Skip to content
HISTORY 803 KiB
Newer Older
Boris Mühmer's avatar
Boris Mühmer committed
	to refresh more frequently on low-traffic systems.

	Cleanup: smtpd_delay_open_until_valid_rcpt (default: yes)
	controls whether Postfix delays the start of a mail transaction
	until after the first valid recipient, or if it starts a
	transaction immediately after MAIL FROM. File: smtpd/smtpd.c.

20060217

	Bugfix: don't terminate with a non-standard exit status
	when the pipe-to-command feature has a problem before it
	executes the command. File: global/pipe_command.c.

20060223

	Bugfix: detect integer overflow when multiplying time values
	with non-trivial time units. File: global/conv_time.c.

20060307

	Bugfix: reset the msg_cleanup() fatal error handler in child
	processes. See also change 20060217. Files: postlock/postlock.c,
	master/multi_server.c, global/mail_run.c, util/vstream_popen.c.
Boris Mühmer's avatar
Boris Mühmer committed
	Bugfix: the MIME processor assumed that input was null
	terminated. This broke with CRLF input to the "sendmail -t"
	command  in Postfix 2.1 and later (see change 20030416).
	Found by Leandro Santi.  Based on patch by Victor Duchovni.
	Files: global/mime_state.c, global/is_header.c.

20060313

	Cleanup: the message arrival time (start of the receive
	transaction) no longer controls message expiration or
	delivery attempts.  Instead, expiration and delivery are
	now controlled by the time when the cleanup server creates
	a queue file.  This closes a problem that was introduced
	with the 20051104 change that introduced higher-resolution
	delay time keeping: as a result, "postsuper -r" could no
	longer manipulate the mail expiration schedule, so that
	mail "on hold" could expire too soon.
Boris Mühmer's avatar
Boris Mühmer committed
	Workaround. the PCRE library reports an inappropriate error
Boris Mühmer's avatar
Boris Mühmer committed
	code (invalid substring) when $number refers to a valid ()
	expression that matches the null string. This caused fatal
	run-time errors.  File: dict_pcre.c.

20060324

Boris Mühmer's avatar
Boris Mühmer committed
	Cleanup: eliminated name collisions between global and local
	variables, and other forms of shadowing. Documented switch
	fall-throughs with /* FALLTHROUGH */ where this wasn't
	already done.  Replaced (var = expr) by (var = expr) != 0
	where this wasn't already done.

20060324

	Bugfix: mis-placed parenthesis in a before-filter error
Boris Mühmer's avatar
Boris Mühmer committed
	test. A filter timeout was mis-reported as lost connection.
	Found in code review.  File: smtpd/smtpd_proxy.c.

Boris Mühmer's avatar
Boris Mühmer committed
20060327

	Cleanup: the SQL and LDAP clients now log a warning when
	they skip an empty lookup result, so that humans don't have
	to wonder why Postfix doesn't find all the database entries.
	File: global/db_common.c.

	Moved SMTP/LMTP parameter initialization from global/mail_params.c
	to the combined smtp/lmtp delivery agent. Added missing
	lmtp parameters.

20060328

	Feature: configurable chroot directive for the pipe(8)
	delivery agent, by Przemyslaw Wegrzyn. Files:
	global/pipe_command.c, pipe/pipe.c.

	Bugfix: cut-and-paste error: lmtp_connection_cache_limit
	was left with the name of smtp_connection_cache_limit.
	Reported by Victor? File: src/global/mail_params.h.

20060329

	More extensible interface for TLS client/server library,
	now passes property structures that combine all the relevant
	parameters in one type-safe structure.

	TLS session cache activity logging now takes place at TLS
	log level 2 or greater.

Boris Mühmer's avatar
Boris Mühmer committed
20060403
Boris Mühmer's avatar
Boris Mühmer committed

	Cleanup: made fcntl/flock handling consistent with respect
	to EINTR (reported by Carlo Contavalli). However, Postfix
	is not meant to be signal safe.  Only the master daemon
	handles signals without terminating, and it uses only a
	small subset of Postfix library routines. File: util/myflock.c.

Boris Mühmer's avatar
Boris Mühmer committed
	Bugfix: the pipe-to-command error message was lost when the
	command could not be executed. File: global/pipe_command.c.

20060404

	Bugfix in sanity check: after reading a record from the
	address verification database, a sanity check did not reject
	a record with all-zero time stamp fields.  Such records are
	never written; the test is there just in case something is
	broken, so that Postfix will not blindly march on and create
	chaos. The sanity check tested pointer values, instead of
	dereferencing the pointers.  Found by Coverity.  File:
	verify/verify.c.

	Bugfix in sanity check: when the maildir delivery routine
	opens an output file it looks up the file attributes via
	the file handle it just got.  There is a sanity check that
	detects if the attribute lookup fails, an error that never
	happens. The code that handles the impossible error did not
	close the output file. This would cause a virtual or local
	delivery agent to waste up to 100 file descriptors.  But
	for that error to happen the system would have to be so
	sick that you would have more serious problems than a file
	descriptor leak.  Found by Coverity.  Files: local/maildir.c,
	virtual/maildir.c.

Boris Mühmer's avatar
Boris Mühmer committed
20060405

	Bugfix: the MIME parser assumed input is null terminated
	when reporting errors. Fix by Leandro Santi. Files:
	global/mime_state.c, cleanup/cleanup_message.c.

