HISTORY

	of waiting for another 100 seconds. This allows the processes
	to refresh more frequently on low-traffic systems.

	Cleanup: smtpd_delay_open_until_valid_rcpt (default: yes)
	controls whether Postfix delays the start of a mail transaction
	until after the first valid recipient, or if it starts a
	transaction immediately after MAIL FROM. File: smtpd/smtpd.c.

20060217

	Bugfix: don't terminate with a non-standard exit status
	when the pipe-to-command feature has a problem before it
	executes the command. File: global/pipe_command.c.

20060223

	Bugfix: detect integer overflow when multiplying time values
	with non-trivial time units. File: global/conv_time.c.

20060307

	Bugfix: reset the msg_cleanup() fatal error handler in child
	processes. See also change 20060217. Files: postlock/postlock.c,
	master/multi_server.c, global/mail_run.c, util/vstream_popen.c.

20060310

	Bugfix: the MIME processor assumed that input was null
	terminated. This broke with CRLF input to the "sendmail -t"
	command  in Postfix 2.1 and later (see change 20030416).
	Found by Leandro Santi.  Based on patch by Victor Duchovni.
	Files: global/mime_state.c, global/is_header.c.

20060313

	Cleanup: the message arrival time (start of the receive
	transaction) no longer controls message expiration or
	delivery attempts.  Instead, expiration and delivery are
	now controlled by the time when the cleanup server creates
	a queue file.  This closes a problem that was introduced
	with the 20051104 change that introduced higher-resolution
	delay time keeping: as a result, "postsuper -r" could no
	longer manipulate the mail expiration schedule, so that
	mail "on hold" could expire too soon.

20060315

	Workaround. the PCRE library reports an inappropriate error
	code (invalid substring) when $number refers to a valid ()
	expression that matches the null string. This caused fatal
	run-time errors.  File: dict_pcre.c.

20060324

	Cleanup: eliminated name collisions between global and local
	variables, and other forms of shadowing. Documented switch
	fall-throughs with /* FALLTHROUGH */ where this wasn't
	already done.  Replaced (var = expr) by (var = expr) != 0
	where this wasn't already done.

20060324

	Bugfix: mis-placed parenthesis in a before-filter error
	test. A filter timeout was mis-reported as lost connection.
	Found in code review.  File: smtpd/smtpd_proxy.c.

20060327

	Cleanup: the SQL and LDAP clients now log a warning when
	they skip an empty lookup result, so that humans don't have
	to wonder why Postfix doesn't find all the database entries.
	File: global/db_common.c.

	Moved SMTP/LMTP parameter initialization from global/mail_params.c
	to the combined smtp/lmtp delivery agent. Added missing
	lmtp parameters.

20060328

	Feature: configurable chroot directive for the pipe(8)
	delivery agent, by Przemyslaw Wegrzyn. Files:
	global/pipe_command.c, pipe/pipe.c.

	Bugfix: cut-and-paste error: lmtp_connection_cache_limit
	was left with the name of smtp_connection_cache_limit.
	Reported by Victor? File: src/global/mail_params.h.

20060329

	More extensible interface for TLS client/server library,
	now passes property structures that combine all the relevant
	parameters in one type-safe structure.

	TLS session cache activity logging now takes place at TLS
	log level 2 or greater.

20060403

	Cleanup: made fcntl/flock handling consistent with respect
	to EINTR (reported by Carlo Contavalli). However, Postfix
	is not meant to be signal safe.  Only the master daemon
	handles signals without terminating, and it uses only a
	small subset of Postfix library routines. File: util/myflock.c.

	Bugfix: the pipe-to-command error message was lost when the
	command could not be executed. File: global/pipe_command.c.

20060404

	Bugfix in sanity check: after reading a record from the
	address verification database, a sanity check did not reject
	a record with all-zero time stamp fields.  Such records are
	never written; the test is there just in case something is
	broken, so that Postfix will not blindly march on and create
	chaos. The sanity check tested pointer values, instead of
	dereferencing the pointers.  Found by Coverity.  File:
	verify/verify.c.

