HISTORY

	Bugfix (introduced 20100914): the "postscreen_greet_wait"
	delay speedup worked only for DNSBL listed sites.  File:
	postscreen/postscreen_dnsbl.c.

	Workaround: better handling of pregreeting spambots. The
	postscreen built-in SMTP engine no longer sends a 220 banner
	to a client that falls into the pregeet trap.  This eliminates
	many "NON-SMTP COMMAND" records in postscreen logging, as
	the SMTP client and server no longer get out of sync.  It
	also results in better logging of sender/recipient information.
	File: postscreen/postscreen_smtpd.c.

20100916

	Cleanup: postscreen now uses the first responding DNSBL
	name in the "5.7.1 Service unavailable" reply, instead of
	the last responding one. File: postscreen/postscreen_dnsbl.c.

	Cleanup: the 20100914 "postscreen_greet_wait" speedup did
	not happen as often as it should, because some older code
	still turned on PREGREET tests gratuitously, causing a full
	greet-wait delay.  File: postscreen/postscreen_tests.c.

	Cleanup: to avoid "address in use" problems, postscreen now
	closes the listening socket after "postfix stop".  It also
	closes the socket after "postfix reload" but that does not
	hurt. Files: master/event_server.c, master/multi_server.c.

	Cleanup: postscreen now logs CONNECT and DISCONNECT events.
	Files: postscreen/postscreen.c, postscreen/postscreen_misc.c.

20100917

	Bugfix: cut-and-paste error. Postscreen used pregreet_ttl
	instead of dnsbnl_ttl. File: postscreen/postscreen_early.c.

20100920

	Cleanup: minor cleanups and invisible fixes. Files:
	postscreen/postscreen_misc.c, postscreen/postscreen.h,
	postscreen/postscreen_tests.c.

	Feature: preliminary postscreen penalty mechanism. Basic
	idea: when a client exceeds some threshold, don't allow it
	to pass any tests until the penalty expires. Penalties
	provide a way to slow down clients without blocking mail
	permanently.  Files: postscreen/postscreen_misc.c,
	postscreen/postscreen_tests.c, postscreen/postscreen.c.

	A first application of the postscreen penalty mechanism
	triggers on clients that make brief connections to find out
	if the mail server is up.  With "postscreen_early_hangup_penalty
	= 600" they will disqualify themselves for 10 minutes.
	Unfortunately, this behavior is used by legitimate bulk
	mail services. This application was removed 20101103.  The
	penalty mechanism itself is left in place as #ifdef NONPROD.

20100923

	Cleanup: renamed MUMBLE_FLAG_MUMBLE aggregates to
	MUMBLE_MASK_MUMBLE for consistency with other Postfix code.
	Files: postscreen/*.[hc].

20100930

	Cleanup: flag PIPELINING errors with NOOP and VRFY.  File:
	smtpd/smtpd.c.

20101006

	Bugfix (introduced: 20100914) dangling pointer when a client
	makes N > 1 simultaneous connections and closes M < N
	connections before postscreen has delivered the DNSBL score
	to the corresponding pseudothreads. In practice the pointer
	will refer to a block of 0xff bytes; the program terminates
	with a segmentation violation, and is restarted immediately
	by the master daemon. Files: postscreen/postscreen_early.c,
	postscreen/postscreen_dnsbl.c.

	Cleanup: avoid repeated delivery to mailing list members
	with pathological nested alias configurations.  The local(8)
	delivery agent now keeps the owner-alias attribute of the
	parent alias, when delivering mail to a child alias that
	does not have its own owner alias. With this change, local
	addresses from that child alias will be written to a new
	queue file, and a temporary error with one local address
	will no longer result in repeated delivery to other mailing
	list members.  Specify "reset_owner_alias = yes" for the
	older behavior.  File: local/alias.c.

20101007

	Bugfix (introduced: 2100923): duplicate "PASS OLD" logging.
	File: postscreen/postscreen_misc.c.

20101008

	Cleanup: dnsblog now logs "addr X listed by domain Y as Z"
	instead of "addr X blocked by domain Y as Z", because the
	service may be used for whitelist lookups. File:
	dnsblog/dnsblog.c.

20101023

	Cleanup: don't apply reject_rhsbl_helo to non-domain forms
	such as network addresses.  This would cause false positives
	with dbl.spamhaus.org.  File: smtpd/smtpd_check.c.

