Skip to content
HISTORY 524 KiB
Newer Older
Boris Mühmer's avatar
Boris Mühmer committed
	take *size_t arguments or return *size_t results.

	Simply changing every data object size or offset to size_t
	(which is unsigned!) would be dangerous.  A lot of code was
	written assuming signed arithmetic and rejects negative
	lengths, which can happen as the result of integer overflow.
Boris Mühmer's avatar
Boris Mühmer committed

	Portability: on LP64 systems, integer expressions are int,
	but sizeof() and pointer difference expressions are larger.
Boris Mühmer's avatar
Boris Mühmer committed
	The above changes fixed a few discrepancies with function
	calls where *size_t was passed while the old code expected
	an int: clean_env() versus argv_addn(), and code that sent
	binary blobs via the TLS session cache manager protocol.

20050711

	Bugfix: don't include <> when auto-generating an ORCPT
	address from a client RCPT TO command. File: smtpd.c.

20050712

	Cleanup: cleanup_out_recipient() still generated DSN records
	that were incompatible with pre-DSN Postfix versions.  File:
	cleanup/cleanup_out_recipient.c.

20050716

	Bugfix: the smtpd_sasl_authenticated_header code did not
	check if SASL was actually enabled. File: smtpd/smtpd.c.

20050720

	Feature: reverse client hostname. This is set at connection
	time with information from the SMTP client address->name
	mapping, and can be overruled with the REVERSE_NAME attribute
	in the XCLIENT command. File: smtpd/smtpd_peer.c.

	Cleanup: renaming of several confusing restriction names:
	reject_unknown_client -> reject_unknown_client_hostname,
	reject_unknown_hostname -> reject_unknown_helo_hostname,
	reject_invalid_hostname -> reject_invalid_helo_hostname,
	and reject_non_fqdn_hostname -> reject_non_fqdn_helo_hostname.
	The old names are still recognized and documented.  Files:
	global/mail_params.h, smtpd/smtpd.c, smtpd/smtpd_check.c.

	Feature: reject_unknown_reverse_client_hostname. This rejects
	clients that have no address to name mapping (unlike the
	reject_unknown_client_hostname feature which requires that
	the address->name and name->address mappings resolve to the
	client IP address).  Files: global/mail_params.h,
	smtpd/smtpd_peer.c, smtpd/smtpd.c, smtpd/smtpd_check.c.

20050726

	Horror: total rewrite of DNS client error handling because
	some misguided proposal attempts to give special meaning
	to some syntactically invalid MX hostname lookup result.
	Not only that, people expect sensible results with
	reject_unknown_sender_domain etc.  Files: dns/dns_lookup.c,
	smtp/smtp_addr.c smtpd/smtpd_check.c, lmtp/lmtp_addr.c.

	Cleanup: HOLD action executes only once, to reduce noise
	in the logfile. Files: cleanup/cleanup_message.c, smtpd/smtpd.c.
Boris Mühmer's avatar
Boris Mühmer committed

20050806

	Workaround: accept(2) fails with EPROTO when the client
	already disconnected (SunOS 5.5.1). File: sane_accept.c.

20050815

	Workaround: old Solaris compilers can't link an archive
	without globally visible symbols. File: tls/tls_misc.c.

Boris Mühmer's avatar
Boris Mühmer committed
20050825

	Feature: message_reject_characters and message_strip_characters
	specify what characters in message content Postfix will
	reject or remove. Based on patch by John Fawcett. Files:
	cleanup/cleanup_message.c, cleanup/cleanup_init.c.

	Safety: when the cleanup server rejects the content of mail
	that is submitted with the Postfix sendmail command, or
	re-queued with "postsuper -r", strip the message body from
	the bounce message to reduce the risks from harmful content.
	Files: cleanup/cleanup_envelope.c, cleanup/cleanup_bounce.c.

	Feature: the smtpd_proxy_filter parameter value can now be
	prefixed with "unix:" (for UNIX-domain socket) and "inet:"
	(for TCP socket). TCP sockets are the default.  Patch by
	Edwin Kremer. File: smtpd/smtpd_proxy.c.

20050828

	Bugfix: after adding DSN support, error notification was
	broken for too large mail that was submitted with the Postfix
	sendmail command, forwarded by the local(8) delivery agent,
	or re-queued with "postsuper -r". The message would be saved
	to the "corrupt" queue.

	The mistake was to leave the truncated message in the
	incoming queue and to ask the queue manager to notify the
	sender; this was not possible because the queue manager
	cannot (and should not) handle truncated queue files.

	The fix is to have the cleanup server send the bounce
	message, just like it did before DSN support was added.  As
	a side effect, Postfix will no longer send DSN_SUCCESS
	notices after virtual aliasing, when the cleanup server
	bounces all the recipients of the message anyway.  This
	could be called a feature.  File: cleanup/cleanup_bounce.c.

	Also needed for this fix: a new vstream_fpurge() routine
	that discards unread/written data from a VSTREAM.  It's
	needed before cleanup_bounce() can seek to the start of the
	queue file after a file size error. File: util/vstream.c.

20050920

	Cleanup: removed the legacy "tls_info" structure, factored
	out common code for peer_CN and issuer_CN lookup, and added
	sanity check to not verify subject common names that contain
	nulls or that are execessively long. Patch by Victor Duchovni.
	Files: tls_client.c, tls_server.c, tls_session.c, tls_misc.c,
	tls_verify.c.
	