	Bugfix in sanity check: when the maildir delivery routine
	opens an output file it looks up the file attributes via
	the file handle it just got.  There is a sanity check that
	detects if the attribute lookup fails, an error that never
	happens. The code that handles the impossible error did not
	close the output file. This would cause a virtual or local
	delivery agent to waste up to 100 file descriptors.  But
	for that error to happen the system would have to be so
	sick that you would have more serious problems than a file
	descriptor leak.  Found by Coverity.  Files: local/maildir.c,
	virtual/maildir.c.

20060405

	Bugfix: the MIME parser assumed input is null terminated
	when reporting errors. Fix by Leandro Santi. Files:
	global/mime_state.c, cleanup/cleanup_message.c.

20060411

	Bugfix: the SMTP server logged no warning when for some
	reason the TLS engine was unavailable in wrappermode. Victor
	Duchovni.  File: smtpd/smtpd.c.

20060417

	Cleanup: when SMTP access table lookup fails, reply with
	4xx instead of aborting with a fatal run-time error. The
	old behavior assumes local file access, and is inappropriate
	with deployment of LDAP and SQL tables. File: smtpd/smtpd_check.c.

20060423

	Bugfix: postcat did not print the attribute value of records
	containing a named attribute. File: postcat/postcat.c.

20060430

	Bugfix: dangling pointer in a function that has no caller.
	Found by Coverity. File: tls/tls_prng_exch.c.

	Bugfix: the workaround for CA-2003-07 (Sendmail) did not
	null terminate the address before logging a warning. Reported
	by Kris Kennaway. File: global/tok822_parse.c.

20060301-20060515

	Sendmail 8 Milter support, distributed across the smtpd(8)
	server for SMTP commands, and the cleanup(8) server for
	content inspection and manipulation. The code supports all
	requests to add/delete recipients, and to add/delete/replace
	message headers, but does not yet support requests to replace
	the message body.  See MILTER_README for more. Files:
	smtpd/smtpd.c, smtpd/smtpd_milter.c, cleanup/cleanup_api.c,
	cleanup/cleanup_envelope.c, cleanup/cleanup_extracted.c,
	cleanup/cleanup_milter.c, milter/milter.c, milter/milter8.c.

	That's 89 lines in smtpd, 1010 lines in cleanup, and 2449
	lines of library support, comments not included.  

	A simple test Milter application for use in regression tests
	is in src/milter/test-milter.c. Queue file modifications are
	tested with a driver at the end src/cleanup/cleanup_milter.c
	that reads commands from a script.

	To make debugging easier, uncomment the "#define msg_verbose
	2" lines at the top of cleanup_milter.c or milter8.c. This
	produces logging without making everything else verbose.

20060510

	Preliminary TLS_README and postconf(5) changes completed.

	Added smtp_tls_policy_maps and smtp_tls_protocols features
	to the smtp/lmtp client, changed smtp_tls_cipherlist to
	only apply when TLS is mandatory.

20060512

	Destinations that share a common server may have distinct
	TLS protocol and cipherlist requirements, with mandatory
	TLS add the protocol and cipherlist values to the TLS session
	lookup key.

20060516

	Portability: __float80 alignment, by Albert Chin.  File:
	util/sys_defs.h.

	Further testing of Milter support uncovered typos; a missing
	null pointer test while cleaning up after content miltering;
	the need for a workaround to not bounce+delete local
	submission after it triggers a temporary reject Milter
	action.

	Workaround: don't bounce+delete a local submission after
	it triggers a "reject 4.x.x" action in header/body_checks.
	This means an SMTP client now sees "queue file write error"
	instead of the text from the "reject 4.x.x text" action.
	File: cleanup/cleanup_message.c.

