Skip to content
HISTORY 752 KiB
Newer Older
Boris Mühmer's avatar
Boris Mühmer committed
	be proofread.  Originally by Victor Duchovni.  Files:
	src/postmulti/*, proto/MULTI_INSTANCE_README.html,
	conf/postmulti-script.
Boris Mühmer's avatar
Boris Mühmer committed
20090216-24
Boris Mühmer's avatar
Boris Mühmer committed
	Cleanup: assorted code cleanups in postmulti.  File:
	src/postmulti/postmulti.c.
Boris Mühmer's avatar
Boris Mühmer committed
20090223
Boris Mühmer's avatar
Boris Mühmer committed
	Cleanup: multiple instances of the same global.  Files:
	util/inet_windowsize.c, util/inet_listen.c.
Boris Mühmer's avatar
Boris Mühmer committed
20090228
Boris Mühmer's avatar
Boris Mühmer committed
	Cleanup: the Postfix SMTP server now maintains a per-session
	"improper command pipelining detected" flag. This flag can
	be tested at any time with reject_unauth_pipelining, and
	is raised whenever a client command is followed by unexpected
	commands or message content.  Files: smtpd/smtpd.c,
	smtpd/smtpd_check.c.
Boris Mühmer's avatar
Boris Mühmer committed
	Logging: the Postfix SMTP server now logs the first command
	pipelining transgression as "improper command pipelining
	after <command> from <hostname>[<hostaddress>]".
Boris Mühmer's avatar
Boris Mühmer committed
	Cleanup: after DATA command failure, log "(approximately
	XX bytes)" only if Postfix actually accepted the DATA
	command.  File: smtpd/smtpd.c.
Boris Mühmer's avatar
Boris Mühmer committed
20090303
Boris Mühmer's avatar
Boris Mühmer committed
	Cleanup: word smithing of "sendmail -bv" probe message.
	File: sendmail/sendmail.c.
Boris Mühmer's avatar
Boris Mühmer committed
	Cleanup: OpenLDAP now provides a sane solution for conflicts
	with PAM ldap-over-tls. Victor Duchovni.  File: global/dict_ldap.c.
Boris Mühmer's avatar
Boris Mühmer committed
20090304
Boris Mühmer's avatar
Boris Mühmer committed
	Cleanup: skip over suspended or throttled queues while
	looking for delivery requests. File: *qmgr/qmgr_transport.c.
Boris Mühmer's avatar
Boris Mühmer committed
20090305
Boris Mühmer's avatar
Boris Mühmer committed
	Bugfix: in the "new queue manager", the _destination_rate_delay
	code needed to postpone the job scheduler updates after
	delivery completion, otherwise the scheduler could loop on
	blocked jobs.  Victor & Wietse.  File: qmgr/qmgr_entry.c,
	qmgr/qmgr_queue.c, qmgr/qmgr_job.c.
Boris Mühmer's avatar
Boris Mühmer committed
	Cleanup: report a "queue file write error", instead of
	passing though bogus 2xx replies from proxy filters to SMTP
	clients.  File: smtpd/smtpd_proxy.c.
Boris Mühmer's avatar
Boris Mühmer committed
20090307
Boris Mühmer's avatar
Boris Mühmer committed
	Cleanup: with "lmtp_assume_final = yes", the Postfix LMTP
	delivery agent assumes that delivery is final when talking
	to an LMTP server that announces no DSN support.  Otherwise,
	the Postfix LMTP delivery agent assumes that delivery is
	"relayed", to maintain compatibility with simple LMTP-based
	content filters.  Based on code by Michel Sebastien, ATOS
	Origin.  File: smtp/smtp_rcpt.c.
Boris Mühmer's avatar
Boris Mühmer committed
20090310
Boris Mühmer's avatar
Boris Mühmer committed
	Bugfix: Postfix used mumble_concurrency_failed_cohort_limit
	instead of mumble_destination_concurrency_failed_cohort_limit
	as documented. File: global/mail_params.h.
Boris Mühmer's avatar
Boris Mühmer committed
20090330
Boris Mühmer's avatar
Boris Mühmer committed
	Cleanup: add (Resent-) From:, Date:, Message-ID: or To:
	headers only when clients match $local_header_rewrite_clients.
	Specify "always_add_missing_headers = yes" for backwards
	compatibility.  Adding such headers to remote mail can break
	DKIM signatures that cover headers that are not present.
	File: cleanup/cleanup_message.c.
Boris Mühmer's avatar
Boris Mühmer committed
20090415
Boris Mühmer's avatar
Boris Mühmer committed
	Workaround: to avoid unnecessary "fatal" delivery agent
	exits, delivery agents retry getting a shared lock on a
	queue file.  This is necessary since the queue manager's
	behavior was changed years ago to refill the in-memory
	recipient list before it was completely empty.  File:
	global/deliver_request.c.
Boris Mühmer's avatar
Boris Mühmer committed
	Documentation: updated STRESS_README.
Boris Mühmer's avatar
Boris Mühmer committed
20090416
Boris Mühmer's avatar
Boris Mühmer committed
	Workaround: some AWK implementations have a limit of 10
	output files and lack a working close() function. It is too
	much trouble to find out what systems have this limitation,
	and where, if any, such systems store their XPG4-compatible
	AWK program.  So instead we generate a stream of here
	documents and let the shell split the stream into files.
	File: postconf/extract.awk.
Boris Mühmer's avatar
Boris Mühmer committed
	Documentation: clarification of certificate file usage.
	Victor Duchovni.  Files: proto/postconf.proto,
	proto/TLS_README.html.
Boris Mühmer's avatar
Boris Mühmer committed
	Feature: pass a "TLS is active" flag to the server-side
	SASL support.  Based on code by Timo Sirainen, except that
	the implementation uses an extensible API so that it will
	be less painful to add more attributes in future Postfix
	versions.  Files: xsasl/xsasl.h, xsasl/xsasl_*server.c,
	smtpd/smtpd_sasl_glue.c.
Boris Mühmer's avatar
Boris Mühmer committed
20090417
Boris Mühmer's avatar
Boris Mühmer committed
	Documentation: re-generate READMEs and manpages for updated
	hyperlinks.
Boris Mühmer's avatar
Boris Mühmer committed
	Documentation: missing hyperlinks and missing parameters
	in manpages. File: mantools/postlink, mantools/check-postlink.
Boris Mühmer's avatar
Boris Mühmer committed
20090418
Boris Mühmer's avatar
Boris Mühmer committed
	Cleanup: use the extensible API to pass SMTP client address
	information to the dovecot SASL plugin, and prepare for
	passing server address information. Files: xsasl/xsasl.h,
	xsasl/xsasl_dovecot_server.c, smtpd/smtpd_sasl_glue.c.
Boris Mühmer's avatar
Boris Mühmer committed
	Same extensible API transformation for the SASL client-side
	code to make future extensions less painful. Files:
	xsasl/xsasl.h, xsasl/xsasl*client.c, smtp/smtp_sasl_glue.c.
Boris Mühmer's avatar
Boris Mühmer committed
	More postlink fixes. File: mantools/postlink.
Boris Mühmer's avatar
Boris Mühmer committed
20090419
Boris Mühmer's avatar
Boris Mühmer committed
	Bugfix: don't re-enable SIGHUP if it is ignored in the
	parent. This may cause random "Postfix integrity check
	failed" errors at boot time (POSIX SIGHUP death), causing
	Postfix not to start. We duplicate code from postdrop and
	thus avoid past mistakes.  File: postsuper/postsuper.c.

	Robustness: don't re-enable SIGTERM if it is ignored in the
	parent. Files: postsuper/postsuper.c, postdrop/postdrop.c.
Boris Mühmer's avatar
Boris Mühmer committed
20090422
Boris Mühmer's avatar
Boris Mühmer committed
	Undo delivery agent change 20090415. The queue manager never
	locks a queue file to read additional recipients into memory,
	so if a delivery agent runs into a locked file, then something
	is seriously wrong. File: global/deliver_request.c.
Boris Mühmer's avatar
Boris Mühmer committed
20090424
Boris Mühmer's avatar
Boris Mühmer committed
	Compatibility: the Postfix SMTP client no longer uses the
	obsolete SSLv2 by default for opportunistic encryption.
	This has nothing to do with security (we're willing to send
	plaintext over an unauthenticated connection) but with the
	loss of advanced options that give better performance.
	Victor Duchovni. Files: proto/postconf.proto, global/mail_params.h.
Boris Mühmer's avatar
Boris Mühmer committed
20090426
Boris Mühmer's avatar
Boris Mühmer committed
	Feature: more accurate support for Milter macros {mail_addr}
	and {rcpt_addr}, and new support for Milter macros {mail_host},
	{mail_mailer}, {rcpt_host}, and {rcpt_mailer}.  Files:
	milter/milter.[hc], smtpd/smtpd.[hc], smtpd/smtpd_milter.c,
	smtpd/smtpd_resolve.c.
Boris Mühmer's avatar
Boris Mühmer committed
	Feature: support to report rejected recipients to Milters
	(SMFIP_RCPT_REJ). Postfix reports the event as decribed in
	Sendmail 8.14.0 documentation: {rcpt_mailer} = "error",
	{rcpt_host} = enhanced status code (e.g., "5.7.1"), and
	{rcpt_addr} = reason to reject (e.g., "Relay access denied").
	Files: milter/milter.[hc], milter/milter8.c, smtpd/smtpd.[hc],
	smtpd/smtpd_milter.c.
Boris Mühmer's avatar
Boris Mühmer committed
20090427
Boris Mühmer's avatar
Boris Mühmer committed
	Feature: Milter support for replacing the envelope sender
	and adding recipients (SMFIR_CHGFROM, SMFIR_ADDRCPT_PAR).
	This support currently ignores ESMTP command parameters.
	Files: milter/milter8.c, cleanup/cleanup_milter.c.

20090428

	Compatibility: to make all the new Milter features usable,
	raise the default milter_protocol setting from 2 to 6.
	This has been tested with a Sendmail 8.14 libmilter.
	File: global/mail_params.h.

	Bugfix: don't disable MIME parsing with smtp_header_checks,
	smtp_mime_header_checks, smtp_nested_header_checks or with
	smtp_body_checks. Bug reported by Victor. File: smtp/smtp_proto.c.

	Code cleanups: respect VSTRING invariants by using VSTRING_RESET
	and VSTRING_TERMINATE instead of directly groping the
	underlying character buffer. Files: global/dsn_buf.c,
	milter/milter8.c.

20090507

	main.cf:tls_random_source now defaults to /dev/arandom on
	OpenBSD.  This device was introduced before Postfix development
	began. Files: util/sys_defs.h, global/mail_params.h.

20090510

	Code cleanups: while emulating SMTP client requests for
	Milter applications, use user@domain form addresses as
	required by the SMTP protocol, instead of bare usernames.
	This avoids hard to debug errors from some Milter applications.
	Files: cleanup/cleanup_envelope.c, cleanup/cleanup_extracted.c,
	cleanup/cleanup_addr.c.

20090511

	Code cleanups: don't clobber -o command-line arguments so
	that Linux people can debug daemon command lines more easily.
	Files: master/*server.c.
Boris Mühmer's avatar
Boris Mühmer committed
20090513

	Code cleanups: better parsing of Postfix daemon "-o"
	command-line options, with better error handling.  Files:
	master/*server.c.

20090518

	Documentation: missing dummy entries for lmtp_mumble_checks.
	File: proto/postconf.proto.

