Newer
Older
16001
16002
16003
16004
16005
16006
16007
16008
16009
16010
16011
16012
16013
16014
16015
16016
16017
16018
16019
16020
16021
16022
16023
16024
16025
16026
16027
16028
16029
16030
16031
16032
16033
16034
16035
16036
16037
16038
16039
16040
16041
16042
16043
16044
16045
16046
16047
16048
16049
16050
16051
16052
16053
16054
16055
16056
16057
16058
16059
16060
16061
16062
16063
16064
16065
16066
16067
16068
16069
16070
16071
16072
16073
16074
16075
16076
16077
16078
16079
16080
16081
16082
16083
16084
16085
16086
16087
16088
16089
16090
16091
16092
16093
16094
16095
16096
16097
16098
16099
16100
16101
16102
Bugfix (introduced 20100914): the "postscreen_greet_wait"
delay speedup worked only for DNSBL listed sites. File:
postscreen/postscreen_dnsbl.c.
Workaround: better handling of pregreeting spambots. The
postscreen built-in SMTP engine no longer sends a 220 banner
to a client that falls into the pregeet trap. This eliminates
many "NON-SMTP COMMAND" records in postscreen logging, as
the SMTP client and server no longer get out of sync. It
also results in better logging of sender/recipient information.
File: postscreen/postscreen_smtpd.c.
20100916
Cleanup: postscreen now uses the first responding DNSBL
name in the "5.7.1 Service unavailable" reply, instead of
the last responding one. File: postscreen/postscreen_dnsbl.c.
Cleanup: the 20100914 "postscreen_greet_wait" speedup did
not happen as often as it should, because some older code
still turned on PREGREET tests gratuitously, causing a full
greet-wait delay. File: postscreen/postscreen_tests.c.
Cleanup: to avoid "address in use" problems, postscreen now
closes the listening socket after "postfix stop". It also
closes the socket after "postfix reload" but that does not
hurt. Files: master/event_server.c, master/multi_server.c.
Cleanup: postscreen now logs CONNECT and DISCONNECT events.
Files: postscreen/postscreen.c, postscreen/postscreen_misc.c.
20100917
Bugfix: cut-and-paste error. Postscreen used pregreet_ttl
instead of dnsbnl_ttl. File: postscreen/postscreen_early.c.
20100920
Cleanup: minor cleanups and invisible fixes. Files:
postscreen/postscreen_misc.c, postscreen/postscreen.h,
postscreen/postscreen_tests.c.
Feature: preliminary postscreen penalty mechanism. Basic
idea: when a client exceeds some threshold, don't allow it
to pass any tests until the penalty expires. Penalties
provide a way to slow down clients without blocking mail
permanently. Files: postscreen/postscreen_misc.c,
postscreen/postscreen_tests.c, postscreen/postscreen.c.
A first application of the postscreen penalty mechanism
triggers on clients that make brief connections to find out
if the mail server is up. With "postscreen_early_hangup_penalty
= 600" they will disqualify themselves for 10 minutes.
Unfortunately, this behavior is used by legitimate bulk
mail services. This application was removed 20101103. The
penalty mechanism itself is left in place as #ifdef NONPROD.
20100923
Cleanup: renamed MUMBLE_FLAG_MUMBLE aggregates to
MUMBLE_MASK_MUMBLE for consistency with other Postfix code.
Files: postscreen/*.[hc].
20100930
Cleanup: flag PIPELINING errors with NOOP and VRFY. File:
smtpd/smtpd.c.
20101006
Bugfix (introduced: 20100914) dangling pointer when a client
makes N > 1 simultaneous connections and closes M < N
connections before postscreen has delivered the DNSBL score
to the corresponding pseudothreads. In practice the pointer
will refer to a block of 0xff bytes; the program terminates
with a segmentation violation, and is restarted immediately
by the master daemon. Files: postscreen/postscreen_early.c,
postscreen/postscreen_dnsbl.c.
