1In addition to the names listed below, the following people provided 2useful inputs on many occasions: Paul D. Robertson, Simon J. Mudd. 3Apologies for any names omitted. 4 519980105 6 7 The compiled-in default value for resolve_smtp_sender was 8 wrong (from the days that it was a boolean), causing smtpd 9 to dump core when the variable was not set in main.cf. 10 11 The INSTALL instructions now have separate sections for 12 the three basic ways of running vmailer. 13 14 The INSTALL instructions now have discusses how to deal 15 with chrooted processes. 16 17 Ported to RedHat 5.0. My, these people have re-organized 18 their include files quite a bit, haven't they. 19 2019980106 21 22 On RedHat Linux 4.2/5.0, when a FIFO listener opens the 23 FIFO with mode O_RDONLY, the FIFO remains forever readable 24 after the writer has closed it. Workaround: open the FIFO 25 mode O_RDWR. 26 27 Test program: util/fifo_rdonly_bug.c 28 29 Unfortunately, the above fix triggers a bug on BSD/OS 3.1 30 where opening the FIFO mode O_RDWR causes select() to claim 31 that the FIFO is readable even before any data is written 32 to it, causing read() to block or to fail. 33 34 Test program: util/fifo_rdwr_bug.c 35 36 printfck (check arguments of printf-like function calls) 37 found a missing argument in local/command.c 38 39 Miscellaneous Makefile cleanups that I didn't finish before 40 the first alpha release. 41 4219980107 43 44 Sometimes the DNS will claim that a domain does not exist, 45 when in fact it does. Thus, it is a bad idea to reject mail 46 from apparently non-existent domains. I have changed the 47 smtpd so that it produces a soft error responses when a 48 resolve_smtp_sender test fails with HOST_NOT_FOUND. Note: 49 by default, this test is still disabled. 50 51 The DB and DBM read routines will now automagically figure 52 out if (key, value) pairs were written including a terminating 53 null byte or not. The DB and DBM write routines will use 54 this result to determine how to write, and will fall back 55 to per-system defaults otherwise. 56 57 Renamed the README to MUSINGS, and wrote up a README that 58 reflects the current status of the software. 59 60 Added -d (don't disconnect) and -c (show running counter) 61 option to te smtp-source test program. These tools are 62 great torture tests for the mail software, and for the 63 system that it runs on. 64 65 Turned down the process_limit parameter (# of parallel smtp 66 clients or servers) to avoid unpleasant surprises. You can 67 crank up the process_limit parameter in main.cf. 68 6919980111 70 71 Feature: when run by the superuser, mailq now shows the 72 mail queue even when the mail system is down. To this end, 73 mailq (sendmail -bp) runs the showq program directly instead 74 of connecting to the UNIX-domain service socket, and drops 75 privileges etc. as usual. 76 7719980119 78 79 Bugfix: Edwin Kremer spotted an oversight in the negated 80 host matching code (for name or address patterns prefixed 81 by !). 82 83 Bugfix: upon receipt of a SIGHUP signal, the master now 84 disconnects from its child processes, so that the current 85 generation of child processes commits suicide, and so that 86 the next generation of child processes will use the new 87 configuration settings. 88 89 Bugfix: the smtp server now skips the sender DNS domain 90 lookup test for foo@[address] 91 92 Bugfix: don't append the local domain to foo@[address] 93 9419980120 95 96 Bugfix: old low-priority bug in some list walk code that 97 caused the master to drop core when a service was turned 98 off in master.cf. 99 100 Robustness: the mail system should be able to start up and 101 to accept local postings even while the naming service is 102 down. For this reason, the mail system no longer uses 103 gethostbyname() to look up its own machine name. Sites 104 that use short hostnames will have to specify their FQDN 105 in main.cf (this will eventually be done by the system 106 installation/configuration procedure). Should the config 107 language support backticks so one can say `domainname`? 108 What about $name stuff between the backtics? 109 110 Security: the master now creates FIFOs and UNIX-domain 111 sockets as the mail owner instead of as root, for better 112 protection against subverted mail systems. chmod() is 113 susceptible to race conditions. fchmod(), although safer, 114 often does not work on sockets. 115 116 Portability: anticipate that all major UNIXes will create 117 UNIX-domain sockets with permissions modified by the process 118 umask (required by POSIX). For this reason, we always 119 chmod() UNIX-domain sockets, unless the system allows us 120 to use the safer fchmod() instead. 121 122 Portability: the semi-resident servers now properly handle 123 EWOULDBLOCK returns from accept() in addition to EGAIN 124 (on some systems, EAGAIN and EWOULDBLOCK have different 125 values). 126 127 Bugfix: the semi-resident servers now properly handle EINTR 128 returns From accept(). 129 130 Bugfix: Edwin Kremer found that mynetworks() would compute 131 (32 - mask) instead of mask. 132 13319980121 134 135 Feature: /etc/vmailer/relocated is used by the local delivery 136 program and specifies what mail should be bounced with a 137 "user has moved to XXX" message. The main.cf configuration 138 parameter is "relocated_maps". Just like the "virtual_maps" 139 config parameter, this feature is off by default, and the 140 parameter can have values such as "files" or "files, nis" 141 (on hosts equipped with NIS). 142 14319980123 144 145 Cleanup: virtual domain support moved from the queue manager 146 to the resolve service, where it belongs. 147 148 Feature: /etc/vmailer/canonical is used by the rewrite 149 service for all addresses, and maps a canonical address 150 (user@domain) to another address. Typical use is to generate 151 Firstname.Lastname@domain addresses, or to clean up dirty 152 addresses from non-RFC 822 mail systems. The main.cf 153 configuration parameter is "canonical_maps". Just like 154 the "virtual_maps" config parameter, this feature is off 155 by default, and the parameter can have values such as 156 "files" or "files, nis" (on hosts equipped with NIS). 157 15819980124 159 160 HPUX10 port and many little fixes from Pieter Schoenmakers. 161 162 Bugfix: isolated an old mysterious bug that could make the 163 master deaf for new connections while no child process was 164 running. A typical result was that no pickup daemon would 165 be started after the previous one had terminated voluntarily. 166 167 Bugfix: the NIS lookup code did not mystrdup() the NIS map 168 name and would access free()d memory. 169 17019980125 171 172 Bugfix: the vstream routines would sometimes ignore flushing 173 errors. The error would still be reported by vstream_fclose() 174 and vstream_ferror(). 175 176 Feature: time limit on delivery to shell commands. Config 177 parameter: command_time_limit. Default value: 100 sec. The 178 idea is to prevent one bad .forward file or alias file 179 entry from slowly using up all local delivery process slots. 180 18119980126 182 183 Code cleanup: in preparation for SMTP extensions such as 184 SIZE, allow an extended SMTP command to have a variable 185 number of options. 186 18719980127 188 189 Bugfix: moved canonical map lookups away from the rewriting 190 module to the cleanup service, so that canonical map lookups 191 do not interfere with address rewriting on behalf of other 192 programs. Back to an older trivial-rewrite program version. 193 194 Bugfix: moved virtual map lookups away from the resolver 195 back to the queue manager, so that virtual domain lookup 196 does not interfere with address resolution on behalf of 197 other programs. Back to an older qmgr program version. 198 19919980131 200 201 Feature: integrated and adapted Guido van Rooij's SIZE 202 option (RFC 1870), carefully avoiding potential problems 203 due to overflow (by multiplying large numbers) or unsigned 204 underflow (by subtracting numbers). 205 206 Code cleanup: cleaned up the code that parses the server 207 response to the HELO/EHLO command, so that we can more 208 reliably recognize what options a server supports. 209 21019980201 211 212 Portability: integrated the IRIX 6 port by Oved Ben-Aroya. 213 214 Portability: the software now figures out by itself if a 215 server should open its FIFO read-write or read-only, to 216 avoid getting stuck with a FIFO that stays readable forever. 217 218 Bugfix: the cleanup service would terminate with a fatal 219 vstream_fseek() error when the queue file was too large. 220 221 Bugfix: the cleanup service could be killed by a signal 222 when the queue file became too large. 223 22419980203 225 226 Portability: some systems have statfs(), some have statvfs(), 227 and the relevant include files are in a different place on 228 almost every system. 229 230 Portability: the makedefs script now nukes the -O compiler 231 flag when building on AIX with IBM's own compiler... 232 23319980204 234 235 Portability: HP-UX 9.x support by Pieter Schoenmakers. 236 237 Portability: added SYSV-style ulimit() file size limit 238 support for HP-UX 9.x. 239 240 Portability: added some #includes that appeared to be 241 missing according to the Digital UNIX cc compiler. 242 243 Bugfix: sys_defs.h now correctly specifies NIS support for 244 LINUX2, HPUX9 and HPUX10. 245 246 Security: fixed a file descriptor leak in the local delivery 247 agent that could give shell commands access to the VMailer 248 IPC streams. This should not cause a vulnerability, given 249 the design and implementation of the mailer, but it would 250 be like asking for trouble. 251 252 Bugfix: the sendmail -B (body type) option did not take a 253 value. 254 25519980205 256 257 Bugfix (SUNOS5): should not have deleted the SVID_GETTOD 258 definition from util/sys_defs.h. 259 260 Bugfix (HPUX9): forgot to specify whether to use statfs() 261 or statvfs(). 262 263 Bugfix (HPUX9): don't try to raise the file size ulimit. 264 265 Bugfix (HPUX9): must specify file size limit in 512-blocks. 266 26719980207 268 269 Robustness: the master process now raises the file size 270 limit when it is started with a limit that is less than 271 VMailer's file size limit. File: util/file_limit.c. 272 273 Security: the dns lookup routines now screen all result 274 names with valid_hostname(). Bad names are treated as 275 transient errors. 276 277 Feature: qmail compatibility: when the home_mailbox parameter 278 is set, mail is delivered to ~/$home_mailbox instead of to 279 /var[/spool]/mail/username. This hopefully makes it easier 280 to lure people away from qmail :-) 281 282 Robustness: several testers by accident configured relayhost 283 the same as myhostname. The programs now explicitly check 284 for this mistake. 285 286 Bugfix: deliver_request_read() would free unallocated memory 287 when it received an incomplete delivery request from the 288 queue manager. 289 290 Robustness: local_destination_concurrency=1 prevents parallel 291 delivery to the same user (with possibly disastrous effects 292 when that user has an expensive pipeline in the .forward 293 or procmail config file). Each transport can have its own 294 XXX_destination_concurrency parameter, to limit the number 295 of simultaneous deliveries to the same destination. 296 29719980208 298 299 Robustness: added "slow open" mode, to gradually increase 300 the number of simultaneous connections to the same site as 301 long as delivery succeeds, and to gradually decrease the 302 number of connections while delivery fails. Brad Knowles 303 provided the inspiration to do this. 304 305 This also solves the "thundering herd" problem (making a 306 bunch of connections to a dead host when it was time to 307 retry that host). Let's see when other mailers fix this. 308 309 Feature: Added $smtpd_banner and $mail_version, for those 310 who want to show the world what software version they are 311 running. 312 313 Bugfix: vmailer-script now properly labels each syslog 314 entry. 315 31619980210 317 318 Portability: merged in NEXTSTEP 3 port from Pieter Schoenmakers 319 320 Bugfix: the local delivery program now checks that a 321 destination is a regular file before locking it. 322 32319980211 324 325 Robustness: the local delivery agent sets HOME, LOGNAME, 326 and SHELL when delivering to a user shell command. PATH is 327 always set, and TZ is passed through if it is set. 328 32919980212 330 331 Feature: mailq (sendmail -bp) now also lists the maildrop 332 queue (with mail that hasn't been picked up yet). 333 33419980213 335 336 Feature: the smtpd now says: 502 HELP not implemented. This 337 should impress the heck out of the competition :-) 338 33919980214 340 341 Feature: local delivery to configurable system-wide command 342 (e.g. procmail) avoids the need for per-user ~/.forward 343 shell commands. Config parameter: mailbox_command. 344 34519980215 346 347 Performance: avoid running a shell when a command contains 348 no shell magic characters or built-in shell commands. This 349 speeds up delivery to all commands. File: util/exec_command.c. 350 351 Bugfix: the local delivery agent, after reading EOF from 352 a child process, now sends SIGKILL only when the child does 353 not terminate within a limited amount of time. This avoids 354 some problems with procmail. File: util/timed_wait.c. 355 35619980217 357 358 Portability: folded in NetInfo support from Pieter 359 Schoenmakers. 360 36119980218 362 363 Feature: new vmlock command to run a command while keeping 364 an exclusive lock on a mailbox. 365 366 Feature: with "recipient_delimiter = +", mail for local 367 address "user+foo" is delivered to "foo", with a "Delivered-To: 368 user+foo@domain" message header. Files: qmgr/qmgr_message.c, 369 local/recipient.c. This must be the cheapest feature. 370 37119980219 372 373 Code cleanup: moved error handling into functions that 374 should always succeed (non_blocking(), close_on_exec()). 375 37619980223 377 378 Bugfix: null pointer bug in the cleanup program after 379 processing a From: header with no mail address (or with 380 only a comment). 381 38219980226 383 384 Robustness: now detects when getpwnam() returns a name that 385 differs from the requested name. 386 387 Feature: Added %p support to the vbuf_print formatting 388 module. 389 390 Code cleanup: revamped the alias/include/.forward loop 391 detection and duplicate suppression code in the local 392 delivery agent. This must be the fourth iteration, and 393 again the code has been simplified. 394 39519980228 396 397 Robustness: don't treat anything starting with whitespace 398 as a header record. Instead, explicitly test for leading 399 whitespace where we permit it. Files: global/is_header.c, 400 bounce/bounce_flush_service.c, local/delivered.c. 401 40219980301 403 404 Compatibility: the sendmail program now accepts the -N 405 command-line option (delivery status notification) but 406 ignores it entirely, just like many other sendmail options. 407 408 Bugfix: dns_lookup.c was too conservative with buffer sizes 409 and would incorrectly report "malformed name server reply". 410 41119980302 412 413 Bugfix: the local delivery agent was not null-byte clean. 414 41519980307 416 417 Feature: integrated Pieter Schoenmaker's code for transport 418 lookup tables that list (transport, nexthop) by destination. 419 42019980309 421 422 Bugfix: delivery agents no longer rename corrupt queue 423 files, because programs might fall over each other doing 424 so. Instead, when a delivery agent detects queue file 425 corruption, it chmods the queue file, simulates a soft 426 error, and lets the queue manager take care of the problem. 427 428 Bugfix: the SMTP server implemented VRFY incorrectly. 429 430 Feature: first shot at a pipe mailer, which can be used to 431 extend VMailer with external mail transports such as UUCP 432 (provided that the remote site understands domain addressing, 433 because VMailer version 1 does not rewrite addresses). 434 435 Cleanup: extended the master/child interface so that the 436 service name (from master.cf) is passed on to the child. 437 The pipe mailer needs the service name so it can look up 438 service-specific configuration parameters (privilege level, 439 recipient limit, time limit, and so on). 440 44119980310-12 442 443 Cleanup: factored out the pipe_command() code, so it can 444 be shared between pipe mailer and local delivery agent. 445 44619980314 447 448 Compatibility: the sendmail program now parses each 449 command-line recipient as if it were an RFC 822 message 450 header; some MUAs specify comma-separated recipients in a 451 command-line argument; and some MUAs even specify "word 452 word <address>" forms as command-line arguments. 453 45419980315 455 456 Bugfix: VMailer's queue processing randomization wasn't 457 adequate for unloaded systems with small backlogs. 458 459 Bugfix: smtpd now uses double-buffered stream I/O to prevent 460 loss of input sent ahead of responses. 461 46219980316 463 464 Bugfix: the smtpd anti-relay code didn't treat all hosts 465 listed in $mydestinations as local, so it would accept mail 466 only for hosts listed in $relay_domains (default: my own 467 domain). 468 469 Bugfix: smtpd now replies with 502 when given an unknown 470 command. 471 47219980318 473 474 Cleanup: resolve/rewrite clients now automatically disconnect 475 after a configurable amount of idle time (ipc_idle). 476 47719980322 478 479 Tolerance: VRFY now permits user@domain, even though the 480 RFC requires that special characters such as @ be escaped. 481 48219980325 483 484 Bugfix: a recipient delimiter of "-" could interfere with 485 special addresses such as owner-xxx or double-bounce. 486 487 Tolerance: the SMTP client now permits blank lines in SMTP 488 server responses. 489 490 Tolerance: the SMTP client now falls back to SMTP when it 491 apparently mistook an SMTP server as ESMTP capable. 492 493 Bugfix: eliminated strtok() calls in favor of mystrtok(). 494 Symptom: master.cf parsing would break if $inet_interfaces 495 was more than one word. 496 49719980328 498 499 Bugfix: user->addr patterns in canonical and virtual tables 500 matched only $myorigin, not hosts listed in $mydestination 501 or addresses listed in $inet_interfaces. The man pages 502 were wrong too. File: global/addr_match.c. 503 50419980401 505 506 Robustness: FIFO file permissions now default to 0622. On 507 some systems, opening a FIFO read-only could deafen the 508 pickup daemon. Only the listener end (which is opened as 509 root) needs read access anyway, so there should not be a 510 loss of functionality by making FIFOs non-readable for 511 non-mail processes. 512 51319980402 514 515 Compatibility: sendmail -I and -c options added. 516 51719980403 518 519 Feature: virtual lookups are now recursive. File: 520 qmgr/qmgr_message.c 521 52219980405 523 524 Implemented sendmail -bs (stand-alone) mode. This mode runs 525 as the user and therefore deposits into the maildrop queue. 526 52719980406 528 529 The pickup service now removes malformed maildrop files. 530 53119980407 532 533 The pickup service now guards against maildrop files with 534 time stamps dated into the future. 535 53619980408 537 538 Bugfix: in the canonical and virtual maps, foo->address 539 would match foo@$myorigin only. This has been fixed to also 540 match hosts listed in main.cf:$mydestination and the 541 addresses listed in main.cf:$inet_interfaces. 542 543 Bugfix: added double buffering support to the VMailer SMTP 544 server. This makes the SMTP server robust against SMTP 545 clients that talk ahead of time, and should have been in 546 there from day one. 547 54819980409 549 550 Bugfix: the VMailer SMTP client now recognizes its own 551 hostname in the SMTP greeting banner only when that name 552 appears as the first word on the first line. 553 55419980410 555 556 Feature: smtpd now logs the local queue ID along with the 557 client name/address, and pickup now logs the local queue 558 ID along with the message owner. 559 560 Bugfix: still didn't do virtual/canonical lookups right 561 (code used the non-case-folded key instead of the case 562 folded one). 563 56419980418 565 566 Bugfix: the SMTP server did not flush the "250 OK queued 567 as XXXX" message from the SMTP conversation history. 568 56919980419 570 571 Bugfix: qmgr would not notice that a malformed message has 572 multiple senders, and would leak memory (Tom Ptacek). 573 57419980421 575 576 Portability: in the mantools scripts, the expr pattern no 577 longer has ^ at the beginning, and the scripts now use the 578 expand program instead of my own detab utility. 579 58019980425 581 582 NetBSD 1.x patch by Soren S. Jorvang. 583 58419980511 585 586 Feature: the SMTP server now logs the protocol (SMTP or 587 ESMTP) as part of the Received: header. 588 589 Feature: smtpd now logs the last command when a session is 590 aborted due to timeout, unexpected EOF, or too many client 591 errors. 592 59319980514 594 595 Bugfix: the queue manager did not update the counter for 596 in-core message structures, so the in-core message limit 597 had no effect. This can be bad when you have a large backlog 598 with many messages eligible for delivery. 599 600 Robustness: the queue manager now also limits the total 601 number of in-core recipient structures, so that it won't 602 use excessive amounts of memory on sites that have large 603 mailing lists. 604 60519980518 606 607 Bugfix: the SMTP client did not notice that the DNS client 608 received a truncated response. As a result, a backup MX 609 host could incorrectly claim that it was the best MX host 610 and declare a mailer loop. 611 612 Added start_msg/stop_msg entries to the vmailer startup 613 script, for easy installation. 614 615 Cleanup: VMailer databases are now explicitly specified as 616 type:name, for example, hash:/etc/aliases or nis:mail.aliases, 617 instead of implicitly as "files", "nis" and so on. Test 618 program: util/dict_open. This change allowed me to 619 eliminate a lot of redundant code from mkmap_xxx.c, and 620 from everything that does map lookups. 621 62219980525 623 624 Bugfix: local/dotforward.c compared the result of opening 625 a user's ~/.forward against the wrong error value. 626 62719980526 628 629 Bugfix: the smtpd VRFY command could look at free()d memory. 630 631 Robustness: the smtpd program had a fixed limit on the 632 number of token structures. The code now dynamically 633 allocates token structures. 634 635 Bugfix: the queue manager still used the deprecated parameter 636 name xxx_deliver_concurrency for concurrency control, but 637 the documentation talks about the preferred parameter name 638 xxx_destination_concurrency. Fix: try xxx_destination_concurrency 639 first, then fall back to xxx_deliver_concurrency. 640 64119980621-19980702 642 643 Cleanup: the string read routines now report the last 644 character read or VSTREAM_EOF. This change is necessary 645 for the implementation of the long SMTP line bugfix. 646 647 Bugfix: the smtp server exited the DATA command prematurely 648 when the client sent long lines. Reason: the smtp server 649 did not remember that it broke long lines, so that '.' 650 could appear to be the first character on a line when in 651 fact it wasn't. 652 653 Bugfix: the queue manager made lots of stupid errors while 654 reading $qmgr_message_recipient_limit chunks of recipients 655 from a queue file. This code has been restructured. 656 65719980706 658 659 Performance: the cleanup program now always adds return-receipt 660 and errors-to records to a queue file, so that the queue 661 manager does not have to plow through huge lists of 662 recipients. 663 664 Robustness: the initial destination concurrency now defaults 665 to 2, so that one bad message or one bad connection does 666 not stop all mail to a site. The configuration parameter 667 is called initial_destination_concurrency. 668 669 Performance: the per-message recipient limit is now enforced 670 by the queue manager instead of by the transport. Thus, a 671 large list of recipients for the same site is now mapped 672 onto several delivery requests which can be handled in 673 parallel, instead of being mapped onto one delivery request 674 that is sent to limited numbers of recipients, one group 675 after the other. 676 67719980707 678 679 Cleanup: the queue manager now does an additional recipient 680 sort after the recipients have been resolved, so that the 681 code can do better aggregation of recipients by next hop 682 destination. 683 684 Feature: lines in the master.cf file can now be continued 685 in the same manner as lines in the main.cf file, i.e. by 686 starting the next line with whitespace. 687 688 Feature: the smtp client now warns that a message may be 689 delivered multiple times when the response to "." is not 690 received (the problem described in RFC 1047). 691 692 Cleanup: when the queue manager changes its little mind 693 after contacting a delivery agent (for example, it decides 694 to skip the host because a transport or host goes bad), 695 the delivery agent no longer complains about premature EOF. 696 File: global/deliver_request.c 697 69819980709 699 700 Bugfix: when breaking long lines, the SMTP client did not 701 escape leading dots in secondary etc. line fragments. Fix: 702 don't break lines. This change makes VMailer line-length 703 transparent. Files: global/smtp_stream.c, smtp/smtp_proto.c. 704 70519980712 706 707 Cleanup: the queue manager to deliver agent protocol now 708 distinguishes between domain-specific soft errors and 709 recipient-specific soft errors. Result: many soft errors 710 with SMTP delivery no longer affect other mail the same 711 domain. 712 71319980713 714 715 Feature: the file modification time stamp of deferred queue 716 files is set to the nearest wakeup time of their recipient 717 hosts, or if delivery was deferred due to a non-host problem, 718 the time stamp is set into the future by the configurable 719 minimal backoff time. 720 721 Bugfix: the SMTP client and the MAILQ command would report 722 as message size the total queue file size. That would 723 grossly overestimate the size of a message with many 724 recipients. 725 726 Bugfix: the 19980709 fix screwed up locally-posted mail 727 that didn't end in newline. 728 72919980714 730 731 Robustness: the makedefs script now defaults to no optimization 732 when compiling for purify. 733 73419980715 735 736 Robustness: the makedefs script now defaults to no optimization 737 when compiling with gcc 2.8, until this compiler is known 738 to be OK. 739 740 Workaround: when sending multiple messages over the same 741 SMTP connection, some SMTP servers need an RSET command 742 before the second etc. MAIL FROM command. The VMailer SMTP 743 client now sends a redundant RSET command just in case. 744 745 The queue manager now logs explicitly when delivery is 746 deferred because of a "dead" message transport. 747 74819980716 749 750 Feature: mailq and mail bounces now finally report why mail 751 was deferred (the reason was logged to the syslog file 752 only). Changes were made to the bounce service (generalized 753 to be usable for defer logs), showq service (to show reasons) 754 and the queue manager. 755 756 As a result the defer directory (with one log per deferred 757 message) may contain many files; also, this directory is 758 accessed each time a message is let into the active queue, 759 in order to delete its old defer log. This means that hashed 760 directories are now a must. 761 76219980718-20 763 764 Feature: configurable timeout for establishing smtp 765 connections. Parameter: smtp_connect_timeout (default 0, 766 which means use the timeout as wired into the kernel). 767 Inspired by code from Lamont Jones. For a clean but far 768 from trivial implementation, see util/timed_connect.c 769 770 Cleaned up the interfaces that implement read/write deadlines. 771 Instead of returning -2, the routines now set errno to 772 ETIMEDOUT; the readable/writable tests are now separate. 773 77419980722 775 776 Feature: the default indexed file type (hash, btree, dbm) 777 is now configurable with the "database_type" parameter. 778 The default value for this parameter is system specific. 779 780 Feature: selectively turn on verbose logging for hosts that 781 match the patterns specified via the "debug_peer_list" 782 config parameter. Syntax is like the "bad_smtp_clients" 783 parameter (see global/peer_list.c). The verbose logging 784 level is specified with "debug_peer_level" (default 2). 785 786 Security: the local delivery agent no longer delivers to 787 files that have execute permission enabled. 788 78919980723 790 791 Workarounds for Solaris 2.x UNIX-domain sockets: they lose 792 data when you close them immediately after writing to them. 793 This could screw up the delivery agent to queue manager 794 protocol. 795 79619980724 797 798 Cleanup: spent most of the day cleaning up queue manager 799 code that defers mail when a site or transport dies, and 800 fixed a few obscure problems in the process. 801 80219980726 803 804 Feature: the admin can now configure what classes of problems 805 result in mail to the postmaster. Configuration parameter: 806 "notify_classes". Default is backwards compatible: bounce, 807 policy, protocol, resource, and software. 808 80919980726-28 810 811 Feature: the admin can now configure what smtp server access 812 control restrictions must be applied, and in what order. 813 Configuration parameters: smtpd_client_restrictions, 814 smtpd_helo_restrictions, smtpd_mail_restrictions and 815 smtpd_rcpt_restrictions. Defaults are intended to be 816 backwards compatible. The bad_senders and bad_clients lists 817 are gone and have become db (dbm, nis, etc) maps. Files: 818 smtpd/smtpd_check.c, config/main.cf. 819 82019980729-31 821 822 Feature: hashed queues. Rewrote parts of the mail queue 823 API. Configuration parameters: "hash_queue_names" specifies 824 what queue directories will be hashed (default: the defer 825 log directory), "hash_queue_depth" specifies the number of 826 subdirectories used for hashing (default 2). 827 82819980802 829 830 Bugfix: the pipe mailer should expand command-line arguments 831 with $recipient once for every recipient (producing one 832 command-line argument per recipient), instead of replacing 833 $recipient by of all recipients (i.e. producing only one 834 command-line argument). This is required for compatibility 835 with programs that expect to be run from sendmail, such as 836 uux. Thanks to Ollivier Robert for helping me to get this 837 right. 838 839 Code cleanup: for the above, cleaned up the macro expansion 840 code in dict.c and factored out the parsing into a separate 841 module, mac_parse.c. 842 84319980803 844 845 "|command" and /file/name destinations in alias databases 846 are now executed with the privileges of the database owner 847 (unless root or vmailer). Thus, with: "alias_maps = 848 hash:/etc/aliases, hash:/home/majordomo/aliases", and with 849 /home/majordomo/aliases* owned by the majordomo account, 850 you no longer need the majordomo set-uid wrapper program, 851 and you no longer need root privileges in order to install 852 a new mailing list. 853 85419980804 855 856 Added support for the real-time blackhole list. Example: 857 "client_restrictions = permit_mynetworks, reject_maps_rbl" 858 859 All SMTP server "reject" status codes are now configurable: 860 unknown_client_reject_code, mynetworks_reject_code, 861 invalid_hostname_reject_code, unknown_hostname_reject_code, 862 unknown_address_reject_code, relay_domains_reject_code, 863 access_map_reject_code, maps_rbl_reject_code. Default values 864 are documented in the smtpd/smtpd_check.c man page. 865 86619980806-8 867 868 Code cleanup: after eye balling line-by line diffs, started 869 deleting code that duplicated functionality because it was 870 at the wrong abstraction level (smtp_trouble.c), moved 871 functionality that was in the wrong place (dictionary 872 reference counts in maps.c instead of dict.c), simplified 873 code that was too complex (password-file structure cache) 874 and fixed some code that was just wrong. 875 87619980808 877 878 Robustness: the number of queue manager in-core structures 879 for dead hosts is limited; the limit scales with the limit 880 on the number of in-core recipient structures. The idea is 881 to not run out of memory under conditions of stress. 882 88319980809 884 885 Feature: mail to files and commands can now be restricted 886 by class: alias, forward file or include file. The default 887 restrictions are: "allow_mail_to_files = alias, forward" 888 and allow_mail_to_commands = alias, forward". The idea is 889 to protect against buggy mailing list managers that allow 890 intruders to subscribe /file/name or "|command". 891 89219980810-12 893 894 Cleanup: deleted a couple hundred lines of code from the 895 local delivery agent. It will never be a great program; 896 sendmail compatibility is asking a severe toll. 897 89819980814 899 900 Cleanup: made the program shut up about some benign error 901 conditions that were reported by Daniel Eisenbud. 902 90319980814-7 904 905 Documentation: made a start of HTML docs that describe all 906 configuration parameters. 907 908 Feature: while documenting things, added smtpd_helo_required. 909 91019980817 911 912 Bugfix: at startup the queue manager now updates the time 913 stamps of active queue files some time into the future. 914 This eliminates duplicate deliveries after "vmailer reload". 915 916 Bugfix: the local delivery agent now applies the recipient 917 delimiter after looking in the alias database, instead of 918 before. 919 920 Documentation bugfixes by Matt Shibla, Tom Limoncelli, 921 Eilon Gishri. 922 92319980819 924 925 GLIBC fixes from Myrdraal. 926 927 Bugfix: applied showq buffer reallocation workaround in 928 the wrong place. 929 930 Bugfix: can't use shorts in varargs lists. SunOS 4 has 931 short uid_t and gid_t. pipe_command() would complain. 932 933 Bugfix: can't use signed char in ctype macros. All ctype 934 arguments are now casted to unsigned char. Thanks, Casper 935 Dik. 936 93719980820 938 939 Bugfix: save the alias lookup result before looking up the 940 owner. The previous alpha release did this right. 941 942 Cleanup: mail_trigger() no longer complains when the trigger 943 FIFO or socket is unavailable. This change is necessary to 944 shut up the sendmail mail posting program, so that it can 945 be used on mail clients that mount their maildrop via NFS. 946 947 Experiment: pickup and pipe now run as vmailer most of the 948 time, and switch to user privileges only temporarily. 949 Files: util/set_eugid.c global/pipe_command.c pipe/pipe.c 950 pickup/pickup.c. Is this more secure/ What about someone 951 manipulating such a process while not root? It still has 952 ruid == 0. 953 95419980822 955 956 Portability: with GNU make, commands such as "(false;true)" 957 and "while :; do false; done" don't fail. Workaround: use 958 "set -e" all over the place. Problem found by Jeff Wolfe. 959 960 Feature: "check_XXX_access maptype:mapname" (XXX = client, 961 helo, sender, recipient). Now you can make recipient and 962 other SPAM restrictions dependent on client or sender access 963 tables lookup results. 964 96519980823 966 967 Bugfix: smtpd access table lookup keys were case sensitive. 968 969 Added "permit" and "reject" operators. These are useful at 970 the end of SPAM restriction lists (smtpd_XXX_restrictions). 971 972 Added a first implementation of the permit_mx_backup SPAM 973 restriction. This permits mail relaying to any domain that 974 lists this mail system as an MX host (including mail for 975 the local machine). Thanks to Ollivier Robert for useful 976 discussions. 977 97819980824 979 980 Bugfix: transport table lookup keys were case sensitive. 981 98219980825 983 984 Portability: sa_len is some ugly #define on some SGI systems, 985 so we must rename identifiers (file util/connect.c). 986 987 Bugfix: uucp delivery errors are now sent to the sender. 988 Thanks, Mark Delany. 989 990 Bugfix: the pipe delivery agent now replaces empty sender 991 by the mailer daemon address. Mark Delany, again. 992 993 Portability: GNU getopt looks at all command-line arguments. 994 Fix: insert -- into the pipe/uucp definition in master.cf. 995 996 Bugfix: the smtp server command tokenizer silently discarded 997 the [] around [text], so that HELO [x.x.x.x] was read as 998 if the client had sent: HELO x.x.x.x. Thanks, Peter Bivesand. 999 1000 Bugfix: the HELO unknown hostname/bad hostname restrictions 1001 would have treated [text] as a domain name anyway. 1002 1003 Bugfix: the $local_duplicate_filter_limit value was not 1004 picked up by the local delivery agent. This means the local 1005 delivery agent could run out of memory on large mailing 1006 list deliveries. 1007 100819980826 1009 1010 Performance: mkmap/mkalias now run with the same speed as 1011 sendmail. VMailer now uses a 4096-entry cache with 1 Mbyte 1012 of memory for DB lookups. File: util/dict_db.c. 1013 101419980902 1015 1016 Robustness: the reject_unknown_hostname restriction for 1017 HELO/EHLO hostnames will now permit names that have an MX 1018 record instead of an A record. 1019 102019980903 1021 1022 Feature: appending @$myorigin to an unqualified address is 1023 configurable with the boolean append_at_myorigin parameter 1024 (default: yes). 1025 1026 Feature: appending .$mydomain to user@host is configurable 1027 with the boolean append_dot_mydomain parameter (default: 1028 yes). 1029 1030 Feature: site!user is rewritten to user@site, under control 1031 of the boolean parameter swap_bangpath (default: yes). 1032 1033 Feature: permit a naked IP address in HELO commands (i.e. 1034 an address without the enclosing [] as required by the 1035 RFC), by specifying "permit_naked_ip_address" as one of 1036 the restrictions in the "smtpd_helo_restrictions" config 1037 parameter. 1038 103919980904 1040 1041 Code cleanup: when an SMTP client aborts a session after 1042 sending MAIL FROM, the cleanup service no longer warns that 1043 it is "skipping further client input". Files: cleanup/*.c. 1044 Thanks, Daniel Eisenbud, for prodding. 1045 1046 Code cleanup: when an SMTP server disconnects in the middle 1047 of a session, don't try to send QUIT over the non-existing 1048 connection. Files: global/smtp_stream.c, smtp/smtp.c. 1049 Thanks, Daniel Eisenbud, for prodding, again. 1050 1051 Code cleanup: the VMailer version number has moved from 1052 mail_params.h (which is included by lots of modules) to a 1053 separate file global/mail_version.h, so that a version 1054 change no longer results in massive recompilation. 1055 1056 Bugfix: Errors-To was flagged as a sender address, so the 1057 address never was picked up. 1058 1059 Code cleanup: support for Errors-To: headers completed. 1060 106119980905 1062 1063 Feature: per-message exponential delivery backoff, by 1064 looking at the amount of time a message has been queued. 1065 Thanks, Mark Delany. 1066 106719980906 1068 1069 Code cleanup: ripped out the per-host exponential backoff 1070 code. It was broken by 19980818. It was probably a bad idea 1071 anyway, because it required per-host, in-core, state kept 1072 by the queue manager. All we do now is to keep state for 1073 $minimal_backoff_time seconds, but only for a limited number 1074 of hosts. Daniel Eisenbud spotted the problem. 1075 1076 Lost feature: the SMTP session transcripts now show who 1077 said what. This feature was inadvertently dropped during 1078 development. Thanks, Daniel Eisenbud, for reminding. 1079 1080 Documentation: the hard-coded rewriting process of the 1081 trivial-rewrite program is described in html/rewrite.html. 1082 1083 Feature: the local delivery agent now does alias lookups 1084 before and after chopping off the recipient subaddress. 1085 This allows you to forward user-anything to another user, 1086 without losing the ability to redirect specific user-foo 1087 addresses. 1088 108919980909 1090 1091 Feature: the smtp client now logs a warning that a server 1092 sends a greeting banner with the client's hostname, which 1093 could imply a mailer loop. 1094 109519980910 1096 1097 Feature: separate canonical maps for sender and recipient 1098 address rewriting, so that you can rewrite an ugly sender 1099 address and still forward mail to that same ugly address 1100 without creating a mailer loop. Files: cleanup_envelope.c, 1101 cleanup_message.c, cleanup_rewrite.c. 1102 110319980911 1104 1105 Feature: virtual maps now support multiple addresses on 1106 the right-hand side. In the case of virtual domains this 1107 can eliminate the need for address expansion via local 1108 aliases, making virtual domains much easier to administer. 1109 This required that I moved the virtual table lookups from 1110 the queue manager to the cleanup service, so that every 1111 recipient has an on-disk status record. Files: qmgr.c, 1112 qmgr_message.c, cleanup_envelope.c, cleanup_rewrite.c, 1113 cleanup_virtual.c. 1114 1115 Feature: sendmail/mailq/newaliases pass on the -v flag to 1116 the program that they end up running, to make debugging a 1117 little easier. 1118 111919980914 1120 1121 Bugfix: some anti-spam measures didn't recognize some 1122 addresses as local and would do too much work. File: 1123 smtpd_check.c. 1124 1125 Bugfix: the smtp sender/recipient table lookup restriction 1126 destroyed global data, so that other restrictions could 1127 break. File: smtpd_check.c. 1128 1129 Bugfix: after vmailer reload, single-threaded servers could 1130 exit before flushing unwritten data to the client. Example: 1131 cleanup would exit before acking success to pickup, so the 1132 message would be delivered twice. Bug reported by Brian 1133 Candler. 1134 1135 Cleanup: removed spurious error output from vmailer-script. 1136 Reported by Brian Candler. 1137 1138 Tolerance: ignore non-numeric SMTP server responses. There's 1139 lot of brain damage out there on the net. 1140 114119980915 1142 1143 Feature: the smtp-sink benchmark tool now announces itself 1144 with a neutral name so that it can be run on the same 1145 machine as VMailer, without causing Postfix to complain 1146 about a mailer loop. 1147 1148 Robustness: on LINUX, vmailer-script now does chattr +S to 1149 force synchronous directory updates. Fix developed with 1150 Chris Wedgwood. 1151 115219980916 1153 1154 Bugfix: when transforming an RFC 822 address to external 1155 form, there is no need to quote " characters in comments. 1156 This didn't break anything, it just looked ugly. File: 1157 global/tok822_parse.c 1158 115919980917 1160 1161 Workaround: with deliveries to /file/name, use fsync() and 1162 ftruncate() only on regular files. File: local/file.c 1163 1164 Workaround: the plumbing code in master_spawn.c didn't 1165 check if it was dup2()/close()ing a descriptor to itself 1166 then closing it. Will have to redo the plumbing later. 1167 116819980918 1169 1170 Workaround: on multiprocessor Solaris machines, one-second 1171 rollover appears to happen on different CPUs at slightly 1172 different times. Made the queue manager more tolerant for 1173 such things. Problem reported by Daniel Eisenbud. 1174 1175 Workaround: in preparation for deployment with a network-shared 1176 maildrop directory. make pickup more tolerant against clock 1177 drift between clients and servers. 1178 117919980921 1180 1181 New vstream_popen() module that opens a two-way channel 1182 across a socketpair-based pipe. This module isn't being 1183 used yet; it is here only to complete the vstream code. 1184 118519980922 1186 1187 Code cleanup: the xxx_server_main() interface for master 1188 child processes now uses a name-value argument list instead 1189 of an ugly and inflexible data structure. 1190 1191 Bugfix: moved the test if a non-interactive process is run 1192 by hand, so that the "don't do this" error message can be 1193 printed to stderr before any significant processing. 1194 1195 Bugfix: smtpd now can talk to unix-domain sockets without 1196 bailing out on a peer lookup problem. Files: smtpd/smtpd.c, 1197 util/peer_name.c. 1198 1199 Safety: by default, the postmaster is no longer informed 1200 of protocol problems, policy violations or bounces. 1201 1202 Safety: the SMTP server now sleeps before sending a [45]xx 1203 error response, in order to prevent clients from hammering 1204 the server with a connect/error/disconnect loop. Parameter: 1205 smtpd_error_sleep_time (default: 5). 1206 1207 Feature: the logging facility is compile-time configurable 1208 (e.g., make makefiles "CCARGS=-DLOG_FACILITY=LOG_LOCAL1"). 1209 121019980923 1211 1212 Bugfix: changed virtual/canonical map search order from 1213 (user@domain, @domain, user) to (user@domain, user, @domain) 1214 so the search order is most specific to least specific. 1215 File: global/addr_map.c, lots of documentation. 1216 1217 Bugfix: after the change of 19980910, cleanup_message 1218 extracted recipients from Reply-To: etc. headers. Found 1219 by Lamont Jones. 1220 122119980925 1222 1223 Bugfix: the change in virtual/canonical map search order 1224 broke @domain entries; they would never be looked up if 1225 the address matched $myorigin or $mydestinations. Found by 1226 Chip Christian who now regrets asking for the change. 1227 1228 Bugfix: cleanup initialized an error mask incorrectly, so 1229 that it would keep writing to a file larger than the queue 1230 file size limit, and so it would treat the error as a 1231 recoverable one instead of sending a bounce. Thanks, Pieter 1232 Schoenmakers. 1233 1234 Bugfix: the "queue file cleanup on fatal error" action was 1235 no longer enabled in the sendmail mail posting agent. 1236 1237 Feature: the sendmail mail posting program now returns 1238 EX_UNAVAILABLE when the size of the input exceeds the queue 1239 file size limit. NB THIS CHANGE HAS BEEN WITHDRAWN. 1240 124119980926 1242 1243 Code cleanup: the dotlock file locking routine is no longer 1244 derived from Eric Allman's 4.3BSD port of mail.local. 1245 1246 Code cleanup: the retry strategy of the file locking routines 1247 dot_lockfile() and deliver_flock() is now configurable 1248 (deliver_flock_attempts, deliver_flock_delay, deliver_flock_stale). 1249 1250 Code cleanup: the master.pid lock file is now created with 1251 symlink paranoia, and is properly locked so that PID rollover 1252 will not cause false matches. 1253 1254 Bugfix: the vbuf_print() formatting engine did not know 1255 about the '+' format specifier. 1256 1257 Cleanup: replaced unnecessary instances of stdio calls by 1258 vstream ones. 1259 126019980929-19981002 1261 1262 Compatibility: added support for "sendmail -q". This required 1263 a change to the queue manager trigger protocol, and a code 1264 reorganization of the way queue scans were done. The queue 1265 manager socket now has become public. 1266 126719981002 1268 1269 SMTPD now logs "lost connection after end-of-message" 1270 instead of "lost connection after DATA". 1271 127219981005 1273 1274 More bullet proofing: timeouts on all triggers. 1275 127619981006 1277 1278 Bugfix: make the number of cleanup processes unlimited, in 1279 order to avoid deadlock. The number of instances needed is 1280 one per smtp/pickup process, and an indeterminate number 1281 per local delivery agent. Thanks, Thanks, David Miller and 1282 Terry Lorrah for cleueing me in. 1283 1284 Bugfix: "sendmail -t" extracted recipients weren't subjected 1285 to virtual mapping. Daniel Eisenbud strikes again. 1286 128719981007 1288 1289 Compatibility: if the first input line ends in CRLF, the 1290 sendmail posting agent will treat all CRLF as LF. Otherwise, 1291 CRLF is left alone. This is a compromise between sendmail 1292 compatibility (all lines end in CRLF) and binary transparency 1293 (some, but not all, lines contain CRLF). 1294 129519981008 1296 1297 Robustness: stop recursive virtual expansion when the 1298 left-hand side appears in its own expansion. 1299 130019981009 1301 1302 Portability: trigger servers such as pickup and qmgr can 1303 now use either FIFOs or UNIX-domain sockets; hopefully at 1304 least one of them works properly. Trigger clients were 1305 already capable of using either form of local IPC. 1306 130719981011 1308 1309 Feature: masquerading. Strip subdomains from domains listed 1310 in $masquerade_domains. Exception: envelope recipients are 1311 left alone, in order to not screw up routing. 1312 131319981015 1314 1315 Code cleanup: moved the recipient duplicate filter from 1316 the user-level sendmail posting agent to the semi-resident 1317 cleanup service, so that the filter operates on the output 1318 from address canonicalization and of virtual expansion, 1319 instead of operating on their inputs. 1320 132119981016 1322 1323 Bugfix: after kill()ing a bunch of child processes, wait() 1324 sometimes fails before all children have been reaped, and 1325 must be called again, or the master will SIGSEGV later. 1326 Problem reported by Scott Cotton. 1327 1328 Workaround: don't log a complaint when an SMTP client goes 1329 away without sending QUIT. 1330 133119981018 1332 1333 Workaround: Solaris 2.5 ioctl SIOCGIFCONF returns a hard 1334 error (EINVAL) when the result buffer is not large enough. 1335 This can happen on systems with many real or virtual 1336 interfaces. File: util/inet_addr_local.c. Problem reported 1337 by Scott Cotton. 1338 1339 Workaround: the optional HELO/EHLO hostname syntax check 1340 now allows a single trailing dot. 1341 1342 Workaround: with UNIX-domain sockets, LINUX connect() blocks 1343 until the server calls accept(). File: qmgr/qmgr_transport.c. 1344 Terry Lorrah and Scott Cotton provided the necessary 1345 evidence. 1346 134719981020 1348 1349 Robustness: recursive canonical mapping terminates when 1350 the result stops changing. 1351 1352 Code cleanup: reorganized the address rewriting and mapping 1353 code in the cleanup service, to make it easier to implement 1354 the previous enhancement. 1355 135619981022 1357 1358 Code cleanup: more general queue scanning programming 1359 interface, in preparation for hashed queues. File: 1360 qmgr/qmgr_scan.c. 1361 1362 Bugfix: a non-FIFO server with a process limit of 1 has a 1363 too short listen queue. Until now this was not a problem 1364 because only FIFO servers had a process limit of 1, and 1365 FIFOs have no listen queue. Fix: always configure a listen 1366 queue of proc_limit or more. File: master/master_listen.c. 1367 136819981023 1369 1370 Feature: by popular request, mail delay is logged when 1371 delivering, bouncing or deferring mail. 1372 137319981024 1374 1375 Cleanup: double-bounce mail is now absorbed by the queue 1376 manager, instead of the local delivery agent, so that the 1377 mail system will not go mad when no local delivery agent 1378 is configured. 1379 138019981025 1381 1382 Cleanup: moved the relocated table from the local delivery 1383 agent to the queue manager, so that the table can also be 1384 used for virtual addresses. 1385 1386 Code reorg: in order for the queue manager to absorb 1387 recipients, the queue file has to stay open until all 1388 recipients have been assigned to a destination queue. 1389 139019981026 1391 1392 vmlogger command, so that vmailer-script logging becomes 1393 consistent with the rest of the VMailer system. 1394 1395 Code reorg: logger interface now can handle multiple output 1396 handlers (e.g. syslog and stderr stream). 1397 1398 Bugfix: a first line starting with whitespace is no longer 1399 treated as an extension of our own Received: header. Files: 1400 smtpd/smtpd.c, pickup/pickup.c. 1401 140219981027 1403 1404 Bugfix: the bang-path swapping code went into a loop on an 1405 address consisting of just a single !. Eilon Gishri had 1406 the privilege of finding this one. 1407 1408 Workaround: the non-blocking UNIX-domain socket connect is 1409 now enabled only on systems that need it. It may cause 1410 kernel trouble on Solaris 2.x. 1411 1412 Bugfix: the resolver didn't implement bangpath swapping, 1413 so that mail for site!user@mydomain would be delivered to 1414 a local user named "site!user". 1415 141619981028 1417 1418 Cleanup: a VSTREAM can now use different file descriptors 1419 for reading and writing. This was necessary to prevent 1420 "sendmail -bs" and showq from writing to stdin. Eilon Gishri 1421 observed the problem. 1422 142319981029 1424 1425 The RFC 822 address manipulation routines no longer give 1426 special attention to 8-bit data. Files: global/tok822_parse.c, 1427 global/quote_822_local.c. 1428 1429 Bugfix: host:port and other non-domain stuff is no longer 1430 allowed in mail addresses. File: qmgr/qmgr_message.c. 1431 1432 Workaround: LINUX accept() wakes up before the three-way 1433 handshake is complete, so it can fail with ECONNRESET. 1434 Files: master/single_server.c, master/multi_server.c. 1435 1436 Feature: when delivering to user+foo, try ~user/.forward+foo 1437 before trying ~user/.forward. 1438 1439 Bugfix: smtpd in "sendmail -bs" (stand-alone) mode didn't 1440 clean up when terminated by a signal. 1441 1442 Bugfix: smtpd in "sendmail -bs" (stand-alone) mode should 1443 not try to enforce spam controls because it cannot access 1444 the address rewriting machinery. 1445 1446 Cleanup: the percent hack (user%domain -> user@domain) is 1447 now configurable (allow_percent_hack, default: yes). 1448 1449 Bugfix: daemons in -S (stand-alone) mode didn't change 1450 directory to the queue. This was no problem with daemons 1451 run by the sendmail compatibility program. 1452 145319981030 1454 1455 Feature: when virtual/canonical/relocated lookup fails for 1456 an address that contains the optional recipient delimiter 1457 (e.g., user+foo@domain), the search is done again with the 1458 unextended address (e.g., user@domain). File: global/addr_find.c. 1459 1460 Code reorg: the address searching is now implemented by a 1461 separate module global/addr_find.c, so that the same code 1462 can be used for both (non-mapping) relocated table lookups 1463 and for canonical and virtual mapping. The actual mapping 1464 is still done in the global/addr_map.c module. 1465 1466 Robustness: the SMTP client now skips hosts that don't send 1467 greeting banner text. File: smtp/smtp_connect.c 1468 1469 Feature: preliminary support to disable delivered-to. This 1470 is desirable for mailing list managers that don't want to 1471 advertise internal aliases. 1472 1473 Generic support: when the recipient_feature_delimiter 1474 configuration parameter is set, the local delivery agent 1475 uses it to split the recipient localpart into fields. Any 1476 field that has a known name such as "nodelivered" enables 1477 the corresponding delivery feature. 1478 147919981031 1480 1481 Code reorg: address splitting on recipient delimiter is 1482 now centralized in global/split_addr.c, which knows about 1483 all reserved names that should never be split. 1484 1485 Robustness: when a request for an internal service cannot 1486 be satisfied because the master has terminated, terminate 1487 instead of trying to reach the service every 30 seconds. 1488 1489 Safety: the local delivery agent now runs as vmailer most 1490 of the time, just like pickup and pipe. Files: local/local.c, 1491 local/mailbox.c 1492 149319981101 1494 1495 Compatibility: the tokenizer for alias/forward/etc. 1496 expansion now updates an optional counter with the number 1497 of destinations found; If no destinations is found in a 1498 .forward file, deliver to the mailbox instead. Thanks, 1499 Daniel Eisenbud, for showing the way to go. 1500 1501 Robustness: the pickup daemon should always include a 1502 posting-time record, even when the sendmail posting agent 1503 didn't. However, just like before, user-provided posting 1504 times will be ignored. Ollivier Robert found this one. 1505 1506 Robustness: duplicate entries in aliases or maps now cause 1507 a warning instead of a fatal error (and an incomplete file). 1508 1509 Robustness: mkmap now prints a warning when an entry is in 1510 "key: value" format, which is the format expected for alias 1511 databases, not for maps. 1512 1513 Portability: on LINUX, prepend "+" to the getopt() options 1514 string so that getopt() will stop at the first non-option 1515 argument. Suggestion by Marco d'Itri. 1516 151719981103 1518 1519 Cleaned up the set_eugid() and open_as() implementations, 1520 and added stat_as() and fstat_as() so that the local delivery 1521 agent would look up include files and .forward files with 1522 the right privileges. 1523 152419981104 1525 1526 Bugfix: the :include: routine now stat()s/open()s files 1527 included by root-owned aliases as root, not as nobody. 1528 1529 Bugfix: the master crashed when a service with wakeup timer 1530 was disabled or renamed. Fix: eliminate some pathological 1531 coupling between process management and wakeup management. 1532 1533 Feature: partial implementation of ETRN (causes a full 1534 deferred queue scan). Thanks Lamont Jones for reminding me 1535 that things can be useful already before they are perfect. 1536 1537 Cleanup: simplified the SMTPD tokenizer. 1538 1539 Bugfix: sendmail -bs didn't properly notify the mail system 1540 of new mail. 1541 1542 Compatibility: the MAIL FROM and RCPT TO commands now accept 1543 the most common address forms without enclosing <>. The <> 1544 is still needed for addresses that contain a "string", an 1545 [address], or a colon (:). 1546 154719981105 1548 1549 Bugfix: "master -t" would claim that the master runs when 1550 in fact the pid directory does not exist, causing trouble 1551 with first time startup (reported by several). 1552 1553 Portability: added a sane_accept() module that maps all 1554 beneficial accept() error results to EAGAIN. According to 1555 private communication with Alan Cox, Linux 2.0.x accept() 1556 can return a variety of error conditions, so we play safe 1557 and allow for any error that may happen because SYN+ACK 1558 could not be sent. 1559 1560 Portability: NETBSD1 uses dotlock files (Perry Metzger). 1561 1562 Bugfix: the local delivery agent did not canonicalize 1563 owner-foo sender addresses, so that local users would see 1564 owner-foo instead of owner-foo@$myorigin (Perry Metzger). 1565 1566 OPENSTEP4 support, similar to NEXTSTEP3 (Gerben Wierda). 1567 156819981106 1569 1570 Portability: the master startup would take a long time on 1571 AIX because AIX has a very large per-process open file 1572 limit. Fix is to check the status of only the first couple 1573 hundred file descriptors instead. File: master/master.c. 1574 1575 Bugfix: mail to user@[net.work.addr.ess] was broken because 1576 of a reversed test. File: qmgr/qmgr_message.c. 1577 157819981107 1579 1580 Compatibility: don't clobber the envelope sender address 1581 when an alias has no owner-foo alias (problem diagnosed by 1582 Christophe Kalt). 1583 1584 Bugfix: mail to local users in include files would be 1585 delivered directly if the alias didn't have an owner-foo 1586 alias, and if the alias database and include file were 1587 owned by root. 1588 1589 Feature: with user+foo addresses, any +foo address extension 1590 that is not explicitly matched in canonical, virtual or 1591 alias databases is propagated to the table lookup result. 1592 159319981108 1594 1595 Bugfix: minor memory leak in the user+foo table lookup 1596 code. 1597 1598 Configurability: specify virtual.domain in the virtual map, 1599 and mail for unknown@virtual.domain will bounce automatically. 1600 The $relay_domains default value now includes $virtual_maps, 1601 so the SMTP server will accept mail for the domain. Marco 1602 d'Itri put me on the right track. 1603 1604 Configurability: The mydestinations configuration parameter 1605 now accepts /file/name expressions and type:name lookup 1606 tables. 1607 1608 Code cleanup: in order to make the previous two enhancements 1609 possible, revised the string/host/address matching engine 1610 so it can handle any mixture of strings, /file/name patterns 1611 and type:name lookup tables. Files: util/match_{list,ops}.c, 1612 global/{domain,namadr,string}_list.c. 1613 161419981110 1615 1616 Code cleanup: replaced remaining isxxx() calls by ISXXX(). 1617 161819981111 1619 1620 Bugfix: the "bounce unknown virtual user" code was in the 1621 wrong place. Problem tackled with help of Chip Christian. 1622 1623 Portability: reportedly, Solaris 2.5.1 can hang waiting 1624 for a UNIX-domain connection to be accepted, so it gets 1625 the same workaround that was designed for LINUX. Problem 1626 reported by Scott Cotton. 1627 162819981112 1629 1630 Management: "vmailer stop" now allows delivery agents to 1631 finish what they are doing, like "vmailer reload". 1632 1633 Management; "vmailer abort" causes immediate termination. 1634 1635 Workaround: zombie processes pile up with HP-UX. Reason: 1636 select() does not return upon SIGCHLD when SA_RESTART is 1637 specified to sigaction(). Workaround: shorten the select() 1638 timer to 10 seconds, #ifdef BRAINDEAD_SELECT_RESTARTS. 1639 Thanks, Lamont Jones. 1640 164119981117 1642 1643 Rename: VMailer is now Postfix. Sigh. 1644 164519981118 1646 1647 Cleanup: generalized the safe_open() routine so that it is 1648 no longer limited to mailbox files, lock files, etc. 1649 1650 Bugfix (found during code review): vstream*printf() could 1651 run off the end of a stream buffer after an I/O error, 1652 because vbuf_print() ignored the result from VBUF_SPACE(). 1653 1654 Bugfix (found during code review): resolve_local() could 1655 clobber its argument, but the docs didn't say so. 1656 165719981121 1658 1659 Cleanup: the is_header() routine now allows 8-bit data in 1660 header labels. 1661 166219981123 1663 1664 Bugfix (found during code review): the mail_queue_enter() 1665 path argument wasn't optional. File: global/mail_queue.c 1666 166719981124 1668 1669 Cleanup: eliminated redundant tests for a zero result from 1670 vstream_fdopen(). Unlike the stdio fdopen() routine, the 1671 vstream_fdopen() routine either succeeds or never returns. 1672 1673 Bugfix: the queue manager now looks at the clock before 1674 examining a file time stamp, to avoid spurious complaints 1675 about time warps on busy machines. File: qmgr/qmgr_active.c. 1676 167719981125 1678 1679 Compatibility: allow trailing dot at the end of user@domain. 1680 Address canonicalization now strips it off. Issue brought 1681 forward by Eilon Gishri. File: trivial-rewrite/rewrite.c. 1682 1683 Robustness: changed DNS lookup order of MAIL FROM etc. 1684 domains from MX then A to A then MX, just in case the MX 1685 lookup fails with a server error. 1686 1687 Renamed vmcat, vmlock, vmlogger, vmtrigger to postcat, 1688 postlock, postlog, postkick. Also renamed mkmap and mkalias 1689 to postmap and postalias. 1690 169119981126 1692 1693 Workaround: Lamont Jones found a way for HP-UX to terminate 1694 select() after SIGCHLD. The code is #ifdef USE_SIG_RETURN. 1695 Files: util/sys_defs.h, master/master_sig.c. 1696 1697 Bugfix: the Delivered-To: loop detection code had stopped 1698 working, when long ago the is_header() routine was changed. 1699 File: local/delivered.c. 1700 170119981128 1702 1703 Bugfix: postcat opened queue files read-write, where only 1704 read access was needed. File: postcat/postcat.c. 1705 170619981129 1707 1708 Safety: added a sleep(1) to all fatal and panic exits. 1709 File: util/msg.c. 1710 171119981201 1712 1713 Robustness: postcat now insists that a file starts with a 1714 time record. 1715 1716 Consistency: added "-c config_dir" command-line options 1717 where appropriate. 1718 171919981202 1720 1721 Man pages, on-line version. 1722 172319981203 1724 1725 Man pages, html version; overview documentation. 1726 172719981206 1728 1729 Sendmail silently accepted the unsupported -qRsite and 1730 -qSsite options. It now prints an error message and 1731 terminates. 1732 1733 Separated the contributed tree from the IBM code; moved 1734 the LDAP and NEXTSTEP/OPENSTEP code to the contributed 1735 source tree because obviously I didn't write it. 1736 173719981206-9 1738 1739 Had to write a postconf configuration utility in order to 1740 reliably find out about all configuration parameters and 1741 their defaults. 1742 1743 Documentation bugfixes by Matt Shibla, Scott Drassinower, 1744 Greg A. Woods. 1745 174619981209 1747 1748 On machines with short hostnames, postconf -d cored while 1749 reporting a fatal error. It should not report that error 1750 in the first place. Thanks, Eilon Gishri. 1751 1752 Changed the FAQ entry about rejecting mail for *.my.domain 1753 on a firewall. Chip Christian was right, I was wrong. 1754 175519981214 1756 1757 Portability: with GNU getopt, optind is not initially 1, 1758 breaking an assumption in sendmail/sendmail.c. Liviu Daia. 1759 1760 Annoyance: on non-networked systems, don't warn that only 1761 one network interface was found. File: global/inet_addr_local.c. 1762 Reported by several. 1763 1764 Bugfix: on non-networked systems, the smtp client assumed 1765 that it was running in virtual host mode, and would bind 1766 to the loopback interface. File smtp/smtp_connect.c. Liviu 1767 Daia, again. 1768 176919981220 1770 1771 Robustness: when looking up an A or MX record, do not give 1772 up when the A query fails because of a server error. File 1773 dns/dns_lookup.c. Reported by Scott Drassinower. 1774 177519981221 1776 1777 Bugfix: "bounce mail for non-existent virtual user" didn't 1778 work when a non-default relay host was configured in main.cf 1779 or in the transport table. File: qmgr/qmgr_message.c. 1780 1781 Bugfix: the maildrop directory should not be world-readable. 1782 Files: conf/postfix-script, showq/showq.c. 1783 1784 Documentation: fixed several omissions and errors. 1785 1786 Documentation: removed references to the broken recipient 1787 feature delimiter configuration parameter. 1788 1789 Bugfix: write mailbox file as the recipient, so that file 1790 quota work as expected. 1791 1792 Bugfix: pickup would die when it tried to remove a non-file 1793 in the maildrop directory (Jeff Wolfe). 1794 179519981222 1796 1797 Sendmail no longer logs the queue ID when it is unable to 1798 notify the pickup daemon. This is a late addition to the 1799 "unreadable maildrop queue" patch. 1800 1801 user.lock files are now created as root, so that postfix 1802 needs no group directory write permission. 1803 180419981224 1805 1806 Security: allow queue file link counts > 1, to avoid 1807 non-delivery of maildrop files with links to a non-maildrop 1808 directory. Files: global/mail_open_ok.c, and anything 1809 that calls this code (qmgr, pickup, showq). If multiple 1810 hard links are a problem, see the set-gid "postdrop" utility 1811 below. 1812 181319981225 1814 1815 Robustness: the queue manager no longer aborts when a queue 1816 file suddenly disappears (e.g. because the file was removed 1817 by hand). 1818 1819 Feature: when a writable maildrop directory is a problem, 1820 sites can make the new "postdrop" utility set-gid. This 1821 command is never used when the maildrop directory is 1822 world-writable. 1823 1824 Robustness: make the queue file creation routine more 1825 resistant against denial of service race attack. File: 1826 global/mail_queue.c 1827 182819981226 1829 1830 New suid_priv module to enable/disable privileges in a 1831 set-uid/gid program. In the end I decided to not use it. 1832 183319981228 1834 1835 Robustness: make the pickup daemon more resistant against 1836 non-file race attack. 1837 1838 Cleanup: generic mail_stream.c interface for writing queue 1839 file streams to files, daemons or commands. This simplifies 1840 the code in smtpd and in sendmail that must be able to pipe 1841 mail through the postdrop command. The cleanup daemon has 1842 been modified to use the same interface. Result: less code. 1843 1844 Feature: smtpd now logs the only recipient in Received: 1845 headers. 1846 1847 Feature: separate command and daemon directories. Both 1848 default to $program_directory. Install conf/postfix-script 1849 if you want to use this feature. 1850 185119981230 1852 1853 Patch to avoid conflict with non-writable top-level Makefile 1854 (Lamont Jones). 1855 185619981231 1857 1858 Portability: port to UnixWare 7 by Ronald Joe Record, SCO. 1859 186019990104 1861 1862 Bugfix: fencepost (Jon Ribbens, Oaktree Internet Solutions 1863 Ltd.) Files: quote_82[12]_local.c. 1864 1865 Bugfix: wrong default for relay_domains (Juergen Kirschbaum, 1866 Bayerische Landesbank). File: mail_params.h. 1867 1868 Bugfix: changed 5xx response for "too may recipients" to 1869 4xx. File: smtpd.c. 1870 187119990106 1872 1873 Feature: defer_transports specifies the names of transports 1874 that should be used only when "sendmail -q" (or equivalent) 1875 is issued. For example, "defer_transports = smtp" is useful 1876 for sites that are disconnected most of the time. File: 1877 qmgr_message.c. 1878 187919990107 1880 1881 Feature: local_command_shell specifies a non-default shell 1882 for delivery to command by the local delivery agent. For 1883 example, "local_command_shell = /some/where/smrsh -c" 1884 restricts what may appear in "|command" destinations. 1885 File: global/pipe_command.c. 1886 188719990112-16 1888 1889 Feature: SMTP command pipelining support based on an initial 1890 version by Jon Ribbens, Oaktree Internet Solutions Ltd. 1891 This one took several days of massaging before I felt 1892 comfortable about it. Files: smtp.c, smtp_proto.c. 1893 1894 Bugfix: the SMTP server would flush responses one-by-one, 1895 which caused suboptimal performance with pipelined clients. 1896 The vstream routines now flush the write buffer when the 1897 read() routine is called, instead of flushing when the 1898 application changes from writing to reading. Delayed flush 1899 prevents the SMTP server from flushing responses one-by-one 1900 and thus triggering Nagle's algorithm. File: util/vstream.c. 1901 190219990117 1903 1904 Bugfixes and enhancements to the smtpstone tools by Drew 1905 Derbyshire, Kendra Electronic Wonderworks: send helo command, 1906 send message headers, format the message content to lines 1907 < 80, work around NT stacks, make "." recognition more 1908 robust. Files: smtp-source.c, smtp-sink.c. 1909 1910 Strategy: look at the deferred queue only when the incoming 1911 queue is empty; limit the number of recipients read from 1912 a queue file depending on the number of recipients already 1913 in core. Files: qmgr.c, qmgr_message.c. 1914 1915 Feature: postponed anti-UCE restrictions. The decision to 1916 reject junk mail on the basis of the client name/address, 1917 HELO hostname or sender address can now be postponed until 1918 the RCPT TO command (or HELO or MAIL FROM if you like). 1919 File: smtpd_check.c. 1920 192119990118 1922 1923 Feature: incremental updates of alias databases and of 1924 other lookup tables. Both postalias and postmap now take 1925 a -i option for incremental updates from standard input. 1926 Files: global/mkmap_*.c, post{map,alias}/post{map,alias}.c. 1927 1928 Compatibility: newaliases can now update multiple alias 1929 databases: list them in the "alias_database" parameter in 1930 main.cf. By the same token, postalias can now update multiple 1931 maps in one command. Files: post{map,alias}/post{map,alias}.c 1932 1933 Feature: mail to <> is now sent to the address specified 1934 with the "empty_address_recipient" configuration parameter 1935 which defaults to MAILER-DAEMON (idea by Lamont Jones, 1936 Hewlett-Packard). File: cleanup/cleanup_envelope.c. 1937 1938 Compatibility: the transport table now uses .domain.name 1939 to match subdomains, just like sendmail mailer tables (patch 1940 by Lamont Jones, Hewlett-Packard). 1941 1942 Feature: mailq now ends with a total queue size summary 1943 (Eilon Gishri, Israel Inter University Computation Center). 1944 194519990119 1946 1947 Feature: address masquerade exceptions for user names listed 1948 in the "masquerade_exceptions" configuration parameter. 1949 File: cleanup/cleanup_masquerade.c. 1950 1951 Feature: qmail-style maildir support, based on initial code 1952 by Kevin W. Brown, Quantum Internet Services Inc. 1953 1954 Workaround: Solaris 2.something connect() fails with 1955 ECONNREFUSED when the system is busy (Chris Cappuccio, 1956 Empire Net). File: global/mail_connect.c. 1957 1958 Feature: the cleanup service now adds a Return-Path: header 1959 when none is present. This header is needed for some mail 1960 delivery programs (see below). File: cleanup_message.c. 1961 1962 Feature: the pipe mailer now supports $user, $extension 1963 and $mailbox macros in command-line expansions. This, plus 1964 the Return-Path: header (see above), should be sufficient 1965 to support cyrus IMAP out of the box. Based on initial 1966 code by Joerg Henne, Cogito Informationssysteme GMBH. 1967 File: pipe/pipe.c. 1968 1969 Bugfix: with address extensions enabled, canonical and 1970 virtual lookups now are done in the proper order: 1971 user+foo@domain, user@domain, user+foo, user, @domain. 1972 File: global/mail_addr_find.c. 1973 197419990119 1975 1976 Feature: the local mailer now prepends a Received: message 1977 header with the queue ID to forwarded mail, in order to 1978 make message tracing easier. File: local/forward.c. 1979 1980 Cleanup: after "postfix reload", no more broken pipe 1981 complaints from resolve/rewrite clients. 1982 198319990121 1984 1985 Feature: pickup (again) logs uid and sender address. On 1986 repeated request by Scott Cotton, Internet Consultants 1987 Group, Inc. 1988 1989 Portability: doze() function for systems without usleep(). 1990 1991 Cleanup: clients are now consistently logged as host[address]. 1992 199319990122 1994 1995 Maildir support changed: specify "home_mailbox = Maildir/". 1996 The magic is the trailing /. Suggested by Daniel Eisenbud, 1997 University of California at Berkeley. 1998 1999 Maildir support from aliases, :include: and .forward files. 2000 Specify /file/name/ - the trailing / is required. Suggested 2001 by Daniel Eisenbud, University of California at Berkeley. 2002 2003 Workaround: watchdog timer to prevent the queue manager 2004 from locking up on some systems. 2005 2006 Bugfix: in Received: headers, the "for <recipient>" 2007 information was in the wrong place. Pointed out by Jon 2008 Ribbens, Oaktree Internet Solutions Ltd. 2009 201019990124 2011 2012 Portability: more workarounds for GNU getopt() by Liviu 2013 Daia, Institute of Mathematics, Romanian Academy. File: 2014 sendmail/sendmail.c. 2015 201619990125 2017 2018 Bugfix: Postfix should not masquerade recipient addresses 2019 extracted from message headers. Problem reported by David 2020 Blacka, Network Solutions. File: cleanup/cleanup_message.c. 2021 202219990126 2023 2024 Feature: smtpd_etrn_restrictions parameter to restrict who 2025 may use ETRN and what domains may be specified. Example: 2026 "smtpd_etrn_restrictions = permit_mynetworks, reject". 2027 Requested by Jon Ribbens, Oaktree Internet Solutions Ltd. 2028 File: smtpd/smtpd_check.c. 2029 203019990127 2031 2032 Bugfix: in an attempt to shave some cycles, the anti junk 2033 mail routines would use the wrong resolved address. This 2034 "optimization" is now turned off. Problem reported by Sam 2035 Eaton, Pavilion Internet Plc. File: smtpd/smtpd_check.c. 2036 2037 Feature: BIFF notifications. For compatibility reasons 2038 this feature is on by default. This "protocol" can be a 2039 real performance pig. Specify "biff = no" in main.cf if 2040 your machine has lots of shell users. Feature requested by 2041 Dan Farmer - it's one of the things one does for friends. 2042 Files: local/mailbox.c, local/biff_notify.c. 2043 2044 Bugfix: another case sensitivity problem, this time with 2045 virtual lookups to recognize unknown@virtual.domain. 2046 Problem reported by Bo Kleve, Linkoping University. File: 2047 qmgr/qmgr_message.c. 2048 204919990128 2050 2051 Feature: with "soft_bounce = yes", defer delivery instead 2052 of bouncing mail. This is a safety net for configuration 2053 errors with delivery agents. It has no effect on errors in 2054 virtual maps, canonical maps, or in junk mail restrictions. 2055 Feature requested by Bennett Todd. File: global/bounce.c. 2056 205719990129 2058 2059 Compatibility: the qmail maildir.5 documentation prescribes 2060 maildir file names of the form time.pid.hostname, which is 2061 wrong because Postfix processes perform multiple deliveries. 2062 Elsewhere the qmail author has documented how maildir files 2063 should be named under such conditions. Postfix has been 2064 changed to be conformant. File: local/maildir.c. 2065 206619990131 2067 2068 Feature: special treatment of owner-foo and foo-request 2069 can be turned off. Specify "owner_request_special = no". 2070 Requested by Matthew Green and others. Files: local/alias.c, 2071 global/split_addr.c. This affects canonical, virtual and 2072 alias lookups. 2073 207419990204 2075 2076 Portability: signal handling for HP-UX 9 by Lamont Jones 2077 of Hewlett Packard. File: master/master_sig.c. 2078 2079 Robustness: disable random walk inside a per-site queue to 2080 avoid message starvation under heavy load. File: qmgr_entry.c. 2081 2082 Robustness: under some conditions the queue manager could 2083 declare a host dead after just one delivery failure. File: 2084 qmgr_queue.c. 2085 208619990212 2087 2088 Feature: skip SMTP servers that greet us with a 4XX status 2089 code. Example: "smtp_skip_4xx_greeting = yes". By default, 2090 the Postfix SMTP client defers delivery when a server 2091 declines talking to us. File: smtp/smtp_connect.c. 2092 2093 Robustness: upon startup the queue manager now moves active 2094 queue files to the incoming queue instead of the deferred 2095 queue, to avoid anomalous delivery delays on systems that 2096 have a huge incoming queue. Files: qmgr/qmgr.c, 2097 qmgr/qmgr_active.c, global/mail_flush.c, conf/postfix-script* 2098 209919990213 2100 2101 Robustness: added watchdog timers to avoid getting stuck 2102 on systems with broken select() socket implementations. 2103 File: qmgr_transport.c, qmgr_deliver.c. 2104 210519990218 2106 2107 Feature: NFS-friendly delivery to mailbox by avoiding the 2108 use of root privileges as much as possible. With input by 2109 Mike Muus, Army Research Lab, USA. 2110 2111 Feature: the smtp-sink test server now supports SMTP command 2112 pipelining. To this end we had to generalize the timer and 2113 vstream support. Poor performance is fixed 19990222. 2114 2115 Cleanup: timer event routines now have the same interface 2116 as read/write event routines (event type + context). File: 2117 util/events.c. 2118 2119 Feature: new vstream_peek() routine to tell how much unread 2120 data is left in a VSTREAM buffer. This is the vstream 2121 variant of the peekfd() routine for kernel read buffers. 2122 File: util/vstream.c. 2123 2124 Feature: directory scanning support for hashed mail queue 2125 directories. So far the results are disappointing: with 2126 depth = 2 (16 directories with 16 subdirectories), mailq 2127 takes 5 seconds with an empty queue unless all directories 2128 happen to be cached in memory. We need a bit map before 2129 hashed queue directories become practical. Depth=1 hashing 2130 doesn't slow down mailq much, but doesn't help much either. 2131 Files: util/scan_dir.c, global/mail_scan_dir.c. 2132 213319990221 2134 2135 Workaround: with "ignore_mx_lookup_error = yes", the SMTP 2136 client always performs an A lookup when an MX lookup could 2137 not be completed, rather than treating MX lookup failure 2138 as a temporary error condition. Unfortunately there are 2139 many broken DNS servers on the Internet. File: smtp/smtp_addr.c. 2140 214119990222 2142 2143 Performance: rewrote the guts of the smtp-sink test server 2144 so it can do pipelining without losing performance. 2145 214619990223 2147 2148 Workaround: hotmail.com sometimes drops the connection 2149 after "." (causing misleading diagnostics to be logged) or 2150 waits minutes after receiving QUIT. Solution: do not wait 2151 for the response to QUIT. File: smtp/smtp_proto.c. This 2152 is turned off with: "smtp_skip_quit_response = no". 2153 215419990224 2155 2156 Feature: the pipe mailer accepts user=username:groupname, 2157 based on code submitted by Philip A. Prindeville, Mirapoint, 2158 Inc., USA. File: pipe/pipe.c. 2159 2160 Workaround: use file locking to prevent multiple processes 2161 from select()ing on the same socket. This causes performance 2162 problems on large BSD systems. Files: master/*_server.c. 2163 216419990225 2165 2166 Bugfix: with "inet_interfaces = 127.0.0.1", don't bind to 2167 the loopback interface. Problem reported by Steve Bellovin 2168 of AT&T. File: smtp/smtp_addr.c. 2169 2170 Feature: "postsuper" command to remove stale queue files 2171 to update queues after changes to the queue structure 2172 parameters (hash_queue_names, hash_queue_depth). This 2173 command is to be run from the postfix-script maintenance 2174 shell script. 2175 217619990301 2177 2178 Feature: new postconf -h (suppress `name = ' in output) 2179 option to make the program easier to use in, e.g., shell 2180 scripts. 2181 2182 Feature: dict_unix module so you can add the UNIX passwd 2183 table to the SMTPD access control list. 2184 218519990302 2186 2187 Feature: "luser_relay = destination" captures mail for 2188 non-existent local recipients. This works only when the 2189 local delivery agent does mailbox delivery (including 2190 delivery via mailbox_command), not when mailbox delivery 2191 is delegated to another message transport. 2192 2193 Feature: new reject_non_fqdn_{hostname,sender,recipient} 2194 restrictions to require fully.qualified.domain forms in 2195 HELO, MAIL FROM and RCPT TO commands (while still allowing 2196 the <> sender address). 2197 219819990304 2199 2200 Bugfix: backed out the 19990119 change to always insert 2201 Return-Path: if that header is not present. The pipe and 2202 local agents now are responsible for prepending Return-Path:. 2203 Files: cleanup/cleanup_message.c, global/mail_copy.[hc], 2204 pipe/pipe.c, global/header_opts.c. This causes an incompatible 2205 change to the pipe flags parameter, because Return-Path: 2206 now must be requested explicitly. 2207 220819990305 2209 2210 Bugfix: showq (the mailq server) incorrectly assumed that 2211 all recipients of a deferred message are listed in the 2212 corresponding defer logfile. It now lists all recipients. 2213 Files: showq/showq.c, cleanup/cleanup_envelope.c (ensure 2214 that sender records always precede recipient records). 2215 2216 Cleanup: smtpd HELO restrictions validate [numerical] forms. 2217 Files: util/valid_hostname.c, smtpd/smtpd_check.c. Initial 2218 code by Philip A. Prindeville, Mirapoint, Inc., USA. 2219 222019990306 2221 2222 Cleanup: re-vamped the valid_hostname module, and added a 2223 maximal label length (63) requirement. 2224 2225 Feature: fallback_relay parameter to specify extra backup 2226 hosts in case the regular relay hosts are not found or not 2227 available. Files: smtp/smtp_addr.c. 2228 2229 Feature: "always_bcc = address" specifies where to send a 2230 copy of each message that enters he system. However, if 2231 that copy bounces, the sender will be informed of the 2232 bounce. Files: smtpd/smtpd.c, pickup/pickup.c 2233 2234 Compatibility: the transport map will now route on top-level 2235 domains, so you can dump all of .bitnet to a bitnet relay. 2236 223719990307 2238 2239 Feature: LDAP lookups, updated by Jon Hensley, Merit Network, 2240 USA. 2241 2242 Feature: regular expression (PCRE) support by Andrew 2243 McNamara, connect.com.au Pty. Ltd., Australia. In order to 2244 use this code specify pcre:/file/name. You can use this 2245 anywhere you would use a DB or DBM file, NIS or LDAP. See: 2246 PCRE_README for how to enable this code. 2247 2248 Feature: "delay_warning_time = 4" causes Postfix to send 2249 a "your mail is delayed" notice after approx. 4 hours. 2250 Daniel Eisenbud, University of California at Berkeley. 2251 Files: qmgr/qmgr_active.c, qmgr/qmgr_message. Postmaster 2252 notices for delayed mail are disabled by default. In order 2253 to receive postmaster notices, specify "notify_classes = 2254 ... delay ...". 2255 2256 Cleanup: do not send undeliverable bounced mail to postmaster. 2257 This was causing lots of pain with junk mail from bogus 2258 sender addresses to non-existent recipients. This change 2259 was reversed 19990311. 2260 226119990308 2262 2263 Bugfix: the dotforward routine was too eager with throwing 2264 away extension information, so that the Delivered-To: info 2265 would differ for \mailbox and |command. Problem reported 2266 by Rafi Sadowski, Open University, Israel. 2267 2268 Bugfix: seems I never got around to fix the btree access 2269 method. I finally did. Problem reported by: Matt Smith, 2270 AvTel Communications Inc., USA. 2271 227219990311 2273 2274 Back by popular demand: with "notify_classes = 2bounce ..." 2275 Postfix will send undeliverable bounced mail to postmaster. 2276 The default is to not send double bounces. This change 2277 reverses a change made on 19990307. 2278 227919990312 2280 2281 Feature: configurable exit handler for server skeletons. 2282 Philip A. Prindeville, Mirapoint, Inc., USA. Files: 2283 master/*server.c. 2284 2285 Feature: mail_spool_directory configuration parameter to 2286 specify the UNIX mail spool directory. The default setting 2287 is system dependent. 2288 228919990313 2290 2291 Cleanup: share file descriptors for resolve and rewrite 2292 client connections. This puts less strain on the trivial-rewrite 2293 service. 2294 2295 Portability: support for UnixWare 2.1 by Dmitry E. Kiselyov, 2296 Nizhny Novgorod City Health Emergency Station. 2297 2298 Feature: configurable delays in the smtpstone test programs. 2299 With input by Philip A. Prindeville, Mirapoint, Inc., USA. 2300 Files: smtpstone/*.c. 2301 2302 Bugfix: a "signal 11" problem in the trivial-rewrite program 2303 that would occasionally happen after "postfix reload". 2304 Reason: some rewrite clients would clobber their input, 2305 and when they had to retransmit the query, the input would 2306 be a zero-length string, which trivial-rewrite isn't supposed 2307 to receive. 2308 230919990314 2310 2311 Feature: "mailbox_transport = cyrus" delegates all local 2312 mailbox delivery to a master.cf entry called "cyrus" (the 2313 same trick for procmail), including users not found in the 2314 UNIX passwd database. This gives the flexibility of $name 2315 expansions by the pipe mailer, without losing local aliases 2316 and ~/.forward processing. Result of discussions with Rupa 2317 Schomaker, RS Consulting. 2318 231919990315 2320 2321 Feature: the mydestination parameter can now be an empty 2322 string, for hosts that don't receive any mail locally. Be 2323 sure to specify a default route for mail that comes to the 2324 machine or mail will loop. 2325 232619990316 2327 2328 Bugfix: the SMTPD check scaffolding didn't apply the same 2329 sanity checks as the production code. Problem reported by 2330 Alain Thivillon, Herve Schauer Consultants, France. File: 2331 smtpd/smtpd_check.c. 2332 2333 Portability: some systems can have more than 59 seconds in 2334 a minute. Based on a fix by Liviu Daia, Institute of 2335 Mathematics, Romanian Academy. File: global/mail_date.c. 2336 2337 Enhancement: include the client network address in the 2338 rejected by RBL response. Lamont Jones, Hewlett-Packard. 2339 2340 Workaround: use fstat() to figure out if the maildrop is 2341 world-writable. access() uses the real uid, which stinks. 2342 2343 Robustness: don't do partial address lookups (user@, domain, 2344 user, @domain) with regexp-style tables. 2345 2346 Security: don't allow regexp-style tables to be used for 2347 aliases. It would be too easy to slip in "|command" or 2348 :include: or /file/name. 2349 235019990317 2351 2352 Feature: "fallback_transport = cyrus" delegates non-UNIX 2353 recipients to a master.cf entry called "cyrus", allowing 2354 you to have both UNIX and non-UNIX mailboxes side by side. 2355 235619990319 2357 2358 Workaround: on 4.4 BSD derivatives, fstat() can return 2359 EBADF on an open file descriptor. Now, that was a surprise. 2360 This caused std{out,err} from cron commands to not be 2361 delivered. 2362 2363 Bugfix: "local -v" stopped working. 2364 2365 Workaround: more watchdog timers for postfix-unfriendly 2366 systems. By now every Postfix daemon has one. Call it life 2367 insurance. 2368 2369 Robustness: increased the maximal time to receive or deliver 2370 mail from $ipc_timeout (default: 3600 seconds) to the more 2371 generous $daemon_timeout (default: 18000 seconds). We don't 2372 want false alarms. 2373 2374 Portability: IRIX 5.2 does not have usleep(). 2375 237619990320 2377 2378 Bugfix: \username was broken. Frank Dziuba was the first 2379 to notice. 2380 238119990321 2382 2383 Workaround: from now on, Postfix on Solaris uses stream 2384 pipes instead of UNIX-domain sockets. Despite workarounds, 2385 the latter were causing more trouble than anything else on 2386 all systems combined. 2387 238819990322 2389 2390 Portability: the makedefs would mis-identify IRIX 6.5.x as 2391 IRIX 5.x. Fix by Brian Truelsen of Maersk Mc-Kinney Moller 2392 Institute for Production Technology, Denmark. 2393 2394 Feature: reject_unknown_recipient_domain restriction for 2395 recipient addresses. For the sake of symmetry, we now also 2396 have reject_unknown_sender_domain. This means the old 2397 reject_unknown_address restriction is being phased out. 2398 Suggested by Rask Ingemann Lambertsen, Denmark Technical 2399 University. 2400 2401 Feature: unknown sender/recipient domain restrictions now 2402 distinguish between soft errors (always: 450) and hard 2403 errors (configurable with the unknown_address_reject_code 2404 parameter, default: 450; use 550 at your own risk). 2405 2406 Feature: no HELO junk mail restrictions means that no syntax 2407 check will be done on HELO/EHLO hostname arguments. 2408 2409 Bugfix: the initial Solaris workaround for UNIX-domain 2410 sockets could cause the queue manager to block if Postfix 2411 ran into a delivery agent process limit. After another code 2412 rewrite that problem is eliminated. Thanks to Chris 2413 Cappuccio, Empire Net, for assistance with testing. 2414 241519990323 2416 2417 Bugfix: too much forwarding when users list their own name 2418 in their .forward file (e.g. mail to user@localhost would 2419 go through .forward, would be forwarded to user@$myorigin, 2420 and would go through .forward again). Problem reported by 2421 Roman Dolejsi, Prague University of Economics. 2422 242319990324 2424 2425 Bugfix: missing map name in check_xxx_access restrictions 2426 could cause a segmentation error. Lamont Jones, Hewlett- 2427 Packard. 2428 2429 Feature: forward_path configuration parameter (default: 2430 $home/.forward$recipient_delimiter$extension,$home/.forward). 2431 Based on initial code by Philip A. Prindeville, Mirapoint, 2432 Inc., USA. Files: local/dotforward.c. 2433 243419990325 2435 2436 Workaround: Solaris NIS alias maps need special entries 2437 (YP_MASTER_NAME, YP_LAST_MODIFIED). What's worse, normal 2438 keys/values include a null byte at the end, but the YP_XXX 2439 ones don't. Problem reported by Walcir Fontanini, state 2440 university of Campinas, Brazil. File: postalias/postalias.c. 2441 2442 Compatibility: Solaris NIS apparently does include a null 2443 byte at the end of keys and values. File: util/sys_defs.h. 2444 2445 Feature: library support for config parameters that are 2446 not $name expanded at program start-up. This was needed 2447 for forward_path, and will also be needed to make message 2448 headers customizable. 2449 2450 Bugfix: pcre didn't handle \\ right. Lamont Jones, Hewlett- 2451 Packard. File: util/dict_pcre.c. 2452 245319990326 2454 2455 Compatibility: Postfix now puts two spaces after the sender 2456 in a "From sender date..." header. Found by John A. Martin, 2457 fixed by Lamont Jones, Hewlett-Packard. 2458 2459 Bugfix: when a recipient appeared multiple times in a local 2460 alias or include expansion, the delivery status could be 2461 left uninitialized, causing the mail to be deferred and 2462 delivered again. File: local/recipient.c. 2463 246419990327 2465 2466 Cleanup: the dictionary routines now take an extra flag 2467 argument to control such things as warning about duplicates, 2468 and appending null bytes to key/value. The latter was needed 2469 for a clean implementation of NIS master alias maps support. 2470 2471 Feature: POSIX regular expressions by Lamont Jones. See 2472 config/sample-regexp.c. Right now, enabled on *BSD and 2473 LINUX only. 2474 247519990328 2476 2477 Code cleanup: dictionaries now have flags that say whether 2478 lookup keys are fixed strings or whether keys are subjected 2479 to pattern matching. This is needed to avoid passing partial 2480 addresses to regexp-based lookup tables (user, @domain, 2481 user@, domain). Files: util/dict*.c. 2482 2483 Bugfix: fixed memory leaks and core dumps in the regexp 2484 and pcre routines (neither handled an empty pattern file). 2485 248619990329 2487 2488 Code cleanup: the dictionary I/O routines now do their own 2489 locking depending on dictionary flag settings. This means 2490 that the low-level dict_get() interface can now be used 2491 for safe dictionary lookups. This is needed for 19990328's 2492 partial lookup key support. Files: util/dict*.c. global/maps.c. 2493 2494 Feature: regular expression matches are no longer limited 2495 to user@domain address forms in access/canonical/virtual 2496 maps, but can also be used for domains in transport maps. 2497 This needed the partial lookup key support to avoid passing 2498 partial addresses to regexp-based lookup tables (user, 2499 @domain, user@, domain). Files: global/maps.c 2500 global/mail_addr_find.c. 2501 2502 Feature: new dictionary types can be registered with 2503 dict_open_register(). File: util/dict_open.c. 2504 250519990330 2506 2507 Bug fix: match_list membership dictionary lookups were case 2508 sensitive when they should not. Patch by Lutz Jaenicke, 2509 BTU Cottbus, Germany. 2510 251119990402 2512 2513 Feature: $domain macro support in forward_path. Philip A. 2514 Prindeville, Mirapoint, Inc., USA. File: local/dotforward.c. 2515 2516 Feature: if an address extension (+foo) is explicitly 2517 matched by the .forward+foo file name, do not propagate 2518 the extension to recipient addresses. This is more consistent 2519 with the way aliases are expanded. File: local/dotforward.c. 2520 252119990404 2522 2523 Bugfix: after receiving mail, the SMTP server didn't reset 2524 the cleanup error flag, so that multiple deliveries over 2525 the same SMTP session could fail due to errors with previous 2526 deliveries. Found by Lamont Jones, Hewlett-Packard. 2527 252819990405 2529 2530 Feature: MIME-encapsulated bounces. Philip A. Prindeville, 2531 Mirapoint, Inc., USA. File: bounce/bounce_notify_service.c 2532 2533 Cleanup: vstreams now properly look at the EOF flag before 2534 attempting to read, eliminating the need for typing Ctrl-D 2535 twice to test programs; the EOF flag is reset after each 2536 unget or seek operation. Files: util/vstream.c, util/vbuf.c. 2537 2538 Feature: in preparation for configurable message headers 2539 the mac_parse() routine now balances the parentheses in 2540 ${name} or $(name). We need this in order to support 2541 conditional expressions such as ${name?text} where `text' 2542 contains other ${name} expressions. 2543 254419990406 2545 2546 Cleanup: changed MIME header information to make bounces 2547 more RFC 1892 compliant. 2548 254919990407 2550 2551 Feature: "best_mx_transport = local" delivers mail locally 2552 if the local machine is the best mail exchanger (by default, 2553 mail is bounced with a "mail loops back to myself" error). 2554 2555 Config: in order to make feature tracking easier the source 2556 code distribution now has a copy of the default settings 2557 in conf/main.cf.default. 2558 2559 Feature: separate configurable postmaster addresses for 2560 single bounces (bounce_notice_recipient), double bounces 2561 (2bounce_notice_recipient), delayed mail (delay_notice_recipient), 2562 and for other mailer errors (error_notice_recipient). The 2563 default for all is "postmaster". 2564 256519990408 2566 2567 Workaround: on Solaris 2.x, the master appears to lose its 2568 exclusive lock on the master.pid file, so keep grabbing 2569 the lock each time the master wakes up from select(). 2570 2571 Robustness: don't flush VSTREAM buffers after I/O error. 2572 This prevents surprises when calling vstream_fclose() after 2573 truncating a mailbox to its original size. 2574 2575 Portability: on LINUX systems, if <db_185.h> exists, don't 2576 look for <db/db.h>. 2577 2578 Workaround: specify "sun_mailtool_compatibility = yes" to 2579 avoid clashes with the mailtool application. This disables 2580 kernel locks on mailbox files. Use only where needed. 2581 2582 Portability: renamed readline to readlline, to avoid clashes 2583 with mysql. 2584 258519990409 2586 2587 Bugfix: ignore temp queue files that aren't old enough. 2588 Problem reported by Vivek Khera, Khera Communications, Inc. 2589 2590 Bugfix: fixed typo in dict_db.c that caused processes to 2591 not release DB shared locks. 2592 2593 Feature: auto-detection of changes to DB or DBM lookup 2594 tables. This avoids the need to run "postfix reload" after 2595 change to the smtp access table and other tables. 2596 2597 Feature: regular expression checks for message headers. 2598 This requires support for POSIX or for PCRE regular 2599 expressions. Specify "header_checks = regexp:/file/name" 2600 or "header_checks = pcre:/file/name", and specify 2601 "/^header-name: badstuff/ REJECT" in the pattern file 2602 (patterns are case-insensitive by default). Code by Lamont 2603 Jones, Hewlett-Packard. It is to be expected that full 2604 content filtering will be delegated to an external command. 2605 260619990410 2607 2608 Bugfix: auto-detection of changes to DB or DBM lookup tables 2609 wasn't done for TCP connections. 2610 261119990410 2612 2613 Feature: $recipient expansion in forward_path. Philip A. 2614 Prindeville, Mirapoint, Inc., USA. File: local/dotforward.c 2615 2616 Feature: the smtp client consistently treats a numerical 2617 hostname as an address. File: smtp/smtp_addr.c. 2618 261919990414 2620 2621 Compatibility: support comment lines starting with # in 2622 $mydestination include files. This makes Postfix more 2623 compatible with sendmail.cw files. File: util/match_list.c. 2624 2625 Feature: if your machines have short host names, specify 2626 "mydomain = domain.name", and you no longer have to specify 2627 "myhostname = host.domain.name". Files: global/mail_params.c, 2628 postconf/postconf.c. 2629 263019990420 2631 2632 Cleanup: bounce mail when a mailbox goes over file quota, 2633 instead of deferring delivery. File: local/mailbox.c. 2634 263519990421 2636 2637 Feature: auto-detection of changes to DB or DBM lookup 2638 tables now includes the case where a file is unlinked. 2639 Philip A. Prindeville, Mirapoint, Inc., USA. File: 2640 util/dict.c. 2641 264219990422 2643 2644 Robustness: Lotus mail sends MAIL FROM: <@> instead of <>. 2645 Problem reported by Erik Toubro Nielsen, IFAD, Denmark. 2646 Files: trivial-rewrite/rewrite.c (@ becomes empty address) 2647 and global/rewrite_clnt.c (allow empty response). 2648 2649 Bugfix: showq could segfault when writing to a broken pipe. 2650 Problem reported by Bryan Fullerton, Canadian Broadcasting 2651 Corporation. Files: util/vbuf_print.c. 2652 2653 Cleanup: got rid of the "fatal: write error: Broken pipe" 2654 message when mailq output is piped into a program that 2655 terminates early. 2656 2657 Cleanup: bounce messages are multipart/mixed with the error 2658 report as part of the first message segment, because users 2659 had trouble extracting the delivery error report from the 2660 attachment. 2661 266219990423 2663 2664 Cleanup: the default junk mail reject code is now 554 2665 (service unavailable) rather than 550 (user unknown). 2666 2667 Folded in the updated dict_ldap.c module by John Hensley, 2668 Merit Network, USA. 2669 2670 Folded in the vstream_popen.c updates by Philip A. 2671 Prindeville, Mirapoint, Inc., USA. This copies a lot of 2672 code from pipe_command(); the next step is to trim that 2673 module. 2674 267519990425 2676 2677 Workaround: renamed config.h to mail_conf.h etc. in order 2678 to avoid name collisions with LINUX (yes, they have a system 2679 include file called config.h). For compatibility with people 2680 who have written software for Postfix, there's a config.h 2681 that aliases the old names to the new ones. That file will 2682 go away eventually. 2683 268419990426 2685 2686 Feature: error mailer, in order to easily bounce mail for 2687 specific destinations. In the transport table, specify: 2688 "host.domain error:host.domain is unavailable". Too bad 2689 that the transport table triggers on destination domain 2690 only; it would be nice to bounce specific users as well. 2691 269219990427 2693 2694 Cleanup: "disable_dns_lookups = yes" now should disable 2695 all DNS lookups by the SMTP client. 2696 269719990428 2698 2699 Bugfix: with DBM files, Postfix was watching the "dir" file 2700 modification time for changes. It should be watching the 2701 "pag" file instead. 2702 270319990429 2704 2705 Cleanup: all callbacks in the master to server API now pass 2706 on the service name and the application-specific argument 2707 vector. Files: master/*server.c. 2708 270919990504 2710 2711 Feature: conditional macro expansion. ${name?text} expands 2712 to text when name is defined, otherwise the result is empty. 2713 ${name:text} expands to text when name is undefined, 2714 otherwise the result is empty. File: util/mac_expand.c. 2715 2716 Feature: conditional macro expansion of the forward_path 2717 configuration parameters of $user, $home, $shell, $recipient, 2718 $extension, $domain, $mailbox and $recipient_delimiter. 2719 Files: local/dotforward.c, local/local_expand.c. 2720 272119990506 2722 2723 Cleanup: eliminated misleading warnings about unknown HELO 2724 etc. SMTPD restrictions when the HELO etc. information is 2725 not available. File: smtpd/smtpd_check.c. 2726 272719990507 2728 2729 Feature: all smtpd reject messages now contain the MAIL 2730 FROM and RCPT TO addresses, if available. 2731 273219990508 2733 2734 Feature: conditional macro expansion of the luser_relay 2735 configuration parameter. It is no longer possible to specify 2736 /file/name or "|command" destinations. File: local/unknown.c. 2737 2738 Cleanup: changed the mac_parse interface so that the 2739 application callback routine can return status information. 2740 Updated the dict_regexp and dict_pcre modules accordingly. 2741 2742 Cleanup: changed the mac_expand interface so that the caller 2743 provides an attribute lookup routine, instead of having to 2744 provide a copy of all attributes upfront. Files: 2745 util/mac_expand.c, local/local_expand.c. 2746 2747 Feature: control over how address extensions are propagated 2748 to other addresses. By default, propagation of unmatched 2749 address extensions is now restricted to canonical and 2750 virtual mappings. Specify "propagate_unmatched_extensions 2751 = canonical, virtual, alias, forward, include" to restore 2752 previous behavior. 2753 275419990509 2755 2756 Feature: USER, EXTENSION, DOMAIN, RECIPIENT (entire address) 2757 and MAILBOX (address localpart) environment variables are 2758 exported to shell commands (including mailbox_command). 2759 2760 Feature: new command_expansion_filter parameter to control 2761 what characters may appear in message attributes that are 2762 exported via environment variables. 2763 2764 Cleanup: SMTPD reject messages are more informative, and 2765 more complete sender/recipient information is logged for 2766 the local sysadmin. 2767 276819990510 2769 2770 Bugfix: missing MIME header in postmaster bounce notices. 2771 Found by Samuel Tardieu, Ecole Nationale Superieure des 2772 Telecommunications, France. 2773 2774 Feature: UCE restrictions are always delayed until RCPT 2775 TO, VRFY or ETRN. To change back to the default specify 2776 "smtpd_delay_reject = no" in /etc/postfix/main.cf. 2777 2778 Bugfix: missing duplicate filter call. This caused too many 2779 deliveries when a user is listed multiple times in an alias. 2780 Reported by Hideyuki Suzuki, School of Engineering, University 2781 of Tokyo. Backed out on 19990512 because it caused problems. 2782 Fixed 19990513 but needs further study. 2783 2784 Feature: it is now possible to move queue files back into 2785 the maildrop queue, so that they can benefit from changes 2786 in canonical and virtual mappings. In order to make this 2787 possible, some restrictions on queue file contents were 2788 relaxed. Files: pickup/pickup.c, cleanup/cleanup_extracted.c. 2789 2790 Feature: made a start with integrating Joerg Henne's 2791 dictionary extensions to remove entries and to iterate over 2792 entries. That code is almost four months old by now. 2793 279419990511 2795 2796 Feature: added a "undeliverable postmaster notification 2797 discarded" warning when mail is dropped on the floor. 2798 Requested by Michael Hasenstein, SuSE, Germany. 2799 280019990517 2801 2802 Bugfix: reject_non_fqdn_sender/recipient would pass 2803 user@[ip_address] regardless of destination. Eric Cholet 2804 had the honor of suffering from this one. 2805 280619990527 2807 2808 More SMTP client logging for easier debugging: the smtp 2809 client now logs hostname[ip.addr], and logs every failed 2810 attempt to reach an MX host, not just the last one. 2811 281219990601 2813 2814 Bugfix: emit a blank line before a MIME boundary; the line 2815 is part of the boundary. File: bounce/bounce_notify_service.c. 2816 Wolfgang Segmuller, IBM Research. 2817 281819990610 2819 2820 Bugfix: the "is this the loopback interface" test was 2821 broken. Reported by Claus Fischer @microworld.com. File: 2822 smtp/smtp_connect.c. 2823 2824 Usability: added helpful warnings about restrictions that 2825 are being ignored after check_relay_domains, etc. 2826 2827 Portability: Reliant Unix support by Gert-Jan Looy, Siemens, 2828 the Netherlands. 2829 283019990611 2831 2832 Robustness: the postfix-script start-up procedure now 2833 detects a missing master program, avoiding misleading 2834 warnings that the mail system is already running. Fix 2835 suggested by David E. Smith @technopagan.org. 2836 2837 Portability: Mac OS X Server Port by Mark Miller @swoon.net. 2838 2839 Feature: on systems that use dotlock files for mailbox 2840 locking, the local delivery agent now will attempt to use 2841 dotlock files when delivering to user-specified files. 2842 Dotlock files for user-specified destinations are created 2843 with the privileges of the user. For backwards compatibility, 2844 Postfix will attempt to create dotlocks for user-specified 2845 destinations only when the user has parent directory write 2846 permission. 2847 2848 Feature: specify "expand_owner_alias = yes" in order to 2849 use the right-hand side of an owner- alias, instead of 2850 using the left-hand side address. Needed by Juergen Georgi. 2851 285219990622 2853 2854 Bugfix: the local delivery agent did not set user attributes 2855 when delivering to root, so that forward_path did not expand 2856 properly. Found by Jozsef Kadlecsik, KFKI Research Institute 2857 for Particle and Nuclear Physics, Hungary. File: 2858 local/dotforward.c. 2859 2860 Bugfix: the unix:passwd.byname mechanism is not suitable 2861 for smtpd access control - the user name would have to end 2862 in @, or the access control software would have to be 2863 changed. Removed the example from the RELEASE_NOTES file. 2864 286519990623 2866 2867 Bugfix: the smtp server did not reset the error flag after 2868 ".". Found by James Ponder, Oaktree Internet Solutions Ltd. 2869 File: smtpd/smtpd.c. 2870 2871 Bugfix: fencepost error in the doze() routine (an usleep() 2872 replacement for systems without one). Found by Simon J 2873 Mudd. File: util/doze.c. 2874 287519990624 2876 2877 Portability: support for AIX 3.2.5 (!) by Florian Lohoff 2878 @rfc822.org. 2879 2880 Portability: Ultrix 4.3 support by Christian von Roques 2881 @pond.sub.org. 2882 2883 Feature: mysql support by Scott Cotton and Joshua Marcus, 2884 Internet Consultants Group, Inc. Files: util/dict_myqsl.*. 2885 288619990627 2887 2888 Bugfix: Postfix is now distributed under the new IBM Public 2889 License (version 1, dated June 14, 1999). 2890 2891 Feature: the Delivered-To: header can be turned off for 2892 delivery to command or file/mailbox. The default setting 2893 is: "prepend_delivered_header = command, file, forward". 2894 Turning off the Delivered-To: header when forwarding mail 2895 is not recommended. 2896 289719990628 2898 2899 Feature: the postlock command now returns EX_TEMPFAIL when 2900 the destination file is locked by another process. 2901 290219990705 2903 2904 Workaround: in the SMTP client, move the "mail loops back 2905 to myself test" from the 220 greeting to the HELO response. 2906 This change does not weaken the test, and makes Postfix 2907 more robust against broken software that greets with the 2908 client hostname. 2909 291019990706 2911 2912 Workaround: in the INSTALL file, use `&&' instead of `;' 2913 in (cd path; tar ...) pipelines because some UNIX re-invented 2914 shells don't bail out when cd fails. Matthias Andree 2915 @stud.uni-dortmund.de. 2916 291719990709 2918 2919 Bugfix: $user was not set when delivering to a non-user. 2920 Found by Vladimir Ulogov @ rohan.control.att.com when 2921 configuring a luser_relay that contained $user. 2922 292319990714 2924 2925 Robustness: add PATH statement to Solaris2 chroot setup 2926 script to avoid running the ucb commands. Problem found by 2927 Panagiotis Astithas @ ece.ntua.gr. 2928 292919990721 2930 2931 Bugfix: don't claim a "mail loops to myself" error when 2932 the best MX host was not found in the DNS. Found by Andrew 2933 McNamara, connect.com.au Pty Ltd. File: smtp/smtp_addr.c. 2934 293519990810 2936 2937 Feature: added "-c config_dir" support to the postconf 2938 command. This probably means that "-f file" will never be 2939 implemented. 2940 294119990812 2942 2943 Bugfix: showq didn't print properly when listing a maildrop 2944 file. Fix by: Andrew McNamara, connect.com.au Pty Ltd. 2945 File: showq/showq.c. 2946 2947 Feature: added SENDER to the list of parameters exported 2948 to external commands. File: local/command.c. Code by: Lars 2949 Hecking, National Microelectronics Research Centre, Ireland. 2950 295119990813 2952 2953 Bugfix: sendmail -t (extract recipients from headers) did 2954 not work when the always_bcc feature was turned on. Reported 2955 by: Denis Shaposhnikov @ neva.vlink.ru. 2956 295719990813 2958 Bugfix: "sendmail -bd" returns a bogus exit status (the 2959 child process ID). Fix by Lamont Jones of Hewlett-Packard. 2960 File: sendmail/sendmail.c. 2961 296219990824 2963 2964 Bugfix: null pointer dereference while rejecting VRFY before 2965 MAIL FROM. Found by Laurent Wacrenier @ fr.clara.net. 2966 296719990826 2968 2969 Portability: more MacOS X Server patches; some NEXTSTEP/OPENSTEP 2970 code that had been removed for the first public beta release; 2971 NEXTSTEP/OPENSTEP now defaults to netinfo for the aliases 2972 database. Submitted by Gerben Wierda. 2973 2974 Portability: workaround for a FreeBSD 3.x active network 2975 interface without IP address by Pierre Beyssac @ enst.fr. 2976 File: inet_addr_local.c. 2977 297819990831 2979 2980 Workaround: sendmail now prints a warning when installed 2981 set-uid or when run by a set-uid command. Reportedly, the 2982 linuxconf software turns on the set-uid bit, which could 2983 open up a security loophole. File: sendmail/sendmail.c. 2984 2985 Bugfix: Postfix daemons now temporarily lock DB/DBM files 2986 while opening them, in order to avoid "invalid argument" 2987 errors because some other process is changing the file. 2988 Files: util/dict_db.c, util/dict_dbm.c. 2989 2990 Robustness: Postfix locks queue files during delivery, to 2991 prevent duplicate delivery when "postfix reload" is 2992 immediately followed by "sendmail -q". This involves a 2993 change of the deliver_request interface: delivery agents 2994 no longer need to open and close queue files explicitly. 2995 Files: global/deliver_request.c, pipe/pipe.c, smtp/smtp.c, 2996 local/local.c, qmgr/qmgr_active.c, qmgr/qmgr_message.c. 2997 2998 Feature: reject_unauth_destination SMTP recipient restriction 2999 that rejects destinations not in $relay_domains. By Lamont 3000 Jones of Hewlett-Packard. File: smtpd/smtpd_check.c. 3001 3002 Security: do not allow weird characters in the expansion 3003 of $names that appear in $forward_path. Just like with 3004 shell commands, replace bad characters in expansions by 3005 underscores. Configuration parameter: forward_expansion_filter. 3006 300719990902 3008 3009 Documentation: added a sample postfix alias to the examples 3010 in the INSTALL document and in the conf/aliases file. 3011 Reminded by Simon J. Mudd @ alltrading.com. 3012 301319990903 3014 3015 Bugfix: in case of some error conditions the pickup daemon 3016 could leak small amounts of memory. 3017 301819990905 3019 3020 Bugfix: no more "skipping further client input" warnings 3021 when a message header is rejected. 3022 3023 Feature: reject_unauth_pipelining SMTP restriction that 3024 rejects mail from clients that improperly use SMTP command 3025 pipelining. 3026 3027 Robustness: the LDAP client by default no longer looks up 3028 names containing "*". See the lookup_wildcards feature in 3029 LDAP_README. Update by John Hensley. 3030 3031 Documentation: address masquerading with exceptions FAQ by 3032 Jim Seymour @ jimsun.LinxNet.com. 3033 3034 Bugfix: mysql reconnect after disconnect by Scott Cotton 3035 Internet Consultants Group, Inc. File: util/dict_myqsl.c. 3036 3037 Portability: the Postfix to PCRE interface now expects 3038 version 2.08. Postfix is no longer compatible with PCRE 3039 versions before 2.6. 3040 304119990906 3042 3043 Feature: INSTALL.sh script that makes Postfix installation 3044 a bit less painful. This script can be used for installing 3045 and for upgrading Postfix. It replaces files instead of 3046 overwriting them, and leaves existing configuration and 3047 queue files intact. 3048 304919990907 3050 3051 Bugfix: reject_non_fqdn_sender used the wrong test to see 3052 if a sender address was given and could dump core. This 3053 must have been broken ever since the UCE tests were moved 3054 to the RCPT TO stage in 19990510. 3055 3056 Bugfix: check_sender_access was recognized as a valid 3057 restriction name only if a sender had been specified. 3058 305919990908 3060 3061 Portability: Unixware has <sysexits.h> only after sendmail 3062 is installed. Changed postlock.c to use global/sys_exits.h. 3063 306419990909 3065 3066 Performance: added one-entry cache to the address rewriting 3067 client and to the address resolving client. This is because 3068 UCE restrictions tend to produce the same query repeatedly. 3069 Files: global/rewrite_clnt.c, global/resolve_clnt.c. 3070 3071 Feature: the UCE restrictions are now fully recursive so 3072 you can have per-client/helo/sender/recipient restrictions. 3073 Instead of OK, REJECT or [45]xx, you can specify a sequence 3074 of restrictions on the right-hand side of an SMTPD access 3075 table. This means you can no longer use canonical/virtual/alias 3076 maps as SMTPD access tables. But the loss is compensated 3077 for. File: smtpd/smtpd_access.c. 3078 3079 Feature: restriction classes, essentially a short-hand for 3080 restriction lists. These short hands are useful mostly on 3081 the right-hand side of SMTPD access tables. You must use 3082 restriction classes in order to have lookup tables on the 3083 right-hand side of an SMTPD access table. File: 3084 smtpd/smtpd_access.c. 3085 3086 Feature: "permit_recipient_map maptype:mapname" permits a 3087 recipient address when it matches the specified table. 3088 Lookups are done just as with canonical/virtual maps. With 3089 this, you can also use passwd/aliases as SMTPD access maps. 3090 File: smtpd/smtpd_access.c. 3091 309219990910 3093 3094 Changed "permit_address_map" into "permit_recipient_map" 3095 and added a test for the case that they specify a lookup 3096 table on the right-hand side of an SMTPD access map. File: 3097 smtpd/smtpd_access.c. 3098 3099 Cleanup: removed spurious sender address checks for <>. 3100 File: smtpd/smtpd_check.c. 3101 3102 Cleanup: the smtp client now consistently logs host[address] 3103 for all connection attempts. 3104 310519990919 3106 3107 Feature: in an SMTPD access map, an all-numeric right-hand 3108 side now means OK, for better cooperation with out-of-band 3109 authentication mechanisms. 3110 311119990922 3112 3113 Security: recipient addresses must not start with '-', in 3114 order to protect external commands. The old behavior is 3115 re-instated when main.cf specifies: "allow_min_user = 3116 yes". Credits to Mads Kiilerich @ Kiilerich.com. File: 3117 qmgr/qmgr_message.c. 3118 3119 Bugfix: after 19990831, the queue manager would throw away 3120 defer logs after deferring mail to known-to-be-dead hosts 3121 or message transports. This means that in some cases, mailq 3122 would not show why mail is delayed, and that delayed mail 3123 could be sent back with recipients missing from the error 3124 report. Reported by Giulio Orsero @ tiscalinet.it. 3125 312619990923 3127 3128 Bugfix: the above bugfix broke bounces of mail with bad 3129 address syntax and relocated users. Problem diagnosed by 3130 Dick Porter @ acm.org. 3131 3132 Documentation: added DO NOT EDIT THIS FILE. EDIT MAIN.CF 3133 INSTEAD notices to the sample-xxx.cf files. 3134 313519991007 3136 3137 Compatibility: ignore the sendmail -U (initial user 3138 submission) option. Thomas Quinot @ cuivre.fr.eu.org. 3139 314019991103 3141 3142 Code cleanup: don't send postmaster notifications when an 3143 SMTP client sends a DATA command while no recipients were 3144 accepted. This can happen when a pipelined client runs 3145 into an UCE block. File: smtpd/smtpd.c. 3146 314719991104 3148 3149 Robustness: do not apply UCE header checks to mail that is 3150 generated by Postfix (bounces, forwarded mail etc.). Files: 3151 smtpd/smtpd.c, pickup/pickup.c, cleanup/cleanup_message.c. 3152 3153 Robustness: new generic watchdog module that can deal with 3154 clocks that jump occasionally. Files: util/watchdog.c, 3155 master/master.c, master/{single,multi,trigger}_server.c. 3156 This hopefully ends the false watchdog alarms that happen 3157 when clocks are set or when laptops are resumed. 3158 3159 Code cleanup: BSMTP requires dot quoting as per RFC 821. 3160 Based on code by Florian Lohoff @ rfc822.org. Files: 3161 global/mail_copy.[hc], pipe/pipe.c. 3162 316319991105 3164 3165 Bugfix: the crufty code in inet_addr_local() did not find 3166 IP aliases. File: util/inet_addr_local.c. 3167 3168 Portability: the INSTALL.sh utility did not find users or 3169 groups in NIS or Netinfo tables. The script no longer 3170 searches the /etc/passwd and /etc/group files. Instead it 3171 now queries the unix:passwd.byname and unix:group.byname 3172 maps. For this, a -q (query) option was added to postmap 3173 (and to postalias, for symmetry). Files: util/dict_unix.c, 3174 postalias/postalias.c, postmap/postmap.c, INSTALL.sh. 3175 3176 Bugfix: LDAP lookup timeout settings were ignored. Patch 3177 by John Hensley. File: util/dict_ldap.c. 3178 317919991108 3180 3181 Bugfix: when doing a fresh install, INSTALL.sh didn't set 3182 main.cf:mail_owner properly (Simon J. Mudd). 3183 318419991109 3185 3186 Bugfix: when doing a fresh install, INSTALL.sh no longer 3187 worked (missing main.cf file). Fix: add "-c" argument to 3188 the postmap commands (Lars Hecking @ nmrc.ucc.ie). 3189 3190 Documentation: removed spurious "do not edit" comments from 3191 the sample pcre and regexp configuration files. 3192 319319991110-13 3194 3195 Code cleanup: greatly simplified the SMTPD command parser 3196 and somewhat simplified the code that groks RFC 822-style 3197 address syntax in MAIL FROM and RCPT TO commands. 3198 3199 New parameter: strict_rfc821_envelopes (default: no) to 3200 reject RFC 822 address forms (with comments etc.) in SMTP 3201 envelopes. By default, the Postfix SMTP server only logs 3202 a warning. 3203 320419991113 3205 3206 Oops, also updated the SMTP VRFY code in the light of 3207 changes to the SMTPD command parser. 3208 3209 Cleanup: the local delivery agent now explicitly rejects 3210 recipients with an empty username. 3211 321219991114 3213 3214 Workaround: with some gawk versions, postconf/extract.awk 3215 reportedly returns a non-zero exit status upon success. 3216 Added an explicit exit(0) statement. 3217 321819991115 3219 3220 Feature: DNS TXT record lookup support, based on initial 3221 code by Simon J Mudd. File: dns/dns_lookup.c. 3222 3223 Feature: RBL TXT record lookups, based on initial code by 3224 Simon J Mudd. File: smtpd/smtpd_check.c. 3225 3226 Feature: permit_auth_destination restriction based on code 3227 by Jesper Skriver @ skriver.dk. 3228 3229 Code cleanup: the transport table now can override all 3230 deliveries, including local ones. 3231 323219991116 3233 3234 Code cleanup: a new "local_transports" configuration 3235 parameter explicitly lists all transports that deliver mail 3236 locally. The first name listed there is the default local 3237 transport. This is the end of the "empty next-hop hostname" 3238 hack to indicate that a destination is local. Files: 3239 trivial-rewrite/resolve.c, global/local_transport.[hc] 3240 3241 Feature: "postconf -m" shows what lookup table types are 3242 available. Code by Scott Cotton, Internet Consultants 3243 Group, Inc. 3244 3245 Feature: "postconf -e" edits any number of main.cf parameters. 3246 The edit is done on a copy, and the copy is renamed into 3247 the place of the original. File: postconf/postconf.c, 3248 util/readlline.[hc]. 3249 325019991117 3251 3252 Portability: SunOS 4 has no SA_RESTART. File: util/watchdog.c. 3253 3254 Feature: on systems with h_errno, the "reject_unknown_client" 3255 restriction now distinguishes between soft errors (always 3256 reply with 450) and hard errors (use the user-specified 3257 reply code). This should lessen the load by broken mailers 3258 that re-connect once a minute. 3259 3260 Feature: forward/reverse name/address check for SMTP client 3261 hostnames. This fends off some hypothetical attacks by 3262 spammers who are in control of their own reverse mapping. 3263 3264 Robustness: postconf no longer aborts when it can't figure 3265 out the local domain name; it prints a warning instead. 3266 This allows you to use "postconf -e" to fix the problem. 3267 326819991118 3269 3270 Bugfix: the RFC822 address parser would misparse a leading 3271 \ as an atom all by itself. Problem reported by Keith 3272 Stevenson @ louisville.edu. File: global/tok822_parse.c. 3273 327419991119 3275 3276 Bugfix: tiny memory leak in pipe_command() when fork() 3277 fails. File: global/pipe_command.c. 3278 327919991120 3280 3281 Bugfix: reversed test for all-numerical results in SMTPD 3282 access maps. File: smtpd/smtpd_check.c. 3283 328419991121 3285 3286 Robustness: INSTALL.sh no longer uses postmap for sanity 3287 checks. 3288 3289 Feature: INSTALL.sh now has an install_root option. 3290 3291 Bugfix: INSTALL.sh now installs manual pages with proper 3292 permissions and ownership. 3293 3294 Bugfix: the LDAP client did not properly escape special 3295 characters in lookup keys (patch by John Hensley). File: 3296 util/dict_ldap.c. 3297 329819991122 3299 3300 Bugfix: missing absolute path in INSTALL.sh broke fresh 3301 install. 3302 330319991124 3304 3305 Bugfix: the local delivery agent's recipient duplicate 3306 filter did not work when configured to use unlimited memory 3307 (which is not a recommended setting). Patrik Rak @raxoft.cz. 3308 330919991125 3310 3311 Bugfix: postconf didn't have an umask(022) call at the 3312 beginning (problem experienced by Matthias Andree). 3313 331419991126 3315 3316 Bugfix: DNS TXT records now have string lengths before text 3317 (Mark Martinec @ nsc.ijs.si). 3318 331919991127 3320 3321 Update: the LDAP client code now supports escapes as per 3322 RFC2254 (John Hensley). 3323 332419991207 3325 3326 Performance: one message with many recipients no longer 3327 stops other mail from being delivered. The queue manager 3328 now frees in-memory recipients as soon as a message is 3329 delivered to one destination, rather than waiting until 3330 all in-memory destinations of that message have been tried. 3331 Patch by Patrik Rak @ raxoft.cz. Files: qmgr/qmgr_entry.c, 3332 qmgr/qmgr_message.c. 3333 3334 Performance: when delivering mail to a huge list of 3335 recipients, the queue manager now reads more recipients 3336 from the queue file before delivery concurrency drops too 3337 low. Files: qmgr/qmgr_entry.c, qmgr/qmgr_message.c. 3338 333919991208 3340 3341 Updated LDAP client code by John Hensley with escape 3342 sequences as per RFC 2254. File: util/dict_ldap.c. 3343 3344 Updated MYSQL client code by Scott Cotton. File: dict_mysql.c. 3345 3346 Feature: added -N/-n options to include/exclude terminating 3347 nulls in keys and values in postmap/postalias DB or DBM 3348 files. Normally, Postfix uses whatever is appropriate for 3349 the host system. A non-default setting can be necessary 3350 for inter-operability with third-party software. 3351 3352 Bugfix: the local delivery agent would deliver to the user 3353 instead of the .forward file when the .forward file was 3354 already visited via some non-recursive path. Patch by Patrik 3355 Rak @ raxoft.cz. Files: global/been_here.c, local/dotforward.c. 3356 3357 Robustness: attempt to deliver all addresses in the expansion 3358 of an alias or .forward file, even when some addresses must 3359 be deferred. File: local/token.c. 3360 336119991211 3362 3363 Performance: qmgr_fudge_factor controls what percentage of 3364 delivery resources Postfix will devote to one message. 3365 With 100%, delivery of one message does not begin before 3366 delivery of the previous message is completed. This is good 3367 for list performance, bad for one-to-one mail. With 10%, 3368 response time for one-to-one mail improves much, but list 3369 performance suffers. In the worst case, people near the 3370 start of a mailing list get a burst of postings today, 3371 while people near the end of the list get that same burst 3372 of postings a whole day later. Files: qmgr/qmgr_message.c, 3373 qmgr/qmgr_entry.c. 3374 3375 Bugfix: address rewriting would panic on a lone \ at the 3376 end of a line where an address was expected. Jason Hoos @ 3377 thwack.net. File: global/rewrite_clnt.c. 3378 337919991215 3380 3381 Bugfix: the strict RFC821 envelope address check should 3382 not be applied to VRFY commands. File: smtpd/smtpd.c. 3383 3384 Cleanup: permit_recipient_maps is gone, because that could 3385 only be used inside UCE restrictions. 3386 338719991216 3388 3389 Feature: allow an empty inet_interfaces parameter, just 3390 like an empty mydestination parameter. It's needed for true 3391 null clients and for firewalls that deliver no local mail. 3392 3393 Feature: "disable_vrfy_command = yes" disables some forms 3394 of address harvesting used by spammers. 3395 3396 Workaround: added the alias map parameter definition to 3397 the smtpd code. This is a symptom of a general problem 3398 with parameters that have non-empty default values: unless 3399 a program explicitly defines such a parameter, the parameter 3400 defaults to the empty string when used in other parameters. 3401 There's also a problem with evaluation order. 3402 3403 Feature: the SMTP server rejects mail for unknown users in 3404 virtual domains that are defined by Postfix virtual domain 3405 files. File: smtpd/smtpd_check.c. 3406 3407 Feature: reject mail for unknown local users at the SMTP 3408 port. The local_recipient_maps configuration parameter 3409 specifies maps with all addresses that are local with 3410 respect to $mydestination or $inet_interfaces. Example: 3411 "local_recipient_maps = $alias_maps unix:passwd.byname". 