Skip to content
HISTORY 677 KiB
Newer Older
Boris Mühmer's avatar
Boris Mühmer committed

	Documentation: in the discard(8) manpage, the reason is not
	a host or domain name. File: discard/discard.c.

20131025

	Documentation: specify the expected result format with
	"list" tables. File: proto/DATABASE_README.html.
Boris Mühmer's avatar
Boris Mühmer committed

20131026

	Future proofing: API changes in the PCRE library.  File:
	util/dict_pcre.c.

Boris Mühmer's avatar
Boris Mühmer committed
19015 19016 19017 19018 19019 19020 19021 19022 19023 19024 19025 19026 19027 19028 19029 19030 19031 19032 19033 19034 19035 19036 19037 19038 19039 19040 19041 19042 19043 19044 19045 19046 19047 19048 19049 19050 19051 19052 19053 19054 19055 19056 19057 19058 19059 19060 19061 19062 19063 19064 19065 19066 19067 19068 19069 19070 19071 19072 19073 19074 19075 19076 19077 19078 19079 19080 19081 19082 19083 19084 19085 19086 19087 19088 19089 19090 19091 19092 19093 19094 19095 19096 19097 19098 19099 19100 19101 19102 19103 19104 19105 19106 19107 19108 19109 19110 19111 19112 19113 19114 19115 19116 19117 19118 19119 19120 19121 19122 19123 19124 19125 19126 19127 19128 19129 19130 19131 19132 19133 19134 19135 19136 19137 19138 19139 19140 19141 19142 19143 19144 19145 19146 19147 19148 19149 19150 19151 19152 19153 19154 19155 19156 19157 19158 19159 19160 19161 19162 19163 19164 19165 19166 19167 19168 19169 19170 19171 19172 19173 19174 19175 19176 19177 19178 19179 19180 19181 19182 19183 19184 19185 19186 19187 19188 19189 19190 19191 19192 19193 19194 19195 19196 19197 19198 19199 19200 19201 19202 19203 19204 19205 19206 19207 19208 19209 19210 19211 19212 19213 19214 19215 19216 19217 19218 19219 19220 19221 19222 19223 19224 19225 19226 19227 19228 19229 19230 19231 19232 19233 19234 19235 19236 19237 19238 19239 19240 19241 19242 19243 19244 19245 19246 19247 19248 19249 19250 19251 19252 19253 19254 19255 19256 19257 19258 19259 19260 19261 19262 19263 19264 19265 19266 19267 19268 19269 19270 19271 19272 19273 19274 19275 19276 19277 19278 19279 19280 19281 19282 19283 19284 19285 19286 19287 19288 19289 19290 19291 19292 19293 19294 19295 19296 19297 19298 19299 19300 19301
20131028

	Feature: check_sasl_access to block hijacked logins.  Files:
	mantools/postlink, proto/postconf.proto, global/mail_params.h,
	smtpd/smtpd_check.c, smtpd/smtpd_dsn_fix.h.

20131029-31

	Cleanup: slmdb(3) simplified LMDB API that hides recoverable
	LMDB errors from applications so that they can focus on
	their own job. Files: util/slmdb.[hc].

	Cleanup: LMDB functionality restored, after elimination of
	1) world-writable lockfiles, 2) hard limits on the number
	of concurrent readers, and 3) hard-coded database file inode
	numbers in lockfiles that can prevent automatic crash
	recovery.  Files: proto/LMDB_README.html, proto/postconf.proto,
	mantools/postlink, util/dict_lmdb.c.

20131101

	Cleanup: restore ability to build without LMDB support;
	further slmdb API streamlining. Files: util/slmdb.[hc],
	util/dict_lmdb.c.

	Bugfix: uninitialized variable. File: util/slmdb.c.

	Documentation: added SASL_README example for check_sasl_access.
	File: proto/SASL_README.html.

