xref: /netbsd/external/ibm-public/postfix/dist/HISTORY (revision 281658b6)

In addition to the names listed below, the following people provided
useful inputs on many occasions: Paul D. Robertson, Simon J. Mudd.
Apologies for any names omitted.

19980105

	The compiled-in default value for resolve_smtp_sender was
	wrong (from the days that it was a boolean), causing smtpd
	to dump core when the variable was not set in main.cf.

	The INSTALL instructions now have separate sections for
	the three basic ways of running vmailer.

	The INSTALL instructions now have discusses how to deal
	with chrooted processes.

	Ported to RedHat 5.0. My, these people have re-organized
	their include files quite a bit, haven't they.

19980106

	On RedHat Linux 4.2/5.0, when a FIFO listener opens the
	FIFO with mode O_RDONLY, the FIFO remains forever readable
	after the writer has closed it.  Workaround: open the FIFO
	mode O_RDWR.

	Test program: util/fifo_rdonly_bug.c

	Unfortunately, the above fix triggers a bug on BSD/OS 3.1
	where opening the FIFO mode O_RDWR causes select() to claim
	that the FIFO is readable even before any data is written
	to it, causing read() to block or to fail.

	Test program:  util/fifo_rdwr_bug.c

	printfck (check arguments of printf-like function calls)
	found a missing argument in local/command.c

	Miscellaneous Makefile cleanups that I didn't finish before
	the first alpha release.

19980107

	Sometimes the DNS will claim that a domain does not exist,
	when in fact it does. Thus, it is a bad idea to reject mail
	from apparently non-existent domains. I have changed the
	smtpd so that it produces a soft error responses when a
	resolve_smtp_sender test fails with HOST_NOT_FOUND.  Note:
	by default, this test is still disabled.

	The DB and DBM read routines will now automagically figure
	out if (key, value) pairs were written including a terminating
	null byte or not. The DB and DBM write routines will use
	this result to determine how to write, and will fall back
	to per-system defaults otherwise.

	Renamed the README to MUSINGS, and wrote up a README that
	reflects the current status of the software.

	Added -d (don't disconnect) and -c (show running counter)
	option to te smtp-source test program. These tools are
	great torture tests for the mail software, and for the
	system that it runs on.

	Turned down the process_limit parameter (# of parallel smtp
	clients or servers) to avoid unpleasant surprises. You can
	crank up the process_limit parameter in main.cf.

19980111

	Feature: when run by the superuser, mailq now shows the
	mail queue even when the mail system is down. To this end,
	mailq (sendmail -bp) runs the showq program directly instead
	of connecting to the UNIX-domain service socket, and drops
	privileges etc.  as usual.

19980119

	Bugfix: Edwin Kremer spotted an oversight in the negated
	host matching code (for name or address patterns prefixed
	by !).

	Bugfix: upon receipt of a SIGHUP signal, the master now
	disconnects from its child processes, so that the current
	generation of child processes commits suicide, and so that
	the next generation of child processes will use the new
	configuration settings.

	Bugfix: the smtp server now skips the sender DNS domain
	lookup test for foo@[address]

	Bugfix: don't append the local domain to foo@[address]

19980120

	Bugfix: old low-priority bug in some list walk code that
	caused the master to drop core when a service was turned
	off in master.cf.

	Robustness: the mail system should be able to start up and
	to accept local postings even while the naming service is
	down.  For this reason, the mail system no longer uses
	gethostbyname() to look up its own machine name.  Sites
	that use short hostnames will have to specify their FQDN
	in main.cf (this will eventually be done by the system
	installation/configuration procedure). Should the config
	language support backticks so one can say `domainname`?
	What about $name stuff between the backtics?

	Security: the master now creates FIFOs and UNIX-domain
	sockets as the mail owner instead of as root, for better
	protection against subverted mail systems. chmod() is
	susceptible to race conditions. fchmod(), although safer,
	often does not work on sockets.

	Portability: anticipate that all major UNIXes will create
	UNIX-domain sockets with permissions modified by the process
	umask (required by POSIX). For this reason, we always
	chmod() UNIX-domain sockets, unless the system allows us
	to use the safer fchmod() instead.

	Portability: the semi-resident servers now properly handle
	EWOULDBLOCK returns from accept()  in addition to EGAIN
	(on some systems, EAGAIN and EWOULDBLOCK have different
	values).

	Bugfix: the semi-resident servers now properly handle EINTR
	returns From accept().

	Bugfix: Edwin Kremer found that mynetworks() would compute
	(32 - mask) instead of mask.

19980121

	Feature: /etc/vmailer/relocated is used by the local delivery
	program and specifies what mail should be bounced with a
	"user has moved to XXX" message. The main.cf configuration
	parameter is "relocated_maps".  Just like the "virtual_maps"
	config parameter, this feature is off by default, and the
	parameter can have values such as "files" or "files, nis"
	(on hosts equipped with NIS).

19980123

	Cleanup: virtual domain support moved from the queue manager
	to the resolve service, where it belongs.

	Feature: /etc/vmailer/canonical is used by the rewrite
	service for all addresses, and maps a canonical address
	(user@domain) to another address.  Typical use is to generate
	Firstname.Lastname@domain addresses, or to clean up dirty
	addresses from non-RFC 822 mail systems. The main.cf
	configuration parameter is "canonical_maps".  Just like
	the "virtual_maps" config parameter, this feature is off
	by default, and the parameter can have values such as
	"files" or "files, nis" (on hosts equipped with NIS).

19980124

	HPUX10 port and many little fixes from Pieter Schoenmakers.

	Bugfix: isolated an old mysterious bug that could make the
	master deaf for new connections while no child process was
	running.  A typical result was that no pickup daemon would
	be started after the previous one had terminated voluntarily.

	Bugfix: the NIS lookup code did not mystrdup() the NIS map
	name and would access free()d memory.

19980125

	Bugfix: the vstream routines would sometimes ignore flushing
	errors. The error would still be reported by vstream_fclose()
	and vstream_ferror().

	Feature: time limit on delivery to shell commands.  Config
	parameter: command_time_limit. Default value: 100 sec. The
	idea is to prevent one bad .forward file or alias file
	entry from slowly using up all local delivery process slots.

19980126

	Code cleanup: in preparation for SMTP extensions such as
	SIZE, allow an extended SMTP command to have a variable
	number of options.

19980127

	Bugfix: moved canonical map lookups away from the rewriting
	module to the cleanup service, so that canonical map lookups
	do not interfere with address rewriting on behalf of other
	programs. Back to an older trivial-rewrite program version.

	Bugfix: moved virtual map lookups away from the resolver
	back to the queue manager, so that virtual domain lookup
	does not interfere with address resolution on behalf of
	other programs. Back to an older qmgr program version.

19980131

	Feature: integrated and adapted Guido van Rooij's SIZE
	option (RFC 1870), carefully avoiding potential problems
	due to overflow (by multiplying large numbers) or unsigned
	underflow (by subtracting numbers).

	Code cleanup: cleaned up the code that parses the server
	response to the HELO/EHLO command, so that we can more
	reliably recognize what options a server supports.

19980201

	Portability: integrated the IRIX 6 port by Oved Ben-Aroya.

	Portability: the software now figures out by itself if a
	server should open its FIFO read-write or read-only, to
	avoid getting stuck with a FIFO that stays readable forever.

	Bugfix: the cleanup service would terminate with a fatal
	vstream_fseek() error when the queue file was too large.

	Bugfix: the cleanup service could be killed by a signal
	when the queue file became too large.

19980203

	Portability: some systems have statfs(), some have statvfs(),
	and the relevant include files are in a different place on
	almost every system.

	Portability: the makedefs script now nukes the -O compiler
	flag when building on AIX with IBM's own compiler...

19980204

	Portability: HP-UX 9.x support by Pieter Schoenmakers.

	Portability: added SYSV-style ulimit() file size limit
	support for HP-UX 9.x.

	Portability: added some #includes that appeared to be
	missing according to the Digital UNIX cc compiler.

	Bugfix: sys_defs.h now correctly specifies NIS support for
	LINUX2, HPUX9 and HPUX10.

	Security: fixed a file descriptor leak in the local delivery
	agent that could give shell commands access to the VMailer
	IPC streams. This should not cause a vulnerability, given
	the design and implementation of the mailer, but it would
	be like asking for trouble.

	Bugfix: the sendmail -B (body type) option did not take a
	value.

19980205

	Bugfix (SUNOS5): should not have deleted the SVID_GETTOD
	definition from util/sys_defs.h.

	Bugfix (HPUX9): forgot to specify whether to use statfs()
	or statvfs().

	Bugfix (HPUX9): don't try to raise the file size ulimit.

	Bugfix (HPUX9): must specify file size limit in 512-blocks.

19980207

	Robustness: the master process now raises the file size
	limit when it is started with a limit that is less than
	VMailer's file size limit.  File: util/file_limit.c.

	Security: the dns lookup routines now screen all result
	names with valid_hostname(). Bad names are treated as
	transient errors.

	Feature: qmail compatibility: when the home_mailbox parameter
	is set, mail is delivered to ~/$home_mailbox instead of to
	/var[/spool]/mail/username.  This hopefully makes it easier
	to lure people away from qmail :-)

	Robustness: several testers by accident configured relayhost
	the same as myhostname. The programs now explicitly check
	for this mistake.

	Bugfix: deliver_request_read() would free unallocated memory
	when it received an incomplete delivery request from the
	queue manager.

	Robustness: local_destination_concurrency=1 prevents parallel
	delivery to the same user (with possibly disastrous effects
	when that user has an expensive pipeline in the .forward
	or procmail config file).  Each transport can have its own
	XXX_destination_concurrency parameter, to limit the number
	of simultaneous deliveries to the same destination.

19980208

	Robustness: added "slow open" mode, to gradually increase
	the number of simultaneous connections to the same site as
	long as delivery succeeds, and to gradually decrease the
	number of connections while delivery fails. Brad Knowles
	provided the inspiration to do this.

	This also solves the "thundering herd" problem (making a
	bunch of connections to a dead host when it was time to
	retry that host). Let's see when other mailers fix this.

	Feature: Added $smtpd_banner and $mail_version, for those
	who want to show the world what software version they are
	running.

	Bugfix: vmailer-script now properly labels each syslog
	entry.

19980210

	Portability: merged in NEXTSTEP 3 port from Pieter Schoenmakers

	Bugfix: the local delivery program now checks that a
	destination is a regular file before locking it.

19980211

	Robustness: the local delivery agent sets HOME, LOGNAME,
	and SHELL when delivering to a user shell command. PATH is
	always set, and TZ is passed through if it is set.

19980212

	Feature: mailq (sendmail -bp) now also lists the maildrop
	queue (with mail that hasn't been picked up yet).

19980213

	Feature: the smtpd now says: 502 HELP not implemented. This
	should impress the heck out of the competition :-)

19980214

	Feature: local delivery to configurable system-wide command
	(e.g.  procmail) avoids the need for per-user ~/.forward
	shell commands. Config parameter: mailbox_command.

19980215

	Performance: avoid running a shell when a command contains
	no shell magic characters or built-in shell commands. This
	speeds up delivery to all commands. File: util/exec_command.c.

	Bugfix: the local delivery agent, after reading EOF from
	a child process, now sends SIGKILL only when the child does
	not terminate within a limited amount of time. This avoids
	some problems with procmail.  File:  util/timed_wait.c.

19980217

	Portability: folded in NetInfo support from Pieter
	Schoenmakers.

19980218

	Feature: new vmlock command to run a command while keeping
	an exclusive lock on a mailbox.

	Feature: with "recipient_delimiter = +", mail for local
	address "user+foo" is delivered to "foo", with a "Delivered-To:
	user+foo@domain" message header. Files: qmgr/qmgr_message.c,
	local/recipient.c. This must be the cheapest feature.

19980219

	Code cleanup: moved error handling into functions that
	should always succeed (non_blocking(), close_on_exec()).

19980223

	Bugfix: null pointer bug in the cleanup program after
	processing a From: header with no mail address (or with
	only a comment).

19980226

	Robustness: now detects when getpwnam() returns a name that
	differs from the requested name.

	Feature: Added %p support to the vbuf_print formatting
	module.

	Code cleanup: revamped the alias/include/.forward loop
	detection and duplicate suppression code in the local
	delivery agent. This must be the fourth iteration, and
	again the code has been simplified.

19980228

	Robustness: don't treat anything starting with whitespace
	as a header record. Instead, explicitly test for leading
	whitespace where we permit it. Files: global/is_header.c,
	bounce/bounce_flush_service.c, local/delivered.c.

19980301

	Compatibility: the sendmail program now accepts the -N
	command-line option (delivery status notification) but
	ignores it entirely, just like many other sendmail options.

	Bugfix: dns_lookup.c was too conservative with buffer sizes
	and would incorrectly report "malformed name server reply".

19980302

	Bugfix: the local delivery agent was not null-byte clean.

19980307

	Feature: integrated Pieter Schoenmaker's code for transport
	lookup tables that list (transport, nexthop) by destination.

19980309

	Bugfix: delivery agents no longer rename corrupt queue
	files, because programs might fall over each other doing
	so. Instead, when a delivery agent detects queue file
	corruption, it chmods the queue file, simulates a soft
	error, and lets the queue manager take care of the problem.

	Bugfix: the SMTP server implemented VRFY incorrectly.

	Feature: first shot at a pipe mailer, which can be used to
	extend VMailer with external mail transports such as UUCP
	(provided that the remote site understands domain addressing,
	because VMailer version 1 does not rewrite addresses).

	Cleanup: extended the master/child interface so that the
	service name (from master.cf) is passed on to the child.
	The pipe mailer needs the service name so it can look up
	service-specific configuration parameters (privilege level,
	recipient limit, time limit, and so on).

19980310-12

	Cleanup: factored out the pipe_command() code, so it can
	be shared between pipe mailer and local delivery agent.

19980314

	Compatibility: the sendmail program now parses each
	command-line recipient as if it were an RFC 822 message
	header; some MUAs specify comma-separated recipients in a
	command-line argument; and some MUAs even specify "word
	word <address>" forms as command-line arguments.

19980315

	Bugfix: VMailer's queue processing randomization wasn't
	adequate for unloaded systems with small backlogs.

	Bugfix: smtpd now uses double-buffered stream I/O to prevent
	loss of input sent ahead of responses.

19980316

	Bugfix: the smtpd anti-relay code didn't treat all hosts
	listed in $mydestinations as local, so it would accept mail
	only for hosts listed in $relay_domains (default: my own
	domain).

	Bugfix: smtpd now replies with 502 when given an unknown
	command.

19980318

	Cleanup: resolve/rewrite clients now automatically disconnect
	after a configurable amount of idle time (ipc_idle).

19980322

	Tolerance: VRFY now permits user@domain, even though the
	RFC requires that special characters such as @ be escaped.

19980325

	Bugfix: a recipient delimiter of "-" could interfere with
	special addresses such as owner-xxx or double-bounce.

	Tolerance: the SMTP client now permits blank lines in SMTP
	server responses.

	Tolerance: the SMTP client now falls back to SMTP when it
	apparently mistook an SMTP server as ESMTP capable.

	Bugfix: eliminated strtok() calls in favor of mystrtok().
	Symptom: master.cf parsing would break if $inet_interfaces
	was more than one word.

19980328

	Bugfix: user->addr patterns in canonical and virtual tables
	matched only $myorigin, not hosts listed in $mydestination
	or addresses listed in $inet_interfaces.  The man pages
	were wrong too. File: global/addr_match.c.

19980401

	Robustness: FIFO file permissions now default to 0622.  On
	some systems, opening a FIFO read-only could deafen the
	pickup daemon.  Only the listener end (which is opened as
	root) needs read access anyway, so there should not be a
	loss of functionality by making FIFOs non-readable for
	non-mail processes.

19980402

	Compatibility: sendmail -I and -c options added.

19980403

	Feature: virtual lookups are now recursive. File:
	qmgr/qmgr_message.c

19980405

	Implemented sendmail -bs (stand-alone) mode. This mode runs
	as the user and therefore deposits into the maildrop queue.

19980406

	The pickup service now removes malformed maildrop files.

19980407

	The pickup service now guards against maildrop files with
	time stamps dated into the future.

19980408

	Bugfix: in the canonical and virtual maps, foo->address
	would match foo@$myorigin only. This has been fixed to also
	match hosts listed in main.cf:$mydestination and the
	addresses listed in main.cf:$inet_interfaces.

	Bugfix: added double buffering support to the VMailer SMTP
	server. This makes the SMTP server robust against SMTP
	clients that talk ahead of time, and should have been in
	there from day one.

19980409

	Bugfix: the VMailer SMTP client now recognizes its own
	hostname in the SMTP greeting banner only when that name
	appears as the first word on the first line.

19980410

	Feature: smtpd now logs the local queue ID along with the
	client name/address, and pickup now logs the local queue
	ID along with the message owner.

	Bugfix: still didn't do virtual/canonical lookups right
	(code used the non-case-folded key instead of the case
	folded one).

19980418

	Bugfix: the SMTP server did not flush the "250 OK queued
	as XXXX" message from the SMTP conversation history.

19980419

	Bugfix: qmgr would not notice that a malformed message has
	multiple senders, and would leak memory (Tom Ptacek).

19980421

	Portability: in the mantools scripts, the expr pattern no
	longer has ^ at the beginning, and the scripts now use the
	expand program instead of my own detab utility.

19980425

	NetBSD 1.x patch by Soren S. Jorvang.

19980511

	Feature: the SMTP server now logs the protocol (SMTP or
	ESMTP) as part of the Received: header.

	Feature: smtpd now logs the last command when a session is
	aborted due to timeout, unexpected EOF, or too many client
	errors.

19980514

	Bugfix: the queue manager did not update the counter for
	in-core message structures, so the in-core message limit
	had no effect. This can be bad when you have a large backlog
	with many messages eligible for delivery.

	Robustness: the queue manager now also limits the total
	number of in-core recipient structures, so that it won't
	use excessive amounts of memory on sites that have large
	mailing lists.

19980518

	Bugfix: the SMTP client did not notice that the DNS client
	received a truncated response. As a result, a backup MX
	host could incorrectly claim that it was the best MX host
	and declare a mailer loop.

	Added start_msg/stop_msg entries to the vmailer startup
	script, for easy installation.

	Cleanup: VMailer databases are now explicitly specified as
	type:name, for example, hash:/etc/aliases or nis:mail.aliases,
	instead of implicitly as "files", "nis" and so on. Test
	program:  util/dict_open.  This change allowed me to
	eliminate a lot of redundant code from mkmap_xxx.c, and
	from everything that does map lookups.

19980525

	Bugfix: local/dotforward.c compared the result of opening
	a user's ~/.forward against the wrong error value.

19980526

	Bugfix: the smtpd VRFY command could look at free()d memory.

	Robustness: the smtpd program had a fixed limit on the
	number of token structures.  The code now dynamically
	allocates token structures.

	Bugfix: the queue manager still used the deprecated parameter
	name xxx_deliver_concurrency for concurrency control, but
	the documentation talks about the preferred parameter name
	xxx_destination_concurrency.  Fix: try xxx_destination_concurrency
	first, then fall back to xxx_deliver_concurrency.

19980621-19980702

	Cleanup: the string read routines now report the last
	character read or VSTREAM_EOF. This change is necessary
	for the implementation of the long SMTP line bugfix.

	Bugfix: the smtp server exited the DATA command prematurely
	when the client sent long lines. Reason: the smtp server
	did not remember that it broke long lines, so that '.'
	could appear to be the first character on a line when in
	fact it wasn't.

	Bugfix: the queue manager made lots of stupid errors while
	reading $qmgr_message_recipient_limit chunks of recipients
	from a queue file. This code has been restructured.

19980706

	Performance: the cleanup program now always adds return-receipt
	and errors-to records to a queue file, so that the queue
	manager does not have to plow through huge lists of
	recipients.

	Robustness: the initial destination concurrency now defaults
	to 2, so that one bad message or one bad connection does
	not stop all mail to a site. The configuration parameter
	is called initial_destination_concurrency.

	Performance: the per-message recipient limit is now enforced
	by the queue manager instead of by the transport. Thus, a
	large list of recipients for the same site is now mapped
	onto several delivery requests which can be handled in
	parallel, instead of being mapped onto one delivery request
	that is sent to limited numbers of recipients, one group
	after the other.

19980707

	Cleanup: the queue manager now does an additional recipient
	sort after the recipients have been resolved, so that the
	code can do better aggregation of recipients by next hop
	destination.

	Feature: lines in the master.cf file can now be continued
	in the same manner as lines in the main.cf file, i.e. by
	starting the next line with whitespace.

	Feature: the smtp client now warns that a message may be
	delivered multiple times when the response to "." is not
	received (the problem described in RFC 1047).

	Cleanup: when the queue manager changes its little mind
	after contacting a delivery agent (for example, it decides
	to skip the host because a transport or host goes bad),
	the delivery agent no longer complains about premature EOF.
	File: global/deliver_request.c

19980709

	Bugfix: when breaking long lines, the SMTP client did not
	escape leading dots in secondary etc. line fragments.  Fix:
	don't break lines. This change makes VMailer line-length
	transparent.  Files: global/smtp_stream.c, smtp/smtp_proto.c.

19980712

	Cleanup: the queue manager to deliver agent protocol now
	distinguishes between domain-specific soft errors and
	recipient-specific soft errors.  Result: many soft errors
	with SMTP delivery no longer affect other mail the same
	domain.

19980713

	Feature: the file modification time stamp of deferred queue
	files is set to the nearest wakeup time of their recipient
	hosts, or if delivery was deferred due to a non-host problem,
	the time stamp is set into the future by the configurable
	minimal backoff time.

	Bugfix: the SMTP client and the MAILQ command would report
	as message size the total queue file size. That would
	grossly overestimate the size of a message with many
	recipients.

	Bugfix: the 19980709 fix screwed up locally-posted mail
	that didn't end in newline.

19980714

	Robustness: the makedefs script now defaults to no optimization
	when compiling for purify.

19980715

	Robustness: the makedefs script now defaults to no optimization
	when compiling with gcc 2.8, until this compiler is known
	to be OK.

	Workaround: when sending multiple messages over the same
	SMTP connection, some SMTP servers need an RSET command
	before the second etc. MAIL FROM command. The VMailer SMTP
	client now sends a redundant RSET command just in case.

	The queue manager now logs explicitly when delivery is
	deferred because of a "dead" message transport.

19980716

	Feature: mailq and mail bounces now finally report why mail
	was deferred (the reason was logged to the syslog file
	only).  Changes were made to the bounce service (generalized
	to be usable for defer logs), showq service (to show reasons)
	and the queue manager.

	As a result the defer directory (with one log per deferred
	message) may contain many files; also, this directory is
	accessed each time a message is let into the active queue,
	in order to delete its old defer log. This means that hashed
	directories are now a must.

19980718-20

	Feature: configurable timeout for establishing smtp
	connections.  Parameter:  smtp_connect_timeout (default 0,
	which means use the timeout as wired into the kernel).
	Inspired by code from Lamont Jones. For a clean but far
	from trivial implementation, see util/timed_connect.c

	Cleaned up the interfaces that implement read/write deadlines.
	Instead of returning -2, the routines now set errno to
	ETIMEDOUT; the readable/writable tests are now separate.

19980722

	Feature: the default indexed file type (hash, btree, dbm)
	is now configurable with the "database_type" parameter.
	The default value for this parameter is system specific.

	Feature: selectively turn on verbose logging for hosts that
	match the patterns specified via the "debug_peer_list"
	config parameter.  Syntax is like the "bad_smtp_clients"
	parameter (see global/peer_list.c). The verbose logging
	level is specified with "debug_peer_level" (default 2).

	Security: the local delivery agent no longer delivers to
	files that have execute permission enabled.

19980723

	Workarounds for Solaris 2.x UNIX-domain sockets: they lose
	data when you close them immediately after writing to them.
	This could screw up the delivery agent to queue manager
	protocol.

19980724

	Cleanup: spent most of the day cleaning up queue manager
	code that defers mail when a site or transport dies, and
	fixed a few obscure problems in the process.

19980726

	Feature: the admin can now configure what classes of problems
	result in mail to the postmaster. Configuration parameter:
	"notify_classes".  Default is backwards compatible: bounce,
	policy, protocol, resource, and software.

19980726-28

	Feature: the admin can now configure what smtp server access
	control restrictions must be applied, and in what order.
	Configuration parameters:  smtpd_client_restrictions,
	smtpd_helo_restrictions, smtpd_mail_restrictions and
	smtpd_rcpt_restrictions. Defaults are intended to be
	backwards compatible. The bad_senders and bad_clients lists
	are gone and have become db (dbm, nis, etc) maps. Files:
	smtpd/smtpd_check.c, config/main.cf.

19980729-31

	Feature: hashed queues. Rewrote parts of the mail queue
	API.  Configuration parameters: "hash_queue_names" specifies
	what queue directories will be hashed (default: the defer
	log directory), "hash_queue_depth" specifies the number of
	subdirectories used for hashing (default 2).

19980802

	Bugfix: the pipe mailer should expand command-line arguments
	with $recipient once for every recipient (producing one
	command-line argument per recipient), instead of replacing
	$recipient by of all recipients (i.e.  producing only one
	command-line argument).  This is required for compatibility
	with programs that expect to be run from sendmail, such as
	uux. Thanks to Ollivier Robert for helping me to get this
	right.

	Code cleanup: for the above, cleaned up the macro expansion
	code in dict.c and factored out the parsing into a separate
	module, mac_parse.c.

19980803

	"|command" and /file/name destinations in alias databases
	are now executed with the privileges of the database owner
	(unless root or vmailer).  Thus, with: "alias_maps =
	hash:/etc/aliases, hash:/home/majordomo/aliases", and with
	/home/majordomo/aliases* owned by the majordomo account,
	you no longer need the majordomo set-uid wrapper program,
	and you no longer need root privileges in order to install
	a new mailing list.

19980804

	Added support for the real-time blackhole list.  Example:
	"client_restrictions = permit_mynetworks, reject_maps_rbl"

	All SMTP server "reject" status codes are now configurable:
	unknown_client_reject_code, mynetworks_reject_code,
	invalid_hostname_reject_code, unknown_hostname_reject_code,
	unknown_address_reject_code, relay_domains_reject_code,
	access_map_reject_code, maps_rbl_reject_code. Default values
	are documented in the smtpd/smtpd_check.c man page.

19980806-8

	Code cleanup: after eye balling line-by line diffs, started
	deleting code that duplicated functionality because it was
	at the wrong abstraction level (smtp_trouble.c), moved
	functionality that was in the wrong place (dictionary
	reference counts in maps.c instead of dict.c), simplified
	code that was too complex (password-file structure cache)
	and fixed some code that was just wrong.

19980808

	Robustness: the number of queue manager in-core structures
	for dead hosts is limited; the limit scales with the limit
	on the number of in-core recipient structures. The idea is
	to not run out of memory under conditions of stress.

19980809

	Feature: mail to files and commands can now be restricted
	by class:  alias, forward file or include file. The default
	restrictions are:  "allow_mail_to_files = alias, forward"
	and allow_mail_to_commands = alias, forward". The idea is
	to protect against buggy mailing list managers that allow
	intruders to subscribe /file/name or "|command".

19980810-12

	Cleanup: deleted a couple hundred lines of code from the
	local delivery agent. It will never be a great program;
	sendmail compatibility is asking a severe toll.

19980814

	Cleanup: made the program shut up about some benign error
	conditions that were reported by Daniel Eisenbud.

19980814-7

	Documentation: made a start of HTML docs that describe all
	configuration parameters.

	Feature: while documenting things, added smtpd_helo_required.

19980817

	Bugfix: at startup the queue manager now updates the time
	stamps of active queue files some time into the future.
	This eliminates duplicate deliveries after "vmailer reload".

	Bugfix: the local delivery agent now applies the recipient
	delimiter after looking in the alias database, instead of
	before.

	Documentation bugfixes by Matt Shibla, Tom Limoncelli,
	Eilon Gishri.

19980819

	GLIBC fixes from Myrdraal.

	Bugfix: applied showq buffer reallocation workaround in
	the wrong place.

	Bugfix: can't use shorts in varargs lists. SunOS 4 has
	short uid_t and gid_t. pipe_command() would complain.

	Bugfix: can't use signed char in ctype macros. All ctype
	arguments are now casted to unsigned char. Thanks, Casper
	Dik.

19980820

	Bugfix: save the alias lookup result before looking up the
	owner.  The previous alpha release did this right.

	Cleanup: mail_trigger() no longer complains when the trigger
	FIFO or socket is unavailable. This change is necessary to
	shut up the sendmail mail posting program, so that it can
	be used on mail clients that mount their maildrop via NFS.

	Experiment: pickup and pipe now run as vmailer most of the
	time, and switch to user privileges only temporarily.
	Files: util/set_eugid.c global/pipe_command.c pipe/pipe.c
	pickup/pickup.c. Is this more secure/ What about someone
	manipulating such a process while not root? It still has
	ruid == 0.

19980822

	Portability: with GNU make, commands such as "(false;true)"
	and "while :; do false; done" don't fail. Workaround: use
	"set -e" all over the place.  Problem found by Jeff Wolfe.

	Feature: "check_XXX_access maptype:mapname" (XXX = client,
	helo, sender, recipient). Now you can make recipient and
	other SPAM restrictions dependent on client or sender access
	tables lookup results.

19980823

	Bugfix: smtpd access table lookup keys were case sensitive.

	Added "permit" and "reject" operators. These are useful at
	the end of SPAM restriction lists (smtpd_XXX_restrictions).

	Added a first implementation of the permit_mx_backup SPAM
	restriction. This permits mail relaying to any domain that
	lists this mail system as an MX host (including mail for
	the local machine). Thanks to Ollivier Robert for useful
	discussions.

19980824

	Bugfix: transport table lookup keys were case sensitive.

19980825

	Portability: sa_len is some ugly #define on some SGI systems,
	so we must rename identifiers (file util/connect.c).

	Bugfix: uucp delivery errors are now sent to the sender.
	Thanks, Mark Delany.

	Bugfix: the pipe delivery agent now replaces empty sender
	by the mailer daemon address. Mark Delany, again.

	Portability: GNU getopt looks at all command-line arguments.
	Fix: insert -- into the pipe/uucp definition in master.cf.

	Bugfix: the smtp server command tokenizer silently discarded
	the [] around [text], so that HELO [x.x.x.x] was read as
	if the client had sent: HELO x.x.x.x. Thanks, Peter Bivesand.

	Bugfix: the HELO unknown hostname/bad hostname restrictions
	would have treated [text] as a domain name anyway.

	Bugfix: the $local_duplicate_filter_limit value was not
	picked up by the local delivery agent. This means the local
	delivery agent could run out of memory on large mailing
	list deliveries.

19980826

	Performance: mkmap/mkalias now run with the same speed as
	sendmail. VMailer now uses a 4096-entry cache with 1 Mbyte
	of memory for DB lookups.  File: util/dict_db.c.

19980902

	Robustness: the reject_unknown_hostname restriction for
	HELO/EHLO hostnames will now permit names that have an MX
	record instead of an A record.

19980903

	Feature: appending @$myorigin to an unqualified address is
	configurable with the boolean append_at_myorigin parameter
	(default: yes).

	Feature: appending .$mydomain to user@host is configurable
	with the boolean append_dot_mydomain parameter (default:
	yes).

	Feature: site!user is rewritten to user@site, under control
	of the boolean parameter swap_bangpath (default: yes).

	Feature: permit a naked IP address in HELO commands (i.e.
	an address without the enclosing [] as required by the
	RFC), by specifying "permit_naked_ip_address" as one of
	the restrictions in the "smtpd_helo_restrictions" config
	parameter.

19980904

	Code cleanup: when an SMTP client aborts a session after
	sending MAIL FROM, the cleanup service no longer warns that
	it is "skipping further client input". Files: cleanup/*.c.
	Thanks, Daniel Eisenbud, for prodding.

	Code cleanup: when an SMTP server disconnects in the middle
	of a session, don't try to send QUIT over the non-existing
	connection. Files: global/smtp_stream.c, smtp/smtp.c.
	Thanks, Daniel Eisenbud, for prodding, again.

	Code cleanup: the VMailer version number has moved from
	mail_params.h (which is included by lots of modules) to a
	separate file global/mail_version.h, so that a version
	change no longer results in massive recompilation.

	Bugfix: Errors-To was flagged as a sender address, so the
	address never was picked up.

	Code cleanup: support for Errors-To: headers completed.

19980905

	Feature: per-message exponential delivery backoff, by
	looking at the amount of time a message has been queued.
	Thanks, Mark Delany.

19980906

	Code cleanup: ripped out the per-host exponential backoff
	code. It was broken by 19980818. It was probably a bad idea
	anyway, because it required per-host, in-core, state kept
	by the queue manager.  All we do now is to keep state for
	$minimal_backoff_time seconds, but only for a limited number
	of hosts. Daniel Eisenbud spotted the problem.

	Lost feature: the SMTP session transcripts now show who
	said what. This feature was inadvertently dropped during
	development. Thanks, Daniel Eisenbud, for reminding.

	Documentation: the hard-coded rewriting process of the
	trivial-rewrite program is described in html/rewrite.html.

	Feature: the local delivery agent now does alias lookups
	before and after chopping off the recipient subaddress.
	This allows you to forward user-anything to another user,
	without losing the ability to redirect specific user-foo
	addresses.

19980909

	Feature: the smtp client now logs a warning that a server
	sends a greeting banner with the client's hostname, which
	could imply a mailer loop.

19980910

	Feature: separate canonical maps for sender and recipient
	address rewriting, so that you can rewrite an ugly sender
	address and still forward mail to that same ugly address
	without creating a mailer loop.  Files: cleanup_envelope.c,
	cleanup_message.c, cleanup_rewrite.c.

19980911

	Feature: virtual maps now support multiple addresses on
	the right-hand side. In the case of virtual domains this
	can eliminate the need for address expansion via local
	aliases, making virtual domains much easier to administer.
	This required that I moved the virtual table lookups from
	the queue manager to the cleanup service, so that every
	recipient has an on-disk status record.  Files: qmgr.c,
	qmgr_message.c, cleanup_envelope.c, cleanup_rewrite.c,
	cleanup_virtual.c.

	Feature: sendmail/mailq/newaliases pass on the -v flag to
	the program that they end up running, to make debugging a
	little easier.

19980914

	Bugfix: some anti-spam measures didn't recognize some
	addresses as local and would do too much work. File:
	smtpd_check.c.

	Bugfix: the smtp sender/recipient table lookup restriction
	destroyed global data, so that other restrictions could
	break. File: smtpd_check.c.

	Bugfix: after vmailer reload, single-threaded servers could
	exit before flushing unwritten data to the client. Example:
	cleanup would exit before acking success to pickup, so the
	message would be delivered twice. Bug reported by Brian
	Candler.

	Cleanup: removed spurious error output from vmailer-script.
	Reported by Brian Candler.

	Tolerance: ignore non-numeric SMTP server responses. There's
	lot of brain damage out there on the net.

19980915

	Feature: the smtp-sink benchmark tool now announces itself
	with a neutral name so that it can be run on the same
	machine as VMailer, without causing Postfix to complain
	about a mailer loop.

	Robustness: on LINUX, vmailer-script now does chattr +S to
	force synchronous directory updates. Fix developed with
	Chris Wedgwood.

19980916

	Bugfix: when transforming an RFC 822 address to external
	form, there is no need to quote " characters in comments.
	This didn't break anything, it just looked ugly.  File:
	global/tok822_parse.c

19980917

	Workaround: with deliveries to /file/name, use fsync() and
	ftruncate() only on regular files.  File: local/file.c

	Workaround: the plumbing code in master_spawn.c didn't
	check if it was dup2()/close()ing a descriptor to itself
	then closing it. Will have to redo the plumbing later.

19980918

	Workaround: on multiprocessor Solaris machines, one-second
	rollover appears to happen on different CPUs at slightly
	different times. Made the queue manager more tolerant for
	such things.  Problem reported by Daniel Eisenbud.

	Workaround: in preparation for deployment with a network-shared
	maildrop directory. make pickup more tolerant against clock
	drift between clients and servers.

19980921

	New vstream_popen() module that opens a two-way channel
	across a socketpair-based pipe. This module isn't being
	used yet; it is here only to complete the vstream code.

19980922

	Code cleanup: the xxx_server_main() interface for master
	child processes now uses a name-value argument list instead
	of an ugly and inflexible data structure.

	Bugfix: moved the test if a non-interactive process is run
	by hand, so that the "don't do this" error message can be
	printed to stderr before any significant processing.

	Bugfix: smtpd now can talk to unix-domain sockets without
	bailing out on a peer lookup problem. Files: smtpd/smtpd.c,
	util/peer_name.c.

	Safety: by default, the postmaster is no longer informed
	of protocol problems, policy violations or bounces.

	Safety: the SMTP server now sleeps before sending a [45]xx
	error response, in order to prevent clients from hammering
	the server with a connect/error/disconnect loop. Parameter:
	smtpd_error_sleep_time (default: 5).

	Feature: the logging facility is compile-time configurable
	(e.g., make makefiles "CCARGS=-DLOG_FACILITY=LOG_LOCAL1").

19980923

	Bugfix: changed virtual/canonical map search order from
	(user@domain, @domain, user) to (user@domain, user, @domain)
	so the search order is most specific to least specific.
	File: global/addr_map.c, lots of documentation.

	Bugfix: after the change of 19980910, cleanup_message
	extracted recipients from Reply-To: etc. headers.  Found
	by Lamont Jones.

19980925

	Bugfix: the change in virtual/canonical map search order
	broke @domain entries; they would never be looked up if
	the address matched $myorigin or $mydestinations. Found by
	Chip Christian who now regrets asking for the change.

	Bugfix: cleanup initialized an error mask incorrectly, so
	that it would keep writing to a file larger than the queue
	file size limit, and so it would treat the error as a
	recoverable one instead of sending a bounce. Thanks, Pieter
	Schoenmakers.

	Bugfix: the "queue file cleanup on fatal error" action was
	no longer enabled in the sendmail mail posting agent.

	Feature: the sendmail mail posting program now returns
	EX_UNAVAILABLE when the size of the input exceeds the queue
	file size limit. NB THIS CHANGE HAS BEEN WITHDRAWN.

19980926

	Code cleanup: the dotlock file locking routine is no longer
	derived from Eric Allman's 4.3BSD port of mail.local.

	Code cleanup: the retry strategy of the file locking routines
	dot_lockfile() and deliver_flock() is now configurable
	(deliver_flock_attempts, deliver_flock_delay, deliver_flock_stale).

	Code cleanup: the master.pid lock file is now created with
	symlink paranoia, and is properly locked so that PID rollover
	will not cause false matches.

	Bugfix: the vbuf_print() formatting engine did not know
	about the '+' format specifier.

	Cleanup: replaced unnecessary instances of stdio calls by
	vstream ones.

19980929-19981002

	Compatibility: added support for "sendmail -q". This required
	a change to the queue manager trigger protocol, and a code
	reorganization of the way queue scans were done. The queue
	manager socket now has become public.

19981002

	SMTPD now logs "lost connection after end-of-message"
	instead of "lost connection after DATA".

19981005

	More bullet proofing: timeouts on all triggers.

19981006

	Bugfix: make the number of cleanup processes unlimited, in
	order to avoid deadlock. The number of instances needed is
	one per smtp/pickup process, and an indeterminate number
	per local delivery agent. Thanks, Thanks, David Miller and
	Terry Lorrah for cleueing me in.

	Bugfix: "sendmail -t" extracted recipients weren't subjected
	to virtual mapping. Daniel Eisenbud strikes again.

19981007

	Compatibility: if the first input line ends in CRLF, the
	sendmail posting agent will treat all CRLF as LF. Otherwise,
	CRLF is left alone. This is a compromise between sendmail
	compatibility (all lines end in CRLF) and binary transparency
	(some, but not all, lines contain CRLF).

19981008

	Robustness: stop recursive virtual expansion when the
	left-hand side appears in its own expansion.

19981009

	Portability: trigger servers such as pickup and qmgr can
	now use either FIFOs or UNIX-domain sockets; hopefully at
	least one of them works properly. Trigger clients were
	already capable of using either form of local IPC.

19981011

	Feature: masquerading. Strip subdomains from domains listed
	in $masquerade_domains. Exception: envelope recipients are
	left alone, in order to not screw up routing.

19981015

	Code cleanup: moved the recipient duplicate filter from
	the user-level sendmail posting agent to the semi-resident
	cleanup service, so that the filter operates on the output
	from address canonicalization and of virtual expansion,
	instead of operating on their inputs.

19981016

	Bugfix: after kill()ing a bunch of child processes, wait()
	sometimes fails before all children have been reaped, and
	must be called again, or the master will SIGSEGV later.
	Problem reported by Scott Cotton.

	Workaround: don't log a complaint when an SMTP client goes
	away without sending QUIT.

19981018

	Workaround: Solaris 2.5 ioctl SIOCGIFCONF returns a hard
	error (EINVAL) when the result buffer is not large enough.
	This can happen on systems with many real or virtual
	interfaces. File: util/inet_addr_local.c. Problem reported
	by Scott Cotton.

	Workaround: the optional HELO/EHLO hostname syntax check
	now allows a single trailing dot.

	Workaround: with UNIX-domain sockets, LINUX connect() blocks
	until the server calls accept(). File: qmgr/qmgr_transport.c.
	Terry Lorrah and Scott Cotton provided the necessary
	evidence.

19981020

	Robustness: recursive canonical mapping terminates when
	the result stops changing.

	Code cleanup: reorganized the address rewriting and mapping
	code in the cleanup service, to make it easier to implement
	the previous enhancement.

19981022

	Code cleanup: more general queue scanning programming
	interface, in preparation for hashed queues. File:
	qmgr/qmgr_scan.c.

	Bugfix: a non-FIFO server with a process limit of 1 has a
	too short listen queue.  Until now this was not a problem
	because only FIFO servers had a process limit of 1, and
	FIFOs have no listen queue.  Fix: always configure a listen
	queue of proc_limit or more.  File: master/master_listen.c.

19981023

	Feature: by popular request, mail delay is logged when
	delivering, bouncing or deferring mail.

19981024

	Cleanup: double-bounce mail is now absorbed by the queue
	manager, instead of the local delivery agent, so that the
	mail system will not go mad when no local delivery agent
	is configured.

19981025

	Cleanup: moved the relocated table from the local delivery
	agent to the queue manager, so that the table can also be
	used for virtual addresses.

	Code reorg: in order for the queue manager to absorb
	recipients, the queue file has to stay open until all
	recipients have been assigned to a destination queue.

19981026

	vmlogger command, so that vmailer-script logging becomes
	consistent with the rest of the VMailer system.

	Code reorg: logger interface now can handle multiple output
	handlers (e.g. syslog and stderr stream).

	Bugfix: a first line starting with whitespace is no longer
	treated as an extension of our own Received: header. Files:
	smtpd/smtpd.c, pickup/pickup.c.

19981027

	Bugfix: the bang-path swapping code went into a loop on an
	address consisting of just a single !. Eilon Gishri had
	the privilege of finding this one.

	Workaround: the non-blocking UNIX-domain socket connect is
	now enabled only on systems that need it. It may cause
	kernel trouble on Solaris 2.x.

	Bugfix: the resolver didn't implement bangpath swapping,
	so that mail for site!user@mydomain would be delivered to
	a local user named "site!user".

19981028

	Cleanup: a VSTREAM can now use different file descriptors
	for reading and writing. This was necessary to prevent
	"sendmail -bs" and showq from writing to stdin. Eilon Gishri
	observed the problem.

19981029

	The RFC 822 address manipulation routines no longer give
	special attention to 8-bit data. Files: global/tok822_parse.c,
	global/quote_822_local.c.

	Bugfix: host:port and other non-domain stuff is no longer
	allowed in mail addresses.  File: qmgr/qmgr_message.c.

	Workaround: LINUX accept() wakes up before the three-way
	handshake is complete, so it can fail with ECONNRESET.
	Files: master/single_server.c, master/multi_server.c.

	Feature: when delivering to user+foo, try ~user/.forward+foo
	before trying ~user/.forward.

	Bugfix: smtpd in "sendmail -bs" (stand-alone) mode didn't
	clean up when terminated by a signal.

	Bugfix: smtpd in "sendmail -bs" (stand-alone) mode should
	not try to enforce spam controls because it cannot access
	the address rewriting machinery.

	Cleanup: the percent hack (user%domain -> user@domain) is
	now configurable (allow_percent_hack, default: yes).

	Bugfix: daemons in -S (stand-alone) mode didn't change
	directory to the queue. This was no problem with daemons
	run by the sendmail compatibility program.

19981030

	Feature: when virtual/canonical/relocated lookup fails for
	an address that contains the optional recipient delimiter
	(e.g., user+foo@domain), the search is done again with the
	unextended address (e.g., user@domain). File: global/addr_find.c.

	Code reorg: the address searching is now implemented by a
	separate module global/addr_find.c, so that the same code
	can be used for both (non-mapping) relocated table lookups
	and for canonical and virtual mapping. The actual mapping
	is still done in the global/addr_map.c module.

	Robustness: the SMTP client now skips hosts that don't send
	greeting banner text. File: smtp/smtp_connect.c

	Feature: preliminary support to disable delivered-to. This
	is desirable for mailing list managers that don't want to
	advertise internal aliases.

	Generic support: when the recipient_feature_delimiter
	configuration parameter is set, the local delivery agent
	uses it to split the recipient localpart into fields. Any
	field that has a known name such as "nodelivered" enables
	the corresponding delivery feature.

19981031

	Code reorg: address splitting on recipient delimiter is
	now centralized in global/split_addr.c, which knows about
	all reserved names that should never be split.

	Robustness: when a request for an internal service cannot
	be satisfied because the master has terminated, terminate
	instead of trying to reach the service every 30 seconds.

	Safety: the local delivery agent now runs as vmailer most
	of the time, just like pickup and pipe. Files: local/local.c,
	local/mailbox.c

19981101

	Compatibility: the tokenizer for alias/forward/etc.
	expansion now updates an optional counter with the number
	of destinations found; If no destinations is found in a
	.forward file, deliver to the mailbox instead. Thanks,
	Daniel Eisenbud, for showing the way to go.

	Robustness: the pickup daemon should always include a
	posting-time record, even when the sendmail posting agent
	didn't. However, just like before, user-provided posting
	times will be ignored. Ollivier Robert found this one.

	Robustness: duplicate entries in aliases or maps now cause
	a warning instead of a fatal error (and an incomplete file).

	Robustness: mkmap now prints a warning when an entry is in
	"key: value" format, which is the format expected for alias
	databases, not for maps.

	Portability: on LINUX, prepend "+" to the getopt() options
	string so that getopt() will stop at the first non-option
	argument. Suggestion by Marco d'Itri.

19981103

	Cleaned up the set_eugid() and open_as() implementations,
	and added stat_as() and fstat_as() so that the local delivery
	agent would look up include files and .forward files with
	the right privileges.

19981104

	Bugfix: the :include: routine now stat()s/open()s files
	included by root-owned aliases as root, not as nobody.

	Bugfix: the master crashed when a service with wakeup timer
	was disabled or renamed.  Fix: eliminate some pathological
	coupling between process management and wakeup management.

	Feature: partial implementation of ETRN (causes a full
	deferred queue scan). Thanks Lamont Jones for reminding me
	that things can be useful already before they are perfect.

	Cleanup: simplified the SMTPD tokenizer.

	Bugfix: sendmail -bs didn't properly notify the mail system
	of new mail.

	Compatibility: the MAIL FROM and RCPT TO commands now accept
	the most common address forms without enclosing <>. The <>
	is still needed for addresses that contain a "string", an
	[address], or a colon (:).

19981105

	Bugfix: "master -t" would claim that the master runs when
	in fact the pid directory does not exist, causing trouble
	with first time startup (reported by several).

	Portability: added a sane_accept() module that maps all
	beneficial accept() error results to EAGAIN. According to
	private communication with Alan Cox, Linux 2.0.x accept()
	can return a variety of error conditions, so we play safe
	and allow for any error that may happen because SYN+ACK
	could not be sent.

	Portability: NETBSD1 uses dotlock files (Perry Metzger).

	Bugfix: the local delivery agent did not canonicalize
	owner-foo sender addresses, so that local users would see
	owner-foo instead of owner-foo@$myorigin (Perry Metzger).

	OPENSTEP4 support, similar to NEXTSTEP3 (Gerben Wierda).

19981106

	Portability: the master startup would take a long time on
	AIX because AIX has a very large per-process open file
	limit.  Fix is to check the status of only the first couple
	hundred file descriptors instead. File: master/master.c.

	Bugfix: mail to user@[net.work.addr.ess] was broken because
	of a reversed test. File: qmgr/qmgr_message.c.

19981107

	Compatibility: don't clobber the envelope sender address
	when an alias has no owner-foo alias (problem diagnosed by
	Christophe Kalt).

	Bugfix: mail to local users in include files would be
	delivered directly if the alias didn't have an owner-foo
	alias, and if the alias database and include file were
	owned by root.

	Feature: with user+foo addresses, any +foo address extension
	that is not explicitly matched in canonical, virtual or
	alias databases is propagated to the table lookup result.

19981108

	Bugfix: minor memory leak in the user+foo table lookup
	code.

	Configurability: specify virtual.domain in the virtual map,
	and mail for unknown@virtual.domain will bounce automatically.
	The $relay_domains default value now includes $virtual_maps,
	so the SMTP server will accept mail for the domain. Marco
	d'Itri put me on the right track.

	Configurability: The mydestinations configuration parameter
	now accepts /file/name expressions and type:name lookup
	tables.

	Code cleanup: in order to make the previous two enhancements
	possible, revised the string/host/address matching engine
	so it can handle any mixture of strings, /file/name patterns
	and type:name lookup tables. Files: util/match_{list,ops}.c,
	global/{domain,namadr,string}_list.c.

19981110

	Code cleanup: replaced remaining isxxx() calls by ISXXX().

19981111

	Bugfix: the "bounce unknown virtual user" code was in the
	wrong place. Problem tackled with help of Chip Christian.

	Portability: reportedly, Solaris 2.5.1 can hang waiting
	for a UNIX-domain connection to be accepted, so it gets
	the same workaround that was designed for LINUX. Problem
	reported by Scott Cotton.

19981112

	Management: "vmailer stop" now allows delivery agents to
	finish what they are doing, like "vmailer reload".

	Management; "vmailer abort" causes immediate termination.

	Workaround: zombie processes pile up with HP-UX. Reason:
	select() does not return upon SIGCHLD when SA_RESTART is
	specified to sigaction(). Workaround: shorten the select()
	timer to 10 seconds, #ifdef BRAINDEAD_SELECT_RESTARTS.
	Thanks, Lamont Jones.

19981117

	Rename: VMailer is now Postfix. Sigh.

19981118

	Cleanup: generalized the safe_open() routine so that it is
	no longer limited to mailbox files, lock files, etc.

	Bugfix (found during code review): vstream*printf() could
	run off the end of a stream buffer after an I/O error,
	because vbuf_print() ignored the result from VBUF_SPACE().

	Bugfix (found during code review): resolve_local() could
	clobber its argument, but the docs didn't say so.

19981121

	Cleanup: the is_header() routine now allows 8-bit data in
	header labels.

19981123

	Bugfix (found during code review): the mail_queue_enter()
	path argument wasn't optional.  File: global/mail_queue.c

19981124

	Cleanup: eliminated redundant tests for a zero result from
	vstream_fdopen(). Unlike the stdio fdopen() routine, the
	vstream_fdopen() routine either succeeds or never returns.

	Bugfix: the queue manager now looks at the clock before
	examining a file time stamp, to avoid spurious complaints
	about time warps on busy machines. File:  qmgr/qmgr_active.c.

19981125

	Compatibility: allow trailing dot at the end of user@domain.
	Address canonicalization now strips it off. Issue brought
	forward by Eilon Gishri. File: trivial-rewrite/rewrite.c.

	Robustness: changed DNS lookup order of MAIL FROM etc.
	domains from MX then A to A then MX, just in case the MX
	lookup fails with a server error.

	Renamed vmcat, vmlock, vmlogger, vmtrigger to postcat,
	postlock, postlog, postkick. Also renamed mkmap and mkalias
	to postmap and postalias.

19981126

	Workaround: Lamont Jones found a way for HP-UX to terminate
	select() after SIGCHLD. The code is #ifdef USE_SIG_RETURN.
	Files:  util/sys_defs.h, master/master_sig.c.

	Bugfix: the Delivered-To: loop detection code had stopped
	working, when long ago the is_header() routine was changed.
	File: local/delivered.c.

19981128

	Bugfix: postcat opened queue files read-write, where only
	read access was needed. File: postcat/postcat.c.

19981129

	Safety: added a sleep(1) to all fatal and panic exits.
	File: util/msg.c.

19981201

	Robustness: postcat now insists that a file starts with a
	time record.

	Consistency: added "-c config_dir" command-line options
	where appropriate.

19981202

	Man pages, on-line version.

19981203

	Man pages, html version; overview documentation.

19981206

	Sendmail silently accepted the unsupported -qRsite and
	-qSsite options.  It now prints an error message and
	terminates.

	Separated the contributed tree from the IBM code; moved
	the LDAP and NEXTSTEP/OPENSTEP code to the contributed
	source tree because obviously I didn't write it.

19981206-9

	Had to write a postconf configuration utility in order to
	reliably find out about all configuration parameters and
	their defaults.

	Documentation bugfixes by Matt Shibla, Scott Drassinower,
	Greg A. Woods.

19981209

	On machines with short hostnames, postconf -d cored while
	reporting a fatal error. It should not report that error
	in the first place. Thanks, Eilon Gishri.

	Changed the FAQ entry about rejecting mail for *.my.domain
	on a firewall. Chip Christian was right, I was wrong.

19981214

	Portability: with GNU getopt, optind is not initially 1,
	breaking an assumption in sendmail/sendmail.c. Liviu Daia.

	Annoyance: on non-networked systems, don't warn that only
	one network interface was found. File:  global/inet_addr_local.c.
	Reported by several.

	Bugfix: on non-networked systems, the smtp client assumed
	that it was running in virtual host mode, and would bind
	to the loopback interface. File smtp/smtp_connect.c.  Liviu
	Daia, again.

19981220

	Robustness: when looking up an A or MX record, do not give
	up when the A query fails because of a server error.  File
	dns/dns_lookup.c. Reported by Scott Drassinower.

19981221

	Bugfix: "bounce mail for non-existent virtual user" didn't
	work when a non-default relay host was configured in main.cf
	or in the transport table. File: qmgr/qmgr_message.c.

	Bugfix: the maildrop directory should not be world-readable.
	Files: conf/postfix-script, showq/showq.c.

	Documentation: fixed several omissions and errors.

	Documentation: removed references to the broken recipient
	feature delimiter configuration parameter.

	Bugfix: write mailbox file as the recipient, so that file
	quota work as expected.

	Bugfix: pickup would die when it tried to remove a non-file
	in the maildrop directory (Jeff Wolfe).

19981222

	Sendmail no longer logs the queue ID when it is unable to
	notify the pickup daemon. This is a late addition to the
	"unreadable maildrop queue" patch.

	user.lock files are now created as root, so that postfix
	needs no group directory write permission.

19981224

	Security: allow queue file link counts > 1, to avoid
	non-delivery of maildrop files with links to a non-maildrop
	directory.  Files:  global/mail_open_ok.c, and anything
	that calls this code (qmgr, pickup, showq). If multiple
	hard links are a problem, see the set-gid "postdrop" utility
	below.

19981225

	Robustness: the queue manager no longer aborts when a queue
	file suddenly disappears (e.g. because the file was removed
	by hand).

	Feature: when a writable maildrop directory is a problem,
	sites can make the new "postdrop" utility set-gid. This
	command is never used when the maildrop directory is
	world-writable.

	Robustness: make the queue file creation routine more
	resistant against denial of service race attack. File:
	global/mail_queue.c

19981226

	New suid_priv module to enable/disable privileges in a
	set-uid/gid program. In the end I decided to not use it.

19981228

	Robustness: make the pickup daemon more resistant against
	non-file race attack.

	Cleanup: generic mail_stream.c interface for writing queue
	file streams to files, daemons or commands. This simplifies
	the code in smtpd and in sendmail that must be able to pipe
	mail through the postdrop command. The cleanup daemon has
	been modified to use the same interface. Result: less code.

	Feature: smtpd now logs the only recipient in Received:
	headers.

	Feature: separate command and daemon directories. Both
	default to $program_directory. Install conf/postfix-script
	if you want to use this feature.

19981230

	Patch to avoid conflict with non-writable top-level Makefile
	(Lamont Jones).

19981231

	Portability: port to UnixWare 7 by Ronald Joe Record, SCO.

19990104

	Bugfix: fencepost (Jon Ribbens, Oaktree Internet Solutions
	Ltd.) Files: quote_82[12]_local.c.

	Bugfix: wrong default for relay_domains (Juergen Kirschbaum,
	Bayerische Landesbank). File: mail_params.h.

	Bugfix: changed 5xx response for "too may recipients" to
	4xx. File: smtpd.c.

19990106

	Feature: defer_transports specifies the names of transports
	that should be used only when "sendmail -q" (or equivalent)
	is issued. For example, "defer_transports = smtp" is useful
	for sites that are disconnected most of the time. File:
	qmgr_message.c.

19990107

	Feature: local_command_shell specifies a non-default shell
	for delivery to command by the local delivery agent. For
	example, "local_command_shell = /some/where/smrsh -c"
	restricts what may appear in "|command" destinations.
	File: global/pipe_command.c.

19990112-16

	Feature: SMTP command pipelining support based on an initial
	version by Jon Ribbens, Oaktree Internet Solutions Ltd.
	This one took several days of massaging before I felt
	comfortable about it. Files: smtp.c, smtp_proto.c.

	Bugfix: the SMTP server would flush responses one-by-one,
	which caused suboptimal performance with pipelined clients.
	The vstream routines now flush the write buffer when the
	read() routine is called, instead of flushing when the
	application changes from writing to reading. Delayed flush
	prevents the SMTP server from flushing responses one-by-one
	and thus triggering Nagle's algorithm. File: util/vstream.c.

19990117

	Bugfixes and enhancements to the smtpstone tools by Drew
	Derbyshire, Kendra Electronic Wonderworks: send helo command,
	send message headers, format the message content to lines
	< 80, work around NT stacks, make "." recognition more
	robust. Files: smtp-source.c, smtp-sink.c.

	Strategy: look at the deferred queue only when the incoming
	queue is empty; limit the number of recipients read from
	a queue file depending on the number of recipients already
	in core. Files: qmgr.c, qmgr_message.c.

	Feature: postponed anti-UCE restrictions. The decision to
	reject junk mail on the basis of the client name/address,
	HELO hostname or sender address can now be postponed until
	the RCPT TO command (or HELO or MAIL FROM if you like).
	File: smtpd_check.c.

19990118

	Feature: incremental updates of alias databases and of
	other lookup tables. Both postalias and postmap now take
	a -i option for incremental updates from standard input.
	Files: global/mkmap_*.c, post{map,alias}/post{map,alias}.c.

	Compatibility: newaliases can now update multiple alias
	databases: list them in the "alias_database" parameter in
	main.cf. By the same token, postalias can now update multiple
	maps in one command. Files:  post{map,alias}/post{map,alias}.c

	Feature: mail to <> is now sent to the address specified
	with the "empty_address_recipient" configuration parameter
	which defaults to MAILER-DAEMON (idea by Lamont Jones,
	Hewlett-Packard). File: cleanup/cleanup_envelope.c.

	Compatibility: the transport table now uses .domain.name
	to match subdomains, just like sendmail mailer tables (patch
	by Lamont Jones, Hewlett-Packard).

	Feature: mailq now ends with a total queue size summary
	(Eilon Gishri, Israel Inter University Computation Center).

19990119

	Feature: address masquerade exceptions for user names listed
	in the "masquerade_exceptions" configuration parameter.
	File: cleanup/cleanup_masquerade.c.

	Feature: qmail-style maildir support, based on initial code
	by Kevin W. Brown, Quantum Internet Services Inc.

	Workaround: Solaris 2.something connect() fails with
	ECONNREFUSED when the system is busy (Chris Cappuccio,
	Empire Net). File: global/mail_connect.c.

	Feature: the cleanup service now adds a Return-Path: header
	when none is present. This header is needed for some mail
	delivery programs (see below). File: cleanup_message.c.

	Feature: the pipe mailer now supports $user, $extension
	and $mailbox macros in command-line expansions. This, plus
	the Return-Path: header (see above), should be sufficient
	to support cyrus IMAP out of the box. Based on  initial
	code by Joerg Henne, Cogito Informationssysteme GMBH.
	File: pipe/pipe.c.

	Bugfix: with address extensions enabled, canonical and
	virtual lookups now are done in the proper order:
	user+foo@domain, user@domain, user+foo, user, @domain.
	File: global/mail_addr_find.c.

19990119

	Feature: the local mailer now prepends a Received: message
	header with the queue ID to forwarded mail, in order to
	make message tracing easier.  File: local/forward.c.

	Cleanup: after "postfix reload", no more broken pipe
	complaints from resolve/rewrite clients.

19990121

	Feature: pickup (again) logs uid and sender address.  On
	repeated request by Scott Cotton, Internet Consultants
	Group, Inc.

	Portability: doze() function for systems without usleep().

	Cleanup: clients are now consistently logged as host[address].

19990122

	Maildir support changed: specify "home_mailbox = Maildir/".
	The magic is the trailing /. Suggested by Daniel Eisenbud,
	University of California at Berkeley.

	Maildir support from aliases, :include: and .forward files.
	Specify /file/name/ - the trailing / is required. Suggested
	by Daniel Eisenbud, University of California at Berkeley.

	Workaround: watchdog timer to prevent the queue manager
	from locking up on some systems.

	Bugfix: in Received: headers, the "for <recipient>"
	information was in the wrong place. Pointed out by Jon
	Ribbens, Oaktree Internet Solutions Ltd.

19990124

	Portability: more workarounds for GNU getopt() by Liviu
	Daia, Institute of Mathematics, Romanian Academy. File:
	sendmail/sendmail.c.

19990125

	Bugfix: Postfix should not masquerade recipient addresses
	extracted from message headers. Problem reported by David
	Blacka, Network Solutions. File: cleanup/cleanup_message.c.

19990126

	Feature: smtpd_etrn_restrictions parameter to restrict who
	may use ETRN and what domains may be specified.  Example:
	"smtpd_etrn_restrictions = permit_mynetworks, reject".
	Requested by Jon Ribbens, Oaktree Internet Solutions Ltd.
	File: smtpd/smtpd_check.c.

19990127

	Bugfix: in an attempt to shave some cycles, the anti junk
	mail routines would use the wrong resolved address. This
	"optimization" is now turned off. Problem reported by Sam
	Eaton, Pavilion Internet Plc. File: smtpd/smtpd_check.c.

	Feature: BIFF notifications.  For compatibility reasons
	this feature is on by default.  This "protocol" can be a
	real performance pig.  Specify "biff = no" in main.cf if
	your machine has lots of shell users. Feature requested by
	Dan Farmer - it's one of the things one does for friends.
	Files:  local/mailbox.c, local/biff_notify.c.

	Bugfix: another case sensitivity problem, this time with
	virtual lookups to recognize unknown@virtual.domain.
	Problem reported by Bo Kleve, Linkoping University. File:
	qmgr/qmgr_message.c.

19990128

	Feature: with "soft_bounce = yes", defer delivery instead
	of bouncing mail. This is a safety net for configuration
	errors with delivery agents. It has no effect on errors in
	virtual maps, canonical maps, or in junk mail restrictions.
	Feature requested by Bennett Todd. File: global/bounce.c.

19990129

	Compatibility: the qmail maildir.5 documentation prescribes
	maildir file names of the form time.pid.hostname, which is
	wrong because Postfix processes perform multiple deliveries.
	Elsewhere the qmail author has documented how maildir files
	should be named under such conditions. Postfix has been
	changed to be conformant. File: local/maildir.c.

19990131

	Feature: special treatment of owner-foo and foo-request
	can be turned off. Specify "owner_request_special = no".
	Requested by Matthew Green and others. Files: local/alias.c,
	global/split_addr.c. This affects canonical, virtual and
	alias lookups.

19990204

	Portability: signal handling for HP-UX 9 by Lamont Jones
	of Hewlett Packard. File: master/master_sig.c.

	Robustness: disable random walk inside a per-site queue to
	avoid message starvation under heavy load. File: qmgr_entry.c.

	Robustness: under some conditions the queue manager could
	declare a host dead after just one delivery failure.  File:
	qmgr_queue.c.

19990212

	Feature: skip SMTP servers that greet us with a 4XX status
	code. Example: "smtp_skip_4xx_greeting = yes". By default,
	the Postfix SMTP client defers delivery when a server
	declines talking to us. File:  smtp/smtp_connect.c.

	Robustness: upon startup the queue manager now moves active
	queue files to the incoming queue instead of the deferred
	queue, to avoid anomalous delivery delays on systems that
	have a huge incoming queue.  Files: qmgr/qmgr.c,
	qmgr/qmgr_active.c, global/mail_flush.c, conf/postfix-script*

19990213

	Robustness: added watchdog timers to avoid getting stuck
	on systems with broken select() socket implementations.
	File: qmgr_transport.c, qmgr_deliver.c.

19990218

	Feature: NFS-friendly delivery to mailbox by avoiding the
	use of root privileges as much as possible. With input by
	Mike Muus, Army Research Lab, USA.

	Feature: the smtp-sink test server now supports SMTP command
	pipelining. To this end we had to generalize the timer and
	vstream support. Poor performance is fixed 19990222.

	Cleanup: timer event routines now have the same interface
	as read/write event routines (event type + context). File:
	util/events.c.

	Feature: new vstream_peek() routine to tell how much unread
	data is left in a VSTREAM buffer. This is the vstream
	variant of the peekfd() routine for kernel read buffers.
	File: util/vstream.c.

	Feature: directory scanning support for hashed mail queue
	directories. So far the results are disappointing: with
	depth = 2 (16 directories with 16 subdirectories), mailq
	takes 5 seconds with an empty queue unless all directories
	happen to be cached in memory.  We need a bit map before
	hashed queue directories become practical. Depth=1 hashing
	doesn't slow down mailq much, but doesn't help much either.
	Files: util/scan_dir.c, global/mail_scan_dir.c.

19990221

	Workaround: with "ignore_mx_lookup_error = yes", the SMTP
	client always performs an A lookup when an MX lookup could
	not be completed, rather than treating MX lookup failure
	as a temporary error condition.  Unfortunately there are
	many broken DNS servers on the Internet. File: smtp/smtp_addr.c.

19990222

	Performance: rewrote the guts of the smtp-sink test server
	so it can do pipelining without losing performance.

19990223

	Workaround: hotmail.com sometimes drops the connection
	after "." (causing misleading diagnostics to be logged) or
	waits minutes after receiving QUIT. Solution: do not wait
	for the response to QUIT. File: smtp/smtp_proto.c.  This
	is turned off with: "smtp_skip_quit_response = no".

19990224

	Feature: the pipe mailer accepts user=username:groupname,
	based on code submitted by Philip A. Prindeville, Mirapoint,
	Inc., USA.  File: pipe/pipe.c.

	Workaround: use file locking to prevent multiple processes
	from select()ing on the same socket. This causes performance
	problems on large BSD systems. Files: master/*_server.c.

19990225

	Bugfix: with "inet_interfaces = 127.0.0.1", don't bind to
	the loopback interface. Problem reported by Steve Bellovin
	of AT&T. File: smtp/smtp_addr.c.

	Feature: "postsuper" command to remove stale queue files
	to update queues after changes to the queue structure
	parameters (hash_queue_names, hash_queue_depth). This
	command is to be run from the postfix-script maintenance
	shell script.

19990301

	Feature: new postconf -h (suppress `name = ' in output)
	option to make the program easier to use in, e.g., shell
	scripts.

	Feature: dict_unix module so you can add the UNIX passwd
	table to the SMTPD access control list.

19990302

	Feature: "luser_relay = destination" captures mail for
	non-existent local recipients. This works only when the
	local delivery agent does mailbox delivery (including
	delivery via mailbox_command), not when mailbox delivery
	is delegated to another message transport.

	Feature: new reject_non_fqdn_{hostname,sender,recipient}
	restrictions to require fully.qualified.domain forms in
	HELO, MAIL FROM and RCPT TO commands (while still allowing
	the <> sender address).

19990304

	Bugfix: backed out the 19990119 change to always insert
	Return-Path:  if that header is not present. The pipe and
	local agents now are responsible for prepending Return-Path:.
	Files:  cleanup/cleanup_message.c, global/mail_copy.[hc],
	pipe/pipe.c, global/header_opts.c.  This causes an incompatible
	change to the pipe flags parameter, because Return-Path:
	now must be requested explicitly.

19990305

	Bugfix: showq (the mailq server) incorrectly assumed that
	all recipients of a deferred message are listed in the
	corresponding defer logfile. It now lists all recipients.
	Files: showq/showq.c, cleanup/cleanup_envelope.c (ensure
	that sender records always precede recipient records).

	Cleanup: smtpd HELO restrictions validate [numerical] forms.
	Files: util/valid_hostname.c, smtpd/smtpd_check.c.  Initial
	code by Philip A. Prindeville, Mirapoint, Inc., USA.

19990306

	Cleanup: re-vamped the valid_hostname module, and added a
	maximal label length (63) requirement.

	Feature: fallback_relay parameter to specify extra backup
	hosts in case the regular relay hosts are not found or not
	available.  Files:  smtp/smtp_addr.c.

	Feature: "always_bcc = address" specifies where to send a
	copy of each message that enters he system. However, if
	that copy bounces, the sender will be informed of the
	bounce. Files: smtpd/smtpd.c, pickup/pickup.c

	Compatibility: the transport map will now route on top-level
	domains, so you can dump all of .bitnet to a bitnet relay.

19990307

	Feature: LDAP lookups, updated by Jon Hensley, Merit Network,
	USA.

	Feature: regular expression (PCRE) support by Andrew
	McNamara, connect.com.au Pty. Ltd., Australia. In order to
	use this code specify pcre:/file/name. You can use this
	anywhere you would use a DB or DBM file, NIS or LDAP.  See:
	PCRE_README for how to enable this code.

	Feature: "delay_warning_time = 4" causes Postfix to send
	a "your mail is delayed" notice after approx. 4 hours.
	Daniel Eisenbud, University of California at Berkeley.
	Files:  qmgr/qmgr_active.c, qmgr/qmgr_message. Postmaster
	notices for delayed mail are disabled by default. In order
	to receive postmaster notices, specify "notify_classes =
	...  delay ...".

	Cleanup: do not send undeliverable bounced mail to postmaster.
	This was causing lots of pain with junk mail from bogus
	sender addresses to non-existent recipients.  This change
	was reversed 19990311.

19990308

	Bugfix: the dotforward routine was too eager with throwing
	away extension information, so that the Delivered-To: info
	would differ for \mailbox and |command. Problem reported
	by Rafi Sadowski, Open University, Israel.

	Bugfix: seems I never got around to fix the btree access
	method. I finally did. Problem reported by: Matt Smith,
	AvTel Communications Inc., USA.

19990311

	Back by popular demand: with "notify_classes = 2bounce ..."
	Postfix will send undeliverable bounced mail to postmaster.
	The default is to not send double bounces.  This change
	reverses a change made on 19990307.

19990312

	Feature: configurable exit handler for server skeletons.
	Philip A.  Prindeville, Mirapoint, Inc., USA. Files:
	master/*server.c.

	Feature: mail_spool_directory configuration parameter to
	specify the UNIX mail spool directory.  The default setting
	is system dependent.

19990313

	Cleanup: share file descriptors for resolve and rewrite
	client connections. This puts less strain on the trivial-rewrite
	service.

	Portability: support for UnixWare 2.1 by Dmitry E. Kiselyov,
	Nizhny Novgorod City Health Emergency Station.

	Feature: configurable delays in the smtpstone test programs.
	With input by Philip A.  Prindeville, Mirapoint, Inc., USA.
	Files:  smtpstone/*.c.

	Bugfix: a "signal 11" problem in the trivial-rewrite program
	that would occasionally happen after "postfix reload".
	Reason: some rewrite clients would clobber their input,
	and when they had to retransmit the query, the input would
	be a zero-length string, which trivial-rewrite isn't supposed
	to receive.

19990314

	Feature: "mailbox_transport = cyrus" delegates all local
	mailbox delivery to a master.cf entry called "cyrus" (the
	same trick for procmail), including users not found in the
	UNIX passwd database.  This gives the flexibility of $name
	expansions by the pipe mailer, without losing local aliases
	and ~/.forward processing.  Result of discussions with Rupa
	Schomaker, RS Consulting.

19990315

	Feature: the mydestination parameter can now be an empty
	string, for hosts that don't receive any mail locally. Be
	sure to specify a default route for mail that comes to the
	machine or mail will loop.

19990316

	Bugfix: the SMTPD check scaffolding didn't apply the same
	sanity checks as the production code. Problem reported by
	Alain Thivillon, Herve Schauer Consultants, France. File:
	smtpd/smtpd_check.c.

	Portability: some systems can have more than 59 seconds in
	a minute. Based on a fix by Liviu Daia, Institute of
	Mathematics, Romanian Academy.  File:  global/mail_date.c.

	Enhancement: include the client network address in the
	rejected by RBL response. Lamont Jones, Hewlett-Packard.

	Workaround: use fstat() to figure out if the maildrop is
	world-writable. access() uses the real uid, which stinks.

	Robustness: don't do partial address lookups (user@, domain,
	user, @domain) with regexp-style tables.

	Security: don't allow regexp-style tables to be used for
	aliases. It would be too easy to slip in "|command" or
	:include: or /file/name.

19990317

	Feature: "fallback_transport = cyrus" delegates non-UNIX
	recipients to a master.cf entry called "cyrus", allowing
	you to have both UNIX and non-UNIX mailboxes side by side.

19990319

	Workaround: on 4.4 BSD derivatives, fstat() can return
	EBADF on an open file descriptor. Now, that was a surprise.
	This caused std{out,err} from cron commands to not be
	delivered.

	Bugfix: "local -v" stopped working.

	Workaround: more watchdog timers for postfix-unfriendly
	systems. By now every Postfix daemon has one. Call it life
	insurance.

	Robustness: increased the maximal time to receive or deliver
	mail from $ipc_timeout (default: 3600 seconds) to the more
	generous $daemon_timeout (default: 18000 seconds). We don't
	want false alarms.

	Portability: IRIX 5.2 does not have usleep().

19990320

	Bugfix: \username was broken. Frank Dziuba was the first
	to notice.

19990321

	Workaround: from now on, Postfix on Solaris uses stream
	pipes instead of UNIX-domain sockets. Despite workarounds,
	the latter were causing more trouble than anything else on
	all systems combined.

19990322

	Portability: the makedefs would mis-identify IRIX 6.5.x as
	IRIX 5.x. Fix by Brian Truelsen of Maersk Mc-Kinney Moller
	Institute for Production Technology, Denmark.

	Feature: reject_unknown_recipient_domain restriction for
	recipient addresses. For the sake of symmetry, we now also
	have reject_unknown_sender_domain. This means the old
	reject_unknown_address restriction is being phased out.
	Suggested by Rask Ingemann Lambertsen, Denmark Technical
	University.

	Feature: unknown sender/recipient domain restrictions now
	distinguish between soft errors (always: 450) and hard
	errors (configurable with the unknown_address_reject_code
	parameter, default: 450; use 550 at your own risk).

	Feature: no HELO junk mail restrictions means that no syntax
	check will be done on HELO/EHLO hostname arguments.

	Bugfix: the initial Solaris workaround for UNIX-domain
	sockets could cause the queue manager to block if Postfix
	ran into a delivery agent process limit. After another code
	rewrite that problem is eliminated.  Thanks to Chris
	Cappuccio, Empire Net, for assistance with testing.

19990323

	Bugfix: too much forwarding when users list their own name
	in their .forward file (e.g. mail to user@localhost would
	go through .forward, would be forwarded to user@$myorigin,
	and would go through .forward again). Problem reported by
	Roman Dolejsi, Prague University of Economics.

19990324

	Bugfix: missing map name in check_xxx_access restrictions
	could cause a segmentation error. Lamont Jones, Hewlett-
	Packard.

	Feature: forward_path configuration parameter (default:
	$home/.forward$recipient_delimiter$extension,$home/.forward).
	Based on initial code by Philip A.  Prindeville, Mirapoint,
	Inc., USA.  Files:  local/dotforward.c.

19990325

	Workaround: Solaris NIS alias maps need special entries
	(YP_MASTER_NAME, YP_LAST_MODIFIED). What's worse, normal
	keys/values include a null byte at the end, but the YP_XXX
	ones don't. Problem reported by Walcir Fontanini, state
	university of Campinas, Brazil.  File: postalias/postalias.c.

	Compatibility: Solaris NIS apparently does include a null
	byte at the end of keys and values. File: util/sys_defs.h.

	Feature: library support for config parameters that are
	not $name expanded at program start-up. This was needed
	for forward_path, and will also be needed to make message
	headers customizable.

	Bugfix: pcre didn't handle \\ right. Lamont Jones, Hewlett-
	Packard. File: util/dict_pcre.c.

19990326

	Compatibility: Postfix now puts two spaces after the sender
	in a "From sender date..." header. Found by John A. Martin,
	fixed by Lamont Jones, Hewlett-Packard.

	Bugfix: when a recipient appeared multiple times in a local
	alias or include expansion, the delivery status could be
	left uninitialized, causing the mail to be deferred and
	delivered again. File: local/recipient.c.

19990327

	Cleanup: the dictionary routines now take an extra flag
	argument to control such things as warning about duplicates,
	and appending null bytes to key/value. The latter was needed
	for a clean implementation of NIS master alias maps support.

	Feature: POSIX regular expressions by Lamont Jones. See
	config/sample-regexp.c. Right now, enabled on *BSD and
	LINUX only.

19990328

	Code cleanup: dictionaries now have flags that say whether
	lookup keys are fixed strings or whether keys are subjected
	to pattern matching. This is needed to avoid passing partial
	addresses to regexp-based lookup tables (user, @domain,
	user@, domain). Files: util/dict*.c.

	Bugfix: fixed memory leaks and core dumps in the regexp
	and pcre routines (neither handled an empty pattern file).

19990329

	Code cleanup: the dictionary I/O routines now do their own
	locking depending on dictionary flag settings. This means
	that the low-level dict_get() interface can now be used
	for safe dictionary lookups. This is needed for 19990328's
	partial lookup key support. Files: util/dict*.c. global/maps.c.

	Feature: regular expression matches are no longer limited
	to user@domain address forms in access/canonical/virtual
	maps, but can also be used for domains in transport maps.
	This needed the partial lookup key support to avoid passing
	partial addresses to regexp-based lookup tables (user,
	@domain, user@, domain). Files: global/maps.c
	global/mail_addr_find.c.

	Feature: new dictionary types can be registered with
	dict_open_register(). File: util/dict_open.c.

19990330

	Bug fix: match_list membership dictionary lookups were case
	sensitive when they should not. Patch by Lutz Jaenicke,
	BTU Cottbus, Germany.

19990402

	Feature: $domain macro support in forward_path.  Philip A.
	Prindeville, Mirapoint, Inc., USA.  File:  local/dotforward.c.

	Feature: if an address extension (+foo) is explicitly
	matched by the .forward+foo file name, do not propagate
	the extension to recipient addresses. This is more consistent
	with the way aliases are expanded. File:  local/dotforward.c.

19990404

	Bugfix: after receiving mail, the SMTP server didn't reset
	the cleanup error flag, so that multiple deliveries over
	the same SMTP session could fail due to errors with previous
	deliveries. Found by Lamont Jones, Hewlett-Packard.

19990405

	Feature: MIME-encapsulated bounces. Philip A.  Prindeville,
	Mirapoint, Inc., USA.  File:  bounce/bounce_notify_service.c

	Cleanup: vstreams now properly look at the EOF flag before
	attempting to read, eliminating the need for typing Ctrl-D
	twice to test programs; the EOF flag is reset after each
	unget or seek operation.  Files: util/vstream.c, util/vbuf.c.

	Feature: in preparation for configurable message headers
	the mac_parse() routine now balances the parentheses in
	${name} or $(name). We need this in order to support
	conditional expressions such as ${name?text} where `text'
	contains other ${name} expressions.

19990406

	Cleanup: changed MIME header information to make bounces
	more RFC 1892 compliant.

19990407

	Feature: "best_mx_transport = local" delivers mail locally
	if the local machine is the best mail exchanger (by default,
	mail is bounced with a "mail loops back to myself" error).

	Config: in order to make feature tracking easier the source
	code distribution now has a copy of the default settings
	in conf/main.cf.default.

	Feature: separate configurable postmaster addresses for
	single bounces (bounce_notice_recipient), double bounces
	(2bounce_notice_recipient), delayed mail (delay_notice_recipient),
	and for other mailer errors (error_notice_recipient).  The
	default for all is "postmaster".

19990408

	Workaround: on Solaris 2.x, the master appears to lose its
	exclusive lock on the master.pid file, so keep grabbing
	the lock each time the master wakes up from select().

	Robustness: don't flush VSTREAM buffers after I/O error.
	This prevents surprises when calling vstream_fclose() after
	truncating a mailbox to its original size.

	Portability: on LINUX systems, if <db_185.h> exists, don't
	look for <db/db.h>.

	Workaround: specify "sun_mailtool_compatibility = yes" to
	avoid clashes with the mailtool application. This disables
	kernel locks on mailbox files. Use only where needed.

	Portability: renamed readline to readlline, to avoid clashes
	with mysql.

19990409

	Bugfix: ignore temp queue files that aren't old enough.
	Problem reported by Vivek Khera, Khera Communications, Inc.

	Bugfix: fixed typo in dict_db.c that caused processes to
	not release DB shared locks.

	Feature: auto-detection of changes to DB or DBM lookup
	tables.  This avoids the need to run "postfix reload" after
	change to the smtp access table and other tables.

	Feature: regular expression checks for message headers.
	This requires support for POSIX or for PCRE regular
	expressions.  Specify "header_checks = regexp:/file/name"
	or "header_checks = pcre:/file/name", and specify
	"/^header-name:  badstuff/ REJECT" in the pattern file
	(patterns are case-insensitive by default).  Code by Lamont
	Jones, Hewlett-Packard.  It is to be expected that full
	content filtering will be delegated to an external command.

19990410

	Bugfix: auto-detection of changes to DB or DBM lookup tables
	wasn't done for TCP connections.

19990410

	Feature: $recipient expansion in forward_path.  Philip A.
	Prindeville, Mirapoint, Inc., USA.  File: local/dotforward.c

	Feature: the smtp client consistently treats a numerical
	hostname as an address. File: smtp/smtp_addr.c.

19990414

	Compatibility: support comment lines starting with # in
	$mydestination include files. This makes Postfix more
	compatible with sendmail.cw files. File: util/match_list.c.

	Feature: if your machines have short host names, specify
	"mydomain = domain.name", and you no longer have to specify
	"myhostname = host.domain.name". Files:  global/mail_params.c,
	postconf/postconf.c.

19990420

	Cleanup: bounce mail when a mailbox goes over file quota,
	instead of deferring delivery.  File:  local/mailbox.c.

19990421

	Feature: auto-detection of changes to DB or DBM lookup
	tables now includes the case where a file is unlinked.
	Philip A.  Prindeville, Mirapoint, Inc., USA.  File:
	util/dict.c.

19990422

	Robustness: Lotus mail sends MAIL FROM: <@> instead of <>.
	Problem reported by Erik Toubro Nielsen, IFAD, Denmark.
	Files:  trivial-rewrite/rewrite.c (@ becomes empty address)
	and global/rewrite_clnt.c (allow empty response).

	Bugfix: showq could segfault when writing to a broken pipe.
	Problem reported by Bryan Fullerton, Canadian Broadcasting
	Corporation. Files: util/vbuf_print.c.

	Cleanup: got rid of the "fatal: write error: Broken pipe"
	message when mailq output is piped into a program that
	terminates early.

	Cleanup: bounce messages are multipart/mixed with the error
	report as part of the first message segment, because users
	had trouble extracting the delivery error report from the
	attachment.

19990423

	Cleanup: the default junk mail reject code is now 554
	(service unavailable) rather than 550 (user unknown).

	Folded in the updated dict_ldap.c module by John Hensley,
	Merit Network, USA.

	Folded in the vstream_popen.c updates by Philip A.
	Prindeville, Mirapoint, Inc., USA.  This copies a lot of
	code from pipe_command(); the next step is to trim that
	module.

19990425

	Workaround: renamed config.h to mail_conf.h etc. in order
	to avoid name collisions with LINUX (yes, they have a system
	include file called config.h). For compatibility with people
	who have written software for Postfix, there's a config.h
	that aliases the old names to the new ones. That file will
	go away eventually.

19990426

	Feature: error mailer, in order to easily bounce mail for
	specific destinations. In the transport table, specify:
	"host.domain    error:host.domain is unavailable". Too bad
	that the transport table triggers on destination domain
	only; it would be nice to bounce specific users as well.

19990427

	Cleanup: "disable_dns_lookups = yes" now should disable
	all DNS lookups by the SMTP client.

19990428

	Bugfix: with DBM files, Postfix was watching the "dir" file
	modification time for changes. It should be watching the
	"pag" file instead.

19990429

	Cleanup: all callbacks in the master to server API now pass
	on the service name and the application-specific argument
	vector. Files: master/*server.c.

19990504

	Feature: conditional macro expansion. ${name?text} expands
	to text when name is defined, otherwise the result is empty.
	${name:text} expands to text when name is undefined,
	otherwise the result is empty. File: util/mac_expand.c.

	Feature: conditional macro expansion of the forward_path
	configuration parameters of $user, $home, $shell, $recipient,
	$extension, $domain, $mailbox and $recipient_delimiter.
	Files:  local/dotforward.c, local/local_expand.c.

19990506

	Cleanup: eliminated misleading warnings about unknown HELO
	etc. SMTPD restrictions when the HELO etc. information is
	not available. File: smtpd/smtpd_check.c.

19990507

	Feature: all smtpd reject messages now contain the MAIL
	FROM and RCPT TO addresses, if available.

19990508

	Feature: conditional macro expansion of the luser_relay
	configuration parameter. It is no longer possible to specify
	/file/name or "|command" destinations. File: local/unknown.c.

	Cleanup: changed the mac_parse interface so that the
	application callback routine can return status information.
	Updated the dict_regexp and dict_pcre modules accordingly.

	Cleanup: changed the mac_expand interface so that the caller
	provides an attribute lookup routine, instead of having to
	provide a copy of all attributes upfront. Files:
	util/mac_expand.c, local/local_expand.c.

	Feature: control over how address extensions are propagated
	to other addresses. By default, propagation of unmatched
	address extensions is now restricted to canonical and
	virtual mappings. Specify "propagate_unmatched_extensions
	= canonical, virtual, alias, forward, include" to restore
	previous behavior.

19990509

	Feature: USER, EXTENSION, DOMAIN, RECIPIENT (entire address)
	and MAILBOX (address localpart) environment variables are
	exported to shell commands (including mailbox_command).

	Feature: new command_expansion_filter parameter to control
	what characters may appear in message attributes that are
	exported via environment variables.

	Cleanup: SMTPD reject messages are more informative, and
	more complete sender/recipient information is logged for
	the local sysadmin.

19990510

	Bugfix: missing MIME header in postmaster bounce notices.
	Found by Samuel Tardieu, Ecole Nationale Superieure des
	Telecommunications, France.

	Feature: UCE restrictions are always delayed until RCPT
	TO, VRFY or ETRN. To change back to the default specify
	"smtpd_delay_reject = no" in /etc/postfix/main.cf.

	Bugfix: missing duplicate filter call. This caused too many
	deliveries when a user is listed multiple times in an alias.
	Reported by Hideyuki Suzuki, School of Engineering, University
	of Tokyo. Backed out on 19990512 because it caused problems.
	Fixed 19990513 but needs further study.

	Feature: it is now possible to move queue files back into
	the maildrop queue, so that they can benefit from changes
	in canonical and virtual mappings. In order to make this
	possible, some restrictions on queue file contents were
	relaxed. Files: pickup/pickup.c, cleanup/cleanup_extracted.c.

	Feature: made a start with integrating Joerg Henne's
	dictionary extensions to remove entries and to iterate over
	entries. That code is almost four months old by now.

19990511

	Feature: added a "undeliverable postmaster notification
	discarded" warning when mail is dropped on the floor.
	Requested by Michael Hasenstein, SuSE, Germany.

19990517

	Bugfix: reject_non_fqdn_sender/recipient would pass
	user@[ip_address] regardless of destination. Eric Cholet
	had the honor of suffering from this one.

19990527

	More SMTP client logging for easier debugging: the smtp
	client now logs hostname[ip.addr], and logs every failed
	attempt to reach an MX host, not just the last one.

19990601

	Bugfix: emit a blank line before a MIME boundary; the line
	is part of the boundary. File: bounce/bounce_notify_service.c.
	Wolfgang Segmuller, IBM Research.

19990610

	Bugfix: the "is this the loopback interface" test was
	broken.  Reported by Claus Fischer @microworld.com.  File:
	smtp/smtp_connect.c.

	Usability: added helpful warnings about restrictions that
	are being ignored after check_relay_domains, etc.

	Portability: Reliant Unix support by Gert-Jan Looy, Siemens,
	the Netherlands.

19990611

	Robustness: the postfix-script start-up procedure now
	detects a missing master program, avoiding misleading
	warnings that the mail system is already running.  Fix
	suggested by David E. Smith @technopagan.org.

	Portability: Mac OS X Server Port by Mark Miller @swoon.net.

	Feature: on systems that use dotlock files for mailbox
	locking, the local delivery agent now will attempt to use
	dotlock files when delivering to user-specified files.
	Dotlock files for user-specified destinations are created
	with the privileges of the user. For backwards compatibility,
	Postfix will attempt to create dotlocks for user-specified
	destinations only when the user has parent directory write
	permission.

	Feature: specify "expand_owner_alias = yes" in order to
	use the right-hand side of an owner- alias, instead of
	using the left-hand side address. Needed by Juergen Georgi.

19990622

	Bugfix: the local delivery agent did not set user attributes
	when delivering to root, so that forward_path did not expand
	properly. Found by Jozsef Kadlecsik, KFKI Research Institute
	for Particle and Nuclear Physics, Hungary.  File:
	local/dotforward.c.

	Bugfix: the unix:passwd.byname mechanism is not suitable
	for smtpd access control - the user name would have to end
	in @, or the access control software would have to be
	changed. Removed the example from the RELEASE_NOTES file.

19990623

	Bugfix: the smtp server did not reset the error flag after
	".". Found by James Ponder, Oaktree Internet Solutions Ltd.
	File: smtpd/smtpd.c.

	Bugfix: fencepost error in the doze() routine (an usleep()
	replacement for systems without one). Found by Simon J
	Mudd.  File: util/doze.c.

19990624

	Portability: support for AIX 3.2.5 (!) by Florian Lohoff
	@rfc822.org.

	Portability: Ultrix 4.3 support by Christian von Roques
	@pond.sub.org.

	Feature: mysql support by Scott Cotton and Joshua Marcus,
	Internet Consultants Group, Inc. Files: util/dict_myqsl.*.

19990627

	Bugfix: Postfix is now distributed under the new IBM Public
	License (version 1, dated June 14, 1999).

	Feature: the Delivered-To: header can be turned off for
	delivery to command or file/mailbox. The default setting
	is:  "prepend_delivered_header = command, file, forward".
	Turning off the Delivered-To: header when forwarding mail
	is not recommended.

19990628

	Feature: the postlock command now returns EX_TEMPFAIL when
	the destination file is locked by another process.

19990705

	Workaround: in the SMTP client, move the "mail loops back
	to myself test" from the 220 greeting to the HELO response.
	This change does not weaken the test, and makes Postfix
	more robust against broken software that greets with the
	client hostname.

19990706

	Workaround: in the INSTALL file, use `&&' instead of `;'
	in (cd path; tar ...) pipelines because some UNIX re-invented
	shells don't bail out when cd fails. Matthias Andree
	@stud.uni-dortmund.de.

19990709

	Bugfix: $user was not set when delivering to a non-user.
	Found by Vladimir Ulogov @ rohan.control.att.com when
	configuring a luser_relay that contained $user.

19990714

	Robustness: add PATH statement to Solaris2 chroot setup
	script to avoid running the ucb commands. Problem found by
	Panagiotis Astithas @ ece.ntua.gr.

19990721

	Bugfix: don't claim a "mail loops to myself" error when
	the best MX host was not found in the DNS. Found by Andrew
	McNamara, connect.com.au Pty Ltd. File: smtp/smtp_addr.c.

19990810

	Feature: added "-c config_dir" support to the postconf
	command. This probably means that "-f file" will never be
	implemented.

19990812

	Bugfix: showq didn't print properly when listing a maildrop
	file.  Fix by: Andrew McNamara, connect.com.au Pty Ltd.
	File: showq/showq.c.

	Feature: added SENDER to the list of parameters exported
	to external commands. File: local/command.c. Code by: Lars
	Hecking, National Microelectronics Research Centre, Ireland.

19990813

	Bugfix: sendmail -t (extract recipients from headers) did
	not work when the always_bcc feature was turned on. Reported
	by: Denis Shaposhnikov @ neva.vlink.ru.

19990813
	Bugfix: "sendmail -bd" returns a bogus exit status (the
	child process ID). Fix by Lamont Jones of Hewlett-Packard.
	File:  sendmail/sendmail.c.

19990824

	Bugfix: null pointer dereference while rejecting VRFY before
	MAIL FROM. Found by Laurent Wacrenier @ fr.clara.net.

19990826

	Portability: more MacOS X Server patches; some NEXTSTEP/OPENSTEP
	code that had been removed for the first public beta release;
	NEXTSTEP/OPENSTEP now defaults to netinfo for the aliases
	database.  Submitted by Gerben Wierda.

	Portability: workaround for a FreeBSD 3.x active network
	interface without IP address by Pierre Beyssac @ enst.fr.
	File:  inet_addr_local.c.

19990831

	Workaround: sendmail now prints a warning when installed
	set-uid or when run by a set-uid command. Reportedly, the
	linuxconf software turns on the set-uid bit, which could
	open up a security loophole. File: sendmail/sendmail.c.

	Bugfix: Postfix daemons now temporarily lock DB/DBM files
	while opening them, in order to avoid "invalid argument"
	errors because some other process is changing the file.
	Files: util/dict_db.c, util/dict_dbm.c.

	Robustness: Postfix locks queue files during delivery, to
	prevent duplicate delivery when "postfix reload" is
	immediately followed by "sendmail -q". This involves a
	change of the deliver_request interface:  delivery agents
	no longer need to open and close queue files explicitly.
	Files:  global/deliver_request.c, pipe/pipe.c, smtp/smtp.c,
	local/local.c, qmgr/qmgr_active.c, qmgr/qmgr_message.c.

	Feature: reject_unauth_destination SMTP recipient restriction
	that rejects destinations not in $relay_domains.  By Lamont
	Jones of Hewlett-Packard.  File: smtpd/smtpd_check.c.

	Security: do not allow weird characters in the expansion
	of $names that appear in $forward_path. Just like with
	shell commands, replace bad characters in expansions by
	underscores.  Configuration parameter:  forward_expansion_filter.

19990902

	Documentation: added a sample postfix alias to the examples
	in the INSTALL document and in the conf/aliases file.
	Reminded by Simon J.  Mudd @ alltrading.com.

19990903

	Bugfix: in case of some error conditions the pickup daemon
	could leak small amounts of memory.

19990905

	Bugfix: no more "skipping further client input" warnings
	when a message header is rejected.

	Feature: reject_unauth_pipelining SMTP restriction that
	rejects mail from clients that improperly use SMTP command
	pipelining.

	Robustness: the LDAP client by default no longer looks up
	names containing "*". See the lookup_wildcards feature in
	LDAP_README. Update by John Hensley.

	Documentation: address masquerading with exceptions FAQ by
	Jim Seymour @ jimsun.LinxNet.com.

	Bugfix: mysql reconnect after disconnect by Scott Cotton
	Internet Consultants Group, Inc. File: util/dict_myqsl.c.

	Portability: the Postfix to PCRE interface now expects
	version 2.08.  Postfix is no longer compatible with PCRE
	versions before 2.6.

19990906

	Feature: INSTALL.sh script that makes Postfix installation
	a bit less painful. This script can be used for installing
	and for upgrading Postfix. It replaces files instead of
	overwriting them, and leaves existing configuration and
	queue files intact.

19990907

	Bugfix: reject_non_fqdn_sender used the wrong test to see
	if a sender address was given and could dump core. This
	must have been broken ever since the UCE tests were moved
	to the RCPT TO stage in 19990510.

	Bugfix: check_sender_access was recognized as a valid
	restriction name only if a sender had been specified.

19990908

	Portability: Unixware has <sysexits.h> only after sendmail
	is installed. Changed postlock.c to use global/sys_exits.h.

19990909

	Performance: added one-entry cache to the address rewriting
	client and to the address resolving client. This is because
	UCE restrictions tend to produce the same query repeatedly.
	Files: global/rewrite_clnt.c, global/resolve_clnt.c.

	Feature: the UCE restrictions are now fully recursive so
	you can have per-client/helo/sender/recipient restrictions.
	Instead of OK, REJECT or [45]xx, you can specify a sequence
	of restrictions on the right-hand side of an SMTPD access
	table. This means you can no longer use canonical/virtual/alias
	maps as SMTPD access tables. But the loss is compensated
	for.  File: smtpd/smtpd_access.c.

	Feature: restriction classes, essentially a short-hand for
	restriction lists.  These short hands are useful mostly on
	the right-hand side of SMTPD access tables. You must use
	restriction classes in order to have lookup tables on the
	right-hand side of an SMTPD access table.  File:
	smtpd/smtpd_access.c.

	Feature: "permit_recipient_map maptype:mapname" permits a
	recipient address when it matches the specified table.
	Lookups are done just as with canonical/virtual maps.  With
	this, you can also use passwd/aliases as SMTPD access maps.
	File: smtpd/smtpd_access.c.

19990910

	Changed "permit_address_map" into "permit_recipient_map"
	and added a test for the case that they specify a lookup
	table on the right-hand side of an SMTPD access map.  File:
	smtpd/smtpd_access.c.

	Cleanup: removed spurious sender address checks for <>.
	File: smtpd/smtpd_check.c.

	Cleanup: the smtp client now consistently logs host[address]
	for all connection attempts.

19990919

	Feature: in an SMTPD access map, an all-numeric right-hand
	side now means OK, for better cooperation with out-of-band
	authentication mechanisms.

19990922

	Security: recipient addresses must not start with '-', in
	order to protect external commands. The old behavior is
	re-instated when main.cf specifies:  "allow_min_user =
	yes".  Credits to Mads Kiilerich @ Kiilerich.com.  File:
	qmgr/qmgr_message.c.

	Bugfix: after 19990831, the queue manager would throw away
	defer logs after deferring mail to known-to-be-dead hosts
	or message transports. This means that in some cases, mailq
	would not show why mail is delayed, and that delayed mail
	could be sent back with recipients missing from the error
	report. Reported by Giulio Orsero @ tiscalinet.it.

19990923

	Bugfix: the above bugfix broke bounces of mail with bad
	address syntax and relocated users. Problem diagnosed by
	Dick Porter @ acm.org.

	Documentation: added DO NOT EDIT THIS FILE. EDIT MAIN.CF
	INSTEAD notices to the sample-xxx.cf files.

19991007

	Compatibility: ignore the sendmail -U (initial user
	submission) option. Thomas Quinot @ cuivre.fr.eu.org.

19991103

	Code cleanup: don't send postmaster notifications when an
	SMTP client sends a DATA command while no recipients were
	accepted.  This can happen when a pipelined client runs
	into an UCE block. File:  smtpd/smtpd.c.

19991104

	Robustness: do not apply UCE header checks to mail that is
	generated by Postfix (bounces, forwarded mail etc.).  Files:
	smtpd/smtpd.c, pickup/pickup.c, cleanup/cleanup_message.c.

	Robustness: new generic watchdog module that can deal with
	clocks that jump occasionally. Files: util/watchdog.c,
	master/master.c, master/{single,multi,trigger}_server.c.
	This hopefully ends the false watchdog alarms that happen
	when clocks are set or when laptops are resumed.

	Code cleanup: BSMTP requires dot quoting as per RFC 821.
	Based on code by Florian Lohoff @ rfc822.org. Files:
	global/mail_copy.[hc], pipe/pipe.c.

19991105

	Bugfix: the crufty code in inet_addr_local() did not find
	IP aliases. File: util/inet_addr_local.c.

	Portability: the INSTALL.sh utility did not find users or
	groups in NIS or Netinfo tables. The script no longer
	searches the /etc/passwd and /etc/group files.  Instead it
	now queries the unix:passwd.byname and unix:group.byname
	maps.  For this, a -q (query) option was added to postmap
	(and to postalias, for symmetry).  Files: util/dict_unix.c,
	postalias/postalias.c, postmap/postmap.c, INSTALL.sh.

	Bugfix: LDAP lookup timeout settings were ignored. Patch
	by John Hensley. File: util/dict_ldap.c.

19991108

	Bugfix: when doing a fresh install, INSTALL.sh didn't set
	main.cf:mail_owner properly (Simon J. Mudd).

19991109

	Bugfix: when doing a fresh install, INSTALL.sh no longer
	worked (missing main.cf file).  Fix: add "-c" argument to
	the postmap commands (Lars Hecking @ nmrc.ucc.ie).

	Documentation: removed spurious "do not edit" comments from
	the sample pcre and regexp configuration files.

19991110-13

	Code cleanup: greatly simplified the SMTPD command parser
	and somewhat simplified the code that groks RFC 822-style
	address syntax in MAIL FROM and RCPT TO commands.

	New parameter: strict_rfc821_envelopes (default: no) to
	reject RFC 822 address forms (with comments etc.) in SMTP
	envelopes. By default, the Postfix SMTP server only logs
	a warning.

19991113

	Oops, also updated the SMTP VRFY code in the light of
	changes to the SMTPD command parser.

	Cleanup: the local delivery agent now explicitly rejects
	recipients with an empty username.

19991114

	Workaround: with some gawk versions, postconf/extract.awk
	reportedly returns a non-zero exit status upon success.
	Added an explicit exit(0) statement.

19991115

	Feature: DNS TXT record lookup support, based on initial
	code by Simon J Mudd.  File: dns/dns_lookup.c.

	Feature: RBL TXT record lookups, based on initial code by
	Simon J Mudd.  File: smtpd/smtpd_check.c.

	Feature: permit_auth_destination restriction based on code
	by Jesper Skriver @ skriver.dk.

	Code cleanup: the transport table now can override all
	deliveries, including local ones.

19991116

	Code cleanup: a new "local_transports" configuration
	parameter explicitly lists all transports that deliver mail
	locally. The first name listed there is the default local
	transport.  This is the end of the "empty next-hop hostname"
	hack to indicate that a destination is local.  Files:
	trivial-rewrite/resolve.c, global/local_transport.[hc]

	Feature: "postconf -m" shows what lookup table types are
	available.  Code by Scott Cotton, Internet Consultants
	Group, Inc.

	Feature: "postconf -e" edits any number of main.cf parameters.
	The edit is done on a copy, and the copy is renamed into
	the place of the original. File: postconf/postconf.c,
	util/readlline.[hc].

19991117

	Portability: SunOS 4 has no SA_RESTART. File: util/watchdog.c.

	Feature: on systems with h_errno, the "reject_unknown_client"
	restriction now distinguishes between soft errors (always
	reply with 450) and hard errors (use the user-specified
	reply code).  This should lessen the load by broken mailers
	that re-connect once a minute.

	Feature: forward/reverse name/address check for SMTP client
	hostnames. This fends off some hypothetical attacks by
	spammers who are in control of their own reverse mapping.

	Robustness: postconf no longer aborts when it can't figure
	out the local domain name; it prints a warning instead.
	This allows you to use "postconf -e" to fix the problem.

19991118

	Bugfix: the RFC822 address parser would misparse a leading
	\ as an atom all by itself. Problem reported by Keith
	Stevenson @ louisville.edu. File: global/tok822_parse.c.

19991119

	Bugfix: tiny memory leak in pipe_command() when fork()
	fails.  File: global/pipe_command.c.

19991120

	Bugfix: reversed test for all-numerical results in SMTPD
	access maps. File: smtpd/smtpd_check.c.

19991121

	Robustness: INSTALL.sh no longer uses postmap for sanity
	checks.

	Feature: INSTALL.sh now has an install_root option.

	Bugfix: INSTALL.sh now installs manual pages with proper
	permissions and ownership.

	Bugfix: the LDAP client did not properly escape special
	characters in lookup keys (patch by John Hensley).  File:
	util/dict_ldap.c.

19991122

	Bugfix: missing absolute path in INSTALL.sh broke fresh
	install.

19991124

	Bugfix: the local delivery agent's recipient duplicate
	filter did not work when configured to use unlimited memory
	(which is not a recommended setting). Patrik Rak @raxoft.cz.

19991125

	Bugfix: postconf didn't have an umask(022) call at the
	beginning (problem experienced by Matthias Andree).

19991126

	Bugfix: DNS TXT records now have string lengths before text
	(Mark Martinec @ nsc.ijs.si).

19991127

	Update: the LDAP client code now supports escapes as per
	RFC2254 (John Hensley).

19991207

	Performance: one message with many recipients no longer
	stops other mail from being delivered. The queue manager
	now frees in-memory recipients as soon as a message is
	delivered to one destination, rather than waiting until
	all in-memory destinations of that message have been tried.
	Patch by Patrik Rak @ raxoft.cz.  Files: qmgr/qmgr_entry.c,
	qmgr/qmgr_message.c.

	Performance: when delivering mail to a huge list of
	recipients, the queue manager now reads more recipients
	from the queue file before delivery concurrency drops too
	low.  Files:  qmgr/qmgr_entry.c, qmgr/qmgr_message.c.

19991208

	Updated LDAP client code by John Hensley with escape
	sequences as per RFC 2254. File: util/dict_ldap.c.

	Updated MYSQL client code by Scott Cotton. File: dict_mysql.c.

	Feature: added -N/-n options to include/exclude terminating
	nulls in keys and values in postmap/postalias DB or DBM
	files. Normally, Postfix uses whatever is appropriate for
	the host system.  A non-default setting can be necessary
	for inter-operability with third-party software.

	Bugfix: the local delivery agent would deliver to the user
	instead of the .forward file when the .forward file was
	already visited via some non-recursive path. Patch by Patrik
	Rak @ raxoft.cz. Files: global/been_here.c, local/dotforward.c.

	Robustness: attempt to deliver all addresses in the expansion
	of an alias or .forward file, even when some addresses must
	be deferred.  File: local/token.c.

19991211

	Performance: qmgr_fudge_factor controls what percentage of
	delivery resources Postfix will devote to one message.
	With 100%, delivery of one message does not begin before
	delivery of the previous message is completed. This is good
	for list performance, bad for one-to-one mail. With 10%,
	response time for one-to-one mail improves much, but list
	performance suffers. In the worst case, people near the
	start of a mailing list get a burst of postings today,
	while people near the end of the list get that same burst
	of postings a whole day later.  Files: qmgr/qmgr_message.c,
	qmgr/qmgr_entry.c.

	Bugfix: address rewriting would panic on a lone \ at the
	end of a line where an address was expected. Jason Hoos @
	thwack.net. File: global/rewrite_clnt.c.

19991215

	Bugfix: the strict RFC821 envelope address check should
	not be applied to VRFY commands. File: smtpd/smtpd.c.

	Cleanup: permit_recipient_maps is gone, because that could
	only be used inside UCE restrictions.

19991216

	Feature: allow an empty inet_interfaces parameter, just
	like an empty mydestination parameter. It's needed for true
	null clients and for firewalls that deliver no local mail.

	Feature: "disable_vrfy_command = yes" disables some forms
	of address harvesting used by spammers.

	Workaround: added the alias map parameter definition to
	the smtpd code.  This is a symptom of a general problem
	with parameters that have non-empty default values:  unless
	a program explicitly defines such a parameter, the parameter
	defaults to the empty string when used in other parameters.
	There's also a problem with evaluation order.

	Feature: the SMTP server rejects mail for unknown users in
	virtual domains that are defined by Postfix virtual domain
	files. File: smtpd/smtpd_check.c.

	Feature: reject mail for unknown local users at the SMTP
	port.  The local_recipient_maps configuration parameter
	specifies maps with all addresses that are local with
	respect to $mydestination or $inet_interfaces. Example:
	"local_recipient_maps = $alias_maps unix:passwd.byname".
	This feature is disabled by default. You may have to copy
	the passwd file into the chroot jail. File:  smtpd/smtpd_check.c.

	Feature: the sendmail -f option now understands '<user>'
	and even understands address forms with RFC 822-style
	comments.

19991217

	Cleanup: no more UCE checks for VRFY commands. It still
	reports unknown local/virtual users. File:  smtpd/smtpd_check.c.

	Robustness: upon Postfix startup, report discrepancies
	between system files inside and outside the chroot jail.
	Files: conf/postfix-script-nosgid, conf/postfix-script-sgid.

19991218

	Cleanup: INSTALL.sh produces relative symlinks, which is
	necessary when install_root is not /.

19991219

	Documentation: completely reorganized the FAQ and added
	many new entries. Rewrote the UCE html documentation.

	Cleanup: INSTALL.sh uses a configurable directory for
	scratch files, so that it can install from a file system
	that is not writable by the super-user.

	Cleanup: INSTALL.sh gives helpful hints when the "mv"
	command is unable to move symlinks across file system
	boundaries.

19991220

	Cleanup: it is no longer necessary to list $virtual_maps
	as part of the relay_domains definition. The SMTP server
	now by default accepts mail for destinations that match
	$inet_interfaces, $mydestination or $virtual_maps, whether
	or not these are specified in relay_domains.  We still need
	the ugly "virtual.domain whatever" hack in the virtual
	maps. Files:  smtpd/smtpd_check.c and lots of documentation
	and sample config files.

19991221

	Removed cyrus -q flag (ignore quotas) from the sample
	master.cf file.

19991223

	Bugfix: smtpd should not check for unknown users when
	running in stand-alone (sendmail -bs) mode. Problem
	experienced by Chuck Mead.  File: smtpd/smtpd.c.

	Retraction: the "local_transports" configuration parameter
	is gone. Adjusted code and documentation accordingly.
	Instead, use just one "local_transport" parameter with the
	name of the default local transport. Files:  smtpd/smtpd_check.c,
	qmgr/qmgr_message.c, trivial-rewrite/ resolve.c, local/resolve.c.

	Feature: Postfix SMTPD now insists that the smtpd recipient
	restrictions contain at least one restriction that by
	default rejects mail. This should make it much more difficult
	to change Postfix into an open relay.  File:  smtpd/smtpd_check.c.

	Retraction: null-length inet_interfaces is too confusing.

19991224

	Bugfix: the relative symlink code in INSTALL.sh computed
	the ../ prefix from the wrong pathname.

1999122[5-7]

	Feature: "allow_untrusted_routing = no" (default) prevents
	forwarding of source-routed mail from untrusted clients to
	destinations that are blessed by the relay_domains parameter
	(example:  user@domain2@domain1 etc.).  This plugs a mail
	relay loophole where a backup MX host forwards junk mail
	to a primary MX host which forwards the junk to the Internet.
	Files:  global/quote_822_local.c, smtp/quote_821_local.c,
	trivial-rewrite/rewrite.c, trivial-rewrite/resolve.c,
	smtp/smtpd_check.c.

	In order to make this possible, the Postfix resolver data
	structure and protocol has changed, so that all resolver
	clients need to be re-compiled.

	Side effect from the above change: from now on, an address
	with @ in the recipient localpart no longer bounces with
	"user unknown" but instead is rejected with "relay access
	denied" or "source-routed relay access denied".

19991227

	Workaround: the BSD/OS "mkdir -p" and "cmp -s" commands
	misbehave on boundary cases: directory exists or file does
	not exist. Those who re-invent...

19991229

	Added the no source routing info requirement to addresses
	accepted by the permit_mx_backup UCE restriction.

19991230

	Added a spawn daemon (not compiled and installed by default)
	to enable LMTP delivery over UNIX-domain sockets. The goal
	is to simplify the experimental LMTP delivery agent by
	ripping out the privileged code that forks the LMTP server.

20000102

	Clarified documentation after early feedback on the 19991231
	release by Drew Derbyshire, Ollivier Robert, Khetan Gajjar.

	Sanity check: a common error is to list Postfix virtual
	domains in the mydestination parameter. This causes the
	new optional local_recipient_maps feature to reject mail
	for virtual users.  The SMTP server now explicitly tests
	for this common error and logs a warning instead of refusing
	the mail.  File:  smtpd/smtpd_check.c.

20000104

	Bugfix: a case sensitivity bug had slipped through in the
	anti-relaying code, causing mail for USER@VIRTUAL.DOMAIN
	to be rejected with "relay access denied". This was found
	by Jim Maenpaa @ jmm.com.

	Questionable feature: set "smtp_skip_5xx_greeting = yes"
	to make Postfix more sendmail compatible, even though this
	is wrong, IMNSHO. File: smtp/smtp_connect.c.

	Portability: Ultrix patch from Simon Burge @ thistledown.com.au.

	Portability: Siemens Pyramid (dcosx) patch by Thomas D.
	Knox @ vushta.com.

	Performance: FreeBSD has bidirectional pipes that are faster
	than socketpairs. Anticipating on more platform-specific
	optimizations, all duplex pipe plumbing is now isolated in
	a duplex_pipe.c module that provides a system-independent
	interface.

20000105

	Cleanup: the INSTALL.sh script now updates the sample files
	in /etc/postfix even when main.cf exists.

20000106

	Bugfix: the SMTP server should consult the relocated map
	for virtual destinations (Denis Shaposhnikov). Files:
	smtpd/smtpd.c smtpd/smtpd_check.c.

20000108

	Workaround: rename() over NFS can fail with ENOENT even
	when the operation succeeds (Graham Orndorff @ WebTV). This
	is not news. Any non-idempotent operation can fail over
	NFS when the NFS server's acknowledgment is lost and the
	NFS client code retries the operation (other examples are:
	create, symlink, link, unlink, mkdir, rmdir).  Postfix has
	workarounds for the cases where this is most likely to
	cause trouble. Files:  util/sane_{rename,link}.[hc].  If
	you want reliable mail system, do not use NFS.

20000115

	Workaround: better detection of bad hardware. Added SIGBUS
	to the list of signals that the master will log before
	exiting.

20000122

	Portability: preliminary SCO5 port Christopher Wong @
	csports.com. This still needs to a workaround for "find"
	not supporting "-type s" (actually, UNIX-domain sockets
	have no unique representation in the file system and show
	up as FIFOs).

20000115-22

	Bugfix: in case of a too long message header, don't extract
	recipients from message headers.  With the previous behavior,
	Bcc information could be left in the message body, as one
	person found out the hard way.  Files:  cleanup/cleanup.c,
	cleanup/cleanup_extracted.c, global/cleanup_user.h.

20000124

	Whatever: RFC 1869 amends RFC 821 and specifies that code
	555 is to be used when a MAIL FROM or RCPT TO parameter is
	not implemented or not recognized. Russ Allbery @stanford.edu.
	This reply code is added to the list of reply codes that
	cause the Postfix SMTP client to mail a transcript to the
	postmaster.  File: smtp/smtp_trouble.c.

20000126

	Emergency feature: qmgr_site_hog_factor (default: 90 percent)
	limits the amount of resources that Postfix devotes to a
	single destination. With less than 100, Postfix defers the
	excess mail so that one site with a large backlog does not
	block other deliveries. Files: qmgr/qmgr.c, qmgr/qmgr_message.c.

20000128

	Cleanup: the queue manager no longer replaces the nexthop
	field by the recipient localpart when a destination matches
	$mydestination/$inet_interfaces. The price is the introduction
	of a new parameter local_destination_recipient_limit which
	defaults to 1 in order to maintain backwards compatibility.
	Files: qmgr/qmgr.c, qmgr/qmgr_message.c.

20000129

	Bugfix: extracted recipients were misfiled when a message
	was moved back to the maildrop queue. But they still worked
	due to a coincidence.

	Feature: bounce_recip() bounces a recipient immediately
	without accessing a bounce logfile.  This is necessary for
	VERP bounces, for bounces by delivery agents that change
	the sender address, and for bounces that for some reason
	must not use temporary logfiles.  Files: global/bounce.c,
	bounce/bounce_recip_service.c.

20000130

	Bugfix: the too long header fix of 20000115-22 lost mail
	with too long headers that didn't need to extract recipients
	from message headers.

	Bugfix: the too long header fix of 20000115-22 lost mail
	without (blank line + message body).

	Code rewrite: reorganized the cleanup daemon source code
	so that the cleanup service can be called one record at a
	time (see cleanup/cleanup_api.c); also got rid of the global
	state variables and fixed a couple bugs that were introduced
	with 20000115-22.

20000204

	Feature: in daemon mode, the MAIL FROM size check can be
	postponed until RCPT TO so that Postfix can log sender and
	recipient. Simon J Mudd.  Files: smtpd/smtpd.c

	Robustness: limit the number of recipient addresses that
	can be extracted from message headers. Parameter:
	extract_recipient_limit (default:  10240). Files:
	cleanup/cleanup_message.c, cleanup/cleanup_extracted.c.

	Cleanup: the message header reject logging now includes
	sender and recipient address (if possible), so that the
	logging looks more like the other reject logging.  File:
	cleanup/cleanup_message.c.

	Documentation: added sections on regular expression tables
	to the access, canonical, virtual, transport and relocated
	man pages, and write new man pages that are specific to
	regular expressions: pcre_table.5 and regexp_table.5.

20000214

	Bugfix: postconf reported some parameters more than once
	because the parameter extracting script didn't recognize
	lines that differ in whitespace only. File: postconf/extract.awk.
	Reported by Kenn Martin.

20000221

	Logging: the SMTP client now logs log host+port when it is
	unable to connect to a non-MX host, just like it logs
	host+port when unable to connect to an MX host.

20000226

	Bugfix: the SMTP server's "User unknown" test didn't notice
	LDAP etc. dictionary access errors. The code now reports
	a 450 status (try again instead of bounce) if the reply is
	not definitive.  File: smtp/smtpd_check.c.

	Robustness: the smtp-source program could stall when making
	hundreds of parallel connections to a Postfix system with
	only one SMTP server process. The fix is to use non-blocking
	connect() calls, very carefully. File: smtpstone/smtp-source.c.

20000303

	Feature: with smtp_always_send_ehlo the SMTP client will
	send EHLO regardless of the content of the SMTP server's
	greeting.  File: smtp/smtp_proto.c.

20000304

	Feature: DICT_FLAG_SYNC_UPDATE flag for synchronous dictionary
	updates, if supported by the underlying mechanism. Files:
	util/dict.h, util/dict_open.c, util/dict_db.c.

20000307

	Cleanup: the manual pages in Postfix configuration files
	no longer contain troff formatting codes.  The text is now
	generated from prototype files in a new "proto" subdirectory.
	Requested by Matthias Andree @ stud.uni-dortmund.de.

20000308

	Bugfix: the unused db and dbm "delete" routines would
	clobber the per-dictionary flags when called before reading
	or writing the table. Files: util/dict_dbm.c, util/dict_db.c.
	Lutz Jaenicke @ aet.TU-Cottbus.DE.

	Bugfix: the SMTP server would produce a cryptic message
	when a queue file write error happened before it had written
	any recipients.  Keith Stevenson. File: smtpd/smtpd.c.

	Robustness: the db and dbm "delete" routines didn't adjust
	to dictionaries with/without one trailing null in lookup
	keys and values. Did a complete rewrite of the routines.
	Files: util/dict_db.c, util/dict_dbm.c.

	Feature: specify "-d key" to postalias or postmap in order
	to remove one key. This still needs to be generalized to
	multi-key removal (read stdin?). Files: postmap/postmap.c,
	postalias/postalias.c.

	Test: added test targets for the dictionary delete operations.
	Files: util/Makefile.in, util/dict_test.{c,in,ref}.

	Feature: added data offset and recipient count fields to
	the first queue file record output from the cleanup daemon.
	The recipient counts provides an initial estimate for a
	more advanced queue manager scheduling algorithm. Files:
	cleanup/cleanup_envelope.c, cleanup/cleanup_extracted.c.

20000311

	Portability: HP-UX awk can't handle bare { in regexps
	(Lamont Jones. HP). File: postconf/extract.awk.

	Compatibility: sendmail now recognizes '.' as end of input.
	File: sendmail/sendmail.c.

20000313

	Compatibility: dtcm (CDE desktop calendar manager) leaks
	a file descriptor into its child process, and requires that
	sendmail closes the descriptor, otherwise mail notification
	will hang.  These GUI programmers never figured out that
	the child process must close the writing end of a pipe.
	File:  sendmail/sendmail.c.

20000314

	Feature: SASL authentication in the SMTP server and client.
	Based on code contributed by Till Franke, SuSE.  Specify:
	"smtpd_sasl_auth_enable = yes" and "smtp_sasl_auth_enable
	= yes". The "permit_sasl_authenticated" UCE restriction
	gives special treatment to authenticated clients.

20000315

	Workaround: added -blibpath option for AIX 4.x, to close
	hole in case postdrop needs to be set-gid.

20000320

	Portability: FreeBSD 5.x added to the list of supported
	systems (Mark Huizer).

20000323

	Portability: INSTALL.sh looks if sendmail is in /usr/lib
	rather than in /usr/sbin.

20000326

	Bugfix: settings in one mysql configuration file would act
	as the implicit defaults for the next one, which could be
	confusing.  Patch by Scott Cotton. File: util/dict_mysql.c.

	Robustness: limit the number of "junk" commands that can
	be issued in an SMTP session (ex.: NOOP, VRFY, ETRN, RSET).
	Problem report by Michael Ju. Tokarev @ tls.msk.ru.  Files:
	global/mail_params.h, smtpd/smtpd.c.

20000413

	Portability: more MacOS X patches by Gerben Wierda.

	Bugfix: RFC 822 requires the presence of at least one
	destination message header. The cleanup daemon now generates
	a generic "To: undisclosed-recipients:;" message header
	when no destination header is present.  The header content
	is specified with the undisclosed_recipients_header parameter.
	Problem pointed out by Geoff Gibbs, UK-Human Genome Mapping
	Project-Resource Centre.

20000416

	Workaround: allow <(comment)> as SMTP MAIL FROM address.

20000417

	The SASL authentication in the SMTP server and client works,
	but only on Linux and Solaris, neither of which I wish to
	run on my laptop.

20000418

	Added LMTP support to the smtp-source and smtp-sink utilities
	so that I don't have to install Cyrus IMAP just to test
	LMTP.

20000419

	Bugfix: removed the () from the tokenized representation
	of RFC 822 comments, so that comments with \( or \) can be
	unparsed correctly.  Problem reported by Bodo Moeller.

20000423

	Bugfix: mail_copy() could prepend > or . in the middle of
	long lines. Found by code inspection.

20000427

	New code: unescape module that translates C escape sequences
	into their equivalent character values.  File: util/unescape.c.

	Feature: the pipe mailer now has a way to specify the output
	record delimiter (for example, eol=\r\n). This is necessary
	for transports that require CRLF instead of UNIX-style LF.

20000502

	In order to support timeouts more conveniently, VSTREAMs
	now have built into them the concept of timeout.  Instead
	of calling read() and write(), the low-level VSTREAM
	interface now by default uses timed_read() and timed_write()
	which receive a timeout parameter; vstream_ctl(stream,
	VSTREAM_CTL_TIMEOUT...) sets the timeout deadline on a
	stream, and vstream_ftimeout(stream) queries a stream for
	timeout errors.  This change simplified timeout handling
	considerably.  Files: util/vbuf.h, util/vstream.[hc],
	global/smtp_stream.c, global/timed_ipc.c.

20000504

	Added application context to VSTREAMs, which is passed on
	transparently to application-provided read/write routines.
	vstream_ctl(stream, VSTREAM_CTL_CONTEXT...) sets the context.
	Files:  util/vstream.[hc].

	Added vstream_setjmp() and vstream_longjmp() support to
	make exception handling more convenient. Turn on exception
	handling with vstream_ctl(stream, VSTREAM_CTL_EXCEPT...).
	Files:  util/vstream.[hc].

	Cleaned up the smtp_stream module further and got rid of
	the global state that limited the use of this module to
	one stream per process. Files: global/smtp_stream.[hc].

20000505

	Bugfix: the SMTP server now flushes unwritten output before
	tarpit delays, to avoid protocol timeouts in pipelined
	sessions when a client causes lots of errors. Found by
	Lamont Jones, HP. File:  smtpd/smtpd_chat.c.

	Finished the LMTP client, which is based on a modified
	version of the SMTP client by Philippe Prindeville, Mirapoint,
	Inc., later modified by Amos Gouaux, UTDallas, and then
	Wietse ripped it all up again. Currently this talks LMTP
	over TCP only.

	Feature: override main.cf parameters in master.cf. Specify
	"-o parameter=value" after the program name. This allows
	you to selectively override myhostname etc. See also the
	new smtp_bind_address parameter below.

20000506

	Convenience: the LMTP and SMTP clients now append the local
	domain to unqualified nexthop destinations. This makes it
	more convenient to set up transport maps. Files:
	lmtp/lmtp_addr.c, smtp/smtp_addr.c.

	Sendmail compatibility: the Postfix SMTP client now skips
	servers that greet the client with a 4xx or 5xx status
	code.  To disable, set both smtp_skip_4xx_greeting and
	smtp_skip_5xx_greeting to "no".

20000507

	Portability: NetBSD has migrated to /etc/mail/aliases. We
	can expect to see this happen more often when systems start
	shipping Sendmail 8.10. File: util/sys_defs.h

	Updated LDAP code by John Hensley, with support for
	dereferencing of LDAP aliases, which have nothing to do
	with Postfix aliases.

	Feature: "smtp_bind_address=x.x.x.x" specifies the source
	IP address for SMTP client connections. Specify in master.cf
	as "smtp -o smtp_bind_address=x.x.x.x" in order to give
	different delivery agents different source addresses.

20000510

	Cleanup: mailbox_transport did not work with the lmtp
	delivery agent. This dates back to when Postfix used empty
	nexthop information to indicate that a destination was
	local. File: global/deliver_pass.c.

	Bugfix: configuration parameters for one mysql dictionary
	would become default settings for the next one. File:
	dict_mysql.c. This patch was merged into Postfix a while
	back but apparently that Postfix version was nuked when
	other parts were redesigned. Update by Scott Cotton.

	Bugfix: some Postfix delivery agents would abort on addresses
	of the form `stuff@.' which could be generated only locally.
	Found by Patrik Rak. File:  trivial-rewrite/resolve.c.

	Third-party Berkeley DB support for HP-UX by Lamont Jones.
	File: makedefs.

20000511

	Bugfix: Postfix would incorrectly reject domain names with
	adjacent - characters. File: util/valid_hostname.c.

	Bugfix: the 20000505 pipeline tarpit delay flush was wrong
	and caused the client and server to get out of phase. Yuck!

20000513

	Feature: VSTREAMs now have the concept of last fill/flush
	time, which is needed to prevent timeouts with pipelined
	SMTP sessions as detailed in the next item.

	Bugfix: delayed SMTP command/reply flushing to prevent
	sender delays from accumulating too much and causing timeouts
	with pipelined sessions.  For example, client-side delays
	happen when a client does DNS lookups to replace hostname
	aliases in MAIL FROM or RCPT TO commands; server-side delays
	happen when an UCE restriction involves a time-consuming
	DNS lookup, or when a server generates tarpit delays.
	Files:  lmtp/lmtp_proto.c, smtp/smtp_proto.c, smtpd/smtpd_chat.c.

	Portability: define ANAL_CAST for compilation environments
	that reject explicit casts between pointers and integral
	types. File: util/sys_defs.h, master/*server.c.  Upon closer
	investigation, this turned out to be the result of someone's
	compiler configuration preferences.  Therefore the change
	is likely to go away after a code cleanup.

20000514

	Feature: mysql client support for multi-valued queries
	(select email, email2 from aliastbl where username='$local')
	By Loic Le Loarer @ m4x.org. File: util/dict_mysql.c.

	Finalized the delayed SMTP command/reply flushing code in
	the SMTP and LMTP clients after lots of testing and review.

20000520

	Robustness: upon receipt of mail, map the mailer-daemon
	sender address back into the magic null string. File:
	cleanup/cleanup_envelope.c.

20000524

	Bugfix: the code for masquerade_exceptions was case sensitive.
	Reported by Eduard Vopicka.  File: cleanup/cleanup_masquerade.c.

20000526

	Feature: experimental queue manager by Patrik Rak with a
	fancy pre-emptive scheduling algorithm that improves delivery
	performance of mail with few recipients. This queue manager
	is made available as "nqmgr".

20000528

	Feature: the SMTP client SASL password file can contain
	entries for destination domain names (the address remote
	part) not just mail server hostnames. File: smtp_sasl_glue.c.

	Feature: smtpd_sasl_local_domain parameter (default:
	$myhostname) to specify the local SASL authentication realm.
	File: smtpd_sasl_glue.c.

	Feature: specify "body_checks=regexp:/file/name" for a very
	crude one line at a time message body content filter.  This
	feature uses the same filtering syntax as the header_checks
	feature.  File:  cleanup/cleanup_message.c. See also the
	conf/sample-filter.cf file.

20000530

	Feature: full content filtering through external software.
	This uses existing interfaces for sending mail to the
	external content filter and for injecting it back into
	Postfix.  Details in FILTER_README.  Files: pickup/pickup.c,
	smtpd/smtpd.c, qmgr/qmgr_message.c.

20000531

	More SASL feedback by Liviu Daia, regarding the use of
	authentication realms. File smtpd/smtpd_sasl_glue.c.

	Added a simple shell-script based content filtering example
	to the FILTER_README file.

	Content filtering support for nqmgr by Patrik Rak.  File:
	nqmgr/qmgr_message.c.

	Renamed "content inspection" etc. to "content filtering"
	in anticipation of a new hook for content inspection that
	only inspects mail without re-injecting it into Postfix.

20000601

	Feature: limit the size of pipe mailer deliveries with the
	size=nnn command-line attribute. Patch by Andrew McNamara.

20000603

	Bugfix: don't try to do SASL authentication when running
	in stand-alone (sendmail -bs) mode. Fix by Liviu Daia.

	Bug: the unauthorized pipelining test fails with single
	recipient mail when smtpd_delay_reject = yes.

20000617

	Bugfix: conf/sample-ldap.cf was no longer up to date with
	reality. Patch by Lamont Jones, HP.

	Bugfix: the maildir delivery routine left temporary files
	lying around after unsuccessful delivery (problem reported
	by Brian Laughton @ Corp.Axxent.Ca).

20000621

	AIX 4.x had POSIX regular expression support all the time
	I was working on Postfix. Better find out late than never.

20000623

	Bugfix: the SMTP server did not reset the so-called junk
	command counter after successful delivery (Mark Hoffman @
	wallst.com).  File: smtpd/smtpd.c.

20000625

	Cleanup: remove Content-Length from incoming mail. The
	sender has no authority over the format of mail as stored
	by the receiving system. File: global/header_opts.h.

	Feature: rewrite Mail-Followup-To: as sender. Files:
	global/header_opts.[hc].

	Cleanup: rewrite Reply-To, Errors-To, Return-Receipt-To as
	sender, so that address masquerading works as expected.
	Files: global/header_opts.c.

	Feature: specify "require_home_directory = yes" to prevent
	mail from being delivered to a user whose home directory
	is not mounted. File: local/dotforward.c.

	Cleanup: the pipe deliver agent no longer appends a blank
	line when the F flag (prepend From_ line) is specified.
	Specify the B flag if you need that blank line. The local
	delivery agent no longer appends a blank line to mail that
	is delivered to external command. Files:  pipe/pipe.c,
	global/mail_copy.[hc].

20000708

	Portability: support for NEXT/OPENSTEP requires extra
	include file in util/watchdog.c (Masaki Murase).

20000715

	Added macros to turn on vstream/vstring/etc. format string
	checking by gcc, in addition to the checking that was
	already implemented with printfck.  File: util/sys_defs.h,
	the macros for PRINTFLIKE and SCANFLIKE. Problem - unlike
	the printfck tool, gcc finds format argument type mismatches
	only in code that isn't #ifdef-ed out.

20000718

	Robustness: make_dirs() now continues when a missing
	directory is created by another process.

20000720

	Feature: the queue manager now logs the number of recipients
	when opening a queue file (a zero recipient count is logged
	with older queue files). File: global/opened.c.

20000726

	Robustness: added watchdog_pat() routine to keep the watchdog
	quiet if a client stays connected for a lot of time. Files:
	util/watchdog.[hc], smtpd/smtpd.c.

20000729

	Robustness: if relayhost is specified but the host does
	not exist, defer mail instead of bouncing it (which would
	lose the mail if the bounce would have to be delivered to
	that same non-existent relayhost). Problem reported by
	Chris Cooper @ maths.ox.ac.uk. File: smtp/smtp_connect.c.

20000821

	Feature: added -r (replace key+value) option to postalias
	and postmap.

	Cleanup: smtpd now replies with 555 when the client sends
	unrecognized RCPT TO parameters, as required by RFC 1869
	(problem report by Robert Norris @ its.monash.edu.au).
	File: smtpd/smtpd.c.

20000822

	Logging: the SMTP server's SASL code logs the authentication
	method along with an authentication failure. Suggested by
	Ronald F. Guilmette @ monkeys.com.

	Workaround: some systems have file size resource limits
	that cannot be represented with the off_t type that is used
	by standard functions such as lseek(2). Problem reported
	by Blaz Zupan @ amis.net.

20000823

	Feature: all this discussion about when to reject mail and
	when not made me decide to implement a TCP-based map type
	so that it becomes relatively simple to implement dynamic
	access controls, for example, hold off mail from an unknown
	client or sender until we have completed some investigation,
	after which we will either reject or accept.

	However, this code is turned off until it is finished.

20000905

	Robustness: the dns client now rejects malformed domain
	names rather than depending on the DNS to report that the
	name does not exist. Linux returns a rather misleading
	server failure code as found out by Patrik Rak. File:
	dns/dns_lookup.c.

20000911

	Feature: added IGNORE keyword to header_checks and body_checks
	to pretend that certain data does not exist. File:
	cleanup/cleanup_message.c.

20000911

	Bugfix: the SASL code did not allow MAIL FROM... AUTH=sender
	without prior authentication. The RFC allows this, although
	one wonders what the reasoning behind this is. File:
	smtpd/smtpd_sasl_proto.c.

20000913

	Bugfix: the rmail script did not handle remote UUCP systems
	that send a from_ line with unqualified envelope sender.
	Reported by Luciano Mannucci.

	Compatibility: don't insert Sender: header lines. Sendmail
	has not done so for at least 10 years, if it ever did.
	Problem reported by Brad Knowles. File: cleanup/cleanup_message.c.

20000916

	Bugfix: when propagating an address extension in a virtual
	or canonical mapping, cleanup accesses memory that is no
	longer allocated. This can happen when the result address
	length is more than 100 characters.  Problem reported by
	Adi Prasaja @ satunet.com. File: global/mail_addr_crunch.c.

	Bugfix: fixed a misleading error message when the cleanup
	server reaches the queue file size limit. Fix by Robby
	Griffin @ MIT.EDU.  File: cleanup/cleanup_extracted.c.

20000917

	Bugfix: postalias -i would complain about duplicate entries
	for the Sendmail-compatible @ entry and for the NIS-compatible
	YP_LAST_MODIFIED and YP_MASTER_NAME entries.

20000918

	Gross hack: prevent looping on a bad recipient by always
	forwarding recipients in :include: files to a new mail
	delivery request, even when owner-listname is not set.
	File: local/recipient.c.

20000919

	Convenience: INSTALL.sh now imports default settings from
	the process environment, in order to make scripting easier.

	Robustness: INSTALL.sh now systematically skips over CVS,
	RCS and SCCS cruft.

	Portability: another fix for NEXTSTEP (Masaki MURASE).
	File: util/spawn_command.h.

20000920

	Cleanup: in a transport table entry, do not ignore port
	numbers specified as [host]:port. In fact, this is now
	becoming the preferred form, in order to avoid parsing
	problems with IPV6 addresses. Postfix supports both forms,
	but future versions will print a warning for the old form.
	Problem reported by Claus Fischer @ werhats.at

	Bugfix: missing initialization for state->sasl_method can
	cause permit_sasl_authenticated to always succeed.  Report
	and fix by Lutz Jaenicke @ aet.TU-Cottbus.DE.

	FAQ: added notes about how to delete, copy or restore queue
	files in a safe manner.

20000921

	File reorganization. No code change except Makefiles. All
	sources are pushed down by one directory level to keep file
	listings usable. Released as 20000922, so that I have a
	reference to run "diff -cr against.

	Bugfix: the spawn service was installed without man pages.

	Portability: MacOSX hints and tips by Joe Block, University
	of Central Florida School of Optics/CREOL

	Portability: The MacOSX gcc compiler does not understand
	the new printf_like/scanf_like attributes. File: util/sys_defs.h.

20000922

	nqmgr update from Patrik Rak for the changed queue manager
	to delivery agent protocol.

	Lame feature: syslog_facility parameter to control where
	syslogd sends Postfix logging (default: syslog_facility =
	mail).  However, errors during command-line parsing are
	still logged with the default syslog facility, as are errors
	while processing the main.cf file (surprise).  Based on
	code by Andrew McNamara.

20000923

	Cleanup: new bounce logfile API so that Postfix can change
	to an extensible bounce logfile format with per-recipient
	sender addresses (needed for VERP and for reporting local
	list delivery problems to the list owner) and other
	attributes.  File:  global/bounce_log.[hc].

	Cleanup: replaced the ad-hoc logfile parsing code in showq
	by something that uses the generic bounce logfile API.

20000924

	Feature: Postfix bounced mail and delayed mail notifications
	now have the standard RFC 1894 form (DSN). The bounce
	service now uses the generic bounce logfile API.  File:
	bounce/bounce_notify_service.c, bounce/bounce_notify_util.c.

	Cleanup: deleted the per-recipient bounce protocol.  Future
	bounce logfiles will support per-recipient bounce addresses.
	Files:  global/bounce.c, bounce/bounce_recip_service.

20000925

	Workaround: sendmail allows MAIL FROM and RCPT TO envelope
	addresses like <the dude <dude@site>> so we will never get
	rid of them. To disallow, specify "strict_rfc821_envelopes
	= yes".  File: smtpd/smtpd.c.

20000926-20001003

	Feature: a "flush" server that keeps per-destination records
	of deferred mail. It is the basis of a faster ETRN and
	"sendmail -qRsite" implementation. This code was rewritten
	half a dozen times.

20000928

	Bugfix: the stricter dns_lookup() argument checks revealed
	that Postfix was doing DNS lookups for domain literals
	([ip.address]) when expanding aliases in MAIL FROM and RCPT
	TO address parameters.  Reported by Jim Littlefield. File:
	smtp/smtp_unalias.c.

	Documentation: added text on the biff=yes/no parameter to
	conf/sample-local.cf (text provided by Paul Wagland,
	relational-consultancy.com.

	Robustness? Log errors from SASL library code as warnings
	not as fatal errors. Files: smtp*/*glue.c.

20001001

	Feature: in master.cf, specify ? after wakeup time to avoid
	waking up services that aren't being used.

20001003

	Feature: the fast flush refresh and purge time interval
	parameters can now be specified in user-specified units by
	providing an appropriate suffix:  s (seconds), m (minutes),
	h (hours), d (days), w (weeks).  unit.  This was needed so
	that I could test the flush server code in a reasonable
	way (its timeouts are normally specified in days or hours,
	and I don't have that much time for testing).  Other Postfix
	time interval parameters will be migrated as time permits.
	Files:  conf/sample-flush.cf, global/mail_conf_time.c,
	postconf/postconf.c.

	Unfeature: qmgr_hog_factor is now disabled by default. It
	was just too confusing. If you don't know what this means,
	do not worry.

20001005

	Cleanup: after "postfix reload" do not penalize mail that
	was in the active queue, but make it ready for immediate
	delivery so that ETRN etc. works as intended. Files:
	*qmgr/qmgr.c, *qmgr/qmgr_active.c.

	Portability: Redhat 7 library interfaces have changed
	incompatibly, which breaks existing software. File makedefs.

	Consistency: the fallback_relay parameter did not understand
	the [] or host:port syntax, and there was no way to suppress
	MX record lookups. Files: smtp/smtp_addr.c, smtp/smtp_connect.c.

	Convenience: you can now specify multiple SMTP destinations
	in the relayhost or fallback_relay configuration parameters.
	The specified destinations will be tried in the specified
	order. File:  smtp/smtp_connect.c.

	Many typographical corrections by Matthias Andree.

20001024

	Documentation: the canonical, virtual etc. manual pages
	did not document the effect of leading whitespace.

20001025

	Bugfix: virtual map expansion stopped too early with
	self-referential aliases. Reported by Michael Douglass @
	datafoundry.net. File: cleanup/cleanup_map1n.c.

20001026

	Horror:  postmap and postalias (newaliases) silently lose
	the file lock while building a lookup table with Berkeley
	DB 2.x and later on Solaris, HP-UX, IRIX, and UNIXWARE.
	The result is that table lookups fail while the table is
	being built, so that mail is lost.  In order to avoid this
	misbehavior one has to use an undocumented feature that is
	NOT available with the DB1.85 compatibility interface.
	Therefore, Postfix now supports three Berkeley DB programming
	interfaces of increasing complexity. File: util/dict_db.c.

	Bugfix: some character manipulations were not portable for
	signed/unsigned characters. Files: global/quote_821_local.c,
	global/quote_822_local.c.

	Workaround: apparently, some software sends SMTP mail that
	begins with "From sender time-stamp". Sendmail silently
	ignores such RFC violating garbage, and therefore Postfix
	needs to jump another hoop.  File: smtpd/smtpd.c.

20001028

	Bugfix: the flush server tried to access config files after
	going to the chroot jail. Found by Lutz Jaenicke, TU-Cottbus.DE.
	File: flush/flush.c.

	Update: revised LDAP module from primary maintainer John
	Hensley, with contributions from many other people. Files:
	util/dict_ldap.c, LDAP_README.

	Update: LINUX2 chroot setup script by Matthias Andree,
	uni-dortmund.de.

	Feature: specify unix:/path/name for LMTP connections over
	UNIX-domain sockets, and specify inet:host or inet:host:port
	for IPV4. If no unix: or inet: is specified, IPV4 is assumed.
	File: lmtp/lmtp_connect.c.

	Feature: added UNIX-domain support to the smtpstone test
	programs in order to test the LMTP client UNIX-domain
	support.

20001030

	Bugfix: further testing in preparation for 19991231-pl10
	revealed that the DB map code was now broken for every
	platform.

20001031

	Performance: the slow start (gradually increase number of
	parallel connections to the same site) was too gentle and
	Postfix would back off too quickly. Files: qmgr/qmgr_queue.c
	and nqmgr/qmgr_queue.c.

20001101

	FAQ update by Ralph Hildebrandt.

20001104

	Portability: RedHat Linux has changed incompatibly, again.
	Fixed with the help of Matthias Andree.  File: makedefs.

20001109

	Cleanup: changed prototype of internal function that did
	not return a useful result. File: src/util/vstream_popen.c.

20001110

	Workaround: the Debian post install script passes an open
	file descriptor into the master server and waits forever.
	Reported by Lamont Jones. File: master/master.c.

20001114

	Compatibility: added sendmail -G (gateway submission) option
	for compatibility with the sendmail rmail command. Requested
	by David Gilbert, Velocet Communications.

20001116

	Documentation: added MAILER-DAEMON to the list of sample
	masquerade_exceptions settings in conf/sample-rewrite.cf.
	Suggested by Karl O. Pinc, pop.artic.edu.

	Performance: the slow start (gradually increase number of
	parallel connections to the same site) was too gentle and
	Postfix would back off too quickly. Files: qmgr/qmgr_queue.c
	and nqmgr/qmgr_queue.c. Yup, changed the same code, again.
	We now allow for a margin above the actual concurrency,
	with the size of the initial destination concurrency.
	Final solution by Patrik Rak.

	Bugfix: the recipient home directory test broke mailbox_transport
	support for non-UNIX recipients.  File:  local/recipient.c.

20001117

	Robustness: additional integrity tests for the nqmgr by
	Patrik Rak. File: nqmgr/qmgr_message.c.

20001118

	Bugfix: the new LDAP client code did not work properly if
	the new ldap_domain parameter was not specified. LaMont
	Jones, HP.  File: util/dict_ldap.c.

	Feature: the soft_bounce safety net is extended to the SMTP
	server. With "soft_bounce = yes", The SMTP server changes
	all 5xx (reject) replies into 4xx (try again) replies.

	Documentation: the virtual(5) man page now documents both
	Postfix-style virtual domains and Sendmail-style virtual
	domains, including their interaction with local usernames,
	aliases and mailing lists. Hopefully, this ends some of
	the confusion surrounding virtual domain support. Updated
	several FAQ entries concerning virtual domain support.

	Documentation: added FAQ entry for the biff service.

20001119

	Bugfix: per-destination queue names were case sensitive so
	that the same site could have multiple queues.  Reported
	by Patrik Rak. Files: *qmgr/qmgr_message.c.

20001120

	Bugfix: per-destination deferred mail logfiles were case
	sensitive so that the same site could have multiple deferred
	mail logfiles, so that not all mail would be flushed with
	ETRN. Reported by Ralph Hildebrandt. Files:  flush/flush.c.

	Portability: added (int) casts to printf-like arguments
	that specify the width of %*letter conversions.  On some
	systems, sizeof and pointer difference expressions are
	wider than an int.  Reported by Valentin Nechayev @ lucky.net.

20001121:

	Compatibility: Postfix now retries delivery when an external
	command is killed by a signal, because people expect such
	behavior from Sendmail. File: global/pipe_command.c.

20001123-30

	Feature: mailbox locking is now configurable. The configuration
	parameter name is "mailbox_delivery_lock". Depending on
	the operating system one can specify one or more of "flock",
	"fcntl" and "dotlock". Use "postconf -l" to find out what
	locking methods Postfix supports. The default setting is
	system dependent.  All mailbox file opens are now done by
	one central mbox_open() routine. This affects the operation
	of the postlock command, and of local delivery to mailbox
	or /file/name.  Files: util/safe_open.c, util/myflock.c,
	global/deliver_flock.c, global/mbox_conf.c, global/mbox_open.c.
	local/mailbox.c, local/file.c, postlock/postlock.c.

	Compatibility: the old sun_mailtool_compatibility parameter
	is being phased out. It still works (by turning off
	flock/fcntl locks), but logs a warning as a reminder that
	it will go away.

	Compatibility: when delivering to /file/name, the local
	delivery agent now logs a warning when it is unable to
	create a /file/name.lock file, and then delivers the mail
	(older Postfix versions would silently deliver).

20001202

	Feature: specify "smtp_never_send_ehlo = no" to disable
	ESMTP.  Someone asked for this long ago. Files:  smtp/smtp.c,
	smtp/smtp_proto.c.

	Feature? Bugfix? The smtp client now skips server replies
	that do not start with "CODE SPACE" or with "CODE HYPHEN",
	and flags them as protocol errors. Older versions silently
	treat "CODE TEXT" as "CODE SPACE TEXT".  File:  smtp/smtp_chat.c.

20001203

	Documentation: postmap(1) and postalias(1) did not document
	the process exit status for "-q key".

20001204

	Bugfix: the Postfix master daemon no longer imported
	MAIL_CONF and some other necessary environment parameters.
	Postfix now has explicit "import_environment" and
	"export_environment" configuration parameters that control
	what environment parameters are shared with non-Postfix
	processes. Files: util/clean_env.c, util/spawn_command.c,
	util/vstream_popen.c, global/pipe_command.c, and everything
	that invokes this code.

20001208

	Bugfix: while processing massive amounts of one-recipient
	mail, qmgr could deadlock for 10 seconds while sending a
	bounce message. All queue manager bounce send requests are
	now implemented asynchronously.  Files: global/abounce.[hc]
	(asynchronous bounce client), qmgr/qmgr_active.c.  Problem
	reported by El Bunzo (webpower.nl) and Tiger Technologies
	(tigertech.com).

20001209

	Feature: mailbox_transport and fallback_transport can now
	have the form transport:nexthop, with suitable defaults
	when either transport or nexthop are omitted, just like in
	the Postfix transport map. This allows you to specify for
	example, "mailbox_transport = lmtp:unix:/file/name". File:
	global/deliver_pass.c.

20001210

	Bugfix: the local_destination_concurrency_limit paramater
	no longer worked as per-user concurrency limit but instead
	worked as per-domain limit, so that the limit of "2" in
	the default main.cf files resulted in poor local delivery
	performance.  Files:  qmgr/qmgr_message.c, qmgr/qmgr_deliver.c.
	Problem reported by David Schweikert (ee.ethz.ch) and Dallas
	Wisehaupt (cynicism.com).

20001210

	Feature: support for MYSQL connections over UNIX-domain
	sockets by Piotr Klaban.  Files: util/dict_mysql.c,
	MYSQL_README.

20001211

	Small dirt: postconf -m produced too much output due to a
	missing "else", and the optional SASL code needed a fix
	for the changed name_mask API.

20001212

	Workaround: due to an error, record type L for "filter
	transport name" was the same as that for the already existing
	record type L for "record not ending in newline", causing
	the pickup daemon to discard all records not ending in
	newline. The code cannot be changed without breaking
	compatibility with queued mail, so the pickup server is
	changed to discard type L records only from the message
	envelope, not from the content. File: pickup/pickup.c.

20001213

	Bugfix: dict_ldap did not properly initialize a handle
	after connection timeout. Problem reported by Alain Thivillon.
	File: util/dict_ldap.c.

20001214

	Feature: local_transport and default_transport now also
	understand the transport[:destination] notation, so that
	all transport config parameters are similar again. File:
	trivial-rewrite/resolve.c, trivial-rewrite/transport.c.

	Code cleanup: mailbox_transport and fallback_transport no
	longer allow the user to omit the transport part of a
	transport:destination specification. That just did not make
	any sense at all. The :destination part is still optional.
	File: global/deliver_pass.c.

	Feature: most time-related configuration parameters take
	a one-letter suffix that specifies the time unit:  s
	(second), m (minutes), h (hours), d (days), w (weeks).
	"postconf -d" output includes the default time unit. Files:
	many.

	Code cleanup: in a CONFIG_TIME_TABLE, the default time unit
	is now always the last character of a default time value.
	It is no longer necessary to specify the default time unit
	separately. This change means that it will not be possible
	to specify default values in the form of function calls,
	but that was unused anyway.  Files: global/mail_conf_time.c,
	and user code.

20001217

	Bugfix: reorganized some code in the MYSQL client to end
	a number of memory allocation/deallocation problems.  This
	code needs more work. File: dict_mysql.c.

20001218

	Bugfix: the MYSQL client did not provide function pointers
	for unimplemented operations, causing "postmap -d" to dump
	core instead if issuing an error message. This is what I
	get for accepting code that I cannot test myself.

20001221

	Code cleanup: configuration parameters that are $name
	expanded at run-time now have their own data type hierarchy
	instead of being piggy-backed on top of strings that are
	$name expanded at program initialization time.  Files:
	global/mail_conf.h, global/mail_conf_raw.c, and code that
	calls it.

20001230

	Update: replaced the default rbl.maps.vix.com setting by
	the current blackholes.mail-abuse.org.

20010102

	Code cleanup: the queue manager is a bit greedier with
	allocating a delivery agent. Problem pointed out by Patrik
	Rak. All bugs in the solution are mine.  Files:
	*qmgr/qmgr_active.c.

20010105

	Bugfix: the FILTER_README shell script example did not
	correctly pass exit status to the parent.

	Bugfix: soft errors in client hostname lookups would be
	treated as hard errors. Fix by Michael Herrmann
	(informatik.tu-muenchen.de). File: smtpd/smtpd_peer.c.

20010110

	Bugfix: the mkdir() EEXIST race condition workaround was
	not complete.  Matthias Andree, Daniel Roesen.  Files:
	global/mail_queue.c, util/make_dirs.c.

20010111

	Portability: IRIX 6.5.10 defines sa_len as a macro, causing
	a name collision with a variable used by Postfix. Roberto
	Totaro, enigma.ethz.ch. File:  smtpstone/smtp-source.c.

20010116

	Bugfix: REJECT by header/body_checks was flagged in smtpd
	as a bounce, should be policy, in order to make postmaster
	notifications more consistent. File: smtpd/smtpd.c.

	Merged updated chroot setup procedure by Matthias Andree.
	Files: examples/chroot-setup/LINUX2.

20010117

	Formatting: changed the seconds and days formats in the
	"your mail is delayed" text so that it does not switch to
	scientific notation. File: bounce/bounce_notify_util.c.

20010119

	Feature: SASL support for the LMTP client. Recent CYRUS
	software requires this for Postfix over TCP sockets.

20010120

	Bugfix: the 20001005 revised fallback_relay support caused
	Postfix to send mail to the fallback even when the local
	machine was an MX host for the final destination. Result:
	mailer loop. Found by Laurent Wacrenier (teaser.fr).  Files:
	smtp/smtp_connect.c, smtp/smtp_addr.c.

20010121

	Workaround: specify "broken_sasl_auth_clients = yes" in
	order to support old Microsoft clients that implement a
	non-standard version of RFC 2554 (AUTH command).

	Workaround: Lotus Domino 5.0.4 violates RFC 2554 and replies
	to EHLO with AUTH=LOGIN. File: smtp/smtp_proto.c.

20010125

	Code cleanup: wrote creator/destructor for dictionary
	objects that provides default methods that trap all attempts
	to perform an unimplemented operation. Based on an ansatz
	by Laurent Wacrenier (teaser.fr).  Files: util/dict*.[hc].

	Code cleanup: INSTALL.sh does not ask questions when stdin
	is not connected to a tty (as in: make install</dev/null).
	To automate a customized install, the script imports
	environment variables for install_root etc.

20010127

	Workaround: randomize the delay between attempts to lock
	a file, so that multiple bounce or defer servers are less
	likely to retry all at the same time.  likely.  File:
	util/rand_sleep.c, global/deliver_flock.c, global/dot_lockfile.c.

20010128

	Code cleanup: complaints about invalid or numeric hostnames
	either provide specific context or are removed as redundant.
	Files:  util/valid_hostname.c dns/dns_lookup.c.

	Code cleanup: new mailbox_size_limit parameter (default:
	20MB).  Until now, the mailbox size limit was the same as
	the message size limit, due to artefact of implementation.
	Files: global/mail_params.h, local/local.c.

	Bugfix: fix for the ldap_domains parameter, both semantics
	and documentation by LaMont Jones. Files:  LDAP_README,
	conf/sample-ldap.cf, util/dict_ldap.c.

	Update: merged in the virtual delivery agent by Andrew
	McNamara.  See VIRTUAL_README for detailed examples.

	Update: merged a re-vamped nqmgr by Patrik Rak.

20010129

	Tweak: several little nqmgr tweaks by Patrik Rak. Files:
	global/mail_params.h, nqmgr/qmgr_job.c.

	Bugfix: the virtual delivery agent did not save maps_find()
	results timely. J?rgen Thomsen, postfix.jth.net. File:
	virtual/mailbox.c.

	Security: disallow regexp tables in the virtual delivery
	agent.  The $1 etc. substitution mechanism gives too much
	power to the sender. File: virtual/mailbox.c.

	Cleanup: clarified documentation and boundary cases in the
	random_sleep() routine.

	Bugfix: the MISSING_USLEEP feature was used backwards.
	Patrik Rak. File: util/random_sleep.c.

20010130

	Workaround: Linux usleep() is void, BSD/Solaris usleep()
	returns int, don't use it. File util/random_sleep.c.

	Made local maildir bounce/defer handling mode consistent
	with local mailbox delivery. File local/maildir.c.

	The smtp client now defers delivery when all MX hosts have
	no A record. File: smtp/smtp_addr.c

	Bundled the man2html and postlink quick hacks so people
	can do their own manual page processing. See scripts in
	the mantools directory.

	Documentation: updated the reference to sendmail in the
	html/index.html page.

	Documentation: added note about the Cisco PIX "fixup smtp"
	bug that causes mail delivery problems when "." and "CRLF"
	arrive in separate packets. File:  html/faq.html.

20010201

	Bugfix: another missing initialization in the mysql client.
	File: util/dict_mysql.c.

	Sanitized time routine by Patrik Rak, to make his nqmgr
	robust against people who set their clock back.  Files:
	util/sane_time.[hc].

	Bumped the default mailbox file size limits to 50MB.

20010202

	Bugfix: fixed the way the master resets the file size limit
	to avoid problems when a Postfix daemon updates a queue
	file.  The file size limit is now increased to INT_MAX if
	it is smaller than INT_MAX, so that it is less likely to
	interfere than the old setting of message_size_limit.

	Feature: disable mailbox size limits for the local and
	virtual delivery agents by setting mailbox_size_limit or
	virtual_mailbox_limit to zero.

20010203

	Update: null candidate patch from Patrik Rak. Files:
	nqmgr/qmgr_entry.c nqmgr/qmgr_job.c nqmgr/qmgr_message.c.

	Cleanup: added one gruesome command to the postlink script
	for hyperlinking nroff manual page output. Word abbreviation
	broke some <a href...> </a> instances across line boundaries.
	sed(1) is an amazing tool.  File: mantools/postlink.

20010204

	Laid the ground work for logging of table accesses. This
	will give more insight into how Postfix uses its lookup
	tables. User interface comes later.  File:  util/dict_debug.c.

20010216

	Bugfix: the pipe delivery agent expanded $size as if it
	were a recipient, instead of expanding it as $nexthop or
	as $sender. Reported by Michael Tokarev. File: pipe/pipe.c.

20010221

	Bugfix: poor LMTP performance for domains that are listed
	in $mydestination, because Postfix would send one recipient
	at a time, with multiple deliveries of recipients of the
	same message in parallel; a similar problem could exist
	with virus scanning and with firewall relay hosts that
	forward mail for $mydestination to an inside machine. This
	behavior is now changed to depend on the transport-specific
	xxx_destination_recipient_limit parameter.  This also means
	that you can now get qmail behavior for SMTP deliveries by
	setting smtp_destination_recipient_limit=1.  File:
	{qmgr,nqmgr}/qmgr_message.c.

	Workaround: Solaris socketpair() can fail with EINTR. Added
	a sane_socketpair.c module that joins the ranks of the
	other sane_whatever workarounds. Reported by Andrew McNamara.
	File: util/sane_socketpair.[hc]

20010222

	Documentation: the default main.cf file has a prominent
	warning that mynetworks should be properly configured in
	order to reject unauthorized mail relay requests from
	strangers.

	Documentation: the INSTALL document, section "mandatory
	configuration file edits" has a section that explains that
	mynetworks should be properly configured in order to reject
	unauthorized mail relay requests from strangers.

20010223

	Documentation: the basic.html document has a section that
	explains that mynetworks should be properly configured in
	order to reject unauthorized mail relay requests from
	strangers.

	Feature: new "mynetworks_style" parameter that controls
	how mynetworks (trusted networks) is derived from the
	inet_interfaces (machine interfaces) setting. Specify
	"class" for entire class A, B, C networks; "subnet" for
	the local subnets only; or "host" for maximal privacy.
	Files:  util/inet_addr_local.[hc], global/own_inet_addr.[hc],
	global/mynetworks.[hc], postconf/postconf.c.

	Portability: MACOSX patches by Gerben Wierda.

	Portability: Solaris /dev/null is a symlink, which tripped
	up the code to safely open a file before local delivery.
	We now grudgingly allow symlinks owned by root. File:
	util/safe_open.c.

20010224

	Bugfix: "postconf mynetworks" ignored the inet_interfaces
	setting. That was a very old one. File: postconf/postconf.c.

	INCOMPATIBLE CHANGE: POSTFIX NO LONGER RELAYS MAIL FOR
	CLIENTS IN THE ENTIRE CLASS A/B/C NETWORK. POSTFIX BY
	DEFAULT RELAYS MAIL FOR CLIENTS IN THE LOCAL SUBNETWORK.
	Specify "mynetworks_style = class" to get the old behavior.

20010225

	Portability: master sigchld handler based on writing to a
	pipe, so that the master wakes up from select(). Based on
	code by Erik Forsberg, Linkoping University, Sweden.  File:
	master/master_sig.c. Disabled until after the major release.

	Code cleanup: Postfix should now run with no alias database.

	Code cleanup: local_destination_recipient_limit and
	local_destination_concurrency_limit have become first-class
	configuration parameters. Files: global/mail_params.h,
	*qmgr/qmgr.c, postconf/postconf.c.

20010226

	Documentation suggestions by Lars Hecking and Richard
	Huxton, Matthias Andree and many others.

	Code cleanup: some queue/transport operations need to be
	moved, after the code cleanup of the recipient/concurrency
	limit handling. Patrik Rak.  Files: *qmgr/qmgr_message.c.

20010301

	Feature: configurable name in syslog output (default:
	"syslog_name = postfix") so that different Postfix instances
	can be recognized by their logging. File: global/mail_task.c.

20010313

	Workaround for logic mismatch in nqmgr that was exposed
	with the introduction of the asynchronous bounce client.
	Patrik Rak.

20010313

	Bugfix: the RFC 822 untokenizer quoted newlines inside
	comments. File: global/tok822_parse.c.

20010316

	Cleanup: removed an extraneous warning when a queue file
	write error happened.

20010321

	Workaround: LMTP connection caching never worked for
	destinations starting with unix: or inet:. File:
	lmtp/lmtp_connect.c.

20010322

	Portability: Solaris <2.6 does not have srandom() and
	random() in libc. File: util/rand_sleep.c. It does not have
	to be cryptographically strong.

	Bugfix: the fast ETRN flush server could not handle [ipaddr]
	or domain names with one-character hostname part.  This
	fix changes the destination to logfile name mapping, so
	that you need to populate the new files with "sendmail -q".
	The old files go away automatically. File:  flush/flush.c.

20010327

	Speed up mailq (sendmail -bp) display by flushing output
	after each file.  File: showq/showq.c.

	Portability: missing string.h includes, %p wants (void *),
	Lamont Jones, HP.

20010328

	Bugfix: swapped logic caused cleanup to stall when the
	queue file size exceeded the file size limit by less than
	one the VSTREAM buffer size, so that the "file too big"
	was detected after flushing the last queue file record.
	File: cleanup/cleanup.c.

20010329

	Portability: workaround for missing prototype problem in
	dict_ldap.c. This module should move to the global directory,
	because it depends on Postfix main.cf parameter information.

	Workaround: after sending a trigger message over a socket,
	do not immediately close the client side, but close it from
	a background thread that waits until the server closes the
	socket first. This avoids trouble with socket implementations
	that destroy a socket when the client closes a socket before
	the server has received the client's data.  Files:
	util/{inet,unix,stream}_trigger.c, util/events.c,
	master/master_trigger.c, postkick/postkick.c.

20010403

	Workaround: the mysql library can return null pointers
	rather than zero-length strings. File: util/dict_mysql.c.

20010404

	Ergonomics: log additional information about the reason
	why "mail for XXX loops back to myself" when the local
	machine is the best MX host. File: smtp/smtp_addr.c.

20010406

	Changed some noisy LDAP client warnings into optional
	logging. LaMont Jones, util/dict_ldap.c.

20010411

	Bugfix: the SMTP server now replies with 550 instead of
	503 when it receives the DATA command without having received
	a valid recipient address. This is needed for the Sendmail
	client-side pipelining implementation. Problem reported by
	Lutz Jaenicke. File: smtpd/smtpd.c.

	Cleanup: shut up if chattr fails on Reiserfs and other file
	systems that do not support the respective attributes.
	Files: conf/postfix-script-{no,}sgid.

20010413

	Ergonomics: Postfix applications now warn when a DB or DBM
	file is out of date, and recommend to rebuild the table.
	Files: util/dict_db.c, util/dict_dbm.c.

20010414

	Feature: specify a key of "-" to the postmap or postalias
	-q or -d option, and the keys will be read from standard
	input, one key per line. Files: postmap/postmap.c,
	postalias/postalias.c.

	Bugfix: with a non-default inet_interfaces setting, the
	master ignored host information in master.cf host:port
	settings.  Fix by Jun-ichiro itojun Hagino @ iijlab.net.
	Files: master/master.h, master/master_ent.c.

20010426

	Bugfix: the SMTP server did not parse invalid MAIL FROM or
	RCPT TO addresses such as <first last <user@domain>> the
	way it was supposed to do.  I thought this was taken care
	of years ago. File:  smtpd/smtpd.c.

20010427

	Bugfix: smtpd would reject mail instead of replying with
	a 4xx temporary error code when, for example, an LDAP or
	mysql server was unavailable. Remotely based on a fix by
	Robert Kiessling @ de.easynet.net. File: smtpd/smtpd_check.c.

20010429

	Feature: the Postfix SMTP client now by default randomly
	shuffles destination IP addresses of equal preference.
	Specify "smtp_randomize_addresses = no" to disable.
	Shuffling code by Elias Levy @ SecurityFocus.com Files:
	dns/dns_rr.c, smtp/smtp_addr.c.

20010501

	Bugfix: The SMTP server's 550 in reply to DATA should be
	a 554 response.  And it wasn't Sendmail. Claus Assman.

	Bugfix: the INSTALL.sh test for non-interactive upgrade
	broke rooted installations that specify settings via the
	environment.  Simon Mudd.

	Bugfix: mailq output is now really flushed one message at
	a time. File: sendmail/sendmail.c.

	Feature: "postsuper -d queueID" deletes one message queue
	file; "postsuper -d -" reads zero or more queue IDs from
	standard input, and deletes one instance of each file.
	File: postsuper/postsuper.c.

	Code cleanup: in order to make postsuper -d safe with a
	running Postfix mail system, some routines had to be made
	tolerant for sudden queue file disappearances.  Files:
	global/deliver_request.c, *qmgr/qmgr_move.c.

	Code cleanup: in order to make postsuper -d more usable,
	the showq command was extended to safely list the possibly
	world-writable maildrop directory.  File:  showq/showq.c.

20010504

	Feature: postsuper -d will also delete defer and bounce
	logfiles when the named queue file is found.

20010505

	RFC 2821 feature: an SMTP server must reset all buffers
	upon receipt of EHLO. File:  smtpd/smtpd_check.c.

	RFC 2821 feature: an SMTP server must accept a recipient
	address of "postmaster" without domain name. File:
	smtpd/smtpd_check.c.

	RFC 2821 recommendation: reply with 503 to commands sent
	after 554 greeting. File:  smtpd/smtpd.c.

	RFC 2821 recommendation: if VRFY is enabled, list it in
	the EHLO response. File:  smtpd/smtpd.c.

	RFC 2821 recommendation: SMTP clients should use EHLO.
	The default setting of smtp_always_send_ehlo has changed
	from 0 (send EHLO if server greets with ESMTP) to 1 (always
	send EHLO). In all cases, Postfix falls back to HELO if
	the server does not support EHLO. File: smtp/smtp_proto.c.

20010507

	Bugfix: with soft_bounce=yes, the SMTP server would log
	5xx replies even though it would send 4xx replies to the
	client (Phil Howard, ipal.net). File: smtpd/smtpd_check.c.

20010515

	Compatibility: Microsoft sends "AUTH=MBS_BASIC LOGIN".
	Updated the parsing code in smtp/smtp_proto.c.  Problem
	reported by Ralf Tessmann, Godot GmbH.

20010520

	Standard: deleted the non-standard "via" portion from
	Received: headers generated by Postfix bounce or other
	notification processes.  File: global/post_mail.c.

	Robustness: eliminated stack-based recursion from the RFC
	822 address parser. File: global/tok822_parse.c.

	Standard: annotated the source code with comments based on
	RFC 2821 and 2822. Not all the RFC changes make sense.

	RFC 2821 recommendation: treat a RCPT 552 reply as if the
	server sent 452. Files: smtp/smtp_proto.c, lmtp/lmtp_proto.c.

	Cleanup: moved ownership of the debug_peer parameters from
	the applications to the library, so that a Postfix shared
	library does not suffer from undefined references.  Files:
	smtp/smtp.c, lmtp/lmtp.c, smtpd/smtpd.c, global/mail_params.c.
	LaMont Jones, for Debian.

20010522

	Feature: "postsuper -r queueID" re-queues a message, and
	"postsuper -r ALL" re-queues all mail. The message is moved
	to the maildrop queue so that the pickup daemon will copy
	it to a new queue file, and so that address rewriting will
	be done again. This is useful after changes of address
	rewriting or virtual mappings.

	Feature: "postsuper -d ALL [queue-name]" deletes a bunch
	of mail.

20010523

	Feature: "postsuper -s" (which is done by default) renames
	queue files whose name (queue ID) does not match the message
	file inode number.

	Bugfix: memory leak in the LDAP client module. Alain
	Thivillon, France Teaser - Groupe Firstream.

20010525

	Portability: gcc 2.6.3 does not have __attribute__ (Clive
	Jones, dgw.co.uk). File: util/sys_defs.h.

	Bugfix: the SMTP and LMTP clients claimed that a queue file
	needed to be delivered again (even when all recipients were
	erased from the queue file) when no QUIT or RSET reply was
	received (by default, this does not happen with SMTP mail
	because the SMTP client does not wait for QUIT replies and
	does not send RSET to deliver mail).  As a result of the
	same bug the LMTP client followed a dangling pointer when
	sending QUIT after process idle timeout while the LMTP
	server had disconnected.  Files:  smtp/smtp_proto.c,
	lmtp/lmtp_proto.c.

20010526

	newaliases no longer complains when an empty list is
	specified with the alias_database configuration parameter.
	File:  sendmail/sendmail.c.

20010529

	Workaround: old PIX firewall code messes up when the final
	".<CR><LF>" at the end of DATA spans a packet boundary.
	When Postfix detects PIX SMTP fixup mode, Postfix flushes
	the output buffers before sending the final ".<CR><LF>".
	File:  smtp/smtp_proto.c.

20010530

	Portability: updated code for Mac OS X, accounting for the
	post-Beta changes. Code by Joe Block, UCF School of
	Optics/CREOL.

20010601

	Safety: postdrop turns off interrupts when cleaning up
	after interrupt. The additional safety does not hurt anyone.
	File: src/postdrop/postdrop.c.

20010607

	Safety: dropped the RFC 2821 compliant code that treats
	552 RCPT TO replies as 452. It created more problems than
	it solved. Files: smtp/smtp_proto.c, lmtp/lmtp_proto.c.

	Logging: the SMTP server now logs a warning if RBL lookups
	have problems other than "not found". file: smtpd/smtpd_check.c.

20010610

	Feature: address quoting and case folding flags for the
	pipe(8) mailer.

20010611

	Workaround: some MTAs fall on their face when they receive
	unexpectedly long lines. From now on, Postfix defaults to
	breaking long lines at 2048 (like Sendmail so it has got
	to be right). To get the old, content preserving, behavior
	specify "smtp_truncate_lines = no". File: smtp/smtp_proto.c.

20010614

	Bugfix: did not really undo 2821 552->452 mapping.

20010628

	Bugfix: postfix-script used a hard-coded maildrop group
	owner instead of using the install-time specified name
	stored in /etc/postfix/install.cf. Problem reported by
	David Terrell @ meat.net.

20010701

	Feature: mail_spool_directory ending in / causes maildir
	style delivery.

	Bugfix: the FreeBSD kernel parameters kern.ipc.nmbclusters
	and kern.ipc.maxsockets cannot be set with sysctl commands.
	File: html/faq.html. Len Conrad @ Go2France.com.

	Cleanup: the virtual delivery agent was poorly integrated
	so that the SMTP server and queue manager did not reject
	mail for unknown users. Files: smtpd/smtpd_check.c.

20010705

	Feature: QMQP server, compatible with qmail and the ezmlm
	list manager.  Files:  util/netstring.[hc], qmqpd/qmqpd*.c.

20010706

	Feature: QMQP stress test message generator program.  Files:
	smtpstone/qmqp-source.c, smtpstone/qmqp-sink.c.

20010708

	Bugfix: with disable_dns=yes, the SMTP client treated all
	host lookup errors as permanent. File: smtp/smtp_addr.c.

20010709

	Feature: VERP support, based on a patch by Peng Yong, and
	with the missing parts filled in so that the Postfix bounce
	daemon can send one VERP bounce per undeliverable recipient.
	Files: , sendmail/sendmail.c, smtpd/smtpd.c, qmgr/qmgr_deliver.c,
	bounce/bounce_notify_verp.c, qmqpd/qmqpd.c, plus a couple
	support routines in the global library.

	Cleanup: with recipient_delimiter=+ (or any character other
	than -) Postfix will now recognize address extensions even
	with owner-foo+extension addresses. This is necessary to
	make VERP work for mailing lists.

20010710

	Bugfix: potential memory leak in the queue managers with
	the new VERP delimiter record. Fix by Patrik Rak.

20010711

	Cleanup: you can now specify the VERP delimiter characters
	on the sendmail(1) command line, but they are still optional.

	Safety: with maildir style delivery and with hashed mailboxes
	the system mail spool directory must not be world writable.

20010713

	Safety: the verp_delimiter_filter parameter (default: -=+)
	limits what characters Postfix accepts as VERP delimiter
	characters.

20010714

	Logging: the queue manager now logs a "status=expired"
	record when it returns a message that is too old.  Files:
	*qmgr/qmgr_active.c.

20010719

	Feature: stiffer coupling between mail receiving rates and
	mail delivery rates, using a trivial token-based scheme,
	implemented by reading and writing an in-memory pipe.  The
	queue manager produces one token when it retrieves mail
	from the incoming queue. The cleanup daemon consumes one
	token when it adds mail to the incoming queue. If no token
	is available the cleanup server pauses for $in_flow_delay
	seconds and proceeds anyway. The delay allows mail sending
	process to catch up and access the disk while not blocking
	inbound mail. Valid delays are 0..10 seconds.

20010727

	Bugfix: updated LDAP client module from LaMont Jones, HP.
	This also introduces new LDAP query filter patterns: %u
	(address localpart) and %d (domain part). Files:
	conf/sample-ldap.cf, util/dict_ldap.c.

20010729

	Bugfix: recursive smtpd_whatever_restrictions clobbered
	intermediate results when switching between sender and
	recipient address restrictions. Problem found by Victor
	Duchovni, morganstanley.com. In order to fix, introduced
	address resolver result caching, which should also help to
	speed up sender/recipient address restriction processing.

	Bugfix: the not yet announced DUNNO access table lookup
	result did not prevent lookups with substrings of the same
	lookup key. Found by Victor Duchovni, morganstanley.com.

20010730

	Robustness: trim trailing whitespace from regexp and pcre
	right-hand sides, for consistency with DB/DBM tables.
	Files: util/dict_pcre.c, util/dict_regexp.c.

20010731

	Robustness: eliminate duplicate IP addresses after expansion
	of hostnames in $inet_interfaces, so that Postfix does not
	suddenly refuse to start up after someone changes the DNS.
	Files:  util/inet_addr_list.c global/own_inet_addr.c.

	Feature: specify "disable_verp_bounces = yes" to have
	Postfix send one RFC-standard, non-VERP, bounce report for
	multi-recipient mail, even when VERP style delivery was
	requested.

20010801

	Bugfix: postconf was using unexpanded values internally
	for myhostname, inet_interfaces, and mynetworks_style.
	This broke the "postconf -d" mynetworks computation.  File:
	postconf/postconf.c.

20010803

	Feature: masquerade_classes parameter for fine control of
	address masquerading. The default setting is backwards
	compatible: envelope_sender header_sender header_recipient.
	Files: cleanup/whatever.c.

20010822

	Code cleanup: the bounce daemon complained about data that
	it was not going to send back anyway. Fix: stop reading
	the original message when the bounce message reaches the
	bounce message size limit. File: bounce/bounce_notify_util.c.

20010826

	Logging: postsuper now logs the queue ID when it requeues
	a message, or when it deletes a message from the mail queue.
	File: postsuper/postsuper.c.

20010830

	Safety: the SMTP server now sends a 4xx (try again later)
	response when an UCE restriction is misconfigured, instead
	of ignoring the bad restriction and possibly accepting mail
	that it should not accept.   File: smtpd/smtpd_check.c.

20010907

	Workaround: the Postfix qmqp-source program produced mail
	not ending in newline. qmail-qmqpd accepts such mail, but
	qmail-remote is unable to deliver it.  Matthias Andree,
	uni-dortmund.de. File: smtpstone/qmqp-source.c.

20010910

	Bugfix: the smtp-sink stress test program broke when RCPT
	TO commands crossed network packet boundaries. Problem
	reported by Matthias Andree, uni-dortmund.de.  File:
	smtpstone/smtp-sink.c.

20010917

	Code cleanup: permit_mx_backup implements the old behavior
	(accept mail if the local MTA is MX relay), and allows an
	additional restriction via the permit_mx_backup_networks
	parameter (accept mail only if the primary MX hosts match
	the specified list of network blocks). This second restriction
	is now entirely optional, for backwards compatibility.

	Bugfix: an address extension could be appended multiple
	times to the result of a canonical or virtual map lookup.
	File: global/mail_addr_map.c.  Fix by Victor Duchovni,
	Morgan Stanley.

	Bugfix: split_addr() would split an address even when there
	was no data before the recipient delimiter. In combination
	with the above bug, this could cause an address to grow
	exponentially in size.  Problem reported by Victor Duchovni,
	Morgan Stanley.  File:  global/split_addr.c.

20010918

	Bugfix: the mail_addr_map() fix was almost but not quite
	right. It took two clever people and several iterations of
	email to really fix the mail_addr_map() problem.  Thanks
	to Victor Duchovni and Liviu Daia.

20011006

	Cleanup: Postfix no longer flushes the whole deferred queue
	after an ETRN request for a random domain name (i.e. a
	domain name not matched by $fast_flush_domains); the SMTP
	server instead replies with "459 service unavailable".
	Files:  smtpd/smtpd.c, global/flush_clnt.c, flush/flush.c.

20011008

	Bugfix: there was a minute memory leak when an smtpd access
	restriction was misconfigured. File: smtpd/smtpd_check.c.

20011010

	Code cleanup: Postfix daemons now print the name of the
	UNIX-domain socket (instead of "unknown stream") in case
	of a malformed client request. Files:  master/*server.c.

20011010-14

	Code cleanup: replaced the ugly mail_print() and mail-scan()
	protocols by (name,value) attribute lists. This gives better
	error detection when we make changes to internal protocols,
	and allows new attributes to be introduced without breaking
	everything immediately. Files: util/attr_print.c util/attr_scan.c
	global/mail_command_server.c global/mail_command_client.c
	as wel as most Postfix applications and daemons.

20011015

	Put base 64 encoding into place on the replaced internal
	protocols.  Files: util/base64_code.[hc].

	Feature: header/body REJECT rules can now provide text that
	is sent to the originator. Files: cleanup/cleanup.c,
	cleanup/cleanup_message.c, conf/sample-filter.cf.

20011016

	Bugfix: As of 20000625, Errors-To: was broken, because the
	code to extract the address was not moved from recipient
	address rewriting to sender address rewriting. Problem
	reported by Roelof Osinga @ nisser.com. File:
	cleanup/cleanup_message.c.

20011029

	Bugfix: virtual map expansion terminated early because the
	detection of self-referential entries was flawed.  File:
	cleanup/cleanup_map1n.c.

20011031

	Bugfix: mail_date() mis-formatted negative time zone offsets
	with fractional hours (-03-30 instead of -0330). Fix by
	Chad House, greyfirst.ca. File: global/mail_date.c.

20011102

	Feature: new -f option to postmap and postalias (do not
	lowercase the lookup key while creating a table). Files:
	util/dict.h postmap/postmap.c postalias/postalias.c.

	Code cleanup: simplified the attribute print/scan routines,
	and removed the never-used support for sending and receiving
	integer arrays and string arrays. Files: util/attr_print.c,
	util/attr_scan.c.

	Bugfix: qmqpd could read past the end of a string while
	looking for qmail's VERP magic token in the envelope sender
	address.  File: qmqpd/qmqpd.c.

	Code cleanup: finished testing the new internal protocols.
	The only bug was with the flush server, which still needs
	to support the old (string + null byte) protocol for triggers
	from the Postfix master daemon.

20011103

	Bugfix: Postfix would log the wrong error text when locally
	submitted mail was deferred due to "soft_bounce = yes".

	Bugfix: The LDAP client dropped any entries that don't have
	the result_attribute, but errored out when a DN didn't
	exist.  The behavior is now consistent: treat non-existant
	DN's in a special result attribute expansion the same as
	DN's with no attribute.  LaMont Jones, HP.

20011104

	Bugfix: the new smtp-sink -n option (terminate after the
	specified number of deliveries) wasn't optional.

	Portability: updated Mac OS X documentation and install
	scripts by Gerben Wierda.

20011105

	Bugfix: missing terminator in new attribute-based function
	call caused signal 11. File: src/cleanup/cleanup.c.

	Lame workaround for ESTALE errors with mail delivery over
	NFS. Additional bandages were added to the local delivery
	agent. However, Wietse maintains that Postfix offers no
	guarantee for reliable delivery over NFS.

	Feature: put "warn_if_reject" before an smtpd restriction,
	and that restriction logs warnings without rejecting mail.
	This makes it easier to test configurations "live" without
	having to lose mail. File: smtpd/smtpd_check.c.

20011107

	Workaround: in order to get mail past PIX firewall bugs,
	the Postfix SMTP client now blocks until the socket send
	buffer is empty before sending the final ".<CR><LF>". Files:
	util/sock_empty_wait.c, smtp/smtp_proto.c. Changed into
	sleep(10) on 20011119. Sleep suggested by Hobbit.

20011108

	Feature: added string-null encoding for internal protocols.
	Files: util/attr_print0.c, util/attr_scan0.c.

	Feature: configurable parent domain matching for domain
	and hostname/address match lists: either .domain or the
	domain name itself. Files: util/match_ops.c util/match_list.c

	Feature: added pretend-to-be-behind-PIX mode to the smtp-sink
	test program, in order to stress test some PIX bug workaround
	code.

20011109

	Workaround: Linux and Solaris systems have no reasonable
	way to block until a socket drains. On these systems Postfix
	simply waits for 10 seconds, in order to work around PIX
	".<CR><LF>" bugs.  File: util/sock_empty_wait.c.

20011114

	Bugfix: reset the smtpd command transaction log between
	deliveries. File: smtpd/smtpd.c.

20011115

	Feature: mailbox_command_maps no longer requires that every
	user has an entry. If the user does not have a command
	entry, the local delivery agent tries the other delivery
	methods (mailbox_command, home_mailbox).  File: local/mailbox.c.

	Bugfix: reset the smtpd command transaction log between
	non-deliveries. File: smtpd/smtpd.c.

20011116

	Bugfix: consolidated all the command transaction log resets
	and eliminated one missing reset (Victor Duchovni, Morgan
	Stanley). File: smtpd/smtpd.c.

20011118

	Cleanup: replaced unnecessary match_list wrapper code by
	macros. Files:  global/{string,domain,namadr}_list.[hc].

20011119

	Feature: configurable parent domain matching strategy for
	transport map lookups. File:  trivial-rewrite/transport.c.

	New parent_domain_matches_subdomains parameter. This lists
	all the Postfix features where a domain name matches itself
	and all its subdomains (instead of requiring ".domain.name"
	for subdomain matches).  Planning for future backwards
	compatibility :-)  File:  global/match_parent_style.c.

	Workaround: simplified the PIX ".<CR><LF>" bug to always
	sleep for 10 seconds.  File: smtp/smtp_proto.c.

20011120

	Workaround: disable attribute string length restriction so
	that trivial-rewrite does not refuse to rewrite broken mail
	headers.  Files:  util/attr_scan*.c.

20011121

	Bugfix: missing long integer support in the new IPC protocols.
	Files: util/attr_scan*.c, util/attr_print*.c.

	Portability: AIX5 (Adrian P. van Bloois), MAC OS X 10.1.1
	(Gerben Wierda).

20011125

	Bugfix: spurious postmaster notifications because some flag
	was not reset.

	Feature: new parameter smtpd_sender_login_maps that specifies
	the (SASL) login name that owns a MAIL FROM address.
	Specify a regexp table in order to require a simple one-to-one
	mapping. This is used in the reject_sender_login_mismatch
	sender anti-spoofing feature.

	Feature: restriction reject_sender_login_mismatch refuses
	a MAIL FROM address when $smtpd_sender_login_maps specifies
	an owner but the client is not (SASL) logged in as the MAIL
	FROM address owner, or when a client is (SASL) logged in
	but the client login name does not own the MAIL FROM address
	according to $smtpd_sender_login_maps.  File: smtpd/smpd_check.c.

	Documentation: added some redundancy to the LMTP_README
	file so people can keep track of the difference between
	the Postfix LMTP client and the non-Postfix LMTP server.

20011126

	Feature: smtpd_noop_commands specifies a list of commands
	that are treated as NOOP (no operation) commands, without
	syntax check or state change.  File: smtpd/smtpd.c.

	Bugfix: the "mark queue file as corrupt" code did not work
	because it was never used.  Files: global/mark_corrupt.c,
	global/mail_copy.c, global/pipe_command.c, *qmgr/qmgr_active.c,
	local/maildir.c, local/mailbox.c, local/command.c, pipe/pipe.c,
	virtual/mailbox.c, virtual/maildir.c.

	Bugfix: the bounce daemon broke in the unlikely case of a
	non-existing queue file. File: bounce/bounce_notify_util.c.

20011127

	Feature: added WARN command to header/body_checks files as
	proposed by Michael Tokarev. File: cleanup/cleanup_message.c.

	Bugfix: the postdrop program was broken after the change
	of Postfix internal protocols. This broke "sendmail -bs"
	mail submissions with "secure" maildrop directory.  Reported
	by Craig Loomis, apo.nmsu.edu. File: postdrop/postdrop.c.

	Feature: a first start at fault injection for testing
	unlikely error scenarios (such as corrupt queue files).
	Parameter: fault_injection_code, must be left at zero for
	production use.

20011128

	Robustness: add a file size limit to the sendmail and
	postdrop submission programs to stop run-away process
	accidents. This is not a defense against DOS attack.  Files:
	sendmail/sendmail.c, postdrop/postdrop.c.

	That resulted in a considerable amount of work to properly
	propagate "file too large" conditions back to the sendmail
	mail posting user interface. Took the opportunity to express
	other mail submission fatal exits with the <sysexits.h>
	exit status codes.  Files: sendmail/sendmail.c,
	postdrop/postdrop.c.

20011129

	Maintenance: dict_ldap.c wasn't updated after the revision
	of the string matching routines. File: util/dict_ldap.c.

20011208

	Maintenance: LDAP module and documentation from LaMont
	Jones.  This version adds verbose logging for LDAP library
	routines. Files: src/util/dict_ldap.[hc], LDAP_README,
	conf/sample-ldap.cf

	Portability: made memory alignment restrictions configurable.
	File: util/mymalloc.c.

	Bugfix? Avoid surprises with source routed destinations
	and OK entries in SMTPD access maps. File: smtpd/smtpd_access.c.

	Security: "postfix check" looks for damage by well-intended
	but misguided use of "chown -R postfix /var/spool/postfix".
	That would make chrooted Postfix less secure than non-chrooted
	Postfix.  These extra tests may cause complaints with
	third-party patches such as TLS that introduce their own
	files into the jail.

	Feature: static map type that always returns the map name
	as lookup value, regardless of lookup key value. Contributed
	Jeff Miller (jeffm at ghostgun.com)

	Feature: turn off the PIX <CR><LF>.<CR><LF> workaround for
	the first mail delivery attempt, i.e. when mail is queued
	for less than $smtp_pix_workaround_threshold_time (default:
	500) seconds. New parameter $smtp_pix_workaround_delay_time
	to control the delay before sending .<CR><LF> (default: 10
	seconds) when doing the PIX <CR><LF>.<CR><LF> workaround.

20011210

	Bugfix: the 20011128 change in sendmail and postdrop did
	not handle the case of message_size_limit=0. Fix by Will
	Day, Georgia Tech.

20011212

	Compatibility: The SMTP server now accepts <CR><CR><LF> as
	if the client sent <CR><LF>. Reportedly, some badly written
	windows software produces such garbage, and some badly
	written windows anti-VIRUS software cannot handle such
	garbage. File:  global/smtp_stream.c.

20011214

	Bugfix: postmap/postalias queries ignored the -f flag.
	Reported by Hamish Marson.

20011217

	Compatibility: Sendmail now has a -L option to set the
	syslogging label. Postfix sendmail uses syslog_name instead,
	and ignores the -L option.

	Security: subtle hardening of the Postfix chroot jail,
	Postfix queue file permissions and access methods, in case
	someone compromises the postfix account.  Michael Tokarev,
	who received the insights from Solar Designer, who tested
	Postfix with a kernel module that is paranoid about open()
	calls.  Files:  master/master_wakeup.c, util/fifo_trigger.c,
	postfix-script.

	Convenience: issue a warning instead of aborting when the
	local machine name is not in fully-qualified domain form.
	This would otherwise break initial postfix installation
	which needs the postconf command. File: global/mail_params.c.

20011220

	Added more garbage detection to postconf -e input processing.

20011221

	Feature: SMTPD access map lookups of null sender addresses.
	If your access maps cannot store or look up null string
	key values, specify "smtpd_null_access_lookup_key = <>"
	and the null sender address will be looked up as <> instead.
	File:  smtpd/smtpd_access.c.

20011223

	Safety: configuration file comments no longer span multiple
	lines when the next line begins with whitespace; multi-line
	input is no longer terminated by a comment line, by an all
	white space line, or by an empty line. Michael Tokarev made
	the crucial suggestion to simplify the readline routine.
	Files:  util/readlline.c, postconf/postconf.c.

	Cleanup: proper detection of big number overflow in EHLO
	and MAIL FROM size announcements, with input from Victor
	Duchovni, Morgan Stanley. Files: global/off_cvt.c,
	smtpd/smtpd.c, smtp/smtp_proto.c, util/alldig.c.

	Forward compatibility: added queue file record types for
	original recipient and for generic named attributes.

	Cleanup: safe_open() now returns sensible errno values so
	that the fifo_trigger() external interface is restored.

20011225

	Upgrade: PCRE_README now describes PCRE version 3.x.

	Cleanup: flush SMTPD command history upon receipt of EHLO,
	RSET, and upon DATA completion, only if it exceeds
	$smtpd_history_flush_threshold lines (default: 100).
	Distant derivative of code by Michael Tokarev.  File:
	smtpd/smtpd.c.

20011228

	Bugfix: a readlline() error message showed less text than
	intended. Christian von Roques.

	Cleanup: postfix now installs with group-writable maildrop
	directory and with a set-gid postdrop mail submission
	command.  The pickup service is now unprivileged.  The
	world-writable maildrop directory no longer exists.

	The cleanup service is now public, in preparation for local
	sendmail/postdrop mail submission that avoids the maildrop
	queue directory while Postfix is up.

	Cleanup: moved the main.cf/master.cf file editing from the
	postfix-script file to the INSTALL.sh file.

	Cleanup: INSTALL.sh no longer accepts "no" as the destination
	of Postfix manual pages.

20011230

	Cleanup: the code for "mailq", "sendmail -q", and for
	"sendmail -qRsite" was moved from the sendmail command to
	a new set-gid postqueue command. The pickup and qmgr FIFOs
	are no longer world writable. Files: sendmail/sendmail.c,
	postqueue/postqueue.c.

20020101

	Security: new alternate_config_directories parameter that
	specifies what directories a set-gid command will accept
	as its configuration directory. The list must be specified
	in the default main.cf file. File: global/mail_conf.c.

	Cleanup: "sendmail -qRsite" is no longer implemented by
	connecting to the SMTP port. It is now implemented by
	talking to the fast flush service. File: postqueue/postqueue.c.

20020203

	Cleanup: INSTALL.sh now records all installation information
	in the main.cf file. The now obsolete install.cf file is
	used only when upgrading from an older Postfix release.

	Cleanup: INSTALL.sh now takes name=value settings on the
	command line, and has a new "-upgrade" command line option
	to turn on non-interactive installation.

	Security: additional run-time checks to discourage sharing
	of Postfix user/group ID values with other accounts.

20020105

	Cleanup: SMTPD access maps now return DUNNO (undetermined)
	instead of OK when a recipient address contains multiple
	domains (user@dom1@dom2, etcetera).  Victor Duchovni, Morgan
	Stanley.  File:  smtpd/smtpd_check.c.

20020106

	Bugfix: SMTPD access maps did not handle address extensions.
	File: smtpd/smtpd_check.c.

20020107

	Bugfix: postfix-script, when creating a missing maildrop
	queue directory, still referenced install.cf when setting
	maildrop directory group ownership; and the postfix command
	did not export the setgid_group parameter to the postfix-script
	shell script.  Victor Duchovni.

	Bugfix: postfix-script, when creating a missing public
	queue directory, did not set group ownership of the public
	directory.

20020109

	Cleanup: rewrote the Postfix installation procedure again.
	It is now separated into 1) a primary installation script
	(postfix-install) that installs files locally or that builds
	a package for distribution and that stores file owner and
	permission information in /etc/postfix/post-files, and 2)
	a post-installation script (/etc/postfix/post-install) that
	creates missing directories, that sets file/directory
	ownership and permissions, and that upgrades existing
	configuration files if necessary.

20020110

	Workaround: AIX null read() return on an empty but open
	non-blocking pipe. File:  master/master_flow.c.  Report:
	Hamish Marson.

20020111

	Feedback: feedback, bugfixes, and brain-dead shell workarounds
	for the install scripts by Victor Duchovni and Simon Mudd.

20020113

	Rewrote postfix-install. The postfix-files file now controls
	what is installed.  Refined the semantics of many post-install
	operations. post-install now auto-saves settings that
	override main.cf.

20020114

	Bugfix: alternate_config_directories did not take comma or
	whitespace as separators. File: global/mail_conf.c.  Victor
	Duchovni, Morgan Stanley.

	Bugfix: the rewritten postfix-install script did not chattr
	+S the Postfix queue.

20020115

	Cleanup: added sample_directory and readme_directory
	installation parameters for sample configuration files and
	for README files. Files: postconf.c, postfix-install,
	conf/postfix-files, conf/post-install.

	Robustness: the postfix command now exports all installation
	parameter settings, and input filters the environment, so
	that the startup shell scripts produce a consistent result.
	Files: postconf.c.

20020117

	Portability: patch from LaMont Jones for compiling dict_ldap.c
	with the Netscape SDK.

	Feature: added "r" (recursive chown/chgrp) flag to the
	postfix-files database, for more convenient change of
	Postfix queue ownership. Files: conf/postfix-files,
	conf/post-install.

20020122

	Documentation: lots of little fixes.

	Documentation: updates for the VIRTUAL_README file by Victor
	Duchovni, Morgan Stanley.

	Bugfix: postqueue -s dereferenced a null pointer when given
	a numerical domain argument. LaMont Jones, HP.

	Cleanup: smtpd now logs a warning when permit_sasl_authenticated
	is used while SASL authentication is disabled, instead of
	simply ignoring the restriction. LaMont Jones, HP. File:
	smtpd/smtpd.c.

	Safety: when postmap creates a non-existent file, the new
	file inherits group/other read permissions from the source
	file.  Based on code by LaMont Jones, HP.  File:
	postmap/postmap.c.

20020123

	Portability: some Linux systems install libnsl.so without
	libnsl.a file, causing an yp_match undefined reference
	problem.  File: makedefs.

20020124

	Portability: post-install now requests that command_directory
	is given on the command line when the postconf command is
	in an unusual place.

	Safety: extra code to detect and report Berkeley DB version
	mismatches between compile time and run time.  This test
	is limited to mismatches in the major version number only.
	File:  util/dict_db.c. Based on code by Lawrence Greenfield,
	Carnegie-Mellon university.

	Safety: the postfix command and the master daemon abort if
	they are running set-uid.

	Documentation: the postmap manual page described an out of
	date input file format.

20020129

	Workaround: SCO version 3.2 can't ioctl(FIONREAD) a pipe.
	Therefore, input mail flow control is disabled by default.
	Files:  makedefs, global/mail_params.h, conf/main.cf.
	Problem reported by Kurt Andersen, Agilent.

20020201

	Workaround: changed the default smtpd_null_access_lookup_key
	setting to <>, because some Bezerkeloid DB implementations
	can't handle null-length lookup keys.  File: global/mail_params.h.

	Bugfix: backed out a null-length address panic call by
	ignoring the problem, like Postfix did in the past.  File:
	global/resolve_local.c.

	Safety: "postfix check" will now warn if /usr/lib/sendmail
	and /usr/sbin/sendmail differ, and will propose to replace
	one by a symlink to the other. File: conf/postfix-script.

20020204

	Sanity: additional permission checks for "postfix check"
	that warn for setgid_group group ownership mismatches.  by
	Matthias Andree, uni-dortmund.de. File: conf/postfix-script.

	Bugfix: "postfix check" used a too simplistic way to
	recognize file ownership (grepping ls output). It now uses
	the recently discovered "find -prune".  Peter Bieringer,
	Matthias Andree. File: conf/postfix-script.

20020218

	Workaround: log a warning and disconnect when an SMTP client
	ignores our negative replies and starts sending message
	content without permission. File: smtpd/smtpd.c.

20020220

	Bugfix: mismatch in the file being locked by dict_dbm and
	the file being locked by postmap, so that locks did not
	work correctly.  Victor Duchovni, Morgan Stanley.

20020222

	Workaround: Solaris bug 4380626: strcasecmp() and strncasecmp()
	produce incorrect results with 8-bit characters. For example,
	non-ASCII characters could compare equal to ASCII characters,
	and that could result in any number of security problems.
	Files:  util/strcasecmp.c, COPYRIGHT (the BSD license).

	Bugfix: off-by-one error, causing a null byte to be written
	outside dynamically allocated memory in the queue manager
	with addresses of exactly 100 bytes long, resulting in
	SIGSEGV on systems with an "exact fit" malloc routine.
	Experienced by Ralf Hildebrandt; diagnosed by Victor
	Duchovni. Files:  *qmgr/qmgr_message.c.  This is not a
	security problem.

	Bugfix: make all recipient comparisons transitive, because
	Solaris qsort() causes SIGSEGV errors otherwise. Victor
	Duchovni, Morgan Stanley. File: *qmgr/qmgr_message.c.

20020302

	Bugfix: don't strip source route (@domain...:) when the
	result would be an empty address. This avoids problems when
	append_at_myorigin is set to "no" (which is not supported).
	Problem reported by Charles McColgan, Big Fish Communications.
	File:  trivial-rewrite/rewrite.c.

20020304

	Cleanup: postqueue should not not complain when output
	fails with "broken pipe".

20020308

	Bugfix? reply with 550 not 552 when content is rejected.
	552 is reserved for "too much mail".

	Documentation: add note to sendmail manual page that running
	"sendmail -bs" as $mail_owner enables SMTP server UCE and
	access control checks. This is meant for use from inetd
	etc.  Matthias Andree.

20020311

	Bugfix: DBM maps should use different files for locking
	and for change detection.  Problem reported by Victor
	Duchovni, Morgan Stanley.  Files: util/dict.h util/dict.c
	util/dict_db.c util/dict_dbm.c global/mkmap.c local/alias.c.

20020313

	Bugfix: mailq could show addresses with unusual characters
	twice.  Problem reported by Victor Duchovni, Morgan Stanley.
	File: showq/showq.c.

	Bugfix: null recipients weren't properly recorded in
	bounce/defer logfiles. Such recipient addresses are not
	accepted in SMTP mail, but they could appear within locally
	submitted mail.  File: bounce/bounce_append_service.c.

20020318

	Workaround: Berkeley DB can't handle null key lookups,
	which happen with HELO names ending in ".".  Victor Duchovni,
	Morgan Stanley. File: smtpd/smtpd_check.c.

	Logging: log a hint when mail is deferred because the
	soft_bounce parameter is set. People sometimes forget to
	turn it off. File: global/bounce.c.

20020319

	Cleanup: add a msg_warn() call when fork() fails in
	pipe_command(), to make problems easier to investigate.
	Chris Wedgwood. File:  global/pipe_command.c.

20020320

	Feature: smtp_helo_name parameter to specify the hostname
	or [ip.address] in HELO or EHLO commands. Files: smtp/smtp.c
	smtp/smtp_proto.c.

20020324

	Cleanup: more graceful handling of long physical message
	header lines upon input. Physical header lines can now
	extend up to $header_size_limit characters. When a logical
	message header is too long, the excess text is discarded
	and Postfix no longer switches to body mode, to avoid
	breaking MIME encapsulation.  Based on code by Victor
	Duchovni, Morgan Stanley.  Files:  cleanup/cleanup_out.c,
	cleanup/cleanup_message.c.

	Cleanup: more graceful handling of long physical message
	header or body lines upon output by the SMTP client. The
	SMTP client output line length is controlled by a new
	parameter smtp_line_length_limit (default: 990; specify 0
	to disable the limit). Long lines are folded by inserting
	<CR> <LF> <SPACE>, to avoid breaking MIME encapsulation.
	Based on code by Victor Duchovni, Morgan Stanley.  File:
	smtp/smtp_proto.c.

20020325

	Cleanup: allow additional text after a WARN command in a
	header/body_checks pattern file, so that one can change
	REJECT+text into WARN+text and vice versa. Based on code
	by Fredrik Thulin, Stockholm University.

	Cleanup: log a warning when an unknown command is found in
	a header/body_checks pattern file, or when additional text
	is found after a command that does not expect additional
	text. Based on code by Fredrik Thulin, Stockholm University.

	Bugfix: sendmail should not recognize "." as the end of
	input when the current read operation started in the middle
	of a line.  Victor Duchovni, Morgan Stanley. File:
	sendmail/sendmail.c.

20020328

	Portability fix for OPENSTEP and NEXTSTEP by Gerben Wierda.
	File: util/sys_defs.h.

20020329

	Bugfix: defer_transports broke because the flush server
	triggered mail delivery (as if ETRN was sent) while doing
	some internal housekeeping of per-destination logfiles.
	Problem experienced by LaMont Jones, HP. File: flush/flush.c.

	Bugfix: virtual mapping broke for addresses with embedded
	whitespace. Fix by Victor Duchovni, Morgan Stanley. File:
	cleanup/cleanup_map1n.c.

	Feature: configurable service name for the internal services:
	bounce, cleanup, defer, error, flush, pickup, queue, rewrite,
	showq. This allows you to specify, for example, a non-default
	cleanup service (smtpd -o cleanup_service_name=alt_cleanup).
	Files: global/mail_params.[hc].

	Feature: SASL version 2 support by Jason Hoos. Files:
	*/*_sasl_glue.c, SASL_README, conf/sample-auth.cf.

20020330

	Bugfix: postqueue did not pass on non-default configuration
	directory settings when running showq while the mail system
	is down.  The super-user is now exempted from environment
	stripping in postqueue/postqueue.c. Problem reported by
	Victor Duchovni, Morgan Stanley.

20020402

	Workaround: recognize more headers that are sent instead
	of SMTP commands. File: smtpd/smtpd.c.

20020413

	Feature: new pipe delivery agent "D" flag to prepend a
	Delivered-To:  message header. This requires single recipient
	deliveries. Based on code by Matthias Andree. File:
	pipe/pipe.c.

20020414

	Portability: Postfix will no longer attempt to build with
	gdbm support, because gdbm is broken. File:  makedefs.

20020415

	Cleanup: the attribute list IPC code did not distinguish
	between "disconnect" and "timeout" while reading an attribute
	list, making trouble shooting more difficult than necessary.
	Files:  util/attr_scan0.c, util/attr_scan64.c.

	Cleanup: install parameter defaults can now be overruled
	from makedefs: sendmail_path, mailq_path, newaliases_path,
	command_directory, daemon_directory. Based on code by Victor
	Duchovni, Morgan Stanley. File: util/sys_defs.h.

20020411

	Cleanup: Use more robust quoting passing makedefs/Makefile
	settings. This also simplifies the seven backslashes example
	in the INSTALL file.  Victor Duchovni, Morgan Stanley.
	Files: makedefs, INSTALL.

20020417

	Bugfix: the post-install script failed to upgrade master.cf
	settings from private to public if the service was explicitly
	configured as private.

20020418

	Documentation: added CPU saving patterns for quickly skipping
	base 64 encoded text in message bodies.  Liviu Daia.  Files:
	{proto,conf}/pcre_table, {proto,conf}/regexp_table,
	conf/sample_{regexp,pcre}_body.cf.

20020426

	Bugfix: the SMTP client forgot to quote whitespace etc.
	in a sender/recipient address when DNS lookup was turned
	off (disable_dns_lookups = yes). Problem experienced by
	Chip Paswater. Files: smtp/smtp_proto.c.

20020501

	Feature: wildcard lookup in transport maps (lookup key
	"*").  Code developed with Lamont Jones, HP.

	Feature: a null transport:destination transport map entry
	means proceed as if the transport map lookup failed.  Code
	developed with Lamont Jones, HP.

	Feature: more efficient use of cache memory when a process
	opens multiple Berkeley DB tables; and faster performance
	creating large tables by using more buffer memory. Files:
	util/dict_db.[hc], global/mkmap_db.c. Victor Duchovni,
	Morgan Stanley.

20020503

	Cleanup: postqueue silently ignored command-line arguments
	following -p or -f options, instead of complaining; postqueue
	produced an incorrect error message (mail system down) when
	the command was installed with incorrect privileges.  File:
	postqueue/postqueue.c.

	Bugfix: while reporting a domain name or IP address syntax
	error, postqueue could dereference a dangling pointer with
	some getopt() implementations. LaMont Jones, HP.  File:
	postqueue/postqueue.c.

	Safety: postalias and postmap now drop root privileges
	while processing a non-root input file. Thus, the result
	should be writable to the source file owner. Specify the
	-o option if this is a problem. Files: postmap/postmap.c,
	postalias/postalias.c.

	Consistency: just like postmap, postalias now copies file
	permissions from the source file when it creates a new
	table for the first time. File: postalias/postalias.c.

20020504

	Portability: run-time test to avoid GDBM trouble.  File:
	util/dict_dbm.c.

20020505

	Cleanup: revised and simplified the transport map semantics.
	Null transport or nexhop fields now mean: "do not change":
	use what would be used if the transport map did not exist.
	This change eliminated a lot of code. The incompatibility
	is that a null transport field no longer defaults to
	$default_transport, but to $local_transport or $default_transport
	depending on the destination, and that a transport map only
	overrides relayhost when the table specifies explicit
	nexthop information.  Files:  trivial-rewrite/transport.c,
	trivial-rewrite/resolve.c.

	Cleanup: revised the user interface for controlling the
	Berkeley DB create and read buffer size controls. Files:
	util/dict_db.[hc], global/mail_params.[hc], global/mkmap_db.c.

20020507

	Cleanup: simplified the hash/btree cache management code.
	The caches are now per table instead of shared, and the
	default read cache size is reduced to 128 kBytes. File:
	util/dict_db.c.

20020508

	Bugfix: close user@domain@postfix-style.virtual.domain
	source routing relaying loophole involving postfix-style
	virtual domains with @virtual.domain catch-all patterns.
	Problem reported by Victor Duchovni. File:  smtpd/smtpd_check.c.

	Bugfix: mail_addr_map() used the "wrong" @ character in
	addresses with multiple @. Victor Duchovni. File:
	global/mail_addr_map.c.

	Bugfix: for address localpart quoting, now quote @ as a
	special character everywhere, except when resolving addresses.
	Previously, the @ was nowhere quoted as a special character,
	not even in SMTP commands.  Files:  global/quote_82[12]_local.c
	and clients.

20020509

	Safety: don't allow an OK access rule lookup result for
	user@domain@postfix-style.virtual.domain. Suggested by
	Victor Duchovni, Morgan Stanley. File: smtpd/smtpd_check.c.

	Bugfix: quote unquoted address localparts that need quoting.
	Files: global/tok822_parse.c, global/quote_82[12]_local.c.

	Documentation: simplified the advanced content filtering
	example, and included a more advanced example for those
	who want to squeeze out more performance without running
	multiple Postfix instances.  Text by Victor Duchovni, Morgan
	Stanley. File:  README_FILES/FILTER_README.

20020510

	Feature: header/body filters now log the origin of the
	message that is being rejected. Files: smtpd/smtpd.c,
	qmqpd/qmqpd.c, pickup/pickup.c, cleanup/cleanup_envelope.c,
	cleanup/cleanup_message.c.  Requested by Craig Sanders, if
	I remember correctly.

	Feature: the Postfix SMTP client now passes on MIME body
	type information (8bit, 7bit) received via SMTP, via MIME
	headers, or via the sendmail command line. Files:
	global/deliver_request.c, smtpd/smtpd.c, sendmail/sendmail.c,
	cleanup/cleanup_envelope.c, cleanup/cleanup_message.c,
	cleanup/cleanup_extracted.c, *qmgr/qmgr_message.c,
	*qmgr/qmgr_deliver.c, smtp/smtp_proto.c, lmtp/lmtp_proto.c.

20020511

	Feature: bounces now specify the proper MIME encoding (8bit,
	7bit), depending on the MIME body type information received
	via SMTP, via MIME headers, or via the sendmail command
	line. Files: global/bounce.c, global/defer.c, global/abounce.c,
	bounce/bounce_service.c, bounce/bounce_notify_util.c.

20020512

	Cleanup: the SMTP client logged and bounced the CNAME
	expanded recipient address, and thereby complicated trouble
	shooting.  File:  smtp/smtp_proto.c.

	Bugfix: the SMTP and LMTP clients bounced the quoted
	recipient address, resulting in too much quoting in bounce
	reports.  Files:  smtp/smtp_proto.c, lmtp/lmtp_proto.c.

20020513

	Bugfix: the LDAP client used the "wrong" @ character in
	addresses with multiple @. LaMont Jones, HP. File:
	util/dict_ldap.c.

	Feature: lots of new LDAP stuff: result_filter (filter to
	expand results from queries), chase_referrals, LaMont Jones,
	HP. The LDAP bind timeout now works thanks to Victor
	Duchovni, Morgan Stanley. File:  util/dict_ldap.c.

	Cleanup: specify "resolve_dequoted_address = no" to prevent
	Postfix from looking inside quotes for extra @ etc. characters
	when resolving an address. This behavior is technically
	more correct, but it opens a mail relay loophole with "user
	@domain"@domain when relaying mail to a Sendmail system.

20020514

	Bugfix: the new code for header address quoting sometimes
	did not null terminate strings so that arbitrary garbage
	could appear at the end of message headers.  Reported by
	Ralf Hildebrandt.  File:  global/tok822_parse.c.

	Safety: user@domain@domain is no longer accepted by the
	permit_mx_backup uce restriction (unless Postfix is configured
	with "resolve_dequoted_address = no"). Victor Duchovni,
	Morgan Stanley. File: smtpd/smtpd_check.c.

20020515

	Workaround: flush the SMTP client output buffer when no
	output has happened for 10+ seconds. This prevents the
	socket from timing out, in case DNS CNAME expansion is
	slow.  Problem experienced by Alex Erdelyi, peregrine.com.
	File:  smtp/smtp_chat.c. We did the same thing for the SMTP
	server years ago, and one wonders why the coin didn't drop
	at the time that the SMTP client could suffer from a similar
	problem.

20020516

	Updated the FILTER_README file to turn off DNS lookups in
	the SMTP client that feeds mail into a content filter.

20020517

	Cleanup: Mailbox-Line: message header labels should be
	X-Mailbox-Line:  labels. Files: smtpd/smtpd.c, qmqpd/qmqpd.c.

20020515-21

	Feature: new MIME parser, written from scratch, that
	recognizes the structure of MIME encapsulated mail. Influenced
	by comments from Victor Duchovni. This code can detect but
	will not decode obscure MIME formats or obscure character
	string encoding that Liviu Daia expresses concern about.

	MIME header scanning now happens in header_checks, and is
	faster than body_checks could ever be. This also eliminates
	the problem with multi-line MIME headers being matched one
	line at a time.  Files:  global/mime_state.[hc],
	cleanup/cleanup_message.c.

20020521-22

	Feature: 8-bit to quoted-printable conversion. First use
	in the Postfix SMTP client. File: smtp/smtp_proto.c.

	Logging: the Postfix SMTP and LMTP clients now report the
	the protocol stage when they report a server reply.  File:
	smtp/smtp_proto.c, lmtp/lmtp_proto.c.

	Bugfix: the SMTP server warned about ignored client attributes
	(these were introduced 20020510) in mail that was submitted
	with "sendmail -bs".  File: smtpd/smtpd.c.

20020525

	Feature: separation of header checks into header_checks
	(all primary headers except MIME related headers),
	mime_header_checks (all MIME headers including MIME headers
	at the start of messages) and nested_header_checks (headers
	of attached messages, except MIME related headers).

	Cleanup: broke out the header value parser from the MIME
	processor so that the code can be reused elsewhere. File:
	global/header_token.c.

	Compatibility: Postfix now recognizes "name :" as a valid
	message header, but normalizes it to "name:" form or else
	lots of things would break all over the place.  Files:
	global/is_header.c, global/mime_state.c.

20020526

	Bugfix: the SMTP server now disallows RCPT TO:<"">, just
	like it disallows RCPT TO:<>.  File: smtpd/smtpd.c.

	Feature: disable_mime_input_processing=yes/no controls
	whether Postfix recognizes (and optionally enforces) MIME
	formats while receiving mail. Default is NO.

	Feature: disable_mime_output_conversion=yes/no controls
	whether Postfix will convert 8BITMIME to 7BIT mail when
	delivering mail to an SMTP server that does not announce
	8BITMIME support.  Default is NO.

	Feature: strict_8bitmime=yes/no controls whether Postfix
	rejects 8-bit characters in headers and 7-bit body parts.
	This blocks mail from poorly written software, including
	majordomo approval requests that contain a valid 8BITMIME
	email message, as well as mail that is piped into ancient
	/bin/mail implementations that do not MIME format 8-bit
	content. Default is NO.

	Feature: strict_mime_encoding_domain=yes/no controls whether
	Postfix rejects illegal content transfer encodings for
	multipart/* and message/*. This blocks mail from poorly
	written software. Default is NO.

20020527

	Feature: "FILTER transport:nexthop" in header/body checks.
	After the message is queued, the message is sent through
	a content filter. This requires different cleanup servers
	before and after the filter, with header/body checks turned
	off in the second cleanup server.

20020528

	Feature: strict_7bit_headers and strict_8bitmime_body are
	now separately available. To to turn on both, use
	strict_8bitmime.

	Cleanup: abandon the use of isspace(3) in the parsing of
	RFC822 message headers. Files: global/lex_822.h and lots
	of little places.

	Documentation: replace domain.name by domain.tld in the
	example config files. The domain exists. They were getting
	mail from poorly configured Postfix boxes.

	Bugfix: The Postfix sendmail command did not export the
	MAIL_CONFIG environment setting to the postdrop command.
	File: global/mail_config.h.

	Incompatibility: by default, turn on the PCRE_DOTALL flag,
	so that PCRE patterns will match multi-line message headers
	without causing pain. Suggested by Michael Tokarev. Also
	documented all those darned undocumented PCRE flags in the
	pcre_table(5) manual page. Files:  util/dict_pcre.c,
	proto/pcre_table.

20020529

	Bugfix: mail rejected due to MIME errors was rejected
	without proper logging. Files: global/mime_state.c,
	cleanup/cleanup_message.c.

20020531

	Bugfix: the SMTP client code that prepends '.' to lines
	starting with '.' had to be moved from its old place to
	after the MIME output conversion. Problem found by Mark
	Martinec.  File: smtp/smtp_proto.c.

20020601

	Bugfix: the deliver_pass() routine needed updating for the
	extra MIME encoding attribute that was introduced 20020510.
	Patch by Sebastian Schaffert @ wastl.net.  File:
	global/deliver_pass.c.

20020604

	Workaround: Solaris non-blocking read() can fail on a socket
	with unread data according to ioctl FIONREAD.  Incredible.
	Diagnosis by Max Pashkov.  File:  smtp/smtp-sink.c.

	Weird feature: sender-based routing. This will become more
	useful once per-address transport map entries are done.
	File:  src/*qmgr/qmgr_message.c.

20020605

	Safety: header_address_token_limit limits the amount of
	memory and CPU that we're willing to spend while parsing
	addresses in message headers. The limit is expressed as a
	number of tokens. File: global/tok822_parse.c

20020608

	Feature: user@domain transport map lookup, based on code
	by Scott Cotton, from several years ago. Adding this code
	now was much less painful than it was in the past. Files:
	global/strip_addr.c, trivial-rewrite/transport.c.

20020610

	Cleanup: making user@domain transport map lookups work with
	sender-based routing was a bit tricky, because the null
	address must be handled sensibly. Files: global/resolve_clnt.c,
	trivial-rewrite/resolve.c. It ain't perfect yet, but close.

20020613

	Bugfix: postsuper -r was broken as of 20020510. The cleanup
	daemon would discard mail with MIME type information. Moved
	a bunch of sanity checks from the cleanup daemon to the
	pickup daemon, so the checks are in one place.  Problem
	experienced by Pavol Luptak. Files: pickup/pickup.c,
	cleanup/cleanup_extracted.c.

20020705

	Safety: log a warning when a domain is listed in mydestination
	and (virtual_maps or virtual_mailbox_maps).  This configuration
	error causes the Postfix SMTP server to reject recipients
	when the local_recipient_maps feature is enabled.  File:
	smtpd/smtpd_check.c.

200207011

	Portability: in the master daemon, the default now is to
	enable the signal handler code that writes a byte into a
	pipe, instead of the signal handler code that sets a global
	flag and hopes that select() will somehow wake up. File:
	master/master_sig.c. This is needed for some IRIX and
	UnixWare versions, but it should also produce a robust
	result on all other supported systems.

	Performance: the default SMTP connection establishment
	timeout is now 30 seconds, instead of the system default
	which can be atrociously large.

20020712

	When DNS lookup fails while delivering mail, report not
	only the domain name but also the DNS record type.  This
	should clue in people who ask why Postfix can't find a
	domain while nslookup can.  File:  dns/dns_lookup.c.

20020713

	Bugfix: undo change made at 20020610 that causes the trivial
	resolver client to loop when an address consists entirely
	of @ and . characters.  File: trivial-rewrite/resolve.c.

	Cleanup: Postfix no longer strips multiple '.' at the end
	of a domain name. One '.' is silently tolerated. Files:
	trivial-rewrite/rewrite.c, trivial-rewrite/resolve.c,
	global/resolve_local.c. This policy is too distributed.

20020715

	Feature: @domain.tld catch-all map entries for the virtual
	mail delivery agent. Files: global/virtual8_maps_find.c,
	virtual/mailbox.c, smtpd/smtpd_check.c.

	Feature: the virtual mail delivery agent now accepts address
	extensions (user+foo@domain.tld), ignores them when looking
	up users in its tables, but displays them in Delivered-To:
	message headers.  File: global/virtual8_maps_find.c.

20020716

	Feature: domain names in a masquerade_domains list can now
	be prefixed with !, in order to disable masquerading for
	that domain name and for its subdomains. File:
	cleanup/cleanup_masquerade.c.

20020717

	Bugfix: Mac OS X niscript (Netinfo) update by Gerben Wierda.
	File: auxiliary/MacOSX/niscript.

	Feature: The SMTP server reject_unknown_whatever restrictions
	now also attempt to look up AAAA (IPV6 address) records.
	Jun-ichiro itojun Hagino, IIJ labs. Files: smtpd/smtpd_check.c,
	dns/dns_lookup.c.

20020718

	Bugfix: unnecessary lookups for extended addresses by the
	virtual8_maps_find() routine. Victor Duchovni. His patch
	did not work, nor did my own, but the present version should
	be OK. File: global/virtual8_maps_find.c.

20020719

	Workaround: log a warning when an SMTP client name->address
	lookup results in a numeric IP address, and set the client
	hostname to "unknown". Some gethostbyname() implementations
	will actually accept such garbage and thereby allow sites
	to defeat the "reject_unknown_client" restriction. Problem
	reported by Wolfgang Rupprecht, fix based on analysis (but
	not code) by Victor Duchovni.

	Bugfix: memory leaks in the LDAP client by Victor Duchovni.
	File: util/dict_ldap.c.

	Bugfix: garbage in verbose "flush" server logging. Victor
	Duchovni.  File: flush/flush.c.

20020723

	Incompatibility: smtpd_sasl_local_domain now defaults to
	the null string. File: smtpd/smtpd.c, smtpd/smtpd_sasl_glue.c.

20020726

	Documentation: added GDB debugging instructions for sites
	that do not have X installed on the Postfix machine. Henrik
	Larsson, spambox.dk.

20020729

	Weird: installed RedHat 3.03 inside VMware, and no change
	was needed to build Postfix, except to recognize the Linux
	version.

	Bugfix: some mailers will announce ESMTP features in their
	HELO (not EHLO) response. Postfix did not ignore them.
	File: smtp/smtp_proto.c.

20020731

	Cleanup: permit_naked_ip_address is unsafe (especially when
	used with smtpd_recipient_restrictions) and will go away.
	Postfix now logs a warning. File: smtpd/smtpd_check.c.

20020801

	Cleanup: the warning message for matched header/body content
	was misleading. File: cleanup/cleanup_message.c.

	Safety: moved the "postsuper -r ALL" operation after the
	"postsuper -s" check that makes queue file names match
	inode numbers. This avoids loss of mail in the unlikely
	case that someone runs "postsuper -sr ALL" on a queue that
	was copied from another place.

	Feature: "postsuper -h" to put mail "on hold" and "postsuper
	-H" to release mail that was placed "on hold". This involves
	a new queue, which is appropriately named "hold".  Files:
	postsuper/postsuper.c, showq/showq.c.

20020803

	Feature: when a Delivered-To: mail delivery loop is detected,
	send the bounce to the mailing list owner. This required
	changes to the local delivery agent, a new bounce client
	stub, and a new bounce server stub and support routines
	for one recipient bouncing. Files: local/recipient.c,
	global/bounce_log.c, global/bounce.c, bounce/bounce.c,
	bounce/bounce_notify_util.c, bounce/bounce_one_service.c.

20020809

	Bugfix: the 20020531 bugfix could prepend '.' to lines when
	it shouldn't (but only when converting 8-bit mail to 7-bit).
	Problem experienced by Ralf Hildebrandt.  File:
	smtp/smtp_proto.c.

	Bugfix: smtpd_sender_login_maps did not do the @domain etc.
	wild-card lookups that were promised. Problem experienced
	by Sven Michels. File: smtpd/smtpd_check.c.

20020810

	Feature: new smtp-sink command-line options to specify the
	SMTP hostname, to disable ESMTP protocol support, to disable
	8BITMIME support, and to syslog selected commands.  File:
	smtpstone/smtp-sink.c.

20020814

	Feature: the queue manager now warns when mail for some
	destination is piling up in the active queue, and suggests
	a variety of remedies.  The qmgr_clog_warn_time parameter
	controls the time between warnings, mainly so that I could
	test the code. To disable these warnings, specify
	"qmgr_clog_warn_time = 0". Files:  *qmgr/qmgr_entry.c.

20020815

	Paranoia: truncate the DNS response length result value in
	case it is larger than the result buffer length (the resolver
	documentation is vague about this). File:  dns/dns_lookup.c.

20020816

	Cleanup: "postqueue -f" now also triggers delivery of mail
	in the maildrop directory. This is needed when the master
	does not frequently wake up the pickup service.  Files:
	global/mail_flush.c, postqueue/postqueue.c.

20020818

	Cleanup: the qmgr_site_hog_factor feature is gone (defer
	mail if a site uses up too much space in the active queue).
	Instead, the qmgr_clog_warn_time feature provides better
	solutions. File: qmgr/qmgr_message.c.

20020819

	Feature: new header/body_checks HOLD pattern that causes
	mail to be placed on the "hold" queue for manual inspection.
	Files: global/hold_message.[hc], cleanup/cleanup_message.c.

20020820

	Bugfix: yesterday's HOLD pattern code did not update the
	cleanup server's idea of the queue file name for error
	recovery and for error reporting purposes, so that incomplete
	or content rejected mail would not be deleted from the
	queue, and so that the bouncer would not find the queue
	file.

	Bugfix: the #ifdef that detects too old LDAP libraries was
	in the wrong place.  Victor Duchovni.  File: util/dict_ldap.c.

	Feature: new header/body_checks DISCARD pattern that causes
	mail to be silently discarded. Files: global/cleanup_user.h,
	cleanup/cleanup_message.c, cleanup/cleanup_api.c.

	Bugfix: the local delivery agent's mailbox duplicate delivery
	eliminator was not updated in the days that address extensions
	were added to Postfix. The other local duplicate eliminators
	probably need revision as well. File: local/mailbox.c.

20020821

	Feature: HOLD and DISCARD actions in SMTPD access tables.
	These requests are propagated to the cleanup daemon.  Files:
	cleanup/cleanup_envelope.c smtpd/smtpd_check.c.

	Cleanup: eliminate unnecessary references to the obsolete
	program_directory configuration parameter (but keep the
	parameter so as to not break existing installations).
	Matthias Andree, many little changes in documentation.

20020822

	Bit Rot: OpenLDAP incompatible change with URL parsing.
	Patches by Will Day, Georgia Tech, and Carsten Hoeger,
	SUSE.  File: util/dict_ldap.c.

20020823

	Bugfix: added a missing memset() call to wipe the lookup
	key in dict_db_delete(). This is needed by some Berkeley
	DB implementations. Patch by Katsu Yamamoto, Fujitsu.

	Bugfix: when permit_mx_backup is unable to make a decision
	due to DNS problems, set the "defer if reject" flag so that
	other restrictions will not cause mail to be rejected.
	File: smtpd/smtpd_check.c.

	Feature: instead of giving up immediately after DNS failure,
	turn on the "defer_if_permit" flag when reject_unknown_hostname,
	reject_unknown_sender_domain or reject_unknown_recipient_domain
	are unable to make a decision, and see if any subsequent
	restrictions would still cause the mail to be rejected.
	File:  smtpd/smtpd_check.c.

	Feature: "FILTER transport:nexthop" is now also available
	in SMTPD access tables.

20020826

	Workaround: HP-UX 11 accept() fails with ENOBUFS when the
	client disconnects early. File: sane_accept.c.

20020901

	Cleanup: postfix-install no longer installs all the manual
	pages under $POSTFIXSOURCE/man, so we can generate manual
	pages for smtp-sink etc.  File: man/Makefile.in.

20020903

	Bugfix: the rmail script should have been updated when
	Postfix sendmail was changed to recognize `.' as the end
	of input.  Problem fix by Christian Kratzer, cksoft.de.
	File:  auxiliary/rmail/rmail.

	Feature: specify "maximal_queue_lifetime = 0" for mail that
	should be returned immediately after the first unsuccessful
	delivery attempt. Files: qmgr/qmgr.c, nqmgr/nqmgr.c.

20020904

	Bugfix: qmail compatibility: qmqpd should support any
	character at the end of the VERP prefix in prefix@host-@[].
	Based on a patch by LaMont Jones, HP.

20020905

	Feature: "smtpd_data_restrictions = reject_unauth_pipelining"
	blocks mail from SMTP clients that send message content
	before Postfix has replied to the DATA command.  File:
	smtpd/smtpd.c, smtpd/smtpd_check.c.

	Bugfix: the LDAP client dumped core in verbose mode.
	Reported by Will Day and others.  File: util/dict_ldap.c.

20020906

	Cleanup: dict_regexp module speedups by avoiding unnecessary
	substring overhead while matching strings. Based on a
	suggestion by Liviu Daia. This involved major rewriting of
	the regexp map code.  File: util/dict_regexp.c.

20020907

	Feature: IF..ENDIF support based on code by Bert Driehuis.
	This involved a further rewrite of the regexp map code.
	File: util/dict_regexp.c.

200209010

	Bugfix: the SMTP client produced suprious warnings about
	trouble with fallback_relay hosts. File:  smtp/smtp_connect.c.

	Robustness: don't wait with detecting broken SMTP connections
	until reading input. Leandro Santi. File: smtpd/smtpd_chat.c.

200209011

	Workaround: IRIX 6 can't do ioctl FIONREAD on pipes. This
	breaks the in_flow_delay feature.  File:  util/sys_defs.h.

20020912

	Bugfix: canonical/virtual mapping core dump with a null
	right-hand side address. Report by Jussi Silvennoinen.
	File: global/mail-addr_crunch.c.

	Feature: IF..ENDIF support based on code by Bert Driehuis.
	This involved a rewrite of the pcre map code similar to
	the regexp map code.  File:  util/dict_pcre.c.

20020917

	Feature: on Linux, support for PCRE lookup tables is now
	compiled in if the PCRE library code is found under
	/usr/include and /usr/lib.  File: makedefs.

20020918

	Documentation: postsuper(1) did not document the -c option.

	Bugfix: possible longjump() before setjmp(). File:
	smtpd/smtpd.c.

	Bugfix: pickup should not preserve INSPECT or FILTER records
	from "postsuper -r". File: pickup/pickup.c.

20020919

	Feature: "reject_rbl <domain>" for client address blacklisting
	by LaMont Jones, including $name expansion for per-domain
	customized response messages. The obsolete reject_maps_rbl
	is now a wrapper that uses the new code.

20020921

	Internal: added caching and factored out common code that
	will be used for both reject_rbl and for the upcoming
	reject_rhsbl restriction.

20020922

	Feature: "reject_rhsbl <domain>" for sender domain
	blacklisting.  Provides the same per-domain customized
	response message mechanisms with $name expansion as
	reject_rbl.

	Safety: the smtpd_expansion_filter parameter controls what
	characters are allowed in the expansion of $name macros in
	template RBL responses.

	Cleanup. In order to make sensible warnings possible when
	expanding a non-existent $name in RBL reply templates,
	mac_expand() had to be changed so that an empty string
	result (i.e. the name does exist) will no longer cause
	${name?text} to succeed.  File:  util/mac_expand.c.

20020923

	Cleanup. Renamed the RBL features according to a scheme
	that was suggested by Liviu Daia in October 2001. The names
	are reject_rbl_client and reject_rhsbl_sender, respectively.
	Added domain name based reject_rhsbl_client and
	reject_rhsbl_recipient restrictions for completeness.  The
	reject_rbl restriction name is still recognized for
	compatibility with systems maintained by LaMont Jones.

20020924

	Bugfix: reject_rhsbl_<mumble> was broken when <mumble> was
	unavailable, causing the restrictions parser to get out if
	sync. Spotted by Ralf Hildebrandt.  File:  smtpd/smtpd_check.c.

20020928

	Bugfix: missing %s in the 20020923 RBL code. This was not
	exploitable because Postfix implements only a safe subset
	of all printf format operators and because memory for the
	result is dynamically allocated.  Victor Duchovni. File:
	smtpd/smtpd_check.c.

20020929

	Updated MacOSX support scripts from Gerben Wierda.  Files:
	auxiliary/MacOSX/*.

20021009

	Bugfix: SIZE errors should be reported at MAIL FROM time,
	and should not be postponed (with smtpd_delay_reject = yes)
	until RCPT TO time. Reported by Jeroen Scheerder, Utrecht
	University. Files: smtpd/smtpd.c smtpd/smtpd_check.c.

20021013

	When Postfix development started, Linux mail delivery
	software such as procmail did not use kernel locks, and
	Postfix picked one that seemed plausible, namely, flock().
	In the mean time, Linux mail delivery software seems to
	have standardized on fcntl() locks. File: util/sys_defs.h.

	Feature: body_checks_size_limit parameter to specify how
	much of a message body segment (or attachment, if you prefer
	to use that term) is subjected to body_checks inspection.
	Default limit:  50 kbytes. Files:  global/mime_state.c,
	cleanup/cleanup_message.c.

20021015

	Bugfix: the code for missing postmaster/mailer-daemon
	aliases had to be moved after the code that implements the
	luser_relay feature. Files: local/alias.c, local/unknown.c.

	Weird? The LMTP client lowercased the MAIL FROM and RCPT
	TO addresses. Some remnant of code that someone put in
	there long ago. File: lmtp/lmtp_proto.c.

20021024

	Feature: proxy_interfaces parameter. Specify your NAT or
	other proxy addresses here to avoid mail delivery loops.
	Files: global/mail_params.[hc] global/own_inet_addr.[hc]
	global/resolve_local.c smtp/smtp_addr.c smtpd/smtpd_check.c.

	Paranoia: defend against a very unlikely false alarm in
	safe_open().

20021025

	Feature: X-Original-To: message headers with the raw original
	envelope recipient.

	Logging: status=sent/deferred/bounced/ logging now includes
	the original recipient address if it differs from the final
	address.

20021026

	Logging: SMTP UCE reject/warn/hold/discard logging now
	includes queue ID. This will break some logfile analyzers.

	Logging: SMTP UCE reject/warn/hold/discard logging now
	includes the protocol name and, if available, the hostname
	given in the SMTP HELO or EHLO command.

	Logging: header/body_checks reject/warn/hold/discard logging
	now includes the protocol name and, if available, the
	hostname given in the SMTP HELO or EHLO command.

20021028

	Bugfix: don't reset state after rejected EHLO. Reset state
	after HELO. Reported by Karthikeyan Bhargavan, upenn.edu.
	Files: smtpd/smtpd.c.

20021029

	Bugfix: local(8) did not prepend an X-Original-To:  message
	header while delivering to command, and local(8) did not
	document the X-Original-To:  message header.

	Workaround: DJBDNS produces a bogus A record when given a
	numerical hostname. File: dns/dns_lookup.c.

20021030

	Portability: support for Berkeley DB version 4.0 but not
	for Berkeley DB version 4.1 (yes, the API is different).
	Postfix is now going to be paranoid about the minor version
	number, too. File:  util/dict_db.c.

	Documentation: updated LMTP_README file by Amos Gouaux.

20021031

	Bugfix: (bug introduced 20021026) log NOQUEUE when rejecting
	ETRN, instead of trying to log a non-existent queue ID.
	Victor Duchovni, Morgan Stanley. File: smtpd/smtpd_check.c.

	Cleanup: allow optional text after commands in SMTPD access
	maps. Based on initial effort by Victor Duchovni, Morgan
	Stanley. File: smtpd/smtpd_check.c.

	Portability: support for Berkeley DB version 4.1.  This
	version refuses to open zero-length files. This complicates
	lock management and requires extra code to remove broken
	files. Files:  util/dict_db.c, global/mkmap*.[hc].

20021101

	Bugfix: don't complain about out-of-order original recipient
	records for finished recipients. Files:  *qmgr/qmgr_message.c,
	cleanup/cleanup_envelope.c, cleanup/cleanup_extracted.c.

	Cleanup: further simplified the mkmap wrapper (used by
	postmap and postalias only) to remove some hurdles for
	Michael Tokarev's CDB support. Files: global/mkmap*.[hc].

20021105

	Postalias now produces YP_LAST_MODIFIED and YP_MASTER_NAME
	records only when NIS support is compiled in. File:
	postalias.c.

20021106

	Postalias now puts $myhostname in the YP_MASTER_NAME record,
	instead of the possibly bogus gethostname() result.  File:
	postalias.c.

	The PCRE map code did not reject non-numeric replacement
	indices in replacement text, and silently treated $text as
	$0. Found by Michael Tokarev. File: dict_pcre.c.

20021108

	Cleanup: the behavior of the SMTP server's defer_if_permit
	flag was changed, in order to maximize the opportunity to
	permanently reject mail without opening opportunities for
	losing legitimate mail. This was done in cooperation with
	Victor Duchovni, Morgan Stanley. File: smtpd/smtpd_check.c.

	The defer_if_permit flag is still set when an UCE reject
	restriction fails due to a temporary (e.g., DNS) problem,
	to prevent unwanted mail from slipping through. However,
	the flag is no longer tested at the end of client, helo or
	sender restrictions.  Instead, the flag is now tested at
	the end of the ETRN and recipient restrictions only.

	The behavior of the warn_if_reject restriction has changed.
	It no longer activates any already made defer_if_permit or
	defer_if_reject decisions (the defer_if_reject flag is set
	when some UCE permit restriction fails due to a temporary
	(DNS) problem, to avoid loss of legitimate mail).

	Bugfix: instead of setting the defer_if_permit flag, a
	failing reject restriction after warn_if_reject now merely
	logs that it would have caused mail to be deferred.

	A failing permit restriction after warn_if_reject still
	raises the defer_if_reject flag, to avoid loss of legitimate
	mail.

20021109

	Bugfix: a misguided change to the .forward macro expansion
	filter broke .forward file lookup.

	Bugfix: missing defer_if_permit test in smtpd_data_restrictions.
	Victor Duchovni. File:  smtpd/smtpd_check.c.

20021112

	Robustness: increase the mime_nesting_limit from 20 to 100,
	so that bounces can't loop. Each bounces increases the MIME
	nesting level by one.  Ralf Hildebrandt and Victor Duchovni.

20021113

	Robustness: reinstated SMTP client command flushing to
	avoid pipeline stalls.  File: smtp/smtp_chat.c.

20021114

	Robustness: distinguish between timeout and "lost connection"
	when the SMTP server is unable to send a reply to the remote
	client. File: smtpd/smtpd_chat.c.

20021115

	Bugfix: initialization error with "*" transport table
	lookup, reported by LaMont Jones. The transport map lookup
	code had grown into a monster and needed to be replaced.
	trivial-rewrite/transport.c.

20021115

	Start implementing recipient verification. For now this is
	done by adding trace flags to queue files. In case of a
	verification request, a delivery agent does not deliver,
	deliver, it just records what would happen.

	This required instrumenting the bounce/defer/sent logging
	routines to send their data to the right place depending
	on the type of delivery request.

20021116

	New trace service. This is used for reporting if a recipient
	is deliverable (sendmail -bv) and for producing a record
	of delivery attempts (sendmail -v). The report is sent via
	email, using the bounce daemon. Files: global/trace.[hc].

	This required replacing the bounce/defer logfile format by
	an extensible name=value format. Files: global/bounce_log.c,
	bounce/bounce_append_service.c.

20021117

	New address verification service with simple expiration
	and refresh policy. Storage can be in-core or in permanent
	table. The daemon is appropriately called "verify". Files:
	global/verify_clnt.[hc], verify/verify.c.

