected plaintext. Files:
+ posttls-finger/posttls-finger.c, smtp/smtp_proto.c.
+
+ Release: first production snapshot with multiple outbound
+ deliveries per TLS-encrypted connection.
+
+20180618
+
+ Quick tlsproxy workaround: after the remote TLS peer shuts
+ down TLS, allow unsent inbound plaintext to trickle out
+ before tearing down the proxied connection. This addresses
+ a sporadic "lost connection after end-of-data" error in the
+ Postfix SMTP client, and addresses a sporadic "lost connection
+ after sending QUIT" error with "posttls-finger -X". File:
+ tlsproxy/tlsproxy.c.
+
+20180619
+
+ Segfault: don't lookup the TLS security level for nexthop-based
+ connection cache storage keys. The combination of (service,
+ nexthop, etc.) should be stable enough over the time range
+ of interest, and the policy is still enforced on an individual
+ connection to an MX host, before that connection is stored
+ under a nexthop- or host-based storage key. Files:
+ smtp/smtp_connect.c, smtp/smtp.h.
+
+20180620
+
+ TLS connection reuse: save and restore the TLS level for a
+ reused connection, so that the reused connection will be
+ saved under a key that matches the connection's original
+ TLS level. This was not a problem for destinations that
+ require certificate verification, because we currently reuse
+ connections that require certificate checks only if they
+ are looked up by their nexthop destination. File:
+ smtp/smtp_session.c.
+
+ TLS connection reuse: with TLS level > encrypt, prohibit
+ sharing of the same connection endpoint under different
+ nexthops, by making the nexthop part of the endpoint-based
+ connection cache lookup key. File: smtp/smtp.h.
+
+20180623
+
+ TLS connection reuse: replaced random logic with TLS_MUST_MATCH()
+ when deciding under what conditions an authenticated
+ connection may be reused. Files: smtp/smtp_proto.c,
+ smtp/smtp.h.
+
+ TLS connection reuse: a tlsproxy(8) process will retire
+ after max_idle*max_use, or some sane constant if either is
+ set to zero. Files: master/event_server.c, tlsproxy/tlsproxy.c.
+
+ Documentation: automatic retirement. File: master/single_server.c.
+
+ Documentation: the connection caching limitation for SMTP
+ over TLS is now obsolete. File: proto/CONNECTION_CACHE_README.html.
+
+20180701
+
+ Incompatibility: the tlsproxy(8) daemon now requires a zero
+ process limit in master.cf (this setting is provided with
+ the default master.cf file). See RELEASE_NOTES for how to
+ change the tlsproxy process limit. File: tlsproxy/tlsproxy.c.
+
+20180707
+
+ Bugfix (introduced: Postfix 3.0): with smtputf8_enable=yes,
+ table lookups could casefold the search string when searching
+ a lookup table that does not use fixed-string keys (regexp,
+ pcre, tcp, etc.). Historically, Postfix would not case-fold
+ the search string with such tables. File: util/dict_utf8.c.
+
+ Cleanup: removed unimplemented VSTRING support to enforce
+ a buffer size limit (by returning an error of sorts). In
+ practice, the limit was enforced in smtp_get(). Also made
+ the VSTRING inplementation more VSTREAM-compatible. Files:
+ util/vstring.[hc], posttls-finger/posttls-finger.c,
+ smtpstone/smtp-source.c.
+
+ Cleanup: unused variable. File: postqueue/postqueue.c.
+
+ Feature: VSTREAM support to "open" a VSTRING for read, write
+ or append mode, enabling the reuse of existing stream-based
+ code to serialize/deserialize Postfix data structures to/from
+ memory. File: vstream.[hc].
+
+ Cleanup: "make manpages" now generates a makedefs(1) manpage
+ for publication on the web. Also cleaned up some makedefs(1)
+ content. Files: man/Makefile.in, man/man1/makedefs.1,
+ html/Makefile.in, html/makedefs.1.html.
+
+20180708
+
+ Cleanup: VSTREAM support to "open" a VSTRING: added
+ vstream_ftell() support; documented what changes are needed
+ before this can support vstream_fseek(), without breaking a
+ VSTRING during vstream_fflush(); added a simple 'allow'
+ filter for vstream_control() requests; added a unit test.
+ File: util/vstream.c.
+
+20180812
+
+ Feature: smtpd_reject_footer_maps (as well as the postscreen
+ variant postscreen_reject_footer_maps). This is indexed
+ with the SMTP server response text, and overrides the footer
+ specified with smtpd_reject_footer. Files: global/mail_params.h,
+ mantools/postlink, postscreen/postscreen.c,
+ postscreen/postscreen_send.c, postscreen/postscreen_smtpd.c,
+ proto/postconf.proto, smtpd/smtpd.c, smtpd/smtpd_chat.c.
+
+ Minor wordsmithing. File: makedefs.
+
+20180823
+
+ Bugfix (introduced: 20180812): postscreen_send.c did not
+ build without warnings. Viktor Dukhovni.
+
+20180824
+
+ Cleanup: with SMTPUTF8 turned off, the MySQL and PgSQL maps
+ accept only well-formed UTF-8 queries, and return NOT FOUND
+ otherwise. This was in introduced in Postfix 3.0 for LDAP
+ and SQLite, with no complaints coming forth. Files:
+ global/dict_mysql.c, global/dict_pgsql.c.
+
+20180805-20180825 Chunking support
+
+ Cleanup: vbuf_get() now sets the EOF flag, so that reading
+ from a VSTRING stream works as expected. File: util/vbuf.c.
+
+ Cleanup: added an append-mode flag to functions that read
+ a VSTRING from a stream. The historical APIs are preserved
+ in the form of aliases. Files: util/vstring_vstream.[hc],
+ global/smtp_stream.[hc].
+
+ SMTP server support for CHUNKING (BDAT) per RFC 3030. The
+ SMTP server is the only program that knows the difference
+ between mail received with BDAT or DATA. Both use the same
+ smtpd_data_restrictions and smtpd_end_of_data_restrictions,
+ both send one Milter DATA event per mail transaction, and
+ both send one DATA command ending in <CR><LF>.<CR><LF>
+ to an smtpd_proxy_filter. Files: global/ehlo_mask.h,
+ global/smtp_stream.c, global/smtp_stream.c, global/smtp_stream.h,
+ postscreen/postscreen_smtpd.c, smtpd/smtpd.c, smtpd/smtpd.h,
+ smtpd/smtpd_chat.c, smtpd/smtpd_chat.h, smtpd/smtpd_state.c.
+
+ Cleanup: the postscreen(8) daemon now hangs up after receiving
+ the DATA command. Justification: it should never receive DATA
+ from a legitimate client, because 1) postscreen(8) rejects all
+ recipients, and 2) postscreen(8) does not announce PIPELINING.
+ This makes postscreen(8) DATA and BDAT behavior more
+ consistent. File: postscreen/postscreen_smtpd.c.
+
+ BDAT final touches: report accurate BDAT byte counts after
+ timeout or lost connection; send DATA instead of BDAT in
+ policy delegation protocol. Files: smtpd/smtpd.[hc],
+ smtpd/smtpd_check.c.
+
+ BDAT final touches: if the BDAT EHLO announcement is disabled,
+ then smtpd(8) and postscreen(8) will not accept BDAT commands.
+ Files: smtpd/smtpd.c, postscreen/postscreen_smtpd.c.
+
+20180826
+
+ Cleanup: with GSSAPI, the Postfix SMTP client's initial
+ SASL response may be as large as 12288 bytes. When the "AUTH
+ <method> <initial-response>" command would exceed the SMTP
+ command length of 512 bytes, send the initial response
+ during the SASL dialog. Viktor Dukhovni. File:
+ smtp/smtp_sasl_glue.c.
+
+ Cleanup: prepare the Postfix SMTP server needs to receive
+ SASL responses that exceed the line_length_limit value.
+ This introduces a new parameter smtpd_sasl_response_limit
+ (default: 12288). Viktor Dukhovni. Files: mantools/postlink,
+ proto/postconf.proto, global/mail_params.h, smtpd/smtpd.c,
+ smtpd/smtpd_chat.c, smtpd/smtpd_chat.h, smtpd/smtpd_sasl_glue.c.
+
+20180827
+
+ Miscellaneous documentation updates, and a correction in
+ the byte count for sending a large SASL initial response.
+
+20181014
+
+ Cleanup: figured out why vstring_get() did not return
+ VSTREAM_EOF in APPEND mode. File: util/vstring_vstream.c.
+
+20180903
+
+ Bugfix (introduced: 20180825): postscreen falsely claimed
+ that the remote SMTP client was pipelining after sending
+ BDAT. Found by Ralf Hildebrandt. File:
+ postscreen/postscreen_smtpd.c.
+
+20180904
+
+ Bugfix (introduced: 20180812): parameter name error
+ (postscreen_reject_footer should have been
+ postscreen_reject_footer_maps). Noel Jones (finder) and
+ Viktor Dukhovni (fixer).
+
+20181104
+
+ Multiple 'bit rot' fixes for OpenSSL API changes, including
+ support to disable TLSv1.3, to avoid issuing multiple session
+ tickets, and to allow OpenSSL >= 1.1.0 run-time micro version
+ bumps without complaining about library version mismatches.
+ Viktor Dukhovni. Files: proto/postconf.proto,
+ proto/TLS_README.html, tls/tls.h, tls/tls_dane.c,
+ tls/tls_server.c, tls/tls_misc.c
+
+20181105
+
+ Feature: "postmap -F" reads a source file with (key, filename)
+ entries, and creates database records with (key, base64-encoded
+ filecontent). This feature will be used for SNI lookup
+ table support, where each key will be a domainname, and
+ each value will contain a sequence of (private key, certificate
+ hierarchy) for that domainname. The same 'value is filename'
+ behavior is implemented in cidr:, inline:, pcre:, randmap:,
+ regexp:, and static: maps if the application sets the flag
+ DICT_FLAG_RHS_IS_FILE. In the forseeable future, this will
+ be used for specific TLS features. Files: postmap/postmap.c,
+ util/dict.c, util/dict.h, util/dict_cidr.c, util/dict_file.c,
+ util/dict_inline.c, util/dict_pcre.c, util/dict_random.c,
+ util/dict_regexp.c, util/dict_static.c.
+
+20181106
+
+ Bugfix (introduced: 3.0): smtpd_discard_ehlo_keywords could
+ not disable "SMTPUTF8". because the lookup table was using
+ "EHLO_MASK_SMTPUTF8" instead. File: global/ehlo_mask.c.
+
+ Documentation: the postmap(1) manpage no longer refers to
+ compatibility with Sendmail's makemap command. File:
+ postmap/postmap.c.
+
+ Cleanup: don't use ssize_t for boolean result. File:
+ global/smtp_stream.c.
+
+ Cleanup: memory leak caused by missing dbenv->close() call
+ after failing to open a Berkeley DB table. File: util/dict_db.c.
+
+20181112
+
+ Improved logging of TLS 1.3 summary information, and improved
+ reporting of the same info in Received: message headers.
+ Viktor Dukhovni. Files: proto/FORWARD_SECRECY_README.html,
+ smtpd/smtpd.c, tls/tls.h, tls/tls_client.c, tls/tls_misc.c,
+ tls/tls_proxy.h, tls/tls_proxy_context_print.c,
+ tls/tls_proxy_context_scan.c, tls/tls_server.c.
+
+20181116
+
+ Library function to log TLS 1.3 summary information, and
+ some wordsmithing of TLS context member names. Viktor
+ Dukhovni. Files: tls/tls.h, tls/tls_misc.c, tls/tls_proxy.h,
+ tls/tls_proxy_context_print.c, tls/tls_proxy_context_scan.c,
+ tls/tls_client.c, tls/tls_server.c, smtpd/smtpd.c,
+ posttls-finger/posttls-finger.c.
+
+ Cleanup: vstream_memopen() flags handling. File:
+ util/vstream.c.
+
+ Cleanup: the SMTP client now uses 'attr_print_plain'
+ serialization and 'attr_scan_plain' deserialization for
+ connection cache lookup keys, which now contain a serialized
+ version of the TLS context. File: smtp/smtp_session.c.
+
+20181117
+
+ The Postfix SMTP client now logs whether an SMTP-over-TLS
+ connection is newly established ("TLS connection established")
+ or whether the connection is reused ("TLS connection reused").
+ Files: smtp/smtp.h, smtp/smtp_proto.c, smtp/smtp_session.c.
+
+ (20181117-nonprod) Unified summary logging in the SMTP
+ client, SMTP server, and posttls-finger. Viktor Dukhovni.
+ Files: tls/tls.h, tls/tls_misc.c, tls/tls_proxy.h,
+ tls/tls_proxy_context_print.c, tls/tls_proxy_context_scan.c,
+ tls/tls_client.c, src/tls/tls_server.c, smtpd/smtpd.c,
+ posttls-finger/posttls-finger.c.
+
+ (20181117-nonprod) Improved logging of TLS 1.3 summary
+ information. On the server side this also affects the TLS
+ information optionally recorded in "Received" headers.
+ Viktor Dukhovni. Files: smtpd/smtpd.c, tls/tls.h,
+ tls/tls_client.c, tls/tls_misc.c, tls/tls_proxy.h,
+ tls/tls_proxy_context_print.c, tls/tls_proxy_context_scan.c,
+ tls/tls_server.c.
+
+ (20181117-nonprod) FORWARD_SECRECY examples with TLS 1.3
+ logging. Viktor Dukhovni. File: proto/FORWARD_SECRECY_README.html.
+
+20181118
+
+ Cleanup, no behavior change: updated comments concerning
+ connection reuse, and updated some identifiers to reflect
+ current reality. Files: smtp_reuse.c, smtp_key.c, smtp_proto.c,
+ smtp_tls_policy.c, smtp.h, smtp_connect.c.
+
+20181119
+
+ Bitrot: makedefs will use "pkg-config" to locate ICU build
+ information, falling back to "icu-config" if "pkg-config"
+ is not found. File: makedefs.
+
+20181122
+
+ Cleanup: tlsproxy loads the same TLS client configuration
+ at pre-jail time as the Postfix SMTP client, so that secret
+ keys can remain read-only for root. This is sufficient for
+ MTAs that have a fixed TLS client identity. tlsproxy will
+ log a warning if it is requested to assume a different TLS
+ client identity, and will log suggestions for a workaround.
+ The long-term solution is to stop loading certs/keys from
+ files, and to use the same approach as planned for server-side
+ SNI support: open a cert/key map at pre-jail time, and read
+ cert/key information on-the-fly at post-jail time. Files:
+ proto/postconf.proto, mantools/postlink, global/mail_params.h,
+ tlsproxy/tlsproxy.c.
+
+20181123
+
+ Cleanup: tlsproxy now logs better instructions when a
+ tls_client_init request specifies an unexpected client
+ identity, and the test for that condition is now moved to
+ the right place. File: tlsproxy/tlsproxy.c.
+
+20181124
+
+ Documentation: clarified the behavior of whitespace within
+ "{}". Files: proto/DATABASE_README.html, proto/postconf.proto,
+ pipe/pipe.c, postconf/postconf.c,
+
+20181125
+
+ Cleanup: dict_file_to_xxx() takes a list of file names
+ separated by CHARS_COMMA_SP. Shoe-horned into the existing
+ API, make it nicer when there is time. File: util/dict_file.c.
+
+20181127
+
+ Cleanup: encapsulated clumsy 'read into VSTRING' code with
+ easier-to-use vstream_fread_buf() and vstream_fread_app()
+ primitives. Files: global/memcache_proto.c, global/record.c,
+ global/smtp_stream.c, global/smtp_stream.h, global/uxtext.c,
+ global/xtext.c, milter/milter8.c, util/dict_file.c,
+ util/hex_quote.c, util/netstring.c, util/vstream.c,
+ util/vstream.h. Verified with "make tests".
+
+ Cleanup: simplified the smtp_fread() API (introduced for
+ BDAT support), and changed the name to smtp_fread_buf().
+ Files: global/smtp_stream.c, smtpd/smtpd.c. Verified with
+ ~megabyte BDAT commands.
+
+ Cleanup: simplified a tlsproxy-internal API. File:
+ tlsproxy/tlsproxy.c.
+
+20181128
+
+ Initial support for key/certificate chain files that will
+ replace the proliferation of separate parameters for
+ RSA/DSA/ECC/etc. key and certificate files. Viktor
+ Dukhovni.
+
+20181201
+
+ Cleanup: replaced the remaining unsafe VSTRING_AT_OFFSET()
+ calls with safe vstring_set_payload_size() calls, in code
+ that directly writes into VSTRING. Files: tls/tls_session.c,
+ tlsmgr/tlsmgr.c, util/casefold.c, util/vstring.c, util/vstring.h,
+ xsasl/xsasl_cyrus_client.c.
+
+ Cleanup: postscreen_command_time_limit did not need to be
+ a 'raw' parameter. This makes "postconf -x" behavior more
+ consistent. Files: global/mail_params.h, postscreen/postscreen.c.
+
+ Documentation: added text that the following parameter
+ values are not subject to Postfix parameter $name expansion:
+ default_rbl_reply, command_execution_directory, luser_relay,
+ smtpd_reject_footer. These have their own documented $name
+ substitution mechanism. File: proto/postconf.proto.
+
+20181202
+
+ Bugfix: posttls-finger reported an error for UNIX-domain
+ connections, even if they did not fail. Found by Coverity.
+ File: posttls-finger/posttls-finger.c.
+
+20181208
+
+ Documentation: add even more redundancy to the rate-delay
+ description. File: proto/postconf.proto.
+
+20181210
+
+ Cleanup: code deduplication. File: util/dict_file.c.
+
+20181226
+
+ Cleanup: code deduplication and better encapsulation with
+ PSC_DEL_CLIENT_STATE() and PSC_DEL_SERVER_STATE() macros.
+ Files: postscreen/postscreen.h, postscreen/postscreen_state.c.
+
+ Documentation: POSTSCREEN_README did not describe the
+ postscreen_post_queue_limit, and attributed the wrong reject
+ message to the postscreen_pre_queue_limit. Problem reported
+ by Michael Orlitzky. File: proto/POSTSCREEN_README.html.
+
+ (20181226-nonprod) Compatibility: removed support for OpenSSL
+ 1.0.1 (not supported since December 31, 2016) and earlier
+ releases. This eliminated a large number of #ifdefs with
+ bitrot workarounds. Viktor Dukhovni. Files: global/mail_params.h,
+ posttls-finger/posttls-finger.c, tls/tls.h, tls/tls_certkey.c,
+ tls/tls_client.c, tls/tls_dane.c, tls/tls_dh.c, tls/tls_misc.c,
+ tls/tls_proxy_client_scan.c, tls/tls_rsa.c, tls/tls_server.c,
+ tls/tls_session.c.
+
+ (20181226-nonprod) Use the OpenSSL 1.0.2 and later API for
+ setting ECDHE curves. Viktor Dukhovni. Files: tls/tls.h,
+ tls/tls_client.c, tls/tls_dh.c.
+
+ (20181226-nonprod) Documentation update for TLS support.
+ Viktor Dukhovni. Files: mantools/postlink, proto/TLS_README.html,
+ proto/postconf.proto, src/sendmail/sendmail.c, src/smtpd/smtpd.c.
+
+20181229
+
+ Explicit maps_file_find() and dict_file_lookup() methods
+ that decode base64 content. Decoding content is not built
+ into the dict->lookup() method, because that would complicate
+ the implementation of map nesting (inline, thash), map
+ composition (pipemap, unionmap), and map proxying. For
+ consistency, decoding base64 file content is also not built
+ into the maps_find() method. Files: util/dict.h.
+ util/dict_file.c, global/maps.[hc], postmap/postmap.c.
