HISTORY

	qmqpd_client_port_logging parameter setting. File:
	qmqpd/qmqpd.c.

20071216

	Cleanup: show the remote SMTP server port in verbose logging,
	warnings and postmaster notices.  Still don't show the port
	in delivery status notifications. Files: smtp/smtp_chat.c,
	smtp/smtp_sasl_glue.c, smtp/smtp_sasl_proto.c.

	The "tls_require_cert" is now compatible with OpenLDAP 2.1
	and later. Victor Duchovni. Files: proto/ldap_table,
	global/dict_ldap.c.

20071218

	Cleanup: removed the "#ifdef USE_LIBMILTER_INCLUDES"
	dependencies on system-installed Milter protocol include
	files. Verified that the object code has not changed. File:
	milter/milter8.c.

	Sanity check: idiot filter to detect attempts to use the
	same database file for different TLS session caches.  File:
	tlsmgr/tlsmgr.c.

	Cleanup: updated the spell check stoplist and the spell
	check script. Files: mantools/spell, proto/stop.

	Cleanup: replaced documentation references to xxgdb by ddd.
	The xxgdb program hasn't been updated in more than 10 years.
	Files: proto/postconf.proto, conf/main.cf.

20071219-20

	Feature: support for all new Sendmail 8.14 Milter features
	except SMFIR_SKIP (skip further events of this type),
	SMFIP_RCPT_REJ (report rejected recipients to the mail
	filter), SMFIR_CHGFROM (replace sender, with optional ESMTP
	command parameters), and SMFIR_ADDRCPT_PAR (add recipient,
	with optional ESMTP command parameters). Files: milter/milters.c,
	milter/milter8.c, milter/test-milter.c, cleanup/cleanup_milter.c.

20071221

	Feature: support for Sendmail 8.14 Milter SMFIR_SKIP (skip
	further events of this type). Files: milter/milter8.c,
	milter/test-milter.c.

	Cleanup: don't try sending HELO after a 421 EHLO reply.
	File: smtp/smtp_proto.c.

20071221-nonprod

	Using 20071221 as reference point.

	Cleanup: Simplified TLS library cipher and protocol API to
	just pass string-valued properties to tls_client_init() and
	tls_client_start(). The client is now agnostic of the
	mechanics of cipher management internal to the library. The
	main.cf parameters used internally in the library are now
	loaded by the library, not the caller. Files:
	src/smtp/lmtp_params.c, src/smtp/smtp.c, src/smtp/smtp.h,
	src/smtp/smtp_params.c, src/smtp/smtp_proto.c,
	src/smtp/smtp_session.c, src/smtpd/smtpd.c, src/tls/tls.h,
	src/tls/tls_client.c, src/tls/tls_level.c, src/tls/tls_misc.c,
	src/tls/tls_server.c, src/tls/tls_session.c, src/tls/tls_verify.c
	and src/tlsmgr/tlsmgr.c

	Cleanup: Client session lookup key "salting" is now handled
	internally in the tls library. Files: src/tls/tls_client.c

	Cleanup: Cipher state is cached, and only updated when
	necessary.  Files: src/tls/tls_misc.c

	Feature: Extended the syntax of protocol selection to allow
	exclusions as well as inclusions. Files: src/tls/tls_misc.c

	Cleanup: Updated default verification depth to match reality:
	default is 9 in OpenSSL and we don't yet override it.  When
	we do (soon), the default will match previous behavior.
	Files: src/global/mail_params.h

	Bugfix: Reference to obsolete "pfixtls" code won't compile
	inside #ifdef for OpenSSL <= 0.9.5a. Using an OpenSSL release
	that old has not been tested for some time, but may now
	work. Files: src/tls/tls_bio_ops.c.

	Replaced "void *" TLS library application handles by explicit
	pointer types, while hiding data structure implementation
	details from the TLS library users. Files: tls/tls_client.c,
	tls/tls_server.c, smtp/smtp.c, smtpd/smtpd.c.

	The TLS library no longer modifies VSTRINGs passed in by
	the caller. Where possible, information is passed as "const"
	from application to library. Files: smtp/smtp_proto.c,
	tls/tls_client.c.

20071227-nonprod

	Replaced explicit initialization of props structures by
	emulating function calls with named parameter lists.  Files:
	tls/tls.h, smtp/smtp.c, smtp/smtp_proto.c, smtpd/smtpd.c.

20071222

	Further polishing of the Milter code and logging. File:
	milter/milter8.c.

20071123

	Further polishing of the Milter code. With SETSYMLIST, each
	Milter can now update its own macros instead of clobbering
	the global copy that is shared with other Milters. Also an
	opportunity to clean up some ad-hoc code for sending macro
	lists from smtpd(8) to cleanup(8). Files: milter/milter.c,
	milter/milter8.c, milter/milter_macros.c.

20071224

	Further polishing of the Milter code. Eliminated unnecessary
	steps from the initial smtpd/cleanup Milter handshake. Files:
	milter/milter.c, milter/milter8.c, milter/milter_macros.c.

	Cleanup: name_code(3) and name_mask(3) now support read-only
	tables. Files: util/name_code.[hc], util/name_mask.[hc].

20071227

	Cleanup: further refinements of the Milter code, allowing
	for multiple macro overrides. The code is now ready for
	serious testing. File: milter/milter8.c.

20071229

	Bugfix: the Milter client did not replace the Postfix-specific
	form for unknown host names by the Sendmail-specific form.
	File: milter/milter8.c.

	Cleanup: when a cleanup milter reports a problem don't log
	generic "4.3.0 Sevice unavailable", but log the text for
	the actual error. File: cleanup/cleanup_milter.c.

20080102-nonprod

	SMTP client fingerprint security level support and configurable
	fingerprint digest algorithm. Victor Duchovni. Files:
	smtp/lmtp_params.c, smtp/smtp.c, smtp/smtp.h,
	src/smtp/smtp_params.c, src/smtp/smtp_proto.c,
	src/smtp/smtp_session.c, tls/tls_client.c, tls/tls_level.c,
	tls/tls_verify.c.

20080103-nonprod

	Missed "invalid TLS configuration" patch for SMTP client.
	Victor Duchovni. File: smtp/smtp_proto.c.

	SMTP server configurable fingerprint digest algorithm.
	Victor Duchovni. Files: smtpd/smtpd.c, tls/tls.h,
	tls/tls_server.c, tls/tls_verify.c.

20080104-nonprod

	Cleanup: finally implemented certificate verification depth
	limit parameters. Prior to Postfix 2.5 these were ignored.
	For backwards compatibility, the default verification depth
	limit is now 9, the OpenSSL default. Victor Duchovni. Files:
	src/tls/tls_client.c, src/tls/tls_server.c, src/tls/tls_verify.c.

	Robustness: Avoid possibility of NULL pointer issues in
	application code that checks certificate names, by providing
	"empty string" values when no data is available.  Victor
	Duchovni.  Files: src/tls/tls_verify.c, src/tls/tls_client.c,
	src/tls/tls_server.c, src/smtpd/smtpd_check.c, src/smtpd/smtpd.c.

	Cleanup: separation of TLS handshake from security level
	enforcement. The library shakes hands; the application
	decides if the resulting security is acceptable. Victor
	Duchovni.  Files: smtpd/smtpd.c, smtpd/smtpd_proto.c,
	tls/tls_server.c, tls/tls_client.c, tls/tls_verify.c.

	Robustness: more robust processing of ASN.1 string attributes
	in x509v3 certificates, plus additional sanity checks (e.g.
	embedded null characters). Victor Duchovni. File:
	src/tls/tls_verify.c.

20080104

	Workaround: minor change to the Dovecot AUTH request to
	prevent dovecot-auth memory wastage. Timo Sirainen.  File:
	xsasl/xsasl_dovecot_server.c.

20080105-nonprod

	Cleanup: renamed TLS-related symbols for consistency (always
	include the init, start, stop prefix in the TLS library
	function and data structure names; consistently distinguish
	between per-application TLS state and per-session TLS state;
	consistently use the fpt prefix for fingerprint related
	variables and structure members; consistent use of monocase
	typedef-ed names).

20080106-nonprod

	Cleanup: consistent use of <pre> and <blockquote> in examples;
	instead of emphasizing new Postfix 2.5 behavior in reference
	documentation, describe the new behavior as "current", with
	historical behavior as a supplemental note.