3412 This feature is disabled by default. You may have to copy 3413 the passwd file into the chroot jail. File: smtpd/smtpd_check.c. 3414 3415 Feature: the sendmail -f option now understands '<user>' 3416 and even understands address forms with RFC 822-style 3417 comments. 3418 341919991217 3420 3421 Cleanup: no more UCE checks for VRFY commands. It still 3422 reports unknown local/virtual users. File: smtpd/smtpd_check.c. 3423 3424 Robustness: upon Postfix startup, report discrepancies 3425 between system files inside and outside the chroot jail. 3426 Files: conf/postfix-script-nosgid, conf/postfix-script-sgid. 3427 342819991218 3429 3430 Cleanup: INSTALL.sh produces relative symlinks, which is 3431 necessary when install_root is not /. 3432 343319991219 3434 3435 Documentation: completely reorganized the FAQ and added 3436 many new entries. Rewrote the UCE html documentation. 3437 3438 Cleanup: INSTALL.sh uses a configurable directory for 3439 scratch files, so that it can install from a file system 3440 that is not writable by the super-user. 3441 3442 Cleanup: INSTALL.sh gives helpful hints when the "mv" 3443 command is unable to move symlinks across file system 3444 boundaries. 3445 344619991220 3447 3448 Cleanup: it is no longer necessary to list $virtual_maps 3449 as part of the relay_domains definition. The SMTP server 3450 now by default accepts mail for destinations that match 3451 $inet_interfaces, $mydestination or $virtual_maps, whether 3452 or not these are specified in relay_domains. We still need 3453 the ugly "virtual.domain whatever" hack in the virtual 3454 maps. Files: smtpd/smtpd_check.c and lots of documentation 3455 and sample config files. 3456 345719991221 3458 3459 Removed cyrus -q flag (ignore quotas) from the sample 3460 master.cf file. 3461 346219991223 3463 3464 Bugfix: smtpd should not check for unknown users when 3465 running in stand-alone (sendmail -bs) mode. Problem 3466 experienced by Chuck Mead. File: smtpd/smtpd.c. 3467 3468 Retraction: the "local_transports" configuration parameter 3469 is gone. Adjusted code and documentation accordingly. 3470 Instead, use just one "local_transport" parameter with the 3471 name of the default local transport. Files: smtpd/smtpd_check.c, 3472 qmgr/qmgr_message.c, trivial-rewrite/ resolve.c, local/resolve.c. 3473 3474 Feature: Postfix SMTPD now insists that the smtpd recipient 3475 restrictions contain at least one restriction that by 3476 default rejects mail. This should make it much more difficult 3477 to change Postfix into an open relay. File: smtpd/smtpd_check.c. 3478 3479 Retraction: null-length inet_interfaces is too confusing. 3480 348119991224 3482 3483 Bugfix: the relative symlink code in INSTALL.sh computed 3484 the ../ prefix from the wrong pathname. 3485 34861999122[5-7] 3487 3488 Feature: "allow_untrusted_routing = no" (default) prevents 3489 forwarding of source-routed mail from untrusted clients to 3490 destinations that are blessed by the relay_domains parameter 3491 (example: user@domain2@domain1 etc.). This plugs a mail 3492 relay loophole where a backup MX host forwards junk mail 3493 to a primary MX host which forwards the junk to the Internet. 3494 Files: global/quote_822_local.c, smtp/quote_821_local.c, 3495 trivial-rewrite/rewrite.c, trivial-rewrite/resolve.c, 3496 smtp/smtpd_check.c. 3497 3498 In order to make this possible, the Postfix resolver data 3499 structure and protocol has changed, so that all resolver 3500 clients need to be re-compiled. 3501 3502 Side effect from the above change: from now on, an address 3503 with @ in the recipient localpart no longer bounces with 3504 "user unknown" but instead is rejected with "relay access 3505 denied" or "source-routed relay access denied". 3506 350719991227 3508 3509 Workaround: the BSD/OS "mkdir -p" and "cmp -s" commands 3510 misbehave on boundary cases: directory exists or file does 3511 not exist. Those who re-invent... 3512 351319991229 3514 3515 Added the no source routing info requirement to addresses 3516 accepted by the permit_mx_backup UCE restriction. 3517 351819991230 3519 3520 Added a spawn daemon (not compiled and installed by default) 3521 to enable LMTP delivery over UNIX-domain sockets. The goal 3522 is to simplify the experimental LMTP delivery agent by 3523 ripping out the privileged code that forks the LMTP server. 3524 352520000102 3526 3527 Clarified documentation after early feedback on the 19991231 3528 release by Drew Derbyshire, Ollivier Robert, Khetan Gajjar. 3529 3530 Sanity check: a common error is to list Postfix virtual 3531 domains in the mydestination parameter. This causes the 3532 new optional local_recipient_maps feature to reject mail 3533 for virtual users. The SMTP server now explicitly tests 3534 for this common error and logs a warning instead of refusing 3535 the mail. File: smtpd/smtpd_check.c. 3536 353720000104 3538 3539 Bugfix: a case sensitivity bug had slipped through in the 3540 anti-relaying code, causing mail for USER@VIRTUAL.DOMAIN 3541 to be rejected with "relay access denied". This was found 3542 by Jim Maenpaa @ jmm.com. 3543 3544 Questionable feature: set "smtp_skip_5xx_greeting = yes" 3545 to make Postfix more sendmail compatible, even though this 3546 is wrong, IMNSHO. File: smtp/smtp_connect.c. 3547 3548 Portability: Ultrix patch from Simon Burge @ thistledown.com.au. 3549 3550 Portability: Siemens Pyramid (dcosx) patch by Thomas D. 3551 Knox @ vushta.com. 3552 3553 Performance: FreeBSD has bidirectional pipes that are faster 3554 than socketpairs. Anticipating on more platform-specific 3555 optimizations, all duplex pipe plumbing is now isolated in 3556 a duplex_pipe.c module that provides a system-independent 3557 interface. 3558 355920000105 3560 3561 Cleanup: the INSTALL.sh script now updates the sample files 3562 in /etc/postfix even when main.cf exists. 3563 356420000106 3565 3566 Bugfix: the SMTP server should consult the relocated map 3567 for virtual destinations (Denis Shaposhnikov). Files: 3568 smtpd/smtpd.c smtpd/smtpd_check.c. 3569 357020000108 3571 3572 Workaround: rename() over NFS can fail with ENOENT even 3573 when the operation succeeds (Graham Orndorff @ WebTV). This 3574 is not news. Any non-idempotent operation can fail over 3575 NFS when the NFS server's acknowledgment is lost and the 3576 NFS client code retries the operation (other examples are: 3577 create, symlink, link, unlink, mkdir, rmdir). Postfix has 3578 workarounds for the cases where this is most likely to 3579 cause trouble. Files: util/sane_{rename,link}.[hc]. If 3580 you want reliable mail system, do not use NFS. 3581 358220000115 3583 3584 Workaround: better detection of bad hardware. Added SIGBUS 3585 to the list of signals that the master will log before 3586 exiting. 3587 358820000122 3589 3590 Portability: preliminary SCO5 port Christopher Wong @ 3591 csports.com. This still needs to a workaround for "find" 3592 not supporting "-type s" (actually, UNIX-domain sockets 3593 have no unique representation in the file system and show 3594 up as FIFOs). 3595 359620000115-22 3597 3598 Bugfix: in case of a too long message header, don't extract 3599 recipients from message headers. With the previous behavior, 3600 Bcc information could be left in the message body, as one 3601 person found out the hard way. Files: cleanup/cleanup.c, 3602 cleanup/cleanup_extracted.c, global/cleanup_user.h. 3603 360420000124 3605 3606 Whatever: RFC 1869 amends RFC 821 and specifies that code 3607 555 is to be used when a MAIL FROM or RCPT TO parameter is 3608 not implemented or not recognized. Russ Allbery @stanford.edu. 3609 This reply code is added to the list of reply codes that 3610 cause the Postfix SMTP client to mail a transcript to the 3611 postmaster. File: smtp/smtp_trouble.c. 3612 361320000126 3614 3615 Emergency feature: qmgr_site_hog_factor (default: 90 percent) 3616 limits the amount of resources that Postfix devotes to a 3617 single destination. With less than 100, Postfix defers the 3618 excess mail so that one site with a large backlog does not 3619 block other deliveries. Files: qmgr/qmgr.c, qmgr/qmgr_message.c. 3620 362120000128 3622 3623 Cleanup: the queue manager no longer replaces the nexthop 3624 field by the recipient localpart when a destination matches 3625 $mydestination/$inet_interfaces. The price is the introduction 3626 of a new parameter local_destination_recipient_limit which 3627 defaults to 1 in order to maintain backwards compatibility. 3628 Files: qmgr/qmgr.c, qmgr/qmgr_message.c. 3629 363020000129 3631 3632 Bugfix: extracted recipients were misfiled when a message 3633 was moved back to the maildrop queue. But they still worked 3634 due to a coincidence. 3635 3636 Feature: bounce_recip() bounces a recipient immediately 3637 without accessing a bounce logfile. This is necessary for 3638 VERP bounces, for bounces by delivery agents that change 3639 the sender address, and for bounces that for some reason 3640 must not use temporary logfiles. Files: global/bounce.c, 3641 bounce/bounce_recip_service.c. 3642 364320000130 3644 3645 Bugfix: the too long header fix of 20000115-22 lost mail 3646 with too long headers that didn't need to extract recipients 3647 from message headers. 3648 3649 Bugfix: the too long header fix of 20000115-22 lost mail 3650 without (blank line + message body). 3651 3652 Code rewrite: reorganized the cleanup daemon source code 3653 so that the cleanup service can be called one record at a 3654 time (see cleanup/cleanup_api.c); also got rid of the global 3655 state variables and fixed a couple bugs that were introduced 3656 with 20000115-22. 3657 365820000204 3659 3660 Feature: in daemon mode, the MAIL FROM size check can be 3661 postponed until RCPT TO so that Postfix can log sender and 3662 recipient. Simon J Mudd. Files: smtpd/smtpd.c 3663 3664 Robustness: limit the number of recipient addresses that 3665 can be extracted from message headers. Parameter: 3666 extract_recipient_limit (default: 10240). Files: 3667 cleanup/cleanup_message.c, cleanup/cleanup_extracted.c. 3668 3669 Cleanup: the message header reject logging now includes 3670 sender and recipient address (if possible), so that the 3671 logging looks more like the other reject logging. File: 3672 cleanup/cleanup_message.c. 3673 3674 Documentation: added sections on regular expression tables 3675 to the access, canonical, virtual, transport and relocated 3676 man pages, and write new man pages that are specific to 3677 regular expressions: pcre_table.5 and regexp_table.5. 3678 367920000214 3680 3681 Bugfix: postconf reported some parameters more than once 3682 because the parameter extracting script didn't recognize 3683 lines that differ in whitespace only. File: postconf/extract.awk. 3684 Reported by Kenn Martin. 3685 368620000221 3687 3688 Logging: the SMTP client now logs log host+port when it is 3689 unable to connect to a non-MX host, just like it logs 3690 host+port when unable to connect to an MX host. 3691 369220000226 3693 3694 Bugfix: the SMTP server's "User unknown" test didn't notice 3695 LDAP etc. dictionary access errors. The code now reports 3696 a 450 status (try again instead of bounce) if the reply is 3697 not definitive. File: smtp/smtpd_check.c. 3698 3699 Robustness: the smtp-source program could stall when making 3700 hundreds of parallel connections to a Postfix system with 3701 only one SMTP server process. The fix is to use non-blocking 3702 connect() calls, very carefully. File: smtpstone/smtp-source.c. 3703 370420000303 3705 3706 Feature: with smtp_always_send_ehlo the SMTP client will 3707 send EHLO regardless of the content of the SMTP server's 3708 greeting. File: smtp/smtp_proto.c. 3709 371020000304 3711 3712 Feature: DICT_FLAG_SYNC_UPDATE flag for synchronous dictionary 3713 updates, if supported by the underlying mechanism. Files: 3714 util/dict.h, util/dict_open.c, util/dict_db.c. 3715 371620000307 3717 3718 Cleanup: the manual pages in Postfix configuration files 3719 no longer contain troff formatting codes. The text is now 3720 generated from prototype files in a new "proto" subdirectory. 3721 Requested by Matthias Andree @ stud.uni-dortmund.de. 3722 372320000308 3724 3725 Bugfix: the unused db and dbm "delete" routines would 3726 clobber the per-dictionary flags when called before reading 3727 or writing the table. Files: util/dict_dbm.c, util/dict_db.c. 3728 Lutz Jaenicke @ aet.TU-Cottbus.DE. 3729 3730 Bugfix: the SMTP server would produce a cryptic message 3731 when a queue file write error happened before it had written 3732 any recipients. Keith Stevenson. File: smtpd/smtpd.c. 3733 3734 Robustness: the db and dbm "delete" routines didn't adjust 3735 to dictionaries with/without one trailing null in lookup 3736 keys and values. Did a complete rewrite of the routines. 3737 Files: util/dict_db.c, util/dict_dbm.c. 3738 3739 Feature: specify "-d key" to postalias or postmap in order 3740 to remove one key. This still needs to be generalized to 3741 multi-key removal (read stdin?). Files: postmap/postmap.c, 3742 postalias/postalias.c. 3743 3744 Test: added test targets for the dictionary delete operations. 3745 Files: util/Makefile.in, util/dict_test.{c,in,ref}. 3746 3747 Feature: added data offset and recipient count fields to 3748 the first queue file record output from the cleanup daemon. 3749 The recipient counts provides an initial estimate for a 3750 more advanced queue manager scheduling algorithm. Files: 3751 cleanup/cleanup_envelope.c, cleanup/cleanup_extracted.c. 3752 375320000311 3754 3755 Portability: HP-UX awk can't handle bare { in regexps 3756 (Lamont Jones. HP). File: postconf/extract.awk. 3757 3758 Compatibility: sendmail now recognizes '.' as end of input. 3759 File: sendmail/sendmail.c. 3760 376120000313 3762 3763 Compatibility: dtcm (CDE desktop calendar manager) leaks 3764 a file descriptor into its child process, and requires that 3765 sendmail closes the descriptor, otherwise mail notification 3766 will hang. These GUI programmers never figured out that 3767 the child process must close the writing end of a pipe. 3768 File: sendmail/sendmail.c. 3769 377020000314 3771 3772 Feature: SASL authentication in the SMTP server and client. 3773 Based on code contributed by Till Franke, SuSE. Specify: 3774 "smtpd_sasl_auth_enable = yes" and "smtp_sasl_auth_enable 3775 = yes". The "permit_sasl_authenticated" UCE restriction 3776 gives special treatment to authenticated clients. 3777 377820000315 3779 3780 Workaround: added -blibpath option for AIX 4.x, to close 3781 hole in case postdrop needs to be set-gid. 3782 378320000320 3784 3785 Portability: FreeBSD 5.x added to the list of supported 3786 systems (Mark Huizer). 3787 378820000323 3789 3790 Portability: INSTALL.sh looks if sendmail is in /usr/lib 3791 rather than in /usr/sbin. 3792 379320000326 3794 3795 Bugfix: settings in one mysql configuration file would act 3796 as the implicit defaults for the next one, which could be 3797 confusing. Patch by Scott Cotton. File: util/dict_mysql.c. 3798 3799 Robustness: limit the number of "junk" commands that can 3800 be issued in an SMTP session (ex.: NOOP, VRFY, ETRN, RSET). 3801 Problem report by Michael Ju. Tokarev @ tls.msk.ru. Files: 3802 global/mail_params.h, smtpd/smtpd.c. 3803 380420000413 3805 3806 Portability: more MacOS X patches by Gerben Wierda. 3807 3808 Bugfix: RFC 822 requires the presence of at least one 3809 destination message header. The cleanup daemon now generates 3810 a generic "To: undisclosed-recipients:;" message header 3811 when no destination header is present. The header content 3812 is specified with the undisclosed_recipients_header parameter. 3813 Problem pointed out by Geoff Gibbs, UK-Human Genome Mapping 3814 Project-Resource Centre. 3815 381620000416 3817 3818 Workaround: allow <(comment)> as SMTP MAIL FROM address. 3819 382020000417 3821 3822 The SASL authentication in the SMTP server and client works, 3823 but only on Linux and Solaris, neither of which I wish to 3824 run on my laptop. 3825 382620000418 3827 3828 Added LMTP support to the smtp-source and smtp-sink utilities 3829 so that I don't have to install Cyrus IMAP just to test 3830 LMTP. 3831 383220000419 3833 3834 Bugfix: removed the () from the tokenized representation 3835 of RFC 822 comments, so that comments with \( or \) can be 3836 unparsed correctly. Problem reported by Bodo Moeller. 3837 383820000423 3839 3840 Bugfix: mail_copy() could prepend > or . in the middle of 3841 long lines. Found by code inspection. 3842 384320000427 3844 3845 New code: unescape module that translates C escape sequences 3846 into their equivalent character values. File: util/unescape.c. 3847 3848 Feature: the pipe mailer now has a way to specify the output 3849 record delimiter (for example, eol=\r\n). This is necessary 3850 for transports that require CRLF instead of UNIX-style LF. 3851 385220000502 3853 3854 In order to support timeouts more conveniently, VSTREAMs 3855 now have built into them the concept of timeout. Instead 3856 of calling read() and write(), the low-level VSTREAM 3857 interface now by default uses timed_read() and timed_write() 3858 which receive a timeout parameter; vstream_ctl(stream, 3859 VSTREAM_CTL_TIMEOUT...) sets the timeout deadline on a 3860 stream, and vstream_ftimeout(stream) queries a stream for 3861 timeout errors. This change simplified timeout handling 3862 considerably. Files: util/vbuf.h, util/vstream.[hc], 3863 global/smtp_stream.c, global/timed_ipc.c. 3864 386520000504 3866 3867 Added application context to VSTREAMs, which is passed on 3868 transparently to application-provided read/write routines. 3869 vstream_ctl(stream, VSTREAM_CTL_CONTEXT...) sets the context. 3870 Files: util/vstream.[hc]. 3871 3872 Added vstream_setjmp() and vstream_longjmp() support to 3873 make exception handling more convenient. Turn on exception 3874 handling with vstream_ctl(stream, VSTREAM_CTL_EXCEPT...). 3875 Files: util/vstream.[hc]. 3876 3877 Cleaned up the smtp_stream module further and got rid of 3878 the global state that limited the use of this module to 3879 one stream per process. Files: global/smtp_stream.[hc]. 3880 388120000505 3882 3883 Bugfix: the SMTP server now flushes unwritten output before 3884 tarpit delays, to avoid protocol timeouts in pipelined 3885 sessions when a client causes lots of errors. Found by 3886 Lamont Jones, HP. File: smtpd/smtpd_chat.c. 3887 3888 Finished the LMTP client, which is based on a modified 3889 version of the SMTP client by Philippe Prindeville, Mirapoint, 3890 Inc., later modified by Amos Gouaux, UTDallas, and then 3891 Wietse ripped it all up again. Currently this talks LMTP 3892 over TCP only. 3893 3894 Feature: override main.cf parameters in master.cf. Specify 3895 "-o parameter=value" after the program name. This allows 3896 you to selectively override myhostname etc. See also the 3897 new smtp_bind_address parameter below. 3898 389920000506 3900 3901 Convenience: the LMTP and SMTP clients now append the local 3902 domain to unqualified nexthop destinations. This makes it 3903 more convenient to set up transport maps. Files: 3904 lmtp/lmtp_addr.c, smtp/smtp_addr.c. 3905 3906 Sendmail compatibility: the Postfix SMTP client now skips 3907 servers that greet the client with a 4xx or 5xx status 3908 code. To disable, set both smtp_skip_4xx_greeting and 3909 smtp_skip_5xx_greeting to "no". 3910 391120000507 3912 3913 Portability: NetBSD has migrated to /etc/mail/aliases. We 3914 can expect to see this happen more often when systems start 3915 shipping Sendmail 8.10. File: util/sys_defs.h 3916 3917 Updated LDAP code by John Hensley, with support for 3918 dereferencing of LDAP aliases, which have nothing to do 3919 with Postfix aliases. 3920 3921 Feature: "smtp_bind_address=x.x.x.x" specifies the source 3922 IP address for SMTP client connections. Specify in master.cf 3923 as "smtp -o smtp_bind_address=x.x.x.x" in order to give 3924 different delivery agents different source addresses. 3925 392620000510 3927 3928 Cleanup: mailbox_transport did not work with the lmtp 3929 delivery agent. This dates back to when Postfix used empty 3930 nexthop information to indicate that a destination was 3931 local. File: global/deliver_pass.c. 3932 3933 Bugfix: configuration parameters for one mysql dictionary 3934 would become default settings for the next one. File: 3935 dict_mysql.c. This patch was merged into Postfix a while 3936 back but apparently that Postfix version was nuked when 3937 other parts were redesigned. Update by Scott Cotton. 3938 3939 Bugfix: some Postfix delivery agents would abort on addresses 3940 of the form `stuff@.' which could be generated only locally. 3941 Found by Patrik Rak. File: trivial-rewrite/resolve.c. 3942 3943 Third-party Berkeley DB support for HP-UX by Lamont Jones. 3944 File: makedefs. 3945 394620000511 3947 3948 Bugfix: Postfix would incorrectly reject domain names with 3949 adjacent - characters. File: util/valid_hostname.c. 3950 3951 Bugfix: the 20000505 pipeline tarpit delay flush was wrong 3952 and caused the client and server to get out of phase. Yuck! 3953 395420000513 3955 3956 Feature: VSTREAMs now have the concept of last fill/flush 3957 time, which is needed to prevent timeouts with pipelined 3958 SMTP sessions as detailed in the next item. 3959 3960 Bugfix: delayed SMTP command/reply flushing to prevent 3961 sender delays from accumulating too much and causing timeouts 3962 with pipelined sessions. For example, client-side delays 3963 happen when a client does DNS lookups to replace hostname 3964 aliases in MAIL FROM or RCPT TO commands; server-side delays 3965 happen when an UCE restriction involves a time-consuming 3966 DNS lookup, or when a server generates tarpit delays. 3967 Files: lmtp/lmtp_proto.c, smtp/smtp_proto.c, smtpd/smtpd_chat.c. 3968 3969 Portability: define ANAL_CAST for compilation environments 3970 that reject explicit casts between pointers and integral 3971 types. File: util/sys_defs.h, master/*server.c. Upon closer 3972 investigation, this turned out to be the result of someone's 3973 compiler configuration preferences. Therefore the change 3974 is likely to go away after a code cleanup. 3975 397620000514 3977 3978 Feature: mysql client support for multi-valued queries 3979 (select email, email2 from aliastbl where username='$local') 3980 By Loic Le Loarer @ m4x.org. File: util/dict_mysql.c. 3981 3982 Finalized the delayed SMTP command/reply flushing code in 3983 the SMTP and LMTP clients after lots of testing and review. 3984 398520000520 3986 3987 Robustness: upon receipt of mail, map the mailer-daemon 3988 sender address back into the magic null string. File: 3989 cleanup/cleanup_envelope.c. 3990 399120000524 3992 3993 Bugfix: the code for masquerade_exceptions was case sensitive. 3994 Reported by Eduard Vopicka. File: cleanup/cleanup_masquerade.c. 3995 399620000526 3997 3998 Feature: experimental queue manager by Patrik Rak with a 3999 fancy pre-emptive scheduling algorithm that improves delivery 4000 performance of mail with few recipients. This queue manager 4001 is made available as "nqmgr". 4002 400320000528 4004 4005 Feature: the SMTP client SASL password file can contain 4006 entries for destination domain names (the address remote 4007 part) not just mail server hostnames. File: smtp_sasl_glue.c. 4008 4009 Feature: smtpd_sasl_local_domain parameter (default: 4010 $myhostname) to specify the local SASL authentication realm. 4011 File: smtpd_sasl_glue.c. 4012 4013 Feature: specify "body_checks=regexp:/file/name" for a very 4014 crude one line at a time message body content filter. This 4015 feature uses the same filtering syntax as the header_checks 4016 feature. File: cleanup/cleanup_message.c. See also the 4017 conf/sample-filter.cf file. 4018 401920000530 4020 4021 Feature: full content filtering through external software. 4022 This uses existing interfaces for sending mail to the 4023 external content filter and for injecting it back into 4024 Postfix. Details in FILTER_README. Files: pickup/pickup.c, 4025 smtpd/smtpd.c, qmgr/qmgr_message.c. 4026 402720000531 4028 4029 More SASL feedback by Liviu Daia, regarding the use of 4030 authentication realms. File smtpd/smtpd_sasl_glue.c. 4031 4032 Added a simple shell-script based content filtering example 4033 to the FILTER_README file. 4034 4035 Content filtering support for nqmgr by Patrik Rak. File: 4036 nqmgr/qmgr_message.c. 4037 4038 Renamed "content inspection" etc. to "content filtering" 4039 in anticipation of a new hook for content inspection that 4040 only inspects mail without re-injecting it into Postfix. 4041 404220000601 4043 4044 Feature: limit the size of pipe mailer deliveries with the 4045 size=nnn command-line attribute. Patch by Andrew McNamara. 4046 404720000603 4048 4049 Bugfix: don't try to do SASL authentication when running 4050 in stand-alone (sendmail -bs) mode. Fix by Liviu Daia. 4051 4052 Bug: the unauthorized pipelining test fails with single 4053 recipient mail when smtpd_delay_reject = yes. 4054 405520000617 4056 4057 Bugfix: conf/sample-ldap.cf was no longer up to date with 4058 reality. Patch by Lamont Jones, HP. 4059 4060 Bugfix: the maildir delivery routine left temporary files 4061 lying around after unsuccessful delivery (problem reported 4062 by Brian Laughton @ Corp.Axxent.Ca). 4063 406420000621 4065 4066 AIX 4.x had POSIX regular expression support all the time 4067 I was working on Postfix. Better find out late than never. 4068 406920000623 4070 4071 Bugfix: the SMTP server did not reset the so-called junk 4072 command counter after successful delivery (Mark Hoffman @ 4073 wallst.com). File: smtpd/smtpd.c. 4074 407520000625 4076 4077 Cleanup: remove Content-Length from incoming mail. The 4078 sender has no authority over the format of mail as stored 4079 by the receiving system. File: global/header_opts.h. 4080 4081 Feature: rewrite Mail-Followup-To: as sender. Files: 4082 global/header_opts.[hc]. 4083 4084 Cleanup: rewrite Reply-To, Errors-To, Return-Receipt-To as 4085 sender, so that address masquerading works as expected. 4086 Files: global/header_opts.c. 4087 4088 Feature: specify "require_home_directory = yes" to prevent 4089 mail from being delivered to a user whose home directory 4090 is not mounted. File: local/dotforward.c. 4091 4092 Cleanup: the pipe deliver agent no longer appends a blank 4093 line when the F flag (prepend From_ line) is specified. 4094 Specify the B flag if you need that blank line. The local 4095 delivery agent no longer appends a blank line to mail that 4096 is delivered to external command. Files: pipe/pipe.c, 4097 global/mail_copy.[hc]. 4098 409920000708 4100 4101 Portability: support for NEXT/OPENSTEP requires extra 4102 include file in util/watchdog.c (Masaki Murase). 4103 410420000715 4105 4106 Added macros to turn on vstream/vstring/etc. format string 4107 checking by gcc, in addition to the checking that was 4108 already implemented with printfck. File: util/sys_defs.h, 4109 the macros for PRINTFLIKE and SCANFLIKE. Problem - unlike 4110 the printfck tool, gcc finds format argument type mismatches 4111 only in code that isn't #ifdef-ed out. 4112 411320000718 4114 4115 Robustness: make_dirs() now continues when a missing 4116 directory is created by another process. 4117 411820000720 4119 4120 Feature: the queue manager now logs the number of recipients 4121 when opening a queue file (a zero recipient count is logged 4122 with older queue files). File: global/opened.c. 4123 412420000726 4125 4126 Robustness: added watchdog_pat() routine to keep the watchdog 4127 quiet if a client stays connected for a lot of time. Files: 4128 util/watchdog.[hc], smtpd/smtpd.c. 4129 413020000729 4131 4132 Robustness: if relayhost is specified but the host does 4133 not exist, defer mail instead of bouncing it (which would 4134 lose the mail if the bounce would have to be delivered to 4135 that same non-existent relayhost). Problem reported by 4136 Chris Cooper @ maths.ox.ac.uk. File: smtp/smtp_connect.c. 4137 413820000821 4139 4140 Feature: added -r (replace key+value) option to postalias 4141 and postmap. 4142 4143 Cleanup: smtpd now replies with 555 when the client sends 4144 unrecognized RCPT TO parameters, as required by RFC 1869 4145 (problem report by Robert Norris @ its.monash.edu.au). 4146 File: smtpd/smtpd.c. 4147 414820000822 4149 4150 Logging: the SMTP server's SASL code logs the authentication 4151 method along with an authentication failure. Suggested by 4152 Ronald F. Guilmette @ monkeys.com. 4153 4154 Workaround: some systems have file size resource limits 4155 that cannot be represented with the off_t type that is used 4156 by standard functions such as lseek(2). Problem reported 4157 by Blaz Zupan @ amis.net. 4158 415920000823 4160 4161 Feature: all this discussion about when to reject mail and 4162 when not made me decide to implement a TCP-based map type 4163 so that it becomes relatively simple to implement dynamic 4164 access controls, for example, hold off mail from an unknown 4165 client or sender until we have completed some investigation, 4166 after which we will either reject or accept. 4167 4168 However, this code is turned off until it is finished. 4169 417020000905 4171 4172 Robustness: the dns client now rejects malformed domain 4173 names rather than depending on the DNS to report that the 4174 name does not exist. Linux returns a rather misleading 4175 server failure code as found out by Patrik Rak. File: 4176 dns/dns_lookup.c. 4177 417820000911 4179 4180 Feature: added IGNORE keyword to header_checks and body_checks 4181 to pretend that certain data does not exist. File: 4182 cleanup/cleanup_message.c. 4183 418420000911 4185 4186 Bugfix: the SASL code did not allow MAIL FROM... AUTH=sender 4187 without prior authentication. The RFC allows this, although 4188 one wonders what the reasoning behind this is. File: 4189 smtpd/smtpd_sasl_proto.c. 4190 419120000913 4192 4193 Bugfix: the rmail script did not handle remote UUCP systems 4194 that send a from_ line with unqualified envelope sender. 4195 Reported by Luciano Mannucci. 4196 4197 Compatibility: don't insert Sender: header lines. Sendmail 4198 has not done so for at least 10 years, if it ever did. 4199 Problem reported by Brad Knowles. File: cleanup/cleanup_message.c. 4200 420120000916 4202 4203 Bugfix: when propagating an address extension in a virtual 4204 or canonical mapping, cleanup accesses memory that is no 4205 longer allocated. This can happen when the result address 4206 length is more than 100 characters. Problem reported by 4207 Adi Prasaja @ satunet.com. File: global/mail_addr_crunch.c. 4208 4209 Bugfix: fixed a misleading error message when the cleanup 4210 server reaches the queue file size limit. Fix by Robby 4211 Griffin @ MIT.EDU. File: cleanup/cleanup_extracted.c. 4212 421320000917 4214 4215 Bugfix: postalias -i would complain about duplicate entries 4216 for the Sendmail-compatible @ entry and for the NIS-compatible 4217 YP_LAST_MODIFIED and YP_MASTER_NAME entries. 4218 421920000918 4220 4221 Gross hack: prevent looping on a bad recipient by always 4222 forwarding recipients in :include: files to a new mail 4223 delivery request, even when owner-listname is not set. 4224 File: local/recipient.c. 4225 422620000919 4227 4228 Convenience: INSTALL.sh now imports default settings from 4229 the process environment, in order to make scripting easier. 4230 4231 Robustness: INSTALL.sh now systematically skips over CVS, 4232 RCS and SCCS cruft. 4233 4234 Portability: another fix for NEXTSTEP (Masaki MURASE). 4235 File: util/spawn_command.h. 4236 423720000920 4238 4239 Cleanup: in a transport table entry, do not ignore port 4240 numbers specified as [host]:port. In fact, this is now 4241 becoming the preferred form, in order to avoid parsing 4242 problems with IPV6 addresses. Postfix supports both forms, 4243 but future versions will print a warning for the old form. 4244 Problem reported by Claus Fischer @ werhats.at 4245 4246 Bugfix: missing initialization for state->sasl_method can 4247 cause permit_sasl_authenticated to always succeed. Report 4248 and fix by Lutz Jaenicke @ aet.TU-Cottbus.DE. 4249 4250 FAQ: added notes about how to delete, copy or restore queue 4251 files in a safe manner. 4252 425320000921 4254 4255 File reorganization. No code change except Makefiles. All 4256 sources are pushed down by one directory level to keep file 4257 listings usable. Released as 20000922, so that I have a 4258 reference to run "diff -cr against. 4259 4260 Bugfix: the spawn service was installed without man pages. 4261 4262 Portability: MacOSX hints and tips by Joe Block, University 4263 of Central Florida School of Optics/CREOL 4264 4265 Portability: The MacOSX gcc compiler does not understand 4266 the new printf_like/scanf_like attributes. File: util/sys_defs.h. 4267 426820000922 4269 4270 nqmgr update from Patrik Rak for the changed queue manager 4271 to delivery agent protocol. 4272 4273 Lame feature: syslog_facility parameter to control where 4274 syslogd sends Postfix logging (default: syslog_facility = 4275 mail). However, errors during command-line parsing are 4276 still logged with the default syslog facility, as are errors 4277 while processing the main.cf file (surprise). Based on 4278 code by Andrew McNamara. 4279 428020000923 4281 4282 Cleanup: new bounce logfile API so that Postfix can change 4283 to an extensible bounce logfile format with per-recipient 4284 sender addresses (needed for VERP and for reporting local 4285 list delivery problems to the list owner) and other 4286 attributes. File: global/bounce_log.[hc]. 4287 4288 Cleanup: replaced the ad-hoc logfile parsing code in showq 4289 by something that uses the generic bounce logfile API. 4290 429120000924 4292 4293 Feature: Postfix bounced mail and delayed mail notifications 4294 now have the standard RFC 1894 form (DSN). The bounce 4295 service now uses the generic bounce logfile API. File: 4296 bounce/bounce_notify_service.c, bounce/bounce_notify_util.c. 4297 4298 Cleanup: deleted the per-recipient bounce protocol. Future 4299 bounce logfiles will support per-recipient bounce addresses. 4300 Files: global/bounce.c, bounce/bounce_recip_service. 4301 430220000925 4303 4304 Workaround: sendmail allows MAIL FROM and RCPT TO envelope 4305 addresses like <the dude <dude@site>> so we will never get 4306 rid of them. To disallow, specify "strict_rfc821_envelopes 4307 = yes". File: smtpd/smtpd.c. 4308 430920000926-20001003 4310 4311 Feature: a "flush" server that keeps per-destination records 4312 of deferred mail. It is the basis of a faster ETRN and 4313 "sendmail -qRsite" implementation. This code was rewritten 4314 half a dozen times. 4315 431620000928 4317 4318 Bugfix: the stricter dns_lookup() argument checks revealed 4319 that Postfix was doing DNS lookups for domain literals 4320 ([ip.address]) when expanding aliases in MAIL FROM and RCPT 4321 TO address parameters. Reported by Jim Littlefield. File: 4322 smtp/smtp_unalias.c. 4323 4324 Documentation: added text on the biff=yes/no parameter to 4325 conf/sample-local.cf (text provided by Paul Wagland, 4326 relational-consultancy.com. 4327 4328 Robustness? Log errors from SASL library code as warnings 4329 not as fatal errors. Files: smtp*/*glue.c. 4330 433120001001 4332 4333 Feature: in master.cf, specify ? after wakeup time to avoid 4334 waking up services that aren't being used. 4335 433620001003 4337 4338 Feature: the fast flush refresh and purge time interval 4339 parameters can now be specified in user-specified units by 4340 providing an appropriate suffix: s (seconds), m (minutes), 4341 h (hours), d (days), w (weeks). unit. This was needed so 4342 that I could test the flush server code in a reasonable 4343 way (its timeouts are normally specified in days or hours, 4344 and I don't have that much time for testing). Other Postfix 4345 time interval parameters will be migrated as time permits. 4346 Files: conf/sample-flush.cf, global/mail_conf_time.c, 4347 postconf/postconf.c. 4348 4349 Unfeature: qmgr_hog_factor is now disabled by default. It 4350 was just too confusing. If you don't know what this means, 4351 do not worry. 4352 435320001005 4354 4355 Cleanup: after "postfix reload" do not penalize mail that 4356 was in the active queue, but make it ready for immediate 4357 delivery so that ETRN etc. works as intended. Files: 4358 *qmgr/qmgr.c, *qmgr/qmgr_active.c. 4359 4360 Portability: Redhat 7 library interfaces have changed 4361 incompatibly, which breaks existing software. File makedefs. 4362 4363 Consistency: the fallback_relay parameter did not understand 4364 the [] or host:port syntax, and there was no way to suppress 4365 MX record lookups. Files: smtp/smtp_addr.c, smtp/smtp_connect.c. 4366 4367 Convenience: you can now specify multiple SMTP destinations 4368 in the relayhost or fallback_relay configuration parameters. 4369 The specified destinations will be tried in the specified 4370 order. File: smtp/smtp_connect.c. 4371 4372 Many typographical corrections by Matthias Andree. 4373 437420001024 4375 4376 Documentation: the canonical, virtual etc. manual pages 4377 did not document the effect of leading whitespace. 4378 437920001025 4380 4381 Bugfix: virtual map expansion stopped too early with 4382 self-referential aliases. Reported by Michael Douglass @ 4383 datafoundry.net. File: cleanup/cleanup_map1n.c. 4384 438520001026 4386 4387 Horror: postmap and postalias (newaliases) silently lose 4388 the file lock while building a lookup table with Berkeley 4389 DB 2.x and later on Solaris, HP-UX, IRIX, and UNIXWARE. 4390 The result is that table lookups fail while the table is 4391 being built, so that mail is lost. In order to avoid this 4392 misbehavior one has to use an undocumented feature that is 4393 NOT available with the DB1.85 compatibility interface. 4394 Therefore, Postfix now supports three Berkeley DB programming 4395 interfaces of increasing complexity. File: util/dict_db.c. 4396 4397 Bugfix: some character manipulations were not portable for 4398 signed/unsigned characters. Files: global/quote_821_local.c, 4399 global/quote_822_local.c. 4400 4401 Workaround: apparently, some software sends SMTP mail that 4402 begins with "From sender time-stamp". Sendmail silently 4403 ignores such RFC violating garbage, and therefore Postfix 4404 needs to jump another hoop. File: smtpd/smtpd.c. 4405 440620001028 4407 4408 Bugfix: the flush server tried to access config files after 4409 going to the chroot jail. Found by Lutz Jaenicke, TU-Cottbus.DE. 4410 File: flush/flush.c. 4411 4412 Update: revised LDAP module from primary maintainer John 4413 Hensley, with contributions from many other people. Files: 4414 util/dict_ldap.c, LDAP_README. 4415 4416 Update: LINUX2 chroot setup script by Matthias Andree, 4417 uni-dortmund.de. 4418 4419 Feature: specify unix:/path/name for LMTP connections over 4420 UNIX-domain sockets, and specify inet:host or inet:host:port 4421 for IPV4. If no unix: or inet: is specified, IPV4 is assumed. 4422 File: lmtp/lmtp_connect.c. 4423 4424 Feature: added UNIX-domain support to the smtpstone test 4425 programs in order to test the LMTP client UNIX-domain 4426 support. 4427 442820001030 4429 4430 Bugfix: further testing in preparation for 19991231-pl10 4431 revealed that the DB map code was now broken for every 4432 platform. 4433 443420001031 4435 4436 Performance: the slow start (gradually increase number of 4437 parallel connections to the same site) was too gentle and 4438 Postfix would back off too quickly. Files: qmgr/qmgr_queue.c 4439 and nqmgr/qmgr_queue.c. 4440 444120001101 4442 4443 FAQ update by Ralph Hildebrandt. 4444 444520001104 4446 4447 Portability: RedHat Linux has changed incompatibly, again. 4448 Fixed with the help of Matthias Andree. File: makedefs. 4449 445020001109 4451 4452 Cleanup: changed prototype of internal function that did 4453 not return a useful result. File: src/util/vstream_popen.c. 4454 445520001110 4456 4457 Workaround: the Debian post install script passes an open 4458 file descriptor into the master server and waits forever. 4459 Reported by Lamont Jones. File: master/master.c. 4460 446120001114 4462 4463 Compatibility: added sendmail -G (gateway submission) option 4464 for compatibility with the sendmail rmail command. Requested 4465 by David Gilbert, Velocet Communications. 4466 446720001116 4468 4469 Documentation: added MAILER-DAEMON to the list of sample 4470 masquerade_exceptions settings in conf/sample-rewrite.cf. 4471 Suggested by Karl O. Pinc, pop.artic.edu. 4472 4473 Performance: the slow start (gradually increase number of 4474 parallel connections to the same site) was too gentle and 4475 Postfix would back off too quickly. Files: qmgr/qmgr_queue.c 4476 and nqmgr/qmgr_queue.c. Yup, changed the same code, again. 4477 We now allow for a margin above the actual concurrency, 4478 with the size of the initial destination concurrency. 4479 Final solution by Patrik Rak. 4480 4481 Bugfix: the recipient home directory test broke mailbox_transport 4482 support for non-UNIX recipients. File: local/recipient.c. 4483 448420001117 4485 4486 Robustness: additional integrity tests for the nqmgr by 4487 Patrik Rak. File: nqmgr/qmgr_message.c. 4488 448920001118 4490 4491 Bugfix: the new LDAP client code did not work properly if 4492 the new ldap_domain parameter was not specified. LaMont 4493 Jones, HP. File: util/dict_ldap.c. 4494 4495 Feature: the soft_bounce safety net is extended to the SMTP 4496 server. With "soft_bounce = yes", The SMTP server changes 4497 all 5xx (reject) replies into 4xx (try again) replies. 4498 4499 Documentation: the virtual(5) man page now documents both 4500 Postfix-style virtual domains and Sendmail-style virtual 4501 domains, including their interaction with local usernames, 4502 aliases and mailing lists. Hopefully, this ends some of 4503 the confusion surrounding virtual domain support. Updated 4504 several FAQ entries concerning virtual domain support. 4505 4506 Documentation: added FAQ entry for the biff service. 4507 450820001119 4509 4510 Bugfix: per-destination queue names were case sensitive so 4511 that the same site could have multiple queues. Reported 4512 by Patrik Rak. Files: *qmgr/qmgr_message.c. 4513 451420001120 4515 4516 Bugfix: per-destination deferred mail logfiles were case 4517 sensitive so that the same site could have multiple deferred 4518 mail logfiles, so that not all mail would be flushed with 4519 ETRN. Reported by Ralph Hildebrandt. Files: flush/flush.c. 4520 4521 Portability: added (int) casts to printf-like arguments 4522 that specify the width of %*letter conversions. On some 4523 systems, sizeof and pointer difference expressions are 4524 wider than an int. Reported by Valentin Nechayev @ lucky.net. 4525 452620001121: 4527 4528 Compatibility: Postfix now retries delivery when an external 4529 command is killed by a signal, because people expect such 4530 behavior from Sendmail. File: global/pipe_command.c. 4531 453220001123-30 4533 4534 Feature: mailbox locking is now configurable. The configuration 4535 parameter name is "mailbox_delivery_lock". Depending on 4536 the operating system one can specify one or more of "flock", 4537 "fcntl" and "dotlock". Use "postconf -l" to find out what 4538 locking methods Postfix supports. The default setting is 4539 system dependent. All mailbox file opens are now done by 4540 one central mbox_open() routine. This affects the operation 4541 of the postlock command, and of local delivery to mailbox 4542 or /file/name. Files: util/safe_open.c, util/myflock.c, 4543 global/deliver_flock.c, global/mbox_conf.c, global/mbox_open.c. 4544 local/mailbox.c, local/file.c, postlock/postlock.c. 4545 4546 Compatibility: the old sun_mailtool_compatibility parameter 4547 is being phased out. It still works (by turning off 4548 flock/fcntl locks), but logs a warning as a reminder that 4549 it will go away. 4550 4551 Compatibility: when delivering to /file/name, the local 4552 delivery agent now logs a warning when it is unable to 4553 create a /file/name.lock file, and then delivers the mail 4554 (older Postfix versions would silently deliver). 4555 455620001202 4557 4558 Feature: specify "smtp_never_send_ehlo = no" to disable 4559 ESMTP. Someone asked for this long ago. Files: smtp/smtp.c, 4560 smtp/smtp_proto.c. 4561 4562 Feature? Bugfix? The smtp client now skips server replies 4563 that do not start with "CODE SPACE" or with "CODE HYPHEN", 4564 and flags them as protocol errors. Older versions silently 4565 treat "CODE TEXT" as "CODE SPACE TEXT". File: smtp/smtp_chat.c. 4566 456720001203 4568 4569 Documentation: postmap(1) and postalias(1) did not document 4570 the process exit status for "-q key". 4571 457220001204 4573 4574 Bugfix: the Postfix master daemon no longer imported 4575 MAIL_CONF and some other necessary environment parameters. 4576 Postfix now has explicit "import_environment" and 4577 "export_environment" configuration parameters that control 4578 what environment parameters are shared with non-Postfix 4579 processes. Files: util/clean_env.c, util/spawn_command.c, 4580 util/vstream_popen.c, global/pipe_command.c, and everything 4581 that invokes this code. 4582 458320001208 4584 4585 Bugfix: while processing massive amounts of one-recipient 4586 mail, qmgr could deadlock for 10 seconds while sending a 4587 bounce message. All queue manager bounce send requests are 4588 now implemented asynchronously. Files: global/abounce.[hc] 4589 (asynchronous bounce client), qmgr/qmgr_active.c. Problem 4590 reported by El Bunzo (webpower.nl) and Tiger Technologies 4591 (tigertech.com). 4592 459320001209 4594 4595 Feature: mailbox_transport and fallback_transport can now 4596 have the form transport:nexthop, with suitable defaults 4597 when either transport or nexthop are omitted, just like in 4598 the Postfix transport map. This allows you to specify for 4599 example, "mailbox_transport = lmtp:unix:/file/name". File: 4600 global/deliver_pass.c. 4601 460220001210 4603 4604 Bugfix: the local_destination_concurrency_limit paramater 4605 no longer worked as per-user concurrency limit but instead 4606 worked as per-domain limit, so that the limit of "2" in 4607 the default main.cf files resulted in poor local delivery 4608 performance. Files: qmgr/qmgr_message.c, qmgr/qmgr_deliver.c. 4609 Problem reported by David Schweikert (ee.ethz.ch) and Dallas 4610 Wisehaupt (cynicism.com). 4611 461220001210 4613 4614 Feature: support for MYSQL connections over UNIX-domain 4615 sockets by Piotr Klaban. Files: util/dict_mysql.c, 4616 MYSQL_README. 4617 461820001211 4619 4620 Small dirt: postconf -m produced too much output due to a 4621 missing "else", and the optional SASL code needed a fix 4622 for the changed name_mask API. 4623 462420001212 4625 4626 Workaround: due to an error, record type L for "filter 4627 transport name" was the same as that for the already existing 4628 record type L for "record not ending in newline", causing 4629 the pickup daemon to discard all records not ending in 4630 newline. The code cannot be changed without breaking 4631 compatibility with queued mail, so the pickup server is 4632 changed to discard type L records only from the message 4633 envelope, not from the content. File: pickup/pickup.c. 4634 463520001213 4636 4637 Bugfix: dict_ldap did not properly initialize a handle 4638 after connection timeout. Problem reported by Alain Thivillon. 4639 File: util/dict_ldap.c. 4640 464120001214 4642 4643 Feature: local_transport and default_transport now also 4644 understand the transport[:destination] notation, so that 4645 all transport config parameters are similar again. File: 4646 trivial-rewrite/resolve.c, trivial-rewrite/transport.c. 4647 4648 Code cleanup: mailbox_transport and fallback_transport no 4649 longer allow the user to omit the transport part of a 4650 transport:destination specification. That just did not make 4651 any sense at all. The :destination part is still optional. 4652 File: global/deliver_pass.c. 4653 4654 Feature: most time-related configuration parameters take 4655 a one-letter suffix that specifies the time unit: s 4656 (second), m (minutes), h (hours), d (days), w (weeks). 4657 "postconf -d" output includes the default time unit. Files: 4658 many. 4659 4660 Code cleanup: in a CONFIG_TIME_TABLE, the default time unit 4661 is now always the last character of a default time value. 4662 It is no longer necessary to specify the default time unit 4663 separately. This change means that it will not be possible 4664 to specify default values in the form of function calls, 4665 but that was unused anyway. Files: global/mail_conf_time.c, 4666 and user code. 4667 466820001217 4669 4670 Bugfix: reorganized some code in the MYSQL client to end 4671 a number of memory allocation/deallocation problems. This 4672 code needs more work. File: dict_mysql.c. 4673 467420001218 4675 4676 Bugfix: the MYSQL client did not provide function pointers 4677 for unimplemented operations, causing "postmap -d" to dump 4678 core instead if issuing an error message. This is what I 4679 get for accepting code that I cannot test myself. 4680 468120001221 4682 4683 Code cleanup: configuration parameters that are $name 4684 expanded at run-time now have their own data type hierarchy 4685 instead of being piggy-backed on top of strings that are 4686 $name expanded at program initialization time. Files: 4687 global/mail_conf.h, global/mail_conf_raw.c, and code that 4688 calls it. 4689 469020001230 4691 4692 Update: replaced the default rbl.maps.vix.com setting by 4693 the current blackholes.mail-abuse.org. 4694 469520010102 4696 4697 Code cleanup: the queue manager is a bit greedier with 4698 allocating a delivery agent. Problem pointed out by Patrik 4699 Rak. All bugs in the solution are mine. Files: 4700 *qmgr/qmgr_active.c. 4701 470220010105 4703 4704 Bugfix: the FILTER_README shell script example did not 4705 correctly pass exit status to the parent. 4706 4707 Bugfix: soft errors in client hostname lookups would be 4708 treated as hard errors. Fix by Michael Herrmann 4709 (informatik.tu-muenchen.de). File: smtpd/smtpd_peer.c. 4710 471120010110 4712 4713 Bugfix: the mkdir() EEXIST race condition workaround was 4714 not complete. Matthias Andree, Daniel Roesen. Files: 4715 global/mail_queue.c, util/make_dirs.c. 4716 471720010111 4718 4719 Portability: IRIX 6.5.10 defines sa_len as a macro, causing 4720 a name collision with a variable used by Postfix. Roberto 4721 Totaro, enigma.ethz.ch. File: smtpstone/smtp-source.c. 4722 472320010116 4724 4725 Bugfix: REJECT by header/body_checks was flagged in smtpd 4726 as a bounce, should be policy, in order to make postmaster 4727 notifications more consistent. File: smtpd/smtpd.c. 4728 4729 Merged updated chroot setup procedure by Matthias Andree. 4730 Files: examples/chroot-setup/LINUX2. 4731 473220010117 4733 4734 Formatting: changed the seconds and days formats in the 4735 "your mail is delayed" text so that it does not switch to 4736 scientific notation. File: bounce/bounce_notify_util.c. 4737 473820010119 4739 4740 Feature: SASL support for the LMTP client. Recent CYRUS 4741 software requires this for Postfix over TCP sockets. 4742 474320010120 4744 4745 Bugfix: the 20001005 revised fallback_relay support caused 4746 Postfix to send mail to the fallback even when the local 4747 machine was an MX host for the final destination. Result: 4748 mailer loop. Found by Laurent Wacrenier (teaser.fr). Files: 4749 smtp/smtp_connect.c, smtp/smtp_addr.c. 4750 475120010121 4752 4753 Workaround: specify "broken_sasl_auth_clients = yes" in 4754 order to support old Microsoft clients that implement a 4755 non-standard version of RFC 2554 (AUTH command). 4756 4757 Workaround: Lotus Domino 5.0.4 violates RFC 2554 and replies 4758 to EHLO with AUTH=LOGIN. File: smtp/smtp_proto.c. 4759 476020010125 4761 4762 Code cleanup: wrote creator/destructor for dictionary 4763 objects that provides default methods that trap all attempts 4764 to perform an unimplemented operation. Based on an ansatz 4765 by Laurent Wacrenier (teaser.fr). Files: util/dict*.[hc]. 4766 4767 Code cleanup: INSTALL.sh does not ask questions when stdin 4768 is not connected to a tty (as in: make install</dev/null). 4769 To automate a customized install, the script imports 4770 environment variables for install_root etc. 4771 477220010127 4773 4774 Workaround: randomize the delay between attempts to lock 4775 a file, so that multiple bounce or defer servers are less 4776 likely to retry all at the same time. likely. File: 4777 util/rand_sleep.c, global/deliver_flock.c, global/dot_lockfile.c. 4778 477920010128 4780 4781 Code cleanup: complaints about invalid or numeric hostnames 4782 either provide specific context or are removed as redundant. 4783 Files: util/valid_hostname.c dns/dns_lookup.c. 4784 4785 Code cleanup: new mailbox_size_limit parameter (default: 4786 20MB). Until now, the mailbox size limit was the same as 4787 the message size limit, due to artefact of implementation. 4788 Files: global/mail_params.h, local/local.c. 4789 4790 Bugfix: fix for the ldap_domains parameter, both semantics 4791 and documentation by LaMont Jones. Files: LDAP_README, 4792 conf/sample-ldap.cf, util/dict_ldap.c. 4793 4794 Update: merged in the virtual delivery agent by Andrew 4795 McNamara. See VIRTUAL_README for detailed examples. 4796 4797 Update: merged a re-vamped nqmgr by Patrik Rak. 4798 479920010129 4800 4801 Tweak: several little nqmgr tweaks by Patrik Rak. Files: 4802 global/mail_params.h, nqmgr/qmgr_job.c. 4803 4804 Bugfix: the virtual delivery agent did not save maps_find() 4805 results timely. J?rgen Thomsen, postfix.jth.net. File: 4806 virtual/mailbox.c. 4807 4808 Security: disallow regexp tables in the virtual delivery 4809 agent. The $1 etc. substitution mechanism gives too much 4810 power to the sender. File: virtual/mailbox.c. 4811 4812 Cleanup: clarified documentation and boundary cases in the 4813 random_sleep() routine. 4814 4815 Bugfix: the MISSING_USLEEP feature was used backwards. 4816 Patrik Rak. File: util/random_sleep.c. 4817 481820010130 4819 4820 Workaround: Linux usleep() is void, BSD/Solaris usleep() 4821 returns int, don't use it. File util/random_sleep.c. 4822 4823 Made local maildir bounce/defer handling mode consistent 4824 with local mailbox delivery. File local/maildir.c. 4825 4826 The smtp client now defers delivery when all MX hosts have 4827 no A record. File: smtp/smtp_addr.c 4828 4829 Bundled the man2html and postlink quick hacks so people 4830 can do their own manual page processing. See scripts in 4831 the mantools directory. 4832 4833 Documentation: updated the reference to sendmail in the 4834 html/index.html page. 4835 4836 Documentation: added note about the Cisco PIX "fixup smtp" 4837 bug that causes mail delivery problems when "." and "CRLF" 4838 arrive in separate packets. File: html/faq.html. 4839 484020010201 4841 4842 Bugfix: another missing initialization in the mysql client. 4843 File: util/dict_mysql.c. 4844 4845 Sanitized time routine by Patrik Rak, to make his nqmgr 4846 robust against people who set their clock back. Files: 4847 util/sane_time.[hc]. 4848 4849 Bumped the default mailbox file size limits to 50MB. 4850 485120010202 4852 4853 Bugfix: fixed the way the master resets the file size limit 4854 to avoid problems when a Postfix daemon updates a queue 4855 file. The file size limit is now increased to INT_MAX if 4856 it is smaller than INT_MAX, so that it is less likely to 4857 interfere than the old setting of message_size_limit. 4858 4859 Feature: disable mailbox size limits for the local and 4860 virtual delivery agents by setting mailbox_size_limit or 4861 virtual_mailbox_limit to zero. 4862 486320010203 4864 4865 Update: null candidate patch from Patrik Rak. Files: 4866 nqmgr/qmgr_entry.c nqmgr/qmgr_job.c nqmgr/qmgr_message.c. 4867 4868 Cleanup: added one gruesome command to the postlink script 4869 for hyperlinking nroff manual page output. Word abbreviation 4870 broke some <a href...> </a> instances across line boundaries. 4871 sed(1) is an amazing tool. File: mantools/postlink. 4872 487320010204 4874 4875 Laid the ground work for logging of table accesses. This 4876 will give more insight into how Postfix uses its lookup 4877 tables. User interface comes later. File: util/dict_debug.c. 4878 487920010216 4880 4881 Bugfix: the pipe delivery agent expanded $size as if it 4882 were a recipient, instead of expanding it as $nexthop or 4883 as $sender. Reported by Michael Tokarev. File: pipe/pipe.c. 4884 488520010221 4886 4887 Bugfix: poor LMTP performance for domains that are listed 4888 in $mydestination, because Postfix would send one recipient 4889 at a time, with multiple deliveries of recipients of the 4890 same message in parallel; a similar problem could exist 4891 with virus scanning and with firewall relay hosts that 4892 forward mail for $mydestination to an inside machine. This 4893 behavior is now changed to depend on the transport-specific 4894 xxx_destination_recipient_limit parameter. This also means 4895 that you can now get qmail behavior for SMTP deliveries by 4896 setting smtp_destination_recipient_limit=1. File: 4897 {qmgr,nqmgr}/qmgr_message.c. 4898 4899 Workaround: Solaris socketpair() can fail with EINTR. Added 4900 a sane_socketpair.c module that joins the ranks of the 4901 other sane_whatever workarounds. Reported by Andrew McNamara. 4902 File: util/sane_socketpair.[hc] 4903 490420010222 4905 4906 Documentation: the default main.cf file has a prominent 4907 warning that mynetworks should be properly configured in 4908 order to reject unauthorized mail relay requests from 4909 strangers. 4910 4911 Documentation: the INSTALL document, section "mandatory 4912 configuration file edits" has a section that explains that 4913 mynetworks should be properly configured in order to reject 4914 unauthorized mail relay requests from strangers. 4915 491620010223 4917 4918 Documentation: the basic.html document has a section that 4919 explains that mynetworks should be properly configured in 4920 order to reject unauthorized mail relay requests from 4921 strangers. 4922 4923 Feature: new "mynetworks_style" parameter that controls 4924 how mynetworks (trusted networks) is derived from the 4925 inet_interfaces (machine interfaces) setting. Specify 4926 "class" for entire class A, B, C networks; "subnet" for 4927 the local subnets only; or "host" for maximal privacy. 4928 Files: util/inet_addr_local.[hc], global/own_inet_addr.[hc], 4929 global/mynetworks.[hc], postconf/postconf.c. 4930 4931 Portability: MACOSX patches by Gerben Wierda. 4932 4933 Portability: Solaris /dev/null is a symlink, which tripped 4934 up the code to safely open a file before local delivery. 4935 We now grudgingly allow symlinks owned by root. File: 4936 util/safe_open.c. 4937 493820010224 4939 4940 Bugfix: "postconf mynetworks" ignored the inet_interfaces 4941 setting. That was a very old one. File: postconf/postconf.c. 4942 4943 INCOMPATIBLE CHANGE: POSTFIX NO LONGER RELAYS MAIL FOR 4944 CLIENTS IN THE ENTIRE CLASS A/B/C NETWORK. POSTFIX BY 4945 DEFAULT RELAYS MAIL FOR CLIENTS IN THE LOCAL SUBNETWORK. 4946 Specify "mynetworks_style = class" to get the old behavior. 4947 494820010225 4949 4950 Portability: master sigchld handler based on writing to a 4951 pipe, so that the master wakes up from select(). Based on 4952 code by Erik Forsberg, Linkoping University, Sweden. File: 4953 master/master_sig.c. Disabled until after the major release. 4954 4955 Code cleanup: Postfix should now run with no alias database. 4956 4957 Code cleanup: local_destination_recipient_limit and 4958 local_destination_concurrency_limit have become first-class 4959 configuration parameters. Files: global/mail_params.h, 4960 *qmgr/qmgr.c, postconf/postconf.c. 4961 496220010226 4963 4964 Documentation suggestions by Lars Hecking and Richard 4965 Huxton, Matthias Andree and many others. 4966 4967 Code cleanup: some queue/transport operations need to be 4968 moved, after the code cleanup of the recipient/concurrency 4969 limit handling. Patrik Rak. Files: *qmgr/qmgr_message.c. 4970 497120010301 4972 4973 Feature: configurable name in syslog output (default: 4974 "syslog_name = postfix") so that different Postfix instances 4975 can be recognized by their logging. File: global/mail_task.c. 4976 497720010313 4978 4979 Workaround for logic mismatch in nqmgr that was exposed 4980 with the introduction of the asynchronous bounce client. 4981 Patrik Rak. 4982 498320010313 4984 4985 Bugfix: the RFC 822 untokenizer quoted newlines inside 4986 comments. File: global/tok822_parse.c. 4987 498820010316 4989 4990 Cleanup: removed an extraneous warning when a queue file 4991 write error happened. 4992 499320010321 4994 4995 Workaround: LMTP connection caching never worked for 4996 destinations starting with unix: or inet:. File: 4997 lmtp/lmtp_connect.c. 4998 499920010322 5000 5001 Portability: Solaris <2.6 does not have srandom() and 5002 random() in libc. File: util/rand_sleep.c. It does not have 5003 to be cryptographically strong. 5004 5005 Bugfix: the fast ETRN flush server could not handle [ipaddr] 5006 or domain names with one-character hostname part. This 5007 fix changes the destination to logfile name mapping, so 5008 that you need to populate the new files with "sendmail -q". 5009 The old files go away automatically. File: flush/flush.c. 5010 501120010327 5012 5013 Speed up mailq (sendmail -bp) display by flushing output 5014 after each file. File: showq/showq.c. 5015 5016 Portability: missing string.h includes, %p wants (void *), 5017 Lamont Jones, HP. 5018 501920010328 5020 5021 Bugfix: swapped logic caused cleanup to stall when the 5022 queue file size exceeded the file size limit by less than 5023 one the VSTREAM buffer size, so that the "file too big" 5024 was detected after flushing the last queue file record. 5025 File: cleanup/cleanup.c. 5026 502720010329 5028 5029 Portability: workaround for missing prototype problem in 5030 dict_ldap.c. This module should move to the global directory, 5031 because it depends on Postfix main.cf parameter information. 5032 5033 Workaround: after sending a trigger message over a socket, 5034 do not immediately close the client side, but close it from 5035 a background thread that waits until the server closes the 5036 socket first. This avoids trouble with socket implementations 5037 that destroy a socket when the client closes a socket before 5038 the server has received the client's data. Files: 5039 util/{inet,unix,stream}_trigger.c, util/events.c, 5040 master/master_trigger.c, postkick/postkick.c. 5041 504220010403 5043 5044 Workaround: the mysql library can return null pointers 5045 rather than zero-length strings. File: util/dict_mysql.c. 5046 504720010404 5048 5049 Ergonomics: log additional information about the reason 5050 why "mail for XXX loops back to myself" when the local 5051 machine is the best MX host. File: smtp/smtp_addr.c. 5052 505320010406 5054 5055 Changed some noisy LDAP client warnings into optional 5056 logging. LaMont Jones, util/dict_ldap.c. 5057 505820010411 5059 5060 Bugfix: the SMTP server now replies with 550 instead of 5061 503 when it receives the DATA command without having received 5062 a valid recipient address. This is needed for the Sendmail 5063 client-side pipelining implementation. Problem reported by 5064 Lutz Jaenicke. File: smtpd/smtpd.c. 5065 5066 Cleanup: shut up if chattr fails on Reiserfs and other file 5067 systems that do not support the respective attributes. 5068 Files: conf/postfix-script-{no,}sgid. 5069 507020010413 5071 5072 Ergonomics: Postfix applications now warn when a DB or DBM 5073 file is out of date, and recommend to rebuild the table. 