20131102-3

	Security violation: by default, LMDB 0.9.9 writes uninitialized
	heap memory to a world-readable database file, as chunks
	of up to 4096 bytes.  This is a huge memory disclosure
	vulnerability: memory content that a program does not intend
	to share ends up in a world-readable file.  The content of
	uninitialized heap memory depends on program execution
	history. That history includes code execution in other
	libraries that are linked into the program.

	This is a problem whenever the user who writes the database
	file differs from the user who reads the database file. For
	example, a privileged writer and an unprivileged reader.
	In the case of Postfix, the postmap(1) and postalias(1)
	commands would leak uninitialized heap memory, as chunks
	of up to 4096 bytes, from a root-privileged process that
	writes to a database file, to unprivileged processes that
	read from that database file.

	To work around this problem the postmap(1) and postalias(1)
	commands disable the use of malloc() in LMDB. However, that
	does not address several disclosures of stack memory.  Other
	Postfix databases do not need this workaround: those databases
	are maintained by Postfix daemon processes, and are accessible
	only by the postfix user. File: util/dict_lmdb.c.

20131102-3

	Cleanup: expand TAB characters when generating documentation.
	This was primarily an issue with non-HTML output, but it does
	not hurt to do this also for HTML.  Files: proto/Makefile.in,
	proto/MULTI_INSTANCE_README.html.

20131104

	Feature: ${queue_id} macro support for the pipe(8) delivery
	agent by Andreas Schulze. File: pipe/pipe.c.

20131107

	Cleanup: after 16 years the SKIP() and TRIM() macros were
	triggering compiler warnings.  Files: global/mail_params.c,
	smtpstone/smtp-sink.c, util/mac_parse.c, util/split_nameval.c.

20131110

	Bugfix (introduced Oct 26 1997): don't clobber errno before
	expanding %m. File: util/vbuf_print.c.

20131114

	Cleanup: LMDB >= 0.9.10 does not need the MDB_WRITEMAP
	workaround to avoid heap memory information leaks.  File:
	util/dict_lmdb.c.

20131114

	Cleanup: Coverity found a harmless memory leak in the
	postconf master.cf parser.  Reported by Christos Zoulas,
	NetBSD.  File: postconf/postconf_master.c.

	Cleanup: graceful degradation after database open() error.
	Several instances of that code introduced a harmless memory
	leak, and Coverity complained about one of them (Christos
	Zoulas, NetBSD).  Instead of adding random code in random
	places, restructured dict_foo_open() routines with consistent
	code to dispose of memory or file handles. Files: dict_thash.c,
	dict_sockmap.c, dict_regexp.c, dict_pcre.c, dict_lmdb.c,
	dict_dbm.c, dict_cidr.c, dict_cdb.c.

	Cleanup: warning message after canonical/virtal/etc.
	table lookup error. Files: cleanup/cleanup_addr.c,
	cleanup/cleanup_map11.c, cleanup/cleanup_map1n.c,
	cleanup/cleanup_masquerade.c, cleanup/cleanup_message.c,
	cleanup/cleanup_milter.c.

20131116

	Feature: MySQL client support for option_file, option_group,
	tls_cert_file, tls_key_file, tls_CAfile, tls_CApath,
	tls_verify_cert. See mysql_table(5).  Code by Gareth Palmer.
	Files: proto/mysql_table, global/dict_mysql.c.

	Cleanup: DANE support. Keep the attributes of TA certificates
	obtained via "IN TLSA 2 0 X" RRs, while continuing to only
	use the key from "IN TLSA 2 1 X" RRs.  This means in the
	"2 0 X" case that we re-sign the TA certificate in place,
	rather than synthesize a vanilla cert around just the key.
	Viktor Dukhovni. File: tls/tls_dane.c.

	Bugfix: posttls-finger parsing of destination and optional
	match values. Viktor Dukhovni.  File:
	posttls-finger/posttls-finger.c.

	Cleanup: When wrap_signed is false (OpenSSL 1.0.2 some day),
	we don't have to sign trust anchors, and don't generate a
	key to do so.  Thus don't attempt to re-sign trust-anchor
	certificates (IN TLSA 2 0 X) in this case. Viktor Dukhovni.
	File: tls/tls_dane.c.

