Newer
Older
12001
12002
12003
12004
12005
12006
12007
12008
12009
12010
12011
12012
12013
12014
12015
12016
12017
12018
12019
12020
12021
12022
12023
to refresh more frequently on low-traffic systems.
Cleanup: smtpd_delay_open_until_valid_rcpt (default: yes)
controls whether Postfix delays the start of a mail transaction
until after the first valid recipient, or if it starts a
transaction immediately after MAIL FROM. File: smtpd/smtpd.c.
20060217
Bugfix: don't terminate with a non-standard exit status
when the pipe-to-command feature has a problem before it
executes the command. File: global/pipe_command.c.
20060223
Bugfix: detect integer overflow when multiplying time values
with non-trivial time units. File: global/conv_time.c.
20060307
Bugfix: reset the msg_cleanup() fatal error handler in child
processes. See also change 20060217. Files: postlock/postlock.c,
master/multi_server.c, global/mail_run.c, util/vstream_popen.c.
12027
12028
12029
12030
12031
12032
12033
12034
12035
12036
12037
12038
12039
12040
12041
12042
12043
Bugfix: the MIME processor assumed that input was null
terminated. This broke with CRLF input to the "sendmail -t"
command in Postfix 2.1 and later (see change 20030416).
Found by Leandro Santi. Based on patch by Victor Duchovni.
Files: global/mime_state.c, global/is_header.c.
20060313
Cleanup: the message arrival time (start of the receive
transaction) no longer controls message expiration or
delivery attempts. Instead, expiration and delivery are
now controlled by the time when the cleanup server creates
a queue file. This closes a problem that was introduced
with the 20051104 change that introduced higher-resolution
delay time keeping: as a result, "postsuper -r" could no
longer manipulate the mail expiration schedule, so that
mail "on hold" could expire too soon.
Workaround. the PCRE library reports an inappropriate error
code (invalid substring) when $number refers to a valid ()
expression that matches the null string. This caused fatal
run-time errors. File: dict_pcre.c.
20060324
Cleanup: eliminated name collisions between global and local
variables, and other forms of shadowing. Documented switch
fall-throughs with /* FALLTHROUGH */ where this wasn't
already done. Replaced (var = expr) by (var = expr) != 0
where this wasn't already done.
20060324
Bugfix: mis-placed parenthesis in a before-filter error
test. A filter timeout was mis-reported as lost connection.
Found in code review. File: smtpd/smtpd_proxy.c.
12066
12067
12068
12069
12070
12071
12072
12073
12074
12075
12076
12077
12078
12079
12080
12081
12082
12083
12084
12085
12086
12087
12088
12089
12090
12091
12092
12093
12094
12095
20060327
Cleanup: the SQL and LDAP clients now log a warning when
they skip an empty lookup result, so that humans don't have
to wonder why Postfix doesn't find all the database entries.
File: global/db_common.c.
Moved SMTP/LMTP parameter initialization from global/mail_params.c
to the combined smtp/lmtp delivery agent. Added missing
lmtp parameters.
20060328
Feature: configurable chroot directive for the pipe(8)
delivery agent, by Przemyslaw Wegrzyn. Files:
global/pipe_command.c, pipe/pipe.c.
Bugfix: cut-and-paste error: lmtp_connection_cache_limit
was left with the name of smtp_connection_cache_limit.
Reported by Victor? File: src/global/mail_params.h.
20060329
More extensible interface for TLS client/server library,
now passes property structures that combine all the relevant
parameters in one type-safe structure.
TLS session cache activity logging now takes place at TLS
log level 2 or greater.
Cleanup: made fcntl/flock handling consistent with respect
to EINTR (reported by Carlo Contavalli). However, Postfix
is not meant to be signal safe. Only the master daemon
handles signals without terminating, and it uses only a
small subset of Postfix library routines. File: util/myflock.c.
12104
12105
12106
12107
12108
12109
12110
12111
12112
12113
12114
12115
12116
12117
12118
12119
12120
12121
12122
12123
12124
12125
12126
12127
12128
12129
Bugfix: the pipe-to-command error message was lost when the
command could not be executed. File: global/pipe_command.c.
20060404
Bugfix in sanity check: after reading a record from the
address verification database, a sanity check did not reject
a record with all-zero time stamp fields. Such records are
never written; the test is there just in case something is
broken, so that Postfix will not blindly march on and create
chaos. The sanity check tested pointer values, instead of
dereferencing the pointers. Found by Coverity. File:
verify/verify.c.
Bugfix in sanity check: when the maildir delivery routine
opens an output file it looks up the file attributes via
the file handle it just got. There is a sanity check that
detects if the attribute lookup fails, an error that never
happens. The code that handles the impossible error did not
close the output file. This would cause a virtual or local
delivery agent to waste up to 100 file descriptors. But
for that error to happen the system would have to be so
sick that you would have more serious problems than a file
descriptor leak. Found by Coverity. Files: local/maildir.c,
virtual/maildir.c.