	Workaround: OpenSSL 0.9.8[ab] with zlib support interoperability
	problem. Victor Duchovni. Files: tls/tls_client.c,
	tls/tls_misc.c, tls/tls_server.c.

	Added smtpd_tls_protocols parameter to complement
	smtp_tls_protocols. Victor Duchovni.

20060517

	The smtp_tls_policy_maps table now implements parent domain
	matching for destinations that are bare domains (without
	enclosin [] or optional :port suffix). This allows one to
	set TLS policy for a domain and all sub-domains. Victor
	Duchovni.

20060519

	The same parameter can bind to different variables in
	different daemons, ignore the variable name when eliminating
	duplicates in extract.awk. Victor Duchovni.

20060523

	Improved handling of smtp_tls_protocols and smtpd_tls_protocols,
	names now processed via name_mask(3) and canonicalized prior
	to use in the SMTP/LMTP client TLS session lookup key. Also
	simplifies the corresponding code in the TLS driver. Victor
	Duchovni.

20060524

	Cleanup: send ETRN command parameter when using check_policy
	in the context of an ETRN command. Joshua Goodall. File:
	smtpd/smtpd_check.c.

20060601

	Bugfix (bug introduced 20051118): permit_mx_backup authorized
	domains without secondary MX records.  Joshua Goodall. File:
	smtpd/smtpd_check.c.

20060601

	Fixed default value of LMTP TLS client certificate parameters,
	using the SMTP values as a default was wrong. Victor Duchovni.

20060603

	Different transports may have different CAfile or CApath
	settings. We need to add the transport name to the TLS
	session lookup key so that sessions verified with one set
	of trusted roots are not inadvertantly considered verified
	for another. Victor Duchovni.

20060604

	Cleanup: minor fluff found with the BEAM source code analyzer.
	Files: global/quote_821_local.c, global/quote_822_local.c,
	master/master_spawn.c, pickup/pickup.c, util/match_ops.c,
	util/safe_open.c, xsasl/xsasl_cyrus_client.c.

20060606

	Safety: mail receiving daemons (smtpd, qmqpd) now pass
	actual client name/addres/helo attributes in addition to
	the attributes used for logging (xforward). This prevents
	Milter applications from treating qmqpd mail as if it
	originated locally, and prevents incorrect Milter decisions
	after "postsuper -r". Files: smtpd/smtpd.c, qmqpd/qmqpd.c,
	cleanup/cleanup_envelope.c, cleanup/cleanup_milter.c,
	cleanup/cleanup_state.c, global/post_mail.c, *qmgr/qmgr_message.c,
	*qmgr/qmgr_deliver.c, global/deliver_request.c,
	global/deliver_pass.c, local/forward.c.

	Bugfix: qmgr panic after queue file corruption by Mailscanner.
	Files: *qmgr/qmgr_message.c.

	Bugfix: XCLIENT didn't work with smtpd_delay_reject=no
	(problem reported by Joshua Goodall).  To make XCLIENT work
	correctly with built-in restrictions and with Milter
	applications, the SMTP server now jumps back to the very
	start (the 220 phase) of an SMTP session.  File: smtpd/smtpd.c.

20060606

	Portability: Some systems no longer support the traditional
	"sort +0 -2 +3". Victor Duchovni.

20060607

	Portability: Found by BEAM static code analyzer. SSL options
	(long) were stored as int.

20060610

	Cleanup: XCLIENT and XFORWARD attribute values are now sent
	as xtext encoded strings. For backwards compatibility,
	Postfix will still accept unencoded attribute values.  Files:
	smtpd/smtpd.c, smtpd/smtpd_proxy.c, smtp/smtp_proto.c.

20060611

	Robustness: additional sanity checks for common database
	routines. Viktor Dukhovni. File: global/db_common.c.

	Portability: LDAP 2.3 API support. Viktor Dukhovni. File:
	global/dict_ldap.c.

	Security: the PostgreSQL client was updated after the
	PostgreSQL developers made major database API changes in
	response to PostgreSQL security issues. This breaks support
	for PGSQL versions prior to 8.1.4, 8.0.8, 7.4.13, and 7.3.15.
	Support for these requires major code changes which are not
	possible in the time that is left for the Postfix 2.3 stable
	release.

	Specific PostgreSQL client changes: use connection-aware
	quoting, and more robust PQexec() result handling.  Previous
	versions of the dict_pgsql driver didn't check the status
	of the result pointer, and certain exceptional events can
	be mis-interpreted as an empty result set.  Fixes by Leandro
	Santi. File: global/dict_pgsql.c.

20060612

	Changed smtp security level parsing and level->name conversion
	to use name_code(3). Victor Duchovni.

	Implemented new smtp_tls_security_level parameter, to replace
	the unnecessarily complex smtp_use_tls, smtp_enforce_tls
	and smtp_tls_enforce_peername parameters. The main.cf
	security level settings are now consistent with the new
	policy table. Victor Duchovni.

	The smtp_sasl_tls_verified_security_options feature is not
	yet complete, added #ifdef SNAPSHOT and changed documentation
	to delay introduction until Postfix 2.4. Victor Duchovni.

20060614

	Merged in Victor's work including the new TLS policy table
	and a complete set of configuration parameters for the LMTP
	personality of the unified SMTP/LMTP client.

	Allow mandatory TLS encryption with LMTP over UNIX-domain
	sockets. Victor Duchovni.

	Safety: improved code to avoid I/O on connections after the
	TLS handshake fails. Victor Duchovni.

20060615

	Cosmetic patch for const strings. Stefan Huehner.

	Other cosmetic changes, mainly whitespace.

20060616

	The qshape.pl script was updated for the pointer records
	that were introduced to support message content modification
	by Milter applications. Victor Duchovni.

20060620

	Feature: Substantially better cipherlist specification
	interface and support for anonymous ciphers when certificates
	are not needed. The primary interface in main.cf and the
	policy table selects one of 5 grades for mandatory TLS with
	smtp(8) or lmtp(8) or for all TLS sessions with smtpd(8).
	The levels are "high", "medium" (or better), "low" (or
	better), "export" (or better) and "null".  The underlying
	definitions of these levels are configurable, but users are
	strongly encouraged to not change those definitions. Victor
	Duchovni.

20060626

	Bugfix: the Milter reply syntax checker was off by one.
	File: milter/milter8.c.

	Workaround: disable SMTP connection cache lookup by server
	IP address when the tls_per_site policy table is enabled.
	This is a workaround for a shortcoming in the SMTP connection
	cache implementation, which retrieves the server hostname
	from the cached connection. Since this server name is not
	obtained in a secure manner, it must not be allowed to
	control the tls_per_site policy. File: smtp/smtp_reuse.c.

20060627

	Cleanup: mumble_mandatory_tls_mumble parameters renamed to
	mumble_tls_mandatory_mumble; added _mandatory_ qualifier
	to names of parameters that affect only mandatory TLS.

20060630

	Features promoted from SNAPSHOT to STABLE: the "sleep"
	pseudo restriction; Postfix daemons now read the local
	timezone file before chrooting; trivial-rewrite now detects
	table changes every 10 seconds, so it restarts more timely.

	Features that stay #ifdef SNAPSHOT: tcp_table,
	lmtp_sasl_tls_verified_security_options, and
	smtp_sasl_tls_verified_security_options.

	Compatibility: Sendmail does not send its own Received:
	header to Milter applications. Offsets in header replace
	requests are relative to the message content as received
	(i.e. without our own Received: header), while offsets in
	header insert requests are relative to the message as
	delivered (i.e. they include our own Received: header).
	This explains why dk-filter would sign our own Received:
	header but place the signature between our own Received:
	header and the rest of the message, violating the draft
	domainkeys spec.

20060702

	Cleanup: more graceful handling of queue file read/write
	errors while processing milter message modification requests.
	Files: cleanup/cleanup_milter.c, milter/milter8.c.

20060703

	Debugging: the Postfix milter client gives more context
	when it experiences trouble while talking to an uncooperative
	Milter application. File: milter/milter8.c.

	Compatibility: with OpenBSD 2.7 and later, the alias file
	is now in /etc/mail/aliases.

20060704

	Bugfix: the Milter client skipped zero-length body lines.
	File: milter/milter8.c.

	Feature (just this one): RFC 3834 "Auto-Submitted:" message
	header in DSNs.  File: bounce/bounce_notify_util.c.

20060705

	Portability: LP64 systems required a few ssize_t->int casts
	in debug logging statements.  Files: milter/test_milter.c,
	cleanup/cleanup_milter.c.

	Cleanup: comments, error messages, and crumbling interfaces.

20060707

	Workaround: apparently, Solaris gettimeofday() can return
	out-of range microsecond values.  File: src/global/log_adhoc.c.

	Robustness: the SMTPD policy client now encodes the
	ccert_subject and ccert-issuer attributes as xtext.  Some
	characters are replaced by +XX, where XX is the two-digit
	hexadecimal code for the character value.  File:
	smtpd/smtpd_check.c.

	Safety: the SMTP/LMTP client now defers delivery when a
	SASL password exists, but the server does not offer SASL
	authentication. Mail could be rejected otherwise. This may
	become an issue now that Postfix retries delivery in plaintext
	after an opportunistic TLS handshake fails. Specify
	"smtp_sasl_auth_enforce = no" to deliver mail anyway.  File:
	smtp/smtp_proto.c. See workaround 20060711 for sender-dependent
	SASL passwords.

20060709

	Cleanup: the new single smtpd_tls_security_level parameter
	obsoletes the multiple smtpd_use_tls and smtpd_enforce_tls
	parameters. This is done for consistency with the Postfix
	SMTP client. In the Postfix SMTP server, the levels "verify"
	and "secure" are currently not applicable, and are treated
	as "encrypt", after logging a warning. Files: smtpd/smtpd.c,
	tls/tls_level.c, smtp/smtp_session.c.

	Compatibility: don't send the first (blank) body line to
	Milter applications.  This broke domain key etc. signatures
	when verified by non-Postfix MTAs.  File: milter/milter8.c.

20060710

	Cleanup: more consistency between smtpd(8) and smtp(8) TLS
	configuration interfaces: smtpd_tls_mandatory_exclude_ciphers,
	smtpd_tls_mandatory_ciphers, smtpd_tls_mandatory_protocols.
	By Victor. Files:smtpd/smtpd.c.

	Cleanup: to support domainkey signing of bounces and
	Postmaster notices, enable content inspection of Postfix-
	generated mail with the new internal_mail_filter_classes
	feature.  This is disabled by default, because it is not
	yet safe enough. Files: global/int_filt.[hc] and everything
	that calls post_mail_fopen*().

20060711

	Cleanup: smtpd_tls_mumble -> smtpd_tls_mandatory_mumble,
	and finer control over the Postfix SMTP server TLS ciphers,
	all this for consistency with the same functionality in the
	Postfix SMTP client. Victor Duchovni.

	Compatibility: Sendmail's milter client handles whitespace
	after the header label and ":" in an interesting manner.
	It eats one space (not tab). File: milter/milter8.c.

	Workaround: if sender-depedendent SASL passwords are enabled,
	don't defer delivery when a SASL password exists but the
	server doesn't announce SASL support. File: smtp/smtp_proto.c.

	Cleanup: format of cleanup milter reject messages.  File:
	cleanup_milter.c.

	Bugfix: file/memory leak if a transfer of multiple milters
	from smtpd to cleanup broke in the middle.  Found by Coverity.
	File: milter/milter.c.