5074 Files: util/dict_db.c, util/dict_dbm.c. 5075 507620010414 5077 5078 Feature: specify a key of "-" to the postmap or postalias 5079 -q or -d option, and the keys will be read from standard 5080 input, one key per line. Files: postmap/postmap.c, 5081 postalias/postalias.c. 5082 5083 Bugfix: with a non-default inet_interfaces setting, the 5084 master ignored host information in master.cf host:port 5085 settings. Fix by Jun-ichiro itojun Hagino @ iijlab.net. 5086 Files: master/master.h, master/master_ent.c. 5087 508820010426 5089 5090 Bugfix: the SMTP server did not parse invalid MAIL FROM or 5091 RCPT TO addresses such as <first last <user@domain>> the 5092 way it was supposed to do. I thought this was taken care 5093 of years ago. File: smtpd/smtpd.c. 5094 509520010427 5096 5097 Bugfix: smtpd would reject mail instead of replying with 5098 a 4xx temporary error code when, for example, an LDAP or 5099 mysql server was unavailable. Remotely based on a fix by 5100 Robert Kiessling @ de.easynet.net. File: smtpd/smtpd_check.c. 5101 510220010429 5103 5104 Feature: the Postfix SMTP client now by default randomly 5105 shuffles destination IP addresses of equal preference. 5106 Specify "smtp_randomize_addresses = no" to disable. 5107 Shuffling code by Elias Levy @ SecurityFocus.com Files: 5108 dns/dns_rr.c, smtp/smtp_addr.c. 5109 511020010501 5111 5112 Bugfix: The SMTP server's 550 in reply to DATA should be 5113 a 554 response. And it wasn't Sendmail. Claus Assman. 5114 5115 Bugfix: the INSTALL.sh test for non-interactive upgrade 5116 broke rooted installations that specify settings via the 5117 environment. Simon Mudd. 5118 5119 Bugfix: mailq output is now really flushed one message at 5120 a time. File: sendmail/sendmail.c. 5121 5122 Feature: "postsuper -d queueID" deletes one message queue 5123 file; "postsuper -d -" reads zero or more queue IDs from 5124 standard input, and deletes one instance of each file. 5125 File: postsuper/postsuper.c. 5126 5127 Code cleanup: in order to make postsuper -d safe with a 5128 running Postfix mail system, some routines had to be made 5129 tolerant for sudden queue file disappearances. Files: 5130 global/deliver_request.c, *qmgr/qmgr_move.c. 5131 5132 Code cleanup: in order to make postsuper -d more usable, 5133 the showq command was extended to safely list the possibly 5134 world-writable maildrop directory. File: showq/showq.c. 5135 513620010504 5137 5138 Feature: postsuper -d will also delete defer and bounce 5139 logfiles when the named queue file is found. 5140 514120010505 5142 5143 RFC 2821 feature: an SMTP server must reset all buffers 5144 upon receipt of EHLO. File: smtpd/smtpd_check.c. 5145 5146 RFC 2821 feature: an SMTP server must accept a recipient 5147 address of "postmaster" without domain name. File: 5148 smtpd/smtpd_check.c. 5149 5150 RFC 2821 recommendation: reply with 503 to commands sent 5151 after 554 greeting. File: smtpd/smtpd.c. 5152 5153 RFC 2821 recommendation: if VRFY is enabled, list it in 5154 the EHLO response. File: smtpd/smtpd.c. 5155 5156 RFC 2821 recommendation: SMTP clients should use EHLO. 5157 The default setting of smtp_always_send_ehlo has changed 5158 from 0 (send EHLO if server greets with ESMTP) to 1 (always 5159 send EHLO). In all cases, Postfix falls back to HELO if 5160 the server does not support EHLO. File: smtp/smtp_proto.c. 5161 516220010507 5163 5164 Bugfix: with soft_bounce=yes, the SMTP server would log 5165 5xx replies even though it would send 4xx replies to the 5166 client (Phil Howard, ipal.net). File: smtpd/smtpd_check.c. 5167 516820010515 5169 5170 Compatibility: Microsoft sends "AUTH=MBS_BASIC LOGIN". 5171 Updated the parsing code in smtp/smtp_proto.c. Problem 5172 reported by Ralf Tessmann, Godot GmbH. 5173 517420010520 5175 5176 Standard: deleted the non-standard "via" portion from 5177 Received: headers generated by Postfix bounce or other 5178 notification processes. File: global/post_mail.c. 5179 5180 Robustness: eliminated stack-based recursion from the RFC 5181 822 address parser. File: global/tok822_parse.c. 5182 5183 Standard: annotated the source code with comments based on 5184 RFC 2821 and 2822. Not all the RFC changes make sense. 5185 5186 RFC 2821 recommendation: treat a RCPT 552 reply as if the 5187 server sent 452. Files: smtp/smtp_proto.c, lmtp/lmtp_proto.c. 5188 5189 Cleanup: moved ownership of the debug_peer parameters from 5190 the applications to the library, so that a Postfix shared 5191 library does not suffer from undefined references. Files: 5192 smtp/smtp.c, lmtp/lmtp.c, smtpd/smtpd.c, global/mail_params.c. 5193 LaMont Jones, for Debian. 5194 519520010522 5196 5197 Feature: "postsuper -r queueID" re-queues a message, and 5198 "postsuper -r ALL" re-queues all mail. The message is moved 5199 to the maildrop queue so that the pickup daemon will copy 5200 it to a new queue file, and so that address rewriting will 5201 be done again. This is useful after changes of address 5202 rewriting or virtual mappings. 5203 5204 Feature: "postsuper -d ALL [queue-name]" deletes a bunch 5205 of mail. 5206 520720010523 5208 5209 Feature: "postsuper -s" (which is done by default) renames 5210 queue files whose name (queue ID) does not match the message 5211 file inode number. 5212 5213 Bugfix: memory leak in the LDAP client module. Alain 5214 Thivillon, France Teaser - Groupe Firstream. 5215 521620010525 5217 5218 Portability: gcc 2.6.3 does not have __attribute__ (Clive 5219 Jones, dgw.co.uk). File: util/sys_defs.h. 5220 5221 Bugfix: the SMTP and LMTP clients claimed that a queue file 5222 needed to be delivered again (even when all recipients were 5223 erased from the queue file) when no QUIT or RSET reply was 5224 received (by default, this does not happen with SMTP mail 5225 because the SMTP client does not wait for QUIT replies and 5226 does not send RSET to deliver mail). As a result of the 5227 same bug the LMTP client followed a dangling pointer when 5228 sending QUIT after process idle timeout while the LMTP 5229 server had disconnected. Files: smtp/smtp_proto.c, 5230 lmtp/lmtp_proto.c. 5231 523220010526 5233 5234 newaliases no longer complains when an empty list is 5235 specified with the alias_database configuration parameter. 5236 File: sendmail/sendmail.c. 5237 523820010529 5239 5240 Workaround: old PIX firewall code messes up when the final 5241 ".<CR><LF>" at the end of DATA spans a packet boundary. 5242 When Postfix detects PIX SMTP fixup mode, Postfix flushes 5243 the output buffers before sending the final ".<CR><LF>". 5244 File: smtp/smtp_proto.c. 5245 524620010530 5247 5248 Portability: updated code for Mac OS X, accounting for the 5249 post-Beta changes. Code by Joe Block, UCF School of 5250 Optics/CREOL. 5251 525220010601 5253 5254 Safety: postdrop turns off interrupts when cleaning up 5255 after interrupt. The additional safety does not hurt anyone. 5256 File: src/postdrop/postdrop.c. 5257 525820010607 5259 5260 Safety: dropped the RFC 2821 compliant code that treats 5261 552 RCPT TO replies as 452. It created more problems than 5262 it solved. Files: smtp/smtp_proto.c, lmtp/lmtp_proto.c. 5263 5264 Logging: the SMTP server now logs a warning if RBL lookups 5265 have problems other than "not found". file: smtpd/smtpd_check.c. 5266 526720010610 5268 5269 Feature: address quoting and case folding flags for the 5270 pipe(8) mailer. 5271 527220010611 5273 5274 Workaround: some MTAs fall on their face when they receive 5275 unexpectedly long lines. From now on, Postfix defaults to 5276 breaking long lines at 2048 (like Sendmail so it has got 5277 to be right). To get the old, content preserving, behavior 5278 specify "smtp_truncate_lines = no". File: smtp/smtp_proto.c. 5279 528020010614 5281 5282 Bugfix: did not really undo 2821 552->452 mapping. 5283 528420010628 5285 5286 Bugfix: postfix-script used a hard-coded maildrop group 5287 owner instead of using the install-time specified name 5288 stored in /etc/postfix/install.cf. Problem reported by 5289 David Terrell @ meat.net. 5290 529120010701 5292 5293 Feature: mail_spool_directory ending in / causes maildir 5294 style delivery. 5295 5296 Bugfix: the FreeBSD kernel parameters kern.ipc.nmbclusters 5297 and kern.ipc.maxsockets cannot be set with sysctl commands. 5298 File: html/faq.html. Len Conrad @ Go2France.com. 5299 5300 Cleanup: the virtual delivery agent was poorly integrated 5301 so that the SMTP server and queue manager did not reject 5302 mail for unknown users. Files: smtpd/smtpd_check.c. 5303 530420010705 5305 5306 Feature: QMQP server, compatible with qmail and the ezmlm 5307 list manager. Files: util/netstring.[hc], qmqpd/qmqpd*.c. 5308 530920010706 5310 5311 Feature: QMQP stress test message generator program. Files: 5312 smtpstone/qmqp-source.c, smtpstone/qmqp-sink.c. 5313 531420010708 5315 5316 Bugfix: with disable_dns=yes, the SMTP client treated all 5317 host lookup errors as permanent. File: smtp/smtp_addr.c. 5318 531920010709 5320 5321 Feature: VERP support, based on a patch by Peng Yong, and 5322 with the missing parts filled in so that the Postfix bounce 5323 daemon can send one VERP bounce per undeliverable recipient. 5324 Files: , sendmail/sendmail.c, smtpd/smtpd.c, qmgr/qmgr_deliver.c, 5325 bounce/bounce_notify_verp.c, qmqpd/qmqpd.c, plus a couple 5326 support routines in the global library. 5327 5328 Cleanup: with recipient_delimiter=+ (or any character other 5329 than -) Postfix will now recognize address extensions even 5330 with owner-foo+extension addresses. This is necessary to 5331 make VERP work for mailing lists. 5332 533320010710 5334 5335 Bugfix: potential memory leak in the queue managers with 5336 the new VERP delimiter record. Fix by Patrik Rak. 5337 533820010711 5339 5340 Cleanup: you can now specify the VERP delimiter characters 5341 on the sendmail(1) command line, but they are still optional. 5342 5343 Safety: with maildir style delivery and with hashed mailboxes 5344 the system mail spool directory must not be world writable. 5345 534620010713 5347 5348 Safety: the verp_delimiter_filter parameter (default: -=+) 5349 limits what characters Postfix accepts as VERP delimiter 5350 characters. 5351 535220010714 5353 5354 Logging: the queue manager now logs a "status=expired" 5355 record when it returns a message that is too old. Files: 5356 *qmgr/qmgr_active.c. 5357 535820010719 5359 5360 Feature: stiffer coupling between mail receiving rates and 5361 mail delivery rates, using a trivial token-based scheme, 5362 implemented by reading and writing an in-memory pipe. The 5363 queue manager produces one token when it retrieves mail 5364 from the incoming queue. The cleanup daemon consumes one 5365 token when it adds mail to the incoming queue. If no token 5366 is available the cleanup server pauses for $in_flow_delay 5367 seconds and proceeds anyway. The delay allows mail sending 5368 process to catch up and access the disk while not blocking 5369 inbound mail. Valid delays are 0..10 seconds. 5370 537120010727 5372 5373 Bugfix: updated LDAP client module from LaMont Jones, HP. 5374 This also introduces new LDAP query filter patterns: %u 5375 (address localpart) and %d (domain part). Files: 5376 conf/sample-ldap.cf, util/dict_ldap.c. 5377 537820010729 5379 5380 Bugfix: recursive smtpd_whatever_restrictions clobbered 5381 intermediate results when switching between sender and 5382 recipient address restrictions. Problem found by Victor 5383 Duchovni, morganstanley.com. In order to fix, introduced 5384 address resolver result caching, which should also help to 5385 speed up sender/recipient address restriction processing. 5386 5387 Bugfix: the not yet announced DUNNO access table lookup 5388 result did not prevent lookups with substrings of the same 5389 lookup key. Found by Victor Duchovni, morganstanley.com. 5390 539120010730 5392 5393 Robustness: trim trailing whitespace from regexp and pcre 5394 right-hand sides, for consistency with DB/DBM tables. 5395 Files: util/dict_pcre.c, util/dict_regexp.c. 5396 539720010731 5398 5399 Robustness: eliminate duplicate IP addresses after expansion 5400 of hostnames in $inet_interfaces, so that Postfix does not 5401 suddenly refuse to start up after someone changes the DNS. 5402 Files: util/inet_addr_list.c global/own_inet_addr.c. 5403 5404 Feature: specify "disable_verp_bounces = yes" to have 5405 Postfix send one RFC-standard, non-VERP, bounce report for 5406 multi-recipient mail, even when VERP style delivery was 5407 requested. 5408 540920010801 5410 5411 Bugfix: postconf was using unexpanded values internally 5412 for myhostname, inet_interfaces, and mynetworks_style. 5413 This broke the "postconf -d" mynetworks computation. File: 5414 postconf/postconf.c. 5415 541620010803 5417 5418 Feature: masquerade_classes parameter for fine control of 5419 address masquerading. The default setting is backwards 5420 compatible: envelope_sender header_sender header_recipient. 5421 Files: cleanup/whatever.c. 5422 542320010822 5424 5425 Code cleanup: the bounce daemon complained about data that 5426 it was not going to send back anyway. Fix: stop reading 5427 the original message when the bounce message reaches the 5428 bounce message size limit. File: bounce/bounce_notify_util.c. 5429 543020010826 5431 5432 Logging: postsuper now logs the queue ID when it requeues 5433 a message, or when it deletes a message from the mail queue. 5434 File: postsuper/postsuper.c. 5435 543620010830 5437 5438 Safety: the SMTP server now sends a 4xx (try again later) 5439 response when an UCE restriction is misconfigured, instead 5440 of ignoring the bad restriction and possibly accepting mail 5441 that it should not accept. File: smtpd/smtpd_check.c. 5442 544320010907 5444 5445 Workaround: the Postfix qmqp-source program produced mail 5446 not ending in newline. qmail-qmqpd accepts such mail, but 5447 qmail-remote is unable to deliver it. Matthias Andree, 5448 uni-dortmund.de. File: smtpstone/qmqp-source.c. 5449 545020010910 5451 5452 Bugfix: the smtp-sink stress test program broke when RCPT 5453 TO commands crossed network packet boundaries. Problem 5454 reported by Matthias Andree, uni-dortmund.de. File: 5455 smtpstone/smtp-sink.c. 5456 545720010917 5458 5459 Code cleanup: permit_mx_backup implements the old behavior 5460 (accept mail if the local MTA is MX relay), and allows an 5461 additional restriction via the permit_mx_backup_networks 5462 parameter (accept mail only if the primary MX hosts match 5463 the specified list of network blocks). This second restriction 5464 is now entirely optional, for backwards compatibility. 5465 5466 Bugfix: an address extension could be appended multiple 5467 times to the result of a canonical or virtual map lookup. 5468 File: global/mail_addr_map.c. Fix by Victor Duchovni, 5469 Morgan Stanley. 5470 5471 Bugfix: split_addr() would split an address even when there 5472 was no data before the recipient delimiter. In combination 5473 with the above bug, this could cause an address to grow 5474 exponentially in size. Problem reported by Victor Duchovni, 5475 Morgan Stanley. File: global/split_addr.c. 5476 547720010918 5478 5479 Bugfix: the mail_addr_map() fix was almost but not quite 5480 right. It took two clever people and several iterations of 5481 email to really fix the mail_addr_map() problem. Thanks 5482 to Victor Duchovni and Liviu Daia. 5483 548420011006 5485 5486 Cleanup: Postfix no longer flushes the whole deferred queue 5487 after an ETRN request for a random domain name (i.e. a 5488 domain name not matched by $fast_flush_domains); the SMTP 5489 server instead replies with "459 service unavailable". 5490 Files: smtpd/smtpd.c, global/flush_clnt.c, flush/flush.c. 5491 549220011008 5493 5494 Bugfix: there was a minute memory leak when an smtpd access 5495 restriction was misconfigured. File: smtpd/smtpd_check.c. 5496 549720011010 5498 5499 Code cleanup: Postfix daemons now print the name of the 5500 UNIX-domain socket (instead of "unknown stream") in case 5501 of a malformed client request. Files: master/*server.c. 5502 550320011010-14 5504 5505 Code cleanup: replaced the ugly mail_print() and mail-scan() 5506 protocols by (name,value) attribute lists. This gives better 5507 error detection when we make changes to internal protocols, 5508 and allows new attributes to be introduced without breaking 5509 everything immediately. Files: util/attr_print.c util/attr_scan.c 5510 global/mail_command_server.c global/mail_command_client.c 5511 as wel as most Postfix applications and daemons. 5512 551320011015 5514 5515 Put base 64 encoding into place on the replaced internal 5516 protocols. Files: util/base64_code.[hc]. 5517 5518 Feature: header/body REJECT rules can now provide text that 5519 is sent to the originator. Files: cleanup/cleanup.c, 5520 cleanup/cleanup_message.c, conf/sample-filter.cf. 5521 552220011016 5523 5524 Bugfix: As of 20000625, Errors-To: was broken, because the 5525 code to extract the address was not moved from recipient 5526 address rewriting to sender address rewriting. Problem 5527 reported by Roelof Osinga @ nisser.com. File: 5528 cleanup/cleanup_message.c. 5529 553020011029 5531 5532 Bugfix: virtual map expansion terminated early because the 5533 detection of self-referential entries was flawed. File: 5534 cleanup/cleanup_map1n.c. 5535 553620011031 5537 5538 Bugfix: mail_date() mis-formatted negative time zone offsets 5539 with fractional hours (-03-30 instead of -0330). Fix by 5540 Chad House, greyfirst.ca. File: global/mail_date.c. 5541 554220011102 5543 5544 Feature: new -f option to postmap and postalias (do not 5545 lowercase the lookup key while creating a table). Files: 5546 util/dict.h postmap/postmap.c postalias/postalias.c. 5547 5548 Code cleanup: simplified the attribute print/scan routines, 5549 and removed the never-used support for sending and receiving 5550 integer arrays and string arrays. Files: util/attr_print.c, 5551 util/attr_scan.c. 5552 5553 Bugfix: qmqpd could read past the end of a string while 5554 looking for qmail's VERP magic token in the envelope sender 5555 address. File: qmqpd/qmqpd.c. 5556 5557 Code cleanup: finished testing the new internal protocols. 5558 The only bug was with the flush server, which still needs 5559 to support the old (string + null byte) protocol for triggers 5560 from the Postfix master daemon. 5561 556220011103 5563 5564 Bugfix: Postfix would log the wrong error text when locally 5565 submitted mail was deferred due to "soft_bounce = yes". 5566 5567 Bugfix: The LDAP client dropped any entries that don't have 5568 the result_attribute, but errored out when a DN didn't 5569 exist. The behavior is now consistent: treat non-existant 5570 DN's in a special result attribute expansion the same as 5571 DN's with no attribute. LaMont Jones, HP. 5572 557320011104 5574 5575 Bugfix: the new smtp-sink -n option (terminate after the 5576 specified number of deliveries) wasn't optional. 5577 5578 Portability: updated Mac OS X documentation and install 5579 scripts by Gerben Wierda. 5580 558120011105 5582 5583 Bugfix: missing terminator in new attribute-based function 5584 call caused signal 11. File: src/cleanup/cleanup.c. 5585 5586 Lame workaround for ESTALE errors with mail delivery over 5587 NFS. Additional bandages were added to the local delivery 5588 agent. However, Wietse maintains that Postfix offers no 5589 guarantee for reliable delivery over NFS. 5590 5591 Feature: put "warn_if_reject" before an smtpd restriction, 5592 and that restriction logs warnings without rejecting mail. 5593 This makes it easier to test configurations "live" without 5594 having to lose mail. File: smtpd/smtpd_check.c. 5595 559620011107 5597 5598 Workaround: in order to get mail past PIX firewall bugs, 5599 the Postfix SMTP client now blocks until the socket send 5600 buffer is empty before sending the final ".<CR><LF>". Files: 5601 util/sock_empty_wait.c, smtp/smtp_proto.c. Changed into 5602 sleep(10) on 20011119. Sleep suggested by Hobbit. 5603 560420011108 5605 5606 Feature: added string-null encoding for internal protocols. 5607 Files: util/attr_print0.c, util/attr_scan0.c. 5608 5609 Feature: configurable parent domain matching for domain 5610 and hostname/address match lists: either .domain or the 5611 domain name itself. Files: util/match_ops.c util/match_list.c 5612 5613 Feature: added pretend-to-be-behind-PIX mode to the smtp-sink 5614 test program, in order to stress test some PIX bug workaround 5615 code. 5616 561720011109 5618 5619 Workaround: Linux and Solaris systems have no reasonable 5620 way to block until a socket drains. On these systems Postfix 5621 simply waits for 10 seconds, in order to work around PIX 5622 ".<CR><LF>" bugs. File: util/sock_empty_wait.c. 5623 562420011114 5625 5626 Bugfix: reset the smtpd command transaction log between 5627 deliveries. File: smtpd/smtpd.c. 5628 562920011115 5630 5631 Feature: mailbox_command_maps no longer requires that every 5632 user has an entry. If the user does not have a command 5633 entry, the local delivery agent tries the other delivery 5634 methods (mailbox_command, home_mailbox). File: local/mailbox.c. 5635 5636 Bugfix: reset the smtpd command transaction log between 5637 non-deliveries. File: smtpd/smtpd.c. 5638 563920011116 5640 5641 Bugfix: consolidated all the command transaction log resets 5642 and eliminated one missing reset (Victor Duchovni, Morgan 5643 Stanley). File: smtpd/smtpd.c. 5644 564520011118 5646 5647 Cleanup: replaced unnecessary match_list wrapper code by 5648 macros. Files: global/{string,domain,namadr}_list.[hc]. 5649 565020011119 5651 5652 Feature: configurable parent domain matching strategy for 5653 transport map lookups. File: trivial-rewrite/transport.c. 5654 5655 New parent_domain_matches_subdomains parameter. This lists 5656 all the Postfix features where a domain name matches itself 5657 and all its subdomains (instead of requiring ".domain.name" 5658 for subdomain matches). Planning for future backwards 5659 compatibility :-) File: global/match_parent_style.c. 5660 5661 Workaround: simplified the PIX ".<CR><LF>" bug to always 5662 sleep for 10 seconds. File: smtp/smtp_proto.c. 5663 566420011120 5665 5666 Workaround: disable attribute string length restriction so 5667 that trivial-rewrite does not refuse to rewrite broken mail 5668 headers. Files: util/attr_scan*.c. 5669 567020011121 5671 5672 Bugfix: missing long integer support in the new IPC protocols. 5673 Files: util/attr_scan*.c, util/attr_print*.c. 5674 5675 Portability: AIX5 (Adrian P. van Bloois), MAC OS X 10.1.1 5676 (Gerben Wierda). 5677 567820011125 5679 5680 Bugfix: spurious postmaster notifications because some flag 5681 was not reset. 5682 5683 Feature: new parameter smtpd_sender_login_maps that specifies 5684 the (SASL) login name that owns a MAIL FROM address. 5685 Specify a regexp table in order to require a simple one-to-one 5686 mapping. This is used in the reject_sender_login_mismatch 5687 sender anti-spoofing feature. 5688 5689 Feature: restriction reject_sender_login_mismatch refuses 5690 a MAIL FROM address when $smtpd_sender_login_maps specifies 5691 an owner but the client is not (SASL) logged in as the MAIL 5692 FROM address owner, or when a client is (SASL) logged in 5693 but the client login name does not own the MAIL FROM address 5694 according to $smtpd_sender_login_maps. File: smtpd/smpd_check.c. 5695 5696 Documentation: added some redundancy to the LMTP_README 5697 file so people can keep track of the difference between 5698 the Postfix LMTP client and the non-Postfix LMTP server. 5699 570020011126 5701 5702 Feature: smtpd_noop_commands specifies a list of commands 5703 that are treated as NOOP (no operation) commands, without 5704 syntax check or state change. File: smtpd/smtpd.c. 5705 5706 Bugfix: the "mark queue file as corrupt" code did not work 5707 because it was never used. Files: global/mark_corrupt.c, 5708 global/mail_copy.c, global/pipe_command.c, *qmgr/qmgr_active.c, 5709 local/maildir.c, local/mailbox.c, local/command.c, pipe/pipe.c, 5710 virtual/mailbox.c, virtual/maildir.c. 5711 5712 Bugfix: the bounce daemon broke in the unlikely case of a 5713 non-existing queue file. File: bounce/bounce_notify_util.c. 5714 571520011127 5716 5717 Feature: added WARN command to header/body_checks files as 5718 proposed by Michael Tokarev. File: cleanup/cleanup_message.c. 5719 5720 Bugfix: the postdrop program was broken after the change 5721 of Postfix internal protocols. This broke "sendmail -bs" 5722 mail submissions with "secure" maildrop directory. Reported 5723 by Craig Loomis, apo.nmsu.edu. File: postdrop/postdrop.c. 5724 5725 Feature: a first start at fault injection for testing 5726 unlikely error scenarios (such as corrupt queue files). 5727 Parameter: fault_injection_code, must be left at zero for 5728 production use. 5729 573020011128 5731 5732 Robustness: add a file size limit to the sendmail and 5733 postdrop submission programs to stop run-away process 5734 accidents. This is not a defense against DOS attack. Files: 5735 sendmail/sendmail.c, postdrop/postdrop.c. 5736 5737 That resulted in a considerable amount of work to properly 5738 propagate "file too large" conditions back to the sendmail 5739 mail posting user interface. Took the opportunity to express 5740 other mail submission fatal exits with the <sysexits.h> 5741 exit status codes. Files: sendmail/sendmail.c, 5742 postdrop/postdrop.c. 5743 574420011129 5745 5746 Maintenance: dict_ldap.c wasn't updated after the revision 5747 of the string matching routines. File: util/dict_ldap.c. 5748 574920011208 5750 5751 Maintenance: LDAP module and documentation from LaMont 5752 Jones. This version adds verbose logging for LDAP library 5753 routines. Files: src/util/dict_ldap.[hc], LDAP_README, 5754 conf/sample-ldap.cf 5755 5756 Portability: made memory alignment restrictions configurable. 5757 File: util/mymalloc.c. 5758 5759 Bugfix? Avoid surprises with source routed destinations 5760 and OK entries in SMTPD access maps. File: smtpd/smtpd_access.c. 5761 5762 Security: "postfix check" looks for damage by well-intended 5763 but misguided use of "chown -R postfix /var/spool/postfix". 5764 That would make chrooted Postfix less secure than non-chrooted 5765 Postfix. These extra tests may cause complaints with 5766 third-party patches such as TLS that introduce their own 5767 files into the jail. 5768 5769 Feature: static map type that always returns the map name 5770 as lookup value, regardless of lookup key value. Contributed 5771 Jeff Miller (jeffm at ghostgun.com) 5772 5773 Feature: turn off the PIX <CR><LF>.<CR><LF> workaround for 5774 the first mail delivery attempt, i.e. when mail is queued 5775 for less than $smtp_pix_workaround_threshold_time (default: 5776 500) seconds. New parameter $smtp_pix_workaround_delay_time 5777 to control the delay before sending .<CR><LF> (default: 10 5778 seconds) when doing the PIX <CR><LF>.<CR><LF> workaround. 5779 578020011210 5781 5782 Bugfix: the 20011128 change in sendmail and postdrop did 5783 not handle the case of message_size_limit=0. Fix by Will 5784 Day, Georgia Tech. 5785 578620011212 5787 5788 Compatibility: The SMTP server now accepts <CR><CR><LF> as 5789 if the client sent <CR><LF>. Reportedly, some badly written 5790 windows software produces such garbage, and some badly 5791 written windows anti-VIRUS software cannot handle such 5792 garbage. File: global/smtp_stream.c. 5793 579420011214 5795 5796 Bugfix: postmap/postalias queries ignored the -f flag. 5797 Reported by Hamish Marson. 5798 579920011217 5800 5801 Compatibility: Sendmail now has a -L option to set the 5802 syslogging label. Postfix sendmail uses syslog_name instead, 5803 and ignores the -L option. 5804 5805 Security: subtle hardening of the Postfix chroot jail, 5806 Postfix queue file permissions and access methods, in case 5807 someone compromises the postfix account. Michael Tokarev, 5808 who received the insights from Solar Designer, who tested 5809 Postfix with a kernel module that is paranoid about open() 5810 calls. Files: master/master_wakeup.c, util/fifo_trigger.c, 5811 postfix-script. 5812 5813 Convenience: issue a warning instead of aborting when the 5814 local machine name is not in fully-qualified domain form. 5815 This would otherwise break initial postfix installation 5816 which needs the postconf command. File: global/mail_params.c. 5817 581820011220 5819 5820 Added more garbage detection to postconf -e input processing. 5821 582220011221 5823 5824 Feature: SMTPD access map lookups of null sender addresses. 5825 If your access maps cannot store or look up null string 5826 key values, specify "smtpd_null_access_lookup_key = <>" 5827 and the null sender address will be looked up as <> instead. 5828 File: smtpd/smtpd_access.c. 5829 583020011223 5831 5832 Safety: configuration file comments no longer span multiple 5833 lines when the next line begins with whitespace; multi-line 5834 input is no longer terminated by a comment line, by an all 5835 white space line, or by an empty line. Michael Tokarev made 5836 the crucial suggestion to simplify the readline routine. 5837 Files: util/readlline.c, postconf/postconf.c. 5838 5839 Cleanup: proper detection of big number overflow in EHLO 5840 and MAIL FROM size announcements, with input from Victor 5841 Duchovni, Morgan Stanley. Files: global/off_cvt.c, 5842 smtpd/smtpd.c, smtp/smtp_proto.c, util/alldig.c. 5843 5844 Forward compatibility: added queue file record types for 5845 original recipient and for generic named attributes. 5846 5847 Cleanup: safe_open() now returns sensible errno values so 5848 that the fifo_trigger() external interface is restored. 5849 585020011225 5851 5852 Upgrade: PCRE_README now describes PCRE version 3.x. 5853 5854 Cleanup: flush SMTPD command history upon receipt of EHLO, 5855 RSET, and upon DATA completion, only if it exceeds 5856 $smtpd_history_flush_threshold lines (default: 100). 5857 Distant derivative of code by Michael Tokarev. File: 5858 smtpd/smtpd.c. 5859 586020011228 5861 5862 Bugfix: a readlline() error message showed less text than 5863 intended. Christian von Roques. 5864 5865 Cleanup: postfix now installs with group-writable maildrop 5866 directory and with a set-gid postdrop mail submission 5867 command. The pickup service is now unprivileged. The 5868 world-writable maildrop directory no longer exists. 5869 5870 The cleanup service is now public, in preparation for local 5871 sendmail/postdrop mail submission that avoids the maildrop 5872 queue directory while Postfix is up. 5873 5874 Cleanup: moved the main.cf/master.cf file editing from the 5875 postfix-script file to the INSTALL.sh file. 5876 5877 Cleanup: INSTALL.sh no longer accepts "no" as the destination 5878 of Postfix manual pages. 5879 588020011230 5881 5882 Cleanup: the code for "mailq", "sendmail -q", and for 5883 "sendmail -qRsite" was moved from the sendmail command to 5884 a new set-gid postqueue command. The pickup and qmgr FIFOs 5885 are no longer world writable. Files: sendmail/sendmail.c, 5886 postqueue/postqueue.c. 5887 588820020101 5889 5890 Security: new alternate_config_directories parameter that 5891 specifies what directories a set-gid command will accept 5892 as its configuration directory. The list must be specified 5893 in the default main.cf file. File: global/mail_conf.c. 5894 5895 Cleanup: "sendmail -qRsite" is no longer implemented by 5896 connecting to the SMTP port. It is now implemented by 5897 talking to the fast flush service. File: postqueue/postqueue.c. 5898 589920020203 5900 5901 Cleanup: INSTALL.sh now records all installation information 5902 in the main.cf file. The now obsolete install.cf file is 5903 used only when upgrading from an older Postfix release. 5904 5905 Cleanup: INSTALL.sh now takes name=value settings on the 5906 command line, and has a new "-upgrade" command line option 5907 to turn on non-interactive installation. 5908 5909 Security: additional run-time checks to discourage sharing 5910 of Postfix user/group ID values with other accounts. 5911 591220020105 5913 5914 Cleanup: SMTPD access maps now return DUNNO (undetermined) 5915 instead of OK when a recipient address contains multiple 5916 domains (user@dom1@dom2, etcetera). Victor Duchovni, Morgan 5917 Stanley. File: smtpd/smtpd_check.c. 5918 591920020106 5920 5921 Bugfix: SMTPD access maps did not handle address extensions. 5922 File: smtpd/smtpd_check.c. 5923 592420020107 5925 5926 Bugfix: postfix-script, when creating a missing maildrop 5927 queue directory, still referenced install.cf when setting 5928 maildrop directory group ownership; and the postfix command 5929 did not export the setgid_group parameter to the postfix-script 5930 shell script. Victor Duchovni. 5931 5932 Bugfix: postfix-script, when creating a missing public 5933 queue directory, did not set group ownership of the public 5934 directory. 5935 593620020109 5937 5938 Cleanup: rewrote the Postfix installation procedure again. 5939 It is now separated into 1) a primary installation script 5940 (postfix-install) that installs files locally or that builds 5941 a package for distribution and that stores file owner and 5942 permission information in /etc/postfix/post-files, and 2) 5943 a post-installation script (/etc/postfix/post-install) that 5944 creates missing directories, that sets file/directory 5945 ownership and permissions, and that upgrades existing 5946 configuration files if necessary. 5947 594820020110 5949 5950 Workaround: AIX null read() return on an empty but open 5951 non-blocking pipe. File: master/master_flow.c. Report: 5952 Hamish Marson. 5953 595420020111 5955 5956 Feedback: feedback, bugfixes, and brain-dead shell workarounds 5957 for the install scripts by Victor Duchovni and Simon Mudd. 5958 595920020113 5960 5961 Rewrote postfix-install. The postfix-files file now controls 5962 what is installed. Refined the semantics of many post-install 5963 operations. post-install now auto-saves settings that 5964 override main.cf. 5965 596620020114 5967 5968 Bugfix: alternate_config_directories did not take comma or 5969 whitespace as separators. File: global/mail_conf.c. Victor 5970 Duchovni, Morgan Stanley. 5971 5972 Bugfix: the rewritten postfix-install script did not chattr 5973 +S the Postfix queue. 5974 597520020115 5976 5977 Cleanup: added sample_directory and readme_directory 5978 installation parameters for sample configuration files and 5979 for README files. Files: postconf.c, postfix-install, 5980 conf/postfix-files, conf/post-install. 5981 5982 Robustness: the postfix command now exports all installation 5983 parameter settings, and input filters the environment, so 5984 that the startup shell scripts produce a consistent result. 5985 Files: postconf.c. 5986 598720020117 5988 5989 Portability: patch from LaMont Jones for compiling dict_ldap.c 5990 with the Netscape SDK. 5991 5992 Feature: added "r" (recursive chown/chgrp) flag to the 5993 postfix-files database, for more convenient change of 5994 Postfix queue ownership. Files: conf/postfix-files, 5995 conf/post-install. 5996 599720020122 5998 5999 Documentation: lots of little fixes. 6000 6001 Documentation: updates for the VIRTUAL_README file by Victor 6002 Duchovni, Morgan Stanley. 6003 6004 Bugfix: postqueue -s dereferenced a null pointer when given 6005 a numerical domain argument. LaMont Jones, HP. 6006 6007 Cleanup: smtpd now logs a warning when permit_sasl_authenticated 6008 is used while SASL authentication is disabled, instead of 6009 simply ignoring the restriction. LaMont Jones, HP. File: 6010 smtpd/smtpd.c. 6011 6012 Safety: when postmap creates a non-existent file, the new 6013 file inherits group/other read permissions from the source 6014 file. Based on code by LaMont Jones, HP. File: 6015 postmap/postmap.c. 6016 601720020123 6018 6019 Portability: some Linux systems install libnsl.so without 6020 libnsl.a file, causing an yp_match undefined reference 6021 problem. File: makedefs. 6022 602320020124 6024 6025 Portability: post-install now requests that command_directory 6026 is given on the command line when the postconf command is 6027 in an unusual place. 6028 6029 Safety: extra code to detect and report Berkeley DB version 6030 mismatches between compile time and run time. This test 6031 is limited to mismatches in the major version number only. 6032 File: util/dict_db.c. Based on code by Lawrence Greenfield, 6033 Carnegie-Mellon university. 6034 6035 Safety: the postfix command and the master daemon abort if 6036 they are running set-uid. 6037 6038 Documentation: the postmap manual page described an out of 6039 date input file format. 6040 604120020129 6042 6043 Workaround: SCO version 3.2 can't ioctl(FIONREAD) a pipe. 6044 Therefore, input mail flow control is disabled by default. 6045 Files: makedefs, global/mail_params.h, conf/main.cf. 6046 Problem reported by Kurt Andersen, Agilent. 6047 604820020201 6049 6050 Workaround: changed the default smtpd_null_access_lookup_key 6051 setting to <>, because some Bezerkeloid DB implementations 6052 can't handle null-length lookup keys. File: global/mail_params.h. 6053 6054 Bugfix: backed out a null-length address panic call by 6055 ignoring the problem, like Postfix did in the past. File: 6056 global/resolve_local.c. 6057 6058 Safety: "postfix check" will now warn if /usr/lib/sendmail 6059 and /usr/sbin/sendmail differ, and will propose to replace 6060 one by a symlink to the other. File: conf/postfix-script. 6061 606220020204 6063 6064 Sanity: additional permission checks for "postfix check" 6065 that warn for setgid_group group ownership mismatches. by 6066 Matthias Andree, uni-dortmund.de. File: conf/postfix-script. 6067 6068 Bugfix: "postfix check" used a too simplistic way to 6069 recognize file ownership (grepping ls output). It now uses 6070 the recently discovered "find -prune". Peter Bieringer, 6071 Matthias Andree. File: conf/postfix-script. 6072 607320020218 6074 6075 Workaround: log a warning and disconnect when an SMTP client 6076 ignores our negative replies and starts sending message 6077 content without permission. File: smtpd/smtpd.c. 6078 607920020220 6080 6081 Bugfix: mismatch in the file being locked by dict_dbm and 6082 the file being locked by postmap, so that locks did not 6083 work correctly. Victor Duchovni, Morgan Stanley. 6084 608520020222 6086 6087 Workaround: Solaris bug 4380626: strcasecmp() and strncasecmp() 6088 produce incorrect results with 8-bit characters. For example, 6089 non-ASCII characters could compare equal to ASCII characters, 6090 and that could result in any number of security problems. 6091 Files: util/strcasecmp.c, COPYRIGHT (the BSD license). 6092 6093 Bugfix: off-by-one error, causing a null byte to be written 6094 outside dynamically allocated memory in the queue manager 6095 with addresses of exactly 100 bytes long, resulting in 6096 SIGSEGV on systems with an "exact fit" malloc routine. 6097 Experienced by Ralf Hildebrandt; diagnosed by Victor 6098 Duchovni. Files: *qmgr/qmgr_message.c. This is not a 6099 security problem. 6100 6101 Bugfix: make all recipient comparisons transitive, because 6102 Solaris qsort() causes SIGSEGV errors otherwise. Victor 6103 Duchovni, Morgan Stanley. File: *qmgr/qmgr_message.c. 6104 610520020302 6106 6107 Bugfix: don't strip source route (@domain...:) when the 6108 result would be an empty address. This avoids problems when 6109 append_at_myorigin is set to "no" (which is not supported). 6110 Problem reported by Charles McColgan, Big Fish Communications. 6111 File: trivial-rewrite/rewrite.c. 6112 611320020304 6114 6115 Cleanup: postqueue should not not complain when output 6116 fails with "broken pipe". 6117 611820020308 6119 6120 Bugfix? reply with 550 not 552 when content is rejected. 6121 552 is reserved for "too much mail". 6122 6123 Documentation: add note to sendmail manual page that running 6124 "sendmail -bs" as $mail_owner enables SMTP server UCE and 6125 access control checks. This is meant for use from inetd 6126 etc. Matthias Andree. 6127 612820020311 6129 6130 Bugfix: DBM maps should use different files for locking 6131 and for change detection. Problem reported by Victor 6132 Duchovni, Morgan Stanley. Files: util/dict.h util/dict.c 6133 util/dict_db.c util/dict_dbm.c global/mkmap.c local/alias.c. 6134 613520020313 6136 6137 Bugfix: mailq could show addresses with unusual characters 6138 twice. Problem reported by Victor Duchovni, Morgan Stanley. 6139 File: showq/showq.c. 6140 6141 Bugfix: null recipients weren't properly recorded in 6142 bounce/defer logfiles. Such recipient addresses are not 6143 accepted in SMTP mail, but they could appear within locally 6144 submitted mail. File: bounce/bounce_append_service.c. 6145 614620020318 6147 6148 Workaround: Berkeley DB can't handle null key lookups, 6149 which happen with HELO names ending in ".". Victor Duchovni, 6150 Morgan Stanley. File: smtpd/smtpd_check.c. 6151 6152 Logging: log a hint when mail is deferred because the 6153 soft_bounce parameter is set. People sometimes forget to 6154 turn it off. File: global/bounce.c. 6155 615620020319 6157 6158 Cleanup: add a msg_warn() call when fork() fails in 6159 pipe_command(), to make problems easier to investigate. 6160 Chris Wedgwood. File: global/pipe_command.c. 6161 616220020320 6163 6164 Feature: smtp_helo_name parameter to specify the hostname 6165 or [ip.address] in HELO or EHLO commands. Files: smtp/smtp.c 6166 smtp/smtp_proto.c. 6167 616820020324 6169 6170 Cleanup: more graceful handling of long physical message 6171 header lines upon input. Physical header lines can now 6172 extend up to $header_size_limit characters. When a logical 6173 message header is too long, the excess text is discarded 6174 and Postfix no longer switches to body mode, to avoid 6175 breaking MIME encapsulation. Based on code by Victor 6176 Duchovni, Morgan Stanley. Files: cleanup/cleanup_out.c, 6177 cleanup/cleanup_message.c. 6178 6179 Cleanup: more graceful handling of long physical message 6180 header or body lines upon output by the SMTP client. The 6181 SMTP client output line length is controlled by a new 6182 parameter smtp_line_length_limit (default: 990; specify 0 6183 to disable the limit). Long lines are folded by inserting 6184 <CR> <LF> <SPACE>, to avoid breaking MIME encapsulation. 6185 Based on code by Victor Duchovni, Morgan Stanley. File: 6186 smtp/smtp_proto.c. 6187 618820020325 6189 6190 Cleanup: allow additional text after a WARN command in a 6191 header/body_checks pattern file, so that one can change 6192 REJECT+text into WARN+text and vice versa. Based on code 6193 by Fredrik Thulin, Stockholm University. 6194 6195 Cleanup: log a warning when an unknown command is found in 6196 a header/body_checks pattern file, or when additional text 6197 is found after a command that does not expect additional 6198 text. Based on code by Fredrik Thulin, Stockholm University. 6199 6200 Bugfix: sendmail should not recognize "." as the end of 6201 input when the current read operation started in the middle 6202 of a line. Victor Duchovni, Morgan Stanley. File: 6203 sendmail/sendmail.c. 6204 620520020328 6206 6207 Portability fix for OPENSTEP and NEXTSTEP by Gerben Wierda. 6208 File: util/sys_defs.h. 6209 621020020329 6211 6212 Bugfix: defer_transports broke because the flush server 6213 triggered mail delivery (as if ETRN was sent) while doing 6214 some internal housekeeping of per-destination logfiles. 6215 Problem experienced by LaMont Jones, HP. File: flush/flush.c. 6216 6217 Bugfix: virtual mapping broke for addresses with embedded 6218 whitespace. Fix by Victor Duchovni, Morgan Stanley. File: 6219 cleanup/cleanup_map1n.c. 6220 6221 Feature: configurable service name for the internal services: 6222 bounce, cleanup, defer, error, flush, pickup, queue, rewrite, 6223 showq. This allows you to specify, for example, a non-default 6224 cleanup service (smtpd -o cleanup_service_name=alt_cleanup). 6225 Files: global/mail_params.[hc]. 6226 6227 Feature: SASL version 2 support by Jason Hoos. Files: 6228 */*_sasl_glue.c, SASL_README, conf/sample-auth.cf. 6229 623020020330 6231 6232 Bugfix: postqueue did not pass on non-default configuration 6233 directory settings when running showq while the mail system 6234 is down. The super-user is now exempted from environment 6235 stripping in postqueue/postqueue.c. Problem reported by 6236 Victor Duchovni, Morgan Stanley. 6237 623820020402 6239 6240 Workaround: recognize more headers that are sent instead 6241 of SMTP commands. File: smtpd/smtpd.c. 6242 624320020413 6244 6245 Feature: new pipe delivery agent "D" flag to prepend a 6246 Delivered-To: message header. This requires single recipient 6247 deliveries. Based on code by Matthias Andree. File: 6248 pipe/pipe.c. 6249 625020020414 6251 6252 Portability: Postfix will no longer attempt to build with 6253 gdbm support, because gdbm is broken. File: makedefs. 6254 625520020415 6256 6257 Cleanup: the attribute list IPC code did not distinguish 6258 between "disconnect" and "timeout" while reading an attribute 6259 list, making trouble shooting more difficult than necessary. 6260 Files: util/attr_scan0.c, util/attr_scan64.c. 6261 6262 Cleanup: install parameter defaults can now be overruled 6263 from makedefs: sendmail_path, mailq_path, newaliases_path, 6264 command_directory, daemon_directory. Based on code by Victor 6265 Duchovni, Morgan Stanley. File: util/sys_defs.h. 6266 626720020411 6268 6269 Cleanup: Use more robust quoting passing makedefs/Makefile 6270 settings. This also simplifies the seven backslashes example 6271 in the INSTALL file. Victor Duchovni, Morgan Stanley. 6272 Files: makedefs, INSTALL. 6273 627420020417 6275 6276 Bugfix: the post-install script failed to upgrade master.cf 6277 settings from private to public if the service was explicitly 6278 configured as private. 6279 628020020418 6281 6282 Documentation: added CPU saving patterns for quickly skipping 6283 base 64 encoded text in message bodies. Liviu Daia. Files: 6284 {proto,conf}/pcre_table, {proto,conf}/regexp_table, 6285 conf/sample_{regexp,pcre}_body.cf. 6286 628720020426 6288 6289 Bugfix: the SMTP client forgot to quote whitespace etc. 6290 in a sender/recipient address when DNS lookup was turned 6291 off (disable_dns_lookups = yes). Problem experienced by 6292 Chip Paswater. Files: smtp/smtp_proto.c. 6293 629420020501 6295 6296 Feature: wildcard lookup in transport maps (lookup key 6297 "*"). Code developed with Lamont Jones, HP. 6298 6299 Feature: a null transport:destination transport map entry 6300 means proceed as if the transport map lookup failed. Code 6301 developed with Lamont Jones, HP. 6302 6303 Feature: more efficient use of cache memory when a process 6304 opens multiple Berkeley DB tables; and faster performance 6305 creating large tables by using more buffer memory. Files: 6306 util/dict_db.[hc], global/mkmap_db.c. Victor Duchovni, 6307 Morgan Stanley. 6308 630920020503 6310 6311 Cleanup: postqueue silently ignored command-line arguments 6312 following -p or -f options, instead of complaining; postqueue 6313 produced an incorrect error message (mail system down) when 6314 the command was installed with incorrect privileges. File: 6315 postqueue/postqueue.c. 6316 6317 Bugfix: while reporting a domain name or IP address syntax 6318 error, postqueue could dereference a dangling pointer with 6319 some getopt() implementations. LaMont Jones, HP. File: 6320 postqueue/postqueue.c. 6321 6322 Safety: postalias and postmap now drop root privileges 6323 while processing a non-root input file. Thus, the result 6324 should be writable to the source file owner. Specify the 6325 -o option if this is a problem. Files: postmap/postmap.c, 6326 postalias/postalias.c. 6327 6328 Consistency: just like postmap, postalias now copies file 6329 permissions from the source file when it creates a new 6330 table for the first time. File: postalias/postalias.c. 6331 633220020504 6333 6334 Portability: run-time test to avoid GDBM trouble. File: 6335 util/dict_dbm.c. 6336 633720020505 6338 6339 Cleanup: revised and simplified the transport map semantics. 6340 Null transport or nexhop fields now mean: "do not change": 6341 use what would be used if the transport map did not exist. 6342 This change eliminated a lot of code. The incompatibility 6343 is that a null transport field no longer defaults to 6344 $default_transport, but to $local_transport or $default_transport 6345 depending on the destination, and that a transport map only 6346 overrides relayhost when the table specifies explicit 6347 nexthop information. Files: trivial-rewrite/transport.c, 6348 trivial-rewrite/resolve.c. 6349 6350 Cleanup: revised the user interface for controlling the 6351 Berkeley DB create and read buffer size controls. Files: 6352 util/dict_db.[hc], global/mail_params.[hc], global/mkmap_db.c. 6353 635420020507 6355 6356 Cleanup: simplified the hash/btree cache management code. 6357 The caches are now per table instead of shared, and the 6358 default read cache size is reduced to 128 kBytes. File: 6359 util/dict_db.c. 6360 636120020508 6362 6363 Bugfix: close user@domain@postfix-style.virtual.domain 6364 source routing relaying loophole involving postfix-style 6365 virtual domains with @virtual.domain catch-all patterns. 6366 Problem reported by Victor Duchovni. File: smtpd/smtpd_check.c. 6367 6368 Bugfix: mail_addr_map() used the "wrong" @ character in 6369 addresses with multiple @. Victor Duchovni. File: 6370 global/mail_addr_map.c. 6371 6372 Bugfix: for address localpart quoting, now quote @ as a 6373 special character everywhere, except when resolving addresses. 6374 Previously, the @ was nowhere quoted as a special character, 6375 not even in SMTP commands. Files: global/quote_82[12]_local.c 6376 and clients. 6377 637820020509 6379 6380 Safety: don't allow an OK access rule lookup result for 6381 user@domain@postfix-style.virtual.domain. Suggested by 6382 Victor Duchovni, Morgan Stanley. File: smtpd/smtpd_check.c. 6383 6384 Bugfix: quote unquoted address localparts that need quoting. 6385 Files: global/tok822_parse.c, global/quote_82[12]_local.c. 6386 6387 Documentation: simplified the advanced content filtering 6388 example, and included a more advanced example for those 6389 who want to squeeze out more performance without running 6390 multiple Postfix instances. Text by Victor Duchovni, Morgan 6391 Stanley. File: README_FILES/FILTER_README. 6392 639320020510 6394 6395 Feature: header/body filters now log the origin of the 6396 message that is being rejected. Files: smtpd/smtpd.c, 6397 qmqpd/qmqpd.c, pickup/pickup.c, cleanup/cleanup_envelope.c, 6398 cleanup/cleanup_message.c. Requested by Craig Sanders, if 6399 I remember correctly. 6400 6401 Feature: the Postfix SMTP client now passes on MIME body 6402 type information (8bit, 7bit) received via SMTP, via MIME 6403 headers, or via the sendmail command line. Files: 6404 global/deliver_request.c, smtpd/smtpd.c, sendmail/sendmail.c, 6405 cleanup/cleanup_envelope.c, cleanup/cleanup_message.c, 6406 cleanup/cleanup_extracted.c, *qmgr/qmgr_message.c, 6407 *qmgr/qmgr_deliver.c, smtp/smtp_proto.c, lmtp/lmtp_proto.c. 6408 640920020511 6410 6411 Feature: bounces now specify the proper MIME encoding (8bit, 6412 7bit), depending on the MIME body type information received 6413 via SMTP, via MIME headers, or via the sendmail command 6414 line. Files: global/bounce.c, global/defer.c, global/abounce.c, 6415 bounce/bounce_service.c, bounce/bounce_notify_util.c. 6416 641720020512 6418 6419 Cleanup: the SMTP client logged and bounced the CNAME 6420 expanded recipient address, and thereby complicated trouble 6421 shooting. File: smtp/smtp_proto.c. 6422 6423 Bugfix: the SMTP and LMTP clients bounced the quoted 6424 recipient address, resulting in too much quoting in bounce 6425 reports. Files: smtp/smtp_proto.c, lmtp/lmtp_proto.c. 6426 642720020513 6428 6429 Bugfix: the LDAP client used the "wrong" @ character in 6430 addresses with multiple @. LaMont Jones, HP. File: 6431 util/dict_ldap.c. 6432 6433 Feature: lots of new LDAP stuff: result_filter (filter to 6434 expand results from queries), chase_referrals, LaMont Jones, 6435 HP. The LDAP bind timeout now works thanks to Victor 6436 Duchovni, Morgan Stanley. File: util/dict_ldap.c. 6437 6438 Cleanup: specify "resolve_dequoted_address = no" to prevent 6439 Postfix from looking inside quotes for extra @ etc. characters 6440 when resolving an address. This behavior is technically 6441 more correct, but it opens a mail relay loophole with "user 6442 @domain"@domain when relaying mail to a Sendmail system. 6443 644420020514 6445 6446 Bugfix: the new code for header address quoting sometimes 6447 did not null terminate strings so that arbitrary garbage 6448 could appear at the end of message headers. Reported by 6449 Ralf Hildebrandt. File: global/tok822_parse.c. 6450 6451 Safety: user@domain@domain is no longer accepted by the 6452 permit_mx_backup uce restriction (unless Postfix is configured 6453 with "resolve_dequoted_address = no"). Victor Duchovni, 6454 Morgan Stanley. File: smtpd/smtpd_check.c. 6455 645620020515 6457 6458 Workaround: flush the SMTP client output buffer when no 6459 output has happened for 10+ seconds. This prevents the 6460 socket from timing out, in case DNS CNAME expansion is 6461 slow. Problem experienced by Alex Erdelyi, peregrine.com. 6462 File: smtp/smtp_chat.c. We did the same thing for the SMTP 6463 server years ago, and one wonders why the coin didn't drop 6464 at the time that the SMTP client could suffer from a similar 6465 problem. 6466 646720020516 6468 6469 Updated the FILTER_README file to turn off DNS lookups in 6470 the SMTP client that feeds mail into a content filter. 6471 647220020517 6473 6474 Cleanup: Mailbox-Line: message header labels should be 6475 X-Mailbox-Line: labels. Files: smtpd/smtpd.c, qmqpd/qmqpd.c. 6476 647720020515-21 6478 6479 Feature: new MIME parser, written from scratch, that 6480 recognizes the structure of MIME encapsulated mail. Influenced 6481 by comments from Victor Duchovni. This code can detect but 6482 will not decode obscure MIME formats or obscure character 6483 string encoding that Liviu Daia expresses concern about. 6484 6485 MIME header scanning now happens in header_checks, and is 6486 faster than body_checks could ever be. This also eliminates 6487 the problem with multi-line MIME headers being matched one 6488 line at a time. Files: global/mime_state.[hc], 6489 cleanup/cleanup_message.c. 6490 649120020521-22 6492 6493 Feature: 8-bit to quoted-printable conversion. First use 6494 in the Postfix SMTP client. File: smtp/smtp_proto.c. 6495 6496 Logging: the Postfix SMTP and LMTP clients now report the 6497 the protocol stage when they report a server reply. File: 6498 smtp/smtp_proto.c, lmtp/lmtp_proto.c. 6499 6500 Bugfix: the SMTP server warned about ignored client attributes 6501 (these were introduced 20020510) in mail that was submitted 6502 with "sendmail -bs". File: smtpd/smtpd.c. 6503 650420020525 6505 6506 Feature: separation of header checks into header_checks 6507 (all primary headers except MIME related headers), 6508 mime_header_checks (all MIME headers including MIME headers 6509 at the start of messages) and nested_header_checks (headers 6510 of attached messages, except MIME related headers). 6511 6512 Cleanup: broke out the header value parser from the MIME 6513 processor so that the code can be reused elsewhere. File: 6514 global/header_token.c. 6515 6516 Compatibility: Postfix now recognizes "name :" as a valid 6517 message header, but normalizes it to "name:" form or else 6518 lots of things would break all over the place. Files: 6519 global/is_header.c, global/mime_state.c. 6520 652120020526 6522 6523 Bugfix: the SMTP server now disallows RCPT TO:<"">, just 6524 like it disallows RCPT TO:<>. File: smtpd/smtpd.c. 6525 6526 Feature: disable_mime_input_processing=yes/no controls 6527 whether Postfix recognizes (and optionally enforces) MIME 6528 formats while receiving mail. Default is NO. 6529 6530 Feature: disable_mime_output_conversion=yes/no controls 6531 whether Postfix will convert 8BITMIME to 7BIT mail when 6532 delivering mail to an SMTP server that does not announce 6533 8BITMIME support. Default is NO. 6534 6535 Feature: strict_8bitmime=yes/no controls whether Postfix 6536 rejects 8-bit characters in headers and 7-bit body parts. 6537 This blocks mail from poorly written software, including 6538 majordomo approval requests that contain a valid 8BITMIME 6539 email message, as well as mail that is piped into ancient 6540 /bin/mail implementations that do not MIME format 8-bit 6541 content. Default is NO. 6542 6543 Feature: strict_mime_encoding_domain=yes/no controls whether 6544 Postfix rejects illegal content transfer encodings for 6545 multipart/* and message/*. This blocks mail from poorly 6546 written software. Default is NO. 6547 654820020527 6549 6550 Feature: "FILTER transport:nexthop" in header/body checks. 6551 After the message is queued, the message is sent through 6552 a content filter. This requires different cleanup servers 6553 before and after the filter, with header/body checks turned 6554 off in the second cleanup server. 6555 655620020528 6557 6558 Feature: strict_7bit_headers and strict_8bitmime_body are 6559 now separately available. To to turn on both, use 6560 strict_8bitmime. 6561 6562 Cleanup: abandon the use of isspace(3) in the parsing of 6563 RFC822 message headers. Files: global/lex_822.h and lots 6564 of little places. 6565 6566 Documentation: replace domain.name by domain.tld in the 6567 example config files. The domain exists. They were getting 6568 mail from poorly configured Postfix boxes. 6569 6570 Bugfix: The Postfix sendmail command did not export the 6571 MAIL_CONFIG environment setting to the postdrop command. 6572 File: global/mail_config.h. 6573 6574 Incompatibility: by default, turn on the PCRE_DOTALL flag, 6575 so that PCRE patterns will match multi-line message headers 6576 without causing pain. Suggested by Michael Tokarev. Also 6577 documented all those darned undocumented PCRE flags in the 6578 pcre_table(5) manual page. Files: util/dict_pcre.c, 6579 proto/pcre_table. 6580 658120020529 6582 6583 Bugfix: mail rejected due to MIME errors was rejected 6584 without proper logging. Files: global/mime_state.c, 6585 cleanup/cleanup_message.c. 6586 658720020531 6588 6589 Bugfix: the SMTP client code that prepends '.' to lines 6590 starting with '.' had to be moved from its old place to 6591 after the MIME output conversion. Problem found by Mark 6592 Martinec. File: smtp/smtp_proto.c. 6593 659420020601 6595 6596 Bugfix: the deliver_pass() routine needed updating for the 6597 extra MIME encoding attribute that was introduced 20020510. 6598 Patch by Sebastian Schaffert @ wastl.net. File: 6599 global/deliver_pass.c. 6600 660120020604 6602 6603 Workaround: Solaris non-blocking read() can fail on a socket 6604 with unread data according to ioctl FIONREAD. Incredible. 6605 Diagnosis by Max Pashkov. File: smtp/smtp-sink.c. 6606 6607 Weird feature: sender-based routing. This will become more 6608 useful once per-address transport map entries are done. 6609 File: src/*qmgr/qmgr_message.c. 6610 661120020605 6612 6613 Safety: header_address_token_limit limits the amount of 6614 memory and CPU that we're willing to spend while parsing 6615 addresses in message headers. The limit is expressed as a 6616 number of tokens. File: global/tok822_parse.c 6617 661820020608 6619 6620 Feature: user@domain transport map lookup, based on code 6621 by Scott Cotton, from several years ago. Adding this code 6622 now was much less painful than it was in the past. Files: 6623 global/strip_addr.c, trivial-rewrite/transport.c. 6624 662520020610 6626 6627 Cleanup: making user@domain transport map lookups work with 6628 sender-based routing was a bit tricky, because the null 6629 address must be handled sensibly. Files: global/resolve_clnt.c, 6630 trivial-rewrite/resolve.c. It ain't perfect yet, but close. 6631 663220020613 6633 6634 Bugfix: postsuper -r was broken as of 20020510. The cleanup 6635 daemon would discard mail with MIME type information. Moved 6636 a bunch of sanity checks from the cleanup daemon to the 6637 pickup daemon, so the checks are in one place. Problem 6638 experienced by Pavol Luptak. Files: pickup/pickup.c, 6639 cleanup/cleanup_extracted.c. 6640 664120020705 6642 6643 Safety: log a warning when a domain is listed in mydestination 6644 and (virtual_maps or virtual_mailbox_maps). This configuration 6645 error causes the Postfix SMTP server to reject recipients 6646 when the local_recipient_maps feature is enabled. File: 6647 smtpd/smtpd_check.c. 6648 6649200207011 6650 6651 Portability: in the master daemon, the default now is to 6652 enable the signal handler code that writes a byte into a 6653 pipe, instead of the signal handler code that sets a global 6654 flag and hopes that select() will somehow wake up. File: 6655 master/master_sig.c. This is needed for some IRIX and 6656 UnixWare versions, but it should also produce a robust 6657 result on all other supported systems. 6658 6659 Performance: the default SMTP connection establishment 6660 timeout is now 30 seconds, instead of the system default 6661 which can be atrociously large. 6662 666320020712 6664 6665 When DNS lookup fails while delivering mail, report not 6666 only the domain name but also the DNS record type. This 6667 should clue in people who ask why Postfix can't find a 6668 domain while nslookup can. File: dns/dns_lookup.c. 6669 667020020713 6671 6672 Bugfix: undo change made at 20020610 that causes the trivial 6673 resolver client to loop when an address consists entirely 6674 of @ and . characters. File: trivial-rewrite/resolve.c. 6675 6676 Cleanup: Postfix no longer strips multiple '.' at the end 6677 of a domain name. One '.' is silently tolerated. Files: 6678 trivial-rewrite/rewrite.c, trivial-rewrite/resolve.c, 6679 global/resolve_local.c. This policy is too distributed. 6680 668120020715 6682 6683 Feature: @domain.tld catch-all map entries for the virtual 6684 mail delivery agent. Files: global/virtual8_maps_find.c, 6685 virtual/mailbox.c, smtpd/smtpd_check.c. 6686 6687 Feature: the virtual mail delivery agent now accepts address 6688 extensions (user+foo@domain.tld), ignores them when looking 6689 up users in its tables, but displays them in Delivered-To: 6690 message headers. File: global/virtual8_maps_find.c. 6691 669220020716 6693 6694 Feature: domain names in a masquerade_domains list can now 6695 be prefixed with !, in order to disable masquerading for 6696 that domain name and for its subdomains. File: 6697 cleanup/cleanup_masquerade.c. 6698 669920020717 6700 6701 Bugfix: Mac OS X niscript (Netinfo) update by Gerben Wierda. 6702 File: auxiliary/MacOSX/niscript. 6703 6704 Feature: The SMTP server reject_unknown_whatever restrictions 6705 now also attempt to look up AAAA (IPV6 address) records. 6706 Jun-ichiro itojun Hagino, IIJ labs. Files: smtpd/smtpd_check.c, 6707 dns/dns_lookup.c. 6708 670920020718 6710 6711 Bugfix: unnecessary lookups for extended addresses by the 6712 virtual8_maps_find() routine. Victor Duchovni. His patch 6713 did not work, nor did my own, but the present version should 6714 be OK. File: global/virtual8_maps_find.c. 6715 671620020719 6717 6718 Workaround: log a warning when an SMTP client name->address 6719 lookup results in a numeric IP address, and set the client 6720 hostname to "unknown". Some gethostbyname() implementations 6721 will actually accept such garbage and thereby allow sites 6722 to defeat the "reject_unknown_client" restriction. Problem 6723 reported by Wolfgang Rupprecht, fix based on analysis (but 6724 not code) by Victor Duchovni. 6725 6726 Bugfix: memory leaks in the LDAP client by Victor Duchovni. 6727 File: util/dict_ldap.c. 6728 6729 Bugfix: garbage in verbose "flush" server logging. Victor 6730 Duchovni. File: flush/flush.c. 6731 673220020723 6733 6734 Incompatibility: smtpd_sasl_local_domain now defaults to 6735 the null string. File: smtpd/smtpd.c, smtpd/smtpd_sasl_glue.c. 6736 673720020726 6738 6739 Documentation: added GDB debugging instructions for sites 6740 that do not have X installed on the Postfix machine. Henrik 6741 Larsson, spambox.dk. 6742 674320020729 6744 6745 Weird: installed RedHat 3.03 inside VMware, and no change 6746 was needed to build Postfix, except to recognize the Linux 6747 version. 