Newer
Older
Cleanup: show the remote SMTP server port in verbose logging,
warnings and postmaster notices. Still don't show the port
in delivery status notifications. Files: smtp/smtp_chat.c,
smtp/smtp_sasl_glue.c, smtp/smtp_sasl_proto.c.
The "tls_require_cert" is now compatible with OpenLDAP 2.1
and later. Victor Duchovni. Files: proto/ldap_table,
global/dict_ldap.c.
Cleanup: removed the "#ifdef USE_LIBMILTER_INCLUDES"
dependencies on system-installed Milter protocol include
files. Verified that the object code has not changed. File:
milter/milter8.c.
Sanity check: idiot filter to detect attempts to use the
same database file for different TLS session caches. File:
tlsmgr/tlsmgr.c.
Cleanup: updated the spell check stoplist and the spell
check script. Files: mantools/spell, proto/stop.
Cleanup: replaced documentation references to xxgdb by ddd.
The xxgdb program hasn't been updated in more than 10 years.
Files: proto/postconf.proto, conf/main.cf.
Feature: support for all new Sendmail 8.14 Milter features
except SMFIR_SKIP (skip further events of this type),
SMFIP_RCPT_REJ (report rejected recipients to the mail
filter), SMFIR_CHGFROM (replace sender, with optional ESMTP
command parameters), and SMFIR_ADDRCPT_PAR (add recipient,
with optional ESMTP command parameters). Files: milter/milters.c,
milter/milter8.c, milter/test-milter.c, cleanup/cleanup_milter.c.
Feature: support for Sendmail 8.14 Milter SMFIR_SKIP (skip
further events of this type). Files: milter/milter8.c,
milter/test-milter.c.
Cleanup: don't try sending HELO after a 421 EHLO reply.
File: smtp/smtp_proto.c.
14050
14051
14052
14053
14054
14055
14056
14057
14058
14059
14060
14061
14062
14063
14064
14065
14066
14067
14068
14069
14070
14071
14072
14073
14074
14075
14076
14077
14078
14079
14080
14081
14082
14083
14084
14085
14086
14087
14088
14089
14090
14091
14092
14093
14094
20071221-nonprod
Using 20071221 as reference point.
Cleanup: Simplified TLS library cipher and protocol API to
just pass string-valued properties to tls_client_init() and
tls_client_start(). The client is now agnostic of the
mechanics of cipher management internal to the library. The
main.cf parameters used internally in the library are now
loaded by the library, not the caller. Files:
src/smtp/lmtp_params.c, src/smtp/smtp.c, src/smtp/smtp.h,
src/smtp/smtp_params.c, src/smtp/smtp_proto.c,
src/smtp/smtp_session.c, src/smtpd/smtpd.c, src/tls/tls.h,
src/tls/tls_client.c, src/tls/tls_level.c, src/tls/tls_misc.c,
src/tls/tls_server.c, src/tls/tls_session.c, src/tls/tls_verify.c
and src/tlsmgr/tlsmgr.c
Cleanup: Client session lookup key "salting" is now handled
internally in the tls library. Files: src/tls/tls_client.c
Cleanup: Cipher state is cached, and only updated when
necessary. Files: src/tls/tls_misc.c
Feature: Extended the syntax of protocol selection to allow
exclusions as well as inclusions. Files: src/tls/tls_misc.c
Cleanup: Updated default verification depth to match reality:
default is 9 in OpenSSL and we don't yet override it. When
we do (soon), the default will match previous behavior.
Files: src/global/mail_params.h
Bugfix: Reference to obsolete "pfixtls" code won't compile
inside #ifdef for OpenSSL <= 0.9.5a. Using an OpenSSL release
that old has not been tested for some time, but may now
work. Files: src/tls/tls_bio_ops.c.
Replaced "void *" TLS library application handles by explicit
pointer types, while hiding data structure implementation
details from the TLS library users. Files: tls/tls_client.c,
tls/tls_server.c, smtp/smtp.c, smtpd/smtpd.c.
The TLS library no longer modifies VSTRINGs passed in by
the caller. Where possible, information is passed as "const"
from application to library. Files: smtp/smtp_proto.c,
tls/tls_client.c.
Replaced explicit initialization of props structures by
emulating function calls with named parameter lists. Files:
tls/tls.h, smtp/smtp.c, smtp/smtp_proto.c, smtpd/smtpd.c.
Further polishing of the Milter code and logging. File:
milter/milter8.c.