20021118

	Cleaning up the code for tracing and verification. Files:
	global/{log_adhoc,bounce,defer,trace,verify}.[hc].

20021119

	New address_verification_negative_cache = yes/no parameter
	controls whether Postfix stores the result of negative
	address verification probes. This reduces cache pollution
	but causes Postfix to send a probe for each address
	verification service query. File: verify/verify.c.

	Added optimistic caching to the verify daemon, so that one
	failed probe will not clobber a known to be good address.
	As long as some probes succeeed, a good address will stay
	cached as OK.

	Cleaning up of the bounce daemon's code for bounce, delayed
	mail warning and trace notification.  Files: bounce/*.[hc],
	global/bounce_log.c.

20021120

	Changed the probe's sender address to "postmaster" so that
	we get better information about the address we're testing.
	File: verify/verify.c.

	Added some paranoia to the routine that reads data from
	the address verification cache. Ignore data that is obviously
	bogus. File: verify/verify.c.

20021121

	Bugfix: garbage in "user@garbage"@domain address forms may
	cause the SMTP or LMTP client to terminate with a fatal
	error exit because garbage/tcp is not an existing service.
	This cannot be abused to cause the SMTP or LMTP client to
	send data into unauthorized ports.  Files: *qmgr/qmgr_message.c,
	trivial-rewrite/resolve.c.

20021124

	Bugfix: don't use same VSTRING buffer for reading and
	writing.  File: verify/verify.c.

20021128

	Feature: hashed hold queue support, with hashing turned on
	by default. Omission spotted by Victor Duchovni, Morgan
	Stanley. Files: global/hold_message.c, global/mail_params.h.

	Bugfix: the LMTP client lost the port(service) information
	when parsing host:port information. Victor Duchovni, Morgan
	Stanley. Fix is to have a new host_port(3) module that does
	the parsing for the SMTP and LMTP clients.

	Cleanup: host_port() routine that parses host/port information
	more consistently than the existing code in the LMTP and
	SMTP clients. Files: smtp/smtp_connect.c, lmtp/lmtp_connect.c,
	util/host_port.[hc].

20021130

	Cleanup: defer mail when recipient verification takes too
	long. File: smtpd/smtpd_proto.c.

	Feature: new reject_multi_recipient_bounce restriction, to
	reject "MAIL FROM: <>" with multiple recipients.  File:
	smtpd/smtpd_check.c.

20021201

	Compatibility: ignore the new Sendmail -A option. File:
	sendmail/sendmail.c.

	Workaround: sendmail -v now produces no output. You need
	to specify -v -v instead. This is to avoid problems when
	people request verbose mail delivery in their mail.rc file.
	File:  sendmail/sendmail.c.

20021202

	Cleanup: hash_queue_depth now defaults to 1 level of
	subdirectories. This makes "mailq" faster on most systems,
	but will result in poorer worst-case performance when lots
	of mail is queued.

	The check_relay_domains restriction is going away. The SMTP
	server logs a warning and suggests using reject_unauth_destination
	instead.

	Cleanup: the local(8) and virtual(8) delivery agents did
	not prepend X-Original-To: addresses to maildir files.
	Omission spotted by Matthias Andree.

	Specify "address_verify_sender=" or "address_verify_sender=<>"
	to use a null sender address while doing address verification
	probes.  Beware, doing so may trigger false negatives
	because some sites reject mail from the null sender, even
	though this is required by RFC standards.

	Bugfix: too many levels of dereferencing while testing for
	missing reject_rbl_mumble domain names. Patrik Rak.  File:
	smtpd/smtpd_check.c.

20021203

	Bugfix: the FILTER access table action included the FILTER
	command in the filter request, where only the transport+destination
	were expected. Noel Jones. File smtpd/smtpd_check.c.

	Cleanup: virtual_maps is now called virtual_alias_maps, in
	order to better distinguish it from virtual_mailbox_maps.
	The default value is $virtual_maps for backwards compatibility.

	New parameters virtual_alias_domains and virtual_mailbox_domains
	for the "domain.tld whatever" lookups.  These use the same
	syntax as the mydestination parameter.  Default settings
	are backwards compatible with Postfix 1.1.

	Concept: just like $mydestination+$inet_interfaces control
	what routes to $local_transport, $virtual_mailbox_domains
	now controls what routes to $virtual_transport (default
	transport:  virtual), and $relay_domains now controls what
	routes to $relay_transport (default transport: relay, a
	clone of the smtp transport).  Everything else routes to
	$default_transport as before.  This eliminates the need
	for transport map entries for every virtual(8) domain, and
	avoids performance problems with inbound relay mail. This
	was improvement was suggested by Victor Duchovni. File:
	trivial-rewrite/resolve.c.

20021206

	Cleanup: do allow regexps in aliases, virtual mailbox maps
	but do not allow regular expression substitutions. Files:
	util/dict.h, util/dict_regexp.c, util/dict_pcre.c.

20021207

	Cleanup: deleted the description of sendmail-style virtual
	domains from the virtual(5) manual page. This part of
	Postfix was too confusing.

	Performance: RFC 2821 blesses the use of CNAME domain names
	in MAIL FROM and RCPT TO. Not having to expand CNAME domain
	names speeds things up a bit.  File:  smtp/smtp_proto.c.

	Workaround: exclude error mailer destinations from transport
	mapping lookups :-(. File: trivial-rewrite/resolve.c.

	Cleanup: relocated_maps lookups are now moved to the
	trivial-rewrite server. As of now, the queue manager no
	longer does any map lookups, so it won't restart when maps
	change. Files:  *qmgr/qmgr_message.c, trivial-rewrite/resolve.c.

	Robustness: because the trivial-rewrite server now does
	many more table lookups, some of which are often LDAP or
	SQL based, trivial-rewrite clients must be be prepared for
	the case that the resolver reports a failure while processing
	a request (when it was unable to access a lookup table).
	Files:  trivial-rewrite/resolve.c, local/resolve.c,
	smtpd/smtpd_check.c.

	Robustness: moving possible LDAP or SQL table lookups into
	the trivial-rewrite server also required that trivial-rewrite
	be running as multiple processes to reduce lookup latencies.
	Files:  master/multi-server.c.

	Workaround: don't discard all the DNS lookup results when
	only one of the results has a malformed name or address.
	File:  dns/dns_lookup.c.

20021208

	Cleanup: with the preliminary address domain classification
	concept as implemented by the trivial-rewrite address
	resolver, a lot of table lookups could be eliminated from
	the SMTP server.  Files: smtpd/smtpd_check.c.

	Feature: new relay_recipient_maps parameter, for optional
	maps with all the recipients in the domains that match
	$relay_domains (so you can reject mail for unknown relay
	recipients). This is for consistency with virtual_xx_maps
	and virtual_xx_domains, and with local_recipient_maps and
	the local delivery agent.  File:  smtpd/smtpd_check.c.

	Cleanup: removed support for obsolete #number domain forms.
	File: smtpd/smtpd_check.c.

20021209

	The Postfix installation procedure no longer sets the
	"chattr +S" bit on Linux queue directories. Wietse has
	gotten too annoyed with naive reviewers who complain about
	performance without having a clue of what they are comparing.

	"Security": local_recipient_maps is now turned on by default,
	to reject mail for non-existent users at the SMTP port.
	See conf/main.cf for instructions, section REJECTING UNKNOWN
	LOCAL USERS.

	Safety: detection of missing or inaccessible passwd file
	database, to prevent massive complaints from people who
	suddenly lose all their mail because local_recipient_maps
	is now turned on by default.

20021210

	Feature: recipient address verification, using the code
	that already implements sender address verification.  Based
	on suggestion by Matthias Andree.  Files: src/smtpd/smtpd.c,
	src/smtpd/smtpd_check.c.

20021211

	Performance: doubled the default process limit (50->100)
	and default queue manager active queue message/recipient
	limits  (10k->20k).  File:  global/mail_params.h.

	Bugfix: the change that begot us multiple trivial-rewrite
	processes (good) also gave us multiple verify daemons (bad).
	File: conf/post-install.

20021212

	Cleanup: allow transport map lookups to override error
	mailer results (to avoid breaking existing installations),
	and do transport map lookups before relocated map lookups.
	Files:  trivial-rewrite/resolve.c, trivial-rewrite/transport.c.

	Shortened the verify server's negative cache refresh time
	from 12 hours to 2 hours. File:  global/mail_params.h.

	Admin friendliness: the SMTP server now reports "User
	unknown in {local recipient | virtual alias | virtual
	mailbox | relay recipient} table". This will make trouble
	shooting a little easier. Files: smtpd/smtpd_check.c,
	trivial-rewrite/resolve.c.

20021213

	Cleanup: transport map entries with null nexthop ignored
	relayhost settings. Making the code simpler also made it
	more correct. Files: trivial-rewrite/resolve.c,
	trivial-rewrite/transport.c.

	Feature: "helpful_warnings" (default: yes) that can be
	turned off if you really know what you're doing and want
	to eliminate some unnecessary work.

	Feature: enforcement of master.cf process limits for
	processes such as qmgr and pickup that must run alone, and
	processes such as cleanup and bounce that must run without
	explicit process count limit. If an incorrect process limit
	is specified in master.cf the service aborts.

20021214

	Cleanup: it looks like we finally get it right with transport
	lookup table entries that either override or specify an
	error transport without updating the nexthop information.
	File:  trivial-rewrite/resolve.c.

	Robustness: don't probe the sender address when probed for
	our own address verification probe sender address. File:
	smtpd/smtpd_check.c.

	Performance: don't do UCE checks (which may result in 4xx
	SMTP reply codes, and thus, repeated delivery attempts)
	when we already know that the recipient does not exist.
	Files:  smtpd/smtpd.c, smtpd/smtpd_check.c.

20021215

	Cleanup: further simplification of transport map handling
	after some really fine hair splitting with Victor Duchovni.
	Files: trivial-rewrite/resolve.c, trivial-rewrite/transport.c.

20021216

	Workaround:  transform the address local-part into unquoted
	form only when the address domain is local and the local-part
	contains routing operators.  Otherwise, we may damage the
	address local-part by inserting space between non-operator
	tokens. Some people use weird addresses and expect them to
	be handled without damage.  File: trivial-rewrite/resolve.c.

	Robustness: scan the resolved recipient address for routing
	operators in the address local-part, even when the local
	MTA does not recognize ! and % as valid operators.  File:
	trivial-rewrite/resolve.c.

	Cleanup: the address rewriting code no longer tries to
	rewrite broken user@ or user@. address forms into even more
	broken forms. bother. File: trivial-rewrite/rewrite.c.

	Cleanup: the address resolver code now treats forms ending
	in @ in a more rational manner (because the address rewriting
	code no longer messes up by appending .my.domain).

	Bugfix: a null address local-part before @domain now is
	properly quoted just like the null address. File:
	global/quote_82[12]_local.c.

20021217

	Cleanup: more work on the trivial-rewrite address rewriting
	and address resolving code. New regression tests for address
	rewriting and resolving that make some assumptions about
	main.cf settings. Files: global/Makefile.in (assumptions),
	global/rewrite_clnt.in, global/rewrite_clnt.ref,
	global/resolve_clnt.in, global/resolve_clnt.ref.

	Safety: configurable SMTPD reject codes for recipients not
	in {local,relay}_recipient,virtual_{alias,mailbox}}_maps,
	aptly named unknown_mumble_reject_code.  Postfix installs
	with unknown_local_recipient_reject_code=450, unless the
	site already ran Postfix with local_recipient_maps enabled.
	Files:  smtpd/smtpd.c, smtpd/smtpd_check.c, conf/post-install.

20021218

	Feature: specify unverified_recipient_reject_code=250 or
	unverified_sender_reject_code=250 to accept mail for an
	address that is known to bounce. File: smtpd/smtpd_check.c.

20021219

	Bugfix: longjmp() while sending "go away" without setjmp()
	in the QMQP server. Patrik Rak. File: qmqpd/qmqpd.c.

	Safety: the XVERP extension is restricted to clients listed
	in the authorized_verp_clients list (default: $mynetworks).
	File: smtpd/smtpd.c.

	Workaround: preliminary IPV6 support in valid_hostliteral().
	File: util/valid_hostname.c.

20021220

	Bugfix: the reject_multi_recipient_bounce restriction had
	an off-by-one error when used in smtpd_data_restrictions.
	File: smtpd/smtpd_check.c.

	Feature: new check_recipient_maps restriction that gives
	finer control over when unknown recipients are rejected.
	As with Postfix 1.1, the default is to do this at the end
	of the recipient restrictions. Sites that want to improve
	performance can put check_recipient_maps at the start of
	the smtpd_client_restrictions list and avoid doing unnecessary
	RBL lookups etc.  File:  smtpd/smtpd_check.c.

	Feature: new show_user_unknown_recipient_table parameter
	controls whether or not to reveal the lookup table name in
	"User unknown" responses. The extra detail makes trouble
	shooting easier but also reveals information that is nobody
	elses business.

20021221

	Workaround: don't allow the transport map to override the
	virtual alias class (error:User unknown) result.  File:
	trivial-rewrite/transport.c.

20030101

	Documentation update: new-style virtual domains broke the
	advanced content filtering example. Files: FILTER_README,
	RELEASE_NOTES-2.0.

20030102

	Cleanup: use different client instances when the same map
	is opened with different flags. File: global/maps.c.

	Feature: proxymap server for Postfix table lookups. This
	helps to consolidate the number of open lookup tables (such
	as MYSQL or LDAP), or to overcome chroot restrictions
	(example: specify proxy:unix:passwd.byname to avoid the
	need for a copy of the UNIX passwd file in chroot jails).
	Files:  global/dict_proxy.[hc], proxymap/proxymap.c

	Cleanup: multiservers such as trivial-rewrite and the new
	proxymap server now enforce the max_use total client number
	limit more agressively, by not accepting new connections
	after the limit is reached.  Based on a patch by Victor
	Duchovni, Morgan Stanley. File:  master/multi_server.c.

20030103

	Cleanup: client stream endpoints not only have an idle time
	limit ($ipc_idle) before a connection is closed, they now
	also have a time to live ($ipc_ttl) to prevent connections
	from becoming too persistent. This allows multi-servers
	such as trivial-rewrite or the proxymap server to refresh
	more frequently on busy systems. File:  global/clnt_stream.c.

20030104

	Cleanup: avoid warnings about flag mismatches when the same
	lookup table is listed under both virtual_alias_maps and
	virtual_mailbox_maps. Files: global/virtual8.h, virtual/virtual.c.

	Bugfix: an obscure memory leak that puzzled me for more
	than a year until I found out how to reproduce it. File:
	util/vstream.c.

20030105

	Cleanup: removed the address syntax check from the queue
	manager, since a better test was implemented recently in
	the trivial-rewrite server. Files: *qmgr/qmgr_message.c.

	Bugfix: redirect bounce/defer to the address verification
	service where appropriate. Files: *qmgr/qmgr_bounce.c,
	*qmgr/qmgr_defer.c.

	Bugfix: "no such file or directory" warnings after "postfix
	reload" when a chrooted smtpd reconnects to the proxy
	service.  Fix: use "private/proxymap" if possible, otherwise
	use "$queue_dir/private/proxymap".  File:  global/dict_proxy.c.

	Robustness: daemons now chdir() to the queue directory
	before running the pre-jail initialization code, so that
	daemons running in stand-alone mode produce more consistent
	results.  Files:  master/single_server.c, master/multi_server.c.
	master/trigger_server.c.

	Bugfix: "sendmail -bs" tried to access the proxymap service.
	It should not try to open any user/domain/uce related tables
	at all. File:  smtpd/smtpd.c.

20030106

	Bugfix: bouncing to owner-alias was broken, i.e. the mail
	kept being deferred, and when that was fixed, another buglet
	came to light. File: bounce/bounce.c.

	Robustness: the master no longer aborts with "address
	already in use" when inet_interfaces specifies the same IP
	address multiple times, or when a TCP service in master.cf
	specifies a hostname for which the same IP address is listed
	multiple times. File: master/master_ent.c.

20030107

	Robustness: check that FILTER actions in SMTPD access maps
	or cleanup header/body_checks have plausible syntax. Files:
	smtpd/smtpd_check.c, cleanup/cleanup_message.c.

20030109

	Cleanup: unnecessary "premature end of file on xxx while
	reading yyy" warnings became exposed after some code
	simplification. Files" global/*_clnt.c, global/dict_proxy.c

	Robustness: undo the change that causes a multi-server
	process to stop accepting new connections while it still
	services existing clients for an extended amount of time.
	We need a better process retirement strategy. File:
	master/multi_server.c.

20030110

	Cleanup: the virtual_mailbox_maps parameter is now optional
	even when virtual_mailbox_domains is. This makes virtual
	mailbox domains more like relay domains and the local
	domain.

	Portability: the makedefs script now uses the pcre-config
	utility to find out where things are installed.

	Bugfix: the SMTP server did not recognize the local built-in
	double bounce address as local. Reported by Matthias Andree.
	For safety sake, threw in the local postmaster address as
	well.  File:  smtpd/smtpd_check.c.

20030113

	Added MAILER-DAEMON to the list of always recognized local
	addresses, since it is generated by Postfix bounces. File:
	smtpd/smtpd_check.c.

20030114

	Bugfix: transport_errno was not reset upon successful
	transport map wildcard lookup after an earlier failure.
	Reported by Victor Duchovni. File:  trivial-rewrite/transport.c.

	Cleanup: unnecessary warnings from the proxymap client
	after proxymap server disconnect. File:  global/dict_proxy.c.

	Cleanup: Patrik Rak found a few more chattr invocations
	that were missed 20021209. Files: postfix-install,
	conf/post-install.

	Cleanup: the pcre-config command can produce null outputs.
	Matthias Andree.  File: makedefs.

	Bugfix: the virtual(8) Makefile included $(AUXLIBS) in the
	dependencies.

20030118

	Typos: some hyperlinks referred to flushd, which is the
	name that was used before the flush service was released.
	Reported by Victor Duchovni.

	Cleanup: smtpd no longer needed to open relocated_maps.

20030119

	Cleanup: bounce messages used "X-Postfix" even when mail_name
	was set to something other than the default "Postfix" name.
	File: bounce/bounce-notify_util.c.

20030120

	Bugfix: wrong FILTER_README instructions for disabling
	virtual alias mapping in the cleanup server before the
	content filter.

	Bugfix: wrong FILTER_README instructions for destination-dependent
	filtering, because relay_domains was specified incorrectly.

20030122

	Bugfix: 20021207 (move relocated table lookup from queue
	manager to trivial-rewrite server) broke relocated table
	lookup results with mail not rejected at the SMTP port.
	Files:  *qmgr/qmgr_deliver.c, *qmgr/qmgr_message.c.

20030123

	Bugfix: a widely used maildir filename algorithm was broken.
	Postfix now uses TIME.DEVICE_INODE.HOST. Files: local/maildir.c,
	virtual/maildir.c.

20030124

	Cleanup: queue structures no longer overload queue name
	and nexthop destination. Files: *qmgr/qmgr_message.c,
	*qmgr/qmgr_queue.c, *qmgr/qmgr_deliver.c.

20030125

	Feature: "REDIRECT user@domain" action in access maps or
	in header/body_checks causes mail to be sent to the specified
	address instead of the intended recipient(s). I would never
	recommend that people use this to redirect (bounced) SPAM
	to the beneficiaries of an advertisement campaign.  Files:
	smtpd/smtpd_check.c, cleanup/cleanup_message.c,
	*qmgr/qmgr_message.c.

20030126

	Update: maildir filename algorithm updated according to
	today's version of http://cr.yp.to/proto/maildir.html.

20030127

	Cleanup: use separate error messages for separate problems
	with computing the list of SASL authentication mechanisms.
	File: smtpd/smtpd_sasl_glue.c.

20030130

	Bugfix: allow $name in default time values. File:
	global/mail_conf_time.c.

20030205

	Feature: allow !, /file/name and map:name in masquerade_exceptions.
	By Liviu Daia.  Files:cleanup_init.c, cleanup.h,
	cleanup_masquerade.c.

20030219

	Bugfix: the local pickup daemon skipped unterminated records,
	since they happened to have the same record type code as
	content filtering instructions. Victor Duchovni.  Files:
	global/rec_type.h, pickup/pickup.c.

	Portability: Postfix could block, and thus not enforce
	command execution time limits, while delivering mail to
	command.  File: global/pipe_command.c.

	Bugfix: command execution time limits were not enforced
	because the child process killing code in pipe_command()
	was running with the wrong privileges. Problem reported by
	Ben Rosengart, Panix. File: global/pipe_command.c.

	Bugfix: duplicate recipient filtering in the cleanup server
	did not eliminate virtual expansion duplicates with the
	same original recipient. File: cleanup/cleanup_out_recipient.c.

20030223

	Cleanup: added postmap/postalias -p option (do not inherit
	the source file permissions when creating a new file), for
	completeness.  A feature that can't be turned off is a bug.
	Files:  postmap/postmap.c, postalias/postalias.c.

	Bugfix: smtpd_hard/soft_error_limit off-by-one error, so
	that the real limit was one larger than the configured
	value.  File: smtpd/smtpd.c, smtpd/smtpd_chat.c.

20030226

	Safety: proxymap server defense against potential deadlock
	when some library routine wants to open a proxied table.
	Instead, proxymap opens the requested table directly. File:
	proxymap/proxymap.c.

	Portability: updated AIX 5.x system dependent definitions.
	File: util/sys_defs.h.

20030227

	Bugfix: added mynetworks to the list of proxy_read_maps
	parameter settings that are pre-authorized to use proxied
	table lookups.  File: global/mail_params.h.

	Cleanup: daemons now log what table has changed before
	restarting. Files: dict.c, and anything that invoked
	dict_changed().

	Cleanup: more consistency in the naming of lookup table
	handles as generated by maps(3) and by match_list(3).

20030305

	Workaround: Postfix removes too long non-address text from
	message headers in order to protect vulnerable Sendmail
	systems against exploitation of the remote buffer overflow
	vulnerability described in CERT advisory CA-2003-07.

20030311-19

	Bugfix: the access map actions HOLD, DISCARD, FILTER and
	REDIRECT were broken with smtpd_delay_reject=no and with
	ETRN.  This required re-architecting of the actions code.
	Files:  smtpd/smtpd.[hc], smtpd/smtpd_check.c, smtpd/smtpd_state.c.

20030315

	Bugfix: the postsuper manual page documented support for
	the -c command line option, but it was not implemented.
	File: postsuper/postsuper.c.

	Bugfix: the Postfix 2.0 recipient map checking code broke
	the VRFY command, causing it to reply with status code 252
	for non-existent addresses. This required re-architecting
	the recipient table lookup code. File:  smtpd/smtpd_check.c.

20030319

	Feature: configurable limit on virtual alias expansion size
	and nesting depth, via the virtual_alias_expansion_limit
	and virtual_alias_recursion_limit parameters. The default
	limits are compatible with past Postfix versions.  Victor
	Duchovni, Morgan Stanley. Files: /sample-resource.cf,
	html/resource.html, cleanup/cleanup.c, cleanup/cleanup_init.c,
	cleanup/cleanup_map1n.c.

	Feature: the installation procedure records build information
	(by default:  in /etc/postfix/makedefs.out).

20030324

	Bugfix: smtp-source flushed too often, causing suboptimal
	performance with smtp-source sending directly into smtp-sink.
	Files: smtpstone/smtp-source.c.

20030410

	Safety: log a fatal error when a net/mask pattern has a
	non-zero host part, so that mail delivery is deferred.
	File: util/match_ops.c.

20030411

	Bugfix: extraneous warning about out-of-order original
	recipient records by Patrik Rak. Files: *qmgr/qmgr_message.c.

20030412

	Workaround: log a warning and reset the queue file time
	stamps when the file system clock is ahead of the local
	clock.  File: global/mail_stream.c.

20030414

	Feature: PostgreSQL client module, adopted by LaMont Jones.
	Files: README_FILES/PGSQL_README, util/dict_pgsql.c,
	util/dict_pgsql.h, conf/sample-pgsql-aliases.cf.

	Cleanup: the generic smtp client/server code in smtp_stream.c
	now has an explicit flush operation, and the smtp-source/sink
	programs are updated to take advantage of this.

	Cleanup: the file system clock drift detection code now
	runs only once per process instance, to minimize the
	performance impact. File: global/mail_stream.c.

	Robustness: avoid TIME_WAIT state with smtp/qmqp-source
	client sockets.  This puts less strain on local system
	resources.

20030415

	Cleanup: the file system clock drift detection code now
	runs only for incoming mail. File: global/mail_stream.c.

20030416

	Bugfix: missing partial last line when 1) someone submits
	8-bit mail not ending in newline via /usr/sbin/sendmail
	and 2) MIME input processing is turned off, and 3) MIME
	8bit->7bit conversion is requested upon delivery via SMTP.

	Cleanup: auto-bcc recipients are now added in one place
	(the cleanup server) instead of by individual front-end
	servers (pickup, smtpd, qmqpd). This makes it easier to
	add auto-bcc features that trigger on sender or recipient
	addresses.

	Cleanup: "sendmail -t" (recipients from headers) is now
	implemented by the sendmail command instead of by the
	cleanup server. This means that the extract_recipient_limit
	configuration parameter is no longer needed.  Files:
	sendmail/sendmail.c, cleanup/cleanup_message.c,
	cleanup/cleanup_extracted.c.

	Compatibility: "sendmail -t" (recipients from headers) now
	accepts command-line recipients instead of complaining.
	The extracted header recipients are added to the command-line
	recipients.

	Feature: sender/recipient_bcc_maps. These are indexed by
	sender/recipient address and are examined when mail enters
	from outside of Postfix. Files: cleanup/cleanup_addr.c.
	cleanup/cleanup_envelope.c cleanup/cleanup_extracted.c.

20030417

	Feature: the SMTP client now falls back to native name
	service lookups (including /etc/hosts) when a host cannot
	be found in the DNS. This is controlled by a new parameter
	smtp_host_lookup (default: dns, native). Files: smtp/smtp.c,
	smtp/smtp_addr.c.

20030418

	Bugfix: "sendmail -t" broke with unrecognized message
	headers.

20030419

	Feature: "postcat -q" searches the queue for the named
	file.

	Cleanup: made postcat "record names" output more consistent.

20030421

	Debugging: added some extra detailed error logging to the
	pipe-to-command delivery, to help folks with bizarre file
	truncation problems. File: global/pipe_command.c.

20030424

	Cleanup: readlline() did not terminate the result before
	complaining about lines starting with whitespace.

	Cleanup: eliminated valid_hostname warning for invalid
	queue file names. File: global/mail_queue.c.

	Bugfix: lost three lines of code when readying the postcat
	command for release, which broke postcat -q. File:
	postcat/postcat.c.

	Bugfix: the Postfix sendmail command applied the message
	size limit when running as newaliases. The limiting code
	is now moved to the message enqueuing branch of the code.
	File: sendmail/sendmail.c.

	Documentation: start of documentation for the algorithm of
	Patrik Rak's clever queue manager scheduler (nqmgr). Files:
	conf/sample-scheduler.cf, README_FILES/SCHEDULER_README.

20030429

	Bugfix: while verifying an address, the LMTP client entered
	a forbidden "next" sender state after the last recipient.
	Fix by Vladimir Davydoff. File: lmtp/lmtp_proto.c.

	Bugfix: "," was not recognized in proxy_read_maps settings.
	Fix by Leandro Santi. File: proxymap/proxymap.c.

20030502

	Bugfix: defer delivery after .forward etc. file read error.
	File: local/token.c. Problem reported by Ben Rosengart,
	Panix.

20030503

	Bugfix: the Postfix LMTP client used the wrong service
	name, causing trouble with SASL 2.1.13.  Daniel Schales,
	Louisiana Tech. File: lmtp/lmtp_sasl_glue.c.

20030518

	Workaround: IRIX select() reports that a non-blocking file
	descriptor is writable while write() transfers zero bytes.
	File:  util/vstream.c. Superseded by change 20030523.

20030520

	Cleanup: future time stamps in Received: headers and negative
	delays in delivery agent logging after "postdrop -r",
	because deferred queue files had future file modification
	times.  File:  src/postsuper/postsuper.c.

20030521

	Cleanup: nqmgr warnings about "recipient count mismatch"
	after "postdrop -r", because the cleanup server did not
	count the "already done" recipients. Problem reported by
	Richard Stockton, Gramma Software. Files:
	cleanup/cleanup_envelope.c, cleanup/cleanup_extracted.c.

20030523

	Workaround: IRIX select() reports that a non-blocking file
	descriptor is writable while write() transfers zero bytes.
	File:  global/pipe_command.c.

20030523-20030605

	Cleanup: rewrote the queue file record processing loops in
	pickup, cleanup and in [n]qmgr. This code had deteriorated
	a lot as the result of small changes over the years. This
	change brings the code closer to "obviously correct". Files:
	cleanup/cleanup_envelope.c, cleanup/cleanup_extracted.c,
	*qmgr/qmgr_message.c.

	Cleanup: Postfix no longer produces queue files with
	backwards compatibility data for Postfix versions < 1.0
	(a.k.a.  20010228). Files: cleanup/cleanup_extracted.c,
	showq/showq.c.

	Performance: the queue manager no longer has to examine
	every queue file record before it can start deliveries.
	This helps to avoid thrashing with very large mailing lists.
	Postfix queue files have an extra field in the size record
	with queue manager processing hints.  This change is backward
	and forward compatible.  Files:  cleanup/cleanup_envelope.c,
	cleanup/cleanup_extracted.c, *qmgr/qmgr_message.c.

20030528

	Compatibility: "sendmail -q<time>" without -bd option now
	exits immediately, instead of waiting for input on the
	standard input stream and screwing up system boot sequences.
	File: sendmail/sendmail.c.

20030530

	Bugfix: client access denied with smtpd_delay_reject=no
	broke "sendmail -bs". Fix by Victor Duchovni, Morgan Stanley.
	File: smtpd/smtpd.c.

20030531

	Compatibility: allow <@site,@site:address> route addresses
	in SMTP commands.  File: smtpd/smtpd.c.

20030605

	Cleanup: input checks moved from the pickup daemon to the
	postdrop mail submission command; this is to prepare for
	direct mail submission from postdrop->cleanup without going
	through the maildrop directory and the pickup service.
	Files: pickup/pickup.c, postdrop/postdrop.c.

	Bugfix: the "dead host" backoff timer in the MySQL client
	didn't work.  Fix by Leandro Santi. File: util/dict_mysql.c.

	Bugfix: same problem in the PostgreSQL client. File:
	util/dict_pgsql.c.

	Workaround: turned off non-blocking write to pipe because
	too many systems give a weird write() result. File:
	global/pipe_command.c.

	Cleanup: added support for vstream_fseek(.., .., SEEK_END).
	File: util/vstream.c.

20030608

	Feature: separate address resolver controls for address
	verification probe messages:  address_verify_{local,virtual,
	relay,default}_transport, address_verify_relayhost, and
	address_verify_transport_maps. The default values are the
	regular versions of the same controls. Files: trivial-rewrite/*,
	global/resolve_clnt.[hc], *qmgr/qmgr_message.c.

20030609

	Workaround: Solaris blocking socket read() may hang.  Hernan
	Perez Masci and Leandro Santi. File: smtpd/smtpd.c.

	Bugfix: the "unread recipient" counter needs to be restored
	after the queue manager has a problem reading a queue file.
	Fix by Patrik Rak. File: nqmgr/qmgr_message.c.

20030610

	Cleanup: the verify server now uses asynchronous submission
	of mail probes, so it will no longer block for in_flow_delay
	seconds when mail arrives faster than it is delivered.
	Still need to make mail_stream_finish() asynchronous in
	order to avoid blocking for trigger_timeout seconds when
	the queue manager is overwhelmed.  Files:  global/post_mail.c,
	verify/verify.c.

	Bugfix: removed extraneous sleep() after the last attempt
	to retrieve address verification status.  File: smtpd/smtpd.c.

20030611

	Bugfix: the stricter postdrop input filter broke "sendmail
	-bs". Found by Lutz Jaenicke. File: smtpd/smtpd.c.

20030614

	Portability: Dropped support for client side LDAP caching.
	As of release 2.1.13 OpenLDAP no longer supports client
	side caching, it has been deprecated for some time, and
	never worked well.  Implemented by Victor Duchovni, Morgan
	Stanley, and further enhanced by Lamont Jones, HP. Files:
	src/util/dict_ldap.c, conf/sample-ldap.cf,
	README_FILES/LDAP_README.

	Safety: Given suitable invalid database contents, LDAP
	lookups can produce too many results, enter an infinite
	loop in the expansion of "special result attributes" (LDAP
	DNs and LDAP URLs) or just consume excessive server resources
	returning large result sets.  Three new (per LDAP map)
	configuration parameters enable one to set limits on
	recursive nesting, result expansion and the server response
	"entry" count. Implemented by Victor Duchovni, Morgan
	Stanley, further enanced by Lamont Jones, HP. Files:
	src/util/dict_ldap.c, conf/sample-ldap.cf,
	README_FILES/LDAP_README.

20030616

	Feature: in mail delivery status reports, report the sender
	address as X-Postfix-Sender. Matthias Andree. File:
	bounce/bounce_notify_util.c.

	Cleanup: in mail delivery status reports, transform the
	original recipient into xtext format as required by RFC
	1891. Files: bounce/bounce_notify_util.c, util/xtext.[hc].

	Cleanup: more accurate "postfix check" warning for files
	that miss one or more of the required mode 02111 execute
	permission bits. Matthias Andree. File: conf/postfix-script.

20030618

	After "postfix reload", the master daemon now warns when
	inet_interfaces has changed, and ignores the change, instead
	of passing incorrect information to the smtp server. File:
	master/master_ent.c.

20030619

	Feature: the Postfix SMTP server can send all mail into a
	proxy server, for example a real-time SPAM filter. This
	proxy is supposed to send the mail into another Postfix
	SMTP server process for normal delivery. Files: smtpd/smtpd.c
	smtpd/smtpd_proxy.[hc].

20030620

	Bugfix: a cut-and-paste error caused the proxy server's
	354 status code to be reported when a proxy connection
	broke during the DATA phase. File: smtpd.c.

20030620

	Bugfix: after the last change to postdrop, postcat no longer
	recognized maildrop files as valid. File: postcat/postcat.c.

	Bugfix: after moving "sendmail -t" address extraction to
	sendmail, "-t" broke multi-line recipient headers.  Victor
	Duchovni, Morgan Stanley. File: sendmail/sendmail.c.

20030621

	Workaround: the safe_open(O_CREAT) race condition exploit
	avoiding code tries a little harder when it encounters a
	race condition. File: util/safe_open.c.

20030624

	Bugfix: reject_unverified_address() set the defer_if_reject
	flag when the verify service was unavailable (which never
	happens). Victor Duchovni, Morgan Stanley. File:
	smtpd/smtpd_check.c.

	New parameters address_verify_poll_{count,delay} that
	control how often to poll the address verification service
	for the completion of an address verification request.
	Specify address_verify_poll_count=1 to implement a crude
	form of greylisting, that is, always defer the first delivery
	attempt for an unknown address.  File: smtpd/smtpd_check.c.

	Bugfix: after the last change to postdrop, postcat no longer
	recognized non-maildrop queue files as valid. File:
	postcat/postcat.c.

20030629

	Cleanup: replaced references to "simulated virtual domains"
	by "virtual alias domains". Victor Duchovni, Morgan Stanley.

20030630

	Feature: smtp_quote_rfc821_envelope=(yes|no) to control
	RFC 821 style quoting of MAIL FROM and RCPT TO addresses.
	Files: global/mail_params.h, smtp/smtp.c, smtp/smtp_proto.c.

20030701

	Bugfix: multi-recipient probes triggered a bug in the SMTP
	client.  File: smtp/smtp_proto.c.

	Feature: enable_original_recipient (default: yes) to control
	whether Postfix keeps track of original recipient address
	information. Victor Duchovni, Morgan Stanley.  Files:
	cleanup/cleanup.c, cleanup/cleanup_init.c,
	cleanup/cleanup_out_recipient.c, global/log_adhoc.c,
	global/mail_copy.c, *qmgr/qmgr_message.c.

	Feature: !/pattern/ support for PCRE lookup tables.  Victor
	Duchovni, Morgan Stanley.  Files: util/dict_pcre.c.

	Cleanup: allow whitespace after patterns in repexp and pcre
	tables. Victor Duchovni, Morgan Stanley.  Files:
	util/dict_pcre.c, util/dict_regexp.c.

20030702

	Feature: CIDR lookup table support, very remotely based on
	code by Jozsef Kadlecsik. Files: proto/cidr_table,
	util/dict_cidr.[hc].

	Feature: TCP lookup table support, finally finished.  Files:
	proto/tcp_table, proto/dict_tcp.[hc].

20030705

	Feature: new receive_override_options parameter controls
	what happens before or after an external content filter:
	rejecting unknown recipients, canonical and virtual address
	mapping, address masquerading, automatic BCC recipients
	and header/body checks. This eliminates the need to configure
	multiple cleanup services in the master.cf file.

20030707

	Feature: context dependent SASL security options (i.e.
	different options when TLS is enabled/disabled). Lutz
	Jaenicke.  Files:  */*sasl_glue.[hc].

20030708

	Hardened the attr_scan routines for exposure to an untrusted
	environment, in preparation for possible use with SMTP
	policy delegation to an external server.

	Feature: address filter for RBL lookups, for use with
	multi-valued RBL services. File: smtpd/smtpd_check.c.

20030709

	Cleanup: use off_t instead of int for VSTREAM file offsets.
	This was needed for mailboxes > 2GB on 32-bit systems.
	Files: util/vstream.c, global/mail_copy.c.

20030710

	Support for multiple A and TXT results in RBL lookups.
	Victor Duchovni, Morgan Stanley.  File: smtpd/smtpd_check.c.

	Support for attribute-based query-reply protocols.  Files:
	util/attr_clnt.[hc], util/auto_clnt.[hc].

20030711

	Support for plain "name=value\n" attribute protocol.  Files:
	util/attr_{scan,print}_plain.c.

	Bugfix: the LMTP session caching code did not reset the
	EHLO server feature list when it needed to reconnect.
	Problem found by Tobias Erbsland.

20030712

	Feature: delegated SMTP policy server. As an example, see
	the greylisting server in examples/smtpd-policy.  Specify
	"check_smtpd_policy_service" in smtpd_mumble_restrictions.
	See SMTPD_POLICY_SERVICE_README for details.

20030716

	Bugfix: in the sample policy server, changed "ok" into
	"dunno" so the server can be used in the middle of a
	restriction list.

	Cleanup: when an RBL reply has multiple TXT records,
	concatenate them up to some reasonable limit, instead of
	selecting one randomly.  File:  smtpd/smtpd_check.c.

	Safety: always truncate SMTP server error replies to 512
	bytes.  File: smtpd/smtpd_check.c.

20030717

	Documentation: added description of policy_time_limit to
	the SMTPD_POLICY_README document.

	Documentation: corrected the command time limit parameter
	syntax in the spawn(8) manual page.

	Feature: defer_if_permit and defer_if_reject actions in
	access tables, mainly for use by the delegated policy
	server. Files: smtpd/smtpd_check.c, proto/access.

20030725

	The dict_pgsql module did not use dict_alloc() and dict_free(),
	causing improper initialization and a memory leak. Leandro
	Santi. File: util/dict_pgsql.c.

	Cleanup: added open_flags sanity checks to the dict_pgsql
	and dict_mysql modules. These maps must be opened in
	read-only mode.

20030731

	Bugfix: virtual(8) was changed to use mail_addr_find()
	instead of virtual8_maps_find(), but the SMTP server's
	virtual mailbox recipient validation was not updated.

20030804

	Bugfix: the 20030712 safety against invalid DNS results
	was broken. Reported by Ralf Hildebrandt. File:
	dns/dns_lookup.c.

20030805-12

	Safety: the pipe daemon now defers delivery with a warning
	when it is given a non-existent command-line macro name.
	File:  pipe/pipe.c.

20030810

	Bugfix: dict_ldap had a few harmless memory leaks.  By
	Liviu Daia.  File: util/dict_ldap.c.

	Feature: support for LDAP URLs in the LDAP parameter
	"server_host", if Postfix is linked against OpenLDAP.  This
	allows Postfix to connect to LDAP SSL sources.  By Liviu
	Daia.  File: util/dict_ldap.c.

20030811

	Cleanup: produce a warning when host:port specifies a badly
	formatted numerical port.  Files:  util/find_inet.c,
	smtp/smtp_connect.c, lmtp/lmtp_connect.c.

20030822

	Feature: the export_environment and import_environment
	parameters now accept name=value information that will be
	entered into the new environment. File: util/clean_env.c.

20030823

	Feature: smtpd_sasl_exceptions_networks parameter to prevent
	Postfix from offering AUTH  to clients that match the listed
	networks. Based on code by Ben Rosengart, Panix. Files:
	conf/sample-auth.cf, smtpd/smtpd.c.

20030902

	Portability: the Postfix master resets the file size to
	the largest possible off_t value when the actual limit
	appears to overflow the off_t range. Files: util/sys_defs.h,
	util/file_limit.c. A fine sample of bit banging.

20030905

	Workaround: Solaris 8 select() claims that a non-blocking
	socket is readable and then read() fails with EAGAIN. Files:
	util/timed_read.c and as precautionary measure,
	util/timed_write.c.

	Bugfix: dict_register() should not be called from dict_open()
	in dict_mysql and dict_pgsql.  Liviu Daia.  Files:
	util/dict_mysql.c, util/dict_pgsql.c.

	Feature: LDAP parameters can now be specified in external
	files.  This makes it possible to securely store bind
	passwords for plain auth outside of main.cf (which is world
	readable).  By Liviu Daia, based on a suggestion by Victor
	Duchovni and Lamont Jones.  File: util/dict_ldap.c.

	Feature: STARTTLS option for LDAP, if Postfix is linked
	against OpenLDAP.  By Liviu Daia, amended by Victor Duchovni.
	File:  util/dict_ldap.c.

	Cleanup: connections to LDAP sources are now postponed
	until they are actually needed.  By Liviu Daia.  File:
	util/dict_ldap.c.

20030908

	The 20030905 Solaris workaround triggers too many warnings.
	TCP sockets are back to blocking, and keepalives are turned
	on to kill off dead sockets, as suggested by Leandro Santi.
	Files: master/{single,multi}_server.c, smtpd/smtpd.c,
	util/sys_defs.h.

20030909

	Bugfix: the LMTP session caching code had problems with
	SASL authentication after the first connection, and pipelining
	was working poorly.  Fix by Victor Duchovni, Morgan Stanley.
	Files: lmtp/lmtp.c, lmtp/lmtp_proto.c.

20030912

	Workaround: besides SMTP server sockets, SMTP client sockets
	can also hang on Solaris, as reported by Leandro Santi. In
	order to deal with this at the root, all connection management
	is now done by sane_accept() and sane_connect().  Both turn
	on keepalives on Solaris.

20030913

	Safety: set-gid commands don't trust TZ.  File: msg_syslog.c.

20030914

	Address extension propagation wasn't documented enough when
	it was added to Postfix. Based on patches by Roman Neuhauser.

	Added clarifying notes to main.cf, master.cf and access by
	Dean Gibson.

	In header/body_checks, DUNNO is now the preferred action
	instead of the now deprecated OK. This may confuse fewer
	people.

	In header/body_checks, allow text after IGNORE and DUNNO,
	suggested by Victor Duchovni, Morgan Stanley.  File:
	src/cleanup/cleanup_message.c.

	Feature: reject_rhsbl_helo. File: smtpd/smtpd_check.c.

	Bugfix? The LMTP and SMTP clients now send "MAIL FROM:<sender>
	AUTH=<>" when SASL authenticated. Suggested by by Victor
	Duchovni, Morgan Stanley. Files: smtp/smtp_proto.c,
	lmtp/lmtp_proto.c.

20030915

	Bugfix: mail rejected by the before-queue content filter
	was mis-labeled as a software error; it should be labeled
	as a policy error instead. File: smtpd/smtpd.c.

	Cleanup: postcat is now null-byte transparent. File:
	postcat/postcat.c.

20030916

	Feature: ``check_{sender,recipient}_mx_access maptype:mapname''
	applies the named Postfix access table to the MX host name
	and IP addresses for the sender or recipient address. If
	no MX record is found, the A record is used instead. File:
	smtpd/smtpd_check.c.

	Feature: ``check_{sender,recipient}_ns_access maptype:mapname''
	applies the named Postfix access table to the DNS server
	hostname and IP addresses for the sender or recipient
	address. If no NS record is found, the parent domain is
	used instead. File: smtpd/smtpd_check.c.

20030917

	Feature: ``check_helo_{ns,mx}_access maptype:mapname'',
	same semantics as sender and recipient.

	Multiple LDAP lookup tables in the one Postfix process now
	share one LDAP connection. Code by Victor Duchovni, Morgan
	Stanley.  File: util/dict_ldap.c.

	Performance: with prefix_domain specified for an LDAP lookup
	table, lookups of @domain are skipped. Code by Victor
	Duchovni, Morgan Stanley.  File: util/dict_ldap.c.

	Safety: check_mumble_{mx,ns}_access refuses to be used for
	whitelisting. The Postfix SMTP server will reject the
	request with "451 server configuration error" and will log
	a warning explaining why. File: smtpd/smtpd_check.c.

20030918

	Bugfix: check_mumble_ns_access did not correctly look up
	NS records of parent domains, causing mail to be deferred
	with a 450 status code. File: smtpd/smtpd_check.c.

20030919

	Robustness: check_mumble_{mx,ns}_access skip over DNS lookup
	failures instead of deferring mail. This is not as bad as
	it appears to be because the restrictions can't be used
	for whitelisting.  File: smtpd/smtpd_check.c.

20030920

	Bugfix: the 20030917 LDAP connection sharing code introduced
	a compilation problem with non-OpenLDAP implementations.
	Fix by Liviu Daia. File: util/dict_ldap.c

	Compatibility: the LDAP server_host parameter now supports
	all the usual Postfix list element delimiters. Some LDAP
	libraries support just SPACE, others SPACE and ",". Postfix
	now normalizes the host list into a space separated format.
	This is less surprising to Postfix users used to the full
	range of delimiters in other contexts. Implemented by Liviu
	Daia. File: util/dict_ldap.c

	Bugfix: after returning too old mail, the bounce daemon
	now locks the original queue file and deletes deferred
	recipients, to avoid repeated bounce notifications when
	the queue manager is restarted. Files:  bounce/*.[hc],
	global/bounce_log.[hc], global/{bounce,defer}.[hc] and
	everything that invokes these routines including queue
	manager and delivery agents.

20030922

	Feature: "XADDR address hostname" SMTP command, for SMTPD
	restriction debugging, and for sites with fetchmail-like
	software that extracts client information from the first
	Received:  header. The smtpd_authorized_xaddr_clients
	parameter specifies what clients are allowed to use XADDR
	(default: none).  Files:  smtpd/smtpd.c.

20031015

	Workaround: smtpd access maps should not apply subdomain
	name magic to numerical hostnames. File: smtpd/smtpd_check.c.

	Safety: the local delivery agent now defers delivery when
	alias lookup produces an empty result. File: local/alias.c.

20031019

	Workaround: disable request/reply size limit in attr_scan*.c
	to prevent mail from getting stuck when rewriting a malformed
	message header.  This limit was turned on with snapshot
	20030715 to harden the protocol that is used by SMTPD policy
	delegation. A "no code change" workaround is to specify
	"header_size_limit = $line_length_limit".  The proper fix
	is to enforce request/reply size limits only for data from
	outside of Postfix. Problem reported by Brandon Mullenberg,
	Dialup USA. Files:  util/attr_scan*.c.

	Feature: "XLOGINFO address hostname" SMTP command, so that
	Postfix daemons behind SMTPD pass-through proxies log useful
	client name/address information instead of localhost[127.0.0.1].
	The smtpd_authorized_xloginfo_clients parameter specifies
	what clients are allowed to use XLOGINFO (default: none).
	Files:  smtpd/smtpd.c.

	Cleanup: renamed the authorized_verp_clients parameter to
	smtpd_authorized_verp_clients for consistency.

20031021

	Workaround: the demo greylist script now uses BTREE instead
	of HASH files for hopefully better stability. The real fix
	is to use a single updater process that serves multiple
	clients. That approach seems to work well with the verify
	daemon. File: examples/smtpd-policy/smtpd-policy.pl.

20031022

	Safety: the SMTP server now warns when the queue_minfree
	value is less than twice the message size limit. File:
	smtpd/smtpd.c.

	Safety:  the SMTP server no longer accepts mail when the
	amount of free space is less than twice the message size
	limit.  File: smtpd/smtpd_check.c.

	Safety: log a warning and defer mail when canonical or
	virtual lookups return a non-address result (like a string
	that contains no address). File: global/mail_addr_map.c.

	Safety: log a warning and defer mail when any map lookup
	returns an empty string result, and explain that "no result"
	is expected in case of a "not found" condition. This happens
	with incorrectly implemented SQL or LDAP tables. File:
	global/maps_find.c.

20031023

	Bugfix: the MYSQL and PGSQL modules invoked dict_register().
	This was fixed a while ago but never made it into the
	distribution. Files: util/dict*sql.c.

	Robustness: added three ISSPACE() calls in the smtpd proxy
	parser. File: smtpd/smtpd_proxy.c.

20031024

	Portability: added localhost to mydestination for sites
	that turn off append_dot_mydomain. File: global/mail_params.h.

20031027

	Portability: MacOS X Bind8 compatibility. File: makedefs.

20031103

	Robustness: flush pipelined "." and "quit" replies to avoid
	repeated deliveries in case of a program crash (you know,
	the kind of thing that happens before Postfix release :-).
	File:  smtpd/smtpd.c.

20031105

	Portability: turn off NETINFO support for MacOS X Panther
	by default. Files: makedefs, util/sys_defs.h.

20031106

	Feature: the sample greylist policy server is now case
	insensitive.  File: examples/smtpd-policy/smtpd-policy.pl.

20031103-20031110

	Feature: preliminary defense against SMTP clients that
	hammer the SMTP server with too many simultaneous or
	successive connection attempts, with a whitelist capability
	to disable the restriction for authorized clients.  Most
	work is implemented by a new "anvil" server.  Parameters:
	smtpd_client_connection_count_limit, smtpd_client_connection-
	_rate_limit, smtpd_client_connection_limit_exceptions, and
	client_connection_rate_time_unit.  Documentation:  smtpd(8),
	anvil(8), sample-smtpd.cf. Files:  smtpd/smtpd.c,
	global/anvil_clnt.[hc], anvil/anvil.c.  The anvil server
	logs peak count and rate information per client when it
	terminates after running out of work or after "postfix
	reload".

20031110

	Cleanup: Postfix now supports the /0 netmask (match every
	address).  This is useful as a catch-all pattern at the
	end of a table.  Files:  util/dict_cidr.c, util/match_ops.c.

	Cleanup: don't report that $queue_directory/etc/filename
	differs from /etc/filename when /etc/filename does not
	exist.  File: conf/postfix-script.

20031112

	Feature: client_connection_status_update_time parameter
	controls periodic logging of maximal connection counts or
	rates.  The default logging interval is 10 minutes.

	Feature: "make makefiles WARN=stuff..." overrides the
	built-in GCC warning options that are used when "make" is
	invoked from within a source subdirectory. Files:  makedefs,
	*/Makefile.in.

20031125

	Feature: qmgr logs "queueid: deleted", just like postsuper,
	when it removes a message from the mail queue.

	Performance: smtpd connects to the cleanup or proxy server
	AFTER the first valid RCPT TO command, instead of after
	the first valid MAIL FROM command. This avoid wasting
	real-time proxy filter resources when mail is stopped by
	the SMTP server's access blocks.  File: smtpd/smtpd.c.

20031126

	Bugfix: "panic: mymalloc: requested length 0" when master.cf
	specified an invalid host name or address.  Postfix now
	logs more specific information. File:  master/master_ent.c.
	Reported by several people.

20031125-20031201

	Feature: XCLIENT support to override the SMTP server's
	client information for logging and/or access control. This
	replaces the short-lived XADDR and XLOGINFO extensions.
	Remotely based on code by Victor Duchovni.  See FILTER_README
	and SMTPD_PROXY_README for usage details. Files:
	smtpd/{smtpd,smtpd_check,smtpd_proxy,smtpd_xclient}.c
	smtp/smtp_smtp_proto.c, *qmgr/qmgr_message.c,
	global/deliver_request.c.

20031202

	Cleanup: postfix-files now has support for files that are
	no longer part of Postfix. When upgrading Postfix, the
	post-install script gives the user a reminder. Files:
	conf/postfix-files, conf/post-install.

20031203

	Support for SMTPD access map actions (FILTER, REDIRECT,
	HOLD or DISCARD) that are delegated to the cleanup server,
	but can trigger before the first valid recipient address
	is accepted (and thus, before a cleanup server connection
	is available).  Files:  smtpd/{smtpd,smtpd_state,smtpd_check}.c.

20031204

	Bugfix: conf/post-install didn't skip non-existent obsolete
	files.  Victor Duchovni.

	Minor cleanups of the xclient error messages; xclient
	command lookup tables. File: smtpd/smtpd.c.

20031206

	Feature: reject_sender_login_mismatch allows multiple owners
	of a sender address.  Code by Liviu Daia.  Files:
	smtpd/smtpd_check.c and documentation.

	reject_sender_login_mismatch is now implemented by elementary
	features reject_unauthenticated_sender_login_mismatch
	(reject if the client is not SASL logged in but the sender
	address has an owner in smtpd_sender_login_maps) and
	reject_authenticated_sender_login_mismatch (reject if the
	client is SASL logged in but does not own the sender
	address).  Code by Liviu Daia.  Files: smtpd/smtpd_check.c
	and documentation.

20031207

	Bugfix: fallback_transport and mailbox_transport were broken
	because the deliver_pass.c module was not updated for the
	changed message delivery protocol.

20031211

	Safety: in dynamically growing data structures, update the
	length info after (instead of before) updating the data
	size. Files:  util/argv.c, util/inet_addrlist.c, util/intv.c,
	util/mvect.c, util/vstring.c, global/recipient_list.c,
	*qmgr/qmgr_rcpt_list.c.

20031212

	Cleanup: separate extensions XCLIENT (impersonate SMTP
	client) and XFORWARD (down-stream logging of up-stream MTA
	and/or message information, not necessarily SMTP related).
	The protocol is extensible: the server advertises what
	attributes XCLIENT or XFORWARD will accept, and it is an
	error to send an unsupported attribute.  No xtext encoding
	is used, since no attribute currently needs it.  See also:
	XCLIENT_README and XFORWARD_README.

20031214

	Feature: XFORWARD support in the LMTP client.

20031215

	Safety: updated mail_queue_id_ok() for long fast flush
	logfile names. File: global/mail_queue.c.

	Robustness: save and restore the resolver _res.options
	settings before and after DNS lookup, to avoid surprises
	in third-party code. This may eliminate some "localhost
	not found" problems. File: dns/dns_lookup.c.

20031216

	Cleanup:  easier to parse mailq output (no more space
	between short queue ID and message status).  File:
	showq/showq.c.

20031216-21

	Cleanup: the SMTP client now moves on to the next MX host
	or fallback relay when delivery fails in the middle of an
	SMTP session. This includes both broken connections and
	4xx SMTP server replies.  Files:  smtp/smtp.c, smtp_rcpt.c,
	smtp/smtp_connect.c, smtp_trouble.c.

	Configuration parameters: smtp_mx_address_limit (limit the
	list of IP addresses from MX lookup), and smtp_mx_session_limit
	(limit the number of actual SMTP sessions per delivery
	attempt, ignoring unusable MX IP addresses).

	The new code centers around a mark-and-sweep algorithm
	(replacing code that twiddled the rcpt->offset structure
	member), with paranoid sanity checks to ensure that every
	recipient is explicitly accounted for.

20031217

	Update: LDAP client logging (Liviu Daia) and LDAP client
	documentation (Victor Duchovni). Files: util/dict_ldap.c,
	conf/sample-ldap.cf, README_FILES/LDAP_README.

20031222

	Cleanup: shaved half the worst-case bits off the cleanup
	duplicate address filter footprint. After discussion with
	Victor Duchovni. File: cleanup/cleanup_out_recipient.c.

	Safety: added "mail loops to myself" logic for destinations
	that don't have an MX host.  File: smtp/smtp_addr.c.

20031223

	Workaround: turn off "mail loops to myself" for non-MX
	destinations because it breaks SMTP-based content filters.
	Fix is to turn off loop detection when a non-default TCP
	port is specified.  File: smtp/smtp_addr.c.

	Bugfix: restore errno after write failure in SIGCHLD handler.
	Leandro Santi (who got the idea from Hernan Perez Masci).
	File: master/master_sig.c.

	Bugfix: the auto_clnt module disconnected too early, causing
	unnecessary work by the anvil server.

	Cleanup: eliminated binary hashes from anvil server. Anvil
	client information is now stored on top of its VSTREAM.

20031226

	Feature: bounce_queue_lifetime parameter (default:
	$maximal_queue_life_time) that bounds the time that
	MAILER-DAEMON messages spend in the queue before they are
	considered undeliverable.

	Feature: disable "mail loops back to myself" protection
	when SMTP mail is sent to a non-standard port. This makes
	setting up content filters less painful.

	Cleanup: disallow bare x.x.x.x numeric IP addresses in
	email addresses. The form user@[x.x.x.x] is still allowed.

	Cleanup: cleaned up the naming of internal symbols in the
	SMTP client.

20031231

	Bugfix: stricter address syntax test broke "sendmail -bs".
	File: smtpd/smtpd.c.

20040101

	Cleanup: the Postfix SMTP server rejects a MAIL FROM address
	that matches a local, virtual or relay domain, while the
	address is not listed in the corresponding local, virtual
	or relay recipient table.

	Feature: the reject_unlisted_sender(recipient) SMTPD access
	restriction rejects an address that matches a local, virtual
	or relay domain, while the address is not listed in the
	corresponding local, virtual or relay recipient table.

	Compatibility: the check_recipient_maps restriction works
	like reject_unlisted_recipient, but will eventually be
	removed from Postfix.

20040102

	Misc documentation cleanup by Loic Minier.

20040104

	Workaround: MacOSX dumps core on the 20030913 TZ censoring
	code. We explicitly set TZ=UTC, which will produce incorrect
	results when "mailq" formatting is moved from the showq
	daemon to the postqueue command.   File: msg_syslog.c.

	Feature: after mail is requeued with "postsuper -r", the
	pickup server logs the old queue ID together with the new
	queue ID.  Victor Duchovni. File: pickup/pickup.c.

	Feature: smtpd_sasl_application_name parameter (default:
	smtpd) to control the name of the SASL configuration file
	used by the Postfix SMTP server. Liviu Daia. Files:
	mail_params.h, smtpd.c, smtpd_sasl_glue.c.

	Cleanup: the LDAP client configuration parser is now shared
	between the LDAP, MySQL, and PGSQL clients.  Liviu Daia.
	Files: global/cfgparser.[hc], global/dict_ldap.c,
	global/dict_mysql.c, global/dict_pgsql.c and documentation.

	Cleanup: moved "util" modules with dependencies on higher-level
	"global" code from the util directory to the global directory:
	util/dict_open.c, global/cfgparser.[hc], global/dict_ldap.c,
	global/dict_mysql.c, global/dict_pgsql.c, global/mail_dict.c.

	Cleanup: the new queue manager nqmgr replaces the default
	queue manager qmgr, leaving behind a hard link for backwards
	compatibility. The old queue manager remains available as
	as oqmgr but will eventually be removed.

	Bugfix: vstring_get() etc. now return VSTREAM_EOF when they
	terminate prematurely, instead of returning the last
	character stored.  This avoids mis-leading warnings. File:
	global/vstring_vstream.c.

20040105

	Cleanup: don't bother the flush daemon while deferring mail
	if the destination is not "fast flush" eligible. File:
	global/flush_clnt.c.

	Safety: the SMTP server flushes recipients to the cleanup
	server in order to avoid SMTP timeouts when virtual or
	canonical expansions take a lot of time. File smtpd/smtpd.c.

	Safety: add warnings to postmap and postalias when table
	lookup results in an empty string.

20040110

	Example: script to run qmail-local from Postfix by Ron
	Bickers.

	Change: queue minfree limit is now 1.5 * message size limit.
	File: smtpd/smtpd_check.c.

	Bugfix: apply hostname restriction even when host address
	lookup fails in check_{sender,recipient}_{ns,mx}_access.
	File: smtpd/smtpd_check.c.

20040115

	Performance: allow delivery concurrency to increase even
	while mail is deferred, as long as the delivery agent does
	not report really serious trouble with the destination.
	Files:  *qmgr/qmgr_deliver.c.

	Cleanup: in postfix-files, symbolic links and hard links
	are now first-class citizens with explicit mention of source
	and destination pathnames. Files: postfix-install,
	conf/postfix-files, conf/post-install.

20040116

	Cleanup: sendmail -v caused one mail delivery report upon
	every delivery attempt, not just the first one. The fix is
	to "kill" a queue file record after the first delivery
	attempt. This means a new record type. Files:  *qmgr/qmgr_active.c,
	*qmgr/qmgr_message.c, global/rec_type.c.

	Cleanup: in anticipation of other built-in rate limiters,
	the client_connection_rate_time_unit parameter is renamed
	to client_rate_time_unit.

	Documentation: finished the HOSTING_README file with an
	overview of methods to host domains with Postfix.

20040119

	Bugfix: anvil (count and rate limiting) server race condition
	could result in dangling pointer.  Postfix erases memory
	after allocating and before freeing, so it is extremely
	unlikely that this could be used to bring harmful data into
	the anvil server. File anvil/anvil.c.

20040120

	Cleanup: new header_checks(5) and body_checks(5) manual
	pages.  The sample-regexp* and sample-pcre* files are no
	longer needed and have been removed, as are the default
	*_table configuration files.

	Cleanup: support for the non-standard Errors-To: header is
	removed. File: cleanup/cleanup_message.c.

20040121

	Feature: "PREPEND headername: headervalue" action in Postfix
	access maps, to facilitate external policy servers that
	label mail instead of rejecting it. Files: smtpd/smtpd.c,
	smtpd/smtpd_check.c.

20040122

	UNDO the 20040104 change (vstring_get() etc. return
	VSTREAM_EOF when they terminate prematurely, instead of
	returning the last character stored, to avoid mis-leading
	warnings). File:  global/vstring_vstream.c.

	Portability: test -e is not portable. File: conf/postfix-script.

	Misc. documentation fixes by Victor Duchovni.

	Documentation: the README files are now hyperlinked, and
	are referenced in the on-line manual pages.

	Bugfix: the pickup daemon now strokes the watchdog frequently
	to prevent the watchdog from barking when mail arrives
	faster than it can be picked up. File: pickup/pickup.c.

20040123

	Feature: set smtpd_reject_unlisted_{sender,recipient}=no
	to turn off automatic rejection of non-existent local,
	virtual or relay addresses. This way it can be made
	conditional for local clients, always on for remote clients.
	Files:  global/mail_params.h, smtpd/smtpd.c, smtpd/smtpd_check.c.

20040124

	Feature: PREPEND in header/body_checks, for message tagging.
	File: cleanup/cleanup_message.c.

20040126

	Safety: handle the case that main.cf is updated while it
	is being read. File: util/dict.c.

	Feature: "instance" attribute that links policy etc. queries
	to the same message instance.

	Cleanup: the mynetworks setting may now be empty. File:
	global/mail_params.c.

20040127

	Bugfix: missing flush_init() call. Introduced 20040105.
	File: postqueue/postqueue.c.

20040128

	Cleanup: clnt_stream derived classes now try to detect that
	the server has disconnected before sending data and warning
	about an error. File: global/clnt_stream.c.

20040202

	Bugfix: changed mis-leading warning about text>4096 characters
	into "unexpected end-of-input". File: util/attr_scan0.c.

20040201

	Feature: sasl_method, sasl_username and sasl_sender attributes
	in smtpd policy queries. Files: src/smtpd/smtpd_check.c.

20040204

	Safety: smtpd_soft_error_limit now determines when
	$smtpd_error_sleep_time starts to take effect.

	Cleanup: local(8) and virtual(8) will now create maildirs
	in a world-writable directory. Files: util/make_dirs.c.

	Bugfix: don't panic on a corrupt queue file.  File:
	*qmgr/qmgr_message.c.

20040205

	Cleanup: sample-filter.cf is gone. Better documentation is
	available with "man header_checks".

20040209

	Bugfix: when delivery to smtpd_proxy_filter fails, report
	"451 Queue file write error" instead of repeating the
	previous "354 End data with <CR><LF>.<CR><LF>" response.
	File:  smtpd/smtpd.c.

20040220

	Compatibility: accept and ignore the sendmail -bh and -bH
	mode of operation requests.

20040302

	Bugfix: SMTPD proxy didn't send QUIT as the result of code
	duplication. Evidence reported by Mark Martinec. File:
	smtpd/smtpd.c.

20040311

	Bugfix: bad address syntax was passed to transport map
	lookups.  Problem reported by Andrei Koulik. File:
	util/match_ops.c, trivial-rewrite/resolve.c.

20040324

	Portability: ekkoBSD support by Philip Reynolds.  Files:
	makedefs, util/sys_defs.h.

20040325

	Cleanup: smtp_skip_4xx_greeting and smtp_skip_5xx_greeting
	functionality is moved from connection management to SMTP
	protocol processing, so that Postfix now logs the server
	response when a server refuses to provide service.  Files:
	smtp/smtp_connect.c, smtp/smtp_proto.c.

	Cleanup: smtp_skip_4xx_greeting is no longer configurable;
	it is now permanently turned on.

20040326

	Workaround: in the trivial-rewrite server, turn on the code
	to strip trailing "." while rewriting addresses, and change
	the address resolver to strip trailing "." in a compatible
	manner.  This does not eliminate the problem that the SMTP
	server may use a different address for recipient validation
	than what the cleanup server uses for virtual alias mapping.

20040329

	Bugfix: the SMTP server did not log client (and SASL)
	information with the real-time content filter was enabled.
	Files: smtpd/smtpd.c, smtpd/smtpd_sasl_proto.c.

	Compatibility: smtpd_reject_unlisted_sender is turned off
	by default, to avoid trouble with with in-house software
	that sends out mail software with an unreplyable address.

20040331

	Bugfix: postdrop should not abandon mail submission after
	receiving a SIGHUP signal when SIGHUP was ignored by the
	parent process.  Victor Duchovni, Morgan Stanley.  File:
	postdrop/postdrop.c.

	Bugfix: parsing bug in PgSQL dictionaries causing UNIX
	sockets to be ignored. Liviu Daia. Files: global/dict*sql.c.

	Performance: allow MySQL and PgSQL database connections to
	be closed when idle for more than 1 minute; Liviu Daia.
	Files: global/dict*sql.c.

20040401

	Sanity: the SMTP server no longer accepts sender or recipient
	addresses that end in the "@" null domain, as well as
	addresses that rewrite into such a form.  Specify
	"resolve_null_domain=yes" to get the old behavior back.
	File:  trivial-rewrite/resolve.c.

20040402

	Cleanup: added WARN action support for access maps, for
	consistency with the WARN action in header and body checks.
	File:  smtpd/smtpd_check.c.

20040407

	Bugfix: missing return statement at the end of the
	FREE_MEMORY_AND_RETURN error handling macro. Adi Prasaja.
	File: trivial-rewrite/resolve.c.

20040411

	Future proofing: client_rate_time_unit is renamed to
	anvil_rate_time_unit, so that it is no longer limited to
	clients only. File: src/global/mail_params.h.

	Cleanup: postalias and postmap now log problems to syslogd.
	Files: postalias/postalias.c, postmap/postmap.c.

20040413

	Feature: "postfix set-permissions" (re)sets ownership and
	access permissions of Postfix files and directories.

	Feature: "postfix upgrade-configuration" updates main.cf
	and master.cf. This is for people who people copy over
	their old files after installing a newer Postfix version.

	Feature: HTML files are now optionally installed under
	control of the html_directory configuration parameter.
	Files: postfix-install, conf/postfix-files, conf/post-install.

	Cleanup: README file installation is now optional.  Files:
	postfix-install, conf/postfix-files, conf/post-install.

20040414

	Cleanup: references to sample-mumble.cf files removed,
	conf/mumble_table files removed, new commands added to
	conf/postfix-script.

	Cleanups: function declared int but used as void, missing
	include file, missing const qualifier, unused variable.
	Matthias Andree. Files:  bounce/bounce_notify_util.c,
	bounce/bounce_service.h, postlog/postlog.c, smtpd/smtpd_check.c,
	util/attr_scan64.c.

	Bugfix: more robust version of SIGHUP test of 20040331.
	Victor Duchovni, Morgan Stanley. File: postdrop/postdrop.c.

	Safety: added NOCLOBBER qualifiers to local variables that
	might be clobbered by longjmp(). Files: util/sys_defs.h,
	smtp/smtp_proto.c, lmtp/lmtp_proto.c, smtpd/smtpd_check.c,
	smtpstone/smtp-source.c.

	Bugfix: sub-level Makefiles no longer turned on the extra
	compiler warnings. Files: Makefile.in.*, makedefs.*.

20040415

	Bugfix: the LMTP client attempted to reuse a connection
	after timeout, causing protocol synchronization errors.
	Reported by Rob Mueller. File: lmtp/lmtp.c.

20040416

	Cleanup: non-delivery reports now include the original
	recipient information. File: bounce/bounce_notify_util.c.

20040415-18

	Typos: many documentation fixes by Rob Foehl.

20040418

	Cleanup: "int" versus "const int" prototype mismatch between
	the DICT sequence method prototype and possible implementations.
	Files: util/dict_db.c, util/dict_dbm.c.

20040419

	Bugfix: the code that rejects client/helo RESTRICTIONS with
	smtpd_delay_reject=no looked at the wrong evidence and
	rejected client/helo ACCESS MAP lookups instead. Michael
	Tokarev. Files:  smtpd/smtpd.c, smtpd/smtpd_check.c.

	Bugfix: missing # in master.cf in optional submission
	service.

20040420

	Bugfix: smtpd logged the client too often. Michael Tokarev.
	File: smtpd/smtpd.c.

	Cleanup: client_event_status_update_time renamed to
	anvil_status_update_time. Files: mantools/postlink,
	proto/postconf.proto, anvil/anvil.c.

20040421

	Workaround: allow pipelined SMTP clients to overshoot the
	SMTP server recipient limit without triggering the server
	hard error limit.  The SMTP server does not count "too many
	recipients" towards the hard error limit, as long as the
	number of excess recipients stays within a configurable
	overshoot limit (default: smtpd_recipient_overshoot_limit
	= 1000).  Solution in cooperation with Victor Duchovni.
	Files:  smtpd/smtpd.c, smtpd/smtpd_state.c, smtpd/smtpd.h.

20040502

	Missing test for a never used flag (the problematic and
	thus never completed INSPECT feature that doesn't re-inject
	mail into Postfix).  Victor Duchovni, Morgan Stanley. File:
	virtual/virtual.c.

20040503

	Bugfix: missing "sasl enabled" guard in the SMTPD policy
	client.  File: smtpd/smtpd_check.c.

20040606

	Portability. UnixWare has strcasecmp() in strings.h.  Patch
	by Andreas Winkelmann. File: util/sys_defs.h.

	Portability. The postlink script is transformed from sed(1)
	to perl(1).

20040608

	Portability. Introduced SET_H_ERRNO() macro for compilation
	environments where h_errno can't be used as an lvalue.
	Files:  util/sys_defs.h, dns/dns_lookup.c.

	Portability. Eliminate assumption on bits per byte from
	vbuf_print.c.

20040614

	Bugfix: the SMTP client did not reset per-session EHLO,
	SASL, and history information when opening a connection to
	an alternate SMTP server.  This is the result of abstraction
	no longer matching function. Reported and diagnosed by
	Victor Duchovni, Morgan Stanley.

	Bugfix: non-portable reuse of variadic argument lists.
	Fix by Victor Duchovni, Morgan Stanley. Files:  global/bounce.c,
	global/defer.c, global/sent.c, global/trace.c, global/verify.c.

	Portability: NetBSD 2.0 has changed from statfs to statvfs.
	John Heasley. File: util/sys_defs.h.

	Documentation: typo fixes by IKEDA Nozomu.

20040616

	Bugfix: one missed variadic argument list fix. Victor
	Duchovni, Morgan Stanley. File: global/verify.c.

	Bugfix: the resolver client cache should be context dependent
	because address verification probes may use a different
	route than normal mail deliveries. File: global/resolve_clnt.c.

	Safety: added similar context dependence to the address
	rewriting client in order to avoid trouble when Postfix is
	changed. File: global/rewrite_clnt.c.

	Bugfix: space in HELO commands could end up in XFORWARD
	commands.  File: smtpd/smtpd.c.

20040619

	Code reorganization: in preparation for SMTP session caching,
	the SMTP client data structures were changed from the
	original "one session per delivery request" model to an
	explicit "multiple sessions per delivery request" model.
	This uncovered ESMTP and SASL missing re-initialization
	problems that were fixed in past week.  Design by Victor
	and Wietse, initial implementation by Victor Duchovni.

20040620

	Future proofing: after the reorganization of SMTP request
	state and session state, added code to the smtp client
	error handling routines to more consistently deal with the
	possibility that session information is not available.

20040621

	Feature: directory=pathname option for the pipe(8) delivery
	agent. This allows a command to run from a fixed directory.
	Failure to change directory causes delivery to be deferred.
	Files: pipe/pipe.c.

	Feature: command_execution_directory for local(8) delivery
	to external command. This supports the usual $home etc.
	expansions, subject to filtering with the character set
	specified with $execution_directory_expansion_filter.
	Failure to change directory causes delivery to be deferred.
	Files:  global/mail_params.h, local/command.c.

	Support for external command execution directory. Files:
	global/pipe_command.[hc].

20040622

	Safety: when mail is delivered to a transport with per-delivery
	recipient limit of 1, split the recipient address on the
	recipient delimiter if one is defined, so that extended
	addresses don't get extra delivery concurrency slots.
	Files: *qmgr/qmgr_message.c.

20040623

	Workaround for fragile clients: add microsecond time to
	maildir filename.  Files: virtual/maildir.c, local/maildir.c.

20040628-20040701

	SMTP connection caching work with Victor Duchovni.

	New module (later renamed to global/scache_single.c) for
	protocol-independent session caching.  The initial
	implementation supports in-process, single-session caching
	only.  A later version will support a central session cache
	daemon.  Some more work is needed for passivation/activation
	of session attributes.

	New function vstream_fdclose() to destroy a VSTREAM while
	leaving the underlying file(s) open. Files: util/vstream.[hc].

	New function dns_rr_remove() to remove one record from a
	resource record list. Some more work is needed to turn the
	list into a doubly-linked one. Files: dns/dns.h, dns/dns_rr.c.

	Restructuring of the SMTP protocol engine for session
	caching. File: smtp/smtp_proto.c.

	Restructuring of the connection management module, and
	first implementation of SMTP connection caching.  To enable,
	specify an smtp_connection_cache_time value greater than
	zero. The time unit is seconds. File: smtp/smtp_connect.c.

	New code to passivate and re-activate SMTP_SESSION objects,
	and isolation of session save/lookup in its own module.
	Files: smtp/smtp_session.c, smtp/smtp_reuse.c.

	Refinement: smtp_cache_reuse_limit parameter to bound the
	number of times a session may be reused.

	Refinements: when a session comes from the cache, give it
	back to the cache anyway (even when it will not be listed
	under the next-hop destination name).

	Future refinements should also include a bound on the number
	of consecutive and total non-delivering uses and other
	statistics.

20040714

	Bugfix: the code to eliminate the local MTA from the MX
	address list did not handle the case that inet_interfaces
	produced a less preferred match than proxy_interfaces.
	Victor Duchovni, Morgan Stanley. File: smtp/smtp_addr.c.

20040715

	Resume work on SMTP session caching.  All good sessions
	are now cached under their IP address. As before, only the
	first good session per delivery request is cached under
	the original next-hop destination.

	At this point, SMTP session caching works, with a session
	cache client module that uses in-process session caching.
	This is sufficient to demonstrate that the SMTP client is
	ready for session caching.

20040716

	New modules to send file descriptors from one process into
	another one. This will be needed for implementing a central
	connection cache manager daemon. Most systems use UNIX-domain
	sockets as the transport for this. On Solaris we use streams
	instead.  Applications are supposed to invoke LOCAL_SEND_FD()
	and LOCAL_RECV_FD().  Files: {unix,streams}_{send,recv}_fd.c.

20040717

	First implementation of a session caching client API that
	actually sends to/receives from a caching server process.
	The old in-process, single-session caching functionality
	is preserved as global/scache_single.c, so that we can use
	it for bootstrapping the session cache server. File:
	global/scache_clnt.c.

	First implementation of the scache session cache server,
	using the same in-process session caching code that was
	used to bootstrap the SMTP client.  File: scache/scache.c.

20040718

	Performance: the default RSET timeouts are reduced from
	120s to 20s.  Perhaps there should be different RSET timeout
	for address probes and for session cache checks. File:
	global/mail_params.h.

20040719

	Multi-session connection cache module. Implementing this
	was actually the easiest part of the entire connection
	caching project. File: global/scache_multi.c.

20040720

	Bugfix: event_drain() falsely reported a single-entry timer
	queue as empty.  File: util/events.c.

	Completed the multi-session cache support for SMTP. The
	code can be stress tested with a driver program that reads
	commands from a script. It is not practical to manually
	test the effects of collisions in the time or in name space
	domains. File:  global/scache.c.

20040721

	Feature: the session cache server now logs cache hit and
	miss statistics every $session_cache_status_update_time
	seconds (default: 600s), as well as upon process exit.
	File:  scache/scache.c.

20040722

	Workaround: LINUX 2.4 has trouble with mixed data and file
	descriptor traffic on UNIX-domain stream sockets.
	Specifically, it cannot handle data write (read) followed
	by file descriptor send (receive): the receiver hangs in
	recvmsg(). Workaround is to insert an intervening read
	(write) operation.  Presumably, LINUX 2.4 is confusing the
	data and file descriptor.  Lucky Ralf Hildebrandt.  Files:
	util/sys_defs.h, global/scache_clnt.c, scache/scache.c.

20040723

	Safety: spawn(8) now rejects a user with the -1 UID or GID
	value, so that commands will not end up running as root.
	Files:  util/spawn_command.c, spawn/spawn.c.

	User interface: parameter smtp_connection_cache_domains
	renamed to smtp_connection_cache_destinations. Destinations
	listed here must be specified without [] or :port.  File:
	smtp/smtp_connect.c.

	Bugfix: "421 Timeout exceeded" wasn't guarded by setjmp().
	Victor Duchovni, Morgan Stanley. File: smtpd/smtpd.c.

20040729

	Feature:  enable SMTP session caching temporarily while a
	postfix is able to schedule back-to-back deliveries.
	Parameter:  smtp_connection_cache_on_demand (default:
	yes).  Files:  smtp/smtp_connect.c, *qmgr/qmgr_entry.c,
	*qmgr/qmgr_queue.c, *qmgr/qmgr_deliver.c.

	Feature: smtp-source -N option to generate unique recipient
	addresses for (trivial-rewrite) stress testing. Victor
	Duchovni, Morgan Stanley. File: smtpstone/smtp-source.c.

20040730

	Safety: disallow "opportunistic session caching" when the
	queue manager is unable to schedule back-to-back deliveries.
	File: *qmgr/qmgr_entry.c.

20040731

	Hysteresis: turn on "opportunistic session caching" when
	back-to-back deliveries happen, but don't turn if off
	until both concurrent and back-to-back delivery ends.

20040801

	Workaround: disable session caching for Linux < 2.2 (does
	not work) or Glibc < 2 (does not compile).  Files:
	util/sys_defs.h, util/unix_{recv,send}_fd.c.

	Portability: h_errno is not an lvalue in the UnixWare 7.1
	multi-threaded environment. Olivier PRENANT.

20040812

	Bugfix: update SMTP server error counter when a client is
	denied access with smtpd_delay_reject=no.

20040816

	Bugfix: The smtp_chat_cmd() forced output flushing code in
	the SMTP client could run before an I/O error handler was
	set up.  Problem diagnosed by Victor Duchovni, Morgan
	Stanley. The fix is to disable the smtp_chat_cmd() forced
	output flushing code as it duplicates better code in
	smtp_loop(). File: smtp/smtp_chat.c.

	Safety: set up an I/O error handler before the smtp_loop()
	protocol engine starts; this handler logs a warning in case
	it ever runs, because that means someone broke ESMTP command
	pipelining.  File: smtp/smtp_proto.c.

	Feature: canonical_classes parameter by Kimmo Suominen, to
	control what addresses are rewritten by canonical_maps.
	Files: cleanup/cleanup_addr.c, cleanup/cleanup_message.c.

20040817

	Bugfix: update the vstream I/O time AFTER the completion
	of an I/O request, so that time-sensitive applications
	don't force flush output too soon and possibly trigger
	NAGLE delays.  Problem diagnosed by Victor Duchovni, Morgan
	Stanley. File: util/vstream.c.

	Portability: avoid postmap/postalias test file name clashes
	on Windows.  Ian Lance Taylor (of Taylor UUCP fame).

20040823

	Bugfix: vstream_popen() did not close the child pipe
	after failure to fork(). File: util/vstream_popen.c.

20040826

	Feature: support for systems with closefrom(), and emulation
	for those without. Andrew Brown. Files:  util/sys_defs.h,
	util/sys_compat.c.

20040827

	Feature: {sender,recipient}_canonical_classes parameters,
	which give better control than sender_canonical_classes.
	Files: cleanup/cleanup_addr.c, cleanup/cleanup_message.c.

	Feature: the proxymap client now recognizes when a map
	can't be proxied, and will open it directly instead.  This
	makes proxy maps easier to use for virtual mailbox domains.
	File: global/dict_proxy.c.

	Feature: smtp_sasl_mechanism_filter restricts what remote
	SMTP server mechanism names the Postfix SMTP client passes
	on to the SASL library.  Victor Duchovni, Morgan Stanley.
	Files: smtp/smtp.c.  smtp/smtp_sasl_glue.c, smtp/smtp_sasl_proto.c.

20040828

	User interface: when no recipients are specified, the
	Postfix sendmail command now terminates with status EX_USAGE
	instead of accepting the mail first and bouncing it later.
	This gives more direct feedback in case of a common client
	configuration error. File:  sendmail/sendmail.c.

20040829

	Portability: Solaris closefrom() support didn't work for
	non-SUN compilers. Victor Duchovni, Morgan Stanley.

20040830

	Feature: the scache(8) session cache manager now logs the
	peak counts of destinations, endpoints and sessions. Files:
	scache/scache.c, global/scache*c.

20040831

	Portability: disable session caching support on SCO 5
	because of incompatible sockets API. File: util/sys_defs.h.

20040913

	Bugfix (introduced 20020803): sent the wrong bounce message
	type when a Delivered-To: loop was detected for a mailing
	list alias.  Nicolas Riendeau. File: bounce_notify_util.c.

20040918

	Feature: authorized_flush_users, authorized_mailq_users,
	authorized_submit_users to restrict what users can flush
	the queue, list the queue, or submit mail locally.  Based
	on code by Victor Duchovni, Morgan Stanley. Files:
	sendmail/sendmail.c, postdrop/postdrop.c, postqueue/postqueue.c,
	global/user_acl.[hc].

	Feature: discard(8) mail delivery agent.  Victor Duchovni,
	Morgan Stanley. File: discard/discard.c.

20041002

	Long overdue, a master(5) manual page based on an initial
	version by Magnus Baeck.

	By popular demand, a postfix-manuals.html web page with
	totally useless links to UNIX-style manual pages (the same
	information should already be available simply by typing
	"apropos postfix"). To keep newbies from getting completely
	lost due to information overload, the document starts with
	a list of actually useful pointers to Postfix introductions,
	duplicated from the already existing documents.html.

20041006

	Bugfix: "sendmail -bv" did not reject the -t option.  File:
	sendmail/sendmail.c.

20041007

	Feature: SASL authentication attributes are now stored in
	queue files and passed on to delivery agents, by Leandro
	Santi. Files:  deliver_pass.c, deliver_request.c,
	qmgr_deliver.c, qmgr_message.c, pipe.c, smtpd.c.

20041009

	Feature: per SMTP client message rate limit and recipient
	rate limit, by Ragnar Lonn, GHN network technologies.
	Files: smtpd/smtpd.c, anvil/anvil.c, global/anvil_clnt.[hc].

	Incompatibility: smtpd_client_connection_limit_exceptions
	renamed to smtpd_client_event_limit_exceptions, because it
	now also controls message and recipient rate limit control.

20041013

	Portability: AIX 5.1/GCC.

20041014-23

	Postfix no longer appends the local domain to header
	addresses from remote clients.  Instead, Postfix either
	does not rewrite those headers at all, or it appends the
	domain specified with the new remote_header_rewrite_domain
	parameter.

	Postfix still appends $@myorigin or .$mydomain to headers
	from the Postfix sendmail command, or from clients listed
	with the new local_header_rewrite_clients parameter (default:
	permit_mynetworks, permit_sasl_authenticated).

	These changes affect the SMTP server (including XFORWARD
	support), the cleanup server (do or don't rewrite headers),
	the trivial-rewrite server (append local domain or surrogate
	remote domain to incomplete addresses), the queue manager
	(send additional attributes to delivery agents), the LMTP
	and SMTP clients (XFORWARD support), and the local delivery
	agent (preserve XFORWARD attributes when forwarding mail).

20041016

	Bugfix: attr_clnt_request() did not properly skip hash
	table arguments. Luc Pardon, Skopos Consulting. File:
	util/attr_clnt.c.

20041018

	The NIS+ module by Geoff Gibbs is now part of Postfix.
	Files: util/dict_nisplus.c, proto/nisplus_table.

20041019

	Support for Errors-To: is permanently removed.

20041022

	Bugfix: "smtp_connection_cache_on_demand=no" could crash
	the SMTP client. File: smtp/smtp_connect.c.

	Robustness: extra sanity checks. Files: util/dict_db.c,
	util/dict_dbm.c, dict_nis.c.

20041025

	Initial merge of Lutz Jaenicke's TLS patch. Initial rewrite
	of tlsmgr to eliminate some code duplication and to postpone
	calls into OpenSSL until after dropping privileges.

20041030

	Compatibility: "session cache" renamed to "connection cache"
	to avoid confusion with the TLS session cache.

20041102

	Feature: smtpd_end_of_data_restrictions allow you to specify
	restrictions at the end of the SMTP DATA command. The syntax
	is identical to that of the smtpd_data_restrictions feature.
	This introduces a new END-OF-DATA protocol state for the
	external policy server. Files:  proto/SMTPD_POLICY_README.html,
	proto/SMTPD_ACCESS_README.html, smtpd/smtpd_check.c.

20041111

	Cleanup: terminate the dict_eval() result buffer for verbose
	logging.  Victor Duchovni, Morgan Stanley. File: util/dict.c.

20041112

	Cleanup: be more careful when saving and restoring resolver(3)
	options to avoid problems with an HP-UX security patch
	(change introduced 20031215). File:  dns/dns_lookup.c.

20041115

	Bugfix: the test for "no debugger_command" was wrong.
	Leandro Santi. File: global/debugger_command.c.

20041117

	Robustness: the master-child protocol now includes a process
	generation number besides the child process ID.  The process
	generation number is incremented by one each time the master
	creates a child process. Child-to-master status updates
	with the wrong generation number are ignored, instead of
	triggering a consistency error in the master server.  Files:
	master/*server.c, master/master_status.c, master/master_spawn.c.

20041118

	Bugfix: the "local_header_rewrite_clients" feature (20041023)
	did not recognize "bare" lookup tables as documented.  Victor
	Duchovni, Morgan Stanley. File: smtpd/smtpd_check.c.

	Bugfix: the "local_header_rewrite_clients" feature (20041023)
	was broken because the local delivery agent passed on a
	bogus attribute value when forwarding internally generated
	mail, causing the mail to be rejected by the cleanup server.
	File: local/dotforward.c.

	Bugfix: the "local_header_rewrite_clients" feature (20041023)
	was broken because the pickup server always overwrote origin
	information. Files: pickup/pickup.c, cleanup/cleanup_state.c,
	*qmgr/qmgr_message.c.

	Workaround: enable the "can't write before sending a file
	descriptor" workaround for Solaris. Problem reported by
	Victor Duchovni for Solaris 2.5.1, but we play safe and
	enable it unconditionally.

20041120

	The TLS support routines are moved to a "tls" directory,
	and are published via the "libtls.a" object library.

20041122

	Infrastructure: support for binary attribute values
	(ATTR_TYPE_DATA) in Postfix IPC messages. Files:
	util/attr_scan*c, util/attr_print*c.

20041123-20041205

	TLS support: via a process of gradual transformation,
	decomposed Lutz Jaenicke's pfixtls.c into separate modules
	for clients, servers, certificate verification, session
	caching, and PRNG management. Global variables were eliminated
	so that the code now supports multiple client and/or server
	contexts in the same process.  Files:  tls/*.[hc].

20041205

	TLS support: eliminated shared access (and locking) of the
	TLS PRNG exchange file and TLS session caches. Instead,
	Postfix uses a client-server protocol, and the tlsmgr
	becomes the sole mediator. This eliminated the need for
	1000+ lines of SDBM support, and eliminated the need for
	running a persistent tlsmgr process on systems don't enable
	TLS in main.cf.

20041124

	Feature: configurable list of forbidden SMTP commands
	(default: smtpd_forbidden_commands = CONNECT, GET, POST)
	after which the Postfix SMTP server disconnects immediately.
	The SMTP server always disconnects immediately when the
	client sends a message header instead of an SMTP command.
	Magnus Baeck.  File: smtpd/smtpd.c.

20041207

	CDB support by Michael Tokarev, documentation by Victor
	Duchovni. Files: util/dict_cdb.[hc], global/mkmap_cdb.c.

20041209

	Completed support for the Berkeley DB sequence operator.
	This is needed for finding and deleting old entries in TLS
	session databases. File:  util/dict_db.c.

	Bugfix: the DBM client's sequence operator used exclusive
	locking instead of shared locking. File: util/dict_dbm.c.

	Feature: dump an entire database with the new postmap/postalias
	"-s" option. This works only for database types with Postfix
	sequence operator support: hash, btree, dbm, and sdbm.
	Files:  postmap/postmap.c, postalias/postalias.c.

20041212

	Solaris 10/ix86 chroot setup script update by J.D. Bronson.

	TLS support: cosmetic changes to comments and messages;
	completed the code for the master -> tlsmgr trigger handshake,
	so that the master no longer complains about trigger
	responses timing out.

20041213

	Updated the SDBM dictionary interface. It had fallen behind
	with the Postfix dictionary interfaces that were already
	bundled with Postfix. Files: util/dict_sdbm.[hc].

	Cleanup: "postconf -m" (show all available map types) now
	produces sorted output.  File: util/dict_open.c.

20041215

	No bugfix: tests with the new "postmap -s" feature show
	that SDBM first/next operations never worked with Postfix/TLS
	patch 20040829 (verified with the 20040829 dict_sdbm.c
	module on Linux and FreeBSD).  The code stops after finding
	one database element.  Other SDBM versions found on the
	Internet will find all database entries, but report an I/O
	error after the last database element is found. All this
	would be easy enough to fix, but the SDBM library is not
	part of Postfix, and never will be.

	Bugfix: the sequence operator in the DBM and SDBM clients
	released the shared lock after reading the next key but
	before reading the corresponding value. This was never a
	problem, because the sequence operator was used only in
	the Postfix/TLS patch. This used the SDBM sequence operator
	which didn't work as discussed above. Files:  util/dict_dbm.c,
	util/dict_sdbm.c.

	Feature: the local(8) and pipe(8) delivery agents now make
	the following attributes available upon delivery (with
	local(8) names must be spelled in upper case): client_hostname,
	client_address, client_protocol, client_helo, sasl_method,
	sasl_sender, sasl_username. Files: local/command.c,
	pipe/pipe.c, and lots of documentation.

20041216

	"postcat -o" now prints queue file record offsets; this is
	useful for debugging. File: postcat/postcat.c.

	NON-PRODUCTION Bugfix: (bug introduced while adopting the
	Postfix/TLS patch):  the new TLS certification call-back
	routine expects that the peer hostname is in
	tlscontext->peername_save, but the TLS server code never
	updated this field.  File:  tls/tls_server.c.

20041218

	Feature: selective suppression of SMTP extensions (pipelining,
	starttls, auth, etc.); this is useful to work around broken
	clients or servers.  Specify a list of EHLO keywords with
	the smtp(d)_discard_ehlo_keywords parameters, or specify
	one or more lookup tables, indexed by remote network address,
	with the smtp(d)_discard_ehlo_keyword_address_maps parameters.
	EHLO keyword lists are case insensitive.  Files:
	util/name_mask.[hc], global/ehlo_mask.[hc], smtpd/smtpd.c,
	smtp/smtp.c, smtp/smtp_proto.c.

20041219

	Bugfix: postcat without -o was broken. File: postcat/postcat.c.

20041220

	NON-PRODUCTION Bugfix: (bug introduced while adopting
	Postfix/TLS patch):  don't call smtp_flush() after return
	from vstream_setjmp(), we'll call you.  File: smtpd/smtpd.c.

	Dummy VSTREAM read-write routines. Files: util/dummy_read.c,
	util/dummy_write.c.

20041221

	Fixes for TLS_README by Victor Duchovni. File:
	proto/TLS_README.html.

	NON-PRODUCTION Bugfix: (bug introduced while adopting
	Postfix/TLS patch).  The client code had become too similar
	to the server implementation, and also required a host
	certificate and key. Fix by Victor Duchovni. File:
	tls/tls_client.c.

20041221

	Bugfix: further postcat corner cases.

20041223

	Cosmetic: don't log disconnect events as I/O errors.
	File: tls/tls_bio_ops.c.

20041221-9

	Infrastructure: unified IPv4/IPv6 name/address API so that
	Postfix can support IPv6 without #ifdef INET6 everywhere.
	In particular, we allow #ifdef in libraries but avoid it
	in applications.  Files:  util/myaddrinfo.[hc],
	util/sock_addr.[hc], dns/dns_rr_to_pa.c, dns/dns_sa_to_rr.c,
	dns/dns_rr_eq_sa.c, dns/dns_rr_to_sa.c, inet_proto.[hc].

	Postfix no longer attempts to deliver mail via IPv6 when
	the system has no IPv6 connectivity.  Network protocol
	support is now selected with the "inet_protocols" configuration
	parameter, instead of "inet_interfaces". The "inet_protocols"
	parameter also controls what DNS lookups Postfix will do.

	Infrastructure: eliminated two host/port parsing routines.
	Only one survives: host_port(), in an extended form that
	allows for missing host or missing service information but
	not both. File: util/host_port.c.

20041229

	Milestone: Postfix with the unified IPv4/IPv6 socket/name
	API builds without compiler error on IPv4-only system and
	actually works.

20041228

	Bugfix: SMTPD_PROXY_README incorrectly claimed that ":port"
	in master.cf causes a server to listen only on "localhost"
	without exposing the service to the network.  Instead,
	":port" causes a client to connect to "localhost".

20041231

	Linux workaround:  when mynetworks isn't set, a chrooted
	process could not read the IPv6 address information from
	/proc.  We now invoke own_inet_addr() before chrooting,
	while processing main.cf. File: global/mail_params.c.

20050101

	Workaround for (Linux) systems without IPV6_V6ONLY support
	(RFC 3493).  When Postfix listened on an IPv4 wild-card
	smtp socket, the IPv6 wild-card smtp listener would fail
	with EADDRINUSE (and vice versa).  File: util/myaddrinfo.c.

20050103

	Safety: when the IPV6 netmask can't be determined, assume
	/128 (host only). File: util/inet_addr_local.c.

20050104

	Re-implemented IPv6 support for net/mask pattern matching.
	Files:  util/cidr_match.[hc], util/dict_cidr.c,
	util/match_ops.[hc], proto/cidr_table.

20050105

	Moved mask_addr() to its own module so that it could also
	be called by mynetworks() and inet_addr_local() to remove
	non-zero host bits from IPv6 network/mask patterns. File:
	util/mask_addr.c.

20050108

	Re-implemented IPv6 support for network interface lookup
	via the Linux /proc file system. File:  util/inet_addr_local.c.

20050111

	Feature: specify "inet_interfaces = loopback-only" for
	servers that must listen on local interfaces only, without
	having to specify IPv4 and/or IPv6 addresses in main.cf or
	master.cf.  File:  global/own_inet_addr.c.

	Workaround: AIX 5.1 getaddrinfo() can't handle a null host
	argument with AI_PASSIVE. Instead we specify an explicit
	protocol family, a host of "::" or "0.0.0.0", and turn off
	IPV6_V6ONLY. Files: util_myaddrinfo.c, util/inet_listen.c.

	Workaround: AIX 5.1 getaddrinfo() can't handle a "0" service
	argument. Instead we specify "1".  Files: util/inet_addr_host.c.

20050113

	Cleanup: now that the over-all structure is proving itself,
	clean up some internal APIs to increase robustness and get
	rid of some clumsiness. Mainly, the getaddrinfo(3) interface.

	Start-up performance: the hash_queue_names default setting
	is reduced from eight directories to just defer and deferred.
	This reduces time for checking the Postfix queue. Files:
	conf/post-install, global/mail_params.h.

20050114

	Further cleanup: eliminate duplicate IPv6 results when the
	mynetworks value is generated by Postfix. More documentation
	of the new internal APIs.

	Performance: reduced start-up delay by moving warning-only
	startup checks into the background. File: conf/postfix-script.

20050115

	Further hardening of the IPv6 support: don't trust system
	libraries to protect Postfix against malformed IPv6 address
	literals. Their syntax is complex enough that errors are
	likely. Files: global/resolve_local.c, util/valid_hostname.c.

	Further cleanup: RFC 2821 requires the IPv6: prefix with
	IPv6 address strings.  The smtp and qmqp servers maintain
	separate address instances, the bare address and the RFC
	2821 compatible form, and use each where appropriate.  This
	strict separation simplifies address syntax checks as well
	as the implementation of XCLIENT and XFORWARD.

20050116

	Infrastructure: new valid_mailhost_addr() routine to verify
	that an address literal satisfies RFC 2821. An IPv4 address
	is in dotted-quad decimal form, and an IPv6 address is in
	hexadecimal form, with the "IPv6:" prefix. Files:
	global/valid_mailhost_addr.[hc].

	Further cleanup: valid_hostname() no longer allows network
	addresses or numerical domain names. While it made some
	sense with IPv4 dotted quad decimal forms, with IPv6 it
	just made no sense anymore.  Again, being stricter actually
	simplifies code. Files:  util/valid_hostname.c and a
	surprisingly small number of valid_hostname() callers that
	did not reject numerical forms.

	Bugfix: in the Postfix 2.2 SMTP client, the debug_peer_init()
	call was moved to the after-chroot initialization.

20050117

	Performance: reduced start-up delay by moving warning-only
	startup checks into the background; they now start after
	one minute to allow the system to finish booting. File:
	conf/postfix-script.

	Milestone: first non-non-production snapshot with IPv6.

20050119

	Milestone: first non-non-production snapshot with TLS.

20050124

	Workaround: don't send mail to $fallback_relay if Postfix
	is MX host for the next-hop destination. This is, however,
	a partial solution. The documentation has been updated to
	cover all the cases where a fallback_relay could interfere
	with the operation of a backup or primary MX host. Files:
	smtp/smtp_addr.c, smtp/smtp_connect.c.

20050127

	Configuration: Postfix daemons that need privileged operation
	(such as local, pipe, or spawn) now log a fatal error when
	they are configured in master.cf as unprivileged.

20050130

	Cleanup: simplified the handling of receive_override_options
	settings. Files: pickup/pickup.c, smtpd/smtpd.c, qmqpd/qmqpd.c,
	global/input_transp.c.

	Feature: permit_inet_interfaces allows a request when the
	client matches $inet_interfaces. This is used for generic
	access restrictions and for header address rewriting control.
	Files: global/mail_params.h, smtpd/smtpd_check.c.

	Cleanup: by default, message header address rewriting is
	now enabled only for mail that originates from the machine
	itself. Files: global/mail_params.h, smtpd/smtpd_check.c.

20050131

	Bugfix: when extracting recipients from message headers,
	the Postfix sendmail command produced output records longer
	than $line_length_limit, causing postdrop to reject the
	mail. Diagnosis by Victor Duchovni. File:  sendmail/sendmail.c.

20050202

	Cleanup: explicit Makefile targets for "make package" and
	"make non-interactive-package" to create ready-to-install
	packages for distribution to other systems. Added extra
	sanity checks to prevent attempts to overwrite your running
	Postfix instance. Files:  Makefile.in, proto/PACKAGE_README.

	Cleanup: when bounce_queue_lifetime > maximal_queue_lifetime,
	it is adjusted to maximal_queue_lifetime, and a warning is
	logged. Files:  *qmgr/qmgr.c.

20050203

	Cleanup: trivial-rewrite now restarts more timely after
	changes in lookup tables.  Of the all the alternatives
	tested, the simplest one produces the most bang for the
	buck. The other code is left in place for illustrative
	purposes. File:  trivial-rewrite/trivial-rewrite.c.

	Cleanup: sendmail no longer ignores null command-line
	recipients.  File: sendmail/sendmail.c.

	Cleanup: "postfix start" background checks moved back to
	the foreground so they can be stopped more easily.  File:
	conf/postfix-script.

20050204

	Feature: REPLACE command in header/body_checks (implemented
	as a combination of PREPEND and IGNORE) by Bastiaan Bakker.
	File: cleanup/cleanup_message.c.

	Cleanup: linted the manual pages for consistency in the
	way manuals are referenced, and in the presentation of
	command examples. Files: mantools/manlint, mantools/fixman,
	mantools/postconf2man.

20050205

	Cleanup: updated the mass-deletion example in the postsuper
	manual.

20050206

	Cleanup: don't count a [45]XX SMTP server greeting towards
	the mx_session_limit setting. File: smtp/smtp_connect.c.

	Feature: output address rewriting in the SMTP client. The
	smtp_generic_maps parameter specifies an address mapping
	that happens only when mail is delivered via SMTP. This is
	typically used for hosts without a valid domain name, that
	use something like localdomain.local instead.  This feature
	can replace local mail addresses by valid Internet mail
	addresses when mail needs to go across the Internet, but
	not when mail is sent between accounts on the local machine.
	Files:  smtp/smtp_proto.c, smtp/smtp_map11.c.

	Cleanup: don't panic in mymalloc() when master can't find
	any IP addresses. LaMont Jones. File: master/master_ent.c.

20050207

	Documentation: added a generic(5) manual page for consistency
	with the already existing table driven mechanisms, added
	references to or examples of the new generic mapping.

	Bugfix: the header_checks REPLACE action mis-handled
	multi-line replacement text in message headers, for example:
	/(.*)/ REPLACE X-$1. File:  cleanup/cleanup_message.c.

	Bugfix: the header_checks REPLACE action should not drop
	the input when the action is NOT executed. File:
	cleanup/cleanup_message.c.

	Bugfix? Cleanup? Documentation? main.cf now implements
	${name[?:]value} as promised in the postconf(5) manual.
	Implemented by deleting the macro processor in dict_eval(),
	and using the one in mac_expand() instead.  File: util/dict.c.

20050208

	Feature: check_ccert_access maptype:mapname for access(5)
	control, based on code by Victor Duchovni. File:
	smtpd/smtpd_check.c and documentation.

	Safety: don't allow unlimited message size with limited
	mailbox size. File: local/local.c, virtual/virtual.c.

	Feature: new smtpd policy attributes ccert_subject,
	ccert_issuer and ccert_fingerprint, with TLS client
	certificate information, but only when verification was
	successful.  Files:  src/smtpd/smtpd_check.c.

	Cleanup: corrected the address verification data flow in
	the ADDRESS_VERIFICATION_README illustration.

20050209

	Cleanup: the smtp generic mapping did syntax check on the
	input address instead of the result. These tests were not
	going to be useful in any case, because mail_addr_map()
	canonicalizes the lookup result, including @dom1->@dom2
	mapping. File:  smtp_map11.c.

	Cleanup: made the generic mapping documentation consistent
	with the implementation.

	Cleanup: documented the myorigin/mydomain address rewriting
	in canonical, generic and virtual alias maps.

	Feature: updated LDAP and *SQL query interfaces using a
	common infrastructure so that all have the same feature set
	where possible. Victor Duchovni and many others. This code
	was tested separately and was merged into the main stream
	20050308. Files: global/db_common.[hc], global/dict_ldap.c,
	global/dict_mysql.c, global/dict_pgsql.c, plus documentation.

20050210

	Bugfix: spurious fallback_relay warnings after 20050202.
	Victor Duchovni.  File: smtp/smtp_connect.c.

	Bugfix: (introduced while adopting Postfix/TLS patch) the
	TLS cache scan stopped after expiring one entry.  Victor
	Duchovni.  File: tls/tls_scache.c.

	Safety: delete-behind when removing expired entries from
	TLS session caches. With some maps the enumeration method
	mis-behaves when the current entry is deleted. File:
	tls/tls_scache.c.

20050211

	Cleanup: the "generics" feature (output address rewriting)
	is renamed to "generic", for consistency with "canonical"
	and "virtual".

20050212

	Cleanup: remove old trace(8) logfile before attempting
	delivery (and after locking the message file exclusively).
	Files: *qmgr/qmgr_message.c.

	Cleanup: don't parse-then-regenerate message headers when
	no address is changed by address rewriting operations. This
	behavior was copied from the SMTP client's generic mapping
	code.  Files: cleanup/cleanup_rewrite.c, cleanup/cleanup_map11.c,
	cleanup/cleanup_masquerade.c, cleanup/cleanup_message.c..

20050215

	Bugfix: don't chmod queue files while running "postfix
	set-permissions". This prevents mail from being labeled as
	"corrupt" when a live Postfix system is upgraded.  Found
	by Victor Duchovni.  File: conf/post-install.

20050216

	Feature: in smtpd?_discard_ehlo_keyword(s|_address_maps)
	specify the pseudo keyword "silent-discard" in order to
	avoid logging that some EHLO keyword is being suppressed.
	File: global/ehlo_mask.[hc].

20050217

	Bugfix: typo in tls_server.c, breaking CApath.  Fix by
	Philipp Morger. File: tls/tls_server.c.

20050227

	Bugfix (bug introduced 20040331): with SIGHUP ignored, the
	postdrop signal handler would effectively ignore SIGINT,
	SIGQUIT and SIGTERM.  Simplified the overly-conservative
	protection against nested signals in postdrop, and added
	some future proofing comments.  File:  postdrop/postdrop.c

	Cleanup: when address rewriting is enabled, don't change
	the capitalization of header labels, i.e. don't replace
	FROM: or CC: by From: or Cc:. Files: cleanup/cleanup_message.c,
	smtp/smtp_proto.c.

20050228

	Cleanup/portability: missing #includes and bad prototypes.
	Matthias Andree, Carsten Hoeger, and others.

20050302

	Workaround: make TLS session caching work with perverse
	sites that have multiple servers per hostname or even
	multiple servers per IP address, but no shared TLS session
	cache. The SMTP client TLS session cache is now indexed by
	(server hostname, server address, server port, server helo
	hostname). After an idea by Victor Duchovni. Files:
	smtp/smtp_proto.c, tls/tls_client.c.

20050303

	Bugfix (bug inherited from Postfix/TLS patch): a rare 9kbyte
	memory leak when in-memory TLS session information expires;
	found by setting the expiry time shorter than the time to
	deliver one or two messages with a very slow machine.  This
	was due to a missing SSL_SESSION_free() call in the "new
	session" call-back routines. Found by Victor Duchovni.
	Files: tls/tls_client.c, tls/tls_server.c.

	Workaround: OpenSSL is overly agressive when purging a
	not-yet expired entry from a full in-memory cache: it also
	purges the entry from the on-disk server session cache.
	Workaround is to let only the tlsmgr purge entries from the
	on-disk server session cache.  Found by Victor Duchovni.
	File: tls/tls_server.c.

20050304

	Postfix releases are now signed with Wietse's new PGP key.
	The old key was getting a bit short for today's standards.
	The new public key can be found on the Postfix download
	webpage. As proof of authenticity the new PGP key is signed
	with Wietse's old PGP key.

	Cleanup: check_mumble_{ns,mx}_access no longer attempt to
	do MX or NS lookups for address literals. An address literal
	is treated as its own MX host; there is no meaningful
	equivalent for NS access control. File: smtpd/smtpd_check.c.

20050310

	Bugfix: the AIX and SUN compilers rightfully complained
	about non-portable code in the "new" LDAP/SQL client. File:
	global/db_common.c.

	Workaround: some systems no longer recognize "tail +2" as
	valid command syntax. Instead they require "improved" syntax
	that is not valid on several other systems that Postfix
	builds on.  So we have to stop using the tail command.
	Files: Makefile.in, src/*/Makefile.in.

20050312

	Bugfix: the TLS session cache cleaning code didn't always
	delete the right entry. Problem found by Victor Duchovni,
	more problems found by Wietse. File: tls/tls_scache.c.

20050314

	Portability: Berkeley DB changed API from version 2.5 to
	2.6. Rob Foehl. File: util/dict_db.c.

20050315

	Bugfix: when <unistd.h> is included, read is a reserved
	identifier. File: smtpstone/smtp-source.c.

20050321-27

	Support for RFC 3463 enhanced status codes.  See also the
	ENHANCED_STATUS_README (a hacker's guide) for background.

	New module to pass around (status code + text) instead of
	just text.  File: Files: global/dsn_util.c.

	Status-related lookup tables now have an extra column for
	enhanced status codes.  Files: global/sys_exits.c,
	global/cleanup_strerror.c.

	Cleanup: centralized mapping of errno values to delivery
	status codes after failed delivery to mailbox, maildir, or
	file. Error codes EAGAIN, and ESTALE are 4.2.0 temporary
	errors; ENOSPC is a 4.3.0 temporary error; and EDQUOT and
	EFBIG are 5.2.2 hard errors. For backwards compatibility,
	the result of other errors depends on the delivery agent:
	with local(8) everything else is a 5.2.0 hard error, and
	with virtual(8) everything else is soft 4.2.0 error.  File:
	global/mbox_open.c.

20050324

	Workaround: gcc -W (version 3.4.2 [FreeBSD] 20040728) no
	longer warns about missing return statements. What a time
	waste.

	Workaround: gcc -E (version 3.4.2 [FreeBSD] 20040728) output
	has changed, causing too much "make depend" output.

20050325

	Bugfix: when bouncing mail that was submitted with Postfix
	sendmail, the cleanup daemon ignored the reason specified
	in header/body_checks, and always produced a generic reason.
	File: cleanup/cleanup_api.c.

	Workaround: don't announce pipelining support when the
	smtp-sink test program is configured to fail specific
	commands with -r or -f (the fix is to build a proper SMTP
	state engine into the smtp-sink test program).  File:
	smtpstone/smtp-sink.c.

20050326

	Update: more PCRE error codes. File: util/dict_pcre.c.

20050327

	Bugfix: the SMTP and LMTP clients did not ask the queue
	manager to reduce destination concurrency when "lost
	connection" or "connection timed out" happened AFTER Postfix
	received the server greeting. Files: smtp/smtp_trouble.c,
	lmtp/lmtp-trouble.c.

	Workaround: FreeBSD has incompatibly changed the output
	format from "od", breaking regression test portability.

	The TLS client session cache ID is now derived from the
	server IP address, TCP Port, and server HELO hostname
	if available. File: smtp/smtp_proto.c.

20050328

	Cleanup: the REPLACE action is no longer implemented as
	PREPEND+IGNORE. The result remains in the input stream,
	and is subject to address rewriting and other processing
	where applicable.  File: cleanup/cleanup_message.c.

	Feature: the TLS server name verification status is moved
	out of the TLS session cache. This not only simplifies the
	client-side TLS cache implementation, but also provides
	better cache support for clients that connect to multiple
	independent MTAs under the same DNS hostname or IP address,
	provided that each MTA replies with a unique name in the
	EHLO response. Patch by Victor Duchovni. Files: tlsmgr/tlsmgr.c,
	tls/tls_verify.c, tls/tls_session.c, tls/tls_server.c,
	tls/tls_scache.h, tls/tls_scache.c, tls/tls_misc.c,
	tls/tls_mgr.h, tls/tls_mgr.c, tls/tls_client.c, tls/tls.h,
	smtp/smtp_proto.c.

20050330

	Bugfix: in some compilation environments the SMTP and LMTP
	clients could ignore enhanced status codes in server replies.
	Bug introduced 20050329 while polishing working code.  Files:
	smtp/smtp_chat.c, lmtp/lmtp_chat.c.

	Feature: add enhanced status code support to the smtp-sink
	test program. File: smtpstone/smtp-sink.c.

20050331

	Workarounds for ancient gcc compilers that can't handle
	valid C. Bugs reported by Victor Duchovni. Files:
	util/sys_defs.h, global/dsn_util.h, tls/tls_client.c.

	Bugfix: when delivery to command failed, command output was
	not reported. Fix was to enable format checks for the new
	dsn_vstring_update() module. File: global/dsn_util.h,
	global/pipe_command.c.

20050401

	Cleanup: ignore incorrect enhanced status codes (such as
	5xx reply followed by a 4.x.x status), and don't look for
	enhanced status codes unless the server replies with a
	[245]XX reply.  Files: smtp/smtp_chat.c, lmtp/lmtp_chat.c.

20050402

	Feature: enhanced status code support for errors found by
	the MIME processor. Files: global/mime_state.c,
	cleanup/cleanup_message.c, smtp/smtp_proto.c.

	Cleanup: updated error messages about MIME processing errors
	in the SMTP client. These errors are no longer specific to
	8bit->7bit conversion; they can also happen with generic
	address mapping. File: smtp/smtp_proto.c.

	Safety: SASL 2.1.19 has a version lookup routine that we
	can use to detect compile time / run time version mis-matches
	(also known as DLL hell).  Files: src/smtpd/smtpd_sasl_glue.c,
	src/smtp/smtp_sasl_glue.c, src/lmtp/lmtp_sasl_glue.c.

20050404

	Typo: missing comma after dsn=x.yy.zz logging. File:
	global/log_adhoc.c.

	Feature: specify "smtpd_sasl_authenticated_header = yes"
	to report the SASL login name in the Received: message
	header, so that the login name is shared with the whole
	world. Based on code by Branko F. Gracnar. Files:
	smtpd/smtpd.c, and documentation.

20050407

	@%^!#& Thanks to inadequate SASL documentation the client
	could negotiate a security layer where none was desired.
	Better documentation has become available since Postfix
	SASL support was implemented, and now Postfix needs to be
	fixed. Files: */*_sasl_glue.c.

20050409

	Safety: the CDB map now logs a warning when the source file
	is newer than the indexed file, just like the Berkeley DB
	and DBM maps. Michael Tokarev. File: util/dict_cdb.c.

20040411

	Portability: put the SASL DLL Hell guard after the declarations
	instead of before.  Reported by Marcus Grando. Files:
	smtp/smtp_sasl_glue.c, lmtp/lmtp_sasl_glue.c.

20050412

	Infrastructure: change the disposition or other properties
	of an embryonic queue file. This is currently used only to
	place mail on hold.  After code by Victor Duchovni.  Files:
	global/mail_stream.[hc], cleanup/cleanup_api.c.

	Bugfix: while updating the cleanup_flush() infrastructure
	eliminated a portability problem that was introduced when
	"REJECT text" support was added. File: cleanup/cleanup.c.

20050413

	Portability: don't mix socket message send/receive calls
	with socket stream read/write calls. The fact that you can
	get away with it only on some stacks implies that there is
	no long-term guarantee. Specify -DCAN_WRITE_BEFORE_SENDING_FD
	if you feel brave. File: util/sys_defs.h.

	Robustness: re-compile all object files after the "make
	makefiles" options have changed. Files: src/*/Makefile.in.

	Tweaking: reply with 5.3.4 when the message size exceeds
	the mail system message_size_limit, instead of 5.2.3 which
	is a mailbox specific status. File: smtpd/smtpd_check.c.

20050417

	Safety: don't call syslog from a user-triggered signal
	handler.  File: postdrop/postdrop.c.

20050421

	Bugfix: don't panic when the fall-back relay can't be used
	because the local MTA is MX for the destination.  File:
	smtp/smtp_connect.c.

20050422

	Bugfix: don't panic when the fall-back relay can't be used
	because it was already tried via a cached session. Produce
	a default excuse instead. File: smtp/smtp_connect.c.

	Bugfix: postsuper could lose an error message after reporting
	a fatal error.  File: postsuper/postsuper.c.

20050426

	Bugfix: simplified and improved the 20050422 fall-back relay
	fix. File: smtp/smtp_connect.c.

20050427

	Final solution for the 20050422 fall-back relay problem:
	truncate the fall-back host list when the local MTA is MX
	for some destination. Files: util/argv.c, smtp/smtp_connect.c.

	Cleanup: extra dsn_vstring_update_dsn() routine to shut up
	GCC complaints about valid code. Files: src/global/dsn_util.c,
	src/global/mbox_open.c, src/lmtp/lmtp_addr.c, src/smtp/smtp_addr.c,
	src/smtp/smtp_connect.c.

20050429

	The Postfix SMTP server now announces ENHANCEDSTATUSCODES
	support in the EHLO response, as described in RFC 2034.
	File: smtpd/smtpd.c.

20050503

	Propagate enhanced status code from error(8) mailer to SMTP
	server replies. File: smtpd/smtpd_check.c.

	Cleanup: more consistent format of smtpd warning logging,
	so that it is easier to sort.  Files: smtpd/smtpd.c,
	smtpd/smtpd_check.c.

20050504

	Yikes. People are exposing the smtp-sink test program to
	hostile environments, while it was designed for controlled
	environments. Completed the support for write timeouts,
	added support for read timeouts, and added a missing exception
	handler for the 220 server greeting.  File: smtpstone/smtp-sink.c.

20050506

	Cleanup: with "REJECT 4.X.Y ..." actions in header/body_checks,
	change the SMTP server reply code from 550 into 450, instead
	of having the SMTP server change the DSN into 5.X.Y.  File:
	smtpd/smtpd.c.

20050510

	Usability: when reporting a sender address problem, transform
	a recipient DSN status (e.g., 4.1.1-4.1.6) into the
	corresponding sender DSN status, and vice versa; and when
	reporting a non-address problem, transform a sender or
	recipient DSN status into a generic non-address DSN status
	(e.g., 4.0.0).  This transformation may be needed when the
	same access table or RBL reply template are used for client,
	helo, sender, or recipient restrictions; or when the same
	error mailer information is used for senders or recipients.
	Files: smtpd/smtpd_check.c, smtpd/smtpd_dsn_fix.[hc].

20050512

	Feature: support for more SASL logging call-backs, if these
	are defined in the compile-time environment. Files:
	smtpd/smtpd_sasl_glue.c, smtp/smtp_sasl_glue.c.

20050513

	Workaround: Postfix now uses "localdomain" as the default
	domain name when $myhostname is not in "host.domain" form.
	Files: global/mail_params.[hc].

---------

20050415-20050615

	As of 20050525, DSN support does not involve new queue file
	record types, so you can switch back to older Postfix
	versions. Older non-production releases did introduce queue
	file incompatibility.

	DSN support is selected via the SMTP port by extra parameters
	to the MAIL FROM and RCPT TO commands, and with the Postfix
	sendmail command with new command-line options: -N (specify
	notification options such as "never", "success", "delay"
	or "failure") and -V (specify an envelope ID that identifies
	the mail submission transaction).  VERP support now uses
	-XV instead of -V.

	The implementation piggy-backs on the trace(8) service that
	was already used for "sendmail -v" (verbose delivery) and
	for "sendmail -bv" (what-if) reports. You can no longer
	requests these functions together with DSN support.

	All this means revision of bounce/defer/trace client
	interfaces, of the bounce service, the record reading loops
	in postdrop, cleanup(8) and qmgr(8), the queue manager to
	delivery agent protocol, and some extra SMTP protocol
	parameters in smtpd(8), lmtp(8) and smtp(8).

	New code module: global/dsn_smtp.[hc] for RFC 3461 related
	information (but this may still change).

	Feature: "sendmail -G" is no longer a no-op.  Message headers
	are treated as if the message has a remote origin. Files:
	sendmail/sendmail.c, postdrop/postdrop.c.

	Feature: automatic BCC senders are now created as if they
	were received with NOTIFY=NEVER, in case it helps. File:
	cleanup/cleanup_addr.c

	Compatibility: with large bounces, send message headers
	only, instead of truncating MIME messages in the middle.

20050517

	Bugfix: in a DSN report, the original recipient should not
	be xtext encoded. File: bounce/bounce_notify_util.c.

20050523

	Bugfix: mymalloc() panic with mistyped server host list.
	File: global/dict_pgsql.c.

20050525

	Feature: specify delay_warning_time=1 to get immediate
	notification of delay. File: qmgr/qmgr_active.c.

20050526

	Reset the Postfix original recipient when delivering to
	mailing list.

20050601

	Modified the master backgrounding procedure to not abort
	when the master is already a process group leader. This
	happens when people bypass or modify the official Postfix
	start-up procedure.  Jacek Konieczny. File: master/master.c.

20050602

	Sanity check: don't report "address in use" when some Postfix
	socket is a directory. File: util/unix_listen.c.

20050613

	Now that the over-all structure of the code is proving
	itself, interfaces can be cleaned up. This means nicer names
	for variables, functions and data structures, and dedicated
	read/write routines for recipient and DSN information.
	These remove a lot of clutter from the bounce client and
	server code.  Files: dsn_print.c dsb_scan.c, rcpt_print.c,
	rcpt_buf.c.

	For Sendmail compatibility, the Postfix sendmail -V option
	no longer controls VERP usage, but is used to specify the
	DSN envelope ID.  In order to provide a smooth transition,
	backwards compatibility code recognizes when -V is being
	used for VERP control.  It will do the right thing, and
	warns the user to use -XV instead. File: sendmail/sendmail.c.

20050614

	The cleanup server writes bounce (delivery failure) and
	trace (success) records, but it no longer requests sender
	notification.  That is now handled by the queue manager.
	The reason is that the cleanup server must be able to abort
	a request including its bounce and trace logfiles, so it
	must not take actions that can't be undone.

20050615

	Cleanup: the SMTP client now sends QUIT when the initial
	HELO handshake fails. it still doesn't send QUIT when the
	server greets with a [45]XX code, as that is handled in the
	connection management code before a session context exists.
	File: smtp/smtp_connect.c.

	Cleanup: made the quote_821_local() routine "const" clean.
	File: global/quote_821_local.[hc].

20050616

	Bugfix: missing or mis-placed va_end() macros, found in
	Postfix 2.3 code review. Files: util/netstring.c,
	util/myaddrinfo.c, util/attr_clnt.c, util/vstream.c.

	Bugfix: the SMTP server now separates the message size check
	from the queue space check, so that the size check can be
	done before an SMTPD proxy filter. Files: smtpd/smtpd.c,
	smtpd/smtpd_check.c.

20050617

	Postdrop didn't recognize the new recipient attributes.
	File: postdrop/postdrop.c.

	Feature: configurable MAILER-DAEMON replacement for the
	null sender address that is used by the pipe(8) delivery
	agent on the command line and in message headers. Command-line
	address quoting is disabled when the replacement is empty.
	File: pipe/pipe.c.

20050618

	With virtual aliasing enabled, Postfix would always report
	successful alias expansion, even when no alias was expanded.
	File: cleanup/cleanup_out_recipient.c.

20050621

	Portability: file descriptor passing is available for Tru64
	UNIX, but not for AIX4 and IRIX6.  Albert Chin. File:
	util/sys_defs.h.

20050622

	Cleanup: the DNS lookup code now accommodates name server
	replies longer than 4 kbytes, with a hard upper limit of
	32kbytes. For safety reasons, the number of MX host addresses
	that the SMTP client will try was reduced from unlimited
	to just 5, so that Postfix won't spend forever trying to
	connect to dozens and dozens of bogus MX hosts. Files:
	dns/dns_lookup.c, global/mail_params.h.

	Cleanup: the code that handles a 4xx or 5xx SMTP server
	greeting was moved from the connection management module
	to the protocol engine, for cleaner error handling.  This
	means that the failed session now counts towards the limit
	on the total number of SMTP sessions per domain name (default:
	smtp_mx_session_limit = 2).  Files: smtp/smtp_connect.c,
	smtp/smtp_proto.c.

20050623

	Cleanup: generalized the delegated attribute scan/print
	interfaces, and updated the deliver_pass module with delegated
	attribute scan/print support. Files: util/attr_scan0.c,
	util/attr_print0.c, global/dsb_scan.c, global/dsn_print.c,
	global/rcpt_buf,c global/rcpt_print.c, global/deliver_pass.c.

	Added delegated attribute scan/print function support to
	the base64 and plain attribute I/O encodings. Files:
	util/attr_scan_plain.c util/attr_print_plain.c.

20050624

	Added "." to the list commands that smtp-sink can "break"
	(by disconnecting, or by responding with a 4XX or 5XX reply
	code). File: smtpstone/smtp-sink.c.

20050625

	Safety: allow only 4.x.x and 5.x.x enhanced status codes
	in header/body_checks REJECT actions. File:
	cleanup/cleanup_message.c.

20050627

	Code cleanup: generalized the smtp-sink code that simulates
	server errors. File: smtpstone/smtp-sink.c.

20050629

	Code cleanup: the smtp_mx_session_limit setting (per delivery
	request session count limit) now ignores sessions that fail
	to complete the TCP, SMTP, EHLO or TLS handshake (was: TCP
	and SMTP).  File: smtp/smtp_proto.c.

20050630

	Updated the example spf.pl script to version 1.06.

	Portability: the file descriptor passing code broke on LP64
	systems (inherited from Stevens Network Programming).  Files:
	util/unix_send_fd.c, util/unix_recv_fd.c.

20050706

	Robustness: the SMTP client now disables connection caching
	when it is unable to communicate with the scache(8) server,
	instead of looping forever. File: global/scache_clnt.c.

	Portability: after sending a socket, the scache(8) server
	now waits for an ACK from the connection cache client before
	closing the socket that it just sent. Files: scache/scache.c,
	global/scache_clnt.c.

20050708

	Bugfix: missing returns in 20050706 caching disabling code
	(in error handling code that never executes).  File:
	global/scache_clnt.c.

	Portability: use explicitly unsigned operands when doing
	bit-wise shift operations on data larger than a character.

20050709-15

	Migration of data object sizes and offsets from int->ssize_t
	and unsigned->size_t for better portability to LP64 and
	LLP64 systems where *size_t is 64 bits wide.   This change
	has no effect on 32-bit systems.

	This change not only eliminated some obscure portability
	bugs (see two paragraphs down), it also eliminated many
	unnecessary conversions back and forth between 32-bit and
	64-bit integers, because all relevant system library functions
	take *size_t arguments or return *size_t results.

	Simply changing every data object size or offset to size_t
	(which is unsigned!) would be dangerous.  A lot of code was
	written assuming signed arithmetic and rejects negative
	lengths, which can happen as the result of integer overflow.

	Portability: on LP64 systems, integer expressions are int,
	but sizeof() and pointer difference expressions are larger.
	The above changes fixed a few discrepancies with function
	calls where *size_t was passed while the old code expected
	an int: clean_env() versus argv_addn(), and code that sent
	binary blobs via the TLS session cache manager protocol.

20050711

	Bugfix: don't include <> when auto-generating an ORCPT
	address from a client RCPT TO command. File: smtpd.c.

20050712

	Cleanup: cleanup_out_recipient() still generated DSN records
	that were incompatible with pre-DSN Postfix versions.  File:
	cleanup/cleanup_out_recipient.c.

20050716

	Bugfix: the smtpd_sasl_authenticated_header code did not
	check if SASL was actually enabled. File: smtpd/smtpd.c.

20050720

	Feature: reverse client hostname. This is set at connection
	time with information from the SMTP client address->name
	mapping, and can be overruled with the REVERSE_NAME attribute
	in the XCLIENT command. File: smtpd/smtpd_peer.c.

	Cleanup: renaming of several confusing restriction names:
	reject_unknown_client -> reject_unknown_client_hostname,
	reject_unknown_hostname -> reject_unknown_helo_hostname,
	reject_invalid_hostname -> reject_invalid_helo_hostname,
	and reject_non_fqdn_hostname -> reject_non_fqdn_helo_hostname.
	The old names are still recognized and documented.  Files:
	global/mail_params.h, smtpd/smtpd.c, smtpd/smtpd_check.c.

	Feature: reject_unknown_reverse_client_hostname. This rejects
	clients that have no address to name mapping (unlike the
	reject_unknown_client_hostname feature which requires that
	the address->name and name->address mappings resolve to the
	client IP address).  Files: global/mail_params.h,
	smtpd/smtpd_peer.c, smtpd/smtpd.c, smtpd/smtpd_check.c.

20050726

	Horror: total rewrite of DNS client error handling because
	some misguided proposal attempts to give special meaning
	to some syntactically invalid MX hostname lookup result.
	Not only that, people expect sensible results with
	reject_unknown_sender_domain etc.  Files: dns/dns_lookup.c,
	smtp/smtp_addr.c smtpd/smtpd_check.c, lmtp/lmtp_addr.c.

	Cleanup: HOLD action executes only once, to reduce noise
	in the logfile. Files: cleanup/cleanup_message.c, smtpd/smtpd.c.

20050806

	Workaround: accept(2) fails with EPROTO when the client
	already disconnected (SunOS 5.5.1). File: sane_accept.c.

20050815

	Workaround: old Solaris compilers can't link an archive
	without globally visible symbols. File: tls/tls_misc.c.

20050825

	Feature: message_reject_characters and message_strip_characters
	specify what characters in message content Postfix will
	reject or remove. Based on patch by John Fawcett. Files:
	cleanup/cleanup_message.c, cleanup/cleanup_init.c.

	Safety: when the cleanup server rejects the content of mail
	that is submitted with the Postfix sendmail command, or
	re-queued with "postsuper -r", strip the message body from
	the bounce message to reduce the risks from harmful content.
	Files: cleanup/cleanup_envelope.c, cleanup/cleanup_bounce.c.

	Feature: the smtpd_proxy_filter parameter value can now be
	prefixed with "unix:" (for UNIX-domain socket) and "inet:"
	(for TCP socket). TCP sockets are the default.  Patch by
	Edwin Kremer. File: smtpd/smtpd_proxy.c.

20050828

	Bugfix: after adding DSN support, error notification was
	broken for too large mail that was submitted with the Postfix
	sendmail command, forwarded by the local(8) delivery agent,
	or re-queued with "postsuper -r". The message would be saved
	to the "corrupt" queue.

	The mistake was to leave the truncated message in the
	incoming queue and to ask the queue manager to notify the
	sender; this was not possible because the queue manager
	cannot (and should not) handle truncated queue files.

	The fix is to have the cleanup server send the bounce
	message, just like it did before DSN support was added.  As
	a side effect, Postfix will no longer send DSN_SUCCESS
	notices after virtual aliasing, when the cleanup server
	bounces all the recipients of the message anyway.  This
	could be called a feature.  File: cleanup/cleanup_bounce.c.

	Also needed for this fix: a new vstream_fpurge() routine
	that discards unread/written data from a VSTREAM.  It's
	needed before cleanup_bounce() can seek to the start of the
	queue file after a file size error. File: util/vstream.c.

20050920

	Cleanup: removed the legacy "tls_info" structure, factored
	out common code for peer_CN and issuer_CN lookup, and added
	sanity check to not verify subject common names that contain
	nulls or that are excessively long. Patch by Victor Duchovni.
	Files: tls_client.c, tls_server.c, tls_session.c, tls_misc.c,
	tls_verify.c.

20050922

	Bugfix: the *SQL clients did not uniformly choose the
	database host from the available pool of servers due to an
	off-by-one error, so that the "last" available server was
	not selected. Leandro Santi. Files: dict_mysql.c, dict_pgsql.c.

	Update: common code factored out into db_common.c, and
	adoption of Liviu Daia's connection aware MySQL quoting.
	Patch by Victor Duchovni.  Files: dict_ldap.c, dict_mysql.c,
	dict_pgsql.c, db_common.c.

20050923

	Safety: don't update the local(8) delivery agent's idea of
	the Delivered-To: address while expanding aliases or .forward
	files. When an alias or .forward file changes the Delivered-To:
	address, it ties up one queue file and one cleanup process
	instance while mail is being forwarded.  To get the old
	behavior, specify "frozen_delivered_to = no".  Problem
	reported by Michael Tokarev, but found independently by
	others.  Files: local/local.c, local/aliases.c, local/dotforward.c,
	local/mailbox.c, local/maildir.c.

	Logging: additional SASL debug logging by Andreas Winkelmann.
	Files: */*sasl_glue.c.

20050929

	Paranoia: don't ignore garbage in SMTP or LMTP server replies
	when ESMTP command pipelining is turned on. For example,
	after sending ".<CR><LF>QUIT<CR><LF>", Postfix could recognize
	the server's 2XX QUIT reply as a 2XX END-OF-DATA reply after
	garbage, causing mail to be lost. The SMTP and LMTP clients
	now report a remote protocol error and defer delivery.
	Files: smtp/smtp_chat.c, smtp/smtp_trouble.c, lmtp/lmtp_chat.c,
	lmtp/lmtp_trouble.c.

	Performance: specify "smtpd_peername_lookup = no" to disable
	client hostname lookups in the SMTP server. All clients are
	treated as "unknown". This should be used only under extreme
	conditions where DNS lookup latencies are critical. File:
	smtpd/smtpd_peer.c.

20051010

	Feature: smtpd_client_new_tls_session_rate_limit parameter
	to limit the number of new (i.e. uncached) TLS sessions
	that a remote SMTP client may negotiate per unit time. This
	feature, which is off by default, can limit the CPU load
	due to expensive crypto operations.  Files: global/anvil_clnt.c,
	anvil/anvil.c, smtpd/smtpd.c.

	Cleanup: eliminated massive code duplication in the anvil
	server that resulted from adding similar features one at a
	time.  File: anvil/anvil.c.

20051011

	Bugfix: raise the "policy violation" flag when a client
	request exceeds a concurrency or rate limit.  File:
	smtpd/smtpd.c.

	Bugfix (cut-and-paste error): don't reply with 421 (too
	many MAIL FROM or RCPT TO commands) when we aren't closing
	the connection.  File: smtpd/smtpd.c.

20051012

	Polishing: content of comments and sequence of code blocks
	in the anvil server, TLS request rate error message in the
	smtp server, and documentation, but no changes in code.
	Files: anvil/anvil.c, smtpd/smtpd.c.

20051013

	Horror: some systems have basename() and dirname() and some
	don't; some implementations modify their input and some
	don't; and some implementations use a private buffer that
	is overwritten upon the next call. Postfix will use its own
	safer versions called sane_basename() and sane_dirname().
	These never modify the input, and allow the caller to control
	how memory is allocated for the result.  File:
	util/sane_basename.c.

	Feature: "sendmail -C path-to-main.cf" and "sendmail -C
	config_directory" now do what one would expect. File:
	sendmail/sendmail.c.

	Bugfix: don't do smtpd_end_of_data_restrictions after the
	transaction failed due to, e.g., a write error.  File:
	smtpd/smtpd.c.

	Cleanup: the SMTP server now enforces the message_size_limit
	even when the client did not send SIZE information with the
	MAIL FROM command.  This protects before-queue content
	filters against over-size messages.  File: smtpd/smtpd.c.

20051017

	Bugfix: after DSN support was added, smtp_skip_5xx_greeting
	no longer recognized a 5xx SMTP status as a 4xx one. Found
	by Ralf Hildebrandt. Fix: use the enhanced status code
	instead of the SMTP reply code to choose between permanent
	or transient errors. File: smtp/smtp_trouble.c.

	Feature: smtp-sink can hard-reject, soft-reject or simply
	drop connection requests.  File: smtpstone/smtp-sink.c.

	Documentation: clarified the processing of server replies,
	specifically the reply code and the enhanced status code,
	in smtp_chat.c.

20051024

	Performance: new smtp_connection_reuse_time_limit parameter to
	limit connection reuse by elapsed time, instead of limiting
	the number of deliveries per connection.  Bounding by time
	favors delivery over connections that perform well, while
	bounding by number of deliveries allows slow connections
	to drag down the performance.  Insight and initial
	implementation by Victor Duchovni, Morgan Stanley. Files:
	smtp_connect.c, smtp_session.c,

	Bugfix: the next-hop logical destination information for
	connection caching was reset only after a good non-TLS
	connection, so that cached connections to non-TLS backup
	servers could suck away traffic from TLS primary servers
	(the Postfix SMTP client cannot cache an open TLS connection).
	Found during code review. This is fixed with multi-valued
	connection caching state: expired, cachable, non-cachable,
	and bad.  Files: smtp_connect.c, smtp_trouble.c.

	Bugfix: adding support for "sendmail -C" broke "sendmail
	-q".  File: sendmail/sendmail.c.

20051101

	Migration from a single "arrival time" stamp to a structure
	with time stamps from different stages of message delivery.
	The first iteration merely replaces "arrival time" stamps
	by a structure or pointer to structure, and uses only the
	arrival time field of that structure.  This is an extensive
	but straightforward transformation, based on example by
	Victor Duchovni, Morgan Stanley.  Files: anything that
	invokes bounce_append etc., the log_adhoc module, and
	anything that sends or receives a delivery request.

20051102

	Completion of support for time stamps from different stages
	of message delivery. The information is now logged as
	"delays=a/b/c/d" where a=time before queue manager, including
	message transmission; b=time in queue manager; c=connection
	setup including DNS, HELO and TLS; d=message transmission
	time. Unlike Victor's example which used time differences,
	this implementation uses absolute times. The decision of
	what numbers to subtract actually depends on program history,
	so we want to do it in one place.  Files: global/log_adhoc.c,
	smtp/smtp_connect.c, smtp/smtp_proto.c, smtp/smtp_trouble.c,
	lmtp/lmtp_proto.c, lmtp/lmtp_trouble.c.

20051103

	Refinement of time stamping and delays formatting.  The
	hand-off time is now stamped in the delivery agent, so that
	time is properly attributed when a transport is saturated
	or throttled.  Delays are now logged if larger than 0.01
	second. Files: *qmgr/qmgr_deliver.c, global/deliver_request.c,
	global/log_adhoc.c.

20051104

	New parameter delay_logging_time_resolution (default: 10000
	microseconds, or 0.01 second) that controls the detail in
	the new "delays=a/b/c/d" logging. Specify a power of 10
	in the range from 1 to 100000. File: global/log_adhoc.c.
	Parameter renamed 20051108.

20051105

	All delay logging now has sub-second resolution. This means
	updating all code that reads or updates the records that
	specify when mail arrived, and ensuring that mail submitted
	with older Postfix versions produces sensible results.
	Files: global/post_mail.c, global/mail_timeofday.[hc],
	global/log_adhoc.c, postdrop/postdrop.c, pickup/pickup.c,
	cleanup/cleanup_envelope.c, cleanup/cleanup_message.c,
	smtpd/smtpd.c, qmqpd/qmqpd.c, *qmgr/qmgr_message.c,
	*qmgr/qmgr_active.c, local/forward.c.

20051106

	The SMTP client logs the remote server port in the form of
	relay=hostname[hostaddr]:port to the local maillog file.
	The port number is NOT included in DSN status reports,
	because remote users have no need to know such internal
	information.  Files: smtp/smtp_session.c, smtp/smtp_proto.c,
	smtp/smtp_trouble.c.

	Cleanup: encapsulated queue file time read/write operations
	with a few simple macros, to make future changes in time
	representation less painful.

20051108

	Cleanup: eliminated floating point operations from the
	ad-hoc delay logging code. Files: util/format_tv.[hc],
	global/log_adhoc.c.

	The delay logging resolution is now controlled with the
	delay_logging_resolution_limit parameter, which specifies
	the maximal number of digits after the decimal point.

	Bugfix: two messages could get the same message ID due to
	a race condition. This time window was increased when queue
	file creation was postponed from MAIL FROM until the first
	accepted RCPT TO.  The window is closed again. Found by
	Victor. Files: global/mail_stream.c, global/mail_queue.c,
	cleanup/cleanup_message.c.

20051109

	qshape.pl updated for extra microsecond time field in Postfix
	queue files.

	Cleanup: removed obsolete code that handles rejected/dropped
	connections before the HELO handshake. File: smtp/smtp_connect.c.

	Bugfix: XCLIENT broke when reverse hostname support was added.
	Fix by Tomoyuki Sakurai. File: smtpd/smtpd.c.

20051110

	Workaround: don't set the delay warning timer for messages
	from inside or from outside that have the null sender as
	recipient. This was a waste of time, because the warning
	would always be discarded.  File: cleanup/cleanup_envelope.c.

	Feature: the built-in mail delivery status notification
	text is now implemented by built-in templates. Files:
	bounce/bounce_template.c, bounce/bounce_notify_util.c.

20051112

	Feature: configurable bounce message templates based on
	contribution by Nicolas Riendeau. I kept the general format
	of his templates, but placed them together in one file to
	reduce process initialization overhead (most requests to
	the bounce daemon are not for sending bounce messages).
	Files: bounce/bounce_template.c, bounce/dict_ml.c (to be
	moved to library if useful enough). A sample bounce message
	template file is installed as $config_directory/bounce.cf.default.

20051113

	Feature: "postconf -b filename" to preview the non-default
	bounce message templates with $name expansions in the text.
	The actual work is of course done by the bounce daemon.

20051114

	Feature: -V option to make Postfix daemons to log to stderr.
	This is used when a daemon is invoked in stand-alone mode
	by a (non-daemon) command.

	Feature: "postconf -t" displays DSN templates, headers and
	all; use postconf -t ''" to view built-ins.

	Cleanup: renamed fail_template into failure_template.

20051117

	Cleanup: bounce template code reorg, no functionality change.
	Files: bounce/bounce_template.[hc], bounce/bounce_templates.c,
	bounce/bounce_notify_util.c.

20051118

	Bugfix: new bounce template code did not return after
	template syntax error. File: bounce/bounce_template.c

	Safety: permit_mx_backup now requires that the local MTA
	is not listed as primary MX for the recipient domain. This
	prevents mail loops when someone points the primary MX
	record to Postfix.

20051119

	Workaround: some SMTP servers announce multiple but different
	lists of SASL methods. Postfix now concatenates the lists
	instead of logging a warning and remembering only one. File:
	smtp/smtp_sasl_proto.c.

	Bugfix: the queue manager did not write a per-recipient
	defer logfile record when the delivery agent crashed between
	receiving a delivery request, and reporting the delivery
	status to the queue manager.  Found while redesigning the
	code that handles unavailable transports or destinations.
	Files: *qmgr/qmgr_deliver.c.

20051121

	Workaround: do not build the bounce.cf.default template
	while compiling Postfix  - it breaks when the default
	mail_owner etc. accounts don't exist.  Reported by Liviu
	Daia.

	Compatibility: added permit_auth_destination emulation to
	the permit_mx_backup feature. This avoids surprises with
	sites that used permit_mx_backup to authorize all their
	incoming mail.

20051122-24

	Feature: sender_dependent_relayhost_maps, lookup tables that specify
	a sender-dependent override for the relayhost parameter
	setting.  The lookup is done in the trivial-rewrite server,
	instead of the queue manager where it does not belong.
	Files: global/resolve_clnt.c, global/tok822_resolve.c,
	trivial-rewrite/resolve.c, trivial-rewrite/transport.c,
	*qmgr/qmgr_message.c.

	Also: address_verify_sender_dependent_relayhost_maps for
	completeness.

20051124

	Feature: specify "smtp_sender_dependent_authentication =
	yes" to enable sender-dependent SASL passwords. This disables
	SMTP connection caching to ensure that mail from different
	senders is delivered with the appropriate credentials. This
	is an extended version of a patch by Mathias Hasselmann.
	Files: smtp/smtp_connect.c, smtp/smtp_sasl_glue.c.

20051126

	Workaround: log warning when REDIRECT or FILTER are used
	in smtpd_end_of_data_restrictions. File: smtpd/smtpd_check.c.

	Log warning when REDIRECT, FILTER, HOLD and DISCARD are
	used in smtpd_etrn_restrictions. File: smtpd/smtpd_check.c.

20051128

	Bugfix: moved code around from one place to another to make
	REDIRECT, FILTER, HOLD and DISCARD access(5) table actions
	work in smtpd_end_of_data_restrictions.  PREPEND will not
	be fixed; it must be specified before the message content
	is received.  Files: smtpd/smtpd.c, smtpd/smtpd_check.c,
	cleanup/cleanup_extracted.c, pickup/pickup.c.

	Safety: abort if the SMTP or QMQP server runs with non-postfix
	privileges while it's connected to the network.  Files:
	smtpd/smtpd_peer.c, qmqpd/qmqpd_peer.c.

20051201

	Bugfix: the LMTP client would reuse a session after negative
	reply to the RSET command (which may happen when client and
	server somehow get out of sync). Problem found by Christian
	Theune.  Files: lmtp/lmtp.c, lmtp/lmtp_proto.c.

20051202

	Bugfix: the 20051128 code move for "smtpd_end_of_data_restrictions"
	broke "postsuper -r".

20051202-3

	Cleanup: the SMTP client now also implements the LMTP
	protocol.  Files: smtp/smtp.c, smtp/smtp_connect.c,
	smtp/smtp_proto.c, smtp/smtp_dsn.c, smtp_state.c,
	smtp_sasl_glue.c.

	As before, the LMTP behavior is controlled with parameters
	named lmtp_xxx instead of smtp_xxx.  However there are now
	a lot more lmtp_xxx parameters :-) With few exceptions, all
	SMTP features are now also available with LMTP. The exceptions
	are related to the HELO and EHLO commands, which exist in
	SMTP only. There are equivalent LHLO command parameters
	where it makes sense.

20051206

	SMTP+LMTP client connection management code rewritten to
	support UNIX-domain socket connections.

20051207

	Bugfix: race condition in the connection caching protocol,
	found while adding connection caching for UNIX-domain sockets
	(used for LMTP delivery).  This was introduced with the
	20050706 workaround, and may the same problem that Jussi
	Silvennoinen experienced (in Postfix 2.2.6) with SMTP after
	an upgrade.  Files: scache/scache.c.

	Bugfix: smtp-sink and qmqp-sink didn't ignore SIGPIPE.

20051208

	Robustness: reduced timeouts in the connection caching
	client, so that a malfunctioning service does not prevent
	mail delivery. This uses similar code that already exists
	for the anvil(8) client and the tlsmgr(8) client. Files:
	global/scache_clnt.c, smtp/smtp.c.

	To make reduced connection caching client timeouts possible,
	connection management was moved from the attr_clnt(3) module
	to the auto_clnt(3) module where it belongs. The auto_clnt(3)
	module is now a full alternative for the clnt_stream(3)
	module. Files: util/auto_clnt.c, util/attr_clnt.c.

	Bugfix: the best_mx_transport, mailbox_transport and
	fallback_transport features did not write a per-recipient
	defer logfile record when the target delivery agent was
	broken.  This the analog of queue manager bugfix 20051119.
	Files: global/deliver_pass.c.

20051210

	Cleanup: simplified the SMTP/LMTP connection management
	logic for address list and fallback relay processing.
	Still need to simplify deferred recipient handling.

20051212

	Bugfix: after a failed TLS session, the 20051210 SMTP client
	code cleanup broke sessions with backup servers, causing the
	client to get out of step with the backup server.  This in
	turn exposed a one-year old missing exception handling
	context in the EHLO handstake after sending STARTTLS. Victim
	was Ralf Hildebrandt, detectives Victor Duchovni and Wietse.
	File: smtp/smtp_proto.c.

20051213

	Bugfix: *SQL, proxy and LDAP map types were not defined in
	user-land commands such as postqueue. Leandro Santi. File:
	postqueue/postqueue.c.

20051212-14

	Server-side plug-in interface for SASL authentication. This
	uses Cyrus SASL by default, so nothing has changed except
	error messages may be more informative.  Files:
	smtpd/smtpd_sasl_proto.c smtpd/smtpd_sasl_glue.c,
	xsasl/xsasl_server.[hc], xsasl/cyrus_server.[hc]
	xsasl/cyrus_strerror.c, xsasl/cyrus_log.c, xsasl/cyrus_security.c.

20051215

	Portability: IRIX 6.5.28 defines sa_len as a macro, so it
	can't be used as a variable identifier. Zach McDanel. Files:
	dns/dns_rr_to_sa.c, smtpd/smtpd_peer.c, qmqpd/qmqpd_peer.c.

20051216

	Cleanup: removed some scar tissue that was introduced with
	server-side SASL plug-in support. Files: smtpd_sasl_proto.c,
	smtpd_sasl_glue.c.

	Client-side plug-in interface for SASL authentication. This
	uses Cyrus SASL by default, so nothing has changed except
	error messages may be more informative.  Files: smtp_sasl_glue.c,
	xsasl/xsasl_client.[hc], xsasl/cyrus_client.[hc].

20051217

	Bugfix: when a SASL client password is required by a specific
	server, defer delivery when no server-announced mechanism
	survives the smtp_sasl_mechanism_filter, instead of ignoring
	the SASL announcement and trying to deliver the mail over
	an unauthenticated connection and risking that mail will
	be rejected.  File: smtp/smtp_sasl_proto.c, smtp/smtp_proto.c.

	Portability: zero the "struct msg" just in case. Both purify
	(Linux) and valgrind (FreeBSD) complain about uninitialized
	bits.  Files: util/unix_{send,recv}_fd.c.

20051219

	Cleanup: generic smtpd_sasl_path, smtp_sasl_path and
	lmtp_sasl_path configuration parameters; simplified the
	SASL plug-in API, and made initial provisions for SASL
	session encryption. Files: xsasl/*.[hc].

	Feature: "postconf -a" lists the available SASL server
	plug-in types, and "postconf -A" does the same for the
	client.  Files: postconf.c, xsasl_{client,server}.c.

	Feature: new SMTPD policy attributes "encryption_protocol",
	"encryption_cipher" and "encryption_keysize", to distinguish
	plaintext from encrypted connections.

20051221

	Privacy: the new Cyrus SASL server plug-in replaces "no
	user" errors by "authentication failed" errors.  File:
	xsasl/xsasl_cyrus_server.c.

	Safety: the Postfix SMTP client no longer uses CNAME expanded
	hostnames for logging, SASL password lookup, TLS policy
	decisions, or TLS certificate verification.  Instead it
	uses the name of the recipient domain, or the host or domain
	name specified in Postfix configuration files. Of course
	this won't prevent cheating with hostnames that appear in
	MX lookup results. To avoid that you will have to suppress
	MX lookups with explicit [hostname] entries in transport
	maps. Files: dns/dns_lookup.c, dns/dns_rr.c.

20051222

	Feature: Dovecot SASL authentication (server side) plug-in
	by Timo Sirainen. This builds without external library
	dependencies and is therefore compiled in by default.
	Files: xsasl/xsasl_dovecot_server.[hc].

	Safety: set the default LANG=C, instead of deleting LANG
	from the environment and assuming the right thing will
	happen. File: global/mail_params.h.

	Safety: always add the ISASCII() requirement to the ISXXX()
	macros, because they are used for protocol and policy
	enforcement.  File: util/sys_defs.h.

	Bugfix: null pointer in the 20051219 policy delegation
	crypto attributes.  File: smtpd/smtpd_check.c.

	Compatibility: "resolve_numeric_domain = yes" will accept
	addresses with numeric domains instead of rejecting them as
	invalid. Files: trivial-rewrite/resolve.c, util/vstring.c.

	Bugfix: 20051219 "postconf -A" produced "postconf -a" output.
	Andreas Winkelmann.

20051225

	Bugfix: the regexp map cleverly avoided scanning constant
	lookup results for non-existent $number expressions, but
	failed to subject those results to the necessary $$ -> $
	replacement. Files: util/dict_regexp.c.

	Performance: the pcre map did not optimize constant lookup
	results; they were always scanned for non-existent $number
	expressions.  File: util/dict_pcre.c.

	This round of edits eliminates architectural differences
	between the pcre and regexp table implementations.  The
	remaining difference is that regexp tables still support
	the obsolete "/pattern1/!/pattern2/ action" syntax, for
	backwards compatibility with Postfix 2.0 and earlier.

20051227

	Bugfix: the 20051222 ISASCII paranoia broke the strcasecmp()
	workaround for Solaris. File: util/strcasecmp.c.

	Bitrot: SunOS4 pre-dates size_t, ssize_t, getsid().  File:
	src/util/sys_defs.h. The SunOS4 tests had been suspended
	due to what turned out to be a broken AUI-to-UTP transceiver.

	Bugfix: the 20061226 cosmetic change broke non-IPV6 support
	(example: sockaddr_to_hostaddr: Unknown error: success).
	File: util/myaddrinfo.c.

20051229

	The following workaround was removed 20060103.

	Workaround: when mail is still queued after 3000 seconds,
	the SMTP client no longer pipelines the DOT+QUIT commands.
	The 20050929 paranoia about malformed server replies
	eliminated a rare occurrence of "lost mail" with sites that
	mis-implement DOT+QUIT pipelining, but resulted in a larger
	occurrence of repeated deliveries to sites with a different
	DOT+QUIT pipelining bug. The time threshold is set with the
	smtp_dot_quit_workaround_threshold_time parameter.  Files:
	smtp/smtp_proto.c, smtp/smtp.c.

	Feature: mailbox_transport_maps and fallback_transport_maps
	to search delivery transports by recipient name. Files:
	local/mailbox.c, local/unknown.c.

	Feature: the master daemon now logs a warning when all
	servers are busy that may accept remote connections, and
	suggests to either increase the process count or to reduce
	the service time per client.  Files: master/master_ent.c,
	master/master_avail.c.

20051231

	Bugfix: the anvil server would terminate after "max_idle"
	seconds, even when this was less than the anvil_rate_time_unit
	interval. File: anvil/anvil.c.

20060102

	Deleted the 20051229 dot-quit bug workaround.  Automatically
	deferring delivery created "no delivery" and "repeated
	delivery" problems; and automatically turning off pipelining
	for delayed mail was a bad workaround for a bad workaround.
	The administrator still has the option to turn off pipelining
	by hand if loss of mail is a concern.

20060103

	Bugfix: the 20051217 fix (when a SASL client password is
	found, defer delivery when no server-announced mechanism
	survives the smtp_sasl_mechanism_filter) did the mechanism
	test too early, so that it could trip up with deliveries
	to servers that we don't have a SASL password for.  Files:
	smtp/smtp_sasl_proto.c, smtp/smtp_proto.c.

20060104

	Safety: new "smtp_cname_overrides_servername" parameter.
	The default value ("no") is NOT backwards compatible. This
	avoids surprises with the hostname that is used for logging,
	SASL password lookup, TLS policy decisions, or TLS certificate
	verification.  The change makes the 20051221 behavior more
	configurable.  Files: smtp/smtp_addr.c, smtp/smtp_connect.c,
	proto/postconf.proto.

20060105

	Cleanup: removed the unused DSN "code" attribute; removed
	surrogate SMTP replies for errors that were not reported
	by a remote SMTP server, making several DSN-related functions
	and macros redundant; cleaned up some bizarre code for DSN
	attribute memory management in the SMTP client.

20060106

	Cleanup: eliminated the global smtp_errno variable, which
	had become redundant after introducing DSN support. Files:
	smtp/smtp_addr.c, smtp/smtp_connect.c.

20060107

	Cleanup: removed more bizarre code for DSN attribute memory
	management in the queue manager, bounce server, and in
	delivery agents.

20060109

	Bugfix: smtp_sasl_tls_opts was unimplemented. File:
	smtp/smtp_sasl_proto.c.

	Cleanup: more bounce logfile code cleanup.  Files:
	global/bounce_log.c, bounce/bounce_notify_util.c,
	bounce/bounce.c, bounce/bounce_notify_verp.c,
	bounce/bounce_one_service.c, showq/showq.c

20060110

	Cleanup: more bounce logfile code cleanup.  Files:
	global/bounce_log.c, bounce/bounce_notify_util.c.

	Bugfix: the VERP bouncer never handled the case of a missing
	bounce logfile. Found while doing more logfile code cleanup.
	File: bounce/bounce_notify_verp.c.

	Feature: smtp_sasl_tls_verified_security_options for
	connections where the server certificate passed verification.
	The default value is $smtp_sasl_tls_security_options, which
	in turn defaults to $smtp_sasl_security_options.

20060111

	Optimization: mystrdup() and mystrndup() now return a pointer
	to a fixed read-only memory location instead of allocating
	memory for zero-length null-terminated strings.  This saves
	lots of memory for unused recipient attributes. If this
	change causes problems (for example, you have an ancient
	sscanf() implementation that writes to its input) then
	compile Postfix with -DNO_SHARED_EMPTY_STRINGS.

	Cleanup: eliminated null pointer members in DSN structures.
	Instead we now use the optimized mystrdup() for empty
	strings. For safety sake we keep the tests for null pointers
	in input, but we always produce empty strings on output.
	Files: global/dsn.c, global/dsn.h, global/dsn_buf.h,
	global/dsn_print.c.

	Cleanup: eliminated ad-hoc code for passing recipients in
	the queue manager delivery request protocol. Postfix now
	uses proper object activation/passivation instead. Files:
	*qmgr/qmgr_deliver.c, global/deliver_request.c,
	global/deliver_pass.c.

20060112

	Feature: to simplify debugging the bounce server logs the
	old and new queue ID when notifying the sender or postmaster.
	Files: global/post_mail.c, bounce/bounce_notify_service.c,
	bounce/bounce_one_service.c, bounce/bounce_notify_verp.c,
	bounce/bounce_warn_service.c, bounce/bounce_trace_service.c.

	Fudge: when translating recipient DSN codes into sender DSN
	codes, map sender address problems that have no DSN code
	to *.1.7 (Bad sender's mailbox address syntax) instead of
	*.1.0 (Other address status) because that loses the distinction
	between sender and recipient. File: smtpd/smtpd_dsn_fix.c.

20060113

	Cleanup: preserve upper case information of address localpart
	or extension when mapping one address to another with
	non-regexp/pcre tables.  Files: global/mail_addr_find.c,
	global/maps_find.c.

20060115

	Bugfix: don't ignore the per-site policy when SSL library
	initialization fails. Introduced after adopting the TLS
	patch. File: smtp/smtp_session.c.

20060117

	[withdrawn 20060126] Safety: daemon processes that need no
	privileges now insist that they are configured to run without
	privileges.  Files: master/single_server.c, master/multi_server.c,
	master/trigger_server.c.

	Cleanup: preserve upper case information of address localpart
	or extension when mapping addresses via regexp/pcre tables.
	This requires that Postfix does not case fold the search
	string when searching regexp or pcre tables, so that $number
	substitutions produce the expected result.

	In order to get a consistent handling of table operations,
	the search string case folding logic was moved from the
	application to the individual lookup table modules; the
	application specifies its case folding preference when it
	opens a table, and the table folds the search or update
	string as needed.

	Files: everything that opens a map or multiple maps (to
	specify the case folding preference), and everything that
	contained ad-hoc code to lowercase search strings (which
	is no longer needed).

	Bugfix: as a side effect of this revision of all code that
	opens tables, the postmap/postalias -n/-N options are no
	longer silently ignored when the -q (query) and -d (delete)
	options are specified.  Files: postmap/postmap.c,
	postalias/postalias.c.

	Safety: don't allow $number substitution in transport maps
	or sender-dependent relayhost maps.

	Cleanup: smtp_sasl_passwd_maps lookup keys are folded to
	lowercase before searching tables such as btree:, dbm: or
	hash: that have fixed-case fields. File: smtp/smtp_sasl_glue.c.

	Bugfix: per-sender relayhost maps were not locked for shared
	access.

20060119

	Cleanup: don't look up parent domain substrings in regexp/pcre
	like tables while searching a hostname in a domain/namaddr_list.
	File: util/match_ops.c.

20060120

	Cleanup: multiple boolean variables were replaced by a
	single TLS enforcement level (none, may, encrypt, verify).
	With Victor Duchovni. Files: smtp_session.c, smtp_proto.c,
	smtp.h.

	Cleanup: the SMTP per-site policy table was re-implemented
	in terms of enforcement levels instead of multiple boolean
	variables. This greatly simplified the code and led to the
	elimination of non-intuitive behavior as documented next.
	With Victor Duchovni. Files: smtp_session.c, smtp.h.

	Bugfix: a TLS per-site MUST_NOPEERMATCH policy could not
	override a main.cf MUST (with peer match) policy, while a
	per-site NONE policy could.

	Bugfix: a combined TLS per-site (host, next-hop) policy of
	(NONE, MAY) would change the strongest main.cf MUST policy
	into NONE, while it changed all weaker main.cf policies
	into MAY.  The result is now NONE for all main.cf policy
	settings.

20060123

	Feature: recipient_count attribute in SMTPD policy protocol.
	This is available only in the DATA and END-OF-MESSAGE stage.
	Based on code by Guo Black. Files: smtpd_check.c.

	Cleanup: renamed MUMBLE_NUM to MUMBLE_INT to make type
	discrepancies more explicit.

	Bugfix: change 20051208 broke when a connection could not
	be established. File: util/auto_clnt.c.

20060124

	Bugfix: the virtual(8) delivery agent did not insist on
	privileged operation as it should; this broke change 20060117.
	Ralf Hildebrandt.  File: virtual/virtual.c.

	Bugfix: the TLS sasl security options (change 20060110)
	should also be #ifdef USE_TLS, and not only #ifdef
	USE_SASL_AUTH.  Such feature interference is difficult to
	find in testing.  Liviu Daia. File: smtp/smtp_sasl_proto.c.

20060126

	Undo: change 20060117 (unprivileged operation test) broke
	"sendmail -bs", "postconf -b", "postconf -t", and probably
	more. Files: master/{single,multi,trigger}_server.c.

20060130

	Bugfix: an empty remote_header_rewrite_domain value caused
	trivial-rewrite to dereference a null pointer, but only in
	regression tests, not in production. Envelope addresses are
	by definition rewritten in the local domain context, because
	an address without domain is equivalent to an address in
	the local domain; and header addresses are rewritten in the
	remote context only when remote_header_rewrite_domain is
	non-empty.  File: trivial-rewrite/rewrite.c.

20060131

	Cleanup: regression tests are now separated into "make
	tests" for unprivileged tests, and "make root_tests" for
	tests that require privileges to connect to the Postfix
	internal sockets. Files Makefile.in, src/*/Makefile.in.

20060201

	Bugfix: despite efforts to treat malformed domain names as
	hard errors (change 20050726) they were still processed as
	soft errors. File: dns/dns_lookup.c.

20060203

	Bugfix: smtpd core dump when SASL was compiled in, turned
	off (smtpd_sasl_auth_enable = no) and permit_sasl_authenticated
	was specified in local_header_rewrite_clients. Victor
	Duchovni.  File: smtpd/smtpd_check.c.

	Cleanup: don't complain about useless SASL or TLS "permit"
	restrictions when SASL or TLS aren't compiled in, but do
	reject mail when reject_plaintext_session is specified while
	TLS isn't compiled in. File: smtpd/smtpd_check.c.

20060204

	Bugfix: disable the content_filter feature for user-requested
	"sendmail -bv" probes, just like it is disabled for probes
	generated by Postfix itself.  File: *qmgr/qmgr_message.c.

20060207

	Robustness: place the "do we have TLS" guards within method
	implementations, instead of putting them around method
	invocations.  File: smtpd/smtpd_check.c.

	Bugfix: duplicate the cleanup(8) DSN envelope ID syntax
	check in smtpd(8), so that clients get better error replies.
	File: smtpd/smtpd_check.c.

	Bugfix: change 20060203 broke the reject_plaintext_session
	feature.

	The trivial-rewrite and proxymap multi-server processes now
	terminate soon after all their clients disconnect, instead
	of waiting for another 100 seconds. This allows the processes
	to refresh more frequently on low-traffic systems.

	Cleanup: smtpd_delay_open_until_valid_rcpt (default: yes)
	controls whether Postfix delays the start of a mail transaction
	until after the first valid recipient, or if it starts a
	transaction immediately after MAIL FROM. File: smtpd/smtpd.c.

20060217

	Bugfix: don't terminate with a non-standard exit status
	when the pipe-to-command feature has a problem before it
	executes the command. File: global/pipe_command.c.

20060223

	Bugfix: detect integer overflow when multiplying time values
	with non-trivial time units. File: global/conv_time.c.

20060307

	Bugfix: reset the msg_cleanup() fatal error handler in child
	processes. See also change 20060217. Files: postlock/postlock.c,
	master/multi_server.c, global/mail_run.c, util/vstream_popen.c.

20060310

	Bugfix: the MIME processor assumed that input was null
	terminated. This broke with CRLF input to the "sendmail -t"
	command  in Postfix 2.1 and later (see change 20030416).
	Found by Leandro Santi.  Based on patch by Victor Duchovni.
	Files: global/mime_state.c, global/is_header.c.

20060313

	Cleanup: the message arrival time (start of the receive
	transaction) no longer controls message expiration or
	delivery attempts.  Instead, expiration and delivery are
	now controlled by the time when the cleanup server creates
	a queue file.  This closes a problem that was introduced
	with the 20051104 change that introduced higher-resolution
	delay time keeping: as a result, "postsuper -r" could no
	longer manipulate the mail expiration schedule, so that
	mail "on hold" could expire too soon.

20060315

	Workaround. the PCRE library reports an inappropriate error
	code (invalid substring) when $number refers to a valid ()
	expression that matches the null string. This caused fatal
	run-time errors.  File: dict_pcre.c.

20060324

	Cleanup: eliminated name collisions between global and local
	variables, and other forms of shadowing. Documented switch
	fall-throughs with /* FALLTHROUGH */ where this wasn't
	already done.  Replaced (var = expr) by (var = expr) != 0
	where this wasn't already done.

20060324

	Bugfix: mis-placed parenthesis in a before-filter error
	test. A filter timeout was mis-reported as lost connection.
	Found in code review.  File: smtpd/smtpd_proxy.c.

20060327

	Cleanup: the SQL and LDAP clients now log a warning when
	they skip an empty lookup result, so that humans don't have
	to wonder why Postfix doesn't find all the database entries.
	File: global/db_common.c.

	Moved SMTP/LMTP parameter initialization from global/mail_params.c
	to the combined smtp/lmtp delivery agent. Added missing
	lmtp parameters.

20060328

	Feature: configurable chroot directive for the pipe(8)
	delivery agent, by Przemyslaw Wegrzyn. Files:
	global/pipe_command.c, pipe/pipe.c.

	Bugfix: cut-and-paste error: lmtp_connection_cache_limit
	was left with the name of smtp_connection_cache_limit.
	Reported by Victor? File: src/global/mail_params.h.

20060329

	More extensible interface for TLS client/server library,
	now passes property structures that combine all the relevant
	parameters in one type-safe structure.

	TLS session cache activity logging now takes place at TLS
	log level 2 or greater.

20060403

	Cleanup: made fcntl/flock handling consistent with respect
	to EINTR (reported by Carlo Contavalli). However, Postfix
	is not meant to be signal safe.  Only the master daemon
	handles signals without terminating, and it uses only a
	small subset of Postfix library routines. File: util/myflock.c.

	Bugfix: the pipe-to-command error message was lost when the
	command could not be executed. File: global/pipe_command.c.

20060404

	Bugfix in sanity check: after reading a record from the
	address verification database, a sanity check did not reject
	a record with all-zero time stamp fields.  Such records are
	never written; the test is there just in case something is
	broken, so that Postfix will not blindly march on and create
	chaos. The sanity check tested pointer values, instead of
	dereferencing the pointers.  Found by Coverity.  File:
	verify/verify.c.

	Bugfix in sanity check: when the maildir delivery routine
	opens an output file it looks up the file attributes via
	the file handle it just got.  There is a sanity check that
	detects if the attribute lookup fails, an error that never
	happens. The code that handles the impossible error did not
	close the output file. This would cause a virtual or local
	delivery agent to waste up to 100 file descriptors.  But
	for that error to happen the system would have to be so
	sick that you would have more serious problems than a file
	descriptor leak.  Found by Coverity.  Files: local/maildir.c,
	virtual/maildir.c.

20060405

	Bugfix: the MIME parser assumed input is null terminated
	when reporting errors. Fix by Leandro Santi. Files:
	global/mime_state.c, cleanup/cleanup_message.c.

20060411

	Bugfix: the SMTP server logged no warning when for some
	reason the TLS engine was unavailable in wrappermode. Victor
	Duchovni.  File: smtpd/smtpd.c.

20060417

	Cleanup: when SMTP access table lookup fails, reply with
	4xx instead of aborting with a fatal run-time error. The
	old behavior assumes local file access, and is inappropriate
	with deployment of LDAP and SQL tables. File: smtpd/smtpd_check.c.

20060423

	Bugfix: postcat did not print the attribute value of records
	containing a named attribute. File: postcat/postcat.c.

20060430

	Bugfix: dangling pointer in a function that has no caller.
	Found by Coverity. File: tls/tls_prng_exch.c.

	Bugfix: the workaround for CA-2003-07 (Sendmail) did not
	null terminate the address before logging a warning. Reported
	by Kris Kennaway. File: global/tok822_parse.c.

20060301-20060515

	Sendmail 8 Milter support, distributed across the smtpd(8)
	server for SMTP commands, and the cleanup(8) server for
	content inspection and manipulation. The code supports all
	requests to add/delete recipients, and to add/delete/replace
	message headers, but does not yet support requests to replace
	the message body.  See MILTER_README for more. Files:
	smtpd/smtpd.c, smtpd/smtpd_milter.c, cleanup/cleanup_api.c,
	cleanup/cleanup_envelope.c, cleanup/cleanup_extracted.c,
	cleanup/cleanup_milter.c, milter/milter.c, milter/milter8.c.

	That's 89 lines in smtpd, 1010 lines in cleanup, and 2449
	lines of library support, comments not included.

	A simple test Milter application for use in regression tests
	is in src/milter/test-milter.c. Queue file modifications are
	tested with a driver at the end src/cleanup/cleanup_milter.c
	that reads commands from a script.

	To make debugging easier, uncomment the "#define msg_verbose
	2" lines at the top of cleanup_milter.c or milter8.c. This
	produces logging without making everything else verbose.

20060510

	Preliminary TLS_README and postconf(5) changes completed.
	Victor Duchovni.

	Added smtp_tls_policy_maps and smtp_tls_protocols features
	to the smtp/lmtp client, changed smtp_tls_cipherlist to
	only apply when TLS is mandatory. Victor Duchovni.

20060512

	Destinations that share a common server may have distinct
	TLS protocol and cipherlist requirements, with mandatory
	TLS add the protocol and cipherlist values to the TLS session
	lookup key. Victor Duchovni.

20060516

	Portability: __float80 alignment, by Albert Chin.  File:
	util/sys_defs.h.

	Further testing of Milter support uncovered typos; a missing
	null pointer test while cleaning up after content miltering;
	the need for a workaround to not bounce+delete local
	submission after it triggers a temporary reject Milter
	action.

	Workaround: don't bounce+delete a local submission after
	it triggers a "reject 4.x.x" action in header/body_checks.
	This means an SMTP client now sees "queue file write error"
	instead of the text from the "reject 4.x.x text" action.
	File: cleanup/cleanup_message.c.

	Workaround: OpenSSL 0.9.8[ab] with zlib support interoperability
	problem. Victor Duchovni. Files: tls/tls_client.c,
	tls/tls_misc.c, tls/tls_server.c.

	Added smtpd_tls_protocols parameter to complement
	smtp_tls_protocols. Victor Duchovni.

20060517

	The smtp_tls_policy_maps table now implements parent domain
	matching for destinations that are bare domains (without
	enclosing [] or optional :port suffix). This allows one to
	set TLS policy for a domain and all sub-domains. Victor
	Duchovni.

20060519

	The same parameter can bind to different variables in
	different daemons. Ignore the variable name when eliminating
	duplicates in extract.awk. Victor Duchovni.

20060523

	Improved handling of smtp_tls_protocols and smtpd_tls_protocols,
	names now processed via name_mask(3) and canonicalized prior
	to use in the SMTP/LMTP client TLS session lookup key. Also
	simplifies the corresponding code in the TLS driver. Victor
	Duchovni.

20060524

	Cleanup: send ETRN command parameter when using check_policy
	in the context of an ETRN command. Joshua Goodall. File:
	smtpd/smtpd_check.c.

20060601

	Bugfix (bug introduced 20051118): permit_mx_backup authorized
	domains without secondary MX records.  Joshua Goodall. File:
	smtpd/smtpd_check.c.

20060601

	Fixed default value of LMTP TLS client certificate parameters,
	using the SMTP values as a default was wrong. Victor Duchovni.

20060603

	Different transports may have different CAfile or CApath
	settings. We need to add the transport name to the TLS
	session lookup key so that sessions verified with one set
	of trusted roots are not inadvertantly considered verified
	for another. Victor Duchovni.

20060604

	Cleanup: minor fluff found with the BEAM source code analyzer.
	Files: global/quote_821_local.c, global/quote_822_local.c,
	master/master_spawn.c, pickup/pickup.c, util/match_ops.c,
	util/safe_open.c, xsasl/xsasl_cyrus_client.c.

20060606

	Safety: mail receiving daemons (smtpd, qmqpd) now pass
	actual client name/address/helo attributes in addition to
	the attributes used for logging (xforward). This prevents
	Milter applications from treating qmqpd mail as if it
	originated locally, and prevents incorrect Milter decisions
	after "postsuper -r". Files: smtpd/smtpd.c, qmqpd/qmqpd.c,
	cleanup/cleanup_envelope.c, cleanup/cleanup_milter.c,
	cleanup/cleanup_state.c, global/post_mail.c, *qmgr/qmgr_message.c,
	*qmgr/qmgr_deliver.c, global/deliver_request.c,
	global/deliver_pass.c, local/forward.c.

	Bugfix: qmgr panic after queue file corruption by Mailscanner.
	Files: *qmgr/qmgr_message.c.

	Bugfix: XCLIENT didn't work with smtpd_delay_reject=no
	(problem reported by Joshua Goodall).  To make XCLIENT work
	correctly with built-in restrictions and with Milter
	applications, the SMTP server now jumps back to the very
	start (the 220 phase) of an SMTP session.  File: smtpd/smtpd.c.

20060606

	Portability: Some systems no longer support the traditional
	"sort +0 -2 +3". Victor Duchovni.

20060607

	Portability: Found by BEAM static code analyzer. SSL options
	(long) were stored as int.

20060610

	Cleanup: XCLIENT and XFORWARD attribute values are now sent
	as xtext encoded strings. For backwards compatibility,
	Postfix will still accept unencoded attribute values.  Files:
	smtpd/smtpd.c, smtpd/smtpd_proxy.c, smtp/smtp_proto.c.

20060611

	Robustness: additional sanity checks for common database
	routines. Viktor Dukhovni. File: global/db_common.c.

	Portability: LDAP 2.3 API support. Viktor Dukhovni. File:
	global/dict_ldap.c.

	Security: the PostgreSQL client was updated after the
	PostgreSQL developers made major database API changes in
	response to PostgreSQL security issues. This breaks support
	for PGSQL versions prior to 8.1.4, 8.0.8, 7.4.13, and 7.3.15.
	Support for these requires major code changes which are not
	possible in the time that is left for the Postfix 2.3 stable
	release.

	Specific PostgreSQL client changes: use connection-aware
	quoting, and more robust PQexec() result handling.  Previous
	versions of the dict_pgsql driver didn't check the status
	of the result pointer, and certain exceptional events can
	be mis-interpreted as an empty result set.  Fixes by Leandro
	Santi. File: global/dict_pgsql.c.

20060612

	Changed smtp security level parsing and level->name conversion
	to use name_code(3). Victor Duchovni.

	Implemented new smtp_tls_security_level parameter, to replace
	the unnecessarily complex smtp_use_tls, smtp_enforce_tls
	and smtp_tls_enforce_peername parameters. The main.cf
	security level settings are now consistent with the new
	policy table. Victor Duchovni.

	The smtp_sasl_tls_verified_security_options feature is not
	yet complete, added #ifdef SNAPSHOT and changed documentation
	to delay introduction until Postfix 2.4. Victor Duchovni.

20060614

	Merged in Victor's work including the new TLS policy table
	and a complete set of configuration parameters for the LMTP
	personality of the unified SMTP/LMTP client.

	Allow mandatory TLS encryption with LMTP over UNIX-domain
	sockets. Victor Duchovni.

	Safety: improved code to avoid I/O on connections after the
	TLS handshake fails. Victor Duchovni.

20060615

	Cosmetic patch for const strings. Stefan Huehner.

	Other cosmetic changes, mainly whitespace.

20060616

	The qshape.pl script was updated for the pointer records
	that were introduced to support message content modification
	by Milter applications. Victor Duchovni.

20060620

	Feature: Substantially better cipherlist specification
	interface and support for anonymous ciphers when certificates
	are not needed. The primary interface in main.cf and the
	policy table selects one of 5 grades for mandatory TLS with
	smtp(8) or lmtp(8) or for all TLS sessions with smtpd(8).
	The levels are "high", "medium" (or better), "low" (or
	better), "export" (or better) and "null".  The underlying
	definitions of these levels are configurable, but users are
	strongly encouraged to not change those definitions. Victor
	Duchovni.

20060626

	Bugfix: the Milter reply syntax checker was off by one.
	File: milter/milter8.c.

	Workaround: disable SMTP connection cache lookup by server
	IP address when the tls_per_site policy table is enabled.
	This is a workaround for a shortcoming in the SMTP connection
	cache implementation, which retrieves the server hostname
	from the cached connection. Since this server name is not
	obtained in a secure manner, it must not be allowed to
	control the tls_per_site policy. File: smtp/smtp_reuse.c.

20060627

	Cleanup: mumble_mandatory_tls_mumble parameters renamed to
	mumble_tls_mandatory_mumble; added _mandatory_ qualifier
	to names of parameters that affect only mandatory TLS.

20060630

	Features promoted from SNAPSHOT to STABLE: the "sleep"
	pseudo restriction; Postfix daemons now read the local
	timezone file before chrooting; trivial-rewrite now detects
	table changes every 10 seconds, so it restarts more timely.

	Features that stay #ifdef SNAPSHOT: tcp_table,
	lmtp_sasl_tls_verified_security_options, and
	smtp_sasl_tls_verified_security_options.

	Compatibility: Sendmail does not send its own Received:
	header to Milter applications. Offsets in header replace
	requests are relative to the message content as received
	(i.e. without our own Received: header), while offsets in
	header insert requests are relative to the message as
	delivered (i.e. they include our own Received: header).
	This explains why dk-filter would sign our own Received:
	header but place the signature between our own Received:
	header and the rest of the message, violating the draft
	domainkeys spec.

20060702

	Cleanup: more graceful handling of queue file read/write
	errors while processing milter message modification requests.
	Files: cleanup/cleanup_milter.c, milter/milter8.c.

20060703

	Debugging: the Postfix milter client gives more context
	when it experiences trouble while talking to an uncooperative
	Milter application. File: milter/milter8.c.

	Compatibility: with OpenBSD 2.7 and later, the alias file
	is now in /etc/mail/aliases.

20060704

	Bugfix: the Milter client skipped zero-length body lines.
	File: milter/milter8.c.

	Feature (just this one): RFC 3834 "Auto-Submitted:" message
	header in DSNs.  File: bounce/bounce_notify_util.c.

20060705

	Portability: LP64 systems required a few ssize_t->int casts
	in debug logging statements.  Files: milter/test_milter.c,
	cleanup/cleanup_milter.c.

	Cleanup: comments, error messages, and crumbling interfaces.

20060707

	Workaround: apparently, Solaris gettimeofday() can return
	out-of range microsecond values.  File: src/global/log_adhoc.c.

	Robustness: the SMTPD policy client now encodes the
	ccert_subject and ccert-issuer attributes as xtext.  Some
	characters are replaced by +XX, where XX is the two-digit
	hexadecimal code for the character value.  File:
	smtpd/smtpd_check.c.

	Safety: the SMTP/LMTP client now defers delivery when a
	SASL password exists, but the server does not offer SASL
	authentication. Mail could be rejected otherwise. This may
	become an issue now that Postfix retries delivery in plaintext
	after an opportunistic TLS handshake fails. Specify
	"smtp_sasl_auth_enforce = no" to deliver mail anyway.  File:
	smtp/smtp_proto.c. See workaround 20060711 for sender-dependent
	SASL passwords. This was undone with the 20060719 workaround.

20060709

	Cleanup: the new single smtpd_tls_security_level parameter
	obsoletes the multiple smtpd_use_tls and smtpd_enforce_tls
	parameters. This is done for consistency with the Postfix
	SMTP client. In the Postfix SMTP server, the levels "verify"
	and "secure" are currently not applicable, and are treated
	as "encrypt", after logging a warning. Files: smtpd/smtpd.c,
	tls/tls_level.c, smtp/smtp_session.c.

	Compatibility: don't send the first (blank) body line to
	Milter applications.  This broke domain key etc. signatures
	when verified by non-Postfix MTAs.  File: milter/milter8.c.

20060710

	Cleanup: more consistency between smtpd(8) and smtp(8) TLS
	configuration interfaces: smtpd_tls_mandatory_exclude_ciphers,
	smtpd_tls_mandatory_ciphers, smtpd_tls_mandatory_protocols.
	By Victor. Files:smtpd/smtpd.c.

	Cleanup: to support domainkey signing of bounces and
	Postmaster notices, enable content inspection of Postfix-
	generated mail with the new internal_mail_filter_classes
	feature.  This is disabled by default, because it is not
	yet safe enough. Files: global/int_filt.[hc] and everything
	that calls post_mail_fopen*().

20060711

	Cleanup: smtpd_tls_mumble -> smtpd_tls_mandatory_mumble,
	and finer control over the Postfix SMTP server TLS ciphers,
	all this for consistency with the same functionality in the
	Postfix SMTP client. Victor Duchovni.

	Compatibility: Sendmail's milter client handles whitespace
	after the header label and ":" in an interesting manner.
	It eats one space (not tab). File: milter/milter8.c.

	Workaround: if sender-dependent SASL passwords are enabled,
	don't defer delivery when a SASL password exists but the
	server doesn't announce SASL support. File: smtp/smtp_proto.c.
	This was undone with the 20060719 workaround.

	Cleanup: format of cleanup milter reject messages.  File:
	cleanup_milter.c.

	Bugfix: file/memory leak if a transfer of multiple milters
	from smtpd to cleanup broke in the middle.  Found by Coverity.
	File: milter/milter.c.

20060716

	Bugfix: "sendmail -bs" panic caused by a missing
	SMTPD_STATE_ALONE() guard before a milter_abort() call.
	File: smtpd/smtpd.c.

	Bugfix (bug introduced with Postfix 2.2): the Postfix SMTP
	client enforced Mandatory TLS only when talking to an ESMTP
	server; enforcement did not happen if Postfix could somehow
	be forced to send HELO instead of EHLO.  Victor Duchovni.
	File: src/smtp/smtp_proto.c.

20060718

	Bugfix (bug introduced 20060711): null pointer bug when
	rejecting SMTP mail with Milter application.  File:
	cleanup/cleanup_milter.c.

	Workaround (problem introduced in 200605/200606 TLS update):
	the Postfix SMTP server now issues TLS session IDs even
	when TLS session caching is turned off, otherwise MS Outlook
	fails to deliver mail. There may also be interoperability
	issues with other MTAs that we haven't discovered yet.
	Specify "smtpd_tls_always_issue_session_ids = no" to disable
	the workaround. Victor Duchovni. Files: smtpd/smtpd.c,
	tls/tls_server.c.

20060719

	Cleanup: the smtp_sasl_auth_enforce feature is gone. It was
	meant to work around a problem that was introduced with
	plaintext fallback after a failed TLS handshake.  Unfortunately,
	it created more problems than it solved. We now address the
	underlying problem more directly as described next. File:
	smtp/smtp_proto.c.

	Safety: don't fall back to plaintext delivery after failed
	TLS handshake, when the Postfix SMTP client would have
	attempted to log in with SASL after successful TLS handshake.
	This avoids undesirable behavior regardless of whether the
	server does support SASL over plaintext (unexpected password
	disclosure) and whether the server doesn't support SASL
	over plaintext (insufficient mail relay permission).  Files:
	smtp/smtp_connect.c, smtp/smtp_session.c, smtp/smtp_proto.c.

20060720

	Compatibility: replace %% in milter replies by %, and strip
	single (i.e. invalid) % characters. File: milter/milter8.c.

	Compatibility: $_ macro support for Milter applications.
	Files: smtpd/smtpd.c, smtpd/smtpd_milter.c,
	cleanup/cleanup_state.c, cleanup/cleanup_milter.c.

20060721

	Safety: disable Milter processing after "postsuper -r".  If
	the mail has been filtered there is no need to do it again.
	Moreover, when mail has passed through an external content
	filter, we don't have sufficient information to reproduce
	the exact same SMTP events and Sendmail macros that Milters
	received when the mail originally arrived in Postfix.  This
	change does not affect Milter applications that run behind
	an after-queue content filter. File: pickup/pickup.c.

	Bugfix: Milters received a truncated ORCPT=xxx parameter
	due to destructive parsing of something that didn't have
	to be preserved before Milter support was added to Postfix.
	File: smtpd/smtpd.c.

20060724

	Bugfix: when updating the same header multiple times, the
	Postfix Milter client created a queue file that caused
	delivery agents to loop.  File: cleanup/cleanup_milter.c.

20060725

	Bugfix: damaged queue file record after a Milter request
	to modify a message header when 1) it was the last header
	in the unmodified message, and 2) the old header was less
	than 15 characters long.  File: cleanup/cleanup_milter.c.

	Bugfix: don't panic in smtp_rcpt_cleanup() after detecting
	a damaged queue file record. File: smtp/smtp_proto.c.

20060726

	Bugfix: the 20051013 change to enforce the message size
	limit in the SMTP server didn't work for size limits close
	enough to INT_MAX. File: smtpd/smtpd.c.

	Bugfix (introduced Postfix 2.3): after an SMTP client was
	rejected with "smtpd_delay_reject = no", the SMTP server
	would panic as it generated spurious Milter requests for
	unrecognized commands.  File: smtpd/smtpd.c.

20060727

	Cleanup: change redundant milter_abort() and milter_disc_event()
	calls into NO-OPs.  This avoids unnecessary panic() events
	for completely harmless conditions.  File: milter/milter8.c.

20060805

	Bugfix (introduced Postfix 2.3): #ifdef damage caused
	smtp_sasl_start() to be invoked twice. Reported by C-J
	Lofstedt. File: smtp/smtp_sasl_proto.c.

20060806

	Postfix no longer announces its name in delivery status
	notifications.  Users believe that Wietse provides a free
	helpdesk service that solves all their email problems.
	Credits to Jonathan Balester.  File: bounce/bounce_templates.c.

20060807

	Bugfix (introduced Postfix 2.2): when upgrading from Postfix
	< 2.2 with the third-party TLS patch, the post-install
	upgrade procedure didn't put a "?" in the existing tlsmgr
	entry, causing tlsmgr to repeatedly start and exit when TLS
	support was not compiled in.  File: conf/post-install.

20060812

	Bugfix (introduced < Postfix alpha): safety mechanism in
	mail_date() didn't work.  Found in code review.  File:
	global/mail_date.c.

20060817

	Test programs for host address->name and name->address
	lookups to debug name service inconsistencies, typically
	when the Postfix SMTP server claims that a hostname is
	"unknown".  Files: auxiliary/name-addr-test/*.

20060822

	Added missing logging for "message to large" etc.  Files:
	smtpd/smtpd.c, cleanup/cleanup_milter.c.

20060823

	Bugfix (introduced Postfix 2.2): segfault when vstream_fclose()
	attempted to flush unwritten output, after vstream_fdclose()
	had already disconnected the stream from its file descriptor.
	File: util/vstream.c.

	Bugfix (introduced Postfix 2.2): vstream_fdclose() did not
	flush unwritten output before disconnecting a stream from
	its file descriptor(s).  File: util/vstream.c.

	Feature: smtp-sink can capture mail to file, either as one
	individual message per file, or as multiple messages per
	file.  After an initial implementation by Weidong Cui. File:
	smtpstone/smtp-sink.c.

	Bugfix (introduced < Postfix alpha): smtp-sink did not
	correctly recognize DOT-CR-LF immediately after DATA. File:
	smtpstone/smtp-sink.c.

	Cleanup: smtp-sink now requires that MAIL FROM, RCPT TO and
	DATA be send in the correct order. This simplified the
	implementation of the capture to file feature. File:
	smtpstone/smtp-sink.c.

20050824

	Portability: inside functions, GCC 4 refuses forward
	declarations of static functions.  File: smtpstone/smtp-sink.c.

20060825

	Bugfix (introduced Postfix 2.3): with headers-only mail, a
	Milter "header insert" action corrupted the queue file. The
	cleanup server executed some end-of-body action before the
	end-of-header actions. File: cleanup/cleanup_message.c.

	Robustness: mail delivery agents now detect loops in queue
	files. Files with too many backward jumps are saved to the
	"corrupt" directory.  File: global/record.c.

20060831

	Bugfix (introduced with initial implementation): missing
	"dict_errno = 0" caused mis-leading error messages after
	non-error lookup failure.  Victor Duchovni.  File:
	util/dict_cidr.c.

	Robustness: the default TLS cipher lists were changed from
	!foo:ALL into ALL:!foo. Victor Duchovni.  Files:
	global/mail_params.h and documentation.

20060902

	Bugfix (introduced Postfix 2.3): the LMTP client stripped
	"inet": from the next-hop destination, but still used the
	complete next-hop from the delivery request. File:
	smtp/smtp_connect.c.

20060903

	Cleanup: record loop detection.  File: global/record.c.

20060929

	Workaround: AIX 5.[1-3] getaddrinfo() creates socket address
	structures with a non-zero port value. This breaks the
	smtp_bind_address etc. features, and breaks inet_interfaces
	settings with only one IP address.  Problem reported by
	Hamish Marson.  Files: util/sock_addr.[hc], util/myaddrinfo.c.

	Bugfix (introduced with the Postfix TLS patch): memory leak
	in verify_extract_peer(). The OpenSSL documentation provides
	no information on how subjectAltNames are managed.  Sam
	Rushing, ironport.  File: tls/tls_client.c.

	Bugfix (introduced with Postfix 2.2): smtp_generic_maps
	turned on MIME conversion. File: smtp/smtp_proto.c.

	Workaround: don't send SIZE information in the MAIL FROM
	command when message content will be subject to 8bit ->
	quoted-printable conversion.  File: smtp/smtp_proto.c.

20061002

	Compatibility: Sendmail now invokes the Milter connect
	action with the verified hostname instead of the name
	obtained with PTR lookup. File: smtpd/smtpd.c.

20061004

	Cleanup: force space between mailq queueid+status and file
	size items. File: showq/showq.c.

20061005

	Cleanup: make CISCO PIX bug workarounds configurable.  This
	introduces new parameters: smtp_pix_workarounds (default:
	disable_esmtp, delay_dotcrlf) and smtp_pix_workaround_maps
	(workarounds indexed by server IP address).  The default
	settings are backwards compatible. File: smtp/smtp.c,
	smtp/smtp_proto.c.

20061006

	Workaround: include the smtpd(8) service name when searching
	the TLS session cache, to avoid cross-talk between multiple
	master.cf entries. This does not eliminate cross-talk between
	multiple (x)inetd.conf entries. Victor Duchovni. Files:
	smtpd/smtpd.c, tls/tls_server.c.

20061015

	Cleanup: convert the Milter {mail_addr} and {rcpt_addr}
	macro values to external form. File: smtpd/smtpd_milter.c.

	Cleanup: the Milter {mail_addr} and {rcpt_addr} macros are
	now available with non-SMTP mail. File: cleanup/cleanup_milter.c.

	Cleanup: convert addresses in Milter recipient add/delete
	requests to internal form.  File: cleanup/cleanup_milter.c.

	Cleanup: with non-SMTP mail, convert addresses in simulated
	MAIL FROM and RCPT TO events to external form.  File:
	cleanup/cleanup_milter.c.

20061017

	Cleanup: removed spurious warning when the cleanup server
	attempts to bounce mail with soft_bounce=yes. Problem
	reported by Ralf Hildebrandt. File: cleanup/cleanup_bounce.c.

	Bugfix: null pointer bug when receiving a non-protocol
	response on a cached SMTP/LMTP connection.  Report by Brian
	Kantor.  Fix by Victor Duchovni.  File: smtp/smtp_reuse.c.

20061106

	Feature: new retry delivery agent, to avoid the synchronous
	defer service client in the queue manager. This code is
	co-located with the error(8) server. File: error/error.c.

	Performance: the queue manager could spend too much time
	in the synchronous defer service client, causing the watchdog
	timer to go off.  Where possible, the queue manager now
	bounces or defers recipients asynchronously, by routing
	them to the error or the retry delivery agent. Code by
	Wietse and Patrik Rak. Files: global/recipient_list.c,
	*qmgr/qmgr_error.c, *qmgr/qmgr_defer.c, *qmgr/qmgr_entry.c,
	*qmgr/qmgr_deliver.c, *qmgr/qmgr_message.c.

	Performance: refined recipient and job grouping, and more
	agressive early refill of in-memory recipients to prevent
	a worst-case scenario where the queue manager became starved
	until after the last batch of slow in-memory recipients of
	jumbo multi-recipient mail. Code by Patrik Rak.  Files:
	global/mail_conf_time.c, qmgr/qmgr_message.c, qmgr/qmgr.c,
	qmgr/qmgr.h, qmgr/qmgr_entry.c, qmgr/qmgr_job.c,
	qmgr/qmgr_message.c, qmgr/qmgr_transport.c.

20061113

	Bugfix: the Postfix install/upgrade procedure broke with
	non-default config_directory. File: conf/post-install.

20061115

	Bugfix: null pointer bug in end-of-header Milter action
	when the last header line is too large.  Reported by Mark
	Martinec. The root of the problem is that the MIME state
	engine may execute up to three call-back functions when it
	reaches the end of the headers, before it returns to the
	caller; as long as call-backs return no result, each call-back
	has to check for itself if a previous call-back ran into a
	problem.  File: milter/milter8.c.

	Workaround: reduce effective header_size_limit to 60000
	when Milter inspection is enabled, to avoid breaking the
	Milter protocol request length limit. File:
	cleanup/cleanup_message.c.

20061123

	Safety: don't read more than 5000 recipients at a time, to
	avoid spending too much time away from interrupts.  File:
	qmgr/qmgr_message.c.

20061201

	Workaround: don't complain with "Error 0" in the trivial-rewrite,
	verify, proxymap or connection cache client when the server
	exits after the client sends its request. We still complain,
	however, when the problem persists.  Files: global/rewrite_clnt.c,
	global/resolve_clnt.c, global/verify_clnt.c, global/scache_clnt.c,
	global/dict_proxy.c.

	Safety: the header_size_limit is now enforced more strictly,
	to avoid inter-operability problems with the Milter protocol.
	Long headers are truncated at a line boundary if possible,
	otherwise they are cut between line boundaries. File:
	cleanup/cleanup_out.c.

20061203

	Bugfix (introduced with Postfix 2.2): with SMTP server
	tarpit delays of smtp_rset_timeout or larger, the SMTP
	client could get out of sync with the server while reusing
	a connection.  The symptoms were "recipient rejected .. in
	reply to DATA".  Fix by Victor Duchovni and Wietse.  Files:
	smtp/smtp_proto.c, smtp/smtp_connect.c.

	Robustness: the vbuf and vstream documentation claimed that
	their *error() macros reported timeout errors, but they
	didn't really. The implementation was fixed, and redundant
	vstream_ftimeout() calls were removed. As a result, many
	Postfix daemons now properly detect write timeout errors
	on internal connections.  Files: util/vbuf.h.

	Workaround: some broken SMTP servers reply and hang up in
	the middle of DATA. The Postfix SMTP client now stops sending
	and tries to receive the server response. This can help to
	avoid repeated delivery attempts. Initial implementation
	by Wietse, later work by Victor Duchovni. Files:
	smtp/smtp_proto.c, smtpstone/smtp-sink.c, util/vstream.c,
	plus trivial mods for code thatr calls vstream_fpurge().

20061204

	Compatibility: The Postfix installation/upgrade procedure
	no longer sets "unknown_local_recipient_code = 450" in
	main.cf. This was a safety net for upgrades from Postfix
	1.x. Four years later is no longer needed. File:
	conf/post-install.

	Cleanup: removed vstream_fclose() error warning in the code
	that disconnects from a delivery agent. There is no need
	to report errors here because they would already be reported
	earlier.  Files: *qmgr/qmgr_deliver.c.

	Robustness: "kill me after N seconds" feature to ensure
	that a daemon process does not get stuck while preparing
	for exit after signal arrival. File: util/killme_after.[hc],
	util/watchdog.c, master/master_sig.c.

20061206

	Robustness: low-cost re-entrancy guard that allows daemons
	to safely call msg_fatal() etc. from a signal handler,
	without risking memory corruption, or deadlock on Redhat
	Linux.  This works provided that the signal handler terminates
	the process. In that special case we need not guarantee
	after-the-fact consistency of the thread that was interrupted.
	File: util/msg_output.c.

	Robustness: replace exit() calls by _exit(). File: util/msg.c,
	bounce/bounce_cleanup.c.

20061207

	Workaround: on systems with usable futimes() or equivalent
	(Solaris, *BSD, MacOS, but not Linux), always explicitly
	set the queue file last modification time stamps while
	creating a queue file. With this, Postfix can avoid logging
	warnings when the file system clock is ahead of the local
	clock.  Clock skew can be a problem, because Postfix does
	not deliver mail until the local clock catches up with the
	queue file's last modification time stamp.  File:
	global/mail_stream.c.

	Workaround: on systems without usable futimes() or equivalent,
	log a warning when the file system clock is more than 100
	seconds behind the local clock. This does not cause mail
	delivery problems, but it just looks silly in message
	headers. File: global/mail_stream.c.

	On systems without usable futimes() (Linux, and ancient
	versions of Solaris, SunOS and *BSD) Postfix will keep using
	the slower utime() system call to update queue file time
	stamps when the file system clock is off with respect to
	the local system clock.

	Compatibility with Postfix < 2.3: undo the change to bounce
	instead of defer after pipe-to-command delivery fails with
	a signal. File: global/pipe_command.c.

20061208

	Workaround: apparently, some mail software removes or hides
	"<postmaster>" in the Postfix bounce text, because it
	processes the text as if it were HTML. This confuses users.
	The bounce template has been updated to remove the < and
	>.  File: bounce/bounce_templates.c.

	Cleanup: when smtp_generic_maps is turned on, don't parse
	MIME structures in the message body. Victor Duchovni. File:
	smtp/smtp_proto.c.

20061210

	Cleanup: streamline the signal handler reentrancy protections,
	and document under what conditions these protections work,
	with REENTRANCY sections in the relevant man pages. Files:
	util/vbuf_print.c.  util/msg.c, util/msg_output.c.

20061211

	Cleanup: when doing server access control by the remote TLS
	client fingerprint, do not require client certificate
	verification.  Victor Duchovni.  File: smtpd/smtpd_check.c.

	Safety: when the remote TLS client certificate isn't verified,
	don't send ccert_subject and ccert_issuer attributes in
	check_policy_service requests. Victor Duchovni. File:
	smtpd/smtpd_check.c.

	Bugfix: the postconf command still complained about an
	unqualified machine name, because it was not updated with
	the 20050513 change that introduced a default "mydomain =
	localdomain".  File: postconf/postconf.c.

20061213

	Bugfix: race condition in "ETRN site", "sendmail -qRsite"
	and "postqueue -s site". When the command arrived while an
	incoming queue scan was already in progress, mail could
	stay deferred instead of being flushed. The fix was to
	unthrottle the queue manager before moving files from the
	deferred queue to the incoming queue.  Files: flush/flush.c,
	qmgr/qmgr_scan.c.

	Cleanup: the sendmail and postqueue commands no longer
	terminate with a non-standard error status after a run-time
	error in some Postfix internal routine (typically, some
	essential file is not accessible, or the system is out of
	memory). Files: sendmail/sendmail.c, postqueue/postqueue.c.

	Feature: "sendmail -qIqueueid" and "postqueue -i queueid"
	to flush a specific queue file. Files: sendmail/sendmail.c,
	postqueue/postqueue.c, global/flush_clnt.c, flush/flush.c.

20061214

	Performance: "sendmail -qIqueueid" and "postqueue -i queueid"
	unthrottle only the necessary message delivery transports
	and queues. The unthrottle request now is propagated to the
	queue manager via queue file group read permission bits.
	Based on initial implementation by Victor Duchovni.  Files:
	flush/flush.c, *qmgr/qmgr.c, *qmgr/qmgr_scan.c,
	*qmgr/qmgr_active.c, *qmgr/qmgr_message.c.

20061220

	Workaround: PMilter 0.95 does not deliver SMFIC_EOB+data
	to the application as SMFIC_BODY+data followed by SMFIC_EOB.
	To avoid compatibility problems, Postfix now sends
	SMFIC_BODY+data followed by SMFIC_EOB.  File: milter/milter8.c.

	Bugfix (introduced with Postfix 2.3): when inserting
	Milter-generated headers at increasing positions in a
	message, a later header could end up at a previously used
	insertion point.  Thus, inserting headers at positions (N,
	N+M) could work as if (N, N) had been specified. Problem
	reported by Mark Martinec.  File: milter/milter8.c.

20061221

	Feature: time unit suffix support in _command_time_limit.
	Files: pipe/pipe.c, spawn/spawn.c.

20061227

	Bugfix (introduced with Postfix 2.3): the MX hostname syntax
	check was skipped with reject_unknown_helo_hostname and
	reject_unknown_sender/recipient_domain, so that Postfix
	would still accept mail from domains with a zero-length MX
	hostname.  File: smtpd/smtpd_check.c.

20061229

	Cleanup: use separate TLS_LEGACY_README to document the old
	TLS user interface. This will simplify TLS_README dramatically.

	Cleanup: untangled spaghetti code. File: util/inet_listen.c.

20070104

	Bugfix (introduced Postfix 2.3): when creating an alias map
	on a NIS-enabled system, don't case-fold the YP_MASTER_NAME
	and YP_LAST_MODIFIED lookup keys. This requires that an
	application can turn on/off case folding on the fly.  Files:
	postalias/postalias.c, global/dict_mumble.c, util/dict_mumble.c,
	proxymap/proxymap.c.

	Cleanup: after the above revision of the proxymap protocol,
	the proxymap server can now share the same map with clients
	that have only minor differences in dictionary open/access
	options.

20070105

	Performance: pipeline of pending delivery agent connections,
	to improve Linux/Solaris mail delivery performance by another
	10% while going down-hill with the wind from behind. Design
	and implementation Victor and Wietse. Files: *qmgr/qmgr.c,
	*qmgr/qmgr.h, *qmgr/qmgr_transport.c.

20070106

	Cleanup: eliminate the Linux/Solaris "wait for accept()"
	stage from the queue manager to delivery agent protocol.
	This alone achieves 99.99% of the Linux/Solaris speed up
	from the preceding change. The pending connection pipeline
	takes care of the rest.  Tested on Linux kernels dating
	back to 2.0.27 (that's more than 10 years ago).  Files:
	*qmgr/qmgr_transport.c.

20070112

	Bugfix (introduced 20011008): after return from nested
	access restriction, possible longjump into exited stack
	frame upon configuration error or table lookup error. Victor
	Duchovni.  Files: smtpd/smtpd_check.c.

	Workaround: don't insert header/body blank line separator
	in malformed attachments, to avoid breaking digital signatures.
	Switch from header to body state, for robust MIME parsing.
	People concerned about MIME evasion can use a MIME normalizer
	to corrupt their user's legitimate email.  File:
	global/mime_state.c.

20070114

	Feature: body replacement support for Milter applications.
	Postfix 2.3 and older 2.4 versions will be able to deliver
	body-replaced queue files, but will report the message size
	as it was before the body was replaced.  Files: milter/milter8.c,
	cleanup/cleanup_milter.c, cleanup/cleanup_body_region.c.

20070117

	Cleanup: reusable infrastructure for body replacement.
	Files: cleanup/cleanup_body_edit.c, cleanup/cleanup_region.c.

20070118

	Bugfix: match lists didn't implement ![ipv6address].  Problem
	reported by Paulo Pacheco. File: util/match_list.c.

	Cleanup: revised the matchlist "!" support, added support
	for !/file/name, and updated the documentation. File:
	util/match_list.c.

20070119-21

	Cleanup: pad short message headers with a filler record,
	so that the result is never shorter than a pointer record.
	This immensely simplified the support for Milter header
	modification requests: three complex loops could be replaced
	by one simpler loop.  The DTXT record type was re-purposed
	from "deleted header text" to "short header padding", keeping
	the change backwards compatible.  Files: cleanup/cleanup_out.c,
	cleanup/cleanup_milter.c, global/record.c.

	Cleanup: the Milter "add recipient" action always added the
	recipient to the initial envelope segment, causing added
	recipients to be separate from "sendmail -t" recipients.
	This violated design, without impact on delivery (always_bcc
	recipient are always at the end of the queue file even when
	all other recipients are in the initial segment).  File:
	global/rec_types.h.

20070123

	Workaround: OpenSSL falsely concludes that AES256 support
	is present when only AES128 is available.  Code by Victor
	Duchovni.  File: tls/tls_misc.c.

20070125

	Disable workaround pending completion of updated TLS]
	support in non-production releases.

20070131

	Assorted code cleanup, portability fixes/workarounds, and
	minor updates: global/dict_ldap.c, mantools/postlink,
	tlsmgs/tlsmgr.c, conf/master.cf. LaMont Jones.

20070101

	Portability: GNU Hurd support for multiple kernel environments.
	LaMont Jones. Files: util/sys_defs.h, makedefs.

	Cleanup: some default settings were adjusted to better fit
	today's environment: queue_run_delay and minimal_backoff_time
	were reduced from 1000s to 300s, so that deliveries are
	retried earlier after the first failure; ipc_idle was reduced
	from 100s to 5s, so that tlsmgr and scache clients will
	more quickly release unused file handles. Files:
	global/mail_params.h, proto/postconf.5.html

20070202

	Catch-up: FreeBSD kqueue support. File: util/events.c.

20070205

	System-V poll(2) support. This is now the preferred method
	to test a single file descriptor on sufficiently recent
	versions of FreeBSD, NetBSD, OpenBSD, Solaris and Linux;
	other systems will be added as evidence becomes available
	of usable poll(2) implementations. Files: util/read_wait.c,
	util/write_wait.c, util/readble.c, util/writable.c.

	Streamlined the event_enable_read/write implementation to
	speed up smtp-source performance, by eliminating expensive
	kqueue/devpoll/epoll system calls when only the application
	call-back information changes. On FreeBSD, smtp-sink/source
	tests now run 5% faster than with the old select(2) based
	implementation.  File util/events.c.

20070206

	Catch-up: Solaris /dev/poll support. File: util/events.c.

	Bugfix (introduced 20060823): initial state was not in state
	machine, causing memory access outside the lookup table.
	File: smtpstone/smtp-sink.c.

20070210

	Catch-up: Linux epoll support. File: util/events.c.

20070211

	Polished the kqueue/devpoll/epoll support; this is now
	enabled by default on sufficiently recent versions of
	FreeBSD, NetBSD, OpenBSD, Solaris and Linux; other systems
	will be added as evidence becomes available of usable
	implementations. File: util/events.c.

20070212

	Further polish: removed some typos from new code in the
	events.c handler, undid some unnecessary changes to the
	{read,write}{_wait,able}.c modules, and addressed Victor's
	paranoia for multi-client servers with a thousand clients
	while linked with library routines that can't handle file
	descriptors >= FD_SETSIZE.

	Cleanup: while debugging the new events.c handler, removed
	an unnecessary "write after connect" call-back event. File:
	global/post_mail.c.

20070214

	Robustness: in the queue manager keep a number of free file
	descriptor slots at the low end, to work around library
	routines that can't handle file descriptors >= FD_SETSIZE.
	Files: *qmgr/qmgr_transport.c, util/vstream.[hc]

20070215

	Bugfix (introduced 20070114 with Milter body edit support):
	the cleanup server terminated with a fatal error when SMTP
	mail exceeded the message size limit, instead of handling
	it as a non-fatal error. Files: cleanup/cleanup_extracted.c,
	cleanup/cleanup_final.c, cleanup/cleanup_bounce.c,
	cleanup/cleanup_api.c.

20070217

	Streamline the compile time selection of event handling
	styles, replacing multiple on/off macros by just one
	multi-valued macro. Files: util/sys_defs.h, util/events.c,
	master/multi_server.c, *qmgr/qmgr_transport.c.

20070220

	Work-around: Disable SSL/TLS ciphers when the underlying
	symmetric algorithm is not available in the OpenSSL crypto
	library at the required bit strength. Problem observed with
	SunOS 5.10's bundled OpenSSL 0.9.7 and AES 256. Also possible
	with OpenSSL 0.9.8 and CAMELLIA 256. Root cause fixed in
	upcoming OpenSSL 0.9.7m, 0.9.8e and 0.9.9 releases. Victor
	Duchovni, Morgan Stanley. Files: src/smtp/smtp_proto.c,
	src/smtpd/smtpd.c, src/tls/tls.h, src/tls/tls_client.c,
	src/tls/tls_misc.c and src/tls/tls_server.c.

20070222

	Workaround: delayed "postfix reload" with ancient FreeBSD4
	kqueue implementations, causing the first external or
	internal clients after "postfix reload" to experience a
	quick disconnect.  Apparently, these kqueue implementations
	do not deliver a read notification when the master closes
	the per-service shared master/child status pipe (even when
	there is only one child; note that the master keeps a handle
	to both ends of each status pipe).  A child process remains
	ignorant that the status pipe was closed until the arrival
	of the next client request, and then terminates.  The
	workaround is to ignore master status write errors before
	handling a service request.  Files: master/*_server.c.

	Cleanup: fix race condition that caused unnecessary "premature
	end-of-input" warning messages when "postfix reload" was
	issued on a busy mail server. Files: util/attr_scan*c.

20070223

	Cleanup: syslog_name now works as documented with both
	daemons and commands (including set-gid commands).  Files:
	global/mail_task.c postlog/postlog.c, global/mail_version.h,
	sendmail/sendmail.c, postsuper/postsuper.c, postalias/postalias.c,
	postmap/postmap.c, postqueue/postqueue.c, postdrop/postdrop.c,
	master/trigger_server.c, master/single_server.c,
	master/multi_server.c.

20070224

	Workaround: GNU POP3D creates a new mailbox and deletes the
	old one. Postfix now backs off and retries delivery later,
	instead of appending mail to a deleted file.  To minimize
	the use of this workaround, Postfix now by default creates
	mailbox dotlock files on all systems, and creates dotlock
	files before opening mailbox files.  Files: util/sys_defs.h,
	global/mbox_open.c.

20070301

	Workaround: updated workaround for broken Solaris accept().
	File: util/inet_listen.c.

	Workaround: on some FreeBSD versions, accept(2) can fail
	with a bogus EINVAL error. We now allow accept(2) to fail
	for a limited number of times before terminating the process.
	Files: master/single_server.c, master/multi_server.c.

20070306

	Bugfix (introduced with Postfix 2.3 Milter support): postdrop
	reported "illegal seek" instead of "file too large".  File:
	postdrop/postdrop.c.

20070310

	Cleanup: specify "undisclosed_recipients_header =" to disable
	Postfix's "To: undisclosed-recipients:;" header for mail
	that lists no recipient. The To: header is not required as
	of RFC 2822.  The undisclosed_recipients_header parameter
	value can now be an empty string, a value that was not
	allowed with earlier Postfix versions. With Postfix 2.5 it
	will be empty by default. Files: cleanup/cleanup.c,
	cleanup/cleanup_message.c.

20070312

	Backwards compatibility: don't pad short message header
	records when Milter support is turned off. This maintains
	compatibility with Postfix versions that pre-date Milter
	support. File: cleanup/cleanup_out.c.

20070314

	Bitrot: move the "don't run this daemon by hand" message
	before other tests. Files: master/*server.c.

20070315

	Bitrot: New OpenLDAP APIs deprecate simplified interfaces,
	that are the only ones available in Sun's LDAP SDK. Define
	suitable macros that work with new OpenLDAP and Sun's code.
	Victor Duchovni, Morgan Stanley. File: src/global/dict_ldap.c

	Cleanup: new "leaf" and "terminal" result attributes support
	fine-tuning of LDAP group expansion, and provide a solution
	for the problem case where DN recursion returns both the
	group address and the addresses of the member objects.
	Victor Duchovni, Morgan Stanley.  Files: src/global/dict_ldap.c,
	proto/LDAP_README.html, proto/ldap_table

20070317

	Idioten Sicherheit: stamp every executable file and every
	core dump file with "mail_version=xxxxx". Adding version
	stamps and checks to every IPC message is too much change
	after code freeze, and requires too much time for testing.
	File: src/global/mail_version.h and every main program file.

20070320

	Bugfix (introduced between 20070120 and 20070121): the
	cleanup server stored no "delayed mail warning" queue file
	records with "sendmail -t", and no header_checks filter/redirect
	records or content encoding records with other mail.  File:
	global/rec_type.h.

20070321

	Bugfix (introduced 20070224): local(8) or virtual(8) could
	log a misleading error message after failure to open a
	mailbox file. File: global/mbox_open.c.

	Bugfix (code should have been updated 20070104): the proxymap
	client did not propagate changes in case folding flags.
	Currently, nothing in Postfix uses this functionality.
	File: global/dict_proxy.c.

20070325

	Bugfix: postfix-install didn't work for symlink or hardlink
	targets, when the parent directory had a value of "no".

20070326

	Workaround: Eric Raymond's man page formatters don't handle
	low-level *roff .in or .ti controls. We now use .nf and .fi
	instead. Files: many.

20070331

	Bugfix (introduced Postfix 2.3): segfault with HOLD action
	in access/header_checks/body_checks on 64-bit platforms.
	File: cleanup/cleanup_api.c.

20070402

	Portability (introduced 20070325): the fix for hardlinks
	and symlinks in postfix-install forgot to work around shells
	where "IFS=/ command" makes the IFS setting permanent.  This
	is allowed by some broken standard, and affects Solaris.
	File: postfix-install.

	Portability (introduced 20070212): the workaround for
	non-existent library bugs with descriptors >= FD_SETSIZE
	broke with "fcntl F_DUPFD: Invalid argument" on 64-bit
	Solaris.  Files: master/multi_server.c, *qmgr/qmgr_transport.c.

20070405

	Feature: BCC access/policy action, to demonstrate that this
	is not a good feature. The action's behavior is non-intuitive
	and requires too much documentation to explain.  It's
	therefore snapshot only.  File: smtpd/smtpd_check.c.

20070414

	Cleanup: expire cached results from address rewriting, address
	resolution, and from transport map lookups.  Results expire
	after 30 seconds; short enough that it doesn't freak out
	people who run the same test repeatedly, and long enough
	that it doesn't upset other people with continuous streams
	of "*" transport map lookups.  Files: global/rewrite_clnt.c,
	global/resolve_clnt.c, trivial-rewrite/transport.c.

20070421

	Cleanup: on (Linux) platforms that cripple signal handlers
	with deadlock, "postfix stop" now forcefully stops all the
	processes in the master's process group, not just the master
	process alone.  File: conf/postfix-script.

20070422

	Cleanup: the "Delivered-To:" loop detection implementation
	was moved from the local(8) delivery agent to the library,
	where it can also be used by other delivery agents. Files:
	global/delivered_hdr.[hc].

	Safety: the "Delivered-To:" loop detection implementation
	keeps state for no more than 1000 "Delivered-To:" headers.

	Feature: $domain command-line macro support, to get access
	to the recipient address domain portion.  Based on code by
	Koen Vermeer. File: pipe/pipe.c.

	Cleanup: support for "Delivered-To:" loop detection in the
	pipe(8) delivery agent. This follows a general principle:
	if a program creates the "Delivered-To:" header, then it
	is also responsible for "Delivered-To:" loop detection.
	File pipe/pipe.c.

20070423

	The cache expiring transport map lookups did not distinguish
	between wildcard transport map entry with an "empty" transport
	field, or no wildcard transport map entry.

20070424

	Cleanup: making hard-coded behavior configurable. In this
	case, extracting 8BITMIME encoding information from
	Content-Transfer-Encoding: message headers.  The default
	behavior, "detect_8bit_encoding_header = yes", is backwards
	compatible. This behavior was introduced to generate
	RFC-compliant bounce messages before Postfix supported the
	8BITMIME option in the MAIL FROM command and on the Postfix
	sendmail command line.  Files: cleanup/cleanup_init.c,
	cleanup/cleanup_message.c, global/mail_params.h.

20070425

	Bugfix: don't falsely report "lost connection from
	localhost[127.0.0.1]" when Postfix is being portscanned.
	Files: smtpd/smtpd_peer.c, qmqpd/qmqpd_peer.c.

20070429

	Feature: "postfix status" to report whether Postfix is
	running.  By Mike Cappella.

	Cleanup: configurable address case folding moved from the
	pipe(8) delivery agent to the library, where it can also
	be used by other delivery agents. Files: global/fold_addr.[hc].

20070430

	Robustness: recommend a "0" process limit for policy servers
	to avoid "connection refused" problems when the smtpd process
	limit exceeds the default process limit.  File:
	proto/SMTPD_POLICY_README.html.

20070501

	Workaround: turn on KEEPALIVE probes to avoided "lost
	connection after sending end-of-data" problems when some
	stateful (NAT) filter expires an idle connection too soon.
	This requires that the kernel's TCP keepalive timer be set
	to a sufficiently short time (perhaps 100s or less).  Files:
	util/sane_accept.c, util/sane_connect.c.

	Safety: when IPv6 (or IPv4) is turned off, don't treat an
	IPv6 (or IPv4) connection from e.g. inetd as if it comes
	from localhost[127.0.0.1]. Files: smtpd/smtpd_peer.c,
	qmqpd/qmqpd_peer.c.

20070502

	Workaround: build without EPOLL support when an epoll-enabled
	kernel sits underneath a retarded libc.  File: makedefs.

	Cleanup: missing support for SASL security properties with
	Dovecot SASL authentication. Based on an initial version
	by Lev A. Serebryakov.  File: xsasl/xsasl_dovecot_server.c.

20070503

	Cleanup: changed the default address verification sender
	from "postmaster" to "double-bounce", so that the Postfix
	SMTP server no longer surprises unsuspecting people by
	excluding "postmaster" from SMTPD access controls.  File:
	global/mail_params.h.

20070508

	Bugfix: Content-Transfer-Encoding: attribute values are
	case insensitive. File: src/cleanup/cleanup_message.c.

20070514

	Bugfix: the makedefs EPOLL workaround broke any attempt to
	build on a 2.6 kernel. And that two weeks after the workaround
	had been posted to the mailing list. File: makedefs.

	Bugfix: mailbox_transport(_maps) and fallback_transport(_maps)
	were broken when used with the error(8) or discard(8)
	transports. Cause: insufficient documentation.  Files:
	error/error.c, discard/discard.c.

20070520

	Bugfix (problem introduced Postfix 2.3): when DSN support
	was introduced it broke "agressive" recipient duplicate
	elimination with "enable_original_recipient = no".  File:
	cleanup/cleanup_out_recipient.c.

20070523

	Feature: cyrus_sasl_config_path to specify a search path
	for Cyrus SASL configuration files (currently used only to
	locate the smtpd.conf file).  Based on code by Victor
	Duchovni. Files: smtpd/smtpd.c xsasl/xsasl_cyrus_server.c,
	(and xsasl/xsasl_cyrus_client.c for future expansion).

20070525

	Bugfix (introduced 20070523): the sasl_set_path() function
	name was mis-speeled.

20070529

	Bugfix (introduced Postfix 2.3): the sendmail/postdrop
	commands would hang when trying to submit a message larger
	than the per-message size limit. File: postdrop/postdrop.c.

20070530

	Sabotage the saboteur who insists on breaking Postfix by
	adding gethostbyname() calls that cause maildir delivery
	to fail when the machine name is not found in /etc/hosts,
	or that cause Postfix processes to hang when the network
	is down.

20070531

	Portability: Victor helpfully pointed out that change
	20070425 broke on non-IPv6 systems. Files: smtpd/smtpd_peer.c,
	qmqpd/qmqpd_peer.c.

20070610

	Isolation: don't allow the pipe(8) delivery agent to leak
	postdrop group privileges with "user=xxx:postdrop". File:
	pipe/pipe.c.

20070613

	Bugfix: the Milter client assumed that a Milter application
	does not modify the message header or envelope, after that
	same Milter application has modified the message body of
	that same email message. This is not a problem with updates
	by different Milter applications.  Problem was triggered
	by Jose-Marcio Martins da Cruz. Also simplified the handling
	of queue file update errors. File: milter/milter8.c.

20070614

	Workaround: some non-Cyrus SASL SMTP servers require SASL
	login without authzid (authoriZation ID), i.e. the client
	must send only the authcid (authentiCation ID) + the authcid's
	password.  In this case the server is supposed to derive
	the authzid from the authcid. This works as expected when
	authenticating to a Cyrus SASL SMTP server.  To get the old
	behavior specify "send_cyrus_sasl_authzid = yes", in which
	case Postfix sends the (authzid, authcid, password), with
	the authzid equal to the authcid. File: xsasl/xsasl_cyrus_client.c.

20070619

	Portability: /dev/poll support for Solaris chroot jail setup
	scripts. Files: examples/chroot-setup/Solaris8,
	examples/chroot-setup/Solaris10.

20070713

	The RFC documents at www.faqs.org are being polluted with
	"feedback" spam. The Postfix hypertext documentation now
	points to tools.ietf.org. File: mantools/postlink.

20070719

	Feature: updated smtp-sink with new options to send a
	pre-formatted message from file, and to handle replies other
	than the expected 2xx or 3xx. File: smtpstone/smtp-source.c.

	Cleanup: Milter client error handling, so that the (Postfix
	SMTP server's Milter client) does not get out of sync with
	Milter applications after the (cleanup server's Milter
	client) encounters some non-recoverable problem.  Files:
	milter/milter8.c, smtpd/smtpd.c.

20070720

	Support for RFC 4954 (SASL AUTH, updates RFC 2554, refines
	some reply codes and introduces DSN enhanced status codes)
	and RFC 3848 ("Received ...  with ESMTPS?A? ...). Currently,
	support for the latter is always on.  Files: smtpd/smtpd.c,
	smtpd/smtpd_sasl_proto.c, smtpd/smtpd_sasl_glue.c.

20070727

	Workaround: the queue manager no longer logs a warning for
	mail sent to the local double-bounce address (normally, the
	this is used as the sender while reporting an undeliverable
	bounce message to the local postmaster).  As of 20070503
	the local double-bounce address is the default sender for
	sender/recipient address verification probes, and it now
	shows up as a spam target. Files: *qmgr/qmgr_message.c.

20070729

	Performance: fix for poor TCP performance for loopback
	(127.0.0.1) connections. Problem reported by Mark Martinec.
	Files: util/vstream.c, util/vstream_tweak.c, milter/milter8.c,
	smtp/smtp_connect.c, smtpstone/*source.c.

20070730

	Bugfix: when a milter replied with ACCEPT at or before the
	first RCPT command, the cleanup server would apply the
	non_smtpd_milters setting as if the message was a local
	submission. Problem reported by Jukka Salmi. Also, the
	cleanup server would get out of sync with the milter when
	a milter replied with ACCEPT at the DATA command. Files:
	cleanup/cleanup_envelope.c, smtpd/smtpd.c, milter/milters.c.

20070811

	Cleanup: unlike smtpd_mumble_restrictions, the Postfix SMTP
	server Milter reject logging did not show the (helo argument,
	sender address, or recipient address) that was being rejected.
	File: smtpd/smtpd.c.

20070824

	Bugfix (introduced snapshot 20070429): the pipe(8) delivery
	agent 'q' flag (quote address local-part) used the same bit
	mask as the 'B' flag (append blank line). Setting one flag
	also turned on the other. File: pipe/pipe.c.

	Feature: specify the 'X' flag to indicate that the pipe(8)
	delivery agent performs final delivery. This changes the
	status in DSN "success" messages from "relayed" into
	"delivered".  File: pipe/pipe.c.

20070904-6

	Feature: stress-adaptive behavior. When a "public" network
	service runs into an "all processes are busy" condition,
	the master(8) daemon logs a warning, restarts the service,
	and runs it with "-o stress=yes" on the command line (normally
	it runs the service with "-o stress=").  This can be used
	to make main.cf parameter settings stress dependent.
	Examples: "smtpd_timeout = ${stress?10}${stress:300}" and
	"smtpd_hard_error_limit = ${stress?1}${stress:20}".  Files:
	master/master_avail.c, master/master_spawn.c, master/master_ent.c.

20070911

	Bugfix (introduced Postfix 2.2.11): TLS client certificate
	with unparsable canonical name caused the SMTP server's
	policy client to allocate zero-length memory, triggering
	an assertion that it shouldn't do such things.  File:
	smtpd/smtpd_check.c.

20070912

	Bugfix (introduced Postfix 2.4) missing initialization of
	event mask in the event_mask_drain() routine (used by the
	obsolete postkick(1) command). Found by Coverity.  File:
	util/events.c.

20070917

	Workaround: the flush daemon forces an access time update
	for the per-destination logfile, to prevent an excessive
	rate of delivery attempts when the queue file system is
	mounted with "noatime".  File: flush/flush.c.

20070923

	Cleanup: don't complain when a "corrupt" queue file is
	deleted before it can be saved to the "corrupt" queue.
	Files: *qmgr/qmgr_active.c.

20071003

	Logging: the Postfix SMTP server now logs the number of
	bytes received after the DATA command when a connection
	breaks before mail delivery completes.  This may help finding
	the cause of the problem: packet loss, MTU, or other. File:
	smtpd/smtpd.c.

20071004

	Logging: all daemons now log the TCP port number of remote
	SMTP or QMQP clients.  The information is overruled with
	the SMTP XCLIENT command, is propagated through SMTP-based
	content filters with XFORWARD, and is sent to Milter
	applications.  Files: smtpd/smtpd_peer.c, smtpd/smtpd.c,
	smtpd/smtpd_proxy.c, smtpd/smtpd_milter.c, qmqpd/qmqpd_peer.c,
	cleanup/cleanup_milter.c, *qmgr/qmgr_message.c,
	*qmgr/qmgr_deliver.c, smtp/smtp_proto.c, pipe/pipe.c,
	global/deliver_request.c, global/deliver_pass.c,
	proto/XFORWARD_README, proto/XCLIENT_README.

	Feature: per-command delays in smtp-sink. File:
	smtpstone/smtp-sink.c.  Victor Duchovni.

20071006

	Cleanup: updated a bunch of hard-coded host[addr] logging
	statements. Files: smtpd/smtpd.c, smtpd/smtpd_chat.c,
	smtpd/smtpd_sasl_glue.c.

	Cleanup: client port logging is now configurable (off by
	default). Parameters: smtpd_client_port_logging and
	qmqpd_client_port_logging. Files: smtpd/smtpd_peer.c,
	qmqpd/qmqpd_peer.c.

	Cleanup: send client port information "0" instead of "unknown"
	to Milter applications. Files: smtpd/smtpd.c, smtpd/smtpd_milter.c,
	cleanup/cleanup_milter.c.

20071025

	Portability: on Linux we no longer need /proc to find out
	local IPv6 interface address information. LaMont Jones.
	Files: util/sys_defs.h.

20071030

	Bugfix (introduced Postfix 2.3): Postfix mistakenly enforced
	the 64kbyte limit (for sending body parts TO Milter
	applications) also while receiving packets FROM Milter
	applications.  The limit is now at least 1GB.  File:
	milter/milter8.c.

20071105

	Feature: ORIGINAL_RECIPIENT environment variable.  Corey
	Hickey. File: local/local.c.

20071108-10

	Feature: general-purpose header/body_checks library module,
	first used in the SMTP client. Actions that change the
	message delivery time or destination can be implemented
	with a simple extension mechanism (they make sense only in
	before-queue filters).  Configuration parameters:
	smtp_header_checks, smtp_mime_header_checks,
	smtp_nested_header_checks, smtp_body_checks. Unlike the
	cleanup server, the mime and nested header checks don't by
	default assume the header_checks value.  Files:
	global/header_body_checks.[hc], smtp/smtp_proto.c,
	smtp/smtp_session.c.

20071110

	Feature: ${original_recipient} command-line macro.  Corey
	Hickey. File: pipe/pipe.c.

	Bugfix (introduced: 20071004) missing exception handling
	in smtp-sink per-command delay feature. Victor Duchovni.
	File: smtpstone/smtp-sink.c.

2007117-20

	Revised queue manager with separate mechanisms for
	per-destination concurrency control and dead destination
	detection.  The concurrency control supports non-integer
	feedback for more gradual concurrency adjustments, and uses
	hysteresis to avoid rapid oscillations.  A destination is
	declared "dead" after a configurable number of pseudo-cohorts
	(number of deliveries equal to a destination's concurrency)
	reports connection or handshake failure. This work began
	with a discussion that Wietse started with Patrik Rak and
	Victor Duchovni late January 2004, and that Victor revived
	late October 2007. To establish a baseline for further
	improvement, Wietse implemented a few simple mechanisms.

	Configuration parameters for debugging, positive/negative
	hysteresis, and positive/negative feedback. Some have since
	been removed or renamed, so no point naming them here.
	Files: global/mail_params.h, qmgr/qmgr_queue.c,
	qmgr/qmgr_deliver.c.

20071121

	Boundary condition: Patrik Rak pointed out that handling
	of negative feedback with concurrency window 1 could
	be improved.

	Feature: support to look up null sender addresses in
	sender-dependent relayhost maps. Parameter name:
	empty_address_relayhost_maps_lookup_key (default; <>).
	Keean Schupke. File: trivial-rewrite/resolve.c.

20071127-9

	Revision 2 of queue manager scheduler interface, allowing
	feedback parameter settings with constants and variables
	such as 1/8 or 1/concurrency.  Some experimental parameters
	were removed and others were renamed. The new names are:
	default_destination_concurrency_negative_feedback,
	default_destination_concurrency_positive_feedback,
	default_destination_concurrency_failed_cohort_limit,
	destination_concurrency_feedback_debug.

	Also available are transport-specific overrides:
	<transport>_initial_destination_concurrency,
	<transport>_destination_concurrency_negative_feedback,
	<transport>_destination_concurrency_positive_feedback,
	<transport>_destination_concurrency_failed_cohort_limit.

	Files: global/mail_params.h, *qmgr/qmgr.c, *qmgr/qmgr_transport.c,
	*qmgr/qmgr_queue.c, *qmgr/qmgr_feedback.c, postconf/auto.awk.

20071202

	Feature: output rate control. For example, specify
	"smtp_destination_rate_delay = 5m" to insert a five-minute
	delay between deliveries. This was an opportunity to define
	the mutually exclusive states that a queue can have, and
	to detect invalid transitions.  This will make adding new
	features code easier.  Files: *qmgr/qmgr_transport.c,
	*qmgr/qmgr_queue.c, *qmgr/qmgr_entry.c.

	Bugfix (introduced Postfix 2.2): don't update the back-to-back
	delivery time stamp while deferring mail. File: *qmgr/qmgr_entry.c.

20071203

	Feature: support for read-write tables in the proxymap
	service. This is implemented with a separate master.cf entry
	named "proxywrite" that should run with process limit of 1
	if you want to update Berkeley DB like tables. This feature
	requires that tables be authorized with the proxy_write_maps
	configuration parameter. Files: global/dict_procy.[hc],
	proxymap/proxymap.c.

	Human factors: the postmap and postalias commands now produce
	nicer diagnostics when asked to do something with a proxied
	map that they can't do. Files: postmap/postmap.c,
	postalias/postalias.c.

	Bugfix: the proxymap client didn't properly propagate user
	options to the proxymap server.  File: util/dict.h.

	Workaround: force synchronous updates in the proxymap server
	so that maps will be in a consistent state between updates.
	File: proxymap/proxymap.c.

	Bugfix: an empty rate-limited queue wasn't removed after
	timer expiry. Files: *qmgr/qmgr_queue.c.

20071204

	Use different sockets for proxymap (read-only) and proxywrite
	(read-write) services in the proxy: client. Victor Duchovni.
	File: global/dict_proxy.c.

	Feature: proxymap delete support by Victor Duchovni.  Files:
	global/dict_proxy.c, proxymap/proxymap.c.

	Feature: proxymap delete support. Files: postmap/postmap.c
	postalias/postalias.c.

	Cleanup: the Postfix sendmail command did not include the
	user (name/uid) information in all error messages. File:
	sendmail/sendmail.c.

	Feature: data_directory configuration parameter for
	Postfix-writable data such as caches and random numbers.
	Files: postfix-install, conf/postfix-files.

20071206

	Security: tlsmgr(8) and verify(8) no longer use root
	privileges when opening their cache files. This avoids a
	potential security loophole where the ownership of a file
	(or directory) does not match the trust level of the content
	of that file (or directory). See RELEASE_NOTES for how to
	use pre-existing data. Files: util/set_eugid.[hc],
	tlsmgr/tlsmgr.c, verify/verify.c.

	Compatibility: as a migration tool, redirect attempts by
	tlsmgr(8) or verify(8) to open files in non-Postfix directories
	to the Postfix-owned data_directory. File: global/data_redirect.c.

	Lots of pathname fixes in the examples of TLS_README and
	postconf(5); -lm library screw-up in queue manager Makefiles.

20071207

	Cleanup: pathname fixes in documentation; unnecessary queue
	scan in the queue manager rate limiter; inverse square root
	feedback in the queue manager concurrency scheduler.  Files:
	mantools/postlink, proto/TLS_README.html, *qmgr/qmgr_queue.c.

	All changes up to this point should be ready for Postfix 2.5.

	Documentation: updated nqmgr preemptive scheduler documentation
	by Patrik Rak. File: proto/SCHEDULER_README.html.

20071211

	Bugfix (introduced 19980315): the "write" equivalent of
	bugfix 20030104. File: util/vstream.c.

20071212

	Feature: "stress=" or "stress=yes" attribute in the SMTPD
	policy delegation protocol. File: smtp/smtpd_check.c.

	Cleanup: allow_min_user now rejects recipients (and senders)
	starting with '-' at SMTP session time. To make this possible
	the feature was moved from qmgr(8) to trivial-rewrite(8).
	Files: *qmgr/qmgr_message.c, trivial-rewrite/resolve.c.

20071213:

	Cleanup: the queue manager and SMTP client now distinguish
	between connection cache store and retrieve hints. Once the
	queue manager enables connection caching (store and load)
	hints on a per-destination queue, it keeps sending connection
	cache retrieve hints to the delivery agent even after it
	stops sending connection cache store hints.  This prevents
	the SMTP client from making a new connection without checking
	the connection cache first. Victor Duchovni.  Files:
	*qmgr/qmgr_entry.c, smtp/smtp_connect.c.

	Bugfix (introduced Postfix 2.3): the SMTP client never
	marked corrupt files as corrupt. Victor Duchovni. File:
	smtp/smtp_proto.c.

	Cleanup: the SMTP client won't mark a destination as
	unavailable when at least one SMTP session was completed
	without connect or handshake error. Victor Duchovni. Files:
	smtp/smtp_connect.c, smtp/smtp_session.c, smtp/smtp_proto.c,
	smtp/smtp_trouble.c.

20071215

	Documentation and code cleanup. Files: global/deliver_request.h,
	*qmgr/qmgr_entry.c, smtp/smtp_connect.c,
	proto/SCHEDULER_README.html.

	Bugfix (introduced snapshot 20071006): qmqpd ignored the
	qmqpd_client_port_logging parameter setting. File:
	qmqpd/qmqpd.c.

20071216

	Cleanup: show the remote SMTP server port in verbose logging,
	warnings and postmaster notices.  Still don't show the port
	in delivery status notifications. Files: smtp/smtp_chat.c,
	smtp/smtp_sasl_glue.c, smtp/smtp_sasl_proto.c.

	The "tls_require_cert" is now compatible with OpenLDAP 2.1
	and later. Victor Duchovni. Files: proto/ldap_table,
	global/dict_ldap.c.

20071218

	Cleanup: removed the "#ifdef USE_LIBMILTER_INCLUDES"
	dependencies on system-installed Milter protocol include
	files. Verified that the object code has not changed. File:
	milter/milter8.c.

	Sanity check: idiot filter to detect attempts to use the
	same database file for different TLS session caches.  File:
	tlsmgr/tlsmgr.c.

	Cleanup: updated the spell check stoplist and the spell
	check script. Files: mantools/spell, proto/stop.

	Cleanup: replaced documentation references to xxgdb by ddd.
	The xxgdb program hasn't been updated in more than 10 years.
	Files: proto/postconf.proto, conf/main.cf.

20071219-20

	Feature: support for all new Sendmail 8.14 Milter features
	except SMFIR_SKIP (skip further events of this type),
	SMFIP_RCPT_REJ (report rejected recipients to the mail
	filter), SMFIR_CHGFROM (replace sender, with optional ESMTP
	command parameters), and SMFIR_ADDRCPT_PAR (add recipient,
	with optional ESMTP command parameters). Files: milter/milters.c,
	milter/milter8.c, milter/test-milter.c, cleanup/cleanup_milter.c.

20071221

	Feature: support for Sendmail 8.14 Milter SMFIR_SKIP (skip
	further events of this type). Files: milter/milter8.c,
	milter/test-milter.c.

	Cleanup: don't try sending HELO after a 421 EHLO reply.
	File: smtp/smtp_proto.c.

20071221-nonprod

	Using 20071221 as reference point.

	Cleanup: Simplified TLS library cipher and protocol API to
	just pass string-valued properties to tls_client_init() and
	tls_client_start(). The client is now agnostic of the
	mechanics of cipher management internal to the library. The
	main.cf parameters used internally in the library are now
	loaded by the library, not the caller. Files:
	src/smtp/lmtp_params.c, src/smtp/smtp.c, src/smtp/smtp.h,
	src/smtp/smtp_params.c, src/smtp/smtp_proto.c,
	src/smtp/smtp_session.c, src/smtpd/smtpd.c, src/tls/tls.h,
	src/tls/tls_client.c, src/tls/tls_level.c, src/tls/tls_misc.c,
	src/tls/tls_server.c, src/tls/tls_session.c, src/tls/tls_verify.c
	and src/tlsmgr/tlsmgr.c

	Cleanup: Client session lookup key "salting" is now handled
	internally in the tls library. Files: src/tls/tls_client.c

	Cleanup: Cipher state is cached, and only updated when
	necessary.  Files: src/tls/tls_misc.c

	Feature: Extended the syntax of protocol selection to allow
	exclusions as well as inclusions. Files: src/tls/tls_misc.c

	Cleanup: Updated default verification depth to match reality:
	default is 9 in OpenSSL and we don't yet override it.  When
	we do (soon), the default will match previous behavior.
	Files: src/global/mail_params.h

	Bugfix: Reference to obsolete "pfixtls" code won't compile
	inside #ifdef for OpenSSL <= 0.9.5a. Using an OpenSSL release
	that old has not been tested for some time, but may now
	work. Files: src/tls/tls_bio_ops.c.

	Replaced "void *" TLS library application handles by explicit
	pointer types, while hiding data structure implementation
	details from the TLS library users. Files: tls/tls_client.c,
	tls/tls_server.c, smtp/smtp.c, smtpd/smtpd.c.

	The TLS library no longer modifies VSTRINGs passed in by
	the caller. Where possible, information is passed as "const"
	from application to library. Files: smtp/smtp_proto.c,
	tls/tls_client.c.

20071227-nonprod

	Replaced explicit initialization of props structures by
	emulating function calls with named parameter lists.  Files:
	tls/tls.h, smtp/smtp.c, smtp/smtp_proto.c, smtpd/smtpd.c.

20071222

	Further polishing of the Milter code and logging. File:
	milter/milter8.c.

20071123

	Further polishing of the Milter code. With SETSYMLIST, each
	Milter can now update its own macros instead of clobbering
	the global copy that is shared with other Milters. Also an
	opportunity to clean up some ad-hoc code for sending macro
	lists from smtpd(8) to cleanup(8). Files: milter/milter.c,
	milter/milter8.c, milter/milter_macros.c.

20071224

	Further polishing of the Milter code. Eliminated unnecessary
	steps from the initial smtpd/cleanup Milter handshake. Files:
	milter/milter.c, milter/milter8.c, milter/milter_macros.c.

	Cleanup: name_code(3) and name_mask(3) now support read-only
	tables. Files: util/name_code.[hc], util/name_mask.[hc].

20071227

	Cleanup: further refinements of the Milter code, allowing
	for multiple macro overrides. The code is now ready for
	serious testing. File: milter/milter8.c.

20071229

	Bugfix: the Milter client did not replace the Postfix-specific
	form for unknown host names by the Sendmail-specific form.
	File: milter/milter8.c.

	Cleanup: when a cleanup milter reports a problem don't log
	generic "4.3.0 Sevice unavailable", but log the text for
	the actual error. File: cleanup/cleanup_milter.c.

20080102-nonprod

	SMTP client fingerprint security level support and configurable
	fingerprint digest algorithm. Victor Duchovni. Files:
	smtp/lmtp_params.c, smtp/smtp.c, smtp/smtp.h,
	src/smtp/smtp_params.c, src/smtp/smtp_proto.c,
	src/smtp/smtp_session.c, tls/tls_client.c, tls/tls_level.c,
	tls/tls_verify.c.

20080103-nonprod

	Missed "invalid TLS configuration" patch for SMTP client.
	Victor Duchovni. File: smtp/smtp_proto.c.

	SMTP server configurable fingerprint digest algorithm.
	Victor Duchovni. Files: smtpd/smtpd.c, tls/tls.h,
	tls/tls_server.c, tls/tls_verify.c.

20080104-nonprod

	Cleanup: finally implemented certificate verification depth
	limit parameters. Prior to Postfix 2.5 these were ignored.
	For backwards compatibility, the default verification depth
	limit is now 9, the OpenSSL default. Victor Duchovni. Files:
	src/tls/tls_client.c, src/tls/tls_server.c, src/tls/tls_verify.c.

	Robustness: Avoid possibility of NULL pointer issues in
	application code that checks certificate names, by providing
	"empty string" values when no data is available.  Victor
	Duchovni.  Files: src/tls/tls_verify.c, src/tls/tls_client.c,
	src/tls/tls_server.c, src/smtpd/smtpd_check.c, src/smtpd/smtpd.c.

	Cleanup: separation of TLS handshake from security level
	enforcement. The library shakes hands; the application
	decides if the resulting security is acceptable. Victor
	Duchovni.  Files: smtpd/smtpd.c, smtpd/smtpd_proto.c,
	tls/tls_server.c, tls/tls_client.c, tls/tls_verify.c.

	Robustness: more robust processing of ASN.1 string attributes
	in x509v3 certificates, plus additional sanity checks (e.g.
	embedded null characters). Victor Duchovni. File:
	src/tls/tls_verify.c.

20080104

	Workaround: minor change to the Dovecot AUTH request to
	prevent dovecot-auth memory wastage. Timo Sirainen.  File:
	xsasl/xsasl_dovecot_server.c.

20080105-nonprod

	Cleanup: renamed TLS-related symbols for consistency (always
	include the init, start, stop prefix in the TLS library
	function and data structure names; consistently distinguish
	between per-application TLS state and per-session TLS state;
	consistently use the fpt prefix for fingerprint related
	variables and structure members; consistent use of monocase
	typedef-ed names).

20080106-nonprod

	Cleanup: consistent use of <pre> and <blockquote> in examples;
	instead of emphasizing new Postfix 2.5 behavior in reference
	documentation, describe the new behavior as "current", with
	historical behavior as a supplemental note.

20080107

	Feature: new "pass" service type (in addition to "inet",
	"unix" and "fifo").  The "pass" service type supports
	front-end daemons that accept all inbound connections and
	that permit only well-behaved clients to talk to the MTA.
	This service type had been sitting in the master daemon for
	years but was disabled by default.  Actual applications for
	this will have to be developed later.  Files: util/upass_connect.c,
	util/upass_trigger.c.

20080108

	Cleanup: where possible, store data structures in read-only
	memory. Besides the security advantage of no write access,
	this also gives slightly better memory utilization when
	many processes execute the same file. Files: pretty much
	everything that has a static table, except for a few tables
	in the benchmark tools with flags that are controlled by
	command-line information.

20080109

	Cleanup: more read-only data. Files: everything that passes
	around a HEADER_OPTS pointer.

20080112

	Safety: optional lookup table to prevent the Postfix SMTP
	client from making repeated SASL login failures with the
	same hostname, username and password.  This introduces new
	parameters: smtp_sasl_auth_cache_name, smtp_sasl_auth_cache_time.
	Based on code by Keean Schupke.  Files: smtp/smtp_sasl_glue.c,
	smtp/smtp_sasl_auth_cache.c.

	Safety: the Postfix SMTP client now by default defers mail
	after the server rejects a SASL login attempt with a 535
	status code.  Specify "smtp_sasl_auth_soft_bounce = no" to
	get the earlier behavior.  Based on code by Keean Schupke.
	Files: smtp/smtp_sasl_glue.c.

20080114

	Safety: the smtpd_client_new_tls_session_rate_limit setting
	now also limits the number of failed TLS handshakes. This
	limits the impact of broken configurations. File: smtpd/smtpd.c.

20080115

	Bugfix (introduced 20080112): Patrik Rak found two bugs
	that largely canceled each other out, causing Postfix not
	to complain about a missing "proxy:" prefix with the new
	smtp_sasl_auth_cache_name parameter setting. File:
	smtp/smtp_sasl_glue.c.

	Documentation: new SOHO_README file for small/home offices.
	The text is automatically generated from bits and pieces of
	information that are scattered across other documents.
	File: mantools/make_soho_readme.

20080116

	Bugfix (introduced 20080112): missing #ifdef for the SASL
	login failure cache. File: smtp/smtp_sasl_auth_cache.h.

20080123

	Name fix: renamed the mumble_delivery_rate_delay parameter
	to mumble_destination_rate_delay, because it really is a
	per-destination feature. With this change we keep the option
	of implementing a future per-transport rate delay.

20080125

	Bugfix (introduced 20071216): missing {} in the LDAP client
	broke OpenLDAP TLS.  The setting tls_require_cert=no was
	further broken because Postfix used OpenLDAP incorrectly.
	Victor Duchovni.  This broke tls_require_cert=no File:
	global/dict_ldap.c.

20080126

	Cleanup: the post-install script now requires that it is
	invoked via the postfix(1) command. This was the intended
	use since Postfix 2.1, but it was never enforced.  The
	documentation for package maintainers has been updated
	accordingly. File: conf/post-install.

20080130

	Bugfix (introduced 20071204): wrong proxywrite process limit
	in the default master.cf file.  File: conf/master.cf.

20080131

	Bugfix (introduced 20080126): the new "do not execute
	directly" test in post-install got broken during code
	cleanup.  File: conf/post-install.

20080201

	Workaround: undo the changes that require that post-install
	is invoked via the postfix command, because this breaks
	when "postfix start" is invoked with an obsolete postfix
	command that doesn't export the new data_directory parameter.

	Workaround: pick up a missing data_directory setting from
	main.cf when "postfix start" is invoked with an obsolete
	postfix command. File: conf/post-install.

20080207

	Cleanup: soft_bounce support for multi-line Milter replies.
	File: src/milter/milter8.c.

	Cleanup: preserve multi-line format of header/body Milter
	replies. Files: cleanup/cleanup_milter.c, smtpd/smtpd.c.

	Cleanup: multi-line support in SMTP server replies.  File:
	smtpd/smtpd_chat.c.

	SAFETY: postfix-script, postfix-files and post-install are
	moved away from /etc/postfix to $daemon_directory. There
	were too many accidents where people clobbered these files
	with versions from an older Postfix release and ended up
	with an unusable Postfix setup.  Files: postfix-install,
	Makefile.in, postfix/postfix.c, conf/postfix-files,
	conf/postfix-script, conf/post-install.

20080212

	Feature: check_reverse_client_hostname_access, to make
	access decisions based on the unverified client hostname.
	For safety reasons an OK result is not allowed.  Noel Jones.
	Files: smtpd/smtpd_check.c plus header files and documentation.

20080215

	Safety: break SASL loop in case both the SASL library and
	the remote SMTP server are confused. File: smtp/smtp_sasl_glue.c.

20080220

	Safety: the master daemon now sets an exclusive lock on a
	file $data_directory/master.lock, so that the data directory
	can't be shared between multiple Postfix instances.  This
	would corrupt files that rely on single-writer updates
	(examples: verify(8) cache, tlsmgr(8) caches, etc.). File:
	master/master.c.

20080226

	Cleanup: the postfix command did not set argv[0] to a sane
	value when invoking postfix-script. Reported by Victor
	Duchovni. File: postfix/postfix.c.

20080228

	Bugfix: bounce(8) segfault on one-line template text.
	Problem found by Sacha Chlytor. File: bounce/bounce_template.c.

20080310

	Safety: the SMTP server's Dovecot authentication client now
	enforces the SASL mechanism output filter also on client
	command input. File: src/xsasl/xsasl_dovecot_server.c.

20080311

	Bugfix (introduced 20070811): the MAIL and RCPT Milter
	application call-backs no longer received {mail_addr} or
	{rcpt_addr} information. Problem reported by Anton Yuzhaninov.
	File: smtpd/smtpd.c.

	Bugfix (introduced 20080207): "cleanup -v" panic because
	the new "SMTP reply" request flag did not have a printable
	name. File: global/cleanup_strflags.c.

20080318

	Human factors: the PCRE and regexp maps now give more
	comprehensible error messages when people make the common
	mistake of indenting if/endif blocks. Files: util/dict_pcre.c,
	util/dict_regexp.c.

20080324

	Cleanup: the event_drain() function is now a proper event
	processing loop. File: util/events.c

	Feature: when the "postmap -q -" command reads lookup keys
	from standard input, it now understands RFC822 and MIME
	message format. Specify -h or -b to use headers or body
	lines as lookup keys, and specify -hm or -bm to simulate
	header_checks or body_checks.  The postmap -h option (without
	-m) will be compatible with a future postcat -h option.
	File: postmap/postmap.c.

20080411

	Bugfix (introduced Postfix 2.0): after "warn_if_reject
	reject_unlisted_recipient/sender", the SMTP server mistakenly
	remembered that recipient/sender validation was already
	done. File: smtpd/smtpd_check.c.

	Bugfix (introduced Postfix 2.3): the queue manager would
	initialize missing client logging attributes (from xforward)
	with real client attributes. Fix: enable this backwards
	compatibility feature only with queue files that don't
	contain logging attributes. Problem reported by Liviu Daia.
	Files *qmgr/qmgr_message.c.

20080424

	Cleanup: some warning messages said "regexp" or "regexp
	map" instead of "pcre map". File: util/dict_pcre.c.

20080426

	Feature: finer control over address verification error
	handling and amount of information disclosed in the SMTP
	reject message.  Parameters: unverified_recipient_defer_code,
	unverified_recipient_reject_reason, unverified_sender_defer_code,
	unverified_sender_reject_reason. If I don't do this properly,
	then someone will do it anyway. File: src/smtpd/smtpd_check.c.

20080428

	Cleanup: the proxy_read_maps (Postfix 2.0) default setting
	was not updated when adding sender/recipient_bcc_maps
	(Postfix 2.1) and smtp/lmtp_generic_maps (Postfix 2.3).
	File: global/mail_params.h.

	Cleanup: the SMTP server's XFORWARD and XCLIENT support was
	not updated when the smtpd_client_port_logging configuration
	parameter was added. Code by Victor Duchovni. Files:
	smtpd/smtpd.c, smtpd/smtpd_peer.c.

20080508

	Cleanup: delivery status notifications now prepend a
	Return-Path: message header to the returned message.
	File: bounce/bounce_notify_util.c.

20080509

	Bugfix: null-terminate CN comment string after sanitization.
	File: smtpd/smtpd.c.

20080510

	Cleanup: when extracting peer and issuer common name from
	TLS certificates, convert the result into UTF-8, and use
	RFC 2047 encoding when logging these as Received: header
	comment fields. Based remotely on code by Victor Duchovni.
	Files: smtpd/smtpd.c, tls/tls_verify.c.

20080511

	Cleanup: the RFC 2047 encoding of RFC*822 comments is too
	problematic.  The text that explains the problems is as
	long as the code itself.  That is usually a good indication
	that code is not ready for use.  File: smtpd/smtpd.c.

	Cleanup: block non-printable ASCII text in UTF8 encoded TLS
	peer and issuer common names.  File: tls/tls_verify.c.

20080602

	Workaround: avoid watchdog timeout in the local pickup
	daemon when the cleanup server expands a very large virtual
	alias list. Files: master/trigger_server.c, pickup/pickup.c.

20080603

	Workaround: avoid "bad address pattern" errors with non-address
	patterns in namadr_list_match() calls. File: util/match_ops.c.

	Feature: print fsstone elapsed time with sub-second time
	resolution.  Kenji Kikuchi. File: fsstone/fsstone.c.

20080606

	Bitrot: "make test" was broken due to recent changes in
	code and due to recent changes at mail-abuse.org.

20080618

	Add a note to SMTP session transcript email messages that
	other details may be found in the maillog file.  Files:
	smtpd/smtpd_chat.c, smtp/smtp_chat.c.

20080620

	Cleanup: with the "Before-queue content filter", RFC3848
	information was not added to the headers. Carlos Velasco.
	File smtpd/smtpd.c.

20080621

	Cleanup: include unread byte count in the SMTP server's "lost
	connection after DATA (xx bytes)" logging. Files: smtpd/smtpd.c.

20080629

	Bugfix (introduced Postfix 2.2): multiple inconsistencies
	in SASL support after introduction of TLS.  The Postfix
	SMTP server 1) complained about plain-text SASL configuration
	details when SASL was forbidden for plain-text sessions,
	and 2) ignored the smtpd_tls_auth_only parameter setting
	when built without TLS support.  Files: smtpd/smtpd.c,
	smtpd/smtpd_check.c, smtpd/smtpd_sasl_glue.[hc],
	smtpd/smtpd_state.c.

	Some clarification about recipient address versus domain,
	and recipients per message versus session. File:
	proto/postconf.proto.

	The description of SASL authentication attributes was
	garbled.  File: pipe/pipe.c.

	Information: the master(8) server now logs the version
	besides the configuration directory upon "postfix reload".
	File: master/master.c.

20080717

	Cleanup: a poorly-implemented integer overflow check for
	TCP MSS calculation had the unexpected effect that people
	broke Postfix on LP64 systems while attempting to silence
	a compiler warning.  File: util/vstream_tweak.c.

20080721

	The cleanup server now rejects undisclosed_recipients_header
	parameter values with invalid message header syntax.
	File: cleanup/cleanup_message.c.

20080725

	Paranoia: defer delivery when a mailbox file is not owned
	by the recipient. Sebastian Krahmer, SuSE.  Files:
	local/mailbox.c, virtual/mailbox.c.

20080804

	Bugfix: dangling pointer in vstring_sprintf_prepend().
	File: util/vstring.c.

20080814

	Security: some systems have changed their link() semantics,
	and will hardlink a symlink, contrary to POSIX and XPG4.
	Sebastian Krahmer, SuSE. File: util/safe_open.c.

	The solution introduces the following incompatible change:
	when the target of mail delivery is a symlink, the parent
	directory of that symlink must now be writable by root only
	(in addition to the already existing requirement that the
	symlink itself is owned by root).  This change will break
	legitimate configurations that deliver mail to a symbolic
	link in a directory with less restrictive permissions.

20080815

	Feature: the milter_default_action parameter now accepts
	the "quarantine" action. This works like "accept" but also
	freezes the mail in the "hold" queue. File: milter/milter8.c.

	Robustness: transition from setjmp()/longjmp() to the signal
	mask saving/restoring versions sigsetjmp()/siglongjmp().
	These functions have been around for 15 years, but they
	have had bugs on supported platforms, so makedefs tests for
	them.  Files: makedefs, util/sys_defs.h, util/vstream.h.

20080822

	Cleanup: the proxymap_service_name and proxywrite_service_name
	parameters make the proxymap service names configurable.
	This paves the way for a future option where the proxymap
	services are accessible via TCP so that they can be shared
	among multiple Postfix hosts.  File: global/dict_proxy.c.

	Feature: MacOS X support for kqueue style event handling,
	with workaround for broken MacOS X versions.  Files:
	util/sys_defs.h, makedefs.

	Cleanup: the makedefs script now keeps its test programs
	in a directory makedefs.d, instead of inlining them as
	fragile "here documents". Files: makedefs, makedefs.d/*.

20080823

	Feature: IPv6 dns blocklist lookup. File: smtpd/smtpd_check.c.

20080824

	Cleanup: untangled the MacOS X version dependent sections
	in the makedefs script, to make future updates easier. File:
	makedefs.

	Cleanup: don't log multiple Milter "hold" actions for the
	same email message. File: cleanup/cleanup_milter.c.

20080826

	Cleanup: moving test programs from makedefs into a makedefs.d
	directory brought more pain than gain.

	Cleanup: untangled the Linux version dependent sections in
	the makedefs script, to make future updates easier. File:
	makedefs.

	Documentation: MacOS process limit configuration by Quanah
	Gibson-Mount.  File: proto/TUNING_README.html.

	Feature: smtp-sink -M option to terminate after receiving
	a specified number of messages. Laurent Gentil. File:
	smtpstone/smtp-sink.c.

	Bugfix (introduced Postfix 2.4): epoll file descriptor leak.
	With Postfix >= 2.4 on Linux >= 2.6, Postfix has an epoll
	file descriptor leak when it executes non-Postfix commands
	in, for example, user-controlled $HOME/.forward files.  A
	local user can access a leaked epoll file descriptor to
	implement a denial of service attack on Postfix. Data
	confidentiality and integrity are not affected.  File:
	util/events.c.

20080903

	Don't enable kqueue (which requires poll) support on
	MacOS X. File: makedefs.

	Cleanup: remove obsolete Rhapsody and MacOS targets from
	makedefs.

20080929

	Workaround: don't log "file has 2 links" warnings when the
	condition appears to be temporary. As kernels have evolved
	from non-interruptible system calls towards fine-grained
	locks, the showq command has become likely to observe a
	file while the queue manager is in the middle of a rename
	operation, when the file has links to both the old and new
	name.  File: global/mail_open_ok.c.

	Workaround: don't loop forever when write() fails with a
	persistent EAGAIN error on a writable file descriptor.
	File: util/write_buf.c.

20081003

	Bugfix (introduced Postfix 2.1): when XFORWARD support was
	introduced with Postfix 2.1, the specification failed to
	clearly distinguish between missing and non-existent client
	information. This ambiguity affected the implementation:
	in $name expansions by delivery agents, unknown client
	hostnames could became empty strings (as if a submission
	was local), and local submissions could appear to originate
	from an SMTP-based content filter.  This was fixed with a
	a minor semantic change to the XFORWARD protocol.  Files:
	smtpd/smtpd.c, qmqpd/qmqpd.c, smtp/smtp_proto.c,
	cleanup/cleanup_envelope.c, proto/XFORWARD.html. Note: the
	changes to propagate local submission details were undone
	20082012.

	Feature: a DUNNO lookup result in per_sender_relayhost_maps
	stops the search without replacing the next-hop destination.
	File: trivial-rewrite/resolve.c.

20081005

	Bugfix: further refinements to the handling of missing or
	non-existent remote client attributes. Files: smtpd/smtpd.c,
	smtpd/smtpd.h.

	Documentation: the XFORWARD specification of the ADDR
	attribute did not agree with the actual on-the-wire protocol.
	Since we can't change already existing deployments, the
	spec has been updated. File: proto/XFORWARD_README.html.

20081006

	Bugfix: further refinements to the handling of remote client
	attributes.  Introduced a dummy "we have forwarded client
	info" record, to eliminate the need for the backwards
	incompatible queue file change that was introduced 20081003.
	Files: smtpd/smtpd.c, cleanup/cleanup_envelope.c,
	*qmgr/qmgr_message.c.

	Security: hardened the proxymap client, in case it ever
	ends up in a set-gid program. File: global/dict_proxy.c.

20081007

	Workaround: undo the proxymap client change. It broke
	chrooted servers when they attempted to reconnect to the
	proxy read/write service. File: global/dict_proxy.c.

20081008

	Safety: added checks that $queue_directory/pid is owned by
	root, and that $queue_directory/saved is owned by $mail_owner.
	File: conf/postfix-script.

20081010

	Feature: controls for opportunistic TLS protocols and
	ciphers. The smtp_tls_protocols, smtp_tls_ciphers, and
	equivalent parameters for lmtp and smtpd provide global
	settings; the SMTP client TLS policy table provides ciphers
	and protocols settings for specific peers.  Code by Victor
	Duchovni. Files: smtp/smtp.c, smtp/smtp_session.c, smtpd/smtpd.c
	and documentation.

20081012

	Cleanup: simplify the 20081003 changes and don't try to
	propagate local submission information through XFORWARD.
	Files: smtpd/smtpd.c, qmqpd/qmqpd.c, smtp/smtp_proto.c,
	cleanup/cleanup_envelope.c, proto/XFORWARD.html.

20081015

	Bugfix: GLIBC API version detection. Rob Foehl. File:
	util/sys_defs.h.

20081022

	Documentation: removed inapplicable daemon_timeout reference
	from qmgr(8), oqmgr(8), pickup(8). These daemons need to
	use a much shorter watchdog timer.

20081108

	Feature: smtp_sasl_tls_verified_security_options is no
	longer #ifdef SNAPSHOT.

	Feature: elliptic curve support. This requires OpenSSL
	version 0.9.9 or later. Victor Duchovni. Files: TLS_README,
	smtpd/smtpd.c, smtp/smtp.c, tls/tls_dh.c, tls/tls_certkey.c,
	tls/tls_server.c, tls/tls_client.c, tls/tls.h, tls/tls_misc.c.

	Bugfix (introduced Postfix 2.5): the Postfix SMTP server
	did not ask for a client certificate with "smtpd_tls_req_ccert
	= yes". Reported by Rob Foehl. File: smtpd/smtpd.c.

20081109

	Cleanup: confusing names of variables. File: smtpd/smtpd.c.

20081126

	Documentation: pcre_table(5) incorrectly claimed that the
	'x' flag supports #comment after text. File: proto/pcre_table.

20081202

	Cleanup: vstream_bufstat() provides a more systematic
	approach to get information about VSTREAM buffers. The
	vstream_peek() function is now a backwards compatibility
	wrapper.  Files: util/vstream.[hc].

	Cleanup: the SMTP server should warn about "lost connection
	after QUIT" only when the "." reply was pipelined together
	with the "QUIT" reply. File: smtpd/smtpd.c.

	Cleanup: the SMTP client's code was duplicating buffer
	management that was already done in the VSTREAM module.
	File: smtp/smtp_proto.c.

20081203

	Cleanup: adjust the VSTREAM buffer strategy when reusing
	an SMTP connection with a large TCP MSS value. File:
	smtp/smtp_reuse.c.

20081204

	Cleanup: state the SMTP client PIPELINING implementation's
	dependency on monotonic VSTREAM buffer size behavior, and
	add some checks for boundary cases with VSTREAM buffer size
	change requests. Files: util/vstream.c, smtp/smtp_proto.c.

20081205

	Fix 20081202 flush code. Victor Duchovni. File: smtpd/smtpd.c.

	Safety: add another check to "postfix check", in this case
	for group or other writable queue_directory. File:
	conf/postfix-script.

20081217

	Debugging: ad-hoc code to log the TLS error stack after
	VSTREAM read/write error.  File: tls/tls_bio_ops.c. In a
	better implementation, each I/O "object" would provide an
	optional error reporting method (besides timed_read and
	timed_write) that could be queried via the vstream module.

20081222

	Documentation: log the "*" pattern as the last transport
	map lookup. File: proto/transport.

20090103

	Documentation: rewrote NFS_README, to clarify the support
	status of Postfix and NFS, and to describe the NFS workarounds
	that Postfix actually implements.

20090106

	Feature: "postconf -# parametername ..." to comment out
	named parameter entries. Victor Duchovni.  File:
	postconf/postconf.c.

20090107

	Library: edit_file(3) module for cooperative editing of a
	file. Inspired by the postconf command, this creates a new
	version under a deterministic temporary name and renames
	it into place. The implementation uses an open/lock/stat
	protocol before updating the new file, and rename/unlock/close
	afterwards.  Based on pieces of code by Victor Duchovni,
	with minor improvements by Wietse.  Files: util/edit_file.[hc].

	Cleanup: the postconf command now uses the edit_file(3)
	module to manage collisions when multiple processes attempt
	to update the main.cf file.

20090108

	Feature: master_service_disable parameter (default: empty)
	to easily turn off/on master.cf services by type or by name
	and type. For example, to turn off the main SMTP listener
	use "master_service_disable = smtp.inet", and to turn off
	all TCP/IP listeners use "master_service_disable = inet".
	This immediately terminates all processes that provide the
	specified services. The master_service_disable feature does
	not distinguish services by their privacy property; some
	day, clients will not need to specify that anymore.  Files:
	global/mail_params.h, master/master.c, master/master_vars.c,
	master/master_ent.c.

	Bugfix (introduced May 19, 1997): removing a parameter
	setting from main.cf did not reset the parameter to its
	default value. This was a problem only in the master daemon.
	File: global/mail_conf.c, master/master_vars.c.

20090109

	Cleanup: "defer" action in access maps, and a corresponding
	access_map_defer_code parameter. No idea what was behind
	this omission.  Files: global/mail_params.h, smtpd/smtpd.c,
	smtpd/smtpd_check.c, proto/access.

	Workaround: specify "tcp_windowsize = 65535" (or less) to
	work around broken TCP window scaling implementations.  This
	is perhaps easier than collecting tcpdump output and tuning
	kernel parameters by hand.  See RELEASE_NOTES for how to
	change this setting without stopping Postfix.  Files:
	util/inet_connect.c, inet_listen.c, global/mail_params.[hc].

20090110

	Cleanup: create separate code modules for TCP window size
	handling, master.cf service name matching, and main.cf
	change monitoring.  Files: util/inet_windowsize.c,
	global/match_service.c, master/master_watch.c.

	Feature: TCP window size override for the Postfix SMTP/LMTP
	client, and for the smtp-source and smtp-sink test programs.
	Files: smtp/smtp_connect.c, smtpstone/smtp-source.c,
	smtpstone/smtp-sink.c.

20090114

	Bugfix: VERP now uses the Postfix original recipient, if
	available, because that is what the VERP consumer expects.
	Files: *qmgr/qmgr_deliver.c, bounce/bounce_notify_verp.c.

	Safety: extra check for broken third-party patches that
	allow file size limit < message size limit. This can cause
	mail to be stuck in the queue forever.

	Invisible change, in preparation for multi-instance support.
	Except for main.cf and master.cf, all files are optional
	for non-default Postfix configuration directories. File:
	conf/postfix-files.

20090115

	Cleanup: rewrote the 20090114 VERP bugfix, to replace code
	that "works" by code that is "right". Files: *qmgr/qmgr_deliver.c,
	bounce/bounce_notify_verp.c, global/verp_sender.c.

20090118

	Documentation: some URLs to enable/disable client-side TLS
	jumped into the middle of an enumeration.  File:
	proto/TLS_README.html.

20090119-21

	Feature: multi-instance manager plug-in API.  A sample
	multi-instance manager with instructions is available as
	$daemon_directory/postfix-wrapper. The plug-in API itself
	is described in postfix-wrapper(5).  Files: postfix/postfix.c,
	global/mail_params.[hc], proto/postfix-wrapper,
	conf/postfix-wrapper, conf/postfix-script, conf/postfix-files.

	Support to check/update shared files only in the context
	of the default Postfix instance. Files: conf/post-install,
	conf/postfix-script.

20090122

	Refinements: the multi-instance manager always replaces
	"start" by "check" when a Postfix instance is multi-instance
	disabled, so that problems will still be reported; polish
	documentation; delete unnecessary multi_instance_order
	parameter.  Files: conf/postfix-wrapper, proto/postfix-wrapper,
	global/mail_params.[hc] and documentation.

	Bugfix: the data_directory was not automatically created!
	File: conf/postfix-files.

20090123

	More little fixes in the "trivial but useful" postfix-wrapper
	including instructions. It's ready for testing in the field.
	File: conf/postfix-wrapper.

20090125

	Documentation: more precise description of multi-instance
	manager API, and minor edits of the example program. Files:
	conf/postfix-wrapper, proto/postfix-wrapper.

20090208

	Cleanup: enable multi-instance shared-file logic only when
	the instance is listed in multi_instance_directories.  Files:
	conf/post-install, conf/postfix-script.

20090210

	Feature: specify "reject_tempfail_action = defer" to
	immediately defer a remote SMTP client request after a
	reject-type restriction fails with a temporary error.  Based
	on code by Rob Foehl. File: smtpd/smtpd_check.c.

	Feature: finer control of reject_tempfail_action with
	unknown_address_tempfail_action, unverified_sender_tempfail_action
	unverified_recipient_tempfail_action, and
	unknown_helo_hostname_tempfail_action. See documentation
	for details.  File: smtpd/smtpd_check.c.

20090211

	Workaround: pass the SMTP server socket's local and remote
	peer address information to the Dovecot authentication server.
	This is incomplete code: it ignores XCLIENT server address
	overrides.  File: xsasl/xsasl_dovecot_server.c.

20090212

	Testing revealed that with mumble_tempfail_action=defer,
	the "defer" action was ignored.  Cause: the DEFER_IF_PERMIT[0-9]
	macros lost the SMTPD_CHECK_REJECT result value.  File:
	smtpd/smtpd_check.c.

	Feature: stress-dependent smtpd_timeout (normal: 300s,
	overload: 10s), smtpd_hard_error_limit (normal: 20, overload:
	1) and smtpd_junk_command_limit (normal: 100, overload: 1).
	Files: global/mail_params.h, global/mail_conf_nint.c,
	master/*_server.c, smtpd/smtpd.c.

20090213

	Fine tuning: don't enforce smtpd_junk_command_limit for
	XCLIENT and XFORWARD commands.  These commands can be issued
	only by authorized clients. File: src/smtpd/smtpd.c.

20090215

	Feature: the Postfix SMTP server hangs up after replying
	with "521". This makes overload handling more effective.
	See also RFC 1846.  File: smtpd/smtpd.c.

	Feature: postmulti mult-instance manager command, very
	lightly tested. The MULTI_INSTANCE_README still needs to
	be proofread.  Originally by Victor Duchovni.  Files:
	src/postmulti/*, proto/MULTI_INSTANCE_README.html,
	conf/postmulti-script.

20090216-24

	Cleanup: assorted code cleanups in postmulti.  File:
	src/postmulti/postmulti.c.

20090223

	Cleanup: multiple instances of the same global.  Files:
	util/inet_windowsize.c, util/inet_listen.c.

20090228

	Cleanup: the Postfix SMTP server now maintains a per-session
	"improper command pipelining detected" flag. This flag can
	be tested at any time with reject_unauth_pipelining, and
	is raised whenever a client command is followed by unexpected
	commands or message content.  Files: smtpd/smtpd.c,
	smtpd/smtpd_check.c.

	Logging: the Postfix SMTP server now logs the first command
	pipelining transgression as "improper command pipelining
	after <command> from <hostname>[<hostaddress>]".

	Cleanup: after DATA command failure, log "(approximately
	XX bytes)" only if Postfix actually accepted the DATA
	command.  File: smtpd/smtpd.c.

20090303

	Cleanup: word smithing of "sendmail -bv" probe message.
	File: sendmail/sendmail.c.

	Cleanup: OpenLDAP now provides a sane solution for conflicts
	with PAM ldap-over-tls. Victor Duchovni.  File: global/dict_ldap.c.

20090304

	Cleanup: skip over suspended or throttled queues while
	looking for delivery requests. File: *qmgr/qmgr_transport.c.

20090305

	Bugfix: in the "new queue manager", the _destination_rate_delay
	code needed to postpone the job scheduler updates after
	delivery completion, otherwise the scheduler could loop on
	blocked jobs.  Victor & Wietse.  File: qmgr/qmgr_entry.c,
	qmgr/qmgr_queue.c, qmgr/qmgr_job.c.

	Cleanup: report a "queue file write error", instead of
	passing though bogus 2xx replies from proxy filters to SMTP
	clients.  File: smtpd/smtpd_proxy.c.

20090307

	Cleanup: with "lmtp_assume_final = yes", the Postfix LMTP
	delivery agent assumes that delivery is final when talking
	to an LMTP server that announces no DSN support.  Otherwise,
	the Postfix LMTP delivery agent assumes that delivery is
	"relayed", to maintain compatibility with simple LMTP-based
	content filters.  Based on code by Michel Sebastien, ATOS
	Origin.  File: smtp/smtp_rcpt.c.

20090310

	Bugfix: Postfix used mumble_concurrency_failed_cohort_limit
	instead of mumble_destination_concurrency_failed_cohort_limit
	as documented. File: global/mail_params.h.

20090330

	Cleanup: add (Resent-) From:, Date:, Message-ID: or To:
	headers only when clients match $local_header_rewrite_clients.
	Specify "always_add_missing_headers = yes" for backwards
	compatibility.  Adding such headers to remote mail can break
	DKIM signatures that cover headers that are not present.
	File: cleanup/cleanup_message.c.

20090415

	Workaround: to avoid unnecessary "fatal" delivery agent
	exits, delivery agents retry getting a shared lock on a
	queue file.  This is necessary since the queue manager's
	behavior was changed years ago to refill the in-memory
	recipient list before it was completely empty.  File:
	global/deliver_request.c.

	Documentation: updated STRESS_README.

20090416

	Workaround: some AWK implementations have a limit of 10
	output files and lack a working close() function. It is too
	much trouble to find out what systems have this limitation,
	and where, if any, such systems store their XPG4-compatible
	AWK program.  So instead we generate a stream of here
	documents and let the shell split the stream into files.
	File: postconf/extract.awk.

	Documentation: clarification of certificate file usage.
	Victor Duchovni.  Files: proto/postconf.proto,
	proto/TLS_README.html.

	Feature: pass a "TLS is active" flag to the server-side
	SASL support.  Based on code by Timo Sirainen, except that
	the implementation uses an extensible API so that it will
	be less painful to add more attributes in future Postfix
	versions.  Files: xsasl/xsasl.h, xsasl/xsasl_*server.c,
	smtpd/smtpd_sasl_glue.c.

20090417

	Documentation: re-generate READMEs and manpages for updated
	hyperlinks.

	Documentation: missing hyperlinks and missing parameters
	in manpages. File: mantools/postlink, mantools/check-postlink.

20090418

	Cleanup: use the extensible API to pass SMTP client address
	information to the dovecot SASL plugin, and prepare for
	passing server address information. Files: xsasl/xsasl.h,
	xsasl/xsasl_dovecot_server.c, smtpd/smtpd_sasl_glue.c.

	Same extensible API transformation for the SASL client-side
	code to make future extensions less painful. Files:
	xsasl/xsasl.h, xsasl/xsasl*client.c, smtp/smtp_sasl_glue.c.

	More postlink fixes. File: mantools/postlink.

20090419

	Bugfix: don't re-enable SIGHUP if it is ignored in the
	parent. This may cause random "Postfix integrity check
	failed" errors at boot time (POSIX SIGHUP death), causing
	Postfix not to start. We duplicate code from postdrop and
	thus avoid past mistakes.  File: postsuper/postsuper.c.

	Robustness: don't re-enable SIGTERM if it is ignored in the
	parent. Files: postsuper/postsuper.c, postdrop/postdrop.c.

20090422

	Undo delivery agent change 20090415. The queue manager never
	locks a queue file to read additional recipients into memory,
	so if a delivery agent runs into a locked file, then something
	is seriously wrong. File: global/deliver_request.c.

20090424

	Compatibility: the Postfix SMTP client no longer uses the
	obsolete SSLv2 by default for opportunistic encryption.
	This has nothing to do with security (we're willing to send
	plaintext over an unauthenticated connection) but with the
	loss of advanced options that give better performance.
	Victor Duchovni. Files: proto/postconf.proto, global/mail_params.h.

20090426

	Feature: more accurate support for Milter macros {mail_addr}
	and {rcpt_addr}, and new support for Milter macros {mail_host},
	{mail_mailer}, {rcpt_host}, and {rcpt_mailer}.  Files:
	milter/milter.[hc], smtpd/smtpd.[hc], smtpd/smtpd_milter.c,
	smtpd/smtpd_resolve.c.

	Feature: support to report rejected recipients to Milters
	(SMFIP_RCPT_REJ). Postfix reports the event as decribed in
	Sendmail 8.14.0 documentation: {rcpt_mailer} = "error",
	{rcpt_host} = enhanced status code (e.g., "5.7.1"), and
	{rcpt_addr} = reason to reject (e.g., "Relay access denied").
	Files: milter/milter.[hc], milter/milter8.c, smtpd/smtpd.[hc],
	smtpd/smtpd_milter.c.

20090427

	Feature: Milter support for replacing the envelope sender
	and adding recipients (SMFIR_CHGFROM, SMFIR_ADDRCPT_PAR).
	This support currently ignores ESMTP command parameters.
	Files: milter/milter8.c, cleanup/cleanup_milter.c.

20090428

	Compatibility: to make all the new Milter features usable,
	raise the default milter_protocol setting from 2 to 6.
	This has been tested with a Sendmail 8.14 libmilter.
	File: global/mail_params.h.

	Bugfix: don't disable MIME parsing with smtp_header_checks,
	smtp_mime_header_checks, smtp_nested_header_checks or with
	smtp_body_checks. Bug reported by Victor. File: smtp/smtp_proto.c.

	Code cleanups: respect VSTRING invariants by using VSTRING_RESET
	and VSTRING_TERMINATE instead of directly groping the
	underlying character buffer. Files: global/dsn_buf.c,
	milter/milter8.c.

20090507

	main.cf:tls_random_source now defaults to /dev/arandom on
	OpenBSD.  This device was introduced before Postfix development
	began. Files: util/sys_defs.h, global/mail_params.h.

20090510

	Code cleanups: while emulating SMTP client requests for
	Milter applications, use user@domain form addresses as
	required by the SMTP protocol, instead of bare usernames.
	This avoids hard to debug errors from some Milter applications.
	Files: cleanup/cleanup_envelope.c, cleanup/cleanup_extracted.c,
	cleanup/cleanup_addr.c.

20090511

	Code cleanups: don't clobber -o command-line arguments so
	that Linux people can debug daemon command lines more easily.
	Files: master/*server.c.

20090513

	Code cleanups: better parsing of Postfix daemon "-o"
	command-line options, with better error handling.  Files:
	master/*server.c.

20090518

	Documentation: missing dummy entries for lmtp_mumble_checks.
	File: proto/postconf.proto.

20090519

	Bugfix (introduced: Postfix 2.3, but did not cause trouble
	until 20090427).  Queue file corruption with (smtpd_milters
	or non_smtpd_milters) enabled, AND with delay_warning_time
	enabled, AND with short envelope sender addresses (e.g.,
	local submissions with bare usernames, but not bounces).
	The queue file would be corrupted when the delay_warning_time
	record was marked as "done" after sending the "your mail
	is delayed" notice.  File: qmgr/qmgr_message.c.

20090522

	Bugfix (introduced: Postfix 2.3).  The cleanup server
	rejected mail with records of type REC_TYPE_DRCP (recipient
	deleted by Milter), but such records could be present in
	mail re-submitted with "postsuper -r". Found during code
	review. Files: global/record.h, cleanup/cleanup_envelope.c.

20090524

	Feature: new postcat options: -e (print envelope), -h (print
	header), and -b (print body). Specify "postcat -bh" to
	suppress information about envelope records, and "postcat
	-h" to get the message header only. With large messages,
	"postcat -h" is much faster than manually stripping the
	message body from the output. File: postcat/postcat.c.

20090528

	Bugfix (introduced: Postfix 2.6 change 20080629): with
	plaintext sessions, smtpd_tls_auth_only=yes caused spurious
	warnings with reject_authenticated_sender_login_mismatch,
	and broke reject_unauthenticated_sender_login_mismatch and
	reject_sender_login_mismatch.  Based on fix by Victor
	Duchovni. File: smtpd/smtpd_check.c.

20090603

	Cleanup: Postfix 2.3 adopted a file descriptor passing
	workaround for OpenBSD. This workaround was hard-coded for
	all platforms because there were no have adverse effects.
	This is no longer the case: OpenBSD is fixed, and NetBSD
	does not like the workaround. We now default back to the
	non-workaround code and turn on the workaround dynamically.
	Files: util/unix_send_fd.c, unix_recv_fd.c, unix_pass_fd_fix.c.

20090605

	Portability: modern kernels below ancient user-land. File:
	makedefs.

20090606

	Feature: post-Milter header checks, with all actions except
	PREPEND. To enable, specify for example "milter_header_checks
	= pcre:/path/to/file".  Files: cleanup/cleanup_init.c,
	cleanup/cleanup_milter.c, cleanup/cleanup_extracted.c,
	cleanup/cleanup_state.c.

	Bugfix: non-portable command pathname in postmulti-script.

	Safety: "postmulti -e destroy" no longer attempts to remove
	files that are created AFTER "postmulti -e create". Rationale:
	by design, postfix queue/data directories are not trusted;
	actions within those directory trees must not affect files
	outside those those trees (e.g. by symlink race attacks).
	We don't want to be nailed with a bunch of CVEs for unsafe
	pathname handling.  File: conf/postmulti-script.

20090607

	Cleanup: revise milter_header_checks action implementation,
	and avoid redundant logging and work when milter_header_checks
	and Milters make redundant or conflicting decisions. File:
	cleanup_milter.c.

20090614

	Preliminary postscreen triage server for all inbound SMTP
	connections.  This is not a proxy: it rejects bad clients
	and forwards the rest of the connections to a real Postfix
	SMTP server. The initial version does a simple "friend or
	foe" based on whether the client starts talking too soon.
	Decisions are cached, so "good" clients have no overhead.
	File: postscreen/postscreen.c.

	Cleanup: more robust code for receiving file descriptors
	via the "pass" master service protocol.  File:
	util/upass_listen.c.

20090617

	Temporary helper daemon that does parallel DNSBL lookups
	for postscreen(8). It logs successful lookups to the maillog
	file without blocking the client. postscreen(8) will use
	the results in a later non-production version. To enable
	DNSBL lookups, specify "postscreen_dnsbl_sites = name,
	name, etc". and restart postscreen(8) with "postfix reload".
	File: src/dnsblog/dnblog.c.

20090618

	postscreen(8) logging and actions are now documented in the
	postscreen(8) manpage. When a client is listed in DNSBLs
	specified with postscreen_dnsbl_sites, it is no longer
	whitelisted. Instead the number of blocklist hits is logged.
	File: postscreen/postscreen.c.

20090619

	postscreen(8) by default no longer immediately drops
	connections. Specify "postscreen_greet_action = drop" and
	"postscreen_hangup_action = drop" for the old behavior.
	There is also a new postscreen_dnsbl_action parameter, for
	completeness.  File: postscreen/postscreen.c.

20090708

	Portability: FreeBSD 8 has closefrom(). File: uti/sys_defs.h.

20090710

	Bugfix (introduced Postfix 2.3): Postfix got out of sync
	with a Milter application after the application sent a
	"quarantine" request at end-of-message time. The milter
	application would still be in the end-of-message state,
	while Postfix would already be working on the next SMTP
	event (typically, QUIT or MAIL FROM).  Problem diagnosed
	with help from Alban Deniz. File: milter/milter8.c.

20090711-2

	New "event_server" Postfix server framework. It is similar
	to the "multi_server" framework but does not manage client
	I/O events.  This framework is suitable for servers such
	as postscreen that have complex event management requirements.
	File: master/event_server.c.

	New event_fork() primitive to resume event processing in a
	child process after it is created with fork(). This is
	needed by postscreen to complete work-in-progress in the
	background after "postfix reload". File: util/events.c.

	Cleanup: postscreen migrated to the "event_server" framework.
	File: postscreen/postscreen.c.

20090712

	Cleanup: ${multi_instance_name:postfix}${multi_instance_name
	?$multi_instance_name} garbage in Postfix logging is now
	hopefully gone.  File: global/mail_task.c.

20090715

	Documentation: as of Postfix 2.6, the reject_unauth_pipelining
	feature can be used meaningfully at any protocol stage.
	File: proto/postconf.proto.

20090717

	Cleanup: postscreen PREGREET detection now uses non-destructive
	read, so that the real SMTP server can still receive the
	HELO command (apparently some sites allow pregreeters to
	talk to their servers).  File: postscreen/postscreen.c.

20090805

	Bugfix: don't panic when an unexpected smtpd access map is
	specified. File: smtpd/smtpd_check.c.

20090918

	Bugfix (introduced Postfix 2.3): with Milter RCPT TO replies
	turned off, there was no automatic flush-before-read on the
	smtpd-to-milter stream, because the read was done on the
	cleanup-to-milter stream. Problem reported by Stephen Warren.
	File: milter/milter8.c.

20091005

	Bugfix: core dump while printing error message for malformed
	%<letter> sequence in LDAP, MySQL or PostgreSQL configuration.
	File: global/db_common.c. Fix by Victor Duchovni.

20091006

	Feature: "postscreen_whitelist_networks = $mynetworks" (the
	default) to avoid problems with buggy SMTP implementations
	in network appliances.  Note: this feature never uses the
	remote SMTP client hostname.  Files: global/addr_match_list.[hc],
	postscreen/postscreen.c.

	Feature: postscreen_blacklist_networks (default: empty) to
	permanently blacklist hosts or networks. Address syntax is
	as with mynetworks. Note: this feature never uses the remote
	SMTP client hostname.  File: postscreen/postscreen.c.

	Feature: postscreen_blacklist_action (default: continue)
	to control what happens with a permanently blacklisted
	client. File: postscreen/postscreen.c.

20091007

	Feature: hostname-based check_client_{mx,ns}_access,
	check_reverse_client_hostname_{mx,ns}_access (the client
	IP address is not used). Rob Foehl.  Files: smtpd/smtpd_check.c,
	global/mail_params.h, proto/postconf.proto, mantools/postlink.

20091008

	Documentation: restructured the postscreen(8) manpage
	as a sequence of tests. File: postscreen/postscreen.c.

20091012

	Bugfix: postmulti did not skip commands with -p.  Luca
	Berra. File: postmulti/postmulti.c.

20091023

	Feature: specify "smtpd_command_filter = pcre:/file/name"
	to replace remote SMTP client commands before they are
	executed by the Postfix SMTP server. This a last-resort
	tool to fix inter-operability problems.  See examples in
	the postconf(5) manual page.  File: smtpd/smtpd.c.

20091026

	Cleanup: changed parameter evaluation order so that the
	multi_instance_wrapper parameter value is evaluated after
	the command and daemon directory parameters. File:
	global/mail_params.h.

20091101

	Performance: specify "smtpd_proxy_options = speed_adjust"
	to receive an entire message before sending it through a
	before-queue content filter. This reduces the number of
	simultaneous content filtering processes, and thus, the
	system memory requirements.  Files: smtpd/smtpd.[hc],
	smtpd/smtpd_proxy.[hc].

20091103-4

	Cleaned up the speed-adjust code, streamlined the error
	handling, and updated documentation. Files: smtpd/smtpd.[hc],
	smtpd/smtpd_proxy.[hc], proto/SMTPD_PROXY_README.html.

20091105

	Cleaning up after speed_adjust introduction: smtpd segfault
	caused by an incomplete API change; refined the queue space
	check; release scratch space immediately after delivering
	mail to the before-queue filter. Files: smtpd.c, smtpd_proxy.c.

20091110

	Workaround: specify "smtp_tls_block_early_mail_reply = yes"
	to detect a mail hijacking attack based on a TLS protocol
	vulnerability (CVE-2009-3555). The attack involves prepending
	malicious HELO/MAIL/RCPT/DATA commands to a Postfix SMTP
	client TLS session. The attack would succeed with non-Postfix
	SMTP servers that reply to the malicious commands after
	negotiating the Postfix SMTP client TLS session. File:
	smtp/smtp_proto.c.

20091113

	Workaround: skip interfaces without netmask, to avoid
	segfaults (reported by Dmitry Karasik). Don't supply a dummy
	null netmask, as that would turn Postfix into an open relay
	(mynetworks = 0.0.0.0/0). File: util/inet_addr_local.c.

	Bugfix: forgot to flush output to the smtpd_proxy speed-adjust
	buffer before truncating the file. Reported by Mark Martinec,
	fix by Victor Duchovni. File: smtpd/smtpd_proxy.c.

20091114

	Feature: specify "smtp_reply_filter = pcre:/file/name" to
	replace remote SMTP server reply lines before they are
	parsed by the Postfix SMTP client. This a last-resort tool
	to fix inter-operability problems.  See examples in the
	postconf(5) manual page.  File: smtp/smtp_chat.c.

	Safety: don't send postmaster notifications to report
	problems delivering (possible) postmaster notifications.
	File: smtp/smtp_connect.c.

20091121

	Feature: sender_dependent_default_transport_maps, to override
	the default transport in a sender-dependent manner. This
	is not a transport_maps override, and therefore it does not
	use the transport_maps syntax for null transport, null
	nexthop, or null email address.

20091127

	Usability: the Postfix SMTP client now logs a warning that
	wrappermode TLS is not supported, when configured to connect
	to port smtps/465. File: smtp/smtp_connect.c.

20091203

	Safety: the postscreen daemon logs a warning when table
	lookup is slow. Slow lookups cause postscreen to fall behind,
	and worse, to catch up in bursts, which results in overload
	elsewhere.  File: postscreen/postscreen.c.

20091206

	Feature: by popular demand, the Postfix SMTP server now
	logs the before-queue content filter's end-of-message
	accept/reject response.  File: smtpd/smtpd.c.

20091209

	Portability: as the result of continuous improvement,
	Berkeley DB no longer allows fork-then-close. File:
	postscreen/postscreen.c.

	Bugfix: sender_dependent_relayhost_maps did not reject an
	empty lookup result, and did not recognize lookup errors,
	thus treating errors as "not found". Problem found during
	code maintenance. File: trivial-rewrite/resolve.c.

	Cleanup: the postscreen daemon now applies the permanent
	whitelist first. It is a safety feature that prevents mail
	from being blocked. File: postscreen/postscreen.c.

20091224

	Bugfix (introduced 20041215): dict_dbm_sequence() did not
	release the shared lock when the end of the sequence was
	reached. File: util/dict_dbm.c.

20091227

	Cleanup: postscreen and verify periodic cache cleanup
	(default: 12 hours after the previous cache cleanup run).
	This is based on a new dict_cache(3) module that implements
	a generalized version of the tlsmgr(8) cache maintenance
	code.  Once the new dict_cache(3) code is burned in, the
	tlsmgr(8) will be migrated to it. See the RELEASE_NOTES for
	user interface details. Files: util/htable.[hc], util/dict_ht.c,
	util/dict_cache.[hc], postscreen/postscreen.c, verify/verify.c.

	Bugfix: the event handler starved I/O events when a timer
	call-back routine scheduled a zero-delay timer request.
	This bug was exposed when adding the new dict_cache(3)
	module for cache expiration.  File: util/events.c.

20091228

	Cleanup: postscreen and verify periodic cache cleanup is
	now optional (specify a null time interval between cache
	cleanup runs).

20091229

	Cleanup: the address_verify_poll_count default parameter
	value is now stress-dependent, so that the Postfix SMTP
	server will not wait (up to 6 seconds) for the address
	verification result. File: global/mail_params.h.

	Final solution for the I/O event starvation problem when a
	timer call-back schedules a zero-delay timer request.  File:
	util/events.c.

20091231

	Cleanup: the non-shared, in-memory hash table is now
	accessible as the "internal:" map type. This simplifies
	code by eliminating some special cases. Files: util/dict_ht.c,
	util/dict_open.c, and documentation.

20100101

	Bugfix: the mantools/postlink script applied hyperlinks
	for the "virtual:" transport to "/etc/postfix/virtual:".
	Symptom reported by Christoph Anton Mitterer.

20100102

	Workaround: don't report bogus Berkeley DB close errors as
	fatal errors. All operations before close are already error
	checked, so the data is known to be safe.  File: util/dict_db.c.

20100107

	Documentation: the access(5) manual page did not document
	the "send 521 and disconnect" behavior in the Postfix SMTP
	server (introduced with Postfix 2.6). File: proto/access.

	Bugfix: the pickup daemon did not discard messages that
	were requeued after all recipients were delivered (or
	bounced), and the cleanup server tried to bounce such
	messages. Files: pickup/pickup.c, global/cleanup_user.h.

	Future proofing: redundant code in postdrop to reject a
	submission without recipient record. File: postdrop/postdrop.c.

20100109

	Cleanup: "postcat -q" will now access files in the "saved"
	queue directory (for corrupted queue files). As before, the
	"postsuper" command will not, to avoid suddenly deleting
	such files. Files: global/mail_queue.h postcat/postcat.c.

20100113

	Cleanup: don't supply the "-o stress" command-line option
	with a single-process service. File: master/master_ent.c.

20100115

	Bugfix: the valid_hostname() fuction did not set the
	"non-numeric" flag after encountering the '-' character.
	Reported by Jan Schampera.  File: util/valid_hostname.c.

20100116

	Documentation: the content_filter and FILTER features never
	supported the special cases of transport_maps. References
	to transport_maps syntax are now removed from content filter
	discussions.  Files: proto/postconf.proto, proto/FILTER_README.

	Workaround: as of Postfix 2.3 the VRFY command did not allow
	a mailbox address inside <>, which broke expectations.  RFC
	2821 (and 5321) is vague about the VRFY request format, but
	spends lots of text on the reply format.  File: smtpd/smtpd.c.

20100117

	Cleanup: when a content_filter parameter or FILTER command
	specifies an empty next-hop destination, the queue manager
	now uses the recipient domain instead of $myhostname. Specify
	"default_filter_nexthop = $myhostname" for compatibility
	with Postfix 2.6 and earlier, or specify a non-empty next-hop
	filter destination.  Files: *qmgr/qmgr_message.c proto/access,
	proto/header_checks, proto/postconf.proto, proto/FILTER_README.

20100120

	Cleanup: detect illegal pipelining after HELO, EHLO.  File:
	smtpd/smtpd.c.

20100128

	Documentation: streamlined the decriptions of protocol and
	cipher tweaks. Victor Duchovni. Files: proto/TLS_README,
	proto/postconf.proto.

20100131

	Documentation: the address verification database is now
	persistent by default. This, combined with the now default
	stress-dependent configuration, improves the performance
	limits and simplifies database maintenance.  Files:
	proto/ADDRESS_VERIFICATION_README, verify/verify.c.

	Cleanup: undo the proxymap and trivial-rewrite max_idle=1s
	override that was introduced with Postfix 2.3. It did not
	help to retire long-lived proxymap or trivial-rewrite
	processes on busy servers, and worsened performance on
	low-traffic servers. The reduced ipc_ttl value (introduced
	with Postfix 2.4) already solves the problem of retiring
	long-lived proxymap or trivial-rewrite processes.  Files:
	proxymap/proxymap.c, trivial-rewrite/trivial-rewrite.c.

20100202

	Documentation: major revision of SASL_README with many
	details on how to configure Cyrus SASL internals. Patrick
	Koetter.  File: proto/SASL_README.html

20100204

	Feature: added "forward_secrecy" option for Cyrus SASL.
	File: xsasl/xsasl_cyrus_security.c.

20100206

	Bugfix (from day zero): the local delivery agent returned
	undeliverable mail to the envelope sender instead of the
	owner- alias, when delivering to command or file. This
	reuses the workaround that was implemented to report a
	Delivered-To: loop. Files: local/file.c, local/command.c,
	local/recipient.c, local/bounce_workaround.c.

20100209

	The tcp_table(5) interface is now part of the stable release.
	The last protocol change was in Postfix 2.1. File:
	util/dict_open.c.

20100305

	Feature: reject_rhsbl_reverse_client, to reject a remote
	SMTP client based on its unverified reverse hostname.  Code
	by Noel Jones. Files: smtpd/smtpd_check.c, proto/postconf.proto.

	Feature: smtp_address_preference (default: ipv6) to control
	the order in which the Postfix SMTP client will connect to
	a destination that has IPv6 and IPv4 addresses with equal
	MX preference. Files: global/mail_params.h, smtp/smtp.c,
	smtp/smtp_params.c, smtp/smtp_addr.c, dns/dns_rr.c,
	and documentation.

20100321

	Feature: allow Milter applications to use a lower protocol
	version than the version that Postfix is configured for.
	Based on an idea by Kouhei Sutou.  File: milter/milter8.c.

20100322

	Bugfix (introduced 20100305) the new smtp_address_preference
	feature was not tested with LMTP support. Problem reported
	by Stefan Foerster. File: smtp/smtp.c.

20100407

	Bugfix (introduced 20100305): reject_rhsbl_reverse_client
	was skipped if the forward-confirmed reverse DNS (FCRDNS)
	remote SMTP client hostname was "unknown".  Victor Duchovni.
	File: smtpd/smtpd_check.c.

20100422

	Workaround (introduced: postfix-19990906 a.k.a. Postfix
	0.8.0).  The Postfix local delivery agent did not properly
	distinguish between "address has no extension" and "address
	has an extension, but the extension is invalid". In both
	cases it would run only the full recipient local-part through
	the alias maps.  Instead, it now drops the faulty extension
	from the recipient address local-part (it would be too
	error-prone to replace all tests for "no extension" by tests
	for "no valid extension".  File: local/recipient.c.

20100430

	Feature: customized hard/soft reject responses by Jason
	Parsons.  File: smtpstone/smtp-sink.c.

20100515

	Bugfix (introduced Postfix 2.6): the Postfix SMTP client
	XFORWARD implementation did not skip "unknown" SMTP client
	attributes, causing a syntax error when sending a PORT
	attribute. Reported by Victor Duchovni. File: smtp/smtp_proto.c.

20100526

	Cleanup: a unit-test driver was not updated after an internal
	API change. Vesa-Matti J Kari File: milter/milter.c.

20100529

	Portability: OpenSSL 1.0.0 changes the priority of anonymous
	cyphers. Victor Duchovni. Files: postconf.proto,
	global/mail_params.h, tls/tls_certkey.c, tls/tls_client.c,
	tls/tls_dh.c, tls/tls_server.c.

	Portability: Mac OS 10.6.3 requires <arpa/nameser_compat.h>
	instead of <nameser8_compat.h>. Files: makedefs, util/sys_defs.h,
	dns/dns.h.

20100531

	Robustness: skip LDAP queries with non-UTF-8 search strings
	(in anticipation of UTF8SMTP support).  File: global/dict_ldap.c.

	Strict UTF-8 validator per RFC 3629. File: util/valid_utf8_string.c.

20100601

	Cleanup: Postfix LDAP client support for RFC 2255 LDAP URLs.
	Victor Duchovni. Files: proto/ldap_table global/dict_ldap.c.

	Safety: Postfix processes log a warning when a matchlist
	has a #comment at the end of a line (for example mynetworks
	or relay_domains).  File: util/match_list.c.

	Portability: Berkeley DB 5.x has the same API as Berkeley
	DB 4.1 and later. File: util/dict_db.c.

20100610

	Bugfix (introduced Postfix 2.2): Postfix no longer appends
	the system default CA certificates to the lists specified
	with *_tls_CAfile or with *_tls_CApath.  This prevents
	third-party certificates from getting mail relay permission
	with the permit_tls_all_clientcerts feature.  Unfortunately
	this may cause compatibility problems with configurations
	that rely on certificate verification for other purposes.
	To get the old behavior, specify "tls_append_default_CA =
	yes".  Files: tls/tls_certkey.c, tls/tls_misc.c,
	global/mail_params.h.  proto/postconf.proto, mantools/postlink.

20100615

	Cleanup: the master no longer logs "process P killed with
	signal S" when it shuts down a running service (for example,
	the service is removed from master.cf, or the service is
	disabled via the main.cf master_service_disable parameter).
	File: master/master_spawn.c.

20100617

	Feature: read-only sqlite support based on code by Axel
	Steiner and documentation by Jesus Garcia Crespo. Files:
	conf/postfix-files, mantools/postlink, proto/DATABASE_README.html,
	proto/Makefile.in, proto/INSTALL.html, proto/mysql_table,
	proto/pgsql_table, proto/sqlite_table, proto/SQLITE_README.html,
	global/Makefile.in, global/mail_dict.c, global/dict_sqlite.c,
	global/dict_sqlite.h, postconf/postconf.c, postfix/postfix.c.

20100618

	Cleanup: SQLite read-only driver and documentation.  Files:
	global/dict_sqlite.c, proto/mysql_table, proto/SQLITE_README.html.

20100707

	Completed the 20100610 bugfix. File: tls/tls_misc.c.

20100714

	Compatibility with Postfix < 2.3: fix 20061207 was incomplete
	(undoing the change to bounce instead of defer after
	pipe-to-command delivery fails with a signal). Fix by Thomas
	Arnett. File: global/pipe_command.c.

20100715

	Convenience: "postconf name=value ..." is now equivalent to
	"postconf -e name=value ...".  File: postconf/postconf.c.

20100724

	Feature: INFO header/body_checks action for non-warning
	messages (for example, to log all Milter-inserted headers).
	File: global/header_body_checks.c, proto/header_checks.

	Cleanup: after-filter Postfix SMTP servers now log before-filter
	queue IDs. For this, the XFORWARD protocol was extended
	with an IDENT attribute for the before-filter queue ID.
	This code was started in Postfix 2.1, but it was never
	finished due to time constraints.  Files: smtpd/smtpd.[hc]
	smtpd/smtpd_proxy.c, smtpd/smtpd_sasl_proto.c,
	*qmgr/qmgr_message.c, *qmgr/qmgr_deliver.c,
	global/deliver_request.[hc], global/mail_proto.h,
	global/deliver_pass.c, smtp/smtp_proto.c.

20100727

	Bugfix: the milter_header_checks parser provided only the
	actions that change the message flow (reject, filter,
	discard, redirect) but disabled the non-flow actions (warn,
	replace, prepend, ignore, dunno, ok).  File:
	cleanup/cleanup_milter.c.

20100827

	Performance: fix for poor smtpd_proxy_filter TCP performance
	over loopback (127.0.0.1) connections. Problem reported by
	Mark Martinec.  Files: smtpd/smtpd_proxy.c.

	Bugfix: the Postfix SMTP client no longer appends the local
	domain when looking up a DNS name without ".".  Specify
	"smtp_dns_resolver_options = res_defnames" to get the old
	behavior, which can produce unexpected results. Files:
	smtp/smtp.c, smtp/smtp_params.c, smtp/smtp_addr.c.

20100828

	Refactoring: postscreen source code broken up into multiple
	files, and identifiers updated to match changes in their
	purpose.  This will be the baseline for adding support for
	DNSBL weighting, then a dummy engine to collect forensic
	evidence with the option of future protocol checks.  Files:
	postscreen/*.[hc], Makefile.in.

20100829

	Postscreen DNSBL support for optional fixed-string filters
	and optional integral weight factors (use negative weights
	for whitelisting). See RELEASE_NOTES and postconf(5) for
	details.  Files: postscreen/postscreen_dnsbl.c,
	proto/postconf.proto, mantools.postlink, global/mail_params.h.

	Incompatibility: the postscreen-to-dnsblog protocol was
	changed to support DNSBL query result filters. Use "postfix
	reload" after installing the new version otherwise the
	dnsblog(8) server may complain.

20100830

	Polished the postscreen documentation and comments to clarify
	the user interface and implementation. No code changes.

20100831-910

	Restructured postscreen and added support for a dummy SMTP
	protocol engine. This engine logs rejected attempts to
	deliver mail with helo/sender/recipient information, and
	implements deep protocol tests.  The first deep protocol
	test is for command pipelining, where a client sends multiple
	commands instead of waiting for the server to respond to
	each command. The second one implements the Postfix SMTP
	server's smtpd_forbidden_commands feature.  Files:
	postscreen/*.[hc]. See RELEASE_NOTES, postconf(5) and
	postscreen(8) for incompatibilities, features, and configuration
	parameters.

20100910

	Feature: boolean configuration parameters with string-valued
	defaults, so that they can be subject to macro expansions.
	This was needed to make some postscreen parameter defaults
	to the values of the corresponding smtpd parameters.  Files:
	global/mail_conf.h, global/mail_conf_nbool.c,
	master/event_server.c, master/mail_server.h, master/multi_server.c,
	master/single_server.c, master/trigger_server.c,
	postconf/extract.awk, postconf/postconf.c.

20100911

	Feature: texthash read-only database. This is similar to
	hash: files, except that you don't need to run the postmap(1)
	command before you can use the file, and that it does not
	detect changes after the file is read.  All information is
	read into memory. Files: util/dict_open.c, util/dict_thash.[hc],
	proto/DATABASE_README.html, postconf/postconf.c

20100912

	Feature: bare newline detection in postscreen. Real spambots
	don't make this mistake anymore, but poorly-written software
	still does.  File: postscreen/smtpd.c.

	Documentation: POSTSCREEN_README including instructions for
	turning postscreen(8) on without blocking mail, and more.
	Trimmed the text in the postscreen(8) manpage.  File:
	proto/POSTSCREEN_README.html, postscreen/postscreen.c.

20100914

	Cleanup: the "postscreen_greet_wait" delay now ends as soon
	as both the pregreet and DNSBL tests complete (the postscreen
	documentation mentions in history/credits that the program
	started as a crude prototype).  The default postscreen_dnsbl_ttl
	caching time is now reduced to 1h from 24h, allowing
	postscreen to catch up on DNSBL updates more quickly. If
	this increases the database update frequency too much then
	we'll need to make dnsbl result non-cachable.  Files:
	postscreen/postscreen_dnsbl.c, global/mail_params.h.

20100915

	Bugfix (introduced 20100914): missing precondition for
	call-back notification.  File: postscreen/postscreen_dnsbl.c.

	Bugfix (introduced 20100914): the "postscreen_greet_wait"
	delay speedup worked only for DNSBL listed sites.  File:
	postscreen/postscreen_dnsbl.c.

	Workaround: better handling of pregreeting spambots. The
	postscreen built-in SMTP engine no longer sends a 220 banner
	to a client that falls into the pregreet trap.  This eliminates
	many "NON-SMTP COMMAND" records in postscreen logging, as
	the SMTP client and server no longer get out of sync.  It
	also results in better logging of sender/recipient information.
	File: postscreen/postscreen_smtpd.c.

20100916

	Cleanup: postscreen now uses the first responding DNSBL
	name in the "5.7.1 Service unavailable" reply, instead of
	the last responding one. File: postscreen/postscreen_dnsbl.c.

	Cleanup: the 20100914 "postscreen_greet_wait" speedup did
	not happen as often as it should, because some older code
	still turned on PREGREET tests gratuitously, causing a full
	greet-wait delay.  File: postscreen/postscreen_tests.c.

	Cleanup: to avoid "address in use" problems, postscreen now
	closes the listening socket after "postfix stop".  It also
	closes the socket after "postfix reload" but that does not
	hurt. Files: master/event_server.c, master/multi_server.c.

	Cleanup: postscreen now logs CONNECT and DISCONNECT events.
	Files: postscreen/postscreen.c, postscreen/postscreen_misc.c.

20100917

	Bugfix: cut-and-paste error. Postscreen used pregreet_ttl
	instead of dnsbnl_ttl. File: postscreen/postscreen_early.c.

20100920

	Cleanup: minor cleanups and invisible fixes. Files:
	postscreen/postscreen_misc.c, postscreen/postscreen.h,
	postscreen/postscreen_tests.c.

	Feature: preliminary postscreen penalty mechanism. Basic
	idea: when a client exceeds some threshold, don't allow it
	to pass any tests until the penalty expires. Penalties
	provide a way to slow down clients without blocking mail
	permanently.  Files: postscreen/postscreen_misc.c,
	postscreen/postscreen_tests.c, postscreen/postscreen.c.

	A first application of the postscreen penalty mechanism
	triggers on clients that make brief connections to find out
	if the mail server is up.  With "postscreen_early_hangup_penalty
	= 600" they will disqualify themselves for 10 minutes.
	Unfortunately, this behavior is used by legitimate bulk
	mail services. This application was removed 20101103.  The
	penalty mechanism itself is left in place as #ifdef NONPROD.

20100923

	Cleanup: renamed MUMBLE_FLAG_MUMBLE aggregates to
	MUMBLE_MASK_MUMBLE for consistency with other Postfix code.
	Files: postscreen/*.[hc].

20100930

	Cleanup: flag PIPELINING errors with NOOP and VRFY.  File:
	smtpd/smtpd.c.

20101006

	Bugfix (introduced: 20100914) dangling pointer when a client
	makes N > 1 simultaneous connections and closes M < N
	connections before postscreen has delivered the DNSBL score
	to the corresponding pseudothreads. In practice the pointer
	will refer to a block of 0xff bytes; the program terminates
	with a segmentation violation, and is restarted immediately
	by the master daemon. Files: postscreen/postscreen_early.c,
	postscreen/postscreen_dnsbl.c.

	Cleanup: avoid repeated delivery to mailing list members
	with pathological nested alias configurations.  The local(8)
	delivery agent now keeps the owner-alias attribute of the
	parent alias, when delivering mail to a child alias that
	does not have its own owner alias. With this change, local
	addresses from that child alias will be written to a new
	queue file, and a temporary error with one local address
	will no longer result in repeated delivery to other mailing
	list members.  Specify "reset_owner_alias = yes" for the
	older behavior.  File: local/alias.c.

20101007

	Bugfix (introduced: 2100923): duplicate "PASS OLD" logging.
	File: postscreen/postscreen_misc.c.

20101008

	Cleanup: dnsblog now logs "addr X listed by domain Y as Z"
	instead of "addr X blocked by domain Y as Z", because the
	service may be used for whitelist lookups. File:
	dnsblog/dnsblog.c.

20101023

	Cleanup: don't apply reject_rhsbl_helo to non-domain forms
	such as network addresses.  This would cause false positives
	with dbl.spamhaus.org.  File: smtpd/smtpd_check.c.

20101103

	Cleanup: new qmgr_ipc_timeout parameter (default: 60s) to
	override the system-wide ipc_timeout setting (default:
	3600s). The shorter timeout allows the queue manager to
	reset a deadlocked IPC connection before the watchdog timer
	goes off. Files: *qmgr/qmgr.c.

	Cleanup: new qmgr_daemon_timeout parameter (default: 1000s)
	to make the hard-coded 1000s watchdog timeout configurable.
	Files: *qmgr/qmgr.c.

	Cleanup: request default DSN notification when adding a
	recipient with smfi_addrcpt, instead of requesting "never
	notify" as with Postfix automatically-added BCC recipients.
	Files: cleanup/cleanup_addr.c, cleanup/cleanup.h,
	cleanup/cleanup_milter.c.

20101105

	Feature: DNS whitelist support in the Postfix SMTP server.
	permit_dnswl_client whitelists a client by IP address, and
	permit_rhswl_client whitelists a client by its hostname.
	The syntax is the same as reject_rbl_client etc., but the
	result is PERMIT instead of REJECT.  For safety reasons,
	permit_xxx_client are silently ignored when they would
	override reject_unauth_destination.  The result is
	DEFER_IF_REJECT when DNSWL lookup fails.  The implementation
	is based on a design documented by Noel Jones (August 2010).
	File: smtpd/smtpd_check.c.

20101108

	Workaround: strip off IPv6 datalink suffix from peer address
	to avoid problems with strict address checking code. Files:
	smtpd/smtpd_peer.c, qmqpd/qmqpd_peer.c.

20101114

	Robustness: postscreen(8) now implements a time limit on
	reading an entire command, instead of a time limit for
	reading individual characters. File: postscreen/postscreen_smtpd.c.

20101023

	Cleanup: don't apply reject_rhsbl_helo to non-domain forms
	such as network addresses.  This would cause false positives
	with dbl.spamhaus.org.  File: smtpd/smtpd_check.c.

20101117

	Bugfix: the "421" reply after Milter error was overruled
	by Postfix 1.1 code that replied with "503" for RFC 2821
	compliance. We now make an exception for "final" replies,
	as permitted by RFC. Solution by Victor Duchovni. File:
	smtpd/smtpd.c.

20101124-6

	Feature: pattern matching for DNSWL/DNSBL responses.  For
	example, with "reject_rbl_client example.com=d.d.d.d", each
	"d" can now be a pattern inside "[]" that contains one or
	more comma-separated decimal numbers or number..number
	ranges.  Files: smtpd/smtpd_check.c, postscreen/postscreen_dnsbl.c,
	util/ip_match.c, util/ip_match.h.

20101126

	Cleanup: don't log "blocked using example.com=127.0.0.1",
	just log the domain name. File: smtpd/smtpd_check.c.

20101129

	Cleanup: postscreen_client_connection_count_limit (default:
	$smtpd_client_connection_count_limit) to limit the number
	of connections from the same IP address to the postscreen(8)
	daemon. Files: postscreen/postscreen.c, postscreen/postscreen.h,
	postscreen/postscreen_state.c.

20101130

	Cleanup: all postscreen(8) logging now reports the client
	as [address]:port.  This requires an update of tools that
	process postscreen logging.  Files: postscreen/*.c,
	proto/POSTSCREEN_README.html.

	Cleanup: polishing recent documentation and code. Files:
	postscreen/postscreen_dnsbl.c, util/ip_match.c.

20101201

	Bugfix (introduced 20101129): broken default value for
	postscreen_client_connection_count_limit if the
	smtpd_client_connection_count_limit parameter was left at
	its default.  File: postscreen/postscreen.c.

	Workaround: BSD-ish mkdir() ignores the effective GID
	and copies group ownership from the parent directory.
	File: util/make_dirs.c.

20101202

	Feature: the LDAP client can now authenticate to LDAP servers
	via SASL. This is tested with SASL GSSAPI and Kerberos 5.
	Original code by Quanah Gibson-Mount adapted by Victor
	Duchovni.  Files: global/dict_ldap.c, proto/LDAP_README.html,
	proto/ldap_table.

	Cleanup: the cleanup server now reports a temporary delivery
	error when it reaches the virtual_alias_expansion_limit or
	virtual_alias_recursion_limit. Previously, it would silently
	ignore the excess recipients and deliver the message.  File:
	cleanup/cleanup_map1n.c.

20101205

	Cleanup: sache_clnt_create() had an unnecessary data
	dependency on the non-library var_scache_service variable,
	causing problems with shared library builds.  Instead, it
	should use its service argument (which has the same value).
	File: global/scache.c.

	Cleanup: pipe_command.c had an unnecessary data dependency
	on the non-library var_command_maxtime variable, causing
	problems with shared library builds. The dependency was not
	necessary because the callers already specify an explicit
	time limit.  File: global/pipe_command.c.

20101206

	Bugfix (introduced 20101205): postscreen hung up due to
	incorrect output error test. File: postscreen/postscreen_send.c.

20101207

	Cleanup: the undisclosed_recipients_header default value
	is now the empty string. The Internet mail RFCs have supported
	messages without recipient header for almost 10 years now.
	File: global/mail_params.h.

	Cleanup: use strtol() instead of sscanf() for consistent
	handling of out-of-range numbers. Files: global/cfg_parser.c,
	global/conv_time.c, global/mail_conf_int.c,
	global/mail_conf_long.c, global/mail_conf_nint.c.

20101217

	Cleanup: eliminated the code that copied TLS protocol
	messages between the OpenSSL TLS engine and the network.
	This change hopefully simplifies the TLS library enough
	that it can be used in an event-driven TLS proxy in front
	of postscreen.  Files: tls/tls_bio.c, tls/tls_server.c,
	tls/tls_client.c.

	This change eliminates an obscure bug where the SMTP server
	would wait for another $smtpd_timeout seconds after sending
	the "421 Error: timeout exceeded" message to the client.

20101221

	Cleanup: simplified the VSTREAM "large buffer" support by
	dropping the Postfix 2.4 "binary compatibility" requirement.
	Files: util/vstream.c, util/vstream.h.

20101222

	Cleanup: the SMTP client PIPELINING code did not account
	for TLS protocol overhead. This could (only in theory)
	result in deadlock when the remote SMTP server announces a
	very small receive window after the client and server have
	synchronized their SMTP state. Victor Duchovni.  File:
	smtp/smtp_proto.c.

20101223

	Feature: with "tls_preempt_cipherlist = yes" the Postfix
	SMTP server will preempt the remote SMTP client's cipher
	preference order. This requires OpenSSL 0.9.7 and later.
	Victor Duchovni. Files: src/smtpd/smtpd.c, src/tls/tls_server.c,
	proto/TLS_README.html, proto/postconf.proto.

	Future proofing: specify "tls_disable_workarounds = a list
	or bit-mask of OpenSSL bug work-arounds to disable". This
	may become necessary when a bug workaround is found to cause
	problems (security or interoperability). Victor Duchovni.
	Files: tls/tls_misc.c, proto/TLS_README.html, proto/postconf.proto.

	Infrastructure: extended name_mask module feature set with
	extensive documentation and 32-bit regression tests.  Victor
	and Wietse.  File: util/name_mask.[hc].

20101224

	Cleanup: sanitized the name_mask API so that errors will be
	ignored only upon explicit request. Files: util/name_mask.[hc],
	src/global/ehlo_mask.c, src/smtp/smtp_proto.c,
	src/util/name_mask.c, src/xsasl/xsasl_dovecot_server.c.

	Cleanup: more TLS overhead horrors for the SMTP client's
	PIPELINING engine. Wietse and Victor. File: smtp/smtp_proto.c.

20101226

	Cleanup: the SMTP client logic for pipelining the "." and
	"QUIT" commands was bogus - the pipelining engine could not
	know how much unacknowledged data is pending in the local
	TCP stack.  We now ignore the buffer check for sending
	"QUIT" after ".".  Wietse and Victor. File: smtp/smtp_proto.c.

20110101

	Cleanup: the Postfix SMTP server now always refreshes the
	SASL authentication mechanism list after STARTTLS. Some
	Dovecot versions may change their responses when they know
	that the SMTP connection is encrypted. File: smtpd/smtpd.c.

	Cleanup: the smtpd_starttls_timeout default value is now
	stress-dependent.  Files: global/mail_params.h,
	proto/postconf.proto.

	Compatibility: postscreen_discard_ehlo_keyword(s|maps)
	support for compatibility with smtpd_discard_ehlo_keyword(s|maps).
	Files: postscreen/postscreen_smtpd.c.

20110102

	Feature: STARTTLS support for the postscreen(8) daemon.
	With early testing feedback from Victor Duchovni and Ralf
	Hildebrandt.  Files: postscreen/postscreen_smtpd,
	postscreen/postscreen_starttls.c.

	Feature: event-driven tlsproxy(8) daemon that translates
	TLS <=> plaintext for postscreen(8). One tlsproxy(8) process
	can translate traffic for multiple remote SMTP clients.
	With early testing feedback from Victor Duchovni and Christian
	Roessner.  Files: util/nbbio.[hc], tlsproxy/*.[hc],
	postscreen/postscreen_starttlsd.c, postscreen/postscreen_smtpd.c.

20110103

	Cleanup: missing tls_level support in tlsproxy (it has no
	way to send plaintext, but perhaps an informative error
	message is in order anyway).  File: tlsproxy/tlsproxy.c.

	Cleanup: simplified the handling of throttled output (i.e.
	output that can't be sent because the receiver tries to be
	nasty).  File: postscreen/postscreen_send.c.

20110104

	Feature: add contact information to each SMTP server reject
	message. For example, "smtpd_reject_footer = call 800-555-0101
	for assistance", with macro expansion and with multi-line
	support. Files: global/mail_params.h, mantools/postlink,
	proto/postconf.proto, smtpd/smtpd.c, smtpd/smtpd_chat.c,
	smtpd/smtpd_expand.[hc], util/mac_expand.[hc].

20110105

	Cleanup: the forest of TLS-related booleans was shrunk.
	Victor Duchovni. Files: smtpd/smtpd.c, postscreen/postscreen.c,
	postscreen/postscreen_smtpd.c, tlsproxy/tlsproxy.c.

	Non-production: tlsproxy support in the Postfix SMTP server
	for stress testing of the tlsproxy daemon (#ifdef TLSPROXY).
	Seen from outside, Postfix works just as if it has TLS
	support built into in smtpd(8). Files: smtpd/smtpd.c,
	tls/tls_proxy*.[hc], tlsproxy/tlsproxy.c, util/vstream.[hc].

	Bugfix (introduced with the Postfix TLS patch): discard
	plaintext following the STARTTLS command or response. This
	matters only for the minority of SMTP clients that actually
	verify server certificates.  Files: smtpd/smtpd.c,
	smtp/smtp_proto.c.

20110106

	Non-production: cleaned up the tlsproxy support in the
	Postfix SMTP server for stress testing of the tlsproxy
	daemon (still #ifdef TLSPROXY). File: smtpd/smtpd.c.

20110107

	Cleanup: smtpd_reject_contact_information is renamed to
	smtpd_reject_footer, because it can be used for non-contact
	information.

	Compatibility: postscreen_reject_footer support for
	compatibility with smtpd_reject_footer.  Files:
	global/smtp_reply_footer.[hc], global/mail_conf.[hc],
	postscreen/postscreen_expand.c, postscreen/postscreen_send.c,
	postscreen/postscreen.c, smtpd/smtpd_chat.c.

	Compatibility: postscreen_command_filter support for
	compatibility with smtpd_command_filter. Files:
	postscreen/postscreen_dict.c, postscreen/postscreen_smtpd.c

20110108

	Cleanup: postscreen(8) now displays control characters in
	PREGREET responses as C-style \letter escapes, instead of
	"?".  File: postscreen/postscreen_early.c.

20110109

	Cleanup: Solaris support for "pass" (file descriptor passing
	based) services in master.cf.  This was needed by postscreen(8).
	Also, renamed upass_xxx.c to unix_pass_xxx.c. One-character
	prefixes are too short. Removed upass_connect.c because it
	was useless code. Files: util/stream_pass_connect.c,
	util/unix_pass_listen.c, util/unix_pass_trigger.c.

	Bugfix (introduced Postfix 2.4): on Solaris the Postfix
	event engine was deaf for SIGHUP and SIGALRM signals after
	the switch to /dev/poll. Symptoms were delayed "postfix
	reload" response, and killed processes when the watchdog
	timeout was less than max_idle.  The fix is to set up SIGHUP
	and SIGALRM handlers that write to a pipe, and to monitor
	that pipe for read events via the Postfix event engine.
	Files: master/master_sig.c, util/watchdog.c, util/sys_defs.h.

20110111

	Cleanup: replaced the postscreen(8) separate blacklist and
	whitelist lookup tables by one postscreen_access_list table.
	See postconf(5) and POSTSCREEN_README for examples.  Files:
	postscreen/postscreen_access.c, postscreen/postscreen.c,
	proto/postconf.proto, proto/POSTSCREEN_README.html.

20110112

	Cleanup: suspend/resume logic for postscreen(8) SMTP sessions
	that temporarily switch control to an external program such
	as tlsproxy, or perhaps a future policy plugin.  Files:
	postscreen/postscreen_smtpd, postscreen/postscreen_starttls.c.

20110113

	Cleanup: ps_cache and psc_cache are now postscreen_cache.
	There is no need for obscure name abbrevations. File:
	src/global/mail_params.h.

20110115

	Workaround: malloc fuzz (safety margin for malloc requests).
	Files: util/sys_defs.h, util/mymalloc.c.

	Cleanup: dnsblog_service_name and tlsproxy_service_name are
	now configurable, in case someone needs this. Files:
	global/mail_params.h, postscreen/postscreen.c, mantools/postlink,
	proto/postconf.proto.

20110116

	Cleanup: soft_bounce support for postscreen(8). Files:
	postscreen/postscreen_smtpd.c, postscreen/postscreen_send.c.

	Cleanup: for smtpd(8) compatibility, postscreen(8) now
	strips deprecated route address prefixes from email addresses
	(@here,@there:user@example becomes user@example). This is
	primarily to make postscreen(8) logging more similar to
	that of smtpd(8). File: postscreen/postscreen_smtpd.c.

	Cleanup: documentation, in preparation for the Postfix 2.8
	stable release.

20110117

	Bugfix (introduced Postfix alpha, or thereabouts): on HP-UX
	the Postfix event engine was deaf for SIGALRM signals.
	Symptoms were killed processes when the watchdog timeout
	was less than max_idle.  The fix is the same as Solaris fix
	20110109. Since we can't know what other systems need this,
	the workaround is enabled by default.  Files: util/sys_defs.h.

	Cleanup: "smtpd_tls_eecdh_grade = strong" by default, instead
	of snapshot-only. File: global/mail_params.h, proto/postconf.proto.

	Cleanup: missing "#include <errno.h>" in util/watchdog.c.

	Bugfix: when compiled without -DUSE_TLS, tlsproxy used the
	wrong server skeleton (multi_server instead of event_server).
	File: tlsproxy/tlsproxy.c.

	Workaround: added a panic check for code that is mis-compiled
	by the HP-UX compiler.  File: postscreen/postscreen.c,
	postscreen/postscreen.h, postscreen/postscreen_state.c.

20110118

	Bugfix: the tls_disable_workarounds word list only included
	workarounds in SSL_OP_ALL. Problem report by Steve Jenkins,
	problem fix by Victor Duchovni. File: tls/tls_misc.c.

	Last-minute incompatible syntax change: Postfix now uses
	";" instead of "," to separate DNSBL/DNSWL address filter
	fields inside "[]". The compatibility break is not an issue,
	because the syntax never worked in main.cf. Problem reported
	by Mark Martinec. Files: util/ip_match.c, util/ip_match.in,
	util/ip_match.ref, proto/postconf.proto.

	Cleanup: postscreen now monitors the AVERAGE latency of
	table access, and complains at most once per minute.  File:
	postscreen/postscreen_dict.c.

	Bugfix: support for the "dunno" command somehow disappeared
	from the postscreen_access_list implementation.  File:
	postscreen/postscreen_access.c.

20110123

	Feature: read/write deadlines. Deadlines were introduced
	with postscreen's dummy SMTP engine. In the Postfix SMTP
	client and server, deadlines limit the total amount of time
	to read or write one command line, one response line, or
	one line of message content. This reduces the impact of
	application exhaustion attacks that trickle data one byte
	at a time.  Files: util/vstream.[hc], global/smtp_stream.c.

	Cleanup: remove #ifdef MIGRATION_WARNING transitional code
	from postscreen. File: postscreen/postscreen.c.

20110125

	Cleaned up and finalized read/write deadline support. Once
	this code has been fielded it can go into Postfix 2.8.1,
	and made available as optional patch for earlier releases.
	Further refinements have only diminishing returns and can
	evolve in the 2.9 release cycle.  File: util/vstream.c.

20110128

	Infrastructure: separate VSTREAM flags for read or write
	errors. Files: util/vbuf.[hc], util/vstream.[hc].

	Cleanup: after write error, the smtp_stream routines now
	disable further network writes. This eliminates the need
	for clumsy code to avoid unwanted I/O while shutting down
	a TLS engine or closing a VSTREAM.  File: util/smtp_stream.c.

20110201

	Cleanup: when verifying that the client_address->client_name
	lookup result resolves to the client_address, request
	hostname->address lookup with the same protocol family (IPv4
	or IPv6) as the client_address.  Files: util/myaddrinfo.[hc],
	smtpd/smtpd_peer.c, qmqpd/qmqpd_peer.c.

20110205

	Infrastructure: vstream_peek_data() primitive to look ahead
	at buffered input. Use vstream_peek() to find out how much,
	and escape() for human presentation.  Files: util/vstream.[hc].

	Cleanup: smtpd(8) and postscreen(8) now log the input that
	triggers an SMTP command pipelining violation. File:
	postscreen/postscreen_smtpd.c, smtpd/smtpd.c.

	Infrastructure: smtp_get() option to skip over input in
	excess of the line length limit. Files: smtp/smtp_stream.[hc].

	Cleanup: handle excessively-long client requests and server
	responses more gracefully, i.e. without losing synchronization.
	Files: smtpd/smtpd_chat.c, smtpd/smtpd_proxy.c, smtp/smtp_chat.c,
	smtpstone/smtp-source.c.

20110207

	Bugfix (introduced Postfix 2.8): segfault with smtpd_tls_loglevel
	>= 3. Files: tls/tls_server.c, tls.h, smtpd.c, tlsproxy.c.

	Cleanup: read/write deadline support for single_server TLS
	applications (i.e. smtpd(8), smtp(8)).  File: tls/tls_bio_ops.c.

20110212

	Infrastructure: run-time switch for read/write deadline
	support. Files: util/vstream.[hc], global/smtp_stream.[hc],
	tls/tls_bio_ops.c.

	Cleanup: configurable read/write deadline support with
	smtpd_per_record_deadline (normal: "no", overload: "yes")
	and smtp_per_record_deadline (default: "no").  Files:
	global/mail_params.h, smtpd/smtpd.c, smtp/smtp.c,
	smtp/smtp_proto.c, proto/postconf.proto, mantools/postlink.

20110213

	Workaround: the TLS library passes the same information via
	different function arguments, and this same information is
	maintained by different functions, so things get out of
	step when code is updated. As of 20110212, tls_client_start()
	needs to set the VSTREAM property of the TLS session object.
	File: tls/tls_client.c.

20110215

	Human factors: the FCRDNS (forward-confirmed reverse DNS)
	checking code now logs "hostname X does not resolve to
	address Y", when a "reverse hostname" lookup result does
	not resolve to the client IP address.  Files: smtpd/smtpd_peer.c,
	qmqpr/qmqpd_peer.c.

20110216

	Cleanup: don't log a "connection reset by peer" error when
	postscreen(8) tries to send a server response.  File:
	postscreen/postscreen_send.c.

20110218

	Cleanup: Postfix now uses long integers for message_size_limit,
	mailbox_size_limit and virtual_mailbox_limit. On LP64 (64-bit
	long and pointer, but 32-bit integer) systems, these message
	and mailbox limits can now exceed 2GB. Files: global/mail_params.c
	global/mail_params.h local/local.c master/event_server.c
	master/mail_server.h master/multi_server.c master/single_server.c
	master/trigger_server.c virtual/virtual.c postconf/extract.awk
	postconf/postconf.c.

20110220

	Cleanup: compiler gripe.  File: util/vstream.c.

20110223

	Cleanup: Debian build tool gripe. File: smtpstone/smtp-sink.c.

20110224

	postscreen(8) support to enforce proper client MX lookup
	policy. Some spambots connect first to a backup MX address
	in the hope that the server has a weaker anti-spam policy.
	By listening on both primary and backup MX addresses,
	postscreen(8) can deny the temporary whitelist status to
	clients that connect only to backup MX hosts, and prevent
	them from talking to a Postfix SMTP server process.

	For example, when 1.2.3.4 is a local backup IP address,
	specify "postscreen_whitelist_interfaces = !1.2.3.4 static:all"
	to disable dynamic whitelisting for clients that connect
	(only) to the backup MX address. Files: mantools/postlink,
	proto/postconf.proto, proto/POSTSCREEN_README.html,
	global/mail_params.h, postscreen/postscreen.c,
	postscreen/postscreen.h, postscreen/postscreen_state.c.

20110225

	Workaround (problem introduced with IPv6 support in Postfix
	2.2): the SMTP client did not support mail to [ipv6:ipv6addr].
	Fix based on a patch by Gurusamy Sarathy (Sophos).  File:
	util/host_port.c and regression test files.

20110227

	Portability: FreeBSD closefrom() support time window.  Sahil
	Tandon. File: util/sys_defs.h.

	Cleanup: each lookup table now has an owner status and UID
	attributes for provenance purposes, even memory-resident
	tables such as pcre, regexp and cidr.  This fixes a problem
	where local(8) ignored the non-root ownership of a regular
	expression-based aliases(5) file.  The table owner status
	is TRUSTED (data straight from root-owned configuration
	file), UNKNOWN (unauthenticated data from proxy or tcp) or
	KNOWN (we actually have an owner UID). With most tables,
	the owner UID is the file owner UID. With LDAP and *SQL,
	the owner UID is the Postfix configuration file owner.
	Files: src/util/dict_unix.c src/util/dict_thash.c
	src/util/dict_static.c src/util/dict_sdbm.c src/util/dict_regexp.c
	src/util/dict_pcre.c src/util/dict_nisplus.c src/util/dict_nis.c
	src/util/dict_ni.c src/util/dict_ht.c src/util/dict_env.c
	src/util/dict_dbm.c src/util/dict_db.c src/util/dict_cidr.c
	src/util/dict_cdb.c src/util/dict_alloc.c src/util/dict.h
	src/util/dict.c src/local/alias.c src/global/dict_sqlite.c
	src/global/dict_pgsql.c src/global/dict_mysql.c
	src/global/dict_ldap.c src/global/cfg_parser.h
	src/global/cfg_parser.c.

20110311

	Feature: Base 32 encoder/decoder per RFC 4648. This code
	was going to be used for long queue IDs, but plans were
	changed. Files: src/util/base32_code.[hc].

20110313

	Bugfix (introduced Postfix 2.8): postscreen DNSBL scoring
	error. When a client disconnected and then reconnected
	before all DNSBL results for the earlier session arrived,
	DNSBL results for the earlier session would be added to the
	score for the later session. Problem report by Larry Vaden.
	Files: dnsblog/dnsblog.c, postscreen/postscreen_dnsbl.c.

	Cleanup: protocol description in dnsblog(8) manpage. File:
	dnsblog/dnsblog.c.

20110314

	Portability: the SUN compiler had trouble with a pointer
	expression of the form ``("text1" "text2") + constant'' so
	we don't try to be so clever. Fix by Victor Duchovni.  File:
	global/mail_params.h.

20110320

	Feature: specify "enable_long_queue_ids = yes" to enable
	support for non-repeating queue IDs (also used as queue
	file names). These queue IDs encode the time and inode
	number with a safe alphabet of the 52 characters 0-9B-Zb-z.
	The alphabet excludes vowels (AEIOUaeiou) to avoid creating
	real words.  The queue ID format is: time in seconds, time
	in microseconds, 'z', inode number (the inode number is
	encoded without using the 'z' character of the safe alphabet).
	Turning on long queue IDs changes the width of the first
	output column of the mailq (postqueue -p) command, and
	changes the appearance of Postfix Message-ID headers to
	queueID@myhostname.  Files: global/file_id.[hc],
	global/safe_ultostr.[hc], global/mail_queue.[hc],
	postsuper/postsuper.c, showq/showq.c

20110321

	Performance: with long queue file names, queue hashing now
	produces the same result as with short names. Postfix uses
	the hexadecimal representation of the file creation time
	in microseconds, instead of the beginning of the file name
	which changes once every year or so, a problem that was
	reported by Victor Duchovni. The base 16 encoding gives
	finer control over the number of directories than possible
	with base 52 encoding.  Files: global/mail_queue.[hc]. This
	change requires "postfix reload".

20110322

	Cleanup: preserve the microseconds value when renaming
	long->short or short->short queue file names.  As a side
	benefit, renaming long->short queue IDs will not change the
	result from queue hashing.  File: postsuper/postsuper.c.

20110323

	Bitrot: qshape regexp pattern for long queue file names.
	Ralf Hildebrandt. File: auxiliary/qshape/qshape.pl.

	Bitrot: text about queue ID reuse in the postsuper manpage.
	File: postsuper/postsuper.c.

20110328

	Cleanup: don't log warnings about socket shutdown() errors
	after a connection breaks. Postfix calls shutdown() to avoid
	unnecessary socket write timeouts. This is only an optimization,
	and failure is not critical.  File: global/smtp_stream.c.

20110411

	Cleanup: postscreen(8) and verify(8) daemons now lock their
	respective cache file exclusively upon open, to avoid massive
	cache corruption by unsupported sharing. Files: util/dict.h,
	util/dict_open.c, verify/verify.c, postscreen/postscreen.c.

20110414

	Bugfix (introduced with Postfix SASL patch 20000314): don't
	reuse a server Cyrus SASL handle after authentication
	failure. File: smtpd/smtpd_proto.c.

20110418

	Bugfix (introduced Postfix 2.3 and Postfix 2.7): the Milter
	client reported some "file too large" errors as temporary
	errors. Problem reported by Michael Tokarev. Files:
	milter/milter8.c, cleanup/cleanup_milter.c.

20110420

	Performance: a high load of DSN success notification requests
	could stall the queue manager. Solution: make the trace
	client asynchronous, just like the bounce and defer clients.
	Problem reported by Eduardo M. Stelmaszczyk of terra.com.br.
	Files: global/abounce.[hc], *qmgr/qmgr_active.c (the
	qmgr_active.c files are identical).

20110421

	Cleanup: updated abounce warning message, and added a safety
	timeout to abounce() etc. requests. File: global/abounce.c.

20110426

	Bugfix (introduced in Postfix 1.1, duplicated in Postfix
	2.3, unrelated mistake in Postfix 2.7): the local(8) delivery
	agent ignored table lookup errors in mailbox_command_maps,
	mailbox_transport_maps, fallback_transport_maps and (while
	bouncing mail to alias) alias owner lookup. Problem reported
	by William Ono. Files: local/command.c, local/mailbox.c,
	local/unknown.c, local/bounce_workaround.c.

20110516

	Update the warning when permit_naked_ip_address is used,
	and add permit_sasl_authenticated to the list of suggested
	alternatives.  File: smtpd/smtpd_check.c.

20110601

	Bugfix (introduced Postfix 2.6 with master_service_disable)
	loop control error when parsing a malformed master.cf file.
	Found by Coverity. File: master/master_ent.c.

20110602

	Bugfix (introduced: Postfix 2.7): "sendmail -t" reported
	"protocol error" after queue file write error.  File:
	postdrop/postdrop.c.

20110605

	Cleanup: removed the PSC_STATE_FLAG_CACHE_EXPIRED flag.
	Nothing uses this anymore. Files: postscreen/postscreen.h,
	postscreen/postscreen_state.c, postscreen/postscreen_tests.c.

20110614

	Linux kernel version 3 support. Linus Torvalds has reset
	the counters for reasons not related to changes in code.
	Files: makedefs, util/sys_defs.h.

20110615

	Workaround: some Spamhaus RHSBL rejects lookups with "No
	IP queries" even if the name has an alphanumerical prefix.
	We play safe, and skip both RHSBL and RHSWL queries for
	names ending in a numerical suffix.  File: smtpd/smtpd_check.c.

20110624

	Cleanup: added error checks for smtpd access primitives
	that don't automatically terminate the program after table
	lookup error: these primitives are permit_tls_clientcerts,
	permit_tls_all_clientcerts, and check_address_map (the last
	one is used in local_header_rewrite_clients only).  File:
	smtpd/smtpd_check.c.

20110729

	Workaround: some getpwnam() and getpwuid() implementations
	cause mail to bounce ("user unknown") after LDAP etc. lookup
	error. Postfix now uses POSIX getpwnam_r() and getpwuid_r()
	where available. Initially, this workaround supports FreeBSD,
	Solaris and Linux. Files: makedefs, util/sys_defs.h,
	global/mypwd.[hc], local/alias.c, local/dotforward.c,
	local/include.c, local/mailbox.c, local/recipient.c.

20110731

	MacOS X 10.5 supports POSIX getpwnam_r() and getpwuid_r()
	(source: MacOS manpages at www.freebsd.org). If MacOS turns
	out to make a false promise, then we will undo this change.
	Files: makedefs, util/sys_defs.h.

20110810

	Cleanup: optimize an optimization to avoid uid->name lookup
	when all users are authorized with authorized_submit_users,
	authorized_mailq_users, authorized_flush_users.  File:
	global/user_acl.c.

20110811

	Workaround: report a {client_connections} Milter macro value
	of zero instead of garbage, when the remote SMTP client is
	not subject to any smtpd_client_* limits. Problem reported
	by Christian Roessner. Files: smtpd/smtpd_state.c,
	proto/MILTER_README.html.

20110817

	Cleanup: avoid misleading error messages after future code
	change. The tls_bio_ops(3) module now returns non-zero errno
	values only when requests fail due to a system-call error.
	File: tls/tls_bio_ops.c.

	Cleanup: TLS handshake error messages. The SMTP client and
	server now report STARTTLS network errors as "connection
	timed out", "connection reset by peer", etc., instead of
	reporting TLS error number 0.  Files: tls/tls_bio_ops.c,
	tls/tls_server.c, tls/tls_client.c.

20110818

	Cleanup: VSTREAM-over-TLS error return values, for robustness
	against future change.  For consistency with VSTREAM internal
	interfaces, the tls_stream(3) read/write routines now return
	-1 instead of unspecified negative OpenSSL results.  File:
	tls/tls_stream.c.

20110819

	Cleanup: further TLS code cleanups, for robustness against
	future change.  Unexpected TLS errors are no longer silently
	treated as ordinary errors, and one corner-case error in TLS
	timeout handling was fixed before it could cause trouble.
	File: tls/tls_bio_ops.c.

20110821-24

	Cleanup: simplified the TLS read/write deadline implementation,
	and documented why this same simplification is not possible
	higher-up, at the VSTREAM level. Files: tls/tls_bio_ops.c,
	util/vstream.c.

20110831

	Bugfix: allow for Milters that send an SMTP server reply
	without RFC 3463 enhanced status code. Reported by Vladimir
	Vassiliev.  File: milter/milter8.c.

20110902

	Cleanup: don't log vstream_tweak "connection reset by peer"
	errors. File: util/vstream_tweak.c.

20110904-7

	Bugfix: master daemon panic with "master_spawn: at process
	limit", when "postfix reload" reduces the process limit
	from (a value larger than the current process count for
	some service) to (a value <= the current process count),
	and then a new connection is made to that service. This
	structural solution centralizes the decision to monitor a
	service port (or not). To improve robustness against future
	code changes, it clarifies some of the internal dependencies
	that exist inside the master daemon.  Files: master/master.h,
	master/master_avail.c, master/master_conf.c,
	master/master_service.c, master/master_spawn.c.

20110911

	Debugging: report the request size when memory allocation
	fails.  File util/mymalloc.c.

20110914

	Incompatibility: the default inet_protocols value is now
	"all" instead of "ipv4", meaning use both IPv4 and IPv6.
	As a compatibility workaround for sites without global IPv6
	connectivity, the commands "make upgrade" and "postfix
	upgrade-configuration" append "inet_protocols = ipv4" to
	main.cf when no explicit setting is present.  This compatibility
	workaround will be phased out in a future release.  Files:
	util/sys_defs.h, conf/post-install, proto/postconf.proto.

	Incompatibility: the default smtp_address_preference value
	is now "any" instead of "ipv6", meaning choose randomly
	between IPv6 and IPv4.  With this the Postfix SMTP client
	will have more success delivering mail to sites that have
	problematic IPv6 configurations.  Files: global/mail_params.h,
	proto/postconf.proto.

20110918

	Workaround for multiple ancient FreeBSD getsockopt() bugs
	after non-blocking connect fails with 'host unreachable'
	that resulted in a unreasonable memory allocation request.
	File: util/vstream_tweak.c.

20110921

	Bugfix (introduced: Postfix 1.1): smtpd(8) did not sanitize
	newline characters in cleanup(8) REJECT messages, causing
	them to be sent out via SMTP as bare newline characters.
	This happened when a REJECT pattern matched multi-line
	header text.  Discovered by Kevin Locke.  File: smtpd/smtpd.c.

20110922

	Bugfix (introduced: Postfix 2.1): smtpd(8) sent multi-line
	responses from a before-queue content filter as text with
	bare <LF> instead of <CR><LF>.  Found during code maintenance.
	File: smtpd/smtpd_proxy.c.

20111011

	Cleanup: for consistency with the SMTP standard, the
	smtp_line_length_limit default value was increased from 990
	characters to 998 (i.e. 1000 characters including <CR><LF>).
	File: global/mail_params.h, proto/postconf.proto.

	Cleanup: the Postfix sendmail command now always transforms
	all input lines ending in <CR><LF> into UNIX format (lines
	ending in <LF>).  This simplifies integration with third-party
	mail generating applications. Specify "sendmail_fix_line_endings
	= strict" to restore historical Postfix behavior (i.e. convert
	all input lines ending in <CR><LF> only if the first input
	line ends in <CR><LF>).  Files: sendmail/sendmail.c,
	global/mail_params.h, proto/postconf.proto.

20111017

	Cleanup: refined the heuristic that automagically transforms
	legacy "sendmail -V" VERP requests into contemporary "sendmail
	-XV" syntax.  File: sendmail/sendmail.c.

	Cleanup: when the cleanup daemon goes into discard mode,
	don't get stuck when it runs onto milter file descriptor
	information. File: cleanup/cleanup.c.

20111020

	EAI Future-proofing: don't apply strict_mime_encoding_domain
	checks to unknown message subtypes such as message/global*.
	File: global/mime_state.c.

20111025

	Bugfix (introduced: Postfix 2.8): postscreen sent non-compliant
	SMTP responses (220- followed by 421) when it could not
	hand off a connection to a real smtpd process, causing some
	remote SMTP clients to bounce mail. The fix redirects the
	client to the dummy SMTP engine which sends the 421 reply
	at the first legitimate opportunity.  Problem reported by
	Ralf Hildebrandt. Files: postscreen/postscreen_send.c,
	postscreen/postscreen_smtpd.c, postscreen/postscreen.h.

20111102

	Workaround: to improve inter-operability with broken remote
	SMTP servers, the Postfix SMTP client by default no longer
	appends the "AUTH=<>" option to the MAIL FROM command.
	Specify "smtp_send_dummy_mail_auth = yes" to restore the
	old behavior.

20111106

	Feature: "postconf -M" support to show Postfix's idea of
	what is in the master.cf file. File: postconf/postconf.c.

	Feature: postconf "-f" option to "nicely" format long lines
	from main.cf or master.cf. File: postconf/postconf.c.

20111108

	Cleanup: postconf finally supports dynamic configuration
	parameter names: parameters whose name depend on a mail
	delivery transport or spawn service in master.cf, and
	parameters whose names are specified with smtpd_restriction_classes
	in main.cf. This adds 70 parameters to the "postconf" output,
	more if additional mail delivery transports are defined in
	master.cf.  File: postconf/postconf.c.

20111109

	Cleanup: account for "," in smtpd_restriction_classes
	value (Victor Duchovni). File: postconf/postconf.c.

20111112

	Cleanup: postconf finally warns about possible mis-typed
	main.cf and master.cf parameter names (i.e. parameters that
	aren't used anywhere), and it finally displays user-defined
	main.cf parameters that *are* used.  File: postconf/postconf.c.

20111113

	Portability: specify ``make makefiles "CCARGS=-DNO_NIS
	..."'' to build on systems without NIS support. Files:
	makedefs, util/sys_defs.h.

	Cleanup: documented the postconf algorithms and their
	limitations, and added regression tests to speed up future
	development. File: postconf/postconf.c

20111117

	Cleanup: postconf didn't "bless" type "inet" service names.

	Cleanup: with pipelined sessions, smtp-sink flushed the
	output too often. Reported by Mark Martinec. File:
	smtpstone/smtp-sink.c.

	Workaround: don't use IPv6 at build time. File: conf/main.cf.

	Workaround: don't abort when IPv6 is present but busted.
	File: util/inet_proto.c.

	Portability: the Dovecot 2.0 authentication server supports
	more socket types for its authentication server. File:
	xsasl/xsasl_dovecot_server.c.

	Documentation: the Dovecot 2.0 authentication server supports
	communication over TCP sockets. Patrick Ben Koetter.  File:
	proto/SASL_README.html.

20111118

	Cleanup: "postconf -M" now supports filtering. For example,
	"postconf -M inet" shows only services that listen on the
	network, and "postconf -M smtp.unix" shows the SMTP delivery
	agent. File: postconf.c.

20111119

	Cleanup: "postconf" commands in postfix-install needed to
	be updated before master.cf was installed.  Reported by
	Sahil Tandon. File: postfix-install.

20111120

	Cleanup: support for parameter name spaces for master.cf
	entries. With this, postconf should no longer log false
	warnings for "-o user-defined-name=value" in master.cf.  As
	a benefit, it will warn for user-defined parameters with
	"name=value" entries that are unused because they are hidden
	by master.cf "-o name=value" entries with the same parameter
	name.  File: postconf/postconf.c.

20111121

	Cleanup: documentation fixes. File: postconf/postconf.c.

	Cleanup: in postconf "main.cf management" mode, errors
	opening master.cf are non-fatal. File: postconf/postconf.c.

20111122

	Documentation: examples to request VERP-style delivery at
	SMTP time with the smtpd_command_filter feature.  Files:
	proto/VERP_README.html, proto/postconf.proto.

	Feature: TLS certificate public-key fingerprint matching
	(SMTP server and client), and TLS logging cleanup. Victor
	Duchovni. Files: proto/SMTPD_POLICY_README.html,
	proto/TLS_README.html, proto/postconf.proto, global/mail_proto.h,
	smtpd/smtpd_check.c, tls/tls.h, tls/tls_client.c, tls/tls_misc.c,
	tls/tls_proxy_print.c, tls/tls_proxy_scan.c, tls/tls_server.c,
	tls/tls_stream.c, tls/tls_verify.c.

	Documentation: complete list of "make makefiles" overrides.
	File: proto/INSTALL.html.

	Cleanup: postscreen now logs more than the first word of
	non-SMTP commands. File: postscreen/postscreen_smtpd.c.

20111124

	Cleanup: eliminated false postconf "unused parameter"
	warnings with legacy parameters such as $virtual_maps, and
	with non-default parameter values for smtpd_expansion_filter
	that can contain legitimate "$" without a macro name.

	Cleanup: split postconf source into separate modules.
	Files: postconf/postconf.c, postconf/postconf_builtin.c,
	postconf/postconf_edit.c, postconf/postconf_main.c,
	postconf/postconf_master.c, postconf/postconf_misc.c,
	postconf/postconf_node.c, postconf/postconf_other.c,
	postconf/postconf_service.c postconf/postconf_unused.c,
	postconf/postconf_user.c, postconf/postconf.h.

20111126

	Bitrot: changes in error reporting to the under-documented
	OpenLDAP API. Problem reported by Quanah Gibson-Mount. Fix
	by Viktor Dukhovni. File: global/dict_ldap.c.

	Cleanup: four-space indentation had become a tab character.
	Files: postconf/postconf.h, postconf/test20.ref,
	postconf/test21.ref.

20111127

	Cleanup: documented <transport>_suffix parameters that don't
	show in postconf command output of earlier Postfix versions.
	Files: proto/SMTPD_POLICY_README.html, proto/postconf.proto,
	proto/SCHEDULER_README.html.

	Cleanup: added the pipe(8) delivery agent to the list of
	programs that implement transport_time_limit parameters.
	File: postconf/postconf_service.c, postconf/test6.ref,
	postconf/test22.ref.

20111128

	Feature: "postconf -C class,..." support to print parameters
	in one or more classes (builtin= built-in parameter names,
	service=service-defined parameter names, user=user-defined
	parameter names). Files: postconf/postconf.c, postconf/postconf.h,
	postconf_service.c, postconf/postconf_user.c.

20111129

	Cleanup: TLS logging level configuration. Files:
	global/mail_params.h, smtp/lmtp_params.c, smtp/smtp.c,
	smtp/smtp_params.c, smtp/smtp_proto.c, smtpd/smtpd.c,
	tls/tls.h, tls/tls_client.c, tls/tls_misc.c, tls/tls_server.c,
	tlsmgr/tlsmgr.c, tlsproxy/tlsproxy.c.

20111203

	Cleanup: time-dependent sender addresses of address
	verification probes.  Specify an address_verify_sender_ttl
	value of several hours or more to frustrate address harvesting.
	Files: global/verify_sender_addr.[hc], smtpd/smtpd.c,
	smtpd/smtpd_check.c, verify/verify.c, proto/postconf.proto,
	proto/ADDRESS_VERIFICATION_README.html.

20111204

	Cleanup: removed the log_level arguments from tls_client_start()
	and tls_server_start() calls. This information is already
	given to tls_client_init() and tls_server_init(). Files:
	smtpd/smtpd.c, tlsproxy/tlsproxy.c, smtp/smtp_proto.c,
	tls/tls.h, tls/tls_client.c, tls/tls_server.c, tls/tls_misc.c.

20111205

	Documentation: made the postconf(5) manpage more precise
	in its use of "client" and "server"; reorganized the
	TLS_README presentation of client configuration so that
	most relevant information is presented earlier. Files:
	proto/postconf.proto, proto/TLS_README.html.

	Bugfix: tlsproxy(8) stored TLS sessions with a serverID of
	"tlsproxy" instead of "smtpd", wasting an opportunity for
	session reuse.  File: tlsproxy/tlsproxy.c.

20111206

	Documentation: removed descriptions of Postfix < 2.3 user
	interface from TLS_README. Users of earlier releases are
	referred to TLS_LEGACY_README. File: proto/TLS_README.html.

20111207

	Cleanup: tlsproxy(8) now receives the session cache serverID
	from its client (postscreen(8)). Files: global/mail_proto.h,
	postscreen/postscreen_starttls.c, tlsproxy/tlsproxy.[hc],
	tlsproxy_state.c.

	Cleanup: the postscreen(8) daemon did not support a zero
	cache cleanup interval. This is needed for memcache support.
	File: postscreen/postscreen.c.

	Bugfix (introduced: 20110227): null pointer bug while
	updating dictionary owner attributes, after reading an empty
	(database) configuration file. File: util/dict.c.

20111208

	Cleanup: db_common_parse_domain() could not be called without
	preceding db_common_parse() call. Files: global/db_common.[hc].

20111209

	Feature: memcache client support. This implementation is
	based on the under-documented libmemcache library, and
	therefore supports only libmemcache version 1.4.0.  Files:
	conf/postfix-files, global/dict_memcache.[hc], global/mail_dict.c,
	html/index.html, mantools/postlink, postconf/postconf.c,
	postfix/postfix.c, proto/DATABASE_README.html,
	proto/MEMCACHE_README.html, proto/memcache_table.

20111209

	Cleanup: support for scripted and manual database tests with
	LDAP, *SQL, and memcache. Files: util/dict_test.c, util/dict.c,
	global/mail_dict.c.

	Workaround: apparently, some distributions use Postfix
	shared libraries without proper so-number versioning. This
	causes programs to fail mysteriously, after an update
	replaces the Postfix library but not the program (someone
	experienced this with an extra copy of the Postfix SMTP
	server).  Files: global/mail_version.[hc], master/*server.c,
	master/master.c, src/postalias/postalias.c,
	src/postdrop/postdrop.c, src/postfix/postfix.c,
	src/postlog/postlog.c, src/postmap/postmap.c,
	src/postmulti/postmulti.c, src/postqueue/postqueue.c,
	src/postsuper/postsuper.c, src/sendmail/sendmail.c.

20111211

	Feature: first/next (sequence) support in the proxymap
	protocol. This is needed for cache cleanup of a proxied
	postscreen or verify persistent cache. Files:
	global/dict_proxy.[hc], proxymap/proxymap.c.

	Feature: memcache client support without libmemcache
	dependencies. Files: global/memcache_proto.[hc],
	global/dict_memcache.c.

	Bugfix: missing lookup table entry and terminator, causing
	proxymap(8) server segfault when postscreen(8) or verify(8)
	attempted to access their cache via the proxymap(8) server.
	This could never have worked anyway, because the Postfix
	proxymap protocol did not support cache cleanup.  File
	util/dict.c.

	Feature: support for persistent backup database in the
	memcache client. The database can be shared with the proxymap
	service, but it needs to be listed as "proxy:maptype:mapname"
	in the proxy_read_maps or proxy_write_maps parameter value
	(depending on whether the access is read-only or read-write).
	Support for proxymap-over-tcp (proxy:maptype:mapname@host:port)
	is under development.  File: global/dict_memcache.c.

20111214

	Documentation: updated the submission and smtps examples
	in the sample master.cf file, so that their logging is
	easier to recognize.  File: conf/master.cf.

20111215

	Documentation: use different hosts to separate MUA "port
	25" traffic from the "port 25" MX service. Files:
	postscreen/postscreen.c, proto/POSTSCREEN_README.html.

20111216

	Cleanup: the proxymap client did not correctly propagate
	the "open_lock" flag, causing the proxymap service to open
	postscreen(8) and verify(8) caches twice, instead of once.
	File: global/dict_proxy.c.

	Cleanup: the verify and postscreen caches were not listed
	as "authorized" for access via the proxywrite service. File:
	global/mail_params.h.

	Refactoring: the postscreen permanent access list code is
	now a library module, so that it can be also used for remote
	access to the proxymap server.  Files: global/server_acl.[hc].

	Hardening: read/write deadlines, to make the proxymap server
	suitable for remote access. File: proxymap/proxymap.c.

20111217

	Cleanup: more orthogonal definition of when the proxymap
	server can/cannot share a single map instance among multiple
	requestors, and corresponding code cleanup in the proxymap
	client and server. Files: util/dict.h, util/dict_test.c,
	global/dict_proxy.c, proxymap/proxymap.c.

	Human factors: the postscreen/verify cache manager now logs
	the full database name including the proxy: prefix, to avoid
	WTF surprises. File: util/dict_cache.c.

20111218

	Cleanup: more configurable memcache client error handling.
	Files: global/dict_memcache.c, proto/memcache_table.

