HISTORY

	Bugfix (introduced 20100914): the "postscreen_greet_wait"
	delay speedup worked only for DNSBL listed sites.  File:
	postscreen/postscreen_dnsbl.c.

	Workaround: better handling of pregreeting spambots. The
	postscreen built-in SMTP engine no longer sends a 220 banner
	to a client that falls into the pregeet trap.  This eliminates
	many "NON-SMTP COMMAND" records in postscreen logging, as
	the SMTP client and server no longer get out of sync.  It
	also results in better logging of sender/recipient information.
	File: postscreen/postscreen_smtpd.c.

20100916

	Cleanup: postscreen now uses the first responding DNSBL
	name in the "5.7.1 Service unavailable" reply, instead of
	the last responding one. File: postscreen/postscreen_dnsbl.c.

	Cleanup: the 20100914 "postscreen_greet_wait" speedup did
	not happen as often as it should, because some older code
	still turned on PREGREET tests gratuitously, causing a full
	greet-wait delay.  File: postscreen/postscreen_tests.c.

	Cleanup: to avoid "address in use" problems, postscreen now
	closes the listening socket after "postfix stop".  It also
	closes the socket after "postfix reload" but that does not
	hurt. Files: master/event_server.c, master/multi_server.c.

	Cleanup: postscreen now logs CONNECT and DISCONNECT events.
	Files: postscreen/postscreen.c, postscreen/postscreen_misc.c.

20100917

	Bugfix: cut-and-paste error. Postscreen used pregreet_ttl
	instead of dnsbnl_ttl. File: postscreen/postscreen_early.c.

20100920

	Cleanup: minor cleanups and invisible fixes. Files:
	postscreen/postscreen_misc.c, postscreen/postscreen.h,
	postscreen/postscreen_tests.c.

	Feature: preliminary postscreen penalty mechanism. Basic
	idea: when a client exceeds some threshold, don't allow it
	to pass any tests until the penalty expires. Penalties
	provide a way to slow down clients without blocking mail
	permanently.  Files: postscreen/postscreen_misc.c,
	postscreen/postscreen_tests.c, postscreen/postscreen.c.

	A first application of the postscreen penalty mechanism
	triggers on clients that make brief connections to find out
	if the mail server is up.  With "postscreen_early_hangup_penalty
	= 600" they will disqualify themselves for 10 minutes.
	Unfortunately, this behavior is used by legitimate bulk
	mail services. This application was removed 20101103.  The
	penalty mechanism itself is left in place as #ifdef NONPROD.

20100923

	Cleanup: renamed MUMBLE_FLAG_MUMBLE aggregates to
	MUMBLE_MASK_MUMBLE for consistency with other Postfix code.
	Files: postscreen/*.[hc].

20100930

	Cleanup: flag PIPELINING errors with NOOP and VRFY.  File:
	smtpd/smtpd.c.

20101006

	Bugfix (introduced: 20100914) dangling pointer when a client
	makes N > 1 simultaneous connections and closes M < N
	connections before postscreen has delivered the DNSBL score
	to the corresponding pseudothreads. In practice the pointer
	will refer to a block of 0xff bytes; the program terminates
	with a segmentation violation, and is restarted immediately
	by the master daemon. Files: postscreen/postscreen_early.c,
	postscreen/postscreen_dnsbl.c.

	Cleanup: avoid repeated delivery to mailing list members
	with pathological nested alias configurations.  The local(8)
	delivery agent now keeps the owner-alias attribute of the
	parent alias, when delivering mail to a child alias that
	does not have its own owner alias. With this change, local
	addresses from that child alias will be written to a new
	queue file, and a temporary error with one local address
	will no longer result in repeated delivery to other mailing
	list members.  Specify "reset_owner_alias = yes" for the
	older behavior.  File: local/alias.c.

20101007

	Bugfix (introduced: 2100923): duplicate "PASS OLD" logging.
	File: postscreen/postscreen_misc.c.

20101008

	Cleanup: dnsblog now logs "addr X listed by domain Y as Z"
	instead of "addr X blocked by domain Y as Z", because the
	service may be used for whitelist lookups. File:
	dnsblog/dnsblog.c.

20101023

	Cleanup: don't apply reject_rhsbl_helo to non-domain forms
	such as network addresses.  This would cause false positives
	with dbl.spamhaus.org.  File: smtpd/smtpd_check.c.

20101103

	Cleanup: new qmgr_ipc_timeout parameter (default: 60s) to
	override the system-wide ipc_timeout setting (default:
	3600s). The shorter timeout allows the queue manager to
	reset a deadlocked IPC connection before the watchdog timer
	goes off. Files: *qmgr/qmgr.c.

	Cleanup: new qmgr_daemon_timeout parameter (default: 1000s)
	to make the hard-coded 1000s watchdog timeout configurable.
	Files: *qmgr/qmgr.c.

