HISTORY 531 KiB
Boris Mühmer committed
	Feature: postmulti multi-instance manager command, very
	lightly tested. The MULTI_INSTANCE_README still needs to
	be proofread.  Originally by Victor Duchovni.  Files:
	src/postmulti/*, proto/MULTI_INSTANCE_README.html,
	conf/postmulti-script.
20090216-24
	Cleanup: assorted code cleanups in postmulti.  File:
	src/postmulti/postmulti.c.
20090223
	Cleanup: multiple instances of the same global.  Files:
	util/inet_windowsize.c, util/inet_listen.c.
20090228
	Cleanup: the Postfix SMTP server now maintains a per-session
	"improper command pipelining detected" flag. This flag can
	be tested at any time with reject_unauth_pipelining, and
	is raised whenever a client command is followed by unexpected
	commands or message content.  Files: smtpd/smtpd.c,
	smtpd/smtpd_check.c.
	Logging: the Postfix SMTP server now logs the first command
	pipelining transgression as "improper command pipelining
	after <command> from <hostname>[<hostaddress>]".
	Cleanup: after DATA command failure, log "(approximately
	XX bytes)" only if Postfix actually accepted the DATA
	command.  File: smtpd/smtpd.c.
20090303
	Cleanup: word smithing of "sendmail -bv" probe message.
	File: sendmail/sendmail.c.
	Cleanup: OpenLDAP now provides a sane solution for conflicts
	with PAM ldap-over-tls. Victor Duchovni.  File: global/dict_ldap.c.
20090304
	Cleanup: skip over suspended or throttled queues while
	looking for delivery requests. File: *qmgr/qmgr_transport.c.
20090305
	Bugfix: in the "new queue manager", the _destination_rate_delay
	code needed to postpone the job scheduler updates after
	delivery completion, otherwise the scheduler could loop on
	blocked jobs.  Victor & Wietse.  File: qmgr/qmgr_entry.c,
	qmgr/qmgr_queue.c, qmgr/qmgr_job.c.
	Cleanup: report a "queue file write error", instead of
	passing through bogus 2xx replies from proxy filters to SMTP
	clients.  File: smtpd/smtpd_proxy.c.
20090307
	Cleanup: with "lmtp_assume_final = yes", the Postfix LMTP
	delivery agent assumes that delivery is final when talking
	to an LMTP server that announces no DSN support.  Otherwise,
	the Postfix LMTP delivery agent assumes that delivery is
	"relayed", to maintain compatibility with simple LMTP-based
	content filters.  Based on code by Michel Sebastien, ATOS
	Origin.  File: smtp/smtp_rcpt.c.
20090310
	Bugfix: Postfix used mumble_concurrency_failed_cohort_limit
	instead of mumble_destination_concurrency_failed_cohort_limit
	as documented. File: global/mail_params.h.
20090330
	Cleanup: add (Resent-) From:, Date:, Message-ID: or To:
	headers only when clients match $local_header_rewrite_clients.
	Specify "always_add_missing_headers = yes" for backwards
	compatibility.  Adding such headers to remote mail can break
	DKIM signatures that cover headers that are not present.
	File: cleanup/cleanup_message.c.
20090415
	Workaround: to avoid unnecessary "fatal" delivery agent
	exits, delivery agents retry getting a shared lock on a
	queue file.  This is necessary since the queue manager's
	behavior was changed years ago to refill the in-memory
	recipient list before it was completely empty.  File:
	global/deliver_request.c.
	Documentation: updated STRESS_README.
20090416
	Workaround: some AWK implementations have a limit of 10
	output files and lack a working close() function. It is too
	much trouble to find out what systems have this limitation,
	and where, if any, such systems store their XPG4-compatible
	AWK program.  So instead we generate a stream of here
	documents and let the shell split the stream into files.
	File: postconf/extract.awk.
	Documentation: clarification of certificate file usage.
	Victor Duchovni.  Files: proto/postconf.proto,
	proto/TLS_README.html.
	Feature: pass a "TLS is active" flag to the server-side
	SASL support.  Based on code by Timo Sirainen, except that
	the implementation uses an extensible API so that it will
	be less painful to add more attributes in future Postfix
	versions.  Files: xsasl/xsasl.h, xsasl/xsasl_*server.c,
	smtpd/smtpd_sasl_glue.c.
20090417
	Documentation: re-generate READMEs and manpages for updated
	hyperlinks.
	Documentation: missing hyperlinks and missing parameters
	in manpages. File: mantools/postlink, mantools/check-postlink.
20090418
	Cleanup: use the extensible API to pass SMTP client address
	information to the dovecot SASL plugin, and prepare for
	passing server address information. Files: xsasl/xsasl.h,
	xsasl/xsasl_dovecot_server.c, smtpd/smtpd_sasl_glue.c.
	Same extensible API transformation for the SASL client-side
	code to make future extensions less painful. Files:
	xsasl/xsasl.h, xsasl/xsasl*client.c, smtp/smtp_sasl_glue.c.
	More postlink fixes. File: mantools/postlink.
20090419
	Bugfix: don't re-enable SIGHUP if it is ignored in the
	parent. This may cause random "Postfix integrity check
	failed" errors at boot time (POSIX SIGHUP death), causing
	Postfix not to start. We duplicate code from postdrop and
	thus avoid past mistakes.  File: postsuper/postsuper.c.

	Robustness: don't re-enable SIGTERM if it is ignored in the
	parent. Files: postsuper/postsuper.c, postdrop/postdrop.c.
20090422
	Undo delivery agent change 20090415. The queue manager never
	locks a queue file to read additional recipients into memory,
	so if a delivery agent runs into a locked file, then something
	is seriously wrong. File: global/deliver_request.c.
20090424
	Compatibility: the Postfix SMTP client no longer uses the
	obsolete SSLv2 by default for opportunistic encryption.
	This has nothing to do with security (we're willing to send
	plaintext over an unauthenticated connection) but with the
	loss of advanced options that give better performance.
	Victor Duchovni. Files: proto/postconf.proto, global/mail_params.h.
20090426
	Feature: more accurate support for Milter macros {mail_addr}
	and {rcpt_addr}, and new support for Milter macros {mail_host},
	{mail_mailer}, {rcpt_host}, and {rcpt_mailer}.  Files:
	milter/milter.[hc], smtpd/smtpd.[hc], smtpd/smtpd_milter.c,
	smtpd/smtpd_resolve.c.
	Feature: support to report rejected recipients to Milters
	(SMFIP_RCPT_REJ). Postfix reports the event as described in
	Sendmail 8.14.0 documentation: {rcpt_mailer} = "error",
	{rcpt_host} = enhanced status code (e.g., "5.7.1"), and
	{rcpt_addr} = reason to reject (e.g., "Relay access denied").
	Files: milter/milter.[hc], milter/milter8.c, smtpd/smtpd.[hc],
	smtpd/smtpd_milter.c.
20090427
	Feature: Milter support for replacing the envelope sender
	and adding recipients (SMFIR_CHGFROM, SMFIR_ADDRCPT_PAR).
	This support currently ignores ESMTP command parameters.
	Files: milter/milter8.c, cleanup/cleanup_milter.c.

20090428

	Compatibility: to make all the new Milter features usable,
	raise the default milter_protocol setting from 2 to 6.
	This has been tested with a Sendmail 8.14 libmilter.
	File: global/mail_params.h.

	Bugfix: don't disable MIME parsing with smtp_header_checks,
	smtp_mime_header_checks, smtp_nested_header_checks or with
	smtp_body_checks. Bug reported by Victor. File: smtp/smtp_proto.c.

	Code cleanups: respect VSTRING invariants by using VSTRING_RESET
	and VSTRING_TERMINATE instead of directly groping the
	underlying character buffer. Files: global/dsn_buf.c,
	milter/milter8.c.

20090507

	main.cf:tls_random_source now defaults to /dev/arandom on
	OpenBSD.  This device was introduced before Postfix development
	began. Files: util/sys_defs.h, global/mail_params.h.

20090510

	Code cleanups: while emulating SMTP client requests for
	Milter applications, use user@domain form addresses as
	required by the SMTP protocol, instead of bare usernames.
	This avoids hard to debug errors from some Milter applications.
	Files: cleanup/cleanup_envelope.c, cleanup/cleanup_extracted.c,
	cleanup/cleanup_addr.c.

20090511

	Code cleanups: don't clobber -o command-line arguments so
	that Linux people can debug daemon command lines more easily.
	Files: master/*server.c.

20090519

	Bugfix (introduced: Postfix 2.3, but did not cause trouble
	until 20090427).  Queue file corruption, with (smtpd_milters
	or non_smtpd_milters) enabled, AND with delay_warning_time
	enabled, AND with short envelope sender addresses (e.g.,
	local submissions with bare usernames, but not bounces).
	The queue file would be corrupted when the delay_warning_time
	record was marked as "done" after sending the "your mail
	is delayed" notice.  File: qmgr/qmgr_message.c.

20090528

	Bugfix (introduced: Postfix 2.6 change 20080629): with
	plaintext sessions, smtpd_tls_auth_only=yes caused spurious
	warnings with reject_authenticated_sender_login_mismatch,
	and broke reject_unauthenticated_sender_login_mismatch and
	reject_sender_login_mismatch.  Based on fix by Victor
	Duchovni. File: smtpd/smtpd_check.c.

20090605

	Bugfix: "postmulti -e destroy" used hard-coded /bin/env
	command. Simplified the "destroy" procedure to destroy only
	known safe names without "/". File: conf/postmulti-script.

20090710

	Bugfix (introduced Postfix 2.3): Postfix got out of sync
	with a Milter application after the application sent a
	"quarantine" request at end-of-message time. The milter
	application would still be in the end-of-message state,
	while Postfix would already be working on the next SMTP
	event (typically, QUIT or MAIL FROM).  Problem diagnosed
	with help from Alban Deniz. File: milter/milter8.c.

20090712

	Bugfix (garbage introduced Postfix 2.6): the ugly
	${multi_instance_name:postfix}${multi_instance_name
	?$multi_instance_name} garbage in Postfix logging is now
	hopefully gone.  File: global/mail_task.c.

20090715

	Documentation: as of Postfix 2.6, the reject_unauth_pipelining
	feature can be used meaningfully at any protocol stage.
	File: proto/postconf.proto.

20090805

	Bugfix: don't panic when an unexpected smtpd access map is
	specified. File: smtpd/smtpd_check.c.

20090918

	Bugfix (introduced Postfix 2.3): with Milter RCPT TO replies
	turned off, there was no automatic flush-before-read on the
	smtpd-to-milter stream, because the read was done on the
	cleanup-to-milter stream. Problem reported by Stephen Warren.
	File: milter/milter8.c.

20091005

	Bugfix: core dump while printing error message for malformed
	%<letter> sequence in LDAP, MySQL or PostgreSQL configuration.
	File: global/db_common.c. Fix by Victor Duchovni.

20091012

	Bugfix: postmulti did not skip commands with -p.  Luca
	Berra. File: postmulti/postmulti.c.

20091026

	Cleanup: changed parameter evaluation order so that the
	multi_instance_wrapper parameter value is evaluated after
	the command and daemon directory parameters. File:
	global/mail_params.h.

20091209

	Bugfix: sender_dependent_relayhost_maps did not reject an
	empty lookup result, and did not recognize lookup errors,
	thus treating errors as "not found". Problem found during
	code maintenance. File: trivial-rewrite/resolve.c.

20091229

	Cleanup: the address_verify_poll_count default parameter
	value is now stress-dependent, so that the Postfix SMTP
	server will not wait (up to 6 seconds) for the address
	verification result. File: global/mail_params.h.

20100107

	Documentation: the access(5) manual page did not document
	the "send 521 and disconnect" behavior in the Postfix SMTP
	server. File: proto/access.

	Bugfix: the pickup daemon did not discard messages that
	were requeued after all recipients were delivered (or
	bounced), and the cleanup server tried to bounce such
	messages. Files: pickup/pickup.c, global/cleanup_user.h.

20100115

	Bugfix: the valid_hostname() function did not set the
	"non-numeric" flag after encountering the '-' character.
	Reported by Jan Schampera.  File: util/valid_hostname.c.

20100116

	Workaround: as of Postfix 2.3 the VRFY command did not allow
	a mailbox address inside <>, which broke expectations.  RFC
	2821 (and 5321) is vague about the VRFY request format, but
	spends lots of text on the reply format.  File: smtpd/smtpd.c.
20100422

	Workaround (introduced: postfix-19990906 a.k.a. Postfix
	0.8.0).  The Postfix local delivery agent did not properly
	distinguish between "address has no extension" and "address
	has an extension, but the extension is invalid". In both
	cases it would run only the full recipient local-part through
	the alias maps.  Instead, it now drops the faulty extension
	from the recipient address local-part (it would be too
	error-prone to replace all tests for "no extension" by tests
	for "no valid extension").  File: local/recipient.c.

20100515

	Bugfix (introduced Postfix 2.6): the Postfix SMTP client
	XFORWARD implementation did not skip "unknown" SMTP client
	attributes, causing a syntax error when sending a PORT
	attribute. Reported by Victor Duchovni. File: smtp/smtp_proto.c.

20100529

	Portability: OpenSSL 1.0.0 changes the priority of anonymous
	cyphers. Victor Duchovni. Files: postconf.proto,
	global/mail_params.h, tls/tls_certkey.c, tls/tls_client.c,
	tls/tls_dh.c, tls/tls_server.c.

	Portability: Mac OS 10.6.3 requires <arpa/nameser_compat.h>
	instead of <nameser8_compat.h>. Files: makedefs, util/sys_defs.h,
	dns/dns.h.

20100531

	Robustness: skip LDAP queries with non-ASCII search strings.
	The LDAP library requires well-formed UTF-8.  Victor Duchovni.
	File: global/dict_ldap.c.

20100601

	Portability: Berkeley DB 5.x has the same API as Berkeley
	DB 4.1 and later. File: util/dict_db.c.

20100610

	Bugfix (introduced Postfix 2.2): Postfix no longer appends
	the system default CA certificates to the lists specified
	with *_tls_CAfile or with *_tls_CApath.  This prevents
	third-party certificates from getting mail relay permission
	with the permit_tls_all_clientcerts feature.  Unfortunately
	this may cause compatibility problems with configurations
	that rely on certificate verification for other purposes.
	To get the old behavior, specify "tls_append_default_CA =
	yes".  Files: tls/tls_certkey.c, tls/tls_misc.c,
	global/mail_params.h.  proto/postconf.proto, mantools/postlink.

20100714

	Compatibility with Postfix < 2.3: fix 20061207 was incomplete
	(undoing the change to bounce instead of defer after
	pipe-to-command delivery fails with a signal). Fix by Thomas
	Arnett. File: global/pipe_command.c.

20100827

	Performance: fix for poor smtpd_proxy_filter TCP performance
	over loopback (127.0.0.1) connections. Problem reported by
	Mark Martinec.  Files: smtpd/smtpd_proxy.c.

20101023

	Cleanup: don't apply reject_rhsbl_helo to non-domain forms
	such as network addresses.  This would cause false positives
	with dbl.spamhaus.org.  File: smtpd/smtpd_check.c.

20101117

	Bugfix: the "421" reply after Milter error was overruled
	by Postfix 1.1 code that replied with "503" for RFC 2821
	compliance. We now make an exception for "final" replies,
	as permitted by RFC. Solution by Victor Duchovni. File:
	smtpd/smtpd.c.

20101201

	Workaround: BSD-ish mkdir() ignores the effective GID and
	copies group ownership from the parent directory.  File:
	util/make_dirs.c.

20101202

	Cleanup: the cleanup server now reports a temporary delivery
	error when it reaches the virtual_alias_expansion_limit or
	virtual_alias_recursion_limit. Previously, it would silently
	ignore the excess recipients and deliver the message.  File:
	cleanup/cleanup_map1n.c.

20110105

	Bugfix (introduced with the Postfix TLS patch): discard
	plaintext following the STARTTLS command or response. This
	matters only for the minority of SMTP clients that actually
	verify server certificates.  Files: smtpd/smtpd.c,
	smtp/smtp_proto.c.

	This vulnerability is also known as CVE-2011-0411.
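
	The buffering problem behind this fix, as an added example that
	is not Postfix source code: a toy command reader whose session
	struct, function names and sample segment are all constructed
	for illustration. It counts commands that arrived in plaintext
	but would be executed after TLS became active, with and without
	discarding the read buffer at STARTTLS.

```c
/* Added illustration, not Postfix source: a toy buffered SMTP command reader. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

struct session {
    char   buf[512];     /* plaintext bytes already read from the socket */
    size_t len, pos;     /* valid bytes in buf, next unread byte */
    int    tls_active;   /* set once the TLS handshake has completed */
};

/* Constructed sample: one TCP segment with commands pipelined after STARTTLS. */
static const char CONSTRUCTED_SEGMENT[] =
    "EHLO client.example.test\r\n"
    "starttls\r\n"
    "MAIL FROM:<sender@example.test>\r\n"
    "RCPT TO:<rcpt@example.test>\r\n";

/* Copy the next CRLF-terminated line, upper-cased, into out; 0 if none left. */
static int next_line(struct session *s, char *out, size_t outsz)
{
    for (size_t i = s->pos; i + 1 < s->len; i++) {
        if (s->buf[i] != '\r' || s->buf[i + 1] != '\n')
            continue;
        size_t n = 0;
        for (size_t j = s->pos; j < i && n + 1 < outsz; j++)
            out[n++] = (char) toupper((unsigned char) s->buf[j]);
        out[n] = '\0';
        s->pos = i + 2;
        return 1;
    }
    return 0;
}

/*
 * Feed one segment to the reader and count the commands that arrived before
 * the handshake but were executed after tls_active was set. discard_plaintext
 * selects the fixed behaviour: empty the read buffer when STARTTLS is handled.
 */
int plaintext_commands_run_under_tls(const char *segment, int discard_plaintext)
{
    struct session s;
    char   line[128];
    int    leaked = 0;

    memset(&s, 0, sizeof(s));
    s.len = strlen(segment) < sizeof(s.buf) ? strlen(segment) : sizeof(s.buf);
    memcpy(s.buf, segment, s.len);
    while (next_line(&s, line, sizeof(line))) {
        if (s.tls_active) {
            leaked++;                  /* plaintext handled as if protected */
        } else if (strcmp(line, "STARTTLS") == 0) {
            if (discard_plaintext)
                s.len = s.pos = 0;     /* the fix: drop buffered plaintext */
            s.tls_active = 1;          /* handshake itself elided */
        }
    }
    return leaked;
}

int main(void)
{
    printf("without discard: %d, with discard: %d\n",
           plaintext_commands_run_under_tls(CONSTRUCTED_SEGMENT, 0),
           plaintext_commands_run_under_tls(CONSTRUCTED_SEGMENT, 1));
    return 0;
}
```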

20110109

	Bugfix (introduced Postfix 2.4): on Solaris the Postfix
	event engine was deaf for SIGHUP and SIGALRM signals after
	the switch to /dev/poll. Symptoms were delayed "postfix
	reload" response, and killed processes when the watchdog
	timeout was less than max_idle.  The fix is to set up SIGHUP
	and SIGALRM handlers that write to a pipe, and to monitor
	that pipe for read events via the Postfix event engine.
	Files: master/master_sig.c, util/watchdog.c, util/sys_defs.h.
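
	The handler-writes-to-a-pipe fix described above, together with
	the "don't re-enable a signal that is ignored in the parent"
	rule from change 20090419, as an added example that is not
	Postfix source code. All function names are hypothetical and
	poll() stands in for the Postfix event engine.

```c
/* Added illustration, not Postfix source: signals delivered through a pipe. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <signal.h>
#include <string.h>
#include <unistd.h>

static int sig_pipe[2] = { -1, -1 };    /* [0] read end, [1] write end */

/* Handler: async-signal-safe calls only, and errno is preserved. */
static void sig_to_pipe(int sig)
{
    int     saved_errno = errno;
    unsigned char b = (unsigned char) sig;

    if (write(sig_pipe[1], &b, 1) < 0) { /* pipe full: events already pending */ }
    errno = saved_errno;
}

/* Create the non-blocking pipe. Returns 0 on success, -1 on error. */
int sig_pipe_init(void)
{
    if (sig_pipe[0] < 0 && pipe(sig_pipe) < 0)
        return -1;
    for (int i = 0; i < 2; i++)
        if (fcntl(sig_pipe[i], F_SETFL, O_NONBLOCK) < 0)
            return -1;
    return 0;
}

/* Route sig into the pipe unless it was inherited as ignored (20090419).
 * Returns 1 if routed, 0 if left ignored, -1 on error. */
int sig_route_unless_ignored(int sig)
{
    struct sigaction old, act;

    if (sigaction(sig, NULL, &old) < 0)
        return -1;
    if (old.sa_handler == SIG_IGN)
        return 0;
    memset(&act, 0, sizeof(act));
    act.sa_handler = sig_to_pipe;
    sigemptyset(&act.sa_mask);
    act.sa_flags = SA_RESTART;
    return sigaction(sig, &act, NULL) < 0 ? -1 : 1;
}

/* Event-loop side: wait up to timeout_ms for a read event on the pipe.
 * Returns the signal number, 0 on timeout, -1 on error. */
int sig_wait(int timeout_ms)
{
    struct pollfd pfd;
    unsigned char b;
    int     n;

    pfd.fd = sig_pipe[0];
    pfd.events = POLLIN;
    pfd.revents = 0;
    do {
        n = poll(&pfd, 1, timeout_ms);
    } while (n < 0 && errno == EINTR);
    if (n <= 0)
        return n;
    return read(sig_pipe[0], &b, 1) == 1 ? (int) b : -1;
}

int main(void) { return sig_pipe_init() == 0 ? 0 : 1; }
```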

20110117

	Bugfix (introduced Postfix alpha, or thereabouts): on HP-UX
	the Postfix event engine was deaf for SIGALRM signals.
	Symptoms were killed processes when the watchdog timeout
	was less than max_idle.  The fix is the same as Solaris fix
	20110109. Since we can't know what other systems need this,
	the workaround is enabled by default.  Files: util/sys_defs.h.

20110225

	Workaround (problem introduced with IPv6 support in Postfix
	2.2): the SMTP client did not support mail to [ipv6:ipv6addr].
	Fix based on a patch by Gurusamy Sarathy (Sophos).  File:
	util/host_port.c and regression test files.

20110227

	Portability: FreeBSD closefrom() support time window.  Sahil
	Tandon. File: util/sys_defs.h.

20110414

	Bugfix (introduced with Postfix SASL patch 20000314): don't
	reuse a server SASL handle after authentication failure.
	Problem reported by Thomas Jarosch of Intra2net AG. File:
	smtpd/smtpd_proto.c.

20110418

	Bugfix (introduced Postfix 2.3): the Milter client reported
	some "file too large" errors as temporary errors. Problem
	reported by Michael Tokarev. File: milter/milter8.c.

20110420

	Performance: a high load of DSN success notification requests
	could slow down the queue manager. Solution: make the trace
	client asynchronous, just like the bounce and defer clients.
	Problem reported by Eduardo M. Stelmaszczyk of terra.com.br.
	Files: global/abounce.[hc], *qmgr/qmgr_active.c (the
	qmgr_active.c files are identical).

20110426

	Bugfix (introduced in Postfix 1.1): the local(8) delivery
	agent ignored table lookup errors in mailbox_command_maps,
	mailbox_transport_maps, and fallback_transport_maps. Problem
	reported by William Ono. Files: local/command.c, local/mailbox.c,
	local/unknown.c.

20110601

	Cleanup: don't supply the "-o stress" command-line option
	with a single-process service. File: master/master_ent.c.

	Bugfix (introduced Postfix 2.6 with master_service_disable):
	loop control error when parsing a malformed master.cf file.
	Found by Coverity. File: master/master_ent.c.

20110614

	Linux kernel version 3 support. Linus Torvalds has reset
	the counters for reasons not related to changes in code.
	Files: makedefs, util/sys_defs.h.

20110615

	Workaround: some Spamhaus RHSBL rejects lookups with "No
	IP queries" even if the name has an alphanumerical prefix.
	We play safe, and skip RHSBL queries for names ending in a
	numerical suffix.  File: smtpd/smtpd_check.c.

20110811

	Workaround: report a {client_connections} Milter macro value
	of zero instead of garbage, when the remote SMTP client is
	not subject to any smtpd_client_* limits. Problem reported
	by Christian Roessner. File: smtpd/smtpd_state.c,
	proto/MILTER_README.html.

20110831

	Bugfix: allow for Milters that send an SMTP server reply
	without RFC 3463 enhanced status code. Reported by Vladimir
	Vassiliev.  File: milter/milter8.c.

20110903

	Bugfix: master daemon panic with "master_spawn: at process
	limit" error, when "postfix reload" reduced the process
	limit from (a value larger than the current process count
	for some service) to (a value <= the current process count),
	and then a new connection was made to that service.  This
	is the smallest change that eliminates the problem. The
	final solution involves structural change, and goes into
	the development release. File: master/master_avail.c.

20110921

	Bugfix (introduced: Postfix 1.1): smtpd(8) did not sanitize
	newline characters in cleanup(8) REJECT messages, causing
	them to be sent out via SMTP as bare newline characters.
	This happened when a REJECT pattern matched multi-line
	header text.  Discovered by Kevin Locke.  File: smtpd/smtpd.c.

20110922

	Bugfix (introduced: Postfix 2.1): smtpd(8) sent multi-line
	responses from a before-queue content filter as text with
	bare <LF> instead of <CR><LF>.  Found during code maintenance.
	File: smtpd/smtpd_proxy.c.
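
	One way to keep bare newlines out of SMTP replies, covering
	both the 20110921 and 20110922 entries, as an added example
	that is not Postfix source code. The function names and the
	sample REJECT text are constructed, and turning embedded
	newlines into a multi-line reply is an assumption about the
	approach, not a description of what smtpd(8) does.

```c
/* Added illustration, not Postfix source: multi-line SMTP reply formatting. */
#include <stdio.h>
#include <string.h>

/* Constructed sample: REJECT text that picked up a folded (two-line) header. */
static const char CONSTRUCTED_REJECT[] =
    "Message content rejected: Subject: first line\n\tfolded second line";

/* Return 1 if s contains a CR or LF that is not part of a CRLF pair. */
int has_bare_newline(const char *s)
{
    for (size_t i = 0; s[i] != '\0'; i++) {
        if (s[i] == '\n' && (i == 0 || s[i - 1] != '\r'))
            return 1;
        if (s[i] == '\r' && s[i + 1] != '\n')
            return 1;
    }
    return 0;
}

/*
 * Write text as an SMTP reply with a three-digit code. Each LF, CRLF or stray
 * CR in text ends one reply line; every line is sent as "code-text<CR><LF>"
 * except the last, which is "code text<CR><LF>". Returns the reply length,
 * or -1 if out is too small.
 */
int smtp_format_reply(int code, const char *text, char *out, size_t outsz)
{
    size_t used = 0;

    for (;;) {
        size_t n = strcspn(text, "\r\n");        /* length of this line */
        const char *next = text + n;
        int    last, w;

        if (next[0] == '\r' && next[1] == '\n')
            next += 2;
        else if (next[0] != '\0')
            next += 1;
        last = (next[0] == '\0');                /* nothing follows */
        w = snprintf(out + used, outsz - used, "%03d%c%.*s\r\n",
                     code, last ? ' ' : '-', (int) n, text);
        if (w < 0 || (size_t) w >= outsz - used)
            return -1;
        used += (size_t) w;
        if (last)
            return (int) used;
        text = next;
    }
}

int main(void)
{
    char reply[256];

    if (smtp_format_reply(550, CONSTRUCTED_REJECT, reply, sizeof(reply)) > 0)
        fputs(reply, stdout);
    return 0;
}
```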

20111020

	EAI Future-proofing: don't apply strict_mime_encoding_domain
	checks to unknown message subtypes such as message/global*.
	File: global/mime_state.c.