20101103

	Cleanup: new qmgr_ipc_timeout parameter (default: 60s) to
	override the system-wide ipc_timeout setting (default:
	3600s). The shorter timeout allows the queue manager to
	reset a deadlocked IPC connection before the watchdog timer
	goes off. Files: *qmgr/qmgr.c.

	Cleanup: new qmgr_daemon_timeout parameter (default: 1000s)
	to make the hard-coded 1000s watchdog timeout configurable.
	Files: *qmgr/qmgr.c.

	Cleanup: request default DSN notification when adding a
	recipient with smfi_addrcpt, instead of requesting "never
	notify" as with Postfix automatically-added BCC recipients.
	Files: cleanup/cleanup_addr.c, cleanup/cleanup.h,
	cleanup/cleanup_milter.c.

20101105

	Feature: DNS whitelist support in the Postfix SMTP server.
	permit_dnswl_client whitelists a client by IP address, and
	permit_rhswl_client whitelists a client by its hostname.
	The syntax is the same as reject_rbl_client etc., but the
	result is PERMIT instead of REJECT.  For safety reasons,
	permit_xxx_client are silently ignored when they would
	override reject_unauth_destination.  The result is
	DEFER_IF_REJECT when DNSWL lookup fails.  The implementation
	is based on a design documented by Noel Jones (August 2010).
	File: smtpd/smtpd_check.c.

20101108

	Workaround: strip off IPv6 datalink suffix from peer address
	to avoid problems with strict address checking code. Files:
	smtpd/smtpd_peer.c, qmqpd/qmqpd_peer.c.

20101114

	Robustness: postscreen(8) now implements a time limit on
	reading an entire command, instead of a time limit for
	reading individual characters. File: postscreen/postscreen_smtpd.c.

20101023

	Cleanup: don't apply reject_rhsbl_helo to non-domain forms
	such as network addresses.  This would cause false positives
	with dbl.spamhaus.org.  File: smtpd/smtpd_check.c.

20101117

	Bugfix: the "421" reply after Milter error was overruled
	by Postfix 1.1 code that replied with "503" for RFC 2821
	compliance. We now make an exception for "final" replies,
	as permitted by RFC. Solution by Victor Duchovni. File:
	smtpd/smtpd.c.

20101124-6

	Feature: pattern matching for DNSWL/DNSBL responses.  For
	example, with "reject_rbl_client example.com=d.d.d.d", each
	"d" can now be a pattern inside "[]" that contains one or
	more comma-separated decimal numbers or number..number
	ranges.  Files: smtpd/smtpd_check.c, postscreen/postscreen_dnsbl.c,
	util/ip_match.c, util/ip_match.h.

20101126

	Cleanup: don't log "blocked using example.com=127.0.0.1",
	just log the domain name. File: smtpd/smtpd_check.c.

20101129

	Cleanup: postscreen_client_connection_count_limit (default:
	$smtpd_client_connection_count_limit) to limit the number
	of connections from the same IP address to the postscreen(8)
	daemon. Files: postscreen/postscreen.c, postscreen/postscreen.h,
	postscreen/postscreen_state.c.

20101130

	Cleanup: all postscreen(8) logging now reports the client
	as [address]:port.  This requires an update of tools that
	process postscreen logging.  Files: postscreen/*.c,
	proto/POSTSCREEN_README.html.

	Cleanup: polishing recent documentation and code. Files:
	postscreen/postscreen_dnsbl.c, util/ip_match.c.

20101201

	Bugfix (introduced 20101129): broken default value for
	postscreen_client_connection_count_limit if the
	smtpd_client_connection_count_limit parameter was left at
	its default.  File: postscreen/postscreen.c.

	Workaround: BSD-ish mkdir() ignores the effective GID
	and copies group ownership from the parent directory.
	File: util/make_dirs.c.

20101202

	Feature: the LDAP client can now authenticate to LDAP servers
	via SASL. This is tested with SASL GSSAPI and Kerberos 5.
	Original code by Quanah Gibson-Mount adapted by Victor
	Duchovni.  Files: global/dict_ldap.c, proto/LDAP_README.html,
	proto/ldap_table.

	Cleanup: the cleanup server now reports a temporary delivery
	error when it reaches the virtual_alias_expansion_limit or
	virtual_alias_recursion_limit. Previously, it would silently
	ignore the excess recipients and deliver the message.  File:
	cleanup/cleanup_map1n.c.

