20151018

	Added RFC 7672 (SMTP security via opportunistic DANE TLS)
	and RFC 7505 ("Null MX" No Service Resource Record) to the
	lists of supported RFCs in manpages. Viktor Dukhovni. Files:
	smtp/smtp.c, smtpd/smtpd.c.

20151031

	Bitrot: OpenSSL API cleanups. Viktor Dukhovni. Files:
	.indent.pro, tls/tls.h, tls/tls_dane.c, tls/tls_fprint.c,
	tls/tls_misc.c, tls/tls_server.c, tls/tls_verify.c.

20151124

	Bugfix (introduced: Postfix 3.0): don't throttle a destination
	after opportunistic TLS failure. Viktor Dukhovni and Wietse.
	Files: smtp/smtp_proto.c, smtp/smtp.h, smtp/smtp_trouble.c.

20151128

	Feature: JSON-formatted queue listing with "postqueue -j".
	Output is a stream of JSON objects, one per queue file.  To
	simplify stream-mode parsing, each JSON object is followed by
	a newline character. Files: postqueue/postqueue.c,
	postqueue/postqueue.h, postqueue/showq_compat.c,
	postqueue/showq_json.c, showq/showq.c.

20151216

	Bugfix (introduced: 20151128) bogus queue file parsing error.
	File: showq/showq.c.

20151226

	Cleanup: postlog(1) now pauses for 1s after reporting a
	fatal or panic error. This makes behavior of scripts such
	as postfix-script consistent with built-in error messages.
	File: postlog/postlog.c.

20151227

	Robustness: don't allow for whitespace in command-line
	arguments.  Files: postfix-install, conf/post-install.

	Robustness: added a comment to discourage people who keep
	adding code that calls gethostbyname() to determine the
	default myhostname setting.  This is a mistake: all Postfix
	programs will hang when the DNS is unavailable.  File:
	global/mail_params.c.

	Safety: a limit on the number of address verification probes
	in the active queue (address_verify_pending_request_limit),
	by default 1/4 of the active queue maximum size. The queue
	manager tempfails probe messages that exceed the limit.
	Files: mantools/postlink, proto/postconf.proto, cleanup/cleanup.h,
	cleanup/cleanup_envelope.c, cleanup/cleanup_out_recipient.c,
	cleanup/cleanup_state.c, global/mail_params.h, global/post_mail.c,
	global/post_mail.h, global/verify.c, oqmgr/qmgr.c, oqmgr/qmgr.h,
	oqmgr/qmgr_message.c, qmgr/qmgr.c, qmgr/qmgr.h,
	qmgr/qmgr_message.c, verify/verify.c.

20160102

	Workaround: MacOS/X 10.11.x /bin/sh unsets DYLD_LIBRARY_PATH,
	which breaks the build and install.  Viktor Dukhovni and
	Wietse.  Files: makedefs, postfix-install, Makefile.in.

	Bitrot: OpenSSL 1.1.0-dev drops support for EXPORT ciphers
	and ephemeral RSA.  Viktor Dukhovni. Files: tls/tls_client.c,
	tls/tls_rsa.c, tls/tls_server.c.

	Bugfix: memory leak in tls_set_eecdh_curve(). Viktor Dukhovni.
	File: tls/tls_dh.c.

	Bugfix (introduced 20150326): when lmtp_fallback_relay
	support was added, the code that generates lmtp_mumble
	parameters from smtp_mumble parameters wasn't updated. File:
	smtp/smtp-only.

	Bugfix (introduced 20151017): the smtpd_client_auth_rate_limit
	implementation was not guarded with #ifdef USE_SASL_AUTH.
	File: smtpd/smtpd.c.

20160103

	Feature: enable DANE policies when an MX host has a secure
	TLSA DNS record, even if the MX DNS record was obtained
	with insecure lookups. The existence of a secure TLSA record
	implies that the host wants to talk TLS and not plaintext.
	This behavior is controlled with smtp_tls_dane_insecure_mx_policy
	(default: "dane", other settings: "encrypt" and "may"; the
	latter is backwards-compatible with earlier Postfix releases).
	Viktor Dukhovni.  Files: mantools/postlink, proto/postconf.proto,
	src/global/mail_params.h, src/posttls-finger/posttls-finger.c,
	src/smtp/smtp-only, src/smtp/smtp.c, src/smtp/smtp.h,
	src/smtp/smtp_addr.c, src/smtp/smtp_params.c,
	src/smtp/smtp_tls_policy.c, src/tls/tls.h, src/tls/tls_client.c.

20160104

	Cleanup: distinct TLS levels for "full" DANE and for DANE
	with insecure MX records.  Viktor Dukhovni. Files:
	posttls-finger/posttls-finger.c, smtp/smtp_tls_policy.c,
	tls/tls.h, tls/tls_client.c, tls/tls_level.c.

20160108

	Cleanup: smtp_reply_footer() now restores state in case of
	input error; unit tests that cover most if not all error
	and non-error cases.  Files: global/smtp_reply_footer.c,
	global/smtp_reply_footer.ref.

20160110

	Bitrot: const-ification for OpenSSL 1.1.0. Viktor Dukhovni.
	File: tls/tls_misc.c.

20160116

	"postconf -H" support (show names without the =value).
	Initial use case: mass reversal of TLS-related main.cf
	parameters (postconf -nH | grep _tls_ | xargs postconf -X).
	This flag also works with "postconf -F" and "postconf -P".
	Added missing documentation that -h works with "postconf
	-F" and "postconf -P".  Files: postconf.c, postconf.h,
	postconf_master.c, postconf_main.c.

	Robustness: force html2text to produce ASCII output.  File:
	mantools/html2readme.

	Feature: "postfix tls" commands to enable opportunistic TLS
	in the Postfix SMTP client or server, or generate or replace
	Postfix SMTP server TLS private keys and server certificates.
	Viktor Dukhovni, Wietse. Files: conf/postfix-files,
	conf/postfix-script, conf/postfix-tls-script, makedefs,
	proto/INSTALL.html, proto/postconf.proto, global/mail_params.h,
	postfix/postfix.c, tls/tls_misc.c.

	Portability: added a tls_random_source default setting for
	MacOS X. Viktor Dukhovni. File: util/sys_defs.h.

20160118

	Bitrot: OpenSSL 1.1.0-dev (aka the "master" branch) has new
	security levels ranging from 0 to 5. Level "0" is backwards
	compatible, and other levels are increasingly restrictive.
	Viktor Dukhovni. Files: tls/tls_server.c, tls/tls_client.c.

20160205

	Portability: Postfix TLS support uses /dev/urandom if
	available and no system-specific setting exists in sys_defs.h.
	Files: makedefs, util/sys_defs.h.

20160208

	Cleanup: building the INSTALL file had failed, added
	hyperlinks for "postfix tls". Files: mantools/postlink.

20160210

	Feature: all-default-client and all-default-server subcommands.
	Eray Aslan. File: conf/postfix-tls-script.

	Bugfix: the postqueue(1) JSON formatter wrote a spurious
	comma after the delay reason. Reported by Christian Roessner.
	File: postqueue/showq_json.c.

20160212

	Cleanup: Bold/Italic cleanup in manpages.

20160213

	Added Google credits to external manpages.

20160214

	More manpage cleanups. Viktor, Wietse.

20160215

	Cleanup: "match_list_match: permit_mynetworks: no match" after
	a SUCCESSFUL permit_mynetworks match of a client IP address was
	complicating troubleshooting.  The fix is to log additional
	context to clarify that this "no match" condition is for
	smtpd_log_access_permit_actions. File: smtpd/smtpd_check.c.

20160224

	Cleanup: un-break some DNS unit tests by replacing non-portable
	numerical flags with portable symbolic names in the verbose
	command output.  Files: dns/dns_str_resflags.c, dns/dns_lookup.c,
	dns/Makefile.in, many *.ref files.

20160227

	Cleanup: remember multiple BCC actions in access maps.
	Files: smtpd/smtpd.h, smtpd/smtpd.c, smtpd/smtpd_check.c,
	smtpd/smtpd_state.c, proto/access.

20160228

	Documentation: STRESS_README. File: proto/STRESS_README.html.

20160229

	Documentation: postmulti manpage. File: postmulti/postmulti.c.

20160305

	Future-proofing: detect integer overflow before it happens.
	After-the-fact detection relies on assumptions about
	undefined behavior that are invalidated by compilers.  Files:
	util/mymalloc.c, util/vstring.c.

20160310

	Bugfix (introduced: Postfix 2.6): the Milter SMFIR_CHGFROM
	(replace sender) request lost the sender_bcc_maps address.
	Fixed by moving some record keeping to the sender output
	function.  Files: cleanup/cleanup_envelope.c,
	cleanup/cleanup_addr.c, cleanup/cleanup_milter.c,
	cleanup/cleanup.h, regression tests.

20160314

	Future-proofing: revised off_t integer conversion (detect off_t
	overflow before it happens).  After-the-fact detection relies
	on assumptions about undefined behavior that are invalidated by
	compilers. Files: global/off_cvt.c.

	Cleanup: include <sys/types.h> once, instead of making it
	system-dependent. File: util/sys_defs.h.

	Cleanup: make sorting in "make depend" locale-independent.
	Files: */Makefile.in.

	Cleanup: postmulti manpage. File: postmulti/postmulti.c.

20160319

	Future-proofing: revised format-string width or precision integer
	conversion (detect integer overflow before it happens), plus
	some tests to ensure that format-string widths and precisions
	are parsed correctly, and that output buffers are sized
	correctly. Files: util/vbuf_print.c, util/vbuf_print_test.in,
	util/vbuf_print_test.ref.

20160320

	Testing: exact-size VSTRING allocation. Files: util/vstring.[hc].

	Cleanup: switch to snprintf() for redundancy, keeping
	existing code in place to censor unnecessary format-string
	features. Specify "make makefiles CCARGS=-DNO_SNPRINTF" for
	ancient systems.  File: vbuf_print.c, makedefs, util/sys_defs.h,
	proto/INSTALL.html.

20160324

	Future-proofing: revised netstring length integer conversion
	(detect integer overflow before it happens).  File:
	util/netstring.c.
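The "detect integer overflow before it happens" idiom from the 20160305, 20160314 and 20160324 entries, applied to a netstring length prefix. This is an added example, not Postfix code; the function names, status codes and the limit parameter are hypothetical.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical status codes for this example. */
enum ns_status { NS_OK = 0, NS_ERR_FORMAT = -1, NS_ERR_SIZE = -2,
                 NS_ERR_TRUNC = -3 };

/*
 * Parse the decimal length prefix of a netstring ("<len>:<data>,").
 *
 * The after-the-fact idiom "len = len * 10 + digit; if (len < 0) ..."
 * depends on signed overflow wrapping around. Signed overflow is undefined
 * behavior in C, so an optimizing compiler may remove that test. Here the
 * test runs BEFORE the arithmetic, so the arithmetic can never overflow.
 */
static enum ns_status ns_parse_len(const char *buf, size_t buflen,
                                   long limit, long *len_out,
                                   size_t *consumed)
{
    long len = 0;
    size_t i;

    for (i = 0; i < buflen; i++) {
        unsigned char ch = (unsigned char) buf[i];
        int digit;

        if (ch == ':') {
            if (i == 0)
                return NS_ERR_FORMAT;       /* no digits before ':' */
            if (limit > 0 && len > limit)
                return NS_ERR_SIZE;         /* caller-imposed size limit */
            *len_out = len;
            *consumed = i + 1;              /* digits plus the ':' */
            return NS_OK;
        }
        if (ch < '0' || ch > '9')
            return NS_ERR_FORMAT;
        digit = ch - '0';
        /* len * 10 + digit > LONG_MAX  <=>  len > (LONG_MAX - digit) / 10 */
        if (len > (LONG_MAX - digit) / 10)
            return NS_ERR_SIZE;
        len = len * 10 + digit;
    }
    return NS_ERR_FORMAT;                   /* ran out of input before ':' */
}

/* Decode one netstring held entirely in buf; *data points into buf. */
static enum ns_status ns_decode(const char *buf, size_t buflen, long limit,
                                const char **data, long *len)
{
    size_t used;
    enum ns_status st = ns_parse_len(buf, buflen, limit, len, &used);

    if (st != NS_OK)
        return st;
    /*
     * The payload needs len bytes plus the trailing ','. Compare against
     * the bytes that remain instead of computing used + len + 1, which
     * could itself wrap around.
     */
    if ((unsigned long) *len >= buflen - used)
        return NS_ERR_TRUNC;
    if (buf[used + (size_t) *len] != ',')
        return NS_ERR_FORMAT;
    *data = buf + used;
    return NS_OK;
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *samples[] = {
        "5:hello,", "0:,", "5:hell", "12a:x,",
        "99999999999999999999999999:x,",
    };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        const char *data = NULL;
        long len = 0;
        int st = ns_decode(samples[i], strlen(samples[i]), 0, &data, &len);

        printf("%-32s -> status %d\n", samples[i], st);
    }
    return 0;
}
```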

	Cleanup: report unsupported usage of '%ls' and '%lc' in
	format strings.  File: util/vbuf_print.c.

20160326

	Future-proofing: regression test for global/off_cvt.c.
	Files: global/off_cvt.in, global/off_cvt.ref.

20160327

	Cleanup: postconf(1) manpage. File: postconf/postconf.c.

	Cleanup: un-broke regression tests. Files: dns/mxonly_test.ref,
	dns/no-mx.ref, smtpd/smtpd_server.ref, smtpd/smtpd_server.in.

	Added Postfix version information to the "postconf -m" manpage
	section.  File: postconf/postconf.c.

20160330

	The collate.pl script by Viktor Dukhovni for grouping Postfix
	logfile records into "sessions" based on queue ID and process
	ID information. Files: auxiliary/collate/*.

20160407

	Treat SASL_FAIL and SASL_NOMEM as temporary errors.
	Markus Benning. File: xsasl/xsasl_cyrus_server.c.

20160410

	Bugfix (introduced: Postfix 2.6): the "bad filetype"
	header_checks pattern falsely rejected Content-Mumble headers
	with ``name="example"; x-apple-part-url="example.com"''.
	Fixed by respecting the ";" separator between content
	attribute values.  Reported by Cedric Knight.  File:
	proto/header_checks.

20160515

	Portability: OpenBSD 6.0. Files: makedefs, util/sys_defs.h,
	dns/dns_str_resflags.c.

20160521

	Bugfix (introduced: Postfix beta): the never-used function
	mvect_free() attempted to free memory that it has not
	allocated.  File: util/mvect.c.

	Cleanup: existing if/endif support for pcre and regexp
	tables, in preparation for new if/endif support for cidr
	tables. Files: util/dict_regexp.c, util/dict_pcre.c.

20160526

	Feature: cidr tables now support if/endif and negation (by
	prepending "!" to a pattern), just like regexp and pcre
	tables. The primary purpose is to improve readability of
	complex tables. Files: util/cidr_match.[hc], util/dict_cidr.c,
	proto/cidr_table.

	Cleanup: make regexp: and pcre: parser warning messages more
	similar.  Files: dict_regexp.c, dict_pcre.c.

20160601

	Cleanup: moved parsing of '!' operators from cidr_match.c
	to dict_cidr.c. Files: util/cidr_match.[hc], util/dict_cidr.c,
	util/match_ops.c.

20160604

	Cleanup: made parsing of '!' operators in regexp and pcre
	tables consistent with cidr tables. Files: util/dict_regexp.c,
	util/dict_pcre.c.

20160605

	Cleanup: integer wrap-around detection in the MySQL and
	PostgreSQL clients. This is totally non-critical because
	Postfix strings are size-limited by design. Files:
	global/dict_mysql.c, global/dict_pgsql.c.

20160607

	Documentation: dnsblog.

20160609

	Documentation: postsuper(1) manpage text for multiple -[dhH]
	options.  File: postsuper/postsuper.c.

20160611

	Cleanup: Postfix SMTP server local IP address and port
	attributes in the policy delegation protocol (attribute
	names: server_address, server_port), in the Milter protocol
	(macro names: {daemon_addr}, {daemon_port}) and in the
	XCLIENT protocol (attribute names: DESTADDR, DESTPORT).
	Files: proto/MILTER_README.html, proto/SMTPD_POLICY_README.html,
	cleanup/cleanup.h, cleanup/cleanup_milter.c, global/mail_proto.h,
	milter/milter.h, smtpd/smtpd.c, smtpd/smtpd.h, smtpd/smtpd_check.c,
	smtpd/smtpd_haproxy.c, smtpd/smtpd_milter.c, smtpd/smtpd_peer.c.

20160612

	Bugfix (introduced: 20090211): missing server address
	conversion for non-proxy, non-postscreen connections.  File:
	smtpd/smtpd_peer.c.

	Bugfix (introduced: 20160611) missing server port conversion
	for non-proxy, non-postscreen connections, because there was
	no server address conversion.  File: smtpd/smtpd_peer.c.

20160618

	Bugfix (introduced: 20091121): with the introduction of
	sender_dependent_default_transport_maps, the SMTP daemon
	was not updated. This resulted in false rejects with
	sender-dependent "error" transports. Based on a fix by
	Russell Yanofsky.  Files: global/resolve_clnt.c,
	global/resolve_clnt.h, smtpd/smtpd_check.c, smtpd/smtpd_check.h,
	smtpd/smtpd_milter.c, smtpd/smtpd_resolve.c, smtpd/smtpd_resolve.h.

20160619

	Refinements to the 20160618 fix. For more consistent results
	with sender address validation, use the recipient address
	(if available) as the sender-dependent address resolver
	context.  For better caching, pass sender context with all
	attempts to resolve an email address.  File: smtpd/smtpd.c,
	smtpd/smtpd_check.c, smtpd/smtpd_milter.c.

20160625

	Cleanup: the Postfix SMTP server now passes network address
	and port information to the Cyrus SASL library. Build with
	``make makefiles "CCARGS=$CCARGS -DNO_IP_CYRUS_SASL_AUTH"''
	for backwards compatibility. Files: makedefs,
	smtpd/smtpd_sasl_glue.c, xsasl/xsasl.h, xsasl/xsasl_cyrus_server.c,
	xsasl/xsasl_server.c.

	Cleanup: dnsblog manpage. File: dnsblog/dnsblog.c.

20160717

	Bugfix (introduced: Postfix 1.1): the virtual(8) delivery
	agent discarded the error result from vstream_fseek().

20160728

	Bugfix (introduced: 20090614): with concurrent connections
	from the same client IP address, and after-220 tests enabled,
	postscreen could overwrite the cached "all tests completed"
	result of one connection that completed the after-220 tests,
	with the "some tests not completed" result of a concurrent
	connection where the client hung up before completing the
	after-220 tests.  Files: postscreen_misc.c, postscreen_state.c,
	postscreen.h, postscreen_tests.c, postscreen.c, postscreen_smtpd.c,
	postscreen_early.c.

20160730

	Cleanup: don't try to optimize away postscreen cache updates.
	File: postscreen_misc.c.

	Cleanup: removed compatibility crutches that emulated a
	historical data organization from four years ago. Files:
	postscreen/postscreen.[hc], postscreen/postscreen_early.c,
	postscreen/postscreen_smtpd.c, postscreen/postscreen_tests.c.

20160808

	Cleanup: preserve the new file mtimes when installing Postfix.
	Ondřej Lysoněk. File: postfix-install.
	REVERTED 20160828.

20160819

	Bugfix (introduced: Postfix 3.0): the makedefs script ignored
	readme_directory=pathname overrides. Fix by Todd C. Olson.
	File: makedefs.

20160821

	Bugfix (introduced: Postfix 3.0): the tls_session_ticket_cipher
	documentation says aes-256-cbc, but the implementation was
	using aes-128-cbc (note that Postfix session ticket keys
	are rotated after 1/2 hour, to limit the impact of attacks
	on session ticket keys).

20160828

	Bitrot: fixes for incompatible OpenSSL 1.1.0 API changes.
	Viktor Dukhovni. Files: posttls-finger/posttls-finger.c,
	tls/tls.h, tls/tls_dane.c, tls/tls_verify.c, tls/tls_server.c,
	tls/tls_client.c.

	Cleanup: disable reuse of ECDH ephemeral keys. Viktor
	Dukhovni.  File: tls/tls_misc.h.

20160908

	Documentation: add a pointer to hosts(5) and services(5)
	for symbolic host and port syntax. File: proto/master.

20160911

	Bugfix (introduced: Postfix 3.0): the SMTP daemon did not
	reset a previous session's command counts before rejecting
	a client that exceeds request or concurrency rates. File:
	smtpd/smtpd.c.

20160912

	Feature: preserve the new file mtimes when installing
	Postfix.  Ondřej Lysoněk. Wietse made this conditional on
	the presence of a new -keep-new-mtime flag. File: postfix-install.
	[this flag was renamed to "-keep-build-mtime" on 20161126]

20160917

	Bugfix (introduced: Postfix 3.0): the unionmap did not
	propagate table lookup errors.  Based on patch by Roel van
	Meer.  Files: util/dict_union.c, util/dict_union_test.*.

	Cleanup: added unit test for pipemap. Files: util/dict_pipe.c,
	util/dict_pipe_test.*.

	Documentation: added a note about the order of search
	patterns and table lookup order. Files: proto/canonical,
	proto/generic, proto/virtual.

	Documentation: bitrot in postsuper(1) example. Different
	groff versions produce different results; some systems no
	longer support historical "tail -number" command syntax.
	Fix by Geert Stappers. File: postsuper/postsuper.c.

20160918

	Logging: the Postfix SMTP server logs the sasl_username
	after rejected SMTP commands.  As before, the SMTP server
	does not forward SASL login information to other Postfix
	subsystems, and it does not receive SASL login information
	in XFORWARD commands. File: smtpd/smtpd.c.

20160925

	Bugfix (introduced: Postfix 2.11): changed the default MySQL
	option_group value to "client" to enable the reading of
	"client" option group settings in the MySQL option file.
	This fixes false "not found" errors with Postfix queries
	that contain UTF8-encoded text.  Fix by John Fawcett.
	Specify an empty option_group value to get backwards-compatible
	behavior. Files: global/dict_mysql.c, proto/mysql_table.

20161007

	Bitrot: API for the ersatz inet_ntop() function, when
	compiling with -DNO_IPV6 (which exists only for debugging).
	Files: util/sys_defs.h, util/sys_compat.c.

20161008

	Feature: smtp_tcp_port, similar to the existing lmtp_tcp_port.
	Files: mantools/postlink, proto/postconf.proto,
	global/mail_params.h, smtp/smtp.c, smtp/smtp_connect.c,
	smtp/smtp_params.c.

	Feature: "PASS" and "STRIP" actions in header/body_checks.
	"STRIP" is similar to "IGNORE" but also logs the action,
	and "PASS" disables header, body, and Milter inspection for
	the remainder of the message content.  Contributed by Hobbit.
	Files: cleanup/cleanup_message.c, global/header_body_checks.c.

20161024

	Feature: smtpd_milter_maps, per-client Milter configuration
	that overrides smtpd_milters, and that has the same syntax.
	Files: mantools/postlink, proto/MILTER_README.html,
	proto/postconf.proto, global/mail_params.h, smtpd/smtpd.c,
	smtpd/smtpd.h, smtpd/smtpd_sasl_proto.c, smtpd/smtpd_state.c.

20161103

	Cleanup: error reporting for IDNA (non-ASCII domain name)
	conversion errors. File: util/midna_domain.c.

	Cleanup: non-transitional conversion of UTF8 to/from ASCII
	domain name labels used in DNS queries. This disables
	'transitional' compatibility between IDNA2003 and IDNA2008,
	and affects some corner cases such as German sz and Greek
	zeta. Specify "enable_idna2003_compatibility = yes" to
	restore historical behavior. Files: util/midna_domain.[hc],
	mantools/postlink, global/mail_params.[hc], proto/postconf.proto,
	proto/SMTPUTF8_README.html.

20161105

	Bugfix (introduced: Postfix 1.1): the postsuper command did
	not count a successful rename operation after error recovery.
	Problem reported by Markus Schönhaber. File: postsuper/postsuper.c.

	Cleanup: error reporting for IDNA (non-ASCII domain name)
	conversion errors, and enable_idna2003_compatibility
	configuration. File: util/midna_domain.c.

20161106

	Documentation: specify the minimum ICU library version (4.6).
	File: proto/SMTPUTF8_README.html.

20161109

	Portability: force LC_ALL=C in dict_utf8 test. This should
	probably be in every shell script.

20161120

	Documentation: clarified the syntax of $name and ${name...}
	in parameter values, and some wordsmithing. Files:
	proto/postconf.html.prolog, proto/postconf.man.prolog.

20161123

	Documentation: clarified reject_non_fqdn_{sender,recipient}.
	The syntax check applies only for domains that are actually
	specified, not for missing domains. File: proto/postconf.proto.

20161126

	Cleanup: the postfix-install option "-keep-new-mtime" was
	renamed to "-keep-build-mtime". File: postfix-install.

	Feature: "make makefiles POSTFIX_INSTALL_OPTS=-keep-build-mtime"
	to set the installed file mtimes to their build time instead
	of their installation time. Based on code by Ondřej Lysoněk.
	Wietse added a guard to prevent POSTFIX_INSTALL_OPTS from
	passing arbitrary options.  Files: makedefs, Makefile.in,
	proto/INSTALL.html.

20161201

	Documentation: add 'smtpd_tls_auth_only=yes' to the master.cf
	submission service example. File: conf/master.cf.

20161202

	Documentation: typos in postconf(1) manpage. File:
	postconf/postconf.c.

20161204

	Cleanup: properly report numerical conversion errors in
	${{number} relational-operator ${number}}, and wordsmithing.
	File: util/mac_expand.c.

	Updated auxiliary/collate/collate.pl with Viktor's suggestion
	in <98D25E24-EAB1-42BB-82FD-794F5DDD4E7F@dukhovni.org> for
	better tracking of message flows.

	Cleanup: remove tentative features that were implemented
	before the DANE spec was finalized: support for certificate
	usage PKIX-EE(1), the ability to disable digest agility
	(Postfix now behaves as if "tls_dane_digest_agility = on"),
	and the ability to disable support for "TLSA 2 [01] [12]"
	records that specify the digest of a trust anchor (Postfix
	now behaves as if "tls_dane_trust_anchor_digest_enable =
	yes").  Viktor Dukhovni.  Files: mantools/postlink,
	proto/postconf.proto, proto/TLS_README.html, tls/tls.h,
	tls/tls_dane.c, smtp/smtp.c.

	Bugfix (introduced: Postfix 3.1): cut-and-paste error in
	the "postfix tls deploy-server-cert" command, causing the
	wrong certfile and keyfile to be used. Viktor Dukhovni.
	File: conf/postfix-tls-script.

	Robustness: create a new keyfile when "postfix tls
	new-server-cert" is invoked, and main.cf specifies a
	non-existent keyfile. Viktor Dukhovni.  File:
	conf/postfix-tls-script.

20161205

	Cleanup: log the sender address when rejecting a too large
	message size in a "MAIL FROM:<sender> SIZE=nnn" command.
	File: smtpd/smtpd.c.

20161206

	Bugfix (introduced: Postfix 3.0): when receiving a MAIL
	FROM...SMTPUTF8 command while smtpd_delay_reject=no, enable
	SMTPUTF8 support before processing smtpd_sender_restrictions.
	Problem reported by Viktor Dukhovni. File: smtpd/smtpd.c.

	Bugfix (introduced: Postfix 3.0): when receiving a
	VRFY...SMTPUTF8 command, enable SMTPUTF8 support while
	processing smtpd_recipient_restrictions. File: smtpd/smtpd.c.

20161220

	Bugfix (introduced: Postfix 2.1.0): the Postfix SMTP daemon
	did not query sender_canonical_maps when rejecting unknown
	senders with "smtpd_reject_unlisted_recipient = yes" or
	with reject_unlisted_sender.  Stephen R. van den Berg (Mr.
	procmail). Files: smtpd/smtpd.c, smtpd/smtpd_check.c.

20161217

	Enable elliptic curve negotiation with OpenSSL >= 1.0.2.
	This changes the default smtpd_tls_eecdh_grade setting to
	"auto", and introduces a new parameter tls_eecdh_auto_curves
	with the names of curves that may be negotiated.  The default
	tls_eecdh_auto_curves setting is determined at compile time,
	and depends on the Postfix and OpenSSL versions.  At runtime,
	Postfix will skip curve names that aren't supported by the
	OpenSSL library.  Viktor Dukhovni.  Files: mantools/postlink,
	proto/FORWARD_SECRECY_README.html, proto/TLS_README.html,
	proto/postconf.proto, global/mail_params.h, smtpd/smtpd.c,
	tls/tls.h, tls/tls_client.c, tls/tls_dh.c, tls/tls_misc.c,
	tls/tls_server.c.

	Feature: stored-procedure support for MySQL databases.
	John Fawcett. Files: global/dict_mysql.c, proto/mysql_table.

20161223

	Bugfix (introduced: Postfix 3.2 snapshots): the makedefs
	script produced a garbled CCARGS setting when no suitable
	ICU library was found. File: makedefs.

20161225

	Cleanup: simplified handling of unsupported curve names in
	the tls_eecdh_auto_curves parameter value.  File: tls/tls_dh.c.

	Cleanup: simplified code structure in the MySQL client
	support for stored procedures. File: global/dict_mysql.c.

20161226

	Cleanup: more MySQL client code simplification, better error
	messages, new per-database "require_result_set" parameter
	(default: yes) which can be set to "no" to avoid the need
	for dummy SELECT statements in stored procedures.  Files:
	global/dict_mysql.c, proto/mysql_table, postconf/postconf_dbms.c.

	Portability: SSL_CTX_set_ecdh_auto() is part of the deprecated
	OpenSSL API, so it must be used under #ifdef. Viktor Dukhovni.
	File: src/tls/tls_dh.c.

20161227

	Safety: the sendmail -C option must specify an authorized
	configuration directory: the default configuration directory,
	a directory that is listed in the default main.cf file with
	alternate_config_directories or multi_instance_directories,
	or the command must be invoked with root privileges.  This
	mitigates a problem with the PHP mail() function.  Files:
	global/mail_conf.[hc], sendmail/sendmail.c.

20161228

	Documentation: moved the "BACKWARDS COMPATIBILITY" sections
	to the end of ldap_table, mysql_table, pgsql_table, and
	sqlite_table, renamed to "OBSOLETE MAIN.CF PARAMETERS".

20161231

	Bugfix (introduced: 20160521): segfault (null pointer) in
	cidr, pcre, and regexp table when an input does not match
	an ENDIF-less IF operator.  Found during code maintenance.
	File: util/cidr_map.c, util/dict_regexp.c, util/dict_pcre.c.

20170101

	Portability: SunOS5 builds broke after moving the sys/types.h
	include statement to the top of sys_defs.h.

	Portability: declaration after code is GNU dialect. File:
	util/vbuf_print.c.

	Portability: compatibility macros for SSLv23_client_method()
	etc.  deprecation. Files: tls/tls.h, tls/tls_client.c,
	tls/tls_dane.c, tls_server.c.

201606-20170108

	Cleanup: handling of address extensions with email addresses
	that contain spaces. The virtual_alias_maps, canonical_maps,
	and smtp_generic_maps features now correctly propagate an
	address extension from "aa bb+ext"@example.com to "cc
	dd+ext"@other.example, instead of producing broken output.

	Files updated to support conversion between unquoted and
	quoted address forms, as required for addresses that contain
	spaces: global/mail_addr_map.*, global/mail_addr_find.* and
	global/mail_addr_crunch.*.

	Files updated to enable these address conversions to correctly
	propagate address extensions: cleanup/cleanup_map11.c
	(canonical_maps), cleanup/cleanup_map1n.c (virtual_alias_maps),
	and smtp/smtp_generic.c (smtp_generic_maps).

	Files updated to rename functions to better reflect their
	input and output forms: global/split_addr.*, global/strip_addr.*.

	Files updated to support quoted lookup keys: util/dict_inline.c,
	util/dict_thash.c, postmap/postmap.c.

	Files updated to invoke a backwards-compatible mail_addr_find()
	version that disables quoted/unquoted address conversions:
	smtp/smtp/smtp_sasl_glue.c (smtp_sasl_password_maps),
	smtpd/smtpd_check.c (SMTP server address validation),
	cleanup/cleanup_addr.c (sender_bcc_maps and recipient_bcc_maps),
	virtual/mailbox.c (user-related table lookups),
	trivial-rewrite/transport.c (transport_maps),
	trivial-rewrite/resolve.c (sender_dependent_mumble_maps,
	relocated_maps). These features may be migrated later to
	enable quoted-form address lookup keys, for consistency
	with other Postfix features.
20170109
	Cleanup: reduce the number of modified files relative to
	the last regular release, to make a back-port more feasible.
	This renames the new mail_addr_find() to mail_addr_find_opt(),
	and renames the backwards-compatible mail_addr_find_noconv()
	to its old name mail_addr_find().  Added backwards-compatible
	aliases {split,strip}_addr() for {split,strip}_addr_local().
	To ensure correctness these edits were done mechanically,
	and verified mechanically.
20170111
	Documentation: when (smtp|lmtp)_delivery_status_filter is
	applied. File: proto/postconf.proto.

20170114

	Cleanup: careful handling of local-parts that contain '@',
	as they are converted into quoted form.  Files:
	global/mail_addr_find.*, global/quote_822_local.*,
	global/quote_flags.*.
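
	Added example, not Postfix code: the extension propagation
	described under 201606-20170108 and the quoting of local-parts
	that contain '@' described in the entry above, in C. The
	function names externalize() and map_with_ext(), the '+'
	delimiter and the sample addresses are assumptions made for
	this illustration.

```c
/* Added example, not Postfix source. Inputs are internal (unquoted) form. */
#include <stdio.h>
#include <string.h>

/* Internal form -> external form: quote the local-part when required. */
int externalize(const char *addr, char *out, size_t len)
{
    const char *at = strrchr(addr, '@');    /* the LAST '@' starts the domain */
    size_t loc = at ? (size_t)(at - addr) : strlen(addr), i, o = 0;
    int quote = (loc == 0 || addr[0] == '.' || addr[loc - 1] == '.');
    for (i = 0; i < loc; i++)   /* space, RFC 5322 specials, or ".." */
        if (strchr(" \t\"\\@()<>,;:[]", addr[i]) || !strncmp(addr + i, "..", 2))
            quote = 1;
    if (len < 2 * loc + strlen(addr + loc) + 3)
        return -1;              /* worst case: every character escaped */
    if (quote) out[o++] = '"';
    for (i = 0; i < loc; i++) {
        if (addr[i] == '"' || addr[i] == '\\')
            out[o++] = '\\';
        out[o++] = addr[i];
    }
    if (quote) out[o++] = '"';
    strcpy(out + o, addr + loc);
    return 0;
}

/* Append the input's extension to the table result (`mapped`), then
 * externalize. Returns a static buffer, or NULL when the result is too long. */
const char *map_with_ext(const char *in, const char *mapped, char delim)
{
    static char out[1024];
    char buf[500];
    const char *in_at = strrchr(in, '@'), *map_at = strrchr(mapped, '@');
    size_t in_loc = in_at ? (size_t)(in_at - in) : strlen(in);
    size_t map_loc = map_at ? (size_t)(map_at - mapped) : strlen(mapped);
    /* extension: from the first delimiter that is not at offset 0 */
    const char *ext = in_loc > 1 ? memchr(in + 1, delim, in_loc - 1) : NULL;
    int n = snprintf(buf, sizeof(buf), "%.*s%.*s%s", (int)map_loc, mapped,
                     ext ? (int)(in + in_loc - ext) : 0, ext ? ext : "",
                     mapped + map_loc);
    if (n < 0 || (size_t)n >= sizeof(buf) || externalize(buf, out, sizeof(out)))
        return NULL;
    return out;
}

int main(void)
{
    /* constructed sample: the mapping named in the 201606-20170108 entry */
    puts(map_with_ext("aa bb+ext@example.com", "cc dd@other.example", '+'));
    return 0;
}
```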

	Cleanup: added unit tests for malformed inputs. Files:
	util/dict_thash{in,ref}.

	Cleanup: minimize the patch size of the quoting fixes, and
	a preliminary back-port to Postfix 3.1.4.

20170115

	Cleanup: enable "externalized" address lookup by default,
	with legacy-style "internalized" lookup for backwards
	compatibility, for sender_bcc_maps, recipient_bcc_maps,
	smtp_sasl_password_maps, smtpd_sender_login_maps, relocated_maps,
	sender_dependent_mumble_maps, virtual_{mailbox,uid,gid}_maps.
	File: global/mail_addr_find.c.

	Cleanup: enable "externalized" address lookup by default,
	with legacy-style "internalized" lookup for backwards
	compatibility, for transport_maps. Files: global/mail_addr_find.*,
	trivial-rewrite/transport.*.

	Cleanup: mail_addr_find_() now has a configurable strategy
	for full and partial address lookup, so that it may also
	be used for localpart lookup in access maps.

20170116

	Cleanup: parent domain matching is now implemented in the
	mail_addr_find() engine. Simplified the transport_maps
	lookup to just one mail_addr_find_() call. Files:
	global/mail_addr_find.*, trivial-rewrite/transport.*.

	Cleanup: enabled "externalized" address lookup by default,
	with legacy-style "internalized" lookup for backwards
	compatibility, for check_sender_access and check_recipient_access.
	This now uses 'user@' lookup support in the mail_addr_find()
	engine.  Files: global/mail_addr_find.*, smtpd/smtpd_check.c.

20170122

	Cleanup: separated the database query form from the address
	form that is input to mail_addr_find_() or mail_addr_map*(),
	in an attempt to make the code more obviously correct. Files:
	global/mail_addr_find.c, global/mail_addr_map.c.

	Abandoned an experiment that used internal-form queries for
	all maps, because it would be very difficult to test. The
	test inputs would have to compensate for multiple levels
	of unquoting by postmap, C compilers, or shell interpreters.

	Cleanup: moved the backwards-compatibility lookup strategy
	(try the external address form first, then the internal
	address form if it is different) inside the loop that
	iterates over full and partial address forms. File:
	global/mail_addr_find.c.

20170125

	Cleanup: mail_addr_find test scripting. Eliminate main.cf
	dependencies, and allow all tests to run in one process.
	Files: global/mail_addr_find.*.

20170127

	Cleanup: mail_addr_find and mail_addr_form named constants.
	Files: global/mail_addr_form.h, mail_addr_find.h, and
	dependents.

20170128

	Cleanup: smtp_generic_maps implementation. Reduced the
	number of internal<->external form address conversions,
	added more rigorous tests, and eliminated the main.cf and
	trivial-rewrite dependencies.  Files: smtp_map11.*.

20170129

	Cleanup: bogus UTC timezone setting for postqueue/mailq
	command output, and other environment settings for root and
	non-root users in set-gid programs. Files: postqueue/postqueue.c
	(enforce import_environment name=value overrides for root
	users), util/msg_syslog_init.c (don't override non-existent
	TZ settings with UTC), util/unsafe.c (exclude uid==0, euid==0
	super-user from privilege escalation concerns).

20170131

	Cleanup: more complete VALGRIND coverage for test build targets
	and scripts. Files: postalias/fail_test.in, postmap/fail_test.in,
	postmap/quote_test.in, util/dict_pipe_test.in,
	util/dict_union_test.in, util/dict_utf8_test.in.


20170201

	Portability: unsetenv() for ancient platforms. Files:
	makedefs, util/sys_compat.c.

20170205

	Cleanup: security checks for config_directory overrides.
	File: global/mail_conf.c.

	Cleanup: enforce import_environment name=value settings in
	command-line utilities, for consistency with Postfix daemons (but
	without removing environment variables).  This is not enforced
	in the postconf command which must be able to process main.cf
	files with incomplete settings. Files: postalias/postalias.c,
	postcat/postcat.c, postkick/postkick.c, postlock/postlock.c,
	postlog/postlog.c, postmap/postmap.c, postsuper/postsuper.c,
	posttls-finger/posttls-finger.c, sendmail/sendmail.c,
	util/clean_env.[hc].

20170206

	Bugfix (introduced: Postfix 3.0): check_mumble_a_access
	did not handle [ipaddress], unlike check_mumble_mx_access.
	When check_mumble_a_access was introduced, some condition
	was not updated.  Reported by James (postfix_tracker). File:
	smtpd/smtpd_check.c.

20170207

	Cleanup: rephrased paranoia precondition. File: global/mail_conf.c.

20170211

	Cleanup: rephrased paranoia precondition. File: util/unsafe.c.

20170218

	Cleanup: typofixes from klemens. The only change in compiled
	code is in one mysql error message that also appears in the
	pgsql client. Files: about 50.

20170221

	Compatibility fix (introduced: Postfix 3.1): some Milter
	applications do not recognize macros sent as {name} when
	macros have single-character names. Postfix now sends such
	macros without {} as it has done historically. Viktor
	Dukhovni. File: milter/milter.c.

20170402

	Bugfix (introduced: Postfix 3.2): restore the SMTP server
	receive override options at the end of an SMTP session,
	after the options may have been modified by an smtpd_milter_maps
	setting of "DISABLE". Problem report by Christian Rößner,
	root cause analysis by Viktor Dukhovni. File: smtpd/smtpd.c.

20170430

	Safety net: append a null byte to vstring buffers, so that
	C-style string operations won't scribble past the end. File:
	vstring.c.

20170531

	Bugfix (introduced: Postfix 3.2): after the table lookup
	overhaul, the check_sender_access and check_recipient_access
	features ignored the parent_domain_matches_subdomains
	setting. Reported by Henrik Larsson. File: smtpd/smtpd_check.c.

20170610

	Workaround (introduced: Postfix 3.0 20140718): prevent MIME
	downgrade of Postfix-generated message/delivery status.
	It's supposed to be 7bit, therefore quoted-printable encoding
	is not expected. Problem reported by Griff. File:
	bounce/bounce_notify_util.c.

20170611

	Security: Berkeley DB 2 and later try to read settings from
	a file DB_CONFIG in the current directory.  This undocumented
	feature may introduce undisclosed vulnerabilities resulting
	in privilege escalation with Postfix set-gid programs
	(postdrop, postqueue) before they chdir to the Postfix queue
	directory, and with the postmap and postalias commands
	depending on whether the user's current directory is writable
	by other users. This fix does not change Postfix behavior
	for Berkeley DB < 3, but reduces file create performance
	for Berkeley DB 3 .. 4.6.  File: util/dict_db.c.
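
	Added example, not Postfix code and not the change made in
	util/dict_db.c: a C check that reports whether a directory
	shows the condition this entry describes, namely a DB_CONFIG
	file in it or write access for other users. The function
	names, flag names and the temporary-directory fixture are
	assumptions made for this illustration.

```c
/* Added example, not Postfix source: audit a directory for ./DB_CONFIG risk. */
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

#define DBCFG_PRESENT   1       /* DB_CONFIG exists in the directory */
#define DBCFG_PLANTABLE 2       /* group/other may create files there */
#define DBCFG_FOREIGN   4       /* DB_CONFIG is owned by another user */

int db_config_risk(const char *dir)
{
    char path[4096];
    struct stat st;
    int risk = 0;

    if (stat(dir, &st) != 0 || !S_ISDIR(st.st_mode))
        return -1;
    if (st.st_mode & (S_IWGRP | S_IWOTH))
        risk |= DBCFG_PLANTABLE;
    if (snprintf(path, sizeof(path), "%s/DB_CONFIG", dir) >= (int)sizeof(path))
        return -1;
    if (lstat(path, &st) == 0)      /* lstat: a symlink counts as present */
        risk |= DBCFG_PRESENT | (st.st_uid != geteuid() ? DBCFG_FOREIGN : 0);
    return risk;
}

/* Constructed fixture: probe a fresh temp directory in one of three states. */
int demo(int state)
{
    char dir[] = "/tmp/dbcfgXXXXXX", path[64];
    FILE *fp;
    int risk;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(path, sizeof(path), "%s/DB_CONFIG", dir);
    if (state >= 1)
        chmod(dir, 0777);           /* other users may now create files here */
    if (state >= 2 && (fp = fopen(path, "w")) != NULL)
        fclose(fp);                 /* an empty DB_CONFIG is present */
    risk = db_config_risk(dir);
    unlink(path);
    rmdir(dir);
    return risk;
}

int main(void) { printf("%d %d %d\n", demo(0), demo(1), demo(2)); return 0; }
```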

20170620

	Bugfix (introduced: Postfix 3.2): extension propagation was
	broken with "recipient_delimiter = .". This change reverts
	a change that was trying to be too clever. Files: