HISTORY 606 KiB
  • Boris Mühmer's avatar
    Boris Mühmer committed
    	qmqpd_client_port_logging parameter setting. File:
    	qmqpd/qmqpd.c.
    
    20071216
    
    	Cleanup: show the remote SMTP server port in verbose logging,
    	warnings and postmaster notices.  Still don't show the port
    	in delivery status notifications. Files: smtp/smtp_chat.c,
    	smtp/smtp_sasl_glue.c, smtp/smtp_sasl_proto.c.
    
    	The "tls_require_cert" is now compatible with OpenLDAP 2.1
    	and later. Victor Duchovni. Files: proto/ldap_table,
    	global/dict_ldap.c.
    
    20071218
    
    	Cleanup: removed the "#ifdef USE_LIBMILTER_INCLUDES"
    	dependencies on system-installed Milter protocol include
    	files. Verified that the object code has not changed. File:
    	milter/milter8.c.
    
    	Sanity check: idiot filter to detect attempts to use the
    	same database file for different TLS session caches.  File:
    	tlsmgr/tlsmgr.c.
    
    	Cleanup: updated the spell check stoplist and the spell
    	check script. Files: mantools/spell, proto/stop.
    
    	Cleanup: replaced documentation references to xxgdb by ddd.
    	The xxgdb program hasn't been updated in more than 10 years.
    	Files: proto/postconf.proto, conf/main.cf.
    
    20071219-20
    
    	Feature: support for all new Sendmail 8.14 Milter features
    	except SMFIR_SKIP (skip further events of this type),
    	SMFIP_RCPT_REJ (report rejected recipients to the mail
    	filter), SMFIR_CHGFROM (replace sender, with optional ESMTP
    	command parameters), and SMFIR_ADDRCPT_PAR (add recipient,
    	with optional ESMTP command parameters). Files: milter/milters.c,
    	milter/milter8.c, milter/test-milter.c, cleanup/cleanup_milter.c.
    
    20071221
    
    	Feature: support for Sendmail 8.14 Milter SMFIR_SKIP (skip
    	further events of this type). Files: milter/milter8.c,
    	milter/test-milter.c.
    
    	Cleanup: don't try sending HELO after a 421 EHLO reply.
    	File: smtp/smtp_proto.c.
    
    20071221-nonprod
    
    	Using 20071221 as reference point.
    
    	Cleanup: Simplified TLS library cipher and protocol API to
    	just pass string-valued properties to tls_client_init() and
    	tls_client_start(). The client is now agnostic of the
    	mechanics of cipher management internal to the library. The
    	main.cf parameters used internally in the library are now
    	loaded by the library, not the caller. Files:
    	src/smtp/lmtp_params.c, src/smtp/smtp.c, src/smtp/smtp.h,
    	src/smtp/smtp_params.c, src/smtp/smtp_proto.c,
    	src/smtp/smtp_session.c, src/smtpd/smtpd.c, src/tls/tls.h,
    	src/tls/tls_client.c, src/tls/tls_level.c, src/tls/tls_misc.c,
    	src/tls/tls_server.c, src/tls/tls_session.c, src/tls/tls_verify.c
    	and src/tlsmgr/tlsmgr.c
    
    	Cleanup: Client session lookup key "salting" is now handled
    	internally in the tls library. Files: src/tls/tls_client.c
    
    	Cleanup: Cipher state is cached, and only updated when
    	necessary.  Files: src/tls/tls_misc.c
    
    	Feature: Extended the syntax of protocol selection to allow
    	exclusions as well as inclusions. Files: src/tls/tls_misc.c
    
    	Cleanup: Updated default verification depth to match reality:
    	default is 9 in OpenSSL and we don't yet override it.  When
    	we do (soon), the default will match previous behavior.
    	Files: src/global/mail_params.h
    
    	Bugfix: Reference to obsolete "pfixtls" code won't compile
    	inside #ifdef for OpenSSL <= 0.9.5a. Using an OpenSSL release
    	that old has not been tested for some time, but may now
    	work. Files: src/tls/tls_bio_ops.c.
    
    	Replaced "void *" TLS library application handles by explicit
    	pointer types, while hiding data structure implementation
    	details from the TLS library users. Files: tls/tls_client.c,
    	tls/tls_server.c, smtp/smtp.c, smtpd/smtpd.c.
    
    	The TLS library no longer modifies VSTRINGs passed in by
    	the caller. Where possible, information is passed as "const"
    	from application to library. Files: smtp/smtp_proto.c,
    	tls/tls_client.c.
    
    20071227-nonprod
    
    	Replaced explicit initialization of props structures by
    	emulating function calls with named parameter lists.  Files:
    	tls/tls.h, smtp/smtp.c, smtp/smtp_proto.c, smtpd/smtpd.c.
    
    20071222
    
    	Further polishing of the Milter code and logging. File:
    	milter/milter8.c.
    
    20071123
    
    	Further polishing of the Milter code. With SETSYMLIST, each
    	Milter can now update its own macros instead of clobbering
    	the global copy that is shared with other Milters. Also an
    	opportunity to clean up some ad-hoc code for sending macro
    	lists from smtpd(8) to cleanup(8). Files: milter/milter.c,
    	milter/milter8.c, milter/milter_macros.c.
    
    20071224
    
    	Further polishing of the Milter code. Eliminated unnecessary
    	steps from the initial smtpd/cleanup Milter handshake. Files:
    	milter/milter.c, milter/milter8.c, milter/milter_macros.c.
    
    	Cleanup: name_code(3) and name_mask(3) now support read-only
    	tables. Files: util/name_code.[hc], util/name_mask.[hc].
    
    20071227
    
    	Cleanup: further refinements of the Milter code, allowing
    	for multiple macro overrides. The code is now ready for
    	serious testing. File: milter/milter8.c.
    
    20071229
    
    	Bugfix: the Milter client did not replace the Postfix-specific
    	form for unknown host names by the Sendmail-specific form.
    	File: milter/milter8.c.
    
    
    	Cleanup: when a cleanup milter reports a problem don't log
    	generic "4.3.0 Service unavailable", but log the text for
    	the actual error. File: cleanup/cleanup_milter.c.
    
    20080102-nonprod
    
    	SMTP client fingerprint security level support and configurable
    	fingerprint digest algorithm. Victor Duchovni. Files:
    	smtp/lmtp_params.c, smtp/smtp.c, smtp/smtp.h,
    	src/smtp/smtp_params.c, src/smtp/smtp_proto.c,
    	src/smtp/smtp_session.c, tls/tls_client.c, tls/tls_level.c,
    	tls/tls_verify.c.
    
    20080103-nonprod
    
    	Missed "invalid TLS configuration" patch for SMTP client.
    	Victor Duchovni. File: smtp/smtp_proto.c.
    
    	SMTP server configurable fingerprint digest algorithm.
    	Victor Duchovni. Files: smtpd/smtpd.c, tls/tls.h,
    	tls/tls_server.c, tls/tls_verify.c.
    
    20080104-nonprod
    
    	Cleanup: finally implemented certificate verification depth
    	limit parameters. Prior to Postfix 2.5 these were ignored.
    	For backwards compatibility, the default verification depth
    	limit is now 9, the OpenSSL default. Victor Duchovni. Files:
    	src/tls/tls_client.c, src/tls/tls_server.c, src/tls/tls_verify.c.
    
    	Robustness: Avoid possibility of NULL pointer issues in
    	application code that checks certificate names, by providing
    	"empty string" values when no data is available.  Victor
    	Duchovni.  Files: src/tls/tls_verify.c, src/tls/tls_client.c,
    	src/tls/tls_server.c, src/smtpd/smtpd_check.c, src/smtpd/smtpd.c.
    
    	Cleanup: separation of TLS handshake from security level
    	enforcement. The library shakes hands; the application
    	decides if the resulting security is acceptable. Victor
    	Duchovni.  Files: smtpd/smtpd.c, smtpd/smtpd_proto.c,
    	tls/tls_server.c, tls/tls_client.c, tls/tls_verify.c.
    
    	Robustness: more robust processing of ASN.1 string attributes
    	in x509v3 certificates, plus additional sanity checks (e.g.
    	embedded null characters). Victor Duchovni. File:
    	src/tls/tls_verify.c.
    
    20080104
    
    	Workaround: minor change to the Dovecot AUTH request to
    	prevent dovecot-auth memory wastage. Timo Sirainen.  File:
    	xsasl/xsasl_dovecot_server.c.
    
    20080105-nonprod
    
    	Cleanup: renamed TLS-related symbols for consistency (always
    	include the init, start, stop prefix in the TLS library
    	function and data structure names; consistently distinguish
    	between per-application TLS state and per-session TLS state;
    	consistently use the fpt prefix for fingerprint related
    	variables and structure members; consistent use of monocase
    	typedef-ed names).
    
    20080106-nonprod
    
    	Cleanup: consistent use of <pre> and <blockquote> in examples;
    	instead of emphasizing new Postfix 2.5 behavior in reference
    	documentation, describe the new behavior as "current", with
    	historical behavior as a supplemental note.
    
    20080107
    
    	Feature: new "pass" service type (in addition to "inet",
    	"unix" and "fifo").  The "pass" service type supports
    	front-end daemons that accept all inbound connections and
    	that permit only well-behaved clients to talk to the MTA.
    	This service type had been sitting in the master daemon for
    	years but was disabled by default.  Actual applications for
    	this will have to be developed later.  Files: util/upass_connect.c,
    	util/upass_trigger.c.
    
    20080108
    
    	Cleanup: where possible, store data structures in read-only
    	memory. Besides the security advantage of no write access,
    	this also gives slightly better memory utilization when
    	many processes execute the same file. Files: pretty much
    	everything that has a static table, except for a few tables
    	in the benchmark tools with flags that are controlled by
    	command-line information.
    
    20080109
    
    	Cleanup: more read-only data. Files: everything that passes
    	around a HEADER_OPTS pointer.
    
    20080112
    
    	Safety: optional lookup table to prevent the Postfix SMTP
    	client from making repeated SASL login failures with the
    	same hostname, username and password.  This introduces new
    	parameters: smtp_sasl_auth_cache_name, smtp_sasl_auth_cache_time.
    	Based on code by Keean Schupke.  Files: smtp/smtp_sasl_glue.c,
    	smtp/smtp_sasl_auth_cache.c.
    
    	Safety: the Postfix SMTP client now by default defers mail
    	after the server rejects a SASL login attempt with a 535
    	status code.  Specify "smtp_sasl_auth_soft_bounce = no" to
    	get the earlier behavior.  Based on code by Keean Schupke.
    	Files: smtp/smtp_sasl_glue.c.
    
    20080114
    
    	Safety: the smtpd_client_new_tls_session_rate_limit setting
    	now also limits the number of failed TLS handshakes. This
    	limits the impact of broken configurations. File: smtpd/smtpd.c.
    
    20080115
    
    	Bugfix (introduced 20080112): Patrik Rak found two bugs
    	that largely canceled each other out, causing Postfix not
    	to complain about a missing "proxy:" prefix with the new
    	smtp_sasl_auth_cache_name parameter setting. File:
    	smtp/smtp_sasl_glue.c.
    
    	Documentation: new SOHO_README file for small/home offices.
    	The text is automatically generated from bits and pieces of
    	information that are scattered across other documents.
    	File: mantools/make_soho_readme.
    
    20080116
    
    	Bugfix (introduced 20080112): missing #ifdef for the SASL
    	login failure cache. File: smtp/smtp_sasl_auth_cache.h.
    
    20080123
    
    	Name fix: renamed the mumble_delivery_rate_delay parameter
    	to mumble_destination_rate_delay, because it really is a
    	per-destination feature. With this change we keep the option
    	of implementing a future per-transport rate delay.
    
    20080125
    
    	Bugfix (introduced 20071216): missing {} in the LDAP client
    	broke OpenLDAP TLS.  The setting tls_require_cert=no was
    	further broken because Postfix used OpenLDAP incorrectly.
    	Victor Duchovni.  This broke tls_require_cert=no. File:
    	global/dict_ldap.c.
    
    
    20080126
    
    	Cleanup: the post-install script now requires that it is
    	invoked via the postfix(1) command. This was the intended
    	use since Postfix 2.1, but it was never enforced.  The
    	documentation for package maintainers has been updated
    	accordingly. File: conf/post-install.
    
    
    20080130
    
    	Bugfix (introduced 20071204): wrong proxywrite process limit
    	in the default master.cf file.  File: conf/master.cf.
    
    
    20080131
    
    	Bugfix (introduced 20080126): the new "do not execute
    	directly" test in post-install got broken during code
    	cleanup.  File: conf/post-install.
    
    
    	Workaround: undo the changes that require that post-install
    	is invoked via the postfix command, because this breaks
    	when "postfix start" is invoked with an obsolete postfix
    	command that doesn't export the new data_directory parameter.
    
    
    	Workaround: pick up a missing data_directory setting from
    	main.cf when "postfix start" is invoked with an obsolete
    	postfix command. File: conf/post-install.
    
    20080207
    
    	Cleanup: soft_bounce support for multi-line Milter replies.
    	File: src/milter/milter8.c.
    
    	Cleanup: preserve multi-line format of header/body Milter
    	replies. Files: cleanup/cleanup_milter.c, smtpd/smtpd.c.
    
    	Cleanup: multi-line support in SMTP server replies.  File:
    	smtpd/smtpd_chat.c.
    
    
    	SAFETY: postfix-script, postfix-files and post-install are
    	moved away from /etc/postfix to $daemon_directory. There
    	were too many accidents where people clobbered these files
    	with versions from an older Postfix release and ended up
    	with an unusable Postfix setup.  Files: postfix-install,
    	Makefile.in, postfix/postfix.c, conf/postfix-files,
    	conf/postfix-script, conf/post-install.
    
    20080212
    
    	Feature: check_reverse_client_hostname_access, to make
    	access decisions based on the unverified client hostname.
    	For safety reasons an OK result is not allowed.  Noel Jones.
    	Files: smtpd/smtpd_check.c plus header files and documentation.
    
    
    20080215
    
    	Safety: break SASL loop in case both the SASL library and
    	the remote SMTP server are confused. File: smtp/smtp_sasl_glue.c.
    
    20080220
    
    	Safety: the master daemon now sets an exclusive lock on a
    	file $data_directory/master.lock, so that the data directory
    	can't be shared between multiple Postfix instances.  This
    	would corrupt files that rely on single-writer updates
    	(examples: verify(8) cache, tlsmgr(8) caches, etc.). File:
    	master/master.c.
    
    
    20080226
    
    	Cleanup: the postfix command did not set argv[0] to a sane
    	value when invoking postfix-script. Reported by Victor
    	Duchovni. File: postfix/postfix.c.
    
    
    20080228
    
    	Bugfix: bounce(8) segfault on one-line template text.
    	Problem found by Sacha Chlytor. File: bounce/bounce_template.c.
    
    20080310
    
    	Safety: the SMTP server's Dovecot authentication client now
    	enforces the SASL mechanism output filter also on client
    	command input. File: src/xsasl/xsasl_dovecot_server.c.
    
    20080311
    
    	Bugfix (introduced 20070811): the MAIL and RCPT Milter
    	application call-backs no longer received {mail_addr} or
    	{rcpt_addr} information. Problem reported by Anton Yuzhaninov.
    	File: smtpd/smtpd.c.
    
    
    	Bugfix (introduced 20080207): "cleanup -v" panic because
    	the new "SMTP reply" request flag did not have a printable
    	name. File: global/cleanup_strflags.c.
    
    
    20080318
    
    	Human factors: the PCRE and regexp maps now give more
    	comprehensible error messages when people make the common
    	mistake of indenting if/endif blocks. Files: util/dict_pcre.c,
    	util/dict_regexp.c.
    
    
    20080324
    
    	Cleanup: the event_drain() function is now a proper event
    	processing loop. File: util/events.c
    
    	Feature: when the "postmap -q -" command reads lookup keys
    	from standard input, it now understands RFC822 and MIME
    	message format. Specify -h or -b to use headers or body
    	lines as lookup keys, and specify -hm or -bm to simulate
    	header_checks or body_checks.  The postmap -h option (without
    	-m) will be compatible with a future postcat -h option.
    	File: postmap/postmap.c.
    
    
    20080411
    
    	Bugfix (introduced Postfix 2.0): after "warn_if_reject
    	reject_unlisted_recipient/sender", the SMTP server mistakenly
    	remembered that recipient/sender validation was already
    	done. File: smtpd/smtpd_check.c.
    
    	Bugfix (introduced Postfix 2.3): the queue manager would
    	initialize missing client logging attributes (from xforward)
    	with real client attributes. Fix: enable this backwards
    	compatibility feature only with queue files that don't
    	contain logging attributes. Problem reported by Liviu Daia.
    	Files: *qmgr/qmgr_message.c.
    
    20080424
    
    	Cleanup: some warning messages said "regexp" or "regexp
    	map" instead of "pcre map". File: util/dict_pcre.c.
    
    
    20080426
    
    	Feature: finer control over address verification error
    	handling and amount of information disclosed in the SMTP
    	reject message.  Parameters: unverified_recipient_defer_code,
    	unverified_recipient_reject_reason, unverified_sender_defer_code,
    	unverified_sender_reject_reason. If I don't do this properly,
    	then someone will do it anyway. File: src/smtpd/smtpd_check.c.
    
    
    20080428
    
    	Cleanup: the proxy_read_maps (Postfix 2.0) default setting
    	was not updated when adding sender/recipient_bcc_maps
    	(Postfix 2.1) and smtp/lmtp_generic_maps (Postfix 2.3).
    	File: global/mail_params.h.
    
    	Cleanup: the SMTP server's XFORWARD and XCLIENT support was
    	not updated when the smtpd_client_port_logging configuration
    	parameter was added. Code by Victor Duchovni. Files:
    	smtpd/smtpd.c, smtpd/smtpd_peer.c.
    
    20080508
    
    	Cleanup: delivery status notifications now prepend a
    	Return-Path: message header to the returned message.
    	File: bounce/bounce_notify_util.c.
    
    
    20080509
    
    	Bugfix: null-terminate CN comment string after sanitization.
    	File: smtpd/smtpd.c.
    
    
    20080510
    
    	Cleanup: when extracting peer and issuer common name from
    	TLS certificates, convert the result into UTF-8, and use
    	RFC 2047 encoding when logging these as Received: header
    	comment fields. Based remotely on code by Victor Duchovni.
    	Files: smtpd/smtpd.c, tls/tls_verify.c.
    
    20080511
    
    	Cleanup: the RFC 2047 encoding of RFC*822 comments is too
    	problematic.  The text that explains the problems is as
    	long as the code itself.  That is usually a good indication
    	that code is not ready for use.  File: smtpd/smtpd.c.
    
    	Cleanup: block non-printable ASCII text in UTF8 encoded TLS
    	peer and issuer common names.  File: tls/tls_verify.c.
    
    20080602
    
    	Workaround: avoid watchdog timeout in the local pickup
    	daemon when the cleanup server expands a very large virtual
    	alias list. Files: master/trigger_server.c, pickup/pickup.c.
    
    
    20080603
    
    	Workaround: avoid "bad address pattern" errors with non-address
    	patterns in namadr_list_match() calls. File: util/match_ops.c.
    
    
    	Feature: print fsstone elapsed time with sub-second time
    	resolution.  Kenji Kikuchi. File: fsstone/fsstone.c.
    
    20080606
    
    	Bitrot: "make test" was broken due to recent changes in
    	code and due to recent changes at mail-abuse.org.
    
    20080618
    
    	Add a note to SMTP session transcript email messages that
    	other details may be found in the maillog file.  Files:
    	smtpd/smtpd_chat.c, smtp/smtp_chat.c.
    
    20080620
    
    	Cleanup: with the "Before-queue content filter", RFC3848
    	information was not added to the headers. Carlos Velasco.
    	File: smtpd/smtpd.c.
    
    
    20080621
    
    	Cleanup: include unread byte count in the SMTP server's "lost
    	connection after DATA (xx bytes)" logging. Files: smtpd/smtpd.c.
    
    20080629
    
    	Bugfix (introduced Postfix 2.2): multiple inconsistencies
    	in SASL support after introduction of TLS.  The Postfix
    	SMTP server 1) complained about plain-text SASL configuration
    	details when SASL was forbidden for plain-text sessions,
    	and 2) ignored the smtpd_tls_auth_only parameter setting
    	when built without TLS support.  Files: smtpd/smtpd.c,
    	smtpd/smtpd_check.c, smtpd/smtpd_sasl_glue.[hc],
    	smtpd/smtpd_state.c.
    
    	Some clarification about recipient address versus domain,
    	and recipients per message versus session. File:
    	proto/postconf.proto.
    
    	The description of SASL authentication attributes was
    	garbled.  File: pipe/pipe.c.
    
    	Information: the master(8) server now logs the version
    	besides the configuration directory upon "postfix reload".
    	File: master/master.c.
    
    
    20080717
    
    	Cleanup: a poorly-implemented integer overflow check for
    	TCP MSS calculation had the unexpected effect that people
    	broke Postfix on LP64 systems while attempting to silence
    	a compiler warning.  File: util/vstream_tweak.c.
    
    
    20080721
    
    	The cleanup server now rejects undisclosed_recipients_header
    	parameter values with invalid message header syntax.
    	File: cleanup/cleanup_message.c.
    
    
    20080725
    
    	Paranoia: defer delivery when a mailbox file is not owned
    	by the recipient. Sebastian Krahmer, SuSE.  Files:
    	local/mailbox.c, virtual/mailbox.c.
    
    20080804
    
    	Bugfix: dangling pointer in vstring_sprintf_prepend().
    	File: util/vstring.c.
    
    20080814
    
    	Security: some systems have changed their link() semantics,
    	and will hardlink a symlink, contrary to POSIX and XPG4.
    	Sebastian Krahmer, SuSE. File: util/safe_open.c.
    
    	The solution introduces the following incompatible change:
    	when the target of mail delivery is a symlink, the parent
    	directory of that symlink must now be writable by root only
    	(in addition to the already existing requirement that the
    	symlink itself is owned by root).  This change will break
    	legitimate configurations that deliver mail to a symbolic
    	link in a directory with less restrictive permissions.
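
The rule in the 20080814 entry, written out as an added example (not code from util/safe_open.c or from Postfix). When link() will hardlink a symlink, the new directory entry keeps root ownership, so ownership alone no longer shows who placed it; the parent directory check closes that gap. The function names and the reading of "writable by root only" as "owned by uid 0 with no group or other write bits" are assumptions.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700
#endif
#include <libgen.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Hypothetical verdict codes for this example. */
enum link_verdict {
    LINK_OK = 0,              /* not a symlink, or symlink passes both checks */
    LINK_NOT_ROOT_OWNED,      /* pre-existing requirement: symlink owned by root */
    PARENT_NOT_ROOT_ONLY      /* new requirement: parent writable by root only */
};

/* Assumption: "writable by root only" means the directory is owned by
 * uid 0 and carries no group or other write permission bits. */
static int parent_root_only(const struct stat *dir)
{
    return dir->st_uid == 0 && (dir->st_mode & (S_IWGRP | S_IWOTH)) == 0;
}

/* Pure policy check over stat results, so it can be tested without root.
 * lnk must come from lstat() on the delivery target, parent from stat()
 * on the directory that contains it. */
enum link_verdict check_symlink_target(const struct stat *lnk,
                                       const struct stat *parent)
{
    if (!S_ISLNK(lnk->st_mode))
        return LINK_OK;                 /* the rule only concerns symlinks */
    if (lnk->st_uid != 0)
        return LINK_NOT_ROOT_OWNED;
    if (!parent_root_only(parent))
        return PARENT_NOT_ROOT_ONLY;    /* e.g. a symlink hardlinked into /tmp */
    return LINK_OK;
}

/* Path-based wrapper. Returns a link_verdict, or -1 when the path or its
 * parent directory cannot be examined. */
int check_delivery_path(const char *path)
{
    struct stat lnk, parent;
    char buf[PATH_MAX];

    if (strlen(path) >= sizeof(buf))
        return -1;
    strcpy(buf, path);                  /* dirname() may modify its argument */
    if (lstat(path, &lnk) < 0)
        return -1;
    if (stat(dirname(buf), &parent) < 0)
        return -1;
    return (int) check_symlink_target(&lnk, &parent);
}

int main(int argc, char **argv)
{
    static const char *msg[] = {
        "ok",
        "symlink not owned by root",
        "parent directory not writable by root only"
    };
    int i;

    for (i = 1; i < argc; i++) {
        int v = check_delivery_path(argv[i]);
        printf("%s: %s\n", argv[i], v < 0 ? "cannot examine" : msg[v]);
    }
    return 0;
}
```

A check by path name like this one is only an audit aid for finding configurations that the incompatible change will break; a delivery agent has to tie the check to the file it actually opens.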
    
    20080815
    
    	Feature: the milter_default_action parameter now accepts
    	the "quarantine" action. This works like "accept" but also
    	freezes the mail in the "hold" queue. File: milter/milter8.c.
    
    	Robustness: transition from setjmp()/longjmp() to the signal
    	mask saving/restoring versions sigsetjmp()/siglongjmp().
    	These functions have been around for 15 years, but they
    	have had bugs on supported platforms, so makedefs tests for
    	them.  Files: makedefs, util/sys_defs.h, util/vstream.h.
    
    20080822
    
    	Cleanup: the proxymap_service_name and proxywrite_service_name
    	parameters make the proxymap service names configurable.
    	This paves the way for a future option where the proxymap
    	services are accessible via TCP so that they can be shared
    	among multiple Postfix hosts.  File: global/dict_proxy.c.
    
    	Feature: MacOS X support for kqueue style event handling,
    	with workaround for broken MacOS X versions.  Files:
    	util/sys_defs.h, makedefs.
    
    	Cleanup: the makedefs script now keeps its test programs
    	in a directory makedefs.d, instead of inlining them as
    	fragile "here documents". Files: makedefs, makedefs.d/*.
    
    20080823
    
    	Feature: IPv6 dns blocklist lookup. File: smtpd/smtpd_check.c.
    
    20080824
    
    	Cleanup: untangled the MacOS X version dependent sections
    	in the makedefs script, to make future updates easier. File:
    	makedefs.
    
    	Cleanup: don't log multiple Milter "hold" actions for the
    	same email message. File: cleanup/cleanup_milter.c.
    
    
    	Cleanup: moving test programs from makedefs into a makedefs.d
    	directory brought more pain than gain.
    
    	Cleanup: untangled the Linux version dependent sections in
    	the makedefs script, to make future updates easier. File:
    	makedefs.
    
    	Documentation: MacOS process limit configuration by Quanah
    	Gibson-Mount.  File: proto/TUNING_README.html.
    
    	Feature: smtp-sink -M option to terminate after receiving
    	a specified number of messages. Laurent Gentil. File:
    	smtpstone/smtp-sink.c.
    
    
    	Bugfix (introduced Postfix 2.4): epoll file descriptor leak.
    	With Postfix >= 2.4 on Linux >= 2.6, Postfix has an epoll
    	file descriptor leak when it executes non-Postfix commands
    	in, for example, user-controlled $HOME/.forward files.  A
    	local user can access a leaked epoll file descriptor to
    	implement a denial of service attack on Postfix. Data
    	confidentiality and integrity are not affected.  File:
    	util/events.c.
    
    20080903
    
    	Don't enable kqueue (which requires poll) support on
    	MacOS X. File: makedefs.
    
    	Cleanup: remove obsolete Rhapsody and MacOS targets from
    	makedefs.
    
    20080929
    
    	Workaround: don't log "file has 2 links" warnings when the
    	condition appears to be temporary. As kernels have evolved
    	from non-interruptible system calls towards fine-grained
    	locks, the showq command has become likely to observe a
    	file while the queue manager is in the middle of a rename
    	operation, when the file has links to both the old and new
    	name.  File: global/mail_open_ok.c.
    
    	Workaround: don't loop forever when write() fails with a
    	persistent EAGAIN error on a writable file descriptor.
    	File: util/write_buf.c.  
    
    20081003
    
    	Bugfix (introduced Postfix 2.1): when XFORWARD support was
    	introduced with Postfix 2.1, the specification failed to
    	clearly distinguish between missing and non-existent client
    	information. This ambiguity affected the implementation:
    	in $name expansions by delivery agents, unknown client
    	hostnames could become empty strings (as if a submission
    	was local), and local submissions could appear to originate
    	from an SMTP-based content filter.  This was fixed with a
    	minor semantic change to the XFORWARD protocol.  Files:
    	smtpd/smtpd.c, qmqpd/qmqpd.c, smtp/smtp_proto.c,
    	cleanup/cleanup_envelope.c, proto/XFORWARD.html. Note: the
    	changes to propagate local submission details were undone
    	20082012.
    
    	Feature: a DUNNO lookup result in per_sender_relayhost_maps
    	stops the search without replacing the next-hop destination.
    	File: trivial-rewrite/resolve.c.
    
    20081005
    
    	Bugfix: further refinements to the handling of missing or
    	non-existent remote client attributes. Files: smtpd/smtpd.c,
    	smtpd/smtpd.h.
    
    	Documentation: the XFORWARD specification of the ADDR
    	attribute did not agree with the actual on-the-wire protocol.
    	Since we can't change already existing deployments, the
    	spec has been updated. File: proto/XFORWARD_README.html.
    
    20081006
    
    	Bugfix: further refinements to the handling of remote client
    	attributes.  Introduced a dummy "we have forwarded client
    	info" record, to eliminate the need for the backwards
    	incompatible queue file change that was introduced 20081003.
    	Files: smtpd/smtpd.c, cleanup/cleanup_envelope.c,
    	*qmgr/qmgr_message.c.
    
    	Security: hardened the proxymap client, in case it ever
    	ends up in a set-gid program. File: global/dict_proxy.c.
    
    20081007
    
    	Workaround: undo the proxymap client change. It broke
    	chrooted servers when they attempted to reconnect to the
    	proxy read/write service. File: global/dict_proxy.c.
    
    20081008
    
    	Safety: added checks that $queue_directory/pid is owned by
    	root, and that $queue_directory/saved is owned by $mail_owner.
    	File: conf/postfix-script.
    
    20081010
    
    	Feature: controls for opportunistic TLS protocols and
    	ciphers. The smtp_tls_protocols, smtp_tls_ciphers, and
    	equivalent parameters for lmtp and smtpd provide global
    	settings; the SMTP client TLS policy table provides ciphers
    	and protocols settings for specific peers.  Code by Victor
    	Duchovni. Files: smtp/smtp.c, smtp/smtp_session.c, smtpd/smtpd.c
    	and documentation.
    
    20081012
    
    	Cleanup: simplify the 20081003 changes and don't try to
    	propagate local submission information through XFORWARD.
    	Files: smtpd/smtpd.c, qmqpd/qmqpd.c, smtp/smtp_proto.c,
    	cleanup/cleanup_envelope.c, proto/XFORWARD.html.
    
    20081015
    
    	Bugfix: GLIBC API version detection. Rob Foehl. File:
    	util/sys_defs.h.
    
    
    20081022
    
    	Documentation: removed inapplicable daemon_timeout reference
    	from qmgr(8), oqmgr(8), pickup(8). These daemons need to
    	use a much shorter watchdog timer.
    
    20081108
    
    
    	Feature: smtp_sasl_tls_verified_security_options is no
    	longer #ifdef SNAPSHOT.
    
    	Feature: elliptic curve support. This requires OpenSSL
    	version 0.9.9 or later. Victor Duchovni. Files: TLS_README,
    	smtpd/smtpd.c, smtp/smtp.c, tls/tls_dh.c, tls/tls_certkey.c,
    	tls/tls_server.c, tls/tls_client.c, tls/tls.h, tls/tls_misc.c.
    
    
    	Bugfix (introduced Postfix 2.5): the Postfix SMTP server
    	did not ask for a client certificate with "smtpd_tls_req_ccert
    	= yes". Reported by Rob Foehl. File: smtpd/smtpd.c.
    
    
    20081109
    
    	Cleanup: confusing names of variables. File: smtpd/smtpd.c.
    
    
    20081126
    
    	Documentation: pcre_table(5) incorrectly claimed that the
    	'x' flag supports #comment after text. File: proto/pcre_table.
    
    
    20081202
    
    	Cleanup: vstream_bufstat() provides a more systematic
    	approach to get information about VSTREAM buffers. The
    	vstream_peek() function is now a backwards compatibility
    	wrapper.  Files: util/vstream.[hc].
    
    	Cleanup: the SMTP server should warn about "lost connection
    	after QUIT" only when the "." reply was pipelined together
    	with the "QUIT" reply. File: smtpd/smtpd.c.
    
    	Cleanup: the SMTP client's code was duplicating buffer
    	management that was already done in the VSTREAM module.
    	File: smtp/smtp_proto.c.
    
    
    20081203
    
    	Cleanup: adjust the VSTREAM buffer strategy when reusing
    	an SMTP connection with a large TCP MSS value. File:
    	smtp/smtp_reuse.c.
    
    
    20081204
    
    	Cleanup: state the SMTP client PIPELINING implementation's
    	dependency on monotonic VSTREAM buffer size behavior, and
    	add some checks for boundary cases with VSTREAM buffer size
    	change requests. Files: util/vstream.c, smtp/smtp_proto.c.
    
    20081205
    
    	Fix 20081202 flush code. Victor Duchovni. File: smtpd/smtpd.c.
    
    	Safety: add another check to "postfix check", in this case
    	for group or other writable queue_directory. File:
    	conf/postfix-script.
    
    20081217
    
    	Debugging: ad-hoc code to log the TLS error stack after
    	VSTREAM read/write error.  File: tls/tls_bio_ops.c. In a
    	better implementation, each I/O "object" would provide an
    	optional error reporting method (besides timed_read and
    	timed_write) that could be queried via the vstream module.
    
    
    20081222
    
    	Documentation: log the "*" pattern as the last transport
    	map lookup. File: proto/transport.
    
    20090103
    
    	Documentation: rewrote NFS_README, to clarify the support
    	status of Postfix and NFS, and to describe the NFS workarounds
    	that Postfix actually implements.
    
    20090106
    
    	Feature: "postconf -# parametername ..." to comment out
    	named parameter entries. Victor Duchovni.  File:
    	postconf/postconf.c.
    
    20090107
    
    	Library: edit_file(3) module for cooperative editing of a
    	file. Inspired by the postconf command, this creates a new
    	version under a deterministic temporary name and renames
    	it into place. The implementation uses an open/lock/stat
    	protocol before updating the new file, and rename/unlock/close
    	afterwards.  Based on pieces of code by Victor Duchovni,
    	with minor improvements by Wietse.  Files: util/edit_file.[hc].
    
    	Cleanup: the postconf command now uses the edit_file(3)
    	module to manage collisions when multiple processes attempt
    	to update the main.cf file.
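
The open/lock/stat and rename/unlock/close sequence described for edit_file(3) above, as an added example; this is not Postfix's util/edit_file.c. The names edit_open and replace_file, the ".tmp" suffix, and the use of flock() with O_NOFOLLOW are assumptions made for illustration.

```c
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/file.h>
#include <sys/stat.h>
#include <unistd.h>

/* Added example; function names and the ".tmp" suffix are assumptions. */
/* Open and lock "<path>.tmp"; retry if the file we locked is no longer at that name. */
static int edit_open(const char *path, char *tmp, size_t tmplen)
{
    struct stat locked, named;
    int fd;

    if ((size_t) snprintf(tmp, tmplen, "%s.tmp", path) >= tmplen)
        return -1;
    for (;;) {
        /* No O_TRUNC here: another editor may hold the lock and still be writing. */
        if ((fd = open(tmp, O_CREAT | O_WRONLY | O_NOFOLLOW, 0600)) < 0)
            return -1;
        if (flock(fd, LOCK_EX) < 0 || fstat(fd, &locked) < 0)
            break;
        if (lstat(tmp, &named) == 0 && named.st_dev == locked.st_dev
            && named.st_ino == locked.st_ino)
            return ftruncate(fd, 0) == 0 ? fd : (close(fd), -1);
        close(fd);      /* the previous lock holder renamed this inode into place */
    }
    close(fd);
    return -1;
}

/* Write text to the locked temp file, then rename/unlock/close to publish it. */
int replace_file(const char *path, const char *text)
{
    char tmp[4096];
    size_t len = strlen(text);
    int fd = edit_open(path, tmp, sizeof(tmp)), status = -1;

    if (fd < 0)
        return -1;
    if (write(fd, text, len) == (ssize_t) len && fsync(fd) == 0)
        status = rename(tmp, path);     /* atomic: readers see old or new, never a mix */
    close(fd);                          /* closing the descriptor drops the lock */
    return status;
}
```

A process that was blocked in flock() while another editor renamed the temp file into place sees the stat mismatch and starts over with a fresh temp file, so it never truncates the version that was just published.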
    
    20090108
    
    	Feature: master_service_disable parameter (default: empty)
    	to easily turn off/on master.cf services by type or by name
    	and type. For example, to turn off the main SMTP listener
    	use "master_service_disable = smtp.inet", and to turn off
    	all TCP/IP listeners use "master_service_disable = inet".
    	This immediately terminates all processes that provide the
    	specified services. The master_service_disable feature does
    	not distinguish services by their privacy property; some
    	day, clients will not need to specify that anymore.  Files:
    	global/mail_params.h, master/master.c, master/master_vars.c,
    	master/master_ent.c.
    
    	Bugfix (introduced May 19, 1997): removing a parameter
    	setting from main.cf did not reset the parameter to its
    	default value. This was a problem only in the master daemon.
    	Files: global/mail_conf.c, master/master_vars.c.
    
    20090109
    
    	Cleanup: "defer" action in access maps, and a corresponding
    	access_map_defer_code parameter. No idea what was behind
    	this omission.  Files: global/mail_params.h, smtpd/smtpd.c,
    	smtpd/smtpd_check.c, proto/access.
    
    	Workaround: specify "tcp_windowsize = 65535" (or less) to
    	work around broken TCP window scaling implementations.  This
    	is perhaps easier than collecting tcpdump output and tuning
    	kernel parameters by hand.  See RELEASE_NOTES for how to
    	change this setting without stopping Postfix.  Files:
    	util/inet_connect.c, inet_listen.c, global/mail_params.[hc].
    
    20090110
    
    	Cleanup: create separate code modules for TCP window size
    	handling, master.cf service name matching, and main.cf
    	change monitoring.  Files: util/inet_windowsize.c,
    	global/match_service.c, master/master_watch.c.
    
    	Feature: TCP window size override for the Postfix SMTP/LMTP
    	client, and for the smtp-source and smtp-sink test programs.
    	Files: smtp/smtp_connect.c, smtpstone/smtp-source.c,
    	smtpstone/smtp-sink.c.
    
    20090114
    
    	Bugfix: VERP now uses the Postfix original recipient, if
    	available, because that is what the VERP consumer expects.
    	Files: *qmgr/qmgr_deliver.c, bounce/bounce_notify_verp.c.
    
    	Safety: extra check for broken third-party patches that
    	allow file size limit < message size limit. This can cause
    	mail to be stuck in the queue forever.
    
    	Invisible change, in preparation for multi-instance support.
    	Except for main.cf and master.cf, all files are optional
    	for non-default Postfix configuration directories. File:
    	conf/postfix-files.
    
    20090115
    
    	Cleanup: rewrote the 20090114 VERP bugfix, to replace code
    	that "works" by code that is "right". Files: *qmgr/qmgr_deliver.c,
    	bounce/bounce_notify_verp.c, global/verp_sender.c.
    
    20090118
    
    	Documentation: some URLs to enable/disable client-side TLS
    	jumped into the middle of an enumeration.  File:
    	proto/TLS_README.html.
    
    20090119-21
    
    	Feature: multi-instance manager plug-in API.  A sample
    	multi-instance manager with instructions is available as
    	$daemon_directory/postfix-wrapper. The plug-in API itself
    	is described in postfix-wrapper(5).  Files: postfix/postfix.c,
    	global/mail_params.[hc], proto/postfix-wrapper,
    	conf/postfix-wrapper, conf/postfix-script, conf/postfix-files.
    
    	Support to check/update shared files only in the context
    	of the default Postfix instance. Files: conf/post-install,
    	conf/postfix-script.
    
    20090122
    
    	Refinements: the multi-instance manager always replaces
    	"start" by "check" when a Postfix instance is multi-instance
    	disabled, so that problems will still be reported; polish
    	documentation; delete unnecessary multi_instance_order
    	parameter.  Files: conf/postfix-wrapper, proto/postfix-wrapper,
    	global/mail_params.[hc] and documentation.
    
    	Bugfix: the data_directory was not automatically created!
    	File: conf/postfix-files.
    
    20090123
    
    	More little fixes in the "trivial but useful" postfix-wrapper
    	including instructions. It's ready for testing in the field.
    	File: conf/postfix-wrapper.
    
    20090125
    
    	Documentation: more precise description of multi-instance
    	manager API, and minor edits of the example program. Files:
    	conf/postfix-wrapper, proto/postfix-wrapper.
    
    20090208
    
    	Cleanup: enable multi-instance shared-file logic only when
    	the instance is listed in multi_instance_directories.  Files:
    	conf/post-install, conf/postfix-script.
    
    20090210
    
    	Feature: specify "reject_tempfail_action = defer" to
    	immediately defer a remote SMTP client request after a
    	reject-type restriction fails with a temporary error.  Based
    	on code by Rob Foehl. File: smtpd/smtpd_check.c.
    
    	Feature: finer control of reject_tempfail_action with
    	unknown_address_tempfail_action, unverified_sender_tempfail_action,
    	unverified_recipient_tempfail_action, and
    	unknown_helo_hostname_tempfail_action. See documentation
    	for details.  File: smtpd/smtpd_check.c.
    
    20090211
    
    	Workaround: pass the SMTP server socket's local and remote
    	peer address information to the Dovecot authentication server.
    	This is incomplete code: it ignores XCLIENT server address
    	overrides.  File: xsasl/xsasl_dovecot_server.c.
    
    20090212
    
    	Testing revealed that with mumble_tempfail_action=defer,
    	the "defer" action was ignored.  Cause: the DEFER_IF_PERMIT[0-9]
    	macros lost the SMTPD_CHECK_REJECT result value.  File:
    	smtpd/smtpd_check.c.
    
    	Feature: stress-dependent smtpd_timeout (normal: 300s,
    	overload: 10s), smtpd_hard_error_limit (normal: 20, overload:
    	1) and smtpd_junk_command_limit (normal: 100, overload: 1).
    	Files: global/mail_params.h, global/mail_conf_nint.c,
    	master/*_server.c, smtpd/smtpd.c.
    
    20090213
    
    	Fine tuning: don't enforce smtpd_junk_command_limit for
    	XCLIENT and XFORWARD commands.  These commands can be issued
    	only by authorized clients. File: src/smtpd/smtpd.c.
    
    20090215
    
    	Feature: the Postfix SMTP server hangs up after replying
    	with "521". This makes overload handling more effective. 
    	See also RFC 1846.  File: smtpd/smtpd.c.