+
+20190106
+
+ Documentation: documented the SRC_RHS_IS_FILE flag in
+ dict_open.c, and updated the -F description in the postmap
+ manpage. Files: util/dict_open.c, postmap/postmap.c.
+
+ (20190106-nonprod) Feature: support for files that combine
+ multiple (key, certificate, trust chain) instances in one
+ file, to avoid separate files for RSA, DSA, Elliptic Curve,
+ and so on. Viktor Dukhovni. Files: .indent.pro,
+ global/mail_params.h, posttls-finger/posttls-finger.c,
+ smtp/lmtp_params.c, smtp/smtp.c, smtp/smtp_params.c,
+ smtp/smtp_proto.c, smtpd/smtpd.c, tls/tls.h, tls/tls_certkey.c,
+ tls/tls_client.c, tls/tls_proxy.h, tls/tls_proxy_client_print.c,
+ tls/tls_proxy_client_scan.c, tls/tls_proxy_server_print.c,
+ tls/tls_proxy_server_scan.c, tls/tls_server.c, tlsproxy/tlsproxy.c.
+
+ (20190106-nonprod) Create a second, no-key no-cert, SSL_CTX
+ for use with SNI. Viktor Dukhovni. Files: src/tls/tls.h,
+ src/tls/tls_client.c, src/tls/tls_misc.c, src/tls/tls_server.c.
+
+ (20190106-nonprod) Server-side SNI support. Viktor Dukhovni.
+ Files: src/global/mail_params.h, src/smtp/smtp.c,
+ src/smtpd/smtpd.c, src/tls/tls.h, src/tls/tls_certkey.c,
+ src/tls/tls_misc.c, src/tlsproxy/tlsproxy.c,
+
+ (20190106-nonprod) Configurable client-side SNI signal.
+ Viktor Dukhovni. Files: global/mail_params.h,
+ posttls-finger/posttls-finger.c, smtp/lmtp_params.c,
+ smtp/smtp.c, smtp/smtp.h, smtp/smtp_params.c, smtp/smtp_proto.c,
+ smtp/smtp_tls_policy.c, tls/tls.h, tls/tls_client.c,
+ tls/tls_proxy.h, tls/tls_proxy_client_print.c,
+ tls/tls_proxy_client_scan.c.
+
+20190121
+
+ Logging: support for internal logging file, without using
+ syslog (it uses the new postlogd daemon instead). This
+ solves a usability problem for MacOS, may help getting
+ around systemd, and solves 99% of the problem for logging
+ to stdout in a container (hopefully we have 100% soon).
+ Enable by setting, for example, "maillog_file =
+ /var/log/postfix.log"). This works fine for daemons, and
+ with some limitations for non-daemon programs. See
+ RELEASE_NOTES for more details. Files: conf/master.cf,
+ conf/post-install, conf/postfix-files, conf/postfix-script,
+ mantools/postlink, proto/master, proto/postconf.proto,
+ global/mail_params.c, global/mail_params.h, global/mail_proto.h,
+ global/maillog_client.c, global/maillog_client.h,
+ master/dgram_server.c, master/event_server.c, master/mail_server.h,
+ master/master.c, master/master.h, master/master_ent.c,
+ master/master_listen.c, master/master_proto.h,
+ master/master_wakeup.c, master/multi_server.c,
+ master/single_server.c, master/trigger_server.c,
+ postalias/postalias.c, postconf/postconf_master.c,
+ postdrop/postdrop.c, postfix/postfix.c, postkick/postkick.c,
+ postlog/postlog.c, postlogd/postlogd.c, postmap/postmap.c,
+ postmulti/postmulti.c, postqueue/postqueue.c,
+ postsuper/postsuper.c, sendmail/sendmail.c, util/connect.h,
+ util/listen.h, util/logwriter.c, util/logwriter.h,
+ util/msg_logger.c, util/msg_logger.h, util/msg_output.c,
+ util/msg_output.h, util/unix_dgram_connect.c,
+ util/unix_dgram_listen.c.
+
+ Cleanup: cert/key/chain loading, plus unit tests to exercise
+ non-error and error cases. Viktor Dukhovni. Files: tls/*.pem,
+ tls*.pem.ref, tls/tls_certkey.c.
+
+20190126
+
+ Safety: Postfix programs will log to either syslog or postlog
+ but not both; and postlogd forwards postlog logging to
+ syslog, when a configuration change removes the maillog_file
+ pathname, but some programs still use the old configuration.
+ Files: util/msg_syslog.[hc], util/msg_logger.c,
+ global/maillog_client.c, postlogd/postlogd.c,
+
+ Bugfix (introduced: Postfix 20110109, Postfix 2.10): watchdog
+ pipe file descriptor leak. This pipe provides one source
+ of liveness, data from this pipe is discarded, and therefore
+ this does not enable privilege escalation or DOS. File:
+ util/watchdog.c.
+
+ Feature: stdout logging support; requires "postfix start-fg"
+ and "maillog_file = /dev/stdout". Files: master/master.c,
+ conf/postfix-script.
+
+20190127
+
+ Safety: when maillog_file is specified, 'postfix check' now
+ requires that the postlog service is enabled in master.cf.
+ Otherwise 'postfix start' etc. will log a fatal error. File:
+ conf/postfix-script.
+
+ Documentation: added policy_context example. File:
+ proto/SMTPD_POLICY_README.html.
+
+20190128
+
+ Testing: run libtls tests under Valgrind. File tls/Makefile.in.
+
+20190129
+
+ Safety: require that $maillog_file matches one of the
+ pathname prefixes specified in $maillog_file_prefixes. The
+ maillog file is created by root, and the prefixes limit the
+ damage from a single configuration error. Files:
+ global/mail_params.[hc], global/maillog_client.c.
+
+20191201
+
+ Feature: "postfix logrotate" command with configurable
+ compression program and datestamp filename suffix. File:
+ conf/postfix-script.
+
+20190202
+
+ Cleanup: log a warning when the client sends a malformed
+ SNI; log an info message when the client sends a valid SNI
+ that does not match the SNI lookup tables; update the
+ FORWARD_SECRECY_README logging examples. Viktor Dukhovni.
+ Files: proto/FORWARD_SECRECY_README.html, tls/tls.h,
+ tls/tls_client.c, tls/tls_misc.c.
+
+20190208
+
+ Debugging: the master(8) daemon now logs a warning if a
+ master.cf entry is defined multiple times. File:
+ src/master/master_conf.c.
+
+20190209
+
+ Debugging: tlsproxy(8) now logs more details about unexpected
+ configuration differences between the Postfix SMTP client
+ and the tlsproxy(8) daemon.
+
+20190210
+
+ Documentation: Postfix 3.4.0 RELEASE NOTES.
+
+ Documentation: added BDAT_README.
+
+ Documentation: global TLS settings. Files: mantools/postlink,
+ smtp/smtp.c, tlsproxy/tlsproxy.c.
+
+20190211
+
+ Cleanup: removed obsolete parameters: tls_dane_digest_agility,
+ tls_dane_trust_anchor_digest_enable; removed openssl_path
+ parameter from configuration difference checks in tlsproxy.
+ Files: global/mail_params.h, tls/tls_misc.c,
+ tls/tls_proxy_client_misc.c, tls/tls_proxy_client_print.c,
+ tls/tls_proxy_client_scan.c, tls/tls_proxy.h.
+
+20190212
+
+ Cleanup: missing #ifdef USE_TLS. Files: smtp/smtp_session.c,
+ posttls-finger/posttls-finger.c.
+
+20190217
+
+ Cleanup: when the master daemon runs with PID=1 (init mode),
+ reap orhpan processes from non-Postfix code running in the
+ same container, instead of terminating with a panic. File:
+ master/master_spawn.c.
+
+20190218
+
+ Bugfix: tlsproxy did not enable DANE-style PKI because
+ libtls seems to have to accreted multiple init functions
+ instead of reusing the tls_client_init() and tls_client_start()
+ API. And some functions that do initialization don't even
+ have init in their name! Problem report by Andreas Schulze.
+ Viktor Dukhovni. Files: tls/tls_misc.c, tlsproxy/tlsproxy.c.
+
+ Workaround: Postfix libtls makes DANE-specific changes to
+ the shared SSL_CTX. To avoid false sharing, tlsproxy needs
+ to label the SSL_CTX cache with DANE bits until we can
+ remove the code that modifies SSL_CTX. File: tlsproxy/tlsproxy.c.
+
+ Cleanup: Postfix libtls changed the shared SSL_CTX to
+ override ciphers. instead of changing the SSL handle. To
+ avoid false sharing in tlsproxy, the changes are now made
+ to the SSL handle. Viktor Dukhovni. Files: tls/tls.h,
+ tls/tls_client.c, tls/tls_misc.c, tls/tls_server.c.
+
+20190219
+
+ Bugfix: in the Postfix SMTP client, TLS wrappermode was not
+ tested in tlsproxy mode. It needed some setup for buffering
+ and timeouts. Problem report by Andreas Schulze. File:
+ smtp/smtp_proto.c.
+
+20190226
+
+ Documentation: postconf(1) and DATABASE_README were out of
+ sync. Added a note that this should be deduplicated. File:
+ proto/DATABASE_README.html.
+
+20190227
+
+ Documentation: strict_smtputf8 in SMTPUTF8_README.
+
+20190304
+
+ Bugfix: a reversed test broke TLS configurations that specify
+ the same filename for a private key and certificate. Reported
+ by Mike Kazantsev. Fix by Viktor Dukhovni. Wietse fixed the
+ test. Files: tls/tls_certkey.c, tls/Makefile.in.
+
+20190310
+
+ Bitrot: LINUX5s support, after some sanity checks with a
+ rawhide prerelease version. Files: makedefs, util/sys_defs.h.
+
+ Bugfix (introduced: 20181226): broken DANE trust anchor
+ file support, caused by left-over debris from the 20181226
+ TLS library overhaul. By intrigeri. File: tls/tls_dane.c.
+
+ Bugfix (introduced: Postfix-1.0.1): null pointer read, while
+ logging a warning after reading a corrupted bounce log file.
+ File: global/bounce_log.c.
+
+ Bugfix (introduced: Postfix-2.9.0): null pointer read, while
+ logging a warning after a postscreen_command_filter read
+ error. File: postscreen/postscreen_smtpd.c.
+
+20190312
+
+ Bugfix (introduced: Postfix 2.2): reject_multi_recipient_bounce
+ has been producing false rejects starting with the Postfix
+ 2.2 smtpd_end_of_data_restrictons, and for the same reasons,
+ did the same with the Postfix 3.4 BDAT command. The latter
+ was reported by Andreas Schulze. File: smtpd/smtpd_check.c.
+
+20190319
+
+ With message_size_limit=0 (which is NOT DOCUMENTED), BDAT
+ chunks were always too large. Reported by Thorben Thuermer.
+ fix by Viktor Dukhovni. File: src/smtpd/smtpd.c.
+
+20190328
+
+ Bugfix (introduced: Postfix 3.0): LMTP connections over
+ UNIX-domain sockets were cached but not reused, due to a
+ cache lookup key mismatch. Therefore, idle cached connections
+ could exhaust LMTP server resources, resulting in two-second
+ pauses between email deliveries. This problem was investigated
+ by Juliana Rodrigueiro. File: smtp/smtp_connect.c.
+
+20190331
+
+ Documentation: tlsext_padding is not a tls_ssl_options
+ feature. File: proto/postconf.proto.
+
+20190401
+
+ Portability: to avoid a compile-time error on Solaris, added
+ "#undef sun" to util/unix_dgram_connect.c.
+
+20190403
+
+ Bugfix (introduced: Postfix 2.3): a censoring filter broke
+ multiline Milter responses for header/body events. Problem
+ report by Andreas Thienemann. Files: util/printable.c,
+ util/stringops.h, smtpd/smtpd.c.
+
+ Bugfix (introduced: Postfix 3.3): "smtp_mx_address_limit = 0"
+ no longer meant 'unlimited'. Problem report by Luc Pardon.
+ File: smtp/smtp_addr.c.
+
+20190427
+
+ Cleanup: normalize the IP address string forms received with
+ XCLIENT, XFORWARD, and HaProxy, for consistency with address
+ information for direct connections to Postfix, and add unit
+ tests. This casefolds and removes redundant nulls from the
+ string representation of an IPv6 address, normalizes the
+ "IPv6:" address prefix of RFC 2821 IPv6 address forms, and
+ converts IPv4 address octets with leading zeros (octal form)
+ into decimal form. Files: global/haproxy.c,
+ global/normalize_mailhost_addr.[hc], smtpd/smtpd.c.
+
+ Incompatibility: this may change the appearance of logging,
+ and the way that check_client_access will match subnets of
+ an IPv6 address.
+
+20190428
+
+ Cleanup: replace "(whatever *) 0" with meaningfully-named
+ constants. Sheesh. File: smtpd/smtpd.c.
+
+ Documentation: BASIC_CONFIGURATION_README example default
+ setting was not updated after Postfix 3.0 change. File:
+ proto/BASIC_CONFIGURATION_README.html
+
+20190505
+
+ Workaround: uClibc has no res_send. Log a warning if this
+ code path would be used, and ignore dns_ncache_ttl_fix_enable.
+ Files: util/sys_defs.h, dns/dns_lookup.c, TODO: makedefs
+ and INSTALL documentation.
+
+20190516
+
+ Initial search order support for check_ccert_access. The
+ default behavior is backwards-compatible. This is work in
+ progress; see the RELEASE_NOTES for examples. Files:
+ global/map_search.[hc], smtpd/smtpd_check.c.
+
+20190517
+
+ Bugfix: postconf mis-parsed text starting with "{" such as
+ "check_ccert_access { inline:{a=b} { search_order=c,d } }".
+ Fixed by adding another level of recursion. File:
+ postconf/postconf_dbms.c.
+
+20190525
+
+ Infrastructure: reject_deliver_request() to reject an entire
+ delivery request and bounce or defer all its recipients.
+ File: global/reject_deliver_request.c.
+
+20190609
+
+ Infrastructure: byte_mask() to convert "flags=mumble" into
+ a byte mask. This is similar to name_mask(). Files:
+ util/byte_mask.[hc] and tests.
+
+20190615
+
+ Dovecot usability: SMTP/LMTP client support for 'D', 'O',
+ 'R', 'X' flags similar to the pipe(8) daemon, to produce
+ Delivered-To, X-Original-To, and Return-Path headers, and
+ to indicate final delivery. Files: smtp/smtp.c, smtp/smtp.h,
+ smtp/smtp_misc.c, smtp/smtp_proto.c, smtp/smtp_rcpt.c.
+
+ Workaround for implementations that hang Postfix while
+ shutting down a TLS session, until Postfix times out. With
+ "tls_fast_shutdown_enable = yes" (the default), Postfix no
+ longer waits for the TLS peer to respond to a TLS 'close'
+ request. This is recommended with TLSv1.0 and later. Files:
+ global/mail_params.h, tls/tls_session.c, and documentation.
+
+20190618
+
+ Documentation: corrected comments about the code change to
+ not wait for the TLS peer's response after sending a TLS
+ 'close' notification. Viktor Dukhovni. Files: HISTORY,
+ RELEASE_NOTES, proto/postconf.proto smtp/smtp.c smtpd/smtpd.c
+ tlsproxy/tlsproxy.c
+
+20190621
+
+ Workaround: don't reuse an SMTP connection after an SMTP
+ protocol error. This limits the impact of, for example,
+ pipelining synchronization errors. File: smtp/smtp_trouble.c.
+
+ Bugfix (introduced: Postfix 3.0): the code to reset Postfix
+ SMTP server command counts was not called after a HaProxy
+ handshake failure, causing stale numbers to be reported.
+ The command counts are now reset in the function that reports
+ the counts. Problem report by Joseph Ward. File: smtpd/smtpd.c.
+
+20190719
+
+ Bitrot: OpenBSD stopped having /dev/arandom 8 years ago.
+ Brad Smith. File: util/sys_defs.h.
+
+20190723
+
+ Bugfix: the documentation said tls_fast_shutdown_enable,
+ but the code said tls_fast_shutdown. Viktor Dukhovni. Changed
+ the code because no-one is expected to override the default.
+ File: global/mail_params.h.
+
+20190724
+
+ Cleanup: proxymap(8) support for table search order syntax.
+ File: proxymap/proxymap.c.
+
+ Safety: vstring_set_payload_size() now checks that the
+ payload has not overwritten the safety terminator at the
+ end of the VSTRING buffer. File: util/vstring.c.
+
+20190813
+
+ Documentation: access(5) map network address pattern syntax.
+ File: proto/access.
+
+20190820
+
+ Workaround for poor TCP loopback performance on LINUX, where
+ getsockopt(..., TCP_MAXSEG, ..) reports a TCP maximal segment
+ size that is 1/2 to 1/3 of the MTU. For example, with kernel
+ 5.1.16-300.fc30.x86_64 the TCP client and server announce
+ an mss of 65495 in the TCP handshake, but getsockopt()
+ returns 32741 (less than half). As a matter of principle,
+ Postfix won't turn on client-side TCP_NODELAY because that
+ hides application performance bugs, and because that still
+ suffers from server-side delayed ACKs. Instead, Postfix
+ avoids sending "small" writes back-to-back, by choosing a
+ VSTREAM buffer size that is a multiple of the reported MSS.
+ This workaround bumps the multiplier from 2x to 4x. File:
+ util/vstream_tweak.c.
+
+20190825
+
+ Bugfix (introduced: 20051222): the Dovecot client could
+ segfault (null pointer read) or cause an SMTP server assertion
+ to fail when talking to a fake Dovecot server. The client
+ now logs a proper error instead. Problem reported by Tim
+ Düsterhus. File: xsasl/xsasl_dovecot_server.c.
+
+20190908
+
+ Documentation: updated postconf(5) description of the
+ tls_server_sni_maps configuration parameter. Viktor Dukhovni.
+ File: proto/postconf.proto.
+
+20190914
+
+ Bugfix (introduced: Postfix 3.4): don't whitewash OpenSSL
+ error results after a plaintext output error. The code could
+ loop, and with some OpenSSL error results could flood the
+ log with error messages (see below for a specific case).
+ Problem reported by Andreas Schulze. File: tlsproxy/tlsproxy.c.
+
+ Bitrot: don't invoke SSL_shutdown() when the SSL engine
+ thinks it is processing a TLS handshake. The commit at
+ https://github.com/openssl/openssl/commit/64193c8218540499984cd63cda41f3cd491f3f59
+ changed the error status, incompatibly, from SSL_ERROR_NONE
+ into SSL_ERROR_SSL. File: tlsproxy/tlsproxxy.c.
+
+20190918
+
+ Cleanup: the nbbio(3) library now accepts a sequence of
+ nbbio_enable_read() calls or a sequence of nbbio_enable_write()
+ calls. This allows tlsproxy(8) to reset an I/O timer after
+ each event without having to make an nbbio_disable_readwrite()
+ call. Files: util/nbbio.c, tlsproxy/tlsproxy.c.
+
+20191013
+
+ Cleanup: code pattern ENFORCING_SIZE_LIMIT() for more
+ consistent enforcement of the 'no size limit' case (it now
+ requires "> 0" where previous code used "!= 0" or "> 0").
+ More relevant, this explicit pattern will help finding code
+ that does not implement the 'no size limit' case with
+ var_message_limit, etc. Files: cleanup/cleanup_init.c,
+ local/local.c, postdrop/postdrop.c, postscreen/postscreen_smtpd.c,
+ sendmail/sendmail.c, smtpd/smtpd.c, smtpd/smtpd_check.c,
+ util/netstring.c, util/sys_defs.h, virtual/virtual.c.
+
+ Cleanup; with message_size_limit>0, local(8) and virtual(8)
+ mailbox size limit checks would produce a misleading error
+ message when the mailbox size was unlimited. Files:
+ local/local.c, virtual/virtual.c.