20060405
Bugfix: the MIME parser assumed input is null terminated
when reporting errors. Fix by Leandro Santi. Files:
global/mime_state.c, cleanup/cleanup_message.c.
20060411
Bugfix: the SMTP server logged no warning when for some
reason the TLS engine was unavailable in wrappermode. Victor
Duchovni. File: smtpd/smtpd.c.
20060417
Cleanup: when SMTP access table lookup fails, reply with
4xx instead of aborting with a fatal run-time error. The
old behavior assumes local file access, and is inappropriate
with deployment of LDAP and SQL tables. File: smtpd/smtpd_check.c.
20060423
Bugfix: postcat did not print the attribute value of records
containing a named attribute. File: postcat/postcat.c.
20060430
Bugfix: dangling pointer in a function that has no caller.
Found by Coverity. File: tls/tls_prng_exch.c.
Bugfix: the workaround for CA-2003-07 (Sendmail) did not
null terminate the address before logging a warning. Reported
by Kris Kennaway. File: global/tok822_parse.c.
12163
12164
12165
12166
12167
12168
12169
12170
12171
12172
12173
12174
12175
12176
12177
12178
12179
12180
12181
12182
12183
12184
12185
12186
12187
12188
12189
20060301-20060515
Sendmail 8 Milter support, distributed across the smtpd(8)
server for SMTP commands, and the cleanup(8) server for
content inspection and manipulation. The code supports all
requests to add/delete recipients, and to add/delete/replace
message headers, but does not yet support requests to replace
the message body. See MILTER_README for more. Files:
smtpd/smtpd.c, smtpd/smtpd_milter.c, cleanup/cleanup_api.c,
cleanup/cleanup_envelope.c, cleanup/cleanup_extracted.c,
cleanup/cleanup_milter.c, milter/milter.c, milter/milter8.c.
That's 89 lines in smtpd, 1010 lines in cleanup, and 2449
lines of library support, comments not included.
A simple test Milter application for use in regression tests
is in src/milter/test-milter.c. Queue file modifications are
tested with a driver at the end src/cleanup/cleanup_milter.c
that reads commands from a script.
To make debugging easier, uncomment the "#define msg_verbose
2" lines at the top of cleanup_milter.c or milter8.c. This
produces logging without making everything else verbose.
20060510
Preliminary TLS_README and postconf(5) changes completed.
Added smtp_tls_policy_maps and smtp_tls_protocols features
to the smtp/lmtp client, changed smtp_tls_cipherlist to
only apply when TLS is mandatory. Victor Duchovni.
20060512
Destinations that share a common server may have distinct
TLS protocol and cipherlist requirements, with mandatory
TLS add the protocol and cipherlist values to the TLS session
20060516
Portability: __float80 alignment, by Albert Chin. File:
util/sys_defs.h.
12208
12209
12210
12211
12212
12213
12214
12215
12216
12217
12218
12219
12220
12221
12222
12223
12224
12225
12226
12227
12228
12229
12230
Further testing of Milter support uncovered typos; a missing
null pointer test while cleaning up after content miltering;
the need for a workaround to not bounce+delete local
submission after it triggers a temporary reject Milter
action.
Workaround: don't bounce+delete a local submission after
it triggers a "reject 4.x.x" action in header/body_checks.
This means an SMTP client now sees "queue file write error"
instead of the text from the "reject 4.x.x text" action.
File: cleanup/cleanup_message.c.
Workaround: OpenSSL 0.9.8[ab] with zlib support interoperability
problem. Victor Duchovni. Files: tls/tls_client.c,
tls/tls_misc.c, tls/tls_server.c.
Added smtpd_tls_protocols parameter to complement
smtp_tls_protocols. Victor Duchovni.
20060517
The smtp_tls_policy_maps table now implements parent domain
matching for destinations that are bare domains (without
enclosing [] or optional :port suffix). This allows one to
set TLS policy for a domain and all sub-domains. Victor
Duchovni.
20060519
The same parameter can bind to different variables in
different daemons. Ignore the variable name when eliminating
duplicates in extract.awk. Victor Duchovni.
20060523
Improved handling of smtp_tls_protocols and smtpd_tls_protocols,
names now processed via name_mask(3) and canonicalized prior
to use in the SMTP/LMTP client TLS session lookup key. Also
simplifies the corresponding code in the TLS driver. Victor
Duchovni.
20060524
Cleanup: send ETRN command parameter when using check_policy
in the context of an ETRN command. Joshua Goodall. File:
smtpd/smtpd_check.c.
20060601
Bugfix (bug introduced 20051118): permit_mx_backup authorized
domains without secondary MX records. Joshua Goodall. File:
smtpd/smtpd_check.c.
20060601
Fixed default value of LMTP TLS client certificate parameters,
using the SMTP values as a default was wrong. Victor Duchovni.
20060603
Different transports may have different CAfile or CApath
settings. We need to add the transport name to the TLS
session lookup key so that sessions verified with one set
of trusted roots are not inadvertantly considered verified
for another. Victor Duchovni.
20060604
Cleanup: minor fluff found with the BEAM source code analyzer.
