HISTORY

20061213

	Bugfix: race condition in "ETRN site", "sendmail -qRsite"
	and "postqueue -s site". When the command arrived while an
	incoming queue scan was already in progress, mail could
	stay deferred instead of being flushed. The fix was to
	unthrottle the queue manager before moving files from the
	deferred queue to the incoming queue.  Files: flush/flush.c,
	qmgr/qmgr_scan.c.

	Cleanup: the sendmail and postqueue commands no longer
	terminate with a non-standard error status after a run-time
	error in some Postfix internal routine (typically, some
	essential file is not accessible, or the system is out of
	memory). Files: sendmail/sendmail.c, postqueue/postqueue.c.

	Feature: "sendmail -qIqueueid" and "postqueue -i queueid"
	to flush a specific queue file. Files: sendmail/sendmail.c,
	postqueue/postqueue.c, global/flush_clnt.c, flush/flush.c.

20061214

	Performance: "sendmail -qIqueueid" and "postqueue -i queueid"
	unthrottle only the necessary message delivery transports
	and queues. The unthrottle request now is propagated to the
	queue manager via queue file group read permission bits.
	Based on initial implementation by Victor Duchovni.  Files:
	flush/flush.c, *qmgr/qmgr.c, *qmgr/qmgr_scan.c,
	*qmgr/qmgr_active.c, *qmgr/qmgr_message.c.

20061220

	Workaround: PMilter 0.95 does not deliver SMFIC_EOB+data
	to the application as SMFIC_BODY+data followed by SMFIC_EOB.
	To avoid compatibility problems, Postfix now sends
	SMFIC_BODY+data followed by SMFIC_EOB.  File: milter/milter8.c.

	Bugfix (introduced with Postfix 2.3): when inserting
	Milter-generated headers at increasing positions in a
	message, a later header could end up at a previously used
	insertion point.  Thus, inserting headers at positions (N,
	N+M) could work as if (N, N) had been specified. Problem
	reported by Mark Martinec.  File: milter/milter8.c.

20061221

	Feature: time unit suffix support in _command_time_limit.
	Files: pipe/pipe.c, spawn/spawn.c.

20061227

	Bugfix (introduced with Postfix 2.3): the MX hostname syntax
	check was skipped with reject_unknown_helo_hostname and
	reject_unknown_sender/recipient_domain, so that Postfix
	would still accept mail from domains with a zero-length MX
	hostname.  File: smtpd/smtpd_check.c.

20061229

	Cleanup: use separate TLS_LEGACY_README to document the old
	TLS user interface. This will simplify TLS_README dramatically.

	Cleanup: untangled spaghetti code. File: util/inet_listen.c.

20070104

	Bugfix (introduced Postfix 2.3): when creating an alias map
	on a NIS-enabled system, don't case-fold the YP_MASTER_NAME
	and YP_LAST_MODIFIED lookup keys. This requires that an
	application can turn on/off case folding on the fly.  Files:
	postalias/postalias.c, global/dict_mumble.c, util/dict_mumble.c,
	proxymap/proxymap.c.

	Cleanup: after the above revision of the proxymap protocol,
	the proxymap server can now share the same map with clients
	that have only minor differences in dictionary open/access
	options.

20070105

	Performance: pipeline of pending delivery agent connections,
	to improve Linux/Solaris mail delivery performance by another
	10% while going down-hill with the wind from behind. Design
	and implementation Victor and Wietse. Files: *qmgr/qmgr.c,
	*qmgr/qmgr.h, *qmgr/qmgr_transport.c.

20070106

	Cleanup: eliminate the Linux/Solaris "wait for accept()"
	stage from the queue manager to delivery agent protocol.
	This alone achieves 99.99% of the Linux/Solaris speed up
	from the preceding change. The pending connection pipeline
	takes care of the rest.  Tested on Linux kernels dating
	back to 2.0.27 (that's more than 10 years ago).  Files:
	*qmgr/qmgr_transport.c.

20070112

	Bugfix (introduced 20011008): after return from nested
	access restriction, possible longjump into exited stack
	frame upon configuration error or table lookup error. Victor
	Duchovni.  Files: smtpd/smtpd_check.c.

	Workaround: don't insert header/body blank line separator
	in malformed attachments, to avoid breaking digital signatures.
	Switch from header to body state, for robust MIME parsing.
	People concerned about MIME evasion can use a MIME normalizer
	to corrupt their user's legitimate email.  File:
	global/mime_state.c.

20070114

	Feature: body replacement support for Milter applications.
	Postfix 2.3 and older 2.4 versions will be able to deliver
	body-replaced queue files, but will report the message size
	as it was before the body was replaced.  Files: milter/milter8.c,
	cleanup/cleanup_milter.c, cleanup/cleanup_body_region.c.

