Newer
Older
qmqpd_client_port_logging parameter setting. File:
qmqpd/qmqpd.c.
Cleanup: show the remote SMTP server port in verbose logging,
warnings and postmaster notices. Still don't show the port
in delivery status notifications. Files: smtp/smtp_chat.c,
smtp/smtp_sasl_glue.c, smtp/smtp_sasl_proto.c.
The "tls_require_cert" is now compatible with OpenLDAP 2.1
and later. Victor Duchovni. Files: proto/ldap_table,
global/dict_ldap.c.
Cleanup: removed the "#ifdef USE_LIBMILTER_INCLUDES"
dependencies on system-installed Milter protocol include
files. Verified that the object code has not changed. File:
milter/milter8.c.
Sanity check: idiot filter to detect attempts to use the
same database file for different TLS session caches. File:
tlsmgr/tlsmgr.c.
Cleanup: updated the spell check stoplist and the spell
check script. Files: mantools/spell, proto/stop.
Cleanup: replaced documentation references to xxgdb by ddd.
The xxgdb program hasn't been updated in more than 10 years.
Files: proto/postconf.proto, conf/main.cf.
Feature: support for all new Sendmail 8.14 Milter features
except SMFIR_SKIP (skip further events of this type),
SMFIP_RCPT_REJ (report rejected recipients to the mail
filter), SMFIR_CHGFROM (replace sender, with optional ESMTP
command parameters), and SMFIR_ADDRCPT_PAR (add recipient,
with optional ESMTP command parameters). Files: milter/milters.c,
milter/milter8.c, milter/test-milter.c, cleanup/cleanup_milter.c.
Feature: support for Sendmail 8.14 Milter SMFIR_SKIP (skip
further events of this type). Files: milter/milter8.c,
milter/test-milter.c.
Cleanup: don't try sending HELO after a 421 EHLO reply.
File: smtp/smtp_proto.c.
14052
14053
14054
14055
14056
14057
14058
14059
14060
14061
14062
14063
14064
14065
14066
14067
14068
14069
14070
14071
14072
14073
14074
14075
14076
14077
14078
14079
14080
14081
14082
14083
14084
14085
14086
14087
14088
14089
14090
14091
14092
14093
14094
14095
14096
20071221-nonprod
Using 20071221 as reference point.
Cleanup: Simplified TLS library cipher and protocol API to
just pass string-valued properties to tls_client_init() and
tls_client_start(). The client is now agnostic of the
mechanics of cipher management internal to the library. The
main.cf parameters used internally in the library are now
loaded by the library, not the caller. Files:
src/smtp/lmtp_params.c, src/smtp/smtp.c, src/smtp/smtp.h,
src/smtp/smtp_params.c, src/smtp/smtp_proto.c,
src/smtp/smtp_session.c, src/smtpd/smtpd.c, src/tls/tls.h,
src/tls/tls_client.c, src/tls/tls_level.c, src/tls/tls_misc.c,
src/tls/tls_server.c, src/tls/tls_session.c, src/tls/tls_verify.c
and src/tlsmgr/tlsmgr.c
Cleanup: Client session lookup key "salting" is now handled
internally in the tls library. Files: src/tls/tls_client.c
Cleanup: Cipher state is cached, and only updated when
necessary. Files: src/tls/tls_misc.c
Feature: Extended the syntax of protocol selection to allow
exclusions as well as inclusions. Files: src/tls/tls_misc.c
Cleanup: Updated default verification depth to match reality:
default is 9 in OpenSSL and we don't yet override it. When
we do (soon), the default will match previous behavior.
Files: src/global/mail_params.h
Bugfix: Reference to obsolete "pfixtls" code won't compile
inside #ifdef for OpenSSL <= 0.9.5a. Using an OpenSSL release
that old has not been tested for some time, but may now
work. Files: src/tls/tls_bio_ops.c.
Replaced "void *" TLS library application handles by explicit
pointer types, while hiding data structure implementation
details from the TLS library users. Files: tls/tls_client.c,
tls/tls_server.c, smtp/smtp.c, smtpd/smtpd.c.
The TLS library no longer modifies VSTRINGs passed in by
the caller. Where possible, information is passed as "const"
from application to library. Files: smtp/smtp_proto.c,
tls/tls_client.c.
Replaced explicit initialization of props structures by
emulating function calls with named parameter lists. Files:
tls/tls.h, smtp/smtp.c, smtp/smtp_proto.c, smtpd/smtpd.c.
Further polishing of the Milter code and logging. File:
milter/milter8.c.
Further polishing of the Milter code. With SETSYMLIST, each
Milter can now update its own macros instead of clobbering
the global copy that is shared with other Milters. Also an
opportunity to clean up some ad-hoc code for sending macro
lists from smtpd(8) to cleanup(8). Files: milter/milter.c,
milter/milter8.c, milter/milter_macros.c.
Further polishing of the Milter code. Eliminated unnecessary
steps from the initial smtpd/cleanup Milter handshake. Files:
milter/milter.c, milter/milter8.c, milter/milter_macros.c.
Cleanup: name_code(3) and name_mask(3) now support read-only
tables. Files: util/name_code.[hc], util/name_mask.[hc].
Cleanup: further refinements of the Milter code, allowing
for multiple macro overrides. The code is now ready for
serious testing. File: milter/milter8.c.
Bugfix: the Milter client did not replace the Postfix-specific
form for unknown host names by the Sendmail-specific form.
Cleanup: when a cleanup milter reports a problem don't log
generic "4.3.0 Sevice unavailable", but log the text for
the actual error. File: cleanup/cleanup_milter.c.
SMTP client fingerprint security level support and configurable
fingerprint digest algorithm. Victor Duchovni. Files:
smtp/lmtp_params.c, smtp/smtp.c, smtp/smtp.h,
src/smtp/smtp_params.c, src/smtp/smtp_proto.c,
src/smtp/smtp_session.c, tls/tls_client.c, tls/tls_level.c,
tls/tls_verify.c.
Missed "invalid TLS configuration" patch for SMTP client.
Victor Duchovni. File: smtp/smtp_proto.c.
SMTP server configurable fingerprint digest algorithm.
Victor Duchovni. Files: smtpd/smtpd.c, tls/tls.h,
tls/tls_server.c, tls/tls_verify.c.
Cleanup: finally implemented certificate verification depth
limit parameters. Prior to Postfix 2.5 these were ignored.
For backwards compatibility, the default verification depth
limit is now 9, the OpenSSL default. Victor Duchovni. Files:
src/tls/tls_client.c, src/tls/tls_server.c, src/tls/tls_verify.c.
Robustness: Avoid possibility of NULL pointer issues in
application code that checks certificate names, by providing
"empty string" values when no data is available. Victor
Duchovni. Files: src/tls/tls_verify.c, src/tls/tls_client.c,
src/tls/tls_server.c, src/smtpd/smtpd_check.c, src/smtpd/smtpd.c.
Cleanup: separation of TLS handshake from security level
enforcement. The library shakes hands; the application
decides if the resulting security is acceptable. Victor
Duchovni. Files: smtpd/smtpd.c, smtpd/smtpd_proto.c,
tls/tls_server.c, tls/tls_client.c, tls/tls_verify.c.
Robustness: more robust processing of ASN.1 string attributes
in x509v3 certificates, plus additional sanity checks (e.g.
embedded null characters). Victor Duchovni. File:
src/tls/tls_verify.c.
Workaround: minor change to the Dovecot AUTH request to
prevent dovecot-auth memory wastage. Timo Sirainen. File:
xsasl/xsasl_dovecot_server.c.
Cleanup: renamed TLS-related symbols for consistency (always
include the init, start, stop prefix in the TLS library
function and data structure names; consistently distinguish
between per-application TLS state and per-session TLS state;
consistently use the fpt prefix for fingerprint related
variables and structure members; consistent use of monocase
typedef-ed names).
Cleanup: consistent use of <pre> and <blockquote> in examples;
instead of emphasizing new Postfix 2.5 behavior in reference
documentation, describe the new behavior as "current", with
historical behavior as a supplemental note.
Feature: new "pass" service type (in addition to "inet",
"unix" and "fifo"). The "pass" service type supports
front-end daemons that accept all inbound connections and
that permit only well-behaved clients to talk to the MTA.
This service type had been sitting in the master daemon for
years but was disabled by default. Actual applications for
this will have to be developed later. Files: util/upass_connect.c,
util/upass_trigger.c.
Cleanup: where possible, store data structures in read-only
memory. Besides the security advantage of no write access,
this also gives slightly better memory utilization when
many processes execute the same file. Files: pretty much
everything that has a static table, except for a few tables
in the benchmark tools with flags that are controlled by
command-line information.
Cleanup: more read-only data. Files: everything that passes
around a HEADER_OPTS pointer.
Safety: optional lookup table to prevent the Postfix SMTP
client from making repeated SASL login failures with the
same hostname, username and password. This introduces new
parameters: smtp_sasl_auth_cache_name, smtp_sasl_auth_cache_time.
Based on code by Keean Schupke. Files: smtp/smtp_sasl_glue.c,
smtp/smtp_sasl_auth_cache.c.
Safety: the Postfix SMTP client now by default defers mail
after the server rejects a SASL login attempt with a 535
status code. Specify "smtp_sasl_auth_soft_bounce = no" to
get the earlier behavior. Based on code by Keean Schupke.
Files: smtp/smtp_sasl_glue.c.
Safety: the smtpd_client_new_tls_session_rate_limit setting
now also limits the number of failed TLS handshakes. This
limits the impact of broken configurations. File: smtpd/smtpd.c.
Bugfix (introduced 20080112): Patrik Rak found two bugs
that largely canceled each other out, causing Postfix not
to complain about a missing "proxy:" prefix with the new
smtp_sasl_auth_cache_name parameter setting. File:
smtp/smtp_sasl_glue.c.
Documentation: new SOHO_README file for small/home offices.
The text is automatically generated from bits and pieces of
information that are scattered across other documents.
File: mantools/make_soho_readme.
Bugfix (introduced 20080112): missing #ifdef for the SASL
login failure cache. File: smtp/smtp_sasl_auth_cache.h.
Name fix: renamed the mumble_delivery_rate_delay parameter
to mumble_destination_rate_delay, because it really is a
per-destination feature. With this change we keep the option
of implementing a future per-transport rate delay.
14280
14281
14282
14283
14284
14285
14286
14287
14288
14289
14290
14291
14292
14293
14294
14295
14296
14297
14298
14299
14300
14301
14302
14303
14304
14305
14306
14307
14308
14309
14310
20080125
Bugfix (introduced 20071216): missing {} in the LDAP client
broke OpenLDAP TLS. The setting tls_require_cert=no was
further broken because Postfix used OpenLDAP incorrectly.
Victor Duchovni. This broke tls_require_cert=no File:
global/dict_ldap.c.
20080130
Bugfix (introduced 20071204): wrong proxywrite process limit
in the default master.cf file. File: conf/master.cf.
20080201
Workaround: pick up a missing data_directory setting from
main.cf when "postfix start" is invoked with an obsolete
postfix command. File: conf/post-install.
20080207
Cleanup: soft_bounce support for multi-line Milter replies.
File: src/milter/milter8.c.
Cleanup: preserve multi-line format of header/body Milter
replies. Files: cleanup/cleanup_milter.c, smtpd/smtpd.c.
Cleanup: multi-line support in SMTP server replies. File:
smtpd/smtpd_chat.c.
14311
14312
14313
14314
14315
14316
14317
14318
14319
14320
14321
14322
14323
14324
14325
14326
14327
14328
14329
14330
14331
14332
14333
14334
14335
14336
14337
14338
14339
14340
14341
14342
14343
14344
14345
14346
14347
14348
14349
14350
14351
14352
14353
14354
14355
14356
14357
14358
14359
14360
14361
14362
14363
14364
14365
14366
14367
14368
14369
14370
14371
14372
14373
14374
14375
14376
14377
14378
14379
20080215
Safety: break SASL loop in case both the SASL library and
the remote SMTP server are confused. File: smtp/smtp_sasl_glue.c.
20080220
Safety: the master daemon now sets an exclusive lock on a
file $data_directory/master.lock, so that the data directory
can't be shared between multiple Postfix instances. This
would corrupt files that rely on single-writer updates
(examples: verify(8) cache, tlsmgr(8) caches, etc.). File:
master/master.c.
20080228
Bugfix: bounce(8) segfault on one-line template text.
Problem found by Sacha Chlytor. File: bounce/bounce_template.c.
20080310
Safety: the SMTP server's Dovecot authentication client now
enforces the SASL mechanism output filter also on client
command input. File: src/xsasl/xsasl_dovecot_server.c.
20080311
Bugfix (introduced 20070811): the MAIL and RCPT Milter
application call-backs no longer received {mail_addr} or
{rcpt_addr} information. Problem reported by Anton Yuzhaninov.
File: smtpd/smtpd.c.
20080318
Human factors: the PCRE and regexp maps now give more
comprehensible error messages when people make the common
mistake of indenting if/endif blocks. Files: util/dict_pcre.c,
util/dict_regexp.c.
20080411
Bugfix (introduced Postfix 2.0): after "warn_if_reject
reject_unlisted_recipient/sender", the SMTP server mistakenly
remembered that recipient/sender validation was already
done. File: smtpd/smtpd_check.c.
Bugfix (introduced Postfix 2.3): the queue manager would
initialize missing client logging attributes (from xforward)
with real client attributes. Fix: enable this backwards
compatibility feature only with queue files that don't
contain logging attributes. Problem reported by Liviu Daia.
Files *qmgr/qmgr_message.c.
20080424
Cleanup: some warning messages said "regexp" or "regexp
map" instead of "pcre map". File: util/dict_pcre.c.
20080428
Cleanup: the proxy_read_maps (Postfix 2.0) default setting
was not updated when adding sender/recipient_bcc_maps
(Postfix 2.1) and smtp/lmtp_generic_maps (Postfix 2.3).
File: global/mail_params.h.
Cleanup: the SMTP server's XFORWARD and XCLIENT support was
not updated when the smtpd_client_port_logging configuration
parameter was added. Code by Victor Duchovni. Files:
smtpd/smtpd.c, smtpd/smtpd_peer.c.
14380
14381
14382
14383
14384
14385
14386
14387
14388
14389
14390
14391
14392
14393
14394
14395
14396
14397
14398
14399
14400
14401
14402
14403
14404
14405
14406
14407
14408
14409
14410
14411
14412
14413
20080509
Bugfix: null-terminate CN comment string after sanitization.
File: smtpd/smtpd.c.
20080603
Workaround: avoid "bad address pattern" errors with non-address
patterns in namadr_list_match() calls. File: util/match_ops.c.
20080620
Bugfix (introduced 20080207): "cleanup -v" panic because
the new "SMTP reply" request flag did not have a printable
name. File: global/cleanup_strflags.c.
Cleanup: using "Before-queue content filter", RFC3848
information was not added to the headers. Carlos Velasco.
File smtpd/smtpd.c.
20080717
Cleanup: a poorly-implemented integer overflow check for
TCP MSS calculation had the unexpected effect that people
broke Postfix on LP64 systems while attempting to silence
a compiler warning. File: util/vstream_tweak.c.
20080725
Paranoia: defer delivery when a mailbox file is not owned
by the recipient. Requested by Sebastian Krahmer, SuSE.
Specify "strict_mailbox_ownership=no" to ignore ownership
discrepancies. Files: local/mailbox.c, virtual/mailbox.c.
14414
14415
14416
14417
14418
14419
14420
14421
14422
14423
14424
14425
14426
14427
14428
14429
14430
14431
14432
20080804
Bugfix: dangling pointer in vstring_sprintf_prepend().
File: util/vstring.c.
20080814
Security: some systems have changed their link() semantics,
and will hardlink a symlink, contrary to POSIX and XPG4.
Sebastian Krahmer, SuSE. File: util/safe_open.c.
The solution introduces the following incompatible change:
when the target of mail delivery is a symlink, the parent
directory of that symlink must now be writable by root only
(in addition to the already existing requirement that the
symlink itself is owned by root). This change will break
legitimate configurations that deliver mail to a symbolic
link in a directory with less restrictive permissions.
20080826
Bugfix (introduced Postfix 2.4): epoll file descriptor leak.
With Postfix >= 2.4 on Linux >= 2.6, Postfix has an epoll
file descriptor leak when it executes non-Postfix commands
in, for example, user-controlled $HOME/.forward files. A
local user can access a leaked epoll file descriptor to
implement a denial of service attack on Postfix. Data
confidentiality and integrity are not affected. File:
util/events.c.