	Feature: the Postfix SMTP server XCLIENT command now supports
	the LOGIN attribute (e.g., login information from nginx).
	Based on the nginx:xclient-login-patch from citrin.ru (Anton
	Yuzhis). The patch was further enhanced to support SASL
	login information everywhere in the Postfix SMTP server
	without having to specify "smtpd_sasl_auth_enable = yes"
	in main.cf.  Files: smtpd.[hc], smtpd_sasl_glue.[hc],
	smtpd_check.c, smtpd_sasl_proto.[hc], smtpd_state.c,
	proto/XCLIENT_README.html.

	Incompatibility: the Postfix SMTP server now always checks
	the smtpd_sender_login_maps table, even without having
	"smtpd_sasl_auth_enable = yes" in main.cf.

20111219

	Cleanup: the match_list-based primitives now provide an
	option to return an error result instead of terminating the
	process with a fatal error.  Files: util/match_ops.[hc],
	util/match_list.c, global/addr_list_match.c, domain_list.c,
	string_list.c, namadr_list.c.

	Cleanup: a "fail:" database type that reliably fails all
	requests. The lookup table name specifies the internal error
	result code. having this table facilitates a systematic
	review of all Postfix table lookup error handling.

	Cleanup: trivial-rewrite now "catches" errors with implicit
	database lookups in virtual_alias_domains, relay_domains,
	virtual_mailbox_domains, just like it already caught explicit
	database lookup errors. This means there are fewer occasions
	where trivial-rewrite clients will appear to hang. File:
	trivial-rewrite/resolve.c.

	Cleanup: a broken relay_domains table would cause many
	Postfix processes to terminate with fatal error as they
	initialized the flush() client (used by defer_append()
	etc.). Postfix now logs a warning instead.  File:
	global/flush_clnt.c.

	Cleanup: the Postfix SMTP server now "catches" errors with
	implicit database lookups in mynetworks, TLS client certificate
	tables, and local_header_rewrite_clients, and reports "server
	configuration error" or "table lookup error" instead of
	terminating with a fatal error. This is work in progress;
	errors with opening a database may be covered later. Files:
	smtpd/smtpd.c, smtpd/smtpd_check.c.

20111220

	Cleanup: the Postfix SMTP server now "catches" errors with
	implicit database lookups in mynetworks, debug_peer_list,
	smtpd_client_event_limit_exceptions, permit_mx_backup_networks.
	This continues work started 20111219, and does not cover
	errors with opening a database.  Files: smtpd/smtpd.c,
	smtpd/smtpd_checks.c, smtpd/smtpd_error.in, smtpd/smtpd_error.ref.

	Cleanup: memory leak testing of error handling. File:
	util/name_mask.c.

20111222

	Cleanup: memory leak testing of error handling. File:
	util/name_mask.c.

	Cleanup: simplified the match_list error reporting, thereby
	reducing the footprint of the changes to "catch" errors
	with implicit database lookups in mynetworks, and other
	lists.  Files: util/match_ops.[hc], util/match_list.c,
	global/addr_list_match.c, domain_list.c, string_list.c,
	namadr_list.c, trivial-rewrite/resolve.c, smtpd/smtpd.c,
	smtpd/smtpd_check.c, global/flush_clnt.c, flush/flush.c.

20111224

	Cleanup: eliminated the global dict_errno variable that
	made error reporting convenient but not necessarily precise.
	This was a straightforward change except in the few modules
	that propagate errors from one dictionary API to another:
	dict_cache.c, dict_debug.c, maps.c, dict_memcache.c.  Files:
	src/cleanup/cleanup_map11.c, src/cleanup/cleanup_map1n.c,
	src/global/addr_match_list.c, src/global/dict_ldap.c,
	src/global/dict_memcache.c, src/global/dict_mysql.c,
	src/global/dict_pgsql.c, src/global/dict_proxy.c,
	src/global/dict_sqlite.c, src/global/domain_list.c,
	src/global/flush_clnt.c, src/global/mail_addr_find.c,
	src/global/mail_addr_map.c, src/global/maps.c, src/global/maps.h,
	src/global/match_parent_style.h, src/global/namadr_list.c,
	src/global/resolve_local.c, src/global/resolve_local.h,
	src/global/server_acl.c, src/global/string_list.c,
	src/local/alias.c, src/local/bounce_workaround.c,
	src/local/mailbox.c, src/local/unknown.c, src/proxymap/proxymap.c,
	src/qmqpd/qmqpd.c, src/smtp/smtp_map11.c, src/smtpd/smtpd_check.c,
	src/trivial-rewrite/resolve.c, src/trivial-rewrite/transport.c,
	src/util/dict.h, src/util/dict_alloc.c, src/util/dict_cache.c,
	src/util/dict_cidr.c, src/util/dict_db.c, src/util/dict_debug.c,
	src/util/dict_env.c, src/util/dict_fail.c, src/util/dict_ht.c,
	src/util/dict_pcre.c, src/util/dict_regexp.c,
	src/util/dict_static.c, src/util/dict_tcp.c, src/util/dict_test.c,
	src/util/dict_thash.c, src/util/dict_unix.c, src/util/match_list.c,
	src/util/match_list.h, src/util/match_ops.c, src/virtual/mailbox.c.

20111226

	Bugfix (introduced 20110426): after lookup error with
	mailbox_transport_maps, mailbox_command_maps or
	fallback_transport_maps, the local delivery agent did not
	log the problem before deferring mail, and produced no defer
	logfile record. Files: local/mailbox.c, local/unknown.c.

20120102

	Workaround: degrade gracefully when the network protocols
	specified with inet_protocols are unavailable.  Files:
	global/mail_params.c, global/mynetworks.c, global/own_inet_addr.c
	master/master_ent.c, master/master_vars.c, postscreen/postscreen.c,
	qmqpd/qmqpd.c, smtp/smtp_connect.c, smtpd/smtpd.c,
	util/inet_proto.c.

20120107

	Workaround: degrade gracefully when the "domain" feature
	of LDAP, *SQL and memcache databases has a table lookup
	problem.  Files: global/db_common.c, global/dict_ldap.c,
	global/dict*sql*.c, global/dict_memcache.c.

	Cleanup: fixed memcache client error handling for things
	that never happen.  global/dict_memcache.c.

	Future proofing: prepare postmap/postalias error logging
	for future changes to database code. Files: postalias/postalias.c,
	postmap/postmap.c.

20120108

	Cleanup: the postscreen(8) and verify(8) cache managers log
	warnings at a reduced rate of one per second per cache
	operation, to avoid logging large numbers of warnings about
	a problem with low-value information. File: util/msg_rate_delay.c,
	util/dict_cache.c.

20120110

	Cleanup: added logging for failed table lookups, and replaced
	some "fatal" errors by warnings. Files: cleanup/cleanup_addr.c,
	cleanup/cleanup_message.c, cleanup/cleanup_milter.c,
	cleanup/cleanup_masquerade.c, global/header_body_checks.c,
	global/smtp_stream.c, postscreen/postscreen_dnsbl.c,
	postscreen/postscreen_smtpd.c, smtp/smtp_chat.c,
	smtp/smtp_proto.c, smtp/smtp_sasl_auth_cache.c,
	smtp/smtp_sasl_glue.c, smtp/smtp_session.c, smtp/smtp_trouble.c,
	smtpd/smtpd.c, smtpd/smtpd_check.c.

20120114

	Cleanup: gradual degradation after database file open errors.
	Instead of terminating immediately with a "fatal" error, a
	Postfix daemon logs an error and continues execution with
	reduced functionality. In other words, features that don't
	depend on the unavailable table will keep working.  However,
	for the sake of sanity, the number of such errors over the
	life of a process is limited to 13.  Files:
	src/global/cfg_parser.c, src/util/dict_thash.c,
	src/util/dict_cidr.c, src/util/dict_nis.c, src/util/dict_nisplus.c,
	src/global/dict_ldap.c, src/global/dict_mysql.c,
	src/global/dict_pgsql.c, src/global/dict_sqlite.c,
	src/postconf/postconf_main.c, src/global/mail_conf.c,
	src/util/dict.h, src/util/dict.c, src/global/dict_memcache.c,
	src/util/dict_tcp.c, src/util/dict_unix.c, src/util/dict_pcre.c,
	src/util/dict_regexp.c, src/master/trigger_server.c,
	src/master/single_server.c, src/master/multi_server.c,
	src/master/event_server.c, src/util/dict_test.c,
	src/util/dict_surrogate.c, src/util/dict_alloc.c, src/util/msg.c,
	src/util/dict_cdb.c, src/util/dict_dbm.c, src/util/msg.h,
	src/util/dict_db.c.

	Incompatibility: the Postfix SMTP server no longer reports
	transcripts of sessions where a client command is rejected
	because a table is unavailable.  To receive such reports,
	add the new "data" class to the notify_classes parameter
	value. The reports will be sent to the error_notice_recipient
	address as before. This class is also used by the Postfix
	SMTP client to report about sessions that fail because a
	table is unavailable. Files: global/mail_error.[hc],
	smtpd/smtpd_check.c, smtp/smtp_trouble.c.

20120115

	Fine tuning: SMTP server error messages. File: smtpd/smtpd.c.

	Fine tuning: documentation. Files: proto/MEMCACHE_README.html.
	proto/memcache_table.html.

	Apply "gradual degradation" also when an unsupported database
	*type* is specified. File: util/dict_open.c.

	Cleanup: tiny memory leaks after surrogate database opens.
	Files: util/dict_cidr.c, util/dict_db.c.

20120117

	Cleanup: support for legacy-style database configuration
	where parameter names are generated by appending suffixes
	to the database name. Files: postconf/postconf_dbms.c.

	Other: build without Berkeley DB support (make makefiles
	"CCARGS=$CCARGS -DNO_DB"). Files: makedefs, util/sys_defs.h,
	proto/DB_README.html, proto/INSTALL.html.

20120120

	Compatibility: added file pflogsumm_quickfix.txt with quick
	patches for pflogsumm that handle the new default master.cf
	entries for the submission and smtps services.

20120121

	Cleanup: getopt(3) compatibility in the postconf(1) master.cf
	parser. Process "--" as the end-of-options indicator, and
	process "-oname=value" as "-o name=value".  Files:
	util/argv.[hc], postconf/postconf_master.cf,
	postconf/postconf_user.c.

20120122

	Workaround: log a warning and suggested solution for common
	stat()/fstat()/lstat() problems caused by 32-bit overflow.
	This is a real stinker that causes Postfix to fail without
	any prior warning.  File: util/warn_stat.[hc], and everything
	that directly calls stat(), fstat() or lstat().

20120127

	Bugfix (introduced: Postfix 2.8): the Postfix client sqlite
	quoting routine returned the unquoted result instead of the
	quoted text.  The opportunities for misuse are limited,
	because Postfix sqlite files are usually owned by root, and
	Postfix daemons usually run with non-root privileges so
	they can't corrupt the database. Problem reported by Rob
	McGee (rob0).  File: global/dict_sqlite.c.

20120130

	Bugfix (introduced: Postfix 2.3): the trace service did not
	distinguish between DSN SUCCESS notifications for a non-bounce
	or a bounce message. This code pre-dates DSN support and
	should have been updated when it was re-purposed to handle
	DSN SUCCESS notifications. Problem reported by Sabahattin
	Gucukoglu.  File: bounce/bounce_trace_service.c.

20120202

	Bugfix (introduced: Postfix 2.3): the "change header" milter
	request could replace the wrong header. A long header name
	could match a shorter one, because a length check was done
	on the wrong string.  Reported by Vladimir Vassiliev.  File:
	cleanup/cleanup_milter.c.

20120214

	Bugfix (introduced: Postfix 2.4): extraneous null assignment
	caused core dump when postlog emitted the "usage" message.
	Reported by Kant (fnord.hammer). File: postlog/postlog.c.

20120217

	Bugfix (introduced 20111219): sendmail -bs segfault, due
	to a missing guard statement after an smtpd_check_rewrite()
	call was moved closer to the command processor loop. Fix
	by Bartek Szady. File: smtpd/smtpd.c.

20120220

	Cleanup: documentation of how to use only system-supplied
	certificates with *CAfile and *CApath. File: proto/postconf.proto.

	Cleanup: documentation of smtp_sasl_mechanism_filter.  File:
	proto/postconf.proto.

20120222

	Cleanup: when multiple DNSBLs block an SMTP client, the
	postscreen "reject" message now gives credit to the DNSBL
	with the largest weight, instead of the DNSBL that replies
	first. File: postscreen/postscreen_dnsbl.c.

	Cleanup: memcache_table(5) manpage. File proto/memcache_table.

20120225

	Cleanup: eliminated the build-time Perl dependency.  File:
	bounce/annotate.sh.

	Cleanup: when -DNO_DB support was added, the makedefs script
	was not updated to skip the Linux Berkeley DB tests.

	FreeBSD9 is now a supported platform. Files: makedefs,
	util/sys_defs.h.

20120226

	Cleanup: documentation in postfix-install.

20120229

	Feature: smtpd_log_access_permit_actions to enable logging
	of specific permit-like actions in Postfix SMTP server
	access lists.  Files: mantools/postlink, proto/postconf.proto,
	global/mail_params.h, smtpd/smtpd.c, smtpd/smtpd_check.c.

20120306

	To improve the interaction with start-up scripts, "postfix
	start" now waits for master daemon process initialization
	to complete, and returns a non-zero exit status if daemon
	initialization failed or if it did not complete in a
	reasonable amount of time. This involves a new "-w" master
	option.  Files: conf/postfix-script, master/master.c,
	master/master.h.  master/master_monitor.c.

20120307

	postconf -X option to exclude parameters from main.cf
	(require two-finger action, because this is irreversible).
	Files: postconf/postconf.[hc], postconf/postconf_edit.c.

20120317

	Feature: Sendmail-style socketmap.  Files: util/dict_sockmap.[hc],
	util/netstring.[hc], proto/DATABASE_README.html,
	postconf/postconf.c.

20120330

	Workaround: specify "\c" at the start of an smtpd_reject_footer
	template to suppress the line break between the reply text
	and the footer text. Files: global/smtp_reply_footer.c,
	proto/postconf.proto.

20120401

	Bugfix (introduced Postfix 2.6): irrelevant memory leak
	that was introduced with postconf -#. File:
	postconf/postconf_edit.c.

	Bitrot: shut up useless warnings about Cyrus SASL call-back
	function pointer type mis-matches. Files: xsasl/xsasl_cyrus.h,
	xsasl/xsasl_cyrus_server.c, xsasl/xsasl_client.c.

20120404

	Cleanup: added smtpd_sender_login_maps to the default
	proxy_read_maps value. Files: global/mail_params.h,
	proxymap/proxymap.c.

	Cleanup: weed out stale TODO's from the WISHLIST, and moved
	some CYA text from WISHLIST into the code. Files: WISHLIST,
	smtpd/smtpd_proxy.c.

20120407

	Bugfix (introduced: 20120330): don't replace <reply-code>
	<space> by <reply-code> <hyphen> when a reply footer starts
	with \c and contains no \n. File: global/smtp_reply_footer.c.

20120422

	Bit-rot: OpenSSL 1.0.1 introduces new protocols. Update the
	known TLS protocol list so that protocols can be turned off
	selectively to work around implementation bugs.  Based on
	a patch by Victor Duchovni.  Files: proto/TLS_README.html,
	proto/postconf.proto, tls/tls.h, tls/tls_misc.c, tls/tls_client.c,
	tls/tls_server.c.

20120425

	Workaround: bugs in 10-year old gcc versions break compilation
	with #ifdef inside a macro invocation (NOT: definition).
	Files: tls/tls.h, tls/tls_client.c, tls/tls_server.c.

20120426

	Bugfix (introduced Postfix 2.9): the postconf command flagged
	parameters defined in master.cf as "unused" when they were
	used only in main.cf. Problem reported by Michael Tokarev.
	Files: postconf/postconf_user.c, postconf/test4b.ref,
	postconf Makefile.in.

20120513

	Cleanup: report both the first and last line number when a
	malformed main.cf entry spans multiple lines, instead of
	reporting the last line number only. File: util/dict.c,
	util/line_number.[hc].

20120516

	Workaround: apparently, FreeBSD 8.3 kqueue notifications
	sometimes break when a dnsblog(8) process loses an accept()
	race on a shared socket, resulting in repeated "connect to
	private/dnsblog service: Connection refused" warnings.  This
	condition is unique to dnsblog(8). The postscreen(8) daemon
	closes a postscreen-to-dnsblog connection as soon as it
	receives a dnsblog(8) reply, resulting in hundreds or
	thousands of connection requests per second.  All other
	multi-server daemons such as anvil(8) or proxymap(8) have
	connection lifetimes ranging from 5s to 1000s depending on
	server load.  The workaround is for dnsblog to use the
	single_server driver instead of the multi_server driver.
	This one-line code change eliminates the accept() race
	without any Postfix performance impact.  Problem reported
	by Sahil Tandon.  File: dnsblog/dnsblog.c.

	Logging: postscreen now logs a warning when a dnsblog(8)
	request takes longer than the hard-coded time limit of 10s.
	File: postscreen/postscreen_dnsbl.c.

20120517

	Workaround: to avoid crashes when the OpenSSL library is
	updated without "postfix reload", the Postfix TLS session
	cache ID now includes the OpenSSL library version number.
	Note: this problem cannot be fixed in tlsmgr(8). Code by
	Victor Duchovni. Files: tls/tls_server.c, tls_client.c.

20120520

	Bugfix (introduced Postfix 2.4): the event_drain() function
	was comparing bitmasks incorrectly causing the program to
	always wait for the full time limit. This error affected
	the unused postkick command, but only after s/fifo/unix/
	in master.cf.  File: util/events.c.

	Cleanup: laptop users have always been able to avoid
	unnecessary disk spin-up by doing s/fifo/unix/ in master.cf
	(this is currently not supported on Solaris systems).
	However, to make this work reliably, the "postqueue -f"
	command must wait until its requests have reached the pickup
	and qmgr servers before closing the UNIX-domain request
	sockets.  Files: postqueue/postqueue.c, postqueue/Makefile.in.

20120522

	Robustness: set LC_ALL=C in post-install to avoid surprises
	when parsing output from Postfix or non-Postfix commands.
	File: postfix-install.

20120611

	Bugfix (introduced: 20031216-21): with soft_bounce=yes, the
	SMTP client did not move on to the next MX host or fallback
	relay after a 5xx reply. File: smtp/smtp_trouble.c.

20120527-8

	Infrastructure: limited support to shrink VSTREAM buffers.
	The change takes place when reading from (a stream for the
	first time | an empty buffer) or when writing to (a stream
	for the first time | a full buffer). TODO: the change should
	also happen after purging or flushing a buffer.  File:
	util/vstream.c.

20120531-617

	Feature: haproxy support in postscreen(8) and smtpd(8).  To
	enable, specify "smtpd_upstream_proxy_protocol = haproxy"
	or "postscreen_upstream_proxy_protocol = haproxy".  Files:
	mantools/postlink, proto/postconf.proto, global/Makefile.in,
	global/haproxy_srvr.c, global/haproxy_srvr.h, global/mail_params.h,
	global/mail_proto.h, master/single_server.c, master/multi_server.c,
	master/event_server.c, postscreen/Makefile.in,
	postscreen/postscreen.c, postscreen/postscreen.h,
	postscreen/postscreen_endpt.c, postscreen/postscreen_haproxy.c,
	postscreen/postscreen_haproxy.h, postscreen/postscreen_send.c,
	postscreen/postscreen_state.c, smtpd/Makefile.in, smtpd/smtpd.h,
	smtpd/smtpd_peer.c, smtpd/smtpd_sasl_glue.c, smtpd/smtpd_haproxy.c,
	util/Makefile.in, util/listen.h, util/recv_pass_attr.c,
	util/stream_listen.c, util/sys_defs.h, util/unix_pass_listen.c.

20120618

	Cleanup: made the postscreen-to-smtpd haproxy attribute
	transmission more robust for Solaris. Files: util/sys_defs.h,
	util/connect.h, util/steam_listen.c, postscreen/postscreen_send.c.

	Cleanup: simplified the "stream used" workaround. Files:
	util/vstream.h, master/event_server.c, master/multi_server.c.

20120621

	Cleanup: simplified workarounds for Solaris streams versus
	UNIX-domain sockets.  Files: util/pass_accept.c (new),
	util/pass_trigger.c (new), util/stream_pass_connect.c
	(deleted), util/unix_pass_listen.c (deleted),
	util/unix_pass_trigger.c (deleted), updated header files,
	and replaced PASS_XXX macros by pass_xxx function calls.

	Cleanup: don't clobber errno when logging a problem.
	File util/msg_output.c.

20120627

	Bugfix (introduced: 20120531-617): in the postscreen module
	for HAproxy sypport, a VSTREAM buffer size request was not
	LP64-clean.  File: postscreen/postscreen_haproxy.c.

	Cleanup: avoid single-character reads in the postscreen
	HAproxy module. File: postscreen/postscreen_haproxy.c.

20120628

	Workaround: heuristic to detect missing (ssize_t) type-cast
	in VSTREAM buffer size requests. File: util/vstream.c.

20120629

	Workaround: "sendmail -bl" emulation. File: sendmail/sendmail.c.

20120630

	Cleanup: sub-optimal hash performance on systems where the
	"char" type is signed.  Files: util/htable.c, util/binhash.c.

20120702

	Bugfix (introduced: 19990127): the BIFF client leaked an
	unprivileged UDP socket. Fix by Jaroslav Skarvada.  File:
	local/biff_notify.c.

20120713

	Bugfix (introduced: 20120527-8): infrastructure to specify
	a smaller-than-default VSTREAM buffer, without the complex
	run-time checks. File: util/vstream.c, vstream_tweak.c.

20120714

	Cleanup: semantics of requests to query or modify the VSTREAM
	buffer size that will be used with the next read(2) or
	write(2) operation. Files: util/vstream.c, util/vstream.h,
	util/vstream_tweak.c.

20120717

	Documentation: update to RFC5321.

20120730

	Bugfix (introduced: 20000314): AUTH is not allowed after
	MAIL. Timo Sirainen.  Files: smtpd/smtpd.c, smtpd/smtpd.h,
	smtpd/smtpd_sasl_proto.c.

20120801

	Documentation: point of what virtual_xxx parameters are
	specific to the virtual(8) delivery agent, and will have
	no effect when mail is delivered with a different program.
	Files: proto/postconf.proto, proto/VIRTUAL_README.html.

20120824

	Feature: support for "sendmail -R hdrs|full". Jan Kundr?t.
	File: sendmail/sendmail.c.

20120902

	Documentation: updated TUNING_README with new pointers to
	the STRESS_README and POSTSCREEN_README documents. Miscellaneous
	documentation clarifications based on postfix-users discussions.

20120903

	Bugfix (introduced 20120317): the socketmap client should
	not share unrelated client endpoint handles. File:
	util/dict_sockmap.c.

20120907

	Cleanup (for change 20120824): the DSN RET attribute should
	not be stored once per recipient. It is a message property
	just like DSN ENVID.  File: sendmail/sendmail.c.

20120911

	Documentation: more explicit enumeration of what happens
	when setting a per-destination recipient limit value to 1.
	File: proto/postconf.proto.

20120918

	Documentation: clarified the bounce/queue_life-time parameter
	descriptions. File: proto/postconf.proto.

20120920

	Documentation: the postscreen_whitelist_interfaces parameter
	syntax was defined only by example. File: proto/postconf.proto.

20120923

	Infrastructure: cleaned up the support for database
	lock-on-open. This is needed for databases that are not
	multi-updater safe.  Files: util/dict_alloc.c, util/dict.c,
	util/dict_open.c, util/dict.h.  tls/tls_scache.c.

20120924

	Documentation: some people are read-challenged distribute
	their own incorrect understanding of master.cf syntax.
	File: proto/master.

	Cleanup: don't emulate UNIX-domain sockets over FIFOs on
	Solaris systems less than 10 years old. This allows us to
	globally s/fifo/unix/ in master.cf.  Files: makedefs,
	util/sys_defs.h.

	Laptop-friendliness: avoid disk spin-up on idle systems by
	s/fifo/unix/ in master.cf.  Files: conf/master.cf.

20120928-30

	Feature: smtpd_relay_restrictions, proposed long ago by
	Victor. The idea is to separate the mail relay policy from
	the spam blocking policy, so that a permissive spam blocking
	policy under smtpd_recipient_restrictions will no longer
	unexpectedly result in a permissive mail relay policy.

	This involves a change in default settings.  Similar to the
	way that local_recipient_maps was introduced, there is a
	safety net that prevents unexpected mail bounces when a
	site upgrades to Postfix 2.10 or later, and there is no
	change in documented smtpd_recipient_restrictions behavior.
	See the RELEASE_NOTES file for details.  Files:
	global/mail_params.h, smtpd/smtpd.c, smtpd/smtpd_check.c,
	proto/postconf.proto, proto/SMTPD_ACCESS_README.html,
	mantools/postlink, conf/post-install, RELEASE_NOTES.

20120931-1001

	Documentation: updated the remainder of the README files
	and manual pages that discuss smtpd_recipient_restrictions.

20121001

	Cleanup: prepend 5.1.1 status code to "User unknown in
	virtual alias table". File: trivial-rewrite/resolve.c.

20121003

	Bugfix: the postscreen_access_list feature was case-sensitive
	in the first character of permit, reject, etc. Reported by
	Francis Picabia. File: global/server_acl.c.

20121009

	Documentation: interaction between delay_warning_time,
	notify_classes and delay_notice_recipient. File:
	proto/postconf.proto.

20101009

	Human factors: log a warning that the postcat option -m
	without -h or -b has no effect. File: postcat/postcat.c.

20121010

	Bugfix (introduced: Postfix 2.5): memory leak in program
	initialization. Reported by Coverity. File: tls/tls_misc.c.

	Bugfix (introduced: Postfix 2.3): memory leak in the unused
	oqmgr program. Reported by Coverity. File: oqmgr/qmgr_message.c.

20121011

	Documentation: how to enable /etc/hosts multi-record lookups
	with main.cf settings.  File: proto/LINUX_README.html.

	Documentation: clarified the postscreen-tlsproxy interface.
	File: tlsproxy/tlsproxy.c.

20121012

	Documentation: a simpler null-client example.  File:
	proto/STANDARD_CONFIGURATION_README.html

20121013

	Cleanup: to compute the LDAP connection cache lookup key,
	join the numeric fields with null, just like string fields.
	Viktor Dukhovni. File: global/dict_ldap.c.

20121015

	Documentation: added section on regular-expression tables
	to the aliases(5) manpage. File: proto/aliases.

	Documentation: why "smtp_address_preference = any" is the
	preferred setting. File: proto/postconf.proto.

20121022

	Bugfix (introduced 20101009) don't complain about stray -m
	option if none of -[bhm] is specified. Ralf Hildebrandt.
	File: postmap/postmap.c.

20121029

	Workaround: strip datalink suffix from IPv6 addresses
	returned by the system getaddrinfo() routine.  Such suffixes
	mess up the default mynetworks value, host name/address
	verification and possibly more. This change obsoletes the
	20101108 change that removes datalink suffixes in the SMTP
	and QMQP servers.  Files: util/myaddrinfo.c, smtpd/smtpd_peer.c,
	qmqpd/qmqpd_peer.c.

20121031

	Bugfix: smtpd_relay_restrictions compatibility shim did not
	detect "empty" value.  Sahil Tandon. The same problem existed
	with the inet_protocols shim. File: conf/post-install.

20121105

	Cleanup: the postscreen(8) "deep protocol" tests now log
	the SMTP command that precedes a protocol violation.  Files:
	postscreen/postscreen_smtpd.c, proto/POSTSCREEN_README.html.

	Bugfix (introduced: Postfix 1.1): wrong string termination
	when handling an MBOX From_ line at the start of a message.
	File: qmqpd/qmqpd.c.

20121110

	Cleanup: specify $(WARN) on the MacOS X compiler command
	line to suppress "nested comment" and possibly other unwanted
	warnings. Problem reported by Jim Reid. File: makedefs,
	Makefile.in.

20121119

	Documentation: added a note that key_format is required
	when postscreen(8) and verify(8) share the same memcache
	(with different persistent backup databases, or course)
	otherwise automatic cache cleanup breaks due to a name
	collision for the "last cache cleanup" database record.
	File: proto/memcache.

20121122

	Cleanup: the safety-check for smtpd_recipient_restrictions
	and smtpd_relay_restrictions now detects permit before
	reject.  File: smtpd/smtpd_check.c.

	Cleanup: the safety-check for smtpd_recipient_restrictions
	and smtpd_relay_restrictions is no longer case-sensitive.
	File: smtpd/smtpd_check.c.

20121123

	Cleanup: consistent escaping of commands in postscreen deep
	protocol test logging. File: postscreen/postscreen_smtpd.c.

20121124

	Documentation: the bounce behavior for automatically-added
	BCC recipients has changed with Postfix 2.3 when DSN support
	was introduced.  File: proto/postconf.proto.

20121203

	Documentation: added explicit example for -o name=value.
	File: proto/master.

20121210

	Bugfix (introduced: Postfix 2.9) nesting count error while
	stripping the optional [] around a DNS[BW]L address pattern.
	This part of the code is not documented and had escaped
	testing.  Files: util/ip_match.c, util/ip_match.in,
	util/ip_match.ref.

20121215

	Bugfix (introduced: 19980218, when recipient_delimiter
	support was added): The error message for unknown local
	users (or missing required aliases) should report the user
	name instead of the full localpart which may contain an
	address extension.  Problem reported by Christian Holler.
	File: local/unknown.c.

20121221

	Feature: "postconf -x" support to expand $name in main.cf
	parameter values. Files: postconf/postconf_main.c,
	postconf/postconf.h, postconf/postconf_node.c, postconf/postconf.c.

20121222

	Feature: postconf support to warn about an attempt to modify
	a read-only parameter (process_name etc.) in main.cf or
	master.cf. Files: postconf/postconf_readonly.c,
	postconf/postconf_builtin.c.

20121223

	Feature: postconf support to warn about an undefined $name
	in a parameter value in main.cf or master.cf (except for
	backwards-compatibility parameters such as $virtual_maps)
	Files: postconf/postconf_user.c, postconf_dbms.c,
	postconf_builtin.c, util/dict_ht.c, util/htable.c.

	Feature: "postconf -Mx" support to expand $name in master.cf
	parameter values.  Files: postconf/postconf_master.c,
	postconf/postconf_lookup.c, postconf/postconf_main.c,
	postconf/postconf.c.

20121224

	Feature: "postconf -Mn" support to print only master.cf
	entries that have "-o name=value" parameter setttings.
	Files: postconf/postconf_master.c.

20121226

	Miscellaneous cleanups of postconf internal APIs, identifiers
	and comments. No changes in behavior.

	Bugfix (omission in feature 20111203): the SMTP server only
	supported time-dependent address-verification sender addresses
	with RCPT TO but not with MAIL FROM. File: smtpd/smtpd.c.

20121227

	Feature: "postconf -o name=value" support to override main.cf
	settings (for example, "postconf -x -o stress=whatever"
	shows effective settings under overload). Files:
	postconf/postconf.c, postconf/postconf_main.c.

20121230

	Cleanup: postconf(1) master.cf options parser. Files:
	postconf/postconf_master.c, postconf/postconf_user.c.

	Bugfix (omission in feature 20111106): the postconf(1)
	master.cf options parser didn't support "clusters" of
	command-line option letters. Files: postconf/postconf_master.c,
	postconf/test40.ref.

20130105

	Undo a change made around 20121224, and always whitelist
	configuration parameter names for legacy-style proxy:ldap:prefix
	etc.  lookup tables.  Files: postconf/postconf_dbms.c,
	postconf/test28.ref, postconf/test29.ref, postconf/Makefile.in.

20130107

	Factor out the master.cf line parser so that it can be
	reused for "postconf -Me". File: postconf/postconf_master.c.

20130113

	Feature: master.cf attribute namespace. "postconf -F" shows
	individual master.cf fields as "service/type/attribute =
	value", where attribute is "service", "type", "private",
	"unprivileged", "wakeup", "process_limit", or "command".

20130121

	Bugfix (introduced 20120307): the postconf -X option erased
	other options.  File: postconf/postconf.c.

20130131

	Bugfix: the local(8) delivery agent dereferenced a null
	pointer while delivering to null command (for example, "|"
	in a .forward file).  Reported by Gilles Chehade.

20130203

	Bugfix: the undocumented OpenSSL X509_pubkey_digest()
	function is unsuitable for computing certificate PUBLIC KEY
	fingerprints.  Postfix now provides a correct procedure
	that accounts for the algorithm and parameters in addition
	to the key data.  Specify "tls_legacy_public_key_fingerprints
	= yes" if you need backwards compatibility. Fix by Victor
	Duchovni, BC added by Wietse.  Files: tls/tls_verify.c,
	tls/tls_misc.c, proto/TLS_README.html, global/mail_params.h.

20130210

	Bugfix: an error handler for smtp_tls_policy_maps lookups
	was never invoked.  File: smtp/smtp_session.c.

20130212

	Cleanup: logfile message formatting (X: subject_CN=X,
	issuer_CN=X, fingerprint=X, pkey_fingerprint=X). File:
	tls/tls_client.c.

20130315

	Feature: LMDB (memory-mapped persistent file) support by
	Howard Chu. This implementation has unexpected failure modes
	that don't exist with other Postfix databases, so don't
	just yet abandon CDB.  See LMDB_README for details.  Files:
	proto/postconf.proto, proto/LMDB_README.html,
	proto/DATABASE_README.html, proto/INSTALL.html util/dict_lmdb.[hc],
	util/dict_open.c, global/mkmap_lmdb.[hc], global/mkmap_open.c,
	postconf/postconf.c.

20130316

	Cleanup: new Postfix dictionary API flag to control the use
	of (LMDB) bulk database transactions.  With this, LMDB
	databases no longer fail to commit any transactions with
	tlsmgr(8), and LMDB databases no longer perform glacially
	slow with postmap -i/postalias -i.  Files: util/dict.h,
	util/dict_lmdb.c, postmap/postmap.c, postalias/postalias.c.

20130317

	Debugging: generalized setting of dictionary API flags.
	File: util/dict.[hc], util/dict_test.c.

	Robustness: Postfix programs can now recover from LMDB
	"database full" errors without requiring human intervention.
	When a program opens an LMDB file larger than lmdb_map_size/3,
	it logs a warning and uses a larger size limit instead.
	Files: util/dict_lmdb.c, proto/LMDB_README.html.

20130318

	Portability: botched #ifdef. File: util/dict_lmdb.c.

20130319

	Postfix support for LMDB databases is suspended due to the
	existence of a hard limit (an "out of storage" failure mode
	that cannot be resolved by increasing the database size).

	Postfix may support LMDB again when it no longer limits the
	size of Postfix transactions, whether the limit is built
	into LMDB itself, or implicit by requiring an unbounded
	amount of memory to handle a large transaction.

20130322

	Documentation: smtp_skip_5xx_greeting wording updated to
	reflect text in RFC 2821, which appears to say that a 554
	greeting is not a hard delivery error (note that RFC 2821
	was published later than smtp_skip_5xx_greeting). File:
	proto/postconf.proto.

20130324

	Workaround: MacOS 10.8 (Darwin 12) getrlimit(RLIMIT_NOFILE)
	incorrectly reports that rlim_max, the hard limit on the
	number of open files per process, is equal to RLIM_INFINITY
	(i.e. no limit is enforced).  In reality, setrlimit(RLIMIT_NOFILE)
	rejects requests where rlim_cur, the current limit, contains
	any value > kern.maxfilesperproc.  Axel Luttgens.  File:
	util/open_limit.c.

	Portability: MacOS 10.8 (Darwin 12) kqueue support works.
	Axel Luttgens. Files: makedefs.

20130324

	Support for anonymous certificates. Viktor Dukhovni. File:
	tls/tls_verify.c.

	Feature: support for DNSSEC-validated lookups and TLSA
	RRsets.  Viktor Dukhovni. Files: dns/Makefile.in, dns/dns.h,
	dns/dns_lookup.c, dns/dns_rr.c, dns/dns_strtype.c,
	dns/test_dns_lookup.c,

	Cleanup: the personality switch between "smtp" and "lmtp".
	This streamlines the switch in the SMTP/LMTP protocol, DNS
	MX lookups, and configuration parameter names in error
	messages.  Viktor Dukhovni. Files: smtp/smtp.c, smtp/smtp.h,
	smtp/smtp_chat.c, smtp/smtp_connect.c, smtp/smtp_proto.c,
	smtp/smtp_rcpt.c, smtp/smtp_sasl_glue.c, smtp/smtp_sasl_proto.c,
	smtp/smtp_session.c, smtp/smtp_state.c.

	Feature: replace disable_dns_lookups with smtp_dns_support_level,
	enable secure DNSSEC lookups in the Postfix SMTP client,
	and use the DNSSEC-validated remote SMTP server name to
	select the SMTP and TLS policies.  Viktor Dukhovni. Files:
	dns/Makefile.in, dns/dns.h, dns/dns_lookup.c, dns/dns_rr.c,
	dns/dns_strtype.c, dns/test_dns_lookup.c.

20130325

	Portability: on MacOS X, use kqueue() for event handling
	but use select() instead of poll() for read/write timeouts
	(with a workaround to handle file decriptors >=FD_SETSIZE).
	Files: util/sys_defs.h, util/readable.c, util/writable.c,
	util/read_wait.c, util/write_wait.c.

	Portability: support for NetBSD 5.x, NetBSD 6.x and DragonFly
	BSD. Viktor Dukhovni. Files: makedefs, util/sys_defs.h.

20130326

	Cleanup: new module that consolidates all system-dependent
	code to enforce read/write timeouts. This includes a final
	workaround for MacOS X that uses poll() first, and select()
	if that fails.  This makes their /dev/urandom workaround
	unnecessary. Files: util/poll_fd.c, util/iostuff.h.  Removed:
	util/readable.c, util/writable.c, util/read_wait.c,
	util/write_wait.c.

	Cleanup: refactor TLS digest functions, improved signature
	for TLS session cache. Viktor Dukhovni. Files: smtp/smtp.c,
	smtp/smtp_proto.c, smtpd/smtpd.c, tls/Makefile.in, tls/tls.h,
	tls/tls_client.c, tls/tls_fprint.c, tls/tls_level.c,
	tls/tls_misc.c, tls/tls_server.c, tls/tls_verify.c,
	tlsproxy/tlsproxy.c.

20130327

	Cleanup: final polish for MacOSX workarounds; replaced
	#ifdef MacOSX by feature test as required by PORTING document.
	Files: util/poll_fd.c, util/open_limit.c.

	Export tls_fprint() and tls_digest_encode() for use in DANE.
	Viktor Dukhovni. Files: tls/tls.h, tls/tls_fprint.c.

20130331

	Refactoring: TLS verification callback processing in
	preparation for DANE support. Viktor Dukhovni. Files:
	tls/tls.h, tls/tls_client.c, tls/tls_misc.c, tls/tls_verify.c.

	Refactoring: split off SMTP client per-session TLS policy
	data and code in preparation for DANE support.  Viktor
	Dukhovni.  Files: smtp/Makefile.in, smtp/smtp.h,
	smtp/smtp_connect.c, smtp/smtp_proto.c, smtp/smtp_reuse.c,
	smtp/smtp_session.c, smtp/smtp_tls_sess.c.

	Cleanup: "zero time limit" corner case in read_wait() and
	write_wait() emulation. Files: util/poll_fd.c, util/iostuff.h.

20130401

	Refactoring: allow smtp_session_alloc() to fail gracefully
	and report an error.

20130403

	Documentation: in smtpd.c, the comment that justifies the
	454 reply for "TLS unavailable" cited the wrong RFC.

20130404

	Human factors: warning when a main.cf parameter has multiple
	entries with different values.  File: util/dict.c.

20130405

	Feature: the recipient_delimiter parameter can now specify
	a set of characters. A user name is now separated from its
	address extension by the first character that matches the
	recipient_delimiter set.  Files: proto/postconf.proto,
	src/global/mail_addr_find.c, src/global/mail_params.c,
	src/global/split_addr.c, src/global/split_addr.h,
	src/global/strip_addr.c, src/global/strip_addr.h,
	src/global/strip_addr.ref, src/local/bounce_workaround.c,
	src/local/local.c, src/local/local_expand.c, src/local/recipient.c,
	src/local/resolve.c, src/oqmgr/qmgr_message.c, src/pipe/pipe.c,
	src/qmgr/qmgr_message.c, src/smtpd/smtpd.c,
	src/smtpd/smtpd_check.c, src/trivial-rewrite/transport.c,
	src/trivial-rewrite/trivial-rewrite.c.

	Feature: support for trust anchors, i.e. CA certificates
	or public keys that will be used instead of conventional
	root certificates, and revised fingerprint support.  This
	can be used by itself, and this provides support for an
	upcoming DANE implementation.  Victor Duchovni.  Files:
	mantools/postlink, proto/TLS_README.html, proto/postconf.proto,
	global/mail_params.h, smtp/lmtp_params.c, smtp/smtp.c,
	smtp/smtp.h, smtp/smtp_params.c, smtp/smtp_proto.c,
	smtp/smtp_session.c, smtp/smtp_state.c, smtp/smtp_tls_sess.c,
	tls/Makefile.in, tls/tls.h, tls/tls_client.c, tls/tls_dane.c,
	tls/tls_fprint.c, tls/tls_misc.c, tls/tls_verify.c,
	util/argv.c, util/argv.h.

20130409

	Documentation: pointers to other actions under "ACCEPT
	ACTIONS" and "REJECT ACTIONS". File: proto/access.

20130410

	Cleanup: more uniform permutation in dns_rr() by Victor
	Duchovni & Son. File: dns/dns_rr.c.

20130411

	Documentation: clarified text about result formats. Files:
	proto/canonical, proto/virtual.

20130414

	Cleanup: the SMTP client connection management code now
	maintains iterator state with a structure that contains
	next-hop, host name, address, port and other information.
	This iterator structure replaces random variables that were
	updated by add-hoc code, and replaces random function
	argument lists. The more structured approach is easier to
	maintain and has already paid off by exposing opportunities
	to improve SMTP connection cache usage.  Wietse Venema.
	Files: smtp/smtp.h, smtp/smtp_connect.c, smtp/smtp_session.c,
	smtp_reuse.c.

	Cleanup: eliminated minor false SMTP connection cache-sharing
	problems due to mis-aligned lookup keys for caches and
	lookup tables (for example some used the nexthop, and some
	the domain name).  Information that is used in more than
	one lookup key is now generated by a centralized function.
	This replaces ad-hoc code in random places that was
	concatenating ad-hoc data to construct lookup keys. The
	more structured approach is easier to maintain and makes
	future cache-sharing issues easier to prevent.  Wietse
	Venema. Files: smtp/smtp.h, smtp/smtp_connect.c, smtp_reuse.c,
	smtp_key.c, smtp_tls_sess.c.

	Cleanup and fix of non-production code: the trust anchor-digest
	code and smtp_sess_tls_required() function. Victor Duchovni.
	Files: smtp/smtp_connect.c, smtp/smtp_proto.c,
	smtp/smtp_tls_sess.c, tls/tls.h, tls/tls_client.c,
	tls/tls_dane.c, tls/tls_level.c, tls/tls_verify.c.

20130417

	Cleanup and fix of non-production code: add the SASL
	credentials or absence thereof to the connection cache
	endpoint label; better reuse of SASL-authenticated connections
	over UNIX-domains sockets, however unlikely these may be;
	a first step towards refinement of connection cache lookup
	by IP address for plaintext or SASL-unauthenticated connections.
	Files: smtp/smtp.h smtp/smtp_connect.c, smtp/smtp_reuse.c,
	smtp/smtp_key.c, smtp/smtp_tls_sess.s.

20130418

	Cleanup: configurable field delimiter and optional "not
	available" field place holder for cache and table lookup
	keys; automatic base64 encoding for key fields that contain
	these. Files: smtp/smtp_key,c, smtp/smtp_reuse.c,
	smtp/smtp_proto.c, smtp/smtp_tls_sess.c.

20130420-21

	Documentation: "dane" TLS security level and parameters.
	Viktor Dukhovni. Files: mantools/postlink, proto/TLS_README.html,
	proto/postconf.proto.

	Feature: implemented and enabled DNS-based DANE security
	level.  Viktor Dukhovni. Files: global/mail_params.h,
	smtp/lmtp_params.c, smtp/smtp.c, smtp/smtp.h, smtp/smtp_params.c,
	smtp/smtp_proto.c, smtp/smtp_tls_sess.c, tls/tls.h,
	tls/tls_client.c, tls/tls_dane.c, tls/tls_fprint.c,
	tls/tls_level.c, tls/tls_misc.c, util/Makefile.in,
	util/ctable.c, util/ctable.h, util/timecmp.c, util/timecmp.h.

	Cleanup: rename (unchanged) smtp_tls_sess.c to smtp_tls_policy.c.
	Viktor Dukhovni. Files: smtp/Makefile.in, smtp/smtp_tls_policy.c,
	smtp/smtp_tls_sess.c.

	Portability: OpenSSL workarounds for versions before 0.9.7
	are removed from the source code. Viktor Dukhovni. Files:
	tls/tls.h, tls/tls_bio_ops.c, tls/tls_client.c.

	Non-production fixes: when falling back from opportunistic
	TLS to plaintext, don't modify the cached TLS policy "retry
	as plaintext" and "level" members.  Files: smtp/smtp_session.c.

	Non-production fixes: move TLS policy lookup to the main
	connection iterator loop, so that the policy is known before
	attempting connection reuse and before SMTP connection
	creation. Temporarily link session->tls to state->tls.
	Files: smtp/smtp.h, smtp/smtp_connect.c, smtp/smtp_reuse.c,
	smtp/smtp_tls_policy.c.

20130422

	Feature: smtptls-finger test program for SMTP over TLS.
	Viktor Dukhovni. Files: Makefile.in, html/Makefile.in,
	man/Makefile.in, mantools/postlink, posttls-finger/.indent.pro,
	posttls-finger/Makefile.in, posttls-finger/posttls-finger.c,
	posttls-finger/tlsmgrmem.c, posttls-finger/tlsmgrmem.h,
	tls/tls.h, tls/tls_misc.c.

20130423

	Bugfix (introduced: Postfix 2.0): when myhostname is not
	listed in mydestination, the trivial-rewrite resolver may
	log "do not list <myhostname value> in both mydestination
	and <name of non-mydestination domain list>".  The fix is
	to re-resolve a domain-less address after adding $myhostname
	as the surrogate domain, so that it pops out with the right
	address-class label.  Problem reported by Quanah Gibson-Mount.
	File: trivial-rewrite/resolve.c.

20130425

	Non-production fixes: revert to using proxies (sender,
	nexthop, hostname) to distinguish between different SASL
	credentials for connections to the same IP address and port.
	Files: smtp/smtp.h smtp/smtp_connect.c, smtp/smtp_key.c.

	Non-production cleanup: documentation, identifiers.  Viktor
	Dukhovni. Files: proto/postconf.proto, src/dns/dns.h,
	src/dns/dns_lookup.c, src/dns/dns_rr.c, src/dns/test_dns_lookup.c,
	src/global/mail_proto.h, src/posttls-finger/posttls-finger.c,
	src/smtp/smtp.h, src/smtp/smtp_addr.c, src/smtp/smtp_connect.c,
	src/smtp/smtp_session.c, src/smtp/smtp_tls_policy.c,
	src/smtpd/smtpd_check.c, src/tls/tls.h, src/tls/tls_client.c,
	src/tls/tls_dane.c, src/tls/tls_fprint.c, src/tls/tls_misc.c,
	src/tls/tls_proxy_clnt.c, src/tls/tls_proxy_print.c,
	src/tls/tls_proxy_scan.c, src/tls/tls_server.c,
	src/tls/tls_verify.c.

20130426

	Non-production fixes: refinement of SASL-dependent context
	for connection-cache reuse, documentation. Viktor Dukhovni
	and Wietse Venema. Files: smtp/smtp.h, smtp/smtp_key.c,
	tls/tls_client.c.

20130506

	Non-production bugfix: macros must use distinct names for
	temporary variables, to avoid name collision problems.
	Problem report: Ralf Hildebrandt. Problem fix: Viktor
	Dukhovni.  File: smtp/smtp.h.

	Non-production cleanup: simplified "dane" user interface,
	replacing one "dane" security level plus multiple fall-back
	options, with two "dane" security levels, one opportunistic
	and one mandatory. Viktor Dukhovni.  Files: proto/TLS_README.html,
	proto/postconf.proto, mantools/postlink, proto/TLS_README.html,
	proto/postconf.proto, global/mail_params.h,
	posttls-finger/posttls-finger.c, smtp/lmtp_params.c,
	smtp/smtp.c, smtp/smtp.h, smtp/smtp_params.c,
	smtp/smtp_tls_policy.c, tls/tls.h, tls/tls_level.c.

20130512

	Feature: allow an SMTP client to skip postscreen(8) tests
	before or after the 220 greeting, based on its DNSBL score.
	Suggested by Rob McGee (/dev/rob0). Files: mantools/postlink,
	proto/postconf.proto, global/mail_params.h,
	postscreen/postscreen.c, postscreen/postscreen.h,
	postscreen/postscreen_early.c, postscreen/postscreen_state.c,
	postscreen/postscreen_tests.c.

20130513

	Bugfix (introduced: 20130512): postscreen logged no "PASS
	NEW" event when the pregreet tests were turned off and the
	postscreen_dnsbl_whitelist_treshold feature was turned on.
	Reported by Rob McGee (/dev/rob0). Files: postscreen/postscreen.h,
	postscreen/postscreen_early.c.

	Bugfix (introduced: 20130512): postscreen panic because the
	logic for dnsbl result retrieval was changed. Reported by
	Noel Jones. File: postscreen/postscreen_early.c.

20130517

	Cleanup: just like the postscreen DNS block test will use
	partial scores when some DNS lookup result is unavailable,
	the postscreen_dnsbl_whitelist_treshold feature will now
	use partial scores instead of ignoring them.  File:
	postscreen/postscreen_early.c.

20130518

	Bugfix (introduced: 1997): memory leak after error while
	forwarding mail through the cleanup server. Viktor found
	one, Wietse eliminated the rest.  File: local/forward.c.

	Feature: posttls-finger protocol and cipher grade selection
	options.  Leave protocol debug flags active across reconnects,
	only suppress redundant logging of the certificate details.
	Viktor Dukhovni. File: posttls-finger/posttls-finger.c.

	Robustness: send SNI even when trying to reuse a DANE
	session, because a new session may be negotiated anyway.
	Viktor Dukhovni. File: tls/tls_client.c.

	Cleanup: eliminate variable that is redundant with respect
	to more authoritative state.  Viktor Dukhovni. File:
	posttls-finger/posttls-finger.c.

	Feature: new tls_ssl_options parameter to enable OpenSSL
	features (as opposed to tls_disable_workarounds which is
	disables bug workarounds that are on by default). Viktor
	Dukhovni. Files: proto/TLS_README.html, proto/postconf.proto,
	src/global/mail_params.h, src/tls/tls.h, src/tls/tls_client.c,
	src/tls/tls_misc.c.

20130520

	Documentation: removed resolve_null_domain from the list
	of smtpd(8) parameters. File: smtpd/smtpd.c.

20130523

	Documentation: add cidr: and texthash: to the list of maps
	that don't have automatic change detection. File:
	proto/DATABASE_README.html.

	Documentation: define the netmask format of CIDR maps.
	File: proto/cidr_table.

20130530

	Cleanup: replace alloca() with mymalloc()/myfree() for
	better error handling. Reported by Bill Parker. File:
	util/dict_ni.c (does anyone still use this code?).

20130531

	Feature: tls_wildcard_matches_multiple_labels (default:
	yes) to match multiple DNS labels with "*" in wildcard
	certificates. Viktor Dukhovni. Files: proto/postconf.proto,
	mantools/postlink, global/mail_params.h, tls/tls_client.c,
	tls/tls_misc.c.

20130607

	Bugfix (DANE support): with multiple TLSA RR that carry "x
	0 0" certificates or "x 1 0" keys, Postfix failed to reset
	the cert/key pointer before calling d2i_mumble(), causing
	OpenSSL to clobber the previous cert or key.  Viktor Dukhovni.
	tls/tls_dane.c.

	Robustness: check that TLSA-supplied certs have valid keys.
	It is not clear whether that check is performed in d2i().
	Viktor Dukhovni. tls/tls_dane.c.

20130608

	Cleanup (DANE support): be more explicit in the logging of
	object digests.  Viktor Dukhovni. tls/tls_dane.c.

20100613

	Workaround: unhelpful down-stream maintainers fail to install
	the new smtpd_relay_restrictions safety net, causing breakage
	that could have been avoided. We now hard-code the safety
	net instead.  Files: global/mail_params.h, conf/post-install,
	RELEASE_NOTES_2.10.

	Bugfix (DANE support): when TLSA records are insecure,
	report that none are found. Viktor Dukhovni. Files:
	posttls-finger/posttls-finger.c, smtp/smtp_tls_policy.c,
	tls/tls_dane.c.

20130615

	TLS Interoperability: turn on SHA-2 digests by force.  This
	improves interoperability with clients and servers that
	deploy SHA-2 digests without the required support for
	TLSv1.2-style digest negotiation.  Based on patch by Viktor
	Dukhovni.  Files: tls/tls_client.c, tls/tls_server.c.

20130616

	Workaround: The Postfix SMTP server TLS session cache was
	broken because OpenSSL now enables session tickets by
	default, resulting in different ticket encryption key for
	each smtpd(8) process.  the workaround turns off session
	tickets. In 2.11 we'll enable session tickets properly.
	Viktor Dukhovni. File: tls/tls_server.c.

	Updated DANE support (trust in DNS instead of PKI).  With
	OpenSSL 1.0.2 (under development) trusted certificates don't
	need to be self-signed roots.  Otherwise we use an ephemeral
	root certificate to sign the trust anchor. Viktor Dukhovni.
	Files: posttls-finger/posttls-finger.c, smtp/smtp_proto.c,
	smtp/smtp_tls_policy.c, tls/tls.h, tls/tls_client.c,
	tls/tls_dane.c, tls/tls_fprint.c, tls/tls_misc.c,
	tls/tls_verify.c.

20130619

	Documentation: troff lint. Patch by ES Raymond's bot.  File:
	proto/header_checks.

	Cleanup: enforce smtpd_client_recipient_rate_limit for VRFY
	commands. File: smtpd/smtpd.c.

20130622

	Bugfix: typo in the 20130613 smtpd_relay_restrictions default
	setting. File: global/mail_params.h.

20130623

	Cleanup: configurable tlsmgr(8) service name. Files:
	mantools/postlink, proto/postconf.proto, tls/tls_mgr.c,
	tls/tls_misc.c, tlsproxy/tls-proxy.c, smtp/smtp.c,
	smtpd/smtpd.c.

20130629

	Cleanup: documentation. Files: proto/CONNECTION_CACHE_README.html,
	proto/SCHEDULER_README.html.

20130708

	Cleanup: postscreen_upstream_proxy_protocol setting.  Files:
	global/mail_params.h, postscreen/postscreen_endpt.c.

20130709

	Cleanup: qmgr documentation clarification by Patrik Rak.
	Files: proto/SCHEDULER_README.html, qmgr/qmgr_job.c.

	Cleanup: re-indented code. File: qmgr/qmgr_job.c.

	Logging: minimal DNAME support. Viktor Dukhovni.  dns/dns.h,
	dns/dns_lookup.c, dns/dns_strtype.c, dns/test_dns_lookup.c.

20130710

	Workaround: smtp_connection_reuse_count_limit (default 0,
	i.e.  unlimited) for sites that must deal with hostile
	connection reuse policies. The documentation comes with a
	warning that this feature introduces a "fatal attractor"
	failure mode.  Files: global/mail_params.h, mantools/postlink,
	proto/postconf.proto, smtp/smtp.c, smtp/smtp_params.c,
	smtp/lmtp_params.c, smtp/smtp.h.

	Workaround: FreeBSD9 nroff outputs ANSI escape sequences
	instead of overstrike sequences. To make matters worse, it
	uses the ESC[0m sequence sometimes for end-of-bold and
	sometimes for end-of-italic.  File: mantools/man2html.

20130714

	Cleanup: added smtpd_relay_restrictions entries to the
	default master.cf file, so that main.cf settings won't
	affect the submission and smtps services. Simon Matter.
	File: conf/master.cf.

20130728

	Cleanup: wrong function name in error message. John Fawcett.
	File: util/vstring_vstream.c.

20130801

	Cleanup: with ``make makefiles CCARGS="-DHAS_DB...'', the
	makedefs script no longer tries to locate the Linux Berkeley
	DB include and library files. Instead it assumes that the
	locations are given on the command line, as shown in the
	DB_README examples.  Leo Baltus. File: makedefs.

20130805

	Documentation: clarified reject_non_fqdn_helo_hostname.
	File: proto/postconf.proto.

20130809

	Cleanup: the lmdb_map_size parameter is now a long integer.
	Howard Chu. Files: global/mail_params.[hc].

20130815

	Documentation: added pointer to Dovecot 2 configuration.
	File: proto/SASL_README.html

20130818

	Update: LMDB client updated to LMDB 0.9.7, which hopefully
	fixes the unrecoverable "transaction full" error. With a
	new MDB_MAP_FULL workaround by Howard Chu that ensures that
	postfix will make progress as long as the disk is not full.
	File: util/dict_lmdb.c.

20130822

	The status of LMDB databases is "not recommended".  Unlike
	other Postfix databases, LMDB does not grow beyond a specified
	limit even when the file system has room.  This show-stopper
	bug breaks applications whose requirements grow with load:
	postscreen(8), greylisting, tlsmgr(8) and verify(8).

20130825

	Bitrot: Arrange for shared keys in SMTP server session
	tickets.  Otherwise, with clients that enable session
	tickets, the SMTP session cache is per-process and largely
	ineffective.  Older releases should add SSL_OP_NO_TICKET
	to the SSL options bit mask in the SMTP server only.  The
	session ticket key validity interval (sum of initial issuing
	and retired key validation intervals) must not exceed the
	SSL session lifetime.  Otherwise, clients may send valid
	tickets for expired sessions, which the OpenSSL server code
	mishandles (does not send a replacement ticket, patch
	pending...).

	We set the session lifetime to 2 times the configured cache
	lifetime which is also the ticket issuing and retired
	validation lifetime, so ticketed sessions last 1 to 2 times
	the configured session lifetime and never longer than a
	session's expiration time.

	Code by Viktor Dukhovni.  Files: .indent.pro, mantools/postlink,
	proto/TLS_README.html, proto/postconf.proto, global/mail_params.h,
	posttls-finger/posttls-finger.c, posttls-finger/tlsmgrmem.c,
	smtpd/smtpd.c, tls/tls.h, tls/tls_client.c, tls/tls_mgr.c,
	tls/tls_mgr.h, tls/tls_scache.c, tls/tls_scache.h,
	tls/tls_server.c, tlsmgr/tlsmgr.c, tlsproxy/tlsproxy.c.

	Robustness: Search for TLSA RRs at the resolved server name
	(rname) and failing that request server name (qname), and
	use whichever was found as the TLSA base domain for certificate
	matching.

	When we find a DNSSEC validated MX RRset, and the initial
	next-hop domain is a CNAME, include both the initial and
	final (the one with the actual MX RRs) domains in the list
	of valid server certificate names.

	When we find no MX records, then the initial next-hop domain
	is obtained securely from the recipient domain or transport
	next-hop.  Without MX records, this is a destination hostname,
	so we should generally do a TLSA lookup.  If however the
	address lookup yields an insecure result, and its rname is
	equal to its qname (no CNAMEs), we reasonably assume that
	the its child "_port._tcp" sub-domain is likewise insecure
	(security here would require DLV just for this sub-domain).
	This allows us to skip futile TLSA queries for most non-MX
	destinations (those that are in insecure zones and are not
	CNAMEs).  This heuristic can be disabled by setting the new
	main.cf parameter smtp_tls_force_insecure_host_tlsa_lookup
	to "yes", the default is "no".

	Finally, with MX hostnames, if the MX RRset is secure, we
	look for TLSA RRs at the qname only when the MX host is an
	alias with an insecure rname.  If both the qname and the
	rname are secure, as before we prefer the rname, but when
	nothing is found there, fall back to the qname.

	Code by Viktor Dukhovni. Files: mantools/postlink,
	proto/postconf.proto, src/global/mail_params.h,
	src/posttls-finger/posttls-finger.c, src/smtp/lmtp_params.c,
	src/smtp/smtp.c, src/smtp/smtp.h, src/smtp/smtp_addr.c,
	src/smtp/smtp_addr.h, src/smtp/smtp_connect.c,
	src/smtp/smtp_params.c, src/smtp/smtp_tls_policy.c,
	src/tls/tls.h, src/tls/tls_dane.c.

20130826

	Documentation: re-ordered STRESS_README, now that all
	supported releases have stress-adaptive behavior built in.
	File: proto/STRESS_README.html.

20130903

	Cleanup: made the default_database_type compile-time
	configurable. Files: util/sys_defs.h, makedefs, proto/INSTALL.

20130916

	Feature: reject_known_sender_login_mismatch, which applies
	reject_sender_login_mismatch only to MAIL FROM addresses
	that are known in $smtpd_sender_login_maps. Viktor & Wietse.
	Files: mantools/postlink, proto/SASL_README.html,
	proto/postconf.proto, global/mail_params.h, smtpd/smtpd_check.c.

20130927

	Cleanup: no more LMDB "database full" errors.  Postfix now
	requires LMDB >= 0.9.8 which supports on-the-fly database
	resizing. When a database becomes full, its size limit is
	automatically doubled, and other processes automatically
	pick up the new database size limit.  Files: util/dict.h,
	util/dict_open.c, util/dict_alloc.c, util/dict_lmdb.c,
	postmap/postmap.c, postalias/postalias.c, proto/LMDB_README.html,
	proto/postconf.proto.

20130928

	Cleanup: the lmdb_max_readers property is now configurable.
	This is a hard limit built into the OpenLDAP library that
	causes requests to fail when the number of open read
	transactions exceeds the limit.  When this happens the LMDB
	client logs an MDB_READERS_FULL warning and continues with
	reduced performance.  Files: util/dict_lmdb.c, util/dict_lmdb.h,
	global/mail_params.h, global/mail_params.c, proto/postconf.proto,
	proto/LMDB_README.html.

20130929

	Security violation: LMDB opens files with read/write access
	for lock management purposes.  This gives unprivileged
	daemon processes read/write file handles for root-owned
	files under /etc/postfix.  This also breaks when a non-root
	process needs to access a root-owned database.  Even if
	LMDB lock files were world-writable, and kept in a dedicated
	directory, they would still violate the principle of least
	privilege. For all these reasons, support to create LMDB
	files is removed from the postmap and postalias commands.
	LMDB files can still be created by unprivileged Postfix
	daemon processes under the postfix-owned data_directory.
	Files: proto/LMDB_README.html, global/mkmap.c.

20131001

	Cleanup: LMDB support is forbidden due to problems with
	LMDB lock management. These problems hinder error recovery
	in multi-programmed systems, and prohibit database sharing
	between privileged writer processes and unprivileged reader
	processes.

20131009

	Documentation: inet_protols description was not updated
	when smtp_address_preference was added. File: proto/postconf.proto

20131013

	Documentation: why postscreen(8) uses hash-table lookups
	instead of direct pointers to find the DNSBL lookup result
	for a specific session. File: postscreen/postscreen_early.c.

20131022

	Cleanup: add more &code; to postconf2man. Someone has been
	writing documentation without checking the result, File:
	mantools/postconf2man.

	Documentation: in the discard(8) manpage, the reason is not
	a host or domain name. File: discard/discard.c.

20131025

	Documentation: specify the expected result format with
	"list" tables. File: proto/DATABASE_README.html.

20131026

	Future proofing: API changes in the PCRE library.  File:
	util/dict_pcre.c.

20131028

	Feature: check_sasl_access to block hijacked logins.  Files:
	mantools/postlink, proto/postconf.proto, global/mail_params.h,
	smtpd/smtpd_check.c, smtpd/smtpd_dsn_fix.h.

20131029-31

	Cleanup: slmdb(3) simplified LMDB API that hides recoverable
	LMDB errors from applications so that they can focus on
	their own job. Files: util/slmdb.[hc].

	Cleanup: LMDB functionality restored, after elimination of
	1) world-writable lockfiles, 2) hard limits on the number
	of concurrent readers, and 3) hard-coded database file inode
	numbers in lockfiles that can prevent automatic crash
	recovery.  Files: proto/LMDB_README.html, proto/postconf.proto,
	mantools/postlink, util/dict_lmdb.c.

20131101

	Cleanup: restore ability to build without LMDB support;
	further slmdb API streamlining. Files: util/slmdb.[hc],
	util/dict_lmdb.c.

	Bugfix: uninitialized variable. File: util/slmdb.c.

	Documentation: added SASL_README example for check_sasl_access.
	File: proto/SASL_README.html.

20131102-3

	Security violation: by default, LMDB 0.9.9 writes uninitialized
	heap memory to a world-readable database file, as chunks
	of up to 4096 bytes.  This is a huge memory disclosure
	vulnerability: memory content that a program does not intend
	to share ends up in a world-readable file.  The content of
	uninitialized heap memory depends on program execution
	history. That history includes code execution in other
	libraries that are linked into the program.

	This is a problem whenever the user who writes the database
	file differs from the user who reads the database file. For
	example, a privileged writer and an unprivileged reader.
	In the case of Postfix, the postmap(1) and postalias(1)
	commands would leak uninitialized heap memory, as chunks
	of up to 4096 bytes, from a root-privileged process that
	writes to a database file, to unprivileged processes that
	read from that database file.

	To work around this problem the postmap(1) and postalias(1)
	commands disable the use of malloc() in LMDB. However, that
	does not address several disclosures of stack memory.  Other
	Postfix databases do not need this workaround: those databases
	are maintained by Postfix daemon processes, and are accessible
	only by the postfix user. File: util/dict_lmdb.c.

20131102-3

	Cleanup: expand TAB characters when generating documentation.
	This was primarily an issue with non-HTML output, but it does
	not hurt to do this also for HTML.  Files: proto/Makefile.in,
	proto/MULTI_INSTANCE_README.html.

20131104

	Feature: ${queue_id} macro support for the pipe(8) delivery
	agent by Andreas Schulze. File: pipe/pipe.c.

20131107

	Cleanup: after 16 years the SKIP() and TRIM() macros were
	triggering compiler warnings.  Files: global/mail_params.c,
	smtpstone/smtp-sink.c, util/mac_parse.c, util/split_nameval.c.

20131110

	Bugfix (introduced Oct 26 1997): don't clobber errno before
	expanding %m. File: util/vbuf_print.c.

20131114

	Cleanup: LMDB >= 0.9.10 does not need the MDB_WRITEMAP
	workaround to avoid heap memory information leaks.  File:
	util/dict_lmdb.c.

20131114

	Cleanup: Coverity found a harmless memory leak in the
	postconf master.cf parser.  Reported by Christos Zoulas,
	NetBSD.  File: postconf/postconf_master.c.

	Cleanup: graceful degradation after database open() error.
	Several instances of that code introduced a harmless memory
	leak, and Coverity complained about one of them (Christos
	Zoulas, NetBSD).  Instead of adding random code in random
	places, restructured dict_foo_open() routines with consistent
	code to dispose of memory or file handles. Files: dict_thash.c,
	dict_sockmap.c, dict_regexp.c, dict_pcre.c, dict_lmdb.c,
	dict_dbm.c, dict_cidr.c, dict_cdb.c.

	Cleanup: warning message after canonical/virtual/etc.
	table lookup error. Files: cleanup/cleanup_addr.c,
	cleanup/cleanup_map11.c, cleanup/cleanup_map1n.c,
	cleanup/cleanup_masquerade.c, cleanup/cleanup_message.c,
	cleanup/cleanup_milter.c.

20131116

	Feature: MySQL client support for option_file, option_group,
	tls_cert_file, tls_key_file, tls_CAfile, tls_CApath,
	tls_verify_cert. See mysql_table(5).  Code by Gareth Palmer.
	Files: proto/mysql_table, global/dict_mysql.c.

	Cleanup: DANE support. Keep the attributes of TA certificates
	obtained via "IN TLSA 2 0 X" RRs, while continuing to only
	use the key from "IN TLSA 2 1 X" RRs.  This means in the
	"2 0 X" case that we re-sign the TA certificate in place,
	rather than synthesize a vanilla cert around just the key.
	Viktor Dukhovni. File: tls/tls_dane.c.

	Bugfix: posttls-finger parsing of destination and optional
	match values. Viktor Dukhovni.  File:
	posttls-finger/posttls-finger.c.

	Cleanup: When wrap_signed is false (OpenSSL 1.0.2 some day),
	we don't have to sign trust anchors, and don't generate a
	key to do so.  Thus don't attempt to re-sign trust-anchor
	certificates (IN TLSA 2 0 X) in this case. Viktor Dukhovni.
	File: tls/tls_dane.c.

	Feature: configurable DANE digest algorithm priority. Use
	only the most-preferred, shared, digest algorithm for any
	give (usage, selector) combination. Viktor Dukhovni.
	mantools/postlink, proto/postconf.proto, global/mail_params.h,
	tls/tls_dane.c, tls/tls_misc.c.

	Bugfix: FreeBSD nroff workaround messed up. File:
	mantools/postlink.

20131118

	Cleanup: FreeBSD nroff workaround. Files: man/Makefile.in,
	proto/Makefile.in.

	Cleanup: the smtpd_proxy_filter client now sends QUIT before
	closing the connection to a content filter.  Files:
	smtpd/smtpd_proxy.c, smtpd/smtpd.c.

	Portability: C99 va_copy() compatibility, in case some
	implementation does not permit multiple va_start() calls
	on the same argument list. Files: global/memcache_proto.c,
	milter/milter8.c, smtpstone/smtp-source.c, util/attr_clnt.c,
	util/concatenate.c, util/dict_surrogate.c, util/netstring.c,
	util/compat_va_copy.h.

	Cleanup: comment formatting. Viktor Dukhovni. File: dns/dns.h.

	Cleanup: removed redundant sort operation. Viktor Dukhovni.
	File: tls/tls_dane.c.

20131119

	Feature: a Postfix LMDB database can now be used as shared
	persistent cache with multiple postscreen(8) or verify(8)
	daemons (but not both), without the need for a shared
	proxymap server.  Files: util/dict.h, util/dict_alloc.c,
	util/dict_open.c, util/dict_lmdb.c.

	Internal: DNS client support to report reply RCODE information,
	in addition to the simplified DNS_NOTFOUND, DNS_RETRY etc.
	Portability note: this requires the C99 __VA_ARGS__ feature.
	Files: dns/dns.h. dns/dns_lookup.c, dns/test_dns_lookup.c.

20131120

	Cleanup: reduced the code footprint for the LMDB < 0.9.10
	heap-to-file information leak workaround, and simplified
	the implementation to "good enough". Files: util/dict.h,
	util/dict.c, util/dict_lmdb.c, postalias/postalias.c,
	postmap/postmap.c.

	Cleanup: reduced the code footprint for the handling of
	multi-writer safe maps. A map only needs to assert that it
	is multi-writer safe, and the rest just happens.  Files:
	util/dict.h, util/dict_open.c, util/dict_lmdb.c,
	global/dict_memcache.c.

	Cleanup: Postfix daemons no longer restart when a multi-writer
	safe map is updated. File: util/dict.c.

	Documentation: sharing an LMDB cache between multiple
	verify(8) or postscreen(8) servers (but not both).  Files:
	proto/ADDRESS_VERIFICATION_README.html,
	proto/POSTSCREEN_README.html.

	Cleanup: improve suppression of TLSA lookups in insecure
	zones.  This is now applied not only to non-MX destinations,
	but also to each MX record.  Viktor Dukhovni. Files:
	src/posttls-finger/posttls-finger.c, src/smtp/smtp_tls_policy.c,
	src/tls/tls.h, src/tls/tls_dane.c.

	Workaround: increased the 5s connection timeout to 30s.
	Viktor Dukhovni. File: posttls-finger/posttls-finger.c.

20131121

	Documentation: new socketmap_table(5) and lmdb_table(5)
	manpages.  Files: mantools/postlink, conf/postfix-files,
	html/Makefile.in, man/Makefile.in, proto/DATABASE_README.html,
	postconf/postconf.c, proto/socketmap_table, proto/lmdb_table.

20131122

	Documentation: missing database hyperlinks, refined text
	about partial lookup keys. Files: mantools/postlink,
	proto/DATABASE_README.html, proto/lmdb_table,
	proto/socketmap_table.

20131123

	Feature: support for NOTIFY parameter in the Milter
	SMFIR_ADDRCPT_PAR request. Contributed by by Andrew Ayer.
	Wietse added support for ORCPT.  Files: cleanup/cleanup.h,
	cleanup/cleanup_milter.c, cleanup/cleanup_state.c,
	global/xtext.c, global/xtext.h, milter/test-milter.c.

20131122

	Feature: "postconf -Fe service/type/attribute = value" edits
	master.cf attribute values. The -e is optional. Example:
	use "postconf -F "*/*/chroot = n" to turn off chroot on all
	master.cf services. Files: postconf/postconf.h,
	postconf/postconf.c, postconf/postcof_master.c,
	postconf/postconf_edit.c.

20131124

	Cleanup: remove extra blank line from ccformat output,
	making it compatible with the script that Wietse actually
	uses (this line was part of a test to detect file truncation,
	but it is now obsolete).  File: mantools/ccformat.

	Feature: master.cf parameter namespace. "postconf -P" shows
	master.cf parameter settings as "service/type/parameter =
	value". This is applicable only to parameter settings in
	master.cf. Files: postconf/postconf.h, postconf/postconf.c,
	postconf/postcof_master.c, postconf/postconf_print.c.

	Incompatibility: the master_service_disable syntax has
	changed: use "service/type" instead of "service.type".  The
	new form is consistent with master.cf parameter namespaces.
	The old form is still supported to avoid breaking existing
	configurations.  Files: global/master_service.c,
	master/master_ent.c.

20131125

	Feature: change, add or delete "-o parameter=value" setting
	in master.cf. Examples: "postconf -P smtp/inet/parameter=value"
	(add or modify "-o name=value" setting) and "postconf -P
	smtp/inet/parameter" (delete "-o parameter=value" setting).
	Files: util/argv.[hc], postconf/postconf.h,
	postconf/postconf_edit.c, postconf_master.c.

20131126

	Cleanup: Leave SSLv3 enabled with DANE. Viktor Dukhovni.
	Files: proto/TLS_README.html proto/postconf.proto
	tls/tls_client.c.

	Cleanup: DANE support: Drop support for usage 0. It SHOULD
	NOT be supported in DANE with SMTP, and we already don't
	support digest TLSA RRs in this case, while full content
	TLSA RRs are not recommended for DNS bloat reasons.  Viktor
	Dukhovni. Files: proto/postconf.proto src/global/mail_params.h
	src/smtp/smtp.c src/tls/tls_dane.c src/tls/tls_misc.c.

	Feature: TLS support: Support future digest algorithms
	without re-compilation. Viktor Dukhovni. Files: .indent.pro
	proto/postconf.proto src/tls/tls_dane.c.

	Feature: DNS support: New configurable digest agility.
	Viktor Dukhovni. Files: .indent.pro proto/TLS_README.html
	proto/postconf.proto src/global/mail_params.h src/tls/tls_dane.c
	src/tls/tls_misc.c.

20131127

	Bugfix (introduced: 20090106): the postconf '-#' option
	erased prior options. File: postconf/postconf.c.

20131129

	Bugfix: Makefile example in MULTI_INSTANCE_README. Viktor
	Dukhovni. File: proto/MULTI_INSTANCE_README.html.

20131130

	Cleanup: simplify fingerprint security level implementation
	in new DANE code.  Viktor Dukhovni.  Files: src/tls/tls.h
	src/smtp/smtp_tls_policy.c src/tls/tls_dane.c
	src/posttls-finger/posttls-finger.c.

20131209

	Cleanup: safe_strtoul() did not report an error for empty
	or all-space input (the code to report this was in the wrong
	place). This was not a problem as long as safe_strtoul()
	was used only for output from safe_ultostr().  Files:
	global/safe_ultostr.c, global/safe_ultostr.in,
	global/safe_ultostr.ref.

20131210

	Documentation: updated description of SSL protocol controls.
	In particular, enabled protocols are part of a contiguous
	range. Viktor Dukhovni.  Files: proto/TLS_README.html,
	proto/postconf.proto.

	Bugfix: DANE support: handle OpenSSL memory allocation
	error. Viktor Dukhovni.  File: tls/tls_dane.c.

	Cleanup: LMDB_README was not installed. File: conf/postfix-files.

20131214

	Portability: on some platforms posttls-finger now requires
	explicitly linking libdl.  File: posttls-finger/Makefile.in.

	Cleanup: DANE support: extension gymnastics. Viktor Dukhovni.
	File: tls/tls_dane.c.

	Bugfix: DANE support: the wrap_cert() and wrap_key() calls
	should never fail, but some callers ignored the return
	value.  The only failure is for lack of memory, so we use
	msg_fatal() internally and change wrap_cert() and wrap_key()
	to return void. Viktor Dukhovni.  File: tls/tls_dane.c.

	Bugfix: DANE support: avoid making DANE certificates with
	replaced public-keys appear as if they were self-signed.
	Viktor Dukhovni.  File: tls/tls_dane.c.

	Cleanup: DANE support: simplify grow_chain() to always apply
	trust consistently. Viktor Dukhovni.  File: tls/tls_dane.c.

	Bugfix: DANE support: backport fixes from OpenSSL DANE
	testing.  Discard errors generated by raw TA key signature
	checks. Record the tadepth as zero with self-signed depth
	0 TAs. Robustness: Though it should never happen, don't
	update the tadepth if already set. Viktor Dukhovni.  Files:
	tls/tls_dane.c, tls/tls_server.c.

20131215

	Cleanup: OpenSSL "const" declarations have changed over
	time. Viktor Dukhovni. Files: src/tls/tls.h, src/tls/tls_client.c,
	src/tls/tls_dane.c, src/tls/tls_server.c.

20131216

	Cleanup: TLS support. Eliminate calls of deprecated functions
	before they are removed from OpenSSL.  CRYPTO_thread_id is
	deprecated and we don't need it.  Replace the deprecated
	ERR_remove_state() call with ERR_remove_thread_state(), and
	use RSA_generate_key_ex().  Viktor Dukhovni. Files:
	posttls-finger/posttls-finger.c, tls/tls_misc.c, tls/tls_rsa.c.

	Cleanup: DANE support: Reduce #ifdef clutter to improve
	redability and maintainability. Viktor Dukhovni.  File:
	tls/tls_dane.c.

	Future proofing: Tolerate disappearance of named bug-workaround
	bits without invalidating user configurations.  When support
	for a bug workaround is removed from OpenSSL, the corresponding
	bit is defined as zero (i.e. NOOP) instead of causing
	programs to break. Viktor Dukhovni.  File: tls/tls_misc.c.

20131217

	Portability: RSA_generate_key_ex() is not available on all
	supported platforms, so this change is made conditional.
	Enforce that this function will be used only for creating
	a 512-bit ephemeral RSA key.  Viktor Dukhovni. File:
	tls/tls_rsa.c.

20131218

	Documentation: new document FORWARD_SECRECY_README that
	describes how different versions of Postfix >= 2.2 implement
	"perfect" forward secrecy. Viktor Dukhovni. File:
	proto/FORWARD_SECRECY_README.html, proto/Makefile.in,
	conf/postfix-files, html/index.html.

20131219

	Cleanup: renamed postconf(1) internal identifiers according
	to a consistent scheme, to avoid future name conflicts as
	Postfix evolves. This is a no-feature change.  Files:
	postconf/*.[hc], postconf/extract.awk.

	Documentation: linearized the order of exposition in
	FORWARD_SECRECY_README. File: proto/FORWARD_SECRECY_README.html.

20131220

	Bugfix: DANE support: segfault. Viktor Dukhovni. File:
	tls/tls_dane.c.

	Documentation: typo in SASL_README. Patrick Ben Koetter.
	File: proto/SASL_README.html.

	Documentation: increased the *.[0-9].html manpage width
	from the historical 65 columns to the more contemporary 78
	columns, and future-proofed the pattern that eliminates
	redundant text from the "README FILES" section.  Files:
	mantools/postlink, mantools/man2html, man/Makefile.in.

	Documentation: misc manual page cleanups. Files:
	postconf/postconf.c, postmulti/postmulti.c.

20131221

	Testbed: TLS support. Viktor Dukhovni. Files: tls/Makefile.in,
	tls/tls_dane.c, tls/tls_dane.sh, tls/tls_mgr.c, .indent.pro.

	Documentation: added section on how to verify that forward
	secrecy works. File: proto/FORWARD_SECRECY_README.html.

20131222

	Documentation: forward secrecy, with feedback from Adam
	Shostack.  Viktor Dukhovni and Wietse Venema. File:
	proto/FORWARD_SECRECY_README.html.

20131224

	Feature: smtpd_sasl_service (until now, this was hard-coded
	internally as "smtp"). On request by Michal (sksoft.cz).
	Files: global/mail_params.h, proto/postconf.proto,
	mantools/postlink, smtpd/smtpd.c, smtpd/smtpd_sasl_glue.c.

	Documentation: updated example to Dovecot version 2 syntax.
	File: proto/SASL_README/html.

20131228

	Cleanup: DANE support: test script. Viktor Dukhovni. File
	tls/tls_dane.sh.

	Debugging: test driver for LMDB debugging and stress testing.
	Shockingly, LMDB terminates the postscreen daemon without
	logfile record.  File: util/dict_cache.c.

20140102

	Bugfix: close the LMDB database cursor's read transaction
	before writing with MDB_NOLOCK and before changing the
	database memory map size. File: util/slmdb.c.

20140103

	Cleanup: eliminated data duplication from the new SMTP_ITERATOR
	structure to the old SMTP_SESSION structure. The SMTP_ITERATOR
	structure now maintains the sole copy. Files: smtp/smtp.h,
	smtp_sasl_auth_cache.c, smtp_reuse.c, smtp_sasl_glue.c,
	smtp_rcpt.c, smtp_session.c, smtp_chat.c, smtp_proto.c,
	smtp_connect.c.

20140104

	Feature: support for optional configuration files
	"$daemon-directory/postfix-files.d/*".  These are processed
	in sorted order after "$daemon-directory/postfix-files",
	This avoids breaking "postfix set-permissions" etc. when a
	Postfix distribution comes in multiple packages.  File:
	conf/post-install.

20140107

	Feature: LMDB 0.9.11 allows Postfix daemons to log an LMDB
	error message, instead of falling out of the sky without
	any notification.  Files: util/slmdb.[hc], util/dict_lmdb.c.

20140108

	Bugfix: every Postfix LMDB transaction is now protected by
	an external lock for its entire life time. File: util/slmdb.c.

20140109

	Cleanup: turn off DNSSEC lookup after CNAME redirection to
	an insecure zone. This is an optimization for resolvers
	that do not automatically resolve CNAME chains. Viktor
	Dukhovni. File: dns/dns_lookup.c.

	Cleanup: do not salt the SMTP TLS policy lookup cache key
	with the DNSSEC status. The DNSSEC status will not change
	when the same nexthop/host pair is looked up repeatedly.
	Viktor Dukhovni. File: smtp/smtp_tls_policy.c.

	Robustness: Suppress TLSA lookups only when the qname zone
	is insecure, not just because the rname zone is insecure.
	This requires an extra T_CNAME lookup for the qname, since
	nameservers are often "too helpful" and report CNAME records
	together with the CNAME targets. When the targets are
	insecure the whole reply is marked as insecure.  Viktor
	Dukhovni.  File: tls/tls_dane.c.

	Cleanup: Unify/simplify reporting of configuration or other
	conditions that prevent DANE security.  Viktor Dukhovni.
	Files: global/dsn_buf.[hc], tls/tls_dane.c, smtp/smtp_tls_policy.c.

20140110-15

	Miscellaneous documentation cleanups.

20140116

	Workaround: prepend "-I. -I../../include" to CCARGS, to
	avoid name clashes with non-Postfix header files. File:
	makedefs.

20140125

	Cleanup: assorted documentation glitches.

20140209

	Workaround: the Postfix SMTP client now also falls back to
	plaintext when TLS fails after the TLS protocol handshake.
	Files: smtp/smtp.h, smtp/smtp_connect.c, smtp/smtp_trouble.c.

	Testbed: unsupported HANGUP access map action that drops
	the connection without responding to the remote SMTP client.
	File: smtpd/smtpd_check.c.

20140214

	Workaround: apparently some buggy kernels report WIFSTOPPED
	events to the parent process (master daemon) instead of the
	tracing process (e.g., gdb). File: master/master_spawn.c.

20140218

	Workaround: require that a queue file is older than
	$minimal_backoff_time, before falling back from failed TLS
	to plaintext (both during or after the TLS handshake).
	Viktor Dukhovni. Files: smtp/smtp.h, smtp/smtp.c,
	smtp/lmtp_params.c, smtp/smtp_params.c.

20140220

	Workaround: in case "minimal_backoff_time = $queue_run_delay".
	Files: smtp/smtp.c, smtp/smtp_params.c, smtp/lmtp_params.c.

	Cleanup: consolidate the code to log the start of a new
	mail transaction in one place, so that code can easily be
	added to log TLS status information in addition to the
	existing client and SASL status information. Files:
	smtpd/smtpd_sasl_proto.h, smtpd/smtpd_sasl_proto.c,
	smtpd/smtpd.c.

20140223

	Workaround: when a session breaks after the TLS handshake,
	do not fall back from TLS to plaintext when all recipients
	were deferred or rejected during the TLS phase. Files:
	smtp/smtp.h, smtp/smtp_rcpt.c.

	Logging: the TLS client logged that an "Untrusted" TLS
	connection was established instead of "Anonymous".  Viktor
	Dukhovni. File: tls/tls_client.c.

	Documentation: new self-signed certificate example and
	updated private CA example. File: proto/TLS_README.html.

20140224

	Bugfix (introduced: 20061106): when the "retry" transport
	was added to Postfix, it was not given special status like
	the "error" transport. The Postfix SMTP server did not defer
	mail that resolves to the "retry" transport, and the
	trivial-rewrite daemon would override the null nexthop
	destination in "retry:" with the current nexthop destination.
	Files: smtpd/smtpd_check.c, trivial-rewrite/transport.c.

20140227

	Bugfix: Enforce TLS when TLSA records exist, but all are
	unusable; Don't leak dane handle when all TLSA records are
	unusable.  Viktor Dukhovni. File: smtp/smtp_tls_policy.c.

	Cleanup: log TLS policy lookup errors as warnings. Viktor
	Dukhovni.  File: smtp/smtp_connect.c.

20140316

	Feature: preliminary support to change arbitrary hard
	delivery errors into soft errors and vice versa, or to
	replace the descriptive text of non-delivery notifications.
	This was originally introduced for sites that want to bounce
	mail when no remote SMTP server announces TLS support. New
	parameters: {default,smtp,pipe,virtual}_bounce_defer_filter.
	Files: proto/postconf.proto, mantools/postlink, global/bounce.[hc],
	bounce/defer.[hc], global/ndr_filter.[hc], global/mail_params.[hc],
	master/event_server.c, master/multi_server.c,
	master/single_server.c, master/trigger_server.c, smtp/smtp.c,
	pipe/pipe.c, virtual/virtual.c.

20140317

	Feature: local_bounce_defer_filter support. Files:
	global/bounce.[hc], global/defer.[hc], local/command.c,
	local/file.c, local/bounce_workaround.c, local/local.c,
	global/mail_params.h, mantools/postlink.

20140318

	Refinement: don't throttle an SMTP destination when the new
	smtp_bounce_defer_filter feature turns a soft bounce into
	a hard bounce.  File: smtp/smtp_trouble.c.

20140320

	Feature: support to replace successful delivery status code
	and explanatory text.  This can be used to to hide local
	details such as destination commands or file names when a
	remote sender requests confirmation of delivery.  As of now
	*_bounce_defer_filter is renamed into *_delivery_status_filter.
	Files: global/bounce.c, global/bounce.h, global/defer.c,
	global/defer.h, global/dsn_filter.c, global/dsn_filter.h,
	global/mail_params.c, global/mail_params.h, global/sent.c,
	local/local.c, master/event_server.c, master/multi_server.c,
	master/single_server.c, master/trigger_server.c, pipe/pipe.c,
	smtp/lmtp_params.c, smtp/smtp.c, smtp/smtp_params.c,
	virtual/virtual.c, mantools/postlink.

20140322

	Cleanup: code comments and identifier names to reflect the
	evolution from "NDR filter" to "delivery status filter".
	Files: global/mail_params.h, smtp/smtp.c, global/dsn_filter.c,
	global/dsn_filter.h, local/local.c, pipe/pipe.c,
	smtp/lmtp_params.c, smtp/smtp_params.c, virtual/virtual.c,
	global/bounce.c.

20140323

	Feature: initial merge of Debian-style dynamic linking.
	Viktor Dukhovni.

20140406

	Bugfix: when testing session caching, stop reconnecting
	after encountering a previously-used server (when the session
	is re-used or not). Viktor Dukhovni. File:
	posttls-finger/posttls-finger.c.

	Feature: configurable TLS session-ticket cipher (default:
	tls_session_ticket_cipher = aes-128-cbc). Viktor Dukhovni
	and Wietse. Files: mantools/postlink, smtpd/smtpd.c,
	proto/postconf.proto, global/mail_params.h, tls/tls_misc.c,
	tls/tls_scache.h, tls/tls_server.c.

20140416

	Cleanup: replace "~0 << positive" with "~0U << positive"
	even if we use only the lower bytes.  Jeffrey Walton.  File:
	util/mask_addr.c.

20140407

	Documentation: the documentation for Postfix > 2.8 TLS
	activity logging was incorrect. Loglevel 0 produces no
	logging. Instead, information is logged only with loglevel
	1 or higher. Viktor Dukhovni. Files: proto/TLS_README.html,
	proto/postconf.proto.

20140501

	Cleanup: postscreen_dnsbl_timeout parameter. Files:
	mantools/postlink, proto/postconf.proto, global/mail_params.h,
	postscreen/postscreen.c, postscreen/postscreen_dnsbl.c.

	Cleanup: added table search order information to the
	postconf(5) manpage. File: proto/postconf.proto.

20140505

	Cleanup: added a client port attribute to the policy
	delegation protocol. Jernej Porenta. File: smtpd/smtpd_check.c.

20140507

	Bugfix (introduced: Postfix 2.11): with connection caching
	enabled (the default), recipients could be given to the
	wrong mail server.  Root cause: due to an incorrect predicate,
	the Postfix SMTP client could save and restore plaintext
	connections that should not be cached, under nonsensical
	lookup keys that did not distinguish by destination.  Problem
	reported by Sahil Tandon, predicate error found by Viktor,
	redundant connection restore request eliminated by Wietse.
	File: smtp/smtp_connect.c.

	Cleanup: the macros that control SMTP connection reuse
	poorly reflected their purpose. "DEAD" is replaced with
	"FORBIDDEN" (no I/O allowed) and "BAD" is replaced with
	"THROTTLED" (anything that causes the queue manager to back
	off from some destination). Files: smtp.h, smtp_connect.c,
	smtp_proto.c, smtp_trouble.c.

	Cleanup: enable SMTP connection cache lookup by destination
	name while a surge of mail dries up. File: smtp_connect.c.

20140505

	Bugfix: the postdrop authorized_submit_users feature requires
	that lookup table support is initialized so that it can use
	libglobal or dynamicmaps maps.  File: postdrop/postdrop.c.

	Cleanup: moved dynamicmaps initialization from parameter
	initialization (mail_conf_suck()) to dictionary initialization
	(mail_dict_init()).  A benefit of this is that dynamicmaps.cf
	is no longer read by programs that don't use Postfix lookup
	tables.  Files: global/mail_conf.[hc], global/mail_dict.c.

	Cleanup: move the mail_dict_init() call after the
	mail_conf_read() or mail_params_init() call, to prepare for
	a configurable dynamicmaps.cf directory.   Files:
	master/event_server.c, master/multi_server.c,
	master/single_server.c, master/trigger_server.c.

20140506

	Cleanup: you can now specify "make makefiles parameter=value"
	for selected compile-time parameter default overrides.  The
	old "make makefiles 'CCARGS=-DDEF_MUMBLE=\"mumble\"'"
	approach remains supported.  File: makedefs.

20140508

	Cleanup: dynamicmaps.cf is now installed into $daemon_directory
	because the file is shared among Postfix instances just
	like postfix-files and other files.  Files: conf/dynamicmaps.cf,
	Makefile.in, conf/postfix-files.

	Cleanup: INSTALL is now plain ASCII instead of README format,
	to avoid a chicken-and-egg problem (the instructions to
	print/view README-format files are in the INSTALL file).

	Documentation: updated INSTALL instructions and RELEASE_NOTES.

20140512

	Portability: Berkeley DB6 support. File: util/dict_db.c.

20140514

	Cleanup: replace #ifdef/endif containing hard-coded calls
	of dynamicmaps functions with an extension mechanism that
	dynamicmaps functions invoke instead. Files: util/dict.h,
	util/dict_open.c, global/dynamicmaps.[hc], global/mkmap.h,
	global/mkmap_open.c.

20140515

	Bugfix (introduced: 20140320): missing initialization.
	Viktor Dukhovni. File pipe/pipe.c.

	Cleanup: mkmap_open() now caches a dynamically-loaded
	function. This is useful because postmap/postalias may open
	the same database type multiple times. Files: global/mkmap.h,
	global/mkmap_open.c.

	Security: the dynamicmaps.cf file and its and shared-object
	files must not be writable by non-root users. File:
	global/dynamicmaps.c.

20140517

	Cleanup: dynamic linking and hooking. Files: util/dict.h,
	util/load_lib.[hc], global/dynamicmaps.c.

20140518

	Preliminary "make plugins" support. Todo: macros to dynamically
	remove pluggable maps from compile-time tables in dict_open.c
	and mkmap_open.c, and from the OBJS lists in Makefile.in.

20140522

	Support for "make shared=yes" and "make dynamicmaps=yes".
	New plugin_directory parameter for the location of the
	dynamicmaps.cf file and for plugins with a relative pathname.
	See RELEASE_NOTES and INSTALL for details. Files: postfix.c,
	mail_params.[hc], dynamicmaps.c, mail_dict.c, makedefs,
	postfix-files, dynamicmaps.cf, Makefile.in, util/Makefile.in,
	global/Makefile.in, postlink, postconf.proto.  INSTALL.html,
	RELEASE_NOTES.

20140523

	Cleanup: don't install plugins for unsupported databases,
	and don't make dynamicmaps.cf entries for them. Files:
	makedefs, Makefile.in, util/Makefile.in, global/Makefile.in.

	Cleanup: added support for symlinks where the "source" is
	specified as a relative pathname. File: postfix-install.

	Cleanup: moved instructions from RELEASE_NOTES to INSTALL
	to avoid duplication. Files: RELEASE_NOTES, proto/INSTALL.html.

	Cleanup: include <dict_lmdb.h> unconditionally so that
	dict_lmdb_map_size is always defined. Files: mail_params.c,
	dict_test.c.

	Cleanup: port for ancient Solaris9 revealed some non-portability.
	Files: master/Makefile.in, makedefs, sys_defs.h.

20140524

	Cleanup: specify database library dependencies with variables
	named AUXLIBS_CDB, AUXLIBS_LDAP, etc. The global AUXLIBS
	variable is still supported, but the new variables are
	required when building dynamically-loadable building database
	plugins.  Files: RELEASE_NOTES, INSTALL.html, CDB_README.html,
	LDAP_README.html, LMDB_README.html, MYSQL_README.html,
	PCRE_README.html, PGSQL_README.html, SQLITE_README.html,
	makedefs, util/Makefile.in, global/Makefile.in.

	Workaround: reportedly, MacOS can fail to move a symlink
	with a relative target across file system boundaries, because
	it examines the symlink with stat() instead of lstat().
	Files: makedefs, Makefile.in.

	Cleanup: use readlink to verify symlink target. File:
	postfix-install.

20140528

	Cleanup: the configuration file dynamicmaps.cf will now
	automatically include files under the directory dynamicmaps.cf.d,
	just like the configuration file postfix-files will
	automatically include files under the directory postfix-files.d.
	See INSTALL section "Building with Postfix shared libraries
	and database plugins".  File: dynamicmaps.c.

20140530

	Cleanup: add shlib_directory and plugin_directory to the
	postmulti-script list of shared parameters. Viktor Dukhovni.
	File: postmulti-script.

	Cleanup: to avoid "postfix set-permission" errors, don't
	create postfix-files entries for non-existent database
	plugins. Problem reported by Viktor. File: Makefile.in.

	Bugfix: we can't use "mv" to replace a symlink-to-directory.
	Instead we now create all symlinks in place. Unfortunately
	the "ln -n" option is not universally implemented, so we
	remove the old symlink first.  Problem reported by Viktor.
	File: postfix-install.

20140603

	Cleanup: use the OpenSSL session id accessor (available
	since OpenSSL 0.9.8 or so) instead of groping a session
	object directly. Viktor Dukhovni. File: tls_server.c.

20140605

	Feature: the pipe(8) daemon logs some command output after
	successful delivery as "dsn=2.0.0, status=sent (delivered
	via XXX service (YYY))" where XXX is the master.cf service
	name, and YYY is command output. Files: pipe/command.c,
	pipe.c.

20140613

	Feature: the "pipeline" table implements a table pipeline.
	Example "pipeline:!type_1:name_1!...!type_n:name_n".  The
	ASCII character after "pipeline:" will be used as the
	separator between the lookup tables that follow (do not use
	space, ",", ":" or non-ASCII).  Each "pipeline:" query is
	given to the first table.  Each lookup result becomes the
	query for the next table in the pipeline, and the last table
	produces the final result.  When any table lookup produces
	no result, the pipeline produces no result.  Files:
	dict_pipe.[hc], dict_open.c, postlink, DATABASE_README.html,
	postconf.c.

20140617

	Feature: the "random" table performs random selection.
	Example: "random:!result_1!...!result_n". Each table query
	returns a random choice from the specified results. The
	ASCII character after "random:" will be used as the separator
	between the results that follow (do not use space, ",", ":"
	or non-ASCII).  Files: dict_random.[hc], dict_open.c,
	postlink, DATABASE_README.html, postconf.c.

20140618

	Cleanup: INFO action in access(5) tables, for consistency
	with header/body_checks. Viktor Dukhovni.  Files:
	smtpd/smtpd_check.c, proto/access.

20140619

	Cleanup: process LaMont Jones feedback for shared-library
	and database-plugin builds. Changes: 1) move non-executable
	files from $daemon_directory to the default $config_directory
	(postfix-files*, dynamicmaps.cf*, main.cf.proto/master.cf.proto
	for multi-instance support); 2) add foo.so -> foo.so.version
	symlinks; 3) change $shlib_directory and $plugin_directory
	defaults to /usr/lib/postfix to reduce sprawl.  Files:
	conf/main.cf.proto, conf/master.cf.proto, conf/postfix-files.proto,
	conf/post-install, conf/postmulti-script, makedefs,
	postfix-install, proto/INSTALL.html, global/dynamicmaps.c,
	global/dynamicmaps.h, global/mail_dict.c, global/mail_params.h,
	postmulti/postmulti.c.

	Bugfix (introduced: 2001): qmqpd null pointer bug when it
	logs a lost connection while not in a mail transaction.
	Reported by Michal Adamek. File: qmqpd/qmqpd.c.

	Cleanup: filter non-printable characters in X509 subject
	or issuer names. Viktor Dukhovni. File: tls/tls_server.c.

20140620

	Cleanup: for compliance with file system policies, some
	files have been moved from $daemon-directory to the directory
	specified with the new meta_directory parameter which has
	the same default value as config_directory.  This change
	affects non-executable files that are shared among multiple
	Postfix instances, such as postfix-files, dynamicmaps.cf,
	and multi-instance template files.

	For backwards compatibility with Postfix 2.6..2.11, specify
	"meta_directory = $daemon_directory" in main.cf before
	installing Postfix, or specify "meta_directory = /path/name"
	on the "make makefiles", "make install" or "make upgrade"
	command line.

	Files: Makefile.in, RELEASE_NOTES, conf/post-install,
	conf/postfix-files.proto, conf/postmulti-script, makedefs,
	mantools/postlink, postfix-install, proto/INSTALL.html,
	proto/postconf.proto, global/mail_params.c, global/mail_params.h,
	postfix/postfix.c, postmulti/postmulti.c.

	Feature: check_xxx_a_access (for xxx in client, reverse_client,
	helo, sender, recipient) implements access control on all
	A and AAAA IP addresses for the client hostname, helo
	parameter, sender domain or recipient domain. Some spam has
	sender domains with the same IP address but different MX
	hosts.  Files: global/mail_params.h, smtpd/smtpd_check.c,
	proto/postconf.proto.

20140622

	Cleanup: eliminated plugin_directory to reduce configuration
	parameter sprawl. Files: Makefile.in, RELEASE_NOTES,
	conf/post-install, conf/postfix-files.proto, conf/postfix-script,
	conf/postmulti-script, makedefs, mantools/postlink,
	postfix-install, proto/INSTALL.html, proto/postconf.proto,
	global/Makefile.in, global/mail_dict.c, global/mail_params.c,
	global/mail_params.h, global/mail_version.h, postfix/postfix.c,
	postmulti/postmulti.c, smtpd/smtpd_check.c, util/Makefile.in.

20140623

	Cleanup: eliminated the use of Postfix release versions as
	file name suffixes for shared libraries, database plugins
	and dynamicmaps.cf.  The shared-library version suffixes
	were fighting against assumptions and conventions in run-time
	linkers, including the assumption that ABIs are preserved
	from one version to the next. The Postfix version can now
	be embedded in the shlib_directory parameter. As this is
	sufficient to permit upgrade of a running Postfix system
	without risking that old binaries will link against newer
	shared objects, we no longer need a version suffix for
	dynamicmaps.cf.  Files: Makefile.in, RELEASE_NOTES,
	conf/postfix-files.proto, makedefs, proto/INSTALL.html,
	proto/postconf.proto, global/mail_params.h, global/mail_version.h,

20140624

	Cleanup: the commands "make (makefiles|install|upgrade|package)
	parameter=value" now replace the string MAIL_VERSION in a
	configuration parameter value with the Postfix release
	version.  Unfortunately, the more obvious approach, a
	parameter value with the unexpanded '$mail_version', produces
	inconsistent results with different make implementations.
	Files: makedefs, Makefile.in, postfix-install, proto/INSTALL.html,
	proto/PACKAGE_README.html

	Cleanup: postmulti now requires "postmulti -e init" before
	accepting other multi-instance requests.  Viktor Dukhovni.
	File: conf/postmulti-script.

20140625

	Kludge: moved dict_db_cache_size away from dict_db.c in
	preparation for Berkeley DB database plugin support (a
	similar kludge was implemented for LMDB).  Files:
	util/dict_db.[hc], util/dict_test.c, global/mail_params.c.

	Cleanup: don't leak build directory information via SHLIB_ENV
	in makedefs.out.  Files: Makefile.in, conf/postfix-files.

20140626

	Cleanup: construction debris. Files: Makefile.in,
	conf/postfix-script.

	Cleanup: replace the result of MAIL_VERSION expansion with
	$mail_version in main.cf installation parameter settings,
	to permit safe upgrade of a running mail system. File:
	postfix-install.

	Cleanup: replace the result of MAIL_VERSION expansion with
	$mail_version in built-in default installation parameter
	settings, for consistency with main.cf. File: makedefs,
	postfix-install, conf/post-install.

	Cleanup: removed $mail_version from the default shlib_directory
	value. Files: global/mail_params.h, proto/INSTALL.html.

	Cleanup: in postfix-script, use find instead of ls to
	determine permissions or ownership, and group some checks
	with "pathname/." and "pathname/*" into one.  Downside:
	more warnings will now have "/./" in the middle of a pathname.
	File: conf/postfix-script.

	Cleanup: need to evaluate mail_version before evaluating
	parameters that may contain $mail_version. File:
	global/mail_params.c.

	Cleanup: the postmulti command now exercises the postconf
	"-x" option to expand $parameter_name in secondary-instance
	parameter values.  File: postmulti/postmulti.c.

	Cleanup: post-install also needed to replace the result of
	MAIL_VERSION expansion with $mail_version, for the same
	reasons as postfix-script. Viktor Dukhovni. File:
	conf/post-install.

20140627

	Bugfix (introduced: 20140626) broken build and broken install
	with default shlib_directory. Files: makedefs.

	Bugfix (introduced: 20140627) "make install" stopped with
	a bogus error when there was no real "make install name=value"
	parameter override.  Files: conf/post-install.

	Cleanup: support MAIL_VERSION magic (see INSTALL) only at
	the end of a parameter value. Files: proto/INSTALL.html
	makedefs, postfix-install, conf/postfix-files.

	Cleanup: use ${mail_version} as the MAIL_VERSION-unexpanded
	form.  Viktor Dukhovni. Files: makedefs, postfix-install,
	conf/postfix-files.

20140630

	Cleanup: the pipeline and random lookup tables are now
	called pipemap and randmap, respectively. These names are
	more specific. The old names remain available, at least
	temporarily.  Files: util/dict_pipe.[hc], util/dict_random.[hc],
	postconf/postconf.c, mantools/postlink, proto/DATABASE_README.html.

	Feature: smtpd_policy_service_request_limit to limit the
	number of requests per Postfix SMTP server policy connection.
	This is a workaround to avoid error-recovery delays with
	policy servers that cannot maintain a persistent connection.
	Based on code by Markus Benning. Files: global/mail_params.h,
	mantools/postlink, proto/SMTPD_POLICY_README.html,
	proto/postconf.proto, smtpd/smtpd.c, smtpd/smtpd_check.c,
	util/attr_clnt.[hc].

20140701

	Cleanup: documented how Postfix maintains dictionary
	provenance. Provenance matters: for example, the owner UID
	of an aliases(5) database file determines the execution
	privileges for delivery to |command or /file/name.  Refined
	the algorithm that computes the provenance of a pipemap,
	based on the provenance of its constituent lookup tables.
	Files: util/dict.[hc], util/dict_pipe.c.

	Cleanup: made mail_spool_directory configurable with "make
	makefiles mail_spool_directory=/path/name".  This allows
	Postfix to be built without any pathnames that reference
	system directories. This is useful for testing and sandboxing.
	Files: global/mail_params.h, makedefs.

	Cleanup: configurable attr_clnt(3) retry strategy (try limit
	and retry delay).  Files: util/attr_clnt.[hc].

	Feature: control over SMTPD policy lookup error handling:
	smtpd_policy_service_try_limit, smtpd_policy_service_retry_delay,
	smtpd_policy_service_default_action determine how many times
	to try to send a policy request before giving up, the delay
	before resending a failed policy request, and a default
	action when giving up. The defaults are backwards-compatible.
	Files: global/mail_params.h, mantools/postlink,
	proto/postconf.proto, smtpd/smtpd.c, smtpd/smtpd_check.c.

20140709

	Cleanup: bitrot in unused function. File: global/defer.c.

	Cleanup: add SYSLIBS minus static libraries while building
	Postfix shared-library objects. Files: makedefs, util/Makefile.in,
	global/Makefile.in, dns/Makefile.in, master/Makefile.in/.

20140708

	Bugfix (introduced 20140701): did not restore jumpbuf while
	evaluatingsmtpd_policy_service_default_action.  Viktor
	Dukhovni. File: smtpd/smtpd_check.c.

	Feature: VERY PRELIMINARY support for SMTPUTF8 based on an
	initial implementation by Arnt Gulbrandsen, funded by CNNIC.
	This implements the syntax of SMTP commands and DSN delivery
	status notifications. It does not address the problem that
	the same domain name may show up in different forms: an
	UTF8-encoded name with non-ASCII characters, or an IDNA-encoded
	(xn--mumble) name with ASCII-only characters. This means
	that access policies, mydestination, virtual_*_domains and
	relay_domans will have to understand both forms in order
	to provide complete coverage.  For now, SMTPUTF8 support
	must not be enabled except for testing.

20140710

	Portability: add '-Wl,--enable-new-dtags' to the linker
	command line with building with Postfix shared libraries
	on Linux. Viktor Dukhovni. file: makedefs.

20140711

	Background: What is SMTPUTF8 autodetection? Postfix cannot
	rely solely on the sender's declaration that a message
	requires SMTPUTF8 support, because UTF8 may be introduced
	during local processing (for example, the client hostname
	in Postfix's Received: header, adding @$myorigin or .$mydomain
	to an incomplete address, address rewriting, alias expansion,
	automatic BCC recipients, local forwarding, and modifications
	made by header checks or Milter applications).  This means
	that some form of autodetection is needed that a message
	requires SMTPUTF8 support.

	Cleanup: don't try to distinguish between UTF that is already
	present in a message or envelope, and UTF8 that is introduced
	during local processing (see above).  Maintaining this
	distinction is too problematic.

	Cleanup: mailing list friendliness. Allow delivery of
	SMTPUTF8 mail to non-SMTPUTF8 servers when a message has
	no UTF8 headers, no UTF8 envelope sender, and when the
	specific delivery request contains no UTF8 envelope recipient.
	This is needed for mailing lists that may have a mix of
	UTF8 and non-UTF8 subscriber addresses. File: global/smtputf8.h,
	smtp/smtp_proto.c.

	Cleanup: moved all SMTPUTF8 detection to the cleanup server,
	so that it can apply equally to sendmail command-line
	submission, forwarded mail, postmaster notifications,
	delivery status notifications, mail received with the qmqpd
	server, address verification probes, as well as UTF8
	introduced during local processing (see above).  Files:
	cleanup/cleanup_out.c, cleanup/cleanup_addr.c.

	Cleanup: store the SMTPUTF8 message (i.e. non-recipient)
	flags in the first queue file record, so that the queue
	manager can find the information without having to read
	every queue file record.  Files: cleanup/cleanup_final.c,
	*qmgr/qmgr_message.c.

20140713

	Interoperability: new parameter smtputf8_autodetect_classes
	for selective autodetection that a message requires UTF8SMTP
	support. During the initial SMTPUTF8 rollout, this is limited
	by default to Postfix sendmail command-line submissions and
	address verification probes.  Sites that introduce UTF8
	during local processing (see above) will have to enable
	SMTPUTF8 autodetection for all mail sources. This feature
	shares infrastructure with the older internal_filter_classes
	feature.  Files: bounce/bounce_notify_service.c,
	bounce/bounce_notify_verp.c, bounce/bounce_one_service.c,
	bounce/bounce_trace_service.c, bounce/bounce_warn_service.c,
	global/int_filt.c, global/mail_proto.h, global/smtputf8.c,
	local/forward.c, pickup/pickup.c, qmqpd/qmqpd.c, smtp/smtp_chat.c,
	smtpd/smtpd.c, smtpd/smtpd_chat.c, verify/verify.c.

	Feature: preliminary message/global support. This does not
	yet parse encoded message/global (such as message/global
	sent through an non-8BITMIME system). Such mail cannot yet
	be inspected with header_checks. File: global/mime_state.c.

20140714

	Cleanup: update the "smtputf8" delivery request flags when
	VERP expansion causes an UTF8 recipient address to appear
	in the envelope sender address.  Files: *qmgr/qmgr_deliver.c.

	Cleanup: emit the correct content transfer encoding name
	when downgrading message/global as quoted-printable. File:
	global/mime_state.c.

	Cleanup: generate a bounce message with MIME type *global*
	only when the original message requested SMTPUTF8 support.
	File: bounce/bounce_notify_util.c.

	Cleanup: propagate the "SMTPUTF8 support requested" flag
	when bouncing a message or when forwarding a message through
	a local alias or .forward file.  Files: local/forward.c,
	bounce/bounce_notify_util.c, src/global/post_mail.[hc], and
	specify a dummy argument SMTPUTF8_FLAGS_NONE in all other
	programs that programs that invoke post_mail_fopen*(),

20140715

	Cleanup: change extract_addr() API to indicate that an
	address is parsed in SMTPUTF8 context. File: smtpd/smtpd.c.

	Cleanup: shared-library build fixes. Viktor Dukhovni.  Files:
	makedefs, dns/Makefile.in, global/Makefile.in, master/Makefile.in,
	tls/Makefile.in, util/Makefile.in.

	First general release with SMTPUTF8 support; see RELEASE_NOTES
	for an initial writeup.  The last pre-SMTPUTF8 release is
	snapshot 20140713.

20140716

	Paranoia: validate UTF8 before exposing it to libicuuc.
	File: util/midna.c.

	Typo: Postfix did not warn when smtputf8_enable=yes while
	UTF-8 support is not compiled in. File: global/mail_params.c.

	Cleanup: hard-coded GCC dependencies. Eray Aslan. File:
	makedefs.

20140717

	Safety: manipulate unsigned characters while decoding.
	Files: global/xtext.c, global/uxtext.c.

	Infrastructure: ACE label to UTF-8 conversion. Files:
	util/midna.[hc].

	Infrastructure: macro expansion with printable() filter.
	Files: util/mac_expand.[hc].

	Feature: when expanding myhostname or mydomain in bounce
	template messages, and smtputf8_enable=yes, convert ACE
	(xn--mumble) labels into UTF-8.  bounce/bounce_template.c.

20140720

	Cleanup: charset selection and content-transfer encoding
	in bounce messages (work in progress). The proper solution
	requires separate handling of the returned-message MIME
	properties and of the (boiler-plate text, delivery status)
	MIME properties.  File: bounce/bounce_notify_util.c.

20140722

	Documentation: the TLS_README example for creating a
	self-signed certificate was incomplete. Also, added
	"smtp_tls_loglevel = 1" and "smtpd_tls_loglevel = 1" settings
	to cookbook recipes, so that TLS handshake results will be
	logged. Viktor Dukhovni.  File: proto/TLS_README.html.

	Documentation: update Perl MIME::Base64 example.  File:
	proto/SASL_README.html.

	Documentation: update pointer to Bennett Todd's SMTP proxy.
	File: proto/SMTPD_PROXY_README.html.

20140725

	Documentation: describe what features are controlled by
	parent_domain_matches_subdomains, both in the description
	of the controlled feature, and in the description of
	parent_domain_matches_subdomains. File: proto/postconf.proto.

	Cleanup: smtpd_client_event_limit_exceptions is now controlled
	with parent_domain_matches_subdomains, with backwards-compatible
	default (specify .example.com in order to match subdomains
	of example.com). Files: smtpd/smtpd.c.

	Documentation: SMTPUTF8_README, an updated version of text
	that was originally part of the RELEASE_NOTES file. Files:
	proto/SMTPUTF8_README.html, proto/Makefile.in, html/index.html.

20140731

	Feature: the Postfix SMTP server now logs at the end of a
	session how many times each SMTP command was successfully
	invoked, followed by the total number of invocations if it
	is different.  File: smtpd/smtpd.c.

20140802

	Workaround: detect mis-configuration where Postfix talks
	to the Dovecot master socket instead of the Dovecot userdb
	socket. Timo Sirainen. File: xsasl/xsasl_dovecot_server.c.

20140904

	Logging: the MySQL client now logs a warning when a match
	against the "domain" list fails due to table lookup error
	(the underlying mechanism already logs a warning, but it
	has less context information).  File: global/dict_mysql.c.

20140907

	Feature: with "confirm_delay_cleared = yes", Postfix informs
	the sender when delayed mail leaves the queue. This can
	result in a sudden burst of notifications at the end of a
	prolonged network outage, and is therefore disabled by
	default. Files: mantools/postlink, proto/postconf.proto,
	global/deliver_request.h, global/mail_params.h, global/sent.c,
	*qmgr/qmgr.c, *qmgr/qmgr_active.c, *qmgr/qmgr_message.c.

20140908-14

	Feature: for the first time in 17 years, support for
	${name?if-nonempty:if-empty} macro expressions, and for
	logical expressions ${logical-expr?if-true:if-false}. In
	preparation for configurable message headers and logging.
	Files: util/mac_expand.c.

20140914

	Bugfix (introduced: 19971026): a zero precision value in
	%.*s and $.<digits>s was implemented as if no precision
	value was specified, i.e. print the entire string. This was
	not harmful, it just looked weird.  File: util/vbuf_print.c.

20140917

	Feature: RFC 7372 enhanced status code for unknown SMTP
	client hostnames.  File: smtpd/smtpd_check.c

	Bugfix: the accept() calls in test progams escaped attention
	when Postfix 2.2 was ported to IPv6. Problem found by Mark
	Martinec. Files: smtpstone/smtp-sink.c, smtpstone/qmqp-sink.c.

20140918

	Cleanup: log a warning when the cleanup server detects too
	many hops. smtpd(8) does not log any of the CLEANUP_STAT_XXX
	results. The pickup server logs some because there is no
	client to send the problem description to. This logic of
	who logs what needs to be revisited. File:
	cleanup/cleanup_message.c.

20140919

	Usability: randmap and pipemap syntax, for example,
	pipemap:{type_1:name_1, ..., type_n:name_n}.  This required
	small updates to code that parses input into lookup table
	names. Files: global/data_redirect.c, global/maps.c,
	global/server_acl.c, postconf/postconf.c, postconf/postconf_dbms.c,
	postconf/test58.ref, proto/DATABASE_README.html,
	proxymap/proxymap.c, smtpd/smtpd_check.c, util/argv.h,
	util/balpar.c, util/dict_pipe.c, util/dict_random.c,
	util/match_list.c, util/mystrtok.c, util/argv_splitq.c,
	util/stringops.h.

	Cleanup: added PRINTFLIKE() to enable missing format string
	checks. Files: bounce/bounce_template.h, global/memcache_proto.h,
	global/dict_memcache, postconf/postconf.h, util/dict.h,
	util/msg.h.

20140920

	Bugfix (introduced: 20080212): incorrect client name in
	reject messages from check_reverse_client_hostname_access
	and check_reverse_client_hostname_{a,mx,ns}_access.  They
	replied with the verified client name, instead of the name
	that was rejected.  Problem reported by Reindl Harald. File:
	smtpd/smtpd_check.c.

20140921

	Cleanup: postconf code to determine the default mydomain
	value had not evolved since 1997, while the rest of Postfix
	changed in 2000.  File: postconf/postconf-dbms.c.

20140922

	Cleanup: the confirm_delay_cleared feature now sends no
	notification when the sender requests NOTIFY options that
	do not include NOTIFY=DELAY. Files: global/deliver_request,h,
	global/sent.c, *qmgr/qmgr_active.c, *qmgr/qmgr_message.c.

	Bugfix (introduced: yesterday): missing print arguments.
	File: postconf/postconf_dbms.c.

	Cleanup: simplified "nested" lookup table checks.

	Cleanup: replace stress-dependent main.cf defaults with the
	ternary form: "${stress?{x}:{y}}" File: global/mail_params.h,
	proto/postconf.proto, postscreen/postscreen.c (comments).

20140923

	Cleanup: dict_db and dict_lmdb global settings. Files:
	global/mail_params.c, util/dict_open.c.

	Feature: unionmap, based on contribution by Roel van Meer.
	Files: mantools/postlink, postconf/postconf.c (manpage),
	proto/DATABASE_README.html, util/dict_open.c, util/dict_union.[hc].

20140924

	Bugfix (introduced: 20060117): the escape function didn't
	correctly convert non-ASCII. File: util/unescape.c.

