HISTORY

	Feature: "reject_rhsbl <domain>" for sender domain
	blacklisting.  Provides the same per-domain customized
	response message mechanisms with $name expansion as
	reject_rbl.

	Safety: the smtpd_expansion_filter parameter controls what
	characters are allowed in the expansion of $name macros in
	template RBL responses.

	Cleanup. In order to make sensible warnings possible when
	expanding a non-existent $name in RBL reply templates,
	mac_expand() had to be changed so that an empty string
	result (i.e. the name does exist) will no longer cause
	${name?text} to succeed.  File:  util/mac_expand.c.

20020923

	Cleanup. Renamed the RBL features according to a scheme
	that was suggested by Liviu Daia in October 2001. The names
	are reject_rbl_client and reject_rhsbl_sender, respectively.
	Added domain name based reject_rhsbl_client and
	reject_rhsbl_recipient restrictions for completeness.  The
	reject_rbl restriction name is still recognized for
	compatibility with systems maintained by LaMont Jones.

20020924

	Bugfix: reject_rhsbl_<mumble> was broken when <mumble> was
	unavailable, causing the restrictions parser to get out if
	sync. Spotted by Ralf Hildebrandt.  File:  smtpd/smtpd_check.c.

20020928

	Bugfix: missing %s in the 20020923 RBL code. This was not
	exploitable because Postfix implements only a safe subset
	of all printf format operators and because memory for the
	result is dynamically allocated.  Victor Duchovni. File:
	smtpd/smtpd_check.c.

20020929

	Updated MacOSX support scripts from Gerben Wierda.  Files:
	auxiliary/MacOSX/*.

20021009

	Bugfix: SIZE errors should be reported at MAIL FROM time,
	and should not be postponed (with smtpd_delay_reject = yes)
	until RCPT TO time. Reported by Jeroen Scheerder, Utrecht
	University. Files: smtpd/smtpd.c smtpd/smtpd_check.c.

20021013

	When Postfix development started, Linux mail delivery
	software such as procmail did not use kernel locks, and
	Postfix picked one that seemed plausible, namely, flock().
	In the mean time, Linux mail delivery software seems to
	have standardized on fcntl() locks. File: util/sys_defs.h.

	Feature: body_checks_size_limit parameter to specify how
	much of a message body segment (or attachment, if you prefer
	to use that term) is subjected to body_checks inspection.
	Default limit:  50 kbytes. Files:  global/mime_state.c,
	cleanup/cleanup_message.c.

20021015

	Bugfix: the code for missing postmaster/mailer-daemon
	aliases had to be moved after the code that implements the
	luser_relay feature. Files: local/alias.c, local/unknown.c.

	Weird? The LMTP client lowercased the MAIL FROM and RCPT
	TO addresses. Some remnant of code that someone put in
	there long ago. File: lmtp/lmtp_proto.c.

20021024

	Feature: proxy_interfaces parameter. Specify your NAT or
	other proxy addresses here to avoid mail delivery loops.
	Files: global/mail_params.[hc] global/own_inet_addr.[hc]
	global/resolve_local.c smtp/smtp_addr.c smtpd/smtpd_check.c.

	Paranoia: defend against a very unlikely false alarm in
	safe_open().

20021025

	Feature: X-Original-To: message headers with the raw original
	envelope recipient.

	Logging: status=sent/deferred/bounced/ logging now includes
	the original recipient address if it differs from the final
	address.

20021026

	Logging: SMTP UCE reject/warn/hold/discard logging now
	includes queue ID. This will break some logfile analyzers.

	Logging: SMTP UCE reject/warn/hold/discard logging now
	includes the protocol name and, if available, the hostname
	given in the SMTP HELO or EHLO command.

	Logging: header/body_checks reject/warn/hold/discard logging
	now includes the protocol name and, if available, the
	hostname given in the SMTP HELO or EHLO command.

20021028

	Bugfix: don't reset state after rejected EHLO. Reset state
	after HELO. Reported by Karthikeyan Bhargavan, upenn.edu.
	Files: smtpd/smtpd.c.

20021029

	Bugfix: local(8) did not prepend an X-Original-To:  message
	header while delivering to command, and local(8) did not
	document the X-Original-To:  message header.

	Workaround: DJBDNS produces a bogus A record when given a
	numerical hostname. File: dns/dns_lookup.c.

20021030

	Portability: support for Berkeley DB version 4.0 but not
	for Berkeley DB version 4.1 (yes, the API is different).
	Postfix is now going to be paranoid about the minor version
	number, too. File:  util/dict_db.c.

	Documentation: updated LMTP_README file by Amos Gouaux.

20021031

	Bugfix: (bug introduced 20021026) log NOQUEUE when rejecting
	ETRN, instead of trying to log a non-existent queue ID.
	Victor Duchovni, Morgan Stanley. File: smtpd/smtpd_check.c.

	Cleanup: allow optional text after commands in SMTPD access
	maps. Based on initial effort by Victor Duchovni, Morgan
	Stanley. File: smtpd/smtpd_check.c.

	Portability: support for Berkeley DB version 4.1.  This
	version refuses to open zero-length files. This complicates
	lock management and requires extra code to remove broken
	files. Files:  util/dict_db.c, global/mkmap*.[hc].

20021101

	Bugfix: don't complain about out-of-order original recipient
	records for finished recipients. Files:  *qmgr/qmgr_message.c,
	cleanup/cleanup_envelope.c, cleanup/cleanup_extracted.c.

	Cleanup: further simplified the mkmap wrapper (used by
	postmap and postalias only) to remove some hurdles for
	Michael Tokarev's CDB support. Files: global/mkmap*.[hc].

20021105

	Postalias now produces YP_LAST_MODIFIED and YP_MASTER_NAME
	records only when NIS support is compiled in. File:
	postalias.c.

20021106

	Postalias now puts $myhostname in the YP_MASTER_NAME record,
	instead of the possibly bogus gethostname() result.  File:
	postalias.c.

	The PCRE map code did not reject non-numeric replacement
	indices in replacement text, and silently treated $text as
	$0. Found by Michael Tokarev. File: dict_pcre.c.

20021108

	Cleanup: the behavior of the SMTP server's defer_if_permit
	flag was changed, in order to maximize the opportunity to
	permanently reject mail without opening opportunities for
	losing legitimate mail. This was done in cooperation with
	Victor Duchovni, Morgan Stanley. File: smtpd/smtpd_check.c.

	The defer_if_permit flag is still set when an UCE reject
	restriction fails due to a temporary (e.g., DNS) problem,
	to prevent unwanted mail from slipping through. However,
	the flag is no longer tested at the end of client, helo or
	sender restrictions.  Instead, the flag is now tested at
	the end of the ETRN and recipient restrictions only.

	The behavior of the warn_if_reject restriction has changed.
	It no longer activates any already made defer_if_permit or
	defer_if_reject decisions (the defer_if_reject flag is set
	when some UCE permit restriction fails due to a temporary
	(DNS) problem, to avoid loss of legitimate mail).

	Bugfix: instead of setting the defer_if_permit flag, a
	failing reject restriction after warn_if_reject now merely
	logs that it would have caused mail to be deferred.

	A failing permit restriction after warn_if_reject still
	raises the defer_if_reject flag, to avoid loss of legitimate
	mail.

20021109

	Bugfix: a misguided change to the .forward macro expansion
	filter broke .forward file lookup.

	Bugfix: missing defer_if_permit test in smtpd_data_restrictions.
	Victor Duchovni. File:  smtpd/smtpd_check.c.

20021112

	Robustness: increase the mime_nesting_limit from 20 to 100,
	so that bounces can't loop. Each bounces increases the MIME
	nesting level by one.  Ralf Hildebrandt and Victor Duchovni.

20021113

	Robustness: reinstated SMTP client command flushing to
	avoid pipeline stalls.  File: smtp/smtp_chat.c.

20021114

	Robustness: distinguish between timeout and "lost connection"
	when the SMTP server is unable to send a reply to the remote
	client. File: smtpd/smtpd_chat.c.

20021115

	Bugfix: initialization error with "*" transport table
	lookup, reported by LaMont Jones. The transport map lookup
	code had grown into a monster and needed to be replaced.
	trivial-rewrite/transport.c.

20021115

	Start implementing recipient verification. For now this is
	done by adding trace flags to queue files. In case of a
	verification request, a delivery agent does not deliver,
	deliver, it just records what would happen.

	This required instrumenting the bounce/defer/sent logging
	routines to send their data to the right place depending
	on the type of delivery request.

20021116

	New trace service. This is used for reporting if a recipient
	is deliverable (sendmail -bv) and for producing a record
	of delivery attempts (sendmail -v). The report is sent via
	email, using the bounce daemon. Files: global/trace.[hc].

