diff options
Diffstat (limited to 'HISTORY')
-rw-r--r-- | HISTORY | 27248 |
1 files changed, 27248 insertions, 0 deletions
@@ -0,0 +1,27248 @@ +In addition to the names listed below, the following people provided +useful inputs on many occasions: Paul D. Robertson, Simon J. Mudd. +Apologies for any names omitted. + +19980105 + + The compiled-in default value for resolve_smtp_sender was + wrong (from the days that it was a boolean), causing smtpd + to dump core when the variable was not set in main.cf. + + The INSTALL instructions now have separate sections for + the three basic ways of running vmailer. + + The INSTALL instructions now have discusses how to deal + with chrooted processes. + + Ported to RedHat 5.0. My, these people have re-organized + their include files quite a bit, haven't they. + +19980106 + + On RedHat Linux 4.2/5.0, when a FIFO listener opens the + FIFO with mode O_RDONLY, the FIFO remains forever readable + after the writer has closed it. Workaround: open the FIFO + mode O_RDWR. + + Test program: util/fifo_rdonly_bug.c + + Unfortunately, the above fix triggers a bug on BSD/OS 3.1 + where opening the FIFO mode O_RDWR causes select() to claim + that the FIFO is readable even before any data is written + to it, causing read() to block or to fail. + + Test program: util/fifo_rdwr_bug.c + + printfck (check arguments of printf-like function calls) + found a missing argument in local/command.c + + Miscellaneous Makefile cleanups that I didn't finish before + the first alpha release. + +19980107 + + Sometimes the DNS will claim that a domain does not exist, + when in fact it does. Thus, it is a bad idea to reject mail + from apparently non-existent domains. I have changed the + smtpd so that it produces a soft error responses when a + resolve_smtp_sender test fails with HOST_NOT_FOUND. Note: + by default, this test is still disabled. + + The DB and DBM read routines will now automagically figure + out if (key, value) pairs were written including a terminating + null byte or not. The DB and DBM write routines will use + this result to determine how to write, and will fall back + to per-system defaults otherwise. + + Renamed the README to MUSINGS, and wrote up a README that + reflects the current status of the software. + + Added -d (don't disconnect) and -c (show running counter) + option to te smtp-source test program. These tools are + great torture tests for the mail software, and for the + system that it runs on. + + Turned down the process_limit parameter (# of parallel smtp + clients or servers) to avoid unpleasant surprises. You can + crank up the process_limit parameter in main.cf. + +19980111 + + Feature: when run by the superuser, mailq now shows the + mail queue even when the mail system is down. To this end, + mailq (sendmail -bp) runs the showq program directly instead + of connecting to the UNIX-domain service socket, and drops + privileges etc. as usual. + +19980119 + + Bugfix: Edwin Kremer spotted an oversight in the negated + host matching code (for name or address patterns prefixed + by !). + + Bugfix: upon receipt of a SIGHUP signal, the master now + disconnects from its child processes, so that the current + generation of child processes commits suicide, and so that + the next generation of child processes will use the new + configuration settings. + + Bugfix: the smtp server now skips the sender DNS domain + lookup test for foo@[address] + + Bugfix: don't append the local domain to foo@[address] + +19980120 + + Bugfix: old low-priority bug in some list walk code that + caused the master to drop core when a service was turned + off in master.cf. + + Robustness: the mail system should be able to start up and + to accept local postings even while the naming service is + down. For this reason, the mail system no longer uses + gethostbyname() to look up its own machine name. Sites + that use short hostnames will have to specify their FQDN + in main.cf (this will eventually be done by the system + installation/configuration procedure). Should the config + language support backticks so one can say `domainname`? + What about $name stuff between the backtics? + + Security: the master now creates FIFOs and UNIX-domain + sockets as the mail owner instead of as root, for better + protection against subverted mail systems. chmod() is + susceptible to race conditions. fchmod(), although safer, + often does not work on sockets. + + Portability: anticipate that all major UNIXes will create + UNIX-domain sockets with permissions modified by the process + umask (required by POSIX). For this reason, we always + chmod() UNIX-domain sockets, unless the system allows us + to use the safer fchmod() instead. + + Portability: the semi-resident servers now properly handle + EWOULDBLOCK returns from accept() in addition to EGAIN + (on some systems, EAGAIN and EWOULDBLOCK have different + values). + + Bugfix: the semi-resident servers now properly handle EINTR + returns From accept(). + + Bugfix: Edwin Kremer found that mynetworks() would compute + (32 - mask) instead of mask. + +19980121 + + Feature: /etc/vmailer/relocated is used by the local delivery + program and specifies what mail should be bounced with a + "user has moved to XXX" message. The main.cf configuration + parameter is "relocated_maps". Just like the "virtual_maps" + config parameter, this feature is off by default, and the + parameter can have values such as "files" or "files, nis" + (on hosts equipped with NIS). + +19980123 + + Cleanup: virtual domain support moved from the queue manager + to the resolve service, where it belongs. + + Feature: /etc/vmailer/canonical is used by the rewrite + service for all addresses, and maps a canonical address + (user@domain) to another address. Typical use is to generate + Firstname.Lastname@domain addresses, or to clean up dirty + addresses from non-RFC 822 mail systems. The main.cf + configuration parameter is "canonical_maps". Just like + the "virtual_maps" config parameter, this feature is off + by default, and the parameter can have values such as + "files" or "files, nis" (on hosts equipped with NIS). + +19980124 + + HPUX10 port and many little fixes from Pieter Schoenmakers. + + Bugfix: isolated an old mysterious bug that could make the + master deaf for new connections while no child process was + running. A typical result was that no pickup daemon would + be started after the previous one had terminated voluntarily. + + Bugfix: the NIS lookup code did not mystrdup() the NIS map + name and would access free()d memory. + +19980125 + + Bugfix: the vstream routines would sometimes ignore flushing + errors. The error would still be reported by vstream_fclose() + and vstream_ferror(). + + Feature: time limit on delivery to shell commands. Config + parameter: command_time_limit. Default value: 100 sec. The + idea is to prevent one bad .forward file or alias file + entry from slowly using up all local delivery process slots. + +19980126 + + Code cleanup: in preparation for SMTP extensions such as + SIZE, allow an extended SMTP command to have a variable + number of options. + +19980127 + + Bugfix: moved canonical map lookups away from the rewriting + module to the cleanup service, so that canonical map lookups + do not interfere with address rewriting on behalf of other + programs. Back to an older trivial-rewrite program version. + + Bugfix: moved virtual map lookups away from the resolver + back to the queue manager, so that virtual domain lookup + does not interfere with address resolution on behalf of + other programs. Back to an older qmgr program version. + +19980131 + + Feature: integrated and adapted Guido van Rooij's SIZE + option (RFC 1870), carefully avoiding potential problems + due to overflow (by multiplying large numbers) or unsigned + underflow (by subtracting numbers). + + Code cleanup: cleaned up the code that parses the server + response to the HELO/EHLO command, so that we can more + reliably recognize what options a server supports. + +19980201 + + Portability: integrated the IRIX 6 port by Oved Ben-Aroya. + + Portability: the software now figures out by itself if a + server should open its FIFO read-write or read-only, to + avoid getting stuck with a FIFO that stays readable forever. + + Bugfix: the cleanup service would terminate with a fatal + vstream_fseek() error when the queue file was too large. + + Bugfix: the cleanup service could be killed by a signal + when the queue file became too large. + +19980203 + + Portability: some systems have statfs(), some have statvfs(), + and the relevant include files are in a different place on + almost every system. + + Portability: the makedefs script now nukes the -O compiler + flag when building on AIX with IBM's own compiler... + +19980204 + + Portability: HP-UX 9.x support by Pieter Schoenmakers. + + Portability: added SYSV-style ulimit() file size limit + support for HP-UX 9.x. + + Portability: added some #includes that appeared to be + missing according to the Digital UNIX cc compiler. + + Bugfix: sys_defs.h now correctly specifies NIS support for + LINUX2, HPUX9 and HPUX10. + + Security: fixed a file descriptor leak in the local delivery + agent that could give shell commands access to the VMailer + IPC streams. This should not cause a vulnerability, given + the design and implementation of the mailer, but it would + be like asking for trouble. + + Bugfix: the sendmail -B (body type) option did not take a + value. + +19980205 + + Bugfix (SUNOS5): should not have deleted the SVID_GETTOD + definition from util/sys_defs.h. + + Bugfix (HPUX9): forgot to specify whether to use statfs() + or statvfs(). + + Bugfix (HPUX9): don't try to raise the file size ulimit. + + Bugfix (HPUX9): must specify file size limit in 512-blocks. + +19980207 + + Robustness: the master process now raises the file size + limit when it is started with a limit that is less than + VMailer's file size limit. File: util/file_limit.c. + + Security: the dns lookup routines now screen all result + names with valid_hostname(). Bad names are treated as + transient errors. + + Feature: qmail compatibility: when the home_mailbox parameter + is set, mail is delivered to ~/$home_mailbox instead of to + /var[/spool]/mail/username. This hopefully makes it easier + to lure people away from qmail :-) + + Robustness: several testers by accident configured relayhost + the same as myhostname. The programs now explicitly check + for this mistake. + + Bugfix: deliver_request_read() would free unallocated memory + when it received an incomplete delivery request from the + queue manager. + + Robustness: local_destination_concurrency=1 prevents parallel + delivery to the same user (with possibly disastrous effects + when that user has an expensive pipeline in the .forward + or procmail config file). Each transport can have its own + XXX_destination_concurrency parameter, to limit the number + of simultaneous deliveries to the same destination. + +19980208 + + Robustness: added "slow open" mode, to gradually increase + the number of simultaneous connections to the same site as + long as delivery succeeds, and to gradually decrease the + number of connections while delivery fails. Brad Knowles + provided the inspiration to do this. + + This also solves the "thundering herd" problem (making a + bunch of connections to a dead host when it was time to + retry that host). Let's see when other mailers fix this. + + Feature: Added $smtpd_banner and $mail_version, for those + who want to show the world what software version they are + running. + + Bugfix: vmailer-script now properly labels each syslog + entry. + +19980210 + + Portability: merged in NEXTSTEP 3 port from Pieter Schoenmakers + + Bugfix: the local delivery program now checks that a + destination is a regular file before locking it. + +19980211 + + Robustness: the local delivery agent sets HOME, LOGNAME, + and SHELL when delivering to a user shell command. PATH is + always set, and TZ is passed through if it is set. + +19980212 + + Feature: mailq (sendmail -bp) now also lists the maildrop + queue (with mail that hasn't been picked up yet). + +19980213 + + Feature: the smtpd now says: 502 HELP not implemented. This + should impress the heck out of the competition :-) + +19980214 + + Feature: local delivery to configurable system-wide command + (e.g. procmail) avoids the need for per-user ~/.forward + shell commands. Config parameter: mailbox_command. + +19980215 + + Performance: avoid running a shell when a command contains + no shell magic characters or built-in shell commands. This + speeds up delivery to all commands. File: util/exec_command.c. + + Bugfix: the local delivery agent, after reading EOF from + a child process, now sends SIGKILL only when the child does + not terminate within a limited amount of time. This avoids + some problems with procmail. File: util/timed_wait.c. + +19980217 + + Portability: folded in NetInfo support from Pieter + Schoenmakers. + +19980218 + + Feature: new vmlock command to run a command while keeping + an exclusive lock on a mailbox. + + Feature: with "recipient_delimiter = +", mail for local + address "user+foo" is delivered to "foo", with a "Delivered-To: + user+foo@domain" message header. Files: qmgr/qmgr_message.c, + local/recipient.c. This must be the cheapest feature. + +19980219 + + Code cleanup: moved error handling into functions that + should always succeed (non_blocking(), close_on_exec()). + +19980223 + + Bugfix: null pointer bug in the cleanup program after + processing a From: header with no mail address (or with + only a comment). + +19980226 + + Robustness: now detects when getpwnam() returns a name that + differs from the requested name. + + Feature: Added %p support to the vbuf_print formatting + module. + + Code cleanup: revamped the alias/include/.forward loop + detection and duplicate suppression code in the local + delivery agent. This must be the fourth iteration, and + again the code has been simplified. + +19980228 + + Robustness: don't treat anything starting with whitespace + as a header record. Instead, explicitly test for leading + whitespace where we permit it. Files: global/is_header.c, + bounce/bounce_flush_service.c, local/delivered.c. + +19980301 + + Compatibility: the sendmail program now accepts the -N + command-line option (delivery status notification) but + ignores it entirely, just like many other sendmail options. + + Bugfix: dns_lookup.c was too conservative with buffer sizes + and would incorrectly report "malformed name server reply". + +19980302 + + Bugfix: the local delivery agent was not null-byte clean. + +19980307 + + Feature: integrated Pieter Schoenmaker's code for transport + lookup tables that list (transport, nexthop) by destination. + +19980309 + + Bugfix: delivery agents no longer rename corrupt queue + files, because programs might fall over each other doing + so. Instead, when a delivery agent detects queue file + corruption, it chmods the queue file, simulates a soft + error, and lets the queue manager take care of the problem. + + Bugfix: the SMTP server implemented VRFY incorrectly. + + Feature: first shot at a pipe mailer, which can be used to + extend VMailer with external mail transports such as UUCP + (provided that the remote site understands domain addressing, + because VMailer version 1 does not rewrite addresses). + + Cleanup: extended the master/child interface so that the + service name (from master.cf) is passed on to the child. + The pipe mailer needs the service name so it can look up + service-specific configuration parameters (privilege level, + recipient limit, time limit, and so on). + +19980310-12 + + Cleanup: factored out the pipe_command() code, so it can + be shared between pipe mailer and local delivery agent. + +19980314 + + Compatibility: the sendmail program now parses each + command-line recipient as if it were an RFC 822 message + header; some MUAs specify comma-separated recipients in a + command-line argument; and some MUAs even specify "word + word <address>" forms as command-line arguments. + +19980315 + + Bugfix: VMailer's queue processing randomization wasn't + adequate for unloaded systems with small backlogs. + + Bugfix: smtpd now uses double-buffered stream I/O to prevent + loss of input sent ahead of responses. + +19980316 + + Bugfix: the smtpd anti-relay code didn't treat all hosts + listed in $mydestinations as local, so it would accept mail + only for hosts listed in $relay_domains (default: my own + domain). + + Bugfix: smtpd now replies with 502 when given an unknown + command. + +19980318 + + Cleanup: resolve/rewrite clients now automatically disconnect + after a configurable amount of idle time (ipc_idle). + +19980322 + + Tolerance: VRFY now permits user@domain, even though the + RFC requires that special characters such as @ be escaped. + +19980325 + + Bugfix: a recipient delimiter of "-" could interfere with + special addresses such as owner-xxx or double-bounce. + + Tolerance: the SMTP client now permits blank lines in SMTP + server responses. + + Tolerance: the SMTP client now falls back to SMTP when it + apparently mistook an SMTP server as ESMTP capable. + + Bugfix: eliminated strtok() calls in favor of mystrtok(). + Symptom: master.cf parsing would break if $inet_interfaces + was more than one word. + +19980328 + + Bugfix: user->addr patterns in canonical and virtual tables + matched only $myorigin, not hosts listed in $mydestination + or addresses listed in $inet_interfaces. The man pages + were wrong too. File: global/addr_match.c. + +19980401 + + Robustness: FIFO file permissions now default to 0622. On + some systems, opening a FIFO read-only could deafen the + pickup daemon. Only the listener end (which is opened as + root) needs read access anyway, so there should not be a + loss of functionality by making FIFOs non-readable for + non-mail processes. + +19980402 + + Compatibility: sendmail -I and -c options added. + +19980403 + + Feature: virtual lookups are now recursive. File: + qmgr/qmgr_message.c + +19980405 + + Implemented sendmail -bs (stand-alone) mode. This mode runs + as the user and therefore deposits into the maildrop queue. + +19980406 + + The pickup service now removes malformed maildrop files. + +19980407 + + The pickup service now guards against maildrop files with + time stamps dated into the future. + +19980408 + + Bugfix: in the canonical and virtual maps, foo->address + would match foo@$myorigin only. This has been fixed to also + match hosts listed in main.cf:$mydestination and the + addresses listed in main.cf:$inet_interfaces. + + Bugfix: added double buffering support to the VMailer SMTP + server. This makes the SMTP server robust against SMTP + clients that talk ahead of time, and should have been in + there from day one. + +19980409 + + Bugfix: the VMailer SMTP client now recognizes its own + hostname in the SMTP greeting banner only when that name + appears as the first word on the first line. + +19980410 + + Feature: smtpd now logs the local queue ID along with the + client name/address, and pickup now logs the local queue + ID along with the message owner. + + Bugfix: still didn't do virtual/canonical lookups right + (code used the non-case-folded key instead of the case + folded one). + +19980418 + + Bugfix: the SMTP server did not flush the "250 OK queued + as XXXX" message from the SMTP conversation history. + +19980419 + + Bugfix: qmgr would not notice that a malformed message has + multiple senders, and would leak memory (Tom Ptacek). + +19980421 + + Portability: in the mantools scripts, the expr pattern no + longer has ^ at the beginning, and the scripts now use the + expand program instead of my own detab utility. + +19980425 + + NetBSD 1.x patch by Soren S. Jorvang. + +19980511 + + Feature: the SMTP server now logs the protocol (SMTP or + ESMTP) as part of the Received: header. + + Feature: smtpd now logs the last command when a session is + aborted due to timeout, unexpected EOF, or too many client + errors. + +19980514 + + Bugfix: the queue manager did not update the counter for + in-core message structures, so the in-core message limit + had no effect. This can be bad when you have a large backlog + with many messages eligible for delivery. + + Robustness: the queue manager now also limits the total + number of in-core recipient structures, so that it won't + use excessive amounts of memory on sites that have large + mailing lists. + +19980518 + + Bugfix: the SMTP client did not notice that the DNS client + received a truncated response. As a result, a backup MX + host could incorrectly claim that it was the best MX host + and declare a mailer loop. + + Added start_msg/stop_msg entries to the vmailer startup + script, for easy installation. + + Cleanup: VMailer databases are now explicitly specified as + type:name, for example, hash:/etc/aliases or nis:mail.aliases, + instead of implicitly as "files", "nis" and so on. Test + program: util/dict_open. This change allowed me to + eliminate a lot of redundant code from mkmap_xxx.c, and + from everything that does map lookups. + +19980525 + + Bugfix: local/dotforward.c compared the result of opening + a user's ~/.forward against the wrong error value. + +19980526 + + Bugfix: the smtpd VRFY command could look at free()d memory. + + Robustness: the smtpd program had a fixed limit on the + number of token structures. The code now dynamically + allocates token structures. + + Bugfix: the queue manager still used the deprecated parameter + name xxx_deliver_concurrency for concurrency control, but + the documentation talks about the preferred parameter name + xxx_destination_concurrency. Fix: try xxx_destination_concurrency + first, then fall back to xxx_deliver_concurrency. + +19980621-19980702 + + Cleanup: the string read routines now report the last + character read or VSTREAM_EOF. This change is necessary + for the implementation of the long SMTP line bugfix. + + Bugfix: the smtp server exited the DATA command prematurely + when the client sent long lines. Reason: the smtp server + did not remember that it broke long lines, so that '.' + could appear to be the first character on a line when in + fact it wasn't. + + Bugfix: the queue manager made lots of stupid errors while + reading $qmgr_message_recipient_limit chunks of recipients + from a queue file. This code has been restructured. + +19980706 + + Performance: the cleanup program now always adds return-receipt + and errors-to records to a queue file, so that the queue + manager does not have to plow through huge lists of + recipients. + + Robustness: the initial destination concurrency now defaults + to 2, so that one bad message or one bad connection does + not stop all mail to a site. The configuration parameter + is called initial_destination_concurrency. + + Performance: the per-message recipient limit is now enforced + by the queue manager instead of by the transport. Thus, a + large list of recipients for the same site is now mapped + onto several delivery requests which can be handled in + parallel, instead of being mapped onto one delivery request + that is sent to limited numbers of recipients, one group + after the other. + +19980707 + + Cleanup: the queue manager now does an additional recipient + sort after the recipients have been resolved, so that the + code can do better aggregation of recipients by next hop + destination. + + Feature: lines in the master.cf file can now be continued + in the same manner as lines in the main.cf file, i.e. by + starting the next line with whitespace. + + Feature: the smtp client now warns that a message may be + delivered multiple times when the response to "." is not + received (the problem described in RFC 1047). + + Cleanup: when the queue manager changes its little mind + after contacting a delivery agent (for example, it decides + to skip the host because a transport or host goes bad), + the delivery agent no longer complains about premature EOF. + File: global/deliver_request.c + +19980709 + + Bugfix: when breaking long lines, the SMTP client did not + escape leading dots in secondary etc. line fragments. Fix: + don't break lines. This change makes VMailer line-length + transparent. Files: global/smtp_stream.c, smtp/smtp_proto.c. + +19980712 + + Cleanup: the queue manager to deliver agent protocol now + distinguishes between domain-specific soft errors and + recipient-specific soft errors. Result: many soft errors + with SMTP delivery no longer affect other mail the same + domain. + +19980713 + + Feature: the file modification time stamp of deferred queue + files is set to the nearest wakeup time of their recipient + hosts, or if delivery was deferred due to a non-host problem, + the time stamp is set into the future by the configurable + minimal backoff time. + + Bugfix: the SMTP client and the MAILQ command would report + as message size the total queue file size. That would + grossly overestimate the size of a message with many + recipients. + + Bugfix: the 19980709 fix screwed up locally-posted mail + that didn't end in newline. + +19980714 + + Robustness: the makedefs script now defaults to no optimization + when compiling for purify. + +19980715 + + Robustness: the makedefs script now defaults to no optimization + when compiling with gcc 2.8, until this compiler is known + to be OK. + + Workaround: when sending multiple messages over the same + SMTP connection, some SMTP servers need an RSET command + before the second etc. MAIL FROM command. The VMailer SMTP + client now sends a redundant RSET command just in case. + + The queue manager now logs explicitly when delivery is + deferred because of a "dead" message transport. + +19980716 + + Feature: mailq and mail bounces now finally report why mail + was deferred (the reason was logged to the syslog file + only). Changes were made to the bounce service (generalized + to be usable for defer logs), showq service (to show reasons) + and the queue manager. + + As a result the defer directory (with one log per deferred + message) may contain many files; also, this directory is + accessed each time a message is let into the active queue, + in order to delete its old defer log. This means that hashed + directories are now a must. + +19980718-20 + + Feature: configurable timeout for establishing smtp + connections. Parameter: smtp_connect_timeout (default 0, + which means use the timeout as wired into the kernel). + Inspired by code from Lamont Jones. For a clean but far + from trivial implementation, see util/timed_connect.c + + Cleaned up the interfaces that implement read/write deadlines. + Instead of returning -2, the routines now set errno to + ETIMEDOUT; the readable/writable tests are now separate. + +19980722 + + Feature: the default indexed file type (hash, btree, dbm) + is now configurable with the "database_type" parameter. + The default value for this parameter is system specific. + + Feature: selectively turn on verbose logging for hosts that + match the patterns specified via the "debug_peer_list" + config parameter. Syntax is like the "bad_smtp_clients" + parameter (see global/peer_list.c). The verbose logging + level is specified with "debug_peer_level" (default 2). + + Security: the local delivery agent no longer delivers to + files that have execute permission enabled. + +19980723 + + Workarounds for Solaris 2.x UNIX-domain sockets: they lose + data when you close them immediately after writing to them. + This could screw up the delivery agent to queue manager + protocol. + +19980724 + + Cleanup: spent most of the day cleaning up queue manager + code that defers mail when a site or transport dies, and + fixed a few obscure problems in the process. + +19980726 + + Feature: the admin can now configure what classes of problems + result in mail to the postmaster. Configuration parameter: + "notify_classes". Default is backwards compatible: bounce, + policy, protocol, resource, and software. + +19980726-28 + + Feature: the admin can now configure what smtp server access + control restrictions must be applied, and in what order. + Configuration parameters: smtpd_client_restrictions, + smtpd_helo_restrictions, smtpd_mail_restrictions and + smtpd_rcpt_restrictions. Defaults are intended to be + backwards compatible. The bad_senders and bad_clients lists + are gone and have become db (dbm, nis, etc) maps. Files: + smtpd/smtpd_check.c, config/main.cf. + +19980729-31 + + Feature: hashed queues. Rewrote parts of the mail queue + API. Configuration parameters: "hash_queue_names" specifies + what queue directories will be hashed (default: the defer + log directory), "hash_queue_depth" specifies the number of + subdirectories used for hashing (default 2). + +19980802 + + Bugfix: the pipe mailer should expand command-line arguments + with $recipient once for every recipient (producing one + command-line argument per recipient), instead of replacing + $recipient by of all recipients (i.e. producing only one + command-line argument). This is required for compatibility + with programs that expect to be run from sendmail, such as + uux. Thanks to Ollivier Robert for helping me to get this + right. + + Code cleanup: for the above, cleaned up the macro expansion + code in dict.c and factored out the parsing into a separate + module, mac_parse.c. + +19980803 + + "|command" and /file/name destinations in alias databases + are now executed with the privileges of the database owner + (unless root or vmailer). Thus, with: "alias_maps = + hash:/etc/aliases, hash:/home/majordomo/aliases", and with + /home/majordomo/aliases* owned by the majordomo account, + you no longer need the majordomo set-uid wrapper program, + and you no longer need root privileges in order to install + a new mailing list. + +19980804 + + Added support for the real-time blackhole list. Example: + "client_restrictions = permit_mynetworks, reject_maps_rbl" + + All SMTP server "reject" status codes are now configurable: + unknown_client_reject_code, mynetworks_reject_code, + invalid_hostname_reject_code, unknown_hostname_reject_code, + unknown_address_reject_code, relay_domains_reject_code, + access_map_reject_code, maps_rbl_reject_code. Default values + are documented in the smtpd/smtpd_check.c man page. + +19980806-8 + + Code cleanup: after eye balling line-by line diffs, started + deleting code that duplicated functionality because it was + at the wrong abstraction level (smtp_trouble.c), moved + functionality that was in the wrong place (dictionary + reference counts in maps.c instead of dict.c), simplified + code that was too complex (password-file structure cache) + and fixed some code that was just wrong. + +19980808 + + Robustness: the number of queue manager in-core structures + for dead hosts is limited; the limit scales with the limit + on the number of in-core recipient structures. The idea is + to not run out of memory under conditions of stress. + +19980809 + + Feature: mail to files and commands can now be restricted + by class: alias, forward file or include file. The default + restrictions are: "allow_mail_to_files = alias, forward" + and allow_mail_to_commands = alias, forward". The idea is + to protect against buggy mailing list managers that allow + intruders to subscribe /file/name or "|command". + +19980810-12 + + Cleanup: deleted a couple hundred lines of code from the + local delivery agent. It will never be a great program; + sendmail compatibility is asking a severe toll. + +19980814 + + Cleanup: made the program shut up about some benign error + conditions that were reported by Daniel Eisenbud. + +19980814-7 + + Documentation: made a start of HTML docs that describe all + configuration parameters. + + Feature: while documenting things, added smtpd_helo_required. + +19980817 + + Bugfix: at startup the queue manager now updates the time + stamps of active queue files some time into the future. + This eliminates duplicate deliveries after "vmailer reload". + + Bugfix: the local delivery agent now applies the recipient + delimiter after looking in the alias database, instead of + before. + + Documentation bugfixes by Matt Shibla, Tom Limoncelli, + Eilon Gishri. + +19980819 + + GLIBC fixes from Myrdraal. + + Bugfix: applied showq buffer reallocation workaround in + the wrong place. + + Bugfix: can't use shorts in varargs lists. SunOS 4 has + short uid_t and gid_t. pipe_command() would complain. + + Bugfix: can't use signed char in ctype macros. All ctype + arguments are now casted to unsigned char. Thanks, Casper + Dik. + +19980820 + + Bugfix: save the alias lookup result before looking up the + owner. The previous alpha release did this right. + + Cleanup: mail_trigger() no longer complains when the trigger + FIFO or socket is unavailable. This change is necessary to + shut up the sendmail mail posting program, so that it can + be used on mail clients that mount their maildrop via NFS. + + Experiment: pickup and pipe now run as vmailer most of the + time, and switch to user privileges only temporarily. + Files: util/set_eugid.c global/pipe_command.c pipe/pipe.c + pickup/pickup.c. Is this more secure/ What about someone + manipulating such a process while not root? It still has + ruid == 0. + +19980822 + + Portability: with GNU make, commands such as "(false;true)" + and "while :; do false; done" don't fail. Workaround: use + "set -e" all over the place. Problem found by Jeff Wolfe. + + Feature: "check_XXX_access maptype:mapname" (XXX = client, + helo, sender, recipient). Now you can make recipient and + other SPAM restrictions dependent on client or sender access + tables lookup results. + +19980823 + + Bugfix: smtpd access table lookup keys were case sensitive. + + Added "permit" and "reject" operators. These are useful at + the end of SPAM restriction lists (smtpd_XXX_restrictions). + + Added a first implementation of the permit_mx_backup SPAM + restriction. This permits mail relaying to any domain that + lists this mail system as an MX host (including mail for + the local machine). Thanks to Ollivier Robert for useful + discussions. + +19980824 + + Bugfix: transport table lookup keys were case sensitive. + +19980825 + + Portability: sa_len is some ugly #define on some SGI systems, + so we must rename identifiers (file util/connect.c). + + Bugfix: uucp delivery errors are now sent to the sender. + Thanks, Mark Delany. + + Bugfix: the pipe delivery agent now replaces empty sender + by the mailer daemon address. Mark Delany, again. + + Portability: GNU getopt looks at all command-line arguments. + Fix: insert -- into the pipe/uucp definition in master.cf. + + Bugfix: the smtp server command tokenizer silently discarded + the [] around [text], so that HELO [x.x.x.x] was read as + if the client had sent: HELO x.x.x.x. Thanks, Peter Bivesand. + + Bugfix: the HELO unknown hostname/bad hostname restrictions + would have treated [text] as a domain name anyway. + + Bugfix: the $local_duplicate_filter_limit value was not + picked up by the local delivery agent. This means the local + delivery agent could run out of memory on large mailing + list deliveries. + +19980826 + + Performance: mkmap/mkalias now run with the same speed as + sendmail. VMailer now uses a 4096-entry cache with 1 Mbyte + of memory for DB lookups. File: util/dict_db.c. + +19980902 + + Robustness: the reject_unknown_hostname restriction for + HELO/EHLO hostnames will now permit names that have an MX + record instead of an A record. + +19980903 + + Feature: appending @$myorigin to an unqualified address is + configurable with the boolean append_at_myorigin parameter + (default: yes). + + Feature: appending .$mydomain to user@host is configurable + with the boolean append_dot_mydomain parameter (default: + yes). + + Feature: site!user is rewritten to user@site, under control + of the boolean parameter swap_bangpath (default: yes). + + Feature: permit a naked IP address in HELO commands (i.e. + an address without the enclosing [] as required by the + RFC), by specifying "permit_naked_ip_address" as one of + the restrictions in the "smtpd_helo_restrictions" config + parameter. + +19980904 + + Code cleanup: when an SMTP client aborts a session after + sending MAIL FROM, the cleanup service no longer warns that + it is "skipping further client input". Files: cleanup/*.c. + Thanks, Daniel Eisenbud, for prodding. + + Code cleanup: when an SMTP server disconnects in the middle + of a session, don't try to send QUIT over the non-existing + connection. Files: global/smtp_stream.c, smtp/smtp.c. + Thanks, Daniel Eisenbud, for prodding, again. + + Code cleanup: the VMailer version number has moved from + mail_params.h (which is included by lots of modules) to a + separate file global/mail_version.h, so that a version + change no longer results in massive recompilation. + + Bugfix: Errors-To was flagged as a sender address, so the + address never was picked up. + + Code cleanup: support for Errors-To: headers completed. + +19980905 + + Feature: per-message exponential delivery backoff, by + looking at the amount of time a message has been queued. + Thanks, Mark Delany. + +19980906 + + Code cleanup: ripped out the per-host exponential backoff + code. It was broken by 19980818. It was probably a bad idea + anyway, because it required per-host, in-core, state kept + by the queue manager. All we do now is to keep state for + $minimal_backoff_time seconds, but only for a limited number + of hosts. Daniel Eisenbud spotted the problem. + + Lost feature: the SMTP session transcripts now show who + said what. This feature was inadvertently dropped during + development. Thanks, Daniel Eisenbud, for reminding. + + Documentation: the hard-coded rewriting process of the + trivial-rewrite program is described in html/rewrite.html. + + Feature: the local delivery agent now does alias lookups + before and after chopping off the recipient subaddress. + This allows you to forward user-anything to another user, + without losing the ability to redirect specific user-foo + addresses. + +19980909 + + Feature: the smtp client now logs a warning that a server + sends a greeting banner with the client's hostname, which + could imply a mailer loop. + +19980910 + + Feature: separate canonical maps for sender and recipient + address rewriting, so that you can rewrite an ugly sender + address and still forward mail to that same ugly address + without creating a mailer loop. Files: cleanup_envelope.c, + cleanup_message.c, cleanup_rewrite.c. + +19980911 + + Feature: virtual maps now support multiple addresses on + the right-hand side. In the case of virtual domains this + can eliminate the need for address expansion via local + aliases, making virtual domains much easier to administer. + This required that I moved the virtual table lookups from + the queue manager to the cleanup service, so that every + recipient has an on-disk status record. Files: qmgr.c, + qmgr_message.c, cleanup_envelope.c, cleanup_rewrite.c, + cleanup_virtual.c. + + Feature: sendmail/mailq/newaliases pass on the -v flag to + the program that they end up running, to make debugging a + little easier. + +19980914 + + Bugfix: some anti-spam measures didn't recognize some + addresses as local and would do too much work. File: + smtpd_check.c. + + Bugfix: the smtp sender/recipient table lookup restriction + destroyed global data, so that other restrictions could + break. File: smtpd_check.c. + + Bugfix: after vmailer reload, single-threaded servers could + exit before flushing unwritten data to the client. Example: + cleanup would exit before acking success to pickup, so the + message would be delivered twice. Bug reported by Brian + Candler. + + Cleanup: removed spurious error output from vmailer-script. + Reported by Brian Candler. + + Tolerance: ignore non-numeric SMTP server responses. There's + lot of brain damage out there on the net. + +19980915 + + Feature: the smtp-sink benchmark tool now announces itself + with a neutral name so that it can be run on the same + machine as VMailer, without causing Postfix to complain + about a mailer loop. + + Robustness: on LINUX, vmailer-script now does chattr +S to + force synchronous directory updates. Fix developed with + Chris Wedgwood. + +19980916 + + Bugfix: when transforming an RFC 822 address to external + form, there is no need to quote " characters in comments. + This didn't break anything, it just looked ugly. File: + global/tok822_parse.c + +19980917 + + Workaround: with deliveries to /file/name, use fsync() and + ftruncate() only on regular files. File: local/file.c + + Workaround: the plumbing code in master_spawn.c didn't + check if it was dup2()/close()ing a descriptor to itself + then closing it. Will have to redo the plumbing later. + +19980918 + + Workaround: on multiprocessor Solaris machines, one-second + rollover appears to happen on different CPUs at slightly + different times. Made the queue manager more tolerant for + such things. Problem reported by Daniel Eisenbud. + + Workaround: in preparation for deployment with a network-shared + maildrop directory. make pickup more tolerant against clock + drift between clients and servers. + +19980921 + + New vstream_popen() module that opens a two-way channel + across a socketpair-based pipe. This module isn't being + used yet; it is here only to complete the vstream code. + +19980922 + + Code cleanup: the xxx_server_main() interface for master + child processes now uses a name-value argument list instead + of an ugly and inflexible data structure. + + Bugfix: moved the test if a non-interactive process is run + by hand, so that the "don't do this" error message can be + printed to stderr before any significant processing. + + Bugfix: smtpd now can talk to unix-domain sockets without + bailing out on a peer lookup problem. Files: smtpd/smtpd.c, + util/peer_name.c. + + Safety: by default, the postmaster is no longer informed + of protocol problems, policy violations or bounces. + + Safety: the SMTP server now sleeps before sending a [45]xx + error response, in order to prevent clients from hammering + the server with a connect/error/disconnect loop. Parameter: + smtpd_error_sleep_time (default: 5). + + Feature: the logging facility is compile-time configurable + (e.g., make makefiles "CCARGS=-DLOG_FACILITY=LOG_LOCAL1"). + +19980923 + + Bugfix: changed virtual/canonical map search order from + (user@domain, @domain, user) to (user@domain, user, @domain) + so the search order is most specific to least specific. + File: global/addr_map.c, lots of documentation. + + Bugfix: after the change of 19980910, cleanup_message + extracted recipients from Reply-To: etc. headers. Found + by Lamont Jones. + +19980925 + + Bugfix: the change in virtual/canonical map search order + broke @domain entries; they would never be looked up if + the address matched $myorigin or $mydestinations. Found by + Chip Christian who now regrets asking for the change. + + Bugfix: cleanup initialized an error mask incorrectly, so + that it would keep writing to a file larger than the queue + file size limit, and so it would treat the error as a + recoverable one instead of sending a bounce. Thanks, Pieter + Schoenmakers. + + Bugfix: the "queue file cleanup on fatal error" action was + no longer enabled in the sendmail mail posting agent. + + Feature: the sendmail mail posting program now returns + EX_UNAVAILABLE when the size of the input exceeds the queue + file size limit. NB THIS CHANGE HAS BEEN WITHDRAWN. + +19980926 + + Code cleanup: the dotlock file locking routine is no longer + derived from Eric Allman's 4.3BSD port of mail.local. + + Code cleanup: the retry strategy of the file locking routines + dot_lockfile() and deliver_flock() is now configurable + (deliver_flock_attempts, deliver_flock_delay, deliver_flock_stale). + + Code cleanup: the master.pid lock file is now created with + symlink paranoia, and is properly locked so that PID rollover + will not cause false matches. + + Bugfix: the vbuf_print() formatting engine did not know + about the '+' format specifier. + + Cleanup: replaced unnecessary instances of stdio calls by + vstream ones. + +19980929-19981002 + + Compatibility: added support for "sendmail -q". This required + a change to the queue manager trigger protocol, and a code + reorganization of the way queue scans were done. The queue + manager socket now has become public. + +19981002 + + SMTPD now logs "lost connection after end-of-message" + instead of "lost connection after DATA". + +19981005 + + More bullet proofing: timeouts on all triggers. + +19981006 + + Bugfix: make the number of cleanup processes unlimited, in + order to avoid deadlock. The number of instances needed is + one per smtp/pickup process, and an indeterminate number + per local delivery agent. Thanks, Thanks, David Miller and + Terry Lorrah for cleueing me in. + + Bugfix: "sendmail -t" extracted recipients weren't subjected + to virtual mapping. Daniel Eisenbud strikes again. + +19981007 + + Compatibility: if the first input line ends in CRLF, the + sendmail posting agent will treat all CRLF as LF. Otherwise, + CRLF is left alone. This is a compromise between sendmail + compatibility (all lines end in CRLF) and binary transparency + (some, but not all, lines contain CRLF). + +19981008 + + Robustness: stop recursive virtual expansion when the + left-hand side appears in its own expansion. + +19981009 + + Portability: trigger servers such as pickup and qmgr can + now use either FIFOs or UNIX-domain sockets; hopefully at + least one of them works properly. Trigger clients were + already capable of using either form of local IPC. + +19981011 + + Feature: masquerading. Strip subdomains from domains listed + in $masquerade_domains. Exception: envelope recipients are + left alone, in order to not screw up routing. + +19981015 + + Code cleanup: moved the recipient duplicate filter from + the user-level sendmail posting agent to the semi-resident + cleanup service, so that the filter operates on the output + from address canonicalization and of virtual expansion, + instead of operating on their inputs. + +19981016 + + Bugfix: after kill()ing a bunch of child processes, wait() + sometimes fails before all children have been reaped, and + must be called again, or the master will SIGSEGV later. + Problem reported by Scott Cotton. + + Workaround: don't log a complaint when an SMTP client goes + away without sending QUIT. + +19981018 + + Workaround: Solaris 2.5 ioctl SIOCGIFCONF returns a hard + error (EINVAL) when the result buffer is not large enough. + This can happen on systems with many real or virtual + interfaces. File: util/inet_addr_local.c. Problem reported + by Scott Cotton. + + Workaround: the optional HELO/EHLO hostname syntax check + now allows a single trailing dot. + + Workaround: with UNIX-domain sockets, LINUX connect() blocks + until the server calls accept(). File: qmgr/qmgr_transport.c. + Terry Lorrah and Scott Cotton provided the necessary + evidence. + +19981020 + + Robustness: recursive canonical mapping terminates when + the result stops changing. + + Code cleanup: reorganized the address rewriting and mapping + code in the cleanup service, to make it easier to implement + the previous enhancement. + +19981022 + + Code cleanup: more general queue scanning programming + interface, in preparation for hashed queues. File: + qmgr/qmgr_scan.c. + + Bugfix: a non-FIFO server with a process limit of 1 has a + too short listen queue. Until now this was not a problem + because only FIFO servers had a process limit of 1, and + FIFOs have no listen queue. Fix: always configure a listen + queue of proc_limit or more. File: master/master_listen.c. + +19981023 + + Feature: by popular request, mail delay is logged when + delivering, bouncing or deferring mail. + +19981024 + + Cleanup: double-bounce mail is now absorbed by the queue + manager, instead of the local delivery agent, so that the + mail system will not go mad when no local delivery agent + is configured. + +19981025 + + Cleanup: moved the relocated table from the local delivery + agent to the queue manager, so that the table can also be + used for virtual addresses. + + Code reorg: in order for the queue manager to absorb + recipients, the queue file has to stay open until all + recipients have been assigned to a destination queue. + +19981026 + + vmlogger command, so that vmailer-script logging becomes + consistent with the rest of the VMailer system. + + Code reorg: logger interface now can handle multiple output + handlers (e.g. syslog and stderr stream). + + Bugfix: a first line starting with whitespace is no longer + treated as an extension of our own Received: header. Files: + smtpd/smtpd.c, pickup/pickup.c. + +19981027 + + Bugfix: the bang-path swapping code went into a loop on an + address consisting of just a single !. Eilon Gishri had + the privilege of finding this one. + + Workaround: the non-blocking UNIX-domain socket connect is + now enabled only on systems that need it. It may cause + kernel trouble on Solaris 2.x. + + Bugfix: the resolver didn't implement bangpath swapping, + so that mail for site!user@mydomain would be delivered to + a local user named "site!user". + +19981028 + + Cleanup: a VSTREAM can now use different file descriptors + for reading and writing. This was necessary to prevent + "sendmail -bs" and showq from writing to stdin. Eilon Gishri + observed the problem. + +19981029 + + The RFC 822 address manipulation routines no longer give + special attention to 8-bit data. Files: global/tok822_parse.c, + global/quote_822_local.c. + + Bugfix: host:port and other non-domain stuff is no longer + allowed in mail addresses. File: qmgr/qmgr_message.c. + + Workaround: LINUX accept() wakes up before the three-way + handshake is complete, so it can fail with ECONNRESET. + Files: master/single_server.c, master/multi_server.c. + + Feature: when delivering to user+foo, try ~user/.forward+foo + before trying ~user/.forward. + + Bugfix: smtpd in "sendmail -bs" (stand-alone) mode didn't + clean up when terminated by a signal. + + Bugfix: smtpd in "sendmail -bs" (stand-alone) mode should + not try to enforce spam controls because it cannot access + the address rewriting machinery. + + Cleanup: the percent hack (user%domain -> user@domain) is + now configurable (allow_percent_hack, default: yes). + + Bugfix: daemons in -S (stand-alone) mode didn't change + directory to the queue. This was no problem with daemons + run by the sendmail compatibility program. + +19981030 + + Feature: when virtual/canonical/relocated lookup fails for + an address that contains the optional recipient delimiter + (e.g., user+foo@domain), the search is done again with the + unextended address (e.g., user@domain). File: global/addr_find.c. + + Code reorg: the address searching is now implemented by a + separate module global/addr_find.c, so that the same code + can be used for both (non-mapping) relocated table lookups + and for canonical and virtual mapping. The actual mapping + is still done in the global/addr_map.c module. + + Robustness: the SMTP client now skips hosts that don't send + greeting banner text. File: smtp/smtp_connect.c + + Feature: preliminary support to disable delivered-to. This + is desirable for mailing list managers that don't want to + advertise internal aliases. + + Generic support: when the recipient_feature_delimiter + configuration parameter is set, the local delivery agent + uses it to split the recipient localpart into fields. Any + field that has a known name such as "nodelivered" enables + the corresponding delivery feature. + +19981031 + + Code reorg: address splitting on recipient delimiter is + now centralized in global/split_addr.c, which knows about + all reserved names that should never be split. + + Robustness: when a request for an internal service cannot + be satisfied because the master has terminated, terminate + instead of trying to reach the service every 30 seconds. + + Safety: the local delivery agent now runs as vmailer most + of the time, just like pickup and pipe. Files: local/local.c, + local/mailbox.c + +19981101 + + Compatibility: the tokenizer for alias/forward/etc. + expansion now updates an optional counter with the number + of destinations found; If no destinations is found in a + .forward file, deliver to the mailbox instead. Thanks, + Daniel Eisenbud, for showing the way to go. + + Robustness: the pickup daemon should always include a + posting-time record, even when the sendmail posting agent + didn't. However, just like before, user-provided posting + times will be ignored. Ollivier Robert found this one. + + Robustness: duplicate entries in aliases or maps now cause + a warning instead of a fatal error (and an incomplete file). + + Robustness: mkmap now prints a warning when an entry is in + "key: value" format, which is the format expected for alias + databases, not for maps. + + Portability: on LINUX, prepend "+" to the getopt() options + string so that getopt() will stop at the first non-option + argument. Suggestion by Marco d'Itri. + +19981103 + + Cleaned up the set_eugid() and open_as() implementations, + and added stat_as() and fstat_as() so that the local delivery + agent would look up include files and .forward files with + the right privileges. + +19981104 + + Bugfix: the :include: routine now stat()s/open()s files + included by root-owned aliases as root, not as nobody. + + Bugfix: the master crashed when a service with wakeup timer + was disabled or renamed. Fix: eliminate some pathological + coupling between process management and wakeup management. + + Feature: partial implementation of ETRN (causes a full + deferred queue scan). Thanks Lamont Jones for reminding me + that things can be useful already before they are perfect. + + Cleanup: simplified the SMTPD tokenizer. + + Bugfix: sendmail -bs didn't properly notify the mail system + of new mail. + + Compatibility: the MAIL FROM and RCPT TO commands now accept + the most common address forms without enclosing <>. The <> + is still needed for addresses that contain a "string", an + [address], or a colon (:). + +19981105 + + Bugfix: "master -t" would claim that the master runs when + in fact the pid directory does not exist, causing trouble + with first time startup (reported by several). + + Portability: added a sane_accept() module that maps all + beneficial accept() error results to EAGAIN. According to + private communication with Alan Cox, Linux 2.0.x accept() + can return a variety of error conditions, so we play safe + and allow for any error that may happen because SYN+ACK + could not be sent. + + Portability: NETBSD1 uses dotlock files (Perry Metzger). + + Bugfix: the local delivery agent did not canonicalize + owner-foo sender addresses, so that local users would see + owner-foo instead of owner-foo@$myorigin (Perry Metzger). + + OPENSTEP4 support, similar to NEXTSTEP3 (Gerben Wierda). + +19981106 + + Portability: the master startup would take a long time on + AIX because AIX has a very large per-process open file + limit. Fix is to check the status of only the first couple + hundred file descriptors instead. File: master/master.c. + + Bugfix: mail to user@[net.work.addr.ess] was broken because + of a reversed test. File: qmgr/qmgr_message.c. + +19981107 + + Compatibility: don't clobber the envelope sender address + when an alias has no owner-foo alias (problem diagnosed by + Christophe Kalt). + + Bugfix: mail to local users in include files would be + delivered directly if the alias didn't have an owner-foo + alias, and if the alias database and include file were + owned by root. + + Feature: with user+foo addresses, any +foo address extension + that is not explicitly matched in canonical, virtual or + alias databases is propagated to the table lookup result. + +19981108 + + Bugfix: minor memory leak in the user+foo table lookup + code. + + Configurability: specify virtual.domain in the virtual map, + and mail for unknown@virtual.domain will bounce automatically. + The $relay_domains default value now includes $virtual_maps, + so the SMTP server will accept mail for the domain. Marco + d'Itri put me on the right track. + + Configurability: The mydestinations configuration parameter + now accepts /file/name expressions and type:name lookup + tables. + + Code cleanup: in order to make the previous two enhancements + possible, revised the string/host/address matching engine + so it can handle any mixture of strings, /file/name patterns + and type:name lookup tables. Files: util/match_{list,ops}.c, + global/{domain,namadr,string}_list.c. + +19981110 + + Code cleanup: replaced remaining isxxx() calls by ISXXX(). + +19981111 + + Bugfix: the "bounce unknown virtual user" code was in the + wrong place. Problem tackled with help of Chip Christian. + + Portability: reportedly, Solaris 2.5.1 can hang waiting + for a UNIX-domain connection to be accepted, so it gets + the same workaround that was designed for LINUX. Problem + reported by Scott Cotton. + +19981112 + + Management: "vmailer stop" now allows delivery agents to + finish what they are doing, like "vmailer reload". + + Management; "vmailer abort" causes immediate termination. + + Workaround: zombie processes pile up with HP-UX. Reason: + select() does not return upon SIGCHLD when SA_RESTART is + specified to sigaction(). Workaround: shorten the select() + timer to 10 seconds, #ifdef BRAINDEAD_SELECT_RESTARTS. + Thanks, Lamont Jones. + +19981117 + + Rename: VMailer is now Postfix. Sigh. + +19981118 + + Cleanup: generalized the safe_open() routine so that it is + no longer limited to mailbox files, lock files, etc. + + Bugfix (found during code review): vstream*printf() could + run off the end of a stream buffer after an I/O error, + because vbuf_print() ignored the result from VBUF_SPACE(). + + Bugfix (found during code review): resolve_local() could + clobber its argument, but the docs didn't say so. + +19981121 + + Cleanup: the is_header() routine now allows 8-bit data in + header labels. + +19981123 + + Bugfix (found during code review): the mail_queue_enter() + path argument wasn't optional. File: global/mail_queue.c + +19981124 + + Cleanup: eliminated redundant tests for a zero result from + vstream_fdopen(). Unlike the stdio fdopen() routine, the + vstream_fdopen() routine either succeeds or never returns. + + Bugfix: the queue manager now looks at the clock before + examining a file time stamp, to avoid spurious complaints + about time warps on busy machines. File: qmgr/qmgr_active.c. + +19981125 + + Compatibility: allow trailing dot at the end of user@domain. + Address canonicalization now strips it off. Issue brought + forward by Eilon Gishri. File: trivial-rewrite/rewrite.c. + + Robustness: changed DNS lookup order of MAIL FROM etc. + domains from MX then A to A then MX, just in case the MX + lookup fails with a server error. + + Renamed vmcat, vmlock, vmlogger, vmtrigger to postcat, + postlock, postlog, postkick. Also renamed mkmap and mkalias + to postmap and postalias. + +19981126 + + Workaround: Lamont Jones found a way for HP-UX to terminate + select() after SIGCHLD. The code is #ifdef USE_SIG_RETURN. + Files: util/sys_defs.h, master/master_sig.c. + + Bugfix: the Delivered-To: loop detection code had stopped + working, when long ago the is_header() routine was changed. + File: local/delivered.c. + +19981128 + + Bugfix: postcat opened queue files read-write, where only + read access was needed. File: postcat/postcat.c. + +19981129 + + Safety: added a sleep(1) to all fatal and panic exits. + File: util/msg.c. + +19981201 + + Robustness: postcat now insists that a file starts with a + time record. + + Consistency: added "-c config_dir" command-line options + where appropriate. + +19981202 + + Man pages, on-line version. + +19981203 + + Man pages, html version; overview documentation. + +19981206 + + Sendmail silently accepted the unsupported -qRsite and + -qSsite options. It now prints an error message and + terminates. + + Separated the contributed tree from the IBM code; moved + the LDAP and NEXTSTEP/OPENSTEP code to the contributed + source tree because obviously I didn't write it. + +19981206-9 + + Had to write a postconf configuration utility in order to + reliably find out about all configuration parameters and + their defaults. + + Documentation bugfixes by Matt Shibla, Scott Drassinower, + Greg A. Woods. + +19981209 + + On machines with short hostnames, postconf -d cored while + reporting a fatal error. It should not report that error + in the first place. Thanks, Eilon Gishri. + + Changed the FAQ entry about rejecting mail for *.my.domain + on a firewall. Chip Christian was right, I was wrong. + +19981214 + + Portability: with GNU getopt, optind is not initially 1, + breaking an assumption in sendmail/sendmail.c. Liviu Daia. + + Annoyance: on non-networked systems, don't warn that only + one network interface was found. File: global/inet_addr_local.c. + Reported by several. + + Bugfix: on non-networked systems, the smtp client assumed + that it was running in virtual host mode, and would bind + to the loopback interface. File smtp/smtp_connect.c. Liviu + Daia, again. + +19981220 + + Robustness: when looking up an A or MX record, do not give + up when the A query fails because of a server error. File + dns/dns_lookup.c. Reported by Scott Drassinower. + +19981221 + + Bugfix: "bounce mail for non-existent virtual user" didn't + work when a non-default relay host was configured in main.cf + or in the transport table. File: qmgr/qmgr_message.c. + + Bugfix: the maildrop directory should not be world-readable. + Files: conf/postfix-script, showq/showq.c. + + Documentation: fixed several omissions and errors. + + Documentation: removed references to the broken recipient + feature delimiter configuration parameter. + + Bugfix: write mailbox file as the recipient, so that file + quota work as expected. + + Bugfix: pickup would die when it tried to remove a non-file + in the maildrop directory (Jeff Wolfe). + +19981222 + + Sendmail no longer logs the queue ID when it is unable to + notify the pickup daemon. This is a late addition to the + "unreadable maildrop queue" patch. + + user.lock files are now created as root, so that postfix + needs no group directory write permission. + +19981224 + + Security: allow queue file link counts > 1, to avoid + non-delivery of maildrop files with links to a non-maildrop + directory. Files: global/mail_open_ok.c, and anything + that calls this code (qmgr, pickup, showq). If multiple + hard links are a problem, see the set-gid "postdrop" utility + below. + +19981225 + + Robustness: the queue manager no longer aborts when a queue + file suddenly disappears (e.g. because the file was removed + by hand). + + Feature: when a writable maildrop directory is a problem, + sites can make the new "postdrop" utility set-gid. This + command is never used when the maildrop directory is + world-writable. + + Robustness: make the queue file creation routine more + resistant against denial of service race attack. File: + global/mail_queue.c + +19981226 + + New suid_priv module to enable/disable privileges in a + set-uid/gid program. In the end I decided to not use it. + +19981228 + + Robustness: make the pickup daemon more resistant against + non-file race attack. + + Cleanup: generic mail_stream.c interface for writing queue + file streams to files, daemons or commands. This simplifies + the code in smtpd and in sendmail that must be able to pipe + mail through the postdrop command. The cleanup daemon has + been modified to use the same interface. Result: less code. + + Feature: smtpd now logs the only recipient in Received: + headers. + + Feature: separate command and daemon directories. Both + default to $program_directory. Install conf/postfix-script + if you want to use this feature. + +19981230 + + Patch to avoid conflict with non-writable top-level Makefile + (Lamont Jones). + +19981231 + + Portability: port to UnixWare 7 by Ronald Joe Record, SCO. + +19990104 + + Bugfix: fencepost (Jon Ribbens, Oaktree Internet Solutions + Ltd.) Files: quote_82[12]_local.c. + + Bugfix: wrong default for relay_domains (Juergen Kirschbaum, + Bayerische Landesbank). File: mail_params.h. + + Bugfix: changed 5xx response for "too may recipients" to + 4xx. File: smtpd.c. + +19990106 + + Feature: defer_transports specifies the names of transports + that should be used only when "sendmail -q" (or equivalent) + is issued. For example, "defer_transports = smtp" is useful + for sites that are disconnected most of the time. File: + qmgr_message.c. + +19990107 + + Feature: local_command_shell specifies a non-default shell + for delivery to command by the local delivery agent. For + example, "local_command_shell = /some/where/smrsh -c" + restricts what may appear in "|command" destinations. + File: global/pipe_command.c. + +19990112-16 + + Feature: SMTP command pipelining support based on an initial + version by Jon Ribbens, Oaktree Internet Solutions Ltd. + This one took several days of massaging before I felt + comfortable about it. Files: smtp.c, smtp_proto.c. + + Bugfix: the SMTP server would flush responses one-by-one, + which caused suboptimal performance with pipelined clients. + The vstream routines now flush the write buffer when the + read() routine is called, instead of flushing when the + application changes from writing to reading. Delayed flush + prevents the SMTP server from flushing responses one-by-one + and thus triggering Nagle's algorithm. File: util/vstream.c. + +19990117 + + Bugfixes and enhancements to the smtpstone tools by Drew + Derbyshire, Kendra Electronic Wonderworks: send helo command, + send message headers, format the message content to lines + < 80, work around NT stacks, make "." recognition more + robust. Files: smtp-source.c, smtp-sink.c. + + Strategy: look at the deferred queue only when the incoming + queue is empty; limit the number of recipients read from + a queue file depending on the number of recipients already + in core. Files: qmgr.c, qmgr_message.c. + + Feature: postponed anti-UCE restrictions. The decision to + reject junk mail on the basis of the client name/address, + HELO hostname or sender address can now be postponed until + the RCPT TO command (or HELO or MAIL FROM if you like). + File: smtpd_check.c. + +19990118 + + Feature: incremental updates of alias databases and of + other lookup tables. Both postalias and postmap now take + a -i option for incremental updates from standard input. + Files: global/mkmap_*.c, post{map,alias}/post{map,alias}.c. + + Compatibility: newaliases can now update multiple alias + databases: list them in the "alias_database" parameter in + main.cf. By the same token, postalias can now update multiple + maps in one command. Files: post{map,alias}/post{map,alias}.c + + Feature: mail to <> is now sent to the address specified + with the "empty_address_recipient" configuration parameter + which defaults to MAILER-DAEMON (idea by Lamont Jones, + Hewlett-Packard). File: cleanup/cleanup_envelope.c. + + Compatibility: the transport table now uses .domain.name + to match subdomains, just like sendmail mailer tables (patch + by Lamont Jones, Hewlett-Packard). + + Feature: mailq now ends with a total queue size summary + (Eilon Gishri, Israel Inter University Computation Center). + +19990119 + + Feature: address masquerade exceptions for user names listed + in the "masquerade_exceptions" configuration parameter. + File: cleanup/cleanup_masquerade.c. + + Feature: qmail-style maildir support, based on initial code + by Kevin W. Brown, Quantum Internet Services Inc. + + Workaround: Solaris 2.something connect() fails with + ECONNREFUSED when the system is busy (Chris Cappuccio, + Empire Net). File: global/mail_connect.c. + + Feature: the cleanup service now adds a Return-Path: header + when none is present. This header is needed for some mail + delivery programs (see below). File: cleanup_message.c. + + Feature: the pipe mailer now supports $user, $extension + and $mailbox macros in command-line expansions. This, plus + the Return-Path: header (see above), should be sufficient + to support cyrus IMAP out of the box. Based on initial + code by Joerg Henne, Cogito Informationssysteme GMBH. + File: pipe/pipe.c. + + Bugfix: with address extensions enabled, canonical and + virtual lookups now are done in the proper order: + user+foo@domain, user@domain, user+foo, user, @domain. + File: global/mail_addr_find.c. + +19990119 + + Feature: the local mailer now prepends a Received: message + header with the queue ID to forwarded mail, in order to + make message tracing easier. File: local/forward.c. + + Cleanup: after "postfix reload", no more broken pipe + complaints from resolve/rewrite clients. + +19990121 + + Feature: pickup (again) logs uid and sender address. On + repeated request by Scott Cotton, Internet Consultants + Group, Inc. + + Portability: doze() function for systems without usleep(). + + Cleanup: clients are now consistently logged as host[address]. + +19990122 + + Maildir support changed: specify "home_mailbox = Maildir/". + The magic is the trailing /. Suggested by Daniel Eisenbud, + University of California at Berkeley. + + Maildir support from aliases, :include: and .forward files. + Specify /file/name/ - the trailing / is required. Suggested + by Daniel Eisenbud, University of California at Berkeley. + + Workaround: watchdog timer to prevent the queue manager + from locking up on some systems. + + Bugfix: in Received: headers, the "for <recipient>" + information was in the wrong place. Pointed out by Jon + Ribbens, Oaktree Internet Solutions Ltd. + +19990124 + + Portability: more workarounds for GNU getopt() by Liviu + Daia, Institute of Mathematics, Romanian Academy. File: + sendmail/sendmail.c. + +19990125 + + Bugfix: Postfix should not masquerade recipient addresses + extracted from message headers. Problem reported by David + Blacka, Network Solutions. File: cleanup/cleanup_message.c. + +19990126 + + Feature: smtpd_etrn_restrictions parameter to restrict who + may use ETRN and what domains may be specified. Example: + "smtpd_etrn_restrictions = permit_mynetworks, reject". + Requested by Jon Ribbens, Oaktree Internet Solutions Ltd. + File: smtpd/smtpd_check.c. + +19990127 + + Bugfix: in an attempt to shave some cycles, the anti junk + mail routines would use the wrong resolved address. This + "optimization" is now turned off. Problem reported by Sam + Eaton, Pavilion Internet Plc. File: smtpd/smtpd_check.c. + + Feature: BIFF notifications. For compatibility reasons + this feature is on by default. This "protocol" can be a + real performance pig. Specify "biff = no" in main.cf if + your machine has lots of shell users. Feature requested by + Dan Farmer - it's one of the things one does for friends. + Files: local/mailbox.c, local/biff_notify.c. + + Bugfix: another case sensitivity problem, this time with + virtual lookups to recognize unknown@virtual.domain. + Problem reported by Bo Kleve, Linkoping University. File: + qmgr/qmgr_message.c. + +19990128 + + Feature: with "soft_bounce = yes", defer delivery instead + of bouncing mail. This is a safety net for configuration + errors with delivery agents. It has no effect on errors in + virtual maps, canonical maps, or in junk mail restrictions. + Feature requested by Bennett Todd. File: global/bounce.c. + +19990129 + + Compatibility: the qmail maildir.5 documentation prescribes + maildir file names of the form time.pid.hostname, which is + wrong because Postfix processes perform multiple deliveries. + Elsewhere the qmail author has documented how maildir files + should be named under such conditions. Postfix has been + changed to be conformant. File: local/maildir.c. + +19990131 + + Feature: special treatment of owner-foo and foo-request + can be turned off. Specify "owner_request_special = no". + Requested by Matthew Green and others. Files: local/alias.c, + global/split_addr.c. This affects canonical, virtual and + alias lookups. + +19990204 + + Portability: signal handling for HP-UX 9 by Lamont Jones + of Hewlett Packard. File: master/master_sig.c. + + Robustness: disable random walk inside a per-site queue to + avoid message starvation under heavy load. File: qmgr_entry.c. + + Robustness: under some conditions the queue manager could + declare a host dead after just one delivery failure. File: + qmgr_queue.c. + +19990212 + + Feature: skip SMTP servers that greet us with a 4XX status + code. Example: "smtp_skip_4xx_greeting = yes". By default, + the Postfix SMTP client defers delivery when a server + declines talking to us. File: smtp/smtp_connect.c. + + Robustness: upon startup the queue manager now moves active + queue files to the incoming queue instead of the deferred + queue, to avoid anomalous delivery delays on systems that + have a huge incoming queue. Files: qmgr/qmgr.c, + qmgr/qmgr_active.c, global/mail_flush.c, conf/postfix-script* + +19990213 + + Robustness: added watchdog timers to avoid getting stuck + on systems with broken select() socket implementations. + File: qmgr_transport.c, qmgr_deliver.c. + +19990218 + + Feature: NFS-friendly delivery to mailbox by avoiding the + use of root privileges as much as possible. With input by + Mike Muus, Army Research Lab, USA. + + Feature: the smtp-sink test server now supports SMTP command + pipelining. To this end we had to generalize the timer and + vstream support. Poor performance is fixed 19990222. + + Cleanup: timer event routines now have the same interface + as read/write event routines (event type + context). File: + util/events.c. + + Feature: new vstream_peek() routine to tell how much unread + data is left in a VSTREAM buffer. This is the vstream + variant of the peekfd() routine for kernel read buffers. + File: util/vstream.c. + + Feature: directory scanning support for hashed mail queue + directories. So far the results are disappointing: with + depth = 2 (16 directories with 16 subdirectories), mailq + takes 5 seconds with an empty queue unless all directories + happen to be cached in memory. We need a bit map before + hashed queue directories become practical. Depth=1 hashing + doesn't slow down mailq much, but doesn't help much either. + Files: util/scan_dir.c, global/mail_scan_dir.c. + +19990221 + + Workaround: with "ignore_mx_lookup_error = yes", the SMTP + client always performs an A lookup when an MX lookup could + not be completed, rather than treating MX lookup failure + as a temporary error condition. Unfortunately there are + many broken DNS servers on the Internet. File: smtp/smtp_addr.c. + +19990222 + + Performance: rewrote the guts of the smtp-sink test server + so it can do pipelining without losing performance. + +19990223 + + Workaround: hotmail.com sometimes drops the connection + after "." (causing misleading diagnostics to be logged) or + waits minutes after receiving QUIT. Solution: do not wait + for the response to QUIT. File: smtp/smtp_proto.c. This + is turned off with: "smtp_skip_quit_response = no". + +19990224 + + Feature: the pipe mailer accepts user=username:groupname, + based on code submitted by Philip A. Prindeville, Mirapoint, + Inc., USA. File: pipe/pipe.c. + + Workaround: use file locking to prevent multiple processes + from select()ing on the same socket. This causes performance + problems on large BSD systems. Files: master/*_server.c. + +19990225 + + Bugfix: with "inet_interfaces = 127.0.0.1", don't bind to + the loopback interface. Problem reported by Steve Bellovin + of AT&T. File: smtp/smtp_addr.c. + + Feature: "postsuper" command to remove stale queue files + to update queues after changes to the queue structure + parameters (hash_queue_names, hash_queue_depth). This + command is to be run from the postfix-script maintenance + shell script. + +19990301 + + Feature: new postconf -h (suppress `name = ' in output) + option to make the program easier to use in, e.g., shell + scripts. + + Feature: dict_unix module so you can add the UNIX passwd + table to the SMTPD access control list. + +19990302 + + Feature: "luser_relay = destination" captures mail for + non-existent local recipients. This works only when the + local delivery agent does mailbox delivery (including + delivery via mailbox_command), not when mailbox delivery + is delegated to another message transport. + + Feature: new reject_non_fqdn_{hostname,sender,recipient} + restrictions to require fully.qualified.domain forms in + HELO, MAIL FROM and RCPT TO commands (while still allowing + the <> sender address). + +19990304 + + Bugfix: backed out the 19990119 change to always insert + Return-Path: if that header is not present. The pipe and + local agents now are responsible for prepending Return-Path:. + Files: cleanup/cleanup_message.c, global/mail_copy.[hc], + pipe/pipe.c, global/header_opts.c. This causes an incompatible + change to the pipe flags parameter, because Return-Path: + now must be requested explicitly. + +19990305 + + Bugfix: showq (the mailq server) incorrectly assumed that + all recipients of a deferred message are listed in the + corresponding defer logfile. It now lists all recipients. + Files: showq/showq.c, cleanup/cleanup_envelope.c (ensure + that sender records always precede recipient records). + + Cleanup: smtpd HELO restrictions validate [numerical] forms. + Files: util/valid_hostname.c, smtpd/smtpd_check.c. Initial + code by Philip A. Prindeville, Mirapoint, Inc., USA. + +19990306 + + Cleanup: re-vamped the valid_hostname module, and added a + maximal label length (63) requirement. + + Feature: fallback_relay parameter to specify extra backup + hosts in case the regular relay hosts are not found or not + available. Files: smtp/smtp_addr.c. + + Feature: "always_bcc = address" specifies where to send a + copy of each message that enters he system. However, if + that copy bounces, the sender will be informed of the + bounce. Files: smtpd/smtpd.c, pickup/pickup.c + + Compatibility: the transport map will now route on top-level + domains, so you can dump all of .bitnet to a bitnet relay. + +19990307 + + Feature: LDAP lookups, updated by Jon Hensley, Merit Network, + USA. + + Feature: regular expression (PCRE) support by Andrew + McNamara, connect.com.au Pty. Ltd., Australia. In order to + use this code specify pcre:/file/name. You can use this + anywhere you would use a DB or DBM file, NIS or LDAP. See: + PCRE_README for how to enable this code. + + Feature: "delay_warning_time = 4" causes Postfix to send + a "your mail is delayed" notice after approx. 4 hours. + Daniel Eisenbud, University of California at Berkeley. + Files: qmgr/qmgr_active.c, qmgr/qmgr_message. Postmaster + notices for delayed mail are disabled by default. In order + to receive postmaster notices, specify "notify_classes = + ... delay ...". + + Cleanup: do not send undeliverable bounced mail to postmaster. + This was causing lots of pain with junk mail from bogus + sender addresses to non-existent recipients. This change + was reversed 19990311. + +19990308 + + Bugfix: the dotforward routine was too eager with throwing + away extension information, so that the Delivered-To: info + would differ for \mailbox and |command. Problem reported + by Rafi Sadowski, Open University, Israel. + + Bugfix: seems I never got around to fix the btree access + method. I finally did. Problem reported by: Matt Smith, + AvTel Communications Inc., USA. + +19990311 + + Back by popular demand: with "notify_classes = 2bounce ..." + Postfix will send undeliverable bounced mail to postmaster. + The default is to not send double bounces. This change + reverses a change made on 19990307. + +19990312 + + Feature: configurable exit handler for server skeletons. + Philip A. Prindeville, Mirapoint, Inc., USA. Files: + master/*server.c. + + Feature: mail_spool_directory configuration parameter to + specify the UNIX mail spool directory. The default setting + is system dependent. + +19990313 + + Cleanup: share file descriptors for resolve and rewrite + client connections. This puts less strain on the trivial-rewrite + service. + + Portability: support for UnixWare 2.1 by Dmitry E. Kiselyov, + Nizhny Novgorod City Health Emergency Station. + + Feature: configurable delays in the smtpstone test programs. + With input by Philip A. Prindeville, Mirapoint, Inc., USA. + Files: smtpstone/*.c. + + Bugfix: a "signal 11" problem in the trivial-rewrite program + that would occasionally happen after "postfix reload". + Reason: some rewrite clients would clobber their input, + and when they had to retransmit the query, the input would + be a zero-length string, which trivial-rewrite isn't supposed + to receive. + +19990314 + + Feature: "mailbox_transport = cyrus" delegates all local + mailbox delivery to a master.cf entry called "cyrus" (the + same trick for procmail), including users not found in the + UNIX passwd database. This gives the flexibility of $name + expansions by the pipe mailer, without losing local aliases + and ~/.forward processing. Result of discussions with Rupa + Schomaker, RS Consulting. + +19990315 + + Feature: the mydestination parameter can now be an empty + string, for hosts that don't receive any mail locally. Be + sure to specify a default route for mail that comes to the + machine or mail will loop. + +19990316 + + Bugfix: the SMTPD check scaffolding didn't apply the same + sanity checks as the production code. Problem reported by + Alain Thivillon, Herve Schauer Consultants, France. File: + smtpd/smtpd_check.c. + + Portability: some systems can have more than 59 seconds in + a minute. Based on a fix by Liviu Daia, Institute of + Mathematics, Romanian Academy. File: global/mail_date.c. + + Enhancement: include the client network address in the + rejected by RBL response. Lamont Jones, Hewlett-Packard. + + Workaround: use fstat() to figure out if the maildrop is + world-writable. access() uses the real uid, which stinks. + + Robustness: don't do partial address lookups (user@, domain, + user, @domain) with regexp-style tables. + + Security: don't allow regexp-style tables to be used for + aliases. It would be too easy to slip in "|command" or + :include: or /file/name. + +19990317 + + Feature: "fallback_transport = cyrus" delegates non-UNIX + recipients to a master.cf entry called "cyrus", allowing + you to have both UNIX and non-UNIX mailboxes side by side. + +19990319 + + Workaround: on 4.4 BSD derivatives, fstat() can return + EBADF on an open file descriptor. Now, that was a surprise. + This caused std{out,err} from cron commands to not be + delivered. + + Bugfix: "local -v" stopped working. + + Workaround: more watchdog timers for postfix-unfriendly + systems. By now every Postfix daemon has one. Call it life + insurance. + + Robustness: increased the maximal time to receive or deliver + mail from $ipc_timeout (default: 3600 seconds) to the more + generous $daemon_timeout (default: 18000 seconds). We don't + want false alarms. + + Portability: IRIX 5.2 does not have usleep(). + +19990320 + + Bugfix: \username was broken. Frank Dziuba was the first + to notice. + +19990321 + + Workaround: from now on, Postfix on Solaris uses stream + pipes instead of UNIX-domain sockets. Despite workarounds, + the latter were causing more trouble than anything else on + all systems combined. + +19990322 + + Portability: the makedefs would mis-identify IRIX 6.5.x as + IRIX 5.x. Fix by Brian Truelsen of Maersk Mc-Kinney Moller + Institute for Production Technology, Denmark. + + Feature: reject_unknown_recipient_domain restriction for + recipient addresses. For the sake of symmetry, we now also + have reject_unknown_sender_domain. This means the old + reject_unknown_address restriction is being phased out. + Suggested by Rask Ingemann Lambertsen, Denmark Technical + University. + + Feature: unknown sender/recipient domain restrictions now + distinguish between soft errors (always: 450) and hard + errors (configurable with the unknown_address_reject_code + parameter, default: 450; use 550 at your own risk). + + Feature: no HELO junk mail restrictions means that no syntax + check will be done on HELO/EHLO hostname arguments. + + Bugfix: the initial Solaris workaround for UNIX-domain + sockets could cause the queue manager to block if Postfix + ran into a delivery agent process limit. After another code + rewrite that problem is eliminated. Thanks to Chris + Cappuccio, Empire Net, for assistance with testing. + +19990323 + + Bugfix: too much forwarding when users list their own name + in their .forward file (e.g. mail to user@localhost would + go through .forward, would be forwarded to user@$myorigin, + and would go through .forward again). Problem reported by + Roman Dolejsi, Prague University of Economics. + +19990324 + + Bugfix: missing map name in check_xxx_access restrictions + could cause a segmentation error. Lamont Jones, Hewlett- + Packard. + + Feature: forward_path configuration parameter (default: + $home/.forward$recipient_delimiter$extension,$home/.forward). + Based on initial code by Philip A. Prindeville, Mirapoint, + Inc., USA. Files: local/dotforward.c. + +19990325 + + Workaround: Solaris NIS alias maps need special entries + (YP_MASTER_NAME, YP_LAST_MODIFIED). What's worse, normal + keys/values include a null byte at the end, but the YP_XXX + ones don't. Problem reported by Walcir Fontanini, state + university of Campinas, Brazil. File: postalias/postalias.c. + + Compatibility: Solaris NIS apparently does include a null + byte at the end of keys and values. File: util/sys_defs.h. + + Feature: library support for config parameters that are + not $name expanded at program start-up. This was needed + for forward_path, and will also be needed to make message + headers customizable. + + Bugfix: pcre didn't handle \\ right. Lamont Jones, Hewlett- + Packard. File: util/dict_pcre.c. + +19990326 + + Compatibility: Postfix now puts two spaces after the sender + in a "From sender date..." header. Found by John A. Martin, + fixed by Lamont Jones, Hewlett-Packard. + + Bugfix: when a recipient appeared multiple times in a local + alias or include expansion, the delivery status could be + left uninitialized, causing the mail to be deferred and + delivered again. File: local/recipient.c. + +19990327 + + Cleanup: the dictionary routines now take an extra flag + argument to control such things as warning about duplicates, + and appending null bytes to key/value. The latter was needed + for a clean implementation of NIS master alias maps support. + + Feature: POSIX regular expressions by Lamont Jones. See + config/sample-regexp.c. Right now, enabled on *BSD and + LINUX only. + +19990328 + + Code cleanup: dictionaries now have flags that say whether + lookup keys are fixed strings or whether keys are subjected + to pattern matching. This is needed to avoid passing partial + addresses to regexp-based lookup tables (user, @domain, + user@, domain). Files: util/dict*.c. + + Bugfix: fixed memory leaks and core dumps in the regexp + and pcre routines (neither handled an empty pattern file). + +19990329 + + Code cleanup: the dictionary I/O routines now do their own + locking depending on dictionary flag settings. This means + that the low-level dict_get() interface can now be used + for safe dictionary lookups. This is needed for 19990328's + partial lookup key support. Files: util/dict*.c. global/maps.c. + + Feature: regular expression matches are no longer limited + to user@domain address forms in access/canonical/virtual + maps, but can also be used for domains in transport maps. + This needed the partial lookup key support to avoid passing + partial addresses to regexp-based lookup tables (user, + @domain, user@, domain). Files: global/maps.c + global/mail_addr_find.c. + + Feature: new dictionary types can be registered with + dict_open_register(). File: util/dict_open.c. + +19990330 + + Bug fix: match_list membership dictionary lookups were case + sensitive when they should not. Patch by Lutz Jaenicke, + BTU Cottbus, Germany. + +19990402 + + Feature: $domain macro support in forward_path. Philip A. + Prindeville, Mirapoint, Inc., USA. File: local/dotforward.c. + + Feature: if an address extension (+foo) is explicitly + matched by the .forward+foo file name, do not propagate + the extension to recipient addresses. This is more consistent + with the way aliases are expanded. File: local/dotforward.c. + +19990404 + + Bugfix: after receiving mail, the SMTP server didn't reset + the cleanup error flag, so that multiple deliveries over + the same SMTP session could fail due to errors with previous + deliveries. Found by Lamont Jones, Hewlett-Packard. + +19990405 + + Feature: MIME-encapsulated bounces. Philip A. Prindeville, + Mirapoint, Inc., USA. File: bounce/bounce_notify_service.c + + Cleanup: vstreams now properly look at the EOF flag before + attempting to read, eliminating the need for typing Ctrl-D + twice to test programs; the EOF flag is reset after each + unget or seek operation. Files: util/vstream.c, util/vbuf.c. + + Feature: in preparation for configurable message headers + the mac_parse() routine now balances the parentheses in + ${name} or $(name). We need this in order to support + conditional expressions such as ${name?text} where `text' + contains other ${name} expressions. + +19990406 + + Cleanup: changed MIME header information to make bounces + more RFC 1892 compliant. + +19990407 + + Feature: "best_mx_transport = local" delivers mail locally + if the local machine is the best mail exchanger (by default, + mail is bounced with a "mail loops back to myself" error). + + Config: in order to make feature tracking easier the source + code distribution now has a copy of the default settings + in conf/main.cf.default. + + Feature: separate configurable postmaster addresses for + single bounces (bounce_notice_recipient), double bounces + (2bounce_notice_recipient), delayed mail (delay_notice_recipient), + and for other mailer errors (error_notice_recipient). The + default for all is "postmaster". + +19990408 + + Workaround: on Solaris 2.x, the master appears to lose its + exclusive lock on the master.pid file, so keep grabbing + the lock each time the master wakes up from select(). + + Robustness: don't flush VSTREAM buffers after I/O error. + This prevents surprises when calling vstream_fclose() after + truncating a mailbox to its original size. + + Portability: on LINUX systems, if <db_185.h> exists, don't + look for <db/db.h>. + + Workaround: specify "sun_mailtool_compatibility = yes" to + avoid clashes with the mailtool application. This disables + kernel locks on mailbox files. Use only where needed. + + Portability: renamed readline to readlline, to avoid clashes + with mysql. + +19990409 + + Bugfix: ignore temp queue files that aren't old enough. + Problem reported by Vivek Khera, Khera Communications, Inc. + + Bugfix: fixed typo in dict_db.c that caused processes to + not release DB shared locks. + + Feature: auto-detection of changes to DB or DBM lookup + tables. This avoids the need to run "postfix reload" after + change to the smtp access table and other tables. + + Feature: regular expression checks for message headers. + This requires support for POSIX or for PCRE regular + expressions. Specify "header_checks = regexp:/file/name" + or "header_checks = pcre:/file/name", and specify + "/^header-name: badstuff/ REJECT" in the pattern file + (patterns are case-insensitive by default). Code by Lamont + Jones, Hewlett-Packard. It is to be expected that full + content filtering will be delegated to an external command. + +19990410 + + Bugfix: auto-detection of changes to DB or DBM lookup tables + wasn't done for TCP connections. + +19990410 + + Feature: $recipient expansion in forward_path. Philip A. + Prindeville, Mirapoint, Inc., USA. File: local/dotforward.c + + Feature: the smtp client consistently treats a numerical + hostname as an address. File: smtp/smtp_addr.c. + +19990414 + + Compatibility: support comment lines starting with # in + $mydestination include files. This makes Postfix more + compatible with sendmail.cw files. File: util/match_list.c. + + Feature: if your machines have short host names, specify + "mydomain = domain.name", and you no longer have to specify + "myhostname = host.domain.name". Files: global/mail_params.c, + postconf/postconf.c. + +19990420 + + Cleanup: bounce mail when a mailbox goes over file quota, + instead of deferring delivery. File: local/mailbox.c. + +19990421 + + Feature: auto-detection of changes to DB or DBM lookup + tables now includes the case where a file is unlinked. + Philip A. Prindeville, Mirapoint, Inc., USA. File: + util/dict.c. + +19990422 + + Robustness: Lotus mail sends MAIL FROM: <@> instead of <>. + Problem reported by Erik Toubro Nielsen, IFAD, Denmark. + Files: trivial-rewrite/rewrite.c (@ becomes empty address) + and global/rewrite_clnt.c (allow empty response). + + Bugfix: showq could segfault when writing to a broken pipe. + Problem reported by Bryan Fullerton, Canadian Broadcasting + Corporation. Files: util/vbuf_print.c. + + Cleanup: got rid of the "fatal: write error: Broken pipe" + message when mailq output is piped into a program that + terminates early. + + Cleanup: bounce messages are multipart/mixed with the error + report as part of the first message segment, because users + had trouble extracting the delivery error report from the + attachment. + +19990423 + + Cleanup: the default junk mail reject code is now 554 + (service unavailable) rather than 550 (user unknown). + + Folded in the updated dict_ldap.c module by John Hensley, + Merit Network, USA. + + Folded in the vstream_popen.c updates by Philip A. + Prindeville, Mirapoint, Inc., USA. This copies a lot of + code from pipe_command(); the next step is to trim that + module. + +19990425 + + Workaround: renamed config.h to mail_conf.h etc. in order + to avoid name collisions with LINUX (yes, they have a system + include file called config.h). For compatibility with people + who have written software for Postfix, there's a config.h + that aliases the old names to the new ones. That file will + go away eventually. + +19990426 + + Feature: error mailer, in order to easily bounce mail for + specific destinations. In the transport table, specify: + "host.domain error:host.domain is unavailable". Too bad + that the transport table triggers on destination domain + only; it would be nice to bounce specific users as well. + +19990427 + + Cleanup: "disable_dns_lookups = yes" now should disable + all DNS lookups by the SMTP client. + +19990428 + + Bugfix: with DBM files, Postfix was watching the "dir" file + modification time for changes. It should be watching the + "pag" file instead. + +19990429 + + Cleanup: all callbacks in the master to server API now pass + on the service name and the application-specific argument + vector. Files: master/*server.c. + +19990504 + + Feature: conditional macro expansion. ${name?text} expands + to text when name is defined, otherwise the result is empty. + ${name:text} expands to text when name is undefined, + otherwise the result is empty. File: util/mac_expand.c. + + Feature: conditional macro expansion of the forward_path + configuration parameters of $user, $home, $shell, $recipient, + $extension, $domain, $mailbox and $recipient_delimiter. + Files: local/dotforward.c, local/local_expand.c. + +19990506 + + Cleanup: eliminated misleading warnings about unknown HELO + etc. SMTPD restrictions when the HELO etc. information is + not available. File: smtpd/smtpd_check.c. + +19990507 + + Feature: all smtpd reject messages now contain the MAIL + FROM and RCPT TO addresses, if available. + +19990508 + + Feature: conditional macro expansion of the luser_relay + configuration parameter. It is no longer possible to specify + /file/name or "|command" destinations. File: local/unknown.c. + + Cleanup: changed the mac_parse interface so that the + application callback routine can return status information. + Updated the dict_regexp and dict_pcre modules accordingly. + + Cleanup: changed the mac_expand interface so that the caller + provides an attribute lookup routine, instead of having to + provide a copy of all attributes upfront. Files: + util/mac_expand.c, local/local_expand.c. + + Feature: control over how address extensions are propagated + to other addresses. By default, propagation of unmatched + address extensions is now restricted to canonical and + virtual mappings. Specify "propagate_unmatched_extensions + = canonical, virtual, alias, forward, include" to restore + previous behavior. + +19990509 + + Feature: USER, EXTENSION, DOMAIN, RECIPIENT (entire address) + and MAILBOX (address localpart) environment variables are + exported to shell commands (including mailbox_command). + + Feature: new command_expansion_filter parameter to control + what characters may appear in message attributes that are + exported via environment variables. + + Cleanup: SMTPD reject messages are more informative, and + more complete sender/recipient information is logged for + the local sysadmin. + +19990510 + + Bugfix: missing MIME header in postmaster bounce notices. + Found by Samuel Tardieu, Ecole Nationale Superieure des + Telecommunications, France. + + Feature: UCE restrictions are always delayed until RCPT + TO, VRFY or ETRN. To change back to the default specify + "smtpd_delay_reject = no" in /etc/postfix/main.cf. + + Bugfix: missing duplicate filter call. This caused too many + deliveries when a user is listed multiple times in an alias. + Reported by Hideyuki Suzuki, School of Engineering, University + of Tokyo. Backed out on 19990512 because it caused problems. + Fixed 19990513 but needs further study. + + Feature: it is now possible to move queue files back into + the maildrop queue, so that they can benefit from changes + in canonical and virtual mappings. In order to make this + possible, some restrictions on queue file contents were + relaxed. Files: pickup/pickup.c, cleanup/cleanup_extracted.c. + + Feature: made a start with integrating Joerg Henne's + dictionary extensions to remove entries and to iterate over + entries. That code is almost four months old by now. + +19990511 + + Feature: added a "undeliverable postmaster notification + discarded" warning when mail is dropped on the floor. + Requested by Michael Hasenstein, SuSE, Germany. + +19990517 + + Bugfix: reject_non_fqdn_sender/recipient would pass + user@[ip_address] regardless of destination. Eric Cholet + had the honor of suffering from this one. + +19990527 + + More SMTP client logging for easier debugging: the smtp + client now logs hostname[ip.addr], and logs every failed + attempt to reach an MX host, not just the last one. + +19990601 + + Bugfix: emit a blank line before a MIME boundary; the line + is part of the boundary. File: bounce/bounce_notify_service.c. + Wolfgang Segmuller, IBM Research. + +19990610 + + Bugfix: the "is this the loopback interface" test was + broken. Reported by Claus Fischer @microworld.com. File: + smtp/smtp_connect.c. + + Usability: added helpful warnings about restrictions that + are being ignored after check_relay_domains, etc. + + Portability: Reliant Unix support by Gert-Jan Looy, Siemens, + the Netherlands. + +19990611 + + Robustness: the postfix-script start-up procedure now + detects a missing master program, avoiding misleading + warnings that the mail system is already running. Fix + suggested by David E. Smith @technopagan.org. + + Portability: Mac OS X Server Port by Mark Miller @swoon.net. + + Feature: on systems that use dotlock files for mailbox + locking, the local delivery agent now will attempt to use + dotlock files when delivering to user-specified files. + Dotlock files for user-specified destinations are created + with the privileges of the user. For backwards compatibility, + Postfix will attempt to create dotlocks for user-specified + destinations only when the user has parent directory write + permission. + + Feature: specify "expand_owner_alias = yes" in order to + use the right-hand side of an owner- alias, instead of + using the left-hand side address. Needed by Juergen Georgi. + +19990622 + + Bugfix: the local delivery agent did not set user attributes + when delivering to root, so that forward_path did not expand + properly. Found by Jozsef Kadlecsik, KFKI Research Institute + for Particle and Nuclear Physics, Hungary. File: + local/dotforward.c. + + Bugfix: the unix:passwd.byname mechanism is not suitable + for smtpd access control - the user name would have to end + in @, or the access control software would have to be + changed. Removed the example from the RELEASE_NOTES file. + +19990623 + + Bugfix: the smtp server did not reset the error flag after + ".". Found by James Ponder, Oaktree Internet Solutions Ltd. + File: smtpd/smtpd.c. + + Bugfix: fencepost error in the doze() routine (an usleep() + replacement for systems without one). Found by Simon J + Mudd. File: util/doze.c. + +19990624 + + Portability: support for AIX 3.2.5 (!) by Florian Lohoff + @rfc822.org. + + Portability: Ultrix 4.3 support by Christian von Roques + @pond.sub.org. + + Feature: mysql support by Scott Cotton and Joshua Marcus, + Internet Consultants Group, Inc. Files: util/dict_myqsl.*. + +19990627 + + Bugfix: Postfix is now distributed under the new IBM Public + License (version 1, dated June 14, 1999). + + Feature: the Delivered-To: header can be turned off for + delivery to command or file/mailbox. The default setting + is: "prepend_delivered_header = command, file, forward". + Turning off the Delivered-To: header when forwarding mail + is not recommended. + +19990628 + + Feature: the postlock command now returns EX_TEMPFAIL when + the destination file is locked by another process. + +19990705 + + Workaround: in the SMTP client, move the "mail loops back + to myself test" from the 220 greeting to the HELO response. + This change does not weaken the test, and makes Postfix + more robust against broken software that greets with the + client hostname. + +19990706 + + Workaround: in the INSTALL file, use `&&' instead of `;' + in (cd path; tar ...) pipelines because some UNIX re-invented + shells don't bail out when cd fails. Matthias Andree + @stud.uni-dortmund.de. + +19990709 + + Bugfix: $user was not set when delivering to a non-user. + Found by Vladimir Ulogov @ rohan.control.att.com when + configuring a luser_relay that contained $user. + +19990714 + + Robustness: add PATH statement to Solaris2 chroot setup + script to avoid running the ucb commands. Problem found by + Panagiotis Astithas @ ece.ntua.gr. + +19990721 + + Bugfix: don't claim a "mail loops to myself" error when + the best MX host was not found in the DNS. Found by Andrew + McNamara, connect.com.au Pty Ltd. File: smtp/smtp_addr.c. + +19990810 + + Feature: added "-c config_dir" support to the postconf + command. This probably means that "-f file" will never be + implemented. + +19990812 + + Bugfix: showq didn't print properly when listing a maildrop + file. Fix by: Andrew McNamara, connect.com.au Pty Ltd. + File: showq/showq.c. + + Feature: added SENDER to the list of parameters exported + to external commands. File: local/command.c. Code by: Lars + Hecking, National Microelectronics Research Centre, Ireland. + +19990813 + + Bugfix: sendmail -t (extract recipients from headers) did + not work when the always_bcc feature was turned on. Reported + by: Denis Shaposhnikov @ neva.vlink.ru. + +19990813 + Bugfix: "sendmail -bd" returns a bogus exit status (the + child process ID). Fix by Lamont Jones of Hewlett-Packard. + File: sendmail/sendmail.c. + +19990824 + + Bugfix: null pointer dereference while rejecting VRFY before + MAIL FROM. Found by Laurent Wacrenier @ fr.clara.net. + +19990826 + + Portability: more MacOS X Server patches; some NEXTSTEP/OPENSTEP + code that had been removed for the first public beta release; + NEXTSTEP/OPENSTEP now defaults to netinfo for the aliases + database. Submitted by Gerben Wierda. + + Portability: workaround for a FreeBSD 3.x active network + interface without IP address by Pierre Beyssac @ enst.fr. + File: inet_addr_local.c. + +19990831 + + Workaround: sendmail now prints a warning when installed + set-uid or when run by a set-uid command. Reportedly, the + linuxconf software turns on the set-uid bit, which could + open up a security loophole. File: sendmail/sendmail.c. + + Bugfix: Postfix daemons now temporarily lock DB/DBM files + while opening them, in order to avoid "invalid argument" + errors because some other process is changing the file. + Files: util/dict_db.c, util/dict_dbm.c. + + Robustness: Postfix locks queue files during delivery, to + prevent duplicate delivery when "postfix reload" is + immediately followed by "sendmail -q". This involves a + change of the deliver_request interface: delivery agents + no longer need to open and close queue files explicitly. + Files: global/deliver_request.c, pipe/pipe.c, smtp/smtp.c, + local/local.c, qmgr/qmgr_active.c, qmgr/qmgr_message.c. + + Feature: reject_unauth_destination SMTP recipient restriction + that rejects destinations not in $relay_domains. By Lamont + Jones of Hewlett-Packard. File: smtpd/smtpd_check.c. + + Security: do not allow weird characters in the expansion + of $names that appear in $forward_path. Just like with + shell commands, replace bad characters in expansions by + underscores. Configuration parameter: forward_expansion_filter. + +19990902 + + Documentation: added a sample postfix alias to the examples + in the INSTALL document and in the conf/aliases file. + Reminded by Simon J. Mudd @ alltrading.com. + +19990903 + + Bugfix: in case of some error conditions the pickup daemon + could leak small amounts of memory. + +19990905 + + Bugfix: no more "skipping further client input" warnings + when a message header is rejected. + + Feature: reject_unauth_pipelining SMTP restriction that + rejects mail from clients that improperly use SMTP command + pipelining. + + Robustness: the LDAP client by default no longer looks up + names containing "*". See the lookup_wildcards feature in + LDAP_README. Update by John Hensley. + + Documentation: address masquerading with exceptions FAQ by + Jim Seymour @ jimsun.LinxNet.com. + + Bugfix: mysql reconnect after disconnect by Scott Cotton + Internet Consultants Group, Inc. File: util/dict_myqsl.c. + + Portability: the Postfix to PCRE interface now expects + version 2.08. Postfix is no longer compatible with PCRE + versions before 2.6. + +19990906 + + Feature: INSTALL.sh script that makes Postfix installation + a bit less painful. This script can be used for installing + and for upgrading Postfix. It replaces files instead of + overwriting them, and leaves existing configuration and + queue files intact. + +19990907 + + Bugfix: reject_non_fqdn_sender used the wrong test to see + if a sender address was given and could dump core. This + must have been broken ever since the UCE tests were moved + to the RCPT TO stage in 19990510. + + Bugfix: check_sender_access was recognized as a valid + restriction name only if a sender had been specified. + +19990908 + + Portability: Unixware has <sysexits.h> only after sendmail + is installed. Changed postlock.c to use global/sys_exits.h. + +19990909 + + Performance: added one-entry cache to the address rewriting + client and to the address resolving client. This is because + UCE restrictions tend to produce the same query repeatedly. + Files: global/rewrite_clnt.c, global/resolve_clnt.c. + + Feature: the UCE restrictions are now fully recursive so + you can have per-client/helo/sender/recipient restrictions. + Instead of OK, REJECT or [45]xx, you can specify a sequence + of restrictions on the right-hand side of an SMTPD access + table. This means you can no longer use canonical/virtual/alias + maps as SMTPD access tables. But the loss is compensated + for. File: smtpd/smtpd_access.c. + + Feature: restriction classes, essentially a short-hand for + restriction lists. These short hands are useful mostly on + the right-hand side of SMTPD access tables. You must use + restriction classes in order to have lookup tables on the + right-hand side of an SMTPD access table. File: + smtpd/smtpd_access.c. + + Feature: "permit_recipient_map maptype:mapname" permits a + recipient address when it matches the specified table. + Lookups are done just as with canonical/virtual maps. With + this, you can also use passwd/aliases as SMTPD access maps. + File: smtpd/smtpd_access.c. + +19990910 + + Changed "permit_address_map" into "permit_recipient_map" + and added a test for the case that they specify a lookup + table on the right-hand side of an SMTPD access map. File: + smtpd/smtpd_access.c. + + Cleanup: removed spurious sender address checks for <>. + File: smtpd/smtpd_check.c. + + Cleanup: the smtp client now consistently logs host[address] + for all connection attempts. + +19990919 + + Feature: in an SMTPD access map, an all-numeric right-hand + side now means OK, for better cooperation with out-of-band + authentication mechanisms. + +19990922 + + Security: recipient addresses must not start with '-', in + order to protect external commands. The old behavior is + re-instated when main.cf specifies: "allow_min_user = + yes". Credits to Mads Kiilerich @ Kiilerich.com. File: + qmgr/qmgr_message.c. + + Bugfix: after 19990831, the queue manager would throw away + defer logs after deferring mail to known-to-be-dead hosts + or message transports. This means that in some cases, mailq + would not show why mail is delayed, and that delayed mail + could be sent back with recipients missing from the error + report. Reported by Giulio Orsero @ tiscalinet.it. + +19990923 + + Bugfix: the above bugfix broke bounces of mail with bad + address syntax and relocated users. Problem diagnosed by + Dick Porter @ acm.org. + + Documentation: added DO NOT EDIT THIS FILE. EDIT MAIN.CF + INSTEAD notices to the sample-xxx.cf files. + +19991007 + + Compatibility: ignore the sendmail -U (initial user + submission) option. Thomas Quinot @ cuivre.fr.eu.org. + +19991103 + + Code cleanup: don't send postmaster notifications when an + SMTP client sends a DATA command while no recipients were + accepted. This can happen when a pipelined client runs + into an UCE block. File: smtpd/smtpd.c. + +19991104 + + Robustness: do not apply UCE header checks to mail that is + generated by Postfix (bounces, forwarded mail etc.). Files: + smtpd/smtpd.c, pickup/pickup.c, cleanup/cleanup_message.c. + + Robustness: new generic watchdog module that can deal with + clocks that jump occasionally. Files: util/watchdog.c, + master/master.c, master/{single,multi,trigger}_server.c. + This hopefully ends the false watchdog alarms that happen + when clocks are set or when laptops are resumed. + + Code cleanup: BSMTP requires dot quoting as per RFC 821. + Based on code by Florian Lohoff @ rfc822.org. Files: + global/mail_copy.[hc], pipe/pipe.c. + +19991105 + + Bugfix: the crufty code in inet_addr_local() did not find + IP aliases. File: util/inet_addr_local.c. + + Portability: the INSTALL.sh utility did not find users or + groups in NIS or Netinfo tables. The script no longer + searches the /etc/passwd and /etc/group files. Instead it + now queries the unix:passwd.byname and unix:group.byname + maps. For this, a -q (query) option was added to postmap + (and to postalias, for symmetry). Files: util/dict_unix.c, + postalias/postalias.c, postmap/postmap.c, INSTALL.sh. + + Bugfix: LDAP lookup timeout settings were ignored. Patch + by John Hensley. File: util/dict_ldap.c. + +19991108 + + Bugfix: when doing a fresh install, INSTALL.sh didn't set + main.cf:mail_owner properly (Simon J. Mudd). + +19991109 + + Bugfix: when doing a fresh install, INSTALL.sh no longer + worked (missing main.cf file). Fix: add "-c" argument to + the postmap commands (Lars Hecking @ nmrc.ucc.ie). + + Documentation: removed spurious "do not edit" comments from + the sample pcre and regexp configuration files. + +19991110-13 + + Code cleanup: greatly simplified the SMTPD command parser + and somewhat simplified the code that groks RFC 822-style + address syntax in MAIL FROM and RCPT TO commands. + + New parameter: strict_rfc821_envelopes (default: no) to + reject RFC 822 address forms (with comments etc.) in SMTP + envelopes. By default, the Postfix SMTP server only logs + a warning. + +19991113 + + Oops, also updated the SMTP VRFY code in the light of + changes to the SMTPD command parser. + + Cleanup: the local delivery agent now explicitly rejects + recipients with an empty username. + +19991114 + + Workaround: with some gawk versions, postconf/extract.awk + reportedly returns a non-zero exit status upon success. + Added an explicit exit(0) statement. + +19991115 + + Feature: DNS TXT record lookup support, based on initial + code by Simon J Mudd. File: dns/dns_lookup.c. + + Feature: RBL TXT record lookups, based on initial code by + Simon J Mudd. File: smtpd/smtpd_check.c. + + Feature: permit_auth_destination restriction based on code + by Jesper Skriver @ skriver.dk. + + Code cleanup: the transport table now can override all + deliveries, including local ones. + +19991116 + + Code cleanup: a new "local_transports" configuration + parameter explicitly lists all transports that deliver mail + locally. The first name listed there is the default local + transport. This is the end of the "empty next-hop hostname" + hack to indicate that a destination is local. Files: + trivial-rewrite/resolve.c, global/local_transport.[hc] + + Feature: "postconf -m" shows what lookup table types are + available. Code by Scott Cotton, Internet Consultants + Group, Inc. + + Feature: "postconf -e" edits any number of main.cf parameters. + The edit is done on a copy, and the copy is renamed into + the place of the original. File: postconf/postconf.c, + util/readlline.[hc]. + +19991117 + + Portability: SunOS 4 has no SA_RESTART. File: util/watchdog.c. + + Feature: on systems with h_errno, the "reject_unknown_client" + restriction now distinguishes between soft errors (always + reply with 450) and hard errors (use the user-specified + reply code). This should lessen the load by broken mailers + that re-connect once a minute. + + Feature: forward/reverse name/address check for SMTP client + hostnames. This fends off some hypothetical attacks by + spammers who are in control of their own reverse mapping. + + Robustness: postconf no longer aborts when it can't figure + out the local domain name; it prints a warning instead. + This allows you to use "postconf -e" to fix the problem. + +19991118 + + Bugfix: the RFC822 address parser would misparse a leading + \ as an atom all by itself. Problem reported by Keith + Stevenson @ louisville.edu. File: global/tok822_parse.c. + +19991119 + + Bugfix: tiny memory leak in pipe_command() when fork() + fails. File: global/pipe_command.c. + +19991120 + + Bugfix: reversed test for all-numerical results in SMTPD + access maps. File: smtpd/smtpd_check.c. + +19991121 + + Robustness: INSTALL.sh no longer uses postmap for sanity + checks. + + Feature: INSTALL.sh now has an install_root option. + + Bugfix: INSTALL.sh now installs manual pages with proper + permissions and ownership. + + Bugfix: the LDAP client did not properly escape special + characters in lookup keys (patch by John Hensley). File: + util/dict_ldap.c. + +19991122 + + Bugfix: missing absolute path in INSTALL.sh broke fresh + install. + +19991124 + + Bugfix: the local delivery agent's recipient duplicate + filter did not work when configured to use unlimited memory + (which is not a recommended setting). Patrik Rak @raxoft.cz. + +19991125 + + Bugfix: postconf didn't have an umask(022) call at the + beginning (problem experienced by Matthias Andree). + +19991126 + + Bugfix: DNS TXT records now have string lengths before text + (Mark Martinec @ nsc.ijs.si). + +19991127 + + Update: the LDAP client code now supports escapes as per + RFC2254 (John Hensley). + +19991207 + + Performance: one message with many recipients no longer + stops other mail from being delivered. The queue manager + now frees in-memory recipients as soon as a message is + delivered to one destination, rather than waiting until + all in-memory destinations of that message have been tried. + Patch by Patrik Rak @ raxoft.cz. Files: qmgr/qmgr_entry.c, + qmgr/qmgr_message.c. + + Performance: when delivering mail to a huge list of + recipients, the queue manager now reads more recipients + from the queue file before delivery concurrency drops too + low. Files: qmgr/qmgr_entry.c, qmgr/qmgr_message.c. + +19991208 + + Updated LDAP client code by John Hensley with escape + sequences as per RFC 2254. File: util/dict_ldap.c. + + Updated MYSQL client code by Scott Cotton. File: dict_mysql.c. + + Feature: added -N/-n options to include/exclude terminating + nulls in keys and values in postmap/postalias DB or DBM + files. Normally, Postfix uses whatever is appropriate for + the host system. A non-default setting can be necessary + for inter-operability with third-party software. + + Bugfix: the local delivery agent would deliver to the user + instead of the .forward file when the .forward file was + already visited via some non-recursive path. Patch by Patrik + Rak @ raxoft.cz. Files: global/been_here.c, local/dotforward.c. + + Robustness: attempt to deliver all addresses in the expansion + of an alias or .forward file, even when some addresses must + be deferred. File: local/token.c. + +19991211 + + Performance: qmgr_fudge_factor controls what percentage of + delivery resources Postfix will devote to one message. + With 100%, delivery of one message does not begin before + delivery of the previous message is completed. This is good + for list performance, bad for one-to-one mail. With 10%, + response time for one-to-one mail improves much, but list + performance suffers. In the worst case, people near the + start of a mailing list get a burst of postings today, + while people near the end of the list get that same burst + of postings a whole day later. Files: qmgr/qmgr_message.c, + qmgr/qmgr_entry.c. + + Bugfix: address rewriting would panic on a lone \ at the + end of a line where an address was expected. Jason Hoos @ + thwack.net. File: global/rewrite_clnt.c. + +19991215 + + Bugfix: the strict RFC821 envelope address check should + not be applied to VRFY commands. File: smtpd/smtpd.c. + + Cleanup: permit_recipient_maps is gone, because that could + only be used inside UCE restrictions. + +19991216 + + Feature: allow an empty inet_interfaces parameter, just + like an empty mydestination parameter. It's needed for true + null clients and for firewalls that deliver no local mail. + + Feature: "disable_vrfy_command = yes" disables some forms + of address harvesting used by spammers. + + Workaround: added the alias map parameter definition to + the smtpd code. This is a symptom of a general problem + with parameters that have non-empty default values: unless + a program explicitly defines such a parameter, the parameter + defaults to the empty string when used in other parameters. + There's also a problem with evaluation order. + + Feature: the SMTP server rejects mail for unknown users in + virtual domains that are defined by Postfix virtual domain + files. File: smtpd/smtpd_check.c. + + Feature: reject mail for unknown local users at the SMTP + port. The local_recipient_maps configuration parameter + specifies maps with all addresses that are local with + respect to $mydestination or $inet_interfaces. Example: + "local_recipient_maps = $alias_maps unix:passwd.byname". + This feature is disabled by default. You may have to copy + the passwd file into the chroot jail. File: smtpd/smtpd_check.c. + + Feature: the sendmail -f option now understands '<user>' + and even understands address forms with RFC 822-style + comments. + +19991217 + + Cleanup: no more UCE checks for VRFY commands. It still + reports unknown local/virtual users. File: smtpd/smtpd_check.c. + + Robustness: upon Postfix startup, report discrepancies + between system files inside and outside the chroot jail. + Files: conf/postfix-script-nosgid, conf/postfix-script-sgid. + +19991218 + + Cleanup: INSTALL.sh produces relative symlinks, which is + necessary when install_root is not /. + +19991219 + + Documentation: completely reorganized the FAQ and added + many new entries. Rewrote the UCE html documentation. + + Cleanup: INSTALL.sh uses a configurable directory for + scratch files, so that it can install from a file system + that is not writable by the super-user. + + Cleanup: INSTALL.sh gives helpful hints when the "mv" + command is unable to move symlinks across file system + boundaries. + +19991220 + + Cleanup: it is no longer necessary to list $virtual_maps + as part of the relay_domains definition. The SMTP server + now by default accepts mail for destinations that match + $inet_interfaces, $mydestination or $virtual_maps, whether + or not these are specified in relay_domains. We still need + the ugly "virtual.domain whatever" hack in the virtual + maps. Files: smtpd/smtpd_check.c and lots of documentation + and sample config files. + +19991221 + + Removed cyrus -q flag (ignore quotas) from the sample + master.cf file. + +19991223 + + Bugfix: smtpd should not check for unknown users when + running in stand-alone (sendmail -bs) mode. Problem + experienced by Chuck Mead. File: smtpd/smtpd.c. + + Retraction: the "local_transports" configuration parameter + is gone. Adjusted code and documentation accordingly. + Instead, use just one "local_transport" parameter with the + name of the default local transport. Files: smtpd/smtpd_check.c, + qmgr/qmgr_message.c, trivial-rewrite/ resolve.c, local/resolve.c. + + Feature: Postfix SMTPD now insists that the smtpd recipient + restrictions contain at least one restriction that by + default rejects mail. This should make it much more difficult + to change Postfix into an open relay. File: smtpd/smtpd_check.c. + + Retraction: null-length inet_interfaces is too confusing. + +19991224 + + Bugfix: the relative symlink code in INSTALL.sh computed + the ../ prefix from the wrong pathname. + +1999122[5-7] + + Feature: "allow_untrusted_routing = no" (default) prevents + forwarding of source-routed mail from untrusted clients to + destinations that are blessed by the relay_domains parameter + (example: user@domain2@domain1 etc.). This plugs a mail + relay loophole where a backup MX host forwards junk mail + to a primary MX host which forwards the junk to the Internet. + Files: global/quote_822_local.c, smtp/quote_821_local.c, + trivial-rewrite/rewrite.c, trivial-rewrite/resolve.c, + smtp/smtpd_check.c. + + In order to make this possible, the Postfix resolver data + structure and protocol has changed, so that all resolver + clients need to be re-compiled. + + Side effect from the above change: from now on, an address + with @ in the recipient localpart no longer bounces with + "user unknown" but instead is rejected with "relay access + denied" or "source-routed relay access denied". + +19991227 + + Workaround: the BSD/OS "mkdir -p" and "cmp -s" commands + misbehave on boundary cases: directory exists or file does + not exist. Those who re-invent... + +19991229 + + Added the no source routing info requirement to addresses + accepted by the permit_mx_backup UCE restriction. + +19991230 + + Added a spawn daemon (not compiled and installed by default) + to enable LMTP delivery over UNIX-domain sockets. The goal + is to simplify the experimental LMTP delivery agent by + ripping out the privileged code that forks the LMTP server. + +20000102 + + Clarified documentation after early feedback on the 19991231 + release by Drew Derbyshire, Ollivier Robert, Khetan Gajjar. + + Sanity check: a common error is to list Postfix virtual + domains in the mydestination parameter. This causes the + new optional local_recipient_maps feature to reject mail + for virtual users. The SMTP server now explicitly tests + for this common error and logs a warning instead of refusing + the mail. File: smtpd/smtpd_check.c. + +20000104 + + Bugfix: a case sensitivity bug had slipped through in the + anti-relaying code, causing mail for USER@VIRTUAL.DOMAIN + to be rejected with "relay access denied". This was found + by Jim Maenpaa @ jmm.com. + + Questionable feature: set "smtp_skip_5xx_greeting = yes" + to make Postfix more sendmail compatible, even though this + is wrong, IMNSHO. File: smtp/smtp_connect.c. + + Portability: Ultrix patch from Simon Burge @ thistledown.com.au. + + Portability: Siemens Pyramid (dcosx) patch by Thomas D. + Knox @ vushta.com. + + Performance: FreeBSD has bidirectional pipes that are faster + than socketpairs. Anticipating on more platform-specific + optimizations, all duplex pipe plumbing is now isolated in + a duplex_pipe.c module that provides a system-independent + interface. + +20000105 + + Cleanup: the INSTALL.sh script now updates the sample files + in /etc/postfix even when main.cf exists. + +20000106 + + Bugfix: the SMTP server should consult the relocated map + for virtual destinations (Denis Shaposhnikov). Files: + smtpd/smtpd.c smtpd/smtpd_check.c. + +20000108 + + Workaround: rename() over NFS can fail with ENOENT even + when the operation succeeds (Graham Orndorff @ WebTV). This + is not news. Any non-idempotent operation can fail over + NFS when the NFS server's acknowledgment is lost and the + NFS client code retries the operation (other examples are: + create, symlink, link, unlink, mkdir, rmdir). Postfix has + workarounds for the cases where this is most likely to + cause trouble. Files: util/sane_{rename,link}.