Further polishing of the Milter code. With SETSYMLIST, each
Milter can now update its own macros instead of clobbering
the global copy that is shared with other Milters. Also an
opportunity to clean up some ad-hoc code for sending macro
lists from smtpd(8) to cleanup(8). Files: milter/milter.c,
milter/milter8.c, milter/milter_macros.c.
Further polishing of the Milter code. Eliminated unnecessary
steps from the initial smtpd/cleanup Milter handshake. Files:
milter/milter.c, milter/milter8.c, milter/milter_macros.c.
Cleanup: name_code(3) and name_mask(3) now support read-only
tables. Files: util/name_code.[hc], util/name_mask.[hc].
Cleanup: further refinements of the Milter code, allowing
for multiple macro overrides. The code is now ready for
serious testing. File: milter/milter8.c.
Bugfix: the Milter client did not replace the Postfix-specific
form for unknown host names by the Sendmail-specific form.
Cleanup: when a cleanup milter reports a problem don't log
generic "4.3.0 Sevice unavailable", but log the text for
the actual error. File: cleanup/cleanup_milter.c.
SMTP client fingerprint security level support and configurable
fingerprint digest algorithm. Victor Duchovni. Files:
smtp/lmtp_params.c, smtp/smtp.c, smtp/smtp.h,
src/smtp/smtp_params.c, src/smtp/smtp_proto.c,
src/smtp/smtp_session.c, tls/tls_client.c, tls/tls_level.c,
tls/tls_verify.c.
Missed "invalid TLS configuration" patch for SMTP client.
Victor Duchovni. File: smtp/smtp_proto.c.
SMTP server configurable fingerprint digest algorithm.
Victor Duchovni. Files: smtpd/smtpd.c, tls/tls.h,
tls/tls_server.c, tls/tls_verify.c.
Cleanup: finally implemented certificate verification depth
limit parameters. Prior to Postfix 2.5 these were ignored.
For backwards compatibility, the default verification depth
limit is now 9, the OpenSSL default. Victor Duchovni. Files:
src/tls/tls_client.c, src/tls/tls_server.c, src/tls/tls_verify.c.
Robustness: Avoid possibility of NULL pointer issues in
application code that checks certificate names, by providing
"empty string" values when no data is available. Victor
Duchovni. Files: src/tls/tls_verify.c, src/tls/tls_client.c,
src/tls/tls_server.c, src/smtpd/smtpd_check.c, src/smtpd/smtpd.c.
Cleanup: separation of TLS handshake from security level
enforcement. The library shakes hands; the application
decides if the resulting security is acceptable. Victor
Duchovni. Files: smtpd/smtpd.c, smtpd/smtpd_proto.c,
tls/tls_server.c, tls/tls_client.c, tls/tls_verify.c.
Robustness: more robust processing of ASN.1 string attributes
in x509v3 certificates, plus additional sanity checks (e.g.
embedded null characters). Victor Duchovni. File:
src/tls/tls_verify.c.
Workaround: minor change to the Dovecot AUTH request to
prevent dovecot-auth memory wastage. Timo Sirainen. File:
xsasl/xsasl_dovecot_server.c.
Cleanup: renamed TLS-related symbols for consistency (always
include the init, start, stop prefix in the TLS library
function and data structure names; consistently distinguish
between per-application TLS state and per-session TLS state;
consistently use the fpt prefix for fingerprint related
variables and structure members; consistent use of monocase
typedef-ed names).
Cleanup: consistent use of <pre> and <blockquote> in examples;
instead of emphasizing new Postfix 2.5 behavior in reference
documentation, describe the new behavior as "current", with
historical behavior as a supplemental note.
Feature: new "pass" service type (in addition to "inet",
"unix" and "fifo"). The "pass" service type supports
front-end daemons that accept all inbound connections and
that permit only well-behaved clients to talk to the MTA.
This service type had been sitting in the master daemon for
years but was disabled by default. Actual applications for
this will have to be developed later. Files: util/upass_connect.c,
util/upass_trigger.c.
Cleanup: where possible, store data structures in read-only
memory. Besides the security advantage of no write access,
this also gives slightly better memory utilization when
many processes execute the same file. Files: pretty much
everything that has a static table, except for a few tables
in the benchmark tools with flags that are controlled by
command-line information.
Cleanup: more read-only data. Files: everything that passes
around a HEADER_OPTS pointer.
Safety: optional lookup table to prevent the Postfix SMTP
client from making repeated SASL login failures with the
same hostname, username and password. This introduces new
parameters: smtp_sasl_auth_cache_name, smtp_sasl_auth_cache_time.
Based on code by Keean Schupke. Files: smtp/smtp_sasl_glue.c,
smtp/smtp_sasl_auth_cache.c.