Boris Mühmer's avatar
Boris Mühmer committed
20060411

	Bugfix: the SMTP server logged no warning when for some
	reason the TLS engine was unavailable in wrappermode. Victor
	Duchovni.  File: smtpd/smtpd.c.

Boris Mühmer's avatar
Boris Mühmer committed
20060417

	Cleanup: when SMTP access table lookup fails, reply with
	4xx instead of aborting with a fatal run-time error. The
	old behavior assumes local file access, and is inappropriate
	with deployment of LDAP and SQL tables. File: smtpd/smtpd_check.c.

20060423

	Bugfix: postcat did not print the attribute value of records
	containing a named attribute. File: postcat/postcat.c.

Boris Mühmer's avatar
Boris Mühmer committed
20060430

	Bugfix: dangling pointer in a function that has no caller.
	Found by Coverity. File: tls/tls_prng_exch.c.

	Bugfix: the workaround for CA-2003-07 (Sendmail) did not
	null terminate the address before logging a warning. Reported
	by Kris Kennaway. File: global/tok822_parse.c.

Boris Mühmer's avatar
Boris Mühmer committed
20060301-20060515

	Sendmail 8 Milter support, distributed across the smtpd(8)
	server for SMTP commands, and the cleanup(8) server for
	content inspection and manipulation. The code supports all
	requests to add/delete recipients, and to add/delete/replace
	message headers, but does not yet support requests to replace
	the message body.  See MILTER_README for more. Files:
	smtpd/smtpd.c, smtpd/smtpd_milter.c, cleanup/cleanup_api.c,
	cleanup/cleanup_envelope.c, cleanup/cleanup_extracted.c,
	cleanup/cleanup_milter.c, milter/milter.c, milter/milter8.c.

	That's 89 lines in smtpd, 1010 lines in cleanup, and 2449
	lines of library support, comments not included.  

	A simple test Milter application for use in regression tests
	is in src/milter/test-milter.c. Queue file modifications are
	tested with a driver at the end src/cleanup/cleanup_milter.c
	that reads commands from a script.

	To make debugging easier, uncomment the "#define msg_verbose
	2" lines at the top of cleanup_milter.c or milter8.c. This
	produces logging without making everything else verbose.

20060510

	Preliminary TLS_README and postconf(5) changes completed.
Boris Mühmer's avatar
Boris Mühmer committed
	Victor Duchovni.
Boris Mühmer's avatar
Boris Mühmer committed

	Added smtp_tls_policy_maps and smtp_tls_protocols features
	to the smtp/lmtp client, changed smtp_tls_cipherlist to
Boris Mühmer's avatar
Boris Mühmer committed
	only apply when TLS is mandatory. Victor Duchovni.
Boris Mühmer's avatar
Boris Mühmer committed

20060512

	Destinations that share a common server may have distinct
	TLS protocol and cipherlist requirements, with mandatory
	TLS add the protocol and cipherlist values to the TLS session
Boris Mühmer's avatar
Boris Mühmer committed
	lookup key. Victor Duchovni.
Boris Mühmer's avatar
Boris Mühmer committed
20060516

	Portability: __float80 alignment, by Albert Chin.  File:
	util/sys_defs.h.

Boris Mühmer's avatar
Boris Mühmer committed
	Further testing of Milter support uncovered typos; a missing
	null pointer test while cleaning up after content miltering;
	the need for a workaround to not bounce+delete local
	submission after it triggers a temporary reject Milter
	action.

	Workaround: don't bounce+delete a local submission after
	it triggers a "reject 4.x.x" action in header/body_checks.
	This means an SMTP client now sees "queue file write error"
	instead of the text from the "reject 4.x.x text" action.
	File: cleanup/cleanup_message.c.

	Workaround: OpenSSL 0.9.8[ab] with zlib support interoperability
	problem. Victor Duchovni. Files: tls/tls_client.c,
	tls/tls_misc.c, tls/tls_server.c.

	Added smtpd_tls_protocols parameter to complement
	smtp_tls_protocols. Victor Duchovni.

20060517

	The smtp_tls_policy_maps table now implements parent domain
	matching for destinations that are bare domains (without
Boris Mühmer's avatar
Boris Mühmer committed
	enclosing [] or optional :port suffix). This allows one to
Boris Mühmer's avatar
Boris Mühmer committed
	set TLS policy for a domain and all sub-domains. Victor
	Duchovni.

20060519

	The same parameter can bind to different variables in
Boris Mühmer's avatar
Boris Mühmer committed
	different daemons. Ignore the variable name when eliminating
Boris Mühmer's avatar
Boris Mühmer committed
	duplicates in extract.awk. Victor Duchovni.

20060523

	Improved handling of smtp_tls_protocols and smtpd_tls_protocols,
	names now processed via name_mask(3) and canonicalized prior
	to use in the SMTP/LMTP client TLS session lookup key. Also
	simplifies the corresponding code in the TLS driver. Victor
	Duchovni.

Boris Mühmer's avatar
Boris Mühmer committed
20060524

	Cleanup: send ETRN command parameter when using check_policy
	in the context of an ETRN command. Joshua Goodall. File:
	smtpd/smtpd_check.c.