[hc]. If + you want reliable mail system, do not use NFS. + +20000115 + + Workaround: better detection of bad hardware. Added SIGBUS + to the list of signals that the master will log before + exiting. + +20000122 + + Portability: preliminary SCO5 port Christopher Wong @ + csports.com. This still needs to a workaround for "find" + not supporting "-type s" (actually, UNIX-domain sockets + have no unique representation in the file system and show + up as FIFOs). + +20000115-22 + + Bugfix: in case of a too long message header, don't extract + recipients from message headers. With the previous behavior, + Bcc information could be left in the message body, as one + person found out the hard way. Files: cleanup/cleanup.c, + cleanup/cleanup_extracted.c, global/cleanup_user.h. + +20000124 + + Whatever: RFC 1869 amends RFC 821 and specifies that code + 555 is to be used when a MAIL FROM or RCPT TO parameter is + not implemented or not recognized. Russ Allbery @stanford.edu. + This reply code is added to the list of reply codes that + cause the Postfix SMTP client to mail a transcript to the + postmaster. File: smtp/smtp_trouble.c. + +20000126 + + Emergency feature: qmgr_site_hog_factor (default: 90 percent) + limits the amount of resources that Postfix devotes to a + single destination. With less than 100, Postfix defers the + excess mail so that one site with a large backlog does not + block other deliveries. Files: qmgr/qmgr.c, qmgr/qmgr_message.c. + +20000128 + + Cleanup: the queue manager no longer replaces the nexthop + field by the recipient localpart when a destination matches + $mydestination/$inet_interfaces. The price is the introduction + of a new parameter local_destination_recipient_limit which + defaults to 1 in order to maintain backwards compatibility. + Files: qmgr/qmgr.c, qmgr/qmgr_message.c. + +20000129 + + Bugfix: extracted recipients were misfiled when a message + was moved back to the maildrop queue. But they still worked + due to a coincidence. + + Feature: bounce_recip() bounces a recipient immediately + without accessing a bounce logfile. This is necessary for + VERP bounces, for bounces by delivery agents that change + the sender address, and for bounces that for some reason + must not use temporary logfiles. Files: global/bounce.c, + bounce/bounce_recip_service.c. + +20000130 + + Bugfix: the too long header fix of 20000115-22 lost mail + with too long headers that didn't need to extract recipients + from message headers. + + Bugfix: the too long header fix of 20000115-22 lost mail + without (blank line + message body). + + Code rewrite: reorganized the cleanup daemon source code + so that the cleanup service can be called one record at a + time (see cleanup/cleanup_api.c); also got rid of the global + state variables and fixed a couple bugs that were introduced + with 20000115-22. + +20000204 + + Feature: in daemon mode, the MAIL FROM size check can be + postponed until RCPT TO so that Postfix can log sender and + recipient. Simon J Mudd. Files: smtpd/smtpd.c + + Robustness: limit the number of recipient addresses that + can be extracted from message headers. Parameter: + extract_recipient_limit (default: 10240). Files: + cleanup/cleanup_message.c, cleanup/cleanup_extracted.c. + + Cleanup: the message header reject logging now includes + sender and recipient address (if possible), so that the + logging looks more like the other reject logging. File: + cleanup/cleanup_message.c. + + Documentation: added sections on regular expression tables + to the access, canonical, virtual, transport and relocated + man pages, and write new man pages that are specific to + regular expressions: pcre_table.5 and regexp_table.5. + +20000214 + + Bugfix: postconf reported some parameters more than once + because the parameter extracting script didn't recognize + lines that differ in whitespace only. File: postconf/extract.awk. + Reported by Kenn Martin. + +20000221 + + Logging: the SMTP client now logs log host+port when it is + unable to connect to a non-MX host, just like it logs + host+port when unable to connect to an MX host. + +20000226 + + Bugfix: the SMTP server's "User unknown" test didn't notice + LDAP etc. dictionary access errors. The code now reports + a 450 status (try again instead of bounce) if the reply is + not definitive. File: smtp/smtpd_check.c. + + Robustness: the smtp-source program could stall when making + hundreds of parallel connections to a Postfix system with + only one SMTP server process. The fix is to use non-blocking + connect() calls, very carefully. File: smtpstone/smtp-source.c. + +20000303 + + Feature: with smtp_always_send_ehlo the SMTP client will + send EHLO regardless of the content of the SMTP server's + greeting. File: smtp/smtp_proto.c. + +20000304 + + Feature: DICT_FLAG_SYNC_UPDATE flag for synchronous dictionary + updates, if supported by the underlying mechanism. Files: + util/dict.h, util/dict_open.c, util/dict_db.c. + +20000307 + + Cleanup: the manual pages in Postfix configuration files + no longer contain troff formatting codes. The text is now + generated from prototype files in a new "proto" subdirectory. + Requested by Matthias Andree @ stud.uni-dortmund.de. + +20000308 + + Bugfix: the unused db and dbm "delete" routines would + clobber the per-dictionary flags when called before reading + or writing the table. Files: util/dict_dbm.c, util/dict_db.c. + Lutz Jaenicke @ aet.TU-Cottbus.DE. + + Bugfix: the SMTP server would produce a cryptic message + when a queue file write error happened before it had written + any recipients. Keith Stevenson. File: smtpd/smtpd.c. + + Robustness: the db and dbm "delete" routines didn't adjust + to dictionaries with/without one trailing null in lookup + keys and values. Did a complete rewrite of the routines. + Files: util/dict_db.c, util/dict_dbm.c. + + Feature: specify "-d key" to postalias or postmap in order + to remove one key. This still needs to be generalized to + multi-key removal (read stdin?). Files: postmap/postmap.c, + postalias/postalias.c. + + Test: added test targets for the dictionary delete operations. + Files: util/Makefile.in, util/dict_test.{c,in,ref}. + + Feature: added data offset and recipient count fields to + the first queue file record output from the cleanup daemon. + The recipient counts provides an initial estimate for a + more advanced queue manager scheduling algorithm. Files: + cleanup/cleanup_envelope.c, cleanup/cleanup_extracted.c. + +20000311 + + Portability: HP-UX awk can't handle bare { in regexps + (Lamont Jones. HP). File: postconf/extract.awk. + + Compatibility: sendmail now recognizes '.' as end of input. + File: sendmail/sendmail.c. + +20000313 + + Compatibility: dtcm (CDE desktop calendar manager) leaks + a file descriptor into its child process, and requires that + sendmail closes the descriptor, otherwise mail notification + will hang. These GUI programmers never figured out that + the child process must close the writing end of a pipe. + File: sendmail/sendmail.c. + +20000314 + + Feature: SASL authentication in the SMTP server and client. + Based on code contributed by Till Franke, SuSE. Specify: + "smtpd_sasl_auth_enable = yes" and "smtp_sasl_auth_enable + = yes". The "permit_sasl_authenticated" UCE restriction + gives special treatment to authenticated clients. + +20000315 + + Workaround: added -blibpath option for AIX 4.x, to close + hole in case postdrop needs to be set-gid. + +20000320 + + Portability: FreeBSD 5.x added to the list of supported + systems (Mark Huizer). + +20000323 + + Portability: INSTALL.sh looks if sendmail is in /usr/lib + rather than in /usr/sbin. + +20000326 + + Bugfix: settings in one mysql configuration file would act + as the implicit defaults for the next one, which could be + confusing. Patch by Scott Cotton. File: util/dict_mysql.c. + + Robustness: limit the number of "junk" commands that can + be issued in an SMTP session (ex.: NOOP, VRFY, ETRN, RSET). + Problem report by Michael Ju. Tokarev @ tls.msk.ru. Files: + global/mail_params.h, smtpd/smtpd.c. + +20000413 + + Portability: more MacOS X patches by Gerben Wierda. + + Bugfix: RFC 822 requires the presence of at least one + destination message header. The cleanup daemon now generates + a generic "To: undisclosed-recipients:;" message header + when no destination header is present. The header content + is specified with the undisclosed_recipients_header parameter. + Problem pointed out by Geoff Gibbs, UK-Human Genome Mapping + Project-Resource Centre. + +20000416 + + Workaround: allow <(comment)> as SMTP MAIL FROM address. + +20000417 + + The SASL authentication in the SMTP server and client works, + but only on Linux and Solaris, neither of which I wish to + run on my laptop. + +20000418 + + Added LMTP support to the smtp-source and smtp-sink utilities + so that I don't have to install Cyrus IMAP just to test + LMTP. + +20000419 + + Bugfix: removed the () from the tokenized representation + of RFC 822 comments, so that comments with \( or \) can be + unparsed correctly. Problem reported by Bodo Moeller. + +20000423 + + Bugfix: mail_copy() could prepend > or . in the middle of + long lines. Found by code inspection. + +20000427 + + New code: unescape module that translates C escape sequences + into their equivalent character values. File: util/unescape.c. + + Feature: the pipe mailer now has a way to specify the output + record delimiter (for example, eol=\r\n). This is necessary + for transports that require CRLF instead of UNIX-style LF. + +20000502 + + In order to support timeouts more conveniently, VSTREAMs + now have built into them the concept of timeout. Instead + of calling read() and write(), the low-level VSTREAM + interface now by default uses timed_read() and timed_write() + which receive a timeout parameter; vstream_ctl(stream, + VSTREAM_CTL_TIMEOUT...) sets the timeout deadline on a + stream, and vstream_ftimeout(stream) queries a stream for + timeout errors. This change simplified timeout handling + considerably. Files: util/vbuf.h, util/vstream.[hc], + global/smtp_stream.c, global/timed_ipc.c. + +20000504 + + Added application context to VSTREAMs, which is passed on + transparently to application-provided read/write routines. + vstream_ctl(stream, VSTREAM_CTL_CONTEXT...) sets the context. + Files: util/vstream.[hc]. + + Added vstream_setjmp() and vstream_longjmp() support to + make exception handling more convenient. Turn on exception + handling with vstream_ctl(stream, VSTREAM_CTL_EXCEPT...). + Files: util/vstream.[hc]. + + Cleaned up the smtp_stream module further and got rid of + the global state that limited the use of this module to + one stream per process. Files: global/smtp_stream.[hc]. + +20000505 + + Bugfix: the SMTP server now flushes unwritten output before + tarpit delays, to avoid protocol timeouts in pipelined + sessions when a client causes lots of errors. Found by + Lamont Jones, HP. File: smtpd/smtpd_chat.c. + + Finished the LMTP client, which is based on a modified + version of the SMTP client by Philippe Prindeville, Mirapoint, + Inc., later modified by Amos Gouaux, UTDallas, and then + Wietse ripped it all up again. Currently this talks LMTP + over TCP only. + + Feature: override main.cf parameters in master.cf. Specify + "-o parameter=value" after the program name. This allows + you to selectively override myhostname etc. See also the + new smtp_bind_address parameter below. + +20000506 + + Convenience: the LMTP and SMTP clients now append the local + domain to unqualified nexthop destinations. This makes it + more convenient to set up transport maps. Files: + lmtp/lmtp_addr.c, smtp/smtp_addr.c. + + Sendmail compatibility: the Postfix SMTP client now skips + servers that greet the client with a 4xx or 5xx status + code. To disable, set both smtp_skip_4xx_greeting and + smtp_skip_5xx_greeting to "no". + +20000507 + + Portability: NetBSD has migrated to /etc/mail/aliases. We + can expect to see this happen more often when systems start + shipping Sendmail 8.10. File: util/sys_defs.h + + Updated LDAP code by John Hensley, with support for + dereferencing of LDAP aliases, which have nothing to do + with Postfix aliases. + + Feature: "smtp_bind_address=x.x.x.x" specifies the source + IP address for SMTP client connections. Specify in master.cf + as "smtp -o smtp_bind_address=x.x.x.x" in order to give + different delivery agents different source addresses. + +20000510 + + Cleanup: mailbox_transport did not work with the lmtp + delivery agent. This dates back to when Postfix used empty + nexthop information to indicate that a destination was + local. File: global/deliver_pass.c. + + Bugfix: configuration parameters for one mysql dictionary + would become default settings for the next one. File: + dict_mysql.c. This patch was merged into Postfix a while + back but apparently that Postfix version was nuked when + other parts were redesigned. Update by Scott Cotton. + + Bugfix: some Postfix delivery agents would abort on addresses + of the form `stuff@.' which could be generated only locally. + Found by Patrik Rak. File: trivial-rewrite/resolve.c. + + Third-party Berkeley DB support for HP-UX by Lamont Jones. + File: makedefs. + +20000511 + + Bugfix: Postfix would incorrectly reject domain names with + adjacent - characters. File: util/valid_hostname.c. + + Bugfix: the 20000505 pipeline tarpit delay flush was wrong + and caused the client and server to get out of phase. Yuck! + +20000513 + + Feature: VSTREAMs now have the concept of last fill/flush + time, which is needed to prevent timeouts with pipelined + SMTP sessions as detailed in the next item. + + Bugfix: delayed SMTP command/reply flushing to prevent + sender delays from accumulating too much and causing timeouts + with pipelined sessions. For example, client-side delays + happen when a client does DNS lookups to replace hostname + aliases in MAIL FROM or RCPT TO commands; server-side delays + happen when an UCE restriction involves a time-consuming + DNS lookup, or when a server generates tarpit delays. + Files: lmtp/lmtp_proto.c, smtp/smtp_proto.c, smtpd/smtpd_chat.c. + + Portability: define ANAL_CAST for compilation environments + that reject explicit casts between pointers and integral + types. File: util/sys_defs.h, master/*server.c. Upon closer + investigation, this turned out to be the result of someone's + compiler configuration preferences. Therefore the change + is likely to go away after a code cleanup. + +20000514 + + Feature: mysql client support for multi-valued queries + (select email, email2 from aliastbl where username='$local') + By Loic Le Loarer @ m4x.org. File: util/dict_mysql.c. + + Finalized the delayed SMTP command/reply flushing code in + the SMTP and LMTP clients after lots of testing and review. + +20000520 + + Robustness: upon receipt of mail, map the mailer-daemon + sender address back into the magic null string. File: + cleanup/cleanup_envelope.c. + +20000524 + + Bugfix: the code for masquerade_exceptions was case sensitive. + Reported by Eduard Vopicka. File: cleanup/cleanup_masquerade.c. + +20000526 + + Feature: experimental queue manager by Patrik Rak with a + fancy pre-emptive scheduling algorithm that improves delivery + performance of mail with few recipients. This queue manager + is made available as "nqmgr". + +20000528 + + Feature: the SMTP client SASL password file can contain + entries for destination domain names (the address remote + part) not just mail server hostnames. File: smtp_sasl_glue.c. + + Feature: smtpd_sasl_local_domain parameter (default: + $myhostname) to specify the local SASL authentication realm. + File: smtpd_sasl_glue.c. + + Feature: specify "body_checks=regexp:/file/name" for a very + crude one line at a time message body content filter. This + feature uses the same filtering syntax as the header_checks + feature. File: cleanup/cleanup_message.c. See also the + conf/sample-filter.cf file. + +20000530 + + Feature: full content filtering through external software. + This uses existing interfaces for sending mail to the + external content filter and for injecting it back into + Postfix. Details in FILTER_README. Files: pickup/pickup.c, + smtpd/smtpd.c, qmgr/qmgr_message.c. + +20000531 + + More SASL feedback by Liviu Daia, regarding the use of + authentication realms. File smtpd/smtpd_sasl_glue.c. + + Added a simple shell-script based content filtering example + to the FILTER_README file. + + Content filtering support for nqmgr by Patrik Rak. File: + nqmgr/qmgr_message.c. + + Renamed "content inspection" etc. to "content filtering" + in anticipation of a new hook for content inspection that + only inspects mail without re-injecting it into Postfix. + +20000601 + + Feature: limit the size of pipe mailer deliveries with the + size=nnn command-line attribute. Patch by Andrew McNamara. + +20000603 + + Bugfix: don't try to do SASL authentication when running + in stand-alone (sendmail -bs) mode. Fix by Liviu Daia. + + Bug: the unauthorized pipelining test fails with single + recipient mail when smtpd_delay_reject = yes. + +20000617 + + Bugfix: conf/sample-ldap.cf was no longer up to date with + reality. Patch by Lamont Jones, HP. + + Bugfix: the maildir delivery routine left temporary files + lying around after unsuccessful delivery (problem reported + by Brian Laughton @ Corp.Axxent.Ca). + +20000621 + + AIX 4.x had POSIX regular expression support all the time + I was working on Postfix. Better find out late than never. + +20000623 + + Bugfix: the SMTP server did not reset the so-called junk + command counter after successful delivery (Mark Hoffman @ + wallst.com). File: smtpd/smtpd.c. + +20000625 + + Cleanup: remove Content-Length from incoming mail. The + sender has no authority over the format of mail as stored + by the receiving system. File: global/header_opts.h. + + Feature: rewrite Mail-Followup-To: as sender. Files: + global/header_opts.[hc]. + + Cleanup: rewrite Reply-To, Errors-To, Return-Receipt-To as + sender, so that address masquerading works as expected. + Files: global/header_opts.c. + + Feature: specify "require_home_directory = yes" to prevent + mail from being delivered to a user whose home directory + is not mounted. File: local/dotforward.c. + + Cleanup: the pipe deliver agent no longer appends a blank + line when the F flag (prepend From_ line) is specified. + Specify the B flag if you need that blank line. The local + delivery agent no longer appends a blank line to mail that + is delivered to external command. Files: pipe/pipe.c, + global/mail_copy.[hc]. + +20000708 + + Portability: support for NEXT/OPENSTEP requires extra + include file in util/watchdog.c (Masaki Murase). + +20000715 + + Added macros to turn on vstream/vstring/etc. format string + checking by gcc, in addition to the checking that was + already implemented with printfck. File: util/sys_defs.h, + the macros for PRINTFLIKE and SCANFLIKE. Problem - unlike + the printfck tool, gcc finds format argument type mismatches + only in code that isn't #ifdef-ed out. + +20000718 + + Robustness: make_dirs() now continues when a missing + directory is created by another process. + +20000720 + + Feature: the queue manager now logs the number of recipients + when opening a queue file (a zero recipient count is logged + with older queue files). File: global/opened.c. + +20000726 + + Robustness: added watchdog_pat() routine to keep the watchdog + quiet if a client stays connected for a lot of time. Files: + util/watchdog.[hc], smtpd/smtpd.c. + +20000729 + + Robustness: if relayhost is specified but the host does + not exist, defer mail instead of bouncing it (which would + lose the mail if the bounce would have to be delivered to + that same non-existent relayhost). Problem reported by + Chris Cooper @ maths.ox.ac.uk. File: smtp/smtp_connect.c. + +20000821 + + Feature: added -r (replace key+value) option to postalias + and postmap. + + Cleanup: smtpd now replies with 555 when the client sends + unrecognized RCPT TO parameters, as required by RFC 1869 + (problem report by Robert Norris @ its.monash.edu.au). + File: smtpd/smtpd.c. + +20000822 + + Logging: the SMTP server's SASL code logs the authentication + method along with an authentication failure. Suggested by + Ronald F. Guilmette @ monkeys.com. + + Workaround: some systems have file size resource limits + that cannot be represented with the off_t type that is used + by standard functions such as lseek(2). Problem reported + by Blaz Zupan @ amis.net. + +20000823 + + Feature: all this discussion about when to reject mail and + when not made me decide to implement a TCP-based map type + so that it becomes relatively simple to implement dynamic + access controls, for example, hold off mail from an unknown + client or sender until we have completed some investigation, + after which we will either reject or accept. + + However, this code is turned off until it is finished. + +20000905 + + Robustness: the dns client now rejects malformed domain + names rather than depending on the DNS to report that the + name does not exist. Linux returns a rather misleading + server failure code as found out by Patrik Rak. File: + dns/dns_lookup.c. + +20000911 + + Feature: added IGNORE keyword to header_checks and body_checks + to pretend that certain data does not exist. File: + cleanup/cleanup_message.c. + +20000911 + + Bugfix: the SASL code did not allow MAIL FROM... AUTH=sender + without prior authentication. The RFC allows this, although + one wonders what the reasoning behind this is. File: + smtpd/smtpd_sasl_proto.c. + +20000913 + + Bugfix: the rmail script did not handle remote UUCP systems + that send a from_ line with unqualified envelope sender. + Reported by Luciano Mannucci. + + Compatibility: don't insert Sender: header lines. Sendmail + has not done so for at least 10 years, if it ever did. + Problem reported by Brad Knowles. File: cleanup/cleanup_message.c. + +20000916 + + Bugfix: when propagating an address extension in a virtual + or canonical mapping, cleanup accesses memory that is no + longer allocated. This can happen when the result address + length is more than 100 characters. Problem reported by + Adi Prasaja @ satunet.com. File: global/mail_addr_crunch.c. + + Bugfix: fixed a misleading error message when the cleanup + server reaches the queue file size limit. Fix by Robby + Griffin @ MIT.EDU. File: cleanup/cleanup_extracted.c. + +20000917 + + Bugfix: postalias -i would complain about duplicate entries + for the Sendmail-compatible @ entry and for the NIS-compatible + YP_LAST_MODIFIED and YP_MASTER_NAME entries. + +20000918 + + Gross hack: prevent looping on a bad recipient by always + forwarding recipients in :include: files to a new mail + delivery request, even when owner-listname is not set. + File: local/recipient.c. + +20000919 + + Convenience: INSTALL.sh now imports default settings from + the process environment, in order to make scripting easier. + + Robustness: INSTALL.sh now systematically skips over CVS, + RCS and SCCS cruft. + + Portability: another fix for NEXTSTEP (Masaki MURASE). + File: util/spawn_command.h. + +20000920 + + Cleanup: in a transport table entry, do not ignore port + numbers specified as [host]:port. In fact, this is now + becoming the preferred form, in order to avoid parsing + problems with IPV6 addresses. Postfix supports both forms, + but future versions will print a warning for the old form. + Problem reported by Claus Fischer @ werhats.at + + Bugfix: missing initialization for state->sasl_method can + cause permit_sasl_authenticated to always succeed. Report + and fix by Lutz Jaenicke @ aet.TU-Cottbus.DE. + + FAQ: added notes about how to delete, copy or restore queue + files in a safe manner. + +20000921 + + File reorganization. No code change except Makefiles. All + sources are pushed down by one directory level to keep file + listings usable. Released as 20000922, so that I have a + reference to run "diff -cr against. + + Bugfix: the spawn service was installed without man pages. + + Portability: MacOSX hints and tips by Joe Block, University + of Central Florida School of Optics/CREOL + + Portability: The MacOSX gcc compiler does not understand + the new printf_like/scanf_like attributes. File: util/sys_defs.h. + +20000922 + + nqmgr update from Patrik Rak for the changed queue manager + to delivery agent protocol. + + Lame feature: syslog_facility parameter to control where + syslogd sends Postfix logging (default: syslog_facility = + mail). However, errors during command-line parsing are + still logged with the default syslog facility, as are errors + while processing the main.cf file (surprise). Based on + code by Andrew McNamara. + +20000923 + + Cleanup: new bounce logfile API so that Postfix can change + to an extensible bounce logfile format with per-recipient + sender addresses (needed for VERP and for reporting local + list delivery problems to the list owner) and other + attributes. File: global/bounce_log.[hc]. + + Cleanup: replaced the ad-hoc logfile parsing code in showq + by something that uses the generic bounce logfile API. + +20000924 + + Feature: Postfix bounced mail and delayed mail notifications + now have the standard RFC 1894 form (DSN). The bounce + service now uses the generic bounce logfile API. File: + bounce/bounce_notify_service.c, bounce/bounce_notify_util.c. + + Cleanup: deleted the per-recipient bounce protocol. Future + bounce logfiles will support per-recipient bounce addresses. + Files: global/bounce.c, bounce/bounce_recip_service. + +20000925 + + Workaround: sendmail allows MAIL FROM and RCPT TO envelope + addresses like <the dude <dude@site>> so we will never get + rid of them. To disallow, specify "strict_rfc821_envelopes + = yes". File: smtpd/smtpd.c. + +20000926-20001003 + + Feature: a "flush" server that keeps per-destination records + of deferred mail. It is the basis of a faster ETRN and + "sendmail -qRsite" implementation. This code was rewritten + half a dozen times. + +20000928 + + Bugfix: the stricter dns_lookup() argument checks revealed + that Postfix was doing DNS lookups for domain literals + ([ip.address]) when expanding aliases in MAIL FROM and RCPT + TO address parameters. Reported by Jim Littlefield. File: + smtp/smtp_unalias.c. + + Documentation: added text on the biff=yes/no parameter to + conf/sample-local.cf (text provided by Paul Wagland, + relational-consultancy.com. + + Robustness? Log errors from SASL library code as warnings + not as fatal errors. Files: smtp*/*glue.c. + +20001001 + + Feature: in master.cf, specify ? after wakeup time to avoid + waking up services that aren't being used. + +20001003 + + Feature: the fast flush refresh and purge time interval + parameters can now be specified in user-specified units by + providing an appropriate suffix: s (seconds), m (minutes), + h (hours), d (days), w (weeks). unit. This was needed so + that I could test the flush server code in a reasonable + way (its timeouts are normally specified in days or hours, + and I don't have that much time for testing). Other Postfix + time interval parameters will be migrated as time permits. + Files: conf/sample-flush.cf, global/mail_conf_time.c, + postconf/postconf.c. + + Unfeature: qmgr_hog_factor is now disabled by default. It + was just too confusing. If you don't know what this means, + do not worry. + +20001005 + + Cleanup: after "postfix reload" do not penalize mail that + was in the active queue, but make it ready for immediate + delivery so that ETRN etc. works as intended. Files: + *qmgr/qmgr.c, *qmgr/qmgr_active.c. + + Portability: Redhat 7 library interfaces have changed + incompatibly, which breaks existing software. File makedefs. + + Consistency: the fallback_relay parameter did not understand + the [] or host:port syntax, and there was no way to suppress + MX record lookups. Files: smtp/smtp_addr.c, smtp/smtp_connect.c. + + Convenience: you can now specify multiple SMTP destinations + in the relayhost or fallback_relay configuration parameters. + The specified destinations will be tried in the specified + order. File: smtp/smtp_connect.c. + + Many typographical corrections by Matthias Andree. + +20001024 + + Documentation: the canonical, virtual etc. manual pages + did not document the effect of leading whitespace. + +20001025 + + Bugfix: virtual map expansion stopped too early with + self-referential aliases. Reported by Michael Douglass @ + datafoundry.net. File: cleanup/cleanup_map1n.c. + +20001026 + + Horror: postmap and postalias (newaliases) silently lose + the file lock while building a lookup table with Berkeley + DB 2.x and later on Solaris, HP-UX, IRIX, and UNIXWARE. + The result is that table lookups fail while the table is + being built, so that mail is lost. In order to avoid this + misbehavior one has to use an undocumented feature that is + NOT available with the DB1.85 compatibility interface. + Therefore, Postfix now supports three Berkeley DB programming + interfaces of increasing complexity. File: util/dict_db.c. + + Bugfix: some character manipulations were not portable for + signed/unsigned characters. Files: global/quote_821_local.c, + global/quote_822_local.c. + + Workaround: apparently, some software sends SMTP mail that + begins with "From sender time-stamp". Sendmail silently + ignores such RFC violating garbage, and therefore Postfix + needs to jump another hoop. File: smtpd/smtpd.c. + +20001028 + + Bugfix: the flush server tried to access config files after + going to the chroot jail. Found by Lutz Jaenicke, TU-Cottbus.DE. + File: flush/flush.c. + + Update: revised LDAP module from primary maintainer John + Hensley, with contributions from many other people. Files: + util/dict_ldap.c, LDAP_README. + + Update: LINUX2 chroot setup script by Matthias Andree, + uni-dortmund.de. + + Feature: specify unix:/path/name for LMTP connections over + UNIX-domain sockets, and specify inet:host or inet:host:port + for IPV4. If no unix: or inet: is specified, IPV4 is assumed. + File: lmtp/lmtp_connect.c. + + Feature: added UNIX-domain support to the smtpstone test + programs in order to test the LMTP client UNIX-domain + support. + +20001030 + + Bugfix: further testing in preparation for 19991231-pl10 + revealed that the DB map code was now broken for every + platform. + +20001031 + + Performance: the slow start (gradually increase number of + parallel connections to the same site) was too gentle and + Postfix would back off too quickly. Files: qmgr/qmgr_queue.c + and nqmgr/qmgr_queue.c. + +20001101 + + FAQ update by Ralph Hildebrandt. + +20001104 + + Portability: RedHat Linux has changed incompatibly, again. + Fixed with the help of Matthias Andree. File: makedefs. + +20001109 + + Cleanup: changed prototype of internal function that did + not return a useful result. File: src/util/vstream_popen.c. + +20001110 + + Workaround: the Debian post install script passes an open + file descriptor into the master server and waits forever. + Reported by Lamont Jones. File: master/master.c. + +20001114 + + Compatibility: added sendmail -G (gateway submission) option + for compatibility with the sendmail rmail command. Requested + by David Gilbert, Velocet Communications. + +20001116 + + Documentation: added MAILER-DAEMON to the list of sample + masquerade_exceptions settings in conf/sample-rewrite.cf. + Suggested by Karl O. Pinc, pop.artic.edu. + + Performance: the slow start (gradually increase number of + parallel connections to the same site) was too gentle and + Postfix would back off too quickly. Files: qmgr/qmgr_queue.c + and nqmgr/qmgr_queue.c. Yup, changed the same code, again. + We now allow for a margin above the actual concurrency, + with the size of the initial destination concurrency. + Final solution by Patrik Rak. + + Bugfix: the recipient home directory test broke mailbox_transport + support for non-UNIX recipients. File: local/recipient.c. + +20001117 + + Robustness: additional integrity tests for the nqmgr by + Patrik Rak. File: nqmgr/qmgr_message.c. + +20001118 + + Bugfix: the new LDAP client code did not work properly if + the new ldap_domain parameter was not specified. LaMont + Jones, HP. File: util/dict_ldap.c. + + Feature: the soft_bounce safety net is extended to the SMTP + server. With "soft_bounce = yes", The SMTP server changes + all 5xx (reject) replies into 4xx (try again) replies. + + Documentation: the virtual(5) man page now documents both + Postfix-style virtual domains and Sendmail-style virtual + domains, including their interaction with local usernames, + aliases and mailing lists. Hopefully, this ends some of + the confusion surrounding virtual domain support. Updated + several FAQ entries concerning virtual domain support. + + Documentation: added FAQ entry for the biff service. + +20001119 + + Bugfix: per-destination queue names were case sensitive so + that the same site could have multiple queues. Reported + by Patrik Rak. Files: *qmgr/qmgr_message.c. + +20001120 + + Bugfix: per-destination deferred mail logfiles were case + sensitive so that the same site could have multiple deferred + mail logfiles, so that not all mail would be flushed with + ETRN. Reported by Ralph Hildebrandt. Files: flush/flush.c. + + Portability: added (int) casts to printf-like arguments + that specify the width of %*letter conversions. On some + systems, sizeof and pointer difference expressions are + wider than an int. Reported by Valentin Nechayev @ lucky.net. + +20001121: + + Compatibility: Postfix now retries delivery when an external + command is killed by a signal, because people expect such + behavior from Sendmail. File: global/pipe_command.c. + +20001123-30 + + Feature: mailbox locking is now configurable. The configuration + parameter name is "mailbox_delivery_lock". Depending on + the operating system one can specify one or more of "flock", + "fcntl" and "dotlock". Use "postconf -l" to find out what + locking methods Postfix supports. The default setting is + system dependent. All mailbox file opens are now done by + one central mbox_open() routine. This affects the operation + of the postlock command, and of local delivery to mailbox + or /file/name. Files: util/safe_open.c, util/myflock.c, + global/deliver_flock.c, global/mbox_conf.c, global/mbox_open.c. + local/mailbox.c, local/file.c, postlock/postlock.c. + + Compatibility: the old sun_mailtool_compatibility parameter + is being phased out. It still works (by turning off + flock/fcntl locks), but logs a warning as a reminder that + it will go away. + + Compatibility: when delivering to /file/name, the local + delivery agent now logs a warning when it is unable to + create a /file/name.lock file, and then delivers the mail + (older Postfix versions would silently deliver). + +20001202 + + Feature: specify "smtp_never_send_ehlo = no" to disable + ESMTP. Someone asked for this long ago. Files: smtp/smtp.c, + smtp/smtp_proto.c. + + Feature? Bugfix? The smtp client now skips server replies + that do not start with "CODE SPACE" or with "CODE HYPHEN", + and flags them as protocol errors. Older versions silently + treat "CODE TEXT" as "CODE SPACE TEXT". File: smtp/smtp_chat.c. + +20001203 + + Documentation: postmap(1) and postalias(1) did not document + the process exit status for "-q key". + +20001204 + + Bugfix: the Postfix master daemon no longer imported + MAIL_CONF and some other necessary environment parameters. + Postfix now has explicit "import_environment" and + "export_environment" configuration parameters that control + what environment parameters are shared with non-Postfix + processes. Files: util/clean_env.c, util/spawn_command.c, + util/vstream_popen.c, global/pipe_command.c, and everything + that invokes this code. + +20001208 + + Bugfix: while processing massive amounts of one-recipient + mail, qmgr could deadlock for 10 seconds while sending a + bounce message. All queue manager bounce send requests are + now implemented asynchronously. Files: global/abounce.[hc] + (asynchronous bounce client), qmgr/qmgr_active.c. Problem + reported by El Bunzo (webpower.nl) and Tiger Technologies + (tigertech.com). + +20001209 + + Feature: mailbox_transport and fallback_transport can now + have the form transport:nexthop, with suitable defaults + when either transport or nexthop are omitted, just like in + the Postfix transport map. This allows you to specify for + example, "mailbox_transport = lmtp:unix:/file/name". File: + global/deliver_pass.c. + +20001210 + + Bugfix: the local_destination_concurrency_limit paramater + no longer worked as per-user concurrency limit but instead + worked as per-domain limit, so that the limit of "2" in + the default main.cf files resulted in poor local delivery + performance. Files: qmgr/qmgr_message.c, qmgr/qmgr_deliver.c. + Problem reported by David Schweikert (ee.ethz.ch) and Dallas + Wisehaupt (cynicism.com). + +20001210 + + Feature: support for MYSQL connections over UNIX-domain + sockets by Piotr Klaban. Files: util/dict_mysql.c, + MYSQL_README. + +20001211 + + Small dirt: postconf -m produced too much output due to a + missing "else", and the optional SASL code needed a fix + for the changed name_mask API. + +20001212 + + Workaround: due to an error, record type L for "filter + transport name" was the same as that for the already existing + record type L for "record not ending in newline", causing + the pickup daemon to discard all records not ending in + newline. The code cannot be changed without breaking + compatibility with queued mail, so the pickup server is + changed to discard type L records only from the message + envelope, not from the content. File: pickup/pickup.c. + +20001213 + + Bugfix: dict_ldap did not properly initialize a handle + after connection timeout. Problem reported by Alain Thivillon. + File: util/dict_ldap.c. + +20001214 + + Feature: local_transport and default_transport now also + understand the transport[:destination] notation, so that + all transport config parameters are similar again. File: + trivial-rewrite/resolve.c, trivial-rewrite/transport.c. + + Code cleanup: mailbox_transport and fallback_transport no + longer allow the user to omit the transport part of a + transport:destination specification. That just did not make + any sense at all. The :destination part is still optional. + File: global/deliver_pass.c. + + Feature: most time-related configuration parameters take + a one-letter suffix that specifies the time unit: s + (second), m (minutes), h (hours), d (days), w (weeks). + "postconf -d" output includes the default time unit. Files: + many. + + Code cleanup: in a CONFIG_TIME_TABLE, the default time unit + is now always the last character of a default time value. + It is no longer necessary to specify the default time unit + separately. This change means that it will not be possible + to specify default values in the form of function calls, + but that was unused anyway. Files: global/mail_conf_time.c, + and user code. + +20001217 + + Bugfix: reorganized some code in the MYSQL client to end + a number of memory allocation/deallocation problems. This + code needs more work. File: dict_mysql.c. + +20001218 + + Bugfix: the MYSQL client did not provide function pointers + for unimplemented operations, causing "postmap -d" to dump + core instead if issuing an error message. This is what I + get for accepting code that I cannot test myself. + +20001221 + + Code cleanup: configuration parameters that are $name + expanded at run-time now have their own data type hierarchy + instead of being piggy-backed on top of strings that are + $name expanded at program initialization time. Files: + global/mail_conf.h, global/mail_conf_raw.c, and code that + calls it. + +20001230 + + Update: replaced the default rbl.maps.vix.com setting by + the current blackholes.mail-abuse.org. + +20010102 + + Code cleanup: the queue manager is a bit greedier with + allocating a delivery agent. Problem pointed out by Patrik + Rak. All bugs in the solution are mine. Files: + *qmgr/qmgr_active.c. + +20010105 + + Bugfix: the FILTER_README shell script example did not + correctly pass exit status to the parent. + + Bugfix: soft errors in client hostname lookups would be + treated as hard errors. Fix by Michael Herrmann + (informatik.tu-muenchen.de). File: smtpd/smtpd_peer.c. + +20010110 + + Bugfix: the mkdir() EEXIST race condition workaround was + not complete. Matthias Andree, Daniel Roesen. Files: + global/mail_queue.c, util/make_dirs.c. + +20010111 + + Portability: IRIX 6.5.10 defines sa_len as a macro, causing + a name collision with a variable used by Postfix. Roberto + Totaro, enigma.ethz.ch. File: smtpstone/smtp-source.c. + +20010116 + + Bugfix: REJECT by header/body_checks was flagged in smtpd + as a bounce, should be policy, in order to make postmaster + notifications more consistent. File: smtpd/smtpd.c. + + Merged updated chroot setup procedure by Matthias Andree. + Files: examples/chroot-setup/LINUX2. + +20010117 + + Formatting: changed the seconds and days formats in the + "your mail is delayed" text so that it does not switch to + scientific notation. File: bounce/bounce_notify_util.c. + +20010119 + + Feature: SASL support for the LMTP client. Recent CYRUS + software requires this for Postfix over TCP sockets. + +20010120 + + Bugfix: the 20001005 revised fallback_relay support caused + Postfix to send mail to the fallback even when the local + machine was an MX host for the final destination. Result: + mailer loop. Found by Laurent Wacrenier (teaser.fr). Files: + smtp/smtp_connect.c, smtp/smtp_addr.c. + +20010121 + + Workaround: specify "broken_sasl_auth_clients = yes" in + order to support old Microsoft clients that implement a + non-standard version of RFC 2554 (AUTH command). + + Workaround: Lotus Domino 5.0.4 violates RFC 2554 and replies + to EHLO with AUTH=LOGIN. File: smtp/smtp_proto.c. + +20010125 + + Code cleanup: wrote creator/destructor for dictionary + objects that provides default methods that trap all attempts + to perform an unimplemented operation. Based on an ansatz + by Laurent Wacrenier (teaser.fr). Files: util/dict*.[hc]. + + Code cleanup: INSTALL.sh does not ask questions when stdin + is not connected to a tty (as in: make install</dev/null). + To automate a customized install, the script imports + environment variables for install_root etc. + +20010127 + + Workaround: randomize the delay between attempts to lock + a file, so that multiple bounce or defer servers are less + likely to retry all at the same time. likely. File: + util/rand_sleep.c, global/deliver_flock.c, global/dot_lockfile.c. + +20010128 + + Code cleanup: complaints about invalid or numeric hostnames + either provide specific context or are removed as redundant. + Files: util/valid_hostname.c dns/dns_lookup.c. + + Code cleanup: new mailbox_size_limit parameter (default: + 20MB). Until now, the mailbox size limit was the same as + the message size limit, due to artefact of implementation. + Files: global/mail_params.h, local/local.c. + + Bugfix: fix for the ldap_domains parameter, both semantics + and documentation by LaMont Jones. Files: LDAP_README, + conf/sample-ldap.cf, util/dict_ldap.c. + + Update: merged in the virtual delivery agent by Andrew + McNamara. See VIRTUAL_README for detailed examples. + + Update: merged a re-vamped nqmgr by Patrik Rak. + +20010129 + + Tweak: several little nqmgr tweaks by Patrik Rak. Files: + global/mail_params.h, nqmgr/qmgr_job.c. + + Bugfix: the virtual delivery agent did not save maps_find() + results timely. J?rgen Thomsen, postfix.jth.net. File: + virtual/mailbox.c. + + Security: disallow regexp tables in the virtual delivery + agent. The $1 etc. substitution mechanism gives too much + power to the sender. File: virtual/mailbox.c. + + Cleanup: clarified documentation and boundary cases in the + random_sleep() routine. + + Bugfix: the MISSING_USLEEP feature was used backwards. + Patrik Rak. File: util/random_sleep.c. + +20010130 + + Workaround: Linux usleep() is void, BSD/Solaris usleep() + returns int, don't use it. File util/random_sleep.c. + + Made local maildir bounce/defer handling mode consistent + with local mailbox delivery. File local/maildir.c. + + The smtp client now defers delivery when all MX hosts have + no A record. File: smtp/smtp_addr.c + + Bundled the man2html and postlink quick hacks so people + can do their own manual page processing. See scripts in + the mantools directory. + + Documentation: updated the reference to sendmail in the + html/index.html page. + + Documentation: added note about the Cisco PIX "fixup smtp" + bug that causes mail delivery problems when "." and "CRLF" + arrive in separate packets. File: html/faq.html. + +20010201 + + Bugfix: another missing initialization in the mysql client. + File: util/dict_mysql.c. + + Sanitized time routine by Patrik Rak, to make his nqmgr + robust against people who set their clock back. Files: + util/sane_time.[hc]. + + Bumped the default mailbox file size limits to 50MB. + +20010202 + + Bugfix: fixed the way the master resets the file size limit + to avoid problems when a Postfix daemon updates a queue + file. The file size limit is now increased to INT_MAX if + it is smaller than INT_MAX, so that it is less likely to + interfere than the old setting of message_size_limit. + + Feature: disable mailbox size limits for the local and + virtual delivery agents by setting mailbox_size_limit or + virtual_mailbox_limit to zero. + +20010203 + + Update: null candidate patch from Patrik Rak. Files: + nqmgr/qmgr_entry.c nqmgr/qmgr_job.c nqmgr/qmgr_message.c. + + Cleanup: added one gruesome command to the postlink script + for hyperlinking nroff manual page output. Word abbreviation + broke some <a href...> </a> instances across line boundaries. + sed(1) is an amazing tool. File: mantools/postlink. + +20010204 + + Laid the ground work for logging of table accesses. This + will give more insight into how Postfix uses its lookup + tables. User interface comes later. File: util/dict_debug.c. + +20010216 + + Bugfix: the pipe delivery agent expanded $size as if it + were a recipient, instead of expanding it as $nexthop or + as $sender. Reported by Michael Tokarev. File: pipe/pipe.c. + +20010221 + + Bugfix: poor LMTP performance for domains that are listed + in $mydestination, because Postfix would send one recipient + at a time, with multiple deliveries of recipients of the + same message in parallel; a similar problem could exist + with virus scanning and with firewall relay hosts that + forward mail for $mydestination to an inside machine. This + behavior is now changed to depend on the transport-specific + xxx_destination_recipient_limit parameter. This also means + that you can now get qmail behavior for SMTP deliveries by + setting smtp_destination_recipient_limit=1. File: + {qmgr,nqmgr}/qmgr_message.c. + + Workaround: Solaris socketpair() can fail with EINTR. Added + a sane_socketpair.c module that joins the ranks of the + other sane_whatever workarounds. Reported by Andrew McNamara. + File: util/sane_socketpair.[hc] + +20010222 + + Documentation: the default main.cf file has a prominent + warning that mynetworks should be properly configured in + order to reject unauthorized mail relay requests from + strangers. + + Documentation: the INSTALL document, section "mandatory + configuration file edits" has a section that explains that + mynetworks should be properly configured in order to reject + unauthorized mail relay requests from strangers. + +20010223 + + Documentation: the basic.html document has a section that + explains that mynetworks should be properly configured in + order to reject unauthorized mail relay requests from + strangers. + + Feature: new "mynetworks_style" parameter that controls + how mynetworks (trusted networks) is derived from the + inet_interfaces (machine interfaces) setting. Specify + "class" for entire class A, B, C networks; "subnet" for + the local subnets only; or "host" for maximal privacy. + Files: util/inet_addr_local.[hc], global/own_inet_addr.[hc], + global/mynetworks.[hc], postconf/postconf.c. + + Portability: MACOSX patches by Gerben Wierda. + + Portability: Solaris /dev/null is a symlink, which tripped + up the code to safely open a file before local delivery. + We now grudgingly allow symlinks owned by root. File: + util/safe_open.c. + +20010224 + + Bugfix: "postconf mynetworks" ignored the inet_interfaces + setting. That was a very old one. File: postconf/postconf.c. + + INCOMPATIBLE CHANGE: POSTFIX NO LONGER RELAYS MAIL FOR + CLIENTS IN THE ENTIRE CLASS A/B/C NETWORK. POSTFIX BY + DEFAULT RELAYS MAIL FOR CLIENTS IN THE LOCAL SUBNETWORK. + Specify "mynetworks_style = class" to get the old behavior. + +20010225 + + Portability: master sigchld handler based on writing to a + pipe, so that the master wakes up from select(). Based on + code by Erik Forsberg, Linkoping University, Sweden. File: + master/master_sig.c. Disabled until after the major release. + + Code cleanup: Postfix should now run with no alias database. + + Code cleanup: local_destination_recipient_limit and + local_destination_concurrency_limit have become first-class + configuration parameters. Files: global/mail_params.h, + *qmgr/qmgr.c, postconf/postconf.c. + +20010226 + + Documentation suggestions by Lars Hecking and Richard + Huxton, Matthias Andree and many others. + + Code cleanup: some queue/transport operations need to be + moved, after the code cleanup of the recipient/concurrency + limit handling. Patrik Rak. Files: *qmgr/qmgr_message.c. + +20010301 + + Feature: configurable name in syslog output (default: + "syslog_name = postfix") so that different Postfix instances + can be recognized by their logging. File: global/mail_task.c. + +20010313 + + Workaround for logic mismatch in nqmgr that was exposed + with the introduction of the asynchronous bounce client. + Patrik Rak. + +20010313 + + Bugfix: the RFC 822 untokenizer quoted newlines inside + comments. File: global/tok822_parse.c. + +20010316 + + Cleanup: removed an extraneous warning when a queue file + write error happened. + +20010321 + + Workaround: LMTP connection caching never worked for + destinations starting with unix: or inet:. File: + lmtp/lmtp_connect.c. + +20010322 + + Portability: Solaris <2.6 does not have srandom() and + random() in libc. File: util/rand_sleep.c. It does not have + to be cryptographically strong. + + Bugfix: the fast ETRN flush server could not handle [ipaddr] + or domain names with one-character hostname part. This + fix changes the destination to logfile name mapping, so + that you need to populate the new files with "sendmail -q". + The old files go away automatically. File: flush/flush.c. + +20010327 + + Speed up mailq (sendmail -bp) display by flushing output + after each file. File: showq/showq.c. + + Portability: missing string.h includes, %p wants (void *), + Lamont Jones, HP. + +20010328 + + Bugfix: swapped logic caused cleanup to stall when the + queue file size exceeded the file size limit by less than + one the VSTREAM buffer size, so that the "file too big" + was detected after flushing the last queue file record. + File: cleanup/cleanup.c. + +20010329 + + Portability: workaround for missing prototype problem in + dict_ldap.c. This module should move to the global directory, + because it depends on Postfix main.cf parameter information. + + Workaround: after sending a trigger message over a socket, + do not immediately close the client side, but close it from + a background thread that waits until the server closes the + socket first. This avoids trouble with socket implementations + that destroy a socket when the client closes a socket before + the server has received the client's data. Files: + util/{inet,unix,stream}_trigger.c, util/events.c, + master/master_trigger.c, postkick/postkick.c. + +20010403 + + Workaround: the mysql library can return null pointers + rather than zero-length strings. File: util/dict_mysql.c. + +20010404 + + Ergonomics: log additional information about the reason + why "mail for XXX loops back to myself" when the local + machine is the best MX host. File: smtp/smtp_addr.c. + +20010406 + + Changed some noisy LDAP client warnings into optional + logging. LaMont Jones, util/dict_ldap.c. + +20010411 + + Bugfix: the SMTP server now replies with 550 instead of + 503 when it receives the DATA command without having received + a valid recipient address. This is needed for the Sendmail + client-side pipelining implementation. Problem reported by + Lutz Jaenicke. File: smtpd/smtpd.c. + + Cleanup: shut up if chattr fails on Reiserfs and other file + systems that do not support the respective attributes. + Files: conf/postfix-script-{no,}sgid. + +20010413 + + Ergonomics: Postfix applications now warn when a DB or DBM + file is out of date, and recommend to rebuild the table. + Files: util/dict_db.c, util/dict_dbm.c. + +20010414 + + Feature: specify a key of "-" to the postmap or postalias + -q or -d option, and the keys will be read from standard + input, one key per line. Files: postmap/postmap.c, + postalias/postalias.c. + + Bugfix: with a non-default inet_interfaces setting, the + master ignored host information in master.cf host:port + settings. Fix by Jun-ichiro itojun Hagino @ iijlab.net. + Files: master/master.h, master/master_ent.c. + +20010426 + + Bugfix: the SMTP server did not parse invalid MAIL FROM or + RCPT TO addresses such as <first last <user@domain>> the + way it was supposed to do. I thought this was taken care + of years ago. File: smtpd/smtpd.c. + +20010427 + + Bugfix: smtpd would reject mail instead of replying with + a 4xx temporary error code when, for example, an LDAP or + mysql server was unavailable. Remotely based on a fix by + Robert Kiessling @ de.easynet.net. File: smtpd/smtpd_check.c. + +20010429 + + Feature: the Postfix SMTP client now by default randomly + shuffles destination IP addresses of equal preference. + Specify "smtp_randomize_addresses = no" to disable. + Shuffling code by Elias Levy @ SecurityFocus.com Files: + dns/dns_rr.c, smtp/smtp_addr.c. + +20010501 + + Bugfix: The SMTP server's 550 in reply to DATA should be + a 554 response. And it wasn't Sendmail. Claus Assman. + + Bugfix: the INSTALL.sh test for non-interactive upgrade + broke rooted installations that specify settings via the + environment. Simon Mudd. + + Bugfix: mailq output is now really flushed one message at + a time. File: sendmail/sendmail.c. + + Feature: "postsuper -d queueID" deletes one message queue + file; "postsuper -d -" reads zero or more queue IDs from + standard input, and deletes one instance of each file. + File: postsuper/postsuper.c. + + Code cleanup: in order to make postsuper -d safe with a + running Postfix mail system, some routines had to be made + tolerant for sudden queue file disappearances. Files: + global/deliver_request.c, *qmgr/qmgr_move.c. + + Code cleanup: in order to make postsuper -d more usable, + the showq command was extended to safely list the possibly + world-writable maildrop directory. File: showq/showq.c. + +20010504 + + Feature: postsuper -d will also delete defer and bounce + logfiles when the named queue file is found. + +20010505 + + RFC 2821 feature: an SMTP server must reset all buffers + upon receipt of EHLO. File: smtpd/smtpd_check.c. + + RFC 2821 feature: an SMTP server must accept a recipient + address of "postmaster" without domain name. File: + smtpd/smtpd_check.c. + + RFC 2821 recommendation: reply with 503 to commands sent + after 554 greeting. File: smtpd/smtpd.c. + + RFC 2821 recommendation: if VRFY is enabled, list it in + the EHLO response. File: smtpd/smtpd.c. + + RFC 2821 recommendation: SMTP clients should use EHLO. + The default setting of smtp_always_send_ehlo has changed + from 0 (send EHLO if server greets with ESMTP) to 1 (always + send EHLO). In all cases, Postfix falls back to HELO if + the server does not support EHLO. File: smtp/smtp_proto.c. + +20010507 + + Bugfix: with soft_bounce=yes, the SMTP server would log + 5xx replies even though it would send 4xx replies to the + client (Phil Howard, ipal.net). File: smtpd/smtpd_check.c. + +20010515 + + Compatibility: Microsoft sends "AUTH=MBS_BASIC LOGIN". + Updated the parsing code in smtp/smtp_proto.c. Problem + reported by Ralf Tessmann, Godot GmbH. + +20010520 + + Standard: deleted the non-standard "via" portion from + Received: headers generated by Postfix bounce or other + notification processes. File: global/post_mail.c. + + Robustness: eliminated stack-based recursion from the RFC + 822 address parser. File: global/tok822_parse.c. + + Standard: annotated the source code with comments based on + RFC 2821 and 2822. Not all the RFC changes make sense. + + RFC 2821 recommendation: treat a RCPT 552 reply as if the + server sent 452. Files: smtp/smtp_proto.c, lmtp/lmtp_proto.c. + + Cleanup: moved ownership of the debug_peer parameters from + the applications to the library, so that a Postfix shared + library does not suffer from undefined references. Files: + smtp/smtp.c, lmtp/lmtp.c, smtpd/smtpd.c, global/mail_params.c. + LaMont Jones, for Debian. + +20010522 + + Feature: "postsuper -r queueID" re-queues a message, and + "postsuper -r ALL" re-queues all mail. The message is moved + to the maildrop queue so that the pickup daemon will copy + it to a new queue file, and so that address rewriting will + be done again. This is useful after changes of address + rewriting or virtual mappings. + + Feature: "postsuper -d ALL [queue-name]" deletes a bunch + of mail. + +20010523 + + Feature: "postsuper -s" (which is done by default) renames + queue files whose name (queue ID) does not match the message + file inode number. + + Bugfix: memory leak in the LDAP client module. Alain + Thivillon, France Teaser - Groupe Firstream. + +20010525 + + Portability: gcc 2.6.3 does not have __attribute__ (Clive + Jones, dgw.co.uk). File: util/sys_defs.h. + + Bugfix: the SMTP and LMTP clients claimed that a queue file + needed to be delivered again (even when all recipients were + erased from the queue file) when no QUIT or RSET reply was + received (by default, this does not happen with SMTP mail + because the SMTP client does not wait for QUIT replies and + does not send RSET to deliver mail). As a result of the + same bug the LMTP client followed a dangling pointer when + sending QUIT after process idle timeout while the LMTP + server had disconnected. Files: smtp/smtp_proto.c, + lmtp/lmtp_proto.c. + +20010526 + + newaliases no longer complains when an empty list is + specified with the alias_database configuration parameter. + File: sendmail/sendmail.c. + +20010529 + + Workaround: old PIX firewall code messes up when the final + ".<CR><LF>" at the end of DATA spans a packet boundary. + When Postfix detects PIX SMTP fixup mode, Postfix flushes + the output buffers before sending the final ".<CR><LF>". + File: smtp/smtp_proto.c. + +20010530 + + Portability: updated code for Mac OS X, accounting for the + post-Beta changes. Code by Joe Block, UCF School of + Optics/CREOL. + +20010601 + + Safety: postdrop turns off interrupts when cleaning up + after interrupt. The additional safety does not hurt anyone. + File: src/postdrop/postdrop.c. + +20010607 + + Safety: dropped the RFC 2821 compliant code that treats + 552 RCPT TO replies as 452. It created more problems than + it solved. Files: smtp/smtp_proto.c, lmtp/lmtp_proto.c. + + Logging: the SMTP server now logs a warning if RBL lookups + have problems other than "not found". file: smtpd/smtpd_check.c. + +20010610 + + Feature: address quoting and case folding flags for the + pipe(8) mailer. + +20010611 + + Workaround: some MTAs fall on their face when they receive + unexpectedly long lines. From now on, Postfix defaults to + breaking long lines at 2048 (like Sendmail so it has got + to be right). To get the old, content preserving, behavior + specify "smtp_truncate_lines = no". File: smtp/smtp_proto.c. + +20010614 + + Bugfix: did not really undo 2821 552->452 mapping. + +20010628 + + Bugfix: postfix-script used a hard-coded maildrop group + owner instead of using the install-time specified name + stored in /etc/postfix/install.cf. Problem reported by + David Terrell @ meat.net. + +20010701 + + Feature: mail_spool_directory ending in / causes maildir + style delivery. + + Bugfix: the FreeBSD kernel parameters kern.ipc.nmbclusters + and kern.ipc.maxsockets cannot be set with sysctl commands. + File: html/faq.html. Len Conrad @ Go2France.com. + + Cleanup: the virtual delivery agent was poorly integrated + so that the SMTP server and queue manager did not reject + mail for unknown users. Files: smtpd/smtpd_check.c. + +20010705 + + Feature: QMQP server, compatible with qmail and the ezmlm + list manager. Files: util/netstring.[hc], qmqpd/qmqpd*.c. + +20010706 + + Feature: QMQP stress test message generator program. Files: + smtpstone/qmqp-source.c, smtpstone/qmqp-sink.c. + +20010708 + + Bugfix: with disable_dns=yes, the SMTP client treated all + host lookup errors as permanent. File: smtp/smtp_addr.c. + +20010709 + + Feature: VERP support, based on a patch by Peng Yong, and + with the missing parts filled in so that the Postfix bounce + daemon can send one VERP bounce per undeliverable recipient. + Files: , sendmail/sendmail.c, smtpd/smtpd.c, qmgr/qmgr_deliver.c, + bounce/bounce_notify_verp.c, qmqpd/qmqpd.c, plus a couple + support routines in the global library. + + Cleanup: with recipient_delimiter=+ (or any character other + than -) Postfix will now recognize address extensions even + with owner-foo+extension addresses. This is necessary to + make VERP work for mailing lists. + +20010710 + + Bugfix: potential memory leak in the queue managers with + the new VERP delimiter record. Fix by Patrik Rak. + +20010711 + + Cleanup: you can now specify the VERP delimiter characters + on the sendmail(1) command line, but they are still optional. + + Safety: with maildir style delivery and with hashed mailboxes + the system mail spool directory must not be world writable. + +20010713 + + Safety: the verp_delimiter_filter parameter (default: -=+) + limits what characters Postfix accepts as VERP delimiter + characters. + +20010714 + + Logging: the queue manager now logs a "status=expired" + record when it returns a message that is too old. Files: + *qmgr/qmgr_active.c. + +20010719 + + Feature: stiffer coupling between mail receiving rates and + mail delivery rates, using a trivial token-based scheme, + implemented by reading and writing an in-memory pipe. The + queue manager produces one token when it retrieves mail + from the incoming queue. The cleanup daemon consumes one + token when it adds mail to the incoming queue. If no token + is available the cleanup server pauses for $in_flow_delay + seconds and proceeds anyway. The delay allows mail sending + process to catch up and access the disk while not blocking + inbound mail. Valid delays are 0..10 seconds. + +20010727 + + Bugfix: updated LDAP client module from LaMont Jones, HP. + This also introduces new LDAP query filter patterns: %u + (address localpart) and %d (domain part). Files: + conf/sample-ldap.cf, util/dict_ldap.c. + +20010729 + + Bugfix: recursive smtpd_whatever_restrictions clobbered + intermediate results when switching between sender and + recipient address restrictions. Problem found by Victor + Duchovni, morganstanley.com. In order to fix, introduced + address resolver result caching, which should also help to + speed up sender/recipient address restriction processing. + + Bugfix: the not yet announced DUNNO access table lookup + result did not prevent lookups with substrings of the same + lookup key. Found by Victor Duchovni, morganstanley.com. + +20010730 + + Robustness: trim trailing whitespace from regexp and pcre + right-hand sides, for consistency with DB/DBM tables. + Files: util/dict_pcre.c, util/dict_regexp.c. + +20010731 + + Robustness: eliminate duplicate IP addresses after expansion + of hostnames in $inet_interfaces, so that Postfix does not + suddenly refuse to start up after someone changes the DNS. + Files: util/inet_addr_list.c global/own_inet_addr.c. + + Feature: specify "disable_verp_bounces = yes" to have + Postfix send one RFC-standard, non-VERP, bounce report for + multi-recipient mail, even when VERP style delivery was + requested. + +20010801 + + Bugfix: postconf was using unexpanded values internally + for myhostname, inet_interfaces, and mynetworks_style. + This broke the "postconf -d" mynetworks computation. File: + postconf/postconf.c. + +20010803 + + Feature: masquerade_classes parameter for fine control of + address masquerading. The default setting is backwards + compatible: envelope_sender header_sender header_recipient. + Files: cleanup/whatever.c. + +20010822 + + Code cleanup: the bounce daemon complained about data that + it was not going to send back anyway. Fix: stop reading + the original message when the bounce message reaches the + bounce message size limit. File: bounce/bounce_notify_util.c. + +20010826 + + Logging: postsuper now logs the queue ID when it requeues + a message, or when it deletes a message from the mail queue. + File: postsuper/postsuper.c. + +20010830 + + Safety: the SMTP server now sends a 4xx (try again later) + response when an UCE restriction is misconfigured, instead + of ignoring the bad restriction and possibly accepting mail + that it should not accept. File: smtpd/smtpd_check.c. + +20010907 + + Workaround: the Postfix qmqp-source program produced mail + not ending in newline. qmail-qmqpd accepts such mail, but + qmail-remote is unable to deliver it. Matthias Andree, + uni-dortmund.de. File: smtpstone/qmqp-source.c. + +20010910 + + Bugfix: the smtp-sink stress test program broke when RCPT + TO commands crossed network packet boundaries. Problem + reported by Matthias Andree, uni-dortmund.de. File: + smtpstone/smtp-sink.c. + +20010917 + + Code cleanup: permit_mx_backup implements the old behavior + (accept mail if the local MTA is MX relay), and allows an + additional restriction via the permit_mx_backup_networks + parameter (accept mail only if the primary MX hosts match + the specified list of network blocks). This second restriction + is now entirely optional, for backwards compatibility. + + Bugfix: an address extension could be appended multiple + times to the result of a canonical or virtual map lookup. + File: global/mail_addr_map.c. Fix by Victor Duchovni, + Morgan Stanley. + + Bugfix: split_addr() would split an address even when there + was no data before the recipient delimiter. In combination + with the above bug, this could cause an address to grow + exponentially in size. Problem reported by Victor Duchovni, + Morgan Stanley. File: global/split_addr.c. + +20010918 + + Bugfix: the mail_addr_map() fix was almost but not quite + right. It took two clever people and several iterations of + email to really fix the mail_addr_map() problem. Thanks + to Victor Duchovni and Liviu Daia. + +20011006 + + Cleanup: Postfix no longer flushes the whole deferred queue + after an ETRN request for a random domain name (i.e. a + domain name not matched by $fast_flush_domains); the SMTP + server instead replies with "459 service unavailable". + Files: smtpd/smtpd.c, global/flush_clnt.c, flush/flush.c. + +20011008 + + Bugfix: there was a minute memory leak when an smtpd access + restriction was misconfigured. File: smtpd/smtpd_check.c. + +20011010 + + Code cleanup: Postfix daemons now print the name of the + UNIX-domain socket (instead of "unknown stream") in case + of a malformed client request. Files: master/*server.c. + +20011010-14 + + Code cleanup: replaced the ugly mail_print() and mail-scan() + protocols by (name,value) attribute lists. This gives better + error detection when we make changes to internal protocols, + and allows new attributes to be introduced without breaking + everything immediately. Files: util/attr_print.c util/attr_scan.c + global/mail_command_server.c global/mail_command_client.c + as wel as most Postfix applications and daemons. + +20011015 + + Put base 64 encoding into place on the replaced internal + protocols. Files: util/base64_code.[hc]. + + Feature: header/body REJECT rules can now provide text that + is sent to the originator. Files: cleanup/cleanup.c, + cleanup/cleanup_message.c, conf/sample-filter.cf. + +20011016 + + Bugfix: As of 20000625, Errors-To: was broken, because the + code to extract the address was not moved from recipient + address rewriting to sender address rewriting. Problem + reported by Roelof Osinga @ nisser.com. File: + cleanup/cleanup_message.c. + +20011029 + + Bugfix: virtual map expansion terminated early because the + detection of self-referential entries was flawed. File: + cleanup/cleanup_map1n.c. + +20011031 + + Bugfix: mail_date() mis-formatted negative time zone offsets + with fractional hours (-03-30 instead of -0330). Fix by + Chad House, greyfirst.ca. File: global/mail_date.c. + +20011102 + + Feature: new -f option to postmap and postalias (do not + lowercase the lookup key while creating a table). Files: + util/dict.h postmap/postmap.c postalias/postalias.c. + + Code cleanup: simplified the attribute print/scan routines, + and removed the never-used support for sending and receiving + integer arrays and string arrays. Files: util/attr_print.c, + util/attr_scan.c. + + Bugfix: qmqpd could read past the end of a string while + looking for qmail's VERP magic token in the envelope sender + address. File: qmqpd/qmqpd.c. + + Code cleanup: finished testing the new internal protocols. + The only bug was with the flush server, which still needs + to support the old (string + null byte) protocol for triggers + from the Postfix master daemon. + +20011103 + + Bugfix: Postfix would log the wrong error text when locally + submitted mail was deferred due to "soft_bounce = yes". + + Bugfix: The LDAP client dropped any entries that don't have + the result_attribute, but errored out when a DN didn't + exist. The behavior is now consistent: treat non-existant + DN's in a special result attribute expansion the same as + DN's with no attribute. LaMont Jones, HP. + +20011104 + + Bugfix: the new smtp-sink -n option (terminate after the + specified number of deliveries) wasn't optional. + + Portability: updated Mac OS X documentation and install + scripts by Gerben Wierda. + +20011105 + + Bugfix: missing terminator in new attribute-based function + call caused signal 11. File: src/cleanup/cleanup.c. + + Lame workaround for ESTALE errors with mail delivery over + NFS. Additional bandages were added to the local delivery + agent. However, Wietse maintains that Postfix offers no + guarantee for reliable delivery over NFS. + + Feature: put "warn_if_reject" before an smtpd restriction, + and that restriction logs warnings without rejecting mail. + This makes it easier to test configurations "live" without + having to lose mail. File: smtpd/smtpd_check.c. + +20011107 + + Workaround: in order to get mail past PIX firewall bugs, + the Postfix SMTP client now blocks until the socket send + buffer is empty before sending the final ".<CR><LF>". Files: + util/sock_empty_wait.c, smtp/smtp_proto.c. Changed into + sleep(10) on 20011119. Sleep suggested by Hobbit. + +20011108 + + Feature: added string-null encoding for internal protocols. + Files: util/attr_print0.c, util/attr_scan0.c. + + Feature: configurable parent domain matching for domain + and hostname/address match lists: either .domain or the + domain name itself. Files: util/match_ops.c util/match_list.c + + Feature: added pretend-to-be-behind-PIX mode to the smtp-sink + test program, in order to stress test some PIX bug workaround + code. + +20011109 + + Workaround: Linux and Solaris systems have no reasonable + way to block until a socket drains. On these systems Postfix + simply waits for 10 seconds, in order to work around PIX + ".<CR><LF>" bugs. File: util/sock_empty_wait.c. + +20011114 + + Bugfix: reset the smtpd command transaction log between + deliveries. File: smtpd/smtpd.c. + +20011115 + + Feature: mailbox_command_maps no longer requires that every + user has an entry. If the user does not have a command + entry, the local delivery agent tries the other delivery + methods (mailbox_command, home_mailbox). File: local/mailbox.c. + + Bugfix: reset the smtpd command transaction log between + non-deliveries. File: smtpd/smtpd.c. + +20011116 + + Bugfix: consolidated all the command transaction log resets + and eliminated one missing reset (Victor Duchovni, Morgan + Stanley). File: smtpd/smtpd.c. + +20011118 + + Cleanup: replaced unnecessary match_list wrapper code by + macros. Files: global/{string,domain,namadr}_list.[hc]. + +20011119 + + Feature: configurable parent domain matching strategy for + transport map lookups. File: trivial-rewrite/transport.c. + + New parent_domain_matches_subdomains parameter. This lists + all the Postfix features where a domain name matches itself + and all its subdomains (instead of requiring ".domain.name" + for subdomain matches). Planning for future backwards + compatibility :-) File: global/match_parent_style.c. + + Workaround: simplified the PIX ".<CR><LF>" bug to always + sleep for 10 seconds. File: smtp/smtp_proto.c. + +20011120 + + Workaround: disable attribute string length restriction so + that trivial-rewrite does not refuse to rewrite broken mail + headers. Files: util/attr_scan*.c. + +20011121 + + Bugfix: missing long integer support in the new IPC protocols. + Files: util/attr_scan*.c, util/attr_print*.c. + + Portability: AIX5 (Adrian P. van Bloois), MAC OS X 10.1.1 + (Gerben Wierda). + +20011125 + + Bugfix: spurious postmaster notifications because some flag + was not reset. + + Feature: new parameter smtpd_sender_login_maps that specifies + the (SASL) login name that owns a MAIL FROM address. + Specify a regexp table in order to require a simple one-to-one + mapping. This is used in the reject_sender_login_mismatch + sender anti-spoofing feature. + + Feature: restriction reject_sender_login_mismatch refuses + a MAIL FROM address when $smtpd_sender_login_maps specifies + an owner but the client is not (SASL) logged in as the MAIL + FROM address owner, or when a client is (SASL) logged in + but the client login name does not own the MAIL FROM address + according to $smtpd_sender_login_maps. File: smtpd/smpd_check.c. + + Documentation: added some redundancy to the LMTP_README + file so people can keep track of the difference between + the Postfix LMTP client and the non-Postfix LMTP server. + +20011126 + + Feature: smtpd_noop_commands specifies a list of commands + that are treated as NOOP (no operation) commands, without + syntax check or state change. File: smtpd/smtpd.c. + + Bugfix: the "mark queue file as corrupt" code did not work + because it was never used. Files: global/mark_corrupt.c, + global/mail_copy.c, global/pipe_command.c, *qmgr/qmgr_active.c, + local/maildir.c, local/mailbox.c, local/command.c, pipe/pipe.c, + virtual/mailbox.c, virtual/maildir.c. + + Bugfix: the bounce daemon broke in the unlikely case of a + non-existing queue file. File: bounce/bounce_notify_util.c. + +20011127 + + Feature: added WARN command to header/body_checks files as + proposed by Michael Tokarev. File: cleanup/cleanup_message.c. + + Bugfix: the postdrop program was broken after the change + of Postfix internal protocols. This broke "sendmail -bs" + mail submissions with "secure" maildrop directory. Reported + by Craig Loomis, apo.nmsu.edu. File: postdrop/postdrop.c. + + Feature: a first start at fault injection for testing + unlikely error scenarios (such as corrupt queue files). + Parameter: fault_injection_code, must be left at zero for + production use. + +20011128 + + Robustness: add a file size limit to the sendmail and + postdrop submission programs to stop run-away process + accidents. This is not a defense against DOS attack. Files: + sendmail/sendmail.c, postdrop/postdrop.c. + + That resulted in a considerable amount of work to properly + propagate "file too large" conditions back to the sendmail + mail posting user interface. Took the opportunity to express + other mail submission fatal exits with the <sysexits.h> + exit status codes. Files: sendmail/sendmail.c, + postdrop/postdrop.c. + +20011129 + + Maintenance: dict_ldap.c wasn't updated after the revision + of the string matching routines. File: util/dict_ldap.c. + +20011208 + + Maintenance: LDAP module and documentation from LaMont + Jones. This version adds verbose logging for LDAP library + routines. Files: src/util/dict_ldap.[hc], LDAP_README, + conf/sample-ldap.cf + + Portability: made memory alignment restrictions configurable. + File: util/mymalloc.c. + + Bugfix? Avoid surprises with source routed destinations + and OK entries in SMTPD access maps. File: smtpd/smtpd_access.c. + + Security: "postfix check" looks for damage by well-intended + but misguided use of "chown -R postfix /var/spool/postfix". + That would make chrooted Postfix less secure than non-chrooted + Postfix. These extra tests may cause complaints with + third-party patches such as TLS that introduce their own + files into the jail. + + Feature: static map type that always returns the map name + as lookup value, regardless of lookup key value. Contributed + Jeff Miller (jeffm at ghostgun.com) + + Feature: turn off the PIX <CR><LF>.<CR><LF> workaround for + the first mail delivery attempt, i.e. when mail is queued + for less than $smtp_pix_workaround_threshold_time (default: + 500) seconds. New parameter $smtp_pix_workaround_delay_time + to control the delay before sending .<CR><LF> (default: 10 + seconds) when doing the PIX <CR><LF>.<CR><LF> workaround. + +20011210 + + Bugfix: the 20011128 change in sendmail and postdrop did + not handle the case of message_size_limit=0. Fix by Will + Day, Georgia Tech. + +20011212 + + Compatibility: The SMTP server now accepts <CR><CR><LF> as + if the client sent <CR><LF>. Reportedly, some badly written + windows software produces such garbage, and some badly + written windows anti-VIRUS software cannot handle such + garbage. File: global/smtp_stream.c. + +20011214 + + Bugfix: postmap/postalias queries ignored the -f flag. + Reported by Hamish Marson. + +20011217 + + Compatibility: Sendmail now has a -L option to set the + syslogging label. Postfix sendmail uses syslog_name instead, + and ignores the -L option. + + Security: subtle hardening of the Postfix chroot jail, + Postfix queue file permissions and access methods, in case + someone compromises the postfix account. Michael Tokarev, + who received the insights from Solar Designer, who tested + Postfix with a kernel module that is paranoid about open() + calls. Files: master/master_wakeup.c, util/fifo_trigger.c, + postfix-script. + + Convenience: issue a warning instead of aborting when the + local machine name is not in fully-qualified domain form. + This would otherwise break initial postfix installation + which needs the postconf command. File: global/mail_params.c. + +20011220 + + Added more garbage detection to postconf -e input processing. + +20011221 + + Feature: SMTPD access map lookups of null sender addresses. + If your access maps cannot store or look up null string + key values, specify "smtpd_null_access_lookup_key = <>" + and the null sender address will be looked up as <> instead. + File: smtpd/smtpd_access.c. + +20011223 + + Safety: configuration file comments no longer span multiple + lines when the next line begins with whitespace; multi-line + input is no longer terminated by a comment line, by an all + white space line, or by an empty line. Michael Tokarev made + the crucial suggestion to simplify the readline routine. + Files: util/readlline.c, postconf/postconf.c. + + Cleanup: proper detection of big number overflow in EHLO + and MAIL FROM size announcements, with input from Victor + Duchovni, Morgan Stanley. Files: global/off_cvt.c, + smtpd/smtpd.c, smtp/smtp_proto.c, util/alldig.c. + + Forward compatibility: added queue file record types for + original recipient and for generic named attributes. + + Cleanup: safe_open() now returns sensible errno values so + that the fifo_trigger() external interface is restored. + +20011225 + + Upgrade: PCRE_README now describes PCRE version 3.x. + + Cleanup: flush SMTPD command history upon receipt of EHLO, + RSET, and upon DATA completion, only if it exceeds + $smtpd_history_flush_threshold lines (default: 100). + Distant derivative of code by Michael Tokarev. File: + smtpd/smtpd.c. + +20011228 + + Bugfix: a readlline() error message showed less text than + intended. Christian von Roques. + + Cleanup: postfix now installs with group-writable maildrop + directory and with a set-gid postdrop mail submission + command. The pickup service is now unprivileged. The + world-writable maildrop directory no longer exists. + + The cleanup service is now public, in preparation for local + sendmail/postdrop mail submission that avoids the maildrop + queue directory while Postfix is up. + + Cleanup: moved the main.cf/master.cf file editing from the + postfix-script file to the INSTALL.sh file. + + Cleanup: INSTALL.sh no longer accepts "no" as the destination + of Postfix manual pages. + +20011230 + + Cleanup: the code for "mailq", "sendmail -q", and for + "sendmail -qRsite" was moved from the sendmail command to + a new set-gid postqueue command. The pickup and qmgr FIFOs + are no longer world writable. Files: sendmail/sendmail.c, + postqueue/postqueue.c. + +20020101 + + Security: new alternate_config_directories parameter that + specifies what directories a set-gid command will accept + as its configuration directory. The list must be specified + in the default main.cf file. File: global/mail_conf.c. + + Cleanup: "sendmail -qRsite" is no longer implemented by + connecting to the SMTP port. It is now implemented by + talking to the fast flush service. File: postqueue/postqueue.c. + +20020203 + + Cleanup: INSTALL.sh now records all installation information + in the main.cf file. The now obsolete install.cf file is + used only when upgrading from an older Postfix release. + + Cleanup: INSTALL.sh now takes name=value settings on the + command line, and has a new "-upgrade" command line option + to turn on non-interactive installation. + + Security: additional run-time checks to discourage sharing + of Postfix user/group ID values with other accounts. + +20020105 + + Cleanup: SMTPD access maps now return DUNNO (undetermined) + instead of OK when a recipient address contains multiple + domains (user@dom1@dom2, etcetera). Victor Duchovni, Morgan + Stanley. File: smtpd/smtpd_check.c. + +20020106 + + Bugfix: SMTPD access maps did not handle address extensions. + File: smtpd/smtpd_check.c. + +20020107 + + Bugfix: postfix-script, when creating a missing maildrop + queue directory, still referenced install.cf when setting + maildrop directory group ownership; and the postfix command + did not export the setgid_group parameter to the postfix-script + shell script. Victor Duchovni. + + Bugfix: postfix-script, when creating a missing public + queue directory, did not set group ownership of the public + directory. + +20020109 + + Cleanup: rewrote the Postfix installation procedure again. + It is now separated into 1) a primary installation script + (postfix-install) that installs files locally or that builds + a package for distribution and that stores file owner and + permission information in /etc/postfix/post-files, and 2) + a post-installation script (/etc/postfix/post-install) that + creates missing directories, that sets file/directory + ownership and permissions, and that upgrades existing + configuration files if necessary. + +20020110 + + Workaround: AIX null read() return on an empty but open + non-blocking pipe. File: master/master_flow.c. Report: + Hamish Marson. + +20020111 + + Feedback: feedback, bugfixes, and brain-dead shell workarounds + for the install scripts by Victor Duchovni and Simon Mudd. + +20020113 + + Rewrote postfix-install. The postfix-files file now controls + what is installed. Refined the semantics of many post-install + operations. post-install now auto-saves settings that + override main.cf. + +20020114 + + Bugfix: alternate_config_directories did not take comma or + whitespace as separators. File: global/mail_conf.c. Victor + Duchovni, Morgan Stanley. + + Bugfix: the rewritten postfix-install script did not chattr + +S the Postfix queue. + +20020115 + + Cleanup: added sample_directory and readme_directory + installation parameters for sample configuration files and + for README files. Files: postconf.c, postfix-install, + conf/postfix-files, conf/post-install. + + Robustness: the postfix command now exports all installation + parameter settings, and input filters the environment, so + that the startup shell scripts produce a consistent result. + Files: postconf.c. + +20020117 + + Portability: patch from LaMont Jones for compiling dict_ldap.c + with the Netscape SDK. + + Feature: added "r" (recursive chown/chgrp) flag to the + postfix-files database, for more convenient change of + Postfix queue ownership. Files: conf/postfix-files, + conf/post-install. + +20020122 + + Documentation: lots of little fixes. + + Documentation: updates for the VIRTUAL_README file by Victor + Duchovni, Morgan Stanley. + + Bugfix: postqueue -s dereferenced a null pointer when given + a numerical domain argument. LaMont Jones, HP. + + Cleanup: smtpd now logs a warning when permit_sasl_authenticated + is used while SASL authentication is disabled, instead of + simply ignoring the restriction. LaMont Jones, HP. File: + smtpd/smtpd.c. + + Safety: when postmap creates a non-existent file, the new + file inherits group/other read permissions from the source + file. Based on code by LaMont Jones, HP. File: + postmap/postmap.c. + +20020123 + + Portability: some Linux systems install libnsl.so without + libnsl.a file, causing an yp_match undefined reference + problem. File: makedefs. + +20020124 + + Portability: post-install now requests that command_directory + is given on the command line when the postconf command is + in an unusual place. + + Safety: extra code to detect and report Berkeley DB version + mismatches between compile time and run time. This test + is limited to mismatches in the major version number only. + File: util/dict_db.c. Based on code by Lawrence Greenfield, + Carnegie-Mellon university. + + Safety: the postfix command and the master daemon abort if + they are running set-uid. + + Documentation: the postmap manual page described an out of + date input file format. + +20020129 + + Workaround: SCO version 3.2 can't ioctl(FIONREAD) a pipe. + Therefore, input mail flow control is disabled by default. + Files: makedefs, global/mail_params.h, conf/main.cf. + Problem reported by Kurt Andersen, Agilent. + +20020201 + + Workaround: changed the default smtpd_null_access_lookup_key + setting to <>, because some Bezerkeloid DB implementations + can't handle null-length lookup keys. File: global/mail_params.h. + + Bugfix: backed out a null-length address panic call by + ignoring the problem, like Postfix did in the past. File: + global/resolve_local.c. + + Safety: "postfix check" will now warn if /usr/lib/sendmail + and /usr/sbin/sendmail differ, and will propose to replace + one by a symlink to the other. File: conf/postfix-script. + +20020204 + + Sanity: additional permission checks for "postfix check" + that warn for setgid_group group ownership mismatches. by + Matthias Andree, uni-dortmund.de. File: conf/postfix-script. + + Bugfix: "postfix check" used a too simplistic way to + recognize file ownership (grepping ls output). It now uses + the recently discovered "find -prune". Peter Bieringer, + Matthias Andree. File: conf/postfix-script. + +20020218 + + Workaround: log a warning and disconnect when an SMTP client + ignores our negative replies and starts sending message + content without permission. File: smtpd/smtpd.c. + +20020220 + + Bugfix: mismatch in the file being locked by dict_dbm and + the file being locked by postmap, so that locks did not + work correctly. Victor Duchovni, Morgan Stanley. + +20020222 + + Workaround: Solaris bug 4380626: strcasecmp() and strncasecmp() + produce incorrect results with 8-bit characters. For example, + non-ASCII characters could compare equal to ASCII characters, + and that could result in any number of security problems. + Files: util/strcasecmp.c, COPYRIGHT (the BSD license). + + Bugfix: off-by-one error, causing a null byte to be written + outside dynamically allocated memory in the queue manager + with addresses of exactly 100 bytes long, resulting in + SIGSEGV on systems with an "exact fit" malloc routine. + Experienced by Ralf Hildebrandt; diagnosed by Victor + Duchovni. Files: *qmgr/qmgr_message.c. This is not a + security problem. + + Bugfix: make all recipient comparisons transitive, because + Solaris qsort() causes SIGSEGV errors otherwise. Victor + Duchovni, Morgan Stanley. File: *qmgr/qmgr_message.c. + +20020302 + + Bugfix: don't strip source route (@domain...:) when the + result would be an empty address. This avoids problems when + append_at_myorigin is set to "no" (which is not supported). + Problem reported by Charles McColgan, Big Fish Communications. + File: trivial-rewrite/rewrite.c. + +20020304 + + Cleanup: postqueue should not not complain when output + fails with "broken pipe". + +20020308 + + Bugfix? reply with 550 not 552 when content is rejected. + 552 is reserved for "too much mail". + + Documentation: add note to sendmail manual page that running + "sendmail -bs" as $mail_owner enables SMTP server UCE and + access control checks. This is meant for use from inetd + etc. Matthias Andree. + +20020311 + + Bugfix: DBM maps should use different files for locking + and for change detection. Problem reported by Victor + Duchovni, Morgan Stanley. Files: util/dict.h util/dict.c + util/dict_db.c util/dict_dbm.c global/mkmap.c local/alias.c. + +20020313 + + Bugfix: mailq could show addresses with unusual characters + twice. Problem reported by Victor Duchovni, Morgan Stanley. + File: showq/showq.c. + + Bugfix: null recipients weren't properly recorded in + bounce/defer logfiles. Such recipient addresses are not + accepted in SMTP mail, but they could appear within locally + submitted mail. File: bounce/bounce_append_service.c. + +20020318 + + Workaround: Berkeley DB can't handle null key lookups, + which happen with HELO names ending in ".". Victor Duchovni, + Morgan Stanley. File: smtpd/smtpd_check.c. + + Logging: log a hint when mail is deferred because the + soft_bounce parameter is set. People sometimes forget to + turn it off. File: global/bounce.c. + +20020319 + + Cleanup: add a msg_warn() call when fork() fails in + pipe_command(), to make problems easier to investigate. + Chris Wedgwood. File: global/pipe_command.c. + +20020320 + + Feature: smtp_helo_name parameter to specify the hostname + or [ip.address] in HELO or EHLO commands. Files: smtp/smtp.c + smtp/smtp_proto.c. + +20020324 + + Cleanup: more graceful handling of long physical message + header lines upon input. Physical header lines can now + extend up to $header_size_limit characters. When a logical + message header is too long, the excess text is discarded + and Postfix no longer switches to body mode, to avoid + breaking MIME encapsulation. Based on code by Victor + Duchovni, Morgan Stanley. Files: cleanup/cleanup_out.c, + cleanup/cleanup_message.c. + + Cleanup: more graceful handling of long physical message + header or body lines upon output by the SMTP client. The + SMTP client output line length is controlled by a new + parameter smtp_line_length_limit (default: 990; specify 0 + to disable the limit). Long lines are folded by inserting + <CR> <LF> <SPACE>, to avoid breaking MIME encapsulation. + Based on code by Victor Duchovni, Morgan Stanley. File: + smtp/smtp_proto.c. + +20020325 + + Cleanup: allow additional text after a WARN command in a + header/body_checks pattern file, so that one can change + REJECT+text into WARN+text and vice versa. Based on code + by Fredrik Thulin, Stockholm University. + + Cleanup: log a warning when an unknown command is found in + a header/body_checks pattern file, or when additional text + is found after a command that does not expect additional + text. Based on code by Fredrik Thulin, Stockholm University. + + Bugfix: sendmail should not recognize "." as the end of + input when the current read operation started in the middle + of a line. Victor Duchovni, Morgan Stanley. File: + sendmail/sendmail.c. + +20020328 + + Portability fix for OPENSTEP and NEXTSTEP by Gerben Wierda. + File: util/sys_defs.h. + +20020329 + + Bugfix: defer_transports broke because the flush server + triggered mail delivery (as if ETRN was sent) while doing + some internal housekeeping of per-destination logfiles. + Problem experienced by LaMont Jones, HP. File: flush/flush.c. + + Bugfix: virtual mapping broke for addresses with embedded + whitespace. Fix by Victor Duchovni, Morgan Stanley. File: + cleanup/cleanup_map1n.c. + + Feature: configurable service name for the internal services: + bounce, cleanup, defer, error, flush, pickup, queue, rewrite, + showq. This allows you to specify, for example, a non-default + cleanup service (smtpd -o cleanup_service_name=alt_cleanup). + Files: global/mail_params.[hc]. + + Feature: SASL version 2 support by Jason Hoos. Files: + */*_sasl_glue.c, SASL_README, conf/sample-auth.cf. + +20020330 + + Bugfix: postqueue did not pass on non-default configuration + directory settings when running showq while the mail system + is down. The super-user is now exempted from environment + stripping in postqueue/postqueue.c. Problem reported by + Victor Duchovni, Morgan Stanley. + +20020402 + + Workaround: recognize more headers that are sent instead + of SMTP commands. File: smtpd/smtpd.c. + +20020413 + + Feature: new pipe delivery agent "D" flag to prepend a + Delivered-To: message header. This requires single recipient + deliveries. Based on code by Matthias Andree. File: + pipe/pipe.c. + +20020414 + + Portability: Postfix will no longer attempt to build with + gdbm support, because gdbm is broken. File: makedefs. + +20020415 + + Cleanup: the attribute list IPC code did not distinguish + between "disconnect" and "timeout" while reading an attribute + list, making trouble shooting more difficult than necessary. + Files: util/attr_scan0.c, util/attr_scan64.c. + + Cleanup: install parameter defaults can now be overruled + from makedefs: sendmail_path, mailq_path, newaliases_path, + command_directory, daemon_directory. Based on code by Victor + Duchovni, Morgan Stanley. File: util/sys_defs.h. + +20020411 + + Cleanup: Use more robust quoting passing makedefs/Makefile + settings. This also simplifies the seven backslashes example + in the INSTALL file. Victor Duchovni, Morgan Stanley. + Files: makedefs, INSTALL. + +20020417 + + Bugfix: the post-install script failed to upgrade master.cf + settings from private to public if the service was explicitly + configured as private. + +20020418 + + Documentation: added CPU saving patterns for quickly skipping + base 64 encoded text in message bodies. Liviu Daia. Files: + {proto,conf}/pcre_table, {proto,conf}/regexp_table, + conf/sample_{regexp,pcre}_body.cf. + +20020426 + + Bugfix: the SMTP client forgot to quote whitespace etc. + in a sender/recipient address when DNS lookup was turned + off (disable_dns_lookups = yes). Problem experienced by + Chip Paswater. Files: smtp/smtp_proto.c. + +20020501 + + Feature: wildcard lookup in transport maps (lookup key + "*"). Code developed with Lamont Jones, HP. + + Feature: a null transport:destination transport map entry + means proceed as if the transport map lookup failed. Code + developed with Lamont Jones, HP. + + Feature: more efficient use of cache memory when a process + opens multiple Berkeley DB tables; and faster performance + creating large tables by using more buffer memory. Files: + util/dict_db.[hc], global/mkmap_db.c. Victor Duchovni, + Morgan Stanley. + +20020503 + + Cleanup: postqueue silently ignored command-line arguments + following -p or -f options, instead of complaining; postqueue + produced an incorrect error message (mail system down) when + the command was installed with incorrect privileges. File: + postqueue/postqueue.c. + + Bugfix: while reporting a domain name or IP address syntax + error, postqueue could dereference a dangling pointer with + some getopt() implementations. LaMont Jones, HP. File: + postqueue/postqueue.c. + + Safety: postalias and postmap now drop root privileges + while processing a non-root input file. Thus, the result + should be writable to the source file owner. Specify the + -o option if this is a problem. Files: postmap/postmap.c, + postalias/postalias.c. + + Consistency: just like postmap, postalias now copies file + permissions from the source file when it creates a new + table for the first time. File: postalias/postalias.c. + +20020504 + + Portability: run-time test to avoid GDBM trouble. File: + util/dict_dbm.c. + +20020505 + + Cleanup: revised and simplified the transport map semantics. + Null transport or nexhop fields now mean: "do not change": + use what would be used if the transport map did not exist. + This change eliminated a lot of code. The incompatibility + is that a null transport field no longer defaults to + $default_transport, but to $local_transport or $default_transport + depending on the destination, and that a transport map only + overrides relayhost when the table specifies explicit + nexthop information. Files: trivial-rewrite/transport.c, + trivial-rewrite/resolve.c. + + Cleanup: revised the user interface for controlling the + Berkeley DB create and read buffer size controls. Files: + util/dict_db.[hc], global/mail_params.[hc], global/mkmap_db.c. + +20020507 + + Cleanup: simplified the hash/btree cache management code. + The caches are now per table instead of shared, and the + default read cache size is reduced to 128 kBytes. File: + util/dict_db.c. + +20020508 + + Bugfix: close user@domain@postfix-style.virtual.domain + source routing relaying loophole involving postfix-style + virtual domains with @virtual.domain catch-all patterns. + Problem reported by Victor Duchovni. File: smtpd/smtpd_check.c. + + Bugfix: mail_addr_map() used the "wrong" @ character in + addresses with multiple @. Victor Duchovni. File: + global/mail_addr_map.c. + + Bugfix: for address localpart quoting, now quote @ as a + special character everywhere, except when resolving addresses. + Previously, the @ was nowhere quoted as a special character, + not even in SMTP commands. Files: global/quote_82[12]_local.c + and clients. + +20020509 + + Safety: don't allow an OK access rule lookup result for + user@domain@postfix-style.virtual.domain. Suggested by + Victor Duchovni, Morgan Stanley. File: smtpd/smtpd_check.c. + + Bugfix: quote unquoted address localparts that need quoting. + Files: global/tok822_parse.c, global/quote_82[12]_local.c. + + Documentation: simplified the advanced content filtering + example, and included a more advanced example for those + who want to squeeze out more performance without running + multiple Postfix instances. Text by Victor Duchovni, Morgan + Stanley. File: README_FILES/FILTER_README. + +20020510 + + Feature: header/body filters now log the origin of the + message that is being rejected. Files: smtpd/smtpd.c, + qmqpd/qmqpd.c, pickup/pickup.c, cleanup/cleanup_envelope.c, + cleanup/cleanup_message.c. Requested by Craig Sanders, if + I remember correctly. + + Feature: the Postfix SMTP client now passes on MIME body + type information (8bit, 7bit) received via SMTP, via MIME + headers, or via the sendmail command line. Files: + global/deliver_request.c, smtpd/smtpd.c, sendmail/sendmail.c, + cleanup/cleanup_envelope.c, cleanup/cleanup_message.c, + cleanup/cleanup_extracted.c, *qmgr/qmgr_message.c, + *qmgr/qmgr_deliver.c, smtp/smtp_proto.c, lmtp/lmtp_proto.c. + +20020511 + + Feature: bounces now specify the proper MIME encoding (8bit, + 7bit), depending on the MIME body type information received + via SMTP, via MIME headers, or via the sendmail command + line. Files: global/bounce.c, global/defer.c, global/abounce.c, + bounce/bounce_service.c, bounce/bounce_notify_util.c. + +20020512 + + Cleanup: the SMTP client logged and bounced the CNAME + expanded recipient address, and thereby complicated trouble + shooting. File: smtp/smtp_proto.c. + + Bugfix: the SMTP and LMTP clients bounced the quoted + recipient address, resulting in too much quoting in bounce + reports. Files: smtp/smtp_proto.c, lmtp/lmtp_proto.c. + +20020513 + + Bugfix: the LDAP client used the "wrong" @ character in + addresses with multiple @. LaMont Jones, HP. File: + util/dict_ldap.c. + + Feature: lots of new LDAP stuff: result_filter (filter to + expand results from queries), chase_referrals, LaMont Jones, + HP. The LDAP bind timeout now works thanks to Victor + Duchovni, Morgan Stanley. File: util/dict_ldap.c. + + Cleanup: specify "resolve_dequoted_address = no" to prevent + Postfix from looking inside quotes for extra @ etc. characters + when resolving an address. This behavior is technically + more correct, but it opens a mail relay loophole with "user + @domain"@domain when relaying mail to a Sendmail system. + +20020514 + + Bugfix: the new code for header address quoting sometimes + did not null terminate strings so that arbitrary garbage + could appear at the end of message headers. Reported by + Ralf Hildebrandt. File: global/tok822_parse.c. + + Safety: user@domain@domain is no longer accepted by the + permit_mx_backup uce restriction (unless Postfix is configured + with "resolve_dequoted_address = no"). Victor Duchovni, + Morgan Stanley. File: smtpd/smtpd_check.c. + +20020515 + + Workaround: flush the SMTP client output buffer when no + output has happened for 10+ seconds. This prevents the + socket from timing out, in case DNS CNAME expansion is + slow. Problem experienced by Alex Erdelyi, peregrine.com. + File: smtp/smtp_chat.c. We did the same thing for the SMTP + server years ago, and one wonders why the coin didn't drop + at the time that the SMTP client could suffer from a similar + problem. + +20020516 + + Updated the FILTER_README file to turn off DNS lookups in + the SMTP client that feeds mail into a content filter. + +20020517 + + Cleanup: Mailbox-Line: message header labels should be + X-Mailbox-Line: labels. Files: smtpd/smtpd.c, qmqpd/qmqpd.c. + +20020515-21 + + Feature: new MIME parser, written from scratch, that + recognizes the structure of MIME encapsulated mail. Influenced + by comments from Victor Duchovni. This code can detect but + will not decode obscure MIME formats or obscure character + string encoding that Liviu Daia expresses concern about. + + MIME header scanning now happens in header_checks, and is + faster than body_checks could ever be. This also eliminates + the problem with multi-line MIME headers being matched one + line at a time. Files: global/mime_state.[hc], + cleanup/cleanup_message.c. + +20020521-22 + + Feature: 8-bit to quoted-printable conversion. First use + in the Postfix SMTP client. File: smtp/smtp_proto.c. + + Logging: the Postfix SMTP and LMTP clients now report the + the protocol stage when they report a server reply. File: + smtp/smtp_proto.c, lmtp/lmtp_proto.c. + + Bugfix: the SMTP server warned about ignored client attributes + (these were introduced 20020510) in mail that was submitted + with "sendmail -bs". File: smtpd/smtpd.c. + +20020525 + + Feature: separation of header checks into header_checks + (all primary headers except MIME related headers), + mime_header_checks (all MIME headers including MIME headers + at the start of messages) and nested_header_checks (headers + of attached messages, except MIME related headers). + + Cleanup: broke out the header value parser from the MIME + processor so that the code can be reused elsewhere. File: + global/header_token.c. + + Compatibility: Postfix now recognizes "name :" as a valid + message header, but normalizes it to "name:" form or else + lots of things would break all over the place. Files: + global/is_header.c, global/mime_state.c. + +20020526 + + Bugfix: the SMTP server now disallows RCPT TO:<"">, just + like it disallows RCPT TO:<>. File: smtpd/smtpd.c. + + Feature: disable_mime_input_processing=yes/no controls + whether Postfix recognizes (and optionally enforces) MIME + formats while receiving mail. Default is NO. + + Feature: disable_mime_output_conversion=yes/no controls + whether Postfix will convert 8BITMIME to 7BIT mail when + delivering mail to an SMTP server that does not announce + 8BITMIME support. Default is NO. + + Feature: strict_8bitmime=yes/no controls whether Postfix + rejects 8-bit characters in headers and 7-bit body parts. + This blocks mail from poorly written software, including + majordomo approval requests that contain a valid 8BITMIME + email message, as well as mail that is piped into ancient + /bin/mail implementations that do not MIME format 8-bit + content. Default is NO. + + Feature: strict_mime_encoding_domain=yes/no controls whether + Postfix rejects illegal content transfer encodings for + multipart/* and message/*. This blocks mail from poorly + written software. Default is NO. + +20020527 + + Feature: "FILTER transport:nexthop" in header/body checks. + After the message is queued, the message is sent through + a content filter. This requires different cleanup servers + before and after the filter, with header/body checks turned + off in the second cleanup server. + +20020528 + + Feature: strict_7bit_headers and strict_8bitmime_body are + now separately available. To to turn on both, use + strict_8bitmime. + + Cleanup: abandon the use of isspace(3) in the parsing of + RFC822 message headers. Files: global/lex_822.h and lots + of little places. + + Documentation: replace domain.name by domain.tld in the + example config files. The domain exists. They were getting + mail from poorly configured Postfix boxes. + + Bugfix: The Postfix sendmail command did not export the + MAIL_CONFIG environment setting to the postdrop command. + File: global/mail_config.h. + + Incompatibility: by default, turn on the PCRE_DOTALL flag, + so that PCRE patterns will match multi-line message headers + without causing pain. Suggested by Michael Tokarev. Also + documented all those darned undocumented PCRE flags in the + pcre_table(5) manual page. Files: util/dict_pcre.c, + proto/pcre_table. + +20020529 + + Bugfix: mail rejected due to MIME errors was rejected + without proper logging. Files: global/mime_state.c, + cleanup/cleanup_message.c. + +20020531 + + Bugfix: the SMTP client code that prepends '.' to lines + starting with '.' had to be moved from its old place to + after the MIME output conversion. Problem found by Mark + Martinec. File: smtp/smtp_proto.c. + +20020601 + + Bugfix: the deliver_pass() routine needed updating for the + extra MIME encoding attribute that was introduced 20020510. + Patch by Sebastian Schaffert @ wastl.net. File: + global/deliver_pass.c. + +20020604 + + Workaround: Solaris non-blocking read() can fail on a socket + with unread data according to ioctl FIONREAD. Incredible. + Diagnosis by Max Pashkov. File: smtp/smtp-sink.c. + + Weird feature: sender-based routing. This will become more + useful once per-address transport map entries are done. + File: src/*qmgr/qmgr_message.c. + +20020605 + + Safety: header_address_token_limit limits the amount of + memory and CPU that we're willing to spend while parsing + addresses in message headers. The limit is expressed as a + number of tokens. File: global/tok822_parse.c + +20020608 + + Feature: user@domain transport map lookup, based on code + by Scott Cotton, from several years ago. Adding this code + now was much less painful than it was in the past. Files: + global/strip_addr.c, trivial-rewrite/transport.c. + +20020610 + + Cleanup: making user@domain transport map lookups work with + sender-based routing was a bit tricky, because the null + address must be handled sensibly. Files: global/resolve_clnt.c, + trivial-rewrite/resolve.c. It ain't perfect yet, but close. + +20020613 + + Bugfix: postsuper -r was broken as of 20020510. The cleanup + daemon would discard mail with MIME type information. Moved + a bunch of sanity checks from the cleanup daemon to the + pickup daemon, so the checks are in one place. Problem + experienced by Pavol Luptak. Files: pickup/pickup.c, + cleanup/cleanup_extracted.c. + +20020705 + + Safety: log a warning when a domain is listed in mydestination + and (virtual_maps or virtual_mailbox_maps). This configuration + error causes the Postfix SMTP server to reject recipients + when the local_recipient_maps feature is enabled. File: + smtpd/smtpd_check.c. + +200207011 + + Portability: in the master daemon, the default now is to + enable the signal handler code that writes a byte into a + pipe, instead of the signal handler code that sets a global + flag and hopes that select() will somehow wake up. File: + master/master_sig.c. This is needed for some IRIX and + UnixWare versions, but it should also produce a robust + result on all other supported systems. + + Performance: the default SMTP connection establishment + timeout is now 30 seconds, instead of the system default + which can be atrociously large. + +20020712 + + When DNS lookup fails while delivering mail, report not + only the domain name but also the DNS record type. This + should clue in people who ask why Postfix can't find a + domain while nslookup can. File: dns/dns_lookup.c. + +20020713 + + Bugfix: undo change made at 20020610 that causes the trivial + resolver client to loop when an address consists entirely + of @ and . characters. File: trivial-rewrite/resolve.c. + + Cleanup: Postfix no longer strips multiple '.' at the end + of a domain name. One '.' is silently tolerated. Files: + trivial-rewrite/rewrite.c, trivial-rewrite/resolve.c, + global/resolve_local.c. This policy is too distributed. + +20020715 + + Feature: @domain.tld catch-all map entries for the virtual + mail delivery agent. Files: global/virtual8_maps_find.c, + virtual/mailbox.c, smtpd/smtpd_check.c. + + Feature: the virtual mail delivery agent now accepts address + extensions (user+foo@domain.tld), ignores them when looking + up users in its tables, but displays them in Delivered-To: + message headers. File: global/virtual8_maps_find.c. + +20020716 + + Feature: domain names in a masquerade_domains list can now + be prefixed with !, in order to disable masquerading for + that domain name and for its subdomains. File: + cleanup/cleanup_masquerade.c. + +20020717 + + Bugfix: Mac OS X niscript (Netinfo) update by Gerben Wierda. + File: auxiliary/MacOSX/niscript. + + Feature: The SMTP server reject_unknown_whatever restrictions + now also attempt to look up AAAA (IPV6 address) records. + Jun-ichiro itojun Hagino, IIJ labs. Files: smtpd/smtpd_check.c, + dns/dns_lookup.c. + +20020718 + + Bugfix: unnecessary lookups for extended addresses by the + virtual8_maps_find() routine. Victor Duchovni. His patch + did not work, nor did my own, but the present version should + be OK. File: global/virtual8_maps_find.c. + +20020719 + + Workaround: log a warning when an SMTP client name->address + lookup results in a numeric IP address, and set the client + hostname to "unknown". Some gethostbyname() implementations + will actually accept such garbage and thereby allow sites + to defeat the "reject_unknown_client" restriction. Problem + reported by Wolfgang Rupprecht, fix based on analysis (but + not code) by Victor Duchovni. + + Bugfix: memory leaks in the LDAP client by Victor Duchovni. + File: util/dict_ldap.c. + + Bugfix: garbage in verbose "flush" server logging. Victor + Duchovni. File: flush/flush.c. + +20020723 + + Incompatibility: smtpd_sasl_local_domain now defaults to + the null string. File: smtpd/smtpd.c, smtpd/smtpd_sasl_glue.c. + +20020726 + + Documentation: added GDB debugging instructions for sites + that do not have X installed on the Postfix machine. Henrik + Larsson, spambox.dk. + +20020729 + + Weird: installed RedHat 3.03 inside VMware, and no change + was needed to build Postfix, except to recognize the Linux + version. + + Bugfix: some mailers will announce ESMTP features in their + HELO (not EHLO) response. Postfix did not ignore them. + File: smtp/smtp_proto.c. + +20020731 + + Cleanup: permit_naked_ip_address is unsafe (especially when + used with smtpd_recipient_restrictions) and will go away. + Postfix now logs a warning. File: smtpd/smtpd_check.c. + +20020801 + + Cleanup: the warning message for matched header/body content + was misleading. File: cleanup/cleanup_message.c. + + Safety: moved the "postsuper -r ALL" operation after the + "postsuper -s" check that makes queue file names match + inode numbers. This avoids loss of mail in the unlikely + case that someone runs "postsuper -sr ALL" on a queue that + was copied from another place. + + Feature: "postsuper -h" to put mail "on hold" and "postsuper + -H" to release mail that was placed "on hold". This involves + a new queue, which is appropriately named "hold". Files: + postsuper/postsuper.c, showq/showq.c. + +20020803 + + Feature: when a Delivered-To: mail delivery loop is detected, + send the bounce to the mailing list owner. This required + changes to the local delivery agent, a new bounce client + stub, and a new bounce server stub and support routines + for one recipient bouncing. Files: local/recipient.c, + global/bounce_log.c, global/bounce.c, bounce/bounce.c, + bounce/bounce_notify_util.c, bounce/bounce_one_service.c. + +20020809 + + Bugfix: the 20020531 bugfix could prepend '.' to lines when + it shouldn't (but only when converting 8-bit mail to 7-bit). + Problem experienced by Ralf Hildebrandt. File: + smtp/smtp_proto.c. + + Bugfix: smtpd_sender_login_maps did not do the @domain etc. + wild-card lookups that were promised. Problem experienced + by Sven Michels. File: smtpd/smtpd_check.c. + +20020810 + + Feature: new smtp-sink command-line options to specify the + SMTP hostname, to disable ESMTP protocol support, to disable + 8BITMIME support, and to syslog selected commands. File: + smtpstone/smtp-sink.c. + +20020814 + + Feature: the queue manager now warns when mail for some + destination is piling up in the active queue, and suggests + a variety of remedies. The qmgr_clog_warn_time parameter + controls the time between warnings, mainly so that I could + test the code. To disable these warnings, specify + "qmgr_clog_warn_time = 0". Files: *qmgr/qmgr_entry.c. + +20020815 + + Paranoia: truncate the DNS response length result value in + case it is larger than the result buffer length (the resolver + documentation is vague about this). File: dns/dns_lookup.c. + +20020816 + + Cleanup: "postqueue -f" now also triggers delivery of mail + in the maildrop directory. This is needed when the master + does not frequently wake up the pickup service. Files: + global/mail_flush.c, postqueue/postqueue.c. + +20020818 + + Cleanup: the qmgr_site_hog_factor feature is gone (defer + mail if a site uses up too much space in the active queue). + Instead, the qmgr_clog_warn_time feature provides better + solutions. File: qmgr/qmgr_message.c. + +20020819 + + Feature: new header/body_checks HOLD pattern that causes + mail to be placed on the "hold" queue for manual inspection. + Files: global/hold_message.[hc], cleanup/cleanup_message.c. + +20020820 + + Bugfix: yesterday's HOLD pattern code did not update the + cleanup server's idea of the queue file name for error + recovery and for error reporting purposes, so that incomplete + or content rejected mail would not be deleted from the + queue, and so that the bouncer would not find the queue + file. + + Bugfix: the #ifdef that detects too old LDAP libraries was + in the wrong place. Victor Duchovni. File: util/dict_ldap.c. + + Feature: new header/body_checks DISCARD pattern that causes + mail to be silently discarded. Files: global/cleanup_user.h, + cleanup/cleanup_message.c, cleanup/cleanup_api.c. + + Bugfix: the local delivery agent's mailbox duplicate delivery + eliminator was not updated in the days that address extensions + were added to Postfix. The other local duplicate eliminators + probably need revision as well. File: local/mailbox.c. + +20020821 + + Feature: HOLD and DISCARD actions in SMTPD access tables. + These requests are propagated to the cleanup daemon. Files: + cleanup/cleanup_envelope.c smtpd/smtpd_check.c. + + Cleanup: eliminate unnecessary references to the obsolete + program_directory configuration parameter (but keep the + parameter so as to not break existing installations). + Matthias Andree, many little changes in documentation. + +20020822 + + Bit Rot: OpenLDAP incompatible change with URL parsing. + Patches by Will Day, Georgia Tech, and Carsten Hoeger, + SUSE. File: util/dict_ldap.c. + +20020823 + + Bugfix: added a missing memset() call to wipe the lookup + key in dict_db_delete(). This is needed by some Berkeley + DB implementations. Patch by Katsu Yamamoto, Fujitsu. + + Bugfix: when permit_mx_backup is unable to make a decision + due to DNS problems, set the "defer if reject" flag so that + other restrictions will not cause mail to be rejected. + File: smtpd/smtpd_check.c. + + Feature: instead of giving up immediately after DNS failure, + turn on the "defer_if_permit" flag when reject_unknown_hostname, + reject_unknown_sender_domain or reject_unknown_recipient_domain + are unable to make a decision, and see if any subsequent + restrictions would still cause the mail to be rejected. + File: smtpd/smtpd_check.c. + + Feature: "FILTER transport:nexthop" is now also available + in SMTPD access tables. + +20020826 + + Workaround: HP-UX 11 accept() fails with ENOBUFS when the + client disconnects early. File: sane_accept.c. + +20020901 + + Cleanup: postfix-install no longer installs all the manual + pages under $POSTFIXSOURCE/man, so we can generate manual + pages for smtp-sink etc. File: man/Makefile.in. + +20020903 + + Bugfix: the rmail script should have been updated when + Postfix sendmail was changed to recognize `.' as the end + of input. Problem fix by Christian Kratzer, cksoft.de. + File: auxiliary/rmail/rmail. + + Feature: specify "maximal_queue_lifetime = 0" for mail that + should be returned immediately after the first unsuccessful + delivery attempt. Files: qmgr/qmgr.c, nqmgr/nqmgr.c. + +20020904 + + Bugfix: qmail compatibility: qmqpd should support any + character at the end of the VERP prefix in prefix@host-@[]. + Based on a patch by LaMont Jones, HP. + +20020905 + + Feature: "smtpd_data_restrictions = reject_unauth_pipelining" + blocks mail from SMTP clients that send message content + before Postfix has replied to the DATA command. File: + smtpd/smtpd.c, smtpd/smtpd_check.c. + + Bugfix: the LDAP client dumped core in verbose mode. + Reported by Will Day and others. File: util/dict_ldap.c. + +20020906 + + Cleanup: dict_regexp module speedups by avoiding unnecessary + substring overhead while matching strings. Based on a + suggestion by Liviu Daia. This involved major rewriting of + the regexp map code. File: util/dict_regexp.c. + +20020907 + + Feature: IF..ENDIF support based on code by Bert Driehuis. + This involved a further rewrite of the regexp map code. + File: util/dict_regexp.c. + +200209010 + + Bugfix: the SMTP client produced suprious warnings about + trouble with fallback_relay hosts. File: smtp/smtp_connect.c. + + Robustness: don't wait with detecting broken SMTP connections + until reading input. Leandro Santi. File: smtpd/smtpd_chat.c. + +200209011 + + Workaround: IRIX 6 can't do ioctl FIONREAD on pipes. This + breaks the in_flow_delay feature. File: util/sys_defs.h. + +20020912 + + Bugfix: canonical/virtual mapping core dump with a null + right-hand side address. Report by Jussi Silvennoinen. + File: global/mail-addr_crunch.c. + + Feature: IF..ENDIF support based on code by Bert Driehuis. + This involved a rewrite of the pcre map code similar to + the regexp map code. File: util/dict_pcre.c. + +20020917 + + Feature: on Linux, support for PCRE lookup tables is now + compiled in if the PCRE library code is found under + /usr/include and /usr/lib. File: makedefs. + +20020918 + + Documentation: postsuper(1) did not document the -c option. + + Bugfix: possible longjump() before setjmp(). File: + smtpd/smtpd.c. + + Bugfix: pickup should not preserve INSPECT or FILTER records + from "postsuper -r". File: pickup/pickup.c. + +20020919 + + Feature: "reject_rbl <domain>" for client address blacklisting + by LaMont Jones, including $name expansion for per-domain + customized response messages. The obsolete reject_maps_rbl + is now a wrapper that uses the new code. + +20020921 + + Internal: added caching and factored out common code that + will be used for both reject_rbl and for the upcoming + reject_rhsbl restriction. + +20020922 + + Feature: "reject_rhsbl <domain>" for sender domain + blacklisting. Provides the same per-domain customized + response message mechanisms with $name expansion as + reject_rbl. + + Safety: the smtpd_expansion_filter parameter controls what + characters are allowed in the expansion of $name macros in + template RBL responses. + + Cleanup. In order to make sensible warnings possible when + expanding a non-existent $name in RBL reply templates, + mac_expand() had to be changed so that an empty string + result (i.e. the name does exist) will no longer cause + ${name?text} to succeed. File: util/mac_expand.c. + +20020923 + + Cleanup. Renamed the RBL features according to a scheme + that was suggested by Liviu Daia in October 2001. The names + are reject_rbl_client and reject_rhsbl_sender, respectively. + Added domain name based reject_rhsbl_client and + reject_rhsbl_recipient restrictions for completeness. The + reject_rbl restriction name is still recognized for + compatibility with systems maintained by LaMont Jones. + +20020924 + + Bugfix: reject_rhsbl_<mumble> was broken when <mumble> was + unavailable, causing the restrictions parser to get out if + sync. Spotted by Ralf Hildebrandt. File: smtpd/smtpd_check.c. + +20020928 + + Bugfix: missing %s in the 20020923 RBL code. This was not + exploitable because Postfix implements only a safe subset + of all printf format operators and because memory for the + result is dynamically allocated. Victor Duchovni. File: + smtpd/smtpd_check.c. + +20020929 + + Updated MacOSX support scripts from Gerben Wierda. Files: + auxiliary/MacOSX/*. + +20021009 + + Bugfix: SIZE errors should be reported at MAIL FROM time, + and should not be postponed (with smtpd_delay_reject = yes) + until RCPT TO time. Reported by Jeroen Scheerder, Utrecht + University. Files: smtpd/smtpd.c smtpd/smtpd_check.c. + +20021013 + + When Postfix development started, Linux mail delivery + software such as procmail did not use kernel locks, and + Postfix picked one that seemed plausible, namely, flock(). + In the mean time, Linux mail delivery software seems to + have standardized on fcntl() locks. File: util/sys_defs.h. + + Feature: body_checks_size_limit parameter to specify how + much of a message body segment (or attachment, if you prefer + to use that term) is subjected to body_checks inspection. + Default limit: 50 kbytes. Files: global/mime_state.c, + cleanup/cleanup_message.c. + +20021015 + + Bugfix: the code for missing postmaster/mailer-daemon + aliases had to be moved after the code that implements the + luser_relay feature. Files: local/alias.c, local/unknown.c. + + Weird? The LMTP client lowercased the MAIL FROM and RCPT + TO addresses. Some remnant of code that someone put in + there long ago. File: lmtp/lmtp_proto.c. + +20021024 + + Feature: proxy_interfaces parameter. Specify your NAT or + other proxy addresses here to avoid mail delivery loops. + Files: global/mail_params.[hc] global/own_inet_addr.