20101205

	Cleanup: sache_clnt_create() had an unnecessary data
	dependency on the non-library var_scache_service variable,
	causing problems with shared library builds.  Instead, it
	should use its service argument (which has the same value).
	File: global/scache.c.

	Cleanup: pipe_command.c had an unnecessary data dependency
	on the non-library var_command_maxtime variable, causing
	problems with shared library builds. The dependency was not
	necessary because the callers already specify an explicit
	time limit.  File: global/pipe_command.c.

20101206

	Bugfix (introduced 20101205): postscreen hung up due to
	incorrect output error test. File: postscreen/postscreen_send.c.

20101207

	Cleanup: the undisclosed_recipients_header default value
	is now the empty string. The Internet mail RFCs have supported
	messages without recipient header for almost 10 years now.
	File: global/mail_params.h.

	Cleanup: use strtol() instead of sscanf() for consistent
	handling of out-of-range numbers. Files: global/cfg_parser.c,
	global/conv_time.c, global/mail_conf_int.c,
	global/mail_conf_long.c, global/mail_conf_nint.c.

20101217

	Cleanup: eliminated the code that copied TLS protocol
	messages between the OpenSSL TLS engine and the network.
	This change hopefully simplifies the TLS library enough
	that it can be used in an event-driven TLS proxy in front
	of postscreen.  Files: tls/tls_bio.c, tls/tls_server.c,
	tls/tls_client.c.

	This change eliminates an obscure bug where the SMTP server
	would wait for another $smtpd_timeout seconds after sending
	the "421 Error: timeout exceeded" message to the client.

20101221

	Cleanup: simplified the VSTREAM "large buffer" support by
	dropping the Postfix 2.4 "binary compatibility" requirement.
	Files: util/vstream.c, util/vstream.h.

20101222

	Cleanup: the SMTP client PIPELINING code did not account
	for TLS protocol overhead. This could (only in theory)
	result in deadlock when the remote SMTP server announces a
	very small receive window after the client and server have
	synchronized their SMTP state. Victor Duchovni.  File:
	smtp/smtp_proto.c.

20101223

	Feature: with "tls_preempt_cipherlist = yes" the Postfix
	SMTP server will preempt the remote SMTP client's cipher
	preference order. This requires OpenSSL 0.9.7 and later.
	Victor Duchovni. Files: src/smtpd/smtpd.c, src/tls/tls_server.c,
	proto/TLS_README.html, proto/postconf.proto.

	Future proofing: specify "tls_disable_workarounds = a list
	or bit-mask of OpenSSL bug work-arounds to disable". This
	may become necessary when a bug workaround is found to cause
	problems (security or interoperability). Victor Duchovni.
	Files: tls/tls_misc.c, proto/TLS_README.html, proto/postconf.proto.

	Infrastructure: extended name_mask module feature set with
	extensive documentation and 32-bit regression tests.  Victor
	and Wietse.  File: util/name_mask.[hc].

20101224

	Cleanup: sanitized the name_mask API so that errors will be
	ignored only upon explicit request. Files: util/name_mask.[hc],
	src/global/ehlo_mask.c, src/smtp/smtp_proto.c,
	src/util/name_mask.c, src/xsasl/xsasl_dovecot_server.c.

	Cleanup: more TLS overhead horrors for the SMTP client's
	PIPELINING engine. Wietse and Victor. File: smtp/smtp_proto.c.

20101226

	Cleanup: the SMTP client logic for pipelining the "." and
	"QUIT" commands was bogus - the pipelining engine could not
	know how much unacknowledged data is pending in the local
	TCP stack.  We now ignore the buffer check for sending
	"QUIT" after ".".  Wietse and Victor. File: smtp/smtp_proto.c.

20110101

	Cleanup: the Postfix SMTP server now always refreshes the
	SASL authentication mechanism list after STARTTLS. Some
	Dovecot versions may change their responses when they know
	that the SMTP connection is encrypted. File: smtpd/smtpd.c.

	Cleanup: the smtpd_starttls_timeout default value is now
	stress-dependent.  Files: global/mail_params.h,
	proto/postconf.proto.

	Compatibility: postscreen_discard_ehlo_keyword(s|maps)
	support for compatibility with smtpd_discard_ehlo_keyword(s|maps).
	Files: postscreen/postscreen_smtpd.c.

