Diffstat (limited to '')
-rw-r--r-- RELEASE_NOTES 314
-rw-r--r-- RELEASE_NOTES-1.0 746
-rw-r--r-- RELEASE_NOTES-1.1 1087
-rw-r--r-- RELEASE_NOTES-2.0 853
-rw-r--r-- RELEASE_NOTES-2.1 581
-rw-r--r-- RELEASE_NOTES-2.10 268
-rw-r--r-- RELEASE_NOTES-2.11 280
-rw-r--r-- RELEASE_NOTES-2.2 443
-rw-r--r-- RELEASE_NOTES-2.3 761
-rw-r--r-- RELEASE_NOTES-2.4 198
-rw-r--r-- RELEASE_NOTES-2.5 376
-rw-r--r-- RELEASE_NOTES-2.6 300
-rw-r--r-- RELEASE_NOTES-2.7 175
-rw-r--r-- RELEASE_NOTES-2.8 383
-rw-r--r-- RELEASE_NOTES-2.9 352
-rw-r--r-- RELEASE_NOTES-3.0 628
-rw-r--r-- RELEASE_NOTES-3.1 186
-rw-r--r-- RELEASE_NOTES-3.2 180
-rw-r--r-- RELEASE_NOTES-3.3 124
-rw-r--r-- RELEASE_NOTES-3.4 208
-rw-r--r-- RELEASE_NOTES-3.5 157
-rw-r--r-- RELEASE_NOTES-3.6 277
22 files changed, 8877 insertions, 0 deletions
diff --git a/RELEASE_NOTES b/RELEASE_NOTES
new file mode 100644
index 0000000..cd7a519
--- /dev/null
+++ b/RELEASE_NOTES
@@ -0,0 +1,314 @@
+This is the Postfix 3.7 (stable) release.
+
+The stable Postfix release is called postfix-3.7.x where 3=major
+release number, 7=minor release number, x=patchlevel. The stable
+release never changes except for patches that address bugs or
+emergencies. Patches change the patchlevel and the release date.
+
+New features are developed in snapshot releases. These are called
+postfix-3.8-yyyymmdd where yyyymmdd is the release date (yyyy=year,
+mm=month, dd=day). Patches are never issued for snapshot releases;
+instead, a new snapshot is released.
+
+The mail_release_date configuration parameter (format: yyyymmdd)
+specifies the release date of a stable release or snapshot release.
+
+If you upgrade from Postfix 3.5 or earlier, read RELEASE_NOTES-3.6
+before proceeding.
+
+License change
+---------------
+
+This software is distributed with a dual license: in addition to the
+historical IBM Public License 1.0, it is now also distributed with the
+more recent Eclipse Public License 2.0. Recipients can choose to take
+the software under the license of their choice. Those who are more
+comfortable with the IPL can continue with that license.
+
+Incompatibility with Postfix 3.8.5, 3.7.10, 3.6.14, and 3.5.24
+==============================================================
+
+Improvements for outbound SMTP smuggling defense:
+
+- With "cleanup_replace_stray_cr_lf = yes" (the default), the cleanup
+ daemon replaces each stray <CR> or <LF> character in message
+ content with a space character. The replacement happens before
+ any other content management (header/body_checks, Milters, etc).
+
+ This prevents outbound SMTP smuggling, where an attacker uses
+ Postfix to send email containing a non-standard End-of-DATA
+ sequence, to exploit inbound SMTP smuggling at a vulnerable remote
+ SMTP server.
+
+ This also improves the remote evaluation of Postfix-added DKIM
+ and other signatures, as the evaluation result will not depend
+ on how a remote email server handles stray <CR> or <LF> characters.
+
+This feature applies to all email that Postfix locally or remotely
+sends out. It is not allowlisted based on client identity.
+
+Major changes with Postfix 3.8.5, 3.7.10, 3.6.14, and 3.5.24
+============================================================
+
+Improvements for inbound SMTP smuggling defense:
+
+- Better compatibility: the recommended setting "smtpd_forbid_bare_newline
+ = normalize" requires the standard End-of-DATA sequence
+ <CR><LF>.<CR><LF>, but allows bare newlines from SMTP clients,
+ maintaining more compatibility with existing infrastructure.
+
+- Improved logging for rejected input (it now includes queue ID,
+ helo, mail, and rcpt, if available).
+
+- The setting "smtpd_forbid_bare_newline = reject" requires
+ that input lines end in <CR><LF>, requires the standard End-of-DATA
+ sequence <CR><LF>.<CR><LF>, and rejects a command or message that
+ contains a bare newline. To disconnect the client, specify
+ "smtpd_forbid_bare_newline_reject_code = 521".
+
+- The Postfix SMTP server no longer strips extra <CR> as in
+ <CR><LF>.<CR><CR><LF>, to silence false alarms from test tools
+ that send attack sequences that real mail servers cannot send.
+ Details at https://www.postfix.org/false-smuggling-claims.html
+
+- The old setting "yes" has become an alias for "normalize".
+
+- The old setting "no" has not changed, and allows SMTP smuggling.
+
+The recommended settings are now:
+
+ # Require the standard End-of-DATA sequence <CR><LF>.<CR><LF>.
+ # Otherwise, allow bare <LF> and process it as if the client sent
+ # <CR><LF>.
+ #
+ # This maintains compatibility with many legitimate SMTP client
+ # applications that send a mix of standard and non-standard line
+ # endings, but will fail to receive email from client implementations
+ # that do not terminate DATA content with the standard End-of-DATA
+ # sequence <CR><LF>.<CR><LF>.
+ #
+ # Such clients can be allowlisted with smtpd_forbid_bare_newline_exclusions.
+ # The example below allowlists SMTP clients in trusted networks.
+ #
+ smtpd_forbid_bare_newline = normalize
+ smtpd_forbid_bare_newline_exclusions = $mynetworks
+
+Alternative settings:
+
+ # Reject input lines that contain <LF> and log a "bare <LF> received"
+ # error. Require that input lines end in <CR><LF>, and require the
+ # standard End-of-DATA sequence <CR><LF>.<CR><LF>.
+ #
+ # This will reject email from SMTP clients that send any non-standard
+ # line endings such as web applications, netcat, or load balancer
+ # health checks.
+ #
+ # This will also reject email from services that use BDAT to send
+ # MIME text containing a bare newline (RFC 3030 Section 3 requires
+ # canonical MIME format for text message types, defined in RFC 2045
+ # Sections 2.7 and 2.8).
+ #
+ # Such clients can be allowlisted with smtpd_forbid_bare_newline_exclusions.
+ # The example below allowlists SMTP clients in trusted networks.
+ #
+ smtpd_forbid_bare_newline = reject
+ smtpd_forbid_bare_newline_exclusions = $mynetworks
+ #
+ # Alternatively, in the case of BDAT violations, BDAT can be selectively
+ # disabled with smtpd_discard_ehlo_keyword_address_maps, or globally
+ # disabled with smtpd_discard_ehlo_keywords.
+ #
+ # smtpd_discard_ehlo_keyword_address_maps = cidr:/path/to/file
+ # /path/to/file:
+ # 10.0.0.0/24 chunking, silent-discard
+ # smtpd_discard_ehlo_keywords = chunking, silent-discard
+
+Major changes with Postfix 3.7.6
+================================
+
+Security: the Postfix SMTP server optionally disconnects remote
+SMTP clients that violate RFC 2920 (or 5321) command pipelining
+constraints. The server replies with "554 5.5.0 Error: SMTP protocol
+synchronization" and logs the unexpected remote SMTP client input.
+Specify "smtpd_forbid_unauth_pipelining = yes" to enable. This
+feature is enabled by default in Postfix 3.9 and later.
+
+Workaround to limit collateral damage from OS distributions that
+crank up security to 11, increasing the number of plaintext email
+deliveries. This introduces basic OpenSSL configuration file support,
+with two new parameters "tls_config_file" and "tls_config_name".
+Details are in the postconf(5) manpage under "tls_config_file" and
+"tls_config_name".
+
+Bugfix for messages not delivered after "warning: Unexpected record type 'X'
+============================================================================
+
+Due to a bug introduced in Postfix 3.7.0, a message could falsely
+be flagged as corrupt with "warning: Unexpected record type 'X'".
+
+Such messages were moved to the "corrupt" queue directory, where
+they may still be found. See below for instructions to deal with
+these falsely flagged messages.
+
+This could happen for messages with 5000 or more recipients, or
+with fewer recipients on a busy mail server. The problem was first
+reported by Frank Brendel, reproduced by John Alex.
+
+A file in the "corrupt" queue directory may be inspected with the
+command "postcat /var/spool/postfix/corrupt/<filename>. If delivery
+of the file is still desired, the file can be moved back to
+/var/spool/postfix/incoming after updating Postfix and executing
+"postfix reload".
+
+Major changes - configuration
+-----------------------------
+
+[Feature 20210605] Support to inline the content of small cidr:,
+pcre:, and regexp: tables in Postfix parameter values.
+
+Example:
+
+ smtpd_forbidden_commands =
+ CONNECT GET POST regexp:{{/^[^A-Z]/ Thrash}}
+
+This is the new smtpd_forbidden_commands default value. It will
+immediately disconnect a remote SMTP client when a command does not
+start with a letter (a-z or A-Z).
+
+The basic syntax is:
+
+/etc/postfix/main.cf:
+ parameter = .. map-type:{ { rule-1 }, { rule-2 } .. } ..
+
+/etc/postfix/master.cf:
+ .. -o { parameter = .. map-type:{ { rule-1 }, { rule-2 } .. } .. } ..
+
+where map-type is one of cidr, pcre, or regexp.
+
+Postfix ignores whitespace after '{' and before '}', and writes each
+rule as one text line to a nameless in-memory file:
+
+in-memory file:
+ rule-1
+ rule-2
+ ..
+
+Postfix parses the result as if it is a file in /etc/postfix.
+
+Note: if a rule contains $, specify $$ to keep Postfix from trying
+to do $name expansion as it evaluates the parameter value.
+
+Major changes - lmdb support
+----------------------------
+
+[Feature 20210605] Overhauled the LMDB client's error handling, and
+added integration tests for future-proofing. There are no visible
+changes in documented behavior.
+
+Major changes - logging
+-----------------------
+
+[Feature 20210815] To make the maillog_file feature more useful,
+the postlog(1) command is now set-gid postdrop, so that unprivileged
+programs can use it to write logging through the postlogd(8) daemon.
+This required hardening the postlog(1) command against privilege
+escalation attacks. DO NOT turn on the set-gid bit with older
+postlog(1) implementations.
+
+Major changes - pcre2 support
+-----------------------------
+
+[Feature 20211127] Support for the pcre2 library (the legacy pcre
+library is no longer maintained). The Postfix build procedure
+automatically detects if the pcre2 library is installed, and if it
+is unavailable, the Postfix build procedure will detect if the
+legacy pcre library is installed. See PCRE_README if you need to
+build Postfix with a specific library.
+
+Visible differences: some error messages may have a different text,
+and the 'X' pattern flag is no longer supported with pcre2.
+
+Major changes - security
+------------------------
+
+[Feature 20220102] Postfix programs now randomize the initial state
+of in-memory hash tables, to defend against hash collision attacks
+involving a large number of attacker-chosen lookup keys. Presently,
+the only known opportunity for such attacks involves remote SMTP
+client IPv6 addresses in the anvil(8) service. The attack would
+require making hundreds of short-lived connections per second from
+thousands of different IP addresses, because the anvil(8) service
+drops inactive counters after 100s. Other in-memory hash tables
+with attacker-chosen lookup keys are by design limited in size. The
+fix is cheap, and therefore implemented for all Postfix in-memory
+hash tables. Problem reported by Pascal Junod.
+
+[Feature 20211030] The postqueue command now sanitizes non-printable
+characters (such as newlines) in strings before they are formatted
+as json or as legacy output. These outputs are piped into other
+programs that are run by administrative users. This closes a
+hypothetical opportunity for privilege escalation.
+
+[Feature 20210815] Updated defense against remote clients or servers
+that 'trickle' SMTP or LMTP traffic, based on per-request deadlines
+and minimum data rates.
+
+Per-request deadlines:
+
+The new {smtpd,smtp,lmtp}_per_request_deadline parameters replace
+{smtpd,smtp,lmtp}_per_record_deadline, with backwards compatible
+default settings. This defense is enabled by default in the Postfix
+SMTP server in case of overload.
+
+The new smtpd_per_record_deadline parameter limits the combined
+time for the Postfix SMTP server to receive a request and to send
+a response, while the new {smtp,lmtp}_per_record_deadline parameters
+limit the combined time for the Postfix SMTP or LMTP client to send
+a request and to receive a response.
+
+Minimum data rates:
+
+The new smtpd_min_data_rate parameter enforces a minimum plaintext
+data transfer rate for DATA and BDAT requests, but only when
+smtpd_per_record_deadline is enabled. After a read operation transfers
+N plaintext bytes (possibly after TLS decryption), and after the
+DATA or BDAT request deadline is decreased by the elapsed time of
+that read operation, the DATA or BDAT request deadline is increased
+by N/smtpd_min_data_rate seconds. However, the deadline is never
+increased beyond the smtpd_timeout value. The default minimum data
+rate is 500 (bytes/second) but is still subject to change.
+
+The new {smtp,lmtp}_min_data_rate parameters enforce the corresponding
+minimum DATA transfer rates for the Postfix SMTP and LMTP client.
+
+Major changes - tls support
+---------------------------
+
+[Cleanup 20220121] The new tlsproxy_client_security_level parameter
+replaces tlsproxy_client_level, and the new tlsproxy_client_policy_maps
+parameter replaces tlsproxy_client_policy. This is for consistent
+parameter naming (tlsproxy_client_xxx corresponds to smtp_tls_xxx).
+This change was made with backwards-compatible default settings.
+
+[Feature 20210926] Postfix was updated to support OpenSSL 3.0.0 API
+features, and to work around OpenSSL 3.0.0 bit-rot (avoid using
+deprecated API features).
+
+Other code health
+-----------------
+
+[typos] Typo fixes by raf.
+
+[pre-release checks] Added pre-release checks to detect a) new typos
+in documentation and source-code comments, b) missing entries in
+the postfix-files file (some documentation would not be installed),
+c) missing rules in the postlink script (some text would not have
+a hyperlink in documentation), and d) missing map-based $parameter
+names in the proxy_read_maps default value (the proxymap daemon
+would not automatically authorize some proxied maps).
+
+[memory stream] Improved support for memory-based streams made it
+possible to inline small cidr:, pcre:, and regexp: maps in Postfix
+parameter values, and to eliminate some ad-hoc code that converted
+tlsproxy(8) protocol data to or from serialized form.
+
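Review bot: In the "Per-request deadlines" and "Minimum data rates" paragraphs the parameter names contradict each other: the text first says the new {smtpd,smtp,lmtp}_per_request_deadline parameters replace {smtpd,smtp,lmtp}_per_record_deadline, then goes on to describe "The new smtpd_per_record_deadline parameter", "the new {smtp,lmtp}_per_record_deadline parameters", and makes smtpd_min_data_rate apply "only when smtpd_per_record_deadline is enabled". Those three references name the parameter that is being replaced and presumably should read per_request_deadline; as written, an operator can set the old name and assume the minimum data rate defense is active. Two smaller points in the same file: the double quote opened in the heading 'Bugfix for messages not delivered after "warning: Unexpected record type 'X'' and in the sentence starting '"postcat /var/spool/postfix/corrupt/<filename>.' is never closed, and the smtpd_forbid_bare_newline section gives recommended and alternative settings without saying which value is the default at these patch levels, which is the first thing someone upgrading needs to know given that "no" is documented as allowing SMTP smuggling.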
diff --git a/RELEASE_NOTES-1.0 b/RELEASE_NOTES-1.0
new file mode 100644
index 0000000..9fcf519
--- /dev/null
+++ b/RELEASE_NOTES-1.0
@@ -0,0 +1,746 @@
+This is the first official Postfix release that is not called BETA.
+May it help the people who cannot get BETA software past their
+management.
+
+Release 20010228 differs from snapshot 20010228 in that the virtual
+delivery agent and nqmgr queue manager are left out. That software
+will become part of the official release when it has not changed
+in a while.
+
+In the text below, incompatible changes are labeled with the Postfix
+version that introduced the change. If you upgrade from a later
+Postfix version, then you do not have to worry about that particular
+incompatibility.
+
+Major incompatible changes with release-20010228
+================================================
+
+[snapshot-20010225] POSTFIX NO LONGER RELAYS MAIL FOR CLIENTS IN
+THE ENTIRE CLASS A/B/C NETWORK. To get the old behavior, specify
+"mynetworks_style = class" in the main.cf file. The default
+(mynetworks_style = subnet) is to relay for clients in the local
+IP subnet. See conf/main.cf.
+
+[snapshot-20001005, snapshot-20010225] You must execute "postfix
+stop" before installing this release. Some recommended parameter
+settings have changed, and a new entry must be added to the master.cf
+file before you can start Postfix again.
+
+1 - The recommended Postfix configuration no longer uses flat
+ directories for the "incoming" "active", "bounce", and "defer"
+ queue directories. The "flush" directory for the new "flush"
+ service directory should not be flat either.
+
+ Upon start-up, Postfix checks if the hash_queue_names configuration
+ parameter is properly set up, and will add any queue directory
+ names that are missing.
+
+2 - In order to improve performance of one-to-one mail deliveries
+ the queue manager will now look at up to 10000 queue files
+ (was: 1000). The default qmgr_message_active_limit setting
+ was changed accordingly.
+
+ If you have a non-default qmgr_message_active_limit in main.cf,
+ you may want adjust it.
+
+3 - The new "flush" service needs to be configured in master.cf.
+
+ Upon start-up, Postfix checks if the new "flush" service is
+ configured in the master.cf file, and will add an entry if it
+ is missing.
+
+Should you wish to back out to a previous Postfix release there is
+no need to undo the above queue configuration changes.
+
+[snapshot-20000921] The protocol between queue manager and delivery
+agents has changed. This means that you cannot mix the Postfix
+queue manager or delivery agents with those of Postfix versions
+prior to 20000921. This change does not affect Postfix queue file
+formats.
+
+[snapshot-20000529] This release introduces an incompatible queue
+file format change ONLY when content filtering is enabled (see text
+in FILTER_README). Old Postfix queue files will work fine, but
+queue files with the new content filtering info will not work with
+Postfix versions before 20000529. Postfix logs a warning and moves
+incompatible queue files to the "corrupt" mail queue subdirectory.
+
+Minor incompatible changes with release-20010228
+================================================
+
+[snapshot-20010225] The incoming and deferred queue directories
+are now hashed by default. This improves the performance considerably
+under heavy load, at the cost of a small but noticeable slowdown
+when one runs "mailq" on an unloaded system.
+
+[snapshot-20010222] Postfix no longer automatically delivers
+recipients one at a time when their domain is listed in $mydestination.
+This change solves delivery performance problems with delivery via
+LMTP, with virus scanning, and with firewall relays that forward
+all mail for $mydestination to an inside host.
+
+The "one recipient at a time" delivery behavior is now controlled
+by the per-transport recipient limit (xxx_destination_recipient_limit,
+where xxx is the name of the delivery mechanism). This parameter
+controls the number of recipients that can be sent in one delivery
+(surprise).
+
+The setting of the per-transport recipient limit also controls the
+meaning of the per-transport destination concurrency limit (named
+xxx_destination_concurrency_limit, where xxx is again the name of
+the delivery mechanism):
+
+ 1) When the per-transport recipient limit is 1 (i.e., send one
+ recipient per delivery), the per-transport destination concurrency
+ limit controls the number of simultaneous deliveries to the
+ same recipient. This is the default behavior for delivery via
+ the Postfix local delivery agent.
+
+ 2) When the per-transport recipient limit is > 1 (i.e., send
+ multiple recipients per delivery), the per-transport destination
+ concurrency limit controls the number of simultaneous deliveries
+ to the same domain. This is the default behavior for all other
+ Postfix delivery agents.
+
+[snapshot-20010128] The Postfix local delivery agent now enforces
+mailbox file size limits (default: mailbox_size_limit = 51200000).
+This limit affects all file write access by the local delivery
+agent or by a process run by the local delivery agent. The purpose
+of this parameter is to act as a safety for run-away software. It
+cannot be a substitute for a file quota management system. Specify
+a limit of 0 to disable.
+
+[snapshot-20010128] REJECT in header/body_checks is now flagged as
+policy violation rather than bounce, for consistency in postmaster
+notifications.
+
+[snapshot-20010128] The default RBL (real-time blackhole lists)
+domain examples have been changed from *.vix.com to *.mail-abuse.org.
+
+[snapshot-20001210] Several interfaces of libutil and libglobal
+routines have changed. This may break third-party code written
+for Postfix. In particular, the safe_open() routine has changed,
+the way the preferred locking method is specified in the sys_defs.h
+file, as well as all routines that perform file locking. When
+compiling third-party code written for Postfix, the incompatibilities
+will be detected by the compiler provided that #include file
+dependencies are properly maintained.
+
+[snapshot-20001210] When delivering to /file/name (as directed in
+an alias or .forward file), the local delivery agent now logs a
+warning when it is unable to create a /file/name.lock file. Mail
+is still delivered as before.
+
+[snapshot-20001210] The "sun_mailtool_compatibility" feature is
+going away (a compatibility mode that turns off kernel locks on
+mailbox files). It still works, but a warning is logged. Instead
+of using "sun_mailtool_compatibility", specify the mailbox locking
+strategy as "mailbox_delivery_lock = dotlock".
+
+[snapshot-20001210] The Postfix SMTP client now skips SMTP server
+replies that do not start with "CODE SPACE" or with "CODE HYPHEN"
+and flags them as protocol errors. Older Postfix SMTP clients
+silently treated "CODE TEXT" as "CODE SPACE TEXT", i.e. as a valid
+SMTP reply.
+
+[snapshot-20001121] On RedHat Linux 7.0, you must install the
+db3-devel RPM before you can compile the Postfix source code.
+
+[snapshot-20000924] The postmaster address in the "sorry" text at
+the top of bounced mail is now just postmaster, not postmaster@machine.
+The idea is to refer users to their own postmaster.
+
+[snapshot-20000921] The notation of [host:port] in transport tables
+etc. is going away but it is still supported. The preferred form
+is now [host]:port. This change is necessary to support IPV6
+address forms which use ":" as part of a numeric IP address. In a
+future release, Postfix will log a warning when it encounters the
+[host:port] form.
+
+[snapshot-20000921] In mail headers, Errors-To:, Reply-To: and
+Return-Receipt: addresses are now rewritten as a sender address
+(was: recipient).
+
+[snapshot-20000921] Postfix no longer inserts Sender: message
+headers.
+
+[snapshot-20000921] The queue manager now logs the original number
+of recipients when opening a queue file (example: from=<>, size=3502,
+nrcpt=1).
+
+[snapshot-20000921] The local delivery agent no longer appends a
+blank line to mail that is delivered to external command.
+
+[snapshot-20000921] The pipe delivery agent no longer appends a
+blank line when the F flag is specified (in the master.cf file).
+Specify the B flag if you need that blank line.
+
+[snapshot-20000507] As required by RFC 822, Postfix now inserts a
+generic destination message header when no destination header is
+present. The text is specified via the undisclosed_recipients_header
+configuration parameter (default: "To: undisclosed-recipients:;").
+
+[snapshot-20000507] The Postfix sendmail command treats a line with
+only `.' as the end of input, for the sake of sendmail compatibility.
+To disable this feature, specify the sendmail-compatible `-i' or
+`-oi' flags on the sendmail command line.
+
+[snapshot-20000507] For the sake of Sendmail compatibility, the
+Postfix SMTP client skips over SMTP servers that greet with a 4XX
+or 5XX reply code, treating them as unreachable servers. To obtain
+prior behavior (4XX=retry, 5XX=bounce), specify "smtp_skip_4xx_greeting
+= no" and "smtp_skip_5xx_greeting = no".
+
+Major changes with release-20010228
+===================================
+
+Postfix produces DSN formatted bounced/delayed mail notifications.
+The human-readable text still exists, so that users will not have
+to be unnecessarily confused by all the ugliness of RFC 1894. Full
+DSN support will be later.
+
+This release introduces full content filtering through an external
+process. This involves an incompatible change in queue file format.
+Mail is delivered to content filtering software via an existing
+mail delivery agent, and is re-injected into Postfix via an existing
+mail submission agent. See examples in the FILTER_README file.
+Depending on how the filter is implemented, you can expect to lose
+a factor of 2 to 4 in delivery performance of SMTP transit mail,
+more if the content filtering software needs lots of CPU or memory.
+
+Specify "body_checks = regexp:/etc/postfix/body_checks" for a quick
+and dirty emergency content filter that looks at non-header lines
+one line at a time (including MIME headers inside the message body).
+Details in conf/sample-filter.cf.
+
+The header_checks and body_checks features can be used to strip
+out unwanted data. Specify IGNORE on the right-hand side and the
+data will disappear from the mail.
+
+Support for SASL (RFC 2554) authentication in the SMTP server and
+in the SMTP and LMTP clients. See the SASL_README file for more
+details. This file still needs better examples.
+
+Postfix now ships with an LMTP delivery agent that can deliver over
+local/remote TCP sockets and over local UNIX-domain sockets. The
+LMTP_README file gives example, but still needs to be revised.
+
+Fast "ETRN" and "sendmail -qR". Postfix maintains per-destination
+logfiles with information about what mail is queued for selected
+destinations. See the file ETRN_README for details.
+
+The mailbox locking style is now fully configurable at runtime.
+The new configuration parameter is called "mailbox_delivery_lock".
+Depending on the operating system type, mailboxes can be locked
+with one or more of "flock", "fcntl" or "dotlock". The command
+"postconf -l" shows the available locking styles. The default
+mailbox locking style is system dependent. This change affects
+all mailbox and all "/file/name" deliveries by the Postfix local
+delivery agent.
+
+Minor changes with release-20010228
+===================================
+
+You can now specify multiple SMTP destinations in the relayhost
+and fallback_relay configuration parameters. The destinations are
+tried in the specified order. Specify host or host:port (perform
+MX record lookups), [host] or [host]:port (no MX record lookups),
+[address] or [address]:port (numerical IP address).
+
+The "mailbox_transport" and "fallback_transport" parameters now
+understand the form "transport:nexthop", with suitable defaults
+when either transport or nexthop are omitted, just like in the
+Postfix transport map. This allows you to specify for example,
+"mailbox_transport = lmtp:unix:/file/name".
+
+The local_transport and default_transport configuration parameters
+can now be specified in transport:destination notation, just like
+the mailbox_transport and fallback_transport parameters. The
+:destination part is optional. However, these parameters take only
+one destination, unlike relayhost and fallback-relay which take
+any number of destinations.
+
+More general virtual domain support. Postfix now supports both
+Sendmail-style virtual domains and Postfix-style virtual domains.
+Details and examples are given in the revised virtual manual page.
+
+- With Sendmail-style virtual domains, local users/aliases/mailing
+ lists are visible as localname@virtual.domain. This is convenient
+ if you want to host mailing lists under virtual domains.
+
+- With Postfix-style virtual domains, local users/aliases/mailing
+ lists are not visible as localname@virtual.domain. Each virtual
+ domain has its own separate name space.
+
+More general "soft bounce" feature. Specify "soft_bounce = yes"
+in main.cf to prevent the SMTP server from bouncing mail while you
+are testing configurations. Until this release the SMTP server was
+not aware of soft bounces.
+
+Workarounds for non-standard RFC 2554 (AUTH command) implementations.
+Specify "broken_sasl_auth_clients = yes" to enable SMTP server
+support for old Microsoft client applications. The Postfix SMTP
+client supports non-standard RFC 2554 servers by default.
+
+All time-related configuration parameters now accept a one-letter
+suffix to indicate the time unit (s: second, m: minute, h: hour,
+d: day, w: week). The exceptions are the LDAP and MYSQL modules
+which are maintained separately.
+
+New "import_environment" and "export_environment" configuration
+parameters provide explicit control over what environment variables
+Postfix will import, and what environment variables Postfix will
+pass on to a non-Postfix process.
+
+In order to improve performance of one-to-one deliveries, Postfix
+by default now looks at up to 10000 messages at a time (was: 1000).
+
+Specify "syslog_facility = log_local1" etc. to separate the logging
+from multiple Postfix instances. However, a non-default logging
+facility takes effect only after process initialization. Errors
+during command-line parsing are still logged with the default syslog
+facility, as are errors while processing the main.cf file.
+
+Postfix now strips out Content-Length: headers in incoming mail to
+avoid confusion in mail user agents.
+
+Specify "require_home_directory = yes" to prevent mail from being
+delivered to a user whose home directory is not mounted. This
+feature is implemented by the Postfix local delivery agent.
+
+The pipe mailer has a size limit (size=nnn) command-line argument.
+
+The pipe delivery agent has a configurable end-of-line attribute.
+Specify "pipe ... eol=\r\n" for delivery mechanisms that require
+CRLF record delimiters. The eol attribute understands the following
+C-style escape sequences: \a \b \f \n \r \t \v \nnn \\.
+
+In master.cf you can selectively override main.cf configuration
+parameters, for example: "smtpd -o myhostname=foo.com".
+
+In main.cf, specify "smtp_bind_address=x.x.x.x" to bind SMTP
+connections to a specific local interface. Or override the default
+setting in master.cf with "smtp -o smtp_bind_address=x.x.x.x".
+For now, you must specify a numeric IP address.
+
+Questionable feature: with "smtp_always_send_ehlo = yes", the SMTP
+client sends EHLO regardless of the content of the SMTP server's
+greeting.
+
+Specify "-d key" to postalias or postmap in order to remove one
+key. This still needs to be generalized to multi-key removal (e.g.,
+read keys from stdin).
+
+Comments in Postfix configuration files no longer contain troff
+formatting codes. The text is now generated from prototype files
+in a new "proto" subdirectory.
+
+Major changes with postfix-19991231:
+====================================
+
+- It is now much more difficult to configure Postfix as an open
+relay. The SMTP server requires that "smtpd_recipient_restrictions"
+contains at least one restriction that by default refuses mail (as
+is the default). There were too many accidents with changes to
+the UCE restrictions.
+
+- The relay_domains parameter no longer needs to contain $virtual_maps.
+
+- Overhauled FAQ (html/faq.html) with many more examples.
+
+- Updated UCE documentation (html/uce.html) with more examples.
+More UCE configuration examples in sample configuration files.
+
+- Several little improvements to the installation procedure:
+relative symlinks, configurable directory for scratch files so the
+installation can be done without write access to the build tree.
+
+- Updated LDAP client code (John Hensley).
+
+- Updated mysql client code (Scott Cotton).
+
+- The SMTP server now rejects mail for unknown users in virtual
+domains that are defined by Postfix virtual maps.
+
+- The SMTP server can reject mail for unknown local users. Specify
+"local_recipient_maps = $alias_maps, unix:passwd.byname" if your
+local mail is delivered by a UNIX-style local delivery agent. See
+example in conf/main.cf.
+
+- Use "disable_vrfy_command = yes" to disable the SMTP VRFY command.
+This prevents some forms of address harvesting.
+
+- The sendmail "-f" option now understands <user> and even understands
+forms with RFC 822-style comments.
+
+- New "qmgr_fudge_factor" parameter allows you to balance mailing
+list performance against response time for one-to-one mail. The
+fudge factor controls what percentage of delivery resources Postfix
+will devote to one message. With 100%, delivery of one message
+does not begin before delivery of the previous message is completed.
+This is good for list performance, bad for one-to-one mail. With
+10%, response time for one-to-one mail improves much, but list
+performance suffers: in the worst case, people near the start of a
+mailing list get a burst of postings today, while people near the
+end of the list get that same burst of postings a whole day later.
+
+- It is now relatively safe to configure 550 status codes for the
+main.cf unknown_address_reject_code or unknown_client_reject_code
+parameters. The SMTP server now always sends a 450 (try again)
+reply code when an UCE restriction fails due to a soft DNS error,
+regardless of what main.cf specifies.
+
+- The RBL checks now show the content of TXT records (Simon J Mudd).
+
+- The Postfix SMTP server now understands a wider range of illegal
+address forms in MAIL FROM and RCPT TO commands. In order to disable
+illegal forms, specify "strict_rfc821_envelopes = yes". This also
+disables support for MAIL FROM and RCPT TO addresses without <>.
+
+- Per-client/helo/sender/recipient UCE restrictions (fully-recursive
+UCE restriction parser). See the RESTRICTION_CLASS file for details.
+
+- Use "postmap -q key" or "postalias -q key" for testing Postfix
+lookup tables or alias files.
+
+- Use "postconf -e name=value..." to edit the main.cf file. This
+is easier and safer than editing the main.cf file by hand. The
+edits are done on a temporary copy that is renamed into place.
+
+- Use "postconf -m" to display all supported lookup table types
+(Scott Cotton).
+
+- New "permit_auth_destination" UCE restriction for finer-grained
+access control (Jesper Skriver).
+
+Incompatible changes with postfix-19990906
+==========================================
+
+- On systems that use user.lock files to protect system mailboxes
+against simultaneous updates, Postfix now uses /file/name.lock
+files while delivering to files specified in aliases/forward/include
+files. This is a no-op when the recipient lacks directory write
+permission.
+
+- The LDAP client code no longer looks up a name containing "*"
+because it could be abused. See the LDAP_README file for how to
+restore previous behavior.
+
+- The Postfix to PCRE interface now expects PCRE version 2.08.
+Postfix is no longer compatible with PCRE versions prior to 2.06.
+
+Major changes with postfix-19990906
+===================================
+
+Several bugfixes, none related to security. See the HISTORY file
+for a complete list of changes.
+
+- Postfix is now distributed under IBM Public License Version 1.0
+which does not carry the controversial termination clause. The new
+license does have a requirement that contributors make source code
+available.
+
+- INSTALL.sh install/upgrade procedure that replaces existing
+programs and shell scripts instead of overwriting them, and that
+leaves existing queue files and configuration files alone.
+
+- The ugly Delivered-To: header can now be turned off selectively.
+The default setting is: "prepend_delivered_header = command, file,
+forward". Turning off the Delivered-To: header when forwarding
+mail is not recommended.
+
+- mysql client support by Scott Cotton and Joshua Marcus, Internet
+Consultants Group, Inc. See the file MYSQL_README for instructions.
+
+- reject_unauth_destination SMTP recipient restriction that rejects
+destinations not in $relay_domains. Unlike the check_relay_domains
+restriction, reject_unauth_destination ignores the client hostname.
+By Lamont Jones of Hewlett-Packard.
+
+- reject_unauth_pipelining SMTP *anything* restriction to stop mail
+from spammers that improperly use SMTP command pipelining to speed
+up their deliveries.
+
+- Postfix "sendmail" now issues a warning and drops privileges if
+installed set-uid root.
+
+- No more duplicate delivery when "postfix reload" is immediately
+followed by "sendmail -q".
+
+- No more "invalid argument" errors when a Postfix daemon opens a
+DB/DBM file while some other process is changing the file.
+
+- Portability to the Mac OS X Server, Reliant Unix, AIX 3.2.5 and
+Ultrix 4.3.
+
+Incompatible changes with postfix-19990601:
+===========================================
+
+- The SMTP server now delays all UCE restrictions until the RCPT
+TO, VRFY or ETRN command. This makes the restrictions more useful,
+because many SMTP clients do not expect negative responses earlier
+in the protocol. In order to restore the old behavior, specify
+"smtpd_delay_reject = no" in /etc/postfix/main.cf.
+
+- The Postfix local delivery agent no longer automatically propagates
+address extensions to aliases/include/forward addresses. Specify
+"propagate_unmatched_extensions = canonical, virtual, alias, forward,
+include" to restore the old behavior.
+
+- The Postfix local delivery agent no longer does $name expansion
+on words found in the mailbox_command configuration parameter. This
+makes it easier to specify shell syntax. See conf/main.cf.
+
+- The luser_relay syntax has changed. You can specify one address;
+it is subjected to $user, etc. expansions. See conf/main.cf.
+
+- File system reorganization: daemon executables are now in the
+libexec subdirectory, command executables in the bin subdirectory.
+The INSTALL instructions now recommend installing daemons and
+commands into separate directories.
+
+Major changes with postfix-19990601:
+=====================================
+
+- New USER, EXTENSION, LOCAL, DOMAIN and RECIPIENT environment
+variables for delivery to command (including mailbox_command) by
+the local delivery agent. As you might expect, the information is
+censored. The list of acceptable characters is specified with the
+command_expansion_filter configuration parameter. Unacceptable
+characters are replaced by underscores. See html/local.8.html.
+
+- Specify "forward_path = /var/forward/$user" to avoid looking up
+.forward files in user home directories. The default value is
+$home/.forward$recipient_delimiter$extension, $home/.forward.
+Initial code by Philip A. Prindeville, Mirapoint, Inc., USA.
+
+- Conditional $name expansion in forward_path and luser_relay.
+Available names are: $user (bare user name) $shell (user login
+shell), $home (user home directory), $local (everything to the left
+of @), $extension (optional address extension), $domain (everything
+to the right of @), $recipient (the complete address) and
+$recipient_delimiter. A simple $name expands as usual. ${name?value}
+expands to value when $name is defined. ${name:value} expands to
+value when $name is not defined. With ${name?value} and ${name:value},
+the value is subject to another iteration of $name expansion.
+
+- POSIX regular expression support, enabled by default on 4.4BSD,
+LINUX, HP-UX, and Solaris 2.5 and later. See conf/sample-regexp.cf.
+Initial code by Lamont Jones, Hewlett-Packard, borrowing heavily
+from the PCRE implementation by Andrew McNamara, connect.com.au
+Pty. Ltd., Australia.
+
+- Regular expression checks for message headers. This requires
+support for POSIX or for PCRE regular expressions. Specify
+"header_checks = regexp:/file/name" or "header_checks = pcre:/file/name",
+and specify "/^header-name: badstuff/ REJECT" in the pattern file
+(patterns are case-insensitive by default). Code by Lamont Jones,
+Hewlett-Packard. It is to be expected that full content filtering
+will be delegated to an external command.
+
+- Regular expression support for all lookup tables, including access
+control (full mail addresses only), address rewriting (canonical/virtual,
+full mail addresses only) and transport tables (full domain names
+only). However, regular expressions are not allowed for aliases,
+because that would open up security exposures.
+
+- Automatic detection of changes to DB or DBM lookup tables. This
+eliminates the need to run "postfix reload" after each change to
+the SMTP access table, or to the canonical, virtual, transport or
+aliases tables.
+
+- New error mailer. Specify ".domain.name error:domain is undeliverable"
+in the transport table to bounce mail for entire domains.
+
+- No more Postfix lockups on Solaris (knock on wood). The code no
+longer uses Solaris UNIX-domain sockets, because they are still
+broken, even with Solaris 7.
+
+- Workaround for the Solaris mailtool, which keeps an exclusive
+kernel lock on the mailbox while its window is not iconified (specify
+"sun_mailtool_compatibility = yes" in main.cf).
+
+- Questionable workaround for Solaris, which reportedly loses
+long-lived exclusive locks that are held by the master daemon.
+
+- New reject_unknown_{sender,recipient}_domain restrictions for
+sender and recipient mail addresses that distinguish between soft
+errors (always 450) and hard errors (unknown_address_reject_code,
+default 450).
+
+- MIME-encapsulated bounce messages, making it easier to recover
+bounced mail. Initial implementation by Philip A. Prindeville,
+Mirapoint, Inc., USA. Support for RFC 1892 (multipart/report) and
+RFC 1894 (DSN) will have to wait until Postfix internals have been
+revised to support RFC 1893.
+
+- Separately configurable "postmaster" addresses for single bounces
+(bounce_notice_recipient), double bounces (2bounce_notice_recipient),
+delayed mail (delay_notice_recipient), and for mailer error reports
+(error_notice_recipient). See conf/main.cf.
+
+- Questionable feature: specify "best_mx_transport = local" if
+this machine is the best MX host for domains not in mydestinations.
+
+Incompatible changes with postfix-19990317:
+===========================================
+
+- You MUST install the new version of /etc/postfix/postfix-script.
+
+- The pipe mailer "flags" syntax has changed. You now explicitly
+MUST specify the R flag in order to generate a Return-Path: message
+header (as needed by, for example, cyrus).
+
+Major changes with postfix-19990317:
+====================================
+
+A detailed record of changes is given in the HISTORY file.
+
+- Less postmaster mail. Undeliverable bounce messages (double
+bounces) are now discarded. Specify "notify_classes = 2bounce..."
+to get copies of double bounces. Specify "notify_classes = bounce..."
+to get copies of normal and double bounces.
+
+- Improved LDAP client code by John Hensley of Merit Network, USA.
+See LDAP_README for details.
+
+- Perl-compatible regular expression support for lookup maps by
+Andrew McNamara, connect.com.au Pty. Ltd., Australia.. Example:
+"check_recipient_access pcre:/etc/postfix/sample-pcre.cf". Regular
+expressions provide a powerful tool not only for SMTP access control
+but also for address rewriting. See PCRE_README for details.
+
+- Automatic notification of delayed mail (disabled by default).
+With "delay_warning_time = 4", Postfix informs senders when mail
+has not been delivered after 4 hours. Initial version of the code
+by Daniel Eisenbud, University of California at Berkeley. In order
+to get postmaster copies of such warnings, specify "notify_classes
+= delay...".
+
+- More configurable local delivery: "mail_spool_directory" to
+specify the UNIX mail spool directory; "mailbox_transport" to
+delegate all mailbox delivery to, for example, cyrus, and
+"fallback_transport" to delegate delivery of only non-UNIX users.
+And all this without losing local aliases and local .forward
+processing. See config/main.cf and config/master.cf.
+
+- Several changes to improve Postfix behavior under worst-case
+conditions (frequent Postfix restarts/reloads combined with lots
+if inbound mail, intermittent connectivity problems, SMTP servers
+that become comatose after receiving QUIT).
+
+- More NFS-friendly mailbox delivery. The local delivery agent
+now avoids using root privileges where possible.
+
+- For sites that do not receive mail at all, mydestination can now
+be an empty string. Be sure to set up a transport table entry to
+prevent mail from looping.
+
+- New "postsuper" utility to clean up stale files from Postfix
+queues.
+
+- Workaround for BSD select() collisions that cause performance
+problems on large BSD systems.
+
+- Several questionable but useful features to capture mail:
+"always_bcc = address" to capture a copy of every message that
+enters the system, and "luser_relay = address" to capture mail for
+unknown recipients (does not work when mailbox_transport or
+fallback_transport are being used).
+
+- Junk mail controls: new reject_non_fqdn_{hostname,sender,recipient}
+restrictions to reject non-FQDN arguments in HELO, MAIL FROM and
+RCPT TO commands, and stricter checking of numeric HELO arguments.
+
+- "fallback_relay" feature for sites that use DNS but that can't
+talk to the entire world. The fall-back relay gets the mail when
+a destination is not found in the DNS or when the destination is
+found but not reachable.
+
+- Several questionable controls that can help to keep mail going:
+specify "smtp_skip_4xx_greeting = yes" to skip SMTP servers that
+greet with 4XX, "ignore_mx_lookup_error = yes" to look up an A
+record when a DNS server does not respond to an MX query.
+
+Incompatible changes with postfix-beta-19990122-pl01:
+=====================================================
+
+None.
+
+Major changes with postfix-beta-19990122-pl01:
+==============================================
+
+- Restrict who may use ETRN and what domains may be specified.
+Example: "smtpd_etrn_restrictions = permit_mynetworks, reject".
+
+- BIFF notifications. For compatibility reasons this feature is
+on by default. Specify "biff = no" in main.cf if your machine has
+lots of shell users.
+
+- With "soft_bounce = yes", defer delivery instead of bouncing
+mail. This is a safety net for configuration errors with delivery
+agents. It has no effect on errors in virtual maps, canonical maps,
+or in junk mail restrictions.
+
+- Specify "owner_request_special = no" to turn off special treatment
+of owner-foo and foo-request addresses.
+
+Incompatible changes with postfix-beta-19990122:
+================================================
+
+- The syntax of the transport table has changed. An entry like:
+
+ customer.org smtp:[gateway.customer.org]
+
+ no longer forwards mail for anything.customer.org. For that you
+ need to specify:
+
+ customer.org smtp:[gateway.customer.org]
+ .customer.org smtp:[gateway.customer.org]
+
+ This change makes transport tables more compatible with
+ sendmail mailer tables.
+
+- The format of syslog records has changed. A client is now always
+logged as hostname[address]; the pickup daemon logs queue file uid
+and sender address.
+
+Major changes with postfix-beta-19990122:
+=========================================
+
+- Junk mail restrictions can now be postponed to the RCPT TO command.
+Specify: "smtpd_recipient_restrictions = reject_maps_rbl...".
+
+- More flexible interface for delivery to e.g., cyrus IMAP without
+need for PERL scripts to munge recipient addresses. In addition to
+$sender, $nexthop and $recipient, the pipe mailer now also supports
+$user, $extension and $mailbox.
+
+- New mail now has precedence over deferred mail, plus some other
+tweaks to make bulk mail go faster. But it ain't no cure for massive
+network outages.
+
+- Watchdog timer for systems that cause the Postfix queue manager
+to lock up, so it recovers without human intervention.
+
+- Delivery to qmail-style maildir files, which is good for NFS
+environments. Specify "home_mailbox = Maildir/", or specify
+/file/name/ in aliases or in .forward files. The trailing / is
+required to turn on maildir delivery.
+
+- Incremental updates of aliases and maps. Specify "postmap -i
+mapname" and it will read new entries from stdin.
+
+- Newaliases will now update more than one alias database.
+Specify the names with the main.cf "alias_database" parameter.
+
+- Address masquerading exceptions to prevent users from being
+masqueraded. Specify "masquerade_exceptions = root".
+
+- A pipelined SMTP client. Deliveries to Postfix, qmail, LSOFT,
+zmailer, and exim (once it's fixed) speed up by some 30% for short
+messages with one recipient, with more for multi-recipient mails.
+
+- Hook for local delivery to "|command" via the smrsh restricted
+shell, to restrict what commands may be used in .forward etc. files.
+Specify "local_command_shell = /some/where/smrsh -c".
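Review bot: a few wording slips in the added RELEASE_NOTES-1.0 text are worth fixing, unless this file is meant to stay byte-identical to the release notes it was imported from. In the "Major changes with postfix-19990317" section, "lots if inbound mail" should read "lots of inbound mail", the PCRE credit ends with a doubled period ("Australia.."), and the local-delivery entry points to config/main.cf and config/master.cf while the other entries in this file refer to conf/main.cf. The two postfix-19990906 section headings also lack the trailing colon that the neighbouring section headings carry. If the text is a verbatim import, leave it as it is and say so in the commit message.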
diff --git a/RELEASE_NOTES-1.1 b/RELEASE_NOTES-1.1
new file mode 100644
index 0000000..c6f4611
--- /dev/null
+++ b/RELEASE_NOTES-1.1
@@ -0,0 +1,1087 @@
+In the text below, incompatible changes are labeled with the Postfix
+snapshot that introduced the change. If you upgrade from a later
+Postfix version, then you do not have to worry about that particular
+incompatibility.
+
+Official Postfix releases are called a.b.c where a=major release
+number, b=minor release number, c=patchlevel. Snapshot releases
+are now called a.b.c-yyyymmdd where yyyymmdd is the release date
+(yyyy=year, mm=month, dd=day). The mail_release_date configuration
+parameter contains the release date (both for official release and
+snapshot release). Patches change the patchlevel and the release
+date. Snapshots change only the release date, unless they include
+the same bugfixes as a patch release.
+
+Incompatible changes with Postfix version 1.1.0 (released 20020117)
+===================================================================
+
+Changes are listed in order of decreasing importance, not release
+date.
+
+[snapshot-20010709] This release introduces a new queue file record
+type that is used only for messages that actually use VERP (variable
+envelope return path) support. With this sole exception, the queue
+file format is entirely backwards compatible with the previous
+official Postfix release (20010228, a.k.a. Postfix 1.0.0).
+
+[snapshot-20020106] This release modifies the existing master.cf
+file. The local pickup service is now unprivileged, and the cleanup
+and flush service are now "public". Should you have to back out to
+a previous release, then you must 1) edit the master.cf file, make
+the pickup service "privileged", and make the cleanup and flush
+services "private"; 2) "chmod 755 /var/spool/postfix/public". To
+revert to a world-writable mail submission directory, "chmod 1733
+/var/spool/postfix/maildrop".
+
+[snapshot-20020106, snapshot-20010808, snapshot-20011103,
+snapshot-20011121] You must stop and restart Postfix because of
+incompatible changes in the local Postfix security model and in
+the Postfix internal protocols. Old and new components will not
+work together.
+
+[snapshot-20020106] Simpler local Postfix security model.
+
+- No world-writable maildrop directory. Postfix now always uses
+ the set-gid postdrop command for local mail submissions. The
+ local mail pickup daemon is now an unprivileged process.
+
+- No world-accessible pickup and queue manager server FIFOs.
+
+- New set-gid postqueue command for the queue list/flush operations
+ that used to implemented by the Postfix sendmail command.
+
+[snapshot-20020106..15] Simpler Postfix installation and upgrading.
+
+- All installation settings are now kept in the main.cf file, and
+ better default settings are now generated for system dependent
+ pathnames such as sendmail_path etc. The install.cf file is no
+ longer used, except when upgrading from an older Postfix version.
+
+- Non-default installation parameter settings can (but do not have
+ to) be specified on the "make install" or "make upgrade" command
+ line as name=value arguments.
+
+- New postfix-files database (in /etc/postfix) with (pathname,
+ owner, permission) information about all Postfix-related files.
+
+- New postfix-install script replaces the awkward INSTALL.sh script.
+ This is driven by the postfix-files database. It has better
+ support for building packages for distribution to other systems.
+ See PACKAGE_README for details.
+
+- New post-install script (in /etc/postfix) for post-installation
+ maintenance of directory/file permissions and ownership (this is
+ used by "postfix check"). Example:
+
+ # postfix stop
+ # post-install set-permissions mail_owner=username setgid_group=groupname
+ # postfix start
+
+[snapshot-20020106] Postfix will not run if it detects that the
+postfix user or group ID are shared with other accounts on the
+system. The checks aren't exhaustive (that would be too resource
+consuming) but should be sufficient to encourage packagers and
+developers to do the right thing. To fix the problem, use the above
+post-install command, after you have created the appropriate new
+mail_owner or setgid_group user or group IDs.
+
+[snapshot-20020106] If you run multiple Postfix instances on the
+same machine you now have to specify their configuration directories
+in the default main.cf file as "alternate_config_directories =
+/dir1 /dir2 ...". Otherwise, some Postfix commands will no longer
+work: the set-group ID postdrop command for mail submission and
+the set-group ID postqueue command for queue listing/flushing.
+
+[snapshot-20010808] The default setting for the maps_rbl_domains
+parameter is now "empty", because mail-abuse.org has become a
+subscription-based service. The names of the RBL parameters haven't
+changed.
+
+[snapshot-20020106] Postfix SMTP access maps will no longer return
+OK for non-local multi-domain recipient mail addresses (user@dom1@dom2,
+user%dom1@dom2, etcetera); the lookup now returns DUNNO (undetermined).
+Non-local multi-domain recipient addresses were already prohibited
+from matching the permit_mx_backup and the relay_domains-based
+restrictions.
+
+[snapshot-20011210] Stricter checking of Postfix chroot configurations.
+The Postfix startup procedure now warns if "system" directories
+(etc, bin, lib, usr) under the Postfix top-level queue directory
+are not owned by the super-user (usually the result of well-intended,
+but misguided, applications of "chown -R postfix /var/spool/postfix).
+
+[snapshot-20011008] The Postfix SMTP server now rejects requests
+with a generic "try again later" status (451 Server configuration
+error) when it detects an error in smtp_{client, helo, sender,
+recipient, etrn}_restrictions settings. More details about the
+problem are logged to the syslogd; sending such information to
+random clients would be inappropriate.
+
+[snapshot-20011008] Postfix no longer flushes the entire mail queue
+after receiving an ETRN request for a random domain name. Requests
+for domains that do not match $fast_flush_domains are now rejected
+instead.
+
+[snapshot-20011226] Postfix configuration file comments no longer
+continue on the next line when that next line starts with whitespace.
+This change avoids surprises, but it may cause unexpected behavior
+with existing, improperly formatted, configuration files. Caveat
+user. Comment lines are allowed to begin with whitespace. Multi-line
+input is no longer terminated by a comment line, by an all whitespace
+line, or by an empty line.
+
+[snapshot-20010714] Postfix delivery agents now refuse to create
+a missing maildir or mail spool subdirectory when its parent
+directory is world writable. This is necessary to prevent security
+problems with maildirs or with hashed mailboxes under a world
+writable mail spool directory.
+
+[snapshot-20010525] As per RFC 2821, the Postfix SMTP client now
+always sends EHLO at the beginning of an SMTP session. Specify
+"smtp_always_send_ehlo = no" for the old behavior, which is to send
+EHLO only when the server greeting banner contains the word ESMTP.
+
+[snapshot-20010525] As per RFC 2821, an EHLO command in the middle
+of an SMTP session resets the Postfix SMTP server state just like
+RSET. This behavior cannot be disabled.
+
+[snapshot-20010709] The SMTP client now by default breaks lines >
+2048 characters, to avoid mail delivery problems with fragile SMTP
+server software. To get the old behavior back, specify "smtp_break_lines
+= no" in the Postfix main.cf file.
+
+[snapshot-20010709] With recipient_delimiter=+ (or any character
+other than -) Postfix will now recognize address extensions even
+with owner-foo+extension addresses. This change was necessary to
+make VERP useful for mailing list bounce processing.
+
+[snapshot-20010610] The Postfix pipe delivery agent no longer
+automatically case-folds the expansion of $user, $extension or
+$mailbox command-line macros. Specify the 'u' flag to get the old
+behavior.
+
+[snapshot-20011210] The Postfix sendmail command no longer exits
+with status 1 when mail submission fails, but instead returns a
+sendmail-compatible status code as defined in /usr/include/sysexits.h.
+
+Major changes with Postfix version 1.1.0 (Released 20020117)
+============================================================
+
+Changes are listed in order of decreasing importance, not release
+date.
+
+The nqmgr queue manager is now bundled with Postfix. It implements
+a smarter scheduling strategy that allows ordinary mail to slip
+past mailing list mail, resulting in better response. This queue
+manager is expected to become the default queue manager shortly.
+
+[snapshot-20010709, snapshot-20010808] VERP (variable envelope
+return path) support. This is enabled by default, including in
+the SMTP server. See the VERP_README file for instructions. Specify
+"disable_verp_bounces = yes" to have Postfix send one RFC-standard,
+non-VERP, bounce report for multi-recipient mail, even when VERP
+style delivery was requested. This reduces the explosive behavior
+of bounces when sending mail to a list.
+
+[snapshot-20010709] QMQP server support, so that Postfix can be
+used as a backend mailer for the ezmlm-idx mailing list manager.
+You still need qmail to drive ezmlm and to process mailing list
+bounces. The QMQP service is disabled by default. To enable, follow
+the instructions in the QMQP_README file.
+
+[snapshot-20010709] You can now reject unknown virtual(8) recipients
+at the SMTP port by specifying a "domain.name whatever" entry in
+the tables specified with virtual_mailbox_maps, similar to Postfix
+virtual(5) domains. [virtual(8) is the Postfix virtual delivery
+agent, virtual(5) is the Postfix virtual map. The two implement
+virtual domains in a very different manner.]
+
+[snapshot-20011121] Configurable host/domain name wildcard matching
+behavior: choice between "pattern `domain.name' matches string
+`host.domain.name'" (this is to be deprecated in the future) and
+"pattern `.domain.name' matches string `host.domain.name'" (this
+is to be preferred in the future). The configuration parameter
+"parent_domain_matches_subdomains" specifies which Postfix features
+use the behavior that will become deprecated.
+
+[snapshot-20010808] Variable coupling between message receiving
+rates and message delivery rates. When the message receiving rate
+exceeds the message delivery rate, an SMTP server will pause for
+$in_flow_delay seconds before accepting a message. This delay
+gives Postfix a chance catch up and access the disk, while still
+allowing new mail to arrive. This feature currently has effect
+only when mail arrives via a small number of SMTP clients.
+
+[snapshot-20010610, snapshot-20011121, snapshot-20011210] Workarounds
+for a bug in old versions of the CISCO PIX firewall software that
+caused mail to be resent repeatedly. The workaround has no effect
+for other mail deliveries. The workaround is turned off when mail
+is queued for less than $smtp_pix_workaround_threshold_time seconds
+(default: 500 seconds) so that the workaround is normally enabled
+only for deferred mail. The delay before sending .<CR><LF> is now
+controlled by the $smtp_pix_workaround_delay_time setting (default:
+10 seconds).
+
+[snapshot-20011226] Postfix will now do null address lookups in
+SMTPD access maps. If your access maps cannot store or look up
+null string key values, specify "smtpd_null_access_lookup_key =
+<>" and the null sender address will be looked up as <> instead.
+
+[snapshot-20011210] More usable virtual delivery agent, thanks to
+a new "static" map type by Jeff Miller that always returns its map
+name as the lookup result. This eliminates the need for per-recipient
+user ID and group ID tables. See the VIRTUAL_README file for more
+details.
+
+[snapshot-20011125] Anti-sender spoofing. New main.cf parameter
+smtpd_sender_login_maps that specifies the (SASL) login name that
+owns a MAIL FROM sender address. Specify a regexp table in order
+to require a simple one-to-one mapping. New SMTPD restriction
+reject_sender_login_mismatch that refuses a MAIL FROM address when
+$smtpd_sender_login_maps specifies an owner but the client is not
+(SASL) logged in as the MAIL FROM address owner, or when a client
+is (SASL) logged in but does not own the address according to
+$smtpd_sender_login_maps.
+
+[snapshot-20011121] The mailbox_command_maps parameter allows you
+to configure the external delivery command per user (local delivery
+agent only). This feature has precedence over the mailbox_command
+and home_mailbox settings.
+
+[snapshot-20011121] New "warn_if_reject" smtpd UCE restriction that
+only warns if the restriction that follows would reject mail. Look
+for file records that contain the string "reject_warning".
+
+[snapshot-20011127] New header/body_check result "WARN" to make
+Postfix log a warning about a header/body line without rejecting
+the content.
+
+[snapshot-20011103] In header/body_check files, REJECT can now be
+followed by text that is sent to the originator. That feature was
+stuck waiting for years, pending the internal protocol revision.
+
+[snapshot-20011008] The permit_mx_backup feature allows you to
+specify network address blocks via the permit_mx_backup_networks
+parameter. This requires that the primary MX hosts for the given
+destination match the specified network blocks. When no value is
+given for permit_mx_backup_networks, Postfix will accept mail
+whenever the local MTA is listed in the DNS as an MX relay host
+for a destination, even when you never gave permission to do so.
+
+[snapshot-20010709] Specify "mail_spool_directory = /var/mail/"
+(note the trailing "/" character) to enable maildir format for
+/var/mail/username.
+
+[snapshot-20010808] Finer control over address masquerading. The
+masquerade_classes parameter now controls header and envelope sender
+and recipient addresses. With earlier Postfix versions, address
+masquerading rewrote all addresses except for the envelope recipient.
+
+[snapshot-20010610] The pipe mail delivery agent now supports proper
+quoting of white space and other special characters in the expansions
+of the $sender and $recipient command-line macros. This was necessary
+for correct operation of the "simple" content filter, and is also
+recommended for delivery via UUCP or BSMTP.
+
+[snapshot-20010610] The pipe mail delivery agent now supports case
+folding the localpart and/or domain part of expansions of the
+$nexthop, $recipient, $user, $extension or $mailbox command-line
+macros. This is recommended for mail delivery via UUCP. Bug: $nexthop
+is always case folded because of problems in the queue manager
+code.
+
+[snapshot-20010525] This release contains many little revisions of
+little details in the light of the new RFC 2821 and RFC 2822
+standards. Changes that may affect interoperability are listed
+above under "incompatible changes". Other little details are
+discussed in comments in the source code.
+
+[snapshot-20010502] The Postfix SMTP client now by default randomly
+shuffles destination IP addresses of equal preference (whether
+obtained via MX lookup or otherwise). Reportedly, this is needed
+for sites that use Bernstein's dnscache program. Specify
+"smtp_randomize_addresses = no" to disable this behavior. Based on
+shuffling code by Aleph1.
+
+[snapshot-20011127] New parameter smtpd_noop_commands to specify
+a list of commands that the Postfix SMTP server treats as NOOP
+commands (no syntax check, no state change). This is a workaround
+for misbehaving clients that send unsupported commands such as
+ONEX.
+
+[snapshot-20010502] "postmap -q -" and "postmap -d -" read key
+values from standard input, which makes it easier to drive them
+from another program. The same feature was added to the postalias
+command.
+
+[snapshot-20010502] The postsuper command now has a command-line
+option to delete queue files. In principle this command can be
+used while Postfix is running, but there is a possibility of deleting
+the wrong queue file when Postfix deletes a queue file and reuses
+the queue ID for a new message. In that case, postsuper will delete
+the new message.
+
+[snapshot-20010525] The postsuper queue maintenance tool now renames
+files whose name (queue ID) does not match the message file inode
+number. This is necessary after a Postfix mail queue is restored
+from another machine or from backups. The feature is selected with
+the -s option, which is the default, and runs whenever Postfix is
+started.
+
+[snapshot-20010525] The postsuper queue maintenance tool has a new
+-r (requeue) option for subjecting some or all queue files to
+another iteration of address rewriting. This is useful after the
+virtual or canonical maps have changed.
+
+[snapshot-20010525] The postsuper queue maintenance tool was extended
+with options to read queue IDs from standard input. This makes the
+tool easier to drive from scripts.
+
+[snapshot-20010329] Better support for running multiple Postfix
+instances on one machine. Each instance can be recognized by its
+logging (defaults: "syslog_name = postfix", "syslog_facility =
+mail").
+
+Major incompatible changes with release-20010228 Patch 01 (a.k.a. Postfix 1.0.1)
+================================================================================
+
+This release changes the names of the "fast ETRN" logfiles with
+delayed mail per destination. These files are maintained by the
+Postfix "fast flush" daemon. The old scheme failed with addresses
+of the form user@[ip.address] and user@a.domain.name. In order to
+populate the new "fast ETRN" logfiles, execute the command "sendmail
+-q". The old "fast ETRN" logfiles go away by themselves (default:
+after 7 days).
+
+Major incompatible changes with release-20010228 (a.k.a. Postfix 1.0.0)
+=======================================================================
+
+[snapshot-20010225] POSTFIX NO LONGER RELAYS MAIL FOR CLIENTS IN
+THE ENTIRE CLASS A/B/C NETWORK. To get the old behavior, specify
+"mynetworks_style = class" in the main.cf file. The default
+(mynetworks_style = subnet) is to relay for clients in the local
+IP subnet. See conf/main.cf.
+
+[snapshot-20001005, snapshot-20010225] You must execute "postfix
+stop" before installing this release. Some recommended parameter
+settings have changed, and a new entry must be added to the master.cf
+file before you can start Postfix again.
+
+1 - The recommended Postfix configuration no longer uses flat
+ directories for the "incoming" "active", "bounce", and "defer"
+ queue directories. The "flush" directory for the new "flush"
+ service directory should not be flat either.
+
+ Upon start-up, Postfix checks if the hash_queue_names configuration
+ parameter is properly set up, and will add any queue directory
+ names that are missing.
+
+2 - In order to improve performance of one-to-one mail deliveries
+ the queue manager will now look at up to 10000 queue files
+ (was: 1000). The default qmgr_message_active_limit setting
+ was changed accordingly.
+
+ If you have a non-default qmgr_message_active_limit in main.cf,
+ you may want adjust it.
+
+3 - The new "flush" service needs to be configured in master.cf.
+
+ Upon start-up, Postfix checks if the new "flush" service is
+ configured in the master.cf file, and will add an entry if it
+ is missing.
+
+Should you wish to back out to a previous Postfix release there is
+no need to undo the above queue configuration changes.
+
+[snapshot-20000921] The protocol between queue manager and delivery
+agents has changed. This means that you cannot mix the Postfix
+queue manager or delivery agents with those of Postfix versions
+prior to 20000921. This change does not affect Postfix queue file
+formats.
+
+[snapshot-20000529] This release introduces an incompatible queue
+file format change ONLY when content filtering is enabled (see text
+in FILTER_README). Old Postfix queue files will work fine, but
+queue files with the new content filtering info will not work with
+Postfix versions before 20000529. Postfix logs a warning and moves
+incompatible queue files to the "corrupt" mail queue subdirectory.
+
+Minor incompatible changes with release-20010228
+================================================
+
+[snapshot-20010225] The incoming and deferred queue directories
+are now hashed by default. This improves the performance considerably
+under heavy load, at the cost of a small but noticeable slowdown
+when one runs "mailq" on an unloaded system.
+
+[snapshot-20010222] Postfix no longer automatically delivers
+recipients one at a time when their domain is listed in $mydestination.
+This change solves delivery performance problems with delivery via
+LMTP, with virus scanning, and with firewall relays that forward
+all mail for $mydestination to an inside host.
+
+The "one recipient at a time" delivery behavior is now controlled
+by the per-transport recipient limit (xxx_destination_recipient_limit,
+where xxx is the name of the delivery mechanism). This parameter
+controls the number of recipients that can be sent in one delivery
+(surprise).
+
+The setting of the per-transport recipient limit also controls the
+meaning of the per-transport destination concurrency limit (named
+xxx_destination_concurrency_limit, where xxx is again the name of
+the delivery mechanism):
+
+ 1) When the per-transport recipient limit is 1 (i.e., send one
+ recipient per delivery), the per-transport destination concurrency
+ limit controls the number of simultaneous deliveries to the
+ same recipient. This is the default behavior for delivery via
+ the Postfix local delivery agent.
+
+ 2) When the per-transport recipient limit is > 1 (i.e., send
+ multiple recipients per delivery), the per-transport destination
+ concurrency limit controls the number of simultaneous deliveries
+ to the same domain. This is the default behavior for all other
+ Postfix delivery agents.
+
+[snapshot-20010128] The Postfix local delivery agent now enforces
+mailbox file size limits (default: mailbox_size_limit = 51200000).
+This limit affects all file write access by the local delivery
+agent or by a process run by the local delivery agent. The purpose
+of this parameter is to act as a safety for run-away software. It
+cannot be a substitute for a file quota management system. Specify
+a limit of 0 to disable.
+
+[snapshot-20010128] REJECT in header/body_checks is now flagged as
+policy violation rather than bounce, for consistency in postmaster
+notifications.
+
+[snapshot-20010128] The default RBL (real-time blackhole lists)
+domain examples have been changed from *.vix.com to *.mail-abuse.org.
+
+[snapshot-20001210] Several interfaces of libutil and libglobal
+routines have changed. This may break third-party code written
+for Postfix. In particular, the safe_open() routine has changed,
+the way the preferred locking method is specified in the sys_defs.h
+file, as well as all routines that perform file locking. When
+compiling third-party code written for Postfix, the incompatibilities
+will be detected by the compiler provided that #include file
+dependencies are properly maintained.
+
+[snapshot-20001210] When delivering to /file/name (as directed in
+an alias or .forward file), the local delivery agent now logs a
+warning when it is unable to create a /file/name.lock file. Mail
+is still delivered as before.
+
+[snapshot-20001210] The "sun_mailtool_compatibility" feature is
+going away (a compatibility mode that turns off kernel locks on
+mailbox files). It still works, but a warning is logged. Instead
+of using "sun_mailtool_compatibility", specify the mailbox locking
+strategy as "mailbox_delivery_lock = dotlock".
+
+[snapshot-20001210] The Postfix SMTP client now skips SMTP server
+replies that do not start with "CODE SPACE" or with "CODE HYPHEN"
+and flags them as protocol errors. Older Postfix SMTP clients
+silently treated "CODE TEXT" as "CODE SPACE TEXT", i.e. as a valid
+SMTP reply.
+
+[snapshot-20001121] On RedHat Linux 7.0, you must install the
+db3-devel RPM before you can compile the Postfix source code.
+
+[snapshot-20000924] The postmaster address in the "sorry" text at
+the top of bounced mail is now just postmaster, not postmaster@machine.
+The idea is to refer users to their own postmaster.
+
+[snapshot-20000921] The notation of [host:port] in transport tables
+etc. is going away but it is still supported. The preferred form
+is now [host]:port. This change is necessary to support IPV6
+address forms which use ":" as part of a numeric IP address. In a
+future release, Postfix will log a warning when it encounters the
+[host:port] form.
+
+[snapshot-20000921] In mail headers, Errors-To:, Reply-To: and
+Return-Receipt: addresses are now rewritten as a sender address
+(was: recipient).
+
+[snapshot-20000921] Postfix no longer inserts Sender: message
+headers.
+
+[snapshot-20000921] The queue manager now logs the original number
+of recipients when opening a queue file (example: from=<>, size=3502,
+nrcpt=1).
+
+[snapshot-20000921] The local delivery agent no longer appends a
+blank line to mail that is delivered to external command.
+
+[snapshot-20000921] The pipe delivery agent no longer appends a
+blank line when the F flag is specified (in the master.cf file).
+Specify the B flag if you need that blank line.
+
+[snapshot-20000507] As required by RFC 822, Postfix now inserts a
+generic destination message header when no destination header is
+present. The text is specified via the undisclosed_recipients_header
+configuration parameter (default: "To: undisclosed-recipients:;").
+
+[snapshot-20000507] The Postfix sendmail command treats a line with
+only `.' as the end of input, for the sake of sendmail compatibility.
+To disable this feature, specify the sendmail-compatible `-i' or
+`-oi' flags on the sendmail command line.
+
+[snapshot-20000507] For the sake of Sendmail compatibility, the
+Postfix SMTP client skips over SMTP servers that greet with a 4XX
+or 5XX reply code, treating them as unreachable servers. To obtain
+prior behavior (4XX=retry, 5XX=bounce), specify "smtp_skip_4xx_greeting
+= no" and "smtp_skip_5xx_greeting = no".
+
+Major changes with release-20010228
+===================================
+
+Postfix produces DSN formatted bounced/delayed mail notifications.
+The human-readable text still exists, so that users will not have
+to be unnecessarily confused by all the ugliness of RFC 1894. Full
+DSN support will be later.
+
+This release introduces full content filtering through an external
+process. This involves an incompatible change in queue file format.
+Mail is delivered to content filtering software via an existing
+mail delivery agent, and is re-injected into Postfix via an existing
+mail submission agent. See examples in the FILTER_README file.
+Depending on how the filter is implemented, you can expect to lose
+a factor of 2 to 4 in delivery performance of SMTP transit mail,
+more if the content filtering software needs lots of CPU or memory.
+
+Specify "body_checks = regexp:/etc/postfix/body_checks" for a quick
+and dirty emergency content filter that looks at non-header lines
+one line at a time (including MIME headers inside the message body).
+Details in conf/sample-filter.cf.
+
+The header_checks and body_checks features can be used to strip
+out unwanted data. Specify IGNORE on the right-hand side and the
+data will disappear from the mail.
+
+Support for SASL (RFC 2554) authentication in the SMTP server and
+in the SMTP and LMTP clients. See the SASL_README file for more
+details. This file still needs better examples.
+
+Postfix now ships with an LMTP delivery agent that can deliver over
+local/remote TCP sockets and over local UNIX-domain sockets. The
+LMTP_README file gives example, but still needs to be revised.
+
+Fast "ETRN" and "sendmail -qR". Postfix maintains per-destination
+logfiles with information about what mail is queued for selected
+destinations. See the file ETRN_README for details.
+
+The mailbox locking style is now fully configurable at runtime.
+The new configuration parameter is called "mailbox_delivery_lock".
+Depending on the operating system type, mailboxes can be locked
+with one or more of "flock", "fcntl" or "dotlock". The command
+"postconf -l" shows the available locking styles. The default
+mailbox locking style is system dependent. This change affects
+all mailbox and all "/file/name" deliveries by the Postfix local
+delivery agent.
+
+Minor changes with release-20010228
+===================================
+
+You can now specify multiple SMTP destinations in the relayhost
+and fallback_relay configuration parameters. The destinations are
+tried in the specified order. Specify host or host:port (perform
+MX record lookups), [host] or [host]:port (no MX record lookups),
+[address] or [address]:port (numerical IP address).
+
+The "mailbox_transport" and "fallback_transport" parameters now
+understand the form "transport:nexthop", with suitable defaults
+when either transport or nexthop are omitted, just like in the
+Postfix transport map. This allows you to specify for example,
+"mailbox_transport = lmtp:unix:/file/name".
+
+The local_transport and default_transport configuration parameters
+can now be specified in transport:destination notation, just like
+the mailbox_transport and fallback_transport parameters. The
+:destination part is optional. However, these parameters take only
+one destination, unlike relayhost and fallback-relay which take
+any number of destinations.
+
+More general virtual domain support. Postfix now supports both
+Sendmail-style virtual domains and Postfix-style virtual domains.
+Details and examples are given in the revised virtual manual page.
+
+- With Sendmail-style virtual domains, local users/aliases/mailing
+ lists are visible as localname@virtual.domain. This is convenient
+ if you want to host mailing lists under virtual domains.
+
+- With Postfix-style virtual domains, local users/aliases/mailing
+ lists are not visible as localname@virtual.domain. Each virtual
+ domain has its own separate name space.
+
+More general "soft bounce" feature. Specify "soft_bounce = yes"
+in main.cf to prevent the SMTP server from bouncing mail while you
+are testing configurations. Until this release the SMTP server was
+not aware of soft bounces.
+
+Workarounds for non-standard RFC 2554 (AUTH command) implementations.
+Specify "broken_sasl_auth_clients = yes" to enable SMTP server
+support for old Microsoft client applications. The Postfix SMTP
+client supports non-standard RFC 2554 servers by default.
+
+All time-related configuration parameters now accept a one-letter
+suffix to indicate the time unit (s: second, m: minute, h: hour,
+d: day, w: week). The exceptions are the LDAP and MYSQL modules
+which are maintained separately.
+
+New "import_environment" and "export_environment" configuration
+parameters provide explicit control over what environment variables
+Postfix will import, and what environment variables Postfix will
+pass on to a non-Postfix process.
+
+In order to improve performance of one-to-one deliveries, Postfix
+by default now looks at up to 10000 messages at a time (was: 1000).
+
+Specify "syslog_facility = log_local1" etc. to separate the logging
+from multiple Postfix instances. However, a non-default logging
+facility takes effect only after process initialization. Errors
+during command-line parsing are still logged with the default syslog
+facility, as are errors while processing the main.cf file.
+
+Postfix now strips out Content-Length: headers in incoming mail to
+avoid confusion in mail user agents.
+
+Specify "require_home_directory = yes" to prevent mail from being
+delivered to a user whose home directory is not mounted. This
+feature is implemented by the Postfix local delivery agent.
+
+The pipe mailer has a size limit (size=nnn) command-line argument.
+
+The pipe delivery agent has a configurable end-of-line attribute.
+Specify "pipe ... eol=\r\n" for delivery mechanisms that require
+CRLF record delimiters. The eol attribute understands the following
+C-style escape sequences: \a \b \f \n \r \t \v \nnn \\.
+
+In master.cf you can selectively override main.cf configuration
+parameters, for example: "smtpd -o myhostname=foo.com".
+
+In main.cf, specify "smtp_bind_address=x.x.x.x" to bind SMTP
+connections to a specific local interface. Or override the default
+setting in master.cf with "smtp -o smtp_bind_address=x.x.x.x".
+For now, you must specify a numeric IP address.
+
+Questionable feature: with "smtp_always_send_ehlo = yes", the SMTP
+client sends EHLO regardless of the content of the SMTP server's
+greeting.
+
+Specify "-d key" to postalias or postmap in order to remove one
+key. This still needs to be generalized to multi-key removal (e.g.,
+read keys from stdin).
+
+Comments in Postfix configuration files no longer contain troff
+formatting codes. The text is now generated from prototype files
+in a new "proto" subdirectory.
+
+Major changes with postfix-19991231:
+====================================
+
+- It is now much more difficult to configure Postfix as an open
+relay. The SMTP server requires that "smtpd_recipient_restrictions"
+contains at least one restriction that by default refuses mail (as
+is the default). There were too many accidents with changes to
+the UCE restrictions.
+
+- The relay_domains parameter no longer needs to contain $virtual_maps.
+
+- Overhauled FAQ (html/faq.html) with many more examples.
+
+- Updated UCE documentation (html/uce.html) with more examples.
+More UCE configuration examples in sample configuration files.
+
+- Several little improvements to the installation procedure:
+relative symlinks, configurable directory for scratch files so the
+installation can be done without write access to the build tree.
+
+- Updated LDAP client code (John Hensley).
+
+- Updated mysql client code (Scott Cotton).
+
+- The SMTP server now rejects mail for unknown users in virtual
+domains that are defined by Postfix virtual maps.
+
+- The SMTP server can reject mail for unknown local users. Specify
+"local_recipient_maps = $alias_maps, unix:passwd.byname" if your
+local mail is delivered by a UNIX-style local delivery agent. See
+example in conf/main.cf.
+
+- Use "disable_vrfy_command = yes" to disable the SMTP VRFY command.
+This prevents some forms of address harvesting.
+
+- The sendmail "-f" option now understands <user> and even understands
+forms with RFC 822-style comments.
+
+- New "qmgr_fudge_factor" parameter allows you to balance mailing
+list performance against response time for one-to-one mail. The
+fudge factor controls what percentage of delivery resources Postfix
+will devote to one message. With 100%, delivery of one message
+does not begin before delivery of the previous message is completed.
+This is good for list performance, bad for one-to-one mail. With
+10%, response time for one-to-one mail improves much, but list
+performance suffers: in the worst case, people near the start of a
+mailing list get a burst of postings today, while people near the
+end of the list get that same burst of postings a whole day later.
+
+- It is now relatively safe to configure 550 status codes for the
+main.cf unknown_address_reject_code or unknown_client_reject_code
+parameters. The SMTP server now always sends a 450 (try again)
+reply code when an UCE restriction fails due to a soft DNS error,
+regardless of what main.cf specifies.
+
+- The RBL checks now show the content of TXT records (Simon J Mudd).
+
+- The Postfix SMTP server now understands a wider range of illegal
+address forms in MAIL FROM and RCPT TO commands. In order to disable
+illegal forms, specify "strict_rfc821_envelopes = yes". This also
+disables support for MAIL FROM and RCPT TO addresses without <>.
+
+- Per-client/helo/sender/recipient UCE restrictions (fully-recursive
+UCE restriction parser). See the RESTRICTION_CLASS file for details.
+
+- Use "postmap -q key" or "postalias -q key" for testing Postfix
+lookup tables or alias files.
+
+- Use "postconf -e name=value..." to edit the main.cf file. This
+is easier and safer than editing the main.cf file by hand. The
+edits are done on a temporary copy that is renamed into place.
+
+- Use "postconf -m" to display all supported lookup table types
+(Scott Cotton).
+
+- New "permit_auth_destination" UCE restriction for finer-grained
+access control (Jesper Skriver).
+
+Incompatible changes with postfix-19990906
+==========================================
+
+- On systems that use user.lock files to protect system mailboxes
+against simultaneous updates, Postfix now uses /file/name.lock
+files while delivering to files specified in aliases/forward/include
+files. This is a no-op when the recipient lacks directory write
+permission.
+
+- The LDAP client code no longer looks up a name containing "*"
+because it could be abused. See the LDAP_README file for how to
+restore previous behavior.
+
+- The Postfix to PCRE interface now expects PCRE version 2.08.
+Postfix is no longer compatible with PCRE versions prior to 2.06.
+
+Major changes with postfix-19990906
+===================================
+
+Several bugfixes, none related to security. See the HISTORY file
+for a complete list of changes.
+
+- Postfix is now distributed under IBM Public License Version 1.0
+which does not carry the controversial termination clause. The new
+license does have a requirement that contributors make source code
+available.
+
+- INSTALL.sh install/upgrade procedure that replaces existing
+programs and shell scripts instead of overwriting them, and that
+leaves existing queue files and configuration files alone.
+
+- The ugly Delivered-To: header can now be turned off selectively.
+The default setting is: "prepend_delivered_header = command, file,
+forward". Turning off the Delivered-To: header when forwarding
+mail is not recommended.
+
+- mysql client support by Scott Cotton and Joshua Marcus, Internet
+Consultants Group, Inc. See the file MYSQL_README for instructions.
+
+- reject_unauth_destination SMTP recipient restriction that rejects
+destinations not in $relay_domains. Unlike the check_relay_domains
+restriction, reject_unauth_destination ignores the client hostname.
+By Lamont Jones of Hewlett-Packard.
+
+- reject_unauth_pipelining SMTP *anything* restriction to stop mail
+from spammers that improperly use SMTP command pipelining to speed
+up their deliveries.
+
+- Postfix "sendmail" now issues a warning and drops privileges if
+installed set-uid root.
+
+- No more duplicate delivery when "postfix reload" is immediately
+followed by "sendmail -q".
+
+- No more "invalid argument" errors when a Postfix daemon opens a
+DB/DBM file while some other process is changing the file.
+
+- Portability to the Mac OS X Server, Reliant Unix, AIX 3.2.5 and
+Ultrix 4.3.
+
+Incompatible changes with postfix-19990601:
+===========================================
+
+- The SMTP server now delays all UCE restrictions until the RCPT
+TO, VRFY or ETRN command. This makes the restrictions more useful,
+because many SMTP clients do not expect negative responses earlier
+in the protocol. In order to restore the old behavior, specify
+"smtpd_delay_reject = no" in /etc/postfix/main.cf.
+
+- The Postfix local delivery agent no longer automatically propagates
+address extensions to aliases/include/forward addresses. Specify
+"propagate_unmatched_extensions = canonical, virtual, alias, forward,
+include" to restore the old behavior.
+
+- The Postfix local delivery agent no longer does $name expansion
+on words found in the mailbox_command configuration parameter. This
+makes it easier to specify shell syntax. See conf/main.cf.
+
+- The luser_relay syntax has changed. You can specify one address;
+it is subjected to $user, etc. expansions. See conf/main.cf.
+
+- File system reorganization: daemon executables are now in the
+libexec subdirectory, command executables in the bin subdirectory.
+The INSTALL instructions now recommend installing daemons and
+commands into separate directories.
+
+Major changes with postfix-19990601:
+=====================================
+
+- New USER, EXTENSION, LOCAL, DOMAIN and RECIPIENT environment
+variables for delivery to command (including mailbox_command) by
+the local delivery agent. As you might expect, the information is
+censored. The list of acceptable characters is specified with the
+command_expansion_filter configuration parameter. Unacceptable
+characters are replaced by underscores. See html/local.8.html.
+
+- Specify "forward_path = /var/forward/$user" to avoid looking up
+.forward files in user home directories. The default value is
+$home/.forward$recipient_delimiter$extension, $home/.forward.
+Initial code by Philip A. Prindeville, Mirapoint, Inc., USA.
+
+- Conditional $name expansion in forward_path and luser_relay.
+Available names are: $user (bare user name) $shell (user login
+shell), $home (user home directory), $local (everything to the left
+of @), $extension (optional address extension), $domain (everything
+to the right of @), $recipient (the complete address) and
+$recipient_delimiter. A simple $name expands as usual. ${name?value}
+expands to value when $name is defined. ${name:value} expands to
+value when $name is not defined. With ${name?value} and ${name:value},
+the value is subject to another iteration of $name expansion.
+
+- POSIX regular expression support, enabled by default on 4.4BSD,
+LINUX, HP-UX, and Solaris 2.5 and later. See conf/sample-regexp.cf.
+Initial code by Lamont Jones, Hewlett-Packard, borrowing heavily
+from the PCRE implementation by Andrew McNamara, connect.com.au
+Pty. Ltd., Australia.
+
+- Regular expression checks for message headers. This requires
+support for POSIX or for PCRE regular expressions. Specify
+"header_checks = regexp:/file/name" or "header_checks = pcre:/file/name",
+and specify "/^header-name: badstuff/ REJECT" in the pattern file
+(patterns are case-insensitive by default). Code by Lamont Jones,
+Hewlett-Packard. It is to be expected that full content filtering
+will be delegated to an external command.
+
+- Regular expression support for all lookup tables, including access
+control (full mail addresses only), address rewriting (canonical/virtual,
+full mail addresses only) and transport tables (full domain names
+only). However, regular expressions are not allowed for aliases,
+because that would open up security exposures.
+
+- Automatic detection of changes to DB or DBM lookup tables. This
+eliminates the need to run "postfix reload" after each change to
+the SMTP access table, or to the canonical, virtual, transport or
+aliases tables.
+
+- New error mailer. Specify ".domain.name error:domain is undeliverable"
+in the transport table to bounce mail for entire domains.
+
+- No more Postfix lockups on Solaris (knock on wood). The code no
+longer uses Solaris UNIX-domain sockets, because they are still
+broken, even with Solaris 7.
+
+- Workaround for the Solaris mailtool, which keeps an exclusive
+kernel lock on the mailbox while its window is not iconified (specify
+"sun_mailtool_compatibility = yes" in main.cf).
+
+- Questionable workaround for Solaris, which reportedly loses
+long-lived exclusive locks that are held by the master daemon.
+
+- New reject_unknown_{sender,recipient}_domain restrictions for
+sender and recipient mail addresses that distinguish between soft
+errors (always 450) and hard errors (unknown_address_reject_code,
+default 450).
+
+- MIME-encapsulated bounce messages, making it easier to recover
+bounced mail. Initial implementation by Philip A. Prindeville,
+Mirapoint, Inc., USA. Support for RFC 1892 (multipart/report) and
+RFC 1894 (DSN) will have to wait until Postfix internals have been
+revised to support RFC 1893.
+
+- Separately configurable "postmaster" addresses for single bounces
+(bounce_notice_recipient), double bounces (2bounce_notice_recipient),
+delayed mail (delay_notice_recipient), and for mailer error reports
+(error_notice_recipient). See conf/main.cf.
+
+- Questionable feature: specify "best_mx_transport = local" if
+this machine is the best MX host for domains not in mydestinations.
+
+Incompatible changes with postfix-19990317:
+===========================================
+
+- You MUST install the new version of /etc/postfix/postfix-script.
+
+- The pipe mailer "flags" syntax has changed. You now explicitly
+MUST specify the R flag in order to generate a Return-Path: message
+header (as needed by, for example, cyrus).
+
+Major changes with postfix-19990317:
+====================================
+
+A detailed record of changes is given in the HISTORY file.
+
+- Less postmaster mail. Undeliverable bounce messages (double
+bounces) are now discarded. Specify "notify_classes = 2bounce..."
+to get copies of double bounces. Specify "notify_classes = bounce..."
+to get copies of normal and double bounces.
+
+- Improved LDAP client code by John Hensley of Merit Network, USA.
+See LDAP_README for details.
+
+- Perl-compatible regular expression support for lookup maps by
+Andrew McNamara, connect.com.au Pty. Ltd., Australia.. Example:
+"check_recipient_access pcre:/etc/postfix/sample-pcre.cf". Regular
+expressions provide a powerful tool not only for SMTP access control
+but also for address rewriting. See PCRE_README for details.
+
+- Automatic notification of delayed mail (disabled by default).
+With "delay_warning_time = 4", Postfix informs senders when mail
+has not been delivered after 4 hours. Initial version of the code
+by Daniel Eisenbud, University of California at Berkeley. In order
+to get postmaster copies of such warnings, specify "notify_classes
+= delay...".
+
+- More configurable local delivery: "mail_spool_directory" to
+specify the UNIX mail spool directory; "mailbox_transport" to
+delegate all mailbox delivery to, for example, cyrus, and
+"fallback_transport" to delegate delivery of only non-UNIX users.
+And all this without losing local aliases and local .forward
+processing. See config/main.cf and config/master.cf.
+
+- Several changes to improve Postfix behavior under worst-case
+conditions (frequent Postfix restarts/reloads combined with lots
+if inbound mail, intermittent connectivity problems, SMTP servers
+that become comatose after receiving QUIT).
+
+- More NFS-friendly mailbox delivery. The local delivery agent
+now avoids using root privileges where possible.
+
+- For sites that do not receive mail at all, mydestination can now
+be an empty string. Be sure to set up a transport table entry to
+prevent mail from looping.
+
+- New "postsuper" utility to clean up stale files from Postfix
+queues.
+
+- Workaround for BSD select() collisions that cause performance
+problems on large BSD systems.
+
+- Several questionable but useful features to capture mail:
+"always_bcc = address" to capture a copy of every message that
+enters the system, and "luser_relay = address" to capture mail for
+unknown recipients (does not work when mailbox_transport or
+fallback_transport are being used).
+
+- Junk mail controls: new reject_non_fqdn_{hostname,sender,recipient}
+restrictions to reject non-FQDN arguments in HELO, MAIL FROM and
+RCPT TO commands, and stricter checking of numeric HELO arguments.
+
+- "fallback_relay" feature for sites that use DNS but that can't
+talk to the entire world. The fall-back relay gets the mail when
+a destination is not found in the DNS or when the destination is
+found but not reachable.
+
+- Several questionable controls that can help to keep mail going:
+specify "smtp_skip_4xx_greeting = yes" to skip SMTP servers that
+greet with 4XX, "ignore_mx_lookup_error = yes" to look up an A
+record when a DNS server does not respond to an MX query.
+
+Incompatible changes with postfix-beta-19990122-pl01:
+=====================================================
+
+None.
+
+Major changes with postfix-beta-19990122-pl01:
+==============================================
+
+- Restrict who may use ETRN and what domains may be specified.
+Example: "smtpd_etrn_restrictions = permit_mynetworks, reject".
+
+- BIFF notifications. For compatibility reasons this feature is
+on by default. Specify "biff = no" in main.cf if your machine has
+lots of shell users.
+
+- With "soft_bounce = yes", defer delivery instead of bouncing
+mail. This is a safety net for configuration errors with delivery
+agents. It has no effect on errors in virtual maps, canonical maps,
+or in junk mail restrictions.
+
+- Specify "owner_request_special = no" to turn off special treatment
+of owner-foo and foo-request addresses.
+
+Incompatible changes with postfix-beta-19990122:
+================================================
+
+- The syntax of the transport table has changed. An entry like:
+
+ customer.org smtp:[gateway.customer.org]
+
+ no longer forwards mail for anything.customer.org. For that you
+ need to specify:
+
+ customer.org smtp:[gateway.customer.org]
+ .customer.org smtp:[gateway.customer.org]
+
+ This change makes transport tables more compatible with
+ sendmail mailer tables.
+
+- The format of syslog records has changed. A client is now always
+logged as hostname[address]; the pickup daemon logs queue file uid
+and sender address.
+
+Major changes with postfix-beta-19990122:
+=========================================
+
+- Junk mail restrictions can now be postponed to the RCPT TO command.
+Specify: "smtpd_recipient_restrictions = reject_maps_rbl...".
+
+- More flexible interface for delivery to e.g., cyrus IMAP without
+need for PERL scripts to munge recipient addresses. In addition to
+$sender, $nexthop and $recipient, the pipe mailer now also supports
+$user, $extension and $mailbox.
+
+- New mail now has precedence over deferred mail, plus some other
+tweaks to make bulk mail go faster. But it ain't no cure for massive
+network outages.
+
+- Watchdog timer for systems that cause the Postfix queue manager
+to lock up, so it recovers without human intervention.
+
+- Delivery to qmail-style maildir files, which is good for NFS
+environments. Specify "home_mailbox = Maildir/", or specify
+/file/name/ in aliases or in .forward files. The trailing / is
+required to turn on maildir delivery.
+
+- Incremental updates of aliases and maps. Specify "postmap -i
+mapname" and it will read new entries from stdin.
+
+- Newaliases will now update more than one alias database.
+Specify the names with the main.cf "alias_database" parameter.
+
+- Address masquerading exceptions to prevent users from being
+masqueraded. Specify "masquerade_exceptions = root".
+
+- A pipelined SMTP client. Deliveries to Postfix, qmail, LSOFT,
+zmailer, and exim (once it's fixed) speed up by some 30% for short
+messages with one recipient, with more for multi-recipient mails.
+
+- Hook for local delivery to "|command" via the smrsh restricted
+shell, to restrict what commands may be used in .forward etc. files.
+Specify "local_command_shell = /some/where/smrsh -c".
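Review bot: typo in the item on worst-case conditions near the end of this file: "frequent Postfix restarts/reloads combined with lots if inbound mail" should read "lots of inbound mail". Two items in the same list call their settings "questionable" (always_bcc and luser_relay for capturing mail, smtp_skip_4xx_greeting and ignore_mx_lookup_error for keeping mail going) without saying what the concern is. A one-line reason or a pointer to the relevant documentation would help an operator decide whether to enable them. If the file is meant to stay a verbatim copy of the original text, note that in the commit message rather than editing the wording here.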
diff --git a/RELEASE_NOTES-2.0 b/RELEASE_NOTES-2.0
new file mode 100644
index 0000000..586f2d7
--- /dev/null
+++ b/RELEASE_NOTES-2.0
@@ -0,0 +1,853 @@
+==============================================================
+NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE
+==============================================================
+Before upgrading from Postfix 1.1 you must stop Postfix ("postfix
+stop"). Some internal protocols have changed. No mail will be
+lost if you fail to stop and restart Postfix, but Postfix won't be
+able to receive any new mail, either.
+==============================================================
+NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE
+==============================================================
+
+In the text below, changes are labeled with the Postfix snapshot
+that introduced the change, and whether the change introduced a
+feature, an incompatibility, or whether the feature is obsolete.
+If you upgrade from a later Postfix version, then you do not have
+to worry about incompatibilities introduced in earlier versions.
+
+Official Postfix releases are called a.b.c where a=major release
+number, b=minor release number, c=patchlevel. Snapshot releases
+are now called a.b.c-yyyymmdd where yyyymmdd is the release date
+(yyyy=year, mm=month, dd=day). The mail_release_date configuration
+parameter contains the release date (both for official release and
+snapshot release). Patches change the patchlevel and the release
+date. Snapshots change only the release date, unless they include
+the same bugfixes as a patch release.
+
+Major changes with Postfix version 2.0.0 (released 20021222, 20021223)
+======================================================================
+
+First comes the bad news - things that may break when you upgrade
+from Postfix 1.1. Then comes the good news - things that evolved
+in snapshots over the past year.
+
+For the release notes of Postfix 1.1 and earlier, see the
+RELEASE_NOTES-1.1 file.
+
+Unknown Recipients are now rejected by default
+==============================================
+
+[Incompatibility 20021209] The Postfix SMTP server now rejects mail
+for $mydestination domain recipients that it does not know about.
+This keeps undeliverable mail out of your queue.
+
+[Incompatibility 20021209] To avoid losing mail when upgrading from
+Postfix 1.1, you need to review the LOCAL_RECIPIENT_README file if
+one of the following is true:
+
+- You define $mydestination domain recipients in files other than
+ /etc/passwd or /etc/aliases. For example, you define $mydestination
+ domain recipients in the $virtual_mailbox_maps files.
+- You run the Postfix SMTP server chrooted (see master.cf).
+- You redefined the local delivery agent in master.cf.
+- You redefined the "local_transport" setting in main.cf.
+- You use the mailbox_transport feature of the Postfix local delivery agent.
+- You use the fallback_transport feature of the Postfix local delivery agent.
+- You use the luser_relay feature of the Postfix local delivery agent.
+
+Name change of virtual domain tables
+====================================
+
+This release introduces separation of lookup tables for addresses
+and for domain names of virtual domains.
+
+[Incompat 20021209] the virtual_maps parameter is replaced by
+virtual_alias_maps (for address lookups) and virtual_alias_domains
+(for the names of what were formerly called "Postfix-style virtual
+domains").
+
+ For backwards compatibility with Postfix version 1.1, the new
+ virtual_alias_maps parameter defaults to $virtual_maps, and the
+ new virtual_alias_domains parameter defaults to $virtual_alias_maps.
+ This means that you can still keep all information about a domain
+ in one file, just like before.
+
+For details, see the virtual(5) and sample-virtual.cf files.
+
+[Incompat 20021209] the virtual_mailbox_maps parameter now has a
+companion parameter called virtual_mailbox_domains (for the names
+of domains served by the virtual delivery agent). virtual_mailbox_maps
+is now used for address lookups only.
+
+ For backwards compatibility with Postfix version 1.1,, the new
+ virtual_mailbox_domains parameter defaults to $virtual_mailbox_maps.
+ This means that you can still keep all information about a domain
+ in one file, just like before.
+
+For details, see the VIRTUAL_README file.
+
+[Incompat 20021209] If you use the "advanced content filter"
+technique, you MUST NOT override the virtual aliases and virtual
+mailbox settings in the SMTP server that receives mail from the
+content filter, or else mail for virtual recipients will be rejected
+with "User unknown".
+
+For details, see the FILTER_README file.
+
+Incompatible queue file format changes
+======================================
+
+[Incompat 20020527] Queue files created with the header/body_checks
+"FILTER" feature are not compatible with "postqueue -r" (move queue
+files back to the maildrop directory) of previous Postfix releases.
+
+[Incompat 20020512] Postfix queue files contain records that are
+incompatible with "postqueue -r" on all Postfix versions prior to
+1.1 and release candidates. This happens whenever the sender
+specifies MIME body type information via the SMTP `MAIL FROM'
+command, via the `sendmail -B' command line option, or via the
+Content-Transfer-Encoding: message header.
+
+[Incompat 20020512] Postfix queue files may contain records that
+are incompatible with "postqueue -r" on previous 1.1 Postfix versions
+and release candidates. This happens whenever the sender specifies
+the MIME body type only via the Content-Transfer-Encoding: message
+header, and not via `MAIL FROM' or `sendmail -B'.
+
+Features that are going away
+============================
+
+[Obsolete 20021209] Sendmail-style virtual domains are no longer
+documented. This part of Postfix was too confusing.
+
+[Obsolete 20021209] The "reject_maps_rbl" restriction is going
+away. The SMTP server now logs a warning and suggests using the
+more flexible "reject_rbl_client" feature instead.
+
+[Obsolete 20021209] The "check_relay_domains" restriction is going
+away. The SMTP server logs a warning and suggests using the more
+robust "reject_unauth_destination" instead. This means that Postfix
+by default no longer grants relay permissions on the basis of the
+client hostname, and that relay clients must be authorized via
+other means such as permit_mynetworks.
+
+[Obsolete 20020917] In regexp lookup tables, the form /pattern1/!/pattern2/
+is going away. Use the cleaner and more flexible "if !/pattern2/..endif"
+form. The old form still exists but is no longer documented, and
+causes a warning (suggesting to use the new format) to be logged.
+For details, see "man regexp_table".
+
+[Obsolete 20020819] The qmgr_site_hog_factor feature is gone (this
+would defer mail delivery for sites that occupy too much space in
+the active queue, and be a real performance drain due to excessive
+disk I/O). The new qmgr_clog_warn_time feature (see below) provides
+more useful suggestions for dealing with Postfix congestion.
+
+[Obsolete 20020819] The "permit_naked_ip_address" restriction on
+HELO command syntax is unsafe when used with most smtpd_XXX_restrictions
+and will go away. Postfix logs a warning, suggesting to use
+"permit_mynetworks" instead.
+
+MIME support
+============
+
+[Feature 20020527] Postfix now has real MIME support. This improves
+content filtering efficiency and accuracy, and improves inter-operability
+with mail systems that cannot receive 8-bit mail. See conf/sample-mime.cf
+for details.
+
+[Feature 20020527] Postfix header_checks now properly recognize
+MIME headers in attachments. This is much more efficient than
+previous versions that recognized MIME headers via body_checks.
+MIME headers are now processed one multi-line header at a time,
+instead of one body line at a time. To get the old behavior,
+specify "disable_mime_input_processing = yes". More details in
+conf/sample-filter.cf.
+
+[Feature 20020527] Postfix now has three classes of header patterns:
+header_checks (for primary message headers except MIME headers),
+mime_header_checks (for MIME headers), and nested_header_checks
+(for headers of attached email messages except MIME headers). By
+default, all headers are matched with header_checks.
+
+[Feature 20020527] The Postfix SMTP client will now convert 8BITMIME
+mail to 7BIT when delivering to an SMTP server that does not announce
+8BITMIME support. To disable, specify "disable_mime_output_conversion
+= yes". However, this conversion is required by RFC standards.
+
+[Feature 20020528] Postfix can enforce specific aspects of the MIME
+standards while receiving mail.
+
+* Specify "strict_7bit_headers = yes" to disallow 8-bit characters
+ in message headers. These are always illegal.
+
+* Specify "strict_8bitmime_body = yes" to block mail with 8-bit
+ content that is not properly labeled as 8-bit MIME. This blocks
+ mail from poorly written mail software, including (bounces from
+ qmail, bounces from Postfix before snapshot 20020514, and Majordomo
+ approval requests) that contain valid 8BITMIME mail.
+
+* Specify "strict_8bitmime = yes" to turn on both strict_7bit_headers
+ and strict_8bitmime_body.
+
+* Specify "strict_mime_encoding_domain = yes" to block mail from
+ poorly written mail software. More details in conf/sample-mime.cf.
+
+[Incompat 20020527] Postfix now rejects mail if the MIME multipart
+structure is nested more than mime_nesting_limit levels (default:
+100) when MIME input processing is enabled while receiving mail, or
+when Postfix is performing 8BITMIME to 7BIT conversion while
+delivering mail.
+
+[Incompat 20020527] Postfix now recognizes "name :" as a valid
+message header, but normalizes it to "name:" for consistency
+(actually, there is so much code in Postfix that would break with
+"name :" that there is little choice, except to not recognize "name
+:" headers).
+
+[Incompat 20020512] Postfix queue files contain records that are
+incompatible with "postqueue -r" on all Postfix versions prior to
+1.1 and release candidates. This happens whenever the sender
+specifies MIME body type information via the SMTP `MAIL FROM'
+command, via the `sendmail -B' command line option, or via the
+Content-Transfer-Encoding: message header.
+
+[Incompat 20020512] Postfix queue files may contain records that
+are incompatible with "postqueue -r" on previous 1.1 Postfix versions
+and release candidates. This happens whenever the sender specifies
+the MIME body type only via the Content-Transfer-Encoding: message
+header, and not via `MAIL FROM' or `sendmail -B'.
+
+[Feature 20020512] The Postfix SMTP and LMTP clients now properly
+pass on the MIME body type information (7BIT or 8BITMIME), provided
+that the sender properly specifies MIME body type information via
+the SMTP MAIL FROM command, via the sendmail -B command line option,
+or via MIME message headers. This includes mail that is returned
+as undeliverable.
+
+Improved performance
+====================
+
+[Incompat 20021209] The default queue directory hash_queue_depth
+setting is reduced to 1 level of subdirectories per Postfix queue.
+This improves "mailq" performance on most systems, but can result
+in poorer worst-case performance on systems with lots of mail in
+the queue.
+
+[Incompat 20021209] The Postfix SMTP client no longer expands CNAMEs
+in MAIL FROM or RCPT TO addresses (as permitted by RFC 2821). This
+eliminates one DNS lookup per sender and recipient, and can make
+a dramatic difference when sending mailing list mail via a relayhost.
+
+[Incompat 20021209] The Postfix installation procedure no longer
+sets the "chattr +S" bit on Linux queue directories. Wietse has
+gotten too annoyed with naive reviewers who complain about performance
+without having a clue of what they are comparing.
+
+[Feature 20021209] On mail gateway systems, separation of inbound
+mail relay traffic from outbound traffic. This eliminates a problem
+where inbound mail deliveries could become resource starved in the
+presence of a high volume of outbound mail.
+
+[Feature 20021013] The body_checks_size_limit parameter limits the
+amount of text per message body segment (or attachment, if you
+prefer to use that term) that is subjected to body_checks inspection.
+The default limit is 50 kbytes. This speeds up the processing of
+mail with large attachments.
+
+[Feature 20020917] Speedups of regexp table lookups by optimizing
+for the $number substitutions that are actually present in the
+right-hand side. Based on a suggestion by Liviu Daia.
+
+[Feature 20020917] Speedups of regexp and pcre tables, using
+IF..ENDIF support. Based on an idea by Bert Driehuis. To protect
+a block of patterns, use:
+
+ if /pattern1/
+ /pattern2/ result2
+ /pattern3/ result3
+ endif
+
+IF..ENDIF can nest. Don't specify blanks at the beginning of lines
+inside IF..ENDIF, because lines beginning with whitespace are
+appended to the previous line. More details about the syntax are
+given in the pcre_table(5) and regexp_table(5) manual pages.
+
+[Feature 20020717] The default timeout for establishing an SMTP
+connection has been reduced to 30 seconds, because many system
+TCP/IP stacks have an atrociously large default timeout value.
+
+[Feature 20020505] Finer control over Berkeley DB memory usage,
+The parameter "berkeley_db_create_buffer_size" (default: 16 MBytes)
+specifies the buffer size for the postmap and postalias commands.
+The parameter "berkeley_db_read_buffer_size" (default: 128 kBytes)
+specifies the buffer size for all other applications. Specify
+"berkeley_db_read_buffer_size = 1048576" to get the old read buffer
+size. Contributed by Victor Duchovni. For more information, see
+the last paragraphs of the DB_README file.
+
+[Incompat 20021211] The default process limit is doubled from 50
+to 100. The default limits on the number of active queue files or
+recipients are doubled from 10000 to 20000. The default concurrency
+for parallel delivery to the same destination is doubled from 10
+to 20.
+
+Improved compatibility
+======================
+
+[Feature 20020527] The Postfix SMTP client will now convert 8BITMIME
+mail to 7BIT when delivering to an SMTP server that does not announce
+8BITMIME support. To disable, specify "disable_mime_output_conversion
+= yes". However, this conversion is required by RFC standards.
+
+[Feature 20020512] The Postfix SMTP and LMTP clients now properly
+pass on the MIME body type information (7BIT or 8BITMIME), provided
+that the sender properly specifies MIME body type information via
+the SMTP MAIL FROM command, via the sendmail -B command line option,
+or via MIME message headers. This includes mail that is returned
+as undeliverable.
+
+[Incompat 20020326] The Postfix SMTP client now breaks message
+header or body lines that are longer than $smtp_line_length_limit
+characters (default: 990). Earlier Postfix versions broke lines
+at $line_length_limit characters (default: 2048). Postfix versions
+before 20010611 did not break long lines at all. Reportedly, some
+mail servers refuse to receive mail with lines that exceed the 1000
+character limit that is specified by the SMTP standard.
+
+[Incompat 20020326] The Postfix SMTP client now breaks long message
+header or body lines by inserting <CR> <LF> <SPACE>. Earlier
+Postfix versions broke long lines by inserting <CR> <LF> only. This
+broke MIME encapsulation, causing MIME attachments to "disappear"
+with Postfix versions after 20010611.
+
+[Incompat 20020326] Postfix now discards text when a logical message
+header exceeds $header_size_limit characters (default: 102400).
+Earlier Postfix versions would place excess text, and all following
+text, in the message body. The same thing was done when a physical
+header line exceeded $line_length_limit characters (default: 2048).
+Both behaviors broke MIME encapsulation, causing MIME attachments
+to "disappear" with all previous Postfix versions.
+
+[Incompat 20021015] The Postfix LMTP client no longer lowercases email
+addresses in MAIL FROM and RCPT TO commands.
+
+[Incompat 20021013] The default Linux kernel lock style for mailbox
+delivery is changed from flock() to fcntl(). This has no impact if
+your system uses procmail for local delivery, if you use maildir-style
+mailboxes, or when mailbox access software locks mailboxes with
+username.lock files (which is usually the case with non-maildir
+mailboxes).
+
+Address classes
+===============
+
+[Feature 20021209] This release introduces the concept of address
+domain classes, each having its own default mail delivery transport:
+
+ Destination matches Default transport Default name
+ ==============================================================
+ $mydestination or
+ $inet_interfaces $local_transport local
+ $virtual_alias_domains (not applicable) (not applicable)
+ $virtual_mailbox_domains $virtual_transport virtual
+ $relay_domains $relay_transport relay
+ other $default_transport smtp
+
+The benefits of these changes are:
+
+- You no longer need to specify all the virtual(8) domains in the
+ Postfix transport map. The virtual(8) delivery agent has
+ become a first-class citizen just like local(8) or smtp(8).
+
+- On mail gateway systems, separation of inbound mail relay traffic
+ from outbound traffic. This eliminates a problem where inbound
+ mail deliveries could become resource starved in the presence of
+ a high volume of outbound mail.
+
+- The SMTP server rejects unknown recipients in a more consistent
+ manner than was possible with previous Postfix versions.
+
+See the ADDRESS_CLASS_README file for a description of address
+classes, their benefits, and their incompatibilities.
+
+New relay transport in master.cf
+================================
+
+[Incompat 20021209] Postfix no longer defaults to the "smtp"
+transport for all non-local destinations. In particular, Postfix
+now uses the "relay" mail delivery transport for delivery to domains
+matching $relay_domains. This may affect your defer_transports
+settings.
+
+On mail gateway systems, this allows us to separate inbound mail
+relay traffic from outbound traffic, and thereby eliminate a problem
+where inbound mail deliveries could become resource starved in the
+presence of a high volume of outbound mail.
+
+[Incompat 20021209] This release adds a new "relay" service to the
+Postfix master.cf file. This is a clone of the "smtp" service. If
+your Postfix is unable to connect to the "relay" service then you
+have not properly followed the installation procedure.
+
+Revision of RBL blacklisting code
+=================================
+
+[Feature 20020923] Complete rewrite of the RBL blacklisting code.
+The names of RBL restrictions are now based on a suggestion that
+was made by Liviu Daia in October 2001. See conf/sample-smtpd.cf
+or html/uce.html for details.
+
+[Feature 20020923] "reject_rbl_client rbl.domain.tld" for client
+IP address blacklisting. Based on code by LaMont Jones. The old
+"reject_maps_rbl" is now implemented as a wrapper around the
+reject_rbl_client code, and logs a warning that "reject_maps_rbl"
+is going away. To upgrade, specify "reject_rbl_client domainname"
+once for each domain name that is listed in maps_rbl_domains.
+
+[Feature 20020923] "reject_rhsbl_sender rbl.domain.tld" for sender
+domain blacklisting. Also: reject_rhsbl_client and reject_rhsbl_recipient
+for client and recipient domain blacklisting.
+
+[Feature 20020923] "rbl_reply_maps" configuration parameter for
+lookup tables with template responses per RBL server. Based on code
+by LaMont Jones. If no reply template is found the default template
+is used as specified with the default_rbl_reply configuration
+parameter. The template responses support $name expansion of
+client, helo, sender, recipient and RBL related attributes.
+
+[Incompat 20020923] The default RBL "reject" server reply now
+includes an indication of *what* is being rejected: Client host,
+Helo command, Sender address, or Recipient address. This also
+changes the logfile format.
+
+[Feature 20020923] "smtpd_expansion_filter" configuration parameter
+to control what characters are allowed in the expansion of template
+RBL reply $name macros. Characters outside the allowed set are
+replaced by "_".
+
+More sophisticated handling of UCE-related DNS lookup errors
+============================================================
+
+[Feature 20020906] More sophisticated handling of UCE-related DNS
+lookup errors. These cause Postfix to not give up so easily, so
+that some deliveries will not have to be deferred after all.
+
+[Feature 20020906] The SMTP server sets a defer_if_permit flag when
+an UCE reject restriction fails due to a temporary (DNS) problem,
+to prevent unwanted mail from slipping through. The defer_if_permit
+flag is tested at the end of the ETRN and recipient restrictions.
+
+[Feature 20020906] A similar flag, defer_if_reject, is maintained
+to prevent mail from being rejected because a whitelist operation
+(such as permit_mx_backup) fails due to a temporary (DNS) problem.
+
+[Feature 20020906] The permit_mx_backup restriction is made more
+strict. With older versions, some DNS failures would cause mail to
+be accepted anyway, and some DNS failures would cause mail to be
+rejected by later restrictions in the same restriction list. The
+improved version will defer delivery when Postfix could make the
+wrong decision.
+
+- After DNS lookup failure, permit_mx_backup will now accept the
+request if a subsequent restriction would cause the request to be
+accepted anyway, and will defer the request if a subsequent
+restriction would cause the request to be rejected.
+
+- After DNS lookup failure, reject_unknown_hostname (the hostname
+given in HELO/EHLO commands) reject_unknown_sender_domain and
+reject_unknown_recipient_domain will now reject the request if a
+subsequent restriction would cause the request to be rejected
+anyway, and will defer the request if a subsequent restriction
+would cause the request to be accepted.
+
+[Feature 20020906] Specify "smtpd_data_restrictions =
+reject_unauth_pipelining" to block mail from SMTP clients that send
+message content before Postfix has replied to the SMTP DATA command.
+
+Other UCE related changes
+=========================
+
+[Feature 20020717] The SMTP server reject_unknown_{sender,recipient}_domain
+etc. restrictions now also attempt to look up AAAA (IPV6 address)
+records.
+
+[Incompat 20020513] In order to allow user@domain@domain addresses
+from untrusted systems, specify "allow_untrusted_routing = yes" in
+main.cf. This opens opportunities for mail relay attacks when
+Postfix provides backup MX service for Sendmail systems.
+
+[Incompat 20020514] For safety reasons, the permit_mx_backup
+restriction no longer accepts mail for user@domain@domain. To
+recover the old behavior, specify "allow_untrusted_routing = yes"
+and live with the risk of becoming a relay victim.
+
+[Incompat 20020509] The Postfix SMTP server no longer honors OK
+access rules for user@domain@postfix-style.virtual.domain, to close
+a relaying loophole with postfix-style virtual domains that have
+@domain.name catch-all patterns.
+
+[Incompat 20020201] In Postfix SMTPD access tables, Postfix now
+uses <> as the default lookup key for the null address, in order
+to work around bugs in some Berkeley DB implementations. This
+behavior is controlled with the smtpd_null_access_lookup_key
+configuration parameter.
+
+Changes in transport table lookups
+==================================
+
+[Feature 20020610] user@domain address lookups in the transport
+map. This feature also understands address extensions. Transport
+maps still support lookup keys in the form of domain names, but
+only with non-regexp tables. Specify mailer-daemon@my.host.name
+in order to match the null address. More in the transport(5) manual
+page.
+
+[Feature 20020505] Friendlier behavior of Postfix transport tables.
+There is a new "*" wildcard pattern that always matches. The
+meaning of null delivery transport AND nexhop information field
+has changed to "do not modify": use the information that would be
+used if the transport table did not exist. This change makes it
+easier to route intranet mail (everything under my.domain) directly:
+you no longer need to specify explicit "local" transport table
+entries for every domain name that resolves to the local machine.
+For more information, including examples, see the updated transport(5)
+manual page.
+
+[Incompat 20020610] Regexp/PCRE-based transport maps now see the
+entire recipient address instead of only the destination domain
+name.
+
+[Incompat 20020505, 20021215] The meaning of null delivery transport
+and nexhop fields has changed incompatibly.
+
+- A null delivery transport AND nexthop information field means
+"do not modify": use the delivery transport or nexthop information
+that would be used if no transport table did not exist.
+
+- The delivery transport is not changed with a null delivery
+transport field and non-null nexthop field.
+
+- The nexthop is reset to the recipient domain with a non-null
+transport field and a null nexthop information field.
+
+Address manipulation changes
+============================
+
+[Incompat 20020717] Postfix no longer strips multiple '.' characters
+from the end of an email address or domain name. Only one '.' is
+tolerated.
+
+[Feature 20020717] The masquerade_domains feature now supports
+exceptions. Prepend a ! character to a domain name in order to
+not strip its subdomain structure. More information in
+conf/sample-rewrite.cf.
+
+[Feature 20020717] The Postfix virtual delivery agent supports
+catch-all entries (@domain.tld) in lookup tables. These match users
+that do not have a specific user@domain.tld entry. The virtual
+delivery agent now ignores address extensions (user+foo@domain.tld)
+when searching its lookup tables, but displays the extensions in
+Delivered-To: message headers.
+
+[Feature 20020610] user@domain address lookups in the transport
+map. This feature also understands address extensions. Transport
+maps still support lookup keys in the form of domain names, but
+only with non-regexp tables. Specify mailer-daemon@my.host.name
+in order to match the null address. More in the transport(5) manual
+page.
+
+[Incompat 20020610] Regexp/PCRE-based transport maps now see the
+entire recipient address instead of only the destination domain
+name.
+
+[Incompat 20020513] In order to allow user@domain@domain addresses
+from untrusted systems, specify "allow_untrusted_routing = yes" in
+main.cf. This opens opportunities for mail relay attacks when
+Postfix provides backup MX service for Sendmail systems.
+
+[Incompat 20020509] The Postfix SMTP server no longer honors OK
+access rules for user@domain@postfix-style.virtual.domain, to close
+a relaying loophole with postfix-style virtual domains that have
+@domain.name catch-all patterns.
+
+[Incompat 20020509] The appearance of user@domain1@domain2 addresses
+has changed. In mail headers, such addresses are now properly
+quoted as "user@domain1"@domain2. As a side effect, this quoted
+form is now also expected on the left-hand side of virtual and
+canonical lookup tables, but only by some of the Postfix components.
+For now, it is better not to use user@domain1@domain2 address forms
+on the left-hand side of lookup tables.
+
+Regular expression and PCRE related changes
+===========================================
+
+[Feature 20021209] Regular expression maps are now allowed with
+local delivery agent alias tables and with all virtual delivery
+agent lookup tables. However, regular expression substitution of
+$1 etc. is still forbidden for security reasons.
+
+[Obsolete 20020917] In regexp lookup tables, the form /pattern1/!/pattern2/
+is going away. Use the cleaner and more flexible "if !/pattern2/..endif"
+form. The old form still exists but is no longer documented, and
+causes a warning (suggesting to use the new format) to be logged.
+
+[Incompat 20020610] Regexp/PCRE-based transport maps now see the
+entire recipient address instead of only the destination domain
+name.
+
+[Incompat 20020528] With PCRE pattern matching, the `.' metacharacter
+now matches all characters including newline characters. This makes
+PCRE pattern matching more convenient to use with multi-line message
+headers, and also makes PCRE more compatible with regexp pattern
+matching. The pcre_table(5) manual page has been greatly revised.
+
+New mail "HOLD" action and "hold" queue
+=======================================
+
+[Feature 20020819] New "hold" queue for mail that should not be
+delivered. "postsuper -h" puts mail on hold, and "postsuper -H"
+releases mail, moving mail that was "on hold" to the deferred queue.
+
+[Feature 20020821] HOLD and DISCARD actions in SMTPD access tables.
+As with the header/body version of the same, these actions apply
+to all recipients of the same queue file.
+
+[Feature 20020819] New header/body HOLD action that causes mail to
+be placed on the "hold" queue. Presently, all you can do with mail
+"on hold" is to examine it with postcat, to take it "off hold" with
+"postsuper -H", or to destroy it with "postsuper -d". See
+conf/sample-filter.cf.
+
+[Incompat 20020819] In mailq output, the queue ID is followed by
+the ! character when the message is in the "hold" queue (see below).
+This may break programs that process mailq output.
+
+Content filtering
+=================
+
+[Feature 20020823] Selective content filtering. In in SMTPD access
+tables, specify "FILTER transport:nexthop" for mail that needs
+filtering. More info about content filtering is in the Postfix
+FILTER_README file. This feature overrides the main.cf content_filter
+setting. Presently, this applies to all the recipients of a queue
+file.
+
+[Feature 20020527] Selective content filtering. In header/body_check
+patterns, specify "FILTER transport:nexthop" for mail that needs
+filtering. This requires different cleanup servers before and after
+the filter, with header/body checks turned off in the second cleanup
+server. More info about content filtering is in the Postfix
+FILTER_README file. This feature overrides the main.cf content_filter
+setting. Presently, this applies to all the recipients of a queue
+file.
+
+[Feature 20020527] Postfix now has real MIME support. This improves
+content filtering efficiency and accuracy, and improves inter-operability
+with mail systems that cannot receive 8-bit mail. See conf/sample-mime.cf
+for details.
+
+[Feature 20020527] Postfix header_checks now properly recognize
+MIME headers in attachments. This is much more efficient than
+previous versions that recognized MIME headers via body_checks.
+MIME headers are now processed one multi-line header at a time,
+instead of one body line at a time. To get the old behavior,
+specify "disable_mime_input_processing = yes". More details in
+conf/sample-filter.cf.
+
+[Feature 20020527] Postfix now has three classes of header patterns:
+header_checks (for primary message headers except MIME headers),
+mime_header_checks (for MIME headers), and nested_header_checks
+(for headers of attached email messages except MIME headers). By
+default, all headers are matched with header_checks.
+
+[Feature 20021013] The body_checks_size_limit parameter limits the
+amount of text per message body segment (or attachment, if you
+prefer to use that term) that is subjected to body_checks inspection.
+The default limit is 50 kbytes. This speeds up the processing of
+mail with large attachments.
+
+[Feature 20020917] Speedups of regexp table lookups by optimizing
+for the $number substitutions that are actually present in the
+right-hand side. Based on a suggestion by Liviu Daia.
+
+[Feature 20020917] Speedups of regexp and pcre tables, using
+IF..ENDIF support. Based on an idea by Bert Driehuis. To protect
+a block of patterns, use:
+
+ if /pattern1/
+ /pattern2/ result2
+ /pattern3/ result3
+ endif
+
+IF..ENDIF can nest. Don't specify blanks at the beginning of lines
+inside IF..ENDIF, because lines beginning with whitespace are
+appended to the previous line. More details about the syntax are
+given in the pcre_table(5) and regexp_table(5) manual pages.
+
+Postmap/postalias/newaliases changes
+====================================
+
+[Incompat 20020505] The postalias command now copies the source
+file read permissions to the result file when creating a table for
+the first time. Until now, the result file was created with default
+read permissions. This change makes postalias more similar to
+postmap.
+
+[Incompat 20020505] The postalias and postmap commands now drop
+super-user privileges when processing a non-root source file. The
+file is now processed as the source file owner, and the owner must
+therefore have permission to update the result file. Specify the
+"-o" flag to get the old behavior (process non-root files with root
+privileges).
+
+[Incompat 20020122] When the postmap command creates a non-existent
+result file, the new file inherits the group/other read permissions
+of the source file.
+
+Assorted changes
+================
+
+[Feature 20021028] The local(8) and virtual(8) delivery agents now record
+the original recipient address in the X-Original-To: message header.
+This header can also be emitted by the pipe(8) delivery agent.
+
+[Incompat 20021028] With "domain in one mailbox", one message with
+multiple recipients is no longer delivered only once. It is now
+delivered as one copy for each original recipient, with the original
+recipient address listed in the X-Original-To: message header.
+
+[Feature 20021024] New proxy_interfaces parameter, for sites behind a
+network address translation gateway or other type of proxy. You
+should specify all the proxy network addresses here, to avoid avoid
+mail delivery loops.
+
+[Feature 20021013] Updated MacOS X support by Gerben Wierda. See
+the auxiliary/MacOSX directory.
+
+[Incompat 20021013] Subtle change in ${name?result} macro expansions:
+the expansion no longer happens when $name is an empty string. This
+probably makes more sense than the old behavior.
+
+[Incompat 20020917] The relayhost setting now behaves as documented,
+i.e. you can no longer specify multiple destinations.
+
+[Incompatibility 20021219] The use of the XVERP extension in the
+SMTP MAIL FROM command is now restricted to SMTP clients that match
+the hostnames, domains or networks listed with the authorized_verp_clients
+parameter (default: $mynetworks).
+
+[Feature 20020819] When the Postfix local delivery agent detects
+a mail delivery loop (usually the result of mis-configured mail
+pickup software), the undeliverable mail is now sent to the mailing
+list owner instead of the envelope sender address (usually the
+original poster who has no guilt, and who cannot fix the problem).
+
+[Warning 20020819] The Postfix queue manager now warns when mail
+for some destination is piling up in the active queue, and suggests
+a variety of remedies to speed up delivery (increase per-destination
+concurrency limit, increase active queue size, use a separate
+delivery transport, increase per-transport process limit). The
+qmgr_clog_warn_time parameter controls the time between warnings.
+To disable these warnings, specify "qmgr_clog_warn_time = 0".
+
+[Warning 20020717] The Postfix SMTP client now logs a warning when
+the same domain is listed in main.cf:mydestination as well as a
+Postfix-style virtual map. Such a mis-configuration may cause mail
+for users to be rejected with "user unknown".
+
+[Feature 20020331] A new smtp_helo_name parameter that specifies
+the hostname to be used in HELO or EHLO commands; this can be more
+convenient than changing the myhostname parameter setting.
+
+[Feature 20020331] Choice between multiple instances of internal
+services: bounce, cleanup, defer, error, flush, pickup, queue,
+rewrite, showq. This allows you to use different cleanup server
+settings for different SMTP server instances. For example, specify
+in the master.cf file:
+
+ localhost:10025 ... smtpd -o cleanup_service_name=cleanup2 ...
+ cleanup2 ... cleanup -o header_checks= body_checks= ...
+
+Logfile format changes
+======================
+
+[Incompat 20021209] The Postfix SMTP client no longer expands CNAMEs
+in MAIL FROM addresses (as permitted by RFC 2821) before logging
+the recipient address.
+
+[Incompat 20021028] The Postfix SMTP server UCE reject etc. logging
+now includes the queue ID, the mail protocol (SMTP or ESMTP), and
+the hostname that was received with the HELO or EHLO command, if
+available.
+
+[Incompat 20021028] The Postfix header/body_checks logging now
+includes the mail protocol (SMTP, ESMTP, QMQP) and the hostname
+that was received with the SMTP HELO or EHLO command, if available.
+
+[Incompat 20021028] The Postfix status=sent/bounced/deferred logging
+now shows the original recipient address (as received before any
+address rewriting or aliasing). The original recipient address is
+logged only when it differs from the final recipient address.
+
+[Incompat 20020923] The default RBL "reject" server reply now
+includes an indication of *what* is being rejected: Client host,
+Helo command, Sender address, or Recipient address. This also
+changes the logfile format.
+
+LDAP related changes
+====================
+
+[Incompat 20020819] LDAP API version 1 is no longer supported. The
+memory allocation and deallocation strategy has changed too much
+to maintain both version 1 and 2 at the same time.
+
+[Feature 20020513] Updated LDAP client module with better handling
+of dead LDAP servers, and with configurable filtering of query
+results.
+
+SASL related changes
+====================
+
+[Incompat 20020819] The smtpd_sasl_local_domain setting now defaults
+to the null string, rather than $myhostname. This seems to work
+better with Cyrus SASL version 2. This change may cause incompatibility
+with the saslpasswd2 command.
+
+[Feature 20020331] Support for the Cyrus SASL version 2 library,
+contributed by Jason Hoos. This adds some new functionality that
+was not available in Cyrus SASL version 1, and provides bit-rot
+insurance for the time when Cyrus SASL version 1 eventually stops
+working.
+
+Berkeley DB related changes
+===========================
+
+[Feature 20020505] Finer control over Berkeley DB memory usage,
+The parameter "berkeley_db_create_buffer_size" (default: 16 MBytes)
+specifies the buffer size for the postmap and postalias commands.
+The parameter "berkeley_db_read_buffer_size" (default: 256 kBytes)
+specifies the buffer size for all other applications. Specify
+"berkeley_db_read_buffer_size = 1048576" to get the old read buffer
+size. For more information, see the last paragraphs of the DB_README
+file.
+
+[Incompat 20020201] In Postfix SMTPD access tables, Postfix now
+uses <> as the default lookup key for the null address, in order
+to work around bugs in some Berkeley DB implementations. This
+behavior is controlled with the smtpd_null_access_lookup_key
+configuration parameter.
+
+[Incompat 20020201] Postfix now detects if the run-time Berkeley
+DB library routines do not match the major version number of the
+compile-time include file that was used for compiling Postfix. The
+software issues a warning and aborts in case of a discrepancy. If
+it didn't, the software was certain to crash with a segmentation
+violation.
+
+Assorted workarounds
+====================
+
+[Incompat 20020201] On SCO 3.2 UNIX, the input rate flow control
+is now turned off by default, because of limitations in the SCO
+UNIX kernel.
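Review bot: In the "Assorted changes" section, the XVERP entry is tagged "[Incompatibility 20021219]" while the other entries visible in this hunk use "[Incompat yyyymmdd]". Anyone who greps the notes for "[Incompat" when planning an upgrade will miss the one change here that restricts an SMTP command to authorized_verp_clients, so I suggest normalizing the tag. Smaller wording points in the same hunk: the 20020823 FILTER entry reads "In in SMTPD access tables", the proxy_interfaces entry reads "to avoid avoid mail delivery loops", and the 20020819 mailq entry says "(see below)" although the "hold" queue is described earlier in that same section. If these files are meant to be a verbatim import of the upstream release notes, please say so in the commit message so that the text is not "fixed" locally and left to drift from upstream.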
diff --git a/RELEASE_NOTES-2.1 b/RELEASE_NOTES-2.1
new file mode 100644
index 0000000..c25b28b
--- /dev/null
+++ b/RELEASE_NOTES-2.1
@@ -0,0 +1,581 @@
+In the text below, incompatible changes are labeled with the Postfix
+snapshot that introduced the change. If you upgrade from a later
+Postfix version, then you do not have to worry about that particular
+incompatibility.
+
+The official Postfix release is called 2.1.x where 2=major release
+number, 1=minor release number, x=patchlevel. Snapshot releases
+are called 2.2-yyyymmdd where yyyymmdd is the release date (yyyy=year,
+mm=month, dd=day). The mail_release_date configuration parameter
+contains the release date (both for official release and snapshot
+release). Patches are issued for the official release and change
+the patchlevel and the release date. Patches are never issued for
+snapshot releases.
+
+Major changes - critical
+------------------------
+
+If you run Postfix 2.0 or earlier then you must stop Postfix before
+upgrading. The master-child protocols have changed between Postfix
+1.1 and 2.0, and version 2.1 sometimes writes queue files that the
+2.0 and earlier queue managers complain about. If this happens move
+the files from the corrupt directory to the maildrop directory and
+give them another chance.
+
+[Incompat 20021119] The Postfix upgrade procedure will add two new
+services to your master.cf file: "trace" and "verify". These servers
+can run inside a chroot jail, have no interaction with users, and
+don't talk to the network. If Postfix complains that "trace" and
+"verify" are not found, you made the error of copying your old
+Postfix configuration files over the new ones. Execute "postfix
+upgrade-configuration" to repair the Postfix configuration files.
+
+[Incompat 20040331] Support for the non-standard Errors-To: message
+header is removed. This also helps to stop potential attacks that
+rely on bouncing mail to a destination that is not directly reachable
+by the attacker. Specify "enable_errors_to = yes" to get the old
+behavior.
+
+Queue files written by Postfix 2.1 may contain information that
+is incompatible with older Postfix versions:
+
+[Incompat 20040120] Queue files creates with "sendmail -v" are no
+longer compatible with Postfix versions 2.0 and earlier. A new
+record type, "killed", was introduced in order to avoid repeated
+mail delivery reports from mail that could not be delivered due to
+a temporary error condition.
+
+[Incompat 20030125] This release adds a new queue file record type
+for the address specified in "REDIRECT user@domain" actions in
+access maps or header/body_checks. Queue files with these records
+will be rejected by older Postfix versions.
+
+[Feature 20040120] The new queue manager nqmgr has become the
+default qmgr queue manager. For a limited time the old queue manager
+remains available under the name oqmgr. The name nqmgr still works
+but will cause a warning to be logged.
+
+[Incompat 20040413] The Postfix SMTP server no longer accepts mail
+from or to an address ending in "@", including address forms that
+rewrite into an address that ends in "@"). Specify "resolve_null_domain
+= yes" to get the old behavior.
+
+[Incompat 20031226] Postfix no longer allows mail addresses with
+bare numeric IP addresses (user@1.2.3.4). This is not configurable.
+The form user@[ipaddress] is still allowed.
+
+[Incompat 20031226] Bounce messages now have a separate queue life
+time. This is controlled by the bounce_queue_lifetime parameter.
+
+[Incompat 20031019] The authorized_verp_clients parameter was
+renamed to smtpd_authorized_verp_clients, and the default value
+was changed to disable this feature. You now have to turn it on
+explicitly.
+
+Major changes - build environment
+---------------------------------
+
+[Incompat 20030112] The Postfix build procedure now uses the
+pcre-config utility (part of PCRE version 3) to find out the
+pathnames of the PCRE include file and object library, instead of
+probing /usr/include and/or /usr/lib. To build with PCRE version
+2 support you will have to specify pathnames as described in
+PCRE_README. To build without PCRE support, specify: make Makefiles
+CCARGS="-DNO_PRCE".
+
+Major changes - documentation
+-----------------------------
+
+[Feature 20040331] Complete documentation rewrite. All parameters
+are now described in postconf(5), and all commands and daemons are
+shown in their proper context in the OVERVIEW document.
+- All documents come as HTML and ASCII text.
+- All HTML documents have hyperlinks for every parameter name,
+ for every Postfix manual page, and for every README file.
+- All documents specify what feature is available in what release.
+- The sample-*.cf configuration files no longer exist. The information
+ is now available in HTML documents, README files and UNIX man pages).
+- The mumble_table example configuration files no longer exist.
+
+[Incompat 20040413] The LMTP, Cyrus and Qmail related README files will
+not be included in the Postfix version 2.1 distribution. They will
+be made available via http://www.postfix.org/, and in Postfix 2.2
+snapshots.
+
+[Feature 20040413] You can install documentation in HTML format
+besides the README files. Installation of README files is now
+optional.
+
+Major changes - access control
+------------------------------
+
+[Feature 20031215] Easier debugging of SMTPD access restrictions.
+The SMTP command "xclient name=xxx addr=yyy" changes Postfix's idea
+of the remote client name and address, so that you can pretend to
+connect from anywhere on the Internet. Use of this command is
+restricted to clients that match the list of names or addresses
+specified with the smtpd_authorized_xclient_hosts parameter. By
+default, XCLIENT is not accepted from anywhere. More details are
+in the XCLIENT_README file.
+
+[Feature 20030715] Support for multi-valued RBL lookup results.
+For example, specify "reject_rbl_client foo.bar.tld=127.0.0.3" to
+reject clients that are listed with a "127.0.0.3" address record.
+More information is in the postconf(5) manual page.
+
+[Feature 20030917] New "check_{helo,sender,recipient}_{ns,mx}_access
+type:table" restrictions that apply the specified access table to
+the NS or MX hosts of the host/domain given in HELO, EHLO, MAIL
+FROM or RCPT TO commands. More information is in the postconf(5)
+manual page.
+
+This can be used to block mail from so-called spammer havens (all
+domains that are served by the same DNS server, all domains that
+resolve to the same MX host), from sender addresses that resolve
+to Verisign's wild-card mail responder, or from domains that claim
+to have mail servers in reserved networks such as 127.0.0.1.
+
+Note: OK actions are not allowed for security reasons. Instead of
+OK, use DUNNO in order to exclude specific hosts from blacklists.
+If an OK result is found for an NS or MX host, Postfix rejects the
+SMTP command with "451 Server configuration error".
+
+[Feature 20040413] Support for a "WARN text..." feature in SMTPD
+access tables, just like the WARN feature in header/body_checks.
+
+[Feature 20040122] New "PREPEND headername: headervalue" action in
+Postfix access maps. Primarily intended for tagging mail by for
+example, an external SMTPD policy server. See access(5).
+
+[Feature 20040124] New "PREPEND text" action in Postfix header/body_checks
+maps. This action prepends a header or body line immediately before
+the line that triggers the action. See header_checks(5) for details.
+
+[Feature 20030125] New "REDIRECT user@domain" action for access
+maps and header/body_checks that overrides all the originally
+specified recipients of a message. Wietse would never recommend
+that people use this to redirect (bounced) SPAM to the beneficiaries
+of an advertisement campaign. See access(5) and header_checks(5).
+
+[Feature 20031215] The reject_sender_login_mismatch feature (used
+with SASL authenticated logins) is now implemented in terms of more
+basic restrictions: reject_unauth_sender_login_mismatch (reject
+mail when $sender_login_maps lists an owner for the sender address
+but the SMTP client is not SASL authenticated) and
+reject_auth_sender_login_mismatch (reject mail when the sender
+address is not owned by the SASL authenticated user). The
+sender_login_maps now support multiple owners per sender address.
+See postconf(5) for details.
+
+Major changes - address verification
+------------------------------------
+
+[Feature 20021119] Address verification blocks mail from or to
+addresses that are not deliverable. This is turned on with the
+reject_unverified_sender UCE restriction. Addresses are verified
+by probing, that is, by sending mail that is not actually delivered
+(SMTP interruptus). Detailed information is in the
+ADDRESS_VERIFICATION_README file.
+
+Address verification can follow a different route than ordinary
+mail, typically to avoid sending probes to a relay host. To make
+this possible, the address resolver supports multiple personalities.
+For more detail see the ADDRESS_VERIFICATION_README file.
+
+New "sendmail -bv" option. Postfix probes the specified recipient
+addresses without actually delivering mail, and sends back an email
+delivery report. This is useful for testing address rewriting and
+address routing, and shows the final envelope and header addresses.
+This feature currently does not access or update the sender address
+verification database.
+
+Major changes - content inspection
+----------------------------------
+
+[Feature 20030704] The Postfix SMTP server can be configured to
+send all mail into a real-time content filter that inspects mail
+BEFORE it is queued. See the SMTPD_PROXY_README file for details.
+
+[Feature 20031022] Improved logging by Postfix daemons behind an
+SMTP-based proxy filter. The logging now shows the remote client
+name and address, instead of localhost[127.0.0.1]. This uses the
+new SMTP command "XFORWARD addr=client-address name=client-hostname",
+which specifies remote client information for logging purposes.
+This command is restricted to clients that match the list of names
+or addresses specified with the smtpd_authorized_xforward_hosts
+parameter. By default, XFORWARD is not accepted from anywhere.
+For an example, see the SMTPD_PROXY_README file.
+
+[Feature 20030706] New receive_override_options parameter that
+eliminates the need for different cleanup service instances before
+and after an external content filter. One parameter controls what
+happens before or after the content filter: rejecting unknown
+recipients, canonical mapping, virtual alias expansion, masquerading,
+automatic BCC recipients and header/body checks. See postconf(5)
+for the fine details.
+
+[Feature 20040124] New "PREPEND text" action in Postfix header/body_checks
+maps. This action prepends a header or body line immediately before
+the line that triggers the action. See header_checks(5) for details.
+
+[Feature 20030125] New "REDIRECT user@domain" action for access maps
+and header/body_checks that overrides all the originally specified
+recipients of a message. Wietse would never recommend that people
+use this to redirect (bounced) SPAM to the beneficiaries of an
+advertisement campaign. See header_checks(5) and access(5).
+
+[Incompat 20030915] In header/body_checks actions, the OK action
+is being phased out, and the DUNNO action is being phased in. Both
+actions still work and do the same thing, but hopefully DUNNO causes
+less confusion. See header_checks(5) for details.
+
+Major changes - policy delegation
+---------------------------------
+
+[Feature 20030715] Support for SMTP access policy delegation to an
+external server. Greylisting and SPF are provided as examples.
+See the SMTPD_POLICY_README file for further information.
+
+Major changes - client rate limiting
+------------------------------------
+
+Note: this feature is not included with Postfix 2.1, but it is
+documented here so that the information will not be lost.
+
+[Feature 20031111] Preliminary defense against SMTP clients that
+hammer an SMTP server with too many connections. By default, the
+number of simultaneous connections per client is limited to half
+the default process limit, and no limit is imposed on the number
+of successive connections per time unit that a client is allowed
+to make.
+
+The new anvil server maintains the connection statistics, and logs
+the maximum connection count and connection rate per client every
+anvil_status_update_time seconds (10 minutes), or when it terminates
+(when there is no work to be done, or when "postfix reload" was
+issued). Once you have an idea what the numbers look like, you can
+clamp down the limits for your system.
+
+The relevant main.cf configuration parameters are: smtpd_client-
+connection_count_limit for the number of simultaneous connections
+per client, and smtpd_client_connection_rate_limit for the number
+of successive connections per unit time and client. The time unit
+is specified with the anvil_rate_time_unit parameter, and is one
+minute by default.
+
+When Postfix rejects a client, it sends a 450 status code and
+disconnects, and logs a warning with the client name/address and
+the service name from master.cf. You can, for example, capture this
+information with a logfile watching program that updates a firewall
+rule (such a watcher program is not included with Postfix).
+
+To avoid rejecting authorized hosts, the smtpd_client_connection-
+limit_exceptions parameter takes a list of network/netmask expressions,
+hostnames or .domain names that are excluded from these restrictions.
+By default, all clients in $mynetworks are excluded; you will
+probably want to use a more restrictive setting.
+
+For further information, see: smtpd(8) and anvil(8).
+
+Major changes - configuration management
+----------------------------------------
+
+[Feature 20040413] New postfix(1) command features:
+
+- "postfix set-permissions" corrects Postfix file and directory
+ permissions and allows you to change mail_owner or setgid_group
+ settings after Postfix is installed.
+
+- "postfix upgrade-configuration" fixes Postfix systems after people
+ copy over their old configuration files after installing a new
+ Postfix system.
+
+See postfix(1) for details.
+
+[Incompat 20040120] The format of the postfix-files file has changed.
+There is a new type for hard links. With hard or symbolic link
+entries, the first field is now the destination pathname and the
+"owner" field is now the origin pathname, while "group" and
+"permissions" are ignored.
+
+Major changes - core functionality
+----------------------------------
+
+[Feature 20030704] New enable_original_recipient parameter (default:
+yes) to control whether Postfix keeps track of original recipient
+address information. If this is turned off Postfix produces no
+X-Original-To: headers and ignores the original recipient when
+eliminating duplicates after virtual alias expansion. Code by Victor
+Duchovni.
+
+[Feature 20030417] Automatic BCC recipients depending on sender or
+recipient address. The configuration parameters in question are
+"sender_bcc_maps" and "recipient_bcc_maps". See postconf(5).
+
+[Incompat 20030415] Too many people mess up their net/mask patterns,
+causing open mail relay problems. Postfix processes now abort when
+given a net/mask pattern with a non-zero host portion (for example,
+168.100.189.2/28), and suggest to specify the proper net/mask
+pattern instead (for example, 168.100.189.0/28).
+
+[Feature 20030415] Workaround for file system clock drift that
+caused Postfix to ignore new mail (this could happen with file
+systems mounted from a server). Postfix now logs a warning and
+proceeds with only slightly reduced performance, instead of ignoring
+new mail.
+
+Major changes - database support
+--------------------------------
+
+Liviu Daia took the lead in a revision of the LDAP, MySQL and
+PostgreSQL clients. Credits also go to Victor Duchovni and to
+Lamont Jones.
+
+[Feature 20030915] LDAP parameters can now be defined in external
+files. Specify the LDAP maps in main.cf as
+ ldap:/path/to/ldap.cf
+and write the LDAP parameters in /path/to/ldap.cf, without the
+"ldapsource_" prefix. This makes it possible to securely store
+bind passwords for plain auth outside of main.cf (which must be
+world readable). The old syntax still works, for backwards
+compatibility.
+
+[Feature 20030915] Support for LDAP URLs in the LDAP parameter
+"server_host", if Postfix is linked against OpenLDAP. LDAP hosts,
+ports, and connection protocols to be used as LDAP sources can be
+specified as a blank-separated list of LDAP URLs in "server_host".
+As with OpenLDAP, specifying a port in a LDAP URL overrides
+"server_port". Examples:
+ server_host = ldap://ldap.itd.umich.edu
+ server_host = ldaps://ldap.itd.umich.edu:636
+ server_host = ldapi://%2Fsome%2Fpath
+
+[Feature 20030915] The LDAP SSL scheme ldaps:// is available if
+OpenLDAP was compiled with SSL support. New parameters "tls_ca_cert_dir",
+"tls_ca_cert_file", "tls_cert", "tls_key", "tls_require_cert",
+"tls_random_file", "tls_cipher_suite" control the certificates,
+source of random numbers, and cipher suites used for SSL connections.
+See LDAP_README for further information.
+
+[Feature 20030915] Support for STARTTLS command in LDAP, if Postfix
+is linked against OpenLDAP and OpenLDAP was compiled with SSL
+support. STARTTLS is controlled by the "start_tls" parameter.
+The above parameters for certificates, source of random numbers,
+and cipher suites also apply. See LDAP_README for further information.
+
+[Incompat 20030704] Support for client side LDAP caching is gone.
+OpenLDAP 2.1.13 and later no longer support it, and the feature
+never worked well. Postfix now ignores cache controlling parameters
+in an LDAP configuration file and logs a warning.
+
+[Feature 20030415] PostgreSQL table lookups. Specify "pgsql:/file/name"
+where "/file/name" defines the database. See "man pgsql_table" for
+examples, and the PGSQL_README file for general information.
+
+Major changes - internals
+-------------------------
+
+[Incompat 20040120] The format of the postfix-files file has changed.
+There is a new type for hard links. With hard or symbolic link
+entries, the first field is now the destination pathname and the
+"owner" field is now the origin pathname, while "group" and
+"permissions" are ignored.
+
+[Incompat 20040120] The LDAP and SQL client source code is moved
+to the global directory in order to eliminate reversed dependencies.
+
+[Feature 20030606] Complete rewrite of the queue file record reading
+loops in the pickup, cleanup and in the queue manager daemons. This
+code had deteriorated over time. The new code eliminates an old
+problem where the queue manager had to read most queue file records
+twice in the case of an alias/include file expansion with more than
+qmgr_message_recipient_limit recipients.
+
+[Feature 20030125] Code cleanup up of queue manager internals.
+Queue names are no longer mixed up with the next-hop destination,
+and the address resolver loop is now easier to understand.
+
+[Feature 20030104] Multi-server daemons (servers that accept
+simultaneous connections from multiple clients) will now stop
+accepting new connections after serving $max_use clients. This
+allows multi-server daemons to automatically restart even on busy
+mail systems.
+
+[Feature 20030104] Clients of multi-server daemons such as
+trivial-rewrite and the new proxymap service now automatically
+disconnect after $ipc_ttl seconds of activity (default: 1000s).
+This allows multi-server daemons to automatically restart even on
+busy mail systems.
+
+[Incompat 20021119] The file format of bounce/defer logfiles has
+changed from the old one-line ad-hoc format to a more structured
+multi-line format. For backwards compatibility, Postfix now creates
+bounce/defer logfile entries that contain both the old and the new
+format, so that you can go back to an older Postfix release without
+losing information. Old Postfix versions will warn about malformed
+logfile entries, but should work properly. To disable backwards
+compatibility specify "backwards_bounce_logfile_compatibility =
+no" in main.cf.
+
+[Feature 20021119] Both "sendmail -bv" and "sendmail -v" use the
+new "trace" daemon that is automatically added to master.cf when
+you upgrade.
+
+Major changes - logging
+-----------------------
+
+[Incompat 20040413] The postmap and postalias commands now report
+errors to syslogd in addition to reporting them to the standard
+error output. This makes logfile analysis easier.
+
+[Incompat 20031203] Many SMTPD "reject" logfile entries now show
+NOQUEUE instead of a queue ID. This is because Postfix no longer
+creates a queue file before the SMTP server has received a valid
+recipient.
+
+Major changes - lookup table support
+------------------------------------
+
+[Feature 20030704] New CIDR-based lookup table, remotely based on
+code by Jozsef Kadlecsik. For details and examples, see "man
+cidr_table".
+
+[Feature 20030704] The TCP-based table lookup protocol is finished.
+For details and examples, see "man tcp_table". This will allow you
+to implement your own greylisting, or to do your own open proxy
+tests before accepting mail. This table will not be included with
+Postfix 2.1 because the protocol is obsoleted by the policy delegation
+(see elsewhere in this document) which does a much better job.
+
+[Feature 20030704] Support for !/pattern/ (negative matches) in
+PCRE lookup tables by Victor Duchovni. See "man pcre_table" and
+"man regexp_table" for more.
+
+Major changes - resource control
+--------------------------------
+
+[Incompat 20031022] The Postfix SMTP server no longer accepts mail
+when the amount of free queue space is less than 1.5 times the
+message_size_limit value.
+
+Major changes - security
+------------------------
+
+[Incompat 20040413] The Postfix SMTP server no longer accepts mail
+from or to an address ending in "@", including address forms that
+rewrite into an address that ends in "@"). Specify "resolve_null_domain
+= yes" to get the old behavior.
+
+[Incompat 20040331] Support for the non-standard Errors-To: message
+header is removed. This also helps to stop potential attacks that
+rely on bouncing mail to a destination that is not directly reachable
+by the attacker. Specify ""enable_errors_to = yes" to get the old
+behavior.
+
+[Incompat 20040331] Tarpit delays are reduced. The Postfix SMTP
+server no longer delays responses until the client has made
+$smtpd_soft_error_limit errors, and the delay is fixed at
+$smtpd_error_sleep_time seconds. Postfix still disconnects after
+$smtpd_hard_error_limit errors.
+
+[Incompat 20040120] The SMTP server can reject non-existent sender
+addresses in a local, virtual or relay domain; specify
+"reject_unlisted_sender=yes" in order to require that a sender
+address passes the same "user unknown" test as a recipient would
+have to pass. This is optional in Postfix 2.1, likely to be turned
+on by default in Postfix 2.2.
+
+[Incompat 20031226] Postfix no longer allows mail addresses with
+bare numeric IP addresses (user@1.2.3.4). This is not configurable.
+The form user@[ipaddress] is still allowed.
+
+[Incompat 20030305] Postfix truncates non-address information in message
+address headers (comments, etc.) to 250 characters per address, in
+order to protect vulnerable Sendmail systems against exploitation
+of a remote buffer overflow problem (CERT advisory CA-2003-07).
+
+[Incompat 20030227] The smtpd_hard_error_limit and smtpd_soft_error_limit
+values now behave as documented, that is, smtpd_hard_error_limit=1
+causes Postfix to disconnect upon the first client error. Previously,
+there was an off-by-one error causing Postfix to change behavior
+after smtpd_hard/soft_error_limit+1 errors.
+
+Major changes - smtp client
+---------------------------
+
+[Incompat 20031223] The SMTP client now tries to connect to an
+alternate MX address when a delivery attempt fails **after the
+initial SMTP handshake**. This includes both broken connections
+and 4XX SMTP replies. To get the old behavior, specify
+"smtp_mx_session_limit = 1" in main.cf.
+
+[Feature 20031223] The SMTP client now tries to connect to an
+alternate MX address when a delivery attempt fails after the
+initial SMTP handshake. This includes both broken connections
+and 4XX SMTP replies.
+
+As a benefit, fallback_relay now works as promised, not just for
+sessions that fail during the initial handshake.
+
+The new SMTP client connection management is controlled by two new
+configuration parameters:
+
+- smtp_mx_address_limit (default unlimited): the number of MX (mail
+ exchanger) IP addresses that can result from mail exchanger
+ lookups.
+
+- smtp_mx_session_limit (default 2): the number of SMTP sessions
+ per delivery request before giving up or delivering to a fall-back
+ relay, ignoring IP addresses that fail to complete the SMTP
+ initial handshake.
+
+[Incompat 20031022] Postfix no longer retries delivery when no MX
+host has a valid A record, for compatibility with many other MTAs.
+This change is made in anticipation of a possible Verisign "wild-card
+MX record without A record" for unregistered domains. To get the
+old behavior, specify "smtp_defer_if_no_mx_address_found = yes".
+
+[Incompat 20031022] The Postfix SMTP client no longer looks in
+/etc/hosts by default. To get the old behavior, specify
+"smtp_host_lookup = dns, native".
+
+[Feature 20030417] Support for sending mail to hosts not in the
+DNS, without having to turn off DNS lookups. The "smtp_host_lookup"
+parameter controls how the Postfix SMTP client looks up hosts. In
+order to use /etc/hosts besides DNS, specify "smtp_host_lookup =
+dns, native". The default is to use DNS only.
+
+Major changes - user interface
+------------------------------
+
+[Incompat 20040418] The non-delivery report format has changed.
+The "sorry" message and the DSN formatted report now include the
+original recipient address, when that address is different from
+the final recipient address. This makes it easier to diagnose some
+mail delivery problems that happen after mail forwarding.
+
+[Incompat 20031223] In mailq (queue listing) output, there no longer
+is space between a short queue ID and the "*" (delivery in progress)
+or ! (mail on hold) status indicator. This makes the output easier
+to parse.
+
+[Incompat 20030417] "sendmail -t" no longer complains when recipients
+are given on the command line. Instead, it now adds recipients from
+headers to the recipients from the command-line.
+
+[Incompat 20030126] The maildir file naming algorithm has changed
+according to an updated version of http://cr.yp.to/proto/maildir.html.
+The name is now TIME.VdevIinum.HOST
+
+[Incompat 20021119] The behavior of "sendmail -v" has changed. One
+-v option now produces one email report with the status of each
+recipient. Multiple -v options behave as before: turn on verbose
+logging in the sendmail and postdrop commands.
+
+[Feature 20021119] New "sendmail -bv" option. Postfix probes the
+specified recipient addresses without actually delivering mail,
+and sends back an email delivery report. This is useful for testing
+address rewriting and address routing of both envelope and header
+addresses. This feature currently does not access or update the
+sender address verification database.
+
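Review bot: in the "Major changes - security" section the Errors-To entry reads ""enable_errors_to = yes" with a doubled opening quote, and the entry on addresses ending in "@" closes a parenthesis after "ends in "@"" that was never opened; both sit next to settings an administrator may copy, so they are worth correcting. In "Major changes - smtp client", the [Incompat 20031223] and [Feature 20031223] entries repeat the same sentences about trying an alternate MX address, and only the Incompat copy wraps "after the initial SMTP handshake" in ** markers that nothing else in this plain-text file uses. Smaller points: "Code cleanup up of" in the first entry of this span, and the maildir entry ends "TIME.VdevIinum.HOST" without a period.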
diff --git a/RELEASE_NOTES-2.10 b/RELEASE_NOTES-2.10
new file mode 100644
index 0000000..1140ce1
--- /dev/null
+++ b/RELEASE_NOTES-2.10
@@ -0,0 +1,268 @@
+The stable Postfix release is called postfix-2.10.x where 2=major
+release number, 10=minor release number, x=patchlevel. The stable
+release never changes except for patches that address bugs or
+emergencies. Patches change the patchlevel and the release date.
+
+New features are developed in snapshot releases. These are called
+postfix-2.11-yyyymmdd where yyyymmdd is the release date (yyyy=year,
+mm=month, dd=day). Patches are never issued for snapshot releases;
+instead, a new snapshot is released.
+
+The mail_release_date configuration parameter (format: yyyymmdd)
+specifies the release date of a stable release or snapshot release.
+
+If you upgrade from Postfix 2.8 or earlier, read RELEASE_NOTES-2.9
+before proceeding.
+
+Major changes - laptop-friendliness
+-----------------------------------
+
+[Incompat 20120924] Postfix no longer uses FIFOs to emulate UNIX-domain
+sockets on Solaris 9 (Vintage 2002!) and later. If you install
+Postfix for the first time on an older Solaris system, edit the
+master.cf file and replace "unix" with "fifo" for the pickup and
+qmgr services.
+
+[Feature 20120924] the default master.cf file now uses "unix" instead
+of "fifo" for the pickup and qmgr services. This avoids periodic
+disk drive spin-up.
+
+Major changes - permit logging
+------------------------------
+
+[Feature 20120303] [Feature 20120303] New control for "permit"
+logging in smtpd_mumble_restrictions (by default, the SMTP server
+logs "reject" actions but not "permit" actions). Specify
+"smtpd_log_access_permit_actions = static:all" to log all "permit"-style
+actions, or specify a list of explicit action names. More details
+are in the postconf(5) manpage.
+
+Major changes - postconf
+------------------------
+
+[Incompat 20121224] The postconf command produces more warnings:
+
+- An attempt to modify a read-only parameter (process_name, process_id)
+ in main.cf or master.cf.
+
+- An undefined $name in a parameter value in main.cf or master.cf
+ (except for backwards-compatibility parameters such as $virtual_maps).
+
+[Feature 20121224] The postconf command has been updated to make
+trouble-shooting (and support) easier. In summary, use "postconf
+-Mxf" and "postconf -nxf" to review master.cf and main.cf parameter
+settings with expanded parameter values.
+
+- "postconf -x" now expands $name in main.cf and master.cf parameter
+ values.
+
+- postconf warns about attempts to modify a read-only parameter
+ (process_name, process_id) in main.cf or master.cf.
+
+- postconf warns about an undefined $name in a parameter value in
+ main.cf or master.cf (except for backwards-compatibility parameters
+ such as $virtual_maps).
+
+[Feature 20121227]
+
+- "postconf -o name=value" overrides main.cf parameter settings.
+ This can be used, for example, to examine stress-dependent settings
+ with "postconf -x -o stress=yes".
+
+Major changes - postscreen
+--------------------------
+
+[Incompat 20121123] The postscreen deep protocol tests now log the
+last command before a protocol error ("UNIMPLEMENTED" when the last
+command is not implemented, "CONNECT" when there was no prior
+command). The changed logfile messages are:
+
+NON-SMTP COMMAND from [address]:port after command: text
+BARE NEWLINE from [address]:port after command
+COMMAND TIME LIMIT from [address]:port after command
+COMMAND COUNT LIMIT from [address]:port after command
+COMMAND LENGTH LIMIT from [address]:port after command
+
+Major changes - load-balancer support
+-------------------------------------
+
+[Incompat 20120625] The postscreen(8)-to-smtpd(8) protocol has
+changed. To avoid "cannot receive connection attributes" warnings
+and dropped connections, execute the command "postfix reload". No
+mail will be lost as long as the remote SMTP client tries again
+later.
+
+[Feature 20120625] Support for upstream proxy agent in the postscreen(8)
+and smtpd(8) daemons. To enable the haproxy protocol, specify one
+of the following:
+
+ postscreen_upstream_proxy_protocol = haproxy
+ smtpd_upstream_proxy_protocol = haproxy
+
+Note 1: smtpd_upstream_proxy_protocol can't be used in smtpd processes
+that are behind postscreen. Configure postscreen_upstream_proxy_protocol
+instead.
+
+Note 2: To use the nginx proxy with smtpd(8), enable the XCLIENT
+protocol with smtpd_authorized_xclient_hosts. This supports SASL
+authentication in the proxy agent (Postfix 2.9 and later).
+
+Major changes - relay safety
+----------------------------
+
+[Incompat 20130613] New smtpd_relay_restrictions parameter built-in
+default settings:
+
+ smtpd_relay_restrictions =
+ permit_mynetworks
+ permit_sasl_authenticated
+ defer_unauth_destination
+
+This safety net prevents open relay problems due to mistakes
+with spam filter rules in smtpd_recipient_restrictions.
+
+If your site has a complex mail relay policy configured under
+smtpd_recipient_restrictions, this safety net may defer mail that
+Postfix should accept.
+
+To fix this safety net, take one of the following actions:
+
+- Set smtpd_relay_restrictions empty, and keep using the existing
+ mail relay authorization policy in smtpd_recipient_restrictions.
+
+- Copy the existing mail relay authorization policy from
+ smtpd_recipient_restrictions to smtpd_relay_restrictions.
+
+There is no need to change the value of smtpd_recipient_restrictions.
+
+[Feature 20130613] This version introduces the smtpd_relay_restrictions
+feature for mail relay control. The new built-in default settings
+are:
+
+ smtpd_relay_restrictions =
+ permit_mynetworks
+ permit_sasl_authenticated
+ defer_unauth_destination
+
+ smtpd_recipient_restrictions =
+ ( optional spam blocking rules would go here )
+
+For comparison, this is the Postfix before 2.10 default:
+
+ smtpd_recipient_restrictions =
+ permit_mynetworks
+ reject_unauth_destination
+ ( optional spam blocking rules would go here )
+
+With Postfix versions before 2.10, the mail relay policy and spam
+blocking policy were combined under smtpd_recipient_restrictions,
+resulting in error-prone configuration.
+
+As of Postfix 2.10, the mail relay policy is preferably implemented
+with smtpd_relay_restrictions, so that a permissive spam blocking
+policy under smtpd_recipient_restrictions will not unexpectedly
+result in a permissive mail relay policy.
+
+As of Postfix 2.10.0 the smtpd_relay_restrictions parameter built-in
+default settings are:
+
+ smtpd_relay_restrictions =
+ permit_mynetworks
+ permit_sasl_authenticated
+ defer_unauth_destination
+
+If your site has a complex mail relay policy configured under
+smtpd_recipient_restrictions, this safety net may defer mail that
+Postfix should accept.
+
+To migrate from an earlier Postfix release with the least amount
+of pain:
+
+- Set smtpd_relay_restrictions empty, and keep using the existing
+ mail relay authorization policy in smtpd_recipient_restrictions.
+
+- There is no need to change the value of smtpd_recipient_restrictions.
+
+To take advantage of the new smtpd_relay_restrictions feature:
+
+- Copy the existing mail relay authorization policy from
+ smtpd_recipient_restrictions to smtpd_relay_restrictions.
+
+- There is no need to change the value of smtpd_recipient_restrictions.
+
+Major changes - start-up
+------------------------
+
+[Feature 20120306] New master "-w" option, to wait for master daemon
+process initialization to complete. This feature returns an error
+exit status if master daemon initialization fails, or if it does
+not complete in a reasonable amount of time. The exit status is
+used by "postfix start" to provide more accurate information to
+system start-up scripts.
+
+Major changes - tls
+-------------------
+
+[Incompat 20130203] Thanks to OpenSSL documentation, the Postfix
+2.9.0..2.9.5 SMTP client and server server used an incorrect procedure
+to compute TLS certificate PUBLIC-KEY fingerprints (these may be
+used in the check_ccert_access and in smtp_tls_policy_maps features).
+Support for certificate PUBLIC-KEY finger prints was introduced
+with Postfix 2.9; there is no known problem with the certificate
+fingerprint algorithms available since Postfix 2.2.
+
+Certificate PUBLIC-KEY finger prints may be used in the Postfix
+SMTP server (with "check_ccert_access") and in the Postfix SMTP
+client (with the "fingerprint" security level).
+
+Specify "tls_legacy_public_key_fingerprints = yes" temporarily,
+pending a migration from configuration files with incorrect Postfix
+2.9.0..2.9.5 certificate PUBLIC-KEY finger prints, to the correct
+fingerprints used by Postfix 2.9.6 and later.
+
+To compute the correct PUBLIC-KEY finger prints:
+
+# OpenSSL 1.0 with all certificates and SHA-1 fingerprints.
+$ openssl x509 -in cert.pem -noout -pubkey | \
+ openssl pkey -pubin -outform DER | \
+ openssl dgst -sha1 -c
+
+# OpenSSL 0.9.8 with RSA certificates and MD5 fingerprints.
+$ openssl x509 -in cert.pem -noout -pubkey | \
+ openssl rsa -pubin -outform DER | \
+ openssl dgst -md5 -c
+
+[Feature 20120422] This release adds support to turn off the TLSv1.1
+and TLSv1.2 protocols. Introduced with OpenSSL version 1.0.1, these
+are known to cause inter-operability problems with for example
+hotmail.
+
+The radical workaround is to temporarily turn off problematic
+protocols globally:
+
+/etc/postfix/main.cf:
+ smtp_tls_protocols = !SSLv2, !TLSv1.1, !TLSv1.2
+ smtp_tls_mandatory_protocols = !SSLv2, !TLSv1.1, !TLSv1.2
+
+ smtpd_tls_protocols = !SSLv2, !TLSv1.1, !TLSv1.2
+ smtpd_tls_mandatory_protocols = !SSLv2, !TLSv1.1, !TLSv1.2
+
+However, it may be better to temporarily turn off problematic
+protocols for broken sites only:
+
+/etc/postfix/main.cf:
+ smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
+
+/etc/postfix/tls_policy:
+ example.com may protocols=!SSLv2:!TLSv1.1:!TLSv1.2
+
+Important:
+
+- Note the use of ":" instead of comma or space. Also, note that
+ there is NO space around the "=" in "protocols=".
+
+- The smtp_tls_policy_maps lookup key must match the "next-hop"
+ destination that is given to the Postfix SMTP client. If you
+ override the next-hop destination with transport_maps, relayhost,
+ sender_dependent_relayhost_maps, or otherwise, you need to specify
+ the same destination for the smtp_tls_policy_maps lookup key.
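Review bot: the "radical workaround" under "Major changes - tls" sets smtp_tls_protocols, smtpd_tls_protocols and both mandatory variants to "!SSLv2, !TLSv1.1, !TLSv1.2", which leaves SSLv3 and TLSv1 as the only protocols for every peer, and the text says "temporarily" without saying when the exclusions should be removed. Suggest presenting the per-destination smtp_tls_policy_maps form first and adding a sentence that the exclusions are to be dropped once the affected peer interoperates. The same gap applies to "tls_legacy_public_key_fingerprints = yes": it is described as pending a migration, but nothing says how to recognize when the migration is complete. Smaller points: "[Feature 20120303] [Feature 20120303]" repeats the tag, "SMTP client and server server" repeats a word, and the relay safety section states the smtpd_relay_restrictions defaults three times along with a repeated "If your site has a complex mail relay policy" paragraph.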
diff --git a/RELEASE_NOTES-2.11 b/RELEASE_NOTES-2.11
new file mode 100644
index 0000000..2cf3939
--- /dev/null
+++ b/RELEASE_NOTES-2.11
@@ -0,0 +1,280 @@
+The stable Postfix release is called postfix-2.11.x where 2=major
+release number, 11=minor release number, x=patchlevel. The stable
+release never changes except for patches that address bugs or
+emergencies. Patches change the patchlevel and the release date.
+
+New features are developed in snapshot releases. These are called
+postfix-2.12-yyyymmdd where yyyymmdd is the release date (yyyy=year,
+mm=month, dd=day). Patches are never issued for snapshot releases;
+instead, a new snapshot is released.
+
+The mail_release_date configuration parameter (format: yyyymmdd)
+specifies the release date of a stable release or snapshot release.
+
+If you upgrade from Postfix 2.9 or earlier, read RELEASE_NOTES-2.10
+before proceeding.
+
+Major changes - tls
+-------------------
+
+[Documentation 20131218] The new FORWARD_SECRECY_README document
+conveniently presents all information about Postfix "perfect" forward
+secrecy support in one place: what forward secrecy is, how to tweak
+settings, and what you can expect to see when Postfix uses ciphers
+with forward secrecy.
+
+[Feature 20130602] Support for PKI-less TLS server certificate
+verification, where the CA public key or the server certificate is
+identified via DNSSEC lookup.
+
+This feature introduces new TLS security levels called "dane" and
+"dane-only" (DNS-based Authentication of Named Entities) that use
+DNSSEC to look up CA or server certificate information. The details
+of DANE core protocols are still evolving, as are the details of
+how DANE should be used in the context of SMTP. Postfix implements
+what appears to be a "rational" subset of the DANE profiles that
+is suitable for SMTP.
+
+The problem with conventional PKI is that there are literally
+hundreds of organizations world-wide that can provide a certificate
+in anyone's name. There have been widely-published incidents in
+recent history where a certificate authority gave out an inappropriate
+certificate (e.g., a certificate in the name of Microsoft to someone
+who did not represent Microsoft), where a CA was compromised (e.g.,
+DigiNotar, Comodo), or where a CA made operational mistakes (e.g.,
+TURKTRUST). Another concern is that a legitimate CA might be coerced
+to provide a certificate that allows its government to play
+man-in-the-middle on TLS traffic and observe the plaintext.
+
+Major changes - LMDB database support
+-------------------------------------
+
+LMDB is a memory-mapped database that was originally developed as
+part of OpenLDAP. The Postfix LMDB driver was originally contributed
+by Howard Chu, LMDB's creator.
+
+LMDB can be used for all Postfix lookup tables and caches. It is
+the first persistent Postfix database that can be shared among
+multiple writers such as postscreen daemons (Postfix already supported
+shared non-persistent memcached caches). See lmdb_table(5) and
+LMDB_README for further information, including how to access Postfix
+LMDB databases with non-Postfix programs.
+
+Postfix currently requires LMDB version 0.9.11 or later. The minimum
+version may change over time in the light of deployment experience.
+
+Major changes - postscreen whitelisting
+---------------------------------------
+
+[Feature 20130512] Allow a remote SMTP client to skip postscreen(8)
+tests based on its postscreen_dnsbl_sites score.
+
+Specify a negative "postscreen_dnsbl_whitelist_threshold" value to
+enable this feature. When a client passes the threshold value
+without having failed other tests, all pending or disabled tests
+are flagged as completed.
+
+This feature can mitigate the email delays due to "after 220 greeting"
+protocol tests, which otherwise require that a client reconnects
+before it can deliver mail. Some providers such as Google don't
+retry from the same IP address. This can result in large email
+delivery delays.
+
+Major changes - recipient_delimiter
+-----------------------------------
+
+[Feature 20130405] The recipient_delimiter parameter can now specify
+a set of characters. A user name is now separated from its address
+extension by the first character that matches the recipient_delimiter
+set.
+
+For example, specify "recipient_delimiter = +-" to support both the
+Postfix-style "+" and the qmail-style "-" extension delimiter.
+
+As before, this implementation recognizes one delimiter character
+per email address, and one address extension per email address.
+
+Major changes - smtpd access control
+------------------------------------
+
+[Feature 20131031] The check_sasl_access feature can be used to
+block hijacked logins. Like other check_mumble_access features it
+queries a lookup table (in this case with the SASL login name), and
+it supports the same actions as any Postfix access(5) table.
+
+[Feature 20130924] The reject_known_sender_login_mismatch feature
+applies reject_sender_login_mismatch only to MAIL FROM addresses
+that are known in $smtpd_sender_login_maps.
+
+Major changes - MacOS X
+-----------------------
+
+[Feature 20130325] Full support for kqueue() event handling which
+scales better with large numbers of file handles, plus a workaround
+for timeout handling on file handles (such as /dev/urandom) that
+still do not correctly support poll().
+
+Major changes - master
+----------------------
+
+[Incompat 20131217] The master_service_disable parameter value
+syntax has changed: use "service/type" instead of "service.type".
+The new form is consistent with postconf(1) namespaces for master.cf.
+The old form is still supported to avoid breaking existing
+configurations.
+
+Major changes - milter
+----------------------
+
+[Feature 20131126] Support for ESMTP parameters "NOTIFY" and "ORCPT"
+in the SMFIR_ADDRCPT_PAR (add recipient with parameters) request.
+Credits: Andrew Ayer.
+
+Major changes - mysql
+---------------------
+
+[Feature 20131117] MySQL client support for option_file, option_group,
+tls_cert_file, tls_key_file, tls_CAfile, tls_CApath, tls_verify_cert.
+Credits: Gareth Palmer.
+
+Major changes - postconf
+------------------------
+
+[Feature 20131217] Support for advanced master.cf query and update
+operations. This was implemented primarily to support automated
+system management tools.
+
+The goal is to make all Postfix master.cf details accessible as
+lists of "name=value" pairs, where the names are organized into
+structured name spaces. This allows other programs to query
+information or request updates, without having to worry about the
+exact layout of master.cf files.
+
+Managing master.cf service attributes
+-------------------------------------
+
+First, an example that shows the smtp/inet service in the traditional
+form:
+
+ $ postconf -M smtp/inet
+ smtp inet n - n - - smtpd
+
+Different variants of this command show different amounts of output.
+For example, "postconf -M smtp" enumerates all services that have
+a name "smtp" and any service type ("inet", "unix", etc.), and
+"postconf -M" enumerates all master.cf services.
+
+General rule: each name component that is not present becomes a "*"
+wildcard.
+
+Coming back to the above example, the postconf -F option can now
+enumerate the smtp/inet service fields as follows:
+
+ $ postconf -F smtp/inet
+ smtp/inet/service = smtp
+ smtp/inet/type = inet
+ smtp/inet/private = n
+ smtp/inet/unprivileged = -
+ smtp/inet/chroot = n
+ smtp/inet/wakeup = -
+ smtp/inet/process_limit = -
+ smtp/inet/command = smtpd
+
+This form makes it very easy to change one field in master.cf.
+For example to turn on chroot on the smtp/inet service you use:
+
+ $ postconf -F smtp/inet/chroot=y
+ $ postfix reload
+
+Moreover, with "-F" you can specify "*" for service name or service
+type to get a wild-card match. For example, to turn off chroot on
+all Postfix daemons, use this:
+
+ $ postconf -F '*/*/chroot=n'
+ $ postfix reload
+
+Managing master.cf service "-o parameter=value" settings
+--------------------------------------------------------
+
+For a second example, let's look at the submission service. This
+service typically has multiple "-o parameter=value" overrides. First
+the traditional view:
+
+ $ postconf -Mf submission
+ submission inet n - n - - smtpd
+ -o smtpd_tls_security_level=encrypt
+ -o smtpd_sasl_auth_enable=yes
+ ...
+
+The postconf -P option can now enumerate these parameters as follows:
+
+ $ postconf -P submission
+ submission/inet/smtpd_sasl_auth_enable = yes
+ submission/inet/smtpd_tls_security_level = encrypt
+ ...
+
+Again, this form makes it very easy to modify one parameter
+setting. For example, to change the smtpd_tls_security_level setting
+for the submission/inet service:
+
+ $ postconf -P 'submission/inet/smtpd_tls_security_level=may'
+
+You can create or remove a parametername=parametervalue setting:
+
+Create:
+ $ postconf -P 'submission/inet/parametername=parametervalue'
+
+Remove:
+ $ postconf -PX submission/inet/parametername
+
+Finally, always execute "postfix reload" after updating master.cf.
+
+Managing master.cf service entries
+----------------------------------
+
+Finally, adding master.cf entries is possible, but currently this
+does not yet have "advanced" support. It can only be done at the
+level of the traditional master.cf file format.
+
+Suppose that you need to configure a Postfix SMTP client that will
+handle slow email deliveries. To implement this you need to clone
+the smtp/unix service settings and create a new delay/unix service.
+
+First, you would enumerate the smtp/unix service like this:
+
+ $ postconf -M smtp/unix
+ smtp unix - - n - - smtp
+
+Then you would copy those fields (except the first field) by hand
+to create the delay/unix service:
+
+ $ postconf -M delay/unix="delay unix - - n - - smtp"
+
+To combine the above steps in one command:
+
+ $ postconf -M delay/unix="`postconf -M smtp/unix|awk '{$1 = "delay"}'`"
+
+This is perhaps not super-convenient for manual cloning, but it
+should be sufficient for programmatic configuration management.
+
+Again, always execute "postfix reload" after updating master.cf.
+
+Deleting or commenting out master.cf entries
+--------------------------------------------
+
+The -X (delete entry) and -# (comment out entry) options already
+exist for main.cf, and they now also work work for entire master.cf
+entries:
+
+Remove main.cf or master.cf entry:
+ $ postconf -X parametername
+ $ postconf -MX delay/unix
+
+Comment out main.cf or master.cf entry:
+ $ postconf -# parametername
+ $ postconf -M# delay/unix
+
+As with main.cf, there is no support to "undo" master.cf changes
+that are made with -X or -#.
+
+Again, always execute "postfix reload" after updating master.cf.
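Review bot: the one-command clone under "Managing master.cf service entries" does not work as written, because the awk program '{$1 = "delay"}' assigns the first field but has no print action, so the command substitution is empty and postconf -M is given delay/unix="" instead of the cloned entry. Suggest awk '{$1 = "delay"; print}' so the rewritten line is actually emitted; the text recommends this form for programmatic configuration management, where the failure would be easy to miss. The wildcard example "postconf -F '*/*/chroot=n'" turns chroot off for every service in one command, and a sentence suggesting a review of the result with "postconf -M" before "postfix reload" would help. Smaller point: "they now also work work for entire master.cf entries" repeats a word.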
diff --git a/RELEASE_NOTES-2.2 b/RELEASE_NOTES-2.2
new file mode 100644
index 0000000..e7e2cd8
--- /dev/null
+++ b/RELEASE_NOTES-2.2
@@ -0,0 +1,443 @@
+The stable Postfix release is called postfix-2.2.x where 2=major
+release number, 2=minor release number, x=patchlevel. The stable
+release never changes except for patches that address bugs or
+emergencies. Patches change the patchlevel and the release date.
+
+New features are developed in snapshot releases. These are called
+postfix-2.3-yyyymmdd where yyyymmdd is the release date (yyyy=year,
+mm=month, dd=day). Patches are never issued for snapshot releases;
+instead, a new snapshot is released.
+
+The mail_release_date configuration parameter (format: yyyymmdd)
+specifies the release date of a stable release or snapshot release.
+
+Main changes with Postfix version 2.2
+-------------------------------------
+
+This is a summary of the changes. These and more are detailed in
+the following sections of this document.
+
+- TLS and IPv6 support are now built into Postfix, based on code
+from third-party patches.
+
+- Extended query interface for LDAP, MySQL and PostgreSQL with free
+form SQL queries, and domain filters to reduce unnecessary lookups.
+
+- SMTP client-side connection reuse. This can dramatically speed
+up deliveries to high-volume destinations that have some servers
+that respond, and some non-responding mail servers.
+
+- By default, Postfix no longer rewrites message headers in mail
+from remote clients. This includes masquerading, canonical mapping,
+replacing "!" and "%" by "@", and appending the local domain to
+incomplete addresses. Thus, spam from poorly written software no
+longer looks like it came from a local user.
+
+- When your machine does not have its own domain name, Postfix can
+now replace your "home network" email address by your ISP account
+in outgoing SMTP mail, while leaving your email address unchanged
+when sending mail to someone on the local machine.
+
+- Compatibility workarounds: you can now selectively turn off ESMTP
+features such as AUTH or STARTTLS in the Postfix SMTP client or
+server, without having to "dumb down" other mail deliveries, and
+without having to use transport maps for outgoing mail.
+
+- Remote SMTP client resource control (the anvil server). This
+allows you to limit the number of connections, or the number of
+MAIL FROM and RCPT TO commands that an SMTP client can send per
+unit time.
+
+- Support for CDB, SDBM and NIS+ databases is now built into Postfix
+(but the CDB and SDBM libraries are not).
+
+- New SMTP access control features, and more.
+
+Major changes - critical
+------------------------
+
+BEFORE upgrading from an older release you MUST stop Postfix, unless
+you're running a Postfix 2.2 snapshot release that already has
+Postfix 2.2 IPV6 and TLS support.
+
+AFTER upgrading from an older release DO NOT copy the old
+master.cf/main.cf files over the new files. Instead, you MUST let
+the Postfix installation procedure update the existing configuration
+files with new service entries.
+
+[Incompat 20041118] The master-child protocol has changed. The
+Postfix master daemon will log warnings about partial status updates
+if you don't stop and start Postfix.
+
+[Incompat 20041023, 20041009] The queue manager to delivery agent
+protocol has changed. Mail will remain queued if you do not restart
+the queue manager.
+
+[Incompat 20050111] The upgrade procedure adds the tlsmgr service
+to the master.cf file. This service entry is not compatible with
+the Postfix/TLS patch.
+
+[Feature 20040919] The upgrade procedure adds the discard service
+to the master.cf file.
+
+[Feature 20040720] The upgrade procedure adds the scache (shared
+connection cache) service to the master.cf file.
+
+Major changes - IPv6 support
+----------------------------
+
+[Feature 20050111] Postfix version 2.2 IP version 6 support based
+on the Postfix/IPv6 patch by Dean Strik and others. IPv6 support
+is always compiled into Postfix on systems that have Postfix
+compatible IPv6 support. On other systems Postfix will simply use
+IP version 4 just like it did before. See the IPV6_README document
+for what systems are supported, and how to turn on IPv6 in main.cf.
+
+[Incompat 20050111] Postfix version 2.2 IPv6 support differs from
+the Postfix/IPv6 patch by Dean Strik in a few minor ways.
+
+- Network protocol support including DNS lookup is selected with
+the inet_protocols parameter instead of the inet_interfaces parameter.
+This is needed so that Postfix will not attempt to deliver mail via
+IPv6 when the system has no IPv6 connectivity.
+
+- The lmtp_bind_address6 feature was omitted. The Postfix LMTP
+client will be absorbed into the SMTP client, so there is no reason
+to keep adding features to the LMTP client.
+
+- The CIDR-based address matching code was rewritten. The new
+behavior is believed to be closer to expectation. The results may
+be incompatible with that of the Postfix/IPv6 patch.
+
+[Incompat 20050117] The Postfix SMTP server now requires that IPv6
+addresses in SMTP commands are specified as [ipv6:ipv6address], as
+described in RFC 2821.
+
+Major changes - TLS support
+---------------------------
+
+[Feature 20041210] Postfix version 2.2 TLS support, based on the
+Postfix/TLS patch by Lutz Jaenicke. TLS support is not compiled
+in by default. For more information about Postfix 2.2 TLS support,
+see the TLS_README document.
+
+[Incompat 20041210] Postfix version 2.2 TLS support differs from
+the Postfix/TLS patch by Lutz Jaenicke in a few minor ways.
+
+- main.cf: Use btree instead of sdbm for TLS session cache databases.
+
+ Session caches are now accessed only by the tlsmgr(8) process,
+ so there are no concurrency issues. Although Postfix still has
+ an SDBM client, the SDBM library (1000 lines of code) is no longer
+ included with Postfix.
+
+ TLS session caches can use any database that can store objects
+ of several kbytes or more, and that implements the sequence
+ operation. In most cases, btree databases should be adequate.
+
+ NOTE: You cannot use dbm databases. TLS session objects are too
+ large.
+
+- master.cf: Specify unix instead of fifo for the tlsmgr service type.
+ This change is automatically made by the Postfix upgrade procedure.
+
+ The smtp(8) and smtpd(8) processes use a client-server protocol
+ in order to access the tlsmgr(8)'s pseudo-random number generation
+ (PRNG) pool, and in order to access the TLS session cache databases.
+ Such a protocol cannot be run across fifos.
+
+[Feature 20050209] The Postfix SMTP server policy delegation protocol
+now supplies TLS client certificate information after successful
+verification. The new policy delegation protocol attribute names
+are ccert_subject, ccert_issuer and ccert_fingerprint.
+
+[Feature 20050208] New "check_ccert_maps maptype:mapname" feature
+to enforce access control based on hexadecimal client certificate
+fingerprints.
+
+Major changes - SMTP client connection cache
+--------------------------------------------
+
+[Feature 20040720] SMTP client-side connection caching. Instead of
+disconnecting immediately after a mail transaction, the Postfix
+SMTP client can save the open connection to the scache(8) connection
+cache daemon, so that any SMTP client process can reuse that session
+for another mail transaction. See the CONNECTION_CACHE_README
+document for a description of configuration and implementation.
+
+This feature introduces the scache (connection cache) server, which
+is added to your master.cf file when you upgrade Postfix.
+
+[Feature 20040729] Opportunistic SMTP connection caching. When a
+destination has a high volume of mail in the active queue, SMTP
+connection caching is enabled automatically. This is controlled
+with a new configuration parameter "smtp_connection_cache_on_demand"
+(default: yes).
+
+[Feature 20040723] Per-destination SMTP connection caching. This
+is enabled with the smtp_connection_cache_destinations parameter.
+The parameter requires "bare" domain names or IP addresses without
+"[]" or TCP port, to avoid a syntax conflict between host:port and
+maptype:mapname entries.
+
+[Feature 20040721] The scache(8) connection cache manager logs cache
+hit and miss statistics every $connection_cache_status_update_time
+seconds (default: 600s). It reports the hit and miss rates for
+lookups by domain, as well as for lookups by network address.
+
+Major changes - address rewriting
+---------------------------------
+
+[Feature 20050206] Support for address rewriting in outgoing SMTP
+mail (headers and envelopes). This is useful for sites that have a
+fantasy Internet domain name such as localdomain.local. Mail
+addresses that use fantasy domain names are often rejected by mail
+servers.
+
+The smtp_generic_maps feature allows you to replace a local mail
+address (user@localdomain.local) by a valid Internet address
+(account@isp.example) when mail is sent across the Internet. The
+feature has no effect on mail that is sent between accounts on the
+local machine. The syntax is described in generic(5) and a detailed
+example is in the STANDARD_CONFIGURATION_README document, the section
+titled "Postfix on hosts without a real Internet hostname".
+
+[Feature 20041023] By default, Postfix no longer rewrites message
+headers in mail from remote clients. This includes masquerading,
+canonical mapping, replacing "!" and "%" by "@", and appending the
+local domain to incomplete addresses. Thus, spam from poorly written
+software no longer looks like it came from a local user.
+
+By default, Postfix rewrites message header addresses only when the
+client IP address matches the local machine's interface addresses,
+or when mail is submitted with the Postfix sendmail(1) command.
+
+Postfix rewrites message headers in mail from other clients only
+when the remote_header_rewrite_domain parameter specifies a domain
+name (such as "domain.invalid"); this domain is appended to incomplete
+addresses. Rewriting also includes masquerading, canonical mapping,
+and replacing "!" and "%" by "@".
+
+To get the behavior before Postfix 2.2 (always append Postfix's own
+domain to incomplete addresses in message headers, always subject
+message headers to canonical mapping, address masquerading, and
+always replace "!" and "%" by "@") specify:
+
+/etc/postfix/main.cf:
+ local_header_rewrite_clients = static:all
+
+If you must rewrite headers in mail from specific clients then you
+can specify, for example,
+
+/etc/postfix/main.cf:
+ local_header_rewrite_clients = permit_mynetworks,
+ permit_sasl_authenticated, permit_tls_clientcerts,
+ check_address_map hash:/etc/postfix/pop-before-smtp
+
+Postfix always appends local domain information to envelope addresses
+(as opposed to header addresses), because an unqualified envelope
+address is effectively local for the purpose of delivery, and for
+the purpose of replying to it.
+
+Full details are given in ADDRESS_REWRITING_README, and in the
+postconf(5) manual. For best results, point your browser at the
+ADDRESS_REWRITING_README.html file and navigate to the section
+titled " To rewrite message headers or not, or to label as invalid".
+
+[Incompat 20050212] When header address rewriting is enabled, Postfix
+now updates a message header only when at least one address in that
+header is modified. Older Postfix versions first parse and then
+un-parse a header so that there may be subtle changes in formatting,
+such as the amount of whitespace between tokens.
+
+[Incompat 20050227] Postfix no longer changes message header labels.
+Thus, FROM: or CC: are no longer replaced by From: or Cc:.
+
+[Feature 20040827] Finer control over canonical mapping with
+canonical_classes, sender_canonical_classes and
+recipient_canonical_classes. These specify one or more of
+envelope_sender, header_sender, envelope_recipient or header_recipient.
+The default settings are backwards compatible.
+
+Major changes - SMTP compatibility controls
+-------------------------------------------
+
+[Feature 20041218] Fine control for SMTP inter-operability problems,
+by discarding keywords that are sent or received with the EHLO
+handshake. Typically one would discard "pipelining", "starttls",
+or "auth" to work around systems with a broken implementation.
+Specify a list of EHLO keywords with the smtp(d)_discard_ehlo_keywords
+parameters, or specify one or more lookup tables, indexed by remote
+network address, with the smtp(d)_discard_ehlo_keyword_address_maps
+parameters.
+
+Note: this feature only discards words from the EHLO conversation;
+it does not turn off the actual features in the SMTP server.
+
+Major changes - database support
+--------------------------------
+
+[Feature 20050209] Extended LDAP, MySQL and PgSQL query interface
+with free form SQL queries, the domain filter optimization that was
+already available with LDAP and more. This code was worked on by
+many people but Victor Duchovni took the lead. See the respective
+{LDAP,MYSQL,PGSQL}_README and {ldap,mysql,pgsql}_table documents.
+
+[Feature 20041210] You can now dump an entire database with the new
+postmap/postalias "-s" option. This works only for database types
+with Postfix sequence operator support: hash, btree, dbm, and sdbm.
+
+[Feature 20041208] Support for CDB databases by Michael Tokarev.
+This supports both Michael's tinycdb and Daniel Bernstein's cdb
+implementations, but neither of the two implementations is bundled
+with Postfix.
+
+[Feature 20041023] The NIS+ client by Geoff Gibbs is now part of
+the Postfix source tree. Details are given in the nisplus_table(5)
+manual page.
+
+[Feature 20040827] Easier use of the proxymap(8) service with the
+virtual(8) delivery agent. The virtual(8) delivery agent will
+silently open maps directly when those maps can't be proxied for
+security reasons. This means you can now specify "virtual_mailbox_maps
+= proxy:mysql:whatever" without triggering a fatal error in the
+virtual(8) delivery agent.
+
+Major changes - remote SMTP client resource control
+---------------------------------------------------
+
+[Incompat 20041009] The smtpd_client_connection_limit_exceptions
+parameter is renamed to smtpd_client_event_limit_exceptions. Besides
+connections it now also applies to per-client message rate and
+recipient rate limits.
+
+[Feature 20041009] Per SMTP client message rate and recipient rate
+limits. These limit the number of MAIL FROM or RCPT TO requests
+regardless of whether or not Postfix would have accepted them
+otherwise. The user interface (smtpd_client_message_rate_limit and
+smtpd_client_recipient_rate_limit) is similar to that of the existing
+per SMTP client connection rate limit, and the same warnings apply:
+these features are to be used to stop abuse, and must not be used
+to regulate legitimate mail. More details can be found in the
+postconf(5) manual.
+
+Major changes - remote SMTP client access control
+-------------------------------------------------
+
+[Feature 20050209] The Postfix SMTP server policy delegation protocol
+now supplies TLS client certificate information after successful
+verification. The new policy delegation protocol attribute names
+are ccert_subject, ccert_issuer and ccert_fingerprint.
+
+[Feature 20050208] New "check_ccert_maps maptype:mapname" feature
+to enforce access control based on hexadecimal client certificate
+fingerprints.
+
+[Feature 20050203] New "permit_inet_interfaces" access restriction
+to allow access from local IP addresses only. This is used for the
+default, purist, setting of local_header_rewrite_clients (rewrite
+only headers in mail from this machine).
+
+[Feature 20050203] New "sleep time-in-seconds" pseudo access
+restriction to block zombie clients with reject_unauthorized_pipelining
+before the Postfix SMTP server sends the SMTP greeting. See postconf(5)
+for example. This feature is not available the stable Postfix 2.2
+release, but it is documented here so that it will not get lost.
+
+[Feature 20041118] New "smtpd_end_of_data_restrictions" feature
+that is invoked after the client terminates the SMTP DATA command.
+The syntax is the same as with "smtpd_data_restrictions". In the
+SMTPD policy delegation request, the message size is the actual
+byte count of the message content, instead of the message size
+announced by the client in the MAIL FROM command.
+
+Major changes - SASL authentication
+-----------------------------------
+
+[Feature 20040827] Better SMTP client control over the use of SASL
+mechanisms. New smtp_sasl_mechanism_filter mechanism to shorten the
+list of SASL mechanisms from a remote server to just those that the
+local SASL library can actually use.
+
+Major changes - header/body patterns
+------------------------------------
+
+[Feature 20050205] REPLACE action in header_checks and body_checks,
+to replace a message header or body line. See header_checks(5) for
+details.
+
+Major changes - local delivery
+------------------------------
+
+[Feature 20040621] Control over the working directory when executing
+an external command. With the pipe(8) mailer, specify directory=pathname,
+and with local(8) specify "command_execution_directory = expression"
+where "expression" is subject to $home etc. macro expansion. The
+result of macro expansion is restricted by the set of characters
+specified with execution_directory_expansion_filter.
+
+Major changes - mail delivery attributes
+----------------------------------------
+
+[Feature 20041218] More client attributes for delivery to command
+with the local(8) and pipe(8) delivery agents: client_hostname,
+client_address, client_protocol, client_helo, sasl_method, sasl_sender,
+and sasl_username. With local(8), attribute names must be specified
+in upper case.
+
+Major changes - package creation
+--------------------------------
+
+[Feature 20050203] To create a ready-to-install package for
+distribution to other systems you can now use "make package" or
+"make non-interactive-package", instead of invoking the internal
+postfix-install script by hand. See the PACKAGE_README file for
+details.
+
+Major changes - performance
+---------------------------
+
+[Incompat 20050117] Only the deferred and defer queue directories
+are now hashed by default, instead of eight queue directories. This
+may speed up Postfix boot time on low-traffic systems without
+compromising performance under high load too much. Hashing must be
+turned on for the defer and deferred queue directories, because
+those directories contain lots of files when undeliverable mail is
+backing up.
+
+[Incompat 20040720] The default SMTP/LMTP timeouts for sending RSET
+are reduced to 20s.
+
+Major changes - miscellaneous
+-----------------------------
+
+[Feature 20050203] Safety: Postfix no longer tries to send mail to
+the fallback_relay when the local machine is MX host for the mail
+destination. See the postconf(5) description of the fallback_relay
+feature for details.
+
+[Incompat 20041023] Support for the non-standard Errors-To: return
+addresses is now removed from Postfix. It was already disabled by
+default with Postfix version 2.1. Since Errors-To: is non-standard,
+there was no guarantee that it would have the desired effect with
+other MTAs.
+
+[Feature 20040919] A new discard(8) mail delivery agent that makes
+throwing away mail easier and more efficient. It's the Postfix
+equivalent of /dev/null for mail deliveries. On the mail receiving
+side, Postfix already has a /dev/null equivalent in the form of the
+DISCARD action in access maps and header_body_checks.
+
+[Feature 20040919] Access control for local mail submission, for
+listing the queue, and for flushing the queue. These features are
+controlled with authorized_submit_users, authorized_mailq_users,
+and with authorized_flush_users, respectively. The last two controls
+are always permitted for the super-user and for the mail system
+owner. More information is in the postconf(5) manual.
+
+[Incompat 20040829] When no recipients are specified on the command
+line or via the -t option, the Postfix sendmail command terminates
+with status EX_USAGE and produces an error message instead of
+accepting the mail first and bouncing it later. This gives more
+direct feedback in case of a common client configuration error.
+
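Review bot: The [Feature 20050208] entry, which appears under both "Major changes - TLS support" and "Major changes - remote SMTP client access control" in this hunk, names the restriction "check_ccert_maps maptype:mapname", while the RELEASE_NOTES-2.3 file added in this same commit calls it check_ccert_access in its [Incompat 20060207] entry. An operator copying the name from these notes into an SMTP server restriction list needs the spelling that postconf(5) documents for the installed version, so please confirm which name applies to 2.2 and use it in both copies of the entry. Two smaller wording points: the [Feature 20050203] "sleep time-in-seconds" entry reads "This feature is not available the stable Postfix 2.2 release" (missing "in"), and the quoted section title " To rewrite message headers or not, or to label as invalid" in the address rewriting section has a stray leading space inside the quotes.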
diff --git a/RELEASE_NOTES-2.3 b/RELEASE_NOTES-2.3
new file mode 100644
index 0000000..a1ac8c0
--- /dev/null
+++ b/RELEASE_NOTES-2.3
@@ -0,0 +1,761 @@
+The stable Postfix release is called postfix-2.3.x where 2=major
+release number, 3=minor release number, x=patchlevel. The stable
+release never changes except for patches that address bugs or
+emergencies. Patches change the patchlevel and the release date.
+
+New features are developed in snapshot releases. These are called
+postfix-2.4-yyyymmdd where yyyymmdd is the release date (yyyy=year,
+mm=month, dd=day). Patches are never issued for snapshot releases;
+instead, a new snapshot is released.
+
+The mail_release_date configuration parameter (format: yyyymmdd)
+specifies the release date of a stable release or snapshot release.
+
+Critical notes
+--------------
+
+See RELEASE_NOTES_2.2 if you upgrade from Postfix 2.1 or earlier.
+
+Some Postfix internal protocols have changed. You need to "postfix
+reload" or restart Postfix, otherwise many servers will log warning
+messages like "unexpected attribute xxx" or "problem talking to
+service yyy", and mail will not be delivered.
+
+The Sendmail-compatible Milter support introduces three new queue
+file record types. As long as you leave this feature turned off,
+you can still go back to Postfix version 2.2 without losing mail
+that was received by Postfix 2.3.
+
+Major changes - DNS lookups
+---------------------------
+
+[Incompat 20050726] Name server replies that contain a malformed
+hostname are now flagged as permanent errors instead of transient
+errors. This change works around a questionable proposal to use
+syntactically invalid hostnames in MX records.
+
+Major changes - DSN
+-------------------
+
+[Feature 20050615] DSN support as described in RFC 3461 .. RFC 3464.
+This gives senders control over successful and failed delivery
+notifications. DSN involves extra parameters to the SMTP "MAIL
+FROM" and "RCPT TO" commands, as well as extra Postfix sendmail
+command line options for mail submission.
+
+See DSN_README for details. Some implementation notes can be found
+in implementation-notes/DSN.
+
+[Incompat 20050615] The new DSN support conflicts with VERP support.
+For Sendmail compatibility, Postfix now uses the sendmail -V command
+line option for DSN. To request VERP style delivery, you must now
+specify -XV instead of -V. The Postfix sendmail command will
+recognize if you try to use -V for VERP-style delivery. It will
+usually do the right thing, and remind you of the new syntax.
+
+[Incompat 20050828] Postfix no longer sends DSN SUCCESS notification
+after virtual alias expansions when the cleanup server rejects the
+content or size of mail that was submitted with the Postfix sendmail
+command, mail that was forwarded with the local(8) delivery agent,
+or mail that was re-queued with "postsuper -r". Since all the
+recipients are reported as failed, the SUCCESS notification seems
+redundant.
+
+Major changes - LMTP client
+---------------------------
+
+See the "SASL authentication" and "TLS" sections for changes related
+to SASL authentication and TLS support, respectively.
+
+[Feature 20051208] The SMTP client now implements the LMTP protocol.
+Most but not all smtp_xxx parameters now have an lmtp_xxx equivalent.
+This means there are lot of new LMTP features, including support
+for TLS and for the shared connection cache. See the "SMTP client"
+section for details.
+
+[Incompat 20051208] The LMTP client now reports the server as
+"myhostname[/path/name]". With the real server hostname in delivery
+status reports, the information will be more useful.
+
+Major changes - Milter support
+------------------------------
+
+[Feature 20060515] Milter (mail filter) application support,
+compatible with Sendmail version 8.13.6 and earlier. This allows
+you to run a large number of plug-ins to reject unwanted mail, and
+to sign mail with for example domain keys. All Milter functions are
+implemented except replacing the message body, which will be added
+later. Milters are before-queue filters, so they don't change the
+queue ID.
+
+See the MILTER_README document for a discussion of how to use Milter
+support with Postfix, and limitations of the current implementation.
+
+The Sendmail-compatible Milter support introduces three new queue
+file record types. As long as you leave this feature turned off,
+you can still go back to Postfix version 2.2 without losing mail
+that was received by Postfix 2.3.
+
+[Incompat 20060515] Milter support introduces new logfile event
+types: milter-reject, milter-discard and milter-hold, that identify
+actions from Milter applications. This may affect logfile processing
+software.
+
+Major changes - SASL authentication
+-----------------------------------
+
+[Feature 20051220] Plug-in support for SASL authentication in the
+SMTP server and in the SMTP/LMTP client. With this, Postfix can
+support multiple SASL implementations without source code patches.
+Some distributors may even make SASL support a run-time linking
+option, just like they already do with Postfix lookup tables.
+
+Hints and tips for plug-in developers are in the xsasl/README file.
+
+For backwards compatibility the default plug-in type is Cyrus SASL,
+so everything should behave like it did before. Some error messages
+are slightly different, but these are generally improvements.
+
+The "postconf -a" command shows what plug-in implementations are
+available for the SMTP server, and "postconf -A" does the same for
+the SMTP/LMTP client. Plug-in implementations are selected with
+the smtpd_sasl_type, smtp_sasl_type and lmtp_sasl_type configuration
+parameters.
+
+Other new configuration parameters are smtpd_sasl_path, smtp_sasl_path
+and lmtp_sasl_path. These are better left alone; they are introduced
+for the convenience of other SASL implementations.
+
+[Feature 20051222] Dovecot SASL support (SMTP server only). Details
+can be found in the SASL_README document.
+
+[Incompat 20051220] The Postfix-with-Cyrus-SASL build procedure has
+changed. You now need to specify -DUSE_CYRUS_SASL in addition to
+-DUSE_SASL_AUTH or else you end up without any Cyrus SASL support.
+The error messages are:
+
+ unsupported SASL server implementation: cyrus
+ unsupported SASL client implementation: cyrus
+
+[Feature 20051125] This snapshot adds support for sender-dependent
+ISP accounts.
+
+- Sender-dependent smarthost lookup tables. The maps are searched
+ with the sender address and with the sender @domain. The result
+ overrides the global relayhost setting, but otherwise has identical
+ behavior. See the postconf(5) manual page for more details.
+
+ Example:
+ /etc/postfix/main.cf:
+ sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay
+
+- Sender-dependent SASL authentication support. This disables SMTP
+ connection caching to ensure that mail from different senders
+ will use the correct authentication credentials. The SMTP SASL
+ password file is first searched by sender address, and then by
+ the remote domain and hostname as usual.
+
+ Example:
+ /etc/postfix/main.cf:
+ smtp_sasl_auth_enable = yes
+ smtp_sender_dependent_authentication = yes
+ smtp_sasl_password_maps = hash:/etc/postfix/sasl_pass
+
+[Incompat 20060707] The SMTP/LMTP client now defers delivery when
+a SASL password exists but the server does not announce support for
+SASL authentication. This can happen with servers that announce
+SASL support only when TLS is turned on. When an opportunistic TLS
+handshake fails, Postfix >= 2.3 retries delivery in plaintext, and
+the remote server rejects mail from the unauthenticated client.
+Specify "smtp_sasl_auth_enforce = no" to deliver mail anyway.
+
+Major changes - SMTP client
+---------------------------
+
+See the "SASL authentication" and "TLS" sections for changes related
+to SASL authentication and TLS support, respectively.
+
+[Feature 20051208] The SMTP client now implements the LMTP protocol.
+Most but not all smtp_xxx parameters now have an lmtp_xxx equivalent.
+This means there are lot of new LMTP features, including support
+for TLS and for the shared connection cache.
+
+[Incompat 20060112] The Postfix SMTP/LMTP client by default no
+longer allows DNS CNAME records to override the server hostname
+that is used for logging, SASL password lookup, TLS policy selection
+and TLS server certificate verification. Specify
+"smtp_cname_overrides_servername = yes" to get the old behavior.
+
+[Incompat 20060103] The Postfix SMTP/LMTP client no longer defers
+mail delivery when it receives a malformed SMTP server reply in a
+session with command pipelining. When helpful warnings are enabled,
+it will suggest that command pipelining be disabled for the affected
+destination.
+
+[Incompat 20051208] The fallback_relay feature is renamed to
+smtp_fallback_relay, to make clear that the combined SMTP/LMTP
+client uses this setting only for SMTP deliveries. The old name
+still works.
+
+[Incompat 20051106] The relay=... logging has changed and now
+includes the remote SMTP server port number as hostname[hostaddr]:port.
+
+[Incompat 20051026] The smtp_connection_cache_reuse_limit parameter
+(which limits the number of deliveries per SMTP connection) is
+replaced by the new smtp_connection_reuse_time_limit parameter (the
+time after which a connection is no longer stored into the connection
+cache).
+
+[Feature 20051026] This snapshot addresses a performance stability
+problem with remote SMTP servers. The problem is not specific to
+Postfix: it can happen when any MTA sends large amounts of SMTP
+email to a site that has multiple MX hosts. The insight that led
+to the solution, as well as an initial implementation, are due to
+Victor Duchovni.
+
+The problem starts when one of a set of MX hosts becomes slower
+than the rest. Even though SMTP clients connect to fast and slow
+MX hosts with equal probability, the slow MX host ends up with more
+simultaneous inbound connections than the faster MX hosts, because
+the slow MX host needs more time to serve each client request.
+
+The slow MX host becomes a connection attractor. If one MX host
+becomes N times slower than the rest, it dominates mail delivery
+latency unless there are more than N fast MX hosts to counter the
+effect. And if the number of MX hosts is smaller than N, the mail
+delivery latency becomes effectively that of the slowest MX host
+divided by the total number of MX hosts.
+
+The solution uses connection caching in a way that differs from
+Postfix 2.2. By limiting the amount of time during which a connection
+can be used repeatedly (instead of limiting the number of deliveries
+over that connection), Postfix not only restores fairness in the
+distribution of simultaneous connections across a set of MX hosts,
+it also favors deliveries over connections that perform well, which
+is exactly what we want.
+
+The smtp_connection_reuse_time_limit feature implements the connection
+reuse time limit as discussed above. It limits the amount of time
+after which an SMTP connection is no longer stored into the connection
+cache. The default limit, 300s, can result in a huge number of
+deliveries over a single connection.
+
+This solution will be complete when Postfix logging is updated to
+include information about the number of times that a connection was
+used. This information is needed to diagnose inter-operability
+problems with servers that exhibit bugs when they receive multiple
+messages over the same connection.
+
+[Incompat 20050627] The Postfix SMTP client no longer applies the
+smtp_mx_session_limit to non-permanent errors during the TCP, SMTP,
+HELO or TLS handshake. Previous versions did that only with TCP
+and SMTP handshake errors.
+
+[Incompat 20050622] The Postfix SMTP client by default limits the
+number of MX server addresses to smtp_mx_address_limit=5. Previously
+this limit was disabled by default. The new limit prevents Postfix
+from spending lots of time trying to connect to lots of bogus MX
+servers.
+
+Major changes - SMTP server
+---------------------------
+
+See the "SASL authentication" and "TLS" sections for changes related
+to SASL authentication and TLS support, respectively.
+
+[Feature 20051222] To accept the non-compliant user@ipaddress form,
+specify "resolve_numeric_domain = yes". Postfix will deliver the
+mail to user@[ipaddress] instead.
+
+[Incompat 20051202] The Postfix SMTP server now refuses to receive
+mail from the network if it isn't running with postfix mail_owner
+privileges. This prevents surprises when, for example, "sendmail
+-bs" is configured to run as root from xinetd.
+
+[Incompat 20051121] Although the permit_mx_backup feature still
+accepts mail for authorized destinations (see permit_mx_backup for
+definition), with all other destinations it now requires that the
+local MTA is listed as non-primary MX server. This prevents mail
+loop problems when someone points their primary MX record at a
+Postfix system.
+
+[Feature 20051011] Optional suppression of remote SMTP client
+hostname lookup and hostname verification. Specify "smtpd_peername_lookup
+= no" to eliminate DNS lookup latencies, but do so only under extreme
+conditions, as it makes Postfix logging less informative.
+
+[Feature 20050724] SMTPD Access control based on the existence of
+an address->name mapping, with reject_unknown_reverse_client_hostname.
+There is no corresponding access table lookup feature, because the
+name is not validated in any way (except that it has proper syntax).
+
+Several confusing SMTPD access restrictions were renamed:
+
+ reject_unknown_client -> reject_unknown_client_hostname,
+ reject_unknown_hostname -> reject_unknown_helo_hostname,
+ reject_invalid_hostname -> reject_invalid_helo_hostname,
+ reject_non_fqdn_hostname -> reject_non_fqdn_helo_hostname.
+
+The old names are still recognized and documented.
+
+Major changes - TLS
+-------------------
+
+Major revisions were made to Postfix TLS support; see TLS_README
+for the details. For backwards compatibility, the old TLS policy
+user interface will be kept intact for a few releases so that sites
+can upgrade Postfix without being forced to use a different TLS
+policy mechanism.
+
+[Feature 20060614] New concept: TLS security levels ("none", "may",
+"encrypt", "verify" or "secure") in the Postfix SMTP client. You
+can specify the TLS security level via the smtp_tls_security_level
+parameter. This is more convenient than controlling TLS with the
+multiple smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername,
+parameters.
+
+[Feature 20060709] TLS security levels ("none", "may", "encrypt")
+in the Postfix SMTP server. You specify the security level with the
+smtpd_tls_security_level parameter. This overrides the multiple
+smtpd_use_tls and smtpd_enforce_tls parameters. When one of the
+unimplemented "verify" or "secure" levels is specified, the Postfix
+SMTP server logs a warning and uses "encrypt" instead.
+
+[Feature 20060123] A new per-site TLS policy mechanism for the
+Postfix SMTP client that supports the new TLS security levels,
+and that eliminates DNS spoofing attacks more effectively.
+
+[Feature 20060626] Both the Postfix SMTP client and server can be
+configured without a client or server certificate. An SMTP server
+without certificate can use only anonymous ciphers, and will not
+inter-operate with most clients.
+
+The Postfix SMTP server supports anonymous ciphers when 1) no client
+certificates are requested or required, and 2) the administrator
+has not excluded the "aNULL" OpenSSL cipher type with the
+smtpd_tls_exclude_ciphers parameter.
+
+The Postfix SMTP client supports anonymous ciphers when 1) no server
+certificate is required and 2) the administrator has not excluded
+the "aNULL" OpenSSL cipher type with the smtp_tls_exclude_ciphers
+parameter.
+
+[Incompat 20060707] The SMTPD policy client now encodes the
+ccert_subject and ccert_issuer attributes as xtext. Some characters
+are represented by +XX, where XX is the two-digit hexadecimal
+representation of the character value.
+
+[Feature 20060614] The smtpd_tls_protocols parameter restricts the
+list of TLS protocols supported by the SMTP server. This is
+recommended for use with MSA configurations only. It should not
+be used with MX hosts that receive mail from the Internet, as it
+reduces inter-operability.
+
+[Incompat 20060614] The smtp_tls_cipherlist parameter only applies
+when TLS is mandatory. It is ignored with opportunistic TLS sessions.
+
+[Incompat 20060614] At (lmtp|smtp|smtpd)_tls_loglevel >= 2, Postfix
+now also logs TLS session cache activity. Use level 2 and higher
+for debugging only; use levels 0 or 1 as production settings.
+
+[Incompat 20060207] The Postfix SMTP server no longer complains
+when TLS support is not compiled in while permit_tls_clientcerts,
+permit_tls_all_clientcerts, or check_ccert_access are specified in
+main.cf. These features now are effectively ignored. However, the
+reject_plaintext_session feature is not ignored and will reject
+plain-text mail.
+
+[Feature 20060123] Some obscure behavior was eliminated from the
+smtp_tls_per_site feature, without changes to the user interface.
+Some Postfix internals had to be re-structured for the new TLS
+policy mechanism; for this, smtp_tls_per_site had to be re-implemented.
+The obscure behavior was found during compatibility testing.
+
+[Feature 20051011] Optional protection against SMTP clients that
+hammer the server with too many new (i.e. uncached) SMTP-over-TLS
+sessions. Cached sessions are much less expensive in terms of CPU
+cycles. Use the smtpd_client_new_tls_session_rate_limit parameter
+to specify a limit that is at least the inbound client concurrency
+limit, or else you may deny legitimate service requests.
+
+Major changes - VERP
+--------------------
+
+[Incompat 20050615] The new DSN support conflicts with VERP support.
+For Sendmail compatibility, Postfix now uses the sendmail -V command
+line option for DSN. In order to request VERP style delivery, you
+must now specify -XV instead of -V. The Postfix sendmail command
+will recognize if you try to use -V for VERP-style delivery. It
+will do the right thing and will remind you of the new syntax.
+
+Major changes - XCLIENT and XFORWARD
+------------------------------------
+
+[Incompat 20060611] The SMTP server XCLIENT implementation has
+changed. The SMTP server now resets state to the initial server
+greeting stage, immediately before the EHLO/HELO greeting. This
+was needed to correctly simulate the effect of connection-level
+access restrictions. Without this change, XCLIENT would not work
+at all with Milter applications.
+
+[Incompat 20060611] The SMTP server XCLIENT and XFORWARD commands
+now expect that attributes are xtext encoded (RFC 1891). For backwards
+compatibility they will also accept unencoded attribute values. The
+XFORWARD client code in the SMTP client and in the SMTPD_PROXY
+client now always encode attribute values. This change will have a
+visible effect only for malformed hostname and helo parameter values.
+
+For more details, see the XCLIENT_README and XFORWARD_README
+documents.
+
+Major changes - address manipulation
+------------------------------------
+
+[Incompat 20060123] Postfix now preserves uppercase information
+while mapping addresses with canonical, virtual, relocated or generic
+maps; this happens even with $number substitutions in regular
+expression maps. However, the local(8) and virtual(8) delivery
+agents still fold addresses to lower case.
+
+As a side effect, Postfix now also does a better job at being case
+insensitive where it should be, for example while searching per-host
+TLS policies or SASL passwords.
+
+By default, Postfix now folds the search string to lowercase only
+with tables that have fixed-case lookup fields such as btree:,
+hash:, dbm:, ldap:, or *sql:. The search string is no longer case
+folded with tables whose lookup fields can match both upper or lower
+case, such as regexp:, pcre:, or cidr:.
+
+For safety reasons, Postfix no longer allows $number substitution
+in regexp: or pcre: transport tables or per-sender relayhost tables.
+
+Major changes - bounce message templates
+----------------------------------------
+
+[Feature 20051113] Configurable bounce messages, based on a format
+that was developed by Nicolas Riendeau. The file with templates is
+specified with the bounce_template_file parameter. Details are in
+the bounce(5) manual page, and examples of the built-in templates
+can be found in $config_directory/bounce.cf.default. The template
+for the default bounce message looks like this:
+
+ failure_template = <<EOF
+ Charset: us-ascii
+ From: MAILER-DAEMON (Mail Delivery System)
+ Subject: Undelivered Mail Returned to Sender
+ Postmaster-Subject: Postmaster Copy: Undelivered Mail
+
+ This is the $mail_name program at host $myhostname.
+
+ I'm sorry to have to inform you that your message could not
+ be delivered to one or more recipients. It's attached below.
+
+ For further assistance, please send mail to <postmaster>
+
+ If you do so, please include this problem report. You can
+ delete your own text from the attached returned message.
+
+ The $mail_name program
+ EOF
+
+Major changes - built-in filters
+--------------------------------
+
+[Feature 20050828] Configurable filters to reject or remove unwanted
+characters in email content. The message_reject_characters and
+message_strip_characters parameters understand the usual C-like
+escape sequences: \a \b \f \n \r \t \v \ddd (up to three octal
+digits) and \\.
+
+[Incompat 20050828] When a header/body_checks rule or when
+message_reject_characters rejects mail that was submitted with the
+Postfix sendmail command (or re-queued with "postsuper -r"), the
+returned message is now limited to just the message headers, to
+avoid the risk of exposure to harmful content in the message body
+or attachments.
+
+Major changes - database support
+--------------------------------
+
+[Incompat 20060611] The PostgreSQL client was updated after the
+PostgreSQL developers made major database API changes in response
+to SQL injection problems. This breaks support for PGSQL versions
+prior to 8.1.4, 8.0.8, 7.4.13, and 7.3.15. Support for these requires
+major code changes which are not possible in the time that is left
+for completing the Postfix 2.3 stable release.
+
+Major changes - enhanced status codes
+-------------------------------------
+
+[Feature 20050328] This release introduces support for RFC 3463
+enhanced status codes. For example, status code 5.1.1 means
+"recipient unknown". Postfix recognizes enhanced status codes in
+remote server replies, generates enhanced status codes while handling
+email, and reports enhanced status codes in non-delivery notifications.
+This improves the user experience with mail clients that translate
+enhanced status codes into text in the user's own language.
+
+You can, but don't have to, specify RFC 3463 enhanced status codes
+in the output from commands that receive mail from a pipe. If a
+command terminates with non-zero exit status, and an enhanced status
+code is present at the beginning of the command output, then that
+status code takes precedence over the non-zero exit status.
+
+You can, but don't have to, specify RFC 3463 enhanced status codes
+in Postfix access maps, header/body_checks REJECT actions, or in
+RBL replies. For example:
+
+ REJECT 5.7.1 You can't go here from there
+
+The status 5.7.1 means "no authorization, message refused", and is
+the default for access maps, header/body_checks REJECT actions, and
+for RBL replies.
+
+[Feature 20050328] If you specify your own enhanced status code,
+the Postfix SMTP server will automatically change a leading '5'
+digit (hard error) into '4' where appropriate. This is needed, for
+example, with soft_bounce=yes.
+
+[Feature 20050510] This release improves usability of enhanced
+status codes in Postfix access tables, RBL reply templates and in
+transport maps that use the error(8) delivery agent.
+
+- When the SMTP server rejects a sender address, it transforms a
+ recipient DSN status (e.g., 4.1.1-4.1.6) into the corresponding
+ sender DSN status, and vice versa.
+
+- When the SMTP server rejects non-address information (such as the
+ HELO command parameter or the client hostname/address), it
+ transforms a sender or recipient DSN status into a generic
+ non-address DSN status (e.g., 4.0.0).
+
+These transformations are needed when the same access table or RBL
+reply template are used for client, helo, sender, or recipient
+restrictions; or when the same error(8) mailer information is used
+for both senders and recipients.
+
+Major changes - local alias expansion
+-------------------------------------
+
+[Incompat 20051011] The Postfix local(8) delivery agent no longer
+updates its idea of the Delivered-To: address while it expands
+aliases or .forward files. With deeply nested aliases or .forward
+files, this can greatly reduce the number of queue files and cleanup
+process instances. To get the earlier behavior, specify
+"frozen_delivered_to = no".
+
+The frozen_delivered_to feature can help to alleviate a long-standing
+problem with multiple deliveries to recipients that are listed
+multiple times in a hierarchy of nested aliases. For this to work,
+only the top-level alias should have an owner- alias, and none of
+the subordinate aliases.
+
+Major changes - logging
+-----------------------
+
+[Incompat 20060515] Milter support introduces new logfile event
+types: milter-reject, milter-discard and milter-hold, that identify
+actions from Milter applications. This may affect logfile processing
+software.
+
+[Incompat 20051106] The relay=... logging has changed and now
+includes the remote SMTP server port number as hostname[hostaddr]:port.
+
+[Incompat 20060112] The Postfix SMTP/LMTP client by default no
+longer allows DNS CNAME records to override the server hostname
+that is used for logging, SASL password lookup, TLS policy selection
+and TLS server certificate verification. Specify
+"smtp_cname_overrides_servername = yes" to get the old behavior.
+
+[Incompat 20051105] All delay logging now has sub-second resolution,
+including the over-all "delay=nnn" logging. A patch is available
+for pflogsumm (pflogsumm-conn-delays-dsn-patch). The qshape script
+has been updated (auxiliary/qshape/qshape.pl).
+
+[Feature 20051103] This release makes a beginning with a series of
+new attributes in Postfix logfile records.
+
+- Better insight into the nature of performance bottle necks, with
+ detailed logging of delays in various stages of message delivery.
+ Postfix logs additional delay information as "delays=a/b/c/d"
+ where a=time before queue manager, including message transmission;
+ b=time in queue manager; c=connection setup time including DNS,
+ HELO and TLS; d=message transmission time.
+
+- Logging of the connection reuse count when SMTP connections are
+ used for more than one message delivery. This information is
+ needed because Postfix can now reuse connections hundreds of times
+ or more. Logging of the connection reuse count can help to diagnose
+ inter-operability problems with servers that suffer from memory
+ leaks or other resource leaks.
+
+At this point the Postfix logging for a recipient looks like this:
+
+ Nov 3 16:04:31 myname postfix/smtp[30840]: 19B6B2900FE:
+ to=<wietse@test.example.com>, orig_to=<wietse@test>,
+ relay=mail.example.com[1.2.3.4], conn_use=2, delay=0,
+ delays=0/0.01/0.05/0.1, dsn=2.0.0, status=sent (250 2.0.0 Ok)
+
+The following two logfile fields may or may not be present:
+
+ orig_to This is omitted when the address did not change.
+ conn_use This is omitted when a connection is used once.
+
+[Incompat 20050503] The format of some "warning:" messages in the
+maillog has changed so that they are easier to sort:
+
+- The logging now talks about "access table", instead of using three
+ different expressions "access table", "access map" and "SMTPD
+ access map" for the same thing.
+
+- "non-SMTP command" is now logged BEFORE the client name/address
+ and the offending client input, instead of at the end.
+
+[Incompat 20050328] The logging format has changed. Postfix delivery
+agents now log the RFC 3463 enhanced status code as "dsn=x.y.z"
+where y and z can be up to three digits each.
+
+[Incompat 20051208] The LMTP client now reports the server as
+"myhostname[/path/name]". With the real server hostname in delivery
+status reports, the information will be more useful.
+
+Major changes - performance
+---------------------------
+
+[Incompat 20051105] All delay logging now has sub-second resolution,
+including the over-all "delay=nnn" logging. A patch is available
+for pflogsumm (pflogsumm-conn-delays-dsn-patch). The qshape script
+has been updated (auxiliary/qshape/qshape.pl).
+
+[Incompat 20050622] The Postfix SMTP client by default limits the
+number of MX server addresses to smtp_mx_address_limit=5. Previously
+this limit was disabled by default. The new limit prevents Postfix
+from spending lots of time trying to connect to lots of bogus MX
+servers.
+
+[Feature 20051026] This snapshot addresses a performance stability
+problem with remote SMTP servers. The problem is not specific to
+Postfix: it can happen when any MTA sends large amounts of SMTP
+email to a site that has multiple MX hosts. The insight that led
+to the solution, as well as an initial implementation, are due to
+Victor Duchovni.
+
+The problem starts when one of a set of MX hosts becomes slower
+than the rest. Even though SMTP clients connect to fast and slow
+MX hosts with equal probability, the slow MX host ends up with more
+simultaneous inbound connections than the faster MX hosts, because
+the slow MX host needs more time to serve each client request.
+
+The slow MX host becomes a connection attractor. If one MX host
+becomes N times slower than the rest, it dominates mail delivery
+latency unless there are more than N fast MX hosts to counter the
+effect. And if the number of MX hosts is smaller than N, the mail
+delivery latency becomes effectively that of the slowest MX host
+divided by the total number of MX hosts.
+
+The solution uses connection caching in a way that differs from
+Postfix 2.2. By limiting the amount of time during which a connection
+can be used repeatedly (instead of limiting the number of deliveries
+over that connection), Postfix not only restores fairness in the
+distribution of simultaneous connections across a set of MX hosts,
+it also favors deliveries over connections that perform well, which
+is exactly what we want.
+
+The smtp_connection_reuse_time_limit feature implements the connection
+reuse time limit as discussed above. It limits the amount of time
+after which an SMTP connection is no longer stored into the connection
+cache. The default limit, 300s, can result in a huge number of
+deliveries over a single connection.
+
+This solution will be complete when Postfix logging is updated to
+include information about the number of times that a connection was
+used. This information is needed to diagnose inter-operability
+problems with servers that exhibit bugs when they receive multiple
+messages over the same connection.
+
+[Feature 20051011] Optional protection against SMTP clients that
+hammer the server with too many new (i.e. uncached) SMTP-over-TLS
+sessions. Cached sessions are much less expensive in terms of CPU
+cycles. Use the smtpd_client_new_tls_session_rate_limit parameter
+to specify a limit that is at least the inbound client concurrency
+limit, or else you may deny legitimate service requests.
+
+[Feature 20051011] Optional suppression of remote SMTP client
+hostname lookup and hostname verification. Specify "smtpd_peername_lookup
+= no" to eliminate DNS lookup latencies, but do so only under extreme
+conditions, as it makes Postfix logging less informative.
+
+Major changes - portability
+---------------------------
+
+[Incompat 20050716] Internal interfaces have changed; this may break
+third-party patches because the types of function arguments and of
+result values have changed. The types of buffer lengths and offsets
+were changed from "int" or "unsigned int" (32 bit on 32-bit and
+LP64 systems) to "ssize_t" or "size_t" (64 bit on LP64 systems, 32
+bit on 32-bit systems).
+
+This change makes no difference in Postfix behavior on 32-bit
+systems. On LP64 systems, however, this change not only eliminates
+some obscure portability bugs, it also eliminates unnecessary
+conversions between 32/64 bit integer types, because many system
+library routines take "(s)size_t" arguments or return "(s)size_t"
+values.
+
+This change may break software on LP64 systems 1) when Postfix is
+linked with pre-compiled code that was compiled with old Postfix
+interface definitions and 2) when compiling Postfix source that was
+modified by a third-party patch: incorrect code will be generated
+when the patch passes the wrong integer argument type in contexts
+that disable automatic argument type conversions. Examples of such
+contexts are formatting with printf-like arguments, and invoking
+functions that write Postfix request or reply attributes across
+inter-process communication channels. Unfortunately, gcc reports
+"(unsigned) int" versus "(s)size_t" format string argument mis-matches
+only on LP64 systems.
+
+Major changes - safety
+----------------------
+
+[Incompat 20051121] Although the permit_mx_backup feature still
+accepts mail for authorized destinations (see permit_mx_backup for
+definition), with all other destinations it now requires that the
+local MTA is listed as non-primary MX. This prevents mail loop
+problems when someone points the primary MX record at a Postfix
+system.
+
+[Incompat 20051011] The Postfix local(8) delivery agent no longer
+updates its idea of the Delivered-To: address while it expands
+aliases or .forward files. With deeply nested aliases or .forward
+files, this can greatly reduce the number of queue files and cleanup
+process instances. To get the earlier behavior, specify
+"frozen_delivered_to = no".
+
+The frozen_delivered_to feature can help to alleviate a long-standing
+problem with multiple deliveries to recipients that are listed
+multiple times in a hierarchy of nested aliases. For this to work,
+only the top-level alias should have an owner- alias, and none of
+the subordinate aliases.
+
+[Incompat 20050828] When a header/body_checks rule or when
+message_reject_characters rejects mail that was submitted with the
+Postfix sendmail command (or re-queued with "postsuper -r"), the
+returned message is now limited to just the message headers, to
+avoid the risk of exposure to harmful content in the message body
+or attachments.
+
+[Incompat 20051202] The Postfix SMTP server now refuses to receive
+mail from the network if it isn't running with postfix mail_owner
+privileges. This prevents surprises when, for example, "sendmail
+-bs" is configured to run as root from xinetd.
+
+[Incompat 20060123] For safety reasons, Postfix no longer allows
+$number substitution in regexp: or pcre: transport tables or
+per-sender relayhost tables.
+
+[Incompat 20060112] The Postfix SMTP/LMTP client by default no
+longer allows DNS CNAME records to override the server hostname
+that is used for logging, SASL password lookup, TLS policy selection
+and TLS server certificate verification. Specify
+"smtp_cname_overrides_servername = yes" to get the old behavior.
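Review bot: the sample log record under "Major changes - logging" (the "Nov 3 16:04:31 myname postfix/smtp[30840]" example) shows relay=mail.example.com[1.2.3.4] with no port, while the [Incompat 20051106] entry earlier in the same section says relay= is now logged as hostname[hostaddr]:port. The sample is dated Nov 3, so it appears to predate that change; either show the port in the sample or state that it reflects the format before 20051106, since logfile parsers tend to be written against examples like this one. Two smaller points: there is a stray comma after smtp_tls_enforce_peername in the [Feature 20060614] TLS security levels entry, and "bottle necks" in the [Feature 20051103] entry should be one word.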
diff --git a/RELEASE_NOTES-2.4 b/RELEASE_NOTES-2.4
new file mode 100644
index 0000000..e56972d
--- /dev/null
+++ b/RELEASE_NOTES-2.4
@@ -0,0 +1,198 @@
+The stable Postfix release is called postfix-2.4.x where 2=major
+release number, 4=minor release number, x=patchlevel. The stable
+release never changes except for patches that address bugs or
+emergencies. Patches change the patchlevel and the release date.
+
+New features are developed in snapshot releases. These are called
+postfix-2.5-yyyymmdd where yyyymmdd is the release date (yyyy=year,
+mm=month, dd=day). Patches are never issued for snapshot releases;
+instead, a new snapshot is released.
+
+The mail_release_date configuration parameter (format: yyyymmdd)
+specifies the release date of a stable release or snapshot release.
+
+Major changes - critical
+------------------------
+
+See RELEASE_NOTES-2.3 if you upgrade from Postfix 2.2 or earlier.
+
+[Incompat 20070122] To take advantage of the new support for BSD
+kqueue, Linux epoll, or Solaris /dev/poll, you must restart (not
+reload) Postfix after upgrading from Postfix 2.3.
+
+[Incompat 20061209] If you upgrade Postfix without restarting, you
+MUST execute "postfix reload", otherwise the queue manager may log
+a warnings with:
+
+ warning: connect to transport retry: Connection refused
+
+[Incompat 20061209] The upgrade procedure adds a new "retry" service
+to the master.cf file. If you make the mistake of copying old
+Postfix configuration files over the new files, the queue manager
+may log warnings with:
+
+ warning: connect to transport retry: Connection refused
+
+To fix your master.cf file, use "postfix upgrade-configuration"
+followed by "postfix reload".
+
+Major changes - safety
+----------------------
+
+[Incompat 20070222] As a safety measure, Postfix now by default
+creates mailbox dotlock files on all systems. This prevents problems
+with GNU POP3D which subverts kernel locking by creating a new
+mailbox file and deleting the old one.
+
+Major changes - Milter support
+------------------------------
+
+[Feature 20070121] The support for Milter header modification
+requests was revised. With minimal change in the on-disk representation,
+the code was greatly simplified, and regression tests were updated
+to ensure that old errors were not re-introduced. The queue file
+format is entirely backwards compatible with Postfix 2.3.
+
+[Feature 20070116] Support for Milter requests to replace the message
+body. Postfix now implements all the header/body modification
+requests that are available with Sendmail 8.13.
+
+[Incompat 20070116] A new field is added to the queue file "size"
+record that specifies the message content length. Postfix 2.3 and
+older Postfix 2.4 snapshots will ignore this field, and will report
+the message size as it was before the body was replaced.
+
+Major changes - TLS support
+---------------------------
+
+[Incompat 20061214] The check_smtpd_policy client sends TLS certificate
+attributes (client ccert_subject, ccert_issuer) only after successful
+client certificate verification. The reason is that the certification
+verification status itself is not available in the policy request.
+
+[Incompat 20061214] The check_smtpd_policy client sends TLS certificate
+fingerprint information even when the certificate itself was not
+verified.
+
+[Incompat 20061214] The remote SMTP client TLS certificate fingerprint
+can be used for access control even when the certificate itself was
+not verified.
+
+[Incompat 20061006] The format of SMTP server TLS session cache
+lookup keys has changed. The lookup key now includes the master.cf
+service name.
+
+Major changes - performance
+---------------------------
+
+[Feature 20070212] Better support for systems that run thousands
+of Postfix processes. Postfix now supports FreeBSD kqueue(2),
+Solaris poll(7d) and Linux epoll(4) as more scalable alternatives
+to the traditional select(2) system call, and uses poll(2) when
+examining a single file descriptor for readability or writability.
+These features are supported on sufficiently recent versions of
+FreeBSD, NetBSD, OpenBSD, Solaris and Linux; support for other
+systems will be added as evidence becomes available that usable
+implementations exist.
+
+[Incompat 20070201] Some default settings have been adjusted to
+better match contemporary requirements:
+
+- queue_run_delay and minimal_backoff_time were reduced from 1000s
+ to 300s so that deliveries are retried earlier after the first
+ failure.
+
+- ipc_idle was reduced from 100s to 5s, so that tlsmgr and scache
+ clients will more quickly release unused file handles.
+
+[Feature 20061209] Improved worst-case (old and new) queue manager
+performance when deferring or bouncing large amounts of mail. Instead
+of talking to the bounce or defer service synchronously, this work
+is now done in the background by the error or retry service.
+
+[Feature 20061209] Improved worst-case (new) queue manager performance
+when delivering multi-recipient mail. The queue manager now proactively
+reads recipients from the queue file, instead of waiting for the
+slowest deliveries to complete before reading in new recipients.
+This introduces two parameters: default_recipient_refill_limit (how
+many recipient slots to refill at a time) and
+default_recipient_refill_delay (how long to wait between refill
+operations). These two parameters act as defaults for optional
+per-transport settings.
+
+Major changes - delivery status notifications
+---------------------------------------------
+
+[Incompat 20061209] Small changes were made to the default bounce
+message templates, to prevent HTML-aware software from hiding or
+removing the text "<postmaster>", and producing misleading text.
+
+[Incompat 20060806] Postfix no longer announces its name in delivery
+status notifications. Users believe that Wietse provides a free
+help desk service that solves all their email problems.
+
+Major changes - ETRN support
+----------------------------
+
+[Feature 20061217] More precise queue flushing with the ETRN,
+"postqueue -s site", and "sendmail -qRsite" commands, after
+minimization of race conditions. New per-queue-file flushing with
+"postqueue -i queueid" and "sendmail -qIqueueid".
+
+Major changes - small office/home office support
+------------------------------------------------
+
+[Incompat 20061217] Postfix no longer requires a domain name. It
+uses "localdomain" as the default Internet domain name when no
+domain is specified via main.cf or via the machine's hostname.
+
+Major changes - SMTP access control
+-----------------------------------
+
+[Incompat 20061214] The check_smtpd_policy client sends TLS certificate
+attributes (client ccert_subject, ccert_issuer) only after successful
+client certificate verification. The reason is that the certification
+verification status itself is not available in the policy request.
+
+[Incompat 20061214] The check_smtpd_policy client sends TLS certificate
+fingerprint information even when the certificate itself was not
+verified.
+
+[Incompat 20061214] The remote SMTP client TLS certificate fingerprint
+can be used for
+access control even when the certificate itself was not verified.
+
+[Incompat 20061209] The Postfix installation procedure no longer
+updates main.cf with "unknown_local_recipient_reject_code = 450".
+Four years after the introduction of mandatory recipient validation,
+this transitional tool is no longer neeed.
+
+Major changes - workarounds
+---------------------------
+
+[Incompat 20070222] As a safety measure, Postfix now by default
+creates mailbox dotlock files on all systems. This prevents problems
+with GNU POP3D which subverts kernel locking by creating a new
+mailbox file and deleting the old one.
+
+[Feature 20061209] Better interoperability with non-conforming SMTP
+servers that reply and disconnect before Postfix has sent the
+complete message content.
+
+[Feature 20061209] Better support for queue file systems on file
+servers with drifting clocks. Clock skew can be a problem, because
+Postfix does not deliver mail until the local clock catches up with
+the queue file's last modification time stamp. On systems with
+usable futimes() or equivalent (Solaris, *BSD, MacOS, but not Linux),
+Postfix now always explicitly sets the queue file last modification
+time stamps while creating a queue file. On systems without usable
+futimes() (Linux, and ancient versions of Solaris, SunOS and *BSD)
+Postfix keeps using the slower utime() system call to update queue
+file time stamps when the file system clock is off with respect to
+the local system clock, and logs a warning.
+
+[Feature 20061006] Individual CISCO PIX bug workarounds are now
+on/off configurable. This introduces new parameters: smtp_pix_workarounds
+(default: disable_esmtp, delay_dotcrlf) and smtp_pix_workaround_maps
+(workarounds indexed by server IP address). The default settings
+are backwards compatible.
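Review bot: typos in the added text: "neeed" in the [Incompat 20061209] unknown_local_recipient_reject_code entry should be "needed", and "may log a warnings with:" in the first [Incompat 20061209] entry under "Major changes - critical" should be "may log warnings with:", matching the wording of the entry that follows it. In both copies of the [Incompat 20061214] ccert_subject/ccert_issuer entry, "certification verification status" reads as if "certificate verification status" was meant. The copy of the fingerprint access-control entry under "Major changes - SMTP access control" also has a stray line break after "can be used for", unlike the copy under "TLS support".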
diff --git a/RELEASE_NOTES-2.5 b/RELEASE_NOTES-2.5
new file mode 100644
index 0000000..f560d3b
--- /dev/null
+++ b/RELEASE_NOTES-2.5
@@ -0,0 +1,376 @@
+The stable Postfix release is called postfix-2.5.x where 2=major
+release number, 5=minor release number, x=patchlevel. The stable
+release never changes except for patches that address bugs or
+emergencies. Patches change the patchlevel and the release date.
+
+New features are developed in snapshot releases. These are called
+postfix-2.6-yyyymmdd where yyyymmdd is the release date (yyyy=year,
+mm=month, dd=day). Patches are never issued for snapshot releases;
+instead, a new snapshot is released.
+
+The mail_release_date configuration parameter (format: yyyymmdd)
+specifies the release date of a stable release or snapshot release.
+
+Incompatibility with Postfix 2.3 and earlier
+--------------------------------------------
+
+If you upgrade from Postfix 2.3 or earlier, read RELEASE_NOTES-2.4
+before proceeding.
+
+Major changes - critical
+------------------------
+
+[Incompat 20071224] The protocol to send Milter information from
+smtpd(8) to cleanup(8) processes was cleaned up. If you use the
+Milter feature, and upgrade a live Postfix system, you may see an
+"unexpected record type" warning from a cleanup(8) server process.
+To prevent this, execute the command "postfix reload". The
+incompatibility affects only systems that use the Milter feature.
+It does not cause loss of mail, just a minor delay until the remote
+SMTP client retries.
+
+[Incompat 20071212] The allow_min_user feature now applies to both
+sender and recipient addresses in SMTP commands. With earlier Postfix
+versions, only recipients were subject to the allow_min_user feature,
+and the restriction took effect at mail delivery time, causing mail
+to be bounced later instead of being rejected immediately.
+
+[Incompat 20071206] The "make install" and "make upgrade" procedures
+now create a Postfix-owned directory for Postfix-writable data files
+such as caches and random numbers. The location is specified with
+the "data_directory" parameter (default: "/var/lib/postfix"), and
+the ownership is specified with the "mail_owner" parameter.
+
+[Incompat 20071206] The tlsmgr(8) and verify(8) servers no longer
+use root privileges when opening the address_verify_map,
+*_tls_session_cache_database, and tls_random_exchange_name cache
+files. This avoids a potential security loophole where the ownership
+of a file (or directory) does not match the trust level of the
+content of that file (or directory).
+
+[Incompat 20071206] The tlsmgr(8) and verify(8) cache files should
+now be stored as Postfix-owned files under the Postfix-owned
+data_directory. As a migration aid, attempts to open these files
+under a non-Postfix directory are redirected to the Postfix-owned
+data_directory, and a warning is logged.
+
+This is an example of the warning messages:
+
+ Dec 6 12:56:22 bristle postfix/tlsmgr[7899]: warning: request
+ to update file /etc/postfix/prng_exch in non-postfix directory
+ /etc/postfix
+
+ Dec 6 12:56:22 bristle postfix/tlsmgr[7899]: warning: redirecting
+ the request to postfix-owned data_directory /var/lib/postfix
+
+If you wish to continue using a pre-existing tls_random_exchange_name
+or address_verify_map file, move it to the Postfix-owned data_directory
+and change ownership from root to Postfix (that is, change ownership
+to the account specified with the mail_owner configuration parameter).
+
+[Feature 20071205] The "make install" and "make upgrade" procedures
+now create a Postfix-owned directory for Postfix-writable data files
+such as caches and random numbers. The location is specified with
+the "data_directory" parameter (default: "/var/lib/postfix"), and
+the ownership is specified with the "mail_owner" parameter.
+
+[Incompat 20071203] The "make upgrade" procedure adds a new service
+"proxywrite" to the master.cf file, for read/write lookup table
+access. If you copy your old configuration file over the updated
+one, you may see warnings in the maillog file like this:
+
+ connect #xx to subsystem private/proxywrite: No such file or directory
+
+To recover, run "postfix upgrade-configuration" again.
+
+[Incompat 20070613] The pipe(8) delivery agent no longer allows
+delivery with the same group ID as the main.cf postdrop group.
+
+Major changes - malware defense
+-------------------------------
+
+[Feature 20080107] New "pass" service type in master.cf. Written
+years ago, this allows future front-end daemons to accept all
+connections from the network, and to hand over connections from
+well-behaved clients to Postfix. Since this feature uses file
+descriptor passing, it imposes no overhead once a connection is
+handed over to Postfix. See master(5) for a few details.
+
+[Feature 20070911] Stress-adaptive behavior. When a "public" network
+service runs into an "all processes are busy" condition, the master(8)
+daemon logs a warning, restarts the service, and runs it with "-o
+stress=yes" on the command line (under normal conditions it runs
+the service with "-o stress=" on the command line). This can be
+used to make main.cf parameter settings stress dependent, for
+example:
+
+/etc/postfix/main.cf:
+ smtpd_timeout = ${stress?10}${stress:300}
+ smtpd_hard_error_limit = ${stress?1}${stress:20}
+
+Translation: under conditions of stress, use an smtpd_timeout value
+of 10 seconds instead of 300, and use smtpd_hard_error_limit of 1
+instead of 20. The syntax is explained in the postconf(5) manpage.
+
+The STRESS_README file gives examples of how to mitigate flooding
+problems.
+
+Major changes - tls support
+---------------------------
+
+[Incompat 20080109] TLS logging output has changed to make it more
+useful. Existing logfile parser regular expressions may need
+adjustment.
+
+- More log entries include the "hostnamename[ipaddress]" of the
+ remote SMTP peer.
+
+- Certificate trust chain error reports show only the first
+ error certificate (closest to the trust chain root), and the
+ reporting is more human-readable for the most likely errors.
+
+- After the completion of the TLS handshake, the session is logged
+ with TLS loglevel >= 1 as either "Untrusted", "Trusted" or
+ "Verified" (SMTP client only).
+ - "Untrusted" means that the certificate trust chain is invalid,
+ or that the root CA is not trusted.
+ - "Trusted" means that the certificate trust chain is valid, and
+ that the root CA is trusted.
+ - "Verified" means that the certificate meets the SMTP client's
+ matching criteria for the destination:
+ - In the case of a destination name match, "Verified" also
+ implies "Trusted".
+ - In the case of a fingerprint match, CA trust is not applicable.
+
+- The logging of protocol states with TLS loglevel >= 2 no longer
+ reports bogus error conditions when OpenSSL asks Postfix to refill
+ (or flush) network I/O buffers. This loglevel is for debugging
+ only; use 0 or 1 in production configurations.
+
+[Feature 20080109] The Postfix SMTP client has a new "fingerprint"
+security level. This avoids dependencies on CAs, and relies entirely
+on bi-lateral exchange of public keys (really self-signed or private
+CA signed X.509 public key certificates). Scalability is clearly
+limited. For details, see the fingerprint discussion in TLS_README.
+
+[Feature 20080109] The Postfix SMTP server can now use SHA1 instead
+of MD5 to compute remote SMTP client certificate fingerprints. For
+backwards compatibility, the default algorithm is MD5. For details,
+see the "smtpd_tls_fingerprint_digest" parameter in the postconf(5)
+manual.
+
+[Feature 20080109] The maximum certificate trust chain depth
+(verifydepth) is finally implemented in the Postfix TLS library.
+Previously, the parameter had no effect. The default depth was
+changed to 9 (the OpenSSL default) for backwards compatibility.
+
+If you have explicity limited the verification depth in main.cf,
+check that the configured limit meets your needs. See the
+"lmtp_tls_scert_verifydepth", "smtp_tls_scert_verifydepth" and
+"smtpd_tls_ccert_verifydepth" parameters in the postconf(5) manual.
+
+[Feature 20080109] The selection of SSL/TLS protocols for mandatory
+TLS can now use exclusion rather than inclusion. Either form is
+acceptable; see the "lmtp_tls_mandatory_protocols",
+"smtp_tls_mandatory_protocols" and "smtpd_tls_mandatory_protocols"
+parameters in the postconf(5) manual.
+
+Major changes - scheduler
+-------------------------
+
+[Feature 20071130] Revised queue manager with separate mechanisms
+for per-destination concurrency control and for dead destination
+detection. The concurrency control supports less-than-1 feedback
+to allow for more gradual concurrency adjustments, and uses hysteresis
+to avoid rapid oscillations. A destination is declared "dead" after
+a configurable number of pseudo-cohorts(*) reports connection or
+handshake failure.
+
+(*) A pseudo-cohort is a number of delivery requests equal to a
+ destination's delivery concurrency.
+
+The drawbacks of the old +/-1 feedback scheduler are a) overshoot
+due to exponential delivery concurrency growth with each pseudo-cohort(*)
+(5-10-20...); b) throttling down to zero concurrency after a single
+pseudo-cohort(*) failure. The latter was especially an issue with
+low-concurrency channels where a single failure could be sufficient
+to mark a destination as "dead", and suspend further deliveries.
+
+New configuration parameters: destination_concurrency_feedback_debug,
+default_destination_concurrency_positive_feedback,
+default_destination_concurrency_negative_feedback,
+default_destination_concurrency_failed_cohort_limit, as well as
+transport-specific versions of the same.
+
+The default parameter settings are backwards compatible with older
+Postfix versions. This may change after better defaults are field
+tested.
+
+The updated SCHEDULER_README document describes the theory behind
+the new concurrency scheduler, as well as Patrik Rak's preemptive
+job scheduler. See postconf(5) for more extensive descriptions of
+the configuration parameters.
+
+Major changes - small/home office
+---------------------------------
+
+[Feature 20080115] Preliminary SOHO_README document that combines
+bits and pieces from other document in one place, so that it is
+easier to find. This document describes the "mail sending" side
+only.
+
+[Feature 20071202] Output rate control in the queue manager. For
+example, specify "smtp_destination_rate_delay = 5m", to pause five
+minutes between message deliveries. More information in the postconf(5)
+manual under "default_destination_rate_delay".
+
+Major changes - smtp client
+---------------------------
+
+[Incompat 20080114] The Postfix SMTP client now by default defers
+mail after a remote SMTP server rejects a SASL authentication
+attempt. Specify "smtp_sasl_auth_soft_bounce = no" for the old
+behavior.
+
+[Feature 20080114] The Postfix SMTP client can now avoid making
+repeated SASL login failures with the same server, username and
+password. To enable this safety feature, specify for example
+"smtp_sasl_auth_cache_name = proxy:btree:/var/lib/postfix/sasl_auth_cache"
+(access through the proxy service is required). Instead of trying
+to SASL authenticate, the Postfix SMTP client defers or bounces
+mail as controlled with the new smtp_sasl_auth_soft_bounce configuration
+parameter.
+
+[Feature 20071111] Header/body checks are now available in the SMTP
+client, after the implementation was moved from the cleanup server
+to a library module. The SMTP client provides only actions that
+don't change the message delivery time or destination: warn, replace,
+prepend, ignore, dunno, ok.
+
+[Incompat 20070614] By default, the Postfix Cyrus SASL client no
+longer sends a SASL authoriZation ID (authzid); it sends only the
+SASL authentiCation ID (authcid) plus the authcid's password. Specify
+"send_cyrus_sasl_authzid = yes" to get the old behavior.
+
+Major changes - smtp server
+---------------------------
+
+[Feature 20070724] Not really major. New support for RFC 3848
+(Received: headers with ESMTPS, ESMTPA, or ESMTPSA); updated SASL
+support according to RFC 4954, resulting in small changes to SMTP
+reply codes and (DSN) enhanced status codes.
+
+Major changes - milter
+----------------------
+
+[Incompat 20071224] The protocol to send Milter information from
+smtpd(8) to cleanup(8) processes was cleaned up. If you use the
+Milter feature, and upgrade a live Postfix system, you may see an
+"unexpected record type" warning from a cleanup(8) server process.
+To prevent this, execute the command "postfix reload". The
+incompatibility affects only systems that use the Milter feature.
+It does not cause loss of mail, just a minor delay until the remote
+SMTP client retries.
+
+[Feature 20071221] Support for most of the Sendmail 8.14 Milter
+protocol features.
+
+To enable the new features specify "milter_protocol = 6" and link
+the filter application with a libmilter library from Sendmail 8.14
+or later.
+
+Sendmail 8.14 Milter features supported at this time:
+
+- NR_CONN, NR_HELO, NR_MAIL, NR_RCPT, NR_DATA, NR_UNKN, NR_HDR,
+ NR_EOH, NR_BODY: The filter can tell Postfix that it won't reply
+ to some of the SMTP events that Postfix sends. This makes the
+ protocol less chatty and improves performance.
+
+- SKIP: The filter can tell Postfix to skip sending the rest of
+ the message body, which also improves performance.
+
+- HDR_LEADSPC: The filter can request that Postfix does not delete
+ the first space character between header name and header value
+ when sending a header to the filter, and that Postfix does not
+ insert a space character between header name and header value
+ when receiving a header from the filter. This fixes a limitation
+ in the old Milter protocol that can break DKIM and DK signatures.
+
+- SETSYMLIST: The filter can override one or more of the main.cf
+ milter_xxx_macros parameter settings.
+
+Sendmail 8.14 Milter features not supported at this time:
+
+- RCPT_REJ: report rejected recipients to the mail filter.
+
+- CHGFROM: replace sender, with optional ESMTP command parameters.
+
+- ADDRCPT_PAR: add recipient, with optional ESMTP command parameters.
+
+It is unclear when (if ever) the missing features will be implemented.
+SMFIP_RCPT_REJ requires invasive changes in the SMTP server recipient
+processing and error handling. SMFIR_CHGFROM and SMFIR_ADDRCPT_PAR
+require ESMTP command-line parsing in the cleanup server. Unfortunately,
+Sendmail's documentation does not specify what ESMTP options are
+supported, but only discusses examples of things that don't work.
+
+Major changes - address verification
+------------------------------------
+
+[Incompat 20070514] The default sender address for address verification
+probes was changed from "postmaster" to "double-bounce", so that
+the Postfix SMTP server no longer causes surprising behavior by
+excluding "postmaster" from SMTP server access controls.
+
+Major changes - ldap
+--------------------
+
+[Incompat 20071216] Due to an incompatible API change between
+OpenLDAP 2.0.11 and 2.0.12, an LDAP client compiled for OpenLDAP
+version <= 2.0.11 will refuse to work with an OpenLDAP library
+version >= 2.0.12 and vice versa.
+
+Major changes - logging
+-----------------------
+
+[Incompat 20080109] TLS logging output has changed to make it more
+useful. Existing logfile parser regular expressions may need
+adjustment.
+
+- More log entries include the "hostnamename[ipaddress]" of the
+ remote SMTP peer.
+
+- Certificate trust chain error reports show only the first
+ error certificate (closest to the trust chain root), and the
+ reporting is more human-readable for the most likely errors.
+
+- After the completion of the TLS handshake, the session is logged
+ with TLS loglevel >= 1 as either "Untrusted", "Trusted" or
+ "Verified" (SMTP client only).
+ - "Untrusted" means that the certificate trust chain is invalid,
+ or that the root CA is not trusted.
+ - "Trusted" means that the certificate trust chain is valid, and
+ that the root CA is trusted.
+ - "Verified" means that the certificate meets the SMTP client's
+ matching criteria for the destination:
+ - In the case of a destination name match, "Verified" also
+ implies "Trusted".
+ - In the case of a fingerprint match, CA trust is not applicable.
+
+- The logging of protocol states with TLS loglevel >= 2 no longer
+ reports bogus error conditions when OpenSSL asks Postfix to refill
+ (or flush) network I/O buffers. This loglevel is for debugging
+ only; use 0 or 1 in production configurations.
+
+[Incompat 20071216] The SMTP "transcript of session" email now
+includes the remote SMTP server TCP port number.
+
+Major changes - loop detection
+------------------------------
+
+[Incompat 20070422] [Incompat 20070422] When the pipe(8) delivery
+agent is configured to create the optional Delivered-To: header,
+it now first checks if that same header is already present in the
+message. If so, the message is returned as undeliverable. This test
+should have been included with Postfix 2.0 when Delivered-To: support
+was added to the pipe(8) delivery agent.
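Review bot: the final entry of RELEASE_NOTES-2.5, under "Major changes - loop detection", carries its tag twice ("[Incompat 20070422] [Incompat 20070422]"); one copy should go. In the same file, "hostnamename[ipaddress]" appears in both copies of the [Incompat 20080109] TLS logging entry (under "tls support" and under "logging") and looks like it should read "hostname[ipaddress]", and "explicity" in the verifydepth paragraph should be "explicitly". The data_directory paragraph is also present twice with identical wording, once as [Incompat 20071206] and once as [Feature 20071205]; if both tags are intended, the second could simply refer back to the first instead of repeating the text under a different date.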
diff --git a/RELEASE_NOTES-2.6 b/RELEASE_NOTES-2.6
new file mode 100644
index 0000000..ff07431
--- /dev/null
+++ b/RELEASE_NOTES-2.6
@@ -0,0 +1,300 @@
+The stable Postfix release is called postfix-2.6.x where 2=major
+release number, 6=minor release number, x=patchlevel. The stable
+release never changes except for patches that address bugs or
+emergencies. Patches change the patchlevel and the release date.
+
+New features are developed in snapshot releases. These are called
+postfix-2.7-yyyymmdd where yyyymmdd is the release date (yyyy=year,
+mm=month, dd=day). Patches are never issued for snapshot releases;
+instead, a new snapshot is released.
+
+The mail_release_date configuration parameter (format: yyyymmdd)
+specifies the release date of a stable release or snapshot release.
+
+If you upgrade from Postfix 2.4 or earlier, read RELEASE_NOTES-2.5
+before proceeding.
+
+Major changes - multi-instance support
+--------------------------------------
+
+[Feature 20090121] Support for managing multiple Postfix instances.
+This can automatically apply your "postfix start" etc. command to
+multiple Postfix instances, including upgrades to new Postfix
+versions. Multi-instance support allows you to do the following
+and more:
+
+- Simplify post-queue content filter configuration by using separate
+ Postfix instances before and after the filter. This simplifies
+ trouble shooting and performance tuning.
+
+- Implement per-user content filters (or no filter) via transport
+ map lookups instead of content_filter settings. Mail for some
+ users can be sent directly from the before-filter instance to the
+ after-filter instance.
+
+- Test new configuration settings (on a different server IP address
+ or TCP port) without disturbing production instances.
+
+- Each additional Postfix instance uses a few files and directories,
+ plus memory for an extra master daemon and queue manager. The
+ pickup daemon is needed only if you use local submission or
+ "postsuper -r".
+
+Best of all, nothing changes when you use only one Postfix instance.
+
+The MULTI_INSTANCE_README file presents an introduction to
+multi-instance management. Multi-instance support is based on an
+API that is described in the postfix-wrapper(5) manual page.
+
+Major changes - milter support
+------------------------------
+
+[Feature 20090428] The following improvements have been made to the
+Milter implementation:
+
+- Improved compatibility of the {mail_addr} and {rcpt_addr} macros.
+
+- Support for the {mail_host}, {mail_mailer}, {rcpt_host} and
+{rcpt_mailer} macros.
+
+- Milter applications can now request rejected recipients with the
+SMFIP_RCPT_REJ feature. Rejected recipients are reported with
+{rcpt_mailer} = "error", {rcpt_host} = enhanced status code, and
+{rcpt_addr} = descriptive text. This feature requires "milter_protocol
+= 6" or higher (default as of Postfix 2.6).
+
+- Milters can now replace the envelope sender address with the
+SMFIR_CHGFROM request, and can add recipients with SMFIR_ADDRCPT_PAR.
+These implementations ignore ESMTP command parameters and log a
+warning message as follows:
+
+ warning: 100B22B3293: cleanup_chg_from: ignoring ESMTP arguments "whatever"
+ warning: 100B22B3293: cleanup_add_rcpt: ignoring ESMTP arguments "whatever"
+
+[Incompat 20090428] The default milter_protocol setting is increased
+from 2 to 6; this enables all available features up to and including
+Sendmail 8.14.0. The new milter_protocol setting may break
+compatibility with older Milter libraries or applications, and may
+cause Postfix to log warning messages such as:
+
+ warning: milter inet:host:port: can't read packet header: Unknown error : 0
+
+ warning: milter inet:host:port: can't read packet header: Success
+
+ warning: milter inet:host:port: can't read SMFIC_DATA reply
+ packet header: No such file or directory
+
+To restore compatibility, specify "milter_protocol = 2" in main.cf.
+
+Major changes - security
+------------------------
+
+[Incompat 20080726] When a mailbox file is not owned by its recipient,
+the local and virtual delivery agents now log a warning and defer
+delivery. Specify "strict_mailbox_ownership = no" to ignore such
+ownership discrepancies.
+
+Major changes - smtp server
+---------------------------
+
+[Feature 20080212] check_reverse_client_hostname_access, to make
+access decisions based on the unverified client hostname. For
+safety reasons an OK result is not allowed.
+
+[Feature 20090210] With "reject_tempfail_action = defer", the Postfix
+SMTP server immediately replies with a 4xx status after some temporary
+error, instead of executing an implicit "defer_if_permit" action.
+
+[Feature 20090215] The Postfix SMTP server automatically hangs up
+after replying with "521". This makes overload handling more
+effective. See also RFC 1846 for prior art on this topic.
+
+[Feature 20090228] The Postfix SMTP server maintains a per-session
+"improper command pipelining detected" flag. This flag can be tested
+at any time with reject_unauth_pipelining, and is raised whenever
+a client command is followed by unexpected commands or message
+content. The Postfix SMTP server logs the first command pipelining
+transgression as "improper command pipelining after <command> from
+<hostname>[<hostaddress>]".
+
+[Feature 20090212] Stress-dependent behavior is enabled by default.
+Under conditions of overload, smtpd_timeout is reduced from 300s
+to 10s, smtpd_hard_error_limit is reduced from 20 to 1, and
+smtpd_junk_command_limit is reduced from 100 to 1. This will reduce
+the impact of overload for most legitimate mail.
+
+[Feature 20080629] The Postfix SMTP server's SASL authentication
+was re-structured. With "smtpd_tls_auth_only = yes", SASL support
+is now activated only after a successful TLS handshake. Earlier
+Postfix SMTP server versions could complain about unavailable SASL
+mechanisms during the plaintext phase of the SMTP protocol.
+
+[Incompat 20080510] In the policy delegation protocol, certificate
+common name attributes are now xtext encoded UTF-8. The xtext decoded
+attributes may contain any UTF-8 value except non-printable ASCII
+characters.
+
+Major changes - performance
+---------------------------
+
+[Feature 20090215] The Postfix SMTP server automatically hangs up
+after replying with "521". This makes overload handling more
+effective. See also RFC 1846 for prior art on this topic.
+
+[Feature 20090212] Stress-dependent behavior is enabled by default.
+Under conditions of overload, smtpd_timeout is reduced from 300s
+to 10s, smtpd_hard_error_limit is reduced from 20 to 1, and
+smtpd_junk_command_limit is reduced from 100 to 1. This will reduce
+the negative impact of server overload for most legitimate mail.
+
+[Feature 20090109] Specify "tcp_windowsize = 65535" (or less) to
+work around routers with broken TCP window scaling implementations.
+This is perhaps more convenient than collecting tcpdump output and
+tuning kernel parameters by hand. With Postfix TCP servers (smtpd(8),
+qmqpd(8)), this feature is implemented by the Postfix master(8)
+daemon.
+
+To change this parameter without stopping Postfix, you need to first
+terminate all Postfix TCP servers:
+
+ # postconf -e master_service_disable=inet
+ # postfix reload
+
+This immediately terminates all processes that accept network
+connections. Then you enable Postfix TCP servers with the updated
+tcp_windowsize setting:
+
+ # postconf -e tcp_windowsize=65535 master_service_disable=
+ # postfix reload
+
+If you skip these steps with a running Postfix system, then the
+tcp_windowsize change will work only for Postfix TCP clients (smtp(8),
+lmtp(8)).
+
+Of course you can also do "postfix stop" and "postfix start",
+but that is more disruptive.
+
+Major changes - tls
+-------------------
+
+[Incompat 20090428] The Postfix SMTP client(!) no longer tries to
+use the obsolete SSLv2 protocol by default, as this may prevent the
+use of modern SSL features. Lack of SSLv2 support should never be
+a problem, since SSLv3 was defined in 1996, and TLSv1 in 1999. You
+can undo the change by specifying empty main.cf values for
+smtp_tls_protocols and lmtp_tls_protocols. The Postfix SMTP server
+maintains SSLv2 support for backwards compatibility with ancient
+clients.
+
+[Feature 20081010] Controls for the protocols and ciphers that
+Postfix will use with opportunistic TLS. The smtp_tls_protocols,
+smtp_tls_ciphers, and equivalent parameters for lmtp and smtpd
+provide global settings; the SMTP client TLS policy table provides
+ciphers and protocols settings for specific peers. Code by Victor
+Duchovni. Details are given in the TLS_README and postconf(5)
+documents.
+
+[Feature 20081108] Elliptic curve support. This requires OpenSSL
+version 0.9.9 or later.
+
+Major changes - address verification
+------------------------------------
+
+[Incompat 20080428] Postfix SMTP server replies for address
+verification have changed. unverified_recipient_reject_code and
+unverified_sender_reject_code now handle "5XX" rejects only. The
+"4XX" rejects are now controlled with unverified_sender_defer_code
+and unverified_recipient_defer_code.
+
+[Feature 20080428] Finer control over the way Postfix reports address
+verification failures to remote SMTP clients.
+
+- unverified_sender/recipient_defer_code: the numerical Postfix
+ SMTP server reply code when address verification failed due
+ to some temporary error.
+
+- unverified_sender/recipient_reject_reason: fixed text that Postfix
+ will send to the remote SMTP client, instead of sending actual
+ address verification details.
+
+Major changes - dsn
+-------------------
+
+[Feature 20090307] New "lmtp_assume_final = yes" flag to send correct
+DSN "success" notifications when LMTP delivery is "final" as opposed
+to delivery into a content filter.
+
+Major changes - file organization
+---------------------------------
+
+[Incompat 20080207] According to discussions on the mailing list,
+too many people are breaking newly installed Postfix by overwriting
+the new /etc/postfix files with versions from an older release, and
+end up with a broken configuration that cannot repair itself. For
+this reason, postfix-script, postfix-files and post-install are
+moved away from /etc/postfix to $daemon_directory.
+
+Major changes - header rewriting
+--------------------------------
+
+[Incompat 20090330] Postfix now adds (Resent-) From:, Date:,
+Message-ID: or To: headers only when clients match
+$local_header_rewrite_clients. Specify "always_add_missing_headers
+= yes" for backwards compatibility. Adding such headers can break
+DKIM signatures that cover headers that are not present. For
+compatibility with existing logfile processing software, Postfix
+will log ``message-id=<>'' for messages without Message-Id header.
+
+Major changes - lmtp client
+---------------------------
+
+[Feature 20090307] New "lmtp_assume_final = yes" flag to send correct
+DSN "success" notifications when LMTP delivery is "final" as opposed
+to delivery into a content filter.
+
+Major changes - logging
+-----------------------
+
+[Incompat 20090330] Postfix now adds (Resent-) From:, Date:,
+Message-ID: or To: headers only when clients match
+$local_header_rewrite_clients. Specify "always_add_missing_headers
+= yes" for backwards compatibility. Adding such headers can break
+DKIM signatures that cover headers that are not present.
+
+This changes the appearance of Postfix logging: to preserve
+compatibility with existing logfile processing software, Postfix
+will log ``message-id=<>'' for messages without Message-Id header.
+
+Major changes - mime
+--------------------
+
+[Feature 20080324] When the "postmap -q -" command reads lookup
+keys from standard input, it now understands RFC822 and MIME message
+format. Specify -h or -b to use headers or body lines as lookup
+keys, and specify -hm or -bm to simulate header_checks or body_checks.
+
+Major changes - miscellaneous
+-----------------------------
+
+[Feature 20090109] Support to selectively disable master(8) listener
+ports by service type or by service name + type. Specify a list of
+service types ("inet", "unix", "fifo", or "pass") or "name.type"
+tuples, where "name" is the first field of a master.cf entry and
+"type" is a service type. Examples: to turn off the main SMTP
+listener port, use "master_service_disable = smtp.inet"; to turn
+off all TCP/IP listeners, use "master_service_disable = inet".
+Changing this parameter requires "postfix reload".
+
+Major changes - sasl
+--------------------
+
+[Feature 20090418] The Postfix SMTP server passes more information
+to the Dovecot authentication server: the "TLS is active" flag, the
+server IP address, and the client IP address.
+
+[Feature 20080629] The Postfix SMTP server's SASL authentication
+was re-structured. With "smtpd_tls_auth_only = yes", SASL support
+is now activated only after a successful TLS handshake. Earlier
+Postfix SMTP server versions could complain about unavailable SASL
+mechanisms during the plaintext phase of the SMTP protocol.
+
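Review bot: in RELEASE_NOTES-2.6 under "Major changes - tls", the [Incompat 20090428] entry says the SMTP server keeps SSLv2 for ancient clients but gives no hint how an operator can turn that off; a one-line pointer to the [Feature 20081010] entry directly below, which introduces the protocol and cipher controls for smtpd, would close the gap. Two smaller points in the same file: entries that are listed under more than one heading have drifted apart in wording ([Feature 20090212] ends with "the impact of overload" under "smtp server" and "the negative impact of server overload" under "performance", and [Incompat 20090330] places the ``message-id=<>'' sentence differently under "header rewriting" and "logging"), so it is worth making each pair identical. The file also ends with an empty added line, which can be dropped.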
diff --git a/RELEASE_NOTES-2.7 b/RELEASE_NOTES-2.7
new file mode 100644
index 0000000..8632638
--- /dev/null
+++ b/RELEASE_NOTES-2.7
@@ -0,0 +1,175 @@
+The stable Postfix release is called postfix-2.7.x where 2=major
+release number, 7=minor release number, x=patchlevel. The stable
+release never changes except for patches that address bugs or
+emergencies. Patches change the patchlevel and the release date.
+
+New features are developed in snapshot releases. These are called
+postfix-2.8-yyyymmdd where yyyymmdd is the release date (yyyy=year,
+mm=month, dd=day). Patches are never issued for snapshot releases;
+instead, a new snapshot is released.
+
+The mail_release_date configuration parameter (format: yyyymmdd)
+specifies the release date of a stable release or snapshot release.
+
+If you upgrade from Postfix 2.5 or earlier, read RELEASE_NOTES-2.6
+before proceeding.
+
+Major changes - performance
+---------------------------
+
+[Feature 20100101] Periodic cache cleanup for the verify(8) cache
+database. The time between cache cleanup runs is controlled with
+the address_verify_cache_cleanup_interval (default: 12h) parameter.
+Cache cleanup increases the database access latency, so this should
+not be run more often than necessary.
+
+[Feature 20091109] Improved before-queue filter performance. With
+"smtpd_proxy_options = speed_adjust", the Postfix SMTP server
+receives the entire message before it connects to a before-queue
+content filter. This means you can run more SMTP server processes
+with the same number of running content filter processes, and thus,
+handle more mail. This feature is off by default until it is proven
+to create no new problems.
+
+This addresses a concern of people in Europe who want to reject all
+bad mail with a before-queue filter. The alternative, an after-queue
+filter, means they would have to discard bad mail (which is illegal)
+or bounce bad mail (which violates good network citizenship).
+
+NOTE 1: When this feature is turned on, a filter cannot selectively
+reject recipients of a multi-recipient message. It is OK to reject
+all recipients of the same multi-recipient message, as is deferring
+or accepting all recipients of the same multi-recipient message.
+
+NOTE 2: This feature increases the minimum amount of free queue
+space by $message_size_limit. The extra space is needed to save the
+message to a temporary file.
+
+To keep the performance overhead low, the same temporary file is
+reused with successive mail transactions (the file is of course
+truncated before reuse, so there is no information leakage).
+
+Major changes - sender reputation
+---------------------------------
+
+[Feature 20100117] The FILTER action in access maps or header/body_checks
+now supports sender reputation schemes that dynamically choose the
+SMTP source IP address. Typically, mail is split into classes, and
+all mail in class X is sent out from an SMTP client IP address that
+is reserved for class X.
+
+This is implemented by specifying FILTER actions with empty next-hop
+destinations in access maps or header/body_checks, and by configuring
+in master.cf one Postfix SMTP client for each SMTP source IP address,
+where each client has its own "-o myhostname" and "-o smtp_bind_address"
+settings.
+
+[Feature 20091209] sender_dependent_default_transport_maps, a
+per-sender override for default_transport. The original motivation
+is to use different output channels (with different source IP
+addresses) for different sender addresses, in order to keep their
+IP-based reputations separate from each other.
+
+The result value syntax is that of default_transport, not transport_maps.
+Thus, sender_dependent_default_transport_maps does not support the
+special transport_maps result value syntax for null transport, null
+nexthop, or null email address.
+
+This feature makes sender_dependent_relayhost_maps pretty much
+redundant (though sender_dependent_relayhost_maps will often be
+easier to use because that is the only thing people want to override).
+
+Major changes - address verification
+------------------------------------
+
+[Incompat 20100101] The verify(8) service now uses a persistent
+cache by default (address_verify_map = btree:$data_directory/verify_cache).
+To disable, specify "address_verify_map =" in main.cf.
+
+When periodic cache cleanup is enabled (the default), the verify(8)
+server now requires that the cache database supports the "delete"
+and "sequence" operations. To disable periodic cache cleanup specify
+a zero address_verify_cache_cleanup_interval value.
+
+[Feature 20100101] Periodic cache cleanup for the verify(8) cache
+database. The time between cache cleanup runs is controlled with
+the address_verify_cache_cleanup_interval (default: 12h) parameter.
+Cache cleanup increases the database access latency, so this should
+not be run more often than necessary.
+
+Major changes - content filter
+------------------------------
+
+[Incompat 20100117] The meaning of an empty filter next-hop destination
+has changed (for example, "content_filter = foo:" or "FILTER foo:").
+Postfix now uses the recipient domain, instead of using $myhostname
+as in Postfix 2.6 and earlier. To restore the old behavior specify
+"default_filter_nexthop = $myhostname", or specify a non-empty
+next-hop content filter destination.
+
+This compatibility option is not needed with SMTP-based content
+filters, because these always have an explicit next-hop destination.
+
+With pipe-based filters that specify no next-hop destination, the
+compatibility option restores the FIFO order of deliveries. Without
+the compatibility option, the delivery order for filters without
+next-hop destination changes to round-robin domain selection.
+
+[Feature 20100117] The FILTER action in access maps or header/body_checks
+now supports sender reputation schemes that dynamically choose the
+SMTP source IP address. Typically, mail is split into classes, and
+all mail in class X is sent out from an SMTP client IP address that
+is reserved for class X.
+
+This is implemented by specifying FILTER actions with empty next-hop
+destinations in access maps or header/body_checks, and by configuring
+in master.cf one Postfix SMTP client for each SMTP source IP address,
+where each client has its own "-o myhostname" and "-o smtp_bind_address"
+settings.
+
+[Feature 20091109] Improved before-queue filter performance. With
+"smtpd_proxy_options = speed_adjust", the Postfix SMTP server
+receives the entire message before it connects to a before-queue
+content filter. This means you can run more SMTP server processes
+with the same number of running content filter processes, and thus,
+handle more mail. This feature is off by default until it is proven
+to create no new problems.
+
+This addresses a concern of people in Europe who want to reject all
+bad mail with a before-queue filter. The alternative, an after-queue
+filter, means they would have to discard bad mail (which is illegal)
+or bounce bad mail (which violates good network citizenship).
+
+NOTE 1: When this feature is turned on, a filter cannot selectively
+reject recipients of a multi-recipient message. It is OK to reject
+all recipients of the same multi-recipient message, as is deferring
+or accepting all recipients of the same multi-recipient message.
+
+NOTE 2: This feature increases the minimum amount of free queue
+space by $message_size_limit. The extra space is needed to save the
+message to a temporary file.
+
+To keep the performance overhead low, the same temporary file is
+reused with successive mail transactions (the file is of course
+truncated before reuse, so there is no information leakage).
+
+Major changes - milter
+----------------------
+
+[Feature 20090606] Support for header checks on Milter-generated
+message headers. This can be used, for example, to control mail
+flow with Milter-generated headers that carry indicators for badness
+or goodness. For details, see the postconf(5) section for
+"milter_header_checks". Currently, all header_checks features are
+implemented except PREPEND.
+
+Major changes - multi-instance support
+--------------------------------------
+
+[Incompat 20090606] The "postmulti -e destroy" command no longer
+attempts to remove files that are created AFTER "postmulti -e
+create". It still works as expected immediately after creating an
+instance by mistake. Trying to automatically remove other files
+is too risky because Postfix-owned directories are by design not
+trusted.
+
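Review bot: In the speed_adjust text under "Major changes - content filter", NOTE 2 and the paragraph after it say the message is saved to a temporary file that is reused across mail transactions, and they rest the "no information leakage" claim on truncation alone, without saying where the file is created or who can read it. Suggest adding one sentence that names the location and the ownership/permissions of that file, so an administrator can verify the claim and can provision the extra $message_size_limit of free space on the right file system. Separately, NOTE 1 reads awkwardly ("It is OK to reject all recipients ..., as is deferring or accepting all recipients"); "It is OK to reject, defer, or accept all recipients of the same multi-recipient message" says the same thing more directly.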
diff --git a/RELEASE_NOTES-2.8 b/RELEASE_NOTES-2.8
new file mode 100644
index 0000000..622577f
--- /dev/null
+++ b/RELEASE_NOTES-2.8
@@ -0,0 +1,383 @@
+The stable Postfix release is called postfix-2.8.x where 2=major
+release number, 8=minor release number, x=patchlevel. The stable
+release never changes except for patches that address bugs or
+emergencies. Patches change the patchlevel and the release date.
+
+New features are developed in snapshot releases. These are called
+postfix-2.9-yyyymmdd where yyyymmdd is the release date (yyyy=year,
+mm=month, dd=day). Patches are never issued for snapshot releases;
+instead, a new snapshot is released.
+
+The mail_release_date configuration parameter (format: yyyymmdd)
+specifies the release date of a stable release or snapshot release.
+
+If you upgrade from Postfix 2.6 or earlier, read RELEASE_NOTES-2.7
+before proceeding.
+
+Major changes - restart Postfix
+-------------------------------
+
+If you upgrade from Postfix 2.6 or earlier, you must execute "postfix
+stop" and "postfix start" before you can use the postscreen(8)
+daemon. This is needed because the Postfix 2.6 "pass" master service
+type did not work reliably on some systems.
+
+If you upgrade from Postfix 2.7, or from Postfix 2.8 before July
+25, 2010, you must execute "postfix reload" (or "postfix stop"
+followed by "postfix start"). This is needed because the queue
+manager to delivery agent protocol has changed. Failure to do this
+results in repeated logging of warnings with:
+
+ warning: unexpected attribute rewrite_context ...
+
+If the warning does not go away after restarting Postfix, examine
+the output from this command:
+
+ strings -af /usr/libexec/postfix/* | grep mail_version=
+
+(where /usr/libexec/postfix is the value of main.cf:daemon_directory)
+and update the executables that have a version string that differs
+from the other programs.
+
+Major changes - DNSBL/DNSWL support
+-----------------------------------
+
+[Feature 20101126] Support for address patterns in DNS blacklist
+and whitelist lookup results.
+
+For example, "reject_rbl_client example.com=127.0.0.[2;4;6..8]"
+will reject clients when the lookup result is 127.0.0.2, 127.0.0.4,
+127.0.0.6, 127.0.0.7, or 127.0.0.8.
+
+The setting "postscreen_dnsbl_sites = example.com=127.0.0.[2;4;6..8]"
+rejects the same clients.
+
+An IPv4 address pattern has four fields separated by ".". Each
+field is either a decimal number, or a sequence inside "[]" that
+contains one or more ";"-separated decimal numbers or number..number
+ranges.
+
+Thus, any pattern field can be a sequence inside "[]", but a "[]"
+sequence cannot span multiple address fields, and a pattern field
+cannot contain both a number and a "[]" sequence at the same time.
+
+This means that the pattern 1.2.[3.4] is not valid (the sequence
+[3.4] cannot span two address fields) and the pattern 1.2.3.3[6..9]
+is also not valid (the last field cannot be both number 3 and
+sequence [6..9] at the same time).
+
+The syntax for IPv4 patterns is as follows:
+
+v4pattern = v4field "." v4field "." v4field "." v4field
+v4field = v4octet | "[" v4sequence "]"
+v4octet = any decimal number in the range 0 through 255
+v4sequence = v4seq_member | v4sequence ";" v4seq_member
+v4seq_member = v4octet | v4octet ".." v4octet
+
+[Feature 20101105] The Postfix SMTP server now supports DNS-based
+whitelisting with several safety features: permit_dnswl_client
+whitelists a client by IP address, and permit_rhswl_client whitelists
+a client by its hostname. These features use the same syntax as
+reject_rbl_client and reject_rhsbl_client, respectively. The main
+difference is that they return PERMIT instead of REJECT.
+
+Whitelisting is primarily a tool to reduce the false positive rate
+of DNS blocklist lookups. Client name whitelisting should not be
+used to make exceptions to access rules. The reason is that client
+name lookup can fail unpredictably due to some temporary outage.
+
+For safety reasons, permit_dnswl_client and permit_rhswl_client are
+silently ignored when they would override reject_unauth_destination.
+Also for safety reasons, the result is DEFER_IF_REJECT when DNS
+whitelist lookup fails (this result will be made configurable).
+
+Major changes - sqlite support
+------------------------------
+
+[Feature 20100617] Support for read-only sqlite database access,
+with code by Axel Steiner and documentation by Jesus Garcia Crespo.
+See SQLITE_README and sqlite_table(5) for details.
+
+Major changes - Milter support
+-------------------------------
+
+[Incompat 20101103] Postfix now requests default delivery status
+notifications when adding a recipient with the Milter smfi_addrcpt
+action, instead of "never notify" as with Postfix automatically-added
+recipients (always_bcc and sender/recipient_bcc_maps).
+
+Major changes - alias expansion
+-------------------------------
+
+[Incompat 20101202] Postfix now reports a temporary delivery error
+when the result of virtual alias expansion would exceed the
+virtual_alias_recursion_limit or virtual_alias_expansion_limit.
+Previously, Postfix would silently drop the excess recipients and
+deliver the message.
+
+[Incompat 20101006] To avoid repeated delivery to mailing lists
+with pathological nested alias configurations, the local(8) delivery
+agent now keeps the owner-alias attribute of a parent alias, when
+delivering mail to a child alias that does not have its own owner
+alias.
+
+With this change, local addresses from that child alias will be
+written to a new queue file, and a temporary error with one local
+address will no longer result in repeated delivery to other mailing
+list members. Specify "reset_owner_alias = yes" for the older,
+more fragile, behavior.
+
+The postconf(5) manpage entry for "reset_owner_alias" has more
+background information on this issue.
+
+Major changes - dns lookup
+--------------------------
+
+[Incompat 20100827] The Postfix SMTP client no longer appends the
+local domain when looking up a DNS name without ".". Specify
+"smtp_dns_resolver_options = res_defnames" to get the old behavior,
+which may produce unexpected results.
+
+Major changes - logging
+-----------------------
+
+[Incompat 20100728] The format of the "postfix/smtpd[pid]: queueid:
+client=host[addr]" logfile record has changed. When available, the
+before-filter client information and the before-filter queue ID are
+now appended to the end of the record.
+
+[Feature 20100728] Improved message tracking across SMTP-based
+content filters. The logging example below is from an after-filter
+SMTP server. Here, 951F692462F is a before-filter queue ID,
+hades.porcupine.org is a before-filter SMTP client, while 6B4A9924782
+is the after-filter queue ID, and localhost[127.0.0.1] is the
+SMTP-based content filter that sends mail into the after-filter
+SMTP server.
+
+ postfix/smtpd[4074]: 6B4A9924782:
+ client=localhost[127.0.0.1],
+ orig_queue_id=951F692462F
+ orig_client=hades.porcupine.org[168.100.189.10]
+
+Major changes - reply footer
+----------------------------
+
+[Feature 20110105] The SMTP server now supports contact information
+that is appended to "reject" responses. This includes SMTP server
+responses that aren't logged to the maillog file, such as responses
+to syntax errors, or unsupported commands.
+
+Example:
+ smtpd_reject_footer = For assistance, call 800-555-0101.
+
+Server response:
+ 550-5.5.1 <user@example> Recipient address rejected: User unknown
+ 550 5.5.1 For assistance, call 800-555-0101.
+
+This feature supports macro expansion ($client_address, $localtime,
+etc.), as documented in the postconf(5) manpage.
+
+This feature is also supported as postscreen_reject_footer using
+the same setting as smtpd_reject_footer by default.
+
+Major changes - rfc compliance
+------------------------------
+
+[Incompat 20101206] Postfix by default no longer adds a "To:
+undisclosed-recipients:;" header when no recipient specified in the
+message header. The Internet mail RFCs have supported messages
+without recipient header for almost 10 years now.
+
+For backwards compatibility, specify:
+
+/etc/postfix/main.cf
+ undisclosed_recipients_header = To: undisclosed-recipients:;
+
+Note: both the ":" and ";" are required.
+
+Major changes - tls support
+---------------------------
+
+[Incompat 20110102] The Postfix SMTP server now always re-computes
+the SASL mechanism list after successful completion of the STARTTLS
+command. Earlier versions only re-computed the mechanism list when
+the values of smtp_sasl_tls_security_options and smtp_sasl_security_options
+differ. This could produce incorrect results, because the Dovecot
+authentication server may change responses when the SMTP session
+is encrypted.
+
+[Incompat 20110102] The smtpd_starttls_timeout default value is now
+stress-dependent. By default, TLS negotiations must now complete
+under overload in 10s instead of 300s.
+
+[Feature 20101223] The new tls_disable_workarounds parameter specifies
+a list or bit-mask of OpenSSL bug work-arounds to disable. This may
+be necessary if one of the work-arounds enabled by default in OpenSSL
+proves to pose a security risk, or introduces an unexpected
+interoperability issue. Some bug work-arounds known to be problematic
+are disabled in the default value of the parameter when linked with
+an OpenSSL library that could be vulnerable. See postconf(5) and
+TLS_README for details.
+
+With "tls_preempt_cipherlist = yes" the Postfix SMTP server will
+choose its most preferred cipher that is supported (offered) by the
+client. This can lead to a more secure or performant cipher choice,
+but may also introduce interoperability problems when a client
+announces support for a cipher that does not work. See postconf(5)
+and TLS_README for details.
+
+[Feature 20101217] The lower-level code in the TLS engine was
+simplified by removing an unnecessary layer of data copying. OpenSSL
+now writes directly to the network. The difference in performance
+should be hardly noticeable.
+
+[Incompat 20100610] Postfix no longer appends the system-supplied
+default CA certificates to the lists specified with *_tls_CAfile
+or with *_tls_CApath. This prevents third-party certificates from
+getting mail relay permission with the permit_tls_all_clientcerts
+feature.
+
+Unfortunately this change may cause compatibility problems when
+configurations rely on certificate verification for other purposes.
+Specify "tls_append_default_CA = yes" for backwards compatibility.
+
+Major changes - postscreen
+--------------------------
+
+See html/POSTSCREEN_README.html for an introduction to postscreen
+(or the text version, README_FILES/POSTSCREEN_README). The text
+below summarizes milestones in reverse chronological order.
+
+[Incompat 20110111] The postscreen_access_list feature replaces the
+postscreen_whitelist_networks and postscreen_blacklist_networks
+features. Reason: CIDR-style access maps are some 100x faster than
+the code that implemented the postscreen_white/blacklist_networks
+support. CIDR maps can match about 100 million CIDR patterns/second
+on a modern CPU, which is not blindingly fast but adequate for the
+near future.
+
+[Feature 20110102] STARTTLS support for the postscreen(8) daemon.
+This is implemented by a new tlsproxy(8) daemon that you will need
+to enable in master.cf (see POSTSCREEN_README for instructions).
+tlsproxy(8) implements its own tlsproxy_mumble versions of TLS-related
+smtpd_mumble parameters. This leaves no confusion about which
+parameters will affect tlsproxy(8) behavior, but it adds another
+25 parameters to the documentation.
+
+[Incompat 20100912] If your DNSBL queries have a "secret" in the
+domain name, you must now censor this information from the postscreen(8)
+SMTP replies. For example:
+
+ /etc/postfix/main.cf:
+ postscreen_dnsbl_reply_map = texthash:/etc/postfix/dnsbl_reply
+
+ /etc/postfix/dnsbl_reply:
+ # Secret DNSBL name Name in postscreen(8) replies
+ secret.zen.spamhaus.org zen.spamhaus.org
+
+The texthash: format is similar to hash: except that there is no need to
+run postmap(1) before the file can be used, and that it does not detect
+changes after the file is read. It is new with Postfix version 2.8.
+
+[Incompat 20100912] The postscreen "continue" action is now called
+"ignore". The old name is still supported but no longer documented.
+
+[Incompat 20100912] The postscreen_hangup_action parameter was
+removed. Postscreen now always behaves as if "postscreen_hangup_action
+= drop".
+
+[Incompat 20100912] The postscreen_cache_retention_time default was
+increased from 1d to 7d, to avoid deleting results from expensive
+deep SMTP protocol tests too quickly.
+
+[Feature 20100912] SMTP protocol engine for deep protocol tests,
+and for logging the helo/sender/recipient information when postscreen
+rejects an attempt to deliver mail.
+
+The postscreen SMTP protocol engine implements a number of deep
+protocol tests and defers or rejects all attempts to deliver mail.
+The first test detects unauthorized SMTP command pipelining (an
+SMTP client sends multiple commands, instead of sending one command
+and waiting for the server response); a second deep protocol test
+implements the Postfix SMTP server's smtpd_forbidden_commands feature
+(a client sends commands such as CONNECT, GET, POST); and a third
+deep protocol test detects spambots that send SMTP commands that
+end in newline instead of carriage-return/newline. Real spambots
+rarely make this mistake, but poorly-written software often does.
+
+Deep protocol tests are disabled by default, because the built-in
+SMTP engine cannot not hand off the "live" connection from a good
+SMTP client to a Postfix SMTP server process. To work around this,
+postscreen(8) defers attempts to deliver mail with a 4XX status,
+and waits for the client to disconnect. The next time a good client
+connects, it will be allowed to talk to a Postfix SMTP server process
+to deliver mail.
+
+[Feature 20100830] Postscreen DNSBL support is extended with optional
+fixed-string filters, with optional integral weight factors, and
+with an adjustable threshold to block SMTP clients with DNSBL score
+>= that threshold. Reply filters will be implemented later.
+
+The updated postscreen configuration syntax is:
+
+ postscreen_dnsbl_sites = domain[=ipaddr][*weight] ...
+ postscreen_dnsbl_threshold = score
+
+Elements inside [] are optional, ipaddr is an IPv4 address, and
+weight and score are integral numbers. The [] are not part of the
+postscreen_dnsbl_sites input. By default, weight and score are
+equal to 1, and entries without filter will match any non-error
+DNSBL reply. Use a negative weight value for whitelisting.
+
+Examples:
+
+To use example.com as a high-confidence blocklist, and to block
+mail with example.net and example.org only when both agree, use:
+
+ postscreen_dnsbl_threshold = 2
+ postscreen_dnsbl_sites = example.com*2, example.net, example.org
+
+To filter only DNSBL replies containing 127.0.0.4, use:
+
+ postscreen_dnsbl_sites = example.com=127.0.0.4
+
+See also postconf(5) for the fine details.
+
+[Incompat 20100101] When periodic cache cleanup is enabled (the
+default), the postscreen(8) server now requires that the cache
+database supports the "delete" and "sequence" operations. To disable
+periodic cache cleanup specify a zero postscreen_cache_cleanup_interval
+value.
+
+[Feature 20100101] Periodic cache cleanup for the postscreen(8)
+cache database. The time between cache cleanup runs is controlled
+with the postscreen_cache_cleanup_interval (default: 12h) parameter.
+Cache cleanup increases the database access latency, so this should
+not be run more often than necessary.
+
+In addition, the postscreen_cache_retention_time (default: 1d)
+parameter specifies how long to keep an expired entry in the cache.
+This prevents a client from being logged as "NEW" after its record
+expired only a little while ago.
+
+[Feature 20091008] Prototype postscreen(8) server that runs a number
+of time-consuming checks in parallel for all incoming SMTP connections,
+before clients are allowed to talk to a real Postfix SMTP server.
+It detects clients that start talking too soon, or clients that
+appear on DNS blocklists, or clients that hang up without sending
+any command.
+
+By doing these checks in a single postscreen(8) process, Postfix
+can avoid wasting one SMTP server process per connection. A side
+benefit of postscreen(8)'s DNSBL lookups is that DNS records are
+already cached before the Postfix SMTP server looks them up later.
+
+postscreen(8) maintains a temporary whitelist of positive decisions.
+Once an SMTP client is whitelisted, it is immediately forwarded to
+a real Postfix SMTP server process without further checking.
+
+By default, the program logs only statistics, and it does not run
+any checks on clients in mynetworks (primarily, to avoid problems
+with buggy SMTP implementations in network appliances). The logging
+function alone is already useful for research.
+
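Review bot: In "Major changes - tls support", the first [Incompat 20110102] entry describes the Postfix SMTP server but names smtp_sasl_tls_security_options and smtp_sasl_security_options, which are SMTP client parameters; the server-side names are smtpd_sasl_tls_security_options and smtpd_sasl_security_options, and those are presumably what is meant here. Two smaller points in the postscreen section: "the built-in SMTP engine cannot not hand off the "live" connection" has a doubled "not", and the postscreen_cache_retention_time default is given as 7d in [Incompat 20100912] but as "default: 1d" in the older [Feature 20100101] entry further down. A short "(later changed to 7d)" in the older entry would help readers who miss the reverse chronological ordering.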
diff --git a/RELEASE_NOTES-2.9 b/RELEASE_NOTES-2.9
new file mode 100644
index 0000000..e30a34d
--- /dev/null
+++ b/RELEASE_NOTES-2.9
@@ -0,0 +1,352 @@
+The stable Postfix release is called postfix-2.9.x where 2=major
+release number, 9=minor release number, x=patchlevel. The stable
+release never changes except for patches that address bugs or
+emergencies. Patches change the patchlevel and the release date.
+
+New features are developed in snapshot releases. These are called
+postfix-2.10-yyyymmdd where yyyymmdd is the release date (yyyy=year,
+mm=month, dd=day). Patches are never issued for snapshot releases;
+instead, a new snapshot is released.
+
+The mail_release_date configuration parameter (format: yyyymmdd)
+specifies the release date of a stable release or snapshot release.
+
+If you upgrade from Postfix 2.7 or earlier, read RELEASE_NOTES-2.8
+before proceeding.
+
+Major changes - critical
+------------------------
+
+[Incompat 20110321] You need to "postfix reload" after upgrade from
+snapshot 20110320 or earlier. The hash_queue_names algorithm was
+changed to provide better performance with long queue IDs.
+
+[Incompat 20110313] Use "postfix reload" after "make upgrade" on a
+running Postfix system. This is needed because the protocol between
+postscreen(8) and dnsblog(8) has changed.
+
+Major changes - library API
+---------------------------
+
+[Incompat 20110130] The VSTREAM error flags are now split into
+separate read and write error flags. As a result of this change,
+all programs that use Postfix VSTREAMs MUST be recompiled.
+
+Major changes - compatibility
+-----------------------------
+
+[Incompat 20111012] For consistency with the SMTP standard, the
+(client-side) smtp_line_length_limit default value was increased
+from 990 characters to 999 (i.e. 1000 characters including <CR><LF>).
+Specify "smtp_line_length_limit = 990" to restore historical Postfix
+behavior.
+
+[Incompat 20111012] To simplify integration with third-party
+applications, the Postfix sendmail command now always transforms
+all input lines ending in <CR><LF> into UNIX format (lines ending
+in <LF>). Specify "sendmail_fix_line_endings = strict" to restore
+historical Postfix behavior (i.e. convert all input lines ending
+in <CR><LF> only if the first line ends in <CR><LF>).
+
+[Incompat 20111106] To work around broken remote SMTP servers, the
+Postfix SMTP client by default no longer appends the "AUTH=<>"
+option to the MAIL FROM command. Specify "smtp_send_dummy_mail_auth
+= yes" to restore the old behavior.
+
+Major changes - gradual degradation
+-----------------------------------
+
+[Incompat 20120114] Logfile-based alerting systems may need to be
+updated to look for "error" messages in addition to "fatal" messages.
+Specify "daemon_table_open_error_is_fatal = yes" to get the historical
+behavior (immediate termination with "fatal" message).
+
+[Feature 20120114] Instead of terminating immediately with a "fatal"
+message when a database file can't be opened, a Postfix daemon
+program now logs an "error" message, and continues execution with
+reduced functionality. For the sake of sanity, the number of
+"errors" over the life of a process is limited to 13.
+
+Features that don't depend on the unavailable table will continue
+to work; attempts to use features that depend on the table will
+fail, and will be logged with a "warning" message.
+
+[Feature 20120108] Instead of terminating with a fatal error, the
+LDAP, *SQL and memcache clients now handle table lookup errors in
+the "domain" feature, instead of terminating with a fatal error.
+
+[Feature 20120102] Degrade gradually when some or all network
+protocols specified with inet_protocols are unavailable, instead
+of terminating with a fatal error. This eliminates build errors on
+non-standard systems where opening an IPv4 socket results in an
+error, and on non-standard systems where opening an IPv6 socket
+results in an error. In the worst case, the master daemon will log
+a message that it disables all type "inet" services. This will still
+allow local submission and local delivery.
+
+[Feature 20111222] Instead of terminating with a fatal error, the
+Postfix SMTP server now handles errors with database lookups in
+mynetworks, TLS client certificate tables, debug_peer_list,
+smtpd_client_event_limit_exceptions, permit_mx_backup_networks and
+local_header_rewrite_clients, and reports "server local data error"
+or "temporary lookup error".
+
+[Feature 20111229] Instead of terminating with a fatal error, the
+trivial-rewrite server now handles errors with database lookups in
+virtual_alias_domains, relay_domains, virtual_mailbox_domains. This
+means fewer occasions where trivial-rewrite clients (such as the
+SMTP server) will appear to hang.
+
+Major changes - long queue IDs
+------------------------------
+
+Postfix 2.9 introduces support for non-repeating queue IDs (also
+used as queue file names). These names are encoded in a mix of upper
+case, lower case and decimal digit characters. Long queue IDs are
+disabled by default to avoid breaking tools that parse logfiles and
+that expect queue IDs with the smaller [A-F0-9] character set.
+
+[Incompat 20110320] If you enable support for long queue file names,
+you need to be aware that these file names are not compatible with
+Postfix <= 2.8. If you must migrate back to Postfix <= 2.8, you
+must first convert all long queue file names into short names,
+otherwise the old Postfix version will complain.
+
+The conversion procedure before migration to Postfix <= 2.8 is:
+
+ # postfix stop
+ # postconf enable_long_queue_ids=no
+ # postsuper
+
+Run the postsuper command repeatedly until it no longer reports
+queue file name changes.
+
+[Feature 20110320] Support for long, non-repeating, queue IDs (queue
+file names). The benefit of non-repeating names is simpler logfile
+analysis, and easier queue migration (if you don't merge different
+queues, there is no need to run "postsuper" to change queue file
+names that don't match their message file inode number).
+
+Specify "enable_long_queue_ids = yes" to enable the feature. This
+does not change the names of existing queue files. See postconf(5)
+or postconf.5.html#enable_long_queue_ids for a detailed description
+of the differences with the old short queue IDs.
+
+This changes new Postfix queue IDs from the short form 0FCEE9247A9
+into the longer form 3Ps0FS1Zhtz1PFjb, and changes new Message-ID
+header values from YYMMDDHHMMSS.queueid@myhostname into the shorter
+form queueid@myhostname.
+
+Major changes - memcache
+------------------------
+
+[Feature 20111209] memcache lookup and update support. This provides
+a way to share postscreen(8) or verify(8) caches between Postfix
+instances. See MEMCACHE_README and memcache_table(5) for details
+and limitations.
+
+[Feature 20111213] Support for a persistent backup database in the
+memcache client. The memcache client updates the memcache whenever
+it looks up or modifies information in the persistent database.
+
+Major changes - postconf
+------------------------
+
+The postconf command was restructured - it now warns about unused
+parameter name=value settings in main.cf or master.cf (likely to
+be mistakes), it now understands "dynamic" parameter names such as
+parameters whose name depends on the name of a master.cf entry, and
+it can display main.cf and master.cf in a more user-friendly format.
+
+[Feature 20120117] support for legacy database parameter names
+(main.cf parameter names that are generated by prepending a suffix
+to the database name).
+
+[Feature 20111118] The "postconf -M" (display master.cf) command
+now supports filtering. For example, specify "postconf -M inet"
+to display only services that listen on the network.
+
+[Feature 20111113] postconf support to warn about unused "name=value"
+entries in main.cf, and about unused "-o name=value" entries in
+master.cf. This should help to eliminate common errors with mis-typed
+names.
+
+[Feature 20111108] postconf support for parameter names that are
+generated automatically from master.cf entries (delivery agents,
+spawn services), and for parameter names that are defined with
+main.cf smtpd_restriction_classes.
+
+[Feature 20111106] "postconf -M" support to print master.cf entries,
+and "postconf -f" support to fold long main.cf or master.cf lines
+for human readability.
+
+Major changes - trickle defense
+-------------------------------
+
+[Feature 20110212] Support for per-record deadlines. These change
+the behavior of Postfix timeout parameters, from a time limit per
+read or write system call, to a time limit to send or receive a
+complete record (an SMTP command line, SMTP response line, SMTP
+message content line, or TLS protocol message). This limits the
+impact from hostile peers that trickle data one byte at a time.
+
+The new configuration parameters and their default settings are:
+smtpd_per_record_deadline (normal: no, overload: yes),
+smtp_per_record_deadline (no), and lmtp_per_record_deadline (no).
+
+Note: when per-record deadlines are enabled, a short time limit may
+cause problems with TLS over very slow network connections. The
+reason is that a TLS protocol message can be up to 16 kbytes long
+(with TLSv1), and that an entire TLS protocol message must be sent
+or received within the per-record deadline.
+
+Per-record deadlines were introduced with postscreen(8) in Postfix
+2.8. This program does not receive mail, and therefore it has no
+problems with TLS over slow connections.
+
+Major changes - postscreen
+--------------------------
+
+[Feature 20111211] The proxymap(8) server can now be used to share
+postscreen(8) or verify(8) caches between Postfix instances. Support
+for proxymap-over-TCP, to share a Postfix database between hosts,
+is expected to be completed in the Postfix 2.10 development cycle.
+
+[Feature 20111209] memcache lookup and update support. This provides
+a way to share postscreen(8) or verify(8) caches between Postfix
+instances.
+
+[Feature 20110228] postscreen(8) support to force remote SMTP clients
+to implement proper MX lookup policy. By listening on both primary
+and backup MX addresses, postscreen(8) can deny the temporary
+whitelist status to clients that connect only to backup MX hosts,
+and prevent them from talking to a Postfix SMTP server process.
+
+Example: when 1.2.3.4 is a local backup IP address, specify
+"postscreen_whitelist_interfaces = !1.2.3.4 static:all".
+
+Major changes - tls
+-------------------
+
+[Incompat 20111205] Postfix now logs the result of successful TLS
+negotiation with TLS logging levels of 0. See the smtp_tls_loglevel
+and smtpd_tls_loglevel descriptions in the postconf(5) manpage for
+other minor differences.
+
+[Feature 20111205] Support for TLS public key fingerprint matching
+in the Postfix SMTP client (in smtp_tls_policy_maps) and server (in
+check_ccert access maps). Public key fingerprints are inherently
+more specific than fingerprints over the entire certificate.
+
+[Feature 20111205] Revision of Postfix TLS logging. The main
+difference is that Postfix now logs the result of successful TLS
+negotiation with TLS logging levels of 0. See the smtp_tls_loglevel
+and smtpd_tls_loglevel descriptions in the postconf(5) manpage for
+other minor differences.
+
+Major changes - sasl authentication
+-----------------------------------
+
+[Incompat 20111218] To support external SASL authentication, e.g.,
+in an NGINX proxy daemon, the Postfix SMTP server now always checks
+the smtpd_sender_login_maps table, even without having
+"smtpd_sasl_auth_enable = yes" in main.cf.
+
+[Feature 20111218] Support for external SASL authentication via the
+XCLIENT command. This is used to accept SASL authentication from
+an SMTP proxy such as NGINX. This support works even without having
+to specify "smtpd_sasl_auth_enable = yes" in main.cf.
+
+[Incompat 20111106] To work around broken remote SMTP servers, the
+Postfix SMTP client by default no longer appends the "AUTH=<>"
+option to the MAIL FROM command. Specify "smtp_send_dummy_mail_auth
+= yes" to restore the old behavior.
+
+Major changes - large file support
+----------------------------------
+
+[Feature 20110219] Postfix now uses long integers for message_size_limit,
+mailbox_size_limit and virtual_mailbox_limit. On LP64 systems (64-bit
+long and pointer, but 32-bit integer), these limits can now exceed
+2GB.
+
+Major changes - ipv6
+--------------------
+
+[Incompat 20110918] The following changes were made in default
+settings, in preparation for general availability of IPv6:
+
+- The default inet_protocols value is now "all" instead of "ipv4",
+ meaning use both IPv4 and IPv6.
+
+ To avoid an unexpected loss of performance for sites without
+ global IPv6 connectivity, the commands "make upgrade" and "postfix
+ upgrade-configuration" now append "inet_protocols = ipv4" to
+ main.cf when no explicit inet_protocols setting is already present.
+ This workaround will be removed in a future release.
+
+- The default smtp_address_preference value is now "any" instead
+ of "ipv6", meaning choose randomly between IPv6 and IPv4. With
+ this the Postfix SMTP client will have more success delivering
+ mail to sites that have problematic IPv6 configurations.
+
+Major changes - address verification
+------------------------------------
+
+[Feature 20111211] The proxymap(8) server can now be used to share
+postscreen(8) or verify(8) caches between Postfix instances. Support
+for proxymap-over-TCP, to share a Postfix database between hosts,
+is expected to be completed in the Postfix 2.10 development cycle.
+
+[Feature 20111209] memcache lookup and update support. This provides
+a way to share postscreen(8) or verify(8) caches between Postfix
+instances.
+
+[Feature 20111203] Support for time-dependent sender addresses
+of address verification probes. The default address, double-bounce,
+may end up on spammer blacklists. Although Postfix discards mail
+for this address, such mail still uses up network bandwidth and
+server resources. Specify an address_verify_sender_ttl value of
+several hours or more to frustrate address harvesting.
+
+Major changes - session transcript notification
+-----------------------------------------------
+
+[Incompat 20120114] By default the Postfix SMTP server no longer
+reports transcripts of sessions where a client command is rejected
+because a lookup table is unavailable. Postfix now implements gradual
+degradation, for example, the SMTP server keeps running instead of
+terminating with a fatal error. This change in error handling would
+result in a very large number of "transcript of session" email
+notifications when an LDAP or *SQL server goes down).
+
+To receive such reports, add the new "data" class to the notify_classes
+parameter value. The reports will be sent to the error_notice_recipient
+address as before. This class is also used by the Postfix SMTP
+client to report about sessions that fail because a table is
+unavailable.
+
+Major changes - logging
+----------------------------------------
+
+[Incompat 20120114] Logfile-based alerting systems may need to be
+updated to look for "error" messages in addition to "fatal" messages.
+Specify "daemon_table_open_error_is_fatal = yes" to get the historical
+behavior (immediate termination with "fatal" message).
+
+[Incompat 20111214] Logfile-based analysis tools may need to be
+updated. The submission and smtps examples in the sample master.cf
+file were updated to make their logging easier to distinguish.
+
+See the source file pflogsumm_quickfix.txt for a "quick fix".
+
+[Incompat 20111205] Postfix now logs the result of successful TLS
+negotiation with TLS logging levels of 0. See the smtp_tls_loglevel
+and smtpd_tls_loglevel descriptions in the postconf(5) manpage for
+other minor differences.
+
+[Incompat 20110219] The Postfix SMTP and QMQP servers now log
+"hostname X does not resolve to address Y", when a "reverse hostname"
+lookup result does not resolve to the client IP address. Until now
+these servers logged "Y: hostname X verification failed" or "Y:
+address not listed for hostname X" which people found confusing.
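Review bot: The [Feature 20111218] entry under "Major changes - sasl authentication" says SASL authentication passed in through XCLIENT is accepted even without "smtpd_sasl_auth_enable = yes", but it does not say which clients are allowed to send XCLIENT. A one-line pointer to smtpd_authorized_xclient_hosts would make it clear that only the trusted proxy should be permitted. Two smaller points in the same hunk: the sentence ending "when an LDAP or *SQL server goes down)." has a closing parenthesis with no matching opening one, and the underline beneath "Major changes - logging" is longer than its heading, unlike the other section headings here.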
diff --git a/RELEASE_NOTES-3.0 b/RELEASE_NOTES-3.0
new file mode 100644
index 0000000..62ee5e3
--- /dev/null
+++ b/RELEASE_NOTES-3.0
@@ -0,0 +1,628 @@
+The stable Postfix release is called postfix-3.0.x where 3=major
+release number, 0=minor release number, x=patchlevel. The stable
+release never changes except for patches that address bugs or
+emergencies. Patches change the patchlevel and the release date.
+
+New features are developed in snapshot releases. These are called
+postfix-3.1-yyyymmdd where yyyymmdd is the release date (yyyy=year,
+mm=month, dd=day). Patches are never issued for snapshot releases;
+instead, a new snapshot is released.
+
+The mail_release_date configuration parameter (format: yyyymmdd)
+specifies the release date of a stable release or snapshot release.
+
+If you upgrade from Postfix 2.10 or earlier, read RELEASE_NOTES-2.11
+before proceeding.
+
+Notes for distribution maintainers
+----------------------------------
+
+* New backwards-compatibility safety net.
+
+With NEW Postfix installs, you MUST install a main.cf file with
+the setting "compatibility_level = 2". See conf/main.cf for an
+example.
+
+With UPGRADES of existing Postfix systems, you MUST NOT change the
+main.cf compatibility_level setting, nor add this setting if it
+does not exist.
+
+Several Postfix default settings have changed with Postfix 3.0. To
+avoid massive frustration with existing Postfix installations,
+Postfix 3.0 comes with a safety net that forces Postfix to keep
+running with backwards-compatible main.cf and master.cf default
+settings. This safety net depends on the main.cf compatibility_level
+setting (default: 0). Details are in COMPATIBILITY_README.
+
+* New Postfix build system.
+
+The Postfix build/install procedure has changed to support Postfix
+dynamically-linked libraries and database plugins. These must not
+be "shared" with non-Postfix programs, and therefore must not be
+installed in a public directory.
+
+To avoid massive frustration due to broken patches, PLEASE BUILD
+POSTFIX FIRST WITHOUT APPLYING ANY PATCHES. Follow the INSTALL
+instructions (see "Building with Postfix dynamically-linked libraries
+and database plugins"), and see how things work and what the
+dynamically-linked libraries, database plugin, and configuration
+files look like. Then, go ahead and perform your platform-specific
+customizations. The INSTALL section "Tips for distribution maintainers"
+has further suggestions.
+
+Major changes - critical
+------------------------
+
+[Incompat 20140714] After upgrading Postfix, "postfix reload" (or
+start/stop) is required. Several Postfix-internal protocols have
+been extended to support SMTPUTF8. Failure to reload or restart
+will result in mail staying queued, while Postfix daemons log
+warning messages about unexpected attributes.
+
+Major changes - default settings
+--------------------------------
+
+[Incompat 20141009] The default settings have changed for relay_domains
+(new: empty, old: $mydestination) and mynetworks_style (new: host,
+old: subnet). However the backwards-compatibility safety net will
+prevent these changes from taking effect, giving the system
+administrator the option to make an old default setting permanent
+in main.cf or to adopt the new default setting, before turning off
+backwards compatibility. See COMPATIBILITY_README for details.
+
+[Incompat 20141001] A new backwards-compatibility safety net forces
+Postfix to run with backwards-compatible main.cf and master.cf
+default settings after an upgrade to a newer but incompatible Postfix
+version. See COMPATIBILITY_README for details.
+
+While the backwards-compatible default settings are in effect,
+Postfix logs what services or what email would be affected by the
+incompatible change. Based on this the administrator can make some
+backwards-compatibility settings permanent in main.cf or master.cf,
+before turning off backwards compatibility.
+
+See postconf.5.html#compatibility_level for details.
+
+[Incompat 20141001] The default settings
+have changed for append_dot_mydomain (new: no. old: yes), master.cf
+chroot (new: n, old: y), and smtputf8 (new: yes, old: no).
+
+Major changes - access control
+------------------------------
+
+[Feature 20141119] Support for BCC actions in header/body_checks
+and milter_header_checks. There is no limit on the number of BCC
+actions that may be specified, other than the implicit limit due
+to finite storage. BCC support will not be implemented in Postfix
+delivery agent header/body_checks.
+
+It works in the same way as always_bcc and sender/recipient_bcc_maps:
+there can be only one address per action, recipients are added with
+the NOTIFY=NONE delivery status notification option, and duplicate
+recipients are ignored (with the same delivery status notification
+options).
+
+[Incompat 20141009] The default settings have changed for relay_domains
+(new: empty, old: $mydestination) and mynetworks_style (new: host,
+old: subnet). However the backwards-compatibility safety net will
+prevent these changes from taking effect, giving the system
+administrator the option to make an old default setting permanent
+in main.cf or to adopt the new default setting, before turning off
+backwards compatibility. See COMPATIBILITY_README for details.
+
+[Feature 20140618] New INFO action in access(5) tables, for consistency
+with header/body_checks.
+
+[Feature 20140620] New check_xxx_a_access (for xxx in client,
+reverse_client, helo, sender, recipient) implements access control
+on all A and AAAA IP addresses for respectively the client hostname,
+helo parameter, sender domain or recipient domain. This complements
+the existing check_xxx_mx_access and check_xxx_ns_access features.
+
+Major changes - address rewriting
+---------------------------------
+
+[Incompat 20141001] The default settings have changed for
+append_dot_mydomain (new: no. old: yes), master.cf chroot (new:
+n, old: y), and smtputf8 (new: yes, old: no).
+
+Major changes - address verification
+------------------------------------
+
+[Feature 20141227] The new smtp_address_verify_target parameter
+(default: rcpt) specifies what protocol stage decides if a recipient
+is valid. Specify "data" for servers that reject invalid recipients
+in response to the DATA command.
+
+Major changes - database support
+--------------------------------
+
+[Feature 20140512] Support for Berkeley DB version 6.
+
+[Feature 20140618] The "randmap" lookup table performs random
+selection. This may be used to implement load balancing, for example:
+
+/etc/postfix/transport:
+ # Deliver my own domain as usual.
+ example.com :
+ .example.com :
+
+/etc/postfix/main.cf:
+ transport_maps =
+ # Deliver my own domain as usual.
+ hash:/etc/postfix/transport
+ # Deliver other domains via randomly-selected relayhosts
+ randmap:{smtp:smtp0.example.com, smtp:smtp1.example.com}
+
+A variant of this can randomly select SMTP clients with different
+smtp_bind_address settings.
+
+To implement different weights, specify lookup results multiple
+times. For example, to choose smtp:smtp1.example.com twice as often
+as smtp:smtp0.example.com, specify smtp:smtp1.example.com twice.
+
+A future version may support randmap:/path/to/file to load a list
+of results from file.
+
+[Feature 20140618] As the name suggests, the "pipemap" table
+implements a pipeline of lookup tables. The name of the table
+specifies the pipeline as a sequence of tables. For example, the
+following prevents SMTP mail to system accounts that have "nologin"
+as their login shell:
+
+ /etc/postfix/main.cf:
+ local_recipient_maps =
+ pipemap:{unix:passwd.byname, pcre:/etc/postfix/no-nologin.pcre}
+ alias_maps
+
+ /etc/postfix/no-nologin.pcre:
+ !/nologin/ whatever
+
+Each "pipemap:" query is given to the first table. Each table
+lookup result becomes the query for the next table in the pipeline,
+and the last table produces the final result. When any table lookup
+produces no result, the entire pipeline produces no result.
+
+A future version may support pipemap:/path/to/file to load a list
+of lookup tables from file.
+
+[Feature 20140924] Support for unionmap, with the same syntax as
+pipemap. This sends a query to all tables, and concatenates non-empty
+results, separated by comma.
+
+[Feature 20131121] The "static" lookup table now supports whitespace
+when invoked as "static:{ text with whitespace }", so that it can
+be used, for example, at the end of smtpd_mumble_restrictions as
+"check_mumble_access static:{reject text...}".
+
+[Feature 20141126] "inline:{key=value, { key = text with comma/space}}"
+avoids the need to create a database for just a few entries.
+
+Major changes - delivery status notifications
+---------------------------------------------
+
+[Feature 20140321] Delivery status filter support, to replace the
+delivery status codes and explanatory text of successful or
+unsuccessful deliveries by Postfix mail delivery agents.
+
+This was originally implemented for sites that want to turn certain
+soft delivery errors into hard delivery errors, but it can also be
+used to censor out information from delivery confirmation reports.
+
+This feature is implemented as a filter that replaces the three-number
+enhanced status code and descriptive text in Postfix delivery agent
+success, bounce, or defer messages. Note: this will not override
+"soft_bounce=yes", and this will not change a successful delivery
+status into an unsuccessful status or vice versa.
+
+The first example turns specific soft TLS errors into hard
+errors, by overriding the first number in the enhanced status code.
+
+/etc/postfix/main.cf:
+ smtp_delivery_status_filter = pcre:/etc/postfix/smtp_dsn_filter
+
+/etc/postfix/smtp_dsn_filter:
+ /^4(\.\d+\.\d+ TLS is required, but host \S+ refused to start TLS: .+)/ 5$1
+ /^4(\.\d+\.\d+ TLS is required, but was not offered by host .+)/ 5$1
+
+The second example removes the destination command name and file
+name from local(8) successful delivery reports, so that they will
+not be reported when a sender requests confirmation of delivery.
+
+/etc/postfix/main.cf:
+ local_delivery_status_filter = pcre:/etc/postfix/local_dsn_filter
+
+/etc/postfix/local_dsn_filter:
+ /^(2\S+ delivered to file).+/ $1
+ /^(2\S+ delivered to command).+/ $1
+
+This feature is supported in the lmtp(8), local(8), pipe(8), smtp(8)
+and virtual(8) delivery agents. That is, all delivery agents that
+actually deliver mail. It will not be implemented in the error and
+retry pseudo-delivery agents.
+
+The new main.cf parameters and default values are:
+
+ default_delivery_status_filter =
+ lmtp_delivery_status_filter = $default_delivery_status_filter
+ local_delivery_status_filter = $default_delivery_status_filter
+ pipe_delivery_status_filter = $default_delivery_status_filter
+ smtp_delivery_status_filter = $default_delivery_status_filter
+ virtual_delivery_status_filter = $default_delivery_status_filter
+
+See the postconf(5) manpage for more details.
+
+[Incompat 20140618] The pipe(8) delivery agent will now log a limited
+amount of command output upon successful delivery, and will report
+that output in "SUCCESS" delivery status reports. This is another
+good reason to disable inbound DSN requests at the Internet perimeter.
+
+[Feature 20140907] With "confirm_delay_cleared = yes", Postfix
+informs the sender when delayed mail leaves the queue (this is in
+addition to the delay_warning_time feature that warns when mail is
+still queued). This feature is disabled by default, because it can
+result in a sudden burst of notifications when the queue drains at
+the end of a prolonged network outage.
+
+Major changes - dns
+-------------------
+
+[Feature 20141128] Support for DNS server reply filters in the
+Postfix SMTP/LMTP client and SMTP server. This helps to work around
+mail delivery problems with sites that have incorrect DNS information.
+Note: this has no effect on the implicit DNS lookups that are made
+by nsswitch.conf or equivalent mechanisms.
+
+This feature renders each lookup result as one line of text in
+standard zone-file format as shown below. The class field is always
+"IN", the preference field exists only for MX records, the names
+of hosts, domains, etc. end in ".", and those names are in ASCII
+form (xn--mumble form for internationalized domain names).
+
+ name ttl class type preference value
+ ---------------------------------------------------------
+ postfix.org. 86400 IN MX 10 mail.cloud9.net.
+
+Typically, one would match this text with a regexp: or pcre: table.
+When a match is found, the table lookup result specifies an action.
+By default, the table query and the action name are case-insensitive.
+Currently, only the IGNORE action is implemented.
+
+For safety reasons, Postfix logs a warning or defers mail delivery
+when a DNS reply filter removes all lookup results from a successful
+query.
+
+The Postfix SMTP/LMTP client uses the smtp_dns_reply_filter and
+lmtp_dns_reply_filter features only for Postfix SMTP client lookups
+of MX, A, and AAAAA records to locate a remote SMTP or LMTP server,
+including lookups that implement the features reject_unverified_sender
+and reject_unverified_recipient. The filters are not used for lookups
+made through nsswitch.conf and similar mechanisms.
+
+The Postfix SMTP server uses the smtpd_dns_reply_filter feature
+only for Postfix SMTP server lookups of MX, A, AAAAA, and TXT records
+to implement the features reject_unknown_helo_hostname,
+reject_unknown_sender_domain, reject_unknown_recipient_domain,
+reject_rbl_*, and reject_rhsbl_*. The filter is not used for lookups
+made through nsswitch.conf and similar mechanisms, such as lookups
+of the remote SMTP client name.
+
+[Feature 20141126] Nullmx support (MX records with a null hostname).
+This change affects error messages only. The Postfix SMTP client
+already bounced mail for such domains, and the Postfix SMTP server
+already rejected such domains with reject_unknown_sender/recipient_domain.
+This feature introduces a new SMTP server configuration parameter
+nullmx_reject_code (default: 556).
+
+Major changes - dynamic linking
+-------------------------------
+
+[Feature 20140530] Support to build Postfix with Postfix
+dynamically-linked libraries, and with dynamically-loadable database
+clients. These MUST NOT be used by non-Postfix programs. Postfix
+dynamically-linked libraries introduce minor runtime overhead and
+result in smaller Postfix executable files. Dynamically-loadable
+database clients are useful when you distribute or install pre-compiled
+packages. Postfix 3.0 supports dynamic loading for CDB, LDAP, LMDB,
+MYSQL, PCRE, PGSQL, SDBM, and SQLITE database clients.
+
+This implementation is based on Debian code by LaMont Jones, initially
+ported by Viktor Dukhovni. Currently, support exists for recent
+versions of Linux, FreeBSD, MacOS X, and for the ancient Solaris 9.
+
+To support Postfix dynamically-linked libraries and dynamically-loadable
+database clients, the Postfix build procedure had to be changed
+(specifically, the files makedefs and Makefile.in, and the files
+postfix-install and post-install that install or update Postfix).
+
+[Incompat 20140530] The Postfix 3.0 build procedure expects that
+you specify database library dependencies with variables named
+AUXLIBS_CDB, AUXLIBS_LDAP, etc. With Postfix 3.0 and later, the
+old AUXLIBS variable still supports building a statically-loaded
+CDB etc. database client, but only the new AUXLIBS_CDB etc. variables
+support building a dynamically-loaded or statically-loaded CDB etc.
+database client. See CDB_README, LDAP_README, etc. for details.
+
+Failure to follow this advice will defeat the purpose of dynamic
+database client loading. Every Postfix executable file will have
+database library dependencies. And that was exactly what dynamic
+database client loading was meant to avoid.
+
+Major changes - future proofing
+-------------------------------
+
+[Cleanup 20141224] The changes described here have no visible effect
+on Postfix behavior, but they make Postfix code easier to maintain,
+and therefore make new functionality easier to add.
+
+* Compile-time argument typechecks of non-printf/scanf-like variadic
+ function argument lists.
+
+* Deprecating the use of "char *" for non-text purposes such as
+ memory allocation and pointers to application context for call-back
+ functions. This dates from long-past days before void * became
+ universally available.
+
+* Replace integer types for counters and sizes with size_t or ssize_t
+ equivalents. This eliminates some wasteful 64<->32bit conversions
+ on 64-bit systems.
+
+Major changes - installation pathnames
+--------------------------------------
+
+[Incompat 20140625] For compliance with file system policies, some
+non-executable files have been moved from $daemon_directory to the
+directory specified with the new meta_directory configuration
+parameter which has the same default value as the config_directory
+parameter. This change affects non-executable files that are shared
+between multiple Postfix instances such as postfix-files, dynamicmaps.cf,
+and multi-instance template files.
+
+For backwards compatibility with Postfix 2.6 .. 2.11, specify
+"meta_directory = $daemon_directory" in main.cf before installing
+or upgrading Postfix, or specify "meta_directory = /path/name" on
+the "make makefiles", "make install" or "make upgrade" command line.
+
+Major changes - milter
+----------------------
+
+[Feature 20140928] Support for per-Milter settings that override
+main.cf parameters. For details see the section "Advanced policy
+client configuration" in the SMTPD_POLICY_README document.
+
+Here is an example that uses both old and new syntax:
+
+ smtpd_milters = { inet:127.0.0.1:port1, default_action=accept, ... },
+ inet:127.0.0.1:port2, ...
+
+The supported attribute names are: command_timeout, connect_timeout,
+content_timeout, default_action, and protocol. These have the same
+names as the corresponding main.cf parameters, without the "milter_"
+prefix.
+
+The per-milter settings are specified as attribute=value pairs
+separated by comma or space; specify { name = value } to allow
+spaces around the "=" or within an attribute value.
+
+[Feature 20141018] DMARC compatibility: when a Milter inserts a
+header ABOVE Postfix's own Received: header, Postfix no longer
+exposes its own Received: header to Milters (violating protocol)
+and Postfix no longer hides the Milter-inserted header from Milters
+(wtf).
+
+Major changes - parameter syntax
+--------------------------------
+
+[Feature 20140921] In preparation for configurable mail headers and
+logging, new main.cf support for if-then-else expressions:
+
+ ${name?{text1}:{text2}}
+
+and for logical expressions:
+
+ ${{text1}=={text2}?{text3}:{text4}}
+ ${{text1}!={text2}?{text3}:{text4}}
+
+Whitespace before and after {text} is ignored. This can help to
+make complex expressions more readable. See the postconf(5) manpage
+for further details.
+
+[Feature 20140928] Support for whitespace in daemon command-line
+arguments. For details, see the "Command name + arguments" section
+in the master(5) manpage. Example:
+
+ smtpd -o { parameter = value containing whitespace } ...
+
+The { ... } form is also available for non-option command-line
+arguments in master.cf, for example:
+
+ pipe ... argv=command { argument containing whitespace } ...
+
+In both cases, whitespace immediately after "{" and before "}"
+is ignored.
+
+[Feature 20141005] Postfix import_environment and export_environment
+now allow "{ name=value }" to protect whitespace in attribute values.
+
+[Feature 20141006] The new message_drop_header parameter replaces
+a hard-coded table that specifies what message headers the cleanup
+daemon will remove. The list of supported header names covers RFC
+5321, 5322, MIME RFCs, and some historical names.
+
+Major changes - pipe daemon
+---------------------------
+
+[Incompat 20140618] The pipe(8) delivery agent will now log a limited
+amount of command output upon successful delivery, and will report
+that output in "SUCCESS" delivery status reports. This is another
+good reason to disable inbound DSN requests at the Internet perimeter.
+
+Major changes - policy client
+-----------------------------
+
+[Feature 20140703] This release introduces three new configuration
+parameters that control error recovery for failed SMTPD policy
+requests.
+
+ * smtpd_policy_service_default_action (default: 451 4.3.5 Server
+ configuration problem): The default action when an SMTPD policy
+ service request fails.
+
+ * smtpd_policy_service_try_limit (default: 2): The maximal number
+ of attempts to send an SMTPD policy service request before
+ giving up. This must be a number greater than zero.
+
+ * smtpd_policy_service_retry_delay (default: 1s): The delay between
+ attempts to resend a failed SMTPD policy service request. This
+ must be a number greater than zero.
+
+See postconf(5) for details and limitations.
+
+[Feature 20140928] Support for per-policy service settings that
+override main.cf parameters. For details see the section "Different
+settings for different Milter applications" in the MILTER_README
+document.
+
+Here is an example that uses both old and new syntax:
+
+smtpd_recipient_restrictions = ...
+ check_policy_service { inet:127.0.0.1:port3, default_action=DUNNO }
+ check_policy_service inet:127.0.0.1:port4
+ ...
+
+The per-policy service settings are specified as attribute=value pairs
+separated by comma or space; specify { name = value } to allow
+spaces around the "=" or within an attribute value.
+
+The supported attribute names are: default_action, max_idle, max_ttl,
+request_limit, retry_delay, timeout, try_limit. These have the same
+names as the corresponding main.cf parameters, without the
+"smtpd_policy_service_" prefix.
+
+[Feature 20140505] A client port attribute was added to the policy
+delegation protocol.
+
+[Feature 20140630] New smtpd_policy_service_request_limit feature to
+limit the number of requests per Postfix SMTP server policy connection.
+This is a workaround to avoid error-recovery delays with policy
+servers that cannot maintain a persistent connection.
+
+Major changes - position-independent executables
+------------------------------------------------
+
+[Feature 20150205] Preliminary support for building position-independent
+executables (PIE), tested on Fedora Core 20, Ubuntu 14.04, FreeBSD
+9 and 10, and NetBSD 6. Specify:
+
+$ make makefiles pie=yes ...other arguments...
+
+On some systems, PIE is used by the ASLR exploit mitigation technique
+(ASLR = Address-Space Layout Randomization). Whether specifying
+"pie=yes" has any effect at all depends on the compiler. Reportedly,
+some compilers always produce PIE executables.
+
+Major changes - postscreen
+--------------------------
+
+[Feature 20140501] Configurable time limit (postscreen_dnsbl_timeout)
+for DNSBL or DNSWL lookups. This is separate from the timeouts in
+the dnsblog(8) daemon which are controlled by system resolver(3)
+routines.
+
+Major changes - session fingerprint
+-----------------------------------
+
+[Feature 20140801] The Postfix SMTP server now logs at the end of
+a session how many times an SMTP command was successfully invoked,
+followed by the total number of invocations if some invocations
+were unsuccessful.
+
+This logging will enough to diagnose many problems without using
+verbose logging or network sniffer.
+
+ Normal session, no TLS:
+ disconnect from name[addr] ehlo=1 mail=1 rcpt=1 data=1 quit=1
+
+ Normal session. with TLS:
+ disconnect from name[addr] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1
+
+ All recipients rejected, no ESMTP command pipelining:
+ disconnect from name[addr] ehlo=1 mail=1 rcpt=0/1 quit=1
+
+ All recipients rejected, with ESMTP command pipelining:
+ disconnect from name[addr] ehlo=1 mail=1 rcpt=0/1 data=0/1 rset=1 quit=1
+
+ Password guessing bot, hangs up without QUIT:
+ disconnect from name[addr] ehlo=1 auth=0/1
+
+ Mis-configured client trying to use TLS wrappermode on port 587:
+ disconnect from name[addr] unknown=0/1
+
+Logfile analyzers can trigger on the presence of "/". It indicates
+that Postfix rejected at least one command.
+
+[Feature 20150118] As a late addition, the SMTP server now also
+logs the total number of commands (as "commands=x/y") even when the
+client did not send any commands. This helps logfile analyzers to
+recognize sessions without commands.
+
+Major changes - smtp client
+---------------------------
+
+[Feature 20141227] The new smtp_address_verify_target parameter
+(default: rcpt) determines what protocol stage decides if a recipient
+is valid. Specify "data" for servers that reject recipients after
+the DATA command.
+
+Major changes - smtputf8
+------------------------
+
+[Incompat 20141001] The default settings have changed for
+append_dot_mydomain (new: no, old: yes), master.cf chroot (new:
+n, old: y), and smtputf8 (new: yes, old: no).
+
+[Incompat 20140714] After upgrading Postfix, "postfix reload" (or
+start/stop) is required. Several Postfix-internal protocols have
+been extended to support SMTPUTF8. Failure to reload or restart
+will result in mail staying queued, while Postfix daemons log
+warning messages about unexpected attributes.
+
+[Feature 20140715] Support for Email Address Internationalization
+(EAI) as defined in RFC 6531..6533. This supports UTF-8 in SMTP/LMTP
+sender addresses, recipient addresses, and message header values.
+The implementation is based on initial work by Arnt Gulbrandsen
+that was funded by CNNIC.
+
+See SMTPUTF8_README for a description of Postfix SMTPUTF8 support.
+
+[Feature 20150112] UTF-8 Casefolding support for Postfix lookup
+tables and matchlists (mydestination, relay_domains, etc.). This
+is enabled only with "smtpuf8 = yes".
+
+[Feature 20150112] With smtputf8_enable=yes, SMTP commands with
+UTF-8 syntax errors are rejected, table lookup results with invalid
+UTF-8 syntax are handled as configuration errors, and UTF-8 syntax
+errors in policy server replies result in execution of the policy
+server's default action.
+
+Major changes - tls support
+---------------------------
+
+(see "Major changes - delivery status notifications" above for
+turning 4XX soft errors into 5XX bounces when a remote SMTP server
+does not offer STARTTLS support).
+
+[Feature 20140209] the Postfix SMTP client now also falls back to
+plaintext when TLS fails AFTER the TLS protocol handshake.
+
+[Feature 20140218] The Postfix SMTP client now requires that a queue
+file is older than $minimal_backoff_time, before falling back from
+failed TLS to plaintext (both during or after the TLS handshake).
+
+[Feature 20141021] Per IETF TLS WG consensus, the tls_session_ticket_cipher
+default setting was changed from aes-128-cbc to aes-256-cbc.
+
+[Feature 20150116] TLS wrappermode support in the Postfix smtp(8)
+client (new smtp_tls_wrappermode parameter) and in posttls-finger(1)
+(new -w option). There still is life in that deprecated protocol,
+and people should not have to jump hoops with stunnel.
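Review bot: The two [Feature 20140928] entries point at each other's documentation. The per-Milter entry under "Major changes - milter" refers to "Advanced policy client configuration" in SMTPD_POLICY_README, while the per-policy service entry under "Major changes - policy client" refers to "Different settings for different Milter applications" in MILTER_README; the references should be swapped. Spelling to fix in the same file: "AAAAA" appears twice in the DNS reply filter text where the record type is AAAA, the casefolding entry says "smtpuf8 = yes" while the next entry uses "smtputf8_enable=yes", "This logging will enough" is missing "be", and "(new: no. old: yes)" and "Normal session. with TLS:" use a period where a comma is meant.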
diff --git a/RELEASE_NOTES-3.1 b/RELEASE_NOTES-3.1
new file mode 100644
index 0000000..aa2fbf2
--- /dev/null
+++ b/RELEASE_NOTES-3.1
@@ -0,0 +1,186 @@
+This is the Postfix 3.1 (stable) release.
+
+The stable Postfix release is called postfix-3.1.x where 3=major
+release number, 1=minor release number, x=patchlevel. The stable
+release never changes except for patches that address bugs or
+emergencies. Patches change the patchlevel and the release date.
+
+New features are developed in snapshot releases. These are called
+postfix-3.2-yyyymmdd where yyyymmdd is the release date (yyyy=year,
+mm=month, dd=day). Patches are never issued for snapshot releases;
+instead, a new snapshot is released.
+
+The mail_release_date configuration parameter (format: yyyymmdd)
+specifies the release date of a stable release or snapshot release.
+
+If you upgrade from Postfix 2.11 or earlier, read RELEASE_NOTES-3.0
+before proceeding.
+
+Major changes - address verification safety
+-------------------------------------------
+
+[Feature 20151227] The new address_verify_pending_request_limit
+parameter introduces a safety limit for the number of address
+verification probes in the active queue. The default limit is 1/4
+of the active queue maximum size. The queue manager enforces the
+limit by tempfailing probe messages that exceed the limit. This
+design avoids dependencies on global counters that get out of sync
+after a process or system crash.
+
+Tempfailing verify requests is not as bad as one might think. The
+Postfix verify cache proactively updates active addresses weeks
+before they expire. The address_verify_pending_request_limit affects
+only unknown addresses, and inactive addresses that have expired
+from the address verify cache (by default, after 31 days).
+
+Major changes - json support
+----------------------------
+
+[Feature 20151129] Machine-readable, JSON-formatted queue listing
+with "postqueue -j" (no "mailq" equivalent). The output is a stream
+of JSON objects, one per queue file. To simplify parsing, each
+JSON object is formatted as one text line followed by one newline
+character. See the postqueue(1) manpage for a detailed description
+of the output format.
+
+Major changes - milter support
+------------------------------
+
+[Feature 20150523] The milter_macro_defaults feature provides an
+optional list of macro name=value pairs. These specify default
+values for Milter macros when no value is available from the SMTP
+session context.
+
+For example, with "milter_macro_defaults = auth_type=TLS", the
+Postfix SMTP server will send an auth_type of "TLS" to a Milter,
+unless the remote client authenticates with SASL.
+
+This feature was originally implemented for a submission service
+that may authenticate clients with a TLS certificate, without having
+to make changes to the code that implements TLS support.
+
+Major changes - output rate control
+-----------------------------------
+
+[Feature 20150710] Destination-independent delivery rate delay
+
+Support to enforce a destination-independent delay between email
+deliveries. The following example inserts 20 seconds of delay
+between all deliveries with the SMTP transport, limiting the delivery
+rate to at most three messages per minute.
+
+/etc/postfix/main.cf:
+ smtp_transport_rate_delay = 20s
+
+For details, see the description of default_transport_rate_delay
+and transport_transport_rate_delay in the postconf(5) manpage.
+
+Major changes - postscreen dnsbl
+--------------------------------
+
+[Feature 20150710] postscreen support for the TTL of DNSBL and DNSWL
+lookup results
+
+Historically, the default setting "postscreen_dnsbl_ttl = 1h" assumes
+that a "not found" result from a DNSBL server will be valid for one
+hour. This may have been adequate five years ago when postscreen
+was first implemented, but nowadays, that one hour can result in
+missed opportunities to block new spambots.
+
+To address this, postscreen now respects the TTL of DNSBL "not
+found" replies, as well as the TTL of DNSWL replies (both "found"
+and "not found"). The TTL for a "not found" reply is determined
+according to RFC 2308 (the TTL of an SOA record in the reply).
+
+Support for DNSBL or DNSWL reply TTL values is controlled by two
+configuration parameters:
+
+postscreen_dnsbl_min_ttl (default: 60 seconds).
+
+ This parameter specifies a minimum for the amount of time that
+ a DNSBL or DNSWL result will be cached in the postscreen_cache_map.
+ This prevents an excessive number of postscreen cache updates
+ when a DNSBL or DNSWL server specifies a very small reply TTL.
+
+postscreen_dnsbl_max_ttl (default: $postscreen_dnsbl_ttl or 1 hour)
+
+ This parameter specifies a maximum for the amount of time that
+ a DNSBL or DNSWL result will be cached in the postscreen_cache_map.
+ This prevents cache pollution when a DNSBL or DNSWL server
+ specifies a very large reply TTL.
+
+The postscreen_dnsbl_ttl parameter is now obsolete, and has become
+the default value for the new postscreen_dnsbl_max_ttl parameter.
+
+Major changes - sasl auth safety
+--------------------------------
+
+[Feature 20151031] New "smtpd_client_auth_rate_limit" feature, to
+enforce an optional rate limit on AUTH commands per SMTP client IP
+address. Similar to other smtpd_client_*_rate_limit features, this
+enforces a limit on the number of requests per $anvil_rate_time_unit.
+
+Major changes - smtpd policy
+----------------------------
+
+[Feature 20150913] New SMTPD policy service attribute "policy_context",
+with a corresponding "smtpd_policy_service_policy_context" configuration
+parameter. Originally, this was implemented to share the same SMTPD
+policy service endpoint among multiple check_policy_service clients.
+
+Major changes - tls
+-------------------
+
+[Feature 20160207] A new "postfix tls" command to quickly enable
+opportunistic TLS in the Postfix SMTP client or server, and to
+manage SMTP server keys and certificates, including certificate
+signing requests and TLSA DNS records for DANE. See the postfix-tls(1)
+manpage for a detailed description.
+
+[Feature 20160103] The Postfix SMTP client by default enables DANE
+policies when an MX host has a (DNSSEC) secure TLSA DNS record,
+even if the MX DNS record was obtained with insecure lookups. The
+existence of a secure TLSA record implies that the host wants to
+talk TLS and not plaintext. For details see the
+smtp_tls_dane_insecure_mx_policy configuration parameter.
+
+[Incompat 20150721] As of the middle of 2015, all supported Postfix
+releases no longer enable "export" grade ciphers for opportunistic
+TLS, and no longer use the deprecated SSLv2 and SSLv3 protocols for
+mandatory or opportunistic TLS.
+
+These changes are very unlikely to cause problems with server-to-server
+communication over the Internet, but they may result in interoperability
+problems with ancient client or server implementations on internal
+networks. To address this problem, you can revert the changes with:
+
+Postfix SMTP client settings:
+
+ lmtp_tls_ciphers = export
+ smtp_tls_ciphers = export
+ lmtp_tls_protocols = !SSLv2
+ smtp_tls_protocols = !SSLv2
+ lmtp_tls_mandatory_protocols = !SSLv2
+ smtp_tls_mandatory_protocols = !SSLv2
+
+Postfix SMTP server settings:
+
+ smtpd_tls_ciphers = export
+ smtpd_tls_protocols =
+ smtpd_tls_mandatory_protocols = !SSLv2
+
+These settings, if put in main.cf, affect all Postfix SMTP client
+or server communication, which may be undesirable. To be more
+selective, use "-o name=value" parameter overrides on specific
+services in master.cf. Execute the command "postfix reload" to make
+the changes effective.
+
+[Incompat 20150719] The default Diffie-Hellman non-export prime was
+updated from 1024 to 2048 bits, because SMTP clients are starting
+to reject TLS handshakes with primes smaller than 2048 bits.
+
+Historically, this prime size is not negotiable, and each site needs
+to determine which prime size works best for the majority of its
+clients. See FORWARD_SECRECY_README for some hints in the quick-start
+section.
+
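Review bot: In the [Incompat 20150721] revert block, the server list has "smtpd_tls_protocols =" with an empty value while every other protocol line uses "!SSLv2", and the text neither explains the difference nor states that these values bring back SSLv3 and export-grade ciphers. Suggest one sentence on what the empty value means, plus a concrete master.cf "-o name=value" line for a single service, since the paragraph that follows already recommends that over main.cf. Also, "transport_transport_rate_delay" under output rate control reads like a doubled word; a remark that the first "transport" stands for the transport name, as in the smtp_transport_rate_delay example, would help.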
diff --git a/RELEASE_NOTES-3.2 b/RELEASE_NOTES-3.2
new file mode 100644
index 0000000..876d4b7
--- /dev/null
+++ b/RELEASE_NOTES-3.2
@@ -0,0 +1,180 @@
+This is the Postfix 3.2 (stable) release.
+
+The stable Postfix release is called postfix-3.2.x where 3=major
+release number, 2=minor release number, x=patchlevel. The stable
+release never changes except for patches that address bugs or
+emergencies. Patches change the patchlevel and the release date.
+
+New features are developed in snapshot releases. These are called
+postfix-3.3-yyyymmdd where yyyymmdd is the release date (yyyy=year,
+mm=month, dd=day). Patches are never issued for snapshot releases;
+instead, a new snapshot is released.
+
+The mail_release_date configuration parameter (format: yyyymmdd)
+specifies the release date of a stable release or snapshot release.
+
+If you upgrade from Postfix 3.0 or earlier, read RELEASE_NOTES-3.1
+before proceeding.
+
+Invisible changes
+-----------------
+
+In addition to the visible changes described below, there is an
+ongoing overhaul of low-level code. With each change come updated
+tests to ensure that future changes will not 'break' compatibility
+with past behavior.
+
+Major changes - address mapping
+-------------------------------
+
+[Feature 20170128] Postfix 3.2 fixes the handling of address
+extensions with email addresses that contain spaces. For example,
+the virtual_alias_maps, canonical_maps, and smtp_generic_maps
+features now correctly propagate an address extension from "aa
+bb+ext"@example.com to "cc dd+ext"@other.example, instead of
+producing broken output.
+
+Major changes - header/body_checks
+----------------------------------
+
+[Feature 20161008] "PASS" and "STRIP" actions in header/body_checks.
+"STRIP" is similar to "IGNORE" but also logs the action, and "PASS"
+disables header, body, and Milter inspection for the remainder of
+the message content. Contributed by Hobbit.
+
+Major changes - log analysis
+----------------------------
+
+[Feature 20160330] The collate.pl script by Viktor Dukhovni for
+grouping Postfix logfile records into "sessions" based on queue ID
+and process ID information. It's in the auxiliary/collate directory
+of the Postfix source tree.
+
+Major changes - maps support
+----------------------------
+
+[Feature 20160527] Postfix 3.2 cidr tables support if/endif and
+negation (by prepending ! to a pattern), just like regexp and pcre
+tables. The primarily purpose is to improve readability of complex
+tables. See the cidr_table(5) manpage for syntax details.
+
+[Incompat 20160925] In the Postfix MySQL database client, the default
+option_group value has changed to "client", to enable reading of
+"client" option group settings in the MySQL options file. This fixes
+a "not found" problem with Postfix queries that contain UTF8-encoded
+non-ASCII text. Specify an empty option_group value (option_group
+=) to get backwards-compatible behavior.
+
+[Feature 20161217] Stored-procedure support for MySQL databases.
+Contributed by John Fawcett. See mysql_table(5) for instructions.
+
+[Feature 20170128] The postmap command, and the inline: and texthash:
+maps now support spaces in left-hand field of the lookup table
+"source text". Use double quotes (") around a left-hand field that
+contains spaces, and use backslash (\) to protect embedded quotes
+in a left-hand field. There is no change in the processing of the
+right-hand field.
+
+Major changes - milter support
+------------------------------
+
+[Feature 20160611] The Postfix SMTP server local IP address and
+port are available in the policy delegation protocol (attribute
+names: server_address, server_port), in the Milter protocol (macro
+names: {daemon_addr}, {daemon_port}), and in the XCLIENT protocol
+(attribute names: DESTADDR, DESTPORT).
+
+[Feature 20161024] smtpd_milter_maps support for per-client Milter
+configuration that overrides smtpd_milters, and that has the same
+syntax. A lookup result of "DISABLE" turns off Milter support. See
+MILTER_README.html for details.
+
+Major changes - policy delegation
+---------------------------------
+
+[Feature 20160611] The Postfix SMTP server local IP address and
+port are available in the policy delegation protocol (attribute
+names: server_address, server_port), in the Milter protocol (macro
+names: {daemon_addr}, {daemon_port}), and in the XCLIENT protocol
+(attribute names: DESTADDR, DESTPORT).
+
+Major changes - postqueue
+-------------------------
+
+[Incompat 20170129] The postqueue command no longer forces all
+message arrival times to be reported in UTC. To get the old behavior,
+set TZ=UTC in main.cf:import_environment (this override is not
+recommended, as it affects all Postfix utities and daemons).
+
+Major changes - safety
+----------------------
+
+[Incompat 20161227] For safety reasons, the sendmail -C option must
+specify an authorized directory: the default configuration directory,
+a directory that is listed in the default main.cf file with
+alternate_config_directories or multi_instance_directories, or the
+command must be invoked with root privileges (UID 0 and EUID 0).
+This mitigates a recurring problem with the PHP mail() function.
+
+Major changes - sasl
+--------------------
+
+[Feature 20160625] The Postfix SMTP server now passes remote client
+and local server network address and port information to the Cyrus
+SASL library. Build with ``make makefiles "CCARGS=$CCARGS
+-DNO_IP_CYRUS_SASL_AUTH"'' for backwards compatibility.
+
+Major changes - smtputf8
+------------------------
+
+[Feature 20161103] Postfix 3.2 disables the 'transitional' compatibility
+between the IDNA2003 and IDNA2008 standards for internationalized
+domain names (domain names beyond the limits of US-ASCII).
+
+This change makes Postfix behavior consistent with contemporary web
+browsers. It affects the handling of some corner cases such as
+German sz and Greek zeta. See http://unicode.org/cldr/utility/idna.jsp
+for more examples.
+
+Specify "enable_idna2003_compatibility = yes" to restore historical
+behavior (but keep in mind that the rest of the world may not make
+that same choice).
+
+Major changes - tls
+-------------------
+
+[Feature 20160828] Fixes for deprecated OpenSSL 1.1.0 API features,
+so that Postfix will build without depending on backwards-compatibility
+support.
+
+[Incompat 20161204] Postfix 3.2 removes tentative features that
+were implemented before the DANE spec was finalized:
+
+- Support for certificate usage PKIX-EE(1),
+
+- The ability to disable digest agility (Postfix now behaves as if
+ "tls_dane_digest_agility = on"), and
+
+- The ability to disable support for "TLSA 2 [01] [12]" records
+ that specify the digest of a trust anchor (Postfix now behaves
+ as if "tls_dane_trust_anchor_digest_enable = yes).
+
+[Feature 20161217] Postfix 3.2 enables elliptic curve negotiation
+with OpenSSL >= 1.0.2. This changes the default smtpd_tls_eecdh_grade
+setting to "auto", and introduces a new parameter tls_eecdh_auto_curves
+with the names of curves that may be negotiated.
+
+The default tls_eecdh_auto_curves setting is determined at compile
+time, and depends on the Postfix and OpenSSL versions. At runtime,
+Postfix will skip curve names that aren't supported by the OpenSSL
+library.
+
+Major changes - xclient
+-----------------------
+
+[Feature 20160611] The Postfix SMTP server local IP address and
+port are available in the policy delegation protocol (attribute
+names: server_address, server_port), in the Milter protocol (macro
+names: {daemon_addr}, {daemon_port}), and in the XCLIENT protocol
+(attribute names: DESTADDR, DESTPORT).
+
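Review bot: [Incompat 20161227] says the sendmail -C option "must specify an authorized directory" but not what happens when it does not (error and exit, or the option is ignored), and "a recurring problem with the PHP mail() function" is left unexplained. Suggest stating the failure behaviour and adding one sentence on the problem being mitigated, so administrators can recognise it after upgrading. Typos in this file: "The primarily purpose" (primary), "Postfix utities" (utilities), and the unbalanced quote in "tls_dane_trust_anchor_digest_enable = yes)". The [Feature 20160611] paragraph appears verbatim under milter support, policy delegation and xclient; if the cross-listing is intended that is fine, otherwise keep one copy and refer to it.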
diff --git a/RELEASE_NOTES-3.3 b/RELEASE_NOTES-3.3
new file mode 100644
index 0000000..e3762d8
--- /dev/null
+++ b/RELEASE_NOTES-3.3
@@ -0,0 +1,124 @@
+This is the Postfix 3.3 (stable) release.
+
+The stable Postfix release is called postfix-3.3.x where 3=major
+release number, 3=minor release number, x=patchlevel. The stable
+release never changes except for patches that address bugs or
+emergencies. Patches change the patchlevel and the release date.
+
+New features are developed in snapshot releases. These are called
+postfix-3.4-yyyymmdd where yyyymmdd is the release date (yyyy=year,
+mm=month, dd=day). Patches are never issued for snapshot releases;
+instead, a new snapshot is released.
+
+The mail_release_date configuration parameter (format: yyyymmdd)
+specifies the release date of a stable release or snapshot release.
+
+If you upgrade from Postfix 3.1 or earlier, read RELEASE_NOTES-3.2
+before proceeding.
+
+License change
+---------------
+
+This software is distributed with a dual license: in addition to the
+historical IBM Public License 1.0, it is now also distributed with the
+more recent Eclipse Public License 2.0. Recipients can choose to take
+the software under the license of their choice. Those who are more
+comfortable with the IPL can continue with that license.
+
+Major changes - compatibility safety net
+----------------------------------------
+
+[20180106] With compatibility_level < 1, the Postfix SMTP server
+now warns for mail that would be blocked by the Postfix 2.10
+smtpd_relay_restrictions feature, without blocking that mail. This
+extends the compatibility safety net for sites that upgrade from
+earlier Postfix versions (questions on the postfix-users list show
+there is a steady trickle). See COMPATIBILITY_README for details.
+
+Major changes - configuration
+-----------------------------
+
+[20170617] The postconf command now warns about unknown parameter
+names in a Postfix database configuration file. As with other unknown
+parameter names, these warnings can help to find typos early.
+
+[20180113] New read-only service_name parameter that contains the
+master.cf service name of a Postfix daemon process (it that is empty
+in a non-daemon process). This can make Postfix SMTP server logging
+logging distinct by setting the syslog_name in master.cf with "-o
+syslog_name=postfix/$service_name" for the "submission" and "smtps"
+services, and can make Postfix SMTP client distinct by setting "-o
+syslog_name=postfix/$service_name" for the "relay" service.
+
+Major changes - container support
+---------------------------------
+
+[20171218] Preliminary support to run Postfix in the foreground,
+with "postfix start-fg". This requires that Postfix multi-instance
+support is disabled. To receive Postfix syslog information on the
+container's host, mount the host's /dev/log socket inside the
+container (example: "docker run -v /dev/log:/dev/log ..."), and
+specify a distinct Postfix "syslog_name" prefix that identifies the
+logging from the Postfix instance. Postfix does not log systemd
+events.
+
+Major changes - database support
+---------------------------------
+
+[20170617] The postconf command warns about unknown parameter names
+in a Postfix database configuration file.
+
+[20171227] The pgsql_table(5) hosts parameter now supports the
+postgresql:// URI syntax. Contributed by Magosányi Árpád.
+
+Major changes - header format
+-----------------------------
+
+[20180010] This release changes the format of 'full name' information
+in Postfix-generated From: headers, when a local program such as
+/bin/mail submits a message without From: header.
+
+Postfix-generated From: headers with 'full name' information are
+now formatted as "From: name <address>" by default. Specify
+"header_from_format = obsolete" to get the earlier form "From:
+address (name)". See the postconf(5) manpage for more details.
+
+Major changes - invisible changes
+---------------------------------
+
+[20170617] Additional paranoia in the VSTRING implementation: a
+null byte after the end of vstring buffers (this is a safety net
+so that C-style string operations won't scribble past the end);
+earlier detection of bad length and precision format string specifiers
+(these are the result of programming error, as Postfix format strings
+cannot be specified externally).
+
+Major changes - milter support
+------------------------------
+
+[20171223] Milter applications can now send RET and ENVID parameters
+in SMFIR_CHGFROM (change envelope sender) requests.
+
+Major changes - mixed IPv6/IPv4 support
+---------------------------------------
+
+[20170505] Workaround for mail delivery problems when 1) both Postfix
+IPv6 and IPv4 support are enabled, 2) some destination announces
+more primary IPv6 MX addresses than primary IPv4 MX addresses, 3)
+the destination is unreachable over IPv6, and 4) Postfix runs into
+the smtp_mx_address_limit before it can try to deliver over IPv4.
+
+When both Postfix IPv6 and IPv4 support are enabled, the Postfix
+SMTP client will now relax MX preferences so that it can schedule
+similar numbers of IPv4 and IPv6 destination addresses. This ensures
+that an IPv6 connectivity problem will not prevent mail from being
+delivered over IPv4 (and vice versa). Specify "smtp_balance_inet_protocols
+= no" to disable this workaround.
+
+Major changes - xclient
+-----------------------
+
+[20171218] The Postfix SMTP server now allows the XCLIENT command
+before STARTTLS when TLS is required. This is useful for servers
+that run behind a reverse proxy server such as nginx.
+
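Review bot: The [20171218] xclient entry allows the XCLIENT command before STARTTLS when TLS is required, but does not say which clients may send it at that point. Suggest stating whether the existing XCLIENT authorization (smtpd_authorized_xclient_hosts) still applies before the TLS handshake, since the command arrives in plaintext in this configuration. Minor: the tag "[20180010]" has month 00, which does not fit the yyyymmdd format described at the top of the file; [20180113] has "(it that is empty", a doubled "logging logging", and "can make Postfix SMTP client distinct" is missing the word "logging"; the tags in this file also drop the Feature/Incompat label used in the other release notes.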
diff --git a/RELEASE_NOTES-3.4 b/RELEASE_NOTES-3.4
new file mode 100644
index 0000000..6794f1d
--- /dev/null
+++ b/RELEASE_NOTES-3.4
@@ -0,0 +1,208 @@
+This is the Postfix 3.4 (stable) release.
+
+The stable Postfix release is called postfix-3.4.x where 3=major
+release number, 4=minor release number, x=patchlevel. The stable
+release never changes except for patches that address bugs or
+emergencies. Patches change the patchlevel and the release date.
+
+New features are developed in snapshot releases. These are called
+postfix-3.5-yyyymmdd where yyyymmdd is the release date (yyyy=year,
+mm=month, dd=day). Patches are never issued for snapshot releases;
+instead, a new snapshot is released.
+
+The mail_release_date configuration parameter (format: yyyymmdd)
+specifies the release date of a stable release or snapshot release.
+
+If you upgrade from Postfix 3.2 or earlier, read RELEASE_NOTES-3.3
+before proceeding.
+
+License change
+---------------
+
+This software is distributed with a dual license: in addition to the
+historical IBM Public License 1.0, it is now also distributed with the
+more recent Eclipse Public License 2.0. Recipients can choose to take
+the software under the license of their choice. Those who are more
+comfortable with the IPL can continue with that license.
+
+Summary of changes
+------------------
+
+Incompatible changes, bdat support, containers, database support,
+logging, safety, tls connection pooling, tls support, usability,
+
+Incompatible changes
+--------------------
+
+[Incompat 20180826] The Postfix SMTP server announces CHUNKING (BDAT
+command) by default. In the unlikely case that this breaks some
+important remote SMTP client, disable the feature as follows:
+
+/etc/postfix/main.cf:
+ # The logging alternative:
+ smtpd_discard_ehlo_keywords = chunking
+ # The non-logging alternative:
+ smtpd_discard_ehlo_keywords = chunking, silent_discard
+
+See BDAT_README for more.
+
+[Incompat 20190126] This introduces a new master.cf service 'postlog'
+with type 'unix-dgram' that is used by the new postlogd(8) daemon.
+Before backing out to an older Postfix version, edit the master.cf
+file and remove the postlog entry.
+
+[Incompat 20190106] Postfix 3.4 drops support for OpenSSL 1.0.1
+(end-of-life was December 31, 2016) and all earlier releases.
+
+[Incompat 20180701] To avoid performance loss under load, the
+tlsproxy(8) daemon now requires a zero process limit in master.cf
+(this setting is provided with the default master.cf file). By
+default, a tlsproxy(8) process will retire after several hours.
+
+To set the tlsproxy process limit to zero:
+
+# postconf -F tlsproxy/unix/process_limit=0
+# postfix reload
+
+Major changes - bdat support
+--------------------
+
+[Feature 20180826] Postfix SMTP server support for RFC 3030 CHUNKING
+(the BDAT command) without BINARYMIME, in both smtpd(8) and
+postscreen(8). This has no effect on Milters, smtpd_mumble_restrictions,
+and smtpd_proxy_filter. See BDAT_README for more.
+
+Major changes - containers
+--------------------------
+
+[Feature 20190126] Support for logging to file or stdout, instead
+of using syslog.
+
+- Logging to file solves a usability problem for MacOS, and
+ eliminates multiple problems with systemd-based systems.
+
+- Logging to stdout is useful when Postfix runs in a container, as
+ it eliminates a syslogd dependency.
+
+See MAILLOG_README for configuration examples and logfile rotation.
+
+[Feature 20180422] Better handling of undocumented(!) Linux behavior
+whether or not signals are delivered to a PID=1 process.
+
+Major changes - database support
+--------------------------------
+
+[Feature 20181105] Support for (key, list of filenames) in map
+source text.
+
+- Currently, this feature is used only by tls_server_sni_maps.
+
+- When a map is created from source with "postmap -F maptype:mapname",
+ the command processes each key as usual and processes each value
+ as a list of filenames, concatenates the content of those files
+ (with one newline character in-between files), and stores an entry
+ with (key, base64-encoded result).
+
+- When a map is queried with "postmap -F -q ...", the command
+ base64-decodes each value. It reports an error when a value is
+ not in base64 form.
+
+ This "postmap -F -q ..." behavior also works when querying the
+ memory-resident map types cidr:, inline:, pcre:, randmap:, regexp:,
+ and static:. Postfix reads the files specified as table values,
+ stores base64-encoded content, and base64-decodes content upon
+ table lookup.
+
+ Internally, Postfix will turn on this behavior for lookups (not
+ updates) when a map is opened with the DICT_FLAG_RHS_IS_FILE flag.
+
+Major changes - logging
+-----------------------
+
+[Feature 20190126] Support for logging to file or stdout, instead
+of using syslog.
+
+- Logging to file solves a usability problem for MacOS, and
+ eliminates multiple problems with systemd-based systems.
+
+- Logging to stdout is useful when Postfix runs in a container, as
+ it eliminates a syslogd dependency.
+
+See MAILLOG_README for configuration examples and logfile rotation.
+
+Major changes - safety
+----------------------
+
+[Feature 20180623] Automatic retirement: dnsblog(8) and tlsproxy(8) process
+will now voluntarily retire after after max_idle*max_use, or some
+sane limit if either limit is disabled. Without this, a process
+could stay busy for days or more.
+
+Major changes - tls connection pooling
+--------------------------------------
+
+[Feature 20180617] Postfix SMTP client support for multiple deliveries
+per TLS-encrypted connection. This is primarily to improve mail
+delivery performance for destinations that throttle clients when
+they don't combine deliveries.
+
+This feature is enabled with "smtp_tls_connection_reuse=yes" in
+main.cf, or with "tls_connection_reuse=yes" in smtp_tls_policy_maps.
+It supports all Postfix TLS security levels including dane and
+dane-only.
+
+The implementation of TLS connection reuse relies on the same
+scache(8) service as used for delivering plaintext SMTP mail, the
+same tlsproxy(8) daemon as used by the postscreen(8) service for
+inbound connections, and relies on the same hints from the qmgr(8)
+daemon. It reuses the configuration parameters described in
+CONNECTION_CACHE_README.
+
+The Postfix SMTP client now logs whether an SMTP-over-TLS connection
+is newly established ("TLS connection established") or whether the
+connection is reused ("TLS connection reused").
+
+The following illustrates how TLS connections are reused:
+
+ Initial plaintext SMTP handshake:
+ smtp(8) -> remote SMTP server
+
+ Reused SMTP/TLS connection, or new SMTP/TLS connection:
+ smtp(8) -> tlsproxy(8) -> remote SMTP server
+
+ Cached SMTP/TLS connection:
+ scache(8) -> tlsproxy(8) -> remote SMTP server
+
+Major changes - tls support
+---------------------------
+
+[Feature 20190106] SNI support in the Postfix SMTP server, the
+Postfix SMTP client, and in the tlsproxy(8) daemon (both server and
+client roles). See the postconf(5) documentation for the new
+tls_server_sni_maps and smtp_tls_servername parameters.
+
+[Feature 20190106] Support for files that contain multiple (key,
+certificate, trust chain) instances. This was required to implement
+server-side SNI table lookups, but it also eliminates the need for
+separate cert/key files for RSA, DSA, Elliptic Curve, and so on.
+The file format is documented in the TLS_README sections "Server-side
+certificate and private key configuration" and "Client-side certificate
+and private key configuration", and in the postconf(5) documentation
+for the parameters smtp_tls_chain_files, smtpd_tls_chain_files,
+tlsproxy_client_chain_files, and tlsproxy_tls_chain_files.
+
+Note: the command "postfix tls" does not yet support the new
+consolidated certificate chain format. If you switch to the new
+format, you'll need to manage your keys and certificates directly,
+rather than via postfix-tls(1).
+
+Major changes - usability
+-------------------------
+
+[Feature 20180812] Support for smtpd_reject_footer_maps (as well
+as the postscreen variant postscreen_reject_footer_maps) for more
+informative reject messages. This is indexed with the Postfix SMTP
+server response text, and overrides the footer specified with
+smtpd_reject_footer. One will want to use a pcre: or regexp: map
+with this.
+
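Review bot: Under [Feature 20181105], "postmap -F" stores the base64-encoded content of the listed files in the map, and the only user named is tls_server_sni_maps, which per [Feature 20190106] works with files holding "(key, certificate, trust chain)" instances. The resulting map can therefore contain private key material, and nothing here says it needs the same ownership and permissions as the key files; suggest adding that. Minor: the summary list ends with a trailing comma after "usability", the underline under "Major changes - bdat support" is shorter than the heading, and [Feature 20180623] has "after after" and "process will" (processes).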
diff --git a/RELEASE_NOTES-3.5 b/RELEASE_NOTES-3.5
new file mode 100644
index 0000000..d3c41b8
--- /dev/null
+++ b/RELEASE_NOTES-3.5
@@ -0,0 +1,157 @@
+This is the Postfix 3.5 (stable) release.
+
+The stable Postfix release is called postfix-3.5.x where 3=major
+release number, 5=minor release number, x=patchlevel. The stable
+release never changes except for patches that address bugs or
+emergencies. Patches change the patchlevel and the release date.
+
+New features are developed in snapshot releases. These are called
+postfix-3.6-yyyymmdd where yyyymmdd is the release date (yyyy=year,
+mm=month, dd=day). Patches are never issued for snapshot releases;
+instead, a new snapshot is released.
+
+The mail_release_date configuration parameter (format: yyyymmdd)
+specifies the release date of a stable release or snapshot release.
+
+If you upgrade from Postfix 3.3 or earlier, read RELEASE_NOTES-3.4
+before proceeding.
+
+License change
+---------------
+
+This software is distributed with a dual license: in addition to the
+historical IBM Public License 1.0, it is now also distributed with the
+more recent Eclipse Public License 2.0. Recipients can choose to take
+the software under the license of their choice. Those who are more
+comfortable with the IPL can continue with that license.
+
+Major changes - multiple relayhost in SMTP
+------------------------------------------
+
+[Feature 20200111] the Postfix SMTP and LMTP client support a list
+of nexthop destinations separated by comma or whitespace. These
+destinations will be tried in the specified order.
+
+The list form can be specified in relayhost, transport_maps,
+default_transport, and sender_dependent_default_transport_maps.
+
+Examples:
+/etc/postfix/main.cf:
+ relayhost = foo.example, bar.example
+ default_transport = smtp:foo.example, bar.example.
+
+NOTE: this is an SMTP and LMTP client feature. It does not work for
+other Postfix delivery agents.
+
+Major changes - certificate access
+----------------------------------
+
+[Feature 20190517] Search order support for check_ccert_access.
+Search order support for other tables is in design (canonical_maps,
+virtual_alias_maps, transport_maps, etc.).
+
+The following check_ccert_access setting uses the built-in search
+order: it first looks up the client certificate fingerprint, then
+the client certificate public-key fingerprint, and it stops when a
+decision is made.
+
+/etc/postfix/main.cf:
+ smtpd_mumble_restrictions =
+ ...
+ check_ccert_access hash:/etc/postfix/ccert-access
+ ...
+
+The following setting, with explicit search order, produces the
+exact same result:
+
+/etc/postfix/main.cf:
+ smtpd_mumble_restrictions =
+ ...
+ check_ccert_access {
+ hash:/etc/postfix/ccert-access {
+ search_order = cert_fingerprint, pubkey_fingerprint } }
+ ...
+
+Support is planned for other certificate features.
+
+Major changes - dovecot usability
+---------------------------------
+
+[Feature 20190615] The SMTP+LMTP delivery agent can now prepend
+Delivered-To, X-Original-To and Return-Path headers, just like the
+pipe(8) and local(8) delivery agents.
+
+This uses the "flags=DORX" command-line flags in master.cf. See the
+smtp(8) manpage for details.
+
+This obsoletes the "lmtp_assume_final = yes" setting, and replaces
+it with "flags=...X...", for consistency with the pipe(8) delivery
+agent.
+
+Major changes - forced expiration
+---------------------------------
+
+[Feature 20200202] Support to force-expire email messages. This
+introduces new postsuper(1) command-line options to request expiration,
+and additional information in mailq(1) or postqueue(1) output.
+
+The forced-to-expire status is stored in a queue file attribute.
+An expired message is returned to the sender when the queue manager
+attempts to deliver that message (note that Postfix will never
+deliver messages in the hold queue).
+
+The postsuper(1) -e and -f options both set the forced-to-expire
+queue file attribute. The difference is that -f will also release
+a message if it is in the hold queue. With -e, such a message would
+not be returned to the sender until it is released with -f or -H.
+
+In the mailq(1) or postqueue(1) -p output, a forced-to-expire message
+is indicated with # after the queue file name. In postqueue(1) JSON
+output, there is a new per-message field "forced_expire" (with value
+true or false) that shows the forced-to-expire status.
+
+Major changes - haproxy2 protocol
+---------------------------------
+
+[Feature 20200112] Support for the haproxy v2 protocol. The Postfix
+implementation supports TCP over IPv4 and IPv6, as well as non-proxied
+connections; the latter are typically used for heartbeat tests.
+
+The haproxy v2 protocol introduces no additional Postfix configuration.
+The Postfix smtpd(8) and postscreen(8) daemons accept both v1 and
+v2 protocol versions.
+
+Major changes - logging
+-----------------------
+
+[Incompat 20191109] Postfix daemon processes now log the from= and
+to= addresses in external (quoted) form in non-debug logging (info,
+warning, etc.). This means that when an address localpart contains
+spaces or other special characters, the localpart will be quoted,
+for example:
+
+ from=<"name with spaces"@example.com>
+
+Older Postfix versions would log the internal (unquoted) form:
+
+ from=<name with spaces@example.com>
+
+The external and internal forms are identical for the vast majority
+of email addresses that contain no spaces or other special characters
+in the localpart.
+
+Specify "info_log_address_format = internal" for backwards
+compatibility.
+
+The logging in external form is consistent with the address form
+that Postfix 3.2 and later prefer for table lookups. It is therefore
+the more useful form for non-debug logging.
+
+Major changes - IP address normalization
+----------------------------------------
+
+[Incompat 20190427] Postfix now normalizes IP addresses received
+with XCLIENT, XFORWARD, or with the HaProxy protocol, for consistency
+with direct connections to Postfix. This may change the appearance
+of logging, and the way that check_client_access will match subnets
+of an IPv6 address.
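Review bot: the "IP address normalization" entry at the end of this hunk says check_client_access subnet matching for IPv6 may change, but gives no address in its old and new form, so an operator cannot tell which access table keys need rechecking after the upgrade; one sample address shown before and after normalization would settle it. Separately, in the "multiple relayhost" example the default_transport line ends in a period ("smtp:foo.example, bar.example."), which reads as part of the second hostname when the line is copied into main.cf; drop the trailing period.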
diff --git a/RELEASE_NOTES-3.6 b/RELEASE_NOTES-3.6
new file mode 100644
index 0000000..d8ac90c
--- /dev/null
+++ b/RELEASE_NOTES-3.6
@@ -0,0 +1,277 @@
+This is the Postfix 3.6 (stable) release.
+
+The stable Postfix release is called postfix-3.6.x where 3=major
+release number, 6=minor release number, x=patchlevel. The stable
+release never changes except for patches that address bugs or
+emergencies. Patches change the patchlevel and the release date.
+
+New features are developed in snapshot releases. These are called
+postfix-3.7-yyyymmdd where yyyymmdd is the release date (yyyy=year,
+mm=month, dd=day). Patches are never issued for snapshot releases;
+instead, a new snapshot is released.
+
+The mail_release_date configuration parameter (format: yyyymmdd)
+specifies the release date of a stable release or snapshot release.
+
+If you upgrade from Postfix 3.4 or earlier, read RELEASE_NOTES-3.5
+before proceeding.
+
+License change
+---------------
+
+This software is distributed with a dual license: in addition to the
+historical IBM Public License 1.0, it is now also distributed with the
+more recent Eclipse Public License 2.0. Recipients can choose to take
+the software under the license of their choice. Those who are more
+comfortable with the IPL can continue with that license.
+
+Major changes - internal protocol identification
+------------------------------------------------
+
+[Incompat 20200920] Internal protocols have changed. You need to
+"postfix stop" before updating, or before backing out to an earlier
+release, otherwise long-running daemons (pickup, qmgr, verify, tlsproxy,
+postscreen) may fail to communicate with the rest of Postfix, causing
+mail delivery delays until Postfix is restarted.
+
+This change does not affect message files in Postfix queue directories,
+only the communication between running Postfix programs.
+
+With this change, every Postfix internal service, including the postdrop
+command, announces the name of its protocol before doing any other I/O.
+Every Postfix client program, including the Postfix sendmail command,
+will verify that the protocol name matches what it is supposed to be.
+
+The purpose of this change is to produce better error messages, for
+example, when someone configures the discard daemon as a bounce
+service in master.cf, or vice versa.
+
+This change may break third-party programs that implement a
+Postfix-internal protocol such as qpsmtpd. Such programs have never
+been supported. Fortunately, this will be an easy fix: look at the
+first data from the cleanup daemon: if it is a protocol announcement,
+you're talking to Postfix 3.6 or later. That's the only real change.
+
+Major changes - tls
+-------------------
+
+[Incompat 20200705] The minimum supported OpenSSL version is 1.1.1,
+which will reach the end of life by 2023-09-11. Postfix 3.6 is
+expected to reach the end of support in 2025. Until then, Postfix
+will be updated as needed for compatibility with OpenSSL.
+
+The default fingerprint digest has changed from md5 to sha256 (Postfix
+3.6 with compatibility_level >= 3.6). With a lower compatibility_level
+setting, Postfix defaults to using md5, and logs a warning when a Postfix
+configuration specifies no explicit digest type.
+
+Export-grade Diffie-Hellman key exchange is no longer supported,
+and the tlsproxy_tls_dh512_param_file parameter is ignored,
+
+[Feature 20200906] The tlstype.pl helper script by Viktor Dukhovni
+reports TLS information per message delivery. This processes output
+from the collate.pl script. See auxiliary/collate/README.tlstype and
+auxiliary/collate/tlstype.pl.
+
+Major changes - compatibility level
+-----------------------------------
+
+[Feature 20210109] Starting with Postfix version 3.6, the compatibility
+level is "3.6". In future Postfix releases, the compatibility level will
+be the Postfix version that introduced the last incompatible change. The
+level is formatted as 'major.minor.patch', where 'patch' is usually
+omitted and defaults to zero. Earlier compatibility levels are 0, 1 and 2.
+
+This also introduces main.cf and master.cf support for the <=level,
+<level, and other operators to compare compatibility levels. With the
+standard <=, <, etc. operators, compatibility level 3.10 would be less
+than 3.9, which is undesirable.
+
+Major changes - services(5) override
+------------------------------------
+
+[Feature 20210418] Postfix no longer uses the services(5) database
+to look up the TCP ports for SMTP and LMTP services. Instead, this
+information is configured with the new known_tcp_ports configuration
+parameter (default: lmtp=24, smtp=25, smtps=submissions=465,
+submission=587). When a service is not specified in known_tcp_ports,
+Postfix will still query the services(5) database.
+
+Major changes - local_login_sender_maps
+---------------------------------------
+
+[Feature 20201025] Fine-grained control over the envelope sender address
+for submission with the Postfix sendmail (or postdrop) commands.
+
+The local_login_sender_maps parameter (default: static:*) specifies
+a list of lookup tables that are searched by the UNIX login name, and
+that return a list of allowed envelope sender patterns separated by
+space or comma. The default is backwards-compatible: every user may
+specify any sender envelope address.
+
+This feature is enforced by the postdrop command. When no UNIX login
+name is available, the postdrop command will prepend "uid:" to the
+numerical UID and use that instead.
+
+This feature ignores address extensions in the user-specified
+envelope sender address.
+
+Besides the special pattern "*" which allows any sender address,
+there are "<>" which matches an empty sender address, and the
+"@domain" wildcard pattern. More information about those can be found
+in the postconf(5) manpage.
+
+Example:
+
+/etc/postfix/main.cf:
+ # Allow root and postfix full control, anyone else can only
+ # send mail as themselves. Use "uid:" followed by the numerical
+ # UID when the UID has no entry in the UNIX password file.
+ local_login_sender_maps =
+ inline:{ { root = *}, { postfix = * } },
+ pcre:/etc/postfix/login_senders
+
+/etc/postfix/login_senders:
+ # Allow both the bare username and the user@domain forms.
+ /(.+)/ $1 $1@example.com
+
+Major changes - order of relay and recipient restrictions
+---------------------------------------------------------
+
+[Incompat 20210131] With smtpd_relay_before_recipient_restrictions=yes,
+the Postfix SMTP server will evaluate smtpd_relay_restrictions before
+smtpd_recipient_restrictions. This is the default behavior with
+compatibility_level >= 3.6.
+
+This change makes the implemented behavior consistent with existing
+documentation. There is a backwards-compatibility warning that allows
+users to freeze historical behavior. See COMPATIBILITY_README for
+details.
+
+Major changes - respectful logging
+----------------------------------
+
+[Feature 20210220] Postfix version 3.6 deprecates terminology
+that implies white is better than black. Instead, Postfix prefers
+'allowlist', 'denylist', and variations on those words. This change
+affects Postfix documentation, and postscreen parameters and logging.
+
+To keep the old postscreen logging set "respectful_logging = no"
+in main.cf.
+
+Noel Jones assisted with the initial transition.
+
+Changes in documentation
+------------------------
+
+Postfix documentation was updated to use 'allowlist', 'denylist', etc.
+These documentation changes do not affect Postfix behavior.
+
+Changes in parameter names
+--------------------------
+
+The following postscreen parameters replace names that contain 'blacklist'
+or 'whitelist':
+
+ postscreen_allowlist_interfaces
+ postscreen_denylist_action
+ postscreen_dnsbl_allowlist_threshold
+
+These new parameters have backwards-compatible default settings
+that support the old parameter names, so that the name change should
+not affect Postfix behavior. This means that existing management tools
+that use the old parameter names should keep working as before.
+
+This compatibility safety net may break when some management tools
+use the new parameter names, and some use the old names, such that
+different tools will disagree on how Postfix works.
+
+Changes in logging
+------------------
+
+The following logging replaces forms that contain 'blacklist' or
+'whitelist':
+
+ postfix/postscreen[pid]: ALLOWLIST VETO [address]:port
+ postfix/postscreen[pid]: ALLOWLISTED [address]:port
+ postfix/postscreen[pid]: DENYLISTED [address]:port
+
+To avoid breaking logfile analysis tools, Postfix keeps logging the old
+forms by default, as long as the compatibility_level parameter setting
+is less than 3.6, and the respectful_logging parameter is not explicitly
+configured. As a reminder, Postfix will log the following:
+
+ postfix/postscreen[pid]: Using backwards-compatible default setting
+ respectful_logging=no for client [address]:port
+
+To keep logging the old form, make the setting "respectful_logging =
+no" permanent in main.cf, for example:
+
+ # postconf "respectful_logging = no"
+ # postfix reload
+
+To stop the reminder, configure the respectful_logging parameter to
+"yes" or "no", or configure "compatibility_level = 3.6".
+
+Major changes - threaded bounces
+--------------------------------
+
+[Feature 20201205] Support for threaded bounces. This allows mail
+readers to present a non-delivery, delayed delivery, or successful
+delivery notification in the same email thread as the original
+message.
+
+Unfortunately, this also makes it easy for users to mistakenly delete
+the whole email thread (all related messages), instead of deleting
+only the delivery status notification.
+
+To enable, specify "enable_threaded_bounces = yes".
+
+Other changes - smtpd_sasl_mechanism_list
+-----------------------------------------
+
+[Feature 20200906] The smtpd_sasl_mechanism_list parameter (default:
+!external, static:rest) prevents confusing errors when a SASL backend
+announces EXTERNAL support which Postfix does not support.
+
+Other changes - delivery logging
+--------------------------------
+
+[Incompat 20200531] Postfix delivery agents now log an explicit record
+when delegating delivery to a different Postfix delivery agent.
+
+For example, with "best_mx_transport = local", an SMTP delivery
+agent will now log when a recipient will be delivered locally. This
+makes the delegating delivery agent visible, where it would otherwise
+have remained invisible, which would complicate troubleshooting.
+
+ postfix/smtp[pid]: queueid: passing <recipient> to transport=local
+
+This will usually be followed by logging for an actual delivery:
+
+ postfix/local[pid]: queueid: to=<recipient>, relay=local, ...
+
+Other examples: the local delivery agent will log a record that it
+defers mailbox delivery through mailbox_transport or through
+fallback_transport.
+
+Other changes - error logging
+-----------------------------
+
+[Incompat 20200531] Postfix programs will now log "Application error"
+instead of "Success" or "Unknown error: 0" when an operation fails with
+errno == 0, i.e., the error originates from non-kernel code.
+
+Other changes - dns lookups
+---------------------------
+
+[Feature 20200509] The threadsafe resolver API (res_nxxx() calls)
+is now the default, not because the API is threadsafe, but because
+this is the API where new features are being added.
+
+To build old style, build with:
+
+ make makefiles CCARGS="-DNO_RES_NCALLS..."
+
+This is the default for systems that are known not to support the
+threadsafe resolver API.
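Review bot: in the "tls" section, the switch of the default fingerprint digest from md5 to sha256 is stated without naming the parameters it applies to, and without saying what it means for fingerprints an administrator has already recorded when compatibility_level is raised to 3.6; name the parameters and add one line advising to either set the digest explicitly or regenerate the recorded fingerprints. In the same section the sentence about tlsproxy_tls_dh512_param_file ends with a comma ("parameter is ignored,") instead of a period. The "compatibility level" paragraph describes the new operators as "<=level, <level" and the standard ones as "<=, <" without a main.cf line showing the new syntax, which makes the 3.10 versus 3.9 remark hard to follow; a short example would help.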