12277
12278
12279
12280
12281
12282
12283
12284
12285
12286
12287
12288
12289
12290
12291
12292
12293
12294
12295
12296
12297
12298
12299
12300
12301
12302
12303
12304
12305
12306
12307
12308
12309
12310
12311
12312
12313
12314
12315
12316
12317
12318
Files: global/quote_821_local.c, global/quote_822_local.c,
master/master_spawn.c, pickup/pickup.c, util/match_ops.c,
util/safe_open.c, xsasl/xsasl_cyrus_client.c.
20060606
Safety: mail receiving daemons (smtpd, qmqpd) now pass
actual client name/addres/helo attributes in addition to
the attributes used for logging (xforward). This prevents
Milter applications from treating qmqpd mail as if it
originated locally, and prevents incorrect Milter decisions
after "postsuper -r". Files: smtpd/smtpd.c, qmqpd/qmqpd.c,
cleanup/cleanup_envelope.c, cleanup/cleanup_milter.c,
cleanup/cleanup_state.c, global/post_mail.c, *qmgr/qmgr_message.c,
*qmgr/qmgr_deliver.c, global/deliver_request.c,
global/deliver_pass.c, local/forward.c.
Bugfix: qmgr panic after queue file corruption by Mailscanner.
Files: *qmgr/qmgr_message.c.
Bugfix: XCLIENT didn't work with smtpd_delay_reject=no
(problem reported by Joshua Goodall). To make XCLIENT work
correctly with built-in restrictions and with Milter
applications, the SMTP server now jumps back to the very
start (the 220 phase) of an SMTP session. File: smtpd/smtpd.c.
20060606
Portability: Some systems no longer support the traditional
"sort +0 -2 +3". Victor Duchovni.
20060607
Portability: Found by BEAM static code analyzer. SSL options
(long) were stored as int.
20060610
Cleanup: XCLIENT and XFORWARD attribute values are now sent
as xtext encoded strings. For backwards compatibility,
Postfix will still accept unencoded attribute values. Files:
smtpd/smtpd.c, smtpd/smtpd_proxy.c, smtp/smtp_proto.c.
Robustness: additional sanity checks for common database
routines. Viktor Dukhovni. File: global/db_common.c.
Portability: LDAP 2.3 API support. Viktor Dukhovni. File:
global/dict_ldap.c.
Security: the PostgreSQL client was updated after the
PostgreSQL developers made major database API changes in
response to PostgreSQL security issues. This breaks support
for PGSQL versions prior to 8.1.4, 8.0.8, 7.4.13, and 7.3.15.
Support for these requires major code changes which are not
possible in the time that is left for the Postfix 2.3 stable
release.
Specific PostgreSQL client changes: use connection-aware
quoting, and more robust PQexec() result handling. Previous
versions of the dict_pgsql driver didn't check the status
of the result pointer, and certain exceptional events can
be mis-interpreted as an empty result set. Fixes by Leandro
Santi. File: global/dict_pgsql.c.
12343
12344
12345
12346
12347
12348
12349
12350
12351
12352
12353
12354
12355
12356
12357
12358
12359
12360
12361
12362
12363
12364
12365
12366
12367
12368
12369
12370
12371
12372
12373
12374
12375
12376
12377
12378
12379
12380
12381
12382
12383
12384
12385
12386
12387
12388
12389
12390
12391
12392
12393
12394
20060612
Changed smtp security level parsing and level->name conversion
to use name_code(3). Victor Duchovni.
Implemented new smtp_tls_security_level parameter, to replace
the unnecessarily complex smtp_use_tls, smtp_enforce_tls
and smtp_tls_enforce_peername parameters. The main.cf
security level settings are now consistent with the new
policy table. Victor Duchovni.
The smtp_sasl_tls_verified_security_options feature is not
yet complete, added #ifdef SNAPSHOT and changed documentation
to delay introduction until Postfix 2.4. Victor Duchovni.
20060614
Merged in Victor's work including the new TLS policy table
and a complete set of configuration parameters for the LMTP
personality of the unified SMTP/LMTP client.
Allow mandatory TLS encryption with LMTP over UNIX-domain
sockets. Victor Duchovni.
Safety: improved code to avoid I/O on connections after the
TLS handshake fails. Victor Duchovni.
20060615
Cosmetic patch for const strings. Stefan Huehner.
Other cosmetic changes, mainly whitespace.
20060616
The qshape.pl script was updated for the pointer records
that were introduced to support message content modification
by Milter applications. Victor Duchovni.
20060620
Feature: Substantially better cipherlist specification
interface and support for anonymous ciphers when certificates
are not needed. The primary interface in main.cf and the
policy table selects one of 5 grades for mandatory TLS with
smtp(8) or lmtp(8) or for all TLS sessions with smtpd(8).
The levels are "high", "medium" (or better), "low" (or
better), "export" (or better) and "null". The underlying
definitions of these levels are configurable, but users are
strongly encouraged to not change those definitions. Victor
Duchovni.
Bugfix: the Milter reply syntax checker was off by one.