Boris Mühmer's avatar
Boris Mühmer committed
20050922

	Bugfix: the *SQL clients did not uniformly choose the
	database host from the available pool of servers due to an
	off-by-one error, so that the "last" available server was
	not selected. Leandro Santi. Files: dict_mysql.c, dict_pgsql.c.

Boris Mühmer's avatar
Boris Mühmer committed
	Update: common code factored out into db_common.c, and
	adoption of Liviu Daia's connection aware MySQL quoting.
	Patch by Victor Duchovni.  Files: dict_ldap.c, dict_mysql.c,
	dict_pgsql.c, db_common.c.

20050923

	Safety: don't update the local(8) delivery agent's idea of
	the Delivered-To: address while expanding aliases or .forward
	files. When an alias or .forward file changes the Delivered-To:
	address, it ties up one queue file and one cleanup process
	instance while mail is being forwarded.  To get the old
	behavior, specify "frozen_delivered_to = no".  Problem
	reported by Michael Tokarev, but found independently by
	others.  Files: local/local.c, local/aliases.c, local/dotforward.c,
	local/mailbox.c, local/maildir.c.

	Logging: additional SASL debug logging by Andreas Winkelmann.
	Files: */*sasl_glue.c.

Boris Mühmer's avatar
Boris Mühmer committed
20050929

	Paranoia: don't ignore garbage in SMTP or LMTP server replies
	when ESMTP command pipelining is turned on. For example,
	after sending ".<CR><LF>QUIT<CR><LF>", Postfix could recognize
	the server's 2XX QUIT reply as a 2XX END-OF-DATA reply after
	garbage, causing mail to be lost. The SMTP and LMTP clients
	now report a remote protocol error and defer delivery.
	Files: smtp/smtp_chat.c, smtp/smtp_trouble.c, lmtp/lmtp_chat.c,
	lmtp/lmtp_trouble.c.

Boris Mühmer's avatar
Boris Mühmer committed
	Performance: specify "smtpd_peername_lookup = no" to disable
	client hostname lookups in the SMTP server. All clients are
	treated as "unknown". This should be used only under extreme
	conditions where DNS lookup latencies are critical. File:
	smtpd/smtpd_peer.c.

20051010

	Feature: smtpd_client_new_tls_session_rate_limit parameter
	to limit the number of new (i.e. uncached) TLS sessions
	that a remote SMTP client may negotiate per unit time. This
	feature, which is off by default, can limit the CPU load
	due to expensive crypto operations.  Files: global/anvil_clnt.c,
	anvil/anvil.c, smtpd/smtpd.c.

	Cleanup: eliminated massive code duplication in the anvil
	server that resulted from adding similar features one at a
	time.  File: anvil/anvil.c.

Boris Mühmer's avatar
Boris Mühmer committed
20051011

	Bugfix: raise the "policy violation" flag when a client
	request exceeds a concurrency or rate limit.  File:
	smtpd/smtpd.c.

	Bugfix (cut-and-paste error): don't reply with 421 (too
	many MAIL FROM or RCPT TO commands) when we aren't closing
	the connection.  File: smtpd/smtpd.c.

Boris Mühmer's avatar
Boris Mühmer committed
20051012

	Polishing: content of comments and sequence of code blocks
	in the anvil server, TLS request rate error message in the
	smtp server, and documentation, but no changes in code.
	Files: anvil/anvil.c, smtpd/smtpd.c.
 
Boris Mühmer's avatar
Boris Mühmer committed
	Horror: some systems have basename() and dirname() and some
	don't; some implementations modify their input and some
	don't; and some implementations use a private buffer that
	is overwritten upon the next call. Postfix will use its own
	safer versions called sane_basename() and sane_dirname().
	These never modify the input, and allow the caller to control
	how memory is allocated for the result.  File:
	util/sane_basename.c.

	Feature: "sendmail -C path-to-main.cf" and "sendmail -C
	config_directory" now do what one would expect. File:
	sendmail/sendmail.c.

Boris Mühmer's avatar
Boris Mühmer committed
	Bugfix: don't do smtpd_end_of_data_restrictions after the
	transaction failed due to, e.g., a write error.  File:
	smtpd/smtpd.c.

	Cleanup: the SMTP server now enforces the message_size_limit
	even when the client did not send SIZE information with the
	MAIL FROM command.  This protects before-queue content
	filters against over-size messages.  File: smtpd/smtpd.c.

Boris Mühmer's avatar
Boris Mühmer committed
20051017

	Bugfix: after DSN support was added, smtp_skip_5xx_greeting
	no longer recognized a 5xx SMTP status as a 4xx one. Found
	by Ralf Hildebrandt. Fix: use the enhanced status code
	instead of the SMTP reply code to choose between permanent
	or transient errors. File: smtp/smtp_trouble.c.

	Feature: smtp-sink can hard-reject, soft-reject or simply
	drop connection requests.  File: smtpstone/smtp-sink.c.