+
+ Cleanup: queue_minfree changed from 'int' to 'long'. File:
+ global/mail_params.h, src/smtpd/smtpd.c.
+
+ Attribution: updated AUTHOR in file headers. Files:
+ global/bounce_log.c, global/deliver_request.h, smtp/smtp_chat.c,
+ smtp/smtp_rcpt.c, tls/tls_certkey.c, util/nbbio.c,
+ util/vstream_tweak.c.
+
+20191014
+
+ Bugfix (introduced: Postfix 2.8): don't gratuitously enable
+ all after-220 tests when only one such test is enabled.
+ This made selective tests impossible with 'good' clients.
+ File: postscreen/postscreen_smtpd.c.
+
+ Bugfix: the 20180903 postscreen fix for a misleading
+ "PIPELINING after BDAT" warning looked at the wrong variable.
+ The warning now says "BDAT without valid RCPT", and the
+ error is no longer treated as a command PIPELINING error
+ (but sending BDAT is still a client error, because postscreen
+ rejects all RCPT commands and does not announce PIPELINING
+ support). File: postscreen/postscreen_smtpd.c.
+
+20190922
+
+ Documentation: replaced the link to "Suite B" cryptography
+ with a link to web.archive.org. File: proto/postconf.proto.
+
+20191109
+
+ Cleanup: Postfix daemon processes now log the from= and to=
+ addresses in external (quoted) form in non-debug logging
+ (info, warning, etc.). This is consistent with the address
+ form that Postfix 3.2 and later prefer for table lookups.
+ It is therefore the more useful form for non-debug logging.
+ Files: cleanup/cleanup.c, cleanup/cleanup_message.c,
+ cleanup/cleanup_milter.c, global/info_log_addr_form.c,
+ global/info_log_addr_form.h, global/log_adhoc.c,
+ global/mail_params.c, global/mail_params.h, global/opened.c,
+ local/local.c, oqmgr/qmgr.c, oqmgr/qmgr_active.c,
+ pickup/pickup.c, pipe/pipe.c, postscreen/postscreen.c,
+ postscreen/postscreen_smtpd.c, proto/postconf.proto,
+ qmgr/qmgr.c, qmgr/qmgr_active.c, smtp/smtp.c, smtpd/smtpd.c,
+ smtpd/smtpd_check.c, virtual/virtual.c.
+
+ Usability: the parser for key/certificate chain files
+ rejected inputs that contain an EC PARAMETERS object. While
+ this is technically correct (the documentation says what
+ types are allowed) this is surprising behavior because the
+ legacy cert/key parameters will accept such inputs. For
+ now, the parser skips object types that it does not know
+ about usability, and logs a warning because ignoring inputs
+ is not kosher. Viktor and Wietse. File: tls/tls_certkey.c.
+
+20191201
+
+ Compatibility: added '_' to the milter_connect_macros default
+ value. Reportedly some software produces an ugly warning
+ message if Postfix does not send the macro, and there is
+ no harm in sending it. File: global/mail_params.h.
+
+20191214
+
+ Bugfix (introduced: Postfix 3.1): support for
+ smtp_dns_resolver_options was broken while adding support
+ for negative DNS response caching in postscreen. Postfix
+ was inadvertently changed to call res_query() instead of
+ res_search(). Reported by Jaroslav Skarvada. File:
+ dns/dns_lookup.c.
+
+ Bugfix: sanitize server responses before storing them in
+ the verify database, to avoid Postfix warnings about malformed
+ UTF8. File: verify/verify.c.
+
+20191215
+
+ Future proofing: the Postfix DNS library logs a warning if
+ the DNS_REQ_FLAG_NCACHE_TTL dns_lookup flag is set and the
+ RES_DNSRCH or RES_DEFNAMES resolver flags are set, and
+ disables those resolver flags. File: dns/dns_lookup.c.
+
+20191230
+
+ Documentation: added the 'X' flag (final delivery) to the
+ pipe-based final delivery examples in the default master.cf
+ file. File: conf/master.cf
+
+20201005
+
+ Workaround: postlog clients open the socket before entering
+ the chroot jail and before dropping privileges. This is needed
+ on MacOS and would not hurt otherwise. Files: util/msg_logger.[hc],
+ global/maillog_client.c.
+
+20200108
+
+ UI cleanup: SMTP (and LMTP) client support for a list of
+ nexthop destinations separated by comma or whitespace. These
+ will be tried in the specified order. The list form can be
+ specified in relayhost, transport_maps, default_transport,
+ and sender_dependent_default_transport_maps. Examples:
+ "relayhost = foo.example, bar.example", and "default_transport
+ = smtp:foo.example, bar.example". Files: smtp/smtp.c,
+ smtp/smtp_connect.c, trivial-rewrite/resolve.c, proto/transport,
+ proto/postconf.proto, global/mail_params.c.
+
+20200112
+
+ [initially released as part of postfix-20200101-nonprod]
+ Refactored the haproxy infrastructure in preparation for
+ haproxy version 2 support. This is necessary because version
+ 2 introduces a dependency of the reader on the parser.
+ Additionally, version 2 introduces support for non-proxied
+ connections (used by health checks). Files: global/haproxy_srvr.c,
+ smtpd/smtpd_peer.c, smtpd/smtpd_haproxy.c, smtpd/smtpd.h,
+ postscreen/postscreen.h, postscreen/postscreen_endpt.c,
+ postscreen/postscreen_haproxy.c, postscreen/postscreen_haproxy.h,
+ global/haproxy_srvr.h. Initial release 3.5-20200101-nonprod.
+
+ [initially released as part of postfix-20200105-nonprod]
+ Support for the haproxy v2 protocol. The haproxy v2 protocol
+ support is limited to TCP over IPv4 and TCP over IPv6. It
+ also supports non-proxied connections (typically used for
+ heartbeat tests). File: global/haproxy_srvr.c.
+
+ [initially released as part of postfix-20200105-nonprod]
+ Cleanup: after haproxy handshake error, the Postfix SMTP
+ daemon now logs the proxy connection information instead
+ of unknown/unknown, and replies with "421 4.3.0 $myhostname
+ Server local error" instead of just hanging up. Error
+ details are logged to the maillog file. File: smtpd/smtpd.c.
+
+ Cleanup: miscellaneous comments, constants, error checks,
+ no normal behavior change. Files: global/haproxy_srvr.c,
+ postscreen/postscreen_haproxy.c.
+
+20200126
+
+ Cleanup: missing 'extern' declarations in some header files.
+ Eray Aslan. Files: global/mail_params.h, postconf/postconf.h,
+ smtpd/smtpd_expand.h, trivial-rewrite/trivial-rewrite.h
+
+ Typos: Viktor Dukhovni. File: HISTORY.
+
+ Documentation: haproxy2 support. File: proto/postconf.proto.
+
+20200120
+
+ [initially released as part of postfix-20200125-nonprod]
+ Feature: forced message expiration. The "postsuper -e"
+ option sets an 'expired' bit on one or more messages selected
+ by their message ID. The queue manager returns a message
+ as undeliverable when it moves the message to the active
+ queue. Messages in the hold queue stay in that queue.
+
+ If a force-expired message was deferred, then it is returned
+ with the reason for the delay. Otherwise, the message is
+ returned with "message is administratively expired". Design
+ by Wietse; Viktor suggested using the group execute permission
+ bit. Files: global/mail_queue.h, *qmgr/qmgr.h, *qmgr/qmgr_active.c,
+ *qmgr/qmgr_message.c, postsuper/Makefile.in, postsuper/postsuper.c.
+
+20200125
+
+ [initially released as part of postfix-20200125-nonprod]
+ Added support for "postsuper -f" to expire and optionally
+ release a message. Restructured the postsuper command so
+ that it will execute actions in the order of the -[defhr]
+ flags, instead of using an invisible fixed internal order.
+ The -e and -f options are idempotent (just like -h and -H).
+ Adjusted the summary at the end to make this more clear.
+ File: postsuper/postsuper.c.
+
+20200126
+
+ [initially released as part of postfix-20200126-nonprod]
+ Updated the mailq/postqueue commands to make forced message
+ expiration status available. In ASCII ouput this is indicated
+ with "#" appended to the queue file name, and in JSON output
+ this is indicated with the boolean "force_expired" attribute.
+ Files: showq/showq.c, postqueue/showq_compat.c,
+ postqueue/showq_json.c.
+
+ [initially released as part of postfix-20200126-nonprod]
+ Cleanup: minor tweaks to comments and code.
+
+ Safety: give maildrop queue files more time (week instead
+ of day) to reach completion, in case a message is submitted
+ by a really long-running program. File: postsuper/postsuper.c.
+
+ Cleanup: postsuper manpage indentation, word abbreviation.
+ Files: mantools/postlink, postsuper/postsuper.c.
+
+20200202
+
+ Cleanup: nags about strcpy()/sprintf() from naive checkers.
+ Files: global/mail_conf_int.c, global/mail_conf_long.c,
+ global/mail_conf_nint.c, global/mail_conf_time.c,
+ global/maillog_client.c, util/mymalloc.c.
+
+ Documentation: rephrased the postconf(5) manual page entry
+ for milter_default_action. File: proto/postconf.proto.
+
+ Bugfix (introduced: Postfix 2.5): Milter SMTP connect event
+ macros were evaluated before the Postfix-to-Milter connection
+ had been negotiated. Problem reported by David Bürgin.
+ Files: milter/milter.h, milter/milter.c, milter/milter8.c
+
+20200308
+
+ Cleanup: spellchecks, attributions. Files: HISTORY,
+ auxiliary/name-addr-test/gethostbyaddr.c,
+ auxiliary/name-addr-test/getnameinfo.c, proto/postconf.proto,
+ global/haproxy_srvr.c, global/mail_version.h, global/map_search.c,
+ global/map_search.h, postsuper/postsuper.c, smtp/smtp.c,
+ smtp/smtp_misc.c, smtpd/smtpd.c, smtpd/smtpd_check.c,
+ smtpd/smtpd_expand.h, tls/tls_client.c, tls/tls_server.c,
+ tlsproxy/tlsproxy.c, trivial-rewrite/trivial-rewrite.h,
+ util/byte_mask.c, util/vstream_tweak.c.
+
+ Cleanup: bitrot in tests. File: cleanup/cleanup_milter.c.
+
+ Cleanup: harmless memory leak in postconf. File:
+ postconf/postconf_master.c.
+
+ Bugfix (introduced: Postfix 2.3): panic with Postfix
+ multi-Milter configuration during MAIL FROM. Milter client
+ state was not properly reset after one of the Milters failed.
+ Reported by WeiYu Wu.
+
+20200312
+
+ Usability: the Postfix SMTP server now logs a warning when
+ a configuration requests access control by client certificate,
+ but "smtpd_tls_ask_ccert = no". Files: proto/postconf.proto,
+ smtpd/smtpd_check.c.
+
+20200316
+
+ Removed the issuer_cn and subject_cn matches from
+ check_ccert_access. Files: smtpd/smtpd_check.c,
+ proto/postconf.proto.
+
+20200407
+
+ Helper script by Viktor Dukhovni to report TLS information
+ per message delivery. This processes output from the
+ collate.pl script. Files: auxiliary/collate/README.tlstype,
+ auxiliary/collate/tlstype.pl.
+
+20200416
+
+ Workaround for broken builds after an incompatible change
+ in GCC 10. Files: makedefs, Makefile.in.
+
+ Workaround for broken DANE support after an incompatible
+ change in GLIBC 2.31. This avoids the need for new options
+ in /etc/resolv.conf. Files: dns/dns.h, dns/dns_lookup.c.
+
+ Misc fixes for gcc 'multiple definition' errors. Files:
+ master/master_vars.c, smtp/smtp.c, proxymap/proxymap.c.
+
+20200419
+
+ Bugfix (introduced: Postfix 3.4): segfault in the tlsproxy
+ client role when the server role was disabled. This typically
+ happens with a first-time Postfix install and after configuring
+ only outbound TLS. Found during program maintenance. File:
+ tlsproxy/tlsproxy.c.
+
+20200420
+
+ Noise suppression: shut up a compiler that special-cases
+ string literals. Viktor Dukhovni. File milter/milter.c.
+
+20200422
+
+ Security: disable DANE support on Alpine Linux because
+ libc-musl provides no indication whether DNS responses are
+ authentic. This broke DANE support without a clear explanation.
+ File: makedefs.
+
+20200425
+
+ Robustness: enable the socket option SO_REUSEPORT_LB or
+ SO_REUSEPORT on systems that support it. It allows multiple
+ processes to create distinct listen sockets for the same
+ address and port, and makes Postfix easier to restart.
+ However, with a SHARED listen socket as used in Postfix,
+ kernel-based load balancing does not help, and Postfix still
+ requires locking to avoid waking up multiple processes when
+ a connection arrives. Files: util/inet_listen.c,
+
+20200502
+
+ Documentation: update SNI support status in TLS_README.
+ File: proto/TLS_READNE.html.
+
+20200503
+
+ Portability: declaration should be before executable
+ statement. File: util/msg_logger.c.
+
+ Portability: replace res_xxx() calls with res_nxxx() not
+ because those are threadsafe, but because new features are
+ being added there. To build old style, build with "make
+ makefiles CCARGS="-DNO_RES_NCALLS...". Files: makedefs.
+ util/sys_defs.h, dns/dns_lookup.c.
+
+ Portability: libc-musl does not have res_nxxx() support,
+ so it builds with -DNO_RES_NCALLS.
+
+20200505
+
+ Noise suppression: shut up a compiler that special-cases
+ string literals. Viktor Dukhovni. File smtpd/smtpd_check.c.
+
+ Portability: not all supported systems have ldd(1). Viktor
+ Dukhovni. File: makedefs.
+
+20200509
+
+ Bugfix (introduced: Postfix 3.4): maillog_file_rotate_suffix
+ default value used the minute instead of the month. Reported
+ by Larry Stone. Files: conf/postfix-tls-script,
+ proto/MAILLOG_README.html, proto/postconf.proto.
+
+20200510
+
+ Bitrot: avoid U_FILE_ACCESS_ERROR after chroot(), by
+ initializing the ICU library before making the chroot()
+ call. Files: util/midna_domain.[hc], global/mail_params.c.
+
+20200511
+
+ Noise suppression: avoid "SSL_Shutdown:shutdown while in
+ init" warnings. File: tls/tls_session.c.
+
+ Debugging: with a single -v, the cleanup server now also
+ logs output envelope records, so that one -v option shows
+ the input and output. File: cleanup_out.c.
+
+20200515
+
+ Bugfix (introduced: Postfix 2.2): a TLS error for a PostgreSQL
+ client caused a false 'lost connection' error for an SMTP
+ over TLS session in the same Postfix process. Reported by
+ Alexander Vasarab, diagnosed by Viktor Dukhovni. File:
+ tls/tls_bio_ops.c.
+
+ Bugfix (introduced: Postfix 2.8): a TLS error for one TLS
+ session may cause a false 'lost connection' error for a
+ concurrent TLS session in the same tlsproxy process. File:
+ tlsproxy/tlsproxy.c.
+
+20200518
+
+ Documentation: updated the wording of recent HISTORY entries,
+ based on the text in the 20200516 stable releases.
+
+20200521
+
+ Cleanup: the value of __RES (defined in resolv.h) determines
+ whether the res_nxxx() API is available. Credit to Rich
+ Felker. Files: util/sys_defs.h, dns/dns_lookup.c.
+
+20200522
+
+ Cleanup: the postconf command builds with -fno-common.
+ Files: makedefs, Makefile.in, postconf/extract.awk,
+ postconf/install_vars.h.
+
+20200523
+
+ Cleanup: the 20200503 change did not prevent direct access
+ to the obsolete h_errno variable in smtpd_checks.c. This
+ variable may still be updated, but we should not count on
+ that. Files: dns/dns.h, dns/dns_lookup.c, smtpd/smtpd_check.c.
+
+ Cleanup: unit tests now build with -fno-common. Files:
+ global/server_acl.c, smtpd/smtpd_check.c, global/strip_addr.c,
+ proxymap/proxymap.c.
+
+20200525
+
+ Documentation: revised text about TLS connection reuse.
+ File: proto/CONNECTION_CACHE_README.html
+
+20200530
+
+ Bugfix (introduced: Postfix 3.1): "postfix tls deploy-server-cert"
+ did not handle a missing optional argument. File:
+ conf/postfix-tls-script.
+
+20200531
+
+ Debugging: per-nexthop SMTP client "debug peer" logging so
+ that we can also see what happens before, between, and after
+ SMTP sessions; add explicit SMTP client debug logging for
+ non-DNS host lookups. Files: smtp/smtp.c, proto/postconf.proto,
+ smtp/smtp_addr.c, smtp/smtp.c, smtp/smtp.h, smtp/smtp_session.c,
+ smtp/smtp_state.c.
+
+ Postfix delivery agents now log an explicit record when
+ delegating delivery to a different Postfix delivery agent.
+ Example: "postfix/smtp[pid] queueid: passing <recipient>
+ to transport=local". This makes the delegating delivery
+ agent visible, where it would otherwise have remained
+ invisible, which would complicate troubleshooting. File:
+ global/deliver_pass.c.
+
+20200610
+
+ Respectful code: replace 'slave' in internal identifiers
+ and comments, and make the master(5) description more
+ consistent with that in master(8). Postfix does not have a
+ master/slave architecture, and these identifiers and comments
+ were just poorly worded. Files: conf/postmulti-script,
+ html/master.5.html, man/man5/master.5, proto/master,
+ global/dsb_scan.c, global/dsb_scan.h, global/dsn_print.c,
+ global/dsn_print.h, global/msg_stats.h, global/msg_stats_print.c,
+ global/msg_stats_scan.c, global/rcpt_buf.c, global/rcpt_buf.h,
+ global/rcpt_print.c, global/rcpt_print.h, milter/milter.h,
+ milter/milter_macros.c, tls/tls_proxy.h,
+ tls/tls_proxy_client_print.c, tls/tls_proxy_client_scan.c,
+ tls/tls_proxy_context_print.c, tls/tls_proxy_context_scan.c,
+ tls/tls_proxy_server_print.c, tls/tls_proxy_server_scan.c,
+ util/argv_attr.h, util/argv_attr_print.c, util/argv_attr_scan.c,
+ util/attr.h, util/attr_print0.c, util/attr_print64.c,
+ util/attr_print_plain.c, util/attr_scan0.c, util/attr_scan64.c,
+ util/attr_scan_plain.c.
+
+ Bugfix (introduced: Postfix 3.4): in the Postfix SMTP server,
+ the SNI callback reported an error when it was called a
+ second time. This happened after the server-side TLS engine
+ sent a TLSv1.3 HelloRetryRequest (HRR) to a remote SMTP
+ client. Reported by Ján Máté, fixed by Viktor Dukhovni.
+ File: tls/tls_misc.c.
+
+20200617
+
+ Bugfix (introduced: Postfix 3.4): the connection_reuse
+ attribute in smtp_tls_policy_maps resulted in an "invalid
+ attribute name" error. Fix by Thorsten Habich. File:
+ smtp/smtp_tls_policy.c.
+
+20200618
+
+ Documentation: documented that smtp_line_length_limit=0
+ disables the feature, and made this more explicit in the
+ code by using the ENFORCING_SIZE_LIMIT macro. Files:
+ proto/postconf.proto, smtp/smtp_proto.c.
+
+20200619
+
+ Bugfix (introduced: Postfix 3.4): SMTP over TLS connection
+ reuse was broken for configurations that use explicit trust
+ anchors. Reported by Thorsten Habich. Cause: the tlsproxy
+ client was sending a zero certificate length. File:
+ tls/tls_proxy_client_print.c.