20070117

	Cleanup: reusable infrastructure for body replacement.
	Files: cleanup/cleanup_body_edit.c, cleanup/cleanup_region.c.

20070118

	Bugfix: match lists didn't implement ![ipv6address].  Problem
	reported by Paulo Pacheco. File: util/match_list.c.

	Cleanup: revised the matchlist "!" support, added support
	for !/file/name, and updated the documentation. File:
	util/match_list.c.

20070119-21

	Cleanup: pad short message headers with a filler record,
	so that the result is never shorter than a pointer record.
	This immensely simplified the support for Milter header
	modification requests: three complex loops could be replaced
	by one simpler loop.  The DTXT record type was re-purposed
	from "deleted header text" to "short header padding", keeping
	the change backwards compatible.  Files: cleanup/cleanup_out.c,
	cleanup/cleanup_milter.c, global/record.c.

	Cleanup: the Milter "add recipient" action always added the
	recipient to the initial envelope segment, causing added
	recipients to be separate from "sendmail -t" recipients.
	This violated design, without impact on delivery (always_bcc
	recipient are always at the end of the queue file even when
	all other recipients are in the initial segment).  File:
	global/rec_types.h.

20070123

	Workaround: OpenSSL falsely concludes that AES256 support
	is present when only AES128 is available.  Code by Victor
	Duchovni.  File: tls/tls_misc.c.

20070125

	Disable workaround pending completion of updated TLS]
	support in non-production releases.

20070131

	Assorted code cleanup, portability fixes/workarounds, and
	minor updates: global/dict_ldap.c, mantools/postlink,
	tlsmgs/tlsmgr.c, conf/master.cf. LaMont Jones.

20070101

	Portability: GNU Hurd support for multiple kernel environments.
	LaMont Jones. Files: util/sys_defs.h, makedefs.

	Cleanup: some default settings were adjusted to better fit
	today's environment: queue_run_delay and minimal_backoff_time
	were reduced from 1000s to 300s, so that deliveries are
	retried earlier after the first failure; ipc_idle was reduced
	from 100s to 5s, so that tlsmgr and scache clients will
	more quickly release unused file handles. Files:
	global/mail_params.h, proto/postconf.5.html

20070202

	Catch-up: FreeBSD kqueue support. File: util/events.c.

20070205

	System-V poll(2) support. This is now the preferred method
	to test a single file descriptor on sufficiently recent
	versions of FreeBSD, NetBSD, OpenBSD, Solaris and Linux;
	other systems will be added as evidence becomes available
	of usable poll(2) implementations. Files: util/read_wait.c,
	util/write_wait.c, util/readble.c, util/writable.c.

	Streamlined the event_enable_read/write implementation to
	speed up smtp-source performance, by eliminating expensive
	kqueue/devpoll/epoll system calls when only the application
	call-back information changes. On FreeBSD, smtp-sink/source
	tests now run 5% faster than with the old select(2) based
	implementation.  File util/events.c.

20070206

	Catch-up: Solaris /dev/poll support. File: util/events.c.

	Bugfix (introduced 20060823): initial state was not in state
	machine, causing memory access outside the lookup table.
	File: smtpstone/smtp-sink.c.

20070210

	Catch-up: Linux epoll support. File: util/events.c.

20070211

	Polished the kqueue/devpoll/epoll support; this is now
	enabled by default on sufficiently recent versions of
	FreeBSD, NetBSD, OpenBSD, Solaris and Linux; other systems
	will be added as evidence becomes available of usable
	implementations. File: util/events.c.

20070212

	Further polish: removed some typos from new code in the
	events.c handler, undid some unnecessary changes to the
	{read,write}{_wait,able}.c modules, and addressed Victor's
	paranoia for multi-client servers with a thousand clients
	while linked with library routines that can't handle file
	descriptors >= FD_SETSIZE.

	Cleanup: while debugging the new events.c handler, removed
	an unnecessary "write after connect" call-back event. File:
	global/post_mail.c.

20070214

	Robustness: in the queue manager keep a number of free file
	descriptor slots at the low end, to work around library
	routines that can't handle file descriptors >= FD_SETSIZE.
	Files: *qmgr/qmgr_transport.c, util/vstream.[hc]

20070215

	Bugfix (introduced 20070114 with Milter body edit support):
	the cleanup server terminated with a fatal error when SMTP
	mail exceeded the message size limit, instead of handling
	it as a non-fatal error. Files: cleanup/cleanup_extracted.c,
	cleanup/cleanup_final.c, cleanup/cleanup_bounce.c,
	cleanup/cleanup_api.c.