	This required replacing the bounce/defer logfile format by
	an extensible name=value format. Files: global/bounce_log.c,
	bounce/bounce_append_service.c.

20021117

	New address verification service with simple expiration
	and refresh policy. Storage can be in-core or in permanent
	table. The daemon is appropriately called "verify". Files:
	global/verify_clnt.[hc], verify/verify.c.

20021118

	Cleaning up the code for tracing and verification. Files:
	global/{log_adhoc,bounce,defer,trace,verify}.[hc].

20021119

	New address_verification_negative_cache = yes/no parameter
	controls whether Postfix stores the result of negatieve
	address verification probes. This reduces cache pollution
	but causes Postfix to send a probe for each address
	verification service query. File: verify/verify.c.

	Added optimistic caching to the verify daemon, so that one
	failed probe will not clobber a known to be good address.
	As long as some probes succeeed, a good address will stay
	cached as OK.

	Cleaning up of the bounce daemon's code for bounce, delayed
	mail warning and trace notification.  Files: bounce/*.[hc],
	global/bounce_log.c.

20021120

	Changed the probe's sender address to "postmaster" so that
	we get better information about the address we're testing.
	File: verify/verify.c.

	Added some paranoia to the routine that reads data from
	the address verification cache. Ignore data that is obviously
	bogus. File: verify/verify.c.

20021121

	Bugfix: garbage in "user@garbage"@domain address forms may
	cause the SMTP or LMTP client to terminate with a fatal
	error exit because garbage/tcp is not an existing service.
	This cannot be abused to cause the SMTP or LMTP client to
	send data into unauthorized ports.  Files: *qmgr/qmgr_message.c,
	trivial-rewrite/resolve.c.

20021124

	Bugfix: don't use same VSTRING buffer for reading and
	writing.  File: verify/verify.c.

20021128

	Feature: hashed hold queue support, with hashing turned on
	by default. Omission spotted by Victor Duchovni, Morgan
	Stanley. Files: global/hold_message.c, global/mail_params.h.

	Bugfix: the LMTP client lost the port(service) information
	when parsing host:port information. Victor Duchovni, Morgan
	Stanley. Fix is to have a new host_port(3) module that does
	the parsing for the SMTP and LMTP clients.

	Cleanup: host_port() routine that parses host/port information
	more consistently than the existing code in the LMTP and
	SMTP clients. Files: smtp/smtp_connect.c, lmtp/lmtp_connect.c,
	util/host_port.[hc].

20021130

	Cleanup: defer mail when recipient verification takes too
	long. File: smtpd/smtpd_proto.c.

	Feature: new reject_multi_recipient_bounce restriction, to
	reject "MAIL FROM: <>" with multiple recipients.  File:
	smtpd/smtpd_check.c.

20021201

	Compatibility: ignore the new Sendmail -A option. File:
	sendmail/sendmail.c.

	Workaround: sendmail -v now produces no output. You need
	to specify -v -v instead. This is to avoid problems when
	people request verbose mail delivery in their mail.rc file.
	File:  sendmail/sendmail.c.

20021202

	Cleanup: hash_queue_depth now defaults to 1 level of
	subdirectories. This makes "mailq" faster on most systems,
	but will result in poorer worst-case performance when lots
	of mail is queued.

	The check_relay_domains restriction is going away. The SMTP
	server logs a warning and suggests using reject_unauth_destination
	instead.

	Cleanup: the local(8) and virtual(8) delivery agents did
	not prepend X-Original-To: addresses to maildir files.
	Omission spotted by Matthias Andree.

	Specify "address_verify_sender=" or "address_verify_sender=<>"
	to use a null sender address while doing address verification
	probes.  Beware, doing so may trigger false negatives
	because some sites reject mail from the null sender, even
	though this is required by RFC standards.

	Bugfix: too many levels of dereferencing while testing for
	missing reject_rbl_mumble domain names. Patrik Rak.  File:
	smtpd/smtpd_check.c.

20021203

	Bugfix: the FILTER access table action included the FILTER
	command in the filter request, where only the transport+destination
	were expected. Noel Jones. File smtpd/smtpd_check.c.

	Cleanup: virtual_maps is now called virtual_alias_maps, in
	order to better distinguish it from virtual_mailbox_maps.
	The default value is $virtual_maps for backwards compatibility.

	New parameters virtual_alias_domains and virtual_mailbox_domains
	for the "domain.tld whatever" lookups.  These use the same
	syntax as the mydestination parameter.  Default settings
	are backwards compatible with Postfix 1.1.

	Concept: just like $mydestination+$inet_interfaces control
	what routes to $local_transport, $virtual_mailbox_domains
	now controls what routes to $virtual_transport (default
	transport:  virtual), and $relay_domains now controls what
	routes to $relay_transport (default transport: relay, a
	clone of the smtp transport).  Everything else routes to
	$default_transport as before.  This eliminates the need
	for transport map entries for every virtual(8) domain, and
	avoids performance problems with inbound relay mail. This
	was improvement was suggested by Victor Duchovni. File:
	trivial-rewrite/resolve.c.

20021206

	Cleanup: do allow regexps in aliases, virtual mailbox maps
	but do not allow regular expression substitutions. Files:
	util/dict.h, util/dict_regexp.c, util/dict_pcre.c.

20021207

	Cleanup: deleted the description of sendmail-style virtual
	domains from the virtual(5) manual page. This part of
	Postfix was too confusing.

	Performance: RFC 2821 blesses the use of CNAME domain names
	in MAIL FROM and RCPT TO. Not having to expand CNAME domain
	names speeds things up a bit.  File:  smtp/smtp_proto.c.

	Workaround: exclude error mailer destinations from transport
	mapping lookups :-(. File: trivial-rewrite/resolve.c.

	Cleanup: relocated_maps lookups are now moved to the
	trivial-rewrite server. As of now, the queue manager no
	longer does any map lookups, so it won't restart when maps
	change. Files:  *qmgr/qmgr_message.c, trivial-rewrite/resolve.c.

	Robustness: because the trivial-rewrite server now does
	many more table lookups, some of which are often LDAP or
	SQL based, trivial-rewrite clients must be be prepared for
	the case that the resolver reports a failure while processing
	a request (when it was unable to access a lookup table).
	Files:  trivial-rewrite/resolve.c, local/resolve.c,
	smtpd/smtpd_check.c.

	Robustness: moving possible LDAP or SQL table lookups into
	the trivial-rewrite server also required that trivial-rewrite
	be running as multiple processes to reduce lookup latencies.
	Files:  master/multi-server.c.

	Workaround: don't discard all the DNS lookup results when
	only one of the results has a malformed name or address.
	File:  dns/dns_lookup.c.

20021208

	Cleanup: with the preliminary address domain classification
	concept as implemented by the trivial-rewrite address
	resolver, a lot of table lookups could be eliminated from
	the SMTP server.  Files: smtpd/smtpd_check.c.

	Feature: new relay_recipient_maps parameter, for optional
	maps with all the recipients in the domains that match
	$relay_domains (so you can reject mail for unknown relay
	recipients). This is for consistency with virtual_xx_maps
	and virtual_xx_domains, and with local_recipient_maps and
	the local delivery agent.  File:  smtpd/smtpd_check.c.

	Cleanup: removed support for obsolete #number domain forms.
	File: smtpd/smtpd_check.c.

20021209

	The Postfix installation procedure no longer sets the
	"chattr +S" bit on Linux queue directories. Wietse has
	gotten too annoyed with naive reviewers who complain about
	performance without having a clue of what they are comparing.

	"Security": local_recipient_maps is now turned on by default,
	to reject mail for non-existent users at the SMTP port.
	See conf/main.cf for instructions, section REJECTING UNKNOWN
	LOCAL USERS.

	Safety: detection of missing or inaccessible passwd file
	database, to prevent massive complaints from people who
	suddenly lose all their mail because local_recipient_maps
	is now turned on by default.

20021210

	Feature: recipient address verification, using the code
	that already implements sender address verification.  Based
	on suggestion by Matthias Andree.  Files: src/smtpd/smtpd.c,
	src/smtpd/smtpd_check.c.

20021211

	Performance: doubled the default process limit (50->100)
	and default queue manager active queue message/recipient
	limits  (10k->20k).  File:  global/mail_params.h.

	Bugfix: the change that begot us multiple trivial-rewrite
	processes (good) also gave us multiple verify daemons (bad).
	File: conf/post-install.

20021212

	Cleanup: allow transport map lookups to override error
	mailer results (to avoid breaking existing installations),
	and do transport map lookups before relocated map lookups.
	Files:  trivial-rewrite/resolve.c, trivial-rewrite/transport.c.

	Shortened the verify server's negative cache refresh time
	from 12 hours to 2 hours. File:  global/mail_params.h.