Boris Mühmer's avatar
Boris Mühmer committed
20090519

	Bugfix (introduced: Postfix 2.3, but did not cause trouble
Boris Mühmer's avatar
Boris Mühmer committed
	until 20090427).  Queue file corruption with (smtpd_milters
Boris Mühmer's avatar
Boris Mühmer committed
	or non_smtpd_milters) enabled, AND with delay_warning_time
Boris Mühmer's avatar
Boris Mühmer committed
	enabled, AND with short envelope sender addresses (e.g.,
Boris Mühmer's avatar
Boris Mühmer committed
	local submissions with bare usernames, but not bounces).
	The queue file would be corrupted when the delay_warning_time
	record was marked as "done" after sending the "your mail
	is delayed" notice.  File: qmgr/qmgr_message.c.
Boris Mühmer's avatar
Boris Mühmer committed
20090522

	Bugfix (introduced: Postfix 2.3).  The cleanup server
	rejected mail with records of type REC_TYPE_DRCP (recipient
	deleted by Milter), but such records could be present in
	mail re-submitted with "postsuper -r". Found during code
	review. Files: global/record.h, cleanup/cleanup_envelope.c.

20090524

	Feature: new postcat options: -e (print envelope), -h (print
	header), and -b (print body). Specify "postcat -bh" to
	suppress information about envelope records, and "postcat
	-h" to get the message header only. With large messages,
	"postcat -h" is much faster than manually stripping the
	message body from the output. File: postcat/postcat.c.

Boris Mühmer's avatar
Boris Mühmer committed
20090528

	Bugfix (introduced: Postfix 2.6 change 20080629): with
	plaintext sessions, smtpd_tls_auth_only=yes caused spurious
	warnings with reject_authenticated_sender_login_mismatch,
	and broke reject_unauthenticated_sender_login_mismatch and
	reject_sender_login_mismatch.  Based on fix by Victor
	Duchovni. File: smtpd/smtpd_check.c.
Boris Mühmer's avatar
Boris Mühmer committed
20090603

	Cleanup: Postfix 2.3 adopted a file descriptor passing
	workaround for OpenBSD. This workaround was hard-coded for
	all platforms because there were no have adverse effects.
	This is no longer the case: OpenBSD is fixed, and NetBSD
	does not like the workaround. We now default back to the
	non-workaround code and turn on the workaround dynamically.
	Files: util/unix_send_fd.c, unix_recv_fd.c, unix_pass_fd_fix.c.

Boris Mühmer's avatar
Boris Mühmer committed
20090605

Boris Mühmer's avatar
Boris Mühmer committed
	Portability: modern kernels below ancient user-land. File:
	makedefs.

20090606

	Feature: post-Milter header checks, with all actions except
	PREPEND. To enable, specify for example "milter_header_checks
	= pcre:/path/to/file".  Files: cleanup/cleanup_init.c,
	cleanup/cleanup_milter.c, cleanup/cleanup_extracted.c,
	cleanup/cleanup_state.c.

	Bugfix: non-portable command pathname in postmulti-script.

	Safety: "postmulti -e destroy" no longer attempts to remove
	files that are created AFTER "postmulti -e create". Rationale:
	by design, postfix queue/data directories are not trusted;
	actions within those directory trees must not affect files
	outside those those trees (e.g. by symlink race attacks).
	We don't want to be nailed with a bunch of CVEs for unsafe
	pathname handling.  File: conf/postmulti-script.

20090607

	Cleanup: revise milter_header_checks action implementation,
	and avoid redundant logging and work when milter_header_checks
	and Milters make redundant or conflicting decisions. File:
	cleanup_milter.c.

20090614

	Preliminary postscreen triage server for all inbound SMTP
	connections.  This is not a proxy: it rejects bad clients
	and forwards the rest of the connections to a real Postfix
	SMTP server. The initial version does a simple "friend or
	foe" based on whether the client starts talking too soon.
	Decisions are cached, so "good" clients have no overhead.
	File: postscreen/postscreen.c.

	Cleanup: more robust code for receiving file descriptors
	via the "pass" master service protocol.  File:
	util/upass_listen.c.

20090617

	Temporary helper daemon that does parallel DNSBL lookups
	for postscreen(8). It logs successful lookups to the maillog
	file without blocking the client. postscreen(8) will use
	the results in a later non-production version. To enable
	DNSBL lookups, specify "postscreen_dnsbl_sites = name,
	name, etc". and restart postscreen(8) with "postfix reload".
	File: src/dnsblog/dnblog.c.

20090618

	postscreen(8) logging and actions are now documented in the
	postscreen(8) manpage. When a client is listed in DNSBLs
	specified with postscreen_dnsbl_sites, it is no longer
	whitelisted. Instead the number of blocklist hits is logged.
	File: postscreen/postscreen.c.

20090619

	postscreen(8) by default no longer immediately drops
	connections. Specify "postscreen_greet_action = drop" and
	"postscreen_hangup_action = drop" for the old behavior.
	There is also a new postscreen_dnsbl_action parameter, for
	completeness.  File: postscreen/postscreen.c.

20090708

	Portability: FreeBSD 8 has closefrom(). File: uti/sys_defs.h.
Boris Mühmer's avatar
Boris Mühmer committed

20090710

	Bugfix (introduced Postfix 2.3): Postfix got out of sync
	with a Milter application after the application sent a
Boris Mühmer's avatar
Boris Mühmer committed
	"quarantine" request at end-of-message time. The milter 
Boris Mühmer's avatar
Boris Mühmer committed
	application would still be in the end-of-message state,
	while Postfix would already be working on the next SMTP
	event (typically, QUIT or MAIL FROM).  Problem diagnosed
	with help from Alban Deniz. File: milter/milter8.c.

Boris Mühmer's avatar
Boris Mühmer committed
20090711-2

	New "event_server" Postfix server framework. It is similar
	to the "multi_server" framework but does not manage client
	I/O events.  This framework is suitable for servers such
	as postscreen that have complex event management requirements.
	File: master/event_server.c.

	New event_fork() primitive to resume event processing in a
	child process after it is created with fork(). This is
	needed by postscreen to complete work-in-progress in the
	background after "postfix reload". File: util/events.c.

	Cleanup: postscreen migrated to the "event_server" framework.
	File: postscreen/postscreen.c.

Boris Mühmer's avatar
Boris Mühmer committed
20090712

Boris Mühmer's avatar
Boris Mühmer committed
	Cleanup: ${multi_instance_name:postfix}${multi_instance_name
Boris Mühmer's avatar
Boris Mühmer committed
	?$multi_instance_name} garbage in Postfix logging is now
	hopefully gone.  File: global/mail_task.c.

20090715

	Documentation: as of Postfix 2.6, the reject_unauth_pipelining
	feature can be used meaningfully at any protocol stage.
	File: proto/postconf.proto.
Boris Mühmer's avatar
Boris Mühmer committed
20090717

	Cleanup: postscreen PREGREET detection now uses non-destructive
	read, so that the real SMTP server can still receive the
	HELO command (apparently some sites allow pregreeters to
	talk to their servers).  File: postscreen/postscreen.c.

Boris Mühmer's avatar
Boris Mühmer committed
20090805

	Bugfix: don't panic when an unexpected smtpd access map is
	specified. File: smtpd/smtpd_check.c.
Boris Mühmer's avatar
Boris Mühmer committed

20090918

	Bugfix (introduced Postfix 2.3): with Milter RCPT TO replies
	turned off, there was no automatic flush-before-read on the
	smtpd-to-milter stream, because the read was done on the
	cleanup-to-milter stream. Problem reported by Stephen Warren.
	File: milter/milter8.c.

20091005

	Bugfix: core dump while printing error message for malformed
	%<letter> sequence in LDAP, MySQL or PostgreSQL configuration.
	File: global/db_common.c. Fix by Victor Duchovni.

Boris Mühmer's avatar
Boris Mühmer committed
20091006
Boris Mühmer's avatar
Boris Mühmer committed
	Feature: "postscreen_whitelist_networks = $mynetworks" (the
	default) to avoid problems with buggy SMTP implementations
	in network appliances.  Note: this feature never uses the
	remote SMTP client hostname.  Files: global/addr_match_list.[hc],
	postscreen/postscreen.c.
Boris Mühmer's avatar
Boris Mühmer committed
	Feature: postscreen_blacklist_networks (default: empty) to
	permanently blacklist hosts or networks. Address syntax is
	as with mynetworks. Note: this feature never uses the remote
	SMTP client hostname.  File: postscreen/postscreen.c.
Boris Mühmer's avatar
Boris Mühmer committed
	Feature: postscreen_blacklist_action (default: continue)
	to control what happens with a permanently blacklisted
	client. File: postscreen/postscreen.c.
Boris Mühmer's avatar
Boris Mühmer committed
20091007
Boris Mühmer's avatar
Boris Mühmer committed
	Feature: hostname-based check_client_{mx,ns}_access,
	check_reverse_client_hostname_{mx,ns}_access (the client
	IP address is not used). Rob Foehl.  Files: smtpd/smtpd_check.c,
	global/mail_params.h, proto/postconf.proto, mantools/postlink.
Boris Mühmer's avatar
Boris Mühmer committed
20091008
Boris Mühmer's avatar
Boris Mühmer committed
	Documentation: restructured the postscreen(8) manpage
	as a sequence of tests. File: postscreen/postscreen.c.
Boris Mühmer's avatar
Boris Mühmer committed
20091012
Boris Mühmer's avatar
Boris Mühmer committed
	Bugfix: postmulti did not skip commands with -p.  Luca
	Berra. File: postmulti/postmulti.c.
Boris Mühmer's avatar
Boris Mühmer committed
20091023
Boris Mühmer's avatar
Boris Mühmer committed
	Feature: specify "smtpd_command_filter = pcre:/file/name"
	to replace remote SMTP client commands before they are
	executed by the Postfix SMTP server. This a last-resort
	tool to fix inter-operability problems.  See examples in
	the postconf(5) manual page.  File: smtpd/smtpd.c.
Boris Mühmer's avatar
Boris Mühmer committed
20091026
Boris Mühmer's avatar
Boris Mühmer committed
	Cleanup: changed parameter evaluation order so that the
	multi_instance_wrapper parameter value is evaluated after
	the command and daemon directory parameters. File:
	global/mail_params.h.
Boris Mühmer's avatar
Boris Mühmer committed
20091101
Boris Mühmer's avatar
Boris Mühmer committed
	Performance: specify "smtpd_proxy_options = speed_adjust"
	to receive an entire message before sending it through a
	before-queue content filter. This reduces the number of
	simultaneous content filtering processes, and thus, the
	system memory requirements.  Files: smtpd/smtpd.[hc],
	smtpd/smtpd_proxy.[hc].
Boris Mühmer's avatar
Boris Mühmer committed
20091103-4
Boris Mühmer's avatar
Boris Mühmer committed
	Cleaned up the speed-adjust code, streamlined the error
	handling, and updated documentation. Files: smtpd/smtpd.[hc],
	smtpd/smtpd_proxy.[hc], proto/SMTPD_PROXY_README.html.
Boris Mühmer's avatar
Boris Mühmer committed
20091105
Boris Mühmer's avatar
Boris Mühmer committed
	Cleaning up after speed_adjust introduction: smtpd segfault
	caused by an incomplete API change; refined the queue space
	check; release scratch space immediately after delivering
	mail to the before-queue filter. Files: smtpd.c, smtpd_proxy.c.
Boris Mühmer's avatar
Boris Mühmer committed
20091110
Boris Mühmer's avatar
Boris Mühmer committed
	Workaround: specify "smtp_tls_block_early_mail_reply = yes"
	to detect a mail hijacking attack based on a TLS protocol
	vulnerability (CVE-2009-3555). The attack involves prepending
	malicious HELO/MAIL/RCPT/DATA commands to a Postfix SMTP
	client TLS session. The attack would succeed with non-Postfix
	SMTP servers that reply to the malicious commands after
	negotiating the Postfix SMTP client TLS session. File:
Boris Mühmer's avatar
Boris Mühmer committed
	smtp/smtp_proto.c.

Boris Mühmer's avatar
Boris Mühmer committed
20091113
Boris Mühmer's avatar
Boris Mühmer committed
	Workaround: skip interfaces without netmask, to avoid
	segfaults (reported by Dmitry Karasik). Don't supply a dummy
	null netmask, as that would turn Postfix into an open relay
	(mynetworks = 0.0.0.0/0). File: util/inet_addr_local.c.
Boris Mühmer's avatar
Boris Mühmer committed
	Bugfix: forgot to flush output to the smtpd_proxy speed-adjust
	buffer before truncating the file. Reported by Mark Martinec,
	fix by Victor Duchovni. File: smtpd/smtpd_proxy.c.
Boris Mühmer's avatar
Boris Mühmer committed
20091114
Boris Mühmer's avatar
Boris Mühmer committed
	Feature: specify "smtp_reply_filter = pcre:/file/name" to
	replace remote SMTP server reply lines before they are
	parsed by the Postfix SMTP client. This a last-resort tool
	to fix inter-operability problems.  See examples in the
	postconf(5) manual page.  File: smtp/smtp_chat.c.
Boris Mühmer's avatar
Boris Mühmer committed
	Safety: don't send postmaster notifications to report
	problems delivering (possible) postmaster notifications.
	File: smtp/smtp_connect.c.
Boris Mühmer's avatar
Boris Mühmer committed
20091121
Boris Mühmer's avatar
Boris Mühmer committed
	Feature: sender_dependent_default_transport_maps, to override
	the default transport in a sender-dependent manner. This
	is not a transport_maps override, and therefore it does not
	use the transport_maps syntax for null transport, null
	nexthop, or null email address.
Boris Mühmer's avatar
Boris Mühmer committed
20091127
Boris Mühmer's avatar
Boris Mühmer committed
	Usability: the Postfix SMTP client now logs a warning that
	wrappermode TLS is not supported, when configured to connect
	to port smtps/465. File: smtp/smtp_connect.c.
Boris Mühmer's avatar
Boris Mühmer committed
20091203
Boris Mühmer's avatar
Boris Mühmer committed
	Safety: the postscreen daemon logs a warning when table
	lookup is slow. Slow lookups cause postscreen to fall behind,
	and worse, to catch up in bursts, which results in overload
	elsewhere.  File: postscreen/postscreen.c.
Boris Mühmer's avatar
Boris Mühmer committed
20091206
Boris Mühmer's avatar
Boris Mühmer committed
	Feature: by popular demand, the Postfix SMTP server now
	logs the before-queue content filter's end-of-message
	accept/reject response.  File: smtpd/smtpd.c.
Boris Mühmer's avatar
Boris Mühmer committed
20091209
Boris Mühmer's avatar
Boris Mühmer committed
	Portability: as the result of continuous improvement,
	Berkeley DB no longer allows fork-then-close. File:
	postscreen/postscreen.c.
Boris Mühmer's avatar
Boris Mühmer committed
	Bugfix: sender_dependent_relayhost_maps did not reject an
	empty lookup result, and did not recognize lookup errors,
	thus treating errors as "not found". Problem found during
	code maintenance. File: trivial-rewrite/resolve.c.
Boris Mühmer's avatar
Boris Mühmer committed
	Cleanup: the postscreen daemon now applies the permanent
	whitelist first. It is a safety feature that prevents mail
	from being blocked. File: postscreeb/postscreen.c.
Boris Mühmer's avatar
Boris Mühmer committed
20091224
Boris Mühmer's avatar
Boris Mühmer committed
	Bugfix (introduced 20041215): dict_dbm_sequence() did not
	release the shared lock when the end of the sequence was
	reached. File: util/dict_dbm.c.
Boris Mühmer's avatar
Boris Mühmer committed
20091227
Boris Mühmer's avatar
Boris Mühmer committed
	Cleanup: postscreen and verify periodic cache cleanup
	(default: 12 hours after the previous cache cleanup run).
	This is based on a new dict_cache(3) module that implements
	a generalized version of the tlsmgr(8) cache maintenance
	code.  Once the new dict_cache(3) code is burned in, the
	tlsmgr(8) will be migrated to it. See the RELEASE_NOTES for
	user interface details. Files: util/htable.[hc], util/dict_ht.c,
	util/dict_cache.[hc], postscreen/postscreen.c, verify/verify.c.
Boris Mühmer's avatar
Boris Mühmer committed
	Bugfix: the event handler starved I/O events when a timer
	call-back routine scheduled a zero-delay timer request.
	This bug was exposed when adding the new dict_cache(3)
	module for cache expiration.  File: util/events.c.
Boris Mühmer's avatar
Boris Mühmer committed
20091228
Boris Mühmer's avatar
Boris Mühmer committed
	Cleanup: postscreen and verify periodic cache cleanup is
	now optional (specify a null time interval between cache
	cleanup runs).
Boris Mühmer's avatar
Boris Mühmer committed
20091229
Boris Mühmer's avatar
Boris Mühmer committed
	Cleanup: the address_verify_poll_count default parameter
	value is now stress-dependent, so that the Postfix SMTP
	server will not wait (up to 6 seconds) for the address
	verification result. File: global/mail_params.h.
Boris Mühmer's avatar
Boris Mühmer committed
	Final solution for the I/O event starvation problem when a
Boris Mühmer's avatar
Boris Mühmer committed
	timer call-back schedules a zero-delay timer request.  File:
	util/events.c.
Boris Mühmer's avatar
Boris Mühmer committed
20091231
Boris Mühmer's avatar
Boris Mühmer committed
	Cleanup: the non-shared, in-memory hash table is now
	accessible as the "internal:" map type. This simplifies
	code by eliminating some special cases. Files: util/dict_ht.c,
	util/dict_open.c, and documentation.
Boris Mühmer's avatar
Boris Mühmer committed
20100101
Boris Mühmer's avatar
Boris Mühmer committed
	Bugfix: the mantools/postlink script applied hyperlinks
	for the "virtual:" transport to "/etc/postfix/virtual:".