File: milter/milter8.c.
Workaround: disable SMTP connection cache lookup by server
IP address when the tls_per_site policy table is enabled.
This is a workaround for a shortcoming in the SMTP connection
cache implementation, which retrieves the server hostname
from the cached connection. Since this server name is not
obtained in a secure manner, it must not be allowed to
control the tls_per_site policy. File: smtp/smtp_reuse.c.
Cleanup: mumble_mandatory_tls_mumble parameters renamed to
mumble_tls_mandatory_mumble; added _mandatory_ qualifier
to names of parameters that affect only mandatory TLS.
Features promoted from SNAPSHOT to STABLE: the "sleep"
pseudo restriction; Postfix daemons now read the local
timezone file before chrooting; trivial-rewrite now detects
table changes every 10 seconds, so it restarts more timely.
Features that stay #ifdef SNAPSHOT: tcp_table,
lmtp_sasl_tls_verified_security_options, and
smtp_sasl_tls_verified_security_options.
Compatibility: Sendmail does not send its own Received:
header to Milter applications. Offsets in header replace
requests are relative to the message content as received
(i.e. without our own Received: header), while offsets in
header insert requests are relative to the message as
delivered (i.e. they include our own Received: header).
This explains why dk-filter would sign our own Received:
header but place the signature between our own Received:
header and the rest of the message, violating the draft
domainkeys spec.
Cleanup: more graceful handling of queue file read/write
errors while processing milter message modification requests.
Files: cleanup/cleanup_milter.c, milter/milter8.c.
Debugging: the Postfix milter client gives more context
when it experiences trouble while talking to an uncooperative
Milter application. File: milter/milter8.c.
Compatibility: with OpenBSD 2.7 and later, the alias file
is now in /etc/mail/aliases.
Bugfix: the Milter client skipped zero-length body lines.
File: milter/milter8.c.
12456
12457
12458
12459
12460
12461
12462
12463
12464
12465
12466
12467
12468
12469
12470
12471
12472
12473
12474
12475
12476
Feature (just this one): RFC 3834 "Auto-Submitted:" message
header in DSNs. File: bounce/bounce_notify_util.c.
20060705
Portability: LP64 systems required a few ssize_t->int casts
in debug logging statements. Files: milter/test_milter.c,
cleanup/cleanup_milter.c.
Cleanup: comments, error messages, and crumbling interfaces.
20060707
Workaround: apparently, Solaris gettimeofday() can return
out-of range microsecond values. File: src/global/log_adhoc.c.
Robustness: the SMTPD policy client now encodes the
ccert_subject and ccert-issuer attributes as xtext. Some
characters are replaced by +XX, where XX is the two-digit
hexadecimal code for the character value. File:
smtpd/smtpd_check.c.
Safety: the SMTP/LMTP client now defers delivery when a
SASL password exists, but the server does not offer SASL
authentication. Mail could be rejected otherwise. This may
become an issue now that Postfix retries delivery in plaintext
after an opportunistic TLS handshake fails. Specify
"smtp_sasl_auth_enforce = no" to deliver mail anyway. File:
smtp/smtp_proto.c. See workaround 20060711 for sender-dependent
SASL passwords. This was undone with the 20060719 workaround.
12486
12487
12488
12489
12490
12491
12492
12493
12494
12495
12496
12497
12498
12499
12500
12501
12502
12503
12504
12505
12506
12507
12508
12509
12510
12511
12512
12513
12514
12515
12516
12517
12518
12519
12520
12521
12522
12523
12524
12525
20060709
Cleanup: the new single smtpd_tls_security_level parameter
obsoletes the multiple smtpd_use_tls and smtpd_enforce_tls
parameters. This is done for consistency with the Postfix
SMTP client. In the Postfix SMTP server, the levels "verify"
and "secure" are currently not applicable, and are treated
as "encrypt", after logging a warning. Files: smtpd/smtpd.c,
tls/tls_level.c, smtp/smtp_session.c.
Compatibility: don't send the first (blank) body line to
Milter applications. This broke domain key etc. signatures
when verified by non-Postfix MTAs. File: milter/milter8.c.
20060710
Cleanup: more consistency between smtpd(8) and smtp(8) TLS
configuration interfaces: smtpd_tls_mandatory_exclude_ciphers,
smtpd_tls_mandatory_ciphers, smtpd_tls_mandatory_protocols.
By Victor. Files:smtpd/smtpd.c.
Cleanup: to support domainkey signing of bounces and
Postmaster notices, enable content inspection of Postfix-
generated mail with the new internal_mail_filter_classes
feature. This is disabled by default, because it is not
yet safe enough. Files: global/int_filt.[hc] and everything
that calls post_mail_fopen*().
20060711
Cleanup: smtpd_tls_mumble -> smtpd_tls_mandatory_mumble,
and finer control over the Postfix SMTP server TLS ciphers,
all this for consistency with the same functionality in the
Postfix SMTP client. Victor Duchovni.
Compatibility: Sendmail's milter client handles whitespace
after the header label and ":" in an interesting manner.