Boris Mühmer's avatar
Boris Mühmer committed
20060601

	Bugfix (bug introduced 20051118): permit_mx_backup authorized
	domains without secondary MX records.  Joshua Goodall. File:
	smtpd/smtpd_check.c.

20060601

	Fixed default value of LMTP TLS client certificate parameters,
	using the SMTP values as a default was wrong. Victor Duchovni.
Boris Mühmer's avatar
Boris Mühmer committed
20060603

	Different transports may have different CAfile or CApath
	settings. We need to add the transport name to the TLS
	session lookup key so that sessions verified with one set
	of trusted roots are not inadvertantly considered verified
	for another. Victor Duchovni.

20060604
Boris Mühmer's avatar
Boris Mühmer committed

	Cleanup: minor fluff found with the BEAM source code analyzer.
Boris Mühmer's avatar
Boris Mühmer committed
	Files: global/quote_821_local.c, global/quote_822_local.c,
	master/master_spawn.c, pickup/pickup.c, util/match_ops.c,
	util/safe_open.c, xsasl/xsasl_cyrus_client.c.

20060606

	Safety: mail receiving daemons (smtpd, qmqpd) now pass
	actual client name/addres/helo attributes in addition to
	the attributes used for logging (xforward). This prevents
	Milter applications from treating qmqpd mail as if it
	originated locally, and prevents incorrect Milter decisions
	after "postsuper -r". Files: smtpd/smtpd.c, qmqpd/qmqpd.c,
	cleanup/cleanup_envelope.c, cleanup/cleanup_milter.c,
	cleanup/cleanup_state.c, global/post_mail.c, *qmgr/qmgr_message.c,
	*qmgr/qmgr_deliver.c, global/deliver_request.c,
	global/deliver_pass.c, local/forward.c.

	Bugfix: qmgr panic after queue file corruption by Mailscanner.
	Files: *qmgr/qmgr_message.c.

	Bugfix: XCLIENT didn't work with smtpd_delay_reject=no
	(problem reported by Joshua Goodall).  To make XCLIENT work
	correctly with built-in restrictions and with Milter
	applications, the SMTP server now jumps back to the very
	start (the 220 phase) of an SMTP session.  File: smtpd/smtpd.c.

20060606

	Portability: Some systems no longer support the traditional
	"sort +0 -2 +3". Victor Duchovni.

20060607

	Portability: Found by BEAM static code analyzer. SSL options
	(long) were stored as int.

20060610

	Cleanup: XCLIENT and XFORWARD attribute values are now sent
	as xtext encoded strings. For backwards compatibility,
	Postfix will still accept unencoded attribute values.  Files:
	smtpd/smtpd.c, smtpd/smtpd_proxy.c, smtp/smtp_proto.c.
Boris Mühmer's avatar
Boris Mühmer committed
	Robustness: additional sanity checks for common database
	routines. Viktor Dukhovni. File: global/db_common.c.

	Portability: LDAP 2.3 API support. Viktor Dukhovni. File:
	global/dict_ldap.c.

	Security: the PostgreSQL client was updated after the
	PostgreSQL developers made major database API changes in
	response to PostgreSQL security issues. This breaks support
	for PGSQL versions prior to 8.1.4, 8.0.8, 7.4.13, and 7.3.15.
	Support for these requires major code changes which are not
	possible in the time that is left for the Postfix 2.3 stable
	release.
Boris Mühmer's avatar
Boris Mühmer committed

	Specific PostgreSQL client changes: use connection-aware
	quoting, and more robust PQexec() result handling.  Previous
	versions of the dict_pgsql driver didn't check the status
	of the result pointer, and certain exceptional events can
	be mis-interpreted as an empty result set.  Fixes by Leandro
	Santi. File: global/dict_pgsql.c.

Boris Mühmer's avatar
Boris Mühmer committed
20060612

	Changed smtp security level parsing and level->name conversion
	to use name_code(3). Victor Duchovni.

	Implemented new smtp_tls_security_level parameter, to replace
	the unnecessarily complex smtp_use_tls, smtp_enforce_tls
	and smtp_tls_enforce_peername parameters. The main.cf
	security level settings are now consistent with the new
	policy table. Victor Duchovni.

	The smtp_sasl_tls_verified_security_options feature is not
	yet complete, added #ifdef SNAPSHOT and changed documentation
	to delay introduction until Postfix 2.4. Victor Duchovni.

20060614

	Merged in Victor's work including the new TLS policy table
	and a complete set of configuration parameters for the LMTP
	personality of the unified SMTP/LMTP client.

	Allow mandatory TLS encryption with LMTP over UNIX-domain
	sockets. Victor Duchovni.

	Safety: improved code to avoid I/O on connections after the
	TLS handshake fails. Victor Duchovni.

20060615

	Cosmetic patch for const strings. Stefan Huehner.

	Other cosmetic changes, mainly whitespace.

20060616

	The qshape.pl script was updated for the pointer records
	that were introduced to support message content modification
	by Milter applications. Victor Duchovni.

20060620

	Feature: Substantially better cipherlist specification
	interface and support for anonymous ciphers when certificates
	are not needed. The primary interface in main.cf and the
	policy table selects one of 5 grades for mandatory TLS with
	smtp(8) or lmtp(8) or for all TLS sessions with smtpd(8).
	The levels are "high", "medium" (or better), "low" (or
	better), "export" (or better) and "null".  The underlying
	definitions of these levels are configurable, but users are
	strongly encouraged to not change those definitions. Victor
	Duchovni.