	Admin friendliness: the SMTP server now reports "User
	unknown in {local recipient | virtual alias | virtual
	mailbox | relay recipient} table". This will make trouble
	shooting a little easier. Files: smtpd/smtpd_check.c,
	trivial-rewrite/resolve.c.

20021213

	Cleanup: transport map entries with null nexthop ignored
	relayhost settings. Making the code simpler also made it
	more correct. Files: trivial-rewrite/resolve.c,
	trivial-rewrite/transport.c.

	Feature: "helpful_warnings" (default: yes) that can be
	turned off if you really know what you're doing and want
	to eliminate some unnecessary work.

	Feature: enforcement of master.cf process limits for
	processes such as qmgr and pickup that must run alone, and
	processes such as cleanup and bounce that must run without
	explicit process count limit. If an incorrect process limit
	is specified in master.cf the service aborts.

20021214

	Cleanup: it looks like we finally get it right with transport
	lookup table entries that either override or specify an
	error transport without updating the nexthop information.
	File:  trivial-rewrite/resolve.c.

	Robustness: don't probe the sender address when probed for
	our own address verification probe sender address. File:
	smtpd/smtpd_check.c.

	Performance: don't do UCE checks (which may result in 4xx
	SMTP reply codes, and thus, repeated delivery attempts)
	when we already know that the recipient does not exist.
	Files:  smtpd/smtpd.c, smtpd/smtpd_check.c.

20021215

	Cleanup: further simplification of transport map handling
	after some really fine hair splitting with Victor Duchovni.
	Files: trivial-rewrite/resolve.c, trivial-rewrite/transport.c.

20021216

	Workaround:  transform the address local-part into unquoted
	form only when the address domain is local and the local-part
	contains routing operators.  Otherwise, we may damage the
	address local-part by inserting space between non-operator
	tokens. Some people use weird addresses and expect them to
	be handled without damage.  File: trivial-rewrite/resolve.c.

	Robustness: scan the resolved recipient address for routing
	operators in the address local-part, even when the local
	MTA does not recognize ! and % as valid operators.  File:
	trivial-rewrite/resolve.c.

	Cleanup: the address rewriting code no longer tries to
	rewrite broken user@ or user@. address forms into even more
	broken forms. bother. File: trivial-rewrite/rewrite.c.

	Cleanup: the address resolver code now treates forms ending
	in @ in a more rational manner (because the address rewriting
	code no longer messes up by appending .my.domain).

	Bugfix: a null address local-part before @domain now is
	properly quoted just like the null address. File:
	global/quote_82[12]_local.c.

20021217

	Cleanup: more work on the trivial-rewrite address rewriting
	and address resolving code. New regression tests for address
	rewriting and resolving that make some assumptions about
	main.cf settings. Files: global/Makefile.in (assumptions),
	global/rewrite_clnt.in, global/rewrite_clnt.ref,
	global/resolve_clnt.in, global/resolve_clnt.ref.

	Safety: configurable SMTPD reject codes for recipients not
	in {local,relay}_recipient,virtual_{alias,mailbox}}_maps,
	aptly named unknown_mumble_reject_code.  Postfix installs
	with unknown_local_recipient_reject_code=450, unless the
	site already ran Postfix with local_recipient_maps enabled.
	Files:  smtpd/smtpd.c, smtpd/smtpd_check.c, conf/post-install.

20021218

	Feature: specify unverified_recipient_reject_code=250 or
	unverified_sender_reject_code=250 to accept mail for an
	address that is known to bounce. File: smtpd/smtpd_check.c.

20021219

	Bugfix: longjmp() while sending "go away" without setjmp()
	in the QMQP server. Patrik Rak. File: qmqpd/qmqpd.c.

	Safety: the XVERP extension is restricted to clients listed
	in the authorized_verp_clients list (default: $mynetworks).
	File: smtpd/smtpd.c.

	Workaround: preliminary IPV6 support in valid_hostliteral().
	File: util/valid_hostname.c.

20021220

	Bugfix: the reject_multi_recipient_bounce restriction had
	an off-by-one error when used in smtpd_data_restrictions.
	File: smtpd/smtpd_check.c.

	Feature: new check_recipient_maps restriction that gives
	finer control over when unknown recipients are rejected.
	As with Postfix 1.1, the default is to do this at the end
	of the recipient restrictions. Sites that want to improve
	performance can put check_recipient_maps at the start of
	the smtpd_client_restrictions list and avoid doing unnecessary
	RBL lookups etc.  File:  smtpd/smtpd_check.c.