It eats one space (not tab). File: milter/milter8.c.
Workaround: if sender-dependent SASL passwords are enabled,
don't defer delivery when a SASL password exists but the
server doesn't announce SASL support. File: smtp/smtp_proto.c.
Cleanup: format of cleanup milter reject messages. File:
cleanup_milter.c.
Bugfix: file/memory leak if a transfer of multiple milters
from smtpd to cleanup broke in the middle. Found by Coverity.
File: milter/milter.c.
12537
12538
12539
12540
12541
12542
12543
12544
12545
12546
12547
12548
12549
12550
12551
12552
12553
12554
12555
12556
12557
12558
12559
12560
12561
12562
12563
12564
12565
12566
12567
12568
12569
12570
12571
12572
12573
12574
12575
12576
12577
12578
12579
12580
12581
12582
12583
12584
12585
12586
12587
12588
12589
12590
12591
12592
12593
12594
12595
12596
12597
12598
12599
12600
12601
12602
12603
12604
12605
12606
12607
12608
12609
12610
12611
12612
20060716
Bugfix: "sendmail -bs" panic caused by a missing
SMTPD_STATE_ALONE() guard before a milter_abort() call.
File: smtpd/smtpd.c.
Bugfix (bug introduced with Postfix 2.2): the Postfix SMTP
client enforced Mandatory TLS only when talking to an ESMTP
server; enforcement did not happen if Postfix could somehow
be forced to send HELO instead of EHLO. Victor Duchovni.
File: src/smtp/smtp_proto.c.
20060718
Bugfix (bug introduced 20060711): null pointer bug when
rejecting SMTP mail with Milter application. File:
cleanup/cleanup_milter.c.
Workaround (problem introduced in 200605/200606 TLS update):
the Postfix SMTP server now issues TLS session IDs even
when TLS session caching is turned off, otherwise MS Outlook
fails to deliver mail. There may also be interoperability
issues with other MTAs that we haven't discovered yet.
Specify "smtpd_tls_always_issue_session_ids = no" to disable
the workaround. Victor Duchovni. Files: smtpd/smtpd.c,
tls/tls_server.c.
20060719
Cleanup: the smtp_sasl_auth_enforce feature is gone. It was
meant to work around a problem that was introduced with
plaintext fallback after a failed TLS handshake. Unfortunately,
it created more problems than it solved. We now address the
underlying problem more directly as described next. File:
smtp/smtp_proto.c.
Safety: don't fall back to plaintext delivery after failed
TLS handshake, when the Postfix SMTP client would have
attempted to log in with SASL after successful TLS handshake.
This avoids undesirable behavior regardless of whether the
server does support SASL over plaintext (unexpected password
disclosure) and whether the server doesn't support SASL
over plaintext (insufficient mail relay permission). Files:
smtp/smtp_connect.c, smtp/smtp_session.c, smtp/smtp_proto.c.
20060720
Compatibility: replace %% in milter replies by %, and strip
single (i.e. invalid) % characters. File: milter/milter8.c.
Compatibility: $_ macro support for Milter applications.
Files: smtpd/smtpd.c, smtpd/smtpd_milter.c,
cleanup/cleanup_state.c, cleanup/cleanup_milter.c.
20060721
Safety: disable Milter processing after "postsuper -r". If
the mail has been filtered there is no need to do it again.
Moreover, when mail has passed through an external content
filter, we don't have sufficient information to reproduce
the exact same SMTP events and Sendmail macros that Milters
received when the mail originally arrived in Postfix. This
change does not affect Milter applications that run behind
an after-queue content filter. File: pickup/pickup.c.
Bugfix: Milters received a truncated ORCPT=xxx parameter
due to destructive parsing of something that didn't have
to be preserved before Milter support was added to Postfix.
File: smtpd/smtpd.c.
20060724
Bugfix: when updating the same header multiple times, the
Postfix Milter client created a queue file that caused
delivery agents to loop. File: cleanup/cleanup_milter.c.
12613
12614
12615
12616
12617
12618
12619
12620
12621
12622
12623
12624
12625
12626
12627
12628
12629
20060725
Bugfix: damaged queue file record after a Milter request
to modify a message header when 1) it was the last header
in the unmodified message, and 2) the old header was less
than 15 characters long. File: cleanup/cleanup_milter.c.
Bugfix: don't panic in smtp_rcpt_cleanup() after detecting
a damaged queue file record. File: smtp/smtp_proto.c.
20060726
Bugfix: the 20051013 change to enforce the message size
limit in the SMTP server didn't work for size limits close
enough to INT_MAX. File: smtpd/smtpd.c.
Bugfix (introduced Postfix 2.3): after an SMTP client was
rejected with "smtpd_delay_reject = no", the SMTP server
would panic as it generated spurious Milter requests for
unrecognized commands. File: smtpd/smtpd.c.
20060727
Cleanup: change redundant milter_abort() and milter_disc_event()
calls into NO-OPs. This avoids unnecessary panic() events
for completely harmless conditions. File: milter/milter8.c.