[hc] + global/resolve_local.c smtp/smtp_addr.c smtpd/smtpd_check.c. + + Paranoia: defend against a very unlikely false alarm in + safe_open(). + +20021025 + + Feature: X-Original-To: message headers with the raw original + envelope recipient. + + Logging: status=sent/deferred/bounced/ logging now includes + the original recipient address if it differs from the final + address. + +20021026 + + Logging: SMTP UCE reject/warn/hold/discard logging now + includes queue ID. This will break some logfile analyzers. + + Logging: SMTP UCE reject/warn/hold/discard logging now + includes the protocol name and, if available, the hostname + given in the SMTP HELO or EHLO command. + + Logging: header/body_checks reject/warn/hold/discard logging + now includes the protocol name and, if available, the + hostname given in the SMTP HELO or EHLO command. + +20021028 + + Bugfix: don't reset state after rejected EHLO. Reset state + after HELO. Reported by Karthikeyan Bhargavan, upenn.edu. + Files: smtpd/smtpd.c. + +20021029 + + Bugfix: local(8) did not prepend an X-Original-To: message + header while delivering to command, and local(8) did not + document the X-Original-To: message header. + + Workaround: DJBDNS produces a bogus A record when given a + numerical hostname. File: dns/dns_lookup.c. + +20021030 + + Portability: support for Berkeley DB version 4.0 but not + for Berkeley DB version 4.1 (yes, the API is different). + Postfix is now going to be paranoid about the minor version + number, too. File: util/dict_db.c. + + Documentation: updated LMTP_README file by Amos Gouaux. + +20021031 + + Bugfix: (bug introduced 20021026) log NOQUEUE when rejecting + ETRN, instead of trying to log a non-existent queue ID. + Victor Duchovni, Morgan Stanley. File: smtpd/smtpd_check.c. + + Cleanup: allow optional text after commands in SMTPD access + maps. Based on initial effort by Victor Duchovni, Morgan + Stanley. File: smtpd/smtpd_check.c. + + Portability: support for Berkeley DB version 4.1. This + version refuses to open zero-length files. This complicates + lock management and requires extra code to remove broken + files. Files: util/dict_db.c, global/mkmap*.[hc]. + +20021101 + + Bugfix: don't complain about out-of-order original recipient + records for finished recipients. Files: *qmgr/qmgr_message.c, + cleanup/cleanup_envelope.c, cleanup/cleanup_extracted.c. + + Cleanup: further simplified the mkmap wrapper (used by + postmap and postalias only) to remove some hurdles for + Michael Tokarev's CDB support. Files: global/mkmap*.[hc]. + +20021105 + + Postalias now produces YP_LAST_MODIFIED and YP_MASTER_NAME + records only when NIS support is compiled in. File: + postalias.c. + +20021106 + + Postalias now puts $myhostname in the YP_MASTER_NAME record, + instead of the possibly bogus gethostname() result. File: + postalias.c. + + The PCRE map code did not reject non-numeric replacement + indices in replacement text, and silently treated $text as + $0. Found by Michael Tokarev. File: dict_pcre.c. + +20021108 + + Cleanup: the behavior of the SMTP server's defer_if_permit + flag was changed, in order to maximize the opportunity to + permanently reject mail without opening opportunities for + losing legitimate mail. This was done in cooperation with + Victor Duchovni, Morgan Stanley. File: smtpd/smtpd_check.c. + + The defer_if_permit flag is still set when an UCE reject + restriction fails due to a temporary (e.g., DNS) problem, + to prevent unwanted mail from slipping through. However, + the flag is no longer tested at the end of client, helo or + sender restrictions. Instead, the flag is now tested at + the end of the ETRN and recipient restrictions only. + + The behavior of the warn_if_reject restriction has changed. + It no longer activates any already made defer_if_permit or + defer_if_reject decisions (the defer_if_reject flag is set + when some UCE permit restriction fails due to a temporary + (DNS) problem, to avoid loss of legitimate mail). + + Bugfix: instead of setting the defer_if_permit flag, a + failing reject restriction after warn_if_reject now merely + logs that it would have caused mail to be deferred. + + A failing permit restriction after warn_if_reject still + raises the defer_if_reject flag, to avoid loss of legitimate + mail. + +20021109 + + Bugfix: a misguided change to the .forward macro expansion + filter broke .forward file lookup. + + Bugfix: missing defer_if_permit test in smtpd_data_restrictions. + Victor Duchovni. File: smtpd/smtpd_check.c. + +20021112 + + Robustness: increase the mime_nesting_limit from 20 to 100, + so that bounces can't loop. Each bounces increases the MIME + nesting level by one. Ralf Hildebrandt and Victor Duchovni. + +20021113 + + Robustness: reinstated SMTP client command flushing to + avoid pipeline stalls. File: smtp/smtp_chat.c. + +20021114 + + Robustness: distinguish between timeout and "lost connection" + when the SMTP server is unable to send a reply to the remote + client. File: smtpd/smtpd_chat.c. + +20021115 + + Bugfix: initialization error with "*" transport table + lookup, reported by LaMont Jones. The transport map lookup + code had grown into a monster and needed to be replaced. + trivial-rewrite/transport.c. + +20021115 + + Start implementing recipient verification. For now this is + done by adding trace flags to queue files. In case of a + verification request, a delivery agent does not deliver, + deliver, it just records what would happen. + + This required instrumenting the bounce/defer/sent logging + routines to send their data to the right place depending + on the type of delivery request. + +20021116 + + New trace service. This is used for reporting if a recipient + is deliverable (sendmail -bv) and for producing a record + of delivery attempts (sendmail -v). The report is sent via + email, using the bounce daemon. Files: global/trace.[hc]. + + This required replacing the bounce/defer logfile format by + an extensible name=value format. Files: global/bounce_log.c, + bounce/bounce_append_service.c. + +20021117 + + New address verification service with simple expiration + and refresh policy. Storage can be in-core or in permanent + table. The daemon is appropriately called "verify". Files: + global/verify_clnt.[hc], verify/verify.c. + +20021118 + + Cleaning up the code for tracing and verification. Files: + global/{log_adhoc,bounce,defer,trace,verify}.[hc]. + +20021119 + + New address_verification_negative_cache = yes/no parameter + controls whether Postfix stores the result of negative + address verification probes. This reduces cache pollution + but causes Postfix to send a probe for each address + verification service query. File: verify/verify.c. + + Added optimistic caching to the verify daemon, so that one + failed probe will not clobber a known to be good address. + As long as some probes succeeed, a good address will stay + cached as OK. + + Cleaning up of the bounce daemon's code for bounce, delayed + mail warning and trace notification. Files: bounce/*.[hc], + global/bounce_log.c. + +20021120 + + Changed the probe's sender address to "postmaster" so that + we get better information about the address we're testing. + File: verify/verify.c. + + Added some paranoia to the routine that reads data from + the address verification cache. Ignore data that is obviously + bogus. File: verify/verify.c. + +20021121 + + Bugfix: garbage in "user@garbage"@domain address forms may + cause the SMTP or LMTP client to terminate with a fatal + error exit because garbage/tcp is not an existing service. + This cannot be abused to cause the SMTP or LMTP client to + send data into unauthorized ports. Files: *qmgr/qmgr_message.c, + trivial-rewrite/resolve.c. + +20021124 + + Bugfix: don't use same VSTRING buffer for reading and + writing. File: verify/verify.c. + +20021128 + + Feature: hashed hold queue support, with hashing turned on + by default. Omission spotted by Victor Duchovni, Morgan + Stanley. Files: global/hold_message.c, global/mail_params.h. + + Bugfix: the LMTP client lost the port(service) information + when parsing host:port information. Victor Duchovni, Morgan + Stanley. Fix is to have a new host_port(3) module that does + the parsing for the SMTP and LMTP clients. + + Cleanup: host_port() routine that parses host/port information + more consistently than the existing code in the LMTP and + SMTP clients. Files: smtp/smtp_connect.c, lmtp/lmtp_connect.c, + util/host_port.[hc]. + +20021130 + + Cleanup: defer mail when recipient verification takes too + long. File: smtpd/smtpd_proto.c. + + Feature: new reject_multi_recipient_bounce restriction, to + reject "MAIL FROM: <>" with multiple recipients. File: + smtpd/smtpd_check.c. + +20021201 + + Compatibility: ignore the new Sendmail -A option. File: + sendmail/sendmail.c. + + Workaround: sendmail -v now produces no output. You need + to specify -v -v instead. This is to avoid problems when + people request verbose mail delivery in their mail.rc file. + File: sendmail/sendmail.c. + +20021202 + + Cleanup: hash_queue_depth now defaults to 1 level of + subdirectories. This makes "mailq" faster on most systems, + but will result in poorer worst-case performance when lots + of mail is queued. + + The check_relay_domains restriction is going away. The SMTP + server logs a warning and suggests using reject_unauth_destination + instead. + + Cleanup: the local(8) and virtual(8) delivery agents did + not prepend X-Original-To: addresses to maildir files. + Omission spotted by Matthias Andree. + + Specify "address_verify_sender=" or "address_verify_sender=<>" + to use a null sender address while doing address verification + probes. Beware, doing so may trigger false negatives + because some sites reject mail from the null sender, even + though this is required by RFC standards. + + Bugfix: too many levels of dereferencing while testing for + missing reject_rbl_mumble domain names. Patrik Rak. File: + smtpd/smtpd_check.c. + +20021203 + + Bugfix: the FILTER access table action included the FILTER + command in the filter request, where only the transport+destination + were expected. Noel Jones. File smtpd/smtpd_check.c. + + Cleanup: virtual_maps is now called virtual_alias_maps, in + order to better distinguish it from virtual_mailbox_maps. + The default value is $virtual_maps for backwards compatibility. + + New parameters virtual_alias_domains and virtual_mailbox_domains + for the "domain.tld whatever" lookups. These use the same + syntax as the mydestination parameter. Default settings + are backwards compatible with Postfix 1.1. + + Concept: just like $mydestination+$inet_interfaces control + what routes to $local_transport, $virtual_mailbox_domains + now controls what routes to $virtual_transport (default + transport: virtual), and $relay_domains now controls what + routes to $relay_transport (default transport: relay, a + clone of the smtp transport). Everything else routes to + $default_transport as before. This eliminates the need + for transport map entries for every virtual(8) domain, and + avoids performance problems with inbound relay mail. This + was improvement was suggested by Victor Duchovni. File: + trivial-rewrite/resolve.c. + +20021206 + + Cleanup: do allow regexps in aliases, virtual mailbox maps + but do not allow regular expression substitutions. Files: + util/dict.h, util/dict_regexp.c, util/dict_pcre.c. + +20021207 + + Cleanup: deleted the description of sendmail-style virtual + domains from the virtual(5) manual page. This part of + Postfix was too confusing. + + Performance: RFC 2821 blesses the use of CNAME domain names + in MAIL FROM and RCPT TO. Not having to expand CNAME domain + names speeds things up a bit. File: smtp/smtp_proto.c. + + Workaround: exclude error mailer destinations from transport + mapping lookups :-(. File: trivial-rewrite/resolve.c. + + Cleanup: relocated_maps lookups are now moved to the + trivial-rewrite server. As of now, the queue manager no + longer does any map lookups, so it won't restart when maps + change. Files: *qmgr/qmgr_message.c, trivial-rewrite/resolve.c. + + Robustness: because the trivial-rewrite server now does + many more table lookups, some of which are often LDAP or + SQL based, trivial-rewrite clients must be be prepared for + the case that the resolver reports a failure while processing + a request (when it was unable to access a lookup table). + Files: trivial-rewrite/resolve.c, local/resolve.c, + smtpd/smtpd_check.c. + + Robustness: moving possible LDAP or SQL table lookups into + the trivial-rewrite server also required that trivial-rewrite + be running as multiple processes to reduce lookup latencies. + Files: master/multi-server.c. + + Workaround: don't discard all the DNS lookup results when + only one of the results has a malformed name or address. + File: dns/dns_lookup.c. + +20021208 + + Cleanup: with the preliminary address domain classification + concept as implemented by the trivial-rewrite address + resolver, a lot of table lookups could be eliminated from + the SMTP server. Files: smtpd/smtpd_check.c. + + Feature: new relay_recipient_maps parameter, for optional + maps with all the recipients in the domains that match + $relay_domains (so you can reject mail for unknown relay + recipients). This is for consistency with virtual_xx_maps + and virtual_xx_domains, and with local_recipient_maps and + the local delivery agent. File: smtpd/smtpd_check.c. + + Cleanup: removed support for obsolete #number domain forms. + File: smtpd/smtpd_check.c. + +20021209 + + The Postfix installation procedure no longer sets the + "chattr +S" bit on Linux queue directories. Wietse has + gotten too annoyed with naive reviewers who complain about + performance without having a clue of what they are comparing. + + "Security": local_recipient_maps is now turned on by default, + to reject mail for non-existent users at the SMTP port. + See conf/main.cf for instructions, section REJECTING UNKNOWN + LOCAL USERS. + + Safety: detection of missing or inaccessible passwd file + database, to prevent massive complaints from people who + suddenly lose all their mail because local_recipient_maps + is now turned on by default. + +20021210 + + Feature: recipient address verification, using the code + that already implements sender address verification. Based + on suggestion by Matthias Andree. Files: src/smtpd/smtpd.c, + src/smtpd/smtpd_check.c. + +20021211 + + Performance: doubled the default process limit (50->100) + and default queue manager active queue message/recipient + limits (10k->20k). File: global/mail_params.h. + + Bugfix: the change that begot us multiple trivial-rewrite + processes (good) also gave us multiple verify daemons (bad). + File: conf/post-install. + +20021212 + + Cleanup: allow transport map lookups to override error + mailer results (to avoid breaking existing installations), + and do transport map lookups before relocated map lookups. + Files: trivial-rewrite/resolve.c, trivial-rewrite/transport.c. + + Shortened the verify server's negative cache refresh time + from 12 hours to 2 hours. File: global/mail_params.h. + + Admin friendliness: the SMTP server now reports "User + unknown in {local recipient | virtual alias | virtual + mailbox | relay recipient} table". This will make trouble + shooting a little easier. Files: smtpd/smtpd_check.c, + trivial-rewrite/resolve.c. + +20021213 + + Cleanup: transport map entries with null nexthop ignored + relayhost settings. Making the code simpler also made it + more correct. Files: trivial-rewrite/resolve.c, + trivial-rewrite/transport.c. + + Feature: "helpful_warnings" (default: yes) that can be + turned off if you really know what you're doing and want + to eliminate some unnecessary work. + + Feature: enforcement of master.cf process limits for + processes such as qmgr and pickup that must run alone, and + processes such as cleanup and bounce that must run without + explicit process count limit. If an incorrect process limit + is specified in master.cf the service aborts. + +20021214 + + Cleanup: it looks like we finally get it right with transport + lookup table entries that either override or specify an + error transport without updating the nexthop information. + File: trivial-rewrite/resolve.c. + + Robustness: don't probe the sender address when probed for + our own address verification probe sender address. File: + smtpd/smtpd_check.c. + + Performance: don't do UCE checks (which may result in 4xx + SMTP reply codes, and thus, repeated delivery attempts) + when we already know that the recipient does not exist. + Files: smtpd/smtpd.c, smtpd/smtpd_check.c. + +20021215 + + Cleanup: further simplification of transport map handling + after some really fine hair splitting with Victor Duchovni. + Files: trivial-rewrite/resolve.c, trivial-rewrite/transport.c. + +20021216 + + Workaround: transform the address local-part into unquoted + form only when the address domain is local and the local-part + contains routing operators. Otherwise, we may damage the + address local-part by inserting space between non-operator + tokens. Some people use weird addresses and expect them to + be handled without damage. File: trivial-rewrite/resolve.c. + + Robustness: scan the resolved recipient address for routing + operators in the address local-part, even when the local + MTA does not recognize ! and % as valid operators. File: + trivial-rewrite/resolve.c. + + Cleanup: the address rewriting code no longer tries to + rewrite broken user@ or user@. address forms into even more + broken forms. bother. File: trivial-rewrite/rewrite.c. + + Cleanup: the address resolver code now treats forms ending + in @ in a more rational manner (because the address rewriting + code no longer messes up by appending .my.domain). + + Bugfix: a null address local-part before @domain now is + properly quoted just like the null address. File: + global/quote_82[12]_local.c. + +20021217 + + Cleanup: more work on the trivial-rewrite address rewriting + and address resolving code. New regression tests for address + rewriting and resolving that make some assumptions about + main.cf settings. Files: global/Makefile.in (assumptions), + global/rewrite_clnt.in, global/rewrite_clnt.ref, + global/resolve_clnt.in, global/resolve_clnt.ref. + + Safety: configurable SMTPD reject codes for recipients not + in {local,relay}_recipient,virtual_{alias,mailbox}}_maps, + aptly named unknown_mumble_reject_code. Postfix installs + with unknown_local_recipient_reject_code=450, unless the + site already ran Postfix with local_recipient_maps enabled. + Files: smtpd/smtpd.c, smtpd/smtpd_check.c, conf/post-install. + +20021218 + + Feature: specify unverified_recipient_reject_code=250 or + unverified_sender_reject_code=250 to accept mail for an + address that is known to bounce. File: smtpd/smtpd_check.c. + +20021219 + + Bugfix: longjmp() while sending "go away" without setjmp() + in the QMQP server. Patrik Rak. File: qmqpd/qmqpd.c. + + Safety: the XVERP extension is restricted to clients listed + in the authorized_verp_clients list (default: $mynetworks). + File: smtpd/smtpd.c. + + Workaround: preliminary IPV6 support in valid_hostliteral(). + File: util/valid_hostname.c. + +20021220 + + Bugfix: the reject_multi_recipient_bounce restriction had + an off-by-one error when used in smtpd_data_restrictions. + File: smtpd/smtpd_check.c. + + Feature: new check_recipient_maps restriction that gives + finer control over when unknown recipients are rejected. + As with Postfix 1.1, the default is to do this at the end + of the recipient restrictions. Sites that want to improve + performance can put check_recipient_maps at the start of + the smtpd_client_restrictions list and avoid doing unnecessary + RBL lookups etc. File: smtpd/smtpd_check.c. + + Feature: new show_user_unknown_recipient_table parameter + controls whether or not to reveal the lookup table name in + "User unknown" responses. The extra detail makes trouble + shooting easier but also reveals information that is nobody + elses business. + +20021221 + + Workaround: don't allow the transport map to override the + virtual alias class (error:User unknown) result. File: + trivial-rewrite/transport.c. + +20030101 + + Documentation update: new-style virtual domains broke the + advanced content filtering example. Files: FILTER_README, + RELEASE_NOTES-2.0. + +20030102 + + Cleanup: use different client instances when the same map + is opened with different flags. File: global/maps.c. + + Feature: proxymap server for Postfix table lookups. This + helps to consolidate the number of open lookup tables (such + as MYSQL or LDAP), or to overcome chroot restrictions + (example: specify proxy:unix:passwd.byname to avoid the + need for a copy of the UNIX passwd file in chroot jails). + Files: global/dict_proxy.[hc], proxymap/proxymap.c + + Cleanup: multiservers such as trivial-rewrite and the new + proxymap server now enforce the max_use total client number + limit more agressively, by not accepting new connections + after the limit is reached. Based on a patch by Victor + Duchovni, Morgan Stanley. File: master/multi_server.c. + +20030103 + + Cleanup: client stream endpoints not only have an idle time + limit ($ipc_idle) before a connection is closed, they now + also have a time to live ($ipc_ttl) to prevent connections + from becoming too persistent. This allows multi-servers + such as trivial-rewrite or the proxymap server to refresh + more frequently on busy systems. File: global/clnt_stream.c. + +20030104 + + Cleanup: avoid warnings about flag mismatches when the same + lookup table is listed under both virtual_alias_maps and + virtual_mailbox_maps. Files: global/virtual8.h, virtual/virtual.c. + + Bugfix: an obscure memory leak that puzzled me for more + than a year until I found out how to reproduce it. File: + util/vstream.c. + +20030105 + + Cleanup: removed the address syntax check from the queue + manager, since a better test was implemented recently in + the trivial-rewrite server. Files: *qmgr/qmgr_message.c. + + Bugfix: redirect bounce/defer to the address verification + service where appropriate. Files: *qmgr/qmgr_bounce.c, + *qmgr/qmgr_defer.c. + + Bugfix: "no such file or directory" warnings after "postfix + reload" when a chrooted smtpd reconnects to the proxy + service. Fix: use "private/proxymap" if possible, otherwise + use "$queue_dir/private/proxymap". File: global/dict_proxy.c. + + Robustness: daemons now chdir() to the queue directory + before running the pre-jail initialization code, so that + daemons running in stand-alone mode produce more consistent + results. Files: master/single_server.c, master/multi_server.c. + master/trigger_server.c. + + Bugfix: "sendmail -bs" tried to access the proxymap service. + It should not try to open any user/domain/uce related tables + at all. File: smtpd/smtpd.c. + +20030106 + + Bugfix: bouncing to owner-alias was broken, i.e. the mail + kept being deferred, and when that was fixed, another buglet + came to light. File: bounce/bounce.c. + + Robustness: the master no longer aborts with "address + already in use" when inet_interfaces specifies the same IP + address multiple times, or when a TCP service in master.cf + specifies a hostname for which the same IP address is listed + multiple times. File: master/master_ent.c. + +20030107 + + Robustness: check that FILTER actions in SMTPD access maps + or cleanup header/body_checks have plausible syntax. Files: + smtpd/smtpd_check.c, cleanup/cleanup_message.c. + +20030109 + + Cleanup: unnecessary "premature end of file on xxx while + reading yyy" warnings became exposed after some code + simplification. Files" global/*_clnt.c, global/dict_proxy.c + + Robustness: undo the change that causes a multi-server + process to stop accepting new connections while it still + services existing clients for an extended amount of time. + We need a better process retirement strategy. File: + master/multi_server.c. + +20030110 + + Cleanup: the virtual_mailbox_maps parameter is now optional + even when virtual_mailbox_domains is. This makes virtual + mailbox domains more like relay domains and the local + domain. + + Portability: the makedefs script now uses the pcre-config + utility to find out where things are installed. + + Bugfix: the SMTP server did not recognize the local built-in + double bounce address as local. Reported by Matthias Andree. + For safety sake, threw in the local postmaster address as + well. File: smtpd/smtpd_check.c. + +20030113 + + Added MAILER-DAEMON to the list of always recognized local + addresses, since it is generated by Postfix bounces. File: + smtpd/smtpd_check.c. + +20030114 + + Bugfix: transport_errno was not reset upon successful + transport map wildcard lookup after an earlier failure. + Reported by Victor Duchovni. File: trivial-rewrite/transport.c. + + Cleanup: unnecessary warnings from the proxymap client + after proxymap server disconnect. File: global/dict_proxy.c. + + Cleanup: Patrik Rak found a few more chattr invocations + that were missed 20021209. Files: postfix-install, + conf/post-install. + + Cleanup: the pcre-config command can produce null outputs. + Matthias Andree. File: makedefs. + + Bugfix: the virtual(8) Makefile included $(AUXLIBS) in the + dependencies. + +20030118 + + Typos: some hyperlinks referred to flushd, which is the + name that was used before the flush service was released. + Reported by Victor Duchovni. + + Cleanup: smtpd no longer needed to open relocated_maps. + +20030119 + + Cleanup: bounce messages used "X-Postfix" even when mail_name + was set to something other than the default "Postfix" name. + File: bounce/bounce-notify_util.c. + +20030120 + + Bugfix: wrong FILTER_README instructions for disabling + virtual alias mapping in the cleanup server before the + content filter. + + Bugfix: wrong FILTER_README instructions for destination-dependent + filtering, because relay_domains was specified incorrectly. + +20030122 + + Bugfix: 20021207 (move relocated table lookup from queue + manager to trivial-rewrite server) broke relocated table + lookup results with mail not rejected at the SMTP port. + Files: *qmgr/qmgr_deliver.c, *qmgr/qmgr_message.c. + +20030123 + + Bugfix: a widely used maildir filename algorithm was broken. + Postfix now uses TIME.DEVICE_INODE.HOST. Files: local/maildir.c, + virtual/maildir.c. + +20030124 + + Cleanup: queue structures no longer overload queue name + and nexthop destination. Files: *qmgr/qmgr_message.c, + *qmgr/qmgr_queue.c, *qmgr/qmgr_deliver.c. + +20030125 + + Feature: "REDIRECT user@domain" action in access maps or + in header/body_checks causes mail to be sent to the specified + address instead of the intended recipient(s). I would never + recommend that people use this to redirect (bounced) SPAM + to the beneficiaries of an advertisement campaign. Files: + smtpd/smtpd_check.c, cleanup/cleanup_message.c, + *qmgr/qmgr_message.c. + +20030126 + + Update: maildir filename algorithm updated according to + today's version of http://cr.yp.to/proto/maildir.html. + +20030127 + + Cleanup: use separate error messages for separate problems + with computing the list of SASL authentication mechanisms. + File: smtpd/smtpd_sasl_glue.c. + +20030130 + + Bugfix: allow $name in default time values. File: + global/mail_conf_time.c. + +20030205 + + Feature: allow !, /file/name and map:name in masquerade_exceptions. + By Liviu Daia. Files:cleanup_init.c, cleanup.h, + cleanup_masquerade.c. + +20030219 + + Bugfix: the local pickup daemon skipped unterminated records, + since they happened to have the same record type code as + content filtering instructions. Victor Duchovni. Files: + global/rec_type.h, pickup/pickup.c. + + Portability: Postfix could block, and thus not enforce + command execution time limits, while delivering mail to + command. File: global/pipe_command.c. + + Bugfix: command execution time limits were not enforced + because the child process killing code in pipe_command() + was running with the wrong privileges. Problem reported by + Ben Rosengart, Panix. File: global/pipe_command.c. + + Bugfix: duplicate recipient filtering in the cleanup server + did not eliminate virtual expansion duplicates with the + same original recipient. File: cleanup/cleanup_out_recipient.c. + +20030223 + + Cleanup: added postmap/postalias -p option (do not inherit + the source file permissions when creating a new file), for + completeness. A feature that can't be turned off is a bug. + Files: postmap/postmap.c, postalias/postalias.c. + + Bugfix: smtpd_hard/soft_error_limit off-by-one error, so + that the real limit was one larger than the configured + value. File: smtpd/smtpd.c, smtpd/smtpd_chat.c. + +20030226 + + Safety: proxymap server defense against potential deadlock + when some library routine wants to open a proxied table. + Instead, proxymap opens the requested table directly. File: + proxymap/proxymap.c. + + Portability: updated AIX 5.x system dependent definitions. + File: util/sys_defs.h. + +20030227 + + Bugfix: added mynetworks to the list of proxy_read_maps + parameter settings that are pre-authorized to use proxied + table lookups. File: global/mail_params.h. + + Cleanup: daemons now log what table has changed before + restarting. Files: dict.c, and anything that invoked + dict_changed(). + + Cleanup: more consistency in the naming of lookup table + handles as generated by maps(3) and by match_list(3). + +20030305 + + Workaround: Postfix removes too long non-address text from + message headers in order to protect vulnerable Sendmail + systems against exploitation of the remote buffer overflow + vulnerability described in CERT advisory CA-2003-07. + +20030311-19 + + Bugfix: the access map actions HOLD, DISCARD, FILTER and + REDIRECT were broken with smtpd_delay_reject=no and with + ETRN. This required re-architecting of the actions code. + Files: smtpd/smtpd.[hc], smtpd/smtpd_check.c, smtpd/smtpd_state.c. + +20030315 + + Bugfix: the postsuper manual page documented support for + the -c command line option, but it was not implemented. + File: postsuper/postsuper.c. + + Bugfix: the Postfix 2.0 recipient map checking code broke + the VRFY command, causing it to reply with status code 252 + for non-existent addresses. This required re-architecting + the recipient table lookup code. File: smtpd/smtpd_check.c. + +20030319 + + Feature: configurable limit on virtual alias expansion size + and nesting depth, via the virtual_alias_expansion_limit + and virtual_alias_recursion_limit parameters. The default + limits are compatible with past Postfix versions. Victor + Duchovni, Morgan Stanley. Files: /sample-resource.cf, + html/resource.html, cleanup/cleanup.c, cleanup/cleanup_init.c, + cleanup/cleanup_map1n.c. + + Feature: the installation procedure records build information + (by default: in /etc/postfix/makedefs.out). + +20030324 + + Bugfix: smtp-source flushed too often, causing suboptimal + performance with smtp-source sending directly into smtp-sink. + Files: smtpstone/smtp-source.c. + +20030410 + + Safety: log a fatal error when a net/mask pattern has a + non-zero host part, so that mail delivery is deferred. + File: util/match_ops.c. + +20030411 + + Bugfix: extraneous warning about out-of-order original + recipient records by Patrik Rak. Files: *qmgr/qmgr_message.c. + +20030412 + + Workaround: log a warning and reset the queue file time + stamps when the file system clock is ahead of the local + clock. File: global/mail_stream.c. + +20030414 + + Feature: PostgreSQL client module, adopted by LaMont Jones. + Files: README_FILES/PGSQL_README, util/dict_pgsql.c, + util/dict_pgsql.h, conf/sample-pgsql-aliases.cf. + + Cleanup: the generic smtp client/server code in smtp_stream.c + now has an explicit flush operation, and the smtp-source/sink + programs are updated to take advantage of this. + + Cleanup: the file system clock drift detection code now + runs only once per process instance, to minimize the + performance impact. File: global/mail_stream.c. + + Robustness: avoid TIME_WAIT state with smtp/qmqp-source + client sockets. This puts less strain on local system + resources. + +20030415 + + Cleanup: the file system clock drift detection code now + runs only for incoming mail. File: global/mail_stream.c. + +20030416 + + Bugfix: missing partial last line when 1) someone submits + 8-bit mail not ending in newline via /usr/sbin/sendmail + and 2) MIME input processing is turned off, and 3) MIME + 8bit->7bit conversion is requested upon delivery via SMTP. + + Cleanup: auto-bcc recipients are now added in one place + (the cleanup server) instead of by individual front-end + servers (pickup, smtpd, qmqpd). This makes it easier to + add auto-bcc features that trigger on sender or recipient + addresses. + + Cleanup: "sendmail -t" (recipients from headers) is now + implemented by the sendmail command instead of by the + cleanup server. This means that the extract_recipient_limit + configuration parameter is no longer needed. Files: + sendmail/sendmail.c, cleanup/cleanup_message.c, + cleanup/cleanup_extracted.c. + + Compatibility: "sendmail -t" (recipients from headers) now + accepts command-line recipients instead of complaining. + The extracted header recipients are added to the command-line + recipients. + + Feature: sender/recipient_bcc_maps. These are indexed by + sender/recipient address and are examined when mail enters + from outside of Postfix. Files: cleanup/cleanup_addr.c. + cleanup/cleanup_envelope.c cleanup/cleanup_extracted.c. + +20030417 + + Feature: the SMTP client now falls back to native name + service lookups (including /etc/hosts) when a host cannot + be found in the DNS. This is controlled by a new parameter + smtp_host_lookup (default: dns, native). Files: smtp/smtp.c, + smtp/smtp_addr.c. + +20030418 + + Bugfix: "sendmail -t" broke with unrecognized message + headers. + +20030419 + + Feature: "postcat -q" searches the queue for the named + file. + + Cleanup: made postcat "record names" output more consistent. + +20030421 + + Debugging: added some extra detailed error logging to the + pipe-to-command delivery, to help folks with bizarre file + truncation problems. File: global/pipe_command.c. + +20030424 + + Cleanup: readlline() did not terminate the result before + complaining about lines starting with whitespace. + + Cleanup: eliminated valid_hostname warning for invalid + queue file names. File: global/mail_queue.c. + + Bugfix: lost three lines of code when readying the postcat + command for release, which broke postcat -q. File: + postcat/postcat.c. + + Bugfix: the Postfix sendmail command applied the message + size limit when running as newaliases. The limiting code + is now moved to the message enqueuing branch of the code. + File: sendmail/sendmail.c. + + Documentation: start of documentation for the algorithm of + Patrik Rak's clever queue manager scheduler (nqmgr). Files: + conf/sample-scheduler.cf, README_FILES/SCHEDULER_README. + +20030429 + + Bugfix: while verifying an address, the LMTP client entered + a forbidden "next" sender state after the last recipient. + Fix by Vladimir Davydoff. File: lmtp/lmtp_proto.c. + + Bugfix: "," was not recognized in proxy_read_maps settings. + Fix by Leandro Santi. File: proxymap/proxymap.c. + +20030502 + + Bugfix: defer delivery after .forward etc. file read error. + File: local/token.c. Problem reported by Ben Rosengart, + Panix. + +20030503 + + Bugfix: the Postfix LMTP client used the wrong service + name, causing trouble with SASL 2.1.13. Daniel Schales, + Louisiana Tech. File: lmtp/lmtp_sasl_glue.c. + +20030518 + + Workaround: IRIX select() reports that a non-blocking file + descriptor is writable while write() transfers zero bytes. + File: util/vstream.c. Superseded by change 20030523. + +20030520 + + Cleanup: future time stamps in Received: headers and negative + delays in delivery agent logging after "postdrop -r", + because deferred queue files had future file modification + times. File: src/postsuper/postsuper.c. + +20030521 + + Cleanup: nqmgr warnings about "recipient count mismatch" + after "postdrop -r", because the cleanup server did not + count the "already done" recipients. Problem reported by + Richard Stockton, Gramma Software. Files: + cleanup/cleanup_envelope.c, cleanup/cleanup_extracted.c. + +20030523 + + Workaround: IRIX select() reports that a non-blocking file + descriptor is writable while write() transfers zero bytes. + File: global/pipe_command.c. + +20030523-20030605 + + Cleanup: rewrote the queue file record processing loops in + pickup, cleanup and in [n]qmgr. This code had deteriorated + a lot as the result of small changes over the years. This + change brings the code closer to "obviously correct". Files: + cleanup/cleanup_envelope.c, cleanup/cleanup_extracted.c, + *qmgr/qmgr_message.c. + + Cleanup: Postfix no longer produces queue files with + backwards compatibility data for Postfix versions < 1.0 + (a.k.a. 20010228). Files: cleanup/cleanup_extracted.c, + showq/showq.c. + + Performance: the queue manager no longer has to examine + every queue file record before it can start deliveries. + This helps to avoid thrashing with very large mailing lists. + Postfix queue files have an extra field in the size record + with queue manager processing hints. This change is backward + and forward compatible. Files: cleanup/cleanup_envelope.c, + cleanup/cleanup_extracted.c, *qmgr/qmgr_message.c. + +20030528 + + Compatibility: "sendmail -q<time>" without -bd option now + exits immediately, instead of waiting for input on the + standard input stream and screwing up system boot sequences. + File: sendmail/sendmail.c. + +20030530 + + Bugfix: client access denied with smtpd_delay_reject=no + broke "sendmail -bs". Fix by Victor Duchovni, Morgan Stanley. + File: smtpd/smtpd.c. + +20030531 + + Compatibility: allow <@site,@site:address> route addresses + in SMTP commands. File: smtpd/smtpd.c. + +20030605 + + Cleanup: input checks moved from the pickup daemon to the + postdrop mail submission command; this is to prepare for + direct mail submission from postdrop->cleanup without going + through the maildrop directory and the pickup service. + Files: pickup/pickup.c, postdrop/postdrop.c. + + Bugfix: the "dead host" backoff timer in the MySQL client + didn't work. Fix by Leandro Santi. File: util/dict_mysql.c. + + Bugfix: same problem in the PostgreSQL client. File: + util/dict_pgsql.c. + + Workaround: turned off non-blocking write to pipe because + too many systems give a weird write() result. File: + global/pipe_command.c. + + Cleanup: added support for vstream_fseek(.., .., SEEK_END). + File: util/vstream.c. + +20030608 + + Feature: separate address resolver controls for address + verification probe messages: address_verify_{local,virtual, + relay,default}_transport, address_verify_relayhost, and + address_verify_transport_maps. The default values are the + regular versions of the same controls. Files: trivial-rewrite/*, + global/resolve_clnt.[hc], *qmgr/qmgr_message.c. + +20030609 + + Workaround: Solaris blocking socket read() may hang. Hernan + Perez Masci and Leandro Santi. File: smtpd/smtpd.c. + + Bugfix: the "unread recipient" counter needs to be restored + after the queue manager has a problem reading a queue file. + Fix by Patrik Rak. File: nqmgr/qmgr_message.c. + +20030610 + + Cleanup: the verify server now uses asynchronous submission + of mail probes, so it will no longer block for in_flow_delay + seconds when mail arrives faster than it is delivered. + Still need to make mail_stream_finish() asynchronous in + order to avoid blocking for trigger_timeout seconds when + the queue manager is overwhelmed. Files: global/post_mail.c, + verify/verify.c. + + Bugfix: removed extraneous sleep() after the last attempt + to retrieve address verification status. File: smtpd/smtpd.c. + +20030611 + + Bugfix: the stricter postdrop input filter broke "sendmail + -bs". Found by Lutz Jaenicke. File: smtpd/smtpd.c. + +20030614 + + Portability: Dropped support for client side LDAP caching. + As of release 2.1.13 OpenLDAP no longer supports client + side caching, it has been deprecated for some time, and + never worked well. Implemented by Victor Duchovni, Morgan + Stanley, and further enhanced by Lamont Jones, HP. Files: + src/util/dict_ldap.c, conf/sample-ldap.cf, + README_FILES/LDAP_README. + + Safety: Given suitable invalid database contents, LDAP + lookups can produce too many results, enter an infinite + loop in the expansion of "special result attributes" (LDAP + DNs and LDAP URLs) or just consume excessive server resources + returning large result sets. Three new (per LDAP map) + configuration parameters enable one to set limits on + recursive nesting, result expansion and the server response + "entry" count. Implemented by Victor Duchovni, Morgan + Stanley, further enanced by Lamont Jones, HP. Files: + src/util/dict_ldap.c, conf/sample-ldap.cf, + README_FILES/LDAP_README. + +20030616 + + Feature: in mail delivery status reports, report the sender + address as X-Postfix-Sender. Matthias Andree. File: + bounce/bounce_notify_util.c. + + Cleanup: in mail delivery status reports, transform the + original recipient into xtext format as required by RFC + 1891. Files: bounce/bounce_notify_util.c, util/xtext.[hc]. + + Cleanup: more accurate "postfix check" warning for files + that miss one or more of the required mode 02111 execute + permission bits. Matthias Andree. File: conf/postfix-script. + +20030618 + + After "postfix reload", the master daemon now warns when + inet_interfaces has changed, and ignores the change, instead + of passing incorrect information to the smtp server. File: + master/master_ent.c. + +20030619 + + Feature: the Postfix SMTP server can send all mail into a + proxy server, for example a real-time SPAM filter. This + proxy is supposed to send the mail into another Postfix + SMTP server process for normal delivery. Files: smtpd/smtpd.c + smtpd/smtpd_proxy.[hc]. + +20030620 + + Bugfix: a cut-and-paste error caused the proxy server's + 354 status code to be reported when a proxy connection + broke during the DATA phase. File: smtpd.c. + +20030620 + + Bugfix: after the last change to postdrop, postcat no longer + recognized maildrop files as valid. File: postcat/postcat.c. + + Bugfix: after moving "sendmail -t" address extraction to + sendmail, "-t" broke multi-line recipient headers. Victor + Duchovni, Morgan Stanley. File: sendmail/sendmail.c. + +20030621 + + Workaround: the safe_open(O_CREAT) race condition exploit + avoiding code tries a little harder when it encounters a + race condition. File: util/safe_open.c. + +20030624 + + Bugfix: reject_unverified_address() set the defer_if_reject + flag when the verify service was unavailable (which never + happens). Victor Duchovni, Morgan Stanley. File: + smtpd/smtpd_check.c. + + New parameters address_verify_poll_{count,delay} that + control how often to poll the address verification service + for the completion of an address verification request. + Specify address_verify_poll_count=1 to implement a crude + form of greylisting, that is, always defer the first delivery + attempt for an unknown address. File: smtpd/smtpd_check.c. + + Bugfix: after the last change to postdrop, postcat no longer + recognized non-maildrop queue files as valid. File: + postcat/postcat.c. + +20030629 + + Cleanup: replaced references to "simulated virtual domains" + by "virtual alias domains". Victor Duchovni, Morgan Stanley. + +20030630 + + Feature: smtp_quote_rfc821_envelope=(yes|no) to control + RFC 821 style quoting of MAIL FROM and RCPT TO addresses. + Files: global/mail_params.h, smtp/smtp.c, smtp/smtp_proto.c. + +20030701 + + Bugfix: multi-recipient probes triggered a bug in the SMTP + client. File: smtp/smtp_proto.c. + + Feature: enable_original_recipient (default: yes) to control + whether Postfix keeps track of original recipient address + information. Victor Duchovni, Morgan Stanley. Files: + cleanup/cleanup.c, cleanup/cleanup_init.c, + cleanup/cleanup_out_recipient.c, global/log_adhoc.c, + global/mail_copy.c, *qmgr/qmgr_message.c. + + Feature: !/pattern/ support for PCRE lookup tables. Victor + Duchovni, Morgan Stanley. Files: util/dict_pcre.c. + + Cleanup: allow whitespace after patterns in repexp and pcre + tables. Victor Duchovni, Morgan Stanley. Files: + util/dict_pcre.c, util/dict_regexp.c. + +20030702 + + Feature: CIDR lookup table support, very remotely based on + code by Jozsef Kadlecsik. Files: proto/cidr_table, + util/dict_cidr.[hc]. + + Feature: TCP lookup table support, finally finished. Files: + proto/tcp_table, proto/dict_tcp.[hc]. + +20030705 + + Feature: new receive_override_options parameter controls + what happens before or after an external content filter: + rejecting unknown recipients, canonical and virtual address + mapping, address masquerading, automatic BCC recipients + and header/body checks. This eliminates the need to configure + multiple cleanup services in the master.cf file. + +20030707 + + Feature: context dependent SASL security options (i.e. + different options when TLS is enabled/disabled). Lutz + Jaenicke. Files: */*sasl_glue.[hc]. + +20030708 + + Hardened the attr_scan routines for exposure to an untrusted + environment, in preparation for possible use with SMTP + policy delegation to an external server. + + Feature: address filter for RBL lookups, for use with + multi-valued RBL services. File: smtpd/smtpd_check.c. + +20030709 + + Cleanup: use off_t instead of int for VSTREAM file offsets. + This was needed for mailboxes > 2GB on 32-bit systems. + Files: util/vstream.c, global/mail_copy.c. + +20030710 + + Support for multiple A and TXT results in RBL lookups. + Victor Duchovni, Morgan Stanley. File: smtpd/smtpd_check.c. + + Support for attribute-based query-reply protocols. Files: + util/attr_clnt.[hc], util/auto_clnt.[hc]. + +20030711 + + Support for plain "name=value\n" attribute protocol. Files: + util/attr_{scan,print}_plain.c. + + Bugfix: the LMTP session caching code did not reset the + EHLO server feature list when it needed to reconnect. + Problem found by Tobias Erbsland. + +20030712 + + Feature: delegated SMTP policy server. As an example, see + the greylisting server in examples/smtpd-policy. Specify + "check_smtpd_policy_service" in smtpd_mumble_restrictions. + See SMTPD_POLICY_SERVICE_README for details. + +20030716 + + Bugfix: in the sample policy server, changed "ok" into + "dunno" so the server can be used in the middle of a + restriction list. + + Cleanup: when an RBL reply has multiple TXT records, + concatenate them up to some reasonable limit, instead of + selecting one randomly. File: smtpd/smtpd_check.c. + + Safety: always truncate SMTP server error replies to 512 + bytes. File: smtpd/smtpd_check.c. + +20030717 + + Documentation: added description of policy_time_limit to + the SMTPD_POLICY_README document. + + Documentation: corrected the command time limit parameter + syntax in the spawn(8) manual page. + + Feature: defer_if_permit and defer_if_reject actions in + access tables, mainly for use by the delegated policy + server. Files: smtpd/smtpd_check.c, proto/access. + +20030725 + + The dict_pgsql module did not use dict_alloc() and dict_free(), + causing improper initialization and a memory leak. Leandro + Santi. File: util/dict_pgsql.c. + + Cleanup: added open_flags sanity checks to the dict_pgsql + and dict_mysql modules. These maps must be opened in + read-only mode. + +20030731 + + Bugfix: virtual(8) was changed to use mail_addr_find() + instead of virtual8_maps_find(), but the SMTP server's + virtual mailbox recipient validation was not updated. + +20030804 + + Bugfix: the 20030712 safety against invalid DNS results + was broken. Reported by Ralf Hildebrandt. File: + dns/dns_lookup.c. + +20030805-12 + + Safety: the pipe daemon now defers delivery with a warning + when it is given a non-existent command-line macro name. + File: pipe/pipe.c. + +20030810 + + Bugfix: dict_ldap had a few harmless memory leaks. By + Liviu Daia. File: util/dict_ldap.c. + + Feature: support for LDAP URLs in the LDAP parameter + "server_host", if Postfix is linked against OpenLDAP. This + allows Postfix to connect to LDAP SSL sources. By Liviu + Daia. File: util/dict_ldap.c. + +20030811 + + Cleanup: produce a warning when host:port specifies a badly + formatted numerical port. Files: util/find_inet.c, + smtp/smtp_connect.c, lmtp/lmtp_connect.c. + +20030822 + + Feature: the export_environment and import_environment + parameters now accept name=value information that will be + entered into the new environment. File: util/clean_env.c. + +20030823 + + Feature: smtpd_sasl_exceptions_networks parameter to prevent + Postfix from offering AUTH to clients that match the listed + networks. Based on code by Ben Rosengart, Panix. Files: + conf/sample-auth.cf, smtpd/smtpd.c. + +20030902 + + Portability: the Postfix master resets the file size to + the largest possible off_t value when the actual limit + appears to overflow the off_t range. Files: util/sys_defs.h, + util/file_limit.c. A fine sample of bit banging. + +20030905 + + Workaround: Solaris 8 select() claims that a non-blocking + socket is readable and then read() fails with EAGAIN. Files: + util/timed_read.c and as precautionary measure, + util/timed_write.c. + + Bugfix: dict_register() should not be called from dict_open() + in dict_mysql and dict_pgsql. Liviu Daia. Files: + util/dict_mysql.c, util/dict_pgsql.c. + + Feature: LDAP parameters can now be specified in external + files. This makes it possible to securely store bind + passwords for plain auth outside of main.cf (which is world + readable). By Liviu Daia, based on a suggestion by Victor + Duchovni and Lamont Jones. File: util/dict_ldap.c. + + Feature: STARTTLS option for LDAP, if Postfix is linked + against OpenLDAP. By Liviu Daia, amended by Victor Duchovni. + File: util/dict_ldap.c. + + Cleanup: connections to LDAP sources are now postponed + until they are actually needed. By Liviu Daia. File: + util/dict_ldap.c. + +20030908 + + The 20030905 Solaris workaround triggers too many warnings. + TCP sockets are back to blocking, and keepalives are turned + on to kill off dead sockets, as suggested by Leandro Santi. + Files: master/{single,multi}_server.c, smtpd/smtpd.c, + util/sys_defs.h. + +20030909 + + Bugfix: the LMTP session caching code had problems with + SASL authentication after the first connection, and pipelining + was working poorly. Fix by Victor Duchovni, Morgan Stanley. + Files: lmtp/lmtp.c, lmtp/lmtp_proto.c. + +20030912 + + Workaround: besides SMTP server sockets, SMTP client sockets + can also hang on Solaris, as reported by Leandro Santi. In + order to deal with this at the root, all connection management + is now done by sane_accept() and sane_connect(). Both turn + on keepalives on Solaris. + +20030913 + + Safety: set-gid commands don't trust TZ. File: msg_syslog.c. + +20030914 + + Address extension propagation wasn't documented enough when + it was added to Postfix. Based on patches by Roman Neuhauser. + + Added clarifying notes to main.cf, master.cf and access by + Dean Gibson. + + In header/body_checks, DUNNO is now the preferred action + instead of the now deprecated OK. This may confuse fewer + people. + + In header/body_checks, allow text after IGNORE and DUNNO, + suggested by Victor Duchovni, Morgan Stanley. File: + src/cleanup/cleanup_message.c. + + Feature: reject_rhsbl_helo. File: smtpd/smtpd_check.c. + + Bugfix? The LMTP and SMTP clients now send "MAIL FROM:<sender> + AUTH=<>" when SASL authenticated. Suggested by by Victor + Duchovni, Morgan Stanley. Files: smtp/smtp_proto.c, + lmtp/lmtp_proto.c. + +20030915 + + Bugfix: mail rejected by the before-queue content filter + was mis-labeled as a software error; it should be labeled + as a policy error instead. File: smtpd/smtpd.c. + + Cleanup: postcat is now null-byte transparent. File: + postcat/postcat.c. + +20030916 + + Feature: ``check_{sender,recipient}_mx_access maptype:mapname'' + applies the named Postfix access table to the MX host name + and IP addresses for the sender or recipient address. If + no MX record is found, the A record is used instead. File: + smtpd/smtpd_check.c. + + Feature: ``check_{sender,recipient}_ns_access maptype:mapname'' + applies the named Postfix access table to the DNS server + hostname and IP addresses for the sender or recipient + address. If no NS record is found, the parent domain is + used instead. File: smtpd/smtpd_check.c. + +20030917 + + Feature: ``check_helo_{ns,mx}_access maptype:mapname'', + same semantics as sender and recipient. + + Multiple LDAP lookup tables in the one Postfix process now + share one LDAP connection. Code by Victor Duchovni, Morgan + Stanley. File: util/dict_ldap.c. + + Performance: with prefix_domain specified for an LDAP lookup + table, lookups of @domain are skipped. Code by Victor + Duchovni, Morgan Stanley. File: util/dict_ldap.c. + + Safety: check_mumble_{mx,ns}_access refuses to be used for + whitelisting. The Postfix SMTP server will reject the + request with "451 server configuration error" and will log + a warning explaining why. File: smtpd/smtpd_check.c. + +20030918 + + Bugfix: check_mumble_ns_access did not correctly look up + NS records of parent domains, causing mail to be deferred + with a 450 status code. File: smtpd/smtpd_check.c. + +20030919 + + Robustness: check_mumble_{mx,ns}_access skip over DNS lookup + failures instead of deferring mail. This is not as bad as + it appears to be because the restrictions can't be used + for whitelisting. File: smtpd/smtpd_check.c. + +20030920 + + Bugfix: the 20030917 LDAP connection sharing code introduced + a compilation problem with non-OpenLDAP implementations. + Fix by Liviu Daia. File: util/dict_ldap.c + + Compatibility: the LDAP server_host parameter now supports + all the usual Postfix list element delimiters. Some LDAP + libraries support just SPACE, others SPACE and ",". Postfix + now normalizes the host list into a space separated format. + This is less surprising to Postfix users used to the full + range of delimiters in other contexts. Implemented by Liviu + Daia. File: util/dict_ldap.c + + Bugfix: after returning too old mail, the bounce daemon + now locks the original queue file and deletes deferred + recipients, to avoid repeated bounce notifications when + the queue manager is restarted. Files: bounce/*.[hc], + global/bounce_log.[hc], global/{bounce,defer}.[hc] and + everything that invokes these routines including queue + manager and delivery agents. + +20030922 + + Feature: "XADDR address hostname" SMTP command, for SMTPD + restriction debugging, and for sites with fetchmail-like + software that extracts client information from the first + Received: header. The smtpd_authorized_xaddr_clients + parameter specifies what clients are allowed to use XADDR + (default: none). Files: smtpd/smtpd.c. + +20031015 + + Workaround: smtpd access maps should not apply subdomain + name magic to numerical hostnames. File: smtpd/smtpd_check.c. + + Safety: the local delivery agent now defers delivery when + alias lookup produces an empty result. File: local/alias.c. + +20031019 + + Workaround: disable request/reply size limit in attr_scan*.c + to prevent mail from getting stuck when rewriting a malformed + message header. This limit was turned on with snapshot + 20030715 to harden the protocol that is used by SMTPD policy + delegation. A "no code change" workaround is to specify + "header_size_limit = $line_length_limit". The proper fix + is to enforce request/reply size limits only for data from + outside of Postfix. Problem reported by Brandon Mullenberg, + Dialup USA. Files: util/attr_scan*.c. + + Feature: "XLOGINFO address hostname" SMTP command, so that + Postfix daemons behind SMTPD pass-through proxies log useful + client name/address information instead of localhost[127.0.0.1]. + The smtpd_authorized_xloginfo_clients parameter specifies + what clients are allowed to use XLOGINFO (default: none). + Files: smtpd/smtpd.c. + + Cleanup: renamed the authorized_verp_clients parameter to + smtpd_authorized_verp_clients for consistency. + +20031021 + + Workaround: the demo greylist script now uses BTREE instead + of HASH files for hopefully better stability. The real fix + is to use a single updater process that serves multiple + clients. That approach seems to work well with the verify + daemon. File: examples/smtpd-policy/smtpd-policy.pl. + +20031022 + + Safety: the SMTP server now warns when the queue_minfree + value is less than twice the message size limit. File: + smtpd/smtpd.c. + + Safety: the SMTP server no longer accepts mail when the + amount of free space is less than twice the message size + limit. File: smtpd/smtpd_check.c. + + Safety: log a warning and defer mail when canonical or + virtual lookups return a non-address result (like a string + that contains no address). File: global/mail_addr_map.c. + + Safety: log a warning and defer mail when any map lookup + returns an empty string result, and explain that "no result" + is expected in case of a "not found" condition. This happens + with incorrectly implemented SQL or LDAP tables. File: + global/maps_find.c. + +20031023 + + Bugfix: the MYSQL and PGSQL modules invoked dict_register(). + This was fixed a while ago but never made it into the + distribution. Files: util/dict*sql.c. + + Robustness: added three ISSPACE() calls in the smtpd proxy + parser. File: smtpd/smtpd_proxy.c. + +20031024 + + Portability: added localhost to mydestination for sites + that turn off append_dot_mydomain. File: global/mail_params.h. + +20031027 + + Portability: MacOS X Bind8 compatibility. File: makedefs. + +20031103 + + Robustness: flush pipelined "." and "quit" replies to avoid + repeated deliveries in case of a program crash (you know, + the kind of thing that happens before Postfix release :-). + File: smtpd/smtpd.c. + +20031105 + + Portability: turn off NETINFO support for MacOS X Panther + by default. Files: makedefs, util/sys_defs.h. + +20031106 + + Feature: the sample greylist policy server is now case + insensitive. File: examples/smtpd-policy/smtpd-policy.pl. + +20031103-20031110 + + Feature: preliminary defense against SMTP clients that + hammer the SMTP server with too many simultaneous or + successive connection attempts, with a whitelist capability + to disable the restriction for authorized clients. Most + work is implemented by a new "anvil" server. Parameters: + smtpd_client_connection_count_limit, smtpd_client_connection- + _rate_limit, smtpd_client_connection_limit_exceptions, and + client_connection_rate_time_unit. Documentation: smtpd(8), + anvil(8), sample-smtpd.cf. Files: smtpd/smtpd.c, + global/anvil_clnt.[hc], anvil/anvil.c. The anvil server + logs peak count and rate information per client when it + terminates after running out of work or after "postfix + reload". + +20031110 + + Cleanup: Postfix now supports the /0 netmask (match every + address). This is useful as a catch-all pattern at the + end of a table. Files: util/dict_cidr.c, util/match_ops.c. + + Cleanup: don't report that $queue_directory/etc/filename + differs from /etc/filename when /etc/filename does not + exist. File: conf/postfix-script. + +20031112 + + Feature: client_connection_status_update_time parameter + controls periodic logging of maximal connection counts or + rates. The default logging interval is 10 minutes. + + Feature: "make makefiles WARN=stuff..." overrides the + built-in GCC warning options that are used when "make" is + invoked from within a source subdirectory. Files: makedefs, + */Makefile.in. + +20031125 + + Feature: qmgr logs "queueid: deleted", just like postsuper, + when it removes a message from the mail queue. + + Performance: smtpd connects to the cleanup or proxy server + AFTER the first valid RCPT TO command, instead of after + the first valid MAIL FROM command. This avoid wasting + real-time proxy filter resources when mail is stopped by + the SMTP server's access blocks. File: smtpd/smtpd.c. + +20031126 + + Bugfix: "panic: mymalloc: requested length 0" when master.cf + specified an invalid host name or address. Postfix now + logs more specific information. File: master/master_ent.c. + Reported by several people. + +20031125-20031201 + + Feature: XCLIENT support to override the SMTP server's + client information for logging and/or access control. This + replaces the short-lived XADDR and XLOGINFO extensions. + Remotely based on code by Victor Duchovni. See FILTER_README + and SMTPD_PROXY_README for usage details. Files: + smtpd/{smtpd,smtpd_check,smtpd_proxy,smtpd_xclient}.c + smtp/smtp_smtp_proto.c, *qmgr/qmgr_message.c, + global/deliver_request.c. + +20031202 + + Cleanup: postfix-files now has support for files that are + no longer part of Postfix. When upgrading Postfix, the + post-install script gives the user a reminder. Files: + conf/postfix-files, conf/post-install. + +20031203 + + Support for SMTPD access map actions (FILTER, REDIRECT, + HOLD or DISCARD) that are delegated to the cleanup server, + but can trigger before the first valid recipient address + is accepted (and thus, before a cleanup server connection + is available). Files: smtpd/{smtpd,smtpd_state,smtpd_check}.c. + +20031204 + + Bugfix: conf/post-install didn't skip non-existent obsolete + files. Victor Duchovni. + + Minor cleanups of the xclient error messages; xclient + command lookup tables. File: smtpd/smtpd.c. + +20031206 + + Feature: reject_sender_login_mismatch allows multiple owners + of a sender address. Code by Liviu Daia. Files: + smtpd/smtpd_check.c and documentation. + + reject_sender_login_mismatch is now implemented by elementary + features reject_unauthenticated_sender_login_mismatch + (reject if the client is not SASL logged in but the sender + address has an owner in smtpd_sender_login_maps) and + reject_authenticated_sender_login_mismatch (reject if the + client is SASL logged in but does not own the sender + address). Code by Liviu Daia. Files: smtpd/smtpd_check.c + and documentation. + +20031207 + + Bugfix: fallback_transport and mailbox_transport were broken + because the deliver_pass.c module was not updated for the + changed message delivery protocol. + +20031211 + + Safety: in dynamically growing data structures, update the + length info after (instead of before) updating the data + size. Files: util/argv.c, util/inet_addrlist.c, util/intv.c, + util/mvect.c, util/vstring.c, global/recipient_list.c, + *qmgr/qmgr_rcpt_list.c. + +20031212 + + Cleanup: separate extensions XCLIENT (impersonate SMTP + client) and XFORWARD (down-stream logging of up-stream MTA + and/or message information, not necessarily SMTP related). + The protocol is extensible: the server advertises what + attributes XCLIENT or XFORWARD will accept, and it is an + error to send an unsupported attribute. No xtext encoding + is used, since no attribute currently needs it. See also: + XCLIENT_README and XFORWARD_README. + +20031214 + + Feature: XFORWARD support in the LMTP client. + +20031215 + + Safety: updated mail_queue_id_ok() for long fast flush + logfile names. File: global/mail_queue.c. + + Robustness: save and restore the resolver _res.options + settings before and after DNS lookup, to avoid surprises + in third-party code. This may eliminate some "localhost + not found" problems. File: dns/dns_lookup.c. + +20031216 + + Cleanup: easier to parse mailq output (no more space + between short queue ID and message status). File: + showq/showq.c. + +20031216-21 + + Cleanup: the SMTP client now moves on to the next MX host + or fallback relay when delivery fails in the middle of an + SMTP session. This includes both broken connections and + 4xx SMTP server replies. Files: smtp/smtp.c, smtp_rcpt.c, + smtp/smtp_connect.c, smtp_trouble.c. + + Configuration parameters: smtp_mx_address_limit (limit the + list of IP addresses from MX lookup), and smtp_mx_session_limit + (limit the number of actual SMTP sessions per delivery + attempt, ignoring unusable MX IP addresses). + + The new code centers around a mark-and-sweep algorithm + (replacing code that twiddled the rcpt->offset structure + member), with paranoid sanity checks to ensure that every + recipient is explicitly accounted for. + +20031217 + + Update: LDAP client logging (Liviu Daia) and LDAP client + documentation (Victor Duchovni). Files: util/dict_ldap.c, + conf/sample-ldap.cf, README_FILES/LDAP_README. + +20031222 + + Cleanup: shaved half the worst-case bits off the cleanup + duplicate address filter footprint. After discussion with + Victor Duchovni. File: cleanup/cleanup_out_recipient.c. + + Safety: added "mail loops to myself" logic for destinations + that don't have an MX host. File: smtp/smtp_addr.c. + +20031223 + + Workaround: turn off "mail loops to myself" for non-MX + destinations because it breaks SMTP-based content filters. + Fix is to turn off loop detection when a non-default TCP + port is specified. File: smtp/smtp_addr.c. + + Bugfix: restore errno after write failure in SIGCHLD handler. + Leandro Santi (who got the idea from Hernan Perez Masci). + File: master/master_sig.c. + + Bugfix: the auto_clnt module disconnected too early, causing + unnecessary work by the anvil server. + + Cleanup: eliminated binary hashes from anvil server. Anvil + client information is now stored on top of its VSTREAM. + +20031226 + + Feature: bounce_queue_lifetime parameter (default: + $maximal_queue_life_time) that bounds the time that + MAILER-DAEMON messages spend in the queue before they are + considered undeliverable. + + Feature: disable "mail loops back to myself" protection + when SMTP mail is sent to a non-standard port. This makes + setting up content filters less painful. + + Cleanup: disallow bare x.x.x.x numeric IP addresses in + email addresses. The form user@[x.x.x.x] is still allowed. + + Cleanup: cleaned up the naming of internal symbols in the + SMTP client. + +20031231 + + Bugfix: stricter address syntax test broke "sendmail -bs". + File: smtpd/smtpd.c. + +20040101 + + Cleanup: the Postfix SMTP server rejects a MAIL FROM address + that matches a local, virtual or relay domain, while the + address is not listed in the corresponding local, virtual + or relay recipient table. + + Feature: the reject_unlisted_sender(recipient) SMTPD access + restriction rejects an address that matches a local, virtual + or relay domain, while the address is not listed in the + corresponding local, virtual or relay recipient table. + + Compatibility: the check_recipient_maps restriction works + like reject_unlisted_recipient, but will eventually be + removed from Postfix. + +20040102 + + Misc documentation cleanup by Loic Minier. + +20040104 + + Workaround: MacOSX dumps core on the 20030913 TZ censoring + code. We explicitly set TZ=UTC, which will produce incorrect + results when "mailq" formatting is moved from the showq + daemon to the postqueue command. File: msg_syslog.c. + + Feature: after mail is requeued with "postsuper -r", the + pickup server logs the old queue ID together with the new + queue ID. Victor Duchovni. File: pickup/pickup.c. + + Feature: smtpd_sasl_application_name parameter (default: + smtpd) to control the name of the SASL configuration file + used by the Postfix SMTP server. Liviu Daia. Files: + mail_params.h, smtpd.c, smtpd_sasl_glue.c. + + Cleanup: the LDAP client configuration parser is now shared + between the LDAP, MySQL, and PGSQL clients. Liviu Daia. + Files: global/cfgparser.[hc], global/dict_ldap.c, + global/dict_mysql.c, global/dict_pgsql.c and documentation. + + Cleanup: moved "util" modules with dependencies on higher-level + "global" code from the util directory to the global directory: + util/dict_open.c, global/cfgparser.[hc], global/dict_ldap.c, + global/dict_mysql.c, global/dict_pgsql.c, global/mail_dict.c. + + Cleanup: the new queue manager nqmgr replaces the default + queue manager qmgr, leaving behind a hard link for backwards + compatibility. The old queue manager remains available as + as oqmgr but will eventually be removed. + + Bugfix: vstring_get() etc. now return VSTREAM_EOF when they + terminate prematurely, instead of returning the last + character stored. This avoids mis-leading warnings. File: + global/vstring_vstream.c. + +20040105 + + Cleanup: don't bother the flush daemon while deferring mail + if the destination is not "fast flush" eligible. File: + global/flush_clnt.c. + + Safety: the SMTP server flushes recipients to the cleanup + server in order to avoid SMTP timeouts when virtual or + canonical expansions take a lot of time. File smtpd/smtpd.c. + + Safety: add warnings to postmap and postalias when table + lookup results in an empty string. + +20040110 + + Example: script to run qmail-local from Postfix by Ron + Bickers. + + Change: queue minfree limit is now 1.5 * message size limit. + File: smtpd/smtpd_check.c. + + Bugfix: apply hostname restriction even when host address + lookup fails in check_{sender,recipient}_{ns,mx}_access. + File: smtpd/smtpd_check.c. + +20040115 + + Performance: allow delivery concurrency to increase even + while mail is deferred, as long as the delivery agent does + not report really serious trouble with the destination. + Files: *qmgr/qmgr_deliver.c. + + Cleanup: in postfix-files, symbolic links and hard links + are now first-class citizens with explicit mention of source + and destination pathnames. Files: postfix-install, + conf/postfix-files, conf/post-install. + +20040116 + + Cleanup: sendmail -v caused one mail delivery report upon + every delivery attempt, not just the first one. The fix is + to "kill" a queue file record after the first delivery + attempt. This means a new record type. Files: *qmgr/qmgr_active.c, + *qmgr/qmgr_message.c, global/rec_type.c. + + Cleanup: in anticipation of other built-in rate limiters, + the client_connection_rate_time_unit parameter is renamed + to client_rate_time_unit. + + Documentation: finished the HOSTING_README file with an + overview of methods to host domains with Postfix. + +20040119 + + Bugfix: anvil (count and rate limiting) server race condition + could result in dangling pointer. Postfix erases memory + after allocating and before freeing, so it is extremely + unlikely that this could be used to bring harmful data into + the anvil server. File anvil/anvil.c. + +20040120 + + Cleanup: new header_checks(5) and body_checks(5) manual + pages. The sample-regexp* and sample-pcre* files are no + longer needed and have been removed, as are the default + *_table configuration files. + + Cleanup: support for the non-standard Errors-To: header is + removed. File: cleanup/cleanup_message.c. + +20040121 + + Feature: "PREPEND headername: headervalue" action in Postfix + access maps, to facilitate external policy servers that + label mail instead of rejecting it. Files: smtpd/smtpd.c, + smtpd/smtpd_check.c. + +20040122 + + UNDO the 20040104 change (vstring_get() etc. return + VSTREAM_EOF when they terminate prematurely, instead of + returning the last character stored, to avoid mis-leading + warnings). File: global/vstring_vstream.c. + + Portability: test -e is not portable. File: conf/postfix-script. + + Misc. documentation fixes by Victor Duchovni. + + Documentation: the README files are now hyperlinked, and + are referenced in the on-line manual pages. + + Bugfix: the pickup daemon now strokes the watchdog frequently + to prevent the watchdog from barking when mail arrives + faster than it can be picked up. File: pickup/pickup.c. + +20040123 + + Feature: set smtpd_reject_unlisted_{sender,recipient}=no + to turn off automatic rejection of non-existent local, + virtual or relay addresses. This way it can be made + conditional for local clients, always on for remote clients. + Files: global/mail_params.h, smtpd/smtpd.c, smtpd/smtpd_check.c. + +20040124 + + Feature: PREPEND in header/body_checks, for message tagging. + File: cleanup/cleanup_message.c. + +20040126 + + Safety: handle the case that main.cf is updated while it + is being read. File: util/dict.c. + + Feature: "instance" attribute that links policy etc. queries + to the same message instance. + + Cleanup: the mynetworks setting may now be empty. File: + global/mail_params.c. + +20040127 + + Bugfix: missing flush_init() call. Introduced 20040105. + File: postqueue/postqueue.c. + +20040128 + + Cleanup: clnt_stream derived classes now try to detect that + the server has disconnected before sending data and warning + about an error. File: global/clnt_stream.c. + +20040202 + + Bugfix: changed mis-leading warning about text>4096 characters + into "unexpected end-of-input". File: util/attr_scan0.c. + +20040201 + + Feature: sasl_method, sasl_username and sasl_sender attributes + in smtpd policy queries. Files: src/smtpd/smtpd_check.c. + +20040204 + + Safety: smtpd_soft_error_limit now determines when + $smtpd_error_sleep_time starts to take effect. + + Cleanup: local(8) and virtual(8) will now create maildirs + in a world-writable directory. Files: util/make_dirs.c. + + Bugfix: don't panic on a corrupt queue file. File: + *qmgr/qmgr_message.c. + +20040205 + + Cleanup: sample-filter.cf is gone. Better documentation is + available with "man header_checks". + +20040209 + + Bugfix: when delivery to smtpd_proxy_filter fails, report + "451 Queue file write error" instead of repeating the + previous "354 End data with <CR><LF>.<CR><LF>" response. + File: smtpd/smtpd.c. + +20040220 + + Compatibility: accept and ignore the sendmail -bh and -bH + mode of operation requests. + +20040302 + + Bugfix: SMTPD proxy didn't send QUIT as the result of code + duplication. Evidence reported by Mark Martinec. File: + smtpd/smtpd.c. + +20040311 + + Bugfix: bad address syntax was passed to transport map + lookups. Problem reported by Andrei Koulik. File: + util/match_ops.c, trivial-rewrite/resolve.c. + +20040324 + + Portability: ekkoBSD support by Philip Reynolds. Files: + makedefs, util/sys_defs.h. + +20040325 + + Cleanup: smtp_skip_4xx_greeting and smtp_skip_5xx_greeting + functionality is moved from connection management to SMTP + protocol processing, so that Postfix now logs the server + response when a server refuses to provide service. Files: + smtp/smtp_connect.c, smtp/smtp_proto.c. + + Cleanup: smtp_skip_4xx_greeting is no longer configurable; + it is now permanently turned on. + +20040326 + + Workaround: in the trivial-rewrite server, turn on the code + to strip trailing "." while rewriting addresses, and change + the address resolver to strip trailing "." in a compatible + manner. This does not eliminate the problem that the SMTP + server may use a different address for recipient validation + than what the cleanup server uses for virtual alias mapping. + +20040329 + + Bugfix: the SMTP server did not log client (and SASL) + information with the real-time content filter was enabled. + Files: smtpd/smtpd.c, smtpd/smtpd_sasl_proto.c. + + Compatibility: smtpd_reject_unlisted_sender is turned off + by default, to avoid trouble with with in-house software + that sends out mail software with an unreplyable address. + +20040331 + + Bugfix: postdrop should not abandon mail submission after + receiving a SIGHUP signal when SIGHUP was ignored by the + parent process. Victor Duchovni, Morgan Stanley. File: + postdrop/postdrop.c. + + Bugfix: parsing bug in PgSQL dictionaries causing UNIX + sockets to be ignored. Liviu Daia. Files: global/dict*sql.c. + + Performance: allow MySQL and PgSQL database connections to + be closed when idle for more than 1 minute; Liviu Daia. + Files: global/dict*sql.c. + +20040401 + + Sanity: the SMTP server no longer accepts sender or recipient + addresses that end in the "@" null domain, as well as + addresses that rewrite into such a form. Specify + "resolve_null_domain=yes" to get the old behavior back. + File: trivial-rewrite/resolve.c. + +20040402 + + Cleanup: added WARN action support for access maps, for + consistency with the WARN action in header and body checks. + File: smtpd/smtpd_check.c. + +20040407 + + Bugfix: missing return statement at the end of the + FREE_MEMORY_AND_RETURN error handling macro. Adi Prasaja. + File: trivial-rewrite/resolve.c. + +20040411 + + Future proofing: client_rate_time_unit is renamed to + anvil_rate_time_unit, so that it is no longer limited to + clients only. File: src/global/mail_params.h. + + Cleanup: postalias and postmap now log problems to syslogd. + Files: postalias/postalias.c, postmap/postmap.c. + +20040413 + + Feature: "postfix set-permissions" (re)sets ownership and + access permissions of Postfix files and directories. + + Feature: "postfix upgrade-configuration" updates main.cf + and master.cf. This is for people who people copy over + their old files after installing a newer Postfix version. + + Feature: HTML files are now optionally installed under + control of the html_directory configuration parameter. + Files: postfix-install, conf/postfix-files, conf/post-install. + + Cleanup: README file installation is now optional. Files: + postfix-install, conf/postfix-files, conf/post-install. + +20040414 + + Cleanup: references to sample-mumble.cf files removed, + conf/mumble_table files removed, new commands added to + conf/postfix-script. + + Cleanups: function declared int but used as void, missing + include file, missing const qualifier, unused variable. + Matthias Andree. Files: bounce/bounce_notify_util.c, + bounce/bounce_service.h, postlog/postlog.c, smtpd/smtpd_check.c, + util/attr_scan64.c. + + Bugfix: more robust version of SIGHUP test of 20040331. + Victor Duchovni, Morgan Stanley. File: postdrop/postdrop.c. + + Safety: added NOCLOBBER qualifiers to local variables that + might be clobbered by longjmp(). Files: util/sys_defs.h, + smtp/smtp_proto.c, lmtp/lmtp_proto.c, smtpd/smtpd_check.c, + smtpstone/smtp-source.c. + + Bugfix: sub-level Makefiles no longer turned on the extra + compiler warnings. Files: Makefile.in.*, makedefs.*. + +20040415 + + Bugfix: the LMTP client attempted to reuse a connection + after timeout, causing protocol synchronization errors. + Reported by Rob Mueller. File: lmtp/lmtp.c. + +20040416 + + Cleanup: non-delivery reports now include the original + recipient information. File: bounce/bounce_notify_util.c. + +20040415-18 + + Typos: many documentation fixes by Rob Foehl. + +20040418 + + Cleanup: "int" versus "const int" prototype mismatch between + the DICT sequence method prototype and possible implementations. + Files: util/dict_db.c, util/dict_dbm.c. + +20040419 + + Bugfix: the code that rejects client/helo RESTRICTIONS with + smtpd_delay_reject=no looked at the wrong evidence and + rejected client/helo ACCESS MAP lookups instead. Michael + Tokarev. Files: smtpd/smtpd.c, smtpd/smtpd_check.c. + + Bugfix: missing # in master.cf in optional submission + service. + +20040420 + + Bugfix: smtpd logged the client too often. Michael Tokarev. + File: smtpd/smtpd.c. + + Cleanup: client_event_status_update_time renamed to + anvil_status_update_time. Files: mantools/postlink, + proto/postconf.proto, anvil/anvil.c. + +20040421 + + Workaround: allow pipelined SMTP clients to overshoot the + SMTP server recipient limit without triggering the server + hard error limit. The SMTP server does not count "too many + recipients" towards the hard error limit, as long as the + number of excess recipients stays within a configurable + overshoot limit (default: smtpd_recipient_overshoot_limit + = 1000). Solution in cooperation with Victor Duchovni. + Files: smtpd/smtpd.c, smtpd/smtpd_state.c, smtpd/smtpd.h. + +20040502 + + Missing test for a never used flag (the problematic and + thus never completed INSPECT feature that doesn't re-inject + mail into Postfix). Victor Duchovni, Morgan Stanley. File: + virtual/virtual.c. + +20040503 + + Bugfix: missing "sasl enabled" guard in the SMTPD policy + client. File: smtpd/smtpd_check.c. + +20040606 + + Portability. UnixWare has strcasecmp() in strings.h. Patch + by Andreas Winkelmann. File: util/sys_defs.h. + + Portability. The postlink script is transformed from sed(1) + to perl(1). + +20040608 + + Portability. Introduced SET_H_ERRNO() macro for compilation + environments where h_errno can't be used as an lvalue. + Files: util/sys_defs.h, dns/dns_lookup.c. + + Portability. Eliminate assumption on bits per byte from + vbuf_print.c. + +20040614 + + Bugfix: the SMTP client did not reset per-session EHLO, + SASL, and history information when opening a connection to + an alternate SMTP server. This is the result of abstraction + no longer matching function. Reported and diagnosed by + Victor Duchovni, Morgan Stanley. + + Bugfix: non-portable reuse of variadic argument lists. + Fix by Victor Duchovni, Morgan Stanley. Files: global/bounce.c, + global/defer.c, global/sent.c, global/trace.c, global/verify.c. + + Portability: NetBSD 2.0 has changed from statfs to statvfs. + John Heasley. File: util/sys_defs.h. + + Documentation: typo fixes by IKEDA Nozomu. + +20040616 + + Bugfix: one missed variadic argument list fix. Victor + Duchovni, Morgan Stanley. File: global/verify.c. + + Bugfix: the resolver client cache should be context dependent + because address verification probes may use a different + route than normal mail deliveries. File: global/resolve_clnt.c. + + Safety: added similar context dependence to the address + rewriting client in order to avoid trouble when Postfix is + changed. File: global/rewrite_clnt.c. + + Bugfix: space in HELO commands could end up in XFORWARD + commands. File: smtpd/smtpd.c. + +20040619 + + Code reorganization: in preparation for SMTP session caching, + the SMTP client data structures were changed from the + original "one session per delivery request" model to an + explicit "multiple sessions per delivery request" model. + This uncovered ESMTP and SASL missing re-initialization + problems that were fixed in past week. Design by Victor + and Wietse, initial implementation by Victor Duchovni. + +20040620 + + Future proofing: after the reorganization of SMTP request + state and session state, added code to the smtp client + error handling routines to more consistently deal with the + possibility that session information is not available. + +20040621 + + Feature: directory=pathname option for the pipe(8) delivery + agent. This allows a command to run from a fixed directory. + Failure to change directory causes delivery to be deferred. + Files: pipe/pipe.c. + + Feature: command_execution_directory for local(8) delivery + to external command. This supports the usual $home etc. + expansions, subject to filtering with the character set + specified with $execution_directory_expansion_filter. + Failure to change directory causes delivery to be deferred. + Files: global/mail_params.h, local/command.c. + + Support for external command execution directory. Files: + global/pipe_command.[hc]. + +20040622 + + Safety: when mail is delivered to a transport with per-delivery + recipient limit of 1, split the recipient address on the + recipient delimiter if one is defined, so that extended + addresses don't get extra delivery concurrency slots. + Files: *qmgr/qmgr_message.c. + +20040623 + + Workaround for fragile clients: add microsecond time to + maildir filename. Files: virtual/maildir.c, local/maildir.c. + +20040628-20040701 + + SMTP connection caching work with Victor Duchovni. + + New module (later renamed to global/scache_single.c) for + protocol-independent session caching. The initial + implementation supports in-process, single-session caching + only. A later version will support a central session cache + daemon. Some more work is needed for passivation/activation + of session attributes. + + New function vstream_fdclose() to destroy a VSTREAM while + leaving the underlying file(s) open. Files: util/vstream.[hc]. + + New function dns_rr_remove() to remove one record from a + resource record list. Some more work is needed to turn the + list into a doubly-linked one. Files: dns/dns.h, dns/dns_rr.c. + + Restructuring of the SMTP protocol engine for session + caching. File: smtp/smtp_proto.c. + + Restructuring of the connection management module, and + first implementation of SMTP connection caching. To enable, + specify an smtp_connection_cache_time value greater than + zero. The time unit is seconds. File: smtp/smtp_connect.c. + + New code to passivate and re-activate SMTP_SESSION objects, + and isolation of session save/lookup in its own module. + Files: smtp/smtp_session.c, smtp/smtp_reuse.c. + + Refinement: smtp_cache_reuse_limit parameter to bound the + number of times a session may be reused. + + Refinements: when a session comes from the cache, give it + back to the cache anyway (even when it will not be listed + under the next-hop destination name). + + Future refinements should also include a bound on the number + of consecutive and total non-delivering uses and other + statistics. + +20040714 + + Bugfix: the code to eliminate the local MTA from the MX + address list did not handle the case that inet_interfaces + produced a less preferred match than proxy_interfaces. + Victor Duchovni, Morgan Stanley. File: smtp/smtp_addr.c. + +20040715 + + Resume work on SMTP session caching. All good sessions + are now cached under their IP address. As before, only the + first good session per delivery request is cached under + the original next-hop destination. + + At this point, SMTP session caching works, with a session + cache client module that uses in-process session caching. + This is sufficient to demonstrate that the SMTP client is + ready for session caching. + +20040716 + + New modules to send file descriptors from one process into + another one. This will be needed for implementing a central + connection cache manager daemon. Most systems use UNIX-domain + sockets as the transport for this. On Solaris we use streams + instead. Applications are supposed to invoke LOCAL_SEND_FD() + and LOCAL_RECV_FD(). Files: {unix,streams}_{send,recv}_fd.c. + +20040717 + + First implementation of a session caching client API that + actually sends to/receives from a caching server process. + The old in-process, single-session caching functionality + is preserved as global/scache_single.c, so that we can use + it for bootstrapping the session cache server. File: + global/scache_clnt.c. + + First implementation of the scache session cache server, + using the same in-process session caching code that was + used to bootstrap the SMTP client. File: scache/scache.c. + +20040718 + + Performance: the default RSET timeouts are reduced from + 120s to 20s. Perhaps there should be different RSET timeout + for address probes and for session cache checks. File: + global/mail_params.h. + +20040719 + + Multi-session connection cache module. Implementing this + was actually the easiest part of the entire connection + caching project. File: global/scache_multi.c. + +20040720 + + Bugfix: event_drain() falsely reported a single-entry timer + queue as empty. File: util/events.c. + + Completed the multi-session cache support for SMTP. The + code can be stress tested with a driver program that reads + commands from a script. It is not practical to manually + test the effects of collisions in the time or in name space + domains. File: global/scache.c. + +20040721 + + Feature: the session cache server now logs cache hit and + miss statistics every $session_cache_status_update_time + seconds (default: 600s), as well as upon process exit. + File: scache/scache.c. + +20040722 + + Workaround: LINUX 2.4 has trouble with mixed data and file + descriptor traffic on UNIX-domain stream sockets. + Specifically, it cannot handle data write (read) followed + by file descriptor send (receive): the receiver hangs in + recvmsg(). Workaround is to insert an intervening read + (write) operation. Presumably, LINUX 2.4 is confusing the + data and file descriptor. Lucky Ralf Hildebrandt. Files: + util/sys_defs.h, global/scache_clnt.c, scache/scache.c. + +20040723 + + Safety: spawn(8) now rejects a user with the -1 UID or GID + value, so that commands will not end up running as root. + Files: util/spawn_command.c, spawn/spawn.c. + + User interface: parameter smtp_connection_cache_domains + renamed to smtp_connection_cache_destinations. Destinations + listed here must be specified without [] or :port. File: + smtp/smtp_connect.c. + + Bugfix: "421 Timeout exceeded" wasn't guarded by setjmp(). + Victor Duchovni, Morgan Stanley. File: smtpd/smtpd.c. + +20040729 + + Feature: enable SMTP session caching temporarily while a + postfix is able to schedule back-to-back deliveries. + Parameter: smtp_connection_cache_on_demand (default: + yes). Files: smtp/smtp_connect.c, *qmgr/qmgr_entry.c, + *qmgr/qmgr_queue.c, *qmgr/qmgr_deliver.c. + + Feature: smtp-source -N option to generate unique recipient + addresses for (trivial-rewrite) stress testing. Victor + Duchovni, Morgan Stanley. File: smtpstone/smtp-source.c. + +20040730 + + Safety: disallow "opportunistic session caching" when the + queue manager is unable to schedule back-to-back deliveries. + File: *qmgr/qmgr_entry.c. + +20040731 + + Hysteresis: turn on "opportunistic session caching" when + back-to-back deliveries happen, but don't turn if off + until both concurrent and back-to-back delivery ends. + +20040801 + + Workaround: disable session caching for Linux < 2.2 (does + not work) or Glibc < 2 (does not compile). Files: + util/sys_defs.h, util/unix_{recv,send}_fd.c. + + Portability: h_errno is not an lvalue in the UnixWare 7.1 + multi-threaded environment. Olivier PRENANT. + +20040812 + + Bugfix: update SMTP server error counter when a client is + denied access with smtpd_delay_reject=no. + +20040816 + + Bugfix: The smtp_chat_cmd() forced output flushing code in + the SMTP client could run before an I/O error handler was + set up. Problem diagnosed by Victor Duchovni, Morgan + Stanley. The fix is to disable the smtp_chat_cmd() forced + output flushing code as it duplicates better code in + smtp_loop(). File: smtp/smtp_chat.c. + + Safety: set up an I/O error handler before the smtp_loop() + protocol engine starts; this handler logs a warning in case + it ever runs, because that means someone broke ESMTP command + pipelining. File: smtp/smtp_proto.c. + + Feature: canonical_classes parameter by Kimmo Suominen, to + control what addresses are rewritten by canonical_maps. + Files: cleanup/cleanup_addr.c, cleanup/cleanup_message.c. + +20040817 + + Bugfix: update the vstream I/O time AFTER the completion + of an I/O request, so that time-sensitive applications + don't force flush output too soon and possibly trigger + NAGLE delays. Problem diagnosed by Victor Duchovni, Morgan + Stanley. File: util/vstream.c. + + Portability: avoid postmap/postalias test file name clashes + on Windows. Ian Lance Taylor (of Taylor UUCP fame). + +20040823 + + Bugfix: vstream_popen() did not close the child pipe + after failure to fork(). File: util/vstream_popen.c. + +20040826 + + Feature: support for systems with closefrom(), and emulation + for those without. Andrew Brown. Files: util/sys_defs.h, + util/sys_compat.c. + +20040827 + + Feature: {sender,recipient}_canonical_classes parameters, + which give better control than sender_canonical_classes. + Files: cleanup/cleanup_addr.c, cleanup/cleanup_message.c. + + Feature: the proxymap client now recognizes when a map + can't be proxied, and will open it directly instead. This + makes proxy maps easier to use for virtual mailbox domains. + File: global/dict_proxy.c. + + Feature: smtp_sasl_mechanism_filter restricts what remote + SMTP server mechanism names the Postfix SMTP client passes + on to the SASL library. Victor Duchovni, Morgan Stanley. + Files: smtp/smtp.c. smtp/smtp_sasl_glue.c, smtp/smtp_sasl_proto.c. + +20040828 + + User interface: when no recipients are specified, the + Postfix sendmail command now terminates with status EX_USAGE + instead of accepting the mail first and bouncing it later. + This gives more direct feedback in case of a common client + configuration error. File: sendmail/sendmail.c. + +20040829 + + Portability: Solaris closefrom() support didn't work for + non-SUN compilers. Victor Duchovni, Morgan Stanley. + +20040830 + + Feature: the scache(8) session cache manager now logs the + peak counts of destinations, endpoints and sessions. Files: + scache/scache.c, global/scache*c. + +20040831 + + Portability: disable session caching support on SCO 5 + because of incompatible sockets API. File: util/sys_defs.h. + +20040913 + + Bugfix (introduced 20020803): sent the wrong bounce message + type when a Delivered-To: loop was detected for a mailing + list alias. Nicolas Riendeau. File: bounce_notify_util.c. + +20040918 + + Feature: authorized_flush_users, authorized_mailq_users, + authorized_submit_users to restrict what users can flush + the queue, list the queue, or submit mail locally. Based + on code by Victor Duchovni, Morgan Stanley. Files: + sendmail/sendmail.c, postdrop/postdrop.c, postqueue/postqueue.c, + global/user_acl.[hc]. + + Feature: discard(8) mail delivery agent. Victor Duchovni, + Morgan Stanley. File: discard/discard.c. + +20041002 + + Long overdue, a master(5) manual page based on an initial + version by Magnus Baeck. + + By popular demand, a postfix-manuals.html web page with + totally useless links to UNIX-style manual pages (the same + information should already be available simply by typing + "apropos postfix"). To keep newbies from getting completely + lost due to information overload, the document starts with + a list of actually useful pointers to Postfix introductions, + duplicated from the already existing documents.html. + +20041006 + + Bugfix: "sendmail -bv" did not reject the -t option. File: + sendmail/sendmail.c. + +20041007 + + Feature: SASL authentication attributes are now stored in + queue files and passed on to delivery agents, by Leandro + Santi. Files: deliver_pass.c, deliver_request.c, + qmgr_deliver.c, qmgr_message.c, pipe.c, smtpd.c. + +20041009 + + Feature: per SMTP client message rate limit and recipient + rate limit, by Ragnar Lonn, GHN network technologies. + Files: smtpd/smtpd.c, anvil/anvil.c, global/anvil_clnt.[hc]. + + Incompatibility: smtpd_client_connection_limit_exceptions + renamed to smtpd_client_event_limit_exceptions, because it + now also controls message and recipient rate limit control. + +20041013 + + Portability: AIX 5.1/GCC. + +20041014-23 + + Postfix no longer appends the local domain to header + addresses from remote clients. Instead, Postfix either + does not rewrite those headers at all, or it appends the + domain specified with the new remote_header_rewrite_domain + parameter. + + Postfix still appends $@myorigin or .$mydomain to headers + from the Postfix sendmail command, or from clients listed + with the new local_header_rewrite_clients parameter (default: + permit_mynetworks, permit_sasl_authenticated). + + These changes affect the SMTP server (including XFORWARD + support), the cleanup server (do or don't rewrite headers), + the trivial-rewrite server (append local domain or surrogate + remote domain to incomplete addresses), the queue manager + (send additional attributes to delivery agents), the LMTP + and SMTP clients (XFORWARD support), and the local delivery + agent (preserve XFORWARD attributes when forwarding mail). + +20041016 + + Bugfix: attr_clnt_request() did not properly skip hash + table arguments. Luc Pardon, Skopos Consulting. File: + util/attr_clnt.c. + +20041018 + + The NIS+ module by Geoff Gibbs is now part of Postfix. + Files: util/dict_nisplus.c, proto/nisplus_table. + +20041019 + + Support for Errors-To: is permanently removed. + +20041022 + + Bugfix: "smtp_connection_cache_on_demand=no" could crash + the SMTP client. File: smtp/smtp_connect.c. + + Robustness: extra sanity checks. Files: util/dict_db.c, + util/dict_dbm.c, dict_nis.c. + +20041025 + + Initial merge of Lutz Jaenicke's TLS patch. Initial rewrite + of tlsmgr to eliminate some code duplication and to postpone + calls into OpenSSL until after dropping privileges. + +20041030 + + Compatibility: "session cache" renamed to "connection cache" + to avoid confusion with the TLS session cache. + +20041102 + + Feature: smtpd_end_of_data_restrictions allow you to specify + restrictions at the end of the SMTP DATA command. The syntax + is identical to that of the smtpd_data_restrictions feature. + This introduces a new END-OF-DATA protocol state for the + external policy server. Files: proto/SMTPD_POLICY_README.html, + proto/SMTPD_ACCESS_README.html, smtpd/smtpd_check.c. + +20041111 + + Cleanup: terminate the dict_eval() result buffer for verbose + logging. Victor Duchovni, Morgan Stanley. File: util/dict.c. + +20041112 + + Cleanup: be more careful when saving and restoring resolver(3) + options to avoid problems with an HP-UX security patch + (change introduced 20031215). File: dns/dns_lookup.c. + +20041115 + + Bugfix: the test for "no debugger_command" was wrong. + Leandro Santi. File: global/debugger_command.c. + +20041117 + + Robustness: the master-child protocol now includes a process + generation number besides the child process ID. The process + generation number is incremented by one each time the master + creates a child process. Child-to-master status updates + with the wrong generation number are ignored, instead of + triggering a consistency error in the master server. Files: + master/*server.c, master/master_status.c, master/master_spawn.c. + +20041118 + + Bugfix: the "local_header_rewrite_clients" feature (20041023) + did not recognize "bare" lookup tables as documented. Victor + Duchovni, Morgan Stanley. File: smtpd/smtpd_check.c. + + Bugfix: the "local_header_rewrite_clients" feature (20041023) + was broken because the local delivery agent passed on a + bogus attribute value when forwarding internally generated + mail, causing the mail to be rejected by the cleanup server. + File: local/dotforward.c. + + Bugfix: the "local_header_rewrite_clients" feature (20041023) + was broken because the pickup server always overwrote origin + information. Files: pickup/pickup.c, cleanup/cleanup_state.c, + *qmgr/qmgr_message.c. + + Workaround: enable the "can't write before sending a file + descriptor" workaround for Solaris. Problem reported by + Victor Duchovni for Solaris 2.5.1, but we play safe and + enable it unconditionally. + +20041120 + + The TLS support routines are moved to a "tls" directory, + and are published via the "libtls.a" object library. + +20041122 + + Infrastructure: support for binary attribute values + (ATTR_TYPE_DATA) in Postfix IPC messages. Files: + util/attr_scan*c, util/attr_print*c. + +20041123-20041205 + + TLS support: via a process of gradual transformation, + decomposed Lutz Jaenicke's pfixtls.c into separate modules + for clients, servers, certificate verification, session + caching, and PRNG management. Global variables were eliminated + so that the code now supports multiple client and/or server + contexts in the same process. Files: tls/*.[hc]. + +20041205 + + TLS support: eliminated shared access (and locking) of the + TLS PRNG exchange file and TLS session caches. Instead, + Postfix uses a client-server protocol, and the tlsmgr + becomes the sole mediator. This eliminated the need for + 1000+ lines of SDBM support, and eliminated the need for + running a persistent tlsmgr process on systems don't enable + TLS in main.cf. + +20041124 + + Feature: configurable list of forbidden SMTP commands + (default: smtpd_forbidden_commands = CONNECT, GET, POST) + after which the Postfix SMTP server disconnects immediately. + The SMTP server always disconnects immediately when the + client sends a message header instead of an SMTP command. + Magnus Baeck. File: smtpd/smtpd.c. + +20041207 + + CDB support by Michael Tokarev, documentation by Victor + Duchovni. Files: util/dict_cdb.[hc], global/mkmap_cdb.c. + +20041209 + + Completed support for the Berkeley DB sequence operator. + This is needed for finding and deleting old entries in TLS + session databases. File: util/dict_db.c. + + Bugfix: the DBM client's sequence operator used exclusive + locking instead of shared locking. File: util/dict_dbm.c. + + Feature: dump an entire database with the new postmap/postalias + "-s" option. This works only for database types with Postfix + sequence operator support: hash, btree, dbm, and sdbm. + Files: postmap/postmap.c, postalias/postalias.c. + +20041212 + + Solaris 10/ix86 chroot setup script update by J.D. Bronson. + + TLS support: cosmetic changes to comments and messages; + completed the code for the master -> tlsmgr trigger handshake, + so that the master no longer complains about trigger + responses timing out. + +20041213 + + Updated the SDBM dictionary interface. It had fallen behind + with the Postfix dictionary interfaces that were already + bundled with Postfix. Files: util/dict_sdbm.[hc]. + + Cleanup: "postconf -m" (show all available map types) now + produces sorted output. File: util/dict_open.c. + +20041215 + + No bugfix: tests with the new "postmap -s" feature show + that SDBM first/next operations never worked with Postfix/TLS + patch 20040829 (verified with the 20040829 dict_sdbm.c + module on Linux and FreeBSD). The code stops after finding + one database element. Other SDBM versions found on the + Internet will find all database entries, but report an I/O + error after the last database element is found. All this + would be easy enough to fix, but the SDBM library is not + part of Postfix, and never will be. + + Bugfix: the sequence operator in the DBM and SDBM clients + released the shared lock after reading the next key but + before reading the corresponding value. This was never a + problem, because the sequence operator was used only in + the Postfix/TLS patch. This used the SDBM sequence operator + which didn't work as discussed above. Files: util/dict_dbm.c, + util/dict_sdbm.c. + + Feature: the local(8) and pipe(8) delivery agents now make + the following attributes available upon delivery (with + local(8) names must be spelled in upper case): client_hostname, + client_address, client_protocol, client_helo, sasl_method, + sasl_sender, sasl_username. Files: local/command.c, + pipe/pipe.c, and lots of documentation. + +20041216 + + "postcat -o" now prints queue file record offsets; this is + useful for debugging. File: postcat/postcat.c. + + NON-PRODUCTION Bugfix: (bug introduced while adopting the + Postfix/TLS patch): the new TLS certification call-back + routine expects that the peer hostname is in + tlscontext->peername_save, but the TLS server code never + updated this field. File: tls/tls_server.c. + +20041218 + + Feature: selective suppression of SMTP extensions (pipelining, + starttls, auth, etc.); this is useful to work around broken + clients or servers. Specify a list of EHLO keywords with + the smtp(d)_discard_ehlo_keywords parameters, or specify + one or more lookup tables, indexed by remote network address, + with the smtp(d)_discard_ehlo_keyword_address_maps parameters. + EHLO keyword lists are case insensitive. Files: + util/name_mask.[hc], global/ehlo_mask.[hc], smtpd/smtpd.c, + smtp/smtp.c, smtp/smtp_proto.c. + +20041219 + + Bugfix: postcat without -o was broken. File: postcat/postcat.c. + +20041220 + + NON-PRODUCTION Bugfix: (bug introduced while adopting + Postfix/TLS patch): don't call smtp_flush() after return + from vstream_setjmp(), we'll call you. File: smtpd/smtpd.c. + + Dummy VSTREAM read-write routines. Files: util/dummy_read.c, + util/dummy_write.c. + +20041221 + + Fixes for TLS_README by Victor Duchovni. File: + proto/TLS_README.html. + + NON-PRODUCTION Bugfix: (bug introduced while adopting + Postfix/TLS patch). The client code had become too similar + to the server implementation, and also required a host + certificate and key. Fix by Victor Duchovni. File: + tls/tls_client.c. + +20041221 + + Bugfix: further postcat corner cases. + +20041223 + + Cosmetic: don't log disconnect events as I/O errors. + File: tls/tls_bio_ops.c. + +20041221-9 + + Infrastructure: unified IPv4/IPv6 name/address API so that + Postfix can support IPv6 without #ifdef INET6 everywhere. + In particular, we allow #ifdef in libraries but avoid it + in applications. Files: util/myaddrinfo.[hc], + util/sock_addr.[hc], dns/dns_rr_to_pa.c, dns/dns_sa_to_rr.c, + dns/dns_rr_eq_sa.c, dns/dns_rr_to_sa.c, inet_proto.[hc]. + + Postfix no longer attempts to deliver mail via IPv6 when + the system has no IPv6 connectivity. Network protocol + support is now selected with the "inet_protocols" configuration + parameter, instead of "inet_interfaces". The "inet_protocols" + parameter also controls what DNS lookups Postfix will do. + + Infrastructure: eliminated two host/port parsing routines. + Only one survives: host_port(), in an extended form that + allows for missing host or missing service information but + not both. File: util/host_port.c. + +20041229 + + Milestone: Postfix with the unified IPv4/IPv6 socket/name + API builds without compiler error on IPv4-only system and + actually works. + +20041228 + + Bugfix: SMTPD_PROXY_README incorrectly claimed that ":port" + in master.cf causes a server to listen only on "localhost" + without exposing the service to the network. Instead, + ":port" causes a client to connect to "localhost". + +20041231 + + Linux workaround: when mynetworks isn't set, a chrooted + process could not read the IPv6 address information from + /proc. We now invoke own_inet_addr() before chrooting, + while processing main.cf. File: global/mail_params.c. + +20050101 + + Workaround for (Linux) systems without IPV6_V6ONLY support + (RFC 3493). When Postfix listened on an IPv4 wild-card + smtp socket, the IPv6 wild-card smtp listener would fail + with EADDRINUSE (and vice versa). File: util/myaddrinfo.c. + +20050103 + + Safety: when the IPV6 netmask can't be determined, assume + /128 (host only). File: util/inet_addr_local.c. + +20050104 + + Re-implemented IPv6 support for net/mask pattern matching. + Files: util/cidr_match.[hc], util/dict_cidr.c, + util/match_ops.[hc], proto/cidr_table. + +20050105 + + Moved mask_addr() to its own module so that it could also + be called by mynetworks() and inet_addr_local() to remove + non-zero host bits from IPv6 network/mask patterns. File: + util/mask_addr.c. + +20050108 + + Re-implemented IPv6 support for network interface lookup + via the Linux /proc file system. File: util/inet_addr_local.c. + +20050111 + + Feature: specify "inet_interfaces = loopback-only" for + servers that must listen on local interfaces only, without + having to specify IPv4 and/or IPv6 addresses in main.cf or + master.cf. File: global/own_inet_addr.c. + + Workaround: AIX 5.1 getaddrinfo() can't handle a null host + argument with AI_PASSIVE. Instead we specify an explicit + protocol family, a host of "::" or "0.0.0.0", and turn off + IPV6_V6ONLY. Files: util_myaddrinfo.c, util/inet_listen.c. + + Workaround: AIX 5.1 getaddrinfo() can't handle a "0" service + argument. Instead we specify "1". Files: util/inet_addr_host.c. + +20050113 + + Cleanup: now that the over-all structure is proving itself, + clean up some internal APIs to increase robustness and get + rid of some clumsiness. Mainly, the getaddrinfo(3) interface. + + Start-up performance: the hash_queue_names default setting + is reduced from eight directories to just defer and deferred. + This reduces time for checking the Postfix queue. Files: + conf/post-install, global/mail_params.h. + +20050114 + + Further cleanup: eliminate duplicate IPv6 results when the + mynetworks value is generated by Postfix. More documentation + of the new internal APIs. + + Performance: reduced start-up delay by moving warning-only + startup checks into the background. File: conf/postfix-script. + +20050115 + + Further hardening of the IPv6 support: don't trust system + libraries to protect Postfix against malformed IPv6 address + literals. Their syntax is complex enough that errors are + likely. Files: global/resolve_local.c, util/valid_hostname.c. + + Further cleanup: RFC 2821 requires the IPv6: prefix with + IPv6 address strings. The smtp and qmqp servers maintain + separate address instances, the bare address and the RFC + 2821 compatible form, and use each where appropriate. This + strict separation simplifies address syntax checks as well + as the implementation of XCLIENT and XFORWARD. + +20050116 + + Infrastructure: new valid_mailhost_addr() routine to verify + that an address literal satisfies RFC 2821. An IPv4 address + is in dotted-quad decimal form, and an IPv6 address is in + hexadecimal form, with the "IPv6:" prefix. Files: + global/valid_mailhost_addr.[hc]. + + Further cleanup: valid_hostname() no longer allows network + addresses or numerical domain names. While it made some + sense with IPv4 dotted quad decimal forms, with IPv6 it + just made no sense anymore. Again, being stricter actually + simplifies code. Files: util/valid_hostname.c and a + surprisingly small number of valid_hostname() callers that + did not reject numerical forms. + + Bugfix: in the Postfix 2.2 SMTP client, the debug_peer_init() + call was moved to the after-chroot initialization. + +20050117 + + Performance: reduced start-up delay by moving warning-only + startup checks into the background; they now start after + one minute to allow the system to finish booting. File: + conf/postfix-script. + + Milestone: first non-non-production snapshot with IPv6. + +20050119 + + Milestone: first non-non-production snapshot with TLS. + +20050124 + + Workaround: don't send mail to $fallback_relay if Postfix + is MX host for the next-hop destination. This is, however, + a partial solution. The documentation has been updated to + cover all the cases where a fallback_relay could interfere + with the operation of a backup or primary MX host. Files: + smtp/smtp_addr.c, smtp/smtp_connect.c. + +20050127 + + Configuration: Postfix daemons that need privileged operation + (such as local, pipe, or spawn) now log a fatal error when + they are configured in master.cf as unprivileged. + +20050130 + + Cleanup: simplified the handling of receive_override_options + settings. Files: pickup/pickup.c, smtpd/smtpd.c, qmqpd/qmqpd.c, + global/input_transp.c. + + Feature: permit_inet_interfaces allows a request when the + client matches $inet_interfaces. This is used for generic + access restrictions and for header address rewriting control. + Files: global/mail_params.h, smtpd/smtpd_check.c. + + Cleanup: by default, message header address rewriting is + now enabled only for mail that originates from the machine + itself. Files: global/mail_params.h, smtpd/smtpd_check.c. + +20050131 + + Bugfix: when extracting recipients from message headers, + the Postfix sendmail command produced output records longer + than $line_length_limit, causing postdrop to reject the + mail. Diagnosis by Victor Duchovni. File: sendmail/sendmail.c. + +20050202 + + Cleanup: explicit Makefile targets for "make package" and + "make non-interactive-package" to create ready-to-install + packages for distribution to other systems. Added extra + sanity checks to prevent attempts to overwrite your running + Postfix instance. Files: Makefile.in, proto/PACKAGE_README. + + Cleanup: when bounce_queue_lifetime > maximal_queue_lifetime, + it is adjusted to maximal_queue_lifetime, and a warning is + logged. Files: *qmgr/qmgr.c. + +20050203 + + Cleanup: trivial-rewrite now restarts more timely after + changes in lookup tables. Of the all the alternatives + tested, the simplest one produces the most bang for the + buck. The other code is left in place for illustrative + purposes. File: trivial-rewrite/trivial-rewrite.c. + + Cleanup: sendmail no longer ignores null command-line + recipients. File: sendmail/sendmail.c. + + Cleanup: "postfix start" background checks moved back to + the foreground so they can be stopped more easily. File: + conf/postfix-script. + +20050204 + + Feature: REPLACE command in header/body_checks (implemented + as a combination of PREPEND and IGNORE) by Bastiaan Bakker. + File: cleanup/cleanup_message.c. + + Cleanup: linted the manual pages for consistency in the + way manuals are referenced, and in the presentation of + command examples. Files: mantools/manlint, mantools/fixman, + mantools/postconf2man. + +20050205 + + Cleanup: updated the mass-deletion example in the postsuper + manual. + +20050206 + + Cleanup: don't count a [45]XX SMTP server greeting towards + the mx_session_limit setting. File: smtp/smtp_connect.c. + + Feature: output address rewriting in the SMTP client. The + smtp_generic_maps parameter specifies an address mapping + that happens only when mail is delivered via SMTP. This is + typically used for hosts without a valid domain name, that + use something like localdomain.local instead. This feature + can replace local mail addresses by valid Internet mail + addresses when mail needs to go across the Internet, but + not when mail is sent between accounts on the local machine. + Files: smtp/smtp_proto.c, smtp/smtp_map11.c. + + Cleanup: don't panic in mymalloc() when master can't find + any IP addresses. LaMont Jones. File: master/master_ent.c. + +20050207 + + Documentation: added a generic(5) manual page for consistency + with the already existing table driven mechanisms, added + references to or examples of the new generic mapping. + + Bugfix: the header_checks REPLACE action mis-handled + multi-line replacement text in message headers, for example: + /(.*)/ REPLACE X-$1. File: cleanup/cleanup_message.c. + + Bugfix: the header_checks REPLACE action should not drop + the input when the action is NOT executed. File: + cleanup/cleanup_message.c. + + Bugfix? Cleanup? Documentation? main.cf now implements + ${name[?:]value} as promised in the postconf(5) manual. + Implemented by deleting the macro processor in dict_eval(), + and using the one in mac_expand() instead. File: util/dict.c. + +20050208 + + Feature: check_ccert_access maptype:mapname for access(5) + control, based on code by Victor Duchovni. File: + smtpd/smtpd_check.c and documentation. + + Safety: don't allow unlimited message size with limited + mailbox size. File: local/local.c, virtual/virtual.c. + + Feature: new smtpd policy attributes ccert_subject, + ccert_issuer and ccert_fingerprint, with TLS client + certificate information, but only when verification was + successful. Files: src/smtpd/smtpd_check.c. + + Cleanup: corrected the address verification data flow in + the ADDRESS_VERIFICATION_README illustration. + +20050209 + + Cleanup: the smtp generic mapping did syntax check on the + input address instead of the result. These tests were not + going to be useful in any case, because mail_addr_map() + canonicalizes the lookup result, including @dom1->@dom2 + mapping. File: smtp_map11.c. + + Cleanup: made the generic mapping documentation consistent + with the implementation. + + Cleanup: documented the myorigin/mydomain address rewriting + in canonical, generic and virtual alias maps. + + Feature: updated LDAP and *SQL query interfaces using a + common infrastructure so that all have the same feature set + where possible. Victor Duchovni and many others. This code + was tested separately and was merged into the main stream + 20050308. Files: global/db_common.[hc], global/dict_ldap.c, + global/dict_mysql.c, global/dict_pgsql.c, plus documentation. + +20050210 + + Bugfix: spurious fallback_relay warnings after 20050202. + Victor Duchovni. File: smtp/smtp_connect.c. + + Bugfix: (introduced while adopting Postfix/TLS patch) the + TLS cache scan stopped after expiring one entry. Victor + Duchovni. File: tls/tls_scache.c. + + Safety: delete-behind when removing expired entries from + TLS session caches. With some maps the enumeration method + mis-behaves when the current entry is deleted. File: + tls/tls_scache.c. + +20050211 + + Cleanup: the "generics" feature (output address rewriting) + is renamed to "generic", for consistency with "canonical" + and "virtual". + +20050212 + + Cleanup: remove old trace(8) logfile before attempting + delivery (and after locking the message file exclusively). + Files: *qmgr/qmgr_message.c. + + Cleanup: don't parse-then-regenerate message headers when + no address is changed by address rewriting operations. This + behavior was copied from the SMTP client's generic mapping + code. Files: cleanup/cleanup_rewrite.c, cleanup/cleanup_map11.c, + cleanup/cleanup_masquerade.c, cleanup/cleanup_message.c.. + +20050215 + + Bugfix: don't chmod queue files while running "postfix + set-permissions". This prevents mail from being labeled as + "corrupt" when a live Postfix system is upgraded. Found + by Victor Duchovni. File: conf/post-install. + +20050216 + + Feature: in smtpd?_discard_ehlo_keyword(s|_address_maps) + specify the pseudo keyword "silent-discard" in order to + avoid logging that some EHLO keyword is being suppressed. + File: global/ehlo_mask.[hc]. + +20050217 + + Bugfix: typo in tls_server.c, breaking CApath. Fix by + Philipp Morger. File: tls/tls_server.c. + +20050227 + + Bugfix (bug introduced 20040331): with SIGHUP ignored, the + postdrop signal handler would effectively ignore SIGINT, + SIGQUIT and SIGTERM. Simplified the overly-conservative + protection against nested signals in postdrop, and added + some future proofing comments. File: postdrop/postdrop.c + + Cleanup: when address rewriting is enabled, don't change + the capitalization of header labels, i.e. don't replace + FROM: or CC: by From: or Cc:. Files: cleanup/cleanup_message.c, + smtp/smtp_proto.c. + +20050228 + + Cleanup/portability: missing #includes and bad prototypes. + Matthias Andree, Carsten Hoeger, and others. + +20050302 + + Workaround: make TLS session caching work with perverse + sites that have multiple servers per hostname or even + multiple servers per IP address, but no shared TLS session + cache. The SMTP client TLS session cache is now indexed by + (server hostname, server address, server port, server helo + hostname). After an idea by Victor Duchovni. Files: + smtp/smtp_proto.c, tls/tls_client.c. + +20050303 + + Bugfix (bug inherited from Postfix/TLS patch): a rare 9kbyte + memory leak when in-memory TLS session information expires; + found by setting the expiry time shorter than the time to + deliver one or two messages with a very slow machine. This + was due to a missing SSL_SESSION_free() call in the "new + session" call-back routines. Found by Victor Duchovni. + Files: tls/tls_client.c, tls/tls_server.c. + + Workaround: OpenSSL is overly agressive when purging a + not-yet expired entry from a full in-memory cache: it also + purges the entry from the on-disk server session cache. + Workaround is to let only the tlsmgr purge entries from the + on-disk server session cache. Found by Victor Duchovni. + File: tls/tls_server.c. + +20050304 + + Postfix releases are now signed with Wietse's new PGP key. + The old key was getting a bit short for today's standards. + The new public key can be found on the Postfix download + webpage. As proof of authenticity the new PGP key is signed + with Wietse's old PGP key. + + Cleanup: check_mumble_{ns,mx}_access no longer attempt to + do MX or NS lookups for address literals. An address literal + is treated as its own MX host; there is no meaningful + equivalent for NS access control. File: smtpd/smtpd_check.c. + +20050310 + + Bugfix: the AIX and SUN compilers rightfully complained + about non-portable code in the "new" LDAP/SQL client. File: + global/db_common.c. + + Workaround: some systems no longer recognize "tail +2" as + valid command syntax. Instead they require "improved" syntax + that is not valid on several other systems that Postfix + builds on. So we have to stop using the tail command. + Files: Makefile.in, src/*/Makefile.in. + +20050312 + + Bugfix: the TLS session cache cleaning code didn't always + delete the right entry. Problem found by Victor Duchovni, + more problems found by Wietse. File: tls/tls_scache.c. + +20050314 + + Portability: Berkeley DB changed API from version 2.5 to + 2.6. Rob Foehl. File: util/dict_db.c. + +20050315 + + Bugfix: when <unistd.h> is included, read is a reserved + identifier. File: smtpstone/smtp-source.c. + +20050321-27 + + Support for RFC 3463 enhanced status codes. See also the + ENHANCED_STATUS_README (a hacker's guide) for background. + + New module to pass around (status code + text) instead of + just text. File: Files: global/dsn_util.c. + + Status-related lookup tables now have an extra column for + enhanced status codes. Files: global/sys_exits.c, + global/cleanup_strerror.c. + + Cleanup: centralized mapping of errno values to delivery + status codes after failed delivery to mailbox, maildir, or + file. Error codes EAGAIN, and ESTALE are 4.2.0 temporary + errors; ENOSPC is a 4.3.0 temporary error; and EDQUOT and + EFBIG are 5.2.2 hard errors. For backwards compatibility, + the result of other errors depends on the delivery agent: + with local(8) everything else is a 5.2.0 hard error, and + with virtual(8) everything else is soft 4.2.0 error. File: + global/mbox_open.c. + +20050324 + + Workaround: gcc -W (version 3.4.2 [FreeBSD] 20040728) no + longer warns about missing return statements. What a time + waste. + + Workaround: gcc -E (version 3.4.2 [FreeBSD] 20040728) output + has changed, causing too much "make depend" output. + +20050325 + + Bugfix: when bouncing mail that was submitted with Postfix + sendmail, the cleanup daemon ignored the reason specified + in header/body_checks, and always produced a generic reason. + File: cleanup/cleanup_api.c. + + Workaround: don't announce pipelining support when the + smtp-sink test program is configured to fail specific + commands with -r or -f (the fix is to build a proper SMTP + state engine into the smtp-sink test program). File: + smtpstone/smtp-sink.c. + +20050326 + + Update: more PCRE error codes. File: util/dict_pcre.c. + +20050327 + + Bugfix: the SMTP and LMTP clients did not ask the queue + manager to reduce destination concurrency when "lost + connection" or "connection timed out" happened AFTER Postfix + received the server greeting. Files: smtp/smtp_trouble.c, + lmtp/lmtp-trouble.c. + + Workaround: FreeBSD has incompatibly changed the output + format from "od", breaking regression test portability. + + The TLS client session cache ID is now derived from the + server IP address, TCP Port, and server HELO hostname + if available. File: smtp/smtp_proto.c. + +20050328 + + Cleanup: the REPLACE action is no longer implemented as + PREPEND+IGNORE. The result remains in the input stream, + and is subject to address rewriting and other processing + where applicable. File: cleanup/cleanup_message.c. + + Feature: the TLS server name verification status is moved + out of the TLS session cache. This not only simplifies the + client-side TLS cache implementation, but also provides + better cache support for clients that connect to multiple + independent MTAs under the same DNS hostname or IP address, + provided that each MTA replies with a unique name in the + EHLO response. Patch by Victor Duchovni. Files: tlsmgr/tlsmgr.c, + tls/tls_verify.c, tls/tls_session.c, tls/tls_server.c, + tls/tls_scache.h, tls/tls_scache.c, tls/tls_misc.c, + tls/tls_mgr.h, tls/tls_mgr.c, tls/tls_client.c, tls/tls.h, + smtp/smtp_proto.c. + +20050330 + + Bugfix: in some compilation environments the SMTP and LMTP + clients could ignore enhanced status codes in server replies. + Bug introduced 20050329 while polishing working code. Files: + smtp/smtp_chat.c, lmtp/lmtp_chat.c. + + Feature: add enhanced status code support to the smtp-sink + test program. File: smtpstone/smtp-sink.c. + +20050331 + + Workarounds for ancient gcc compilers that can't handle + valid C. Bugs reported by Victor Duchovni. Files: + util/sys_defs.h, global/dsn_util.h, tls/tls_client.c. + + Bugfix: when delivery to command failed, command output was + not reported. Fix was to enable format checks for the new + dsn_vstring_update() module. File: global/dsn_util.h, + global/pipe_command.c. + +20050401 + + Cleanup: ignore incorrect enhanced status codes (such as + 5xx reply followed by a 4.x.x status), and don't look for + enhanced status codes unless the server replies with a + [245]XX reply. Files: smtp/smtp_chat.c, lmtp/lmtp_chat.c. + +20050402 + + Feature: enhanced status code support for errors found by + the MIME processor. Files: global/mime_state.c, + cleanup/cleanup_message.c, smtp/smtp_proto.c. + + Cleanup: updated error messages about MIME processing errors + in the SMTP client. These errors are no longer specific to + 8bit->7bit conversion; they can also happen with generic + address mapping. File: smtp/smtp_proto.c. + + Safety: SASL 2.1.19 has a version lookup routine that we + can use to detect compile time / run time version mis-matches + (also known as DLL hell). Files: src/smtpd/smtpd_sasl_glue.c, + src/smtp/smtp_sasl_glue.c, src/lmtp/lmtp_sasl_glue.c. + +20050404 + + Typo: missing comma after dsn=x.yy.zz logging. File: + global/log_adhoc.c. + + Feature: specify "smtpd_sasl_authenticated_header = yes" + to report the SASL login name in the Received: message + header, so that the login name is shared with the whole + world. Based on code by Branko F. Gracnar. Files: + smtpd/smtpd.c, and documentation. + +20050407 + + @%^!