	Cleanup: request default DSN notification when adding a
	recipient with smfi_addrcpt, instead of requesting "never
	notify" as with Postfix automatically-added BCC recipients.
	Files: cleanup/cleanup_addr.c, cleanup/cleanup.h,
	cleanup/cleanup_milter.c.

20101105

	Feature: DNS whitelist support in the Postfix SMTP server.
	permit_dnswl_client whitelists a client by IP address, and
	permit_rhswl_client whitelists a client by its hostname.
	The syntax is the same as reject_rbl_client etc., but the
	result is PERMIT instead of REJECT.  For safety reasons,
	permit_xxx_client are silently ignored when they would
	override reject_unauth_destination.  The result is
	DEFER_IF_REJECT when DNSWL lookup fails.  The implementation
	is based on a design documented by Noel Jones (August 2010).
	File: smtpd/smtpd_check.c.

20101108

	Workaround: strip off IPv6 datalink suffix from peer address
	to avoid problems with strict address checking code. Files:
	smtpd/smtpd_peer.c, qmqpd/qmqpd_peer.c.

20101114

	Robustness: postscreen(8) now implements a time limit on
	reading an entire command, instead of a time limit for
	reading individual characters. File: postscreen/postscreen_smtpd.c.

20101023

	Cleanup: don't apply reject_rhsbl_helo to non-domain forms
	such as network addresses.  This would cause false positives
	with dbl.spamhaus.org.  File: smtpd/smtpd_check.c.

20101117

	Bugfix: the "421" reply after Milter error was overruled
	by Postfix 1.1 code that replied with "503" for RFC 2821
	compliance. We now make an exception for "final" replies,
	as permitted by RFC. Solution by Victor Duchovni. File:
	smtpd/smtpd.c.

20101124-6

	Feature: pattern matching for DNSWL/DNSBL responses.  For
	example, with "reject_rbl_client example.com=d.d.d.d", each
	"d" can now be a pattern inside "[]" that contains one or
	more comma-separated decimal numbers or number..number
	ranges.  Files: smtpd/smtpd_check.c, postscreen/postscreen_dnsbl.c,
	util/ip_match.c, util/ip_match.h.

20101126

	Cleanup: don't log "blocked using example.com=127.0.0.1",
	just log the domain name. File: smtpd/smtpd_check.c.

20101129

	Cleanup: postscreen_client_connection_count_limit (default:
	$smtpd_client_connection_count_limit) to limit the number
	of connections from the same IP address to the postscreen(8)
	daemon. Files: postscreen/postscreen.c, postscreen/postscreen.h,
	postscreen/postscreen_state.c.

20101130

	Cleanup: all postscreen(8) logging now reports the client
	as [address]:port.  This requires an update of tools that
	process postscreen logging.  Files: postscreen/*.c,
	proto/POSTSCREEN_README.html.

	Cleanup: polishing recent documentation and code. Files:
	postscreen/postscreen_dnsbl.c, util/ip_match.c.

20101201

	Bugfix (introduced 20101129): broken default value for
	postscreen_client_connection_count_limit if the
	smtpd_client_connection_count_limit parameter was left at
	its default.  File: postscreen/postscreen.c.

	Workaround: BSD-ish mkdir() ignores the effective GID
	and copies group ownership from the parent directory.
	File: util/make_dirs.c.

20101202

	Feature: the LDAP client can now authenticate to LDAP servers
	via SASL. This is tested with SASL GSSAPI and Kerberos 5.
	Original code by Quanah Gibson-Mount adapted by Victor
	Duchovni.  Files: global/dict_ldap.c, proto/LDAP_README.html,
	proto/ldap_table.

	Cleanup: the cleanup server now reports a temporary delivery
	error when it reaches the virtual_alias_expansion_limit or
	virtual_alias_recursion_limit. Previously, it would silently
	ignore the excess recipients and deliver the message.  File:
	cleanup/cleanup_map1n.c.

20101205

	Cleanup: sache_clnt_create() had an unnecessary data
	dependency on the non-library var_scache_service variable,
	causing problems with shared library builds.  Instead, it
	should use its service argument (which has the same value).
	File: global/scache.c.

	Cleanup: pipe_command.c had an unnecessary data dependency
	on the non-library var_command_maxtime variable, causing
	problems with shared library builds. The dependency was not
	necessary because the callers already specify an explicit
	time limit.  File: global/pipe_command.c.

20101206

	Bugfix (introduced 20101205): postscreen hung up due to
	incorrect output error test. File: postscreen/postscreen_send.c.

20101207

	Cleanup: the undisclosed_recipients_header default value
	is now the empty string. The Internet mail RFCs have supported
	messages without recipient header for almost 10 years now.
	File: global/mail_params.h.

