Skip to content
HISTORY 680 KiB
Newer Older
Boris Mühmer's avatar
Boris Mühmer committed
	and manual pages that discuss smtpd_recipient_restrictions.

20121001

	Cleanup: prepend 5.1.1 status code to "User unknown in
	virtual alias table". File: trivial-rewrite/resolve.c.
Boris Mühmer's avatar
Boris Mühmer committed

20121003

	Bugfix: the postscreen_access_list feature was case-sensitive
	in the first character of permit, reject, etc. Reported by
	Francis Picabia. File: global/server_acl.c.

Boris Mühmer's avatar
Boris Mühmer committed
20121009

	Documentation: interaction between delay_warning_time,
	notify_classes and delay_notice_recipient. File:
	proto/postconf.proto.

20101009

	Human factors: log a warning that the postcat option -m
	without -h or -b has no effect. File: postcat/postcat.c.

Boris Mühmer's avatar
Boris Mühmer committed
20121010

	Bugfix (introduced: Postfix 2.5): memory leak in program
	initialization. Reported by Coverity. File: tls/tls_misc.c.

	Bugfix (introduced: Postfix 2.3): memory leak in the unused
	oqmgr program. Reported by Coverity. File: oqmgr/qmgr_message.c.

Boris Mühmer's avatar
Boris Mühmer committed
20121011
Boris Mühmer's avatar
Boris Mühmer committed
	Documentation: how to enable /etc/hosts multi-record lookups
	with main.cf settings.  File: proto/LINUX_README.html.
Boris Mühmer's avatar
Boris Mühmer committed
	Documentation: clarified the postscreen-tlsproxy interface.
	File: tlsproxy/tlsproxy.c.
Boris Mühmer's avatar
Boris Mühmer committed
20121012
Boris Mühmer's avatar
Boris Mühmer committed
	Documentation: a simpler null-client example.  File:
	proto/STANDARD_CONFIGURATION_README.html
Boris Mühmer's avatar
Boris Mühmer committed
20121013
Boris Mühmer's avatar
Boris Mühmer committed
	Cleanup: to compute the LDAP connection cache lookup key,
	join the numeric fields with null, just like string fields.
	Viktor Dukhovni. File: global/dict_ldap.c.
Boris Mühmer's avatar
Boris Mühmer committed
20121015
Boris Mühmer's avatar
Boris Mühmer committed
	Documentation: added section on regular-expression tables
	to the aliases(5) manpage. File: proto/aliases.
Boris Mühmer's avatar
Boris Mühmer committed
	Documentation: why "smtp_address_preference = any" is the
	preferred setting. File: proto/postconf.proto.
Boris Mühmer's avatar
Boris Mühmer committed
20121022
Boris Mühmer's avatar
Boris Mühmer committed
	Bugfix (introduced 20101009) don't complain about stray -m
	option if none of -[bhm] is specified. Ralf Hildebrandt.
	File: postmap/postmap.c.
Boris Mühmer's avatar
Boris Mühmer committed
20121029 
Boris Mühmer's avatar
Boris Mühmer committed
	Workaround: strip datalink suffix from IPv6 addresses
	returned by the system getaddrinfo() routine.  Such suffixes
	mess up the default mynetworks value, host name/address
	verification and possibly more. This change obsoletes the
	20101108 change that removes datalink suffixes in the SMTP
	and QMQP servers.  Files: util/myaddrinfo.c, smtpd/smtpd_peer.c,
	qmqpd/qmqpd_peer.c.
Boris Mühmer's avatar
Boris Mühmer committed
20121031
Boris Mühmer's avatar
Boris Mühmer committed
	Bugfix: smtpd_relay_restrictions compatibility shim did not
	detect "empty" value.  Sahil Tandon. The same problem existed
	with the inet_protocols shim. File: conf/post-install.
Boris Mühmer's avatar
Boris Mühmer committed
20121105
Boris Mühmer's avatar
Boris Mühmer committed
	Cleanup: the postscreen(8) "deep protocol" tests now log
	the SMTP command that precedes a protocol violation.  Files:
	postscreen/postscreen_smtpd.c, proto/POSTSCREEN_README.html.
Boris Mühmer's avatar
Boris Mühmer committed
	Bugfix (introduced: Postfix 1.1): wrong string termination
	when handling an MBOX From_ line at the start of a message.
	File: qmqpd/qmqpd.c.
Boris Mühmer's avatar
Boris Mühmer committed
20121110
Boris Mühmer's avatar
Boris Mühmer committed
	Cleanup: specify $(WARN) on the MacOS X compiler command
	line to suppress "nested comment" and possibly other unwanted
	warnings. Problem reported by Jim Reid. File: makedefs,
	Makefile.in.
Boris Mühmer's avatar
Boris Mühmer committed
20121119
Boris Mühmer's avatar
Boris Mühmer committed
	Documentation: added a note that key_format is required
	when postscreen(8) and verify(8) share the same memcache
	(with different persistent backup databases, or course)
	otherwise automatic cache cleanup breaks due to a name
	collision for the "last cache cleanup" database record.
	File: proto/memcache.
Boris Mühmer's avatar
Boris Mühmer committed
20121122
Boris Mühmer's avatar
Boris Mühmer committed
	Cleanup: the safety-check for smtpd_recipient_restrictions
	and smtpd_relay_restrictions now detects permit before
	reject.  File: smtpd/smtpd_check.c.
Boris Mühmer's avatar
Boris Mühmer committed
	Cleanup: the safety-check for smtpd_recipient_restrictions
	and smtpd_relay_restrictions is no longer case-sensitive.
	File: smtpd/smtpd_check.c.
Boris Mühmer's avatar