	Symptom reported by Christoph Anton Mitterer.
Boris Mühmer's avatar
Boris Mühmer committed
20100102
Boris Mühmer's avatar
Boris Mühmer committed
	Workaround: don't report bogus Berkeley DB close errors as
	fatal errors. All operations before close are already error
	checked, so the data is known to be safe.  File: util/dict_db.c.
Boris Mühmer's avatar
Boris Mühmer committed
20100107
Boris Mühmer's avatar
Boris Mühmer committed
	Documentation: the access(5) manual page did not document
	the "send 521 and disconnect" behavior in the Postfix SMTP
	server (introduced with Postfix 2.6). File: proto/access.
Boris Mühmer's avatar
Boris Mühmer committed
	Bugfix: the pickup daemon did not discard messages that
	were requeued after all recipients were delivered (or
	bounced), and the cleanup server tried to bounce such
	messages. Files: pickup/pickup.c, global/cleanup_user.h.
Boris Mühmer's avatar
Boris Mühmer committed
	Future proofing: redundant code in postdrop to reject a
	submission without recipient record. File: postdrop/postdrop.c.
Boris Mühmer's avatar
Boris Mühmer committed
20100109
Boris Mühmer's avatar
Boris Mühmer committed
	Cleanup: "postcat -q" will now access files in the "saved"
	queue directory (for corrupted queue files). As before, the
	"postsuper" command will not, to avoid suddenly deleting
	such files. Files: global/mail_queue.h postcat/postcat.c.
Boris Mühmer's avatar
Boris Mühmer committed
20100113
Boris Mühmer's avatar
Boris Mühmer committed
	Cleanup: don't supply the "-o stress" command-line option
	with a single-process service. File: master/master_ent.c.
Boris Mühmer's avatar
Boris Mühmer committed
20100115
Boris Mühmer's avatar
Boris Mühmer committed
	Bugfix: the valid_hostname() fuction did not set the
	"non-numeric" flag after encountering the '-' character.
	Reported by Jan Schampera.  File: util/valid_hostname.c.
Boris Mühmer's avatar
Boris Mühmer committed
20100116
Boris Mühmer's avatar
Boris Mühmer committed
	Documentation: the content_filter and FILTER features never
	supported the special cases of transport_maps. References
	to transport_maps syntax are now removed from content filter
	discussions.  Files: proto/postconf.proto, proto/FILTER_README.
Boris Mühmer's avatar
Boris Mühmer committed
	Workaround: as of Postfix 2.3 the VRFY command did not allow
	a mailbox address inside <>, which broke expectations.  RFC
	2821 (and 5321) is vague about the VRFY request format, but
	spends lots of text on the reply format.  File: smtpd/smtpd.c.
Boris Mühmer's avatar
Boris Mühmer committed
20100117
Boris Mühmer's avatar
Boris Mühmer committed
	Cleanup: when a content_filter parameter or FILTER command
	specifies an empty next-hop destination, the queue manager
	now uses the recipient domain instead of $myhostname. Specify
	"default_filter_nexthop = $myhostname" for compatibility
	with Postfix 2.6 and earlier, or specify a non-empty next-hop
	filter destination.  Files: *qmgr/qmgr_message.c proto/access,
	proto/header_checks, proto/postconf.proto, proto/FILTER_README.
Boris Mühmer's avatar
Boris Mühmer committed
20100120
Boris Mühmer's avatar
Boris Mühmer committed
	Cleanup: detect illegal pipelining after HELO, EHLO.  File:
	smtpd/smtpd.c.
Boris Mühmer's avatar
Boris Mühmer committed
20100128
Boris Mühmer's avatar
Boris Mühmer committed
	Documentation: streamlined the decriptions of protocol and
	cipher tweaks. Victor Duchovni. Files: proto/TLS_README,
	proto/postconf.proto.
Boris Mühmer's avatar
Boris Mühmer committed
20100131
Boris Mühmer's avatar
Boris Mühmer committed
	Documentation: the address verification database is now
	persistent by default. This, combined with the now default
	stress-dependent configuration, improves the performance
	limits and simplifies database maintenance.  Files:
	proto/ADDRESS_VERIFICATION_README, verify/verify.c.
Boris Mühmer's avatar
Boris Mühmer committed
	Cleanup: undo the proxymap and trivial-rewrite max_idle=1s
	override that was introduced with Postfix 2.3. It did not
	help to retire long-lived proxymap or trivial-rewrite
	processes on busy servers, and worsened performance on
	low-traffic servers. The reduced ipc_ttl value (introduced
	with Postfix 2.4) already solves the problem of retiring
	long-lived proxymap or trivial-rewrite processes.  Files:
	proxymap/proxymap.c, trivial-rewrite/trivial-rewrite.c.
Boris Mühmer's avatar
Boris Mühmer committed
20100202
Boris Mühmer's avatar
Boris Mühmer committed
	Documentation: major revision of SASL_README with many
	details on how to configure Cyrus SASL internals. Patrick
	Koetter.  File: proto/SASL_README.html
Boris Mühmer's avatar
Boris Mühmer committed
20100204
Boris Mühmer's avatar
Boris Mühmer committed
	Feature: added "forward_secrecy" option for Cyrus SASL.
	File: xsasl/xsasl_cyrus_security.c.
Boris Mühmer's avatar
Boris Mühmer committed
20100206
Boris Mühmer's avatar
Boris Mühmer committed
	Bugfix (from day zero): the local delivery agent returned
	undeliverable mail to the envelope sender instead of the
	owner- alias, when delivering to command or file. This
	reuses the workaround that was implemented to report a
	Delivered-To: loop. Files: local/file.c, local/command.c,
	local/recipient.c, local/bounce_workaround.c.
Boris Mühmer's avatar
Boris Mühmer committed
20100209
Boris Mühmer's avatar
Boris Mühmer committed
	The tcp_table(5) interface is now part of the stable release.
	The last protocol change was in Postfix 2.1. File:
	util/dict_open.c.
Boris Mühmer's avatar
Boris Mühmer committed
20100305

	Feature: reject_rhsbl_reverse_client, to reject a remote
	SMTP client based on its unverified reverse hostname.  Code
	by Noel Jones. Files: smtpd/smtpd_check.c, proto/postconf.proto.

	Feature: smtp_address_preference (default: ipv6) to control
	the order in which the Postfix SMTP client will connect to
	a destination that has IPv6 and IPv4 addresses with equal
	MX preference. Files: global/mail_params.h, smtp/smtp.c,
	smtp/smtp_params.c, smtp/smtp_addr.c, dns/dns_rr.c,
	and documentation.

20100321

	Feature: allow Milter applications to use a lower protocol
	version than the version that Postfix is configured for.
	Based on an idea by Kouhei Sutou.  File: milter/milter8.c.

20100322

	Bugfix (introduced 20100305) the new smtp_address_preference
	feature was not tested with LMTP support. Problem reported
	by Stefan Foerster. File: smtp/smtp.c.

20100407

	Bugfix (introduced 20100305): reject_rhsbl_reverse_client
	was skipped if the forward-confirmed reverse DNS (FCRDNS)
	remote SMTP client hostname was "unknown".  Victor Duchovni.
	File: smtpd/smtpd_check.c.

Boris Mühmer's avatar
Boris Mühmer committed
20100422

	Workaround (introduced: postfix-19990906 a.k.a. Postfix
	0.8.0).  The Postfix local delivery agent did not properly
	distinguish between "address has no extension" and "address
	has an extension, but the extension is invalid". In both
	cases it would run only the full recipient local-part through
	the alias maps.  Instead, it now drops the faulty extension
	from the recipient address local-part (it would be too
	error-prone to replace all tests for "no extension" by tests
	for "no valid extension".  File: local/recipient.c.

Boris Mühmer's avatar
Boris Mühmer committed
20100430

	Feature: customized hard/soft reject responses by Jason
	Parsons.  File: smtpstone/smtp-sink.c.

Boris Mühmer's avatar
Boris Mühmer committed
20100515

	Bugfix (introduced Postfix 2.6): the Postfix SMTP client
	XFORWARD implementation did not skip "unknown" SMTP client
	attributes, causing a syntax error when sending a PORT
	attribute. Reported by Victor Duchovni. File: smtp/smtp_proto.c.

20100526

Boris Mühmer's avatar
Boris Mühmer committed
	Cleanup: a unit-test driver was not updated after an internal
	API change. Vesa-Matti J Kari File: milter/milter.c.
Boris Mühmer's avatar
Boris Mühmer committed

20100529

	Portability: OpenSSL 1.0.0 changes the priority of anonymous
	cyphers. Victor Duchovni. Files: postconf.proto,
	global/mail_params.h, tls/tls_certkey.c, tls/tls_client.c,
	tls/tls_dh.c, tls/tls_server.c.

	Portability: Mac OS 10.6.3 requires <arpa/nameser_compat.h>
	instead of <nameser8_compat.h>. Files: makedefs, util/sys_defs.h,
	dns/dns.h.

20100531

Boris Mühmer's avatar
Boris Mühmer committed
	Robustness: skip LDAP queries with non-UTF-8 search strings
	(in anticipation of UTF8SMTP support).  File: global/dict_ldap.c.

Boris Mühmer's avatar
Boris Mühmer committed
	Strict UTF-8 validator per RFC 3629. File: util/valid_utf8_string.c.
Boris Mühmer's avatar
Boris Mühmer committed
	Cleanup: Postfix LDAP client support for RFC 2255 LDAP URLs.
	Victor Duchovni. Files: proto/ldap_table global/dict_ldap.c.

Boris Mühmer's avatar
Boris Mühmer committed
	Safety: Postfix processes log a warning when a matchlist
	has a #comment at the end of a line (for example mynetworks
	or relay_domains).  File: util/match_list.c.

	Portability: Berkeley DB 5.x has the same API as Berkeley
	DB 4.1 and later. File: util/dict_db.c.
Boris Mühmer's avatar
Boris Mühmer committed

20100610

	Bugfix (introduced Postfix 2.2): Postfix no longer appends
	the system default CA certificates to the lists specified
	with *_tls_CAfile or with *_tls_CApath.  This prevents
	third-party certificates from getting mail relay permission
	with the permit_tls_all_clientcerts feature.  Unfortunately
	this may cause compatibility problems with configurations
	that rely on certificate verification for other purposes.
	To get the old behavior, specify "tls_append_default_CA =
	yes".  Files: tls/tls_certkey.c, tls/tls_misc.c,
	global/mail_params.h.  proto/postconf.proto, mantools/postlink.

Boris Mühmer's avatar
Boris Mühmer committed
20100615

	Cleanup: the master no longer logs "process P killed with
	signal S" when it shuts down a running service (for example,
	the service is removed from master.cf, or the service is
	disabled via the main.cf master_service_disable parameter).
	File: master/master_spawn.c.

20100617

	Feature: read-only sqlite support based on code by Axel
	Steiner and documentation by Jesus Garcia Crespo. Files:
	conf/postfix-files, mantools/postlink, proto/DATABASE_README.html,
	proto/Makefile.in, proto/INSTALL.html, proto/mysql_table,
	proto/pgsql_table, proto/sqlite_table, proto/SQLITE_README.html,
	global/Makefile.in, global/mail_dict.c, global/dict_sqlite.c,
	global/dict_sqlite.h, postconf/postconf.c, postfix/postfix.c.