	Documentation: clarified the processing of server replies,
	specifically the reply code and the enhanced status code,
	in smtp_chat.c.
Boris Mühmer's avatar
Boris Mühmer committed
20051024

	Performance: new smtp_connection_reuse_time_limit parameter to
	limit connection reuse by elapsed time, instead of limiting
	the number of deliveries per connection.  Bounding by time
	favors delivery over connections that perform well, while
	bounding by number of deliveries allows slow connections
	to drag down the performance.  Insight and initial
	implementation by Victor Duchovni, Morgan Stanley. Files:
	smtp_connect.c, smtp_session.c,

	Bugfix: the next-hop logical destination information for
	connection caching was reset only after a good non-TLS
Boris Mühmer's avatar
Boris Mühmer committed
	connection, so that cached connections to non-TLS backup
	servers could suck away traffic from TLS primary servers
	(the Postfix SMTP client cannot cache an open TLS connection).
Boris Mühmer's avatar
Boris Mühmer committed
	Found during code review. This is fixed with multi-valued
	connection caching state: expired, cachable, non-cachable,
	and bad.  Files: smtp_connect.c, smtp_trouble.c.

	Bugfix: adding support for "sendmail -C" broke "sendmail
	-q".  File: sendmail/sendmail.c.

20051101

	Migration from a single "arrival time" stamp to a structure
	with time stamps from different stages of message delivery.
	The first iteration merely replaces "arrival time" stamps
	by a structure or pointer to structure, and uses only the
	arrival time field of that structure.  This is an extensive
	but straightforward transformation, based on example by
	Victor Duchovni, Morgan Stanley.  Files: anything that
	invokes bounce_append etc., the log_adhoc module, and
	anything that sends or receives a delivery request.

20051102

	Completion of support for time stamps from different stages
	of message delivery. The information is now logged as
	"delays=a/b/c/d" where a=time before queue manager, including
	message transmission; b=time in queue manager; c=connection
	setup including DNS, HELO and TLS; d=message transmission
	time. Unlike Victor's example which used time differences,
	this implementation uses absolute times. The decision of
	what numbers to subtract actually depends on program history,
	so we want to do it in one place.  Files: global/log_adhoc.c,
	smtp/smtp_connect.c, smtp/smtp_proto.c, smtp/smtp_trouble.c,
	lmtp/lmtp_proto.c, lmtp/lmtp_trouble.c.

20051103

	Refinement of time stamping and delays formatting.  The
	hand-off time is now stamped in the delivery agent, so that
	time is properly attributed when a transport is saturated
	or throttled.  Delays are now logged if larger than 0.01
	second. Files: *qmgr/qmgr_deliver.c, global/deliver_request.c,
	global/log_adhoc.c.

20051104

	New parameter delay_logging_time_resolution (default: 10000
	microseconds, or 0.01 second) that controls the detail in
	the new "delays=a/b/c/d" logging. Specify a power of 10
	in the range from 1 to 100000. File: global/log_adhoc.c.
	Parameter renamed 20051108.

20051105

	All delay logging now has sub-second resolution. This means
	updating all code that reads or updates the records that
	specify when mail arrived, and ensuring that mail submitted
	with older Postfix versions produces sensible results.
	Files: global/post_mail.c, global/mail_timeofday.[hc],
	global/log_adhoc.c, postdrop/postdrop.c, pickup/pickup.c,
	cleanup/cleanup_envelope.c, cleanup/cleanup_message.c,
	smtpd/smtpd.c, qmqpd/qmqpd.c, *qmgr/qmgr_message.c,
	*qmgr/qmgr_active.c, local/forward.c.

20051106

	The SMTP client logs the remote server port in the form of
	relay=hostname[hostaddr]:port to the local maillog file.
	The port number is NOT included in DSN status reports,
	because remote users have no need to know such internal
	information.  Files: smtp/smtp_session.c, smtp/smtp_proto.c,
	smtp/smtp_trouble.c.

	Cleanup: encapsulated queue file time read/write operations
	with a few simple macros, to make future changes in time
	representation less painful.
Boris Mühmer's avatar
Boris Mühmer committed
	Cleanup: eliminated floating point operations from the
	ad-hoc delay logging code. Files: util/format_tv.[hc],
	global/log_adhoc.c.

	The delay logging resolution is now controlled with the
	delay_logging_resolution_limit parameter, which specifies
	the maximal number of digits after the decimal point.

Boris Mühmer's avatar
Boris Mühmer committed
	Bugfix: two messages could get the same message ID due to
	a race condition. This time window was increased when queue
	file creation was postponed from MAIL FROM until the first
	accepted RCPT TO.  The window is closed again. Found by
	Victor. Files: global/mail_stream.c, global/mail_queue.c,
Boris Mühmer's avatar
Boris Mühmer committed
	cleanup/cleanup_message.c.

20051109

	qshape.pl updated for extra microsecond time field in Postfix
	queue files.

	Cleanup: removed obsolete code that handles rejected/dropped
	connections before the HELO handshake. File: smtp/smtp_connect.c.

	Bugfix: XCLIENT broke when reverse hostname support was added.
	Fix by Tomoyuki Sakurai. File: smtpd/smtpd.c.

20051110

	Workaround: don't set the delay warning timer for messages
	from inside or from outside that have the null sender as
	recipient. This was a waste of time, because the warning
	would always be discarded.  File: cleanup/cleanup_envelope.c.

	Feature: the built-in mail delivery status notification
	text is now implemented by built-in templates. Files:
	bounce/bounce_template.c, bounce/bounce_notify_util.c.

20051112

	Feature: configurable bounce message templates based on
	contribution by Nicolas Riendeau. I kept the general format
	of his templates, but placed them together in one file to
	reduce process initialization overhead (most requests to
	the bounce daemon are not for sending bounce messages).
	Files: bounce/bounce_template.c, bounce/dict_ml.c (to be
	moved to library if useful enough). A sample bounce message
	template file is installed as $config_directory/bounce.cf.default.

20051113

	Feature: "postconf -b filename" to preview the non-default
	bounce message templates with $name expansions in the text.
	The actual work is of course done by the bounce daemon.

20051114

	Feature: -V option to make Postfix daemons to log to stderr.
	This is used when a daemon is invoked in stand-alone mode
	by a (non-daemon) command.

	Feature: "postconf -t" displays DSN templates, headers and
	all; use postconf -t ''" to view built-ins.

	Cleanup: renamed fail_template into failure_template.

20051117

	Cleanup: bounce template code reorg, no functionality change.
	Files: bounce/bounce_template.[hc], bounce/bounce_templates.c,
	bounce/bounce_notify_util.c.

20051118

	Bugfix: new bounce template code did not return after
	template syntax error. File: bounce/bounce_template.c

	Safety: permit_mx_backup now requires that the local MTA
	is not listed as primary MX for the recipient domain. This
	prevents mail loops when someone points the primary MX
	record to Postfix.
Boris Mühmer's avatar
Boris Mühmer committed
	Workaround: some SMTP servers announce multiple but different
	lists of SASL methods. Postfix now concatenates the lists
	instead of logging a warning and remembering only one. File:
	smtp/smtp_sasl_proto.c.

Boris Mühmer's avatar
Boris Mühmer committed
	Bugfix: the queue manager did not write a per-recipient
Boris Mühmer's avatar
Boris Mühmer committed
	defer logfile record when the delivery agent crashed between
	receiving a delivery request, and reporting the delivery
	status to the queue manager.  Found while redesigning the
	code that handles unavailable transports or destinations.
	Files: *qmgr/qmgr_deliver.c.

20051121

	Workaround: do not build the bounce.cf.default template
	while compiling Postfix  - it breaks when the default
	mail_owner etc. accounts don't exist.  Reported by Liviu
	Daia.

	Compatibility: added permit_auth_destination emulation to
	the permit_mx_backup feature. This avoids surprises with
	sites that used permit_mx_backup to authorize all their
	incoming mail.

20051122-24

	Feature: sender_dependent_relayhost_maps, lookup tables that specify
	a sender-dependent override for the relayhost parameter
	setting.  The lookup is done in the trivial-rewrite server,
	instead of the queue manager where it does not belong.
	Files: global/resolve_clnt.c, global/tok822_resolve.c,
	trivial-rewrite/resolve.c, trivial-rewrite/transport.c,
	*qmgr/qmgr_message.c.

	Also: address_verify_sender_dependent_relayhost_maps for
	completeness.

20051124

	Feature: specify "smtp_sender_dependent_authentication =
	yes" to enable sender-dependent SASL passwords. This disables
	SMTP connection caching to ensure that mail from different
	senders is delivered with the appropriate credentials. This
	is an extended version of a patch by Mathias Hasselmann.
	Files: smtp/smtp_connect.c, smtp/smtp_sasl_glue.c.
Boris Mühmer's avatar
Boris Mühmer committed
	Workaround: log warning when REDIRECT or FILTER are used
	in smtpd_end_of_data_restrictions. File: smtpd/smtpd_check.c.

Boris Mühmer's avatar
Boris Mühmer committed
	Log warning when REDIRECT, FILTER, HOLD and DISCARD are
	used in smtpd_etrn_restrictions. File: smtpd/smtpd_check.c.

20051128

	Bugfix: moved code around from one place to another to make
	REDIRECT, FILTER, HOLD and DISCARD access(5) table actions
	work in smtpd_end_of_data_restrictions.  PREPEND will not
	be fixed; it must be specified before the message content
	is received.  Files: smtpd/smtpd.c, smtpd/smtpd_check.c,
	cleanup/cleanup_extracted.c, pickup/pickup.c.

Boris Mühmer's avatar
Boris Mühmer committed
	Safety: abort if the SMTP or QMQP server runs with non-postfix
	privileges while it's connected to the network.  Files:
	smtpd/smtpd_peer.c, qmqpd/qmqpd_peer.c.

Boris Mühmer's avatar
Boris Mühmer committed
20051201

	Bugfix: the LMTP client would reuse a session after negative
	reply to the RSET command (which may happen when client and
	server somehow get out of sync). Problem found by Christian
	Theune.  Files: lmtp/lmtp.c, lmtp/lmtp_proto.c.

Boris Mühmer's avatar
Boris Mühmer committed
20051202

	Bugfix: the 20051128 code move for "smtpd_end_of_data_restrictions"
	broke "postsuper -r".

20051202-3

	Cleanup: the SMTP client now also implements the LMTP
	protocol.  Files: smtp/smtp.c, smtp/smtp_connect.c,
	smtp/smtp_proto.c, smtp/smtp_dsn.c, smtp_state.c,
	smtp_sasl_glue.c.

	As before, the LMTP behavior is controlled with parameters
	named lmtp_xxx instead of smtp_xxx.  However there are now
	a lot more lmtp_xxx parameters :-) With few exceptions, all
	SMTP features are now also available with LMTP. The exceptions
	are related to the HELO and EHLO commands, which exist in
	SMTP only. There are equivalent LHLO command parameters
	where it makes sense.

20051206

	SMTP+LMTP client connection management code rewritten to
	support UNIX-domain socket connections.

Boris Mühmer's avatar
Boris Mühmer committed
20051207

	Bugfix: race condition in the connection caching protocol,
Boris Mühmer's avatar
Boris Mühmer committed
	found while adding connection caching for UNIX-domain sockets
	(used for LMTP delivery).  This was introduced with the
	20050706 workaround, and may the same problem that Jussi
	Silvennoinen experienced (in Postfix 2.2.6) with SMTP after
	an upgrade.  Files: scache/scache.c.

	Bugfix: smtp-sink and qmqp-sink didn't ignore SIGPIPE.
Boris Mühmer's avatar
Boris Mühmer committed
	Robustness: reduced timeouts in the connection caching
	client, so that a malfunctioning service does not prevent
	mail delivery. This uses similar code that already exists
	for the anvil(8) client and the tlsmgr(8) client. Files:
	global/scache_clnt.c, smtp/smtp.c.

	To make reduced connection caching client timeouts possible,
	connection management was moved from the attr_clnt(3) module
	to the auto_clnt(3) module where it belongs. The auto_clnt(3)
	module is now a full alternative for the clnt_stream(3)
	module. Files: util/auto_clnt.c, util/attr_clnt.c.

Boris Mühmer's avatar
Boris Mühmer committed
	Bugfix: the best_mx_transport, mailbox_transport and
	fallback_transport features did not write a per-recipient
	defer logfile record when the target delivery agent was
	broken.  This the analog of queue manager bugfix 20051119.
	Files: global/deliver_pass.c.
Boris Mühmer's avatar
Boris Mühmer committed
	
20051210

	Cleanup: simplified the SMTP/LMTP connection management
	logic for address list and fallback relay processing.
	Still need to simplify deferred recipient handling.
Boris Mühmer's avatar
Boris Mühmer committed
	Bugfix: after a failed TLS session, the 20051210 SMTP client
	code cleanup broke sessions with backup servers, causing the
	client to get out of step with the backup server.  This in
	turn exposed a one-year old missing exception handling
	context in the EHLO handstake after sending STARTTLS. Victim
	was Ralf Hildebrandt, detectives Victor Duchovni and Wietse.
	File: smtp/smtp_proto.c.
Boris Mühmer's avatar
Boris Mühmer committed
20051213 
Boris Mühmer's avatar
Boris Mühmer committed
	Bugfix: *SQL, proxy and LDAP map types were not defined in
Boris Mühmer's avatar
Boris Mühmer committed
	user-land commands such as postqueue. Leandro Santi. File:
	postqueue/postqueue.c.

Boris Mühmer's avatar
Boris Mühmer committed
20051212-14

	Server-side plug-in interface for SASL authentication. This
	uses Cyrus SASL by default, so nothing has changed except
	error messages may be more informative.  Files:
	smtpd/smtpd_sasl_proto.c smtpd/smtpd_sasl_glue.c,
	xsasl/xsasl_server.[hc], xsasl/cyrus_server.[hc]
	xsasl/cyrus_strerror.c, xsasl/cyrus_log.c, xsasl/cyrus_security.c.

20051215

	Portability: IRIX 6.5.28 defines sa_len as a macro, so it
	can't be used as a variable identifier. Zach McDanel. Files:
	dns/dns_rr_to_sa.c, smtpd/smtpd_peer.c, qmqpd/qmqpd_peer.c.

20051216

	Cleanup: removed some scar tissue that was introduced with
	server-side SASL plug-in support. Files: smtpd_sasl_proto.c,
	smtpd_sasl_glue.c.

	Client-side plug-in interface for SASL authentication. This
	uses Cyrus SASL by default, so nothing has changed except
	error messages may be more informative.  Files: smtp_sasl_glue.c,
	xsasl/xsasl_client.[hc], xsasl/cyrus_client.[hc].

20051217

	Bugfix: when a SASL client password is required by a specific
	server, defer delivery when no server-announced mechanism
	survives the smtp_sasl_mechanism_filter, instead of ignoring
	the SASL announcement and trying to deliver the mail over
	an unauthenticated connection and risking that mail will
	be rejected.  File: smtp/smtp_sasl_proto.c, smtp/smtp_proto.c.

	Portability: zero the "struct msg" just in case. Both purify
	(Linux) and valgrind (FreeBSD) complain about uninitialized
	bits.  Files: util/unix_{send,recv}_fd.c.

20051219

	Cleanup: generic smtpd_sasl_path, smtp_sasl_path and
	lmtp_sasl_path configuration parameters; simplified the
	SASL plug-in API, and made initial provisions for SASL
	session encryption. Files: xsasl/*.[hc].

	Feature: "postconf -a" lists the available SASL server
	plug-in types, and "postconf -A" does the same for the
	client.  Files: postconf.c, xsasl_{client,server}.c.

	Feature: new SMTPD policy attributes "encryption_protocol",
	"encryption_cipher" and "encryption_keysize", to distinguish
	plaintext from encrypted connections.

20051221

	Privacy: the new Cyrus SASL server plug-in replaces "no
	user" errors by "authentication failed" errors.  File:
	xsasl/xsasl_cyrus_server.c.

	Safety: the Postfix SMTP client no longer uses CNAME expanded
	hostnames for logging, SASL password lookup, TLS policy
	decisions, or TLS certificate verification.  Instead it
	uses the name of the recipient domain, or the host or domain
	name specified in Postfix configuration files. Of course
	this won't prevent cheating with hostnames that appear in
	MX lookup results. To avoid that you will have to suppress
	MX lookups with explicit [hostname] entries in transport
	maps. Files: dns/dns_lookup.c, dns/dns_rr.c.

20051222

	Feature: Dovecot SASL authentication (server side) plug-in
	by Timo Sirainen. This builds without external library
	dependencies and is therefore compiled in by default.
	Files: xsasl/xsasl_dovecot_server.[hc].

	Safety: set the default LANG=C, instead of deleting LANG
	from the environment and assuming the right thing will
	happen. File: global/mail_params.h.

	Safety: always add the ISASCII() requirement to the ISXXX()
	macros, because they are used for protocol and policy
	enforcement.  File: util/sys_defs.h.

	Bugfix: null pointer in the 20051219 policy delegation
	crypto attributes.  File: smtpd/smtpd_check.c.

	Compatibility: "resolve_numeric_domain = yes" will accept
	addresses with numeric domains instead of rejecting them as
	invalid. Files: trivial-rewrite/resolve.c, util/vstring.c.

	Bugfix: 20051219 "postconf -A" produced "postconf -a" output.
	Andreas Winkelmann.

Boris Mühmer's avatar
Boris Mühmer committed
	Bugfix: the regexp map cleverly avoided scanning constant
	lookup results for non-existent $number expressions, but
	failed to subject those results to the necessary $$ -> $
	replacement. Files: util/dict_regexp.c.

	Performance: the pcre map did not optimize constant lookup
	results; they were always scanned for non-existent $number
	expressions.  File: util/dict_pcre.c.

	This round of edits eliminates architectural differences
	between the pcre and regexp table implementations.  The
	remaining difference is that regexp tables still support
	the obsolete "/pattern1/!/pattern2/ action" syntax, for
	backwards compatibility with Postfix 2.0 and earlier.

20051227

	Bugfix: the 20051222 ISASCII paranoia broke the strcasecmp()
	workaround for Solaris. File: util/strcasecmp.c.

	Bitrot: SunOS4 pre-dates size_t, ssize_t, getsid().  File:
	src/util/sys_defs.h. The SunOS4 tests had been suspended
	due to what turned out to be a broken AUI-to-UTP transceiver.

	Bugfix: the 20061226 cosmetic change broke non-IPV6 support
	(example: sockaddr_to_hostaddr: Unknown error: success).
	File: util/myaddrinfo.c.

20051229

	The following workaround was removed 20060103.

	Workaround: when mail is still queued after 3000 seconds,
	the SMTP client no longer pipelines the DOT+QUIT commands.
	The 20050929 paranoia about malformed server replies
	eliminated a rare occurrence of "lost mail" with sites that
	mis-implement DOT+QUIT pipelining, but resulted in a larger
	occurrence of repeated deliveries to sites with a different
	DOT+QUIT pipelining bug. The time threshold is set with the
	smtp_dot_quit_workaround_threshold_time parameter.  Files:
	smtp/smtp_proto.c, smtp/smtp.c.

	Feature: mailbox_transport_maps and fallback_transport_maps
	to search delivery transports by recipient name. Files:
	local/mailbox.c, local/unknown.c.

	Feature: the master daemon now logs a warning when all
	servers are busy that may accept remote connections, and
	suggests to either increase the process count or to reduce
	the service time per client.  Files: master/master_ent.c,
	master/master_avail.c.
Boris Mühmer's avatar
Boris Mühmer committed

20051231

	Bugfix: the anvil server would terminate after "max_idle"
	seconds, even when this was less than the anvil_rate_time_unit
	interval. File: anvil/anvil.c.

Boris Mühmer's avatar
Boris Mühmer committed
20060102
Boris Mühmer's avatar
Boris Mühmer committed
	Deleted the 20051229 dot-quit bug workaround.  Automatically
	deferring delivery created "no delivery" and "repeated
	delivery" problems; and automatically turning off pipelining
	for delayed mail was a bad workaround for a bad workaround.
	The administrator still has the option to turn off pipelining
	by hand if loss of mail is a concern.
Boris Mühmer's avatar
Boris Mühmer committed
	Bugfix: the 20051217 fix (when a SASL client password is
	found, defer delivery when no server-announced mechanism
	survives the smtp_sasl_mechanism_filter) did the mechanism
	test too early, so that it could trip up with deliveries
	to servers that we don't have a SASL password for.  Files:
	smtp/smtp_sasl_proto.c, smtp/smtp_proto.c.
Boris Mühmer's avatar
Boris Mühmer committed
20060104
Boris Mühmer's avatar
Boris Mühmer committed

	Safety: new "smtp_cname_overrides_servername" parameter.
Boris Mühmer's avatar
Boris Mühmer committed
	The default value ("no") is NOT backwards compatible. This
	avoids surprises with the hostname that is used for logging,
	SASL password lookup, TLS policy decisions, or TLS certificate
	verification.  The change makes the 20051221 behavior more
	configurable.  Files: smtp/smtp_addr.c, smtp/smtp_connect.c,
	proto/postconf.proto.