	Cleanup: use strtol() instead of sscanf() for consistent
	handling of out-of-range numbers. Files: global/cfg_parser.c,
	global/conv_time.c, global/mail_conf_int.c,
	global/mail_conf_long.c, global/mail_conf_nint.c.

20101217

	Cleanup: eliminated the code that copied TLS protocol
	messages between the OpenSSL TLS engine and the network.
	This change hopefully simplifies the TLS library enough
	that it can be used in an event-driven TLS proxy in front
	of postscreen.  Files: tls/tls_bio.c, tls/tls_server.c,
	tls/tls_client.c.

	This change eliminates an obscure bug where the SMTP server
	would wait for another $smtpd_timeout seconds after sending
	the "421 Error: timeout exceeded" message to the client.

20101221

	Cleanup: simplified the VSTREAM "large buffer" support by
	dropping the Postfix 2.4 "binary compatibility" requirement.
	Files: util/vstream.c, util/vstream.h.

20101222

	Cleanup: the SMTP client PIPELINING code did not account
	for TLS protocol overhead. This could (only in theory)
	result in deadlock when the remote SMTP server announces a
	very small receive window after the client and server have
	synchronized their SMTP state. Victor Duchovni.  File:
	smtp/smtp_proto.c.

20101223

	Feature: with "tls_preempt_cipherlist = yes" the Postfix
	SMTP server will preempt the remote SMTP client's cipher
	preference order. This requires OpenSSL 0.9.7 and later.
	Victor Duchovni. Files: src/smtpd/smtpd.c, src/tls/tls_server.c,
	proto/TLS_README.html, proto/postconf.proto.

	Future proofing: specify "tls_disable_workarounds = a list
	or bit-mask of OpenSSL bug work-arounds to disable". This
	may become necessary when a bug workaround is found to cause
	problems (security or interoperability). Victor Duchovni.
	Files: tls/tls_misc.c, proto/TLS_README.html, proto/postconf.proto.

	Infrastructure: extended name_mask module feature set with
	extensive documentation and 32-bit regression tests.  Victor
	and Wietse.  File: util/name_mask.[hc].

20101224

	Cleanup: sanitized the name_mask API so that errors will be
	ignored only upon explicit request. Files: util/name_mask.[hc],
	src/global/ehlo_mask.c, src/smtp/smtp_proto.c,
	src/util/name_mask.c, src/xsasl/xsasl_dovecot_server.c.

	Cleanup: more TLS overhead horrors for the SMTP client's
	PIPELINING engine. Wietse and Victor. File: smtp/smtp_proto.c.

20101226

	Cleanup: the SMTP client logic for pipelining the "." and
	"QUIT" commands was bogus - the pipelining engine could not
	know how much unacknowledged data is pending in the local
	TCP stack.  We now ignore the buffer check for sending
	"QUIT" after ".".  Wietse and Victor. File: smtp/smtp_proto.c.

20110101

	Cleanup: the Postfix SMTP server now always refreshes the
	SASL authentication mechanism list after STARTTLS. Some
	Dovecot versions may change their responses when they know
	that the SMTP connection is encrypted. File: smtpd/smtpd.c.

	Cleanup: the smtpd_starttls_timeout default value is now
	stress-dependent.  Files: global/mail_params.h,
	proto/postconf.proto.

	Compatibility: postscreen_discard_ehlo_keyword(s|maps)
	support for compatibility with smtpd_discard_ehlo_keyword(s|maps).
	Files: postscreen/postscreen_smtpd.c.

20110102

	Feature: STARTTLS support for the postscreen(8) daemon.
	With early testing feedback from Victor Duchovni and Ralf
	Hildebrandt.  Files: postscreen/postscreen_smtpd,
	postscreen/postscreen_starttls.c.

	Feature: event-driven tlsproxy(8) daemon that translates
	TLS <=> plaintext for postscreen(8). One tlsproxy(8) process
	can translate traffic for multiple remote SMTP clients.
	With early testing feedback from Victor Duchovni and Christian
	Roessner.  Files: util/nbbio.[hc], tlsproxy/*.[hc],
	postscreen/postscreen_starttlsd.c, postscreen/postscreen_smtpd.c.

20110103

	Cleanup: missing tls_level support in tlsproxy (it has no
	way to send plaintext, but perhaps an informative error
	message is in order anyway).  File: tlsproxy/tlsproxy.c.

	Cleanup: simplified the handling of throttled output (i.e.
	output that can't be sent because the receiver tries to be
	nasty).  File: postscreen/postscreen_send.c.

20110104

	Feature: add contact information to each SMTP server reject
	message. For example, "smtpd_reject_footer = call 800-555-0101
	for assistance", with macro expansion and with multi-line
	support. Files: global/mail_params.h, mantools/postlink,
	proto/postconf.proto, smtpd/smtpd.c, smtpd/smtpd_chat.c,
	smtpd/smtpd_expand.[hc], util/mac_expand.[hc].