	Feature: new show_user_unknown_recipient_table parameter
	controls whether or not to reveal the lookup table name in
	"User unknown" responses. The extra detail makes trouble
	shooting easier but also reveals information that is nobody
	elses business.

20021221

	Workaround: don't allow the transport map to override the
	virtual alias class (error:User unknown) result.  File:
	trivial-rewrite/transport.c.

20030101

	Documentation update: new-style virtual domains broke the
	advanced content filtering example. Files: FILTER_README,
	RELEASE_NOTES-2.0.

20030102

	Cleanup: use different client instances when the same map
	is opened with different flags. File: global/maps.c.

	Feature: proxymap server for Postfix table lookups. This
	helps to consolidate the number of open lookup tables (such
	as MYSQL or LDAP), or to overcome chroot restrictions
	(example: specify proxy:unix:passwd.byname to avoid the
	need for a copy of the UNIX passwd file in chroot jails).
	Files:  global/dict_proxy.[hc], proxymap/proxymap.c

	Cleanup: multiservers such as trivial-rewrite and the new
	proxymap server now enforce the max_use total client number
	limit more agressively, by not accepting new connections
	after the limit is reached.  Based on a patch by Victor
	Duchovni, Morgan Stanley. File:  master/multi_server.c.

20030103

	Cleanup: client stream endpoints not only have an idle time
	limit ($ipc_idle) before a connection is closed, they now
	also have a time to live ($ipc_ttl) to prevent connections
	from becoming too persistent. This allows multi-servers
	such as trivial-rewrite or the proxymap server to refresh
	more frequently on busy systems. File:  global/clnt_stream.c.

20030104

	Cleanup: avoid warnings about flag mismatches when the same
	lookup table is listed under both virtual_alias_maps and
	virtual_mailbox_maps. Files: global/virtual8.h, virtual/virtual.c.

	Bugfix: an obscure memory leak that puzzled me for more
	than a year until I found out how to reproduce it. File:
	util/vstream.c.

20030105

	Cleanup: removed the address syntax check from the queue
	manager, since a better test was implemented recently in
	the trivial-rewrite server. Files: *qmgr/qmgr_message.c.

	Bugfix: redirect bounce/defer to the address verification
	service where appropriate. Files: *qmgr/qmgr_bounce.c,
	*qmgr/qmgr_defer.c.

	Bugfix: "no such file or directory" warnings after "postfix
	reload" when a chrooted smtpd reconnects to the proxy
	service.  Fix: use "private/proxymap" if possible, otherwise
	use "$queue_dir/private/proxymap".  File:  global/dict_proxy.c.

	Robustness: daemons now chdir() to the queue directory
	before running the pre-jail initialization code, so that
	daemons running in stand-alone mode produce more consistent
	results.  Files:  master/single_server.c, master/multi_server.c.
	master/trigger_server.c.

	Bugfix: "sendmail -bs" tried to access the proxymap service.
	It should not try to open any user/domain/uce related tables
	at all. File:  smtpd/smtpd.c.

20030106

	Bugfix: bouncing to owner-alias was broken, i.e. the mail
	kept being deferred, and when that was fixed, another buglet
	came to light. File: bounce/bounce.c.

	Robustness: the master no longer aborts with "address
	already in use" when inet_interfaces specifies the same IP
	address multiple times, or when a TCP service in master.cf
	specifies a hostname for which the same IP address is listed
	multiple times. File: master/master_ent.c.

20030107

	Robustness: check that FILTER actions in SMTPD access maps
	or cleanup header/body_checks have plausible syntax. Files:
	smtpd/smtpd_check.c, cleanup/cleanup_message.c.

20030109

	Cleanup: unnecessary "premature end of file on xxx while
	reading yyy" warnings became exposed after some code
	simplification. Files" global/*_clnt.c, global/dict_proxy.c

	Robustness: undo the change that causes a multi-server
	process to stop accepting new connections while it still
	services existing clients for an extended amount of time.
	We need a better process retirement strategy. File:
	master/multi_server.c.

20030110

	Cleanup: the virtual_mailbox_maps parameter is now optional
	even when virtual_mailbox_domains is. This makes virtual
	mailbox domains more like relay domains and the local
	domain.

	Portability: the makedefs script now uses the pcre-config
	utility to find out where things are installed.