Cleanup: avoid repeated delivery to mailing list members
with pathological nested alias configurations. The local(8)
delivery agent now keeps the owner-alias attribute of the
parent alias, when delivering mail to a child alias that
does not have its own owner alias. With this change, local
addresses from that child alias will be written to a new
queue file, and a temporary error with one local address
will no longer result in repeated delivery to other mailing
list members. Specify "reset_owner_alias = yes" for the
older behavior. File: local/alias.c.
20101007
Bugfix (introduced: 2100923): duplicate "PASS OLD" logging.
File: postscreen/postscreen_misc.c.
20101008
Cleanup: dnsblog now logs "addr X listed by domain Y as Z"
instead of "addr X blocked by domain Y as Z", because the
service may be used for whitelist lookups. File:
dnsblog/dnsblog.c.
20101023
Cleanup: don't apply reject_rhsbl_helo to non-domain forms
such as network addresses. This would cause false positives
with dbl.spamhaus.org. File: smtpd/smtpd_check.c.
Cleanup: new qmgr_ipc_timeout parameter (default: 60s) to
override the system-wide ipc_timeout setting (default:
3600s). The shorter timeout allows the queue manager to
reset a deadlocked IPC connection before the watchdog timer
goes off. Files: *qmgr/qmgr.c.
Cleanup: new qmgr_daemon_timeout parameter (default: 1000s)
to make the hard-coded 1000s watchdog timeout configurable.
Files: *qmgr/qmgr.c.
Cleanup: request default DSN notification when adding a
recipient with smfi_addrcpt, instead of requesting "never
notify" as with Postfix automatically-added BCC recipients.
Files: cleanup/cleanup_addr.c, cleanup/cleanup.h,
cleanup/cleanup_milter.c.
20101105
Feature: DNS whitelist support in the Postfix SMTP server.
permit_dnswl_client whitelists a client by IP address, and
permit_rhswl_client whitelists a client by its hostname.
The syntax is the same as reject_rbl_client etc., but the
result is PERMIT instead of REJECT. For safety reasons,
permit_xxx_client are silently ignored when they would
override reject_unauth_destination. The result is
DEFER_IF_REJECT when DNSWL lookup fails. The implementation
is based on a design documented by Noel Jones (August 2010).
File: smtpd/smtpd_check.c.
Workaround: strip off IPv6 datalink suffix from peer address
to avoid problems with strict address checking code. Files:
smtpd/smtpd_peer.c, qmqpd/qmqpd_peer.c.
Robustness: postscreen(8) now implements a time limit on
reading an entire command, instead of a time limit for
reading individual characters. File: postscreen/postscreen_smtpd.c.
Cleanup: don't apply reject_rhsbl_helo to non-domain forms
such as network addresses. This would cause false positives
with dbl.spamhaus.org. File: smtpd/smtpd_check.c.
Bugfix: the "421" reply after Milter error was overruled
by Postfix 1.1 code that replied with "503" for RFC 2821
compliance. We now make an exception for "final" replies,
as permitted by RFC. Solution by Victor Duchovni. File:
smtpd/smtpd.c.
Feature: pattern matching for DNSWL/DNSBL responses. For
example, with "reject_rbl_client example.com=d.d.d.d", each
"d" can now be a pattern inside "[]" that contains one or
more comma-separated decimal numbers or number..number
ranges. Files: smtpd/smtpd_check.c, postscreen/postscreen_dnsbl.c,
util/ip_match.c, util/ip_match.h.
Cleanup: don't log "blocked using example.com=127.0.0.1",
just log the domain name. File: smtpd/smtpd_check.c.
Cleanup: postscreen_client_connection_count_limit (default:
$smtpd_client_connection_count_limit) to limit the number
of connections from the same IP address to the postscreen(8)
daemon. Files: postscreen/postscreen.c, postscreen/postscreen.h,
postscreen/postscreen_state.c.
