#
f64a59b3 |
| 25-May-2020 |
christos <christos@NetBSD.org> |
Postfix versions 3.5.2, 3.4.12, 3.3.10, 3.2.15:
A TLS error for a database client caused a false 'lost connection' error for an SMTP over TLS session in the same Postfix process. Reported by Alexander Vasarab, diagnosed by Viktor Dukhovni. This bug was introduced with Postfix 2.2.
The same bug existed in the tlsproxy(8) daemon, where a TLS error for one TLS session could cause a false 'lost connection' error for a concurrent TLS session in the same process. This bug was introduced with Postfix 2.8.
The Postfix build now disables DANE support on Linux systems with libc-musl such as Alpine, because libc-musl provides no indication whether DNS responses are authentic. This broke DANE support without a clear explanation.
Due to implementation changes in the ICU library, some Postfix daemons reported file access errors (U_FILE_ACCESS_ERROR) after chroot(). This was fixed by initializing the ICU library before making the chroot() call.
Minor code changes to silence a compiler that special-cases string literals.
Postfix 3.5.2, 3.4.12:
Segfault (null pointer) in the tlsproxy(8) client role when the server role was disabled. This typically happened on systems that do not receive mail, after configuring connection reuse for outbound SMTP over TLS.
The date portion of the maillog_file_rotate_suffix default value used the minute (%M) instead of the month (%m). Reported by Larry Stone.
Postfix versions 3.5.1, 3.4.11, 3.3.9, 3.2.14:
Bitrot workaround for broken builds after an incompatible change in GCC 10.
Bitrot workaround for broken DANE/DNSSEC support after an incompatible change in GLIBC 2.31. This change avoids the need for new options in /etc/resolv.conf.
Postfix 3.3.9, 3.2.14:
Bitrot workarounds for Linux 5 and GLIBC resolver flags.
|
#
2e5cb688 |
| 06-Jul-2014 |
tron <tron@NetBSD.org> |
Import Postfix 2.11.1. The main changes since version 2.10.* are:
- Support for PKI-less TLS server certificate verification with DANE (DNS-based Authentication of Named Entities) where the CA public key or the server certificate is identified via DNSSEC lookup. This requires a DNS resolver that validates DNSSEC replies. The problem with conventional PKI is that there are literally hundreds of organizations world-wide that can provide a certificate in anyone's name. DANE limits trust to the people who control the target DNS zone and its parent zones.
- A new postscreen_dnsbl_whitelist_threshold feature to allow clients to skip postscreen tests based on their DNSBL score. This can eliminate email delays due to "after 220 greeting" protocol tests, which otherwise require that a client reconnects before it can deliver mail. Some providers such as Google don't retry from the same IP address, and that can result in large email delivery delays.
- The recipient_delimiter feature now supports different delimiters, for example both "+" and "-". As before, this implementation recognizes exactly one delimiter character per email address, and exactly one address extension per email address.
- Advanced master.cf query/update support to access service attributes as "name = value" pairs. For example to turn off chroot on all services use "postconf -F '*/*/chroot = n'", and to change/add a "-o name=value" setting use "postconf -P 'smtp/inet/name = value'". This was developed primarily to allow automated tools to manage Postfix systems without having to parse Postfix configuration files.
|
#
e694ac3b |
| 02-Jan-2013 |
tron <tron@NetBSD.org> |
Import Postfix 2.9.5. Major changes since version 2.8.x:
- Support for long, non-repeating, queue IDs (queue file names). The main benefit of non-repeating names is simpler logfile analysis. See the description of "enable_long_queue_ids" in postconf(5) for details.
- Memcache client support, and support to share postscreen(8) and verify(8) caches via the proxymap server. Details about memcache support are in memcache_table(5) and MEMCACHE_README.
- Gradual degradation: if a database is unavailable (can't open, most read or write errors) a Postfix daemon will log a warning and continue providing the services that don't depend on that table, instead of immediately terminating with a fatal error. To terminate immediately when a database file can't be opened, specify "daemon_table_open_error_is_fatal = yes".
- Revised postconf(1) command. It warns about unused parameter name=value settings in main.cf or master.cf (likely mistakes), understands "dynamic" parameter names such as names that depend on the name of a master.cf entry (finally, "postconf -n" shows all parameter settings), and it can display main.cf and master.cf in a more user-friendly format (postconf -nf, postconf -Mf).
- Read/write deadline support in the SMTP client and server to defend against application-level DOS attacks that very slowly write or read data one byte at a time.
|
#
e8314800 |
| 02-Mar-2011 |
tron <tron@NetBSD.org> |
Import Postfix 2.8.1. Changes since version 2.7.*: Postfix stable release 2.8.0 is available. This release continues the move towards improving code and documentation, and making the system better prepared for changes in the threat environment.
The postscreen daemon (a zombie blocker in front of Postfix) is now included with the stable release. postscreen now supports TLS and can log the rejected sender, recipient and helo information. See the POSTSCREEN_README file for recommended usage scenarios.
Support for DNS whitelisting (permit_rhswl_client), and for pattern matching to filter the responses from DNS white/blacklist servers (e.g., reject_rhsbl_client zen.spamhaus.org=127.0.0.[1..10]).
Improved message tracking across SMTP-based content filters; the after-filter SMTP server can log the before-filter queue ID (the XCLIENT protocol was extended).
Read-only support for sqlite databases. See sqlite_table(5) and SQLITE_README.
Support for 'footers' that are appended to SMTP server "reject" responses. See "smtpd_reject_footer" in the postconf(5) manpage.
|
#
28e9a2d2 |
| 17-Jun-2010 |
tron <tron@NetBSD.org> |
Import Postfix 2.7.1. Major changes since Postfix 2.6.6:
- Improved before-queue content filter performance. With "smtpd_proxy_options = speed_adjust", the Postfix SMTP server receives the entire message before it connects to a before-queue content filter. Typically, this allows Postfix to handle the same mail load with fewer content filter processes.
- Improved address verification performance. The verify database is now persistent by default, and it is automatically cleaned periodically. Under overload conditions, the Postfix SMTP server no longer waits up to 6 seconds for an address probe to complete.
- Support for reputation management based on the local SMTP client IP address. This is typically implemented with "FILTER transportname:" actions in access maps or header/body checks, and mail delivery transports in master.cf with unique smtp_bind_address values.
|
#
41fbaed0 |
| 23-Jun-2009 |
tron <tron@NetBSD.org> |
Import Postfix 2.6.2.
|