v1.38
=====
- bugfix: fix for AutoCacheID and rulesets containing no items

1.37
====
- code: new options --stdin and --cmd re-enable the ability to check requests at
  the command-line without opening a network socket
  (this was broken since version 1.36, see manpage for more info)

1.36
====
- feature: new items postfwd_port and postfwd_interface, allow to use the same
  ruleset for different instances of postfwd
- code: code changes for --stdout and --nodaemon options allow to run postfwd in a
  docker container. An example can be found in the ../docker folder of the
  main distribution or at http://postfwd.org/docker
- code: allowed several postfwd2 specific command-line arguments, to allow easy
  switching between versions by using the same startscript.
- code: new AutoCacheID feature enhances effectiveness of the builtin request cache

1.35
====
- code: rate(), size() and rcpt() function index is now case insensitive by default
  (same limit counters for from@example.org and fRom@eXample.org)
  if you need to treat the localpart case-sensitive according to rfc5321
  you may use rate5321(), size5321() and rcpt5321()

1.34
====
- bugfix: fixed taint mode logging error for verbose --showconfig and --stdoutlog
  options and newer perl versions.
- bugfix: check_* functions use print/getline instead of send/recv for large
  --dumpcache output (thanks to Alexandre Simon)
- code: log_* routines added to allow the same plugins for postfwd1 and postfwd2
- code: added more information when using --debug=cleanup
- docs: documentation updates
- feature: new sendmail(sendmail-path::from::to::subject::body) action.
  Please take a look at the manual, especially about
  its limitations, before using it!
    ------------------------------------------------------------
    # alert
    action=sendmail(/usr/sbin/sendmail::from@example.org::to@example.org::Subject::Text)
    ------------------------------------------------------------

1.33
====
- feature: new compare operators *
    ====================================================================
    *ITEM > VALUE     true if ITEM > VALUE
    *ITEM < VALUE     true if ITEM < VALUE
    ====================================================================
- bugfix: fixed bug when computing scores with more than 1 digit after the "." (n.nn)
- bugfix: fixed bug when computing negative values with the set action
- bugfix: ITEMS plugins returning zero values were handled incorrectly
- bugfix: max command recursion was not reset for each rule

1.32
====
- feature: new option --save_rates=<file> allows to load and save
  rate limit counters to disk on program start and termination.
  this allows rate limit persistence during restarts and reboots
  (requires perl module 'Storable')
- feature: the --debugitem="sender=example\.org$" option
  allows verbose logging for particular requests
- feature: the debug() action allows verbose logging for certain
  rules:
    ------------------------------------------------------------
    id=R01
    client_address=1.1.1.1
    action=debug(on)
    id=R02
    ...
    id=R42
    action=debug(off)
    ------------------------------------------------------------
- feature: nested commands are possible now, e.g.:
    ------------------------------------------------------------
    # throttle
    action=rate(client_address/10/60/wait(3))
    ------------------------------------------------------------
- feature: new mail(server/helo/from/to/subject/body) action.
  Please take a look at the manual, especially about
  its limitations, before using it!
    ------------------------------------------------------------
    # alert
    action=size(recipient_domain/100000000/86400/mail(mailhost/helo/from/to/subject/text))
    ------------------------------------------------------------

1.31
====
- feature: single cache items can be wiped using --delcache <item>
  or --delrate <item> options. use --dumpcache to identify
- feature: sasl_username is logged if available
  (thanks to Bernhard Schmidt)
- code: rate limit action is executed, if the first request exceeds the limit
- code: exceeded ratecounters will not be kept permanently anymore. this
  allows further requests to pass, if they are below the limit
- code: rate limits are evaluated at ruleset stage now, which leads to
  much more comprehensible behaviour. due to this change the request
  cache is now disabled, if rate limits are used. use the
  --fast_limit_evaluation option to revert to the former mode.

