
	Feature: selective suppression of SMTP extensions (pipelining,
	starttls, auth, etc.); this is useful to work around broken
	clients or servers.  Specify a list of EHLO keywords with
	the smtp(d)_discard_ehlo_keywords parameters, or specify
	one or more lookup tables, indexed by remote network address,
	with the smtp(d)_discard_ehlo_keyword_address_maps parameters.
	EHLO keyword lists are case insensitive.  Files:
	util/name_mask.[hc], global/ehlo_mask.[hc], smtpd/smtpd.c,
	smtp/smtp.c, smtp/smtp_proto.c.

20041219

	Bugfix: postcat without -o was broken. File: postcat/postcat.c.

20041220

	NON-PRODUCTION Bugfix: (bug introduced while adopting
	Postfix/TLS patch):  don't call smtp_flush() after return
	from vstream_setjmp(), we'll call you.  File: smtpd/smtpd.c.

	Dummy VSTREAM read-write routines. Files: util/dummy_read.c,
	util/dummy_write.c.

20041221

	Fixes for TLS_README by Victor Duchovni. File:
	proto/TLS_README.html.

	NON-PRODUCTION Bugfix: (bug introduced while adopting
	Postfix/TLS patch).  The client code had become too similar
	to the server implementation, and also required a host
	certificate and key. Fix by Victor Duchovni. File:
	tls/tls_client.c.

20041221

	Bugfix: further postcat corner cases.

20041223

	Cosmetic: don't log disconnect events as I/O errors.
	File: tls/tls_bio_ops.c.

20041221-9

	Infrastructure: unified IPv4/IPv6 name/address API so that
	Postfix can support IPv6 without #ifdef INET6 everywhere.
	In particular, we allow #ifdef in libraries but avoid it
	in applications.  Files:  util/myaddrinfo.[hc],
	util/sock_addr.[hc], dns/dns_rr_to_pa.c, dns/dns_sa_to_rr.c,
	dns/dns_rr_eq_sa.c, dns/dns_rr_to_sa.c, inet_proto.[hc].

	Postfix no longer attempts to deliver mail via IPv6 when
	the system has no IPv6 connectivity.  Network protocol
	support is now selected with the "inet_protocols" configuration
	parameter, instead of "inet_interfaces". The "inet_protocols"
	parameter also controls what DNS lookups Postfix will do.

	Infrastructure: eliminated two host/port parsing routines.
	Only one survives: host_port(), in an extended form that
	allows for missing host or missing service information but
	not both. File: util/host_port.c.

20041229

	Milestone: Postfix with the unified IPv4/IPv6 socket/name
	API builds without compiler error on IPv4-only system and
	actually works.

20041228

	Bugfix: SMTPD_PROXY_README incorrectly claimed that ":port"
	in master.cf causes a server to listen only on "localhost"
	without exposing the service to the network.  Instead,
	":port" causes a client to connect to "localhost".

20041231

	Linux workaround:  when mynetworks isn't set, a chrooted
	process could not read the IPv6 address information from
	/proc.  We now invoke own_inet_addr() before chrooting,
	while processing main.cf. File: global/mail_params.c.

20050101

	Workaround for (Linux) systems without IPV6_V6ONLY support
	(RFC 3493).  When Postfix listened on an IPv4 wild-card
	smtp socket, the IPv6 wild-card smtp listener would fail
	with EADDRINUSE (and vice versa).  File: util/myaddrinfo.c.

20050103

	Safety: when the IPV6 netmask can't be determined, assume
	/128 (host only). File: util/inet_addr_local.c.

20050104

	Re-implemented IPv6 support for net/mask pattern matching.
	Files:  util/cidr_match.[hc], util/dict_cidr.c,
	util/match_ops.[hc], proto/cidr_table.

20050105

	Moved mask_addr() to its own module so that it could also
	be called by mynetworks() and inet_addr_local() to remove
	non-zero host bits from IPv6 network/mask patterns. File:
	util/mask_addr.c.

20050108

	Re-implemented IPv6 support for network interface lookup
	via the Linux /proc file system. File:  util/inet_addr_local.c.

20050111

	Feature: specify "inet_interfaces = loopback-only" for
	servers that must listen on local interfaces only, without
	having to specify IPv4 and/or IPv6 addresses in main.cf or
	master.cf.  File:  global/own_inet_addr.c.

	Workaround: AIX 5.1 getaddrinfo() can't handle a null host
	argument with AI_PASSIVE. Instead we specify an explicit
	protocol family, a host of "::" or "0.0.0.0", and turn off
	IPV6_V6ONLY. Files: util_myaddrinfo.c, util/inet_listen.c.

	Workaround: AIX 5.1 getaddrinfo() can't handle a "0" service
	argument. Instead we specify "1".  Files: util/inet_addr_host.c.

20050113

	Cleanup: now that the over-all structure is proving itself,
	clean up some internal APIs to increase robustness and get
	rid of some clumsiness. Mainly, the getaddrinfo(3) interface.

	Start-up performance: the hash_queue_names default setting
	is reduced from eight directories to just defer and deferred.
	This reduces time for checking the Postfix queue. Files:
	conf/post-install, global/mail_params.h.

20050114

	Further cleanup: eliminate duplicate IPv6 results when the
	mynetworks value is generated by Postfix. More documentation
	of the new internal APIs.

	Performance: reduced start-up delay by moving warning-only
	startup checks into the background. File: conf/postfix-script.

20050115

	Further hardening of the IPv6 support: don't trust system
	libraries to protect Postfix against malformed IPv6 address
	literals. Their syntax is complex enough that errors are
	likely. Files: global/resolve_local.c, util/valid_hostname.c.

	Further cleanup: RFC 2821 requires the IPv6: prefix with
	IPv6 address strings.  The smtp and qmqp servers maintain
	separate address instances, the bare address and the RFC
	2821 compatible form, and use each where appropriate.  This
	strict separation simplifies address syntax checks as well
	as the implementation of XCLIENT and XFORWARD.

20050116

	Infrastructure: new valid_mailhost_addr() routine to verify
	that an address literal satisfies RFC 2821. An IPv4 address
	is in dotted-quad decimal form, and an IPv6 address is in
	hexadecimal form, with the "IPv6:" prefix. Files:
	global/valid_mailhost_addr.[hc].
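
Added example (not Postfix code), illustrating the 20050115 and 20050116 entries above: a hand-rolled syntax check for RFC 2821 address literals that does not hand untrusted text to system libraries. The function names, the bracket-free input form and the case-insensitive match of the "IPv6:" tag are assumptions of this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <strings.h>

#define IPV6_TAG "IPv6:"

/* Strict dotted quad: exactly four decimal fields, each 0..255. */
static int example_valid_ipv4(const char *s)
{
    int fields = 0;

    for (;;) {
        int digits = 0, value = 0;

        while (isdigit((unsigned char) *s)) {
            value = value * 10 + (*s++ - '0');
            if (++digits > 3 || value > 255)
                return 0;
        }
        if (digits == 0)
            return 0;
        fields++;
        if (*s == '\0')
            return fields == 4;
        if (*s++ != '.' || fields == 4)
            return 0;
    }
}

/* Hex groups of 1..4 digits, at most one "::", optional IPv4 tail. */
static int example_valid_ipv6(const char *s)
{
    int groups = 0;                     /* 16-bit groups seen so far */
    int have_gap = 0;                   /* "::" already seen */

    if (s[0] == ':') {                  /* may start with "::" only */
        if (s[1] != ':')
            return 0;
        have_gap = 1;
        s += 2;
        if (*s == '\0')
            return 1;                   /* the unspecified address "::" */
    }
    for (;;) {
        const char *start = s;
        int digits = 0;

        while (isxdigit((unsigned char) *s)) {
            s++;
            digits++;
        }
        if (*s == '.') {                /* IPv4 tail: two groups, must be last */
            if (!example_valid_ipv4(start))
                return 0;
            groups += 2;
            break;
        }
        if (digits < 1 || digits > 4)
            return 0;
        groups++;
        if (*s == '\0')
            break;
        if (*s++ != ':')                /* rejects "%scope", spaces, etc. */
            return 0;
        if (*s == ':') {
            if (have_gap)
                return 0;               /* second "::" is ambiguous */
            have_gap = 1;
            s++;
            if (*s == '\0')
                break;                  /* literal ends in "::" */
        } else if (*s == '\0') {
            return 0;                   /* trailing single ':' */
        }
    }
    return have_gap ? groups <= 7 : groups == 8;
}

/* Assumption: addr is the literal without the enclosing [ ]. */
int example_valid_mailhost_addr(const char *addr)
{
    size_t tag_len = sizeof(IPV6_TAG) - 1;

    if (strncasecmp(addr, IPV6_TAG, tag_len) == 0)
        return example_valid_ipv6(addr + tag_len);
    return example_valid_ipv4(addr);    /* bare IPv6 text fails here */
}

int main(void)
{
    /* Constructed sample inputs, documentation address ranges only. */
    const char *samples[] = {
        "192.0.2.1", "IPv6:2001:db8::1", "2001:db8::1",
        "IPv6:fe80::1%eth0", "IPv6:1::2::3", "192.0.2.256",
    };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-22s %s\n", samples[i],
               example_valid_mailhost_addr(samples[i]) ? "ok" : "reject");
    return 0;
}
```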

	Further cleanup: valid_hostname() no longer allows network
	addresses or numerical domain names. While it made some
	sense with IPv4 dotted quad decimal forms, with IPv6 it
	just made no sense anymore.  Again, being stricter actually
	simplifies code. Files:  util/valid_hostname.c and a
	surprisingly small number of valid_hostname() callers that
	did not reject numerical forms.

	Bugfix: in the Postfix 2.2 SMTP client, the debug_peer_init()
	call was moved to the after-chroot initialization.

20050117

	Performance: reduced start-up delay by moving warning-only
	startup checks into the background; they now start after
	one minute to allow the system to finish booting. File:
	conf/postfix-script.

	Milestone: first non-non-production snapshot with IPv6.

20050119

	Milestone: first non-non-production snapshot with TLS.

20050124

	Workaround: don't send mail to $fallback_relay if Postfix
	is MX host for the next-hop destination. This is, however,
	a partial solution. The documentation has been updated to
	cover all the cases where a fallback_relay could interfere
	with the operation of a backup or primary MX host. Files:
	smtp/smtp_addr.c, smtp/smtp_connect.c.

20050127

	Configuration: Postfix daemons that need privileged operation
	(such as local, pipe, or spawn) now log a fatal error when
	they are configured in master.cf as unprivileged.

20050130

	Cleanup: simplified the handling of receive_override_options
	settings. Files: pickup/pickup.c, smtpd/smtpd.c, qmqpd/qmqpd.c,
	global/input_transp.c.

	Feature: permit_inet_interfaces allows a request when the
	client matches $inet_interfaces. This is used for generic
	access restrictions and for header address rewriting control.
	Files: global/mail_params.h, smtpd/smtpd_check.c.

	Cleanup: by default, message header address rewriting is
	now enabled only for mail that originates from the machine
	itself. Files: global/mail_params.h, smtpd/smtpd_check.c.

20050131

	Bugfix: when extracting recipients from message headers,
	the Postfix sendmail command produced output records longer
	than $line_length_limit, causing postdrop to reject the
	mail. Diagnosis by Victor Duchovni. File:  sendmail/sendmail.c.

20050202

	Cleanup: explicit Makefile targets for "make package" and
	"make non-interactive-package" to create ready-to-install
	packages for distribution to other systems. Added extra
	sanity checks to prevent attempts to overwrite your running
	Postfix instance. Files:  Makefile.in, proto/PACKAGE_README.

	Cleanup: when bounce_queue_lifetime > maximal_queue_lifetime,
	it is adjusted to maximal_queue_lifetime, and a warning is
	logged. Files:  *qmgr/qmgr.c.

20050203

	Cleanup: trivial-rewrite now restarts more timely after
	changes in lookup tables.  Of all the alternatives
	tested, the simplest one produces the most bang for the
	buck. The other code is left in place for illustrative
	purposes. File:  trivial-rewrite/trivial-rewrite.c.

	Cleanup: sendmail no longer ignores null command-line
	recipients.  File: sendmail/sendmail.c.

	Cleanup: "postfix start" background checks moved back to
	the foreground so they can be stopped more easily.  File:
	conf/postfix-script.

20050204

	Feature: REPLACE command in header/body_checks (implemented
	as a combination of PREPEND and IGNORE) by Bastiaan Bakker.
	File: cleanup/cleanup_message.c.

	Cleanup: linted the manual pages for consistency in the
	way manuals are referenced, and in the presentation of
	command examples. Files: mantools/manlint, mantools/fixman,
	mantools/postconf2man.

20050205

	Cleanup: updated the mass-deletion example in the postsuper
	manual.

20050206

	Cleanup: don't count a [45]XX SMTP server greeting towards
	the mx_session_limit setting. File: smtp/smtp_connect.c.

	Feature: output address rewriting in the SMTP client. The
	smtp_generic_maps parameter specifies an address mapping
	that happens only when mail is delivered via SMTP. This is
	typically used for hosts without a valid domain name, that
	use something like localdomain.local instead.  This feature
	can replace local mail addresses by valid Internet mail
	addresses when mail needs to go across the Internet, but
	not when mail is sent between accounts on the local machine.
	Files:  smtp/smtp_proto.c, smtp/smtp_map11.c.

	Cleanup: don't panic in mymalloc() when master can't find
	any IP addresses. LaMont Jones. File: master/master_ent.c.

20050207

	Documentation: added a generic(5) manual page for consistency
	with the already existing table driven mechanisms, added
	references to or examples of the new generic mapping.

	Bugfix: the header_checks REPLACE action mis-handled
	multi-line replacement text in message headers, for example:
	/(.*)/ REPLACE X-$1. File:  cleanup/cleanup_message.c.

	Bugfix: the header_checks REPLACE action should not drop
	the input when the action is NOT executed. File:
	cleanup/cleanup_message.c.

	Bugfix? Cleanup? Documentation? main.cf now implements
	${name[?:]value} as promised in the postconf(5) manual.
	Implemented by deleting the macro processor in dict_eval(),
	and using the one in mac_expand() instead.  File: util/dict.c.

20050208

	Feature: check_ccert_access maptype:mapname for access(5)
	control, based on code by Victor Duchovni. File:
	smtpd/smtpd_check.c and documentation.

	Safety: don't allow unlimited message size with limited
	mailbox size. File: local/local.c, virtual/virtual.c.

	Feature: new smtpd policy attributes ccert_subject,
	ccert_issuer and ccert_fingerprint, with TLS client
	certificate information, but only when verification was
	successful.  Files:  src/smtpd/smtpd_check.c.

	Cleanup: corrected the address verification data flow in
	the ADDRESS_VERIFICATION_README illustration.

20050209

	Cleanup: the smtp generic mapping did syntax check on the
	input address instead of the result. These tests were not
	going to be useful in any case, because mail_addr_map()
	canonicalizes the lookup result, including @dom1->@dom2
	mapping. File:  smtp_map11.c.

	Cleanup: made the generic mapping documentation consistent
	with the implementation.

	Cleanup: documented the myorigin/mydomain address rewriting
	in canonical, generic and virtual alias maps.

	Feature: updated LDAP and *SQL query interfaces using a
	common infrastructure so that all have the same feature set
	where possible. Victor Duchovni and many others. This code
	was tested separately and was merged into the main stream
	20050308. Files: global/db_common.[hc], global/dict_ldap.c,
	global/dict_mysql.c, global/dict_pgsql.c, plus documentation.

20050210

	Bugfix: spurious fallback_relay warnings after 20050202.
	Victor Duchovni.  File: smtp/smtp_connect.c.

	Bugfix: (introduced while adopting Postfix/TLS patch) the
	TLS cache scan stopped after expiring one entry.  Victor
	Duchovni.  File: tls/tls_scache.c.

	Safety: delete-behind when removing expired entries from
	TLS session caches. With some maps the enumeration method
	mis-behaves when the current entry is deleted. File:
	tls/tls_scache.c.

20050211

	Cleanup: the "generics" feature (output address rewriting)
	is renamed to "generic", for consistency with "canonical"
	and "virtual".

20050212

	Cleanup: remove old trace(8) logfile before attempting
	delivery (and after locking the message file exclusively).
	Files: *qmgr/qmgr_message.c.

	Cleanup: don't parse-then-regenerate message headers when
	no address is changed by address rewriting operations. This
	behavior was copied from the SMTP client's generic mapping
	code.  Files: cleanup/cleanup_rewrite.c, cleanup/cleanup_map11.c,
	cleanup/cleanup_masquerade.c, cleanup/cleanup_message.c.

20050215

	Bugfix: don't chmod queue files while running "postfix
	set-permissions". This prevents mail from being labeled as
	"corrupt" when a live Postfix system is upgraded.  Found
	by Victor Duchovni.  File: conf/post-install.

20050216

	Feature: in smtpd?_discard_ehlo_keyword(s|_address_maps)
	specify the pseudo keyword "silent-discard" in order to
	avoid logging that some EHLO keyword is being suppressed.
	File: global/ehlo_mask.[hc].

20050217

	Bugfix: typo in tls_server.c, breaking CApath.  Fix by
	Philipp Morger. File: tls/tls_server.c.

20050227

	Bugfix (bug introduced 20040331): with SIGHUP ignored, the
	postdrop signal handler would effectively ignore SIGINT,
	SIGQUIT and SIGTERM.  Simplified the overly-conservative
	protection against nested signals in postdrop, and added
	some future proofing comments.  File:  postdrop/postdrop.c

	Cleanup: when address rewriting is enabled, don't change
	the capitalization of header labels, i.e. don't replace
	FROM: or CC: by From: or Cc:. Files: cleanup/cleanup_message.c,
	smtp/smtp_proto.c.

20050228

	Cleanup/portability: missing #includes and bad prototypes.
	Matthias Andree, Carsten Hoeger, and others.

20050302

	Workaround: make TLS session caching work with perverse
	sites that have multiple servers per hostname or even
	multiple servers per IP address, but no shared TLS session
	cache. The SMTP client TLS session cache is now indexed by
	(server hostname, server address, server port, server helo
	hostname). After an idea by Victor Duchovni. Files:
	smtp/smtp_proto.c, tls/tls_client.c.

20050303

	Bugfix (bug inherited from Postfix/TLS patch): a rare 9kbyte
	memory leak when in-memory TLS session information expires;
	found by setting the expiry time shorter than the time to
	deliver one or two messages with a very slow machine.  This
	was due to a missing SSL_SESSION_free() call in the "new
	session" call-back routines. Found by Victor Duchovni.
	Files: tls/tls_client.c, tls/tls_server.c.

	Workaround: OpenSSL is overly aggressive when purging a
	not-yet expired entry from a full in-memory cache: it also
	purges the entry from the on-disk server session cache.
	Workaround is to let only the tlsmgr purge entries from the
	on-disk server session cache.  Found by Victor Duchovni.
	File: tls/tls_server.c.

20050304

	Postfix releases are now signed with Wietse's new PGP key.
	The old key was getting a bit short for today's standards.
	The new public key can be found on the Postfix download
	webpage. As proof of authenticity the new PGP key is signed
	with Wietse's old PGP key.

	Cleanup: check_mumble_{ns,mx}_access no longer attempt to
	do MX or NS lookups for address literals. An address literal
	is treated as its own MX host; there is no meaningful
	equivalent for NS access control. File: smtpd/smtpd_check.c.

20050310

	Bugfix: the AIX and SUN compilers rightfully complained
	about non-portable code in the "new" LDAP/SQL client. File:
	global/db_common.c.

	Workaround: some systems no longer recognize "tail +2" as
	valid command syntax. Instead they require "improved" syntax
	that is not valid on several other systems that Postfix
	builds on.  So we have to stop using the tail command.
	Files: Makefile.in, src/*/Makefile.in.

20050312

	Bugfix: the TLS session cache cleaning code didn't always
	delete the right entry. Problem found by Victor Duchovni,
	more problems found by Wietse. File: tls/tls_scache.c.

20050314

	Portability: Berkeley DB changed API from version 2.5 to
	2.6. Rob Foehl. File: util/dict_db.c.

20050315

	Bugfix: when <unistd.h> is included, read is a reserved
	identifier. File: smtpstone/smtp-source.c.

20050317

	Cleanup: change wording of error message when an IPv6 address
	is mistaken for maptype:mapname. File: util/dict_open.c.

20050321

	Robustness: don't look for SMTP status code when there was
	none. File: smtp/smtp_chat.c, lmtp/lmtp_chat.c.

	Portability: missing netinet/in.h include, so that ntohs()
	was not defined on HP-UX. File: smtp/smtp_proto.c.

20050327

	Bugfix: the SMTP and LMTP clients did not ask the queue
	manager to reduce destination concurrency when "lost
	connection" or "connection timed out" happened AFTER Postfix
	received the server greeting. Files: smtp/smtp_trouble.c,
	lmtp/lmtp-trouble.c.

20050328

	Cleanup: the REPLACE action is no longer implemented as
	PREPEND+IGNORE. The result remains in the input stream, and
	is subject to address rewriting and other processing where
	applicable.  File: cleanup/cleanup_message.c.

20050402

	Cleanup: updated error messages about MIME processing errors
	in the SMTP client. These errors are no longer specific to
	8bit->7bit conversion; they can also happen with generic
	address mapping. File: smtp/smtp_proto.c.

20050407

	@%^!#& Thanks to inadequate SASL documentation the client
	could negotiate a security layer where none was desired.
	Better documentation has become available since Postfix
	SASL support was implemented, and now Postfix needs to be
	fixed. Files: */*_sasl_glue.c.

20050409

	Safety: the CDB map now logs a warning when the source file
	is newer than the indexed file, just like the Berkeley DB
	and DBM maps. Michael Tokarev. File: util/dict_cdb.c.

20050412

	Bugfix: while updating the cleanup_flush() infrastructure
	in the 2.3 development release, eliminated a portability
	problem that was introduced when "REJECT text" support was
	added. File: cleanup/cleanup.c.

20050413

	Portability: don't mix socket message send/receive calls
	with socket stream read/write calls. The fact that you can
	get away with it only on some stacks implies that there is
	no long-term guarantee. Specify -DCAN_WRITE_BEFORE_SENDING_FD
	if you feel brave. File: util/sys_defs.h.

	Robustness: re-compile all object files after the "make
	makefiles" options have changed. Files: src/*/Makefile.in.

20050417

	Safety: don't call syslog from a user-triggered signal
	handler, and other minor fixes back-ported from the 2.3
	development release.  File: postdrop/postdrop.c.

20050422

	Bugfix: postsuper could lose an error message after reporting
	a fatal error. Fix back-ported from the 2.3 development
	release.  File: postsuper/postsuper.c.

20050427

	Bugfix: don't panic when the fall-back relay can't be used
	because the local MTA is MX for the destination, or when
	the fall-back relay can't be used because it was already
	tried via a cached session.  Files: util/argv.c,
	smtp/smtp_connect.c.

20050517

	Bugfix: in a DSN report, the original recipient should not
	be xtext encoded. File: bounce/bounce_notify_util.c.

20050523

	Bugfix: mymalloc() panic with mistyped server host list.
	File: global/dict_pgsql.c.

20040530

	Bugfix: TLS MUST_NOPEERMATCH didn't work (inherited from
	TLS patch), and a dangling pointer in the corresponding
	error handling. File: smtp/smtp_proto.c.

20050615

	Cleanup: the SMTP client now sends QUIT when the initial
	HELO handshake fails. It still doesn't send QUIT when the
	server greets with a [45]XX code, as that is handled in the
	connection management code before a session context exists.
	File: smtp/smtp_connect.c.

20050616

	Bugfix: missing or mis-placed va_end() macros, found in
	Postfix 2.3 code review. Files: util/netstring.c,
	util/myaddrinfo.c, util/attr_clnt.c, util/vstream.c.

20050621

	Portability: file descriptor passing is available for Tru64
	UNIX, but AIX4 and IRIX6 will have to do without. This means
	no SMTP connection caching for those platforms.  Albert
	Chin.  File: util/sys_defs.h.

20050630

	Portability: the connection caching code broke on LP64
	systems (inherited from Stevens Network Programming).  Files:
	util/unix_send_fd.c, util/unix_recv_fd.c. This code is
	back-ported from the Postfix 2.3 snapshot release.

20050706

	Robustness: the SMTP client now disables connection caching
	when it is unable to communicate with the scache(8) server,
	instead of looping forever and not delivering mail.  File:
	global/scache_clnt.c.  This code is back-ported from the
	Postfix 2.3 snapshot release.

	Portability: after sending a socket, the scache(8) server
	now waits for an ACK from the connection cache client before
	closing the socket that it just sent. Files: scache/scache.c,
	global/scache_clnt.c. This code is back-ported from the
	Postfix 2.3 snapshot release.

20050711-3

	Portability: on LP64 systems, integer expressions are int,
	but sizeof() and pointer difference expressions are larger.
	Point fixes for a few discrepancies with variadic functions
	that expect int (the permanent fix is to change the receiving
	modules, but that results in too much change, and is not
	allowed in the stable release).  Files: tls/tls_scache.c,
	util/clean_env.c, util/vstring.h, smtpstone/qmqp-source.c.

20050806

	Workaround: accept(2) fails with EPROTO when the client
	already disconnected (SunOS 5.5.1). File: sane_accept.c.

20050815

	Workaround: old Solaris compilers can't link an archive
	without globally visible symbols. File: tls/tls_misc.c.

20050922

	Bugfix: the *SQL clients did not uniformly choose the
	database host from the available pool of servers due to an
	off-by-one error, so that the "last" available server was
	not selected. Leandro Santi. Files: dict_mysql.c, dict_pgsql.c.

20050929

	Paranoia: don't ignore garbage in SMTP or LMTP server replies
	when ESMTP command pipelining is turned on. For example,
	after sending ".<CR><LF>QUIT<CR><LF>", Postfix could recognize
	the server's 2XX QUIT reply as a 2XX END-OF-DATA reply after
	garbage, causing mail to be lost. The SMTP and LMTP clients
	now report a remote protocol error and defer delivery.
	Files: smtp/smtp_chat.c, smtp/smtp_trouble.c, lmtp/lmtp_chat.c,
	lmtp/lmtp_trouble.c.

20051011

	Bugfix: raise the "policy violation" flag when a client
	request exceeds a concurrency or rate limit.  File:
	smtpd/smtpd.c.

	Bugfix (cut-and-paste error): don't reply with 421 (too
	many MAIL FROM or RCPT TO commands) when we aren't closing
	the connection.  File: smtpd/smtpd.c.

20051013

	Bugfix: don't do smtpd_end_of_data_restrictions after the
	transaction failed due to, e.g., a write error.  File:
	smtpd/smtpd.c.

	Cleanup: the SMTP server now enforces the message_size_limit
	even when the client did not send SIZE information with the
	MAIL FROM command.  This protects before-queue content
	filters against over-size messages.  File: smtpd/smtpd.c.

20051105

	Workaround: the next-hop logical destination information
	for connection caching was reset only after a good non-TLS
	connection, so that cached connections to non-TLS backup
	servers could suck away traffic from TLS primary servers
	(the Postfix SMTP client cannot cache an open TLS connection).
	Found during code review. Fixing this requires more change
	than is allowed in a stable release.  File: smtp/smtp_connect.c.

20051108

	Bugfix: two messages could get the same message ID due to
	a race condition. This time window was increased when queue
	file creation was postponed from MAIL FROM until the first
	accepted RCPT TO.  The window is closed again. Found by
	Victor. Files: global/mail_stream.c, global/mail_queue.c,
	cleanup/cleanup_message.c. This code is back-ported from
	the Postfix 2.3 snapshot release.

20051119

	Bugfix: the queue manager did not write a per-recipient
	defer logfile record when the delivery agent crashed after
	the initial handshake with the queue manager, and before
	reporting the delivery status to the queue manager.  Files:
	*qmgr/qmgr_deliver.c.

20051126

	Log warning when REDIRECT, FILTER, HOLD and DISCARD are
	used in smtpd_etrn_restrictions. File: smtpd/smtpd_check.c.

20051128

	Bugfix: moved code around from one place to another to make
	REDIRECT, FILTER, HOLD and DISCARD access(5) table actions
	work in smtpd_end_of_data_restrictions.  PREPEND will not
	be fixed; it must be specified before the message content
	is received.  Files: smtpd/smtpd.c, smtpd/smtpd_check.c,
	cleanup/cleanup_extracted.c, pickup/pickup.c.

20051201

	Bugfix: the LMTP client would reuse a session after negative
	reply to the RSET command (which may happen when client and
	server somehow get out of sync). Problem found by Christian
	Theune.  Files: lmtp/lmtp.c, lmtp/lmtp_proto.c.

20051207

	Bugfix: race condition in the connection caching protocol,
	causing the SMTP delivery agent to hang after delivering
	mail, while trying to save a connection. Introduced with
	Postfix 2.2.5.  Files: scache/scache.c.

20051208

	Bugfix: the best_mx_transport, mailbox_transport and
	fallback_transport features did not write a per-recipient
	defer logfile record when the target delivery agent was
	broken.  This is the analog of queue manager bugfix 20051119.
	Files: global/deliver_pass.c.

20051212

	Bugfix: an EHLO I/O error after STARTTLS would be reported
	as a STARTTLS I/O error. File: smtp/smtp_proto.c.

20051213

	Bugfix: the *SQL, proxy and LDAP maps were not defined in
	user-land commands such as postqueue. Leandro Santi. File:
	postqueue/postqueue.c.

20051225

	Workaround: the regexp map cleverly avoided scanning constant
	results for non-existent $number expressions, but failed
	to subject those constant results to $$ -> $ replacement.
	Since fixing this requires too much change for a stable
	release, the optimization is turned off (it doesn't exist
	in the 2.2 PCRE map, either). Files: util/dict_regexp.c.

20051231

	Bugfix: the anvil server would terminate after "max_idle"
	seconds, even when this was less than the anvil_rate_time_unit
	interval. File: anvil/anvil.c.

20060101

	Portability: 64-bit support for LINUX chroot script by Keith
	Owens.  File: examples/chroot-setup/LINUX2.

20060103

	Backout: the Postfix 2.2.6 paranoia about garbage in remote
	server replies caused "multiple delivery" problems or "no
	delivery" problems with broken servers/firewalls. Postfix
	still logs a warning but no longer defers delivery.  File:
	smtp/smtp_chat.c.

	Portability: FreeBSD 6 is a supported platform. Files:
	util/sys_defs.h, makedefs.

20010604

	Safety: new "smtp_cname_overrides_servername" parameter.
	The default value ("yes") is backwards compatible.

	With a value of "no", the Postfix SMTP client no longer
	allows CNAME expansion to override the hostname that is
	used for logging, SASL password lookup, TLS policy decisions,
	or TLS certificate verification.  Instead it uses the name
	of the recipient domain, the host or domain name specified
	in Postfix configuration files, or the hostnames obtained
	with MX lookups. To prevent cheating with hostnames in MX
	lookup results, you will have to suppress MX lookups with
	explicit [hostname] entries in transport maps. Files:
	dns/dns_lookup.c, dns/dns_rr.c, proto/postconf.proto.

20060108

	Bugfix: mailbox_command_maps was not subject to $name
	expansion. File: local/local.c.

20060115

	Bugfix: don't ignore the per-site policy when SSL library
	initialization fails. Introduced after adopting the TLS
	patch. File: smtp/smtp_session.c.

20060121

	Bugfix: a TLS per-site MUST_NOPEERMATCH policy could not
	override a stronger main.cf policy, while a per-site NONE
	policy could. Fixed with a clean re-implementation from
	Postfix 2.3.  File: smtp/smtp_session.c.

	Bugfix: a combined TLS per-site (host, recipient) policy
	of (NONE, MAY) changed a global MUST policy into NONE, and
	a global MUST_NOPEERMATCH into MAY. The result is now NONE.
	Problem found by exhaustive simulation. Fixed with a clean
	re-implementation from Postfix 2.3.  File: smtp/smtp_session.c.

20060130

	Bugfix: an empty remote_header_rewrite_domain value caused
	trivial-rewrite to dereference a null pointer, but only in
	regression tests, not in production.  Postfix rewrites
	addresses in the remote rewriting context only when the
	remote_header_rewrite_domain parameter value is non-empty.
	File: trivial-rewrite/rewrite.c.

20060202

	Workaround: a malformed domain name lookup result (such as
	null MX record) is now treated as a hard error, so that
	Postfix will no longer repeatedly try to deliver mail until
	the message expires in the queue.  However, this will not
	reject mail with reject_unknown_sender/recipient_domain.
	That would require too much change for a stable release.
	File: dns/dns_lookup.c.

20060203

	Bugfix: smtpd core dump when SASL is compiled in, turned
	off (smtpd_sasl_auth_enable = no) and permit_sasl_authenticated
	is specified in local_header_rewrite_clients. Victor Duchovni.
	File: smtpd/smtpd_check.c.

20060204

	Bugfix: disable the content_filter feature for user-requested
	"sendmail -bv" probes, just like it is disabled for probes
	generated by Postfix itself.  File: *qmgr/qmgr_message.c.

20060212

	Workaround: don't consume in_flow tokens when incoming mail
	is placed on hold. Back-ported from Postfix 2.3. File:
	cleanup/cleanup_api.c.

20060310

	Workaround: null-terminate the input after stripping CR,
	and before passing the input to the MIME processor. Leandro
	Santi. The fix, a rewrite of the MIME processor input
	handling, is too much change for a stable release. File:
	sendmail/sendmail.c.

20060315

	Workaround: the PCRE library reports an inappropriate error
	code (invalid substring) when $number refers to a valid ()
	expression that matches the null string. This caused fatal
	run-time errors.  File: dict_pcre.c.

20060324

	Bugfix: mis-placed parenthesis in SMTP before-filter error
	test. A filter timeout was mis-reported as lost connection.
	Found in code review.  File: smtpd/smtpd_proxy.c.

20060403

	Bugfix: the pipe-to-command error message was lost when the
	command could not be executed. File: global/pipe_command.c.

20060404

	Bugfix in sanity check: after reading a record from the
	address verification database, a sanity check did not reject
	a record with all-zero time stamp fields.  Such records are
	never written; the test is there just in case something is
	broken, so that Postfix will not blindly march on and create
	chaos. The sanity check tested pointer values, instead of
	dereferencing the pointers.  Found by Coverity.  File:
	verify/verify.c.
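
The sanity check bug described in the verify.c entry above, as an added C illustration that is not code from Postfix: the record layout "status:probed:updated:text", the function names and the sample record are assumptions made for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return 1 when s is a non-empty string of decimal digits. */
static int all_digits(const char *s)
{
    if (*s == 0)
        return 0;
    for (; *s; s++)
        if (!isdigit((unsigned char) *s))
            return 0;
    return 1;
}

/* Parse "status:probed:updated:text" (layout assumed for this example) and
 * apply the time stamp sanity check: deref = 0 reproduces the bug, deref = 1
 * is the corrected test. Returns 0 when accepted, -1 when rejected. */
static int parse_record(const char *rec, int deref, long *probed, long *updated)
{
    char buf[128];
    char *f1, *f2, *f3;

    if (strlen(rec) >= sizeof(buf))
        return -1;
    strcpy(buf, rec);
    if ((f1 = strchr(buf, ':')) == 0 || (f2 = strchr(f1 + 1, ':')) == 0
        || (f3 = strchr(f2 + 1, ':')) == 0)
        return -1;
    *f1++ = 0;
    *f2++ = 0;
    *f3 = 0;
    if (!all_digits(buf) || !all_digits(f1) || !all_digits(f2))
        return -1;
    *probed = atol(f1);
    *updated = atol(f2);
    if (deref)
        return (*probed || *updated) ? 0 : -1;  /* tests the stored values */
    return (probed || updated) ? 0 : -1;  /* tests addresses: true for non-null */
}

int main(void)
{
    long p, u;
    const char *rec = "0:0:0:constructed all-zero record";
    printf("pointer test: %d, value test: %d\n",
           parse_record(rec, 0, &p, &u), parse_record(rec, 1, &p, &u));
    return 0;
}
```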

	Bugfix in sanity check: when the maildir delivery routine
	opens an output file it looks up the file attributes via
	the file handle it just got.  There is a sanity check that
	detects if the attribute lookup fails, an error that never
	happens. The code that handles the impossible error did not
	close the output file. This would cause a virtual or local
	delivery agent to waste up to 100 file descriptors.  But
	for that error to happen the system would have to be so
	sick that you would have more serious problems than a file
	descriptor leak.  Found by Coverity.  Files: local/maildir.c,
	virtual/maildir.c.

20060411

	Bugfix: the SMTP server logged no warning when for some
	reason the TLS engine was unavailable in wrappermode. Victor
	Duchovni.  File: smtpd/smtpd.c.

20060430

	Bugfix: dangling pointer in a function that has no caller.
	Found by Coverity. File: tls/tls_prng_exch.c.

	Bugfix: the workaround for CA-2003-07 (Sendmail) did not
	null terminate the address before logging a warning. Reported
	by Kris Kennaway. File: global/tok822_parse.c.

20060516

	Portability: __float80 alignment, by Albert Chin.  File:
	util/sys_defs.h.

20060524

	Cleanup: send ETRN command parameter when using check_policy
	in the context of an ETRN command. Joshua Goodall. File:
	smtpd/smtpd_check.c.

20060604

	Bugfix: the HOLD feature in access or header/body_checks
	tables didn't properly report subdirectory create errors
	(which don't happen because the hold queue isn't hashed by
	default). Found with the BEAM code scanner. File:
	global/hold_message.c.

	Cleanup: minor fluff found with the BEAM source code analyzer.
	File: util/safe_open.c.

20060611

	Security: the PostgreSQL client was updated after major
	database API changes in response to PostgreSQL security
	issues. This breaks support for PGSQL versions prior to
	8.1.4, 8.0.8, 7.4.13, and 7.3.15. Support for these requires
	major code changes which are not possible in the time that
	is left for the Postfix 2.3 stable release.

	Specific PostgreSQL client changes: use connection-aware
	quoting, and more robust PQexec() result handling.  Previous
	versions of the dict_pgsql driver didn't check the status
	of the result pointer, and certain exceptional events can
	be mis-interpreted as an empty result set.  Fixes by Leandro
	Santi. File: global/dict_pgsql.c.

20060626

	Workaround: disable SMTP connection cache lookup by server
	IP address when the tls_per_site policy table is enabled.
	Different server names may resolve to the same IP address,
	and we don't want to use the wrong TLS policy.  File:
	smtp/smtp_reuse.c.

20060706

	Workaround: disable SMTP connection cache lookup by server
	IP address when the smtp_sasl_password_maps password feature
	is enabled.  Different server names may resolve to the same
	IP address, and we don't want to use the wrong SASL
	credentials. File: smtp/smtp_reuse.c.

	Bugfix: don't reuse a plaintext connection when the TLS
	policy requires encryption. This can happen because we have
	to search the connection cache before we know the
	server-dependent TLS policy. It does not eliminate the
	problem that we may still be using the wrong policy because
	the cached server name was obtained in an insecure manner.
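
The connection reuse problem behind the smtp_reuse.c entries of 20060626 and 20060706 and the plaintext reuse bugfix above, as an added C illustration that is not code from Postfix: the structures, function names, simplified policy levels and sample hosts are assumptions made for this example. It models only the plaintext reuse check, not the remaining problem of a server name that was obtained insecurely.

```c
#include <stdio.h>
#include <string.h>

enum tls_level { TLS_NONE, TLS_MAY, TLS_MUST };  /* simplified for this example */

struct cached_conn {            /* connection cache entry, looked up by IP address */
    const char *addr;
    int encrypted;              /* 1 when the session was upgraded with STARTTLS */
};
struct site_policy { const char *name; enum tls_level level; };

/* Constructed data: both names resolve to 192.0.2.25 (documentation range). */
static struct cached_conn cache[] = { { "192.0.2.25", 0 } };
static const struct site_policy per_site[] = {
    { "relay.example.net", TLS_NONE },
    { "secure.example.com", TLS_MUST },
};

static enum tls_level policy_for(const char *name)
{
    size_t i;
    for (i = 0; i < sizeof(per_site) / sizeof(per_site[0]); i++)
        if (strcmp(per_site[i].name, name) == 0)
            return per_site[i].level;
    return TLS_MAY;             /* assumed default without a per-site entry */
}

/* Look up a cached connection by address. With enforce set, a plaintext
 * connection is withheld when the policy for the destination name requires
 * encryption, so the caller opens a new connection and negotiates TLS. */
static struct cached_conn *reuse_by_addr(const char *name, const char *addr, int enforce)
{
    size_t i;
    for (i = 0; i < sizeof(cache) / sizeof(cache[0]); i++) {
        if (strcmp(cache[i].addr, addr) != 0)
            continue;
        if (enforce && policy_for(name) == TLS_MUST && !cache[i].encrypted)
            return NULL;
        return &cache[i];
    }
    return NULL;
}

int main(void)
{
    const char *n = "secure.example.com", *a = "192.0.2.25";
    printf("lookup by address only: %s\n", reuse_by_addr(n, a, 0) ? "reused" : "new");
    printf("with policy check:      %s\n", reuse_by_addr(n, a, 1) ? "reused" : "new");
    return 0;
}
```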

20060707