20080107

	Feature: new "pass" service type (in addition to "inet",
	"unix" and "fifo").  The "pass" service type supports
	front-end daemons that accept all inbound connections and
	that permit only well-behaved clients to talk to the MTA.
	This service type had been sitting in the master daemon for
	years but was disabled by default.  Actual applications for
	this will have to be developed later.  Files: util/upass_connect.c,
	util/upass_trigger.c.

20080108

	Cleanup: where possible, store data structures in read-only
	memory. Besides the security advantage of no write access,
	this also gives slightly better memory utilization when
	many processes execute the same file. Files: pretty much
	everything that has a static table, except for a few tables
	in the benchmark tools with flags that are controlled by
	command-line information.

20080109

	Cleanup: more read-only data. Files: everything that passes
	around a HEADER_OPTS pointer.

20080112

	Safety: optional lookup table to prevent the Postfix SMTP
	client from making repeated SASL login failures with the
	same hostname, username and password.  This introduces new
	parameters: smtp_sasl_auth_cache_name, smtp_sasl_auth_cache_time.
	Based on code by Keean Schupke.  Files: smtp/smtp_sasl_glue.c,
	smtp/smtp_sasl_auth_cache.c.

	Safety: the Postfix SMTP client now by default defers mail
	after the server rejects a SASL login attempt with a 535
	status code.  Specify "smtp_sasl_auth_soft_bounce = no" to
	get the earlier behavior.  Based on code by Keean Schupke.
	Files: smtp/smtp_sasl_glue.c.

20080114

	Safety: the smtpd_client_new_tls_session_rate_limit setting
	now also limits the number of failed TLS handshakes. This
	limits the impact of broken configurations. File: smtpd/smtpd.c.

20080115

	Bugfix (introduced 20080112): Patrik Rak found two bugs
	that largely canceled each other out, causing Postfix not
	to complain about a missing "proxy:" prefix with the new
	smtp_sasl_auth_cache_name parameter setting. File:
	smtp/smtp_sasl_glue.c.

	Documentation: new SOHO_README file for small/home offices.
	The text is automatically generated from bits and pieces of
	information that are scattered across other documents.
	File: mantools/make_soho_readme.

20080116

	Bugfix (introduced 20080112): missing #ifdef for the SASL
	login failure cache. File: smtp/smtp_sasl_auth_cache.h.

20080123

	Name fix: renamed the mumble_delivery_rate_delay parameter
	to mumble_destination_rate_delay, because it really is a
	per-destination feature. With this change we keep the option
	of implementing a future per-transport rate delay.

20080125

	Bugfix (introduced 20071216): missing {} in the LDAP client
	broke OpenLDAP TLS.  The setting tls_require_cert=no was
	further broken because Postfix used OpenLDAP incorrectly.
	Victor Duchovni.  This broke tls_require_cert=no File:
	global/dict_ldap.c.

20080130

	Bugfix (introduced 20071204): wrong proxywrite process limit
	in the default master.cf file.  File: conf/master.cf.

20080201

	Workaround: pick up a missing data_directory setting from
	main.cf when "postfix start" is invoked with an obsolete
	postfix command. File: conf/post-install.

20080207

	Cleanup: soft_bounce support for multi-line Milter replies.
	File: src/milter/milter8.c.

	Cleanup: preserve multi-line format of header/body Milter
	replies. Files: cleanup/cleanup_milter.c, smtpd/smtpd.c.

	Cleanup: multi-line support in SMTP server replies.  File:
	smtpd/smtpd_chat.c.

20080215

	Safety: break SASL loop in case both the SASL library and
	the remote SMTP server are confused. File: smtp/smtp_sasl_glue.c.

20080220

	Safety: the master daemon now sets an exclusive lock on a
	file $data_directory/master.lock, so that the data directory
	can't be shared between multiple Postfix instances.  This
	would corrupt files that rely on single-writer updates
	(examples: verify(8) cache, tlsmgr(8) caches, etc.). File:
	master/master.c.

20080228

	Bugfix: bounce(8) segfault on one-line template text.
	Problem found by Sacha Chlytor. File: bounce/bounce_template.c.

20080310

	Safety: the SMTP server's Dovecot authentication client now
	enforces the SASL mechanism output filter also on client
	command input. File: src/xsasl/xsasl_dovecot_server.c.

20080311

	Bugfix (introduced 20070811): the MAIL and RCPT Milter
	application call-backs no longer received {mail_addr} or
	{rcpt_addr} information. Problem reported by Anton Yuzhaninov.
	File: smtpd/smtpd.c.

20080318

	Human factors: the PCRE and regexp maps now give more
	comprehensible error messages when people make the common
	mistake of indenting if/endif blocks. Files: util/dict_pcre.c,
	util/dict_regexp.c.

20080411

	Bugfix (introduced Postfix 2.0): after "warn_if_reject
	reject_unlisted_recipient/sender", the SMTP server mistakenly
	remembered that recipient/sender validation was already
	done. File: smtpd/smtpd_check.c.

	Bugfix (introduced Postfix 2.3): the queue manager would
	initialize missing client logging attributes (from xforward)
	with real client attributes. Fix: enable this backwards
	compatibility feature only with queue files that don't
	contain logging attributes. Problem reported by Liviu Daia.
	Files *qmgr/qmgr_message.c.

20080424

	Cleanup: some warning messages said "regexp" or "regexp
	map" instead of "pcre map". File: util/dict_pcre.c.

20080428

	Cleanup: the proxy_read_maps (Postfix 2.0) default setting
	was not updated when adding sender/recipient_bcc_maps
	(Postfix 2.1) and smtp/lmtp_generic_maps (Postfix 2.3).
	File: global/mail_params.h.

	Cleanup: the SMTP server's XFORWARD and XCLIENT support was
	not updated when the smtpd_client_port_logging configuration
	parameter was added. Code by Victor Duchovni. Files:
	smtpd/smtpd.c, smtpd/smtpd_peer.c.

20080509

	Bugfix: null-terminate CN comment string after sanitization.
	File: smtpd/smtpd.c.

20080603

	Workaround: avoid "bad address pattern" errors with non-address
	patterns in namadr_list_match() calls. File: util/match_ops.c.

20080620

	Bugfix (introduced 20080207): "cleanup -v" panic because
	the new "SMTP reply" request flag did not have a printable
	name. File: global/cleanup_strflags.c.

	Cleanup: using "Before-queue content filter", RFC3848
	information was not added to the headers. Carlos Velasco.
	File smtpd/smtpd.c.

20080717

	Cleanup: a poorly-implemented integer overflow check for
	TCP MSS calculation had the unexpected effect that people
	broke Postfix on LP64 systems while attempting to silence
	a compiler warning.  File: util/vstream_tweak.c.

20080725

	Paranoia: defer delivery when a mailbox file is not owned
	by the recipient. Requested by Sebastian Krahmer, SuSE.
	Specify "strict_mailbox_ownership=no" to ignore ownership
	discrepancies.  Files: local/mailbox.c, virtual/mailbox.c.

20080804

	Bugfix: dangling pointer in vstring_sprintf_prepend().
	File: util/vstring.c.

20080814

	Security: some systems have changed their link() semantics,
	and will hardlink a symlink, contrary to POSIX and XPG4.
	Sebastian Krahmer, SuSE. File: util/safe_open.c.

	The solution introduces the following incompatible change:
	when the target of mail delivery is a symlink, the parent
	directory of that symlink must now be writable by root only
	(in addition to the already existing requirement that the
	symlink itself is owned by root).  This change will break
	legitimate configurations that deliver mail to a symbolic
	link in a directory with less restrictive permissions.

20080826

	Bugfix (introduced Postfix 2.4): epoll file descriptor leak.
	With Postfix >= 2.4 on Linux >= 2.6, Postfix has an epoll
	file descriptor leak when it executes non-Postfix commands
	in, for example, user-controlled $HOME/.forward files.  A
	local user can access a leaked epoll file descriptor to
	implement a denial of service attack on Postfix. Data
	confidentiality and integrity are not affected.  File:
	util/events.c.

20081022

	Documentation: removed inapplicable daemon_timeout reference
	from qmgr(8), oqmgr(8), pickup(8). These daemons need to
	use a much shorter watchdog timer.