Boris Mühmer's avatar
Boris Mühmer committed
	Bugfix: the Milter reply syntax checker was off by one.
	File: milter/milter8.c.

Boris Mühmer's avatar
Boris Mühmer committed
	Workaround: disable SMTP connection cache lookup by server
	IP address when the tls_per_site policy table is enabled.
Boris Mühmer's avatar
Boris Mühmer committed
	This is a workaround for a shortcoming in the SMTP connection
	cache implementation, which retrieves the server hostname
	from the cached connection. Since this server name is not
	obtained in a secure manner, it must not be allowed to
	control the tls_per_site policy. File: smtp/smtp_reuse.c.
Boris Mühmer's avatar
Boris Mühmer committed
20060627
Boris Mühmer's avatar
Boris Mühmer committed
	Cleanup: mumble_mandatory_tls_mumble parameters renamed to
	mumble_tls_mandatory_mumble; added _mandatory_ qualifier
	to names of parameters that affect only mandatory TLS.
Boris Mühmer's avatar
Boris Mühmer committed
20060630
Boris Mühmer's avatar
Boris Mühmer committed
	Features promoted from SNAPSHOT to STABLE: the "sleep"
	pseudo restriction; Postfix daemons now read the local
	timezone file before chrooting; trivial-rewrite now detects
	table changes every 10 seconds, so it restarts more timely.
Boris Mühmer's avatar
Boris Mühmer committed
	Features that stay #ifdef SNAPSHOT: tcp_table,
	lmtp_sasl_tls_verified_security_options, and
	smtp_sasl_tls_verified_security_options.
Boris Mühmer's avatar
Boris Mühmer committed
	Compatibility: Sendmail does not send its own Received:
	header to Milter applications. Offsets in header replace
	requests are relative to the message content as received
	(i.e. without our own Received: header), while offsets in
	header insert requests are relative to the message as
	delivered (i.e. they include our own Received: header).
	This explains why dk-filter would sign our own Received:
	header but place the signature between our own Received:
	header and the rest of the message, violating the draft
	domainkeys spec.
Boris Mühmer's avatar
Boris Mühmer committed
20060702
Boris Mühmer's avatar
Boris Mühmer committed
	Cleanup: more graceful handling of queue file read/write
	errors while processing milter message modification requests.
	Files: cleanup/cleanup_milter.c, milter/milter8.c.
Boris Mühmer's avatar
Boris Mühmer committed
20060703
Boris Mühmer's avatar
Boris Mühmer committed
	Debugging: the Postfix milter client gives more context
	when it experiences trouble while talking to an uncooperative
	Milter application. File: milter/milter8.c.
Boris Mühmer's avatar
Boris Mühmer committed
	Compatibility: with OpenBSD 2.7 and later, the alias file
	is now in /etc/mail/aliases.
Boris Mühmer's avatar
Boris Mühmer committed
20060704
Boris Mühmer's avatar
Boris Mühmer committed
	Bugfix: the Milter client skipped zero-length body lines.
	File: milter/milter8.c.
Boris Mühmer's avatar
Boris Mühmer committed
	Feature (just this one): RFC 3834 "Auto-Submitted:" message
	header in DSNs.  File: bounce/bounce_notify_util.c.

20060705

	Portability: LP64 systems required a few ssize_t->int casts
	in debug logging statements.  Files: milter/test_milter.c,
	cleanup/cleanup_milter.c.

	Cleanup: comments, error messages, and crumbling interfaces.

20060707

	Workaround: apparently, Solaris gettimeofday() can return
	out-of range microsecond values.  File: src/global/log_adhoc.c.

	Robustness: the SMTPD policy client now encodes the
	ccert_subject and ccert-issuer attributes as xtext.  Some
	characters are replaced by +XX, where XX is the two-digit
	hexadecimal code for the character value.  File:
	smtpd/smtpd_check.c.
Boris Mühmer's avatar
Boris Mühmer committed
	Safety: the SMTP/LMTP client now defers delivery when a
	SASL password exists, but the server does not offer SASL
	authentication. Mail could be rejected otherwise. This may
	become an issue now that Postfix retries delivery in plaintext
	after an opportunistic TLS handshake fails. Specify
	"smtp_sasl_auth_enforce = no" to deliver mail anyway.  File:
	smtp/smtp_proto.c. See workaround 20060711 for sender-dependent
Boris Mühmer's avatar
Boris Mühmer committed
	SASL passwords. This was undone with the 20060719 workaround.
Boris Mühmer's avatar
Boris Mühmer committed

20060709

	Cleanup: the new single smtpd_tls_security_level parameter
	obsoletes the multiple smtpd_use_tls and smtpd_enforce_tls
	parameters. This is done for consistency with the Postfix
	SMTP client. In the Postfix SMTP server, the levels "verify"
	and "secure" are currently not applicable, and are treated
	as "encrypt", after logging a warning. Files: smtpd/smtpd.c,
	tls/tls_level.c, smtp/smtp_session.c.

	Compatibility: don't send the first (blank) body line to
	Milter applications.  This broke domain key etc. signatures
	when verified by non-Postfix MTAs.  File: milter/milter8.c.

