Skip to content
HISTORY 774 KiB
Newer Older
Boris Mühmer's avatar
Boris Mühmer committed

	Documentation: in the discard(8) manpage, the reason is not
	a host or domain name. File: discard/discard.c.

20131025

	Documentation: specify the expected result format with
	"list" tables. File: proto/DATABASE_README.html.
Boris Mühmer's avatar
Boris Mühmer committed

20131026

	Future proofing: API changes in the PCRE library.  File:
	util/dict_pcre.c.

Boris Mühmer's avatar
Boris Mühmer committed
19015 19016 19017 19018 19019 19020 19021 19022 19023 19024 19025 19026 19027 19028 19029 19030 19031 19032 19033 19034 19035 19036 19037 19038 19039 19040 19041 19042 19043 19044 19045 19046 19047 19048 19049 19050 19051 19052 19053 19054 19055 19056 19057 19058 19059 19060 19061 19062 19063 19064 19065 19066 19067 19068 19069 19070 19071 19072 19073 19074 19075 19076 19077 19078 19079 19080 19081 19082 19083 19084 19085 19086 19087 19088 19089 19090 19091 19092 19093 19094 19095 19096 19097 19098 19099 19100 19101 19102 19103 19104 19105 19106 19107 19108 19109 19110 19111 19112 19113 19114 19115 19116 19117 19118 19119 19120 19121 19122 19123 19124 19125 19126 19127 19128 19129 19130 19131 19132 19133 19134 19135 19136 19137 19138 19139 19140 19141 19142 19143 19144 19145 19146 19147 19148 19149 19150 19151 19152 19153 19154 19155 19156 19157 19158 19159 19160 19161 19162 19163 19164 19165 19166 19167 19168 19169 19170 19171 19172 19173 19174 19175 19176 19177 19178 19179 19180 19181 19182 19183 19184 19185 19186 19187 19188 19189 19190 19191 19192 19193 19194 19195 19196 19197 19198 19199 19200 19201 19202 19203 19204 19205 19206 19207 19208 19209 19210 19211 19212 19213 19214 19215 19216 19217 19218 19219 19220 19221 19222 19223 19224 19225 19226 19227 19228 19229 19230 19231 19232 19233 19234 19235 19236 19237 19238 19239 19240 19241 19242 19243 19244 19245 19246 19247 19248 19249 19250 19251 19252 19253 19254 19255 19256 19257 19258 19259 19260 19261 19262 19263 19264 19265 19266 19267 19268 19269 19270 19271 19272 19273 19274 19275 19276 19277 19278 19279 19280 19281 19282 19283 19284 19285 19286 19287 19288 19289 19290 19291 19292 19293 19294 19295 19296 19297 19298 19299 19300 19301
20131028

	Feature: check_sasl_access to block hijacked logins.  Files:
	mantools/postlink, proto/postconf.proto, global/mail_params.h,
	smtpd/smtpd_check.c, smtpd/smtpd_dsn_fix.h.

20131029-31

	Cleanup: slmdb(3) simplified LMDB API that hides recoverable
	LMDB errors from applications so that they can focus on
	their own job. Files: util/slmdb.[hc].

	Cleanup: LMDB functionality restored, after elimination of
	1) world-writable lockfiles, 2) hard limits on the number
	of concurrent readers, and 3) hard-coded database file inode
	numbers in lockfiles that can prevent automatic crash
	recovery.  Files: proto/LMDB_README.html, proto/postconf.proto,
	mantools/postlink, util/dict_lmdb.c.

20131101

	Cleanup: restore ability to build without LMDB support;
	further slmdb API streamlining. Files: util/slmdb.[hc],
	util/dict_lmdb.c.

	Bugfix: uninitialized variable. File: util/slmdb.c.

	Documentation: added SASL_README example for check_sasl_access.
	File: proto/SASL_README.html.

20131102-3

	Security violation: by default, LMDB 0.9.9 writes uninitialized
	heap memory to a world-readable database file, as chunks
	of up to 4096 bytes.  This is a huge memory disclosure
	vulnerability: memory content that a program does not intend
	to share ends up in a world-readable file.  The content of
	uninitialized heap memory depends on program execution
	history. That history includes code execution in other
	libraries that are linked into the program.

	This is a problem whenever the user who writes the database
	file differs from the user who reads the database file. For
	example, a privileged writer and an unprivileged reader.
	In the case of Postfix, the postmap(1) and postalias(1)
	commands would leak uninitialized heap memory, as chunks
	of up to 4096 bytes, from a root-privileged process that
	writes to a database file, to unprivileged processes that
	read from that database file.

	To work around this problem the postmap(1) and postalias(1)
	commands disable the use of malloc() in LMDB. However, that
	does not address several disclosures of stack memory.  Other
	Postfix databases do not need this workaround: those databases
	are maintained by Postfix daemon processes, and are accessible
	only by the postfix user. File: util/dict_lmdb.c.

20131102-3

	Cleanup: expand TAB characters when generating documentation.
	This was primarily an issue with non-HTML output, but it does
	not hurt to do this also for HTML.  Files: proto/Makefile.in,
	proto/MULTI_INSTANCE_README.html.

20131104

	Feature: ${queue_id} macro support for the pipe(8) delivery
	agent by Andreas Schulze. File: pipe/pipe.c.

20131107

	Cleanup: after 16 years the SKIP() and TRIM() macros were
	triggering compiler warnings.  Files: global/mail_params.c,
	smtpstone/smtp-sink.c, util/mac_parse.c, util/split_nameval.c.

20131110

	Bugfix (introduced Oct 26 1997): don't clobber errno before
	expanding %m. File: util/vbuf_print.c.

20131114

	Cleanup: LMDB >= 0.9.10 does not need the MDB_WRITEMAP
	workaround to avoid heap memory information leaks.  File:
	util/dict_lmdb.c.