20110105

	Cleanup: the forest of TLS-related booleans was shrunk.
	Victor Duchovni. Files: smtpd/smtpd.c, postscreen/postscreen.c,
	postscreen/postscreen_smtpd.c, tlsproxy/tlsproxy.c.

	Non-production: tlsproxy support in the Postfix SMTP server
	for stress testing of the tlsproxy daemon (#ifdef TLSPROXY).
	Seen from outside, Postfix works just as if it has TLS
	support built into in smtpd(8). Files: smtpd/smtpd.c,
	tls/tls_proxy*.[hc], tlsproxy/tlsproxy.c, util/vstream.[hc].

	Bugfix (introduced with the Postfix TLS patch): discard
	plaintext following the STARTTLS command or response. This
	matters only for the minority of SMTP clients that actually
	verify server certificates.  Files: smtpd/smtpd.c,
	smtp/smtp_proto.c.

20110106

	Non-production: cleaned up the tlsproxy support in the
	Postfix SMTP server for stress testing of the tlsproxy
	daemon (still #ifdef TLSPROXY). File: smtpd/smtpd.c.

20110107

	Cleanup: smtpd_reject_contact_information is renamed to
	smtpd_reject_footer, because it can be used for non-contact
	information.

	Compatibility: postscreen_reject_footer support for
	compatibility with smtpd_reject_footer.  Files:
	global/smtp_reply_footer.[hc], global/mail_conf.[hc],
	postscreen/postscreen_expand.c, postscreen/postscreen_send.c,
	postscreen/postscreen.c, smtpd/smtpd_chat.c.

	Compatibility: postscreen_command_filter support for
	compatibility with smtpd_command_filter. Files:
	postscreen/postscreen_dict.c, postscreen/postscreen_smtpd.c

20110108

	Cleanup: postscreen(8) now displays control characters in
	PREGREET responses as C-style \letter escapes, instead of
	"?".  File: postscreen/postscreen_early.c.

20110109

	Cleanup: Solaris support for "pass" (file descriptor passing
	based) services in master.cf.  This was needed by postscreen(8).
	Also, renamed upass_xxx.c to unix_pass_xxx.c. One-character
	prefixes are too short. Removed upass_connect.c because it
	was useless code. Files: util/stream_pass_connect.c,
	util/unix_pass_listen.c, util/unix_pass_trigger.c.

	Bugfix (introduced Postfix 2.4): on Solaris the Postfix
	event engine was deaf for SIGHUP and SIGALRM signals after
	the switch to /dev/poll. Symptoms were delayed "postfix
	reload" response, and killed processes when the watchdog
	timeout was less than max_idle.  The fix is to set up SIGHUP
	and SIGALRM handlers that write to a pipe, and to monitor
	that pipe for read events via the Postfix event engine.
	Files: master/master_sig.c, util/watchdog.c, util/sys_defs.h.

20110111

	Cleanup: replaced the postscreen(8) separate blacklist and
	whitelist lookup tables by one postscreen_access_list table.
	See postconf(5) and POSTSCREEN_README for examples.  Files:
	postscreen/postscreen_access.c, postscreen/postscreen.c,
	proto/postconf.proto, proto/POSTSCREEN_README.html.

20110112

	Cleanup: suspend/resume logic for postscreen(8) SMTP sessions
	that temporarily switch control to an external program such
	as tlsproxy, or perhaps a future policy plugin.  Files:
	postscreen/postscreen_smtpd, postscreen/postscreen_starttls.c.

20110113

	Cleanup: ps_cache and psc_cache are now postscreen_cache.
	There is no need for obscure name abbrevations. File:
	src/global/mail_params.h.

20110115

	Workaround: malloc fuzz (safety margin for malloc requests).
	Files: util/sys_defs.h, util/mymalloc.c.

	Cleanup: dnsblog_service_name and tlsproxy_service_name are
	now configurable, in case someone needs this. Files:
	global/mail_params.h, postscreen/postscreen.c, mantools/postlink,
	proto/postconf.proto.

20110116

	Cleanup: soft_bounce support for postscreen(8). Files:
	postscreen/postscreen_smtpd.c, postscreen/postscreen_send.c.

	Cleanup: for smtpd(8) compatibility, postscreen(8) now
	strips deprecated route address prefixes from email addresses
	(@here,@there:user@example becomes user@example). This is
	primarily to make postscreen(8) logging more similar to
	that of smtpd(8). File: postscreen/postscreen_smtpd.c.

	Cleanup: documentation, in preparation for the Postfix 2.8
	stable release.