#& Thanks to inadequate SASL documentation the client + could negotiate a security layer where none was desired. + Better documentation has become available since Postfix + SASL support was implemented, and now Postfix needs to be + fixed. Files: */*_sasl_glue.c. + +20050409 + + Safety: the CDB map now logs a warning when the source file + is newer than the indexed file, just like the Berkeley DB + and DBM maps. Michael Tokarev. File: util/dict_cdb.c. + +20040411 + + Portability: put the SASL DLL Hell guard after the declarations + instead of before. Reported by Marcus Grando. Files: + smtp/smtp_sasl_glue.c, lmtp/lmtp_sasl_glue.c. + +20050412 + + Infrastructure: change the disposition or other properties + of an embryonic queue file. This is currently used only to + place mail on hold. After code by Victor Duchovni. Files: + global/mail_stream.[hc], cleanup/cleanup_api.c. + + Bugfix: while updating the cleanup_flush() infrastructure + eliminated a portability problem that was introduced when + "REJECT text" support was added. File: cleanup/cleanup.c. + +20050413 + + Portability: don't mix socket message send/receive calls + with socket stream read/write calls. The fact that you can + get away with it only on some stacks implies that there is + no long-term guarantee. Specify -DCAN_WRITE_BEFORE_SENDING_FD + if you feel brave. File: util/sys_defs.h. + + Robustness: re-compile all object files after the "make + makefiles" options have changed. Files: src/*/Makefile.in. + + Tweaking: reply with 5.3.4 when the message size exceeds + the mail system message_size_limit, instead of 5.2.3 which + is a mailbox specific status. File: smtpd/smtpd_check.c. + +20050417 + + Safety: don't call syslog from a user-triggered signal + handler. File: postdrop/postdrop.c. + +20050421 + + Bugfix: don't panic when the fall-back relay can't be used + because the local MTA is MX for the destination. File: + smtp/smtp_connect.c. + +20050422 + + Bugfix: don't panic when the fall-back relay can't be used + because it was already tried via a cached session. Produce + a default excuse instead. File: smtp/smtp_connect.c. + + Bugfix: postsuper could lose an error message after reporting + a fatal error. File: postsuper/postsuper.c. + +20050426 + + Bugfix: simplified and improved the 20050422 fall-back relay + fix. File: smtp/smtp_connect.c. + +20050427 + + Final solution for the 20050422 fall-back relay problem: + truncate the fall-back host list when the local MTA is MX + for some destination. Files: util/argv.c, smtp/smtp_connect.c. + + Cleanup: extra dsn_vstring_update_dsn() routine to shut up + GCC complaints about valid code. Files: src/global/dsn_util.c, + src/global/mbox_open.c, src/lmtp/lmtp_addr.c, src/smtp/smtp_addr.c, + src/smtp/smtp_connect.c. + +20050429 + + The Postfix SMTP server now announces ENHANCEDSTATUSCODES + support in the EHLO response, as described in RFC 2034. + File: smtpd/smtpd.c. + +20050503 + + Propagate enhanced status code from error(8) mailer to SMTP + server replies. File: smtpd/smtpd_check.c. + + Cleanup: more consistent format of smtpd warning logging, + so that it is easier to sort. Files: smtpd/smtpd.c, + smtpd/smtpd_check.c. + +20050504 + + Yikes. People are exposing the smtp-sink test program to + hostile environments, while it was designed for controlled + environments. Completed the support for write timeouts, + added support for read timeouts, and added a missing exception + handler for the 220 server greeting. File: smtpstone/smtp-sink.c. + +20050506 + + Cleanup: with "REJECT 4.X.Y ..." actions in header/body_checks, + change the SMTP server reply code from 550 into 450, instead + of having the SMTP server change the DSN into 5.X.Y. File: + smtpd/smtpd.c. + +20050510 + + Usability: when reporting a sender address problem, transform + a recipient DSN status (e.g., 4.1.1-4.1.6) into the + corresponding sender DSN status, and vice versa; and when + reporting a non-address problem, transform a sender or + recipient DSN status into a generic non-address DSN status + (e.g., 4.0.0). This transformation may be needed when the + same access table or RBL reply template are used for client, + helo, sender, or recipient restrictions; or when the same + error mailer information is used for senders or recipients. + Files: smtpd/smtpd_check.c, smtpd/smtpd_dsn_fix.[hc]. + +20050512 + + Feature: support for more SASL logging call-backs, if these + are defined in the compile-time environment. Files: + smtpd/smtpd_sasl_glue.c, smtp/smtp_sasl_glue.c. + +20050513 + + Workaround: Postfix now uses "localdomain" as the default + domain name when $myhostname is not in "host.domain" form. + Files: global/mail_params.[hc]. + +--------- + +20050415-20050615 + + As of 20050525, DSN support does not involve new queue file + record types, so you can switch back to older Postfix + versions. Older non-production releases did introduce queue + file incompatibility. + + DSN support is selected via the SMTP port by extra parameters + to the MAIL FROM and RCPT TO commands, and with the Postfix + sendmail command with new command-line options: -N (specify + notification options such as "never", "success", "delay" + or "failure") and -V (specify an envelope ID that identifies + the mail submission transaction). VERP support now uses + -XV instead of -V. + + The implementation piggy-backs on the trace(8) service that + was already used for "sendmail -v" (verbose delivery) and + for "sendmail -bv" (what-if) reports. You can no longer + requests these functions together with DSN support. + + All this means revision of bounce/defer/trace client + interfaces, of the bounce service, the record reading loops + in postdrop, cleanup(8) and qmgr(8), the queue manager to + delivery agent protocol, and some extra SMTP protocol + parameters in smtpd(8), lmtp(8) and smtp(8). + + New code module: global/dsn_smtp.[hc] for RFC 3461 related + information (but this may still change). + + Feature: "sendmail -G" is no longer a no-op. Message headers + are treated as if the message has a remote origin. Files: + sendmail/sendmail.c, postdrop/postdrop.c. + + Feature: automatic BCC senders are now created as if they + were received with NOTIFY=NEVER, in case it helps. File: + cleanup/cleanup_addr.c + + Compatibility: with large bounces, send message headers + only, instead of truncating MIME messages in the middle. + +20050517 + + Bugfix: in a DSN report, the original recipient should not + be xtext encoded. File: bounce/bounce_notify_util.c. + +20050523 + + Bugfix: mymalloc() panic with mistyped server host list. + File: global/dict_pgsql.c. + +20050525 + + Feature: specify delay_warning_time=1 to get immediate + notification of delay. File: qmgr/qmgr_active.c. + +20050526 + + Reset the Postfix original recipient when delivering to + mailing list. + +20050601 + + Modified the master backgrounding procedure to not abort + when the master is already a process group leader. This + happens when people bypass or modify the official Postfix + start-up procedure. Jacek Konieczny. File: master/master.c. + +20050602 + + Sanity check: don't report "address in use" when some Postfix + socket is a directory. File: util/unix_listen.c. + +20050613 + + Now that the over-all structure of the code is proving + itself, interfaces can be cleaned up. This means nicer names + for variables, functions and data structures, and dedicated + read/write routines for recipient and DSN information. + These remove a lot of clutter from the bounce client and + server code. Files: dsn_print.c dsb_scan.c, rcpt_print.c, + rcpt_buf.c. + + For Sendmail compatibility, the Postfix sendmail -V option + no longer controls VERP usage, but is used to specify the + DSN envelope ID. In order to provide a smooth transition, + backwards compatibility code recognizes when -V is being + used for VERP control. It will do the right thing, and + warns the user to use -XV instead. File: sendmail/sendmail.c. + +20050614 + + The cleanup server writes bounce (delivery failure) and + trace (success) records, but it no longer requests sender + notification. That is now handled by the queue manager. + The reason is that the cleanup server must be able to abort + a request including its bounce and trace logfiles, so it + must not take actions that can't be undone. + +20050615 + + Cleanup: the SMTP client now sends QUIT when the initial + HELO handshake fails. it still doesn't send QUIT when the + server greets with a [45]XX code, as that is handled in the + connection management code before a session context exists. + File: smtp/smtp_connect.c. + + Cleanup: made the quote_821_local() routine "const" clean. + File: global/quote_821_local.[hc]. + +20050616 + + Bugfix: missing or mis-placed va_end() macros, found in + Postfix 2.3 code review. Files: util/netstring.c, + util/myaddrinfo.c, util/attr_clnt.c, util/vstream.c. + + Bugfix: the SMTP server now separates the message size check + from the queue space check, so that the size check can be + done before an SMTPD proxy filter. Files: smtpd/smtpd.c, + smtpd/smtpd_check.c. + +20050617 + + Postdrop didn't recognize the new recipient attributes. + File: postdrop/postdrop.c. + + Feature: configurable MAILER-DAEMON replacement for the + null sender address that is used by the pipe(8) delivery + agent on the command line and in message headers. Command-line + address quoting is disabled when the replacement is empty. + File: pipe/pipe.c. + +20050618 + + With virtual aliasing enabled, Postfix would always report + successful alias expansion, even when no alias was expanded. + File: cleanup/cleanup_out_recipient.c. + +20050621 + + Portability: file descriptor passing is available for Tru64 + UNIX, but not for AIX4 and IRIX6. Albert Chin. File: + util/sys_defs.h. + +20050622 + + Cleanup: the DNS lookup code now accommodates name server + replies longer than 4 kbytes, with a hard upper limit of + 32kbytes. For safety reasons, the number of MX host addresses + that the SMTP client will try was reduced from unlimited + to just 5, so that Postfix won't spend forever trying to + connect to dozens and dozens of bogus MX hosts. Files: + dns/dns_lookup.c, global/mail_params.h. + + Cleanup: the code that handles a 4xx or 5xx SMTP server + greeting was moved from the connection management module + to the protocol engine, for cleaner error handling. This + means that the failed session now counts towards the limit + on the total number of SMTP sessions per domain name (default: + smtp_mx_session_limit = 2). Files: smtp/smtp_connect.c, + smtp/smtp_proto.c. + +20050623 + + Cleanup: generalized the delegated attribute scan/print + interfaces, and updated the deliver_pass module with delegated + attribute scan/print support. Files: util/attr_scan0.c, + util/attr_print0.c, global/dsb_scan.c, global/dsn_print.c, + global/rcpt_buf,c global/rcpt_print.c, global/deliver_pass.c. + + Added delegated attribute scan/print function support to + the base64 and plain attribute I/O encodings. Files: + util/attr_scan_plain.c util/attr_print_plain.c. + +20050624 + + Added "." to the list commands that smtp-sink can "break" + (by disconnecting, or by responding with a 4XX or 5XX reply + code). File: smtpstone/smtp-sink.c. + +20050625 + + Safety: allow only 4.x.x and 5.x.x enhanced status codes + in header/body_checks REJECT actions. File: + cleanup/cleanup_message.c. + +20050627 + + Code cleanup: generalized the smtp-sink code that simulates + server errors. File: smtpstone/smtp-sink.c. + +20050629 + + Code cleanup: the smtp_mx_session_limit setting (per delivery + request session count limit) now ignores sessions that fail + to complete the TCP, SMTP, EHLO or TLS handshake (was: TCP + and SMTP). File: smtp/smtp_proto.c. + +20050630 + + Updated the example spf.pl script to version 1.06. + + Portability: the file descriptor passing code broke on LP64 + systems (inherited from Stevens Network Programming). Files: + util/unix_send_fd.c, util/unix_recv_fd.c. + +20050706 + + Robustness: the SMTP client now disables connection caching + when it is unable to communicate with the scache(8) server, + instead of looping forever. File: global/scache_clnt.c. + + Portability: after sending a socket, the scache(8) server + now waits for an ACK from the connection cache client before + closing the socket that it just sent. Files: scache/scache.c, + global/scache_clnt.c. + +20050708 + + Bugfix: missing returns in 20050706 caching disabling code + (in error handling code that never executes). File: + global/scache_clnt.c. + + Portability: use explicitly unsigned operands when doing + bit-wise shift operations on data larger than a character. + +20050709-15 + + Migration of data object sizes and offsets from int->ssize_t + and unsigned->size_t for better portability to LP64 and + LLP64 systems where *size_t is 64 bits wide. This change + has no effect on 32-bit systems. + + This change not only eliminated some obscure portability + bugs (see two paragraphs down), it also eliminated many + unnecessary conversions back and forth between 32-bit and + 64-bit integers, because all relevant system library functions + take *size_t arguments or return *size_t results. + + Simply changing every data object size or offset to size_t + (which is unsigned!) would be dangerous. A lot of code was + written assuming signed arithmetic and rejects negative + lengths, which can happen as the result of integer overflow. + + Portability: on LP64 systems, integer expressions are int, + but sizeof() and pointer difference expressions are larger. + The above changes fixed a few discrepancies with function + calls where *size_t was passed while the old code expected + an int: clean_env() versus argv_addn(), and code that sent + binary blobs via the TLS session cache manager protocol. + +20050711 + + Bugfix: don't include <> when auto-generating an ORCPT + address from a client RCPT TO command. File: smtpd.c. + +20050712 + + Cleanup: cleanup_out_recipient() still generated DSN records + that were incompatible with pre-DSN Postfix versions. File: + cleanup/cleanup_out_recipient.c. + +20050716 + + Bugfix: the smtpd_sasl_authenticated_header code did not + check if SASL was actually enabled. File: smtpd/smtpd.c. + +20050720 + + Feature: reverse client hostname. This is set at connection + time with information from the SMTP client address->name + mapping, and can be overruled with the REVERSE_NAME attribute + in the XCLIENT command. File: smtpd/smtpd_peer.c. + + Cleanup: renaming of several confusing restriction names: + reject_unknown_client -> reject_unknown_client_hostname, + reject_unknown_hostname -> reject_unknown_helo_hostname, + reject_invalid_hostname -> reject_invalid_helo_hostname, + and reject_non_fqdn_hostname -> reject_non_fqdn_helo_hostname. + The old names are still recognized and documented. Files: + global/mail_params.h, smtpd/smtpd.c, smtpd/smtpd_check.c. + + Feature: reject_unknown_reverse_client_hostname. This rejects + clients that have no address to name mapping (unlike the + reject_unknown_client_hostname feature which requires that + the address->name and name->address mappings resolve to the + client IP address). Files: global/mail_params.h, + smtpd/smtpd_peer.c, smtpd/smtpd.c, smtpd/smtpd_check.c. + +20050726 + + Horror: total rewrite of DNS client error handling because + some misguided proposal attempts to give special meaning + to some syntactically invalid MX hostname lookup result. + Not only that, people expect sensible results with + reject_unknown_sender_domain etc. Files: dns/dns_lookup.c, + smtp/smtp_addr.c smtpd/smtpd_check.c, lmtp/lmtp_addr.c. + + Cleanup: HOLD action executes only once, to reduce noise + in the logfile. Files: cleanup/cleanup_message.c, smtpd/smtpd.c. + +20050806 + + Workaround: accept(2) fails with EPROTO when the client + already disconnected (SunOS 5.5.1). File: sane_accept.c. + +20050815 + + Workaround: old Solaris compilers can't link an archive + without globally visible symbols. File: tls/tls_misc.c. + +20050825 + + Feature: message_reject_characters and message_strip_characters + specify what characters in message content Postfix will + reject or remove. Based on patch by John Fawcett. Files: + cleanup/cleanup_message.c, cleanup/cleanup_init.c. + + Safety: when the cleanup server rejects the content of mail + that is submitted with the Postfix sendmail command, or + re-queued with "postsuper -r", strip the message body from + the bounce message to reduce the risks from harmful content. + Files: cleanup/cleanup_envelope.c, cleanup/cleanup_bounce.c. + + Feature: the smtpd_proxy_filter parameter value can now be + prefixed with "unix:" (for UNIX-domain socket) and "inet:" + (for TCP socket). TCP sockets are the default. Patch by + Edwin Kremer. File: smtpd/smtpd_proxy.c. + +20050828 + + Bugfix: after adding DSN support, error notification was + broken for too large mail that was submitted with the Postfix + sendmail command, forwarded by the local(8) delivery agent, + or re-queued with "postsuper -r". The message would be saved + to the "corrupt" queue. + + The mistake was to leave the truncated message in the + incoming queue and to ask the queue manager to notify the + sender; this was not possible because the queue manager + cannot (and should not) handle truncated queue files. + + The fix is to have the cleanup server send the bounce + message, just like it did before DSN support was added. As + a side effect, Postfix will no longer send DSN_SUCCESS + notices after virtual aliasing, when the cleanup server + bounces all the recipients of the message anyway. This + could be called a feature. File: cleanup/cleanup_bounce.c. + + Also needed for this fix: a new vstream_fpurge() routine + that discards unread/written data from a VSTREAM. It's + needed before cleanup_bounce() can seek to the start of the + queue file after a file size error. File: util/vstream.c. + +20050920 + + Cleanup: removed the legacy "tls_info" structure, factored + out common code for peer_CN and issuer_CN lookup, and added + sanity check to not verify subject common names that contain + nulls or that are excessively long. Patch by Victor Duchovni. + Files: tls_client.c, tls_server.c, tls_session.c, tls_misc.c, + tls_verify.c. + +20050922 + + Bugfix: the *SQL clients did not uniformly choose the + database host from the available pool of servers due to an + off-by-one error, so that the "last" available server was + not selected. Leandro Santi. Files: dict_mysql.c, dict_pgsql.c. + + Update: common code factored out into db_common.c, and + adoption of Liviu Daia's connection aware MySQL quoting. + Patch by Victor Duchovni. Files: dict_ldap.c, dict_mysql.c, + dict_pgsql.c, db_common.c. + +20050923 + + Safety: don't update the local(8) delivery agent's idea of + the Delivered-To: address while expanding aliases or .forward + files. When an alias or .forward file changes the Delivered-To: + address, it ties up one queue file and one cleanup process + instance while mail is being forwarded. To get the old + behavior, specify "frozen_delivered_to = no". Problem + reported by Michael Tokarev, but found independently by + others. Files: local/local.c, local/aliases.c, local/dotforward.c, + local/mailbox.c, local/maildir.c. + + Logging: additional SASL debug logging by Andreas Winkelmann. + Files: */*sasl_glue.c. + +20050929 + + Paranoia: don't ignore garbage in SMTP or LMTP server replies + when ESMTP command pipelining is turned on. For example, + after sending ".<CR><LF>QUIT<CR><LF>", Postfix could recognize + the server's 2XX QUIT reply as a 2XX END-OF-DATA reply after + garbage, causing mail to be lost. The SMTP and LMTP clients + now report a remote protocol error and defer delivery. + Files: smtp/smtp_chat.c, smtp/smtp_trouble.c, lmtp/lmtp_chat.c, + lmtp/lmtp_trouble.c. + + Performance: specify "smtpd_peername_lookup = no" to disable + client hostname lookups in the SMTP server. All clients are + treated as "unknown". This should be used only under extreme + conditions where DNS lookup latencies are critical. File: + smtpd/smtpd_peer.c. + +20051010 + + Feature: smtpd_client_new_tls_session_rate_limit parameter + to limit the number of new (i.e. uncached) TLS sessions + that a remote SMTP client may negotiate per unit time. This + feature, which is off by default, can limit the CPU load + due to expensive crypto operations. Files: global/anvil_clnt.c, + anvil/anvil.c, smtpd/smtpd.c. + + Cleanup: eliminated massive code duplication in the anvil + server that resulted from adding similar features one at a + time. File: anvil/anvil.c. + +20051011 + + Bugfix: raise the "policy violation" flag when a client + request exceeds a concurrency or rate limit. File: + smtpd/smtpd.c. + + Bugfix (cut-and-paste error): don't reply with 421 (too + many MAIL FROM or RCPT TO commands) when we aren't closing + the connection. File: smtpd/smtpd.c. + +20051012 + + Polishing: content of comments and sequence of code blocks + in the anvil server, TLS request rate error message in the + smtp server, and documentation, but no changes in code. + Files: anvil/anvil.c, smtpd/smtpd.c. + +20051013 + + Horror: some systems have basename() and dirname() and some + don't; some implementations modify their input and some + don't; and some implementations use a private buffer that + is overwritten upon the next call. Postfix will use its own + safer versions called sane_basename() and sane_dirname(). + These never modify the input, and allow the caller to control + how memory is allocated for the result. File: + util/sane_basename.c. + + Feature: "sendmail -C path-to-main.cf" and "sendmail -C + config_directory" now do what one would expect. File: + sendmail/sendmail.c. + + Bugfix: don't do smtpd_end_of_data_restrictions after the + transaction failed due to, e.g., a write error. File: + smtpd/smtpd.c. + + Cleanup: the SMTP server now enforces the message_size_limit + even when the client did not send SIZE information with the + MAIL FROM command. This protects before-queue content + filters against over-size messages. File: smtpd/smtpd.c. + +20051017 + + Bugfix: after DSN support was added, smtp_skip_5xx_greeting + no longer recognized a 5xx SMTP status as a 4xx one. Found + by Ralf Hildebrandt. Fix: use the enhanced status code + instead of the SMTP reply code to choose between permanent + or transient errors. File: smtp/smtp_trouble.c. + + Feature: smtp-sink can hard-reject, soft-reject or simply + drop connection requests. File: smtpstone/smtp-sink.c. + + Documentation: clarified the processing of server replies, + specifically the reply code and the enhanced status code, + in smtp_chat.c. + +20051024 + + Performance: new smtp_connection_reuse_time_limit parameter to + limit connection reuse by elapsed time, instead of limiting + the number of deliveries per connection. Bounding by time + favors delivery over connections that perform well, while + bounding by number of deliveries allows slow connections + to drag down the performance. Insight and initial + implementation by Victor Duchovni, Morgan Stanley. Files: + smtp_connect.c, smtp_session.c, + + Bugfix: the next-hop logical destination information for + connection caching was reset only after a good non-TLS + connection, so that cached connections to non-TLS backup + servers could suck away traffic from TLS primary servers + (the Postfix SMTP client cannot cache an open TLS connection). + Found during code review. This is fixed with multi-valued + connection caching state: expired, cachable, non-cachable, + and bad. Files: smtp_connect.c, smtp_trouble.c. + + Bugfix: adding support for "sendmail -C" broke "sendmail + -q". File: sendmail/sendmail.c. + +20051101 + + Migration from a single "arrival time" stamp to a structure + with time stamps from different stages of message delivery. + The first iteration merely replaces "arrival time" stamps + by a structure or pointer to structure, and uses only the + arrival time field of that structure. This is an extensive + but straightforward transformation, based on example by + Victor Duchovni, Morgan Stanley. Files: anything that + invokes bounce_append etc., the log_adhoc module, and + anything that sends or receives a delivery request. + +20051102 + + Completion of support for time stamps from different stages + of message delivery. The information is now logged as + "delays=a/b/c/d" where a=time before queue manager, including + message transmission; b=time in queue manager; c=connection + setup including DNS, HELO and TLS; d=message transmission + time. Unlike Victor's example which used time differences, + this implementation uses absolute times. The decision of + what numbers to subtract actually depends on program history, + so we want to do it in one place. Files: global/log_adhoc.c, + smtp/smtp_connect.c, smtp/smtp_proto.c, smtp/smtp_trouble.c, + lmtp/lmtp_proto.c, lmtp/lmtp_trouble.c. + +20051103 + + Refinement of time stamping and delays formatting. The + hand-off time is now stamped in the delivery agent, so that + time is properly attributed when a transport is saturated + or throttled. Delays are now logged if larger than 0.01 + second. Files: *qmgr/qmgr_deliver.c, global/deliver_request.c, + global/log_adhoc.c. + +20051104 + + New parameter delay_logging_time_resolution (default: 10000 + microseconds, or 0.01 second) that controls the detail in + the new "delays=a/b/c/d" logging. Specify a power of 10 + in the range from 1 to 100000. File: global/log_adhoc.c. + Parameter renamed 20051108. + +20051105 + + All delay logging now has sub-second resolution. This means + updating all code that reads or updates the records that + specify when mail arrived, and ensuring that mail submitted + with older Postfix versions produces sensible results. + Files: global/post_mail.c, global/mail_timeofday.[hc], + global/log_adhoc.c, postdrop/postdrop.c, pickup/pickup.c, + cleanup/cleanup_envelope.c, cleanup/cleanup_message.c, + smtpd/smtpd.c, qmqpd/qmqpd.c, *qmgr/qmgr_message.c, + *qmgr/qmgr_active.c, local/forward.c. + +20051106 + + The SMTP client logs the remote server port in the form of + relay=hostname[hostaddr]:port to the local maillog file. + The port number is NOT included in DSN status reports, + because remote users have no need to know such internal + information. Files: smtp/smtp_session.c, smtp/smtp_proto.c, + smtp/smtp_trouble.c. + + Cleanup: encapsulated queue file time read/write operations + with a few simple macros, to make future changes in time + representation less painful. + +20051108 + + Cleanup: eliminated floating point operations from the + ad-hoc delay logging code. Files: util/format_tv.[hc], + global/log_adhoc.c. + + The delay logging resolution is now controlled with the + delay_logging_resolution_limit parameter, which specifies + the maximal number of digits after the decimal point. + + Bugfix: two messages could get the same message ID due to + a race condition. This time window was increased when queue + file creation was postponed from MAIL FROM until the first + accepted RCPT TO. The window is closed again. Found by + Victor. Files: global/mail_stream.c, global/mail_queue.c, + cleanup/cleanup_message.c. + +20051109 + + qshape.pl updated for extra microsecond time field in Postfix + queue files. + + Cleanup: removed obsolete code that handles rejected/dropped + connections before the HELO handshake. File: smtp/smtp_connect.c. + + Bugfix: XCLIENT broke when reverse hostname support was added. + Fix by Tomoyuki Sakurai. File: smtpd/smtpd.c. + +20051110 + + Workaround: don't set the delay warning timer for messages + from inside or from outside that have the null sender as + recipient. This was a waste of time, because the warning + would always be discarded. File: cleanup/cleanup_envelope.c. + + Feature: the built-in mail delivery status notification + text is now implemented by built-in templates. Files: + bounce/bounce_template.c, bounce/bounce_notify_util.c. + +20051112 + + Feature: configurable bounce message templates based on + contribution by Nicolas Riendeau. I kept the general format + of his templates, but placed them together in one file to + reduce process initialization overhead (most requests to + the bounce daemon are not for sending bounce messages). + Files: bounce/bounce_template.c, bounce/dict_ml.c (to be + moved to library if useful enough). A sample bounce message + template file is installed as $config_directory/bounce.cf.default. + +20051113 + + Feature: "postconf -b filename" to preview the non-default + bounce message templates with $name expansions in the text. + The actual work is of course done by the bounce daemon. + +20051114 + + Feature: -V option to make Postfix daemons to log to stderr. + This is used when a daemon is invoked in stand-alone mode + by a (non-daemon) command. + + Feature: "postconf -t" displays DSN templates, headers and + all; use postconf -t ''" to view built-ins. + + Cleanup: renamed fail_template into failure_template. + +20051117 + + Cleanup: bounce template code reorg, no functionality change. + Files: bounce/bounce_template.[hc], bounce/bounce_templates.c, + bounce/bounce_notify_util.c. + +20051118 + + Bugfix: new bounce template code did not return after + template syntax error. File: bounce/bounce_template.c + + Safety: permit_mx_backup now requires that the local MTA + is not listed as primary MX for the recipient domain. This + prevents mail loops when someone points the primary MX + record to Postfix. + +20051119 + + Workaround: some SMTP servers announce multiple but different + lists of SASL methods. Postfix now concatenates the lists + instead of logging a warning and remembering only one. File: + smtp/smtp_sasl_proto.c. + + Bugfix: the queue manager did not write a per-recipient + defer logfile record when the delivery agent crashed between + receiving a delivery request, and reporting the delivery + status to the queue manager. Found while redesigning the + code that handles unavailable transports or destinations. + Files: *qmgr/qmgr_deliver.c. + +20051121 + + Workaround: do not build the bounce.cf.default template + while compiling Postfix - it breaks when the default + mail_owner etc. accounts don't exist. Reported by Liviu + Daia. + + Compatibility: added permit_auth_destination emulation to + the permit_mx_backup feature. This avoids surprises with + sites that used permit_mx_backup to authorize all their + incoming mail. + +20051122-24 + + Feature: sender_dependent_relayhost_maps, lookup tables that specify + a sender-dependent override for the relayhost parameter + setting. The lookup is done in the trivial-rewrite server, + instead of the queue manager where it does not belong. + Files: global/resolve_clnt.c, global/tok822_resolve.c, + trivial-rewrite/resolve.c, trivial-rewrite/transport.c, + *qmgr/qmgr_message.c. + + Also: address_verify_sender_dependent_relayhost_maps for + completeness. + +20051124 + + Feature: specify "smtp_sender_dependent_authentication = + yes" to enable sender-dependent SASL passwords. This disables + SMTP connection caching to ensure that mail from different + senders is delivered with the appropriate credentials. This + is an extended version of a patch by Mathias Hasselmann. + Files: smtp/smtp_connect.c, smtp/smtp_sasl_glue.c. + +20051126 + + Workaround: log warning when REDIRECT or FILTER are used + in smtpd_end_of_data_restrictions. File: smtpd/smtpd_check.c. + + Log warning when REDIRECT, FILTER, HOLD and DISCARD are + used in smtpd_etrn_restrictions. File: smtpd/smtpd_check.c. + +20051128 + + Bugfix: moved code around from one place to another to make + REDIRECT, FILTER, HOLD and DISCARD access(5) table actions + work in smtpd_end_of_data_restrictions. PREPEND will not + be fixed; it must be specified before the message content + is received. Files: smtpd/smtpd.c, smtpd/smtpd_check.c, + cleanup/cleanup_extracted.c, pickup/pickup.c. + + Safety: abort if the SMTP or QMQP server runs with non-postfix + privileges while it's connected to the network. Files: + smtpd/smtpd_peer.c, qmqpd/qmqpd_peer.c. + +20051201 + + Bugfix: the LMTP client would reuse a session after negative + reply to the RSET command (which may happen when client and + server somehow get out of sync). Problem found by Christian + Theune. Files: lmtp/lmtp.c, lmtp/lmtp_proto.c. + +20051202 + + Bugfix: the 20051128 code move for "smtpd_end_of_data_restrictions" + broke "postsuper -r". + +20051202-3 + + Cleanup: the SMTP client now also implements the LMTP + protocol. Files: smtp/smtp.c, smtp/smtp_connect.c, + smtp/smtp_proto.c, smtp/smtp_dsn.c, smtp_state.c, + smtp_sasl_glue.c. + + As before, the LMTP behavior is controlled with parameters + named lmtp_xxx instead of smtp_xxx. However there are now + a lot more lmtp_xxx parameters :-) With few exceptions, all + SMTP features are now also available with LMTP. The exceptions + are related to the HELO and EHLO commands, which exist in + SMTP only. There are equivalent LHLO command parameters + where it makes sense. + +20051206 + + SMTP+LMTP client connection management code rewritten to + support UNIX-domain socket connections. + +20051207 + + Bugfix: race condition in the connection caching protocol, + found while adding connection caching for UNIX-domain sockets + (used for LMTP delivery). This was introduced with the + 20050706 workaround, and may the same problem that Jussi + Silvennoinen experienced (in Postfix 2.2.6) with SMTP after + an upgrade. Files: scache/scache.c. + + Bugfix: smtp-sink and qmqp-sink didn't ignore SIGPIPE. + +20051208 + + Robustness: reduced timeouts in the connection caching + client, so that a malfunctioning service does not prevent + mail delivery. This uses similar code that already exists + for the anvil(8) client and the tlsmgr(8) client. Files: + global/scache_clnt.c, smtp/smtp.c. + + To make reduced connection caching client timeouts possible, + connection management was moved from the attr_clnt(3) module + to the auto_clnt(3) module where it belongs. The auto_clnt(3) + module is now a full alternative for the clnt_stream(3) + module. Files: util/auto_clnt.c, util/attr_clnt.c. + + Bugfix: the best_mx_transport, mailbox_transport and + fallback_transport features did not write a per-recipient + defer logfile record when the target delivery agent was + broken. This the analog of queue manager bugfix 20051119. + Files: global/deliver_pass.c. + +20051210 + + Cleanup: simplified the SMTP/LMTP connection management + logic for address list and fallback relay processing. + Still need to simplify deferred recipient handling. + +20051212 + + Bugfix: after a failed TLS session, the 20051210 SMTP client + code cleanup broke sessions with backup servers, causing the + client to get out of step with the backup server. This in + turn exposed a one-year old missing exception handling + context in the EHLO handstake after sending STARTTLS. Victim + was Ralf Hildebrandt, detectives Victor Duchovni and Wietse. + File: smtp/smtp_proto.c. + +20051213 + + Bugfix: *SQL, proxy and LDAP map types were not defined in + user-land commands such as postqueue. Leandro Santi. File: + postqueue/postqueue.c. + +20051212-14 + + Server-side plug-in interface for SASL authentication. This + uses Cyrus SASL by default, so nothing has changed except + error messages may be more informative. Files: + smtpd/smtpd_sasl_proto.c smtpd/smtpd_sasl_glue.c, + xsasl/xsasl_server.[hc], xsasl/cyrus_server.[hc] + xsasl/cyrus_strerror.c, xsasl/cyrus_log.c, xsasl/cyrus_security.c. + +20051215 + + Portability: IRIX 6.5.28 defines sa_len as a macro, so it + can't be used as a variable identifier. Zach McDanel. Files: + dns/dns_rr_to_sa.c, smtpd/smtpd_peer.c, qmqpd/qmqpd_peer.c. + +20051216 + + Cleanup: removed some scar tissue that was introduced with + server-side SASL plug-in support. Files: smtpd_sasl_proto.c, + smtpd_sasl_glue.c. + + Client-side plug-in interface for SASL authentication. This + uses Cyrus SASL by default, so nothing has changed except + error messages may be more informative. Files: smtp_sasl_glue.c, + xsasl/xsasl_client.[hc], xsasl/cyrus_client.[hc]. + +20051217 + + Bugfix: when a SASL client password is required by a specific + server, defer delivery when no server-announced mechanism + survives the smtp_sasl_mechanism_filter, instead of ignoring + the SASL announcement and trying to deliver the mail over + an unauthenticated connection and risking that mail will + be rejected. File: smtp/smtp_sasl_proto.c, smtp/smtp_proto.c. + + Portability: zero the "struct msg" just in case. Both purify + (Linux) and valgrind (FreeBSD) complain about uninitialized + bits. Files: util/unix_{send,recv}_fd.c. + +20051219 + + Cleanup: generic smtpd_sasl_path, smtp_sasl_path and + lmtp_sasl_path configuration parameters; simplified the + SASL plug-in API, and made initial provisions for SASL + session encryption. Files: xsasl/*.[hc]. + + Feature: "postconf -a" lists the available SASL server + plug-in types, and "postconf -A" does the same for the + client. Files: postconf.c, xsasl_{client,server}.c. + + Feature: new SMTPD policy attributes "encryption_protocol", + "encryption_cipher" and "encryption_keysize", to distinguish + plaintext from encrypted connections. + +20051221 + + Privacy: the new Cyrus SASL server plug-in replaces "no + user" errors by "authentication failed" errors. File: + xsasl/xsasl_cyrus_server.c. + + Safety: the Postfix SMTP client no longer uses CNAME expanded + hostnames for logging, SASL password lookup, TLS policy + decisions, or TLS certificate verification. Instead it + uses the name of the recipient domain, or the host or domain + name specified in Postfix configuration files. Of course + this won't prevent cheating with hostnames that appear in + MX lookup results. To avoid that you will have to suppress + MX lookups with explicit [hostname] entries in transport + maps. Files: dns/dns_lookup.c, dns/dns_rr.c. + +20051222 + + Feature: Dovecot SASL authentication (server side) plug-in + by Timo Sirainen. This builds without external library + dependencies and is therefore compiled in by default. + Files: xsasl/xsasl_dovecot_server.[hc]. + + Safety: set the default LANG=C, instead of deleting LANG + from the environment and assuming the right thing will + happen. File: global/mail_params.h. + + Safety: always add the ISASCII() requirement to the ISXXX() + macros, because they are used for protocol and policy + enforcement. File: util/sys_defs.h. + + Bugfix: null pointer in the 20051219 policy delegation + crypto attributes. File: smtpd/smtpd_check.c. + + Compatibility: "resolve_numeric_domain = yes" will accept + addresses with numeric domains instead of rejecting them as + invalid. Files: trivial-rewrite/resolve.c, util/vstring.c. + + Bugfix: 20051219 "postconf -A" produced "postconf -a" output. + Andreas Winkelmann. + +20051225 + + Bugfix: the regexp map cleverly avoided scanning constant + lookup results for non-existent $number expressions, but + failed to subject those results to the necessary $$ -> $ + replacement. Files: util/dict_regexp.c. + + Performance: the pcre map did not optimize constant lookup + results; they were always scanned for non-existent $number + expressions. File: util/dict_pcre.c. + + This round of edits eliminates architectural differences + between the pcre and regexp table implementations. The + remaining difference is that regexp tables still support + the obsolete "/pattern1/!/pattern2/ action" syntax, for + backwards compatibility with Postfix 2.0 and earlier. + +20051227 + + Bugfix: the 20051222 ISASCII paranoia broke the strcasecmp() + workaround for Solaris. File: util/strcasecmp.c. + + Bitrot: SunOS4 pre-dates size_t, ssize_t, getsid(). File: + src/util/sys_defs.h. The SunOS4 tests had been suspended + due to what turned out to be a broken AUI-to-UTP transceiver. + + Bugfix: the 20061226 cosmetic change broke non-IPV6 support + (example: sockaddr_to_hostaddr: Unknown error: success). + File: util/myaddrinfo.c. + +20051229 + + The following workaround was removed 20060103. + + Workaround: when mail is still queued after 3000 seconds, + the SMTP client no longer pipelines the DOT+QUIT commands. + The 20050929 paranoia about malformed server replies + eliminated a rare occurrence of "lost mail" with sites that + mis-implement DOT+QUIT pipelining, but resulted in a larger + occurrence of repeated deliveries to sites with a different + DOT+QUIT pipelining bug. The time threshold is set with the + smtp_dot_quit_workaround_threshold_time parameter. Files: + smtp/smtp_proto.c, smtp/smtp.c. + + Feature: mailbox_transport_maps and fallback_transport_maps + to search delivery transports by recipient name. Files: + local/mailbox.c, local/unknown.c. + + Feature: the master daemon now logs a warning when all + servers are busy that may accept remote connections, and + suggests to either increase the process count or to reduce + the service time per client. Files: master/master_ent.c, + master/master_avail.c. + +20051231 + + Bugfix: the anvil server would terminate after "max_idle" + seconds, even when this was less than the anvil_rate_time_unit + interval. File: anvil/anvil.c. + +20060102 + + Deleted the 20051229 dot-quit bug workaround. Automatically + deferring delivery created "no delivery" and "repeated + delivery" problems; and automatically turning off pipelining + for delayed mail was a bad workaround for a bad workaround. + The administrator still has the option to turn off pipelining + by hand if loss of mail is a concern. + +20060103 + + Bugfix: the 20051217 fix (when a SASL client password is + found, defer delivery when no server-announced mechanism + survives the smtp_sasl_mechanism_filter) did the mechanism + test too early, so that it could trip up with deliveries + to servers that we don't have a SASL password for. Files: + smtp/smtp_sasl_proto.c, smtp/smtp_proto.c. + +20060104 + + Safety: new "smtp_cname_overrides_servername" parameter. + The default value ("no") is NOT backwards compatible. This + avoids surprises with the hostname that is used for logging, + SASL password lookup, TLS policy decisions, or TLS certificate + verification. The change makes the 20051221 behavior more + configurable. Files: smtp/smtp_addr.c, smtp/smtp_connect.c, + proto/postconf.proto. + +20060105 + + Cleanup: removed the unused DSN "code" attribute; removed + surrogate SMTP replies for errors that were not reported + by a remote SMTP server, making several DSN-related functions + and macros redundant; cleaned up some bizarre code for DSN + attribute memory management in the SMTP client. + +20060106 + + Cleanup: eliminated the global smtp_errno variable, which + had become redundant after introducing DSN support. Files: + smtp/smtp_addr.c, smtp/smtp_connect.c. + +20060107 + + Cleanup: removed more bizarre code for DSN attribute memory + management in the queue manager, bounce server, and in + delivery agents. + +20060109 + + Bugfix: smtp_sasl_tls_opts was unimplemented. File: + smtp/smtp_sasl_proto.c. + + Cleanup: more bounce logfile code cleanup. Files: + global/bounce_log.c, bounce/bounce_notify_util.c, + bounce/bounce.c, bounce/bounce_notify_verp.c, + bounce/bounce_one_service.c, showq/showq.c + +20060110 + + Cleanup: more bounce logfile code cleanup. Files: + global/bounce_log.c, bounce/bounce_notify_util.c. + + Bugfix: the VERP bouncer never handled the case of a missing + bounce logfile. Found while doing more logfile code cleanup. + File: bounce/bounce_notify_verp.c. + + Feature: smtp_sasl_tls_verified_security_options for + connections where the server certificate passed verification. + The default value is $smtp_sasl_tls_security_options, which + in turn defaults to $smtp_sasl_security_options. + +20060111 + + Optimization: mystrdup() and mystrndup() now return a pointer + to a fixed read-only memory location instead of allocating + memory for zero-length null-terminated strings. This saves + lots of memory for unused recipient attributes. If this + change causes problems (for example, you have an ancient + sscanf() implementation that writes to its input) then + compile Postfix with -DNO_SHARED_EMPTY_STRINGS. + + Cleanup: eliminated null pointer members in DSN structures. + Instead we now use the optimized mystrdup() for empty + strings. For safety sake we keep the tests for null pointers + in input, but we always produce empty strings on output. + Files: global/dsn.c, global/dsn.h, global/dsn_buf.h, + global/dsn_print.c. + + Cleanup: eliminated ad-hoc code for passing recipients in + the queue manager delivery request protocol. Postfix now + uses proper object activation/passivation instead. Files: + *qmgr/qmgr_deliver.c, global/deliver_request.c, + global/deliver_pass.c. + +20060112 + + Feature: to simplify debugging the bounce server logs the + old and new queue ID when notifying the sender or postmaster. + Files: global/post_mail.c, bounce/bounce_notify_service.c, + bounce/bounce_one_service.c, bounce/bounce_notify_verp.c, + bounce/bounce_warn_service.c, bounce/bounce_trace_service.c. + + Fudge: when translating recipient DSN codes into sender DSN + codes, map sender address problems that have no DSN code + to *.1.7 (Bad sender's mailbox address syntax) instead of + *.1.0 (Other address status) because that loses the distinction + between sender and recipient. File: smtpd/smtpd_dsn_fix.c. + +20060113 + + Cleanup: preserve upper case information of address localpart + or extension when mapping one address to another with + non-regexp/pcre tables. Files: global/mail_addr_find.c, + global/maps_find.c. + +20060115 + + Bugfix: don't ignore the per-site policy when SSL library + initialization fails. Introduced after adopting the TLS + patch. File: smtp/smtp_session.c. + +20060117 + + [withdrawn 20060126] Safety: daemon processes that need no + privileges now insist that they are configured to run without + privileges. Files: master/single_server.c, master/multi_server.c, + master/trigger_server.c. + + Cleanup: preserve upper case information of address localpart + or extension when mapping addresses via regexp/pcre tables. + This requires that Postfix does not case fold the search + string when searching regexp or pcre tables, so that $number + substitutions produce the expected result. + + In order to get a consistent handling of table operations, + the search string case folding logic was moved from the + application to the individual lookup table modules; the + application specifies its case folding preference when it + opens a table, and the table folds the search or update + string as needed. + + Files: everything that opens a map or multiple maps (to + specify the case folding preference), and everything that + contained ad-hoc code to lowercase search strings (which + is no longer needed). + + Bugfix: as a side effect of this revision of all code that + opens tables, the postmap/postalias -n/-N options are no + longer silently ignored when the -q (query) and -d (delete) + options are specified. Files: postmap/postmap.c, + postalias/postalias.c. + + Safety: don't allow $number substitution in transport maps + or sender-dependent relayhost maps. + + Cleanup: smtp_sasl_passwd_maps lookup keys are folded to + lowercase before searching tables such as btree:, dbm: or + hash: that have fixed-case fields. File: smtp/smtp_sasl_glue.c. + + Bugfix: per-sender relayhost maps were not locked for shared + access. + +20060119 + + Cleanup: don't look up parent domain substrings in regexp/pcre + like tables while searching a hostname in a domain/namaddr_list. + File: util/match_ops.c. + +20060120 + + Cleanup: multiple boolean variables were replaced by a + single TLS enforcement level (none, may, encrypt, verify). + With Victor Duchovni. Files: smtp_session.c, smtp_proto.c, + smtp.h. + + Cleanup: the SMTP per-site policy table was re-implemented + in terms of enforcement levels instead of multiple boolean + variables. This greatly simplified the code and led to the + elimination of non-intuitive behavior as documented next. + With Victor Duchovni. Files: smtp_session.c, smtp.h. + + Bugfix: a TLS per-site MUST_NOPEERMATCH policy could not + override a main.cf MUST (with peer match) policy, while a + per-site NONE policy could. + + Bugfix: a combined TLS per-site (host, next-hop) policy of + (NONE, MAY) would change the strongest main.cf MUST policy + into NONE, while it changed all weaker main.cf policies + into MAY. The result is now NONE for all main.cf policy + settings. + +20060123 + + Feature: recipient_count attribute in SMTPD policy protocol. + This is available only in the DATA and END-OF-MESSAGE stage. + Based on code by Guo Black. Files: smtpd_check.c. + + Cleanup: renamed MUMBLE_NUM to MUMBLE_INT to make type + discrepancies more explicit. + + Bugfix: change 20051208 broke when a connection could not + be established. File: util/auto_clnt.c. + +20060124 + + Bugfix: the virtual(8) delivery agent did not insist on + privileged operation as it should; this broke change 20060117. + Ralf Hildebrandt. File: virtual/virtual.c. + + Bugfix: the TLS sasl security options (change 20060110) + should also be #ifdef USE_TLS, and not only #ifdef + USE_SASL_AUTH. Such feature interference is difficult to + find in testing. Liviu Daia. File: smtp/smtp_sasl_proto.c. + +20060126 + + Undo: change 20060117 (unprivileged operation test) broke + "sendmail -bs", "postconf -b", "postconf -t", and probably + more. Files: master/{single,multi,trigger}_server.c. + +20060130 + + Bugfix: an empty remote_header_rewrite_domain value caused + trivial-rewrite to dereference a null pointer, but only in + regression tests, not in production. Envelope addresses are + by definition rewritten in the local domain context, because + an address without domain is equivalent to an address in + the local domain; and header addresses are rewritten in the + remote context only when remote_header_rewrite_domain is + non-empty. File: trivial-rewrite/rewrite.c. + +20060131 + + Cleanup: regression tests are now separated into "make + tests" for unprivileged tests, and "make root_tests" for + tests that require privileges to connect to the Postfix + internal sockets. Files Makefile.in, src/*/Makefile.in. + +20060201 + + Bugfix: despite efforts to treat malformed domain names as + hard errors (change 20050726) they were still processed as + soft errors. File: dns/dns_lookup.c. + +20060203 + + Bugfix: smtpd core dump when SASL was compiled in, turned + off (smtpd_sasl_auth_enable = no) and permit_sasl_authenticated + was specified in local_header_rewrite_clients. Victor + Duchovni. File: smtpd/smtpd_check.c. + + Cleanup: don't complain about useless SASL or TLS "permit" + restrictions when SASL or TLS aren't compiled in, but do + reject mail when reject_plaintext_session is specified while + TLS isn't compiled in. File: smtpd/smtpd_check.c. + +20060204 + + Bugfix: disable the content_filter feature for user-requested + "sendmail -bv" probes, just like it is disabled for probes + generated by Postfix itself. File: *qmgr/qmgr_message.c. + +20060207 + + Robustness: place the "do we have TLS" guards within method + implementations, instead of putting them around method + invocations. File: smtpd/smtpd_check.c. + + Bugfix: duplicate the cleanup(8) DSN envelope ID syntax + check in smtpd(8), so that clients get better error replies. + File: smtpd/smtpd_check.c. + + Bugfix: change 20060203 broke the reject_plaintext_session + feature. + + The trivial-rewrite and proxymap multi-server processes now + terminate soon after all their clients disconnect, instead + of waiting for another 100 seconds. This allows the processes + to refresh more frequently on low-traffic systems. + + Cleanup: smtpd_delay_open_until_valid_rcpt (default: yes) + controls whether Postfix delays the start of a mail transaction + until after the first valid recipient, or if it starts a + transaction immediately after MAIL FROM. File: smtpd/smtpd.c. + +20060217 + + Bugfix: don't terminate with a non-standard exit status + when the pipe-to-command feature has a problem before it + executes the command. File: global/pipe_command.c. + +20060223 + + Bugfix: detect integer overflow when multiplying time values + with non-trivial time units. File: global/conv_time.c. + +20060307 + + Bugfix: reset the msg_cleanup() fatal error handler in child + processes. See also change 20060217. Files: postlock/postlock.c, + master/multi_server.c, global/mail_run.c, util/vstream_popen.c. + +20060310 + + Bugfix: the MIME processor assumed that input was null + terminated. This broke with CRLF input to the "sendmail -t" + command in Postfix 2.1 and later (see change 20030416). + Found by Leandro Santi. Based on patch by Victor Duchovni. + Files: global/mime_state.c, global/is_header.c. + +20060313 + + Cleanup: the message arrival time (start of the receive + transaction) no longer controls message expiration or + delivery attempts. Instead, expiration and delivery are + now controlled by the time when the cleanup server creates + a queue file. This closes a problem that was introduced + with the 20051104 change that introduced higher-resolution + delay time keeping: as a result, "postsuper -r" could no + longer manipulate the mail expiration schedule, so that + mail "on hold" could expire too soon. + +20060315 + + Workaround. the PCRE library reports an inappropriate error + code (invalid substring) when $number refers to a valid () + expression that matches the null string. This caused fatal + run-time errors. File: dict_pcre.c. + +20060324 + + Cleanup: eliminated name collisions between global and local + variables, and other forms of shadowing. Documented switch + fall-throughs with /* FALLTHROUGH */ where this wasn't + already done. Replaced (var = expr) by (var = expr) != 0 + where this wasn't already done. + +20060324 + + Bugfix: mis-placed parenthesis in a before-filter error + test. A filter timeout was mis-reported as lost connection. + Found in code review. File: smtpd/smtpd_proxy.c. + +20060327 + + Cleanup: the SQL and LDAP clients now log a warning when + they skip an empty lookup result, so that humans don't have + to wonder why Postfix doesn't find all the database entries. + File: global/db_common.c. + + Moved SMTP/LMTP parameter initialization from global/mail_params.c + to the combined smtp/lmtp delivery agent. Added missing + lmtp parameters. + +20060328 + + Feature: configurable chroot directive for the pipe(8) + delivery agent, by Przemyslaw Wegrzyn. Files: + global/pipe_command.c, pipe/pipe.c. + + Bugfix: cut-and-paste error: lmtp_connection_cache_limit + was left with the name of smtp_connection_cache_limit. + Reported by Victor? File: src/global/mail_params.h. + +20060329 + + More extensible interface for TLS client/server library, + now passes property structures that combine all the relevant + parameters in one type-safe structure. + + TLS session cache activity logging now takes place at TLS + log level 2 or greater. + +20060403 + + Cleanup: made fcntl/flock handling consistent with respect + to EINTR (reported by Carlo Contavalli). However, Postfix + is not meant to be signal safe. Only the master daemon + handles signals without terminating, and it uses only a + small subset of Postfix library routines. File: util/myflock.c. + + Bugfix: the pipe-to-command error message was lost when the + command could not be executed. File: global/pipe_command.c. + +20060404 + + Bugfix in sanity check: after reading a record from the + address verification database, a sanity check did not reject + a record with all-zero time stamp fields. Such records are + never written; the test is there just in case something is + broken, so that Postfix will not blindly march on and create + chaos. The sanity check tested pointer values, instead of + dereferencing the pointers. Found by Coverity. File: + verify/verify.c. + + Bugfix in sanity check: when the maildir delivery routine + opens an output file it looks up the file attributes via + the file handle it just got. There is a sanity check that + detects if the attribute lookup fails, an error that never + happens. The code that handles the impossible error did not + close the output file. This would cause a virtual or local + delivery agent to waste up to 100 file descriptors. But + for that error to happen the system would have to be so + sick that you would have more serious problems than a file + descriptor leak. Found by Coverity. Files: local/maildir.c, + virtual/maildir.c. + +20060405 + + Bugfix: the MIME parser assumed input is null terminated + when reporting errors. Fix by Leandro Santi. Files: + global/mime_state.c, cleanup/cleanup_message.c. + +20060411 + + Bugfix: the SMTP server logged no warning when for some + reason the TLS engine was unavailable in wrappermode. Victor + Duchovni. File: smtpd/smtpd.c. + +20060417 + + Cleanup: when SMTP access table lookup fails, reply with + 4xx instead of aborting with a fatal run-time error. The + old behavior assumes local file access, and is inappropriate + with deployment of LDAP and SQL tables. File: smtpd/smtpd_check.c. + +20060423 + + Bugfix: postcat did not print the attribute value of records + containing a named attribute. File: postcat/postcat.c. + +20060430 + + Bugfix: dangling pointer in a function that has no caller. + Found by Coverity. File: tls/tls_prng_exch.c. + + Bugfix: the workaround for CA-2003-07 (Sendmail) did not + null terminate the address before logging a warning. Reported + by Kris Kennaway. File: global/tok822_parse.c. + +20060301-20060515 + + Sendmail 8 Milter support, distributed across the smtpd(8) + server for SMTP commands, and the cleanup(8) server for + content inspection and manipulation. The code supports all + requests to add/delete recipients, and to add/delete/replace + message headers, but does not yet support requests to replace + the message body. See MILTER_README for more. Files: + smtpd/smtpd.c, smtpd/smtpd_milter.c, cleanup/cleanup_api.c, + cleanup/cleanup_envelope.c, cleanup/cleanup_extracted.c, + cleanup/cleanup_milter.c, milter/milter.c, milter/milter8.c. + + That's 89 lines in smtpd, 1010 lines in cleanup, and 2449 + lines of library support, comments not included. + + A simple test Milter application for use in regression tests + is in src/milter/test-milter.c. Queue file modifications are + tested with a driver at the end src/cleanup/cleanup_milter.c + that reads commands from a script. + + To make debugging easier, uncomment the "#define msg_verbose + 2" lines at the top of cleanup_milter.c or milter8.c. This + produces logging without making everything else verbose. + +20060510 + + Preliminary TLS_README and postconf(5) changes completed. + Victor Duchovni. + + Added smtp_tls_policy_maps and smtp_tls_protocols features + to the smtp/lmtp client, changed smtp_tls_cipherlist to + only apply when TLS is mandatory. Victor Duchovni. + +20060512 + + Destinations that share a common server may have distinct + TLS protocol and cipherlist requirements, with mandatory + TLS add the protocol and cipherlist values to the TLS session + lookup key. Victor Duchovni. + +20060516 + + Portability: __float80 alignment, by Albert Chin. File: + util/sys_defs.h. + + Further testing of Milter support uncovered typos; a missing + null pointer test while cleaning up after content miltering; + the need for a workaround to not bounce+delete local + submission after it triggers a temporary reject Milter + action. + + Workaround: don't bounce+delete a local submission after + it triggers a "reject 4.x.x" action in header/body_checks. + This means an SMTP client now sees "queue file write error" + instead of the text from the "reject 4.x.x text" action. + File: cleanup/cleanup_message.c. + + Workaround: OpenSSL 0.9.8[ab] with zlib support interoperability + problem. Victor Duchovni. Files: tls/tls_client.c, + tls/tls_misc.c, tls/tls_server.c. + + Added smtpd_tls_protocols parameter to complement + smtp_tls_protocols. Victor Duchovni. + +20060517 + + The smtp_tls_policy_maps table now implements parent domain + matching for destinations that are bare domains (without + enclosing [] or optional :port suffix). This allows one to + set TLS policy for a domain and all sub-domains. Victor + Duchovni. + +20060519 + + The same parameter can bind to different variables in + different daemons. Ignore the variable name when eliminating + duplicates in extract.awk. Victor Duchovni. + +20060523 + + Improved handling of smtp_tls_protocols and smtpd_tls_protocols, + names now processed via name_mask(3) and canonicalized prior + to use in the SMTP/LMTP client TLS session lookup key. Also + simplifies the corresponding code in the TLS driver. Victor + Duchovni. + +20060524 + + Cleanup: send ETRN command parameter when using check_policy + in the context of an ETRN command. Joshua Goodall. File: + smtpd/smtpd_check.c. + +20060601 + + Bugfix (bug introduced 20051118): permit_mx_backup authorized + domains without secondary MX records. Joshua Goodall. File: + smtpd/smtpd_check.c. + +20060601 + + Fixed default value of LMTP TLS client certificate parameters, + using the SMTP values as a default was wrong. Victor Duchovni. + +20060603 + + Different transports may have different CAfile or CApath + settings. We need to add the transport name to the TLS + session lookup key so that sessions verified with one set + of trusted roots are not inadvertantly considered verified + for another. Victor Duchovni. + +20060604 + + Cleanup: minor fluff found with the BEAM source code analyzer. + Files: global/quote_821_local.c, global/quote_822_local.c, + master/master_spawn.c, pickup/pickup.c, util/match_ops.c, + util/safe_open.c, xsasl/xsasl_cyrus_client.c. + +20060606 + + Safety: mail receiving daemons (smtpd, qmqpd) now pass + actual client name/address/helo attributes in addition to + the attributes used for logging (xforward). This prevents + Milter applications from treating qmqpd mail as if it + originated locally, and prevents incorrect Milter decisions + after "postsuper -r". Files: smtpd/smtpd.c, qmqpd/qmqpd.c, + cleanup/cleanup_envelope.c, cleanup/cleanup_milter.c, + cleanup/cleanup_state.c, global/post_mail.c, *qmgr/qmgr_message.c, + *qmgr/qmgr_deliver.c, global/deliver_request.c, + global/deliver_pass.c, local/forward.c. + + Bugfix: qmgr panic after queue file corruption by Mailscanner. + Files: *qmgr/qmgr_message.c. + + Bugfix: XCLIENT didn't work with smtpd_delay_reject=no + (problem reported by Joshua Goodall). To make XCLIENT work + correctly with built-in restrictions and with Milter + applications, the SMTP server now jumps back to the very + start (the 220 phase) of an SMTP session. File: smtpd/smtpd.c. + +20060606 + + Portability: Some systems no longer support the traditional + "sort +0 -2 +3". Victor Duchovni. + +20060607 + + Portability: Found by BEAM static code analyzer. SSL options + (long) were stored as int. + +20060610 + + Cleanup: XCLIENT and XFORWARD attribute values are now sent + as xtext encoded strings. For backwards compatibility, + Postfix will still accept unencoded attribute values. Files: + smtpd/smtpd.c, smtpd/smtpd_proxy.c, smtp/smtp_proto.c. + +20060611 + + Robustness: additional sanity checks for common database + routines. Viktor Dukhovni. File: global/db_common.c. + + Portability: LDAP 2.3 API support. Viktor Dukhovni. File: + global/dict_ldap.c. + + Security: the PostgreSQL client was updated after the + PostgreSQL developers made major database API changes in + response to PostgreSQL security issues. This breaks support + for PGSQL versions prior to 8.1.4, 8.0.8, 7.4.13, and 7.3.15. + Support for these requires major code changes which are not + possible in the time that is left for the Postfix 2.3 stable + release. + + Specific PostgreSQL client changes: use connection-aware + quoting, and more robust PQexec() result handling. Previous + versions of the dict_pgsql driver didn't check the status + of the result pointer, and certain exceptional events can + be mis-interpreted as an empty result set. Fixes by Leandro + Santi. File: global/dict_pgsql.c. + +20060612 + + Changed smtp security level parsing and level->name conversion + to use name_code(3). Victor Duchovni. + + Implemented new smtp_tls_security_level parameter, to replace + the unnecessarily complex smtp_use_tls, smtp_enforce_tls + and smtp_tls_enforce_peername parameters. The main.cf + security level settings are now consistent with the new + policy table. Victor Duchovni. + + The smtp_sasl_tls_verified_security_options feature is not + yet complete, added #ifdef SNAPSHOT and changed documentation + to delay introduction until Postfix 2.4. Victor Duchovni. + +20060614 + + Merged in Victor's work including the new TLS policy table + and a complete set of configuration parameters for the LMTP + personality of the unified SMTP/LMTP client. + + Allow mandatory TLS encryption with LMTP over UNIX-domain + sockets. Victor Duchovni. + + Safety: improved code to avoid I/O on connections after the + TLS handshake fails. Victor Duchovni. + +20060615 + + Cosmetic patch for const strings. Stefan Huehner. + + Other cosmetic changes, mainly whitespace. + +20060616 + + The qshape.pl script was updated for the pointer records + that were introduced to support message content modification + by Milter applications. Victor Duchovni. + +20060620 + + Feature: Substantially better cipherlist specification + interface and support for anonymous ciphers when certificates + are not needed. The primary interface in main.cf and the + policy table selects one of 5 grades for mandatory TLS with + smtp(8) or lmtp(8) or for all TLS sessions with smtpd(8). + The levels are "high", "medium" (or better), "low" (or + better), "export" (or better) and "null". The underlying + definitions of these levels are configurable, but users are + strongly encouraged to not change those definitions. Victor + Duchovni. + +20060626 + + Bugfix: the Milter reply syntax checker was off by one. + File: milter/milter8.c. + + Workaround: disable SMTP connection cache lookup by server + IP address when the tls_per_site policy table is enabled. + This is a workaround for a shortcoming in the SMTP connection + cache implementation, which retrieves the server hostname + from the cached connection. Since this server name is not + obtained in a secure manner, it must not be allowed to + control the tls_per_site policy. File: smtp/smtp_reuse.c. + +20060627 + + Cleanup: mumble_mandatory_tls_mumble parameters renamed to + mumble_tls_mandatory_mumble; added _mandatory_ qualifier + to names of parameters that affect only mandatory TLS. + +20060630 + + Features promoted from SNAPSHOT to STABLE: the "sleep" + pseudo restriction; Postfix daemons now read the local + timezone file before chrooting; trivial-rewrite now detects + table changes every 10 seconds, so it restarts more timely. + + Features that stay #ifdef SNAPSHOT: tcp_table, + lmtp_sasl_tls_verified_security_options, and + smtp_sasl_tls_verified_security_options. + + Compatibility: Sendmail does not send its own Received: + header to Milter applications. Offsets in header replace + requests are relative to the message content as received + (i.e. without our own Received: header), while offsets in + header insert requests are relative to the message as + delivered (i.e. they include our own Received: header). + This explains why dk-filter would sign our own Received: + header but place the signature between our own Received: + header and the rest of the message, violating the draft + domainkeys spec. + +20060702 + + Cleanup: more graceful handling of queue file read/write + errors while processing milter message modification requests. + Files: cleanup/cleanup_milter.c, milter/milter8.c. + +20060703 + + Debugging: the Postfix milter client gives more context + when it experiences trouble while talking to an uncooperative + Milter application. File: milter/milter8.c. + + Compatibility: with OpenBSD 2.7 and later, the alias file + is now in /etc/mail/aliases. + +20060704 + + Bugfix: the Milter client skipped zero-length body lines. + File: milter/milter8.c. + + Feature (just this one): RFC 3834 "Auto-Submitted:" message + header in DSNs. File: bounce/bounce_notify_util.c. + +20060705 + + Portability: LP64 systems required a few ssize_t->int casts + in debug logging statements. Files: milter/test_milter.c, + cleanup/cleanup_milter.c. + + Cleanup: comments, error messages, and crumbling interfaces. + +20060707 + + Workaround: apparently, Solaris gettimeofday() can return + out-of range microsecond values. File: src/global/log_adhoc.c. + + Robustness: the SMTPD policy client now encodes the + ccert_subject and ccert-issuer attributes as xtext. Some + characters are replaced by +XX, where XX is the two-digit + hexadecimal code for the character value. File: + smtpd/smtpd_check.c. + + Safety: the SMTP/LMTP client now defers delivery when a + SASL password exists, but the server does not offer SASL + authentication. Mail could be rejected otherwise. This may + become an issue now that Postfix retries delivery in plaintext + after an opportunistic TLS handshake fails. Specify + "smtp_sasl_auth_enforce = no" to deliver mail anyway. File: + smtp/smtp_proto.c. See workaround 20060711 for sender-dependent + SASL passwords. This was undone with the 20060719 workaround. + +20060709 + + Cleanup: the new single smtpd_tls_security_level parameter + obsoletes the multiple smtpd_use_tls and smtpd_enforce_tls + parameters. This is done for consistency with the Postfix + SMTP client. In the Postfix SMTP server, the levels "verify" + and "secure" are currently not applicable, and are treated + as "encrypt", after logging a warning. Files: smtpd/smtpd.c, + tls/tls_level.c, smtp/smtp_session.c. + + Compatibility: don't send the first (blank) body line to + Milter applications. This broke domain key etc. signatures + when verified by non-Postfix MTAs. File: milter/milter8.c. + +20060710 + + Cleanup: more consistency between smtpd(8) and smtp(8) TLS + configuration interfaces: smtpd_tls_mandatory_exclude_ciphers, + smtpd_tls_mandatory_ciphers, smtpd_tls_mandatory_protocols. + By Victor. Files:smtpd/smtpd.c. + + Cleanup: to support domainkey signing of bounces and + Postmaster notices, enable content inspection of Postfix- + generated mail with the new internal_mail_filter_classes + feature. This is disabled by default, because it is not + yet safe enough. Files: global/int_filt.[hc] and everything + that calls post_mail_fopen*(). + +20060711 + + Cleanup: smtpd_tls_mumble -> smtpd_tls_mandatory_mumble, + and finer control over the Postfix SMTP server TLS ciphers, + all this for consistency with the same functionality in the + Postfix SMTP client. Victor Duchovni. + + Compatibility: Sendmail's milter client handles whitespace + after the header label and ":" in an interesting manner. + It eats one space (not tab). File: milter/milter8.c. + + Workaround: if sender-dependent SASL passwords are enabled, + don't defer delivery when a SASL password exists but the + server doesn't announce SASL support. File: smtp/smtp_proto.c. + This was undone with the 20060719 workaround. + + Cleanup: format of cleanup milter reject messages. File: + cleanup_milter.c. + + Bugfix: file/memory leak if a transfer of multiple milters + from smtpd to cleanup broke in the middle. Found by Coverity. + File: milter/milter.c. + +20060716 + + Bugfix: "sendmail -bs" panic caused by a missing + SMTPD_STATE_ALONE() guard before a milter_abort() call. + File: smtpd/smtpd.c. + + Bugfix (bug introduced with Postfix 2.2): the Postfix SMTP + client enforced Mandatory TLS only when talking to an ESMTP + server; enforcement did not happen if Postfix could somehow + be forced to send HELO instead of EHLO. Victor Duchovni. + File: src/smtp/smtp_proto.c. + +20060718 + + Bugfix (bug introduced 20060711): null pointer bug when + rejecting SMTP mail with Milter application. File: + cleanup/cleanup_milter.c. + + Workaround (problem introduced in 200605/200606 TLS update): + the Postfix SMTP server now issues TLS session IDs even + when TLS session caching is turned off, otherwise MS Outlook + fails to deliver mail. There may also be interoperability + issues with other MTAs that we haven't discovered yet. + Specify "smtpd_tls_always_issue_session_ids = no" to disable + the workaround. Victor Duchovni. Files: smtpd/smtpd.c, + tls/tls_server.c. + +20060719 + + Cleanup: the smtp_sasl_auth_enforce feature is gone. It was + meant to work around a problem that was introduced with + plaintext fallback after a failed TLS handshake. Unfortunately, + it created more problems than it solved. We now address the + underlying problem more directly as described next. File: + smtp/smtp_proto.c. + + Safety: don't fall back to plaintext delivery after failed + TLS handshake, when the Postfix SMTP client would have + attempted to log in with SASL after successful TLS handshake. + This avoids undesirable behavior regardless of whether the + server does support SASL over plaintext (unexpected password + disclosure) and whether the server doesn't support SASL + over plaintext (insufficient mail relay permission). Files: + smtp/smtp_connect.c, smtp/smtp_session.c, smtp/smtp_proto.c. + +20060720 + + Compatibility: replace %% in milter replies by %, and strip + single (i.e. invalid) % characters. File: milter/milter8.c. + + Compatibility: $_ macro support for Milter applications. + Files: smtpd/smtpd.c, smtpd/smtpd_milter.c, + cleanup/cleanup_state.c, cleanup/cleanup_milter.c. + +20060721 + + Safety: disable Milter processing after "postsuper -r". If + the mail has been filtered there is no need to do it again. + Moreover, when mail has passed through an external content + filter, we don't have sufficient information to reproduce + the exact same SMTP events and Sendmail macros that Milters + received when the mail originally arrived in Postfix. This + change does not affect Milter applications that run behind + an after-queue content filter. File: pickup/pickup.c. + + Bugfix: Milters received a truncated ORCPT=xxx parameter + due to destructive parsing of something that didn't have + to be preserved before Milter support was added to Postfix. + File: smtpd/smtpd.c. + +20060724 + + Bugfix: when updating the same header multiple times, the + Postfix Milter client created a queue file that caused + delivery agents to loop. File: cleanup/cleanup_milter.c. + +20060725 + + Bugfix: damaged queue file record after a Milter request + to modify a message header when 1) it was the last header + in the unmodified message, and 2) the old header was less + than 15 characters long. File: cleanup/cleanup_milter.c. + + Bugfix: don't panic in smtp_rcpt_cleanup() after detecting + a damaged queue file record. File: smtp/smtp_proto.c. + +20060726 + + Bugfix: the 20051013 change to enforce the message size + limit in the SMTP server didn't work for size limits close + enough to INT_MAX. File: smtpd/smtpd.c. + + Bugfix (introduced Postfix 2.3): after an SMTP client was + rejected with "smtpd_delay_reject = no", the SMTP server + would panic as it generated spurious Milter requests for + unrecognized commands. File: smtpd/smtpd.c. + +20060727 + + Cleanup: change redundant milter_abort() and milter_disc_event() + calls into NO-OPs. This avoids unnecessary panic() events + for completely harmless conditions. File: milter/milter8.c. + +20060805 + + Bugfix (introduced Postfix 2.3): #ifdef damage caused + smtp_sasl_start() to be invoked twice. Reported by C-J + Lofstedt. File: smtp/smtp_sasl_proto.c. + +20060806 + + Postfix no longer announces its name in delivery status + notifications. Users believe that Wietse provides a free + helpdesk service that solves all their email problems. + Credits to Jonathan Balester. File: bounce/bounce_templates.c. + +20060807 + + Bugfix (introduced Postfix 2.2): when upgrading from Postfix + < 2.2 with the third-party TLS patch, the post-install + upgrade procedure didn't put a "?" in the existing tlsmgr + entry, causing tlsmgr to repeatedly start and exit when TLS + support was not compiled in. File: conf/post-install. + +20060812 + + Bugfix (introduced < Postfix alpha): safety mechanism in + mail_date() didn't work. Found in code review. File: + global/mail_date.c. + +20060817 + + Test programs for host address->name and name->address + lookups to debug name service inconsistencies, typically + when the Postfix SMTP server claims that a hostname is + "unknown". Files: auxiliary/name-addr-test/*. + +20060822 + + Added missing logging for "message to large" etc. Files: + smtpd/smtpd.c, cleanup/cleanup_milter.c. + +20060823 + + Bugfix (introduced Postfix 2.2): segfault when vstream_fclose() + attempted to flush unwritten output, after vstream_fdclose() + had already disconnected the stream from its file descriptor. + File: util/vstream.c. + + Bugfix (introduced Postfix 2.2): vstream_fdclose() did not + flush unwritten output before disconnecting a stream from + its file descriptor(s). File: util/vstream.c. + + Feature: smtp-sink can capture mail to file, either as one + individual message per file, or as multiple messages per + file. After an initial implementation by Weidong Cui. File: + smtpstone/smtp-sink.c. + + Bugfix (introduced < Postfix alpha): smtp-sink did not + correctly recognize DOT-CR-LF immediately after DATA. File: + smtpstone/smtp-sink.c. + + Cleanup: smtp-sink now requires that MAIL FROM, RCPT TO and + DATA be send in the correct order. This simplified the + implementation of the capture to file feature. File: + smtpstone/smtp-sink.c. + +20050824 + + Portability: inside functions, GCC 4 refuses forward + declarations of static functions. File: smtpstone/smtp-sink.c. + +20060825 + + Bugfix (introduced Postfix 2.3): with headers-only mail, a + Milter "header insert" action corrupted the queue file. The + cleanup server executed some end-of-body action before the + end-of-header actions. File: cleanup/cleanup_message.c. + + Robustness: mail delivery agents now detect loops in queue + files. Files with too many backward jumps are saved to the + "corrupt" directory. File: global/record.c. + +20060831 + + Bugfix (introduced with initial implementation): missing + "dict_errno = 0" caused mis-leading error messages after + non-error lookup failure. Victor Duchovni. File: + util/dict_cidr.c. + + Robustness: the default TLS cipher lists were changed from + !foo:ALL into ALL:!foo. Victor Duchovni. Files: + global/mail_params.h and documentation. + +20060902 + + Bugfix (introduced Postfix 2.3): the LMTP client stripped + "inet": from the next-hop destination, but still used the + complete next-hop from the delivery request. File: + smtp/smtp_connect.c. + +20060903 + + Cleanup: record loop detection. File: global/record.c. + +20060929 + + Workaround: AIX 5.[1-3] getaddrinfo() creates socket address + structures with a non-zero port value. This breaks the + smtp_bind_address etc. features, and breaks inet_interfaces + settings with only one IP address. Problem reported by + Hamish Marson. Files: util/sock_addr.[hc], util/myaddrinfo.c. + + Bugfix (introduced with the Postfix TLS patch): memory leak + in verify_extract_peer(). The OpenSSL documentation provides + no information on how subjectAltNames are managed. Sam + Rushing, ironport. File: tls/tls_client.c. + + Bugfix (introduced with Postfix 2.2): smtp_generic_maps + turned on MIME conversion. File: smtp/smtp_proto.c. + + Workaround: don't send SIZE information in the MAIL FROM + command when message content will be subject to 8bit -> + quoted-printable conversion. File: smtp/smtp_proto.c. + +20061002 + + Compatibility: Sendmail now invokes the Milter connect + action with the verified hostname instead of the name + obtained with PTR lookup. File: smtpd/smtpd.c. + +20061004 + + Cleanup: force space between mailq queueid+status and file + size items. File: showq/showq.c. + +20061005 + + Cleanup: make CISCO PIX bug workarounds configurable. This + introduces new parameters: smtp_pix_workarounds (default: + disable_esmtp, delay_dotcrlf) and smtp_pix_workaround_maps + (workarounds indexed by server IP address). The default + settings are backwards compatible. File: smtp/smtp.c, + smtp/smtp_proto.c. + +20061006 + + Workaround: include the smtpd(8) service name when searching + the TLS session cache, to avoid cross-talk between multiple + master.cf entries. This does not eliminate cross-talk between + multiple (x)inetd.conf entries. Victor Duchovni. Files: + smtpd/smtpd.c, tls/tls_server.c. + +20061015 + + Cleanup: convert the Milter {mail_addr} and {rcpt_addr} + macro values to external form. File: smtpd/smtpd_milter.c. + + Cleanup: the Milter {mail_addr} and {rcpt_addr} macros are + now available with non-SMTP mail. File: cleanup/cleanup_milter.c. + + Cleanup: convert addresses in Milter recipient add/delete + requests to internal form. File: cleanup/cleanup_milter.c. + + Cleanup: with non-SMTP mail, convert addresses in simulated + MAIL FROM and RCPT TO events to external form. File: + cleanup/cleanup_milter.c. + +20061017 + + Cleanup: removed spurious warning when the cleanup server + attempts to bounce mail with soft_bounce=yes. Problem + reported by Ralf Hildebrandt. File: cleanup/cleanup_bounce.c. + + Bugfix: null pointer bug when receiving a non-protocol + response on a cached SMTP/LMTP connection. Report by Brian + Kantor. Fix by Victor Duchovni. File: smtp/smtp_reuse.c. + +20061106 + + Feature: new retry delivery agent, to avoid the synchronous + defer service client in the queue manager. This code is + co-located with the error(8) server. File: error/error.c. + + Performance: the queue manager could spend too much time + in the synchronous defer service client, causing the watchdog + timer to go off. Where possible, the queue manager now + bounces or defers recipients asynchronously, by routing + them to the error or the retry delivery agent. Code by + Wietse and Patrik Rak. Files: global/recipient_list.c, + *qmgr/qmgr_error.c, *qmgr/qmgr_defer.c, *qmgr/qmgr_entry.c, + *qmgr/qmgr_deliver.c, *qmgr/qmgr_message.c. + + Performance: refined recipient and job grouping, and more + agressive early refill of in-memory recipients to prevent + a worst-case scenario where the queue manager became starved + until after the last batch of slow in-memory recipients of + jumbo multi-recipient mail. Code by Patrik Rak. Files: + global/mail_conf_time.c, qmgr/qmgr_message.c, qmgr/qmgr.c, + qmgr/qmgr.h, qmgr/qmgr_entry.c, qmgr/qmgr_job.c, + qmgr/qmgr_message.c, qmgr/qmgr_transport.c. + +20061113 + + Bugfix: the Postfix install/upgrade procedure broke with + non-default config_directory. File: conf/post-install. + +20061115 + + Bugfix: null pointer bug in end-of-header Milter action + when the last header line is too large. Reported by Mark + Martinec. The root of the problem is that the MIME state + engine may execute up to three call-back functions when it + reaches the end of the headers, before it returns to the + caller; as long as call-backs return no result, each call-back + has to check for itself if a previous call-back ran into a + problem. File: milter/milter8.c. + + Workaround: reduce effective header_size_limit to 60000 + when Milter inspection is enabled, to avoid breaking the + Milter protocol request length limit. File: + cleanup/cleanup_message.c. + +20061123 + + Safety: don't read more than 5000 recipients at a time, to + avoid spending too much time away from interrupts. File: + qmgr/qmgr_message.c. + +20061201 + + Workaround: don't complain with "Error 0" in the trivial-rewrite, + verify, proxymap or connection cache client when the server + exits after the client sends its request. We still complain, + however, when the problem persists. Files: global/rewrite_clnt.c, + global/resolve_clnt.c, global/verify_clnt.c, global/scache_clnt.c, + global/dict_proxy.c. + + Safety: the header_size_limit is now enforced more strictly, + to avoid inter-operability problems with the Milter protocol. + Long headers are truncated at a line boundary if possible, + otherwise they are cut between line boundaries. File: + cleanup/cleanup_out.c. + +20061203 + + Bugfix (introduced with Postfix 2.2): with SMTP server + tarpit delays of smtp_rset_timeout or larger, the SMTP + client could get out of sync with the server while reusing + a connection. The symptoms were "recipient rejected .. in + reply to DATA". Fix by Victor Duchovni and Wietse. Files: + smtp/smtp_proto.c, smtp/smtp_connect.c. + + Robustness: the vbuf and vstream documentation claimed that + their *error() macros reported timeout errors, but they + didn't really. The implementation was fixed, and redundant + vstream_ftimeout() calls were removed. As a result, many + Postfix daemons now properly detect write timeout errors + on internal connections. Files: util/vbuf.h. + + Workaround: some broken SMTP servers reply and hang up in + the middle of DATA. The Postfix SMTP client now stops sending + and tries to receive the server response. This can help to + avoid repeated delivery attempts. Initial implementation + by Wietse, later work by Victor Duchovni. Files: + smtp/smtp_proto.c, smtpstone/smtp-sink.c, util/vstream.c, + plus trivial mods for code thatr calls vstream_fpurge(). + +20061204 + + Compatibility: The Postfix installation/upgrade procedure + no longer sets "unknown_local_recipient_code = 450" in + main.cf. This was a safety net for upgrades from Postfix + 1.x. Four years later is no longer needed. File: + conf/post-install. + + Cleanup: removed vstream_fclose() error warning in the code + that disconnects from a delivery agent. There is no need + to report errors here because they would already be reported + earlier. Files: *qmgr/qmgr_deliver.c. + + Robustness: "kill me after N seconds" feature to ensure + that a daemon process does not get stuck while preparing + for exit after signal arrival. File: util/killme_after.[hc], + util/watchdog.c, master/master_sig.c. + +20061206 + + Robustness: low-cost re-entrancy guard that allows daemons + to safely call msg_fatal() etc. from a signal handler, + without risking memory corruption, or deadlock on Redhat + Linux. This works provided that the signal handler terminates + the process. In that special case we need not guarantee + after-the-fact consistency of the thread that was interrupted. + File: util/msg_output.c. + + Robustness: replace exit() calls by _exit(). File: util/msg.c, + bounce/bounce_cleanup.c. + +20061207 + + Workaround: on systems with usable futimes() or equivalent + (Solaris, *BSD, MacOS, but not Linux), always explicitly + set the queue file last modification time stamps while + creating a queue file. With this, Postfix can avoid logging + warnings when the file system clock is ahead of the local + clock. Clock skew can be a problem, because Postfix does + not deliver mail until the local clock catches up with the + queue file's last modification time stamp. File: + global/mail_stream.c. + + Workaround: on systems without usable futimes() or equivalent, + log a warning when the file system clock is more than 100 + seconds behind the local clock. This does not cause mail + delivery problems, but it just looks silly in message + headers. File: global/mail_stream.c. + + On systems without usable futimes() (Linux, and ancient + versions of Solaris, SunOS and *BSD) Postfix will keep using + the slower utime() system call to update queue file time + stamps when the file system clock is off with respect to + the local system clock. + + Compatibility with Postfix < 2.3: undo the change to bounce + instead of defer after pipe-to-command delivery fails with + a signal. File: global/pipe_command.c. + +20061208 + + Workaround: apparently, some mail software removes or hides + "<postmaster>" in the Postfix bounce text, because it + processes the text as if it were HTML. This confuses users. + The bounce template has been updated to remove the < and + >. File: bounce/bounce_templates.c. + + Cleanup: when smtp_generic_maps is turned on, don't parse + MIME structures in the message body. Victor Duchovni. File: + smtp/smtp_proto.c. + +20061210 + + Cleanup: streamline the signal handler reentrancy protections, + and document under what conditions these protections work, + with REENTRANCY sections in the relevant man pages. Files: + util/vbuf_print.c. util/msg.c, util/msg_output.c. + +20061211 + + Cleanup: when doing server access control by the remote TLS + client fingerprint, do not require client certificate + verification. Victor Duchovni. File: smtpd/smtpd_check.c. + + Safety: when the remote TLS client certificate isn't verified, + don't send ccert_subject and ccert_issuer attributes in + check_policy_service requests. Victor Duchovni. File: + smtpd/smtpd_check.c. + + Bugfix: the postconf command still complained about an + unqualified machine name, because it was not updated with + the 20050513 change that introduced a default "mydomain = + localdomain". File: postconf/postconf.c. + +20061213 + + Bugfix: race condition in "ETRN site", "sendmail -qRsite" + and "postqueue -s site". When the command arrived while an + incoming queue scan was already in progress, mail could + stay deferred instead of being flushed. The fix was to + unthrottle the queue manager before moving files from the + deferred queue to the incoming queue. Files: flush/flush.c, + qmgr/qmgr_scan.c. + + Cleanup: the sendmail and postqueue commands no longer + terminate with a non-standard error status after a run-time + error in some Postfix internal routine (typically, some + essential file is not accessible, or the system is out of + memory). Files: sendmail/sendmail.c, postqueue/postqueue.c. + + Feature: "sendmail -qIqueueid" and "postqueue -i queueid" + to flush a specific queue file. Files: sendmail/sendmail.c, + postqueue/postqueue.c, global/flush_clnt.c, flush/flush.c. + +20061214 + + Performance: "sendmail -qIqueueid" and "postqueue -i queueid" + unthrottle only the necessary message delivery transports + and queues. The unthrottle request now is propagated to the + queue manager via queue file group read permission bits. + Based on initial implementation by Victor Duchovni. Files: + flush/flush.c, *qmgr/qmgr.c, *qmgr/qmgr_scan.c, + *qmgr/qmgr_active.c, *qmgr/qmgr_message.c. + +20061220 + + Workaround: PMilter 0.95 does not deliver SMFIC_EOB+data + to the application as SMFIC_BODY+data followed by SMFIC_EOB. + To avoid compatibility problems, Postfix now sends + SMFIC_BODY+data followed by SMFIC_EOB. File: milter/milter8.c. + + Bugfix (introduced with Postfix 2.3): when inserting + Milter-generated headers at increasing positions in a + message, a later header could end up at a previously used + insertion point. Thus, inserting headers at positions (N, + N+M) could work as if (N, N) had been specified. Problem + reported by Mark Martinec. File: milter/milter8.c. + +20061221 + + Feature: time unit suffix support in _command_time_limit. + Files: pipe/pipe.c, spawn/spawn.c. + +20061227 + + Bugfix (introduced with Postfix 2.3): the MX hostname syntax + check was skipped with reject_unknown_helo_hostname and + reject_unknown_sender/recipient_domain, so that Postfix + would still accept mail from domains with a zero-length MX + hostname. File: smtpd/smtpd_check.c. + +20061229 + + Cleanup: use separate TLS_LEGACY_README to document the old + TLS user interface. This will simplify TLS_README dramatically. + + Cleanup: untangled spaghetti code. File: util/inet_listen.c. + +20070104 + + Bugfix (introduced Postfix 2.3): when creating an alias map + on a NIS-enabled system, don't case-fold the YP_MASTER_NAME + and YP_LAST_MODIFIED lookup keys. This requires that an + application can turn on/off case folding on the fly. Files: + postalias/postalias.c, global/dict_mumble.c, util/dict_mumble.c, + proxymap/proxymap.c. + + Cleanup: after the above revision of the proxymap protocol, + the proxymap server can now share the same map with clients + that have only minor differences in dictionary open/access + options. + +20070105 + + Performance: pipeline of pending delivery agent connections, + to improve Linux/Solaris mail delivery performance by another + 10% while going down-hill with the wind from behind. Design + and implementation Victor and Wietse. Files: *qmgr/qmgr.c, + *qmgr/qmgr.h, *qmgr/qmgr_transport.c. + +20070106 + + Cleanup: eliminate the Linux/Solaris "wait for accept()" + stage from the queue manager to delivery agent protocol. + This alone achieves 99.99% of the Linux/Solaris speed up + from the preceding change. The pending connection pipeline + takes care of the rest. Tested on Linux kernels dating + back to 2.0.27 (that's more than 10 years ago). Files: + *qmgr/qmgr_transport.c. + +20070112 + + Bugfix (introduced 20011008): after return from nested + access restriction, possible longjump into exited stack + frame upon configuration error or table lookup error. Victor + Duchovni. Files: smtpd/smtpd_check.c. + + Workaround: don't insert header/body blank line separator + in malformed attachments, to avoid breaking digital signatures. + Switch from header to body state, for robust MIME parsing. + People concerned about MIME evasion can use a MIME normalizer + to corrupt their user's legitimate email. File: + global/mime_state.c. + +20070114 + + Feature: body replacement support for Milter applications. + Postfix 2.3 and older 2.4 versions will be able to deliver + body-replaced queue files, but will report the message size + as it was before the body was replaced. Files: milter/milter8.c, + cleanup/cleanup_milter.c, cleanup/cleanup_body_region.c. + +20070117 + + Cleanup: reusable infrastructure for body replacement. + Files: cleanup/cleanup_body_edit.c, cleanup/cleanup_region.c. + +20070118 + + Bugfix: match lists didn't implement ![ipv6address]. Problem + reported by Paulo Pacheco. File: util/match_list.c. + + Cleanup: revised the matchlist "!" support, added support + for !/file/name, and updated the documentation. File: + util/match_list.c. + +20070119-21 + + Cleanup: pad short message headers with a filler record, + so that the result is never shorter than a pointer record. + This immensely simplified the support for Milter header + modification requests: three complex loops could be replaced + by one simpler loop. The DTXT record type was re-purposed + from "deleted header text" to "short header padding", keeping + the change backwards compatible. Files: cleanup/cleanup_out.c, + cleanup/cleanup_milter.c, global/record.c. + + Cleanup: the Milter "add recipient" action always added the + recipient to the initial envelope segment, causing added + recipients to be separate from "sendmail -t" recipients. + This violated design, without impact on delivery (always_bcc + recipient are always at the end of the queue file even when + all other recipients are in the initial segment). File: + global/rec_types.h. + +20070123 + + Workaround: OpenSSL falsely concludes that AES256 support + is present when only AES128 is available. Code by Victor + Duchovni. File: tls/tls_misc.c. + +20070125 + + Disable workaround pending completion of updated TLS] + support in non-production releases. + +20070131 + + Assorted code cleanup, portability fixes/workarounds, and + minor updates: global/dict_ldap.c, mantools/postlink, + tlsmgs/tlsmgr.c, conf/master.cf. LaMont Jones. + +20070101 + + Portability: GNU Hurd support for multiple kernel environments. + LaMont Jones. Files: util/sys_defs.h, makedefs. + + Cleanup: some default settings were adjusted to better fit + today's environment: queue_run_delay and minimal_backoff_time + were reduced from 1000s to 300s, so that deliveries are + retried earlier after the first failure; ipc_idle was reduced + from 100s to 5s, so that tlsmgr and scache clients will + more quickly release unused file handles. Files: + global/mail_params.h, proto/postconf.5.html + +20070202 + + Catch-up: FreeBSD kqueue support. File: util/events.c. + +20070205 + + System-V poll(2) support. This is now the preferred method + to test a single file descriptor on sufficiently recent + versions of FreeBSD, NetBSD, OpenBSD, Solaris and Linux; + other systems will be added as evidence becomes available + of usable poll(2) implementations. Files: util/read_wait.c, + util/write_wait.c, util/readble.c, util/writable.c. + + Streamlined the event_enable_read/write implementation to + speed up smtp-source performance, by eliminating expensive + kqueue/devpoll/epoll system calls when only the application + call-back information changes. On FreeBSD, smtp-sink/source + tests now run 5% faster than with the old select(2) based + implementation. File util/events.c. + +20070206 + + Catch-up: Solaris /dev/poll support. File: util/events.c. + + Bugfix (introduced 20060823): initial state was not in state + machine, causing memory access outside the lookup table. + File: smtpstone/smtp-sink.c. + +20070210 + + Catch-up: Linux epoll support. File: util/events.c. + +20070211 + + Polished the kqueue/devpoll/epoll support; this is now + enabled by default on sufficiently recent versions of + FreeBSD, NetBSD, OpenBSD, Solaris and Linux; other systems + will be added as evidence becomes available of usable + implementations. File: util/events.c. + +20070212 + + Further polish: removed some typos from new code in the + events.c handler, undid some unnecessary changes to the + {read,write}{_wait,able}.c modules, and addressed Victor's + paranoia for multi-client servers with a thousand clients + while linked with library routines that can't handle file + descriptors >= FD_SETSIZE. + + Cleanup: while debugging the new events.c handler, removed + an unnecessary "write after connect" call-back event. File: + global/post_mail.c. + +20070214 + + Robustness: in the queue manager keep a number of free file + descriptor slots at the low end, to work around library + routines that can't handle file descriptors >= FD_SETSIZE. + Files: *qmgr/qmgr_transport.c, util/vstream.[hc] + +20070215 + + Bugfix (introduced 20070114 with Milter body edit support): + the cleanup server terminated with a fatal error when SMTP + mail exceeded the message size limit, instead of handling + it as a non-fatal error. Files: cleanup/cleanup_extracted.c, + cleanup/cleanup_final.c, cleanup/cleanup_bounce.c, + cleanup/cleanup_api.c. + +20070217 + + Streamline the compile time selection of event handling + styles, replacing multiple on/off macros by just one + multi-valued macro. Files: util/sys_defs.h, util/events.c, + master/multi_server.c, *qmgr/qmgr_transport.c. + +20070220 + + Work-around: Disable SSL/TLS ciphers when the underlying + symmetric algorithm is not available in the OpenSSL crypto + library at the required bit strength. Problem observed with + SunOS 5.10's bundled OpenSSL 0.9.7 and AES 256. Also possible + with OpenSSL 0.9.8 and CAMELLIA 256. Root cause fixed in + upcoming OpenSSL 0.9.7m, 0.9.8e and 0.9.9 releases. Victor + Duchovni, Morgan Stanley. Files: src/smtp/smtp_proto.c, + src/smtpd/smtpd.c, src/tls/tls.h, src/tls/tls_client.c, + src/tls/tls_misc.c and src/tls/tls_server.c. + +20070222 + + Workaround: delayed "postfix reload" with ancient FreeBSD4 + kqueue implementations, causing the first external or + internal clients after "postfix reload" to experience a + quick disconnect. Apparently, these kqueue implementations + do not deliver a read notification when the master closes + the per-service shared master/child status pipe (even when + there is only one child; note that the master keeps a handle + to both ends of each status pipe). A child process remains + ignorant that the status pipe was closed until the arrival + of the next client request, and then terminates. The + workaround is to ignore master status write errors before + handling a service request. Files: master/*_server.c. + + Cleanup: fix race condition that caused unnecessary "premature + end-of-input" warning messages when "postfix reload" was + issued on a busy mail server. Files: util/attr_scan*c. + +20070223 + + Cleanup: syslog_name now works as documented with both + daemons and commands (including set-gid commands). Files: + global/mail_task.c postlog/postlog.c, global/mail_version.h, + sendmail/sendmail.c, postsuper/postsuper.c, postalias/postalias.c, + postmap/postmap.c, postqueue/postqueue.c, postdrop/postdrop.c, + master/trigger_server.c, master/single_server.c, + master/multi_server.c. + +20070224 + + Workaround: GNU POP3D creates a new mailbox and deletes the + old one. Postfix now backs off and retries delivery later, + instead of appending mail to a deleted file. To minimize + the use of this workaround, Postfix now by default creates + mailbox dotlock files on all systems, and creates dotlock + files before opening mailbox files. Files: util/sys_defs.h, + global/mbox_open.c. + +20070301 + + Workaround: updated workaround for broken Solaris accept(). + File: util/inet_listen.c. + + Workaround: on some FreeBSD versions, accept(2) can fail + with a bogus EINVAL error. We now allow accept(2) to fail + for a limited number of times before terminating the process. + Files: master/single_server.c, master/multi_server.c. + +20070306 + + Bugfix (introduced with Postfix 2.3 Milter support): postdrop + reported "illegal seek" instead of "file too large". File: + postdrop/postdrop.c. + +20070310 + + Cleanup: specify "undisclosed_recipients_header =" to disable + Postfix's "To: undisclosed-recipients:;" header for mail + that lists no recipient. The To: header is not required as + of RFC 2822. The undisclosed_recipients_header parameter + value can now be an empty string, a value that was not + allowed with earlier Postfix versions. With Postfix 2.5 it + will be empty by default. Files: cleanup/cleanup.c, + cleanup/cleanup_message.c. + +20070312 + + Backwards compatibility: don't pad short message header + records when Milter support is turned off. This maintains + compatibility with Postfix versions that pre-date Milter + support. File: cleanup/cleanup_out.c. + +20070314 + + Bitrot: move the "don't run this daemon by hand" message + before other tests. Files: master/*server.c. + +20070315 + + Bitrot: New OpenLDAP APIs deprecate simplified interfaces, + that are the only ones available in Sun's LDAP SDK. Define + suitable macros that work with new OpenLDAP and Sun's code. + Victor Duchovni, Morgan Stanley. File: src/global/dict_ldap.c + + Cleanup: new "leaf" and "terminal" result attributes support + fine-tuning of LDAP group expansion, and provide a solution + for the problem case where DN recursion returns both the + group address and the addresses of the member objects. + Victor Duchovni, Morgan Stanley. Files: src/global/dict_ldap.c, + proto/LDAP_README.html, proto/ldap_table + +20070317 + + Idioten Sicherheit: stamp every executable file and every + core dump file with "mail_version=xxxxx". Adding version + stamps and checks to every IPC message is too much change + after code freeze, and requires too much time for testing. + File: src/global/mail_version.h and every main program file. + +20070320 + + Bugfix (introduced between 20070120 and 20070121): the + cleanup server stored no "delayed mail warning" queue file + records with "sendmail -t", and no header_checks filter/redirect + records or content encoding records with other mail. File: + global/rec_type.h. + +20070321 + + Bugfix (introduced 20070224): local(8) or virtual(8) could + log a misleading error message after failure to open a + mailbox file. File: global/mbox_open.c. + + Bugfix (code should have been updated 20070104): the proxymap + client did not propagate changes in case folding flags. + Currently, nothing in Postfix uses this functionality. + File: global/dict_proxy.c. + +20070325 + + Bugfix: postfix-install didn't work for symlink or hardlink + targets, when the parent directory had a value of "no". + +20070326 + + Workaround: Eric Raymond's man page formatters don't handle + low-level *roff .in or .ti controls. We now use .nf and .fi + instead. Files: many. + +20070331 + + Bugfix (introduced Postfix 2.3): segfault with HOLD action + in access/header_checks/body_checks on 64-bit platforms. + File: cleanup/cleanup_api.c. + +20070402 + + Portability (introduced 20070325): the fix for hardlinks + and symlinks in postfix-install forgot to work around shells + where "IFS=/ command" makes the IFS setting permanent. This + is allowed by some broken standard, and affects Solaris. + File: postfix-install. + + Portability (introduced 20070212): the workaround for + non-existent library bugs with descriptors >= FD_SETSIZE + broke with "fcntl F_DUPFD: Invalid argument" on 64-bit + Solaris. Files: master/multi_server.c, *qmgr/qmgr_transport.c. + +20070405 + + Feature: BCC access/policy action, to demonstrate that this + is not a good feature. The action's behavior is non-intuitive + and requires too much documentation to explain. It's + therefore snapshot only. File: smtpd/smtpd_check.c. + +20070414 + + Cleanup: expire cached results from address rewriting, address + resolution, and from transport map lookups. Results expire + after 30 seconds; short enough that it doesn't freak out + people who run the same test repeatedly, and long enough + that it doesn't upset other people with continuous streams + of "*" transport map lookups. Files: global/rewrite_clnt.c, + global/resolve_clnt.c, trivial-rewrite/transport.c. + +20070421 + + Cleanup: on (Linux) platforms that cripple signal handlers + with deadlock, "postfix stop" now forcefully stops all the + processes in the master's process group, not just the master + process alone. File: conf/postfix-script. + +20070422 + + Cleanup: the "Delivered-To:" loop detection implementation + was moved from the local(8) delivery agent to the library, + where it can also be used by other delivery agents. Files: + global/delivered_hdr.[hc]. + + Safety: the "Delivered-To:" loop detection implementation + keeps state for no more than 1000 "Delivered-To:" headers. + + Feature: $domain command-line macro support, to get access + to the recipient address domain portion. Based on code by + Koen Vermeer. File: pipe/pipe.c. + + Cleanup: support for "Delivered-To:" loop detection in the + pipe(8) delivery agent. This follows a general principle: + if a program creates the "Delivered-To:" header, then it + is also responsible for "Delivered-To:" loop detection. + File pipe/pipe.c. + +20070423 + + The cache expiring transport map lookups did not distinguish + between wildcard transport map entry with an "empty" transport + field, or no wildcard transport map entry. + +20070424 + + Cleanup: making hard-coded behavior configurable. In this + case, extracting 8BITMIME encoding information from + Content-Transfer-Encoding: message headers. The default + behavior, "detect_8bit_encoding_header = yes", is backwards + compatible. This behavior was introduced to generate + RFC-compliant bounce messages before Postfix supported the + 8BITMIME option in the MAIL FROM command and on the Postfix + sendmail command line. Files: cleanup/cleanup_init.c, + cleanup/cleanup_message.c, global/mail_params.h. + +20070425 + + Bugfix: don't falsely report "lost connection from + localhost[127.0.0.1]" when Postfix is being portscanned. + Files: smtpd/smtpd_peer.c, qmqpd/qmqpd_peer.c. + +20070429 + + Feature: "postfix status" to report whether Postfix is + running. By Mike Cappella. + + Cleanup: configurable address case folding moved from the + pipe(8) delivery agent to the library, where it can also + be used by other delivery agents. Files: global/fold_addr.[hc]. + +20070430 + + Robustness: recommend a "0" process limit for policy servers + to avoid "connection refused" problems when the smtpd process + limit exceeds the default process limit. File: + proto/SMTPD_POLICY_README.html. + +20070501 + + Workaround: turn on KEEPALIVE probes to avoided "lost + connection after sending end-of-data" problems when some + stateful (NAT) filter expires an idle connection too soon. + This requires that the kernel's TCP keepalive timer be set + to a sufficiently short time (perhaps 100s or less). Files: + util/sane_accept.c, util/sane_connect.c. + + Safety: when IPv6 (or IPv4) is turned off, don't treat an + IPv6 (or IPv4) connection from e.g. inetd as if it comes + from localhost[127.0.0.1]. Files: smtpd/smtpd_peer.c, + qmqpd/qmqpd_peer.c. + +20070502 + + Workaround: build without EPOLL support when an epoll-enabled + kernel sits underneath a retarded libc. File: makedefs. + + Cleanup: missing support for SASL security properties with + Dovecot SASL authentication. Based on an initial version + by Lev A. Serebryakov. File: xsasl/xsasl_dovecot_server.c. + +20070503 + + Cleanup: changed the default address verification sender + from "postmaster" to "double-bounce", so that the Postfix + SMTP server no longer surprises unsuspecting people by + excluding "postmaster" from SMTPD access controls. File: + global/mail_params.h. + +20070508 + + Bugfix: Content-Transfer-Encoding: attribute values are + case insensitive. File: src/cleanup/cleanup_message.c. + +20070514 + + Bugfix: the makedefs EPOLL workaround broke any attempt to + build on a 2.6 kernel. And that two weeks after the workaround + had been posted to the mailing list. File: makedefs. + + Bugfix: mailbox_transport(_maps) and fallback_transport(_maps) + were broken when used with the error(8) or discard(8) + transports. Cause: insufficient documentation. Files: + error/error.c, discard/discard.c. + +20070520 + + Bugfix (problem introduced Postfix 2.3): when DSN support + was introduced it broke "agressive" recipient duplicate + elimination with "enable_original_recipient = no". File: + cleanup/cleanup_out_recipient.c. + +20070523 + + Feature: cyrus_sasl_config_path to specify a search path + for Cyrus SASL configuration files (currently used only to + locate the smtpd.conf file). Based on code by Victor + Duchovni. Files: smtpd/smtpd.c xsasl/xsasl_cyrus_server.c, + (and xsasl/xsasl_cyrus_client.c for future expansion). + +20070525 + + Bugfix (introduced 20070523): the sasl_set_path() function + name was mis-speeled. + +20070529 + + Bugfix (introduced Postfix 2.3): the sendmail/postdrop + commands would hang when trying to submit a message larger + than the per-message size limit. File: postdrop/postdrop.c. + +20070530 + + Sabotage the saboteur who insists on breaking Postfix by + adding gethostbyname() calls that cause maildir delivery + to fail when the machine name is not found in /etc/hosts, + or that cause Postfix processes to hang when the network + is down. + +20070531 + + Portability: Victor helpfully pointed out that change + 20070425 broke on non-IPv6 systems. Files: smtpd/smtpd_peer.c, + qmqpd/qmqpd_peer.c. + +20070610 + + Isolation: don't allow the pipe(8) delivery agent to leak + postdrop group privileges with "user=xxx:postdrop". File: + pipe/pipe.c. + +20070613 + + Bugfix: the Milter client assumed that a Milter application + does not modify the message header or envelope, after that + same Milter application has modified the message body of + that same email message. This is not a problem with updates + by different Milter applications. Problem was triggered + by Jose-Marcio Martins da Cruz. Also simplified the handling + of queue file update errors. File: milter/milter8.c. + +20070614 + + Workaround: some non-Cyrus SASL SMTP servers require SASL + login without authzid (authoriZation ID), i.e. the client + must send only the authcid (authentiCation ID) + the authcid's + password. In this case the server is supposed to derive + the authzid from the authcid. This works as expected when + authenticating to a Cyrus SASL SMTP server. To get the old + behavior specify "send_cyrus_sasl_authzid = yes", in which + case Postfix sends the (authzid, authcid, password), with + the authzid equal to the authcid. File: xsasl/xsasl_cyrus_client.c. + +20070619 + + Portability: /dev/poll support for Solaris chroot jail setup + scripts. Files: examples/chroot-setup/Solaris8, + examples/chroot-setup/Solaris10. + +20070713 + + The RFC documents at www.faqs.org are being polluted with + "feedback" spam. The Postfix hypertext documentation now + points to tools.ietf.org. File: mantools/postlink. + +20070719 + + Feature: updated smtp-sink with new options to send a + pre-formatted message from file, and to handle replies other + than the expected 2xx or 3xx. File: smtpstone/smtp-source.c. + + Cleanup: Milter client error handling, so that the (Postfix + SMTP server's Milter client) does not get out of sync with + Milter applications after the (cleanup server's Milter + client) encounters some non-recoverable problem. Files: + milter/milter8.c, smtpd/smtpd.c. + +20070720 + + Support for RFC 4954 (SASL AUTH, updates RFC 2554, refines + some reply codes and introduces DSN enhanced status codes) + and RFC 3848 ("Received ... with ESMTPS?A? ...). Currently, + support for the latter is always on. Files: smtpd/smtpd.c, + smtpd/smtpd_sasl_proto.c, smtpd/smtpd_sasl_glue.c. + +20070727 + + Workaround: the queue manager no longer logs a warning for + mail sent to the local double-bounce address (normally, the + this is used as the sender while reporting an undeliverable + bounce message to the local postmaster). As of 20070503 + the local double-bounce address is the default sender for + sender/recipient address verification probes, and it now + shows up as a spam target. Files: *qmgr/qmgr_message.c. + +20070729 + + Performance: fix for poor TCP performance for loopback + (127.0.0.1) connections. Problem reported by Mark Martinec. + Files: util/vstream.c, util/vstream_tweak.c, milter/milter8.c, + smtp/smtp_connect.c, smtpstone/*source.c. + +20070730 + + Bugfix: when a milter replied with ACCEPT at or before the + first RCPT command, the cleanup server would apply the + non_smtpd_milters setting as if the message was a local + submission. Problem reported by Jukka Salmi. Also, the + cleanup server would get out of sync with the milter when + a milter replied with ACCEPT at the DATA command. Files: + cleanup/cleanup_envelope.c, smtpd/smtpd.c, milter/milters.c. + +20070811 + + Cleanup: unlike smtpd_mumble_restrictions, the Postfix SMTP + server Milter reject logging did not show the (helo argument, + sender address, or recipient address) that was being rejected. + File: smtpd/smtpd.c. + +20070824 + + Bugfix (introduced snapshot 20070429): the pipe(8) delivery + agent 'q' flag (quote address local-part) used the same bit + mask as the 'B' flag (append blank line). Setting one flag + also turned on the other. File: pipe/pipe.c. + + Feature: specify the 'X' flag to indicate that the pipe(8) + delivery agent performs final delivery. This changes the + status in DSN "success" messages from "relayed" into + "delivered". File: pipe/pipe.c. + +20070904-6 + + Feature: stress-adaptive behavior. When a "public" network + service runs into an "all processes are busy" condition, + the master(8) daemon logs a warning, restarts the service, + and runs it with "-o stress=yes" on the command line (normally + it runs the service with "-o stress="). This can be used + to make main.cf parameter settings stress dependent. + Examples: "smtpd_timeout = ${stress?10}${stress:300}" and + "smtpd_hard_error_limit = ${stress?1}${stress:20}". Files: + master/master_avail.c, master/master_spawn.c, master/master_ent.c. + +20070911 + + Bugfix (introduced Postfix 2.2.11): TLS client certificate + with unparsable canonical name caused the SMTP server's + policy client to allocate zero-length memory, triggering + an assertion that it shouldn't do such things. File: + smtpd/smtpd_check.c. + +20070912 + + Bugfix (introduced Postfix 2.4) missing initialization of + event mask in the event_mask_drain() routine (used by the + obsolete postkick(1) command). Found by Coverity. File: + util/events.c. + +20070917 + + Workaround: the flush daemon forces an access time update + for the per-destination logfile, to prevent an excessive + rate of delivery attempts when the queue file system is + mounted with "noatime". File: flush/flush.c. + +20070923 + + Cleanup: don't complain when a "corrupt" queue file is + deleted before it can be saved to the "corrupt" queue. + Files: *qmgr/qmgr_active.c. + +20071003 + + Logging: the Postfix SMTP server now logs the number of + bytes received after the DATA command when a connection + breaks before mail delivery completes. This may help finding + the cause of the problem: packet loss, MTU, or other. File: + smtpd/smtpd.c. + +20071004 + + Logging: all daemons now log the TCP port number of remote + SMTP or QMQP clients. The information is overruled with + the SMTP XCLIENT command, is propagated through SMTP-based + content filters with XFORWARD, and is sent to Milter + applications. Files: smtpd/smtpd_peer.c, smtpd/smtpd.c, + smtpd/smtpd_proxy.c, smtpd/smtpd_milter.c, qmqpd/qmqpd_peer.c, + cleanup/cleanup_milter.c, *qmgr/qmgr_message.c, + *qmgr/qmgr_deliver.c, smtp/smtp_proto.c, pipe/pipe.c, + global/deliver_request.c, global/deliver_pass.c, + proto/XFORWARD_README, proto/XCLIENT_README. + + Feature: per-command delays in smtp-sink. File: + smtpstone/smtp-sink.c. Victor Duchovni. + +20071006 + + Cleanup: updated a bunch of hard-coded host[addr] logging + statements. Files: smtpd/smtpd.c, smtpd/smtpd_chat.c, + smtpd/smtpd_sasl_glue.c. + + Cleanup: client port logging is now configurable (off by + default). Parameters: smtpd_client_port_logging and + qmqpd_client_port_logging. Files: smtpd/smtpd_peer.c, + qmqpd/qmqpd_peer.c. + + Cleanup: send client port information "0" instead of "unknown" + to Milter applications. Files: smtpd/smtpd.c, smtpd/smtpd_milter.c, + cleanup/cleanup_milter.c. + +20071025 + + Portability: on Linux we no longer need /proc to find out + local IPv6 interface address information. LaMont Jones. + Files: util/sys_defs.h. + +20071030 + + Bugfix (introduced Postfix 2.3): Postfix mistakenly enforced + the 64kbyte limit (for sending body parts TO Milter + applications) also while receiving packets FROM Milter + applications. The limit is now at least 1GB. File: + milter/milter8.c. + +20071105 + + Feature: ORIGINAL_RECIPIENT environment variable. Corey + Hickey. File: local/local.c. + +20071108-10 + + Feature: general-purpose header/body_checks library module, + first used in the SMTP client. Actions that change the + message delivery time or destination can be implemented + with a simple extension mechanism (they make sense only in + before-queue filters). Configuration parameters: + smtp_header_checks, smtp_mime_header_checks, + smtp_nested_header_checks, smtp_body_checks. Unlike the + cleanup server, the mime and nested header checks don't by + default assume the header_checks value. Files: + global/header_body_checks.[hc], smtp/smtp_proto.c, + smtp/smtp_session.c. + +20071110 + + Feature: ${original_recipient} command-line macro. Corey + Hickey. File: pipe/pipe.c. + + Bugfix (introduced: 20071004) missing exception handling + in smtp-sink per-command delay feature. Victor Duchovni. + File: smtpstone/smtp-sink.c. + +2007117-20 + + Revised queue manager with separate mechanisms for + per-destination concurrency control and dead destination + detection. The concurrency control supports non-integer + feedback for more gradual concurrency adjustments, and uses + hysteresis to avoid rapid oscillations. A destination is + declared "dead" after a configurable number of pseudo-cohorts + (number of deliveries equal to a destination's concurrency) + reports connection or handshake failure. This work began + with a discussion that Wietse started with Patrik Rak and + Victor Duchovni late January 2004, and that Victor revived + late October 2007. To establish a baseline for further + improvement, Wietse implemented a few simple mechanisms. + + Configuration parameters for debugging, positive/negative + hysteresis, and positive/negative feedback. Some have since + been removed or renamed, so no point naming them here. + Files: global/mail_params.h, qmgr/qmgr_queue.c, + qmgr/qmgr_deliver.c. + +20071121 + + Boundary condition: Patrik Rak pointed out that handling + of negative feedback with concurrency window 1 could + be improved. + + Feature: support to look up null sender addresses in + sender-dependent relayhost maps. Parameter name: + empty_address_relayhost_maps_lookup_key (default; <>). + Keean Schupke. File: trivial-rewrite/resolve.c. + +20071127-9 + + Revision 2 of queue manager scheduler interface, allowing + feedback parameter settings with constants and variables + such as 1/8 or 1/concurrency. Some experimental parameters + were removed and others were renamed. The new names are: + default_destination_concurrency_negative_feedback, + default_destination_concurrency_positive_feedback, + default_destination_concurrency_failed_cohort_limit, + destination_concurrency_feedback_debug. + + Also available are transport-specific overrides: + <transport>_initial_destination_concurrency, + <transport>_destination_concurrency_negative_feedback, + <transport>_destination_concurrency_positive_feedback, + <transport>_destination_concurrency_failed_cohort_limit. + + Files: global/mail_params.h, *qmgr/qmgr.c, *qmgr/qmgr_transport.c, + *qmgr/qmgr_queue.c, *qmgr/qmgr_feedback.c, postconf/auto.awk. + +20071202 + + Feature: output rate control. For example, specify + "smtp_destination_rate_delay = 5m" to insert a five-minute + delay between deliveries. This was an opportunity to define + the mutually exclusive states that a queue can have, and + to detect invalid transitions. This will make adding new + features code easier. Files: *qmgr/qmgr_transport.c, + *qmgr/qmgr_queue.c, *qmgr/qmgr_entry.c. + + Bugfix (introduced Postfix 2.2): don't update the back-to-back + delivery time stamp while deferring mail. File: *qmgr/qmgr_entry.c. + +20071203 + + Feature: support for read-write tables in the proxymap + service. This is implemented with a separate master.cf entry + named "proxywrite" that should run with process limit of 1 + if you want to update Berkeley DB like tables. This feature + requires that tables be authorized with the proxy_write_maps + configuration parameter. Files: global/dict_procy.[hc], + proxymap/proxymap.c. + + Human factors: the postmap and postalias commands now produce + nicer diagnostics when asked to do something with a proxied + map that they can't do. Files: postmap/postmap.c, + postalias/postalias.c. + + Bugfix: the proxymap client didn't properly propagate user + options to the proxymap server. File: util/dict.h. + + Workaround: force synchronous updates in the proxymap server + so that maps will be in a consistent state between updates. + File: proxymap/proxymap.c. + + Bugfix: an empty rate-limited queue wasn't removed after + timer expiry. Files: *qmgr/qmgr_queue.c. + +20071204 + + Use different sockets for proxymap (read-only) and proxywrite + (read-write) services in the proxy: client. Victor Duchovni. + File: global/dict_proxy.c. + + Feature: proxymap delete support by Victor Duchovni. Files: + global/dict_proxy.c, proxymap/proxymap.c. + + Feature: proxymap delete support. Files: postmap/postmap.c + postalias/postalias.c. + + Cleanup: the Postfix sendmail command did not include the + user (name/uid) information in all error messages. File: + sendmail/sendmail.c. + + Feature: data_directory configuration parameter for + Postfix-writable data such as caches and random numbers. + Files: postfix-install, conf/postfix-files. + +20071206 + + Security: tlsmgr(8) and verify(8) no longer use root + privileges when opening their cache files. This avoids a + potential security loophole where the ownership of a file + (or directory) does not match the trust level of the content + of that file (or directory). See RELEASE_NOTES for how to + use pre-existing data. Files: util/set_eugid.