20110102

	Feature: STARTTLS support for the postscreen(8) daemon.
	With early testing feedback from Victor Duchovni and Ralf
	Hildebrandt.  Files: postscreen/postscreen_smtpd,
	postscreen/postscreen_starttls.c.

	Feature: event-driven tlsproxy(8) daemon that translates
	TLS <=> plaintext for postscreen(8). One tlsproxy(8) process
	can translate traffic for multiple remote SMTP clients.
	With early testing feedback from Victor Duchovni and Christian
	Roessner.  Files: util/nbbio.[hc], tlsproxy/*.[hc],
	postscreen/postscreen_starttlsd.c, postscreen/postscreen_smtpd.c.

20110103

	Cleanup: missing tls_level support in tlsproxy (it has no
	way to send plaintext, but perhaps an informative error
	message is in order anyway).  File: tlsproxy/tlsproxy.c.

	Cleanup: simplified the handling of throttled output (i.e.
	output that can't be sent because the receiver tries to be
	nasty).  File: postscreen/postscreen_send.c.

20110104

	Feature: add contact information to each SMTP server reject
	message. For example, "smtpd_reject_footer = call 800-555-0101
	for assistance", with macro expansion and with multi-line
	support. Files: global/mail_params.h, mantools/postlink,
	proto/postconf.proto, smtpd/smtpd.c, smtpd/smtpd_chat.c,
	smtpd/smtpd_expand.[hc], util/mac_expand.[hc].

20110105

	Cleanup: the forest of TLS-related booleans was shrunk.
	Victor Duchovni. Files: smtpd/smtpd.c, postscreen/postscreen.c,
	postscreen/postscreen_smtpd.c, tlsproxy/tlsproxy.c.

	Non-production: tlsproxy support in the Postfix SMTP server
	for stress testing of the tlsproxy daemon (#ifdef TLSPROXY).
	Seen from outside, Postfix works just as if it has TLS
	support built into in smtpd(8). Files: smtpd/smtpd.c,
	tls/tls_proxy*.[hc], tlsproxy/tlsproxy.c, util/vstream.[hc].

	Bugfix (introduced with the Postfix TLS patch): discard
	plaintext following the STARTTLS command or response. This
	matters only for the minority of SMTP clients that actually
	verify server certificates.  Files: smtpd/smtpd.c,
	smtp/smtp_proto.c.

20110106

	Non-production: cleaned up the tlsproxy support in the
	Postfix SMTP server for stress testing of the tlsproxy
	daemon (still #ifdef TLSPROXY). File: smtpd/smtpd.c.

20110107

	Cleanup: smtpd_reject_contact_information is renamed to
	smtpd_reject_footer, because it can be used for non-contact
	information.

	Compatibility: postscreen_reject_footer support for
	compatibility with smtpd_reject_footer.  Files:
	global/smtp_reply_footer.[hc], global/mail_conf.[hc],
	postscreen/postscreen_expand.c, postscreen/postscreen_send.c,
	postscreen/postscreen.c, smtpd/smtpd_chat.c.

	Compatibility: postscreen_command_filter support for
	compatibility with smtpd_command_filter. Files:
	postscreen/postscreen_dict.c, postscreen/postscreen_smtpd.c

20110108

	Cleanup: postscreen(8) now displays control characters in
	PREGREET responses as C-style \letter escapes, instead of
	"?".  File: postscreen/postscreen_early.c.

20110109

	Cleanup: Solaris support for "pass" (file descriptor passing
	based) services in master.cf.  This was needed by postscreen(8).
	Also, renamed upass_xxx.c to unix_pass_xxx.c. One-character
	prefixes are too short. Removed upass_connect.c because it
	was useless code. Files: util/stream_pass_connect.c,
	util/unix_pass_listen.c, util/unix_pass_trigger.c.

	Bugfix (introduced Postfix 2.4): on Solaris the Postfix
	event engine was deaf for SIGHUP and SIGALRM signals after
	the switch to /dev/poll. Symptoms were delayed "postfix
	reload" response, and killed processes when the watchdog
	timeout was less than max_idle.  The fix is to set up SIGHUP
	and SIGALRM handlers that write to a pipe, and to monitor
	that pipe for read events via the Postfix event engine.
	Files: master/master_sig.c, util/watchdog.c, util/sys_defs.h.