Cleanup: all postscreen(8) logging now reports the client
as [address]:port. This requires an update of tools that
process postscreen logging. Files: postscreen/*.c,
proto/POSTSCREEN_README.html.
Cleanup: polishing recent documentation and code. Files:
postscreen/postscreen_dnsbl.c, util/ip_match.c.
Bugfix (introduced 20101129): broken default value for
postscreen_client_connection_count_limit if the
smtpd_client_connection_count_limit parameter was left at
its default. File: postscreen/postscreen.c.
Workaround: BSD-ish mkdir() ignores the effective GID
and copies group ownership from the parent directory.
File: util/make_dirs.c.
Feature: the LDAP client can now authenticate to LDAP servers
via SASL. This is tested with SASL GSSAPI and Kerberos 5.
Original code by Quanah Gibson-Mount adapted by Victor
Duchovni. Files: global/dict_ldap.c, proto/LDAP_README.html,
proto/ldap_table.
Cleanup: the cleanup server now reports a temporary delivery
error when it reaches the virtual_alias_expansion_limit or
virtual_alias_recursion_limit. Previously, it would silently
ignore the excess recipients and deliver the message. File:
cleanup/cleanup_map1n.c.
Cleanup: sache_clnt_create() had an unnecessary data
dependency on the non-library var_scache_service variable,
causing problems with shared library builds. Instead, it
should use its service argument (which has the same value).
File: global/scache.c.
Cleanup: pipe_command.c had an unnecessary data dependency
on the non-library var_command_maxtime variable, causing
problems with shared library builds. The dependency was not
necessary because the callers already specify an explicit
time limit. File: global/pipe_command.c.
Bugfix (introduced 20101205): postscreen hung up due to
incorrect output error test. File: postscreen/postscreen_send.c.
Cleanup: the undisclosed_recipients_header default value
is now the empty string. The Internet mail RFCs have supported
messages without recipient header for almost 10 years now.
File: global/mail_params.h.
Cleanup: use strtol() instead of sscanf() for consistent
handling of out-of-range numbers. Files: global/cfg_parser.c,
global/conv_time.c, global/mail_conf_int.c,
global/mail_conf_long.c, global/mail_conf_nint.c.
Cleanup: eliminated the code that copied TLS protocol
messages between the OpenSSL TLS engine and the network.
This change hopefully simplifies the TLS library enough
that it can be used in an event-driven TLS proxy in front
of postscreen. Files: tls/tls_bio.c, tls/tls_server.c,
tls/tls_client.c.
This change eliminates an obscure bug where the SMTP server
would wait for another $smtpd_timeout seconds after sending
the "421 Error: timeout exceeded" message to the client.
Cleanup: simplified the VSTREAM "large buffer" support by
dropping the Postfix 2.4 "binary compatibility" requirement.
Files: util/vstream.c, util/vstream.h.
Cleanup: the SMTP client PIPELINING code did not account
for TLS protocol overhead. This could (only in theory)
result in deadlock when the remote SMTP server announces a
very small receive window after the client and server have
synchronized their SMTP state. Victor Duchovni. File:
smtp/smtp_proto.c.
Feature: with "tls_preempt_cipherlist = yes" the Postfix
SMTP server will preempt the remote SMTP client's cipher
preference order. This requires OpenSSL 0.9.7 and later.
Victor Duchovni. Files: src/smtpd/smtpd.c, src/tls/tls_server.c,
proto/TLS_README.html, proto/postconf.proto.
Future proofing: specify "tls_disable_workarounds = a list
or bit-mask of OpenSSL bug work-arounds to disable". This
may become necessary when a bug workaround is found to cause
problems (security or interoperability). Victor Duchovni.
Files: tls/tls_misc.c, proto/TLS_README.html, proto/postconf.proto.