Boris Mühmer committed
20121123
Boris Mühmer's avatar
Boris Mühmer committed
	Cleanup: consistent escaping of commands in postscreen deep
	protocol test logging. File: postscreen/postscreen_smtpd.c.
Boris Mühmer's avatar
Boris Mühmer committed
20121124
Boris Mühmer's avatar
Boris Mühmer committed
	Documentation: the bounce behavior for automatically-added
	BCC recipients has changed with Postfix 2.3 when DSN support
	was introduced.  File: proto/postconf.proto.
Boris Mühmer's avatar
Boris Mühmer committed
20121203
Boris Mühmer's avatar
Boris Mühmer committed
	Documentation: added explicit example for -o name=value.
	File: proto/master.
Boris Mühmer's avatar
Boris Mühmer committed
20121210
Boris Mühmer's avatar
Boris Mühmer committed
	Bugfix (introduced: Postfix 2.9) nesting count error while
	stripping the optional [] around a DNS[BW]L address pattern.
	This part of the code is not documented and had escaped
	testing.  Files: util/ip_match.c, util/ip_match.in,
	util/ip_match.ref.
Boris Mühmer's avatar
Boris Mühmer committed
20121215
Boris Mühmer's avatar
Boris Mühmer committed
	Bugfix (introduced: 19980218, when recipient_delimiter
	support was added): The error message for unknown local
	users (or missing required aliases) should report the user
	name instead of the full localpart which may contain an
	address extension.  Problem reported by Christian Holler.
	File: local/unknown.c.
Boris Mühmer's avatar
Boris Mühmer committed
20121221
Boris Mühmer's avatar
Boris Mühmer committed
	Feature: "postconf -x" support to expand $name in main.cf
	parameter values. Files: postconf/postconf_main.c,
	postconf/postconf.h, postconf/postconf_node.c, postconf/postconf.c.
Boris Mühmer's avatar
Boris Mühmer committed
20121222
Boris Mühmer's avatar
Boris Mühmer committed
	Feature: postconf support to warn about an attempt to modify
	a read-only parameter (process_name etc.) in main.cf or
	master.cf. Files: postconf/postconf_readonly.c,
	postconf/postconf_builtin.c.
Boris Mühmer's avatar
Boris Mühmer committed
20121223
Boris Mühmer's avatar
Boris Mühmer committed
	Feature: postconf support to warn about an undefined $name
	in a parameter value in main.cf or master.cf (except for
	backwards-compatibility parameters such as $virtual_maps)
	Files: postconf/postconf_user.c, postconf_dbms.c,
	postconf_builtin.c, util/dict_ht.c, util/htable.c.
Boris Mühmer's avatar
Boris Mühmer committed
	Feature: "postconf -Mx" support to expand $name in master.cf
	parameter values.  Files: postconf/postconf_master.c,
	postconf/postconf_lookup.c, postconf/postconf_main.c,
	postconf/postconf.c.
Boris Mühmer's avatar
Boris Mühmer committed
20121224
Boris Mühmer's avatar
Boris Mühmer committed
	Feature: "postconf -Mn" support to print only master.cf
	entries that have "-o name=value" parameter setttings.
	Files: postconf/postconf_master.c.
Boris Mühmer's avatar
Boris Mühmer committed
20121226
Boris Mühmer's avatar
Boris Mühmer committed
	Miscellaneous cleanups of postconf internal APIs, identifiers
	and comments. No changes in behavior.
Boris Mühmer's avatar
Boris Mühmer committed
	Bugfix (omission in feature 20111203): the SMTP server only
	supported time-dependent address-verification sender addresses
	with RCPT TO but not with MAIL FROM. File: smtpd/smtpd.c.
Boris Mühmer's avatar
Boris Mühmer committed
20121227
Boris Mühmer's avatar
Boris Mühmer committed
	Feature: "postconf -o name=value" support to override main.cf
	settings (for example, "postconf -x -o stress=whatever"
	shows effective settings under overload). Files:
	postconf/postconf.c, postconf/postconf_main.c.
Boris Mühmer's avatar
Boris Mühmer committed
20121230
Boris Mühmer's avatar
Boris Mühmer committed
	Cleanup: postconf(1) master.cf options parser. Files:
	postconf/postconf_master.c, postconf/postconf_user.c.
Boris Mühmer's avatar
Boris Mühmer committed
	Bugfix (omission in feature 20111106): the postconf(1)
	master.cf options parser didn't support "clusters" of
	command-line option letters. Files: postconf/postconf_master.c,
	postconf/test40.ref.
Boris Mühmer's avatar
Boris Mühmer committed
20130105
Boris Mühmer's avatar
Boris Mühmer committed
	Undo a change made around 20121224, and always whitelist
	configuration parameter names for legacy-style proxy:ldap:prefix
	etc.  lookup tables.  Files: postconf/postconf_dbms.c,
	postconf/test28.ref, postconf/test29.ref, postconf/Makefile.in.
Boris Mühmer's avatar
Boris Mühmer committed
20130107
Boris Mühmer's avatar
Boris Mühmer committed
	Factor out the master.cf line parser so that it can be
	reused for "postconf -Me". File: postconf/postconf_master.c.
Boris Mühmer's avatar
Boris Mühmer committed
20130113

	Feature: master.cf attribute namespace. "postconf -F" shows
	individual master.cf fields as "service/type/attribute =
	value", where attribute is "service", "type", "private",
	"unprivileged", "wakeup", "process_limit", or "command".

Boris Mühmer's avatar
Boris Mühmer committed
20130121
Boris Mühmer's avatar
Boris Mühmer committed
	Bugfix (introduced 20120307): the postconf -X option erased
	other options.  File: postconf/postconf.c.
Boris Mühmer's avatar
Boris Mühmer committed
20130131
Boris Mühmer's avatar
Boris Mühmer committed
	Bugfix: the local(8) delivery agent dereferenced a null
	pointer while delivering to null command (for example, "|"
	in a .forward file).  Reported by Gilles Chehade.
Boris Mühmer's avatar
Boris Mühmer committed
20130203
Boris Mühmer's avatar
Boris Mühmer committed
	Bugfix: the undocumented OpenSSL X509_pubkey_digest()
	function is unsuitable for computing certificate PUBLIC KEY
	fingerprints.  Postfix now provides a correct procedure
	that accounts for the algorithm and parameters in addition
	to the key data.  Specify "tls_legacy_public_key_fingerprints
	= yes" if you need backwards compatibility. Fix by Victor
	Duchovni, BC added by Wietse.  Files: tls/tls_verify.c,
	tls/tls_misc.c, proto/TLS_README.html, global/mail_params.h.
Boris Mühmer's avatar
Boris Mühmer committed
20130210
Boris Mühmer's avatar
Boris Mühmer committed
	Bugfix: an error handler for smtp_tls_policy_maps lookups
	was never invoked.  File: smtp/smtp_session.c.
Boris Mühmer's avatar
Boris Mühmer committed
20130212

	Cleanup: logfile message formatting (X: subject_CN=X,
	issuer_CN=X, fingerprint=X, pkey_fingerprint=X). File:
	tls/tls_client.c.

20130315

	Feature: LMDB (memory-mapped persistent file) support by
	Howard Chu. This implementation has unexpected failure modes
	that don't exist with other Postfix databases, so don't
	just yet abandon CDB.  See LMDB_README for details.  Files:
	proto/postconf.proto, proto/LMDB_README.html,
	proto/DATABASE_README.html, proto/INSTALL.html util/dict_lmdb.[hc],
	util/dict_open.c, global/mkmap_lmdb.[hc], global/mkmap_open.c,
	postconf/postconf.c.

20130316

	Cleanup: new Postfix dictionary API flag to control the use
	of (LMDB) bulk database transactions.  With this, LMDB
	databases no longer fail to commit any transactions with
	tlsmgr(8), and LMDB databases no longer perform glacially
	slow with postmap -i/postalias -i.  Files: util/dict.h,
	util/dict_lmdb.c, postmap/postmap.c, postalias/postalias.c.

20130317

	Debugging: generalized setting of dictionary API flags.
	File: util/dict.[hc], util/dict_test.c.

	Robustness: Postfix programs can now recover from LMDB
	"database full" errors without requiring human intervention.
	When a program opens an LMDB file larger than lmdb_map_size/3,
	it logs a warning and uses a larger size limit instead.
	Files: util/dict_lmdb.c, proto/LMDB_README.html.

20130318

	Portability: botched #ifdef. File: util/dict_lmdb.c.

20130319

	Postfix support for LMDB databases is suspended due to the
	existence of a hard limit (an "out of storage" failure mode
	that cannot be resolved by increasing the database size).

	Postfix may support LMDB again when it no longer limits the
	size of Postfix transactions, whether the limit is built
	into LMDB itself, or implicit by requiring an unbounded
	amount of memory to handle a large transaction.

20130322

	Documentation: smtp_skip_5xx_greeting wording updated to
	reflect text in RFC 2821, which appears to say that a 554
	greeting is not a hard delivery error (note that RFC 2821
	was published later than smtp_skip_5xx_greeting). File:
	proto/postconf.proto.

20130324

	Workaround: MacOS 10.8 (Darwin 12) getrlimit(RLIMIT_NOFILE)
	incorrectly reports that rlim_max, the hard limit on the
	number of open files per process, is equal to RLIM_INFINITY
	(i.e. no limit is enforced).  In reality, setrlimit(RLIMIT_NOFILE)
	rejects requests where rlim_cur, the current limit, contains
	any value > kern.maxfilesperproc.  Axel Luttgens.  File:
	util/open_limit.c.

	Portability: MacOS 10.8 (Darwin 12) kqueue support works.
	Axel Luttgens. Files: makedefs.

20130324

	Support for anonymous certificates. Viktor Dukhovni. File:
	tls/tls_verify.c.

	Feature: support for DNSSEC-validated lookups and TLSA
	RRsets.  Viktor Dukhovni. Files: dns/Makefile.in, dns/dns.h,
	dns/dns_lookup.c, dns/dns_rr.c, dns/dns_strtype.c,
	dns/test_dns_lookup.c,

	Cleanup: the personality switch between "smtp" and "lmtp".
	This streamlines the switch in the SMTP/LMTP protocol, DNS
	MX lookups, and configuration parameter names in error
	messages.  Viktor Dukhovni. Files: smtp/smtp.c, smtp/smtp.h,
	smtp/smtp_chat.c, smtp/smtp_connect.c, smtp/smtp_proto.c,
	smtp/smtp_rcpt.c, smtp/smtp_sasl_glue.c, smtp/smtp_sasl_proto.c,
	smtp/smtp_session.c, smtp/smtp_state.c.

	Feature: replace disable_dns_lookups with smtp_dns_support_level,
	enable secure DNSSEC lookups in the Postfix SMTP client,
	and use the DNSSEC-validated remote SMTP server name to
	select the SMTP and TLS policies.  Viktor Dukhovni. Files:
	dns/Makefile.in, dns/dns.h, dns/dns_lookup.c, dns/dns_rr.c,
	dns/dns_strtype.c, dns/test_dns_lookup.c.

20130325

	Portability: on MacOS X, use kqueue() for event handling
	but use select() instead of poll() for read/write timeouts
	(with a workaround to handle file decriptors >=FD_SETSIZE).
	Files: util/sys_defs.h, util/readable.c, util/writable.c,
	util/read_wait.c, util/write_wait.c.

	Portability: support for NetBSD 5.x, NetBSD 6.x and DragonFly
	BSD. Viktor Dukhovni. Files: makedefs, util/sys_defs.h.

20130326

	Cleanup: new module that consolidates all system-dependent
	code to enforce read/write timeouts. This includes a final
	workaround for MacOS X that uses poll() first, and select()
	if that fails.  This makes their /dev/urandom workaround
	unnecessary. Files: util/poll_fd.c, util/iostuff.h.  Removed:
	util/readable.c, util/writable.c, util/read_wait.c,
	util/write_wait.c.