	Feature: configurable DANE digest algorithm priority. Use
	only the most-preferred, shared, digest algorithm for any
	give (usage, selector) combination. Viktor Dukhovni.
	mantools/postlink, proto/postconf.proto, global/mail_params.h,
	tls/tls_dane.c, tls/tls_misc.c.

	Bugfix: FreeBSD nroff workaround messed up. File:
	mantools/postlink.

20131118

	Cleanup: FreeBSD nroff workaround. Files: man/Makefile.in,
	proto/Makefile.in.

	Cleanup: the smtpd_proxy_filter client now sends QUIT before
	closing the connection to a content filter.  Files:
	smtpd/smtpd_proxy.c, smtpd/smtpd.c.

	Portability: C99 va_copy() compatibility, in case some
	implementation does not permit multiple va_start() calls
	on the same argument list. Files: global/memcache_proto.c,
	milter/milter8.c, smtpstone/smtp-source.c, util/attr_clnt.c,
	util/concatenate.c, util/dict_surrogate.c, util/netstring.c,
	util/compat_va_copy.h.

	Cleanup: comment formatting. Viktor Dukhovni. File: dns/dns.h.

	Cleanup: removed redundant sort operation. Viktor Dukhovni.
	File: tls/tls_dane.c.

20131119

	Feature: a Postfix LMDB database can now be used as shared
	persistent cache with multiple postscreen(8) or verify(8)
	daemons (but not both), without the need for a shared
	proxymap server.  Files: util/dict.h, util/dict_alloc.c,
	util/dict_open.c, util/dict_lmdb.c.

	Internal: DNS client support to report reply RCODE information,
	in addition to the simplified DNS_NOTFOUND, DNS_RETRY etc.
	Portability note: this requires the C99 __VA_ARGS__ feature.
	Files: dns/dns.h. dns/dns_lookup.c, dns/test_dns_lookup.c.

20131120

	Cleanup: reduced the code footprint for the LMDB < 0.9.10
	heap-to-file information leak workaround, and simplified
	the implementation to "good enough". Files: util/dict.h,
	util/dict.c, util/dict_lmdb.c, postalias/postalias.c,
	postmap/postmap.c.

	Cleanup: reduced the code footprint for the handling of
	multi-writer safe maps. A map only needs to assert that it
	is multi-writer safe, and the rest just happens.  Files:
	util/dict.h, util/dict_open.c, util/dict_lmdb.c,
	global/dict_memcache.c.

	Cleanup: Postfix daemons no longer restart when a multi-writer
	safe map is updated. File: util/dict.c.

	Documentation: sharing an LMDB cache between multiple
	verify(8) or postscreen(8) servers (but not both).  Files:
	proto/ADDRESS_VERIFICATION_README.html,
	proto/POSTSCREEN_README.html.

	Cleanup: improve suppression of TLSA lookups in insecure
	zones.  This is now applied not only to non-MX destinations,
	but also to each MX record.  Viktor Dukhovni. Files:
	src/posttls-finger/posttls-finger.c, src/smtp/smtp_tls_policy.c,
	src/tls/tls.h, src/tls/tls_dane.c.

	Workaround: increased the 5s connection timeout to 30s.
	Viktor Dukhovni. File: posttls-finger/posttls-finger.c.

20131121

	Documentation: new socketmap_table(5) and lmdb_table(5)
	manpages.  Files: mantools/postlink, conf/postfix-files,
	html/Makefile.in, man/Makefile.in, proto/DATABASE_README.html,
	postconf/postconf.c, proto/socketmap_table, proto/lmdb_table.

20131122

	Documentation: missing database hyperlinks, refined text
	about partial lookup keys. Files: mantools/postlink,
	proto/DATABASE_README.html, proto/lmdb_table,
	proto/socketmap_table.

20131123

	Feature: support for NOTIFY parameter in the Milter
	SMFIR_ADDRCPT_PAR request. Contributed by by Andrew Ayer.
	Wietse added support for ORCPT.  Files: cleanup/cleanup.h,
	cleanup/cleanup_milter.c, cleanup/cleanup_state.c,
	global/xtext.c, global/xtext.h, milter/test-milter.c.

20131122

	Feature: "postconf -Fe service/type/attribute = value" edits
	master.cf attribute values. The -e is optional. Example:
	use "postconf -F "*/*/chroot = n" to turn off chroot on all
	master.cf services. Files: postconf/postconf.h,
	postconf/postconf.c, postconf/postcof_master.c,
	postconf/postconf_edit.c.

20131124

	Cleanup: remove extra blank line from ccformat output,
	making it compatible with the script that Wietse actually
	uses (this line was part of a test to detect file truncation,
	but it is now obsolete).  File: mantools/ccformat.

	Feature: master.cf parameter namespace. "postconf -P" shows
	master.cf parameter settings as "service/type/parameter =
	value". This is applicable only to parameter settings in
	master.cf. Files: postconf/postconf.h, postconf/postconf.c,
	postconf/postcof_master.c, postconf/postconf_print.c.

	Incompatibility: the master_service_disable syntax has
	changed: use "service/type" instead of "service.type".  The
	new form is consistent with master.cf parameter namespaces.
	The old form is still supported to avoid breaking existing
	configurations.  Files: global/master_service.c,
	master/master_ent.c.

20131125

	Feature: change, add or delete "-o parameter=value" setting
	in master.cf. Examples: "postconf -P smtp/inet/parameter=value"
	(add or modify "-o name=value" setting) and "postconf -P
	smtp/inet/parameter" (delete "-o parameter=value" setting).
	Files: util/argv.[hc], postconf/postconf.h,
	postconf/postconf_edit.c, postconf_master.c.

20131126

	Cleanup: Leave SSLv3 enabled with DANE. Viktor Dukhovni.
	Files: proto/TLS_README.html proto/postconf.proto
	tls/tls_client.c.

	Cleanup: DANE support: Drop support for usage 0. It SHOULD
	NOT be supported in DANE with SMTP, and we already don't
	support digest TLSA RRs in this case, while full content
	TLSA RRs are not recommended for DNS bloat reasons.  Viktor
	Dukhovni. Files: proto/postconf.proto src/global/mail_params.h
	src/smtp/smtp.c src/tls/tls_dane.c src/tls/tls_misc.c.

	Feature: TLS support: Support future digest algorithms
	without re-compilation. Viktor Dukhovni. Files: .indent.pro
	proto/postconf.proto src/tls/tls_dane.c.

	Feature: DNS support: New configurable digest agility.
	Viktor Dukhovni. Files: .indent.pro proto/TLS_README.html
	proto/postconf.proto src/global/mail_params.h src/tls/tls_dane.c
	src/tls/tls_misc.c.

Boris Mühmer's avatar
Boris Mühmer committed
20131127

	Bugfix (introduced: 20090106): the postconf '-#' option
	erased prior options. File: postconf/postconf.c.

20131129

	Bugfix: Makefile example in MULTI_INSTANCE_README. Viktor
	Dukhovni. File: proto/MULTI_INSTANCE_README.html.

Boris Mühmer's avatar
Boris Mühmer committed
20131130
Boris Mühmer's avatar
Boris Mühmer committed
	Cleanup: simplify fingerprint security level implementation
	in new DANE code.  Viktor Dukhovni.  Files: src/tls/tls.h
	src/smtp/smtp_tls_policy.c src/tls/tls_dane.c
	src/posttls-finger/posttls-finger.c.
Boris Mühmer's avatar
Boris Mühmer committed
20131209
Boris Mühmer's avatar
Boris Mühmer committed
	Cleanup: safe_strtoul() did not report an error for empty
	or all-space input (the code to report this was in the wrong
	place). This was not a problem as long as safe_strtoul()
	was used only for output from safe_ultostr().  Files:
	global/safe_ultostr.c, global/safe_ultostr.in,
	global/safe_ultostr.ref.
Boris Mühmer's avatar
Boris Mühmer committed
20131210
Boris Mühmer's avatar
Boris Mühmer committed
	Documentation: updated description of SSL protocol controls.
	In particular, enabled protocols are part of a contiguous
	range. Viktor Dukhovni.  Files: proto/TLS_README.html,
	proto/postconf.proto.
Boris Mühmer's avatar
Boris Mühmer committed
	Bugfix: DANE support: handle OpenSSL memory allocation
	error. Viktor Dukhovni.  File: tls/tls_dane.c.
Boris Mühmer's avatar
Boris Mühmer committed
	Cleanup: LMDB_README was not installed. File: conf/postfix-files.
Boris Mühmer's avatar
Boris Mühmer committed
20131214
Boris Mühmer's avatar
Boris Mühmer committed
	Portability: on some platforms posttls-finger now requires
	explicitly linking libdl.  File: posttls-finger/Makefile.in.
Boris Mühmer's avatar
Boris Mühmer committed
	Cleanup: DANE support: extension gymnastics. Viktor Dukhovni.
	File: tls/tls_dane.c.
Boris Mühmer's avatar
Boris Mühmer committed
	Bugfix: DANE support: the wrap_cert() and wrap_key() calls
	should never fail, but some callers ignored the return
	value.  The only failure is for lack of memory, so we use
	msg_fatal() internally and change wrap_cert() and wrap_key()
	to return void. Viktor Dukhovni.  File: tls/tls_dane.c.
Boris Mühmer's avatar
Boris Mühmer committed
	Bugfix: DANE support: avoid making DANE certificates with
	replaced public-keys appear as if they were self-signed.
	Viktor Dukhovni.  File: tls/tls_dane.c.
Boris Mühmer's avatar
Boris Mühmer committed
	Cleanup: DANE support: simplify grow_chain() to always apply
	trust consistently. Viktor Dukhovni.  File: tls/tls_dane.c.
Boris Mühmer's avatar
Boris Mühmer committed
	Bugfix: DANE support: backport fixes from OpenSSL DANE
	testing.  Discard errors generated by raw TA key signature
	checks. Record the tadepth as zero with self-signed depth
	0 TAs. Robustness: Though it should never happen, don't
	update the tadepth if already set. Viktor Dukhovni.  Files:
	tls/tls_dane.c, tls/tls_server.c.
Boris Mühmer's avatar
Boris Mühmer committed
20131215
Boris Mühmer's avatar
Boris Mühmer committed
	Cleanup: OpenSSL "const" declarations have changed over
	time. Viktor Dukhovni. Files: src/tls/tls.h, src/tls/tls_client.c,
	src/tls/tls_dane.c, src/tls/tls_server.c.
Boris Mühmer's avatar
Boris Mühmer committed
20131216
Boris Mühmer's avatar
Boris Mühmer committed
	Cleanup: TLS support. Eliminate calls of deprecated functions
	before they are removed from OpenSSL.  CRYPTO_thread_id is
	deprecated and we don't need it.  Replace the deprecated
	ERR_remove_state() call with ERR_remove_thread_state(), and
	use RSA_generate_key_ex().  Viktor Dukhovni. Files:
	posttls-finger/posttls-finger.c, tls/tls_misc.c, tls/tls_rsa.c.
Boris Mühmer's avatar
Boris Mühmer committed
	Cleanup: DANE support: Reduce #ifdef clutter to improve
	redability and maintability. Viktor Dukhovni.  File:
	tls/tls_dane.c.
Boris Mühmer's avatar
Boris Mühmer committed
	Future proofing: Tolerate disappearance of named bug-workaround
	bits without invalidating user configurations.  When support
	for a bug workaround is removed from OpenSSL, the corresponding