+
+ Bugfix: posttls-finger reported a conflict betwen -X and
+ -r when only -X was used. File: posttls-finger/posttls-finger.c.
+
+20200620
+
+ Bugfix (introduced: Postfix 3.4): SMTP over TLS connection
+ reuse was broken for configurations that use explicit trust
+ anchors. Reported by Thorsten Habich. Fixed by calling DANE
+ initialization unconditionally (WTF). File: tlsproxy/tlsproxy.c.
+
+20200626
+
+ Typo: in postconf(5) documentation, AAAAA should be AAAA.
+ Christian Franke. File: proto/postconf.proto.
+
+ Bugfix (introduced: Postfix 2.11): The Postfix smtp(8)
+ client did not send the right SNI name when the TLSA base
+ domain was a secure CNAME expansion of the MX hostname (or
+ non-MX nexthop domain). Domains with CNAME expanded MX hosts
+ are not conformant with RFC5321, and so are rare. Even more
+ rare are MX hosts with TLSA records for their CNAME expansion.
+ For this to matter, the remote SMTP server would also have
+ to select its certificate based on the SNI name in such a
+ way that the original MX host would yield a different
+ certificate. Among the ~2 million hosts in the DANE survey,
+ none meet the conditions for returning a different certificate
+ for the expanded CNAME. Therefore, sending the correct SNI
+ name should not break existing mail flows. Fixed by Viktor
+ Dukhovni. File: src/tls/tls_client.c.
+
+20200705
+
+ Cleanup: OpenSSL-1.1.1 is the minimum supported version.
+ This is an LTS (long-term support) version that will reach
+ the end of life by 2023-09-11. This removes support for
+ export ciphers.
+
+ This also changes the Postfix default fingerprint digest
+ from MD5 to SHA256, but only when the compatibility_level
+ is set to '3' or higher.
+
+ Code by Viktor Dukhovni. Files: global/mail_params.c,
+ global/mail_params.h, posttls-finger/posttls-finger.c,
+ proto/COMPATIBILITY_README.html, proto/TLS_README.html,
+ proto/postconf.proto, smtp/smtp.c, smtp/smtp_tls_policy.c,
+ smtpd/smtpd.c, smtpd/smtpd_check.c, tls/Makefile.in,
+ tls/tls.h, tls/tls_certkey.c, tls/tls_client.c, tls/tls_dane.c,
+ tls/tls_dh.c, tls/tls_misc.c, tls/tls_rsa.c, tls/tls_server.c,
+ tls/tls_verify.c.
+
+20200710
+
+ Security: added a section to the sendmail(1) manpage for
+ security researchers and application developers, with an
+ example of using '--' to disable command option processing
+ for user-specified data. File sendmail/sendmail.c.
+
+ Error reporting: added '--' to a postalias command line to
+ make an obsecure error message less confusing. File
+ sendmail/sendmail.c.
+
+ Conversion from Postfix built-in DANE support to OpenSSL
+ DANE support. Code by Viktor Dukhovni. Files:
+ posttls-finger/posttls-finger.c, proto/postconf.proto,
+ smtp/smtp.c, smtp/smtp_proto.c, smtp/smtp_tls_policy.c,
+ tls/Makefile.in, tlsproxy/tlsproxy.c, tls/tls_client.c,
+ tls/tls_dane.c, tls/tls_fprint.c, tls/tls.h, tls/tls_misc.c,
+ tls/tls_proxy_client_print.c, tls/tls_proxy_client_scan.c,
+ tls/tls_proxy_context_print.c, tls/tls_proxy_context_scan.c,
+ tls/tls_proxy.h, tls/tls_verify.c, util/hex_code.c.
+
+ Bugfix (introduced: Postfix 3.0): minor memory leaks in the
+ Postfix TLS library, found during tests. File: tls/tls_misc.c.
+
+20200712
+
+ Cleanup: non-TLS builds were failing. File: util/tls_misc.c.
+
+ Bugfix (introduced: Postfix 3.0): 4kbyte per session memory
+ leak in the Postfix TLS library, found during tests. File:
+ tls/tls_misc.c.
+
+20200718
+
+ Cleanup TLS library: coding style, additional error message,
+ additional handling of internationalized domain name, and
+ dropping an unused variable. Files: tls.h, tls_dane.c,
+ tls_proxy_client_scan.c, tls_client.c.
+
+ Noise suppression: shut up compilers that warn about
+ sizeof("text"). File: smtpstone/smtp-sink.c.
+
+20200719
+
+ Cleanup old API: mymemdup() should return "void *", the
+ same value type as its main argument, and the same result
+ type as mymalloc(). In a future update we can remove all
+ the noisy but unnecessary casts of their result values to
+ character pointer. Files: util/mymalloc.c, util/mymalloc.h.
+
+ Cleanup: don't split the sendmail -oA option value on comma
+ or whitespace, before passing the value to the postalias
+ command line. This results in unexpected behavior. File:
+ sendmail/sendmail.c.
+
+ Documentation: updated the manpage of the unprivileged(!)
+ sendmail(1) command with instructions to avoid privilege
+ esclation attacks in naive programs that run Postfix programs
+ with user-specified arguments. File: sendmail/sendmail.c.
+
+20200720
+
+ Bugfix (introduced: postfix 3.4): nullpointer dereference
+ in debug logging when tlsproxy is unavailable. File:
+ posttls-finger/posttls-finger.c.
+
+ Final cleanups of the peername matching code. File:
+ tls/tls_client.c.
+
+202000725
+
+ Documentation of how to set the minimum and maximum allowed
+ TLS protocol versions (these override system-wide OpenSSL
+ configuration), some related code cleanups including better
+ warning messages. Viktor Dukhovni. Files: proto/TLS_README.html,
+ proto/postconf.proto, global/mail_params.h,
+ posttls-finger/posttls-finger.c, tls/tls.h, tls/tls_client.c,
+ tls/tls_fprint.c, tls/tls_misc.c, tls/tls_server.c.
+
+ The Postfix TLS library did not override the system-wide
+ OpenSSL configuration of allowed TLS protocol versions, for
+ sessions where the remote SMTP client sends SNI. File:
+ tls/tls_server.c.
+
+20200726
+
+ Code health: the tls_get_signature_params() function reused
+ variable names for different objects that have up to three
+ different life-cycle management models. To avoid more
+ accidents we now use distinct names for distinct purposes.
+ File: tls/tls_misc.c.
+
+20200727
+
+ Code health: inet_proto_info() should return a const pointer.
+ This is global data that callers should not change. Files:
+ cleanup/cleanup_milter.c, global/haproxy_srvr.c,
+ global/mynetworks.c, global/normalize_mailhost_addr.c,
+ global/own_inet_addr.c, postscreen/postscreen_endpt.c,
+ posttls-finger/posttls-finger.c, qmqpd/qmqpd_peer.c,
+ smtpd/smtpd_check.c, smtpd/smtpd_peer.c, smtp/smtp_addr.c,
+ smtpstone/smtp-sink.c, util/inet_addr_host.c,
+ util/inet_addr_list.c, util/inet_addr_local.c, util/inet_connect.c,
+ util/inet_listen.c, util/inet_proto.c, util/inet_proto.h.
+
+20200728
+
+ Code health: deleted a mis-spelled macro from code and
+ documentation. Files: bounce/bounce_template.[hc].
+
+20200829
+
+ Other debt: updated the encoding in HTML from us-ascii to
+ utf-8. Files: mantools/makemanidx, mantools/make_soho_readme,
+ mantools/man2html, mantools/readme2html, proto/*_README.html,
+ proto/INSTALL.html, proto/postconf.html.prolog, html/index.html.
+
+20200830
+
+ Refactor: moved the SASL mechanism filter code from the
+ Postfix SMTP client to a library module, so that it can be
+ reused in the Postfix SMTP server. Files: smtp/smtp_sasl_proto.c,
+ global/sacl_mech_filter.[hc].
+
+ Bugfix (introduced: Postfix 2.0): smtp_sasl_mechanism_filter
+ ignored table lookup errors, treating them as 'not found'.
+ Found while refactoring code. File: smtp/smtp_sasl_proto.c.
+
+ Feature: smtpd_sasl_mechanism_list (default: !external,
+ static:rest) to avoid confusing errors when a SASL backend
+ wants to anounce EXTERNAL support for which Postfix support
+ does not exist. Files: smtpd/smtpd.[hc], smtpd_sasl_glue.[hc],
+ global/mail_params.h, proto/postconf.proto, mantools/postlink.
+
+20200906
+
+ Cleanup: missing file. File: src/postqueue/.indent.pro.
+
+ Cleanup: uninitialized value in unit test code. File:
+ global/haproxy_srvr.c.
+
+ Cleanup: duplicate 'const' in argument declaration. File:
+ src/global/sasl_mech_filter.c.
+
+20200906-18
+
+ Other debt: internal protocol identification. Each server
+ sends the name of the internal protocol that it implements,
+ and each client logs a warning if it receives the wrong
+ protocol name. With this, a client-server mismatch results
+ in a better error message. It is a good idea to "postfix
+ stop" before updating, or before backing out to an earlier
+ relase. To make this work consistently, a few internal
+ protocols were converted from "client speaks first" to
+ "server speaks first". Files: anvil/anvil.c, bounce/bounce.c,
+ cleanup/cleanup.c, flush/flush.c, global/abounce.c,
+ global/anvil_clnt.c, global/bounce.c, global/clnt_stream.c,
+ global/clnt_stream.h, global/defer.c, global/deliver_pass.c,
+ global/deliver_request.c, global/dict_proxy.c, global/flush_clnt.c,
+ global/mail_command_client.c, global/mail_proto.h,
+ global/mail_stream.c, global/mail_version.h, global/post_mail.c,
+ global/resolve_clnt.c, global/rewrite_clnt.c, global/scache_clnt.c,
+ global/trace.c, global/verify_clnt.c, local/forward.c,
+ master/event_server.c, master/mail_server.h, master/multi_server.c,
+ oqmgr/qmgr_deliver.c, pickup/pickup.c, postdrop/postdrop.c,
+ postqueue/postqueue.c, postscreen/postscreen_starttls.c,
+ proxymap/proxymap.c, qmgr/qmgr_deliver.c, scache/scache.c,
+ showq/showq.c, tls/tls_mgr.c, tls/tls_proxy_clnt.c,
+ tlsmgr/tlsmgr.c, tlsproxy/tlsproxy.c,
+ trivial-rewrite/trivial-rewrite.c, util/attr.h, util/attr_clnt.c,
+ util/attr_clnt.h, util/attr_print0.c, util/attr_print64.c,
+ util/attr_print_plain.c, util/attr_scan0.c, util/attr_scan64.c,
+ util/attr_scan_plain.c, util/auto_clnt.c, util/auto_clnt.h,
+ verify/verify.c.
+
+ Debt: during the conversion of some internal protocols to
+ "server speaks first", took the opportunity to improve how
+ event-driven client implementations handle a server that
+ is locked up. Files: global/abounce.c,
+ postscreen/postscreen_starttls.c.
+
+20200919
+
+ Cleanup: eliminated a silly optimization for lazy clients
+ that read the "server speaks first" protocol announcement
+ after sending a client request. Files: src/anvil/anvil.c,
+ src/bounce/bounce.c, src/flush/flush.c, src/global/abounce.c,
+ src/global/anvil_clnt.c, src/global/deliver_pass.c,
+ src/global/deliver_request.c, src/global/dict_proxy.c,
+ src/global/mail_command_client.c, src/global/mail_stream.c,
+ src/global/resolve_clnt.c, src/global/rewrite_clnt.c,
+ src/global/scache_clnt.c, src/global/verify_clnt.c,
+ src/local/forward.c, src/oqmgr/qmgr_deliver.c, src/pickup/pickup.c,
+ src/postqueue/postqueue.c, src/postscreen/postscreen_starttls.c,
+ src/proxymap/proxymap.c, src/qmgr/qmgr_deliver.c,
+ src/scache/scache.c, src/showq/showq.c, src/tlsmgr/tlsmgr.c,
+ src/tlsproxy/tlsproxy.c, src/tls/tls_mgr.c,
+ src/tls/tls_proxy_clnt.c, src/trivial-rewrite/trivial-rewrite.c,
+ src/verify/verify.c.
+
+ Cleanup: factored out some duplicate showq client code.
+ File: postqueue/postqueue.c.
+
+20200920
+
+ Cleanup: deleted the percentm module. It was obsoleted in
+ 19971027 by the vbuf_print() string formatter for VSTREAM
+ and VSTRING objects. Files: util/percentm.[hc].
+
+ Cleanup: replaced hard-coded 'private' with named constant.
+ File: global/scache_clnt.c.
+
+ Bugfix (introduced: Postfix 2.3): when deleting a recipient
+ with a milter, delete the recipient from the duplicate
+ filter, so that the recipient can be added back. Files:
+ global/been_here.[hc], cleanup/cleanup_milter.c,
+ cleanup/Makefile.in, lots of cleanup unit test files.
+
+20200925
+
+ Cleanup: vstream_fseek() support for reading or writing
+ memory buffer streams, and minor cleanups in VSTREAM support
+ for reading/writing VSTRINGs. Also added unit tests. Files:
+ util/vstream.c, util/vstring.h.
+
+ Bugfix (introduced: before Postfix alpha): the code that
+ looks for Delivered-To: headers ignored headers longer than
+ $line_length_limit. Also added unit tests. File:
+ global/delivered_hdr.c.
+
+20200930
+
+ Feature: when a Postfix program makes a DNS query that
+ requests DNSSEC validation (usually for Postfix DANE support)
+ but the DNS response is not DNSSEC validated, Postfix will
+ send a DNS query configured with the "dnssec_probe" parameter
+ to determine if DNSSEC support is available, and logs a
+ warning if it is not. By default, the probe has type "ns"
+ and domain name ".". The probe is sent once per process
+ lifetime. Files: dns/dns.h, dns/dns_lookup.c, dns/dns_sec.c,
+ test_dns_lookup.c, global/mail_params.[hc], mantools/postlink..
+
+20201003
+
+ The makedefs script no longer disables DNSSEC when Postfix
+ is built with libc-musl. Instead Postfix will rely on the
+ new dnssec_probe feature, and will log a warning when Postfix
+ requests DNSSEC validation, but the infrastructure does not
+ validate DNSSEC signatures. File: makedefs.
+
+ Cleanup: some wordsmithing of warnings when DNSSEC validation
+ is unavailable. File: dns/dns_sec.c.
+
+ Cleanup: add missing warnings for libpostfix version
+ mismatches. This will help folks with build processes that
+ mistakenly run newly-built Postfix installation commands
+ with previously-installed libpostfix files. Files:
+ postcat/postcat.c, postconf/postconf.c, postkick/postkick.c,
+ postlock/postlock.c.
+
+ Documentation: hyperlink occurrences of the info_log_address_format
+ parameter name in daemon manpages.
+
+20201005
+
+ Cleanup: move the submit_users check after the postdrop
+ initializations that strip the environment, set up signal
+ handlers, etc. File: postdrop/postdrop.c.
+
+ Documentation: descriptions of Postfix TLS wrappermode
+ support. File: proto/TLS_README.html, proto/SASL_README.html.
+
+20201011
+
+ Bugfix (introduced: Postfix 2.8): save a copy of the
+ postscreen_dnsbl_reply_map lookup result. This has no effect
+ when the recommended texthash: look table is used, but it
+ may avoid stale data with other lookup tables. File:
+ postscreen/postscreen_dnsbl.c.
+
+20201015
+
+ Documentation: simplified the recipient_delimiter
+ description. File: proto/postconf.proto.
+
+20201022
+
+ Bugfix (introduced: Postfix 2.2): after processing an
+ XCLIENT command, the smtps service was waiting for a TLS
+ handshake. Found by Aki Tuomi. File: smtpd/smtpd.c.
+
+20201025
+
+ Feature: local_login_sender_maps to lock down the envelope
+ sender addresses that the postdrop command will accept. The
+ default is backwards compatible. Developed with input from
+ Demi M. Obenour. Files: postdrop/postdrop.c, global/mail_params.h,
+ global/local_sender_login_match.[hc],
+ global/local_sender_login_match.in,
+ global/local_sender_login_match.ref, global/quote_822_local.c,
+ global/quote_822_local.in, global/quote_822_local.ref,
+ mantools/postlink, proto/postconf.proto.
+
+ Bugfix (introduced: Postfix 2.3): static maps did not free
+ their casefolding buffer. File: util/dict_static.c.
+
+20201026
+
+ Cleanup: changed the postdrop numerical UID prefix from "#"
+ to "uid:", and tweaked some local_login_sender_maps
+ documentation. Files: proto/postconf.proto, postdrop/postdrop.c.
+
+20201031
+
+ Cleanup: don't split a space-comma separated address list
+ on space or comma inside a quoted string. Files: util/mystrtok.c,
+ util/mystrtok.ref, global/login_sender_match.c.
+
+20201101
+
+ Cleanup: the default "smtp_tls_dane_insecure_mx_policy = dane"
+ was forcing too many A/AAAA lookups for MX hosts in DANE mode.
+ The default is now "dane" when smtp_tls_security_level is "dane".
+ otherwise it is "may". File: global/mail_params.h.
+
+20201104
+
+ Bugfix (introduced: Postfix 3.5): the Postfix SMTP client
+ broke message headers longer than $line_length_limit, causing
+ subsequent header content to become message body content.
+ Reported by Andreas Weigel, fix by Viktor Dukhovni. File:
+ smtp/smtp_proto.c.
+
+ Added missing employer attributions to .c and .h files.
+
+20201116
+
+ Documentation: document that check_mumble_mx_access will
+ look up A or AAAA records when a domain name has no MX
+ record, just like the Postfix SMTP client would. File:
+ proto/postconf.proto.
+
+20201122
+
+ Cleanup: log "Application error" instead of "Success" or
+ "Unknown error: 0" when an operation fails with errno ==
+ 0. File: util/vbuf_print.c.
+
+20201125
+
+ Documentation: in the cleanup(8) description of message
+ transformations, mention how some transformations are
+ controlled with the local_header_rewrite_clients,
+ always_add_missing_headers, and message_drop_headers parameter
+ settings. File: cleanup/cleanup.c.
+
+20201129
+
+ Cleanup: future-proofing a condition in delivered_hdr_init().
+ The code was not wrong, but the new code is more consistent
+ with new code in the bounce daemon where the difference does
+ matter. File: global/delivered_hdr.c
+
+20201205
+
+ Testing: generic test_main() routine to initialize configuration
+ parameters before running a test routine. Files:
+ global/test_main.[hc].
+
+ Feature: specify "enable_threaded_bounces = yes" to enable
+ bounce messages that link to the original message with a
+ References: and In-Reply_to: header. Based on code by Andreas
+ Thienemann. See RELEASE_NOTES for caveats. Files:
+ proto/postconf.proto, bounce/bounce_notify_tester.c, many
+ test data files to exercise corner cases.
+
+20201220
+
+ Infrastructure: support to add custom comparison operators
+ for Postfix configuration files. This will be used to implement
+ custom comparison operators for compatibility_level values
+ that contain both the Postfix major and minor version and
+ maybe patchlevel. Files: util/alldig.c, util/stringops.h,
+ util/mac_expand.[hc] and test files.
+
+20210102
+
+ Infrastructure: support for the <=level, <level, and other
+ operators to compare compatibility levels. With the standard
+ <=, <, etc. operators, compatibility level 3.10 would be
+ less than 3.9 which is undesirable. Files: global/compat_level.[hc]
+ and test files.
+
+20210107
+
+ Documentation: added lmdb to the postmap/postalias pages.
+ Files: postmap/postmap.c, postalias/postalias.c.