	Cleanup: refactor TLS digest functions, improved signature
	for TLS session cache. Viktor Dukhovni. Files: smtp/smtp.c,
	smtp/smtp_proto.c, smtpd/smtpd.c, tls/Makefile.in, tls/tls.h,
	tls/tls_client.c, tls/tls_fprint.c, tls/tls_level.c,
	tls/tls_misc.c, tls/tls_server.c, tls/tls_verify.c,
	tlsproxy/tlsproxy.c.

20130327

	Cleanup: final polish for MacOSX workarounds; replaced
	#ifdef MacOSX by feature test as required by PORTING document.
	Files: util/poll_fd.c, util/open_limit.c.

	Export tls_fprint() and tls_digest_encode() for use in DANE.
	Viktor Dukhovni. Files: tls/tls.h, tls/tls_fprint.c.

20130331

	Refactoring: TLS verification callback processing in
	preparation for DANE support. Viktor Dukhovni. Files:
	tls/tls.h, tls/tls_client.c, tls/tls_misc.c, tls/tls_verify.c.

	Refactoring: split off SMTP client per-session TLS policy
	data and code in preparation for DANE support.  Viktor
	Dukhovni.  Files: smtp/Makefile.in, smtp/smtp.h,
	smtp/smtp_connect.c, smtp/smtp_proto.c, smtp/smtp_reuse.c,
	smtp/smtp_session.c, smtp/smtp_tls_sess.c.

	Cleanup: "zero time limit" corner case in read_wait() and
	write_wait() emulation. Files: util/poll_fd.c, util/iostuff.h.

20130401

	Refactoring: allow smtp_session_alloc() to fail gracefully
	and report an error.

Boris Mühmer's avatar
Boris Mühmer committed
	Documentation: in smtpd.c, the comment that justifies the
	454 reply for "TLS unavailable" cited the wrong RFC.

20130404

	Human factors: warning when a main.cf parameter has multiple
	entries with different values.  File: util/dict.c.

20130405

	Feature: the recipient_delimiter parameter can now specify
	a set of characters. A user name is now separated from its
	address extension by the first character that matches the
	recipient_delimiter set.  Files: proto/postconf.proto,
	src/global/mail_addr_find.c, src/global/mail_params.c,
	src/global/split_addr.c, src/global/split_addr.h,
	src/global/strip_addr.c, src/global/strip_addr.h,
	src/global/strip_addr.ref, src/local/bounce_workaround.c,
	src/local/local.c, src/local/local_expand.c, src/local/recipient.c,
	src/local/resolve.c, src/oqmgr/qmgr_message.c, src/pipe/pipe.c,
	src/qmgr/qmgr_message.c, src/smtpd/smtpd.c,
	src/smtpd/smtpd_check.c, src/trivial-rewrite/transport.c,
	src/trivial-rewrite/trivial-rewrite.c.

	Feature: support for trust anchors, i.e. CA certificates
	or public keys that will be used instead of conventional
	root certificates, and revised fingerprint support.  This
	can be used by itself, and this provides support for an
	upcoming DANE implementation.  Victor Duchovni.  Files:
	mantools/postlink, proto/TLS_README.html, proto/postconf.proto,
	global/mail_params.h, smtp/lmtp_params.c, smtp/smtp.c,
	smtp/smtp.h, smtp/smtp_params.c, smtp/smtp_proto.c,
	smtp/smtp_session.c, smtp/smtp_state.c, smtp/smtp_tls_sess.c,
	tls/Makefile.in, tls/tls.h, tls/tls_client.c, tls/tls_dane.c,
	tls/tls_fprint.c, tls/tls_misc.c, tls/tls_verify.c,
	util/argv.c, util/argv.h.

20130409

	Documentation: pointers to other actions under "ACCEPT
	ACTIONS" and "REJECT ACTIONS". File: proto/access.

20130410

	Cleanup: more uniform permutation in dns_rr() by Victor
	Duchovni & Son. File: dns/dns_rr.c.

20130411

	Documentation: clarified text about result formats. Files:
	proto/canonical, proto/virtual.

20130414

	Cleanup: the SMTP client connection management code now
	maintains iterator state with a structure that contains
	next-hop, host name, address, port and other information.
	This iterator structure replaces random variables that were
	updated by add-hoc code, and replaces random function
	argument lists. The more structured approach is easier to
	maintain and has already paid off by exposing opportunities
	to improve SMTP connection cache usage.  Wietse Venema.
	Files: smtp/smtp.h, smtp/smtp_connect.c, smtp/smtp_session.c,
	smtp_reuse.c.

	Cleanup: eliminated minor false SMTP connection cache-sharing
	problems due to mis-aligned lookup keys for caches and
	lookup tables (for example some used the nexthop, and some
	the domain name).  Information that is used in more than
	one lookup key is now generated by a centralized function.
	This replaces ad-hoc code in random places that was
	concatenating ad-hoc data to construct lookup keys. The
	more structured approach is easier to maintain and makes
	future cache-sharing issues easier to prevent.  Wietse
	Venema. Files: smtp/smtp.h, smtp/smtp_connect.c, smtp_reuse.c,
	smtp_key.c, smtp_tls_sess.c.

	Cleanup and fix of non-production code: the trust anchor-digest
	code and smtp_sess_tls_required() function. Victor Duchovni.
	Files: smtp/smtp_connect.c, smtp/smtp_proto.c,
	smtp/smtp_tls_sess.c, tls/tls.h, tls/tls_client.c,
	tls/tls_dane.c, tls/tls_level.c, tls/tls_verify.c.

20130417

	Cleanup and fix of non-production code: add the SASL
	credentials or absence thereof to the connection cache
	endpoint label; better reuse of SASL-authenticated connections
	over UNIX-domains sockets, however unlikely these may be;
	a first step towards refinement of connection cache lookup
	by IP addres for plaintext or SASL-unauthenticated connections.
	Files: smtp/smtp.h smtp/smtp_connect.c, smtp/smtp_reuse.c,
	smtp/smtp_key.c, smtp/smtp_tls_sess.s.

20130418

	Cleanup: configurable field delimiter and optional "not
	available" field place holder for cache and table lookup
	keys; automatic base64 encoding for key fields that contain
	these. Files: smtp/smtp_key,c, smtp/smtp_reuse.c,
	smtp/smtp_proto.c, smtp/smtp_tls_sess.c.

20130420-21

	Documentation: "dane" TLS security level and parameters.
	Viktor Dukhovni. Files: mantools/postlink, proto/TLS_README.html,
	proto/postconf.proto.

	Feature: implemented and enabled DNS-based DANE security
	level.  Viktor Dukhovni. Files: global/mail_params.h,
	smtp/lmtp_params.c, smtp/smtp.c, smtp/smtp.h, smtp/smtp_params.c,
	smtp/smtp_proto.c, smtp/smtp_tls_sess.c, tls/tls.h,
	tls/tls_client.c, tls/tls_dane.c, tls/tls_fprint.c,
	tls/tls_level.c, tls/tls_misc.c, util/Makefile.in,
	util/ctable.c, util/ctable.h, util/timecmp.c, util/timecmp.h.

	Cleanup: rename (unchanged) smtp_tls_sess.c to smtp_tls_policy.c.
	Viktor Dukhovni. Files: smtp/Makefile.in, smtp/smtp_tls_policy.c,
	smtp/smtp_tls_sess.c.

	Portability: OpenSSL workarounds for versions before 0.9.7
	are removed from the source code. Viktor Dukhovni. Files:
	tls/tls.h, tls/tls_bio_ops.c, tls/tls_client.c.

	Non-production fixes: when falling back from opportunistic
	TLS to plaintext, don't modify the cached TLS policy "retry
	as plaintext" and "level" members.  Files: smtp/smtp_session.c.

	Non-production fixes: move TLS policy lookup to the main
	connection iterator loop, so that the policy is known before
	attempting connection reuse and before SMTP connection
	creation. Temporarily link session->tls to state->tls.
	Files: smtp/smtp.h, smtp/smtp_connect.c, smtp/smtp_reuse.c,
	smtp/smtp_tls_policy.c.

20130422

	Feature: smtptls-finger test program for SMTP over TLS.
	Viktor Dukhovni. Files: Makefile.in, html/Makefile.in,
	man/Makefile.in, mantools/postlink, posttls-finger/.indent.pro,
	posttls-finger/Makefile.in, posttls-finger/posttls-finger.c,
	posttls-finger/tlsmgrmem.c, posttls-finger/tlsmgrmem.h,
	tls/tls.h, tls/tls_misc.c.
Boris Mühmer's avatar
Boris Mühmer committed

20130423

	Bugfix (introduced: Postfix 2.0): when myhostname is not
	listed in mydestination, the trivial-rewrite resolver may
	log "do not list <myhostname value> in both mydestination
	and <name of non-mydestination domain list>".  The fix is
	to re-resolve a domain-less address after adding $myhostname
	as the surrogate domain, so that it pops out with the right
	address-class label.  Problem reported by Quanah Gibson-Mount.
	File: trivial-rewrite/resolve.c.

20130425

Boris Mühmer's avatar
Boris Mühmer committed
	Non-production fixes: revert to using proxies (sender,
	nexthop, hostname) to distinguish between different SASL
	credentials for connections to the same IP address and port.
	Files: smtp/smtp.h smtp/smtp_connect.c, smtp/smtp_key.c.

	Non-production cleanup: documentation, identifiers.  Viktor
	Dukhovni. Files: proto/postconf.proto, src/dns/dns.h,
	src/dns/dns_lookup.c, src/dns/dns_rr.c, src/dns/test_dns_lookup.c,
	src/global/mail_proto.h, src/posttls-finger/posttls-finger.c,
	src/smtp/smtp.h, src/smtp/smtp_addr.c, src/smtp/smtp_connect.c,
	src/smtp/smtp_session.c, src/smtp/smtp_tls_policy.c,
	src/smtpd/smtpd_check.c, src/tls/tls.h, src/tls/tls_client.c,
	src/tls/tls_dane.c, src/tls/tls_fprint.c, src/tls/tls_misc.c,
	src/tls/tls_proxy_clnt.c, src/tls/tls_proxy_print.c,
	src/tls/tls_proxy_scan.c, src/tls/tls_server.c,
	src/tls/tls_verify.c.

20130426

	Non-production fixes: refinement of SASL-dependent context
	for connection-cache reuse, documentation. Viktor Dukhovni
	and Wietse Venema. Files: smtp/smtp.h, smtp/smtp_key.c,
	tls/tls_client.c.

20130506

	Non-production bugfix: macros must use distinct names for
	temporary variables, to avoid name collision problems.
	Problem report: Ralf Hildebrandt. Problem fix: Viktor
	Dukhovni.  File: smtp/smtp.h.

	Non-production cleanup: simplified "dane" user interface,
	replacing one "dane" security level plus multiple fall-back
	options, with two "dane" security levels, one opportunistic
	and one mandatory. Viktor Dukhovni.  Files: proto/TLS_README.html,
	proto/postconf.proto, mantools/postlink, proto/TLS_README.html,
	proto/postconf.proto, global/mail_params.h,
	posttls-finger/posttls-finger.c, smtp/lmtp_params.c,
	smtp/smtp.c, smtp/smtp.h, smtp/smtp_params.c,
	smtp/smtp_tls_policy.c, tls/tls.h, tls/tls_level.c.