Safety: the Postfix SMTP client now by default defers mail
after the server rejects a SASL login attempt with a 535
status code. Specify "smtp_sasl_auth_soft_bounce = no" to
get the earlier behavior. Based on code by Keean Schupke.
Files: smtp/smtp_sasl_glue.c.
Safety: the smtpd_client_new_tls_session_rate_limit setting
now also limits the number of failed TLS handshakes. This
limits the impact of broken configurations. File: smtpd/smtpd.c.
Bugfix (introduced 20080112): Patrik Rak found two bugs
that largely canceled each other out, causing Postfix not
to complain about a missing "proxy:" prefix with the new
smtp_sasl_auth_cache_name parameter setting. File:
smtp/smtp_sasl_glue.c.
Documentation: new SOHO_README file for small/home offices.
The text is automatically generated from bits and pieces of
information that are scattered across other documents.
File: mantools/make_soho_readme.
Bugfix (introduced 20080112): missing #ifdef for the SASL
login failure cache. File: smtp/smtp_sasl_auth_cache.h.
Name fix: renamed the mumble_delivery_rate_delay parameter
to mumble_destination_rate_delay, because it really is a
per-destination feature. With this change we keep the option
of implementing a future per-transport rate delay.
20080125
Bugfix (introduced 20071216): missing {} in the LDAP client
broke OpenLDAP TLS. The setting tls_require_cert=no was
further broken because Postfix used OpenLDAP incorrectly.
Victor Duchovni. This broke tls_require_cert=no File:
global/dict_ldap.c.
20080126
Cleanup: the post-install script now requires that it is
invoked via the postfix(1) command. This was the intended
use since Postfix 2.1, but it was never enforced. The
documentation for package maintainers has been updated
accordingly. File: conf/post-install.
20080130
Bugfix (introduced 20071204): wrong proxywrite process limit
in the default master.cf file. File: conf/master.cf.
20080131
Bugfix (introduced 20080126): the new "do not execute
directly" test in post-install got broken during code
cleanup. File: conf/post-install.
Workaround: undo the changes that require that post-install
is invoked via the postfix command, because this breaks
when "postfix start" is invoked with an obsolete postfix
command that doesn't export the new data_directory parameter.
Workaround: pick up a missing data_directory setting from
main.cf when "postfix start" is invoked with an obsolete
postfix command. File: conf/post-install.
20080207
Cleanup: soft_bounce support for multi-line Milter replies.
File: src/milter/milter8.c.
Cleanup: preserve multi-line format of header/body Milter
replies. Files: cleanup/cleanup_milter.c, smtpd/smtpd.c.
Cleanup: multi-line support in SMTP server replies. File:
smtpd/smtpd_chat.c.
SAFETY: postfix-script, postfix-files and post-install are
moved away from /etc/postfix to $daemon_directory. There
were too many accidents where people clobbered these files
with versions from an older Postfix release and ended up
with an unusable Postfix setup. Files: postfix-install,
Makefile.in, postfix/postfix.c, conf/postfix-files,
conf/postfix-script, conf/post-install.
20080212
Feature: check_reverse_client_hostname_access, to make
access decisions based on the unverified client hostname.
For safety reasons an OK result is not allowed. Noel Jones.
Files: smtpd/smtpd_check.c plus header files and documentation.
20080215
Safety: break SASL loop in case both the SASL library and
the remote SMTP server are confused. File: smtp/smtp_sasl_glue.c.
20080220
Safety: the master daemon now sets an exclusive lock on a
file $data_directory/master.lock, so that the data directory
can't be shared between multiple Postfix instances. This
would corrupt files that rely on single-writer updates
(examples: verify(8) cache, tlsmgr(8) caches, etc.). File:
master/master.c.
20080226
Cleanup: the postfix command did not set argv[0] to a sane
value when invoking postfix-script. Reported by Victor
Duchovni. File: postfix/postfix.c.
14363
14364
14365
14366
14367
14368
14369
14370
14371
14372
14373
14374
14375
14376
14377
14378
14379
14380
20080228
Bugfix: bounce(8) segfault on one-line template text.
Problem found by Sacha Chlytor. File: bounce/bounce_template.c.
20080310
Safety: the SMTP server's Dovecot authentication client now
enforces the SASL mechanism output filter also on client
command input. File: src/xsasl/xsasl_dovecot_server.c.
20080311
Bugfix (introduced 20070811): the MAIL and RCPT Milter
application call-backs no longer received {mail_addr} or
{rcpt_addr} information. Problem reported by Anton Yuzhaninov.
File: smtpd/smtpd.c.
Bugfix (introduced 20080207): "cleanup -v" panic because
the new "SMTP reply" request flag did not have a printable
name. File: global/cleanup_strflags.c.
20080318
Human factors: the PCRE and regexp maps now give more
comprehensible error messages when people make the common
mistake of indenting if/endif blocks. Files: util/dict_pcre.c,
util/dict_regexp.c.
20080324
Cleanup: the event_drain() function is now a proper event
processing loop. File: util/events.c
Feature: when the "postmap -q -" command reads lookup keys
from standard input, it now understands RFC822 and MIME
message format. Specify -h or -b to use headers or body
lines as lookup keys, and specify -hm or -bm to simulate
header_checks or body_checks. The postmap -h option (without
-m) will be compatible with a future postcat -h option.
File: postmap/postmap.c.
14405
14406
14407
14408
14409
14410
14411
14412
14413
14414
14415
14416
14417
14418
14419
14420
14421
14422
14423
20080411
Bugfix (introduced Postfix 2.0): after "warn_if_reject
reject_unlisted_recipient/sender", the SMTP server mistakenly
remembered that recipient/sender validation was already
done. File: smtpd/smtpd_check.c.
Bugfix (introduced Postfix 2.3): the queue manager would
initialize missing client logging attributes (from xforward)
with real client attributes. Fix: enable this backwards
compatibility feature only with queue files that don't
contain logging attributes. Problem reported by Liviu Daia.
Files *qmgr/qmgr_message.c.
20080424
Cleanup: some warning messages said "regexp" or "regexp
map" instead of "pcre map". File: util/dict_pcre.c.
20080426
Feature: finer control over address verification error
handling and amount of information disclosed in the SMTP
reject message. Parameters: unverified_recipient_defer_code,
unverified_recipient_reject_reason, unverified_sender_defer_code,
unverified_sender_reject_reason. If I don't do this properly,
then someone will do it anyway. File: src/smtpd/smtpd_check.c.
20080428
Cleanup: the proxy_read_maps (Postfix 2.0) default setting
was not updated when adding sender/recipient_bcc_maps
(Postfix 2.1) and smtp/lmtp_generic_maps (Postfix 2.3).
File: global/mail_params.h.
Cleanup: the SMTP server's XFORWARD and XCLIENT support was
not updated when the smtpd_client_port_logging configuration
parameter was added. Code by Victor Duchovni. Files:
smtpd/smtpd.c, smtpd/smtpd_peer.c.
20080508
Cleanup: delivery status notifications now prepend a
Return-Path: message header to the returned message.
File: bounce/bounce_notify_util.c.
20080509
Bugfix: null-terminate CN comment string after sanitization.
File: smtpd/smtpd.c.
14456
14457
14458
14459
14460
14461
14462
14463
14464
14465
14466
14467
14468
14469
14470
14471
14472
14473
14474
14475
14476
14477
14478
14479
20080510
Cleanup: when extracting peer and issuer common name from
TLS certificates, convert the result into UTF-8, and use
RFC 2047 encoding when logging these as Received: header
comment fields. Based remotely on code by Victor Duchovni.
Files: smtpd/smtpd.c, tls/tls_verify.c.
20080511
Cleanup: the RFC 2047 encoding of RFC*822 comments is too
problematic. The text that explains the problems is as
long as the code itself. That is usually a good indication
that code is not ready for use. File: smtpd/smtpd.c.
Cleanup: block non-printable ASCII text in UTF8 encoded TLS
peer and issuer common names. File: tls/tls_verify.c.
20080602
Workaround: avoid watchdog timeout in the local pickup
daemon when the cleanup server expands a very large virtual
alias list. Files: master/trigger_server.c, pickup/pickup.c.
20080603
Workaround: avoid "bad address pattern" errors with non-address
patterns in namadr_list_match() calls. File: util/match_ops.c.
Feature: print fsstone elapsed time with sub-second time
resolution. Kenji Kikuchi. File: fsstone/fsstone.c.
Bitrot: "make test" was broken due to recent changes in
code and due to recent changes at mail-abuse.org.
20080618
Add a note to SMTP session transcript email messages that
other details may be found in the maillog file. Files:
smtpd/smtpd_chat.c, smtp/smtp_chat.c.
20080620
Cleanup: with the "Before-queue content filter", RFC3848
information was not added to the headers. Carlos Velasco.
File smtpd/smtpd.c.
14505
14506
14507
14508
14509
14510
14511
14512
14513
14514
14515
14516
14517
14518
14519
14520
14521
14522
14523
14524
14525
14526
14527
14528
14529
14530
14531
20080621
Cleanup: include unread byte count in the SMTP server's "lost
connection after DATA (xx bytes)" logging. Files: smtpd/smtpd.c.
20080629
Bugfix (introduced Postfix 2.2): multiple inconsistencies
in SASL support after introduction of TLS. The Postfix
SMTP server 1) complained about plain-text SASL configuration
details when SASL was forbidden for plain-text sessions,
and 2) ignored the smtpd_tls_auth_only parameter setting
when built without TLS support. Files: smtpd/smtpd.c,
smtpd/smtpd_check.c, smtpd/smtpd_sasl_glue.[hc],
smtpd/smtpd_state.c.
Some clarification about recipient address versus domain,
and recipients per message versus session. File:
proto/postconf.proto.
The description of SASL authentication attributes was
garbled. File: pipe/pipe.c.
Information: the master(8) server now logs the version
besides the configuration directory upon "postfix reload".
File: master/master.c.
20080717
Cleanup: a poorly-implemented integer overflow check for
TCP MSS calculation had the unexpected effect that people
broke Postfix on LP64 systems while attempting to silence
a compiler warning. File: util/vstream_tweak.c.
20080721
The cleanup server now rejects undisclosed_recipients_header
parameter values with invalid message header syntax.
File: cleanup/cleanup_message.c.
20080725
Paranoia: defer delivery when a mailbox file is not owned
by the recipient. Sebastian Krahmer, SuSE. Files:
local/mailbox.c, virtual/mailbox.c.
14550
14551
14552
14553
14554
14555
14556
14557
14558
14559
14560
14561
14562
14563
14564
14565
14566
14567
14568
20080804
Bugfix: dangling pointer in vstring_sprintf_prepend().
File: util/vstring.c.
20080814
Security: some systems have changed their link() semantics,
and will hardlink a symlink, contrary to POSIX and XPG4.
Sebastian Krahmer, SuSE. File: util/safe_open.c.
The solution introduces the following incompatible change:
when the target of mail delivery is a symlink, the parent
directory of that symlink must now be writable by root only
(in addition to the already existing requirement that the
symlink itself is owned by root). This change will break
legitimate configurations that deliver mail to a symbolic
link in a directory with less restrictive permissions.
14570
14571
14572
14573
14574
14575
14576
14577
14578
14579
14580
14581
14582
14583
14584
14585
14586
14587
14588
14589
14590
14591
14592
14593
14594
14595
14596
14597
14598
14599
14600
14601
14602
14603
14604
14605
14606
14607
14608
14609
14610
20080815
Feature: the milter_default_action parameter now accepts
the "quarantine" action. This works like "accept" but also
freezes the mail in the "hold" queue. File: milter/milter8.c.
Robustness: transition from setjmp()/longjmp() to the signal
mask saving/restoring versions sigsetjmp()/siglongjmp().
These functions have been around for 15 years, but they
have had bugs on supported platforms, so makedefs tests for
them. Files: makedefs, util/sys_defs.h, util/vstream.h.
20080822
Cleanup: the proxymap_service_name and proxywrite_service_name
parameters make the proxymap service names configurable.
This paves the way for a future option where the proxymap
services are accessible via TCP so that they can be shared
among multiple Postfix hosts. File: global/dict_proxy.c.
Feature: MacOS X support for kqueue style event handling,
with workaround for broken MacOS X versions. Files:
util/sys_defs.h, makedefs.
Cleanup: the makedefs script now keeps its test programs
in a directory makedefs.d, instead of inlining them as
fragile "here documents". Files: makedefs, makedefs.d/*.
20080823
Feature: IPv6 dns blocklist lookup. File: smtpd/smtpd_check.c.
20080824
Cleanup: untangled the MacOS X version dependent sections
in the makedefs script, to make future updates easier. File:
makedefs.
Cleanup: don't log multiple Milter "hold" actions for the
same email message. File: cleanup/cleanup_milter.c.
Cleanup: moving test programs from makedefs into a makedefs.d
directory brought more pain than gain.
Cleanup: untangled the Linux version dependent sections in
the makedefs script, to make future updates easier. File:
makedefs.
Documentation: MacOS process limit configuration by Quanah
Gibson-Mount. File: proto/TUNING_README.html.
Feature: smtp-sink -M option to terminate after receiving
a specified number of messages. Laurent Gentil. File:
smtpstone/smtp-sink.c.
Bugfix (introduced Postfix 2.4): epoll file descriptor leak.
With Postfix >= 2.4 on Linux >= 2.6, Postfix has an epoll
file descriptor leak when it executes non-Postfix commands
in, for example, user-controlled $HOME/.forward files. A
local user can access a leaked epoll file descriptor to
implement a denial of service attack on Postfix. Data
confidentiality and integrity are not affected. File:
util/events.c.
14636
14637
14638
14639
14640
14641
14642
14643
14644
14645
14646
14647
14648
14649
14650
14651
14652
14653
14654
14655
14656
14657
14658
14659
14660
14661
14662
14663
14664
14665
14666
14667
14668
14669
14670
14671
14672
14673
14674
14675
14676
14677
14678
14679
14680
14681
14682
14683
14684
14685
14686
14687
14688
14689
14690
14691
14692
14693
14694
14695
14696
14697
14698
14699
14700
14701
14702
14703
14704
14705
14706
14707
14708
14709
14710
14711
14712
14713
14714
14715
14716
14717
14718
14719
14720
14721
14722
14723
14724
14725
14726
14727
14728
14729
14730
14731
14732
14733
14734
20080903
Don't enable kqueue (which requires poll) support on
MacOS X. File: makedefs.
Cleanup: remove obsolete Rhapsody and MacOS targets from
makedefs.
20080929
Workaround: don't log "file has 2 links" warnings when the
condition appears to be temporary. As kernels have evolved
from non-interruptible system calls towards fine-grained
locks, the showq command has become likely to observe a
file while the queue manager is in the middle of a rename
operation, when the file has links to both the old and new
name. File: global/mail_open_ok.c.
Workaround: don't loop forever when write() fails with a
persistent EAGAIN error on a writable file descriptor.
File: util/write_buf.c.
20081003
Bugfix (introduced Postfix 2.1): when XFORWARD support was
introduced with Postfix 2.1, the specification failed to
clearly distinguish between missing and non-existent client
information. This ambiguity affected the implementation:
in $name expansions by delivery agents, unknown client
hostnames could became empty strings (as if a submission
was local), and local submissions could appear to originate
from an SMTP-based content filter. This was fixed with a
a minor semantic change to the XFORWARD protocol. Files:
smtpd/smtpd.c, qmqpd/qmqpd.c, smtp/smtp_proto.c,
cleanup/cleanup_envelope.c, proto/XFORWARD.html. Note: the
changes to propagate local submission details were undone
20082012.
Feature: a DUNNO lookup result in per_sender_relayhost_maps
stops the search without replacing the next-hop destination.
File: trivial-rewrite/resolve.c.
20081005
Bugfix: further refinements to the handling of missing or
non-existent remote client attributes. Files: smtpd/smtpd.c,
smtpd/smtpd.h.
Documentation: the XFORWARD specification of the ADDR
attribute did not agree with the actual on-the-wire protocol.
Since we can't change already existing deployments, the
spec has been updated. File: proto/XFORWARD_README.html.
20081006
Bugfix: further refinements to the handling of remote client
attributes. Introduced a dummy "we have forwarded client
info" record, to eliminate the need for the backwards
incompatible queue file change that was introduced 20081003.
Files: smtpd/smtpd.c, cleanup/cleanup_envelope.c,
*qmgr/qmgr_message.c.
Security: hardened the proxymap client, in case it ever
ends up in a set-gid program. File: global/dict_proxy.c.
20081007
Workaround: undo the proxymap client change. It broke
chrooted servers when they attempted to reconnect to the
proxy read/write service. File: global/dict_proxy.c.
20081008
Safety: added checks that $queue_directory/pid is owned by
root, and that $queue_directory/saved is owned by $mail_owner.
File: conf/postfix-script.
20081010
Feature: controls for opportunistic TLS protocols and
ciphers. The smtp_tls_protocols, smtp_tls_ciphers, and
equivalent parameters for lmtp and smtpd provide global
settings; the SMTP client TLS policy table provides ciphers
and protocols settings for specific peers. Code by Victor
Duchovni. Files: smtp/smtp.c, smtp/smtp_session.c, smtpd/smtpd.c
and documentation.
20081012
Cleanup: simplify the 20081003 changes and don't try to
propagate local submission information through XFORWARD.
Files: smtpd/smtpd.c, qmqpd/qmqpd.c, smtp/smtp_proto.c,
cleanup/cleanup_envelope.c, proto/XFORWARD.html.
20081015
Bugfix: GLIBC API version detection. Rob Foehl. File:
util/sys_defs.h.
20081022
Documentation: removed inapplicable daemon_timeout reference
from qmgr(8), oqmgr(8), pickup(8). These daemons need to
use a much shorter watchdog timer.
20081108
Feature: smtp_sasl_tls_verified_security_options is no
longer #ifdef SNAPSHOT.
Feature: elliptic curve support. This requires OpenSSL
version 0.9.9 or later. Victor Duchovni. Files: TLS_README,
smtpd/smtpd.c, smtp/smtp.c, tls/tls_dh.c, tls/tls_certkey.c,
tls/tls_server.c, tls/tls_client.c, tls/tls.h, tls/tls_misc.c.
Bugfix (introduced Postfix 2.5): the Postfix SMTP server
did not ask for a client certificate with "smtpd_tls_req_ccert
= yes". Reported by Rob Foehl. File: smtpd/smtpd.c.
20081109
Cleanup: confusing names of variables. File: smtpd/smtpd.c.
20081126
Documentation: pcre_table(5) incorrectly claimed that the
'x' flag supports #comment after text. File: proto/pcre_table.
20081202
Cleanup: vstream_bufstat() provides a more systematic
approach to get information about VSTREAM buffers. The
vstream_peek() function is now a backwards compatibility
wrapper. Files: util/vstream.[hc].
Cleanup: the SMTP server should warn about "lost connection
after QUIT" only when the "." reply was pipelined together
with the "QUIT" reply. File: smtpd/smtpd.c.
Cleanup: the SMTP client's code was duplicating buffer
management that was already done in the VSTREAM module.
File: smtp/smtp_proto.c.
20081203
Cleanup: adjust the VSTREAM buffer strategy when reusing
an SMTP connection with a large TCP MSS value. File:
smtp/smtp_reuse.c.
14785
14786
14787
14788
14789
14790
14791
14792
14793
14794
14795
14796
14797
14798
14799
14800
14801
14802
14803
14804
14805
14806
14807
20081204
Cleanup: state the SMTP client PIPELINING implementation's
dependency on monotonic VSTREAM buffer size behavior, and
add some checks for boundary cases with VSTREAM buffer size
change requests. Files: util/vstream.c, smtp/smtp_proto.c.
20081205
Fix 20081202 flush code. Victor Duchovni. File: smtpd/smtpd.c.
Safety: add another check to "postfix check", in this case
for group or other writable queue_directory. File:
conf/postfix-script.
20081217
Debugging: ad-hoc code to log the TLS error stack after
VSTREAM read/write error. File: tls/tls_bio_ops.c. In a
better implementation, each I/O "object" would provide an
optional error reporting method (besides timed_read and
timed_write) that could be queried via the vstream module.
20081222
Documentation: log the "*" pattern as the last transport
map lookup. File: proto/transport.
Documentation: rewrote NFS_README, to clarify the support
status of Postfix and NFS, and to describe the NFS workarounds
that Postfix actually implements.
Feature: "postconf -# parametername ..." to comment out
named parameter entries. Victor Duchovni. File:
postconf/postconf.c.
14825
14826
14827
14828
14829
14830
14831
14832
14833
14834
14835
14836
14837
14838
14839
14840
14841
14842
14843
14844
14845
14846
14847
14848
14849
14850
14851
20090107
Library: edit_file(3) module for cooperative editing of a
file. Inspired by the postconf command, this creates a new
version under a deterministic temporary name and renames
it into place. The implementation uses an open/lock/stat
protocol before updating the new file, and rename/unlock/close
afterwards. Based on pieces of code by Victor Duchovni,
with minor improvements by Wietse. Files: util/edit_file.[hc].
Cleanup: the postconf command now uses the edit_file(3)
module to manage collisions when multiple processes attempt
to update the main.cf file.
20090108
Feature: master_service_disable parameter (default: empty)
to easily turn off/on master.cf services by type or by name
and type. For example, to turn off the main SMTP listener
use "master_service_disable = smtp.inet", and to turn off
all TCP/IP listeners use "master_service_disable = inet".
This immediately terminates all processes that provide the
specified services. The master_service_disable feature does
not distinguish services by their privacy property; some
day, clients will not need to specify that anymore. Files:
global/mail_params.h, master/master.c, master/master_vars.c,
master/master_ent.c.
Bugfix (introduced May 19, 1997): removing a parameter
setting from main.cf did not reset the parameter to its
default value. This was a problem only in the master daemon.
Cleanup: "defer" action in access maps, and a corresponding
access_map_defer_code parameter. No idea what was behind
this omission. Files: global/mail_params.h, smtpd/smtpd.c,
smtpd/smtpd_check.c, proto/access.
Workaround: specify "tcp_windowsize = 65535" (or less) to
work around broken TCP window scaling implementations. This
is perhaps easier than collecting tcpdump output and tuning
kernel parameters by hand. See RELEASE_NOTES for how to
change this setting without stopping Postfix. Files:
util/inet_connect.c, inet_listen.c, global/mail_params.[hc].
Cleanup: create separate code modules for TCP window size
handling, master.cf service name matching, and main.cf
change monitoring. Files: util/inet_windowsize.c,
global/match_service.c, master/master_watch.c.
Feature: TCP window size override for the Postfix SMTP/LMTP
client, and for the smtp-source and smtp-sink test programs.
Files: smtp/smtp_connect.c, smtpstone/smtp-source.c,
smtpstone/smtp-sink.c.
Bugfix: VERP now uses the Postfix original recipient, if
available, because that is what the VERP consumer expects.
Files: *qmgr/qmgr_deliver.c, bounce/bounce_notify_verp.c.
Safety: extra check for broken third-party patches that
allow file size limit < message size limit. This can cause
mail to be stuck in the queue forever.
Invisible change, in preparation for multi-instance support.
Except for main.cf and master.cf, all files are optional
for non-default Postfix configuration directories. File:
conf/postfix-files.
Cleanup: rewrote the 20090114 VERP bugfix, to replace code
that "works" by code that is "right". Files: *qmgr/qmgr_deliver.c,
bounce/bounce_notify_verp.c, global/verp_sender.c.
Documentation: some URLs to enable/disable client-side TLS
jumped into the middle of an enumeration. File:
proto/TLS_README.html.
Feature: multi-instance manager plug-in API. A sample
multi-instance manager with instructions is available as
$daemon_directory/postfix-wrapper. The plug-in API itself
is described in postfix-wrapper(5). Files: postfix/postfix.c,
global/mail_params.[hc], proto/postfix-wrapper,
conf/postfix-wrapper, conf/postfix-script, conf/postfix-files.
Support to check/update shared files only in the context
of the default Postfix instance. Files: conf/post-install,
conf/postfix-script.
20090122
Refinements: the multi-instance manager always replaces
"start" by "check" when a Postfix instance is multi-instance
disabled, so that problems will still be reported; polish
documentation; delete unnecessary multi_instance_order
parameter. Files: conf/postfix-wrapper, proto/postfix-wrapper,
global/mail_params.[hc] and documentation.
Bugfix: the data_directory was not automatically created!
File: conf/postfix-files.
More little fixes in the "trivial but useful" postfix-wrapper
including instructions. It's ready for testing in the field.
File: conf/postfix-wrapper.
Documentation: more precise description of multi-instance
manager API, and minor edits of the example program. Files:
conf/postfix-wrapper, proto/postfix-wrapper.
Cleanup: enable multi-instance shared-file logic only when
the instance is listed in multi_instance_directories. Files:
conf/post-install, conf/postfix-script.
Feature: specify "reject_tempfail_action = defer" to
immediately defer a remote SMTP client request after a
reject-type restriction fails with a temporary error. Based
on code by Rob Foehl. File: smtpd/smtpd_check.c.
Feature: finer control of reject_tempfail_action with
unknown_address_tempfail_action, unverified_sender_tempfail_action
unverified_recipient_tempfail_action, and
unknown_helo_hostname_tempfail_action. See documentation
for details. File: smtpd/smtpd_check.c.
Workaround: pass the SMTP server socket's local and remote
peer address information to the Dovecot authentication server.
This is incomplete code: it ignores XCLIENT server address
overrides. File: xsasl/xsasl_dovecot_server.c.
Testing revealed that with mumble_tempfail_action=defer,
the "defer" action was ignored. Cause: the DEFER_IF_PERMIT[0-9]
macros lost the SMTPD_CHECK_REJECT result value. File:
smtpd/smtpd_check.c.
Feature: stress-dependent smtpd_timeout (normal: 300s,
overload: 10s), smtpd_hard_error_limit (normal: 20, overload:
1) and smtpd_junk_command_limit (normal: 100, overload: 1).
Files: global/mail_params.h, global/mail_conf_nint.c,
master/*_server.c, smtpd/smtpd.c.
Fine tuning: don't enforce smtpd_junk_command_limit for
XCLIENT and XFORWARD commands. These commands can be issued
only by authorized clients. File: src/smtpd/smtpd.c.
Feature: the Postfix SMTP server hangs up after replying
with "521". This makes overload handling more effective.
See also RFC 1846. File: smtpd/smtpd.c.
Feature: postmulti mult-instance manager command, very
lightly tested. The MULTI_INSTANCE_README still needs to