[hc], + tlsmgr/tlsmgr.c, verify/verify.c. + + Compatibility: as a migration tool, redirect attempts by + tlsmgr(8) or verify(8) to open files in non-Postfix directories + to the Postfix-owned data_directory. File: global/data_redirect.c. + + Lots of pathname fixes in the examples of TLS_README and + postconf(5); -lm library screw-up in queue manager Makefiles. + +20071207 + + Cleanup: pathname fixes in documentation; unnecessary queue + scan in the queue manager rate limiter; inverse square root + feedback in the queue manager concurrency scheduler. Files: + mantools/postlink, proto/TLS_README.html, *qmgr/qmgr_queue.c. + + All changes up to this point should be ready for Postfix 2.5. + + Documentation: updated nqmgr preemptive scheduler documentation + by Patrik Rak. File: proto/SCHEDULER_README.html. + +20071211 + + Bugfix (introduced 19980315): the "write" equivalent of + bugfix 20030104. File: util/vstream.c. + +20071212 + + Feature: "stress=" or "stress=yes" attribute in the SMTPD + policy delegation protocol. File: smtp/smtpd_check.c. + + Cleanup: allow_min_user now rejects recipients (and senders) + starting with '-' at SMTP session time. To make this possible + the feature was moved from qmgr(8) to trivial-rewrite(8). + Files: *qmgr/qmgr_message.c, trivial-rewrite/resolve.c. + +20071213: + + Cleanup: the queue manager and SMTP client now distinguish + between connection cache store and retrieve hints. Once the + queue manager enables connection caching (store and load) + hints on a per-destination queue, it keeps sending connection + cache retrieve hints to the delivery agent even after it + stops sending connection cache store hints. This prevents + the SMTP client from making a new connection without checking + the connection cache first. Victor Duchovni. Files: + *qmgr/qmgr_entry.c, smtp/smtp_connect.c. + + Bugfix (introduced Postfix 2.3): the SMTP client never + marked corrupt files as corrupt. Victor Duchovni. File: + smtp/smtp_proto.c. + + Cleanup: the SMTP client won't mark a destination as + unavailable when at least one SMTP session was completed + without connect or handshake error. Victor Duchovni. Files: + smtp/smtp_connect.c, smtp/smtp_session.c, smtp/smtp_proto.c, + smtp/smtp_trouble.c. + +20071215 + + Documentation and code cleanup. Files: global/deliver_request.h, + *qmgr/qmgr_entry.c, smtp/smtp_connect.c, + proto/SCHEDULER_README.html. + + Bugfix (introduced snapshot 20071006): qmqpd ignored the + qmqpd_client_port_logging parameter setting. File: + qmqpd/qmqpd.c. + +20071216 + + Cleanup: show the remote SMTP server port in verbose logging, + warnings and postmaster notices. Still don't show the port + in delivery status notifications. Files: smtp/smtp_chat.c, + smtp/smtp_sasl_glue.c, smtp/smtp_sasl_proto.c. + + The "tls_require_cert" is now compatible with OpenLDAP 2.1 + and later. Victor Duchovni. Files: proto/ldap_table, + global/dict_ldap.c. + +20071218 + + Cleanup: removed the "#ifdef USE_LIBMILTER_INCLUDES" + dependencies on system-installed Milter protocol include + files. Verified that the object code has not changed. File: + milter/milter8.c. + + Sanity check: idiot filter to detect attempts to use the + same database file for different TLS session caches. File: + tlsmgr/tlsmgr.c. + + Cleanup: updated the spell check stoplist and the spell + check script. Files: mantools/spell, proto/stop. + + Cleanup: replaced documentation references to xxgdb by ddd. + The xxgdb program hasn't been updated in more than 10 years. + Files: proto/postconf.proto, conf/main.cf. + +20071219-20 + + Feature: support for all new Sendmail 8.14 Milter features + except SMFIR_SKIP (skip further events of this type), + SMFIP_RCPT_REJ (report rejected recipients to the mail + filter), SMFIR_CHGFROM (replace sender, with optional ESMTP + command parameters), and SMFIR_ADDRCPT_PAR (add recipient, + with optional ESMTP command parameters). Files: milter/milters.c, + milter/milter8.c, milter/test-milter.c, cleanup/cleanup_milter.c. + +20071221 + + Feature: support for Sendmail 8.14 Milter SMFIR_SKIP (skip + further events of this type). Files: milter/milter8.c, + milter/test-milter.c. + + Cleanup: don't try sending HELO after a 421 EHLO reply. + File: smtp/smtp_proto.c. + +20071221-nonprod + + Using 20071221 as reference point. + + Cleanup: Simplified TLS library cipher and protocol API to + just pass string-valued properties to tls_client_init() and + tls_client_start(). The client is now agnostic of the + mechanics of cipher management internal to the library. The + main.cf parameters used internally in the library are now + loaded by the library, not the caller. Files: + src/smtp/lmtp_params.c, src/smtp/smtp.c, src/smtp/smtp.h, + src/smtp/smtp_params.c, src/smtp/smtp_proto.c, + src/smtp/smtp_session.c, src/smtpd/smtpd.c, src/tls/tls.h, + src/tls/tls_client.c, src/tls/tls_level.c, src/tls/tls_misc.c, + src/tls/tls_server.c, src/tls/tls_session.c, src/tls/tls_verify.c + and src/tlsmgr/tlsmgr.c + + Cleanup: Client session lookup key "salting" is now handled + internally in the tls library. Files: src/tls/tls_client.c + + Cleanup: Cipher state is cached, and only updated when + necessary. Files: src/tls/tls_misc.c + + Feature: Extended the syntax of protocol selection to allow + exclusions as well as inclusions. Files: src/tls/tls_misc.c + + Cleanup: Updated default verification depth to match reality: + default is 9 in OpenSSL and we don't yet override it. When + we do (soon), the default will match previous behavior. + Files: src/global/mail_params.h + + Bugfix: Reference to obsolete "pfixtls" code won't compile + inside #ifdef for OpenSSL <= 0.9.5a. Using an OpenSSL release + that old has not been tested for some time, but may now + work. Files: src/tls/tls_bio_ops.c. + + Replaced "void *" TLS library application handles by explicit + pointer types, while hiding data structure implementation + details from the TLS library users. Files: tls/tls_client.c, + tls/tls_server.c, smtp/smtp.c, smtpd/smtpd.c. + + The TLS library no longer modifies VSTRINGs passed in by + the caller. Where possible, information is passed as "const" + from application to library. Files: smtp/smtp_proto.c, + tls/tls_client.c. + +20071227-nonprod + + Replaced explicit initialization of props structures by + emulating function calls with named parameter lists. Files: + tls/tls.h, smtp/smtp.c, smtp/smtp_proto.c, smtpd/smtpd.c. + +20071222 + + Further polishing of the Milter code and logging. File: + milter/milter8.c. + +20071123 + + Further polishing of the Milter code. With SETSYMLIST, each + Milter can now update its own macros instead of clobbering + the global copy that is shared with other Milters. Also an + opportunity to clean up some ad-hoc code for sending macro + lists from smtpd(8) to cleanup(8). Files: milter/milter.c, + milter/milter8.c, milter/milter_macros.c. + +20071224 + + Further polishing of the Milter code. Eliminated unnecessary + steps from the initial smtpd/cleanup Milter handshake. Files: + milter/milter.c, milter/milter8.c, milter/milter_macros.c. + + Cleanup: name_code(3) and name_mask(3) now support read-only + tables. Files: util/name_code.[hc], util/name_mask.[hc]. + +20071227 + + Cleanup: further refinements of the Milter code, allowing + for multiple macro overrides. The code is now ready for + serious testing. File: milter/milter8.c. + +20071229 + + Bugfix: the Milter client did not replace the Postfix-specific + form for unknown host names by the Sendmail-specific form. + File: milter/milter8.c. + + Cleanup: when a cleanup milter reports a problem don't log + generic "4.3.0 Sevice unavailable", but log the text for + the actual error. File: cleanup/cleanup_milter.c. + +20080102-nonprod + + SMTP client fingerprint security level support and configurable + fingerprint digest algorithm. Victor Duchovni. Files: + smtp/lmtp_params.c, smtp/smtp.c, smtp/smtp.h, + src/smtp/smtp_params.c, src/smtp/smtp_proto.c, + src/smtp/smtp_session.c, tls/tls_client.c, tls/tls_level.c, + tls/tls_verify.c. + +20080103-nonprod + + Missed "invalid TLS configuration" patch for SMTP client. + Victor Duchovni. File: smtp/smtp_proto.c. + + SMTP server configurable fingerprint digest algorithm. + Victor Duchovni. Files: smtpd/smtpd.c, tls/tls.h, + tls/tls_server.c, tls/tls_verify.c. + +20080104-nonprod + + Cleanup: finally implemented certificate verification depth + limit parameters. Prior to Postfix 2.5 these were ignored. + For backwards compatibility, the default verification depth + limit is now 9, the OpenSSL default. Victor Duchovni. Files: + src/tls/tls_client.c, src/tls/tls_server.c, src/tls/tls_verify.c. + + Robustness: Avoid possibility of NULL pointer issues in + application code that checks certificate names, by providing + "empty string" values when no data is available. Victor + Duchovni. Files: src/tls/tls_verify.c, src/tls/tls_client.c, + src/tls/tls_server.c, src/smtpd/smtpd_check.c, src/smtpd/smtpd.c. + + Cleanup: separation of TLS handshake from security level + enforcement. The library shakes hands; the application + decides if the resulting security is acceptable. Victor + Duchovni. Files: smtpd/smtpd.c, smtpd/smtpd_proto.c, + tls/tls_server.c, tls/tls_client.c, tls/tls_verify.c. + + Robustness: more robust processing of ASN.1 string attributes + in x509v3 certificates, plus additional sanity checks (e.g. + embedded null characters). Victor Duchovni. File: + src/tls/tls_verify.c. + +20080104 + + Workaround: minor change to the Dovecot AUTH request to + prevent dovecot-auth memory wastage. Timo Sirainen. File: + xsasl/xsasl_dovecot_server.c. + +20080105-nonprod + + Cleanup: renamed TLS-related symbols for consistency (always + include the init, start, stop prefix in the TLS library + function and data structure names; consistently distinguish + between per-application TLS state and per-session TLS state; + consistently use the fpt prefix for fingerprint related + variables and structure members; consistent use of monocase + typedef-ed names). + +20080106-nonprod + + Cleanup: consistent use of <pre> and <blockquote> in examples; + instead of emphasizing new Postfix 2.5 behavior in reference + documentation, describe the new behavior as "current", with + historical behavior as a supplemental note. + +20080107 + + Feature: new "pass" service type (in addition to "inet", + "unix" and "fifo"). The "pass" service type supports + front-end daemons that accept all inbound connections and + that permit only well-behaved clients to talk to the MTA. + This service type had been sitting in the master daemon for + years but was disabled by default. Actual applications for + this will have to be developed later. Files: util/upass_connect.c, + util/upass_trigger.c. + +20080108 + + Cleanup: where possible, store data structures in read-only + memory. Besides the security advantage of no write access, + this also gives slightly better memory utilization when + many processes execute the same file. Files: pretty much + everything that has a static table, except for a few tables + in the benchmark tools with flags that are controlled by + command-line information. + +20080109 + + Cleanup: more read-only data. Files: everything that passes + around a HEADER_OPTS pointer. + +20080112 + + Safety: optional lookup table to prevent the Postfix SMTP + client from making repeated SASL login failures with the + same hostname, username and password. This introduces new + parameters: smtp_sasl_auth_cache_name, smtp_sasl_auth_cache_time. + Based on code by Keean Schupke. Files: smtp/smtp_sasl_glue.c, + smtp/smtp_sasl_auth_cache.c. + + Safety: the Postfix SMTP client now by default defers mail + after the server rejects a SASL login attempt with a 535 + status code. Specify "smtp_sasl_auth_soft_bounce = no" to + get the earlier behavior. Based on code by Keean Schupke. + Files: smtp/smtp_sasl_glue.c. + +20080114 + + Safety: the smtpd_client_new_tls_session_rate_limit setting + now also limits the number of failed TLS handshakes. This + limits the impact of broken configurations. File: smtpd/smtpd.c. + +20080115 + + Bugfix (introduced 20080112): Patrik Rak found two bugs + that largely canceled each other out, causing Postfix not + to complain about a missing "proxy:" prefix with the new + smtp_sasl_auth_cache_name parameter setting. File: + smtp/smtp_sasl_glue.c. + + Documentation: new SOHO_README file for small/home offices. + The text is automatically generated from bits and pieces of + information that are scattered across other documents. + File: mantools/make_soho_readme. + +20080116 + + Bugfix (introduced 20080112): missing #ifdef for the SASL + login failure cache. File: smtp/smtp_sasl_auth_cache.h. + +20080123 + + Name fix: renamed the mumble_delivery_rate_delay parameter + to mumble_destination_rate_delay, because it really is a + per-destination feature. With this change we keep the option + of implementing a future per-transport rate delay. + +20080125 + + Bugfix (introduced 20071216): missing {} in the LDAP client + broke OpenLDAP TLS. The setting tls_require_cert=no was + further broken because Postfix used OpenLDAP incorrectly. + Victor Duchovni. This broke tls_require_cert=no File: + global/dict_ldap.c. + +20080126 + + Cleanup: the post-install script now requires that it is + invoked via the postfix(1) command. This was the intended + use since Postfix 2.1, but it was never enforced. The + documentation for package maintainers has been updated + accordingly. File: conf/post-install. + +20080130 + + Bugfix (introduced 20071204): wrong proxywrite process limit + in the default master.cf file. File: conf/master.cf. + +20080131 + + Bugfix (introduced 20080126): the new "do not execute + directly" test in post-install got broken during code + cleanup. File: conf/post-install. + +20080201 + + Workaround: undo the changes that require that post-install + is invoked via the postfix command, because this breaks + when "postfix start" is invoked with an obsolete postfix + command that doesn't export the new data_directory parameter. + + Workaround: pick up a missing data_directory setting from + main.cf when "postfix start" is invoked with an obsolete + postfix command. File: conf/post-install. + +20080207 + + Cleanup: soft_bounce support for multi-line Milter replies. + File: src/milter/milter8.c. + + Cleanup: preserve multi-line format of header/body Milter + replies. Files: cleanup/cleanup_milter.c, smtpd/smtpd.c. + + Cleanup: multi-line support in SMTP server replies. File: + smtpd/smtpd_chat.c. + + SAFETY: postfix-script, postfix-files and post-install are + moved away from /etc/postfix to $daemon_directory. There + were too many accidents where people clobbered these files + with versions from an older Postfix release and ended up + with an unusable Postfix setup. Files: postfix-install, + Makefile.in, postfix/postfix.c, conf/postfix-files, + conf/postfix-script, conf/post-install. + +20080212 + + Feature: check_reverse_client_hostname_access, to make + access decisions based on the unverified client hostname. + For safety reasons an OK result is not allowed. Noel Jones. + Files: smtpd/smtpd_check.c plus header files and documentation. + +20080215 + + Safety: break SASL loop in case both the SASL library and + the remote SMTP server are confused. File: smtp/smtp_sasl_glue.c. + +20080220 + + Safety: the master daemon now sets an exclusive lock on a + file $data_directory/master.lock, so that the data directory + can't be shared between multiple Postfix instances. This + would corrupt files that rely on single-writer updates + (examples: verify(8) cache, tlsmgr(8) caches, etc.). File: + master/master.c. + +20080226 + + Cleanup: the postfix command did not set argv[0] to a sane + value when invoking postfix-script. Reported by Victor + Duchovni. File: postfix/postfix.c. + +20080228 + + Bugfix: bounce(8) segfault on one-line template text. + Problem found by Sacha Chlytor. File: bounce/bounce_template.c. + +20080310 + + Safety: the SMTP server's Dovecot authentication client now + enforces the SASL mechanism output filter also on client + command input. File: src/xsasl/xsasl_dovecot_server.c. + +20080311 + + Bugfix (introduced 20070811): the MAIL and RCPT Milter + application call-backs no longer received {mail_addr} or + {rcpt_addr} information. Problem reported by Anton Yuzhaninov. + File: smtpd/smtpd.c. + + Bugfix (introduced 20080207): "cleanup -v" panic because + the new "SMTP reply" request flag did not have a printable + name. File: global/cleanup_strflags.c. + +20080318 + + Human factors: the PCRE and regexp maps now give more + comprehensible error messages when people make the common + mistake of indenting if/endif blocks. Files: util/dict_pcre.c, + util/dict_regexp.c. + +20080324 + + Cleanup: the event_drain() function is now a proper event + processing loop. File: util/events.c + + Feature: when the "postmap -q -" command reads lookup keys + from standard input, it now understands RFC822 and MIME + message format. Specify -h or -b to use headers or body + lines as lookup keys, and specify -hm or -bm to simulate + header_checks or body_checks. The postmap -h option (without + -m) will be compatible with a future postcat -h option. + File: postmap/postmap.c. + +20080411 + + Bugfix (introduced Postfix 2.0): after "warn_if_reject + reject_unlisted_recipient/sender", the SMTP server mistakenly + remembered that recipient/sender validation was already + done. File: smtpd/smtpd_check.c. + + Bugfix (introduced Postfix 2.3): the queue manager would + initialize missing client logging attributes (from xforward) + with real client attributes. Fix: enable this backwards + compatibility feature only with queue files that don't + contain logging attributes. Problem reported by Liviu Daia. + Files *qmgr/qmgr_message.c. + +20080424 + + Cleanup: some warning messages said "regexp" or "regexp + map" instead of "pcre map". File: util/dict_pcre.c. + +20080426 + + Feature: finer control over address verification error + handling and amount of information disclosed in the SMTP + reject message. Parameters: unverified_recipient_defer_code, + unverified_recipient_reject_reason, unverified_sender_defer_code, + unverified_sender_reject_reason. If I don't do this properly, + then someone will do it anyway. File: src/smtpd/smtpd_check.c. + +20080428 + + Cleanup: the proxy_read_maps (Postfix 2.0) default setting + was not updated when adding sender/recipient_bcc_maps + (Postfix 2.1) and smtp/lmtp_generic_maps (Postfix 2.3). + File: global/mail_params.h. + + Cleanup: the SMTP server's XFORWARD and XCLIENT support was + not updated when the smtpd_client_port_logging configuration + parameter was added. Code by Victor Duchovni. Files: + smtpd/smtpd.c, smtpd/smtpd_peer.c. + +20080508 + + Cleanup: delivery status notifications now prepend a + Return-Path: message header to the returned message. + File: bounce/bounce_notify_util.c. + +20080509 + + Bugfix: null-terminate CN comment string after sanitization. + File: smtpd/smtpd.c. + +20080510 + + Cleanup: when extracting peer and issuer common name from + TLS certificates, convert the result into UTF-8, and use + RFC 2047 encoding when logging these as Received: header + comment fields. Based remotely on code by Victor Duchovni. + Files: smtpd/smtpd.c, tls/tls_verify.c. + +20080511 + + Cleanup: the RFC 2047 encoding of RFC*822 comments is too + problematic. The text that explains the problems is as + long as the code itself. That is usually a good indication + that code is not ready for use. File: smtpd/smtpd.c. + + Cleanup: block non-printable ASCII text in UTF8 encoded TLS + peer and issuer common names. File: tls/tls_verify.c. + +20080602 + + Workaround: avoid watchdog timeout in the local pickup + daemon when the cleanup server expands a very large virtual + alias list. Files: master/trigger_server.c, pickup/pickup.c. + +20080603 + + Workaround: avoid "bad address pattern" errors with non-address + patterns in namadr_list_match() calls. File: util/match_ops.c. + + Feature: print fsstone elapsed time with sub-second time + resolution. Kenji Kikuchi. File: fsstone/fsstone.c. + +20080606 + + Bitrot: "make test" was broken due to recent changes in + code and due to recent changes at mail-abuse.org. + +20080618 + + Add a note to SMTP session transcript email messages that + other details may be found in the maillog file. Files: + smtpd/smtpd_chat.c, smtp/smtp_chat.c. + +20080620 + + Cleanup: with the "Before-queue content filter", RFC3848 + information was not added to the headers. Carlos Velasco. + File smtpd/smtpd.c. + +20080621 + + Cleanup: include unread byte count in the SMTP server's "lost + connection after DATA (xx bytes)" logging. Files: smtpd/smtpd.c. + +20080629 + + Bugfix (introduced Postfix 2.2): multiple inconsistencies + in SASL support after introduction of TLS. The Postfix + SMTP server 1) complained about plain-text SASL configuration + details when SASL was forbidden for plain-text sessions, + and 2) ignored the smtpd_tls_auth_only parameter setting + when built without TLS support. Files: smtpd/smtpd.c, + smtpd/smtpd_check.c, smtpd/smtpd_sasl_glue.[hc], + smtpd/smtpd_state.c. + + Some clarification about recipient address versus domain, + and recipients per message versus session. File: + proto/postconf.proto. + + The description of SASL authentication attributes was + garbled. File: pipe/pipe.c. + + Information: the master(8) server now logs the version + besides the configuration directory upon "postfix reload". + File: master/master.c. + +20080717 + + Cleanup: a poorly-implemented integer overflow check for + TCP MSS calculation had the unexpected effect that people + broke Postfix on LP64 systems while attempting to silence + a compiler warning. File: util/vstream_tweak.c. + +20080721 + + The cleanup server now rejects undisclosed_recipients_header + parameter values with invalid message header syntax. + File: cleanup/cleanup_message.c. + +20080725 + + Paranoia: defer delivery when a mailbox file is not owned + by the recipient. Sebastian Krahmer, SuSE. Files: + local/mailbox.c, virtual/mailbox.c. + +20080804 + + Bugfix: dangling pointer in vstring_sprintf_prepend(). + File: util/vstring.c. + +20080814 + + Security: some systems have changed their link() semantics, + and will hardlink a symlink, contrary to POSIX and XPG4. + Sebastian Krahmer, SuSE. File: util/safe_open.c. + + The solution introduces the following incompatible change: + when the target of mail delivery is a symlink, the parent + directory of that symlink must now be writable by root only + (in addition to the already existing requirement that the + symlink itself is owned by root). This change will break + legitimate configurations that deliver mail to a symbolic + link in a directory with less restrictive permissions. + +20080815 + + Feature: the milter_default_action parameter now accepts + the "quarantine" action. This works like "accept" but also + freezes the mail in the "hold" queue. File: milter/milter8.c. + + Robustness: transition from setjmp()/longjmp() to the signal + mask saving/restoring versions sigsetjmp()/siglongjmp(). + These functions have been around for 15 years, but they + have had bugs on supported platforms, so makedefs tests for + them. Files: makedefs, util/sys_defs.h, util/vstream.h. + +20080822 + + Cleanup: the proxymap_service_name and proxywrite_service_name + parameters make the proxymap service names configurable. + This paves the way for a future option where the proxymap + services are accessible via TCP so that they can be shared + among multiple Postfix hosts. File: global/dict_proxy.c. + + Feature: MacOS X support for kqueue style event handling, + with workaround for broken MacOS X versions. Files: + util/sys_defs.h, makedefs. + + Cleanup: the makedefs script now keeps its test programs + in a directory makedefs.d, instead of inlining them as + fragile "here documents". Files: makedefs, makedefs.d/*. + +20080823 + + Feature: IPv6 dns blocklist lookup. File: smtpd/smtpd_check.c. + +20080824 + + Cleanup: untangled the MacOS X version dependent sections + in the makedefs script, to make future updates easier. File: + makedefs. + + Cleanup: don't log multiple Milter "hold" actions for the + same email message. File: cleanup/cleanup_milter.c. + +20080826 + + Cleanup: moving test programs from makedefs into a makedefs.d + directory brought more pain than gain. + + Cleanup: untangled the Linux version dependent sections in + the makedefs script, to make future updates easier. File: + makedefs. + + Documentation: MacOS process limit configuration by Quanah + Gibson-Mount. File: proto/TUNING_README.html. + + Feature: smtp-sink -M option to terminate after receiving + a specified number of messages. Laurent Gentil. File: + smtpstone/smtp-sink.c. + + Bugfix (introduced Postfix 2.4): epoll file descriptor leak. + With Postfix >= 2.4 on Linux >= 2.6, Postfix has an epoll + file descriptor leak when it executes non-Postfix commands + in, for example, user-controlled $HOME/.forward files. A + local user can access a leaked epoll file descriptor to + implement a denial of service attack on Postfix. Data + confidentiality and integrity are not affected. File: + util/events.c. + +20080903 + + Don't enable kqueue (which requires poll) support on + MacOS X. File: makedefs. + + Cleanup: remove obsolete Rhapsody and MacOS targets from + makedefs. + +20080929 + + Workaround: don't log "file has 2 links" warnings when the + condition appears to be temporary. As kernels have evolved + from non-interruptible system calls towards fine-grained + locks, the showq command has become likely to observe a + file while the queue manager is in the middle of a rename + operation, when the file has links to both the old and new + name. File: global/mail_open_ok.c. + + Workaround: don't loop forever when write() fails with a + persistent EAGAIN error on a writable file descriptor. + File: util/write_buf.c. + +20081003 + + Bugfix (introduced Postfix 2.1): when XFORWARD support was + introduced with Postfix 2.1, the specification failed to + clearly distinguish between missing and non-existent client + information. This ambiguity affected the implementation: + in $name expansions by delivery agents, unknown client + hostnames could became empty strings (as if a submission + was local), and local submissions could appear to originate + from an SMTP-based content filter. This was fixed with a + a minor semantic change to the XFORWARD protocol. Files: + smtpd/smtpd.c, qmqpd/qmqpd.c, smtp/smtp_proto.c, + cleanup/cleanup_envelope.c, proto/XFORWARD.html. Note: the + changes to propagate local submission details were undone + 20082012. + + Feature: a DUNNO lookup result in per_sender_relayhost_maps + stops the search without replacing the next-hop destination. + File: trivial-rewrite/resolve.c. + +20081005 + + Bugfix: further refinements to the handling of missing or + non-existent remote client attributes. Files: smtpd/smtpd.c, + smtpd/smtpd.h. + + Documentation: the XFORWARD specification of the ADDR + attribute did not agree with the actual on-the-wire protocol. + Since we can't change already existing deployments, the + spec has been updated. File: proto/XFORWARD_README.html. + +20081006 + + Bugfix: further refinements to the handling of remote client + attributes. Introduced a dummy "we have forwarded client + info" record, to eliminate the need for the backwards + incompatible queue file change that was introduced 20081003. + Files: smtpd/smtpd.c, cleanup/cleanup_envelope.c, + *qmgr/qmgr_message.c. + + Security: hardened the proxymap client, in case it ever + ends up in a set-gid program. File: global/dict_proxy.c. + +20081007 + + Workaround: undo the proxymap client change. It broke + chrooted servers when they attempted to reconnect to the + proxy read/write service. File: global/dict_proxy.c. + +20081008 + + Safety: added checks that $queue_directory/pid is owned by + root, and that $queue_directory/saved is owned by $mail_owner. + File: conf/postfix-script. + +20081010 + + Feature: controls for opportunistic TLS protocols and + ciphers. The smtp_tls_protocols, smtp_tls_ciphers, and + equivalent parameters for lmtp and smtpd provide global + settings; the SMTP client TLS policy table provides ciphers + and protocols settings for specific peers. Code by Victor + Duchovni. Files: smtp/smtp.c, smtp/smtp_session.c, smtpd/smtpd.c + and documentation. + +20081012 + + Cleanup: simplify the 20081003 changes and don't try to + propagate local submission information through XFORWARD. + Files: smtpd/smtpd.c, qmqpd/qmqpd.c, smtp/smtp_proto.c, + cleanup/cleanup_envelope.c, proto/XFORWARD.html. + +20081015 + + Bugfix: GLIBC API version detection. Rob Foehl. File: + util/sys_defs.h. + +20081022 + + Documentation: removed inapplicable daemon_timeout reference + from qmgr(8), oqmgr(8), pickup(8). These daemons need to + use a much shorter watchdog timer. + +20081108 + + Feature: smtp_sasl_tls_verified_security_options is no + longer #ifdef SNAPSHOT. + + Feature: elliptic curve support. This requires OpenSSL + version 0.9.9 or later. Victor Duchovni. Files: TLS_README, + smtpd/smtpd.c, smtp/smtp.c, tls/tls_dh.c, tls/tls_certkey.c, + tls/tls_server.c, tls/tls_client.c, tls/tls.h, tls/tls_misc.c. + + Bugfix (introduced Postfix 2.5): the Postfix SMTP server + did not ask for a client certificate with "smtpd_tls_req_ccert + = yes". Reported by Rob Foehl. File: smtpd/smtpd.c. + +20081109 + + Cleanup: confusing names of variables. File: smtpd/smtpd.c. + +20081126 + + Documentation: pcre_table(5) incorrectly claimed that the + 'x' flag supports #comment after text. File: proto/pcre_table. + +20081202 + + Cleanup: vstream_bufstat() provides a more systematic + approach to get information about VSTREAM buffers. The + vstream_peek() function is now a backwards compatibility + wrapper. Files: util/vstream.[hc]. + + Cleanup: the SMTP server should warn about "lost connection + after QUIT" only when the "." reply was pipelined together + with the "QUIT" reply. File: smtpd/smtpd.c. + + Cleanup: the SMTP client's code was duplicating buffer + management that was already done in the VSTREAM module. + File: smtp/smtp_proto.c. + +20081203 + + Cleanup: adjust the VSTREAM buffer strategy when reusing + an SMTP connection with a large TCP MSS value. File: + smtp/smtp_reuse.c. + +20081204 + + Cleanup: state the SMTP client PIPELINING implementation's + dependency on monotonic VSTREAM buffer size behavior, and + add some checks for boundary cases with VSTREAM buffer size + change requests. Files: util/vstream.c, smtp/smtp_proto.c. + +20081205 + + Fix 20081202 flush code. Victor Duchovni. File: smtpd/smtpd.c. + + Safety: add another check to "postfix check", in this case + for group or other writable queue_directory. File: + conf/postfix-script. + +20081217 + + Debugging: ad-hoc code to log the TLS error stack after + VSTREAM read/write error. File: tls/tls_bio_ops.c. In a + better implementation, each I/O "object" would provide an + optional error reporting method (besides timed_read and + timed_write) that could be queried via the vstream module. + +20081222 + + Documentation: log the "*" pattern as the last transport + map lookup. File: proto/transport. + +20090103 + + Documentation: rewrote NFS_README, to clarify the support + status of Postfix and NFS, and to describe the NFS workarounds + that Postfix actually implements. + +20090106 + + Feature: "postconf -# parametername ..." to comment out + named parameter entries. Victor Duchovni. File: + postconf/postconf.c. + +20090107 + + Library: edit_file(3) module for cooperative editing of a + file. Inspired by the postconf command, this creates a new + version under a deterministic temporary name and renames + it into place. The implementation uses an open/lock/stat + protocol before updating the new file, and rename/unlock/close + afterwards. Based on pieces of code by Victor Duchovni, + with minor improvements by Wietse. Files: util/edit_file.[hc]. + + Cleanup: the postconf command now uses the edit_file(3) + module to manage collisions when multiple processes attempt + to update the main.cf file. + +20090108 + + Feature: master_service_disable parameter (default: empty) + to easily turn off/on master.cf services by type or by name + and type. For example, to turn off the main SMTP listener + use "master_service_disable = smtp.inet", and to turn off + all TCP/IP listeners use "master_service_disable = inet". + This immediately terminates all processes that provide the + specified services. The master_service_disable feature does + not distinguish services by their privacy property; some + day, clients will not need to specify that anymore. Files: + global/mail_params.h, master/master.c, master/master_vars.c, + master/master_ent.c. + + Bugfix (introduced May 19, 1997): removing a parameter + setting from main.cf did not reset the parameter to its + default value. This was a problem only in the master daemon. + File: global/mail_conf.c, master/master_vars.c. + +20090109 + + Cleanup: "defer" action in access maps, and a corresponding + access_map_defer_code parameter. No idea what was behind + this omission. Files: global/mail_params.h, smtpd/smtpd.c, + smtpd/smtpd_check.c, proto/access. + + Workaround: specify "tcp_windowsize = 65535" (or less) to + work around broken TCP window scaling implementations. This + is perhaps easier than collecting tcpdump output and tuning + kernel parameters by hand. See RELEASE_NOTES for how to + change this setting without stopping Postfix. Files: + util/inet_connect.c, inet_listen.c, global/mail_params.[hc]. + +20090110 + + Cleanup: create separate code modules for TCP window size + handling, master.cf service name matching, and main.cf + change monitoring. Files: util/inet_windowsize.c, + global/match_service.c, master/master_watch.c. + + Feature: TCP window size override for the Postfix SMTP/LMTP + client, and for the smtp-source and smtp-sink test programs. + Files: smtp/smtp_connect.c, smtpstone/smtp-source.c, + smtpstone/smtp-sink.c. + +20090114 + + Bugfix: VERP now uses the Postfix original recipient, if + available, because that is what the VERP consumer expects. + Files: *qmgr/qmgr_deliver.c, bounce/bounce_notify_verp.c. + + Safety: extra check for broken third-party patches that + allow file size limit < message size limit. This can cause + mail to be stuck in the queue forever. + + Invisible change, in preparation for multi-instance support. + Except for main.cf and master.cf, all files are optional + for non-default Postfix configuration directories. File: + conf/postfix-files. + +20090115 + + Cleanup: rewrote the 20090114 VERP bugfix, to replace code + that "works" by code that is "right". Files: *qmgr/qmgr_deliver.c, + bounce/bounce_notify_verp.c, global/verp_sender.c. + +20090118 + + Documentation: some URLs to enable/disable client-side TLS + jumped into the middle of an enumeration. File: + proto/TLS_README.html. + +20090119-21 + + Feature: multi-instance manager plug-in API. A sample + multi-instance manager with instructions is available as + $daemon_directory/postfix-wrapper. The plug-in API itself + is described in postfix-wrapper(5). Files: postfix/postfix.c, + global/mail_params.[hc], proto/postfix-wrapper, + conf/postfix-wrapper, conf/postfix-script, conf/postfix-files. + + Support to check/update shared files only in the context + of the default Postfix instance. Files: conf/post-install, + conf/postfix-script. + +20090122 + + Refinements: the multi-instance manager always replaces + "start" by "check" when a Postfix instance is multi-instance + disabled, so that problems will still be reported; polish + documentation; delete unnecessary multi_instance_order + parameter. Files: conf/postfix-wrapper, proto/postfix-wrapper, + global/mail_params.[hc] and documentation. + + Bugfix: the data_directory was not automatically created! + File: conf/postfix-files. + +20090123 + + More little fixes in the "trivial but useful" postfix-wrapper + including instructions. It's ready for testing in the field. + File: conf/postfix-wrapper. + +20090125 + + Documentation: more precise description of multi-instance + manager API, and minor edits of the example program. Files: + conf/postfix-wrapper, proto/postfix-wrapper. + +20090208 + + Cleanup: enable multi-instance shared-file logic only when + the instance is listed in multi_instance_directories. Files: + conf/post-install, conf/postfix-script. + +20090210 + + Feature: specify "reject_tempfail_action = defer" to + immediately defer a remote SMTP client request after a + reject-type restriction fails with a temporary error. Based + on code by Rob Foehl. File: smtpd/smtpd_check.c. + + Feature: finer control of reject_tempfail_action with + unknown_address_tempfail_action, unverified_sender_tempfail_action + unverified_recipient_tempfail_action, and + unknown_helo_hostname_tempfail_action. See documentation + for details. File: smtpd/smtpd_check.c. + +20090211 + + Workaround: pass the SMTP server socket's local and remote + peer address information to the Dovecot authentication server. + This is incomplete code: it ignores XCLIENT server address + overrides. File: xsasl/xsasl_dovecot_server.c. + +20090212 + + Testing revealed that with mumble_tempfail_action=defer, + the "defer" action was ignored. Cause: the DEFER_IF_PERMIT[0-9] + macros lost the SMTPD_CHECK_REJECT result value. File: + smtpd/smtpd_check.c. + + Feature: stress-dependent smtpd_timeout (normal: 300s, + overload: 10s), smtpd_hard_error_limit (normal: 20, overload: + 1) and smtpd_junk_command_limit (normal: 100, overload: 1). + Files: global/mail_params.h, global/mail_conf_nint.c, + master/*_server.c, smtpd/smtpd.c. + +20090213 + + Fine tuning: don't enforce smtpd_junk_command_limit for + XCLIENT and XFORWARD commands. These commands can be issued + only by authorized clients. File: src/smtpd/smtpd.c. + +20090215 + + Feature: the Postfix SMTP server hangs up after replying + with "521". This makes overload handling more effective. + See also RFC 1846. File: smtpd/smtpd.c. + + Feature: postmulti mult-instance manager command, very + lightly tested. The MULTI_INSTANCE_README still needs to + be proofread. Originally by Victor Duchovni. Files: + src/postmulti/*, proto/MULTI_INSTANCE_README.html, + conf/postmulti-script. + +20090216-24 + + Cleanup: assorted code cleanups in postmulti. File: + src/postmulti/postmulti.c. + +20090223 + + Cleanup: multiple instances of the same global. Files: + util/inet_windowsize.c, util/inet_listen.c. + +20090228 + + Cleanup: the Postfix SMTP server now maintains a per-session + "improper command pipelining detected" flag. This flag can + be tested at any time with reject_unauth_pipelining, and + is raised whenever a client command is followed by unexpected + commands or message content. Files: smtpd/smtpd.c, + smtpd/smtpd_check.c. + + Logging: the Postfix SMTP server now logs the first command + pipelining transgression as "improper command pipelining + after <command> from <hostname>[<hostaddress>]". + + Cleanup: after DATA command failure, log "(approximately + XX bytes)" only if Postfix actually accepted the DATA + command. File: smtpd/smtpd.c. + +20090303 + + Cleanup: word smithing of "sendmail -bv" probe message. + File: sendmail/sendmail.c. + + Cleanup: OpenLDAP now provides a sane solution for conflicts + with PAM ldap-over-tls. Victor Duchovni. File: global/dict_ldap.c. + +20090304 + + Cleanup: skip over suspended or throttled queues while + looking for delivery requests. File: *qmgr/qmgr_transport.c. + +20090305 + + Bugfix: in the "new queue manager", the _destination_rate_delay + code needed to postpone the job scheduler updates after + delivery completion, otherwise the scheduler could loop on + blocked jobs. Victor & Wietse. File: qmgr/qmgr_entry.c, + qmgr/qmgr_queue.c, qmgr/qmgr_job.c. + + Cleanup: report a "queue file write error", instead of + passing though bogus 2xx replies from proxy filters to SMTP + clients. File: smtpd/smtpd_proxy.c. + +20090307 + + Cleanup: with "lmtp_assume_final = yes", the Postfix LMTP + delivery agent assumes that delivery is final when talking + to an LMTP server that announces no DSN support. Otherwise, + the Postfix LMTP delivery agent assumes that delivery is + "relayed", to maintain compatibility with simple LMTP-based + content filters. Based on code by Michel Sebastien, ATOS + Origin. File: smtp/smtp_rcpt.c. + +20090310 + + Bugfix: Postfix used mumble_concurrency_failed_cohort_limit + instead of mumble_destination_concurrency_failed_cohort_limit + as documented. File: global/mail_params.h. + +20090330 + + Cleanup: add (Resent-) From:, Date:, Message-ID: or To: + headers only when clients match $local_header_rewrite_clients. + Specify "always_add_missing_headers = yes" for backwards + compatibility. Adding such headers to remote mail can break + DKIM signatures that cover headers that are not present. + File: cleanup/cleanup_message.c. + +20090415 + + Workaround: to avoid unnecessary "fatal" delivery agent + exits, delivery agents retry getting a shared lock on a + queue file. This is necessary since the queue manager's + behavior was changed years ago to refill the in-memory + recipient list before it was completely empty. File: + global/deliver_request.c. + + Documentation: updated STRESS_README. + +20090416 + + Workaround: some AWK implementations have a limit of 10 + output files and lack a working close() function. It is too + much trouble to find out what systems have this limitation, + and where, if any, such systems store their XPG4-compatible + AWK program. So instead we generate a stream of here + documents and let the shell split the stream into files. + File: postconf/extract.awk. + + Documentation: clarification of certificate file usage. + Victor Duchovni. Files: proto/postconf.proto, + proto/TLS_README.html. + + Feature: pass a "TLS is active" flag to the server-side + SASL support. Based on code by Timo Sirainen, except that + the implementation uses an extensible API so that it will + be less painful to add more attributes in future Postfix + versions. Files: xsasl/xsasl.h, xsasl/xsasl_*server.c, + smtpd/smtpd_sasl_glue.c. + +20090417 + + Documentation: re-generate READMEs and manpages for updated + hyperlinks. + + Documentation: missing hyperlinks and missing parameters + in manpages. File: mantools/postlink, mantools/check-postlink. + +20090418 + + Cleanup: use the extensible API to pass SMTP client address + information to the dovecot SASL plugin, and prepare for + passing server address information. Files: xsasl/xsasl.h, + xsasl/xsasl_dovecot_server.c, smtpd/smtpd_sasl_glue.c. + + Same extensible API transformation for the SASL client-side + code to make future extensions less painful. Files: + xsasl/xsasl.h, xsasl/xsasl*client.c, smtp/smtp_sasl_glue.c. + + More postlink fixes. File: mantools/postlink. + +20090419 + + Bugfix: don't re-enable SIGHUP if it is ignored in the + parent. This may cause random "Postfix integrity check + failed" errors at boot time (POSIX SIGHUP death), causing + Postfix not to start. We duplicate code from postdrop and + thus avoid past mistakes. File: postsuper/postsuper.c. + + Robustness: don't re-enable SIGTERM if it is ignored in the + parent. Files: postsuper/postsuper.c, postdrop/postdrop.c. + +20090422 + + Undo delivery agent change 20090415. The queue manager never + locks a queue file to read additional recipients into memory, + so if a delivery agent runs into a locked file, then something + is seriously wrong. File: global/deliver_request.c. + +20090424 + + Compatibility: the Postfix SMTP client no longer uses the + obsolete SSLv2 by default for opportunistic encryption. + This has nothing to do with security (we're willing to send + plaintext over an unauthenticated connection) but with the + loss of advanced options that give better performance. + Victor Duchovni. Files: proto/postconf.proto, global/mail_params.h. + +20090426 + + Feature: more accurate support for Milter macros {mail_addr} + and {rcpt_addr}, and new support for Milter macros {mail_host}, + {mail_mailer}, {rcpt_host}, and {rcpt_mailer}. Files: + milter/milter.[hc], smtpd/smtpd.[hc], smtpd/smtpd_milter.c, + smtpd/smtpd_resolve.c. + + Feature: support to report rejected recipients to Milters + (SMFIP_RCPT_REJ). Postfix reports the event as decribed in + Sendmail 8.14.0 documentation: {rcpt_mailer} = "error", + {rcpt_host} = enhanced status code (e.g., "5.7.1"), and + {rcpt_addr} = reason to reject (e.g., "Relay access denied"). + Files: milter/milter.[hc], milter/milter8.c, smtpd/smtpd.[hc], + smtpd/smtpd_milter.c. + +20090427 + + Feature: Milter support for replacing the envelope sender + and adding recipients (SMFIR_CHGFROM, SMFIR_ADDRCPT_PAR). + This support currently ignores ESMTP command parameters. + Files: milter/milter8.c, cleanup/cleanup_milter.c. + +20090428 + + Compatibility: to make all the new Milter features usable, + raise the default milter_protocol setting from 2 to 6. + This has been tested with a Sendmail 8.14 libmilter. + File: global/mail_params.h. + + Bugfix: don't disable MIME parsing with smtp_header_checks, + smtp_mime_header_checks, smtp_nested_header_checks or with + smtp_body_checks. Bug reported by Victor. File: smtp/smtp_proto.c. + + Code cleanups: respect VSTRING invariants by using VSTRING_RESET + and VSTRING_TERMINATE instead of directly groping the + underlying character buffer. Files: global/dsn_buf.c, + milter/milter8.c. + +20090507 + + main.cf:tls_random_source now defaults to /dev/arandom on + OpenBSD. This device was introduced before Postfix development + began. Files: util/sys_defs.h, global/mail_params.h. + +20090510 + + Code cleanups: while emulating SMTP client requests for + Milter applications, use user@domain form addresses as + required by the SMTP protocol, instead of bare usernames. + This avoids hard to debug errors from some Milter applications. + Files: cleanup/cleanup_envelope.c, cleanup/cleanup_extracted.c, + cleanup/cleanup_addr.c. + +20090511 + + Code cleanups: don't clobber -o command-line arguments so + that Linux people can debug daemon command lines more easily. + Files: master/*server.c. + +20090513 + + Code cleanups: better parsing of Postfix daemon "-o" + command-line options, with better error handling. Files: + master/*server.c. + +20090518 + + Documentation: missing dummy entries for lmtp_mumble_checks. + File: proto/postconf.proto. + +20090519 + + Bugfix (introduced: Postfix 2.3, but did not cause trouble + until 20090427). Queue file corruption with (smtpd_milters + or non_smtpd_milters) enabled, AND with delay_warning_time + enabled, AND with short envelope sender addresses (e.g., + local submissions with bare usernames, but not bounces). + The queue file would be corrupted when the delay_warning_time + record was marked as "done" after sending the "your mail + is delayed" notice. File: qmgr/qmgr_message.c. + +20090522 + + Bugfix (introduced: Postfix 2.3). The cleanup server + rejected mail with records of type REC_TYPE_DRCP (recipient + deleted by Milter), but such records could be present in + mail re-submitted with "postsuper -r". Found during code + review. Files: global/record.h, cleanup/cleanup_envelope.c. + +20090524 + + Feature: new postcat options: -e (print envelope), -h (print + header), and -b (print body). Specify "postcat -bh" to + suppress information about envelope records, and "postcat + -h" to get the message header only. With large messages, + "postcat -h" is much faster than manually stripping the + message body from the output. File: postcat/postcat.c. + +20090528 + + Bugfix (introduced: Postfix 2.6 change 20080629): with + plaintext sessions, smtpd_tls_auth_only=yes caused spurious + warnings with reject_authenticated_sender_login_mismatch, + and broke reject_unauthenticated_sender_login_mismatch and + reject_sender_login_mismatch. Based on fix by Victor + Duchovni. File: smtpd/smtpd_check.c. + +20090603 + + Cleanup: Postfix 2.3 adopted a file descriptor passing + workaround for OpenBSD. This workaround was hard-coded for + all platforms because there were no have adverse effects. + This is no longer the case: OpenBSD is fixed, and NetBSD + does not like the workaround. We now default back to the + non-workaround code and turn on the workaround dynamically. + Files: util/unix_send_fd.c, unix_recv_fd.c, unix_pass_fd_fix.c. + +20090605 + + Portability: modern kernels below ancient user-land. File: + makedefs. + +20090606 + + Feature: post-Milter header checks, with all actions except + PREPEND. To enable, specify for example "milter_header_checks + = pcre:/path/to/file". Files: cleanup/cleanup_init.c, + cleanup/cleanup_milter.c, cleanup/cleanup_extracted.c, + cleanup/cleanup_state.c. + + Bugfix: non-portable command pathname in postmulti-script. + + Safety: "postmulti -e destroy" no longer attempts to remove + files that are created AFTER "postmulti -e create". Rationale: + by design, postfix queue/data directories are not trusted; + actions within those directory trees must not affect files + outside those those trees (e.g. by symlink race attacks). + We don't want to be nailed with a bunch of CVEs for unsafe + pathname handling. File: conf/postmulti-script. + +20090607 + + Cleanup: revise milter_header_checks action implementation, + and avoid redundant logging and work when milter_header_checks + and Milters make redundant or conflicting decisions. File: + cleanup_milter.c. + +20090614 + + Preliminary postscreen triage server for all inbound SMTP + connections. This is not a proxy: it rejects bad clients + and forwards the rest of the connections to a real Postfix + SMTP server. The initial version does a simple "friend or + foe" based on whether the client starts talking too soon. + Decisions are cached, so "good" clients have no overhead. + File: postscreen/postscreen.c. + + Cleanup: more robust code for receiving file descriptors + via the "pass" master service protocol. File: + util/upass_listen.c. + +20090617 + + Temporary helper daemon that does parallel DNSBL lookups + for postscreen(8). It logs successful lookups to the maillog + file without blocking the client. postscreen(8) will use + the results in a later non-production version. To enable + DNSBL lookups, specify "postscreen_dnsbl_sites = name, + name, etc". and restart postscreen(8) with "postfix reload". + File: src/dnsblog/dnblog.c. + +20090618 + + postscreen(8) logging and actions are now documented in the + postscreen(8) manpage. When a client is listed in DNSBLs + specified with postscreen_dnsbl_sites, it is no longer + whitelisted. Instead the number of blocklist hits is logged. + File: postscreen/postscreen.c. + +20090619 + + postscreen(8) by default no longer immediately drops + connections. Specify "postscreen_greet_action = drop" and + "postscreen_hangup_action = drop" for the old behavior. + There is also a new postscreen_dnsbl_action parameter, for + completeness. File: postscreen/postscreen.c. + +20090708 + + Portability: FreeBSD 8 has closefrom(). File: uti/sys_defs.h. + +20090710 + + Bugfix (introduced Postfix 2.3): Postfix got out of sync + with a Milter application after the application sent a + "quarantine" request at end-of-message time. The milter + application would still be in the end-of-message state, + while Postfix would already be working on the next SMTP + event (typically, QUIT or MAIL FROM). Problem diagnosed + with help from Alban Deniz. File: milter/milter8.c. + +20090711-2 + + New "event_server" Postfix server framework. It is similar + to the "multi_server" framework but does not manage client + I/O events. This framework is suitable for servers such + as postscreen that have complex event management requirements. + File: master/event_server.c. + + New event_fork() primitive to resume event processing in a + child process after it is created with fork(). This is + needed by postscreen to complete work-in-progress in the + background after "postfix reload". File: util/events.c. + + Cleanup: postscreen migrated to the "event_server" framework. + File: postscreen/postscreen.c. + +20090712 + + Cleanup: ${multi_instance_name:postfix}${multi_instance_name + ?$multi_instance_name} garbage in Postfix logging is now + hopefully gone. File: global/mail_task.c. + +20090715 + + Documentation: as of Postfix 2.6, the reject_unauth_pipelining + feature can be used meaningfully at any protocol stage. + File: proto/postconf.proto. + +20090717 + + Cleanup: postscreen PREGREET detection now uses non-destructive + read, so that the real SMTP server can still receive the + HELO command (apparently some sites allow pregreeters to + talk to their servers). File: postscreen/postscreen.c. + +20090805 + + Bugfix: don't panic when an unexpected smtpd access map is + specified. File: smtpd/smtpd_check.c. + +20090918 + + Bugfix (introduced Postfix 2.3): with Milter RCPT TO replies + turned off, there was no automatic flush-before-read on the + smtpd-to-milter stream, because the read was done on the + cleanup-to-milter stream. Problem reported by Stephen Warren. + File: milter/milter8.c. + +20091005 + + Bugfix: core dump while printing error message for malformed + %<letter> sequence in LDAP, MySQL or PostgreSQL configuration. + File: global/db_common.c. Fix by Victor Duchovni. + +20091006 + + Feature: "postscreen_whitelist_networks = $mynetworks" (the + default) to avoid problems with buggy SMTP implementations + in network appliances. Note: this feature never uses the + remote SMTP client hostname. Files: global/addr_match_list.[hc], + postscreen/postscreen.c. + + Feature: postscreen_blacklist_networks (default: empty) to + permanently blacklist hosts or networks. Address syntax is + as with mynetworks. Note: this feature never uses the remote + SMTP client hostname. File: postscreen/postscreen.c. + + Feature: postscreen_blacklist_action (default: continue) + to control what happens with a permanently blacklisted + client. File: postscreen/postscreen.c. + +20091007 + + Feature: hostname-based check_client_{mx,ns}_access, + check_reverse_client_hostname_{mx,ns}_access (the client + IP address is not used). Rob Foehl. Files: smtpd/smtpd_check.c, + global/mail_params.h, proto/postconf.proto, mantools/postlink. + +20091008 + + Documentation: restructured the postscreen(8) manpage + as a sequence of tests. File: postscreen/postscreen.c. + +20091012 + + Bugfix: postmulti did not skip commands with -p. Luca + Berra. File: postmulti/postmulti.c. + +20091023 + + Feature: specify "smtpd_command_filter = pcre:/file/name" + to replace remote SMTP client commands before they are + executed by the Postfix SMTP server. This a last-resort + tool to fix inter-operability problems. See examples in + the postconf(5) manual page. File: smtpd/smtpd.c. + +20091026 + + Cleanup: changed parameter evaluation order so that the + multi_instance_wrapper parameter value is evaluated after + the command and daemon directory parameters. File: + global/mail_params.h. + +20091101 + + Performance: specify "smtpd_proxy_options = speed_adjust" + to receive an entire message before sending it through a + before-queue content filter. This reduces the number of + simultaneous content filtering processes, and thus, the + system memory requirements. Files: smtpd/smtpd.[hc], + smtpd/smtpd_proxy.[hc]. + +20091103-4 + + Cleaned up the speed-adjust code, streamlined the error + handling, and updated documentation. Files: smtpd/smtpd.[hc], + smtpd/smtpd_proxy.[hc], proto/SMTPD_PROXY_README.html. + +20091105 + + Cleaning up after speed_adjust introduction: smtpd segfault + caused by an incomplete API change; refined the queue space + check; release scratch space immediately after delivering + mail to the before-queue filter. Files: smtpd.c, smtpd_proxy.c. + +20091110 + + Workaround: specify "smtp_tls_block_early_mail_reply = yes" + to detect a mail hijacking attack based on a TLS protocol + vulnerability (CVE-2009-3555). The attack involves prepending + malicious HELO/MAIL/RCPT/DATA commands to a Postfix SMTP + client TLS session. The attack would succeed with non-Postfix + SMTP servers that reply to the malicious commands after + negotiating the Postfix SMTP client TLS session. File: + smtp/smtp_proto.c. + +20091113 + + Workaround: skip interfaces without netmask, to avoid + segfaults (reported by Dmitry Karasik). Don't supply a dummy + null netmask, as that would turn Postfix into an open relay + (mynetworks = 0.0.0.0/0). File: util/inet_addr_local.c. + + Bugfix: forgot to flush output to the smtpd_proxy speed-adjust + buffer before truncating the file. Reported by Mark Martinec, + fix by Victor Duchovni. File: smtpd/smtpd_proxy.c. + +20091114 + + Feature: specify "smtp_reply_filter = pcre:/file/name" to + replace remote SMTP server reply lines before they are + parsed by the Postfix SMTP client. This a last-resort tool + to fix inter-operability problems. See examples in the + postconf(5) manual page. File: smtp/smtp_chat.c. + + Safety: don't send postmaster notifications to report + problems delivering (possible) postmaster notifications. + File: smtp/smtp_connect.c. + +20091121 + + Feature: sender_dependent_default_transport_maps, to override + the default transport in a sender-dependent manner. This + is not a transport_maps override, and therefore it does not + use the transport_maps syntax for null transport, null + nexthop, or null email address. + +20091127 + + Usability: the Postfix SMTP client now logs a warning that + wrappermode TLS is not supported, when configured to connect + to port smtps/465. File: smtp/smtp_connect.c. + +20091203 + + Safety: the postscreen daemon logs a warning when table + lookup is slow. Slow lookups cause postscreen to fall behind, + and worse, to catch up in bursts, which results in overload + elsewhere. File: postscreen/postscreen.c. + +20091206 + + Feature: by popular demand, the Postfix SMTP server now + logs the before-queue content filter's end-of-message + accept/reject response. File: smtpd/smtpd.c. + +20091209 + + Portability: as the result of continuous improvement, + Berkeley DB no longer allows fork-then-close. File: + postscreen/postscreen.c. + + Bugfix: sender_dependent_relayhost_maps did not reject an + empty lookup result, and did not recognize lookup errors, + thus treating errors as "not found". Problem found during + code maintenance. File: trivial-rewrite/resolve.c. + + Cleanup: the postscreen daemon now applies the permanent + whitelist first. It is a safety feature that prevents mail + from being blocked. File: postscreen/postscreen.c. + +20091224 + + Bugfix (introduced 20041215): dict_dbm_sequence() did not + release the shared lock when the end of the sequence was + reached. File: util/dict_dbm.c. + +20091227 + + Cleanup: postscreen and verify periodic cache cleanup + (default: 12 hours after the previous cache cleanup run). + This is based on a new dict_cache(3) module that implements + a generalized version of the tlsmgr(8) cache maintenance + code. Once the new dict_cache(3) code is burned in, the + tlsmgr(8) will be migrated to it. See the RELEASE_NOTES for + user interface details. Files: util/htable.[hc], util/dict_ht.c, + util/dict_cache.[hc], postscreen/postscreen.c, verify/verify.c. + + Bugfix: the event handler starved I/O events when a timer + call-back routine scheduled a zero-delay timer request. + This bug was exposed when adding the new dict_cache(3) + module for cache expiration. File: util/events.c. + +20091228 + + Cleanup: postscreen and verify periodic cache cleanup is + now optional (specify a null time interval between cache + cleanup runs). + +20091229 + + Cleanup: the address_verify_poll_count default parameter + value is now stress-dependent, so that the Postfix SMTP + server will not wait (up to 6 seconds) for the address + verification result. File: global/mail_params.h. + + Final solution for the I/O event starvation problem when a + timer call-back schedules a zero-delay timer request. File: + util/events.c. + +20091231 + + Cleanup: the non-shared, in-memory hash table is now + accessible as the "internal:" map type. This simplifies + code by eliminating some special cases. Files: util/dict_ht.c, + util/dict_open.c, and documentation. + +20100101 + + Bugfix: the mantools/postlink script applied hyperlinks + for the "virtual:" transport to "/etc/postfix/virtual:". + Symptom reported by Christoph Anton Mitterer. + +20100102 + + Workaround: don't report bogus Berkeley DB close errors as + fatal errors. All operations before close are already error + checked, so the data is known to be safe. File: util/dict_db.c. + +20100107 + + Documentation: the access(5) manual page did not document + the "send 521 and disconnect" behavior in the Postfix SMTP + server (introduced with Postfix 2.6). File: proto/access. + + Bugfix: the pickup daemon did not discard messages that + were requeued after all recipients were delivered (or + bounced), and the cleanup server tried to bounce such + messages. Files: pickup/pickup.c, global/cleanup_user.h. + + Future proofing: redundant code in postdrop to reject a + submission without recipient record. File: postdrop/postdrop.c. + +20100109 + + Cleanup: "postcat -q" will now access files in the "saved" + queue directory (for corrupted queue files). As before, the + "postsuper" command will not, to avoid suddenly deleting + such files. Files: global/mail_queue.h postcat/postcat.c. + +20100113 + + Cleanup: don't supply the "-o stress" command-line option + with a single-process service. File: master/master_ent.c. + +20100115 + + Bugfix: the valid_hostname() fuction did not set the + "non-numeric" flag after encountering the '-' character. + Reported by Jan Schampera. File: util/valid_hostname.c. + +20100116 + + Documentation: the content_filter and FILTER features never + supported the special cases of transport_maps. References + to transport_maps syntax are now removed from content filter + discussions. Files: proto/postconf.proto, proto/FILTER_README. + + Workaround: as of Postfix 2.3 the VRFY command did not allow + a mailbox address inside <>, which broke expectations. RFC + 2821 (and 5321) is vague about the VRFY request format, but + spends lots of text on the reply format. File: smtpd/smtpd.c. + +20100117 + + Cleanup: when a content_filter parameter or FILTER command + specifies an empty next-hop destination, the queue manager + now uses the recipient domain instead of $myhostname. Specify + "default_filter_nexthop = $myhostname" for compatibility + with Postfix 2.6 and earlier, or specify a non-empty next-hop + filter destination. Files: *qmgr/qmgr_message.c proto/access, + proto/header_checks, proto/postconf.proto, proto/FILTER_README. + +20100120 + + Cleanup: detect illegal pipelining after HELO, EHLO. File: + smtpd/smtpd.c. + +20100128 + + Documentation: streamlined the decriptions of protocol and + cipher tweaks. Victor Duchovni. Files: proto/TLS_README, + proto/postconf.proto. + +20100131 + + Documentation: the address verification database is now + persistent by default. This, combined with the now default + stress-dependent configuration, improves the performance + limits and simplifies database maintenance. Files: + proto/ADDRESS_VERIFICATION_README, verify/verify.c. + + Cleanup: undo the proxymap and trivial-rewrite max_idle=1s + override that was introduced with Postfix 2.3. It did not + help to retire long-lived proxymap or trivial-rewrite + processes on busy servers, and worsened performance on + low-traffic servers. The reduced ipc_ttl value (introduced + with Postfix 2.4) already solves the problem of retiring + long-lived proxymap or trivial-rewrite processes. Files: + proxymap/proxymap.c, trivial-rewrite/trivial-rewrite.c. + +20100202 + + Documentation: major revision of SASL_README with many + details on how to configure Cyrus SASL internals. Patrick + Koetter. File: proto/SASL_README.html + +20100204 + + Feature: added "forward_secrecy" option for Cyrus SASL. + File: xsasl/xsasl_cyrus_security.c. + +20100206 + + Bugfix (from day zero): the local delivery agent returned + undeliverable mail to the envelope sender instead of the + owner- alias, when delivering to command or file. This + reuses the workaround that was implemented to report a + Delivered-To: loop. Files: local/file.c, local/command.c, + local/recipient.c, local/bounce_workaround.c. + +20100209 + + The tcp_table(5) interface is now part of the stable release. + The last protocol change was in Postfix 2.1. File: + util/dict_open.c. + +20100305 + + Feature: reject_rhsbl_reverse_client, to reject a remote + SMTP client based on its unverified reverse hostname. Code + by Noel Jones. Files: smtpd/smtpd_check.c, proto/postconf.proto. + + Feature: smtp_address_preference (default: ipv6) to control + the order in which the Postfix SMTP client will connect to + a destination that has IPv6 and IPv4 addresses with equal + MX preference. Files: global/mail_params.h, smtp/smtp.c, + smtp/smtp_params.c, smtp/smtp_addr.c, dns/dns_rr.c, + and documentation. + +20100321 + + Feature: allow Milter applications to use a lower protocol + version than the version that Postfix is configured for. + Based on an idea by Kouhei Sutou. File: milter/milter8.c. + +20100322 + + Bugfix (introduced 20100305) the new smtp_address_preference + feature was not tested with LMTP support. Problem reported + by Stefan Foerster. File: smtp/smtp.c. + +20100407 + + Bugfix (introduced 20100305): reject_rhsbl_reverse_client + was skipped if the forward-confirmed reverse DNS (FCRDNS) + remote SMTP client hostname was "unknown". Victor Duchovni. + File: smtpd/smtpd_check.c. + +20100422 + + Workaround (introduced: postfix-19990906 a.k.a. Postfix + 0.8.0). The Postfix local delivery agent did not properly + distinguish between "address has no extension" and "address + has an extension, but the extension is invalid". In both + cases it would run only the full recipient local-part through + the alias maps. Instead, it now drops the faulty extension + from the recipient address local-part (it would be too + error-prone to replace all tests for "no extension" by tests + for "no valid extension". File: local/recipient.c. + +20100430 + + Feature: customized hard/soft reject responses by Jason + Parsons. File: smtpstone/smtp-sink.c. + +20100515 + + Bugfix (introduced Postfix 2.6): the Postfix SMTP client + XFORWARD implementation did not skip "unknown" SMTP client + attributes, causing a syntax error when sending a PORT + attribute. Reported by Victor Duchovni. File: smtp/smtp_proto.c. + +20100526 + + Cleanup: a unit-test driver was not updated after an internal + API change. Vesa-Matti J Kari File: milter/milter.c. + +20100529 + + Portability: OpenSSL 1.0.0 changes the priority of anonymous + cyphers. Victor Duchovni. Files: postconf.proto, + global/mail_params.h, tls/tls_certkey.c, tls/tls_client.c, + tls/tls_dh.c, tls/tls_server.c. + + Portability: Mac OS 10.6.3 requires <arpa/nameser_compat.h> + instead of <nameser8_compat.h>. Files: makedefs, util/sys_defs.h, + dns/dns.h. + +20100531 + + Robustness: skip LDAP queries with non-UTF-8 search strings + (in anticipation of UTF8SMTP support). File: global/dict_ldap.c. + + Strict UTF-8 validator per RFC 3629. File: util/valid_utf8_string.c. + +20100601 + + Cleanup: Postfix LDAP client support for RFC 2255 LDAP URLs. + Victor Duchovni. Files: proto/ldap_table global/dict_ldap.c. + + Safety: Postfix processes log a warning when a matchlist + has a #comment at the end of a line (for example mynetworks + or relay_domains). File: util/match_list.c. + + Portability: Berkeley DB 5.x has the same API as Berkeley + DB 4.1 and later. File: util/dict_db.c. + +20100610 + + Bugfix (introduced Postfix 2.2): Postfix no longer appends + the system default CA certificates to the lists specified + with *_tls_CAfile or with *_tls_CApath. This prevents + third-party certificates from getting mail relay permission + with the permit_tls_all_clientcerts feature. Unfortunately + this may cause compatibility problems with configurations + that rely on certificate verification for other purposes. + To get the old behavior, specify "tls_append_default_CA = + yes". Files: tls/tls_certkey.c, tls/tls_misc.c, + global/mail_params.h. proto/postconf.proto, mantools/postlink. + +20100615 + + Cleanup: the master no longer logs "process P killed with + signal S" when it shuts down a running service (for example, + the service is removed from master.cf, or the service is + disabled via the main.cf master_service_disable parameter). + File: master/master_spawn.c. + +20100617 + + Feature: read-only sqlite support based on code by Axel + Steiner and documentation by Jesus Garcia Crespo. Files: + conf/postfix-files, mantools/postlink, proto/DATABASE_README.html, + proto/Makefile.in, proto/INSTALL.html, proto/mysql_table, + proto/pgsql_table, proto/sqlite_table, proto/SQLITE_README.html, + global/Makefile.in, global/mail_dict.c, global/dict_sqlite.c, + global/dict_sqlite.h, postconf/postconf.c, postfix/postfix.c. + +20100618 + + Cleanup: SQLite read-only driver and documentation. Files: + global/dict_sqlite.c, proto/mysql_table, proto/SQLITE_README.html. + +20100707 + + Completed the 20100610 bugfix. File: tls/tls_misc.c. + +20100714 + + Compatibility with Postfix < 2.3: fix 20061207 was incomplete + (undoing the change to bounce instead of defer after + pipe-to-command delivery fails with a signal). Fix by Thomas + Arnett. File: global/pipe_command.c. + +20100715 + + Convenience: "postconf name=value ..." is now equivalent to + "postconf -e name=value ...". File: postconf/postconf.c. + +20100724 + + Feature: INFO header/body_checks action for non-warning + messages (for example, to log all Milter-inserted headers). + File: global/header_body_checks.c, proto/header_checks. + + Cleanup: after-filter Postfix SMTP servers now log before-filter + queue IDs. For this, the XFORWARD protocol was extended + with an IDENT attribute for the before-filter queue ID. + This code was started in Postfix 2.1, but it was never + finished due to time constraints. Files: smtpd/smtpd.[hc] + smtpd/smtpd_proxy.c, smtpd/smtpd_sasl_proto.c, + *qmgr/qmgr_message.c, *qmgr/qmgr_deliver.c, + global/deliver_request.[hc], global/mail_proto.h, + global/deliver_pass.c, smtp/smtp_proto.c. + +20100727 + + Bugfix: the milter_header_checks parser provided only the + actions that change the message flow (reject, filter, + discard, redirect) but disabled the non-flow actions (warn, + replace, prepend, ignore, dunno, ok). File: + cleanup/cleanup_milter.c. + +20100827 + + Performance: fix for poor smtpd_proxy_filter TCP performance + over loopback (127.0.0.1) connections. Problem reported by + Mark Martinec. Files: smtpd/smtpd_proxy.c. + + Bugfix: the Postfix SMTP client no longer appends the local + domain when looking up a DNS name without ".". Specify + "smtp_dns_resolver_options = res_defnames" to get the old + behavior, which can produce unexpected results. Files: + smtp/smtp.c, smtp/smtp_params.c, smtp/smtp_addr.c. + +20100828 + + Refactoring: postscreen source code broken up into multiple + files, and identifiers updated to match changes in their + purpose. This will be the baseline for adding support for + DNSBL weighting, then a dummy engine to collect forensic + evidence with the option of future protocol checks. Files: + postscreen/*.[hc], Makefile.in. + +20100829 + + Postscreen DNSBL support for optional fixed-string filters + and optional integral weight factors (use negative weights + for whitelisting). See RELEASE_NOTES and postconf(5) for + details. Files: postscreen/postscreen_dnsbl.c, + proto/postconf.proto, mantools.postlink, global/mail_params.h. + + Incompatibility: the postscreen-to-dnsblog protocol was + changed to support DNSBL query result filters. Use "postfix + reload" after installing the new version otherwise the + dnsblog(8) server may complain. + +20100830 + + Polished the postscreen documentation and comments to clarify + the user interface and implementation. No code changes. + +20100831-910 + + Restructured postscreen and added support for a dummy SMTP + protocol engine. This engine logs rejected attempts to + deliver mail with helo/sender/recipient information, and + implements deep protocol tests. The first deep protocol + test is for command pipelining, where a client sends multiple + commands instead of waiting for the server to respond to + each command. The second one implements the Postfix SMTP + server's smtpd_forbidden_commands feature. Files: + postscreen/*.[hc]. See RELEASE_NOTES, postconf(5) and + postscreen(8) for incompatibilities, features, and configuration + parameters. + +20100910 + + Feature: boolean configuration parameters with string-valued + defaults, so that they can be subject to macro expansions. + This was needed to make some postscreen parameter defaults + to the values of the corresponding smtpd parameters. Files: + global/mail_conf.h, global/mail_conf_nbool.c, + master/event_server.c, master/mail_server.h, master/multi_server.c, + master/single_server.c, master/trigger_server.c, + postconf/extract.awk, postconf/postconf.c. + +20100911 + + Feature: texthash read-only database. This is similar to + hash: files, except that you don't need to run the postmap(1) + command before you can use the file, and that it does not + detect changes after the file is read. All information is + read into memory. Files: util/dict_open.c, util/dict_thash.[hc], + proto/DATABASE_README.html, postconf/postconf.c + +20100912 + + Feature: bare newline detection in postscreen. Real spambots + don't make this mistake anymore, but poorly-written software + still does. File: postscreen/smtpd.c. + + Documentation: POSTSCREEN_README including instructions for + turning postscreen(8) on without blocking mail, and more. + Trimmed the text in the postscreen(8) manpage. File: + proto/POSTSCREEN_README.html, postscreen/postscreen.c. + +20100914 + + Cleanup: the "postscreen_greet_wait" delay now ends as soon + as both the pregreet and DNSBL tests complete (the postscreen + documentation mentions in history/credits that the program + started as a crude prototype). The default postscreen_dnsbl_ttl + caching time is now reduced to 1h from 24h, allowing + postscreen to catch up on DNSBL updates more quickly. If + this increases the database update frequency too much then + we'll need to make dnsbl result non-cachable. Files: + postscreen/postscreen_dnsbl.c, global/mail_params.h. + +20100915 + + Bugfix (introduced 20100914): missing precondition for + call-back notification. File: postscreen/postscreen_dnsbl.c. + + Bugfix (introduced 20100914): the "postscreen_greet_wait" + delay speedup worked only for DNSBL listed sites. File: + postscreen/postscreen_dnsbl.c. + + Workaround: better handling of pregreeting spambots. The + postscreen built-in SMTP engine no longer sends a 220 banner + to a client that falls into the pregreet trap. This eliminates + many "NON-SMTP COMMAND" records in postscreen logging, as + the SMTP client and server no longer get out of sync. It + also results in better logging of sender/recipient information. + File: postscreen/postscreen_smtpd.c. + +20100916 + + Cleanup: postscreen now uses the first responding DNSBL + name in the "5.7.1 Service unavailable" reply, instead of + the last responding one. File: postscreen/postscreen_dnsbl.c. + + Cleanup: the 20100914 "postscreen_greet_wait" speedup did + not happen as often as it should, because some older code + still turned on PREGREET tests gratuitously, causing a full + greet-wait delay. File: postscreen/postscreen_tests.c. + + Cleanup: to avoid "address in use" problems, postscreen now + closes the listening socket after "postfix stop". It also + closes the socket after "postfix reload" but that does not + hurt. Files: master/event_server.c, master/multi_server.c. + + Cleanup: postscreen now logs CONNECT and DISCONNECT events. + Files: postscreen/postscreen.c, postscreen/postscreen_misc.c. + +20100917 + + Bugfix: cut-and-paste error. Postscreen used pregreet_ttl + instead of dnsbnl_ttl. File: postscreen/postscreen_early.c. + +20100920 + + Cleanup: minor cleanups and invisible fixes. Files: + postscreen/postscreen_misc.c, postscreen/postscreen.h, + postscreen/postscreen_tests.c. + + Feature: preliminary postscreen penalty mechanism. Basic + idea: when a client exceeds some threshold, don't allow it + to pass any tests until the penalty expires. Penalties + provide a way to slow down clients without blocking mail + permanently. Files: postscreen/postscreen_misc.c, + postscreen/postscreen_tests.c, postscreen/postscreen.c. + + A first application of the postscreen penalty mechanism + triggers on clients that make brief connections to find out + if the mail server is up. With "postscreen_early_hangup_penalty + = 600" they will disqualify themselves for 10 minutes. + Unfortunately, this behavior is used by legitimate bulk + mail services. This application was removed 20101103. The + penalty mechanism itself is left in place as #ifdef NONPROD. + +20100923 + + Cleanup: renamed MUMBLE_FLAG_MUMBLE aggregates to + MUMBLE_MASK_MUMBLE for consistency with other Postfix code. + Files: postscreen/*.[hc]. + +20100930 + + Cleanup: flag PIPELINING errors with NOOP and VRFY. File: + smtpd/smtpd.c. + +20101006 + + Bugfix (introduced: 20100914) dangling pointer when a client + makes N > 1 simultaneous connections and closes M < N + connections before postscreen has delivered the DNSBL score + to the corresponding pseudothreads. In practice the pointer + will refer to a block of 0xff bytes; the program terminates + with a segmentation violation, and is restarted immediately + by the master daemon. Files: postscreen/postscreen_early.c, + postscreen/postscreen_dnsbl.c. + + Cleanup: avoid repeated delivery to mailing list members + with pathological nested alias configurations. The local(8) + delivery agent now keeps the owner-alias attribute of the + parent alias, when delivering mail to a child alias that + does not have its own owner alias. With this change, local + addresses from that child alias will be written to a new + queue file, and a temporary error with one local address + will no longer result in repeated delivery to other mailing + list members. Specify "reset_owner_alias = yes" for the + older behavior. File: local/alias.c. + +20101007 + + Bugfix (introduced: 2100923): duplicate "PASS OLD" logging. + File: postscreen/postscreen_misc.c. + +20101008 + + Cleanup: dnsblog now logs "addr X listed by domain Y as Z" + instead of "addr X blocked by domain Y as Z", because the + service may be used for whitelist lookups. File: + dnsblog/dnsblog.c. + +20101023 + + Cleanup: don't apply reject_rhsbl_helo to non-domain forms + such as network addresses. This would cause false positives + with dbl.spamhaus.org. File: smtpd/smtpd_check.c. + +20101103 + + Cleanup: new qmgr_ipc_timeout parameter (default: 60s) to + override the system-wide ipc_timeout setting (default: + 3600s). The shorter timeout allows the queue manager to + reset a deadlocked IPC connection before the watchdog timer + goes off. Files: *qmgr/qmgr.c. + + Cleanup: new qmgr_daemon_timeout parameter (default: 1000s) + to make the hard-coded 1000s watchdog timeout configurable. + Files: *qmgr/qmgr.c. + + Cleanup: request default DSN notification when adding a + recipient with smfi_addrcpt, instead of requesting "never + notify" as with Postfix automatically-added BCC recipients. + Files: cleanup/cleanup_addr.c, cleanup/cleanup.h, + cleanup/cleanup_milter.c. + +20101105 + + Feature: DNS whitelist support in the Postfix SMTP server. + permit_dnswl_client whitelists a client by IP address, and + permit_rhswl_client whitelists a client by its hostname. + The syntax is the same as reject_rbl_client etc., but the + result is PERMIT instead of REJECT. For safety reasons, + permit_xxx_client are silently ignored when they would + override reject_unauth_destination. The result is + DEFER_IF_REJECT when DNSWL lookup fails. The implementation + is based on a design documented by Noel Jones (August 2010). + File: smtpd/smtpd_check.c. + +20101108 + + Workaround: strip off IPv6 datalink suffix from peer address + to avoid problems with strict address checking code. Files: + smtpd/smtpd_peer.c, qmqpd/qmqpd_peer.c. + +20101114 + + Robustness: postscreen(8) now implements a time limit on + reading an entire command, instead of a time limit for + reading individual characters. File: postscreen/postscreen_smtpd.c. + +20101023 + + Cleanup: don't apply reject_rhsbl_helo to non-domain forms + such as network addresses. This would cause false positives + with dbl.spamhaus.org. File: smtpd/smtpd_check.c. + +20101117 + + Bugfix: the "421" reply after Milter error was overruled + by Postfix 1.1 code that replied with "503" for RFC 2821 + compliance. We now make an exception for "final" replies, + as permitted by RFC. Solution by Victor Duchovni. File: + smtpd/smtpd.c. + +20101124-6 + + Feature: pattern matching for DNSWL/DNSBL responses. For + example, with "reject_rbl_client example.com=d.d.d.d", each + "d" can now be a pattern inside "[]" that contains one or + more comma-separated decimal numbers or number..number + ranges. Files: smtpd/smtpd_check.c, postscreen/postscreen_dnsbl.c, + util/ip_match.c, util/ip_match.h. + +20101126 + + Cleanup: don't log "blocked using example.com=127.0.0.1", + just log the domain name. File: smtpd/smtpd_check.c. + +20101129 + + Cleanup: postscreen_client_connection_count_limit (default: + $smtpd_client_connection_count_limit) to limit the number + of connections from the same IP address to the postscreen(8) + daemon. Files: postscreen/postscreen.c, postscreen/postscreen.h, + postscreen/postscreen_state.c. + +20101130 + + Cleanup: all postscreen(8) logging now reports the client + as [address]:port. This requires an update of tools that + process postscreen logging. Files: postscreen/*.c, + proto/POSTSCREEN_README.html. + + Cleanup: polishing recent documentation and code. Files: + postscreen/postscreen_dnsbl.c, util/ip_match.c. + +20101201 + + Bugfix (introduced 20101129): broken default value for + postscreen_client_connection_count_limit if the + smtpd_client_connection_count_limit parameter was left at + its default. File: postscreen/postscreen.c. + + Workaround: BSD-ish mkdir() ignores the effective GID + and copies group ownership from the parent directory. + File: util/make_dirs.c. + +20101202 + + Feature: the LDAP client can now authenticate to LDAP servers + via SASL. This is tested with SASL GSSAPI and Kerberos 5. + Original code by Quanah Gibson-Mount adapted by Victor + Duchovni. Files: global/dict_ldap.c, proto/LDAP_README.html, + proto/ldap_table. + + Cleanup: the cleanup server now reports a temporary delivery + error when it reaches the virtual_alias_expansion_limit or + virtual_alias_recursion_limit. Previously, it would silently + ignore the excess recipients and deliver the message. File: + cleanup/cleanup_map1n.c. + +20101205 + + Cleanup: sache_clnt_create() had an unnecessary data + dependency on the non-library var_scache_service variable, + causing problems with shared library builds. Instead, it + should use its service argument (which has the same value). + File: global/scache.c. + + Cleanup: pipe_command.c had an unnecessary data dependency + on the non-library var_command_maxtime variable, causing + problems with shared library builds. The dependency was not + necessary because the callers already specify an explicit + time limit. File: global/pipe_command.c. + +20101206 + + Bugfix (introduced 20101205): postscreen hung up due to + incorrect output error test. File: postscreen/postscreen_send.c. + +20101207 + + Cleanup: the undisclosed_recipients_header default value + is now the empty string. The Internet mail RFCs have supported + messages without recipient header for almost 10 years now. + File: global/mail_params.h. + + Cleanup: use strtol() instead of sscanf() for consistent + handling of out-of-range numbers. Files: global/cfg_parser.c, + global/conv_time.c, global/mail_conf_int.c, + global/mail_conf_long.c, global/mail_conf_nint.c. + +20101217 + + Cleanup: eliminated the code that copied TLS protocol + messages between the OpenSSL TLS engine and the network. + This change hopefully simplifies the TLS library enough + that it can be used in an event-driven TLS proxy in front + of postscreen. Files: tls/tls_bio.c, tls/tls_server.c, + tls/tls_client.c. + + This change eliminates an obscure bug where the SMTP server + would wait for another $smtpd_timeout seconds after sending + the "421 Error: timeout exceeded" message to the client. + +20101221 + + Cleanup: simplified the VSTREAM "large buffer" support by + dropping the Postfix 2.4 "binary compatibility" requirement. + Files: util/vstream.c, util/vstream.h. + +20101222 + + Cleanup: the SMTP client PIPELINING code did not account + for TLS protocol overhead. This could (only in theory) + result in deadlock when the remote SMTP server announces a + very small receive window after the client and server have + synchronized their SMTP state. Victor Duchovni. File: + smtp/smtp_proto.c. + +20101223 + + Feature: with "tls_preempt_cipherlist = yes" the Postfix + SMTP server will preempt the remote SMTP client's cipher + preference order. This requires OpenSSL 0.9.7 and later. + Victor Duchovni. Files: src/smtpd/smtpd.c, src/tls/tls_server.c, + proto/TLS_README.html, proto/postconf.proto. + + Future proofing: specify "tls_disable_workarounds = a list + or bit-mask of OpenSSL bug work-arounds to disable". This + may become necessary when a bug workaround is found to cause + problems (security or interoperability). Victor Duchovni. + Files: tls/tls_misc.c, proto/TLS_README.html, proto/postconf.proto. + + Infrastructure: extended name_mask module feature set with + extensive documentation and 32-bit regression tests. Victor + and Wietse. File: util/name_mask.[hc]. + +20101224 + + Cleanup: sanitized the name_mask API so that errors will be + ignored only upon explicit request. Files: util/name_mask.[hc], + src/global/ehlo_mask.c, src/smtp/smtp_proto.c, + src/util/name_mask.c, src/xsasl/xsasl_dovecot_server.c. + + Cleanup: more TLS overhead horrors for the SMTP client's + PIPELINING engine. Wietse and Victor. File: smtp/smtp_proto.c. + +20101226 + + Cleanup: the SMTP client logic for pipelining the "." and + "QUIT" commands was bogus - the pipelining engine could not + know how much unacknowledged data is pending in the local + TCP stack. We now ignore the buffer check for sending + "QUIT" after ".". Wietse and Victor. File: smtp/smtp_proto.c. + +20110101 + + Cleanup: the Postfix SMTP server now always refreshes the + SASL authentication mechanism list after STARTTLS. Some + Dovecot versions may change their responses when they know + that the SMTP connection is encrypted. File: smtpd/smtpd.c. + + Cleanup: the smtpd_starttls_timeout default value is now + stress-dependent. Files: global/mail_params.h, + proto/postconf.proto. + + Compatibility: postscreen_discard_ehlo_keyword(s|maps) + support for compatibility with smtpd_discard_ehlo_keyword(s|maps). + Files: postscreen/postscreen_smtpd.c. + +20110102 + + Feature: STARTTLS support for the postscreen(8) daemon. + With early testing feedback from Victor Duchovni and Ralf + Hildebrandt. Files: postscreen/postscreen_smtpd, + postscreen/postscreen_starttls.c. + + Feature: event-driven tlsproxy(8) daemon that translates + TLS <=> plaintext for postscreen(8). One tlsproxy(8) process + can translate traffic for multiple remote SMTP clients. + With early testing feedback from Victor Duchovni and Christian + Roessner. Files: util/nbbio.[hc], tlsproxy/*.[hc], + postscreen/postscreen_starttlsd.c, postscreen/postscreen_smtpd.c. + +20110103 + + Cleanup: missing tls_level support in tlsproxy (it has no + way to send plaintext, but perhaps an informative error + message is in order anyway). File: tlsproxy/tlsproxy.c. + + Cleanup: simplified the handling of throttled output (i.e. + output that can't be sent because the receiver tries to be + nasty). File: postscreen/postscreen_send.c. + +20110104 + + Feature: add contact information to each SMTP server reject + message. For example, "smtpd_reject_footer = call 800-555-0101 + for assistance", with macro expansion and with multi-line + support. Files: global/mail_params.h, mantools/postlink, + proto/postconf.proto, smtpd/smtpd.c, smtpd/smtpd_chat.c, + smtpd/smtpd_expand.[hc], util/mac_expand.[hc]. + +20110105 + + Cleanup: the forest of TLS-related booleans was shrunk. + Victor Duchovni. Files: smtpd/smtpd.c, postscreen/postscreen.c, + postscreen/postscreen_smtpd.c, tlsproxy/tlsproxy.c. + + Non-production: tlsproxy support in the Postfix SMTP server + for stress testing of the tlsproxy daemon (#ifdef TLSPROXY). + Seen from outside, Postfix works just as if it has TLS + support built into in smtpd(8). Files: smtpd/smtpd.c, + tls/tls_proxy*.[hc], tlsproxy/tlsproxy.c, util/vstream.[hc]. + + Bugfix (introduced with the Postfix TLS patch): discard + plaintext following the STARTTLS command or response. This + matters only for the minority of SMTP clients that actually + verify server certificates. Files: smtpd/smtpd.c, + smtp/smtp_proto.c. + +20110106 + + Non-production: cleaned up the tlsproxy support in the + Postfix SMTP server for stress testing of the tlsproxy + daemon (still #ifdef TLSPROXY). File: smtpd/smtpd.c. + +20110107 + + Cleanup: smtpd_reject_contact_information is renamed to + smtpd_reject_footer, because it can be used for non-contact + information. + + Compatibility: postscreen_reject_footer support for + compatibility with smtpd_reject_footer. Files: + global/smtp_reply_footer.[hc], global/mail_conf.[hc], + postscreen/postscreen_expand.c, postscreen/postscreen_send.c, + postscreen/postscreen.c, smtpd/smtpd_chat.c. + + Compatibility: postscreen_command_filter support for + compatibility with smtpd_command_filter. Files: + postscreen/postscreen_dict.c, postscreen/postscreen_smtpd.c + +20110108 + + Cleanup: postscreen(8) now displays control characters in + PREGREET responses as C-style \letter escapes, instead of + "?". File: postscreen/postscreen_early.c. + +20110109 + + Cleanup: Solaris support for "pass" (file descriptor passing + based) services in master.cf. This was needed by postscreen(8). + Also, renamed upass_xxx.c to unix_pass_xxx.c. One-character + prefixes are too short. Removed upass_connect.c because it + was useless code. Files: util/stream_pass_connect.c, + util/unix_pass_listen.c, util/unix_pass_trigger.c. + + Bugfix (introduced Postfix 2.4): on Solaris the Postfix + event engine was deaf for SIGHUP and SIGALRM signals after + the switch to /dev/poll. Symptoms were delayed "postfix + reload" response, and killed processes when the watchdog + timeout was less than max_idle. The fix is to set up SIGHUP + and SIGALRM handlers that write to a pipe, and to monitor + that pipe for read events via the Postfix event engine. + Files: master/master_sig.c, util/watchdog.c, util/sys_defs.h. + +20110111 + + Cleanup: replaced the postscreen(8) separate blacklist and + whitelist lookup tables by one postscreen_access_list table. + See postconf(5) and POSTSCREEN_README for examples. Files: + postscreen/postscreen_access.c, postscreen/postscreen.c, + proto/postconf.proto, proto/POSTSCREEN_README.html. + +20110112 + + Cleanup: suspend/resume logic for postscreen(8) SMTP sessions + that temporarily switch control to an external program such + as tlsproxy, or perhaps a future policy plugin. Files: + postscreen/postscreen_smtpd, postscreen/postscreen_starttls.c. + +20110113 + + Cleanup: ps_cache and psc_cache are now postscreen_cache. + There is no need for obscure name abbrevations. File: + src/global/mail_params.h. + +20110115 + + Workaround: malloc fuzz (safety margin for malloc requests). + Files: util/sys_defs.h, util/mymalloc.c. + + Cleanup: dnsblog_service_name and tlsproxy_service_name are + now configurable, in case someone needs this. Files: + global/mail_params.h, postscreen/postscreen.c, mantools/postlink, + proto/postconf.proto. + +20110116 + + Cleanup: soft_bounce support for postscreen(8). Files: + postscreen/postscreen_smtpd.c, postscreen/postscreen_send.c. + + Cleanup: for smtpd(8) compatibility, postscreen(8) now + strips deprecated route address prefixes from email addresses + (@here,@there:user@example becomes user@example). This is + primarily to make postscreen(8) logging more similar to + that of smtpd(8). File: postscreen/postscreen_smtpd.c. + + Cleanup: documentation, in preparation for the Postfix 2.8 + stable release. + +20110117 + + Bugfix (introduced Postfix alpha, or thereabouts): on HP-UX + the Postfix event engine was deaf for SIGALRM signals. + Symptoms were killed processes when the watchdog timeout + was less than max_idle. The fix is the same as Solaris fix + 20110109. Since we can't know what other systems need this, + the workaround is enabled by default. Files: util/sys_defs.h. + + Cleanup: "smtpd_tls_eecdh_grade = strong" by default, instead + of snapshot-only. File: global/mail_params.h, proto/postconf.proto. + + Cleanup: missing "#include <errno.h>" in util/watchdog.c. + + Bugfix: when compiled without -DUSE_TLS, tlsproxy used the + wrong server skeleton (multi_server instead of event_server). + File: tlsproxy/tlsproxy.c. + + Workaround: added a panic check for code that is mis-compiled + by the HP-UX compiler. File: postscreen/postscreen.c, + postscreen/postscreen.h, postscreen/postscreen_state.c. + +20110118 + + Bugfix: the tls_disable_workarounds word list only included + workarounds in SSL_OP_ALL. Problem report by Steve Jenkins, + problem fix by Victor Duchovni. File: tls/tls_misc.c. + + Last-minute incompatible syntax change: Postfix now uses + ";" instead of "," to separate DNSBL/DNSWL address filter + fields inside "[]". The compatibility break is not an issue, + because the syntax never worked in main.cf. Problem reported + by Mark Martinec. Files: util/ip_match.c, util/ip_match.in, + util/ip_match.ref, proto/postconf.proto. + + Cleanup: postscreen now monitors the AVERAGE latency of + table access, and complains at most once per minute. File: + postscreen/postscreen_dict.c. + + Bugfix: support for the "dunno" command somehow disappeared + from the postscreen_access_list implementation. File: + postscreen/postscreen_access.c. + +20110123 + + Feature: read/write deadlines. Deadlines were introduced + with postscreen's dummy SMTP engine. In the Postfix SMTP + client and server, deadlines limit the total amount of time + to read or write one command line, one response line, or + one line of message content. This reduces the impact of + application exhaustion attacks that trickle data one byte + at a time. Files: util/vstream.[hc], global/smtp_stream.c. + + Cleanup: remove #ifdef MIGRATION_WARNING transitional code + from postscreen. File: postscreen/postscreen.c. + +20110125 + + Cleaned up and finalized read/write deadline support. Once + this code has been fielded it can go into Postfix 2.8.1, + and made available as optional patch for earlier releases. + Further refinements have only diminishing returns and can + evolve in the 2.9 release cycle. File: util/vstream.c. + +20110128 + + Infrastructure: separate VSTREAM flags for read or write + errors. Files: util/vbuf.[hc], util/vstream.[hc]. + + Cleanup: after write error, the smtp_stream routines now + disable further network writes. This eliminates the need + for clumsy code to avoid unwanted I/O while shutting down + a TLS engine or closing a VSTREAM. File: util/smtp_stream.c. + +20110201 + + Cleanup: when verifying that the client_address->client_name + lookup result resolves to the client_address, request + hostname->address lookup with the same protocol family (IPv4 + or IPv6) as the client_address. Files: util/myaddrinfo.[hc], + smtpd/smtpd_peer.c, qmqpd/qmqpd_peer.c. + +20110205 + + Infrastructure: vstream_peek_data() primitive to look ahead + at buffered input. Use vstream_peek() to find out how much, + and escape() for human presentation. Files: util/vstream.[hc]. + + Cleanup: smtpd(8) and postscreen(8) now log the input that + triggers an SMTP command pipelining violation. File: + postscreen/postscreen_smtpd.c, smtpd/smtpd.c. + + Infrastructure: smtp_get() option to skip over input in + excess of the line length limit. Files: smtp/smtp_stream.[hc]. + + Cleanup: handle excessively-long client requests and server + responses more gracefully, i.e. without losing synchronization. + Files: smtpd/smtpd_chat.c, smtpd/smtpd_proxy.c, smtp/smtp_chat.c, + smtpstone/smtp-source.c. + +20110207 + + Bugfix (introduced Postfix 2.8): segfault with smtpd_tls_loglevel + >= 3. Files: tls/tls_server.c, tls.h, smtpd.c, tlsproxy.c. + + Cleanup: read/write deadline support for single_server TLS + applications (i.e. smtpd(8), smtp(8)). File: tls/tls_bio_ops.c. + +20110212 + + Infrastructure: run-time switch for read/write deadline + support. Files: util/vstream.[hc], global/smtp_stream.[hc], + tls/tls_bio_ops.c. + + Cleanup: configurable read/write deadline support with + smtpd_per_record_deadline (normal: "no", overload: "yes") + and smtp_per_record_deadline (default: "no"). Files: + global/mail_params.h, smtpd/smtpd.c, smtp/smtp.c, + smtp/smtp_proto.c, proto/postconf.proto, mantools/postlink. + +20110213 + + Workaround: the TLS library passes the same information via + different function arguments, and this same information is + maintained by different functions, so things get out of + step when code is updated. As of 20110212, tls_client_start() + needs to set the VSTREAM property of the TLS session object. + File: tls/tls_client.c. + +20110215 + + Human factors: the FCRDNS (forward-confirmed reverse DNS) + checking code now logs "hostname X does not resolve to + address Y", when a "reverse hostname" lookup result does + not resolve to the client IP address. Files: smtpd/smtpd_peer.c, + qmqpr/qmqpd_peer.c. + +20110216 + + Cleanup: don't log a "connection reset by peer" error when + postscreen(8) tries to send a server response. File: + postscreen/postscreen_send.c. + +20110218 + + Cleanup: Postfix now uses long integers for message_size_limit, + mailbox_size_limit and virtual_mailbox_limit. On LP64 (64-bit + long and pointer, but 32-bit integer) systems, these message + and mailbox limits can now exceed 2GB. Files: global/mail_params.c + global/mail_params.h local/local.c master/event_server.c + master/mail_server.h master/multi_server.c master/single_server.c + master/trigger_server.c virtual/virtual.c postconf/extract.awk + postconf/postconf.c. + +20110220 + + Cleanup: compiler gripe. File: util/vstream.c. + +20110223 + + Cleanup: Debian build tool gripe. File: smtpstone/smtp-sink.c. + +20110224 + + postscreen(8) support to enforce proper client MX lookup + policy. Some spambots connect first to a backup MX address + in the hope that the server has a weaker anti-spam policy. + By listening on both primary and backup MX addresses, + postscreen(8) can deny the temporary whitelist status to + clients that connect only to backup MX hosts, and prevent + them from talking to a Postfix SMTP server process. + + For example, when 1.2.3.4 is a local backup IP address, + specify "postscreen_whitelist_interfaces = !1.2.3.4 static:all" + to disable dynamic whitelisting for clients that connect + (only) to the backup MX address. Files: mantools/postlink, + proto/postconf.proto, proto/POSTSCREEN_README.html, + global/mail_params.h, postscreen/postscreen.c, + postscreen/postscreen.h, postscreen/postscreen_state.c. + +20110225 + + Workaround (problem introduced with IPv6 support in Postfix + 2.2): the SMTP client did not support mail to [ipv6:ipv6addr]. + Fix based on a patch by Gurusamy Sarathy (Sophos). File: + util/host_port.c and regression test files. + +20110227 + + Portability: FreeBSD closefrom() support time window. Sahil + Tandon. File: util/sys_defs.h. + + Cleanup: each lookup table now has an owner status and UID + attributes for provenance purposes, even memory-resident + tables such as pcre, regexp and cidr. This fixes a problem + where local(8) ignored the non-root ownership of a regular + expression-based aliases(5) file. The table owner status + is TRUSTED (data straight from root-owned configuration + file), UNKNOWN (unauthenticated data from proxy or tcp) or + KNOWN (we actually have an owner UID). With most tables, + the owner UID is the file owner UID. With LDAP and *SQL, + the owner UID is the Postfix configuration file owner. + Files: src/util/dict_unix.c src/util/dict_thash.c + src/util/dict_static.c src/util/dict_sdbm.c src/util/dict_regexp.c + src/util/dict_pcre.c src/util/dict_nisplus.c src/util/dict_nis.c + src/util/dict_ni.c src/util/dict_ht.c src/util/dict_env.c + src/util/dict_dbm.c src/util/dict_db.c src/util/dict_cidr.c + src/util/dict_cdb.c src/util/dict_alloc.c src/util/dict.h + src/util/dict.c src/local/alias.c src/global/dict_sqlite.c + src/global/dict_pgsql.c src/global/dict_mysql.c + src/global/dict_ldap.c src/global/cfg_parser.h + src/global/cfg_parser.c. + +20110311 + + Feature: Base 32 encoder/decoder per RFC 4648. This code + was going to be used for long queue IDs, but plans were + changed. Files: src/util/base32_code.[hc]. + +20110313 + + Bugfix (introduced Postfix 2.8): postscreen DNSBL scoring + error. When a client disconnected and then reconnected + before all DNSBL results for the earlier session arrived, + DNSBL results for the earlier session would be added to the + score for the later session. Problem report by Larry Vaden. + Files: dnsblog/dnsblog.c, postscreen/postscreen_dnsbl.c. + + Cleanup: protocol description in dnsblog(8) manpage. File: + dnsblog/dnsblog.c. + +20110314 + + Portability: the SUN compiler had trouble with a pointer + expression of the form ``("text1" "text2") + constant'' so + we don't try to be so clever. Fix by Victor Duchovni. File: + global/mail_params.h. + +20110320 + + Feature: specify "enable_long_queue_ids = yes" to enable + support for non-repeating queue IDs (also used as queue + file names). These queue IDs encode the time and inode + number with a safe alphabet of the 52 characters 0-9B-Zb-z. + The alphabet excludes vowels (AEIOUaeiou) to avoid creating + real words. The queue ID format is: time in seconds, time + in microseconds, 'z', inode number (the inode number is + encoded without using the 'z' character of the safe alphabet). + Turning on long queue IDs changes the width of the first + output column of the mailq (postqueue -p) command, and + changes the appearance of Postfix Message-ID headers to + queueID@myhostname. Files: global/file_id.[hc], + global/safe_ultostr.[hc], global/mail_queue.[hc], + postsuper/postsuper.c, showq/showq.c + +20110321 + + Performance: with long queue file names, queue hashing now + produces the same result as with short names. Postfix uses + the hexadecimal representation of the file creation time + in microseconds, instead of the beginning of the file name + which changes once every year or so, a problem that was + reported by Victor Duchovni. The base 16 encoding gives + finer control over the number of directories than possible + with base 52 encoding. Files: global/mail_queue.[hc]. This + change requires "postfix reload". + +20110322 + + Cleanup: preserve the microseconds value when renaming + long->short or short->short queue file names. As a side + benefit, renaming long->short queue IDs will not change the + result from queue hashing. File: postsuper/postsuper.c. + +20110323 + + Bitrot: qshape regexp pattern for long queue file names. + Ralf Hildebrandt. File: auxiliary/qshape/qshape.pl. + + Bitrot: text about queue ID reuse in the postsuper manpage. + File: postsuper/postsuper.c. + +20110328 + + Cleanup: don't log warnings about socket shutdown() errors + after a connection breaks. Postfix calls shutdown() to avoid + unnecessary socket write timeouts. This is only an optimization, + and failure is not critical. File: global/smtp_stream.c. + +20110411 + + Cleanup: postscreen(8) and verify(8) daemons now lock their + respective cache file exclusively upon open, to avoid massive + cache corruption by unsupported sharing. Files: util/dict.h, + util/dict_open.c, verify/verify.c, postscreen/postscreen.c. + +20110414 + + Bugfix (introduced with Postfix SASL patch 20000314): don't + reuse a server Cyrus SASL handle after authentication + failure. File: smtpd/smtpd_proto.c. + +20110418 + + Bugfix (introduced Postfix 2.3 and Postfix 2.7): the Milter + client reported some "file too large" errors as temporary + errors. Problem reported by Michael Tokarev. Files: + milter/milter8.c, cleanup/cleanup_milter.c. + +20110420 + + Performance: a high load of DSN success notification requests + could stall the queue manager. Solution: make the trace + client asynchronous, just like the bounce and defer clients. + Problem reported by Eduardo M. Stelmaszczyk of terra.com.br. + Files: global/abounce.[hc], *qmgr/qmgr_active.c (the + qmgr_active.c files are identical). + +20110421 + + Cleanup: updated abounce warning message, and added a safety + timeout to abounce() etc. requests. File: global/abounce.c. + +20110426 + + Bugfix (introduced in Postfix 1.1, duplicated in Postfix + 2.3, unrelated mistake in Postfix 2.7): the local(8) delivery + agent ignored table lookup errors in mailbox_command_maps, + mailbox_transport_maps, fallback_transport_maps and (while + bouncing mail to alias) alias owner lookup. Problem reported + by William Ono. Files: local/command.c, local/mailbox.c, + local/unknown.c, local/bounce_workaround.c. + +20110516 + + Update the warning when permit_naked_ip_address is used, + and add permit_sasl_authenticated to the list of suggested + alternatives. File: smtpd/smtpd_check.c. + +20110601 + + Bugfix (introduced Postfix 2.6 with master_service_disable) + loop control error when parsing a malformed master.cf file. + Found by Coverity. File: master/master_ent.c. + +20110602 + + Bugfix (introduced: Postfix 2.7): "sendmail -t" reported + "protocol error" after queue file write error. File: + postdrop/postdrop.c. + +20110605 + + Cleanup: removed the PSC_STATE_FLAG_CACHE_EXPIRED flag. + Nothing uses this anymore. Files: postscreen/postscreen.h, + postscreen/postscreen_state.c, postscreen/postscreen_tests.c. + +20110614 + + Linux kernel version 3 support. Linus Torvalds has reset + the counters for reasons not related to changes in code. + Files: makedefs, util/sys_defs.h. + +20110615 + + Workaround: some Spamhaus RHSBL rejects lookups with "No + IP queries" even if the name has an alphanumerical prefix. + We play safe, and skip both RHSBL and RHSWL queries for + names ending in a numerical suffix. File: smtpd/smtpd_check.c. + +20110624 + + Cleanup: added error checks for smtpd access primitives + that don't automatically terminate the program after table + lookup error: these primitives are permit_tls_clientcerts, + permit_tls_all_clientcerts, and check_address_map (the last + one is used in local_header_rewrite_clients only). File: + smtpd/smtpd_check.c. + +20110729 + + Workaround: some getpwnam() and getpwuid() implementations + cause mail to bounce ("user unknown") after LDAP etc. lookup + error. Postfix now uses POSIX getpwnam_r() and getpwuid_r() + where available. Initially, this workaround supports FreeBSD, + Solaris and Linux. Files: makedefs, util/sys_defs.h, + global/mypwd.[hc], local/alias.c, local/dotforward.c, + local/include.c, local/mailbox.c, local/recipient.c. + +20110731 + + MacOS X 10.5 supports POSIX getpwnam_r() and getpwuid_r() + (source: MacOS manpages at www.freebsd.org). If MacOS turns + out to make a false promise, then we will undo this change. + Files: makedefs, util/sys_defs.h. + +20110810 + + Cleanup: optimize an optimization to avoid uid->name lookup + when all users are authorized with authorized_submit_users, + authorized_mailq_users, authorized_flush_users. File: + global/user_acl.c. + +20110811 + + Workaround: report a {client_connections} Milter macro value + of zero instead of garbage, when the remote SMTP client is + not subject to any smtpd_client_* limits. Problem reported + by Christian Roessner. Files: smtpd/smtpd_state.c, + proto/MILTER_README.html. + +20110817 + + Cleanup: avoid misleading error messages after future code + change. The tls_bio_ops(3) module now returns non-zero errno + values only when requests fail due to a system-call error. + File: tls/tls_bio_ops.c. + + Cleanup: TLS handshake error messages. The SMTP client and + server now report STARTTLS network errors as "connection + timed out", "connection reset by peer", etc., instead of + reporting TLS error number 0. Files: tls/tls_bio_ops.c, + tls/tls_server.c, tls/tls_client.c. + +20110818 + + Cleanup: VSTREAM-over-TLS error return values, for robustness + against future change. For consistency with VSTREAM internal + interfaces, the tls_stream(3) read/write routines now return + -1 instead of unspecified negative OpenSSL results. File: + tls/tls_stream.c. + +20110819 + + Cleanup: further TLS code cleanups, for robustness against + future change. Unexpected TLS errors are no longer silently + treated as ordinary errors, and one corner-case error in TLS + timeout handling was fixed before it could cause trouble. + File: tls/tls_bio_ops.c. + +20110821-24 + + Cleanup: simplified the TLS read/write deadline implementation, + and documented why this same simplification is not possible + higher-up, at the VSTREAM level. Files: tls/tls_bio_ops.c, + util/vstream.c. + +20110831 + + Bugfix: allow for Milters that send an SMTP server reply + without RFC 3463 enhanced status code. Reported by Vladimir + Vassiliev. File: milter/milter8.c. + +20110902 + + Cleanup: don't log vstream_tweak "connection reset by peer" + errors. File: util/vstream_tweak.c. + +20110904-7 + + Bugfix: master daemon panic with "master_spawn: at process + limit", when "postfix reload" reduces the process limit + from (a value larger than the current process count for + some service) to (a value <= the current process count), + and then a new connection is made to that service. This + structural solution centralizes the decision to monitor a + service port (or not). To improve robustness against future + code changes, it clarifies some of the internal dependencies + that exist inside the master daemon. Files: master/master.h, + master/master_avail.c, master/master_conf.c, + master/master_service.c, master/master_spawn.c. + +20110911 + + Debugging: report the request size when memory allocation + fails. File util/mymalloc.c. + +20110914 + + Incompatibility: the default inet_protocols value is now + "all" instead of "ipv4", meaning use both IPv4 and IPv6. + As a compatibility workaround for sites without global IPv6 + connectivity, the commands "make upgrade" and "postfix + upgrade-configuration" append "inet_protocols = ipv4" to + main.cf when no explicit setting is present. This compatibility + workaround will be phased out in a future release. Files: + util/sys_defs.h, conf/post-install, proto/postconf.proto. + + Incompatibility: the default smtp_address_preference value + is now "any" instead of "ipv6", meaning choose randomly + between IPv6 and IPv4. With this the Postfix SMTP client + will have more success delivering mail to sites that have + problematic IPv6 configurations. Files: global/mail_params.h, + proto/postconf.proto. + +20110918 + + Workaround for multiple ancient FreeBSD getsockopt() bugs + after non-blocking connect fails with 'host unreachable' + that resulted in a unreasonable memory allocation request. + File: util/vstream_tweak.c. + +20110921 + + Bugfix (introduced: Postfix 1.1): smtpd(8) did not sanitize + newline characters in cleanup(8) REJECT messages, causing + them to be sent out via SMTP as bare newline characters. + This happened when a REJECT pattern matched multi-line + header text. Discovered by Kevin Locke. File: smtpd/smtpd.c. + +20110922 + + Bugfix (introduced: Postfix 2.1): smtpd(8) sent multi-line + responses from a before-queue content filter as text with + bare <LF> instead of <CR><LF>. Found during code maintenance. + File: smtpd/smtpd_proxy.c. + +20111011 + + Cleanup: for consistency with the SMTP standard, the + smtp_line_length_limit default value was increased from 990 + characters to 998 (i.e. 1000 characters including <CR><LF>). + File: global/mail_params.h, proto/postconf.proto. + + Cleanup: the Postfix sendmail command now always transforms + all input lines ending in <CR><LF> into UNIX format (lines + ending in <LF>). This simplifies integration with third-party + mail generating applications. Specify "sendmail_fix_line_endings + = strict" to restore historical Postfix behavior (i.e. convert + all input lines ending in <CR><LF> only if the first input + line ends in <CR><LF>). Files: sendmail/sendmail.c, + global/mail_params.h, proto/postconf.proto. + +20111017 + + Cleanup: refined the heuristic that automagically transforms + legacy "sendmail -V" VERP requests into contemporary "sendmail + -XV" syntax. File: sendmail/sendmail.c. + + Cleanup: when the cleanup daemon goes into discard mode, + don't get stuck when it runs onto milter file descriptor + information. File: cleanup/cleanup.c. + +20111020 + + EAI Future-proofing: don't apply strict_mime_encoding_domain + checks to unknown message subtypes such as message/global*. + File: global/mime_state.c. + +20111025 + + Bugfix (introduced: Postfix 2.8): postscreen sent non-compliant + SMTP responses (220- followed by 421) when it could not + hand off a connection to a real smtpd process, causing some + remote SMTP clients to bounce mail. The fix redirects the + client to the dummy SMTP engine which sends the 421 reply + at the first legitimate opportunity. Problem reported by + Ralf Hildebrandt. Files: postscreen/postscreen_send.c, + postscreen/postscreen_smtpd.c, postscreen/postscreen.h. + +20111102 + + Workaround: to improve inter-operability with broken remote + SMTP servers, the Postfix SMTP client by default no longer + appends the "AUTH=<>" option to the MAIL FROM command. + Specify "smtp_send_dummy_mail_auth = yes" to restore the + old behavior. + +20111106 + + Feature: "postconf -M" support to show Postfix's idea of + what is in the master.cf file. File: postconf/postconf.c. + + Feature: postconf "-f" option to "nicely" format long lines + from main.cf or master.cf. File: postconf/postconf.c. + +20111108 + + Cleanup: postconf finally supports dynamic configuration + parameter names: parameters whose name depend on a mail + delivery transport or spawn service in master.cf, and + parameters whose names are specified with smtpd_restriction_classes + in main.cf. This adds 70 parameters to the "postconf" output, + more if additional mail delivery transports are defined in + master.cf. File: postconf/postconf.c. + +20111109 + + Cleanup: account for "," in smtpd_restriction_classes + value (Victor Duchovni). File: postconf/postconf.c. + +20111112 + + Cleanup: postconf finally warns about possible mis-typed + main.cf and master.cf parameter names (i.e. parameters that + aren't used anywhere), and it finally displays user-defined + main.cf parameters that *are* used. File: postconf/postconf.c. + +20111113 + + Portability: specify ``make makefiles "CCARGS=-DNO_NIS + ..."'' to build on systems without NIS support. Files: + makedefs, util/sys_defs.h. + + Cleanup: documented the postconf algorithms and their + limitations, and added regression tests to speed up future + development. File: postconf/postconf.c + +20111117 + + Cleanup: postconf didn't "bless" type "inet" service names. + + Cleanup: with pipelined sessions, smtp-sink flushed the + output too often. Reported by Mark Martinec. File: + smtpstone/smtp-sink.c. + + Workaround: don't use IPv6 at build time. File: conf/main.cf. + + Workaround: don't abort when IPv6 is present but busted. + File: util/inet_proto.c. + + Portability: the Dovecot 2.0 authentication server supports + more socket types for its authentication server. File: + xsasl/xsasl_dovecot_server.c. + + Documentation: the Dovecot 2.0 authentication server supports + communication over TCP sockets. Patrick Ben Koetter. File: + proto/SASL_README.html. + +20111118 + + Cleanup: "postconf -M" now supports filtering. For example, + "postconf -M inet" shows only services that listen on the + network, and "postconf -M smtp.unix" shows the SMTP delivery + agent. File: postconf.c. + +20111119 + + Cleanup: "postconf" commands in postfix-install needed to + be updated before master.cf was installed. Reported by + Sahil Tandon. File: postfix-install. + +20111120 + + Cleanup: support for parameter name spaces for master.cf + entries. With this, postconf should no longer log false + warnings for "-o user-defined-name=value" in master.cf. As + a benefit, it will warn for user-defined parameters with + "name=value" entries that are unused because they are hidden + by master.cf "-o name=value" entries with the same parameter + name. File: postconf/postconf.c. + +20111121 + + Cleanup: documentation fixes. File: postconf/postconf.c. + + Cleanup: in postconf "main.cf management" mode, errors + opening master.cf are non-fatal. File: postconf/postconf.c. + +20111122 + + Documentation: examples to request VERP-style delivery at + SMTP time with the smtpd_command_filter feature. Files: + proto/VERP_README.html, proto/postconf.proto. + + Feature: TLS certificate public-key fingerprint matching + (SMTP server and client), and TLS logging cleanup. Victor + Duchovni. Files: proto/SMTPD_POLICY_README.html, + proto/TLS_README.html, proto/postconf.proto, global/mail_proto.h, + smtpd/smtpd_check.c, tls/tls.h, tls/tls_client.c, tls/tls_misc.c, + tls/tls_proxy_print.c, tls/tls_proxy_scan.c, tls/tls_server.c, + tls/tls_stream.c, tls/tls_verify.c. + + Documentation: complete list of "make makefiles" overrides. + File: proto/INSTALL.html. + + Cleanup: postscreen now logs more than the first word of + non-SMTP commands. File: postscreen/postscreen_smtpd.c. + +20111124 + + Cleanup: eliminated false postconf "unused parameter" + warnings with legacy parameters such as $virtual_maps, and + with non-default parameter values for smtpd_expansion_filter + that can contain legitimate "$" without a macro name. + + Cleanup: split postconf source into separate modules. + Files: postconf/postconf.c, postconf/postconf_builtin.c, + postconf/postconf_edit.c, postconf/postconf_main.c, + postconf/postconf_master.c, postconf/postconf_misc.c, + postconf/postconf_node.c, postconf/postconf_other.c, + postconf/postconf_service.c postconf/postconf_unused.c, + postconf/postconf_user.c, postconf/postconf.h. + +20111126 + + Bitrot: changes in error reporting to the under-documented + OpenLDAP API. Problem reported by Quanah Gibson-Mount. Fix + by Viktor Dukhovni. File: global/dict_ldap.c. + + Cleanup: four-space indentation had become a tab character. + Files: postconf/postconf.h, postconf/test20.ref, + postconf/test21.ref. + +20111127 + + Cleanup: documented <transport>_suffix parameters that don't + show in postconf command output of earlier Postfix versions. + Files: proto/SMTPD_POLICY_README.html, proto/postconf.proto, + proto/SCHEDULER_README.html. + + Cleanup: added the pipe(8) delivery agent to the list of + programs that implement transport_time_limit parameters. + File: postconf/postconf_service.c, postconf/test6.ref, + postconf/test22.ref. + +20111128 + + Feature: "postconf -C class,..." support to print parameters + in one or more classes (builtin= built-in parameter names, + service=service-defined parameter names, user=user-defined + parameter names). Files: postconf/postconf.c, postconf/postconf.h, + postconf_service.c, postconf/postconf_user.c. + +20111129 + + Cleanup: TLS logging level configuration. Files: + global/mail_params.h, smtp/lmtp_params.c, smtp/smtp.c, + smtp/smtp_params.c, smtp/smtp_proto.c, smtpd/smtpd.c, + tls/tls.h, tls/tls_client.c, tls/tls_misc.c, tls/tls_server.c, + tlsmgr/tlsmgr.c, tlsproxy/tlsproxy.c. + +20111203 + + Cleanup: time-dependent sender addresses of address + verification probes. Specify an address_verify_sender_ttl + value of several hours or more to frustrate address harvesting. + Files: global/verify_sender_addr.[hc], smtpd/smtpd.c, + smtpd/smtpd_check.c, verify/verify.c, proto/postconf.proto, + proto/ADDRESS_VERIFICATION_README.html. + +20111204 + + Cleanup: removed the log_level arguments from tls_client_start() + and tls_server_start() calls. This information is already + given to tls_client_init() and tls_server_init(). Files: + smtpd/smtpd.c, tlsproxy/tlsproxy.c, smtp/smtp_proto.c, + tls/tls.h, tls/tls_client.c, tls/tls_server.c, tls/tls_misc.c. + +20111205 + + Documentation: made the postconf(5) manpage more precise + in its use of "client" and "server"; reorganized the + TLS_README presentation of client configuration so that + most relevant information is presented earlier. Files: + proto/postconf.proto, proto/TLS_README.html. + + Bugfix: tlsproxy(8) stored TLS sessions with a serverID of + "tlsproxy" instead of "smtpd", wasting an opportunity for + session reuse. File: tlsproxy/tlsproxy.c. + +20111206 + + Documentation: removed descriptions of Postfix < 2.3 user + interface from TLS_README. Users of earlier releases are + referred to TLS_LEGACY_README. File: proto/TLS_README.html. + +20111207 + + Cleanup: tlsproxy(8) now receives the session cache serverID + from its client (postscreen(8)). Files: global/mail_proto.h, + postscreen/postscreen_starttls.c, tlsproxy/tlsproxy.[hc], + tlsproxy_state.c. + + Cleanup: the postscreen(8) daemon did not support a zero + cache cleanup interval. This is needed for memcache support. + File: postscreen/postscreen.c. + + Bugfix (introduced: 20110227): null pointer bug while + updating dictionary owner attributes, after reading an empty + (database) configuration file. File: util/dict.c. + +20111208 + + Cleanup: db_common_parse_domain() could not be called without + preceding db_common_parse() call. Files: global/db_common.[hc]. + +20111209 + + Feature: memcache client support. This implementation is + based on the under-documented libmemcache library, and + therefore supports only libmemcache version 1.4.0. Files: + conf/postfix-files, global/dict_memcache.[hc], global/mail_dict.c, + html/index.html, mantools/postlink, postconf/postconf.c, + postfix/postfix.c, proto/DATABASE_README.html, + proto/MEMCACHE_README.html, proto/memcache_table. + +20111209 + + Cleanup: support for scripted and manual database tests with + LDAP, *SQL, and memcache. Files: util/dict_test.c, util/dict.c, + global/mail_dict.c. + + Workaround: apparently, some distributions use Postfix + shared libraries without proper so-number versioning. This + causes programs to fail mysteriously, after an update + replaces the Postfix library but not the program (someone + experienced this with an extra copy of the Postfix SMTP + server). Files: global/mail_version.[hc], master/*server.c, + master/master.c, src/postalias/postalias.c, + src/postdrop/postdrop.c, src/postfix/postfix.c, + src/postlog/postlog.c, src/postmap/postmap.c, + src/postmulti/postmulti.c, src/postqueue/postqueue.c, + src/postsuper/postsuper.c, src/sendmail/sendmail.c. + +20111211 + + Feature: first/next (sequence) support in the proxymap + protocol. This is needed for cache cleanup of a proxied + postscreen or verify persistent cache. Files: + global/dict_proxy.[hc], proxymap/proxymap.c. + + Feature: memcache client support without libmemcache + dependencies. Files: global/memcache_proto.[hc], + global/dict_memcache.c. + + Bugfix: missing lookup table entry and terminator, causing + proxymap(8) server segfault when postscreen(8) or verify(8) + attempted to access their cache via the proxymap(8) server. + This could never have worked anyway, because the Postfix + proxymap protocol did not support cache cleanup. File + util/dict.c. + + Feature: support for persistent backup database in the + memcache client. The database can be shared with the proxymap + service, but it needs to be listed as "proxy:maptype:mapname" + in the proxy_read_maps or proxy_write_maps parameter value + (depending on whether the access is read-only or read-write). + Support for proxymap-over-tcp (proxy:maptype:mapname@host:port) + is under development. File: global/dict_memcache.c. + +20111214 + + Documentation: updated the submission and smtps examples + in the sample master.cf file, so that their logging is + easier to recognize. File: conf/master.cf. + +20111215 + + Documentation: use different hosts to separate MUA "port + 25" traffic from the "port 25" MX service. Files: + postscreen/postscreen.c, proto/POSTSCREEN_README.html. + +20111216 + + Cleanup: the proxymap client did not correctly propagate + the "open_lock" flag, causing the proxymap service to open + postscreen(8) and verify(8) caches twice, instead of once. + File: global/dict_proxy.c. + + Cleanup: the verify and postscreen caches were not listed + as "authorized" for access via the proxywrite service. File: + global/mail_params.h. + + Refactoring: the postscreen permanent access list code is + now a library module, so that it can be also used for remote + access to the proxymap server. Files: global/server_acl.