20130512

	Feature: allow an SMTP client to skip postscreen(8) tests
	before or after the 220 greeting, based on its DNSBL score.
	Suggested by Rob McGee (/dev/rob0). Files: mantools/postlink,
	proto/postconf.proto, global/mail_params.h,
	postscreen/postscreen.c, postscreen/postscreen.h,
	postscreen/postscreen_early.c, postscreen/postscreen_state.c,
	postscreen/postscreen_tests.c.

20130513

	Bugfix (introduced: 20130512): postscreen logged no "PASS
	NEW" event when the pregreet tests were turned off and the
	postscreen_dnsbl_whitelist_treshold feature was turned on.
	Reported by Rob McGee (/dev/rob0). Files: postscreen/postscreen.h,
	postscreen/postscreen_early.c.

	Bugfix (introduced: 20130512): postscreen panic because the
	logic for dnsbl result retrieval was changed. Reported by
	Noel Jones. File: postscreen/postscreen_early.c.

20130517

	Cleanup: just like the postscreen DNS block test will use
	partial scores when some DNS lookup result is unavailable,
	the postscreen_dnsbl_whitelist_treshold feature will now
	use partial scores instead of ignoring them.  File:
	postscreen/postscreen_early.c.
Boris Mühmer's avatar
Boris Mühmer committed
20130518

	Bugfix (introduced: 1997): memory leak after error while
	forwarding mail through the cleanup server. Viktor found
	one, Wietse eliminated the rest.  File: local/forward.c.

Boris Mühmer's avatar
Boris Mühmer committed
	Feature: posttls-finger protocol and cipher grade selection
	options.  Leave protocol debug flags active across reconnects,
	only suppress redundant logging of the certificate details.
	Viktor Dukhovni. File: posttls-finger/posttls-finger.c.

	Robustness: send SNI even when trying to reuse a DANE
	session, because a new session may be negotiated anyway.
	Viktor Dukhovni. File: tls/tls_client.c.

	Cleanup: eliminate variable that is redundant with respect
	to more authoritative state.  Viktor Dukhovni. File:
	posttls-finger/posttls-finger.c.

	Feature: new tls_ssl_options parameter to enable OpenSSL
	features (as opposed to tls_disable_workarounds which is
	disables bug workarounds that are on by default). Viktor
	Dukhovni. Files: proto/TLS_README.html, proto/postconf.proto,
	src/global/mail_params.h, src/tls/tls.h, src/tls/tls_client.c,
	src/tls/tls_misc.c.

20130520

	Documentation: removed resolve_null_domain from the list
	of smtpd(8) parameters. File: smtpd/smtpd.c.

20130523

	Documentation: add cidr: and texthash: to the list of maps
	that don't have automatic change detection. File:
	proto/DATABASE_README.html.

	Documentation: define the netmask format of CIDR maps.
	File: proto/cidr_table.

20130530

	Cleanup: replace alloca() with mymalloc()/myfree() for
	better error handling. Reported by Bill Parker. File:
	util/dict_ni.c (does anyone still use this code?).

20130531

	Feature: tls_wildcard_matches_multiple_labels (default:
	yes) to match multiple DNS labels with "*" in wildcard
	certificates. Viktor Dukhovni. Files: proto/postconf.proto,
	mantools/postlink, global/mail_params.h, tls/tls_client.c,
	tls/tls_misc.c.

20130607

	Bugfix (DANE support): with multiple TLSA RR that carry "x
	0 0" certificates or "x 1 0" keys, Postfix failed to reset
	the cert/key pointer before calling d2i_mumble(), causing
	OpenSSL to clobber the previous cert or key.  Viktor Dukhovni.
	tls/tls_dane.c.

	Robustness: check that TLSA-supplied certs have valid keys.
	It is not clear whether that check is performed in d2i().
	Viktor Dukhovni. tls/tls_dane.c.

20130608

	Cleanup (DANE support): be more explicit in the logging of
	object digests.  Viktor Dukhovni. tls/tls_dane.c.

20100613
Boris Mühmer's avatar
Boris Mühmer committed

	Workaround: unhelpful down-stream maintainers fail to install
	the new smtpd_relay_restrictions safety net, causing breakage
	that could have been avoided. We now hard-code the safety
	net instead.  Files: global/mail_params.h, conf/post-install,
Boris Mühmer's avatar
Boris Mühmer committed
	RELEASE_NOTES_2.10.

	Bugfix (DANE support): when TLSA records are insecure,
	report that none are found. Viktor Dukhovni. Files:
	posttls-finger/posttls-finger.c, smtp/smtp_tls_policy.c,
	tls/tls_dane.c.
Boris Mühmer's avatar
Boris Mühmer committed

20130615

	TLS Interoperability: turn on SHA-2 digests by force.  This
	improves interoperability with clients and servers that
	deploy SHA-2 digests without the required support for
	TLSv1.2-style digest negotiation.  Based on patch by Viktor
	Dukhovni.  Files: tls/tls_client.c, tls/tls_server.c.