+
+20210109
+
+ Feature: support for compatibility levels of the form
+ "major.minor.patch". Files: global/mail_params.[hc],
+ master/master_ent.c, postconf/postconf.c, postfix/postfix.c,
+ proto/COMPATIBILITY_README.html, proto/postconf.proto.
+
+20210110
+
+ Documentation: the postfix(1) manpage missed some changes
+ that were introduced in the Postfix 3.0 development
+ cycle. File:postfix/postfix.c.
+
+ Bugfix: the 20210109 change broke 'postfix reload' for the
+ master daemon. File: global/mail_params.c.
+
+20210111
+
+ Cleanup: compiler warning for casting '0' to the wrong type
+ (zero impact). File: dns/dns_sec.c .
+
+ Cleanup: after back-porting the dnssec_probe implementation
+ to Postfix 3.5 and earlier versions, forward-ported some
+ comment and documentation changes to the 3.6 releases.
+ Files: proto/postconf.proto, RELEASE_NOTES, dns/dns.h.
+
+20210113
+
+ Workaround: STRREF() macro to shut up compiler warnings for
+ legitimate expressions involving string constants. Files:
+ util.stringops.h, flush/flush.c.
+
+20210130
+
+ Feature: with smtpd_relay_before_recipient_restrictions=yes,
+ the Postfix SMTP server will evaluate smtpd_relay_restrictions
+ before smtpd_recipient_restrictions. This is the default
+ behavior with compatibility_level >= 3.6. This makes the
+ implemented behavior consistent with existing documentation.
+ There is a backwards-compatibility warning that allows users
+ to freeze historical behavior. Files: mantools/postlink,
+ proto/COMPATIBILITY_README.html, proto/postconf.proto,
+ global/mail_params.c, global/mail_params.h, smtpd/smtpd.c,
+ smtpd/smtpd_check.c.
+
+20210201
+
+ Flipped a bit in the smtpd_relay_before_recipient_restrictions
+ implementation. File: smtpd/smtpd_check.c.
+
+20210206
+
+ Documentation: the inet_protocols default setting is compile-time
+ dependent. Files: proto/postconf.proto, proto/IPV6_README.html,
+ and documentation in smtpd/smtpd.c, smtp/smtp.c, master/master.c.
+
+20210212
+
+ Documentation: added a jq example to the postsuper(1) manpage.
+ File: postsuper/postsuper.c.
+
+20210216
+
+ Respectful code: avoid using terminology that implies white
+ is better than black. Instead, use 'allowlist', 'denylist',
+ and variations on those words. This continues work started
+ with Noel Jones a year ago.
+
+ Documentation: replaced white/blacklist with allow/denylist,
+ except in parameter names and logging. Files:
+ proto/ADDRESS_VERIFICATION_README.html, proto/cidr_table,
+ proto/OVERVIEW.html, proto/postconf.proto,
+ proto/POSTSCREEN_README.html, proto/SMTPD_ACCESS_README.html,
+ proto/SMTPD_POLICY_README.html, proto/STRESS_README.html,
+ dns/dns_lookup.c, dnsblog/dnsblog.c, global/server_acl.c,
+ postfix/postfix.c, postscreen/postscreen.c,
+ postscreen/postscreen_dnsbl.c, postscreen/postscreen_early.c,
+ postscreen/postscreen.h, postscreen/postscreen_misc.c,
+ postscreen/postscreen_smtpd.c, postscreen/postscreen_tests.c,
+ proxymap/proxymap.c, smtpd/smtpd.c, smtpd/smtpd_check.c,
+ smtpd/smtpd_dnswl.in, smtpd/smtpd_dnswl.ref, tlsproxy/tlsproxy.c,
+ verify/verify.c.
+
+20210220
+
+ Renamed postscreen_dnsbl_whitelist_threshold,
+ postscreen_blacklist_action, and postscreen_whitelist_interfaces,
+ with backwards-compatible default settings, and updated
+ documentation.
+
+ Forked POSTSCREEN_README for readability, to avoid deprecated
+ parameter names and logging examples. The historical parameter
+ names and logging are still described in POSTSCREEN_3_5_README.
+ Files: proto/Makefile.in, proto/POSTSCREEN_3_5_README.html,
+ proto/POSTSCREEN_README.html.
+
+ Renamed internal variables with names that contain 'white' or
+ 'black'. Files: postscreen/postscreen.c, postscreen/postscreen.h.
+
+ Feature: respectful_logging configuration parameter (the
+ default depends on the compatibility_level) to choose
+ between respectful and deprecated logging formats. Files:
+ mantools/postlink, proto/postconf.proto, global/mail_params.[hc],
+ postscreen/postscreen.c, proto/COMPATIBILITY_README.
+
+20210224
+
+ Typo: the "respectful_logging" parameter had a typo and a
+ "postscreen_" prefix that should have been deleted. File:
+ global/mail_params.h
+
+20210313
+
+ Documentation: enable_threaded_bounces also applies to
+ "success" and "delay" delivery status notiifications. File:
+ proto/postconf.proto.
+
+20210403
+
+ Missing null pointer checks (introduced: Postfix 3.4) after
+ an internal I/O error during the smtp(8) to tlsproxy(8)
+ handshake. Found by Coverity, reported by Jaroslav Skarvada.
+ Based on fix by Viktor Dukhovni. File: tls/tls_proxy_client_scan.c.
+
+ Null pointer bug (introduced: Postfix 3.0) and memory leak
+ (introduced: Postfix 3.4) after an inline: table syntax
+ error in main.cf or master.cf. Found by Coverity, reported
+ by Jaroslav Skarvada. Based on fix by Viktor Dukhovni. File:
+ util/dict_inline.c.
+
+ Incomplete null pointer check (introduced: Postfix 2.10)
+ after truncated HaProxy version 1 handshake message. Found
+ by Coverity, reported by Jaroslav Skarvada. Fix by Viktor
+ Dukhovni. File: global/haproxy_srvr.c.
+
+20210404
+
+ Unbroke a ton of regression tests after DNS-related changes.
+
+20210406
+
+ More specific warnings for incorrect net/mask syntax. Files:
+ util/cidr_match.c, util/dict_cidr.ref.
+
+20210410
+
+ Documentation: updated containerization suggestions in
+ the postfix(1) manpage. File: postfix/postfix.c.
+
+ Documentation: added text and ASCII art to illustrate how
+ tlsproxy(8) is used for outbound SMTP connection caching
+ and for inbound postscreen(8) TLS support. File:
+ proto/OVERVIEW.html.
+
+ Documentation: added text and ASCII art to illustrate how
+ postlogd(8) provides an alternative to syslog logging.
+ File: proto/OVERVIEW.html.
+
+20210411
+
+ Updated the missing null pointer check (introduced: Postfix
+ alpha) after null argv[0] value. File: global/mail_task.c.
+
+ Cleanup: added a test case for a missing haproxy v1 protocol
+ type, and improved the haproxy parser error messages. File:
+ global/haproxy_srvr.c.
+
+ Documentation: updated examples and TLS configuration. File
+ proto/CONNECTION_CACHE_README.html.
+
+20210418
+
+ Bitrot: new "known_tcp_ports" configuration parameter to
+ reduce Postfix dependency on the services(5) database.
+ There is no agreement about the name of the port 465 service:
+ the intersection of different systems is reportedly empty.
+ By default, Postfix now "knows" the port numbers for SMTP
+ services. Files: proto/postconf.proto, global/Makefile.in,
+ global/config_known_tcp_ports.c, global/config_known_tcp_ports.h,
+ global/config_known_tcp_ports.ref, global/mail_params.c,
+ global/mail_params.h, global/mail_version.h,
+ global/namadr_list.ref, master/master.c,
+ posttls-finger/Makefile.in, posttls-finger/posttls-finger.c,
+ smtp/Makefile.in, smtp/smtp.c, smtp/smtp_connect.c,
+ smtpd/smtpd.c, util/Makefile.in, util/find_inet.c,
+ util/known_tcp_ports.c, util/known_tcp_ports.h,
+ util/known_tcp_ports.ref, util/myaddrinfo.c.
+
+20210419
+
+ Bugfix (bug introduced 20210102): panic in some postconf
+ commands due to duplicate initialization of compatibility
+ level comparison operators. File: global/compat_level.c.
+
+ Cleanup: stricter parsing of known_tcp_port settings. Files:
+ util/argv_split_at.c, util/argv.h, global/config_known_tcp_ports.c.
+
+20210420
+
+ Documentation: typofixes by Paul Menzel. File: RELEASE_NOTES.
+
+ Documentation: numeric IP address examples. File: conf/master.cf.
+
+ Documentation: added "-Wl,-R,/path/to/directory" hints to
+ optional build instructions. Files: proto/DB_README.html,
+ proto/LDAP_README.html, proto/LMDB_README.html,
+ proto/MYSQL_README.html, proto/PGSQL_README.html,
+ proto/SASL_README.html, proto/SQLITE_README.html,
+ proto/TLS_README.html.
+
+20210422
+
+ Cleanup: in the Postfix SMTP and LMTP client, prepend Return-Path
+ and other headers in the same order as in other Postfix delivery
+ agents. Adi Prasaja. File: smtp/smtp_proto.c.
+
+20210428
+
+ Documentation: update by Paul Menzel. File: proto/SASL_README.html.
+
+20210529
+
+ Cleanup: simplified master.cf stanzas for the submission
+ and submissions (formerly: smtps) services, to avoid
+ surprising warnings for undefined mua_smtpd_xxx_restrictions
+ parameters. File: conf/master.cf.
+
+ Bugfix (introduced: Postfix 2.11): "postmap lmdb:/file/name"
+ handled duplicate keys ungracefully, with a dangling pointer
+ resulting in a double free() call with lmdb versions 0.9.17
+ and later. Reported by Adi Prasaja, root cause analysis by
+ Howard Chu. In addition, "postmap lmdb:/file/name" forgot
+ entries stored up to and including the duplicate key. File:
+ util/slmdb.c.
+
+20210605
+
+ Fixed a few more potential dangling pointer cases in the
+ LMDB client, future-proofing code paths that sofar aren't
+ used. File: util/slmdb.c.
+
+ Added LMDB integration tests using the postmmap command.
+ Files: postmap/Makefile.in, postmap/lmdb_abb, postmap/lmdb_abb.ref.
+
+ Cleanup: reset errno in the fail: database methods for
+ consistent error messages. File: util/dict_fail.c.
+
+ Cleanup: new vstream_control() option to give a memory stream
+ ownership of the underlying VSTRING. This simplifies resource
+ management for read-only streams. Files: util/vstream.[hc].
+
+ Cleanup: extpar() returns an error in case of a missing
+ initial '{', instead of aborting. This simplifies the
+ implementation of some callers. File: util/extpar.c.
+
+ Feature: inline pcre, regexp, and cidr table definition in main.cf
+ or master.cf, to improve their usability in matchlists. Files:
+ util/dict_stream.c, util/dict.h, util/dict_pcre.c,
+ util/dict_regexp.c, util/dict_cidr.c, and test files.
+
+ The smtpd_forbidden_commands default setting now also inludes
+ a regular expression regexp:{{/^[^A-Z]/ Bogus}} for bogus inputs.
+ File: global/mail_params.h.
+
+20210606
+
+ Cleanup: "Postfix is running with backwards-compatible..."
+ did not make sense when Postfix is down. File: postfix/postfix.c.
+
+ Cleanup: the postscreen BDAT handler now replies with "need
+ MAIL command" when the client did not provide a sender address.
+ File: postscreen/postscreen_smtpd.c.
+
+ Typo: silent_discard should be silent-discard. File:
+ proto/BDAT_README.html.
+
+20210610
+
+ Cleanup: escape non-printable characters in non-SMTP commands,
+ instead of replacing them with '?'. File: smtpd/smtpd.c.
+
+ Misc typofixes by Viktor Dukhovni. Files: conf/master.cf,
+ proto/regexp_table, proto/cidr_table.
+
+ Cleanup: simplify the LMDB error recovery code. File:
+ util/slmdb.c.
+
+20210615
+
+ Bugfix (introduced: Postfix 3.4): the texthash: map
+ implementation did not support "postmap -F" behavior.
+ Reported by Christopher Gurnee, who also found the missing
+ code in the postmap source. File: util/dict_thash.c.
+
+ Cleanup: documentation for the postmap -F option. File:
+ postmap/postmap.c.
+
+ Cleanup: simplify the LMDB error recovery code. File:
+ util/slmdb.c.
+
+20210623
+
+ Cleanup: the known_tcp_ports parameter was not hyperlinked.
+ File: mantools/postlink.
+
+ Bugfix: some strtou?l() calls had no 'errno=0' statement
+ before the call. Fixed with strtou?l() wrapper functions
+ that reset errno before calling strtou?l(), and calling
+ these from code that did not explicitly reset errno. Other
+ strtou?l() can be migrated later. Problem reported by David
+ Bohman. Files: util/sane_strtol.[hc], global/compat_level.c,
+ postscreen/postscreen_tests.c, util/mac_expand.c.
+
+20210705
+
+ Bugfix (introduced: Postfix 3.3): "null pointer read" error
+ in the cleanup daemon when "header_from_format = standard"
+ (the default as of Postfix 3.3) and email was submitted
+ with /usr/sbin/sendmail without From: header, and an all-space
+ full name was specified in 1) the password file, 2) with
+ "sendmail -F", or 3) with the NAME environment variable.
+ Found by Renaud Metrich. File: cleanup/cleanup_message.c.
+
+20210708
+
+ Bugfix (introduced: 1999): the Postfix SMTP server was
+ sending all session transcripts to the error_notice_recipient,
+ instead of sending transcripts of bounced mail to the
+ bounce_notice_recipient. Reported by Hans van Zijst. File:
+ smtpd/smtpd_chat.c.
+
+20210713
+
+ Bugfix (introduced: Postfix 2.4): false "too many reverse
+ jump" warnings in the showq daemon. The loop detection code
+ was comparing memory addresses instead of queue file names.
+ It now properly compares strings. Reported by Mehmet Avcioglu.
+ File: global/record.c.
+
+20210724
+
+ Cleanup: missing const in the 20210713 bugfix. File:
+ global/record.c.
+
+20210728
+
+ Bitrot: GLIBC 2.34 has closefrom(), and of course their
+ interface is different. File: util/sys_defs.h.
+
+20210804
+
+ Cleanup: replace ad-hoc object-to-VSTRING serialization with
+ attr_print*() based serialization. Files: tls/tls_proxy.h,
+ tls/tls_proxy_client_misc.c, tlsproxy.c/tlsproxy.c.
+
+ Cleanup: left-over code from a DANE on/off workaround. File:
+ tlsproxy.c/tlsproxy.c.
+
+20210806
+
+ Constified the object argument of functions that write objects
+ to VSTREAM. Files: global/bounce.c, global/defer.c,
+ global/deliver_pass.c, global/deliver_request.c,
+ global/dsn_print.c, global/dsn_print.h,
+ global/msg_stats.h, global/msg_stats_print.c,
+ global/rcpt_print.c, global/rcpt_print.h, global/trace.c,
+ milter/milter8.c, milter/milter.c, milter/milter.h,
+ milter/milter_macros.c, oqmgr/qmgr_deliver.c,
+ qmgr/qmgr_deliver.c, tls/tls_proxy_client_misc.c,
+ tls/tls_proxy_client_print.c, tls/tls_proxy_context_print.c,
+ tls/tls_proxy.h, tls/tls_proxy_server_print.c, util/argv_attr.h,
+ util/argv_attr_print.c, util/attr.h.
+
+20210810
+
+ Pedantism: the Postfix SMTP server now replies with status
+ 500 when a command is not recogized (status 502 is applicable
+ when a command is recognized but not implemented). File:
+ smtpd/smtpd.c.
+
+ Wordsmithing: in inet_connect() replaced "host/service xxx/yyy
+ not found" with "host or service xxx:yyy not found". The former
+ suggests UNIX-domain pathname syntax which is confusing. File:
+ until/inet_connect.c.
+
+20210815
+
+ To make the maillog_file feature more useful, the postlog(1)
+ command is now set-gid postdrop, so that unprivileged
+ programs can write logging through the postlogd(8) daemon.
+ Adopted some code from postqueue(1) and postdrop(1) to
+ harden postlog(1) against privilege escalation attacks.
+ Files: postlog/postlog.c, conf/postfix-files.
+
+ Hardening: specify smtpd_per_request_deadline=yes to limit
+ the combined amount of time to receive a complete SMTP
+ request and to send a complete SMTP response. Specify
+ smtpd_min_data_rate to enforce a minimum data rate during
+ DATA and BDAT. This replaces smtpd_per_record_deadline; the
+ new smtpd_per_request_deadline parameter has a backwards-
+ compatible default value.
+
+ Hardening: specify {smtp,lmtp}_per_request_deadline=yes to
+ limit the combined amount of time to send a complete SMTP
+ request and to receive a complete SMTP response. Specify
+ {smtp,lmtp}_min_data_rate to enforce a minimum data rate
+ during DATA. This replaces {smtp,lmtp}_per_record_deadline.
+ The new {smtp,lmtp}_per_request_deadline parameters have a
+ backwards-compatible default value.
+
+ Minor text and code cleanups. File: postlog/postlog.c.
+
+20210925
+
+ Prevent sharing of xxx_tls_session_cache_database instances
+ between different Postfix instances when a database is
+ not multi-writer safe. Like postscreen(8) and verify(8),
+ open such a database with a permanent lock, and raise
+ a fatal error when that database is already opened as
+ xxx_tls_session_cache_database. File: src/tls/tls_scache.c.
+
+ Bugfix (bug introduced: Postfix 2.10): postconf -x produced
+ incorrect output, because different functions were implicitly
+ sharing a buffer for intermediate results. Reported by raf, root
+ cause analysis by Viktor Dukhovni, and Wietse eliminated the
+ underlying anti-pattern. Files: postconf/postconf_builtin.c,
+ postconf/postconf_dbms.c, postconf/postconf_lookup.c,
+ postconf/postconf_main.c, postconf/postconf_master.c.
+
+ Documentation: missing lmtp_tls_wrappermode parameter
+ documentation. Viktor Dukhovni. Files: mantools/postlink,
+ proto/postconf.proto.
+
+20210926
+
+ OpenSSL 3.0.0 feature and bitrot updates. Viktor Dukhovni.
+ Files: proto/FORWARD_SECRECY_README.html, proto/postconf.proto,
+ tls/tls_client.c, tls/tls_dh.c, tls/tls.h, tls/tls_misc.c,
+ tls/tls_server.c/^+
+
+ Cleanup: don't hyperlink text that is already hyperlinked.
+ File: mantools/postlink.
+
+20211002
+
+ Bugfix (introduced: Postfix 3.3): the header_from_format
+ feature was not implemented for From: headers from the
+ bounce daemon, and for Postfix SMTP server and client
+ postmaster notifications. Reported by Vladimir Mishonov.
+ Files: bounce/bounce.c, bounce/bounce_notify_util_tester.c,
+ bounce/bounce_service.h, bounce/bounce_template.c,
+ bounce/bounce_template.h, bounce/bounce_templates.c,
+ cleanup/cleanup.h, cleanup/cleanup_init.c,
+ cleanup/cleanup_message.c, smtp/lmtp_params.c, smtp/smtp.c,
+ smtp/smtp.h, smtp/smtp_chat.c, smtp/smtp_params.c,
+ smtpd/smtpd.c, smtpd/smtpd.h, smtpd/smtpd_chat.c, and test
+ data.
+
+20211006
+
+ Documentation: http://tools.ietf.org/html/rfc[0-9]+ sometimes
+ does not redirect to the https site. Max-Julian Pogner.
+ Fixed by updating mantools/postlink and rebuilding the HTML
+ files that reference RFCs.