20070217

	Streamline the compile time selection of event handling
	styles, replacing multiple on/off macros by just one
	multi-valued macro. Files: util/sys_defs.h, util/events.c,
	master/multi_server.c, *qmgr/qmgr_transport.c.

20070220

	Work-around: Disable SSL/TLS ciphers when the underlying
	symmetric algorithm is not available in the OpenSSL crypto
	library at the required bit strength. Problem observed with
	SunOS 5.10's bundled OpenSSL 0.9.7 and AES 256. Also possible
	with OpenSSL 0.9.8 and CAMELLIA 256. Root cause fixed in
	upcoming OpenSSL 0.9.7m, 0.9.8e and 0.9.9 releases. Victor
	Duchovni, Morgan Stanley. Files: src/smtp/smtp_proto.c,
	src/smtpd/smtpd.c, src/tls/tls.h, src/tls/tls_client.c,
	src/tls/tls_misc.c and src/tls/tls_server.c.

20070222

	Workaround: delayed "postfix reload" with ancient FreeBSD4
	kqueue implementations, causing the first external or
	internal clients after "postfix reload" to experience a
	quick disconnect.  Apparently, these kqueue implementations
	do not deliver a read notification when the master closes
	the per-service shared master/child status pipe (even when
	there is only one child; note that the master keeps a handle
	to both ends of each status pipe).  A child process remains
	ignorant that the status pipe was closed until the arrival
	of the next client request, and then terminates.  The
	workaround is to ignore master status write errors before
	handling a service request.  Files: master/*_server.c.

	Cleanup: fix race condition that caused unnecessary "premature
	end-of-input" warning messages when "postfix reload" was
	issued on a busy mail server. Files: util/attr_scan*c.

20070223

	Cleanup: syslog_name now works as documented with both
	daemons and commands (including set-gid commands).  Files:
	global/mail_task.c postlog/postlog.c, global/mail_version.h,
	sendmail/sendmail.c, postsuper/postsuper.c, postalias/postalias.c,
	postmap/postmap.c, postqueue/postqueue.c, postdrop/postdrop.c,
	master/trigger_server.c, master/single_server.c,
	master/multi_server.c.

20070224

	Workaround: GNU POP3D creates a new mailbox and deletes the
	old one. Postfix now backs off and retries delivery later,
	instead of appending mail to a deleted file.  To minimize
	the use of this workaround, Postfix now by default creates
	mailbox dotlock files on all systems, and creates dotlock
	files before opening mailbox files.  Files: util/sys_defs.h,
	global/mbox_open.c.

20070301

	Workaround: updated workaround for broken Solaris accept().
	File: util/inet_listen.c.

	Workaround: on some FreeBSD versions, accept(2) can fail
	with a bogus EINVAL error. We now allow accept(2) to fail
	for a limited number of times before terminating the process.
	Files: master/single_server.c, master/multi_server.c.

20070306

	Bugfix (introduced with Postfix 2.3 Milter support): postdrop
	reported "illegal seek" instead of "file too large".  File:
	postdrop/postdrop.c.

20070310

	Cleanup: specify "undisclosed_recipients_header =" to disable
	Postfix's "To: undisclosed-recipients:;" header for mail
	that lists no recipient. The To: header is not required as
	of RFC 2822.  The undisclosed_recipients_header parameter
	value can now be an empty string, a value that was not
	allowed with earlier Postfix versions. With Postfix 2.5 it
	will be empty by default. Files: cleanup/cleanup.c,
	cleanup/cleanup_message.c.

20070312

	Backwards compatibility: don't pad short message header
	records when Milter support is turned off. This maintains
	compatibility with Postfix versions that pre-date Milter
	support. File: cleanup/cleanup_out.c.

20070314

	Bitrot: move the "don't run this daemon by hand" message
	before other tests. Files: master/*server.c.

20070315

	Bitrot: New OpenLDAP APIs deprecate simplified interfaces,
	that are the only ones available in Sun's LDAP SDK. Define
	suitable macros that work with new OpenLDAP and Sun's code.
	Victor Duchovni, Morgan Stanley. File: src/global/dict_ldap.c

	Cleanup: new "leaf" and "terminal" result attributes support
	fine-tuning of LDAP group expansion, and provide a solution
	for the problem case where DN recursion returns both the
	group address and the addresses of the member objects.
	Victor Duchovni, Morgan Stanley.  Files: src/global/dict_ldap.c,
	proto/LDAP_README.html, proto/ldap_table

20070317

	Idioten Sicherheit: stamp every executable file and every
	core dump file with "mail_version=xxxxx". Adding version
	stamps and checks to every IPC message is too much change
	after code freeze, and requires too much time for testing.
	File: src/global/mail_version.h and every main program file.