20110117

	Bugfix (introduced Postfix alpha, or thereabouts): on HP-UX
	the Postfix event engine was deaf for SIGALRM signals.
	Symptoms were killed processes when the watchdog timeout
	was less than max_idle.  The fix is the same as Solaris fix
	20110109. Since we can't know what other systems need this,
	the workaround is enabled by default.  Files: util/sys_defs.h.

	Cleanup: "smtpd_tls_eecdh_grade = strong" by default, instead
	of snapshot-only. File: global/mail_params.h, proto/postconf.proto.

	Cleanup: missing "#include <errno.h>" in util/watchdog.c.

	Bugfix: when compiled without -DUSE_TLS, tlsproxy used the
	wrong server skeleton (multi_server instead of event_server).
	File: tlsproxy/tlsproxy.c.

	Workaround: added a panic check for code that is mis-compiled
	by the HP-UX compiler.  File: postscreen/postscreen.c,
	postscreen/postscreen.h, postscreen/postscreen_state.c.

20110118

	Bugfix: the tls_disable_workarounds word list only included
	workarounds in SSL_OP_ALL. Problem report by Steve Jenkins,
	problem fix by Victor Duchovni. File: tls/tls_misc.c.
	
	Last-minute incompatible syntax change: Postfix now uses
	";" instead of "," to separate DNSBL/DNSWL address filter
	fields inside "[]". The compatibility break is not an issue,
	because the syntax never worked in main.cf. Problem reported
	by Mark Martinec. Files: util/ip_match.c, util/ip_match.in,
	util/ip_match.ref, proto/postconf.proto.

	Cleanup: postscreen now monitors the AVERAGE latency of
	table access, and complains at most once per minute.  File:
	postscreen/postscreen_dict.c.

	Bugfix: support for the "dunno" command somehow disappeared
	from the postscreen_access_list implementation.  File:
	postscreen/postscreen_access.c.

20110123

	Cleanup: remove #ifdef MIGRATION_WARNING transitional code
	from postscreen. File: postscreen/postscreen.c.

20110201

	Cleanup: when verifying that the client_address->client_name
	lookup result resolves to the client_address, request
	hostname->address lookup with the same protocol family (IPv4
	or IPv6) as the client_address.  Files: util/myaddrinfo.[hc],
	smtpd/smtpd_peer.c, qmqpd/qmqpd_peer.c.

20110207

	Bugfix (introduced Postfix 2.8): segfault with smtpd_tls_loglevel
	>= 3. Files: tls/tls_server.c, tls.h, smtpd.c, tlsproxy.c.

20110216

	Cleanup: don't log a "connection reset by peer" warning
	when postscreen(8) tries to send a server response.  File:
	postscreen/postscreen_send.c.

20110225

	Workaround (problem introduced with IPv6 support in Postfix
	2.2): the SMTP client did not support mail to [ipv6:ipv6addr].
	Fix based on a patch by Gurusamy Sarathy (Sophos).  File:
	util/host_port.c and regression test files.

20110227

	Portability: FreeBSD closefrom() support time window. Sahil
	Tandon.  File: util/sys_defs.h.

20110313

	Bugfix (introduced Postfix 2.8): postscreen DNSBL scoring
	error. When a client disconnected and then reconnected
	before all DNSBL results for the earlier session arrived,
	DNSBL results for the earlier session would be added to the
	score for the later session. Problem report by Larry Vaden.
	Files: dnsblog/dnsblog.c, postscreen/postscreen_dnsbl.c.

	Cleanup: protocol description in dnsblog(8) manpage. File:
	dnsblog/dnsblog.c.

20110314

	Portability: the SUN compiler had trouble with a pointer
	expression of the form ``("text1" "text2") + constant'' so
	we don't try to be so clever. Fix by Victor Duchovni.  File:
	global/mail_params.h.

20110411

	Cleanup: postscreen(8) and verify(8) daemons now lock their
	respective cache file exclusively upon open, to avoid massive
	cache corruption by unsupported sharing. Files: util/dict.h,
	util/dict_open.c, verify/verify.c, postscreen/postscreen.c.

20110414

	Bugfix (introduced with Postfix SASL patch 20000314): don't
	reuse a server SASL handle after authentication failure.
	Problem reported by Thomas Jarosch of Intra2net AG. File:
	smtpd/smtpd_proto.c.

20110420

	Performance: a high load of DSN success notification requests
	could slow down the queue manager. Solution: make the trace
	client asynchronous, just like the bounce and defer clients.
	Problem reported by Eduardo M. Stelmaszczyk of terra.com.br.
	Files: global/abounce.[hc], *qmgr/qmgr_active.c (the
	qmgr_active.c files are identical).

20110418

	Bugfix (introduced Postfix 2.3 and Postfix 2.7): the Milter
	client reported some "file too large" errors as temporary
	errors. Problem reported by Michael Tokarev. Files:
	milter/milter8.c, cleanup/cleanup_milter.c.