6748 6749 Bugfix: some mailers will announce ESMTP features in their 6750 HELO (not EHLO) response. Postfix did not ignore them. 6751 File: smtp/smtp_proto.c. 6752 675320020731 6754 6755 Cleanup: permit_naked_ip_address is unsafe (especially when 6756 used with smtpd_recipient_restrictions) and will go away. 6757 Postfix now logs a warning. File: smtpd/smtpd_check.c. 6758 675920020801 6760 6761 Cleanup: the warning message for matched header/body content 6762 was misleading. File: cleanup/cleanup_message.c. 6763 6764 Safety: moved the "postsuper -r ALL" operation after the 6765 "postsuper -s" check that makes queue file names match 6766 inode numbers. This avoids loss of mail in the unlikely 6767 case that someone runs "postsuper -sr ALL" on a queue that 6768 was copied from another place. 6769 6770 Feature: "postsuper -h" to put mail "on hold" and "postsuper 6771 -H" to release mail that was placed "on hold". This involves 6772 a new queue, which is appropriately named "hold". Files: 6773 postsuper/postsuper.c, showq/showq.c. 6774 677520020803 6776 6777 Feature: when a Delivered-To: mail delivery loop is detected, 6778 send the bounce to the mailing list owner. This required 6779 changes to the local delivery agent, a new bounce client 6780 stub, and a new bounce server stub and support routines 6781 for one recipient bouncing. Files: local/recipient.c, 6782 global/bounce_log.c, global/bounce.c, bounce/bounce.c, 6783 bounce/bounce_notify_util.c, bounce/bounce_one_service.c. 6784 678520020809 6786 6787 Bugfix: the 20020531 bugfix could prepend '.' to lines when 6788 it shouldn't (but only when converting 8-bit mail to 7-bit). 6789 Problem experienced by Ralf Hildebrandt. File: 6790 smtp/smtp_proto.c. 6791 6792 Bugfix: smtpd_sender_login_maps did not do the @domain etc. 6793 wild-card lookups that were promised. Problem experienced 6794 by Sven Michels. File: smtpd/smtpd_check.c. 6795 679620020810 6797 6798 Feature: new smtp-sink command-line options to specify the 6799 SMTP hostname, to disable ESMTP protocol support, to disable 6800 8BITMIME support, and to syslog selected commands. File: 6801 smtpstone/smtp-sink.c. 6802 680320020814 6804 6805 Feature: the queue manager now warns when mail for some 6806 destination is piling up in the active queue, and suggests 6807 a variety of remedies. The qmgr_clog_warn_time parameter 6808 controls the time between warnings, mainly so that I could 6809 test the code. To disable these warnings, specify 6810 "qmgr_clog_warn_time = 0". Files: *qmgr/qmgr_entry.c. 6811 681220020815 6813 6814 Paranoia: truncate the DNS response length result value in 6815 case it is larger than the result buffer length (the resolver 6816 documentation is vague about this). File: dns/dns_lookup.c. 6817 681820020816 6819 6820 Cleanup: "postqueue -f" now also triggers delivery of mail 6821 in the maildrop directory. This is needed when the master 6822 does not frequently wake up the pickup service. Files: 6823 global/mail_flush.c, postqueue/postqueue.c. 6824 682520020818 6826 6827 Cleanup: the qmgr_site_hog_factor feature is gone (defer 6828 mail if a site uses up too much space in the active queue). 6829 Instead, the qmgr_clog_warn_time feature provides better 6830 solutions. File: qmgr/qmgr_message.c. 6831 683220020819 6833 6834 Feature: new header/body_checks HOLD pattern that causes 6835 mail to be placed on the "hold" queue for manual inspection. 6836 Files: global/hold_message.[hc], cleanup/cleanup_message.c. 6837 683820020820 6839 6840 Bugfix: yesterday's HOLD pattern code did not update the 6841 cleanup server's idea of the queue file name for error 6842 recovery and for error reporting purposes, so that incomplete 6843 or content rejected mail would not be deleted from the 6844 queue, and so that the bouncer would not find the queue 6845 file. 6846 6847 Bugfix: the #ifdef that detects too old LDAP libraries was 6848 in the wrong place. Victor Duchovni. File: util/dict_ldap.c. 6849 6850 Feature: new header/body_checks DISCARD pattern that causes 6851 mail to be silently discarded. Files: global/cleanup_user.h, 6852 cleanup/cleanup_message.c, cleanup/cleanup_api.c. 6853 6854 Bugfix: the local delivery agent's mailbox duplicate delivery 6855 eliminator was not updated in the days that address extensions 6856 were added to Postfix. The other local duplicate eliminators 6857 probably need revision as well. File: local/mailbox.c. 6858 685920020821 6860 6861 Feature: HOLD and DISCARD actions in SMTPD access tables. 6862 These requests are propagated to the cleanup daemon. Files: 6863 cleanup/cleanup_envelope.c smtpd/smtpd_check.c. 6864 6865 Cleanup: eliminate unnecessary references to the obsolete 6866 program_directory configuration parameter (but keep the 6867 parameter so as to not break existing installations). 6868 Matthias Andree, many little changes in documentation. 6869 687020020822 6871 6872 Bit Rot: OpenLDAP incompatible change with URL parsing. 6873 Patches by Will Day, Georgia Tech, and Carsten Hoeger, 6874 SUSE. File: util/dict_ldap.c. 6875 687620020823 6877 6878 Bugfix: added a missing memset() call to wipe the lookup 6879 key in dict_db_delete(). This is needed by some Berkeley 6880 DB implementations. Patch by Katsu Yamamoto, Fujitsu. 6881 6882 Bugfix: when permit_mx_backup is unable to make a decision 6883 due to DNS problems, set the "defer if reject" flag so that 6884 other restrictions will not cause mail to be rejected. 6885 File: smtpd/smtpd_check.c. 6886 6887 Feature: instead of giving up immediately after DNS failure, 6888 turn on the "defer_if_permit" flag when reject_unknown_hostname, 6889 reject_unknown_sender_domain or reject_unknown_recipient_domain 6890 are unable to make a decision, and see if any subsequent 6891 restrictions would still cause the mail to be rejected. 6892 File: smtpd/smtpd_check.c. 6893 6894 Feature: "FILTER transport:nexthop" is now also available 6895 in SMTPD access tables. 6896 689720020826 6898 6899 Workaround: HP-UX 11 accept() fails with ENOBUFS when the 6900 client disconnects early. File: sane_accept.c. 6901 690220020901 6903 6904 Cleanup: postfix-install no longer installs all the manual 6905 pages under $POSTFIXSOURCE/man, so we can generate manual 6906 pages for smtp-sink etc. File: man/Makefile.in. 6907 690820020903 6909 6910 Bugfix: the rmail script should have been updated when 6911 Postfix sendmail was changed to recognize `.' as the end 6912 of input. Problem fix by Christian Kratzer, cksoft.de. 6913 File: auxiliary/rmail/rmail. 6914 6915 Feature: specify "maximal_queue_lifetime = 0" for mail that 6916 should be returned immediately after the first unsuccessful 6917 delivery attempt. Files: qmgr/qmgr.c, nqmgr/nqmgr.c. 6918 691920020904 6920 6921 Bugfix: qmail compatibility: qmqpd should support any 6922 character at the end of the VERP prefix in prefix@host-@[]. 6923 Based on a patch by LaMont Jones, HP. 6924 692520020905 6926 6927 Feature: "smtpd_data_restrictions = reject_unauth_pipelining" 6928 blocks mail from SMTP clients that send message content 6929 before Postfix has replied to the DATA command. File: 6930 smtpd/smtpd.c, smtpd/smtpd_check.c. 6931 6932 Bugfix: the LDAP client dumped core in verbose mode. 6933 Reported by Will Day and others. File: util/dict_ldap.c. 6934 693520020906 6936 6937 Cleanup: dict_regexp module speedups by avoiding unnecessary 6938 substring overhead while matching strings. Based on a 6939 suggestion by Liviu Daia. This involved major rewriting of 6940 the regexp map code. File: util/dict_regexp.c. 6941 694220020907 6943 6944 Feature: IF..ENDIF support based on code by Bert Driehuis. 6945 This involved a further rewrite of the regexp map code. 6946 File: util/dict_regexp.c. 6947 6948200209010 6949 6950 Bugfix: the SMTP client produced suprious warnings about 6951 trouble with fallback_relay hosts. File: smtp/smtp_connect.c. 6952 6953 Robustness: don't wait with detecting broken SMTP connections 6954 until reading input. Leandro Santi. File: smtpd/smtpd_chat.c. 6955 6956200209011 6957 6958 Workaround: IRIX 6 can't do ioctl FIONREAD on pipes. This 6959 breaks the in_flow_delay feature. File: util/sys_defs.h. 6960 696120020912 6962 6963 Bugfix: canonical/virtual mapping core dump with a null 6964 right-hand side address. Report by Jussi Silvennoinen. 6965 File: global/mail-addr_crunch.c. 6966 6967 Feature: IF..ENDIF support based on code by Bert Driehuis. 6968 This involved a rewrite of the pcre map code similar to 6969 the regexp map code. File: util/dict_pcre.c. 6970 697120020917 6972 6973 Feature: on Linux, support for PCRE lookup tables is now 6974 compiled in if the PCRE library code is found under 6975 /usr/include and /usr/lib. File: makedefs. 6976 697720020918 6978 6979 Documentation: postsuper(1) did not document the -c option. 6980 6981 Bugfix: possible longjump() before setjmp(). File: 6982 smtpd/smtpd.c. 6983 6984 Bugfix: pickup should not preserve INSPECT or FILTER records 6985 from "postsuper -r". File: pickup/pickup.c. 6986 698720020919 6988 6989 Feature: "reject_rbl <domain>" for client address blacklisting 6990 by LaMont Jones, including $name expansion for per-domain 6991 customized response messages. The obsolete reject_maps_rbl 6992 is now a wrapper that uses the new code. 6993 699420020921 6995 6996 Internal: added caching and factored out common code that 6997 will be used for both reject_rbl and for the upcoming 6998 reject_rhsbl restriction. 6999 700020020922 7001 7002 Feature: "reject_rhsbl <domain>" for sender domain 7003 blacklisting. Provides the same per-domain customized 7004 response message mechanisms with $name expansion as 7005 reject_rbl. 7006 7007 Safety: the smtpd_expansion_filter parameter controls what 7008 characters are allowed in the expansion of $name macros in 7009 template RBL responses. 7010 7011 Cleanup. In order to make sensible warnings possible when 7012 expanding a non-existent $name in RBL reply templates, 7013 mac_expand() had to be changed so that an empty string 7014 result (i.e. the name does exist) will no longer cause 7015 ${name?text} to succeed. File: util/mac_expand.c. 7016 701720020923 7018 7019 Cleanup. Renamed the RBL features according to a scheme 7020 that was suggested by Liviu Daia in October 2001. The names 7021 are reject_rbl_client and reject_rhsbl_sender, respectively. 7022 Added domain name based reject_rhsbl_client and 7023 reject_rhsbl_recipient restrictions for completeness. The 7024 reject_rbl restriction name is still recognized for 7025 compatibility with systems maintained by LaMont Jones. 7026 702720020924 7028 7029 Bugfix: reject_rhsbl_<mumble> was broken when <mumble> was 7030 unavailable, causing the restrictions parser to get out if 7031 sync. Spotted by Ralf Hildebrandt. File: smtpd/smtpd_check.c. 7032 703320020928 7034 7035 Bugfix: missing %s in the 20020923 RBL code. This was not 7036 exploitable because Postfix implements only a safe subset 7037 of all printf format operators and because memory for the 7038 result is dynamically allocated. Victor Duchovni. File: 7039 smtpd/smtpd_check.c. 7040 704120020929 7042 7043 Updated MacOSX support scripts from Gerben Wierda. Files: 7044 auxiliary/MacOSX/*. 7045 704620021009 7047 7048 Bugfix: SIZE errors should be reported at MAIL FROM time, 7049 and should not be postponed (with smtpd_delay_reject = yes) 7050 until RCPT TO time. Reported by Jeroen Scheerder, Utrecht 7051 University. Files: smtpd/smtpd.c smtpd/smtpd_check.c. 7052 705320021013 7054 7055 When Postfix development started, Linux mail delivery 7056 software such as procmail did not use kernel locks, and 7057 Postfix picked one that seemed plausible, namely, flock(). 7058 In the mean time, Linux mail delivery software seems to 7059 have standardized on fcntl() locks. File: util/sys_defs.h. 7060 7061 Feature: body_checks_size_limit parameter to specify how 7062 much of a message body segment (or attachment, if you prefer 7063 to use that term) is subjected to body_checks inspection. 7064 Default limit: 50 kbytes. Files: global/mime_state.c, 7065 cleanup/cleanup_message.c. 7066 706720021015 7068 7069 Bugfix: the code for missing postmaster/mailer-daemon 7070 aliases had to be moved after the code that implements the 7071 luser_relay feature. Files: local/alias.c, local/unknown.c. 7072 7073 Weird? The LMTP client lowercased the MAIL FROM and RCPT 7074 TO addresses. Some remnant of code that someone put in 7075 there long ago. File: lmtp/lmtp_proto.c. 7076 707720021024 7078 7079 Feature: proxy_interfaces parameter. Specify your NAT or 7080 other proxy addresses here to avoid mail delivery loops. 7081 Files: global/mail_params.[hc] global/own_inet_addr.[hc] 7082 global/resolve_local.c smtp/smtp_addr.c smtpd/smtpd_check.c. 7083 7084 Paranoia: defend against a very unlikely false alarm in 7085 safe_open(). 7086 708720021025 7088 7089 Feature: X-Original-To: message headers with the raw original 7090 envelope recipient. 7091 7092 Logging: status=sent/deferred/bounced/ logging now includes 7093 the original recipient address if it differs from the final 7094 address. 7095 709620021026 7097 7098 Logging: SMTP UCE reject/warn/hold/discard logging now 7099 includes queue ID. This will break some logfile analyzers. 7100 7101 Logging: SMTP UCE reject/warn/hold/discard logging now 7102 includes the protocol name and, if available, the hostname 7103 given in the SMTP HELO or EHLO command. 7104 7105 Logging: header/body_checks reject/warn/hold/discard logging 7106 now includes the protocol name and, if available, the 7107 hostname given in the SMTP HELO or EHLO command. 7108 710920021028 7110 7111 Bugfix: don't reset state after rejected EHLO. Reset state 7112 after HELO. Reported by Karthikeyan Bhargavan, upenn.edu. 7113 Files: smtpd/smtpd.c. 7114 711520021029 7116 7117 Bugfix: local(8) did not prepend an X-Original-To: message 7118 header while delivering to command, and local(8) did not 7119 document the X-Original-To: message header. 7120 7121 Workaround: DJBDNS produces a bogus A record when given a 7122 numerical hostname. File: dns/dns_lookup.c. 7123 712420021030 7125 7126 Portability: support for Berkeley DB version 4.0 but not 7127 for Berkeley DB version 4.1 (yes, the API is different). 7128 Postfix is now going to be paranoid about the minor version 7129 number, too. File: util/dict_db.c. 7130 7131 Documentation: updated LMTP_README file by Amos Gouaux. 7132 713320021031 7134 7135 Bugfix: (bug introduced 20021026) log NOQUEUE when rejecting 7136 ETRN, instead of trying to log a non-existent queue ID. 7137 Victor Duchovni, Morgan Stanley. File: smtpd/smtpd_check.c. 7138 7139 Cleanup: allow optional text after commands in SMTPD access 7140 maps. Based on initial effort by Victor Duchovni, Morgan 7141 Stanley. File: smtpd/smtpd_check.c. 7142 7143 Portability: support for Berkeley DB version 4.1. This 7144 version refuses to open zero-length files. This complicates 7145 lock management and requires extra code to remove broken 7146 files. Files: util/dict_db.c, global/mkmap*.[hc]. 7147 714820021101 7149 7150 Bugfix: don't complain about out-of-order original recipient 7151 records for finished recipients. Files: *qmgr/qmgr_message.c, 7152 cleanup/cleanup_envelope.c, cleanup/cleanup_extracted.c. 7153 7154 Cleanup: further simplified the mkmap wrapper (used by 7155 postmap and postalias only) to remove some hurdles for 7156 Michael Tokarev's CDB support. Files: global/mkmap*.[hc]. 7157 715820021105 7159 7160 Postalias now produces YP_LAST_MODIFIED and YP_MASTER_NAME 7161 records only when NIS support is compiled in. File: 7162 postalias.c. 7163 716420021106 7165 7166 Postalias now puts $myhostname in the YP_MASTER_NAME record, 7167 instead of the possibly bogus gethostname() result. File: 7168 postalias.c. 7169 7170 The PCRE map code did not reject non-numeric replacement 7171 indices in replacement text, and silently treated $text as 7172 $0. Found by Michael Tokarev. File: dict_pcre.c. 7173 717420021108 7175 7176 Cleanup: the behavior of the SMTP server's defer_if_permit 7177 flag was changed, in order to maximize the opportunity to 7178 permanently reject mail without opening opportunities for 7179 losing legitimate mail. This was done in cooperation with 7180 Victor Duchovni, Morgan Stanley. File: smtpd/smtpd_check.c. 7181 7182 The defer_if_permit flag is still set when an UCE reject 7183 restriction fails due to a temporary (e.g., DNS) problem, 7184 to prevent unwanted mail from slipping through. However, 7185 the flag is no longer tested at the end of client, helo or 7186 sender restrictions. Instead, the flag is now tested at 7187 the end of the ETRN and recipient restrictions only. 7188 7189 The behavior of the warn_if_reject restriction has changed. 7190 It no longer activates any already made defer_if_permit or 7191 defer_if_reject decisions (the defer_if_reject flag is set 7192 when some UCE permit restriction fails due to a temporary 7193 (DNS) problem, to avoid loss of legitimate mail). 7194 7195 Bugfix: instead of setting the defer_if_permit flag, a 7196 failing reject restriction after warn_if_reject now merely 7197 logs that it would have caused mail to be deferred. 7198 7199 A failing permit restriction after warn_if_reject still 7200 raises the defer_if_reject flag, to avoid loss of legitimate 7201 mail. 7202 720320021109 7204 7205 Bugfix: a misguided change to the .forward macro expansion 7206 filter broke .forward file lookup. 7207 7208 Bugfix: missing defer_if_permit test in smtpd_data_restrictions. 7209 Victor Duchovni. File: smtpd/smtpd_check.c. 7210 721120021112 7212 7213 Robustness: increase the mime_nesting_limit from 20 to 100, 7214 so that bounces can't loop. Each bounces increases the MIME 7215 nesting level by one. Ralf Hildebrandt and Victor Duchovni. 7216 721720021113 7218 7219 Robustness: reinstated SMTP client command flushing to 7220 avoid pipeline stalls. File: smtp/smtp_chat.c. 7221 722220021114 7223 7224 Robustness: distinguish between timeout and "lost connection" 7225 when the SMTP server is unable to send a reply to the remote 7226 client. File: smtpd/smtpd_chat.c. 7227 722820021115 7229 7230 Bugfix: initialization error with "*" transport table 7231 lookup, reported by LaMont Jones. The transport map lookup 7232 code had grown into a monster and needed to be replaced. 7233 trivial-rewrite/transport.c. 7234 723520021115 7236 7237 Start implementing recipient verification. For now this is 7238 done by adding trace flags to queue files. In case of a 7239 verification request, a delivery agent does not deliver, 7240 deliver, it just records what would happen. 7241 7242 This required instrumenting the bounce/defer/sent logging 7243 routines to send their data to the right place depending 7244 on the type of delivery request. 7245 724620021116 7247 7248 New trace service. This is used for reporting if a recipient 7249 is deliverable (sendmail -bv) and for producing a record 7250 of delivery attempts (sendmail -v). The report is sent via 7251 email, using the bounce daemon. Files: global/trace.[hc]. 7252 7253 This required replacing the bounce/defer logfile format by 7254 an extensible name=value format. Files: global/bounce_log.c, 7255 bounce/bounce_append_service.c. 7256 725720021117 7258 7259 New address verification service with simple expiration 7260 and refresh policy. Storage can be in-core or in permanent 7261 table. The daemon is appropriately called "verify". Files: 7262 global/verify_clnt.[hc], verify/verify.c. 7263 726420021118 7265 7266 Cleaning up the code for tracing and verification. Files: 7267 global/{log_adhoc,bounce,defer,trace,verify}.[hc]. 7268 726920021119 7270 7271 New address_verification_negative_cache = yes/no parameter 7272 controls whether Postfix stores the result of negative 7273 address verification probes. This reduces cache pollution 7274 but causes Postfix to send a probe for each address 7275 verification service query. File: verify/verify.c. 7276 7277 Added optimistic caching to the verify daemon, so that one 7278 failed probe will not clobber a known to be good address. 7279 As long as some probes succeeed, a good address will stay 7280 cached as OK. 7281 7282 Cleaning up of the bounce daemon's code for bounce, delayed 7283 mail warning and trace notification. Files: bounce/*.[hc], 7284 global/bounce_log.c. 7285 728620021120 7287 7288 Changed the probe's sender address to "postmaster" so that 7289 we get better information about the address we're testing. 7290 File: verify/verify.c. 7291 7292 Added some paranoia to the routine that reads data from 7293 the address verification cache. Ignore data that is obviously 7294 bogus. File: verify/verify.c. 7295 729620021121 7297 7298 Bugfix: garbage in "user@garbage"@domain address forms may 7299 cause the SMTP or LMTP client to terminate with a fatal 7300 error exit because garbage/tcp is not an existing service. 7301 This cannot be abused to cause the SMTP or LMTP client to 7302 send data into unauthorized ports. Files: *qmgr/qmgr_message.c, 7303 trivial-rewrite/resolve.c. 7304 730520021124 7306 7307 Bugfix: don't use same VSTRING buffer for reading and 7308 writing. File: verify/verify.c. 7309 731020021128 7311 7312 Feature: hashed hold queue support, with hashing turned on 7313 by default. Omission spotted by Victor Duchovni, Morgan 7314 Stanley. Files: global/hold_message.c, global/mail_params.h. 7315 7316 Bugfix: the LMTP client lost the port(service) information 7317 when parsing host:port information. Victor Duchovni, Morgan 7318 Stanley. Fix is to have a new host_port(3) module that does 7319 the parsing for the SMTP and LMTP clients. 7320 7321 Cleanup: host_port() routine that parses host/port information 7322 more consistently than the existing code in the LMTP and 7323 SMTP clients. Files: smtp/smtp_connect.c, lmtp/lmtp_connect.c, 7324 util/host_port.[hc]. 7325 732620021130 7327 7328 Cleanup: defer mail when recipient verification takes too 7329 long. File: smtpd/smtpd_proto.c. 7330 7331 Feature: new reject_multi_recipient_bounce restriction, to 7332 reject "MAIL FROM: <>" with multiple recipients. File: 7333 smtpd/smtpd_check.c. 7334 733520021201 7336 7337 Compatibility: ignore the new Sendmail -A option. File: 7338 sendmail/sendmail.c. 7339 7340 Workaround: sendmail -v now produces no output. You need 7341 to specify -v -v instead. This is to avoid problems when 7342 people request verbose mail delivery in their mail.rc file. 7343 File: sendmail/sendmail.c. 7344 734520021202 7346 7347 Cleanup: hash_queue_depth now defaults to 1 level of 7348 subdirectories. This makes "mailq" faster on most systems, 7349 but will result in poorer worst-case performance when lots 7350 of mail is queued. 7351 7352 The check_relay_domains restriction is going away. The SMTP 7353 server logs a warning and suggests using reject_unauth_destination 7354 instead. 7355 7356 Cleanup: the local(8) and virtual(8) delivery agents did 7357 not prepend X-Original-To: addresses to maildir files. 7358 Omission spotted by Matthias Andree. 7359 7360 Specify "address_verify_sender=" or "address_verify_sender=<>" 7361 to use a null sender address while doing address verification 7362 probes. Beware, doing so may trigger false negatives 7363 because some sites reject mail from the null sender, even 7364 though this is required by RFC standards. 7365 7366 Bugfix: too many levels of dereferencing while testing for 7367 missing reject_rbl_mumble domain names. Patrik Rak. File: 7368 smtpd/smtpd_check.c. 7369 737020021203 7371 7372 Bugfix: the FILTER access table action included the FILTER 7373 command in the filter request, where only the transport+destination 7374 were expected. Noel Jones. File smtpd/smtpd_check.c. 7375 7376 Cleanup: virtual_maps is now called virtual_alias_maps, in 7377 order to better distinguish it from virtual_mailbox_maps. 7378 The default value is $virtual_maps for backwards compatibility. 7379 7380 New parameters virtual_alias_domains and virtual_mailbox_domains 7381 for the "domain.tld whatever" lookups. These use the same 7382 syntax as the mydestination parameter. Default settings 7383 are backwards compatible with Postfix 1.1. 7384 7385 Concept: just like $mydestination+$inet_interfaces control 7386 what routes to $local_transport, $virtual_mailbox_domains 7387 now controls what routes to $virtual_transport (default 7388 transport: virtual), and $relay_domains now controls what 7389 routes to $relay_transport (default transport: relay, a 7390 clone of the smtp transport). Everything else routes to 7391 $default_transport as before. This eliminates the need 7392 for transport map entries for every virtual(8) domain, and 7393 avoids performance problems with inbound relay mail. This 7394 was improvement was suggested by Victor Duchovni. File: 7395 trivial-rewrite/resolve.c. 7396 739720021206 7398 7399 Cleanup: do allow regexps in aliases, virtual mailbox maps 7400 but do not allow regular expression substitutions. Files: 7401 util/dict.h, util/dict_regexp.c, util/dict_pcre.c. 7402 740320021207 7404 7405 Cleanup: deleted the description of sendmail-style virtual 7406 domains from the virtual(5) manual page. This part of 7407 Postfix was too confusing. 7408 7409 Performance: RFC 2821 blesses the use of CNAME domain names 7410 in MAIL FROM and RCPT TO. Not having to expand CNAME domain 7411 names speeds things up a bit. File: smtp/smtp_proto.c. 7412 7413 Workaround: exclude error mailer destinations from transport 7414 mapping lookups :-(. File: trivial-rewrite/resolve.c. 7415 7416 Cleanup: relocated_maps lookups are now moved to the 7417 trivial-rewrite server. As of now, the queue manager no 7418 longer does any map lookups, so it won't restart when maps 7419 change. Files: *qmgr/qmgr_message.c, trivial-rewrite/resolve.c. 7420 7421 Robustness: because the trivial-rewrite server now does 7422 many more table lookups, some of which are often LDAP or 7423 SQL based, trivial-rewrite clients must be be prepared for 7424 the case that the resolver reports a failure while processing 7425 a request (when it was unable to access a lookup table). 7426 Files: trivial-rewrite/resolve.c, local/resolve.c, 7427 smtpd/smtpd_check.c. 7428 7429 Robustness: moving possible LDAP or SQL table lookups into 7430 the trivial-rewrite server also required that trivial-rewrite 7431 be running as multiple processes to reduce lookup latencies. 7432 Files: master/multi-server.c. 7433 7434 Workaround: don't discard all the DNS lookup results when 7435 only one of the results has a malformed name or address. 7436 File: dns/dns_lookup.c. 7437 743820021208 7439 7440 Cleanup: with the preliminary address domain classification 7441 concept as implemented by the trivial-rewrite address 7442 resolver, a lot of table lookups could be eliminated from 7443 the SMTP server. Files: smtpd/smtpd_check.c. 7444 7445 Feature: new relay_recipient_maps parameter, for optional 7446 maps with all the recipients in the domains that match 7447 $relay_domains (so you can reject mail for unknown relay 7448 recipients). This is for consistency with virtual_xx_maps 7449 and virtual_xx_domains, and with local_recipient_maps and 7450 the local delivery agent. File: smtpd/smtpd_check.c. 7451 7452 Cleanup: removed support for obsolete #number domain forms. 7453 File: smtpd/smtpd_check.c. 7454 745520021209 7456 7457 The Postfix installation procedure no longer sets the 7458 "chattr +S" bit on Linux queue directories. Wietse has 7459 gotten too annoyed with naive reviewers who complain about 7460 performance without having a clue of what they are comparing. 7461 7462 "Security": local_recipient_maps is now turned on by default, 7463 to reject mail for non-existent users at the SMTP port. 7464 See conf/main.cf for instructions, section REJECTING UNKNOWN 7465 LOCAL USERS. 7466 7467 Safety: detection of missing or inaccessible passwd file 7468 database, to prevent massive complaints from people who 7469 suddenly lose all their mail because local_recipient_maps 7470 is now turned on by default. 7471 747220021210 7473 7474 Feature: recipient address verification, using the code 7475 that already implements sender address verification. Based 7476 on suggestion by Matthias Andree. Files: src/smtpd/smtpd.c, 7477 src/smtpd/smtpd_check.c. 7478 747920021211 7480 7481 Performance: doubled the default process limit (50->100) 7482 and default queue manager active queue message/recipient 7483 limits (10k->20k). File: global/mail_params.h. 7484 7485 Bugfix: the change that begot us multiple trivial-rewrite 7486 processes (good) also gave us multiple verify daemons (bad). 7487 File: conf/post-install. 7488 748920021212 7490 7491 Cleanup: allow transport map lookups to override error 7492 mailer results (to avoid breaking existing installations), 7493 and do transport map lookups before relocated map lookups. 7494 Files: trivial-rewrite/resolve.c, trivial-rewrite/transport.c. 7495 7496 Shortened the verify server's negative cache refresh time 7497 from 12 hours to 2 hours. File: global/mail_params.h. 7498 7499 Admin friendliness: the SMTP server now reports "User 7500 unknown in {local recipient | virtual alias | virtual 7501 mailbox | relay recipient} table". This will make trouble 7502 shooting a little easier. Files: smtpd/smtpd_check.c, 7503 trivial-rewrite/resolve.c. 7504 750520021213 7506 7507 Cleanup: transport map entries with null nexthop ignored 7508 relayhost settings. Making the code simpler also made it 7509 more correct. Files: trivial-rewrite/resolve.c, 7510 trivial-rewrite/transport.c. 7511 7512 Feature: "helpful_warnings" (default: yes) that can be 7513 turned off if you really know what you're doing and want 7514 to eliminate some unnecessary work. 7515 7516 Feature: enforcement of master.cf process limits for 7517 processes such as qmgr and pickup that must run alone, and 7518 processes such as cleanup and bounce that must run without 7519 explicit process count limit. If an incorrect process limit 7520 is specified in master.cf the service aborts. 7521 752220021214 7523 7524 Cleanup: it looks like we finally get it right with transport 7525 lookup table entries that either override or specify an 7526 error transport without updating the nexthop information. 7527 File: trivial-rewrite/resolve.c. 7528 7529 Robustness: don't probe the sender address when probed for 7530 our own address verification probe sender address. File: 7531 smtpd/smtpd_check.c. 7532 7533 Performance: don't do UCE checks (which may result in 4xx 7534 SMTP reply codes, and thus, repeated delivery attempts) 7535 when we already know that the recipient does not exist. 7536 Files: smtpd/smtpd.c, smtpd/smtpd_check.c. 7537 753820021215 7539 7540 Cleanup: further simplification of transport map handling 7541 after some really fine hair splitting with Victor Duchovni. 7542 Files: trivial-rewrite/resolve.c, trivial-rewrite/transport.c. 7543 754420021216 7545 7546 Workaround: transform the address local-part into unquoted 7547 form only when the address domain is local and the local-part 7548 contains routing operators. Otherwise, we may damage the 7549 address local-part by inserting space between non-operator 7550 tokens. Some people use weird addresses and expect them to 7551 be handled without damage. File: trivial-rewrite/resolve.c. 7552 7553 Robustness: scan the resolved recipient address for routing 7554 operators in the address local-part, even when the local 7555 MTA does not recognize ! and % as valid operators. File: 7556 trivial-rewrite/resolve.c. 7557 7558 Cleanup: the address rewriting code no longer tries to 7559 rewrite broken user@ or user@. address forms into even more 7560 broken forms. bother. File: trivial-rewrite/rewrite.c. 7561 7562 Cleanup: the address resolver code now treats forms ending 7563 in @ in a more rational manner (because the address rewriting 7564 code no longer messes up by appending .my.domain). 7565 7566 Bugfix: a null address local-part before @domain now is 7567 properly quoted just like the null address. File: 7568 global/quote_82[12]_local.c. 7569 757020021217 7571 7572 Cleanup: more work on the trivial-rewrite address rewriting 7573 and address resolving code. New regression tests for address 7574 rewriting and resolving that make some assumptions about 7575 main.cf settings. Files: global/Makefile.in (assumptions), 7576 global/rewrite_clnt.in, global/rewrite_clnt.ref, 7577 global/resolve_clnt.in, global/resolve_clnt.ref. 7578 7579 Safety: configurable SMTPD reject codes for recipients not 7580 in {local,relay}_recipient,virtual_{alias,mailbox}}_maps, 7581 aptly named unknown_mumble_reject_code. Postfix installs 7582 with unknown_local_recipient_reject_code=450, unless the 7583 site already ran Postfix with local_recipient_maps enabled. 7584 Files: smtpd/smtpd.c, smtpd/smtpd_check.c, conf/post-install. 7585 758620021218 7587 7588 Feature: specify unverified_recipient_reject_code=250 or 7589 unverified_sender_reject_code=250 to accept mail for an 7590 address that is known to bounce. File: smtpd/smtpd_check.c. 7591 759220021219 7593 7594 Bugfix: longjmp() while sending "go away" without setjmp() 7595 in the QMQP server. Patrik Rak. File: qmqpd/qmqpd.c. 7596 7597 Safety: the XVERP extension is restricted to clients listed 7598 in the authorized_verp_clients list (default: $mynetworks). 7599 File: smtpd/smtpd.c. 7600 7601 Workaround: preliminary IPV6 support in valid_hostliteral(). 7602 File: util/valid_hostname.c. 7603 760420021220 7605 7606 Bugfix: the reject_multi_recipient_bounce restriction had 7607 an off-by-one error when used in smtpd_data_restrictions. 7608 File: smtpd/smtpd_check.c. 7609 7610 Feature: new check_recipient_maps restriction that gives 7611 finer control over when unknown recipients are rejected. 7612 As with Postfix 1.1, the default is to do this at the end 7613 of the recipient restrictions. Sites that want to improve 7614 performance can put check_recipient_maps at the start of 7615 the smtpd_client_restrictions list and avoid doing unnecessary 7616 RBL lookups etc. File: smtpd/smtpd_check.c. 7617 7618 Feature: new show_user_unknown_recipient_table parameter 7619 controls whether or not to reveal the lookup table name in 7620 "User unknown" responses. The extra detail makes trouble 7621 shooting easier but also reveals information that is nobody 7622 elses business. 7623 762420021221 7625 7626 Workaround: don't allow the transport map to override the 7627 virtual alias class (error:User unknown) result. File: 7628 trivial-rewrite/transport.c. 7629 763020030101 7631 7632 Documentation update: new-style virtual domains broke the 7633 advanced content filtering example. Files: FILTER_README, 7634 RELEASE_NOTES-2.0. 7635 763620030102 7637 7638 Cleanup: use different client instances when the same map 7639 is opened with different flags. File: global/maps.c. 7640 7641 Feature: proxymap server for Postfix table lookups. This 7642 helps to consolidate the number of open lookup tables (such 7643 as MYSQL or LDAP), or to overcome chroot restrictions 7644 (example: specify proxy:unix:passwd.byname to avoid the 7645 need for a copy of the UNIX passwd file in chroot jails). 7646 Files: global/dict_proxy.[hc], proxymap/proxymap.c 7647 7648 Cleanup: multiservers such as trivial-rewrite and the new 7649 proxymap server now enforce the max_use total client number 7650 limit more agressively, by not accepting new connections 7651 after the limit is reached. Based on a patch by Victor 7652 Duchovni, Morgan Stanley. File: master/multi_server.c. 7653 765420030103 7655 7656 Cleanup: client stream endpoints not only have an idle time 7657 limit ($ipc_idle) before a connection is closed, they now 7658 also have a time to live ($ipc_ttl) to prevent connections 7659 from becoming too persistent. This allows multi-servers 7660 such as trivial-rewrite or the proxymap server to refresh 7661 more frequently on busy systems. File: global/clnt_stream.c. 7662 766320030104 7664 7665 Cleanup: avoid warnings about flag mismatches when the same 7666 lookup table is listed under both virtual_alias_maps and 7667 virtual_mailbox_maps. Files: global/virtual8.h, virtual/virtual.c. 7668 7669 Bugfix: an obscure memory leak that puzzled me for more 7670 than a year until I found out how to reproduce it. File: 7671 util/vstream.c. 7672 767320030105 7674 7675 Cleanup: removed the address syntax check from the queue 7676 manager, since a better test was implemented recently in 7677 the trivial-rewrite server. Files: *qmgr/qmgr_message.c. 7678 7679 Bugfix: redirect bounce/defer to the address verification 7680 service where appropriate. Files: *qmgr/qmgr_bounce.c, 7681 *qmgr/qmgr_defer.c. 7682 7683 Bugfix: "no such file or directory" warnings after "postfix 7684 reload" when a chrooted smtpd reconnects to the proxy 7685 service. Fix: use "private/proxymap" if possible, otherwise 7686 use "$queue_dir/private/proxymap". File: global/dict_proxy.c. 7687 7688 Robustness: daemons now chdir() to the queue directory 7689 before running the pre-jail initialization code, so that 7690 daemons running in stand-alone mode produce more consistent 7691 results. Files: master/single_server.c, master/multi_server.c. 7692 master/trigger_server.c. 7693 7694 Bugfix: "sendmail -bs" tried to access the proxymap service. 7695 It should not try to open any user/domain/uce related tables 7696 at all. File: smtpd/smtpd.c. 7697 769820030106 7699 7700 Bugfix: bouncing to owner-alias was broken, i.e. the mail 7701 kept being deferred, and when that was fixed, another buglet 7702 came to light. File: bounce/bounce.c. 7703 7704 Robustness: the master no longer aborts with "address 7705 already in use" when inet_interfaces specifies the same IP 7706 address multiple times, or when a TCP service in master.cf 7707 specifies a hostname for which the same IP address is listed 7708 multiple times. File: master/master_ent.c. 7709 771020030107 7711 7712 Robustness: check that FILTER actions in SMTPD access maps 7713 or cleanup header/body_checks have plausible syntax. Files: 7714 smtpd/smtpd_check.c, cleanup/cleanup_message.c. 7715 771620030109 7717 7718 Cleanup: unnecessary "premature end of file on xxx while 7719 reading yyy" warnings became exposed after some code 7720 simplification. Files" global/*_clnt.c, global/dict_proxy.c 7721 7722 Robustness: undo the change that causes a multi-server 7723 process to stop accepting new connections while it still 7724 services existing clients for an extended amount of time. 7725 We need a better process retirement strategy. File: 7726 master/multi_server.c. 7727 772820030110 7729 7730 Cleanup: the virtual_mailbox_maps parameter is now optional 7731 even when virtual_mailbox_domains is. This makes virtual 7732 mailbox domains more like relay domains and the local 7733 domain. 7734 7735 Portability: the makedefs script now uses the pcre-config 7736 utility to find out where things are installed. 7737 7738 Bugfix: the SMTP server did not recognize the local built-in 7739 double bounce address as local. Reported by Matthias Andree. 7740 For safety sake, threw in the local postmaster address as 7741 well. File: smtpd/smtpd_check.c. 7742 774320030113 7744 7745 Added MAILER-DAEMON to the list of always recognized local 7746 addresses, since it is generated by Postfix bounces. File: 7747 smtpd/smtpd_check.c. 7748 774920030114 7750 7751 Bugfix: transport_errno was not reset upon successful 7752 transport map wildcard lookup after an earlier failure. 7753 Reported by Victor Duchovni. File: trivial-rewrite/transport.c. 7754 7755 Cleanup: unnecessary warnings from the proxymap client 7756 after proxymap server disconnect. File: global/dict_proxy.c. 7757 7758 Cleanup: Patrik Rak found a few more chattr invocations 7759 that were missed 20021209. Files: postfix-install, 7760 conf/post-install. 7761 7762 Cleanup: the pcre-config command can produce null outputs. 7763 Matthias Andree. File: makedefs. 7764 7765 Bugfix: the virtual(8) Makefile included $(AUXLIBS) in the 7766 dependencies. 7767 776820030118 7769 7770 Typos: some hyperlinks referred to flushd, which is the 7771 name that was used before the flush service was released. 7772 Reported by Victor Duchovni. 7773 7774 Cleanup: smtpd no longer needed to open relocated_maps. 7775 777620030119 7777 7778 Cleanup: bounce messages used "X-Postfix" even when mail_name 7779 was set to something other than the default "Postfix" name. 7780 File: bounce/bounce-notify_util.c. 7781 778220030120 7783 7784 Bugfix: wrong FILTER_README instructions for disabling 7785 virtual alias mapping in the cleanup server before the 7786 content filter. 7787 7788 Bugfix: wrong FILTER_README instructions for destination-dependent 7789 filtering, because relay_domains was specified incorrectly. 7790 779120030122 7792 7793 Bugfix: 20021207 (move relocated table lookup from queue 7794 manager to trivial-rewrite server) broke relocated table 7795 lookup results with mail not rejected at the SMTP port. 7796 Files: *qmgr/qmgr_deliver.c, *qmgr/qmgr_message.c. 7797 779820030123 7799 7800 Bugfix: a widely used maildir filename algorithm was broken. 7801 Postfix now uses TIME.DEVICE_INODE.HOST. Files: local/maildir.c, 7802 virtual/maildir.c. 7803 780420030124 7805 7806 Cleanup: queue structures no longer overload queue name 7807 and nexthop destination. Files: *qmgr/qmgr_message.c, 7808 *qmgr/qmgr_queue.c, *qmgr/qmgr_deliver.c. 7809 781020030125 7811 7812 Feature: "REDIRECT user@domain" action in access maps or 7813 in header/body_checks causes mail to be sent to the specified 7814 address instead of the intended recipient(s). I would never 7815 recommend that people use this to redirect (bounced) SPAM 7816 to the beneficiaries of an advertisement campaign. Files: 7817 smtpd/smtpd_check.c, cleanup/cleanup_message.c, 7818 *qmgr/qmgr_message.c. 7819 782020030126 7821 7822 Update: maildir filename algorithm updated according to 7823 today's version of http://cr.yp.to/proto/maildir.html. 7824 782520030127 7826 7827 Cleanup: use separate error messages for separate problems 7828 with computing the list of SASL authentication mechanisms. 7829 File: smtpd/smtpd_sasl_glue.c. 7830 783120030130 7832 7833 Bugfix: allow $name in default time values. File: 7834 global/mail_conf_time.c. 7835 783620030205 7837 7838 Feature: allow !, /file/name and map:name in masquerade_exceptions. 7839 By Liviu Daia. Files:cleanup_init.c, cleanup.h, 7840 cleanup_masquerade.c. 7841 784220030219 7843 7844 Bugfix: the local pickup daemon skipped unterminated records, 7845 since they happened to have the same record type code as 7846 content filtering instructions. Victor Duchovni. Files: 7847 global/rec_type.h, pickup/pickup.c. 7848 7849 Portability: Postfix could block, and thus not enforce 7850 command execution time limits, while delivering mail to 7851 command. File: global/pipe_command.c. 7852 7853 Bugfix: command execution time limits were not enforced 7854 because the child process killing code in pipe_command() 7855 was running with the wrong privileges. Problem reported by 7856 Ben Rosengart, Panix. File: global/pipe_command.c. 7857 7858 Bugfix: duplicate recipient filtering in the cleanup server 7859 did not eliminate virtual expansion duplicates with the 7860 same original recipient. File: cleanup/cleanup_out_recipient.c. 7861 786220030223 7863 7864 Cleanup: added postmap/postalias -p option (do not inherit 7865 the source file permissions when creating a new file), for 7866 completeness. A feature that can't be turned off is a bug. 7867 Files: postmap/postmap.c, postalias/postalias.c. 7868 7869 Bugfix: smtpd_hard/soft_error_limit off-by-one error, so 7870 that the real limit was one larger than the configured 7871 value. File: smtpd/smtpd.c, smtpd/smtpd_chat.c. 7872 787320030226 7874 7875 Safety: proxymap server defense against potential deadlock 7876 when some library routine wants to open a proxied table. 7877 Instead, proxymap opens the requested table directly. File: 7878 proxymap/proxymap.c. 7879 7880 Portability: updated AIX 5.x system dependent definitions. 7881 File: util/sys_defs.h. 7882 788320030227 7884 7885 Bugfix: added mynetworks to the list of proxy_read_maps 7886 parameter settings that are pre-authorized to use proxied 7887 table lookups. File: global/mail_params.h. 7888 7889 Cleanup: daemons now log what table has changed before 7890 restarting. Files: dict.c, and anything that invoked 7891 dict_changed(). 7892 7893 Cleanup: more consistency in the naming of lookup table 7894 handles as generated by maps(3) and by match_list(3). 7895 789620030305 7897 7898 Workaround: Postfix removes too long non-address text from 7899 message headers in order to protect vulnerable Sendmail 7900 systems against exploitation of the remote buffer overflow 7901 vulnerability described in CERT advisory CA-2003-07. 7902 790320030311-19 7904 7905 Bugfix: the access map actions HOLD, DISCARD, FILTER and 7906 REDIRECT were broken with smtpd_delay_reject=no and with 7907 ETRN. This required re-architecting of the actions code. 7908 Files: smtpd/smtpd.[hc], smtpd/smtpd_check.c, smtpd/smtpd_state.c. 7909 791020030315 7911 7912 Bugfix: the postsuper manual page documented support for 7913 the -c command line option, but it was not implemented. 7914 File: postsuper/postsuper.c. 7915 7916 Bugfix: the Postfix 2.0 recipient map checking code broke 7917 the VRFY command, causing it to reply with status code 252 7918 for non-existent addresses. This required re-architecting 7919 the recipient table lookup code. File: smtpd/smtpd_check.c. 7920 792120030319 7922 7923 Feature: configurable limit on virtual alias expansion size 7924 and nesting depth, via the virtual_alias_expansion_limit 7925 and virtual_alias_recursion_limit parameters. The default 7926 limits are compatible with past Postfix versions. Victor 7927 Duchovni, Morgan Stanley. Files: /sample-resource.cf, 7928 html/resource.html, cleanup/cleanup.c, cleanup/cleanup_init.c, 7929 cleanup/cleanup_map1n.c. 7930 7931 Feature: the installation procedure records build information 7932 (by default: in /etc/postfix/makedefs.out). 7933 793420030324 7935 7936 Bugfix: smtp-source flushed too often, causing suboptimal 7937 performance with smtp-source sending directly into smtp-sink. 7938 Files: smtpstone/smtp-source.c. 7939 794020030410 7941 7942 Safety: log a fatal error when a net/mask pattern has a 7943 non-zero host part, so that mail delivery is deferred. 7944 File: util/match_ops.c. 7945 794620030411 7947 7948 Bugfix: extraneous warning about out-of-order original 7949 recipient records by Patrik Rak. Files: *qmgr/qmgr_message.c. 7950 795120030412 7952 7953 Workaround: log a warning and reset the queue file time 7954 stamps when the file system clock is ahead of the local 7955 clock. File: global/mail_stream.c. 7956 795720030414 7958 7959 Feature: PostgreSQL client module, adopted by LaMont Jones. 7960 Files: README_FILES/PGSQL_README, util/dict_pgsql.c, 7961 util/dict_pgsql.h, conf/sample-pgsql-aliases.cf. 7962 7963 Cleanup: the generic smtp client/server code in smtp_stream.c 7964 now has an explicit flush operation, and the smtp-source/sink 7965 programs are updated to take advantage of this. 7966 7967 Cleanup: the file system clock drift detection code now 7968 runs only once per process instance, to minimize the 7969 performance impact. File: global/mail_stream.c. 7970 7971 Robustness: avoid TIME_WAIT state with smtp/qmqp-source 7972 client sockets. This puts less strain on local system 7973 resources. 7974 797520030415 7976 7977 Cleanup: the file system clock drift detection code now 7978 runs only for incoming mail. File: global/mail_stream.c. 7979 798020030416 7981 7982 Bugfix: missing partial last line when 1) someone submits 7983 8-bit mail not ending in newline via /usr/sbin/sendmail 7984 and 2) MIME input processing is turned off, and 3) MIME 7985 8bit->7bit conversion is requested upon delivery via SMTP. 7986 7987 Cleanup: auto-bcc recipients are now added in one place 7988 (the cleanup server) instead of by individual front-end 7989 servers (pickup, smtpd, qmqpd). This makes it easier to 7990 add auto-bcc features that trigger on sender or recipient 7991 addresses. 7992 7993 Cleanup: "sendmail -t" (recipients from headers) is now 7994 implemented by the sendmail command instead of by the 7995 cleanup server. This means that the extract_recipient_limit 7996 configuration parameter is no longer needed. Files: 7997 sendmail/sendmail.c, cleanup/cleanup_message.c, 7998 cleanup/cleanup_extracted.c. 7999 8000 Compatibility: "sendmail -t" (recipients from headers) now 8001 accepts command-line recipients instead of complaining. 8002 The extracted header recipients are added to the command-line 8003 recipients. 8004 8005 Feature: sender/recipient_bcc_maps. These are indexed by 8006 sender/recipient address and are examined when mail enters 8007 from outside of Postfix. Files: cleanup/cleanup_addr.c. 8008 cleanup/cleanup_envelope.c cleanup/cleanup_extracted.c. 8009 801020030417 8011 8012 Feature: the SMTP client now falls back to native name 8013 service lookups (including /etc/hosts) when a host cannot 8014 be found in the DNS. This is controlled by a new parameter 8015 smtp_host_lookup (default: dns, native). Files: smtp/smtp.c, 8016 smtp/smtp_addr.c. 8017 801820030418 8019 8020 Bugfix: "sendmail -t" broke with unrecognized message 8021 headers. 8022 802320030419 8024 8025 Feature: "postcat -q" searches the queue for the named 8026 file. 8027 8028 Cleanup: made postcat "record names" output more consistent. 8029 803020030421 8031 8032 Debugging: added some extra detailed error logging to the 8033 pipe-to-command delivery, to help folks with bizarre file 8034 truncation problems. File: global/pipe_command.c. 8035 803620030424 8037 8038 Cleanup: readlline() did not terminate the result before 8039 complaining about lines starting with whitespace. 8040 8041 Cleanup: eliminated valid_hostname warning for invalid 8042 queue file names. File: global/mail_queue.c. 8043 8044 Bugfix: lost three lines of code when readying the postcat 8045 command for release, which broke postcat -q. File: 8046 postcat/postcat.c. 8047 8048 Bugfix: the Postfix sendmail command applied the message 8049 size limit when running as newaliases. The limiting code 8050 is now moved to the message enqueuing branch of the code. 8051 File: sendmail/sendmail.c. 8052 8053 Documentation: start of documentation for the algorithm of 8054 Patrik Rak's clever queue manager scheduler (nqmgr). Files: 8055 conf/sample-scheduler.cf, README_FILES/SCHEDULER_README. 8056 805720030429 8058 8059 Bugfix: while verifying an address, the LMTP client entered 8060 a forbidden "next" sender state after the last recipient. 8061 Fix by Vladimir Davydoff. File: lmtp/lmtp_proto.c. 8062 8063 Bugfix: "," was not recognized in proxy_read_maps settings. 8064 Fix by Leandro Santi. File: proxymap/proxymap.c. 8065 806620030502 8067 8068 Bugfix: defer delivery after .forward etc. file read error. 8069 File: local/token.c. Problem reported by Ben Rosengart, 8070 Panix. 8071 807220030503 8073 8074 Bugfix: the Postfix LMTP client used the wrong service 8075 name, causing trouble with SASL 2.1.13. Daniel Schales, 8076 Louisiana Tech. File: lmtp/lmtp_sasl_glue.c. 8077 807820030518 8079 8080 Workaround: IRIX select() reports that a non-blocking file 8081 descriptor is writable while write() transfers zero bytes. 8082 File: util/vstream.c. Superseded by change 20030523. 8083 808420030520 8085 8086 Cleanup: future time stamps in Received: headers and negative 8087 delays in delivery agent logging after "postdrop -r", 8088 because deferred queue files had future file modification 8089 times. File: src/postsuper/postsuper.c. 8090 809120030521 8092 8093 Cleanup: nqmgr warnings about "recipient count mismatch" 8094 after "postdrop -r", because the cleanup server did not 8095 count the "already done" recipients. Problem reported by 8096 Richard Stockton, Gramma Software. Files: 8097 cleanup/cleanup_envelope.c, cleanup/cleanup_extracted.c. 8098 809920030523 8100 8101 Workaround: IRIX select() reports that a non-blocking file 8102 descriptor is writable while write() transfers zero bytes. 8103 File: global/pipe_command.c. 8104 810520030523-20030605 8106 8107 Cleanup: rewrote the queue file record processing loops in 8108 pickup, cleanup and in [n]qmgr. This code had deteriorated 8109 a lot as the result of small changes over the years. This 8110 change brings the code closer to "obviously correct". Files: 8111 cleanup/cleanup_envelope.c, cleanup/cleanup_extracted.c, 8112 *qmgr/qmgr_message.c. 8113 8114 Cleanup: Postfix no longer produces queue files with 8115 backwards compatibility data for Postfix versions < 1.0 8116 (a.k.a. 20010228). Files: cleanup/cleanup_extracted.c, 8117 showq/showq.c. 8118 8119 Performance: the queue manager no longer has to examine 8120 every queue file record before it can start deliveries. 8121 This helps to avoid thrashing with very large mailing lists. 8122 Postfix queue files have an extra field in the size record 8123 with queue manager processing hints. This change is backward 8124 and forward compatible. Files: cleanup/cleanup_envelope.c, 8125 cleanup/cleanup_extracted.c, *qmgr/qmgr_message.c. 8126 812720030528 8128 8129 Compatibility: "sendmail -q<time>" without -bd option now 8130 exits immediately, instead of waiting for input on the 8131 standard input stream and screwing up system boot sequences. 8132 File: sendmail/sendmail.c. 8133 813420030530 8135 8136 Bugfix: client access denied with smtpd_delay_reject=no 8137 broke "sendmail -bs". Fix by Victor Duchovni, Morgan Stanley. 8138 File: smtpd/smtpd.c. 8139 814020030531 8141 8142 Compatibility: allow <@site,@site:address> route addresses 8143 in SMTP commands. File: smtpd/smtpd.c. 8144 814520030605 8146 8147 Cleanup: input checks moved from the pickup daemon to the 8148 postdrop mail submission command; this is to prepare for 8149 direct mail submission from postdrop->cleanup without going 8150 through the maildrop directory and the pickup service. 8151 Files: pickup/pickup.c, postdrop/postdrop.c. 8152 8153 Bugfix: the "dead host" backoff timer in the MySQL client 8154 didn't work. Fix by Leandro Santi. File: util/dict_mysql.c. 8155 8156 Bugfix: same problem in the PostgreSQL client. File: 8157 util/dict_pgsql.c. 8158 8159 Workaround: turned off non-blocking write to pipe because 8160 too many systems give a weird write() result. File: 8161 global/pipe_command.c. 8162 8163 Cleanup: added support for vstream_fseek(.., .., SEEK_END). 8164 File: util/vstream.c. 8165 816620030608 8167 8168 Feature: separate address resolver controls for address 8169 verification probe messages: address_verify_{local,virtual, 8170 relay,default}_transport, address_verify_relayhost, and 8171 address_verify_transport_maps. The default values are the 8172 regular versions of the same controls. Files: trivial-rewrite/*, 8173 global/resolve_clnt.[hc], *qmgr/qmgr_message.c. 8174 817520030609 8176 8177 Workaround: Solaris blocking socket read() may hang. Hernan 8178 Perez Masci and Leandro Santi. File: smtpd/smtpd.c. 8179 8180 Bugfix: the "unread recipient" counter needs to be restored 8181 after the queue manager has a problem reading a queue file. 8182 Fix by Patrik Rak. File: nqmgr/qmgr_message.c. 8183 818420030610 8185 8186 Cleanup: the verify server now uses asynchronous submission 8187 of mail probes, so it will no longer block for in_flow_delay 8188 seconds when mail arrives faster than it is delivered. 8189 Still need to make mail_stream_finish() asynchronous in 8190 order to avoid blocking for trigger_timeout seconds when 8191 the queue manager is overwhelmed. Files: global/post_mail.c, 8192 verify/verify.c. 8193 8194 Bugfix: removed extraneous sleep() after the last attempt 8195 to retrieve address verification status. File: smtpd/smtpd.c. 8196 819720030611 8198 8199 Bugfix: the stricter postdrop input filter broke "sendmail 8200 -bs". Found by Lutz Jaenicke. File: smtpd/smtpd.c. 8201 820220030614 8203 8204 Portability: Dropped support for client side LDAP caching. 8205 As of release 2.1.13 OpenLDAP no longer supports client 8206 side caching, it has been deprecated for some time, and 8207 never worked well. Implemented by Victor Duchovni, Morgan 8208 Stanley, and further enhanced by Lamont Jones, HP. Files: 8209 src/util/dict_ldap.c, conf/sample-ldap.cf, 8210 README_FILES/LDAP_README. 8211 8212 Safety: Given suitable invalid database contents, LDAP 8213 lookups can produce too many results, enter an infinite 8214 loop in the expansion of "special result attributes" (LDAP 8215 DNs and LDAP URLs) or just consume excessive server resources 8216 returning large result sets. Three new (per LDAP map) 8217 configuration parameters enable one to set limits on 8218 recursive nesting, result expansion and the server response 8219 "entry" count. Implemented by Victor Duchovni, Morgan 8220 Stanley, further enanced by Lamont Jones, HP. Files: 8221 src/util/dict_ldap.c, conf/sample-ldap.cf, 8222 README_FILES/LDAP_README. 8223 822420030616 8225 8226 Feature: in mail delivery status reports, report the sender 8227 address as X-Postfix-Sender. Matthias Andree. File: 8228 bounce/bounce_notify_util.c. 8229 8230 Cleanup: in mail delivery status reports, transform the 8231 original recipient into xtext format as required by RFC 8232 1891. Files: bounce/bounce_notify_util.c, util/xtext.[hc]. 8233 8234 Cleanup: more accurate "postfix check" warning for files 8235 that miss one or more of the required mode 02111 execute 8236 permission bits. Matthias Andree. File: conf/postfix-script. 8237 823820030618 8239 8240 After "postfix reload", the master daemon now warns when 8241 inet_interfaces has changed, and ignores the change, instead 8242 of passing incorrect information to the smtp server. File: 8243 master/master_ent.c. 8244 824520030619 8246 8247 Feature: the Postfix SMTP server can send all mail into a 8248 proxy server, for example a real-time SPAM filter. This 8249 proxy is supposed to send the mail into another Postfix 8250 SMTP server process for normal delivery. Files: smtpd/smtpd.c 8251 smtpd/smtpd_proxy.[hc]. 8252 825320030620 8254 8255 Bugfix: a cut-and-paste error caused the proxy server's 8256 354 status code to be reported when a proxy connection 8257 broke during the DATA phase. File: smtpd.c. 8258 825920030620 8260 8261 Bugfix: after the last change to postdrop, postcat no longer 8262 recognized maildrop files as valid. File: postcat/postcat.c. 8263 8264 Bugfix: after moving "sendmail -t" address extraction to 8265 sendmail, "-t" broke multi-line recipient headers. Victor 8266 Duchovni, Morgan Stanley. File: sendmail/sendmail.c. 8267 826820030621 8269 8270 Workaround: the safe_open(O_CREAT) race condition exploit 8271 avoiding code tries a little harder when it encounters a 8272 race condition. File: util/safe_open.c. 8273 827420030624 8275 8276 Bugfix: reject_unverified_address() set the defer_if_reject 8277 flag when the verify service was unavailable (which never 8278 happens). Victor Duchovni, Morgan Stanley. File: 8279 smtpd/smtpd_check.c. 8280 8281 New parameters address_verify_poll_{count,delay} that 8282 control how often to poll the address verification service 8283 for the completion of an address verification request. 8284 Specify address_verify_poll_count=1 to implement a crude 8285 form of greylisting, that is, always defer the first delivery 8286 attempt for an unknown address. File: smtpd/smtpd_check.c. 8287 8288 Bugfix: after the last change to postdrop, postcat no longer 8289 recognized non-maildrop queue files as valid. File: 8290 postcat/postcat.c. 8291 829220030629 8293 8294 Cleanup: replaced references to "simulated virtual domains" 8295 by "virtual alias domains". Victor Duchovni, Morgan Stanley. 8296 829720030630 8298 8299 Feature: smtp_quote_rfc821_envelope=(yes|no) to control 8300 RFC 821 style quoting of MAIL FROM and RCPT TO addresses. 8301 Files: global/mail_params.h, smtp/smtp.c, smtp/smtp_proto.c. 8302 830320030701 8304 8305 Bugfix: multi-recipient probes triggered a bug in the SMTP 8306 client. File: smtp/smtp_proto.c. 8307 8308 Feature: enable_original_recipient (default: yes) to control 8309 whether Postfix keeps track of original recipient address 8310 information. Victor Duchovni, Morgan Stanley. Files: 8311 cleanup/cleanup.c, cleanup/cleanup_init.c, 8312 cleanup/cleanup_out_recipient.c, global/log_adhoc.c, 8313 global/mail_copy.c, *qmgr/qmgr_message.c. 8314 8315 Feature: !/pattern/ support for PCRE lookup tables. Victor 8316 Duchovni, Morgan Stanley. Files: util/dict_pcre.c. 8317 8318 Cleanup: allow whitespace after patterns in repexp and pcre 8319 tables. Victor Duchovni, Morgan Stanley. Files: 8320 util/dict_pcre.c, util/dict_regexp.c. 8321 832220030702 8323 8324 Feature: CIDR lookup table support, very remotely based on 8325 code by Jozsef Kadlecsik. Files: proto/cidr_table, 8326 util/dict_cidr.[hc]. 8327 8328 Feature: TCP lookup table support, finally finished. Files: 8329 proto/tcp_table, proto/dict_tcp.[hc]. 8330 833120030705 8332 8333 Feature: new receive_override_options parameter controls 8334 what happens before or after an external content filter: 8335 rejecting unknown recipients, canonical and virtual address 8336 mapping, address masquerading, automatic BCC recipients 8337 and header/body checks. This eliminates the need to configure 8338 multiple cleanup services in the master.cf file. 8339 834020030707 8341 8342 Feature: context dependent SASL security options (i.e. 8343 different options when TLS is enabled/disabled). Lutz 8344 Jaenicke. Files: */*sasl_glue.[hc]. 8345 834620030708 8347 8348 Hardened the attr_scan routines for exposure to an untrusted 8349 environment, in preparation for possible use with SMTP 8350 policy delegation to an external server. 8351 8352 Feature: address filter for RBL lookups, for use with 8353 multi-valued RBL services. File: smtpd/smtpd_check.c. 8354 835520030709 8356 8357 Cleanup: use off_t instead of int for VSTREAM file offsets. 8358 This was needed for mailboxes > 2GB on 32-bit systems. 8359 Files: util/vstream.c, global/mail_copy.c. 8360 836120030710 8362 8363 Support for multiple A and TXT results in RBL lookups. 8364 Victor Duchovni, Morgan Stanley. File: smtpd/smtpd_check.c. 8365 8366 Support for attribute-based query-reply protocols. Files: 8367 util/attr_clnt.[hc], util/auto_clnt.[hc]. 8368 836920030711 8370 8371 Support for plain "name=value\n" attribute protocol. Files: 8372 util/attr_{scan,print}_plain.c. 8373 8374 Bugfix: the LMTP session caching code did not reset the 8375 EHLO server feature list when it needed to reconnect. 8376 Problem found by Tobias Erbsland. 8377 837820030712 8379 8380 Feature: delegated SMTP policy server. As an example, see 8381 the greylisting server in examples/smtpd-policy. Specify 8382 "check_smtpd_policy_service" in smtpd_mumble_restrictions. 8383 See SMTPD_POLICY_SERVICE_README for details. 8384 838520030716 8386 8387 Bugfix: in the sample policy server, changed "ok" into 8388 "dunno" so the server can be used in the middle of a 8389 restriction list. 8390 8391 Cleanup: when an RBL reply has multiple TXT records, 8392 concatenate them up to some reasonable limit, instead of 8393 selecting one randomly. File: smtpd/smtpd_check.c. 8394 8395 Safety: always truncate SMTP server error replies to 512 8396 bytes. File: smtpd/smtpd_check.c. 8397 839820030717 8399 8400 Documentation: added description of policy_time_limit to 8401 the SMTPD_POLICY_README document. 8402 8403 Documentation: corrected the command time limit parameter 8404 syntax in the spawn(8) manual page. 8405 8406 Feature: defer_if_permit and defer_if_reject actions in 8407 access tables, mainly for use by the delegated policy 8408 server. Files: smtpd/smtpd_check.c, proto/access. 8409 841020030725 8411 8412 The dict_pgsql module did not use dict_alloc() and dict_free(), 8413 causing improper initialization and a memory leak. Leandro 8414 Santi. File: util/dict_pgsql.c. 8415 8416 Cleanup: added open_flags sanity checks to the dict_pgsql 8417 and dict_mysql modules. These maps must be opened in 8418 read-only mode. 8419 842020030731 8421 8422 Bugfix: virtual(8) was changed to use mail_addr_find() 8423 instead of virtual8_maps_find(), but the SMTP server's 8424 virtual mailbox recipient validation was not updated. 