	Bugfix (introduced: 201407): missing conversions for non-ASCII
	domain names in permit_mx_backup, check_mumble_{a,mx,ns}_access
	and reject_unknown_{sender,recipient}_domain. Mark Martinec.
	File: smtpd/smtpd_check.c.

20140925

	Cleanup: support for per-Milter settings, for example:
	smtpd_milters = {inet:host:port, default_action=accept,
	...}.  Specify the Milter endpoint address followed by zero
	or more attribute=value pairs separated by comma or space.
	The supported attributes are command_timeout, connect_timeout,
	content_timeout, default_action, and protocol. These have
	the same names as the corresponding main.cf parameters,
	minus the "milter_" prefix.  Files: global/mail_conf_over.c,
	global/mail_conf_str.c, global/mail_conf_time.c,
	global/mail_conf.h, milter/milters.c.

20140927

	Cleanup: specify { name = value } in per-Milter settings,
	to support space around the "=" or comma/space within the
	value. Files: global/attr_over.[hc].

	Cleanup: "postconf -n" now only shows config_directory when
	an override is in effect (environment, -c or -o).

	Cleanup: support for master.cf arguments inside {}, to
	protect arguments that contain whitespace. File:
	master/master_ent.c, postconf/postconf_master.c,
	postconf/test59.ref.

	Cleanup: support for per-policy client settings, for example:
	check_policy_service {inet:host:port, default_action=dunno,
	timeout=50s, ...}. Specify the policy server endpoint address
	followed by zero or more attribute=value pairs separated
	by comma or space.  Specify { name = value } for attributes
	that contain whitespace; otherwise, space is not allowed
	around the "=".  The supported attributes are default_action,
	max_idle, max_ttl, request_limit, retry_delay, timeout, and
	try_limit. These have the same names as the corresponding
	main.cf parameters, minus the "smtpd_policy_service_" prefix.
	Files: global/mail_conf_int.c, global/mail_conf.h,
	global/attr_override.[hc], smtpd/smtpd_check.c.

20140928

	Cleanup: extpar.c module to reduce code duplication.  Files:
	global/attr_override.c, master/master_ent.c, milter/milter.c,
	postconf/postconf_dbms.c, postconf/postconf_master.c,
	smtpd/smtpd_check.c, util/extpar.c, util/stringops.h.

	Cleanup: the table-driven code for per-Milter and per-policy
	overrides now updates stack-based variables, instead of
	(ugh) statically-allocated variables. Files:
	global/attr_override.[hc], smtpd/smtpd_check.c, milter/milter.c.

	Documentation: added advanced configuration sections for
	how to use per-Milter and per-policy settings.  Files:
	proto/SMTPD_POLICY_README.html, proto/MILTER_README.html.

	Cleanup: force LANG=C to prevent groff from outputting
	non-ASCII cruft into the HTML-ized manpages.  Files:
	html/Makefile.in, proto/Makefile.in, many HTML output files.

20140929

	Cleanup: the table-driven code for per-Milter and per-policy
	overrides now updates arbitrary variables, so that it can
	also be used for, say, TLS policies. Files:
	global/attr_override.[hc], smtpd/smtpd_check.c, milter/milter.c.

	Documentation: support for "{ argument with whitespace }"
	in master(5) and pipe(8). Files: proto/master, src/pipe/pipe.c.

	Documentation: in ADDRES_VERIFY_README, replaced "nearest
	MTA" with "preferred MTA". The SMTP client was changed years
	ago to try alternate MXes after a 4XX SMTP server response.
	File: proto/ADDRES_VERIFY_README.html.

20141001

	Safety: backwards-compatibility safety net that forces
	Postfix to run with backwards-compatible default settings
	after an upgrade to a newer Postfix version.  Postfix logs
	all uses of those backwards-compatible default settings so
	that the system administator can determine whether or not
	some backwards-compatible default settings need to be made
	permanent in main.cf or master.cf.  All this is controlled
	with a new compatibility_level parameter, default value 0.
	Files: global/mail_params.[hc], trivial-rewrite/rewrite.c,
	master/master_ent.c, smtpd/smtpd.c, postfix/postfix.c.

	New defaults for master.cf chroot (n), append_dot_mydomain
	(no) and smtputf8_enable (yes). File: global/mail_params.h,
	global/mail_params.c, smtp/smtp.c (manpage), smtpd/smtpd.c
	(manpage), trivial-rewrite/trivial-rewrite.c.

	Simple relational expression evaluator so that main.cf
	defaults can be made dependent on comparisons with the
	compatibility_level parameter value. File: util/mac_expand.c.

	Bugfix: do not reset the mail transaction after receiving
	a non-ASCII recipient. File: smtpd/smtpd.c.

20141002

	Cleanup: moved the details of BC safety-net messages from
	RELEASE_NOTES to postconf(5) manpage, and changed the wording
	of the BC messages. Files: RELEASE_NOTES, proto/postconf.proto,
	master/master_ent.c, smtpd/smtpd.c, trivial-rewrite/rewrite.c.

20141003

	Workaround: kludge for multiple paragraphs of text in
	indented paragraphs.  Files: mantools/postconf2html,
	mantools/postconf2man, proto/Makefile.in, proto/postconf.proto

20141005

	Cleanup: CHARSET_COMMA_SP, CHARSET_SPACE and CHARSET_BRACE
	to prepare for the elimination of ad-hoc string constants.
	File: util/sys_defs.h.

	Cleanup: allow "{ name=value }" to protect whitespace in
	import_environment and export_environment. Files:
	proto/postconf.proto, global/mail_parm_split.c, global
	/mail_parm_split.h, global/mail_stream.c, local/command.c,
	master/master.c, pipe/pipe.c, postdrop/postdrop.c,
	postfix/postfix.c, postmulti/postmulti.c, postqueue/postqueue.c,
	spawn/spawn.c.

20141006

	Backwards compatibility: log a helpful message when "localhost"
	is missing from mydestination. Files: trivial_rewrite/rewrite.c,
	trivial_rewrite/resolve.c, trivial-rewrite/trivial-rewrite.h,
	proto/postconf.proto.

	Cleanup: message_drop_header for configurable header dropping
	(default: bcc, content-length, resent-bcc, return-path).
	The list of supported header names covers RFC 5321, 5322,
	MIME RFCs, and some historical names.  File: global/header_opts.c,
	global/mail_params.[hc], cleanup/cleanup.c (manpage),
	proto/postconf.proto, mantools/postlink.

20141008

	New defaults: "relayhost=" and "mynetworks_style = host",
	plus a backwards-compatibility safety net that warns when
	the change in defaults could result in rejection of mail
	(with mynetworks_style this requires that Postfix evaluates
	both old and new default values).  Files: proto/postconf.proto,
	global/flush_clnt.c, global/mail_params.c, global/mail_params.h,
	global/mynetworks.c, global/mynetworks.h, global/server_acl.c,
	postconf/postconf_builtin.c, smtpd/smtpd.c, smtpd/smtpd_check.c.

20141009

	Documentation: moved the gory details from postconf(5) to
	a new COMPATIBILITY_README document. Files: proto/postconf.proto,
	proto/COMPATIBILITY_README.html html/index.html.

	Documentation: update the conf/main.cf compatibility_level
	setting for new Postfix installs, and updated a reminder
	in mail_params.h.

20141010

	Cleanup: make "const char myname[]" declarations static.
	global/attr_override.c, global/bounce.c, global/dsn_filter.c,
	global/dynamicmaps.c, global/mkmap_open.c, global/smtputf8.c,
	smtp/smtp_key.c, smtpd/smtpd_check.c, util/dict_pipe.c,
	util/dict_union.c, util/mac_expand.c, util/midna.c,
	util/valid_utf8_hostname.c.

	Documentation: summarize the user-specified "make makefiles"
	settings at the top of makedefs.out. This file now has so
	many internal variables that people would get lost.

20141011

	Cleanup: replaced cryptic macros X_SMTP() and SMTP_X() with
	more descriptive names: LMTP_SMTP_SUFFIX() and VAR_LMTP_SMTP().
	Files: smtp/smtp.c, smtp/smtp.h, smtp/smtp_chat.c,
	smtp/smtp_connect.c, smtp/smtp_proto.c, smtp/smtp_sasl_glue.c,
	smtp/smtp_sasl_proto.c, smtp/smtp_tls_policy.c.

20141012

	Cleanup: missing format-string checks. Files: master/master_ent.c,
	posttls-finger/posttls-finger.c, smtpd/smtpd_proxy.c.

	Bugfix (introduced: Postfix 2.3): the PREPEND access/policy
	action added headers ABOVE Postfix's own Received: header,
	exposing Postfix's own Received: header to Milters (protocol
	violation) and hiding the PREPENDed header from Milters.
	The latter caused problems for DMARC implementations with
	SPF policy plus DKIM Milter.  PREPENDed headers are now
	added BELOW Postfix's own Received: header and remain visible
	to Milters. File: smtpd/smtpd.c.

20141013

	Cleanup: configuration file line numbers in error/warning
	messages could point to comment lines before or after the
	problem. Files: util/readlline.[hc], master/master_ent.c,
	postalias/postalias.c, postmap/postmap.c, util/dict.c,
	util/dict_cidr.c, util/dict_pcre.e, util/dict_regexp.c,
	util/dict_thash.c, postconf/postconf_master.c.

20141014

	Portability: Darwin 11.x needs to link with -lresolv. Viktor
	Dukhovni. File: makedefs.

	Documentation: ICU (unicode) library package names. File:
	proto/SMTPUTF*_README.html.

20141015

	Cleanup: master.cf line number reporting made more consistent
	with similar code elsewhere. File: master/master_ent.c.

	Backed out SMTP client TLS fallback due to multiple problems.

20141018

	Bugfix (introduced: Postfix 2.3): when a Milter inserted a
	header ABOVE Postfix's own Received: header, Postfix would
	expose its own Received: header to Milters (violating
	protocol) and hide the Milter-inserted header from Milters
	(wtf).  Files: cleanup/cleanup.h, cleanup/cleanup_message.c,
	cleanup/cleanup_state.c, milter/milter.[hc], milter/milter8.c.

	Cleanup: revert the workaround that places headers inserted
	with PREPEND actions or policy requests BELOW Postfix's own
	Received: message header. File: smtpd/smtpd.c.

20141019

	Cleanup: replace dozens and dozens of ad-hoc string constants
	with CHARS_SPACE, CHARS_COMMA_SP, and CHARS_BRACE. Files:
	52, too many files to mention here.

	Bugfix: the recently-introduced randmap, pipemap, and
	unionmap did not check for all possible forms of "empty
	list". Files: util/dict_random.c, util/dict_pipe.c,
	util/dict_union.c.

	Documentation: word smithing. File: proto/master.

	Cleanup: the last remaining remnants of the withdrawn
	smtp_tls_fallback_level feature. Files: mantools/postlink,
	global/mail_params.h.

20141021

	Per IETF TLS WG consensus, the tls_session_ticket_cipher
	default setting was changed from aes-128-cbc to aes-256-cbc.
	Take that, you quantum computer attackers! Viktor Dukhovni.
	Files: proto/postconf.proto, global/mail_params.h.

20141024

	Cleanup: added $smtpd_mumble_restrictions to the proxy_read_maps
	default setting. File: global/mail_params.h.

	Documentation: different header/body checks for MX service
	and SMTP submissions. File: proto/BUILTIN_FILTER_README.html.

	Cleanup: don't send "bare" original recipient in SMTP DSN
	attributes. File: cleanup/cleanup_addr.c.

	Feature: smtp-sink -N option to suppress DSN announcement.
	File: smtpstone/smtp-sink.c.

20141025

	Bugfix (introduced: Postfix 2,11): core dump when
	smtp_policy_maps specifies an invalid TLS level. Viktor
	Dukhovni. File: smtp/smtp_tls_policy.c.

20141103

	Logging: when a connection is closed, log the request counts
	for unimplemented STARTTLS or AUTH commands separately,
	instead of logging such commands as "unknown". File:
	smtpd/smtpd.c.

20141106

	Cleanup: set errno to ETIMEDOUT after postscreen handshake
	timeout event, so that warnings report the correct error.
	File: tlsproxy/tlsproxy.c.

20141112

	Documentation: 24 identical typos. File: proto/postconf.proto.

	Workaround: support space after "MAIL FROM:" and "RCPT TO:"
	in smtpd_command_filter examples. Reportedly, cashedge.com's
	software (used by banks) needs this (source: Claus Assmann).
	File: proto/postconf.proto.

20141117

	Cleanup: use ~0U instead of (unsigned) -1.  Based on
	complaints from the BEAM static analyzer.  Files:
	global/mynetworks.c, postconf/postconf.c, util/cidr_match.c.

	Cleanup: forgot the "do" in "do { stuff } while (0)" macros.
	Luckily, this had caused no problem. Based on complaints
	from the BEAM static analyzer. Files: util/dict_cdb.c,
	util/dict_dbm.c, util/dict_lmdb.c, util/dict_pcre.c,
	util/dict_regexp.c, util/dict_sockmap.c, util/dict_thash.c.

	Bugfix (introduced: Postfix 2.9):  lockfile descriptor leak
	after error. Based on complaints from the BEAM static
	analyzer. File: util/dict_db.c.

	Bugfix (introduced: Postfix 1.1): don't "set" the null byte
	element in the base64 and base32 decoding maps. Based on
	complaints from the BEAM static analyzer. Files: util/base64_code,
	util/base32_code.c.

	Cleanup: don't exit(0) after failing to run showq(8). Based
	on complaints from the BEAM static analyzer.  File:
	postqueue/postqueue.c.

	Bugfix: memory leak when getaddrinfo() returns a result
	that is neither IPv4 nor IPv6.  Based on complaints from
	the BEAM static analyzer.  File: smtp/smtp_addr.c.

	Cleanup: use more meaningful name for global variable so
	that it isn't shadowed by a local variable. Based on
	complaints from the BEAM static analyzer. smtpstone/smtp-sink.c.

20141119

	Cleanup: base64 test driver. File: base64_code.c.

	Cleanup: make the CONST_CHAR_STAR typedef project-wide.
	Files: global/attr_override.h, util/sys_defs.h.

	Feature: BCC action in header/body_checks and milter_header_checks.
	Files: proto/header_checks, cleanup/cleanup.h,
	cleanup/cleanup_extracted.c, cleanup/cleanup_message.c,
	cleanup/cleanup_milter.c, cleanup/cleanup_milter.in16a,
	cleanup/cleanup_milter.ref16a1, cleanup/cleanup_milter.ref16a2,
	cleanup/cleanup_milter.reg16a, cleanup/cleanup_state.c,
	cleanup/test-queue-file16, global/attr_override.h,
	global/cleanup_strflags.c, global/cleanup_user.h,
	util/sys_defs.h.

	Cleanup: don't write back-to-back queue file pointer records
	when the "add recipient" action was a NOOP (e.g., because
	the recipient was a duplicate). File: cleanup/cleanup_milter.c.

20141120

	Documentation: COMPATIBILITY_README now has "purpose of
	this document" section, plus a separate section for turning
	off the safety net. File: proto/COMPATIBILITY_README.html

20131121

	Cleanup: replace mua_mumble with msa_mumble in master.cf
	submission and smtps service parameter overrides. File:
	proto/BUILTIN_FILTER_README.html.

	Feature: "static:{ text with whitespace }".  This could be
	used as check_mumble_access static:{reject text...} at the
	end of smtpd_mumble_restrictions. Files: util/dict_static.c,
	util/Makefile.in, util/dict_static_test.ref,
	proto/DATABASE_README.html.  postconf/postconf.c (manpage).

20141126

	Feature: "inline:{key=value, { key = text with comma/space}}"
	avoids the need to create a database for just a few entries.
	Files: util/dict_inline.[hc], mantools/postlink,
	proto/DATABASE_README.html. postconf/postconf.c (manpage),
	util/dict_inline.[hc], util/dict_open.c, util/Makefile.in,
	util/dict_inline_test.ref.

	Cleanup: report nullmx DNS records as "domain does not
	accept mail", instead of "invalid DNS response".  The Postfix
	SMTP client already bounced mail for such domains, and the
	Postfix SMTP server already rejected such domains with
	reject_unknown_sender/recipient_domain. This introduces a
	new SMTP server configuration parameter nullmx_reject_code
	(default: 556).  Files: src/dns/dns_lookup.[hc], dns/Makefile,in,
	dns/nullmx_test.ref, src/smtp/smtp_addr.c, smtpd/smtpd_check.c,
	smtpd/smtpd_check_nullmx.in, smtpd/smtpd_check_nullmx.ref,
	mantools/postlink, proto/postconf.proto, smtpd/smtpd.c.

	Cleanup: added some missing libdns tests: dns/Makefile,in,
	dns/mxonly_test,ref, dns/nxdomain_test.ref

	Cleanup: libglobal "make test" had suffered from bitrot.
	Files: global/mime_state.c, global/header_body_checks.c.

20141127

	Feature: DNS reply filter, configured with smtp_dns_reply_filter,
	smtpd_dns_reply_filter, and lmtp_dns_reply_filter. Files:
	mantools/postlink, proto/postconf.proto, dns/dns.h,
	dns/dns_lookup.c, dns/dns_rr_filter.c, dns/dns_strrecord.c,
	dns/error.ref, dns/error.reg, dns/mxonly_test.ref, dns/no-a.ref,
	dns/no-a.reg, dns/no-aaaa.ref, dns/no-aaaa.reg, dns/no-mx.ref,
	dns/no-mx.reg, dns/nullmx_test.ref, dns/test_dns_lookup.c,
	global/mail_params.h, smtp/lmtp_params.c, smtp/smtp.c,
	smtp/smtp_addr.c, smtp/smtp_params.c, smtpd/smtpd.c,
	smtpd/smtpd_check.c, smtpd/smtpd_dns_filter.{in,ref}.

20141130

	Cleanup: when searching multiple DNS record types for a
	specific name, and not all queries return the same result
	status, do not blindly return the last query's rcode and
	diagnostic text.  Instead, return rcode and text that is
	consistent with the aggregate result status.

	Cleanup: un-broke several smtpd regression tests (work in
	progress, with three more to go).  Files: smtpd/smtpd_check.c,
	smtpd/smtpd_server.{in,ref}, smtpd/smtpd_exp.{in,ref}.
	smtpd/smtpd_dnswl.{in,ref}.

	Documentation: added note on Milter-signing bounces.

20141201

	Bugfix (introduced: 20141130): memory leak. File: dns_lookup.c.

	Cleanup: un-broke several dns regression tests by sorting
	getaddrinfo() results by address family. Files: dns/dns_rr_eq_sa.c,
	dns/dns_rr_eq_sa.ref, dns/dns_sa_to_rr.c, dns/dns_sa_to_rr.ref.

	Cleanup: missing #ifdef in smtpd_check test driver. File:
	smtpd/smtpd_check.c.

	Cleanup: fix google.com regexp in smtp_dns_reply_filter
	example. Viktor Dukhovni. File: proto/postconf.proto.

	Cleanup: in the ASCII form of DNS resource records, add
	space after the TLSA match-type field. Viktor Dukhovni.
	File: dns/dns_strrecord.c.

20141202

	Cleanup: to increase clarity. rename DNS result status from
	DNS_UNAVAIL to DNS_NULLMX. If someone uses the same zero-length
	name trick with some other resource type, then we will worry
	about that later.  Files: smtpd/smtpd_check.c, smtp/smtp_addr.c,
	dns/dns.h, dns/dns_lookup.c.

	Cleanup: eliminate TLS state duplication from state->tls
	to session->tls. Viktor Dukhovni. Files: src/smtp/smtp.h,
	src/smtp/smtp_connect.c, src/smtp/smtp_proto.c,
	src/smtp/smtp_reuse.c, src/smtp/smtp_session.c.

20141203

	Feature: support to match UTF8 domain names against ASCII
	names in TLS certificates. Viktor Dukhovni. Files:
	posttls-finger/posttls-finger.c, tls/tls_client.c.

20141206

	Cleanup: use (char *) only for strings, not for data.  The
	"void *" type was not fully portable during initial Postfix
	development, but we no longer have that problem. Also started
	the migration of data structure sizes/counters to ssize_t/size_t
	(the IBM Beam analyzer identified lots of unnecessary 64-bit
	to 32-bit conversions).  The transformation and verification
	were mostly mechanical with manual supervision.  Files:
	anvil/anvil.c, bounce/bounce.c, bounce/bounce_notify_util.c,
	bounce/bounce_template.c, bounce/bounce_templates.c,
	cleanup/cleanup_message.c, cleanup/cleanup_region.c,
	cleanup/cleanup_state.c, dns/dns_lookup.c, dns/dns_rr.c,
	dns/dns_rr_eq_sa.c, dns/dns_rr_to_sa.c, dns/test_dns_lookup.c,
	flush/flush.c, global/abounce.c, global/abounce.h,
	global/been_here.c, global/bounce_log.c, global/clnt_stream.c,
	global/db_common.c, global/deliver_request.c,
	global/delivered_hdr.c, global/dict_ldap.c, global/dict_mysql.c,
	global/dict_pgsql.c, global/dsn.c, global/dsn_buf.c,
	global/dsn_filter.c, global/dynamicmaps.c,
	global/header_body_checks.c, global/header_opts.c,
	global/mail_addr_crunch.c, global/mail_stream.c,
	global/mail_version.c, global/maps.c, global/mbox_open.c,
	global/mime_state.c, global/mkmap_open.c, global/msg_stats_scan.c,
	global/mypwd.c, global/post_mail.c, global/rcpt_buf.c,
	global/recipient_list.c, global/scache_clnt.c,
	global/scache_multi.c, global/scache_single.c,
	global/smtp_reply_footer.c, global/smtp_reply_footer.h,
	global/tok822_node.c, local/biff_notify.c, local/forward.c,
	local/local_expand.c, local/unknown.c, master/event_server.c,
	master/master.c, master/master_avail.c, master/master_ent.c,
	master/master_monitor.c, master/master_proto.c,
	master/master_sig.c, master/master_spawn.c, master/master_status.c,
	master/master_vars.c, master/master_wakeup.c,
	master/multi_server.c, master/single_server.c,
	master/trigger_server.c, milter/milter.c, milter/milter8.c,
	milter/milter_macros.c, oqmgr/qmgr.c, oqmgr/qmgr_active.c,
	oqmgr/qmgr_deliver.c, oqmgr/qmgr_entry.c, oqmgr/qmgr_message.c,
	oqmgr/qmgr_queue.c, oqmgr/qmgr_transport.c, pipe/pipe.c,
	postalias/postalias.c, postconf/postconf.h,
	postconf/postconf_builtin.c, postconf/postconf_edit.c,
	postconf/postconf_lookup.c, postconf/postconf_main.c,
	postconf/postconf_master.c, postconf/postconf_node.c,
	postconf/postconf_service.c, postconf/postconf_user.c,
	postmap/postmap.c, postmulti/postmulti.c, postscreen/postscreen.c,
	postscreen/postscreen.h, postscreen/postscreen_dnsbl.c,
	postscreen/postscreen_early.c, postscreen/postscreen_expand.c,
	postscreen/postscreen_haproxy.c, postscreen/postscreen_send.c,
	postscreen/postscreen_smtpd.c, postscreen/postscreen_starttls.c,
	postscreen/postscreen_state.c, posttls-finger/posttls-finger.c,
	posttls-finger/tlsmgrmem.c, proxymap/proxymap.c, qmgr/qmgr.c,
	qmgr/qmgr_active.c, qmgr/qmgr_deliver.c, qmgr/qmgr_entry.c,
	qmgr/qmgr_job.c, qmgr/qmgr_message.c, qmgr/qmgr_peer.c,
	qmgr/qmgr_queue.c, qmgr/qmgr_transport.c, qmqpd/qmqpd_peer.c,
	qmqpd/qmqpd_state.c, scache/scache.c, sendmail/sendmail.c,
	showq/showq.c, smtp/smtp_chat.c, smtp/smtp_connect.c,
	smtp/smtp_proto.c, smtp/smtp_reuse.c, smtp/smtp_session.c,
	smtp/smtp_state.c, smtp/smtp_tls_policy.c, smtpd/smtpd.c,
	smtpd/smtpd_chat.c, smtpd/smtpd_check.c, smtpd/smtpd_expand.c,
	smtpd/smtpd_expand.h, smtpd/smtpd_peer.c, smtpd/smtpd_proxy.c,
	smtpstone/qmqp-sink.c, smtpstone/qmqp-source.c,
	smtpstone/smtp-sink.c, smtpstone/smtp-source.c, tls/tls_dane.c,
	tls/tls_mgr.c, tls/tls_misc.c, tls/tls_prng_dev.c,
	tls/tls_prng_egd.c, tls/tls_prng_exch.c, tls/tls_prng_file.c,
	tls/tls_proxy_clnt.c, tls/tls_scache.c, tls/tls_server.c,
	tlsmgr/tlsmgr.c, tlsproxy/tlsproxy.c, tlsproxy/tlsproxy_state.c,
	trivial-rewrite/transport.c, trivial-rewrite/trivial-rewrite.c,
	util/argv.c, util/attr_clnt.c, util/attr_print0.c,
	util/attr_print64.c, util/attr_print_plain.c, util/attr_scan0.c,
	util/attr_scan64.c, util/attr_scan_plain.c, util/auto_clnt.c,
	util/binhash.c, util/binhash.h, util/ctable.c, util/ctable.h,
	util/dict.c, util/dict.h, util/dict_alloc.c, util/dict_cache.c,
	util/dict_cache.h, util/dict_cidr.c, util/dict_db.c,
	util/dict_ht.c, util/dict_open.c, util/dict_pcre.c,
	util/dict_regexp.c, util/dict_sockmap.c, util/dict_surrogate.c,
	util/dict_thash.c, util/edit_file.c, util/events.c,
	util/events.h, util/fifo_trigger.c, util/find_inet.c,
	util/htable.c, util/htable.h, util/inet_addr_host.c,
	util/inet_addr_list.c, util/inet_addr_local.c, util/inet_listen.c,
	util/inet_proto.c, util/inet_trigger.c, util/inet_windowsize.c,
	util/iostuff.h, util/line_wrap.c, util/line_wrap.h,
	util/mac_expand.c, util/mac_expand.h, util/mac_parse.c,
	util/mac_parse.h, util/match_list.c, util/msg_output.c,
	util/mvect.c, util/myaddrinfo.c, util/myflock.c, util/mymalloc.c,
	util/mymalloc.h, util/nbbio.c, util/nbbio.h, util/netstring.c,
	util/nvtable.c, util/nvtable.h, util/pass_trigger.c,
	util/sane_accept.c, util/sane_connect.c, util/scan_dir.c,
	util/sock_addr.c, util/stream_trigger.c, util/sys_compat.c,
	util/sys_defs.h, util/timecmp.c, util/timed_connect.c,
	util/timed_write.c, util/unix_connect.c, util/unix_listen.c,
	util/unix_recv_fd.c, util/unix_send_fd.c, util/unix_trigger.c,
	util/vbuf.c, util/vbuf.h, util/vstream.c, util/vstream_tweak.c,
	util/vstring.c, util/watchdog.c, verify/verify.c,
	xsasl/xsasl_cyrus_client.c, xsasl/xsasl_cyrus_server.c,
	xsasl/xsasl_dovecot_server.c.

	Cleanup: removed unnecessary casts. File: global/cfg_parser.c.

	Cleanup: dont cast away "const". File: global/dict_sqlite.c.

20141208

	Bugfix (introduced: 20141207): in new #ifdef, && should be
	||.  File: smtpd.c.

20141210

	Cleanup: the "inline" table now supports case-insensitive
	search, and an iterator. File: util/dict_inline.c.

	Cleanup: minuscule memory leaks in graceful degradation
	after lookup table open error.  Files: util/dict_inline.c,
	util/dict_static.c.

20141211

	Cleanup: memory leaks in unit-test driver programs (i.e.
	code used only during development). Files:
	cleanup/cleanup_milter.c, util/base64_code.c.

	Bugfix (introduced 20141001): mac_expand() error message
	with "??" due to dangling pointer. File: util/mac_expand.c.

	Portability: unit-test driver programs. Files: util/myaddrinfo.c,
	util/myaddrinfo.ref.

	Portability: Clang support. Files: makedefs, util/sys_defs.h.

	Portability: FreeBSD 10 support. Files: makedefs,
	util/sys_defs.h.

	Cleanup: in makedefs, the CC and WARN features are now
	independent. File: makedefs.

	Shut up some Clang format-string nags: util/events.c.

	Cleanup: eliminated unnecessary 64->32bit (and back)
	conversions on LP64 platforms.  Files: util/htable.c,
	util/binhash.c util/mvect.[hc], util/name_mask.c,
	util/sane_time.c, util/unix_listen.c, util/unix_connect.c,
	util/stringops.h, util/trimblanks.c, and dependent code in
	smtpd/smtpd_token.c.

	Cleanup: unused inet_proto_init() results. Files:
	global/mail_params.c, postconf/postconf_builtin.c,
	smtpstone/qmqp-sink.c, smtpstone/qmqp-source.c,
	smtpstone/smtp-source.c/

	Shut up some Clang nags about unused functions in network
	interface API selection.  File: util/inet_addr_local.c.

	Portability: a historical compiler lacks printf-like
	format-string checks for function pointers. Files: util/msg.h,
	bounce/bounce_template.h.

20141212

	Shut up some Clang format-string nags: util/line_number.c,
	sendmail/sendmail.c, smtpd/smtpd_proxy.c, smtp/smtp_sasl_proto.c.

	Cleanup: eliminated unnecessary 64->32bit (and back)
	conversions on LP64 platforms.  Files: dict_memcache.c,
	header_body_checks.[hc], log_adhoc.c, pipe_command.c,
	record.[hc], smtp_reply_footer.c, split_addr.c.
	cleanup/cleanup_milter.c, master/mail_server.h,
	src/master/trigger_server.c, oqmgr/qmgr.c, qmgr/qmgr.c,
	pickup/pickup.c.

	Cleanup: nullmx SMTP reply codes 550 and 556, and enhanced
	status codes X.1.10 and X.7.27. The nullmx SMTP reply codes
	are no longer configurable.  Files: global/mail_params.h,
	smtpd/smtpd.c, smtpd/smtpd_check.c.

	Portability: default table owner UID for testing.  Files:
	util/dict_alloc.c, util/dict_open.c.

	Shut up Clang unused assignment nag: global/mail_queue.h.
	sendmail/sendmail.c, smtpd/smtpd_proxy.c, smtp/smtp_sasl_proto.c.

20141214

	Bugfix (introduced: 20141212): typo in Clang function pointer
	format check, making it a noop. Viktor Dukhovni. File:
	util/sys_defs.h.

	Maintainability: compile-time argument typechecking for
	variadic attribute-value read/write functions. Files:
	anvil/anvil.c, bounce/bounce.c, cleanup/cleanup.c,
	dnsblog/dnsblog.c, flush/flush.c, global/abounce.c,
	global/anvil_clnt.c, global/bounce.c, global/defer.c,
	global/deliver_pass.c, global/deliver_request.c,
	global/dict_proxy.c, global/dsb_scan.c, global/dsn_print.c,
	global/flush_clnt.c, global/mail_command_client.c,
	global/mail_stream.c, global/msg_stats_print.c,
	global/msg_stats_scan.c, global/post_mail.c, global/rcpt_buf.c,
	global/rcpt_print.c, global/resolve_clnt.c, global/rewrite_clnt.c,
	global/scache_clnt.c, global/trace.c, global/verify_clnt.c,
	local/forward.c, milter/milter.c, milter/milter8.c,
	milter/milter_macros.c, oqmgr/qmgr_deliver.c, pickup/pickup.c,
	postdrop/postdrop.c, postscreen/postscreen_dnsbl.c,
	postscreen/postscreen_send.c, postscreen/postscreen_starttls.c,
	proxymap/proxymap.c, qmgr/qmgr_deliver.c, qmqpd/qmqpd.c,
	scache/scache.c, smtpd/smtpd.c, smtpd/smtpd_check.c,
	tls/tls_mgr.c, tls/tls_proxy_clnt.c, tls/tls_proxy_print.c,
	tls/tls_proxy_scan.c, tlsmgr/tlsmgr.c, tlsproxy/tlsproxy.c,
	trivial-rewrite/resolve.c, trivial-rewrite/rewrite.c,
	trivial-rewrite/trivial-rewrite.c, util/attr.h.

20141217

	Replaced compile-time argument typechecking based on inline
	functions with an implementation based on ternary expressions
	with unreachable assignments to dummy variables.   This
	should produce the exact same result as the approach based
	on inline functions (which were standardized with C99).
	Files: util/check_arg.h, util/attr.h, util/attr.c.

20141221

	Portability: proof-of-concept template for OpenBSD build
	with shared libpostfix etc. libraries. File: makedefs.

20141223

	Cleanup: compile-time variadic argument type checking for
	attribute-value APIs of vstream, vstream_popen, vstring,
	pipe_command, spawn_command, attr_override, and mail_server
	skeletons.  Based on mostly automatic conversion and checking,
	with a manual inspection of the remainder.  Files:
	anvil/anvil.c, bounce/bounce.c, cleanup/cleanup.c,
	cleanup/cleanup_api.c, discard/discard.c, dnsblog/dnsblog.c,
	error/error.c, flush/flush.c, global/attr_override.c,
	global/attr_override.h, global/mail_connect.c, global/mail_queue.c,
	global/mail_stream.c, global/mail_stream.h, global/pipe_command.c,
	global/pipe_command.h, global/smtp_stream.c, global/timed_ipc.c,
	local/command.c, local/local.c, master/event_server.c,
	master/mail_server.h, master/multi_server.c,
	master/single_server.c, milter/milter.c, milter/milter8.c,
	oqmgr/qmgr.c, oqmgr/qmgr_transport.c, pickup/pickup.c,
	pipe/pipe.c, postalias/postalias.c, postcat/postcat.c,
	postdrop/postdrop.c, postmap/postmap.c, postscreen/postscreen.c,
	postscreen/postscreen_dnsbl.c, postscreen/postscreen_haproxy.c,
	postscreen/postscreen_starttls.c, posttls-finger/posttls-finger.c,
	proxymap/proxymap.c, qmgr/qmgr.c, qmgr/qmgr_transport.c,
	qmqpd/qmqpd.c, scache/scache.c, showq/showq.c, smtp/smtp.c,
	smtpd/smtpd.c, smtpd/smtpd_check.c, smtpd/smtpd_proxy.c,
	smtpstone/smtp-source.c, spawn/spawn.c, tls/tls_proxy_clnt.c,
	tls/tls_stream.c, tlsmgr/tlsmgr.c, tlsproxy/tlsproxy.c,
	trivial-rewrite/trivial-rewrite.c, util/auto_clnt.c,
	util/ctable.c, util/dict_cache.c, util/dict_cache.h,
	util/dict_lmdb.c, util/dict_tcp.c, util/netstring.c,
	util/recv_pass_attr.c, util/slmdb.c, util/slmdb.h,
	util/spawn_command.c, util/spawn_command.h, util/vstream.c,
	util/vstream.h, util/vstream_popen.c, util/vstream_tweak.c,
	util/vstring.c, util/vstring.h, verify/verify.c,
	virtual/virtual.c, xsasl/xsasl_dovecot_server.c.

20141224

	Cleanup: the compile-time argument typechecks for attribute-value
	APIs are now by default implemented with inline functions.
	Compile with -DNO_INLINE to implement the argument typechecks
	with ternary operators and unreachable assignments.  Files:
	util/check_arg.h and its consumers.

20141226

	NetBSD6/7 dynamic linking support. Viktor Dukhovni.

	Cleanup: instead of making up new names, use a consistent
	CA_ prefix for macros that implement compile-time argument
	typechecks for non-protocol attribute-value APIs. This
	transformation and its verification are mechanical.

	Bugfix (introduced: Postfix 1.1, but latent before 3.0):
	"postfix-install: daemon_directory: not found" error with
	an ancient Solaris shell.  Fixed by ALSO resetting IFS after
	the end of a ``while IFS=foo command'' loop; counter to
	expectation, the IFS reset in the loop body executed in a
	child process.  Background: some shells implement "IFS=foo
	command" as a permanent IFS change; this was allowed by
	standards at some point in time.  File: postfix-install.

20141227

	Feature: smtp_address_verify_target (default: rcpt) that
	determines what protocol stage decides if a recipient is
	valid. Specify "data" for servers that reject recipients
	after the DATA command. Files: mantools/postlink,
	proto/postconf.proto, proto/ADDRESS_VERIFICATION_README.html,
	global/mail_params.h, smtp/lmtp_params.c, smtp/smtp.c,
	smtp/smtp.h, smtp/smtp_params.c, smtp/smtp_proto.c.

20141228

	Cleanup: the IDNA conversion routines now accept both ASCII
	and UTF8 inputs. The functions als verify that either their
	result is a valid ASCII domain name or that it converts
	into a valid ASCII domain name. Files: util/midna.c,
	util/midna_test.in, util/midna_test.ref.

20141230

	Cleanup: s/midna/midna_domain/ for better specificity,
	because we also need functions that act only on the domain
	portion of an email address. Files: bounce/bounce_template.c,
	global/midna_adomain.c, posttls-finger/posttls-finger.c,
	smtp/smtp_addr.c, smtpd/smtpd_check.c, tls/tls_client.c,
	util/midna_domain.[hc], util/valid_utf8_hostname.c.

	Infrastructure: function midna_adomain_to_utf8() (and
	midna_adomain_to_ascii) to convert the domain portion of
	an email address before table lookup. Files:
	global/midna_adomain.[hc].

20141230-20140109

	What is described here is the result of four iterations to
	deal with malformed UTF-8 without massively contaminating
	every Postfix program with new error-handling code paths,
	in particular without triggering fatal errors that didn't
	happen before.

	Infrastructure: function casefold() to support caseless
	string comparison, primarily for table lookups. This function
	supports two modes: case folding a la lowercase() for ASCII
	byte values, and UTF-8 case folding. As recommended at
	http://www.w3.org/International/wiki/Case_folding for
	caseless string comparison, this uses the en_US locale to
	avoid surprises. The implementatin handles the entire RFC
	3629 Unicode range (code points U+0000..U+10FFFF including
	surrogates) and is chroot(2) safe. Files: casefold.c,
	stringops.h.

	Infrastructure: revised the midna_domain_to_ascii and
	midna_domain_to_utf8 domain name conversion functions after
	careful reading of the UTS #46 specification, and after
	observing that ICU 4.8 library functions indeed implement
	this spec, at least with default options. In particular,
	midna_domain_to_utf8 takes an UTF-8 domain name and verifies
	that its A-label form will pass the valid_hostname() test.
	File: util/midna_domain.c.

	Infrastructure: handle UTF-8 errors in lookup table keys
	or values without massively contaminating every Postfix
	program with new error-handling code paths, in particular
	without triggering fatal errors that didn't happen before.
	The lookup/update/delete functions log a warning and ignore
	a request with a bad key (it cannot exist); the update
	functions ignore a request to store a bad value (it cannot
	exist); and the lookup function reports a bad value as a
	configuration error (it should not exist, but there it is).
	Table iterators still report all (key, value) pairs in a
	table. Files: util/dict.h, util/dict_open.c, util/dict_utf8.c,
	global/mkmap_open.c.

	Note that with SMTPUTF8 turned on, each table-driven mechanism
	(access, aliases, etc.) needs to make its own decision
	whether UTF-8 syntax is required. We cannot blindly require
	that everything has valid UTF-8 syntax. That would make
	header/body_checks useless for content inspection, because
	headers may be malformed and bodies may contain legitimate
	binary content that isn't UTF-8.

	Note that with SMTPUTF8 turned off, Postfix must remain
	8-bit clean as it always has been. Table operations must
	not complain that something violates UTF-8 syntax rules.

	UTF-8 sanitization in the Postfix SMTP server.  With
	smtputf8_enable=yes, SMTP commands with UTF-8 syntax errors
	are rejected, table lookup results with invalid UTF-8 syntax
	are handled as configuration errors, and UTF-8 syntax errors
	in policy server replies result in execution of the policy
	server's default action.

20150102

	Cleanup: propagate DICT_ERR_CONFIG through the proxymap
	protocol. Files: global/dict_proxy.[hc], proxymap/proxymap.c.

20150106

	Robustness: don't segfault due to excessive recursion in
	tok822_free_tree() after a faulty configuration runs into
	the virtual_alias_recursion_limit.  File: global/tok822_tree.c.

20150109

	Cleanup: the dict debug module now proxies dict flags.
	File: util/dict_debug.c.

	With "smtputf8_enable = yes", the postmap and postalias
	commands now enable UTF-8 by default (use "-u" to disable)
	with one exception: UTF-8 remains disabled for header/body_checks
	emulation (use "-U" to enable).  Files: postmap/postmap.c,
	postalias/postalias.c.

20150110

	Cleanup: the "inline" and "texthash" implementations now
	reuse the "internal" database instead of reinventing the
	wheel.  Files: util/dict_inline.c, util/dict_thash.c.

	As a first step, with "smtputf8_enable = yes" all features
	based on Postfix matchlists enable UTF-8 syntax checks and
	UTF-8 casefolding for table patterns, but NOT YET for string
	patterns. The list of features includes authorized_flush_users,
	authorized_mailq_users, authorized_submit_users, debug_peer_list,
	fast_flush_domains, mydestination, permit_mx_backup_networks,
	qmqpd_authorized_clients, smtp_connection_cache_destinations,
	smtpd_authorized_verp_clients, smtpd_authorized_xclient_hosts,
	smtpd_authorized_xforward_hosts,
	smtpd_client_event_limit_exceptions,
	smtpd_log_access_permit_actions, smtpd_sasl_exceptions_networks,
	the "domains" feature in ldap_table(5), memcache_table(5)
	mysql_table(5), pgsql_table(5) and sqlite_table(5),
	virtual_alias_domains, virtual_mailbox_domains.

20150111

	Cleanup: simplified the interposition layer that adds UTF-8
	support to Postfix lookup tables. Files: util/dict_utf8.c.

	With "smtputf8_enable = yes", Enable UTF-8 syntax checks
	and UTF-8 casefolding for SMTP server access maps, alias_maps,
	canonical_maps, fallback_transport_maps,
	lmtp_tls_session_cache_database, local_recipient_maps,
	mailbox_command_maps, mailbox_transport_maps, rbl_reply_maps,
	recipient_bcc_maps, recipient_canonical_maps, relay_recipient_maps,
	relocated_maps, sender_bcc_maps, sender_canonical_maps,
	sender_dependent_relayhost_maps, sender_dependent_transport_maps,
	smtp_generic_maps, smtp_sasl_auth_cache_name,
	smtp_sasl_password_maps, smtp_tls_per_site, smtp_tls_policy_maps,
	smtp_tls_session_cache_database, smtpd_sender_login_maps,
	smtpd_tls_session_cache_database, transport_maps,
	virtual_alias_maps, virtual_gid_maps, virtual_mailbox_maps,
	virtual_uid_maps.

20150112

	Infrastructure: support for UTF-8 casefolding in match_lists.
	Instead of using strcasecmp(), casefold all fixed-string
	patterns during initialization, casefold a search string
	at the beginning of the search, and use strcmp() for
	comparison.  Files: util/casefold.c util/dict.h, util/dict_utf8.c,
	util/match_list.c, util/match_list.h, util/match_ops.c,
	util/stringops.h, global/addr_match_list.c, global/domain_list.c,
	global/namadr_list.c, global/string_list.c.

20150113

	Cleanup: show the configuration parameter name in error
	messages while parsing or searching match_list-based features
	such as mydestination, relay_domains and a few dozen more.
	Files: cleanup/cleanup_init.c, flush/flush.c,
	global/addr_match_list.c, global/debug_peer.c,
	global/domain_list.c, global/flush_clnt.c,
	global/match_parent_style.c, global/namadr_list.c,
	global/resolve_local.c, global/string_list.c, global/user_acl.[hc],
	postdrop/postdrop.c, postqueue/postqueue.c,
	postscreen/postscreen.c, qmqpd/qmqpd.c, sendmail/sendmail.c.,
	smtp/smtp.c, smtp/smtp_sasl_glue.c, smtpd/smtpd.c,
	smtpd/smtpd_check.c, trivial-rewrite/resolve.c,
	util/match_list.[hc], util/match_ops.c.

	Cleanup: apply printable() to all bounce(8) service
	string-valued protocol fields. File: bounce/bounce.c.

	Apparently the UCI 4.8 ucasemap_utf8FoldCase() function does
	not complain about UTF-8 syntax errors, so we add our own
	redundant check. File: util/casefold.c.

20150115

	Bitrot: prepare for future changes in OpenSSL. Viktor
	Dukhovni. Files: tls/tls.h, tls/tls_dh.c, tls/tls_misc.c,
	tls/tls_rsa.c, tls/tls_server.c.

	Documentation: "avoid hash files here, use btree or lmdb
	instead".  File: proto/ADDRESS_VERIFICATION_README.html.

	Safety: virtual_alias_address_length_limit (default: 1000)
	to stop aliasing loops that exponentially increase the
	address length with each iteration. Files: global/mail_params.h,
	mantools/postlink, proto/postconf.proto, cleanup/cleanup.c,
	cleanup/cleanup_init.c, cleanup/cleanup_map1n.c.

20150116

	TLS wrappermode in the Postfix smtp(8) client. This introduces
	a new parameter "smtp_tls_wrappermode" (default: no). Files:
	global/mail_params.h, mantools/postlink, proto/postconf.proto,
	smtp/lmtp_params.c, smtp/smtp.[hc], smtp/smtp_connect.c,
	smtp/smtp_params.c, smtp/smtp_proto.c.

	TLS wrappermode in posttls-finger(1), and some DANE-related
	cleanups. This introduces a new option "-w". Viktor Dukhovni.
	Files: posttls-finger/posttls-finger.c, smtp/smtp_tls_policy.c,
	tls/tls.h, tls/tls_client.c, tls/tls_fprint.c.

20150117

	Cleanup: missing " in \%s\" in postscreen(8) fatal error
	messages. Iain Hibbert. File: postconf/postconf_master.c.

20150118

	Bugfix (introduced: 20140731): when a connection timed out
	before any command was received, the Postfix SMTP server
	"disconnect from" logging would show the content of the
	last SMTP server response (421 4.4.2 $myhostname error:
	timeout exceeded) instead of per-command statistics, because
	there were no statistics to report.  The Postfix SMTP server
	now always logs the total number of commands (commands=x/y)
	even when the client did not send any. This helps logfile
	analyzers to recognize sessions without commands.  File:
	smtpd/smtpd.c.

20150120

	Bugfix (introduced: 20141230-20140109): do not reallocate
	a dictionary handle after it is initialized. This breaks
	CDB. Problem reported by Andreas Schulze. Files: util/dict.h,
	util/dict_alloc.c, util/dict_utf8.c.

	Cleanup: simplified the dict_utf8 wrapper implementation.
	Files: util/dict.h, util/dict_alloc.c, util/dict_utf8.c.

20150121

	Cleanup: undo changes in check_mumble_access() that replaced
	error handling with longjmp() calls. This could introduce
	memory leaks in check_mumble_access() callers. Files:
	smtpd/smtpd_check.c, smtpd/smtpd_error.ref.

20150122

	Cleanup: miscellaneous cruft, typos, comments, error messages.
	proto/COMPATIBILITY_README.html, global/addr_match_list.c,
	global/domain_list.c, global/namadr_list.c, global/string_list.c,
	global/user_acl.c, postalias/postalias.c, postmap/postmap.c,
	tls/tls_client.c, util/dict_alloc.c, util/dict_open.c,
	util/match_list.c.

20150124

	Workaround: nroff has been improved so that "-" comes out as
	some non-ASCII character, unlike HTML where it comes out
	as itself.  Andreas Schulze. This requires jumping a few
	hops to generate HTML and nroff input from the same source
	text.  Files; mantools/srctoman, mantools/postconf2man.

	Cleanup: UTF-8 support in masquerade_domains.  File:
	cleanup/cleanup_masquerade.c.

20150125

	Cleanup: simplified the casefold() API: no input-dependent
	failure modes. Files: cleanup/cleanup_masquerade.c,
	util/casefold.c, util/dict_utf8.c, util/match_list.c,
	util/strcasecmp_utf8.c, util/stringops.h.

	Cleanup: replaced str*casecmp() calls with UTF8-enabled
	versions. Files: bounce/bounce.c, bounce/bounce_append_service.c,
	bounce/bounce_notify_service.c, bounce/bounce_notify_verp.c,
	bounce/bounce_one_service.c, bounce/bounce_trace_service.c,
	bounce/bounce_warn_service.c, cleanup/cleanup_addr.c,
	cleanup/cleanup_map11.c, cleanup/cleanup_map1n.c,
	global/log_adhoc.c, global/mail_addr_find.c, global/mail_params.c,
	global/split_addr.c, global/verify.c, global/verify_sender_addr.c,
	local/alias.c, local/recipient.c, oqmgr/qmgr_message.c,
	qmgr/qmgr_message.c, smtp/smtp_tls_policy.c, smtpd/smtpd_check.c,
	smtpd/smtpd_milter.c, trivial-rewrite/resolve.c,
	util/strcasecmp_utf8.c, util/stringops.h.

20150126

	Portability: added missing #ifdef STRCASECMP_IN_STRINGS_H
	for platforms that require it. Files: dns/dns_rr_filter.c,
	milter/milter8.c, posttls-finger/posttls-finger.c,
	tls/tls_dane.c, tlsproxy/tlsproxy.c, util/dict_test.c.

	Cleanup: replaced lowercase() calls with UTF-8-enabled
	versions. Files: flush/flush.c, global/been_here.c,
	global/delivered_hdr.c, global/fold_addr.c, global/fold_addr.h,
	local/forward.c, local/recipient.c, pipe/pipe.c,
	smtpd/smtpd_resolve.c, util/casefold.c, util/stringops.h,
	virtual/recipient.c.

20150127

	Cleanup: simplified the 20150125 and 20150126 APIs, replacing
	the most-common use cases with convenience macros that have
	fewer arguments. Files: anything that implements or invokes
	casefold*() or str*casecmp().

	Documentation: missing words and typos. Matthew Selsky. Files:
	proto/SMTPUTF8_README.html, util/dict_open.c, util/vstream.c.

20150128

	Bugfix: the ICU casemapping API can report success, while
	producing output that is not null-terminated. But we can
	deal with that. File: util/casefold.c.

	Cleanup: unnecessary buffers. File: util/strcasecmp_utf8.c.

	Cleanup: whitespace in source-code documentation has gotten
	damaged through the years. Files: util/iostuff.h,
	util/msg_vstream.h, util/msg_syslog.h, util/msg_output.h,
	util/msg.h, util/inet_proto.c, trivial-rewrite/trivial-rewrite.c,
	tls/tls.h, postconf/postconf.c, master/multi_server.c,
	master/event_server.c, global/memcache_proto.h,
	global/dict_mysql.c, global/dict_ldap.c, discard/discard.c,
	error/error.c, global/dict_proxy.c, global/mail_conf_int.c,
	global/match_parent_style.c, global/scache.c, global/scache.h,
	qmgr/qmgr_entry.c, qmgr/qmgr_peer.c, smtp/smtp_rcpt.c,
	smtpd/smtpd_peer.c, tls/tls_mgr.c, util/attr_scan0.c,
	util/dict_tcp.c, util/hex_code.c, util/valid_hostname.c.

	Cleanup: typos. Files: proto/socketmap_table, proto/mysql_table,
	global/dict_mysql.c, proto/lmdb_table, smtpstone/smtp-sink.c,
	posttls-finger/posttls-finger.c.

	Bugfix: restart the Postfix SMTP server SASL client after
	XCLIENT may have changed the client IP address. Matthew
	Via. File: smtpd/smtpd.c.

20150129

	More whitespace in source-code comment regressions. Viktor
	(mostly) and Wietse.  smtpd/smtpd_proxy.c, util/format_tv.c,
	util/line_wrap.c, util/slmdb.c, qmgr/qmgr_peer.c,
	smtp/smtp_rcpt.c, smtpd/smtpd_peer.c, tls/tls_mgr.c,
	trivial-rewrite/trivial-rewrite.c, util/attr_scan0.c,
	util/dict_tcp.c, util/hex_code.c, util/valid_hostname.c,
	discard/discard.c, error/error.c, global/dict_proxy.c,
	global/mail_conf_int.c, global/match_parent_style.c,
	global/scache.c, qmgr/qmgr_entry.c, global/dict_ldap.c,
	global/dict_mysql.c, posttls-finger/posttls-finger.c,
	smtp/smtp.c, tls/tls_certkey.c.

	Cleanup: avoid hidden buffer allocation in casefold().
	Files: local/forward.c, local/recipient.c, virtual/recipient.c.

	Cleanup: HTML validator errors. Files: proto/postconf.proto,
	proto/TLS_README.html, proto/MILTER_README.html.

	Great rename from 2.12 to 3.0. Lots of files, 99% mechanical.

	Cleanup: HTML entities in *roff manpage source. File:
	mantools/fixman, proto/postconf.proto, smtpd/smtpd.c,
	trivial-rewrite/trivial-rewrite.c.

20150201

	Usability: in error messages, print the CAfile and CApath
	value in double quotes, to clue in people who specify quoted
	pathnames in main.cf. Viktor Dukhovni. Files: tls/tls_certkey.c
	and testing code in posttls-finger/posttls-finger.c.

20150202

	Cleanup: make posttls-finger -k/-K documentation consistent
	with behavior. File: posttls-finger/posttls-finger.c.

20150203

	Cleanup: API minimization, by making some functions static.
	Files: util/dict.h, util/dict_utf8.c.

20150205

	Preliminary feature: support for building position-independent
	executables (PIE), tested on Fedora Core 20, Ubuntu 14.04,
	FreeBSD 9 and 10, and NetBSD 6. See INSTALL section 4.3 for
	details and limitations. Files: makedefs, proto/INSTALL.html,
	RELEASE_NOTES-3.0.

20150208

	Cleanup: after many years, the access(5) map BCC action is
	part of the stable release. Files: smtpd/smtpd_check.c,
	proto/acces.

20150210

	Cleanup: socketmap documentation. File: proto/socketmap_table.

20150211

	Cleanup: strncasecmp_utf8() streamlining. Files: util/stringops.h,
	util/allascii.c, util/strcasecmp_utf8.c.

20150212

	Cleanup: in code after reading main.cf, removed bogus guard
	before re-evaluating the mail_task() syslog prefix.  File:
	postlog/postlog.c.

20150214

	Bugfix (introduced: Postfix 3.0): missing #ifdef USE_TLS
	inside #ifdef USE_SASL_AUTH broke the build. Viktor Dukhovni.
	File: smtpd/smtpd.c.

	Cleanup: missing errno logging in bounce daemon clients.
	This made troubleshooting significantly more difficult.
	File: global/mail_command_client.c.

20150216

	Cleanup: documented that mail_connect() produces no errno
	logging.  The functions that call it should log the error
	(and the majority does). File: global/mail_connect.c.

	Cleanup: added errno logging after mail_connect() failure.
	Files: global/post_mail.c, local/forward.c.

	Cleanup: in code after reading main.cf, removed bogus guard
	before re-evaluating the mail_task() syslog prefix. Files:
	postalias/postalias.c, postdrop/postdrop.c, postmap/postmap.c,
	postqueue/postqueue.c, postsuper/postsuper.c, sendmail/sendmail.c.

20150218

	Documentation: header/body_checks additional text about whether
	an action stops further inspection of the input stream.  File:
	proto/header_checks.

	Robustness: reject installation pathnames with whitespace.
	File: postfix-install.

20150217

	Cleanup: missing <string.h> include. File: util/allascii.c.

20150221

	Bugfix (introduced: Postfix 3.0): don't append '.' to the
	DNS resource record value, when converting TXT records to
	the string form that is used used by xxx_dns_reply_filter.
	File: dns/dns_strrecord.c.

20150313

	Documentation: incorrect Postfix version number for
	postscreen_dnsbl_timeout. Quanah Gibson-Mount. File:
	postscreen/postscreen.c.

20150320

	Cleanup: better sorting order for the default tls_*_cipherlist
	settings. OpenSSL does not order "ALL" quite right: some
	MEDIUM ciphers (SEED and IDEA) sneak up above some 128-bit
	HIGH ciphers.  Also previously, when we prefer "aNULL" we
	moved MEDIUM with aNULL above same bit-length HIGH but not
	aNULL.  Viktor Dukhovni.  File: global/mail_params.h.

20150324

	Bugfix (introduced: Postfix 2.6): sender_dependent_relayhost_maps
	ignored the relayhost setting in the case of a DUNNO lookup
	result.  It would use the recipient domain instead.  Viktor
	Dukhovni. Wietse took the pieces of code that enforce the
	precedence of a sender-dependent relayhost, the global
	relayhost, and the recipient domain, and put that code
	together in once place so that it is easier to maintain.
	File: trivial-rewrite/resolve.c.

20150326

	Feature: lmtp_fallback_relay, limited to TCP destinations
	only.  Viktor Dukhovni. Wietse updated the postlink, smtp.c,
	and smtp-only files, and added a warning when lmtp_fallback_relay
	is specified for a non-TCP destination. Files: mantools/postlink,
	smtp/smtp.c, smtp/smtp-only, smtp/smtp_connect.c,
	smtp/smtp_params.c, global/mail_params.h, proto/postconf.proto.

20150328

	Bugfix (introduced: Postfix 1.1.0): post-install expanded
	macros in parameter values when trying to detect parameter
	overrides, causing unnecessary main.cf updates during Postfix
	start-up. Julian Reich, Viktor Dukhovni, and Wietse.  File:
	conf/post-install.

20150330

	Bitrot: prepare for future changes in OpenSSL API. Viktor
	Dukhovni. File: tls_dane.c.

	Safety: instead of bouncing mail, report a soft error when
	SASL infrastucture breaks.  Viktor Dukhovni, Emmanuel Fuste.
	Files: smtpd/smtpd_sasl_glue.c, xsasl/xsasl.h,
	xsasl/xsasl_cyrus_server.c, xsasl/xsasl_dovecot_server.c.

20150401

	Documentation: update the mydestination default value in
	the stock main.cf file.  File: conf/main.cf.

20150404

	Documentation: add "postconf -m" output to problem reports. File:
	proto/DEBUG_README.html.

20150418

	Portability: use the icu-config utility to locate the ICU
	include and library files. With this, Postfix builds out
	of the box on MacOS X. File: makedefs.

20150421

	Bugfix (introduced: 19970309): reset errno before calling
	readdir(), in order to distinguish between end-of-directory and
	an error condition. File: scandir.c.

20150426

	Cleanup: when transmitting an attribute-value sequence
	between Postfix processes, a hash table may now appear at
	any position instead of only at the end.  Files:
	util/attr_scan{0,64,plain}.c, util/attr_print{0,64,plain}.c,
	util/attr_scan{0,64,plain}.ref.

	Feature: milter_macro_defaults, an optional list of macro
	name=value pairs that specify default values for Milter
	macros.  When a macro is to be sent to a Milter application,
	Postfix will send its default value when no value is available
	from the mail delivery context. For example, with
	"milter_macro_defaults = auth_type=TLS", Postfix will send
	an auth_type of "TLS" unless a remote client authenticates
	with SASL. Files: mantools/postlink, proto/MILTER_README.html,
	proto/postconf.proto, cleanup/cleanup.c, cleanup/cleanup_init.c,
	cleanup/cleanup_milter.c, global/mail_params.h, milter/milter.c,
	milter/milter.h, smtpd/smtpd.c, smtpd/smtpd_milter.c.

20150501

	Support for Linux 4.*, and some simplification for future
	makedefs files. Files: makedefs, util/sys_defs.h.

20150502

	Cleanup: updated the examples in MILTER_README.  File:
	proto/MILTER_README.html

20150529

	Support for DNS reply TTL values in dnsblog and postscreen.
	Files: dnsblog/dnsblog.c, postscreen/postscreen_early.c,
	postscreen/postscreen_dnsbl.c.

20150607

	Support for DNS reply TTL values for "not found" responses
	(negative reply caching).  The postscreen daemon needs this to
	accurately whitelist an SMTP client that is not found on any
	DNSBL. Files: dns/dns_lookup.c, dns/dns_strrecord.c, dns/dns.h,
	dns/test_dns_lookup.c.

20150615

	Two new parameters to limit how long a DNSBL or DNSWL lookup
	result remains valid: postscreen_dnsbl_max_ttl is an upper
	limit for the TTL from a DNS query, and postscreen_dnsbl_min_ttl
	is a lower limit. The old postscreen_dnsbl_ttl provides a
	backwards-compatible default for postscreen_dnsbl_max_ttl.
	Files: global/mail_params.h, postscreen/postscreen.c,
	postscreen/postscreen_early.c, mantools/postlink,
	proto/postconf.proto.

20150616

	Refinement: the postscreen daemon now computes two combined
	DNS reply TTLs: one combined TTL for replies that the client
	should be blocked, and one combined TTL for replies that the
	client should be allowed. This is more conservative than
	simply combining all reply TTLs into one number.  File:
	postscreen/postscreen_dnsbl.c.

20150621

	Feature: default_transport_rate_delay (and the transport-specific
	*transport*_transport_rate_delay) to enforce a destination-
	independent rate limit on deliveries.  Files: mantools/postlink,
	proto/postconf.proto, *qmgr/qmgr.h, *qmgr/qmgr_transport.c,
	*qmgr/qmgr_deliver.c, *qmgr/qmgr.c.

20150707

	Workaround: some DNS servers reply with NXDOMAIN for type
	NS queries with names that actually have an A record. This
	broke check_mumble_ns_access.  File: smtpd/smtpd_check.c.

20150711

	Workaround: conditional time default value can result in
	multiple time unit suffixes. Files: global/conv_time.c
	global/mail_conf_time.c.

20150712

	Cleanup: configurable workaround (dns_ncache_ttl_fix_enable)
	in case some future libc change breaks a promise made by
	current resolver(3) documentation. Files: global/mail_params.[hc].

	Cleanup: removed unused libdns dependencies. No-one remembers
	why they were introduced. Files: postscreen/Makefile.in,
	qmqpd/Makefile.in, smtpd/Makefile.in, tlsmgr/Makefile.in.

	Cleanup: code indentation. Viktor Dukhovni. File:
	smtp/smtp_addr.c.

	Workaround: With Solaris10, write_wait() hangs in poll()
	until timeout, when invoked after peekfd() has received an
	ECONNRESET error indication. This happens when a client
	sends QUIT and closes the connection immediately. File:
	util/peekfd.c.

20150715

	Security: updated default Diffie-Hellman export (512 bit)
	primes and non-export (from 1024 to 2048 bit) primes, and
	updated text on non-export DH primes. Viktor Dukhovni.
	Files: tls/tls_dh.c, proto/FORWARD_SECRECY_README.html.

20150718

	Security: opportunistic TLS by default uses "medium" or
	stronger ciphers instead of "export" or stronger. See the
	RELEASE_NOTES file for how to get the old settings back.
	Files: global/mail_params.h, proto/TLS_README.html,
	proto/postconf.proto, and files derived from those.

20150719

	Security: Postfix TLS support by default no longer uses
	SSLv2 or SSLv3.  See the RELEASE_NOTES file for how to get
	the old settings back. Files: global/mail_params.h,
	proto/postconf.proto, and files derived from those.

20150722

	Cleanup: the COMPATIBILITY_README* files were not installed.
	File: conf/postfix-files.

20150726

	Cleanup: some lost edits for the SASL_README file. File:
	proto/SASL_README.html.

20150816

	Workaround: updated the 20150707 fix for DNS servers that
	reply with NXDOMAIN for type NS queries instead of (NOERROR,
	zero answers).  File: smtpd/smtpd_check.c.

20150829

	Documentation: TLS session tickets are preferred over the
	local server-side smtpd_tls_session_cache_database storage.
	TLS session tickets are supported as of OpenSSL 0.9.8h (May
	2008).  Files: mantools/postlink, proto/TLS_README.html,
	proto/postconf.proto.

20150831

	Cleanup: obsolete comments in Makefile.init.

20150903

	Workaround: disable DNSSEC support for AIX 7x and earlier.
	The AIX 6/7 resolver(5) API defines RES_USE_DNSSEC without
	defining the "ad" bit.  Viktor Dukhovni.  Files: makedefs,
	proto/INSTALL.html, dns/dns.h.

20150912

	Future-proofing and code cleanup: exploit GCC and Clang
	"warn_unused_result" feature to flag missing error checks.
	Files: util/sys_defs.h, util/attr.h, util/edit_file.h,
	util/listen.h, util/lstat_as.h, util/mac_expand.h,
	util/mac_parse.h, util/myaddrinfo.h, util/myflock.h,
	util/sane_fsops.h, util/sane_socketpair.h, util/stat_as.h,
	util/base32_code.h, util/base64_code.h, util/hex_code.h,
	util/timed_wait.h, util/vstream.h, src/util/vstring_vstream.h.

	Cleanup: incomplete error check. Found with WARN_UNUSED_RESULT
	check. File: util/recv_pass_attr.c.

	Future-proofing: added type mis-match detection for
	ATTR_TYPE_FUNC function-pointer arguments. File: util/attr.h.

	Cleanup: don't ignore seek-to-end-of-file errors.  File:
	global/record.c.

	Cleanup: use vstream_fpurge() to purge VSTREAM buffers,
	instead of calling vstream_fseek() and ignoring ESPIPE
	errors.  File: smtpstone/qmqp-sink.c.

20150913

	Feature: SMTPD policy service "policy_context" attribute
	and smtpd_policy_service_policy_context main.cf parameter.
	Originally, to share the same SMTPD policy service endpoint
	among multiple check_policy_service clients. Markus Benning.
	Files: mantools/postlink, proto/SMTPD_POLICY_README.html,
	proto/postconf.proto, global/mail_params.h, global/mail_proto.h,
	smtpd/smtpd.c, smtpd/smtpd_check.c.

20150923

	Bugfix (introduced: 20120531-617): the Postfix SMTP server
	used a larger-than-1 VSTREAM buffer to read the HAProxy
	connection hand-off information. This broke TLS wrappermode,
	as the TLS helo packet would end up in the plaintext VSTREAM
	buffer. Reported by Lukas Erlacher.  File: smtpd/smtpd_haproxy.c.

20150924

	Cleanup (introduced: 20060510, exposed 20150912): eliminated
	a harmless warning message "seek error after reading END
	record: Illegal seek" from the cleanup server after a
	check_sender_access DISCARD action.  File: cleanup/cleanup.c.

	Bugfix (introduced: 20090216-24): incorrect postmulti error
	message. Reported by Patrik Koetter. Fix by Viktor Dukhovni.
	File: postmulti/postmulti.c.

	Workaround: don't create a new instance when the template
	main.cf and master.cf files are missing, as happens on
	Debian-like systems. Viktor Dukhovni. File: conf/postmulti-script.

20150930

	Bugfix (introduced: 20040124): Milter client panic while
	adding a header, because the PREPEND action used the same
	output function for header_checks and body_checks.  Viktor
	Dukhovni and Wietse. File: cleanup/cleanup_message.c.

	Bugfix (introduced: 20031128): xtext_unquote() did not
	propagate error reports from xtext_unquote_append(), causing
	the decoder to return partial output, instead of rejecting
	malformed input. Fix by Krzysztof Wojta.  File: global/xtext.c.

20151003

	Bugfix (copied from xtext): uxtext_unquote() did not propagate
	error reports from uxtext_unquote_append(), causing the
	decoder to return partial output, instead of rejecting
	malformed input.  Found by searching the code for similar
	error patterns as with xtext_unquote().  File: global/uxtext.c.

	Cleanup: added missing "negative" unit tests. Files:
	global/xtext.c, global/uxtext.c.

20151004

	Future proofing: use a real VSTRING in the 20150930 header
	PREPEND fix. File: cleanup/cleanup_message.c.

	Future proofing: make vstring_import() consistent with
	vstring_alloc(). The alternative would be to remove the
	function as it is unused and exists only for symmetry with
	vstring_export(). File: usr/vstring.c.

20151010

	Cleanup: the 20150903 workaround for AIX DNSSEC used the
	wrong name in #ifdef. File: dns/dns.h.

20151011

	Cleanup: in the PCRE client, turn fatal lookup errors into
	warnings, and skip the failing pattern as in dict_regexp.c.
	Also, fixed the error text when running into the matcher's
	backtracking limit. File: util/dict_pcre.c.

20151017

	Feature: smtpd_client_auth_rate_limit enforces a rate
	limit on the number of AUTH commands per client IP address.
	mantools/postlink, proto/postconf.proto, anvil/anvil.c,
	global/anvil_clnt.c, global/anvil_clnt.h, global/mail_params.h,
	smtpd/smtpd.c.

20151018

	Added RFC 7672 (SMTP security via opportunistic DANE TLS)
	and RFC 7505 ("Null MX" No Service Resource Record) to the
	lists of supported RFCs in manpages. Viktor Dukhovni. Files:
	smtp/smtp.c, smtpd/smtpd.c.

20151031

	Bitrot: OpenSSL API cleanups. Viktor Dukhovni. Files:
	.indent.pro, tls/tls.h, tls/tls_dane.c, tls/tls_fprint.c,
	tls/tls_misc.c, tls/tls_server.c, tls/tls_verify.c.

20151124

	Bugfix (introduced: Postfix 3.0): don't throttle a destination
	after opportunistic TLS failure. Viktor Dukhovni and Wietse.
	Files: smtp/smtp_proto.c, smtp/smtp.h, smtp/smtp_trouble.c.

20151128

	Feature: JSON-formatted queue listing with "postqueue -j".
	Output is a stream of JSON objects, one per queue file.  To
	simplify stream-mode parsing, each JSON object is followed by
	a newline character. Files: postqueue/postqueue.c,
	postqueue/postqueue.h, postqueue/showq_compat.c,
	postqueue/showq_json.c, showq/showq.c.

20151216

	Bugfix (introduced: 20151128) bogus queue file parsing error.
	File: showq/showq.c.

20151226

	Cleanup: postlog(1) now pauses for 1s after reporting a
	fatal or panic error. This makes behavior of scripts such
	as postfix-script consistent with built-in error messages.
	File: postlog/postlog.c.

20151227

	Robustness: don't allow for whitespace in command-line
	arguments.  Files; postfix-install, conf/post-install.

	Robustness: added a comment to discourage people who keep
	adding code that calls gethostbyname() to determine the
	default myhostname setting.  This is a mistake: all Postfix
	programs will hang when the DNS is unavailable.  File:
	global/mail_params.c.

	Safety: a limit on the number of address verification probes
	in the active queue (address_verify_pending_request_limit),
	by default 1/4 of the active queue maximum size. The queue
	manager tempfails probe messages that exceed the limit.
	Files: mantools/postlink, proto/postconf.proto, cleanup/cleanup.h,
	cleanup/cleanup_envelope.c, cleanup/cleanup_out_recipient.c,
	cleanup/cleanup_state.c, global/mail_params.h, global/post_mail.c,
	global/post_mail.h, global/verify.c, oqmgr/qmgr.c, oqmgr/qmgr.h,
	oqmgr/qmgr_message.c, qmgr/qmgr.c, qmgr/qmgr.h,
	qmgr/qmgr_message.c, verify/verify.c.

20160102

	Workaround: MacOS/X 10.11.x /bin/sh unsets DYLD_LIBRARY_PATH,
	which breaks the build and install.  Viktor Dukhovni and
	Wietse.  Files: makedefs, postfix-install, Makefile.in.

	Bitrot: OpenSSL 1.1.0-dev drops support for EXPORT ciphers
	and ephemeral RSA.  Viktor Dukhovni. Files: tls/tls_client.c,
	tls/tls_rsa.c, tls/tls_server.c.

	Bugfix: memory leak in tls_set_eecdh_curve(). Viktor Dukhovni.
	File: tls/tls_dh.c.

	Bugfix (introduced 20150326): when lmtp_fallback_relay
	support was added, the code that generates lmtp_mumble
	parameters from smtp_mumble parameters wasn't updated. File:
	smtp/smtp-only.

	Bugfix (introduced 20151017): the smtpd_client_auth_rate_limit
	implementation was not guarded with #ifdef USE_SASL_AUTH.
	File: smtpd/smtpd.c.

20160103

	Feature: enable DANE policies when an MX host has a secure
	TLSA DNS record, even if the MX DNS record was obtained
	with insecure lookups. The existence of a secure TLSA record
	implies that the host wants to talk TLS and not plaintext.
	This behavior is controlled with smtp_tls_dane_insecure_mx_policy
	(default: "dane", other settings: "encrypt" and "may"; the
	latter is backwards-compatible with earlier Postfix releases).
	Viktor Dukhovni.  Files: mantools/postlink, proto/postconf.proto,
	src/global/mail_params.h, src/posttls-finger/posttls-finger.c,
	src/smtp/smtp-only, src/smtp/smtp.c, src/smtp/smtp.h,
	src/smtp/smtp_addr.c, src/smtp/smtp_params.c,
	src/smtp/smtp_tls_policy.c, src/tls/tls.h, src/tls/tls_client.c.

20160104

	Cleanup: distinct TLS levels for "full" DANE and for DANE
	with insecure MX records.  Viktor Dukhovni. Files:
	posttls-finger/posttls-finger.c, smtp/smtp_tls_policy.c,
	tls/tls.h, tls/tls_client.c, tls/tls_level.c.

20160108

	Cleanup: smtp_reply_footer() now restores state in case of
	input error; unit tests that cover most if not all error
	and non-error cases.  Files: global/smtp_reply_footer.c,
	global/smtp_reply_footer.ref.

20160110

	Bitrot: const-ification for OpenSSL 1.1.0. Viktor Dukhovni.
	File: tls/tls_misc.c.

20160116

	"postconf -H" support (show names without the =value).
	Initial use case: mass reversal of TLS-related main.cf
	parameters (postconf -nH | grep _tls_ | xargs postconf -X).
	This flag also works with "postconf -F" and "postconf -P".
	Added missing documentation that -h works with "postconf
	-F" and "postconf -P".  Files: postconf.c, postconf.h,
	postconf_master.c, postconf_main.c.

	Robustness: force html2text to produce ASCII output.  File:
	mantools/html2readme.

	Feature: "postfix tls" commands to enable opportunistic TLS
	in the Postfix SMTP client or server, or generate or replace
	Postfix SMTP server TLS private keys and server certificates.
	Viktor Dukhovni, Wietse. Files: conf/postfix-files,
	conf/postfix-script, conf/postfix-tls-script, makedefs,
	proto/INSTALL.html, proto/postconf.proto, global/mail_params.h,
	postfix/postfix.c, tls/tls_misc.c.

	Portability: added a tls_random_source default setting for
	MacOS X. Viktor Dukhovni. File: util/sys_defs.h.

20160118

	Bitrot: OpenSSL 1.1.0-dev (aka the "master" branch) has new
	security levels ranging from 0 to 5. Level "0" is backwards
	compatible, and other levels are increasingly restrictive.
	Viktor Dukhovni. Files: tls/tls_server.c, tls/tls_client.c.

20160205

	Portability: Postfix TLS support uses /dev/urandom if
	available and no system-specific setting exists in sys_defs.h.
	Files: makedefs, util/sys_defs.h.

20160208

	Cleanup: building the INSTALL file had failed, added
	hyperlinks for "postfix tls". Files: mantools/postlink.

20160210

	Feature: all-default-client and all-default-server subcommands.
	Eray Aslan. File: conf/postfix-tls-script.

	Bugfix: the postqueue(1) JSON formatter wrote a spurious
	comma after the delay reason. Reported by Christian Roessner.
	File: postqueue/showq_json.c.

20160212

	Cleanup: Bold/Italic cleanup in manpages.

20160213

	Added Google credits to external manpages.

20160214

	More manpage cleanups. Viktor, Wietse.

20160215

	Cleanup: "match_list_match: permit_mynetworks: no match" after
	a SUCCESSFUL permit_mynetworks match of a client IP address was
	complicating troubleshooting.  The fix is to log additional
	context to clarify that this "no match" condition is for
	smtpd_log_access_permit_actions. File: smtpd/smtpd_check.c.

20160224

	Cleanup: un-break some DNS unit tests by replacing non-portable
	numerical flags with portable symbolic names in the verbose
	command output.  Files: dns/dns_str_resflags.c, dns/dns_lookup.c,
	dns/Makefile.in, many *.ref files.

20160227

	Cleanup: remember multiple BCC actions in access maps.
	Files: smtpd/smtpd.h, smtpd/smtpd.c, smtpd/smtpd_check.c,
	smtpd/smtpd_state.c, proto/access.

20160228

	Documentation: STRESS_README. File: proto/STRESS_README.html.

20160229

	Documentation: postmulti manpage. File: postmulti/postmulti.c.

20160305

	Future-proofing: detect integer overflow before it happens.
	After-the-fact detection relies on assumptions about
	undefined behavior that are invalidated by compilers.  Files:
	util/mymalloc.c, util/vstring.c.

20160310

	Bugfix (introduced: Postfix 2.6): the Milter SMFIR_CHGFROM
	(replace sender) request lost the sender_bcc_maps address.
	Fixed by moving some record keeping to the sender output
	function.  Files: cleanup/cleanup_envelope.c,
	cleanup/cleanup_addr.c, cleanup/cleanup_milter.c,
	cleanup/cleanup.h, regression tests.

20160314

	Future-proofing: revised off_t integer conversion (detect off_t
	overflow before it happens).  After-the-fact detection relies
	on assumptions about undefined behavior that are invalidated by
	compilers. Files: global/off_cvt.c.

	Cleanup: include <sys/types.h> once, instead of making it
	system-dependent. File: util/sys_defs.h.

	Cleanup: make sorting in "make depend" locale-independent.
	Files: */Makefile.in.

	Cleanup: postmulti manpage. File: postmulti/postmulti.c.

20160319

	Future-proofing: revised format-string width or precision integer
	conversion (detect integer overflow before it happens), plus
	some tests to ensure that format-string widths and precisions
	are parsed correctly, and that output buffers are sized
	correctly. Files: util/vbuf_print.c, util/vbuf_print_test.in,
	util/vbuf_print_test.ref.

20160320

	Testing: exact-size VSTRING allocation. Files: util/vstring.[hc].

	Cleanup: switch to snprintf() for redundancy, keeping
	existing code in place to censor unnecessary format-string
	features. Specify "make makefiles CCARGS=-DNO_SNPRINTF" for
	ancient systems.  File: vbuf_print.c, makedefs, util/sys_defs.h,
	proto/INSTALL.html.

20160324

	Future-proofing: revised netstring length integer conversion
	(detect integer overflow before it happens).  File:
	util/netstring.c.

	Cleanup: report unsupported usage of '%ls' and '%lc' in
	format strings.  File: util/vbuf_print.c.

20160326

	Future-proofing: regression test for global/off_cvt.c.
	Files: global/off_cvt.in, global/off_cvt.ref.

20160327

	Cleanup: postconf(1) manpage. File: postconf/postconf.c.

	Cleanup: un-broke regression tests. Files: dns/mxonly_test.ref,
	dns/no-mx.ref, smtpd/smtpd_server.ref, smtpd/smtpd_server.in.

	Added Postfix version information to the "postconf -m" manpage
	section.  File: postconf/postconf.c.

20160330

	The collate.pl script by Viktor Dukhovni for grouping Postfix
	logfile records into "sessions" based on queue ID and process
	ID information. Files: auxiliary/collate/*.

20160407

	Treat SASL_FAIL and SASL_NOMEM as temporary errors.
	Markus Benning. File: xsasl/xsasl_cyrus_server.c.

20160410

	Bugfix (introduced: Postfix 2.6): the "bad filetype"
	header_checks pattern falsely rejected Content-Mumble headers
	with ``name="example"; x-apple-part-url="example.com"''.
	Fixed by respecting the ";" separator between content
	attribute values.  Reported by Cedric Knight.  File:
	proto/header_checks.

20160515

	Portability: OpenBSD 6.0. Files: makedefs, util/sys_defs.h,
	dns/dns_str_resflags.c.

20160521

	Bugfix (introduced: Postfix beta): the never-used function
	mvect_free() attempted to free memory that it has not
	allocated.  File: util/mvect.c.

	Cleanup: existing if/endif support for pcre and regexp
	tables, in preparation for new if/endif support for cidr
	tables. Files: util/dict_regexp.c, util/dict_pcre.c.

20160526

	Feature: cidr tables now support if/endif and negation (by
	prepending "!" to a pattern), just like regexp and pcre
	tables. The primarily purpose is to improve readability of
	complex tables. Files: util/cidr_match.[hc], util/dict_cidr.c,
	proto/cidr_table.

	Cleanup: make regexp: and pcre: parser warning messages more
	similar.  Files: dict_regexp.c, dict_pcre.c.

20160601

	Cleanup: moved parsing of '!' operators from cidr_match.c
	to dict_cidr.c. Files: util/cidr_match.[hc], util/dict_cidr.c,
	util/match_ops.c.

20160604

	Cleanup: made parsing of '!' operators in regexp and pcre
	tables consistent with cidr tables. Files: util/dict_regexp.c,
	util/dict_pcre.c.

20160605

	Cleanup: integer wrap-around detection in the MySQL and
	PostgreSQL clients. This is totally non-critical because
	Postfix strings are size-limited by design. Files:
	global/dict_mysqql.c, global/dict_pgsql.c.

20160607

	Documentation: dnsblog.

20160609

	Documentation: postsuper(1) manpage text for multiple -[dhH]
	options.  File: postsuper/postsuper.c.

20160611

	Cleanup: Postfix SMTP server local IP address and port
	attributes in the policy delegation protocol (attribute
	names: server_address, server_port), in the Milter protocol
	(macro names: {daemon_addr}, {daemon_port}) and in the
	XCLIENT protocol (attribute names: DESTADDR, DESTPORT).
	Files: proto/MILTER_README.html, proto/SMTPD_POLICY_README.html,
	cleanup/cleanup.h, cleanup/cleanup_milter.c, global/mail_proto.h,
	milter/milter.h, smtpd/smtpd.c, smtpd/smtpd.h, smtpd/smtpd_check.c,
	smtpd/smtpd_haproxy.c, smtpd/smtpd_milter.c, smtpd/smtpd_peer.c.

20160612

	Bugfix (introduced: 20090211): missing server address
	conversion for non-proxy, non-postscreen connections.  File:
	smtpd/smtpd_peer.c.

	Bugfix (introduced: 20160611) missing server port conversion
	for non-proxy, non-postscreen connections, because there was
	no server address conversion.  File: smtpd/smtpd_peer.c.

20160618

	Bugfix (introduced: 20091121): with the introduction of
	sender_dependent_default_transport_maps, the SMTP daemon
	was not updated. This resulted in false rejects with
	sender-dependent "error" transports. Based on a fix by
	Russell Yanofsky.  Files: global/resolve_clnt.c,
	global/resolve_clnt.h, smtpd/smtpd_check.c, smtpd/smtpd_check.h,
	smtpd/smtpd_milter.c, smtpd/smtpd_resolve.c, smtpd/smtpd_resolve.h.

20160619

	Refinements to the 20160618 fix. For more consistent results
	with sender address validation, use the recipient address
	(if available) as the sender-dependent address resolver
	context.  For better caching, pass sender context with all
	attempts to resolve an email address.  File: smtpd/smtpd.c,
	smtpd/smtpd_check.c, smtpd/smtpd_milter.c.

20160625

	Cleanup: the Postfix SMTP server now passes network address
	and port information to the Cyrus SASL library. Build with
	``make makefiles "CCARGS=$CCARGS -DNO_IP_CYRUS_SASL_AUTH"''
	for backwards compatibility. Files: makedefs,
	smtpd/smtpd_sasl_glue.c, xsasl/xsasl.h, xsasl/xsasl_cyrus_server.c,
	xsasl/xsasl_server.c.

	Cleanup: dnsblog manpage. File: dnsblog/dnsblog.c.

20160717

	Bugfix (introduced: Postfix 1.1): the virtual(8) delivery
	agent discarded the error result from vstream_fseek().

20160728

	Bugfix (introduced: 20090614): with concurrent connections
	from the same client IP address, and after-220 tests enabled,
	postscreen could overwrite the cached "all tests completed"
	result of one connection that completed the after-220 tests,
	with the "some tests not completed" result of a concurrent
	connection where the client hung up before completing the
	after-220 tests.  Files: postscreen_misc.c, postscreen_state.c,
	postscreen.h, postscreen_tests.c, postscreen.c, postscreen_smtpd.c,
	postscreen_early.c.

20160730

	Cleanup: don't try to optimize away postscreen cache updates.
	File: postscreen_misc.c.

	Cleanup: removed compatibility crutches that emulated a
	historical data organization from four years ago. Files:
	postscreen/postscreen.[hc], postscreen/postscreen_early.c,
	postscreen/postscreen_smtpd.c, postscreen/postscreen_tests.c.

20160808

	Cleanup: preserve the new file mtimes when installing Postfix.
	Ondřej Lysoněk. File: postfix-install.
	REVERTED 20160828.

20160819

	Bugfix (introduced: Postfix 3.0): the makedefs script ignored
	readme_directory=pathname overrides. Fix by Todd C. Olson.
	File: makedefs.

20160821

	Bugfix (introduced: Postfix 3.0): the tls_session_ticket_cipher
	documentation says aes-256-cbc, but the implementation was
	using aes-128-cbc (note that Postfix session ticket keys
	are rotated after 1/2 hour, to limit the impact of attacks
	on session ticket keys).

20160828

	Bitrot: fixes for incompatible OpenSSL 1.1.0 API changes.
	Viktor Dukhovni. Files: posttls-finger/posttls-finger.c,
	tls/tls.h, tls/tls_dane.c, tls/tls_verify.c, tls/tls_server.c,
	tls/tls_client.c.

	Cleanup: disable reuse of ECDH ephemeral keys. Viktor
	Dukhovni.  File: tls/tls_misc.h.

20160908

	Documentation: add a pointer to hosts(5) and services(5)
	for symbolic host and port syntax. File: proto/master.

20160911

	Bugfix (introduced: Postfix 3.0): the SMTP daemon did not
	reset a previous session's command counts before rejecting
	a client that exceeds request or concurrency rates. File:
	smtpd/smtpd.c.

20160912

	Feature: preserve the new file mtimes when installing
	Postfix.  Ondřej Lysoněk. Wietse made this conditional on
	the presence of a new -keep-new-mtime flag. File: postfix-install.
	[this flag was renamed to "-keep-build-mtime" on 20161126]

20160917

	Bugfix (introduced: Postfix 3.0): the unionmap did not
	propagate table lookup errors.  Based on patch by Roel van
	Meer.  Files: util/dict_union.c, util/dict_union_test.*.

	Cleanup: added unit test for pipemap. Files: util/dict_pipe.c,
	util/dict_pipe_test.*.

	Documentation: added a note about the order of search
	patterns and table lookup order. Files: proto/canonical,
	proto/generic, proto/virtual.

	Documentation: bitrot in postsuper(1) example. Different
	groff versions produce different results; some systems no
	longer support historical "tail -number" command syntax.
	Fix by Geert Stappers. File: postsuper/postsuper.c.

20160918

	Logging: the Postfix SMTP server logs the sasl_username
	after rejected SMTP commands.  As before, the SMTP server
	does not forward SASL login information to other Postfix
	subsystems, and it does not receive SASL login information
	in XFORWARD commands. File/smtpd/smtpd.c.

20160925

	Bugfix (introduced: Postfix 2.11): changed the default MySQL
	option_group value to "client" to enable the reading of
	"client" option group settings in the MySQL option file.
	This fixes false "not found" errors with Postfix queries
	that contain UTF8-encoded text.  Fix by John Fawcett.
	Specify an empty option_group value to get backwards-compatible
	behavior. Files: global/dict_mysql.c, proto/mysql_table.

20161007

	Bitrot: API for the ersatz inet_ntop() function, when
	compiling with -DNO_IPV6 (which exists only for debugging).
	Files: util/sys_defs.h, util/sys_compat.c.

20161008

	Feature: smtp_tcp_port, similar to the existing lmtp_tcp_port.
	Files: mantools/postlink, proto/postconf.proto,
	global/mail_params.h, smtp/smtp.c, smtp/smtp_connect.c,
	smtp/smtp_params.c.

	Feature: "PASS" and "STRIP" actions in header/body_checks.
	"STRIP" is similar to "IGNORE" but also logs the action,
	and "PASS" disables header, body, and Milter inspection for
	the remainder of the message content.  Contributed by Hobbit.
	Files: cleanup/cleanup_message.c, global/header_body_checks.c.

20161024

	Feature: smtpd_milter_maps, per-client Milter configuration
	that overrides smtpd_milters, and that has the same syntax.
	Files: mantools/postlink, proto/MILTER_README.html,
	proto/postconf.proto, global/mail_params.h, smtpd/smtpd.c,
	smtpd/smtpd.h, smtpd/smtpd_sasl_proto.c, smtpd/smtpd_state.c.

20161103

	Cleanup: error reporting for IDNA (non-ASCII domain name)
	conversion errors. File: util/midna_domain.c.

	Cleanup: non-transitional conversion of UTF8 to/from ASCII
	domain name labels used in DNS queries. This disables
	'transitional' compatibility between IDNA2003 and IDNA2008,
	and affects some corner cases such as German sz and Greek
	zeta. Specify "enable_idna2003_compatibility = yes" to
	restore historical behavior. Files: util/midna_domain.[hc],
	mantools/postlink, global/mail_params.[hc], proto/postconf.proto,
	proto/SMTPUTF8_README.html.

20161105

	Bugfix (introduced: Postfix 1.1): the postsuper command did
	not count a successful rename operation after error recovery.
	Problem reported by Markus Schönhaber. File: postsuper/postsuper.c.

	Cleanup: error reporting for IDNA (non-ASCII domain name)
	conversion errors, and enable_idna2003_compatibility
	configuration. File: util/midna_domain.c.

20161106

	Documentation: specify the minimum ICU library version (4.6).
	File: proto/SMTPUTF8_README.html.

20161109

	Portability: force LC_ALL=C in dict_utf8 test. This should
	probably be in every shell script.

20161120

	Documentation: clarified the syntax of $name and ${name...}
	in parameter values, and some wordsmithing. Files:
	proto/postconf.html.prolog, proto/postconf.man.prolog.

20161123

	Documentation: clarified reject_non_fqdn_{sender,recipient}.
	The syntax check applies only for domains that are actually
	specified, not for missing domains. File: proto/postconf.proto.

20161126

	Cleanup: the postfix-install option "-keep-new-mtime" was
	renamed to "-keep-build-mtime". File: postfix-install.

	Feature: "make makefiles POSTFIX_INSTALL_OPTS=-keep-build-mtime"
	to set the installed file mtimes to their build time instead
	of their installation time. Based on code by Ondřej Lysoněk.
	Wietse added a guard to prevent POSTFIX_INSTALL_OPTS from
	passing arbitrary options.  Files: makedefs, Makefile.in,
	proto/INSTALL.html.

20161201

	Documentation: add 'smtpd_tls_auth_only=yes' to the master.cf
	submission service example. File: conf/master.cf.

20161202

	Documentation: typos in postconf(1) manpage. File:
	postconf/postconf.c.

20161204

	Cleanup: properly report numerical conversion errors in
	${{number} relational-operator ${number}}, and wordsmithing.
	File: util/mac_expand.c.

	Updated auxiliary/collate/collate.pl with Viktor's suggestion
	in <98D25E24-EAB1-42BB-82FD-794F5DDD4E7F@dukhovni.org> for
	better tracking of message flows.

	Cleanup: remove tentative features that were implemented
	before the DANE spec was finalized: support for certificate
	usage PKIX-EE(1), the ability to disable digest agility
	(Postfix now behaves as if "tls_dane_digest_agility = on"),
	and the ability to disable support for "TLSA 2 [01] [12]"
	records that specify the digest of a trust anchor (Postfix
	now behaves as if "tls_dane_trust_anchor_digest_enable =
	yes).  Viktor Dukhovni.  Files: mantools/postlink,
	proto/postconf.proto, proto/TLS_README.html, tls/tls.h,
	tls/tls_dane.c, smtp/smtp.c.

	Bugfix (introduced: Postfix 3.1): cut-and-paste error in
	the "postfix tls deploy-server-cert" command, causing the
	wrong certfile and keyfile to be used. Viktor Dukhovni.
	File: conf/postfix-tls-script.

	Robustness: create a new keyfile when "postfix tls
	new-server-cert" is invoked, and main.cf specifies a
	non-existent keyfile. Viktor Dukhovni.  File:
	conf/postfix-tls-script.

20161205

	Cleanup: log the sender address when rejecting a too large
	message size in a "MAIL FROM:<sender> SIZE=nnn" command.
	File: smtpd/smtpd.c.

20161206

	Bugfix (introduced: Postfix 3.0): when receiving a MAIL
	FROM...SMTPUTF8 command while smtpd_delay_reject=no, enable
	SMTPUTF8 support before processing smtpd_sender_restrictions.
	Problem reported by Viktor Dukhovni. File: smtpd/smtpd.c.

	Bugfix (introduced: Postfix 3.0): when receiving a
	VRFY...SMTPUTF8 command, enable SMTPUTF8 support while
	processing smtpd_recipient_restrictions. File: smtpd/smtpd.c.

20161220

	Bugfix (introduced: Postfix 2.1.0): the Postfix SMTP daemon
	did not query sender_canonical_maps when rejecting unknown
	senders with "smtpd_reject_unlisted_recipient = yes" or
	with reject_unlisted_sender.  Stephen R. van den Berg (Mr.
	procmail). Files: smtpd/smtpd.c, smtpd/smtpd_check.c.

20161217

	Enable elliptic curve negotiation with OpenSSL >= 1.0.2.
	This changes the default smtpd_tls_eecdh_grade setting to
	"auto", and introduces a new parameter tls_eecdh_auto_curves
	with the names of curves that may be negotiated.  The default
	tls_eecdh_auto_curves setting is determined at compile time,
	and depends on the Postfix and OpenSSL versions.  At runtime,
	Postfix will skip curve names that aren't supported by the
	OpenSSL library.  Viktor Dukhovni.  Files: mantools/postlink,
	proto/FORWARD_SECRECY_README.html, proto/TLS_README.html,
	proto/postconf.proto, global/mail_params.h, smtpd/smtpd.c,
	tls/tls.h, tls/tls_client.c, tls/tls_dh.c, tls/tls_misc.c,
	tls/tls_server.c.

	Feature: stored-procedure support for MySQL databases.
	John Fawcett. Files: global/dict_mysql.c, proto/mysql_table.

20161223

	Bugfix (introduced: Postfix 3.2 snapshots): the makedefs
	script produced a garbled CCARGS setting when no suitable
	ICU library was found. File: makedefs.

20161225

	Cleanup: simplified handling of unsupported curve names in
	the tls_eecdh_auto_curves parameter value.  File: tls/tls_dh.c.

	Cleanup: simplified code structure in the MySQL client
	support for stored procedures. File: global/dict_mysql.c.

20161226

	Cleanup: more MySQL client code simplification, better error
	messages, new per-database "require_result_set" parameter
	(default: yes) which can be set to "no" to avoid the need
	for dummy SELECT statements in stored procedures.  Files:
	global/dict_mysql.c, proto/mysql_table, postconf/postconf_dbms.c.

	Portability: SSL_CTX_set_ecdh_auto() is part of the deprecated
	OpenSSL API, so it must be used under #ifdef. Viktor Dukhovni.
	File: src/tls/tls_dh.c.

20161227

	Safety: the sendmail -C option must specify an authorized
	configuration directory: the default configuration directory,
	a directory that is listed in the default main.cf file with
	alternate_config_directories or multi_instance_directories,
	or the command must be invoked with root privileges.  This
	mitigates a problem with the PHP mail() function.  Files:
	global/mail_conf.[hc], sendmail/sendmail.c.

20161228

	Documentation: moved the "BACKWARDS COMPATIBILITY" sections
	to the end of ldap_table, mysql_table, pgsql_table, and
	sqlite_table, renamed to "OBSOLETE MAIN.CF PARAMETERS".

20161231

	Bugfix (introduced: 20160521): segfault (null pointer) in
	cidr, pcre, and regexp table when an input does not match
	an ENDIF-less IF operator.  Found during code maintenance.
	File: util/cidr_map.c, util/dict_regexp.c, util/dict_pcre.c.

20170101

	Portability; SunOS5 builds broke after moving the sys/types.h
	include statement to the top of sys_defs.h.

	Portability: declaration after code is GNU dialect. File:
	util/vbuf_print.c.

	Portability: compatibility macros for SSLv23_client_method()
	etc.  deprecation. Files: tls/tls.h, tls/tls_client.c,
	tls/tls_dane.c, tls_server.c.

201606-20170108

	Cleanup: handling of address extensions with email addresses
	that contain spaces. The virtual_alias_maps, canonical_maps,
	and smtp_generic_maps features now correctly propagate an
	address extension from "aa bb+ext"@example.com to "cc
	dd+ext"@other.example, instead of producing broken output.

	Files updated to support conversion between unquoted and
	quoted address forms, as required for addresses that contain
	spaces: global/mail_addr_map.*, global/mail_addr_find.* and
	global/mail_addr_crunch.*.

	Files updated to enable these address conversions to correctly
	propagate address extensions: cleanup/cleanup_map11.c
	(canonical_maps), cleanup/cleanup_map1n.c (virtual_alias_maps),
	and smtp/smtp_generic.c (smtp_generic_maps).

	Files updated to rename functions to better reflect their
	input and output forms: global/split_addr.*, global/strip_addr.*.

	Files updated to support quoted lookup keys: util/dict_inline.c,
	util/dict_thash.c, postmap/postmap.c.

	Files updated to invoke a backwards-compatible mail_addr_find()
	version that disables quoted/unquoted address conversions:
	smtp/smtp/smtp_sasl_glue.c (smtp_sasl_password_maps),
	smtpd/smtpd_check.c (SMTP server address validation),
	cleanup/cleanup_addr.c (sender_bcc_maps and recipient_bcc_maps),
	virtual/mailbox.c (user-related table lookups),
	trivial-rewrite/transport.c (transport_maps),
	trivial-rewrite/resolve.c (sender_dependent_mumble_maps,
	relocated_maps). These features may be migrated later to
	enable quoted-form address lookup keys, for consistency
	with other Postfix features.

20170109

	Cleanup: reduce the number of modified files relative to
	the last regular release, to make a back-port more feasible.
	This renames the new mail_addr_find() to mail_addr_find_opt(),
	and renames the backwards_compatibility mail_addr_find_noconv()
	to its old name mail_addr_find().  Added backwards-compatible
	aliases {split,strip}_addr() for {split,strip}_addr_local().
	To ensure correctness these edits were done mechanically,
	and verified mechanically.

20170111

	Documentation: when (smtp|lmtp)_delivery_status_filter is
	applied. File: proto/postconf.proto.

20170114

	Cleanup: careful handling of local-parts that contain '@',
	as they are converted into quoted form.  Files:
	global/mail_addr_find.*, global/quote_822_local.*,
	global/quote_flags.*.

	Cleanup: added unit tests for malformed inputs. Files:
	util/dict_thash{in,ref}.

	Cleanup: minimize the patch size of the quoting fixes, and
	a preliminary back-port to Postfix 3.1.4.

20170115

	Cleanup: enable "externalized" address lookup by default,
	with legacy-style "internalized" lookup for backwards
	compatibility, for sender_bcc_maps, recipient_bcc_maps,
	smtp_sasl_passwd_maps, smtpd_sender_login_maps, relocated_maps,
	sender_dependent_mumble_maps, virtual_{mailbox,uid,gid}_maps.
	File: global/mail_addr_find.c.

	Cleanup: enable "externalized" address lookup by default,
	with legacy-style "internalized" lookup for backwards
	compatibility, for transport_maps. Files: global/mail_addr_find.*,
	trivial-rewrite/transport.*.

	Cleanup: mail_addr_find_() now has a configurable strategy
	for full and partial address lookup, so that it may also
	be used for localpart lookup in access maps.

20170116:

	Cleanup: parent domain matching is now implemented in the
	mail_addr_find() engine. Simplified the transport_maps
	lookup to just one mail_addr_find_() call. Files:
	global/mail_addr_find.*, trivial-rewrite/transport.*.

	Cleanup: enabled "externalized" address lookup by default,
	with legacy-style "internalized" lookup for backwards
	compatibility, for check_sender_access and check_recipient_access.
	This now uses 'user@' lookup support in the mail_addr_find()
	engine.  File: global/mail_addr_find.*, smtpd/smtpd_check.c.

20170122

	Cleanup: separated the database query form from the address
	form that is input to mail_addr_find_() or mail_addr_map*(),
	in attempt to make code more obviously correct. Files:
	global/mail_addr_find.c, global/mail_addr_map.c.

	Abandoned an experiment that used internal-form queries for
	all maps, because it would be very difficult to test. The
	tests inputs would have to compensate for multiple levels
	of unquoting by postmap, C compilers, or shell interpreters.

	Cleanup: moved the backwards-compatibility lookup strategy
	(try the external address form first, then the internal
	address form if it is different) inside the loop that
	iterates over full and partial address forms. File:
	global/mail_addr_find.c.

20170125

	Cleanup: mail_addr_find test scripting. Eliminate main.cf
	dependencies, and allow all tests to run in one process.
	Files: global/mail_addr_find.*

20170127

	Cleanup: mail_addr_find and mail_addr_form named constants.
	Files: global/mail_addr_form.h, mail_addr_find.h, and
	dependents.

20170128

	Cleanup: smtp_generic_maps implementation. Reduced the
	number of internal<->external form address conversions,
	added more rigorous tests, and eliminated the main.cf and
	trivial-rewrite dependencies.  Files: smtp_map11.*.

20170129

	Cleanup: bogus UTC timezone setting for postqueue/mailq
	command output, and other environment settings for root and
	non-root users in set-gid programs. File: postqueue/postqueue.c
	(enforce import_environment name=value overrides for root
	users), util/msg_syslog_init.c (don't override non-existent
	TZ settings with UTC), util/unsafe.c (exclude uid==0, euid==0
	super-user from privilege escalation concerns).

20170131

	Cleanup: more complete VALGRIND coverage for test build targets
	and scripts. Files: postalias/fail_test.in, postmap/fail_test.in,
	postmap/quote_test.in, util/dict_pipe_test.in,
	util/dict_union_test.in, util/dict_utf8_test.in.


20170201

	Portability: unsetenv() for ancient platforms. File:
	makedefs, util/sys_compat.c.

20170205

	Cleanup: security checks for config_directory overrides.
	File: global/mail_conf.c.

	Cleanup: enforce import_environment name=value settings in
	command-line utilities, for consistency with Postfix daemons (but
	without removing environment variables).  This is not enforced
	in the postconf command which must be able to process main.cf
	files with incomplete settings. Files: postalias/postalias.c,
	postcat/postcat.c, postkick/postkick.c, postlock/postlock.c,
	postlog/postlog.c, postmap/postmap.c, postsuper/postsuper.c,
	posttls-finger/posttls-finger.c, sendmail/sendmail.c,
	util/clean_env.[hc].

20170206

	Bugfix (introduced: Postfix 3.0): check_mumble_a_access
	did not handle [ipaddress], unlike check_mumble_mx_access.
	When check_mumble_a_access was introduced, some condition
	was not updated.  Reported by James (postfix_tracker). File:
	smtpd/smtpd_check.c.

20170207

	Cleanup: rephrased paranoia precondition. File: global/mail_conf.c.

20170211

	Cleanup: rephrased paranoia precondition. File: util/unsafe.c.

20170218

	Cleanup: typofixes from klemens. The only change in compiled
	code is in one identical mysql error message that also
	appears in the pgsql client.  Files: about 50.

20170221

	Compatibility fix (introduced: Postfix 3.1): some Milter
	applications do not recognize macros sent as {name} when macros
	have single-character names. Postfix now sends such macros
	without {} as it has done historically. Viktor Dukhovni. File:
	milter/milter.c.

20170228

	Documentation: re-word scary warnings at the top of SASL_README
	and TLS_README.

20170402

	Bugfix (introduced: Postfix 3.2): restore the SMTP server
	receive override options at the end of an SMTP session,
	after the options may have been modified by an smtpd_milter_maps
	setting of "DISABLE". Problem report by Christian Rößner,
	root cause analysis by Viktor Dukhovni. File: smtpd/smtpd.c.

20170430

	Safety net: append a null byte to vstring buffers, so that
	C-style string operations won't scribble past the end. File:
	vstring.[hc].

20170505

	Workaround for a current problem where some destination
	announces primarily IPv6 MX addresses, the smtp_address_limit
	eliminates most or all IPv4 addresses, and the destination
	is not reachable over IPv6. This workaround is enabled with
	"smtp_balance_mx_inet_protocols = yes", which is the default.
	Files: smtp/smtp.c, smtp/smtp_params.c, smtp/smtp_addr.c,
	global/mail_params.h, proto/postconf.proto.

20170506

	A last-minute cosmetic fix had introduced a bug in
	smtp/smtp_addr.c.

20170512

	Bugfix (introduced: Postfix 2.0): the MIME nesting level
	counter was not initialized (i.e. left at the memory fill
	pattern 0xffffffff which equals -1). This broke unit tests
	with a different memory allocator. Changing the value to
	zero would break backwards compatibility (reject mail that
	was previously not rejected). Files: global/mime_state.c.

20170531

	Bugfix (introduced: Postfix 3.2): after the table lookup
	overhaul, the check_sender_access and check_recipient_access
	features ignored the parent_domain_matches_subdomains
	setting. Reported by Henrik Larsson. File: smtpd/smtpd_check.c.

	Workaround (introduced: Postfix 3.2): mail_addr_find() logs
	a warning that it does not support both parent-domain and
	dot-parent-domain style lookups in the same call.  File:
	global/mail_addr_find.c

20170610

	Workaround (introduced: Postfix 3.0 20140718): prevent MIME
	downgrade of Postfix-generated message/delivery-status.
	It's supposed to be 7bit, therefore quoted-printable encoding
	is not expected. Problem reported by Griff. File:
	bounce/bounce_notify_util.c.

	Documentation: indicate that the transport_mumble parameters
	are implemented by the queue manager, not by delivery agents.
	Files: mantools/postlink, local/local.c, pipe/pipe.c,
	*qmgr/qmgr.c, smtp/smtp.c, virtual/virtual.c.

20170611

	Security: Berkeley DB 2 and later try to read settings from
	a file DB_CONFIG in the current directory.  This undocumented
	feature may introduce undisclosed vulnerabilities resulting
	in privilege escalation with Postfix set-gid programs
	(postdrop, postqueue) before they chdir to the Postfix queue
	directory, and with the postmap and postalias commands
	depending on whether the user's current directory is writable
	by other users. This fix does not change Postfix behavior
	for Berkeley DB < 3, but reduces file create performance
	for Berkeley DB 3 .. 4.6.  File: util/dict_db.c.

20170617

	Cleanup: the postconf command warns about unknown parameter
	names in a database configuration file, specified as an
	absolute pathname (for example, ldap:/path/to/file). This
	code was mostly written in January 2017, and it still is a
	partial implementation.  Files: postconf/postconf_dbms.c,
	postconf/Makefile.in, postconf/test66.ref.

20170618

	Cleanup: added missing "defined(__GLIBC__)" guards for
	GLIBC version tests. File: util/sys_defs.h.

20170620

	Bugfix (introduced: Postfix 3.2) extension propagation was
	broken with "recipient_delimiter = .". This change reverts
	a change that was trying to be too clever. Files:
	global/mail_adr_crunch.c, global/mail_addr_crunch.ref.

20170704

	Typos (introduced: Postfix 2.10): in comments about
	IPv4-in-IPv6 addresses, replace :ffff::1.2.3.4 with the
	correct form ::ffff:1.2.3.4. Incorrect or misleading comments
	are worse than no comments. Files: smtpd/smtpd_haproxy.c,
	postscreen/postscreen_haproxy.c.

20170721

	Bitrot: updated postconf LDAP database configuration check with
	SASL and TLS-related parameters. Reported by Ralf Hildebrandt.
	File: postconf/postconf_dbms.c.

20170722

	Cleanup: don't log the 'delay_dotcrlf' workaround for CISCO
	PIX bugs before the smtp_pix_workaround_threshold_time has
	passed. Reported by Ralf Hildebrandt. File: smtp/smtp_proto.c.

20170727

	Cleanup: the postconf command now uses mechanically-generated
	lists of DBMS parameter names. This eliminates false positives
	with mysql databases. Files: postconf/Makefile.in,
	postconf/extract_cfg.sh, postconf/postconf_dbms.c.

	Cleanup: removed `#if 0/#endif' dead code from dict_ldap.c,
	to avoid spurious output from the extract_cfg.sh parameter name
	extraction tool.

20170728

	Documentation: added warnings that "enable_original_recipient
	= no" prevents Postfix <= 3.2 from saving the address
	verification result under the original probe destination
	address, if it is changed by aliasing or canonical mapping.
	Files: proto/ADDRESS_VERIFICATION_README.html,
	proto/postconf.proto.

	Cleanup: don't store an empty address in the verify cache
	(this could happen with "enable_original_recipient = no").
	File: global/verify.c.

20170729

	Cleanup: the setting "enable_original_recipient = no" no
	longer breaks address verification for aliased addresses.
	This does not change the behavior of the X-Original-To
	header and of recipient deduplication. The fix is to always
	store the original recipient in queue files. Some other
	changes were needed to move ownership of the var_enable_orcpt
	parameter from the cleanup daemon to the global library.
	Files: cleanup/cleanup_init.c, cleanup/cleanup_milter.c,
	cleanup_out_recipient.c, global/mail_params.c, global/mail_copy.c,
	proto/postconf.proto proto/ADDRESS_VERIFICATION_README.html,
	local/local.c, virtual/virtual.c, pipe/pipe.c.

20170730

	Bugfix (introduced: yesterday): revert global/verify.c code
	to always store the verify result under the original address,
	and to conditionally store it under the rewritten address.
	File: global/verify.c.

20170827

	Safety: in vstream_buf_space(), add a sanity check to reject
	negative request sizes, instead of letting the program fail
	later. File: util/vstream.c

	Bugfix: in tests that enable the VSTRING_FLAG_EXACT flag,
	vstring_buf_put_ready() could fail to extend the buffer,
	causing infinite recursion in VBUF_PUT(). File: util/vstring.c.

20170830

	Bugfix: in vbuf_print(), save the parser-produced format
	string before calling msg_panic(), so that the panic message
	will not display its own format string. File: util/vbuf_print.c.

20170831

	Undefined behavior (introduced Postfix 1.0): after subtracting
	a larger unsigned integer from a smaller one, do not assign
	the result to a signed integer. File: postqueue/showq_compat.c.

20170910

	Safety: restore sanity checks for dynamically-specified
	width and precision in format strings (%*, %.*, and %*.*).
	These checks were lost with the Postfix 3.2 rewrite of
	the vbuf_print formatter. File: vbuf_print.c.

	Bugfix (introduced: postfix-alpha): improve the 'fatal:
	invalid option' message to show the optopt value instead of
	the getopt() result.  Files: master/*server.c.

20170923

	Bugfix (introduced: Postfix 3.2): panic in the postqueue
	command after output write error while listing the queue.
	This change restores a write error check that was lost with
	the Postfix 3.2 rewrite of the vbuf_print formatter.
	Problem reported by Andreas Schulze. File: util/vbuf_print.c.

20170924

	Cleanup: terminate early after output write error. Files:
	showq/show_compat.c, showq/show_json.c.

20171009

	Bugfix (introduced: Postfix 3.1): DANE support. Postfix
	builds with OpenSSL 1.0.0 or 1.0.1 failed to send email to
	some sites with "TLSA 2 X X" records associated with an
	intermediate CA certificate. Problem report and initial
	fix by Erwan Legrand. File: src/tls/tls_dane.c.

20171024

	Bugfix (introduced: Postfix 3.0) missing dynamicmaps support
	in the Postfix sendmail command broke authorized_submit_users
	with a dynamically-loaded map type. File: sendmail/sendmail.c.

20171116

	Bugfix (introduced: Postfix 2.1): don't log warnings
	that some restriction returns OK, when the access map
	DISCARD feature is in effect. File: smtpd/smtpd_check.c.

20171209

	Documentation: the effects of owner_request_special and
	reset_owner_alias on alias expansion. Files: proto/aliases,
	proto/postconf.proto.

20171215

	Bugfix (introduced: 20170611): the DB_CONFIG bugfix broke
	Berkeley DB configurations with a relative pathname.  File:
	util/dict_db.c.

20171218

	Workaround: reportedly, some res_query(3) implementation
	can return -1 with h_errno==0. Instead of terminating with
	a panic, the Postfix DNS client now logs a warning and sets
	h_errno to TRY_AGAIN. File: dns/dns_lookup.c.

	Cleanup: allow XCLIENT before STARTTLS, when TLS is required.
	File: smtpd/smtpd.c.

20171219

	Feature: preliminary support to run Postfix in the foreground.
	This requires that multi-instance support is disabled.
	Files: conf/postfix-script, postfix/postfix.c.

20171223

	Feature: Milters can now send RET and ENVID arguments in
	SMFIR_CHGFROM requests. Files: cleanup/Makefile.in,
	cleanup/cleanup.h, cleanup/cleanup_envelope.c,
	cleanup/cleanup_milter.c, cleanup/cleanup_milter.in13h,
	cleanup/cleanup_milter.in13i, cleanup/cleanup_milter.ref13c,
	cleanup/cleanup_milter.ref13d, cleanup/cleanup_milter.ref13f,
	cleanup/cleanup_milter.ref13g, cleanup/cleanup_milter.ref13h,
	cleanup/cleanup_milter.ref13i, cleanup/cleanup_state.c,
	cleanup/test-queue-file13h, cleanup/test-queue-file13i,
	oqmgr/qmgr_message.c, qmgr/qmgr_message.c.

20171226

	Documentation patches by Sven Neuhaus. Files:
	proto/FORWARD_SECRECY_README.html, proto/MILTER_README.html,
	proto/SMTPD_ACCESS_README.html.

20171227

	Feature: postgresql:// URI support by Magosányi Árpád.
	Files: global/dict_pgsql.c, proto/pgsql_table.

	Cleanup: added employer attributions for non-trivial changes
	after Wietse changed employers.

20180106

	Compatibility: with compatibility_level < 1, the SMTP server
	now warns for mail that would be blocked by the Postfix
	2.10 smtpd_relay_restrictions feature. This extends the
	safety net for sites that upgrade from earlier Postfix
	versions (questions on the postfix-users list show a steady
	trickle). Files: proto/COMPATIBILITY_README.html,
	global/mail_params[hc], smtpd/smtpd_check.c.

	Cleanup: reset compatibility_level warnings after 'postfix
	reload'. This is relevant primarily for the master daemon.
	File: global/mail_params.c.

	Cleanup: missing mailbox seek-to-end error check in the
	local(8) delivery agent. File: local/mailbox.c.

	Cleanup: incorrect mailbox seek-to-end error message in the
	virtual(8) delivery agent. File: virtual/mailbox.c.

20180107

	Cleanup: Postfix-generated From: headers with 'full name'
	information are now formatted as "From: name <address>" by
	default. Specify "header_from_format = obsolete" for the
	earlier form "From: address (name)". Files: proto/postconf.proto,
	cleanup/cleanup.h, cleanup_init.c, cleanup_message.c,
	mail_params.h.

20180113

	Bugfix: "postconf -M" commands did not warn about unused
	name=value settings in master.cf. File: postconf/postconf.c.

	Bugfix: "postconf -xM" now expands $process_name using the
	daemon file name in master.cf, instead of the "postconf"
	command process name. Files: postconf/postconf.h,
	postconf/postconf_lookup.c, postconf/postconf_master.c.

	Feature: read-only service_name parameter that contains the
	master.cf service name. This allows, for example, setting
	the syslog_name with "-o syslog_name=postfix/$service_name"
	for the "submission" and "smtps" services. Files:
	proto/postconf.proto global/mail_params.h, global/mail_params.c,
	master/single_server.c, master/multi_server.c,
	master/trigger_server.c, master/event_server.c,
	postconf/postconf_master.c, postconf/postconf_builtin.c,
	and daemon manpages.

20180114

	Paranoia: censor the postqueue process name, similar to the
	set-gid postdrop program. File: postqueue/postqueue.c.

	Cleanup: the new "service_name" parameter is applicable
	only to Postfix daemons configured in master.cf; hyperlink
	the parameter name in documentation.  Files: proto/postconf.proto,
	mantools/postlink, daemon manpages.

	Cleanup: allow whitespace between $[{(], parameter name,
	and [:?)}]. This allows making complex expressions more
	readable with line breaks. File: util/mac_expand.c.

	Cleanup: don't initialize the service_name parameter with
	the process_name value.  Files: postconf/postconf.[hc],
	postconf/postconf_builtin.c.

20180121

	Bugfix (introduced: 20180106): too many arguments for format
	string. File: local/mailbox.c.

20180128

	Documentation: the tcp_table(5) manpage now documents the
	absence of substring lookups. File: proto/tcp_table.

20180203

	Licence: in addition to the historical IBM Public License
	1.0, this software is now also distributed with the more
	recent Eclipse Public License 2.0. Recipients can choose
	to take the software under the license of their choice.
	Those who are more comfortable with the IPL can continue
	with that license. File: LICENSE.

20180217

	Cleanup: added 22 missing *_maps parameters to the default
	proxy_read_maps setting. Files: global/mail_params.h,
	mantools/missing-proxy-read-maps.

20180218

	Cleanup: back-ported the missing-proxy-read-maps script to
	older Postfix releases, and added error checks. Undid some
	of the 20180217 changes in mail_params.h that are no longer
	needed.

	Bugfix (introduced: 20120117): postconf should scan only
	built-in or service-defined parameters for ldap, *sql, etc.
	database names. Problem reported by Christian Rößner. Files:
	postconf/postconf_user.c.

20180224

	Workaround: postconf build did not abort if the m4 command
	is not installed (on a system that does have the make command,
	the awk command, the perl command, and the C compiler?!).
	File: postconf/extract_cfg.sh.

20180303

	Portability: slight differences between MySQL and MariaDB.
	Olli Hauer. File: global/dict_mysql.c.

20180306

	Bugfix (introduced: 19990302): when luser_relay specifies
	a non-existent local address, the luser_relay feature becomes
	a black hole. Reported by Jørgen Thomsen. File: local/unknown.c.

	Portability: FreeBSD 11 is supported. Files: makedefs,
	util/sys_defs.h.

20180403

	Containers: "postfix start-fg" will now attempt to run the
	master daemon as PID 1, and "postfix stop" will use a
	stronger signal if the master does not stop. Files:
	conf/postfix-script, master/master.c, master/master_sig.c,
	postfix/postfix.c.

20180404

	Containers: "postfix start-fg" running as PID=1 will now
	properly terminate after "postfix stop". With assistance
	from Andreas Schulze and Eray Aslan. Files: master/master.c,
	master/master.h, master/master_sig.c.

20180421

	Documentation: in the protocol description mention early
	on that a policy server must not close the connection unless
	there is an error. File: proto/SMTPD_POLICY_README.html.

20180422

	Undocumented: when running in PID=1 mode on Linux, a signal
	won't be delivered unless the process specifies a handler.
	Conveniently, _exit() can be used directly as a signal
	handler. This changes the wait status that a parent would
	see, but in the case of PID=1 mode on Linux, no-one would
	care. Viktor Dukhovni. File: util/killme_after.c.

	Bugfix (introduced: Postfix 2.8): missing tls_server_start()
	error propagation in tlsproxy(8) resulting in segfault after
	TLS handshake error. Found during code maintenance. File:
	tlsproxy/tlsproxy.c.