20110111

	Cleanup: replaced the postscreen(8) separate blacklist and
	whitelist lookup tables by one postscreen_access_list table.
	See postconf(5) and POSTSCREEN_README for examples.  Files:
	postscreen/postscreen_access.c, postscreen/postscreen.c,
	proto/postconf.proto, proto/POSTSCREEN_README.html.

20110112

	Cleanup: suspend/resume logic for postscreen(8) SMTP sessions
	that temporarily switch control to an external program such
	as tlsproxy, or perhaps a future policy plugin.  Files:
	postscreen/postscreen_smtpd, postscreen/postscreen_starttls.c.

20110113

	Cleanup: ps_cache and psc_cache are now postscreen_cache.
	There is no need for obscure name abbrevations. File:
	src/global/mail_params.h.

20110115

	Workaround: malloc fuzz (safety margin for malloc requests).
	Files: util/sys_defs.h, util/mymalloc.c.

	Cleanup: dnsblog_service_name and tlsproxy_service_name are
	now configurable, in case someone needs this. Files:
	global/mail_params.h, postscreen/postscreen.c, mantools/postlink,
	proto/postconf.proto.

20110116

	Cleanup: soft_bounce support for postscreen(8). Files:
	postscreen/postscreen_smtpd.c, postscreen/postscreen_send.c.

	Cleanup: for smtpd(8) compatibility, postscreen(8) now
	strips deprecated route address prefixes from email addresses
	(@here,@there:user@example becomes user@example). This is
	primarily to make postscreen(8) logging more similar to
	that of smtpd(8). File: postscreen/postscreen_smtpd.c.

	Cleanup: documentation, in preparation for the Postfix 2.8
	stable release.

20110117

	Bugfix (introduced Postfix alpha, or thereabouts): on HP-UX
	the Postfix event engine was deaf for SIGALRM signals.
	Symptoms were killed processes when the watchdog timeout
	was less than max_idle.  The fix is the same as Solaris fix
	20110109. Since we can't know what other systems need this,
	the workaround is enabled by default.  Files: util/sys_defs.h.

	Cleanup: "smtpd_tls_eecdh_grade = strong" by default, instead
	of snapshot-only. File: global/mail_params.h, proto/postconf.proto.

	Cleanup: missing "#include <errno.h>" in util/watchdog.c.

	Bugfix: when compiled without -DUSE_TLS, tlsproxy used the
	wrong server skeleton (multi_server instead of event_server).
	File: tlsproxy/tlsproxy.c.

	Workaround: added a panic check for code that is mis-compiled
	by the HP-UX compiler.  File: postscreen/postscreen.c,
	postscreen/postscreen.h, postscreen/postscreen_state.c.

20110118

	Bugfix: the tls_disable_workarounds word list only included
	workarounds in SSL_OP_ALL. Problem report by Steve Jenkins,
	problem fix by Victor Duchovni. File: tls/tls_misc.c.
	
	Last-minute incompatible syntax change: Postfix now uses
	";" instead of "," to separate DNSBL/DNSWL address filter
	fields inside "[]". The compatibility break is not an issue,
	because the syntax never worked in main.cf. Problem reported
	by Mark Martinec. Files: util/ip_match.c, util/ip_match.in,
	util/ip_match.ref, proto/postconf.proto.

	Cleanup: postscreen now monitors the AVERAGE latency of
	table access, and complains at most once per minute.  File:
	postscreen/postscreen_dict.c.

	Bugfix: support for the "dunno" command somehow disappeared
	from the postscreen_access_list implementation.  File:
	postscreen/postscreen_access.c.

20110123

	Cleanup: remove #ifdef MIGRATION_WARNING transitional code
	from postscreen. File: postscreen/postscreen.c.

20110201

	Cleanup: when verifying that the client_address->client_name
	lookup result resolves to the client_address, request
	hostname->address lookup with the same protocol family (IPv4
	or IPv6) as the client_address.  Files: util/myaddrinfo.[hc],
	smtpd/smtpd_peer.c, qmqpd/qmqpd_peer.c.

20110207

	Bugfix (introduced Postfix 2.8): segfault with smtpd_tls_loglevel
	>= 3. Files: tls/tls_server.c, tls.h, smtpd.c, tlsproxy.c.

20110216

	Cleanup: don't log a "connection reset by peer" warning
	when postscreen(8) tries to send a server response.  File:
	postscreen/postscreen_send.c.