20130616

Boris Mühmer's avatar
Boris Mühmer committed
18734 18735 18736 18737 18738 18739 18740 18741 18742 18743 18744 18745 18746 18747 18748 18749 18750 18751 18752 18753 18754 18755 18756 18757 18758 18759 18760 18761 18762 18763 18764 18765 18766 18767 18768 18769 18770 18771 18772 18773 18774 18775 18776 18777 18778 18779 18780 18781 18782 18783 18784 18785 18786 18787 18788 18789 18790 18791 18792 18793 18794 18795 18796 18797 18798 18799 18800 18801 18802 18803 18804 18805 18806 18807 18808 18809 18810 18811 18812 18813 18814 18815 18816 18817 18818 18819 18820 18821 18822 18823 18824 18825 18826 18827 18828 18829 18830 18831 18832 18833 18834 18835 18836 18837 18838 18839 18840 18841 18842 18843 18844 18845 18846 18847 18848 18849 18850 18851 18852 18853 18854 18855 18856 18857 18858 18859 18860 18861 18862 18863 18864 18865 18866 18867 18868 18869 18870 18871 18872 18873 18874 18875 18876 18877 18878 18879 18880 18881 18882 18883 18884 18885 18886 18887 18888 18889 18890 18891 18892 18893 18894 18895 18896 18897 18898 18899 18900 18901 18902 18903 18904 18905 18906 18907 18908 18909 18910 18911 18912 18913 18914 18915 18916 18917 18918 18919 18920 18921 18922 18923 18924 18925 18926 18927 18928 18929 18930 18931 18932 18933 18934 18935 18936 18937 18938 18939 18940 18941 18942 18943 18944 18945 18946 18947 18948 18949 18950 18951 18952 18953 18954 18955 18956 18957 18958 18959 18960 18961 18962 18963 18964 18965 18966 18967 18968 18969 18970 18971 18972 18973 18974 18975 18976 18977 18978 18979 18980 18981 18982 18983 18984 18985 18986 18987 18988 18989 18990 18991 18992 18993 18994 18995 18996 18997 18998 18999 19000
	Workaround: The Postfix SMTP server TLS session cache was
	broken because OpenSSL now enables session tickets by
	default, resulting in different ticket encryption key for
	each smtpd(8) process.  the workaround turns off session
	tickets. In 2.11 we'll enable session tickets properly.
	Viktor Dukhovni. File: tls/tls_server.c.

	Updated DANE support (trust in DNS instead of PKI).  With
	OpenSSL 1.0.2 (under development) trusted certificates don't
	need to be self-signed roots.  Otherwise we use an ephemeral
	root certificate to sign the trust anchor. Viktor Dukhovni.
	Files: posttls-finger/posttls-finger.c, smtp/smtp_proto.c,
	smtp/smtp_tls_policy.c, tls/tls.h, tls/tls_client.c,
	tls/tls_dane.c, tls/tls_fprint.c, tls/tls_misc.c,
	tls/tls_verify.c.

20130619

	Documentation: troff lint. Patch by ES Raymond's bot.  File:
	proto/header_checks.

	Cleanup: enforce smtpd_client_recipient_rate_limit for VRFY
	commands. File: smtpd/smtpd.c.

20130622

	Bugfix: typo in the 20130613 smtpd_relay_restrictions default
	setting. File: global/mail_params.h.

20130623

	Cleanup: configurable tlsmgr(8) service name. Files:
	mantools/postlink, proto/postconf.proto, tls/tls_mgr.c,
	tls/tls_misc.c, tlsproxy/tls-proxy.c, smtp/smtp.c,
	smtpd/smtpd.c.

20130629

	Cleanup: documentation. Files: proto/CONNECTION_CACHE_README.html,
	proto/SCHEDULER_README.html.

20130708

	Cleanup: postscreen_upstream_proxy_protocol setting.  Files:
	global/mail_params.h, postscreen/postscreen_endpt.c.

20130709

	Cleanup: qmgr documentation clarification by Patrik Rak.
	Files: proto/SCHEDULER_README.html, qmgr/qmgr_job.c.

	Cleanup: re-indented code. File: qmgr/qmgr_job.c.

	Logging: minimal DNAME support. Viktor Dukhovni.  dns/dns.h,
	dns/dns_lookup.c, dns/dns_strtype.c, dns/test_dns_lookup.c.

20130710

	Workaround: smtp_connection_reuse_count_limit (default 0,
	i.e.  unlimited) for sites that must deal with hostile
	connection reuse policies. The documentation comes with a
	warning that this feature introduces a "fatal attractor"
	failure mode.  Files: global/mail_params.h, mantools/postlink,
	proto/postconf.proto, smtp/smtp.c, smtp/smtp_params.c,
	smtp/lmtp_params.c, smtp/smtp.h.

	Workaround: FreeBSD9 nroff outputs ANSI escape sequences
	instead of overstrike sequences. To make matters worse, it
	uses the ESC[0m sequence sometimes for end-of-bold and
	sometimes for end-of-italic.  File: mantools/man2html.

20130714

	Cleanup: added smtpd_relay_restrictions entries to the
	default master.cf file, so that main.cf settings won't
	affect the submission and smtps services. Simon Matter.
	File: conf/master.cf.

20130728

	Cleanup: wrong function name in error message. John Fawcett.
	File: util/vstring_vstream.c.

20130801

	Cleanup: with ``make makefiles CCARGS="-DHAS_DB...'', the
	makedefs script no longer tries to locate the Linux Berkeley
	DB include and library files. Instead it assumes that the
	locations are given on the command line, as shown in the
	DB_README examples.  Leo Baltus. File: makedefs.

20130805

	Documentation: clarified reject_non_fqdn_helo_hostname.
	File: proto/postconf.proto.

20130809

	Cleanup: the lmdb_map_size parameter is now a long integer.
	Howard Chu. Files: global/mail_params.[hc].

20130815

	Documentation: added pointer to Dovecot 2 configuration.
	File: proto/SASL_README.html

20130818

	Update: LMDB client updated to LMDB 0.9.7, which hopefully
	fixes the unrecoverable "transaction full" error. With a
	new MDB_MAP_FULL workaround by Howard Chu that ensures that
	postfix will make progress as long as the disk is not full.
	File: util/dict_lmdb.c.

20130822

	The status of LMDB databases is "not recommended".  Unlike
	other Postfix databases, LMDB does not grow beyond a specified
	limit even when the file system has room.  This show-stopper
	bug breaks applications whose requirements grow with load:
	postscreen(8), greylisting, tlsmgr(8) and verify(8).