	bit is defined as zero (i.e. NOOP) intstead of causing
	programs to break. Viktor Dukhovni.  File: tls/tls_misc.c.
Boris Mühmer's avatar
Boris Mühmer committed
20131217
Boris Mühmer's avatar
Boris Mühmer committed
	Portability: RSA_generate_key_ex() is not available on all
	supported platforms, so this change is made conditional.
	Enforce that this function will be used only for creating
	a 512-bit ephemeral RSA key.  Viktor Dukhovni. File:
	tls/tls_rsa.c.
Boris Mühmer's avatar
Boris Mühmer committed
20131218
Boris Mühmer's avatar
Boris Mühmer committed
	Documentation: new document FORWARD_SECRECY_README that
	describes how different versions of Postfix >= 2.2 implement
	"perfect" forward secrecy. Viktor Dukhovni. File:
	proto/FORWARD_SECRECY_README.html, proto/Makefile.in,
	conf/postfix-files, html/index.html.
Boris Mühmer's avatar
Boris Mühmer committed
20131219
Boris Mühmer's avatar
Boris Mühmer committed
	Cleanup: renamed postconf(1) internal identifiers according
	to a consistent scheme, to avoid future name conflicts as
	Postfix evolves. This is a no-feature change.  Files:
	postconf/*.[hc], postconf/extract.awk.
Boris Mühmer's avatar
Boris Mühmer committed
	Documentation: linearized the order of exposition in
	FORWARD_SECRECY_README. File: proto/FORWARD_SECRECY_README.html.
Boris Mühmer's avatar
Boris Mühmer committed
20131220
Boris Mühmer's avatar
Boris Mühmer committed
	Bugfix: DANE support: segfault. Viktor Dukhovni. File:
	tls/tls_dane.c.
Boris Mühmer's avatar
Boris Mühmer committed
	Documentation: typo in SASL_README. Patrick Ben Koetter.
	File: proto/SASL_README.html.
Boris Mühmer's avatar
Boris Mühmer committed
	Documentation: increased the *.[0-9].html manpage width
	from the historical 65 columns to the more contemporary 78
	columns, and future-proofed the pattern that eliminates
	redundant text from the "README FILES" section.  Files:
	mantools/postlink, mantools/man2html, man/Makefile.in.
Boris Mühmer's avatar
Boris Mühmer committed
	Documentation: misc manual page cleanups. Files:
	postconf/postconf.c, postmulti/postmulti.c.
Boris Mühmer's avatar
Boris Mühmer committed
20131221
Boris Mühmer's avatar
Boris Mühmer committed
	Testbed: TLS support. Viktor Dukhovni. Files: tls/Makefile.in,
	tls/tls_dane.c, tls/tls_dane.sh, tls/tls_mgr.c, .indent.pro.
Boris Mühmer's avatar
Boris Mühmer committed
	Documentation: added section on how to verify that forward
	secrecy works. File: proto/FORWARD_SECRECY_README.html.
Boris Mühmer's avatar
Boris Mühmer committed
20131222
Boris Mühmer's avatar
Boris Mühmer committed
	Documentation: forward secrecy, with feedback from Adam
	Shostack.  Viktor Dukhovni and Wietse Venema. File:
	proto/FORWARD_SECRECY_README.html.
Boris Mühmer's avatar
Boris Mühmer committed
20131224
Boris Mühmer's avatar
Boris Mühmer committed
	Feature: smtpd_sasl_service (until now, this was hard-coded
	internally as "smtp"). On request by Michal (sksoft.cz).
	Files: global/mail_params.h, proto/postconf.proto,
	mantools/postlink, smtpd/smtpd.c, smtpd/smtpd_sasl_glue.c.
Boris Mühmer's avatar
Boris Mühmer committed
	Documentation: updated example to Dovecot version 2 syntax.
	File: proto/SASL_README/html.
Boris Mühmer's avatar
Boris Mühmer committed
20131228
Boris Mühmer's avatar
Boris Mühmer committed
	Cleanup: DANE support: test script. Viktor Dukhovni. File
	tls/tls_dane.sh.
Boris Mühmer's avatar
Boris Mühmer committed
	Debugging: test driver for LMDB debugging and stress testing.
	Shockingly, LMDB terminates the postscreen daemon without
	logfile record.  File: util/dict_cache.c.
Boris Mühmer's avatar
Boris Mühmer committed
20140102
Boris Mühmer's avatar
Boris Mühmer committed
	Bugfix: close the LMDB database cursor's read transaction
	before writing with MDB_NOLOCK and before changing the
	database memory map size. File: util/slmdb.c.
Boris Mühmer's avatar
Boris Mühmer committed
20140103