Bugfix (introduced Postfix 2.3): #ifdef damage caused
12644
12645
12646
12647
12648
12649
12650
12651
12652
12653
12654
12655
12656
12657
12658
12659
12660
12661
12662
12663
smtp_sasl_start() to be invoked twice. Reported by C-J
Lofstedt. File: smtp/smtp_sasl_proto.c.
20060806
Postfix no longer announces its name in delivery status
notifications. Users believe that Wietse provides a free
helpdesk service that solves all their email problems.
Credits to Jonathan Balester. File: bounce/bounce_templates.c.
20060807
Bugfix (introduced Postfix 2.2): when upgrading from Postfix
< 2.2 with the third-party TLS patch, the post-install
upgrade procedure didn't put a "?" in the existing tlsmgr
entry, causing tlsmgr to repeatedly start and exit when TLS
support was not compiled in. File: conf/post-install.
20060812
Bugfix (introduced < Postfix alpha): safety mechanism in
mail_date() didn't work. Found in code review. File:
global/mail_date.c.
20060817
Test programs for host address->name and name->address
lookups to debug name service inconsistencies, typically
when the Postfix SMTP server claims that a hostname is
"unknown". Files: auxiliary/name-addr-test/*.
20060822
Added missing logging for "message to large" etc. Files:
smtpd/smtpd.c, cleanup/cleanup_milter.c.
20060823
Bugfix (introduced Postfix 2.2): segfault when vstream_fclose()
attempted to flush unwritten output, after vstream_fdclose()
had already disconnected the stream from its file descriptor.
File: util/vstream.c.
Bugfix (introduced Postfix 2.2): vstream_fdclose() did not
flush unwritten output before disconnecting a stream from
its file descriptor(s). File: util/vstream.c.
12691
12692
12693
12694
12695
12696
12697
12698
12699
12700
12701
12702
12703
12704
12705
12706
12707
12708
12709
Feature: smtp-sink can capture mail to file, either as one
individual message per file, or as multiple messages per
file. After an initial implementation by Weidong Cui. File:
smtpstone/smtp-sink.c.
Bugfix (introduced < Postfix alpha): smtp-sink did not
correctly recognize DOT-CR-LF immediately after DATA. File:
smtpstone/smtp-sink.c.
Cleanup: smtp-sink now requires that MAIL FROM, RCPT TO and
DATA be send in the correct order. This simplified the
implementation of the capture to file feature. File:
smtpstone/smtp-sink.c.
20050824
Portability: inside functions, GCC 4 refuses forward
declarations of static functions. File: smtpstone/smtp-sink.c.
20060825
Bugfix (introduced Postfix 2.3): with headers-only mail, a
Milter "header insert" action corrupted the queue file. The
cleanup server executed some end-of-body action before the
end-of-header actions. File: cleanup/cleanup_message.c.
Robustness: mail delivery agents now detect loops in queue
files. Files with too many backward jumps are saved to the
"corrupt" directory. File: global/record.c.
12720
12721
12722
12723
12724
12725
12726
12727
12728
12729
12730
12731
12732
12733
12734
12735
12736
12737
12738
12739
12740
12741
12742
12743
12744
12745
12746
12747
12748
12749
12750
12751
12752
12753
12754
12755
20060831
Bugfix (introduced with initial implementation): missing
"dict_errno = 0" caused mis-leading error messages after
non-error lookup failure. Victor Duchovni. File:
util/dict_cidr.c.
Robustness: the default TLS cipher lists were changed from
!foo:ALL into ALL:!foo. Victor Duchovni. Files:
global/mail_params.h and documentation.
20060902
Bugfix (introduced Postfix 2.3): the LMTP client stripped
"inet": from the next-hop destination, but still used the
complete next-hop from the delivery request. File:
smtp/smtp_connect.c.
20060903
Cleanup: record loop detection. File: global/record.c.
20060929
Workaround: AIX 5.[1-3] getaddrinfo() creates socket address
structures with a non-zero port value. This breaks the
smtp_bind_address etc. features, and breaks inet_interfaces
settings with only one IP address. Problem reported by
Hamish Marson. Files: util/sock_addr.[hc], util/myaddrinfo.c.
Bugfix (introduced with the Postfix TLS patch): memory leak
in verify_extract_peer(). The OpenSSL documentation provides
no information on how subjectAltNames are managed. Sam
Rushing, ironport. File: tls/tls_client.c.
Bugfix (introduced with Postfix 2.2): smtp_generic_maps
12757
12758
12759
12760
12761
12762
12763
12764
12765
12766
12767
12768
12769
12770
12771
12772
12773
turned on MIME conversion. File: smtp/smtp_proto.c.
Workaround: don't send SIZE information in the MAIL FROM
command when message content will be subject to 8bit ->
quoted-printable conversion. File: smtp/smtp_proto.c.
20061002
Compatibility: Sendmail now invokes the Milter connect
action with the verified hostname instead of the name
obtained with PTR lookup. File: smtpd/smtpd.c.
20061004
Cleanup: force space between mailq queueid+status and file
size items. File: showq/showq.c.