20081108

	Bugfix (introduced Postfix 2.5): the Postfix SMTP server
	did not ask for a client certificate with "smtpd_tls_req_ccert
	= yes". Reported by Rob Foehl. File: smtpd/smtpd.c.

20081126

	Documentation: pcre_table(5) incorrectly claimed that the
	'x' flag supports #comment after text. File: proto/pcre_table.

20081203

	Cleanup: adjust the VSTREAM buffer strategy when reusing
	an SMTP connection with a large TCP MSS value. File:
	smtp/smtp_reuse.c.

20081222

	Documentation: log the "*" pattern as the last transport
	map lookup. File: proto/transport.

20090122

	Bugfix: the data_directory was not automatically created!
	File: conf/postfix-files.

20090304

	Cleanup: skip over suspended or throttled queues while
	looking for delivery requests. File: *qmgr/qmgr_transport.c.

20090305

	Bugfix: in the "new queue manager", the _destination_rate_delay
	code needed to postpone the job scheduler updates after
	delivery completion, otherwise the scheduler could loop on
	blocked jobs.  Victor & Wietse.  File: qmgr/qmgr_entry.c,
	qmgr/qmgr_queue.c, qmgr/qmgr_job.c.

	Cleanup: report a "queue file write error", instead of
	passing though bogus 2xx replies from proxy filters to SMTP
	clients.  File: smtpd/smtpd_proxy.c.

20090310

	Bugfix: Postfix used mumble_concurrency_failed_cohort_limit
	instead of mumble_destination_concurrency_failed_cohort_limit
	as documented. File: global/mail_params.h.

20090419

	Bugfix: don't re-enable SIGHUP if it is ignored in the
	parent. This may cause random "Postfix integrity check
	failed" errors at boot time (POSIX SIGHUP death), causing
	Postfix not to start. We duplicate code from postdrop and
	thus avoid past mistakes.  File: postsuper/postsuper.c.

	Robustness: don't re-enable SIGTERM if it is ignored in the
	parent. Files: postsuper/postsuper.c, postdrop/postdrop.c.

20090428

	Bugfix: don't disable MIME parsing with smtp_header_checks,
	smtp_mime_header_checks, smtp_nested_header_checks or with
	smtp_body_checks. Bug reported by Victor. File: smtp/smtp_proto.c.

20090710

	Bugfix (introduced Postfix 2.3): Postfix got out of sync
	with a Milter application after the application sent a
	"quarantine" request at end-of-message time. The milter
	application would still be in the end-of-message state,
	while Postfix would already be working on the next SMTP
	event (typically, QUIT or MAIL FROM).  Problem diagnosed
	with help from Alban Deniz. File: milter/milter8.c.

20090805

	Bugfix: don't panic when an unexpected smtpd access map is
	specified. File: smtpd/smtpd_check.c.

20090918

	Bugfix (introduced Postfix 2.3): with Milter RCPT TO replies
	turned off, there was no automatic flush-before-read on the
	smtpd-to-milter stream, because the read was done on the
	cleanup-to-milter stream. Problem reported by Stephen Warren.
	File: milter/milter8.c.

20091005

	Bugfix: core dump while printing error message for malformed
	%<letter> sequence in LDAP, MySQL or PostgreSQL configuration.
	File: global/db_common.c. Fix by Victor Duchovni.

20091209

	Bugfix: sender_dependent_relayhost_maps did not reject an
	empty lookup result, and did not recognize lookup errors,
	thus treating errors as "not found". Problem found during
	code maintenance. File: trivial-rewrite/resolve.c.

20100107

	Bugfix: the pickup daemon did not discard messages that
	were requeued after all recipients were delivered (or
	bounced), and the cleanup server tried to bounce such
	messages. Files: pickup/pickup.c, global/cleanup_user.h.

20100115

	Bugfix: the valid_hostname() fuction did not set the
	"non-numeric" flag after encountering the '-' character.
	Reported by Jan Schampera.  File: util/valid_hostname.c.

20100116

	Workaround: as of Postfix 2.3 the VRFY command did not allow
	a mailbox address inside <>, which broke expectations.  RFC
	2821 (and 5321) is vague about the VRFY request format, but
	spends lots of text on the reply format.  File: smtpd/smtpd.c.