1.30
====
- feature: new parser enhancement allows to omit the trailing "\" for multi-line rules,
  if the following lines are prefixed by whitespace characters:
    --------------------------------------
    id=RCPTCOUNT
        protocol_state == END-OF-MESSAGE
        client_address != 10.1.1.0/24
        recipient_count >= 100
        action=REJECT too many recipients
    --------------------------------------
- feature: new plugin interface (BETA)
- feature: Time::HiRes is used if available
- feature: new $$ratecount variable for rate() actions
- feature: ported --dumpstats and --dumpcache option from postfwd2
- bugfix: fixed program usage statistics (--summary)
- docs: documentation updates

1.22
=====
- feature: new option --keep_rates
- feature: queueid is logged when available
- bugfix: rate limits using the same item and the same limits
  did not work correctly (thanks to Yves Blusseau):
    id=INT01; INT_DOMAIN==1; \
        action=rate(sender/100/60/450 4.7.1 too much for internal domains)
    id=EXT01; EXT_DOMAIN==1; \
        action=rate(sender/100/60/450 4.7.1 too much for external domains)
- bugfix: small fix for cleanup of old rate limits
- docs: documentation updates and fixes (thanks to Vincent Lefevre)

1.21
=====
- feature: postfwd supports multiple rate limits to the same items now.
  this means that the following will now work as expected:
    id=R001; recipient_count>=100; action=rate(sender/3/3600/WARN state RED)
    id=R002; recipient_count>=100; action=rate(sender/2/3600/WARN state YELLOW)
    id=R003; recipient_count>=100; action=rate(sender/1/3600/WARN state GREEN)
- code: ported command-line option --facility from postfwd2
- docs: documentation updates and fixes (thanks to Vincent Lefevre)

1.20
=====
- code: changed the default umask for the server socket to 0111
  to support out-of-the-box postfix setup. Use the
  --umask setting to change this
- bugfix: rbl check could fail on multiple dnsbl answers
- bugfix: rbl checks disabled for ipv6 addresses, cidr compare
  will switch to default (regex/string)

1.19
=====
- code: Rate limit code rewritten
- code: new --umask setting allows to set file permissions for pidfiles
  and unix domain sockets. Default is 0117 (owner and group rw).

1.18
=====
- bugfix: Fixed bug when comparing sender and recipient addresses, like
  "sender=$$recipient". This affects only postfwd version 1.17.

1.17
=====
- bugfix: Invalid characters in variable substitutions were not correctly caught when
  the '=' operator was used, like "client_name=$$helo_name". If you can not
  upgrade for some reason change your rule to "client_name=~$$helo_name"
- code: Net::DNS errors will now be handled gracefully
- code: default for options --dns_max_ns_a_lookups and --dns_max_mx_a_lookups of 100

1.16
=====
- bugfix: this is a bugfix release for 1.15. anyone affected is encouraged to upgrade.
  detail: the default behavior for the '=' operator with numeric items
  (size, recipient_count, ...) changed with version 1.15 to '==' (equals to).
  now these items are compared '>=' (greater than) again.
  note: if you are using 1.15 and you are not able to upgrade for some reason,
  please change '=' to '>=' in your ruleset where you mean 'greater than'.

1.15
=====
- feature: items may now be retrieved from files using "item=file:/some/where"
  more information in the postfwd manual (FILES section)
- feature: helo_address, and sender_(ns|mx)_addrs can now be csv items
- feature: new rcpt() command counts recipients for rate limits (thanks to Sahil Tandon)
- code: redirect syslog to stdout for --kill, --reload and --showconfig
- code: option --reload (HUP signal) now reloads config, if the file is unchanged
- code: configuration parser improvements:
  * rules without defined action will be skipped at configuration stage
  * undefined ACLs will now be detected and skipped at configuration stage
  * parser timeout skips loading a rule after 4s, to prevent problems with
    large files or loops. use --config_timeout to override
- bugfix: documentation fixed (missing "action=" in ask() examples)

1.14
=====
- feature: new compare operators *
    ====================================================================
    ITEM == VALUE     true if ITEM equals VALUE
    ITEM => VALUE     true if ITEM >= VALUE
    ITEM =< VALUE     true if ITEM <= VALUE
    ITEM =~ VALUE     true if ITEM ~= /^VALUE$/i
    *ITEM != VALUE    false if ITEM equals VALUE
    *ITEM !> VALUE    false if ITEM >= VALUE
    *ITEM !< VALUE    false if ITEM <= VALUE
    *ITEM !~ VALUE    false if ITEM ~= /^VALUE$/i
    ITEM = VALUE      default behaviour (see ITEMS section)
    ====================================================================
- feature: added --nodaemon option
- code: non dns items first: if a rule contains dns and non dns items, the
  lookups will only be done if all non dns items matched
- bugfix: empty pcre with empty sender_(ns|mx)_names was parsed incorrectly.
  this bug affects postfwd versions 1.12 - 1.13
- bugfix: negated pcre items with '~=' operator were parsed incorrectly.
  this bug affects postfwd version 1.13

1.13
=====
- feature: enabled dns cache for sender(ns|mx) and helo address
- feature: new options --dns_max_ns_lookups and --dns_max_mx_lookups
- bugfix: workaround: Net::Server died if a unix domain socket
  filename without a dot ('.') was used (B. Frauendienst)

1.12
=====
- feature: new items sender_ns_names and sender_ns_addrs
- feature: new items sender_mx_names and sender_mx_addrs
- feature: new item helo_address, please see docs for more
- feature: added --proto switch, to enable the use of unix domain sockets
  (thanks to Bernhard Frauendienst)
- feature: added command-line options --kill and --reload
  (of course you can still use TERM and HUP signals)
- feature: dnsbl txt lookups only for dnsbls with at least one a record.
  use --dns_async_txt for the old behaviour (see docs for more).
- code: small performance improvement (5-10%) for pcre (~= or =~) items
- bugfix: network 0.0.0.0/0 did not work as expected on all platforms
- bugfix: postfwd tried to chop() an uninitialized value when sending
  garbage (non policy delegation protocol requests) to it.

1.11
=====
- feature: the ask() action allows to delegate the policy decision to another
  policy service (like postgrey). a new parameter allows to specify
  answer patterns which should be ignored by postfwd. please look
  at the 'ACTIONS' section in the manual (postfwd2 -m) for details.
- feature: new options --noidlestats and --norulelog
- feature: more informative --version
- feature: documentation updates


**************************************************************************************************
ATTENTION: requirements changed - postfwd since v1.10pre8 now uses Net::DNS.
           Net::DNS::Async and Net::CIDR::Lite are not required anymore.
NOTE: please see the docs ('postfwd -m' or 'perldoc postfwd') for more information
**************************************************************************************************

1.10pre8b
==========
- bugfix: fixed two warnings about logging of undefined values in verbose mode

1.10pre8a
==========
- bugfix: item plugins have been made available as cache-id items. this fixes a minor issue with
  --cache-rdomain-only and version 1.10pre8

1.10pre8
=========
- code: Net::DNS::Async is no longer used. The parameters --dns_queuesize and
  --dns_retries are still valid but have no function. The option --dns_timeout
  now defaults to 14s and applies to all rules containing dns items.
- code: Net::CIDR::Lite is not required any longer.
- feature: the new variable $$request_hits contains a list of all matching ruleids
- feature: the new variable $$dnsbltext allows access to txt records of rbls
- feature: new options --no-rulestats and --nodnslog
- feature: ttls of the dns responses override --cache-rbl-timeout when bigger, which means
  that you can set the option to 0 if you want to use the ttl of the dns answer.
- feature: new item "rhsbl_helo" allows to check helo against rhsbls
- bugfix: disabled fallback to synchronous dns on timed out rbls, default is now
  to disable non responding dnsbls after 11 timeouts for 1200 seconds.
  use --dns_timeout_max and --dns_timeout_interval to adjust these settings.
- bugfix: days=Wed now means exactly Wednesday. to use a range you may
  still specify days=Wed- days=-Wed and days=Tue-Thu
  this applies to all date and time items
- code: --shortlog is now default behaviour (use -v to see more)
- code: changed Net::Server behaviour to ignore syslog errors