8425 842620030804 8427 8428 Bugfix: the 20030712 safety against invalid DNS results 8429 was broken. Reported by Ralf Hildebrandt. File: 8430 dns/dns_lookup.c. 8431 843220030805-12 8433 8434 Safety: the pipe daemon now defers delivery with a warning 8435 when it is given a non-existent command-line macro name. 8436 File: pipe/pipe.c. 8437 843820030810 8439 8440 Bugfix: dict_ldap had a few harmless memory leaks. By 8441 Liviu Daia. File: util/dict_ldap.c. 8442 8443 Feature: support for LDAP URLs in the LDAP parameter 8444 "server_host", if Postfix is linked against OpenLDAP. This 8445 allows Postfix to connect to LDAP SSL sources. By Liviu 8446 Daia. File: util/dict_ldap.c. 8447 844820030811 8449 8450 Cleanup: produce a warning when host:port specifies a badly 8451 formatted numerical port. Files: util/find_inet.c, 8452 smtp/smtp_connect.c, lmtp/lmtp_connect.c. 8453 845420030822 8455 8456 Feature: the export_environment and import_environment 8457 parameters now accept name=value information that will be 8458 entered into the new environment. File: util/clean_env.c. 8459 846020030823 8461 8462 Feature: smtpd_sasl_exceptions_networks parameter to prevent 8463 Postfix from offering AUTH to clients that match the listed 8464 networks. Based on code by Ben Rosengart, Panix. Files: 8465 conf/sample-auth.cf, smtpd/smtpd.c. 8466 846720030902 8468 8469 Portability: the Postfix master resets the file size to 8470 the largest possible off_t value when the actual limit 8471 appears to overflow the off_t range. Files: util/sys_defs.h, 8472 util/file_limit.c. A fine sample of bit banging. 8473 847420030905 8475 8476 Workaround: Solaris 8 select() claims that a non-blocking 8477 socket is readable and then read() fails with EAGAIN. Files: 8478 util/timed_read.c and as precautionary measure, 8479 util/timed_write.c. 8480 8481 Bugfix: dict_register() should not be called from dict_open() 8482 in dict_mysql and dict_pgsql. Liviu Daia. Files: 8483 util/dict_mysql.c, util/dict_pgsql.c. 8484 8485 Feature: LDAP parameters can now be specified in external 8486 files. This makes it possible to securely store bind 8487 passwords for plain auth outside of main.cf (which is world 8488 readable). By Liviu Daia, based on a suggestion by Victor 8489 Duchovni and Lamont Jones. File: util/dict_ldap.c. 8490 8491 Feature: STARTTLS option for LDAP, if Postfix is linked 8492 against OpenLDAP. By Liviu Daia, amended by Victor Duchovni. 8493 File: util/dict_ldap.c. 8494 8495 Cleanup: connections to LDAP sources are now postponed 8496 until they are actually needed. By Liviu Daia. File: 8497 util/dict_ldap.c. 8498 849920030908 8500 8501 The 20030905 Solaris workaround triggers too many warnings. 8502 TCP sockets are back to blocking, and keepalives are turned 8503 on to kill off dead sockets, as suggested by Leandro Santi. 8504 Files: master/{single,multi}_server.c, smtpd/smtpd.c, 8505 util/sys_defs.h. 8506 850720030909 8508 8509 Bugfix: the LMTP session caching code had problems with 8510 SASL authentication after the first connection, and pipelining 8511 was working poorly. Fix by Victor Duchovni, Morgan Stanley. 8512 Files: lmtp/lmtp.c, lmtp/lmtp_proto.c. 8513 851420030912 8515 8516 Workaround: besides SMTP server sockets, SMTP client sockets 8517 can also hang on Solaris, as reported by Leandro Santi. In 8518 order to deal with this at the root, all connection management 8519 is now done by sane_accept() and sane_connect(). Both turn 8520 on keepalives on Solaris. 8521 852220030913 8523 8524 Safety: set-gid commands don't trust TZ. File: msg_syslog.c. 8525 852620030914 8527 8528 Address extension propagation wasn't documented enough when 8529 it was added to Postfix. Based on patches by Roman Neuhauser. 8530 8531 Added clarifying notes to main.cf, master.cf and access by 8532 Dean Gibson. 8533 8534 In header/body_checks, DUNNO is now the preferred action 8535 instead of the now deprecated OK. This may confuse fewer 8536 people. 8537 8538 In header/body_checks, allow text after IGNORE and DUNNO, 8539 suggested by Victor Duchovni, Morgan Stanley. File: 8540 src/cleanup/cleanup_message.c. 8541 8542 Feature: reject_rhsbl_helo. File: smtpd/smtpd_check.c. 8543 8544 Bugfix? The LMTP and SMTP clients now send "MAIL FROM:<sender> 8545 AUTH=<>" when SASL authenticated. Suggested by by Victor 8546 Duchovni, Morgan Stanley. Files: smtp/smtp_proto.c, 8547 lmtp/lmtp_proto.c. 8548 854920030915 8550 8551 Bugfix: mail rejected by the before-queue content filter 8552 was mis-labeled as a software error; it should be labeled 8553 as a policy error instead. File: smtpd/smtpd.c. 8554 8555 Cleanup: postcat is now null-byte transparent. File: 8556 postcat/postcat.c. 8557 855820030916 8559 8560 Feature: ``check_{sender,recipient}_mx_access maptype:mapname'' 8561 applies the named Postfix access table to the MX host name 8562 and IP addresses for the sender or recipient address. If 8563 no MX record is found, the A record is used instead. File: 8564 smtpd/smtpd_check.c. 8565 8566 Feature: ``check_{sender,recipient}_ns_access maptype:mapname'' 8567 applies the named Postfix access table to the DNS server 8568 hostname and IP addresses for the sender or recipient 8569 address. If no NS record is found, the parent domain is 8570 used instead. File: smtpd/smtpd_check.c. 8571 857220030917 8573 8574 Feature: ``check_helo_{ns,mx}_access maptype:mapname'', 8575 same semantics as sender and recipient. 8576 8577 Multiple LDAP lookup tables in the one Postfix process now 8578 share one LDAP connection. Code by Victor Duchovni, Morgan 8579 Stanley. File: util/dict_ldap.c. 8580 8581 Performance: with prefix_domain specified for an LDAP lookup 8582 table, lookups of @domain are skipped. Code by Victor 8583 Duchovni, Morgan Stanley. File: util/dict_ldap.c. 8584 8585 Safety: check_mumble_{mx,ns}_access refuses to be used for 8586 whitelisting. The Postfix SMTP server will reject the 8587 request with "451 server configuration error" and will log 8588 a warning explaining why. File: smtpd/smtpd_check.c. 8589 859020030918 8591 8592 Bugfix: check_mumble_ns_access did not correctly look up 8593 NS records of parent domains, causing mail to be deferred 8594 with a 450 status code. File: smtpd/smtpd_check.c. 8595 859620030919 8597 8598 Robustness: check_mumble_{mx,ns}_access skip over DNS lookup 8599 failures instead of deferring mail. This is not as bad as 8600 it appears to be because the restrictions can't be used 8601 for whitelisting. File: smtpd/smtpd_check.c. 8602 860320030920 8604 8605 Bugfix: the 20030917 LDAP connection sharing code introduced 8606 a compilation problem with non-OpenLDAP implementations. 8607 Fix by Liviu Daia. File: util/dict_ldap.c 8608 8609 Compatibility: the LDAP server_host parameter now supports 8610 all the usual Postfix list element delimiters. Some LDAP 8611 libraries support just SPACE, others SPACE and ",". Postfix 8612 now normalizes the host list into a space separated format. 8613 This is less surprising to Postfix users used to the full 8614 range of delimiters in other contexts. Implemented by Liviu 8615 Daia. File: util/dict_ldap.c 8616 8617 Bugfix: after returning too old mail, the bounce daemon 8618 now locks the original queue file and deletes deferred 8619 recipients, to avoid repeated bounce notifications when 8620 the queue manager is restarted. Files: bounce/*.[hc], 8621 global/bounce_log.[hc], global/{bounce,defer}.[hc] and 8622 everything that invokes these routines including queue 8623 manager and delivery agents. 8624 862520030922 8626 8627 Feature: "XADDR address hostname" SMTP command, for SMTPD 8628 restriction debugging, and for sites with fetchmail-like 8629 software that extracts client information from the first 8630 Received: header. The smtpd_authorized_xaddr_clients 8631 parameter specifies what clients are allowed to use XADDR 8632 (default: none). Files: smtpd/smtpd.c. 8633 863420031015 8635 8636 Workaround: smtpd access maps should not apply subdomain 8637 name magic to numerical hostnames. File: smtpd/smtpd_check.c. 8638 8639 Safety: the local delivery agent now defers delivery when 8640 alias lookup produces an empty result. File: local/alias.c. 8641 864220031019 8643 8644 Workaround: disable request/reply size limit in attr_scan*.c 8645 to prevent mail from getting stuck when rewriting a malformed 8646 message header. This limit was turned on with snapshot 8647 20030715 to harden the protocol that is used by SMTPD policy 8648 delegation. A "no code change" workaround is to specify 8649 "header_size_limit = $line_length_limit". The proper fix 8650 is to enforce request/reply size limits only for data from 8651 outside of Postfix. Problem reported by Brandon Mullenberg, 8652 Dialup USA. Files: util/attr_scan*.c. 8653 8654 Feature: "XLOGINFO address hostname" SMTP command, so that 8655 Postfix daemons behind SMTPD pass-through proxies log useful 8656 client name/address information instead of localhost[127.0.0.1]. 8657 The smtpd_authorized_xloginfo_clients parameter specifies 8658 what clients are allowed to use XLOGINFO (default: none). 8659 Files: smtpd/smtpd.c. 8660 8661 Cleanup: renamed the authorized_verp_clients parameter to 8662 smtpd_authorized_verp_clients for consistency. 8663 866420031021 8665 8666 Workaround: the demo greylist script now uses BTREE instead 8667 of HASH files for hopefully better stability. The real fix 8668 is to use a single updater process that serves multiple 8669 clients. That approach seems to work well with the verify 8670 daemon. File: examples/smtpd-policy/smtpd-policy.pl. 8671 867220031022 8673 8674 Safety: the SMTP server now warns when the queue_minfree 8675 value is less than twice the message size limit. File: 8676 smtpd/smtpd.c. 8677 8678 Safety: the SMTP server no longer accepts mail when the 8679 amount of free space is less than twice the message size 8680 limit. File: smtpd/smtpd_check.c. 8681 8682 Safety: log a warning and defer mail when canonical or 8683 virtual lookups return a non-address result (like a string 8684 that contains no address). File: global/mail_addr_map.c. 8685 8686 Safety: log a warning and defer mail when any map lookup 8687 returns an empty string result, and explain that "no result" 8688 is expected in case of a "not found" condition. This happens 8689 with incorrectly implemented SQL or LDAP tables. File: 8690 global/maps_find.c. 8691 869220031023 8693 8694 Bugfix: the MYSQL and PGSQL modules invoked dict_register(). 8695 This was fixed a while ago but never made it into the 8696 distribution. Files: util/dict*sql.c. 8697 8698 Robustness: added three ISSPACE() calls in the smtpd proxy 8699 parser. File: smtpd/smtpd_proxy.c. 8700 870120031024 8702 8703 Portability: added localhost to mydestination for sites 8704 that turn off append_dot_mydomain. File: global/mail_params.h. 8705 870620031027 8707 8708 Portability: MacOS X Bind8 compatibility. File: makedefs. 8709 871020031103 8711 8712 Robustness: flush pipelined "." and "quit" replies to avoid 8713 repeated deliveries in case of a program crash (you know, 8714 the kind of thing that happens before Postfix release :-). 8715 File: smtpd/smtpd.c. 8716 871720031105 8718 8719 Portability: turn off NETINFO support for MacOS X Panther 8720 by default. Files: makedefs, util/sys_defs.h. 8721 872220031106 8723 8724 Feature: the sample greylist policy server is now case 8725 insensitive. File: examples/smtpd-policy/smtpd-policy.pl. 8726 872720031103-20031110 8728 8729 Feature: preliminary defense against SMTP clients that 8730 hammer the SMTP server with too many simultaneous or 8731 successive connection attempts, with a whitelist capability 8732 to disable the restriction for authorized clients. Most 8733 work is implemented by a new "anvil" server. Parameters: 8734 smtpd_client_connection_count_limit, smtpd_client_connection- 8735 _rate_limit, smtpd_client_connection_limit_exceptions, and 8736 client_connection_rate_time_unit. Documentation: smtpd(8), 8737 anvil(8), sample-smtpd.cf. Files: smtpd/smtpd.c, 8738 global/anvil_clnt.[hc], anvil/anvil.c. The anvil server 8739 logs peak count and rate information per client when it 8740 terminates after running out of work or after "postfix 8741 reload". 8742 874320031110 8744 8745 Cleanup: Postfix now supports the /0 netmask (match every 8746 address). This is useful as a catch-all pattern at the 8747 end of a table. Files: util/dict_cidr.c, util/match_ops.c. 8748 8749 Cleanup: don't report that $queue_directory/etc/filename 8750 differs from /etc/filename when /etc/filename does not 8751 exist. File: conf/postfix-script. 8752 875320031112 8754 8755 Feature: client_connection_status_update_time parameter 8756 controls periodic logging of maximal connection counts or 8757 rates. The default logging interval is 10 minutes. 8758 8759 Feature: "make makefiles WARN=stuff..." overrides the 8760 built-in GCC warning options that are used when "make" is 8761 invoked from within a source subdirectory. Files: makedefs, 8762 */Makefile.in. 8763 876420031125 8765 8766 Feature: qmgr logs "queueid: deleted", just like postsuper, 8767 when it removes a message from the mail queue. 8768 8769 Performance: smtpd connects to the cleanup or proxy server 8770 AFTER the first valid RCPT TO command, instead of after 8771 the first valid MAIL FROM command. This avoid wasting 8772 real-time proxy filter resources when mail is stopped by 8773 the SMTP server's access blocks. File: smtpd/smtpd.c. 8774 877520031126 8776 8777 Bugfix: "panic: mymalloc: requested length 0" when master.cf 8778 specified an invalid host name or address. Postfix now 8779 logs more specific information. File: master/master_ent.c. 8780 Reported by several people. 8781 878220031125-20031201 8783 8784 Feature: XCLIENT support to override the SMTP server's 8785 client information for logging and/or access control. This 8786 replaces the short-lived XADDR and XLOGINFO extensions. 8787 Remotely based on code by Victor Duchovni. See FILTER_README 8788 and SMTPD_PROXY_README for usage details. Files: 8789 smtpd/{smtpd,smtpd_check,smtpd_proxy,smtpd_xclient}.c 8790 smtp/smtp_smtp_proto.c, *qmgr/qmgr_message.c, 8791 global/deliver_request.c. 8792 879320031202 8794 8795 Cleanup: postfix-files now has support for files that are 8796 no longer part of Postfix. When upgrading Postfix, the 8797 post-install script gives the user a reminder. Files: 8798 conf/postfix-files, conf/post-install. 8799 880020031203 8801 8802 Support for SMTPD access map actions (FILTER, REDIRECT, 8803 HOLD or DISCARD) that are delegated to the cleanup server, 8804 but can trigger before the first valid recipient address 8805 is accepted (and thus, before a cleanup server connection 8806 is available). Files: smtpd/{smtpd,smtpd_state,smtpd_check}.c. 8807 880820031204 8809 8810 Bugfix: conf/post-install didn't skip non-existent obsolete 8811 files. Victor Duchovni. 8812 8813 Minor cleanups of the xclient error messages; xclient 8814 command lookup tables. File: smtpd/smtpd.c. 8815 881620031206 8817 8818 Feature: reject_sender_login_mismatch allows multiple owners 8819 of a sender address. Code by Liviu Daia. Files: 8820 smtpd/smtpd_check.c and documentation. 8821 8822 reject_sender_login_mismatch is now implemented by elementary 8823 features reject_unauthenticated_sender_login_mismatch 8824 (reject if the client is not SASL logged in but the sender 8825 address has an owner in smtpd_sender_login_maps) and 8826 reject_authenticated_sender_login_mismatch (reject if the 8827 client is SASL logged in but does not own the sender 8828 address). Code by Liviu Daia. Files: smtpd/smtpd_check.c 8829 and documentation. 8830 883120031207 8832 8833 Bugfix: fallback_transport and mailbox_transport were broken 8834 because the deliver_pass.c module was not updated for the 8835 changed message delivery protocol. 8836 883720031211 8838 8839 Safety: in dynamically growing data structures, update the 8840 length info after (instead of before) updating the data 8841 size. Files: util/argv.c, util/inet_addrlist.c, util/intv.c, 8842 util/mvect.c, util/vstring.c, global/recipient_list.c, 8843 *qmgr/qmgr_rcpt_list.c. 8844 884520031212 8846 8847 Cleanup: separate extensions XCLIENT (impersonate SMTP 8848 client) and XFORWARD (down-stream logging of up-stream MTA 8849 and/or message information, not necessarily SMTP related). 8850 The protocol is extensible: the server advertises what 8851 attributes XCLIENT or XFORWARD will accept, and it is an 8852 error to send an unsupported attribute. No xtext encoding 8853 is used, since no attribute currently needs it. See also: 8854 XCLIENT_README and XFORWARD_README. 8855 885620031214 8857 8858 Feature: XFORWARD support in the LMTP client. 8859 886020031215 8861 8862 Safety: updated mail_queue_id_ok() for long fast flush 8863 logfile names. File: global/mail_queue.c. 8864 8865 Robustness: save and restore the resolver _res.options 8866 settings before and after DNS lookup, to avoid surprises 8867 in third-party code. This may eliminate some "localhost 8868 not found" problems. File: dns/dns_lookup.c. 8869 887020031216 8871 8872 Cleanup: easier to parse mailq output (no more space 8873 between short queue ID and message status). File: 8874 showq/showq.c. 8875 887620031216-21 8877 8878 Cleanup: the SMTP client now moves on to the next MX host 8879 or fallback relay when delivery fails in the middle of an 8880 SMTP session. This includes both broken connections and 8881 4xx SMTP server replies. Files: smtp/smtp.c, smtp_rcpt.c, 8882 smtp/smtp_connect.c, smtp_trouble.c. 8883 8884 Configuration parameters: smtp_mx_address_limit (limit the 8885 list of IP addresses from MX lookup), and smtp_mx_session_limit 8886 (limit the number of actual SMTP sessions per delivery 8887 attempt, ignoring unusable MX IP addresses). 8888 8889 The new code centers around a mark-and-sweep algorithm 8890 (replacing code that twiddled the rcpt->offset structure 8891 member), with paranoid sanity checks to ensure that every 8892 recipient is explicitly accounted for. 8893 889420031217 8895 8896 Update: LDAP client logging (Liviu Daia) and LDAP client 8897 documentation (Victor Duchovni). Files: util/dict_ldap.c, 8898 conf/sample-ldap.cf, README_FILES/LDAP_README. 8899 890020031222 8901 8902 Cleanup: shaved half the worst-case bits off the cleanup 8903 duplicate address filter footprint. After discussion with 8904 Victor Duchovni. File: cleanup/cleanup_out_recipient.c. 8905 8906 Safety: added "mail loops to myself" logic for destinations 8907 that don't have an MX host. File: smtp/smtp_addr.c. 8908 890920031223 8910 8911 Workaround: turn off "mail loops to myself" for non-MX 8912 destinations because it breaks SMTP-based content filters. 8913 Fix is to turn off loop detection when a non-default TCP 8914 port is specified. File: smtp/smtp_addr.c. 8915 8916 Bugfix: restore errno after write failure in SIGCHLD handler. 8917 Leandro Santi (who got the idea from Hernan Perez Masci). 8918 File: master/master_sig.c. 8919 8920 Bugfix: the auto_clnt module disconnected too early, causing 8921 unnecessary work by the anvil server. 8922 8923 Cleanup: eliminated binary hashes from anvil server. Anvil 8924 client information is now stored on top of its VSTREAM. 8925 892620031226 8927 8928 Feature: bounce_queue_lifetime parameter (default: 8929 $maximal_queue_life_time) that bounds the time that 8930 MAILER-DAEMON messages spend in the queue before they are 8931 considered undeliverable. 8932 8933 Feature: disable "mail loops back to myself" protection 8934 when SMTP mail is sent to a non-standard port. This makes 8935 setting up content filters less painful. 8936 8937 Cleanup: disallow bare x.x.x.x numeric IP addresses in 8938 email addresses. The form user@[x.x.x.x] is still allowed. 8939 8940 Cleanup: cleaned up the naming of internal symbols in the 8941 SMTP client. 8942 894320031231 8944 8945 Bugfix: stricter address syntax test broke "sendmail -bs". 8946 File: smtpd/smtpd.c. 8947 894820040101 8949 8950 Cleanup: the Postfix SMTP server rejects a MAIL FROM address 8951 that matches a local, virtual or relay domain, while the 8952 address is not listed in the corresponding local, virtual 8953 or relay recipient table. 8954 8955 Feature: the reject_unlisted_sender(recipient) SMTPD access 8956 restriction rejects an address that matches a local, virtual 8957 or relay domain, while the address is not listed in the 8958 corresponding local, virtual or relay recipient table. 8959 8960 Compatibility: the check_recipient_maps restriction works 8961 like reject_unlisted_recipient, but will eventually be 8962 removed from Postfix. 8963 896420040102 8965 8966 Misc documentation cleanup by Loic Minier. 8967 896820040104 8969 8970 Workaround: MacOSX dumps core on the 20030913 TZ censoring 8971 code. We explicitly set TZ=UTC, which will produce incorrect 8972 results when "mailq" formatting is moved from the showq 8973 daemon to the postqueue command. File: msg_syslog.c. 8974 8975 Feature: after mail is requeued with "postsuper -r", the 8976 pickup server logs the old queue ID together with the new 8977 queue ID. Victor Duchovni. File: pickup/pickup.c. 8978 8979 Feature: smtpd_sasl_application_name parameter (default: 8980 smtpd) to control the name of the SASL configuration file 8981 used by the Postfix SMTP server. Liviu Daia. Files: 8982 mail_params.h, smtpd.c, smtpd_sasl_glue.c. 8983 8984 Cleanup: the LDAP client configuration parser is now shared 8985 between the LDAP, MySQL, and PGSQL clients. Liviu Daia. 8986 Files: global/cfgparser.[hc], global/dict_ldap.c, 8987 global/dict_mysql.c, global/dict_pgsql.c and documentation. 8988 8989 Cleanup: moved "util" modules with dependencies on higher-level 8990 "global" code from the util directory to the global directory: 8991 util/dict_open.c, global/cfgparser.[hc], global/dict_ldap.c, 8992 global/dict_mysql.c, global/dict_pgsql.c, global/mail_dict.c. 8993 8994 Cleanup: the new queue manager nqmgr replaces the default 8995 queue manager qmgr, leaving behind a hard link for backwards 8996 compatibility. The old queue manager remains available as 8997 as oqmgr but will eventually be removed. 8998 8999 Bugfix: vstring_get() etc. now return VSTREAM_EOF when they 9000 terminate prematurely, instead of returning the last 9001 character stored. This avoids mis-leading warnings. File: 9002 global/vstring_vstream.c. 9003 900420040105 9005 9006 Cleanup: don't bother the flush daemon while deferring mail 9007 if the destination is not "fast flush" eligible. File: 9008 global/flush_clnt.c. 9009 9010 Safety: the SMTP server flushes recipients to the cleanup 9011 server in order to avoid SMTP timeouts when virtual or 9012 canonical expansions take a lot of time. File smtpd/smtpd.c. 9013 9014 Safety: add warnings to postmap and postalias when table 9015 lookup results in an empty string. 9016 901720040110 9018 9019 Example: script to run qmail-local from Postfix by Ron 9020 Bickers. 9021 9022 Change: queue minfree limit is now 1.5 * message size limit. 9023 File: smtpd/smtpd_check.c. 9024 9025 Bugfix: apply hostname restriction even when host address 9026 lookup fails in check_{sender,recipient}_{ns,mx}_access. 9027 File: smtpd/smtpd_check.c. 9028 902920040115 9030 9031 Performance: allow delivery concurrency to increase even 9032 while mail is deferred, as long as the delivery agent does 9033 not report really serious trouble with the destination. 9034 Files: *qmgr/qmgr_deliver.c. 9035 9036 Cleanup: in postfix-files, symbolic links and hard links 9037 are now first-class citizens with explicit mention of source 9038 and destination pathnames. Files: postfix-install, 9039 conf/postfix-files, conf/post-install. 9040 904120040116 9042 9043 Cleanup: sendmail -v caused one mail delivery report upon 9044 every delivery attempt, not just the first one. The fix is 9045 to "kill" a queue file record after the first delivery 9046 attempt. This means a new record type. Files: *qmgr/qmgr_active.c, 9047 *qmgr/qmgr_message.c, global/rec_type.c. 9048 9049 Cleanup: in anticipation of other built-in rate limiters, 9050 the client_connection_rate_time_unit parameter is renamed 9051 to client_rate_time_unit. 9052 9053 Documentation: finished the HOSTING_README file with an 9054 overview of methods to host domains with Postfix. 9055 905620040119 9057 9058 Bugfix: anvil (count and rate limiting) server race condition 9059 could result in dangling pointer. Postfix erases memory 9060 after allocating and before freeing, so it is extremely 9061 unlikely that this could be used to bring harmful data into 9062 the anvil server. File anvil/anvil.c. 9063 906420040120 9065 9066 Cleanup: new header_checks(5) and body_checks(5) manual 9067 pages. The sample-regexp* and sample-pcre* files are no 9068 longer needed and have been removed, as are the default 9069 *_table configuration files. 9070 9071 Cleanup: support for the non-standard Errors-To: header is 9072 removed. File: cleanup/cleanup_message.c. 9073 907420040121 9075 9076 Feature: "PREPEND headername: headervalue" action in Postfix 9077 access maps, to facilitate external policy servers that 9078 label mail instead of rejecting it. Files: smtpd/smtpd.c, 9079 smtpd/smtpd_check.c. 9080 908120040122 9082 9083 UNDO the 20040104 change (vstring_get() etc. return 9084 VSTREAM_EOF when they terminate prematurely, instead of 9085 returning the last character stored, to avoid mis-leading 9086 warnings). File: global/vstring_vstream.c. 9087 9088 Portability: test -e is not portable. File: conf/postfix-script. 9089 9090 Misc. documentation fixes by Victor Duchovni. 9091 9092 Documentation: the README files are now hyperlinked, and 9093 are referenced in the on-line manual pages. 9094 9095 Bugfix: the pickup daemon now strokes the watchdog frequently 9096 to prevent the watchdog from barking when mail arrives 9097 faster than it can be picked up. File: pickup/pickup.c. 9098 909920040123 9100 9101 Feature: set smtpd_reject_unlisted_{sender,recipient}=no 9102 to turn off automatic rejection of non-existent local, 9103 virtual or relay addresses. This way it can be made 9104 conditional for local clients, always on for remote clients. 9105 Files: global/mail_params.h, smtpd/smtpd.c, smtpd/smtpd_check.c. 9106 910720040124 9108 9109 Feature: PREPEND in header/body_checks, for message tagging. 9110 File: cleanup/cleanup_message.c. 9111 911220040126 9113 9114 Safety: handle the case that main.cf is updated while it 9115 is being read. File: util/dict.c. 9116 9117 Feature: "instance" attribute that links policy etc. queries 9118 to the same message instance. 9119 9120 Cleanup: the mynetworks setting may now be empty. File: 9121 global/mail_params.c. 9122 912320040127 9124 9125 Bugfix: missing flush_init() call. Introduced 20040105. 9126 File: postqueue/postqueue.c. 9127 912820040128 9129 9130 Cleanup: clnt_stream derived classes now try to detect that 9131 the server has disconnected before sending data and warning 9132 about an error. File: global/clnt_stream.c. 9133 913420040202 9135 9136 Bugfix: changed mis-leading warning about text>4096 characters 9137 into "unexpected end-of-input". File: util/attr_scan0.c. 9138 913920040201 9140 9141 Feature: sasl_method, sasl_username and sasl_sender attributes 9142 in smtpd policy queries. Files: src/smtpd/smtpd_check.c. 9143 914420040204 9145 9146 Safety: smtpd_soft_error_limit now determines when 9147 $smtpd_error_sleep_time starts to take effect. 9148 9149 Cleanup: local(8) and virtual(8) will now create maildirs 9150 in a world-writable directory. Files: util/make_dirs.c. 9151 9152 Bugfix: don't panic on a corrupt queue file. File: 9153 *qmgr/qmgr_message.c. 9154 915520040205 9156 9157 Cleanup: sample-filter.cf is gone. Better documentation is 9158 available with "man header_checks". 9159 916020040209 9161 9162 Bugfix: when delivery to smtpd_proxy_filter fails, report 9163 "451 Queue file write error" instead of repeating the 9164 previous "354 End data with <CR><LF>.<CR><LF>" response. 9165 File: smtpd/smtpd.c. 9166 916720040220 9168 9169 Compatibility: accept and ignore the sendmail -bh and -bH 9170 mode of operation requests. 9171 917220040302 9173 9174 Bugfix: SMTPD proxy didn't send QUIT as the result of code 9175 duplication. Evidence reported by Mark Martinec. File: 9176 smtpd/smtpd.c. 9177 917820040311 9179 9180 Bugfix: bad address syntax was passed to transport map 9181 lookups. Problem reported by Andrei Koulik. File: 9182 util/match_ops.c, trivial-rewrite/resolve.c. 9183 918420040324 9185 9186 Portability: ekkoBSD support by Philip Reynolds. Files: 9187 makedefs, util/sys_defs.h. 9188 918920040325 9190 9191 Cleanup: smtp_skip_4xx_greeting and smtp_skip_5xx_greeting 9192 functionality is moved from connection management to SMTP 9193 protocol processing, so that Postfix now logs the server 9194 response when a server refuses to provide service. Files: 9195 smtp/smtp_connect.c, smtp/smtp_proto.c. 9196 9197 Cleanup: smtp_skip_4xx_greeting is no longer configurable; 9198 it is now permanently turned on. 9199 920020040326 9201 9202 Workaround: in the trivial-rewrite server, turn on the code 9203 to strip trailing "." while rewriting addresses, and change 9204 the address resolver to strip trailing "." in a compatible 9205 manner. This does not eliminate the problem that the SMTP 9206 server may use a different address for recipient validation 9207 than what the cleanup server uses for virtual alias mapping. 9208 920920040329 9210 9211 Bugfix: the SMTP server did not log client (and SASL) 9212 information with the real-time content filter was enabled. 9213 Files: smtpd/smtpd.c, smtpd/smtpd_sasl_proto.c. 9214 9215 Compatibility: smtpd_reject_unlisted_sender is turned off 9216 by default, to avoid trouble with with in-house software 9217 that sends out mail software with an unreplyable address. 9218 921920040331 9220 9221 Bugfix: postdrop should not abandon mail submission after 9222 receiving a SIGHUP signal when SIGHUP was ignored by the 9223 parent process. Victor Duchovni, Morgan Stanley. File: 9224 postdrop/postdrop.c. 9225 9226 Bugfix: parsing bug in PgSQL dictionaries causing UNIX 9227 sockets to be ignored. Liviu Daia. Files: global/dict*sql.c. 9228 9229 Performance: allow MySQL and PgSQL database connections to 9230 be closed when idle for more than 1 minute; Liviu Daia. 9231 Files: global/dict*sql.c. 9232 923320040401 9234 9235 Sanity: the SMTP server no longer accepts sender or recipient 9236 addresses that end in the "@" null domain, as well as 9237 addresses that rewrite into such a form. Specify 9238 "resolve_null_domain=yes" to get the old behavior back. 9239 File: trivial-rewrite/resolve.c. 9240 924120040402 9242 9243 Cleanup: added WARN action support for access maps, for 9244 consistency with the WARN action in header and body checks. 9245 File: smtpd/smtpd_check.c. 9246 924720040407 9248 9249 Bugfix: missing return statement at the end of the 9250 FREE_MEMORY_AND_RETURN error handling macro. Adi Prasaja. 9251 File: trivial-rewrite/resolve.c. 9252 925320040411 9254 9255 Future proofing: client_rate_time_unit is renamed to 9256 anvil_rate_time_unit, so that it is no longer limited to 9257 clients only. File: src/global/mail_params.h. 9258 9259 Cleanup: postalias and postmap now log problems to syslogd. 9260 Files: postalias/postalias.c, postmap/postmap.c. 9261 926220040413 9263 9264 Feature: "postfix set-permissions" (re)sets ownership and 9265 access permissions of Postfix files and directories. 9266 9267 Feature: "postfix upgrade-configuration" updates main.cf 9268 and master.cf. This is for people who people copy over 9269 their old files after installing a newer Postfix version. 9270 9271 Feature: HTML files are now optionally installed under 9272 control of the html_directory configuration parameter. 9273 Files: postfix-install, conf/postfix-files, conf/post-install. 9274 9275 Cleanup: README file installation is now optional. Files: 9276 postfix-install, conf/postfix-files, conf/post-install. 9277 927820040414 9279 9280 Cleanup: references to sample-mumble.cf files removed, 9281 conf/mumble_table files removed, new commands added to 9282 conf/postfix-script. 9283 9284 Cleanups: function declared int but used as void, missing 9285 include file, missing const qualifier, unused variable. 9286 Matthias Andree. Files: bounce/bounce_notify_util.c, 9287 bounce/bounce_service.h, postlog/postlog.c, smtpd/smtpd_check.c, 9288 util/attr_scan64.c. 9289 9290 Bugfix: more robust version of SIGHUP test of 20040331. 9291 Victor Duchovni, Morgan Stanley. File: postdrop/postdrop.c. 9292 9293 Safety: added NOCLOBBER qualifiers to local variables that 9294 might be clobbered by longjmp(). Files: util/sys_defs.h, 9295 smtp/smtp_proto.c, lmtp/lmtp_proto.c, smtpd/smtpd_check.c, 9296 smtpstone/smtp-source.c. 9297 9298 Bugfix: sub-level Makefiles no longer turned on the extra 9299 compiler warnings. Files: Makefile.in.*, makedefs.*. 9300 930120040415 9302 9303 Bugfix: the LMTP client attempted to reuse a connection 9304 after timeout, causing protocol synchronization errors. 9305 Reported by Rob Mueller. File: lmtp/lmtp.c. 9306 930720040416 9308 9309 Cleanup: non-delivery reports now include the original 9310 recipient information. File: bounce/bounce_notify_util.c. 9311 931220040415-18 9313 9314 Typos: many documentation fixes by Rob Foehl. 9315 931620040418 9317 9318 Cleanup: "int" versus "const int" prototype mismatch between 9319 the DICT sequence method prototype and possible implementations. 9320 Files: util/dict_db.c, util/dict_dbm.c. 9321 932220040419 9323 9324 Bugfix: the code that rejects client/helo RESTRICTIONS with 9325 smtpd_delay_reject=no looked at the wrong evidence and 9326 rejected client/helo ACCESS MAP lookups instead. Michael 9327 Tokarev. Files: smtpd/smtpd.c, smtpd/smtpd_check.c. 9328 9329 Bugfix: missing # in master.cf in optional submission 9330 service. 9331 933220040420 9333 9334 Bugfix: smtpd logged the client too often. Michael Tokarev. 9335 File: smtpd/smtpd.c. 9336 9337 Cleanup: client_event_status_update_time renamed to 9338 anvil_status_update_time. Files: mantools/postlink, 9339 proto/postconf.proto, anvil/anvil.c. 9340 934120040421 9342 9343 Workaround: allow pipelined SMTP clients to overshoot the 9344 SMTP server recipient limit without triggering the server 9345 hard error limit. The SMTP server does not count "too many 9346 recipients" towards the hard error limit, as long as the 9347 number of excess recipients stays within a configurable 9348 overshoot limit (default: smtpd_recipient_overshoot_limit 9349 = 1000). Solution in cooperation with Victor Duchovni. 9350 Files: smtpd/smtpd.c, smtpd/smtpd_state.c, smtpd/smtpd.h. 9351 935220040502 9353 9354 Missing test for a never used flag (the problematic and 9355 thus never completed INSPECT feature that doesn't re-inject 9356 mail into Postfix). Victor Duchovni, Morgan Stanley. File: 9357 virtual/virtual.c. 9358 935920040503 9360 9361 Bugfix: missing "sasl enabled" guard in the SMTPD policy 9362 client. File: smtpd/smtpd_check.c. 9363 936420040606 9365 9366 Portability. UnixWare has strcasecmp() in strings.h. Patch 9367 by Andreas Winkelmann. File: util/sys_defs.h. 9368 9369 Portability. The postlink script is transformed from sed(1) 9370 to perl(1). 9371 937220040608 9373 9374 Portability. Introduced SET_H_ERRNO() macro for compilation 9375 environments where h_errno can't be used as an lvalue. 9376 Files: util/sys_defs.h, dns/dns_lookup.c. 9377 9378 Portability. Eliminate assumption on bits per byte from 9379 vbuf_print.c. 9380 938120040614 9382 9383 Bugfix: the SMTP client did not reset per-session EHLO, 9384 SASL, and history information when opening a connection to 9385 an alternate SMTP server. This is the result of abstraction 9386 no longer matching function. Reported and diagnosed by 9387 Victor Duchovni, Morgan Stanley. 9388 9389 Bugfix: non-portable reuse of variadic argument lists. 9390 Fix by Victor Duchovni, Morgan Stanley. Files: global/bounce.c, 9391 global/defer.c, global/sent.c, global/trace.c, global/verify.c. 9392 9393 Portability: NetBSD 2.0 has changed from statfs to statvfs. 9394 John Heasley. File: util/sys_defs.h. 9395 9396 Documentation: typo fixes by IKEDA Nozomu. 9397 939820040616 9399 9400 Bugfix: one missed variadic argument list fix. Victor 9401 Duchovni, Morgan Stanley. File: global/verify.c. 9402 9403 Bugfix: the resolver client cache should be context dependent 9404 because address verification probes may use a different 9405 route than normal mail deliveries. File: global/resolve_clnt.c. 9406 9407 Safety: added similar context dependence to the address 9408 rewriting client in order to avoid trouble when Postfix is 9409 changed. File: global/rewrite_clnt.c. 9410 9411 Bugfix: space in HELO commands could end up in XFORWARD 9412 commands. File: smtpd/smtpd.c. 9413 941420040619 9415 9416 Code reorganization: in preparation for SMTP session caching, 9417 the SMTP client data structures were changed from the 9418 original "one session per delivery request" model to an 9419 explicit "multiple sessions per delivery request" model. 9420 This uncovered ESMTP and SASL missing re-initialization 9421 problems that were fixed in past week. Design by Victor 9422 and Wietse, initial implementation by Victor Duchovni. 9423 942420040620 9425 9426 Future proofing: after the reorganization of SMTP request 9427 state and session state, added code to the smtp client 9428 error handling routines to more consistently deal with the 9429 possibility that session information is not available. 9430 943120040621 9432 9433 Feature: directory=pathname option for the pipe(8) delivery 9434 agent. This allows a command to run from a fixed directory. 9435 Failure to change directory causes delivery to be deferred. 9436 Files: pipe/pipe.c. 9437 9438 Feature: command_execution_directory for local(8) delivery 9439 to external command. This supports the usual $home etc. 9440 expansions, subject to filtering with the character set 9441 specified with $execution_directory_expansion_filter. 9442 Failure to change directory causes delivery to be deferred. 9443 Files: global/mail_params.h, local/command.c. 9444 9445 Support for external command execution directory. Files: 9446 global/pipe_command.[hc]. 9447 944820040622 9449 9450 Safety: when mail is delivered to a transport with per-delivery 9451 recipient limit of 1, split the recipient address on the 9452 recipient delimiter if one is defined, so that extended 9453 addresses don't get extra delivery concurrency slots. 9454 Files: *qmgr/qmgr_message.c. 9455 945620040623 9457 9458 Workaround for fragile clients: add microsecond time to 9459 maildir filename. Files: virtual/maildir.c, local/maildir.c. 9460 946120040628-20040701 9462 9463 SMTP connection caching work with Victor Duchovni. 9464 9465 New module (later renamed to global/scache_single.c) for 9466 protocol-independent session caching. The initial 9467 implementation supports in-process, single-session caching 9468 only. A later version will support a central session cache 9469 daemon. Some more work is needed for passivation/activation 9470 of session attributes. 9471 9472 New function vstream_fdclose() to destroy a VSTREAM while 9473 leaving the underlying file(s) open. Files: util/vstream.[hc]. 9474 9475 New function dns_rr_remove() to remove one record from a 9476 resource record list. Some more work is needed to turn the 9477 list into a doubly-linked one. Files: dns/dns.h, dns/dns_rr.c. 9478 9479 Restructuring of the SMTP protocol engine for session 9480 caching. File: smtp/smtp_proto.c. 9481 9482 Restructuring of the connection management module, and 9483 first implementation of SMTP connection caching. To enable, 9484 specify an smtp_connection_cache_time value greater than 9485 zero. The time unit is seconds. File: smtp/smtp_connect.c. 9486 9487 New code to passivate and re-activate SMTP_SESSION objects, 9488 and isolation of session save/lookup in its own module. 9489 Files: smtp/smtp_session.c, smtp/smtp_reuse.c. 9490 9491 Refinement: smtp_cache_reuse_limit parameter to bound the 9492 number of times a session may be reused. 9493 9494 Refinements: when a session comes from the cache, give it 9495 back to the cache anyway (even when it will not be listed 9496 under the next-hop destination name). 9497 9498 Future refinements should also include a bound on the number 9499 of consecutive and total non-delivering uses and other 9500 statistics. 9501 950220040714 9503 9504 Bugfix: the code to eliminate the local MTA from the MX 9505 address list did not handle the case that inet_interfaces 9506 produced a less preferred match than proxy_interfaces. 9507 Victor Duchovni, Morgan Stanley. File: smtp/smtp_addr.c. 9508 950920040715 9510 9511 Resume work on SMTP session caching. All good sessions 9512 are now cached under their IP address. As before, only the 9513 first good session per delivery request is cached under 9514 the original next-hop destination. 9515 9516 At this point, SMTP session caching works, with a session 9517 cache client module that uses in-process session caching. 9518 This is sufficient to demonstrate that the SMTP client is 9519 ready for session caching. 9520 952120040716 9522 9523 New modules to send file descriptors from one process into 9524 another one. This will be needed for implementing a central 9525 connection cache manager daemon. Most systems use UNIX-domain 9526 sockets as the transport for this. On Solaris we use streams 9527 instead. Applications are supposed to invoke LOCAL_SEND_FD() 9528 and LOCAL_RECV_FD(). Files: {unix,streams}_{send,recv}_fd.c. 9529 953020040717 9531 9532 First implementation of a session caching client API that 9533 actually sends to/receives from a caching server process. 9534 The old in-process, single-session caching functionality 9535 is preserved as global/scache_single.c, so that we can use 9536 it for bootstrapping the session cache server. File: 9537 global/scache_clnt.c. 9538 9539 First implementation of the scache session cache server, 9540 using the same in-process session caching code that was 9541 used to bootstrap the SMTP client. File: scache/scache.c. 9542 954320040718 9544 9545 Performance: the default RSET timeouts are reduced from 9546 120s to 20s. Perhaps there should be different RSET timeout 9547 for address probes and for session cache checks. File: 9548 global/mail_params.h. 9549 955020040719 9551 9552 Multi-session connection cache module. Implementing this 9553 was actually the easiest part of the entire connection 9554 caching project. File: global/scache_multi.c. 9555 955620040720 9557 9558 Bugfix: event_drain() falsely reported a single-entry timer 9559 queue as empty. File: util/events.c. 9560 9561 Completed the multi-session cache support for SMTP. The 9562 code can be stress tested with a driver program that reads 9563 commands from a script. It is not practical to manually 9564 test the effects of collisions in the time or in name space 9565 domains. File: global/scache.c. 9566 956720040721 9568 9569 Feature: the session cache server now logs cache hit and 9570 miss statistics every $session_cache_status_update_time 9571 seconds (default: 600s), as well as upon process exit. 9572 File: scache/scache.c. 9573 957420040722 9575 9576 Workaround: LINUX 2.4 has trouble with mixed data and file 9577 descriptor traffic on UNIX-domain stream sockets. 9578 Specifically, it cannot handle data write (read) followed 9579 by file descriptor send (receive): the receiver hangs in 9580 recvmsg(). Workaround is to insert an intervening read 9581 (write) operation. Presumably, LINUX 2.4 is confusing the 9582 data and file descriptor. Lucky Ralf Hildebrandt. Files: 9583 util/sys_defs.h, global/scache_clnt.c, scache/scache.c. 9584 958520040723 9586 9587 Safety: spawn(8) now rejects a user with the -1 UID or GID 9588 value, so that commands will not end up running as root. 9589 Files: util/spawn_command.c, spawn/spawn.c. 9590 9591 User interface: parameter smtp_connection_cache_domains 9592 renamed to smtp_connection_cache_destinations. Destinations 9593 listed here must be specified without [] or :port. File: 9594 smtp/smtp_connect.c. 9595 9596 Bugfix: "421 Timeout exceeded" wasn't guarded by setjmp(). 9597 Victor Duchovni, Morgan Stanley. File: smtpd/smtpd.c. 9598 959920040729 9600 9601 Feature: enable SMTP session caching temporarily while a 9602 postfix is able to schedule back-to-back deliveries. 9603 Parameter: smtp_connection_cache_on_demand (default: 9604 yes). Files: smtp/smtp_connect.c, *qmgr/qmgr_entry.c, 9605 *qmgr/qmgr_queue.c, *qmgr/qmgr_deliver.c. 9606 9607 Feature: smtp-source -N option to generate unique recipient 9608 addresses for (trivial-rewrite) stress testing. Victor 9609 Duchovni, Morgan Stanley. File: smtpstone/smtp-source.c. 9610 961120040730 9612 9613 Safety: disallow "opportunistic session caching" when the 9614 queue manager is unable to schedule back-to-back deliveries. 9615 File: *qmgr/qmgr_entry.c. 9616 961720040731 9618 9619 Hysteresis: turn on "opportunistic session caching" when 9620 back-to-back deliveries happen, but don't turn if off 9621 until both concurrent and back-to-back delivery ends. 9622 962320040801 9624 9625 Workaround: disable session caching for Linux < 2.2 (does 9626 not work) or Glibc < 2 (does not compile). Files: 9627 util/sys_defs.h, util/unix_{recv,send}_fd.c. 9628 9629 Portability: h_errno is not an lvalue in the UnixWare 7.1 9630 multi-threaded environment. Olivier PRENANT. 9631 963220040812 9633 9634 Bugfix: update SMTP server error counter when a client is 9635 denied access with smtpd_delay_reject=no. 9636 963720040816 9638 9639 Bugfix: The smtp_chat_cmd() forced output flushing code in 9640 the SMTP client could run before an I/O error handler was 9641 set up. Problem diagnosed by Victor Duchovni, Morgan 9642 Stanley. The fix is to disable the smtp_chat_cmd() forced 9643 output flushing code as it duplicates better code in 9644 smtp_loop(). File: smtp/smtp_chat.c. 9645 9646 Safety: set up an I/O error handler before the smtp_loop() 9647 protocol engine starts; this handler logs a warning in case 9648 it ever runs, because that means someone broke ESMTP command 9649 pipelining. File: smtp/smtp_proto.c. 9650 9651 Feature: canonical_classes parameter by Kimmo Suominen, to 9652 control what addresses are rewritten by canonical_maps. 9653 Files: cleanup/cleanup_addr.c, cleanup/cleanup_message.c. 9654 965520040817 9656 9657 Bugfix: update the vstream I/O time AFTER the completion 9658 of an I/O request, so that time-sensitive applications 9659 don't force flush output too soon and possibly trigger 9660 NAGLE delays. Problem diagnosed by Victor Duchovni, Morgan 9661 Stanley. File: util/vstream.c. 9662 9663 Portability: avoid postmap/postalias test file name clashes 9664 on Windows. Ian Lance Taylor (of Taylor UUCP fame). 9665 966620040823 9667 9668 Bugfix: vstream_popen() did not close the child pipe 9669 after failure to fork(). File: util/vstream_popen.c. 9670 967120040826 9672 9673 Feature: support for systems with closefrom(), and emulation 9674 for those without. Andrew Brown. Files: util/sys_defs.h, 9675 util/sys_compat.c. 9676 967720040827 9678 9679 Feature: {sender,recipient}_canonical_classes parameters, 9680 which give better control than sender_canonical_classes. 9681 Files: cleanup/cleanup_addr.c, cleanup/cleanup_message.c. 9682 9683 Feature: the proxymap client now recognizes when a map 9684 can't be proxied, and will open it directly instead. This 9685 makes proxy maps easier to use for virtual mailbox domains. 9686 File: global/dict_proxy.c. 9687 9688 Feature: smtp_sasl_mechanism_filter restricts what remote 9689 SMTP server mechanism names the Postfix SMTP client passes 9690 on to the SASL library. Victor Duchovni, Morgan Stanley. 9691 Files: smtp/smtp.c. smtp/smtp_sasl_glue.c, smtp/smtp_sasl_proto.c. 9692 969320040828 9694 9695 User interface: when no recipients are specified, the 9696 Postfix sendmail command now terminates with status EX_USAGE 9697 instead of accepting the mail first and bouncing it later. 9698 This gives more direct feedback in case of a common client 9699 configuration error. File: sendmail/sendmail.c. 9700 970120040829 9702 9703 Portability: Solaris closefrom() support didn't work for 9704 non-SUN compilers. Victor Duchovni, Morgan Stanley. 9705 970620040830 9707 9708 Feature: the scache(8) session cache manager now logs the 9709 peak counts of destinations, endpoints and sessions. Files: 9710 scache/scache.c, global/scache*c. 9711 971220040831 9713 9714 Portability: disable session caching support on SCO 5 9715 because of incompatible sockets API. File: util/sys_defs.h. 9716 971720040913 9718 9719 Bugfix (introduced 20020803): sent the wrong bounce message 9720 type when a Delivered-To: loop was detected for a mailing 9721 list alias. Nicolas Riendeau. File: bounce_notify_util.c. 9722 972320040918 9724 9725 Feature: authorized_flush_users, authorized_mailq_users, 9726 authorized_submit_users to restrict what users can flush 9727 the queue, list the queue, or submit mail locally. Based 9728 on code by Victor Duchovni, Morgan Stanley. Files: 9729 sendmail/sendmail.c, postdrop/postdrop.c, postqueue/postqueue.c, 9730 global/user_acl.[hc]. 9731 9732 Feature: discard(8) mail delivery agent. Victor Duchovni, 9733 Morgan Stanley. File: discard/discard.c. 9734 973520041002 9736 9737 Long overdue, a master(5) manual page based on an initial 9738 version by Magnus Baeck. 9739 9740 By popular demand, a postfix-manuals.html web page with 9741 totally useless links to UNIX-style manual pages (the same 9742 information should already be available simply by typing 9743 "apropos postfix"). To keep newbies from getting completely 9744 lost due to information overload, the document starts with 9745 a list of actually useful pointers to Postfix introductions, 9746 duplicated from the already existing documents.html. 9747 974820041006 9749 9750 Bugfix: "sendmail -bv" did not reject the -t option. File: 9751 sendmail/sendmail.c. 9752 975320041007 9754 9755 Feature: SASL authentication attributes are now stored in 9756 queue files and passed on to delivery agents, by Leandro 9757 Santi. Files: deliver_pass.c, deliver_request.c, 9758 qmgr_deliver.c, qmgr_message.c, pipe.c, smtpd.c. 9759 976020041009 9761 9762 Feature: per SMTP client message rate limit and recipient 9763 rate limit, by Ragnar Lonn, GHN network technologies. 9764 Files: smtpd/smtpd.c, anvil/anvil.c, global/anvil_clnt.[hc]. 9765 9766 Incompatibility: smtpd_client_connection_limit_exceptions 9767 renamed to smtpd_client_event_limit_exceptions, because it 9768 now also controls message and recipient rate limit control. 9769 977020041013 9771 9772 Portability: AIX 5.1/GCC. 9773 977420041014-23 9775 9776 Postfix no longer appends the local domain to header 9777 addresses from remote clients. Instead, Postfix either 9778 does not rewrite those headers at all, or it appends the 9779 domain specified with the new remote_header_rewrite_domain 9780 parameter. 9781 9782 Postfix still appends $@myorigin or .$mydomain to headers 9783 from the Postfix sendmail command, or from clients listed 9784 with the new local_header_rewrite_clients parameter (default: 9785 permit_mynetworks, permit_sasl_authenticated). 9786 9787 These changes affect the SMTP server (including XFORWARD 9788 support), the cleanup server (do or don't rewrite headers), 9789 the trivial-rewrite server (append local domain or surrogate 9790 remote domain to incomplete addresses), the queue manager 9791 (send additional attributes to delivery agents), the LMTP 9792 and SMTP clients (XFORWARD support), and the local delivery 9793 agent (preserve XFORWARD attributes when forwarding mail). 9794 979520041016 9796 9797 Bugfix: attr_clnt_request() did not properly skip hash 9798 table arguments. Luc Pardon, Skopos Consulting. File: 9799 util/attr_clnt.c. 9800 980120041018 9802 9803 The NIS+ module by Geoff Gibbs is now part of Postfix. 9804 Files: util/dict_nisplus.c, proto/nisplus_table. 9805 980620041019 9807 9808 Support for Errors-To: is permanently removed. 9809 981020041022 9811 9812 Bugfix: "smtp_connection_cache_on_demand=no" could crash 9813 the SMTP client. File: smtp/smtp_connect.c. 9814 9815 Robustness: extra sanity checks. Files: util/dict_db.c, 9816 util/dict_dbm.c, dict_nis.c. 9817 981820041025 9819 9820 Initial merge of Lutz Jaenicke's TLS patch. Initial rewrite 9821 of tlsmgr to eliminate some code duplication and to postpone 9822 calls into OpenSSL until after dropping privileges. 9823 982420041030 9825 9826 Compatibility: "session cache" renamed to "connection cache" 9827 to avoid confusion with the TLS session cache. 9828 982920041102 9830 9831 Feature: smtpd_end_of_data_restrictions allow you to specify 9832 restrictions at the end of the SMTP DATA command. The syntax 9833 is identical to that of the smtpd_data_restrictions feature. 9834 This introduces a new END-OF-DATA protocol state for the 9835 external policy server. Files: proto/SMTPD_POLICY_README.html, 9836 proto/SMTPD_ACCESS_README.html, smtpd/smtpd_check.c. 9837 983820041111 9839 9840 Cleanup: terminate the dict_eval() result buffer for verbose 9841 logging. Victor Duchovni, Morgan Stanley. File: util/dict.c. 9842 984320041112 9844 9845 Cleanup: be more careful when saving and restoring resolver(3) 9846 options to avoid problems with an HP-UX security patch 9847 (change introduced 20031215). File: dns/dns_lookup.c. 9848 984920041115 9850 9851 Bugfix: the test for "no debugger_command" was wrong. 9852 Leandro Santi. File: global/debugger_command.c. 9853 985420041117 9855 9856 Robustness: the master-child protocol now includes a process 9857 generation number besides the child process ID. The process 9858 generation number is incremented by one each time the master 9859 creates a child process. Child-to-master status updates 9860 with the wrong generation number are ignored, instead of 9861 triggering a consistency error in the master server. Files: 9862 master/*server.c, master/master_status.c, master/master_spawn.c. 9863 986420041118 9865 9866 Bugfix: the "local_header_rewrite_clients" feature (20041023) 9867 did not recognize "bare" lookup tables as documented. Victor 9868 Duchovni, Morgan Stanley. File: smtpd/smtpd_check.c. 9869 9870 Bugfix: the "local_header_rewrite_clients" feature (20041023) 9871 was broken because the local delivery agent passed on a 9872 bogus attribute value when forwarding internally generated 9873 mail, causing the mail to be rejected by the cleanup server. 9874 File: local/dotforward.c. 9875 9876 Bugfix: the "local_header_rewrite_clients" feature (20041023) 9877 was broken because the pickup server always overwrote origin 9878 information. Files: pickup/pickup.c, cleanup/cleanup_state.c, 9879 *qmgr/qmgr_message.c. 9880 9881 Workaround: enable the "can't write before sending a file 9882 descriptor" workaround for Solaris. Problem reported by 9883 Victor Duchovni for Solaris 2.5.1, but we play safe and 9884 enable it unconditionally. 9885 988620041120 9887 9888 The TLS support routines are moved to a "tls" directory, 9889 and are published via the "libtls.a" object library. 9890 989120041122 9892 9893 Infrastructure: support for binary attribute values 9894 (ATTR_TYPE_DATA) in Postfix IPC messages. Files: 9895 util/attr_scan*c, util/attr_print*c. 9896 989720041123-20041205 9898 9899 TLS support: via a process of gradual transformation, 9900 decomposed Lutz Jaenicke's pfixtls.c into separate modules 9901 for clients, servers, certificate verification, session 9902 caching, and PRNG management. Global variables were eliminated 9903 so that the code now supports multiple client and/or server 9904 contexts in the same process. Files: tls/*.[hc]. 9905 990620041205 9907 9908 TLS support: eliminated shared access (and locking) of the 9909 TLS PRNG exchange file and TLS session caches. Instead, 9910 Postfix uses a client-server protocol, and the tlsmgr 9911 becomes the sole mediator. This eliminated the need for 9912 1000+ lines of SDBM support, and eliminated the need for 9913 running a persistent tlsmgr process on systems don't enable 9914 TLS in main.cf. 9915 991620041124 9917 9918 Feature: configurable list of forbidden SMTP commands 9919 (default: smtpd_forbidden_commands = CONNECT, GET, POST) 9920 after which the Postfix SMTP server disconnects immediately. 9921 The SMTP server always disconnects immediately when the 9922 client sends a message header instead of an SMTP command. 9923 Magnus Baeck. File: smtpd/smtpd.c. 9924 992520041207 9926 9927 CDB support by Michael Tokarev, documentation by Victor 9928 Duchovni. Files: util/dict_cdb.[hc], global/mkmap_cdb.c. 9929 993020041209 9931 9932 Completed support for the Berkeley DB sequence operator. 9933 This is needed for finding and deleting old entries in TLS 9934 session databases. File: util/dict_db.c. 9935 9936 Bugfix: the DBM client's sequence operator used exclusive 9937 locking instead of shared locking. File: util/dict_dbm.c. 9938 9939 Feature: dump an entire database with the new postmap/postalias 9940 "-s" option. This works only for database types with Postfix 9941 sequence operator support: hash, btree, dbm, and sdbm. 9942 Files: postmap/postmap.c, postalias/postalias.c. 9943 994420041212 9945 9946 Solaris 10/ix86 chroot setup script update by J.D. Bronson. 9947 9948 TLS support: cosmetic changes to comments and messages; 9949 completed the code for the master -> tlsmgr trigger handshake, 9950 so that the master no longer complains about trigger 9951 responses timing out. 9952 995320041213 9954 9955 Updated the SDBM dictionary interface. It had fallen behind 9956 with the Postfix dictionary interfaces that were already 9957 bundled with Postfix. Files: util/dict_sdbm.[hc]. 9958 9959 Cleanup: "postconf -m" (show all available map types) now 9960 produces sorted output. File: util/dict_open.c. 9961 996220041215 9963 9964 No bugfix: tests with the new "postmap -s" feature show 9965 that SDBM first/next operations never worked with Postfix/TLS 9966 patch 20040829 (verified with the 20040829 dict_sdbm.c 9967 module on Linux and FreeBSD). The code stops after finding 9968 one database element. Other SDBM versions found on the 9969 Internet will find all database entries, but report an I/O 9970 error after the last database element is found. All this 9971 would be easy enough to fix, but the SDBM library is not 9972 part of Postfix, and never will be. 9973 9974 Bugfix: the sequence operator in the DBM and SDBM clients 9975 released the shared lock after reading the next key but 9976 before reading the corresponding value. This was never a 9977 problem, because the sequence operator was used only in 9978 the Postfix/TLS patch. This used the SDBM sequence operator 9979 which didn't work as discussed above. Files: util/dict_dbm.c, 9980 util/dict_sdbm.c. 9981 9982 Feature: the local(8) and pipe(8) delivery agents now make 9983 the following attributes available upon delivery (with 9984 local(8) names must be spelled in upper case): client_hostname, 9985 client_address, client_protocol, client_helo, sasl_method, 9986 sasl_sender, sasl_username. Files: local/command.c, 9987 pipe/pipe.c, and lots of documentation. 9988 998920041216 9990 9991 "postcat -o" now prints queue file record offsets; this is 9992 useful for debugging. File: postcat/postcat.c. 9993 9994 NON-PRODUCTION Bugfix: (bug introduced while adopting the 9995 Postfix/TLS patch): the new TLS certification call-back 9996 routine expects that the peer hostname is in 9997 tlscontext->peername_save, but the TLS server code never 9998 updated this field. File: tls/tls_server.c. 9999 1000020041218 10001 10002 Feature: selective suppression of SMTP extensions (pipelining, 10003 starttls, auth, etc.); this is useful to work around broken 10004 clients or servers. Specify a list of EHLO keywords with 10005 the smtp(d)_discard_ehlo_keywords parameters, or specify 10006 one or more lookup tables, indexed by remote network address, 10007 with the smtp(d)_discard_ehlo_keyword_address_maps parameters. 10008 EHLO keyword lists are case insensitive. Files: 10009 util/name_mask.[hc], global/ehlo_mask.[hc], smtpd/smtpd.c, 10010 smtp/smtp.c, smtp/smtp_proto.c. 10011 1001220041219 10013 10014 Bugfix: postcat without -o was broken. File: postcat/postcat.c. 10015 1001620041220 10017 10018 NON-PRODUCTION Bugfix: (bug introduced while adopting 10019 Postfix/TLS patch): don't call smtp_flush() after return 10020 from vstream_setjmp(), we'll call you. File: smtpd/smtpd.c. 10021 10022 Dummy VSTREAM read-write routines. Files: util/dummy_read.c, 10023 util/dummy_write.c. 10024 1002520041221 10026 10027 Fixes for TLS_README by Victor Duchovni. File: 10028 proto/TLS_README.html. 10029 10030 NON-PRODUCTION Bugfix: (bug introduced while adopting 10031 Postfix/TLS patch). The client code had become too similar 10032 to the server implementation, and also required a host 10033 certificate and key. Fix by Victor Duchovni. File: 10034 tls/tls_client.c. 10035 1003620041221 10037 10038 Bugfix: further postcat corner cases. 10039 1004020041223 10041 10042 Cosmetic: don't log disconnect events as I/O errors. 10043 File: tls/tls_bio_ops.c. 10044 1004520041221-9 10046 10047 Infrastructure: unified IPv4/IPv6 name/address API so that 10048 Postfix can support IPv6 without #ifdef INET6 everywhere. 10049 In particular, we allow #ifdef in libraries but avoid it 10050 in applications. Files: util/myaddrinfo.[hc], 10051 util/sock_addr.[hc], dns/dns_rr_to_pa.c, dns/dns_sa_to_rr.c, 10052 dns/dns_rr_eq_sa.c, dns/dns_rr_to_sa.c, inet_proto.[hc]. 10053 10054 Postfix no longer attempts to deliver mail via IPv6 when 10055 the system has no IPv6 connectivity. Network protocol 10056 support is now selected with the "inet_protocols" configuration 10057 parameter, instead of "inet_interfaces". The "inet_protocols" 10058 parameter also controls what DNS lookups Postfix will do. 10059 10060 Infrastructure: eliminated two host/port parsing routines. 10061 Only one survives: host_port(), in an extended form that 10062 allows for missing host or missing service information but 10063 not both. File: util/host_port.c. 10064 1006520041229 10066 10067 Milestone: Postfix with the unified IPv4/IPv6 socket/name 10068 API builds without compiler error on IPv4-only system and 10069 actually works. 10070 1007120041228 10072 10073 Bugfix: SMTPD_PROXY_README incorrectly claimed that ":port" 10074 in master.cf causes a server to listen only on "localhost" 10075 without exposing the service to the network. Instead, 10076 ":port" causes a client to connect to "localhost". 10077 1007820041231 10079 10080 Linux workaround: when mynetworks isn't set, a chrooted 10081 process could not read the IPv6 address information from 10082 /proc. We now invoke own_inet_addr() before chrooting, 10083 while processing main.cf. File: global/mail_params.c. 10084 1008520050101 10086 10087 Workaround for (Linux) systems without IPV6_V6ONLY support 10088 (RFC 3493). When Postfix listened on an IPv4 wild-card 10089 smtp socket, the IPv6 wild-card smtp listener would fail 10090 with EADDRINUSE (and vice versa). File: util/myaddrinfo.c. 10091 1009220050103 10093 10094 Safety: when the IPV6 netmask can't be determined, assume 10095 /128 (host only). File: util/inet_addr_local.c. 10096 1009720050104 10098 10099 Re-implemented IPv6 support for net/mask pattern matching. 10100 Files: util/cidr_match.[hc], util/dict_cidr.c, 10101 util/match_ops.[hc], proto/cidr_table. 