+
+20211016
+
+ Documentation: clarified the difference between private and
+ public services in master.cf. File: proto/master.
+
+20211022
+
+ Bugfix (introduced: Postfix 3.6): the known_tcp_ports setting
+ had no effect. Reported by Peter. The feature wasn't fully
+ implemented. Files: config_known_tcp_ports.c, mail_params.c,
+ posttls-finger/posttls-finger.c, smtp/smtp_connect.c,
+ util/find_inet.c, util/myaddrinfo.c.
+
+20211023
+
+ Documentation: fixed a jq example in the postsuper manpage, to
+ delete the quotes around a queue ID. File: postsuper/postsuper.c.
+
+ Cleanup: with "smtputf8_enable = yes" (the default), the
+ postscreen(8) dummy SMTP engine will no longer log a "non-UTF-8
+ key" warning when a remote SMTP client sends garbage. Instead,
+ postscreen(8) will reject the command with the same server
+ response as smtpd(8). File: postscreen/postscreen_smtpd.c.
+
+20211025
+
+ Bugfix (introduced: Postfix 3.6): mangled warning where a
+ hostname and warning message ran together. Viktor Dukhovni.
+ File: tls/tls_dane.c.
+
+20211026
+
+ Feature: with "smtp_bind_address_enforce = yes" the Postfix
+ SMTP client will defer delivery when it is unable to apply
+ the smtp_bind_address or smtp_bind_address6 setting. By
+ default, the Postfix SMTP client continues with delivery,
+ after logging a warning. File: src/smtp/smtp_connect.c.
+
+20211027
+
+ Documentation: readability fix for the text about automatic
+ or explicit daemon restart (postfix reload) after LMDB table
+ change. raj. File: proto/lmdb_table.
+
+ Safety: the postqueue command now sanitizes strings before they
+ are formatted as json output or legacy output. These outputs are
+ piped into other programs that are run by administrative
+ users. This closes a hypothetical opportunity for privilege
+ escalation. Files: util/attr.h, util/attr_scan*.c,
+ postqueue/showq_json.c, postqueue/showq_compat.c.
+
+20211030
+
+ Bugfix: check_ccert_access worked as expected, but produced
+ a spurious warning when Postfix was built without SASL
+ support. Fix by Brad Barden. File: smtpd/smtpd_check.c.
+
+20211102
+
+ Bugfix for smtp_bind_address_enforce (change 20211026), file
+ descriptor leak. Found by Viktor. File: smtp/smtp_connect.c.
+
+20211105
+
+ Bugfix (introduced: Postfix 2.4): queue file corruption
+ after a Milter (for example, MIMEDefang) made a request to
+ replace the message body with a copy of that message body
+ plus additional text (for example, a SpamAssassin report).
+
+ The most likely impacts were a) the queue manager reporting
+ a fatal error resulting in email delivery delays, or b) the
+ queue manager reporting the corruption and moving the message
+ to the corrupt queue for damaged messages.
+
+ However, a determined adversary could craft an email message
+ that would trigger the bug, and insert a content filter
+ destination or a redirect email address into its queue file.
+ Postfix would then deliver the message headers there, in
+ most cases without delivering the message body. With enough
+ experimentation, an attacker could make Postfix deliver
+ both the message headers and body.
+
+ The details of a successful attack depend on the Milter
+ implementation, and on the Postfix and Milter configuration
+ details; these can be determined remotely through
+ experimentation. Failed experiments may be detected when
+ the queue manager terminates with a fatal error, or when
+ the queue manager moves damaged files to the "corrupt" queue
+ as evidence.
+
+ Technical details: when Postfix executes a "replace body"
+ Milter request it will reuse queue file storage that was
+ used by the existing email message body. If the new body
+ is larger, Postfix will append body content to the end of
+ the queue file. The corruption happened when a Milter (for
+ example, MIMEDefang) made a request to replace the body of
+ a message with a new body that contained a copy of the
+ original body plus some new text, and the original body
+ contained a line longer than $line_length_limit bytes (for
+ example, an image encoded in base64 without hard or soft
+ line breaks). In queue files, Postfix stores a long text
+ line as multiple records with up to $line_length_limit bytes
+ each. Unfortunately, Postfix's "replace body" support did
+ not account for the additional queue file space needed to
+ store the second etc. record headers. And thus, the last
+ record(s) of a long text line could overwrite one or more
+ queue file records immediately after the space that was
+ previously occupied by the original message body.
+
+ Problem report by Benoît Panizzon.
+
+20211107
+
+ Additional postcat flags for debuging a corrupted queue
+ file (-s: skip to offset; -r: don't follow pointer records).
+ File: postcat/postcat.c.
+
+20211110
+
+ Minor edits of 20211107 postcat changes. File: postcat.c.
+
+ Regression prevention: added sanity check in the queue file
+ editing code. File: cleanup/cleanup_body_edit.c
+
+ Regression prevention: copied a queue file record typecheck
+ from the pickup daemon. Files: *qmgr/qmgr_message.c.
+
+20211115
+
+ Bugfix (introduced: 20210708): duplicate bounce_notice_recipient
+ entries in postconf output. The fix to send SMTP session
+ transcripts to bounce_notice_recipient was incomplete.
+ Reported by Vincent Lefevre. File: smtpd/smtpd.c.
+
+20211127
+
+ Feature: support for the pcre2 library (the legacy pcre
+ library is still supported). See RELEASE_NOTES for details.
+ Files: makedefs, util/dict_open.c, util.dict_pcre.c,
+ proto/pcre_table, proto/PCRE_README.html.
+
+20211129
+
+ Portability: defines for FreeBSD <= 14.x, OpenBSD 7.x, NetBSD <=
+ 10.x. Brad Smith. Files: makedefs, util/sys_defs.h.
+
+20211202
+
+ Cleanup: warning messages when a Diffie-Hellman parameter
+ file cannot be opened or parsed. Viktor Dukhovni. File:
+ tls/tls_dh.c.
+
+20211204
+
+ Cleanup: parameter descriptions in manpages were frozen in the
+ past. Files: proto/aliases, src/local/local.c, src/pipe/pipe.c,
+ src/qmqpd/qmqpd.c, src/trivial-rewrite/trivial-rewrite.c.
+
+ Documentation: added a "howto tip" to the stock main.cf
+ file. File: conf/main.cf
+
+20211211
+
+ Logging: the Postfix SMTP client logs an info message when it
+ breaks a long line with "<CR><LF><SP>".
+
+20211216
+
+ Bugfix (introduced: Postfix 3.0): the proxymap daemon did not
+ automatically authorize proxied maps inside pipemap (example:
+ pipemap:{proxy:maptype:mapname, ...}) or inside unionmap. Problem
+ reported by Mirko Vogt. Files: proxymap/proxymap.c.
+
+20211218
+
+ Typo fixes based on automated scans of C source code comments.
+ Verified that the .o files have not changed. Files:
+ bounce/bounce_notify_util.c, cleanup/cleanup_api.c,
+ cleanup/cleanup_message.c, dns/dns_lookup.c, flush/flush.c,
+ global/compat_level.c, global/db_common.c,
+ global/deliver_request.c, global/dict_ldap.c, global/dict_sqlite.c,
+ global/dynamicmaps.c, global/mail_conf_time.c, global/mail_copy.c,
+ global/mail_params.h, global/mail_proto.h, global/memcache_proto.c,
+ global/normalize_mailhost_addr.c, global/quote_822_local.c,
+ global/test_main.c, global/verify.c, global/verify_sender_addr.c,
+ local/unknown.c, master/dgram_server.c, master/event_server.c,
+ master/multi_server.c, master/single_server.c,
+ master/trigger_server.c, oqmgr/qmgr_entry.c,
+ postconf/postconf_dbms.c, postconf/postconf_master.c,
+ postconf/postconf_user.c, postdrop/postdrop.c, postmap/postmap.c,
+ postmulti/postmulti.c, postqueue/showq_compat.c,
+ postscreen/postscreen_smtpd.c, postscreen/postscreen_starttls.c,
+ posttls-finger/posttls-finger.c, proxymap/proxymap.c,
+ qmgr/qmgr_entry.c, qmqpd/qmqpd_peer.c, smtp/smtp.h,
+ smtp/smtp_proto.c, smtpd/smtpd_check.c, smtpd/smtpd_peer.c,
+ tls/tls_certkey.c, tls/tls_client.c, tls/tls_fprint.c,
+ tls/tls_misc.c, tls/tls_server.c, tlsmgr/tlsmgr.c,
+ tlsproxy/tlsproxy.c, trivial-rewrite/resolve.c,
+ trivial-rewrite/transport.c, trivial-rewrite/trivial-rewrite.c,
+ util/argv.c, util/dict_cache.c, util/dict_cdb.c, util/dict_file.c,
+ util/dict_random.c, util/dict_random.h, util/dict_thash.c,
+ util/dup2_pass_on_exec.c, util/edit_file.c, util/extpar.c,
+ util/gccw.c, util/mac_expand.c, util/mac_expand.h,
+ util/myaddrinfo.c, util/name_mask.c, util/sane_link.c,
+ util/sane_rename.c, util/unix_dgram_connect.c,
+ util/unix_dgram_listen.c, util/unix_pass_fd_fix.c,
+ util/vstring.c, xsasl/xsasl_dovecot_server.c.
+
+ Typo fixes based on automated scans of other files. Files:
+ auxiliary/qshape/qshape.pl, conf/post-install,
+ conf/postmulti-script, makedefs, postfix-install,
+ proto/postconf.proto, TLS_ACKNOWLEDGEMENTS, TLS_CHANGES.
+
+ Documentation: added a note to the cidr_table manpage that
+ with an inline CIDR map, "$" needs to be specified as "$$"
+ to avoid $name expansion surprises. File: proto/cidr_table.
+
+20211220
+
+ Bugfix (introduced: Postfix 2.5): off-by-one error while
+ writing a string terminator. This code had passed all memory
+ corruption tests, presumably because it wrote over an
+ alignment padding byte, or over an adjacent character byte
+ that was never read. Reported by Robert Siemer. Files:
+ *qmgr/qmgr_feedback.c.
+
+ Typo fixes from Raf, based on manual inspection. Verified
+ that the .o files have not changed. Files: conf/main.cf,
+ mantools/postlink, proto/ADDRESS_REWRITING_README.html,
+ proto/BACKSCATTER_README.html,
+ proto/BASIC_CONFIGURATION_README.html, proto/BDAT_README.html,
+ proto/BUILTIN_FILTER_README.html, proto/COMPATIBILITY_README.html,
+ proto/CONNECTION_CACHE_README.html, proto/DATABASE_README.html,
+ proto/DEBUG_README.html, proto/FORWARD_SECRECY_README.html,
+ proto/INSTALL.html, proto/IPV6_README.html, proto/LDAP_README.html,
+ proto/LINUX_README.html, proto/MAILLOG_README.html,
+ proto/MILTER_README.html, proto/MULTI_INSTANCE_README.html,
+ proto/MYSQL_README.html, proto/POSTSCREEN_3_5_README.html,
+ proto/POSTSCREEN_README.html, proto/QSHAPE_README.html,
+ proto/SASL_README.html, proto/SCHEDULER_README.html,
+ proto/SMTPD_ACCESS_README.html, proto/SMTPD_POLICY_README.html,
+ proto/SMTPD_PROXY_README.html, proto/SMTPUTF8_README.html,
+ proto/SQLITE_README.html, proto/STANDARD_CONFIGURATION_README.html,
+ proto/STRESS_README.html, proto/TLS_LEGACY_README.html,
+ proto/TLS_README.html, proto/TUNING_README.html,
+ proto/VIRTUAL_README.html, proto/access, proto/canonical,
+ proto/generic, proto/ldap_table, proto/master, proto/mysql_table,
+ proto/pgsql_table, proto/postconf.proto, proto/relocated,
+ proto/sqlite_table, proto/transport, proto/virtual,
+ global/mail_version.h, local/local.c, pipe/pipe.c,
+ postalias/postalias.c, postconf/postconf.c, postfix/postfix.c,
+ postmap/postmap.c, postmulti/postmulti.c,
+ posttls-finger/posttls-finger.c, sendmail/sendmail.c,
+ smtpstone/smtp-sink.c, tlsproxy/tlsproxy.c,
+ trivial-rewrite/trivial-rewrite.c, virtual/virtual.c.
+
+20211221
+
+ Documentation: reverted some postconf(5) changes from
+ "Specify a non-zero time value" to "Specify a non-negative
+ time value". File: proto/postconf.proto.
+
+ Documentation: reverted "destination concurrency limit" to
+ "destination recipient limit". File: proto/SCHEDULER_README.html.
+
+ Documentation: rephrased conditional $name expositions for
+ forward_path and command_execution_directory. File:
+ local/local.c.
+
+ Documentation: added Postfix 3.0 syntax to postconf(5)
+ descriptions of command_execution_directory, default_rbl_reply,
+ forward_path, luser_relay, recipient_delimiter. File:
+ proto/postconf.proto.
+
+ Documentation: updated descriptions of smtpd_error_sleep_time
+ and smtpd_soft_error_limit. File: proto/postconf.proto.
+
+ Fixed non-UTF8 quotes in TLS_CHANGES that caused nvi to
+ truncate the file.
+
+ Fixed a remaining typo in util/load_lib.c.
+
+20211222
+
+ Added a top-level 'make typo-check' target to automate
+ the typo checks (this only works on Wietse's development
+ system, because it depends on specific implementations of
+ spell and lynx). Files: Makefile.in, mantools/comment.c,
+ mantools/deroff, mantools/check-double-cc,
+ mantools/check-double-install-proto-text,
+ mantools/check-double-proto-html, mantools/check-spell-cc,
+ mantools/check-spell-install-proto-text,
+ mantools/check-spell-proto-html, proto/stop, proto/stop.double-cc,
+ proto/stop.double-install-proto-text, proto/stop.double-proto-html,
+ proto/stop.spell-cc, proto/stop.spell-proto-html.
+
+ Cleanup: manpages don't need \' - that causes groff to emit
+ non-ASCII text (depending on the locale). Christian Goettsche.
+ Files: sendmail/sendmail.c, spawn/spawn.c.
+
+20211223
+
+ Report unsupported usage. Do not link Postfix database
+ plugins against libpostfix-util or libpostfix-global. This
+ introduces false build dependencies. File: makedefs.
+
+ Report unsupported usage. Do not build with LD_LIBRARY_PATH.
+ File: makedefs.
+
+ Documented the implementation-dependent mailbox_size_limit
+ and message_size_limit maximal values. File: proto/postconf.proto.
+
+ Cleanup: make typo-check tests portable across differernt
+ spellcheck implementations. Files: proto/stop.spell-proto-html,
+ proto/stop.spell-cc.
+
+ Cleanup: added missing parameters to the mantools/postlink
+ script, based on output from the mantools/check-postlink
+ script.
+
+ Cleanup: added missing _maps parameter names to the
+ proxy_read_maps default value, based on output from the
+ mantools/missing-proxy-read-maps script. File:
+ global/mail_params.h.
+
+ Sanity: added LANG=C to the typo-check scripts to get
+ consistent output. Files: mantools/check-spell-proto-html,
+ mantools/check-spell-install-proto-text, mantools/check-spell-cc,
+ mantools/check-double-proto-html,
+ mantools/check-double-install-proto-text, mantools/check-double-cc.
+
+20211224
+
+ Cleanup: some compilter complains about indentation in a
+ multiline macro. File: util/dict_db.c.
+
+20211231
+
+ Cleanup: informative error message after failure to connect
+ to 'dovecot' socket. File: src/xsasl/xsasl_dovecot_server.c.
+
+20220101
+
+ Cleanup: AppArmor may return EPERM for permission errors.
+ This could result in a false "mail system is down" error
+ message from the postqueue command. File: postqueue/postqueue.c.
+
+202220102
+
+ Cleanup: log the reason why the postqueue command thinks
+ that the mail system is down, in case some security software
+ or kernel bug emits a weird error. File: postqueue/postqueue.c.
+
+ Robustness: randomize the initial state of Postfix in-memory
+ hash tables, to defend against collision attacks involving
+ a large number of attacker-chosen lookup keys. Presently,
+ the only known opportunity for such attacks involves remote
+ SMTP client IPv6 addresses in the anvil service. Other
+ tables with attacker-chosen lookup keys are limited in size.
+ The fix is cheap, and therefore implemented for all Postfix
+ in-memory hash tables. Problem reported by Pascal Junod.
+ File: util/htable.c.
+
+20210103
+
+ Documentation: CIDR example for mynetworks. Scott Kitterman.
+ File: proto/postconf.proto.
+
+ Updated the hash function to make the distance between
+ colliding inputs seed-dependent, which is really the only
+ property that we needed. File: util/htable.c.
+
+20210105
+
+ Cleanup: deleting the \ before \' broke other things. Now
+ we need to escape \ at the start of an nroff input line.
+ Files: mantools/postconf2man, mantools/srctoman.
+
+20220107
+
+ Updated the hash function to avoid losing state when an
+ input byte is 0 (can never happen with a null-terminated
+ string, but makes the hash function usable in other contexts.
+ File: util/htable.c.
+
+20220116
+
+ Added more pre-release checks: missing postlink rules,
+ missing maps in proxy_read_maps. File: Makefile.in.
+
+20220117
+
+ Cleanup: the nullmx_reject_code parameter was removed from
+ Postfix 3.0 before it was released, but the manpage was not
+ updated. File: proto/postconf.proto.
+
+ Cleanup: after seeking past the end of a writable memory-backed
+ VSTREAM (i.e. backed by a VSTRING), write nulls over the
+ newly allocated bytes. This behavior is compatible with
+ seeking past the end of a writable regular file. File:
+ util/vstream.c.
+
+ Cleanup: unit tests. File: cleanup/cleanup_milter.c.
+
+ Cleanup: disable hash-table seed in unit tests. Many
+ Makefiles, some unit test 'reference' files.
+
+ Bugfix (documented but not implemented since Postfix 2.2):
+ missing support for [address] in smtp_bind_address and
+ smtp_bind_address6. Reported by Vincent Pelletier. File:
+ smtp/smtp_connect.c.
+
+20220119
+
+ Cleanup: the 20211211 change could result in logfile spam.
+ Added a 1-bit counter to log "breaking long line" only once per
+ delivery request. File: smtp/smtp_proto.c.
+
+20220121
+
+ Cleanup: added a pre-release check for missing entries
+ in postfix-files. Problem reported by Jaroslav Skarvada.
+ Files: Makefile.in, conf/postfix-files,
+ mantools/check-postfix-files. Deleted: CYRUS_README.
+
+ Cleanup: added the RELEASE_NOTES file to the pre-release
+ checks, after Viktor Dukhovni reported a typo. Files:
+ mantools/check-double-install-proto-text,
+ mantools/check-spell-install-proto-text.
+
+ Cleanup: for consistent parameter naming (tlsproxy_client_xxx
+ corresponds to smtp_tls_xxx), renamed tlsproxy_client_level
+ to tlsproxy_client_security_level, and tlsproxy_client_policy
+ to tlsproxy_client_policy_maps, with backwards-compatible
+ defaults and updated documentation. Problem reported by
+ Raf. Files: global/mail_params.h, mantools/postlink,
+ postconf/postconf_builtin.c.
+
+20220123
+
+ Documentation: added LINUX_README sections for logging in
+ a container, and for systemd logging workarounds. File:
+ proto/LINUX_README.hmtl.
+
+20220126
+
+ Added defensive logging while waiting for the master daemon
+ to initialize in the background. File: master/master_monitor.c.
+
+20220127
+
+ Cleanup: smtpprox hyperlink. File: proto/FILTER_README.html.
+
+20220128
+
+ Cleanup: standardize on FNV hash, after having verified
+ that collisions will change with the hash seed value, and
+ that the collision rate is low. Files: util/htable.c,
+ util/hash_fnv.[hc].
