HISTORY 772 KiB
Boris Mühmer committed
20151018
	Added RFC 7672 (SMTP security via opportunistic DANE TLS)
	and RFC 7505 ("Null MX" No Service Resource Record) to the
	lists of supported RFCs in manpages. Viktor Dukhovni. Files:
	smtp/smtp.c, smtpd/smtpd.c.
20151031
	Bitrot: OpenSSL API cleanups. Viktor Dukhovni. Files:
	.indent.pro, tls/tls.h, tls/tls_dane.c, tls/tls_fprint.c,
	tls/tls_misc.c, tls/tls_server.c, tls/tls_verify.c.
20151124
	Bugfix (introduced: Postfix 3.0): don't throttle a destination
	after opportunistic TLS failure. Viktor Dukhovni and Wietse.
	Files: smtp/smtp_proto.c, smtp/smtp.h, smtp/smtp_trouble.c.
20151128
	Feature: JSON-formatted queue listing with "postqueue -j".
	Output is a stream of JSON objects, one per queue file.  To
	simplify stream-mode parsing, each JSON object is followed by
	a newline character. Files: postqueue/postqueue.c,
	postqueue/postqueue.h, postqueue/showq_compat.c,
	postqueue/showq_json.c, showq/showq.c.
20151216
	Bugfix (introduced: 20151128) bogus queue file parsing error.
	File: showq/showq.c.
20151226
	Cleanup: postlog(1) now pauses for 1s after reporting a
	fatal or panic error. This makes behavior of scripts such
	as postfix-script consistent with built-in error messages.
	File: postlog/postlog.c.
20151227
	Robustness: don't allow for whitespace in command-line
	arguments.  Files: postfix-install, conf/post-install.
	Robustness: added a comment to discourage people who keep
	adding code that calls gethostbyname() to determine the
	default myhostname setting.  This is a mistake: all Postfix
	programs will hang when the DNS is unavailable.  File:
	global/mail_params.c.
	Safety: a limit on the number of address verification probes
	in the active queue (address_verify_pending_request_limit),
	by default 1/4 of the active queue maximum size. The queue
	manager tempfails probe messages that exceed the limit.
	Files: mantools/postlink, proto/postconf.proto, cleanup/cleanup.h,
	cleanup/cleanup_envelope.c, cleanup/cleanup_out_recipient.c,
	cleanup/cleanup_state.c, global/mail_params.h, global/post_mail.c,
	global/post_mail.h, global/verify.c, oqmgr/qmgr.c, oqmgr/qmgr.h,
	oqmgr/qmgr_message.c, qmgr/qmgr.c, qmgr/qmgr.h,
	qmgr/qmgr_message.c, verify/verify.c.

20160102

	Workaround: MacOS/X 10.11.x /bin/sh unsets DYLD_LIBRARY_PATH,
	which breaks the build and install.  Viktor Dukhovni and
	Wietse.  Files: makedefs, postfix-install, Makefile.in.

	Bitrot: OpenSSL 1.1.0-dev drops support for EXPORT ciphers
	and ephemeral RSA.  Viktor Dukhovni. Files: tls/tls_client.c,
	tls/tls_rsa.c, tls/tls_server.c.
	Bugfix: memory leak in tls_set_eecdh_curve(). Viktor Dukhovni.
	File: tls/tls_dh.c.
	Bugfix (introduced 20150326): when lmtp_fallback_relay
	support was added, the code that generates lmtp_mumble
	parameters from smtp_mumble parameters wasn't updated. File:
	smtp/smtp-only.
	Bugfix (introduced 20151017): the smtpd_client_auth_rate_limit
	implementation was not guarded with #ifdef USE_SASL_AUTH.
	File: smtpd/smtpd.c.
20160103

	Feature: enable DANE policies when an MX host has a secure
	TLSA DNS record, even if the MX DNS record was obtained
	with insecure lookups. The existence of a secure TLSA record
	implies that the host wants to talk TLS and not plaintext.
	This behavior is controlled with smtp_tls_dane_insecure_mx_policy
	(default: "dane", other settings: "encrypt" and "may"; the
	latter is backwards-compatible with earlier Postfix releases).
	Viktor Dukhovni.  Files: mantools/postlink, proto/postconf.proto,
	src/global/mail_params.h, src/posttls-finger/posttls-finger.c,
	src/smtp/smtp-only, src/smtp/smtp.c, src/smtp/smtp.h,
	src/smtp/smtp_addr.c, src/smtp/smtp_params.c,
	src/smtp/smtp_tls_policy.c, src/tls/tls.h, src/tls/tls_client.c.

20160104

	Cleanup: distinct TLS levels for "full" DANE and for DANE
	with insecure MX records.  Viktor Dukhovni. Files:
	posttls-finger/posttls-finger.c, smtp/smtp_tls_policy.c,
	tls/tls.h, tls/tls_client.c, tls/tls_level.c.
20160108
	Cleanup: smtp_reply_footer() now restores state in case of
	input error; unit tests that cover most if not all error
	and non-error cases.  Files: global/smtp_reply_footer.c,
	global/smtp_reply_footer.ref.
20160110
	Bitrot: const-ification for OpenSSL 1.1.0. Viktor Dukhovni.
	File: tls/tls_misc.c.
20160116
	"postconf -H" support (show names without the =value).
	Initial use case: mass reversal of TLS-related main.cf
	parameters (postconf -nH | grep _tls_ | xargs postconf -X).
	This flag also works with "postconf -F" and "postconf -P".
	Added missing documentation that -h works with "postconf
	-F" and "postconf -P".  Files: postconf.c, postconf.h,
	postconf_master.c, postconf_main.c.
	Robustness: force html2text to produce ASCII output.  File:
	mantools/html2readme.
	Feature: "postfix tls" commands to enable opportunistic TLS
	in the Postfix SMTP client or server, or generate or replace
	Postfix SMTP server TLS private keys and server certificates.
	Viktor Dukhovni, Wietse. Files: conf/postfix-files,
	conf/postfix-script, conf/postfix-tls-script, makedefs,
	proto/INSTALL.html, proto/postconf.proto, global/mail_params.h,
	postfix/postfix.c, tls/tls_misc.c.
	Portability: added a tls_random_source default setting for
	MacOS X. Viktor Dukhovni. File: util/sys_defs.h.
20150118
	Bitrot: OpenSSL 1.1.0-dev (aka the "master" branch) has new
	security levels ranging from 0 to 5. Level "0" is backwards
	compatible, and other levels are increasingly restrictive.
	Viktor Dukhovni. Files: tls/tls_server.c, tls/tls_client.c.
20161205
	Portability: Postfix TLS support uses /dev/urandom if
	available and no system-specific setting exists in sys_defs.h.
	Files: makedefs, util/sys_defs.h.
20160208
	Cleanup: building the INSTALL file had failed, added
	hyperlinks for "postfix tls". Files: mantools/postlink.
20160210
	Feature: all-default-client and all-default-server subcommands.
	Eray Aslan. File: conf/postfix-tls-script.
	Bugfix: the postqueue(1) JSON formatter wrote a spurious
	comma after the delay reason. Reported by Christian Roessner.
	File: postqueue/showq_json.c.
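
Added example (not part of Postfix or of this HISTORY file): a consumer for the newline-delimited "postqueue -j" stream introduced in the 20151128 entry, which parses one object per line and isolates a malformed line, such as one with a stray comma, instead of aborting the whole listing. The field names are those documented in postqueue(1); the sample records and the helper names parse_queue_stream and summarize are constructed for illustration.

```python
import json

# Constructed sample of "postqueue -j" output: one JSON object per line.
# Field names follow postqueue(1); all values are made up for illustration.
SAMPLE = "\n".join([
    '{"queue_name": "deferred", "queue_id": "4F3A21C0E5", "arrival_time": 1449878400, '
    '"message_size": 2048, "sender": "alice@example.com", "recipients": '
    '[{"address": "bob@example.net", "delay_reason": "connection timed out"}]}',
    '{"queue_name": "active", "queue_id": "9B7C11D2AA", "arrival_time": 1449878460, '
    '"message_size": 512, "sender": "carol@example.com", "recipients": '
    '[{"address": "dave@example.org"}]}',
    # Constructed malformed record: trailing comma after the delay reason.
    '{"queue_name": "deferred", "queue_id": "1A2B3C4D5E", "recipients": '
    '[{"address": "eve@example.net", "delay_reason": "host not found",}]}',
]) + "\n"


def parse_queue_stream(lines):
    """Yield (record, error) per non-empty line; exactly one of the two is None."""
    for lineno, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line), None
        except json.JSONDecodeError as exc:
            yield None, f"line {lineno}: {exc.msg}"


def summarize(lines):
    """Count messages per queue and recipients per delay reason."""
    queues, reasons, errors = {}, {}, []
    for rec, err in parse_queue_stream(lines):
        if err:
            errors.append(err)  # keep going: one bad line must not hide the rest
            continue
        q = rec.get("queue_name", "unknown")
        queues[q] = queues.get(q, 0) + 1
        for rcpt in rec.get("recipients", []):
            reason = rcpt.get("delay_reason")
            if reason:
                reasons[reason] = reasons.get(reason, 0) + 1
    return queues, reasons, errors


if __name__ == "__main__":
    print(summarize(SAMPLE.splitlines()))
```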
20160212
	Cleanup: Bold/Italic cleanup in manpages.
20160213
	Added Google credits to external manpages.
20160214
	More manpage cleanups. Viktor, Wietse.
20160215
	Cleanup: "match_list_match: permit_mynetworks: no match" after
	a SUCCESSFUL permit_mynetworks match of a client IP address was
	complicating troubleshooting.  The fix is to log additional
	context to clarify that this "no match" condition is for
	smtpd_log_access_permit_actions. File: smtpd/smtpd_check.c.