20070320

	Bugfix (introduced between 20070120 and 20070121): the
	cleanup server stored no "delayed mail warning" queue file
	records with "sendmail -t", and no header_checks filter/redirect
	records or content encoding records with other mail.  File:
	global/rec_type.h.

20070321

	Bugfix (introduced 20070224): local(8) or virtual(8) could
	log a misleading error message after failure to open a
	mailbox file. File: global/mbox_open.c.

	Bugfix (code should have been updated 20070104): the proxymap
	client did not propagate changes in case folding flags.
	Currently, nothing in Postfix uses this functionality.
	File: global/dict_proxy.c.

20070325

	Bugfix: postfix-install didn't work for symlink or hardlink
	targets, when the parent directory had a value of "no".

20070326

	Workaround: Eric Raymond's man page formatters don't handle
	low-level *roff .in or .ti controls. We now use .nf and .fi
	instead. Files: many.

20070331 

	Bugfix (introduced Postfix 2.3): segfault with HOLD action
	in access/header_checks/body_checks on 64-bit platforms.
	File: cleanup/cleanup_api.c.

20070402

	Portability (introduced 20070325): the fix for hardlinks
	and symlinks in postfix-install forgot to work around shells
	where "IFS=/ command" makes the IFS setting permanent.  This
	is allowed by some broken standard, and affects Solaris.
	File: postfix-install.

	Portability (introduced 20070212): the workaround for
	non-existent library bugs with descriptors >= FD_SETSIZE
	broke with "fcntl F_DUPFD: Invalid argument" on 64-bit
	Solaris.  Files: master/multi_server.c, *qmgr/qmgr_transport.c.

20070405

	Feature: BCC access/policy action, to demonstrate that this
	is not a good feature. The action's behavior is non-intuitive
	and requires too much documentation to explain.  It's
	therefore snapshot only.  File: smtpd/smtpd_check.c.

20070414

	Cleanup: expire cached results from addres rewriting, address
	resolution, and from transport map lookups.  Results expire
	after 30 seconds; short enough that it doesn't freak out
	people who run the same test repeatedly, and long enough
	that it doesn't upset other people with continuous streams
	of "*" transport map lookups.  Files: global/rewrite_clnt.c,
	global/resolve_clnt.c, trivial-rewrite/transport.c.

20070421

	Cleanup: on (Linux) platforms that cripple signal handlers
	with deadlock, "postfix stop" now forcefully stops all the
	processes in the master's process group, not just the master
	process alone.  File: conf/postfix-script.

20070422

	Cleanup: the "Delivered-To:" loop detection implementation
	was moved from the local(8) delivery agent to the library,
	where it can also be used by other delivery agents. Files:
	global/delivered_hdr.[hc].

	Safety: the "Delivered-To:" loop detection implementation
	keeps state for no more than 1000 "Delivered-To:" headers.

	Feature: $domain command-line macro support, to get access
	to the recipient address domain portion.  Based on code by
	Koen Vermeer. File: pipe/pipe.c.

	Cleanup: support for "Delivered-To:" loop detection in the
	pipe(8) delivery agent. This follows a general principle:
	if a program creates the "Delivered-To:" header, then it
	is also responsible for "Delivered-To:" loop detection.
	File pipe/pipe.c.

20070423

	The cache expiring transport map lookups did not distinguish
	between wildcard transport map entry with an "empty" transport
	field, or no wildcard transport map entry.

20070424

	Cleanup: making hard-coded behavior configurable. In this
	case, extracting 8BITMIME encoding information from
	Content-Transfer-Encoding: message headers.  The default
	behavior, "detect_8bit_encoding_header = yes", is backwards
	compatible. This behavior was introduced to generate
	RFC-compliant bounce messages before Postfix supported the
	8BITMIME option in the MAIL FROM command and on the Postfix
	sendmail command line.  Files: cleanup/cleanup_init.c,
	cleanup/cleanup_message.c, global/mail_params.h.

20070425

	Bugfix: don't falsely report "lost connection from
	localhost[127.0.0.1]" when Postfix is being portscanned.
	Files: smtpd/smtpd_peer.c, qmqpd/qmqpd_peer.c.

20070429

	Feature: "postfix status" to report whether Postfix is
	running.  By Mike Cappella.

	Cleanup: configurable address case folding moved from the
	pipe(8) delivery agent to the library, where it can also
	be used by other delivery agents. Files: global/fold_addr.[hc].

20070430

	Robustness: recommend a "0" process limit for policy servers
	to avoid "connection refused" problems when the smtpd process
	limit exceeds the default process limit.  File:
	proto/SMTPD_POLICY_README.html.

20070501

	Workaround: turn on KEEPALIVE probes to avoided "lost
	connection after sending end-of-data" problems when some
	stateful (NAT) filter expires an idle connection too soon.
	This requires that the kernel's TCP keepalive timer be set
	to a sufficiently short time (perhaps 100s or less).  Files:
	util/sane_accept.c, util/sane_connect.c.