20130825

	Bitrot: Arrange for shared keys in SMTP server session
	tickets.  Otherwise, with clients that enable session
	tickets, the SMTP session cache is per-process and largely
	ineffective.  Older releases should add SSL_OP_NO_TICKET
	to the SSL options bit mask in the SMTP server only.  The
	session ticket key validity interval (sum of initial issuing
	and retired key validation intervals) must not exceed the
	SSL session lifetime.  Otherwise, clients may send valid
	tickets for expired sessions, which the OpenSSL server code
	mishandles (does not send a replacement ticket, patch
	pending...).

	We set the session lifetime to 2 times the configured cache
	lifetime which is also the ticket issuing and retired
	validation lifetime, so ticketed sessions last 1 to 2 times
	the configured session lifetime and never longer than a
	session's expiration time. 

	Code by Viktor Dukhovni.  Files: .indent.pro, mantools/postlink,
	proto/TLS_README.html, proto/postconf.proto, global/mail_params.h,
	posttls-finger/posttls-finger.c, posttls-finger/tlsmgrmem.c,
	smtpd/smtpd.c, tls/tls.h, tls/tls_client.c, tls/tls_mgr.c,
	tls/tls_mgr.h, tls/tls_scache.c, tls/tls_scache.h,
	tls/tls_server.c, tlsmgr/tlsmgr.c, tlsproxy/tlsproxy.c.

	Robustness: Search for TLSA RRs at the resolved server name
	(rname) and failing that request server name (qname), and
	use whichever was found as the TLSA base domain for certificate
	matching.

	When we find a DNSSEC validated MX RRset, and the initial
	next-hop domain is a CNAME, include both the initial and
	final (the one with the actual MX RRs) domains in the list
	of valid server certificate names.

	When we find no MX records, then the initial next-hop domain
	is obtained securely from the recipient domain or transport
	next-hop.  Without MX records, this is a destination hostname,
	so we should generally do a TLSA lookup.  If however the
	address lookup yields an insecure result, and its rname is
	equal to its qname (no CNAMEs), we reasonably assume that
	the its child "_port._tcp" sub-domain is likewise insecure
	(security here would require DLV just for this sub-domain).
	This allows us to skip futile TLSA queries for most non-MX
	destinations (those that are in insecure zones and are not
	CNAMEs).  This heuristic can be disabled by setting the new
	main.cf parameter smtp_tls_force_insecure_host_tlsa_lookup
	to "yes", the default is "no".

	Finally, with MX hostnames, if the MX RRset is secure, we
	look for TLSA RRs at the qname only when the MX host is an
	alias with an insecure rname.  If both the qname and the
	rname are secure, as before we prefer the rname, but when
	nothing is found there, fall back to the qname.

	Code by Viktor Dukhovni. Files: mantools/postlink,
	proto/postconf.proto, src/global/mail_params.h,
	src/posttls-finger/posttls-finger.c, src/smtp/lmtp_params.c,
	src/smtp/smtp.c, src/smtp/smtp.h, src/smtp/smtp_addr.c,
	src/smtp/smtp_addr.h, src/smtp/smtp_connect.c,
	src/smtp/smtp_params.c, src/smtp/smtp_tls_policy.c,
	src/tls/tls.h, src/tls/tls_dane.c.

20130826

	Documentation: re-ordered STRESS_README, now that all
	supported releases have stress-adaptive behavior built in.
	File: proto/STRESS_README.html.

20130903

	Cleanup: made the default_database_type compile-time
	configurable. Files: util/sys_defs.h, makedefs, proto/INSTALL.

20130916

	Feature: reject_known_sender_login_mismatch, which applies
	reject_sender_login_mismatch only to MAIL FROM addresses
	that are known in $smtpd_sender_login_maps. Viktor & Wietse.
	Files: mantools/postlink, proto/SASL_README.html,
	proto/postconf.proto, global/mail_params.h, smtpd/smtpd_check.c.

20130927

	Cleanup: no more LMDB "database full" errors.  Postfix now
	requires LMDB >= 0.9.8 which supports on-the-fly database
	resizing. When a database becomes full, its size limit is
	automatically doubled, and other processes automatically
	pick up the new database size limit.  Files: util/dict.h,
	util/dict_open.c, util/dict_alloc.c, util/dict_lmdb.c,
	postmap/postmap.c, postalias/postalias.c, proto/LMDB_README.html,
	proto/postconf.proto.

20130928

	Cleanup: the lmdb_max_readers property is now configurable.
	This is a hard limit built into the OpenLDAP library that
	causes requests to fail when the number of open read
	transactions exceeds the limit.  When this happens the LMDB
	client logs an MDB_READERS_FULL warning and continues with
	reduced performance.  Files: util/dict_lmdb.c, util/dict_lmdb.h,
	global/mail_params.h, global/mail_params.c, proto/postconf.proto,
	proto/LMDB_README.html.

20130929

	Security violation: LMDB opens files with read/write access
	for lock management purposes.  This gives unprivileged
	daemon processes read/write file handles for root-owned
	files under /etc/postfix.  This also breaks when a non-root
	process needs to access a root-owned database.  Even if
	LMDB lock files were world-writable, and kept in a dedicated
	directory, they would still violate the principle of least
	privilege. For all these reasons, support to create LMDB
	files is removed from the postmap and postalias commands.
	LMDB files can still be created by unprivileged Postfix
	daemon processes under the postfix-owned data_directory.
	Files: proto/LMDB_README.html, global/mkmap.c.

20131001

	Cleanup: LMDB support is forbidden due to problems with
	LMDB lock management. These problems hinder error recovery
	in multi-programmed systems, and prohibit database sharing
	between privileged writer processes and unprivileged reader
	processes.

20131009

	Documentation: inet_protols description was not updated
	when smtp_address_preference was added. File: proto/postconf.proto

20131013

	Documentation: why postscreen(8) uses hash-table lookups
	instead of direct pointers to find the DNSBL lookup result
	for a specific session. File: postscreen/postscreen_early.c.

20131022

	Cleanup: add more &code; to postconf2man. Someone has been
	writing documentation without checking the result, File:
	mantools/postconf2man.