20060710

	Cleanup: more consistency between smtpd(8) and smtp(8) TLS
	configuration interfaces: smtpd_tls_mandatory_exclude_ciphers,
	smtpd_tls_mandatory_ciphers, smtpd_tls_mandatory_protocols.
	By Victor. Files:smtpd/smtpd.c.

	Cleanup: to support domainkey signing of bounces and
	Postmaster notices, enable content inspection of Postfix-
	generated mail with the new internal_mail_filter_classes
	feature.  This is disabled by default, because it is not
	yet safe enough. Files: global/int_filt.[hc] and everything
	that calls post_mail_fopen*().

20060711

	Cleanup: smtpd_tls_mumble -> smtpd_tls_mandatory_mumble,
	and finer control over the Postfix SMTP server TLS ciphers,
	all this for consistency with the same functionality in the
	Postfix SMTP client. Victor Duchovni.

	Compatibility: Sendmail's milter client handles whitespace
	after the header label and ":" in an interesting manner.
	It eats one space (not tab). File: milter/milter8.c.

Boris Mühmer's avatar
Boris Mühmer committed
	Workaround: if sender-dependent SASL passwords are enabled,
Boris Mühmer's avatar
Boris Mühmer committed
	don't defer delivery when a SASL password exists but the
	server doesn't announce SASL support. File: smtp/smtp_proto.c.
Boris Mühmer's avatar
Boris Mühmer committed
	This was undone with the 20060719 workaround.
Boris Mühmer's avatar
Boris Mühmer committed

	Cleanup: format of cleanup milter reject messages.  File:
	cleanup_milter.c.

	Bugfix: file/memory leak if a transfer of multiple milters
	from smtpd to cleanup broke in the middle.  Found by Coverity.
	File: milter/milter.c.
Boris Mühmer's avatar
Boris Mühmer committed

20060716

	Bugfix: "sendmail -bs" panic caused by a missing
	SMTPD_STATE_ALONE() guard before a milter_abort() call.
	File: smtpd/smtpd.c.

	Bugfix (bug introduced with Postfix 2.2): the Postfix SMTP
	client enforced Mandatory TLS only when talking to an ESMTP
	server; enforcement did not happen if Postfix could somehow
	be forced to send HELO instead of EHLO.  Victor Duchovni.
	File: src/smtp/smtp_proto.c.

20060718

	Bugfix (bug introduced 20060711): null pointer bug when
	rejecting SMTP mail with Milter application.  File:
	cleanup/cleanup_milter.c.

	Workaround (problem introduced in 200605/200606 TLS update):
	the Postfix SMTP server now issues TLS session IDs even
	when TLS session caching is turned off, otherwise MS Outlook
	fails to deliver mail. There may also be interoperability
	issues with other MTAs that we haven't discovered yet.
	Specify "smtpd_tls_always_issue_session_ids = no" to disable
	the workaround. Victor Duchovni. Files: smtpd/smtpd.c,
	tls/tls_server.c.

20060719

	Cleanup: the smtp_sasl_auth_enforce feature is gone. It was
	meant to work around a problem that was introduced with
	plaintext fallback after a failed TLS handshake.  Unfortunately,
	it created more problems than it solved. We now address the
	underlying problem more directly as described next. File:
	smtp/smtp_proto.c.

	Safety: don't fall back to plaintext delivery after failed
	TLS handshake, when the Postfix SMTP client would have
	attempted to log in with SASL after successful TLS handshake.
	This avoids undesirable behavior regardless of whether the
	server does support SASL over plaintext (unexpected password
	disclosure) and whether the server doesn't support SASL
	over plaintext (insufficient mail relay permission).  Files:
	smtp/smtp_connect.c, smtp/smtp_session.c, smtp/smtp_proto.c.

20060720

	Compatibility: replace %% in milter replies by %, and strip
	single (i.e. invalid) % characters. File: milter/milter8.c.

	Compatibility: $_ macro support for Milter applications.
	Files: smtpd/smtpd.c, smtpd/smtpd_milter.c,
	cleanup/cleanup_state.c, cleanup/cleanup_milter.c.

20060721

	Safety: disable Milter processing after "postsuper -r".  If
	the mail has been filtered there is no need to do it again.
	Moreover, when mail has passed through an external content
	filter, we don't have sufficient information to reproduce
	the exact same SMTP events and Sendmail macros that Milters
	received when the mail originally arrived in Postfix.  This
	change does not affect Milter applications that run behind
	an after-queue content filter. File: pickup/pickup.c.

	Bugfix: Milters received a truncated ORCPT=xxx parameter
	due to destructive parsing of something that didn't have
	to be preserved before Milter support was added to Postfix.
	File: smtpd/smtpd.c.

20060724

	Bugfix: when updating the same header multiple times, the
	Postfix Milter client created a queue file that caused
	delivery agents to loop.  File: cleanup/cleanup_milter.c.
Boris Mühmer's avatar
Boris Mühmer committed

20060725

	Bugfix: damaged queue file record after a Milter request
	to modify a message header when 1) it was the last header
	in the unmodified message, and 2) the old header was less
	than 15 characters long.  File: cleanup/cleanup_milter.c.