	Safety: when IPv6 (or IPv4) is turned off, don't treat an
	IPv6 (or IPv4) connection from e.g. inetd as if it comes
	from localhost[127.0.0.1]. Files: smtpd/smtpd_peer.c,
	qmqpd/qmqpd_peer.c.

20070502

	Workaround: build without EPOLL support when an epoll-enabled
	kernel sits underneath a retarded libc.  File: makedefs.

	Cleanup: missing support for SASL security properties with
	Dovecot SASL authentication. Based on an initial version
	by Lev A. Serebryakov.  File: xsasl/xsasl_dovecot_server.c.

20070503

	Cleanup: changed the default address verification sender
	from "postmaster" to "double-bounce", so that the Postfix
	SMTP server no longer surprises unsuspecting people by
	excluding "postmaster" from SMTPD access controls.  File:
	global/mail_params.h.

20070508

	Bugfix: Content-Transfer-Encoding: attribute values are
	case insensitive. File: src/cleanup/cleanup_message.c.


20070514

	Bugfix: the makedefs EPOLL workaround broke any attempt to
	build on a 2.6 kernel. And that two weeks after the workaround
	had been posted to the mailing list. File: makedefs.

	Bugfix: mailbox_transport(_maps) and fallback_transport(_maps)
	were broken when used with the error(8) or discard(8)
	transports. Cause: insufficient documentation.  Files:
	error/error.c, discard/discard.c.

20070520

	Bugfix (problem introduced Postfix 2.3): when DSN support
	was introduced it broke "agressive" recipient duplicate
	elimination with "enable_original_recipient = no".  File:
	cleanup/cleanup_out_recipient.c.

20070523

	Feature: cyrus_sasl_config_path to specify a search path
	for Cyrus SASL configuration files (currently used only to
	locate the smtpd.conf file).  Based on code by Victor
	Duchovni. Files: smtpd/smtpd.c xsasl/xsasl_cyrus_server.c,
	(and xsasl/xsasl_cyrus_client.c for future expansion).

20070525

	Bugfix (introduced 20070523): the sasl_set_path() function
	name was mis-speeled.

20070529

	Bugfix (introduced Postfix 2.3): the sendmail/postdrop
	commands would hang when trying to submit a message larger
	than the per-message size limit. File: postdrop/postdrop.c.

20070530

	Sabotage the saboteur who insists on breaking Postfix by
	adding gethostbyname() calls that cause maildir delivery
	to fail when the machine name is not found in /etc/hosts,
	or that cause Postfix processes to hang when the network
	is down.

20070531

	Portability: Victor helpfully pointed out that change
	20070425 broke on non-IPv6 systems. Files: smtpd/smtpd_peer.c,
	qmqpd/qmqpd_peer.c.

20070610

	Isolation: don't allow the pipe(8) delivery agent to leak
	postdrop group privileges with "user=xxx:postdrop". File:
	pipe/pipe.c.

20070613

	Bugfix: the Milter client assumed that a Milter application
	does not modify the message header or envelope, after that
	same Milter application has modified the message body of
	that same email message. This is not a problem with updates
	by different Milter applications.  Problem was triggered
	by Jose-Marcio Martins da Cruz. Also simplified the handling
	of queue file update errors. File: milter/milter8.c.

20070614

	Workaround: some non-Cyrus SASL SMTP servers require SASL
	login without authzid (authoriZation ID), i.e. the client
	must send only the authcid (authentiCation ID) + the authcid's
	password.  In this case the server is supposed to derive
	the authzid from the authcid. This works as expected when
	authenticating to a Cyrus SASL SMTP server.  To get the old
	behavior specify "send_cyrus_sasl_authzid = yes", in which
	case Postfix sends the (authzid, authcid, password), with
	the authzid equal to the authcid. File: xsasl/xsasl_cyrus_client.c.

20070619

	Portability: /dev/poll support for Solaris chroot jail setup
	scripts. Files: examples/chroot-setup/Solaris8,
	examples/chroot-setup/Solaris10.

20070713

	The RFC documents at www.faqs.org are being polluted with
	"feedback" spam. The Postfix hypertext documentation now
	points to tools.ietf.org. File: mantools/postlink.

20070719

	Feature: updated smtp-sink with new options to send a
	pre-formatted message from file, and to handle replies other
	than the expected 2xx or 3xx. File: smtpstone/smtp-source.c.

	Cleanup: Milter client error handling, so that the (Postfix
	SMTP server's Milter client) does not get out of sync with
	Milter applications after the (cleanup server's Milter
	client) encounters some non-recoverable problem.  Files:
	milter/milter8.c, smtpd/smtpd.c.

