Simply changing every data object size or offset to size_t
(which is unsigned!) would be dangerous. A lot of code was
written assuming signed arithmetic and rejects negative
lengths, which can happen as the result of integer overflow.
Portability: on LP64 systems, integer expressions are int,
but sizeof() and pointer difference expressions are larger.
The above changes fixed a few discrepancies with function
calls where *size_t was passed while the old code expected
an int: clean_env() versus argv_addn(), and code that sent
binary blobs via the TLS session cache manager protocol.
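The hazard described in the size_t entry above, as an added example (not Postfix source code; all function names here are hypothetical). It contrasts a signed length check, a mechanical size_t conversion of the same check, and an unsigned check written so that it cannot wrap, plus a checked narrowing for the LP64 case where a size_t value has to pass through an int parameter.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Signed style, as in the older code: a negative length is the visible
 * symptom of an earlier overflow, and it is rejected outright. */
static int accept_len_signed(ptrdiff_t cap, ptrdiff_t len)
{
    if (cap <= 0 || len < 0)
        return 0;
    return len < cap;                   /* room for len bytes + terminator */
}

/* Mechanical conversion to size_t: a "len < 0" test would always be
 * false, and "len + 1" wraps around to 0 when len is SIZE_MAX. */
static int accept_len_naive_unsigned(size_t cap, size_t len)
{
    return len + 1 <= cap;
}

/* Unsigned style done deliberately: no arithmetic on the untrusted
 * value, so there is nothing that can wrap. */
static int accept_len_checked_unsigned(size_t cap, size_t len)
{
    return cap > 0 && len <= cap - 1;
}

/* LP64: size_t is wider than int. Refuse instead of truncating when a
 * size must be handed to an API that still takes an int. */
static int size_to_int(size_t n, int *out)
{
    if (n > (size_t) INT_MAX)
        return -1;
    *out = (int) n;
    return 0;
}

int main(void)
{
    /* Constructed input: -1 stands for a length that overflowed earlier. */
    ptrdiff_t bad_signed = -1;
    size_t bad_unsigned = (size_t) bad_signed;      /* becomes SIZE_MAX */
    int narrowed = 0;

    printf("signed check accepts -1:          %d\n",
           accept_len_signed(64, bad_signed));
    printf("naive size_t check accepts it:    %d\n",
           accept_len_naive_unsigned(64, bad_unsigned));
    printf("checked size_t check accepts it:  %d\n",
           accept_len_checked_unsigned(64, bad_unsigned));
    printf("INT_MAX + 1 narrows to int:       %d\n",
           size_to_int((size_t) INT_MAX + 1u, &narrowed));
    return 0;
}
```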
20050711
Bugfix: don't include <> when auto-generating an ORCPT
address from a client RCPT TO command. File: smtpd.c.
20050712
Cleanup: cleanup_out_recipient() still generated DSN records
that were incompatible with pre-DSN Postfix versions. File:
cleanup/cleanup_out_recipient.c.
20050716
Bugfix: the smtpd_sasl_authenticated_header code did not
check if SASL was actually enabled. File: smtpd/smtpd.c.
20050720
Feature: reverse client hostname. This is set at connection
time with information from the SMTP client address->name
mapping, and can be overruled with the REVERSE_NAME attribute
in the XCLIENT command. File: smtpd/smtpd_peer.c.
Cleanup: renaming of several confusing restriction names:
reject_unknown_client -> reject_unknown_client_hostname,
reject_unknown_hostname -> reject_unknown_helo_hostname,
reject_invalid_hostname -> reject_invalid_helo_hostname,
and reject_non_fqdn_hostname -> reject_non_fqdn_helo_hostname.
The old names are still recognized and documented. Files:
global/mail_params.h, smtpd/smtpd.c, smtpd/smtpd_check.c.
Feature: reject_unknown_reverse_client_hostname. This rejects
clients that have no address to name mapping (unlike the
reject_unknown_client_hostname feature which requires that
the address->name and name->address mappings resolve to the
client IP address). Files: global/mail_params.h,
smtpd/smtpd_peer.c, smtpd/smtpd.c, smtpd/smtpd_check.c.
20050726
Horror: total rewrite of DNS client error handling because
some misguided proposal attempts to give special meaning
to some syntactically invalid MX hostname lookup result.
Not only that, people expect sensible results with
reject_unknown_sender_domain etc. Files: dns/dns_lookup.c,
smtp/smtp_addr.c, smtpd/smtpd_check.c, lmtp/lmtp_addr.c.
Cleanup: HOLD action executes only once, to reduce noise
in the logfile. Files: cleanup/cleanup_message.c, smtpd/smtpd.c.
20050806
Workaround: accept(2) fails with EPROTO when the client
already disconnected (SunOS 5.5.1). File: sane_accept.c.
20050815
Workaround: old Solaris compilers can't link an archive
without globally visible symbols. File: tls/tls_misc.c.
20050825
Feature: message_reject_characters and message_strip_characters
specify what characters in message content Postfix will
reject or remove. Based on patch by John Fawcett. Files:
cleanup/cleanup_message.c, cleanup/cleanup_init.c.
Safety: when the cleanup server rejects the content of mail
that is submitted with the Postfix sendmail command, or
re-queued with "postsuper -r", strip the message body from
the bounce message to reduce the risks from harmful content.
Files: cleanup/cleanup_envelope.c, cleanup/cleanup_bounce.c.
Feature: the smtpd_proxy_filter parameter value can now be
prefixed with "unix:" (for UNIX-domain socket) and "inet:"
(for TCP socket). TCP sockets are the default. Patch by
Edwin Kremer. File: smtpd/smtpd_proxy.c.
20050828
Bugfix: after adding DSN support, error notification was
broken for too large mail that was submitted with the Postfix
sendmail command, forwarded by the local(8) delivery agent,
or re-queued with "postsuper -r". The message would be saved
to the "corrupt" queue.
The mistake was to leave the truncated message in the
incoming queue and to ask the queue manager to notify the
sender; this was not possible because the queue manager
cannot (and should not) handle truncated queue files.
The fix is to have the cleanup server send the bounce
message, just like it did before DSN support was added. As
a side effect, Postfix will no longer send DSN_SUCCESS
notices after virtual aliasing, when the cleanup server
bounces all the recipients of the message anyway. This
could be called a feature. File: cleanup/cleanup_bounce.c.
Also needed for this fix: a new vstream_fpurge() routine
that discards unread/written data from a VSTREAM. It's
needed before cleanup_bounce() can seek to the start of the
queue file after a file size error. File: util/vstream.c.
20050920
Cleanup: removed the legacy "tls_info" structure, factored
out common code for peer_CN and issuer_CN lookup, and added
sanity check to not verify subject common names that contain
nulls or that are excessively long. Patch by Victor Duchovni.
Files: tls_client.c, tls_server.c, tls_session.c, tls_misc.c,
tls_verify.c.
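Why a common name with an embedded null must not be verified, as an added example (not the Postfix TLS code; the function names, the CN_MAX_LEN limit of 256 and the sample names are assumptions made for illustration). A certificate string is length-counted, so a C-string comparison sees only the part before the first null byte.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CN_MAX_LEN 256          /* hypothetical "excessively long" limit */

enum cn_status { CN_OK = 0, CN_HAS_NUL = 1, CN_TOO_LONG = 2 };

/* Constructed samples. The forged name hides a suffix behind a null. */
static const unsigned char GOOD_CN[] = "mail.example.com";
static const unsigned char FORGED_CN[] = "mail.example.com\0.example.net";
#define GOOD_CN_LEN   (sizeof GOOD_CN - 1)
#define FORGED_CN_LEN (sizeof FORGED_CN - 1)

/* Sanity check on the length-counted name, before any matching. */
static enum cn_status cn_sanity(const unsigned char *data, size_t len)
{
    if (len > CN_MAX_LEN)
        return CN_TOO_LONG;
    if (memchr(data, 0, len) != NULL)
        return CN_HAS_NUL;
    return CN_OK;
}

/* What goes wrong without the check: strcmp() ignores the counted
 * length and stops at the first null byte. */
static int cn_matches_naive(const unsigned char *data, const char *expected)
{
    return strcmp((const char *) data, expected) == 0;
}

/* ASCII case-insensitive comparison over exactly len bytes. */
static int ascii_ieq(const unsigned char *a, const char *b, size_t len)
{
    size_t i;

    for (i = 0; i < len; i++)
        if (tolower(a[i]) != tolower((unsigned char) b[i]))
            return 0;
    return 1;
}

/* Match only names that pass the sanity check, over their full length. */
static int cn_matches_checked(const unsigned char *data, size_t len,
                              const char *expected)
{
    if (cn_sanity(data, len) != CN_OK)
        return 0;
    return strlen(expected) == len && ascii_ieq(data, expected, len);
}

int main(void)
{
    const char *want = "mail.example.com";

    printf("forged, naive match:   %d\n", cn_matches_naive(FORGED_CN, want));
    printf("forged, checked match: %d\n",
           cn_matches_checked(FORGED_CN, FORGED_CN_LEN, want));
    printf("good, checked match:   %d\n",
           cn_matches_checked(GOOD_CN, GOOD_CN_LEN, want));
    return 0;
}
```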
20050922
Bugfix: the *SQL clients did not uniformly choose the
database host from the available pool of servers due to an
off-by-one error, so that the "last" available server was
not selected. Leandro Santi. Files: dict_mysql.c, dict_pgsql.c.
Update: common code factored out into db_common.c, and
adoption of Liviu Daia's connection aware MySQL quoting.
Patch by Victor Duchovni. Files: dict_ldap.c, dict_mysql.c,
dict_pgsql.c, db_common.c.
20050923
Safety: don't update the local(8) delivery agent's idea of
the Delivered-To: address while expanding aliases or .forward
files. When an alias or .forward file changes the Delivered-To:
address, it ties up one queue file and one cleanup process
instance while mail is being forwarded. To get the old
behavior, specify "frozen_delivered_to = no". Problem
reported by Michael Tokarev, but found independently by
others. Files: local/local.c, local/aliases.c, local/dotforward.c,
local/mailbox.c, local/maildir.c.
Logging: additional SASL debug logging by Andreas Winkelmann.
Files: */*sasl_glue.c.
20050929
Paranoia: don't ignore garbage in SMTP or LMTP server replies
when ESMTP command pipelining is turned on. For example,
after sending ".<CR><LF>QUIT<CR><LF>", Postfix could recognize
the server's 2XX QUIT reply as a 2XX END-OF-DATA reply after
garbage, causing mail to be lost. The SMTP and LMTP clients
now report a remote protocol error and defer delivery.
Files: smtp/smtp_chat.c, smtp/smtp_trouble.c, lmtp/lmtp_chat.c,
lmtp/lmtp_trouble.c.
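The pipelining failure described in the 20050929 entry above, as an added example (not the smtp_chat.c code; the function names, outcome values and sample server replies are constructed for illustration). A reader that skips lines it cannot parse takes the QUIT reply for the END-OF-DATA reply; a strict reader reports a protocol error so that delivery is deferred.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

enum outcome { DELIVERED, BOUNCED, DEFERRED, PROTOCOL_ERROR };

/* Constructed server output after the client pipelined ".", then QUIT. */
static const char *const NORMAL[] = {
    "250 2.0.0 Ok: queued", "221 2.0.0 Bye",
};
static const char *const GARBLED[] = {
    "Internal error: cannot write queue file", "221 2.0.0 Bye",
};

/* Return the 3-digit code if the line has reply syntax, else -1.
 * *more is set for a "NNN-" continuation line. */
static int parse_reply_line(const char *line, int *more)
{
    if (!isdigit((unsigned char) line[0])
        || !isdigit((unsigned char) line[1])
        || !isdigit((unsigned char) line[2]))
        return -1;
    if (line[3] != ' ' && line[3] != '-' && line[3] != '\0')
        return -1;
    *more = (line[3] == '-');
    return (line[0] - '0') * 100 + (line[1] - '0') * 10 + (line[2] - '0');
}

/* Read one complete reply starting at *pos. With skip_garbage set,
 * unparsable lines are silently ignored (the old, unsafe behaviour). */
static int next_reply(const char *const *lines, size_t n, size_t *pos,
                      int skip_garbage)
{
    while (*pos < n) {
        int more = 0;
        int code = parse_reply_line(lines[(*pos)++], &more);

        if (code < 0) {
            if (skip_garbage)
                continue;
            return -1;
        }
        if (!more)
            return code;
    }
    return -1;                          /* ran out of input */
}

/* Decide what happened to the message from the reply to ".". */
static enum outcome end_of_data_outcome(const char *const *lines, size_t n,
                                        int skip_garbage)
{
    size_t pos = 0;
    int code = next_reply(lines, n, &pos, skip_garbage);

    if (code < 0)
        return PROTOCOL_ERROR;          /* caller defers delivery */
    switch (code / 100) {
    case 2: return DELIVERED;
    case 4: return DEFERRED;
    case 5: return BOUNCED;
    default: return PROTOCOL_ERROR;
    }
}

int main(void)
{
    printf("garbled, skipping garbage: %d (0 = DELIVERED, mail lost)\n",
           end_of_data_outcome(GARBLED, 2, 1));
    printf("garbled, strict:           %d (3 = PROTOCOL_ERROR)\n",
           end_of_data_outcome(GARBLED, 2, 0));
    printf("normal, strict:            %d\n",
           end_of_data_outcome(NORMAL, 2, 0));
    return 0;
}
```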
Performance: specify "smtpd_peername_lookup = no" to disable
client hostname lookups in the SMTP server. All clients are
treated as "unknown". This should be used only under extreme
conditions where DNS lookup latencies are critical. File:
smtpd/smtpd_peer.c.
20051010
Feature: smtpd_client_new_tls_session_rate_limit parameter
to limit the number of new (i.e. uncached) TLS sessions
that a remote SMTP client may negotiate per unit time. This
feature, which is off by default, can limit the CPU load
due to expensive crypto operations. Files: global/anvil_clnt.c,
anvil/anvil.c, smtpd/smtpd.c.
Cleanup: eliminated massive code duplication in the anvil
server that resulted from adding similar features one at a
time. File: anvil/anvil.c.
20051011
Bugfix: raise the "policy violation" flag when a client
request exceeds a concurrency or rate limit. File:
smtpd/smtpd.c.
Bugfix (cut-and-paste error): don't reply with 421 (too
many MAIL FROM or RCPT TO commands) when we aren't closing
the connection. File: smtpd/smtpd.c.
20051012
Polishing: content of comments and sequence of code blocks
in the anvil server, TLS request rate error message in the
smtp server, and documentation, but no changes in code.
Files: anvil/anvil.c, smtpd/smtpd.c.
Horror: some systems have basename() and dirname() and some
don't; some implementations modify their input and some
don't; and some implementations use a private buffer that
is overwritten upon the next call. Postfix will use its own
safer versions called sane_basename() and sane_dirname().
These never modify the input, and allow the caller to control
how memory is allocated for the result. File:
util/sane_basename.c.
Feature: "sendmail -C path-to-main.cf" and "sendmail -C
config_directory" now do what one would expect. File:
sendmail/sendmail.c.
Bugfix: don't do smtpd_end_of_data_restrictions after the
transaction failed due to, e.g., a write error. File:
smtpd/smtpd.c.
Cleanup: the SMTP server now enforces the message_size_limit
even when the client did not send SIZE information with the
MAIL FROM command. This protects before-queue content
filters against over-size messages. File: smtpd/smtpd.c.
20051017
Bugfix: after DSN support was added, smtp_skip_5xx_greeting
no longer recognized a 5xx SMTP status as a 4xx one. Found
by Ralf Hildebrandt. Fix: use the enhanced status code
instead of the SMTP reply code to choose between permanent
or transient errors. File: smtp/smtp_trouble.c.
Feature: smtp-sink can hard-reject, soft-reject or simply
drop connection requests. File: smtpstone/smtp-sink.c.
Documentation: clarified the processing of server replies,
specifically the reply code and the enhanced status code,
in smtp_chat.c.
20051024
Performance: new smtp_connection_reuse_time_limit parameter to
limit connection reuse by elapsed time, instead of limiting
the number of deliveries per connection. Bounding by time
favors delivery over connections that perform well, while
bounding by number of deliveries allows slow connections
to drag down the performance. Insight and initial
implementation by Victor Duchovni, Morgan Stanley. Files:
smtp_connect.c, smtp_session.c.
Bugfix: the next-hop logical destination information for
connection caching was reset only after a good non-TLS
connection, so that cached connections to non-TLS backup
servers could suck away traffic from TLS primary servers
(the Postfix SMTP client cannot cache an open TLS connection).
Found during code review. This is fixed with multi-valued
connection caching state: expired, cachable, non-cachable,
and bad. Files: smtp_connect.c, smtp_trouble.c.
Bugfix: adding support for "sendmail -C" broke "sendmail
-q". File: sendmail/sendmail.c.
20051101
Migration from a single "arrival time" stamp to a structure
with time stamps from different stages of message delivery.
The first iteration merely replaces "arrival time" stamps
by a structure or pointer to structure, and uses only the
arrival time field of that structure. This is an extensive
but straightforward transformation, based on example by
Victor Duchovni, Morgan Stanley. Files: anything that
invokes bounce_append etc., the log_adhoc module, and
anything that sends or receives a delivery request.
20051102
Completion of support for time stamps from different stages
of message delivery. The information is now logged as
"delays=a/b/c/d" where a=time before queue manager, including
message transmission; b=time in queue manager; c=connection
setup including DNS, HELO and TLS; d=message transmission
time. Unlike Victor's example which used time differences,
this implementation uses absolute times. The decision of
what numbers to subtract actually depends on program history,
so we want to do it in one place. Files: global/log_adhoc.c,
smtp/smtp_connect.c, smtp/smtp_proto.c, smtp/smtp_trouble.c,
lmtp/lmtp_proto.c, lmtp/lmtp_trouble.c.
20051103
Refinement of time stamping and delays formatting. The
hand-off time is now stamped in the delivery agent, so that
time is properly attributed when a transport is saturated
or throttled. Delays are now logged if larger than 0.01
second. Files: *qmgr/qmgr_deliver.c, global/deliver_request.c,
global/log_adhoc.c.
20051104
New parameter delay_logging_time_resolution (default: 10000
microseconds, or 0.01 second) that controls the detail in
the new "delays=a/b/c/d" logging. Specify a power of 10
in the range from 1 to 100000. File: global/log_adhoc.c.
Parameter renamed 20051108.
20051105
All delay logging now has sub-second resolution. This means
updating all code that reads or updates the records that
specify when mail arrived, and ensuring that mail submitted
with older Postfix versions produces sensible results.
Files: global/post_mail.c, global/mail_timeofday.[hc],
global/log_adhoc.c, postdrop/postdrop.c, pickup/pickup.c,
cleanup/cleanup_envelope.c, cleanup/cleanup_message.c,
smtpd/smtpd.c, qmqpd/qmqpd.c, *qmgr/qmgr_message.c,
*qmgr/qmgr_active.c, local/forward.c.
20051106
The SMTP client logs the remote server port in the form of
relay=hostname[hostaddr]:port to the local maillog file.
The port number is NOT included in DSN status reports,
because remote users have no need to know such internal
information. Files: smtp/smtp_session.c, smtp/smtp_proto.c,
smtp/smtp_trouble.c.
Cleanup: encapsulated queue file time read/write operations
with a few simple macros, to make future changes in time
representation less painful.
Cleanup: eliminated floating point operations from the
ad-hoc delay logging code. Files: util/format_tv.[hc],
global/log_adhoc.c.
The delay logging resolution is now controlled with the
delay_logging_resolution_limit parameter, which specifies
the maximal number of digits after the decimal point.
Bugfix: two messages could get the same message ID due to
a race condition. This time window was increased when queue
file creation was postponed from MAIL FROM until the first
accepted RCPT TO. The window is closed again. Found by
Victor. Files: global/mail_stream.c, global/mail_queue.c,
cleanup/cleanup_message.c.
20051109
qshape.pl updated for extra microsecond time field in Postfix
queue files.
Cleanup: removed obsolete code that handles rejected/dropped
connections before the HELO handshake. File: smtp/smtp_connect.c.
Bugfix: XCLIENT broke when reverse hostname support was added.
Fix by Tomoyuki Sakurai. File: smtpd/smtpd.c.
20051110
Workaround: don't set the delay warning timer for messages
from inside or from outside that have the null sender as
recipient. This was a waste of time, because the warning
would always be discarded. File: cleanup/cleanup_envelope.c.
Feature: the built-in mail delivery status notification
text is now implemented by built-in templates. Files:
bounce/bounce_template.c, bounce/bounce_notify_util.c.
20051112
Feature: configurable bounce message templates based on
contribution by Nicolas Riendeau. I kept the general format
of his templates, but placed them together in one file to
reduce process initialization overhead (most requests to
the bounce daemon are not for sending bounce messages).
Files: bounce/bounce_template.c, bounce/dict_ml.c (to be
moved to library if useful enough). A sample bounce message
template file is installed as $config_directory/bounce.cf.default.
20051113
Feature: "postconf -b filename" to preview the non-default
bounce message templates with $name expansions in the text.
The actual work is of course done by the bounce daemon.
20051114
Feature: -V option to make Postfix daemons log to stderr.
This is used when a daemon is invoked in stand-alone mode
by a (non-daemon) command.
Feature: "postconf -t" displays DSN templates, headers and
all; use "postconf -t ''" to view built-ins.
Cleanup: renamed fail_template into failure_template.
20051117
Cleanup: bounce template code reorg, no functionality change.
Files: bounce/bounce_template.[hc], bounce/bounce_templates.c,
bounce/bounce_notify_util.c.
20051118
Bugfix: new bounce template code did not return after
template syntax error. File: bounce/bounce_template.c.
Safety: permit_mx_backup now requires that the local MTA
is not listed as primary MX for the recipient domain. This
prevents mail loops when someone points the primary MX
record to Postfix.
Workaround: some SMTP servers announce multiple but different
lists of SASL methods. Postfix now concatenates the lists
instead of logging a warning and remembering only one. File:
smtp/smtp_sasl_proto.c.
Bugfix: the queue manager did not write a per-recipient
defer logfile record when the delivery agent crashed between
receiving a delivery request, and reporting the delivery
status to the queue manager. Found while redesigning the
code that handles unavailable transports or destinations.
Files: *qmgr/qmgr_deliver.c.
20051121
Workaround: do not build the bounce.cf.default template
while compiling Postfix - it breaks when the default
mail_owner etc. accounts don't exist. Reported by Liviu
Daia.
Compatibility: added permit_auth_destination emulation to
the permit_mx_backup feature. This avoids surprises with
sites that used permit_mx_backup to authorize all their
incoming mail.
20051122-24
Feature: sender_dependent_relayhost_maps, lookup tables that specify
a sender-dependent override for the relayhost parameter
setting. The lookup is done in the trivial-rewrite server,
instead of the queue manager where it does not belong.
Files: global/resolve_clnt.c, global/tok822_resolve.c,
trivial-rewrite/resolve.c, trivial-rewrite/transport.c,
*qmgr/qmgr_message.c.
Also: address_verify_sender_dependent_relayhost_maps for
completeness.
20051124
Feature: specify "smtp_sender_dependent_authentication =
yes" to enable sender-dependent SASL passwords. This disables
SMTP connection caching to ensure that mail from different
senders is delivered with the appropriate credentials. This
is an extended version of a patch by Mathias Hasselmann.
Files: smtp/smtp_connect.c, smtp/smtp_sasl_glue.c.
Workaround: log warning when REDIRECT or FILTER are used
in smtpd_end_of_data_restrictions. File: smtpd/smtpd_check.c.
Log warning when REDIRECT, FILTER, HOLD and DISCARD are
used in smtpd_etrn_restrictions. File: smtpd/smtpd_check.c.
20051128
Bugfix: moved code around from one place to another to make
REDIRECT, FILTER, HOLD and DISCARD access(5) table actions
work in smtpd_end_of_data_restrictions. PREPEND will not
be fixed; it must be specified before the message content
is received. Files: smtpd/smtpd.c, smtpd/smtpd_check.c,
cleanup/cleanup_extracted.c, pickup/pickup.c.
Safety: abort if the SMTP or QMQP server runs with non-postfix
privileges while it's connected to the network. Files:
smtpd/smtpd_peer.c, qmqpd/qmqpd_peer.c.
20051201
Bugfix: the LMTP client would reuse a session after negative
reply to the RSET command (which may happen when client and
server somehow get out of sync). Problem found by Christian
Theune. Files: lmtp/lmtp.c, lmtp/lmtp_proto.c.
20051202
Bugfix: the 20051128 code move for "smtpd_end_of_data_restrictions"
broke "postsuper -r".
20051202-3
Cleanup: the SMTP client now also implements the LMTP
protocol. Files: smtp/smtp.c, smtp/smtp_connect.c,
smtp/smtp_proto.c, smtp/smtp_dsn.c, smtp_state.c,
smtp_sasl_glue.c.
As before, the LMTP behavior is controlled with parameters
named lmtp_xxx instead of smtp_xxx. However there are now
a lot more lmtp_xxx parameters :-) With few exceptions, all
SMTP features are now also available with LMTP. The exceptions
are related to the HELO and EHLO commands, which exist in
SMTP only. There are equivalent LHLO command parameters
where it makes sense.
20051206
SMTP+LMTP client connection management code rewritten to
support UNIX-domain socket connections.
20051207
Bugfix: race condition in the connection caching protocol,
found while adding connection caching for UNIX-domain sockets
(used for LMTP delivery). This was introduced with the
20050706 workaround, and may be the same problem that Jussi
Silvennoinen experienced (in Postfix 2.2.6) with SMTP after
an upgrade. Files: scache/scache.c.
Bugfix: smtp-sink and qmqp-sink didn't ignore SIGPIPE.
Robustness: reduced timeouts in the connection caching
client, so that a malfunctioning service does not prevent
mail delivery. This uses similar code that already exists
for the anvil(8) client and the tlsmgr(8) client. Files:
global/scache_clnt.c, smtp/smtp.c.
To make reduced connection caching client timeouts possible,
connection management was moved from the attr_clnt(3) module
to the auto_clnt(3) module where it belongs. The auto_clnt(3)
module is now a full alternative for the clnt_stream(3)
module. Files: util/auto_clnt.c, util/attr_clnt.c.
Bugfix: the best_mx_transport, mailbox_transport and
fallback_transport features did not write a per-recipient
defer logfile record when the target delivery agent was
broken. This is the analog of queue manager bugfix 20051119.
Files: global/deliver_pass.c.
20051210
Cleanup: simplified the SMTP/LMTP connection management
logic for address list and fallback relay processing.
Still need to simplify deferred recipient handling.
Bugfix: after a failed TLS session, the 20051210 SMTP client
code cleanup broke sessions with backup servers, causing the
client to get out of step with the backup server. This in
turn exposed a one-year old missing exception handling
context in the EHLO handshake after sending STARTTLS. Victim
was Ralf Hildebrandt, detectives Victor Duchovni and Wietse.
File: smtp/smtp_proto.c.
Bugfix: *SQL, proxy and LDAP map types were not defined in
user-land commands such as postqueue. Leandro Santi. File:
postqueue/postqueue.c.
20051212-14
Server-side plug-in interface for SASL authentication. This
uses Cyrus SASL by default, so nothing has changed except
error messages may be more informative. Files:
smtpd/smtpd_sasl_proto.c, smtpd/smtpd_sasl_glue.c,
xsasl/xsasl_server.[hc], xsasl/cyrus_server.[hc],
xsasl/cyrus_strerror.c, xsasl/cyrus_log.c, xsasl/cyrus_security.c.
20051215
Portability: IRIX 6.5.28 defines sa_len as a macro, so it
can't be used as a variable identifier. Zach McDanel. Files:
dns/dns_rr_to_sa.c, smtpd/smtpd_peer.c, qmqpd/qmqpd_peer.c.
20051216
Cleanup: removed some scar tissue that was introduced with
server-side SASL plug-in support. Files: smtpd_sasl_proto.c,
smtpd_sasl_glue.c.
Client-side plug-in interface for SASL authentication. This
uses Cyrus SASL by default, so nothing has changed except
error messages may be more informative. Files: smtp_sasl_glue.c,
xsasl/xsasl_client.[hc], xsasl/cyrus_client.[hc].
20051217
Bugfix: when a SASL client password is required by a specific
server, defer delivery when no server-announced mechanism
survives the smtp_sasl_mechanism_filter, instead of ignoring
the SASL announcement and trying to deliver the mail over
an unauthenticated connection and risking that mail will
be rejected. File: smtp/smtp_sasl_proto.c, smtp/smtp_proto.c.
Portability: zero the "struct msg" just in case. Both purify
(Linux) and valgrind (FreeBSD) complain about uninitialized
bits. Files: util/unix_{send,recv}_fd.c.
20051219
Cleanup: generic smtpd_sasl_path, smtp_sasl_path and
lmtp_sasl_path configuration parameters; simplified the
SASL plug-in API, and made initial provisions for SASL
session encryption. Files: xsasl/*.[hc].
Feature: "postconf -a" lists the available SASL server
plug-in types, and "postconf -A" does the same for the
client. Files: postconf.c, xsasl_{client,server}.c.
Feature: new SMTPD policy attributes "encryption_protocol",
"encryption_cipher" and "encryption_keysize", to distinguish
plaintext from encrypted connections.
20051221
Privacy: the new Cyrus SASL server plug-in replaces "no
user" errors by "authentication failed" errors. File:
xsasl/xsasl_cyrus_server.c.
Safety: the Postfix SMTP client no longer uses CNAME expanded
hostnames for logging, SASL password lookup, TLS policy
decisions, or TLS certificate verification. Instead it
uses the name of the recipient domain, or the host or domain
name specified in Postfix configuration files. Of course
this won't prevent cheating with hostnames that appear in
MX lookup results. To avoid that you will have to suppress
MX lookups with explicit [hostname] entries in transport
maps. Files: dns/dns_lookup.c, dns/dns_rr.c.
20051222
Feature: Dovecot SASL authentication (server side) plug-in
by Timo Sirainen. This builds without external library
dependencies and is therefore compiled in by default.
Files: xsasl/xsasl_dovecot_server.[hc].
Safety: set the default LANG=C, instead of deleting LANG
from the environment and assuming the right thing will
happen. File: global/mail_params.h.
Safety: always add the ISASCII() requirement to the ISXXX()
macros, because they are used for protocol and policy
enforcement. File: util/sys_defs.h.
Bugfix: null pointer in the 20051219 policy delegation
crypto attributes. File: smtpd/smtpd_check.c.
Compatibility: "resolve_numeric_domain = yes" will accept
addresses with numeric domains instead of rejecting them as
invalid. Files: trivial-rewrite/resolve.c, util/vstring.c.
Bugfix: 20051219 "postconf -A" produced "postconf -a" output.
Andreas Winkelmann.
Bugfix: the regexp map cleverly avoided scanning constant
lookup results for non-existent $number expressions, but
failed to subject those results to the necessary $$ -> $
replacement. Files: util/dict_regexp.c.
Performance: the pcre map did not optimize constant lookup
results; they were always scanned for non-existent $number
expressions. File: util/dict_pcre.c.
This round of edits eliminates architectural differences
between the pcre and regexp table implementations. The
remaining difference is that regexp tables still support
the obsolete "/pattern1/!/pattern2/ action" syntax, for
backwards compatibility with Postfix 2.0 and earlier.
20051227
Bugfix: the 20051222 ISASCII paranoia broke the strcasecmp()
workaround for Solaris. File: util/strcasecmp.c.
Bitrot: SunOS4 pre-dates size_t, ssize_t, getsid(). File:
src/util/sys_defs.h. The SunOS4 tests had been suspended
due to what turned out to be a broken AUI-to-UTP transceiver.
Bugfix: the 20061226 cosmetic change broke non-IPV6 support
(example: sockaddr_to_hostaddr: Unknown error: success).
File: util/myaddrinfo.c.
20051229
The following workaround was removed 20060103.
Workaround: when mail is still queued after 3000 seconds,
the SMTP client no longer pipelines the DOT+QUIT commands.
The 20050929 paranoia about malformed server replies
eliminated a rare occurrence of "lost mail" with sites that
mis-implement DOT+QUIT pipelining, but resulted in a larger
occurrence of repeated deliveries to sites with a different
DOT+QUIT pipelining bug. The time threshold is set with the
smtp_dot_quit_workaround_threshold_time parameter. Files:
smtp/smtp_proto.c, smtp/smtp.c.
Feature: mailbox_transport_maps and fallback_transport_maps
to search delivery transports by recipient name. Files:
local/mailbox.c, local/unknown.c.
Feature: the master daemon now logs a warning when all
servers are busy that may accept remote connections, and
suggests to either increase the process count or to reduce
the service time per client. Files: master/master_ent.c,
master/master_avail.c.
20051231
Bugfix: the anvil server would terminate after "max_idle"
seconds, even when this was less than the anvil_rate_time_unit
interval. File: anvil/anvil.c.
Deleted the 20051229 dot-quit bug workaround. Automatically
deferring delivery created "no delivery" and "repeated
delivery" problems; and automatically turning off pipelining
for delayed mail was a bad workaround for a bad workaround.
The administrator still has the option to turn off pipelining
by hand if loss of mail is a concern.
Bugfix: the 20051217 fix (when a SASL client password is
found, defer delivery when no server-announced mechanism
survives the smtp_sasl_mechanism_filter) did the mechanism
test too early, so that it could trip up with deliveries
to servers that we don't have a SASL password for. Files:
smtp/smtp_sasl_proto.c, smtp/smtp_proto.c.
Safety: new "smtp_cname_overrides_servername" parameter.
The default value ("no") is NOT backwards compatible. This
avoids surprises with the hostname that is used for logging,
SASL password lookup, TLS policy decisions, or TLS certificate
verification. The change makes the 20051221 behavior more
configurable. Files: smtp/smtp_addr.c, smtp/smtp_connect.c,
proto/postconf.proto.
20060105
Cleanup: removed the unused DSN "code" attribute; removed
surrogate SMTP replies for errors that were not reported
by a remote SMTP server, making several DSN-related functions
and macros redundant; cleaned up some bizarre code for DSN
attribute memory management in the SMTP client.
20060106
Cleanup: eliminated the global smtp_errno variable, which
had become redundant after introducing DSN support. Files:
smtp/smtp_addr.c, smtp/smtp_connect.c.
20060107
Cleanup: removed more bizarre code for DSN attribute memory
management in the queue manager, bounce server, and in
delivery agents.
20060109
Bugfix: smtp_sasl_tls_opts was unimplemented. File:
smtp/smtp_sasl_proto.c.
Cleanup: more bounce logfile code cleanup. Files:
global/bounce_log.c, bounce/bounce_notify_util.c,
bounce/bounce.c, bounce/bounce_notify_verp.c,
bounce/bounce_one_service.c, showq/showq.c.
20060110
Cleanup: more bounce logfile code cleanup. Files:
global/bounce_log.c, bounce/bounce_notify_util.c.
Bugfix: the VERP bouncer never handled the case of a missing
bounce logfile. Found while doing more logfile code cleanup.
File: bounce/bounce_notify_verp.c.
Feature: smtp_sasl_tls_verified_security_options for
connections where the server certificate passed verification.
The default value is $smtp_sasl_tls_security_options, which
in turn defaults to $smtp_sasl_security_options.
Optimization: mystrdup() and mystrndup() now return a pointer
to a fixed read-only memory location instead of allocating
memory for zero-length null-terminated strings. This saves
lots of memory for unused recipient attributes. If this
change causes problems (for example, you have an ancient
sscanf() implementation that writes to its input) then
compile Postfix with -DNO_SHARED_EMPTY_STRINGS.
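The shared-empty-string technique described above, as an added sketch that is not Postfix's own code (dup_shared, ndup_shared, free_shared and is_shared_empty are hypothetical names). It shows why the release routine must recognise the shared object, and why a caller that writes through the returned pointer would be writing to read-only memory.

```c
#include <stdlib.h>
#include <string.h>

/* One shared, read-only empty string; it is never handed to free(). */
static const char shared_empty[] = "";

/* Hypothetical stand-in for mystrdup(): "" costs no allocation. */
char *dup_shared(const char *s)
{
    size_t len;
    char *copy;

    if (s == NULL)
        abort();                        /* null input is a caller bug */
    if (*s == '\0')
        return (char *) shared_empty;   /* callers must not modify this */
    len = strlen(s) + 1;
    if ((copy = malloc(len)) == NULL)
        abort();
    memcpy(copy, s, len);
    return copy;
}

/* Hypothetical stand-in for mystrndup(): copy at most n bytes. */
char *ndup_shared(const char *s, size_t n)
{
    size_t len = 0;
    char *copy;

    if (s == NULL)
        abort();
    while (len < n && s[len] != '\0')
        len++;
    if (len == 0)
        return (char *) shared_empty;
    if ((copy = malloc(len + 1)) == NULL)
        abort();
    memcpy(copy, s, len);
    copy[len] = '\0';
    return copy;
}

/* True when p is the shared object rather than heap memory. */
int is_shared_empty(const char *p) { return p == shared_empty; }

/* Matching release: returns 1 if heap memory was freed, 0 otherwise. */
int free_shared(char *p)
{
    if (p == NULL || is_shared_empty(p))
        return 0;                       /* free() here would corrupt the heap */
    free(p);
    return 1;
}
```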
Cleanup: eliminated null pointer members in DSN structures.
Instead we now use the optimized mystrdup() for empty
strings. For safety's sake we keep the tests for null pointers
in input, but we always produce empty strings on output.
Files: global/dsn.c, global/dsn.h, global/dsn_buf.h,
global/dsn_print.c.
Cleanup: eliminated ad-hoc code for passing recipients in
the queue manager delivery request protocol. Postfix now
uses proper object activation/passivation instead. Files:
*qmgr/qmgr_deliver.c, global/deliver_request.c,
global/deliver_pass.c.
20060112
Feature: to simplify debugging the bounce server logs the
old and new queue ID when notifying the sender or postmaster.
Files: global/post_mail.c, bounce/bounce_notify_service.c,
bounce/bounce_one_service.c, bounce/bounce_notify_verp.c,
bounce/bounce_warn_service.c, bounce/bounce_trace_service.c.
Fudge: when translating recipient DSN codes into sender DSN
codes, map sender address problems that have no DSN code
to *.1.7 (Bad sender's mailbox address syntax) instead of
*.1.0 (Other address status) because that loses the distinction
between sender and recipient. File: smtpd/smtpd_dsn_fix.c.
20060113
Cleanup: preserve upper case information of address localpart
or extension when mapping one address to another with
non-regexp/pcre tables. Files: global/mail_addr_find.c,
global/maps_find.c.
20060115
Bugfix: don't ignore the per-site policy when SSL library
initialization fails. Introduced after adopting the TLS
patch. File: smtp/smtp_session.c.
20060117
[withdrawn 20060126] Safety: daemon processes that need no
privileges now insist that they are configured to run without
privileges. Files: master/single_server.c, master/multi_server.c,
master/trigger_server.c.
Cleanup: preserve upper case information of address localpart
or extension when mapping addresses via regexp/pcre tables.
This requires that Postfix does not case fold the search
string when searching regexp or pcre tables, so that $number
substitutions produce the expected result.
In order to get a consistent handling of table operations,
the search string case folding logic was moved from the
application to the individual lookup table modules; the
application specifies its case folding preference when it
opens a table, and the table folds the search or update
string as needed.
Files: everything that opens a map or multiple maps (to
specify the case folding preference), and everything that
contained ad-hoc code to lowercase search strings (which
is no longer needed).
Bugfix: as a side effect of this revision of all code that
opens tables, the postmap/postalias -n/-N options are no
longer silently ignored when the -q (query) and -d (delete)
options are specified. Files: postmap/postmap.c,
postalias/postalias.c.
Safety: don't allow $number substitution in transport maps
or sender-dependent relayhost maps.
Cleanup: smtp_sasl_passwd_maps lookup keys are folded to
lowercase before searching tables such as btree:, dbm: or
hash: that have fixed-case fields. File: smtp/smtp_sasl_glue.c.
Bugfix: per-sender relayhost maps were not locked for shared
access.
20060119
Cleanup: don't look up parent domain substrings in regexp/pcre
like tables while searching a hostname in a domain/namaddr_list.
File: util/match_ops.c.
20060120
Cleanup: multiple boolean variables were replaced by a
single TLS enforcement level (none, may, encrypt, verify).
With Victor Duchovni. Files: smtp_session.c, smtp_proto.c,
smtp.h.
Cleanup: the SMTP per-site policy table was re-implemented
in terms of enforcement levels instead of multiple boolean
variables. This greatly simplified the code and led to the
elimination of non-intuitive behavior as documented next.
With Victor Duchovni. Files: smtp_session.c, smtp.h.
Bugfix: a TLS per-site MUST_NOPEERMATCH policy could not
override a main.cf MUST (with peer match) policy, while a
per-site NONE policy could.
Bugfix: a combined TLS per-site (host, next-hop) policy of
(NONE, MAY) would change the strongest main.cf MUST policy
into NONE, while it changed all weaker main.cf policies
into MAY. The result is now NONE for all main.cf policy
settings.
20060123
Feature: recipient_count attribute in SMTPD policy protocol.
This is available only in the DATA and END-OF-MESSAGE stage.
Based on code by Guo Black. Files: smtpd_check.c.
Cleanup: renamed MUMBLE_NUM to MUMBLE_INT to make type
discrepancies more explicit.
Bugfix: change 20051208 broke when a connection could not
be established. File: util/auto_clnt.c.
20060124
Bugfix: the virtual(8) delivery agent did not insist on
privileged operation as it should; this broke change 20060117.
Ralf Hildebrandt. File: virtual/virtual.c.
Bugfix: the TLS sasl security options (change 20060110)
should also be #ifdef USE_TLS, and not only #ifdef
USE_SASL_AUTH. Such feature interference is difficult to
find in testing. Liviu Daia. File: smtp/smtp_sasl_proto.c.
20060126
Undo: change 20060117 (unprivileged operation test) broke
"sendmail -bs", "postconf -b", "postconf -t", and probably
more. Files: master/{single,multi,trigger}_server.c.
20060130
Bugfix: an empty remote_header_rewrite_domain value caused
trivial-rewrite to dereference a null pointer, but only in
regression tests, not in production. Envelope addresses are
by definition rewritten in the local domain context, because
an address without domain is equivalent to an address in
the local domain; and header addresses are rewritten in the
remote context only when remote_header_rewrite_domain is
non-empty. File: trivial-rewrite/rewrite.c.
20060131
Cleanup: regression tests are now separated into "make
tests" for unprivileged tests, and "make root_tests" for
tests that require privileges to connect to the Postfix
internal sockets. Files: Makefile.in, src/*/Makefile.in.
Bugfix: despite efforts to treat malformed domain names as
hard errors (change 20050726) they were still processed as
soft errors. File: dns/dns_lookup.c.
Bugfix: smtpd core dump when SASL was compiled in, turned
off (smtpd_sasl_auth_enable = no) and permit_sasl_authenticated
was specified in local_header_rewrite_clients. Victor
Duchovni. File: smtpd/smtpd_check.c.
Cleanup: don't complain about useless SASL or TLS "permit"
restrictions when SASL or TLS aren't compiled in, but do
reject mail when reject_plaintext_session is specified while
TLS isn't compiled in. File: smtpd/smtpd_check.c.
20060204
Bugfix: disable the content_filter feature for user-requested
"sendmail -bv" probes, just like it is disabled for probes
generated by Postfix itself. File: *qmgr/qmgr_message.c.
20060207
Robustness: place the "do we have TLS" guards within method
implementations, instead of putting them around method
invocations. File: smtpd/smtpd_check.c.
Bugfix: duplicate the cleanup(8) DSN envelope ID syntax
check in smtpd(8), so that clients get better error replies.
File: smtpd/smtpd_check.c.
Bugfix: change 20060203 broke the reject_plaintext_session
feature.
The trivial-rewrite and proxymap multi-server processes now
terminate soon after all their clients disconnect, instead
of waiting for another 100 seconds. This allows the processes