[hc]. + + Hardening: read/write deadlines, to make the proxymap server + suitable for remote access. File: proxymap/proxymap.c. + +20111217 + + Cleanup: more orthogonal definition of when the proxymap + server can/cannot share a single map instance among multiple + requestors, and corresponding code cleanup in the proxymap + client and server. Files: util/dict.h, util/dict_test.c, + global/dict_proxy.c, proxymap/proxymap.c. + + Human factors: the postscreen/verify cache manager now logs + the full database name including the proxy: prefix, to avoid + WTF surprises. File: util/dict_cache.c. + +20111218 + + Cleanup: more configurable memcache client error handling. + Files: global/dict_memcache.c, proto/memcache_table. + + Feature: the Postfix SMTP server XCLIENT command now supports + the LOGIN attribute (e.g., login information from nginx). + Based on the nginx:xclient-login-patch from citrin.ru (Anton + Yuzhis). The patch was further enhanced to support SASL + login information everywhere in the Postfix SMTP server + without having to specify "smtpd_sasl_auth_enable = yes" + in main.cf. Files: smtpd.[hc], smtpd_sasl_glue.[hc], + smtpd_check.c, smtpd_sasl_proto.[hc], smtpd_state.c, + proto/XCLIENT_README.html. + + Incompatibility: the Postfix SMTP server now always checks + the smtpd_sender_login_maps table, even without having + "smtpd_sasl_auth_enable = yes" in main.cf. + +20111219 + + Cleanup: the match_list-based primitives now provide an + option to return an error result instead of terminating the + process with a fatal error. Files: util/match_ops.[hc], + util/match_list.c, global/addr_list_match.c, domain_list.c, + string_list.c, namadr_list.c. + + Cleanup: a "fail:" database type that reliably fails all + requests. The lookup table name specifies the internal error + result code. having this table facilitates a systematic + review of all Postfix table lookup error handling. + + Cleanup: trivial-rewrite now "catches" errors with implicit + database lookups in virtual_alias_domains, relay_domains, + virtual_mailbox_domains, just like it already caught explicit + database lookup errors. This means there are fewer occasions + where trivial-rewrite clients will appear to hang. File: + trivial-rewrite/resolve.c. + + Cleanup: a broken relay_domains table would cause many + Postfix processes to terminate with fatal error as they + initialized the flush() client (used by defer_append() + etc.). Postfix now logs a warning instead. File: + global/flush_clnt.c. + + Cleanup: the Postfix SMTP server now "catches" errors with + implicit database lookups in mynetworks, TLS client certificate + tables, and local_header_rewrite_clients, and reports "server + configuration error" or "table lookup error" instead of + terminating with a fatal error. This is work in progress; + errors with opening a database may be covered later. Files: + smtpd/smtpd.c, smtpd/smtpd_check.c. + +20111220 + + Cleanup: the Postfix SMTP server now "catches" errors with + implicit database lookups in mynetworks, debug_peer_list, + smtpd_client_event_limit_exceptions, permit_mx_backup_networks. + This continues work started 20111219, and does not cover + errors with opening a database. Files: smtpd/smtpd.c, + smtpd/smtpd_checks.c, smtpd/smtpd_error.in, smtpd/smtpd_error.ref. + + Cleanup: memory leak testing of error handling. File: + util/name_mask.c. + +20111222 + + Cleanup: memory leak testing of error handling. File: + util/name_mask.c. + + Cleanup: simplified the match_list error reporting, thereby + reducing the footprint of the changes to "catch" errors + with implicit database lookups in mynetworks, and other + lists. Files: util/match_ops.[hc], util/match_list.c, + global/addr_list_match.c, domain_list.c, string_list.c, + namadr_list.c, trivial-rewrite/resolve.c, smtpd/smtpd.c, + smtpd/smtpd_check.c, global/flush_clnt.c, flush/flush.c. + +20111224 + + Cleanup: eliminated the global dict_errno variable that + made error reporting convenient but not necessarily precise. + This was a straightforward change except in the few modules + that propagate errors from one dictionary API to another: + dict_cache.c, dict_debug.c, maps.c, dict_memcache.c. Files: + src/cleanup/cleanup_map11.c, src/cleanup/cleanup_map1n.c, + src/global/addr_match_list.c, src/global/dict_ldap.c, + src/global/dict_memcache.c, src/global/dict_mysql.c, + src/global/dict_pgsql.c, src/global/dict_proxy.c, + src/global/dict_sqlite.c, src/global/domain_list.c, + src/global/flush_clnt.c, src/global/mail_addr_find.c, + src/global/mail_addr_map.c, src/global/maps.c, src/global/maps.h, + src/global/match_parent_style.h, src/global/namadr_list.c, + src/global/resolve_local.c, src/global/resolve_local.h, + src/global/server_acl.c, src/global/string_list.c, + src/local/alias.c, src/local/bounce_workaround.c, + src/local/mailbox.c, src/local/unknown.c, src/proxymap/proxymap.c, + src/qmqpd/qmqpd.c, src/smtp/smtp_map11.c, src/smtpd/smtpd_check.c, + src/trivial-rewrite/resolve.c, src/trivial-rewrite/transport.c, + src/util/dict.h, src/util/dict_alloc.c, src/util/dict_cache.c, + src/util/dict_cidr.c, src/util/dict_db.c, src/util/dict_debug.c, + src/util/dict_env.c, src/util/dict_fail.c, src/util/dict_ht.c, + src/util/dict_pcre.c, src/util/dict_regexp.c, + src/util/dict_static.c, src/util/dict_tcp.c, src/util/dict_test.c, + src/util/dict_thash.c, src/util/dict_unix.c, src/util/match_list.c, + src/util/match_list.h, src/util/match_ops.c, src/virtual/mailbox.c. + +20111226 + + Bugfix (introduced 20110426): after lookup error with + mailbox_transport_maps, mailbox_command_maps or + fallback_transport_maps, the local delivery agent did not + log the problem before deferring mail, and produced no defer + logfile record. Files: local/mailbox.c, local/unknown.c. + +20120102 + + Workaround: degrade gracefully when the network protocols + specified with inet_protocols are unavailable. Files: + global/mail_params.c, global/mynetworks.c, global/own_inet_addr.c + master/master_ent.c, master/master_vars.c, postscreen/postscreen.c, + qmqpd/qmqpd.c, smtp/smtp_connect.c, smtpd/smtpd.c, + util/inet_proto.c. + +20120107 + + Workaround: degrade gracefully when the "domain" feature + of LDAP, *SQL and memcache databases has a table lookup + problem. Files: global/db_common.c, global/dict_ldap.c, + global/dict*sql*.c, global/dict_memcache.c. + + Cleanup: fixed memcache client error handling for things + that never happen. global/dict_memcache.c. + + Future proofing: prepare postmap/postalias error logging + for future changes to database code. Files: postalias/postalias.c, + postmap/postmap.c. + +20120108 + + Cleanup: the postscreen(8) and verify(8) cache managers log + warnings at a reduced rate of one per second per cache + operation, to avoid logging large numbers of warnings about + a problem with low-value information. File: util/msg_rate_delay.c, + util/dict_cache.c. + +20120110 + + Cleanup: added logging for failed table lookups, and replaced + some "fatal" errors by warnings. Files: cleanup/cleanup_addr.c, + cleanup/cleanup_message.c, cleanup/cleanup_milter.c, + cleanup/cleanup_masquerade.c, global/header_body_checks.c, + global/smtp_stream.c, postscreen/postscreen_dnsbl.c, + postscreen/postscreen_smtpd.c, smtp/smtp_chat.c, + smtp/smtp_proto.c, smtp/smtp_sasl_auth_cache.c, + smtp/smtp_sasl_glue.c, smtp/smtp_session.c, smtp/smtp_trouble.c, + smtpd/smtpd.c, smtpd/smtpd_check.c. + +20120114 + + Cleanup: gradual degradation after database file open errors. + Instead of terminating immediately with a "fatal" error, a + Postfix daemon logs an error and continues execution with + reduced functionality. In other words, features that don't + depend on the unavailable table will keep working. However, + for the sake of sanity, the number of such errors over the + life of a process is limited to 13. Files: + src/global/cfg_parser.c, src/util/dict_thash.c, + src/util/dict_cidr.c, src/util/dict_nis.c, src/util/dict_nisplus.c, + src/global/dict_ldap.c, src/global/dict_mysql.c, + src/global/dict_pgsql.c, src/global/dict_sqlite.c, + src/postconf/postconf_main.c, src/global/mail_conf.c, + src/util/dict.h, src/util/dict.c, src/global/dict_memcache.c, + src/util/dict_tcp.c, src/util/dict_unix.c, src/util/dict_pcre.c, + src/util/dict_regexp.c, src/master/trigger_server.c, + src/master/single_server.c, src/master/multi_server.c, + src/master/event_server.c, src/util/dict_test.c, + src/util/dict_surrogate.c, src/util/dict_alloc.c, src/util/msg.c, + src/util/dict_cdb.c, src/util/dict_dbm.c, src/util/msg.h, + src/util/dict_db.c. + + Incompatibility: the Postfix SMTP server no longer reports + transcripts of sessions where a client command is rejected + because a table is unavailable. To receive such reports, + add the new "data" class to the notify_classes parameter + value. The reports will be sent to the error_notice_recipient + address as before. This class is also used by the Postfix + SMTP client to report about sessions that fail because a + table is unavailable. Files: global/mail_error.[hc], + smtpd/smtpd_check.c, smtp/smtp_trouble.c. + +20120115 + + Fine tuning: SMTP server error messages. File: smtpd/smtpd.c. + + Fine tuning: documentation. Files: proto/MEMCACHE_README.html. + proto/memcache_table.html. + + Apply "gradual degradation" also when an unsupported database + *type* is specified. File: util/dict_open.c. + + Cleanup: tiny memory leaks after surrogate database opens. + Files: util/dict_cidr.c, util/dict_db.c. + +20120117 + + Cleanup: support for legacy-style database configuration + where parameter names are generated by appending suffixes + to the database name. Files: postconf/postconf_dbms.c. + + Other: build without Berkeley DB support (make makefiles + "CCARGS=$CCARGS -DNO_DB"). Files: makedefs, util/sys_defs.h, + proto/DB_README.html, proto/INSTALL.html. + +20120120 + + Compatibility: added file pflogsumm_quickfix.txt with quick + patches for pflogsumm that handle the new default master.cf + entries for the submission and smtps services. + +20120121 + + Cleanup: getopt(3) compatibility in the postconf(1) master.cf + parser. Process "--" as the end-of-options indicator, and + process "-oname=value" as "-o name=value". Files: + util/argv.[hc], postconf/postconf_master.cf, + postconf/postconf_user.c. + +20120122 + + Workaround: log a warning and suggested solution for common + stat()/fstat()/lstat() problems caused by 32-bit overflow. + This is a real stinker that causes Postfix to fail without + any prior warning. File: util/warn_stat.[hc], and everything + that directly calls stat(), fstat() or lstat(). + +20120127 + + Bugfix (introduced: Postfix 2.8): the Postfix client sqlite + quoting routine returned the unquoted result instead of the + quoted text. The opportunities for misuse are limited, + because Postfix sqlite files are usually owned by root, and + Postfix daemons usually run with non-root privileges so + they can't corrupt the database. Problem reported by Rob + McGee (rob0). File: global/dict_sqlite.c. + +20120130 + + Bugfix (introduced: Postfix 2.3): the trace service did not + distinguish between DSN SUCCESS notifications for a non-bounce + or a bounce message. This code pre-dates DSN support and + should have been updated when it was re-purposed to handle + DSN SUCCESS notifications. Problem reported by Sabahattin + Gucukoglu. File: bounce/bounce_trace_service.c. + +20120202 + + Bugfix (introduced: Postfix 2.3): the "change header" milter + request could replace the wrong header. A long header name + could match a shorter one, because a length check was done + on the wrong string. Reported by Vladimir Vassiliev. File: + cleanup/cleanup_milter.c. + +20120214 + + Bugfix (introduced: Postfix 2.4): extraneous null assignment + caused core dump when postlog emitted the "usage" message. + Reported by Kant (fnord.hammer). File: postlog/postlog.c. + +20120217 + + Bugfix (introduced 20111219): sendmail -bs segfault, due + to a missing guard statement after an smtpd_check_rewrite() + call was moved closer to the command processor loop. Fix + by Bartek Szady. File: smtpd/smtpd.c. + +20120220 + + Cleanup: documentation of how to use only system-supplied + certificates with *CAfile and *CApath. File: proto/postconf.proto. + + Cleanup: documentation of smtp_sasl_mechanism_filter. File: + proto/postconf.proto. + +20120222 + + Cleanup: when multiple DNSBLs block an SMTP client, the + postscreen "reject" message now gives credit to the DNSBL + with the largest weight, instead of the DNSBL that replies + first. File: postscreen/postscreen_dnsbl.c. + + Cleanup: memcache_table(5) manpage. File proto/memcache_table. + +20120225 + + Cleanup: eliminated the build-time Perl dependency. File: + bounce/annotate.sh. + + Cleanup: when -DNO_DB support was added, the makedefs script + was not updated to skip the Linux Berkeley DB tests. + + FreeBSD9 is now a supported platform. Files: makedefs, + util/sys_defs.h. + +20120226 + + Cleanup: documentation in postfix-install. + +20120229 + + Feature: smtpd_log_access_permit_actions to enable logging + of specific permit-like actions in Postfix SMTP server + access lists. Files: mantools/postlink, proto/postconf.proto, + global/mail_params.h, smtpd/smtpd.c, smtpd/smtpd_check.c. + +20120306 + + To improve the interaction with start-up scripts, "postfix + start" now waits for master daemon process initialization + to complete, and returns a non-zero exit status if daemon + initialization failed or if it did not complete in a + reasonable amount of time. This involves a new "-w" master + option. Files: conf/postfix-script, master/master.c, + master/master.h. master/master_monitor.c. + +20120307 + + postconf -X option to exclude parameters from main.cf + (require two-finger action, because this is irreversible). + Files: postconf/postconf.[hc], postconf/postconf_edit.c. + +20120317 + + Feature: Sendmail-style socketmap. Files: util/dict_sockmap.[hc], + util/netstring.[hc], proto/DATABASE_README.html, + postconf/postconf.c. + +20120330 + + Workaround: specify "\c" at the start of an smtpd_reject_footer + template to suppress the line break between the reply text + and the footer text. Files: global/smtp_reply_footer.c, + proto/postconf.proto. + +20120401 + + Bugfix (introduced Postfix 2.6): irrelevant memory leak + that was introduced with postconf -#. File: + postconf/postconf_edit.c. + + Bitrot: shut up useless warnings about Cyrus SASL call-back + function pointer type mis-matches. Files: xsasl/xsasl_cyrus.h, + xsasl/xsasl_cyrus_server.c, xsasl/xsasl_client.c. + +20120404 + + Cleanup: added smtpd_sender_login_maps to the default + proxy_read_maps value. Files: global/mail_params.h, + proxymap/proxymap.c. + + Cleanup: weed out stale TODO's from the WISHLIST, and moved + some CYA text from WISHLIST into the code. Files: WISHLIST, + smtpd/smtpd_proxy.c. + +20120407 + + Bugfix (introduced: 20120330): don't replace <reply-code> + <space> by <reply-code> <hyphen> when a reply footer starts + with \c and contains no \n. File: global/smtp_reply_footer.c. + +20120422 + + Bit-rot: OpenSSL 1.0.1 introduces new protocols. Update the + known TLS protocol list so that protocols can be turned off + selectively to work around implementation bugs. Based on + a patch by Victor Duchovni. Files: proto/TLS_README.html, + proto/postconf.proto, tls/tls.h, tls/tls_misc.c, tls/tls_client.c, + tls/tls_server.c. + +20120425 + + Workaround: bugs in 10-year old gcc versions break compilation + with #ifdef inside a macro invocation (NOT: definition). + Files: tls/tls.h, tls/tls_client.c, tls/tls_server.c. + +20120426 + + Bugfix (introduced Postfix 2.9): the postconf command flagged + parameters defined in master.cf as "unused" when they were + used only in main.cf. Problem reported by Michael Tokarev. + Files: postconf/postconf_user.c, postconf/test4b.ref, + postconf Makefile.in. + +20120513 + + Cleanup: report both the first and last line number when a + malformed main.cf entry spans multiple lines, instead of + reporting the last line number only. File: util/dict.c, + util/line_number.[hc]. + +20120516 + + Workaround: apparently, FreeBSD 8.3 kqueue notifications + sometimes break when a dnsblog(8) process loses an accept() + race on a shared socket, resulting in repeated "connect to + private/dnsblog service: Connection refused" warnings. This + condition is unique to dnsblog(8). The postscreen(8) daemon + closes a postscreen-to-dnsblog connection as soon as it + receives a dnsblog(8) reply, resulting in hundreds or + thousands of connection requests per second. All other + multi-server daemons such as anvil(8) or proxymap(8) have + connection lifetimes ranging from 5s to 1000s depending on + server load. The workaround is for dnsblog to use the + single_server driver instead of the multi_server driver. + This one-line code change eliminates the accept() race + without any Postfix performance impact. Problem reported + by Sahil Tandon. File: dnsblog/dnsblog.c. + + Logging: postscreen now logs a warning when a dnsblog(8) + request takes longer than the hard-coded time limit of 10s. + File: postscreen/postscreen_dnsbl.c. + +20120517 + + Workaround: to avoid crashes when the OpenSSL library is + updated without "postfix reload", the Postfix TLS session + cache ID now includes the OpenSSL library version number. + Note: this problem cannot be fixed in tlsmgr(8). Code by + Victor Duchovni. Files: tls/tls_server.c, tls_client.c. + +20120520 + + Bugfix (introduced Postfix 2.4): the event_drain() function + was comparing bitmasks incorrectly causing the program to + always wait for the full time limit. This error affected + the unused postkick command, but only after s/fifo/unix/ + in master.cf. File: util/events.c. + + Cleanup: laptop users have always been able to avoid + unnecessary disk spin-up by doing s/fifo/unix/ in master.cf + (this is currently not supported on Solaris systems). + However, to make this work reliably, the "postqueue -f" + command must wait until its requests have reached the pickup + and qmgr servers before closing the UNIX-domain request + sockets. Files: postqueue/postqueue.c, postqueue/Makefile.in. + +20120522 + + Robustness: set LC_ALL=C in post-install to avoid surprises + when parsing output from Postfix or non-Postfix commands. + File: postfix-install. + +20120611 + + Bugfix (introduced: 20031216-21): with soft_bounce=yes, the + SMTP client did not move on to the next MX host or fallback + relay after a 5xx reply. File: smtp/smtp_trouble.c. + +20120527-8 + + Infrastructure: limited support to shrink VSTREAM buffers. + The change takes place when reading from (a stream for the + first time | an empty buffer) or when writing to (a stream + for the first time | a full buffer). TODO: the change should + also happen after purging or flushing a buffer. File: + util/vstream.c. + +20120531-617 + + Feature: haproxy support in postscreen(8) and smtpd(8). To + enable, specify "smtpd_upstream_proxy_protocol = haproxy" + or "postscreen_upstream_proxy_protocol = haproxy". Files: + mantools/postlink, proto/postconf.proto, global/Makefile.in, + global/haproxy_srvr.c, global/haproxy_srvr.h, global/mail_params.h, + global/mail_proto.h, master/single_server.c, master/multi_server.c, + master/event_server.c, postscreen/Makefile.in, + postscreen/postscreen.c, postscreen/postscreen.h, + postscreen/postscreen_endpt.c, postscreen/postscreen_haproxy.c, + postscreen/postscreen_haproxy.h, postscreen/postscreen_send.c, + postscreen/postscreen_state.c, smtpd/Makefile.in, smtpd/smtpd.h, + smtpd/smtpd_peer.c, smtpd/smtpd_sasl_glue.c, smtpd/smtpd_haproxy.c, + util/Makefile.in, util/listen.h, util/recv_pass_attr.c, + util/stream_listen.c, util/sys_defs.h, util/unix_pass_listen.c. + +20120618 + + Cleanup: made the postscreen-to-smtpd haproxy attribute + transmission more robust for Solaris. Files: util/sys_defs.h, + util/connect.h, util/steam_listen.c, postscreen/postscreen_send.c. + + Cleanup: simplified the "stream used" workaround. Files: + util/vstream.h, master/event_server.c, master/multi_server.c. + +20120621 + + Cleanup: simplified workarounds for Solaris streams versus + UNIX-domain sockets. Files: util/pass_accept.c (new), + util/pass_trigger.c (new), util/stream_pass_connect.c + (deleted), util/unix_pass_listen.c (deleted), + util/unix_pass_trigger.c (deleted), updated header files, + and replaced PASS_XXX macros by pass_xxx function calls. + + Cleanup: don't clobber errno when logging a problem. + File util/msg_output.c. + +20120627 + + Bugfix (introduced: 20120531-617): in the postscreen module + for HAproxy sypport, a VSTREAM buffer size request was not + LP64-clean. File: postscreen/postscreen_haproxy.c. + + Cleanup: avoid single-character reads in the postscreen + HAproxy module. File: postscreen/postscreen_haproxy.c. + +20120628 + + Workaround: heuristic to detect missing (ssize_t) type-cast + in VSTREAM buffer size requests. File: util/vstream.c. + +20120629 + + Workaround: "sendmail -bl" emulation. File: sendmail/sendmail.c. + +20120630 + + Cleanup: sub-optimal hash performance on systems where the + "char" type is signed. Files: util/htable.c, util/binhash.c. + +20120702 + + Bugfix (introduced: 19990127): the BIFF client leaked an + unprivileged UDP socket. Fix by Jaroslav Skarvada. File: + local/biff_notify.c. + +20120713 + + Bugfix (introduced: 20120527-8): infrastructure to specify + a smaller-than-default VSTREAM buffer, without the complex + run-time checks. File: util/vstream.c, vstream_tweak.c. + +20120714 + + Cleanup: semantics of requests to query or modify the VSTREAM + buffer size that will be used with the next read(2) or + write(2) operation. Files: util/vstream.c, util/vstream.h, + util/vstream_tweak.c. + +20120717 + + Documentation: update to RFC5321. + +20120730 + + Bugfix (introduced: 20000314): AUTH is not allowed after + MAIL. Timo Sirainen. Files: smtpd/smtpd.c, smtpd/smtpd.h, + smtpd/smtpd_sasl_proto.c. + +20120801 + + Documentation: point of what virtual_xxx parameters are + specific to the virtual(8) delivery agent, and will have + no effect when mail is delivered with a different program. + Files: proto/postconf.proto, proto/VIRTUAL_README.html. + +20120824 + + Feature: support for "sendmail -R hdrs|full". Jan Kundr?t. + File: sendmail/sendmail.c. + +20120902 + + Documentation: updated TUNING_README with new pointers to + the STRESS_README and POSTSCREEN_README documents. Miscellaneous + documentation clarifications based on postfix-users discussions. + +20120903 + + Bugfix (introduced 20120317): the socketmap client should + not share unrelated client endpoint handles. File: + util/dict_sockmap.c. + +20120907 + + Cleanup (for change 20120824): the DSN RET attribute should + not be stored once per recipient. It is a message property + just like DSN ENVID. File: sendmail/sendmail.c. + +20120911 + + Documentation: more explicit enumeration of what happens + when setting a per-destination recipient limit value to 1. + File: proto/postconf.proto. + +20120918 + + Documentation: clarified the bounce/queue_life-time parameter + descriptions. File: proto/postconf.proto. + +20120920 + + Documentation: the postscreen_whitelist_interfaces parameter + syntax was defined only by example. File: proto/postconf.proto. + +20120923 + + Infrastructure: cleaned up the support for database + lock-on-open. This is needed for databases that are not + multi-updater safe. Files: util/dict_alloc.c, util/dict.c, + util/dict_open.c, util/dict.h. tls/tls_scache.c. + +20120924 + + Documentation: some people are read-challenged distribute + their own incorrect understanding of master.cf syntax. + File: proto/master. + + Cleanup: don't emulate UNIX-domain sockets over FIFOs on + Solaris systems less than 10 years old. This allows us to + globally s/fifo/unix/ in master.cf. Files: makedefs, + util/sys_defs.h. + + Laptop-friendliness: avoid disk spin-up on idle systems by + s/fifo/unix/ in master.cf. Files: conf/master.cf. + +20120928-30 + + Feature: smtpd_relay_restrictions, proposed long ago by + Victor. The idea is to separate the mail relay policy from + the spam blocking policy, so that a permissive spam blocking + policy under smtpd_recipient_restrictions will no longer + unexpectedly result in a permissive mail relay policy. + + This involves a change in default settings. Similar to the + way that local_recipient_maps was introduced, there is a + safety net that prevents unexpected mail bounces when a + site upgrades to Postfix 2.10 or later, and there is no + change in documented smtpd_recipient_restrictions behavior. + See the RELEASE_NOTES file for details. Files: + global/mail_params.h, smtpd/smtpd.c, smtpd/smtpd_check.c, + proto/postconf.proto, proto/SMTPD_ACCESS_README.html, + mantools/postlink, conf/post-install, RELEASE_NOTES. + +20120931-1001 + + Documentation: updated the remainder of the README files + and manual pages that discuss smtpd_recipient_restrictions. + +20121001 + + Cleanup: prepend 5.1.1 status code to "User unknown in + virtual alias table". File: trivial-rewrite/resolve.c. + +20121003 + + Bugfix: the postscreen_access_list feature was case-sensitive + in the first character of permit, reject, etc. Reported by + Francis Picabia. File: global/server_acl.c. + +20121009 + + Documentation: interaction between delay_warning_time, + notify_classes and delay_notice_recipient. File: + proto/postconf.proto. + +20101009 + + Human factors: log a warning that the postcat option -m + without -h or -b has no effect. File: postcat/postcat.c. + +20121010 + + Bugfix (introduced: Postfix 2.5): memory leak in program + initialization. Reported by Coverity. File: tls/tls_misc.c. + + Bugfix (introduced: Postfix 2.3): memory leak in the unused + oqmgr program. Reported by Coverity. File: oqmgr/qmgr_message.c. + +20121011 + + Documentation: how to enable /etc/hosts multi-record lookups + with main.cf settings. File: proto/LINUX_README.html. + + Documentation: clarified the postscreen-tlsproxy interface. + File: tlsproxy/tlsproxy.c. + +20121012 + + Documentation: a simpler null-client example. File: + proto/STANDARD_CONFIGURATION_README.html + +20121013 + + Cleanup: to compute the LDAP connection cache lookup key, + join the numeric fields with null, just like string fields. + Viktor Dukhovni. File: global/dict_ldap.c. + +20121015 + + Documentation: added section on regular-expression tables + to the aliases(5) manpage. File: proto/aliases. + + Documentation: why "smtp_address_preference = any" is the + preferred setting. File: proto/postconf.proto. + +20121022 + + Bugfix (introduced 20101009) don't complain about stray -m + option if none of -[bhm] is specified. Ralf Hildebrandt. + File: postmap/postmap.c. + +20121029 + + Workaround: strip datalink suffix from IPv6 addresses + returned by the system getaddrinfo() routine. Such suffixes + mess up the default mynetworks value, host name/address + verification and possibly more. This change obsoletes the + 20101108 change that removes datalink suffixes in the SMTP + and QMQP servers. Files: util/myaddrinfo.c, smtpd/smtpd_peer.c, + qmqpd/qmqpd_peer.c. + +20121031 + + Bugfix: smtpd_relay_restrictions compatibility shim did not + detect "empty" value. Sahil Tandon. The same problem existed + with the inet_protocols shim. File: conf/post-install. + +20121105 + + Cleanup: the postscreen(8) "deep protocol" tests now log + the SMTP command that precedes a protocol violation. Files: + postscreen/postscreen_smtpd.c, proto/POSTSCREEN_README.html. + + Bugfix (introduced: Postfix 1.1): wrong string termination + when handling an MBOX From_ line at the start of a message. + File: qmqpd/qmqpd.c. + +20121110 + + Cleanup: specify $(WARN) on the MacOS X compiler command + line to suppress "nested comment" and possibly other unwanted + warnings. Problem reported by Jim Reid. File: makedefs, + Makefile.in. + +20121119 + + Documentation: added a note that key_format is required + when postscreen(8) and verify(8) share the same memcache + (with different persistent backup databases, or course) + otherwise automatic cache cleanup breaks due to a name + collision for the "last cache cleanup" database record. + File: proto/memcache. + +20121122 + + Cleanup: the safety-check for smtpd_recipient_restrictions + and smtpd_relay_restrictions now detects permit before + reject. File: smtpd/smtpd_check.c. + + Cleanup: the safety-check for smtpd_recipient_restrictions + and smtpd_relay_restrictions is no longer case-sensitive. + File: smtpd/smtpd_check.c. + +20121123 + + Cleanup: consistent escaping of commands in postscreen deep + protocol test logging. File: postscreen/postscreen_smtpd.c. + +20121124 + + Documentation: the bounce behavior for automatically-added + BCC recipients has changed with Postfix 2.3 when DSN support + was introduced. File: proto/postconf.proto. + +20121203 + + Documentation: added explicit example for -o name=value. + File: proto/master. + +20121210 + + Bugfix (introduced: Postfix 2.9) nesting count error while + stripping the optional [] around a DNS[BW]L address pattern. + This part of the code is not documented and had escaped + testing. Files: util/ip_match.c, util/ip_match.in, + util/ip_match.ref. + +20121215 + + Bugfix (introduced: 19980218, when recipient_delimiter + support was added): The error message for unknown local + users (or missing required aliases) should report the user + name instead of the full localpart which may contain an + address extension. Problem reported by Christian Holler. + File: local/unknown.c. + +20121221 + + Feature: "postconf -x" support to expand $name in main.cf + parameter values. Files: postconf/postconf_main.c, + postconf/postconf.h, postconf/postconf_node.c, postconf/postconf.c. + +20121222 + + Feature: postconf support to warn about an attempt to modify + a read-only parameter (process_name etc.) in main.cf or + master.cf. Files: postconf/postconf_readonly.c, + postconf/postconf_builtin.c. + +20121223 + + Feature: postconf support to warn about an undefined $name + in a parameter value in main.cf or master.cf (except for + backwards-compatibility parameters such as $virtual_maps) + Files: postconf/postconf_user.c, postconf_dbms.c, + postconf_builtin.c, util/dict_ht.c, util/htable.c. + + Feature: "postconf -Mx" support to expand $name in master.cf + parameter values. Files: postconf/postconf_master.c, + postconf/postconf_lookup.c, postconf/postconf_main.c, + postconf/postconf.c. + +20121224 + + Feature: "postconf -Mn" support to print only master.cf + entries that have "-o name=value" parameter setttings. + Files: postconf/postconf_master.c. + +20121226 + + Miscellaneous cleanups of postconf internal APIs, identifiers + and comments. No changes in behavior. + + Bugfix (omission in feature 20111203): the SMTP server only + supported time-dependent address-verification sender addresses + with RCPT TO but not with MAIL FROM. File: smtpd/smtpd.c. + +20121227 + + Feature: "postconf -o name=value" support to override main.cf + settings (for example, "postconf -x -o stress=whatever" + shows effective settings under overload). Files: + postconf/postconf.c, postconf/postconf_main.c. + +20121230 + + Cleanup: postconf(1) master.cf options parser. Files: + postconf/postconf_master.c, postconf/postconf_user.c. + + Bugfix (omission in feature 20111106): the postconf(1) + master.cf options parser didn't support "clusters" of + command-line option letters. Files: postconf/postconf_master.c, + postconf/test40.ref. + +20130105 + + Undo a change made around 20121224, and always whitelist + configuration parameter names for legacy-style proxy:ldap:prefix + etc. lookup tables. Files: postconf/postconf_dbms.c, + postconf/test28.ref, postconf/test29.ref, postconf/Makefile.in. + +20130107 + + Factor out the master.cf line parser so that it can be + reused for "postconf -Me". File: postconf/postconf_master.c. + +20130113 + + Feature: master.cf attribute namespace. "postconf -F" shows + individual master.cf fields as "service/type/attribute = + value", where attribute is "service", "type", "private", + "unprivileged", "wakeup", "process_limit", or "command". + +20130121 + + Bugfix (introduced 20120307): the postconf -X option erased + other options. File: postconf/postconf.c. + +20130131 + + Bugfix: the local(8) delivery agent dereferenced a null + pointer while delivering to null command (for example, "|" + in a .forward file). Reported by Gilles Chehade. + +20130203 + + Bugfix: the undocumented OpenSSL X509_pubkey_digest() + function is unsuitable for computing certificate PUBLIC KEY + fingerprints. Postfix now provides a correct procedure + that accounts for the algorithm and parameters in addition + to the key data. Specify "tls_legacy_public_key_fingerprints + = yes" if you need backwards compatibility. Fix by Victor + Duchovni, BC added by Wietse. Files: tls/tls_verify.c, + tls/tls_misc.c, proto/TLS_README.html, global/mail_params.h. + +20130210 + + Bugfix: an error handler for smtp_tls_policy_maps lookups + was never invoked. File: smtp/smtp_session.c. + +20130212 + + Cleanup: logfile message formatting (X: subject_CN=X, + issuer_CN=X, fingerprint=X, pkey_fingerprint=X). File: + tls/tls_client.c. + +20130315 + + Feature: LMDB (memory-mapped persistent file) support by + Howard Chu. This implementation has unexpected failure modes + that don't exist with other Postfix databases, so don't + just yet abandon CDB. See LMDB_README for details. Files: + proto/postconf.proto, proto/LMDB_README.html, + proto/DATABASE_README.html, proto/INSTALL.html util/dict_lmdb.[hc], + util/dict_open.c, global/mkmap_lmdb.[hc], global/mkmap_open.c, + postconf/postconf.c. + +20130316 + + Cleanup: new Postfix dictionary API flag to control the use + of (LMDB) bulk database transactions. With this, LMDB + databases no longer fail to commit any transactions with + tlsmgr(8), and LMDB databases no longer perform glacially + slow with postmap -i/postalias -i. Files: util/dict.h, + util/dict_lmdb.c, postmap/postmap.c, postalias/postalias.c. + +20130317 + + Debugging: generalized setting of dictionary API flags. + File: util/dict.[hc], util/dict_test.c. + + Robustness: Postfix programs can now recover from LMDB + "database full" errors without requiring human intervention. + When a program opens an LMDB file larger than lmdb_map_size/3, + it logs a warning and uses a larger size limit instead. + Files: util/dict_lmdb.c, proto/LMDB_README.html. + +20130318 + + Portability: botched #ifdef. File: util/dict_lmdb.c. + +20130319 + + Postfix support for LMDB databases is suspended due to the + existence of a hard limit (an "out of storage" failure mode + that cannot be resolved by increasing the database size). + + Postfix may support LMDB again when it no longer limits the + size of Postfix transactions, whether the limit is built + into LMDB itself, or implicit by requiring an unbounded + amount of memory to handle a large transaction. + +20130322 + + Documentation: smtp_skip_5xx_greeting wording updated to + reflect text in RFC 2821, which appears to say that a 554 + greeting is not a hard delivery error (note that RFC 2821 + was published later than smtp_skip_5xx_greeting). File: + proto/postconf.proto. + +20130324 + + Workaround: MacOS 10.8 (Darwin 12) getrlimit(RLIMIT_NOFILE) + incorrectly reports that rlim_max, the hard limit on the + number of open files per process, is equal to RLIM_INFINITY + (i.e. no limit is enforced). In reality, setrlimit(RLIMIT_NOFILE) + rejects requests where rlim_cur, the current limit, contains + any value > kern.maxfilesperproc. Axel Luttgens. File: + util/open_limit.c. + + Portability: MacOS 10.8 (Darwin 12) kqueue support works. + Axel Luttgens. Files: makedefs. + +20130324 + + Support for anonymous certificates. Viktor Dukhovni. File: + tls/tls_verify.c. + + Feature: support for DNSSEC-validated lookups and TLSA + RRsets. Viktor Dukhovni. Files: dns/Makefile.in, dns/dns.h, + dns/dns_lookup.c, dns/dns_rr.c, dns/dns_strtype.c, + dns/test_dns_lookup.c, + + Cleanup: the personality switch between "smtp" and "lmtp". + This streamlines the switch in the SMTP/LMTP protocol, DNS + MX lookups, and configuration parameter names in error + messages. Viktor Dukhovni. Files: smtp/smtp.c, smtp/smtp.h, + smtp/smtp_chat.c, smtp/smtp_connect.c, smtp/smtp_proto.c, + smtp/smtp_rcpt.c, smtp/smtp_sasl_glue.c, smtp/smtp_sasl_proto.c, + smtp/smtp_session.c, smtp/smtp_state.c. + + Feature: replace disable_dns_lookups with smtp_dns_support_level, + enable secure DNSSEC lookups in the Postfix SMTP client, + and use the DNSSEC-validated remote SMTP server name to + select the SMTP and TLS policies. Viktor Dukhovni. Files: + dns/Makefile.in, dns/dns.h, dns/dns_lookup.c, dns/dns_rr.c, + dns/dns_strtype.c, dns/test_dns_lookup.c. + +20130325 + + Portability: on MacOS X, use kqueue() for event handling + but use select() instead of poll() for read/write timeouts + (with a workaround to handle file decriptors >=FD_SETSIZE). + Files: util/sys_defs.h, util/readable.c, util/writable.c, + util/read_wait.c, util/write_wait.c. + + Portability: support for NetBSD 5.x, NetBSD 6.x and DragonFly + BSD. Viktor Dukhovni. Files: makedefs, util/sys_defs.h. + +20130326 + + Cleanup: new module that consolidates all system-dependent + code to enforce read/write timeouts. This includes a final + workaround for MacOS X that uses poll() first, and select() + if that fails. This makes their /dev/urandom workaround + unnecessary. Files: util/poll_fd.c, util/iostuff.h. Removed: + util/readable.c, util/writable.c, util/read_wait.c, + util/write_wait.c. + + Cleanup: refactor TLS digest functions, improved signature + for TLS session cache. Viktor Dukhovni. Files: smtp/smtp.c, + smtp/smtp_proto.c, smtpd/smtpd.c, tls/Makefile.in, tls/tls.h, + tls/tls_client.c, tls/tls_fprint.c, tls/tls_level.c, + tls/tls_misc.c, tls/tls_server.c, tls/tls_verify.c, + tlsproxy/tlsproxy.c. + +20130327 + + Cleanup: final polish for MacOSX workarounds; replaced + #ifdef MacOSX by feature test as required by PORTING document. + Files: util/poll_fd.c, util/open_limit.c. + + Export tls_fprint() and tls_digest_encode() for use in DANE. + Viktor Dukhovni. Files: tls/tls.h, tls/tls_fprint.c. + +20130331 + + Refactoring: TLS verification callback processing in + preparation for DANE support. Viktor Dukhovni. Files: + tls/tls.h, tls/tls_client.c, tls/tls_misc.c, tls/tls_verify.c. + + Refactoring: split off SMTP client per-session TLS policy + data and code in preparation for DANE support. Viktor + Dukhovni. Files: smtp/Makefile.in, smtp/smtp.h, + smtp/smtp_connect.c, smtp/smtp_proto.c, smtp/smtp_reuse.c, + smtp/smtp_session.c, smtp/smtp_tls_sess.c. + + Cleanup: "zero time limit" corner case in read_wait() and + write_wait() emulation. Files: util/poll_fd.c, util/iostuff.h. + +20130401 + + Refactoring: allow smtp_session_alloc() to fail gracefully + and report an error. + +20130403 + + Documentation: in smtpd.c, the comment that justifies the + 454 reply for "TLS unavailable" cited the wrong RFC. + +20130404 + + Human factors: warning when a main.cf parameter has multiple + entries with different values. File: util/dict.c. + +20130405 + + Feature: the recipient_delimiter parameter can now specify + a set of characters. A user name is now separated from its + address extension by the first character that matches the + recipient_delimiter set. Files: proto/postconf.proto, + src/global/mail_addr_find.c, src/global/mail_params.c, + src/global/split_addr.c, src/global/split_addr.h, + src/global/strip_addr.c, src/global/strip_addr.h, + src/global/strip_addr.ref, src/local/bounce_workaround.c, + src/local/local.c, src/local/local_expand.c, src/local/recipient.c, + src/local/resolve.c, src/oqmgr/qmgr_message.c, src/pipe/pipe.c, + src/qmgr/qmgr_message.c, src/smtpd/smtpd.c, + src/smtpd/smtpd_check.c, src/trivial-rewrite/transport.c, + src/trivial-rewrite/trivial-rewrite.c. + + Feature: support for trust anchors, i.e. CA certificates + or public keys that will be used instead of conventional + root certificates, and revised fingerprint support. This + can be used by itself, and this provides support for an + upcoming DANE implementation. Victor Duchovni. Files: + mantools/postlink, proto/TLS_README.html, proto/postconf.proto, + global/mail_params.h, smtp/lmtp_params.c, smtp/smtp.c, + smtp/smtp.h, smtp/smtp_params.c, smtp/smtp_proto.c, + smtp/smtp_session.c, smtp/smtp_state.c, smtp/smtp_tls_sess.c, + tls/Makefile.in, tls/tls.h, tls/tls_client.c, tls/tls_dane.c, + tls/tls_fprint.c, tls/tls_misc.c, tls/tls_verify.c, + util/argv.c, util/argv.h. + +20130409 + + Documentation: pointers to other actions under "ACCEPT + ACTIONS" and "REJECT ACTIONS". File: proto/access. + +20130410 + + Cleanup: more uniform permutation in dns_rr() by Victor + Duchovni & Son. File: dns/dns_rr.c. + +20130411 + + Documentation: clarified text about result formats. Files: + proto/canonical, proto/virtual. + +20130414 + + Cleanup: the SMTP client connection management code now + maintains iterator state with a structure that contains + next-hop, host name, address, port and other information. + This iterator structure replaces random variables that were + updated by add-hoc code, and replaces random function + argument lists. The more structured approach is easier to + maintain and has already paid off by exposing opportunities + to improve SMTP connection cache usage. Wietse Venema. + Files: smtp/smtp.h, smtp/smtp_connect.c, smtp/smtp_session.c, + smtp_reuse.c. + + Cleanup: eliminated minor false SMTP connection cache-sharing + problems due to mis-aligned lookup keys for caches and + lookup tables (for example some used the nexthop, and some + the domain name). Information that is used in more than + one lookup key is now generated by a centralized function. + This replaces ad-hoc code in random places that was + concatenating ad-hoc data to construct lookup keys. The + more structured approach is easier to maintain and makes + future cache-sharing issues easier to prevent. Wietse + Venema. Files: smtp/smtp.h, smtp/smtp_connect.c, smtp_reuse.c, + smtp_key.c, smtp_tls_sess.c. + + Cleanup and fix of non-production code: the trust anchor-digest + code and smtp_sess_tls_required() function. Victor Duchovni. + Files: smtp/smtp_connect.c, smtp/smtp_proto.c, + smtp/smtp_tls_sess.c, tls/tls.h, tls/tls_client.c, + tls/tls_dane.c, tls/tls_level.c, tls/tls_verify.c. + +20130417 + + Cleanup and fix of non-production code: add the SASL + credentials or absence thereof to the connection cache + endpoint label; better reuse of SASL-authenticated connections + over UNIX-domains sockets, however unlikely these may be; + a first step towards refinement of connection cache lookup + by IP address for plaintext or SASL-unauthenticated connections. + Files: smtp/smtp.h smtp/smtp_connect.c, smtp/smtp_reuse.c, + smtp/smtp_key.c, smtp/smtp_tls_sess.s. + +20130418 + + Cleanup: configurable field delimiter and optional "not + available" field place holder for cache and table lookup + keys; automatic base64 encoding for key fields that contain + these. Files: smtp/smtp_key,c, smtp/smtp_reuse.c, + smtp/smtp_proto.c, smtp/smtp_tls_sess.c. + +20130420-21 + + Documentation: "dane" TLS security level and parameters. + Viktor Dukhovni. Files: mantools/postlink, proto/TLS_README.html, + proto/postconf.proto. + + Feature: implemented and enabled DNS-based DANE security + level. Viktor Dukhovni. Files: global/mail_params.h, + smtp/lmtp_params.c, smtp/smtp.c, smtp/smtp.h, smtp/smtp_params.c, + smtp/smtp_proto.c, smtp/smtp_tls_sess.c, tls/tls.h, + tls/tls_client.c, tls/tls_dane.c, tls/tls_fprint.c, + tls/tls_level.c, tls/tls_misc.c, util/Makefile.in, + util/ctable.c, util/ctable.h, util/timecmp.c, util/timecmp.h. + + Cleanup: rename (unchanged) smtp_tls_sess.c to smtp_tls_policy.c. + Viktor Dukhovni. Files: smtp/Makefile.in, smtp/smtp_tls_policy.c, + smtp/smtp_tls_sess.c. + + Portability: OpenSSL workarounds for versions before 0.9.7 + are removed from the source code. Viktor Dukhovni. Files: + tls/tls.h, tls/tls_bio_ops.c, tls/tls_client.c. + + Non-production fixes: when falling back from opportunistic + TLS to plaintext, don't modify the cached TLS policy "retry + as plaintext" and "level" members. Files: smtp/smtp_session.c. + + Non-production fixes: move TLS policy lookup to the main + connection iterator loop, so that the policy is known before + attempting connection reuse and before SMTP connection + creation. Temporarily link session->tls to state->tls. + Files: smtp/smtp.h, smtp/smtp_connect.c, smtp/smtp_reuse.c, + smtp/smtp_tls_policy.c. + +20130422 + + Feature: smtptls-finger test program for SMTP over TLS. + Viktor Dukhovni. Files: Makefile.in, html/Makefile.in, + man/Makefile.in, mantools/postlink, posttls-finger/.indent.pro, + posttls-finger/Makefile.in, posttls-finger/posttls-finger.c, + posttls-finger/tlsmgrmem.c, posttls-finger/tlsmgrmem.h, + tls/tls.h, tls/tls_misc.c. + +20130423 + + Bugfix (introduced: Postfix 2.0): when myhostname is not + listed in mydestination, the trivial-rewrite resolver may + log "do not list <myhostname value> in both mydestination + and <name of non-mydestination domain list>". The fix is + to re-resolve a domain-less address after adding $myhostname + as the surrogate domain, so that it pops out with the right + address-class label. Problem reported by Quanah Gibson-Mount. + File: trivial-rewrite/resolve.c. + +20130425 + + Non-production fixes: revert to using proxies (sender, + nexthop, hostname) to distinguish between different SASL + credentials for connections to the same IP address and port. + Files: smtp/smtp.h smtp/smtp_connect.c, smtp/smtp_key.c. + + Non-production cleanup: documentation, identifiers. Viktor + Dukhovni. Files: proto/postconf.proto, src/dns/dns.h, + src/dns/dns_lookup.c, src/dns/dns_rr.c, src/dns/test_dns_lookup.c, + src/global/mail_proto.h, src/posttls-finger/posttls-finger.c, + src/smtp/smtp.h, src/smtp/smtp_addr.c, src/smtp/smtp_connect.c, + src/smtp/smtp_session.c, src/smtp/smtp_tls_policy.c, + src/smtpd/smtpd_check.c, src/tls/tls.h, src/tls/tls_client.c, + src/tls/tls_dane.c, src/tls/tls_fprint.c, src/tls/tls_misc.c, + src/tls/tls_proxy_clnt.c, src/tls/tls_proxy_print.c, + src/tls/tls_proxy_scan.c, src/tls/tls_server.c, + src/tls/tls_verify.c. + +20130426 + + Non-production fixes: refinement of SASL-dependent context + for connection-cache reuse, documentation. Viktor Dukhovni + and Wietse Venema. Files: smtp/smtp.h, smtp/smtp_key.c, + tls/tls_client.c. + +20130506 + + Non-production bugfix: macros must use distinct names for + temporary variables, to avoid name collision problems. + Problem report: Ralf Hildebrandt. Problem fix: Viktor + Dukhovni. File: smtp/smtp.h. + + Non-production cleanup: simplified "dane" user interface, + replacing one "dane" security level plus multiple fall-back + options, with two "dane" security levels, one opportunistic + and one mandatory. Viktor Dukhovni. Files: proto/TLS_README.html, + proto/postconf.proto, mantools/postlink, proto/TLS_README.html, + proto/postconf.proto, global/mail_params.h, + posttls-finger/posttls-finger.c, smtp/lmtp_params.c, + smtp/smtp.c, smtp/smtp.h, smtp/smtp_params.c, + smtp/smtp_tls_policy.c, tls/tls.h, tls/tls_level.c. + +20130512 + + Feature: allow an SMTP client to skip postscreen(8) tests + before or after the 220 greeting, based on its DNSBL score. + Suggested by Rob McGee (/dev/rob0). Files: mantools/postlink, + proto/postconf.proto, global/mail_params.h, + postscreen/postscreen.c, postscreen/postscreen.h, + postscreen/postscreen_early.c, postscreen/postscreen_state.c, + postscreen/postscreen_tests.c. + +20130513 + + Bugfix (introduced: 20130512): postscreen logged no "PASS + NEW" event when the pregreet tests were turned off and the + postscreen_dnsbl_whitelist_treshold feature was turned on. + Reported by Rob McGee (/dev/rob0). Files: postscreen/postscreen.h, + postscreen/postscreen_early.c. + + Bugfix (introduced: 20130512): postscreen panic because the + logic for dnsbl result retrieval was changed. Reported by + Noel Jones. File: postscreen/postscreen_early.c. + +20130517 + + Cleanup: just like the postscreen DNS block test will use + partial scores when some DNS lookup result is unavailable, + the postscreen_dnsbl_whitelist_treshold feature will now + use partial scores instead of ignoring them. File: + postscreen/postscreen_early.c. + +20130518 + + Bugfix (introduced: 1997): memory leak after error while + forwarding mail through the cleanup server. Viktor found + one, Wietse eliminated the rest. File: local/forward.c. + + Feature: posttls-finger protocol and cipher grade selection + options. Leave protocol debug flags active across reconnects, + only suppress redundant logging of the certificate details. + Viktor Dukhovni. File: posttls-finger/posttls-finger.c. + + Robustness: send SNI even when trying to reuse a DANE + session, because a new session may be negotiated anyway. + Viktor Dukhovni. File: tls/tls_client.c. + + Cleanup: eliminate variable that is redundant with respect + to more authoritative state. Viktor Dukhovni. File: + posttls-finger/posttls-finger.c. + + Feature: new tls_ssl_options parameter to enable OpenSSL + features (as opposed to tls_disable_workarounds which is + disables bug workarounds that are on by default). Viktor + Dukhovni. Files: proto/TLS_README.html, proto/postconf.proto, + src/global/mail_params.h, src/tls/tls.h, src/tls/tls_client.c, + src/tls/tls_misc.c. + +20130520 + + Documentation: removed resolve_null_domain from the list + of smtpd(8) parameters. File: smtpd/smtpd.c. + +20130523 + + Documentation: add cidr: and texthash: to the list of maps + that don't have automatic change detection. File: + proto/DATABASE_README.html. + + Documentation: define the netmask format of CIDR maps. + File: proto/cidr_table. + +20130530 + + Cleanup: replace alloca() with mymalloc()/myfree() for + better error handling. Reported by Bill Parker. File: + util/dict_ni.c (does anyone still use this code?). + +20130531 + + Feature: tls_wildcard_matches_multiple_labels (default: + yes) to match multiple DNS labels with "*" in wildcard + certificates. Viktor Dukhovni. Files: proto/postconf.proto, + mantools/postlink, global/mail_params.h, tls/tls_client.c, + tls/tls_misc.c. + +20130607 + + Bugfix (DANE support): with multiple TLSA RR that carry "x + 0 0" certificates or "x 1 0" keys, Postfix failed to reset + the cert/key pointer before calling d2i_mumble(), causing + OpenSSL to clobber the previous cert or key. Viktor Dukhovni. + tls/tls_dane.c. + + Robustness: check that TLSA-supplied certs have valid keys. + It is not clear whether that check is performed in d2i(). + Viktor Dukhovni. tls/tls_dane.c. + +20130608 + + Cleanup (DANE support): be more explicit in the logging of + object digests. Viktor Dukhovni. tls/tls_dane.c. + +20100613 + + Workaround: unhelpful down-stream maintainers fail to install + the new smtpd_relay_restrictions safety net, causing breakage + that could have been avoided. We now hard-code the safety + net instead. Files: global/mail_params.h, conf/post-install, + RELEASE_NOTES_2.10. + + Bugfix (DANE support): when TLSA records are insecure, + report that none are found. Viktor Dukhovni. Files: + posttls-finger/posttls-finger.c, smtp/smtp_tls_policy.c, + tls/tls_dane.c. + +20130615 + + TLS Interoperability: turn on SHA-2 digests by force. This + improves interoperability with clients and servers that + deploy SHA-2 digests without the required support for + TLSv1.2-style digest negotiation. Based on patch by Viktor + Dukhovni. Files: tls/tls_client.c, tls/tls_server.c. + +20130616 + + Workaround: The Postfix SMTP server TLS session cache was + broken because OpenSSL now enables session tickets by + default, resulting in different ticket encryption key for + each smtpd(8) process. the workaround turns off session + tickets. In 2.11 we'll enable session tickets properly. + Viktor Dukhovni. File: tls/tls_server.c. + + Updated DANE support (trust in DNS instead of PKI). With + OpenSSL 1.0.2 (under development) trusted certificates don't + need to be self-signed roots. Otherwise we use an ephemeral + root certificate to sign the trust anchor. Viktor Dukhovni. + Files: posttls-finger/posttls-finger.c, smtp/smtp_proto.c, + smtp/smtp_tls_policy.c, tls/tls.h, tls/tls_client.c, + tls/tls_dane.c, tls/tls_fprint.c, tls/tls_misc.c, + tls/tls_verify.c. + +20130619 + + Documentation: troff lint. Patch by ES Raymond's bot. File: + proto/header_checks. + + Cleanup: enforce smtpd_client_recipient_rate_limit for VRFY + commands. File: smtpd/smtpd.c. + +20130622 + + Bugfix: typo in the 20130613 smtpd_relay_restrictions default + setting. File: global/mail_params.h. + +20130623 + + Cleanup: configurable tlsmgr(8) service name. Files: + mantools/postlink, proto/postconf.proto, tls/tls_mgr.c, + tls/tls_misc.c, tlsproxy/tls-proxy.c, smtp/smtp.c, + smtpd/smtpd.c. + +20130629 + + Cleanup: documentation. Files: proto/CONNECTION_CACHE_README.html, + proto/SCHEDULER_README.html. + +20130708 + + Cleanup: postscreen_upstream_proxy_protocol setting. Files: + global/mail_params.h, postscreen/postscreen_endpt.c. + +20130709 + + Cleanup: qmgr documentation clarification by Patrik Rak. + Files: proto/SCHEDULER_README.html, qmgr/qmgr_job.c. + + Cleanup: re-indented code. File: qmgr/qmgr_job.c. + + Logging: minimal DNAME support. Viktor Dukhovni. dns/dns.h, + dns/dns_lookup.c, dns/dns_strtype.c, dns/test_dns_lookup.c. + +20130710 + + Workaround: smtp_connection_reuse_count_limit (default 0, + i.e. unlimited) for sites that must deal with hostile + connection reuse policies. The documentation comes with a + warning that this feature introduces a "fatal attractor" + failure mode. Files: global/mail_params.h, mantools/postlink, + proto/postconf.proto, smtp/smtp.c, smtp/smtp_params.c, + smtp/lmtp_params.c, smtp/smtp.h. + + Workaround: FreeBSD9 nroff outputs ANSI escape sequences + instead of overstrike sequences. To make matters worse, it + uses the ESC[0m sequence sometimes for end-of-bold and + sometimes for end-of-italic. File: mantools/man2html. + +20130714 + + Cleanup: added smtpd_relay_restrictions entries to the + default master.cf file, so that main.cf settings won't + affect the submission and smtps services. Simon Matter. + File: conf/master.cf. + +20130728 + + Cleanup: wrong function name in error message. John Fawcett. + File: util/vstring_vstream.c. + +20130801 + + Cleanup: with ``make makefiles CCARGS="-DHAS_DB...'', the + makedefs script no longer tries to locate the Linux Berkeley + DB include and library files. Instead it assumes that the + locations are given on the command line, as shown in the + DB_README examples. Leo Baltus. File: makedefs. + +20130805 + + Documentation: clarified reject_non_fqdn_helo_hostname. + File: proto/postconf.proto. + +20130809 + + Cleanup: the lmdb_map_size parameter is now a long integer. + Howard Chu. Files: global/mail_params.[hc]. + +20130815 + + Documentation: added pointer to Dovecot 2 configuration. + File: proto/SASL_README.html + +20130818 + + Update: LMDB client updated to LMDB 0.9.7, which hopefully + fixes the unrecoverable "transaction full" error. With a + new MDB_MAP_FULL workaround by Howard Chu that ensures that + postfix will make progress as long as the disk is not full. + File: util/dict_lmdb.c. + +20130822 + + The status of LMDB databases is "not recommended". Unlike + other Postfix databases, LMDB does not grow beyond a specified + limit even when the file system has room. This show-stopper + bug breaks applications whose requirements grow with load: + postscreen(8), greylisting, tlsmgr(8) and verify(8). + +20130825 + + Bitrot: Arrange for shared keys in SMTP server session + tickets. Otherwise, with clients that enable session + tickets, the SMTP session cache is per-process and largely + ineffective. Older releases should add SSL_OP_NO_TICKET + to the SSL options bit mask in the SMTP server only. The + session ticket key validity interval (sum of initial issuing + and retired key validation intervals) must not exceed the + SSL session lifetime. Otherwise, clients may send valid + tickets for expired sessions, which the OpenSSL server code + mishandles (does not send a replacement ticket, patch + pending...). + + We set the session lifetime to 2 times the configured cache + lifetime which is also the ticket issuing and retired + validation lifetime, so ticketed sessions last 1 to 2 times + the configured session lifetime and never longer than a + session's expiration time. + + Code by Viktor Dukhovni. Files: .indent.pro, mantools/postlink, + proto/TLS_README.html, proto/postconf.proto, global/mail_params.h, + posttls-finger/posttls-finger.c, posttls-finger/tlsmgrmem.c, + smtpd/smtpd.c, tls/tls.h, tls/tls_client.c, tls/tls_mgr.c, + tls/tls_mgr.h, tls/tls_scache.c, tls/tls_scache.h, + tls/tls_server.c, tlsmgr/tlsmgr.c, tlsproxy/tlsproxy.c. + + Robustness: Search for TLSA RRs at the resolved server name + (rname) and failing that request server name (qname), and + use whichever was found as the TLSA base domain for certificate + matching. + + When we find a DNSSEC validated MX RRset, and the initial + next-hop domain is a CNAME, include both the initial and + final (the one with the actual MX RRs) domains in the list + of valid server certificate names. + + When we find no MX records, then the initial next-hop domain + is obtained securely from the recipient domain or transport + next-hop. Without MX records, this is a destination hostname, + so we should generally do a TLSA lookup. If however the + address lookup yields an insecure result, and its rname is + equal to its qname (no CNAMEs), we reasonably assume that + the its child "_port._tcp" sub-domain is likewise insecure + (security here would require DLV just for this sub-domain). + This allows us to skip futile TLSA queries for most non-MX + destinations (those that are in insecure zones and are not + CNAMEs). This heuristic can be disabled by setting the new + main.cf parameter smtp_tls_force_insecure_host_tlsa_lookup + to "yes", the default is "no". + + Finally, with MX hostnames, if the MX RRset is secure, we + look for TLSA RRs at the qname only when the MX host is an + alias with an insecure rname. If both the qname and the + rname are secure, as before we prefer the rname, but when + nothing is found there, fall back to the qname. + + Code by Viktor Dukhovni. Files: mantools/postlink, + proto/postconf.proto, src/global/mail_params.h, + src/posttls-finger/posttls-finger.c, src/smtp/lmtp_params.c, + src/smtp/smtp.c, src/smtp/smtp.h, src/smtp/smtp_addr.c, + src/smtp/smtp_addr.h, src/smtp/smtp_connect.c, + src/smtp/smtp_params.c, src/smtp/smtp_tls_policy.c, + src/tls/tls.h, src/tls/tls_dane.c. + +20130826 + + Documentation: re-ordered STRESS_README, now that all + supported releases have stress-adaptive behavior built in. + File: proto/STRESS_README.html. + +20130903 + + Cleanup: made the default_database_type compile-time + configurable. Files: util/sys_defs.h, makedefs, proto/INSTALL. + +20130916 + + Feature: reject_known_sender_login_mismatch, which applies + reject_sender_login_mismatch only to MAIL FROM addresses + that are known in $smtpd_sender_login_maps. Viktor & Wietse. + Files: mantools/postlink, proto/SASL_README.html, + proto/postconf.proto, global/mail_params.h, smtpd/smtpd_check.c. + +20130927 + + Cleanup: no more LMDB "database full" errors. Postfix now + requires LMDB >= 0.9.8 which supports on-the-fly database + resizing. When a database becomes full, its size limit is + automatically doubled, and other processes automatically + pick up the new database size limit. Files: util/dict.h, + util/dict_open.c, util/dict_alloc.c, util/dict_lmdb.c, + postmap/postmap.c, postalias/postalias.c, proto/LMDB_README.html, + proto/postconf.proto. + +20130928 + + Cleanup: the lmdb_max_readers property is now configurable. + This is a hard limit built into the OpenLDAP library that + causes requests to fail when the number of open read + transactions exceeds the limit. When this happens the LMDB + client logs an MDB_READERS_FULL warning and continues with + reduced performance. Files: util/dict_lmdb.c, util/dict_lmdb.h, + global/mail_params.h, global/mail_params.c, proto/postconf.proto, + proto/LMDB_README.html. + +20130929 + + Security violation: LMDB opens files with read/write access + for lock management purposes. This gives unprivileged + daemon processes read/write file handles for root-owned + files under /etc/postfix. This also breaks when a non-root + process needs to access a root-owned database. Even if + LMDB lock files were world-writable, and kept in a dedicated + directory, they would still violate the principle of least + privilege. For all these reasons, support to create LMDB + files is removed from the postmap and postalias commands. + LMDB files can still be created by unprivileged Postfix + daemon processes under the postfix-owned data_directory. + Files: proto/LMDB_README.html, global/mkmap.c. + +20131001 + + Cleanup: LMDB support is forbidden due to problems with + LMDB lock management. These problems hinder error recovery + in multi-programmed systems, and prohibit database sharing + between privileged writer processes and unprivileged reader + processes. + +20131009 + + Documentation: inet_protols description was not updated + when smtp_address_preference was added. File: proto/postconf.proto + +20131013 + + Documentation: why postscreen(8) uses hash-table lookups + instead of direct pointers to find the DNSBL lookup result + for a specific session. File: postscreen/postscreen_early.c. + +20131022 + + Cleanup: add more &code; to postconf2man. Someone has been + writing documentation without checking the result, File: + mantools/postconf2man. + + Documentation: in the discard(8) manpage, the reason is not + a host or domain name. File: discard/discard.c. + +20131025 + + Documentation: specify the expected result format with + "list" tables. File: proto/DATABASE_README.html. + +20131026 + + Future proofing: API changes in the PCRE library. File: + util/dict_pcre.c. + +20131028 + + Feature: check_sasl_access to block hijacked logins. Files: + mantools/postlink, proto/postconf.proto, global/mail_params.h, + smtpd/smtpd_check.c, smtpd/smtpd_dsn_fix.h. + +20131029-31 + + Cleanup: slmdb(3) simplified LMDB API that hides recoverable + LMDB errors from applications so that they can focus on + their own job. Files: util/slmdb.[hc]. + + Cleanup: LMDB functionality restored, after elimination of + 1) world-writable lockfiles, 2) hard limits on the number + of concurrent readers, and 3) hard-coded database file inode + numbers in lockfiles that can prevent automatic crash + recovery. Files: proto/LMDB_README.html, proto/postconf.proto, + mantools/postlink, util/dict_lmdb.c. + +20131101 + + Cleanup: restore ability to build without LMDB support; + further slmdb API streamlining. Files: util/slmdb.[hc], + util/dict_lmdb.c. + + Bugfix: uninitialized variable. File: util/slmdb.c. + + Documentation: added SASL_README example for check_sasl_access. + File: proto/SASL_README.html. + +20131102-3 + + Security violation: by default, LMDB 0.9.9 writes uninitialized + heap memory to a world-readable database file, as chunks + of up to 4096 bytes. This is a huge memory disclosure + vulnerability: memory content that a program does not intend + to share ends up in a world-readable file. The content of + uninitialized heap memory depends on program execution + history. That history includes code execution in other + libraries that are linked into the program. + + This is a problem whenever the user who writes the database + file differs from the user who reads the database file. For + example, a privileged writer and an unprivileged reader. + In the case of Postfix, the postmap(1) and postalias(1) + commands would leak uninitialized heap memory, as chunks + of up to 4096 bytes, from a root-privileged process that + writes to a database file, to unprivileged processes that + read from that database file. + + To work around this problem the postmap(1) and postalias(1) + commands disable the use of malloc() in LMDB. However, that + does not address several disclosures of stack memory. Other + Postfix databases do not need this workaround: those databases + are maintained by Postfix daemon processes, and are accessible + only by the postfix user. File: util/dict_lmdb.c. + +20131102-3 + + Cleanup: expand TAB characters when generating documentation. + This was primarily an issue with non-HTML output, but it does + not hurt to do this also for HTML. Files: proto/Makefile.in, + proto/MULTI_INSTANCE_README.html. + +20131104 + + Feature: ${queue_id} macro support for the pipe(8) delivery + agent by Andreas Schulze. File: pipe/pipe.c. + +20131107 + + Cleanup: after 16 years the SKIP() and TRIM() macros were + triggering compiler warnings. Files: global/mail_params.c, + smtpstone/smtp-sink.c, util/mac_parse.c, util/split_nameval.c. + +20131110 + + Bugfix (introduced Oct 26 1997): don't clobber errno before + expanding %m. File: util/vbuf_print.c. + +20131114 + + Cleanup: LMDB >= 0.9.10 does not need the MDB_WRITEMAP + workaround to avoid heap memory information leaks. File: + util/dict_lmdb.c. + +20131114 + + Cleanup: Coverity found a harmless memory leak in the + postconf master.cf parser. Reported by Christos Zoulas, + NetBSD. File: postconf/postconf_master.c. + + Cleanup: graceful degradation after database open() error. + Several instances of that code introduced a harmless memory + leak, and Coverity complained about one of them (Christos + Zoulas, NetBSD). Instead of adding random code in random + places, restructured dict_foo_open() routines with consistent + code to dispose of memory or file handles. Files: dict_thash.c, + dict_sockmap.c, dict_regexp.c, dict_pcre.c, dict_lmdb.c, + dict_dbm.c, dict_cidr.c, dict_cdb.c. + + Cleanup: warning message after canonical/virtual/etc. + table lookup error. Files: cleanup/cleanup_addr.c, + cleanup/cleanup_map11.c, cleanup/cleanup_map1n.c, + cleanup/cleanup_masquerade.c, cleanup/cleanup_message.c, + cleanup/cleanup_milter.c. + +20131116 + + Feature: MySQL client support for option_file, option_group, + tls_cert_file, tls_key_file, tls_CAfile, tls_CApath, + tls_verify_cert. See mysql_table(5). Code by Gareth Palmer. + Files: proto/mysql_table, global/dict_mysql.c. + + Cleanup: DANE support. Keep the attributes of TA certificates + obtained via "IN TLSA 2 0 X" RRs, while continuing to only + use the key from "IN TLSA 2 1 X" RRs. This means in the + "2 0 X" case that we re-sign the TA certificate in place, + rather than synthesize a vanilla cert around just the key. + Viktor Dukhovni. File: tls/tls_dane.c. + + Bugfix: posttls-finger parsing of destination and optional + match values. Viktor Dukhovni. File: + posttls-finger/posttls-finger.c. + + Cleanup: When wrap_signed is false (OpenSSL 1.0.2 some day), + we don't have to sign trust anchors, and don't generate a + key to do so. Thus don't attempt to re-sign trust-anchor + certificates (IN TLSA 2 0 X) in this case. Viktor Dukhovni. + File: tls/tls_dane.c. + + Feature: configurable DANE digest algorithm priority. Use + only the most-preferred, shared, digest algorithm for any + give (usage, selector) combination. Viktor Dukhovni. + mantools/postlink, proto/postconf.proto, global/mail_params.h, + tls/tls_dane.c, tls/tls_misc.c. + + Bugfix: FreeBSD nroff workaround messed up. File: + mantools/postlink. + +20131118 + + Cleanup: FreeBSD nroff workaround. Files: man/Makefile.in, + proto/Makefile.in. + + Cleanup: the smtpd_proxy_filter client now sends QUIT before + closing the connection to a content filter. Files: + smtpd/smtpd_proxy.c, smtpd/smtpd.c. + + Portability: C99 va_copy() compatibility, in case some + implementation does not permit multiple va_start() calls + on the same argument list. Files: global/memcache_proto.c, + milter/milter8.c, smtpstone/smtp-source.c, util/attr_clnt.c, + util/concatenate.c, util/dict_surrogate.c, util/netstring.c, + util/compat_va_copy.h. + + Cleanup: comment formatting. Viktor Dukhovni. File: dns/dns.h. + + Cleanup: removed redundant sort operation. Viktor Dukhovni. + File: tls/tls_dane.c. + +20131119 + + Feature: a Postfix LMDB database can now be used as shared + persistent cache with multiple postscreen(8) or verify(8) + daemons (but not both), without the need for a shared + proxymap server. Files: util/dict.h, util/dict_alloc.c, + util/dict_open.c, util/dict_lmdb.c. + + Internal: DNS client support to report reply RCODE information, + in addition to the simplified DNS_NOTFOUND, DNS_RETRY etc. + Portability note: this requires the C99 __VA_ARGS__ feature. + Files: dns/dns.h. dns/dns_lookup.c, dns/test_dns_lookup.c. + +20131120 + + Cleanup: reduced the code footprint for the LMDB < 0.9.10 + heap-to-file information leak workaround, and simplified + the implementation to "good enough". Files: util/dict.h, + util/dict.c, util/dict_lmdb.c, postalias/postalias.c, + postmap/postmap.c. + + Cleanup: reduced the code footprint for the handling of + multi-writer safe maps. A map only needs to assert that it + is multi-writer safe, and the rest just happens. Files: + util/dict.h, util/dict_open.c, util/dict_lmdb.c, + global/dict_memcache.c. + + Cleanup: Postfix daemons no longer restart when a multi-writer + safe map is updated. File: util/dict.c. + + Documentation: sharing an LMDB cache between multiple + verify(8) or postscreen(8) servers (but not both). Files: + proto/ADDRESS_VERIFICATION_README.html, + proto/POSTSCREEN_README.html. + + Cleanup: improve suppression of TLSA lookups in insecure + zones. This is now applied not only to non-MX destinations, + but also to each MX record. Viktor Dukhovni. Files: + src/posttls-finger/posttls-finger.c, src/smtp/smtp_tls_policy.c, + src/tls/tls.h, src/tls/tls_dane.c. + + Workaround: increased the 5s connection timeout to 30s. + Viktor Dukhovni. File: posttls-finger/posttls-finger.c. + +20131121 + + Documentation: new socketmap_table(5) and lmdb_table(5) + manpages. Files: mantools/postlink, conf/postfix-files, + html/Makefile.in, man/Makefile.in, proto/DATABASE_README.html, + postconf/postconf.c, proto/socketmap_table, proto/lmdb_table. + +20131122 + + Documentation: missing database hyperlinks, refined text + about partial lookup keys. Files: mantools/postlink, + proto/DATABASE_README.html, proto/lmdb_table, + proto/socketmap_table. + +20131123 + + Feature: support for NOTIFY parameter in the Milter + SMFIR_ADDRCPT_PAR request. Contributed by by Andrew Ayer. + Wietse added support for ORCPT. Files: cleanup/cleanup.h, + cleanup/cleanup_milter.c, cleanup/cleanup_state.c, + global/xtext.c, global/xtext.h, milter/test-milter.c. + +20131122 + + Feature: "postconf -Fe service/type/attribute = value" edits + master.cf attribute values. The -e is optional. Example: + use "postconf -F "*/*/chroot = n" to turn off chroot on all + master.cf services. Files: postconf/postconf.h, + postconf/postconf.c, postconf/postcof_master.c, + postconf/postconf_edit.c. + +20131124 + + Cleanup: remove extra blank line from ccformat output, + making it compatible with the script that Wietse actually + uses (this line was part of a test to detect file truncation, + but it is now obsolete). File: mantools/ccformat. + + Feature: master.cf parameter namespace. "postconf -P" shows + master.cf parameter settings as "service/type/parameter = + value". This is applicable only to parameter settings in + master.cf. Files: postconf/postconf.h, postconf/postconf.c, + postconf/postcof_master.c, postconf/postconf_print.c. + + Incompatibility: the master_service_disable syntax has + changed: use "service/type" instead of "service.type". The + new form is consistent with master.cf parameter namespaces. + The old form is still supported to avoid breaking existing + configurations. Files: global/master_service.c, + master/master_ent.c. + +20131125 + + Feature: change, add or delete "-o parameter=value" setting + in master.cf. Examples: "postconf -P smtp/inet/parameter=value" + (add or modify "-o name=value" setting) and "postconf -P + smtp/inet/parameter" (delete "-o parameter=value" setting). + Files: util/argv.[hc], postconf/postconf.h, + postconf/postconf_edit.c, postconf_master.c. + +20131126 + + Cleanup: Leave SSLv3 enabled with DANE. Viktor Dukhovni. + Files: proto/TLS_README.html proto/postconf.proto + tls/tls_client.c. + + Cleanup: DANE support: Drop support for usage 0. It SHOULD + NOT be supported in DANE with SMTP, and we already don't + support digest TLSA RRs in this case, while full content + TLSA RRs are not recommended for DNS bloat reasons. Viktor + Dukhovni. Files: proto/postconf.proto src/global/mail_params.h + src/smtp/smtp.c src/tls/tls_dane.c src/tls/tls_misc.c. + + Feature: TLS support: Support future digest algorithms + without re-compilation. Viktor Dukhovni. Files: .indent.pro + proto/postconf.proto src/tls/tls_dane.c. + + Feature: DNS support: New configurable digest agility. + Viktor Dukhovni. Files: .indent.pro proto/TLS_README.html + proto/postconf.proto src/global/mail_params.h src/tls/tls_dane.c + src/tls/tls_misc.c. + +20131127 + + Bugfix (introduced: 20090106): the postconf '-#' option + erased prior options. File: postconf/postconf.c. + +20131129 + + Bugfix: Makefile example in MULTI_INSTANCE_README. Viktor + Dukhovni. File: proto/MULTI_INSTANCE_README.html. + +20131130 + + Cleanup: simplify fingerprint security level implementation + in new DANE code. Viktor Dukhovni. Files: src/tls/tls.h + src/smtp/smtp_tls_policy.c src/tls/tls_dane.c + src/posttls-finger/posttls-finger.c. + +20131209 + + Cleanup: safe_strtoul() did not report an error for empty + or all-space input (the code to report this was in the wrong + place). This was not a problem as long as safe_strtoul() + was used only for output from safe_ultostr(). Files: + global/safe_ultostr.c, global/safe_ultostr.in, + global/safe_ultostr.ref. + +20131210 + + Documentation: updated description of SSL protocol controls. + In particular, enabled protocols are part of a contiguous + range. Viktor Dukhovni. Files: proto/TLS_README.html, + proto/postconf.proto. + + Bugfix: DANE support: handle OpenSSL memory allocation + error. Viktor Dukhovni. File: tls/tls_dane.c. + + Cleanup: LMDB_README was not installed. File: conf/postfix-files. + +20131214 + + Portability: on some platforms posttls-finger now requires + explicitly linking libdl. File: posttls-finger/Makefile.in. + + Cleanup: DANE support: extension gymnastics. Viktor Dukhovni. + File: tls/tls_dane.c. + + Bugfix: DANE support: the wrap_cert() and wrap_key() calls + should never fail, but some callers ignored the return + value. The only failure is for lack of memory, so we use + msg_fatal() internally and change wrap_cert() and wrap_key() + to return void. Viktor Dukhovni. File: tls/tls_dane.c. + + Bugfix: DANE support: avoid making DANE certificates with + replaced public-keys appear as if they were self-signed. + Viktor Dukhovni. File: tls/tls_dane.c. + + Cleanup: DANE support: simplify grow_chain() to always apply + trust consistently. Viktor Dukhovni. File: tls/tls_dane.c. + + Bugfix: DANE support: backport fixes from OpenSSL DANE + testing. Discard errors generated by raw TA key signature + checks. Record the tadepth as zero with self-signed depth + 0 TAs. Robustness: Though it should never happen, don't + update the tadepth if already set. Viktor Dukhovni. Files: + tls/tls_dane.c, tls/tls_server.c. + +20131215 + + Cleanup: OpenSSL "const" declarations have changed over + time. Viktor Dukhovni. Files: src/tls/tls.h, src/tls/tls_client.c, + src/tls/tls_dane.c, src/tls/tls_server.c. + +20131216 + + Cleanup: TLS support. Eliminate calls of deprecated functions + before they are removed from OpenSSL. CRYPTO_thread_id is + deprecated and we don't need it. Replace the deprecated + ERR_remove_state() call with ERR_remove_thread_state(), and + use RSA_generate_key_ex(). Viktor Dukhovni. Files: + posttls-finger/posttls-finger.c, tls/tls_misc.c, tls/tls_rsa.c. + + Cleanup: DANE support: Reduce #ifdef clutter to improve + redability and maintainability. Viktor Dukhovni. File: + tls/tls_dane.c. + + Future proofing: Tolerate disappearance of named bug-workaround + bits without invalidating user configurations. When support + for a bug workaround is removed from OpenSSL, the corresponding + bit is defined as zero (i.e. NOOP) instead of causing + programs to break. Viktor Dukhovni. File: tls/tls_misc.c. + +20131217 + + Portability: RSA_generate_key_ex() is not available on all + supported platforms, so this change is made conditional. + Enforce that this function will be used only for creating + a 512-bit ephemeral RSA key. Viktor Dukhovni. File: + tls/tls_rsa.c. + +20131218 + + Documentation: new document FORWARD_SECRECY_README that + describes how different versions of Postfix >= 2.2 implement + "perfect" forward secrecy. Viktor Dukhovni. File: + proto/FORWARD_SECRECY_README.html, proto/Makefile.in, + conf/postfix-files, html/index.html. + +20131219 + + Cleanup: renamed postconf(1) internal identifiers according + to a consistent scheme, to avoid future name conflicts as + Postfix evolves. This is a no-feature change. Files: + postconf/*.[hc], postconf/extract.awk. + + Documentation: linearized the order of exposition in + FORWARD_SECRECY_README. File: proto/FORWARD_SECRECY_README.html. + +20131220 + + Bugfix: DANE support: segfault. Viktor Dukhovni. File: + tls/tls_dane.c. + + Documentation: typo in SASL_README. Patrick Ben Koetter. + File: proto/SASL_README.html. + + Documentation: increased the *.[0-9].html manpage width + from the historical 65 columns to the more contemporary 78 + columns, and future-proofed the pattern that eliminates + redundant text from the "README FILES" section. Files: + mantools/postlink, mantools/man2html, man/Makefile.in. + + Documentation: misc manual page cleanups. Files: + postconf/postconf.c, postmulti/postmulti.c. + +20131221 + + Testbed: TLS support. Viktor Dukhovni. Files: tls/Makefile.in, + tls/tls_dane.c, tls/tls_dane.sh, tls/tls_mgr.c, .indent.pro. + + Documentation: added section on how to verify that forward + secrecy works. File: proto/FORWARD_SECRECY_README.html. + +20131222 + + Documentation: forward secrecy, with feedback from Adam + Shostack. Viktor Dukhovni and Wietse Venema. File: + proto/FORWARD_SECRECY_README.html. + +20131224 + + Feature: smtpd_sasl_service (until now, this was hard-coded + internally as "smtp"). On request by Michal (sksoft.cz). + Files: global/mail_params.h, proto/postconf.proto, + mantools/postlink, smtpd/smtpd.c, smtpd/smtpd_sasl_glue.c. + + Documentation: updated example to Dovecot version 2 syntax. + File: proto/SASL_README/html. + +20131228 + + Cleanup: DANE support: test script. Viktor Dukhovni. File + tls/tls_dane.sh. + + Debugging: test driver for LMDB debugging and stress testing. + Shockingly, LMDB terminates the postscreen daemon without + logfile record. File: util/dict_cache.c. + +20140102 + + Bugfix: close the LMDB database cursor's read transaction + before writing with MDB_NOLOCK and before changing the + database memory map size. File: util/slmdb.c. + +20140103 + + Cleanup: eliminated data duplication from the new SMTP_ITERATOR + structure to the old SMTP_SESSION structure. The SMTP_ITERATOR + structure now maintains the sole copy. Files: smtp/smtp.h, + smtp_sasl_auth_cache.c, smtp_reuse.c, smtp_sasl_glue.c, + smtp_rcpt.c, smtp_session.c, smtp_chat.c, smtp_proto.c, + smtp_connect.c. + +20140104 + + Feature: support for optional configuration files + "$daemon-directory/postfix-files.d/*". These are processed + in sorted order after "$daemon-directory/postfix-files", + This avoids breaking "postfix set-permissions" etc. when a + Postfix distribution comes in multiple packages. File: + conf/post-install. + +20140107 + + Feature: LMDB 0.9.11 allows Postfix daemons to log an LMDB + error message, instead of falling out of the sky without + any notification. Files: util/slmdb.[hc], util/dict_lmdb.c. + +20140108 + + Bugfix: every Postfix LMDB transaction is now protected by + an external lock for its entire life time. File: util/slmdb.c. + +20140109 + + Cleanup: turn off DNSSEC lookup after CNAME redirection to + an insecure zone. This is an optimization for resolvers + that do not automatically resolve CNAME chains. Viktor + Dukhovni. File: dns/dns_lookup.c. + + Cleanup: do not salt the SMTP TLS policy lookup cache key + with the DNSSEC status. The DNSSEC status will not change + when the same nexthop/host pair is looked up repeatedly. + Viktor Dukhovni. File: smtp/smtp_tls_policy.c. + + Robustness: Suppress TLSA lookups only when the qname zone + is insecure, not just because the rname zone is insecure. + This requires an extra T_CNAME lookup for the qname, since + nameservers are often "too helpful" and report CNAME records + together with the CNAME targets. When the targets are + insecure the whole reply is marked as insecure. Viktor + Dukhovni. File: tls/tls_dane.c. + + Cleanup: Unify/simplify reporting of configuration or other + conditions that prevent DANE security. Viktor Dukhovni. + Files: global/dsn_buf.[hc], tls/tls_dane.c, smtp/smtp_tls_policy.c. + +20140110-15 + + Miscellaneous documentation cleanups. + +20140116 + + Workaround: prepend "-I. -I../../include" to CCARGS, to + avoid name clashes with non-Postfix header files. File: + makedefs. + +20140125 + + Cleanup: assorted documentation glitches. + +20140209 + + Workaround: the Postfix SMTP client now also falls back to + plaintext when TLS fails after the TLS protocol handshake. + Files: smtp/smtp.h, smtp/smtp_connect.c, smtp/smtp_trouble.c. + + Testbed: unsupported HANGUP access map action that drops + the connection without responding to the remote SMTP client. + File: smtpd/smtpd_check.c. + +20140214 + + Workaround: apparently some buggy kernels report WIFSTOPPED + events to the parent process (master daemon) instead of the + tracing process (e.g., gdb). File: master/master_spawn.c. + +20140218 + + Workaround: require that a queue file is older than + $minimal_backoff_time, before falling back from failed TLS + to plaintext (both during or after the TLS handshake). + Viktor Dukhovni. Files: smtp/smtp.h, smtp/smtp.c, + smtp/lmtp_params.c, smtp/smtp_params.c. + +20140220 + + Workaround: in case "minimal_backoff_time = $queue_run_delay". + Files: smtp/smtp.c, smtp/smtp_params.c, smtp/lmtp_params.c. + + Cleanup: consolidate the code to log the start of a new + mail transaction in one place, so that code can easily be + added to log TLS status information in addition to the + existing client and SASL status information. Files: + smtpd/smtpd_sasl_proto.h, smtpd/smtpd_sasl_proto.c, + smtpd/smtpd.c. + +20140223 + + Workaround: when a session breaks after the TLS handshake, + do not fall back from TLS to plaintext when all recipients + were deferred or rejected during the TLS phase. Files: + smtp/smtp.h, smtp/smtp_rcpt.c. + + Logging: the TLS client logged that an "Untrusted" TLS + connection was established instead of "Anonymous". Viktor + Dukhovni. File: tls/tls_client.c. + + Documentation: new self-signed certificate example and + updated private CA example. File: proto/TLS_README.html. + +20140224 + + Bugfix (introduced: 20061106): when the "retry" transport + was added to Postfix, it was not given special status like + the "error" transport. The Postfix SMTP server did not defer + mail that resolves to the "retry" transport, and the + trivial-rewrite daemon would override the null nexthop + destination in "retry:" with the current nexthop destination. + Files: smtpd/smtpd_check.c, trivial-rewrite/transport.c. + +20140227 + + Bugfix: Enforce TLS when TLSA records exist, but all are + unusable; Don't leak dane handle when all TLSA records are + unusable. Viktor Dukhovni. File: smtp/smtp_tls_policy.c. + + Cleanup: log TLS policy lookup errors as warnings. Viktor + Dukhovni. File: smtp/smtp_connect.c. + +20140316 + + Feature: preliminary support to change arbitrary hard + delivery errors into soft errors and vice versa, or to + replace the descriptive text of non-delivery notifications. + This was originally introduced for sites that want to bounce + mail when no remote SMTP server announces TLS support. New + parameters: {default,smtp,pipe,virtual}_bounce_defer_filter. + Files: proto/postconf.proto, mantools/postlink, global/bounce.[hc], + bounce/defer.[hc], global/ndr_filter.[hc], global/mail_params.[hc], + master/event_server.c, master/multi_server.c, + master/single_server.c, master/trigger_server.c, smtp/smtp.c, + pipe/pipe.c, virtual/virtual.c. + +20140317 + + Feature: local_bounce_defer_filter support. Files: + global/bounce.[hc], global/defer.[hc], local/command.c, + local/file.c, local/bounce_workaround.c, local/local.c, + global/mail_params.h, mantools/postlink. + +20140318 + + Refinement: don't throttle an SMTP destination when the new + smtp_bounce_defer_filter feature turns a soft bounce into + a hard bounce. File: smtp/smtp_trouble.c. + +20140320 + + Feature: support to replace successful delivery status code + and explanatory text. This can be used to to hide local + details such as destination commands or file names when a + remote sender requests confirmation of delivery. As of now + *_bounce_defer_filter is renamed into *_delivery_status_filter. + Files: global/bounce.c, global/bounce.h, global/defer.c, + global/defer.h, global/dsn_filter.c, global/dsn_filter.h, + global/mail_params.c, global/mail_params.h, global/sent.c, + local/local.c, master/event_server.c, master/multi_server.c, + master/single_server.c, master/trigger_server.c, pipe/pipe.c, + smtp/lmtp_params.c, smtp/smtp.c, smtp/smtp_params.c, + virtual/virtual.c, mantools/postlink. + +20140322 + + Cleanup: code comments and identifier names to reflect the + evolution from "NDR filter" to "delivery status filter". + Files: global/mail_params.h, smtp/smtp.c, global/dsn_filter.c, + global/dsn_filter.h, local/local.c, pipe/pipe.c, + smtp/lmtp_params.c, smtp/smtp_params.c, virtual/virtual.c, + global/bounce.c. + +20140323 + + Feature: initial merge of Debian-style dynamic linking. + Viktor Dukhovni. + +20140406 + + Bugfix: when testing session caching, stop reconnecting + after encountering a previously-used server (when the session + is re-used or not). Viktor Dukhovni. File: + posttls-finger/posttls-finger.c. + + Feature: configurable TLS session-ticket cipher (default: + tls_session_ticket_cipher = aes-128-cbc). Viktor Dukhovni + and Wietse. Files: mantools/postlink, smtpd/smtpd.c, + proto/postconf.proto, global/mail_params.h, tls/tls_misc.c, + tls/tls_scache.h, tls/tls_server.c. + +20140416 + + Cleanup: replace "~0 << positive" with "~0U << positive" + even if we use only the lower bytes. Jeffrey Walton. File: + util/mask_addr.c. + +20140407 + + Documentation: the documentation for Postfix > 2.8 TLS + activity logging was incorrect. Loglevel 0 produces no + logging. Instead, information is logged only with loglevel + 1 or higher. Viktor Dukhovni. Files: proto/TLS_README.html, + proto/postconf.proto. + +20140501 + + Cleanup: postscreen_dnsbl_timeout parameter. Files: + mantools/postlink, proto/postconf.proto, global/mail_params.h, + postscreen/postscreen.c, postscreen/postscreen_dnsbl.c. + + Cleanup: added table search order information to the + postconf(5) manpage. File: proto/postconf.proto. + +20140505 + + Cleanup: added a client port attribute to the policy + delegation protocol. Jernej Porenta. File: smtpd/smtpd_check.c. + +20140507 + + Bugfix (introduced: Postfix 2.11): with connection caching + enabled (the default), recipients could be given to the + wrong mail server. Root cause: due to an incorrect predicate, + the Postfix SMTP client could save and restore plaintext + connections that should not be cached, under nonsensical + lookup keys that did not distinguish by destination. Problem + reported by Sahil Tandon, predicate error found by Viktor, + redundant connection restore request eliminated by Wietse. + File: smtp/smtp_connect.c. + + Cleanup: the macros that control SMTP connection reuse + poorly reflected their purpose. "DEAD" is replaced with + "FORBIDDEN" (no I/O allowed) and "BAD" is replaced with + "THROTTLED" (anything that causes the queue manager to back + off from some destination). Files: smtp.h, smtp_connect.c, + smtp_proto.c, smtp_trouble.c. + + Cleanup: enable SMTP connection cache lookup by destination + name while a surge of mail dries up. File: smtp_connect.c. + +20140505 + + Bugfix: the postdrop authorized_submit_users feature requires + that lookup table support is initialized so that it can use + libglobal or dynamicmaps maps. File: postdrop/postdrop.c. + + Cleanup: moved dynamicmaps initialization from parameter + initialization (mail_conf_suck()) to dictionary initialization + (mail_dict_init()). A benefit of this is that dynamicmaps.cf + is no longer read by programs that don't use Postfix lookup + tables. Files: global/mail_conf.[hc], global/mail_dict.c. + + Cleanup: move the mail_dict_init() call after the + mail_conf_read() or mail_params_init() call, to prepare for + a configurable dynamicmaps.cf directory. Files: + master/event_server.c, master/multi_server.c, + master/single_server.c, master/trigger_server.c. + +20140506 + + Cleanup: you can now specify "make makefiles parameter=value" + for selected compile-time parameter default overrides. The + old "make makefiles 'CCARGS=-DDEF_MUMBLE=\"mumble\"'" + approach remains supported. File: makedefs. + +20140508 + + Cleanup: dynamicmaps.cf is now installed into $daemon_directory + because the file is shared among Postfix instances just + like postfix-files and other files. Files: conf/dynamicmaps.cf, + Makefile.in, conf/postfix-files. + + Cleanup: INSTALL is now plain ASCII instead of README format, + to avoid a chicken-and-egg problem (the instructions to + print/view README-format files are in the INSTALL file). + + Documentation: updated INSTALL instructions and RELEASE_NOTES. + +20140512 + + Portability: Berkeley DB6 support. File: util/dict_db.c. + +20140514 + + Cleanup: replace #ifdef/endif containing hard-coded calls + of dynamicmaps functions with an extension mechanism that + dynamicmaps functions invoke instead. Files: util/dict.h, + util/dict_open.c, global/dynamicmaps.[hc], global/mkmap.h, + global/mkmap_open.c. + +20140515 + + Bugfix (introduced: 20140320): missing initialization. + Viktor Dukhovni. File pipe/pipe.c. + + Cleanup: mkmap_open() now caches a dynamically-loaded + function. This is useful because postmap/postalias may open + the same database type multiple times. Files: global/mkmap.h, + global/mkmap_open.c. + + Security: the dynamicmaps.cf file and its and shared-object + files must not be writable by non-root users. File: + global/dynamicmaps.c. + +20140517 + + Cleanup: dynamic linking and hooking. Files: util/dict.h, + util/load_lib.[hc], global/dynamicmaps.c. + +20140518 + + Preliminary "make plugins" support. Todo: macros to dynamically + remove pluggable maps from compile-time tables in dict_open.c + and mkmap_open.c, and from the OBJS lists in Makefile.in. + +20140522 + + Support for "make shared=yes" and "make dynamicmaps=yes". + New plugin_directory parameter for the location of the + dynamicmaps.cf file and for plugins with a relative pathname. + See RELEASE_NOTES and INSTALL for details. Files: postfix.c, + mail_params.[hc], dynamicmaps.c, mail_dict.c, makedefs, + postfix-files, dynamicmaps.cf, Makefile.in, util/Makefile.in, + global/Makefile.in, postlink, postconf.proto. INSTALL.html, + RELEASE_NOTES. + +20140523 + + Cleanup: don't install plugins for unsupported databases, + and don't make dynamicmaps.cf entries for them. Files: + makedefs, Makefile.in, util/Makefile.in, global/Makefile.in. + + Cleanup: added support for symlinks where the "source" is + specified as a relative pathname. File: postfix-install. + + Cleanup: moved instructions from RELEASE_NOTES to INSTALL + to avoid duplication. Files: RELEASE_NOTES, proto/INSTALL.html. + + Cleanup: include <dict_lmdb.h> unconditionally so that + dict_lmdb_map_size is always defined. Files: mail_params.c, + dict_test.c. + + Cleanup: port for ancient Solaris9 revealed some non-portability. + Files: master/Makefile.in, makedefs, sys_defs.h. + +20140524 + + Cleanup: specify database library dependencies with variables + named AUXLIBS_CDB, AUXLIBS_LDAP, etc. The global AUXLIBS + variable is still supported, but the new variables are + required when building dynamically-loadable building database + plugins. Files: RELEASE_NOTES, INSTALL.html, CDB_README.html, + LDAP_README.html, LMDB_README.html, MYSQL_README.html, + PCRE_README.html, PGSQL_README.html, SQLITE_README.html, + makedefs, util/Makefile.in, global/Makefile.in. + + Workaround: reportedly, MacOS can fail to move a symlink + with a relative target across file system boundaries, because + it examines the symlink with stat() instead of lstat(). + Files: makedefs, Makefile.in. + + Cleanup: use readlink to verify symlink target. File: + postfix-install. + +20140528 + + Cleanup: the configuration file dynamicmaps.cf will now + automatically include files under the directory dynamicmaps.cf.d, + just like the configuration file postfix-files will + automatically include files under the directory postfix-files.d. + See INSTALL section "Building with Postfix shared libraries + and database plugins". File: dynamicmaps.c. + +20140530 + + Cleanup: add shlib_directory and plugin_directory to the + postmulti-script list of shared parameters. Viktor Dukhovni. + File: postmulti-script. + + Cleanup: to avoid "postfix set-permission" errors, don't + create postfix-files entries for non-existent database + plugins. Problem reported by Viktor. File: Makefile.in. + + Bugfix: we can't use "mv" to replace a symlink-to-directory. + Instead we now create all symlinks in place. Unfortunately + the "ln -n" option is not universally implemented, so we + remove the old symlink first. Problem reported by Viktor. + File: postfix-install. + +20140603 + + Cleanup: use the OpenSSL session id accessor (available + since OpenSSL 0.9.8 or so) instead of groping a session + object directly. Viktor Dukhovni. File: tls_server.c. + +20140605 + + Feature: the pipe(8) daemon logs some command output after + successful delivery as "dsn=2.0.0, status=sent (delivered + via XXX service (YYY))" where XXX is the master.cf service + name, and YYY is command output. Files: pipe/command.c, + pipe.c. + +20140613 + + Feature: the "pipeline" table implements a table pipeline. + Example "pipeline:!type_1:name_1!...!type_n:name_n". The + ASCII character after "pipeline:" will be used as the + separator between the lookup tables that follow (do not use + space, ",", ":" or non-ASCII). Each "pipeline:" query is + given to the first table. Each lookup result becomes the + query for the next table in the pipeline, and the last table + produces the final result. When any table lookup produces + no result, the pipeline produces no result. Files: + dict_pipe.[hc], dict_open.c, postlink, DATABASE_README.html, + postconf.c. + +20140617 + + Feature: the "random" table performs random selection. + Example: "random:!result_1!...!result_n". Each table query + returns a random choice from the specified results. The + ASCII character after "random:" will be used as the separator + between the results that follow (do not use space, ",", ":" + or non-ASCII). Files: dict_random.[hc], dict_open.c, + postlink, DATABASE_README.html, postconf.c. + +20140618 + + Cleanup: INFO action in access(5) tables, for consistency + with header/body_checks. Viktor Dukhovni. Files: + smtpd/smtpd_check.c, proto/access. + +20140619 + + Cleanup: process LaMont Jones feedback for shared-library + and database-plugin builds. Changes: 1) move non-executable + files from $daemon_directory to the default $config_directory + (postfix-files*, dynamicmaps.cf*, main.cf.proto/master.cf.proto + for multi-instance support); 2) add foo.so -> foo.so.version + symlinks; 3) change $shlib_directory and $plugin_directory + defaults to /usr/lib/postfix to reduce sprawl. Files: + conf/main.cf.proto, conf/master.cf.proto, conf/postfix-files.proto, + conf/post-install, conf/postmulti-script, makedefs, + postfix-install, proto/INSTALL.html, global/dynamicmaps.c, + global/dynamicmaps.h, global/mail_dict.c, global/mail_params.h, + postmulti/postmulti.c. + + Bugfix (introduced: 2001): qmqpd null pointer bug when it + logs a lost connection while not in a mail transaction. + Reported by Michal Adamek. File: qmqpd/qmqpd.c. + + Cleanup: filter non-printable characters in X509 subject + or issuer names. Viktor Dukhovni. File: tls/tls_server.c. + +20140620 + + Cleanup: for compliance with file system policies, some + files have been moved from $daemon-directory to the directory + specified with the new meta_directory parameter which has + the same default value as config_directory. This change + affects non-executable files that are shared among multiple + Postfix instances, such as postfix-files, dynamicmaps.cf, + and multi-instance template files. + + For backwards compatibility with Postfix 2.6..2.11, specify + "meta_directory = $daemon_directory" in main.cf before + installing Postfix, or specify "meta_directory = /path/name" + on the "make makefiles", "make install" or "make upgrade" + command line. + + Files: Makefile.in, RELEASE_NOTES, conf/post-install, + conf/postfix-files.proto, conf/postmulti-script, makedefs, + mantools/postlink, postfix-install, proto/INSTALL.html, + proto/postconf.proto, global/mail_params.c, global/mail_params.h, + postfix/postfix.c, postmulti/postmulti.c. + + Feature: check_xxx_a_access (for xxx in client, reverse_client, + helo, sender, recipient) implements access control on all + A and AAAA IP addresses for the client hostname, helo + parameter, sender domain or recipient domain. Some spam has + sender domains with the same IP address but different MX + hosts. Files: global/mail_params.h, smtpd/smtpd_check.c, + proto/postconf.proto. + +20140622 + + Cleanup: eliminated plugin_directory to reduce configuration + parameter sprawl. Files: Makefile.in, RELEASE_NOTES, + conf/post-install, conf/postfix-files.proto, conf/postfix-script, + conf/postmulti-script, makedefs, mantools/postlink, + postfix-install, proto/INSTALL.html, proto/postconf.proto, + global/Makefile.in, global/mail_dict.c, global/mail_params.c, + global/mail_params.h, global/mail_version.h, postfix/postfix.c, + postmulti/postmulti.c, smtpd/smtpd_check.c, util/Makefile.in. + +20140623 + + Cleanup: eliminated the use of Postfix release versions as + file name suffixes for shared libraries, database plugins + and dynamicmaps.cf. The shared-library version suffixes + were fighting against assumptions and conventions in run-time + linkers, including the assumption that ABIs are preserved + from one version to the next. The Postfix version can now + be embedded in the shlib_directory parameter. As this is + sufficient to permit upgrade of a running Postfix system + without risking that old binaries will link against newer + shared objects, we no longer need a version suffix for + dynamicmaps.cf. Files: Makefile.in, RELEASE_NOTES, + conf/postfix-files.proto, makedefs, proto/INSTALL.html, + proto/postconf.proto, global/mail_params.h, global/mail_version.h, + +20140624 + + Cleanup: the commands "make (makefiles|install|upgrade|package) + parameter=value" now replace the string MAIL_VERSION in a + configuration parameter value with the Postfix release + version. Unfortunately, the more obvious approach, a + parameter value with the unexpanded '$mail_version', produces + inconsistent results with different make implementations. + Files: makedefs, Makefile.in, postfix-install, proto/INSTALL.html, + proto/PACKAGE_README.html + + Cleanup: postmulti now requires "postmulti -e init" before + accepting other multi-instance requests. Viktor Dukhovni. + File: conf/postmulti-script. + +20140625 + + Kludge: moved dict_db_cache_size away from dict_db.c in + preparation for Berkeley DB database plugin support (a + similar kludge was implemented for LMDB). Files: + util/dict_db.[hc], util/dict_test.c, global/mail_params.c. + + Cleanup: don't leak build directory information via SHLIB_ENV + in makedefs.out. Files: Makefile.in, conf/postfix-files. + +20140626 + + Cleanup: construction debris. Files: Makefile.in, + conf/postfix-script. + + Cleanup: replace the result of MAIL_VERSION expansion with + $mail_version in main.cf installation parameter settings, + to permit safe upgrade of a running mail system. File: + postfix-install. + + Cleanup: replace the result of MAIL_VERSION expansion with + $mail_version in built-in default installation parameter + settings, for consistency with main.cf. File: makedefs, + postfix-install, conf/post-install. + + Cleanup: removed $mail_version from the default shlib_directory + value. Files: global/mail_params.h, proto/INSTALL.html. + + Cleanup: in postfix-script, use find instead of ls to + determine permissions or ownership, and group some checks + with "pathname/." and "pathname/*" into one. Downside: + more warnings will now have "/./" in the middle of a pathname. + File: conf/postfix-script. + + Cleanup: need to evaluate mail_version before evaluating + parameters that may contain $mail_version. File: + global/mail_params.c. + + Cleanup: the postmulti command now exercises the postconf + "-x" option to expand $parameter_name in secondary-instance + parameter values. File: postmulti/postmulti.c. + + Cleanup: post-install also needed to replace the result of + MAIL_VERSION expansion with $mail_version, for the same + reasons as postfix-script. Viktor Dukhovni. File: + conf/post-install. + +20140627 + + Bugfix (introduced: 20140626) broken build and broken install + with default shlib_directory. Files: makedefs. + + Bugfix (introduced: 20140627) "make install" stopped with + a bogus error when there was no real "make install name=value" + parameter override. Files: conf/post-install. + + Cleanup: support MAIL_VERSION magic (see INSTALL) only at + the end of a parameter value. Files: proto/INSTALL.html + makedefs, postfix-install, conf/postfix-files. + + Cleanup: use ${mail_version} as the MAIL_VERSION-unexpanded + form. Viktor Dukhovni. Files: makedefs, postfix-install, + conf/postfix-files. + +20140630 + + Cleanup: the pipeline and random lookup tables are now + called pipemap and randmap, respectively. These names are + more specific. The old names remain available, at least + temporarily. Files: util/dict_pipe.[hc], util/dict_random.[hc], + postconf/postconf.c, mantools/postlink, proto/DATABASE_README.html. + + Feature: smtpd_policy_service_request_limit to limit the + number of requests per Postfix SMTP server policy connection. + This is a workaround to avoid error-recovery delays with + policy servers that cannot maintain a persistent connection. + Based on code by Markus Benning. Files: global/mail_params.h, + mantools/postlink, proto/SMTPD_POLICY_README.html, + proto/postconf.proto, smtpd/smtpd.c, smtpd/smtpd_check.c, + util/attr_clnt.[hc]. + +20140701 + + Cleanup: documented how Postfix maintains dictionary + provenance. Provenance matters: for example, the owner UID + of an aliases(5) database file determines the execution + privileges for delivery to |command or /file/name. Refined + the algorithm that computes the provenance of a pipemap, + based on the provenance of its constituent lookup tables. + Files: util/dict.[hc], util/dict_pipe.c. + + Cleanup: made mail_spool_directory configurable with "make + makefiles mail_spool_directory=/path/name". This allows + Postfix to be built without any pathnames that reference + system directories. This is useful for testing and sandboxing. + Files: global/mail_params.h, makedefs. + + Cleanup: configurable attr_clnt(3) retry strategy (try limit + and retry delay). Files: util/attr_clnt.[hc]. + + Feature: control over SMTPD policy lookup error handling: + smtpd_policy_service_try_limit, smtpd_policy_service_retry_delay, + smtpd_policy_service_default_action determine how many times + to try to send a policy request before giving up, the delay + before resending a failed policy request, and a default + action when giving up. The defaults are backwards-compatible. + Files: global/mail_params.h, mantools/postlink, + proto/postconf.proto, smtpd/smtpd.c, smtpd/smtpd_check.c. + +20140709 + + Cleanup: bitrot in unused function. File: global/defer.c. + + Cleanup: add SYSLIBS minus static libraries while building + Postfix shared-library objects. Files: makedefs, util/Makefile.in, + global/Makefile.in, dns/Makefile.in, master/Makefile.in/. + +20140708 + + Bugfix (introduced 20140701): did not restore jumpbuf while + evaluatingsmtpd_policy_service_default_action. Viktor + Dukhovni. File: smtpd/smtpd_check.c. + + Feature: VERY PRELIMINARY support for SMTPUTF8 based on an + initial implementation by Arnt Gulbrandsen, funded by CNNIC. + This implements the syntax of SMTP commands and DSN delivery + status notifications. It does not address the problem that + the same domain name may show up in different forms: an + UTF8-encoded name with non-ASCII characters, or an IDNA-encoded + (xn--mumble) name with ASCII-only characters. This means + that access policies, mydestination, virtual_*_domains and + relay_domans will have to understand both forms in order + to provide complete coverage. For now, SMTPUTF8 support + must not be enabled except for testing. + +20140710 + + Portability: add '-Wl,--enable-new-dtags' to the linker + command line with building with Postfix shared libraries + on Linux. Viktor Dukhovni. file: makedefs. + +20140711 + + Background: What is SMTPUTF8 autodetection? Postfix cannot + rely solely on the sender's declaration that a message + requires SMTPUTF8 support, because UTF8 may be introduced + during local processing (for example, the client hostname + in Postfix's Received: header, adding @$myorigin or .$mydomain + to an incomplete address, address rewriting, alias expansion, + automatic BCC recipients, local forwarding, and modifications + made by header checks or Milter applications). This means + that some form of autodetection is needed that a message + requires SMTPUTF8 support. + + Cleanup: don't try to distinguish between UTF that is already + present in a message or envelope, and UTF8 that is introduced + during local processing (see above). Maintaining this + distinction is too problematic. + + Cleanup: mailing list friendliness. Allow delivery of + SMTPUTF8 mail to non-SMTPUTF8 servers when a message has + no UTF8 headers, no UTF8 envelope sender, and when the + specific delivery request contains no UTF8 envelope recipient. + This is needed for mailing lists that may have a mix of + UTF8 and non-UTF8 subscriber addresses. File: global/smtputf8.h, + smtp/smtp_proto.c. + + Cleanup: moved all SMTPUTF8 detection to the cleanup server, + so that it can apply equally to sendmail command-line + submission, forwarded mail, postmaster notifications, + delivery status notifications, mail received with the qmqpd + server, address verification probes, as well as UTF8 + introduced during local processing (see above). Files: + cleanup/cleanup_out.c, cleanup/cleanup_addr.c. + + Cleanup: store the SMTPUTF8 message (i.e. non-recipient) + flags in the first queue file record, so that the queue + manager can find the information without having to read + every queue file record. Files: cleanup/cleanup_final.c, + *qmgr/qmgr_message.c. + +20140713 + + Interoperability: new parameter smtputf8_autodetect_classes + for selective autodetection that a message requires UTF8SMTP + support. During the initial SMTPUTF8 rollout, this is limited + by default to Postfix sendmail command-line submissions and + address verification probes. Sites that introduce UTF8 + during local processing (see above) will have to enable + SMTPUTF8 autodetection for all mail sources. This feature + shares infrastructure with the older internal_filter_classes + feature. Files: bounce/bounce_notify_service.c, + bounce/bounce_notify_verp.c, bounce/bounce_one_service.c, + bounce/bounce_trace_service.c, bounce/bounce_warn_service.c, + global/int_filt.c, global/mail_proto.h, global/smtputf8.c, + local/forward.c, pickup/pickup.c, qmqpd/qmqpd.c, smtp/smtp_chat.c, + smtpd/smtpd.c, smtpd/smtpd_chat.c, verify/verify.c. + + Feature: preliminary message/global support. This does not + yet parse encoded message/global (such as message/global + sent through an non-8BITMIME system). Such mail cannot yet + be inspected with header_checks. File: global/mime_state.c. + +20140714 + + Cleanup: update the "smtputf8" delivery request flags when + VERP expansion causes an UTF8 recipient address to appear + in the envelope sender address. Files: *qmgr/qmgr_deliver.c. + + Cleanup: emit the correct content transfer encoding name + when downgrading message/global as quoted-printable. File: + global/mime_state.c. + + Cleanup: generate a bounce message with MIME type *global* + only when the original message requested SMTPUTF8 support. + File: bounce/bounce_notify_util.c. + + Cleanup: propagate the "SMTPUTF8 support requested" flag + when bouncing a message or when forwarding a message through + a local alias or .forward file. Files: local/forward.c, + bounce/bounce_notify_util.c, src/global/post_mail.[hc], and + specify a dummy argument SMTPUTF8_FLAGS_NONE in all other + programs that programs that invoke post_mail_fopen*(), + +20140715 + + Cleanup: change extract_addr() API to indicate that an + address is parsed in SMTPUTF8 context. File: smtpd/smtpd.c. + + Cleanup: shared-library build fixes. Viktor Dukhovni. Files: + makedefs, dns/Makefile.in, global/Makefile.in, master/Makefile.in, + tls/Makefile.in, util/Makefile.in. + + First general release with SMTPUTF8 support; see RELEASE_NOTES + for an initial writeup. The last pre-SMTPUTF8 release is + snapshot 20140713. + +20140716 + + Paranoia: validate UTF8 before exposing it to libicuuc. + File: util/midna.c. + + Typo: Postfix did not warn when smtputf8_enable=yes while + UTF-8 support is not compiled in. File: global/mail_params.c. + + Cleanup: hard-coded GCC dependencies. Eray Aslan. File: + makedefs. + +20140717 + + Safety: manipulate unsigned characters while decoding. + Files: global/xtext.c, global/uxtext.c. + + Infrastructure: ACE label to UTF-8 conversion. Files: + util/midna.[hc]. + + Infrastructure: macro expansion with printable() filter. + Files: util/mac_expand.[hc]. + + Feature: when expanding myhostname or mydomain in bounce + template messages, and smtputf8_enable=yes, convert ACE + (xn--mumble) labels into UTF-8. bounce/bounce_template.c. + +20140720 + + Cleanup: charset selection and content-transfer encoding + in bounce messages (work in progress). The proper solution + requires separate handling of the returned-message MIME + properties and of the (boiler-plate text, delivery status) + MIME properties. File: bounce/bounce_notify_util.c. + +20140722 + + Documentation: the TLS_README example for creating a + self-signed certificate was incomplete. Also, added + "smtp_tls_loglevel = 1" and "smtpd_tls_loglevel = 1" settings + to cookbook recipes, so that TLS handshake results will be + logged. Viktor Dukhovni. File: proto/TLS_README.html. + + Documentation: update Perl MIME::Base64 example. File: + proto/SASL_README.html. + + Documentation: update pointer to Bennett Todd's SMTP proxy. + File: proto/SMTPD_PROXY_README.html. + +20140725 + + Documentation: describe what features are controlled by + parent_domain_matches_subdomains, both in the description + of the controlled feature, and in the description of + parent_domain_matches_subdomains. File: proto/postconf.proto. + + Cleanup: smtpd_client_event_limit_exceptions is now controlled + with parent_domain_matches_subdomains, with backwards-compatible + default (specify .example.com in order to match subdomains + of example.com). Files: smtpd/smtpd.c. + + Documentation: SMTPUTF8_README, an updated version of text + that was originally part of the RELEASE_NOTES file. Files: + proto/SMTPUTF8_README.html, proto/Makefile.in, html/index.html. + +20140731 + + Feature: the Postfix SMTP server now logs at the end of a + session how many times each SMTP command was successfully + invoked, followed by the total number of invocations if it + is different. File: smtpd/smtpd.c. + +20140802 + + Workaround: detect mis-configuration where Postfix talks + to the Dovecot master socket instead of the Dovecot userdb + socket. Timo Sirainen. File: xsasl/xsasl_dovecot_server.c. + +20140904 + + Logging: the MySQL client now logs a warning when a match + against the "domain" list fails due to table lookup error + (the underlying mechanism already logs a warning, but it + has less context information). File: global/dict_mysql.c. + +20140907 + + Feature: with "confirm_delay_cleared = yes", Postfix informs + the sender when delayed mail leaves the queue. This can + result in a sudden burst of notifications at the end of a + prolonged network outage, and is therefore disabled by + default. Files: mantools/postlink, proto/postconf.proto, + global/deliver_request.h, global/mail_params.h, global/sent.c, + *qmgr/qmgr.c, *qmgr/qmgr_active.c, *qmgr/qmgr_message.c. + +20140908-14 + + Feature: for the first time in 17 years, support for + ${name?if-nonempty:if-empty} macro expressions, and for + logical expressions ${logical-expr?if-true:if-false}. In + preparation for configurable message headers and logging. + Files: util/mac_expand.c. + +20140914 + + Bugfix (introduced: 19971026): a zero precision value in + %.*s and $.<digits>s was implemented as if no precision + value was specified, i.e. print the entire string. This was + not harmful, it just looked weird. File: util/vbuf_print.c. + +20140917 + + Feature: RFC 7372 enhanced status code for unknown SMTP + client hostnames. File: smtpd/smtpd_check.c + + Bugfix: the accept() calls in test progams escaped attention + when Postfix 2.2 was ported to IPv6. Problem found by Mark + Martinec. Files: smtpstone/smtp-sink.c, smtpstone/qmqp-sink.c. + +20140918 + + Cleanup: log a warning when the cleanup server detects too + many hops. smtpd(8) does not log any of the CLEANUP_STAT_XXX + results. The pickup server logs some because there is no + client to send the problem description to. This logic of + who logs what needs to be revisited. File: + cleanup/cleanup_message.c. + +20140919 + + Usability: randmap and pipemap syntax, for example, + pipemap:{type_1:name_1, ..., type_n:name_n}. This required + small updates to code that parses input into lookup table + names. Files: global/data_redirect.c, global/maps.c, + global/server_acl.c, postconf/postconf.c, postconf/postconf_dbms.c, + postconf/test58.ref, proto/DATABASE_README.html, + proxymap/proxymap.c, smtpd/smtpd_check.c, util/argv.h, + util/balpar.c, util/dict_pipe.c, util/dict_random.c, + util/match_list.c, util/mystrtok.c, util/argv_splitq.c, + util/stringops.h. + + Cleanup: added PRINTFLIKE() to enable missing format string + checks. Files: bounce/bounce_template.h, global/memcache_proto.h, + global/dict_memcache, postconf/postconf.h, util/dict.h, + util/msg.h. + +20140920 + + Bugfix (introduced: 20080212): incorrect client name in + reject messages from check_reverse_client_hostname_access + and check_reverse_client_hostname_{a,mx,ns}_access. They + replied with the verified client name, instead of the name + that was rejected. Problem reported by Reindl Harald. File: + smtpd/smtpd_check.c. + +20140921 + + Cleanup: postconf code to determine the default mydomain + value had not evolved since 1997, while the rest of Postfix + changed in 2000. File: postconf/postconf-dbms.c. + +20140922 + + Cleanup: the confirm_delay_cleared feature now sends no + notification when the sender requests NOTIFY options that + do not include NOTIFY=DELAY. Files: global/deliver_request,h, + global/sent.c, *qmgr/qmgr_active.c, *qmgr/qmgr_message.c. + + Bugfix (introduced: yesterday): missing print arguments. + File: postconf/postconf_dbms.c. + + Cleanup: simplified "nested" lookup table checks. + + Cleanup: replace stress-dependent main.cf defaults with the + ternary form: "${stress?{x}:{y}}" File: global/mail_params.h, + proto/postconf.proto, postscreen/postscreen.c (comments). + +20140923 + + Cleanup: dict_db and dict_lmdb global settings. Files: + global/mail_params.c, util/dict_open.c. + + Feature: unionmap, based on contribution by Roel van Meer. + Files: mantools/postlink, postconf/postconf.c (manpage), + proto/DATABASE_README.html, util/dict_open.c, util/dict_union.[hc]. + +20140924 + + Bugfix (introduced: 20060117): the escape function didn't + correctly convert non-ASCII. File: util/unescape.c. + + Bugfix (introduced: 201407): missing conversions for non-ASCII + domain names in permit_mx_backup, check_mumble_{a,mx,ns}_access + and reject_unknown_{sender,recipient}_domain. Mark Martinec. + File: smtpd/smtpd_check.c. + +20140925 + + Cleanup: support for per-Milter settings, for example: + smtpd_milters = {inet:host:port, default_action=accept, + ...}. Specify the Milter endpoint address followed by zero + or more attribute=value pairs separated by comma or space. + The supported attributes are command_timeout, connect_timeout, + content_timeout, default_action, and protocol. These have + the same names as the corresponding main.cf parameters, + minus the "milter_" prefix. Files: global/mail_conf_over.c, + global/mail_conf_str.c, global/mail_conf_time.c, + global/mail_conf.h, milter/milters.c. + +20140927 + + Cleanup: specify { name = value } in per-Milter settings, + to support space around the "=" or comma/space within the + value. Files: global/attr_over.[hc]. + + Cleanup: "postconf -n" now only shows config_directory when + an override is in effect (environment, -c or -o). + + Cleanup: support for master.cf arguments inside {}, to + protect arguments that contain whitespace. File: + master/master_ent.c, postconf/postconf_master.c, + postconf/test59.ref. + + Cleanup: support for per-policy client settings, for example: + check_policy_service {inet:host:port, default_action=dunno, + timeout=50s, ...}. Specify the policy server endpoint address + followed by zero or more attribute=value pairs separated + by comma or space. Specify { name = value } for attributes + that contain whitespace; otherwise, space is not allowed + around the "=". The supported attributes are default_action, + max_idle, max_ttl, request_limit, retry_delay, timeout, and + try_limit. These have the same names as the corresponding + main.cf parameters, minus the "smtpd_policy_service_" prefix. + Files: global/mail_conf_int.c, global/mail_conf.h, + global/attr_override.[hc], smtpd/smtpd_check.c. + +20140928 + + Cleanup: extpar.c module to reduce code duplication. Files: + global/attr_override.c, master/master_ent.c, milter/milter.c, + postconf/postconf_dbms.c, postconf/postconf_master.c, + smtpd/smtpd_check.c, util/extpar.c, util/stringops.h. + + Cleanup: the table-driven code for per-Milter and per-policy + overrides now updates stack-based variables, instead of + (ugh) statically-allocated variables. Files: + global/attr_override.[hc], smtpd/smtpd_check.c, milter/milter.c. + + Documentation: added advanced configuration sections for + how to use per-Milter and per-policy settings. Files: + proto/SMTPD_POLICY_README.html, proto/MILTER_README.html. + + Cleanup: force LANG=C to prevent groff from outputting + non-ASCII cruft into the HTML-ized manpages. Files: + html/Makefile.in, proto/Makefile.in, many HTML output files. + +20140929 + + Cleanup: the table-driven code for per-Milter and per-policy + overrides now updates arbitrary variables, so that it can + also be used for, say, TLS policies. Files: + global/attr_override.[hc], smtpd/smtpd_check.c, milter/milter.c. + + Documentation: support for "{ argument with whitespace }" + in master(5) and pipe(8). Files: proto/master, src/pipe/pipe.c. + + Documentation: in ADDRES_VERIFY_README, replaced "nearest + MTA" with "preferred MTA". The SMTP client was changed years + ago to try alternate MXes after a 4XX SMTP server response. + File: proto/ADDRES_VERIFY_README.html. + +20141001 + + Safety: backwards-compatibility safety net that forces + Postfix to run with backwards-compatible default settings + after an upgrade to a newer Postfix version. Postfix logs + all uses of those backwards-compatible default settings so + that the system administator can determine whether or not + some backwards-compatible default settings need to be made + permanent in main.cf or master.cf. All this is controlled + with a new compatibility_level parameter, default value 0. + Files: global/mail_params.[hc], trivial-rewrite/rewrite.c, + master/master_ent.c, smtpd/smtpd.c, postfix/postfix.c. + + New defaults for master.cf chroot (n), append_dot_mydomain + (no) and smtputf8_enable (yes). File: global/mail_params.h, + global/mail_params.c, smtp/smtp.c (manpage), smtpd/smtpd.c + (manpage), trivial-rewrite/trivial-rewrite.c. + + Simple relational expression evaluator so that main.cf + defaults can be made dependent on comparisons with the + compatibility_level parameter value. File: util/mac_expand.c. + + Bugfix: do not reset the mail transaction after receiving + a non-ASCII recipient. File: smtpd/smtpd.c. + +20141002 + + Cleanup: moved the details of BC safety-net messages from + RELEASE_NOTES to postconf(5) manpage, and changed the wording + of the BC messages. Files: RELEASE_NOTES, proto/postconf.proto, + master/master_ent.c, smtpd/smtpd.c, trivial-rewrite/rewrite.c. + +20141003 + + Workaround: kludge for multiple paragraphs of text in + indented paragraphs. Files: mantools/postconf2html, + mantools/postconf2man, proto/Makefile.in, proto/postconf.proto + +20141005 + + Cleanup: CHARSET_COMMA_SP, CHARSET_SPACE and CHARSET_BRACE + to prepare for the elimination of ad-hoc string constants. + File: util/sys_defs.h. + + Cleanup: allow "{ name=value }" to protect whitespace in + import_environment and export_environment. Files: + proto/postconf.proto, global/mail_parm_split.c, global + /mail_parm_split.h, global/mail_stream.c, local/command.c, + master/master.c, pipe/pipe.c, postdrop/postdrop.c, + postfix/postfix.c, postmulti/postmulti.c, postqueue/postqueue.c, + spawn/spawn.c. + +20141006 + + Backwards compatibility: log a helpful message when "localhost" + is missing from mydestination. Files: trivial_rewrite/rewrite.c, + trivial_rewrite/resolve.c, trivial-rewrite/trivial-rewrite.h, + proto/postconf.proto. + + Cleanup: message_drop_header for configurable header dropping + (default: bcc, content-length, resent-bcc, return-path). + The list of supported header names covers RFC 5321, 5322, + MIME RFCs, and some historical names. File: global/header_opts.c, + global/mail_params.[hc], cleanup/cleanup.c (manpage), + proto/postconf.proto, mantools/postlink. + +20141008 + + New defaults: "relayhost=" and "mynetworks_style = host", + plus a backwards-compatibility safety net that warns when + the change in defaults could result in rejection of mail + (with mynetworks_style this requires that Postfix evaluates + both old and new default values). Files: proto/postconf.proto, + global/flush_clnt.c, global/mail_params.c, global/mail_params.h, + global/mynetworks.c, global/mynetworks.h, global/server_acl.c, + postconf/postconf_builtin.c, smtpd/smtpd.c, smtpd/smtpd_check.c. + +20141009 + + Documentation: moved the gory details from postconf(5) to + a new COMPATIBILITY_README document. Files: proto/postconf.proto, + proto/COMPATIBILITY_README.html html/index.html. + + Documentation: update the conf/main.cf compatibility_level + setting for new Postfix installs, and updated a reminder + in mail_params.h. + +20141010 + + Cleanup: make "const char myname[]" declarations static. + global/attr_override.c, global/bounce.c, global/dsn_filter.c, + global/dynamicmaps.c, global/mkmap_open.c, global/smtputf8.c, + smtp/smtp_key.c, smtpd/smtpd_check.c, util/dict_pipe.c, + util/dict_union.c, util/mac_expand.c, util/midna.c, + util/valid_utf8_hostname.c. + + Documentation: summarize the user-specified "make makefiles" + settings at the top of makedefs.out. This file now has so + many internal variables that people would get lost. + +20141011 + + Cleanup: replaced cryptic macros X_SMTP() and SMTP_X() with + more descriptive names: LMTP_SMTP_SUFFIX() and VAR_LMTP_SMTP(). + Files: smtp/smtp.c, smtp/smtp.h, smtp/smtp_chat.c, + smtp/smtp_connect.c, smtp/smtp_proto.c, smtp/smtp_sasl_glue.c, + smtp/smtp_sasl_proto.c, smtp/smtp_tls_policy.c. + +20141012 + + Cleanup: missing format-string checks. Files: master/master_ent.c, + posttls-finger/posttls-finger.c, smtpd/smtpd_proxy.c. + + Bugfix (introduced: Postfix 2.3): the PREPEND access/policy + action added headers ABOVE Postfix's own Received: header, + exposing Postfix's own Received: header to Milters (protocol + violation) and hiding the PREPENDed header from Milters. + The latter caused problems for DMARC implementations with + SPF policy plus DKIM Milter. PREPENDed headers are now + added BELOW Postfix's own Received: header and remain visible + to Milters. File: smtpd/smtpd.c. + +20141013 + + Cleanup: configuration file line numbers in error/warning + messages could point to comment lines before or after the + problem. Files: util/readlline.