+
+20220129
+
+ Cleanup: factored out the non-cryptographic seeder. Files:
+ ldseed.[hc].
+
+20220130
+
+ Cleanup: added a binhash unit test, and updated the htable
+ unit test. Files: util/Makefile.in, util/binhash.[hc],
+ util/htable.c.
+
+ Cleanup: names of hash_fnv(3) build options. File: hash:fnv.c.
+
+20220202
+
+ Bitrot: Berkeley DB 18 is like Berkeley DB 6. Yasuhiro
+ Kimura. File: util/dict_db.c.
+
+20220204
+
+ Updated collate.pl script for better tracking when a
+ Milter rejects, discards, or quarantines a message. Viktor
+ Dukhovni. File: auxiliary/collate/collate.pl.
+
+20220212
+
+ Cleanup: removed WISHLIST items that were recently fixed.
+
+20220217
+
+ Typo: "pcre2 --libs" should be "pcre2 --libs8". Reported by
+ Carlos Velasco. File proto/PCRE_README.html.
+
+ Future proofing: added comments on the purpose of address
+ sanitization. File: showq/showq.c.
+
+20220220
+
+ Added a hash_fnvz() function to eliminate unnecessary strlen()
+ calls, and added regression tests. File: util/hash_fnv.c,
+ util/htable.c.
+
+ Cleanup: unused initialization. File: util/make_dirs.c
+
+20220222
+
+ Documentation: updated comment text. File: util/hash_fnv.c.
+
+20220312
+
+ Cleanup: when a main.cf like file may have changed while
+ it was read, forget the settings before re-reading the file.
+ File: util/dict.c.
+
+20220322
+
+ Cleanup: added missing _checks, _reply_footer, _reply_filter,
+ _command_filter, and _delivery_status_filter parameter names
+ to the proxy_read_maps default value. Files: global/mail_params.h,
+ mantools/missing-proxy-read-maps.
+
+20220325
+
+ Documentation: how to stop recursion in virtual_alias_maps.
+ File: proto/virtual.
+
+20220330
+
+ Documentation: updated the postlogd(8) daemon manpage,
+ adding that the Postfix >= 3.7 postlog(1) command can run
+ with setgid permissions. File: postlogd/postlogd.c.
+
+20220403
+
+ (Rolled back because there was too much collateral damage)
+ Cleanup: milter_header_checks maps are now opened before the
+ cleanup server enters the chroot jail. Files: cleanup/cleanup.h,
+ cleanup/cleanup_init.c, cleanup/cleanup_milter.c,
+ global/header_body_checks.c, global/header_body_checks.h,
+ global/maps.c, global/maps.h, smtp/smtp.c.
+
+20220404
+
+ Bugfix: in an internal client module, "host or service not
+ found" was a fatal error, causing the milter_default_action
+ setting to be ignored. It is now a non-fatal error. The
+ same client is used by many Postfix clients (smtpd_proxy,
+ dovecot auth, tcp_table, memcache, socketmap, and so on).
+ Problem reported by Christian Degenkolb. File: util/inet_connect.c.
+
+20220407
+
+ Documentation: updated the firewall/gateway example to use
+ the "relay" transport to forward inbound messages. File:
+ proto/STANDARD_CONFIGURATION_README.html
+
+ Documentation: updated smtp_fallback_relay description.
+ The text was based on an early Postfix implementation.
+ File: proto/postconf.proto.
+
+ Cleanup (problem introduced: Postfix 2.7): milter_header_checks
+ maps are now opened before the cleanup server enters the
+ chroot jail. Problem reported by Jesper Dybdal. Files:
+ cleanup/cleanup.h, cleanup/cleanup_init.c,
+ cleanup/cleanup_milter.c, cleanup/cleanup_state.c.
+
+20220407
+
+ Feature: the policy delegation protocol now sends a
+ "compatibility_level" attribute with the value of the
+ compatibility_level configuration parameter. Files:
+ global/mail_proto.h, smtpd/smtpd_check.c,
+ proto/SMTPD_POLICY_README.html.
+
+20220415
+
+ Cleanup (problem introduced: Postfix 3.0): with dynamic map
+ loading enabled, an attempt to create a map with "postmap
+ regexp:path" would result in a bogus error message "Is the
+ postfix-regexp package installed?" instead of "unsupported
+ map type for this operation". This happened with all built-in
+ map types (static, cidr, etc.) that have no 'bulk create'
+ support. Problem reported by Greg Klanderman. File:
+ global/dynamicmaps.c.
+
+20220417
+
+ Bugfix (introduced: 20220406): reset the milter_header_checks
+ response buffer, so that a negative response for one email
+ message will not be applied to a later email message that is
+ handled by the same cleanup process. File:
+ cleanup/cleanup_milter.c.
+
+20220421
+
+ Bugfix (introduced: Postfix 3.7): reverted an overly complex
+ change in the postscreen SMTP engine from 20211023, and
+ replaced it with a much simpler change. The bad change was
+ segfaulting on some systems after receiving malformed input
+ (for example, TLS "hello"). File: postscreen/postscreen_smtpd.c.
+
+ Under conditions described below, the postscreen program
+ attempted to read through an uninitialized 'const' pointer.
+ The pointer value depended on the compiler type and compiler
+ options, but crucially, it did not depend on network inputs.
+
+ The conditions were that SMTPUTF8 support was enabled (the
+ default), and that postscreen received non-UTF8 input, for
+ example, a TLS or RDP handshake request.
+
+ Depending on compiler details, the result of the read
+ operation could be uninteresting, a combined memory leak
+ and file handle leak, or a segmentation violation (signal
+ 11).
+
+ The segmentation violation result was reported by Michael
+ Grimm who used a FreeBSD 13.1 early version. The result was
+ "uninteresting" with FreeBSD 13.0. Both FreeBSD systems use
+ Clang instead of GCC. The result was also "uninteresting"
+ on Linux-based systems that use GCC, or on a few older
+ systems that use GCC.
+
+20220427
+
+ Cleanup: incorrect error message after postscreen received
+ a STARTTLS command with too many arguments. File:
+ postscreen/postscreen_smtpd.c.
+
+20220429
+
+ Noise: shut up a useless warning. File: cleanup_map1n.c.
+
+ Documentation: IPv6 support, by Pau Amma. Files: proto/INSTALL,
+ proto/IPV6_README.html.
+
+20220501
+
+ Cleanup: merged the infrastructure that "knows" which tables
+ are created with "postmap" or "postalias", with infrastructure
+ that has other information about lookup tables. The old design
+ pre-dated dynamically-loaded table drivers, and was difficult
+ to maintain.
+
+ The following files were moved from the "global" directory to
+ the "util" directory: src/util/mkmap.h, src/util/mkmap_cdb.c,
+ src/util/mkmap_db.c, src/util/mkmap_dbm.c, src/util/mkmap_fail.c,
+ src/util/mkmap_lmdb.c, src/util/mkmap_open.c,
+ src/util/mkmap_sdbm.c.
+
+ The corresponding postfix-xxx.so shared objects are now created
+ by util/Makefile instead of global/Makefile. There is no change
+ in how these files are installed or deployed.
+
+ Other files affected by this change: src/util/dict_open.c,
+ src/global/dynamicmaps.c, src/global/mail_version.h,
+ src/global/header_body_checks.h, src/global/maps.c,
+ src/global/dict_proxy.h, src/util/dict.c, src/util/dict_dbm.h,
+ src/util/dict_fail.h, src/util/dict_db.h, src/util/dict_lmdb.h,
+ src/util/dict_cdb.h, src/util/dict_sdbm.h, src/util/dict.h,
+ src/global/mail_dict.c, src/postalias/postalias.c,
+ src/postmap/postmap.c.
+
+ Portability: variable declaration after code. File:
+ global/compat_level.c.
+
+20220504
+
+ Documentation: dymap_init() description. File:
+ global/dynamicmaps.c.
+
+20220506
+
+ Added an argv_uniq() function to deduplicate same-value
+ adjacent array elements. Added a ton of tests to validate
+ the argv implementation. File: util/argv.c.
+
+ Cleanup: the dict_mapnames() function (used in "postconf
+ -m") now deduplicates dictionary type names. File:
+ util/dict_open.c.
+
+20220507
+
+ Documentation: inverted the paragraph about "known" addresses,
+ in the descriptions of smtpd_reject_unlisted_sender and
+ smtpd_reject_unlisted_recipient. File: proto/postconf.proto.
+
+ Documentation: added the HISTORY file to the pre-release-checks.
+ Files: mantools/check-double-history, mantools/check-spell-history,
+ proto/stop.double-history, proto/stop.spell-history.
+
+ Documentation: added POSTLOG_SERVICE and POSTLOG_HOSTNAME
+ to the import_environment description. File: proto/postconf.proto.
+
+20220509
+
+ Cleanup: the pgsql: client encoding is now configurable
+ with the "encoding" configuration file attribute. The default
+ is "UTF8". Previously the encoding was hard-coded as "LATIN1".
+ Files: global/dict_pgsql,c, proto/pgsql_table.
+
+20220512
+
+ Documentation: in the text for smtpd_reject_unlisted_sender
+ and smtpd_reject_unlisted_recipient, refer to the address
+ class validation in ADDRESS_CLASS_README, instead of repeating
+ that information in postconf(5). File: proto/postconf.proto.
+
+20220515
+
+ Documentation: the text for reject_xxx_sender_login_mismatch
+ was not optimal for clarity. As new features were added
+ over time, they were documented in terms of the existing
+ features. File: proto/postconf.proto.
+
+ Documentation: minor tweaks in ADDRESS_CLASS_README. File:
+ proto/ADDRESS_CLASS_README.html.
+
+20220523
+
+ Documentation: add the Postfix >= 3.7 postlog(1) command
+ to the list of programs that can have set-gid permissions.
+ File: proto/MAILLOG_README.html.
+
+20220527
+
+ Internal documentation: update the timeline annotations of
+ Milter protocol features. File: milter/milter8.c.
+
+ Documentation: edit text for clarity. File:
+ proto/MILTER_README.html.
+
+20220529
+
+ Documentation: Cyrus SASL configuration file location.
+ Viktor Dukhovni. File: proto/SASL_README.html.
+
+20220617
+
+ Cleanup: missing <stdio.h> include was causing a warning
+ on some platform. posttls-finger/posttls-finger.c.
+
+20220620
+
+ Documentation: inet_interfaces and proxy_interfaces
+ descriptions. File: proto/postconf.proto.
+
+
+20220719
+
+ Cleanup: Postfix 3.5.0 introduced debug logging noise in
+ map_search_create(). Files: global/map_search.c,
+ global/map_search.ref.
+
+20220724
+
+ Workaround: in a TLS server disable Postfix's 1-element
+ internal session cache, to work around an OpenSSL 3.0
+ regression that broke TLS handshakes. It is rarely useful.
+ Report by Spil Oss, fix by Viktor Dukhovni. File:
+ tls/tls_server.c.
+
+20220802
+
+ Documentation: in the aliases(5) manpage, more specific
+ pointers to the local(8) manpage sections for delivery to
+ file, command execution, and delivery rights. File:
+ proto/aliases.
+
+20220805
+
+ Feature: "mail_version" attribute in the SMTPD policy
+ protocol, with the value of the "mail_version" configuration
+ parameter. This differs from the "compatibility_level"
+ attribute, because "mail_version" indicates the presence
+ of new features, while "compatibility_level" concerns changes
+ in default settings. Files: global/mail_proto.h,
+ proto/SMTPD_POLICY_README.html, smtpd/smtpd_check.c.
+
+20220808
+
+ Documentation: some Debian releases hard-code the search
+ path for Cyrus SASL application configuration files,
+ overriding the cyrus_sasl_config_path setting. Viktor
+ Dukhovni. File: proto/SASL_README.html.
+
+20220815
+
+ Updated the postscreen_dnsbl_sites documentation, based
+ on questions on the postfix-users mailing list. File:
+ proto/postconf.proto.
+
+20220905
+
+ Cleanup: uninitialized verify_append() request status in case
+ of a null original recipient address. File: global/verify.c.
+
+20220907
+
+ Support for Linux 6.x. Eray Aslan. Files: makedefs,
+ util/sys_defs.h.
+
+20220930
+
+ Documented the use of the JSON LINES format in the postqueue(1)
+ manpage. File: postqueue/postqueue.c.
+
+20221006
+
+ Bugfix (introduced: Postfix 3.7.0). A message could falsely
+ be flagged as corrupt with "warning: Unexpected record type
+ 'X'. Such messages were moved to the "corrupt" queue
+ directory, where they may still be found. See below for
+ instructions to deal with these falsely flagged messages.
+
+ This could happen for messages with 5000 or more recipients,
+ or with fewer recipients on a busy mail server. Problem
+ reported by Frank Brendel, reproduced by John Alex. Files:
+ qmgr/qmgr_message.c, oqmgr/qmgr_message.c.
+
+ A file in the "corrupt" queue directory may be inspected
+ with the command "postcat /var/spool/postfix/corrupt/<filename>.
+ If delivery of the file is still desired, the file can be
+ moved back to /var/spool/postfix/incoming after updating
+ Postfix and executing "postfix reload".
+
+20221007
+
+ Ran "make manpages", updated the change log and release
+ notes for consistency with new stable releases, update
+ pre-release-checks stop filters. Files: RELEASE_NOTES,
+ HISTORY, stop.spell-history, stop.double-history,
+ stop.spell-proto-html, postqueue.1, postqueue.1.html.
+
+20221008
+
+ Cleanup: in the default master.cf file, unconditionally
+ enable header rewriting and missing header insertion, for
+ the submission and smtps services. Dan Mahoney. File
+ conf/master.cf.
+
+20221017
+
+ Robustness: unconditionally disable a CPU resource attack
+ requesting TLS renegotiation. There's no good reason to
+ support this in the middle of an SMTP connection. Viktor
+ Dukhovni. File: tls/tls_misc.c.
+
+20221023
+
+ Documentation: describe limitations of smtpd(8) features
+ that cannot work with smtpd_proxy_filter. File:
+ proto/SMTPD_PROXY_README.html.
+
+ Documentation: the local_header_rewrite_clients and
+ remote_header_rewrite_domain features also enable adding
+ missing headers. File: proto/postconf.proto.
+
+20221125
+
+ Bugfix (introduced: Postfix 3.6): the Postfix TLS client
+ logged a TLS connection as 'Untrusted' instead of 'Trusted',
+ when a matching DANE record was found but the MX RRset was
+ insecure. Fix by Viktor Dukhovni. File: tls/tls_client.c.
+
+20221128
+
+ Bugfix (introduced: Postfix 2.2): the smtpd_proxy_client
+ code mis-parsed the last XFORWARD attribute name in the
+ SMTP server's EHLO response. The result was that the
+ smtpd_proxy_client code failed to forward the IDENT attribute.
+ Fix by Andreas Weigel. File: smtpd/smtpd_proxy.c.
+
+ Typo in MAILLOG_README. Paul Menzel.
+
+20221207
+
+ Workaround: OpenSSL 3.x EVP_get_digestbyname() can return
+ lazily bound handles that may fail to work when one attempts
+ to use them, because no provider search happens until one
+ constructs an actual operation context. In sufficiently
+ hostile configurations, Postfix could mistakenly believe
+ that an algorithm is available, when in fact it is not. A
+ similar workaround may be needed for EVP_get_cipherbyname().
+ Fix by Viktor Dukhovni. Files: tls/tls.h, tls/tls_dane.c,
+ tls/tls_fprint.c, tls/tls_misc.c.
+
+ Bugfix (introduced: Postfix 2.11): the checkok() macro in
+ tls/tls_fprint.c evaluated its argument unconditionally;
+ it should evaluate the argument only if there was no prior
+ error. Found during code review. File: tls/tls_fprint.c.
+
+20221215
+
+ Foolproofing: postscreen segfault with postscreen_dnsbl_threshold
+ < 1. It should reject such input with a fatal error instead.
+ Discovered by Benny Pedersen. File: postscreen/postscreen.c.
+
+ Documentation: replaced instances of '.domain' in some
+ examples; clarified that bcc maps are indexed by envelope
+ address; lmtp_line_length_limit default wasn't updated to
+ 998. File: proto/postconf.proto.
+
+20221227
+
+ Documentation: the mysql_table(5) manpage did not document
+ the tls_ciphers feature that was added in Postfix 2.11.
+ File: proto/mysql_table.
+
+ Cleanup: added a pre-release check that the parameter lists
+ in the proto/*_table documentation match the global/dict*.c
+ implementations. Files: Makefile.in, mantools/check-table-proto
+
+ Documentation: consistent xxxx_table formatting to make
+ parameter documentation easier to match against the
+ corresponding implementation. Files: proto/mysql_table,
+ proto/pgsql_table, proto/ldap_table.
+
+ Typofixes for changes made 20221207. File: tls/tls_fprint.c.
+
+20221228
+
+ Long ago, a committee decided that "grep -E" and "grep -F"
+ are better than "egrep" and "fgrep". This could not be an
+ optimization for ease of use: the new command syntax requires
+ mixed case for common usage, and the new command is longer.
+ To make things better, some implementation now warns when
+ the "obsolete" syntax is used. To address this, all Postfix
+ code and documentation has been converted; a script
+ auxiliary/fix-grep/fix-grep.sh can revert the syntax if you
+ want to build Postfix on an older platform. Files: too many
+ to mention here.
+
+20230101
+
+ Documentation: add text that cidr:, pcre: and regexp: tables
+ support inline specification only in Postfix 3.7 and later.
+ Files: proto/cidr_table, proto/pcre_table, proto/regexp_table.
+
+20230102
+
+ Cleanup: in internal documentation, text about DHE was under
+ the corresponding ECDHE function. Viktor Dukhovni. File:
+ tls/tls_dh.c.
+
+20230103
+
+ Bugfix (introduced: Postfix 2.7): the verify daemon logged
+ a garbled cache name when terminating a cache scan in
+ progress. Reported by Phil Biggs, fix by Viktor Dukhovni.
+ File: util/dict_cache.c.
+
+20230104
+
+ Feature: configuration parameter tls_ffdhe_auto_groups for
+ FFDHE support in TLS 1.3 with OpenSSL 3.0. Viktor Dukhovni.
+ Files: mantools/postlink, proto/FORWARD_SECRECY_README.html,
+ proto/postconf.proto, src/tlsproxy/tlsproxy.c, src/smtpd/smtpd.c,
+ src/tls/tls.h, src/tls/tls_proxy_client_misc.c, src/tls/tls_misc.c,
+ src/tls/tls_dh.c, src/tls/tls_proxy_client_scan.c,
+ src/tls/tls_server.c, src/tls/tls_client.c,
+ src/tls/tls_proxy_client_print.c, src/tls/tls_proxy.h,
+ src/global/mail_params.h, src/smtp/smtp.c.
+
+ Documentation: remove text for behavior that is no longer
+ implemented in Postfix or in other relevant systems. Viktor
+ Dukhovni. File: proto/FORWARD_SECRECY_README.html.
+
+ Bitrot: fixes for linker warnings from newer Darwin (MacOS)
+ versions. Viktor Dukhovni. File: makedefs.
+
+20230108
+
+ Minor wordsmithing. Files: text in proto/postconf.proto,
+ warning message tls.tls_dh.c.
+
+20230115
+
+ Workaround for a breaking change in OpenSSL 3: always turn
+ on SSL_OP_IGNORE_UNEXPECTED_EOF, to avoid warning messages
+ and missed opportunities for TLS session reuse. This is
+ safe because the SMTP protocol implements application-level
+ framing, and is therefore not affected by TLS truncation
+ attacks. Fix by Viktor Dukhovni. Files: tls/tls.h, tls_client.c,
+ tls/tls_server.c.