12774
12775
12776
12777
12778
12779
12780
12781
12782
12783
12784
12785
12786
12787
12788
12789
12790
20061005
Cleanup: make CISCO PIX bug workarounds configurable. This
introduces new parameters: smtp_pix_workarounds (default:
disable_esmtp, delay_dotcrlf) and smtp_pix_workaround_maps
(workarounds indexed by server IP address). The default
settings are backwards compatible. File: smtp/smtp.c,
smtp/smtp_proto.c.
20061006
Workaround: include the smtpd(8) service name when searching
the TLS session cache, to avoid cross-talk between multiple
master.cf entries. This does not eliminate cross-talk between
multiple (x)inetd.conf entries. Victor Duchovni. Files:
smtpd/smtpd.c, tls/tls_server.c.
12791
12792
12793
12794
12795
12796
12797
12798
12799
12800
12801
12802
12803
12804
12805
12806
12807
12808
12809
12810
12811
12812
12813
12814
20061015
Cleanup: convert the Milter {mail_addr} and {rcpt_addr}
macro values to external form. File: smtpd/smtpd_milter.c.
Cleanup: the Milter {mail_addr} and {rcpt_addr} macros are
now available with non-SMTP mail. File: cleanup/cleanup_milter.c.
Cleanup: convert addresses in Milter recipient add/delete
requests to internal form. File: cleanup/cleanup_milter.c.
Cleanup: with non-SMTP mail, convert addresses in simulated
MAIL FROM and RCPT TO events to external form. File:
cleanup/cleanup_milter.c.
20061017
Cleanup: removed spurious warning when the cleanup server
attempts to bounce mail with soft_bounce=yes. Problem
reported by Ralf Hildebrandt. File: cleanup/cleanup_bounce.c.
Bugfix: null pointer bug when receiving a non-protocol
response on a cached SMTP/LMTP connection. Report by Brian
Kantor. Fix by Victor Duchovni. File: smtp/smtp_reuse.c.
12816
12817
12818
12819
12820
12821
12822
12823
12824
12825
12826
12827
12828
12829
12830
12831
12832
12833
12834
12835
12836
12837
12838
12839
20061106
Feature: new retry delivery agent, to avoid the synchronous
defer service client in the queue manager. This code is
co-located with the error(8) server. File: error/error.c.
Performance: the queue manager could spend too much time
in the synchronous defer service client, causing the watchdog
timer to go off. Where possible, the queue manager now
bounces or defers recipients asynchronously, by routing
them to the error or the retry delivery agent. Code by
Wietse and Patrik Rak. Files: global/recipient_list.c,
*qmgr/qmgr_error.c, *qmgr/qmgr_defer.c, *qmgr/qmgr_entry.c,
*qmgr/qmgr_deliver.c, *qmgr/qmgr_message.c.
Performance: refined recipient and job grouping, and more
agressive early refill of in-memory recipients to prevent
a worst-case scenario where the queue manager became starved
until after the last batch of slow in-memory recipients of
jumbo multi-recipient mail. Code by Patrik Rak. Files:
global/mail_conf_time.c, qmgr/qmgr_message.c, qmgr/qmgr.c,
qmgr/qmgr.h, qmgr/qmgr_entry.c, qmgr/qmgr_job.c,
qmgr/qmgr_message.c, qmgr/qmgr_transport.c.
12840
12841
12842
12843
12844
12845
12846
12847
12848
12849
12850
12851
12852
12853
12854
12855
12856
12857
12858
12859
12860
12861
12862
12863
12864
12865
12866
12867
12868
12869
12870
12871
12872
12873
12874
12875
12876
12877
12878
12879
12880
12881
12882
12883
12884
12885
12886
12887
20061113
Bugfix: the Postfix install/upgrade procedure broke with
non-default config_directory. File: conf/post-install.
20061115
Bugfix: null pointer bug in end-of-header Milter action
when the last header line is too large. Reported by Mark
Martinec. The root of the problem is that the MIME state
engine may execute up to three call-back functions when it
reaches the end of the headers, before it returns to the
caller; as long as call-backs return no result, each call-back
has to check for itself if a previous call-back ran into a
problem. File: milter/milter8.c.
Workaround: reduce effective header_size_limit to 60000
when Milter inspection is enabled, to avoid breaking the
Milter protocol request length limit. File:
cleanup/cleanup_message.c.
20061123
Safety: don't read more than 5000 recipients at a time, to
avoid spending too much time away from interrupts. File:
qmgr/qmgr_message.c.
20061201
Workaround: don't complain with "Error 0" in the trivial-rewrite,
verify, proxymap or connection cache client when the server
exits after the client sends its request. We still complain,
however, when the problem persists. Files: global/rewrite_clnt.c,
global/resolve_clnt.c, global/verify_clnt.c, global/scache_clnt.c,
global/dict_proxy.c.
Safety: the header_size_limit is now enforced more strictly,
to avoid inter-operability problems with the Milter protocol.
Long headers are truncated at a line boundary if possible,
otherwise they are cut between line boundaries. File:
cleanup/cleanup_out.c.
