Newer
Older
12001
12002
12003
12004
12005
12006
12007
12008
12009
12010
12011
12012
12013
12014
12015
12016
12017
12018
12019
12020
12021
12022
12023
12024
of waiting for another 100 seconds. This allows the processes
to refresh more frequently on low-traffic systems.
Cleanup: smtpd_delay_open_until_valid_rcpt (default: yes)
controls whether Postfix delays the start of a mail transaction
until after the first valid recipient, or if it starts a
transaction immediately after MAIL FROM. File: smtpd/smtpd.c.
20060217
Bugfix: don't terminate with a non-standard exit status
when the pipe-to-command feature has a problem before it
executes the command. File: global/pipe_command.c.
20060223
Bugfix: detect integer overflow when multiplying time values
with non-trivial time units. File: global/conv_time.c.
20060307
Bugfix: reset the msg_cleanup() fatal error handler in child
processes. See also change 20060217. Files: postlock/postlock.c,
master/multi_server.c, global/mail_run.c, util/vstream_popen.c.
12028
12029
12030
12031
12032
12033
12034
12035
12036
12037
12038
12039
12040
12041
12042
12043
12044
Bugfix: the MIME processor assumed that input was null
terminated. This broke with CRLF input to the "sendmail -t"
command in Postfix 2.1 and later (see change 20030416).
Found by Leandro Santi. Based on patch by Victor Duchovni.
Files: global/mime_state.c, global/is_header.c.
20060313
Cleanup: the message arrival time (start of the receive
transaction) no longer controls message expiration or
delivery attempts. Instead, expiration and delivery are
now controlled by the time when the cleanup server creates
a queue file. This closes a problem that was introduced
with the 20051104 change that introduced higher-resolution
delay time keeping: as a result, "postsuper -r" could no
longer manipulate the mail expiration schedule, so that
mail "on hold" could expire too soon.
Workaround. the PCRE library reports an inappropriate error
code (invalid substring) when $number refers to a valid ()
expression that matches the null string. This caused fatal
run-time errors. File: dict_pcre.c.
20060324
Cleanup: eliminated name collisions between global and local
variables, and other forms of shadowing. Documented switch
fall-throughs with /* FALLTHROUGH */ where this wasn't
already done. Replaced (var = expr) by (var = expr) != 0
where this wasn't already done.
20060324
Bugfix: mis-placed parenthesis in a before-filter error
test. A filter timeout was mis-reported as lost connection.
Found in code review. File: smtpd/smtpd_proxy.c.
12067
12068
12069
12070
12071
12072
12073
12074
12075
12076
12077
12078
12079
12080
12081
12082
12083
12084
12085
12086
12087
12088
12089
12090
12091
12092
12093
12094
12095
12096
20060327
Cleanup: the SQL and LDAP clients now log a warning when
they skip an empty lookup result, so that humans don't have
to wonder why Postfix doesn't find all the database entries.
File: global/db_common.c.
Moved SMTP/LMTP parameter initialization from global/mail_params.c
to the combined smtp/lmtp delivery agent. Added missing
lmtp parameters.
20060328
Feature: configurable chroot directive for the pipe(8)
delivery agent, by Przemyslaw Wegrzyn. Files:
global/pipe_command.c, pipe/pipe.c.
Bugfix: cut-and-paste error: lmtp_connection_cache_limit
was left with the name of smtp_connection_cache_limit.
Reported by Victor? File: src/global/mail_params.h.
20060329
More extensible interface for TLS client/server library,
now passes property structures that combine all the relevant
parameters in one type-safe structure.
TLS session cache activity logging now takes place at TLS
log level 2 or greater.
Cleanup: made fcntl/flock handling consistent with respect
to EINTR (reported by Carlo Contavalli). However, Postfix
is not meant to be signal safe. Only the master daemon
handles signals without terminating, and it uses only a
small subset of Postfix library routines. File: util/myflock.c.
12105
12106
12107
12108
12109
12110
12111
12112
12113
12114
12115
12116
12117
12118
12119
12120
12121
12122
12123
12124
12125
12126
12127
12128
12129
12130
Bugfix: the pipe-to-command error message was lost when the
command could not be executed. File: global/pipe_command.c.
20060404
Bugfix in sanity check: after reading a record from the
address verification database, a sanity check did not reject
a record with all-zero time stamp fields. Such records are
never written; the test is there just in case something is
broken, so that Postfix will not blindly march on and create
chaos. The sanity check tested pointer values, instead of
dereferencing the pointers. Found by Coverity. File:
verify/verify.c.
Bugfix in sanity check: when the maildir delivery routine
opens an output file it looks up the file attributes via
the file handle it just got. There is a sanity check that
detects if the attribute lookup fails, an error that never
happens. The code that handles the impossible error did not
close the output file. This would cause a virtual or local
delivery agent to waste up to 100 file descriptors. But
for that error to happen the system would have to be so
sick that you would have more serious problems than a file
descriptor leak. Found by Coverity. Files: local/maildir.c,
virtual/maildir.c.
20060405
Bugfix: the MIME parser assumed input is null terminated
when reporting errors. Fix by Leandro Santi. Files:
global/mime_state.c, cleanup/cleanup_message.c.
20060411
Bugfix: the SMTP server logged no warning when for some
reason the TLS engine was unavailable in wrappermode. Victor
Duchovni. File: smtpd/smtpd.c.
20060417
Cleanup: when SMTP access table lookup fails, reply with
4xx instead of aborting with a fatal run-time error. The
old behavior assumes local file access, and is inappropriate
with deployment of LDAP and SQL tables. File: smtpd/smtpd_check.c.
20060423
Bugfix: postcat did not print the attribute value of records
containing a named attribute. File: postcat/postcat.c.
20060430
Bugfix: dangling pointer in a function that has no caller.
Found by Coverity. File: tls/tls_prng_exch.c.
Bugfix: the workaround for CA-2003-07 (Sendmail) did not
null terminate the address before logging a warning. Reported
by Kris Kennaway. File: global/tok822_parse.c.
12164
12165
12166
12167
12168
12169
12170
12171
12172
12173
12174
12175
12176
12177
12178
12179
12180
12181
12182
12183
12184
12185
12186
12187
12188
12189
12190
20060301-20060515
Sendmail 8 Milter support, distributed across the smtpd(8)
server for SMTP commands, and the cleanup(8) server for
content inspection and manipulation. The code supports all
requests to add/delete recipients, and to add/delete/replace
message headers, but does not yet support requests to replace
the message body. See MILTER_README for more. Files:
smtpd/smtpd.c, smtpd/smtpd_milter.c, cleanup/cleanup_api.c,
cleanup/cleanup_envelope.c, cleanup/cleanup_extracted.c,
cleanup/cleanup_milter.c, milter/milter.c, milter/milter8.c.
That's 89 lines in smtpd, 1010 lines in cleanup, and 2449
lines of library support, comments not included.
A simple test Milter application for use in regression tests
is in src/milter/test-milter.c. Queue file modifications are
tested with a driver at the end src/cleanup/cleanup_milter.c
that reads commands from a script.
To make debugging easier, uncomment the "#define msg_verbose
2" lines at the top of cleanup_milter.c or milter8.c. This
produces logging without making everything else verbose.
20060510
Preliminary TLS_README and postconf(5) changes completed.
Added smtp_tls_policy_maps and smtp_tls_protocols features
to the smtp/lmtp client, changed smtp_tls_cipherlist to
only apply when TLS is mandatory. Victor Duchovni.
20060512
Destinations that share a common server may have distinct
TLS protocol and cipherlist requirements, with mandatory
TLS add the protocol and cipherlist values to the TLS session
20060516
Portability: __float80 alignment, by Albert Chin. File:
util/sys_defs.h.
12209
12210
12211
12212
12213
12214
12215
12216
12217
12218
12219
12220
12221
12222
12223
12224
12225
12226
12227
12228
12229
12230
12231
Further testing of Milter support uncovered typos; a missing
null pointer test while cleaning up after content miltering;
the need for a workaround to not bounce+delete local
submission after it triggers a temporary reject Milter
action.
Workaround: don't bounce+delete a local submission after
it triggers a "reject 4.x.x" action in header/body_checks.
This means an SMTP client now sees "queue file write error"
instead of the text from the "reject 4.x.x text" action.
File: cleanup/cleanup_message.c.
Workaround: OpenSSL 0.9.8[ab] with zlib support interoperability
problem. Victor Duchovni. Files: tls/tls_client.c,
tls/tls_misc.c, tls/tls_server.c.
Added smtpd_tls_protocols parameter to complement
smtp_tls_protocols. Victor Duchovni.
20060517
The smtp_tls_policy_maps table now implements parent domain
matching for destinations that are bare domains (without
enclosing [] or optional :port suffix). This allows one to
set TLS policy for a domain and all sub-domains. Victor
Duchovni.
20060519
The same parameter can bind to different variables in
different daemons. Ignore the variable name when eliminating
duplicates in extract.awk. Victor Duchovni.
20060523
Improved handling of smtp_tls_protocols and smtpd_tls_protocols,
names now processed via name_mask(3) and canonicalized prior
to use in the SMTP/LMTP client TLS session lookup key. Also
simplifies the corresponding code in the TLS driver. Victor
Duchovni.
20060524
Cleanup: send ETRN command parameter when using check_policy
in the context of an ETRN command. Joshua Goodall. File:
smtpd/smtpd_check.c.
20060601
Bugfix (bug introduced 20051118): permit_mx_backup authorized
domains without secondary MX records. Joshua Goodall. File:
smtpd/smtpd_check.c.
20060601
Fixed default value of LMTP TLS client certificate parameters,
using the SMTP values as a default was wrong. Victor Duchovni.
20060603
Different transports may have different CAfile or CApath
settings. We need to add the transport name to the TLS
session lookup key so that sessions verified with one set
of trusted roots are not inadvertantly considered verified
for another. Victor Duchovni.
20060604
Cleanup: minor fluff found with the BEAM source code analyzer.
12278
12279
12280
12281
12282
12283
12284
12285
12286
12287
12288
12289
12290
12291
12292
12293
12294
12295
12296
12297
12298
12299
12300
12301
12302
12303
12304
12305
12306
12307
12308
12309
12310
12311
12312
12313
12314
12315
12316
12317
12318
12319
Files: global/quote_821_local.c, global/quote_822_local.c,
master/master_spawn.c, pickup/pickup.c, util/match_ops.c,
util/safe_open.c, xsasl/xsasl_cyrus_client.c.
20060606
Safety: mail receiving daemons (smtpd, qmqpd) now pass
actual client name/addres/helo attributes in addition to
the attributes used for logging (xforward). This prevents
Milter applications from treating qmqpd mail as if it
originated locally, and prevents incorrect Milter decisions
after "postsuper -r". Files: smtpd/smtpd.c, qmqpd/qmqpd.c,
cleanup/cleanup_envelope.c, cleanup/cleanup_milter.c,
cleanup/cleanup_state.c, global/post_mail.c, *qmgr/qmgr_message.c,
*qmgr/qmgr_deliver.c, global/deliver_request.c,
global/deliver_pass.c, local/forward.c.
Bugfix: qmgr panic after queue file corruption by Mailscanner.
Files: *qmgr/qmgr_message.c.
Bugfix: XCLIENT didn't work with smtpd_delay_reject=no
(problem reported by Joshua Goodall). To make XCLIENT work
correctly with built-in restrictions and with Milter
applications, the SMTP server now jumps back to the very
start (the 220 phase) of an SMTP session. File: smtpd/smtpd.c.
20060606
Portability: Some systems no longer support the traditional
"sort +0 -2 +3". Victor Duchovni.
20060607
Portability: Found by BEAM static code analyzer. SSL options
(long) were stored as int.
20060610
Cleanup: XCLIENT and XFORWARD attribute values are now sent
as xtext encoded strings. For backwards compatibility,
Postfix will still accept unencoded attribute values. Files:
smtpd/smtpd.c, smtpd/smtpd_proxy.c, smtp/smtp_proto.c.
Robustness: additional sanity checks for common database
routines. Viktor Dukhovni. File: global/db_common.c.
Portability: LDAP 2.3 API support. Viktor Dukhovni. File:
global/dict_ldap.c.
Security: the PostgreSQL client was updated after the
PostgreSQL developers made major database API changes in
response to PostgreSQL security issues. This breaks support
for PGSQL versions prior to 8.1.4, 8.0.8, 7.4.13, and 7.3.15.
Support for these requires major code changes which are not
possible in the time that is left for the Postfix 2.3 stable
release.
Specific PostgreSQL client changes: use connection-aware
quoting, and more robust PQexec() result handling. Previous
versions of the dict_pgsql driver didn't check the status
of the result pointer, and certain exceptional events can
be mis-interpreted as an empty result set. Fixes by Leandro
Santi. File: global/dict_pgsql.c.
12344
12345
12346
12347
12348
12349
12350
12351
12352
12353
12354
12355
12356
12357
12358
12359
12360
12361
12362
12363
12364
12365
12366
12367
12368
12369
12370
12371
12372
12373
12374
12375
12376
12377
12378
12379
12380
12381
12382
12383
12384
12385
12386
12387
12388
12389
12390
12391
12392
12393
12394
12395
20060612
Changed smtp security level parsing and level->name conversion
to use name_code(3). Victor Duchovni.
Implemented new smtp_tls_security_level parameter, to replace
the unnecessarily complex smtp_use_tls, smtp_enforce_tls
and smtp_tls_enforce_peername parameters. The main.cf
security level settings are now consistent with the new
policy table. Victor Duchovni.
The smtp_sasl_tls_verified_security_options feature is not
yet complete, added #ifdef SNAPSHOT and changed documentation
to delay introduction until Postfix 2.4. Victor Duchovni.
20060614
Merged in Victor's work including the new TLS policy table
and a complete set of configuration parameters for the LMTP
personality of the unified SMTP/LMTP client.
Allow mandatory TLS encryption with LMTP over UNIX-domain
sockets. Victor Duchovni.
Safety: improved code to avoid I/O on connections after the
TLS handshake fails. Victor Duchovni.
20060615
Cosmetic patch for const strings. Stefan Huehner.
Other cosmetic changes, mainly whitespace.
20060616
The qshape.pl script was updated for the pointer records
that were introduced to support message content modification
by Milter applications. Victor Duchovni.
20060620
Feature: Substantially better cipherlist specification
interface and support for anonymous ciphers when certificates
are not needed. The primary interface in main.cf and the
policy table selects one of 5 grades for mandatory TLS with
smtp(8) or lmtp(8) or for all TLS sessions with smtpd(8).
The levels are "high", "medium" (or better), "low" (or
better), "export" (or better) and "null". The underlying
definitions of these levels are configurable, but users are
strongly encouraged to not change those definitions. Victor
Duchovni.
Bugfix: the Milter reply syntax checker was off by one.
File: milter/milter8.c.
Workaround: disable SMTP connection cache lookup by server
IP address when the tls_per_site policy table is enabled.
This is a workaround for a shortcoming in the SMTP connection
cache implementation, which retrieves the server hostname
from the cached connection. Since this server name is not
obtained in a secure manner, it must not be allowed to
control the tls_per_site policy. File: smtp/smtp_reuse.c.
Cleanup: mumble_mandatory_tls_mumble parameters renamed to
mumble_tls_mandatory_mumble; added _mandatory_ qualifier
to names of parameters that affect only mandatory TLS.
Features promoted from SNAPSHOT to STABLE: the "sleep"
pseudo restriction; Postfix daemons now read the local
timezone file before chrooting; trivial-rewrite now detects
table changes every 10 seconds, so it restarts more timely.
Features that stay #ifdef SNAPSHOT: tcp_table,
lmtp_sasl_tls_verified_security_options, and
smtp_sasl_tls_verified_security_options.
Compatibility: Sendmail does not send its own Received:
header to Milter applications. Offsets in header replace
requests are relative to the message content as received
(i.e. without our own Received: header), while offsets in
header insert requests are relative to the message as
delivered (i.e. they include our own Received: header).
This explains why dk-filter would sign our own Received:
header but place the signature between our own Received:
header and the rest of the message, violating the draft
domainkeys spec.
Cleanup: more graceful handling of queue file read/write
errors while processing milter message modification requests.
Files: cleanup/cleanup_milter.c, milter/milter8.c.
Debugging: the Postfix milter client gives more context
when it experiences trouble while talking to an uncooperative
Milter application. File: milter/milter8.c.
Compatibility: with OpenBSD 2.7 and later, the alias file
is now in /etc/mail/aliases.
Bugfix: the Milter client skipped zero-length body lines.
File: milter/milter8.c.
12457
12458
12459
12460
12461
12462
12463
12464
12465
12466
12467
12468
12469
12470
12471
12472
12473
12474
12475
12476
12477
Feature (just this one): RFC 3834 "Auto-Submitted:" message
header in DSNs. File: bounce/bounce_notify_util.c.
20060705
Portability: LP64 systems required a few ssize_t->int casts
in debug logging statements. Files: milter/test_milter.c,
cleanup/cleanup_milter.c.
Cleanup: comments, error messages, and crumbling interfaces.
20060707
Workaround: apparently, Solaris gettimeofday() can return
out-of range microsecond values. File: src/global/log_adhoc.c.
Robustness: the SMTPD policy client now encodes the
ccert_subject and ccert-issuer attributes as xtext. Some
characters are replaced by +XX, where XX is the two-digit
hexadecimal code for the character value. File:
smtpd/smtpd_check.c.
Safety: the SMTP/LMTP client now defers delivery when a
SASL password exists, but the server does not offer SASL
authentication. Mail could be rejected otherwise. This may
become an issue now that Postfix retries delivery in plaintext
after an opportunistic TLS handshake fails. Specify
"smtp_sasl_auth_enforce = no" to deliver mail anyway. File:
smtp/smtp_proto.c. See workaround 20060711 for sender-dependent
SASL passwords. This was undone with the 20060719 workaround.
12487
12488
12489
12490
12491
12492
12493
12494
12495
12496
12497
12498
12499
12500
12501
12502
12503
12504
12505
12506
12507
12508
12509
12510
12511
12512
12513
12514
12515
12516
12517
12518
12519
12520
12521
12522
12523
12524
12525
12526
20060709
Cleanup: the new single smtpd_tls_security_level parameter
obsoletes the multiple smtpd_use_tls and smtpd_enforce_tls
parameters. This is done for consistency with the Postfix
SMTP client. In the Postfix SMTP server, the levels "verify"
and "secure" are currently not applicable, and are treated
as "encrypt", after logging a warning. Files: smtpd/smtpd.c,
tls/tls_level.c, smtp/smtp_session.c.
Compatibility: don't send the first (blank) body line to
Milter applications. This broke domain key etc. signatures
when verified by non-Postfix MTAs. File: milter/milter8.c.
20060710
Cleanup: more consistency between smtpd(8) and smtp(8) TLS
configuration interfaces: smtpd_tls_mandatory_exclude_ciphers,
smtpd_tls_mandatory_ciphers, smtpd_tls_mandatory_protocols.
By Victor. Files:smtpd/smtpd.c.
Cleanup: to support domainkey signing of bounces and
Postmaster notices, enable content inspection of Postfix-
generated mail with the new internal_mail_filter_classes
feature. This is disabled by default, because it is not
yet safe enough. Files: global/int_filt.[hc] and everything
that calls post_mail_fopen*().
20060711
Cleanup: smtpd_tls_mumble -> smtpd_tls_mandatory_mumble,
and finer control over the Postfix SMTP server TLS ciphers,
all this for consistency with the same functionality in the
Postfix SMTP client. Victor Duchovni.
Compatibility: Sendmail's milter client handles whitespace
after the header label and ":" in an interesting manner.
It eats one space (not tab). File: milter/milter8.c.
Workaround: if sender-dependent SASL passwords are enabled,
don't defer delivery when a SASL password exists but the
server doesn't announce SASL support. File: smtp/smtp_proto.c.
Cleanup: format of cleanup milter reject messages. File:
cleanup_milter.c.
Bugfix: file/memory leak if a transfer of multiple milters
from smtpd to cleanup broke in the middle. Found by Coverity.
File: milter/milter.c.
12538
12539
12540
12541
12542
12543
12544
12545
12546
12547
12548
12549
12550
12551
12552
12553
12554
12555
12556
12557
12558
12559
12560
12561
12562
12563
12564
12565
12566
12567
12568
12569
12570
12571
12572
12573
12574
12575
12576
12577
12578
12579
12580
12581
12582
12583
12584
12585
12586
12587
12588
12589
12590
12591
12592
12593
12594
12595
12596
12597
12598
12599
12600
12601
12602
12603
12604
12605
12606
12607
12608
12609
12610
12611
12612
12613
20060716
Bugfix: "sendmail -bs" panic caused by a missing
SMTPD_STATE_ALONE() guard before a milter_abort() call.
File: smtpd/smtpd.c.
Bugfix (bug introduced with Postfix 2.2): the Postfix SMTP
client enforced Mandatory TLS only when talking to an ESMTP
server; enforcement did not happen if Postfix could somehow
be forced to send HELO instead of EHLO. Victor Duchovni.
File: src/smtp/smtp_proto.c.
20060718
Bugfix (bug introduced 20060711): null pointer bug when
rejecting SMTP mail with Milter application. File:
cleanup/cleanup_milter.c.
Workaround (problem introduced in 200605/200606 TLS update):
the Postfix SMTP server now issues TLS session IDs even
when TLS session caching is turned off, otherwise MS Outlook
fails to deliver mail. There may also be interoperability
issues with other MTAs that we haven't discovered yet.
Specify "smtpd_tls_always_issue_session_ids = no" to disable
the workaround. Victor Duchovni. Files: smtpd/smtpd.c,
tls/tls_server.c.
20060719
Cleanup: the smtp_sasl_auth_enforce feature is gone. It was
meant to work around a problem that was introduced with
plaintext fallback after a failed TLS handshake. Unfortunately,
it created more problems than it solved. We now address the
underlying problem more directly as described next. File:
smtp/smtp_proto.c.
Safety: don't fall back to plaintext delivery after failed
TLS handshake, when the Postfix SMTP client would have
attempted to log in with SASL after successful TLS handshake.
This avoids undesirable behavior regardless of whether the
server does support SASL over plaintext (unexpected password
disclosure) and whether the server doesn't support SASL
over plaintext (insufficient mail relay permission). Files:
smtp/smtp_connect.c, smtp/smtp_session.c, smtp/smtp_proto.c.
20060720
Compatibility: replace %% in milter replies by %, and strip
single (i.e. invalid) % characters. File: milter/milter8.c.
Compatibility: $_ macro support for Milter applications.
Files: smtpd/smtpd.c, smtpd/smtpd_milter.c,
cleanup/cleanup_state.c, cleanup/cleanup_milter.c.
20060721
Safety: disable Milter processing after "postsuper -r". If
the mail has been filtered there is no need to do it again.
Moreover, when mail has passed through an external content
filter, we don't have sufficient information to reproduce
the exact same SMTP events and Sendmail macros that Milters
received when the mail originally arrived in Postfix. This
change does not affect Milter applications that run behind
an after-queue content filter. File: pickup/pickup.c.
Bugfix: Milters received a truncated ORCPT=xxx parameter
due to destructive parsing of something that didn't have
to be preserved before Milter support was added to Postfix.
File: smtpd/smtpd.c.
20060724
Bugfix: when updating the same header multiple times, the
Postfix Milter client created a queue file that caused
delivery agents to loop. File: cleanup/cleanup_milter.c.
12614
12615
12616
12617
12618
12619
12620
12621
12622
12623
12624
12625
12626
12627
12628
12629
12630
12631
12632
12633
12634
12635
12636
12637
12638
12639
20060725
Bugfix: damaged queue file record after a Milter request
to modify a message header when 1) it was the last header
in the unmodified message, and 2) the old header was less
than 15 characters long. File: cleanup/cleanup_milter.c.
Bugfix: don't panic in smtp_rcpt_cleanup() after detecting
a damaged queue file record. File: smtp/smtp_proto.c.
20060726
Bugfix: the 20051013 change to enforce the message size
limit in the SMTP server didn't work for size limits close
enough to INT_MAX. File: smtpd/smtpd.c.
Bugfix: after an SMTP client was rejected with "smtpd_delay_reject
= no", the SMTP server would panic as it generated spurious
Milter requests for unrecognized commands. File: smtpd/smtpd.c.
20060727
Cleanup: change redundant milter_abort() and milter_disc_event()
calls into NO-OPs. This avoids unnecessary panic() events
for completely harmless conditions. File: milter/milter8.c.
12640
12641
12642
12643
12644
12645
12646
12647
12648
12649
12650
12651
12652
12653
12654
12655
12656
12657
12658
12659
12660
12661
12662
12663
12664
12665
12666
12667
12668
12669
12670
12671
12672
12673
12674
12675
12676
12677
12678
12679
12680
12681
12682
12683
12684
12685
12686
12687
12688
12689
12690
12691
12692
12693
20060805
Bugfix (introduced Postfix 2.3): #ifdef damage caused
smtp_sasl_start() to be invoked twice. Reported by C-J
Lofstedt. File: smtp/smtp_sasl_proto.c.
20060806
Postfix no longer announces its name in delivery status
notifications. Users believe that Wietse provides a free
helpdesk service that solves all their email problems.
Credits to Jonathan Balester. File: bounce/bounce_templates.c.
20060807
Bugfix (introduced Postfix 2.2): when upgrading from Postfix
< 2.2 with the third-party TLS patch, the post-install
upgrade procedure didn't put a "?" in the existing tlsmgr
entry, causing tlsmgr to repeatedly start and exit when TLS
support was not compiled in. File: conf/post-install.
20060812
Bugfix (introduced Postfix < alpha): safety mechanism in
mail_date() didn't work. Found in code review. File:
global/mail_date.c.
20060822
Added missing logging for "message to large" etc. Files:
smtpd/smtpd.c, cleanup/cleanup_milter.c.
20060823
Bugfix (introduced Postfix 2.2): segfault when vstream_fclose()
attempted to flush unwritten output, after vstream_fdclose()
had already disconnected the stream from its file descriptor.
File: util/vstream.c.
Bugfix (introduced Postfix 2.2): vstream_fdclose() did not
flush unwritten output before disconnecting a stream from
its file descriptor(s). File: util/vstream.c.
20060825
Bugfix (introduced Postfix 2.3): with headers-only mail, a
Milter "header insert" action corrupted the queue file. The
cleanup server executed some end-of-body action before the
end-of-header actions. File: cleanup/cleanup_message.c.
Robustness: mail delivery agents now detect loops in queue
files. Files with too many backward jumps are saved to the
"corrupt" directory. File: global/record.c.
12694
12695
12696
12697
12698
12699
12700
12701
12702
12703
12704
12705
12706
12707
12708
12709
12710
12711
12712
12713
12714
12715
12716
12717
12718
12719
12720
12721
12722
12723
12724
12725
12726
12727
12728
12729
12730
12731
12732
12733
12734
12735
12736
12737
12738
12739
12740
12741
12742
12743
12744
12745
12746
12747
12748
12749
12750
12751
12752
12753
12754
12755
12756
12757
12758
12759
12760
12761
12762
12763
12764
12765
12766
12767
12768
12769
12770
12771
20060831
Bugfix (introduced with initial implementation): missing
"dict_errno = 0" caused mis-leading error messages after
non-error lookup failure. Victor Duchovni. File:
util/dict_cidr.c.
Robustness: the default TLS cipher lists were changed from
!foo:ALL into ALL:!foo. Victor Duchovni. Files:
global/mail_params.h and documentation.
20060902
Bugfix (introduced Postfix 2.3): the LMTP client stripped
"inet": from the next-hop destination, but still used the
complete next-hop from the delivery request. File:
smtp/smtp_connect.c.
20060903
Cleanup: record loop detection. File: global/record.c.
20060929
Workaround: AIX 5.[1-3] getaddrinfo() creates socket address
structures with a non-zero port value. This breaks the
smtp_bind_address etc. features, and breaks inet_interfaces
settings with only one IP address. Problem reported by
Hamish Marson. Files: util/sock_addr.[hc], util/myaddrinfo.c.
Bugfix (introduced with the Postfix TLS patch): memory leak
in verify_extract_peer(). The OpenSSL documentation provides
no information on how subjectAltNames are managed. Sam
Rushing, ironport. File: tls/tls_client.c.
Bugfix (introduced with Postfix 2.2): smtp_generic_maps
turned on MIME conversion. File: smtp/smtp_proto.c.
Workaround: don't send SIZE information in the MAIL FROM
command when message content will be subject to 8bit ->
quoted-printable conversion. File: smtp/smtp_proto.c.
20061002
Compatibility: Sendmail now invokes the Milter connect
action with the verified hostname instead of the name
obtained with PTR lookup. File: smtpd/smtpd.c.
20061004
Cleanup: force space between mailq queueid+status and file
size items. File: showq/showq.c.
20061015
Cleanup: convert the Milter {mail_addr} and {rcpt_addr}
macro values to external form. File: smtpd/smtpd_milter.c.
Cleanup: the Milter {mail_addr} and {rcpt_addr} macros are
now available with non-SMTP mail. File: cleanup/cleanup_milter.c.
Cleanup: convert addresses in Milter recipient add/delete
requests to internal form. File: cleanup/cleanup_milter.c.
Cleanup: with non-SMTP mail, convert addresses in simulated
MAIL FROM and RCPT TO events to external form. File:
cleanup/cleanup_milter.c.
20061017
Cleanup: removed spurious warning when the cleanup server
attempts to bounce mail with soft_bounce=yes. Problem
reported by Ralf Hildebrandt. File: cleanup/cleanup_bounce.c.
Bugfix: null pointer bug when receiving a non-protocol
response on a cached SMTP/LMTP connection. Report by Brian
Kantor. Fix by Victor Duchovni. File: smtp/smtp_reuse.c.
12772
12773
12774
12775
12776
12777
12778
12779
12780
12781
12782
12783
12784
12785
12786
12787
12788
12789
12790
12791
12792
12793
12794
12795
12796
12797
12798
12799
12800
12801
12802
12803
12804
12805
12806
12807
12808
12809
12810
12811
12812
12813
12814
12815
12816
12817
12818
12819
12820
12821
12822
12823
12824
12825
12826
12827
12828
12829
12830
12831
12832
12833
12834
12835
12836
12837
12838
12839
12840
12841
12842
12843
12844
12845
12846
12847
12848
12849
12850
12851
12852
12853
12854
12855
12856
12857
12858
12859
12860
12861
12862
20061113
Bugfix: the Postfix install/upgrade procedure broke with
non-default config_directory. File: conf/post-install.
20061115
Bugfix: null pointer bug in end-of-header Milter action
when the last header line is too large. Reported by Mark
Martinec. The root of the problem is that the MIME state
engine may execute up to three call-back functions when it
reaches the end of the headers, before it returns to the
caller; as long as call-backs return no result, each call-back
has to check for itself if a previous call-back ran into a
problem. File: milter/milter8.c.
Workaround: reduce effective header_size_limit to 60000
when Milter inspection is enabled, to avoid breaking the
Milter protocol request length limit. File:
cleanup/cleanup_message.c.
20061123
Workaround: more agressive early refill of in-memory
recipients to prevent a worst-case scenario where the queue
manager became starved until after the last batch of slow
in-memory recipients of jumbo multi-recipient mail. Files:
qmgr/qmgr_job.c.
Safety: don't read more than 5000 recipients at a time, to
avoid spending too much time away from interrupts. File:
qmgr/qmgr_message.c.
20061201
Workaround: don't complain with "Error 0" in the trivial-rewrite,
verify, proxymap or connection cache client when the server
exits after the client sends its request. We still complain,
however, when the problem persists. Files: global/rewrite_clnt.c,
global/resolve_clnt.c, global/verify_clnt.c, global/scache_clnt.c,
global/dict_proxy.c.
Safety: the header_size_limit is now enforced more strictly,
to avoid inter-operability problems with the Milter protocol.
Long headers are truncated at a line boundary if possible,
otherwise they are cut between line boundaries. File:
cleanup/cleanup_out.c.
20061203
Bugfix (introduced with Postfix 2.2): with SMTP server
tarpit delays of smtp_rset_timeout or larger, the SMTP
client could get out of sync with the server while reusing
a connection. The symptoms were "recipient rejected .. in
reply to DATA". Fix by Victor Duchovni and Wietse. File:
smtp/smtp_proto.c.
20061207
Compatibility with Postfix < 2.3: undo the change to bounce
instead of defer after pipe-to-command delivery fails with
a signal. File: global/pipe_command.c.
20061208
Workaround: apparently, some mail software removes or hides
"<postmaster>" in the Postfix bounce text, because it
processes the text as if it were HTML. This confuses users.
The bounce template has been updated to remove the < and
>. File: bounce/bounce_templates.c.
Cleanup: when smtp_generic_maps is turned on, don't parse
MIME structures in the message body. Victor Duchovni. File:
smtp/smtp_proto.c.
20061210
Robustness: low-cost re-entrancy guard that allows daemons
to call msg_fatal() etc. from a signal handler, without
risking memory corruption, or deadlock on Redhat Linux.
This works provided that the signal handler never returns.
In that special case we need not guarantee after-the-fact
consistency of the interrupted process. File: util/msg_output.c.
Robustness: replace exit() calls by _exit(). File: util/msg.c,
bounce/bounce_cleanup.c.
Cleanup: document under what conditions these protections
work, with REENTRANCY sections in the relevant man pages.
Files: util/vbuf_print.c. util/msg.c, util/msg_output.c.
12865
12866
12867
12868
12869
12870
12871
12872
12873
12874
12875
12876
12877
12878
12879
12880
12881
12882
12883
12884
12885
12886
12887
12888
12889
12890
12891
12892
12893
12894
12895
12896
12897
12898
12899
12900
12901
12902
12903
12904
12905
12906
12907
12908
12909
20061211
Cleanup: when doing server access control by the remote TLS
client fingerprint, do not require client certificate
verification. Victor Duchovni. File: smtpd/smtpd_check.c.
Safety: when the remote TLS client certificate isn't verified,
don't send ccert_subject and ccert_issuer attributes in
check_policy_service requests. Victor Duchovni. File:
smtpd/smtpd_check.c.
Bugfix: the postconf command still complained about an
unqualified machine name, because it was not updated with
the 20050513 change that introduced a default "mydomain =
localdomain". File: postconf/postconf.c.
20061213
Cleanup: the sendmail and postqueue commands no longer
terminate with a non-standard error status after a run-time
error in some Postfix internal routine (typically, some
essential file is not accessible, or the system is out of
memory). Files: sendmail/sendmail.c, postqueue/postqueue.c.
20061220
Workaround: PMilter 0.95 does not deliver SMFIC_EOB+data
to the application as SMFIC_BODY+data followed by SMFIC_EOB.
To avoid compatibility problems, Postfix now sends
SMFIC_BODY+data followed by SMFIC_EOB. File: milter/milter8.c.
Bugfix (introduced with Postfix 2.3): when inserting
Milter-generated headers at increasing positions in a
message, a later header could end up at a previously used
insertion point. Thus, inserting headers at positions (N,
N+M) could work as if (N, N) had been specified. Problem
reported by Mark Martinec. File: milter/milter8.c.
20061227
Bugfix (introduced with Postfix 2.3): the MX hostname syntax
check was skipped with reject_unknown_helo_hostname and
reject_unknown_sender/recipient_domain, so that Postfix
would still accept mail from domains with a zero-length MX
hostname. File: smtpd/smtpd_check.c.
12910
12911
12912
12913
12914
12915
12916
12917
12918
12919
12920
12921
12922
12923
12924
12925
12926
12927
12928
12929
12930
20070104
Bugfix (introduced Postfix 2.3): when creating an alias map
on a NIS-enabled system, don't case-fold the YP_MASTER_NAME
and YP_LAST_MODIFIED lookup keys. This requires that an
application can turn off case folding on the fly. This is
a point fix. A complete fix requires updates to other map
types and to the proxymap protocol, which is too much change
for a stable release. Files: postalias/postalias.c,
util/dict_db.c, util/dict_dbm.c, util/dict_cdb.c.
20070112
Bugfix (introduced 20011008): after return from a nested
access restriction, possible longjump into exited stack
frame upon configuration error or table lookup error. Victor
Duchovni. Files: smtpd/smtpd_check.c.
Workaround: don't insert empty-line header/body separator
into malformed MIME attachments, to avoid breaking digital
signatures. This change introduces ambiguity. As before,
Postfix treats the remainder of the attachment as body
content, and header_checks rules will not detect forbidden
MIME types inside a malformed message/rfc822 attachment.
With the empty-line header/body separator no longer inserted
by Postfix, other software may process the malformed
attachment differently, and thus may now become exposed to
forbidden MIME types. This is back-ported from Postfix
2.4. File: global/mime_state.c.
20070118
Bugfix: match lists didn't implement ![ipv6address]. Problem
reported by Paulo Pacheco. File: util/match_list.c.
12945
12946
12947
12948
12949
12950
12951
12952
12953
12954
12955
12956
12957
12958
12959
12960
12961
12962
12963
20070224
Workaround: GNU POP3D creates a new mailbox and deletes the
old one. Postfix now backs off and retries delivery later,
instead of appending mail to a deleted file. File:
global/mbox_open.c.
20070225
Workaround: Disable SSL/TLS ciphers when the underlying
symmetric algorithm is not available in the OpenSSL crypto
library at the required bit strength. Problem observed with
SunOS 5.10's bundled OpenSSL 0.9.7 and AES 256. Also possible
with OpenSSL 0.9.8 and CAMELLIA 256. Root cause fixed in
upcoming OpenSSL 0.9.7m, 0.9.8e and 0.9.9 releases. Victor
Duchovni, Morgan Stanley. Files: src/smtp/smtp_proto.c,
src/smtpd/smtpd.c, src/tls/tls.h, src/tls/tls_client.c,
src/tls/tls_misc.c and src/tls/tls_server.c.