	Bugfix: don't panic in smtp_rcpt_cleanup() after detecting
	a damaged queue file record. File: smtp/smtp_proto.c.

20060726

	Bugfix: the 20051013 change to enforce the message size
	limit in the SMTP server didn't work for size limits close
	enough to INT_MAX. File: smtpd/smtpd.c.

Boris Mühmer's avatar
Boris Mühmer committed
	Bugfix (introduced Postfix 2.3): after an SMTP client was
	rejected with "smtpd_delay_reject = no", the SMTP server
	would panic as it generated spurious Milter requests for
	unrecognized commands.  File: smtpd/smtpd.c.
Boris Mühmer's avatar
Boris Mühmer committed

20060727

	Cleanup: change redundant milter_abort() and milter_disc_event()
	calls into NO-OPs.  This avoids unnecessary panic() events
	for completely harmless conditions.  File: milter/milter8.c.
Boris Mühmer's avatar
Boris Mühmer committed
	Bugfix (introduced Postfix 2.3): #ifdef damage caused
Boris Mühmer's avatar
Boris Mühmer committed
	smtp_sasl_start() to be invoked twice. Reported by C-J
	Lofstedt. File: smtp/smtp_sasl_proto.c.

20060806

	Postfix no longer announces its name in delivery status
	notifications.  Users believe that Wietse provides a free
	helpdesk service that solves all their email problems.
	Credits to Jonathan Balester.  File: bounce/bounce_templates.c.

20060807

	Bugfix (introduced Postfix 2.2): when upgrading from Postfix
	< 2.2 with the third-party TLS patch, the post-install
	upgrade procedure didn't put a "?" in the existing tlsmgr
	entry, causing tlsmgr to repeatedly start and exit when TLS
	support was not compiled in.  File: conf/post-install.

20060812

Boris Mühmer's avatar
Boris Mühmer committed
	Bugfix (introduced < Postfix alpha): safety mechanism in
Boris Mühmer's avatar
Boris Mühmer committed
	mail_date() didn't work.  Found in code review.  File:
	global/mail_date.c.

Boris Mühmer's avatar
Boris Mühmer committed
20060817

	Test programs for host address->name and name->address
	lookups to debug name service inconsistencies, typically
	when the Postfix SMTP server claims that a hostname is
	"unknown".  Files: auxiliary/name-addr-test/*.

Boris Mühmer's avatar
Boris Mühmer committed
20060822

	Added missing logging for "message to large" etc.  Files:
	smtpd/smtpd.c, cleanup/cleanup_milter.c.

20060823

	Bugfix (introduced Postfix 2.2): segfault when vstream_fclose()
	attempted to flush unwritten output, after vstream_fdclose()
	had already disconnected the stream from its file descriptor.
	File: util/vstream.c.

	Bugfix (introduced Postfix 2.2): vstream_fdclose() did not
	flush unwritten output before disconnecting a stream from
	its file descriptor(s).  File: util/vstream.c.

Boris Mühmer's avatar
Boris Mühmer committed
	Feature: smtp-sink can capture mail to file, either as one
	individual message per file, or as multiple messages per
	file.  After an initial implementation by Weidong Cui. File:
	smtpstone/smtp-sink.c.

	Bugfix (introduced < Postfix alpha): smtp-sink did not
	correctly recognize DOT-CR-LF immediately after DATA. File:
	smtpstone/smtp-sink.c.

	Cleanup: smtp-sink now requires that MAIL FROM, RCPT TO and
	DATA be send in the correct order. This simplified the
	implementation of the capture to file feature. File:
	smtpstone/smtp-sink.c.

20050824

	Portability: inside functions, GCC 4 refuses forward
	declarations of static functions.  File: smtpstone/smtp-sink.c.

Boris Mühmer's avatar
Boris Mühmer committed
20060825

	Bugfix (introduced Postfix 2.3): with headers-only mail, a
	Milter "header insert" action corrupted the queue file. The
	cleanup server executed some end-of-body action before the
	end-of-header actions. File: cleanup/cleanup_message.c.

	Robustness: mail delivery agents now detect loops in queue
	files. Files with too many backward jumps are saved to the
	"corrupt" directory.  File: global/record.c.
Boris Mühmer's avatar
Boris Mühmer committed

20060831

	Bugfix (introduced with initial implementation): missing
	"dict_errno = 0" caused mis-leading error messages after
	non-error lookup failure.  Victor Duchovni.  File:
	util/dict_cidr.c.

	Robustness: the default TLS cipher lists were changed from
	!foo:ALL into ALL:!foo. Victor Duchovni.  Files:
	global/mail_params.h and documentation.

20060902

	Bugfix (introduced Postfix 2.3): the LMTP client stripped
	"inet": from the next-hop destination, but still used the
	complete next-hop from the delivery request. File:
	smtp/smtp_connect.c.

20060903

	Cleanup: record loop detection.  File: global/record.c.

20060929

	Workaround: AIX 5.[1-3] getaddrinfo() creates socket address
	structures with a non-zero port value. This breaks the
	smtp_bind_address etc. features, and breaks inet_interfaces
	settings with only one IP address.  Problem reported by
	Hamish Marson.  Files: util/sock_addr.[hc], util/myaddrinfo.c.