20061203
Bugfix (introduced with Postfix 2.2): with SMTP server
tarpit delays of smtp_rset_timeout or larger, the SMTP
client could get out of sync with the server while reusing
a connection. The symptoms were "recipient rejected .. in
12888
12889
12890
12891
12892
12893
12894
12895
12896
12897
12898
12899
12900
12901
12902
12903
12904
12905
12906
12907
12908
12909
12910
12911
12912
12913
12914
12915
12916
12917
12918
12919
12920
12921
12922
12923
12924
12925
12926
12927
12928
12929
12930
12931
12932
12933
12934
12935
reply to DATA". Fix by Victor Duchovni and Wietse. Files:
smtp/smtp_proto.c, smtp/smtp_connect.c.
Robustness: the vbuf and vstream documentation claimed that
their *error() macros reported timeout errors, but they
didn't really. The implementation was fixed, and redundant
vstream_ftimeout() calls were removed. As a result, many
Postfix daemons now properly detect write timeout errors
on internal connections. Files: util/vbuf.h.
Workaround: some broken SMTP servers reply and hang up in
the middle of DATA. The Postfix SMTP client now stops sending
and tries to receive the server response. This can help to
avoid repeated delivery attempts. Initial implementation
by Wietse, later work by Victor Duchovni. Files:
smtp/smtp_proto.c, smtpstone/smtp-sink.c, util/vstream.c,
plus trivial mods for code thatr calls vstream_fpurge().
20061204
Compatibility: The Postfix installation/upgrade procedure
no longer sets "unknown_local_recipient_code = 450" in
main.cf. This was a safety net for upgrades from Postfix
1.x. Four years later is no longer needed. File:
conf/post-install.
Cleanup: removed vstream_fclose() error warning in the code
that disconnects from a delivery agent. There is no need
to report errors here because they would already be reported
earlier. Files: *qmgr/qmgr_deliver.c.
Robustness: "kill me after N seconds" feature to ensure
that a daemon process does not get stuck while preparing
for exit after signal arrival. File: util/killme_after.[hc],
util/watchdog.c, master/master_sig.c.
20061206
Robustness: low-cost re-entrancy guard that allows daemons
to safely call msg_fatal() etc. from a signal handler,
without risking memory corruption, or deadlock on Redhat
Linux. This works provided that the signal handler terminates
the process. In that special case we need not guarantee
after-the-fact consistency of the thread that was interrupted.
File: util/msg_output.c.
Robustness: replace exit() calls by _exit(). File: util/msg.c,
bounce/bounce_cleanup.c.
12939
12940
12941
12942
12943
12944
12945
12946
12947
12948
12949
12950
12951
12952
12953
12954
12955
12956
12957
12958
12959
12960
Workaround: on systems with usable futimes() or equivalent
(Solaris, *BSD, MacOS, but not Linux), always explicitly
set the queue file last modification time stamps while
creating a queue file. With this, Postfix can avoid logging
warnings when the file system clock is ahead of the local
clock. Clock skew can be a problem, because Postfix does
not deliver mail until the local clock catches up with the
queue file's last modification time stamp. File:
global/mail_stream.c.
Workaround: on systems without usable futimes() or equivalent,
log a warning when the file system clock is more than 100
seconds behind the local clock. This does not cause mail
delivery problems, but it just looks silly in message
headers. File: global/mail_stream.c.
On systems without usable futimes() (Linux, and ancient
versions of Solaris, SunOS and *BSD) Postfix will keep using
the slower utime() system call to update queue file time
stamps when the file system clock is off with respect to
the local system clock.
Compatibility with Postfix < 2.3: undo the change to bounce
instead of defer after pipe-to-command delivery fails with
a signal. File: global/pipe_command.c.
20061208
Workaround: apparently, some mail software removes or hides
"<postmaster>" in the Postfix bounce text, because it
processes the text as if it were HTML. This confuses users.
The bounce template has been updated to remove the < and
Cleanup: when smtp_generic_maps is turned on, don't parse
MIME structures in the message body. Victor Duchovni. File:
smtp/smtp_proto.c.
20061210
Cleanup: streamline the signal handler reentrancy protections,
and document under what conditions these protections work,
with REENTRANCY sections in the relevant man pages. Files:
util/vbuf_print.c. util/msg.c, util/msg_output.c.
12984
12985
12986
12987
12988
12989
12990
12991
12992
12993
12994
12995
12996
12997
12998
12999
13000
20061211
Cleanup: when doing server access control by the remote TLS
client fingerprint, do not require client certificate
verification. Victor Duchovni. File: smtpd/smtpd_check.c.
Safety: when the remote TLS client certificate isn't verified,
don't send ccert_subject and ccert_issuer attributes in
check_policy_service requests. Victor Duchovni. File:
smtpd/smtpd_check.c.
Bugfix: the postconf command still complained about an
unqualified machine name, because it was not updated with
the 20050513 change that introduced a default "mydomain =
localdomain". File: postconf/postconf.c.
20061213