	Cleanup: eliminated data duplication from the new SMTP_ITERATOR
	structure to the old SMTP_SESSION structure. The SMTP_ITERATOR
	structure now maintains the sole copy. Files: smtp/smtp.h,
	smtp_sasl_auth_cache.c, smtp_reuse.c, smtp_sasl_glue.c,
	smtp_rcpt.c, smtp_session.c, smtp_chat.c, smtp_proto.c,
	smtp_connect.c.

20140104

	Feature: support for optional configuration files
	"$daemon-directory/postfix-files.d/*".  These are processed
	in sorted order after "$daemon-directory/postfix-files",
	This avoids breaking "postfix set-permissions" etc. when a
	Postfix distribution comes in multiple packages.  File:
	conf/post-install.

20140107

	Feature: LMDB 0.9.11 allows Postfix daemons to log an LMDB
	error message, instead of falling out of the sky without
	any notification.  Files: util/slmdb.[hc], util/dict_lmdb.c.

20140108

	Bugfix: every Postfix LMDB transaction is now protected by
	an external lock for its entire life time. File: util/slmdb.c.

20140109

	Cleanup: turn off DNSSEC lookup after CNAME redirection to
	an insecure zone. This is an optimization for resolvers
	that do not automatically resolve CNAME chains. Viktor
	Dukhovni. File: dns/dns_lookup.c.

	Cleanup: do not salt the SMTP TLS policy lookup cache key
	with the DNSSEC status. The DNSSEC status will not change
	when the same nexthop/host pair is looked up repeatedly.
	Viktor Dukhovni. File: smtp/smtp_tls_policy.c.

	Robustness: Suppress TLSA lookups only when the qname zone
	is insecure, not just because the rname zone is insecure.
	This requires an extra T_CNAME lookup for the qname, since
	nameservers are often "too helpful" and report CNAME records
	together with the CNAME targets. When the targets are
	insecure the whole reply is marked as insecure.  Viktor
	Dukhovni.  File: tls/tls_dane.c.

	Cleanup: Unify/simplify reporting of configuration or other
	conditions that prevent DANE security.  Viktor Dukhovni.
	Files: global/dsn_buf.[hc], tls/tls_dane.c, smtp/smtp_tls_policy.c.
Boris Mühmer's avatar
Boris Mühmer committed
20140110-15
Boris Mühmer's avatar
Boris Mühmer committed
	Miscellaneous documentation cleanups.
Boris Mühmer's avatar
Boris Mühmer committed

20140116

	Workaround: prepend "-I. -I../../include" to CCARGS, to
	avoid name clashes with non-Postfix header files. File:
	makedefs.

20140125

	Cleanup: postconf(1) manpage missing version attribution
	and incorrect "author" formatting. File: postconf/postconf.c.

20140223

	Logging: the TLS client logged that an "Untrusted" TLS
	connection was established instead of "Anonymous".  Viktor
	Dukhovni. File: tls/tls_client.c.

20140227

	Bugfix: Enforce TLS when TLSA records exist, but all are
	unusable; Don't leak dane handle when all TLSA records are
	unusable.  Viktor Dukhovni. File: smtp/smtp_tls_policy.c.

	Cleanup: log TLS policy lookup errors as warnings. Viktor
	Dukhovni.  File: smtp/smtp_connect.c.

20140407

	Documentation: the documentation for Postfix > 2.8 TLS
	activity logging was incorrect. Loglevel 0 produces no
	logging. Instead, information is logged only with loglevel
	1 or higher. Viktor Dukhovni. Files: proto/TLS_README.html,
	proto/postconf.proto.