20060105

	Cleanup: removed the unused DSN "code" attribute; removed
	surrogate SMTP replies for errors that were not reported
	by a remote SMTP server, making several DSN-related functions
	and macros redundant; cleaned up some bizarre code for DSN
	attribute memory management in the SMTP client.

20060106

	Cleanup: eliminated the global smtp_errno variable, which
	had become redundant after introducing DSN support. Files:
	smtp/smtp_addr.c, smtp/smtp_connect.c.

20060107

	Cleanup: removed more bizarre code for DSN attribute memory
	management in the queue manager, bounce server, and in
	delivery agents.

20060109

	Bugfix: smtp_sasl_tls_opts was unimplemented. File:
	smtp/smtp_sasl_proto.c.

	Cleanup: more bounce logfile code cleanup.  Files:
	global/bounce_log.c, bounce/bounce_notify_util.c,
	bounce/bounce.c, bounce/bounce_notify_verp.c,
	bounce/bounce_one_service.c, showq/showq.c

20060110

	Cleanup: more bounce logfile code cleanup.  Files:
	global/bounce_log.c, bounce/bounce_notify_util.c.

	Bugfix: the VERP bouncer never handled the case of a missing
	bounce logfile. Found while doing more logfile code cleanup.
	File: bounce/bounce_notify_verp.c.
Boris Mühmer's avatar
Boris Mühmer committed
	Feature: smtp_sasl_tls_verified_security_options for
	connections where the server certificate passed verification.
	The default value is $smtp_sasl_tls_security_options, which
	in turn defaults to $smtp_sasl_security_options.
Boris Mühmer's avatar
Boris Mühmer committed
20060111
Boris Mühmer's avatar
Boris Mühmer committed
	Optimization: mystrdup() and mystrndup() now return a pointer
	to a fixed read-only memory location instead of allocating
	memory for zero-length null-terminated strings.  This saves
	lots of memory for unused recipient attributes. If this
	change causes problems (for example, you have an ancient
	sscanf() implementation that writes to its input) then
	compile Postfix with -DNO_SHARED_EMPTY_STRINGS.

	Cleanup: eliminated null pointer members in DSN structures.
	Instead we now use the optimized mystrdup() for empty
	strings. For safety sake we keep the tests for null pointers
	in input, but we always produce empty strings on output.
	Files: global/dsn.c, global/dsn.h, global/dsn_buf.h,
	global/dsn_print.c.

	Cleanup: eliminated ad-hoc code for passing recipients in
	the queue manager delivery request protocol. Postfix now
	uses proper object activation/passivation instead. Files:
	*qmgr/qmgr_deliver.c, global/deliver_request.c,
	global/deliver_pass.c.

20060112

	Feature: to simplify debugging the bounce server logs the
	old and new queue ID when notifying the sender or postmaster.
	Files: global/post_mail.c, bounce/bounce_notify_service.c,
	bounce/bounce_one_service.c, bounce/bounce_notify_verp.c,
	bounce/bounce_warn_service.c, bounce/bounce_trace_service.c.

	Fudge: when translating recipient DSN codes into sender DSN
	codes, map sender address problems that have no DSN code
	to *.1.7 (Bad sender's mailbox address syntax) instead of
	*.1.0 (Other address status) because that loses the distinction
	between sender and recipient. File: smtpd/smtpd_dsn_fix.c.

20060113

	Cleanup: preserve upper case information of address localpart
	or extension when mapping one address to another with
	non-regexp/pcre tables.  Files: global/mail_addr_find.c,
	global/maps_find.c.
Boris Mühmer's avatar
Boris Mühmer committed

20060115

	Bugfix: don't ignore the per-site policy when SSL library
	initialization fails. Introduced after adopting the TLS
	patch. File: smtp/smtp_session.c.

Boris Mühmer's avatar
Boris Mühmer committed
20060117

	[withdrawn 20060126] Safety: daemon processes that need no
	privileges now insist that they are configured to run without
	privileges.  Files: master/single_server.c, master/multi_server.c,
	master/trigger_server.c.

	Cleanup: preserve upper case information of address localpart
	or extension when mapping addresses via regexp/pcre tables.
	This requires that Postfix does not case fold the search
	string when searching regexp or pcre tables, so that $number
	substitutions produce the expected result.

	In order to get a consistent handling of table operations,
	the search string case folding logic was moved from the
	application to the individual lookup table modules; the
	application specifies its case folding preference when it
	opens a table, and the table folds the search or update
	string as needed.

	Files: everything that opens a map or multiple maps (to
	specify the case folding preference), and everything that
	contained ad-hoc code to lowercase search strings (which
	is no longer needed).

	Bugfix: as a side effect of this revision of all code that
	opens tables, the postmap/postalias -n/-N options are no
	longer silently ignored when the -q (query) and -d (delete)
	options are specified.  Files: postmap/postmap.c,
	postalias/postalias.c.

	Safety: don't allow $number substitution in transport maps
	or sender-dependent relayhost maps.