10102 1010320050105 10104 10105 Moved mask_addr() to its own module so that it could also 10106 be called by mynetworks() and inet_addr_local() to remove 10107 non-zero host bits from IPv6 network/mask patterns. File: 10108 util/mask_addr.c. 10109 1011020050108 10111 10112 Re-implemented IPv6 support for network interface lookup 10113 via the Linux /proc file system. File: util/inet_addr_local.c. 10114 1011520050111 10116 10117 Feature: specify "inet_interfaces = loopback-only" for 10118 servers that must listen on local interfaces only, without 10119 having to specify IPv4 and/or IPv6 addresses in main.cf or 10120 master.cf. File: global/own_inet_addr.c. 10121 10122 Workaround: AIX 5.1 getaddrinfo() can't handle a null host 10123 argument with AI_PASSIVE. Instead we specify an explicit 10124 protocol family, a host of "::" or "0.0.0.0", and turn off 10125 IPV6_V6ONLY. Files: util_myaddrinfo.c, util/inet_listen.c. 10126 10127 Workaround: AIX 5.1 getaddrinfo() can't handle a "0" service 10128 argument. Instead we specify "1". Files: util/inet_addr_host.c. 10129 1013020050113 10131 10132 Cleanup: now that the over-all structure is proving itself, 10133 clean up some internal APIs to increase robustness and get 10134 rid of some clumsiness. Mainly, the getaddrinfo(3) interface. 10135 10136 Start-up performance: the hash_queue_names default setting 10137 is reduced from eight directories to just defer and deferred. 10138 This reduces time for checking the Postfix queue. Files: 10139 conf/post-install, global/mail_params.h. 10140 1014120050114 10142 10143 Further cleanup: eliminate duplicate IPv6 results when the 10144 mynetworks value is generated by Postfix. More documentation 10145 of the new internal APIs. 10146 10147 Performance: reduced start-up delay by moving warning-only 10148 startup checks into the background. File: conf/postfix-script. 10149 1015020050115 10151 10152 Further hardening of the IPv6 support: don't trust system 10153 libraries to protect Postfix against malformed IPv6 address 10154 literals. Their syntax is complex enough that errors are 10155 likely. Files: global/resolve_local.c, util/valid_hostname.c. 10156 10157 Further cleanup: RFC 2821 requires the IPv6: prefix with 10158 IPv6 address strings. The smtp and qmqp servers maintain 10159 separate address instances, the bare address and the RFC 10160 2821 compatible form, and use each where appropriate. This 10161 strict separation simplifies address syntax checks as well 10162 as the implementation of XCLIENT and XFORWARD. 10163 1016420050116 10165 10166 Infrastructure: new valid_mailhost_addr() routine to verify 10167 that an address literal satisfies RFC 2821. An IPv4 address 10168 is in dotted-quad decimal form, and an IPv6 address is in 10169 hexadecimal form, with the "IPv6:" prefix. Files: 10170 global/valid_mailhost_addr.[hc]. 10171 10172 Further cleanup: valid_hostname() no longer allows network 10173 addresses or numerical domain names. While it made some 10174 sense with IPv4 dotted quad decimal forms, with IPv6 it 10175 just made no sense anymore. Again, being stricter actually 10176 simplifies code. Files: util/valid_hostname.c and a 10177 surprisingly small number of valid_hostname() callers that 10178 did not reject numerical forms. 10179 10180 Bugfix: in the Postfix 2.2 SMTP client, the debug_peer_init() 10181 call was moved to the after-chroot initialization. 10182 1018320050117 10184 10185 Performance: reduced start-up delay by moving warning-only 10186 startup checks into the background; they now start after 10187 one minute to allow the system to finish booting. File: 10188 conf/postfix-script. 10189 10190 Milestone: first non-non-production snapshot with IPv6. 10191 1019220050119 10193 10194 Milestone: first non-non-production snapshot with TLS. 10195 1019620050124 10197 10198 Workaround: don't send mail to $fallback_relay if Postfix 10199 is MX host for the next-hop destination. This is, however, 10200 a partial solution. The documentation has been updated to 10201 cover all the cases where a fallback_relay could interfere 10202 with the operation of a backup or primary MX host. Files: 10203 smtp/smtp_addr.c, smtp/smtp_connect.c. 10204 1020520050127 10206 10207 Configuration: Postfix daemons that need privileged operation 10208 (such as local, pipe, or spawn) now log a fatal error when 10209 they are configured in master.cf as unprivileged. 10210 1021120050130 10212 10213 Cleanup: simplified the handling of receive_override_options 10214 settings. Files: pickup/pickup.c, smtpd/smtpd.c, qmqpd/qmqpd.c, 10215 global/input_transp.c. 10216 10217 Feature: permit_inet_interfaces allows a request when the 10218 client matches $inet_interfaces. This is used for generic 10219 access restrictions and for header address rewriting control. 10220 Files: global/mail_params.h, smtpd/smtpd_check.c. 10221 10222 Cleanup: by default, message header address rewriting is 10223 now enabled only for mail that originates from the machine 10224 itself. Files: global/mail_params.h, smtpd/smtpd_check.c. 10225 1022620050131 10227 10228 Bugfix: when extracting recipients from message headers, 10229 the Postfix sendmail command produced output records longer 10230 than $line_length_limit, causing postdrop to reject the 10231 mail. Diagnosis by Victor Duchovni. File: sendmail/sendmail.c. 10232 1023320050202 10234 10235 Cleanup: explicit Makefile targets for "make package" and 10236 "make non-interactive-package" to create ready-to-install 10237 packages for distribution to other systems. Added extra 10238 sanity checks to prevent attempts to overwrite your running 10239 Postfix instance. Files: Makefile.in, proto/PACKAGE_README. 10240 10241 Cleanup: when bounce_queue_lifetime > maximal_queue_lifetime, 10242 it is adjusted to maximal_queue_lifetime, and a warning is 10243 logged. Files: *qmgr/qmgr.c. 10244 1024520050203 10246 10247 Cleanup: trivial-rewrite now restarts more timely after 10248 changes in lookup tables. Of the all the alternatives 10249 tested, the simplest one produces the most bang for the 10250 buck. The other code is left in place for illustrative 10251 purposes. File: trivial-rewrite/trivial-rewrite.c. 10252 10253 Cleanup: sendmail no longer ignores null command-line 10254 recipients. File: sendmail/sendmail.c. 10255 10256 Cleanup: "postfix start" background checks moved back to 10257 the foreground so they can be stopped more easily. File: 10258 conf/postfix-script. 10259 1026020050204 10261 10262 Feature: REPLACE command in header/body_checks (implemented 10263 as a combination of PREPEND and IGNORE) by Bastiaan Bakker. 10264 File: cleanup/cleanup_message.c. 10265 10266 Cleanup: linted the manual pages for consistency in the 10267 way manuals are referenced, and in the presentation of 10268 command examples. Files: mantools/manlint, mantools/fixman, 10269 mantools/postconf2man. 10270 1027120050205 10272 10273 Cleanup: updated the mass-deletion example in the postsuper 10274 manual. 10275 1027620050206 10277 10278 Cleanup: don't count a [45]XX SMTP server greeting towards 10279 the mx_session_limit setting. File: smtp/smtp_connect.c. 10280 10281 Feature: output address rewriting in the SMTP client. The 10282 smtp_generic_maps parameter specifies an address mapping 10283 that happens only when mail is delivered via SMTP. This is 10284 typically used for hosts without a valid domain name, that 10285 use something like localdomain.local instead. This feature 10286 can replace local mail addresses by valid Internet mail 10287 addresses when mail needs to go across the Internet, but 10288 not when mail is sent between accounts on the local machine. 10289 Files: smtp/smtp_proto.c, smtp/smtp_map11.c. 10290 10291 Cleanup: don't panic in mymalloc() when master can't find 10292 any IP addresses. LaMont Jones. File: master/master_ent.c. 10293 1029420050207 10295 10296 Documentation: added a generic(5) manual page for consistency 10297 with the already existing table driven mechanisms, added 10298 references to or examples of the new generic mapping. 10299 10300 Bugfix: the header_checks REPLACE action mis-handled 10301 multi-line replacement text in message headers, for example: 10302 /(.*)/ REPLACE X-$1. File: cleanup/cleanup_message.c. 10303 10304 Bugfix: the header_checks REPLACE action should not drop 10305 the input when the action is NOT executed. File: 10306 cleanup/cleanup_message.c. 10307 10308 Bugfix? Cleanup? Documentation? main.cf now implements 10309 ${name[?:]value} as promised in the postconf(5) manual. 10310 Implemented by deleting the macro processor in dict_eval(), 10311 and using the one in mac_expand() instead. File: util/dict.c. 10312 1031320050208 10314 10315 Feature: check_ccert_access maptype:mapname for access(5) 10316 control, based on code by Victor Duchovni. File: 10317 smtpd/smtpd_check.c and documentation. 10318 10319 Safety: don't allow unlimited message size with limited 10320 mailbox size. File: local/local.c, virtual/virtual.c. 10321 10322 Feature: new smtpd policy attributes ccert_subject, 10323 ccert_issuer and ccert_fingerprint, with TLS client 10324 certificate information, but only when verification was 10325 successful. Files: src/smtpd/smtpd_check.c. 10326 10327 Cleanup: corrected the address verification data flow in 10328 the ADDRESS_VERIFICATION_README illustration. 10329 1033020050209 10331 10332 Cleanup: the smtp generic mapping did syntax check on the 10333 input address instead of the result. These tests were not 10334 going to be useful in any case, because mail_addr_map() 10335 canonicalizes the lookup result, including @dom1->@dom2 10336 mapping. File: smtp_map11.c. 10337 10338 Cleanup: made the generic mapping documentation consistent 10339 with the implementation. 10340 10341 Cleanup: documented the myorigin/mydomain address rewriting 10342 in canonical, generic and virtual alias maps. 10343 10344 Feature: updated LDAP and *SQL query interfaces using a 10345 common infrastructure so that all have the same feature set 10346 where possible. Victor Duchovni and many others. This code 10347 was tested separately and was merged into the main stream 10348 20050308. Files: global/db_common.[hc], global/dict_ldap.c, 10349 global/dict_mysql.c, global/dict_pgsql.c, plus documentation. 10350 1035120050210 10352 10353 Bugfix: spurious fallback_relay warnings after 20050202. 10354 Victor Duchovni. File: smtp/smtp_connect.c. 10355 10356 Bugfix: (introduced while adopting Postfix/TLS patch) the 10357 TLS cache scan stopped after expiring one entry. Victor 10358 Duchovni. File: tls/tls_scache.c. 10359 10360 Safety: delete-behind when removing expired entries from 10361 TLS session caches. With some maps the enumeration method 10362 mis-behaves when the current entry is deleted. File: 10363 tls/tls_scache.c. 10364 1036520050211 10366 10367 Cleanup: the "generics" feature (output address rewriting) 10368 is renamed to "generic", for consistency with "canonical" 10369 and "virtual". 10370 1037120050212 10372 10373 Cleanup: remove old trace(8) logfile before attempting 10374 delivery (and after locking the message file exclusively). 10375 Files: *qmgr/qmgr_message.c. 10376 10377 Cleanup: don't parse-then-regenerate message headers when 10378 no address is changed by address rewriting operations. This 10379 behavior was copied from the SMTP client's generic mapping 10380 code. Files: cleanup/cleanup_rewrite.c, cleanup/cleanup_map11.c, 10381 cleanup/cleanup_masquerade.c, cleanup/cleanup_message.c.. 10382 1038320050215 10384 10385 Bugfix: don't chmod queue files while running "postfix 10386 set-permissions". This prevents mail from being labeled as 10387 "corrupt" when a live Postfix system is upgraded. Found 10388 by Victor Duchovni. File: conf/post-install. 10389 1039020050216 10391 10392 Feature: in smtpd?_discard_ehlo_keyword(s|_address_maps) 10393 specify the pseudo keyword "silent-discard" in order to 10394 avoid logging that some EHLO keyword is being suppressed. 10395 File: global/ehlo_mask.[hc]. 10396 1039720050217 10398 10399 Bugfix: typo in tls_server.c, breaking CApath. Fix by 10400 Philipp Morger. File: tls/tls_server.c. 10401 1040220050227 10403 10404 Bugfix (bug introduced 20040331): with SIGHUP ignored, the 10405 postdrop signal handler would effectively ignore SIGINT, 10406 SIGQUIT and SIGTERM. Simplified the overly-conservative 10407 protection against nested signals in postdrop, and added 10408 some future proofing comments. File: postdrop/postdrop.c 10409 10410 Cleanup: when address rewriting is enabled, don't change 10411 the capitalization of header labels, i.e. don't replace 10412 FROM: or CC: by From: or Cc:. Files: cleanup/cleanup_message.c, 10413 smtp/smtp_proto.c. 10414 1041520050228 10416 10417 Cleanup/portability: missing #includes and bad prototypes. 10418 Matthias Andree, Carsten Hoeger, and others. 10419 1042020050302 10421 10422 Workaround: make TLS session caching work with perverse 10423 sites that have multiple servers per hostname or even 10424 multiple servers per IP address, but no shared TLS session 10425 cache. The SMTP client TLS session cache is now indexed by 10426 (server hostname, server address, server port, server helo 10427 hostname). After an idea by Victor Duchovni. Files: 10428 smtp/smtp_proto.c, tls/tls_client.c. 10429 1043020050303 10431 10432 Bugfix (bug inherited from Postfix/TLS patch): a rare 9kbyte 10433 memory leak when in-memory TLS session information expires; 10434 found by setting the expiry time shorter than the time to 10435 deliver one or two messages with a very slow machine. This 10436 was due to a missing SSL_SESSION_free() call in the "new 10437 session" call-back routines. Found by Victor Duchovni. 10438 Files: tls/tls_client.c, tls/tls_server.c. 10439 10440 Workaround: OpenSSL is overly agressive when purging a 10441 not-yet expired entry from a full in-memory cache: it also 10442 purges the entry from the on-disk server session cache. 10443 Workaround is to let only the tlsmgr purge entries from the 10444 on-disk server session cache. Found by Victor Duchovni. 10445 File: tls/tls_server.c. 10446 1044720050304 10448 10449 Postfix releases are now signed with Wietse's new PGP key. 10450 The old key was getting a bit short for today's standards. 10451 The new public key can be found on the Postfix download 10452 webpage. As proof of authenticity the new PGP key is signed 10453 with Wietse's old PGP key. 10454 10455 Cleanup: check_mumble_{ns,mx}_access no longer attempt to 10456 do MX or NS lookups for address literals. An address literal 10457 is treated as its own MX host; there is no meaningful 10458 equivalent for NS access control. File: smtpd/smtpd_check.c. 10459 1046020050310 10461 10462 Bugfix: the AIX and SUN compilers rightfully complained 10463 about non-portable code in the "new" LDAP/SQL client. File: 10464 global/db_common.c. 10465 10466 Workaround: some systems no longer recognize "tail +2" as 10467 valid command syntax. Instead they require "improved" syntax 10468 that is not valid on several other systems that Postfix 10469 builds on. So we have to stop using the tail command. 10470 Files: Makefile.in, src/*/Makefile.in. 10471 1047220050312 10473 10474 Bugfix: the TLS session cache cleaning code didn't always 10475 delete the right entry. Problem found by Victor Duchovni, 10476 more problems found by Wietse. File: tls/tls_scache.c. 10477 1047820050314 10479 10480 Portability: Berkeley DB changed API from version 2.5 to 10481 2.6. Rob Foehl. File: util/dict_db.c. 10482 1048320050315 10484 10485 Bugfix: when <unistd.h> is included, read is a reserved 10486 identifier. File: smtpstone/smtp-source.c. 10487 1048820050321-27 10489 10490 Support for RFC 3463 enhanced status codes. See also the 10491 ENHANCED_STATUS_README (a hacker's guide) for background. 10492 10493 New module to pass around (status code + text) instead of 10494 just text. File: Files: global/dsn_util.c. 10495 10496 Status-related lookup tables now have an extra column for 10497 enhanced status codes. Files: global/sys_exits.c, 10498 global/cleanup_strerror.c. 10499 10500 Cleanup: centralized mapping of errno values to delivery 10501 status codes after failed delivery to mailbox, maildir, or 10502 file. Error codes EAGAIN, and ESTALE are 4.2.0 temporary 10503 errors; ENOSPC is a 4.3.0 temporary error; and EDQUOT and 10504 EFBIG are 5.2.2 hard errors. For backwards compatibility, 10505 the result of other errors depends on the delivery agent: 10506 with local(8) everything else is a 5.2.0 hard error, and 10507 with virtual(8) everything else is soft 4.2.0 error. File: 10508 global/mbox_open.c. 10509 1051020050324 10511 10512 Workaround: gcc -W (version 3.4.2 [FreeBSD] 20040728) no 10513 longer warns about missing return statements. What a time 10514 waste. 10515 10516 Workaround: gcc -E (version 3.4.2 [FreeBSD] 20040728) output 10517 has changed, causing too much "make depend" output. 10518 1051920050325 10520 10521 Bugfix: when bouncing mail that was submitted with Postfix 10522 sendmail, the cleanup daemon ignored the reason specified 10523 in header/body_checks, and always produced a generic reason. 10524 File: cleanup/cleanup_api.c. 10525 10526 Workaround: don't announce pipelining support when the 10527 smtp-sink test program is configured to fail specific 10528 commands with -r or -f (the fix is to build a proper SMTP 10529 state engine into the smtp-sink test program). File: 10530 smtpstone/smtp-sink.c. 10531 1053220050326 10533 10534 Update: more PCRE error codes. File: util/dict_pcre.c. 10535 1053620050327 10537 10538 Bugfix: the SMTP and LMTP clients did not ask the queue 10539 manager to reduce destination concurrency when "lost 10540 connection" or "connection timed out" happened AFTER Postfix 10541 received the server greeting. Files: smtp/smtp_trouble.c, 10542 lmtp/lmtp-trouble.c. 10543 10544 Workaround: FreeBSD has incompatibly changed the output 10545 format from "od", breaking regression test portability. 10546 10547 The TLS client session cache ID is now derived from the 10548 server IP address, TCP Port, and server HELO hostname 10549 if available. File: smtp/smtp_proto.c. 10550 1055120050328 10552 10553 Cleanup: the REPLACE action is no longer implemented as 10554 PREPEND+IGNORE. The result remains in the input stream, 10555 and is subject to address rewriting and other processing 10556 where applicable. File: cleanup/cleanup_message.c. 10557 10558 Feature: the TLS server name verification status is moved 10559 out of the TLS session cache. This not only simplifies the 10560 client-side TLS cache implementation, but also provides 10561 better cache support for clients that connect to multiple 10562 independent MTAs under the same DNS hostname or IP address, 10563 provided that each MTA replies with a unique name in the 10564 EHLO response. Patch by Victor Duchovni. Files: tlsmgr/tlsmgr.c, 10565 tls/tls_verify.c, tls/tls_session.c, tls/tls_server.c, 10566 tls/tls_scache.h, tls/tls_scache.c, tls/tls_misc.c, 10567 tls/tls_mgr.h, tls/tls_mgr.c, tls/tls_client.c, tls/tls.h, 10568 smtp/smtp_proto.c. 10569 1057020050330 10571 10572 Bugfix: in some compilation environments the SMTP and LMTP 10573 clients could ignore enhanced status codes in server replies. 10574 Bug introduced 20050329 while polishing working code. Files: 10575 smtp/smtp_chat.c, lmtp/lmtp_chat.c. 10576 10577 Feature: add enhanced status code support to the smtp-sink 10578 test program. File: smtpstone/smtp-sink.c. 10579 1058020050331 10581 10582 Workarounds for ancient gcc compilers that can't handle 10583 valid C. Bugs reported by Victor Duchovni. Files: 10584 util/sys_defs.h, global/dsn_util.h, tls/tls_client.c. 10585 10586 Bugfix: when delivery to command failed, command output was 10587 not reported. Fix was to enable format checks for the new 10588 dsn_vstring_update() module. File: global/dsn_util.h, 10589 global/pipe_command.c. 10590 1059120050401 10592 10593 Cleanup: ignore incorrect enhanced status codes (such as 10594 5xx reply followed by a 4.x.x status), and don't look for 10595 enhanced status codes unless the server replies with a 10596 [245]XX reply. Files: smtp/smtp_chat.c, lmtp/lmtp_chat.c. 10597 1059820050402 10599 10600 Feature: enhanced status code support for errors found by 10601 the MIME processor. Files: global/mime_state.c, 10602 cleanup/cleanup_message.c, smtp/smtp_proto.c. 10603 10604 Cleanup: updated error messages about MIME processing errors 10605 in the SMTP client. These errors are no longer specific to 10606 8bit->7bit conversion; they can also happen with generic 10607 address mapping. File: smtp/smtp_proto.c. 10608 10609 Safety: SASL 2.1.19 has a version lookup routine that we 10610 can use to detect compile time / run time version mis-matches 10611 (also known as DLL hell). Files: src/smtpd/smtpd_sasl_glue.c, 10612 src/smtp/smtp_sasl_glue.c, src/lmtp/lmtp_sasl_glue.c. 10613 1061420050404 10615 10616 Typo: missing comma after dsn=x.yy.zz logging. File: 10617 global/log_adhoc.c. 10618 10619 Feature: specify "smtpd_sasl_authenticated_header = yes" 10620 to report the SASL login name in the Received: message 10621 header, so that the login name is shared with the whole 10622 world. Based on code by Branko F. Gracnar. Files: 10623 smtpd/smtpd.c, and documentation. 10624 1062520050407 10626 10627 @%^!#& Thanks to inadequate SASL documentation the client 10628 could negotiate a security layer where none was desired. 10629 Better documentation has become available since Postfix 10630 SASL support was implemented, and now Postfix needs to be 10631 fixed. Files: */*_sasl_glue.c. 10632 1063320050409 10634 10635 Safety: the CDB map now logs a warning when the source file 10636 is newer than the indexed file, just like the Berkeley DB 10637 and DBM maps. Michael Tokarev. File: util/dict_cdb.c. 10638 1063920040411 10640 10641 Portability: put the SASL DLL Hell guard after the declarations 10642 instead of before. Reported by Marcus Grando. Files: 10643 smtp/smtp_sasl_glue.c, lmtp/lmtp_sasl_glue.c. 10644 1064520050412 10646 10647 Infrastructure: change the disposition or other properties 10648 of an embryonic queue file. This is currently used only to 10649 place mail on hold. After code by Victor Duchovni. Files: 10650 global/mail_stream.[hc], cleanup/cleanup_api.c. 10651 10652 Bugfix: while updating the cleanup_flush() infrastructure 10653 eliminated a portability problem that was introduced when 10654 "REJECT text" support was added. File: cleanup/cleanup.c. 10655 1065620050413 10657 10658 Portability: don't mix socket message send/receive calls 10659 with socket stream read/write calls. The fact that you can 10660 get away with it only on some stacks implies that there is 10661 no long-term guarantee. Specify -DCAN_WRITE_BEFORE_SENDING_FD 10662 if you feel brave. File: util/sys_defs.h. 10663 10664 Robustness: re-compile all object files after the "make 10665 makefiles" options have changed. Files: src/*/Makefile.in. 10666 10667 Tweaking: reply with 5.3.4 when the message size exceeds 10668 the mail system message_size_limit, instead of 5.2.3 which 10669 is a mailbox specific status. File: smtpd/smtpd_check.c. 10670 1067120050417 10672 10673 Safety: don't call syslog from a user-triggered signal 10674 handler. File: postdrop/postdrop.c. 10675 1067620050421 10677 10678 Bugfix: don't panic when the fall-back relay can't be used 10679 because the local MTA is MX for the destination. File: 10680 smtp/smtp_connect.c. 10681 1068220050422 10683 10684 Bugfix: don't panic when the fall-back relay can't be used 10685 because it was already tried via a cached session. Produce 10686 a default excuse instead. File: smtp/smtp_connect.c. 10687 10688 Bugfix: postsuper could lose an error message after reporting 10689 a fatal error. File: postsuper/postsuper.c. 10690 1069120050426 10692 10693 Bugfix: simplified and improved the 20050422 fall-back relay 10694 fix. File: smtp/smtp_connect.c. 10695 1069620050427 10697 10698 Final solution for the 20050422 fall-back relay problem: 10699 truncate the fall-back host list when the local MTA is MX 10700 for some destination. Files: util/argv.c, smtp/smtp_connect.c. 10701 10702 Cleanup: extra dsn_vstring_update_dsn() routine to shut up 10703 GCC complaints about valid code. Files: src/global/dsn_util.c, 10704 src/global/mbox_open.c, src/lmtp/lmtp_addr.c, src/smtp/smtp_addr.c, 10705 src/smtp/smtp_connect.c. 10706 1070720050429 10708 10709 The Postfix SMTP server now announces ENHANCEDSTATUSCODES 10710 support in the EHLO response, as described in RFC 2034. 10711 File: smtpd/smtpd.c. 10712 1071320050503 10714 10715 Propagate enhanced status code from error(8) mailer to SMTP 10716 server replies. File: smtpd/smtpd_check.c. 10717 10718 Cleanup: more consistent format of smtpd warning logging, 10719 so that it is easier to sort. Files: smtpd/smtpd.c, 10720 smtpd/smtpd_check.c. 10721 1072220050504 10723 10724 Yikes. People are exposing the smtp-sink test program to 10725 hostile environments, while it was designed for controlled 10726 environments. Completed the support for write timeouts, 10727 added support for read timeouts, and added a missing exception 10728 handler for the 220 server greeting. File: smtpstone/smtp-sink.c. 10729 1073020050506 10731 10732 Cleanup: with "REJECT 4.X.Y ..." actions in header/body_checks, 10733 change the SMTP server reply code from 550 into 450, instead 10734 of having the SMTP server change the DSN into 5.X.Y. File: 10735 smtpd/smtpd.c. 10736 1073720050510 10738 10739 Usability: when reporting a sender address problem, transform 10740 a recipient DSN status (e.g., 4.1.1-4.1.6) into the 10741 corresponding sender DSN status, and vice versa; and when 10742 reporting a non-address problem, transform a sender or 10743 recipient DSN status into a generic non-address DSN status 10744 (e.g., 4.0.0). This transformation may be needed when the 10745 same access table or RBL reply template are used for client, 10746 helo, sender, or recipient restrictions; or when the same 10747 error mailer information is used for senders or recipients. 10748 Files: smtpd/smtpd_check.c, smtpd/smtpd_dsn_fix.[hc]. 10749 1075020050512 10751 10752 Feature: support for more SASL logging call-backs, if these 10753 are defined in the compile-time environment. Files: 10754 smtpd/smtpd_sasl_glue.c, smtp/smtp_sasl_glue.c. 10755 1075620050513 10757 10758 Workaround: Postfix now uses "localdomain" as the default 10759 domain name when $myhostname is not in "host.domain" form. 10760 Files: global/mail_params.[hc]. 10761 10762--------- 10763 1076420050415-20050615 10765 10766 As of 20050525, DSN support does not involve new queue file 10767 record types, so you can switch back to older Postfix 10768 versions. Older non-production releases did introduce queue 10769 file incompatibility. 10770 10771 DSN support is selected via the SMTP port by extra parameters 10772 to the MAIL FROM and RCPT TO commands, and with the Postfix 10773 sendmail command with new command-line options: -N (specify 10774 notification options such as "never", "success", "delay" 10775 or "failure") and -V (specify an envelope ID that identifies 10776 the mail submission transaction). VERP support now uses 10777 -XV instead of -V. 10778 10779 The implementation piggy-backs on the trace(8) service that 10780 was already used for "sendmail -v" (verbose delivery) and 10781 for "sendmail -bv" (what-if) reports. You can no longer 10782 requests these functions together with DSN support. 10783 10784 All this means revision of bounce/defer/trace client 10785 interfaces, of the bounce service, the record reading loops 10786 in postdrop, cleanup(8) and qmgr(8), the queue manager to 10787 delivery agent protocol, and some extra SMTP protocol 10788 parameters in smtpd(8), lmtp(8) and smtp(8). 10789 10790 New code module: global/dsn_smtp.[hc] for RFC 3461 related 10791 information (but this may still change). 10792 10793 Feature: "sendmail -G" is no longer a no-op. Message headers 10794 are treated as if the message has a remote origin. Files: 10795 sendmail/sendmail.c, postdrop/postdrop.c. 10796 10797 Feature: automatic BCC senders are now created as if they 10798 were received with NOTIFY=NEVER, in case it helps. File: 10799 cleanup/cleanup_addr.c 10800 10801 Compatibility: with large bounces, send message headers 10802 only, instead of truncating MIME messages in the middle. 10803 1080420050517 10805 10806 Bugfix: in a DSN report, the original recipient should not 10807 be xtext encoded. File: bounce/bounce_notify_util.c. 10808 1080920050523 10810 10811 Bugfix: mymalloc() panic with mistyped server host list. 10812 File: global/dict_pgsql.c. 10813 1081420050525 10815 10816 Feature: specify delay_warning_time=1 to get immediate 10817 notification of delay. File: qmgr/qmgr_active.c. 10818 1081920050526 10820 10821 Reset the Postfix original recipient when delivering to 10822 mailing list. 10823 1082420050601 10825 10826 Modified the master backgrounding procedure to not abort 10827 when the master is already a process group leader. This 10828 happens when people bypass or modify the official Postfix 10829 start-up procedure. Jacek Konieczny. File: master/master.c. 10830 1083120050602 10832 10833 Sanity check: don't report "address in use" when some Postfix 10834 socket is a directory. File: util/unix_listen.c. 10835 1083620050613 10837 10838 Now that the over-all structure of the code is proving 10839 itself, interfaces can be cleaned up. This means nicer names 10840 for variables, functions and data structures, and dedicated 10841 read/write routines for recipient and DSN information. 10842 These remove a lot of clutter from the bounce client and 10843 server code. Files: dsn_print.c dsb_scan.c, rcpt_print.c, 10844 rcpt_buf.c. 10845 10846 For Sendmail compatibility, the Postfix sendmail -V option 10847 no longer controls VERP usage, but is used to specify the 10848 DSN envelope ID. In order to provide a smooth transition, 10849 backwards compatibility code recognizes when -V is being 10850 used for VERP control. It will do the right thing, and 10851 warns the user to use -XV instead. File: sendmail/sendmail.c. 10852 1085320050614 10854 10855 The cleanup server writes bounce (delivery failure) and 10856 trace (success) records, but it no longer requests sender 10857 notification. That is now handled by the queue manager. 10858 The reason is that the cleanup server must be able to abort 10859 a request including its bounce and trace logfiles, so it 10860 must not take actions that can't be undone. 10861 1086220050615 10863 10864 Cleanup: the SMTP client now sends QUIT when the initial 10865 HELO handshake fails. it still doesn't send QUIT when the 10866 server greets with a [45]XX code, as that is handled in the 10867 connection management code before a session context exists. 10868 File: smtp/smtp_connect.c. 10869 10870 Cleanup: made the quote_821_local() routine "const" clean. 10871 File: global/quote_821_local.[hc]. 10872 1087320050616 10874 10875 Bugfix: missing or mis-placed va_end() macros, found in 10876 Postfix 2.3 code review. Files: util/netstring.c, 10877 util/myaddrinfo.c, util/attr_clnt.c, util/vstream.c. 10878 10879 Bugfix: the SMTP server now separates the message size check 10880 from the queue space check, so that the size check can be 10881 done before an SMTPD proxy filter. Files: smtpd/smtpd.c, 10882 smtpd/smtpd_check.c. 10883 1088420050617 10885 10886 Postdrop didn't recognize the new recipient attributes. 10887 File: postdrop/postdrop.c. 10888 10889 Feature: configurable MAILER-DAEMON replacement for the 10890 null sender address that is used by the pipe(8) delivery 10891 agent on the command line and in message headers. Command-line 10892 address quoting is disabled when the replacement is empty. 10893 File: pipe/pipe.c. 10894 1089520050618 10896 10897 With virtual aliasing enabled, Postfix would always report 10898 successful alias expansion, even when no alias was expanded. 10899 File: cleanup/cleanup_out_recipient.c. 10900 1090120050621 10902 10903 Portability: file descriptor passing is available for Tru64 10904 UNIX, but not for AIX4 and IRIX6. Albert Chin. File: 10905 util/sys_defs.h. 10906 1090720050622 10908 10909 Cleanup: the DNS lookup code now accommodates name server 10910 replies longer than 4 kbytes, with a hard upper limit of 10911 32kbytes. For safety reasons, the number of MX host addresses 10912 that the SMTP client will try was reduced from unlimited 10913 to just 5, so that Postfix won't spend forever trying to 10914 connect to dozens and dozens of bogus MX hosts. Files: 10915 dns/dns_lookup.c, global/mail_params.h. 10916 10917 Cleanup: the code that handles a 4xx or 5xx SMTP server 10918 greeting was moved from the connection management module 10919 to the protocol engine, for cleaner error handling. This 10920 means that the failed session now counts towards the limit 10921 on the total number of SMTP sessions per domain name (default: 10922 smtp_mx_session_limit = 2). Files: smtp/smtp_connect.c, 10923 smtp/smtp_proto.c. 10924 1092520050623 10926 10927 Cleanup: generalized the delegated attribute scan/print 10928 interfaces, and updated the deliver_pass module with delegated 10929 attribute scan/print support. Files: util/attr_scan0.c, 10930 util/attr_print0.c, global/dsb_scan.c, global/dsn_print.c, 10931 global/rcpt_buf,c global/rcpt_print.c, global/deliver_pass.c. 10932 10933 Added delegated attribute scan/print function support to 10934 the base64 and plain attribute I/O encodings. Files: 10935 util/attr_scan_plain.c util/attr_print_plain.c. 10936 1093720050624 10938 10939 Added "." to the list commands that smtp-sink can "break" 10940 (by disconnecting, or by responding with a 4XX or 5XX reply 10941 code). File: smtpstone/smtp-sink.c. 10942 1094320050625 10944 10945 Safety: allow only 4.x.x and 5.x.x enhanced status codes 10946 in header/body_checks REJECT actions. File: 10947 cleanup/cleanup_message.c. 10948 1094920050627 10950 10951 Code cleanup: generalized the smtp-sink code that simulates 10952 server errors. File: smtpstone/smtp-sink.c. 10953 1095420050629 10955 10956 Code cleanup: the smtp_mx_session_limit setting (per delivery 10957 request session count limit) now ignores sessions that fail 10958 to complete the TCP, SMTP, EHLO or TLS handshake (was: TCP 10959 and SMTP). File: smtp/smtp_proto.c. 10960 1096120050630 10962 10963 Updated the example spf.pl script to version 1.06. 10964 10965 Portability: the file descriptor passing code broke on LP64 10966 systems (inherited from Stevens Network Programming). Files: 10967 util/unix_send_fd.c, util/unix_recv_fd.c. 10968 1096920050706 10970 10971 Robustness: the SMTP client now disables connection caching 10972 when it is unable to communicate with the scache(8) server, 10973 instead of looping forever. File: global/scache_clnt.c. 10974 10975 Portability: after sending a socket, the scache(8) server 10976 now waits for an ACK from the connection cache client before 10977 closing the socket that it just sent. Files: scache/scache.c, 10978 global/scache_clnt.c. 10979 1098020050708 10981 10982 Bugfix: missing returns in 20050706 caching disabling code 10983 (in error handling code that never executes). File: 10984 global/scache_clnt.c. 10985 10986 Portability: use explicitly unsigned operands when doing 10987 bit-wise shift operations on data larger than a character. 10988 1098920050709-15 10990 10991 Migration of data object sizes and offsets from int->ssize_t 10992 and unsigned->size_t for better portability to LP64 and 10993 LLP64 systems where *size_t is 64 bits wide. This change 10994 has no effect on 32-bit systems. 10995 10996 This change not only eliminated some obscure portability 10997 bugs (see two paragraphs down), it also eliminated many 10998 unnecessary conversions back and forth between 32-bit and 10999 64-bit integers, because all relevant system library functions 11000 take *size_t arguments or return *size_t results. 11001 11002 Simply changing every data object size or offset to size_t 11003 (which is unsigned!) would be dangerous. A lot of code was 11004 written assuming signed arithmetic and rejects negative 11005 lengths, which can happen as the result of integer overflow. 11006 11007 Portability: on LP64 systems, integer expressions are int, 11008 but sizeof() and pointer difference expressions are larger. 11009 The above changes fixed a few discrepancies with function 11010 calls where *size_t was passed while the old code expected 11011 an int: clean_env() versus argv_addn(), and code that sent 11012 binary blobs via the TLS session cache manager protocol. 11013 1101420050711 11015 11016 Bugfix: don't include <> when auto-generating an ORCPT 11017 address from a client RCPT TO command. File: smtpd.c. 11018 1101920050712 11020 11021 Cleanup: cleanup_out_recipient() still generated DSN records 11022 that were incompatible with pre-DSN Postfix versions. File: 11023 cleanup/cleanup_out_recipient.c. 11024 1102520050716 11026 11027 Bugfix: the smtpd_sasl_authenticated_header code did not 11028 check if SASL was actually enabled. File: smtpd/smtpd.c. 11029 1103020050720 11031 11032 Feature: reverse client hostname. This is set at connection 11033 time with information from the SMTP client address->name 11034 mapping, and can be overruled with the REVERSE_NAME attribute 11035 in the XCLIENT command. File: smtpd/smtpd_peer.c. 11036 11037 Cleanup: renaming of several confusing restriction names: 11038 reject_unknown_client -> reject_unknown_client_hostname, 11039 reject_unknown_hostname -> reject_unknown_helo_hostname, 11040 reject_invalid_hostname -> reject_invalid_helo_hostname, 11041 and reject_non_fqdn_hostname -> reject_non_fqdn_helo_hostname. 11042 The old names are still recognized and documented. Files: 11043 global/mail_params.h, smtpd/smtpd.c, smtpd/smtpd_check.c. 11044 11045 Feature: reject_unknown_reverse_client_hostname. This rejects 11046 clients that have no address to name mapping (unlike the 11047 reject_unknown_client_hostname feature which requires that 11048 the address->name and name->address mappings resolve to the 11049 client IP address). Files: global/mail_params.h, 11050 smtpd/smtpd_peer.c, smtpd/smtpd.c, smtpd/smtpd_check.c. 11051 1105220050726 11053 11054 Horror: total rewrite of DNS client error handling because 11055 some misguided proposal attempts to give special meaning 11056 to some syntactically invalid MX hostname lookup result. 11057 Not only that, people expect sensible results with 11058 reject_unknown_sender_domain etc. Files: dns/dns_lookup.c, 11059 smtp/smtp_addr.c smtpd/smtpd_check.c, lmtp/lmtp_addr.c. 11060 11061 Cleanup: HOLD action executes only once, to reduce noise 11062 in the logfile. Files: cleanup/cleanup_message.c, smtpd/smtpd.c. 11063 1106420050806 11065 11066 Workaround: accept(2) fails with EPROTO when the client 11067 already disconnected (SunOS 5.5.1). File: sane_accept.c. 11068 1106920050815 11070 11071 Workaround: old Solaris compilers can't link an archive 11072 without globally visible symbols. File: tls/tls_misc.c. 11073 1107420050825 11075 11076 Feature: message_reject_characters and message_strip_characters 11077 specify what characters in message content Postfix will 11078 reject or remove. Based on patch by John Fawcett. Files: 11079 cleanup/cleanup_message.c, cleanup/cleanup_init.c. 11080 11081 Safety: when the cleanup server rejects the content of mail 11082 that is submitted with the Postfix sendmail command, or 11083 re-queued with "postsuper -r", strip the message body from 11084 the bounce message to reduce the risks from harmful content. 11085 Files: cleanup/cleanup_envelope.c, cleanup/cleanup_bounce.c. 11086 11087 Feature: the smtpd_proxy_filter parameter value can now be 11088 prefixed with "unix:" (for UNIX-domain socket) and "inet:" 11089 (for TCP socket). TCP sockets are the default. Patch by 11090 Edwin Kremer. File: smtpd/smtpd_proxy.c. 11091 1109220050828 11093 11094 Bugfix: after adding DSN support, error notification was 11095 broken for too large mail that was submitted with the Postfix 11096 sendmail command, forwarded by the local(8) delivery agent, 11097 or re-queued with "postsuper -r". The message would be saved 11098 to the "corrupt" queue. 11099 11100 The mistake was to leave the truncated message in the 11101 incoming queue and to ask the queue manager to notify the 11102 sender; this was not possible because the queue manager 11103 cannot (and should not) handle truncated queue files. 11104 11105 The fix is to have the cleanup server send the bounce 11106 message, just like it did before DSN support was added. As 11107 a side effect, Postfix will no longer send DSN_SUCCESS 11108 notices after virtual aliasing, when the cleanup server 11109 bounces all the recipients of the message anyway. This 11110 could be called a feature. File: cleanup/cleanup_bounce.c. 11111 11112 Also needed for this fix: a new vstream_fpurge() routine 11113 that discards unread/written data from a VSTREAM. It's 11114 needed before cleanup_bounce() can seek to the start of the 11115 queue file after a file size error. File: util/vstream.c. 11116 1111720050920 11118 11119 Cleanup: removed the legacy "tls_info" structure, factored 11120 out common code for peer_CN and issuer_CN lookup, and added 11121 sanity check to not verify subject common names that contain 11122 nulls or that are excessively long. Patch by Victor Duchovni. 11123 Files: tls_client.c, tls_server.c, tls_session.c, tls_misc.c, 11124 tls_verify.c. 11125 1112620050922 11127 11128 Bugfix: the *SQL clients did not uniformly choose the 11129 database host from the available pool of servers due to an 11130 off-by-one error, so that the "last" available server was 11131 not selected. Leandro Santi. Files: dict_mysql.c, dict_pgsql.c. 11132 11133 Update: common code factored out into db_common.c, and 11134 adoption of Liviu Daia's connection aware MySQL quoting. 11135 Patch by Victor Duchovni. Files: dict_ldap.c, dict_mysql.c, 11136 dict_pgsql.c, db_common.c. 11137 1113820050923 11139 11140 Safety: don't update the local(8) delivery agent's idea of 11141 the Delivered-To: address while expanding aliases or .forward 11142 files. When an alias or .forward file changes the Delivered-To: 11143 address, it ties up one queue file and one cleanup process 11144 instance while mail is being forwarded. To get the old 11145 behavior, specify "frozen_delivered_to = no". Problem 11146 reported by Michael Tokarev, but found independently by 11147 others. Files: local/local.c, local/aliases.c, local/dotforward.c, 11148 local/mailbox.c, local/maildir.c. 11149 11150 Logging: additional SASL debug logging by Andreas Winkelmann. 11151 Files: */*sasl_glue.c. 11152 1115320050929 11154 11155 Paranoia: don't ignore garbage in SMTP or LMTP server replies 11156 when ESMTP command pipelining is turned on. For example, 11157 after sending ".<CR><LF>QUIT<CR><LF>", Postfix could recognize 11158 the server's 2XX QUIT reply as a 2XX END-OF-DATA reply after 11159 garbage, causing mail to be lost. The SMTP and LMTP clients 11160 now report a remote protocol error and defer delivery. 11161 Files: smtp/smtp_chat.c, smtp/smtp_trouble.c, lmtp/lmtp_chat.c, 11162 lmtp/lmtp_trouble.c. 11163 11164 Performance: specify "smtpd_peername_lookup = no" to disable 11165 client hostname lookups in the SMTP server. All clients are 11166 treated as "unknown". This should be used only under extreme 11167 conditions where DNS lookup latencies are critical. File: 11168 smtpd/smtpd_peer.c. 11169 1117020051010 11171 11172 Feature: smtpd_client_new_tls_session_rate_limit parameter 11173 to limit the number of new (i.e. uncached) TLS sessions 11174 that a remote SMTP client may negotiate per unit time. This 11175 feature, which is off by default, can limit the CPU load 11176 due to expensive crypto operations. Files: global/anvil_clnt.c, 11177 anvil/anvil.c, smtpd/smtpd.c. 11178 11179 Cleanup: eliminated massive code duplication in the anvil 11180 server that resulted from adding similar features one at a 11181 time. File: anvil/anvil.c. 11182 1118320051011 11184 11185 Bugfix: raise the "policy violation" flag when a client 11186 request exceeds a concurrency or rate limit. File: 11187 smtpd/smtpd.c. 11188 11189 Bugfix (cut-and-paste error): don't reply with 421 (too 11190 many MAIL FROM or RCPT TO commands) when we aren't closing 11191 the connection. File: smtpd/smtpd.c. 11192 1119320051012 11194 11195 Polishing: content of comments and sequence of code blocks 11196 in the anvil server, TLS request rate error message in the 11197 smtp server, and documentation, but no changes in code. 11198 Files: anvil/anvil.c, smtpd/smtpd.c. 11199 1120020051013 11201 11202 Horror: some systems have basename() and dirname() and some 11203 don't; some implementations modify their input and some 11204 don't; and some implementations use a private buffer that 11205 is overwritten upon the next call. Postfix will use its own 11206 safer versions called sane_basename() and sane_dirname(). 11207 These never modify the input, and allow the caller to control 11208 how memory is allocated for the result. File: 11209 util/sane_basename.c. 11210 11211 Feature: "sendmail -C path-to-main.cf" and "sendmail -C 11212 config_directory" now do what one would expect. File: 11213 sendmail/sendmail.c. 11214 11215 Bugfix: don't do smtpd_end_of_data_restrictions after the 11216 transaction failed due to, e.g., a write error. File: 11217 smtpd/smtpd.c. 11218 11219 Cleanup: the SMTP server now enforces the message_size_limit 11220 even when the client did not send SIZE information with the 11221 MAIL FROM command. This protects before-queue content 11222 filters against over-size messages. File: smtpd/smtpd.c. 11223 1122420051017 11225 11226 Bugfix: after DSN support was added, smtp_skip_5xx_greeting 11227 no longer recognized a 5xx SMTP status as a 4xx one. Found 11228 by Ralf Hildebrandt. Fix: use the enhanced status code 11229 instead of the SMTP reply code to choose between permanent 11230 or transient errors. File: smtp/smtp_trouble.c. 11231 11232 Feature: smtp-sink can hard-reject, soft-reject or simply 11233 drop connection requests. File: smtpstone/smtp-sink.c. 11234 11235 Documentation: clarified the processing of server replies, 11236 specifically the reply code and the enhanced status code, 11237 in smtp_chat.c. 11238 1123920051024 11240 11241 Performance: new smtp_connection_reuse_time_limit parameter to 11242 limit connection reuse by elapsed time, instead of limiting 11243 the number of deliveries per connection. Bounding by time 11244 favors delivery over connections that perform well, while 11245 bounding by number of deliveries allows slow connections 11246 to drag down the performance. Insight and initial 11247 implementation by Victor Duchovni, Morgan Stanley. Files: 11248 smtp_connect.c, smtp_session.c, 11249 11250 Bugfix: the next-hop logical destination information for 11251 connection caching was reset only after a good non-TLS 11252 connection, so that cached connections to non-TLS backup 11253 servers could suck away traffic from TLS primary servers 11254 (the Postfix SMTP client cannot cache an open TLS connection). 11255 Found during code review. This is fixed with multi-valued 11256 connection caching state: expired, cachable, non-cachable, 11257 and bad. Files: smtp_connect.c, smtp_trouble.c. 11258 11259 Bugfix: adding support for "sendmail -C" broke "sendmail 11260 -q". File: sendmail/sendmail.c. 11261 1126220051101 11263 11264 Migration from a single "arrival time" stamp to a structure 11265 with time stamps from different stages of message delivery. 11266 The first iteration merely replaces "arrival time" stamps 11267 by a structure or pointer to structure, and uses only the 11268 arrival time field of that structure. This is an extensive 11269 but straightforward transformation, based on example by 11270 Victor Duchovni, Morgan Stanley. Files: anything that 11271 invokes bounce_append etc., the log_adhoc module, and 11272 anything that sends or receives a delivery request. 11273 1127420051102 11275 11276 Completion of support for time stamps from different stages 11277 of message delivery. The information is now logged as 11278 "delays=a/b/c/d" where a=time before queue manager, including 11279 message transmission; b=time in queue manager; c=connection 11280 setup including DNS, HELO and TLS; d=message transmission 11281 time. Unlike Victor's example which used time differences, 11282 this implementation uses absolute times. The decision of 11283 what numbers to subtract actually depends on program history, 11284 so we want to do it in one place. Files: global/log_adhoc.c, 11285 smtp/smtp_connect.c, smtp/smtp_proto.c, smtp/smtp_trouble.c, 11286 lmtp/lmtp_proto.c, lmtp/lmtp_trouble.c. 11287 1128820051103 11289 11290 Refinement of time stamping and delays formatting. The 11291 hand-off time is now stamped in the delivery agent, so that 11292 time is properly attributed when a transport is saturated 11293 or throttled. Delays are now logged if larger than 0.01 11294 second. Files: *qmgr/qmgr_deliver.c, global/deliver_request.c, 11295 global/log_adhoc.c. 11296 1129720051104 11298 11299 New parameter delay_logging_time_resolution (default: 10000 11300 microseconds, or 0.01 second) that controls the detail in 11301 the new "delays=a/b/c/d" logging. Specify a power of 10 11302 in the range from 1 to 100000. File: global/log_adhoc.c. 11303 Parameter renamed 20051108. 11304 1130520051105 11306 11307 All delay logging now has sub-second resolution. This means 11308 updating all code that reads or updates the records that 11309 specify when mail arrived, and ensuring that mail submitted 11310 with older Postfix versions produces sensible results. 11311 Files: global/post_mail.c, global/mail_timeofday.[hc], 11312 global/log_adhoc.c, postdrop/postdrop.c, pickup/pickup.c, 11313 cleanup/cleanup_envelope.c, cleanup/cleanup_message.c, 11314 smtpd/smtpd.c, qmqpd/qmqpd.c, *qmgr/qmgr_message.c, 11315 *qmgr/qmgr_active.c, local/forward.c. 11316 1131720051106 11318 11319 The SMTP client logs the remote server port in the form of 11320 relay=hostname[hostaddr]:port to the local maillog file. 11321 The port number is NOT included in DSN status reports, 11322 because remote users have no need to know such internal 11323 information. Files: smtp/smtp_session.c, smtp/smtp_proto.c, 11324 smtp/smtp_trouble.c. 11325 11326 Cleanup: encapsulated queue file time read/write operations 11327 with a few simple macros, to make future changes in time 11328 representation less painful. 11329 1133020051108 11331 11332 Cleanup: eliminated floating point operations from the 11333 ad-hoc delay logging code. Files: util/format_tv.[hc], 11334 global/log_adhoc.c. 11335 11336 The delay logging resolution is now controlled with the 11337 delay_logging_resolution_limit parameter, which specifies 11338 the maximal number of digits after the decimal point. 11339 11340 Bugfix: two messages could get the same message ID due to 11341 a race condition. This time window was increased when queue 11342 file creation was postponed from MAIL FROM until the first 11343 accepted RCPT TO. The window is closed again. Found by 11344 Victor. Files: global/mail_stream.c, global/mail_queue.c, 11345 cleanup/cleanup_message.c. 11346 1134720051109 11348 11349 qshape.pl updated for extra microsecond time field in Postfix 11350 queue files. 11351 11352 Cleanup: removed obsolete code that handles rejected/dropped 11353 connections before the HELO handshake. File: smtp/smtp_connect.c. 11354 11355 Bugfix: XCLIENT broke when reverse hostname support was added. 11356 Fix by Tomoyuki Sakurai. File: smtpd/smtpd.c. 11357 1135820051110 11359 11360 Workaround: don't set the delay warning timer for messages 11361 from inside or from outside that have the null sender as 11362 recipient. This was a waste of time, because the warning 11363 would always be discarded. File: cleanup/cleanup_envelope.c. 11364 11365 Feature: the built-in mail delivery status notification 11366 text is now implemented by built-in templates. Files: 11367 bounce/bounce_template.c, bounce/bounce_notify_util.c. 11368 1136920051112 11370 11371 Feature: configurable bounce message templates based on 11372 contribution by Nicolas Riendeau. I kept the general format 11373 of his templates, but placed them together in one file to 11374 reduce process initialization overhead (most requests to 11375 the bounce daemon are not for sending bounce messages). 11376 Files: bounce/bounce_template.c, bounce/dict_ml.c (to be 11377 moved to library if useful enough). A sample bounce message 11378 template file is installed as $config_directory/bounce.cf.default. 11379 1138020051113 11381 11382 Feature: "postconf -b filename" to preview the non-default 11383 bounce message templates with $name expansions in the text. 11384 The actual work is of course done by the bounce daemon. 11385 1138620051114 11387 11388 Feature: -V option to make Postfix daemons to log to stderr. 11389 This is used when a daemon is invoked in stand-alone mode 11390 by a (non-daemon) command. 11391 11392 Feature: "postconf -t" displays DSN templates, headers and 11393 all; use postconf -t ''" to view built-ins. 11394 11395 Cleanup: renamed fail_template into failure_template. 11396 1139720051117 11398 11399 Cleanup: bounce template code reorg, no functionality change. 11400 Files: bounce/bounce_template.[hc], bounce/bounce_templates.c, 11401 bounce/bounce_notify_util.c. 11402 1140320051118 11404 11405 Bugfix: new bounce template code did not return after 11406 template syntax error. File: bounce/bounce_template.c 11407 11408 Safety: permit_mx_backup now requires that the local MTA 11409 is not listed as primary MX for the recipient domain. This 11410 prevents mail loops when someone points the primary MX 11411 record to Postfix. 11412 1141320051119 11414 11415 Workaround: some SMTP servers announce multiple but different 11416 lists of SASL methods. Postfix now concatenates the lists 11417 instead of logging a warning and remembering only one. File: 11418 smtp/smtp_sasl_proto.c. 11419 11420 Bugfix: the queue manager did not write a per-recipient 11421 defer logfile record when the delivery agent crashed between 11422 receiving a delivery request, and reporting the delivery 11423 status to the queue manager. Found while redesigning the 11424 code that handles unavailable transports or destinations. 11425 Files: *qmgr/qmgr_deliver.c. 11426 1142720051121 11428 11429 Workaround: do not build the bounce.cf.default template 11430 while compiling Postfix - it breaks when the default 11431 mail_owner etc. accounts don't exist. Reported by Liviu 11432 Daia. 11433 11434 Compatibility: added permit_auth_destination emulation to 11435 the permit_mx_backup feature. This avoids surprises with 11436 sites that used permit_mx_backup to authorize all their 11437 incoming mail. 11438 1143920051122-24 11440 11441 Feature: sender_dependent_relayhost_maps, lookup tables that specify 11442 a sender-dependent override for the relayhost parameter 11443 setting. The lookup is done in the trivial-rewrite server, 11444 instead of the queue manager where it does not belong. 11445 Files: global/resolve_clnt.c, global/tok822_resolve.c, 11446 trivial-rewrite/resolve.c, trivial-rewrite/transport.c, 11447 *qmgr/qmgr_message.c. 11448 11449 Also: address_verify_sender_dependent_relayhost_maps for 11450 completeness. 11451 1145220051124 11453 11454 Feature: specify "smtp_sender_dependent_authentication = 11455 yes" to enable sender-dependent SASL passwords. This disables 11456 SMTP connection caching to ensure that mail from different 11457 senders is delivered with the appropriate credentials. This 11458 is an extended version of a patch by Mathias Hasselmann. 11459 Files: smtp/smtp_connect.c, smtp/smtp_sasl_glue.c. 11460 1146120051126 11462 11463 Workaround: log warning when REDIRECT or FILTER are used 11464 in smtpd_end_of_data_restrictions. File: smtpd/smtpd_check.c. 11465 11466 Log warning when REDIRECT, FILTER, HOLD and DISCARD are 11467 used in smtpd_etrn_restrictions. File: smtpd/smtpd_check.c. 11468 1146920051128 11470 11471 Bugfix: moved code around from one place to another to make 11472 REDIRECT, FILTER, HOLD and DISCARD access(5) table actions 11473 work in smtpd_end_of_data_restrictions. PREPEND will not 11474 be fixed; it must be specified before the message content 11475 is received. Files: smtpd/smtpd.c, smtpd/smtpd_check.c, 11476 cleanup/cleanup_extracted.c, pickup/pickup.c. 11477 11478 Safety: abort if the SMTP or QMQP server runs with non-postfix 11479 privileges while it's connected to the network. Files: 11480 smtpd/smtpd_peer.c, qmqpd/qmqpd_peer.c. 11481 1148220051201 11483 11484 Bugfix: the LMTP client would reuse a session after negative 11485 reply to the RSET command (which may happen when client and 11486 server somehow get out of sync). Problem found by Christian 11487 Theune. Files: lmtp/lmtp.c, lmtp/lmtp_proto.c. 11488 1148920051202 11490 11491 Bugfix: the 20051128 code move for "smtpd_end_of_data_restrictions" 11492 broke "postsuper -r". 11493 1149420051202-3 11495 11496 Cleanup: the SMTP client now also implements the LMTP 11497 protocol. Files: smtp/smtp.c, smtp/smtp_connect.c, 11498 smtp/smtp_proto.c, smtp/smtp_dsn.c, smtp_state.c, 11499 smtp_sasl_glue.c. 11500 11501 As before, the LMTP behavior is controlled with parameters 11502 named lmtp_xxx instead of smtp_xxx. However there are now 11503 a lot more lmtp_xxx parameters :-) With few exceptions, all 11504 SMTP features are now also available with LMTP. The exceptions 11505 are related to the HELO and EHLO commands, which exist in 11506 SMTP only. There are equivalent LHLO command parameters 11507 where it makes sense. 11508 1150920051206 11510 11511 SMTP+LMTP client connection management code rewritten to 11512 support UNIX-domain socket connections. 11513 1151420051207 11515 11516 Bugfix: race condition in the connection caching protocol, 11517 found while adding connection caching for UNIX-domain sockets 11518 (used for LMTP delivery). This was introduced with the 11519 20050706 workaround, and may the same problem that Jussi 11520 Silvennoinen experienced (in Postfix 2.2.6) with SMTP after 11521 an upgrade. Files: scache/scache.c. 11522 11523 Bugfix: smtp-sink and qmqp-sink didn't ignore SIGPIPE. 11524 1152520051208 11526 11527 Robustness: reduced timeouts in the connection caching 11528 client, so that a malfunctioning service does not prevent 11529 mail delivery. This uses similar code that already exists 11530 for the anvil(8) client and the tlsmgr(8) client. Files: 11531 global/scache_clnt.c, smtp/smtp.c. 11532 11533 To make reduced connection caching client timeouts possible, 11534 connection management was moved from the attr_clnt(3) module 11535 to the auto_clnt(3) module where it belongs. The auto_clnt(3) 11536 module is now a full alternative for the clnt_stream(3) 11537 module. Files: util/auto_clnt.c, util/attr_clnt.c. 11538 11539 Bugfix: the best_mx_transport, mailbox_transport and 11540 fallback_transport features did not write a per-recipient 11541 defer logfile record when the target delivery agent was 11542 broken. This the analog of queue manager bugfix 20051119. 11543 Files: global/deliver_pass.c. 11544 1154520051210 11546 11547 Cleanup: simplified the SMTP/LMTP connection management 11548 logic for address list and fallback relay processing. 11549 Still need to simplify deferred recipient handling. 11550 1155120051212 11552 11553 Bugfix: after a failed TLS session, the 20051210 SMTP client 11554 code cleanup broke sessions with backup servers, causing the 11555 client to get out of step with the backup server. This in 11556 turn exposed a one-year old missing exception handling 11557 context in the EHLO handstake after sending STARTTLS. Victim 11558 was Ralf Hildebrandt, detectives Victor Duchovni and Wietse. 11559 File: smtp/smtp_proto.c. 11560 1156120051213 11562 11563 Bugfix: *SQL, proxy and LDAP map types were not defined in 11564 user-land commands such as postqueue. Leandro Santi. File: 11565 postqueue/postqueue.c. 11566 1156720051212-14 11568 11569 Server-side plug-in interface for SASL authentication. This 11570 uses Cyrus SASL by default, so nothing has changed except 11571 error messages may be more informative. Files: 11572 smtpd/smtpd_sasl_proto.c smtpd/smtpd_sasl_glue.c, 11573 xsasl/xsasl_server.[hc], xsasl/cyrus_server.[hc] 11574 xsasl/cyrus_strerror.c, xsasl/cyrus_log.c, xsasl/cyrus_security.c. 11575 1157620051215 11577 11578 Portability: IRIX 6.5.28 defines sa_len as a macro, so it 11579 can't be used as a variable identifier. Zach McDanel. Files: 11580 dns/dns_rr_to_sa.c, smtpd/smtpd_peer.c, qmqpd/qmqpd_peer.c. 11581 1158220051216 11583 11584 Cleanup: removed some scar tissue that was introduced with 11585 server-side SASL plug-in support. Files: smtpd_sasl_proto.c, 11586 smtpd_sasl_glue.c. 11587 11588 Client-side plug-in interface for SASL authentication. This 11589 uses Cyrus SASL by default, so nothing has changed except 11590 error messages may be more informative. Files: smtp_sasl_glue.c, 11591 xsasl/xsasl_client.[hc], xsasl/cyrus_client.[hc]. 11592 1159320051217 11594 11595 Bugfix: when a SASL client password is required by a specific 11596 server, defer delivery when no server-announced mechanism 11597 survives the smtp_sasl_mechanism_filter, instead of ignoring 11598 the SASL announcement and trying to deliver the mail over 11599 an unauthenticated connection and risking that mail will 11600 be rejected. File: smtp/smtp_sasl_proto.c, smtp/smtp_proto.c. 11601 11602 Portability: zero the "struct msg" just in case. Both purify 11603 (Linux) and valgrind (FreeBSD) complain about uninitialized 11604 bits. Files: util/unix_{send,recv}_fd.c. 11605 1160620051219 11607 11608 Cleanup: generic smtpd_sasl_path, smtp_sasl_path and 11609 lmtp_sasl_path configuration parameters; simplified the 11610 SASL plug-in API, and made initial provisions for SASL 11611 session encryption. Files: xsasl/*.[hc]. 11612 11613 Feature: "postconf -a" lists the available SASL server 11614 plug-in types, and "postconf -A" does the same for the 11615 client. Files: postconf.c, xsasl_{client,server}.c. 11616 11617 Feature: new SMTPD policy attributes "encryption_protocol", 11618 "encryption_cipher" and "encryption_keysize", to distinguish 11619 plaintext from encrypted connections. 11620 1162120051221 11622 11623 Privacy: the new Cyrus SASL server plug-in replaces "no 11624 user" errors by "authentication failed" errors. File: 11625 xsasl/xsasl_cyrus_server.c. 11626 11627 Safety: the Postfix SMTP client no longer uses CNAME expanded 11628 hostnames for logging, SASL password lookup, TLS policy 11629 decisions, or TLS certificate verification. Instead it 11630 uses the name of the recipient domain, or the host or domain 11631 name specified in Postfix configuration files. Of course 11632 this won't prevent cheating with hostnames that appear in 11633 MX lookup results. To avoid that you will have to suppress 11634 MX lookups with explicit [hostname] entries in transport 11635 maps. Files: dns/dns_lookup.c, dns/dns_rr.c. 11636 1163720051222 11638 11639 Feature: Dovecot SASL authentication (server side) plug-in 11640 by Timo Sirainen. This builds without external library 11641 dependencies and is therefore compiled in by default. 11642 Files: xsasl/xsasl_dovecot_server.[hc]. 11643 11644 Safety: set the default LANG=C, instead of deleting LANG 11645 from the environment and assuming the right thing will 11646 happen. File: global/mail_params.h. 11647 11648 Safety: always add the ISASCII() requirement to the ISXXX() 11649 macros, because they are used for protocol and policy 11650 enforcement. File: util/sys_defs.h. 11651 11652 Bugfix: null pointer in the 20051219 policy delegation 11653 crypto attributes. File: smtpd/smtpd_check.c. 11654 11655 Compatibility: "resolve_numeric_domain = yes" will accept 11656 addresses with numeric domains instead of rejecting them as 11657 invalid. Files: trivial-rewrite/resolve.c, util/vstring.c. 11658 11659 Bugfix: 20051219 "postconf -A" produced "postconf -a" output. 11660 Andreas Winkelmann. 11661 1166220051225 11663 11664 Bugfix: the regexp map cleverly avoided scanning constant 11665 lookup results for non-existent $number expressions, but 11666 failed to subject those results to the necessary $$ -> $ 11667 replacement. Files: util/dict_regexp.c. 11668 11669 Performance: the pcre map did not optimize constant lookup 11670 results; they were always scanned for non-existent $number 11671 expressions. File: util/dict_pcre.c. 11672 11673 This round of edits eliminates architectural differences 11674 between the pcre and regexp table implementations. The 11675 remaining difference is that regexp tables still support 11676 the obsolete "/pattern1/!