	Connection reuse for TLS-encrypted SMTP sessions. This is
	work-in-progress, #ifdef USE_TLSPROXY, to avoid contamination
	of existing code.

	The idea is to have smtp(8) talk plaintext while tlsproxy(8)
	converts between local plaintext and remote ciphertext.
	Then, smtp(8) can save plaintext connections to the cache,
	and scache(8) holds the handles to the tlsproxy(8) processes.

	This preliminary implementation does not yet support proxying
	of DANE attributes from smtp(8) to tlsproxy(8). tlsproxy(8)
	does not have permissions to read private key files that
	smtp(8) can read. And the name of a connection cache entry
	does not yet depend on whether the cached connection uses
	TLS, nor does it depend on DANE information.

	Files: global/mail_proto.h, postscreen/postscreen_starttls.c,
	posttls-finger/posttls-finger.c, smtp/smtp.c, smtp/smtp.h,
	smtp/smtp_params.c, smtp/smtp_proto.c, smtp/smtp_session.c,
	smtpd/smtpd.c, tls/tls.h, tls/tls_client.c, tls/tls_proxy.h,
	tls/tls_proxy_client_init_print.c,
	tls/tls_proxy_client_init_scan.c,
	tls/tls_proxy_client_start_print.c,
	tls/tls_proxy_client_start_scan.c, tls/tls_proxy_clnt.c,
	tls/tls_proxy_context_print.c, tls/tls_proxy_context_scan.c,
	tls/tls_proxy_server_init_print.c,
	tls/tls_proxy_server_init_scan.c,
	tls/tls_proxy_server_start_print.c,
	tls/tls_proxy_server_start_scan.c, tlsproxy/tlsproxy.c,
	tlsproxy/tlsproxy.h, tlsproxy/tlsproxy_state.c, util/argv_attr.h,
	util/argv_attr_print.c, util/argv_attr_scan.c.

20180425

	Cleanup: dnsblog proccesses now retire voluntarily after
	max_use*max_idle seconds. Files: master/mail_server.h,
	master/single_server.c, dnsblog/dnsblog.c.

20180429

	Documentation: smtpd_relay_restrictions was incorrectly
	listed before smtpd_recipient_restrictions. File:
	proto/SMTPD_ACCESS_README.html.

20180509

	Bugfix (introduced: 20170617): postconf(1) command segfault
	if unable to open a Postfix database configuration file due
	to a file permission error. Report by Andreas Hasenack, fix
	by Viktor Dukhovni.  File: postconf/postconf_dbms.c.

20180519

	Documentation: updated descriptions of PID 1 mode in manpages
	and source-code comments. Files: postfix/postfix.c,
	master/master.c, master/master_sig.c, util/killme_after.c.

	Documentation: document non-iterative lookup behavior
	in postmap(1) and postalias(1) manpages. Files: postmap/postmap.c,
	postalias/postalias.c.

	Cleanup: the init-mode change should not forbid the combined
	use of -D, -d and -w. File: master/master.c.

20180520

	Documentation: add backscatter remediation to the virtual(5)
	and canonical(5) manpages. Files: proto/virtual, proto/canonical.

	Bugfix (introduced: 20180425): broken implementation of
	voluntary dnsblog retirement after max_use*max_idle seconds.
	File: master/single_server.c.

20180531

	Documentation: bash syntax to eliminate or view default
	settings in "postconf -n" output. File: postconf/postconf.c.
	Contributed by various postfix-users list members.

20180603

	TLS reuse: serializer/deserializer support for TLS_DANE and
	related data structures. Files: tls/tls_proxy_client_print.c,
	tls/tls_proxy_client_scan.c, tls/tls_proxy.h, util/argv_attr.h,
	util/argv_attr_print.c, util/argv_attr_scan.c.

	TLS reuse: posttls-finger -X test flag for quick tests.
	File: posttls-finger/posttls-finger.c.

	TLS reuse: smtp_use_tlsproxy boolean parameter. This is a
	preliminary implementation that should support override via
	smtp_tls_policy_maps. Files: smtp.c, smtp_connect.c,
	smtp_params.c, smtp_proto.c, smtp_session.c.

	TLS reuse: the SMTP client now includes the requested TLS
	security level in the scache(8) key.

	TLS reuse: address-based reuse is allowed only for TLS
	levels that require no certificate checks. Perhaps it still
	makes sense to save such sessions for reuse by less sensitive
	deliveries. Files: smtp/smtp.h smtp/smtp_reuse.c.

20180604

	TLS reuse: smtp_tls_connection_reuse boolean parameter, and
	corresponding override with "connection_reuse" boolean
	attribute in smtp_policy_maps. Files: global/mail_params.h,
	smtp.c, smtp.h, smtp_params.c, smtp_proto.c, smtp_session.c,
	smtp_tls_policy.c. proto/postconf.proto. mantools/postlink.

20180605

	TLS reuse: updated TLS_README and CONNECTION_CACHE_README,
	added comments in tlsproxy.c to explain why it works.

20180617

	Bugfix (introduced: Postfix 2.11): minor memory leak when
	minting issuer certs. This affects a tiny minority of use
	cases. Fix by Viktor Dukhovni, based on a fix by Juan
	Altmayer Pizzorno for Viktor's ssl_dane library.

	Cleanup: support for longer timeouts after the TLS handshake,
	so that the tlsproxy server won't time out too soon, while
	the SMTP client waits for the end-of-data response. This
	tlxproxy timeout is a redundant safety feature for the case
	that the SMTP client does not enforce the SMTP-level time
	limit.  Files: tls/tls_proxy.h, tls/tls_proxy_clnt.c,
	tlsproxy/tlsproxy.c, posttls-finger/posttls-finger.c,
	postcreen/postscreen_starttls.c, smtp/smtp_proto.c.

	Cleanup: earlier purging of unexpected plaintext. Files:
	posttls-finger/posttls-finger.c, smtp/smtp_proto.c.

	Release: first production snapshot with multiple outbound
	deliveries per TLS-encrypted connection.

20180618

	Quick tlsproxy workaround: after the remote TLS peer shuts
	down TLS, allow unsent inbound plaintext to trickle out
	before tearing down the proxied connection.  This addresses
	a sporadic "lost connection after end-of-data" error in the
	Postfix SMTP client, and addresses a sporadic "lost connection
	after sending QUIT" error with "posttls-finger -X". File:
	tlsproxy/tlsproxy.c.

20180619

	Segfault: don't lookup the TLS security level for nexthop-based
	connection cache storage keys. The combination of (service,
	nexthop, etc.) should be stable enough over the time range
	of interest, and the policy is still enforced on an individual
	connection to an MX host, before that connection is stored
	under a nexthop- or host-based storage key. Files:
	smtp/smtp_connect.c, smtp/smtp.h.

20180620

	TLS connection reuse: save and restore the TLS level for a
	reused connection, so that the reused connection will be
	saved under a key that matches the connection's original
	TLS level. This was not a problem for destinations that
	require certificate verification, because we currently reuse
	connections that require certificate checks only if they
	are looked up by their nexthop destination. File:
	smtp/smtp_session.c.

	TLS connection reuse: with TLS level > encrypt, prohibit
	sharing of the same connection endpoint under different
	nexthops, by making the nexthop part of the endpoint-based
	connection cache lookup key. File: smtp/smtp.h.

20180623

	TLS connection reuse: replaced random logic with TLS_MUST_MATCH()
	when deciding under what conditions an authenticated
	connection may be reused.  Files: smtp/smtp_proto.c,
	smtp/smtp.h.

	TLS connection reuse: a tlsproxy(8) process will retire
	after max_idle*max_use, or some sane constant if either is
	set to zero.  Files: master/event_server.c, tlsproxy/tlsproxy.c.

	Documentation: automatic retirement. File: master/single_server.c.

	Documentation: the connection caching limitation for SMTP
	over TLS is now obsolete. File: proto/CONNECTION_CACHE_README.html.

20180701

	Incompatibility: the tlsproxy(8) daemon now requires a zero
	process limit in master.cf (this setting is provided with
	the default master.cf file). See RELEASE_NOTES for how to
	change the tlsproxy process limit. File: tlsproxy/tlsproxy.c.

20180707

	Bugfix (introduced: Postfix 3.0): with smtputf8_enable=yes,
	table lookups could casefold the search string when searching
	a lookup table that does not use fixed-string keys (regexp,
	pcre, tcp, etc.). Historically, Postfix would not case-fold
	the search string with such tables. File: util/dict_utf8.c.

	Cleanup: removed unimplemented VSTRING support to enforce
	a buffer size limit (by returning an error of sorts). In
	practice, the limit was enforced in smtp_get(). Also made
	the VSTRING inplementation more VSTREAM-compatible. Files:
	util/vstring.[hc], posttls-finger/posttls-finger.c,
	smtpstone/smtp-source.c.

	Cleanup: unused variable. File: postqueue/postqueue.c.

	Feature: VSTREAM support to "open" a VSTRING for read, write
	or append mode, enabling the reuse of existing stream-based
	code to serialize/deserialize Postfix data structures to/from
	memory. File: vstream.[hc].

	Cleanup: "make manpages" now generates a makedefs(1) manpage
	for publication on the web. Also cleaned up some makedefs(1)
	content. Files: man/Makefile.in, man/man1/makedefs.1,
	html/Makefile.in, html/makedefs.1.html.

20180708

	Cleanup: VSTREAM support to "open" a VSTRING: added
	vstream_ftell() support; documented what changes are needed
	before this can support vstream_fseek(), without breaking a
	VSTRING during vstream_fflush(); added a simple 'allow'
	filter for vstream_control() requests; added a unit test.
	File: util/vstream.c.

20180812

	Feature: smtpd_reject_footer_maps (as well as the postscreen
	variant postscreen_reject_footer_maps). This is indexed
	with the SMTP server response text, and overrides the footer
	specified with smtpd_reject_footer. Files: global/mail_params.h,
	mantools/postlink, postscreen/postscreen.c,
	postscreen/postscreen_send.c, postscreen/postscreen_smtpd.c,
	proto/postconf.proto, smtpd/smtpd.c, smtpd/smtpd_chat.c.

	Minor wordsmithing. File: makedefs.

20180823

	Bugfix (introduced: 20180812): postscreen_send.c did not
	build without warnings. Viktor Dukhovni.

20180824

	Cleanup: with SMTPUTF8 turned off, the MySQL and PgSQL maps
	accept only well-formed UTF-8 queries, and return NOT FOUND
	otherwise. This was in introduced in Postfix 3.0 for LDAP
	and SQLite, with no complaints coming forth. Files:
	global/dict_mysql.c, global/dict_pgsql.c.

20180805-20180825 Chunking support

	Cleanup: vbuf_get() now sets the EOF flag, so that reading
	from a VSTRING stream works as expected. File: util/vbuf.c.

	Cleanup: added an append-mode flag to functions that read
	a VSTRING from a stream. The historical APIs are preserved
	in the form of aliases. Files: util/vstring_vstream.[hc],
	global/smtp_stream.[hc].

	SMTP server support for CHUNKING (BDAT) per RFC 3030. The
	SMTP server is the only program that knows the difference
	between mail received with BDAT or DATA. Both use the same
	smtpd_data_restrictions and smtpd_end_of_data_restrictions,
	both send one Milter DATA event per mail transaction, and
	both send one DATA command ending in <CR><LF>.<CR><LF>
	to an smtpd_proxy_filter. Files: global/ehlo_mask.h,
	global/smtp_stream.c, global/smtp_stream.c, global/smtp_stream.h,
	postscreen/postscreen_smtpd.c, smtpd/smtpd.c, smtpd/smtpd.h,
	smtpd/smtpd_chat.c, smtpd/smtpd_chat.h, smtpd/smtpd_state.c.

	Cleanup: the postscreen(8) daemon now hangs up after receiving
	the DATA command. Justification: it should never receive DATA
	from a legitimate client, because 1) postscreen(8) rejects all
	recipients, and 2) postscreen(8) does not announce PIPELINING.
	This makes postscreen(8) DATA and BDAT behavior more
	consistent. File: postscreen/postscreen_smtpd.c.

	BDAT final touches: report accurate BDAT byte counts after
	timeout or lost connection; send DATA instead of BDAT in
	policy delegation protocol. Files: smtpd/smtpd.[hc],
	smtpd/smtpd_check.c.

	BDAT final touches: if the BDAT EHLO announcement is disabled,
	then smtpd(8) and postscreen(8) will not accept BDAT commands.
	Files: smtpd/smtpd.c, postscreen/postscreen_smtpd.c.

20180826

	Cleanup: with GSSAPI, the Postfix SMTP client's initial
	SASL response may be as large as 12288 bytes. When the "AUTH
	<method> <initial-response>" command would exceed the SMTP
	command length of 512 bytes, send the initial response
	during the SASL dialog. Viktor Dukhovni. File:
	smtp/smtp_sasl_glue.c.

	Cleanup: prepare the Postfix SMTP server needs to receive
	SASL responses that exceed the line_length_limit value.
	This introduces a new parameter smtpd_sasl_response_limit
	(default: 12288). Viktor Dukhovni.  Files: mantools/postlink,
	proto/postconf.proto, global/mail_params.h, smtpd/smtpd.c,
	smtpd/smtpd_chat.c, smtpd/smtpd_chat.h, smtpd/smtpd_sasl_glue.c.

20180827

	Miscellaneous documentation updates, and a correction in
	the byte count for sending a large SASL initial response.

20181014

	Cleanup: figured out why vstring_get() did not return
	VSTREAM_EOF in APPEND mode. File: util/vstring_vstream.c.

20180903

	Bugfix (introduced: 20180825): postscreen falsely claimed
	that the remote SMTP client was pipelining after sending
	BDAT. Found by Ralf Hildebrandt. File:
	postscreen/postscreen_smtpd.c.

20180904

	Bugfix (introduced: 20180812): parameter name error
	(postscreen_reject_footer should have been
	postscreen_reject_footer_maps). Noel Jones (finder) and
	Viktor Dukhovni (fixer).

20181104

	Multiple 'bit rot' fixes for OpenSSL API changes, including
	support to disable TLSv1.3, to avoid issuing multiple session
	tickets, and to allow OpenSSL >= 1.1.0 run-time micro version
	bumps without complaining about library version mismatches.
	Viktor Dukhovni. Files: proto/postconf.proto,
	proto/TLS_README.html, tls/tls.h, tls/tls_dane.c,
	tls/tls_server.c, tls/tls_misc.c

20181105

	Feature: "postmap -F" reads a source file with (key, filename)
	entries, and creates database records with (key, base64-encoded
	filecontent). This feature will be used for SNI lookup
	table support, where each key will be a domainname, and
	each value will contain a sequence of (private key, certificate
	hierarchy) for that domainname. The same 'value is filename'
	behavior is implemented in cidr:, inline:, pcre:, randmap:,
	regexp:, and static: maps if the application sets the flag
	DICT_FLAG_RHS_IS_FILE. In the forseeable future, this will
	be used for specific TLS features. Files: postmap/postmap.c,
	util/dict.c, util/dict.h, util/dict_cidr.c, util/dict_file.c,
	util/dict_inline.c, util/dict_pcre.c, util/dict_random.c,
	util/dict_regexp.c, util/dict_static.c.

20181106

	Bugfix (introduced: 3.0): smtpd_discard_ehlo_keywords could
	not disable "SMTPUTF8". because the lookup table was using
	"EHLO_MASK_SMTPUTF8" instead. File: global/ehlo_mask.c.

	Documentation: the postmap(1) manpage no longer refers to
	compatibility with Sendmail's makemap command. File:
	postmap/postmap.c.

	Cleanup: don't use ssize_t for boolean result. File:
	global/smtp_stream.c.

	Cleanup: memory leak caused by missing dbenv->close() call
	after failing to open a Berkeley DB table. File: util/dict_db.c.

20181112

	Improved logging of TLS 1.3 summary information, and improved
	reporting of the same info in Received: message headers.
	Viktor Dukhovni.  Files: proto/FORWARD_SECRECY_README.html,
	smtpd/smtpd.c, tls/tls.h, tls/tls_client.c, tls/tls_misc.c,
	tls/tls_proxy.h, tls/tls_proxy_context_print.c,
	tls/tls_proxy_context_scan.c, tls/tls_server.c.

20181116

	Library function to log TLS 1.3 summary information, and
	some wordsmithing of TLS context member names. Viktor
	Dukhovni.  Files: tls/tls.h, tls/tls_misc.c, tls/tls_proxy.h,
	tls/tls_proxy_context_print.c, tls/tls_proxy_context_scan.c,
	tls/tls_client.c, tls/tls_server.c, smtpd/smtpd.c,
	posttls-finger/posttls-finger.c.

	Cleanup: vstream_memopen() flags handling. File:
	util/vstream.c.

	Cleanup: the SMTP client now uses 'attr_print_plain'
	serialization and 'attr_scan_plain' deserialization for
	connection cache lookup keys, which now contain a serialized
	version of the TLS context. File: smtp/smtp_session.c.

20181117

	The Postfix SMTP client now logs whether an SMTP-over-TLS
	connection is newly established ("TLS connection established")
	or whether the connection is reused ("TLS connection reused").
	Files: smtp/smtp.h, smtp/smtp_proto.c, smtp/smtp_session.c.

	(20181117-nonprod) Unified summary logging in the SMTP
	client, SMTP server, and posttls-finger. Viktor Dukhovni.
	Files: tls/tls.h, tls/tls_misc.c, tls/tls_proxy.h,
	tls/tls_proxy_context_print.c, tls/tls_proxy_context_scan.c,
	tls/tls_client.c, src/tls/tls_server.c, smtpd/smtpd.c,
	posttls-finger/posttls-finger.c.

	(20181117-nonprod) Improved logging of TLS 1.3 summary
	information. On the server side this also affects the TLS
	information optionally recorded in "Received" headers.
	Viktor Dukhovni. Files: smtpd/smtpd.c, tls/tls.h,
	tls/tls_client.c, tls/tls_misc.c, tls/tls_proxy.h,
	tls/tls_proxy_context_print.c, tls/tls_proxy_context_scan.c,
	tls/tls_server.c.

	(20181117-nonprod) FORWARD_SECRECY examples with TLS 1.3
	logging. Viktor Dukhovni. File: proto/FORWARD_SECRECY_README.html.

20181118

	Cleanup, no behavior change: updated comments concerning
	connection reuse, and updated some identifiers to reflect
	current reality. Files: smtp_reuse.c, smtp_key.c, smtp_proto.c,
	smtp_tls_policy.c, smtp.h, smtp_connect.c.

20181119

	Bitrot: makedefs will use "pkg-config" to locate ICU build
	information, falling back to "icu-config" if "pkg-config"
	is not found. File: makedefs.

20181122

	Cleanup: tlsproxy loads the same TLS client configuration
	at pre-jail time as the Postfix SMTP client, so that secret
	keys can remain read-only for root. This is sufficient for
	MTAs that have a fixed TLS client identity. tlsproxy will
	log a warning if it is requested to assume a different TLS
	client identity, and will log suggestions for a workaround.
	The long-term solution is to stop loading certs/keys from
	files, and to use the same approach as planned for server-side
	SNI support: open a cert/key map at pre-jail time, and read
	cert/key information on-the-fly at post-jail time. Files:
	proto/postconf.proto, mantools/postlink, global/mail_params.h,
	tlsproxy/tlsproxy.c.

20181123

	Cleanup: tlsproxy now logs better instructions when a
	tls_client_init request specifies an unexpected client
	identity, and the test for that condition is now moved to
	the right place. File: tlsproxy/tlsproxy.c.

20181124

	Documentation: clarified the behavior of whitespace within
	"{}".  Files: proto/DATABASE_README.html, proto/postconf.proto,
	pipe/pipe.c, postconf/postconf.c,

20181125

	Cleanup: dict_file_to_xxx() takes a list of file names
	separated by CHARS_COMMA_SP. Shoe-horned into the existing
	API, make it nicer when there is time. File: util/dict_file.c.

20181127

	Cleanup: encapsulated clumsy 'read into VSTRING' code with
	easier-to-use vstream_fread_buf() and vstream_fread_app()
	primitives. Files: global/memcache_proto.c, global/record.c,
	global/smtp_stream.c, global/smtp_stream.h, global/uxtext.c,
	global/xtext.c, milter/milter8.c, util/dict_file.c,
	util/hex_quote.c, util/netstring.c, util/vstream.c,
	util/vstream.h. Verified with "make tests".

	Cleanup: simplified the smtp_fread() API (introduced for
	BDAT support), and changed the name to smtp_fread_buf().
	Files: global/smtp_stream.c, smtpd/smtpd.c. Verified with
	~megabyte BDAT commands.

	Cleanup: simplified a tlsproxy-internal API. File:
	tlsproxy/tlsproxy.c.

20181128

	Initial support for key/certificate chain files that will
	replace the proliferation of separate parameters for
	RSA/DSA/ECC/etc. key and certificate files. Viktor
	Dukhovni.

20181201

	Cleanup: replaced the remaining unsafe VSTRING_AT_OFFSET()
	calls with safe vstring_set_payload_size() calls, in code
	that directly writes into VSTRING. Files: tls/tls_session.c,
	tlsmgr/tlsmgr.c, util/casefold.c, util/vstring.c, util/vstring.h,
	xsasl/xsasl_cyrus_client.c.

	Cleanup: postscreen_command_time_limit did not need to be
	a 'raw' parameter. This makes "postconf -x" behavior more
	consistent. Files: global/mail_params.h, postscreen/postscreen.c.

	Documentation: added text that the following parameter
	values are not subject to Postfix parameter $name expansion:
	default_rbl_reply, command_execution_directory, luser_relay,
	smtpd_reject_footer. These have their own documented $name
	substitution mechanism. File: proto/postconf.proto.

20181202

	Bugfix: posttls-finger reported an error for UNIX-domain
	connections, even if they did not fail. Found by Coverity.
	File: posttls-finger/posttls-finger.c.

20181208

	Documentation: add even more redundancy to the rate-delay
	description. File: proto/postconf.proto.

20181210

	Cleanup: code deduplication. File: util/dict_file.c.

20181226

	Cleanup: code deduplication and better encapsulation with
	PSC_DEL_CLIENT_STATE() and PSC_DEL_SERVER_STATE() macros.
	Files: postscreen/postscreen.h, postscreen/postscreen_state.c.

	Documentation: POSTSCREEN_README did not describe the
	postscreen_post_queue_limit, and attributed the wrong reject
	message to the postscreen_pre_queue_limit. Problem reported
	by Michael Orlitzky. File: proto/POSTSCREEN_README.html.

	(20181226-nonprod) Compatibility: removed support for OpenSSL
	1.0.1 (not supported since December 31, 2016) and earlier
	releases. This eliminated a large number of #ifdefs with
	bitrot workarounds.  Viktor Dukhovni. Files: global/mail_params.h,
	posttls-finger/posttls-finger.c, tls/tls.h, tls/tls_certkey.c,
	tls/tls_client.c, tls/tls_dane.c, tls/tls_dh.c, tls/tls_misc.c,
	tls/tls_proxy_client_scan.c, tls/tls_rsa.c, tls/tls_server.c,
	tls/tls_session.c.

	(20181226-nonprod) Use the OpenSSL 1.0.2 and later API for
	setting ECDHE curves. Viktor Dukhovni. Files: tls/tls.h,
	tls/tls_client.c, tls/tls_dh.c.

	(20181226-nonprod) Documentation update for TLS support.
	Viktor Dukhovni. Files: mantools/postlink, proto/TLS_README.html,
	proto/postconf.proto, src/sendmail/sendmail.c, src/smtpd/smtpd.c.

20181229

	Explicit maps_file_find() and dict_file_lookup() methods
	that decode base64 content. Decoding content is not built
	into the dict->lookup() method, because that would complicate
	the implementation of map nesting (inline, thash), map
	composition (pipemap, unionmap), and map proxying.  For
	consistency, decoding base64 file content is also not built
	into the maps_find() method. Files: util/dict.h.
	util/dict_file.c, global/maps.[hc], postmap/postmap.c.

20190106

        Documentation: documented the SRC_RHS_IS_FILE flag in
        dict_open.c, and updated the -F description in the postmap
        manpage. Files: util/dict_open.c, postmap/postmap.c.

	(20190106-nonprod) Feature: support for files that combine
	multiple (key, certificate, trust chain) instances in one
	file, to avoid separate files for RSA, DSA, Elliptic Curve,
	and so on. Viktor Dukhovni. Files: .indent.pro,
	global/mail_params.h, posttls-finger/posttls-finger.c,
	smtp/lmtp_params.c, smtp/smtp.c, smtp/smtp_params.c,
	smtp/smtp_proto.c, smtpd/smtpd.c, tls/tls.h, tls/tls_certkey.c,
	tls/tls_client.c, tls/tls_proxy.h, tls/tls_proxy_client_print.c,
	tls/tls_proxy_client_scan.c, tls/tls_proxy_server_print.c,
	tls/tls_proxy_server_scan.c, tls/tls_server.c, tlsproxy/tlsproxy.c.

	(20190106-nonprod) Create a second, no-key no-cert, SSL_CTX
	for use with SNI. Viktor Dukhovni. Files: src/tls/tls.h,
	src/tls/tls_client.c, src/tls/tls_misc.c, src/tls/tls_server.c.

	(20190106-nonprod) Server-side SNI support. Viktor Dukhovni.
	Files: src/global/mail_params.h, src/smtp/smtp.c,
	src/smtpd/smtpd.c, src/tls/tls.h, src/tls/tls_certkey.c,
	src/tls/tls_misc.c, src/tlsproxy/tlsproxy.c,

	(20190106-nonprod) Configurable client-side SNI signal.
	Viktor Dukhovni. Files: global/mail_params.h,
	posttls-finger/posttls-finger.c, smtp/lmtp_params.c,
	smtp/smtp.c, smtp/smtp.h, smtp/smtp_params.c, smtp/smtp_proto.c,
	smtp/smtp_tls_policy.c, tls/tls.h, tls/tls_client.c,
	tls/tls_proxy.h, tls/tls_proxy_client_print.c,
	tls/tls_proxy_client_scan.c.

20190121

	Logging: support for internal logging file, without using
	syslog (it uses the new postlogd daemon instead). This
	solves a usability problem for MacOS, may help getting
	around systemd, and solves 99% of the problem for logging
	to stdout in a container (hopefully we have 100% soon).
	Enable by setting, for example, "maillog_file =
	/var/log/postfix.log").  This works fine for daemons, and
	with some limitations for non-daemon programs.  See
	RELEASE_NOTES for more details.  Files: conf/master.cf,
	conf/post-install, conf/postfix-files, conf/postfix-script,
	mantools/postlink, proto/master, proto/postconf.proto,
	global/mail_params.c, global/mail_params.h, global/mail_proto.h,
	global/maillog_client.c, global/maillog_client.h,
	master/dgram_server.c, master/event_server.c, master/mail_server.h,
	master/master.c, master/master.h, master/master_ent.c,
	master/master_listen.c, master/master_proto.h,
	master/master_wakeup.c, master/multi_server.c,
	master/single_server.c, master/trigger_server.c,
	postalias/postalias.c, postconf/postconf_master.c,
	postdrop/postdrop.c, postfix/postfix.c, postkick/postkick.c,
	postlog/postlog.c, postlogd/postlogd.c, postmap/postmap.c,
	postmulti/postmulti.c, postqueue/postqueue.c,
	postsuper/postsuper.c, sendmail/sendmail.c, util/connect.h,
	util/listen.h, util/logwriter.c, util/logwriter.h,
	util/msg_logger.c, util/msg_logger.h, util/msg_output.c,
	util/msg_output.h, util/unix_dgram_connect.c,
	util/unix_dgram_listen.c.

	Cleanup: cert/key/chain loading, plus unit tests to exercise
	non-error and error cases. Viktor Dukhovni. Files: tls/*.pem,
	tls*.pem.ref, tls/tls_certkey.c.

20190126

	Safety: Postfix programs will log to either syslog or postlog
	but not both; and postlogd forwards postlog logging to
	syslog, when a configuration change removes the maillog_file
	pathname, but some programs still use the old configuration.
	Files: util/msg_syslog.[hc], util/msg_logger.c,
	global/maillog_client.c, postlogd/postlogd.c,

	Bugfix (introduced: Postfix 20110109, Postfix 2.10): watchdog
	pipe file descriptor leak. This pipe provides one source
	of liveness, data from this pipe is discarded, and therefore
	this does not enable privilege escalation or DOS. File:
	util/watchdog.c.

	Feature: stdout logging support; requires "postfix start-fg"
	and "maillog_file = /dev/stdout". Files: master/master.c,
	conf/postfix-script.

20190127

	Safety: when maillog_file is specified, 'postfix check' now
	requires that the postlog service is enabled in master.cf.
	Otherwise 'postfix start' etc. will log a fatal error. File:
	conf/postfix-script.

	Documentation: added policy_context example. File:
	proto/SMTPD_POLICY_README.html.

20190128

	Testing: run libtls tests under Valgrind. File tls/Makefile.in.

20190129

	Safety: require that $maillog_file matches one of the
	pathname prefixes specified in $maillog_file_prefixes. The
	maillog file is created by root, and the prefixes limit the
	damage from a single configuration error. Files:
	global/mail_params.[hc], global/maillog_client.c.

20191201

	Feature: "postfix logrotate" command with configurable
	compression program and datestamp filename suffix. File:
	conf/postfix-script.

20190202

	Cleanup: log a warning when the client sends a malformed
	SNI; log an info message when the client sends a valid SNI
	that does not match the SNI lookup tables; update the
	FORWARD_SECRECY_README logging examples. Viktor Dukhovni.
	Files: proto/FORWARD_SECRECY_README.html, tls/tls.h,
	tls/tls_client.c, tls/tls_misc.c.

20190208

	Debugging: the master(8) daemon now logs a warning if a
	master.cf entry is defined multiple times. File:
	src/master/master_conf.c.

20190209

	Debugging: tlsproxy(8) now logs more details about unexpected
	configuration differences between the Postfix SMTP client
	and the tlsproxy(8) daemon.

20190210

	Documentation: Postfix 3.4.0 RELEASE NOTES.

	Documentation: added BDAT_README.

	Documentation: global TLS settings. Files: mantools/postlink,
	smtp/smtp.c, tlsproxy/tlsproxy.c.

20190211

	Cleanup: removed obsolete parameters: tls_dane_digest_agility,
	tls_dane_trust_anchor_digest_enable; removed openssl_path
	parameter from configuration difference checks in tlsproxy.
	Files: global/mail_params.h, tls/tls_misc.c,
	tls/tls_proxy_client_misc.c, tls/tls_proxy_client_print.c,
	tls/tls_proxy_client_scan.c, tls/tls_proxy.h.

20190212

	Cleanup: missing #ifdef USE_TLS. Files: smtp/smtp_session.c,
	posttls-finger/posttls-finger.c.

20190217

	Cleanup: when the master daemon runs with PID=1 (init mode),
	reap orhpan processes from non-Postfix code running in the
	same container, instead of terminating with a panic. File:
	master/master_spawn.c.

20190218

	Bugfix: tlsproxy did not enable DANE-style PKI because
	libtls seems to have to accreted multiple init functions
	instead of reusing the tls_client_init() and tls_client_start()
	API. And some functions that do initialization don't even
	have init in their name! Problem report by Andreas Schulze.
	Viktor Dukhovni. Files: tls/tls_misc.c, tlsproxy/tlsproxy.c.

	Workaround: Postfix libtls makes DANE-specific changes to
	the shared SSL_CTX. To avoid false sharing, tlsproxy needs
	to label the SSL_CTX cache with DANE bits until we can
	remove the code that modifies SSL_CTX. File: tlsproxy/tlsproxy.c.

	Cleanup: Postfix libtls changed the shared SSL_CTX to
	override ciphers. instead of changing the SSL handle. To
	avoid false sharing in tlsproxy, the changes are now made
	to the SSL handle. Viktor Dukhovni. Files: tls/tls.h,
	tls/tls_client.c, tls/tls_misc.c, tls/tls_server.c.

20190219

	Bugfix: in the Postfix SMTP client, TLS wrappermode was not
	tested in tlsproxy mode. It needed some setup for buffering
	and timeouts. Problem report by Andreas Schulze. File:
	smtp/smtp_proto.c.

20190226

	Documentation: postconf(1) and DATABASE_README were out of
	sync. Added a note that this should be deduplicated. File:
	proto/DATABASE_README.html.

20190227

	Documentation: strict_smtputf8 in SMTPUTF8_README.

20190304

	Bugfix: a reversed test broke TLS configurations that specify
	the same filename for a private key and certificate. Reported
	by Mike Kazantsev. Fix by Viktor Dukhovni. Wietse fixed the
	test. Files: tls/tls_certkey.c, tls/Makefile.in.

20190310

	Bitrot: LINUX5s support, after some sanity checks with a
	rawhide prerelease version. Files: makedefs, util/sys_defs.h.

	Bugfix (introduced: 20181226): broken DANE trust anchor
	file support, caused by left-over debris from the 20181226
	TLS library overhaul. By intrigeri. File: tls/tls_dane.c.

	Bugfix (introduced: Postfix-1.0.1): null pointer read, while
	logging a warning after reading a corrupted bounce log file.
	File: global/bounce_log.c.

	Bugfix (introduced: Postfix-2.9.0): null pointer read, while
	logging a warning after a postscreen_command_filter read
	error. File: postscreen/postscreen_smtpd.c.

20190312

	Bugfix (introduced: Postfix 2.2): reject_multi_recipient_bounce
	has been producing false rejects starting with the Postfix
	2.2 smtpd_end_of_data_restrictons, and for the same reasons,
	did the same with the Postfix 3.4 BDAT command. The latter
	was reported by Andreas Schulze. File: smtpd/smtpd_check.c.

20190319

	With message_size_limit=0 (which is NOT DOCUMENTED), BDAT
	chunks were always too large. Reported by Thorben Thuermer.
	fix by Viktor Dukhovni. File: src/smtpd/smtpd.c.

20190328

	Bugfix (introduced: Postfix 3.0): LMTP connections over
	UNIX-domain sockets were cached but not reused, due to a
	cache lookup key mismatch. Therefore, idle cached connections
	could exhaust LMTP server resources, resulting in two-second
	pauses between email deliveries. This problem was investigated
	by Juliana Rodrigueiro. File: smtp/smtp_connect.c.

20190331

	Documentation: tlsext_padding is not a tls_ssl_options
	feature. File: proto/postconf.proto.

20190401

	Portability: to avoid a compile-time error on Solaris, added
	"#undef sun" to util/unix_dgram_connect.c.

20190403

	Bugfix (introduced: Postfix 2.3): a censoring filter broke
	multiline Milter responses for header/body events. Problem
	report by Andreas Thienemann. Files: util/printable.c,
	util/stringops.h, smtpd/smtpd.c.

	Bugfix (introduced: Postfix 3.3): "smtp_mx_address_limit = 0"
	no longer meant 'unlimited'. Problem report by Luc Pardon.
	File: smtp/smtp_addr.c.

20190427

	Cleanup: normalize the IP address string forms received with
	XCLIENT, XFORWARD, and HaProxy, for consistency with address
	information for direct connections to Postfix, and add unit
	tests. This casefolds and removes redundant nulls from the
	string representation of an IPv6 address, normalizes the
	"IPv6:" address prefix of RFC 2821 IPv6 address forms, and
	converts IPv4 address octets with leading zeros (octal form)
	into decimal form. Files: global/haproxy.c,
	global/normalize_mailhost_addr.[hc], smtpd/smtpd.c.

	Incompatibility: this may change the appearance of logging,
	and the way that check_client_access will match subnets of
	an IPv6 address.

20190428

	Cleanup: replace "(whatever *) 0" with meaningfully-named
	constants. Sheesh. File: smtpd/smtpd.c.

	Documentation: BASIC_CONFIGURATION_README example default
	setting was not updated after Postfix 3.0 change. File:
	proto/BASIC_CONFIGURATION_README.html

20190505

	Workaround: uClibc has no res_send. Log a warning if this
	code path would be used, and ignore dns_ncache_ttl_fix_enable.
	Files: util/sys_defs.h, dns/dns_lookup.c, TODO: makedefs
	and INSTALL documentation.

20190516

	Initial search order support for check_ccert_access. The
	default behavior is backwards-compatible. This is work in
	progress; see the RELEASE_NOTES for examples.  Files:
	global/map_search.[hc], smtpd/smtpd_check.c.

20190517

	Bugfix: postconf mis-parsed text starting with "{" such as
	"check_ccert_access { inline:{a=b} { search_order=c,d } }".
	Fixed by adding another level of recursion. File:
	postconf/postconf_dbms.c.

20190525

	Infrastructure: reject_deliver_request() to reject an entire
	delivery request and bounce or defer all its recipients.
	File: global/reject_deliver_request.c.

20190609

	Infrastructure: byte_mask() to convert "flags=mumble" into
	a byte mask. This is similar to name_mask(). Files:
	util/byte_mask.[hc] and tests.

20190615

	Dovecot usability: SMTP/LMTP client support for 'D', 'O',
	'R', 'X' flags similar to the pipe(8) daemon, to produce
	Delivered-To, X-Original-To, and Return-Path headers, and
	to indicate final delivery. Files: smtp/smtp.c, smtp/smtp.h,
	smtp/smtp_misc.c, smtp/smtp_proto.c, smtp/smtp_rcpt.c.

	Workaround for implementations that hang Postfix while
	shutting down a TLS session, until Postfix times out. With
	"tls_fast_shutdown_enable = yes" (the default), Postfix no
	longer waits for the TLS peer to respond to a TLS 'close'
	request. This is recommended with TLSv1.0 and later. Files:
	global/mail_params.h, tls/tls_session.c, and documentation.

20190618

	Documentation: corrected comments about the code change to
	not wait for the TLS peer's response after sending a TLS
	'close' notification. Viktor Dukhovni. Files: HISTORY,
	RELEASE_NOTES, proto/postconf.proto smtp/smtp.c smtpd/smtpd.c
	tlsproxy/tlsproxy.c

20190621

	Workaround: don't reuse an SMTP connection after an SMTP
	protocol error. This limits the impact of, for example,
	pipelining synchronization errors. File: smtp/smtp_trouble.c.

	Bugfix (introduced: Postfix 3.0): the code to reset Postfix
	SMTP server command counts was not called after a HaProxy
	handshake failure, causing stale numbers to be reported.
	The command counts are now reset in the function that reports
	the counts. Problem report by Joseph Ward. File: smtpd/smtpd.c.

20190719

	Bitrot: OpenBSD stopped having /dev/arandom 8 years ago.
	Brad Smith. File: util/sys_defs.h.

20190723

	Bugfix: the documentation said tls_fast_shutdown_enable,
	but the code said tls_fast_shutdown. Viktor Dukhovni. Changed
	the code because no-one is expected to override the default.
	File: global/mail_params.h.

20190724

	Cleanup: proxymap(8) support for table search order syntax.
	File: proxymap/proxymap.c.

	Safety: vstring_set_payload_size() now checks that the
	payload has not overwritten the safety terminator at the
	end of the VSTRING buffer. File: util/vstring.c.

20190813

	Documentation: access(5) map network address pattern syntax.
	File: proto/access.

20190820

	Workaround for poor TCP loopback performance on LINUX, where
	getsockopt(..., TCP_MAXSEG, ..) reports a TCP maximal segment
	size that is 1/2 to 1/3 of the MTU. For example, with kernel
	5.1.16-300.fc30.x86_64 the TCP client and server announce
	an mss of 65495 in the TCP handshake, but getsockopt()
	returns 32741 (less than half). As a matter of principle,
	Postfix won't turn on client-side TCP_NODELAY because that
	hides application performance bugs, and because that still
	suffers from server-side delayed ACKs. Instead, Postfix
	avoids sending "small" writes back-to-back, by choosing a
	VSTREAM buffer size that is a multiple of the reported MSS.
	This workaround bumps the multiplier from 2x to 4x. File:
	util/vstream_tweak.c.

20190825

	Bugfix (introduced: 20051222): the Dovecot client could
	segfault (null pointer read) or cause an SMTP server assertion
	to fail when talking to a fake Dovecot server. The client
	now logs a proper error instead. Problem reported by Tim
	Düsterhus. File: xsasl/xsasl_dovecot_server.c.

20190908

	Documentation: updated postconf(5) description of the
	tls_server_sni_maps configuration parameter. Viktor Dukhovni.
	File: proto/postconf.proto.

20190914

	Bugfix (introduced: Postfix 3.4): don't whitewash OpenSSL
	error results after a plaintext output error. The code could
	loop, and with some OpenSSL error results could flood the
	log with error messages (see below for a specific case).
	Problem reported by Andreas Schulze. File: tlsproxy/tlsproxy.c.

	Bitrot: don't invoke SSL_shutdown() when the SSL engine
	thinks it is processing a TLS handshake. The commit at
	https://github.com/openssl/openssl/commit/64193c8218540499984cd63cda41f3cd491f3f59
	changed the error status, incompatibly, from SSL_ERROR_NONE
	into SSL_ERROR_SSL. File: tlsproxy/tlsproxxy.c.

20190918

	Cleanup: the nbbio(3) library now accepts a sequence of
	nbbio_enable_read() calls or a sequence of nbbio_enable_write()
	calls. This allows tlsproxy(8) to reset an I/O timer after
	each event without having to make an nbbio_disable_readwrite()
	call. Files: util/nbbio.c, tlsproxy/tlsproxy.c.

20191013

	Cleanup: code pattern ENFORCING_SIZE_LIMIT() for more
	consistent enforcement of the 'no size limit' case (it now
	requires "> 0" where previous code used "!= 0" or "> 0").
	More relevant, this explicit pattern will help finding code
	that does not implement the 'no size limit' case with
	var_message_limit, etc. Files: cleanup/cleanup_init.c,
	local/local.c, postdrop/postdrop.c, postscreen/postscreen_smtpd.c,
	sendmail/sendmail.c, smtpd/smtpd.c, smtpd/smtpd_check.c,
	util/netstring.c, util/sys_defs.h, virtual/virtual.c.

	Cleanup; with message_size_limit>0, local(8) and virtual(8)
	mailbox size limit checks would produce a misleading error
	message when the mailbox size was unlimited. Files:
	local/local.c, virtual/virtual.c.

	Cleanup: queue_minfree changed from 'int' to 'long'. File:
	global/mail_params.h, src/smtpd/smtpd.c.

	Attribution: updated AUTHOR in file headers. Files:
	global/bounce_log.c, global/deliver_request.h, smtp/smtp_chat.c,
	smtp/smtp_rcpt.c, tls/tls_certkey.c, util/nbbio.c,
	util/vstream_tweak.c.

20191014

	Bugfix (introduced: Postfix 2.8): don't gratuitously enable
	all after-220 tests when only one such test is enabled.
	This made selective tests impossible with 'good' clients.
	File: postscreen/postscreen_smtpd.c.

	Bugfix: the 20180903 postscreen fix for a misleading
	"PIPELINING after BDAT" warning looked at the wrong variable.
	The warning now says "BDAT without valid RCPT", and the
	error is no longer treated as a command PIPELINING error
	(but sending BDAT is still a client error, because postscreen
	rejects all RCPT commands and does not announce PIPELINING
	support). File: postscreen/postscreen_smtpd.c.

20190922

	Documentation: replaced the link to "Suite B" cryptography
	with a link to web.archive.org. File: proto/postconf.proto.

20191109

	Cleanup: Postfix daemon processes now log the from= and to=
	addresses in external (quoted) form in non-debug logging
	(info, warning, etc.). This is consistent with the address
	form that Postfix 3.2 and later prefer for table lookups.
	It is therefore the more useful form for non-debug logging.
	Files: cleanup/cleanup.c, cleanup/cleanup_message.c,
	cleanup/cleanup_milter.c, global/info_log_addr_form.c,
	global/info_log_addr_form.h, global/log_adhoc.c,
	global/mail_params.c, global/mail_params.h, global/opened.c,
	local/local.c, oqmgr/qmgr.c, oqmgr/qmgr_active.c,
	pickup/pickup.c, pipe/pipe.c, postscreen/postscreen.c,
	postscreen/postscreen_smtpd.c, proto/postconf.proto,
	qmgr/qmgr.c, qmgr/qmgr_active.c, smtp/smtp.c, smtpd/smtpd.c,
	smtpd/smtpd_check.c, virtual/virtual.c.

	Usability: the parser for key/certificate chain files
	rejected inputs that contain an EC PARAMETERS object. While
	this is technically correct (the documentation says what
	types are allowed) this is surprising behavior because the
	legacy cert/key parameters will accept such inputs. For
	now, the parser skips object types that it does not know
	about usability, and logs a warning because ignoring inputs
	is not kosher. Viktor and Wietse. File: tls/tls_certkey.c.

20191201

	Compatibility: added '_' to the milter_connect_macros default
	value. Reportedly some software produces an ugly warning
	message if Postfix does not send the macro, and there is
	no harm in sending it. File: global/mail_params.h.

20191214

	Bugfix (introduced: Postfix 3.1): support for
	smtp_dns_resolver_options was broken while adding support
	for negative DNS response caching in postscreen. Postfix
	was inadvertently changed to call res_query() instead of
	res_search(). Reported by Jaroslav Skarvada. File:
	dns/dns_lookup.c.

	Bugfix: sanitize server responses before storing them in
	the verify database, to avoid Postfix warnings about malformed
	UTF8. File: verify/verify.c.

20191215

	Future proofing: the Postfix DNS library logs a warning if
	the DNS_REQ_FLAG_NCACHE_TTL dns_lookup flag is set and the
	RES_DNSRCH or RES_DEFNAMES resolver flags are set, and
	disables those resolver flags. File: dns/dns_lookup.c.

20191230

	Documentation: added the 'X' flag (final delivery) to the
	pipe-based final delivery examples in the default master.cf
	file. File: conf/master.cf

20201005

	Workaround: postlog clients open the socket before entering
	the chroot jail and before dropping privileges. This is needed
	on MacOS and would not hurt otherwise. Files: util/msg_logger.[hc],
	global/maillog_client.c.

20200108

	UI cleanup: SMTP (and LMTP) client support for a list of
	nexthop destinations separated by comma or whitespace. These
	will be tried in the specified order. The list form can be
	specified in relayhost, transport_maps, default_transport,
	and sender_dependent_default_transport_maps.  Examples:
	"relayhost = foo.example, bar.example", and "default_transport
	= smtp:foo.example, bar.example". Files: smtp/smtp.c,
	smtp/smtp_connect.c, trivial-rewrite/resolve.c, proto/transport,
	proto/postconf.proto, global/mail_params.c.

20200112

	[initially released as part of postfix-20200101-nonprod]
	Refactored the haproxy infrastructure in preparation for
	haproxy version 2 support. This is necessary because version
	2 introduces a dependency of the reader on the parser.
	Additionally, version 2 introduces support for non-proxied
	connections (used by health checks). Files: global/haproxy_srvr.c,
	smtpd/smtpd_peer.c, smtpd/smtpd_haproxy.c, smtpd/smtpd.h,
	postscreen/postscreen.h, postscreen/postscreen_endpt.c,
	postscreen/postscreen_haproxy.c, postscreen/postscreen_haproxy.h,
	global/haproxy_srvr.h. Initial release 3.5-20200101-nonprod.

	[initially released as part of postfix-20200105-nonprod]
	Support for the haproxy v2 protocol. The haproxy v2 protocol
	support is limited to TCP over IPv4 and TCP over IPv6. It
	also supports non-proxied connections (typically used for
	heartbeat tests). File: global/haproxy_srvr.c.

	[initially released as part of postfix-20200105-nonprod]
	Cleanup: after haproxy handshake error, the Postfix SMTP
	daemon now logs the proxy connection information instead
	of unknown/unknown, and replies with "421 4.3.0 $myhostname
	Server local error" instead of just hanging up. Error
	details are logged to the maillog file. File: smtpd/smtpd.c.

	Cleanup: miscellaneous comments, constants, error checks,
	no normal behavior change. Files: global/haproxy_srvr.c,
	postscreen/postscreen_haproxy.c.

20200126

	Cleanup: missing 'extern' declarations in some header files.
	Eray Aslan. Files: global/mail_params.h, postconf/postconf.h,
	smtpd/smtpd_expand.h, trivial-rewrite/trivial-rewrite.h

	Typos: Viktor Dukhovni. File: HISTORY.

	Documentation: haproxy2 support. File: proto/postconf.proto.

20200120

	[initially released as part of postfix-20200125-nonprod]
	Feature: forced message expiration. The "postsuper -e"
	option sets an 'expired' bit on one or more messages selected
	by their message ID. The queue manager returns a message
	as undeliverable when it moves the message to the active
	queue. Messages in the hold queue stay in that queue.

	If a force-expired message was deferred, then it is returned
	with the reason for the delay. Otherwise, the message is
	returned with "message is administratively expired". Design
	by Wietse; Viktor suggested using the group execute permission
	bit. Files: global/mail_queue.h, *qmgr/qmgr.h, *qmgr/qmgr_active.c,
	*qmgr/qmgr_message.c, postsuper/Makefile.in, postsuper/postsuper.c.

20200125

	[initially released as part of postfix-20200125-nonprod]
	Added support for "postsuper -f" to expire and optionally
	release a message. Restructured the postsuper command so
	that it will execute actions in the order of the -[defhr]
	flags, instead of using an invisible fixed internal order.
	The -e and -f options are idempotent (just like -h and -H).
	Adjusted the summary at the end to make this more clear.
	File: postsuper/postsuper.c.

20200126

	[initially released as part of postfix-20200126-nonprod]
	Updated the mailq/postqueue commands to make forced message
	expiration status available. In ASCII ouput this is indicated
	with "#" appended to the queue file name, and in JSON output
	this is indicated with the boolean "force_expired" attribute.
	Files: showq/showq.c, postqueue/showq_compat.c,
	postqueue/showq_json.c.

	[initially released as part of postfix-20200126-nonprod]
	Cleanup: minor tweaks to comments and code.

	Safety: give maildrop queue files more time (week instead
	of day) to reach completion, in case a message is submitted
	by a really long-running program. File: postsuper/postsuper.c.

	Cleanup: postsuper manpage indentation, word abbreviation.
	Files: mantools/postlink, postsuper/postsuper.c.

20200202

	Cleanup: nags about strcpy()/sprintf() from naive checkers.
	Files: global/mail_conf_int.c, global/mail_conf_long.c,
	global/mail_conf_nint.c, global/mail_conf_time.c,
	global/maillog_client.c, util/mymalloc.c.

	Documentation: rephrased the postconf(5) manual page entry
	for milter_default_action. File: proto/postconf.proto.

	Bugfix (introduced: Postfix 2.5): Milter SMTP connect event
	macros were evaluated before the Postfix-to-Milter connection
	had been negotiated. Problem reported by David Bürgin.
	Files: milter/milter.h, milter/milter.c, milter/milter8.c

20200308

	Cleanup: spellchecks, attributions. Files: HISTORY,
	auxiliary/name-addr-test/gethostbyaddr.c,
	auxiliary/name-addr-test/getnameinfo.c, proto/postconf.proto,
	global/haproxy_srvr.c, global/mail_version.h, global/map_search.c,
	global/map_search.h, postsuper/postsuper.c, smtp/smtp.c,
	smtp/smtp_misc.c, smtpd/smtpd.c, smtpd/smtpd_check.c,
	smtpd/smtpd_expand.h, tls/tls_client.c, tls/tls_server.c,
	tlsproxy/tlsproxy.c, trivial-rewrite/trivial-rewrite.h,
	util/byte_mask.c, util/vstream_tweak.c.

	Cleanup: bitrot in tests. File: cleanup/cleanup_milter.c.

	Cleanup: harmless memory leak in postconf. File:
	postconf/postconf_master.c.

	Bugfix (introduced: Postfix 2.3): panic with Postfix
	multi-Milter configuration during MAIL FROM. Milter client
	state was not properly reset after one of the Milters failed.
	Reported by WeiYu Wu.

20200312

	Usability: the Postfix SMTP server now logs a warning when
	a configuration requests access control by client certificate,
	but "smtpd_tls_ask_ccert = no". Files: proto/postconf.proto,
	smtpd/smtpd_check.c.

20200316

	Removed the issuer_cn and subject_cn matches from
	check_ccert_access. Files: smtpd/smtpd_check.c,
	proto/postconf.proto.

20200407

	Helper script by Viktor Dukhovni to report TLS information
	per message delivery. This processes output from the
	collate.pl script. Files: auxiliary/collate/README.tlstype,
	auxiliary/collate/tlstype.pl.

20200416

	Workaround for broken builds after an incompatible change
	in GCC 10. Files: makedefs, Makefile.in.

	Workaround for broken DANE support after an incompatible
	change in GLIBC 2.31. This avoids the need for new options
	in /etc/resolv.conf. Files: dns/dns.h, dns/dns_lookup.c.

	Misc fixes for gcc 'multiple definition' errors. Files:
	master/master_vars.c, smtp/smtp.c, proxymap/proxymap.c.

20200419

	Bugfix (introduced: Postfix 3.4): segfault in the tlsproxy
	client role when the server role was disabled. This typically
	happens with a first-time Postfix install and after configuring
	only outbound TLS. Found during program maintenance. File:
	tlsproxy/tlsproxy.c.

20200420

	Noise suppression: shut up a compiler that special-cases
	string literals. Viktor Dukhovni. File milter/milter.c.

20200422

	Security: disable DANE support on Alpine Linux because
	libc-musl provides no indication whether DNS responses are
	authentic. This broke DANE support without a clear explanation.
	File: makedefs.

20200425

	Robustness: enable the socket option SO_REUSEPORT_LB or
	SO_REUSEPORT on systems that support it. It allows multiple
	processes to create distinct listen sockets for the same
	address and port, and makes Postfix easier to restart.
	However, with a SHARED listen socket as used in Postfix,
	kernel-based load balancing does not help, and Postfix still
	requires locking to avoid waking up multiple processes when
	a connection arrives. Files: util/inet_listen.c,

20200502

	Documentation: update SNI support status in TLS_README.
	File: proto/TLS_READNE.html.

20200503

	Portability: declaration should be before executable
	statement. File: util/msg_logger.c.

	Portability: replace res_xxx() calls with res_nxxx() not
	because those are threadsafe, but because new features are
	being added there. To build old style, build with "make
	makefiles CCARGS="-DNO_RES_NCALLS...". Files: makedefs.
	util/sys_defs.h, dns/dns_lookup.c.

	Portability: libc-musl does not have res_nxxx() support,
	so it builds with -DNO_RES_NCALLS.

20200505

	Noise suppression: shut up a compiler that special-cases
	string literals. Viktor Dukhovni. File smtpd/smtpd_check.c.

	Portability: not all supported systems have ldd(1). Viktor
	Dukhovni. File: makedefs.

20200509

	Bugfix (introduced: Postfix 3.4): maillog_file_rotate_suffix
	default value used the minute instead of the month. Reported
	by Larry Stone. Files: conf/postfix-tls-script,
	proto/MAILLOG_README.html, proto/postconf.proto.

20200510

	Bitrot: avoid U_FILE_ACCESS_ERROR after chroot(), by
	initializing the ICU library before making the chroot()
	call. Files: util/midna_domain.[hc], global/mail_params.c.

20200511

	Noise suppression: avoid "SSL_Shutdown:shutdown while in
	init" warnings. File: tls/tls_session.c.

	Debugging: with a single -v, the cleanup server now also
	logs output envelope records, so that one -v option shows
	the input and output. File: cleanup_out.c.

20200515

	Bugfix (introduced: Postfix 2.2): a TLS error for a PostgreSQL
	client caused a false 'lost connection' error for an SMTP
	over TLS session in the same Postfix process. Reported by
	Alexander Vasarab, diagnosed by Viktor Dukhovni. File:
	tls/tls_bio_ops.c.

	Bugfix (introduced: Postfix 2.8): a TLS error for one TLS
	session may cause a false 'lost connection' error for a
	concurrent TLS session in the same tlsproxy process. File:
	tlsproxy/tlsproxy.c.

20200518

	Documentation: updated the wording of recent HISTORY entries,
	based on the text in the 20200516 stable releases.

20200521

	Cleanup: the value of __RES (defined in resolv.h) determines
	whether the res_nxxx() API is available. Credit to Rich
	Felker. Files: util/sys_defs.h, dns/dns_lookup.c.

20200522

	Cleanup: the postconf command builds with -fno-common.
	Files: makedefs, Makefile.in, postconf/extract.awk,
	postconf/install_vars.h.

20200523

	Cleanup: the 20200503 change did not prevent direct access
	to the obsolete h_errno variable in smtpd_checks.c. This
	variable may still be updated, but we should not count on
	that. Files: dns/dns.h, dns/dns_lookup.c, smtpd/smtpd_check.c.

	Cleanup: unit tests now build with -fno-common. Files:
	global/server_acl.c, smtpd/smtpd_check.c, global/strip_addr.c,
	proxymap/proxymap.c.

20200525

	Documentation: revised text about TLS connection reuse.
	File: proto/CONNECTION_CACHE_README.html

20200530

	Bugfix (introduced: Postfix 3.1): "postfix tls deploy-server-cert"
	did not handle a missing optional argument. File:
	conf/postfix-tls-script.

20200531

	Debugging: per-nexthop SMTP client "debug peer" logging so
	that we can also see what happens before, between, and after
	SMTP sessions; add explicit SMTP client debug logging for
	non-DNS host lookups.  Files: smtp/smtp.c, proto/postconf.proto,
	smtp/smtp_addr.c, smtp/smtp.c, smtp/smtp.h, smtp/smtp_session.c,
	smtp/smtp_state.c.

	Postfix delivery agents now log an explicit record when
	delegating delivery to a different Postfix delivery agent.
	Example: "postfix/smtp[pid] queueid: passing <recipient>
	to transport=local". This makes the delegating delivery
	agent visible, where it would otherwise have remained
	invisible, which would complicate troubleshooting. File:
	global/deliver_pass.c.

20200610

	Respectful code: replace 'slave' in internal identifiers
	and comments, and make the master(5) description more
	consistent with that in master(8). Postfix does not have a
	master/slave architecture, and these identifiers and comments
	were just poorly worded. Files: conf/postmulti-script,
	html/master.5.html, man/man5/master.5, proto/master,
	global/dsb_scan.c, global/dsb_scan.h, global/dsn_print.c,
	global/dsn_print.h, global/msg_stats.h, global/msg_stats_print.c,
	global/msg_stats_scan.c, global/rcpt_buf.c, global/rcpt_buf.h,
	global/rcpt_print.c, global/rcpt_print.h, milter/milter.h,
	milter/milter_macros.c, tls/tls_proxy.h,
	tls/tls_proxy_client_print.c, tls/tls_proxy_client_scan.c,
	tls/tls_proxy_context_print.c, tls/tls_proxy_context_scan.c,
	tls/tls_proxy_server_print.c, tls/tls_proxy_server_scan.c,
	util/argv_attr.h, util/argv_attr_print.c, util/argv_attr_scan.c,
	util/attr.h, util/attr_print0.c, util/attr_print64.c,
	util/attr_print_plain.c, util/attr_scan0.c, util/attr_scan64.c,
	util/attr_scan_plain.c.

	Bugfix (introduced: Postfix 3.4): in the Postfix SMTP server,
	the SNI callback reported an error when it was called a
	second time. This happened after the server-side TLS engine
	sent a TLSv1.3 HelloRetryRequest (HRR) to a remote SMTP
	client. Reported by Ján Máté, fixed by Viktor Dukhovni.
	File: tls/tls_misc.c.

20200617

	Bugfix (introduced: Postfix 3.4): the connection_reuse
	attribute in smtp_tls_policy_maps resulted in an "invalid
	attribute name" error. Fix by Thorsten Habich. File:
	smtp/smtp_tls_policy.c.

20200618

	Documentation: documented that smtp_line_length_limit=0
	disables the feature, and made this more explicit in the
	code by using the ENFORCING_SIZE_LIMIT macro. Files:
	proto/postconf.proto, smtp/smtp_proto.c.

20200619

	Bugfix (introduced: Postfix 3.4): SMTP over TLS connection
	reuse was broken for configurations that use explicit trust
	anchors. Reported by Thorsten Habich. Cause: the tlsproxy
	client was sending a zero certificate length. File:
	tls/tls_proxy_client_print.c.

	Bugfix: posttls-finger reported a conflict betwen -X and
	-r when only -X was used. File: posttls-finger/posttls-finger.c.

20200620

	Bugfix (introduced: Postfix 3.4): SMTP over TLS connection
	reuse was broken for configurations that use explicit trust
	anchors. Reported by Thorsten Habich. Fixed by calling DANE
	initialization unconditionally (WTF). File: tlsproxy/tlsproxy.c.

20200626

	Typo: in postconf(5) documentation, AAAAA should be AAAA.
	Christian Franke. File: proto/postconf.proto.

	Bugfix (introduced: Postfix 2.11): The Postfix smtp(8)
	client did not send the right SNI name when the TLSA base
	domain was a secure CNAME expansion of the MX hostname (or
	non-MX nexthop domain). Domains with CNAME expanded MX hosts
	are not conformant with RFC5321, and so are rare. Even more
	rare are MX hosts with TLSA records for their CNAME expansion.
	For this to matter, the remote SMTP server would also have
	to select its certificate based on the SNI name in such a
	way that the original MX host would yield a different
	certificate. Among the ~2 million hosts in the DANE survey,
	none meet the conditions for returning a different certificate
	for the expanded CNAME. Therefore, sending the correct SNI
	name should not break existing mail flows. Fixed by Viktor
	Dukhovni. File: src/tls/tls_client.c.

20200705

	Cleanup: OpenSSL-1.1.1 is the minimum supported version.
	This is an LTS (long-term support) version that will reach
	the end of life by 2023-09-11. This removes support for
	export ciphers.

	This also changes the Postfix default fingerprint digest
	from MD5 to SHA256, but only when the compatibility_level
	is set to '3' or higher.

	Code by Viktor Dukhovni. Files: global/mail_params.c,
	global/mail_params.h, posttls-finger/posttls-finger.c,
	proto/COMPATIBILITY_README.html, proto/TLS_README.html,
	proto/postconf.proto, smtp/smtp.c, smtp/smtp_tls_policy.c,
	smtpd/smtpd.c, smtpd/smtpd_check.c, tls/Makefile.in,
	tls/tls.h, tls/tls_certkey.c, tls/tls_client.c, tls/tls_dane.c,
	tls/tls_dh.c, tls/tls_misc.c, tls/tls_rsa.c, tls/tls_server.c,
	tls/tls_verify.c.

20200710

	Security: added a section to the sendmail(1) manpage for
	security researchers and application developers, with an
	example of using '--' to disable command option processing
	for user-specified data. File sendmail/sendmail.c.

	Error reporting: added '--' to a postalias command line to
	make an obsecure error message less confusing. File
	sendmail/sendmail.c.

	Conversion from Postfix built-in DANE support to OpenSSL
	DANE support. Code by Viktor Dukhovni. Files:
	posttls-finger/posttls-finger.c, proto/postconf.proto,
	smtp/smtp.c, smtp/smtp_proto.c, smtp/smtp_tls_policy.c,
	tls/Makefile.in, tlsproxy/tlsproxy.c, tls/tls_client.c,
	tls/tls_dane.c, tls/tls_fprint.c, tls/tls.h, tls/tls_misc.c,
	tls/tls_proxy_client_print.c, tls/tls_proxy_client_scan.c,
	tls/tls_proxy_context_print.c, tls/tls_proxy_context_scan.c,
	tls/tls_proxy.h, tls/tls_verify.c, util/hex_code.c.

	Bugfix (introduced: Postfix 3.0): minor memory leaks in the
	Postfix TLS library, found during tests. File: tls/tls_misc.c.

20200712

	Cleanup: non-TLS builds were failing. File: util/tls_misc.c.

	Bugfix (introduced: Postfix 3.0): 4kbyte per session memory
	leak in the Postfix TLS library, found during tests. File:
	tls/tls_misc.c.

20200718

	Cleanup TLS library: coding style, additional error message,
	additional handling of internationalized domain name, and
	dropping an unused variable.  Files: tls.h, tls_dane.c,
	tls_proxy_client_scan.c, tls_client.c.

	Noise suppression: shut up compilers that warn about
	sizeof("text"). File: smtpstone/smtp-sink.c.

20200719

	Cleanup old API: mymemdup() should return "void *", the
	same value type as its main argument, and the same result
	type as mymalloc(). In a future update we can remove all
	the noisy but unnecessary casts of their result values to
	character pointer. Files: util/mymalloc.c, util/mymalloc.h.

	Cleanup: don't split the sendmail -oA option value on comma
	or whitespace, before passing the value to the postalias
	command line. This results in unexpected behavior. File:
	sendmail/sendmail.c.

	Documentation: updated the manpage of the unprivileged(!)
	sendmail(1) command with instructions to avoid privilege
	esclation attacks in naive programs that run Postfix programs
	with user-specified arguments. File: sendmail/sendmail.c.

20200720

	Bugfix (introduced: postfix 3.4): nullpointer dereference
	in debug logging when tlsproxy is unavailable.  File:
	posttls-finger/posttls-finger.c.

	Final cleanups of the peername matching code.  File:
	tls/tls_client.c.

202000725

	Documentation of how to set the minimum and maximum allowed
	TLS protocol versions (these override system-wide OpenSSL
	configuration), some related code cleanups including better
	warning messages. Viktor Dukhovni. Files: proto/TLS_README.html,
	proto/postconf.proto, global/mail_params.h,
	posttls-finger/posttls-finger.c, tls/tls.h, tls/tls_client.c,
	tls/tls_fprint.c, tls/tls_misc.c, tls/tls_server.c.

	The Postfix TLS library did not override the system-wide
	OpenSSL configuration of allowed TLS protocol versions, for
	sessions where the remote SMTP client sends SNI. File:
	tls/tls_server.c.

20200726

	Code health: the tls_get_signature_params() function reused
	variable names for different objects that have up to three
	different life-cycle management models. To avoid more
	accidents we now use distinct names for distinct purposes.
	File: tls/tls_misc.c.

20200727

	Code health: inet_proto_info() should return a const pointer.
	This is global data that callers should not change. Files:
	cleanup/cleanup_milter.c, global/haproxy_srvr.c,
	global/mynetworks.c, global/normalize_mailhost_addr.c,
	global/own_inet_addr.c, postscreen/postscreen_endpt.c,
	posttls-finger/posttls-finger.c, qmqpd/qmqpd_peer.c,
	smtpd/smtpd_check.c, smtpd/smtpd_peer.c, smtp/smtp_addr.c,
	smtpstone/smtp-sink.c, util/inet_addr_host.c,
	util/inet_addr_list.c, util/inet_addr_local.c, util/inet_connect.c,
	util/inet_listen.c, util/inet_proto.c, util/inet_proto.h.

20200728

	Code health: deleted a mis-spelled macro from code and
	documentation. Files: bounce/bounce_template.[hc].

20200829

	Other debt: updated the encoding in HTML from us-ascii to
	utf-8. Files: mantools/makemanidx, mantools/make_soho_readme,
	mantools/man2html, mantools/readme2html, proto/*_README.html,
	proto/INSTALL.html, proto/postconf.html.prolog, html/index.html.

20200830

	Refactor: moved the SASL mechanism filter code from the
	Postfix SMTP client to a library module, so that it can be
	reused in the Postfix SMTP server. Files: smtp/smtp_sasl_proto.c,
	global/sacl_mech_filter.[hc].

	Bugfix (introduced: Postfix 2.0): smtp_sasl_mechanism_filter
	ignored table lookup errors, treating them as 'not found'.
	Found while refactoring code. File: smtp/smtp_sasl_proto.c.

	Feature: smtpd_sasl_mechanism_list (default: !external,
	static:rest) to avoid confusing errors when a SASL backend
	wants to anounce EXTERNAL support for which Postfix support
	does not exist. Files: smtpd/smtpd.[hc], smtpd_sasl_glue.[hc],
	global/mail_params.h, proto/postconf.proto, mantools/postlink.

20200906

	Cleanup: missing file. File: src/postqueue/.indent.pro.

	Cleanup: uninitialized value in unit test code. File:
	global/haproxy_srvr.c.

	Cleanup: duplicate 'const' in argument declaration. File:
	src/global/sasl_mech_filter.c.

20200906-18

	Other debt: internal protocol identification. Each server
	sends the name of the internal protocol that it implements,
	and each client logs a warning if it receives the wrong
	protocol name. With this, a client-server mismatch results
	in a better error message. It is a good idea to "postfix
	stop" before updating, or before backing out to an earlier
	relase. To make this work consistently, a few internal
	protocols were converted from "client speaks first" to
	"server speaks first". Files: anvil/anvil.c, bounce/bounce.c,
	cleanup/cleanup.c, flush/flush.c, global/abounce.c,
	global/anvil_clnt.c, global/bounce.c, global/clnt_stream.c,
	global/clnt_stream.h, global/defer.c, global/deliver_pass.c,
	global/deliver_request.c, global/dict_proxy.c, global/flush_clnt.c,
	global/mail_command_client.c, global/mail_proto.h,
	global/mail_stream.c, global/mail_version.h, global/post_mail.c,
	global/resolve_clnt.c, global/rewrite_clnt.c, global/scache_clnt.c,
	global/trace.c, global/verify_clnt.c, local/forward.c,
	master/event_server.c, master/mail_server.h, master/multi_server.c,
	oqmgr/qmgr_deliver.c, pickup/pickup.c, postdrop/postdrop.c,
	postqueue/postqueue.c, postscreen/postscreen_starttls.c,
	proxymap/proxymap.c, qmgr/qmgr_deliver.c, scache/scache.c,
	showq/showq.c, tls/tls_mgr.c, tls/tls_proxy_clnt.c,
	tlsmgr/tlsmgr.c, tlsproxy/tlsproxy.c,
	trivial-rewrite/trivial-rewrite.c, util/attr.h, util/attr_clnt.c,
	util/attr_clnt.h, util/attr_print0.c, util/attr_print64.c,
	util/attr_print_plain.c, util/attr_scan0.c, util/attr_scan64.c,
	util/attr_scan_plain.c, util/auto_clnt.c, util/auto_clnt.h,
	verify/verify.c.

	Debt: during the conversion of some internal protocols to
	"server speaks first", took the opportunity to improve how
	event-driven client implementations handle a server that
	is locked up.  Files: global/abounce.c,
	postscreen/postscreen_starttls.c.

20200919

	Cleanup: eliminated a silly optimization for lazy clients
	that read the "server speaks first" protocol announcement
	after sending a client request. Files: src/anvil/anvil.c,
	src/bounce/bounce.c, src/flush/flush.c, src/global/abounce.c,
	src/global/anvil_clnt.c, src/global/deliver_pass.c,
	src/global/deliver_request.c, src/global/dict_proxy.c,
	src/global/mail_command_client.c, src/global/mail_stream.c,
	src/global/resolve_clnt.c, src/global/rewrite_clnt.c,
	src/global/scache_clnt.c, src/global/verify_clnt.c,
	src/local/forward.c, src/oqmgr/qmgr_deliver.c, src/pickup/pickup.c,
	src/postqueue/postqueue.c, src/postscreen/postscreen_starttls.c,
	src/proxymap/proxymap.c, src/qmgr/qmgr_deliver.c,
	src/scache/scache.c, src/showq/showq.c, src/tlsmgr/tlsmgr.c,
	src/tlsproxy/tlsproxy.c, src/tls/tls_mgr.c,
	src/tls/tls_proxy_clnt.c, src/trivial-rewrite/trivial-rewrite.c,
	src/verify/verify.c.

	Cleanup: factored out some duplicate showq client code.
	File: postqueue/postqueue.c.

20200920

	Cleanup: deleted the percentm module. It was obsoleted in
	19971027 by the vbuf_print() string formatter for VSTREAM
	and VSTRING objects. Files: util/percentm.[hc].

	Cleanup: replaced hard-coded 'private' with named constant.
	File: global/scache_clnt.c.

	Bugfix (introduced: Postfix 2.3): when deleting a recipient
	with a milter, delete the recipient from the duplicate
	filter, so that the recipient can be added back. Files:
	global/been_here.[hc], cleanup/cleanup_milter.c,
	cleanup/Makefile.in, lots of cleanup unit test files.

20200925

	Cleanup: vstream_fseek() support for reading or writing
	memory buffer streams, and minor cleanups in VSTREAM support
	for reading/writing VSTRINGs. Also added unit tests. Files:
	util/vstream.c, util/vstring.h.

	Bugfix (introduced: before Postfix alpha): the code that
	looks for Delivered-To: headers ignored headers longer than
	$line_length_limit. Also added unit tests. File:
	global/delivered_hdr.c.

20200930

	Feature: when a Postfix program makes a DNS query that
	requests DNSSEC validation (usually for Postfix DANE support)
	but the DNS response is not DNSSEC validated, Postfix will
	send a DNS query configured with the "dnssec_probe" parameter
	to determine if DNSSEC support is available, and logs a
	warning if it is not. By default, the probe has type "ns"
	and domain name ".". The probe is sent once per process
	lifetime. Files: dns/dns.h, dns/dns_lookup.c, dns/dns_sec.c,
	test_dns_lookup.c, global/mail_params.[hc], mantools/postlink..

20201003

	The makedefs script no longer disables DNSSEC when Postfix
	is built with libc-musl. Instead Postfix will rely on the
	new dnssec_probe feature, and will log a warning when Postfix
	requests DNSSEC validation, but the infrastructure does not
	validate DNSSEC signatures. File: makedefs.

	Cleanup: some wordsmithing of warnings when DNSSEC validation
	is unavailable. File: dns/dns_sec.c.

	Cleanup: add missing warnings for libpostfix version
	mismatches. This will help folks with build processes that
	mistakenly run newly-built Postfix installation commands
	with previously-installed libpostfix files. Files:
	postcat/postcat.c, postconf/postconf.c, postkick/postkick.c,
	postlock/postlock.c.

	Documentation: hyperlink occurrences of the info_log_address_format
	parameter name in daemon manpages.

20201005

	Cleanup: move the submit_users check after the postdrop
	initializations that strip the environment, set up signal
	handlers, etc. File: postdrop/postdrop.c.

	Documentation: descriptions of Postfix TLS wrappermode
	support. File: proto/TLS_README.html, proto/SASL_README.html.

20201011

	Bugfix (introduced: Postfix 2.8): save a copy of the
	postscreen_dnsbl_reply_map lookup result. This has no effect
	when the recommended texthash: look table is used, but it
	may avoid stale data with other lookup tables. File:
	postscreen/postscreen_dnsbl.c.

20201015

	Documentation: simplified the recipient_delimiter
	description. File: proto/postconf.proto.

20201022

	Bugfix (introduced: Postfix 2.2): after processing an
	XCLIENT command, the smtps service was waiting for a TLS
	handshake. Found by Aki Tuomi. File: smtpd/smtpd.c.

20201025

	Feature: local_login_sender_maps to lock down the envelope
	sender addresses that the postdrop command will accept. The
	default is backwards compatible. Developed with input from
	Demi M. Obenour. Files: postdrop/postdrop.c, global/mail_params.h,
	global/local_sender_login_match.[hc],
	global/local_sender_login_match.in,
	global/local_sender_login_match.ref, global/quote_822_local.c,
	global/quote_822_local.in, global/quote_822_local.ref,
	mantools/postlink, proto/postconf.proto.

	Bugfix (introduced: Postfix 2.3): static maps did not free
	their casefolding buffer. File: util/dict_static.c.

20201026

	Cleanup: changed the postdrop numerical UID prefix from "#"
	to "uid:", and tweaked some local_login_sender_maps
	documentation. Files: proto/postconf.proto, postdrop/postdrop.c.

20201031

	Cleanup: don't split a space-comma separated address list
	on space or comma inside a quoted string. Files: util/mystrtok.c,
	util/mystrtok.ref, global/login_sender_match.c.

20201101

	Cleanup: the default "smtp_tls_dane_insecure_mx_policy = dane"
	was forcing too many A/AAAA lookups for MX hosts in DANE mode.
	The default is now "dane" when smtp_tls_security_level is "dane".
	otherwise it is "may". File: global/mail_params.h.

20201104

	Bugfix (introduced: Postfix 3.5): the Postfix SMTP client
	broke message headers longer than $line_length_limit, causing
	subsequent header content to become message body content.
	Reported by Andreas Weigel, fix by Viktor Dukhovni. File:
	smtp/smtp_proto.c.

	Added missing employer attributions to .c and .h files.

20201116

	Documentation: document that check_mumble_mx_access will
	look up A or AAAA records when a domain name has no MX
	record, just like the Postfix SMTP client would. File:
	proto/postconf.proto.

20201122

	Cleanup: log "Application error" instead of "Success" or
	"Unknown error: 0" when an operation fails with errno ==
	0. File: util/vbuf_print.c.

20201125

	Documentation: in the cleanup(8) description of message
	transformations, mention how some transformations are
	controlled with the local_header_rewrite_clients,
	always_add_missing_headers, and message_drop_headers parameter
	settings. File: cleanup/cleanup.c.

20201129

	Cleanup: future-proofing a condition in delivered_hdr_init().
	The code was not wrong, but the new code is more consistent
	with new code in the bounce daemon where the difference does
	matter. File: global/delivered_hdr.c

20201205

	Testing: generic test_main() routine to initialize configuration
	parameters before running a test routine. Files:
	global/test_main.[hc].

	Feature: specify "enable_threaded_bounces = yes" to enable
	bounce messages that link to the original message with a
	References: and In-Reply_to: header. Based on code by Andreas
	Thienemann. See RELEASE_NOTES for caveats. Files:
	proto/postconf.proto, bounce/bounce_notify_tester.c, many
	test data files to exercise corner cases.

20201220

	Infrastructure: support to add custom comparison operators
	for Postfix configuration files. This will be used to implement
	custom comparison operators for compatibility_level values
	that contain both the Postfix major and minor version and
	maybe patchlevel. Files: util/alldig.c, util/stringops.h,
	util/mac_expand.[hc] and test files.

20210102

	Infrastructure: support for the <=level, <level, and other
	operators to compare compatibility levels. With the standard
	<=, <, etc. operators, compatibility level 3.10 would be
	less than 3.9 which is undesirable. Files: global/compat_level.[hc]
	and test files.

20210107

	Documentation: added lmdb to the postmap/postalias pages.
	Files: postmap/postmap.c, postalias/postalias.c.

20210109

	Feature: support for compatibility levels of the form
	"major.minor.patch". Files: global/mail_params.[hc],
	master/master_ent.c, postconf/postconf.c, postfix/postfix.c,
	proto/COMPATIBILITY_README.html, proto/postconf.proto.

20210110

	Documentation: the postfix(1) manpage missed some changes
	that were introduced in the Postfix 3.0 development
	cycle. File:postfix/postfix.c.

	Bugfix: the 20210109 change broke 'postfix reload' for the
	master daemon. File: global/mail_params.c.

20210111

	Cleanup: compiler warning for casting '0' to the wrong type
	(zero impact). File: dns/dns_sec.c .

	Cleanup: after back-porting the dnssec_probe implementation
	to Postfix 3.5 and earlier versions, forward-ported some
	comment and documentation changes to the 3.6 releases.
	Files: proto/postconf.proto, RELEASE_NOTES, dns/dns.h.

20210113

	Workaround: STRREF() macro to shut up compiler warnings for
	legitimate expressions involving string constants. Files:
	util.stringops.h, flush/flush.c.

20210130

	Feature: with smtpd_relay_before_recipient_restrictions=yes,
	the Postfix SMTP server will evaluate smtpd_relay_restrictions
	before smtpd_recipient_restrictions. This is the default
	behavior with compatibility_level >= 3.6. This makes the
	implemented behavior consistent with existing documentation.
	There is a backwards-compatibility warning that allows users
	to freeze historical behavior. Files: mantools/postlink,
	proto/COMPATIBILITY_README.html, proto/postconf.proto,
	global/mail_params.c, global/mail_params.h, smtpd/smtpd.c,
	smtpd/smtpd_check.c.

20210201

	Flipped a bit in the smtpd_relay_before_recipient_restrictions
	implementation. File: smtpd/smtpd_check.c.

20210206

	Documentation: the inet_protocols default setting is compile-time
	dependent. Files: proto/postconf.proto, proto/IPV6_README.html,
	and documentation in smtpd/smtpd.c, smtp/smtp.c, master/master.c.

20210212

	Documentation: added a jq example to the postsuper(1) manpage.
	File: postsuper/postsuper.c.

20210216

	Respectful code: avoid using terminology that implies white
	is better than black. Instead, use 'allowlist', 'denylist',
	and variations on those words. This continues work started
	with Noel Jones a year ago.

	Documentation: replaced white/blacklist with allow/denylist,
	except in parameter names and logging. Files:
	proto/ADDRESS_VERIFICATION_README.html, proto/cidr_table,
	proto/OVERVIEW.html, proto/postconf.proto,
	proto/POSTSCREEN_README.html, proto/SMTPD_ACCESS_README.html,
	proto/SMTPD_POLICY_README.html, proto/STRESS_README.html,
	dns/dns_lookup.c, dnsblog/dnsblog.c, global/server_acl.c,
	postfix/postfix.c, postscreen/postscreen.c,
	postscreen/postscreen_dnsbl.c, postscreen/postscreen_early.c,
	postscreen/postscreen.h, postscreen/postscreen_misc.c,
	postscreen/postscreen_smtpd.c, postscreen/postscreen_tests.c,
	proxymap/proxymap.c, smtpd/smtpd.c, smtpd/smtpd_check.c,
	smtpd/smtpd_dnswl.in, smtpd/smtpd_dnswl.ref, tlsproxy/tlsproxy.c,
	verify/verify.c.

20210220

	Renamed postscreen_dnsbl_whitelist_threshold,
	postscreen_blacklist_action, and postscreen_whitelist_interfaces,
	with backwards-compatible default settings, and updated
	documentation.

	Forked POSTSCREEN_README for readability, to avoid deprecated
	parameter names and logging examples. The historical parameter
	names and logging are still described in POSTSCREEN_3_5_README.
	Files: proto/Makefile.in, proto/POSTSCREEN_3_5_README.html,
	proto/POSTSCREEN_README.html.

	Renamed internal variables with names that contain 'white' or
	'black'. Files: postscreen/postscreen.c, postscreen/postscreen.h.

	Feature: respectful_logging configuration parameter (the
	default depends on the compatibility_level) to choose
	between respectful and deprecated logging formats. Files:
	mantools/postlink, proto/postconf.proto, global/mail_params.[hc],
	postscreen/postscreen.c, proto/COMPATIBILITY_README.

20210224

	Typo: the "respectful_logging" parameter had a typo and a
	"postscreen_" prefix that should have been deleted. File:
	global/mail_params.h

20210313

	Documentation: enable_threaded_bounces also applies to
	"success" and "delay" delivery status notiifications. File:
	proto/postconf.proto.

20210403

	Missing null pointer checks (introduced: Postfix 3.4) after
	an internal I/O error during the smtp(8) to tlsproxy(8)
	handshake. Found by Coverity, reported by Jaroslav Skarvada.
	Based on fix by Viktor Dukhovni. File: tls/tls_proxy_client_scan.c.

	Null pointer bug (introduced: Postfix 3.0) and memory leak
	(introduced: Postfix 3.4) after an inline: table syntax
	error in main.cf or master.cf. Found by Coverity, reported
	by Jaroslav Skarvada. Based on fix by Viktor Dukhovni. File:
	util/dict_inline.c.

	Incomplete null pointer check (introduced: Postfix 2.10)
	after truncated HaProxy version 1 handshake message. Found
	by Coverity, reported by Jaroslav Skarvada. Fix by Viktor
	Dukhovni. File: global/haproxy_srvr.c.

20210404

	Unbroke a ton of regression tests after DNS-related changes.

20210406

	More specific warnings for incorrect net/mask syntax. Files:
	util/cidr_match.c, util/dict_cidr.ref.

20210410

	Documentation: updated containerization suggestions in
	the postfix(1) manpage. File: postfix/postfix.c.

	Documentation: added text and ASCII art to illustrate how
	tlsproxy(8) is used for outbound SMTP connection caching
	and for inbound postscreen(8) TLS support. File:
	proto/OVERVIEW.html.

	Documentation: added text and ASCII art to illustrate how
	postlogd(8) provides an alternative to syslog logging.
	File: proto/OVERVIEW.html.

20210411

	Updated the missing null pointer check (introduced: Postfix
	alpha) after null argv[0] value. File: global/mail_task.c.

	Cleanup: added a test case for a missing haproxy v1 protocol
	type, and improved the haproxy parser error messages. File:
	global/haproxy_srvr.c.

	Documentation: updated examples and TLS configuration. File
	proto/CONNECTION_CACHE_README.html.

20210418

	Bitrot: new "known_tcp_ports" configuration parameter to
	reduce Postfix dependency on the services(5) database.
	There is no agreement about the name of the port 465 service:
	the intersection of different systems is reportedly empty.
	By default, Postfix now "knows" the port numbers for SMTP
	services. Files: proto/postconf.proto, global/Makefile.in,
	global/config_known_tcp_ports.c, global/config_known_tcp_ports.h,
	global/config_known_tcp_ports.ref, global/mail_params.c,
	global/mail_params.h, global/mail_version.h,
	global/namadr_list.ref, master/master.c,
	posttls-finger/Makefile.in, posttls-finger/posttls-finger.c,
	smtp/Makefile.in, smtp/smtp.c, smtp/smtp_connect.c,
	smtpd/smtpd.c, util/Makefile.in, util/find_inet.c,
	util/known_tcp_ports.c, util/known_tcp_ports.h,
	util/known_tcp_ports.ref, util/myaddrinfo.c.

20210419

	Bugfix (bug introduced 20210102): panic in some postconf
	commands due to duplicate initialization of compatibility
	level comparison operators. File: global/compat_level.c.

	Cleanup: stricter parsing of known_tcp_port settings. Files:
	util/argv_split_at.c, util/argv.h, global/config_known_tcp_ports.c.

20210420

	Documentation: typofixes by Paul Menzel. File: RELEASE_NOTES.

	Documentation: numeric IP address examples. File: conf/master.cf.

	Documentation: added "-Wl,-R,/path/to/directory" hints to
	optional build instructions. Files: proto/DB_README.html,
	proto/LDAP_README.html, proto/LMDB_README.html,
	proto/MYSQL_README.html, proto/PGSQL_README.html,
	proto/SASL_README.html, proto/SQLITE_README.html,
	proto/TLS_README.html.

20210422

	Cleanup: in the Postfix SMTP and LMTP client, prepend Return-Path
	and other headers in the same order as in other Postfix delivery
	agents. Adi Prasaja. File: smtp/smtp_proto.c.

20210428

	Documentation: update by Paul Menzel. File: proto/SASL_README.html.

20210529

	Cleanup: simplified master.cf stanzas for the submission
	and submissions (formerly: smtps) services, to avoid
	surprising warnings for undefined mua_smtpd_xxx_restrictions
	parameters. File: conf/master.cf.

	Bugfix (introduced: Postfix 2.11): "postmap lmdb:/file/name"
	handled duplicate keys ungracefully, with a dangling pointer
	resulting in a double free() call with lmdb versions 0.9.17
	and later. Reported by Adi Prasaja, root cause analysis by
	Howard Chu. In addition, "postmap lmdb:/file/name" forgot
	entries stored up to and including the duplicate key. File:
	util/slmdb.c.

20210605

	Fixed a few more potential dangling pointer cases in the
	LMDB client, future-proofing code paths that sofar aren't
	used. File: util/slmdb.c.

	Added LMDB integration tests using the postmmap command.
	Files: postmap/Makefile.in, postmap/lmdb_abb, postmap/lmdb_abb.ref.

	Cleanup: reset errno in the fail: database methods for
	consistent error messages. File: util/dict_fail.c.

	Cleanup: new vstream_control() option to give a memory stream
	ownership of the underlying VSTRING. This simplifies resource
	management for read-only streams. Files: util/vstream.[hc].

	Cleanup: extpar() returns an error in case of a missing
	initial '{', instead of aborting. This simplifies the
	implementation of some callers. File: util/extpar.c.

	Feature: inline pcre, regexp, and cidr table definition in main.cf
	or master.cf, to improve their usability in matchlists. Files:
	util/dict_stream.c, util/dict.h, util/dict_pcre.c,
	util/dict_regexp.c, util/dict_cidr.c, and test files.

	The smtpd_forbidden_commands default setting now also inludes
	a regular expression regexp:{{/^[^A-Z]/ Bogus}} for bogus inputs.
	File: global/mail_params.h.

20210606

	Cleanup: "Postfix is running with backwards-compatible..."
	did not make sense when Postfix is down. File: postfix/postfix.c.

	Cleanup: the postscreen BDAT handler now replies with "need
	MAIL command" when the client did not provide a sender address.
	File: postscreen/postscreen_smtpd.c.

	Typo: silent_discard should be silent-discard.  File:
	proto/BDAT_README.html.

20210610

	Cleanup: escape non-printable characters in non-SMTP commands,
	instead of replacing them with '?'. File: smtpd/smtpd.c.

	Misc typofixes by Viktor Dukhovni. Files: conf/master.cf,
	proto/regexp_table, proto/cidr_table.

	Cleanup: simplify the LMDB error recovery code. File:
	util/slmdb.c.

20210615

	Bugfix (introduced: Postfix 3.4): the texthash: map
	implementation did not support "postmap -F" behavior.
	Reported by Christopher Gurnee, who also found the missing
	code in the postmap source. File: util/dict_thash.c.

	Cleanup: documentation for the postmap -F option. File:
	postmap/postmap.c.

	Cleanup: simplify the LMDB error recovery code. File:
	util/slmdb.c.

20210623

	Cleanup: the known_tcp_ports parameter was not hyperlinked.
	File: mantools/postlink.

	Bugfix: some strtou?l() calls had no 'errno=0' statement
	before the call. Fixed with strtou?l() wrapper functions
	that reset errno before calling strtou?l(), and calling
	these from code that did not explicitly reset errno. Other
	strtou?l() can be migrated later. Problem reported by David
	Bohman. Files: util/sane_strtol.[hc], global/compat_level.c,
	postscreen/postscreen_tests.c, util/mac_expand.c.

20210705

	Bugfix (introduced: Postfix 3.3): "null pointer read" error
	in the cleanup daemon when "header_from_format = standard"
	(the default as of Postfix 3.3) and email was submitted
	with /usr/sbin/sendmail without From: header, and an all-space
	full name was specified in 1) the password file, 2) with
	"sendmail -F", or 3) with the NAME environment variable.
	Found by Renaud Metrich. File: cleanup/cleanup_message.c.

20210708

	Bugfix (introduced: 1999): the Postfix SMTP server was
	sending all session transcripts to the error_notice_recipient,
	instead of sending transcripts of bounced mail to the
	bounce_notice_recipient. Reported by Hans van Zijst. File:
	smtpd/smtpd_chat.c.

20210713

	Bugfix (introduced: Postfix 2.4): false "too many reverse
	jump" warnings in the showq daemon. The loop detection code
	was comparing memory addresses instead of queue file names.
	It now properly compares strings. Reported by Mehmet Avcioglu.
	File: global/record.c.

20210724

	Cleanup: missing const in the 20210713 bugfix. File:
	global/record.c.

20210728

	Bitrot: GLIBC 2.34 has closefrom(), and of course their
	interface is different. File: util/sys_defs.h.

20210804

	Cleanup: replace ad-hoc object-to-VSTRING serialization with
	attr_print*() based serialization. Files: tls/tls_proxy.h,
	tls/tls_proxy_client_misc.c, tlsproxy.c/tlsproxy.c.

	Cleanup: left-over code from a DANE on/off workaround. File:
	tlsproxy.c/tlsproxy.c.

20210806

	Constified the object argument of functions that write objects
	to VSTREAM. Files: global/bounce.c, global/defer.c,
	global/deliver_pass.c, global/deliver_request.c,
	global/dsn_print.c, global/dsn_print.h,
	global/msg_stats.h, global/msg_stats_print.c,
	global/rcpt_print.c, global/rcpt_print.h, global/trace.c,
	milter/milter8.c, milter/milter.c, milter/milter.h,
	milter/milter_macros.c, oqmgr/qmgr_deliver.c,
	qmgr/qmgr_deliver.c, tls/tls_proxy_client_misc.c,
	tls/tls_proxy_client_print.c, tls/tls_proxy_context_print.c,
	tls/tls_proxy.h, tls/tls_proxy_server_print.c, util/argv_attr.h,
	util/argv_attr_print.c, util/attr.h.

20210810

	Pedantism: the Postfix SMTP server now replies with status
	500 when a command is not recogized (status 502 is applicable
	when a command is recognized but not implemented). File:
	smtpd/smtpd.c.

	Wordsmithing: in inet_connect() replaced "host/service xxx/yyy
	not found" with "host or service xxx:yyy not found". The former
	suggests UNIX-domain pathname syntax which is confusing. File:
	until/inet_connect.c.

20210815

	To make the maillog_file feature more useful, the postlog(1)
	command is now set-gid postdrop, so that unprivileged
	programs can write logging through the postlogd(8) daemon.
	Adopted some code from postqueue(1) and postdrop(1) to
	harden postlog(1) against privilege escalation attacks.
	Files: postlog/postlog.c, conf/postfix-files.

	Hardening: specify smtpd_per_request_deadline=yes to limit
	the combined amount of time to receive a complete SMTP
	request and to send a complete SMTP response. Specify
	smtpd_min_data_rate to enforce a minimum data rate during
	DATA and BDAT. This replaces smtpd_per_record_deadline; the
	new smtpd_per_request_deadline parameter has a backwards-
	compatible default value.

	Hardening: specify {smtp,lmtp}_per_request_deadline=yes to
	limit the combined amount of time to send a complete SMTP
	request and to receive a complete SMTP response. Specify
	{smtp,lmtp}_min_data_rate to enforce a minimum data rate
	during DATA. This replaces {smtp,lmtp}_per_record_deadline.
	The new {smtp,lmtp}_per_request_deadline parameters have a
	backwards-compatible default value.

	Minor text and code cleanups. File: postlog/postlog.c.

20210925

	Prevent sharing of xxx_tls_session_cache_database instances
	between different Postfix instances when a database is
	not multi-writer safe. Like postscreen(8) and verify(8),
	open such a database with a permanent lock, and raise
	a fatal error when that database is already opened as
	xxx_tls_session_cache_database. File: src/tls/tls_scache.c.

	Bugfix (bug introduced: Postfix 2.10): postconf -x produced
	incorrect output, because different functions were implicitly
	sharing a buffer for intermediate results. Reported by raf, root
	cause analysis by Viktor Dukhovni, and Wietse eliminated the
	underlying anti-pattern. Files: postconf/postconf_builtin.c,
	postconf/postconf_dbms.c, postconf/postconf_lookup.c,
	postconf/postconf_main.c, postconf/postconf_master.c.

	Documentation: missing lmtp_tls_wrappermode parameter
	documentation. Viktor Dukhovni. Files: mantools/postlink,
	proto/postconf.proto.

20210926

	OpenSSL 3.0.0 feature and bitrot updates. Viktor Dukhovni.
	Files: proto/FORWARD_SECRECY_README.html, proto/postconf.proto,
	tls/tls_client.c, tls/tls_dh.c, tls/tls.h, tls/tls_misc.c,
	tls/tls_server.c/^+

	Cleanup: don't hyperlink text that is already hyperlinked.
	File: mantools/postlink.

20211002

	Bugfix (introduced: Postfix 3.3): the header_from_format
	feature was not implemented for From: headers from the
	bounce daemon, and for Postfix SMTP server and client
	postmaster notifications.  Reported by Vladimir Mishonov.
	Files: bounce/bounce.c, bounce/bounce_notify_util_tester.c,
	bounce/bounce_service.h, bounce/bounce_template.c,
	bounce/bounce_template.h, bounce/bounce_templates.c,
	cleanup/cleanup.h, cleanup/cleanup_init.c,
	cleanup/cleanup_message.c, smtp/lmtp_params.c, smtp/smtp.c,
	smtp/smtp.h, smtp/smtp_chat.c, smtp/smtp_params.c,
	smtpd/smtpd.c, smtpd/smtpd.h, smtpd/smtpd_chat.c, and test
	data.

20211006

	Documentation: http://tools.ietf.org/html/rfc[0-9]+ sometimes
	does not redirect to the https site. Max-Julian Pogner.
	Fixed by updating mantools/postlink and rebuilding the HTML
	files that reference RFCs.

20211016

	Documentation: clarified the difference between private and
	public services in master.cf. File: proto/master.

20211022

	Bugfix (introduced: Postfix 3.6): the known_tcp_ports setting
	had no effect. Reported by Peter. The feature wasn't fully
	implemented. Files: config_known_tcp_ports.c, mail_params.c,
	posttls-finger/posttls-finger.c, smtp/smtp_connect.c,
	util/find_inet.c, util/myaddrinfo.c.

20211023

	Documentation: fixed a jq example in the postsuper manpage, to
	delete the quotes around a queue ID. File: postsuper/postsuper.c.

	Cleanup: with "smtputf8_enable = yes" (the default), the
	postscreen(8) dummy SMTP engine will no longer log a "non-UTF-8
	key" warning when a remote SMTP client sends garbage. Instead,
	postscreen(8) will reject the command with the same server
	response as smtpd(8). File: postscreen/postscreen_smtpd.c.

20211025

	Bugfix (introduced: Postfix 3.6): mangled warning where a
	hostname and warning message ran together. Viktor Dukhovni.
	File: tls/tls_dane.c.

20211026

	Feature: with "smtp_bind_address_enforce = yes" the Postfix
	SMTP client will defer delivery when it is unable to apply
	the smtp_bind_address or smtp_bind_address6 setting. By
	default, the Postfix SMTP client continues with delivery,
	after logging a warning. File: src/smtp/smtp_connect.c.

20211027

	Documentation: readability fix for the text about automatic
	or explicit daemon restart (postfix reload) after LMDB table
	change. raj. File: proto/lmdb_table.

	Safety: the postqueue command now sanitizes strings before they
	are formatted as json output or legacy output. These outputs are
	piped into other programs that are run by administrative
	users. This closes a hypothetical opportunity for privilege
	escalation. Files: util/attr.h, util/attr_scan*.c,
	postqueue/showq_json.c, postqueue/showq_compat.c.

20211030

	Bugfix: check_ccert_access worked as expected, but produced
	a spurious warning when Postfix was built without SASL
	support. Fix by Brad Barden. File: smtpd/smtpd_check.c.

20211102

	Bugfix for smtp_bind_address_enforce (change 20211026), file
	descriptor leak. Found by Viktor. File: smtp/smtp_connect.c.

20211105

	Bugfix (introduced: Postfix 2.4): queue file corruption
	after a Milter (for example, MIMEDefang) made a request to
	replace the message body with a copy of that message body
	plus additional text (for example, a SpamAssassin report).

	The most likely impacts were a) the queue manager reporting
	a fatal error resulting in email delivery delays, or b) the
	queue manager reporting the corruption and moving the message
	to the corrupt queue for damaged messages.

	However, a determined adversary could craft an email message
	that would trigger the bug, and insert a content filter
	destination or a redirect email address into its queue file.
	Postfix would then deliver the message headers there, in
	most cases without delivering the message body. With enough
	experimentation, an attacker could make Postfix deliver
	both the message headers and body.

	The details of a successful attack depend on the Milter
	implementation, and on the Postfix and Milter configuration
	details; these can be determined remotely through
	experimentation.  Failed experiments may be detected when
	the queue manager terminates with a fatal error, or when
	the queue manager moves damaged files to the "corrupt" queue
	as evidence.

	Technical details: when Postfix executes a "replace body"
	Milter request it will reuse queue file storage that was
	used by the existing email message body. If the new body
	is larger, Postfix will append body content to the end of
	the queue file. The corruption happened when a Milter (for
	example, MIMEDefang) made a request to replace the body of
	a message with a new body that contained a copy of the
	original body plus some new text, and the original body
	contained a line longer than $line_length_limit bytes (for
	example, an image encoded in base64 without hard or soft
	line breaks). In queue files, Postfix stores a long text
	line as multiple records with up to $line_length_limit bytes
	each. Unfortunately, Postfix's "replace body" support did
	not account for the additional queue file space needed to
	store the second etc.  record headers. And thus, the last
	record(s) of a long text line could overwrite one or more
	queue file records immediately after the space that was
	previously occupied by the original message body.

	Problem report by Benoît Panizzon.

20211107

	Additional postcat flags for debuging a corrupted queue
	file (-s: skip to offset; -r: don't follow pointer records).
	File: postcat/postcat.c.

20211110

	Minor edits of 20211107 postcat changes. File: postcat.c.

	Regression prevention: added sanity check in the queue file
	editing code. File: cleanup/cleanup_body_edit.c

	Regression prevention: copied a queue file record typecheck
	from the pickup daemon. Files: *qmgr/qmgr_message.c.

20211115

	Bugfix (introduced: 20210708): duplicate bounce_notice_recipient
	entries in postconf output. The fix to send SMTP session
	transcripts to bounce_notice_recipient was incomplete.
	Reported by Vincent Lefevre. File: smtpd/smtpd.c.

20211127

	Feature: support for the pcre2 library (the legacy pcre
	library is still supported). See RELEASE_NOTES for details.
	Files: makedefs, util/dict_open.c, util.dict_pcre.c,
	proto/pcre_table, proto/PCRE_README.html.

20211129

	Portability: defines for FreeBSD <= 14.x, OpenBSD 7.x, NetBSD <=
	10.x. Brad Smith. Files: makedefs, util/sys_defs.h.

20211202

	Cleanup: warning messages when a Diffie-Hellman parameter
	file cannot be opened or parsed. Viktor Dukhovni. File:
	tls/tls_dh.c.

20211204

	Cleanup: parameter descriptions in manpages were frozen in the
	past. Files: proto/aliases, src/local/local.c, src/pipe/pipe.c,
	src/qmqpd/qmqpd.c, src/trivial-rewrite/trivial-rewrite.c.

	Documentation: added a "howto tip" to the stock main.cf
	file. File: conf/main.cf

20211211

	Logging: the Postfix SMTP client logs an info message when it
	breaks a long line with "<CR><LF><SP>".

20211216

	Bugfix (introduced: Postfix 3.0): the proxymap daemon did not
	automatically authorize proxied maps inside pipemap (example:
	pipemap:{proxy:maptype:mapname, ...}) or inside unionmap. Problem
	reported by Mirko Vogt. Files: proxymap/proxymap.c.

20211218

	Typo fixes based on automated scans of C source code comments.
	Verified that the .o files have not changed. Files:
	bounce/bounce_notify_util.c, cleanup/cleanup_api.c,
	cleanup/cleanup_message.c, dns/dns_lookup.c, flush/flush.c,
	global/compat_level.c, global/db_common.c,
	global/deliver_request.c, global/dict_ldap.c, global/dict_sqlite.c,
	global/dynamicmaps.c, global/mail_conf_time.c, global/mail_copy.c,
	global/mail_params.h, global/mail_proto.h, global/memcache_proto.c,
	global/normalize_mailhost_addr.c, global/quote_822_local.c,
	global/test_main.c, global/verify.c, global/verify_sender_addr.c,
	local/unknown.c, master/dgram_server.c, master/event_server.c,
	master/multi_server.c, master/single_server.c,
	master/trigger_server.c, oqmgr/qmgr_entry.c,
	postconf/postconf_dbms.c, postconf/postconf_master.c,
	postconf/postconf_user.c, postdrop/postdrop.c, postmap/postmap.c,
	postmulti/postmulti.c, postqueue/showq_compat.c,
	postscreen/postscreen_smtpd.c, postscreen/postscreen_starttls.c,
	posttls-finger/posttls-finger.c, proxymap/proxymap.c,
	qmgr/qmgr_entry.c, qmqpd/qmqpd_peer.c, smtp/smtp.h,
	smtp/smtp_proto.c, smtpd/smtpd_check.c, smtpd/smtpd_peer.c,
	tls/tls_certkey.c, tls/tls_client.c, tls/tls_fprint.c,
	tls/tls_misc.c, tls/tls_server.c, tlsmgr/tlsmgr.c,
	tlsproxy/tlsproxy.c, trivial-rewrite/resolve.c,
	trivial-rewrite/transport.c, trivial-rewrite/trivial-rewrite.c,
	util/argv.c, util/dict_cache.c, util/dict_cdb.c, util/dict_file.c,
	util/dict_random.c, util/dict_random.h, util/dict_thash.c,
	util/dup2_pass_on_exec.c, util/edit_file.c, util/extpar.c,
	util/gccw.c, util/mac_expand.c, util/mac_expand.h,
	util/myaddrinfo.c, util/name_mask.c, util/sane_link.c,
	util/sane_rename.c, util/unix_dgram_connect.c,
	util/unix_dgram_listen.c, util/unix_pass_fd_fix.c,
	util/vstring.c, xsasl/xsasl_dovecot_server.c.

	Typo fixes based on automated scans of other files. Files:
	auxiliary/qshape/qshape.pl, conf/post-install,
	conf/postmulti-script, makedefs, postfix-install,
	proto/postconf.proto, TLS_ACKNOWLEDGEMENTS, TLS_CHANGES.

	Documentation: added a note to the cidr_table manpage that
	with an inline CIDR map, "$" needs to be specified as "$$"
	to avoid $name expansion surprises. File: proto/cidr_table.

20211220

	Bugfix (introduced: Postfix 2.5): off-by-one error while
	writing a string terminator. This code had passed all memory
	corruption tests, presumably because it wrote over an
	alignment padding byte, or over an adjacent character byte
	that was never read. Reported by Robert Siemer. Files:
	*qmgr/qmgr_feedback.c.

	Typo fixes from Raf, based on manual inspection. Verified
	that the .o files have not changed. Files: conf/main.cf,
	mantools/postlink, proto/ADDRESS_REWRITING_README.html,
	proto/BACKSCATTER_README.html,
	proto/BASIC_CONFIGURATION_README.html, proto/BDAT_README.html,
	proto/BUILTIN_FILTER_README.html, proto/COMPATIBILITY_README.html,
	proto/CONNECTION_CACHE_README.html, proto/DATABASE_README.html,
	proto/DEBUG_README.html, proto/FORWARD_SECRECY_README.html,
	proto/INSTALL.html, proto/IPV6_README.html, proto/LDAP_README.html,
	proto/LINUX_README.html, proto/MAILLOG_README.html,
	proto/MILTER_README.html, proto/MULTI_INSTANCE_README.html,
	proto/MYSQL_README.html, proto/POSTSCREEN_3_5_README.html,
	proto/POSTSCREEN_README.html, proto/QSHAPE_README.html,
	proto/SASL_README.html, proto/SCHEDULER_README.html,
	proto/SMTPD_ACCESS_README.html, proto/SMTPD_POLICY_README.html,
	proto/SMTPD_PROXY_README.html, proto/SMTPUTF8_README.html,
	proto/SQLITE_README.html, proto/STANDARD_CONFIGURATION_README.html,
	proto/STRESS_README.html, proto/TLS_LEGACY_README.html,
	proto/TLS_README.html, proto/TUNING_README.html,
	proto/VIRTUAL_README.html, proto/access, proto/canonical,
	proto/generic, proto/ldap_table, proto/master, proto/mysql_table,
	proto/pgsql_table, proto/postconf.proto, proto/relocated,
	proto/sqlite_table, proto/transport, proto/virtual,
	global/mail_version.h, local/local.c, pipe/pipe.c,
	postalias/postalias.c, postconf/postconf.c, postfix/postfix.c,
	postmap/postmap.c, postmulti/postmulti.c,
	posttls-finger/posttls-finger.c, sendmail/sendmail.c,
	smtpstone/smtp-sink.c, tlsproxy/tlsproxy.c,
	trivial-rewrite/trivial-rewrite.c, virtual/virtual.c.

20211221

	Documentation: reverted some postconf(5) changes from
	"Specify a non-zero time value" to "Specify a non-negative
	time value". File: proto/postconf.proto.

	Documentation: reverted "destination concurrency limit" to
	"destination recipient limit". File: proto/SCHEDULER_README.html.

	Documentation: rephrased conditional $name expositions for
	forward_path and command_execution_directory. File:
	local/local.c.

	Documentation: added Postfix 3.0 syntax to postconf(5)
	descriptions of command_execution_directory, default_rbl_reply,
	forward_path, luser_relay, recipient_delimiter. File:
	proto/postconf.proto.

	Documentation: updated descriptions of smtpd_error_sleep_time
	and smtpd_soft_error_limit. File: proto/postconf.proto.

	Fixed non-UTF8 quotes in TLS_CHANGES that caused nvi to
	truncate the file.

	Fixed a remaining typo in util/load_lib.c.

20211222

	Added a top-level 'make typo-check' target to automate
	the typo checks (this only works on Wietse's development
	system, because it depends on specific implementations of
	spell and lynx). Files: Makefile.in, mantools/comment.c,
	mantools/deroff, mantools/check-double-cc,
	mantools/check-double-install-proto-text,
	mantools/check-double-proto-html, mantools/check-spell-cc,
	mantools/check-spell-install-proto-text,
	mantools/check-spell-proto-html, proto/stop, proto/stop.double-cc,
	proto/stop.double-install-proto-text, proto/stop.double-proto-html,
	proto/stop.spell-cc, proto/stop.spell-proto-html.

	Cleanup: manpages don't need \' - that causes groff to emit
	non-ASCII text (depending on the locale). Christian Goettsche.
	Files: sendmail/sendmail.c, spawn/spawn.c.

20211223

	Report unsupported usage. Do not link Postfix database
	plugins against libpostfix-util or libpostfix-global. This
	introduces false build dependencies. File: makedefs.

	Report unsupported usage. Do not build with LD_LIBRARY_PATH.
	File: makedefs.

	Documented the implementation-dependent mailbox_size_limit
	and message_size_limit maximal values. File: proto/postconf.proto.

	Cleanup: make typo-check tests portable across differernt
	spellcheck implementations. Files: proto/stop.spell-proto-html,
	proto/stop.spell-cc.

	Cleanup: added missing parameters to the mantools/postlink
	script, based on output from the mantools/check-postlink
	script.

	Cleanup: added missing _maps parameter names to the
	proxy_read_maps default value, based on output from the
	mantools/missing-proxy-read-maps script. File:
	global/mail_params.h.

	Sanity: added LANG=C to the typo-check scripts to get
	consistent output. Files: mantools/check-spell-proto-html,
	mantools/check-spell-install-proto-text, mantools/check-spell-cc,
	mantools/check-double-proto-html,
	mantools/check-double-install-proto-text, mantools/check-double-cc.

20211224

	Cleanup: some compilter complains about indentation in a
	multiline macro. File: util/dict_db.c.

20211231

	Cleanup: informative error message after failure to connect
	to 'dovecot' socket. File: src/xsasl/xsasl_dovecot_server.c.

20220101

	Cleanup: AppArmor may return EPERM for permission errors.
	This could result in a false "mail system is down" error
	message from the postqueue command. File: postqueue/postqueue.c.

202220102

	Cleanup: log the reason why the postqueue command thinks
	that the mail system is down, in case some security software
	or kernel bug emits a weird error. File: postqueue/postqueue.c.

	Robustness: randomize the initial state of Postfix in-memory
	hash tables, to defend against collision attacks involving
	a large number of attacker-chosen lookup keys. Presently,
	the only known opportunity for such attacks involves remote
	SMTP client IPv6 addresses in the anvil service. Other
	tables with attacker-chosen lookup keys are limited in size.
	The fix is cheap, and therefore implemented for all Postfix
	in-memory hash tables. Problem reported by Pascal Junod.
	File: util/htable.c.

20210103

	Documentation: CIDR example for mynetworks. Scott Kitterman.
	File: proto/postconf.proto.

	Updated the hash function to make the distance between
	colliding inputs seed-dependent, which is really the only
	property that we needed. File: util/htable.c.

20210105

	Cleanup: deleting the \ before \' broke other things. Now
	we need to escape \ at the start of an nroff input line.
	Files: mantools/postconf2man, mantools/srctoman.

20220107

	Updated the hash function to avoid losing state when an
	input byte is 0 (can never happen with a null-terminated
	string, but makes the hash function usable in other contexts.
	File: util/htable.c.

20220116

	Added more pre-release checks: missing postlink rules,
	missing maps in proxy_read_maps. File: Makefile.in.

20220117

	Cleanup: the nullmx_reject_code parameter was removed from
	Postfix 3.0 before it was released, but the manpage was not
	updated. File: proto/postconf.proto.

	Cleanup: after seeking past the end of a writable memory-backed
	VSTREAM (i.e. backed by a VSTRING), write nulls over the
	newly allocated bytes. This behavior is compatible with
	seeking past the end of a writable regular file. File:
	util/vstream.c.

	Cleanup: unit tests. File: cleanup/cleanup_milter.c.

	Cleamup: disable hash-table seed in unit tests. Many
	Makefiles, some unit test 'reference' files.

	Bugfix (documented but not implemented since Postfix 2.2):
	missing support for [address] in smtp_bind_address and
	smtp_bind_address6. Reported by Vincent Pelletier. File:
	smtp/smtp_connect.c.

20220119

	Cleanup: the 20211211 change could result in logfile spam.
	Added a 1-bit counter to log "breaking long line" only once per
	delivery request. File: smtp/smtp_proto.c.

20220121

	Cleanup: added a pre-release check for missing entries
	in postfix-files. Problem reported by Jaroslav Skarvada.
	Files: Makefile.in, conf/postfix-files,
	mantools/check-postfix-files. Deleted: CYRUS_README.

	Cleanup: added the RELEASE_NOTES file to the pre-release
	checks, after Viktor Dukhovni reported a typo. Files:
	mantools/check-double-install-proto-text,
	mantools/check-spell-install-proto-text.

	Cleanup: for consistent parameter naming (tlsproxy_client_xxx
	correspnds to smtp_tls_xxx), renamed tlsproxy_client_level
	to tlsproxy_client_security_level, and tlsproxy_client_policy
	to tlsproxy_client_policy_maps, with backwards-compatible
	defaults and updated documentation. Problem reported by
	Raf. Files: global/mail_params.h, mantools/postlink,
	postconf/postconf_builtin.c.

20220123

	Documentation: added LINUX_README sections for logging in
	a container, and for systemd logging workarounds. File:
	proto/LINUX_README.hmtl.

20220126

	Added defensive logging while waiting for the master daemon
	to initialize in the background. File: master/master_monitor.c.

20220127

	Cleanup: smtpprox hyperlink. File: proto/FILTER_README.html.

20220128

	Clenaup: standardize on FNV hash, after having verified
	that collisions will change with the hash seed value, and
	that the collision rate is low. Files: util/htable.c,
	util/hash_fnv.[hc].

20220129

	Cleanup: factored out the non-cryptographic seeder. Files:
	ldseed.[hc].

20220130

	Cleanup: added a binhash unit test, and updated the htable
	unit test. Files: util/Makefile.in, util/binhash.[hc],
	util/htable.c.

	Cleanup: names of hash_fnv(3) build options. File: hash:fnv.c.

20220202

	Bitrot: Berkeley DB 18 is like Berkeley DB 6. Yasuhiro
	Kimura. File: util/dict_db.c.

20220217

	Typo (introduced: Postfix.3.7): "pcre2 --libs" should be
	"pcre2 --libs8". Reported by Carlos Velasco. File
	proto/PCRE_README.html.

20220322

	Cleanup: added missing _checks, _reply_footer, _reply_filter,
	_command_filter, and _delivery_status_filter parameter names
	to the proxy_read_maps default value. Files: global/mail_params.h,
	mantools/missing-proxy-read-maps.

20220330

	Documentation: updated the postlogd(8) daemon manpage,
	adding that the Postfix >= 3.7 postlog(1) command can run
	with setgid permissions. File: postlogd/postlogd.c.

20220404

	Bugfix: in an internal client module, "host or service not
	found" was a fatal error, causing the milter_default_action
	setting to be ignored. It is now a non-fatal error. The
	same client is used by many Postfix clients (smtpd_proxy,
	dovecot auth, tcp_table, memcache, socketmap, and so on).
	Problem reported by Christian Degenkolb. File: util/inet_connect.c.

20220415

	Cleanup (problem introduced: Postfix 3.0): with dynamic map
	loading enabled, an attempt to create a map with "postmap
	regexp:path" would result in a bogus error message "Is the
	postfix-regexp package installed?" instead of "unsupported
	map type for this operation". This happened with all built-in
	map types (static, cidr, etc.) that have no 'bulk create'
	support. Problem reported by Greg Klanderman. File:
	global/dynamicmaps.c.

20220417

	Cleanup (problem introduced: Postfix 2.7): milter_header_checks
	maps are now opened before the cleanup server enters the
	chroot jail. Problem reported by Jesper Dybdal. Files:
	cleanup/cleanup.h, cleanup/cleanup_init.c,
	cleanup/cleanup_milter.c, cleanup/cleanup_state.c.

20220421

	Bugfix (introduced: Postfix 3.7): reverted an overly complex
	change in the postscreen SMTP engine from 20211023, and
	replaced it with a much simpler change. The bad change was
	segfaulting on some systems after receiving malformed input
	(for example, TLS "hello"). File: postscreen/postscreen_smtpd.c.

	Under conditions described below, the postscreen program
	attempted to read through an uninitialized 'const' pointer.
	The pointer value depended on the compiler type and compiler
	options, but crucially, it did not depend on network inputs.

	The conditions were that SMTPUTF8 support was enabled (the
	default), and that postscreen received non-UTF8 input, for
	example, a TLS or RDP handshake request. Depending on
	compiler details, the result of the read operation could
	be uninteresting, a combined memory leak and file handle
	leak, or a segmentation violation (signal 11).

	The segmentation violation result was reported by Michael
	Grimm who used a FreeBSD 13.1 early version. The result was
	"uninteresting" with FreeBSD 13.0. Both FreeBSD systems use
	Clang instead of GCC. The result was also "uninteresting"
	on Linux-based systems that use GCC, or on a few older
	systems that use GCC.

20220719

	Cleanup: Postfix 3.5.0 introduced debug logging noise in
	map_search_create(). Files: global/map_search.c.

20220724

	Workaround: in a TLS server disable Postfix's 1-element
	internal session cache, to work around an OpenSSL 3.0
	regression that broke TLS handshakes. It is rarely useful.
	Report by Spil Oss, fix by Viktor Dukhovni. File:
	tls/tls_server.c.

20220905

	Cleanup: Postfix 3.3.0 introduced an uninitialized
	verify_append() request status in case of a null original
	recipient address.  File: global/verify.c.

20220906

	Cleanup: Postfix 3.7.1 introduced a missing msg_panic()
	argument (in code that never executes). File:
	cleanup/cleanup_milter.c.

20221006

	Bugfix (introduced: Postfix 3.7.0). A message could falsely
	be flagged as corrupt with "warning: Unexpected record type
	'X'". Such messages were moved to the "corrupt" queue directory,
	where they may still be found. See below for instructions to
	deal with these falsely flagged messages.

	This could happen for messages with 5000 or more recipients,
	or with fewer recipients on a busy mail server. Problem
	reported by Frank Brendel, reproduced by John Alex. Files:
	qmgr/qmgr_message.c, oqmgr/qmgr_message.c.

	A file in the "corrupt" queue directory may be inspected
	with the command "postcat /var/spool/postfix/corrupt/<filename>.
	If delivery of the file is still desired, the file can be
	moved back to /var/spool/postfix/incoming after updating
	Postfix and executing "postfix reload".