20140507

	Bugfix (introduced: Postfix 2.11): with connection caching
	enabled (the default), recipients could be given to the
	wrong mail server.  Root cause: due to an incorrect predicate,
	the Postfix SMTP client could save and restore plaintext
	connections that should not be cached, under nonsensical
	lookup keys that did not distinguish by destination.  Problem
	reported by Sahil Tandon, predicate error found by Viktor,
	redundant connection restore request eliminated by Wietse.
	File: smtp/smtp_connect.c.
Boris Mühmer's avatar
Boris Mühmer committed

20140619

	Bugfix (introduced: 2001): qmqpd null pointer bug when it
	logs a lost connection while not in a mail transaction.
	Reported by Michal Adamek. File: qmqpd/qmqpd.c.

20140920

	Bugfix (introduced: 20080212): incorrect client name in
	reject messages from check_reverse_client_hostname_access
	and check_reverse_client_hostname_{mx,ns}_access.  They
	replied with the verified client name, instead of the name
	that was rejected.  Problem reported by Reindl Harald. File:
	smtpd/smtpd_check.c.

20141012

	Bugfix (introduced: Postfix 2.3): the PREPEND access/policy
	action added headers ABOVE Postfix's own Received: header,
	exposing Postfix's own Received: header to Milters (protocol
	violation) and hiding the PREPENDed header from Milters.
	The latter caused problems for DMARC implementations with
	SPF policy plus DKIM Milter.  PREPENDed headers are now
	added BELOW Postfix's own Received: header and remain visible
	to Milters. File: smtpd/smtpd.c.
Boris Mühmer's avatar
Boris Mühmer committed

20141014

	Portability: Darwin 11.x needs to link with -lresolv. Viktor
	Dukhovni. File: makedefs.

20141018

	Bugfix (introduced: Postfix 2.3): when a Milter inserted a
	header ABOVE Postfix's own Received: header, Postfix would
	expose its own Received: header to Milters (violating
	protocol) and hide the Milter-inserted header from Milters
	(wtf).  Files: cleanup/cleanup.h, cleanup/cleanup_message.c,
	cleanup/cleanup_state.c, milter/milter.[hc], milter/milter8.c.

	Cleanup: revert the workaround that places headers inserted
	with PREPEND actions or policy requests BELOW Postfix's own
	Received: message header. File: smtpd/smtpd.c.
Boris Mühmer's avatar
Boris Mühmer committed

20141025

	Bugfix (introduced: Postfix 2.11): core dump when
	smtp_policy_maps specifies an invalid TLS level. Viktor
	Dukhovni. File: smtp/smtp_tls_policy.c.

20150106

	Robustness: don't segfault due to excessive recursion after
	a faulty configuration runs into the virtual_alias_recursion_limit.
	File: global/tok822_tree.c.

20150115

	Safety: stop aliasing loops that exponentially increase the
	address length with each iteration. Back-ported from Postfix
	3.0. File: cleanup/cleanup_map1n.c.

20150117

	Cleanup: missing " in \%s\" in postconf(1) fatal error
	messages. Iain Hibbert. File: postconf/postconf_master.c.
Boris Mühmer's avatar
Boris Mühmer committed

20150324

	Bugfix (introduced: Postfix 2.6): sender_dependent_relayhost_maps
	ignored the relayhost setting in the case of a DUNNO lookup
	result.  It would use the recipient domain instead.  Viktor
	Dukhovni. Wietse took the pieces of code that enforce the
	precedence of a sender-dependent relayhost, the global
	relayhost, and the recipient domain, and put that code
	together in once place so that it is easier to maintain.
	File: trivial-rewrite/resolve.c.

20150330

	Bitrot: prepare for future changes in OpenSSL API. Viktor
	Dukhovni. File: tls_dane.c.

20150408

	Portability: FreeBSD10 support. Files: makedefs, util/sys_defs.h.

	Incompatibility: specifying "make makefiles" with "CC=command"
	will no longer override the default WARN setting.