	Cleanup: smtp_sasl_passwd_maps lookup keys are folded to
	lowercase before searching tables such as btree:, dbm: or
	hash: that have fixed-case fields. File: smtp/smtp_sasl_glue.c.

	Bugfix: per-sender relayhost maps were not locked for shared
	access.

20060119

	Cleanup: don't look up parent domain substrings in regexp/pcre
	like tables while searching a hostname in a domain/namaddr_list.
	File: util/match_ops.c.

20060120

	Cleanup: multiple boolean variables were replaced by a
	single TLS enforcement level (none, may, encrypt, verify).
	With Victor Duchovni. Files: smtp_session.c, smtp_proto.c,
	smtp.h.

	Cleanup: the SMTP per-site policy table was re-implemented
	in terms of enforcement levels instead of multiple boolean
	variables. This greatly simplified the code and led to the
	elimination of non-intuitive behavior as documented next.
	With Victor Duchovni. Files: smtp_session.c, smtp.h.
Boris Mühmer's avatar
Boris Mühmer committed

	Bugfix: a TLS per-site MUST_NOPEERMATCH policy could not
Boris Mühmer's avatar
Boris Mühmer committed
	override a main.cf MUST (with peer match) policy, while a
	per-site NONE policy could.

	Bugfix: a combined TLS per-site (host, next-hop) policy of
	(NONE, MAY) would change the strongest main.cf MUST policy
	into NONE, while it changed all weaker main.cf policies
	into MAY.  The result is now NONE for all main.cf policy
	settings.

20060123
Boris Mühmer's avatar
Boris Mühmer committed
	Feature: recipient_count attribute in SMTPD policy protocol.
	This is available only in the DATA and END-OF-MESSAGE stage.
	Based on code by Guo Black. Files: smtpd_check.c.

	Cleanup: renamed MUMBLE_NUM to MUMBLE_INT to make type
	discrepancies more explicit.

	Bugfix: change 20051208 broke when a connection could not
	be established. File: util/auto_clnt.c.

20060124

	Bugfix: the virtual(8) delivery agent did not insist on
	privileged operation as it should; this broke change 20060117.
	Ralf Hildebrandt.  File: virtual/virtual.c.

	Bugfix: the TLS sasl security options (change 20060110)
	should also be #ifdef USE_TLS, and not only #ifdef
	USE_SASL_AUTH.  Such feature interference is difficult to
	find in testing.  Liviu Daia. File: smtp/smtp_sasl_proto.c.

20060126

	Undo: change 20060117 (unprivileged operation test) broke
	"sendmail -bs", "postconf -b", "postconf -t", and probably
	more. Files: master/{single,multi,trigger}_server.c.
Boris Mühmer's avatar
Boris Mühmer committed

20060130

	Bugfix: an empty remote_header_rewrite_domain value caused
	trivial-rewrite to dereference a null pointer, but only in
Boris Mühmer's avatar
Boris Mühmer committed
	regression tests, not in production. Envelope addresses are
	by definition rewritten in the local domain context, because
	an address without domain is equivalent to an address in
	the local domain; and header addresses are rewritten in the
	remote context only when remote_header_rewrite_domain is
	non-empty.  File: trivial-rewrite/rewrite.c.

20060131

	Cleanup: regression tests are now separated into "make
	tests" for unprivileged tests, and "make root_tests" for
	tests that require privileges to connect to the Postfix
	internal sockets. Files Makefile.in, src/*/Makefile.in.
Boris Mühmer's avatar
Boris Mühmer committed
20060201
Boris Mühmer's avatar
Boris Mühmer committed
	Bugfix: despite efforts to treat malformed domain names as
	hard errors (change 20050726) they were still processed as
	soft errors. File: dns/dns_lookup.c.
Boris Mühmer's avatar
Boris Mühmer committed
	Bugfix: smtpd core dump when SASL was compiled in, turned
Boris Mühmer's avatar
Boris Mühmer committed
	off (smtpd_sasl_auth_enable = no) and permit_sasl_authenticated
Boris Mühmer's avatar
Boris Mühmer committed
	was specified in local_header_rewrite_clients. Victor
	Duchovni.  File: smtpd/smtpd_check.c.

	Cleanup: don't complain about useless SASL or TLS "permit"
	restrictions when SASL or TLS aren't compiled in, but do
	reject mail when reject_plaintext_session is specified while
	TLS isn't compiled in. File: smtpd/smtpd_check.c.
Boris Mühmer's avatar
Boris Mühmer committed

20060204

	Bugfix: disable the content_filter feature for user-requested
	"sendmail -bv" probes, just like it is disabled for probes
	generated by Postfix itself.  File: *qmgr/qmgr_message.c.

Boris Mühmer's avatar
Boris Mühmer committed
20060207

	Robustness: place the "do we have TLS" guards within method
	implementations, instead of putting them around method
	invocations.  File: smtpd/smtpd_check.c.
Boris Mühmer's avatar
Boris Mühmer committed
	Bugfix: duplicate the cleanup(8) DSN envelope ID syntax
	check in smtpd(8), so that clients get better error replies.
	File: smtpd/smtpd_check.c.

	Bugfix: change 20060203 broke the reject_plaintext_session
	feature.

	The trivial-rewrite and proxymap multi-server processes now
	terminate soon after all their clients disconnect, instead