20100618

	Cleanup: SQLite read-only driver and documentation.  Files:
	global/dict_sqlite.c, proto/mysql_table, proto/SQLITE_README.html.

20100707

	Completed the 20100610 bugfix. File: tls/tls_misc.c.

Boris Mühmer's avatar
Boris Mühmer committed
20100714

	Compatibility with Postfix < 2.3: fix 20061207 was incomplete
	(undoing the change to bounce instead of defer after
	pipe-to-command delivery fails with a signal). Fix by Thomas
	Arnett. File: global/pipe_command.c.

Boris Mühmer's avatar
Boris Mühmer committed
20100715

	Convenience: "postconf name=value ..." is now equivalent to
	"postconf -e name=value ...".  File: postconf/postconf.c.

20100724

	Feature: INFO header/body_checks action for non-warning
	messages (for example, to log all Milter-inserted headers).
	File: global/header_body_checks.c, proto/header_checks.

	Cleanup: after-filter Postfix SMTP servers now log before-filter
	queue IDs. For this, the XFORWARD protocol was extended
	with an IDENT attribute for the before-filter queue ID.
	This code was started in Postfix 2.1, but it was never
	finished due to time constraints.  Files: smtpd/smtpd.[hc]
	smtpd/smtpd_proxy.c, smtpd/smtpd_sasl_proto.c,
	*qmgr/qmgr_messsage.c, *qmgr/qmgr_deliver.c,
	global/deliver_request.[hc], global/mail_proto.h,
	global/deliver_pass.c, smtp/smtp_proto.c.

Boris Mühmer's avatar
Boris Mühmer committed
20100727

	Bugfix: the milter_header_checks parser provided only the
	actions that change the message flow (reject, filter,
	discard, redirect) but disabled the non-flow actions (warn,
	replace, prepend, ignore, dunno, ok).  File:
	cleanup/cleanup_milter.c.

20100827

	Performance: fix for poor smtpd_proxy_filter TCP performance
	over loopback (127.0.0.1) connections. Problem reported by
	Mark Martinec.  Files: smtpd/smtpd_proxy.c.

Boris Mühmer's avatar
Boris Mühmer committed
	Bugfix: the Postfix SMTP client no longer appends the local
	domain when looking up a DNS name without ".".  Specify
	"smtp_dns_resolver_options = res_defnames" to get the old
	behavior, which can produce unexpected results. Files:
	smtp/smtp.c, smtp/smtp_params.c, smtp/smtp_addr.c.

20100828

	Refactoring: postscreen source code broken up into multiple
	files, and identifiers updated to match changes in their
	purpose.  This will be the baseline for adding support for
	DNSBL weighting, then a dummy engine to collect forensic
	evidence with the option of future protocol checks.  Files:
	postscreen/*.[hc], Makefile.in.

20100829

	Postscreen DNSBL support for optional fixed-string filters
	and optional integral weight factors (use negative weights
	for whitelisting). See RELEASE_NOTES and postconf(5) for
	details.  Files: postscreen/postscreen_dnsbl.c,
	proto/postconf.proto, mantools.postlink, global/mail_params.h.

	Incompatibility: the postscreen-to-dnsblog protocol was
	changed to support DNSBL query result filters. Use "postfix
	reload" after installing the new version otherwise the
	dnsblog(8) server may complain.

20100830

	Polished the postscreen documentation and comments to clarify
	the user interface and implementation. No code changes.

20100831-910

	Restructured postscreen and added support for a dummy SMTP
	protocol engine. This engine logs rejected attempts to
	deliver mail with helo/sender/recipient information, and
	implements deep protocol tests.  The first deep protocol
	test is for command pipelining, where a client sends multiple
	commands instead of waiting for the server to respond to
	each command. The second one implements the Postfix SMTP
	server's smtpd_forbidden_commands feature.  Files:
	postscreen/*.[hc]. See RELEASE_NOTES, postconf(5) and
	postscreen(8) for incompatibilities, features, and configuration
	parameters.

20100910

	Feature: boolean configuration parameters with string-valued
	defaults, so that they can be subject to macro expansions.
	This was needed to make some postscreen parameter defaults
	to the values of the corresponding smtpd parameters.  Files:
	global/mail_conf.h, global/mail_conf_nbool.c,
	master/event_server.c, master/mail_server.h, master/multi_server.c,
	master/single_server.c, master/trigger_server.c,
	postconf/extract.awk, postconf/postconf.c.

20100911

	Feature: texthash read-only database. This is similar to
	hash: files, except that you don't need to run the postmap(1)
	command before you can use the file, and that it does not
	detect changes after the file is read.  All information is
	read into memory. Files: util/dict_open.c, util/dict_thash.[hc],
	proto/DATABASE_README.html, postconf/postconf.c

20100912

	Feature: bare newline detection in postscreen. Real spambots
	don't make this mistake anymore, but poorly-written software
	still does.  File: postscreen/smtpd.c.

	Documentation: POSTSCREEN_README including instructions for
	turning postscreen(8) on without blocking mail, and more.
	Trimmed the text in the postscreen(8) manpage.  File:
	proto/POSTSCREEN_README.html, postscreen/postscreen.c.

20100914

	Cleanup: the "postscreen_greet_wait" delay now ends as soon
	as both the pregreet and DNSBL tests complete (the postscreen
	documentation mentions in history/credits that the program
	started as a crude prototype).  The default postscreen_dnsbl_ttl
	caching time is now reduced to 1h from 24h, allowing
	postscreen to catch up on DNSBL updates more quickly. If
	this increases the database update frequency too much then
	we'll need to make dnsbl result non-cachable.  Files:
	postscreen/postscreen_dnsbl.c, global/mail_params.h.

20100915

	Bugfix (introduced 20100914): missing precondition for
	call-back notification.  File: postscreen/postscreen_dnsbl.c.

	Bugfix (introduced 20100914): the "postscreen_greet_wait"
	delay speedup worked only for DNSBL listed sites.  File: