Newer
Older
Bugfix: race condition in "ETRN site", "sendmail -qRsite"
and "postqueue -s site". When the command arrived while an
incoming queue scan was already in progress, mail could
stay deferred instead of being flushed. The fix was to
unthrottle the queue manager before moving files from the
deferred queue to the incoming queue. Files: flush/flush.c,
qmgr/qmgr_scan.c.
Cleanup: the sendmail and postqueue commands no longer
terminate with a non-standard error status after a run-time
error in some Postfix internal routine (typically, some
essential file is not accessible, or the system is out of
memory). Files: sendmail/sendmail.c, postqueue/postqueue.c.
Feature: "sendmail -qIqueueid" and "postqueue -i queueid"
to flush a specific queue file. Files: sendmail/sendmail.c,
postqueue/postqueue.c, global/flush_clnt.c, flush/flush.c.
20061214
Performance: "sendmail -qIqueueid" and "postqueue -i queueid"
unthrottle only the necessary message delivery transports
and queues. The unthrottle request now is propagated to the
queue manager via queue file group read permission bits.
Based on initial implementation by Victor Duchovni. Files:
flush/flush.c, *qmgr/qmgr.c, *qmgr/qmgr_scan.c,
*qmgr/qmgr_active.c, *qmgr/qmgr_message.c.
20061220
Workaround: PMilter 0.95 does not deliver SMFIC_EOB+data
to the application as SMFIC_BODY+data followed by SMFIC_EOB.
To avoid compatibility problems, Postfix now sends
SMFIC_BODY+data followed by SMFIC_EOB. File: milter/milter8.c.
Bugfix (introduced with Postfix 2.3): when inserting
Milter-generated headers at increasing positions in a
message, a later header could end up at a previously used
insertion point. Thus, inserting headers at positions (N,
N+M) could work as if (N, N) had been specified. Problem
reported by Mark Martinec. File: milter/milter8.c.
20061221
Feature: time unit suffix support in _command_time_limit.
Files: pipe/pipe.c, spawn/spawn.c.
20061227
Bugfix (introduced with Postfix 2.3): the MX hostname syntax
check was skipped with reject_unknown_helo_hostname and
reject_unknown_sender/recipient_domain, so that Postfix
would still accept mail from domains with a zero-length MX
hostname. File: smtpd/smtpd_check.c.
20061229
Cleanup: use separate TLS_LEGACY_README to document the old
TLS user interface. This will simplify TLS_README dramatically.
Cleanup: untangled spaghetti code. File: util/inet_listen.c.
20070104
Bugfix (introduced Postfix 2.3): when creating an alias map
on a NIS-enabled system, don't case-fold the YP_MASTER_NAME
and YP_LAST_MODIFIED lookup keys. This requires that an
application can turn on/off case folding on the fly. Files:
postalias/postalias.c, global/dict_mumble.c, util/dict_mumble.c,
proxymap/proxymap.c.
Cleanup: after the above revision of the proxymap protocol,
the proxymap server can now share the same map with clients
that have only minor differences in dictionary open/access
options.
Performance: pipeline of pending delivery agent connections,
to improve Linux/Solaris mail delivery performance by another
10% while going down-hill with the wind from behind. Design
and implementation Victor and Wietse. Files: *qmgr/qmgr.c,
*qmgr/qmgr.h, *qmgr/qmgr_transport.c.
Cleanup: eliminate the Linux/Solaris "wait for accept()"
stage from the queue manager to delivery agent protocol.
This alone achieves 99.99% of the Linux/Solaris speed up
from the preceding change. The pending connection pipeline
takes care of the rest. Tested on Linux kernels dating
back to 2.0.27 (that's more than 10 years ago). Files:
*qmgr/qmgr_transport.c.
Bugfix (introduced 20011008): after return from nested
access restriction, possible longjump into exited stack
frame upon configuration error or table lookup error. Victor
Duchovni. Files: smtpd/smtpd_check.c.
Workaround: don't insert header/body blank line separator
in malformed attachments, to avoid breaking digital signatures.
Switch from header to body state, for robust MIME parsing.
People concerned about MIME evasion can use a MIME normalizer
to corrupt their user's legitimate email. File:
global/mime_state.c.
Feature: body replacement support for Milter applications.
Postfix 2.3 and older 2.4 versions will be able to deliver
body-replaced queue files, but will report the message size
as it was before the body was replaced. Files: milter/milter8.c,
cleanup/cleanup_milter.c, cleanup/cleanup_body_region.c.
Cleanup: reusable infrastructure for body replacement.
Files: cleanup/cleanup_body_edit.c, cleanup/cleanup_region.c.
Bugfix: match lists didn't implement ![ipv6address]. Problem
reported by Paulo Pacheco. File: util/match_list.c.
Cleanup: revised the matchlist "!" support, added support
for !/file/name, and updated the documentation. File:
util/match_list.c.
Cleanup: pad short message headers with a filler record,
so that the result is never shorter than a pointer record.
This immensely simplified the support for Milter header
modification requests: three complex loops could be replaced
by one simpler loop. The DTXT record type was re-purposed
from "deleted header text" to "short header padding", keeping
the change backwards compatible. Files: cleanup/cleanup_out.c,
cleanup/cleanup_milter.c, global/record.c.
Cleanup: the Milter "add recipient" action always added the
recipient to the initial envelope segment, causing added
recipients to be separate from "sendmail -t" recipients.
This violated design, without impact on delivery (always_bcc
recipient are always at the end of the queue file even when
all other recipients are in the initial segment). File:
global/rec_types.h.
Workaround: OpenSSL falsely concludes that AES256 support
is present when only AES128 is available. Code by Victor
Duchovni. File: tls/tls_misc.c.
Disable workaround pending completion of updated TLS]
support in non-production releases.
Assorted code cleanup, portability fixes/workarounds, and
minor updates: global/dict_ldap.c, mantools/postlink,
tlsmgs/tlsmgr.c, conf/master.cf. LaMont Jones.
Portability: GNU Hurd support for multiple kernel environments.
LaMont Jones. Files: util/sys_defs.h, makedefs.
Cleanup: some default settings were adjusted to better fit
today's environment: queue_run_delay and minimal_backoff_time
were reduced from 1000s to 300s, so that deliveries are
retried earlier after the first failure; ipc_idle was reduced
from 100s to 5s, so that tlsmgr and scache clients will
more quickly release unused file handles. Files:
global/mail_params.h, proto/postconf.5.html
Catch-up: FreeBSD kqueue support. File: util/events.c.
System-V poll(2) support. This is now the preferred method
to test a single file descriptor on sufficiently recent
versions of FreeBSD, NetBSD, OpenBSD, Solaris and Linux;
other systems will be added as evidence becomes available
of usable poll(2) implementations. Files: util/read_wait.c,
util/write_wait.c, util/readble.c, util/writable.c.
Streamlined the event_enable_read/write implementation to
speed up smtp-source performance, by eliminating expensive
kqueue/devpoll/epoll system calls when only the application
call-back information changes. On FreeBSD, smtp-sink/source
tests now run 5% faster than with the old select(2) based
implementation. File util/events.c.
Catch-up: Solaris /dev/poll support. File: util/events.c.
Bugfix (introduced 20060823): initial state was not in state
machine, causing memory access outside the lookup table.
File: smtpstone/smtp-sink.c.
Catch-up: Linux epoll support. File: util/events.c.
Polished the kqueue/devpoll/epoll support; this is now
enabled by default on sufficiently recent versions of
FreeBSD, NetBSD, OpenBSD, Solaris and Linux; other systems
will be added as evidence becomes available of usable
implementations. File: util/events.c.
Further polish: removed some typos from new code in the
events.c handler, undid some unnecessary changes to the
{read,write}{_wait,able}.c modules, and addressed Victor's
paranoia for multi-client servers with a thousand clients
while linked with library routines that can't handle file
descriptors >= FD_SETSIZE.
Cleanup: while debugging the new events.c handler, removed
an unnecessary "write after connect" call-back event. File:
global/post_mail.c.
Robustness: in the queue manager keep a number of free file
descriptor slots at the low end, to work around library
routines that can't handle file descriptors >= FD_SETSIZE.
Files: *qmgr/qmgr_transport.c, util/vstream.[hc]
Bugfix (introduced 20070114 with Milter body edit support):
the cleanup server terminated with a fatal error when SMTP
mail exceeded the message size limit, instead of handling
it as a non-fatal error. Files: cleanup/cleanup_extracted.c,
cleanup/cleanup_final.c, cleanup/cleanup_bounce.c,
cleanup/cleanup_api.c.
Streamline the compile time selection of event handling
styles, replacing multiple on/off macros by just one
multi-valued macro. Files: util/sys_defs.h, util/events.c,
master/multi_server.c, *qmgr/qmgr_transport.c.
Work-around: Disable SSL/TLS ciphers when the underlying
symmetric algorithm is not available in the OpenSSL crypto
library at the required bit strength. Problem observed with
SunOS 5.10's bundled OpenSSL 0.9.7 and AES 256. Also possible
with OpenSSL 0.9.8 and CAMELLIA 256. Root cause fixed in
upcoming OpenSSL 0.9.7m, 0.9.8e and 0.9.9 releases. Victor
Duchovni, Morgan Stanley. Files: src/smtp/smtp_proto.c,
src/smtpd/smtpd.c, src/tls/tls.h, src/tls/tls_client.c,
src/tls/tls_misc.c and src/tls/tls_server.c.
13270
13271
13272
13273
13274
13275
13276
13277
13278
13279
13280
13281
13282
13283
13284
13285
13286
13287
13288
13289
13290
13291
13292
13293
13294
13295
13296
13297
20070222
Workaround: delayed "postfix reload" with ancient FreeBSD4
kqueue implementations, causing the first external or
internal clients after "postfix reload" to experience a
quick disconnect. Apparently, these kqueue implementations
do not deliver a read notification when the master closes
the per-service shared master/child status pipe (even when
there is only one child; note that the master keeps a handle
to both ends of each status pipe). A child process remains
ignorant that the status pipe was closed until the arrival
of the next client request, and then terminates. The
workaround is to ignore master status write errors before
handling a service request. Files: master/*_server.c.
Cleanup: fix race condition that caused unnecessary "premature
end-of-input" warning messages when "postfix reload" was
issued on a busy mail server. Files: util/attr_scan*c.
20070223
Cleanup: syslog_name now works as documented with both
daemons and commands (including set-gid commands). Files:
global/mail_task.c postlog/postlog.c, global/mail_version.h,
sendmail/sendmail.c, postsuper/postsuper.c, postalias/postalias.c,
postmap/postmap.c, postqueue/postqueue.c, postdrop/postdrop.c,
master/trigger_server.c, master/single_server.c,
master/multi_server.c.
Workaround: GNU POP3D creates a new mailbox and deletes the
old one. Postfix now backs off and retries delivery later,
instead of appending mail to a deleted file. To minimize
the use of this workaround, Postfix now by default creates
mailbox dotlock files on all systems, and creates dotlock
files before opening mailbox files. Files: util/sys_defs.h,
global/mbox_open.c.
Workaround: updated workaround for broken Solaris accept().
File: util/inet_listen.c.
Workaround: on some FreeBSD versions, accept(2) can fail
with a bogus EINVAL error. We now allow accept(2) to fail
for a limited number of times before terminating the process.
Files: master/single_server.c, master/multi_server.c.
Bugfix (introduced with Postfix 2.3 Milter support): postdrop
reported "illegal seek" instead of "file too large". File:
postdrop/postdrop.c.
Cleanup: specify "undisclosed_recipients_header =" to disable
Postfix's "To: undisclosed-recipients:;" header for mail
that lists no recipient. The To: header is not required as
of RFC 2822. The undisclosed_recipients_header parameter
value can now be an empty string, a value that was not
allowed with earlier Postfix versions. With Postfix 2.5 it
will be empty by default. Files: cleanup/cleanup.c,
cleanup/cleanup_message.c.
Backwards compatibility: don't pad short message header
records when Milter support is turned off. This maintains
compatibility with Postfix versions that pre-date Milter
support. File: cleanup/cleanup_out.c.
Bitrot: move the "don't run this daemon by hand" message
before other tests. Files: master/*server.c.
Bitrot: New OpenLDAP APIs deprecate simplified interfaces,
that are the only ones available in Sun's LDAP SDK. Define
suitable macros that work with new OpenLDAP and Sun's code.
Victor Duchovni, Morgan Stanley. File: src/global/dict_ldap.c
Cleanup: new "leaf" and "terminal" result attributes support
fine-tuning of LDAP group expansion, and provide a solution
for the problem case where DN recursion returns both the
group address and the addresses of the member objects.
Victor Duchovni, Morgan Stanley. Files: src/global/dict_ldap.c,
proto/LDAP_README.html, proto/ldap_table
Idioten Sicherheit: stamp every executable file and every
core dump file with "mail_version=xxxxx". Adding version
stamps and checks to every IPC message is too much change
after code freeze, and requires too much time for testing.
File: src/global/mail_version.h and every main program file.
Bugfix (introduced between 20070120 and 20070121): the
cleanup server stored no "delayed mail warning" queue file
records with "sendmail -t", and no header_checks filter/redirect
records or content encoding records with other mail. File:
global/rec_type.h.
Bugfix (introduced 20070224): local(8) or virtual(8) could
log a misleading error message after failure to open a
mailbox file. File: global/mbox_open.c.
Bugfix (code should have been updated 20070104): the proxymap
client did not propagate changes in case folding flags.
Currently, nothing in Postfix uses this functionality.
File: global/dict_proxy.c.
Bugfix: postfix-install didn't work for symlink or hardlink
targets, when the parent directory had a value of "no".
Workaround: Eric Raymond's man page formatters don't handle
low-level *roff .in or .ti controls. We now use .nf and .fi
instead. Files: many.