	Bugfix (introduced with the Postfix TLS patch): memory leak
	in verify_extract_peer(). The OpenSSL documentation provides
	no information on how subjectAltNames are managed.  Sam
	Rushing, ironport.  File: tls/tls_client.c.

Boris Mühmer's avatar
Boris Mühmer committed
	Bugfix (introduced with Postfix 2.2): smtp_generic_maps 
Boris Mühmer's avatar
Boris Mühmer committed
	turned on MIME conversion. File: smtp/smtp_proto.c.

	Workaround: don't send SIZE information in the MAIL FROM
	command when message content will be subject to 8bit ->
	quoted-printable conversion.  File: smtp/smtp_proto.c.

20061002

	Compatibility: Sendmail now invokes the Milter connect
	action with the verified hostname instead of the name
	obtained with PTR lookup. File: smtpd/smtpd.c.

20061004

	Cleanup: force space between mailq queueid+status and file
	size items. File: showq/showq.c.

Boris Mühmer's avatar
Boris Mühmer committed
20061005

	Cleanup: make CISCO PIX bug workarounds configurable.  This
	introduces new parameters: smtp_pix_workarounds (default:
	disable_esmtp, delay_dotcrlf) and smtp_pix_workaround_maps
	(workarounds indexed by server IP address).  The default
	settings are backwards compatible. File: smtp/smtp.c,
	smtp/smtp_proto.c.

20061006

	Workaround: include the smtpd(8) service name when searching
	the TLS session cache, to avoid cross-talk between multiple
	master.cf entries. This does not eliminate cross-talk between
	multiple (x)inetd.conf entries. Victor Duchovni. Files:
	smtpd/smtpd.c, tls/tls_server.c.

Boris Mühmer's avatar
Boris Mühmer committed
20061015

	Cleanup: convert the Milter {mail_addr} and {rcpt_addr}
	macro values to external form. File: smtpd/smtpd_milter.c.

	Cleanup: the Milter {mail_addr} and {rcpt_addr} macros are
	now available with non-SMTP mail. File: cleanup/cleanup_milter.c.

	Cleanup: convert addresses in Milter recipient add/delete
	requests to internal form.  File: cleanup/cleanup_milter.c.

	Cleanup: with non-SMTP mail, convert addresses in simulated
	MAIL FROM and RCPT TO events to external form.  File:
	cleanup/cleanup_milter.c.

20061017

	Cleanup: removed spurious warning when the cleanup server
	attempts to bounce mail with soft_bounce=yes. Problem
	reported by Ralf Hildebrandt. File: cleanup/cleanup_bounce.c.

	Bugfix: null pointer bug when receiving a non-protocol
	response on a cached SMTP/LMTP connection.  Report by Brian
	Kantor.  Fix by Victor Duchovni.  File: smtp/smtp_reuse.c.
Boris Mühmer's avatar
Boris Mühmer committed
20061106

	Feature: new retry delivery agent, to avoid the synchronous
	defer service client in the queue manager. This code is
	co-located with the error(8) server. File: error/error.c.

	Performance: the queue manager could spend too much time
	in the synchronous defer service client, causing the watchdog
	timer to go off.  Where possible, the queue manager now
	bounces or defers recipients asynchronously, by routing
	them to the error or the retry delivery agent. Code by
	Wietse and Patrik Rak. Files: global/recipient_list.c,
	*qmgr/qmgr_error.c, *qmgr/qmgr_defer.c, *qmgr/qmgr_entry.c,
	*qmgr/qmgr_deliver.c, *qmgr/qmgr_message.c.

	Performance: refined recipient and job grouping, and more
	agressive early refill of in-memory recipients to prevent
	a worst-case scenario where the queue manager became starved
	until after the last batch of slow in-memory recipients of
	jumbo multi-recipient mail. Code by Patrik Rak.  Files:
	global/mail_conf_time.c, qmgr/qmgr_message.c, qmgr/qmgr.c,
	qmgr/qmgr.h, qmgr/qmgr_entry.c, qmgr/qmgr_job.c,
	qmgr/qmgr_message.c, qmgr/qmgr_transport.c.

Boris Mühmer's avatar
Boris Mühmer committed
20061113

	Bugfix: the Postfix install/upgrade procedure broke with
	non-default config_directory. File: conf/post-install.

20061115

	Bugfix: null pointer bug in end-of-header Milter action
	when the last header line is too large.  Reported by Mark
	Martinec. The root of the problem is that the MIME state
	engine may execute up to three call-back functions when it
	reaches the end of the headers, before it returns to the
	caller; as long as call-backs return no result, each call-back
	has to check for itself if a previous call-back ran into a
	problem.  File: milter/milter8.c.

	Workaround: reduce effective header_size_limit to 60000
	when Milter inspection is enabled, to avoid breaking the
	Milter protocol request length limit. File:
	cleanup/cleanup_message.c.

20061123

	Safety: don't read more than 5000 recipients at a time, to
	avoid spending too much time away from interrupts.  File:
	qmgr/qmgr_message.c.

20061201

	Workaround: don't complain with "Error 0" in the trivial-rewrite,
	verify, proxymap or connection cache client when the server
	exits after the client sends its request. We still complain,
	however, when the problem persists.  Files: global/rewrite_clnt.c,
	global/resolve_clnt.c, global/verify_clnt.c, global/scache_clnt.c,
	global/dict_proxy.c.