	Bugfix: the SMTP server did not recognize the local built-in
	double bounce address as local. Reported by Matthias Andree.
	For safety sake, threw in the local postmaster address as
	well.  File:  smtpd/smtpd_check.c.

20030113

	Added MAILER-DAEMON to the list of always recognized local
	addresses, since it is generated by Postfix bounces. File:
	smtpd/smtpd_check.c.

20030114

	Bugfix: transport_errno was not reset upon successful
	transport map wildcard lookup after an earlier failure.
	Reported by Victor Duchovni. File:  trivial-rewrite/transport.c.

	Cleanup: unnecessary warnings from the proxymap client
	after proxymap server disconnect. File:  global/dict_proxy.c.

	Cleanup: Patrik Rak found a few more chattr invocations
	that were missed 20021209. Files: postfix-install,
	conf/post-install.

	Cleanup: the pcre-config command can produce null outputs.
	Matthias Andree.  File: makedefs.

	Bugfix: the virtual(8) Makefile included $(AUXLIBS) in the
	dependencies.

20030118

	Typos: some hyperlinks referred to flushd, which is the
	name that was used before the flush service was released.
	Reported by Victor Duchovni.

	Cleanup: smtpd no longer needed to open relocated_maps.

20030119

	Cleanup: bounce messages used "X-Postfix" even when mail_name
	was set to something other than the default "Postfix" name.
	File: bounce/bounce-notify_util.c.

20030120

	Bugfix: wrong FILTER_README instructions for disabling
	virtual alias mapping in the cleanup server before the
	content filter.

	Bugfix: wrong FILTER_README instructions for destination-dependent
	filtering, because relay_domains was specified incorrectly.

20030122

	Bugfix: 20021207 (move relocated table lookup from queue
	manager to trivial-rewrite server) broke relocated table
	lookup results with mail not rejected at the SMTP port.
	Files:  *qmgr/qmgr_deliver.c, *qmgr/qmgr_message.c.

20030123

	Bugfix: a widely used maildir filename algorithm was broken.
	Postfix now uses TIME.DEVICE_INODE.HOST. Files: local/maildir.c,
	virtual/maildir.c.

20030124

	Cleanup: queue structures no longer overload queue name
	and nexthop destination. Files: *qmgr/qmgr_message.c,
	*qmgr/qmgr_queue.c, *qmgr/qmgr_deliver.c.

20030125

	Feature: "REDIRECT user@domain" action in access maps or
	in header/body_checks causes mail to be sent to the specified
	address instead of the intended recipient(s). I would never
	recommend that people use this to redirect (bounced) SPAM
	to the beneficiaries of an advertisement campaign.  Files:
	smtpd/smtpd_check.c, cleanup/cleanup_message.c,
	*qmgr/qmgr_message.c.

20030126

	Update: maildir filename algorithm updated according to
	today's version of http://cr.yp.to/proto/maildir.html.

20030127

	Cleanup: use separate error messages for separate problems
	with computing the list of SASL authentication mechanisms.
	File: smtpd/smtpd_sasl_glue.c.

20030130

	Bugfix: allow $name in default time values. File:
	global/mail_conf_time.c.

20030205

	Feature: allow !, /file/name and map:name in masquerade_exceptions.
	By Liviu Daia.  Files:cleanup_init.c, cleanup.h,
	cleanup_masquerade.c.

20030219

	Bugfix: the local pickup daemon skipped unterminated records,
	since they happened to have the same record type code as
	content filtering instructions. Victor Duchovni.  Files:
	global/rec_type.h, pickup/pickup.c.

	Portability: Postfix could block, and thus not enforce
	command execution time limits, while delivering mail to
	command.  File: global/pipe_command.c.

	Bugfix: command execution time limits were not enforced
	because the child process killing code in pipe_command()
	was running with the wrong privileges. Problem reported by
	Ben Rosengart, Panix. File: global/pipe_command.c.

	Bugfix: duplicate recipient filtering in the cleanup server
	did not eliminate virtual expansion duplicates with the
	same original recipient. File: cleanup/cleanup_out_recipient.c.

20030223

	Cleanup: added postmap/postalias -p option (do not inherit
	the source file permissions when creating a new file), for
	completeness.  A feature that can't be turned off is a bug.
	Files:  postmap/postmap.c, postalias/postalias.c.

	Bugfix: smtpd_hard/soft_error_limit off-by-one error, so
	that the real limit was one larger than the configured
	value.  File: smtpd/smtpd.c, smtpd/smtpd_chat.c.