[hc], master/master_ent.c, + postalias/postalias.c, postmap/postmap.c, util/dict.c, + util/dict_cidr.c, util/dict_pcre.e, util/dict_regexp.c, + util/dict_thash.c, postconf/postconf_master.c. + +20141014 + + Portability: Darwin 11.x needs to link with -lresolv. Viktor + Dukhovni. File: makedefs. + + Documentation: ICU (unicode) library package names. File: + proto/SMTPUTF*_README.html. + +20141015 + + Cleanup: master.cf line number reporting made more consistent + with similar code elsewhere. File: master/master_ent.c. + + Backed out SMTP client TLS fallback due to multiple problems. + +20141018 + + Bugfix (introduced: Postfix 2.3): when a Milter inserted a + header ABOVE Postfix's own Received: header, Postfix would + expose its own Received: header to Milters (violating + protocol) and hide the Milter-inserted header from Milters + (wtf). Files: cleanup/cleanup.h, cleanup/cleanup_message.c, + cleanup/cleanup_state.c, milter/milter.[hc], milter/milter8.c. + + Cleanup: revert the workaround that places headers inserted + with PREPEND actions or policy requests BELOW Postfix's own + Received: message header. File: smtpd/smtpd.c. + +20141019 + + Cleanup: replace dozens and dozens of ad-hoc string constants + with CHARS_SPACE, CHARS_COMMA_SP, and CHARS_BRACE. Files: + 52, too many files to mention here. + + Bugfix: the recently-introduced randmap, pipemap, and + unionmap did not check for all possible forms of "empty + list". Files: util/dict_random.c, util/dict_pipe.c, + util/dict_union.c. + + Documentation: word smithing. File: proto/master. + + Cleanup: the last remaining remnants of the withdrawn + smtp_tls_fallback_level feature. Files: mantools/postlink, + global/mail_params.h. + +20141021 + + Per IETF TLS WG consensus, the tls_session_ticket_cipher + default setting was changed from aes-128-cbc to aes-256-cbc. + Take that, you quantum computer attackers! Viktor Dukhovni. + Files: proto/postconf.proto, global/mail_params.h. + +20141024 + + Cleanup: added $smtpd_mumble_restrictions to the proxy_read_maps + default setting. File: global/mail_params.h. + + Documentation: different header/body checks for MX service + and SMTP submissions. File: proto/BUILTIN_FILTER_README.html. + + Cleanup: don't send "bare" original recipient in SMTP DSN + attributes. File: cleanup/cleanup_addr.c. + + Feature: smtp-sink -N option to suppress DSN announcement. + File: smtpstone/smtp-sink.c. + +20141025 + + Bugfix (introduced: Postfix 2,11): core dump when + smtp_policy_maps specifies an invalid TLS level. Viktor + Dukhovni. File: smtp/smtp_tls_policy.c. + +20141103 + + Logging: when a connection is closed, log the request counts + for unimplemented STARTTLS or AUTH commands separately, + instead of logging such commands as "unknown". File: + smtpd/smtpd.c. + +20141106 + + Cleanup: set errno to ETIMEDOUT after postscreen handshake + timeout event, so that warnings report the correct error. + File: tlsproxy/tlsproxy.c. + +20141112 + + Documentation: 24 identical typos. File: proto/postconf.proto. + + Workaround: support space after "MAIL FROM:" and "RCPT TO:" + in smtpd_command_filter examples. Reportedly, cashedge.com's + software (used by banks) needs this (source: Claus Assmann). + File: proto/postconf.proto. + +20141117 + + Cleanup: use ~0U instead of (unsigned) -1. Based on + complaints from the BEAM static analyzer. Files: + global/mynetworks.c, postconf/postconf.c, util/cidr_match.c. + + Cleanup: forgot the "do" in "do { stuff } while (0)" macros. + Luckily, this had caused no problem. Based on complaints + from the BEAM static analyzer. Files: util/dict_cdb.c, + util/dict_dbm.c, util/dict_lmdb.c, util/dict_pcre.c, + util/dict_regexp.c, util/dict_sockmap.c, util/dict_thash.c. + + Bugfix (introduced: Postfix 2.9): lockfile descriptor leak + after error. Based on complaints from the BEAM static + analyzer. File: util/dict_db.c. + + Bugfix (introduced: Postfix 1.1): don't "set" the null byte + element in the base64 and base32 decoding maps. Based on + complaints from the BEAM static analyzer. Files: util/base64_code, + util/base32_code.c. + + Cleanup: don't exit(0) after failing to run showq(8). Based + on complaints from the BEAM static analyzer. File: + postqueue/postqueue.c. + + Bugfix: memory leak when getaddrinfo() returns a result + that is neither IPv4 nor IPv6. Based on complaints from + the BEAM static analyzer. File: smtp/smtp_addr.c. + + Cleanup: use more meaningful name for global variable so + that it isn't shadowed by a local variable. Based on + complaints from the BEAM static analyzer. smtpstone/smtp-sink.c. + +20141119 + + Cleanup: base64 test driver. File: base64_code.c. + + Cleanup: make the CONST_CHAR_STAR typedef project-wide. + Files: global/attr_override.h, util/sys_defs.h. + + Feature: BCC action in header/body_checks and milter_header_checks. + Files: proto/header_checks, cleanup/cleanup.h, + cleanup/cleanup_extracted.c, cleanup/cleanup_message.c, + cleanup/cleanup_milter.c, cleanup/cleanup_milter.in16a, + cleanup/cleanup_milter.ref16a1, cleanup/cleanup_milter.ref16a2, + cleanup/cleanup_milter.reg16a, cleanup/cleanup_state.c, + cleanup/test-queue-file16, global/attr_override.h, + global/cleanup_strflags.c, global/cleanup_user.h, + util/sys_defs.h. + + Cleanup: don't write back-to-back queue file pointer records + when the "add recipient" action was a NOOP (e.g., because + the recipient was a duplicate). File: cleanup/cleanup_milter.c. + +20141120 + + Documentation: COMPATIBILITY_README now has "purpose of + this document" section, plus a separate section for turning + off the safety net. File: proto/COMPATIBILITY_README.html + +20131121 + + Cleanup: replace mua_mumble with msa_mumble in master.cf + submission and smtps service parameter overrides. File: + proto/BUILTIN_FILTER_README.html. + + Feature: "static:{ text with whitespace }". This could be + used as check_mumble_access static:{reject text...} at the + end of smtpd_mumble_restrictions. Files: util/dict_static.c, + util/Makefile.in, util/dict_static_test.ref, + proto/DATABASE_README.html. postconf/postconf.c (manpage). + +20141126 + + Feature: "inline:{key=value, { key = text with comma/space}}" + avoids the need to create a database for just a few entries. + Files: util/dict_inline.[hc], mantools/postlink, + proto/DATABASE_README.html. postconf/postconf.c (manpage), + util/dict_inline.[hc], util/dict_open.c, util/Makefile.in, + util/dict_inline_test.ref. + + Cleanup: report nullmx DNS records as "domain does not + accept mail", instead of "invalid DNS response". The Postfix + SMTP client already bounced mail for such domains, and the + Postfix SMTP server already rejected such domains with + reject_unknown_sender/recipient_domain. This introduces a + new SMTP server configuration parameter nullmx_reject_code + (default: 556). Files: src/dns/dns_lookup.[hc], dns/Makefile,in, + dns/nullmx_test.ref, src/smtp/smtp_addr.c, smtpd/smtpd_check.c, + smtpd/smtpd_check_nullmx.in, smtpd/smtpd_check_nullmx.ref, + mantools/postlink, proto/postconf.proto, smtpd/smtpd.c. + + Cleanup: added some missing libdns tests: dns/Makefile,in, + dns/mxonly_test,ref, dns/nxdomain_test.ref + + Cleanup: libglobal "make test" had suffered from bitrot. + Files: global/mime_state.c, global/header_body_checks.c. + +20141127 + + Feature: DNS reply filter, configured with smtp_dns_reply_filter, + smtpd_dns_reply_filter, and lmtp_dns_reply_filter. Files: + mantools/postlink, proto/postconf.proto, dns/dns.h, + dns/dns_lookup.c, dns/dns_rr_filter.c, dns/dns_strrecord.c, + dns/error.ref, dns/error.reg, dns/mxonly_test.ref, dns/no-a.ref, + dns/no-a.reg, dns/no-aaaa.ref, dns/no-aaaa.reg, dns/no-mx.ref, + dns/no-mx.reg, dns/nullmx_test.ref, dns/test_dns_lookup.c, + global/mail_params.h, smtp/lmtp_params.c, smtp/smtp.c, + smtp/smtp_addr.c, smtp/smtp_params.c, smtpd/smtpd.c, + smtpd/smtpd_check.c, smtpd/smtpd_dns_filter.{in,ref}. + +20141130 + + Cleanup: when searching multiple DNS record types for a + specific name, and not all queries return the same result + status, do not blindly return the last query's rcode and + diagnostic text. Instead, return rcode and text that is + consistent with the aggregate result status. + + Cleanup: un-broke several smtpd regression tests (work in + progress, with three more to go). Files: smtpd/smtpd_check.c, + smtpd/smtpd_server.{in,ref}, smtpd/smtpd_exp.{in,ref}. + smtpd/smtpd_dnswl.{in,ref}. + + Documentation: added note on Milter-signing bounces. + +20141201 + + Bugfix (introduced: 20141130): memory leak. File: dns_lookup.c. + + Cleanup: un-broke several dns regression tests by sorting + getaddrinfo() results by address family. Files: dns/dns_rr_eq_sa.c, + dns/dns_rr_eq_sa.ref, dns/dns_sa_to_rr.c, dns/dns_sa_to_rr.ref. + + Cleanup: missing #ifdef in smtpd_check test driver. File: + smtpd/smtpd_check.c. + + Cleanup: fix google.com regexp in smtp_dns_reply_filter + example. Viktor Dukhovni. File: proto/postconf.proto. + + Cleanup: in the ASCII form of DNS resource records, add + space after the TLSA match-type field. Viktor Dukhovni. + File: dns/dns_strrecord.c. + +20141202 + + Cleanup: to increase clarity. rename DNS result status from + DNS_UNAVAIL to DNS_NULLMX. If someone uses the same zero-length + name trick with some other resource type, then we will worry + about that later. Files: smtpd/smtpd_check.c, smtp/smtp_addr.c, + dns/dns.h, dns/dns_lookup.c. + + Cleanup: eliminate TLS state duplication from state->tls + to session->tls. Viktor Dukhovni. Files: src/smtp/smtp.h, + src/smtp/smtp_connect.c, src/smtp/smtp_proto.c, + src/smtp/smtp_reuse.c, src/smtp/smtp_session.c. + +20141203 + + Feature: support to match UTF8 domain names against ASCII + names in TLS certificates. Viktor Dukhovni. Files: + posttls-finger/posttls-finger.c, tls/tls_client.c. + +20141206 + + Cleanup: use (char *) only for strings, not for data. The + "void *" type was not fully portable during initial Postfix + development, but we no longer have that problem. Also started + the migration of data structure sizes/counters to ssize_t/size_t + (the IBM Beam analyzer identified lots of unnecessary 64-bit + to 32-bit conversions). The transformation and verification + were mostly mechanical with manual supervision. Files: + anvil/anvil.c, bounce/bounce.c, bounce/bounce_notify_util.c, + bounce/bounce_template.c, bounce/bounce_templates.c, + cleanup/cleanup_message.c, cleanup/cleanup_region.c, + cleanup/cleanup_state.c, dns/dns_lookup.c, dns/dns_rr.c, + dns/dns_rr_eq_sa.c, dns/dns_rr_to_sa.c, dns/test_dns_lookup.c, + flush/flush.c, global/abounce.c, global/abounce.h, + global/been_here.c, global/bounce_log.c, global/clnt_stream.c, + global/db_common.c, global/deliver_request.c, + global/delivered_hdr.c, global/dict_ldap.c, global/dict_mysql.c, + global/dict_pgsql.c, global/dsn.c, global/dsn_buf.c, + global/dsn_filter.c, global/dynamicmaps.c, + global/header_body_checks.c, global/header_opts.c, + global/mail_addr_crunch.c, global/mail_stream.c, + global/mail_version.c, global/maps.c, global/mbox_open.c, + global/mime_state.c, global/mkmap_open.c, global/msg_stats_scan.c, + global/mypwd.c, global/post_mail.c, global/rcpt_buf.c, + global/recipient_list.c, global/scache_clnt.c, + global/scache_multi.c, global/scache_single.c, + global/smtp_reply_footer.c, global/smtp_reply_footer.h, + global/tok822_node.c, local/biff_notify.c, local/forward.c, + local/local_expand.c, local/unknown.c, master/event_server.c, + master/master.c, master/master_avail.c, master/master_ent.c, + master/master_monitor.c, master/master_proto.c, + master/master_sig.c, master/master_spawn.c, master/master_status.c, + master/master_vars.c, master/master_wakeup.c, + master/multi_server.c, master/single_server.c, + master/trigger_server.c, milter/milter.c, milter/milter8.c, + milter/milter_macros.c, oqmgr/qmgr.c, oqmgr/qmgr_active.c, + oqmgr/qmgr_deliver.c, oqmgr/qmgr_entry.c, oqmgr/qmgr_message.c, + oqmgr/qmgr_queue.c, oqmgr/qmgr_transport.c, pipe/pipe.c, + postalias/postalias.c, postconf/postconf.h, + postconf/postconf_builtin.c, postconf/postconf_edit.c, + postconf/postconf_lookup.c, postconf/postconf_main.c, + postconf/postconf_master.c, postconf/postconf_node.c, + postconf/postconf_service.c, postconf/postconf_user.c, + postmap/postmap.c, postmulti/postmulti.c, postscreen/postscreen.c, + postscreen/postscreen.h, postscreen/postscreen_dnsbl.c, + postscreen/postscreen_early.c, postscreen/postscreen_expand.c, + postscreen/postscreen_haproxy.c, postscreen/postscreen_send.c, + postscreen/postscreen_smtpd.c, postscreen/postscreen_starttls.c, + postscreen/postscreen_state.c, posttls-finger/posttls-finger.c, + posttls-finger/tlsmgrmem.c, proxymap/proxymap.c, qmgr/qmgr.c, + qmgr/qmgr_active.c, qmgr/qmgr_deliver.c, qmgr/qmgr_entry.c, + qmgr/qmgr_job.c, qmgr/qmgr_message.c, qmgr/qmgr_peer.c, + qmgr/qmgr_queue.c, qmgr/qmgr_transport.c, qmqpd/qmqpd_peer.c, + qmqpd/qmqpd_state.c, scache/scache.c, sendmail/sendmail.c, + showq/showq.c, smtp/smtp_chat.c, smtp/smtp_connect.c, + smtp/smtp_proto.c, smtp/smtp_reuse.c, smtp/smtp_session.c, + smtp/smtp_state.c, smtp/smtp_tls_policy.c, smtpd/smtpd.c, + smtpd/smtpd_chat.c, smtpd/smtpd_check.c, smtpd/smtpd_expand.c, + smtpd/smtpd_expand.h, smtpd/smtpd_peer.c, smtpd/smtpd_proxy.c, + smtpstone/qmqp-sink.c, smtpstone/qmqp-source.c, + smtpstone/smtp-sink.c, smtpstone/smtp-source.c, tls/tls_dane.c, + tls/tls_mgr.c, tls/tls_misc.c, tls/tls_prng_dev.c, + tls/tls_prng_egd.c, tls/tls_prng_exch.c, tls/tls_prng_file.c, + tls/tls_proxy_clnt.c, tls/tls_scache.c, tls/tls_server.c, + tlsmgr/tlsmgr.c, tlsproxy/tlsproxy.c, tlsproxy/tlsproxy_state.c, + trivial-rewrite/transport.c, trivial-rewrite/trivial-rewrite.c, + util/argv.c, util/attr_clnt.c, util/attr_print0.c, + util/attr_print64.c, util/attr_print_plain.c, util/attr_scan0.c, + util/attr_scan64.c, util/attr_scan_plain.c, util/auto_clnt.c, + util/binhash.c, util/binhash.h, util/ctable.c, util/ctable.h, + util/dict.c, util/dict.h, util/dict_alloc.c, util/dict_cache.c, + util/dict_cache.h, util/dict_cidr.c, util/dict_db.c, + util/dict_ht.c, util/dict_open.c, util/dict_pcre.c, + util/dict_regexp.c, util/dict_sockmap.c, util/dict_surrogate.c, + util/dict_thash.c, util/edit_file.c, util/events.c, + util/events.h, util/fifo_trigger.c, util/find_inet.c, + util/htable.c, util/htable.h, util/inet_addr_host.c, + util/inet_addr_list.c, util/inet_addr_local.c, util/inet_listen.c, + util/inet_proto.c, util/inet_trigger.c, util/inet_windowsize.c, + util/iostuff.h, util/line_wrap.c, util/line_wrap.h, + util/mac_expand.c, util/mac_expand.h, util/mac_parse.c, + util/mac_parse.h, util/match_list.c, util/msg_output.c, + util/mvect.c, util/myaddrinfo.c, util/myflock.c, util/mymalloc.c, + util/mymalloc.h, util/nbbio.c, util/nbbio.h, util/netstring.c, + util/nvtable.c, util/nvtable.h, util/pass_trigger.c, + util/sane_accept.c, util/sane_connect.c, util/scan_dir.c, + util/sock_addr.c, util/stream_trigger.c, util/sys_compat.c, + util/sys_defs.h, util/timecmp.c, util/timed_connect.c, + util/timed_write.c, util/unix_connect.c, util/unix_listen.c, + util/unix_recv_fd.c, util/unix_send_fd.c, util/unix_trigger.c, + util/vbuf.c, util/vbuf.h, util/vstream.c, util/vstream_tweak.c, + util/vstring.c, util/watchdog.c, verify/verify.c, + xsasl/xsasl_cyrus_client.c, xsasl/xsasl_cyrus_server.c, + xsasl/xsasl_dovecot_server.c. + + Cleanup: removed unnecessary casts. File: global/cfg_parser.c. + + Cleanup: dont cast away "const". File: global/dict_sqlite.c. + +20141208 + + Bugfix (introduced: 20141207): in new #ifdef, && should be + ||. File: smtpd.c. + +20141210 + + Cleanup: the "inline" table now supports case-insensitive + search, and an iterator. File: util/dict_inline.c. + + Cleanup: minuscule memory leaks in graceful degradation + after lookup table open error. Files: util/dict_inline.c, + util/dict_static.c. + +20141211 + + Cleanup: memory leaks in unit-test driver programs (i.e. + code used only during development). Files: + cleanup/cleanup_milter.c, util/base64_code.c. + + Bugfix (introduced 20141001): mac_expand() error message + with "??" due to dangling pointer. File: util/mac_expand.c. + + Portability: unit-test driver programs. Files: util/myaddrinfo.c, + util/myaddrinfo.ref. + + Portability: Clang support. Files: makedefs, util/sys_defs.h. + + Portability: FreeBSD 10 support. Files: makedefs, + util/sys_defs.h. + + Cleanup: in makedefs, the CC and WARN features are now + independent. File: makedefs. + + Shut up some Clang format-string nags: util/events.c. + + Cleanup: eliminated unnecessary 64->32bit (and back) + conversions on LP64 platforms. Files: util/htable.c, + util/binhash.c util/mvect.[hc], util/name_mask.c, + util/sane_time.c, util/unix_listen.c, util/unix_connect.c, + util/stringops.h, util/trimblanks.c, and dependent code in + smtpd/smtpd_token.c. + + Cleanup: unused inet_proto_init() results. Files: + global/mail_params.c, postconf/postconf_builtin.c, + smtpstone/qmqp-sink.c, smtpstone/qmqp-source.c, + smtpstone/smtp-source.c/ + + Shut up some Clang nags about unused functions in network + interface API selection. File: util/inet_addr_local.c. + + Portability: a historical compiler lacks printf-like + format-string checks for function pointers. Files: util/msg.h, + bounce/bounce_template.h. + +20141212 + + Shut up some Clang format-string nags: util/line_number.c, + sendmail/sendmail.c, smtpd/smtpd_proxy.c, smtp/smtp_sasl_proto.c. + + Cleanup: eliminated unnecessary 64->32bit (and back) + conversions on LP64 platforms. Files: dict_memcache.c, + header_body_checks.[hc], log_adhoc.c, pipe_command.c, + record.[hc], smtp_reply_footer.c, split_addr.c. + cleanup/cleanup_milter.c, master/mail_server.h, + src/master/trigger_server.c, oqmgr/qmgr.c, qmgr/qmgr.c, + pickup/pickup.c. + + Cleanup: nullmx SMTP reply codes 550 and 556, and enhanced + status codes X.1.10 and X.7.27. The nullmx SMTP reply codes + are no longer configurable. Files: global/mail_params.h, + smtpd/smtpd.c, smtpd/smtpd_check.c. + + Portability: default table owner UID for testing. Files: + util/dict_alloc.c, util/dict_open.c. + + Shut up Clang unused assignment nag: global/mail_queue.h. + sendmail/sendmail.c, smtpd/smtpd_proxy.c, smtp/smtp_sasl_proto.c. + +20141214 + + Bugfix (introduced: 20141212): typo in Clang function pointer + format check, making it a noop. Viktor Dukhovni. File: + util/sys_defs.h. + + Maintainability: compile-time argument typechecking for + variadic attribute-value read/write functions. Files: + anvil/anvil.c, bounce/bounce.c, cleanup/cleanup.c, + dnsblog/dnsblog.c, flush/flush.c, global/abounce.c, + global/anvil_clnt.c, global/bounce.c, global/defer.c, + global/deliver_pass.c, global/deliver_request.c, + global/dict_proxy.c, global/dsb_scan.c, global/dsn_print.c, + global/flush_clnt.c, global/mail_command_client.c, + global/mail_stream.c, global/msg_stats_print.c, + global/msg_stats_scan.c, global/post_mail.c, global/rcpt_buf.c, + global/rcpt_print.c, global/resolve_clnt.c, global/rewrite_clnt.c, + global/scache_clnt.c, global/trace.c, global/verify_clnt.c, + local/forward.c, milter/milter.c, milter/milter8.c, + milter/milter_macros.c, oqmgr/qmgr_deliver.c, pickup/pickup.c, + postdrop/postdrop.c, postscreen/postscreen_dnsbl.c, + postscreen/postscreen_send.c, postscreen/postscreen_starttls.c, + proxymap/proxymap.c, qmgr/qmgr_deliver.c, qmqpd/qmqpd.c, + scache/scache.c, smtpd/smtpd.c, smtpd/smtpd_check.c, + tls/tls_mgr.c, tls/tls_proxy_clnt.c, tls/tls_proxy_print.c, + tls/tls_proxy_scan.c, tlsmgr/tlsmgr.c, tlsproxy/tlsproxy.c, + trivial-rewrite/resolve.c, trivial-rewrite/rewrite.c, + trivial-rewrite/trivial-rewrite.c, util/attr.h. + +20141217 + + Replaced compile-time argument typechecking based on inline + functions with an implementation based on ternary expressions + with unreachable assignments to dummy variables. This + should produce the exact same result as the approach based + on inline functions (which were standardized with C99). + Files: util/check_arg.h, util/attr.h, util/attr.c. + +20141221 + + Portability: proof-of-concept template for OpenBSD build + with shared libpostfix etc. libraries. File: makedefs. + +20141223 + + Cleanup: compile-time variadic argument type checking for + attribute-value APIs of vstream, vstream_popen, vstring, + pipe_command, spawn_command, attr_override, and mail_server + skeletons. Based on mostly automatic conversion and checking, + with a manual inspection of the remainder. Files: + anvil/anvil.c, bounce/bounce.c, cleanup/cleanup.c, + cleanup/cleanup_api.c, discard/discard.c, dnsblog/dnsblog.c, + error/error.c, flush/flush.c, global/attr_override.c, + global/attr_override.h, global/mail_connect.c, global/mail_queue.c, + global/mail_stream.c, global/mail_stream.h, global/pipe_command.c, + global/pipe_command.h, global/smtp_stream.c, global/timed_ipc.c, + local/command.c, local/local.c, master/event_server.c, + master/mail_server.h, master/multi_server.c, + master/single_server.c, milter/milter.c, milter/milter8.c, + oqmgr/qmgr.c, oqmgr/qmgr_transport.c, pickup/pickup.c, + pipe/pipe.c, postalias/postalias.c, postcat/postcat.c, + postdrop/postdrop.c, postmap/postmap.c, postscreen/postscreen.c, + postscreen/postscreen_dnsbl.c, postscreen/postscreen_haproxy.c, + postscreen/postscreen_starttls.c, posttls-finger/posttls-finger.c, + proxymap/proxymap.c, qmgr/qmgr.c, qmgr/qmgr_transport.c, + qmqpd/qmqpd.c, scache/scache.c, showq/showq.c, smtp/smtp.c, + smtpd/smtpd.c, smtpd/smtpd_check.c, smtpd/smtpd_proxy.c, + smtpstone/smtp-source.c, spawn/spawn.c, tls/tls_proxy_clnt.c, + tls/tls_stream.c, tlsmgr/tlsmgr.c, tlsproxy/tlsproxy.c, + trivial-rewrite/trivial-rewrite.c, util/auto_clnt.c, + util/ctable.c, util/dict_cache.c, util/dict_cache.h, + util/dict_lmdb.c, util/dict_tcp.c, util/netstring.c, + util/recv_pass_attr.c, util/slmdb.c, util/slmdb.h, + util/spawn_command.c, util/spawn_command.h, util/vstream.c, + util/vstream.h, util/vstream_popen.c, util/vstream_tweak.c, + util/vstring.c, util/vstring.h, verify/verify.c, + virtual/virtual.c, xsasl/xsasl_dovecot_server.c. + +20141224 + + Cleanup: the compile-time argument typechecks for attribute-value + APIs are now by default implemented with inline functions. + Compile with -DNO_INLINE to implement the argument typechecks + with ternary operators and unreachable assignments. Files: + util/check_arg.h and its consumers. + +20141226 + + NetBSD6/7 dynamic linking support. Viktor Dukhovni. + + Cleanup: instead of making up new names, use a consistent + CA_ prefix for macros that implement compile-time argument + typechecks for non-protocol attribute-value APIs. This + transformation and its verification are mechanical. + + Bugfix (introduced: Postfix 1.1, but latent before 3.0): + "postfix-install: daemon_directory: not found" error with + an ancient Solaris shell. Fixed by ALSO resetting IFS after + the end of a ``while IFS=foo command'' loop; counter to + expectation, the IFS reset in the loop body executed in a + child process. Background: some shells implement "IFS=foo + command" as a permanent IFS change; this was allowed by + standards at some point in time. File: postfix-install. + +20141227 + + Feature: smtp_address_verify_target (default: rcpt) that + determines what protocol stage decides if a recipient is + valid. Specify "data" for servers that reject recipients + after the DATA command. Files: mantools/postlink, + proto/postconf.proto, proto/ADDRESS_VERIFICATION_README.html, + global/mail_params.h, smtp/lmtp_params.c, smtp/smtp.c, + smtp/smtp.h, smtp/smtp_params.c, smtp/smtp_proto.c. + +20141228 + + Cleanup: the IDNA conversion routines now accept both ASCII + and UTF8 inputs. The functions als verify that either their + result is a valid ASCII domain name or that it converts + into a valid ASCII domain name. Files: util/midna.c, + util/midna_test.in, util/midna_test.ref. + +20141230 + + Cleanup: s/midna/midna_domain/ for better specificity, + because we also need functions that act only on the domain + portion of an email address. Files: bounce/bounce_template.c, + global/midna_adomain.c, posttls-finger/posttls-finger.c, + smtp/smtp_addr.c, smtpd/smtpd_check.c, tls/tls_client.c, + util/midna_domain.[hc], util/valid_utf8_hostname.c. + + Infrastructure: function midna_adomain_to_utf8() (and + midna_adomain_to_ascii) to convert the domain portion of + an email address before table lookup. Files: + global/midna_adomain.[hc]. + +20141230-20140109 + + What is described here is the result of four iterations to + deal with malformed UTF-8 without massively contaminating + every Postfix program with new error-handling code paths, + in particular without triggering fatal errors that didn't + happen before. + + Infrastructure: function casefold() to support caseless + string comparison, primarily for table lookups. This function + supports two modes: case folding a la lowercase() for ASCII + byte values, and UTF-8 case folding. As recommended at + http://www.w3.org/International/wiki/Case_folding for + caseless string comparison, this uses the en_US locale to + avoid surprises. The implementatin handles the entire RFC + 3629 Unicode range (code points U+0000..U+10FFFF including + surrogates) and is chroot(2) safe. Files: casefold.c, + stringops.h. + + Infrastructure: revised the midna_domain_to_ascii and + midna_domain_to_utf8 domain name conversion functions after + careful reading of the UTS #46 specification, and after + observing that ICU 4.8 library functions indeed implement + this spec, at least with default options. In particular, + midna_domain_to_utf8 takes an UTF-8 domain name and verifies + that its A-label form will pass the valid_hostname() test. + File: util/midna_domain.c. + + Infrastructure: handle UTF-8 errors in lookup table keys + or values without massively contaminating every Postfix + program with new error-handling code paths, in particular + without triggering fatal errors that didn't happen before. + The lookup/update/delete functions log a warning and ignore + a request with a bad key (it cannot exist); the update + functions ignore a request to store a bad value (it cannot + exist); and the lookup function reports a bad value as a + configuration error (it should not exist, but there it is). + Table iterators still report all (key, value) pairs in a + table. Files: util/dict.h, util/dict_open.c, util/dict_utf8.c, + global/mkmap_open.c. + + Note that with SMTPUTF8 turned on, each table-driven mechanism + (access, aliases, etc.) needs to make its own decision + whether UTF-8 syntax is required. We cannot blindly require + that everything has valid UTF-8 syntax. That would make + header/body_checks useless for content inspection, because + headers may be malformed and bodies may contain legitimate + binary content that isn't UTF-8. + + Note that with SMTPUTF8 turned off, Postfix must remain + 8-bit clean as it always has been. Table operations must + not complain that something violates UTF-8 syntax rules. + + UTF-8 sanitization in the Postfix SMTP server. With + smtputf8_enable=yes, SMTP commands with UTF-8 syntax errors + are rejected, table lookup results with invalid UTF-8 syntax + are handled as configuration errors, and UTF-8 syntax errors + in policy server replies result in execution of the policy + server's default action. + +20150102 + + Cleanup: propagate DICT_ERR_CONFIG through the proxymap + protocol. Files: global/dict_proxy.[hc], proxymap/proxymap.c. + +20150106 + + Robustness: don't segfault due to excessive recursion in + tok822_free_tree() after a faulty configuration runs into + the virtual_alias_recursion_limit. File: global/tok822_tree.c. + +20150109 + + Cleanup: the dict debug module now proxies dict flags. + File: util/dict_debug.c. + + With "smtputf8_enable = yes", the postmap and postalias + commands now enable UTF-8 by default (use "-u" to disable) + with one exception: UTF-8 remains disabled for header/body_checks + emulation (use "-U" to enable). Files: postmap/postmap.c, + postalias/postalias.c. + +20150110 + + Cleanup: the "inline" and "texthash" implementations now + reuse the "internal" database instead of reinventing the + wheel. Files: util/dict_inline.c, util/dict_thash.c. + + As a first step, with "smtputf8_enable = yes" all features + based on Postfix matchlists enable UTF-8 syntax checks and + UTF-8 casefolding for table patterns, but NOT YET for string + patterns. The list of features includes authorized_flush_users, + authorized_mailq_users, authorized_submit_users, debug_peer_list, + fast_flush_domains, mydestination, permit_mx_backup_networks, + qmqpd_authorized_clients, smtp_connection_cache_destinations, + smtpd_authorized_verp_clients, smtpd_authorized_xclient_hosts, + smtpd_authorized_xforward_hosts, + smtpd_client_event_limit_exceptions, + smtpd_log_access_permit_actions, smtpd_sasl_exceptions_networks, + the "domains" feature in ldap_table(5), memcache_table(5) + mysql_table(5), pgsql_table(5) and sqlite_table(5), + virtual_alias_domains, virtual_mailbox_domains. + +20150111 + + Cleanup: simplified the interposition layer that adds UTF-8 + support to Postfix lookup tables. Files: util/dict_utf8.c. + + With "smtputf8_enable = yes", Enable UTF-8 syntax checks + and UTF-8 casefolding for SMTP server access maps, alias_maps, + canonical_maps, fallback_transport_maps, + lmtp_tls_session_cache_database, local_recipient_maps, + mailbox_command_maps, mailbox_transport_maps, rbl_reply_maps, + recipient_bcc_maps, recipient_canonical_maps, relay_recipient_maps, + relocated_maps, sender_bcc_maps, sender_canonical_maps, + sender_dependent_relayhost_maps, sender_dependent_transport_maps, + smtp_generic_maps, smtp_sasl_auth_cache_name, + smtp_sasl_password_maps, smtp_tls_per_site, smtp_tls_policy_maps, + smtp_tls_session_cache_database, smtpd_sender_login_maps, + smtpd_tls_session_cache_database, transport_maps, + virtual_alias_maps, virtual_gid_maps, virtual_mailbox_maps, + virtual_uid_maps. + +20150112 + + Infrastructure: support for UTF-8 casefolding in match_lists. + Instead of using strcasecmp(), casefold all fixed-string + patterns during initialization, casefold a search string + at the beginning of the search, and use strcmp() for + comparison. Files: util/casefold.c util/dict.h, util/dict_utf8.c, + util/match_list.c, util/match_list.h, util/match_ops.c, + util/stringops.h, global/addr_match_list.c, global/domain_list.c, + global/namadr_list.c, global/string_list.c. + +20150113 + + Cleanup: show the configuration parameter name in error + messages while parsing or searching match_list-based features + such as mydestination, relay_domains and a few dozen more. + Files: cleanup/cleanup_init.c, flush/flush.c, + global/addr_match_list.c, global/debug_peer.c, + global/domain_list.c, global/flush_clnt.c, + global/match_parent_style.c, global/namadr_list.c, + global/resolve_local.c, global/string_list.c, global/user_acl.[hc], + postdrop/postdrop.c, postqueue/postqueue.c, + postscreen/postscreen.c, qmqpd/qmqpd.c, sendmail/sendmail.c., + smtp/smtp.c, smtp/smtp_sasl_glue.c, smtpd/smtpd.c, + smtpd/smtpd_check.c, trivial-rewrite/resolve.c, + util/match_list.[hc], util/match_ops.c. + + Cleanup: apply printable() to all bounce(8) service + string-valued protocol fields. File: bounce/bounce.c. + + Apparently the UCI 4.8 ucasemap_utf8FoldCase() function does + not complain about UTF-8 syntax errors, so we add our own + redundant check. File: util/casefold.c. + +20150115 + + Bitrot: prepare for future changes in OpenSSL. Viktor + Dukhovni. Files: tls/tls.h, tls/tls_dh.c, tls/tls_misc.c, + tls/tls_rsa.c, tls/tls_server.c. + + Documentation: "avoid hash files here, use btree or lmdb + instead". File: proto/ADDRESS_VERIFICATION_README.html. + + Safety: virtual_alias_address_length_limit (default: 1000) + to stop aliasing loops that exponentially increase the + address length with each iteration. Files: global/mail_params.h, + mantools/postlink, proto/postconf.proto, cleanup/cleanup.c, + cleanup/cleanup_init.c, cleanup/cleanup_map1n.c. + +20150116 + + TLS wrappermode in the Postfix smtp(8) client. This introduces + a new parameter "smtp_tls_wrappermode" (default: no). Files: + global/mail_params.h, mantools/postlink, proto/postconf.proto, + smtp/lmtp_params.c, smtp/smtp.[hc], smtp/smtp_connect.c, + smtp/smtp_params.c, smtp/smtp_proto.c. + + TLS wrappermode in posttls-finger(1), and some DANE-related + cleanups. This introduces a new option "-w". Viktor Dukhovni. + Files: posttls-finger/posttls-finger.c, smtp/smtp_tls_policy.c, + tls/tls.h, tls/tls_client.c, tls/tls_fprint.c. + +20150117 + + Cleanup: missing " in \%s\" in postscreen(8) fatal error + messages. Iain Hibbert. File: postconf/postconf_master.c. + +20150118 + + Bugfix (introduced: 20140731): when a connection timed out + before any command was received, the Postfix SMTP server + "disconnect from" logging would show the content of the + last SMTP server response (421 4.4.2 $myhostname error: + timeout exceeded) instead of per-command statistics, because + there were no statistics to report. The Postfix SMTP server + now always logs the total number of commands (commands=x/y) + even when the client did not send any. This helps logfile + analyzers to recognize sessions without commands. File: + smtpd/smtpd.c. + +20150120 + + Bugfix (introduced: 20141230-20140109): do not reallocate + a dictionary handle after it is initialized. This breaks + CDB. Problem reported by Andreas Schulze. Files: util/dict.h, + util/dict_alloc.c, util/dict_utf8.c. + + Cleanup: simplified the dict_utf8 wrapper implementation. + Files: util/dict.h, util/dict_alloc.c, util/dict_utf8.c. + +20150121 + + Cleanup: undo changes in check_mumble_access() that replaced + error handling with longjmp() calls. This could introduce + memory leaks in check_mumble_access() callers. Files: + smtpd/smtpd_check.c, smtpd/smtpd_error.ref. + +20150122 + + Cleanup: miscellaneous cruft, typos, comments, error messages. + proto/COMPATIBILITY_README.html, global/addr_match_list.c, + global/domain_list.c, global/namadr_list.c, global/string_list.c, + global/user_acl.c, postalias/postalias.c, postmap/postmap.c, + tls/tls_client.c, util/dict_alloc.c, util/dict_open.c, + util/match_list.c. + +20150124 + + Workaround: nroff has been improved so that "-" comes out as + some non-ASCII character, unlike HTML where it comes out + as itself. Andreas Schulze. This requires jumping a few + hops to generate HTML and nroff input from the same source + text. Files; mantools/srctoman, mantools/postconf2man. + + Cleanup: UTF-8 support in masquerade_domains. File: + cleanup/cleanup_masquerade.c. + +20150125 + + Cleanup: simplified the casefold() API: no input-dependent + failure modes. Files: cleanup/cleanup_masquerade.c, + util/casefold.c, util/dict_utf8.c, util/match_list.c, + util/strcasecmp_utf8.c, util/stringops.h. + + Cleanup: replaced str*casecmp() calls with UTF8-enabled + versions. Files: bounce/bounce.c, bounce/bounce_append_service.c, + bounce/bounce_notify_service.c, bounce/bounce_notify_verp.c, + bounce/bounce_one_service.c, bounce/bounce_trace_service.c, + bounce/bounce_warn_service.c, cleanup/cleanup_addr.c, + cleanup/cleanup_map11.c, cleanup/cleanup_map1n.c, + global/log_adhoc.c, global/mail_addr_find.c, global/mail_params.c, + global/split_addr.c, global/verify.c, global/verify_sender_addr.c, + local/alias.c, local/recipient.c, oqmgr/qmgr_message.c, + qmgr/qmgr_message.c, smtp/smtp_tls_policy.c, smtpd/smtpd_check.c, + smtpd/smtpd_milter.c, trivial-rewrite/resolve.c, + util/strcasecmp_utf8.c, util/stringops.h. + +20150126 + + Portability: added missing #ifdef STRCASECMP_IN_STRINGS_H + for platforms that require it. Files: dns/dns_rr_filter.c, + milter/milter8.c, posttls-finger/posttls-finger.c, + tls/tls_dane.c, tlsproxy/tlsproxy.c, util/dict_test.c. + + Cleanup: replaced lowercase() calls with UTF-8-enabled + versions. Files: flush/flush.c, global/been_here.c, + global/delivered_hdr.c, global/fold_addr.c, global/fold_addr.h, + local/forward.c, local/recipient.c, pipe/pipe.c, + smtpd/smtpd_resolve.c, util/casefold.c, util/stringops.h, + virtual/recipient.c. + +20150127 + + Cleanup: simplified the 20150125 and 20150126 APIs, replacing + the most-common use cases with convenience macros that have + fewer arguments. Files: anything that implements or invokes + casefold*() or str*casecmp(). + + Documentation: missing words and typos. Matthew Selsky. Files: + proto/SMTPUTF8_README.html, util/dict_open.c, util/vstream.c. + +20150128 + + Bugfix: the ICU casemapping API can report success, while + producing output that is not null-terminated. But we can + deal with that. File: util/casefold.c. + + Cleanup: unnecessary buffers. File: util/strcasecmp_utf8.c. + + Cleanup: whitespace in source-code documentation has gotten + damaged through the years. Files: util/iostuff.h, + util/msg_vstream.h, util/msg_syslog.h, util/msg_output.h, + util/msg.h, util/inet_proto.c, trivial-rewrite/trivial-rewrite.c, + tls/tls.h, postconf/postconf.c, master/multi_server.c, + master/event_server.c, global/memcache_proto.h, + global/dict_mysql.c, global/dict_ldap.c, discard/discard.c, + error/error.c, global/dict_proxy.c, global/mail_conf_int.c, + global/match_parent_style.c, global/scache.c, global/scache.h, + qmgr/qmgr_entry.c, qmgr/qmgr_peer.c, smtp/smtp_rcpt.c, + smtpd/smtpd_peer.c, tls/tls_mgr.c, util/attr_scan0.c, + util/dict_tcp.c, util/hex_code.c, util/valid_hostname.c. + + Cleanup: typos. Files: proto/socketmap_table, proto/mysql_table, + global/dict_mysql.c, proto/lmdb_table, smtpstone/smtp-sink.c, + posttls-finger/posttls-finger.c. + + Bugfix: restart the Postfix SMTP server SASL client after + XCLIENT may have changed the client IP address. Matthew + Via. File: smtpd/smtpd.c. + +20150129 + + More whitespace in source-code comment regressions. Viktor + (mostly) and Wietse. smtpd/smtpd_proxy.c, util/format_tv.c, + util/line_wrap.c, util/slmdb.c, qmgr/qmgr_peer.c, + smtp/smtp_rcpt.c, smtpd/smtpd_peer.c, tls/tls_mgr.c, + trivial-rewrite/trivial-rewrite.c, util/attr_scan0.c, + util/dict_tcp.c, util/hex_code.c, util/valid_hostname.c, + discard/discard.c, error/error.c, global/dict_proxy.c, + global/mail_conf_int.c, global/match_parent_style.c, + global/scache.c, qmgr/qmgr_entry.c, global/dict_ldap.c, + global/dict_mysql.c, posttls-finger/posttls-finger.c, + smtp/smtp.c, tls/tls_certkey.c. + + Cleanup: avoid hidden buffer allocation in casefold(). + Files: local/forward.c, local/recipient.c, virtual/recipient.c. + + Cleanup: HTML validator errors. Files: proto/postconf.proto, + proto/TLS_README.html, proto/MILTER_README.html. + + Great rename from 2.12 to 3.0. Lots of files, 99% mechanical. + + Cleanup: HTML entities in *roff manpage source. File: + mantools/fixman, proto/postconf.proto, smtpd/smtpd.c, + trivial-rewrite/trivial-rewrite.c. + +20150201 + + Usability: in error messages, print the CAfile and CApath + value in double quotes, to clue in people who specify quoted + pathnames in main.cf. Viktor Dukhovni. Files: tls/tls_certkey.c + and testing code in posttls-finger/posttls-finger.c. + +20150202 + + Cleanup: make posttls-finger -k/-K documentation consistent + with behavior. File: posttls-finger/posttls-finger.c. + +20150203 + + Cleanup: API minimization, by making some functions static. + Files: util/dict.h, util/dict_utf8.c. + +20150205 + + Preliminary feature: support for building position-independent + executables (PIE), tested on Fedora Core 20, Ubuntu 14.04, + FreeBSD 9 and 10, and NetBSD 6. See INSTALL section 4.3 for + details and limitations. Files: makedefs, proto/INSTALL.html, + RELEASE_NOTES-3.0. + +20150208 + + Cleanup: after many years, the access(5) map BCC action is + part of the stable release. Files: smtpd/smtpd_check.c, + proto/acces. + +20150210 + + Cleanup: socketmap documentation. File: proto/socketmap_table. + +20150211 + + Cleanup: strncasecmp_utf8() streamlining. Files: util/stringops.h, + util/allascii.c, util/strcasecmp_utf8.c. + +20150212 + + Cleanup: in code after reading main.cf, removed bogus guard + before re-evaluating the mail_task() syslog prefix. File: + postlog/postlog.c. + +20150214 + + Bugfix (introduced: Postfix 3.0): missing #ifdef USE_TLS + inside #ifdef USE_SASL_AUTH broke the build. Viktor Dukhovni. + File: smtpd/smtpd.c. + + Cleanup: missing errno logging in bounce daemon clients. + This made troubleshooting significantly more difficult. + File: global/mail_command_client.c. + +20150216 + + Cleanup: documented that mail_connect() produces no errno + logging. The functions that call it should log the error + (and the majority does). File: global/mail_connect.c. + + Cleanup: added errno logging after mail_connect() failure. + Files: global/post_mail.c, local/forward.c. + + Cleanup: in code after reading main.cf, removed bogus guard + before re-evaluating the mail_task() syslog prefix. Files: + postalias/postalias.c, postdrop/postdrop.c, postmap/postmap.c, + postqueue/postqueue.c, postsuper/postsuper.c, sendmail/sendmail.c. + +20150218 + + Documentation: header/body_checks additional text about whether + an action stops further inspection of the input stream. File: + proto/header_checks. + + Robustness: reject installation pathnames with whitespace. + File: postfix-install. + +20150217 + + Cleanup: missing <string.h> include. File: util/allascii.c. + +20150221 + + Bugfix (introduced: Postfix 3.0): don't append '.' to the + DNS resource record value, when converting TXT records to + the string form that is used used by xxx_dns_reply_filter. + File: dns/dns_strrecord.c. + +20150313 + + Documentation: incorrect Postfix version number for + postscreen_dnsbl_timeout. Quanah Gibson-Mount. File: + postscreen/postscreen.c. + +20150320 + + Cleanup: better sorting order for the default tls_*_cipherlist + settings. OpenSSL does not order "ALL" quite right: some + MEDIUM ciphers (SEED and IDEA) sneak up above some 128-bit + HIGH ciphers. Also previously, when we prefer "aNULL" we + moved MEDIUM with aNULL above same bit-length HIGH but not + aNULL. Viktor Dukhovni. File: global/mail_params.h. + +20150324 + + Bugfix (introduced: Postfix 2.6): sender_dependent_relayhost_maps + ignored the relayhost setting in the case of a DUNNO lookup + result. It would use the recipient domain instead. Viktor + Dukhovni. Wietse took the pieces of code that enforce the + precedence of a sender-dependent relayhost, the global + relayhost, and the recipient domain, and put that code + together in once place so that it is easier to maintain. + File: trivial-rewrite/resolve.c. + +20150326 + + Feature: lmtp_fallback_relay, limited to TCP destinations + only. Viktor Dukhovni. Wietse updated the postlink, smtp.c, + and smtp-only files, and added a warning when lmtp_fallback_relay + is specified for a non-TCP destination. Files: mantools/postlink, + smtp/smtp.c, smtp/smtp-only, smtp/smtp_connect.c, + smtp/smtp_params.c, global/mail_params.h, proto/postconf.proto. + +20150328 + + Bugfix (introduced: Postfix 1.1.0): post-install expanded + macros in parameter values when trying to detect parameter + overrides, causing unnecessary main.cf updates during Postfix + start-up. Julian Reich, Viktor Dukhovni, and Wietse. File: + conf/post-install. + +20150330 + + Bitrot: prepare for future changes in OpenSSL API. Viktor + Dukhovni. File: tls_dane.c. + + Safety: instead of bouncing mail, report a soft error when + SASL infrastucture breaks. Viktor Dukhovni, Emmanuel Fuste. + Files: smtpd/smtpd_sasl_glue.c, xsasl/xsasl.h, + xsasl/xsasl_cyrus_server.c, xsasl/xsasl_dovecot_server.c. + +20150401 + + Documentation: update the mydestination default value in + the stock main.cf file. File: conf/main.cf. + +20150404 + + Documentation: add "postconf -m" output to problem reports. File: + proto/DEBUG_README.html. + +20150418 + + Portability: use the icu-config utility to locate the ICU + include and library files. With this, Postfix builds out + of the box on MacOS X. File: makedefs. + +20150421 + + Bugfix (introduced: 19970309): reset errno before calling + readdir(), in order to distinguish between end-of-directory and + an error condition. File: scandir.c. + +20150426 + + Cleanup: when transmitting an attribute-value sequence + between Postfix processes, a hash table may now appear at + any position instead of only at the end. Files: + util/attr_scan{0,64,plain}.c, util/attr_print{0,64,plain}.c, + util/attr_scan{0,64,plain}.ref. + + Feature: milter_macro_defaults, an optional list of macro + name=value pairs that specify default values for Milter + macros. When a macro is to be sent to a Milter application, + Postfix will send its default value when no value is available + from the mail delivery context. For example, with + "milter_macro_defaults = auth_type=TLS", Postfix will send + an auth_type of "TLS" unless a remote client authenticates + with SASL. Files: mantools/postlink, proto/MILTER_README.html, + proto/postconf.proto, cleanup/cleanup.c, cleanup/cleanup_init.c, + cleanup/cleanup_milter.c, global/mail_params.h, milter/milter.c, + milter/milter.h, smtpd/smtpd.c, smtpd/smtpd_milter.c. + +20150501 + + Support for Linux 4.*, and some simplification for future + makedefs files. Files: makedefs, util/sys_defs.h. + +20150502 + + Cleanup: updated the examples in MILTER_README. File: + proto/MILTER_README.html + +20150529 + + Support for DNS reply TTL values in dnsblog and postscreen. + Files: dnsblog/dnsblog.c, postscreen/postscreen_early.c, + postscreen/postscreen_dnsbl.c. + +20150607 + + Support for DNS reply TTL values for "not found" responses + (negative reply caching). The postscreen daemon needs this to + accurately whitelist an SMTP client that is not found on any + DNSBL. Files: dns/dns_lookup.c, dns/dns_strrecord.c, dns/dns.h, + dns/test_dns_lookup.c. + +20150615 + + Two new parameters to limit how long a DNSBL or DNSWL lookup + result remains valid: postscreen_dnsbl_max_ttl is an upper + limit for the TTL from a DNS query, and postscreen_dnsbl_min_ttl + is a lower limit. The old postscreen_dnsbl_ttl provides a + backwards-compatible default for postscreen_dnsbl_max_ttl. + Files: global/mail_params.h, postscreen/postscreen.c, + postscreen/postscreen_early.c, mantools/postlink, + proto/postconf.proto. + +20150616 + + Refinement: the postscreen daemon now computes two combined + DNS reply TTLs: one combined TTL for replies that the client + should be blocked, and one combined TTL for replies that the + client should be allowed. This is more conservative than + simply combining all reply TTLs into one number. File: + postscreen/postscreen_dnsbl.c. + +20150621 + + Feature: default_transport_rate_delay (and the transport-specific + *transport*_transport_rate_delay) to enforce a destination- + independent rate limit on deliveries. Files: mantools/postlink, + proto/postconf.proto, *qmgr/qmgr.h, *qmgr/qmgr_transport.c, + *qmgr/qmgr_deliver.c, *qmgr/qmgr.c. + +20150707 + + Workaround: some DNS servers reply with NXDOMAIN for type + NS queries with names that actually have an A record. This + broke check_mumble_ns_access. File: smtpd/smtpd_check.c. + +20150711 + + Workaround: conditional time default value can result in + multiple time unit suffixes. Files: global/conv_time.c + global/mail_conf_time.c. + +20150712 + + Cleanup: configurable workaround (dns_ncache_ttl_fix_enable) + in case some future libc change breaks a promise made by + current resolver(3) documentation. Files: global/mail_params.[hc]. + + Cleanup: removed unused libdns dependencies. No-one remembers + why they were introduced. Files: postscreen/Makefile.in, + qmqpd/Makefile.in, smtpd/Makefile.in, tlsmgr/Makefile.in. + + Cleanup: code indentation. Viktor Dukhovni. File: + smtp/smtp_addr.c. + + Workaround: With Solaris10, write_wait() hangs in poll() + until timeout, when invoked after peekfd() has received an + ECONNRESET error indication. This happens when a client + sends QUIT and closes the connection immediately. File: + util/peekfd.c. + +20150715 + + Security: updated default Diffie-Hellman export (512 bit) + primes and non-export (from 1024 to 2048 bit) primes, and + updated text on non-export DH primes. Viktor Dukhovni. + Files: tls/tls_dh.c, proto/FORWARD_SECRECY_README.html. + +20150718 + + Security: opportunistic TLS by default uses "medium" or + stronger ciphers instead of "export" or stronger. See the + RELEASE_NOTES file for how to get the old settings back. + Files: global/mail_params.h, proto/TLS_README.html, + proto/postconf.proto, and files derived from those. + +20150719 + + Security: Postfix TLS support by default no longer uses + SSLv2 or SSLv3. See the RELEASE_NOTES file for how to get + the old settings back. Files: global/mail_params.h, + proto/postconf.proto, and files derived from those. + +20150722 + + Cleanup: the COMPATIBILITY_README* files were not installed. + File: conf/postfix-files. + +20150726 + + Cleanup: some lost edits for the SASL_README file. File: + proto/SASL_README.html. + +20150816 + + Workaround: updated the 20150707 fix for DNS servers that + reply with NXDOMAIN for type NS queries instead of (NOERROR, + zero answers). File: smtpd/smtpd_check.c. + +20150829 + + Documentation: TLS session tickets are preferred over the + local server-side smtpd_tls_session_cache_database storage. + TLS session tickets are supported as of OpenSSL 0.9.8h (May + 2008). Files: mantools/postlink, proto/TLS_README.html, + proto/postconf.proto. + +20150831 + + Cleanup: obsolete comments in Makefile.init. + +20150903 + + Workaround: disable DNSSEC support for AIX 7x and earlier. + The AIX 6/7 resolver(5) API defines RES_USE_DNSSEC without + defining the "ad" bit. Viktor Dukhovni. Files: makedefs, + proto/INSTALL.html, dns/dns.h. + +20150912 + + Future-proofing and code cleanup: exploit GCC and Clang + "warn_unused_result" feature to flag missing error checks. + Files: util/sys_defs.h, util/attr.h, util/edit_file.h, + util/listen.h, util/lstat_as.h, util/mac_expand.h, + util/mac_parse.h, util/myaddrinfo.h, util/myflock.h, + util/sane_fsops.h, util/sane_socketpair.h, util/stat_as.h, + util/base32_code.h, util/base64_code.h, util/hex_code.h, + util/timed_wait.h, util/vstream.h, src/util/vstring_vstream.h. + + Cleanup: incomplete error check. Found with WARN_UNUSED_RESULT + check. File: util/recv_pass_attr.c. + + Future-proofing: added type mis-match detection for + ATTR_TYPE_FUNC function-pointer arguments. File: util/attr.h. + + Cleanup: don't ignore seek-to-end-of-file errors. File: + global/record.c. + + Cleanup: use vstream_fpurge() to purge VSTREAM buffers, + instead of calling vstream_fseek() and ignoring ESPIPE + errors. File: smtpstone/qmqp-sink.c. + +20150913 + + Feature: SMTPD policy service "policy_context" attribute + and smtpd_policy_service_policy_context main.cf parameter. + Originally, to share the same SMTPD policy service endpoint + among multiple check_policy_service clients. Markus Benning. + Files: mantools/postlink, proto/SMTPD_POLICY_README.html, + proto/postconf.proto, global/mail_params.h, global/mail_proto.h, + smtpd/smtpd.c, smtpd/smtpd_check.c. + +20150923 + + Bugfix (introduced: 20120531-617): the Postfix SMTP server + used a larger-than-1 VSTREAM buffer to read the HAProxy + connection hand-off information. This broke TLS wrappermode, + as the TLS helo packet would end up in the plaintext VSTREAM + buffer. Reported by Lukas Erlacher. File: smtpd/smtpd_haproxy.c. + +20150924 + + Cleanup (introduced: 20060510, exposed 20150912): eliminated + a harmless warning message "seek error after reading END + record: Illegal seek" from the cleanup server after a + check_sender_access DISCARD action. File: cleanup/cleanup.c. + + Bugfix (introduced: 20090216-24): incorrect postmulti error + message. Reported by Patrik Koetter. Fix by Viktor Dukhovni. + File: postmulti/postmulti.c. + + Workaround: don't create a new instance when the template + main.cf and master.cf files are missing, as happens on + Debian-like systems. Viktor Dukhovni. File: conf/postmulti-script. + +20150930 + + Bugfix (introduced: 20040124): Milter client panic while + adding a header, because the PREPEND action used the same + output function for header_checks and body_checks. Viktor + Dukhovni and Wietse. File: cleanup/cleanup_message.c. + + Bugfix (introduced: 20031128): xtext_unquote() did not + propagate error reports from xtext_unquote_append(), causing + the decoder to return partial output, instead of rejecting + malformed input. Fix by Krzysztof Wojta. File: global/xtext.c. + +20151003 + + Bugfix (copied from xtext): uxtext_unquote() did not propagate + error reports from uxtext_unquote_append(), causing the + decoder to return partial output, instead of rejecting + malformed input. Found by searching the code for similar + error patterns as with xtext_unquote(). File: global/uxtext.c. + + Cleanup: added missing "negative" unit tests. Files: + global/xtext.c, global/uxtext.c. + +20151004 + + Future proofing: use a real VSTRING in the 20150930 header + PREPEND fix. File: cleanup/cleanup_message.c. + + Future proofing: make vstring_import() consistent with + vstring_alloc(). The alternative would be to remove the + function as it is unused and exists only for symmetry with + vstring_export(). File: usr/vstring.c. + +20151010 + + Cleanup: the 20150903 workaround for AIX DNSSEC used the + wrong name in #ifdef. File: dns/dns.h. + +20151011 + + Cleanup: in the PCRE client, turn fatal lookup errors into + warnings, and skip the failing pattern as in dict_regexp.c. + Also, fixed the error text when running into the matcher's + backtracking limit. File: util/dict_pcre.c. + +20151017 + + Feature: smtpd_client_auth_rate_limit enforces a rate + limit on the number of AUTH commands per client IP address. + mantools/postlink, proto/postconf.proto, anvil/anvil.c, + global/anvil_clnt.c, global/anvil_clnt.h, global/mail_params.h, + smtpd/smtpd.c. + +20151018 + + Added RFC 7672 (SMTP security via opportunistic DANE TLS) + and RFC 7505 ("Null MX" No Service Resource Record) to the + lists of supported RFCs in manpages. Viktor Dukhovni. Files: + smtp/smtp.c, smtpd/smtpd.c. + +20151031 + + Bitrot: OpenSSL API cleanups. Viktor Dukhovni. Files: + .indent.pro, tls/tls.h, tls/tls_dane.c, tls/tls_fprint.c, + tls/tls_misc.c, tls/tls_server.c, tls/tls_verify.c. + +20151124 + + Bugfix (introduced: Postfix 3.0): don't throttle a destination + after opportunistic TLS failure. Viktor Dukhovni and Wietse. + Files: smtp/smtp_proto.c, smtp/smtp.h, smtp/smtp_trouble.c. + +20151128 + + Feature: JSON-formatted queue listing with "postqueue -j". + Output is a stream of JSON objects, one per queue file. To + simplify stream-mode parsing, each JSON object is followed by + a newline character. Files: postqueue/postqueue.c, + postqueue/postqueue.h, postqueue/showq_compat.c, + postqueue/showq_json.c, showq/showq.c. + +20151216 + + Bugfix (introduced: 20151128) bogus queue file parsing error. + File: showq/showq.c. + +20151226 + + Cleanup: postlog(1) now pauses for 1s after reporting a + fatal or panic error. This makes behavior of scripts such + as postfix-script consistent with built-in error messages. + File: postlog/postlog.c. + +20151227 + + Robustness: don't allow for whitespace in command-line + arguments. Files; postfix-install, conf/post-install. + + Robustness: added a comment to discourage people who keep + adding code that calls gethostbyname() to determine the + default myhostname setting. This is a mistake: all Postfix + programs will hang when the DNS is unavailable. File: + global/mail_params.c. + + Safety: a limit on the number of address verification probes + in the active queue (address_verify_pending_request_limit), + by default 1/4 of the active queue maximum size. The queue + manager tempfails probe messages that exceed the limit. + Files: mantools/postlink, proto/postconf.proto, cleanup/cleanup.h, + cleanup/cleanup_envelope.c, cleanup/cleanup_out_recipient.c, + cleanup/cleanup_state.c, global/mail_params.h, global/post_mail.c, + global/post_mail.h, global/verify.c, oqmgr/qmgr.c, oqmgr/qmgr.h, + oqmgr/qmgr_message.c, qmgr/qmgr.c, qmgr/qmgr.h, + qmgr/qmgr_message.c, verify/verify.c. + +20160102 + + Workaround: MacOS/X 10.11.x /bin/sh unsets DYLD_LIBRARY_PATH, + which breaks the build and install. Viktor Dukhovni and + Wietse. Files: makedefs, postfix-install, Makefile.in. + + Bitrot: OpenSSL 1.1.0-dev drops support for EXPORT ciphers + and ephemeral RSA. Viktor Dukhovni. Files: tls/tls_client.c, + tls/tls_rsa.c, tls/tls_server.c. + + Bugfix: memory leak in tls_set_eecdh_curve(). Viktor Dukhovni. + File: tls/tls_dh.c. + + Bugfix (introduced 20150326): when lmtp_fallback_relay + support was added, the code that generates lmtp_mumble + parameters from smtp_mumble parameters wasn't updated. File: + smtp/smtp-only. + + Bugfix (introduced 20151017): the smtpd_client_auth_rate_limit + implementation was not guarded with #ifdef USE_SASL_AUTH. + File: smtpd/smtpd.c. + +20160103 + + Feature: enable DANE policies when an MX host has a secure + TLSA DNS record, even if the MX DNS record was obtained + with insecure lookups. The existence of a secure TLSA record + implies that the host wants to talk TLS and not plaintext. + This behavior is controlled with smtp_tls_dane_insecure_mx_policy + (default: "dane", other settings: "encrypt" and "may"; the + latter is backwards-compatible with earlier Postfix releases). + Viktor Dukhovni. Files: mantools/postlink, proto/postconf.proto, + src/global/mail_params.h, src/posttls-finger/posttls-finger.c, + src/smtp/smtp-only, src/smtp/smtp.c, src/smtp/smtp.h, + src/smtp/smtp_addr.c, src/smtp/smtp_params.c, + src/smtp/smtp_tls_policy.c, src/tls/tls.h, src/tls/tls_client.c. + +20160104 + + Cleanup: distinct TLS levels for "full" DANE and for DANE + with insecure MX records. Viktor Dukhovni. Files: + posttls-finger/posttls-finger.c, smtp/smtp_tls_policy.c, + tls/tls.h, tls/tls_client.c, tls/tls_level.c. + +20160108 + + Cleanup: smtp_reply_footer() now restores state in case of + input error; unit tests that cover most if not all error + and non-error cases. Files: global/smtp_reply_footer.c, + global/smtp_reply_footer.ref. + +20160110 + + Bitrot: const-ification for OpenSSL 1.1.0. Viktor Dukhovni. + File: tls/tls_misc.c. + +20160116 + + "postconf -H" support (show names without the =value). + Initial use case: mass reversal of TLS-related main.cf + parameters (postconf -nH | grep _tls_ | xargs postconf -X). + This flag also works with "postconf -F" and "postconf -P". + Added missing documentation that -h works with "postconf + -F" and "postconf -P". Files: postconf.c, postconf.h, + postconf_master.c, postconf_main.c. + + Robustness: force html2text to produce ASCII output. File: + mantools/html2readme. + + Feature: "postfix tls" commands to enable opportunistic TLS + in the Postfix SMTP client or server, or generate or replace + Postfix SMTP server TLS private keys and server certificates. + Viktor Dukhovni, Wietse. Files: conf/postfix-files, + conf/postfix-script, conf/postfix-tls-script, makedefs, + proto/INSTALL.html, proto/postconf.proto, global/mail_params.h, + postfix/postfix.c, tls/tls_misc.c. + + Portability: added a tls_random_source default setting for + MacOS X. Viktor Dukhovni. File: util/sys_defs.h. + +20160118 + + Bitrot: OpenSSL 1.1.0-dev (aka the "master" branch) has new + security levels ranging from 0 to 5. Level "0" is backwards + compatible, and other levels are increasingly restrictive. + Viktor Dukhovni. Files: tls/tls_server.c, tls/tls_client.c. + +20160205 + + Portability: Postfix TLS support uses /dev/urandom if + available and no system-specific setting exists in sys_defs.h. + Files: makedefs, util/sys_defs.h. + +20160208 + + Cleanup: building the INSTALL file had failed, added + hyperlinks for "postfix tls". Files: mantools/postlink. + +20160210 + + Feature: all-default-client and all-default-server subcommands. + Eray Aslan. File: conf/postfix-tls-script. + + Bugfix: the postqueue(1) JSON formatter wrote a spurious + comma after the delay reason. Reported by Christian Roessner. + File: postqueue/showq_json.c. + +20160212 + + Cleanup: Bold/Italic cleanup in manpages. + +20160213 + + Added Google credits to external manpages. + +20160214 + + More manpage cleanups. Viktor, Wietse. + +20160215 + + Cleanup: "match_list_match: permit_mynetworks: no match" after + a SUCCESSFUL permit_mynetworks match of a client IP address was + complicating troubleshooting. The fix is to log additional + context to clarify that this "no match" condition is for + smtpd_log_access_permit_actions. File: smtpd/smtpd_check.c. + +20160224 + + Cleanup: un-break some DNS unit tests by replacing non-portable + numerical flags with portable symbolic names in the verbose + command output. Files: dns/dns_str_resflags.c, dns/dns_lookup.c, + dns/Makefile.in, many *.ref files. + +20160227 + + Cleanup: remember multiple BCC actions in access maps. + Files: smtpd/smtpd.h, smtpd/smtpd.c, smtpd/smtpd_check.c, + smtpd/smtpd_state.c, proto/access. + +20160228 + + Documentation: STRESS_README. File: proto/STRESS_README.html. + +20160229 + + Documentation: postmulti manpage. File: postmulti/postmulti.c. + +20160305 + + Future-proofing: detect integer overflow before it happens. + After-the-fact detection relies on assumptions about + undefined behavior that are invalidated by compilers. Files: + util/mymalloc.c, util/vstring.c. + +20160310 + + Bugfix (introduced: Postfix 2.6): the Milter SMFIR_CHGFROM + (replace sender) request lost the sender_bcc_maps address. + Fixed by moving some record keeping to the sender output + function. Files: cleanup/cleanup_envelope.c, + cleanup/cleanup_addr.c, cleanup/cleanup_milter.c, + cleanup/cleanup.h, regression tests. + +20160314 + + Future-proofing: revised off_t integer conversion (detect off_t + overflow before it happens). After-the-fact detection relies + on assumptions about undefined behavior that are invalidated by + compilers. Files: global/off_cvt.c. + + Cleanup: include <sys/types.h> once, instead of making it + system-dependent. File: util/sys_defs.h. + + Cleanup: make sorting in "make depend" locale-independent. + Files: */Makefile.in. + + Cleanup: postmulti manpage. File: postmulti/postmulti.c. + +20160319 + + Future-proofing: revised format-string width or precision integer + conversion (detect integer overflow before it happens), plus + some tests to ensure that format-string widths and precisions + are parsed correctly, and that output buffers are sized + correctly. Files: util/vbuf_print.c, util/vbuf_print_test.in, + util/vbuf_print_test.ref. + +20160320 + + Testing: exact-size VSTRING allocation. Files: util/vstring.[hc]. + + Cleanup: switch to snprintf() for redundancy, keeping + existing code in place to censor unnecessary format-string + features. Specify "make makefiles CCARGS=-DNO_SNPRINTF" for + ancient systems. File: vbuf_print.c, makedefs, util/sys_defs.h, + proto/INSTALL.html. + +20160324 + + Future-proofing: revised netstring length integer conversion + (detect integer overflow before it happens). File: + util/netstring.c. + + Cleanup: report unsupported usage of '%ls' and '%lc' in + format strings. File: util/vbuf_print.c. + +20160326 + + Future-proofing: regression test for global/off_cvt.c. + Files: global/off_cvt.in, global/off_cvt.ref. + +20160327 + + Cleanup: postconf(1) manpage. File: postconf/postconf.c. + + Cleanup: un-broke regression tests. Files: dns/mxonly_test.ref, + dns/no-mx.ref, smtpd/smtpd_server.ref, smtpd/smtpd_server.in. + + Added Postfix version information to the "postconf -m" manpage + section. File: postconf/postconf.c. + +20160330 + + The collate.pl script by Viktor Dukhovni for grouping Postfix + logfile records into "sessions" based on queue ID and process + ID information. Files: auxiliary/collate/*. + +20160407 + + Treat SASL_FAIL and SASL_NOMEM as temporary errors. + Markus Benning. File: xsasl/xsasl_cyrus_server.c. + +20160410 + + Bugfix (introduced: Postfix 2.6): the "bad filetype" + header_checks pattern falsely rejected Content-Mumble headers + with ``name="example"; x-apple-part-url="example.com"''. + Fixed by respecting the ";" separator between content + attribute values. Reported by Cedric Knight. File: + proto/header_checks. + +20160515 + + Portability: OpenBSD 6.0. Files: makedefs, util/sys_defs.h, + dns/dns_str_resflags.c. + +20160521 + + Bugfix (introduced: Postfix beta): the never-used function + mvect_free() attempted to free memory that it has not + allocated. File: util/mvect.c. + + Cleanup: existing if/endif support for pcre and regexp + tables, in preparation for new if/endif support for cidr + tables. Files: util/dict_regexp.c, util/dict_pcre.c. + +20160526 + + Feature: cidr tables now support if/endif and negation (by + prepending "!" to a pattern), just like regexp and pcre + tables. The primarily purpose is to improve readability of + complex tables. Files: util/cidr_match.[hc], util/dict_cidr.c, + proto/cidr_table. + + Cleanup: make regexp: and pcre: parser warning messages more + similar. Files: dict_regexp.c, dict_pcre.c. + +20160601 + + Cleanup: moved parsing of '!' operators from cidr_match.c + to dict_cidr.c. Files: util/cidr_match.[hc], util/dict_cidr.c, + util/match_ops.c. + +20160604 + + Cleanup: made parsing of '!' operators in regexp and pcre + tables consistent with cidr tables. Files: util/dict_regexp.c, + util/dict_pcre.c. + +20160605 + + Cleanup: integer wrap-around detection in the MySQL and + PostgreSQL clients. This is totally non-critical because + Postfix strings are size-limited by design. Files: + global/dict_mysqql.c, global/dict_pgsql.c. + +20160607 + + Documentation: dnsblog. + +20160609 + + Documentation: postsuper(1) manpage text for multiple -[dhH] + options. File: postsuper/postsuper.c. + +20160611 + + Cleanup: Postfix SMTP server local IP address and port + attributes in the policy delegation protocol (attribute + names: server_address, server_port), in the Milter protocol + (macro names: {daemon_addr}, {daemon_port}) and in the + XCLIENT protocol (attribute names: DESTADDR, DESTPORT). + Files: proto/MILTER_README.html, proto/SMTPD_POLICY_README.html, + cleanup/cleanup.h, cleanup/cleanup_milter.c, global/mail_proto.h, + milter/milter.h, smtpd/smtpd.c, smtpd/smtpd.h, smtpd/smtpd_check.c, + smtpd/smtpd_haproxy.c, smtpd/smtpd_milter.c, smtpd/smtpd_peer.c. + +20160612 + + Bugfix (introduced: 20090211): missing server address + conversion for non-proxy, non-postscreen connections. File: + smtpd/smtpd_peer.c. + + Bugfix (introduced: 20160611) missing server port conversion + for non-proxy, non-postscreen connections, because there was + no server address conversion. File: smtpd/smtpd_peer.c. + +20160618 + + Bugfix (introduced: 20091121): with the introduction of + sender_dependent_default_transport_maps, the SMTP daemon + was not updated. This resulted in false rejects with + sender-dependent "error" transports. Based on a fix by + Russell Yanofsky. Files: global/resolve_clnt.c, + global/resolve_clnt.h, smtpd/smtpd_check.c, smtpd/smtpd_check.h, + smtpd/smtpd_milter.c, smtpd/smtpd_resolve.c, smtpd/smtpd_resolve.h. + +20160619 + + Refinements to the 20160618 fix. For more consistent results + with sender address validation, use the recipient address + (if available) as the sender-dependent address resolver + context. For better caching, pass sender context with all + attempts to resolve an email address. File: smtpd/smtpd.c, + smtpd/smtpd_check.c, smtpd/smtpd_milter.c. + +20160625 + + Cleanup: the Postfix SMTP server now passes network address + and port information to the Cyrus SASL library. Build with + ``make makefiles "CCARGS=$CCARGS -DNO_IP_CYRUS_SASL_AUTH"'' + for backwards compatibility. Files: makedefs, + smtpd/smtpd_sasl_glue.c, xsasl/xsasl.h, xsasl/xsasl_cyrus_server.c, + xsasl/xsasl_server.c. + + Cleanup: dnsblog manpage. File: dnsblog/dnsblog.c. + +20160717 + + Bugfix (introduced: Postfix 1.1): the virtual(8) delivery + agent discarded the error result from vstream_fseek(). + +20160728 + + Bugfix (introduced: 20090614): with concurrent connections + from the same client IP address, and after-220 tests enabled, + postscreen could overwrite the cached "all tests completed" + result of one connection that completed the after-220 tests, + with the "some tests not completed" result of a concurrent + connection where the client hung up before completing the + after-220 tests. Files: postscreen_misc.c, postscreen_state.c, + postscreen.h, postscreen_tests.c, postscreen.c, postscreen_smtpd.c, + postscreen_early.c. + +20160730 + + Cleanup: don't try to optimize away postscreen cache updates. + File: postscreen_misc.c. + + Cleanup: removed compatibility crutches that emulated a + historical data organization from four years ago. Files: + postscreen/postscreen.[hc], postscreen/postscreen_early.c, + postscreen/postscreen_smtpd.c, postscreen/postscreen_tests.c. + +20160808 + + Cleanup: preserve the new file mtimes when installing Postfix. + Ondřej Lysoněk. File: postfix-install. + REVERTED 20160828. + +20160819 + + Bugfix (introduced: Postfix 3.0): the makedefs script ignored + readme_directory=pathname overrides. Fix by Todd C. Olson. + File: makedefs. + +20160821 + + Bugfix (introduced: Postfix 3.0): the tls_session_ticket_cipher + documentation says aes-256-cbc, but the implementation was + using aes-128-cbc (note that Postfix session ticket keys + are rotated after 1/2 hour, to limit the impact of attacks + on session ticket keys). + +20160828 + + Bitrot: fixes for incompatible OpenSSL 1.1.0 API changes. + Viktor Dukhovni. Files: posttls-finger/posttls-finger.c, + tls/tls.h, tls/tls_dane.c, tls/tls_verify.c, tls/tls_server.c, + tls/tls_client.c. + + Cleanup: disable reuse of ECDH ephemeral keys. Viktor + Dukhovni. File: tls/tls_misc.h. + +20160908 + + Documentation: add a pointer to hosts(5) and services(5) + for symbolic host and port syntax. File: proto/master. + +20160911 + + Bugfix (introduced: Postfix 3.0): the SMTP daemon did not + reset a previous session's command counts before rejecting + a client that exceeds request or concurrency rates. File: + smtpd/smtpd.c. + +20160912 + + Feature: preserve the new file mtimes when installing + Postfix. Ondřej Lysoněk. Wietse made this conditional on + the presence of a new -keep-new-mtime flag. File: postfix-install. + [this flag was renamed to "-keep-build-mtime" on 20161126] + +20160917 + + Bugfix (introduced: Postfix 3.0): the unionmap did not + propagate table lookup errors. Based on patch by Roel van + Meer. Files: util/dict_union.c, util/dict_union_test.*. + + Cleanup: added unit test for pipemap. Files: util/dict_pipe.c, + util/dict_pipe_test.*. + + Documentation: added a note about the order of search + patterns and table lookup order. Files: proto/canonical, + proto/generic, proto/virtual. + + Documentation: bitrot in postsuper(1) example. Different + groff versions produce different results; some systems no + longer support historical "tail -number" command syntax. + Fix by Geert Stappers. File: postsuper/postsuper.c. + +20160918 + + Logging: the Postfix SMTP server logs the sasl_username + after rejected SMTP commands. As before, the SMTP server + does not forward SASL login information to other Postfix + subsystems, and it does not receive SASL login information + in XFORWARD commands. File/smtpd/smtpd.c. + +20160925 + + Bugfix (introduced: Postfix 2.11): changed the default MySQL + option_group value to "client" to enable the reading of + "client" option group settings in the MySQL option file. + This fixes false "not found" errors with Postfix queries + that contain UTF8-encoded text. Fix by John Fawcett. + Specify an empty option_group value to get backwards-compatible + behavior. Files: global/dict_mysql.c, proto/mysql_table. + +20161007 + + Bitrot: API for the ersatz inet_ntop() function, when + compiling with -DNO_IPV6 (which exists only for debugging). + Files: util/sys_defs.h, util/sys_compat.c. + +20161008 + + Feature: smtp_tcp_port, similar to the existing lmtp_tcp_port. + Files: mantools/postlink, proto/postconf.proto, + global/mail_params.h, smtp/smtp.c, smtp/smtp_connect.c, + smtp/smtp_params.c. + + Feature: "PASS" and "STRIP" actions in header/body_checks. + "STRIP" is similar to "IGNORE" but also logs the action, + and "PASS" disables header, body, and Milter inspection for + the remainder of the message content. Contributed by Hobbit. + Files: cleanup/cleanup_message.c, global/header_body_checks.c. + +20161024 + + Feature: smtpd_milter_maps, per-client Milter configuration + that overrides smtpd_milters, and that has the same syntax. + Files: mantools/postlink, proto/MILTER_README.html, + proto/postconf.proto, global/mail_params.h, smtpd/smtpd.c, + smtpd/smtpd.h, smtpd/smtpd_sasl_proto.c, smtpd/smtpd_state.c. + +20161103 + + Cleanup: error reporting for IDNA (non-ASCII domain name) + conversion errors. File: util/midna_domain.c. + + Cleanup: non-transitional conversion of UTF8 to/from ASCII + domain name labels used in DNS queries. This disables + 'transitional' compatibility between IDNA2003 and IDNA2008, + and affects some corner cases such as German sz and Greek + zeta. Specify "enable_idna2003_compatibility = yes" to + restore historical behavior. Files: util/midna_domain.[hc], + mantools/postlink, global/mail_params.[hc], proto/postconf.proto, + proto/SMTPUTF8_README.html. + +20161105 + + Bugfix (introduced: Postfix 1.1): the postsuper command did + not count a successful rename operation after error recovery. + Problem reported by Markus Schönhaber. File: postsuper/postsuper.c. + + Cleanup: error reporting for IDNA (non-ASCII domain name) + conversion errors, and enable_idna2003_compatibility + configuration. File: util/midna_domain.c. + +20161106 + + Documentation: specify the minimum ICU library version (4.6). + File: proto/SMTPUTF8_README.html. + +20161109 + + Portability: force LC_ALL=C in dict_utf8 test. This should + probably be in every shell script. + +20161120 + + Documentation: clarified the syntax of $name and ${name...} + in parameter values, and some wordsmithing. Files: + proto/postconf.html.prolog, proto/postconf.man.prolog. + +20161123 + + Documentation: clarified reject_non_fqdn_{sender,recipient}. + The syntax check applies only for domains that are actually + specified, not for missing domains. File: proto/postconf.proto. + +20161126 + + Cleanup: the postfix-install option "-keep-new-mtime" was + renamed to "-keep-build-mtime". File: postfix-install. + + Feature: "make makefiles POSTFIX_INSTALL_OPTS=-keep-build-mtime" + to set the installed file mtimes to their build time instead + of their installation time. Based on code by Ondřej Lysoněk. + Wietse added a guard to prevent POSTFIX_INSTALL_OPTS from + passing arbitrary options. Files: makedefs, Makefile.in, + proto/INSTALL.html. + +20161201 + + Documentation: add 'smtpd_tls_auth_only=yes' to the master.cf + submission service example. File: conf/master.cf. + +20161202 + + Documentation: typos in postconf(1) manpage. File: + postconf/postconf.c. + +20161204 + + Cleanup: properly report numerical conversion errors in + ${{number} relational-operator ${number}}, and wordsmithing. + File: util/mac_expand.c. + + Updated auxiliary/collate/collate.pl with Viktor's suggestion + in <98D25E24-EAB1-42BB-82FD-794F5DDD4E7F@dukhovni.org> for + better tracking of message flows. + + Cleanup: remove tentative features that were implemented + before the DANE spec was finalized: support for certificate + usage PKIX-EE(1), the ability to disable digest agility + (Postfix now behaves as if "tls_dane_digest_agility = on"), + and the ability to disable support for "TLSA 2 [01] [12]" + records that specify the digest of a trust anchor (Postfix + now behaves as if "tls_dane_trust_anchor_digest_enable = + yes). Viktor Dukhovni. Files: mantools/postlink, + proto/postconf.proto, proto/TLS_README.html, tls/tls.h, + tls/tls_dane.c, smtp/smtp.c. + + Bugfix (introduced: Postfix 3.1): cut-and-paste error in + the "postfix tls deploy-server-cert" command, causing the + wrong certfile and keyfile to be used. Viktor Dukhovni. + File: conf/postfix-tls-script. + + Robustness: create a new keyfile when "postfix tls + new-server-cert" is invoked, and main.cf specifies a + non-existent keyfile. Viktor Dukhovni. File: + conf/postfix-tls-script. + +20161205 + + Cleanup: log the sender address when rejecting a too large + message size in a "MAIL FROM:<sender> SIZE=nnn" command. + File: smtpd/smtpd.c. + +20161206 + + Bugfix (introduced: Postfix 3.0): when receiving a MAIL + FROM...SMTPUTF8 command while smtpd_delay_reject=no, enable + SMTPUTF8 support before processing smtpd_sender_restrictions. + Problem reported by Viktor Dukhovni. File: smtpd/smtpd.c. + + Bugfix (introduced: Postfix 3.0): when receiving a + VRFY...SMTPUTF8 command, enable SMTPUTF8 support while + processing smtpd_recipient_restrictions. File: smtpd/smtpd.c. + +20161220 + + Bugfix (introduced: Postfix 2.1.0): the Postfix SMTP daemon + did not query sender_canonical_maps when rejecting unknown + senders with "smtpd_reject_unlisted_recipient = yes" or + with reject_unlisted_sender. Stephen R. van den Berg (Mr. + procmail). Files: smtpd/smtpd.c, smtpd/smtpd_check.c. + +20161217 + + Enable elliptic curve negotiation with OpenSSL >= 1.0.2. + This changes the default smtpd_tls_eecdh_grade setting to + "auto", and introduces a new parameter tls_eecdh_auto_curves + with the names of curves that may be negotiated. The default + tls_eecdh_auto_curves setting is determined at compile time, + and depends on the Postfix and OpenSSL versions. At runtime, + Postfix will skip curve names that aren't supported by the + OpenSSL library. Viktor Dukhovni. Files: mantools/postlink, + proto/FORWARD_SECRECY_README.html, proto/TLS_README.html, + proto/postconf.proto, global/mail_params.h, smtpd/smtpd.c, + tls/tls.h, tls/tls_client.c, tls/tls_dh.c, tls/tls_misc.c, + tls/tls_server.c. + + Feature: stored-procedure support for MySQL databases. + John Fawcett. Files: global/dict_mysql.c, proto/mysql_table. + +20161223 + + Bugfix (introduced: Postfix 3.2 snapshots): the makedefs + script produced a garbled CCARGS setting when no suitable + ICU library was found. File: makedefs. + +20161225 + + Cleanup: simplified handling of unsupported curve names in + the tls_eecdh_auto_curves parameter value. File: tls/tls_dh.c. + + Cleanup: simplified code structure in the MySQL client + support for stored procedures. File: global/dict_mysql.c. + +20161226 + + Cleanup: more MySQL client code simplification, better error + messages, new per-database "require_result_set" parameter + (default: yes) which can be set to "no" to avoid the need + for dummy SELECT statements in stored procedures. Files: + global/dict_mysql.c, proto/mysql_table, postconf/postconf_dbms.c. + + Portability: SSL_CTX_set_ecdh_auto() is part of the deprecated + OpenSSL API, so it must be used under #ifdef. Viktor Dukhovni. + File: src/tls/tls_dh.c. + +20161227 + + Safety: the sendmail -C option must specify an authorized + configuration directory: the default configuration directory, + a directory that is listed in the default main.cf file with + alternate_config_directories or multi_instance_directories, + or the command must be invoked with root privileges. This + mitigates a problem with the PHP mail() function. Files: + global/mail_conf.[hc], sendmail/sendmail.c. + +20161228 + + Documentation: moved the "BACKWARDS COMPATIBILITY" sections + to the end of ldap_table, mysql_table, pgsql_table, and + sqlite_table, renamed to "OBSOLETE MAIN.CF PARAMETERS". + +20161231 + + Bugfix (introduced: 20160521): segfault (null pointer) in + cidr, pcre, and regexp table when an input does not match + an ENDIF-less IF operator. Found during code maintenance. + File: util/cidr_map.c, util/dict_regexp.c, util/dict_pcre.c. + +20170101 + + Portability; SunOS5 builds broke after moving the sys/types.h + include statement to the top of sys_defs.h. + + Portability: declaration after code is GNU dialect. File: + util/vbuf_print.c. + + Portability: compatibility macros for SSLv23_client_method() + etc. deprecation. Files: tls/tls.h, tls/tls_client.c, + tls/tls_dane.c, tls_server.c. + +201606-20170108 + + Cleanup: handling of address extensions with email addresses + that contain spaces. The virtual_alias_maps, canonical_maps, + and smtp_generic_maps features now correctly propagate an + address extension from "aa bb+ext"@example.com to "cc + dd+ext"@other.example, instead of producing broken output. + + Files updated to support conversion between unquoted and + quoted address forms, as required for addresses that contain + spaces: global/mail_addr_map.*, global/mail_addr_find.* and + global/mail_addr_crunch.*. + + Files updated to enable these address conversions to correctly + propagate address extensions: cleanup/cleanup_map11.c + (canonical_maps), cleanup/cleanup_map1n.c (virtual_alias_maps), + and smtp/smtp_generic.c (smtp_generic_maps). + + Files updated to rename functions to better reflect their + input and output forms: global/split_addr.*, global/strip_addr.*. + + Files updated to support quoted lookup keys: util/dict_inline.c, + util/dict_thash.c, postmap/postmap.c. + + Files updated to invoke a backwards-compatible mail_addr_find() + version that disables quoted/unquoted address conversions: + smtp/smtp/smtp_sasl_glue.c (smtp_sasl_password_maps), + smtpd/smtpd_check.c (SMTP server address validation), + cleanup/cleanup_addr.c (sender_bcc_maps and recipient_bcc_maps), + virtual/mailbox.c (user-related table lookups), + trivial-rewrite/transport.c (transport_maps), + trivial-rewrite/resolve.c (sender_dependent_mumble_maps, + relocated_maps). These features may be migrated later to + enable quoted-form address lookup keys, for consistency + with other Postfix features. + +20170109 + + Cleanup: reduce the number of modified files relative to + the last regular release, to make a back-port more feasible. + This renames the new mail_addr_find() to mail_addr_find_opt(), + and renames the backwards_compatibility mail_addr_find_noconv() + to its old name mail_addr_find(). Added backwards-compatible + aliases {split,strip}_addr() for {split,strip}_addr_local(). + To ensure correctness these edits were done mechanically, + and verified mechanically. + +20170111 + + Documentation: when (smtp|lmtp)_delivery_status_filter is + applied. File: proto/postconf.proto. + +20170114 + + Cleanup: careful handling of local-parts that contain '@', + as they are converted into quoted form. Files: + global/mail_addr_find.*, global/quote_822_local.*, + global/quote_flags.*. + + Cleanup: added unit tests for malformed inputs. Files: + util/dict_thash{in,ref}. + + Cleanup: minimize the patch size of the quoting fixes, and + a preliminary back-port to Postfix 3.1.4. + +20170115 + + Cleanup: enable "externalized" address lookup by default, + with legacy-style "internalized" lookup for backwards + compatibility, for sender_bcc_maps, recipient_bcc_maps, + smtp_sasl_passwd_maps, smtpd_sender_login_maps, relocated_maps, + sender_dependent_mumble_maps, virtual_{mailbox,uid,gid}_maps. + File: global/mail_addr_find.c. + + Cleanup: enable "externalized" address lookup by default, + with legacy-style "internalized" lookup for backwards + compatibility, for transport_maps. Files: global/mail_addr_find.*, + trivial-rewrite/transport.*. + + Cleanup: mail_addr_find_() now has a configurable strategy + for full and partial address lookup, so that it may also + be used for localpart lookup in access maps. + +20170116: + + Cleanup: parent domain matching is now implemented in the + mail_addr_find() engine. Simplified the transport_maps + lookup to just one mail_addr_find_() call. Files: + global/mail_addr_find.*, trivial-rewrite/transport.*. + + Cleanup: enabled "externalized" address lookup by default, + with legacy-style "internalized" lookup for backwards + compatibility, for check_sender_access and check_recipient_access. + This now uses 'user@' lookup support in the mail_addr_find() + engine. File: global/mail_addr_find.*, smtpd/smtpd_check.c. + +20170122 + + Cleanup: separated the database query form from the address + form that is input to mail_addr_find_() or mail_addr_map*(), + in attempt to make code more obviously correct. Files: + global/mail_addr_find.c, global/mail_addr_map.c. + + Abandoned an experiment that used internal-form queries for + all maps, because it would be very difficult to test. The + tests inputs would have to compensate for multiple levels + of unquoting by postmap, C compilers, or shell interpreters. + + Cleanup: moved the backwards-compatibility lookup strategy + (try the external address form first, then the internal + address form if it is different) inside the loop that + iterates over full and partial address forms. File: + global/mail_addr_find.c. + +20170125 + + Cleanup: mail_addr_find test scripting. Eliminate main.cf + dependencies, and allow all tests to run in one process. + Files: global/mail_addr_find.* + +20170127 + + Cleanup: mail_addr_find and mail_addr_form named constants. + Files: global/mail_addr_form.h, mail_addr_find.h, and + dependents. + +20170128 + + Cleanup: smtp_generic_maps implementation. Reduced the + number of internal<->external form address conversions, + added more rigorous tests, and eliminated the main.cf and + trivial-rewrite dependencies. Files: smtp_map11.*. + +20170129 + + Cleanup: bogus UTC timezone setting for postqueue/mailq + command output, and other environment settings for root and + non-root users in set-gid programs. File: postqueue/postqueue.c + (enforce import_environment name=value overrides for root + users), util/msg_syslog_init.c (don't override non-existent + TZ settings with UTC), util/unsafe.c (exclude uid==0, euid==0 + super-user from privilege escalation concerns). + +20170131 + + Cleanup: more complete VALGRIND coverage for test build targets + and scripts. Files: postalias/fail_test.in, postmap/fail_test.in, + postmap/quote_test.in, util/dict_pipe_test.in, + util/dict_union_test.in, util/dict_utf8_test.in. + + +20170201 + + Portability: unsetenv() for ancient platforms. File: + makedefs, util/sys_compat.c. + +20170205 + + Cleanup: security checks for config_directory overrides. + File: global/mail_conf.c. + + Cleanup: enforce import_environment name=value settings in + command-line utilities, for consistency with Postfix daemons (but + without removing environment variables). This is not enforced + in the postconf command which must be able to process main.cf + files with incomplete settings. Files: postalias/postalias.c, + postcat/postcat.c, postkick/postkick.c, postlock/postlock.c, + postlog/postlog.c, postmap/postmap.c, postsuper/postsuper.c, + posttls-finger/posttls-finger.c, sendmail/sendmail.c, + util/clean_env.[hc]. + +20170206 + + Bugfix (introduced: Postfix 3.0): check_mumble_a_access + did not handle [ipaddress], unlike check_mumble_mx_access. + When check_mumble_a_access was introduced, some condition + was not updated. Reported by James (postfix_tracker). File: + smtpd/smtpd_check.c. + +20170207 + + Cleanup: rephrased paranoia precondition. File: global/mail_conf.c. + +20170211 + + Cleanup: rephrased paranoia precondition. File: util/unsafe.c. + +20170218 + + Cleanup: typofixes from klemens. The only change in compiled + code is in one identical mysql error message that also + appears in the pgsql client. Files: about 50. + +20170221 + + Compatibility fix (introduced: Postfix 3.1): some Milter + applications do not recognize macros sent as {name} when macros + have single-character names. Postfix now sends such macros + without {} as it has done historically. Viktor Dukhovni. File: + milter/milter.c. + +20170228 + + Documentation: re-word scary warnings at the top of SASL_README + and TLS_README. + +20170402 + + Bugfix (introduced: Postfix 3.2): restore the SMTP server + receive override options at the end of an SMTP session, + after the options may have been modified by an smtpd_milter_maps + setting of "DISABLE". Problem report by Christian Rößner, + root cause analysis by Viktor Dukhovni. File: smtpd/smtpd.c. + +20170430 + + Safety net: append a null byte to vstring buffers, so that + C-style string operations won't scribble past the end. File: + vstring.[hc]. + +20170505 + + Workaround for a current problem where some destination + announces primarily IPv6 MX addresses, the smtp_address_limit + eliminates most or all IPv4 addresses, and the destination + is not reachable over IPv6. This workaround is enabled with + "smtp_balance_mx_inet_protocols = yes", which is the default. + Files: smtp/smtp.c, smtp/smtp_params.c, smtp/smtp_addr.c, + global/mail_params.h, proto/postconf.proto. + +20170506 + + A last-minute cosmetic fix had introduced a bug in + smtp/smtp_addr.c. + +20170512 + + Bugfix (introduced: Postfix 2.0): the MIME nesting level + counter was not initialized (i.e. left at the memory fill + pattern 0xffffffff which equals -1). This broke unit tests + with a different memory allocator. Changing the value to + zero would break backwards compatibility (reject mail that + was previously not rejected). Files: global/mime_state.c. + +20170531 + + Bugfix (introduced: Postfix 3.2): after the table lookup + overhaul, the check_sender_access and check_recipient_access + features ignored the parent_domain_matches_subdomains + setting. Reported by Henrik Larsson. File: smtpd/smtpd_check.c. + + Workaround (introduced: Postfix 3.2): mail_addr_find() logs + a warning that it does not support both parent-domain and + dot-parent-domain style lookups in the same call. File: + global/mail_addr_find.c + +20170610 + + Workaround (introduced: Postfix 3.0 20140718): prevent MIME + downgrade of Postfix-generated message/delivery-status. + It's supposed to be 7bit, therefore quoted-printable encoding + is not expected. Problem reported by Griff. File: + bounce/bounce_notify_util.c. + + Documentation: indicate that the transport_mumble parameters + are implemented by the queue manager, not by delivery agents. + Files: mantools/postlink, local/local.c, pipe/pipe.c, + *qmgr/qmgr.c, smtp/smtp.c, virtual/virtual.c. + +20170611 + + Security: Berkeley DB 2 and later try to read settings from + a file DB_CONFIG in the current directory. This undocumented + feature may introduce undisclosed vulnerabilities resulting + in privilege escalation with Postfix set-gid programs + (postdrop, postqueue) before they chdir to the Postfix queue + directory, and with the postmap and postalias commands + depending on whether the user's current directory is writable + by other users. This fix does not change Postfix behavior + for Berkeley DB < 3, but reduces file create performance + for Berkeley DB 3 .. 4.6. File: util/dict_db.c. + +20170617 + + Cleanup: the postconf command warns about unknown parameter + names in a database configuration file, specified as an + absolute pathname (for example, ldap:/path/to/file). This + code was mostly written in January 2017, and it still is a + partial implementation. Files: postconf/postconf_dbms.c, + postconf/Makefile.in, postconf/test66.ref. + +20170618 + + Cleanup: added missing "defined(__GLIBC__)" guards for + GLIBC version tests. File: util/sys_defs.h. + +20170620 + + Bugfix (introduced: Postfix 3.2) extension propagation was + broken with "recipient_delimiter = .". This change reverts + a change that was trying to be too clever. Files: + global/mail_adr_crunch.c, global/mail_addr_crunch.ref. + +20170704 + + Typos (introduced: Postfix 2.10): in comments about + IPv4-in-IPv6 addresses, replace :ffff::1.2.3.4 with the + correct form ::ffff:1.2.3.4. Incorrect or misleading comments + are worse than no comments. Files: smtpd/smtpd_haproxy.c, + postscreen/postscreen_haproxy.c. + +20170721 + + Bitrot: updated postconf LDAP database configuration check with + SASL and TLS-related parameters. Reported by Ralf Hildebrandt. + File: postconf/postconf_dbms.c. + +20170722 + + Cleanup: don't log the 'delay_dotcrlf' workaround for CISCO + PIX bugs before the smtp_pix_workaround_threshold_time has + passed. Reported by Ralf Hildebrandt. File: smtp/smtp_proto.c. + +20170727 + + Cleanup: the postconf command now uses mechanically-generated + lists of DBMS parameter names. This eliminates false positives + with mysql databases. Files: postconf/Makefile.in, + postconf/extract_cfg.sh, postconf/postconf_dbms.c. + + Cleanup: removed `#if 0/#endif' dead code from dict_ldap.c, + to avoid spurious output from the extract_cfg.sh parameter name + extraction tool. + +20170728 + + Documentation: added warnings that "enable_original_recipient + = no" prevents Postfix <= 3.2 from saving the address + verification result under the original probe destination + address, if it is changed by aliasing or canonical mapping. + Files: proto/ADDRESS_VERIFICATION_README.html, + proto/postconf.proto. + + Cleanup: don't store an empty address in the verify cache + (this could happen with "enable_original_recipient = no"). + File: global/verify.c. + +20170729 + + Cleanup: the setting "enable_original_recipient = no" no + longer breaks address verification for aliased addresses. + This does not change the behavior of the X-Original-To + header and of recipient deduplication. The fix is to always + store the original recipient in queue files. Some other + changes were needed to move ownership of the var_enable_orcpt + parameter from the cleanup daemon to the global library. + Files: cleanup/cleanup_init.c, cleanup/cleanup_milter.c, + cleanup_out_recipient.c, global/mail_params.c, global/mail_copy.c, + proto/postconf.proto proto/ADDRESS_VERIFICATION_README.html, + local/local.c, virtual/virtual.c, pipe/pipe.c. + +20170730 + + Bugfix (introduced: yesterday): revert global/verify.c code + to always store the verify result under the original address, + and to conditionally store it under the rewritten address. + File: global/verify.c. + +20170827 + + Safety: in vstream_buf_space(), add a sanity check to reject + negative request sizes, instead of letting the program fail + later. File: util/vstream.c + + Bugfix: in tests that enable the VSTRING_FLAG_EXACT flag, + vstring_buf_put_ready() could fail to extend the buffer, + causing infinite recursion in VBUF_PUT(). File: util/vstring.c. + +20170830 + + Bugfix: in vbuf_print(), save the parser-produced format + string before calling msg_panic(), so that the panic message + will not display its own format string. File: util/vbuf_print.c. + +20170831 + + Undefined behavior (introduced Postfix 1.0): after subtracting + a larger unsigned integer from a smaller one, do not assign + the result to a signed integer. File: postqueue/showq_compat.c. + +20170910 + + Safety: restore sanity checks for dynamically-specified + width and precision in format strings (%*, %.*, and %*.*). + These checks were lost with the Postfix 3.2 rewrite of + the vbuf_print formatter. File: vbuf_print.c. + + Bugfix (introduced: postfix-alpha): improve the 'fatal: + invalid option' message to show the optopt value instead of + the getopt() result. Files: master/*server.c. + +20170923 + + Bugfix (introduced: Postfix 3.2): panic in the postqueue + command after output write error while listing the queue. + This change restores a write error check that was lost with + the Postfix 3.2 rewrite of the vbuf_print formatter. + Problem reported by Andreas Schulze. File: util/vbuf_print.c. + +20170924 + + Cleanup: terminate early after output write error. Files: + showq/show_compat.c, showq/show_json.c. + +20171009 + + Bugfix (introduced: Postfix 3.1): DANE support. Postfix + builds with OpenSSL 1.0.0 or 1.0.1 failed to send email to + some sites with "TLSA 2 X X" records associated with an + intermediate CA certificate. Problem report and initial + fix by Erwan Legrand. File: src/tls/tls_dane.c. + +20171024 + + Bugfix (introduced: Postfix 3.0) missing dynamicmaps support + in the Postfix sendmail command broke authorized_submit_users + with a dynamically-loaded map type. File: sendmail/sendmail.c. + +20171116 + + Bugfix (introduced: Postfix 2.1): don't log warnings + that some restriction returns OK, when the access map + DISCARD feature is in effect. File: smtpd/smtpd_check.c. + +20171209 + + Documentation: the effects of owner_request_special and + reset_owner_alias on alias expansion. Files: proto/aliases, + proto/postconf.proto. + +20171215 + + Bugfix (introduced: 20170611): the DB_CONFIG bugfix broke + Berkeley DB configurations with a relative pathname. File: + util/dict_db.c. + +20171218 + + Workaround: reportedly, some res_query(3) implementation + can return -1 with h_errno==0. Instead of terminating with + a panic, the Postfix DNS client now logs a warning and sets + h_errno to TRY_AGAIN. File: dns/dns_lookup.c. + + Cleanup: allow XCLIENT before STARTTLS, when TLS is required. + File: smtpd/smtpd.c. + +20171219 + + Feature: preliminary support to run Postfix in the foreground. + This requires that multi-instance support is disabled. + Files: conf/postfix-script, postfix/postfix.c. + +20171223 + + Feature: Milters can now send RET and ENVID arguments in + SMFIR_CHGFROM requests. Files: cleanup/Makefile.in, + cleanup/cleanup.h, cleanup/cleanup_envelope.c, + cleanup/cleanup_milter.c, cleanup/cleanup_milter.in13h, + cleanup/cleanup_milter.in13i, cleanup/cleanup_milter.ref13c, + cleanup/cleanup_milter.ref13d, cleanup/cleanup_milter.ref13f, + cleanup/cleanup_milter.ref13g, cleanup/cleanup_milter.ref13h, + cleanup/cleanup_milter.ref13i, cleanup/cleanup_state.c, + cleanup/test-queue-file13h, cleanup/test-queue-file13i, + oqmgr/qmgr_message.c, qmgr/qmgr_message.c. + +20171226 + + Documentation patches by Sven Neuhaus. Files: + proto/FORWARD_SECRECY_README.html, proto/MILTER_README.html, + proto/SMTPD_ACCESS_README.html. + +20171227 + + Feature: postgresql:// URI support by Magosányi Árpád. + Files: global/dict_pgsql.c, proto/pgsql_table. + + Cleanup: added employer attributions for non-trivial changes + after Wietse changed employers. + +20180106 + + Compatibility: with compatibility_level < 1, the SMTP server + now warns for mail that would be blocked by the Postfix + 2.10 smtpd_relay_restrictions feature. This extends the + safety net for sites that upgrade from earlier Postfix + versions (questions on the postfix-users list show a steady + trickle). Files: proto/COMPATIBILITY_README.html, + global/mail_params[hc], smtpd/smtpd_check.c. + + Cleanup: reset compatibility_level warnings after 'postfix + reload'. This is relevant primarily for the master daemon. + File: global/mail_params.c. + + Cleanup: missing mailbox seek-to-end error check in the + local(8) delivery agent. File: local/mailbox.c. + + Cleanup: incorrect mailbox seek-to-end error message in the + virtual(8) delivery agent. File: virtual/mailbox.c. + +20180107 + + Cleanup: Postfix-generated From: headers with 'full name' + information are now formatted as "From: name <address>" by + default. Specify "header_from_format = obsolete" for the + earlier form "From: address (name)". Files: proto/postconf.proto, + cleanup/cleanup.h, cleanup_init.c, cleanup_message.c, + mail_params.h. + +20180113 + + Bugfix: "postconf -M" commands did not warn about unused + name=value settings in master.cf. File: postconf/postconf.c. + + Bugfix: "postconf -xM" now expands $process_name using the + daemon file name in master.cf, instead of the "postconf" + command process name. Files: postconf/postconf.h, + postconf/postconf_lookup.c, postconf/postconf_master.c. + + Feature: read-only service_name parameter that contains the + master.cf service name. This allows, for example, setting + the syslog_name with "-o syslog_name=postfix/$service_name" + for the "submission" and "smtps" services. Files: + proto/postconf.proto global/mail_params.h, global/mail_params.c, + master/single_server.c, master/multi_server.c, + master/trigger_server.c, master/event_server.c, + postconf/postconf_master.c, postconf/postconf_builtin.c, + and daemon manpages. + +20180114 + + Paranoia: censor the postqueue process name, similar to the + set-gid postdrop program. File: postqueue/postqueue.c. + + Cleanup: the new "service_name" parameter is applicable + only to Postfix daemons configured in master.cf; hyperlink + the parameter name in documentation. Files: proto/postconf.proto, + mantools/postlink, daemon manpages. + + Cleanup: allow whitespace between $[{(], parameter name, + and [:?)}]. This allows making complex expressions more + readable with line breaks. File: util/mac_expand.c. + + Cleanup: don't initialize the service_name parameter with + the process_name value. Files: postconf/postconf.[hc], + postconf/postconf_builtin.c. + +20180121 + + Bugfix (introduced: 20180106): too many arguments for format + string. File: local/mailbox.c. + +20180128 + + Documentation: the tcp_table(5) manpage now documents the + absence of substring lookups. File: proto/tcp_table. + +20180203 + + Licence: in addition to the historical IBM Public License + 1.0, this software is now also distributed with the more + recent Eclipse Public License 2.0. Recipients can choose + to take the software under the license of their choice. + Those who are more comfortable with the IPL can continue + with that license. File: LICENSE. + +20180217 + + Cleanup: added 22 missing *_maps parameters to the default + proxy_read_maps setting. Files: global/mail_params.h, + mantools/missing-proxy-read-maps. + +20180218 + + Cleanup: back-ported the missing-proxy-read-maps script to + older Postfix releases, and added error checks. Undid some + of the 20180217 changes in mail_params.h that are no longer + needed. + + Bugfix (introduced: 20120117): postconf should scan only + built-in or service-defined parameters for ldap, *sql, etc. + database names. Problem reported by Christian Rößner. Files: + postconf/postconf_user.c. + +20180224 + + Workaround: postconf build did not abort if the m4 command + is not installed (on a system that does have the make command, + the awk command, the perl command, and the C compiler?!). + File: postconf/extract_cfg.sh. + +20180303 + + Portability: slight differences between MySQL and MariaDB. + Olli Hauer. File: global/dict_mysql.c. + +20180306 + + Bugfix (introduced: 19990302): when luser_relay specifies + a non-existent local address, the luser_relay feature becomes + a black hole. Reported by Jørgen Thomsen. File: local/unknown.c. + + Portability: FreeBSD 11 is supported. Files: makedefs, + util/sys_defs.h. + +20180403 + + Containers: "postfix start-fg" will now attempt to run the + master daemon as PID 1, and "postfix stop" will use a + stronger signal if the master does not stop. Files: + conf/postfix-script, master/master.c, master/master_sig.c, + postfix/postfix.c. + +20180404 + + Containers: "postfix start-fg" running as PID=1 will now + properly terminate after "postfix stop". With assistance + from Andreas Schulze and Eray Aslan. Files: master/master.c, + master/master.h, master/master_sig.c. + +20180421 + + Documentation: in the protocol description mention early + on that a policy server must not close the connection unless + there is an error. File: proto/SMTPD_POLICY_README.html. + +20180422 + + Undocumented: when running in PID=1 mode on Linux, a signal + won't be delivered unless the process specifies a handler. + Conveniently, _exit() can be used directly as a signal + handler. This changes the wait status that a parent would + see, but in the case of PID=1 mode on Linux, no-one would + care. Viktor Dukhovni. File: util/killme_after.c. + + Bugfix (introduced: Postfix 2.8): missing tls_server_start() + error propagation in tlsproxy(8) resulting in segfault after + TLS handshake error. Found during code maintenance. File: + tlsproxy/tlsproxy.c. + + Connection reuse for TLS-encrypted SMTP sessions. This is + work-in-progress, #ifdef USE_TLSPROXY, to avoid contamination + of existing code. + + The idea is to have smtp(8) talk plaintext while tlsproxy(8) + converts between local plaintext and remote ciphertext. + Then, smtp(8) can save plaintext connections to the cache, + and scache(8) holds the handles to the tlsproxy(8) processes. + + This preliminary implementation does not yet support proxying + of DANE attributes from smtp(8) to tlsproxy(8). tlsproxy(8) + does not have permissions to read private key files that + smtp(8) can read. And the name of a connection cache entry + does not yet depend on whether the cached connection uses + TLS, nor does it depend on DANE information. + + Files: global/mail_proto.h, postscreen/postscreen_starttls.c, + posttls-finger/posttls-finger.c, smtp/smtp.c, smtp/smtp.h, + smtp/smtp_params.c, smtp/smtp_proto.c, smtp/smtp_session.c, + smtpd/smtpd.c, tls/tls.h, tls/tls_client.c, tls/tls_proxy.h, + tls/tls_proxy_client_init_print.c, + tls/tls_proxy_client_init_scan.c, + tls/tls_proxy_client_start_print.c, + tls/tls_proxy_client_start_scan.c, tls/tls_proxy_clnt.c, + tls/tls_proxy_context_print.c, tls/tls_proxy_context_scan.c, + tls/tls_proxy_server_init_print.c, + tls/tls_proxy_server_init_scan.c, + tls/tls_proxy_server_start_print.c, + tls/tls_proxy_server_start_scan.c, tlsproxy/tlsproxy.c, + tlsproxy/tlsproxy.h, tlsproxy/tlsproxy_state.c, util/argv_attr.h, + util/argv_attr_print.c, util/argv_attr_scan.c. + +20180425 + + Cleanup: dnsblog proccesses now retire voluntarily after + max_use*max_idle seconds. Files: master/mail_server.h, + master/single_server.c, dnsblog/dnsblog.c. + +20180429 + + Documentation: smtpd_relay_restrictions was incorrectly + listed before smtpd_recipient_restrictions. File: + proto/SMTPD_ACCESS_README.html. + +20180509 + + Bugfix (introduced: 20170617): postconf(1) command segfault + if unable to open a Postfix database configuration file due + to a file permission error. Report by Andreas Hasenack, fix + by Viktor Dukhovni. File: postconf/postconf_dbms.c. + +20180519 + + Documentation: updated descriptions of PID 1 mode in manpages + and source-code comments. Files: postfix/postfix.c, + master/master.c, master/master_sig.c, util/killme_after.c. + + Documentation: document non-iterative lookup behavior + in postmap(1) and postalias(1) manpages. Files: postmap/postmap.c, + postalias/postalias.c. + + Cleanup: the init-mode change should not forbid the combined + use of -D, -d and -w. File: master/master.c. + +20180520 + + Documentation: add backscatter remediation to the virtual(5) + and canonical(5) manpages. Files: proto/virtual, proto/canonical. + + Bugfix (introduced: 20180425): broken implementation of + voluntary dnsblog retirement after max_use*max_idle seconds. + File: master/single_server.c. + +20180531 + + Documentation: bash syntax to eliminate or view default + settings in "postconf -n" output. File: postconf/postconf.c. + Contributed by various postfix-users list members. + +20180603 + + TLS reuse: serializer/deserializer support for TLS_DANE and + related data structures. Files: tls/tls_proxy_client_print.c, + tls/tls_proxy_client_scan.c, tls/tls_proxy.h, util/argv_attr.h, + util/argv_attr_print.c, util/argv_attr_scan.c. + + TLS reuse: posttls-finger -X test flag for quick tests. + File: posttls-finger/posttls-finger.c. + + TLS reuse: smtp_use_tlsproxy boolean parameter. This is a + preliminary implementation that should support override via + smtp_tls_policy_maps. Files: smtp.c, smtp_connect.c, + smtp_params.c, smtp_proto.c, smtp_session.c. + + TLS reuse: the SMTP client now includes the requested TLS + security level in the scache(8) key. + + TLS reuse: address-based reuse is allowed only for TLS + levels that require no certificate checks. Perhaps it still + makes sense to save such sessions for reuse by less sensitive + deliveries. Files: smtp/smtp.h smtp/smtp_reuse.c. + +20180604 + + TLS reuse: smtp_tls_connection_reuse boolean parameter, and + corresponding override with "connection_reuse" boolean + attribute in smtp_policy_maps. Files: global/mail_params.h, + smtp.c, smtp.h, smtp_params.c, smtp_proto.c, smtp_session.c, + smtp_tls_policy.c. proto/postconf.proto. mantools/postlink. + +20180605 + + TLS reuse: updated TLS_README and CONNECTION_CACHE_README, + added comments in tlsproxy.c to explain why it works. + +20180617 + + Bugfix (introduced: Postfix 2.11): minor memory leak when + minting issuer certs. This affects a tiny minority of use + cases. Fix by Viktor Dukhovni, based on a fix by Juan + Altmayer Pizzorno for Viktor's ssl_dane library. + + Cleanup: support for longer timeouts after the TLS handshake, + so that the tlsproxy server won't time out too soon, while + the SMTP client waits for the end-of-data response. This + tlxproxy timeout is a redundant safety feature for the case + that the SMTP client does not enforce the SMTP-level time + limit. Files: tls/tls_proxy.h, tls/tls_proxy_clnt.c, + tlsproxy/tlsproxy.c, posttls-finger/posttls-finger.c, + postcreen/postscreen_starttls.c, smtp/smtp_proto.c. + + Cleanup: earlier purging of unexpected plaintext. Files: + posttls-finger/posttls-finger.c, smtp/smtp_proto.c. + + Release: first production snapshot with multiple outbound + deliveries per TLS-encrypted connection. + +20180618 + + Quick tlsproxy workaround: after the remote TLS peer shuts + down TLS, allow unsent inbound plaintext to trickle out + before tearing down the proxied connection. This addresses + a sporadic "lost connection after end-of-data" error in the + Postfix SMTP client, and addresses a sporadic "lost connection + after sending QUIT" error with "posttls-finger -X". File: + tlsproxy/tlsproxy.c. + +20180619 + + Segfault: don't lookup the TLS security level for nexthop-based + connection cache storage keys. The combination of (service, + nexthop, etc.) should be stable enough over the time range + of interest, and the policy is still enforced on an individual + connection to an MX host, before that connection is stored + under a nexthop- or host-based storage key. Files: + smtp/smtp_connect.c, smtp/smtp.h. + +20180620 + + TLS connection reuse: save and restore the TLS level for a + reused connection, so that the reused connection will be + saved under a key that matches the connection's original + TLS level. This was not a problem for destinations that + require certificate verification, because we currently reuse + connections that require certificate checks only if they + are looked up by their nexthop destination. File: + smtp/smtp_session.c. + + TLS connection reuse: with TLS level > encrypt, prohibit + sharing of the same connection endpoint under different + nexthops, by making the nexthop part of the endpoint-based + connection cache lookup key. File: smtp/smtp.h. + +20180623 + + TLS connection reuse: replaced random logic with TLS_MUST_MATCH() + when deciding under what conditions an authenticated + connection may be reused. Files: smtp/smtp_proto.c, + smtp/smtp.h. + + TLS connection reuse: a tlsproxy(8) process will retire + after max_idle*max_use, or some sane constant if either is + set to zero. Files: master/event_server.c, tlsproxy/tlsproxy.c. + + Documentation: automatic retirement. File: master/single_server.c. + + Documentation: the connection caching limitation for SMTP + over TLS is now obsolete. File: proto/CONNECTION_CACHE_README.html. + +20180701 + + Incompatibility: the tlsproxy(8) daemon now requires a zero + process limit in master.cf (this setting is provided with + the default master.cf file). See RELEASE_NOTES for how to + change the tlsproxy process limit. File: tlsproxy/tlsproxy.c. + +20180707 + + Bugfix (introduced: Postfix 3.0): with smtputf8_enable=yes, + table lookups could casefold the search string when searching + a lookup table that does not use fixed-string keys (regexp, + pcre, tcp, etc.). Historically, Postfix would not case-fold + the search string with such tables. File: util/dict_utf8.c. + + Cleanup: removed unimplemented VSTRING support to enforce + a buffer size limit (by returning an error of sorts). In + practice, the limit was enforced in smtp_get(). Also made + the VSTRING inplementation more VSTREAM-compatible. Files: + util/vstring.[hc], posttls-finger/posttls-finger.c, + smtpstone/smtp-source.c. + + Cleanup: unused variable. File: postqueue/postqueue.c. + + Feature: VSTREAM support to "open" a VSTRING for read, write + or append mode, enabling the reuse of existing stream-based + code to serialize/deserialize Postfix data structures to/from + memory. File: vstream.[hc]. + + Cleanup: "make manpages" now generates a makedefs(1) manpage + for publication on the web. Also cleaned up some makedefs(1) + content. Files: man/Makefile.in, man/man1/makedefs.1, + html/Makefile.in, html/makedefs.1.html. + +20180708 + + Cleanup: VSTREAM support to "open" a VSTRING: added + vstream_ftell() support; documented what changes are needed + before this can support vstream_fseek(), without breaking a + VSTRING during vstream_fflush(); added a simple 'allow' + filter for vstream_control() requests; added a unit test. + File: util/vstream.c. + +20180812 + + Feature: smtpd_reject_footer_maps (as well as the postscreen + variant postscreen_reject_footer_maps). This is indexed + with the SMTP server response text, and overrides the footer + specified with smtpd_reject_footer. Files: global/mail_params.h, + mantools/postlink, postscreen/postscreen.c, + postscreen/postscreen_send.c, postscreen/postscreen_smtpd.c, + proto/postconf.proto, smtpd/smtpd.c, smtpd/smtpd_chat.c. + + Minor wordsmithing. File: makedefs. + +20180823 + + Bugfix (introduced: 20180812): postscreen_send.c did not + build without warnings. Viktor Dukhovni. + +20180824 + + Cleanup: with SMTPUTF8 turned off, the MySQL and PgSQL maps + accept only well-formed UTF-8 queries, and return NOT FOUND + otherwise. This was in introduced in Postfix 3.0 for LDAP + and SQLite, with no complaints coming forth. Files: + global/dict_mysql.c, global/dict_pgsql.c. + +20180805-20180825 Chunking support + + Cleanup: vbuf_get() now sets the EOF flag, so that reading + from a VSTRING stream works as expected. File: util/vbuf.c. + + Cleanup: added an append-mode flag to functions that read + a VSTRING from a stream. The historical APIs are preserved + in the form of aliases. Files: util/vstring_vstream.[hc], + global/smtp_stream.[hc]. + + SMTP server support for CHUNKING (BDAT) per RFC 3030. The + SMTP server is the only program that knows the difference + between mail received with BDAT or DATA. Both use the same + smtpd_data_restrictions and smtpd_end_of_data_restrictions, + both send one Milter DATA event per mail transaction, and + both send one DATA command ending in <CR><LF>.<CR><LF> + to an smtpd_proxy_filter. Files: global/ehlo_mask.h, + global/smtp_stream.c, global/smtp_stream.c, global/smtp_stream.h, + postscreen/postscreen_smtpd.c, smtpd/smtpd.c, smtpd/smtpd.h, + smtpd/smtpd_chat.c, smtpd/smtpd_chat.h, smtpd/smtpd_state.c. + + Cleanup: the postscreen(8) daemon now hangs up after receiving + the DATA command. Justification: it should never receive DATA + from a legitimate client, because 1) postscreen(8) rejects all + recipients, and 2) postscreen(8) does not announce PIPELINING. + This makes postscreen(8) DATA and BDAT behavior more + consistent. File: postscreen/postscreen_smtpd.c. + + BDAT final touches: report accurate BDAT byte counts after + timeout or lost connection; send DATA instead of BDAT in + policy delegation protocol. Files: smtpd/smtpd.[hc], + smtpd/smtpd_check.c. + + BDAT final touches: if the BDAT EHLO announcement is disabled, + then smtpd(8) and postscreen(8) will not accept BDAT commands. + Files: smtpd/smtpd.c, postscreen/postscreen_smtpd.c. + +20180826 + + Cleanup: with GSSAPI, the Postfix SMTP client's initial + SASL response may be as large as 12288 bytes. When the "AUTH + <method> <initial-response>" command would exceed the SMTP + command length of 512 bytes, send the initial response + during the SASL dialog. Viktor Dukhovni. File: + smtp/smtp_sasl_glue.c. + + Cleanup: prepare the Postfix SMTP server needs to receive + SASL responses that exceed the line_length_limit value. + This introduces a new parameter smtpd_sasl_response_limit + (default: 12288). Viktor Dukhovni. Files: mantools/postlink, + proto/postconf.proto, global/mail_params.h, smtpd/smtpd.c, + smtpd/smtpd_chat.c, smtpd/smtpd_chat.h, smtpd/smtpd_sasl_glue.c. + +20180827 + + Miscellaneous documentation updates, and a correction in + the byte count for sending a large SASL initial response. + +20181014 + + Cleanup: figured out why vstring_get() did not return + VSTREAM_EOF in APPEND mode. File: util/vstring_vstream.c. + +20180903 + + Bugfix (introduced: 20180825): postscreen falsely claimed + that the remote SMTP client was pipelining after sending + BDAT. Found by Ralf Hildebrandt. File: + postscreen/postscreen_smtpd.c. + +20180904 + + Bugfix (introduced: 20180812): parameter name error + (postscreen_reject_footer should have been + postscreen_reject_footer_maps). Noel Jones (finder) and + Viktor Dukhovni (fixer). + +20181104 + + Multiple 'bit rot' fixes for OpenSSL API changes, including + support to disable TLSv1.3, to avoid issuing multiple session + tickets, and to allow OpenSSL >= 1.1.0 run-time micro version + bumps without complaining about library version mismatches. + Viktor Dukhovni. Files: proto/postconf.proto, + proto/TLS_README.html, tls/tls.h, tls/tls_dane.c, + tls/tls_server.c, tls/tls_misc.c + +20181105 + + Feature: "postmap -F" reads a source file with (key, filename) + entries, and creates database records with (key, base64-encoded + filecontent). This feature will be used for SNI lookup + table support, where each key will be a domainname, and + each value will contain a sequence of (private key, certificate + hierarchy) for that domainname. The same 'value is filename' + behavior is implemented in cidr:, inline:, pcre:, randmap:, + regexp:, and static: maps if the application sets the flag + DICT_FLAG_RHS_IS_FILE. In the forseeable future, this will + be used for specific TLS features. Files: postmap/postmap.c, + util/dict.c, util/dict.h, util/dict_cidr.c, util/dict_file.c, + util/dict_inline.c, util/dict_pcre.c, util/dict_random.c, + util/dict_regexp.c, util/dict_static.c. + +20181106 + + Bugfix (introduced: 3.0): smtpd_discard_ehlo_keywords could + not disable "SMTPUTF8". because the lookup table was using + "EHLO_MASK_SMTPUTF8" instead. File: global/ehlo_mask.c. + + Documentation: the postmap(1) manpage no longer refers to + compatibility with Sendmail's makemap command. File: + postmap/postmap.c. + + Cleanup: don't use ssize_t for boolean result. File: + global/smtp_stream.c. + + Cleanup: memory leak caused by missing dbenv->close() call + after failing to open a Berkeley DB table. File: util/dict_db.c. + +20181112 + + Improved logging of TLS 1.3 summary information, and improved + reporting of the same info in Received: message headers. + Viktor Dukhovni. Files: proto/FORWARD_SECRECY_README.html, + smtpd/smtpd.c, tls/tls.h, tls/tls_client.c, tls/tls_misc.c, + tls/tls_proxy.h, tls/tls_proxy_context_print.c, + tls/tls_proxy_context_scan.c, tls/tls_server.c. + +20181116 + + Library function to log TLS 1.3 summary information, and + some wordsmithing of TLS context member names. Viktor + Dukhovni. Files: tls/tls.h, tls/tls_misc.c, tls/tls_proxy.h, + tls/tls_proxy_context_print.c, tls/tls_proxy_context_scan.c, + tls/tls_client.c, tls/tls_server.c, smtpd/smtpd.c, + posttls-finger/posttls-finger.c. + + Cleanup: vstream_memopen() flags handling. File: + util/vstream.c. + + Cleanup: the SMTP client now uses 'attr_print_plain' + serialization and 'attr_scan_plain' deserialization for + connection cache lookup keys, which now contain a serialized + version of the TLS context. File: smtp/smtp_session.c. + +20181117 + + The Postfix SMTP client now logs whether an SMTP-over-TLS + connection is newly established ("TLS connection established") + or whether the connection is reused ("TLS connection reused"). + Files: smtp/smtp.h, smtp/smtp_proto.c, smtp/smtp_session.c. + + (20181117-nonprod) Unified summary logging in the SMTP + client, SMTP server, and posttls-finger. Viktor Dukhovni. + Files: tls/tls.h, tls/tls_misc.c, tls/tls_proxy.h, + tls/tls_proxy_context_print.c, tls/tls_proxy_context_scan.c, + tls/tls_client.c, src/tls/tls_server.c, smtpd/smtpd.c, + posttls-finger/posttls-finger.c. + + (20181117-nonprod) Improved logging of TLS 1.3 summary + information. On the server side this also affects the TLS + information optionally recorded in "Received" headers. + Viktor Dukhovni. Files: smtpd/smtpd.c, tls/tls.h, + tls/tls_client.c, tls/tls_misc.c, tls/tls_proxy.h, + tls/tls_proxy_context_print.c, tls/tls_proxy_context_scan.c, + tls/tls_server.c. + + (20181117-nonprod) FORWARD_SECRECY examples with TLS 1.3 + logging. Viktor Dukhovni. File: proto/FORWARD_SECRECY_README.html. + +20181118 + + Cleanup, no behavior change: updated comments concerning + connection reuse, and updated some identifiers to reflect + current reality. Files: smtp_reuse.c, smtp_key.c, smtp_proto.c, + smtp_tls_policy.c, smtp.h, smtp_connect.c. + +20181119 + + Bitrot: makedefs will use "pkg-config" to locate ICU build + information, falling back to "icu-config" if "pkg-config" + is not found. File: makedefs. + +20181122 + + Cleanup: tlsproxy loads the same TLS client configuration + at pre-jail time as the Postfix SMTP client, so that secret + keys can remain read-only for root. This is sufficient for + MTAs that have a fixed TLS client identity. tlsproxy will + log a warning if it is requested to assume a different TLS + client identity, and will log suggestions for a workaround. + The long-term solution is to stop loading certs/keys from + files, and to use the same approach as planned for server-side + SNI support: open a cert/key map at pre-jail time, and read + cert/key information on-the-fly at post-jail time. Files: + proto/postconf.proto, mantools/postlink, global/mail_params.h, + tlsproxy/tlsproxy.c. + +20181123 + + Cleanup: tlsproxy now logs better instructions when a + tls_client_init request specifies an unexpected client + identity, and the test for that condition is now moved to + the right place. File: tlsproxy/tlsproxy.c. + +20181124 + + Documentation: clarified the behavior of whitespace within + "{}". Files: proto/DATABASE_README.html, proto/postconf.proto, + pipe/pipe.c, postconf/postconf.c, + +20181125 + + Cleanup: dict_file_to_xxx() takes a list of file names + separated by CHARS_COMMA_SP. Shoe-horned into the existing + API, make it nicer when there is time. File: util/dict_file.c. + +20181127 + + Cleanup: encapsulated clumsy 'read into VSTRING' code with + easier-to-use vstream_fread_buf() and vstream_fread_app() + primitives. Files: global/memcache_proto.c, global/record.c, + global/smtp_stream.c, global/smtp_stream.h, global/uxtext.c, + global/xtext.c, milter/milter8.c, util/dict_file.c, + util/hex_quote.c, util/netstring.c, util/vstream.c, + util/vstream.h. Verified with "make tests". + + Cleanup: simplified the smtp_fread() API (introduced for + BDAT support), and changed the name to smtp_fread_buf(). + Files: global/smtp_stream.c, smtpd/smtpd.c. Verified with + ~megabyte BDAT commands. + + Cleanup: simplified a tlsproxy-internal API. File: + tlsproxy/tlsproxy.c. + +20181128 + + Initial support for key/certificate chain files that will + replace the proliferation of separate parameters for + RSA/DSA/ECC/etc. key and certificate files. Viktor + Dukhovni. + +20181201 + + Cleanup: replaced the remaining unsafe VSTRING_AT_OFFSET() + calls with safe vstring_set_payload_size() calls, in code + that directly writes into VSTRING. Files: tls/tls_session.c, + tlsmgr/tlsmgr.c, util/casefold.c, util/vstring.c, util/vstring.h, + xsasl/xsasl_cyrus_client.c. + + Cleanup: postscreen_command_time_limit did not need to be + a 'raw' parameter. This makes "postconf -x" behavior more + consistent. Files: global/mail_params.h, postscreen/postscreen.c. + + Documentation: added text that the following parameter + values are not subject to Postfix parameter $name expansion: + default_rbl_reply, command_execution_directory, luser_relay, + smtpd_reject_footer. These have their own documented $name + substitution mechanism. File: proto/postconf.proto. + +20181202 + + Bugfix: posttls-finger reported an error for UNIX-domain + connections, even if they did not fail. Found by Coverity. + File: posttls-finger/posttls-finger.c. + +20181208 + + Documentation: add even more redundancy to the rate-delay + description. File: proto/postconf.proto. + +20181210 + + Cleanup: code deduplication. File: util/dict_file.c. + +20181226 + + Cleanup: code deduplication and better encapsulation with + PSC_DEL_CLIENT_STATE() and PSC_DEL_SERVER_STATE() macros. + Files: postscreen/postscreen.h, postscreen/postscreen_state.c. + + Documentation: POSTSCREEN_README did not describe the + postscreen_post_queue_limit, and attributed the wrong reject + message to the postscreen_pre_queue_limit. Problem reported + by Michael Orlitzky. File: proto/POSTSCREEN_README.html. + + (20181226-nonprod) Compatibility: removed support for OpenSSL + 1.0.1 (not supported since December 31, 2016) and earlier + releases. This eliminated a large number of #ifdefs with + bitrot workarounds. Viktor Dukhovni. Files: global/mail_params.h, + posttls-finger/posttls-finger.c, tls/tls.h, tls/tls_certkey.c, + tls/tls_client.c, tls/tls_dane.c, tls/tls_dh.c, tls/tls_misc.c, + tls/tls_proxy_client_scan.c, tls/tls_rsa.c, tls/tls_server.c, + tls/tls_session.c. + + (20181226-nonprod) Use the OpenSSL 1.0.2 and later API for + setting ECDHE curves. Viktor Dukhovni. Files: tls/tls.h, + tls/tls_client.c, tls/tls_dh.c. + + (20181226-nonprod) Documentation update for TLS support. + Viktor Dukhovni. Files: mantools/postlink, proto/TLS_README.html, + proto/postconf.proto, src/sendmail/sendmail.c, src/smtpd/smtpd.c. + +20181229 + + Explicit maps_file_find() and dict_file_lookup() methods + that decode base64 content. Decoding content is not built + into the dict->lookup() method, because that would complicate + the implementation of map nesting (inline, thash), map + composition (pipemap, unionmap), and map proxying. For + consistency, decoding base64 file content is also not built + into the maps_find() method. Files: util/dict.h. + util/dict_file.c, global/maps.