HISTORY 757 KiB
Boris Mühmer committed
	postscreen/postscreen_dnsbl.c.

	Workaround: better handling of pregreeting spambots. The
	postscreen built-in SMTP engine no longer sends a 220 banner
	to a client that falls into the pregreet trap.  This eliminates
	many "NON-SMTP COMMAND" records in postscreen logging, as
	the SMTP client and server no longer get out of sync.  It
	also results in better logging of sender/recipient information.
	File: postscreen/postscreen_smtpd.c.

20100916

	Cleanup: postscreen now uses the first responding DNSBL
	name in the "5.7.1 Service unavailable" reply, instead of
	the last responding one. File: postscreen/postscreen_dnsbl.c.

	Cleanup: the 20100914 "postscreen_greet_wait" speedup did
	not happen as often as it should, because some older code
	still turned on PREGREET tests gratuitously, causing a full
	greet-wait delay.  File: postscreen/postscreen_tests.c.

	Cleanup: to avoid "address in use" problems, postscreen now
	closes the listening socket after "postfix stop".  It also
	closes the socket after "postfix reload" but that does not
	hurt. Files: master/event_server.c, master/multi_server.c.

	Cleanup: postscreen now logs CONNECT and DISCONNECT events.
	Files: postscreen/postscreen.c, postscreen/postscreen_misc.c.

20100917

	Bugfix: cut-and-paste error. Postscreen used pregreet_ttl
	instead of dnsbl_ttl. File: postscreen/postscreen_early.c.

20100920

	Cleanup: minor cleanups and invisible fixes. Files:
	postscreen/postscreen_misc.c, postscreen/postscreen.h,
	postscreen/postscreen_tests.c.

	Feature: preliminary postscreen penalty mechanism. Basic
	idea: when a client exceeds some threshold, don't allow it
	to pass any tests until the penalty expires. Penalties
	provide a way to slow down clients without blocking mail
	permanently.  Files: postscreen/postscreen_misc.c,
	postscreen/postscreen_tests.c, postscreen/postscreen.c.

	A first application of the postscreen penalty mechanism
	triggers on clients that make brief connections to find out
	if the mail server is up.  With "postscreen_early_hangup_penalty
	= 600" they will disqualify themselves for 10 minutes.
	Unfortunately, this behavior is used by legitimate bulk
	mail services. This application was removed 20101103.  The
	penalty mechanism itself is left in place as #ifdef NONPROD.

20100923

	Cleanup: renamed MUMBLE_FLAG_MUMBLE aggregates to
	MUMBLE_MASK_MUMBLE for consistency with other Postfix code.
	Files: postscreen/*.[hc].

20100930

	Cleanup: flag PIPELINING errors with NOOP and VRFY.  File:
	smtpd/smtpd.c.

20101006

	Bugfix (introduced: 20100914) dangling pointer when a client
	makes N > 1 simultaneous connections and closes M < N
	connections before postscreen has delivered the DNSBL score
	to the corresponding pseudothreads. In practice the pointer
	will refer to a block of 0xff bytes; the program terminates
	with a segmentation violation, and is restarted immediately
	by the master daemon. Files: postscreen/postscreen_early.c,
	postscreen/postscreen_dnsbl.c.

	Cleanup: avoid repeated delivery to mailing list members
	with pathological nested alias configurations.  The local(8)
	delivery agent now keeps the owner-alias attribute of the
	parent alias, when delivering mail to a child alias that
	does not have its own owner alias. With this change, local
	addresses from that child alias will be written to a new
	queue file, and a temporary error with one local address
	will no longer result in repeated delivery to other mailing
	list members.  Specify "reset_owner_alias = yes" for the
	older behavior.  File: local/alias.c.

20101007

	Bugfix (introduced: 20100923): duplicate "PASS OLD" logging.
	File: postscreen/postscreen_misc.c.

20101008

	Cleanup: dnsblog now logs "addr X listed by domain Y as Z"
	instead of "addr X blocked by domain Y as Z", because the
	service may be used for whitelist lookups. File:
	dnsblog/dnsblog.c.

20101023

	Cleanup: don't apply reject_rhsbl_helo to non-domain forms
	such as network addresses.  This would cause false positives
	with dbl.spamhaus.org.  File: smtpd/smtpd_check.c.

20101103

	Cleanup: new qmgr_ipc_timeout parameter (default: 60s) to
	override the system-wide ipc_timeout setting (default:
	3600s). The shorter timeout allows the queue manager to
	reset a deadlocked IPC connection before the watchdog timer
	goes off. Files: *qmgr/qmgr.c.

	Cleanup: new qmgr_daemon_timeout parameter (default: 1000s)
	to make the hard-coded 1000s watchdog timeout configurable.
	Files: *qmgr/qmgr.c.

	Cleanup: request default DSN notification when adding a
	recipient with smfi_addrcpt, instead of requesting "never
	notify" as with Postfix automatically-added BCC recipients.
	Files: cleanup/cleanup_addr.c, cleanup/cleanup.h,
	cleanup/cleanup_milter.c.

20101105

	Feature: DNS whitelist support in the Postfix SMTP server.
	permit_dnswl_client whitelists a client by IP address, and
	permit_rhswl_client whitelists a client by its hostname.
	The syntax is the same as reject_rbl_client etc., but the
	result is PERMIT instead of REJECT.  For safety reasons,
	permit_xxx_client are silently ignored when they would
	override reject_unauth_destination.  The result is
	DEFER_IF_REJECT when DNSWL lookup fails.  The implementation
	is based on a design documented by Noel Jones (August 2010).
	File: smtpd/smtpd_check.c.

20101108

	Workaround: strip off IPv6 datalink suffix from peer address
	to avoid problems with strict address checking code. Files:
	smtpd/smtpd_peer.c, qmqpd/qmqpd_peer.c.

20101114

	Robustness: postscreen(8) now implements a time limit on
	reading an entire command, instead of a time limit for
	reading individual characters. File: postscreen/postscreen_smtpd.c.

20101117

	Bugfix: the "421" reply after Milter error was overruled
	by Postfix 1.1 code that replied with "503" for RFC 2821
	compliance. We now make an exception for "final" replies,
	as permitted by RFC. Solution by Victor Duchovni. File:
	smtpd/smtpd.c.

20101124-6

	Feature: pattern matching for DNSWL/DNSBL responses.  For
	example, with "reject_rbl_client example.com=d.d.d.d", each
	"d" can now be a pattern inside "[]" that contains one or
	more comma-separated decimal numbers or number..number
	ranges.  Files: smtpd/smtpd_check.c, postscreen/postscreen_dnsbl.c,
	util/ip_match.c, util/ip_match.h.

20101126

	Cleanup: don't log "blocked using example.com=127.0.0.1",
	just log the domain name. File: smtpd/smtpd_check.c.

20101129

	Cleanup: postscreen_client_connection_count_limit (default:
	$smtpd_client_connection_count_limit) to limit the number
	of connections from the same IP address to the postscreen(8)
	daemon. Files: postscreen/postscreen.c, postscreen/postscreen.h,
	postscreen/postscreen_state.c.

20101130

	Cleanup: all postscreen(8) logging now reports the client
	as [address]:port.  This requires an update of tools that
	process postscreen logging.  Files: postscreen/*.c,
	proto/POSTSCREEN_README.html.

	Cleanup: polishing recent documentation and code. Files:
	postscreen/postscreen_dnsbl.c, util/ip_match.c.

20101201

	Bugfix (introduced 20101129): broken default value for
	postscreen_client_connection_count_limit if the
	smtpd_client_connection_count_limit parameter was left at
	its default.  File: postscreen/postscreen.c.

	Workaround: BSD-ish mkdir() ignores the effective GID
	and copies group ownership from the parent directory.
	File: util/make_dirs.c.

20101202

	Feature: the LDAP client can now authenticate to LDAP servers
	via SASL. This is tested with SASL GSSAPI and Kerberos 5.
	Original code by Quanah Gibson-Mount adapted by Victor
	Duchovni.  Files: global/dict_ldap.c, proto/LDAP_README.html,
	proto/ldap_table.

	Cleanup: the cleanup server now reports a temporary delivery
	error when it reaches the virtual_alias_expansion_limit or
	virtual_alias_recursion_limit. Previously, it would silently
	ignore the excess recipients and deliver the message.  File:
	cleanup/cleanup_map1n.c.

20101205

	Cleanup: scache_clnt_create() had an unnecessary data
	dependency on the non-library var_scache_service variable,
	causing problems with shared library builds.  Instead, it
	should use its service argument (which has the same value).
	File: global/scache.c.

	Cleanup: pipe_command.c had an unnecessary data dependency
	on the non-library var_command_maxtime variable, causing
	problems with shared library builds. The dependency was not
	necessary because the callers already specify an explicit
	time limit.  File: global/pipe_command.c.

20101206

	Bugfix (introduced 20101205): postscreen hung up due to
	incorrect output error test. File: postscreen/postscreen_send.c.

20101207

	Cleanup: the undisclosed_recipients_header default value
	is now the empty string. The Internet mail RFCs have supported
	messages without recipient header for almost 10 years now.
	File: global/mail_params.h.

	Cleanup: use strtol() instead of sscanf() for consistent
	handling of out-of-range numbers. Files: global/cfg_parser.c,
	global/conv_time.c, global/mail_conf_int.c,
	global/mail_conf_long.c, global/mail_conf_nint.c.

20101217

	Cleanup: eliminated the code that copied TLS protocol
	messages between the OpenSSL TLS engine and the network.
	This change hopefully simplifies the TLS library enough
	that it can be used in an event-driven TLS proxy in front
	of postscreen.  Files: tls/tls_bio.c, tls/tls_server.c,
	tls/tls_client.c.

	This change eliminates an obscure bug where the SMTP server
	would wait for another $smtpd_timeout seconds after sending
	the "421 Error: timeout exceeded" message to the client.

20101221

	Cleanup: simplified the VSTREAM "large buffer" support by
	dropping the Postfix 2.4 "binary compatibility" requirement.
	Files: util/vstream.c, util/vstream.h.

20101222

	Cleanup: the SMTP client PIPELINING code did not account
	for TLS protocol overhead. This could (only in theory)
	result in deadlock when the remote SMTP server announces a
	very small receive window after the client and server have
	synchronized their SMTP state. Victor Duchovni.  File:
	smtp/smtp_proto.c.

20101223

	Feature: with "tls_preempt_cipherlist = yes" the Postfix
	SMTP server will preempt the remote SMTP client's cipher
	preference order. This requires OpenSSL 0.9.7 and later.
	Victor Duchovni. Files: src/smtpd/smtpd.c, src/tls/tls_server.c,
	proto/TLS_README.html, proto/postconf.proto.

	Future proofing: specify "tls_disable_workarounds = a list
	or bit-mask of OpenSSL bug work-arounds to disable". This
	may become necessary when a bug workaround is found to cause
	problems (security or interoperability). Victor Duchovni.
	Files: tls/tls_misc.c, proto/TLS_README.html, proto/postconf.proto.

	Infrastructure: extended name_mask module feature set with
	extensive documentation and 32-bit regression tests.  Victor
	and Wietse.  File: util/name_mask.[hc].

20101224

	Cleanup: sanitized the name_mask API so that errors will be
	ignored only upon explicit request. Files: util/name_mask.[hc],
	src/global/ehlo_mask.c, src/smtp/smtp_proto.c,
	src/util/name_mask.c, src/xsasl/xsasl_dovecot_server.c.

	Cleanup: more TLS overhead horrors for the SMTP client's
	PIPELINING engine. Wietse and Victor. File: smtp/smtp_proto.c.

20101226

	Cleanup: the SMTP client logic for pipelining the "." and
	"QUIT" commands was bogus - the pipelining engine could not
	know how much unacknowledged data is pending in the local
	TCP stack.  We now ignore the buffer check for sending
	"QUIT" after ".".  Wietse and Victor. File: smtp/smtp_proto.c.

20110101

	Cleanup: the Postfix SMTP server now always refreshes the
	SASL authentication mechanism list after STARTTLS. Some
	Dovecot versions may change their responses when they know
	that the SMTP connection is encrypted. File: smtpd/smtpd.c.

	Cleanup: the smtpd_starttls_timeout default value is now
	stress-dependent.  Files: global/mail_params.h,
	proto/postconf.proto.

	Compatibility: postscreen_discard_ehlo_keyword(s|maps)
	support for compatibility with smtpd_discard_ehlo_keyword(s|maps).
	Files: postscreen/postscreen_smtpd.c.

20110102

	Feature: STARTTLS support for the postscreen(8) daemon.
	With early testing feedback from Victor Duchovni and Ralf
	Hildebrandt.  Files: postscreen/postscreen_smtpd,
	postscreen/postscreen_starttls.c.

	Feature: event-driven tlsproxy(8) daemon that translates
	TLS <=> plaintext for postscreen(8). One tlsproxy(8) process
	can translate traffic for multiple remote SMTP clients.
	With early testing feedback from Victor Duchovni and Christian
	Roessner.  Files: util/nbbio.[hc], tlsproxy/*.[hc],
	postscreen/postscreen_starttlsd.c, postscreen/postscreen_smtpd.c.

20110103

	Cleanup: missing tls_level support in tlsproxy (it has no
	way to send plaintext, but perhaps an informative error
	message is in order anyway).  File: tlsproxy/tlsproxy.c.

	Cleanup: simplified the handling of throttled output (i.e.
	output that can't be sent because the receiver tries to be
	nasty).  File: postscreen/postscreen_send.c.

20110104

	Feature: add contact information to each SMTP server reject
	message. For example, "smtpd_reject_footer = call 800-555-0101
	for assistance", with macro expansion and with multi-line
	support. Files: global/mail_params.h, mantools/postlink,
	proto/postconf.proto, smtpd/smtpd.c, smtpd/smtpd_chat.c,
	smtpd/smtpd_expand.[hc], util/mac_expand.[hc].

20110105

	Cleanup: the forest of TLS-related booleans was shrunk.
	Victor Duchovni. Files: smtpd/smtpd.c, postscreen/postscreen.c,
	postscreen/postscreen_smtpd.c, tlsproxy/tlsproxy.c.

	Non-production: tlsproxy support in the Postfix SMTP server
	for stress testing of the tlsproxy daemon (#ifdef TLSPROXY).
	Seen from outside, Postfix works just as if it has TLS
	support built into smtpd(8). Files: smtpd/smtpd.c,
	tls/tls_proxy*.[hc], tlsproxy/tlsproxy.c, util/vstream.[hc].

	Bugfix (introduced with the Postfix TLS patch): discard
	plaintext following the STARTTLS command or response. This
	matters only for the minority of SMTP clients that actually
	verify server certificates.  Files: smtpd/smtpd.c,
	smtp/smtp_proto.c.

20110106

	Non-production: cleaned up the tlsproxy support in the
	Postfix SMTP server for stress testing of the tlsproxy
	daemon (still #ifdef TLSPROXY). File: smtpd/smtpd.c.

20110107

	Cleanup: smtpd_reject_contact_information is renamed to
	smtpd_reject_footer, because it can be used for non-contact
	information.

	Compatibility: postscreen_reject_footer support for
	compatibility with smtpd_reject_footer.  Files:
	global/smtp_reply_footer.[hc], global/mail_conf.[hc],
	postscreen/postscreen_expand.c, postscreen/postscreen_send.c,
	postscreen/postscreen.c, smtpd/smtpd_chat.c.

	Compatibility: postscreen_command_filter support for
	compatibility with smtpd_command_filter. Files:
	postscreen/postscreen_dict.c, postscreen/postscreen_smtpd.c.

20110108

	Cleanup: postscreen(8) now displays control characters in
	PREGREET responses as C-style \letter escapes, instead of
	"?".  File: postscreen/postscreen_early.c.

20110109

	Cleanup: Solaris support for "pass" (file descriptor passing
	based) services in master.cf.  This was needed by postscreen(8).
	Also, renamed upass_xxx.c to unix_pass_xxx.c. One-character
	prefixes are too short. Removed upass_connect.c because it
	was useless code. Files: util/stream_pass_connect.c,
	util/unix_pass_listen.c, util/unix_pass_trigger.c.

	Bugfix (introduced Postfix 2.4): on Solaris the Postfix
	event engine was deaf for SIGHUP and SIGALRM signals after
	the switch to /dev/poll. Symptoms were delayed "postfix
	reload" response, and killed processes when the watchdog
	timeout was less than max_idle.  The fix is to set up SIGHUP
	and SIGALRM handlers that write to a pipe, and to monitor
	that pipe for read events via the Postfix event engine.
	Files: master/master_sig.c, util/watchdog.c, util/sys_defs.h.

20110111

	Cleanup: replaced the postscreen(8) separate blacklist and
	whitelist lookup tables by one postscreen_access_list table.
	See postconf(5) and POSTSCREEN_README for examples.  Files:
	postscreen/postscreen_access.c, postscreen/postscreen.c,
	proto/postconf.proto, proto/POSTSCREEN_README.html.

20110112

	Cleanup: suspend/resume logic for postscreen(8) SMTP sessions
	that temporarily switch control to an external program such
	as tlsproxy, or perhaps a future policy plugin.  Files:
	postscreen/postscreen_smtpd, postscreen/postscreen_starttls.c.

20110113

	Cleanup: ps_cache and psc_cache are now postscreen_cache.
	There is no need for obscure name abbreviations. File:
	src/global/mail_params.h.

20110115

	Workaround: malloc fuzz (safety margin for malloc requests).
	Files: util/sys_defs.h, util/mymalloc.c.

	Cleanup: dnsblog_service_name and tlsproxy_service_name are
	now configurable, in case someone needs this. Files:
	global/mail_params.h, postscreen/postscreen.c, mantools/postlink,
	proto/postconf.proto.

20110116

	Cleanup: soft_bounce support for postscreen(8). Files:
	postscreen/postscreen_smtpd.c, postscreen/postscreen_send.c.

	Cleanup: for smtpd(8) compatibility, postscreen(8) now
	strips deprecated route address prefixes from email addresses
	(@here,@there:user@example becomes user@example). This is
	primarily to make postscreen(8) logging more similar to
	that of smtpd(8). File: postscreen/postscreen_smtpd.c.

	Cleanup: documentation, in preparation for the Postfix 2.8
	stable release.

20110117

	Bugfix (introduced Postfix alpha, or thereabouts): on HP-UX
	the Postfix event engine was deaf for SIGALRM signals.
	Symptoms were killed processes when the watchdog timeout
	was less than max_idle.  The fix is the same as Solaris fix
	20110109. Since we can't know what other systems need this,
	the workaround is enabled by default.  Files: util/sys_defs.h.

	Cleanup: "smtpd_tls_eecdh_grade = strong" by default, instead
	of snapshot-only. File: global/mail_params.h, proto/postconf.proto.

	Cleanup: missing "#include <errno.h>" in util/watchdog.c.

	Bugfix: when compiled without -DUSE_TLS, tlsproxy used the
	wrong server skeleton (multi_server instead of event_server).
	File: tlsproxy/tlsproxy.c.

	Workaround: added a panic check for code that is mis-compiled
	by the HP-UX compiler.  File: postscreen/postscreen.c,
	postscreen/postscreen.h, postscreen/postscreen_state.c.

20110118

	Bugfix: the tls_disable_workarounds word list only included
	workarounds in SSL_OP_ALL. Problem report by Steve Jenkins,
	problem fix by Victor Duchovni. File: tls/tls_misc.c.
	
	Last-minute incompatible syntax change: Postfix now uses
	";" instead of "," to separate DNSBL/DNSWL address filter
	fields inside "[]". The compatibility break is not an issue,
	because the syntax never worked in main.cf. Problem reported
	by Mark Martinec. Files: util/ip_match.c, util/ip_match.in,
	util/ip_match.ref, proto/postconf.proto.
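The reply filter syntax from the 20101124-6 entry, with the ";" separator adopted in this entry, can be matched as sketched below. This is an added example, not Postfix's util/ip_match.c: the function names, the 0..255 bound on each number and the 1/0/-1 return codes are assumptions made for the illustration.

```c
#include <ctype.h>
#include <stdio.h>

/* Parse a decimal number 0..255 at *pp and advance *pp; -1 on error. */
static int parse_octet(const char **pp)
{
    const char *p = *pp;
    int     n = 0, digits = 0;

    while (isdigit((unsigned char) *p)) {
        n = n * 10 + (*p++ - '0');
        if (++digits > 3 || n > 255)
            return -1;
    }
    if (digits == 0)
        return -1;
    *pp = p;
    return n;
}

/*
 * Match one reply octet against one pattern field: either a plain number
 * or "[" item (";" item)* "]", where item is number or number..number.
 * Returns 1 (match), 0 (no match) or -1 (syntax error). The field is
 * always parsed to its end, so a bad pattern is rejected even when an
 * earlier item already matched.
 */
static int match_field(const char **pp, int octet)
{
    const char *p = *pp;
    int     lo, hi, matched = 0;

    if (*p != '[') {
        if ((lo = parse_octet(&p)) < 0)
            return -1;
        *pp = p;
        return lo == octet;
    }
    p++;                                /* skip '[' */
    for (;;) {
        if ((lo = hi = parse_octet(&p)) < 0)
            return -1;
        if (p[0] == '.' && p[1] == '.') {
            p += 2;
            if ((hi = parse_octet(&p)) < lo)    /* also catches -1 */
                return -1;
        }
        if (octet >= lo && octet <= hi)
            matched = 1;
        if (*p == ';')
            p++;
        else if (*p == ']')
            break;
        else
            return -1;                  /* e.g. the "," separator */
    }
    *pp = p + 1;
    return matched;
}

/* Returns 1 if reply matches pattern, 0 if not, -1 on malformed input. */
int dnsbl_reply_match(const char *pattern, const char *reply)
{
    int     i, octet, m, result = 1;

    for (i = 0; i < 4; i++) {
        if (i > 0 && (*pattern++ != '.' || *reply++ != '.'))
            return -1;
        if ((octet = parse_octet(&reply)) < 0)
            return -1;
        if ((m = match_field(&pattern, octet)) < 0)
            return -1;
        if (m == 0)
            result = 0;
    }
    return (*pattern == '\0' && *reply == '\0') ? result : -1;
}

int main(void)
{
    /* Constructed sample filters and DNSBL replies. */
    static const char *cases[][2] = {
        {"127.0.0.[2;4..8]", "127.0.0.5"},
        {"127.0.0.[2;4..8]", "127.0.0.3"},
        {"127.0.0.[2,4..8]", "127.0.0.2"},      /* earlier "," form */
    };

    for (int i = 0; i < 3; i++)
        printf("%-18s %-10s -> %d\n", cases[i][0], cases[i][1],
               dnsbl_reply_match(cases[i][0], cases[i][1]));
    return 0;
}
```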

	Cleanup: postscreen now monitors the AVERAGE latency of
	table access, and complains at most once per minute.  File:
	postscreen/postscreen_dict.c.

	Bugfix: support for the "dunno" command somehow disappeared
	from the postscreen_access_list implementation.  File:
	postscreen/postscreen_access.c.

	Feature: read/write deadlines. Deadlines were introduced
	with postscreen's dummy SMTP engine. In the Postfix SMTP
	client and server, deadlines limit the total amount of time
	to read or write one command line, one response line, or
	one line of message content. This reduces the impact of
	application exhaustion attacks that trickle data one byte
	at a time.  Files: util/vstream.[hc], global/smtp_stream.c.
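The difference between a per-read timeout and a deadline for a whole line (this entry, and the postscreen change under 20101114) shows up with a client that trickles a command one byte at a time. Added example, not Postfix code: read_line(), trickle_demo(), the 100 ms gap and the 300 ms limit are all assumptions chosen for the demonstration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <poll.h>
#include <stdio.h>
#include <time.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

static long now_ms(void)
{
    struct timespec ts;

    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (long) ts.tv_sec * 1000L + ts.tv_nsec / 1000000L;
}

/*
 * Read one '\n'-terminated line from fd into buf.
 * whole_line != 0: limit_ms bounds the time to read the entire line.
 * whole_line == 0: limit_ms is re-armed before every byte (per-read timeout).
 * Returns the line length including '\n', -1 on timeout, -2 on EOF,
 * I/O error or a line longer than size.
 */
ssize_t read_line(int fd, char *buf, size_t size, int limit_ms, int whole_line)
{
    long    deadline = now_ms() + limit_ms;
    size_t  len = 0;

    while (len < size) {
        struct pollfd pfd = {.fd = fd, .events = POLLIN};
        long    wait_ms = whole_line ? deadline - now_ms() : limit_ms;
        int     rc;

        if (wait_ms <= 0)
            return -1;                  /* deadline already passed */
        rc = poll(&pfd, 1, (int) wait_ms);
        if (rc == 0)
            return -1;                  /* nothing arrived in time */
        if (rc < 0) {
            if (errno == EINTR)
                continue;
            return -2;
        }
        if (read(fd, buf + len, 1) != 1)
            return -2;
        if (buf[len++] == '\n')
            return (ssize_t) len;
    }
    return -2;
}

/* Constructed test client: sends "NOOP\r\n" one byte every 100 ms. */
int trickle_demo(int whole_line)
{
    static const char line[] = "NOOP\r\n";
    char    buf[64];
    int     fds[2];
    ssize_t rc;
    pid_t   pid;

    if (pipe(fds) < 0 || (pid = fork()) < 0)
        return -2;
    if (pid == 0) {                     /* child: the slow sender */
        close(fds[0]);
        for (size_t i = 0; i < sizeof(line) - 1; i++) {
            struct timespec gap = {0, 100 * 1000000L};

            nanosleep(&gap, NULL);
            if (write(fds[1], line + i, 1) != 1)
                break;
        }
        _exit(0);
    }
    close(fds[1]);
    rc = read_line(fds[0], buf, sizeof(buf), 300, whole_line);
    close(fds[0]);
    waitpid(pid, NULL, 0);
    return (int) rc;
}

int main(void)
{
    /* The per-read timer never fires: each byte arrives inside 300 ms. */
    printf("per-read timeout : %d\n", trickle_demo(0));
    /* The deadline fires: the whole line needs about 600 ms. */
    printf("per-line deadline: %d\n", trickle_demo(1));
    return 0;
}
```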

	Cleanup: remove #ifdef MIGRATION_WARNING transitional code
	from postscreen. File: postscreen/postscreen.c.

20110125

	Cleaned up and finalized read/write deadline support. Once
	this code has been fielded it can go into Postfix 2.8.1,
	and made available as optional patch for earlier releases.
	Further refinements have only diminishing returns and can
	evolve in the 2.9 release cycle.  File: util/vstream.c.

20110128

	Infrastructure: separate VSTREAM flags for read or write
	errors. Files: util/vbuf.[hc], util/vstream.[hc].

	Cleanup: after write error, the smtp_stream routines now
	disable further network writes. This eliminates the need
	for clumsy code to avoid unwanted I/O while shutting down
	a TLS engine or closing a VSTREAM.  File: util/smtp_stream.c.

20110201

	Cleanup: when verifying that the client_address->client_name
	lookup result resolves to the client_address, request
	hostname->address lookup with the same protocol family (IPv4
	or IPv6) as the client_address.  Files: util/myaddrinfo.[hc],
	smtpd/smtpd_peer.c, qmqpd/qmqpd_peer.c.

20110205

	Infrastructure: vstream_peek_data() primitive to look ahead
	at buffered input. Use vstream_peek() to find out how much,
	and escape() for human presentation.  Files: util/vstream.[hc].

	Cleanup: smtpd(8) and postscreen(8) now log the input that
	triggers an SMTP command pipelining violation. File:
	postscreen/postscreen_smtpd.c, smtpd/smtpd.c.

	Infrastructure: smtp_get() option to skip over input in
	excess of the line length limit. Files: smtp/smtp_stream.[hc].

	Cleanup: handle excessively-long client requests and server
	responses more gracefully, i.e. without losing synchronization.
	Files: smtpd/smtpd_chat.c, smtpd/smtpd_proxy.c, smtp/smtp_chat.c,
	smtpstone/smtp-source.c.

20110207

	Bugfix (introduced Postfix 2.8): segfault with smtpd_tls_loglevel
	>= 3. Files: tls/tls_server.c, tls.h, smtpd.c, tlsproxy.c.

	Cleanup: read/write deadline support for single_server TLS
	applications (i.e. smtpd(8), smtp(8)).  File: tls/tls_bio_ops.c.

20110212

	Infrastructure: run-time switch for read/write deadline
	support. Files: util/vstream.[hc], global/smtp_stream.[hc],
	tls/tls_bio_ops.c.

	Cleanup: configurable read/write deadline support with
	smtpd_per_record_deadline (normal: "no", overload: "yes")
	and smtp_per_record_deadline (default: "no").  Files:
	global/mail_params.h, smtpd/smtpd.c, smtp/smtp.c,
	smtp/smtp_proto.c, proto/postconf.proto, mantools/postlink.

20110213

	Workaround: the TLS library passes the same information via
	different function arguments, and this same information is
	maintained by different functions, so things get out of
	step when code is updated. As of 20110212, tls_client_start()
	needs to set the VSTREAM property of the TLS session object.
	File: tls/tls_client.c.

20110215

	Human factors: the FCRDNS (forward-confirmed reverse DNS)
	checking code now logs "hostname X does not resolve to
	address Y", when a "reverse hostname" lookup result does
	not resolve to the client IP address.  Files: smtpd/smtpd_peer.c,
	qmqpd/qmqpd_peer.c.

20110216

	Cleanup: don't log a "connection reset by peer" error when
	postscreen(8) tries to send a server response.  File:
	postscreen/postscreen_send.c.

20110218

	Cleanup: Postfix now uses long integers for message_size_limit,
	mailbox_size_limit and virtual_mailbox_limit. On LP64 (64-bit
	long and pointer, but 32-bit integer) systems, these message
	and mailbox limits can now exceed 2GB. Files: global/mail_params.c
	global/mail_params.h local/local.c master/event_server.c
	master/mail_server.h master/multi_server.c master/single_server.c
	master/trigger_server.c virtual/virtual.c postconf/extract.awk
	postconf/postconf.c.

20110220

	Cleanup: compiler gripe.  File: util/vstream.c.

20110223

	Cleanup: Debian build tool gripe. File: smtpstone/smtp-sink.c.

20110224

	postscreen(8) support to enforce proper client MX lookup
	policy. Some spambots connect first to a backup MX address
	in the hope that the server has a weaker anti-spam policy.
	By listening on both primary and backup MX addresses,
	postscreen(8) can deny the temporary whitelist status to
	clients that connect only to backup MX hosts, and prevent
	them from talking to a Postfix SMTP server process.

	For example, when 1.2.3.4 is a local backup IP address,
	specify "postscreen_whitelist_interfaces = !1.2.3.4 static:all"
	to disable dynamic whitelisting for clients that connect
	(only) to the backup MX address. Files: mantools/postlink,
	proto/postconf.proto, proto/POSTSCREEN_README.html,
	global/mail_params.h, postscreen/postscreen.c,
	postscreen/postscreen.h, postscreen/postscreen_state.c.

20110225

	Workaround (problem introduced with IPv6 support in Postfix
	2.2): the SMTP client did not support mail to [ipv6:ipv6addr].
	Fix based on a patch by Gurusamy Sarathy (Sophos).  File:
	util/host_port.c and regression test files.

20110227

	Portability: FreeBSD closefrom() support time window.  Sahil
	Tandon. File: util/sys_defs.h.

	Cleanup: each lookup table now has an owner status and UID
	attributes for provenance purposes, even memory-resident
	tables such as pcre, regexp and cidr.  This fixes a problem
	where local(8) ignored the non-root ownership of a regular
	expression-based aliases(5) file.  The table owner status
	is TRUSTED (data straight from root-owned configuration
	file), UNKNOWN (unauthenticated data from proxy or tcp) or
	KNOWN (we actually have an owner UID). With most tables,
	the owner UID is the file owner UID. With LDAP and *SQL,
	the owner UID is the Postfix configuration file owner.
	Files: src/util/dict_unix.c src/util/dict_thash.c
	src/util/dict_static.c src/util/dict_sdbm.c src/util/dict_regexp.c
	src/util/dict_pcre.c src/util/dict_nisplus.c src/util/dict_nis.c
	src/util/dict_ni.c src/util/dict_ht.c src/util/dict_env.c
	src/util/dict_dbm.c src/util/dict_db.c src/util/dict_cidr.c
	src/util/dict_cdb.c src/util/dict_alloc.c src/util/dict.h
	src/util/dict.c src/local/alias.c src/global/dict_sqlite.c
	src/global/dict_pgsql.c src/global/dict_mysql.c
	src/global/dict_ldap.c src/global/cfg_parser.h
	src/global/cfg_parser.c.

20110311

	Feature: Base 32 encoder/decoder per RFC 4648. This code
	was going to be used for long queue IDs, but plans were
	changed. Files: src/util/base32_code.[hc].

20110313

	Bugfix (introduced Postfix 2.8): postscreen DNSBL scoring
	error. When a client disconnected and then reconnected
	before all DNSBL results for the earlier session arrived,
	DNSBL results for the earlier session would be added to the
	score for the later session. Problem report by Larry Vaden.
	Files: dnsblog/dnsblog.c, postscreen/postscreen_dnsbl.c.

	Cleanup: protocol description in dnsblog(8) manpage. File:
	dnsblog/dnsblog.c.

20110314

	Portability: the SUN compiler had trouble with a pointer
	expression of the form ``("text1" "text2") + constant'' so
	we don't try to be so clever. Fix by Victor Duchovni.  File:
	global/mail_params.h.

20110320

	Feature: specify "enable_long_queue_ids = yes" to enable
	support for non-repeating queue IDs (also used as queue
	file names). These queue IDs encode the time and inode
	number with a safe alphabet of the 52 characters 0-9B-Zb-z.
	The alphabet excludes vowels (AEIOUaeiou) to avoid creating
	real words.  The queue ID format is: time in seconds, time
	in microseconds, 'z', inode number (the inode number is
	encoded without using the 'z' character of the safe alphabet).
	Turning on long queue IDs changes the width of the first
	output column of the mailq (postqueue -p) command, and
	changes the appearance of Postfix Message-ID headers to
	queueID@myhostname.  Files: global/file_id.[hc],
	global/safe_ultostr.[hc], global/mail_queue.[hc],
	postsuper/postsuper.c, showq/showq.c
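
	Added example (not Postfix source code): a decoder for the
	long queue ID layout described above, useful for recovering the
	creation time and inode from an ID seen in a log. The 4-character
	microseconds field, the names, and the sample ID are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Safe alphabet per the entry above: 0-9, B-Z, b-z with the vowels removed. */
static const char SAFE[] = "0123456789BCDFGHJKLMNPQRSTVWXYZbcdfghjklmnpqrstvwxyz";
#define USEC_WIDTH 4   /* assumption: microseconds use a fixed 4-character field */

struct long_qid { long long sec, usec, inode; };

/* Decode n digits in `base`; -1 on an out-of-alphabet character or bad length. */
static long long safe_decode(const char *s, size_t n, int base)
{
    long long v = 0;
    if (n == 0 || n > 11)               /* 52^11 < 2^63, so no overflow below */
        return -1;
    for (size_t i = 0; i < n; i++) {
        const char *p = memchr(SAFE, s[i], (size_t) base);
        if (p == NULL)
            return -1;
        v = v * base + (p - SAFE);
    }
    return v;
}

/* Parse seconds, microseconds, 'z', inode. Returns 0, or -1 if malformed. */
int parse_long_qid(const char *id, struct long_qid *out)
{
    /* 'z' is a legal base-52 time digit but never an inode digit (base 51),
       so the separator is the LAST 'z' in the ID. */
    const char *sep = strrchr(id, 'z');

    if (sep == NULL || sep - id <= USEC_WIDTH)
        return -1;
    out->sec = safe_decode(id, (size_t) (sep - id) - USEC_WIDTH, 52);
    out->usec = safe_decode(sep - USEC_WIDTH, USEC_WIDTH, 52);
    out->inode = safe_decode(sep + 1, strlen(sep + 1), 51);
    if (out->sec < 0 || out->usec < 0 || out->usec > 999999 || out->inode < 0)
        return -1;
    return 0;
}

int main(void)
{
    struct long_qid q;
    const char *id = "3Pt2mN0z00z1B";   /* constructed sample ID */
    if (parse_long_qid(id, &q) == 0)
        printf("%s: sec=%lld usec=%lld inode=%lld\n", id, q.sec, q.usec, q.inode);
    return 0;
}
```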

20110321

	Performance: with long queue file names, queue hashing now
	produces the same result as with short names. Postfix uses
	the hexadecimal representation of the file creation time
	in microseconds, instead of the beginning of the file name
	which changes once every year or so, a problem that was
	reported by Victor Duchovni. The base 16 encoding gives
	finer control over the number of directories than possible
	with base 52 encoding.  Files: global/mail_queue.[hc]. This
	change requires "postfix reload".

20110322

	Cleanup: preserve the microseconds value when renaming
	long->short or short->short queue file names.  As a side
	benefit, renaming long->short queue IDs will not change the
	result from queue hashing.  File: postsuper/postsuper.c.

20110323

	Bitrot: qshape regexp pattern for long queue file names.
	Ralf Hildebrandt. File: auxiliary/qshape/qshape.pl.

	Bitrot: text about queue ID reuse in the postsuper manpage.
	File: postsuper/postsuper.c.

20110328

	Cleanup: don't log warnings about socket shutdown() errors
	after a connection breaks. Postfix calls shutdown() to avoid
	unnecessary socket write timeouts. This is only an optimization,
	and failure is not critical.  File: global/smtp_stream.c.

20110411

	Cleanup: postscreen(8) and verify(8) daemons now lock their
	respective cache file exclusively upon open, to avoid massive
	cache corruption by unsupported sharing. Files: util/dict.h,
	util/dict_open.c, verify/verify.c, postscreen/postscreen.c.

20110414

	Bugfix (introduced with Postfix SASL patch 20000314): don't
	reuse a server Cyrus SASL handle after authentication
	failure. File: smtpd/smtpd_proto.c.

20110418

	Bugfix (introduced Postfix 2.3 and Postfix 2.7): the Milter
	client reported some "file too large" errors as temporary
	errors. Problem reported by Michael Tokarev. Files:
	milter/milter8.c, cleanup/cleanup_milter.c.

20110420

	Performance: a high load of DSN success notification requests
	could stall the queue manager. Solution: make the trace
	client asynchronous, just like the bounce and defer clients.
	Problem reported by Eduardo M. Stelmaszczyk of terra.com.br.
	Files: global/abounce.[hc], *qmgr/qmgr_active.c (the
	qmgr_active.c files are identical).

20110421

	Cleanup: updated abounce warning message, and added a safety
	timeout to abounce() etc. requests. File: global/abounce.c.

20110426

	Bugfix (introduced in Postfix 1.1, duplicated in Postfix
	2.3, unrelated mistake in Postfix 2.7): the local(8) delivery
	agent ignored table lookup errors in mailbox_command_maps,
	mailbox_transport_maps, fallback_transport_maps and (while
	bouncing mail to alias) alias owner lookup. Problem reported
	by William Ono. Files: local/command.c, local/mailbox.c,
	local/unknown.c, local/bounce_workaround.c.

20110516

	Update the warning when permit_naked_ip_address is used,
	and add permit_sasl_authenticated to the list of suggested
	alternatives.  File: smtpd/smtpd_check.c.

20110601

	Bugfix (introduced Postfix 2.6 with master_service_disable):
	loop control error when parsing a malformed master.cf file.
	Found by Coverity. File: master/master_ent.c.

20110602

	Bugfix (introduced: Postfix 2.7): "sendmail -t" reported
	"protocol error" after queue file write error.  File:
	postdrop/postdrop.c.

20110605

	Cleanup: removed the PSC_STATE_FLAG_CACHE_EXPIRED flag.
	Nothing uses this anymore. Files: postscreen/postscreen.h,
	postscreen/postscreen_state.c, postscreen/postscreen_tests.c.

20110614

	Linux kernel version 3 support. Linus Torvalds has reset
	the counters for reasons not related to changes in code.
	Files: makedefs, util/sys_defs.h.

20110615

	Workaround: some Spamhaus RHSBL rejects lookups with "No
	IP queries" even if the name has an alphanumerical prefix.
	We play safe, and skip both RHSBL and RHSWL queries for
	names ending in a numerical suffix.  File: smtpd/smtpd_check.c.

20110624

	Cleanup: added error checks for smtpd access primitives
	that don't automatically terminate the program after table
	lookup error: these primitives are permit_tls_clientcerts,
	permit_tls_all_clientcerts, and check_address_map (the last
	one is used in local_header_rewrite_clients only).  File:
	smtpd/smtpd_check.c.

20110729

	Workaround: some getpwnam() and getpwuid() implementations
	cause mail to bounce ("user unknown") after LDAP etc. lookup
	error. Postfix now uses POSIX getpwnam_r() and getpwuid_r()
	where available. Initially, this workaround supports FreeBSD,
	Solaris and Linux. Files: makedefs, util/sys_defs.h,
	global/mypwd.[hc], local/alias.c, local/dotforward.c,
	local/include.c, local/mailbox.c, local/recipient.c.

20110731

	MacOS X 10.5 supports POSIX getpwnam_r() and getpwuid_r()
	(source: MacOS manpages at www.freebsd.org). If MacOS turns
	out to make a false promise, then we will undo this change.
	Files: makedefs, util/sys_defs.h.

20110810

	Cleanup: optimize an optimization to avoid uid->name lookup
	when all users are authorized with authorized_submit_users,
	authorized_mailq_users, authorized_flush_users.  File:
	global/user_acl.c.

20110811

	Workaround: report a {client_connections} Milter macro value
	of zero instead of garbage, when the remote SMTP client is
	not subject to any smtpd_client_* limits. Problem reported
	by Christian Roessner. Files: smtpd/smtpd_state.c,
	proto/MILTER_README.html.

20110817

	Cleanup: avoid misleading error messages after future code
	change. The tls_bio_ops(3) module now returns non-zero errno
	values only when requests fail due to a system-call error.
	File: tls/tls_bio_ops.c.

	Cleanup: TLS handshake error messages. The SMTP client and
	server now report STARTTLS network errors as "connection
	timed out", "connection reset by peer", etc., instead of
	reporting TLS error number 0.  Files: tls/tls_bio_ops.c,
	tls/tls_server.c, tls/tls_client.c.

20110818

	Cleanup: VSTREAM-over-TLS error return values, for robustness
	against future change.  For consistency with VSTREAM internal
	interfaces, the tls_stream(3) read/write routines now return
	-1 instead of unspecified negative OpenSSL results.  File:
	tls/tls_stream.c.

20110819

	Cleanup: further TLS code cleanups, for robustness against
	future change.  Unexpected TLS errors are no longer silently
	treated as ordinary errors, and one corner-case error in TLS
	timeout handling was fixed before it could cause trouble.
	File: tls/tls_bio_ops.c.

20110821-24

	Cleanup: simplified the TLS read/write deadline implementation,
	and documented why this same simplification is not possible
	higher-up, at the VSTREAM level. Files: tls/tls_bio_ops.c,
	util/vstream.c.

20110831

	Bugfix: allow for Milters that send an SMTP server reply
	without RFC 3463 enhanced status code. Reported by Vladimir
	Vassiliev.  File: milter/milter8.c.

20110902

	Cleanup: don't log vstream_tweak "connection reset by peer"
	errors. File: util/vstream_tweak.c.

20110904-7

	Bugfix: master daemon panic with "master_spawn: at process
	limit", when "postfix reload" reduces the process limit
	from (a value larger than the current process count for
	some service) to (a value <= the current process count),
	and then a new connection is made to that service. This
	structural solution centralizes the decision to monitor a
	service port (or not). To improve robustness against future
	code changes, it clarifies some of the internal dependencies
	that exist inside the master daemon.  Files: master/master.h,
	master/master_avail.c, master/master_conf.c,
	master/master_service.c, master/master_spawn.c.

20110911

	Debugging: report the request size when memory allocation
	fails.  File: util/mymalloc.c.

20110914

	Incompatibility: the default inet_protocols value is now
	"all" instead of "ipv4", meaning use both IPv4 and IPv6.
	As a compatibility workaround for sites without global IPv6
	connectivity, the commands "make upgrade" and "postfix
	upgrade-configuration" append "inet_protocols = ipv4" to
	main.cf when no explicit setting is present.  This compatibility
	workaround will be phased out in a future release.  Files:
	util/sys_defs.h, conf/post-install, proto/postconf.proto.

	Incompatibility: the default smtp_address_preference value
	is now "any" instead of "ipv6", meaning choose randomly
	between IPv6 and IPv4.  With this the Postfix SMTP client
	will have more success delivering mail to sites that have
	problematic IPv6 configurations.  Files: global/mail_params.h,
	proto/postconf.proto.

20110918

	Workaround for multiple ancient FreeBSD getsockopt() bugs
	after non-blocking connect fails with 'host unreachable'
	that resulted in an unreasonable memory allocation request.
	File: util/vstream_tweak.c.

20110921

	Bugfix (introduced: Postfix 1.1): smtpd(8) did not sanitize
	newline characters in cleanup(8) REJECT messages, causing
	them to be sent out via SMTP as bare newline characters.
	This happened when a REJECT pattern matched multi-line
	header text.  Discovered by Kevin Locke.  File: smtpd/smtpd.c.

20110922

	Bugfix (introduced: Postfix 2.1): smtpd(8) sent multi-line
	responses from a before-queue content filter as text with
	bare <LF> instead of <CR><LF>.  Found during code maintenance.
	File: smtpd/smtpd_proxy.c.
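
	Added example (not Postfix source code) for the 20110921 and
	20110922 entries: one way to turn reply text that may contain
	embedded newlines into a well-formed multi-line SMTP reply, plus
	a check that flags bare <CR> or <LF>. All names and the sample
	text are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Write `text` as an SMTP reply with status `code` into `out`. Each embedded
 * LF (or CRLF) starts a "code-" continuation line; other control characters
 * except HT become '?'. Returns bytes written, or -1 if `out` is too small. */
int smtp_format_reply(int code, const char *text, char *out, size_t outlen)
{
    size_t used = 0;

    if (code < 200 || code > 599)
        return -1;
    for (;;) {
        size_t len = strcspn(text, "\n");
        size_t body = (len > 0 && text[len - 1] == '\r') ? len - 1 : len;
        int last = (text[len] == '\0');

        if (used + 4 + body + 2 + 1 > outlen)   /* code, sep, CRLF, NUL */
            return -1;
        used += (size_t) sprintf(out + used, "%03d%c", code, last ? ' ' : '-');
        for (size_t i = 0; i < body; i++) {
            unsigned char c = (unsigned char) text[i];
            int bad = (c < 0x20 && c != '\t') || c == 0x7f;
            out[used++] = bad ? '?' : (char) c;
        }
        memcpy(out + used, "\r\n", 3);          /* CR, LF and terminating NUL */
        used += 2;
        if (last) return (int) used;
        text += len + 1;
    }
}

/* Return 1 if s contains a CR or LF that is not part of a CRLF pair. */
int has_bare_newline(const char *s)
{
    for (size_t i = 0; s[i] != '\0'; i++) {
        if (s[i] == '\n' && (i == 0 || s[i - 1] != '\r')) return 1;
        if (s[i] == '\r' && s[i + 1] != '\n') return 1;
    }
    return 0;
}

int main(void)
{
    char buf[256];
    /* Constructed sample: reject text quoting a folded (multi-line) header. */
    if (smtp_format_reply(550, "5.7.1 Subject: spam\n continued", buf, sizeof buf) > 0)
        fputs(buf, stdout);
    return 0;
}
```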

20111011

	Cleanup: for consistency with the SMTP standard, the
	smtp_line_length_limit default value was increased from 990
	characters to 998 (i.e. 1000 characters including <CR><LF>).
	File: global/mail_params.h, proto/postconf.proto.

	Cleanup: the Postfix sendmail command now always transforms
	all input lines ending in <CR><LF> into UNIX format (lines
	ending in <LF>).  This simplifies integration with third-party
	mail generating applications. Specify "sendmail_fix_line_endings