	Safety: the header_size_limit is now enforced more strictly,
	to avoid inter-operability problems with the Milter protocol.
	Long headers are truncated at a line boundary if possible,
	otherwise they are cut between line boundaries. File:
	cleanup/cleanup_out.c.

20061203

	Bugfix (introduced with Postfix 2.2): with SMTP server
	tarpit delays of smtp_rset_timeout or larger, the SMTP
	client could get out of sync with the server while reusing
	a connection.  The symptoms were "recipient rejected .. in
Boris Mühmer's avatar
Boris Mühmer committed
	reply to DATA".  Fix by Victor Duchovni and Wietse.  Files:
	smtp/smtp_proto.c, smtp/smtp_connect.c.

	Robustness: the vbuf and vstream documentation claimed that
	their *error() macros reported timeout errors, but they
	didn't really. The implementation was fixed, and redundant
	vstream_ftimeout() calls were removed. As a result, many
	Postfix daemons now properly detect write timeout errors
	on internal connections.  Files: util/vbuf.h.

	Workaround: some broken SMTP servers reply and hang up in
	the middle of DATA. The Postfix SMTP client now stops sending
	and tries to receive the server response. This can help to
	avoid repeated delivery attempts. Initial implementation
	by Wietse, later work by Victor Duchovni. Files:
	smtp/smtp_proto.c, smtpstone/smtp-sink.c, util/vstream.c,
	plus trivial mods for code thatr calls vstream_fpurge().

20061204

	Compatibility: The Postfix installation/upgrade procedure
	no longer sets "unknown_local_recipient_code = 450" in
	main.cf. This was a safety net for upgrades from Postfix
	1.x. Four years later is no longer needed. File:
	conf/post-install.

	Cleanup: removed vstream_fclose() error warning in the code
	that disconnects from a delivery agent. There is no need
	to report errors here because they would already be reported
	earlier.  Files: *qmgr/qmgr_deliver.c.

	Robustness: "kill me after N seconds" feature to ensure
	that a daemon process does not get stuck while preparing
	for exit after signal arrival. File: util/killme_after.[hc],
	util/watchdog.c, master/master_sig.c.

20061206

	Robustness: low-cost re-entrancy guard that allows daemons
	to safely call msg_fatal() etc. from a signal handler,
	without risking memory corruption, or deadlock on Redhat
	Linux.  This works provided that the signal handler terminates
	the process. In that special case we need not guarantee
	after-the-fact consistency of the thread that was interrupted.
	File: util/msg_output.c.

	Robustness: replace exit() calls by _exit(). File: util/msg.c,
	bounce/bounce_cleanup.c.
Boris Mühmer's avatar
Boris Mühmer committed
	Workaround: on systems with usable futimes() or equivalent
	(Solaris, *BSD, MacOS, but not Linux), always explicitly
	set the queue file last modification time stamps while
	creating a queue file. With this, Postfix can avoid logging
	warnings when the file system clock is ahead of the local
	clock.  Clock skew can be a problem, because Postfix does
	not deliver mail until the local clock catches up with the
	queue file's last modification time stamp.  File:
	global/mail_stream.c.

	Workaround: on systems without usable futimes() or equivalent,
	log a warning when the file system clock is more than 100
	seconds behind the local clock. This does not cause mail
	delivery problems, but it just looks silly in message
	headers. File: global/mail_stream.c.

	On systems without usable futimes() (Linux, and ancient
	versions of Solaris, SunOS and *BSD) Postfix will keep using
	the slower utime() system call to update queue file time
	stamps when the file system clock is off with respect to
	the local system clock.

Boris Mühmer's avatar
Boris Mühmer committed
	Compatibility with Postfix < 2.3: undo the change to bounce
	instead of defer after pipe-to-command delivery fails with
	a signal. File: global/pipe_command.c.

20061208

	Workaround: apparently, some mail software removes or hides
	"<postmaster>" in the Postfix bounce text, because it
	processes the text as if it were HTML. This confuses users.
	The bounce template has been updated to remove the < and
Boris Mühmer's avatar
Boris Mühmer committed
	>.  File: bounce/bounce_templates.c.
Boris Mühmer's avatar
Boris Mühmer committed

	Cleanup: when smtp_generic_maps is turned on, don't parse
	MIME structures in the message body. Victor Duchovni. File:
	smtp/smtp_proto.c.

20061210

Boris Mühmer's avatar
Boris Mühmer committed
	Cleanup: streamline the signal handler reentrancy protections,
	and document under what conditions these protections work,
	with REENTRANCY sections in the relevant man pages. Files:
	util/vbuf_print.c.  util/msg.c, util/msg_output.c.
Boris Mühmer's avatar
Boris Mühmer committed
20061211

	Cleanup: when doing server access control by the remote TLS
	client fingerprint, do not require client certificate
	verification.  Victor Duchovni.  File: smtpd/smtpd_check.c.

	Safety: when the remote TLS client certificate isn't verified,
	don't send ccert_subject and ccert_issuer attributes in
	check_policy_service requests. Victor Duchovni. File:
	smtpd/smtpd_check.c.

	Bugfix: the postconf command still complained about an
	unqualified machine name, because it was not updated with
	the 20050513 change that introduced a default "mydomain =
	localdomain".  File: postconf/postconf.c.

20061213