20070720

	Support for RFC 4954 (SASL AUTH, updates RFC 2554, refines
	some reply codes and introduces DSN enhanced status codes)
	and RFC 3848 ("Received ...  with ESMTPS?A? ...). Currently,
	support for the latter is always on.  Files: smtpd/smtpd.c,
	smtpd/smtpd_sasl_proto.c, smtpd/smtpd_sasl_glue.c.

20070727

	Workaround: the queue manager no longer logs a warning for
	mail sent to the local double-bounce address (normally, the
	this is used as the sender while reporting an undeliverable
	bounce message to the local postmaster).  As of 20070503
	the local double-bounce address is the default sender for
	sender/recipient address verification probes, and it now
	shows up as a spam target. Files: *qmgr/qmgr_message.c.

20070729

	Performance: fix for poor TCP performance for loopback
	(127.0.0.1) connections. Problem reported by Mark Martinec.
	Files: util/vstream.c, util/vstream_tweak.c, milter/milter8.c,
	smtp/smtp_connect.c, smtpstone/*source.c.

20070730

	Bugfix: when a milter replied with ACCEPT at or before the
	first RCPT command, the cleanup server would apply the
	non_smtpd_milters setting as if the message was a local
	submission. Problem reported by Jukka Salmi. Also, the
	cleanup server would get out of sync with the milter when
	a milter replied with ACCEPT at the DATA command. Files:
	cleanup/cleanup_envelope.c, smtpd/smtpd.c, milter/milters.c.

20070811

	Cleanup: unlike smtpd_mumble_restrictions, the Postfix SMTP
	server Milter reject logging did not show the (helo argument,
	sender address, or recipient address) that was being rejected.
	File: smtpd/smtpd.c.

20070824

	Bugfix (introduced snapshot 20070429): the pipe(8) delivery
	agent 'q' flag (quote address local-part) used the same bit
	mask as the 'B' flag (append blank line). Setting one flag
	also turned on the other. File: pipe/pipe.c.

	Feature: specify the 'X' flag to indicate that the pipe(8)
	delivery agent performs final delivery. This changes the
	status in DSN "success" messages from "relayed" into
	"delivered".  File: pipe/pipe.c.

20070904-6

	Feature: stress-adaptive behavior. When a "public" network
	service runs into an "all processes are busy" condition,
	the master(8) daemon logs a warning, restarts the service,
	and runs it with "-o stress=yes" on the command line (normally
	it runs the service with "-o stress=").  This can be used
	to make main.cf parameter settings stress dependent.
	Examples: "smtpd_timeout = ${stress?10}${stress:300}" and
	"smtpd_hard_error_limit = ${stress?1}${stress:20}".  Files:
	master/master_avail.c, master/master_spawn.c, master/master_ent.c.

20070911

	Bugfix (introduced Postfix 2.2.11): TLS client certificate
	with unparsable canonical name caused the SMTP server's
	policy client to allocate zero-length memory, triggering
	an assertion that it shouldn't do such things.  File:
	smtpd/smtpd_check.c.

20070912

	Bugfix (introduced Postfix 2.4) missing initialization of
	event mask in the event_mask_drain() routine (used by the
	obsolete postkick(1) command). Found by Coverity.  File:
	util/events.c.

20070917

	Workaround: the flush daemon forces an access time update
	for the per-destination logfile, to prevent an excessive
	rate of delivery attempts when the queue file system is
	mounted with "noatime".  File: flush/flush.c.

20070923

	Cleanup: don't complain when a "corrupt" queue file is 
	deleted before it can be saved to the "corrupt" queue.
	Files: *qmgr/qmgr_active.c.

20071003

	Logging: the Postfix SMTP server now logs the number of
	bytes received after the DATA command when a connection
	breaks before mail delivery completes.  This may help finding
	the cause of the problem: packet loss, MTU, or other. File:
	smtpd/smtpd.c.

20071004

	Logging: all daemons now log the TCP port number of remote
	SMTP or QMQP clients.  The information is overruled with
	the SMTP XCLIENT command, is propagated through SMTP-based
	content filters with XFORWARD, and is sent to Milter
	applications.  Files: smtpd/smtpd_peer.c, smtpd/smtpd.c,
	smtpd/smtpd_proxy.c, smtpd/smtpd_milter.c, qmqpd/qmqpd_peer.c,
	cleanup/cleanup_milter.c, *qmgr/qmgr_message.c,
	*qmgr/qmgr_deliver.c, smtp/smtp_proto.c, pipe/pipe.c,
	global/deliver_request.c, global/deliver_pass.c,
	proto/XFORWARD_README, proto/XCLIENT_README.