1.10pre7c
==========
- note: 1.10pre7c does not contain any code-changes to the postfwd daemon.
  this release only fixes some issues when building packages.
- bugfix: set permissions of manpage dirs to 755
- bugfix: manpage has gone to section 8
- bugfix: postfwd-rblcheck.pl has gone to the tools folder
- bugfix: documentation now refers to request.sample

1.10pre7b
==========
- bugfix: inter-section links in documentation did not work correctly
  (thanks to Alexander 'Leo' Bergolth)

1.10pre7a
==========
- bugfix: implemented workaround for possible crash of Sys::Syslog when syslog
  daemon is unavailable (thanks to Henrik Krohns)
- bugfix: changed syslog socktype on solaris

1.10pre7
=========
- feature: $$request_score may now be used to access a request's score
- feature: auto-deactivation of non-responding dnsbls; please see the
  new --cleanup-timeouts and --dns_timeout_max options
- feature: the set command allows some basic operations:
    =========================================================
    action=set(ITEM+=VALUE)    adds VALUE to ITEM
    action=set(ITEM-=VALUE)    subtracts VALUE from ITEM
    action=set(ITEM*=VALUE)    multiplies ITEM by VALUE
    action=set(ITEM/=VALUE)    divides ITEM by VALUE
    action=set(ITEM.=VALUE)    concatenates ITEM and VALUE
    action=set(ITEM==VALUE)    sets ITEM to VALUE
    action=set(ITEM=VALUE)     default: sets ITEM to VALUE
    =========================================================
- bugfix: fixed wrong timestamp for timed out rbls
- code: score() command now allows integer values
- code: setting an empty score removes it from the table
- code: duplicate lookups within the same rule are now recognised

1.10pre6
=========
- feature: the new rate() and size() commands offer some basic rate limit controls
- feature: new cleanup options: --cleanup-rates
- feature: regexps may now be included in // characters
- feature: an empty sender address is now replaced by <>
- bugfix: some csv-separated itemlists did not work correctly since v1.10pre1
- bugfix: fixed a possible race condition with request cache when config was reloaded via HUP signal

1.10pre5a
=========
- bugfix: fixed a possible race condition in rbl_read_dns() function

1.10pre5
========
- feature: new dnsbl lookup types: rhsbl_client, rhsbl_sender, rhsbl_reverse_client
- feature: new caching option --cacheid allows to increase performance and cache efficiency
- code: cleanups will only be logged if '-v' was set or if the process took at least 1 second

1.10pre4
========
- feature: new date items 'days=Sun-Sat' and 'months=Jan-Dec'
- feature: all date/time items may now be csv-separated lists
- feature: the set command can now have multiple, csv-separated arguments
- feature: enhanced use of rblcount and rhsblcount (see doc)
- feature: new caching options --cache-no-sender,--cache-rbl-timeout and --cache-rbl-default
- feature: new cleanup options: --cleanup-requests and --cleanup-rbls
- code: cache cleanups are now performed on interval basis (not per request)
  which should decrease load on busy systems.
- code: warning on multiple definitions of id, action, rblcount and rhsblcount is issued
- bugfix: date items may now contain whitespaces (e.g. days = Fri - Sat)

1.10pre3
========
- feature: all hits for a rule are now logged in the final message
- feature: option --shortlog disables logging for some postfwd actions
- feature: introduced set() command, which enables setting of variables, which then can be
  compared to the ruleset to gain performance on repeated item lists (see doc).
- feature: introduced new command-line switches --dns_queuesize, --dns_retries and dns_retries
  to influence the behaviour of DNS lookups
- code: restructured code (~+15% speed compared to v1.03, with nodns ruleset)