Infrastructure: extended name_mask module feature set with
extensive documentation and 32-bit regression tests. Victor
and Wietse. File: util/name_mask.[hc].
Cleanup: sanitized the name_mask API so that errors will be
ignored only upon explicit request. Files: util/name_mask.[hc],
src/global/ehlo_mask.c, src/smtp/smtp_proto.c,
src/util/name_mask.c, src/xsasl/xsasl_dovecot_server.c.
Cleanup: more TLS overhead horrors for the SMTP client's
PIPELINING engine. Wietse and Victor. File: smtp/smtp_proto.c.
Cleanup: the SMTP client logic for pipelining the "." and
"QUIT" commands was bogus - the pipelining engine could not
know how much unacknowledged data is pending in the local
TCP stack. We now ignore the buffer check for sending
"QUIT" after ".". Wietse and Victor. File: smtp/smtp_proto.c.
Cleanup: the Postfix SMTP server now always refreshes the
SASL authentication mechanism list after STARTTLS. Some
Dovecot versions may change their responses when they know
that the SMTP connection is encrypted. File: smtpd/smtpd.c.
Cleanup: the smtpd_starttls_timeout default value is now
stress-dependent. Files: global/mail_params.h,
proto/postconf.proto.
Compatibility: postscreen_discard_ehlo_keyword(s|maps)
support for compatibility with smtpd_discard_ehlo_keyword(s|maps).
Files: postscreen/postscreen_smtpd.c.
Feature: STARTTLS support for the postscreen(8) daemon.
With early testing feedback from Victor Duchovni and Ralf
Hildebrandt. Files: postscreen/postscreen_smtpd,
postscreen/postscreen_starttls.c.
Feature: event-driven tlsproxy(8) daemon that translates
TLS <=> plaintext for postscreen(8). One tlsproxy(8) process
can translate traffic for multiple remote SMTP clients.
With early testing feedback from Victor Duchovni and Christian
Roessner. Files: util/nbbio.[hc], tlsproxy/*.[hc],
postscreen/postscreen_starttlsd.c, postscreen/postscreen_smtpd.c.
Cleanup: missing tls_level support in tlsproxy (it has no
way to send plaintext, but perhaps an informative error
message is in order anyway). File: tlsproxy/tlsproxy.c.
Cleanup: simplified the handling of throttled output (i.e.
output that can't be sent because the receiver tries to be
nasty). File: postscreen/postscreen_send.c.
Feature: add contact information to each SMTP server reject
message. For example, "smtpd_reject_footer = call 800-555-0101
for assistance", with macro expansion and with multi-line
support. Files: global/mail_params.h, mantools/postlink,
proto/postconf.proto, smtpd/smtpd.c, smtpd/smtpd_chat.c,
smtpd/smtpd_expand.[hc], util/mac_expand.[hc].
Cleanup: the forest of TLS-related booleans was shrunk.
Victor Duchovni. Files: smtpd/smtpd.c, postscreen/postscreen.c,
postscreen/postscreen_smtpd.c, tlsproxy/tlsproxy.c.
Non-production: tlsproxy support in the Postfix SMTP server
for stress testing of the tlsproxy daemon (#ifdef TLSPROXY).
Seen from outside, Postfix works just as if it has TLS
support built into in smtpd(8). Files: smtpd/smtpd.c,
tls/tls_proxy*.[hc], tlsproxy/tlsproxy.c, util/vstream.[hc].
Bugfix (introduced with the Postfix TLS patch): discard
plaintext following the STARTTLS command or response. This
matters only for the minority of SMTP clients that actually
verify server certificates. Files: smtpd/smtpd.c,
smtp/smtp_proto.c.
Non-production: cleaned up the tlsproxy support in the
Postfix SMTP server for stress testing of the tlsproxy
daemon (still #ifdef TLSPROXY). File: smtpd/smtpd.c.
Cleanup: smtpd_reject_contact_information is renamed to
smtpd_reject_footer, because it can be used for non-contact
information.