	Feature: per-command delays in smtp-sink. File:
	smtpstone/smtp-sink.c.  Victor Duchovni.

20071006

	Cleanup: updated a bunch of hard-coded host[addr] logging
	statements. Files: smtpd/smtpd.c, smtpd/smtpd_chat.c,
	smtpd/smtpd_sasl_glue.c.

	Cleanup: client port logging is now configurable (off by
	default). Parameters: smtpd_client_port_logging and
	qmqpd_client_port_logging. Files: smtpd/smtpd_peer.c,
	qmqpd/qmqpd_peer.c.

	Cleanup: send client port information "0" instead of "unknown"
	to Milter applications. Files: smtpd/smtpd.c, smtpd/smtpd_milter.c,
	cleanup/cleanup_milter.c.

20071025

	Portability: on Linux we no longer need /proc to find out
	local IPv6 interface address information. LaMont Jones.
	Files: util/sys_defs.h.

20071030

	Bugfix (introduced Postfix 2.3): Postfix mistakenly enforced
	the 64kbyte limit (for sending body parts TO Milter
	applications) also while receiving packets FROM Milter
	applications.  The limit is now at least 1GB.  File:
	milter/milter8.c.

20071105

	Feature: ORIGINAL_RECIPIENT environment variable.  Corey
	Hickey. File: local/local.c.

20071108-10

	Feature: general-purpose header/body_checks library module,
	first used in the SMTP client. Actions that change the
	message delivery time or destination can be implemented
	with a simple extension mechanism (they make sense only in
	before-queue filters).  Configuration parameters:
	smtp_header_checks, smtp_mime_header_checks,
	smtp_nested_header_checks, smtp_body_checks. Unlike the
	cleanup server, the mime and nested header checks don't by
	default assume the header_checks value.  Files:
	global/header_body_checks.[hc], smtp/smtp_proto.c,
	smtp/smtp_session.c.

20071110

	Feature: ${original_recipient} command-line macro.  Corey
	Hickey. File: pipe/pipe.c.

	Bugfix (introduced: 20071004) missing exception handling
	in smtp-sink per-command delay feature. Victor Duchovni.
	File: smtpstone/smtp-sink.c.

2007117-20

	Revised queue manager with separate mechanisms for
	per-destination concurrency control and dead destination
	detection.  The concurrency control supports non-integer
	feedback for more gradual concurrency adjustments, and uses
	hysteresis to avoid rapid oscillations.  A destination is
	declared "dead" after a configurable number of pseudo-cohorts
	(number of deliveries equal to a destination's concurrency)
	reports connection or handshake failure. This work began
	with a discussion that Wietse started with Patrik Rak and
	Victor Duchovni late January 2004, and that Victor revived
	late October 2007. To establish a baseline for further
	improvement, Wietse implemented a few simple mechanisms.

	Configuration parameters for debugging, positive/negative
	hysteresis, and positive/negative feedback. Some have since
	been removed or renamed, so no point naming them here.
	Files: global/mail_params.h, qmgr/qmgr_queue.c,
	qmgr/qmgr_deliver.c.

20071121

	Boundary condition: Patrik Rak pointed out that handling
	of negative feedback with concurrency window 1 could
	be improved.

	Feature: support to look up null sender addresses in
	sender-dependent relayhost maps. Parameter name:
	empty_address_relayhost_maps_lookup_key (default; <>).
	Keean Schupke. File: trivial-rewrite/resolve.c.

20071127-9

	Revision 2 of queue manager scheduler interface, allowing
	feedback parameter settings with constants and variables
	such as 1/8 or 1/concurrency.  Some experimental parameters
	were removed and others were renamed. The new names are:
	default_destination_concurrency_negative_feedback,
	default_destination_concurrency_positive_feedback,
	default_destination_concurrency_failed_cohort_limit,
	destination_concurrency_feedback_debug.

	Also available are transport-specific overrides:
	<transport>_initial_destination_concurrency,
	<transport>_destination_concurrency_negative_feedback,
	<transport>_destination_concurrency_positive_feedback,
	<transport>_destination_concurrency_failed_cohort_limit.

	Files: global/mail_params.h, *qmgr/qmgr.c, *qmgr/qmgr_transport.c,
	*qmgr/qmgr_queue.c, *qmgr/qmgr_feedback.c, postconf/auto.awk.

20071202

	Feature: output rate control. For example, specify
	"smtp_destination_rate_delay = 5m" to insert a five-minute
	delay between deliveries. This was an opportunity to define
	the mutually exclusive states that a queue can have, and
	to detect invalid transitions.  This will make adding new
	features code easier.  Files: *qmgr/qmgr_transport.c,
	*qmgr/qmgr_queue.c, *qmgr/qmgr_entry.c.

