From a848231ae0f346dc7cc000973fbeb65b0894ee92 Mon Sep 17 00:00:00 2001
From: Daniel Baumann
Date: Wed, 10 Apr 2024 21:59:03 +0200
Subject: Adding upstream version 3.8.5.

Signed-off-by: Daniel Baumann
---
 RELEASE_NOTES | 243 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 243 insertions(+)
 create mode 100644 RELEASE_NOTES

(limited to 'RELEASE_NOTES')

diff --git a/RELEASE_NOTES b/RELEASE_NOTES
new file mode 100644
index 0000000..0a23bf8
--- /dev/null
+++ b/RELEASE_NOTES
@@ -0,0 +1,243 @@ +This is the Postfix 3.8 stable release. + +The stable Postfix release is called postfix-3.8.x where 3=major +release number, 8=minor release number, x=patchlevel. The stable +release never changes except for patches that address bugs or +emergencies. Patches change the patchlevel and the release date. + +New features are developed in snapshot releases. These are called +postfix-3.9-yyyymmdd where yyyymmdd is the release date (yyyy=year, +mm=month, dd=day). Patches are never issued for snapshot releases; +instead, a new snapshot is released. + +The mail_release_date configuration parameter (format: yyyymmdd) +specifies the release date of a stable release or snapshot release. + +If you upgrade from Postfix 3.6 or earlier, please read RELEASE_NOTES-3.7 +before proceeding. + +Dual license +------------ + +As of Postfix 3.2.5 this software is distributed with a dual license: +in addition to the historical IBM Public License (IPL) 1.0, it is +now also distributed with the more recent Eclipse Public License +(EPL) 2.0. Recipients can choose to take the software under the +license of their choice. Those who are more comfortable with the +IPL can continue with that license. + +Incompatibility with Postfix 3.8.5, 3.7.10, 3.6.14, and 3.5.24 +============================================================== + +Improvements for outbound SMTP smuggling defense: + +- With "cleanup_replace_stray_cr_lf = yes" (the default), the cleanup + daemon replaces each stray or character in message + content with a space character. The replacement happens before + any other content management (header/body_checks, Milters, etc). + + This prevents outbound SMTP smuggling, where an attacker uses + Postfix to send email containing a non-standard End-of-DATA + sequence, to exploit inbound SMTP smuggling at a vulnerable remote + SMTP server. 
+ + This also improves the remote evaluation of Postfix-added DKIM + and other signatures, as the evaluation result will not depend + on how a remote email server handles stray or characters. + +This feature applies to all email that Postfix locally or remotely +sends out. It is not allowlisted based on client identity. + +Major changes with Postfix 3.8.5, 3.7.10, 3.6.14, and 3.5.24 +============================================================ + +Improvements for inbound SMTP smuggling defense: + +- Better compatibility: the recommended setting "smtpd_forbid_bare_newline + = normalize" requires the standard End-of-DATA sequence + ., but allows bare newlines from SMTP clients, + maintaining more compatibility with existing infrastructure. + +- Improved logging for rejected input (it now includes queue ID, + helo, mail, and rcpt, if available). + +- The setting "smtpd_forbid_bare_newline = reject" requires + that input lines end in , requires the standard End-of-DATA + sequence ., and rejects a command or message that + contains a bare newline. To disconnect the client, specify + "smtpd_forbid_bare_newline_reject_code = 521". + +- The Postfix SMTP server no longer strips extra as in + ., to silence false alarms from test tools + that send attack sequences that real mail servers cannot send. + Details at https://www.postfix.org/false-smuggling-claims.html + +- The old setting "yes" has become an alias for "normalize". + +- The old setting "no" has not changed, and allows SMTP smuggling. + +The recommended settings are now: + + # Require the standard End-of-DATA sequence .. + # Otherwise, allow bare and process it as if the client sent + # . + # + # This maintains compatibility with many legitimate SMTP client + # applications that send a mix of standard and non-standard line + # endings, but will fail to receive email from client implementations + # that do not terminate DATA content with the standard End-of-DATA + # sequence .. 
+ # + # Such clients can be allowlisted with smtpd_forbid_bare_newline_exclusions. + # The example below allowlists SMTP clients in trusted networks. + # + smtpd_forbid_bare_newline = normalize + smtpd_forbid_bare_newline_exclusions = $mynetworks + +Alternative settings: + + # Reject input lines that contain and log a "bare received" + # error. Require that input lines end in , and require the + # standard End-of-DATA sequence .. + # + # This will reject email from SMTP clients that send any non-standard + # line endings such as web applications, netcat, or load balancer + # health checks. + # + # This will also reject email from services that use BDAT to send + # MIME text containing a bare newline (RFC 3030 Section 3 requires + # canonical MIME format for text message types, defined in RFC 2045 + # Sections 2.7 and 2.8). + # + # Such clients can be allowlisted with smtpd_forbid_bare_newline_exclusions. + # The example below allowlists SMTP clients in trusted networks. + # + smtpd_forbid_bare_newline = reject + smtpd_forbid_bare_newline_exclusions = $mynetworks + # + # Alternatively, in the case of BDAT violations, BDAT can be selectively + # disabled with smtpd_discard_ehlo_keyword_address_maps, or globally + # disabled with smtpd_discard_ehlo_keywords. + # + # smtpd_discard_ehlo_keyword_address_maps = cidr:/path/to/file + # /path/to/file: + # 10.0.0.0/24 chunking, silent-discard + # smtpd_discard_ehlo_keywords = chunking, silent-discard + +Major changes with Postfix 3.8.1 +================================ + +Security: the Postfix SMTP server optionally disconnects remote +SMTP clients that violate RFC 2920 (or 5321) command pipelining +constraints. The server replies with "554 5.5.0 Error: SMTP protocol +synchronization" and logs the unexpected remote SMTP client input. +Specify "smtpd_forbid_unauth_pipelining = yes" to enable. This +feature is enabled by default in Postfix 3.9 and later. 
+ +Workaround to limit collateral damage from OS distributions that +crank up security to 11, increasing the number of plaintext email +deliveries. This introduces basic OpenSSL configuration file support, +with two new parameters "tls_config_file" and "tls_config_name". +Details are in the postconf(5) manpage under "tls_config_file" and +"tls_config_name". + +Major changes - documentation and code cleanup +---------------------------------------------- + +There are numerous small fixes to Postfix documentation, and small +code-health changes that should not affect documented behavior but +may improve Postfix behavior for malformed input, or that make +Postfix easier to maintain. See the HISTORY file for details. + +Major changes - SRV support +--------------------------- + +[Feature 20230214] Support to look up DNS SRV records in the Postfix +SMTP/LMTP client, Based on code by Tomas Korbar (Red Hat). + +For example, with "use_srv_lookup = submission" and "relayhost = +example.com:submission", the Postfix SMTP client will look up DNS +SRV records for _submission._tcp.example.com, and will relay email +through the hosts and ports that are specified with those records. + +See https://www.postfix.org/postconf.5.html#use_srv_lookup for more +details, including how to selectively use SRV in a configuration +that connects to multiple ISP accounts. + +SRV support may also be useful inside a cloud-based infrastructure +when Postfix needs to deliver mail to services that run on a +dynamically-allocated port. + +Major changes - TLS support +--------------------------- + +[Incompat 20230304] This introduces the following changes: + +- Postfix treats the "export" and "low" cipher grade settings as + "medium". The "export" and "low" grades are no longer supported + in OpenSSL 1.1.1, the minimum version that Postfix requires. 
+ +- Postfix default settings now exclude the following deprecated or + unused ciphers (SEED, IDEA, 3DES, RC2, RC4, RC5), digest (MD5), + key exchange algorithms (DH, ECDH), and public key algorithm + (DSS). + +[Feature 20230108] New configuration parameter tls_ffdhe_auto_groups +for finite-field Diffie-Hellman ephemeral (FFDHE) support in TLS +1.3 with OpenSSL 3.0. + +Major changes - attack resistance +--------------------------------- + +[Feature 20240312] the Postfix SMTP server can now aggregate +smtpd_client_*_rate and smtpd_client_*_count statistics by network +block, as specified with smtpd_client_ipv4_prefix_length (default +32, no aggregation) and smtpd_client_ipv6_prefix_length (default +84, aggregation by /84 network blocks). The latter raises the bar +for a memory exhaustion attack. + +[Feature 20221023] Unconditionally disable a CPU resource attack +requesting TLS renegotiation. There's no good reason to support +this in the middle of an SMTP connection. + +Major changes - bit rot +----------------------- + +[Incompat 20221228] Postfix documentation and code have been converted +to use "grep -E" and "grep -F" instead of the historical forms +"egrep" and "fgrep". To build Postfix on a system that supports +only the historical forms, run the script auxiliary/fix-grep/fix-grep.sh +to revert this change. + +Major changes - configuration checks +------------------------------------ + +[Feature 20240406] The postconf command now warns for #comment in +or after a Postfix parameter value. Postfix programs do not support +#comment after other text, and treat that as input. + +Major changes - database support +-------------------------------- + +[Incompat 20220509] The PostgreSQL client encoding is now configurable +with the "encoding" Postfix configuration file attribute. The default +is "UTF8". Previously the encoding was hard-coded as "LATIN1". 
+ +Major changes - logging +----------------------- + +[Incompat 20230308] The postfix(1) and postlog(1) commands now +produce stderr logging even when stderr is not connected to a +terminal. This eliminates an inconsistency, and makes these programs +easier to use in some automated procedures. The canonical example +is to capture output from "postmulti -p status" to figure out which +instances are or are not running. + +Major changes - source code organization +---------------------------------------- + +[Incompat 20220507] Most global/mkmap*.[hc] files are moved to the +util directory; only global/mkmap_proxy.* remains. The old file +organization was designed before support for dynamically-loadable +databases was added, and that code suffered from complexity. + -- cgit v1.2.3
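Review bot: The line-ending tokens are missing from the SMTP smuggling sections of the added notes, which leaves the security guidance ambiguous. Examples are "replaces each stray or character in message content", "requires the standard End-of-DATA sequence ., but allows bare newlines" and "requires that input lines end in ,"; the parameter name cleanup_replace_stray_cr_lf indicates that these passages should name CR and LF. Please confirm that the committed RELEASE_NOTES carries the tokens literally, because as shown an operator cannot tell which End-of-DATA sequence "normalize" and "reject" enforce. Separately, the notes give recommended values for smtpd_forbid_bare_newline but do not say which value this version uses by default, so a changelog entry accompanying this import should state it, and should point out that "smtpd_forbid_bare_newline_exclusions = $mynetworks" exempts those clients from the inbound check, while the outbound cleanup replacement "is not allowlisted based on client identity".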