20131114

	Cleanup: Coverity found a harmless memory leak in the
	postconf master.cf parser.  Reported by Christos Zoulas,
	NetBSD.  File: postconf/postconf_master.c.

	Cleanup: graceful degradation after database open() error.
	Several instances of that code introduced a harmless memory
	leak, and Coverity complained about one of them (Christos
	Zoulas, NetBSD).  Instead of adding random code in random
	places, restructured dict_foo_open() routines with consistent
	code to dispose of memory or file handles. Files: dict_thash.c,
	dict_sockmap.c, dict_regexp.c, dict_pcre.c, dict_lmdb.c,
	dict_dbm.c, dict_cidr.c, dict_cdb.c.

	Cleanup: warning message after canonical/virtal/etc.
	table lookup error. Files: cleanup/cleanup_addr.c,
	cleanup/cleanup_map11.c, cleanup/cleanup_map1n.c,
	cleanup/cleanup_masquerade.c, cleanup/cleanup_message.c,
	cleanup/cleanup_milter.c.

20131116

	Feature: MySQL client support for option_file, option_group,
	tls_cert_file, tls_key_file, tls_CAfile, tls_CApath,
	tls_verify_cert. See mysql_table(5).  Code by Gareth Palmer.
	Files: proto/mysql_table, global/dict_mysql.c.

	Cleanup: DANE support. Keep the attributes of TA certificates
	obtained via "IN TLSA 2 0 X" RRs, while continuing to only
	use the key from "IN TLSA 2 1 X" RRs.  This means in the
	"2 0 X" case that we re-sign the TA certificate in place,
	rather than synthesize a vanilla cert around just the key.
	Viktor Dukhovni. File: tls/tls_dane.c.

	Bugfix: posttls-finger parsing of destination and optional
	match values. Viktor Dukhovni.  File:
	posttls-finger/posttls-finger.c.

	Cleanup: When wrap_signed is false (OpenSSL 1.0.2 some day),
	we don't have to sign trust anchors, and don't generate a
	key to do so.  Thus don't attempt to re-sign trust-anchor
	certificates (IN TLSA 2 0 X) in this case. Viktor Dukhovni.
	File: tls/tls_dane.c.

	Feature: configurable DANE digest algorithm priority. Use
	only the most-preferred, shared, digest algorithm for any
	give (usage, selector) combination. Viktor Dukhovni.
	mantools/postlink, proto/postconf.proto, global/mail_params.h,
	tls/tls_dane.c, tls/tls_misc.c.

	Bugfix: FreeBSD nroff workaround messed up. File:
	mantools/postlink.

20131118

	Cleanup: FreeBSD nroff workaround. Files: man/Makefile.in,
	proto/Makefile.in.

	Cleanup: the smtpd_proxy_filter client now sends QUIT before
	closing the connection to a content filter.  Files:
	smtpd/smtpd_proxy.c, smtpd/smtpd.c.

	Portability: C99 va_copy() compatibility, in case some
	implementation does not permit multiple va_start() calls
	on the same argument list. Files: global/memcache_proto.c,
	milter/milter8.c, smtpstone/smtp-source.c, util/attr_clnt.c,
	util/concatenate.c, util/dict_surrogate.c, util/netstring.c,
	util/compat_va_copy.h.

	Cleanup: comment formatting. Viktor Dukhovni. File: dns/dns.h.

	Cleanup: removed redundant sort operation. Viktor Dukhovni.
	File: tls/tls_dane.c.

20131119

	Feature: a Postfix LMDB database can now be used as shared
	persistent cache with multiple postscreen(8) or verify(8)
	daemons (but not both), without the need for a shared
	proxymap server.  Files: util/dict.h, util/dict_alloc.c,
	util/dict_open.c, util/dict_lmdb.c.

	Internal: DNS client support to report reply RCODE information,
	in addition to the simplified DNS_NOTFOUND, DNS_RETRY etc.
	Portability note: this requires the C99 __VA_ARGS__ feature.
	Files: dns/dns.h. dns/dns_lookup.c, dns/test_dns_lookup.c.

20131120

	Cleanup: reduced the code footprint for the LMDB < 0.9.10
	heap-to-file information leak workaround, and simplified
	the implementation to "good enough". Files: util/dict.h,
	util/dict.c, util/dict_lmdb.c, postalias/postalias.c,
	postmap/postmap.c.

	Cleanup: reduced the code footprint for the handling of
	multi-writer safe maps. A map only needs to assert that it
	is multi-writer safe, and the rest just happens.  Files:
	util/dict.h, util/dict_open.c, util/dict_lmdb.c,
	global/dict_memcache.c.

	Cleanup: Postfix daemons no longer restart when a multi-writer
	safe map is updated. File: util/dict.c.

	Documentation: sharing an LMDB cache between multiple
	verify(8) or postscreen(8) servers (but not both).  Files:
	proto/ADDRESS_VERIFICATION_README.html,
	proto/POSTSCREEN_README.html.

	Cleanup: improve suppression of TLSA lookups in insecure
	zones.  This is now applied not only to non-MX destinations,
	but also to each MX record.  Viktor Dukhovni. Files:
	src/posttls-finger/posttls-finger.c, src/smtp/smtp_tls_policy.c,
	src/tls/tls.h, src/tls/tls_dane.c.

	Workaround: increased the 5s connection timeout to 30s.
	Viktor Dukhovni. File: posttls-finger/posttls-finger.c.

20131121

	Documentation: new socketmap_table(5) and lmdb_table(5)
	manpages.  Files: mantools/postlink, conf/postfix-files,
	html/Makefile.in, man/Makefile.in, proto/DATABASE_README.html,
	postconf/postconf.c, proto/socketmap_table, proto/lmdb_table.