	Bugfix (introduced Postfix 2.2): don't update the back-to-back
	delivery time stamp while deferring mail. File: *qmgr/qmgr_entry.c.

20071203

	Feature: support for read-write tables in the proxymap
	service. This is implemented with a separate master.cf entry
	named "proxywrite" that should run with process limit of 1
	if you want to update Berkeley DB like tables. This feature
	requires that tables be authorized with the proxy_write_maps
	configuration parameter. Files: global/dict_procy.[hc],
	proxymap/proxymap.c.

	Human factors: the postmap and postalias commands now produce
	nicer diagnostics when asked to do something with a proxied
	map that they can't do. Files: postmap/postmap.c,
	postalias/postalias.c.

	Bugfix: the proxymap client didn't properly propagate user
	options to the proxymap server.  File: util/dict.h.

	Workaround: force synchronous updates in the proxymap server
	so that maps will be in a consistent state between updates.
	File: proxymap/proxymap.c.

	Bugfix: an empty rate-limited queue wasn't removed after
	timer expiry. Files: *qmgr/qmgr_queue.c.

20071204

	Use different sockets for proxymap (read-only) and proxywrite
	(read-write) services in the proxy: client. Victor Duchovni.
	File: global/dict_proxy.c.

	Feature: proxymap delete support by Victor Duchovni.  Files:
	global/dict_proxy.c, proxymap/proxymap.c.

	Feature: proxymap delete support. Files: postmap/postmap.c
	postalias/postalias.c.

	Cleanup: the Postfix sendmail command did not include the
	user (name/uid) information in all error messages. File:
	sendmail/sendmail.c.

	Feature: data_directory configuration parameter for
	Postfix-writable data such as caches and random numbers.
	Files: postfix-install, conf/postfix-files.

20071206

	Security: tlsmgr(8) and verify(8) no longer use root
	privileges when opening their cache files. This avoids a
	potential security loophole where the ownership of a file
	(or directory) does not match the trust level of the content
	of that file (or directory). See RELEASE_NOTES for how to
	use pre-existing data. Files: util/set_eugid.[hc],
	tlsmgr/tlsmgr.c, verify/verify.c.

	Compatibility: as a migration tool, redirect attempts by
	tlsmgr(8) or verify(8) to open files in non-Postfix directories
	to the Postfix-owned data_directory. File: global/data_redirect.c.

	Lots of pathname fixes in the examples of TLS_README and
	postconf(5); -lm library screw-up in queue manager Makefiles.

20071207

	Cleanup: pathname fixes in documentation; unnecessary queue
	scan in the queue manager rate limiter; inverse square root
	feedback in the queue manager concurrency scheduler.  Files:
	mantools/postlink, proto/TLS_README.html, *qmgr/qmgr_queue.c.

	All changes up to this point should be ready for Postfix 2.5.

	Documentation: updated nqmgr preemptive scheduler documentation
	by Patrik Rak. File: proto/SCHEDULER_README.html.

20071211

	Bugfix (introduced 19980315): the "write" equivalent of
	bugfix 20030104. File: util/vstream.c.

20071212

	Feature: "stress=" or "stress=yes" attribute in the SMTPD
	policy delegation protocol. File: smtp/smtpd_check.c.

	Cleanup: allow_min_user now rejects recipients (and senders)
	starting with '-' at SMTP session time. To make this possible
	the feature was moved from qmgr(8) to trivial-rewrite(8).
	Files: *qmgr/qmgr_message.c, trivial-rewrite/resolve.c.

20071213:

	Cleanup: the queue manager and SMTP client now distinguish
	between connection cache store and retrieve hints. Once the
	queue manager enables connection caching (store and load)
	hints on a per-destination queue, it keeps sending connection
	cache retrieve hints to the delivery agent even after it
	stops sending connection cache store hints.  This prevents
	the SMTP client from making a new connection without checking
	the connection cache first. Victor Duchovni.  Files:
	*qmgr/qmgr_entry.c, smtp/smtp_connect.c.

	Bugfix (introduced Postfix 2.3): the SMTP client never
	marked corrupt files as corrupt. Victor Duchovni. File:
	smtp/smtp_proto.c.

	Cleanup: the SMTP client won't mark a destination as
	unavailable when at least one SMTP session was completed
	without connect or handshake error. Victor Duchovni. Files:
	smtp/smtp_connect.c, smtp/smtp_session.c, smtp/smtp_proto.c,
	smtp/smtp_trouble.c.

20071215

	Documentation and code cleanup. Files: global/deliver_request.h,
	*qmgr/qmgr_entry.c, smtp/smtp_connect.c,
	proto/SCHEDULER_README.html.

	Bugfix (introduced snapshot 20071006): qmqpd ignored the