20110426

	Bugfix (introduced in Postfix 1.1, duplicated in Postfix
	2.3, unrelated mistake in Postfix 2.7): the local(8) delivery
	agent ignored table lookup errors in mailbox_command_maps,
	mailbox_transport_maps, fallback_transport_maps and (while
	bouncing mail to alias) alias owner lookup. Problem reported
	by William Ono. Files: local/command.c, local/mailbox.c,
	local/unknown.c, local/bounce_workaround.c.

20110601

	Bugfix (introduced Postfix 2.6 with master_service_disable)
	loop control error when parsing a malformed master.cf file.
	Found by Coverity. File: master/master_ent.c.

20110602

	Bugfix (introduced: Postfix 2.7): "sendmail -t" reported
	"protocol error" after queue file write error.  File:
	postdrop/postdrop.c.

20110614

	Linux kernel version 3 support. Linus Torvalds has reset
	the counters for reasons not related to changes in code.
	Files: makedefs, util/sys_defs.h.

20110615

	Workaround: some Spamhaus RHSBL rejects lookups with "No
	IP queries" even if the name has an alphanumerical prefix.
	We play safe, and skip both RHSBL and RHSWL queries for
	names ending in a numerical suffix.  File: smtpd/smtpd_check.c.

20110811

	Workaround: report a {client_connections} Milter macro value
	of zero instead of garbage, when the remote SMTP client is
	not subject to any smtpd_client_* limits. Problem reported
	by Christian Roessner. File: smtpd/smtpd_state.c,
	proto/MILTER_README.html.

20110831

	Bugfix: allow for Milters that send an SMTP server reply
	without RFC 3463 enhanced status code. Reported by Vladimir
	Vassiliev.  File: milter/milter8.c.

20110903

	Bugfix: master daemon panic with "master_spawn: at process
	limit" error, when "postfix reload" reduced the process
	limit from (a value larger than the current process count
	for some service) to (a value <= the current process count),
	and then a new connection was made to that service.  This
	is the smallest change that eliminates the problem. The
	final solution involves structural change, and goes into
	the development release. File: master/master_avail.c.

20110921

	Bugfix (introduced: Postfix 1.1): smtpd(8) did not sanitize
	newline characters in cleanup(8) REJECT messages, causing
	them to be sent out via SMTP as bare newline characters.
	This happened when a REJECT pattern matched multi-line
	header text.  Discovered by Kevin Locke.  File: smtpd/smtpd.c.

20110922

	Bugfix (introduced: Postfix 2.1): smtpd(8) sent multi-line
	responses from a before-queue content filter as text with
	bare <LF> instead of <CR><LF>.  Found during code maintenance.
	File: smtpd/smtpd_proxy.c.

20111020

	EAI Future-proofing: don't apply strict_mime_encoding_domain
	checks to unknown message subtypes such as message/global*.
	File: global/mime_state.c.

20111025

	Workaround: postscreen sent non-compliant SMTP responses
	(220- followed by 421) when it could not give a connection
	to a real smtpd process, causing some remote SMTP clients
	to bounce mail. The workaround is to hang up without sending
	the 421 reply (which is harmless); the complete fix involves
	too much change for a stable release.  Problem reported by
	Ralf Hildebrandt.  File: postscreen/postscreen_send.c.

20111102

	Portability: OpenBSD 5.x is supported. Files: makedefs,
	util/sys_defs.h.

	Portability: Dovecot now officially supports more socket
	types for its authentication server. File:
	xsasl/xsasl_dovecot_server.c.

20111126

	Bitrot: changes in error reporting to the under-documented
	OpenLDAP API. Problem reported by Quanah Gibson-Mount. Fix
	by Viktor Dukhovni. File: global/dict_ldap.c.

20111205

	Bugfix: tlsproxy(8) stored TLS sessions with a serverID of
	"tlsproxy" instead of "smtpd", wasting an opportunity for
	session reuse.  File: tlsproxy/tlsproxy.c.

20111211

	Bugfix: missing lookup table entry and terminator, causing
	proxymap server segfault when postscreen(8) or verify(8)
	attempted to access their cache via the proxymap server.
	This could never have worked anyway, because the Postfix
	2.8 proxymap protocol does not support cache cleanup.  File
	util/dict.c.

20111226

	Bugfix (introduced 20110426): after lookup error with
	mailbox_transport_maps, mailbox_command_maps or
	fallback_transport_maps, the local delivery agent did not
	log the problem before deferring mail, and produced no defer
	logfile record. Files: local/mailbox.c, local/unknown.c.