+
+20230121
+
+ Documentation: describe when Postfix and Milters inspect
+ SMTP commands or header/body content. File:
+ proto/MILTER_README.html.
+
+20230127
+
+ Bugfix (introduced: Postfix 3.4): the posttls-finger command
+ failed to detect that a connection was resumed in the case
+ that a server did not return a certificate. Viktor Dukhovni.
+ File: posttls-finger/posttls-finger.c.
+
+ Workaround: OpenSSL 3.x EVP_get_cipherbyname() can return
+ lazily-bound handles. Postfix now checks that the expected
+ functionality will be available instead of failing later.
+ Fix by Viktor Dukhovni. File: tls/tls_server.c.
+
+ Portability: MacOS support for the postfix-env.sh test
+ script.
+
+20230129
+
+ Documentation: in the postconf(5) manpage, the text for
+ append_dot_mydomain described old default behavior. File:
+ proto/postconf.proto.
+
+ Documentation: in the smtpd(8) manpage, the text for the
+ info_log_address_format parameter was in the wrong place.
+ File: smtpd/smtpd.c.
+
+20230202
+
+ Documentation: fixed a broken HTML tag in SASL_README.html.
+
+20230209
+
+ Cleanup: noise suppression for resolver-related macros.
+ Viktor Dukhovni. Files: dns/dns_str_resflags.c, util/sys_defs.h.
+
+20230212
+
+ Cleanup: valgrind complained about uninitialized padding.
+ File: util/unix_send_fd.c
+
+20230213
+
+ Feature: SRV lookup support in the Postfix SMTP/LMTP client.
+ See https://www.postfix.org/postconf.5.html#use_srv_lookup.
+ Based on code by Tomas Korbar (Red Hat). Files: proto/stop,
+ proto/stop.spell-proto-html, dns/dns.h, dns/dns_lookup.c,
+ dns/dns_rr.c, dns/dns_sa_to_rr.c, dns/dns_strrecord.c,
+ dns/dns_strtype.c, global/mail_params.h, smtp/lmtp_params.c,
+ smtp/smtp_addr.c, smtp/smtp_addr.h, smtp/smtp.c,
+ smtp/smtp_connect.c, smtp/smtp.h, smtp/smtp_params.c,
+ smtp/smtp_session.c, smtpd/smtpd_check.c, util/attr.h,
+ util/unix_send_fd.c, mantools/postlink, proto/postconf.proto.
+
+20230214
+
+ SRV lookup: propagate preference and port information when
+ converting a numerical hostname to IP address. File:
+ smtp/smtp_addr.c.
+
+ SRV lookup: add SRV support to the posttls-finger command.
+ File: posttls-finger/posttls-finger.c.
+
+ SRV lookup: updated documentation examples. File:
+ proto/postconf.proto.
+
+20230219
+
+ Code health: replaced a proliferation of 'bare' zero arguments
+ with named constants: DNS_RR_NOPREF, DNS_RR_NOWEIGHT,
+ DNS_RR_NOPORT, and added convenience wrappers for
+ dns_rr_create(), to simplify code that needs to specify
+ only a subset of all arguments. Files: src/dns/dns.h,
+ src/dns/dns_rr_eq_sa.c, src/dns/dns_sa_to_rr.c,
+ src/smtpd/smtpd_check.c.
+
+ Code health: updated internal documentation. Files:
+ dns/dns_rr.c, smtp/smtp_connect.c.
+
+ Compatibility: downgraded some modernisms to avoid breaking
+ builds on older test systems. File: dns/dns_rr.c.
+
+ Code health: simplified the SRV record priority grouping
+ and record ordering code. Eliminated some special-case
+ handling of zero-weight records (that was already started
+ in the initial implementation). File: dns/dns_rr.c.
+
+20230224
+
+ Documentation fix (error introduced: Postfix 2.7): In a
+ "make makefiles" example in SASL_README, a backslash-newline
+ inside single quotes produced a broken Makefile. Problem
+ reported by James Brown (Bordo International). Updated "make
+ makefiles" examples, replacing single quotes with double
+ quotes, and inside those quotes replacing \" with \\\" to
+ protect a string-valued macro definition. Files:
+ proto/INSTALL.html, proto/MYSQL_README.html,
+ proto/PGSQL_README.html, proto/postconf.proto,
+ proto/SASL_README.html, proto/SQLITE_README.html.
+
+20230303
+
+ Cleanup: Postfix TLS configuration. Treat "export" and "low"
+ cipher grades as "medium", and ignore "export" and "low"
+ cipherlist settings. These grades are no longer supported
+ in OpenSSL 1.1.1, the minimum version that Postfix requires.
+ Also, update Postfix default settings to exclude the following
+ deprecated or unused ciphers (SEED, IDEA, 3DES, RC2, RC4,
+ RC5), digest (MD5), key exchange algorithms (DH, ECDH), and
+ public key algorithm (DSS). Viktor Dukhovni. Files:
+ proto/postconf.proto, global/mail_params.h, smtp/smtp.c,
+ smtpd/smtpd.c, tls/tls_misc.c, tls/tls_proxy_client_misc.c,
+ tls/tls_proxy_client_print.c, tls/tls_proxy_client_scan.c,
+ tls/tls_proxy.h, tlsproxy/tlsproxy.c.
+
+20230308
+
+ Documentation: basic style sheet. Files: conf/postfix-files,
+ html/postfix-doc.css, mantools/make_soho_readme,
+ mantools/makemanidx, mantools/man2html, proto/[A-Z]*.html,
+ proto/postconf.html.prolog.
+
+ Cleanup: the postfix(1) and postlog(1) commands now produce
+ stderr output even when stderr is not connected to a terminal.
+ This eliminates an inconsistency, and makes these programs
+ easier to use in some automated procedures. The canonical
+ example is to capture output from "postmulti -p status" to
+ figure out which instances are or are not running. Files:
+ postfix/postfix.c, postlog/postlog.c.
+
+20230209
+
+ Cleanup: in smtp_service_addr() refined the loop detection
+ code for SRV lookup. File: smtp/smtp_addr.c.
+
+ Cleanup: renamed macros with invisible side effects and
+ implicit inputs to upper case. Verified that the compiled
+ code did not change. File: tls_fprint.c.
+
+20230310
+
+ Cleanup: the milter header/body checks logged less text (up
+ to 60 bytes) than the 'original' header/body checks (up to
+ 200 bytes). Problem reported by Aleksandr Stankevic. Fixed
+ the same inconsistency in the Postfix SMTP client. Files:
+ cleanup/cleanup_milter.c, smtp/smtp_proto.c.
+
+20230311
+
+ Hardening: the Postfix SMTP server can now aggregate
+ smtpd_client_*_rate and smtpd_client_*_count statistics by
+ network block, as specified with smtpd_client_ipv4_prefix_length
+ (default 32, no aggregation) and smtpd_client_ipv6_prefix_length
+ (default 72, aggregation by /72 network blocks). The latter
+ raises the bar for a memory exhaustion attack. Files:
+ util/inet_prefix_top.[hc], smtpd/smtpd.c, smtpd/smtpd_peer.c,
+ mantools/postlink, proto/postconf.proto.
+
+20230313
+
+ Factored out a function that may be generally useful, and
+ made a vstring_alloc() argument more precise to avoid memory
+ reallocation. Files: util/inet_prefix_top.c,
+ util/inet_addr_sizes.[hc].
+
+20230314
+
+ Bugfix (introduced: Postfix 3.5): check_ccert_access did
+ not parse inline map specifications. Report and fix by
+ Sean Gallagher. File: global/map_search.c.
+
+ Cleanup: don't do smtpd_client_*_rate and smtpd_client_*_count
+ address range computations when "/usr/sbin/sendmail -bs"
+ is not talking to a network client. File: smtpd/smtpd_peer.c.
+
+ Cleanup: renamed net_mask_top.* to inet_prefix_top.*.
+
+ Cleanup: updated unit tests. Files: smtpd/smtpd_check.c,
+ smtpd/smtpd_server.in, smtpd/smtpd_server.ref.
+
+ Increased the smtpd_client_ipv6_prefix_length to 84 bits,
+ which should prevent anvil exhaustion attacks from a typical
+ /64 consumer network, without penalizing legitimate usage.
+
+20230319
+
+ Shut up a compiler waning triggered by an extreme setting.
+ File: smtp/smtp.h.
+
+20230328
+
+ Cleanup: replaced ``argv_split_append(x, y, "")'' with
+ ``argv_add(x, y, , ARGV_END)'', in two places. File:
+ posttls-finger/posttls-finger.c.
+
+20230330
+
+ Safety: the long form { name = value } in import_environment
+ or export_environment is not documented, but it is accepted,
+ and it was stored in the process environment as the invalid
+ form "name = value, thus not setting or overriding an entry
+ for "name". This form is now stored as the expected
+ "name=value". Found during code maintenance. Also refined
+ the "missing attribute name" detection. Files: clean_env.c,
+ split_nameval.c.
+
+20230402
+
+ Cleanup: changed the DNS_RR data structure so that it remains
+ ABI-compatible when new fields are added at the end. This
+ avoids crashing programs that are started while Postfix is
+ being updated. However, *this* specific change cannot be
+ ABI-compatible. Files: dns/dns_rr.c.
+
+ Cleanup: added missing Valgrind test support. Files:
+ dns/Makefile.in, util/Makefile.in.
+
+ Documentation: fixed a `whitelist' instance in the postscreen(8)
+ manpage. File: postscreen/postscreen.c.
+
+ Cleanup: support for multiline entities in match lists, for
+ example, inline maps. Added Valgrind support to the namadr_list
+ unit test. Files: util/match_list.c, global/namadr_list.in,
+ util/Makefile.in.
+
+20240406
+
+ Bugfix (introduced: 20230402): after a change in the DNS_RR
+ structure, the dns_rr_copy() function had not been updated,
+ causing the Postfix SMTP client to panic as it detected a
+ double-free() attempt. Reported by Florian Piekert. File:
+ dns/dns_rr.c.
+
+ Usability: The postconf command now warns for trailing
+ comments in Postfix parameter values. Also refactored comment
+ warnings in match lists. Files: util/mystrtok.c,
+ util/mystrtok.ref, util/match_list.c, global/namadr_list.ref,
+ postconf/postconf_dbms.c, postconf/test71.ref.
+
+ Cleanup: some postconf warnings did not include the full
+ main.cf or master.cf pathname, complicating the analysis
+ of multi-instance configurations. Also refactored ad-hoc
+ code that computed full main.cf or master.cf pathnames.
+ Files: postconf/postconf.h, postconf/postconf_dbms.c,
+ postconf/postconf_edit.c, postconf/postconf_main.c,
+ postconf/postconf_master.c, postconf/postconf_misc.c.
+
+ Cleanup: eliminated unused libdns dependencies. Files:
+ postlogd/Makefile.in.
+
+ Cleanup: added inet_prefix_top() tests. File:
+ util/inet_prefix_top.c.
+
+20230413
+
+ Cleanup: in postconf source, removed redundant pcf_set_config_dir()
+ calls as these are made automatically when a config file
+ pathname cache is queried. Files: postconf/postconf_edit.c,
+ postconf/postconf_main.c, postconf/postconf_master.c.
+
+ Cleanup: in source-code comments, replaced redundant (and
+ sometimes incomplete) lookup table configuration info with
+ a reference to the corresponding *_table(5) manpage.
+
+20230418
+
+ Bugfix defect (introduced: Postfix 3.2): the MySQL client
+ could return "not found" instead of "error" (for example,
+ resulting in a 5XX SMTP status instead of 4XX) during the
+ time that all MySQL server connections were turned down
+ after error. Found during code maintenance. File:
+ global/dict_mysql.c.
+
+20230428
+
+ Bugfix (defect introduced: Postfix 1.0): the command "postconf
+ .. name=v1 .. name=v2 .." (multiple instances of the same
+ parameter name) created multiple name=value entries with
+ the same parameter name. It now logs a warning and skips
+ the earlier update. Found during code maintenance. File:
+ postconf/postconf_edit.c
+
+ Bugfix (defect introduced: Postfix 3.3): the command "postconf
+ -M name1/type1='name2 type2 ...'" died with a segmentation
+ violation when the request matched multiple master.cf
+ entries. The master.cf file was not damaged. Problem reported
+ by SATOH Fumiyasu. File: postconf/postconf_master.c.
+
+20230502
+
+ Bugfix (defect introduced: Postfix 2.11): the command
+ "postconf -M name1/type1='name2 type2 ...'" could add a
+ service definition to master.cf that conflicted with an
+ already existing service definition. It now replaces all
+ existing service definitions that match the service pattern
+ 'name1/type1' or the service name and type in 'name2 type2
+ ...' with a single service definition 'name2 type2 ...'.
+ Problem reported by SATOH Fumiyasu. File: postconf/postconf_edit.c.
+
+20230517
+
+ Bugfix (defect introduced: Postfix 3.8) the posttls-finger
+ command could access uninitialized memory when reconnecting.
+ This also fixes a warning message when a destination contains
+ ":service" information. Reported by Thomas Korbar. File:
+ posttls-finger/posttls-finger.c.
+
+20230519
+
+ Bitrot: preliminary support for OpenSSL configuration files,
+ primarily OpenSSL 1.1.1b and later. This introduces new
+ parameters "tls_config_file" and "tls_config_name", which
+ can be used to limit collateral damage from OS distributions
+ that crank up security to 11, increasing the number of
+ plaintext email deliveries. Details are in the postconf(5)
+ manpage under "tls_config_file" and "tls_config_name".
+ Viktor Dukhovni. Files: mantools/postlink, proto/postconf.proto,
+ global/mail_params.h, posttls-finger/posttls-finger.c,
+ smtp/smtp.c, smtp/smtp_proto.c, tls/tls_client.c, tls/tls.h,
+ tls/tls_misc.c, tls/tls_proxy_client_print.c,
+ tls/tls_proxy_client_scan.c, tls/tls_proxy.h, tls/tls_server.c,
+ tlsproxy/tlsproxy.c.
+
+20230523
+
+ Cleanup: use TLS_CLIENT_PARAMS to pass the OpensSSL 'init'
+ configurations. This information is independent from the
+ client or server TLS context, and therefore does not belong
+ in tls_*_init() or tls_*_start() calls. The tlsproxy(8)
+ server uses TLS_CLIENT_PARAMS to report differences between
+ its own global TLS settings, and those from its clients.
+ Files: posttls-finger/posttls-finger.c, smtp/smtp.c,
+ smtp/smtp_proto.c, tls/tls.h, tls/tls_proxy_client_misc.c,
+ tls/tls_proxy_client_print.c, tls/tls_proxy_client_scan.c,
+ tls/tls_proxy.h, tlsproxy/tlsproxy.c.
+
+20230524
+
+ Cleanup: reverted cosmetic-only changes to minimize the
+ patch footprint for OpenSSL INI file support; updated daemon
+ manpages with the new tls_config_file and tls_config_name
+ configuration parameters. Files: smtp/smtp.c, smtpd/smtpd.c,
+ tls/tls_client.c, tls/tls.h, tls/tls_server.c, tlsproxy/tlsproxy.c,
+
+20230529
+
+ Cleanup: made OpenSSL 'default' INI file support error
+ handling consistent with OpenSSL default behavior. Viktor
+ Dukhovni. Files: proto/postconf.proto, tls/tls_misc.c.
+
+20230602
+
+ Backwards compatibility for stable releases that originally
+ had no OpenSSL INI support. Skip the new OpenSSL INI support
+ code, unless the Postfix configuration actually specifies
+ non-default tls_config_xxx settings. File: tls/tls_misc.c.
+
+ Cleanup: added a multiple initialization guard in the
+ tls_library_init() function, and made an initialization
+ error sticky. File: tls/tls_misc.c.
+
+20230605
+
+ Security: new parameter smtpd_forbid_unauth_pipelining
+ (default: no) to disconnect remote SMTP clients that violate
+ RFC 2920 (or 5321) command pipelining constraints. Files:
+ global/mail_params.h, smtpd/smtpd.c, proto/postconf.proto.
+
+20230815
+
+ Bugfix (bug introduced: 20140218): when opportunistic TLS fails
+ during or after the handshake, don't require that a probe
+ message spent a minimum time-in-queue before falling back to
+ plaintext. Problem reported by Serg. File: smtp/smtp.h.
+
+20230819
+
+ Bugfix (defect introduced: 19980207): the valid_hostname()
+ check in the Postfix DNS client library was blocking unusual
+ but legitimate wildcard names (*.name) in some DNS lookup
+ results and lookup requests. Examples:
+
+ name class/type value
+ *.one.example IN CNAME *.other.example
+ *.other.example IN A 10.0.0.1
+ *.other.example IN TLSA ..certificate info...
+
+ Such syntax is blesed in RFC 1034 section 4.3.3.
+
+ This problem was reported first in the context of TLSA
+ record lookups. Files: util/valid_hostname.[hc],
+ dns/dns_lookup.c.
+
+20230929
+
+ Bugfix (defect introduced Postfix 2.5, 20080104): the Postfix
+ SMTP server was waiting for a client command instead of
+ replying immediately, after a client certificate verification
+ error in TLS wrappermode. Reported by Andreas Kinzler. File:
+ smtpd/smtpd.c.
+
+20231006
+
+ Usability: the Postfix SMTP server now attempts to log the
+ SASL username after authentication failure. In Postfix
+ logging, this appends ", sasl_username=xxx" after the reason
+ for SASL authentication failure. The logging replaces an
+ unavailable reason with "(reason unavailable)", and replaces
+ an unavailable sasl_username with "(unavailable)". Based
+ on code by Jozsef Kadlecsik. Files: xsasl/xsasl_server.c,
+ xsasl/xsasl_cyrus_server.c, smtpd/smtpd_sasl_glue.c.
+
+20231026
+
+ Bugfix (defect introduced: Postfix 2.11): in forward_path,
+ the expression ${recipient_delimiter} would expand to an
+ empty string when a recipient address had no recipient
+ delimiter. Fixed by restoring Postfix 2.10 behavior to use
+ a configured recipient delimiter value. Reported by Tod
+ A. Sandman. Files: proto/postconf.proto, local/local_expand.c.
+
+20240109
+
+ Security (outbound SMTP smuggling): with the default setting
+ "cleanup_replace_stray_cr_lf = yes" Postfix will replace
+ stray <CR> or <LF> characters in message content with a
+ space character. This prevents Postfix from enabling
+ outbound (remote) SMTP smuggling, and it also makes evaluation
+ of Postfix-added DKIM etc. signatures independent from how
+ a remote mail server handles stray <CR> or <LF> characters.
+ Files: global/mail_params.h, cleanup/cleanup.c,
+ cleanup/cleanup_message.c, mantools/postlink, proto/postconf.proto.
+
+20240112
+
+ Security (inbound SMTP smuggling): with "smtpd_forbid_bare_newline
+ = normalize" (default "no" for Postfix < 3.9), the Postfix
+ SMTP server requires the standard End-of-DATA sequence
+ <CR><LF>.<CR><LF>, and otherwise allows command or message
+ content lines ending in the non-standard <LF>, processing
+ them as if the client sent the standard <CR><LF>.
+
+ The alternative setting, "smtpd_forbid_bare_newline = reject"
+ will reject any command or message that contains a bare
+ <LF>, and is more likely to cause problems with legitimate
+ clients.
+
+ For backwards compatibility, local clients are excluded by
+ default with "smtpd_forbid_bare_newline_exclusions =
+ $mynetworks".
+
+ Files: mantools/postlink, proto/postconf.proto,
+ global/mail_params.h, global/smtp_stream.c, global/smtp_stream.h,
+ smtpd/smtpd.c, smtpd/smtpd_check.[hc].