Compatibility: postscreen_reject_footer support for
compatibility with smtpd_reject_footer. Files:
global/smtp_reply_footer.[hc], global/mail_conf.[hc],
postscreen/postscreen_expand.c, postscreen/postscreen_send.c,
postscreen/postscreen.c, smtpd/smtpd_chat.c.
Compatibility: postscreen_command_filter support for
compatibility with smtpd_command_filter. Files:
postscreen/postscreen_dict.c, postscreen/postscreen_smtpd.c
Cleanup: postscreen(8) now displays control characters in
PREGREET responses as C-style \letter escapes, instead of
"?". File: postscreen/postscreen_early.c.
Cleanup: Solaris support for "pass" (file descriptor passing
based) services in master.cf. This was needed by postscreen(8).
Also, renamed upass_xxx.c to unix_pass_xxx.c. One-character
prefixes are too short. Removed upass_connect.c because it
was useless code. Files: util/stream_pass_connect.c,
util/unix_pass_listen.c, util/unix_pass_trigger.c.
Bugfix (introduced Postfix 2.4): on Solaris the Postfix
event engine was deaf for SIGHUP and SIGALRM signals after
the switch to /dev/poll. Symptoms were delayed "postfix
reload" response, and killed processes when the watchdog
timeout was less than max_idle. The fix is to set up SIGHUP
and SIGALRM handlers that write to a pipe, and to monitor
that pipe for read events via the Postfix event engine.
Files: master/master_sig.c, util/watchdog.c, util/sys_defs.h.
Cleanup: replaced the postscreen(8) separate blacklist and
whitelist lookup tables by one postscreen_access_list table.
See postconf(5) and POSTSCREEN_README for examples. Files:
postscreen/postscreen_access.c, postscreen/postscreen.c,
proto/postconf.proto, proto/POSTSCREEN_README.html.
Cleanup: suspend/resume logic for postscreen(8) SMTP sessions
that temporarily switch control to an external program such
as tlsproxy, or perhaps a future policy plugin. Files:
postscreen/postscreen_smtpd, postscreen/postscreen_starttls.c.
Cleanup: ps_cache and psc_cache are now postscreen_cache.
There is no need for obscure name abbrevations. File:
src/global/mail_params.h.
Workaround: malloc fuzz (safety margin for malloc requests).
Files: util/sys_defs.h, util/mymalloc.c.
Cleanup: dnsblog_service_name and tlsproxy_service_name are
now configurable, in case someone needs this. Files:
global/mail_params.h, postscreen/postscreen.c, mantools/postlink,
proto/postconf.proto.
Cleanup: soft_bounce support for postscreen(8). Files:
postscreen/postscreen_smtpd.c, postscreen/postscreen_send.c.
Cleanup: for smtpd(8) compatibility, postscreen(8) now
strips deprecated route address prefixes from email addresses
(@here,@there:user@example becomes user@example). This is
primarily to make postscreen(8) logging more similar to
that of smtpd(8). File: postscreen/postscreen_smtpd.c.
Cleanup: documentation, in preparation for the Postfix 2.8
stable release.
Bugfix (introduced Postfix alpha, or thereabouts): on HP-UX
the Postfix event engine was deaf for SIGALRM signals.
Symptoms were killed processes when the watchdog timeout
was less than max_idle. The fix is the same as Solaris fix
20110109. Since we can't know what other systems need this,
the workaround is enabled by default. Files: util/sys_defs.h.
Cleanup: "smtpd_tls_eecdh_grade = strong" by default, instead
of snapshot-only. File: global/mail_params.h, proto/postconf.proto.
Cleanup: missing "#include <errno.h>" in util/watchdog.c.
Bugfix: when compiled without -DUSE_TLS, tlsproxy used the
wrong server skeleton (multi_server instead of event_server).
File: tlsproxy/tlsproxy.c.