20120127

	Bugfix (introduced: Postfix 2.8): the Postfix client sqlite
	quoting routine returned the unquoted result instead of the
	quoted text.  The opportunities for misuse are limited,
	because Postfix sqlite files are usually owned by root, and
	Postfix daemons usually run with non-root privileges so
	they can't corrupt the database. Problem reported by Rob
	McGee (rob0).  File: global/dict_sqlite.c.

20120130

	Bugfix (introduced: Postfix 2.3): the trace service did not
	distinguish between notifications for a non-bounce or a
	bounce message. This code pre-dates DSN support and should
	have been updated when it was re-purposed to handle DSN
	SUCCESS notifications. Problem reported by Sabahattin
	Gucukoglu.  File: bounce/bounce_trace_service.c.

20120202

	Bugfix (introduced: Postfix 2.3): the "change header" milter
	request could replace the wrong header. A long header name
	could match a shorter one, because a length check was done
	on the wrong string.  Reported by Vladimir Vassiliev.  File:
	cleanup/cleanup_milter.c.

20120214

	Bugfix (introduced: Postfix 2.4): extraneous null assignment
	caused core dump when postlog emitted the "usage" message.
	Reported by Kant (fnord.hammer). File: postlog/postlog.c.

20120217

	Cleanup: missing #include statement for bugfix code added
	20111226. File: local/unknown.c.

20120401

	Bitrot: shut up useless warnings about Cyrus SASL call-back
	function pointer type mis-matches. Files: xsasl/xsasl_cyrus.h,
	xsasl/xsasl_cyrus_server.c, xsasl/xsasl_client.c.

20120422

	Bit-rot: OpenSSL 1.0.1 introduces new protocols. Update the
	known TLS protocol list so that protocols can be turned off
	selectively to work around implementation bugs.  Based on
	a patch by Victor Duchovni.  Files: proto/TLS_README.html,
	proto/postconf.proto, tls/tls.h, tls/tls_misc.c, tls/tls_client.c,
	tls/tls_server.c.

20120425

	Workaround: bugs in 10-year old gcc versions break compilation
	with #ifdef inside a macro invocation (NOT: definition).
	Files: tls/tls.h, tls/tls_client.c, tls/tls_server.c.

20120516

	Workaround: apparently, FreeBSD 8.3 kqueue notifications
	sometimes break when a dnsblog(8) process loses an accept()
	race on a shared socket, resulting in repeated "connect to
	private/dnsblog service: Connection refused" warnings.  This
	condition is unique to dnsblog(8). The postscreen(8) daemon
	closes a postscreen-to-dnsblog connection as soon as it
	receives a dnsblog(8) reply, resulting in hundreds or
	thousands of connection requests per second.  All other
	multi-server daemons such as anvil(8) or proxymap(8) have
	connection lifetimes ranging from 5s to 1000s depending on
	server load.  The workaround is for dnsblog to use the
	single_server driver instead of the multi_server driver.
	This one-line code change eliminates the accept() race
	without any Postfix performance impact.  Problem reported
	by Sahil Tandon.  File: dnsblog/dnsblog.c.

20120517

	Workaround: to avoid crashes when the OpenSSL library is
	updated without "postfix reload", the Postfix TLS session
	cache ID now includes the OpenSSL library version number.
	Note: this problem cannot be fixed in tlsmgr(8). Code by
	Victor Duchovni. Files: tls/tls_server.c, tls_client.c.

20120520

	Bugfix (introduced Postfix 2.4): the event_drain() function
	was comparing bitmasks incorrectly causing the program to
	always wait for the full time limit. This error affected
	the unused postkick command, but only after s/fifo/unix/
	in master.cf.  File: util/events.c.

	Cleanup: laptop users have always been able to avoid
	unnecessary disk spin-up by doing s/fifo/unix/ in master.cf
	(this is currently not supported on Solaris systems).
	However, to make this work reliably, the "postqueue -f"
	command must wait until its requests have reached the pickup
	and qmgr servers before closing the UNIX-domain request
	sockets.  Files: postqueue/postqueue.c, postqueue/Makefile.in.

20120621

	Bugfix (introduced: Postfix 2.8): the unused "pass" trigger
	client could close the wrong file descriptors.  File:
	util/unix_pass_trigger.c.

20120702

	Bugfix (introduced: 19990127): the BIFF client leaked an
	unprivileged UDP socket. Fix by Jaroslav Skarvada.  File:
	local/biff_notify.c.

20120730

	Bugfix (introduced: 20000314): AUTH is not allowed after
	MAIL. Timo Sirainen.  File: smtpd/smtpd_sasl_proto.c.

20121003

	Bugfix: the postscreen_access_list feature was case-sensitive
	in the first character of permit, reject, etc. Reported by
	Francis Picabia. File: global/server_acl.c.

20121010

	Bugfix (introduced: Postfix 2.5): memory leak in program
	initialization. Reported by Coverity. File: tls/tls_misc.c.