20030226

	Safety: proxymap server defense against potential deadlock
	when some library routine wants to open a proxied table.
	Instead, proxymap opens the requested table directly. File:
	proxymap/proxymap.c.

	Portability: updated AIX 5.x system dependent definitions.
	File: util/sys_defs.h.

20030227

	Bugfix: added mynetworks to the list of proxy_read_maps
	parameter settings that are pre-authorized to use proxied
	table lookups.  File: global/mail_params.h.

	Cleanup: daemons now log what table has changed before
	restarting. Files: dict.c, and anything that invoked
	dict_changed().

	Cleanup: more consistency in the naming of lookup table
	handles as generated by maps(3) and by match_list(3).

20030305

	Workaround: Postfix removes too long non-address text from
	message headers in order to protect vulnerable Sendmail
	systems against exploitation of the remote buffer overflow
	vulnerability described in CERT advisory CA-2003-07.

20030311-19

	Bugfix: the access map actions HOLD, DISCARD, FILTER and
	REDIRECT were broken with smtpd_delay_reject=no and with
	ETRN.  This required re-architecting of the actions code.
	Files:  smtpd/smtpd.[hc], smtpd/smtpd_check.c, smtpd/smtpd_state.c.

20030315

	Bugfix: the postsuper manual page documented support for
	the -c command line option, but it was not implemented.
	File: postsuper/postsuper.c.

	Bugfix: the Postfix 2.0 recipient map checking code broke
	the VRFY command, causing it to reply with status code 252
	for non-existent addresses. This required re-architecting
	the recipient table lookup code. File:  smtpd/smtpd_check.c.

20030319

	Feature: configurable limit on virtual alias expansion size
	and nesting depth, via the virtual_alias_expansion_limit
	and virtual_alias_recursion_limit parameters. The default
	limits are compatible with past Postfix versions.  Victor
	Duchovni, Morgan Stanley. Files: /sample-resource.cf,
	html/resource.html, cleanup/cleanup.c, cleanup/cleanup_init.c,
	cleanup/cleanup_map1n.c.

	Feature: the installation procedure records build information
	(by default:  in /etc/postfix/makedefs.out).

20030324

	Bugfix: smtp-source flushed too often, causing suboptimal
	performance with smtp-source sending directly into smtp-sink.
	Files: smtpstone/smtp-source.c.

20030410

	Safety: log a fatal error when a net/mask pattern has a
	non-zero host part, so that mail delivery is deferred.
	File: util/match_ops.c.

20030411

	Bugfix: extraneous warning about out-of-order original
	recipient records by Patrik Rak. Files: *qmgr/qmgr_message.c.

20030412

	Workaround: log a warning and reset the queue file time
	stamps when the file system clock is ahead of the local
	clock.  File: global/mail_stream.c.

20030414

	Feature: PostgreSQL client module, adopted by LaMont Jones.
	Files: README_FILES/PGSQL_README, util/dict_pgsql.c,
	util/dict_pgsql.h, conf/sample-pgsql-aliases.cf.

	Cleanup: the generic smtp client/server code in smtp_stream.c
	now has an explicit flush operation, and the smtp-source/sink
	programs are updated to take advantage of this.

	Cleanup: the file system clock drift detection code now
	runs only once per process instance, to minimize the
	performance impact. File: global/mail_stream.c.

	Robustness: avoid TIME_WAIT state with smtp/qmqp-source
	client sockets.  This puts less strain on local system
	resources.

20030415

	Cleanup: the file system clock drift detection code now
	runs only for incoming mail. File: global/mail_stream.c.

20030416

	Bugfix: missing partial last line when 1) someone submits
	8-bit mail not ending in newline via /usr/sbin/sendmail
	and 2) MIME input processing is turned off, and 3) MIME
	8bit->7bit conversion is requested upon delivery via SMTP.

	Cleanup: auto-bcc recipients are now added in one place
	(the cleanup server) instead of by individual front-end
	servers (pickup, smtpd, qmqpd). This makes it easier to
	add auto-bcc features that trigger on sender or recipient
	addresses.

	Cleanup: "sendmail -t" (recipients from headers) is now
	implemented by the sendmail command instead of by the
	cleanup server. This means that the extract_recipient_limit
	configuration parameter is no longer needed.  Files:
	sendmail/sendmail.c, cleanup/cleanup_message.c,
	cleanup/cleanup_extracted.c.

	Compatibility: "sendmail -t" (recipients from headers) now