Workaround: added a panic check for code that is mis-compiled
by the HP-UX compiler. File: postscreen/postscreen.c,
postscreen/postscreen.h, postscreen/postscreen_state.c.
16499
16500
16501
16502
16503
16504
16505
16506
16507
16508
16509
16510
16511
16512
16513
16514
16515
16516
Bugfix: the tls_disable_workarounds word list only included
workarounds in SSL_OP_ALL. Problem report by Steve Jenkins,
problem fix by Victor Duchovni. File: tls/tls_misc.c.
Last-minute incompatible syntax change: Postfix now uses
";" instead of "," to separate DNSBL/DNSWL address filter
fields inside "[]". The compatibility break is not an issue,
because the syntax never worked in main.cf. Problem reported
by Mark Martinec. Files: util/ip_match.c, util/ip_match.in,
util/ip_match.ref, proto/postconf.proto.
Cleanup: postscreen now monitors the AVERAGE latency of
table access, and complains at most once per minute. File:
postscreen/postscreen_dict.c.
Bugfix: support for the "dunno" command somehow disappeared
from the postscreen_access_list implementation. File:
postscreen/postscreen_access.c.
16517
16518
16519
16520
16521
16522
16523
16524
16525
16526
16527
16528
16529
16530
16531
16532
16533
16534
16535
16536
16537
16538
16539
16540
20110123
Cleanup: remove #ifdef MIGRATION_WARNING transitional code
from postscreen. File: postscreen/postscreen.c.
20110201
Cleanup: when verifying that the client_address->client_name
lookup result resolves to the client_address, request
hostname->address lookup with the same protocol family (IPv4
or IPv6) as the client_address. Files: util/myaddrinfo.[hc],
smtpd/smtpd_peer.c, qmqpd/qmqpd_peer.c.
20110207
Bugfix (introduced Postfix 2.8): segfault with smtpd_tls_loglevel
>= 3. Files: tls/tls_server.c, tls.h, smtpd.c, tlsproxy.c.
20110216
Cleanup: don't log a "connection reset by peer" warning
when postscreen(8) tries to send a server response. File:
postscreen/postscreen_send.c.
16541
16542
16543
16544
16545
16546
16547
16548
16549
16550
16551
16552
16553
16554
16555
16556
16557
16558
16559
16560
16561
16562
16563
16564
16565
16566
16567
16568
16569
16570
16571
20110225
Workaround (problem introduced with IPv6 support in Postfix
2.2): the SMTP client did not support mail to [ipv6:ipv6addr].
Fix based on a patch by Gurusamy Sarathy (Sophos). File:
util/host_port.c and regression test files.
20110227
Portability: FreeBSD closefrom() support time window. Sahil
Tandon. File: util/sys_defs.h.
20110313
Bugfix (introduced Postfix 2.8): postscreen DNSBL scoring
error. When a client disconnected and then reconnected
before all DNSBL results for the earlier session arrived,
DNSBL results for the earlier session would be added to the
score for the later session. Problem report by Larry Vaden.
Files: dnsblog/dnsblog.c, postscreen/postscreen_dnsbl.c.
Cleanup: protocol description in dnsblog(8) manpage. File:
dnsblog/dnsblog.c.
20110314
Portability: the SUN compiler had trouble with a pointer
expression of the form ``("text1" "text2") + constant'' so
we don't try to be so clever. Fix by Victor Duchovni. File:
global/mail_params.h.
20110411
Cleanup: postscreen(8) and verify(8) daemons now lock their
respective cache file exclusively upon open, to avoid massive
cache corruption by unsupported sharing. Files: util/dict.h,
util/dict_open.c, verify/verify.c, postscreen/postscreen.c.
20110414
Bugfix (introduced with Postfix SASL patch 20000314): don't
reuse a server SASL handle after authentication failure.
Problem reported by Thomas Jarosch of Intra2net AG. File:
smtpd/smtpd_proto.c.