This is the Postfix 3.8 stable release.

The stable Postfix release is called postfix-3.8.x where 3=major
release number, 8=minor release number, x=patchlevel. The stable
release never changes except for patches that address bugs or
emergencies. Patches change the patchlevel and the release date.

New features are developed in snapshot releases. These are called
postfix-3.9-yyyymmdd where yyyymmdd is the release date (yyyy=year,
mm=month, dd=day). Patches are never issued for snapshot releases;
instead, a new snapshot is released.

The mail_release_date configuration parameter (format: yyyymmdd)
specifies the release date of a stable release or snapshot release.

If you upgrade from Postfix 3.6 or earlier, please read RELEASE_NOTES-3.7
before proceeding.

Dual license
------------

As of Postfix 3.2.5 this software is distributed with a dual license:
in addition to the historical IBM Public License (IPL) 1.0, it is
now also distributed with the more recent Eclipse Public License
(EPL) 2.0. Recipients can choose to take the software under the
license of their choice. Those who are more comfortable with the
IPL can continue with that license.

Incompatibility with Postfix 3.8.5, 3.7.10, 3.6.14, and 3.5.24
==============================================================

Improvements for outbound SMTP smuggling defense:

- With "cleanup_replace_stray_cr_lf = yes" (the default), the cleanup
  daemon replaces each stray <CR> or <LF> character in message
  content with a space character. The replacement happens before
  any other content management (header/body_checks, Milters, etc).

  This prevents outbound SMTP smuggling, where an attacker uses
  Postfix to send email containing a non-standard End-of-DATA
  sequence, to exploit inbound SMTP smuggling at a vulnerable remote
  SMTP server.

  This also improves the remote evaluation of Postfix-added DKIM
  and other signatures, as the evaluation result will not depend
  on how a remote email server handles stray <CR> or <LF> characters.

This feature applies to all email that Postfix locally or remotely
sends out. It is not allowlisted based on client identity.
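
The replacement described above, sketched as an added Python example (not Postfix code). It models message content as wire-format bytes; the two "receiver" line splitters and the digest are assumptions used to show why a signature check no longer depends on how a receiver treats stray <CR> or <LF>.

```python
import hashlib
import re

# A stray <CR> is one not followed by <LF>; a stray <LF> is one not
# preceded by <CR>. Only the <CR><LF> pair is a standard line ending.
_STRAY = re.compile(rb"\r(?!\n)|(?<!\r)\n")
_ANY_EOL = re.compile(rb"\r\n|\r|\n")

def replace_stray_cr_lf(content: bytes) -> bytes:
    """Replace each stray <CR> or <LF> with a space character."""
    return _STRAY.sub(b" ", content)

def lines_strict(content: bytes):
    """Hypothetical receiver that ends lines only at <CR><LF>."""
    return content.split(b"\r\n")

def lines_lenient(content: bytes):
    """Hypothetical receiver that also ends lines at a bare <CR> or <LF>."""
    return _ANY_EOL.split(content)

def body_digest(lines) -> str:
    """Digest over the lines as a receiver sees them (stand-in for a body hash)."""
    return hashlib.sha256(b"\r\n".join(lines)).hexdigest()

def receivers_agree(content: bytes) -> bool:
    """True when both receivers compute the same digest for the content."""
    return body_digest(lines_strict(content)) == body_digest(lines_lenient(content))

# Constructed sample: one stray <LF> and one stray <CR> inside the content.
RAW = b"line one\r\nline two\nline three\rline four\r\n"

if __name__ == "__main__":
    print("before:", receivers_agree(RAW))
    print("after: ", receivers_agree(replace_stray_cr_lf(RAW)))
```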

Major changes with Postfix 3.8.5, 3.7.10, 3.6.14, and 3.5.24
============================================================

Improvements for inbound SMTP smuggling defense:

- Better compatibility: the recommended setting "smtpd_forbid_bare_newline
  = normalize" requires the standard End-of-DATA sequence
  <CR><LF>.<CR><LF>, but allows bare newlines from SMTP clients,
  maintaining more compatibility with existing infrastructure.

- Improved logging for rejected input (it now includes queue ID,
  helo, mail, and rcpt, if available).

- The setting "smtpd_forbid_bare_newline = reject" requires
  that input lines end in <CR><LF>, requires the standard End-of-DATA
  sequence <CR><LF>.<CR><LF>, and rejects a command or message that
  contains a bare newline. To disconnect the client, specify
  "smtpd_forbid_bare_newline_reject_code = 521".

- The Postfix SMTP server no longer strips extra <CR> as in
  <CR><LF>.<CR><CR><LF>, to silence false alarms from test tools
  that send attack sequences that real mail servers cannot send.
  Details at https://www.postfix.org/false-smuggling-claims.html

- The old setting "yes" has become an alias for "normalize".

- The old setting "no" has not changed, and allows SMTP smuggling.

The recommended settings are now:

    # Require the standard End-of-DATA sequence <CR><LF>.<CR><LF>.
    # Otherwise, allow bare <LF> and process it as if the client sent
    # <CR><LF>.
    #
    # This maintains compatibility with many legitimate SMTP client
    # applications that send a mix of standard and non-standard line
    # endings, but will fail to receive email from client implementations
    # that do not terminate DATA content with the standard End-of-DATA
    # sequence <CR><LF>.<CR><LF>.
    #
    # Such clients can be allowlisted with smtpd_forbid_bare_newline_exclusions.
    # The example below allowlists SMTP clients in trusted networks.
    #
    smtpd_forbid_bare_newline = normalize
    smtpd_forbid_bare_newline_exclusions = $mynetworks

Alternative settings:

    # Reject input lines that contain <LF> and log a "bare <LF> received"
    # error. Require that input lines end in <CR><LF>, and require the
    # standard End-of-DATA sequence <CR><LF>.<CR><LF>.
    #
    # This will reject email from SMTP clients that send any non-standard
    # line endings such as web applications, netcat, or load balancer
    # health checks.
    #
    # This will also reject email from services that use BDAT to send
    # MIME text containing a bare newline (RFC 3030 Section 3 requires
    # canonical MIME format for text message types, defined in RFC 2045
    # Sections 2.7 and 2.8).
    #
    # Such clients can be allowlisted with smtpd_forbid_bare_newline_exclusions.
    # The example below allowlists SMTP clients in trusted networks.
    #
    smtpd_forbid_bare_newline = reject
    smtpd_forbid_bare_newline_exclusions = $mynetworks
    #
    # Alternatively, in the case of BDAT violations, BDAT can be selectively
    # disabled with smtpd_discard_ehlo_keyword_address_maps, or globally
    # disabled with smtpd_discard_ehlo_keywords.
    #
    # smtpd_discard_ehlo_keyword_address_maps = cidr:/path/to/file
    # /path/to/file:
    #     10.0.0.0/24 chunking, silent-discard
    # smtpd_discard_ehlo_keywords = chunking, silent-discard
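
How the three settings differ when reading DATA content, as an added Python model (not Postfix source code). The function name, the sample input, and the lenient handling under "no" (any "." line ends DATA) are assumptions made for illustration.

```python
class BareNewline(Exception):
    """Raised in "reject" mode: a line ended in <LF> without <CR>."""

def read_data(stream: bytes, mode: str = "normalize"):
    """Read one message from the bytes that follow the DATA command.

    Returns (content_lines, leftover). The server parses `leftover`
    next, as SMTP commands, so it must not contain message content.
    """
    lines, pos = [], 0
    prev_std = True                  # the DATA command line ended in <CR><LF>
    while True:
        lf = stream.find(b"\n", pos)
        if lf < 0:
            raise ValueError("End-of-DATA not seen")
        std = lf > pos and stream[lf - 1] == 0x0D    # line ends in <CR><LF>
        line = stream[pos:lf - 1] if std else stream[pos:lf]
        pos = lf + 1
        if not std and mode == "reject":
            raise BareNewline("bare <LF> received")
        # "no" (assumed lenient model): any "." line ends DATA.
        # Other modes: only <CR><LF>.<CR><LF> ends DATA.
        if line == b"." and (mode == "no" or (std and prev_std)):
            return lines, stream[pos:]
        lines.append(line)           # a non-standard "." line stays content
        prev_std = std

# Constructed input: a "." line after a bare <LF>, then the standard sequence.
SAMPLE = (b"Subject: test\r\n\r\nfirst part\n.\r\n"
          b"second part\r\n.\r\nQUIT\r\n")

if __name__ == "__main__":
    for mode in ("no", "normalize", "reject"):
        try:
            content, leftover = read_data(SAMPLE, mode)
            print(mode, len(content), "lines, leftover:", leftover)
        except BareNewline as err:
            print(mode, "rejected:", err)
```

With "no", the model hands "second part" and everything after it to the command parser; with "normalize", the whole message stays content and only QUIT is left over.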

Major changes with Postfix 3.8.1
================================

Security: the Postfix SMTP server optionally disconnects remote
SMTP clients that violate RFC 2920 (or 5321) command pipelining
constraints. The server replies with "554 5.5.0 Error: SMTP protocol
synchronization" and logs the unexpected remote SMTP client input.
Specify "smtpd_forbid_unauth_pipelining = yes" to enable. This
feature is enabled by default in Postfix 3.9 and later.

Workaround to limit collateral damage from OS distributions that
crank up security to 11, increasing the number of plaintext email
deliveries. This introduces basic OpenSSL configuration file support,
with two new parameters "tls_config_file" and "tls_config_name".
Details are in the postconf(5) manpage under "tls_config_file" and
"tls_config_name".

Major changes - documentation and code cleanup
----------------------------------------------

There are numerous small fixes to Postfix documentation, and small
code-health changes that should not affect documented behavior but
may improve Postfix behavior for malformed input, or that make
Postfix easier to maintain. See the HISTORY file for details.

Major changes - SRV support
---------------------------

[Feature 20230214] Support to look up DNS SRV records in the Postfix
SMTP/LMTP client. Based on code by Tomas Korbar (Red Hat).

For example, with "use_srv_lookup = submission" and "relayhost =
example.com:submission", the Postfix SMTP client will look up DNS
SRV records for _submission._tcp.example.com, and will relay email
through the hosts and ports that are specified with those records.

See https://www.postfix.org/postconf.5.html#use_srv_lookup for more
details, including how to selectively use SRV in a configuration
that connects to multiple ISP accounts.

SRV support may also be useful inside a cloud-based infrastructure
when Postfix needs to deliver mail to services that run on a
dynamically-allocated port.

Major changes - TLS support
---------------------------

[Incompat 20230304] This introduces the following changes:

- Postfix treats the "export" and "low" cipher grade settings as
  "medium". The "export" and "low" grades are no longer supported
  in OpenSSL 1.1.1, the minimum version that Postfix requires.

- Postfix default settings now exclude the following deprecated or
  unused ciphers (SEED, IDEA, 3DES, RC2, RC4, RC5), digest (MD5),
  key exchange algorithms (DH, ECDH), and public key algorithm
  (DSS).

[Feature 20230108] New configuration parameter tls_ffdhe_auto_groups
for finite-field Diffie-Hellman ephemeral (FFDHE) support in TLS
1.3 with OpenSSL 3.0.

Major changes - attack resistance
---------------------------------

[Feature 20240312] the Postfix SMTP server can now aggregate
smtpd_client_*_rate and smtpd_client_*_count statistics by network
block, as specified with smtpd_client_ipv4_prefix_length (default
32, no aggregation) and smtpd_client_ipv6_prefix_length (default
84, aggregation by /84 network blocks). The latter raises the bar
for a memory exhaustion attack.
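
The effect of prefix aggregation on the size of a per-client table, as an added Python example (not Postfix code). The function names and the client addresses, taken from the 2001:db8::/32 and 192.0.2.0/24 documentation ranges, are constructed for illustration.

```python
import ipaddress

def rate_key(client_addr: str, v4_len: int = 32, v6_len: int = 84) -> str:
    """Map a client address to the network block its statistics are kept under."""
    ip = ipaddress.ip_address(client_addr)
    plen = v4_len if ip.version == 4 else v6_len
    # strict=False masks off the host bits instead of raising an error.
    return str(ipaddress.ip_network(f"{ip}/{plen}", strict=False))

def count_by_block(clients, v4_len: int = 32, v6_len: int = 84) -> dict:
    """Count connections per block; one table entry per distinct block."""
    table = {}
    for addr in clients:
        key = rate_key(addr, v4_len, v6_len)
        table[key] = table.get(key, 0) + 1
    return table

def constructed_clients(n: int = 1000):
    """n distinct IPv6 addresses that all fall inside one /84 block."""
    base = int(ipaddress.ip_address("2001:db8::"))
    return [str(ipaddress.ip_address(base + i * 0x10001)) for i in range(n)]

if __name__ == "__main__":
    clients = constructed_clients()
    # Without aggregation every address gets its own table entry.
    print("entries at /128:", len(count_by_block(clients, v6_len=128)))
    # With the default /84 the same clients share one entry and one counter.
    print("entries at /84: ", len(count_by_block(clients)))
```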

[Feature 20221023] Unconditionally disable a CPU resource attack
requesting TLS renegotiation. There's no good reason to support
this in the middle of an SMTP connection.

Major changes - bit rot
-----------------------

[Incompat 20221228] Postfix documentation and code have been converted
to use "grep -E" and "grep -F" instead of the historical forms
"egrep" and "fgrep". To build Postfix on a system that supports
only the historical forms, run the script auxiliary/fix-grep/fix-grep.sh
to revert this change.

Major changes - configuration checks
------------------------------------

[Feature 20240406] The postconf command now warns for #comment in
or after a Postfix parameter value. Postfix programs do not support
#comment after other text, and treat that as input.
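
A pre-deployment check for this mistake, as an added Python example (not the postconf implementation). It assumes the main.cf line rules from postconf(5): a line whose first non-whitespace character is "#" is a comment, and a line that starts with whitespace continues the previous logical line. The token heuristic and the sample file are constructed for illustration.

```python
def find_value_comments(main_cf: str):
    """Return [(parameter, value)] for values that contain a '#' token."""
    logical, findings = [], []
    for raw in main_cf.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                            # blank or whole-line comment
        if raw[0] in " \t" and logical:
            logical[-1] += " " + raw.strip()    # continuation of previous line
        else:
            logical.append(raw.strip())
    for entry in logical:
        name, sep, value = entry.partition("=")
        # Heuristic: a token that starts with '#' was probably meant as a
        # comment, but Postfix programs would read it as part of the value.
        if sep and any(tok.startswith("#") for tok in value.split()):
            findings.append((name.strip(), value.strip()))
    return findings

# Constructed main.cf fragment.
SAMPLE_MAIN_CF = """\
# whole-line comment: ignored
smtpd_forbid_bare_newline = normalize   # recommended
smtpd_forbid_bare_newline_exclusions =
    $mynetworks
    # comment line inside a multi-line value: ignored
    192.0.2.0/24 #lab
smtpd_forbid_unauth_pipelining = yes
"""

if __name__ == "__main__":
    for name, value in find_value_comments(SAMPLE_MAIN_CF):
        print(f"warning: {name}: '#' text is treated as input: {value!r}")
```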

Major changes - database support
--------------------------------

[Incompat 20220509] The PostgreSQL client encoding is now configurable
with the "encoding" Postfix configuration file attribute. The default
is "UTF8". Previously the encoding was hard-coded as "LATIN1".

Major changes - logging
-----------------------

[Incompat 20230308] The postfix(1) and postlog(1) commands now
produce stderr logging even when stderr is not connected to a
terminal. This eliminates an inconsistency, and makes these programs
easier to use in some automated procedures. The canonical example
is to capture output from "postmulti -p status" to figure out which
instances are or are not running.

Major changes - source code organization
----------------------------------------

[Incompat 20220507] Most global/mkmap*.[hc] files are moved to the
util directory; only global/mkmap_proxy.* remains. The old file
organization was designed before support for dynamically-loadable
databases was added, and that code suffered from complexity.