1.10pre2
========
- feature: DNS lookups are now parallelized per rule. this increases the performance of dnsbl
  items (and any other future dns based check) significantly. implementation (per rule):
  1.) send dns queries, 2.) process other non-dns items, 3.) evaluate dns results
  As a downside of this approach the parser does not wait for dns queries anymore, which
  could result in increased load. you might use the sleep() command to get some delay ;-)

1.10pre1
========
- feature: the way request items are compared to the ruleset can now be influenced.
    ===============================================================
    ITEM==VALUE    true if ITEM equals VALUE
    ITEM>=VALUE    true if ITEM >= VALUE
    ITEM<=VALUE    true if ITEM <= VALUE
    ITEM~=VALUE    true if ITEM ~= /^VALUE$/i
    ITEM=VALUE     old default behaviour
    ===============================================================
- feature: the score() command now allows some basic arithmetic operations (+-*/=)
  e.g. action=score(*2) will double the current score
- feature: you can now refer to request attributes in actions, which will e.g. allow the following:
    id=R001; rbl=zen.spamhaus.org; \
        action=554 5.7.1 see http://www.spamhaus.org/query/bl?ip=$$client_address
- feature: introduced extra request attributes sender_localpart, sender_domain,
  recipient_localpart, recipient_domain and version for use like:
    id=test01; client_name ~= $$(sender_domain)$; action=score(-0.5)
- bugfix: the "=" character could not be used in items
- bugfix: negation of items (!!) did not work correctly under some circumstances
- bugfix: time was logged incorrectly during request cache cleanups in verbose mode
  (thanks to Henrik Krohns)
- code: restructured some parts of the code for future enhancement options. a plugin interface
  was prepared and will be included in the final version. perl's -w switch is used now.
- note: the documentation has not been fully updated yet.

1.03
====
- feature: request attributes can now be compared (e.g. to compare client_name and helo_name)
- feature: rule items can now be negated (e.g. to compare if client_name does not match helo_name)
- feature: extra verbose mode '-vv' now displays much more debug information
- feature: -L switch to redirect log output to stdout
- feature: new manual section about the parser, other updates
- bugfix: caching did not work at end_of_data level because of different queue ids, corrected
- bugfix: all numeric items will now match if the request attribute exceeds the corresponding
  rule item. the negation operator will lead to the opposite effect:
    =============================================================================
    ITEM=VALUE                  TYPE
    =============================================================================
    rblcount=2                  matches if rbl hits >= 2
    recipient_count=10          matches if recipients >= 10
    size=12345                  matches if size >= 12345
    encryption_keysize=256      matches if keysize >= 256
    encryption_keysize=!!256    matches if keysize < 256
    =============================================================================

1.02
====
- bugfix: rblcount and rhsblcount did not work correctly since V1.01, corrected

1.01
====
- feature: multiple rbl, rhsbl and client_address statements in a single rule are now possible
- feature: note() command will now log (not warn!). an empty argument suppresses logging
- feature: in verbose mode you must set -vv now to see the whole request attributes
- feature: cached dnsbl results are now only logged in verbose mode
- manual: several minor updates

1.00
====
- feature: multiple definitions of the same item in a single rule to build groups
- feature: rules can span multiple lines by specifying a trailing "\" character
- feature: syslog_name can now be set with -l|--logname <label>
- bugfix: fixed bug in acl parser (no "}" character could be used in ACLs)

0.99p
=====
- bugfix: size and rcpt_count were checked as minimum values
  now they are correctly interpreted as maximum.

0.99o
=====
- feature: date and time based rules
- feature: macros (please see doc)
- feature: slightly changed statistics output

0.99n
=====
- first public beta version