Added RFC 7672 (SMTP security via opportunistic DANE TLS)
and RFC 7505 ("Null MX" No Service Resource Record) to the
lists of supported RFCs in manpages. Viktor Dukhovni. Files:
smtp/smtp.c, smtpd/smtpd.c.
Bitrot: OpenSSL API cleanups. Viktor Dukhovni. Files:
.indent.pro, tls/tls.h, tls/tls_dane.c, tls/tls_fprint.c,
tls/tls_misc.c, tls/tls_server.c, tls/tls_verify.c.
Bugfix (introduced: Postfix 3.0): don't throttle a destination
after opportunistic TLS failure. Viktor Dukhovni and Wietse.
Files: smtp/smtp_proto.c, smtp/smtp.h, smtp/smtp_trouble.c.
Feature: JSON-formatted queue listing with "postqueue -j".
Output is a stream of JSON objects, one per queue file. To
simplify stream-mode parsing, each JSON object is followed by
a newline character. Files: postqueue/postqueue.c,
postqueue/postqueue.h, postqueue/showq_compat.c,
postqueue/showq_json.c, showq/showq.c.
Bugfix (introduced: 20151128): bogus queue file parsing error.
File: showq/showq.c.
Cleanup: postlog(1) now pauses for 1s after reporting a
fatal or panic error. This makes behavior of scripts such
as postfix-script consistent with built-in error messages.
File: postlog/postlog.c.
Robustness: don't allow for whitespace in command-line
arguments. Files: postfix-install, conf/post-install.
Robustness: added a comment to discourage people who keep
adding code that calls gethostbyname() to determine the
default myhostname setting. This is a mistake: all Postfix
programs will hang when the DNS is unavailable. File:
global/mail_params.c.
Safety: a limit on the number of address verification probes
in the active queue (address_verify_pending_request_limit),
by default 1/4 of the active queue maximum size. The queue
manager tempfails probe messages that exceed the limit.
Files: mantools/postlink, proto/postconf.proto, cleanup/cleanup.h,
cleanup/cleanup_envelope.c, cleanup/cleanup_out_recipient.c,
cleanup/cleanup_state.c, global/mail_params.h, global/post_mail.c,
global/post_mail.h, global/verify.c, oqmgr/qmgr.c, oqmgr/qmgr.h,
oqmgr/qmgr_message.c, qmgr/qmgr.c, qmgr/qmgr.h,
qmgr/qmgr_message.c, verify/verify.c.
20160102
Workaround: MacOS/X 10.11.x /bin/sh unsets DYLD_LIBRARY_PATH,
which breaks the build and install. Viktor Dukhovni and
Wietse. Files: makedefs, postfix-install, Makefile.in.
Bitrot: OpenSSL 1.1.0-dev drops support for EXPORT ciphers
and ephemeral RSA. Viktor Dukhovni. Files: tls/tls_client.c,
tls/tls_rsa.c, tls/tls_server.c.
Bugfix: memory leak in tls_set_eecdh_curve(). Viktor Dukhovni.
File: tls/tls_dh.c.
Bugfix (introduced 20150326): when lmtp_fallback_relay
support was added, the code that generates lmtp_mumble
parameters from smtp_mumble parameters wasn't updated. File:
smtp/smtp-only.
Bugfix (introduced 20151017): the smtpd_client_auth_rate_limit
implementation was not guarded with #ifdef USE_SASL_AUTH.
File: smtpd/smtpd.c.
20160103
Feature: enable DANE policies when an MX host has a secure
TLSA DNS record, even if the MX DNS record was obtained
with insecure lookups. The existence of a secure TLSA record
implies that the host wants to talk TLS and not plaintext.
This behavior is controlled with smtp_tls_dane_insecure_mx_policy
(default: "dane", other settings: "encrypt" and "may"; the
latter is backwards-compatible with earlier Postfix releases).
Viktor Dukhovni. Files: mantools/postlink, proto/postconf.proto,
src/global/mail_params.h, src/posttls-finger/posttls-finger.c,
src/smtp/smtp-only, src/smtp/smtp.c, src/smtp/smtp.h,
src/smtp/smtp_addr.c, src/smtp/smtp_params.c,
src/smtp/smtp_tls_policy.c, src/tls/tls.h, src/tls/tls_client.c.
20160104
Cleanup: distinct TLS levels for "full" DANE and for DANE
with insecure MX records. Viktor Dukhovni. Files:
posttls-finger/posttls-finger.c, smtp/smtp_tls_policy.c,
tls/tls.h, tls/tls_client.c, tls/tls_level.c.
Cleanup: smtp_reply_footer() now restores state in case of
input error; unit tests that cover most if not all error
and non-error cases. Files: global/smtp_reply_footer.c,
global/smtp_reply_footer.ref.
Bitrot: const-ification for OpenSSL 1.1.0. Viktor Dukhovni.
File: tls/tls_misc.c.
"postconf -H" support (show names without the =value).
Initial use case: mass reversal of TLS-related main.cf
parameters (postconf -nH | grep _tls_ | xargs postconf -X).
This flag also works with "postconf -F" and "postconf -P".
Added missing documentation that -h works with "postconf
-F" and "postconf -P". Files: postconf.c, postconf.h,
postconf_master.c, postconf_main.c.
Robustness: force html2text to produce ASCII output. File:
mantools/html2readme.
Feature: "postfix tls" commands to enable opportunistic TLS
in the Postfix SMTP client or server, or generate or replace
Postfix SMTP server TLS private keys and server certificates.
Viktor Dukhovni, Wietse. Files: conf/postfix-files,
conf/postfix-script, conf/postfix-tls-script, makedefs,
proto/INSTALL.html, proto/postconf.proto, global/mail_params.h,
postfix/postfix.c, tls/tls_misc.c.
Portability: added a tls_random_source default setting for
MacOS X. Viktor Dukhovni. File: util/sys_defs.h.
Bitrot: OpenSSL 1.1.0-dev (aka the "master" branch) has new
security levels ranging from 0 to 5. Level "0" is backwards
compatible, and other levels are increasingly restrictive.
Viktor Dukhovni. Files: tls/tls_server.c, tls/tls_client.c.
Portability: Postfix TLS support uses /dev/urandom if
available and no system-specific setting exists in sys_defs.h.
Files: makedefs, util/sys_defs.h.
Cleanup: building the INSTALL file had failed, added
hyperlinks for "postfix tls". Files: mantools/postlink.
Feature: all-default-client and all-default-server subcommands.
Eray Aslan. File: conf/postfix-tls-script.
Bugfix: the postqueue(1) JSON formatter wrote a spurious
comma after the delay reason. Reported by Christian Roessner.
File: postqueue/showq_json.c.
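An added example, not Postfix code: a stream-mode reader for the "postqueue -j" output described earlier (one JSON object per queue file, each followed by a newline), which also shows why the spurious comma fixed here mattered to strict parsers. The function names are hypothetical, the field names follow postqueue(1), and the sample lines are constructed.

```python
import io
import json
from collections import Counter

# Constructed sample shaped like "postqueue -j" output: one JSON object per
# queue file, each followed by a newline. Field names follow postqueue(1);
# queue IDs, addresses and reasons are made up.
_MSGS = [
    {"queue_name": "deferred", "queue_id": "3F2A1C0042", "arrival_time": 1451900000,
     "message_size": 2048, "sender": "app@example.com",
     "recipients": [{"address": "a@example.net",
                     "delay_reason": "connect to mx.example.net: Connection timed out"}]},
    {"queue_name": "deferred", "queue_id": "3F2A1C0043", "arrival_time": 1451900050,
     "message_size": 1900, "sender": "app@example.com",
     "recipients": [{"address": "b@example.net",
                     "delay_reason": "connect to mx.example.net: Connection timed out"}]},
    {"queue_name": "active", "queue_id": "3F2A1C0044", "arrival_time": 1451900100,
     "message_size": 512, "sender": "alice@example.com",
     "recipients": [{"address": "c@example.org"}]},
]
SAMPLE = "".join(json.dumps(m) + "\n" for m in _MSGS)
# Constructed line with a comma after the delay reason, the kind of output
# the formatter bugfix above removed; a strict JSON parser rejects it.
BAD_LINE = ('{"queue_name": "deferred", "recipients": '
            '[{"address": "d@example.net", "delay_reason": "x",}]}\n')


def read_queue(stream):
    """Yield one dict per line; name the line number when a line is not JSON."""
    for lineno, line in enumerate(stream, 1):
        if not line.strip():
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError as err:
            raise ValueError(f"line {lineno}: invalid JSON ({err.msg})") from err


def summarize(stream, sender_threshold=2):
    """Count messages per queue and sender, and tally delay reasons."""
    queues, senders, reasons = Counter(), Counter(), Counter()
    for msg in read_queue(stream):
        queues[msg["queue_name"]] += 1
        senders[msg.get("sender", "")] += 1
        for rcpt in msg.get("recipients", []):
            if "delay_reason" in rcpt:
                reasons[rcpt["delay_reason"]] += 1
    busy = sorted(s for s, n in senders.items() if n >= sender_threshold)
    return {"queues": dict(queues), "busy_senders": busy,
            "top_reason": reasons.most_common(1)}
```

Because each object ends at a newline, the reader never needs to buffer the whole listing; passing sys.stdin to summarize() works on a pipe from "postqueue -j".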
Cleanup: "match_list_match: permit_mynetworks: no match" after
a SUCCESSFUL permit_mynetworks match of a client IP address was
complicating troubleshooting. The fix is to log additional
context to clarify that this "no match" condition is for
smtpd_log_access_permit_actions. File: smtpd/smtpd_check.c.
20160228
Documentation: typos in postfix-tls-script(1) manpage.
20160327
Documentation: line wrapping in postconf(1) manpage.
20160310
Bugfix (introduced: Postfix 2.6): the Milter SMFIR_CHGFROM
(replace sender) request lost the sender_bcc_maps address.
Fixed by moving some record keeping to the sender output
function. Files: cleanup/cleanup_envelope.c,
cleanup/cleanup_addr.c, cleanup/cleanup_milter.c,
cleanup/cleanup.h, regression tests.
20160410
Bugfix (introduced: Postfix 2.6): the "bad filetype"
header_checks pattern falsely rejected Content-Mumble headers
with ``name="example"; x-apple-part-url="example.com"''.
Fixed by respecting the ";" separator between content
attribute values. Reported by Cedric Knight. File:
proto/header_checks.
20160515
Portability: OpenBSD 6.0. Files: makedefs, util/sys_defs.h.
20160619
Bugfix (introduced: 20091121): with the introduction of
sender_dependent_default_transport_maps, the SMTP daemon
was not updated. This resulted in false rejects with
sender-dependent "error" transports. Based on a fix by
Russell Yanofsky. Files: global/resolve_clnt.c,
global/resolve_clnt.h, smtpd/smtpd_check.c, smtpd/smtpd_check.h,
smtpd/smtpd_milter.c, smtpd/smtpd_resolve.c, smtpd/smtpd_resolve.h.
20160717
Bugfix (introduced: Postfix 1.1): the virtual(8) delivery
agent discarded the error result from vstream_fseek().
File: virtual/mailbox.c.
20160730
Bugfix (introduced: 20090614): with concurrent connections
from the same client IP address, and after-220 tests enabled,
postscreen could overwrite the cached "all tests completed"
result of one connection that completed the after-220 tests,
with the "some tests not completed" result of a concurrent
connection where the client hung up later, without completing
the after-220 tests.
20160819
Bugfix (introduced: Postfix 3.0): the makedefs script ignored
readme_directory=pathname overrides. Fix by Todd C. Olson.
File: makedefs.
20160821
Bugfix (introduced: Postfix 3.0): the tls_session_ticket_cipher
documentation says aes-256-cbc, but the implementation was
using aes-128-cbc (note that Postfix session ticket keys
are rotated after 1/2 hour, to limit the impact of attacks
on session ticket keys).
20160828
Bitrot: fixes for incompatible OpenSSL 1.1.0 API changes.
Viktor Dukhovni. Files: posttls-finger/posttls-finger.c,
tls/tls.h, tls/tls_dane.c, tls/tls_verify.c, tls/tls_server.c,
tls/tls_client.c.
20160911
Bugfix (introduced: Postfix 3.0): the SMTP daemon did not
reset a previous session's command counts before rejecting
a client that exceeds request or concurrency rates. File:
smtpd/smtpd.c.
20160917
Bugfix (introduced: Postfix 3.0): the unionmap did not
propagate table lookup errors. Based on patch by Roel van
Meer. Files: util/dict_union.c, util/dict_union_test.*.
20160925
Workaround (problem introduced: Postfix 2.11): to avoid
false "not found" errors with MySQL map queries that contain
UTF8-encoded text, specify "option_group = client" in Postfix
MySQL configuration files. This will be the default setting
with Postfix 3.2 and later.
20161105
Bugfix (introduced: Postfix 1.1): the postsuper command did
not count a successful rename operation after error recovery.
Problem reported by Markus Schönhaber. File: postsuper/postsuper.c.
20161204
Bugfix (introduced: Postfix 3.1): cut-and-paste error in
the "postfix tls deploy-server-cert" command, causing the
wrong certfile and keyfile to be used. Viktor Dukhovni.
File: conf/postfix-tls-script.
Robustness: create a new keyfile when "postfix tls
new-server-cert" is invoked and main.cf specifies a
non-existent keyfile. Viktor Dukhovni. File:
conf/postfix-tls-script.
20161206
Bugfix (introduced: Postfix 3.0): when receiving a MAIL
FROM...SMTPUTF8 command while smtpd_delay_reject=no, enable
SMTPUTF8 support before processing smtpd_sender_restrictions.
Problem reported by Viktor Dukhovni. File: smtpd/smtpd.c.
20161220
Bugfix (introduced: Postfix 2.1.0): the Postfix SMTP daemon
did not query sender_canonical_maps when rejecting unknown
senders with "smtpd_reject_unlisted_recipient = yes" or
with reject_unlisted_sender. Stephen R. van den Berg (Mr.
procmail). Files: smtpd/smtpd.c, smtpd/smtpd_check.c.
20170221
Compatibility fix (introduced: Postfix 3.1): some Milter
applications do not recognize macros sent as {name} when
macros have single-character names. Postfix now sends such
macros without {} as it has done historically. Viktor
Dukhovni. File: milter/milter.c.
20170430
Safety net: append a null byte to vstring buffers, so that
C-style string operations won't scribble past the end. File:
vstring.c.
20170610
Workaround (introduced: Postfix 3.0 20140718): prevent MIME
downgrade of Postfix-generated message/delivery status.
It's supposed to be 7bit, therefore quoted-printable encoding
is not expected. Problem reported by Griff. File:
bounce/bounce_notify_util.c.
20170611
Security: Berkeley DB 2 and later try to read settings from
a file DB_CONFIG in the current directory. This undocumented
feature may introduce undisclosed vulnerabilities resulting
in privilege escalation with Postfix set-gid programs
(postdrop, postqueue) before they chdir to the Postfix queue
directory, and with the postmap and postalias commands
depending on whether the user's current directory is writable
by other users. This fix does not change Postfix behavior
for Berkeley DB < 3, but reduces file create performance
for Berkeley DB 3 .. 4.6. File: util/dict_db.c.
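An added example, not Postfix code: an audit an administrator could run against the directories from which postmap, postalias or other Berkeley DB clients are started, reporting the two conditions this entry names (a DB_CONFIG file in the current directory, and a directory that other users can write to). The function names and finding labels are hypothetical; demo() uses a constructed scratch directory.

```python
import os
import stat
import tempfile


def db_config_exposure(directory, uid=None):
    """Findings for running a Berkeley DB client with `directory` as cwd.

    Returns a dict of finding name -> explanation; empty means no finding.
    """
    uid = os.getuid() if uid is None else uid
    findings = {}
    dst = os.stat(directory)
    cfg = os.path.join(directory, "DB_CONFIG")
    if os.path.lexists(cfg):
        owner = os.lstat(cfg).st_uid
        findings["db_config_present"] = f"{cfg} exists (owner uid {owner})"
    # Write permission on the directory is what lets someone else create the
    # file; the sticky bit only restricts delete/rename, so /tmp still counts.
    if dst.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings["dir_writable_by_others"] = (
            f"{directory} mode {stat.S_IMODE(dst.st_mode):04o} lets other "
            "users create DB_CONFIG")
    if dst.st_uid not in (uid, 0):
        findings["dir_owned_by_other"] = f"{directory} is owned by uid {dst.st_uid}"
    return findings


def demo():
    """Constructed walk-through in a scratch directory."""
    with tempfile.TemporaryDirectory() as d:
        private = sorted(db_config_exposure(d))          # mode 0700, empty
        os.chmod(d, 0o1777)                              # same mode as /tmp
        shared = sorted(db_config_exposure(d))
        open(os.path.join(d, "DB_CONFIG"), "w").close()  # stand-in settings file
        present = sorted(db_config_exposure(d))
    return private, shared, present


if __name__ == "__main__":
    for step in demo():
        print(step)
```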
20171009
Bugfix (introduced: Postfix 3.1): DANE support. Postfix
builds with OpenSSL 1.0.0 or 1.0.1 failed to send email to
some sites with "TLSA 2 X X" records associated with an
intermediate CA certificate. Problem report and initial
fix by Erwan Legrand. File: src/tls/tls_dane.c.
20171024
Bugfix (introduced: Postfix 3.0): missing dynamicmaps support
in the Postfix sendmail command broke authorized_submit_users
with a dynamically-loaded map type. File: sendmail/sendmail.c.
20171116
Bugfix (introduced: Postfix 2.1): don't log warnings
that some restriction returns OK, when the access map
DISCARD feature is in effect. File: smtpd/smtpd_check.c.
20171215
Bugfix (introduced: 20170611): the DB_CONFIG bugfix broke
Berkeley DB configurations with a relative pathname. File:
util/dict_db.c.
20171218
Workaround: reportedly, some res_query(3) implementations
can return -1 with h_errno==0. Instead of terminating with
a panic, the Postfix DNS client now logs a warning and sets
h_errno to TRY_AGAIN. File: dns/dns_lookup.c.
20171226
Documentation patches by Sven Neuhaus. Files:
proto/FORWARD_SECRECY_README.html, proto/SMTPD_ACCESS_README.html.
20180106
Cleanup: missing mailbox seek-to-end error check in the
local(8) delivery agent. File: local/mailbox.c.
Cleanup: incorrect mailbox seek-to-end error message in the
virtual(8) delivery agent. File: virtual/mailbox.c.
20180218
Cleanup: added 21 missing *_maps parameters to the default
proxy_read_maps setting. Files: global/mail_params.h.
Bugfix (introduced: 20120117): postconf should scan only
built-in or service-defined parameters for ldap, *sql, etc.
database names. Files: postconf/postconf_user.c.
20180306
Bugfix (introduced: 19990302): when luser_relay specifies
a non-existent local address, the luser_relay feature becomes
a black hole. Reported by Jørgen Thomsen. File: local/unknown.c.
20180422
Bugfix (introduced: Postfix 2.8): missing tls_server_start()
error propagation in tlsproxy(8) resulting in segfault after
TLS handshake error. Found during code maintenance. File:
tlsproxy/tlsproxy.c.