[hc], postmap/postmap.c. + +20190106 + + Documentation: documented the SRC_RHS_IS_FILE flag in + dict_open.c, and updated the -F description in the postmap + manpage. Files: util/dict_open.c, postmap/postmap.c. + + (20190106-nonprod) Feature: support for files that combine + multiple (key, certificate, trust chain) instances in one + file, to avoid separate files for RSA, DSA, Elliptic Curve, + and so on. Viktor Dukhovni. Files: .indent.pro, + global/mail_params.h, posttls-finger/posttls-finger.c, + smtp/lmtp_params.c, smtp/smtp.c, smtp/smtp_params.c, + smtp/smtp_proto.c, smtpd/smtpd.c, tls/tls.h, tls/tls_certkey.c, + tls/tls_client.c, tls/tls_proxy.h, tls/tls_proxy_client_print.c, + tls/tls_proxy_client_scan.c, tls/tls_proxy_server_print.c, + tls/tls_proxy_server_scan.c, tls/tls_server.c, tlsproxy/tlsproxy.c. + + (20190106-nonprod) Create a second, no-key no-cert, SSL_CTX + for use with SNI. Viktor Dukhovni. Files: src/tls/tls.h, + src/tls/tls_client.c, src/tls/tls_misc.c, src/tls/tls_server.c. + + (20190106-nonprod) Server-side SNI support. Viktor Dukhovni. + Files: src/global/mail_params.h, src/smtp/smtp.c, + src/smtpd/smtpd.c, src/tls/tls.h, src/tls/tls_certkey.c, + src/tls/tls_misc.c, src/tlsproxy/tlsproxy.c, + + (20190106-nonprod) Configurable client-side SNI signal. + Viktor Dukhovni. Files: global/mail_params.h, + posttls-finger/posttls-finger.c, smtp/lmtp_params.c, + smtp/smtp.c, smtp/smtp.h, smtp/smtp_params.c, smtp/smtp_proto.c, + smtp/smtp_tls_policy.c, tls/tls.h, tls/tls_client.c, + tls/tls_proxy.h, tls/tls_proxy_client_print.c, + tls/tls_proxy_client_scan.c. + +20190121 + + Logging: support for internal logging file, without using + syslog (it uses the new postlogd daemon instead). This + solves a usability problem for MacOS, may help getting + around systemd, and solves 99% of the problem for logging + to stdout in a container (hopefully we have 100% soon). + Enable by setting, for example, "maillog_file = + /var/log/postfix.log"). This works fine for daemons, and + with some limitations for non-daemon programs. See + RELEASE_NOTES for more details. Files: conf/master.cf, + conf/post-install, conf/postfix-files, conf/postfix-script, + mantools/postlink, proto/master, proto/postconf.proto, + global/mail_params.c, global/mail_params.h, global/mail_proto.h, + global/maillog_client.c, global/maillog_client.h, + master/dgram_server.c, master/event_server.c, master/mail_server.h, + master/master.c, master/master.h, master/master_ent.c, + master/master_listen.c, master/master_proto.h, + master/master_wakeup.c, master/multi_server.c, + master/single_server.c, master/trigger_server.c, + postalias/postalias.c, postconf/postconf_master.c, + postdrop/postdrop.c, postfix/postfix.c, postkick/postkick.c, + postlog/postlog.c, postlogd/postlogd.c, postmap/postmap.c, + postmulti/postmulti.c, postqueue/postqueue.c, + postsuper/postsuper.c, sendmail/sendmail.c, util/connect.h, + util/listen.h, util/logwriter.c, util/logwriter.h, + util/msg_logger.c, util/msg_logger.h, util/msg_output.c, + util/msg_output.h, util/unix_dgram_connect.c, + util/unix_dgram_listen.c. + + Cleanup: cert/key/chain loading, plus unit tests to exercise + non-error and error cases. Viktor Dukhovni. Files: tls/*.pem, + tls*.pem.ref, tls/tls_certkey.c. + +20190126 + + Safety: Postfix programs will log to either syslog or postlog + but not both; and postlogd forwards postlog logging to + syslog, when a configuration change removes the maillog_file + pathname, but some programs still use the old configuration. + Files: util/msg_syslog.[hc], util/msg_logger.c, + global/maillog_client.c, postlogd/postlogd.c, + + Bugfix (introduced: Postfix 20110109, Postfix 2.10): watchdog + pipe file descriptor leak. This pipe provides one source + of liveness, data from this pipe is discarded, and therefore + this does not enable privilege escalation or DOS. File: + util/watchdog.c. + + Feature: stdout logging support; requires "postfix start-fg" + and "maillog_file = /dev/stdout". Files: master/master.c, + conf/postfix-script. + +20190127 + + Safety: when maillog_file is specified, 'postfix check' now + requires that the postlog service is enabled in master.cf. + Otherwise 'postfix start' etc. will log a fatal error. File: + conf/postfix-script. + + Documentation: added policy_context example. File: + proto/SMTPD_POLICY_README.html. + +20190128 + + Testing: run libtls tests under Valgrind. File tls/Makefile.in. + +20190129 + + Safety: require that $maillog_file matches one of the + pathname prefixes specified in $maillog_file_prefixes. The + maillog file is created by root, and the prefixes limit the + damage from a single configuration error. Files: + global/mail_params.[hc], global/maillog_client.c. + +20191201 + + Feature: "postfix logrotate" command with configurable + compression program and datestamp filename suffix. File: + conf/postfix-script. + +20190202 + + Cleanup: log a warning when the client sends a malformed + SNI; log an info message when the client sends a valid SNI + that does not match the SNI lookup tables; update the + FORWARD_SECRECY_README logging examples. Viktor Dukhovni. + Files: proto/FORWARD_SECRECY_README.html, tls/tls.h, + tls/tls_client.c, tls/tls_misc.c. + +20190208 + + Debugging: the master(8) daemon now logs a warning if a + master.cf entry is defined multiple times. File: + src/master/master_conf.c. + +20190209 + + Debugging: tlsproxy(8) now logs more details about unexpected + configuration differences between the Postfix SMTP client + and the tlsproxy(8) daemon. + +20190210 + + Documentation: Postfix 3.4.0 RELEASE NOTES. + + Documentation: added BDAT_README. + + Documentation: global TLS settings. Files: mantools/postlink, + smtp/smtp.c, tlsproxy/tlsproxy.c. + +20190211 + + Cleanup: removed obsolete parameters: tls_dane_digest_agility, + tls_dane_trust_anchor_digest_enable; removed openssl_path + parameter from configuration difference checks in tlsproxy. + Files: global/mail_params.h, tls/tls_misc.c, + tls/tls_proxy_client_misc.c, tls/tls_proxy_client_print.c, + tls/tls_proxy_client_scan.c, tls/tls_proxy.h. + +20190212 + + Cleanup: missing #ifdef USE_TLS. Files: smtp/smtp_session.c, + posttls-finger/posttls-finger.c. + +20190217 + + Cleanup: when the master daemon runs with PID=1 (init mode), + reap orhpan processes from non-Postfix code running in the + same container, instead of terminating with a panic. File: + master/master_spawn.c. + +20190218 + + Bugfix: tlsproxy did not enable DANE-style PKI because + libtls seems to have to accreted multiple init functions + instead of reusing the tls_client_init() and tls_client_start() + API. And some functions that do initialization don't even + have init in their name! Problem report by Andreas Schulze. + Viktor Dukhovni. Files: tls/tls_misc.c, tlsproxy/tlsproxy.c. + + Workaround: Postfix libtls makes DANE-specific changes to + the shared SSL_CTX. To avoid false sharing, tlsproxy needs + to label the SSL_CTX cache with DANE bits until we can + remove the code that modifies SSL_CTX. File: tlsproxy/tlsproxy.c. + + Cleanup: Postfix libtls changed the shared SSL_CTX to + override ciphers. instead of changing the SSL handle. To + avoid false sharing in tlsproxy, the changes are now made + to the SSL handle. Viktor Dukhovni. Files: tls/tls.h, + tls/tls_client.c, tls/tls_misc.c, tls/tls_server.c. + +20190219 + + Bugfix: in the Postfix SMTP client, TLS wrappermode was not + tested in tlsproxy mode. It needed some setup for buffering + and timeouts. Problem report by Andreas Schulze. File: + smtp/smtp_proto.c. + +20190226 + + Documentation: postconf(1) and DATABASE_README were out of + sync. Added a note that this should be deduplicated. File: + proto/DATABASE_README.html. + +20190227 + + Documentation: strict_smtputf8 in SMTPUTF8_README. + +20190304 + + Bugfix: a reversed test broke TLS configurations that specify + the same filename for a private key and certificate. Reported + by Mike Kazantsev. Fix by Viktor Dukhovni. Wietse fixed the + test. Files: tls/tls_certkey.c, tls/Makefile.in. + +20190310 + + Bitrot: LINUX5s support, after some sanity checks with a + rawhide prerelease version. Files: makedefs, util/sys_defs.h. + + Bugfix (introduced: 20181226): broken DANE trust anchor + file support, caused by left-over debris from the 20181226 + TLS library overhaul. By intrigeri. File: tls/tls_dane.c. + + Bugfix (introduced: Postfix-1.0.1): null pointer read, while + logging a warning after reading a corrupted bounce log file. + File: global/bounce_log.c. + + Bugfix (introduced: Postfix-2.9.0): null pointer read, while + logging a warning after a postscreen_command_filter read + error. File: postscreen/postscreen_smtpd.c. + +20190312 + + Bugfix (introduced: Postfix 2.2): reject_multi_recipient_bounce + has been producing false rejects starting with the Postfix + 2.2 smtpd_end_of_data_restrictons, and for the same reasons, + did the same with the Postfix 3.4 BDAT command. The latter + was reported by Andreas Schulze. File: smtpd/smtpd_check.c. + +20190319 + + With message_size_limit=0 (which is NOT DOCUMENTED), BDAT + chunks were always too large. Reported by Thorben Thuermer. + fix by Viktor Dukhovni. File: src/smtpd/smtpd.c. + +20190328 + + Bugfix (introduced: Postfix 3.0): LMTP connections over + UNIX-domain sockets were cached but not reused, due to a + cache lookup key mismatch. Therefore, idle cached connections + could exhaust LMTP server resources, resulting in two-second + pauses between email deliveries. This problem was investigated + by Juliana Rodrigueiro. File: smtp/smtp_connect.c. + +20190331 + + Documentation: tlsext_padding is not a tls_ssl_options + feature. File: proto/postconf.proto. + +20190401 + + Portability: to avoid a compile-time error on Solaris, added + "#undef sun" to util/unix_dgram_connect.c. + +20190403 + + Bugfix (introduced: Postfix 2.3): a censoring filter broke + multiline Milter responses for header/body events. Problem + report by Andreas Thienemann. Files: util/printable.c, + util/stringops.h, smtpd/smtpd.c. + + Bugfix (introduced: Postfix 3.3): "smtp_mx_address_limit = 0" + no longer meant 'unlimited'. Problem report by Luc Pardon. + File: smtp/smtp_addr.c. + +20190427 + + Cleanup: normalize the IP address string forms received with + XCLIENT, XFORWARD, and HaProxy, for consistency with address + information for direct connections to Postfix, and add unit + tests. This casefolds and removes redundant nulls from the + string representation of an IPv6 address, normalizes the + "IPv6:" address prefix of RFC 2821 IPv6 address forms, and + converts IPv4 address octets with leading zeros (octal form) + into decimal form. Files: global/haproxy.c, + global/normalize_mailhost_addr.[hc], smtpd/smtpd.c. + + Incompatibility: this may change the appearance of logging, + and the way that check_client_access will match subnets of + an IPv6 address. + +20190428 + + Cleanup: replace "(whatever *) 0" with meaningfully-named + constants. Sheesh. File: smtpd/smtpd.c. + + Documentation: BASIC_CONFIGURATION_README example default + setting was not updated after Postfix 3.0 change. File: + proto/BASIC_CONFIGURATION_README.html + +20190505 + + Workaround: uClibc has no res_send. Log a warning if this + code path would be used, and ignore dns_ncache_ttl_fix_enable. + Files: util/sys_defs.h, dns/dns_lookup.c, TODO: makedefs + and INSTALL documentation. + +20190516 + + Initial search order support for check_ccert_access. The + default behavior is backwards-compatible. This is work in + progress; see the RELEASE_NOTES for examples. Files: + global/map_search.[hc], smtpd/smtpd_check.c. + +20190517 + + Bugfix: postconf mis-parsed text starting with "{" such as + "check_ccert_access { inline:{a=b} { search_order=c,d } }". + Fixed by adding another level of recursion. File: + postconf/postconf_dbms.c. + +20190525 + + Infrastructure: reject_deliver_request() to reject an entire + delivery request and bounce or defer all its recipients. + File: global/reject_deliver_request.c. + +20190609 + + Infrastructure: byte_mask() to convert "flags=mumble" into + a byte mask. This is similar to name_mask(). Files: + util/byte_mask.[hc] and tests. + +20190615 + + Dovecot usability: SMTP/LMTP client support for 'D', 'O', + 'R', 'X' flags similar to the pipe(8) daemon, to produce + Delivered-To, X-Original-To, and Return-Path headers, and + to indicate final delivery. Files: smtp/smtp.c, smtp/smtp.h, + smtp/smtp_misc.c, smtp/smtp_proto.c, smtp/smtp_rcpt.c. + + Workaround for implementations that hang Postfix while + shutting down a TLS session, until Postfix times out. With + "tls_fast_shutdown_enable = yes" (the default), Postfix no + longer waits for the TLS peer to respond to a TLS 'close' + request. This is recommended with TLSv1.0 and later. Files: + global/mail_params.h, tls/tls_session.c, and documentation. + +20190618 + + Documentation: corrected comments about the code change to + not wait for the TLS peer's response after sending a TLS + 'close' notification. Viktor Dukhovni. Files: HISTORY, + RELEASE_NOTES, proto/postconf.proto smtp/smtp.c smtpd/smtpd.c + tlsproxy/tlsproxy.c + +20190621 + + Workaround: don't reuse an SMTP connection after an SMTP + protocol error. This limits the impact of, for example, + pipelining synchronization errors. File: smtp/smtp_trouble.c. + + Bugfix (introduced: Postfix 3.0): the code to reset Postfix + SMTP server command counts was not called after a HaProxy + handshake failure, causing stale numbers to be reported. + The command counts are now reset in the function that reports + the counts. Problem report by Joseph Ward. File: smtpd/smtpd.c. + +20190719 + + Bitrot: OpenBSD stopped having /dev/arandom 8 years ago. + Brad Smith. File: util/sys_defs.h. + +20190723 + + Bugfix: the documentation said tls_fast_shutdown_enable, + but the code said tls_fast_shutdown. Viktor Dukhovni. Changed + the code because no-one is expected to override the default. + File: global/mail_params.h. + +20190724 + + Cleanup: proxymap(8) support for table search order syntax. + File: proxymap/proxymap.c. + + Safety: vstring_set_payload_size() now checks that the + payload has not overwritten the safety terminator at the + end of the VSTRING buffer. File: util/vstring.c. + +20190813 + + Documentation: access(5) map network address pattern syntax. + File: proto/access. + +20190820 + + Workaround for poor TCP loopback performance on LINUX, where + getsockopt(..., TCP_MAXSEG, ..) reports a TCP maximal segment + size that is 1/2 to 1/3 of the MTU. For example, with kernel + 5.1.16-300.fc30.x86_64 the TCP client and server announce + an mss of 65495 in the TCP handshake, but getsockopt() + returns 32741 (less than half). As a matter of principle, + Postfix won't turn on client-side TCP_NODELAY because that + hides application performance bugs, and because that still + suffers from server-side delayed ACKs. Instead, Postfix + avoids sending "small" writes back-to-back, by choosing a + VSTREAM buffer size that is a multiple of the reported MSS. + This workaround bumps the multiplier from 2x to 4x. File: + util/vstream_tweak.c. + +20190825 + + Bugfix (introduced: 20051222): the Dovecot client could + segfault (null pointer read) or cause an SMTP server assertion + to fail when talking to a fake Dovecot server. The client + now logs a proper error instead. Problem reported by Tim + Düsterhus. File: xsasl/xsasl_dovecot_server.c. + +20190908 + + Documentation: updated postconf(5) description of the + tls_server_sni_maps configuration parameter. Viktor Dukhovni. + File: proto/postconf.proto. + +20190914 + + Bugfix (introduced: Postfix 3.4): don't whitewash OpenSSL + error results after a plaintext output error. The code could + loop, and with some OpenSSL error results could flood the + log with error messages (see below for a specific case). + Problem reported by Andreas Schulze. File: tlsproxy/tlsproxy.c. + + Bitrot: don't invoke SSL_shutdown() when the SSL engine + thinks it is processing a TLS handshake. The commit at + https://github.com/openssl/openssl/commit/64193c8218540499984cd63cda41f3cd491f3f59 + changed the error status, incompatibly, from SSL_ERROR_NONE + into SSL_ERROR_SSL. File: tlsproxy/tlsproxxy.c. + +20190918 + + Cleanup: the nbbio(3) library now accepts a sequence of + nbbio_enable_read() calls or a sequence of nbbio_enable_write() + calls. This allows tlsproxy(8) to reset an I/O timer after + each event without having to make an nbbio_disable_readwrite() + call. Files: util/nbbio.c, tlsproxy/tlsproxy.c. + +20191013 + + Cleanup: code pattern ENFORCING_SIZE_LIMIT() for more + consistent enforcement of the 'no size limit' case (it now + requires "> 0" where previous code used "!= 0" or "> 0"). + More relevant, this explicit pattern will help finding code + that does not implement the 'no size limit' case with + var_message_limit, etc. Files: cleanup/cleanup_init.c, + local/local.c, postdrop/postdrop.c, postscreen/postscreen_smtpd.c, + sendmail/sendmail.c, smtpd/smtpd.c, smtpd/smtpd_check.c, + util/netstring.c, util/sys_defs.h, virtual/virtual.c. + + Cleanup; with message_size_limit>0, local(8) and virtual(8) + mailbox size limit checks would produce a misleading error + message when the mailbox size was unlimited. Files: + local/local.c, virtual/virtual.c. + + Cleanup: queue_minfree changed from 'int' to 'long'. File: + global/mail_params.h, src/smtpd/smtpd.c. + + Attribution: updated AUTHOR in file headers. Files: + global/bounce_log.c, global/deliver_request.h, smtp/smtp_chat.c, + smtp/smtp_rcpt.c, tls/tls_certkey.c, util/nbbio.c, + util/vstream_tweak.c. + +20191014 + + Bugfix (introduced: Postfix 2.8): don't gratuitously enable + all after-220 tests when only one such test is enabled. + This made selective tests impossible with 'good' clients. + File: postscreen/postscreen_smtpd.c. + + Bugfix: the 20180903 postscreen fix for a misleading + "PIPELINING after BDAT" warning looked at the wrong variable. + The warning now says "BDAT without valid RCPT", and the + error is no longer treated as a command PIPELINING error + (but sending BDAT is still a client error, because postscreen + rejects all RCPT commands and does not announce PIPELINING + support). File: postscreen/postscreen_smtpd.c. + +20190922 + + Documentation: replaced the link to "Suite B" cryptography + with a link to web.archive.org. File: proto/postconf.proto. + +20191109 + + Cleanup: Postfix daemon processes now log the from= and to= + addresses in external (quoted) form in non-debug logging + (info, warning, etc.). This is consistent with the address + form that Postfix 3.2 and later prefer for table lookups. + It is therefore the more useful form for non-debug logging. + Files: cleanup/cleanup.c, cleanup/cleanup_message.c, + cleanup/cleanup_milter.c, global/info_log_addr_form.c, + global/info_log_addr_form.h, global/log_adhoc.c, + global/mail_params.c, global/mail_params.h, global/opened.c, + local/local.c, oqmgr/qmgr.c, oqmgr/qmgr_active.c, + pickup/pickup.c, pipe/pipe.c, postscreen/postscreen.c, + postscreen/postscreen_smtpd.c, proto/postconf.proto, + qmgr/qmgr.c, qmgr/qmgr_active.c, smtp/smtp.c, smtpd/smtpd.c, + smtpd/smtpd_check.c, virtual/virtual.c. + + Usability: the parser for key/certificate chain files + rejected inputs that contain an EC PARAMETERS object. While + this is technically correct (the documentation says what + types are allowed) this is surprising behavior because the + legacy cert/key parameters will accept such inputs. For + now, the parser skips object types that it does not know + about usability, and logs a warning because ignoring inputs + is not kosher. Viktor and Wietse. File: tls/tls_certkey.c. + +20191201 + + Compatibility: added '_' to the milter_connect_macros default + value. Reportedly some software produces an ugly warning + message if Postfix does not send the macro, and there is + no harm in sending it. File: global/mail_params.h. + +20191214 + + Bugfix (introduced: Postfix 3.1): support for + smtp_dns_resolver_options was broken while adding support + for negative DNS response caching in postscreen. Postfix + was inadvertently changed to call res_query() instead of + res_search(). Reported by Jaroslav Skarvada. File: + dns/dns_lookup.c. + + Bugfix: sanitize server responses before storing them in + the verify database, to avoid Postfix warnings about malformed + UTF8. File: verify/verify.c. + +20191215 + + Future proofing: the Postfix DNS library logs a warning if + the DNS_REQ_FLAG_NCACHE_TTL dns_lookup flag is set and the + RES_DNSRCH or RES_DEFNAMES resolver flags are set, and + disables those resolver flags. File: dns/dns_lookup.c. + +20191230 + + Documentation: added the 'X' flag (final delivery) to the + pipe-based final delivery examples in the default master.cf + file. File: conf/master.cf + +20201005 + + Workaround: postlog clients open the socket before entering + the chroot jail and before dropping privileges. This is needed + on MacOS and would not hurt otherwise. Files: util/msg_logger.[hc], + global/maillog_client.c. + +20200108 + + UI cleanup: SMTP (and LMTP) client support for a list of + nexthop destinations separated by comma or whitespace. These + will be tried in the specified order. The list form can be + specified in relayhost, transport_maps, default_transport, + and sender_dependent_default_transport_maps. Examples: + "relayhost = foo.example, bar.example", and "default_transport + = smtp:foo.example, bar.example". Files: smtp/smtp.c, + smtp/smtp_connect.c, trivial-rewrite/resolve.c, proto/transport, + proto/postconf.proto, global/mail_params.c. + +20200112 + + [initially released as part of postfix-20200101-nonprod] + Refactored the haproxy infrastructure in preparation for + haproxy version 2 support. This is necessary because version + 2 introduces a dependency of the reader on the parser. + Additionally, version 2 introduces support for non-proxied + connections (used by health checks). Files: global/haproxy_srvr.c, + smtpd/smtpd_peer.c, smtpd/smtpd_haproxy.c, smtpd/smtpd.h, + postscreen/postscreen.h, postscreen/postscreen_endpt.c, + postscreen/postscreen_haproxy.c, postscreen/postscreen_haproxy.h, + global/haproxy_srvr.h. Initial release 3.5-20200101-nonprod. + + [initially released as part of postfix-20200105-nonprod] + Support for the haproxy v2 protocol. The haproxy v2 protocol + support is limited to TCP over IPv4 and TCP over IPv6. It + also supports non-proxied connections (typically used for + heartbeat tests). File: global/haproxy_srvr.c. + + [initially released as part of postfix-20200105-nonprod] + Cleanup: after haproxy handshake error, the Postfix SMTP + daemon now logs the proxy connection information instead + of unknown/unknown, and replies with "421 4.3.0 $myhostname + Server local error" instead of just hanging up. Error + details are logged to the maillog file. File: smtpd/smtpd.c. + + Cleanup: miscellaneous comments, constants, error checks, + no normal behavior change. Files: global/haproxy_srvr.c, + postscreen/postscreen_haproxy.c. + +20200126 + + Cleanup: missing 'extern' declarations in some header files. + Eray Aslan. Files: global/mail_params.h, postconf/postconf.h, + smtpd/smtpd_expand.h, trivial-rewrite/trivial-rewrite.h + + Typos: Viktor Dukhovni. File: HISTORY. + + Documentation: haproxy2 support. File: proto/postconf.proto. + +20200120 + + [initially released as part of postfix-20200125-nonprod] + Feature: forced message expiration. The "postsuper -e" + option sets an 'expired' bit on one or more messages selected + by their message ID. The queue manager returns a message + as undeliverable when it moves the message to the active + queue. Messages in the hold queue stay in that queue. + + If a force-expired message was deferred, then it is returned + with the reason for the delay. Otherwise, the message is + returned with "message is administratively expired". Design + by Wietse; Viktor suggested using the group execute permission + bit. Files: global/mail_queue.h, *qmgr/qmgr.h, *qmgr/qmgr_active.c, + *qmgr/qmgr_message.c, postsuper/Makefile.in, postsuper/postsuper.c. + +20200125 + + [initially released as part of postfix-20200125-nonprod] + Added support for "postsuper -f" to expire and optionally + release a message. Restructured the postsuper command so + that it will execute actions in the order of the -[defhr] + flags, instead of using an invisible fixed internal order. + The -e and -f options are idempotent (just like -h and -H). + Adjusted the summary at the end to make this more clear. + File: postsuper/postsuper.c. + +20200126 + + [initially released as part of postfix-20200126-nonprod] + Updated the mailq/postqueue commands to make forced message + expiration status available. In ASCII ouput this is indicated + with "#" appended to the queue file name, and in JSON output + this is indicated with the boolean "force_expired" attribute. + Files: showq/showq.c, postqueue/showq_compat.c, + postqueue/showq_json.c. + + [initially released as part of postfix-20200126-nonprod] + Cleanup: minor tweaks to comments and code. + + Safety: give maildrop queue files more time (week instead + of day) to reach completion, in case a message is submitted + by a really long-running program. File: postsuper/postsuper.c. + + Cleanup: postsuper manpage indentation, word abbreviation. + Files: mantools/postlink, postsuper/postsuper.c. + +20200202 + + Cleanup: nags about strcpy()/sprintf() from naive checkers. + Files: global/mail_conf_int.c, global/mail_conf_long.c, + global/mail_conf_nint.c, global/mail_conf_time.c, + global/maillog_client.c, util/mymalloc.c. + + Documentation: rephrased the postconf(5) manual page entry + for milter_default_action. File: proto/postconf.proto. + + Bugfix (introduced: Postfix 2.5): Milter SMTP connect event + macros were evaluated before the Postfix-to-Milter connection + had been negotiated. Problem reported by David Bürgin. + Files: milter/milter.h, milter/milter.c, milter/milter8.c + +20200308 + + Cleanup: spellchecks, attributions. Files: HISTORY, + auxiliary/name-addr-test/gethostbyaddr.c, + auxiliary/name-addr-test/getnameinfo.c, proto/postconf.proto, + global/haproxy_srvr.c, global/mail_version.h, global/map_search.c, + global/map_search.h, postsuper/postsuper.c, smtp/smtp.c, + smtp/smtp_misc.c, smtpd/smtpd.c, smtpd/smtpd_check.c, + smtpd/smtpd_expand.h, tls/tls_client.c, tls/tls_server.c, + tlsproxy/tlsproxy.c, trivial-rewrite/trivial-rewrite.h, + util/byte_mask.c, util/vstream_tweak.c. + + Cleanup: bitrot in tests. File: cleanup/cleanup_milter.c. + + Cleanup: harmless memory leak in postconf. File: + postconf/postconf_master.c. + + Bugfix (introduced: Postfix 2.3): panic with Postfix + multi-Milter configuration during MAIL FROM. Milter client + state was not properly reset after one of the Milters failed. + Reported by WeiYu Wu. + +20200312 + + Usability: the Postfix SMTP server now logs a warning when + a configuration requests access control by client certificate, + but "smtpd_tls_ask_ccert = no". Files: proto/postconf.proto, + smtpd/smtpd_check.c. + +20200316 + + Removed the issuer_cn and subject_cn matches from + check_ccert_access. Files: smtpd/smtpd_check.c, + proto/postconf.proto. + +20200407 + + Helper script by Viktor Dukhovni to report TLS information + per message delivery. This processes output from the + collate.pl script. Files: auxiliary/collate/README.tlstype, + auxiliary/collate/tlstype.pl. + +20200416 + + Workaround for broken builds after an incompatible change + in GCC 10. Files: makedefs, Makefile.in. + + Workaround for broken DANE support after an incompatible + change in GLIBC 2.31. This avoids the need for new options + in /etc/resolv.conf. Files: dns/dns.h, dns/dns_lookup.c. + + Misc fixes for gcc 'multiple definition' errors. Files: + master/master_vars.c, smtp/smtp.c, proxymap/proxymap.c. + +20200419 + + Bugfix (introduced: Postfix 3.4): segfault in the tlsproxy + client role when the server role was disabled. This typically + happens with a first-time Postfix install and after configuring + only outbound TLS. Found during program maintenance. File: + tlsproxy/tlsproxy.c. + +20200420 + + Noise suppression: shut up a compiler that special-cases + string literals. Viktor Dukhovni. File milter/milter.c. + +20200422 + + Security: disable DANE support on Alpine Linux because + libc-musl provides no indication whether DNS responses are + authentic. This broke DANE support without a clear explanation. + File: makedefs. + +20200425 + + Robustness: enable the socket option SO_REUSEPORT_LB or + SO_REUSEPORT on systems that support it. It allows multiple + processes to create distinct listen sockets for the same + address and port, and makes Postfix easier to restart. + However, with a SHARED listen socket as used in Postfix, + kernel-based load balancing does not help, and Postfix still + requires locking to avoid waking up multiple processes when + a connection arrives. Files: util/inet_listen.c, + +20200502 + + Documentation: update SNI support status in TLS_README. + File: proto/TLS_READNE.html. + +20200503 + + Portability: declaration should be before executable + statement. File: util/msg_logger.c. + + Portability: replace res_xxx() calls with res_nxxx() not + because those are threadsafe, but because new features are + being added there. To build old style, build with "make + makefiles CCARGS="-DNO_RES_NCALLS...". Files: makedefs. + util/sys_defs.h, dns/dns_lookup.c. + + Portability: libc-musl does not have res_nxxx() support, + so it builds with -DNO_RES_NCALLS. + +20200505 + + Noise suppression: shut up a compiler that special-cases + string literals. Viktor Dukhovni. File smtpd/smtpd_check.c. + + Portability: not all supported systems have ldd(1). Viktor + Dukhovni. File: makedefs. + +20200509 + + Bugfix (introduced: Postfix 3.4): maillog_file_rotate_suffix + default value used the minute instead of the month. Reported + by Larry Stone. Files: conf/postfix-tls-script, + proto/MAILLOG_README.html, proto/postconf.proto. + +20200510 + + Bitrot: avoid U_FILE_ACCESS_ERROR after chroot(), by + initializing the ICU library before making the chroot() + call. Files: util/midna_domain.[hc], global/mail_params.c. + +20200511 + + Noise suppression: avoid "SSL_Shutdown:shutdown while in + init" warnings. File: tls/tls_session.c. + + Debugging: with a single -v, the cleanup server now also + logs output envelope records, so that one -v option shows + the input and output. File: cleanup_out.c. + +20200515 + + Bugfix (introduced: Postfix 2.2): a TLS error for a PostgreSQL + client caused a false 'lost connection' error for an SMTP + over TLS session in the same Postfix process. Reported by + Alexander Vasarab, diagnosed by Viktor Dukhovni. File: + tls/tls_bio_ops.c. + + Bugfix (introduced: Postfix 2.8): a TLS error for one TLS + session may cause a false 'lost connection' error for a + concurrent TLS session in the same tlsproxy process. File: + tlsproxy/tlsproxy.c. + +20200518 + + Documentation: updated the wording of recent HISTORY entries, + based on the text in the 20200516 stable releases. + +20200521 + + Cleanup: the value of __RES (defined in resolv.h) determines + whether the res_nxxx() API is available. Credit to Rich + Felker. Files: util/sys_defs.h, dns/dns_lookup.c. + +20200522 + + Cleanup: the postconf command builds with -fno-common. + Files: makedefs, Makefile.in, postconf/extract.awk, + postconf/install_vars.h. + +20200523 + + Cleanup: the 20200503 change did not prevent direct access + to the obsolete h_errno variable in smtpd_checks.c. This + variable may still be updated, but we should not count on + that. Files: dns/dns.h, dns/dns_lookup.c, smtpd/smtpd_check.c. + + Cleanup: unit tests now build with -fno-common. Files: + global/server_acl.c, smtpd/smtpd_check.c, global/strip_addr.c, + proxymap/proxymap.c. + +20200525 + + Documentation: revised text about TLS connection reuse. + File: proto/CONNECTION_CACHE_README.html + +20200530 + + Bugfix (introduced: Postfix 3.1): "postfix tls deploy-server-cert" + did not handle a missing optional argument. File: + conf/postfix-tls-script. + +20200531 + + Debugging: per-nexthop SMTP client "debug peer" logging so + that we can also see what happens before, between, and after + SMTP sessions; add explicit SMTP client debug logging for + non-DNS host lookups. Files: smtp/smtp.c, proto/postconf.proto, + smtp/smtp_addr.c, smtp/smtp.c, smtp/smtp.h, smtp/smtp_session.c, + smtp/smtp_state.c. + + Postfix delivery agents now log an explicit record when + delegating delivery to a different Postfix delivery agent. + Example: "postfix/smtp[pid] queueid: passing <recipient> + to transport=local". This makes the delegating delivery + agent visible, where it would otherwise have remained + invisible, which would complicate troubleshooting. File: + global/deliver_pass.c. + +20200610 + + Respectful code: replace 'slave' in internal identifiers + and comments, and make the master(5) description more + consistent with that in master(8). Postfix does not have a + master/slave architecture, and these identifiers and comments + were just poorly worded. Files: conf/postmulti-script, + html/master.5.html, man/man5/master.5, proto/master, + global/dsb_scan.c, global/dsb_scan.h, global/dsn_print.c, + global/dsn_print.h, global/msg_stats.h, global/msg_stats_print.c, + global/msg_stats_scan.c, global/rcpt_buf.c, global/rcpt_buf.h, + global/rcpt_print.c, global/rcpt_print.h, milter/milter.h, + milter/milter_macros.c, tls/tls_proxy.h, + tls/tls_proxy_client_print.c, tls/tls_proxy_client_scan.c, + tls/tls_proxy_context_print.c, tls/tls_proxy_context_scan.c, + tls/tls_proxy_server_print.c, tls/tls_proxy_server_scan.c, + util/argv_attr.h, util/argv_attr_print.c, util/argv_attr_scan.c, + util/attr.h, util/attr_print0.c, util/attr_print64.c, + util/attr_print_plain.c, util/attr_scan0.c, util/attr_scan64.c, + util/attr_scan_plain.c. + + Bugfix (introduced: Postfix 3.4): in the Postfix SMTP server, + the SNI callback reported an error when it was called a + second time. This happened after the server-side TLS engine + sent a TLSv1.3 HelloRetryRequest (HRR) to a remote SMTP + client. Reported by Ján Máté, fixed by Viktor Dukhovni. + File: tls/tls_misc.c. + +20200617 + + Bugfix (introduced: Postfix 3.4): the connection_reuse + attribute in smtp_tls_policy_maps resulted in an "invalid + attribute name" error. Fix by Thorsten Habich. File: + smtp/smtp_tls_policy.c. + +20200618 + + Documentation: documented that smtp_line_length_limit=0 + disables the feature, and made this more explicit in the + code by using the ENFORCING_SIZE_LIMIT macro. Files: + proto/postconf.proto, smtp/smtp_proto.c. + +20200619 + + Bugfix (introduced: Postfix 3.4): SMTP over TLS connection + reuse was broken for configurations that use explicit trust + anchors. Reported by Thorsten Habich. Cause: the tlsproxy + client was sending a zero certificate length. File: + tls/tls_proxy_client_print.c. + + Bugfix: posttls-finger reported a conflict betwen -X and + -r when only -X was used. File: posttls-finger/posttls-finger.c. + +20200620 + + Bugfix (introduced: Postfix 3.4): SMTP over TLS connection + reuse was broken for configurations that use explicit trust + anchors. Reported by Thorsten Habich. Fixed by calling DANE + initialization unconditionally (WTF). File: tlsproxy/tlsproxy.c. + +20200626 + + Typo: in postconf(5) documentation, AAAAA should be AAAA. + Christian Franke. File: proto/postconf.proto. + + Bugfix (introduced: Postfix 2.11): The Postfix smtp(8) + client did not send the right SNI name when the TLSA base + domain was a secure CNAME expansion of the MX hostname (or + non-MX nexthop domain). Domains with CNAME expanded MX hosts + are not conformant with RFC5321, and so are rare. Even more + rare are MX hosts with TLSA records for their CNAME expansion. + For this to matter, the remote SMTP server would also have + to select its certificate based on the SNI name in such a + way that the original MX host would yield a different + certificate. Among the ~2 million hosts in the DANE survey, + none meet the conditions for returning a different certificate + for the expanded CNAME. Therefore, sending the correct SNI + name should not break existing mail flows. Fixed by Viktor + Dukhovni. File: src/tls/tls_client.c. + +20200705 + + Cleanup: OpenSSL-1.1.1 is the minimum supported version. + This is an LTS (long-term support) version that will reach + the end of life by 2023-09-11. This removes support for + export ciphers. + + This also changes the Postfix default fingerprint digest + from MD5 to SHA256, but only when the compatibility_level + is set to '3' or higher. + + Code by Viktor Dukhovni. Files: global/mail_params.c, + global/mail_params.h, posttls-finger/posttls-finger.c, + proto/COMPATIBILITY_README.html, proto/TLS_README.html, + proto/postconf.proto, smtp/smtp.c, smtp/smtp_tls_policy.c, + smtpd/smtpd.c, smtpd/smtpd_check.c, tls/Makefile.in, + tls/tls.h, tls/tls_certkey.c, tls/tls_client.c, tls/tls_dane.c, + tls/tls_dh.c, tls/tls_misc.c, tls/tls_rsa.c, tls/tls_server.c, + tls/tls_verify.c. + +20200710 + + Security: added a section to the sendmail(1) manpage for + security researchers and application developers, with an + example of using '--' to disable command option processing + for user-specified data. File sendmail/sendmail.c. + + Error reporting: added '--' to a postalias command line to + make an obsecure error message less confusing. File + sendmail/sendmail.c. + + Conversion from Postfix built-in DANE support to OpenSSL + DANE support. Code by Viktor Dukhovni. Files: + posttls-finger/posttls-finger.c, proto/postconf.proto, + smtp/smtp.c, smtp/smtp_proto.c, smtp/smtp_tls_policy.c, + tls/Makefile.in, tlsproxy/tlsproxy.c, tls/tls_client.c, + tls/tls_dane.c, tls/tls_fprint.c, tls/tls.h, tls/tls_misc.c, + tls/tls_proxy_client_print.c, tls/tls_proxy_client_scan.c, + tls/tls_proxy_context_print.c, tls/tls_proxy_context_scan.c, + tls/tls_proxy.h, tls/tls_verify.c, util/hex_code.c. + + Bugfix (introduced: Postfix 3.0): minor memory leaks in the + Postfix TLS library, found during tests. File: tls/tls_misc.c. + +20200712 + + Cleanup: non-TLS builds were failing. File: util/tls_misc.c. + + Bugfix (introduced: Postfix 3.0): 4kbyte per session memory + leak in the Postfix TLS library, found during tests. File: + tls/tls_misc.c. + +20200718 + + Cleanup TLS library: coding style, additional error message, + additional handling of internationalized domain name, and + dropping an unused variable. Files: tls.h, tls_dane.c, + tls_proxy_client_scan.c, tls_client.c. + + Noise suppression: shut up compilers that warn about + sizeof("text"). File: smtpstone/smtp-sink.c. + +20200719 + + Cleanup old API: mymemdup() should return "void *", the + same value type as its main argument, and the same result + type as mymalloc(). In a future update we can remove all + the noisy but unnecessary casts of their result values to + character pointer. Files: util/mymalloc.c, util/mymalloc.h. + + Cleanup: don't split the sendmail -oA option value on comma + or whitespace, before passing the value to the postalias + command line. This results in unexpected behavior. File: + sendmail/sendmail.c. + + Documentation: updated the manpage of the unprivileged(!) + sendmail(1) command with instructions to avoid privilege + esclation attacks in naive programs that run Postfix programs + with user-specified arguments. File: sendmail/sendmail.c. + +20200720 + + Bugfix (introduced: postfix 3.4): nullpointer dereference + in debug logging when tlsproxy is unavailable. File: + posttls-finger/posttls-finger.c. + + Final cleanups of the peername matching code. File: + tls/tls_client.c. + +202000725 + + Documentation of how to set the minimum and maximum allowed + TLS protocol versions (these override system-wide OpenSSL + configuration), some related code cleanups including better + warning messages. Viktor Dukhovni. Files: proto/TLS_README.html, + proto/postconf.proto, global/mail_params.h, + posttls-finger/posttls-finger.c, tls/tls.h, tls/tls_client.c, + tls/tls_fprint.c, tls/tls_misc.c, tls/tls_server.c. + + The Postfix TLS library did not override the system-wide + OpenSSL configuration of allowed TLS protocol versions, for + sessions where the remote SMTP client sends SNI. File: + tls/tls_server.c. + +20200726 + + Code health: the tls_get_signature_params() function reused + variable names for different objects that have up to three + different life-cycle management models. To avoid more + accidents we now use distinct names for distinct purposes. + File: tls/tls_misc.c. + +20200727 + + Code health: inet_proto_info() should return a const pointer. + This is global data that callers should not change. Files: + cleanup/cleanup_milter.c, global/haproxy_srvr.c, + global/mynetworks.c, global/normalize_mailhost_addr.c, + global/own_inet_addr.c, postscreen/postscreen_endpt.c, + posttls-finger/posttls-finger.c, qmqpd/qmqpd_peer.c, + smtpd/smtpd_check.c, smtpd/smtpd_peer.c, smtp/smtp_addr.c, + smtpstone/smtp-sink.c, util/inet_addr_host.c, + util/inet_addr_list.c, util/inet_addr_local.c, util/inet_connect.c, + util/inet_listen.c, util/inet_proto.c, util/inet_proto.h. + +20200728 + + Code health: deleted a mis-spelled macro from code and + documentation. Files: bounce/bounce_template.[hc]. + +20200829 + + Other debt: updated the encoding in HTML from us-ascii to + utf-8. Files: mantools/makemanidx, mantools/make_soho_readme, + mantools/man2html, mantools/readme2html, proto/*_README.html, + proto/INSTALL.html, proto/postconf.html.prolog, html/index.html. + +20200830 + + Refactor: moved the SASL mechanism filter code from the + Postfix SMTP client to a library module, so that it can be + reused in the Postfix SMTP server. Files: smtp/smtp_sasl_proto.c, + global/sacl_mech_filter.[hc]. + + Bugfix (introduced: Postfix 2.0): smtp_sasl_mechanism_filter + ignored table lookup errors, treating them as 'not found'. + Found while refactoring code. File: smtp/smtp_sasl_proto.c. + + Feature: smtpd_sasl_mechanism_list (default: !external, + static:rest) to avoid confusing errors when a SASL backend + wants to anounce EXTERNAL support for which Postfix support + does not exist. Files: smtpd/smtpd.[hc], smtpd_sasl_glue.[hc], + global/mail_params.h, proto/postconf.proto, mantools/postlink. + +20200906 + + Cleanup: missing file. File: src/postqueue/.indent.pro. + + Cleanup: uninitialized value in unit test code. File: + global/haproxy_srvr.c. + + Cleanup: duplicate 'const' in argument declaration. File: + src/global/sasl_mech_filter.c. + +20200906-18 + + Other debt: internal protocol identification. Each server + sends the name of the internal protocol that it implements, + and each client logs a warning if it receives the wrong + protocol name. With this, a client-server mismatch results + in a better error message. It is a good idea to "postfix + stop" before updating, or before backing out to an earlier + relase. To make this work consistently, a few internal + protocols were converted from "client speaks first" to + "server speaks first". Files: anvil/anvil.c, bounce/bounce.c, + cleanup/cleanup.c, flush/flush.c, global/abounce.c, + global/anvil_clnt.c, global/bounce.c, global/clnt_stream.c, + global/clnt_stream.h, global/defer.c, global/deliver_pass.c, + global/deliver_request.c, global/dict_proxy.c, global/flush_clnt.c, + global/mail_command_client.c, global/mail_proto.h, + global/mail_stream.c, global/mail_version.h, global/post_mail.c, + global/resolve_clnt.c, global/rewrite_clnt.c, global/scache_clnt.c, + global/trace.c, global/verify_clnt.c, local/forward.c, + master/event_server.c, master/mail_server.h, master/multi_server.c, + oqmgr/qmgr_deliver.c, pickup/pickup.c, postdrop/postdrop.c, + postqueue/postqueue.c, postscreen/postscreen_starttls.c, + proxymap/proxymap.c, qmgr/qmgr_deliver.c, scache/scache.c, + showq/showq.c, tls/tls_mgr.c, tls/tls_proxy_clnt.c, + tlsmgr/tlsmgr.c, tlsproxy/tlsproxy.c, + trivial-rewrite/trivial-rewrite.c, util/attr.h, util/attr_clnt.c, + util/attr_clnt.h, util/attr_print0.c, util/attr_print64.c, + util/attr_print_plain.c, util/attr_scan0.c, util/attr_scan64.c, + util/attr_scan_plain.c, util/auto_clnt.c, util/auto_clnt.h, + verify/verify.c. + + Debt: during the conversion of some internal protocols to + "server speaks first", took the opportunity to improve how + event-driven client implementations handle a server that + is locked up. Files: global/abounce.c, + postscreen/postscreen_starttls.c. + +20200919 + + Cleanup: eliminated a silly optimization for lazy clients + that read the "server speaks first" protocol announcement + after sending a client request. Files: src/anvil/anvil.c, + src/bounce/bounce.c, src/flush/flush.c, src/global/abounce.c, + src/global/anvil_clnt.c, src/global/deliver_pass.c, + src/global/deliver_request.c, src/global/dict_proxy.c, + src/global/mail_command_client.c, src/global/mail_stream.c, + src/global/resolve_clnt.c, src/global/rewrite_clnt.c, + src/global/scache_clnt.c, src/global/verify_clnt.c, + src/local/forward.c, src/oqmgr/qmgr_deliver.c, src/pickup/pickup.c, + src/postqueue/postqueue.c, src/postscreen/postscreen_starttls.c, + src/proxymap/proxymap.c, src/qmgr/qmgr_deliver.c, + src/scache/scache.c, src/showq/showq.c, src/tlsmgr/tlsmgr.c, + src/tlsproxy/tlsproxy.c, src/tls/tls_mgr.c, + src/tls/tls_proxy_clnt.c, src/trivial-rewrite/trivial-rewrite.c, + src/verify/verify.c. + + Cleanup: factored out some duplicate showq client code. + File: postqueue/postqueue.c. + +20200920 + + Cleanup: deleted the percentm module. It was obsoleted in + 19971027 by the vbuf_print() string formatter for VSTREAM + and VSTRING objects. Files: util/percentm.[hc]. + + Cleanup: replaced hard-coded 'private' with named constant. + File: global/scache_clnt.c. + + Bugfix (introduced: Postfix 2.3): when deleting a recipient + with a milter, delete the recipient from the duplicate + filter, so that the recipient can be added back. Files: + global/been_here.[hc], cleanup/cleanup_milter.c, + cleanup/Makefile.in, lots of cleanup unit test files. + +20200925 + + Cleanup: vstream_fseek() support for reading or writing + memory buffer streams, and minor cleanups in VSTREAM support + for reading/writing VSTRINGs. Also added unit tests. Files: + util/vstream.c, util/vstring.h. + + Bugfix (introduced: before Postfix alpha): the code that + looks for Delivered-To: headers ignored headers longer than + $line_length_limit. Also added unit tests. File: + global/delivered_hdr.c. + +20200930 + + Feature: when a Postfix program makes a DNS query that + requests DNSSEC validation (usually for Postfix DANE support) + but the DNS response is not DNSSEC validated, Postfix will + send a DNS query configured with the "dnssec_probe" parameter + to determine if DNSSEC support is available, and logs a + warning if it is not. By default, the probe has type "ns" + and domain name ".". The probe is sent once per process + lifetime. Files: dns/dns.h, dns/dns_lookup.c, dns/dns_sec.c, + test_dns_lookup.c, global/mail_params.[hc], mantools/postlink.. + +20201003 + + The makedefs script no longer disables DNSSEC when Postfix + is built with libc-musl. Instead Postfix will rely on the + new dnssec_probe feature, and will log a warning when Postfix + requests DNSSEC validation, but the infrastructure does not + validate DNSSEC signatures. File: makedefs. + + Cleanup: some wordsmithing of warnings when DNSSEC validation + is unavailable. File: dns/dns_sec.c. + + Cleanup: add missing warnings for libpostfix version + mismatches. This will help folks with build processes that + mistakenly run newly-built Postfix installation commands + with previously-installed libpostfix files. Files: + postcat/postcat.c, postconf/postconf.c, postkick/postkick.c, + postlock/postlock.c. + + Documentation: hyperlink occurrences of the info_log_address_format + parameter name in daemon manpages. + +20201005 + + Cleanup: move the submit_users check after the postdrop + initializations that strip the environment, set up signal + handlers, etc. File: postdrop/postdrop.c. + + Documentation: descriptions of Postfix TLS wrappermode + support. File: proto/TLS_README.html, proto/SASL_README.html. + +20201011 + + Bugfix (introduced: Postfix 2.8): save a copy of the + postscreen_dnsbl_reply_map lookup result. This has no effect + when the recommended texthash: look table is used, but it + may avoid stale data with other lookup tables. File: + postscreen/postscreen_dnsbl.c. + +20201015 + + Documentation: simplified the recipient_delimiter + description. File: proto/postconf.proto. + +20201022 + + Bugfix (introduced: Postfix 2.2): after processing an + XCLIENT command, the smtps service was waiting for a TLS + handshake. Found by Aki Tuomi. File: smtpd/smtpd.c. + +20201025 + + Feature: local_login_sender_maps to lock down the envelope + sender addresses that the postdrop command will accept. The + default is backwards compatible. Developed with input from + Demi M. Obenour. Files: postdrop/postdrop.c, global/mail_params.h, + global/local_sender_login_match.[hc], + global/local_sender_login_match.in, + global/local_sender_login_match.ref, global/quote_822_local.c, + global/quote_822_local.in, global/quote_822_local.ref, + mantools/postlink, proto/postconf.proto. + + Bugfix (introduced: Postfix 2.3): static maps did not free + their casefolding buffer. File: util/dict_static.c. + +20201026 + + Cleanup: changed the postdrop numerical UID prefix from "#" + to "uid:", and tweaked some local_login_sender_maps + documentation. Files: proto/postconf.proto, postdrop/postdrop.c. + +20201031 + + Cleanup: don't split a space-comma separated address list + on space or comma inside a quoted string. Files: util/mystrtok.c, + util/mystrtok.ref, global/login_sender_match.c. + +20201101 + + Cleanup: the default "smtp_tls_dane_insecure_mx_policy = dane" + was forcing too many A/AAAA lookups for MX hosts in DANE mode. + The default is now "dane" when smtp_tls_security_level is "dane". + otherwise it is "may". File: global/mail_params.h. + +20201104 + + Bugfix (introduced: Postfix 3.5): the Postfix SMTP client + broke message headers longer than $line_length_limit, causing + subsequent header content to become message body content. + Reported by Andreas Weigel, fix by Viktor Dukhovni. File: + smtp/smtp_proto.c. + + Added missing employer attributions to .c and .h files. + +20201116 + + Documentation: document that check_mumble_mx_access will + look up A or AAAA records when a domain name has no MX + record, just like the Postfix SMTP client would. File: + proto/postconf.proto. + +20201122 + + Cleanup: log "Application error" instead of "Success" or + "Unknown error: 0" when an operation fails with errno == + 0. File: util/vbuf_print.c. + +20201125 + + Documentation: in the cleanup(8) description of message + transformations, mention how some transformations are + controlled with the local_header_rewrite_clients, + always_add_missing_headers, and message_drop_headers parameter + settings. File: cleanup/cleanup.c. + +20201129 + + Cleanup: future-proofing a condition in delivered_hdr_init(). + The code was not wrong, but the new code is more consistent + with new code in the bounce daemon where the difference does + matter. File: global/delivered_hdr.c + +20201205 + + Testing: generic test_main() routine to initialize configuration + parameters before running a test routine. Files: + global/test_main.[hc]. + + Feature: specify "enable_threaded_bounces = yes" to enable + bounce messages that link to the original message with a + References: and In-Reply_to: header. Based on code by Andreas + Thienemann. See RELEASE_NOTES for caveats. Files: + proto/postconf.proto, bounce/bounce_notify_tester.c, many + test data files to exercise corner cases. + +20201220 + + Infrastructure: support to add custom comparison operators + for Postfix configuration files. This will be used to implement + custom comparison operators for compatibility_level values + that contain both the Postfix major and minor version and + maybe patchlevel. Files: util/alldig.c, util/stringops.h, + util/mac_expand.[hc] and test files. + +20210102 + + Infrastructure: support for the <=level, <level, and other + operators to compare compatibility levels. With the standard + <=, <, etc. operators, compatibility level 3.10 would be + less than 3.9 which is undesirable. Files: global/compat_level.[hc] + and test files. + +20210107 + + Documentation: added lmdb to the postmap/postalias pages. + Files: postmap/postmap.c, postalias/postalias.c. + +20210109 + + Feature: support for compatibility levels of the form + "major.minor.patch". Files: global/mail_params.[hc], + master/master_ent.c, postconf/postconf.c, postfix/postfix.c, + proto/COMPATIBILITY_README.html, proto/postconf.proto. + +20210110 + + Documentation: the postfix(1) manpage missed some changes + that were introduced in the Postfix 3.0 development + cycle. File:postfix/postfix.c. + + Bugfix: the 20210109 change broke 'postfix reload' for the + master daemon. File: global/mail_params.c. + +20210111 + + Cleanup: compiler warning for casting '0' to the wrong type + (zero impact). File: dns/dns_sec.c . + + Cleanup: after back-porting the dnssec_probe implementation + to Postfix 3.5 and earlier versions, forward-ported some + comment and documentation changes to the 3.6 releases. + Files: proto/postconf.proto, RELEASE_NOTES, dns/dns.h. + +20210113 + + Workaround: STRREF() macro to shut up compiler warnings for + legitimate expressions involving string constants. Files: + util.stringops.h, flush/flush.c. + +20210130 + + Feature: with smtpd_relay_before_recipient_restrictions=yes, + the Postfix SMTP server will evaluate smtpd_relay_restrictions + before smtpd_recipient_restrictions. This is the default + behavior with compatibility_level >= 3.6. This makes the + implemented behavior consistent with existing documentation. + There is a backwards-compatibility warning that allows users + to freeze historical behavior. Files: mantools/postlink, + proto/COMPATIBILITY_README.html, proto/postconf.proto, + global/mail_params.c, global/mail_params.h, smtpd/smtpd.c, + smtpd/smtpd_check.c. + +20210201 + + Flipped a bit in the smtpd_relay_before_recipient_restrictions + implementation. File: smtpd/smtpd_check.c. + +20210206 + + Documentation: the inet_protocols default setting is compile-time + dependent. Files: proto/postconf.proto, proto/IPV6_README.html, + and documentation in smtpd/smtpd.c, smtp/smtp.c, master/master.c. + +20210212 + + Documentation: added a jq example to the postsuper(1) manpage. + File: postsuper/postsuper.c. + +20210216 + + Respectful code: avoid using terminology that implies white + is better than black. Instead, use 'allowlist', 'denylist', + and variations on those words. This continues work started + with Noel Jones a year ago. + + Documentation: replaced white/blacklist with allow/denylist, + except in parameter names and logging. Files: + proto/ADDRESS_VERIFICATION_README.html, proto/cidr_table, + proto/OVERVIEW.html, proto/postconf.proto, + proto/POSTSCREEN_README.html, proto/SMTPD_ACCESS_README.html, + proto/SMTPD_POLICY_README.html, proto/STRESS_README.html, + dns/dns_lookup.c, dnsblog/dnsblog.c, global/server_acl.c, + postfix/postfix.c, postscreen/postscreen.c, + postscreen/postscreen_dnsbl.c, postscreen/postscreen_early.c, + postscreen/postscreen.h, postscreen/postscreen_misc.c, + postscreen/postscreen_smtpd.c, postscreen/postscreen_tests.c, + proxymap/proxymap.c, smtpd/smtpd.c, smtpd/smtpd_check.c, + smtpd/smtpd_dnswl.in, smtpd/smtpd_dnswl.ref, tlsproxy/tlsproxy.c, + verify/verify.c. + +20210220 + + Renamed postscreen_dnsbl_whitelist_threshold, + postscreen_blacklist_action, and postscreen_whitelist_interfaces, + with backwards-compatible default settings, and updated + documentation. + + Forked POSTSCREEN_README for readability, to avoid deprecated + parameter names and logging examples. The historical parameter + names and logging are still described in POSTSCREEN_3_5_README. + Files: proto/Makefile.in, proto/POSTSCREEN_3_5_README.html, + proto/POSTSCREEN_README.html. + + Renamed internal variables with names that contain 'white' or + 'black'. Files: postscreen/postscreen.c, postscreen/postscreen.h. + + Feature: respectful_logging configuration parameter (the + default depends on the compatibility_level) to choose + between respectful and deprecated logging formats. Files: + mantools/postlink, proto/postconf.proto, global/mail_params.[hc], + postscreen/postscreen.c, proto/COMPATIBILITY_README. + +20210224 + + Typo: the "respectful_logging" parameter had a typo and a + "postscreen_" prefix that should have been deleted. File: + global/mail_params.h + +20210313 + + Documentation: enable_threaded_bounces also applies to + "success" and "delay" delivery status notiifications. File: + proto/postconf.proto. + +20210403 + + Missing null pointer checks (introduced: Postfix 3.4) after + an internal I/O error during the smtp(8) to tlsproxy(8) + handshake. Found by Coverity, reported by Jaroslav Skarvada. + Based on fix by Viktor Dukhovni. File: tls/tls_proxy_client_scan.c. + + Null pointer bug (introduced: Postfix 3.0) and memory leak + (introduced: Postfix 3.4) after an inline: table syntax + error in main.cf or master.cf. Found by Coverity, reported + by Jaroslav Skarvada. Based on fix by Viktor Dukhovni. File: + util/dict_inline.c. + + Incomplete null pointer check (introduced: Postfix 2.10) + after truncated HaProxy version 1 handshake message. Found + by Coverity, reported by Jaroslav Skarvada. Fix by Viktor + Dukhovni. File: global/haproxy_srvr.c. + +20210404 + + Unbroke a ton of regression tests after DNS-related changes. + +20210406 + + More specific warnings for incorrect net/mask syntax. Files: + util/cidr_match.c, util/dict_cidr.ref. + +20210410 + + Documentation: updated containerization suggestions in + the postfix(1) manpage. File: postfix/postfix.c. + + Documentation: added text and ASCII art to illustrate how + tlsproxy(8) is used for outbound SMTP connection caching + and for inbound postscreen(8) TLS support. File: + proto/OVERVIEW.html. + + Documentation: added text and ASCII art to illustrate how + postlogd(8) provides an alternative to syslog logging. + File: proto/OVERVIEW.html. + +20210411 + + Updated the missing null pointer check (introduced: Postfix + alpha) after null argv[0] value. File: global/mail_task.c. + + Cleanup: added a test case for a missing haproxy v1 protocol + type, and improved the haproxy parser error messages. File: + global/haproxy_srvr.c. + + Documentation: updated examples and TLS configuration. File + proto/CONNECTION_CACHE_README.html. + +20210418 + + Bitrot: new "known_tcp_ports" configuration parameter to + reduce Postfix dependency on the services(5) database. + There is no agreement about the name of the port 465 service: + the intersection of different systems is reportedly empty. + By default, Postfix now "knows" the port numbers for SMTP + services. Files: proto/postconf.proto, global/Makefile.in, + global/config_known_tcp_ports.c, global/config_known_tcp_ports.h, + global/config_known_tcp_ports.ref, global/mail_params.c, + global/mail_params.h, global/mail_version.h, + global/namadr_list.ref, master/master.c, + posttls-finger/Makefile.in, posttls-finger/posttls-finger.c, + smtp/Makefile.in, smtp/smtp.c, smtp/smtp_connect.c, + smtpd/smtpd.c, util/Makefile.in, util/find_inet.c, + util/known_tcp_ports.c, util/known_tcp_ports.h, + util/known_tcp_ports.ref, util/myaddrinfo.c. + +20210419 + + Bugfix (bug introduced 20210102): panic in some postconf + commands due to duplicate initialization of compatibility + level comparison operators. File: global/compat_level.c. + + Cleanup: stricter parsing of known_tcp_port settings. Files: + util/argv_split_at.c, util/argv.h, global/config_known_tcp_ports.c. + +20210420 + + Documentation: typofixes by Paul Menzel. File: RELEASE_NOTES. + + Documentation: numeric IP address examples. File: conf/master.cf. + + Documentation: added "-Wl,-R,/path/to/directory" hints to + optional build instructions. Files: proto/DB_README.html, + proto/LDAP_README.html, proto/LMDB_README.html, + proto/MYSQL_README.html, proto/PGSQL_README.html, + proto/SASL_README.html, proto/SQLITE_README.html, + proto/TLS_README.html. + +20210422 + + Cleanup: in the Postfix SMTP and LMTP client, prepend Return-Path + and other headers in the same order as in other Postfix delivery + agents. Adi Prasaja. File: smtp/smtp_proto.c. + +20210428 + + Documentation: update by Paul Menzel. File: proto/SASL_README.html. + +20210529 + + Cleanup: simplified master.cf stanzas for the submission + and submissions (formerly: smtps) services, to avoid + surprising warnings for undefined mua_smtpd_xxx_restrictions + parameters. File: conf/master.cf. + + Bugfix (introduced: Postfix 2.11): "postmap lmdb:/file/name" + handled duplicate keys ungracefully, with a dangling pointer + resulting in a double free() call with lmdb versions 0.9.17 + and later. Reported by Adi Prasaja, root cause analysis by + Howard Chu. In addition, "postmap lmdb:/file/name" forgot + entries stored up to and including the duplicate key. File: + util/slmdb.c. + +20210605 + + Fixed a few more potential dangling pointer cases in the + LMDB client, future-proofing code paths that sofar aren't + used. File: util/slmdb.c. + + Added LMDB integration tests using the postmmap command. + Files: postmap/Makefile.in, postmap/lmdb_abb, postmap/lmdb_abb.ref. + + Cleanup: reset errno in the fail: database methods for + consistent error messages. File: util/dict_fail.c. + + Cleanup: new vstream_control() option to give a memory stream + ownership of the underlying VSTRING. This simplifies resource + management for read-only streams. Files: util/vstream.[hc]. + + Cleanup: extpar() returns an error in case of a missing + initial '{', instead of aborting. This simplifies the + implementation of some callers. File: util/extpar.c. + + Feature: inline pcre, regexp, and cidr table definition in main.cf + or master.cf, to improve their usability in matchlists. Files: + util/dict_stream.c, util/dict.h, util/dict_pcre.c, + util/dict_regexp.c, util/dict_cidr.c, and test files. + + The smtpd_forbidden_commands default setting now also inludes + a regular expression regexp:{{/^[^A-Z]/ Bogus}} for bogus inputs. + File: global/mail_params.h. + +20210606 + + Cleanup: "Postfix is running with backwards-compatible..." + did not make sense when Postfix is down. File: postfix/postfix.c. + + Cleanup: the postscreen BDAT handler now replies with "need + MAIL command" when the client did not provide a sender address. + File: postscreen/postscreen_smtpd.c. + + Typo: silent_discard should be silent-discard. File: + proto/BDAT_README.html. + +20210610 + + Cleanup: escape non-printable characters in non-SMTP commands, + instead of replacing them with '?'. File: smtpd/smtpd.c. + + Misc typofixes by Viktor Dukhovni. Files: conf/master.cf, + proto/regexp_table, proto/cidr_table. + + Cleanup: simplify the LMDB error recovery code. File: + util/slmdb.c. + +20210615 + + Bugfix (introduced: Postfix 3.4): the texthash: map + implementation did not support "postmap -F" behavior. + Reported by Christopher Gurnee, who also found the missing + code in the postmap source. File: util/dict_thash.c. + + Cleanup: documentation for the postmap -F option. File: + postmap/postmap.c. + + Cleanup: simplify the LMDB error recovery code. File: + util/slmdb.c. + +20210623 + + Cleanup: the known_tcp_ports parameter was not hyperlinked. + File: mantools/postlink. + + Bugfix: some strtou?l() calls had no 'errno=0' statement + before the call. Fixed with strtou?l() wrapper functions + that reset errno before calling strtou?l(), and calling + these from code that did not explicitly reset errno. Other + strtou?l() can be migrated later. Problem reported by David + Bohman. Files: util/sane_strtol.[hc], global/compat_level.c, + postscreen/postscreen_tests.c, util/mac_expand.c. + +20210705 + + Bugfix (introduced: Postfix 3.3): "null pointer read" error + in the cleanup daemon when "header_from_format = standard" + (the default as of Postfix 3.3) and email was submitted + with /usr/sbin/sendmail without From: header, and an all-space + full name was specified in 1) the password file, 2) with + "sendmail -F", or 3) with the NAME environment variable. + Found by Renaud Metrich. File: cleanup/cleanup_message.c. + +20210708 + + Bugfix (introduced: 1999): the Postfix SMTP server was + sending all session transcripts to the error_notice_recipient, + instead of sending transcripts of bounced mail to the + bounce_notice_recipient. Reported by Hans van Zijst. File: + smtpd/smtpd_chat.c. + +20210713 + + Bugfix (introduced: Postfix 2.4): false "too many reverse + jump" warnings in the showq daemon. The loop detection code + was comparing memory addresses instead of queue file names. + It now properly compares strings. Reported by Mehmet Avcioglu. + File: global/record.c. + +20210724 + + Cleanup: missing const in the 20210713 bugfix. File: + global/record.c. + +20210728 + + Bitrot: GLIBC 2.34 has closefrom(), and of course their + interface is different. File: util/sys_defs.h. + +20210804 + + Cleanup: replace ad-hoc object-to-VSTRING serialization with + attr_print*() based serialization. Files: tls/tls_proxy.h, + tls/tls_proxy_client_misc.c, tlsproxy.c/tlsproxy.c. + + Cleanup: left-over code from a DANE on/off workaround. File: + tlsproxy.c/tlsproxy.c. + +20210806 + + Constified the object argument of functions that write objects + to VSTREAM. Files: global/bounce.c, global/defer.c, + global/deliver_pass.c, global/deliver_request.c, + global/dsn_print.c, global/dsn_print.h, + global/msg_stats.h, global/msg_stats_print.c, + global/rcpt_print.c, global/rcpt_print.h, global/trace.c, + milter/milter8.c, milter/milter.c, milter/milter.h, + milter/milter_macros.c, oqmgr/qmgr_deliver.c, + qmgr/qmgr_deliver.c, tls/tls_proxy_client_misc.c, + tls/tls_proxy_client_print.c, tls/tls_proxy_context_print.c, + tls/tls_proxy.h, tls/tls_proxy_server_print.c, util/argv_attr.h, + util/argv_attr_print.c, util/attr.h. + +20210810 + + Pedantism: the Postfix SMTP server now replies with status + 500 when a command is not recogized (status 502 is applicable + when a command is recognized but not implemented). File: + smtpd/smtpd.c. + + Wordsmithing: in inet_connect() replaced "host/service xxx/yyy + not found" with "host or service xxx:yyy not found". The former + suggests UNIX-domain pathname syntax which is confusing. File: + until/inet_connect.c. + +20210815 + + To make the maillog_file feature more useful, the postlog(1) + command is now set-gid postdrop, so that unprivileged + programs can write logging through the postlogd(8) daemon. + Adopted some code from postqueue(1) and postdrop(1) to + harden postlog(1) against privilege escalation attacks. + Files: postlog/postlog.c, conf/postfix-files. + + Hardening: specify smtpd_per_request_deadline=yes to limit + the combined amount of time to receive a complete SMTP + request and to send a complete SMTP response. Specify + smtpd_min_data_rate to enforce a minimum data rate during + DATA and BDAT. This replaces smtpd_per_record_deadline; the + new smtpd_per_request_deadline parameter has a backwards- + compatible default value. + + Hardening: specify {smtp,lmtp}_per_request_deadline=yes to + limit the combined amount of time to send a complete SMTP + request and to receive a complete SMTP response. Specify + {smtp,lmtp}_min_data_rate to enforce a minimum data rate + during DATA. This replaces {smtp,lmtp}_per_record_deadline. + The new {smtp,lmtp}_per_request_deadline parameters have a + backwards-compatible default value. + + Minor text and code cleanups. File: postlog/postlog.c. + +20210925 + + Prevent sharing of xxx_tls_session_cache_database instances + between different Postfix instances when a database is + not multi-writer safe. Like postscreen(8) and verify(8), + open such a database with a permanent lock, and raise + a fatal error when that database is already opened as + xxx_tls_session_cache_database. File: src/tls/tls_scache.c. + + Bugfix (bug introduced: Postfix 2.10): postconf -x produced + incorrect output, because different functions were implicitly + sharing a buffer for intermediate results. Reported by raf, root + cause analysis by Viktor Dukhovni, and Wietse eliminated the + underlying anti-pattern. Files: postconf/postconf_builtin.c, + postconf/postconf_dbms.c, postconf/postconf_lookup.c, + postconf/postconf_main.c, postconf/postconf_master.c. + + Documentation: missing lmtp_tls_wrappermode parameter + documentation. Viktor Dukhovni. Files: mantools/postlink, + proto/postconf.proto. + +20210926 + + OpenSSL 3.0.0 feature and bitrot updates. Viktor Dukhovni. + Files: proto/FORWARD_SECRECY_README.html, proto/postconf.proto, + tls/tls_client.c, tls/tls_dh.c, tls/tls.h, tls/tls_misc.c, + tls/tls_server.c/^+ + + Cleanup: don't hyperlink text that is already hyperlinked. + File: mantools/postlink. + +20211002 + + Bugfix (introduced: Postfix 3.3): the header_from_format + feature was not implemented for From: headers from the + bounce daemon, and for Postfix SMTP server and client + postmaster notifications. Reported by Vladimir Mishonov. + Files: bounce/bounce.c, bounce/bounce_notify_util_tester.c, + bounce/bounce_service.h, bounce/bounce_template.c, + bounce/bounce_template.h, bounce/bounce_templates.c, + cleanup/cleanup.h, cleanup/cleanup_init.c, + cleanup/cleanup_message.c, smtp/lmtp_params.c, smtp/smtp.c, + smtp/smtp.h, smtp/smtp_chat.c, smtp/smtp_params.c, + smtpd/smtpd.c, smtpd/smtpd.h, smtpd/smtpd_chat.c, and test + data. + +20211006 + + Documentation: http://tools.ietf.org/html/rfc[0-9]+ sometimes + does not redirect to the https site. Max-Julian Pogner. + Fixed by updating mantools/postlink and rebuilding the HTML + files that reference RFCs. + +20211016 + + Documentation: clarified the difference between private and + public services in master.cf. File: proto/master. + +20211022 + + Bugfix (introduced: Postfix 3.6): the known_tcp_ports setting + had no effect. Reported by Peter. The feature wasn't fully + implemented. Files: config_known_tcp_ports.c, mail_params.c, + posttls-finger/posttls-finger.c, smtp/smtp_connect.c, + util/find_inet.c, util/myaddrinfo.c. + +20211023 + + Documentation: fixed a jq example in the postsuper manpage, to + delete the quotes around a queue ID. File: postsuper/postsuper.c. + + Cleanup: with "smtputf8_enable = yes" (the default), the + postscreen(8) dummy SMTP engine will no longer log a "non-UTF-8 + key" warning when a remote SMTP client sends garbage. Instead, + postscreen(8) will reject the command with the same server + response as smtpd(8). File: postscreen/postscreen_smtpd.c. + +20211025 + + Bugfix (introduced: Postfix 3.6): mangled warning where a + hostname and warning message ran together. Viktor Dukhovni. + File: tls/tls_dane.c. + +20211026 + + Feature: with "smtp_bind_address_enforce = yes" the Postfix + SMTP client will defer delivery when it is unable to apply + the smtp_bind_address or smtp_bind_address6 setting. By + default, the Postfix SMTP client continues with delivery, + after logging a warning. File: src/smtp/smtp_connect.c. + +20211027 + + Documentation: readability fix for the text about automatic + or explicit daemon restart (postfix reload) after LMDB table + change. raj. File: proto/lmdb_table. + + Safety: the postqueue command now sanitizes strings before they + are formatted as json output or legacy output. These outputs are + piped into other programs that are run by administrative + users. This closes a hypothetical opportunity for privilege + escalation. Files: util/attr.h, util/attr_scan*.c, + postqueue/showq_json.c, postqueue/showq_compat.c. + +20211030 + + Bugfix: check_ccert_access worked as expected, but produced + a spurious warning when Postfix was built without SASL + support. Fix by Brad Barden. File: smtpd/smtpd_check.c. + +20211102 + + Bugfix for smtp_bind_address_enforce (change 20211026), file + descriptor leak. Found by Viktor. File: smtp/smtp_connect.c. + +20211105 + + Bugfix (introduced: Postfix 2.4): queue file corruption + after a Milter (for example, MIMEDefang) made a request to + replace the message body with a copy of that message body + plus additional text (for example, a SpamAssassin report). + + The most likely impacts were a) the queue manager reporting + a fatal error resulting in email delivery delays, or b) the + queue manager reporting the corruption and moving the message + to the corrupt queue for damaged messages. + + However, a determined adversary could craft an email message + that would trigger the bug, and insert a content filter + destination or a redirect email address into its queue file. + Postfix would then deliver the message headers there, in + most cases without delivering the message body. With enough + experimentation, an attacker could make Postfix deliver + both the message headers and body. + + The details of a successful attack depend on the Milter + implementation, and on the Postfix and Milter configuration + details; these can be determined remotely through + experimentation. Failed experiments may be detected when + the queue manager terminates with a fatal error, or when + the queue manager moves damaged files to the "corrupt" queue + as evidence. + + Technical details: when Postfix executes a "replace body" + Milter request it will reuse queue file storage that was + used by the existing email message body. If the new body + is larger, Postfix will append body content to the end of + the queue file. The corruption happened when a Milter (for + example, MIMEDefang) made a request to replace the body of + a message with a new body that contained a copy of the + original body plus some new text, and the original body + contained a line longer than $line_length_limit bytes (for + example, an image encoded in base64 without hard or soft + line breaks). In queue files, Postfix stores a long text + line as multiple records with up to $line_length_limit bytes + each. Unfortunately, Postfix's "replace body" support did + not account for the additional queue file space needed to + store the second etc. record headers. And thus, the last + record(s) of a long text line could overwrite one or more + queue file records immediately after the space that was + previously occupied by the original message body. + + Problem report by Benoît Panizzon. + +20211107 + + Additional postcat flags for debuging a corrupted queue + file (-s: skip to offset; -r: don't follow pointer records). + File: postcat/postcat.c. + +20211110 + + Minor edits of 20211107 postcat changes. File: postcat.c. + + Regression prevention: added sanity check in the queue file + editing code. File: cleanup/cleanup_body_edit.c + + Regression prevention: copied a queue file record typecheck + from the pickup daemon. Files: *qmgr/qmgr_message.c. + +20211115 + + Bugfix (introduced: 20210708): duplicate bounce_notice_recipient + entries in postconf output. The fix to send SMTP session + transcripts to bounce_notice_recipient was incomplete. + Reported by Vincent Lefevre. File: smtpd/smtpd.c. + +20211127 + + Feature: support for the pcre2 library (the legacy pcre + library is still supported). See RELEASE_NOTES for details. + Files: makedefs, util/dict_open.c, util.dict_pcre.c, + proto/pcre_table, proto/PCRE_README.html. + +20211129 + + Portability: defines for FreeBSD <= 14.x, OpenBSD 7.x, NetBSD <= + 10.x. Brad Smith. Files: makedefs, util/sys_defs.h. + +20211202 + + Cleanup: warning messages when a Diffie-Hellman parameter + file cannot be opened or parsed. Viktor Dukhovni. File: + tls/tls_dh.c. + +20211204 + + Cleanup: parameter descriptions in manpages were frozen in the + past. Files: proto/aliases, src/local/local.c, src/pipe/pipe.c, + src/qmqpd/qmqpd.c, src/trivial-rewrite/trivial-rewrite.c. + + Documentation: added a "howto tip" to the stock main.cf + file. File: conf/main.cf + +20211211 + + Logging: the Postfix SMTP client logs an info message when it + breaks a long line with "<CR><LF><SP>". + +20211216 + + Bugfix (introduced: Postfix 3.0): the proxymap daemon did not + automatically authorize proxied maps inside pipemap (example: + pipemap:{proxy:maptype:mapname, ...}) or inside unionmap. Problem + reported by Mirko Vogt. Files: proxymap/proxymap.c. + +20211218 + + Typo fixes based on automated scans of C source code comments. + Verified that the .o files have not changed. Files: + bounce/bounce_notify_util.c, cleanup/cleanup_api.c, + cleanup/cleanup_message.c, dns/dns_lookup.c, flush/flush.c, + global/compat_level.c, global/db_common.c, + global/deliver_request.c, global/dict_ldap.c, global/dict_sqlite.c, + global/dynamicmaps.c, global/mail_conf_time.c, global/mail_copy.c, + global/mail_params.h, global/mail_proto.h, global/memcache_proto.c, + global/normalize_mailhost_addr.c, global/quote_822_local.c, + global/test_main.c, global/verify.c, global/verify_sender_addr.c, + local/unknown.c, master/dgram_server.c, master/event_server.c, + master/multi_server.c, master/single_server.c, + master/trigger_server.c, oqmgr/qmgr_entry.c, + postconf/postconf_dbms.c, postconf/postconf_master.c, + postconf/postconf_user.c, postdrop/postdrop.c, postmap/postmap.c, + postmulti/postmulti.c, postqueue/showq_compat.c, + postscreen/postscreen_smtpd.c, postscreen/postscreen_starttls.c, + posttls-finger/posttls-finger.c, proxymap/proxymap.c, + qmgr/qmgr_entry.c, qmqpd/qmqpd_peer.c, smtp/smtp.h, + smtp/smtp_proto.c, smtpd/smtpd_check.c, smtpd/smtpd_peer.c, + tls/tls_certkey.c, tls/tls_client.c, tls/tls_fprint.c, + tls/tls_misc.c, tls/tls_server.c, tlsmgr/tlsmgr.c, + tlsproxy/tlsproxy.c, trivial-rewrite/resolve.c, + trivial-rewrite/transport.c, trivial-rewrite/trivial-rewrite.c, + util/argv.c, util/dict_cache.c, util/dict_cdb.c, util/dict_file.c, + util/dict_random.c, util/dict_random.h, util/dict_thash.c, + util/dup2_pass_on_exec.c, util/edit_file.c, util/extpar.c, + util/gccw.c, util/mac_expand.c, util/mac_expand.h, + util/myaddrinfo.c, util/name_mask.c, util/sane_link.c, + util/sane_rename.c, util/unix_dgram_connect.c, + util/unix_dgram_listen.c, util/unix_pass_fd_fix.c, + util/vstring.c, xsasl/xsasl_dovecot_server.c. + + Typo fixes based on automated scans of other files. Files: + auxiliary/qshape/qshape.pl, conf/post-install, + conf/postmulti-script, makedefs, postfix-install, + proto/postconf.proto, TLS_ACKNOWLEDGEMENTS, TLS_CHANGES. + + Documentation: added a note to the cidr_table manpage that + with an inline CIDR map, "$" needs to be specified as "$$" + to avoid $name expansion surprises. File: proto/cidr_table. + +20211220 + + Bugfix (introduced: Postfix 2.5): off-by-one error while + writing a string terminator. This code had passed all memory + corruption tests, presumably because it wrote over an + alignment padding byte, or over an adjacent character byte + that was never read. Reported by Robert Siemer. Files: + *qmgr/qmgr_feedback.c. + + Typo fixes from Raf, based on manual inspection. Verified + that the .o files have not changed. Files: conf/main.cf, + mantools/postlink, proto/ADDRESS_REWRITING_README.html, + proto/BACKSCATTER_README.html, + proto/BASIC_CONFIGURATION_README.html, proto/BDAT_README.html, + proto/BUILTIN_FILTER_README.html, proto/COMPATIBILITY_README.html, + proto/CONNECTION_CACHE_README.html, proto/DATABASE_README.html, + proto/DEBUG_README.html, proto/FORWARD_SECRECY_README.html, + proto/INSTALL.html, proto/IPV6_README.html, proto/LDAP_README.html, + proto/LINUX_README.html, proto/MAILLOG_README.html, + proto/MILTER_README.html, proto/MULTI_INSTANCE_README.html, + proto/MYSQL_README.html, proto/POSTSCREEN_3_5_README.html, + proto/POSTSCREEN_README.html, proto/QSHAPE_README.html, + proto/SASL_README.html, proto/SCHEDULER_README.html, + proto/SMTPD_ACCESS_README.html, proto/SMTPD_POLICY_README.html, + proto/SMTPD_PROXY_README.html, proto/SMTPUTF8_README.html, + proto/SQLITE_README.html, proto/STANDARD_CONFIGURATION_README.html, + proto/STRESS_README.html, proto/TLS_LEGACY_README.html, + proto/TLS_README.html, proto/TUNING_README.html, + proto/VIRTUAL_README.html, proto/access, proto/canonical, + proto/generic, proto/ldap_table, proto/master, proto/mysql_table, + proto/pgsql_table, proto/postconf.proto, proto/relocated, + proto/sqlite_table, proto/transport, proto/virtual, + global/mail_version.h, local/local.c, pipe/pipe.c, + postalias/postalias.c, postconf/postconf.c, postfix/postfix.c, + postmap/postmap.c, postmulti/postmulti.c, + posttls-finger/posttls-finger.c, sendmail/sendmail.c, + smtpstone/smtp-sink.c, tlsproxy/tlsproxy.c, + trivial-rewrite/trivial-rewrite.c, virtual/virtual.c. + +20211221 + + Documentation: reverted some postconf(5) changes from + "Specify a non-zero time value" to "Specify a non-negative + time value". File: proto/postconf.proto. + + Documentation: reverted "destination concurrency limit" to + "destination recipient limit". File: proto/SCHEDULER_README.html. + + Documentation: rephrased conditional $name expositions for + forward_path and command_execution_directory. File: + local/local.c. + + Documentation: added Postfix 3.0 syntax to postconf(5) + descriptions of command_execution_directory, default_rbl_reply, + forward_path, luser_relay, recipient_delimiter. File: + proto/postconf.proto. + + Documentation: updated descriptions of smtpd_error_sleep_time + and smtpd_soft_error_limit. File: proto/postconf.proto. + + Fixed non-UTF8 quotes in TLS_CHANGES that caused nvi to + truncate the file. + + Fixed a remaining typo in util/load_lib.c. + +20211222 + + Added a top-level 'make typo-check' target to automate + the typo checks (this only works on Wietse's development + system, because it depends on specific implementations of + spell and lynx). Files: Makefile.in, mantools/comment.c, + mantools/deroff, mantools/check-double-cc, + mantools/check-double-install-proto-text, + mantools/check-double-proto-html, mantools/check-spell-cc, + mantools/check-spell-install-proto-text, + mantools/check-spell-proto-html, proto/stop, proto/stop.double-cc, + proto/stop.double-install-proto-text, proto/stop.double-proto-html, + proto/stop.spell-cc, proto/stop.spell-proto-html. + + Cleanup: manpages don't need \' - that causes groff to emit + non-ASCII text (depending on the locale). Christian Goettsche. + Files: sendmail/sendmail.c, spawn/spawn.c. + +20211223 + + Report unsupported usage. Do not link Postfix database + plugins against libpostfix-util or libpostfix-global. This + introduces false build dependencies. File: makedefs. + + Report unsupported usage. Do not build with LD_LIBRARY_PATH. + File: makedefs. + + Documented the implementation-dependent mailbox_size_limit + and message_size_limit maximal values. File: proto/postconf.proto. + + Cleanup: make typo-check tests portable across differernt + spellcheck implementations. Files: proto/stop.spell-proto-html, + proto/stop.spell-cc. + + Cleanup: added missing parameters to the mantools/postlink + script, based on output from the mantools/check-postlink + script. + + Cleanup: added missing _maps parameter names to the + proxy_read_maps default value, based on output from the + mantools/missing-proxy-read-maps script. File: + global/mail_params.h. + + Sanity: added LANG=C to the typo-check scripts to get + consistent output. Files: mantools/check-spell-proto-html, + mantools/check-spell-install-proto-text, mantools/check-spell-cc, + mantools/check-double-proto-html, + mantools/check-double-install-proto-text, mantools/check-double-cc. + +20211224 + + Cleanup: some compilter complains about indentation in a + multiline macro. File: util/dict_db.c. + +20211231 + + Cleanup: informative error message after failure to connect + to 'dovecot' socket. File: src/xsasl/xsasl_dovecot_server.c. + +20220101 + + Cleanup: AppArmor may return EPERM for permission errors. + This could result in a false "mail system is down" error + message from the postqueue command. File: postqueue/postqueue.c. + +202220102 + + Cleanup: log the reason why the postqueue command thinks + that the mail system is down, in case some security software + or kernel bug emits a weird error. File: postqueue/postqueue.c. + + Robustness: randomize the initial state of Postfix in-memory + hash tables, to defend against collision attacks involving + a large number of attacker-chosen lookup keys. Presently, + the only known opportunity for such attacks involves remote + SMTP client IPv6 addresses in the anvil service. Other + tables with attacker-chosen lookup keys are limited in size. + The fix is cheap, and therefore implemented for all Postfix + in-memory hash tables. Problem reported by Pascal Junod. + File: util/htable.c. + +20210103 + + Documentation: CIDR example for mynetworks. Scott Kitterman. + File: proto/postconf.proto. + + Updated the hash function to make the distance between + colliding inputs seed-dependent, which is really the only + property that we needed. File: util/htable.c. + +20210105 + + Cleanup: deleting the \ before \' broke other things. Now + we need to escape \ at the start of an nroff input line. + Files: mantools/postconf2man, mantools/srctoman. + +20220107 + + Updated the hash function to avoid losing state when an + input byte is 0 (can never happen with a null-terminated + string, but makes the hash function usable in other contexts. + File: util/htable.c. + +20220116 + + Added more pre-release checks: missing postlink rules, + missing maps in proxy_read_maps. File: Makefile.in. + +20220117 + + Cleanup: the nullmx_reject_code parameter was removed from + Postfix 3.0 before it was released, but the manpage was not + updated. File: proto/postconf.proto. + + Cleanup: after seeking past the end of a writable memory-backed + VSTREAM (i.e. backed by a VSTRING), write nulls over the + newly allocated bytes. This behavior is compatible with + seeking past the end of a writable regular file. File: + util/vstream.c. + + Cleanup: unit tests. File: cleanup/cleanup_milter.c. + + Cleanup: disable hash-table seed in unit tests. Many + Makefiles, some unit test 'reference' files. + + Bugfix (documented but not implemented since Postfix 2.2): + missing support for [address] in smtp_bind_address and + smtp_bind_address6. Reported by Vincent Pelletier. File: + smtp/smtp_connect.c. + +20220119 + + Cleanup: the 20211211 change could result in logfile spam. + Added a 1-bit counter to log "breaking long line" only once per + delivery request. File: smtp/smtp_proto.c. + +20220121 + + Cleanup: added a pre-release check for missing entries + in postfix-files. Problem reported by Jaroslav Skarvada. + Files: Makefile.in, conf/postfix-files, + mantools/check-postfix-files. Deleted: CYRUS_README. + + Cleanup: added the RELEASE_NOTES file to the pre-release + checks, after Viktor Dukhovni reported a typo. Files: + mantools/check-double-install-proto-text, + mantools/check-spell-install-proto-text. + + Cleanup: for consistent parameter naming (tlsproxy_client_xxx + corresponds to smtp_tls_xxx), renamed tlsproxy_client_level + to tlsproxy_client_security_level, and tlsproxy_client_policy + to tlsproxy_client_policy_maps, with backwards-compatible + defaults and updated documentation. Problem reported by + Raf. Files: global/mail_params.h, mantools/postlink, + postconf/postconf_builtin.c. + +20220123 + + Documentation: added LINUX_README sections for logging in + a container, and for systemd logging workarounds. File: + proto/LINUX_README.hmtl. + +20220126 + + Added defensive logging while waiting for the master daemon + to initialize in the background. File: master/master_monitor.c. + +20220127 + + Cleanup: smtpprox hyperlink. File: proto/FILTER_README.html. + +20220128 + + Cleanup: standardize on FNV hash, after having verified + that collisions will change with the hash seed value, and + that the collision rate is low. Files: util/htable.c, + util/hash_fnv.[hc]. + +20220129 + + Cleanup: factored out the non-cryptographic seeder. Files: + ldseed.[hc]. + +20220130 + + Cleanup: added a binhash unit test, and updated the htable + unit test. Files: util/Makefile.in, util/binhash.[hc], + util/htable.c. + + Cleanup: names of hash_fnv(3) build options. File: hash:fnv.c. + +20220202 + + Bitrot: Berkeley DB 18 is like Berkeley DB 6. Yasuhiro + Kimura. File: util/dict_db.c. + +20220204 + + Updated collate.pl script for better tracking when a + Milter rejects, discards, or quarantines a message. Viktor + Dukhovni. File: auxiliary/collate/collate.pl. + +20220212 + + Cleanup: removed WISHLIST items that were recently fixed. + +20220217 + + Typo: "pcre2 --libs" should be "pcre2 --libs8". Reported by + Carlos Velasco. File proto/PCRE_README.html. + + Future proofing: added comments on the purpose of address + sanitization. File: showq/showq.c. + +20220220 + + Added a hash_fnvz() function to eliminate unnecessary strlen() + calls, and added regression tests. File: util/hash_fnv.c, + util/htable.c. + + Cleanup: unused initialization. File: util/make_dirs.c + +20220222 + + Documentation: updated comment text. File: util/hash_fnv.c. + +20220312 + + Cleanup: when a main.cf like file may have changed while + it was read, forget the settings before re-reading the file. + File: util/dict.c. + +20220322 + + Cleanup: added missing _checks, _reply_footer, _reply_filter, + _command_filter, and _delivery_status_filter parameter names + to the proxy_read_maps default value. Files: global/mail_params.h, + mantools/missing-proxy-read-maps. + +20220325 + + Documentation: how to stop recursion in virtual_alias_maps. + File: proto/virtual. + +20220330 + + Documentation: updated the postlogd(8) daemon manpage, + adding that the Postfix >= 3.7 postlog(1) command can run + with setgid permissions. File: postlogd/postlogd.c. + +20220403 + + (Rolled back because there was too much collateral damage) + Cleanup: milter_header_checks maps are now opened before the + cleanup server enters the chroot jail. Files: cleanup/cleanup.h, + cleanup/cleanup_init.c, cleanup/cleanup_milter.c, + global/header_body_checks.c, global/header_body_checks.h, + global/maps.c, global/maps.h, smtp/smtp.c. + +20220404 + + Bugfix: in an internal client module, "host or service not + found" was a fatal error, causing the milter_default_action + setting to be ignored. It is now a non-fatal error. The + same client is used by many Postfix clients (smtpd_proxy, + dovecot auth, tcp_table, memcache, socketmap, and so on). + Problem reported by Christian Degenkolb. File: util/inet_connect.c. + +20220407 + + Documentation: updated the firewall/gateway example to use + the "relay" transport to forward inbound messages. File: + proto/STANDARD_CONFIGURATION_README.html + + Documentation: updated smtp_fallback_relay description. + The text was based on an early Postfix implementation. + File: proto/postconf.proto. + + Cleanup (problem introduced: Postfix 2.7): milter_header_checks + maps are now opened before the cleanup server enters the + chroot jail. Problem reported by Jesper Dybdal. Files: + cleanup/cleanup.h, cleanup/cleanup_init.c, + cleanup/cleanup_milter.c, cleanup/cleanup_state.c. + +20220407 + + Feature: the policy delegation protocol now sends a + "compatibility_level" attribute with the value of the + compatibility_level configuration parameter. Files: + global/mail_proto.h, smtpd/smtpd_check.c, + proto/SMTPD_POLICY_README.html. + +20220415 + + Cleanup (problem introduced: Postfix 3.0): with dynamic map + loading enabled, an attempt to create a map with "postmap + regexp:path" would result in a bogus error message "Is the + postfix-regexp package installed?" instead of "unsupported + map type for this operation". This happened with all built-in + map types (static, cidr, etc.) that have no 'bulk create' + support. Problem reported by Greg Klanderman. File: + global/dynamicmaps.c. + +20220417 + + Bugfix (introduced: 20220406): reset the milter_header_checks + response buffer, so that a negative response for one email + message will not be applied to a later email message that is + handled by the same cleanup process. File: + cleanup/cleanup_milter.c. + +20220421 + + Bugfix (introduced: Postfix 3.7): reverted an overly complex + change in the postscreen SMTP engine from 20211023, and + replaced it with a much simpler change. The bad change was + segfaulting on some systems after receiving malformed input + (for example, TLS "hello"). File: postscreen/postscreen_smtpd.c. + + Under conditions described below, the postscreen program + attempted to read through an uninitialized 'const' pointer. + The pointer value depended on the compiler type and compiler + options, but crucially, it did not depend on network inputs. + + The conditions were that SMTPUTF8 support was enabled (the + default), and that postscreen received non-UTF8 input, for + example, a TLS or RDP handshake request. + + Depending on compiler details, the result of the read + operation could be uninteresting, a combined memory leak + and file handle leak, or a segmentation violation (signal + 11). + + The segmentation violation result was reported by Michael + Grimm who used a FreeBSD 13.1 early version. The result was + "uninteresting" with FreeBSD 13.0. Both FreeBSD systems use + Clang instead of GCC. The result was also "uninteresting" + on Linux-based systems that use GCC, or on a few older + systems that use GCC. + +20220427 + + Cleanup: incorrect error message after postscreen received + a STARTTLS command with too many arguments. File: + postscreen/postscreen_smtpd.c. + +20220429 + + Noise: shut up a useless warning. File: cleanup_map1n.c. + + Documentation: IPv6 support, by Pau Amma. Files: proto/INSTALL, + proto/IPV6_README.html. + +20220501 + + Cleanup: merged the infrastructure that "knows" which tables + are created with "postmap" or "postalias", with infrastructure + that has other information about lookup tables. The old design + pre-dated dynamically-loaded table drivers, and was difficult + to maintain. + + The following files were moved from the "global" directory to + the "util" directory: src/util/mkmap.h, src/util/mkmap_cdb.c, + src/util/mkmap_db.c, src/util/mkmap_dbm.c, src/util/mkmap_fail.c, + src/util/mkmap_lmdb.c, src/util/mkmap_open.c, + src/util/mkmap_sdbm.c. + + The corresponding postfix-xxx.so shared objects are now created + by util/Makefile instead of global/Makefile. There is no change + in how these files are installed or deployed. + + Other files affected by this change: src/util/dict_open.c, + src/global/dynamicmaps.c, src/global/mail_version.h, + src/global/header_body_checks.h, src/global/maps.c, + src/global/dict_proxy.h, src/util/dict.c, src/util/dict_dbm.h, + src/util/dict_fail.h, src/util/dict_db.h, src/util/dict_lmdb.h, + src/util/dict_cdb.h, src/util/dict_sdbm.h, src/util/dict.h, + src/global/mail_dict.c, src/postalias/postalias.c, + src/postmap/postmap.c. + + Portability: variable declaration after code. File: + global/compat_level.c. + +20220504 + + Documentation: dymap_init() description. File: + global/dynamicmaps.c. + +20220506 + + Added an argv_uniq() function to deduplicate same-value + adjacent array elements. Added a ton of tests to validate + the argv implementation. File: util/argv.c. + + Cleanup: the dict_mapnames() function (used in "postconf + -m") now deduplicates dictionary type names. File: + util/dict_open.c. + +20220507 + + Documentation: inverted the paragraph about "known" addresses, + in the descriptions of smtpd_reject_unlisted_sender and + smtpd_reject_unlisted_recipient. File: proto/postconf.proto. + + Documentation: added the HISTORY file to the pre-release-checks. + Files: mantools/check-double-history, mantools/check-spell-history, + proto/stop.double-history, proto/stop.spell-history. + + Documentation: added POSTLOG_SERVICE and POSTLOG_HOSTNAME + to the import_environment description. File: proto/postconf.proto. + +20220509 + + Cleanup: the pgsql: client encoding is now configurable + with the "encoding" configuration file attribute. The default + is "UTF8". Previously the encoding was hard-coded as "LATIN1". + Files: global/dict_pgsql,c, proto/pgsql_table. + +20220512 + + Documentation: in the text for smtpd_reject_unlisted_sender + and smtpd_reject_unlisted_recipient, refer to the address + class validation in ADDRESS_CLASS_README, instead of repeating + that information in postconf(5). File: proto/postconf.proto. + +20220515 + + Documentation: the text for reject_xxx_sender_login_mismatch + was not optimal for clarity. As new features were added + over time, they were documented in terms of the existing + features. File: proto/postconf.proto. + + Documentation: minor tweaks in ADDRESS_CLASS_README. File: + proto/ADDRESS_CLASS_README.html. + +20220523 + + Documentation: add the Postfix >= 3.7 postlog(1) command + to the list of programs that can have set-gid permissions. + File: proto/MAILLOG_README.html. + +20220527 + + Internal documentation: update the timeline annotations of + Milter protocol features. File: milter/milter8.c. + + Documentation: edit text for clarity. File: + proto/MILTER_README.html. + +20220529 + + Documentation: Cyrus SASL configuration file location. + Viktor Dukhovni. File: proto/SASL_README.html. + +20220617 + + Cleanup: missing <stdio.h> include was causing a warning + on some platform. posttls-finger/posttls-finger.c. + +20220620 + + Documentation: inet_interfaces and proxy_interfaces + descriptions. File: proto/postconf.proto. + + +20220719 + + Cleanup: Postfix 3.5.0 introduced debug logging noise in + map_search_create(). Files: global/map_search.c, + global/map_search.ref. + +20220724 + + Workaround: in a TLS server disable Postfix's 1-element + internal session cache, to work around an OpenSSL 3.0 + regression that broke TLS handshakes. It is rarely useful. + Report by Spil Oss, fix by Viktor Dukhovni. File: + tls/tls_server.c. + +20220802 + + Documentation: in the aliases(5) manpage, more specific + pointers to the local(8) manpage sections for delivery to + file, command execution, and delivery rights. File: + proto/aliases. + +20220805 + + Feature: "mail_version" attribute in the SMTPD policy + protocol, with the value of the "mail_version" configuration + parameter. This differs from the "compatibility_level" + attribute, because "mail_version" indicates the presence + of new features, while "compatibility_level" concerns changes + in default settings. Files: global/mail_proto.h, + proto/SMTPD_POLICY_README.html, smtpd/smtpd_check.c. + +20220808 + + Documentation: some Debian releases hard-code the search + path for Cyrus SASL application configuration files, + overriding the cyrus_sasl_config_path setting. Viktor + Dukhovni. File: proto/SASL_README.html. + +20220815 + + Updated the postscreen_dnsbl_sites documentation, based + on questions on the postfix-users mailing list. File: + proto/postconf.proto. + +20220905 + + Cleanup: uninitialized verify_append() request status in case + of a null original recipient address. File: global/verify.c. + +20220907 + + Support for Linux 6.x. Eray Aslan. Files: makedefs, + util/sys_defs.h. + +20220930 + + Documented the use of the JSON LINES format in the postqueue(1) + manpage. File: postqueue/postqueue.c. + +20221006 + + Bugfix (introduced: Postfix 3.7.0). A message could falsely + be flagged as corrupt with "warning: Unexpected record type + 'X'. Such messages were moved to the "corrupt" queue + directory, where they may still be found. See below for + instructions to deal with these falsely flagged messages. + + This could happen for messages with 5000 or more recipients, + or with fewer recipients on a busy mail server. Problem + reported by Frank Brendel, reproduced by John Alex. Files: + qmgr/qmgr_message.c, oqmgr/qmgr_message.c. + + A file in the "corrupt" queue directory may be inspected + with the command "postcat /var/spool/postfix/corrupt/<filename>. + If delivery of the file is still desired, the file can be + moved back to /var/spool/postfix/incoming after updating + Postfix and executing "postfix reload". + +20221007 + + Ran "make manpages", updated the change log and release + notes for consistency with new stable releases, update + pre-release-checks stop filters. Files: RELEASE_NOTES, + HISTORY, stop.spell-history, stop.double-history, + stop.spell-proto-html, postqueue.1, postqueue.1.html. + +20221008 + + Cleanup: in the default master.cf file, unconditionally + enable header rewriting and missing header insertion, for + the submission and smtps services. Dan Mahoney. File + conf/master.cf. + +20221017 + + Robustness: unconditionally disable a CPU resource attack + requesting TLS renegotiation. There's no good reason to + support this in the middle of an SMTP connection. Viktor + Dukhovni. File: tls/tls_misc.c. + +20221023 + + Documentation: describe limitations of smtpd(8) features + that cannot work with smtpd_proxy_filter. File: + proto/SMTPD_PROXY_README.html. + + Documentation: the local_header_rewrite_clients and + remote_header_rewrite_domain features also enable adding + missing headers. File: proto/postconf.proto. + +20221125 + + Bugfix (introduced: Postfix 3.6): the Postfix TLS client + logged a TLS connection as 'Untrusted' instead of 'Trusted', + when a matching DANE record was found but the MX RRset was + insecure. Fix by Viktor Dukhovni. File: tls/tls_client.c. + +20221128 + + Bugfix (introduced: Postfix 2.2): the smtpd_proxy_client + code mis-parsed the last XFORWARD attribute name in the + SMTP server's EHLO response. The result was that the + smtpd_proxy_client code failed to forward the IDENT attribute. + Fix by Andreas Weigel. File: smtpd/smtpd_proxy.c. + + Typo in MAILLOG_README. Paul Menzel. + +20221207 + + Workaround: OpenSSL 3.x EVP_get_digestbyname() can return + lazily bound handles that may fail to work when one attempts + to use them, because no provider search happens until one + constructs an actual operation context. In sufficiently + hostile configurations, Postfix could mistakenly believe + that an algorithm is available, when in fact it is not. A + similar workaround may be needed for EVP_get_cipherbyname(). + Fix by Viktor Dukhovni. Files: tls/tls.h, tls/tls_dane.c, + tls/tls_fprint.c, tls/tls_misc.c. + + Bugfix (introduced: Postfix 2.11): the checkok() macro in + tls/tls_fprint.c evaluated its argument unconditionally; + it should evaluate the argument only if there was no prior + error. Found during code review. File: tls/tls_fprint.c. + +20221215 + + Foolproofing: postscreen segfault with postscreen_dnsbl_threshold + < 1. It should reject such input with a fatal error instead. + Discovered by Benny Pedersen. File: postscreen/postscreen.c. + + Documentation: replaced instances of '.domain' in some + examples; clarified that bcc maps are indexed by envelope + address; lmtp_line_length_limit default wasn't updated to + 998. File: proto/postconf.proto. + +20221227 + + Documentation: the mysql_table(5) manpage did not document + the tls_ciphers feature that was added in Postfix 2.11. + File: proto/mysql_table. + + Cleanup: added a pre-release check that the parameter lists + in the proto/*_table documentation match the global/dict*.c + implementations. Files: Makefile.in, mantools/check-table-proto + + Documentation: consistent xxxx_table formatting to make + parameter documentation easier to match against the + corresponding implementation. Files: proto/mysql_table, + proto/pgsql_table, proto/ldap_table. + + Typofixes for changes made 20221207. File: tls/tls_fprint.c. + +20221228 + + Long ago, a committee decided that "grep -E" and "grep -F" + are better than "egrep" and "fgrep". This could not be an + optimization for ease of use: the new command syntax requires + mixed case for common usage, and the new command is longer. + To make things better, some implementation now warns when + the "obsolete" syntax is used. To address this, all Postfix + code and documentation has been converted; a script + auxiliary/fix-grep/fix-grep.sh can revert the syntax if you + want to build Postfix on an older platform. Files: too many + to mention here. + +20230101 + + Documentation: add text that cidr:, pcre: and regexp: tables + support inline specification only in Postfix 3.7 and later. + Files: proto/cidr_table, proto/pcre_table, proto/regexp_table. + +20230102 + + Cleanup: in internal documentation, text about DHE was under + the corresponding ECDHE function. Viktor Dukhovni. File: + tls/tls_dh.c. + +20230103 + + Bugfix (introduced: Postfix 2.7): the verify daemon logged + a garbled cache name when terminating a cache scan in + progress. Reported by Phil Biggs, fix by Viktor Dukhovni. + File: util/dict_cache.c. + +20230104 + + Feature: configuration parameter tls_ffdhe_auto_groups for + FFDHE support in TLS 1.3 with OpenSSL 3.0. Viktor Dukhovni. + Files: mantools/postlink, proto/FORWARD_SECRECY_README.html, + proto/postconf.proto, src/tlsproxy/tlsproxy.c, src/smtpd/smtpd.c, + src/tls/tls.h, src/tls/tls_proxy_client_misc.c, src/tls/tls_misc.c, + src/tls/tls_dh.c, src/tls/tls_proxy_client_scan.c, + src/tls/tls_server.c, src/tls/tls_client.c, + src/tls/tls_proxy_client_print.c, src/tls/tls_proxy.h, + src/global/mail_params.h, src/smtp/smtp.c. + + Documentation: remove text for behavior that is no longer + implemented in Postfix or in other relevant systems. Viktor + Dukhovni. File: proto/FORWARD_SECRECY_README.html. + + Bitrot: fixes for linker warnings from newer Darwin (MacOS) + versions. Viktor Dukhovni. File: makedefs. + +20230108 + + Minor wordsmithing. Files: text in proto/postconf.proto, + warning message tls.tls_dh.c. + +20230115 + + Workaround for a breaking change in OpenSSL 3: always turn + on SSL_OP_IGNORE_UNEXPECTED_EOF, to avoid warning messages + and missed opportunities for TLS session reuse. This is + safe because the SMTP protocol implements application-level + framing, and is therefore not affected by TLS truncation + attacks. Fix by Viktor Dukhovni. Files: tls/tls.h, tls_client.c, + tls/tls_server.c. + +20230121 + + Documentation: describe when Postfix and Milters inspect + SMTP commands or header/body content. File: + proto/MILTER_README.html. + +20230127 + + Bugfix (introduced: Postfix 3.4): the posttls-finger command + failed to detect that a connection was resumed in the case + that a server did not return a certificate. Viktor Dukhovni. + File: posttls-finger/posttls-finger.c. + + Workaround: OpenSSL 3.x EVP_get_cipherbyname() can return + lazily-bound handles. Postfix now checks that the expected + functionality will be available instead of failing later. + Fix by Viktor Dukhovni. File: tls/tls_server.c. + + Portability: MacOS support for the postfix-env.sh test + script. + +20230129 + + Documentation: in the postconf(5) manpage, the text for + append_dot_mydomain described old default behavior. File: + proto/postconf.proto. + + Documentation: in the smtpd(8) manpage, the text for the + info_log_address_format parameter was in the wrong place. + File: smtpd/smtpd.c. + +20230202 + + Documentation: fixed a broken HTML tag in SASL_README.html. + +20230209 + + Cleanup: noise suppression for resolver-related macros. + Viktor Dukhovni. Files: dns/dns_str_resflags.c, util/sys_defs.h. + +20230212 + + Cleanup: valgrind complained about uninitialized padding. + File: util/unix_send_fd.c + +20230213 + + Feature: SRV lookup support in the Postfix SMTP/LMTP client. + See https://www.postfix.org/postconf.5.html#use_srv_lookup. + Based on code by Tomas Korbar (Red Hat). Files: proto/stop, + proto/stop.spell-proto-html, dns/dns.h, dns/dns_lookup.c, + dns/dns_rr.c, dns/dns_sa_to_rr.c, dns/dns_strrecord.c, + dns/dns_strtype.c, global/mail_params.h, smtp/lmtp_params.c, + smtp/smtp_addr.c, smtp/smtp_addr.h, smtp/smtp.c, + smtp/smtp_connect.c, smtp/smtp.h, smtp/smtp_params.c, + smtp/smtp_session.c, smtpd/smtpd_check.c, util/attr.h, + util/unix_send_fd.c, mantools/postlink, proto/postconf.proto. + +20230214 + + SRV lookup: propagate preference and port information when + converting a numerical hostname to IP address. File: + smtp/smtp_addr.c. + + SRV lookup: add SRV support to the posttls-finger command. + File: posttls-finger/posttls-finger.c. + + SRV lookup: updated documentation examples. File: + proto/postconf.proto. + +20230219 + + Code health: replaced a proliferation of 'bare' zero arguments + with named constants: DNS_RR_NOPREF, DNS_RR_NOWEIGHT, + DNS_RR_NOPORT, and added convenience wrappers for + dns_rr_create(), to simplify code that needs to specify + only a subset of all arguments. Files: src/dns/dns.h, + src/dns/dns_rr_eq_sa.c, src/dns/dns_sa_to_rr.c, + src/smtpd/smtpd_check.c. + + Code health: updated internal documentation. Files: + dns/dns_rr.c, smtp/smtp_connect.c. + + Compatibility: downgraded some modernisms to avoid breaking + builds on older test systems. File: dns/dns_rr.c. + + Code health: simplified the SRV record priority grouping + and record ordering code. Eliminated some special-case + handling of zero-weight records (that was already started + in the initial implementation). File: dns/dns_rr.c. + +20230224 + + Documentation fix (error introduced: Postfix 2.7): In a + "make makefiles" example in SASL_README, a backslash-newline + inside single quotes produced a broken Makefile. Problem + reported by James Brown (Bordo International). Updated "make + makefiles" examples, replacing single quotes with double + quotes, and inside those quotes replacing \" with \\\" to + protect a string-valued macro definition. Files: + proto/INSTALL.html, proto/MYSQL_README.html, + proto/PGSQL_README.html, proto/postconf.proto, + proto/SASL_README.html, proto/SQLITE_README.html. + +20230303 + + Cleanup: Postfix TLS configuration. Treat "export" and "low" + cipher grades as "medium", and ignore "export" and "low" + cipherlist settings. These grades are no longer supported + in OpenSSL 1.1.1, the minimum version that Postfix requires. + Also, update Postfix default settings to exclude the following + deprecated or unused ciphers (SEED, IDEA, 3DES, RC2, RC4, + RC5), digest (MD5), key exchange algorithms (DH, ECDH), and + public key algorithm (DSS). Viktor Dukhovni. Files: + proto/postconf.proto, global/mail_params.h, smtp/smtp.c, + smtpd/smtpd.c, tls/tls_misc.c, tls/tls_proxy_client_misc.c, + tls/tls_proxy_client_print.c, tls/tls_proxy_client_scan.c, + tls/tls_proxy.h, tlsproxy/tlsproxy.c. + +20230308 + + Documentation: basic style sheet. Files: conf/postfix-files, + html/postfix-doc.css, mantools/make_soho_readme, + mantools/makemanidx, mantools/man2html, proto/[A-Z]*.html, + proto/postconf.html.prolog. + + Cleanup: the postfix(1) and postlog(1) commands now produce + stderr output even when stderr is not connected to a terminal. + This eliminates an inconsistency, and makes these programs + easier to use in some automated procedures. The canonical + example is to capture output from "postmulti -p status" to + figure out which instances are or are not running. Files: + postfix/postfix.c, postlog/postlog.c. + +20230209 + + Cleanup: in smtp_service_addr() refined the loop detection + code for SRV lookup. File: smtp/smtp_addr.c. + + Cleanup: renamed macros with invisible side effects and + implicit inputs to upper case. Verified that the compiled + code did not change. File: tls_fprint.c. + +20230310 + + Cleanup: the milter header/body checks logged less text (up + to 60 bytes) than the 'original' header/body checks (up to + 200 bytes). Problem reported by Aleksandr Stankevic. Fixed + the same inconsistency in the Postfix SMTP client. Files: + cleanup/cleanup_milter.c, smtp/smtp_proto.c. + +20230311 + + Hardening: the Postfix SMTP server can now aggregate + smtpd_client_*_rate and smtpd_client_*_count statistics by + network block, as specified with smtpd_client_ipv4_prefix_length + (default 32, no aggregation) and smtpd_client_ipv6_prefix_length + (default 72, aggregation by /72 network blocks). The latter + raises the bar for a memory exhaustion attack. Files: + util/inet_prefix_top.[hc], smtpd/smtpd.c, smtpd/smtpd_peer.c, + mantools/postlink, proto/postconf.proto. + +20230313 + + Factored out a function that may be generally useful, and + made a vstring_alloc() argument more precise to avoid memory + reallocation. Files: util/inet_prefix_top.c, + util/inet_addr_sizes.[hc]. + +20230314 + + Bugfix (introduced: Postfix 3.5): check_ccert_access did + not parse inline map specifications. Report and fix by + Sean Gallagher. File: global/map_search.c. + + Cleanup: don't do smtpd_client_*_rate and smtpd_client_*_count + address range computations when "/usr/sbin/sendmail -bs" + is not talking to a network client. File: smtpd/smtpd_peer.c. + + Cleanup: renamed net_mask_top.* to inet_prefix_top.*. + + Cleanup: updated unit tests. Files: smtpd/smtpd_check.c, + smtpd/smtpd_server.in, smtpd/smtpd_server.ref. + + Increased the smtpd_client_ipv6_prefix_length to 84 bits, + which should prevent anvil exhaustion attacks from a typical + /64 consumer network, without penalizing legitimate usage. + +20230319 + + Shut up a compiler waning triggered by an extreme setting. + File: smtp/smtp.h. + +20230328 + + Cleanup: replaced ``argv_split_append(x, y, "")'' with + ``argv_add(x, y, , ARGV_END)'', in two places. File: + posttls-finger/posttls-finger.c. + +20230330 + + Safety: the long form { name = value } in import_environment + or export_environment is not documented, but it is accepted, + and it was stored in the process environment as the invalid + form "name = value, thus not setting or overriding an entry + for "name". This form is now stored as the expected + "name=value". Found during code maintenance. Also refined + the "missing attribute name" detection. Files: clean_env.c, + split_nameval.c. + +20230402 + + Cleanup: changed the DNS_RR data structure so that it remains + ABI-compatible when new fields are added at the end. This + avoids crashing programs that are started while Postfix is + being updated. However, *this* specific change cannot be + ABI-compatible. Files: dns/dns_rr.c. + + Cleanup: added missing Valgrind test support. Files: + dns/Makefile.in, util/Makefile.in. + + Documentation: fixed a `whitelist' instance in the postscreen(8) + manpage. File: postscreen/postscreen.c. + + Cleanup: support for multiline entities in match lists, for + example, inline maps. Added Valgrind support to the namadr_list + unit test. Files: util/match_list.c, global/namadr_list.in, + util/Makefile.in. + +20240406 + + Bugfix (introduced: 20230402): after a change in the DNS_RR + structure, the dns_rr_copy() function had not been updated, + causing the Postfix SMTP client to panic as it detected a + double-free() attempt. Reported by Florian Piekert. File: + dns/dns_rr.c. + + Usability: The postconf command now warns for trailing + comments in Postfix parameter values. Also refactored comment + warnings in match lists. Files: util/mystrtok.c, + util/mystrtok.ref, util/match_list.c, global/namadr_list.ref, + postconf/postconf_dbms.c, postconf/test71.ref. + + Cleanup: some postconf warnings did not include the full + main.cf or master.cf pathname, complicating the analysis + of multi-instance configurations. Also refactored ad-hoc + code that computed full main.cf or master.cf pathnames. + Files: postconf/postconf.h, postconf/postconf_dbms.c, + postconf/postconf_edit.c, postconf/postconf_main.c, + postconf/postconf_master.c, postconf/postconf_misc.c. + + Cleanup: eliminated unused libdns dependencies. Files: + postlogd/Makefile.in. + + Cleanup: added inet_prefix_top() tests. File: + util/inet_prefix_top.c. + +20230413 + + Cleanup: in postconf source, removed redundant pcf_set_config_dir() + calls as these are made automatically when a config file + pathname cache is queried. Files: postconf/postconf_edit.c, + postconf/postconf_main.c, postconf/postconf_master.c. + + Cleanup: in source-code comments, replaced redundant (and + sometimes incomplete) lookup table configuration info with + a reference to the corresponding *_table(5) manpage. + +20230418 + + Bugfix defect (introduced: Postfix 3.2): the MySQL client + could return "not found" instead of "error" (for example, + resulting in a 5XX SMTP status instead of 4XX) during the + time that all MySQL server connections were turned down + after error. Found during code maintenance. File: + global/dict_mysql.c. + +20230428 + + Bugfix (defect introduced: Postfix 1.0): the command "postconf + .. name=v1 .. name=v2 .." (multiple instances of the same + parameter name) created multiple name=value entries with + the same parameter name. It now logs a warning and skips + the earlier update. Found during code maintenance. File: + postconf/postconf_edit.c + + Bugfix (defect introduced: Postfix 3.3): the command "postconf + -M name1/type1='name2 type2 ...'" died with a segmentation + violation when the request matched multiple master.cf + entries. The master.cf file was not damaged. Problem reported + by SATOH Fumiyasu. File: postconf/postconf_master.c. + +20230502 + + Bugfix (defect introduced: Postfix 2.11): the command + "postconf -M name1/type1='name2 type2 ...'" could add a + service definition to master.cf that conflicted with an + already existing service definition. It now replaces all + existing service definitions that match the service pattern + 'name1/type1' or the service name and type in 'name2 type2 + ...' with a single service definition 'name2 type2 ...'. + Problem reported by SATOH Fumiyasu. File: postconf/postconf_edit.c. + +20230517 + + Bugfix (defect introduced: Postfix 3.8) the posttls-finger + command could access uninitialized memory when reconnecting. + This also fixes a warning message when a destination contains + ":service" information. Reported by Thomas Korbar. File: + posttls-finger/posttls-finger.c. + +20230519 + + Bitrot: preliminary support for OpenSSL configuration files, + primarily OpenSSL 1.1.1b and later. This introduces new + parameters "tls_config_file" and "tls_config_name", which + can be used to limit collateral damage from OS distributions + that crank up security to 11, increasing the number of + plaintext email deliveries. Details are in the postconf(5) + manpage under "tls_config_file" and "tls_config_name". + Viktor Dukhovni. Files: mantools/postlink, proto/postconf.proto, + global/mail_params.h, posttls-finger/posttls-finger.c, + smtp/smtp.c, smtp/smtp_proto.c, tls/tls_client.c, tls/tls.h, + tls/tls_misc.c, tls/tls_proxy_client_print.c, + tls/tls_proxy_client_scan.c, tls/tls_proxy.h, tls/tls_server.c, + tlsproxy/tlsproxy.c. + +20230523 + + Cleanup: use TLS_CLIENT_PARAMS to pass the OpensSSL 'init' + configurations. This information is independent from the + client or server TLS context, and therefore does not belong + in tls_*_init() or tls_*_start() calls. The tlsproxy(8) + server uses TLS_CLIENT_PARAMS to report differences between + its own global TLS settings, and those from its clients. + Files: posttls-finger/posttls-finger.c, smtp/smtp.c, + smtp/smtp_proto.c, tls/tls.h, tls/tls_proxy_client_misc.c, + tls/tls_proxy_client_print.c, tls/tls_proxy_client_scan.c, + tls/tls_proxy.h, tlsproxy/tlsproxy.c. + +20230524 + + Cleanup: reverted cosmetic-only changes to minimize the + patch footprint for OpenSSL INI file support; updated daemon + manpages with the new tls_config_file and tls_config_name + configuration parameters. Files: smtp/smtp.c, smtpd/smtpd.c, + tls/tls_client.c, tls/tls.h, tls/tls_server.c, tlsproxy/tlsproxy.c, + +20230529 + + Cleanup: made OpenSSL 'default' INI file support error + handling consistent with OpenSSL default behavior. Viktor + Dukhovni. Files: proto/postconf.proto, tls/tls_misc.c. + +20230602 + + Backwards compatibility for stable releases that originally + had no OpenSSL INI support. Skip the new OpenSSL INI support + code, unless the Postfix configuration actually specifies + non-default tls_config_xxx settings. File: tls/tls_misc.c. + + Cleanup: added a multiple initialization guard in the + tls_library_init() function, and made an initialization + error sticky. File: tls/tls_misc.c. + +20230605 + + Security: new parameter smtpd_forbid_unauth_pipelining + (default: no) to disconnect remote SMTP clients that violate + RFC 2920 (or 5321) command pipelining constraints. Files: + global/mail_params.h, smtpd/smtpd.c, proto/postconf.proto. + +20230815 + + Bugfix (bug introduced: 20140218): when opportunistic TLS fails + during or after the handshake, don't require that a probe + message spent a minimum time-in-queue before falling back to + plaintext. Problem reported by Serg. File: smtp/smtp.h. + +20230819 + + Bugfix (defect introduced: 19980207): the valid_hostname() + check in the Postfix DNS client library was blocking unusual + but legitimate wildcard names (*.name) in some DNS lookup + results and lookup requests. Examples: + + name class/type value + *.one.example IN CNAME *.other.example + *.other.example IN A 10.0.0.1 + *.other.example IN TLSA ..certificate info... + + Such syntax is blesed in RFC 1034 section 4.3.3. + + This problem was reported first in the context of TLSA + record lookups. Files: util/valid_hostname.[hc], + dns/dns_lookup.c. + +20230929 + + Bugfix (defect introduced Postfix 2.5, 20080104): the Postfix + SMTP server was waiting for a client command instead of + replying immediately, after a client certificate verification + error in TLS wrappermode. Reported by Andreas Kinzler. File: + smtpd/smtpd.c. + +20231006 + + Usability: the Postfix SMTP server now attempts to log the + SASL username after authentication failure. In Postfix + logging, this appends ", sasl_username=xxx" after the reason + for SASL authentication failure. The logging replaces an + unavailable reason with "(reason unavailable)", and replaces + an unavailable sasl_username with "(unavailable)". Based + on code by Jozsef Kadlecsik. Files: xsasl/xsasl_server.c, + xsasl/xsasl_cyrus_server.c, smtpd/smtpd_sasl_glue.c. + +20231026 + + Bugfix (defect introduced: Postfix 2.11): in forward_path, + the expression ${recipient_delimiter} would expand to an + empty string when a recipient address had no recipient + delimiter. Fixed by restoring Postfix 2.10 behavior to use + a configured recipient delimiter value. Reported by Tod + A. Sandman. Files: proto/postconf.proto, local/local_expand.c. + +20240109 + + Security (outbound SMTP smuggling): with the default setting + "cleanup_replace_stray_cr_lf = yes" Postfix will replace + stray <CR> or <LF> characters in message content with a + space character. This prevents Postfix from enabling + outbound (remote) SMTP smuggling, and it also makes evaluation + of Postfix-added DKIM etc. signatures independent from how + a remote mail server handles stray <CR> or <LF> characters. + Files: global/mail_params.h, cleanup/cleanup.c, + cleanup/cleanup_message.c, mantools/postlink, proto/postconf.proto. + +20240112 + + Security (inbound SMTP smuggling): with "smtpd_forbid_bare_newline + = normalize" (default "no" for Postfix < 3.9), the Postfix + SMTP server requires the standard End-of-DATA sequence + <CR><LF>.<CR><LF>, and otherwise allows command or message + content lines ending in the non-standard <LF>, processing + them as if the client sent the standard <CR><LF>. + + The alternative setting, "smtpd_forbid_bare_newline = reject" + will reject any command or message that contains a bare + <LF>, and is more likely to cause problems with legitimate + clients. + + For backwards compatibility, local clients are excluded by + default with "smtpd_forbid_bare_newline_exclusions = + $mynetworks". + + Files: mantools/postlink, proto/postconf.proto, + global/mail_params.h, global/smtp_stream.c, global/smtp_stream.h, + smtpd/smtpd.c, smtpd/smtpd_check.[hc]. |