20131122

	Documentation: missing database hyperlinks, refined text
	about partial lookup keys. Files: mantools/postlink,
	proto/DATABASE_README.html, proto/lmdb_table,
	proto/socketmap_table.

20131123

	Feature: support for NOTIFY parameter in the Milter
	SMFIR_ADDRCPT_PAR request. Contributed by by Andrew Ayer.
	Wietse added support for ORCPT.  Files: cleanup/cleanup.h,
	cleanup/cleanup_milter.c, cleanup/cleanup_state.c,
	global/xtext.c, global/xtext.h, milter/test-milter.c.

20131122

	Feature: "postconf -Fe service/type/attribute = value" edits
	master.cf attribute values. The -e is optional. Example:
	use "postconf -F "*/*/chroot = n" to turn off chroot on all
	master.cf services. Files: postconf/postconf.h,
	postconf/postconf.c, postconf/postcof_master.c,
	postconf/postconf_edit.c.

20131124

	Cleanup: remove extra blank line from ccformat output,
	making it compatible with the script that Wietse actually
	uses (this line was part of a test to detect file truncation,
	but it is now obsolete).  File: mantools/ccformat.

	Feature: master.cf parameter namespace. "postconf -P" shows
	master.cf parameter settings as "service/type/parameter =
	value". This is applicable only to parameter settings in
	master.cf. Files: postconf/postconf.h, postconf/postconf.c,
	postconf/postcof_master.c, postconf/postconf_print.c.

	Incompatibility: the master_service_disable syntax has
	changed: use "service/type" instead of "service.type".  The
	new form is consistent with master.cf parameter namespaces.
	The old form is still supported to avoid breaking existing
	configurations.  Files: global/master_service.c,
	master/master_ent.c.

20131125

	Feature: change, add or delete "-o parameter=value" setting
	in master.cf. Examples: "postconf -P smtp/inet/parameter=value"
	(add or modify "-o name=value" setting) and "postconf -P
	smtp/inet/parameter" (delete "-o parameter=value" setting).
	Files: util/argv.[hc], postconf/postconf.h,
	postconf/postconf_edit.c, postconf_master.c.

20131126

	Cleanup: Leave SSLv3 enabled with DANE. Viktor Dukhovni.
	Files: proto/TLS_README.html proto/postconf.proto
	tls/tls_client.c.

	Cleanup: DANE support: Drop support for usage 0. It SHOULD
	NOT be supported in DANE with SMTP, and we already don't
	support digest TLSA RRs in this case, while full content
	TLSA RRs are not recommended for DNS bloat reasons.  Viktor
	Dukhovni. Files: proto/postconf.proto src/global/mail_params.h
	src/smtp/smtp.c src/tls/tls_dane.c src/tls/tls_misc.c.

	Feature: TLS support: Support future digest algorithms
	without re-compilation. Viktor Dukhovni. Files: .indent.pro
	proto/postconf.proto src/tls/tls_dane.c.

	Feature: DNS support: New configurable digest agility.
	Viktor Dukhovni. Files: .indent.pro proto/TLS_README.html
	proto/postconf.proto src/global/mail_params.h src/tls/tls_dane.c
	src/tls/tls_misc.c.

Boris Mühmer's avatar
Boris Mühmer committed
20131127

	Bugfix (introduced: 20090106): the postconf '-#' option
	erased prior options. File: postconf/postconf.c.

20131129

	Bugfix: Makefile example in MULTI_INSTANCE_README. Viktor
	Dukhovni. File: proto/MULTI_INSTANCE_README.html.

Boris Mühmer's avatar
Boris Mühmer committed
20131130
Boris Mühmer's avatar
Boris Mühmer committed
	Cleanup: simplify fingerprint security level implementation
	in new DANE code.  Viktor Dukhovni.  Files: src/tls/tls.h
	src/smtp/smtp_tls_policy.c src/tls/tls_dane.c
	src/posttls-finger/posttls-finger.c.
Boris Mühmer's avatar
Boris Mühmer committed
20131209
Boris Mühmer's avatar
Boris Mühmer committed
	Cleanup: safe_strtoul() did not report an error for empty
	or all-space input (the code to report this was in the wrong
	place). This was not a problem as long as safe_strtoul()
	was used only for output from safe_ultostr().  Files:
	global/safe_ultostr.c, global/safe_ultostr.in,
	global/safe_ultostr.ref.
Boris Mühmer's avatar
Boris Mühmer committed
20131210
Boris Mühmer's avatar
Boris Mühmer committed
	Documentation: updated description of SSL protocol controls.
	In particular, enabled protocols are part of a contiguous
	range. Viktor Dukhovni.  Files: proto/TLS_README.html,
	proto/postconf.proto.
Boris Mühmer's avatar
Boris Mühmer committed
	Bugfix: DANE support: handle OpenSSL memory allocation
	error. Viktor Dukhovni.  File: tls/tls_dane.c.
Boris Mühmer's avatar
Boris Mühmer committed
	Cleanup: LMDB_README was not installed. File: conf/postfix-files.
Boris Mühmer's avatar
Boris Mühmer committed
20131214
Boris Mühmer's avatar
Boris Mühmer committed
	Portability: on some platforms posttls-finger now requires
	explicitly linking libdl.  File: posttls-finger/Makefile.in.
Boris Mühmer's avatar
Boris Mühmer committed
	Cleanup: DANE support: extension gymnastics. Viktor Dukhovni.
	File: tls/tls_dane.c.
Boris Mühmer's avatar
Boris Mühmer committed
	Bugfix: DANE support: the wrap_cert() and wrap_key() calls
	should never fail, but some callers ignored the return
	value.  The only failure is for lack of memory, so we use
	msg_fatal() internally and change wrap_cert() and wrap_key()
	to return void. Viktor Dukhovni.  File: tls/tls_dane.c.
Boris Mühmer's avatar
Boris Mühmer committed
	Bugfix: DANE support: avoid making DANE certificates with
	replaced public-keys appear as if they were self-signed.
	Viktor Dukhovni.  File: tls/tls_dane.c.
Boris Mühmer's avatar
Boris Mühmer committed
	Cleanup: DANE support: simplify grow_chain() to always apply
	trust consistently. Viktor Dukhovni.  File: tls/tls_dane.c.
Boris Mühmer's avatar
Boris Mühmer committed
	Bugfix: DANE support: backport fixes from OpenSSL DANE
	testing.  Discard errors generated by raw TA key signature
	checks. Record the tadepth as zero with self-signed depth
	0 TAs. Robustness: Though it should never happen, don't
	update the tadepth if already set. Viktor Dukhovni.  Files:
	tls/tls_dane.c, tls/tls_server.c.
Boris Mühmer's avatar
Boris Mühmer committed
20131215
Boris Mühmer's avatar
Boris Mühmer committed
	Cleanup: OpenSSL "const" declarations have changed over
	time. Viktor Dukhovni. Files: src/tls/tls.h, src/tls/tls_client.c,
	src/tls/tls_dane.c, src/tls/tls_server.c.
Boris Mühmer's avatar
Boris Mühmer committed
20131216
Boris Mühmer's avatar
Boris Mühmer committed
	Cleanup: TLS support. Eliminate calls of deprecated functions
	before they are removed from OpenSSL.  CRYPTO_thread_id is
	deprecated and we don't need it.  Replace the deprecated
	ERR_remove_state() call with ERR_remove_thread_state(), and
	use RSA_generate_key_ex().  Viktor Dukhovni. Files:
	posttls-finger/posttls-finger.c, tls/tls_misc.c, tls/tls_rsa.c.
Boris Mühmer's avatar
Boris Mühmer committed
	Cleanup: DANE support: Reduce #ifdef clutter to improve
	redability and maintability. Viktor Dukhovni.  File:
	tls/tls_dane.c.
Boris Mühmer's avatar
Boris Mühmer committed
	Future proofing: Tolerate disappearance of named bug-workaround
	bits without invalidating user configurations.  When support
	for a bug workaround is removed from OpenSSL, the corresponding
	bit is defined as zero (i.e. NOOP) intstead of causing
	programs to break. Viktor Dukhovni.  File: tls/tls_misc.c.
Boris Mühmer's avatar
Boris Mühmer committed
20131217
Boris Mühmer's avatar
Boris Mühmer committed
	Portability: RSA_generate_key_ex() is not available on all
	supported platforms, so this change is made conditional.
	Enforce that this function will be used only for creating
	a 512-bit ephemeral RSA key.  Viktor Dukhovni. File:
	tls/tls_rsa.c.
Boris Mühmer's avatar
Boris Mühmer committed
20131218
Boris Mühmer's avatar
Boris Mühmer committed
	Documentation: new document FORWARD_SECRECY_README that
	describes how different versions of Postfix >= 2.2 implement
	"perfect" forward secrecy. Viktor Dukhovni. File:
	proto/FORWARD_SECRECY_README.html, proto/Makefile.in,
	conf/postfix-files, html/index.html.
Boris Mühmer's avatar
Boris Mühmer committed
20131219
Boris Mühmer's avatar
Boris Mühmer committed
	Cleanup: renamed postconf(1) internal identifiers according
	to a consistent scheme, to avoid future name conflicts as
	Postfix evolves. This is a no-feature change.  Files:
	postconf/*.[hc], postconf/extract.awk.
Boris Mühmer's avatar
Boris Mühmer committed
	Documentation: linearized the order of exposition in
	FORWARD_SECRECY_README. File: proto/FORWARD_SECRECY_README.html.
Boris Mühmer's avatar
Boris Mühmer committed
20131220
Boris Mühmer's avatar
Boris Mühmer committed
	Bugfix: DANE support: segfault. Viktor Dukhovni. File:
	tls/tls_dane.c.
Boris Mühmer's avatar
Boris Mühmer committed
	Documentation: typo in SASL_README. Patrick Ben Koetter.
	File: proto/SASL_README.html.
Boris Mühmer's avatar
Boris Mühmer committed
	Documentation: increased the *.[0-9].html manpage width
	from the historical 65 columns to the more contemporary 78
	columns, and future-proofed the pattern that eliminates
	redundant text from the "README FILES" section.  Files:
	mantools/postlink, mantools/man2html, man/Makefile.in.
Boris Mühmer's avatar
Boris Mühmer committed
	Documentation: misc manual page cleanups. Files:
	postconf/postconf.c, postmulti/postmulti.c.
Boris Mühmer's avatar
Boris Mühmer committed
20131221
Boris Mühmer's avatar
Boris Mühmer committed
	Testbed: TLS support. Viktor Dukhovni. Files: tls/Makefile.in,
	tls/tls_dane.c, tls/tls_dane.sh, tls/tls_mgr.c, .indent.pro.
Boris Mühmer's avatar
Boris Mühmer committed
	Documentation: added section on how to verify that forward
	secrecy works. File: proto/FORWARD_SECRECY_README.html.
Boris Mühmer's avatar
Boris Mühmer committed
20131222
Boris Mühmer's avatar
Boris Mühmer committed
	Documentation: forward secrecy, with feedback from Adam
	Shostack.  Viktor Dukhovni and Wietse Venema. File:
	proto/FORWARD_SECRECY_README.html.
Boris Mühmer's avatar
Boris Mühmer committed
20131224
Boris Mühmer's avatar
Boris Mühmer committed
	Feature: smtpd_sasl_service (until now, this was hard-coded
	internally as "smtp"). On request by Michal (sksoft.cz).
	Files: global/mail_params.h, proto/postconf.proto,
	mantools/postlink, smtpd/smtpd.c, smtpd/smtpd_sasl_glue.c.
Boris Mühmer's avatar
Boris Mühmer committed
	Documentation: updated example to Dovecot version 2 syntax.
	File: proto/SASL_README/html.
Boris Mühmer's avatar
Boris Mühmer committed
20131228
Boris Mühmer's avatar
Boris Mühmer committed
	Cleanup: DANE support: test script. Viktor Dukhovni. File
	tls/tls_dane.sh.
Boris Mühmer's avatar
Boris Mühmer committed
	Debugging: test driver for LMDB debugging and stress testing.
	Shockingly, LMDB terminates the postscreen daemon without
	logfile record.  File: util/dict_cache.c.
Boris Mühmer's avatar
Boris Mühmer committed
20140102
Boris Mühmer's avatar
Boris Mühmer committed
	Bugfix: close the LMDB database cursor's read transaction
	before writing with MDB_NOLOCK and before changing the
	database memory map size. File: util/slmdb.c.
Boris Mühmer's avatar
Boris Mühmer committed
20140103

	Cleanup: eliminated data duplication from the new SMTP_ITERATOR
	structure to the old SMTP_SESSION structure. The SMTP_ITERATOR
	structure now maintains the sole copy. Files: smtp/smtp.h,
	smtp_sasl_auth_cache.c, smtp_reuse.c, smtp_sasl_glue.c,
	smtp_rcpt.c, smtp_session.c, smtp_chat.c, smtp_proto.c,
	smtp_connect.c.

20140104

	Feature: support for optional configuration files
	"$daemon-directory/postfix-files.d/*".  These are processed
	in sorted order after "$daemon-directory/postfix-files",
	This avoids breaking "postfix set-permissions" etc. when a
	Postfix distribution comes in multiple packages.  File:
	conf/post-install.

20140107

	Feature: LMDB 0.9.11 allows Postfix daemons to log an LMDB
	error message, instead of falling out of the sky without
	any notification.  Files: util/slmdb.[hc], util/dict_lmdb.c.

20140108

	Bugfix: every Postfix LMDB transaction is now protected by
	an external lock for its entire life time. File: util/slmdb.c.

20140109

	Cleanup: turn off DNSSEC lookup after CNAME redirection to
	an insecure zone. This is an optimization for resolvers
	that do not automatically resolve CNAME chains. Viktor
	Dukhovni. File: dns/dns_lookup.c.

	Cleanup: do not salt the SMTP TLS policy lookup cache key
	with the DNSSEC status. The DNSSEC status will not change
	when the same nexthop/host pair is looked up repeatedly.
	Viktor Dukhovni. File: smtp/smtp_tls_policy.c.

	Robustness: Suppress TLSA lookups only when the qname zone
	is insecure, not just because the rname zone is insecure.
	This requires an extra T_CNAME lookup for the qname, since
	nameservers are often "too helpful" and report CNAME records
	together with the CNAME targets. When the targets are
	insecure the whole reply is marked as insecure.  Viktor
	Dukhovni.  File: tls/tls_dane.c.

	Cleanup: Unify/simplify reporting of configuration or other
	conditions that prevent DANE security.  Viktor Dukhovni.
	Files: global/dsn_buf.[hc], tls/tls_dane.c, smtp/smtp_tls_policy.c.
Boris Mühmer's avatar
Boris Mühmer committed
20140110-15
Boris Mühmer's avatar
Boris Mühmer committed
	Miscellaneous documentation cleanups.
Boris Mühmer's avatar
Boris Mühmer committed

20140116

	Workaround: prepend "-I. -I../../include" to CCARGS, to
	avoid name clashes with non-Postfix header files. File:
	makedefs.

20140125

Boris Mühmer's avatar
Boris Mühmer committed
	Cleanup: assorted documentation glitches.

20140209

	Workaround: the Postfix SMTP client now also falls back to
	plaintext when TLS fails after the TLS protocol handshake.
	Files: smtp/smtp.h, smtp/smtp_connect.c, smtp/smtp_trouble.c.

	Testbed: unsupported HANGUP access map action that drops
	the connection without responding to the remote SMTP client.
	File: smtpd/smtpd_check.c.

20140214

	Workaround: apparently some buggy kernels report WIFSTOPPED
	events to the parent process (master daemon) instead of the
	tracing process (e.g., gdb). File: master/master_spawn.c.

20140218

	Workaround: require that a queue file is older than
	$minimal_backoff_time, before falling back from failed TLS
	to plaintext (both during or after the TLS handshake).
	Viktor Dukhovni. Files: smtp/smtp.h, smtp/smtp.c,
	smtp/lmtp_params.c, smtp/smtp_params.c.

20140220

	Workaround: in case "minimal_backoff_time = $queue_run_delay".
	Files: smtp/smtp.c, smtp/smtp_params.c, smtp/lmtp_params.c.

	Cleanup: consolidate the code to log the start of a new
	mail transaction in one place, so that code can easily be
	added to log TLS status information in addition to the
	existing client and SASL status information. Files:
	smtpd/smtpd_sasl_proto.h, smtpd/smtpd_sasl_proto.c,
	smtpd/smtpd.c.
Boris Mühmer's avatar
Boris Mühmer committed
	Workaround: when a session breaks after the TLS handshake,
	do not fall back from TLS to plaintext when all recipients
	were deferred or rejected during the TLS phase. Files:
	smtp/smtp.h, smtp/smtp_rcpt.c.

Boris Mühmer's avatar
Boris Mühmer committed
	Logging: the TLS client logged that an "Untrusted" TLS
	connection was established instead of "Anonymous".  Viktor
	Dukhovni. File: tls/tls_client.c.

Boris Mühmer's avatar
Boris Mühmer committed
	Documentation: new self-signed certificate example and
	updated private CA example. File: proto/TLS_README.html.

20140224

	Bugfix (introduced: 20061106): when the "retry" transport
	was added to Postfix, it was not given special status like
	the "error" transport. The Postfix SMTP server did not defer
	mail that resolves to the "retry" transport, and the
	trivial-rewrite daemon would override the null nexthop
	destination in "retry:" with the current nexthop destination.
	Files: smtpd/smtpd_check.c, trivial-rewrite/transport.c.

Boris Mühmer's avatar
Boris Mühmer committed
20140227

	Bugfix: Enforce TLS when TLSA records exist, but all are
	unusable; Don't leak dane handle when all TLSA records are
	unusable.  Viktor Dukhovni. File: smtp/smtp_tls_policy.c.

	Cleanup: log TLS policy lookup errors as warnings. Viktor
	Dukhovni.  File: smtp/smtp_connect.c.

Boris Mühmer's avatar
Boris Mühmer committed
20140316

	Feature: preliminary support to change arbitrary hard
	delivery errors into soft errors and vice versa, or to
	replace the descriptive text of non-delivery notifications.
	This was originally introduced for sites that want to bounce
	mail when no remote SMTP server announces TLS support. New
	parameters: {default,smtp,pipe,virtual}_bounce_defer_filter.
	Files: proto/postconf.proto, mantools/postlink, global/bounce.[hc],
	bounce/defer.[hc], global/ndr_filter.[hc], global/mail_params.[hc],
	master/event_server.c, master/multi_server.c,
	master/single_server.c, master/trigger_server.c, smtp/smtp.c,
	pipe/pipe.c, virtual/virtual.c.

20140317

	Feature: local_bounce_defer_filter support. Files:
	global/bounce.[hc], global/defer.[hc], local/command.c,
	local/file.c, local/bounce_workaround.c, local/local.c,
	global/mail_params.h, mantools/postlink.

20140318

	Refinement: don't throttle an SMTP destination when the new
	smtp_bounce_defer_filter feature turns a soft bounce into
	a hard bounce.  File: smtp/smtp_trouble.c.

20140320

	Feature: support to replace successful delivery status code
	and explanatory text.  This can be used to to hide local
	details such as destination commands or file names when a
	remote sender requests confirmation of delivery.  As of now
	*_bounce_defer_filter is renamed into *_delivery_status_filter.
	Files: global/bounce.c, global/bounce.h, global/defer.c,
	global/defer.h, global/dsn_filter.c, global/dsn_filter.h,
	global/mail_params.c, global/mail_params.h, global/sent.c,
	local/local.c, master/event_server.c, master/multi_server.c,
	master/single_server.c, master/trigger_server.c, pipe/pipe.c,
	smtp/lmtp_params.c, smtp/smtp.c, smtp/smtp_params.c,
	virtual/virtual.c, mantools/postlink.

20140322

	Cleanup: code comments and identifier names to reflect the
	evolution from "NDR filter" to "delivery status filter".
	Files: global/mail_params.h, smtp/smtp.c, global/dsn_filter.c,
	global/dsn_filter.h, local/local.c, pipe/pipe.c,
	smtp/lmtp_params.c, smtp/smtp_params.c, virtual/virtual.c,
	global/bounce.c.

20140323

	Feature: initial merge of Debian-style dynamic linking.
	Viktor Dukhovni.

20140406

	Bugfix: when testing session caching, stop reconnecting
	after encountering a previously-used server (when the session
	is re-used or not). Viktor Dukhovni. File:
	posttls-finger/posttls-finger.c.

	Feature: configurable TLS session-ticket cipher (default:
	tls_session_ticket_cipher = aes-128-cbc). Viktor Dukhovni
	and Wietse. Files: mantools/postlink, smtpd/smtpd.c,
	proto/postconf.proto, global/mail_params.h, tls/tls_misc.c,
	tls/tls_scache.h, tls/tls_server.c.

20140416

	Cleanup: replace "~0 << positive" with "~0U << positive"
	even if we use only the lower bytes.  Jeffrey Walton.  File:
	util/mask_addr.c.

Boris Mühmer's avatar
Boris Mühmer committed
20140407

	Documentation: the documentation for Postfix > 2.8 TLS
	activity logging was incorrect. Loglevel 0 produces no
	logging. Instead, information is logged only with loglevel
	1 or higher. Viktor Dukhovni. Files: proto/TLS_README.html,
	proto/postconf.proto.

Boris Mühmer's avatar
Boris Mühmer committed
20140501

	Cleanup: postscreen_dnsbl_timeout parameter. Files:
	mantools/postlink, proto/postconf.proto, global/mail_params.h,
	postscreen/postscreen.c, postscreen/postscreen_dnsbl.c.

	Cleanup: added table search order information to the
	postconf(5) manpage. File: proto/postconf.proto.

20140505

	Cleanup: added a client port attribute to the policy
	delegation protocol. Jernej Porenta. File: smtpd/smtpd_check.c.

Boris Mühmer's avatar
Boris Mühmer committed
20140507

	Bugfix (introduced: Postfix 2.11): with connection caching
	enabled (the default), recipients could be given to the
	wrong mail server.  Root cause: due to an incorrect predicate,
	the Postfix SMTP client could save and restore plaintext
	connections that should not be cached, under nonsensical
	lookup keys that did not distinguish by destination.  Problem
	reported by Sahil Tandon, predicate error found by Viktor,
	redundant connection restore request eliminated by Wietse.
	File: smtp/smtp_connect.c.
Boris Mühmer's avatar
Boris Mühmer committed
	Cleanup: the macros that control SMTP connection reuse
	poorly reflected their purpose. "DEAD" is replaced with
	"FORBIDDEN" (no I/O allowed) and "BAD" is replaced with
	"THROTTLED" (anything that causes the queue manager to back
	off from some destination). Files: smtp.h, smtp_connect.c,
	smtp_proto.c, smtp_trouble.c.

	Cleanup: enable SMTP connection cache lookup by destination
	name while a surge of mail dries up. File: smtp_connect.c.

20140505

	Bugfix: the postdrop authorized_submit_users feature requires
	that lookup table support is initialized so that it can use
	libglobal or dynamicmaps maps.  File: postdrop/postdrop.c.

	Cleanup: moved dynamicmaps initialization from parameter
	inititialization (mail_conf_suck()) to dictionary initialization
	(mail_dict_init()).  A benefit of this is that dynamicmaps.cf
	is no longer read by programs that don't use Postfix lookup
	tables.  Files: global/mail_conf.[hc], global/mail_dict.c.

	Cleanup: move the mail_dict_init() call after the
	mail_conf_read() or mail_params_init() call, to prepare for
	a configurable dynamicmaps.cf directory.   Files:
	master/event_server.c, master/multi_server.c,
	master/single_server.c, master/trigger_server.c.

20140506

	Cleanup: you can now specify "make makefiles parameter=value"
	for selected compile-time parameter default overrides.  The
	old "make makefiles 'CCARGS=-DDEF_MUMBLE=\"mumble\"'"
	approach remains supported.  File: makedefs.

20140508

	Cleanup: dynamicmaps.cf is now installed into $daemon_directory
	because the file is shared among Postfix instances just
	like postfix-files and other files.  Files: conf/dynamicmaps.cf,
	Makefile.in, conf/postfix-files.

	Cleanup: INSTALL is now plain ASCII instead of README format,
	to avoid a chicken-and-egg problem (the instructions to
	print/view README-format files are in the INSTALL file).

	Documentation: updated INSTALL instructions and RELEASE_NOTES.

20140512

	Portability: Berkeley DB6 support. File: util/dict_db.c.

20140514

	Cleanup: replace #ifdef/endif containing hard-coded calls
	of dynamicmaps functions with an extension mechanism that
	dynamicmaps functions invoke instead. Files: util/dict.h,
	util/dict_open.c, global/dynamicmaps.[hc], global/mkmap.h,
	global/mkmap_open.c.

20140515

	Bugfix (introduced: 20140320): missing initialization.
	Viktor Dukhovni. File pipe/pipe.c.

	Cleanup: mkmap_open() now caches a dynamically-loaded
	function. This is useful because postmap/postalias may open
	the same database type multiple times. Files: global/mkmap.h,
	global/mkmap_open.c.

	Security: the dynamicmaps.cf file and its and shared-object
	files must not be writable by non-root users. File:
	global/dynamicmaps.c.

20140517

	Cleanup: dynamic linking and hooking. Files: util/dict.h,
	util/load_lib.[hc], global/dynamicmaps.c.

20140518

	Preliminary "make plugins" support. Todo: macros to dynamically
	remove pluggable maps from compile-time tables in dict_open.c
	and mkmap_open.c, and from the OBJS lists in Makefile.in.

20140522

	Support for "make shared=yes" and "make dynamicmaps=yes".
	New plugin_directory parameter for the location of the
	dynamicmaps.cf file and for plugins with a relative pathname.
	See RELEASE_NOTES and INSTALL for details. Files: postfix.c,
	mail_params.[hc], dynamicmaps.c, mail_dict.c, makedefs,
	postfix-files, dynamicmaps.cf, Makefile.in, util/Makefile.in,
	global/Makefile.in, postlink, postconf.proto.  INSTALL.html,
	RELEASE_NOTES.

20140523

	Cleanup: don't install plugins for unsupported databases,
	and don't make dynamicmaps.cf entries for them. Files:
	makedefs, Makefile.in, util/Makefile.in, global/Makefile.in.

	Cleanup: added support for symlinks where the "source" is
	specified as a relative pathname. File: postfix-install.

	Cleanup: moved instructions from RELEASE_NOTES to INSTALL
	to avoid duplication. Files: RELEASE_NOTES, proto/INSTALL.html.

	Cleanup: include <dict_lmdb.h> unconditionally so that
	dict_lmdb_map_size is always defined. Files: mail_params.c,
	dict_test.c.

	Cleanup: port for ancient Solaris9 revealed some non-portability.
	Files: master/Makefile.in, makedefs, sys_defs.h.

20140524

	Cleanup: specify database library dependencies with variables
	named AUXLIBS_CDB, AUXLIBS_LDAP, etc. The global AUXLIBS
	variable is still supported, but the new variables are
	required when building dynamically-loadable building database
	plugins.  Files: RELEASE_NOTES, INSTALL.html, CDB_README.html,
	LDAP_README.html, LMDB_README.html, MYSQL_README.html,
	PCRE_README.html, PGSQL_README.html, SQLITE_README.html,
	makedefs, util/Makefile.in, global/Makefile.in.

	Workaround: reportedly, MacOS can fail to move a symlink
	with a relative target across file system boundaries, because
	it examines the symlink with stat() instead of lstat().
	Files: makedefs, Makefile.in.

	Cleanup: use readlink to verify symlink target. File:
	postfix-install.

20140528

	Cleanup: the configuration file dynamicmaps.cf will now
	automatically include files under the directory dynamicmaps.cf.d,
	just like the configuration file postfix-files will
	automatically include files under the directory postfix-files.d.
	See INSTALL section "Building with Postfix shared libraries
	and database plugins".  File: dynamicmaps.c.

20140530

	Cleanup: add shlib_directory and plugin_directory to the
	postmulti-script list of shared parameters. Viktor Dukhovni.
	File: postmulti-script.

	Cleanup: to avoid "postfix set-permission" errors, don't
	create postfix-files entries for non-existent database
	plugins. Problem reported by Viktor. File: Makefile.in.

	Bugfix: we can't use "mv" to replace a symlink-to-directory.
	Instead we now create all symlinks in place. Unfortunately
	the "ln -n" option is not universally implemented, so we
	remove the old symlink first.  Problem reported by Viktor.
	File: postfix-install.

20140603

	Cleanup: use the OpenSSL session id accessor (available
	since OpenSSL 0.9.8 or so) instead of groping a session
	object directly. Viktor Dukhovni. File: tls_server.c.

20140605

	Feature: the pipe(8) daemon logs some command output after
	successful delivery as "dsn=2.0.0, status=sent (delivered
	via XXX service (YYY))" where XXX is the master.cf service
	name, and YYY is command output. Files: pipe/command.c,
	pipe.c.

20140613

	Feature: the "pipeline" table implements a table pipeline.
	Example "pipeline:!type_1:name_1!...!type_n:name_n".  The
	ASCII character after "pipeline:" will be used as the
	separator between the lookup tables that follow (do not use
	space, ",", ":" or non-ASCII).  Each "pipeline:" query is
	given to the first table.  Each lookup result becomes the
	query for the next table in the pipeline, and the last table
	produces the final result.  When any table lookup produces
	no result, the pipeline produces no result.  Files:
	dict_pipe.[hc], dict_open.c, postlink, DATABASE_README.html,
	postconf.c.

20140617

	Feature: the "random" table performs random selection.
	Example: "random:!result_1!...!result_n". Each table query
	returns a random choice from the specified results. The
	ASCII character after "random:" will be used as the separator
	between the results that follow (do not use space, ",", ":"
	or non-ASCII).  Files: dict_random.[hc], dict_open.c,
	postlink, DATABASE_README.html, postconf.c.

20140618

	Cleanup: INFO action in access(5) tables, for consistency
	with header/body_checks. Viktor Dukhovni.  Files:
	smtpd/smtpd_check.c, proto/access.

Boris Mühmer's avatar
Boris Mühmer committed
	Cleanup: process LaMont Jones feedback for shared-library
	and database-plugin builds. Changes: 1) move non-executable
	files from $daemon_directory to the default $config_directory
	(postfix-files*, dynamicmaps.cf*, main.cf.proto/master.cf.proto
	for multi-instance support); 2) add foo.so -> foo.so.version
	symlinks; 3) change $shlib_directory and $plugin_directory
	defaults to /usr/lib/postfix to reduce sprawl.  Files:
	conf/main.cf.proto, conf/master.cf.proto, conf/postfix-files.proto,
	conf/post-install, conf/postmulti-script, makedefs,
	postfix-install, proto/INSTALL.html, global/dynamicmaps.c,
	global/dynamicmaps.h, global/mail_dict.c, global/mail_params.h,
	postmulti/postmulti.c.

Boris Mühmer's avatar
Boris Mühmer committed
	Bugfix (introduced: 2001): qmqpd null pointer bug when it
	logs a lost connection while not in a mail transaction.
	Reported by Michal Adamek. File: qmqpd/qmqpd.c.

Boris Mühmer's avatar
Boris Mühmer committed
	Cleanup: filter non-printable characters in X509 subject
	or issuer names. Viktor Dukhovni. File: tls/tls_server.c.

20140620

	Cleanup: for compliance with file system policies, some
	files have been moved from $daemon-directory to the directory
	specified with the new meta_directory parameter which has
	the same default value as config_directory.  This change
	affects non-executable files that are shared among multiple
	Postfix instances, such as postfix-files, dynamicmaps.cf,
	and multi-instance template files.

	For backwards compatibility with Postfix 2.6..2.11, specify
	"meta_directory = $daemon_directory" in main.cf before
	installing Postfix, or specify "meta_directory = /path/name"
	on the "make makefiles", "make install" or "make upgrade"
	command line.

	Files: Makefile.in, RELEASE_NOTES, conf/post-install,
	conf/postfix-files.proto, conf/postmulti-script, makedefs,
	mantools/postlink, postfix-install, proto/INSTALL.html,
	proto/postconf.proto, global/mail_params.c, global/mail_params.h,
	postfix/postfix.c, postmulti/postmulti.c.

	Feature: check_xxx_a_access (for xxx in client, reverse_client,
	helo, sender, recipient) implements access control on all
	A and AAAA IP addresses for the client hostname, helo
	parameter, sender domain or recipient domain. Some spam has
	sender domains with the same IP address but different MX
	hosts.  Files: global/mail_params.h, smtpd/smtpd_check.c,
	proto/postconf.proto.

20140622

	Cleanup: eliminated plugin_directory to reduce configuration
	parameter sprawl. Files: Makefile.in, RELEASE_NOTES,
	conf/post-install, conf/postfix-files.proto, conf/postfix-script,
	conf/postmulti-script, makedefs, mantools/postlink,
	postfix-install, proto/INSTALL.html, proto/postconf.proto,
	global/Makefile.in, global/mail_dict.c, global/mail_params.c,
	global/mail_params.h, global/mail_version.h, postfix/postfix.c,
	postmulti/postmulti.c, smtpd/smtpd_check.c, util/Makefile.in.

20140623

	Cleanup: eliminated the use of Postfix release versions as
	file name suffixes for shared libraries, database plugins
	and dynamicmaps.cf.  The shared-library version suffixes
	were fighting against assumptions and conventions in run-time
	linkers, including the assumption that ABIs are preserved
	from one version to the next. The Postfix version can now
	be embedded in the shlib_directory parameter. As this is
	sufficient to permit upgrade of a running Postfix system
	without risking that old binaries will link against newer
	shared objects, we no longer need a version suffix for
	dynamicmaps.cf.  Files: Makefile.in, RELEASE_NOTES,
	conf/postfix-files.proto, makedefs, proto/INSTALL.html,
	proto/postconf.proto, global/mail_params.h, global/mail_version.h,