	Bugfix (introduced: Postfix 2.3): memory leak in the unused
	oqmgr program. Reported by Coverity. File: oqmgr/qmgr_message.c.

20121013

	Cleanup: to compute the LDAP connection cache lookup key,
	join the numeric fields with null, just like string fields.
	Viktor Dukhovni. File: global/dict_ldap.c.

20121029

	Workaround: strip datalink suffix from IPv6 addresses
	returned by the system getaddrinfo() routine.  Such suffixes
	mess up the default mynetworks value, host name/address
	verification and possibly more. This change obsoletes the
	20101108 change that removes datalink suffixes in the SMTP
	and QMQP servers, but we leave that code alone.  File:
	util/myaddrinfo.c.

20130131

	Bugfix: the local(8) delivery agent dereferenced a null
	pointer while delivering to null command (for example, "|"
	in a .forward file).  Reported by Gilles Chehade.

20130203

	Bugfix: the 20121010 fix for tls_misc.c was documented but
	not included.

20130403

	Bugfix (introduced: Postfix 2.3): don't reuse TCP connections
	when smtp_tls_policy_maps is specified. Victor Duchovni.
	Found during Postfix 2.11 code maintenance.  File:
	smtp/smtp_reuse.c.

20130423

	Bugfix (introduced: Postfix 2.0): when myhostname is not
	listed in mydestination, the trivial-rewrite resolver may
	log "do not list <myhostname value> in both mydestination
	and <name of non-mydestination domain list>".  The fix is
	to re-resolve a domain-less address after adding $myhostname
	as the surrogate domain, so that it pops out with the right
	address-class label.  Problem reported by Quanah Gibson-Mount.
	File: trivial-rewrite/resolve.c.

20130425

	Bugfix (introduced: Postfix 2.2): don't reuse TCP connections
	when SASL authentication is enabled. SASL passwords may
	depend on the remote SMTP server hostname, but the Postfix
	<2.11 SMTP connection cache client does not distinguish
	between different hostnames that resolve to the same IP
	address.  Found during Postfix 2.11 code maintenance.  File:
	smtp/smtp_connect.c.

20130518

	Bugfix (introduced: 1997): memory leak after error while
	forwarding mail through the cleanup server. Viktor found
	one, Wietse eliminated the rest.  File: local/forward.c.

20130615

	TLS Interoperability: turn on SHA-2 digests by force.  This
	improves interoperability with clients and servers that
	deploy SHA-2 digests without the required support for
	TLSv1.2-style digest negotiation.  Based on patch by Viktor
	Dukhovni.  Files: tls/tls_client.c, tls/tls_server.c.

20130616

	Workaround: The Postfix SMTP server TLS session cache was
	broken because OpenSSL now enables session tickets by
	default, resulting in a different ticket encryption key for
	each smtpd(8) process.  The workaround turns off session
	tickets. In 2.11 we'll enable session tickets properly.
	Viktor Dukhovni. File: tls/tls_server.c.

20131026

	Future proofing: API changes in the PCRE library.  File:
	util/dict_pcre.c.

20131127

	Bugfix (introduced: 20090106): the postconf '-#' option
	erased prior options. File: postconf/postconf.c.

20131129

	Bugfix: Makefile example in MULTI_INSTANCE_README. Viktor
	Dukhovni. File: proto/MULTI_INSTANCE_README.html.

20131216

	OpenSSL future proofing: tolerate disappearance of named
	bug-workaround bits without invalidating tls_disable_workarounds
	configurations.  When support for a bug workaround is removed
	from OpenSSL, the corresponding bit is defined as zero (i.e.
	NOOP) instead of causing programs to break. Viktor Dukhovni.
	File: tls/tls_misc.c.

20131220

	Documentation: typo in SASL_README. Patrick Ben Koetter.
	File: proto/SASL_README.html.

20140104

	Bugfix: malformed error message. File: conf/post-install.

20140116

	Workaround: prepend "-I. -I../../include" to CCARGS, to
	avoid name clashes with non-Postfix header files. File:
	makedefs.

20140223

	Logging: the TLS client logged that an "Untrusted" TLS
	connection was established instead of "Anonymous".  Viktor
	Dukhovni. File: tls/tls_client.c.

20140619

	Bugfix (introduced: 2001): qmqpd null pointer bug when it
	logs a lost connection while not in a mail transaction.
	Reported by Michal Adamek. File: qmqpd/qmqpd.c.

20140920

	Bugfix (introduced: 20080212): incorrect client name in
	reject messages from check_reverse_client_hostname_access
	and check_reverse_client_hostname_{mx,ns}_access.  They
	replied with the verified client name, instead of the name
	that was rejected.  Problem reported by Reindl Harald. File:
	smtpd/smtpd_check.c.