In the text below, incompatible changes are labeled with the Postfix
snapshot that introduced the change. If you upgrade from a later
Postfix version, then you do not have to worry about that particular
incompatibility.

The official Postfix release is called 2.1.x where 2=major release
number, 1=minor release number, x=patchlevel. Snapshot releases
are called 2.2-yyyymmdd where yyyymmdd is the release date (yyyy=year,
mm=month, dd=day). The mail_release_date configuration parameter
contains the release date (both for official release and snapshot
release). Patches are issued for the official release and change
the patchlevel and the release date. Patches are never issued for
snapshot releases.

Major changes - critical
------------------------

If you run Postfix 2.0 or earlier then you must stop Postfix before
upgrading. The master-child protocols have changed between Postfix
1.1 and 2.0, and version 2.1 sometimes writes queue files that the
2.0 and earlier queue managers complain about. If this happens move
the files from the corrupt directory to the maildrop directory and
give them another chance.

[Incompat 20021119] The Postfix upgrade procedure will add two new
services to your master.cf file: "trace" and "verify". These servers
can run inside a chroot jail, have no interaction with users, and
don't talk to the network. If Postfix complains that "trace" and
"verify" are not found, you made the error of copying your old
Postfix configuration files over the new ones. Execute "postfix
upgrade-configuration" to repair the Postfix configuration files.

[Incompat 20040331] Support for the non-standard Errors-To: message
header is removed. This also helps to stop potential attacks that
rely on bouncing mail to a destination that is not directly reachable
by the attacker. Specify "enable_errors_to = yes" to get the old
behavior.

Queue files written by Postfix 2.1 may contain information that
is incompatible with older Postfix versions:

[Incompat 20040120] Queue files created with "sendmail -v" are no
longer compatible with Postfix versions 2.0 and earlier. A new
record type, "killed", was introduced in order to avoid repeated
mail delivery reports from mail that could not be delivered due to
a temporary error condition.

[Incompat 20030125] This release adds a new queue file record type
for the address specified in "REDIRECT user@domain" actions in
access maps or header/body_checks. Queue files with these records
will be rejected by older Postfix versions.

[Feature 20040120] The new queue manager nqmgr has become the
default qmgr queue manager. For a limited time the old queue manager
remains available under the name oqmgr. The name nqmgr still works
but will cause a warning to be logged.

[Incompat 20040413] The Postfix SMTP server no longer accepts mail
from or to an address ending in "@", including address forms that
rewrite into an address that ends in "@". Specify "resolve_null_domain
= yes" to get the old behavior.

[Incompat 20031226] Postfix no longer allows mail addresses with
bare numeric IP addresses (user@1.2.3.4). This is not configurable.
The form user@[ipaddress] is still allowed.

[Incompat 20031226] Bounce messages now have a separate queue life
time. This is controlled by the bounce_queue_lifetime parameter.

[Incompat 20031019] The authorized_verp_clients parameter was
renamed to smtpd_authorized_verp_clients, and the default value
was changed to disable this feature. You now have to turn it on
explicitly.

Major changes - build environment
---------------------------------

[Incompat 20030112] The Postfix build procedure now uses the
pcre-config utility (part of PCRE version 3) to find out the
pathnames of the PCRE include file and object library, instead of
probing /usr/include and/or /usr/lib. To build with PCRE version
2 support you will have to specify pathnames as described in
PCRE_README. To build without PCRE support, specify: make Makefiles
CCARGS="-DNO_PCRE".

Major changes - documentation
-----------------------------

[Feature 20040331] Complete documentation rewrite. All parameters
are now described in postconf(5), and all commands and daemons are
shown in their proper context in the OVERVIEW document.
- All documents come as HTML and ASCII text.
- All HTML documents have hyperlinks for every parameter name,
  for every Postfix manual page, and for every README file.
- All documents specify what feature is available in what release.
- The sample-*.cf configuration files no longer exist. The information
  is now available in HTML documents, README files and UNIX man pages.
- The mumble_table example configuration files no longer exist.

[Incompat 20040413] The LMTP, Cyrus and Qmail related README files will
not be included in the Postfix version 2.1 distribution. They will
be made available via http://www.postfix.org/, and in Postfix 2.2
snapshots.

[Feature 20040413] You can install documentation in HTML format
besides the README files. Installation of README files is now
optional.

Major changes - access control
------------------------------

[Feature 20031215] Easier debugging of SMTPD access restrictions.
The SMTP command "xclient name=xxx addr=yyy" changes Postfix's idea
of the remote client name and address, so that you can pretend to
connect from anywhere on the Internet. Use of this command is
restricted to clients that match the list of names or addresses
specified with the smtpd_authorized_xclient_hosts parameter. By
default, XCLIENT is not accepted from anywhere. More details are
in the XCLIENT_README file.

[Feature 20030715] Support for multi-valued RBL lookup results.
For example, specify "reject_rbl_client foo.bar.tld=127.0.0.3" to
reject clients that are listed with a "127.0.0.3" address record.
More information is in the postconf(5) manual page.

[Feature 20030917] New "check_{helo,sender,recipient}_{ns,mx}_access
type:table" restrictions that apply the specified access table to
the NS or MX hosts of the host/domain given in HELO, EHLO, MAIL
FROM or RCPT TO commands. More information is in the postconf(5)
manual page.

This can be used to block mail from so-called spammer havens (all
domains that are served by the same DNS server, all domains that
resolve to the same MX host), from sender addresses that resolve
to Verisign's wild-card mail responder, or from domains that claim
to have mail servers in reserved networks such as 127.0.0.1.

Note: OK actions are not allowed for security reasons. Instead of
OK, use DUNNO in order to exclude specific hosts from blacklists.
If an OK result is found for an NS or MX host, Postfix rejects the
SMTP command with "451 Server configuration error".

[Feature 20040413] Support for a "WARN text..." feature in SMTPD
access tables, just like the WARN feature in header/body_checks.

[Feature 20040122] New "PREPEND headername: headervalue" action in
Postfix access maps. Primarily intended for tagging mail by, for
example, an external SMTPD policy server. See access(5).

[Feature 20040124] New "PREPEND text" action in Postfix header/body_checks
maps. This action prepends a header or body line immediately before
the line that triggers the action. See header_checks(5) for details.

[Feature 20030125] New "REDIRECT user@domain" action for access
maps and header/body_checks that overrides all the originally
specified recipients of a message. Wietse would never recommend
that people use this to redirect (bounced) SPAM to the beneficiaries
of an advertisement campaign. See access(5) and header_checks(5).

[Feature 20031215] The reject_sender_login_mismatch feature (used
with SASL authenticated logins) is now implemented in terms of more
basic restrictions: reject_unauth_sender_login_mismatch (reject
mail when $sender_login_maps lists an owner for the sender address
but the SMTP client is not SASL authenticated) and
reject_auth_sender_login_mismatch (reject mail when the sender
address is not owned by the SASL authenticated user). The
sender_login_maps now support multiple owners per sender address.
See postconf(5) for details.

Major changes - address verification
------------------------------------

[Feature 20021119] Address verification blocks mail from or to
addresses that are not deliverable. This is turned on with the
reject_unverified_sender UCE restriction. Addresses are verified
by probing, that is, by sending mail that is not actually delivered
(SMTP interruptus). Detailed information is in the
ADDRESS_VERIFICATION_README file.

Address verification can follow a different route than ordinary
mail, typically to avoid sending probes to a relay host. To make
this possible, the address resolver supports multiple personalities.
For more detail see the ADDRESS_VERIFICATION_README file.

New "sendmail -bv" option. Postfix probes the specified recipient
addresses without actually delivering mail, and sends back an email
delivery report. This is useful for testing address rewriting and
address routing, and shows the final envelope and header addresses.
This feature currently does not access or update the sender address
verification database.

Major changes - content inspection
----------------------------------

[Feature 20030704] The Postfix SMTP server can be configured to
send all mail into a real-time content filter that inspects mail
BEFORE it is queued. See the SMTPD_PROXY_README file for details.

[Feature 20031022] Improved logging by Postfix daemons behind an
SMTP-based proxy filter. The logging now shows the remote client
name and address, instead of localhost[127.0.0.1]. This uses the
new SMTP command "XFORWARD addr=client-address name=client-hostname",
which specifies remote client information for logging purposes.
This command is restricted to clients that match the list of names
or addresses specified with the smtpd_authorized_xforward_hosts
parameter. By default, XFORWARD is not accepted from anywhere.
For an example, see the SMTPD_PROXY_README file.

[Feature 20030706] New receive_override_options parameter that
eliminates the need for different cleanup service instances before
and after an external content filter. One parameter controls what
happens before or after the content filter: rejecting unknown
recipients, canonical mapping, virtual alias expansion, masquerading,
automatic BCC recipients and header/body checks. See postconf(5)
for the fine details.

[Feature 20040124] New "PREPEND text" action in Postfix header/body_checks
maps. This action prepends a header or body line immediately before
the line that triggers the action. See header_checks(5) for details.

[Feature 20030125] New "REDIRECT user@domain" action for access maps
and header/body_checks that overrides all the originally specified
recipients of a message. Wietse would never recommend that people
use this to redirect (bounced) SPAM to the beneficiaries of an
advertisement campaign. See header_checks(5) and access(5).

[Incompat 20030915] In header/body_checks actions, the OK action
is being phased out, and the DUNNO action is being phased in. Both
actions still work and do the same thing, but hopefully DUNNO causes
less confusion. See header_checks(5) for details.

Major changes - policy delegation
---------------------------------

[Feature 20030715] Support for SMTP access policy delegation to an
external server. Greylisting and SPF are provided as examples.
See the SMTPD_POLICY_README file for further information.

Major changes - client rate limiting
------------------------------------

Note: this feature is not included with Postfix 2.1, but it is
documented here so that the information will not be lost.

[Feature 20031111] Preliminary defense against SMTP clients that
hammer an SMTP server with too many connections. By default, the
number of simultaneous connections per client is limited to half
the default process limit, and no limit is imposed on the number
of successive connections per time unit that a client is allowed
to make.

The new anvil server maintains the connection statistics, and logs
the maximum connection count and connection rate per client every
anvil_status_update_time seconds (10 minutes), or when it terminates
(when there is no work to be done, or when "postfix reload" was
issued). Once you have an idea what the numbers look like, you can
clamp down the limits for your system.

The relevant main.cf configuration parameters are:
smtpd_client_connection_count_limit for the number of simultaneous
connections per client, and smtpd_client_connection_rate_limit for
the number of successive connections per unit time and client. The
time unit is specified with the anvil_rate_time_unit parameter, and
is one minute by default.
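
To get a feel for the two figures before clamping down the limits, the
following added example (not Postfix or anvil code) computes, per client,
the peak number of simultaneous connections and the peak number of
connections per time unit from a constructed list of connection events,
then lists the clients that a candidate pair of limits would reject. The
event tuples, the function names, the exempt_networks argument and the
sliding-window rate calculation are assumptions of this example; anvil's
own accounting may differ.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data, not real log output:
# (client address, connect time, disconnect time), times in seconds.
SAMPLE_EVENTS = [
    ("192.0.2.10", 0, 30),
    ("192.0.2.10", 5, 40),
    ("192.0.2.10", 10, 12),
    ("192.0.2.10", 70, 75),
    ("198.51.100.7", 0, 2),
    ("198.51.100.7", 3, 4),
    ("198.51.100.7", 20, 21),
    ("198.51.100.7", 50, 51),
    ("198.51.100.7", 61, 62),
]


def peak_concurrency(sessions):
    """Largest number of sessions that were open at the same instant."""
    points = []
    for start, end in sessions:
        points.append((start, 1))
        points.append((end, -1))
    # At equal timestamps handle the disconnect (-1) before the connect (+1),
    # so a back-to-back reconnect does not count as two open sessions.
    points.sort()
    current = peak = 0
    for _, delta in points:
        current += delta
        peak = max(peak, current)
    return peak


def peak_rate(sessions, time_unit):
    """Largest number of connects inside any window of time_unit seconds."""
    starts = sorted(start for start, _ in sessions)
    peak = left = 0
    for right, t in enumerate(starts):
        # Drop connects that are a full time unit (or more) older than t.
        while t - starts[left] >= time_unit:
            left += 1
        peak = max(peak, right - left + 1)
    return peak


def client_stats(events, time_unit=60):
    """Per-client peak connection count and peak connection rate."""
    per_client = defaultdict(list)
    for client, start, end in events:
        per_client[client].append((start, end))
    return {
        client: {"count": peak_concurrency(s), "rate": peak_rate(s, time_unit)}
        for client, s in per_client.items()
    }


def clients_over(stats, count_limit=None, rate_limit=None, exempt_networks=()):
    """Clients whose observed peaks exceed the candidate limits.

    None means "no limit" in this example. exempt_networks is a list of
    net/mask strings whose clients are never reported.
    """
    nets = [ipaddress.ip_network(n) for n in exempt_networks]
    flagged = {}
    for client, s in stats.items():
        if any(ipaddress.ip_address(client) in n for n in nets):
            continue
        reasons = []
        if count_limit is not None and s["count"] > count_limit:
            reasons.append("count")
        if rate_limit is not None and s["rate"] > rate_limit:
            reasons.append("rate")
        if reasons:
            flagged[client] = reasons
    return flagged


if __name__ == "__main__":
    stats = client_stats(SAMPLE_EVENTS)
    for client, s in sorted(stats.items()):
        print(client, s)
    print(clients_over(stats, count_limit=2, rate_limit=3))
```
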

When Postfix rejects a client, it sends a 450 status code and
disconnects, and logs a warning with the client name/address and
the service name from master.cf. You can, for example, capture this
information with a logfile watching program that updates a firewall
rule (such a watcher program is not included with Postfix).

To avoid rejecting authorized hosts, the
smtpd_client_connection_limit_exceptions parameter takes a list of
network/netmask expressions, hostnames or .domain names that are
excluded from these restrictions. By default, all clients in
$mynetworks are excluded; you will probably want to use a more
restrictive setting.

For further information, see: smtpd(8) and anvil(8).

Major changes - configuration management
----------------------------------------

[Feature 20040413] New postfix(1) command features:

- "postfix set-permissions" corrects Postfix file and directory
  permissions and allows you to change mail_owner or setgid_group
  settings after Postfix is installed.

- "postfix upgrade-configuration" fixes Postfix systems after people
  copy over their old configuration files after installing a new
  Postfix system.

See postfix(1) for details.

[Incompat 20040120] The format of the postfix-files file has changed.
There is a new type for hard links. With hard or symbolic link
entries, the first field is now the destination pathname and the
"owner" field is now the origin pathname, while "group" and
"permissions" are ignored.

Major changes - core functionality
----------------------------------

[Feature 20030704] New enable_original_recipient parameter (default:
yes) to control whether Postfix keeps track of original recipient
address information. If this is turned off Postfix produces no
X-Original-To: headers and ignores the original recipient when
eliminating duplicates after virtual alias expansion. Code by Victor
Duchovni.

[Feature 20030417] Automatic BCC recipients depending on sender or
recipient address. The configuration parameters in question are
"sender_bcc_maps" and "recipient_bcc_maps". See postconf(5).

[Incompat 20030415] Too many people mess up their net/mask patterns,
causing open mail relay problems. Postfix processes now abort when
given a net/mask pattern with a non-zero host portion (for example,
168.100.189.2/28), and suggest specifying the proper net/mask
pattern instead (for example, 168.100.189.0/28).

[Feature 20030415] Workaround for file system clock drift that
caused Postfix to ignore new mail (this could happen with file
systems mounted from a server). Postfix now logs a warning and
proceeds with only slightly reduced performance, instead of ignoring
new mail.

Major changes - database support
--------------------------------

Liviu Daia took the lead in a revision of the LDAP, MySQL and
PostgreSQL clients. Credits also go to Victor Duchovni and to
Lamont Jones.

[Feature 20030915] LDAP parameters can now be defined in external
files. Specify the LDAP maps in main.cf as
    ldap:/path/to/ldap.cf
and write the LDAP parameters in /path/to/ldap.cf, without the
"ldapsource_" prefix. This makes it possible to securely store
bind passwords for plain auth outside of main.cf (which must be
world readable). The old syntax still works, for backwards
compatibility.

[Feature 20030915] Support for LDAP URLs in the LDAP parameter
"server_host", if Postfix is linked against OpenLDAP. LDAP hosts,
ports, and connection protocols to be used as LDAP sources can be
specified as a blank-separated list of LDAP URLs in "server_host".
As with OpenLDAP, specifying a port in a LDAP URL overrides
"server_port". Examples:
    server_host = ldap://ldap.itd.umich.edu
    server_host = ldaps://ldap.itd.umich.edu:636
    server_host = ldapi://%2Fsome%2Fpath

[Feature 20030915] The LDAP SSL scheme ldaps:// is available if
OpenLDAP was compiled with SSL support. New parameters "tls_ca_cert_dir",
"tls_ca_cert_file", "tls_cert", "tls_key", "tls_require_cert",
"tls_random_file", "tls_cipher_suite" control the certificates,
source of random numbers, and cipher suites used for SSL connections.
See LDAP_README for further information.

[Feature 20030915] Support for STARTTLS command in LDAP, if Postfix
is linked against OpenLDAP and OpenLDAP was compiled with SSL
support. STARTTLS is controlled by the "start_tls" parameter.
The above parameters for certificates, source of random numbers,
and cipher suites also apply. See LDAP_README for further information.

[Incompat 20030704] Support for client side LDAP caching is gone.
OpenLDAP 2.1.13 and later no longer support it, and the feature
never worked well. Postfix now ignores cache controlling parameters
in an LDAP configuration file and logs a warning.

[Feature 20030415] PostgreSQL table lookups. Specify "pgsql:/file/name"
where "/file/name" defines the database. See "man pgsql_table" for
examples, and the PGSQL_README file for general information.

Major changes - internals
-------------------------

[Incompat 20040120] The format of the postfix-files file has changed.
There is a new type for hard links. With hard or symbolic link
entries, the first field is now the destination pathname and the
"owner" field is now the origin pathname, while "group" and
"permissions" are ignored.

[Incompat 20040120] The LDAP and SQL client source code is moved
to the global directory in order to eliminate reversed dependencies.

[Feature 20030606] Complete rewrite of the queue file record reading
loops in the pickup, cleanup and in the queue manager daemons. This
code had deteriorated over time. The new code eliminates an old
problem where the queue manager had to read most queue file records
twice in the case of an alias/include file expansion with more than
qmgr_message_recipient_limit recipients.

[Feature 20030125] Code cleanup of queue manager internals.
Queue names are no longer mixed up with the next-hop destination,
and the address resolver loop is now easier to understand.

[Feature 20030104] Multi-server daemons (servers that accept
simultaneous connections from multiple clients) will now stop
accepting new connections after serving $max_use clients. This
allows multi-server daemons to automatically restart even on busy
mail systems.

[Feature 20030104] Clients of multi-server daemons such as
trivial-rewrite and the new proxymap service now automatically
disconnect after $ipc_ttl seconds of activity (default: 1000s).
This allows multi-server daemons to automatically restart even on
busy mail systems.

[Incompat 20021119] The file format of bounce/defer logfiles has
changed from the old one-line ad-hoc format to a more structured
multi-line format. For backwards compatibility, Postfix now creates
bounce/defer logfile entries that contain both the old and the new
format, so that you can go back to an older Postfix release without
losing information. Old Postfix versions will warn about malformed
logfile entries, but should work properly. To disable backwards
compatibility specify "backwards_bounce_logfile_compatibility =
no" in main.cf.

[Feature 20021119] Both "sendmail -bv" and "sendmail -v" use the
new "trace" daemon that is automatically added to master.cf when
you upgrade.

Major changes - logging
-----------------------

[Incompat 20040413] The postmap and postalias commands now report
errors to syslogd in addition to reporting them to the standard
error output. This makes logfile analysis easier.

[Incompat 20031203] Many SMTPD "reject" logfile entries now show
NOQUEUE instead of a queue ID. This is because Postfix no longer
creates a queue file before the SMTP server has received a valid
recipient.

Major changes - lookup table support
------------------------------------

[Feature 20030704] New CIDR-based lookup table, remotely based on
code by Jozsef Kadlecsik. For details and examples, see "man
cidr_table".

[Feature 20030704] The TCP-based table lookup protocol is finished.
For details and examples, see "man tcp_table". This will allow you
to implement your own greylisting, or to do your own open proxy
tests before accepting mail. This table will not be included with
Postfix 2.1 because the protocol is obsoleted by the policy delegation
(see elsewhere in this document) which does a much better job.

[Feature 20030704] Support for !/pattern/ (negative matches) in
PCRE lookup tables by Victor Duchovni. See "man pcre_table" and
"man regexp_table" for more.

Major changes - resource control
--------------------------------

[Incompat 20031022] The Postfix SMTP server no longer accepts mail
when the amount of free queue space is less than 1.5 times the
message_size_limit value.

Major changes - security
------------------------

[Incompat 20040413] The Postfix SMTP server no longer accepts mail
from or to an address ending in "@", including address forms that
rewrite into an address that ends in "@". Specify "resolve_null_domain
= yes" to get the old behavior.

[Incompat 20040331] Support for the non-standard Errors-To: message
header is removed. This also helps to stop potential attacks that
rely on bouncing mail to a destination that is not directly reachable
by the attacker. Specify "enable_errors_to = yes" to get the old
behavior.

[Incompat 20040331] Tarpit delays are reduced. The Postfix SMTP
server no longer delays responses until the client has made
$smtpd_soft_error_limit errors, and the delay is fixed at
$smtpd_error_sleep_time seconds. Postfix still disconnects after
$smtpd_hard_error_limit errors.

[Incompat 20040120] The SMTP server can reject non-existent sender
addresses in a local, virtual or relay domain; specify
"reject_unlisted_sender=yes" in order to require that a sender
address passes the same "user unknown" test as a recipient would
have to pass. This is optional in Postfix 2.1, likely to be turned
on by default in Postfix 2.2.

[Incompat 20031226] Postfix no longer allows mail addresses with
bare numeric IP addresses (user@1.2.3.4). This is not configurable.
The form user@[ipaddress] is still allowed.

[Incompat 20030305] Postfix truncates non-address information in message
address headers (comments, etc.) to 250 characters per address, in
order to protect vulnerable Sendmail systems against exploitation
of a remote buffer overflow problem (CERT advisory CA-2003-07).

[Incompat 20030227] The smtpd_hard_error_limit and smtpd_soft_error_limit
values now behave as documented, that is, smtpd_hard_error_limit=1
causes Postfix to disconnect upon the first client error. Previously,
there was an off-by-one error causing Postfix to change behavior
after smtpd_hard/soft_error_limit+1 errors.

Major changes - smtp client
---------------------------

[Incompat 20031223] The SMTP client now tries to connect to an
alternate MX address when a delivery attempt fails **after the
initial SMTP handshake**. This includes both broken connections
and 4XX SMTP replies. To get the old behavior, specify
"smtp_mx_session_limit = 1" in main.cf.

[Feature 20031223] The SMTP client now tries to connect to an
alternate MX address when a delivery attempt fails after the
initial SMTP handshake. This includes both broken connections
and 4XX SMTP replies.

As a benefit, fallback_relay now works as promised, not just for
sessions that fail during the initial handshake.

The new SMTP client connection management is controlled by two new
configuration parameters:

- smtp_mx_address_limit (default unlimited): the number of MX (mail
  exchanger) IP addresses that can result from mail exchanger
  lookups.

- smtp_mx_session_limit (default 2): the number of SMTP sessions
  per delivery request before giving up or delivering to a fall-back
  relay, ignoring IP addresses that fail to complete the SMTP
  initial handshake.

[Incompat 20031022] Postfix no longer retries delivery when no MX
host has a valid A record, for compatibility with many other MTAs.
This change is made in anticipation of a possible Verisign "wild-card
MX record without A record" for unregistered domains. To get the
old behavior, specify "smtp_defer_if_no_mx_address_found = yes".

[Incompat 20031022] The Postfix SMTP client no longer looks in
/etc/hosts by default. To get the old behavior, specify
"smtp_host_lookup = dns, native".

[Feature 20030417] Support for sending mail to hosts not in the
DNS, without having to turn off DNS lookups. The "smtp_host_lookup"
parameter controls how the Postfix SMTP client looks up hosts. In
order to use /etc/hosts besides DNS, specify "smtp_host_lookup =
dns, native". The default is to use DNS only.

Major changes - user interface
------------------------------

[Incompat 20040418] The non-delivery report format has changed.
The "sorry" message and the DSN formatted report now include the
original recipient address, when that address is different from
the final recipient address. This makes it easier to diagnose some
mail delivery problems that happen after mail forwarding.

[Incompat 20031223] In mailq (queue listing) output, there no longer
is space between a short queue ID and the "*" (delivery in progress)
or "!" (mail on hold) status indicator. This makes the output easier
to parse.

[Incompat 20030417] "sendmail -t" no longer complains when recipients
are given on the command line. Instead, it now adds recipients from
headers to the recipients from the command-line.

[Incompat 20030126] The maildir file naming algorithm has changed
according to an updated version of http://cr.yp.to/proto/maildir.html.
The name is now TIME.VdevIinum.HOST

[Incompat 20021119] The behavior of "sendmail -v" has changed. One
-v option now produces one email report with the status of each
recipient. Multiple -v options behave as before: turn on verbose
logging in the sendmail and postdrop commands.

[Feature 20021119] New "sendmail -bv" option. Postfix probes the
specified recipient addresses without actually delivering mail,
and sends back an email delivery report. This is useful for testing
address rewriting and address routing of both envelope and header
addresses. This feature currently does not access or update the
sender address verification database.
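
A pre-upgrade check for the net/mask rule in [Incompat 20030415] under
"core functionality" above, as an added example that is not Postfix code:
it scans a comma- or whitespace-separated list of patterns, reports every
IPv4 net/mask pattern with a non-zero host portion, and gives the pattern
to use instead. The function names and the sample value are constructed
for illustration; only IPv4 net/mask entries are examined, and other
entries (table references, host names) are passed over.

```python
import ipaddress
import re

# Entries that look like IPv4 net/mask patterns. Anything else in the list
# (type:table references, file names, host names) is skipped by the audit.
NETMASK_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}/\d{1,2}$")

# Constructed sample value for illustration only.
SAMPLE_MYNETWORKS = (
    "127.0.0.0/8, 168.100.189.2/28 10.0.0.0/8,"
    "192.168.1.77/24 hash:/etc/postfix/network_table"
)


def check_pattern(pattern):
    """Return None when the host portion is zero, else the proper pattern.

    Raises ValueError when the address or the mask length is not valid.
    """
    iface = ipaddress.IPv4Interface(pattern)
    if iface.ip == iface.network.network_address:
        return None
    # The network object already has the host bits cleared.
    return str(iface.network)


def audit_netmasks(value):
    """List (pattern, suggestion) pairs for every bad net/mask entry."""
    findings = []
    for entry in re.split(r"[,\s]+", value.strip()):
        if not NETMASK_RE.match(entry):
            continue
        try:
            suggestion = check_pattern(entry)
        except ValueError:
            findings.append((entry, "invalid address or mask"))
            continue
        if suggestion is not None:
            findings.append((entry, suggestion))
    return findings


if __name__ == "__main__":
    for pattern, suggestion in audit_netmasks(SAMPLE_MYNETWORKS):
        print(f"{pattern}: use {suggestion}")
```
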