/pattern2/ action" syntax, for 11677 backwards compatibility with Postfix 2.0 and earlier. 11678 1167920051227 11680 11681 Bugfix: the 20051222 ISASCII paranoia broke the strcasecmp() 11682 workaround for Solaris. File: util/strcasecmp.c. 11683 11684 Bitrot: SunOS4 pre-dates size_t, ssize_t, getsid(). File: 11685 src/util/sys_defs.h. The SunOS4 tests had been suspended 11686 due to what turned out to be a broken AUI-to-UTP transceiver. 11687 11688 Bugfix: the 20061226 cosmetic change broke non-IPV6 support 11689 (example: sockaddr_to_hostaddr: Unknown error: success). 11690 File: util/myaddrinfo.c. 11691 1169220051229 11693 11694 The following workaround was removed 20060103. 11695 11696 Workaround: when mail is still queued after 3000 seconds, 11697 the SMTP client no longer pipelines the DOT+QUIT commands. 11698 The 20050929 paranoia about malformed server replies 11699 eliminated a rare occurrence of "lost mail" with sites that 11700 mis-implement DOT+QUIT pipelining, but resulted in a larger 11701 occurrence of repeated deliveries to sites with a different 11702 DOT+QUIT pipelining bug. The time threshold is set with the 11703 smtp_dot_quit_workaround_threshold_time parameter. Files: 11704 smtp/smtp_proto.c, smtp/smtp.c. 11705 11706 Feature: mailbox_transport_maps and fallback_transport_maps 11707 to search delivery transports by recipient name. Files: 11708 local/mailbox.c, local/unknown.c. 11709 11710 Feature: the master daemon now logs a warning when all 11711 servers are busy that may accept remote connections, and 11712 suggests to either increase the process count or to reduce 11713 the service time per client. Files: master/master_ent.c, 11714 master/master_avail.c. 11715 1171620051231 11717 11718 Bugfix: the anvil server would terminate after "max_idle" 11719 seconds, even when this was less than the anvil_rate_time_unit 11720 interval. File: anvil/anvil.c. 11721 1172220060102 11723 11724 Deleted the 20051229 dot-quit bug workaround. Automatically 11725 deferring delivery created "no delivery" and "repeated 11726 delivery" problems; and automatically turning off pipelining 11727 for delayed mail was a bad workaround for a bad workaround. 11728 The administrator still has the option to turn off pipelining 11729 by hand if loss of mail is a concern. 11730 1173120060103 11732 11733 Bugfix: the 20051217 fix (when a SASL client password is 11734 found, defer delivery when no server-announced mechanism 11735 survives the smtp_sasl_mechanism_filter) did the mechanism 11736 test too early, so that it could trip up with deliveries 11737 to servers that we don't have a SASL password for. Files: 11738 smtp/smtp_sasl_proto.c, smtp/smtp_proto.c. 11739 1174020060104 11741 11742 Safety: new "smtp_cname_overrides_servername" parameter. 11743 The default value ("no") is NOT backwards compatible. This 11744 avoids surprises with the hostname that is used for logging, 11745 SASL password lookup, TLS policy decisions, or TLS certificate 11746 verification. The change makes the 20051221 behavior more 11747 configurable. Files: smtp/smtp_addr.c, smtp/smtp_connect.c, 11748 proto/postconf.proto. 11749 1175020060105 11751 11752 Cleanup: removed the unused DSN "code" attribute; removed 11753 surrogate SMTP replies for errors that were not reported 11754 by a remote SMTP server, making several DSN-related functions 11755 and macros redundant; cleaned up some bizarre code for DSN 11756 attribute memory management in the SMTP client. 11757 1175820060106 11759 11760 Cleanup: eliminated the global smtp_errno variable, which 11761 had become redundant after introducing DSN support. Files: 11762 smtp/smtp_addr.c, smtp/smtp_connect.c. 11763 1176420060107 11765 11766 Cleanup: removed more bizarre code for DSN attribute memory 11767 management in the queue manager, bounce server, and in 11768 delivery agents. 11769 1177020060109 11771 11772 Bugfix: smtp_sasl_tls_opts was unimplemented. File: 11773 smtp/smtp_sasl_proto.c. 11774 11775 Cleanup: more bounce logfile code cleanup. Files: 11776 global/bounce_log.c, bounce/bounce_notify_util.c, 11777 bounce/bounce.c, bounce/bounce_notify_verp.c, 11778 bounce/bounce_one_service.c, showq/showq.c 11779 1178020060110 11781 11782 Cleanup: more bounce logfile code cleanup. Files: 11783 global/bounce_log.c, bounce/bounce_notify_util.c. 11784 11785 Bugfix: the VERP bouncer never handled the case of a missing 11786 bounce logfile. Found while doing more logfile code cleanup. 11787 File: bounce/bounce_notify_verp.c. 11788 11789 Feature: smtp_sasl_tls_verified_security_options for 11790 connections where the server certificate passed verification. 11791 The default value is $smtp_sasl_tls_security_options, which 11792 in turn defaults to $smtp_sasl_security_options. 11793 1179420060111 11795 11796 Optimization: mystrdup() and mystrndup() now return a pointer 11797 to a fixed read-only memory location instead of allocating 11798 memory for zero-length null-terminated strings. This saves 11799 lots of memory for unused recipient attributes. If this 11800 change causes problems (for example, you have an ancient 11801 sscanf() implementation that writes to its input) then 11802 compile Postfix with -DNO_SHARED_EMPTY_STRINGS. 11803 11804 Cleanup: eliminated null pointer members in DSN structures. 11805 Instead we now use the optimized mystrdup() for empty 11806 strings. For safety sake we keep the tests for null pointers 11807 in input, but we always produce empty strings on output. 11808 Files: global/dsn.c, global/dsn.h, global/dsn_buf.h, 11809 global/dsn_print.c. 11810 11811 Cleanup: eliminated ad-hoc code for passing recipients in 11812 the queue manager delivery request protocol. Postfix now 11813 uses proper object activation/passivation instead. Files: 11814 *qmgr/qmgr_deliver.c, global/deliver_request.c, 11815 global/deliver_pass.c. 11816 1181720060112 11818 11819 Feature: to simplify debugging the bounce server logs the 11820 old and new queue ID when notifying the sender or postmaster. 11821 Files: global/post_mail.c, bounce/bounce_notify_service.c, 11822 bounce/bounce_one_service.c, bounce/bounce_notify_verp.c, 11823 bounce/bounce_warn_service.c, bounce/bounce_trace_service.c. 11824 11825 Fudge: when translating recipient DSN codes into sender DSN 11826 codes, map sender address problems that have no DSN code 11827 to *.1.7 (Bad sender's mailbox address syntax) instead of 11828 *.1.0 (Other address status) because that loses the distinction 11829 between sender and recipient. File: smtpd/smtpd_dsn_fix.c. 11830 1183120060113 11832 11833 Cleanup: preserve upper case information of address localpart 11834 or extension when mapping one address to another with 11835 non-regexp/pcre tables. Files: global/mail_addr_find.c, 11836 global/maps_find.c. 11837 1183820060115 11839 11840 Bugfix: don't ignore the per-site policy when SSL library 11841 initialization fails. Introduced after adopting the TLS 11842 patch. File: smtp/smtp_session.c. 11843 1184420060117 11845 11846 [withdrawn 20060126] Safety: daemon processes that need no 11847 privileges now insist that they are configured to run without 11848 privileges. Files: master/single_server.c, master/multi_server.c, 11849 master/trigger_server.c. 11850 11851 Cleanup: preserve upper case information of address localpart 11852 or extension when mapping addresses via regexp/pcre tables. 11853 This requires that Postfix does not case fold the search 11854 string when searching regexp or pcre tables, so that $number 11855 substitutions produce the expected result. 11856 11857 In order to get a consistent handling of table operations, 11858 the search string case folding logic was moved from the 11859 application to the individual lookup table modules; the 11860 application specifies its case folding preference when it 11861 opens a table, and the table folds the search or update 11862 string as needed. 11863 11864 Files: everything that opens a map or multiple maps (to 11865 specify the case folding preference), and everything that 11866 contained ad-hoc code to lowercase search strings (which 11867 is no longer needed). 11868 11869 Bugfix: as a side effect of this revision of all code that 11870 opens tables, the postmap/postalias -n/-N options are no 11871 longer silently ignored when the -q (query) and -d (delete) 11872 options are specified. Files: postmap/postmap.c, 11873 postalias/postalias.c. 11874 11875 Safety: don't allow $number substitution in transport maps 11876 or sender-dependent relayhost maps. 11877 11878 Cleanup: smtp_sasl_passwd_maps lookup keys are folded to 11879 lowercase before searching tables such as btree:, dbm: or 11880 hash: that have fixed-case fields. File: smtp/smtp_sasl_glue.c. 11881 11882 Bugfix: per-sender relayhost maps were not locked for shared 11883 access. 11884 1188520060119 11886 11887 Cleanup: don't look up parent domain substrings in regexp/pcre 11888 like tables while searching a hostname in a domain/namaddr_list. 11889 File: util/match_ops.c. 11890 1189120060120 11892 11893 Cleanup: multiple boolean variables were replaced by a 11894 single TLS enforcement level (none, may, encrypt, verify). 11895 With Victor Duchovni. Files: smtp_session.c, smtp_proto.c, 11896 smtp.h. 11897 11898 Cleanup: the SMTP per-site policy table was re-implemented 11899 in terms of enforcement levels instead of multiple boolean 11900 variables. This greatly simplified the code and led to the 11901 elimination of non-intuitive behavior as documented next. 11902 With Victor Duchovni. Files: smtp_session.c, smtp.h. 11903 11904 Bugfix: a TLS per-site MUST_NOPEERMATCH policy could not 11905 override a main.cf MUST (with peer match) policy, while a 11906 per-site NONE policy could. 11907 11908 Bugfix: a combined TLS per-site (host, next-hop) policy of 11909 (NONE, MAY) would change the strongest main.cf MUST policy 11910 into NONE, while it changed all weaker main.cf policies 11911 into MAY. The result is now NONE for all main.cf policy 11912 settings. 11913 1191420060123 11915 11916 Feature: recipient_count attribute in SMTPD policy protocol. 11917 This is available only in the DATA and END-OF-MESSAGE stage. 11918 Based on code by Guo Black. Files: smtpd_check.c. 11919 11920 Cleanup: renamed MUMBLE_NUM to MUMBLE_INT to make type 11921 discrepancies more explicit. 11922 11923 Bugfix: change 20051208 broke when a connection could not 11924 be established. File: util/auto_clnt.c. 11925 1192620060124 11927 11928 Bugfix: the virtual(8) delivery agent did not insist on 11929 privileged operation as it should; this broke change 20060117. 11930 Ralf Hildebrandt. File: virtual/virtual.c. 11931 11932 Bugfix: the TLS sasl security options (change 20060110) 11933 should also be #ifdef USE_TLS, and not only #ifdef 11934 USE_SASL_AUTH. Such feature interference is difficult to 11935 find in testing. Liviu Daia. File: smtp/smtp_sasl_proto.c. 11936 1193720060126 11938 11939 Undo: change 20060117 (unprivileged operation test) broke 11940 "sendmail -bs", "postconf -b", "postconf -t", and probably 11941 more. Files: master/{single,multi,trigger}_server.c. 11942 1194320060130 11944 11945 Bugfix: an empty remote_header_rewrite_domain value caused 11946 trivial-rewrite to dereference a null pointer, but only in 11947 regression tests, not in production. Envelope addresses are 11948 by definition rewritten in the local domain context, because 11949 an address without domain is equivalent to an address in 11950 the local domain; and header addresses are rewritten in the 11951 remote context only when remote_header_rewrite_domain is 11952 non-empty. File: trivial-rewrite/rewrite.c. 11953 1195420060131 11955 11956 Cleanup: regression tests are now separated into "make 11957 tests" for unprivileged tests, and "make root_tests" for 11958 tests that require privileges to connect to the Postfix 11959 internal sockets. Files Makefile.in, src/*/Makefile.in. 11960 1196120060201 11962 11963 Bugfix: despite efforts to treat malformed domain names as 11964 hard errors (change 20050726) they were still processed as 11965 soft errors. File: dns/dns_lookup.c. 11966 1196720060203 11968 11969 Bugfix: smtpd core dump when SASL was compiled in, turned 11970 off (smtpd_sasl_auth_enable = no) and permit_sasl_authenticated 11971 was specified in local_header_rewrite_clients. Victor 11972 Duchovni. File: smtpd/smtpd_check.c. 11973 11974 Cleanup: don't complain about useless SASL or TLS "permit" 11975 restrictions when SASL or TLS aren't compiled in, but do 11976 reject mail when reject_plaintext_session is specified while 11977 TLS isn't compiled in. File: smtpd/smtpd_check.c. 11978 1197920060204 11980 11981 Bugfix: disable the content_filter feature for user-requested 11982 "sendmail -bv" probes, just like it is disabled for probes 11983 generated by Postfix itself. File: *qmgr/qmgr_message.c. 11984 1198520060207 11986 11987 Robustness: place the "do we have TLS" guards within method 11988 implementations, instead of putting them around method 11989 invocations. File: smtpd/smtpd_check.c. 11990 11991 Bugfix: duplicate the cleanup(8) DSN envelope ID syntax 11992 check in smtpd(8), so that clients get better error replies. 11993 File: smtpd/smtpd_check.c. 11994 11995 Bugfix: change 20060203 broke the reject_plaintext_session 11996 feature. 11997 11998 The trivial-rewrite and proxymap multi-server processes now 11999 terminate soon after all their clients disconnect, instead 12000 of waiting for another 100 seconds. This allows the processes 12001 to refresh more frequently on low-traffic systems. 12002 12003 Cleanup: smtpd_delay_open_until_valid_rcpt (default: yes) 12004 controls whether Postfix delays the start of a mail transaction 12005 until after the first valid recipient, or if it starts a 12006 transaction immediately after MAIL FROM. File: smtpd/smtpd.c. 12007 1200820060217 12009 12010 Bugfix: don't terminate with a non-standard exit status 12011 when the pipe-to-command feature has a problem before it 12012 executes the command. File: global/pipe_command.c. 12013 1201420060223 12015 12016 Bugfix: detect integer overflow when multiplying time values 12017 with non-trivial time units. File: global/conv_time.c. 12018 1201920060307 12020 12021 Bugfix: reset the msg_cleanup() fatal error handler in child 12022 processes. See also change 20060217. Files: postlock/postlock.c, 12023 master/multi_server.c, global/mail_run.c, util/vstream_popen.c. 12024 1202520060310 12026 12027 Bugfix: the MIME processor assumed that input was null 12028 terminated. This broke with CRLF input to the "sendmail -t" 12029 command in Postfix 2.1 and later (see change 20030416). 12030 Found by Leandro Santi. Based on patch by Victor Duchovni. 12031 Files: global/mime_state.c, global/is_header.c. 12032 1203320060313 12034 12035 Cleanup: the message arrival time (start of the receive 12036 transaction) no longer controls message expiration or 12037 delivery attempts. Instead, expiration and delivery are 12038 now controlled by the time when the cleanup server creates 12039 a queue file. This closes a problem that was introduced 12040 with the 20051104 change that introduced higher-resolution 12041 delay time keeping: as a result, "postsuper -r" could no 12042 longer manipulate the mail expiration schedule, so that 12043 mail "on hold" could expire too soon. 12044 1204520060315 12046 12047 Workaround. the PCRE library reports an inappropriate error 12048 code (invalid substring) when $number refers to a valid () 12049 expression that matches the null string. This caused fatal 12050 run-time errors. File: dict_pcre.c. 12051 1205220060324 12053 12054 Cleanup: eliminated name collisions between global and local 12055 variables, and other forms of shadowing. Documented switch 12056 fall-throughs with /* FALLTHROUGH */ where this wasn't 12057 already done. Replaced (var = expr) by (var = expr) != 0 12058 where this wasn't already done. 12059 1206020060324 12061 12062 Bugfix: mis-placed parenthesis in a before-filter error 12063 test. A filter timeout was mis-reported as lost connection. 12064 Found in code review. File: smtpd/smtpd_proxy.c. 12065 1206620060327 12067 12068 Cleanup: the SQL and LDAP clients now log a warning when 12069 they skip an empty lookup result, so that humans don't have 12070 to wonder why Postfix doesn't find all the database entries. 12071 File: global/db_common.c. 12072 12073 Moved SMTP/LMTP parameter initialization from global/mail_params.c 12074 to the combined smtp/lmtp delivery agent. Added missing 12075 lmtp parameters. 12076 1207720060328 12078 12079 Feature: configurable chroot directive for the pipe(8) 12080 delivery agent, by Przemyslaw Wegrzyn. Files: 12081 global/pipe_command.c, pipe/pipe.c. 12082 12083 Bugfix: cut-and-paste error: lmtp_connection_cache_limit 12084 was left with the name of smtp_connection_cache_limit. 12085 Reported by Victor? File: src/global/mail_params.h. 12086 1208720060329 12088 12089 More extensible interface for TLS client/server library, 12090 now passes property structures that combine all the relevant 12091 parameters in one type-safe structure. 12092 12093 TLS session cache activity logging now takes place at TLS 12094 log level 2 or greater. 12095 1209620060403 12097 12098 Cleanup: made fcntl/flock handling consistent with respect 12099 to EINTR (reported by Carlo Contavalli). However, Postfix 12100 is not meant to be signal safe. Only the master daemon 12101 handles signals without terminating, and it uses only a 12102 small subset of Postfix library routines. File: util/myflock.c. 12103 12104 Bugfix: the pipe-to-command error message was lost when the 12105 command could not be executed. File: global/pipe_command.c. 12106 1210720060404 12108 12109 Bugfix in sanity check: after reading a record from the 12110 address verification database, a sanity check did not reject 12111 a record with all-zero time stamp fields. Such records are 12112 never written; the test is there just in case something is 12113 broken, so that Postfix will not blindly march on and create 12114 chaos. The sanity check tested pointer values, instead of 12115 dereferencing the pointers. Found by Coverity. File: 12116 verify/verify.c. 12117 12118 Bugfix in sanity check: when the maildir delivery routine 12119 opens an output file it looks up the file attributes via 12120 the file handle it just got. There is a sanity check that 12121 detects if the attribute lookup fails, an error that never 12122 happens. The code that handles the impossible error did not 12123 close the output file. This would cause a virtual or local 12124 delivery agent to waste up to 100 file descriptors. But 12125 for that error to happen the system would have to be so 12126 sick that you would have more serious problems than a file 12127 descriptor leak. Found by Coverity. Files: local/maildir.c, 12128 virtual/maildir.c. 12129 1213020060405 12131 12132 Bugfix: the MIME parser assumed input is null terminated 12133 when reporting errors. Fix by Leandro Santi. Files: 12134 global/mime_state.c, cleanup/cleanup_message.c. 12135 1213620060411 12137 12138 Bugfix: the SMTP server logged no warning when for some 12139 reason the TLS engine was unavailable in wrappermode. Victor 12140 Duchovni. File: smtpd/smtpd.c. 12141 1214220060417 12143 12144 Cleanup: when SMTP access table lookup fails, reply with 12145 4xx instead of aborting with a fatal run-time error. The 12146 old behavior assumes local file access, and is inappropriate 12147 with deployment of LDAP and SQL tables. File: smtpd/smtpd_check.c. 12148 1214920060423 12150 12151 Bugfix: postcat did not print the attribute value of records 12152 containing a named attribute. File: postcat/postcat.c. 12153 1215420060430 12155 12156 Bugfix: dangling pointer in a function that has no caller. 12157 Found by Coverity. File: tls/tls_prng_exch.c. 12158 12159 Bugfix: the workaround for CA-2003-07 (Sendmail) did not 12160 null terminate the address before logging a warning. Reported 12161 by Kris Kennaway. File: global/tok822_parse.c. 12162 1216320060301-20060515 12164 12165 Sendmail 8 Milter support, distributed across the smtpd(8) 12166 server for SMTP commands, and the cleanup(8) server for 12167 content inspection and manipulation. The code supports all 12168 requests to add/delete recipients, and to add/delete/replace 12169 message headers, but does not yet support requests to replace 12170 the message body. See MILTER_README for more. Files: 12171 smtpd/smtpd.c, smtpd/smtpd_milter.c, cleanup/cleanup_api.c, 12172 cleanup/cleanup_envelope.c, cleanup/cleanup_extracted.c, 12173 cleanup/cleanup_milter.c, milter/milter.c, milter/milter8.c. 12174 12175 That's 89 lines in smtpd, 1010 lines in cleanup, and 2449 12176 lines of library support, comments not included. 12177 12178 A simple test Milter application for use in regression tests 12179 is in src/milter/test-milter.c. Queue file modifications are 12180 tested with a driver at the end src/cleanup/cleanup_milter.c 12181 that reads commands from a script. 12182 12183 To make debugging easier, uncomment the "#define msg_verbose 12184 2" lines at the top of cleanup_milter.c or milter8.c. This 12185 produces logging without making everything else verbose. 12186 1218720060510 12188 12189 Preliminary TLS_README and postconf(5) changes completed. 12190 Victor Duchovni. 12191 12192 Added smtp_tls_policy_maps and smtp_tls_protocols features 12193 to the smtp/lmtp client, changed smtp_tls_cipherlist to 12194 only apply when TLS is mandatory. Victor Duchovni. 12195 1219620060512 12197 12198 Destinations that share a common server may have distinct 12199 TLS protocol and cipherlist requirements, with mandatory 12200 TLS add the protocol and cipherlist values to the TLS session 12201 lookup key. Victor Duchovni. 12202 1220320060516 12204 12205 Portability: __float80 alignment, by Albert Chin. File: 12206 util/sys_defs.h. 12207 12208 Further testing of Milter support uncovered typos; a missing 12209 null pointer test while cleaning up after content miltering; 12210 the need for a workaround to not bounce+delete local 12211 submission after it triggers a temporary reject Milter 12212 action. 12213 12214 Workaround: don't bounce+delete a local submission after 12215 it triggers a "reject 4.x.x" action in header/body_checks. 12216 This means an SMTP client now sees "queue file write error" 12217 instead of the text from the "reject 4.x.x text" action. 12218 File: cleanup/cleanup_message.c. 12219 12220 Workaround: OpenSSL 0.9.8[ab] with zlib support interoperability 12221 problem. Victor Duchovni. Files: tls/tls_client.c, 12222 tls/tls_misc.c, tls/tls_server.c. 12223 12224 Added smtpd_tls_protocols parameter to complement 12225 smtp_tls_protocols. Victor Duchovni. 12226 1222720060517 12228 12229 The smtp_tls_policy_maps table now implements parent domain 12230 matching for destinations that are bare domains (without 12231 enclosing [] or optional :port suffix). This allows one to 12232 set TLS policy for a domain and all sub-domains. Victor 12233 Duchovni. 12234 1223520060519 12236 12237 The same parameter can bind to different variables in 12238 different daemons. Ignore the variable name when eliminating 12239 duplicates in extract.awk. Victor Duchovni. 12240 1224120060523 12242 12243 Improved handling of smtp_tls_protocols and smtpd_tls_protocols, 12244 names now processed via name_mask(3) and canonicalized prior 12245 to use in the SMTP/LMTP client TLS session lookup key. Also 12246 simplifies the corresponding code in the TLS driver. Victor 12247 Duchovni. 12248 1224920060524 12250 12251 Cleanup: send ETRN command parameter when using check_policy 12252 in the context of an ETRN command. Joshua Goodall. File: 12253 smtpd/smtpd_check.c. 12254 1225520060601 12256 12257 Bugfix (bug introduced 20051118): permit_mx_backup authorized 12258 domains without secondary MX records. Joshua Goodall. File: 12259 smtpd/smtpd_check.c. 12260 1226120060601 12262 12263 Fixed default value of LMTP TLS client certificate parameters, 12264 using the SMTP values as a default was wrong. Victor Duchovni. 12265 1226620060603 12267 12268 Different transports may have different CAfile or CApath 12269 settings. We need to add the transport name to the TLS 12270 session lookup key so that sessions verified with one set 12271 of trusted roots are not inadvertantly considered verified 12272 for another. Victor Duchovni. 12273 1227420060604 12275 12276 Cleanup: minor fluff found with the BEAM source code analyzer. 12277 Files: global/quote_821_local.c, global/quote_822_local.c, 12278 master/master_spawn.c, pickup/pickup.c, util/match_ops.c, 12279 util/safe_open.c, xsasl/xsasl_cyrus_client.c. 12280 1228120060606 12282 12283 Safety: mail receiving daemons (smtpd, qmqpd) now pass 12284 actual client name/address/helo attributes in addition to 12285 the attributes used for logging (xforward). This prevents 12286 Milter applications from treating qmqpd mail as if it 12287 originated locally, and prevents incorrect Milter decisions 12288 after "postsuper -r". Files: smtpd/smtpd.c, qmqpd/qmqpd.c, 12289 cleanup/cleanup_envelope.c, cleanup/cleanup_milter.c, 12290 cleanup/cleanup_state.c, global/post_mail.c, *qmgr/qmgr_message.c, 12291 *qmgr/qmgr_deliver.c, global/deliver_request.c, 12292 global/deliver_pass.c, local/forward.c. 12293 12294 Bugfix: qmgr panic after queue file corruption by Mailscanner. 12295 Files: *qmgr/qmgr_message.c. 12296 12297 Bugfix: XCLIENT didn't work with smtpd_delay_reject=no 12298 (problem reported by Joshua Goodall). To make XCLIENT work 12299 correctly with built-in restrictions and with Milter 12300 applications, the SMTP server now jumps back to the very 12301 start (the 220 phase) of an SMTP session. File: smtpd/smtpd.c. 12302 1230320060606 12304 12305 Portability: Some systems no longer support the traditional 12306 "sort +0 -2 +3". Victor Duchovni. 12307 1230820060607 12309 12310 Portability: Found by BEAM static code analyzer. SSL options 12311 (long) were stored as int. 12312 1231320060610 12314 12315 Cleanup: XCLIENT and XFORWARD attribute values are now sent 12316 as xtext encoded strings. For backwards compatibility, 12317 Postfix will still accept unencoded attribute values. Files: 12318 smtpd/smtpd.c, smtpd/smtpd_proxy.c, smtp/smtp_proto.c. 12319 1232020060611 12321 12322 Robustness: additional sanity checks for common database 12323 routines. Viktor Dukhovni. File: global/db_common.c. 12324 12325 Portability: LDAP 2.3 API support. Viktor Dukhovni. File: 12326 global/dict_ldap.c. 12327 12328 Security: the PostgreSQL client was updated after the 12329 PostgreSQL developers made major database API changes in 12330 response to PostgreSQL security issues. This breaks support 12331 for PGSQL versions prior to 8.1.4, 8.0.8, 7.4.13, and 7.3.15. 12332 Support for these requires major code changes which are not 12333 possible in the time that is left for the Postfix 2.3 stable 12334 release. 12335 12336 Specific PostgreSQL client changes: use connection-aware 12337 quoting, and more robust PQexec() result handling. Previous 12338 versions of the dict_pgsql driver didn't check the status 12339 of the result pointer, and certain exceptional events can 12340 be mis-interpreted as an empty result set. Fixes by Leandro 12341 Santi. File: global/dict_pgsql.c. 12342 1234320060612 12344 12345 Changed smtp security level parsing and level->name conversion 12346 to use name_code(3). Victor Duchovni. 12347 12348 Implemented new smtp_tls_security_level parameter, to replace 12349 the unnecessarily complex smtp_use_tls, smtp_enforce_tls 12350 and smtp_tls_enforce_peername parameters. The main.cf 12351 security level settings are now consistent with the new 12352 policy table. Victor Duchovni. 12353 12354 The smtp_sasl_tls_verified_security_options feature is not 12355 yet complete, added #ifdef SNAPSHOT and changed documentation 12356 to delay introduction until Postfix 2.4. Victor Duchovni. 12357 1235820060614 12359 12360 Merged in Victor's work including the new TLS policy table 12361 and a complete set of configuration parameters for the LMTP 12362 personality of the unified SMTP/LMTP client. 12363 12364 Allow mandatory TLS encryption with LMTP over UNIX-domain 12365 sockets. Victor Duchovni. 12366 12367 Safety: improved code to avoid I/O on connections after the 12368 TLS handshake fails. Victor Duchovni. 12369 1237020060615 12371 12372 Cosmetic patch for const strings. Stefan Huehner. 12373 12374 Other cosmetic changes, mainly whitespace. 12375 1237620060616 12377 12378 The qshape.pl script was updated for the pointer records 12379 that were introduced to support message content modification 12380 by Milter applications. Victor Duchovni. 12381 1238220060620 12383 12384 Feature: Substantially better cipherlist specification 12385 interface and support for anonymous ciphers when certificates 12386 are not needed. The primary interface in main.cf and the 12387 policy table selects one of 5 grades for mandatory TLS with 12388 smtp(8) or lmtp(8) or for all TLS sessions with smtpd(8). 12389 The levels are "high", "medium" (or better), "low" (or 12390 better), "export" (or better) and "null". The underlying 12391 definitions of these levels are configurable, but users are 12392 strongly encouraged to not change those definitions. Victor 12393 Duchovni. 12394 1239520060626 12396 12397 Bugfix: the Milter reply syntax checker was off by one. 12398 File: milter/milter8.c. 12399 12400 Workaround: disable SMTP connection cache lookup by server 12401 IP address when the tls_per_site policy table is enabled. 12402 This is a workaround for a shortcoming in the SMTP connection 12403 cache implementation, which retrieves the server hostname 12404 from the cached connection. Since this server name is not 12405 obtained in a secure manner, it must not be allowed to 12406 control the tls_per_site policy. File: smtp/smtp_reuse.c. 12407 1240820060627 12409 12410 Cleanup: mumble_mandatory_tls_mumble parameters renamed to 12411 mumble_tls_mandatory_mumble; added _mandatory_ qualifier 12412 to names of parameters that affect only mandatory TLS. 12413 1241420060630 12415 12416 Features promoted from SNAPSHOT to STABLE: the "sleep" 12417 pseudo restriction; Postfix daemons now read the local 12418 timezone file before chrooting; trivial-rewrite now detects 12419 table changes every 10 seconds, so it restarts more timely. 12420 12421 Features that stay #ifdef SNAPSHOT: tcp_table, 12422 lmtp_sasl_tls_verified_security_options, and 12423 smtp_sasl_tls_verified_security_options. 12424 12425 Compatibility: Sendmail does not send its own Received: 12426 header to Milter applications. Offsets in header replace 12427 requests are relative to the message content as received 12428 (i.e. without our own Received: header), while offsets in 12429 header insert requests are relative to the message as 12430 delivered (i.e. they include our own Received: header). 12431 This explains why dk-filter would sign our own Received: 12432 header but place the signature between our own Received: 12433 header and the rest of the message, violating the draft 12434 domainkeys spec. 12435 1243620060702 12437 12438 Cleanup: more graceful handling of queue file read/write 12439 errors while processing milter message modification requests. 12440 Files: cleanup/cleanup_milter.c, milter/milter8.c. 12441 1244220060703 12443 12444 Debugging: the Postfix milter client gives more context 12445 when it experiences trouble while talking to an uncooperative 12446 Milter application. File: milter/milter8.c. 12447 12448 Compatibility: with OpenBSD 2.7 and later, the alias file 12449 is now in /etc/mail/aliases. 12450 1245120060704 12452 12453 Bugfix: the Milter client skipped zero-length body lines. 12454 File: milter/milter8.c. 12455 12456 Feature (just this one): RFC 3834 "Auto-Submitted:" message 12457 header in DSNs. File: bounce/bounce_notify_util.c. 12458 1245920060705 12460 12461 Portability: LP64 systems required a few ssize_t->int casts 12462 in debug logging statements. Files: milter/test_milter.c, 12463 cleanup/cleanup_milter.c. 12464 12465 Cleanup: comments, error messages, and crumbling interfaces. 12466 1246720060707 12468 12469 Workaround: apparently, Solaris gettimeofday() can return 12470 out-of range microsecond values. File: src/global/log_adhoc.c. 12471 12472 Robustness: the SMTPD policy client now encodes the 12473 ccert_subject and ccert-issuer attributes as xtext. Some 12474 characters are replaced by +XX, where XX is the two-digit 12475 hexadecimal code for the character value. File: 12476 smtpd/smtpd_check.c. 12477 12478 Safety: the SMTP/LMTP client now defers delivery when a 12479 SASL password exists, but the server does not offer SASL 12480 authentication. Mail could be rejected otherwise. This may 12481 become an issue now that Postfix retries delivery in plaintext 12482 after an opportunistic TLS handshake fails. Specify 12483 "smtp_sasl_auth_enforce = no" to deliver mail anyway. File: 12484 smtp/smtp_proto.c. See workaround 20060711 for sender-dependent 12485 SASL passwords. This was undone with the 20060719 workaround. 12486 1248720060709 12488 12489 Cleanup: the new single smtpd_tls_security_level parameter 12490 obsoletes the multiple smtpd_use_tls and smtpd_enforce_tls 12491 parameters. This is done for consistency with the Postfix 12492 SMTP client. In the Postfix SMTP server, the levels "verify" 12493 and "secure" are currently not applicable, and are treated 12494 as "encrypt", after logging a warning. Files: smtpd/smtpd.c, 12495 tls/tls_level.c, smtp/smtp_session.c. 12496 12497 Compatibility: don't send the first (blank) body line to 12498 Milter applications. This broke domain key etc. signatures 12499 when verified by non-Postfix MTAs. File: milter/milter8.c. 12500 1250120060710 12502 12503 Cleanup: more consistency between smtpd(8) and smtp(8) TLS 12504 configuration interfaces: smtpd_tls_mandatory_exclude_ciphers, 12505 smtpd_tls_mandatory_ciphers, smtpd_tls_mandatory_protocols. 12506 By Victor. Files:smtpd/smtpd.c. 12507 12508 Cleanup: to support domainkey signing of bounces and 12509 Postmaster notices, enable content inspection of Postfix- 12510 generated mail with the new internal_mail_filter_classes 12511 feature. This is disabled by default, because it is not 12512 yet safe enough. Files: global/int_filt.[hc] and everything 12513 that calls post_mail_fopen*(). 12514 1251520060711 12516 12517 Cleanup: smtpd_tls_mumble -> smtpd_tls_mandatory_mumble, 12518 and finer control over the Postfix SMTP server TLS ciphers, 12519 all this for consistency with the same functionality in the 12520 Postfix SMTP client. Victor Duchovni. 12521 12522 Compatibility: Sendmail's milter client handles whitespace 12523 after the header label and ":" in an interesting manner. 12524 It eats one space (not tab). File: milter/milter8.c. 12525 12526 Workaround: if sender-dependent SASL passwords are enabled, 12527 don't defer delivery when a SASL password exists but the 12528 server doesn't announce SASL support. File: smtp/smtp_proto.c. 12529 This was undone with the 20060719 workaround. 12530 12531 Cleanup: format of cleanup milter reject messages. File: 12532 cleanup_milter.c. 12533 12534 Bugfix: file/memory leak if a transfer of multiple milters 12535 from smtpd to cleanup broke in the middle. Found by Coverity. 12536 File: milter/milter.c. 12537 1253820060716 12539 12540 Bugfix: "sendmail -bs" panic caused by a missing 12541 SMTPD_STATE_ALONE() guard before a milter_abort() call. 12542 File: smtpd/smtpd.c. 12543 12544 Bugfix (bug introduced with Postfix 2.2): the Postfix SMTP 12545 client enforced Mandatory TLS only when talking to an ESMTP 12546 server; enforcement did not happen if Postfix could somehow 12547 be forced to send HELO instead of EHLO. Victor Duchovni. 12548 File: src/smtp/smtp_proto.c. 12549 1255020060718 12551 12552 Bugfix (bug introduced 20060711): null pointer bug when 12553 rejecting SMTP mail with Milter application. File: 12554 cleanup/cleanup_milter.c. 12555 12556 Workaround (problem introduced in 200605/200606 TLS update): 12557 the Postfix SMTP server now issues TLS session IDs even 12558 when TLS session caching is turned off, otherwise MS Outlook 12559 fails to deliver mail. There may also be interoperability 12560 issues with other MTAs that we haven't discovered yet. 12561 Specify "smtpd_tls_always_issue_session_ids = no" to disable 12562 the workaround. Victor Duchovni. Files: smtpd/smtpd.c, 12563 tls/tls_server.c. 12564 1256520060719 12566 12567 Cleanup: the smtp_sasl_auth_enforce feature is gone. It was 12568 meant to work around a problem that was introduced with 12569 plaintext fallback after a failed TLS handshake. Unfortunately, 12570 it created more problems than it solved. We now address the 12571 underlying problem more directly as described next. File: 12572 smtp/smtp_proto.c. 12573 12574 Safety: don't fall back to plaintext delivery after failed 12575 TLS handshake, when the Postfix SMTP client would have 12576 attempted to log in with SASL after successful TLS handshake. 12577 This avoids undesirable behavior regardless of whether the 12578 server does support SASL over plaintext (unexpected password 12579 disclosure) and whether the server doesn't support SASL 12580 over plaintext (insufficient mail relay permission). Files: 12581 smtp/smtp_connect.c, smtp/smtp_session.c, smtp/smtp_proto.c. 12582 1258320060720 12584 12585 Compatibility: replace %% in milter replies by %, and strip 12586 single (i.e. invalid) % characters. File: milter/milter8.c. 12587 12588 Compatibility: $_ macro support for Milter applications. 12589 Files: smtpd/smtpd.c, smtpd/smtpd_milter.c, 12590 cleanup/cleanup_state.c, cleanup/cleanup_milter.c. 12591 1259220060721 12593 12594 Safety: disable Milter processing after "postsuper -r". If 12595 the mail has been filtered there is no need to do it again. 12596 Moreover, when mail has passed through an external content 12597 filter, we don't have sufficient information to reproduce 12598 the exact same SMTP events and Sendmail macros that Milters 12599 received when the mail originally arrived in Postfix. This 12600 change does not affect Milter applications that run behind 12601 an after-queue content filter. File: pickup/pickup.c. 12602 12603 Bugfix: Milters received a truncated ORCPT=xxx parameter 12604 due to destructive parsing of something that didn't have 12605 to be preserved before Milter support was added to Postfix. 12606 File: smtpd/smtpd.c. 12607 1260820060724 12609 12610 Bugfix: when updating the same header multiple times, the 12611 Postfix Milter client created a queue file that caused 12612 delivery agents to loop. File: cleanup/cleanup_milter.c. 12613 1261420060725 12615 12616 Bugfix: damaged queue file record after a Milter request 12617 to modify a message header when 1) it was the last header 12618 in the unmodified message, and 2) the old header was less 12619 than 15 characters long. File: cleanup/cleanup_milter.c. 12620 12621 Bugfix: don't panic in smtp_rcpt_cleanup() after detecting 12622 a damaged queue file record. File: smtp/smtp_proto.c. 12623 1262420060726 12625 12626 Bugfix: the 20051013 change to enforce the message size 12627 limit in the SMTP server didn't work for size limits close 12628 enough to INT_MAX. File: smtpd/smtpd.c. 12629 12630 Bugfix (introduced Postfix 2.3): after an SMTP client was 12631 rejected with "smtpd_delay_reject = no", the SMTP server 12632 would panic as it generated spurious Milter requests for 12633 unrecognized commands. File: smtpd/smtpd.c. 12634 1263520060727 12636 12637 Cleanup: change redundant milter_abort() and milter_disc_event() 12638 calls into NO-OPs. This avoids unnecessary panic() events 12639 for completely harmless conditions. File: milter/milter8.c. 12640 1264120060805 12642 12643 Bugfix (introduced Postfix 2.3): #ifdef damage caused 12644 smtp_sasl_start() to be invoked twice. Reported by C-J 12645 Lofstedt. File: smtp/smtp_sasl_proto.c. 12646 1264720060806 12648 12649 Postfix no longer announces its name in delivery status 12650 notifications. Users believe that Wietse provides a free 12651 helpdesk service that solves all their email problems. 12652 Credits to Jonathan Balester. File: bounce/bounce_templates.c. 12653 1265420060807 12655 12656 Bugfix (introduced Postfix 2.2): when upgrading from Postfix 12657 < 2.2 with the third-party TLS patch, the post-install 12658 upgrade procedure didn't put a "?" in the existing tlsmgr 12659 entry, causing tlsmgr to repeatedly start and exit when TLS 12660 support was not compiled in. File: conf/post-install. 12661 1266220060812 12663 12664 Bugfix (introduced < Postfix alpha): safety mechanism in 12665 mail_date() didn't work. Found in code review. File: 12666 global/mail_date.c. 12667 1266820060817 12669 12670 Test programs for host address->name and name->address 12671 lookups to debug name service inconsistencies, typically 12672 when the Postfix SMTP server claims that a hostname is 12673 "unknown". Files: auxiliary/name-addr-test/*. 12674 1267520060822 12676 12677 Added missing logging for "message to large" etc. Files: 12678 smtpd/smtpd.c, cleanup/cleanup_milter.c. 12679 1268020060823 12681 12682 Bugfix (introduced Postfix 2.2): segfault when vstream_fclose() 12683 attempted to flush unwritten output, after vstream_fdclose() 12684 had already disconnected the stream from its file descriptor. 12685 File: util/vstream.c. 12686 12687 Bugfix (introduced Postfix 2.2): vstream_fdclose() did not 12688 flush unwritten output before disconnecting a stream from 12689 its file descriptor(s). File: util/vstream.c. 12690 12691 Feature: smtp-sink can capture mail to file, either as one 12692 individual message per file, or as multiple messages per 12693 file. After an initial implementation by Weidong Cui. File: 12694 smtpstone/smtp-sink.c. 12695 12696 Bugfix (introduced < Postfix alpha): smtp-sink did not 12697 correctly recognize DOT-CR-LF immediately after DATA. File: 12698 smtpstone/smtp-sink.c. 12699 12700 Cleanup: smtp-sink now requires that MAIL FROM, RCPT TO and 12701 DATA be send in the correct order. This simplified the 12702 implementation of the capture to file feature. File: 12703 smtpstone/smtp-sink.c. 12704 1270520050824 12706 12707 Portability: inside functions, GCC 4 refuses forward 12708 declarations of static functions. File: smtpstone/smtp-sink.c. 12709 1271020060825 12711 12712 Bugfix (introduced Postfix 2.3): with headers-only mail, a 12713 Milter "header insert" action corrupted the queue file. The 12714 cleanup server executed some end-of-body action before the 12715 end-of-header actions. File: cleanup/cleanup_message.c. 12716 12717 Robustness: mail delivery agents now detect loops in queue 12718 files. Files with too many backward jumps are saved to the 12719 "corrupt" directory. File: global/record.c. 12720 1272120060831 12722 12723 Bugfix (introduced with initial implementation): missing 12724 "dict_errno = 0" caused mis-leading error messages after 12725 non-error lookup failure. Victor Duchovni. File: 12726 util/dict_cidr.c. 12727 12728 Robustness: the default TLS cipher lists were changed from 12729 !foo:ALL into ALL:!foo. Victor Duchovni. Files: 12730 global/mail_params.h and documentation. 12731 1273220060902 12733 12734 Bugfix (introduced Postfix 2.3): the LMTP client stripped 12735 "inet": from the next-hop destination, but still used the 12736 complete next-hop from the delivery request. File: 12737 smtp/smtp_connect.c. 12738 1273920060903 12740 12741 Cleanup: record loop detection. File: global/record.c. 12742 1274320060929 12744 12745 Workaround: AIX 5.[1-3] getaddrinfo() creates socket address 12746 structures with a non-zero port value. This breaks the 12747 smtp_bind_address etc. features, and breaks inet_interfaces 12748 settings with only one IP address. Problem reported by 12749 Hamish Marson. Files: util/sock_addr.[hc], util/myaddrinfo.c. 12750 12751 Bugfix (introduced with the Postfix TLS patch): memory leak 12752 in verify_extract_peer(). The OpenSSL documentation provides 12753 no information on how subjectAltNames are managed. Sam 12754 Rushing, ironport. File: tls/tls_client.c. 12755 12756 Bugfix (introduced with Postfix 2.2): smtp_generic_maps 12757 turned on MIME conversion. File: smtp/smtp_proto.c. 12758 12759 Workaround: don't send SIZE information in the MAIL FROM 12760 command when message content will be subject to 8bit -> 12761 quoted-printable conversion. File: smtp/smtp_proto.c. 12762 1276320061002 12764 12765 Compatibility: Sendmail now invokes the Milter connect 12766 action with the verified hostname instead of the name 12767 obtained with PTR lookup. File: smtpd/smtpd.c. 12768 1276920061004 12770 12771 Cleanup: force space between mailq queueid+status and file 12772 size items. File: showq/showq.c. 12773 1277420061005 12775 12776 Cleanup: make CISCO PIX bug workarounds configurable. This 12777 introduces new parameters: smtp_pix_workarounds (default: 12778 disable_esmtp, delay_dotcrlf) and smtp_pix_workaround_maps 12779 (workarounds indexed by server IP address). The default 12780 settings are backwards compatible. File: smtp/smtp.c, 12781 smtp/smtp_proto.c. 12782 1278320061006 12784 12785 Workaround: include the smtpd(8) service name when searching 12786 the TLS session cache, to avoid cross-talk between multiple 12787 master.cf entries. This does not eliminate cross-talk between 12788 multiple (x)inetd.conf entries. Victor Duchovni. Files: 12789 smtpd/smtpd.c, tls/tls_server.c. 12790 1279120061015 12792 12793 Cleanup: convert the Milter {mail_addr} and {rcpt_addr} 12794 macro values to external form. File: smtpd/smtpd_milter.c. 12795 12796 Cleanup: the Milter {mail_addr} and {rcpt_addr} macros are 12797 now available with non-SMTP mail. File: cleanup/cleanup_milter.c. 12798 12799 Cleanup: convert addresses in Milter recipient add/delete 12800 requests to internal form. File: cleanup/cleanup_milter.c. 12801 12802 Cleanup: with non-SMTP mail, convert addresses in simulated 12803 MAIL FROM and RCPT TO events to external form. File: 12804 cleanup/cleanup_milter.c. 12805 1280620061017 12807 12808 Cleanup: removed spurious warning when the cleanup server 12809 attempts to bounce mail with soft_bounce=yes. Problem 12810 reported by Ralf Hildebrandt. File: cleanup/cleanup_bounce.c. 12811 12812 Bugfix: null pointer bug when receiving a non-protocol 12813 response on a cached SMTP/LMTP connection. Report by Brian 12814 Kantor. Fix by Victor Duchovni. File: smtp/smtp_reuse.c. 12815 1281620061106 12817 12818 Feature: new retry delivery agent, to avoid the synchronous 12819 defer service client in the queue manager. This code is 12820 co-located with the error(8) server. File: error/error.c. 12821 12822 Performance: the queue manager could spend too much time 12823 in the synchronous defer service client, causing the watchdog 12824 timer to go off. Where possible, the queue manager now 12825 bounces or defers recipients asynchronously, by routing 12826 them to the error or the retry delivery agent. Code by 12827 Wietse and Patrik Rak. Files: global/recipient_list.c, 12828 *qmgr/qmgr_error.c, *qmgr/qmgr_defer.c, *qmgr/qmgr_entry.c, 12829 *qmgr/qmgr_deliver.c, *qmgr/qmgr_message.c. 12830 12831 Performance: refined recipient and job grouping, and more 12832 agressive early refill of in-memory recipients to prevent 12833 a worst-case scenario where the queue manager became starved 12834 until after the last batch of slow in-memory recipients of 12835 jumbo multi-recipient mail. Code by Patrik Rak. Files: 12836 global/mail_conf_time.c, qmgr/qmgr_message.c, qmgr/qmgr.c, 12837 qmgr/qmgr.h, qmgr/qmgr_entry.c, qmgr/qmgr_job.c, 12838 qmgr/qmgr_message.c, qmgr/qmgr_transport.c. 12839 1284020061113 12841 12842 Bugfix: the Postfix install/upgrade procedure broke with 12843 non-default config_directory. File: conf/post-install. 12844 1284520061115 12846 12847 Bugfix: null pointer bug in end-of-header Milter action 12848 when the last header line is too large. Reported by Mark 12849 Martinec. The root of the problem is that the MIME state 12850 engine may execute up to three call-back functions when it 12851 reaches the end of the headers, before it returns to the 12852 caller; as long as call-backs return no result, each call-back 12853 has to check for itself if a previous call-back ran into a 12854 problem. File: milter/milter8.c. 12855 12856 Workaround: reduce effective header_size_limit to 60000 12857 when Milter inspection is enabled, to avoid breaking the 12858 Milter protocol request length limit. File: 12859 cleanup/cleanup_message.c. 12860 1286120061123 12862 12863 Safety: don't read more than 5000 recipients at a time, to 12864 avoid spending too much time away from interrupts. File: 12865 qmgr/qmgr_message.c. 12866 1286720061201 12868 12869 Workaround: don't complain with "Error 0" in the trivial-rewrite, 12870 verify, proxymap or connection cache client when the server 12871 exits after the client sends its request. We still complain, 12872 however, when the problem persists. Files: global/rewrite_clnt.c, 12873 global/resolve_clnt.c, global/verify_clnt.c, global/scache_clnt.c, 12874 global/dict_proxy.c. 12875 12876 Safety: the header_size_limit is now enforced more strictly, 12877 to avoid inter-operability problems with the Milter protocol. 12878 Long headers are truncated at a line boundary if possible, 12879 otherwise they are cut between line boundaries. File: 12880 cleanup/cleanup_out.c. 12881 1288220061203 12883 12884 Bugfix (introduced with Postfix 2.2): with SMTP server 12885 tarpit delays of smtp_rset_timeout or larger, the SMTP 12886 client could get out of sync with the server while reusing 12887 a connection. The symptoms were "recipient rejected .. in 12888 reply to DATA". Fix by Victor Duchovni and Wietse. Files: 12889 smtp/smtp_proto.c, smtp/smtp_connect.c. 12890 12891 Robustness: the vbuf and vstream documentation claimed that 12892 their *error() macros reported timeout errors, but they 12893 didn't really. The implementation was fixed, and redundant 12894 vstream_ftimeout() calls were removed. As a result, many 12895 Postfix daemons now properly detect write timeout errors 12896 on internal connections. Files: util/vbuf.h. 12897 12898 Workaround: some broken SMTP servers reply and hang up in 12899 the middle of DATA. The Postfix SMTP client now stops sending 12900 and tries to receive the server response. This can help to 12901 avoid repeated delivery attempts. Initial implementation 12902 by Wietse, later work by Victor Duchovni. Files: 12903 smtp/smtp_proto.c, smtpstone/smtp-sink.c, util/vstream.c, 12904 plus trivial mods for code thatr calls vstream_fpurge(). 12905 1290620061204 12907 12908 Compatibility: The Postfix installation/upgrade procedure 12909 no longer sets "unknown_local_recipient_code = 450" in 12910 main.cf. This was a safety net for upgrades from Postfix 12911 1.x. Four years later is no longer needed. File: 12912 conf/post-install. 12913 12914 Cleanup: removed vstream_fclose() error warning in the code 12915 that disconnects from a delivery agent. There is no need 12916 to report errors here because they would already be reported 12917 earlier. Files: *qmgr/qmgr_deliver.c. 12918 12919 Robustness: "kill me after N seconds" feature to ensure 12920 that a daemon process does not get stuck while preparing 12921 for exit after signal arrival. File: util/killme_after.[hc], 12922 util/watchdog.c, master/master_sig.c. 12923 1292420061206 12925 12926 Robustness: low-cost re-entrancy guard that allows daemons 12927 to safely call msg_fatal() etc. from a signal handler, 12928 without risking memory corruption, or deadlock on Redhat 12929 Linux. This works provided that the signal handler terminates 12930 the process. In that special case we need not guarantee 12931 after-the-fact consistency of the thread that was interrupted. 12932 File: util/msg_output.c. 12933 12934 Robustness: replace exit() calls by _exit(). File: util/msg.c, 12935 bounce/bounce_cleanup.c. 12936 1293720061207 12938 12939 Workaround: on systems with usable futimes() or equivalent 12940 (Solaris, *BSD, MacOS, but not Linux), always explicitly 12941 set the queue file last modification time stamps while 12942 creating a queue file. With this, Postfix can avoid logging 12943 warnings when the file system clock is ahead of the local 12944 clock. Clock skew can be a problem, because Postfix does 12945 not deliver mail until the local clock catches up with the 12946 queue file's last modification time stamp. File: 12947 global/mail_stream.c. 12948 12949 Workaround: on systems without usable futimes() or equivalent, 12950 log a warning when the file system clock is more than 100 12951 seconds behind the local clock. This does not cause mail 12952 delivery problems, but it just looks silly in message 12953 headers. File: global/mail_stream.c. 12954 12955 On systems without usable futimes() (Linux, and ancient 12956 versions of Solaris, SunOS and *BSD) Postfix will keep using 12957 the slower utime() system call to update queue file time 12958 stamps when the file system clock is off with respect to 12959 the local system clock. 12960 12961 Compatibility with Postfix < 2.3: undo the change to bounce 12962 instead of defer after pipe-to-command delivery fails with 12963 a signal. File: global/pipe_command.c. 12964 1296520061208 12966 12967 Workaround: apparently, some mail software removes or hides 12968 "<postmaster>" in the Postfix bounce text, because it 12969 processes the text as if it were HTML. This confuses users. 12970 The bounce template has been updated to remove the < and 12971 >. File: bounce/bounce_templates.c. 12972 12973 Cleanup: when smtp_generic_maps is turned on, don't parse 12974 MIME structures in the message body. Victor Duchovni. File: 12975 smtp/smtp_proto.c. 12976 1297720061210 12978 12979 Cleanup: streamline the signal handler reentrancy protections, 12980 and document under what conditions these protections work, 12981 with REENTRANCY sections in the relevant man pages. Files: 12982 util/vbuf_print.c. util/msg.c, util/msg_output.c. 12983 1298420061211 12985 12986 Cleanup: when doing server access control by the remote TLS 12987 client fingerprint, do not require client certificate 12988 verification. Victor Duchovni. File: smtpd/smtpd_check.c. 12989 12990 Safety: when the remote TLS client certificate isn't verified, 12991 don't send ccert_subject and ccert_issuer attributes in 12992 check_policy_service requests. Victor Duchovni. File: 12993 smtpd/smtpd_check.c. 12994 12995 Bugfix: the postconf command still complained about an 12996 unqualified machine name, because it was not updated with 12997 the 20050513 change that introduced a default "mydomain = 12998 localdomain". File: postconf/postconf.c. 12999 1300020061213 13001 13002 Bugfix: race condition in "ETRN site", "sendmail -qRsite" 13003 and "postqueue -s site". When the command arrived while an 13004 incoming queue scan was already in progress, mail could 13005 stay deferred instead of being flushed. The fix was to 13006 unthrottle the queue manager before moving files from the 13007 deferred queue to the incoming queue. Files: flush/flush.c, 13008 qmgr/qmgr_scan.c. 13009 13010 Cleanup: the sendmail and postqueue commands no longer 13011 terminate with a non-standard error status after a run-time 13012 error in some Postfix internal routine (typically, some 13013 essential file is not accessible, or the system is out of 13014 memory). Files: sendmail/sendmail.c, postqueue/postqueue.c. 13015 13016 Feature: "sendmail -qIqueueid" and "postqueue -i queueid" 13017 to flush a specific queue file. Files: sendmail/sendmail.c, 13018 postqueue/postqueue.c, global/flush_clnt.c, flush/flush.c. 13019 1302020061214 13021 13022 Performance: "sendmail -qIqueueid" and "postqueue -i queueid" 13023 unthrottle only the necessary message delivery transports 13024 and queues. The unthrottle request now is propagated to the 13025 queue manager via queue file group read permission bits. 13026 Based on initial implementation by Victor Duchovni. Files: 13027 flush/flush.c, *qmgr/qmgr.c, *qmgr/qmgr_scan.c, 13028 *qmgr/qmgr_active.c, *qmgr/qmgr_message.c. 13029 1303020061220 13031 13032 Workaround: PMilter 0.95 does not deliver SMFIC_EOB+data 13033 to the application as SMFIC_BODY+data followed by SMFIC_EOB. 13034 To avoid compatibility problems, Postfix now sends 13035 SMFIC_BODY+data followed by SMFIC_EOB. File: milter/milter8.c. 13036 13037 Bugfix (introduced with Postfix 2.3): when inserting 13038 Milter-generated headers at increasing positions in a 13039 message, a later header could end up at a previously used 13040 insertion point. Thus, inserting headers at positions (N, 13041 N+M) could work as if (N, N) had been specified. Problem 13042 reported by Mark Martinec. File: milter/milter8.c. 13043 1304420061221 13045 13046 Feature: time unit suffix support in _command_time_limit. 13047 Files: pipe/pipe.c, spawn/spawn.c. 13048 1304920061227 13050 13051 Bugfix (introduced with Postfix 2.3): the MX hostname syntax 13052 check was skipped with reject_unknown_helo_hostname and 13053 reject_unknown_sender/recipient_domain, so that Postfix 13054 would still accept mail from domains with a zero-length MX 13055 hostname. File: smtpd/smtpd_check.c. 13056 1305720061229 13058 13059 Cleanup: use separate TLS_LEGACY_README to document the old 13060 TLS user interface. This will simplify TLS_README dramatically. 13061 13062 Cleanup: untangled spaghetti code. File: util/inet_listen.c. 13063 1306420070104 13065 13066 Bugfix (introduced Postfix 2.3): when creating an alias map 13067 on a NIS-enabled system, don't case-fold the YP_MASTER_NAME 13068 and YP_LAST_MODIFIED lookup keys. This requires that an 13069 application can turn on/off case folding on the fly. Files: 13070 postalias/postalias.c, global/dict_mumble.c, util/dict_mumble.c, 13071 proxymap/proxymap.c. 13072 13073 Cleanup: after the above revision of the proxymap protocol, 13074 the proxymap server can now share the same map with clients 13075 that have only minor differences in dictionary open/access 13076 options. 13077 1307820070105 13079 13080 Performance: pipeline of pending delivery agent connections, 13081 to improve Linux/Solaris mail delivery performance by another 13082 10% while going down-hill with the wind from behind. Design 13083 and implementation Victor and Wietse. Files: *qmgr/qmgr.c, 13084 *qmgr/qmgr.h, *qmgr/qmgr_transport.c. 13085 1308620070106 13087 13088 Cleanup: eliminate the Linux/Solaris "wait for accept()" 13089 stage from the queue manager to delivery agent protocol. 13090 This alone achieves 99.99% of the Linux/Solaris speed up 13091 from the preceding change. The pending connection pipeline 13092 takes care of the rest. Tested on Linux kernels dating 13093 back to 2.0.27 (that's more than 10 years ago). Files: 13094 *qmgr/qmgr_transport.c. 13095 1309620070112 13097 13098 Bugfix (introduced 20011008): after return from nested 13099 access restriction, possible longjump into exited stack 13100 frame upon configuration error or table lookup error. Victor 13101 Duchovni. Files: smtpd/smtpd_check.c. 13102 13103 Workaround: don't insert header/body blank line separator 13104 in malformed attachments, to avoid breaking digital signatures. 13105 Switch from header to body state, for robust MIME parsing. 13106 People concerned about MIME evasion can use a MIME normalizer 13107 to corrupt their user's legitimate email. File: 13108 global/mime_state.c. 13109 1311020070114 13111 13112 Feature: body replacement support for Milter applications. 13113 Postfix 2.3 and older 2.4 versions will be able to deliver 13114 body-replaced queue files, but will report the message size 13115 as it was before the body was replaced. Files: milter/milter8.c, 13116 cleanup/cleanup_milter.c, cleanup/cleanup_body_region.c. 13117 1311820070117 13119 13120 Cleanup: reusable infrastructure for body replacement. 13121 Files: cleanup/cleanup_body_edit.c, cleanup/cleanup_region.c. 13122 1312320070118 13124 13125 Bugfix: match lists didn't implement ![ipv6address]. Problem 13126 reported by Paulo Pacheco. File: util/match_list.c. 13127 13128 Cleanup: revised the matchlist "!" support, added support 13129 for !/file/name, and updated the documentation. File: 13130 util/match_list.c. 13131 1313220070119-21 13133 13134 Cleanup: pad short message headers with a filler record, 13135 so that the result is never shorter than a pointer record. 13136 This immensely simplified the support for Milter header 13137 modification requests: three complex loops could be replaced 13138 by one simpler loop. The DTXT record type was re-purposed 13139 from "deleted header text" to "short header padding", keeping 13140 the change backwards compatible. Files: cleanup/cleanup_out.c, 13141 cleanup/cleanup_milter.c, global/record.c. 13142 13143 Cleanup: the Milter "add recipient" action always added the 13144 recipient to the initial envelope segment, causing added 13145 recipients to be separate from "sendmail -t" recipients. 13146 This violated design, without impact on delivery (always_bcc 13147 recipient are always at the end of the queue file even when 13148 all other recipients are in the initial segment). File: 13149 global/rec_types.h. 13150 1315120070123 13152 13153 Workaround: OpenSSL falsely concludes that AES256 support 13154 is present when only AES128 is available. Code by Victor 13155 Duchovni. File: tls/tls_misc.c. 13156 1315720070125 13158 13159 Disable workaround pending completion of updated TLS] 13160 support in non-production releases. 13161 1316220070131 13163 13164 Assorted code cleanup, portability fixes/workarounds, and 13165 minor updates: global/dict_ldap.c, mantools/postlink, 13166 tlsmgs/tlsmgr.c, conf/master.cf. LaMont Jones. 13167 1316820070101 13169 13170 Portability: GNU Hurd support for multiple kernel environments. 13171 LaMont Jones. Files: util/sys_defs.h, makedefs. 13172 13173 Cleanup: some default settings were adjusted to better fit 13174 today's environment: queue_run_delay and minimal_backoff_time 13175 were reduced from 1000s to 300s, so that deliveries are 13176 retried earlier after the first failure; ipc_idle was reduced 13177 from 100s to 5s, so that tlsmgr and scache clients will 13178 more quickly release unused file handles. Files: 13179 global/mail_params.h, proto/postconf.5.html 13180 1318120070202 13182 13183 Catch-up: FreeBSD kqueue support. File: util/events.c. 13184 1318520070205 13186 13187 System-V poll(2) support. This is now the preferred method 13188 to test a single file descriptor on sufficiently recent 13189 versions of FreeBSD, NetBSD, OpenBSD, Solaris and Linux; 13190 other systems will be added as evidence becomes available 13191 of usable poll(2) implementations. Files: util/read_wait.c, 13192 util/write_wait.c, util/readble.c, util/writable.c. 13193 13194 Streamlined the event_enable_read/write implementation to 13195 speed up smtp-source performance, by eliminating expensive 13196 kqueue/devpoll/epoll system calls when only the application 13197 call-back information changes. On FreeBSD, smtp-sink/source 13198 tests now run 5% faster than with the old select(2) based 13199 implementation. File util/events.c. 13200 1320120070206 13202 13203 Catch-up: Solaris /dev/poll support. File: util/events.c. 13204 13205 Bugfix (introduced 20060823): initial state was not in state 13206 machine, causing memory access outside the lookup table. 13207 File: smtpstone/smtp-sink.c. 13208 1320920070210 13210 13211 Catch-up: Linux epoll support. File: util/events.c. 13212 1321320070211 13214 13215 Polished the kqueue/devpoll/epoll support; this is now 13216 enabled by default on sufficiently recent versions of 13217 FreeBSD, NetBSD, OpenBSD, Solaris and Linux; other systems 13218 will be added as evidence becomes available of usable 13219 implementations. File: util/events.c. 13220 1322120070212 13222 13223 Further polish: removed some typos from new code in the 13224 events.c handler, undid some unnecessary changes to the 13225 {read,write}{_wait,able}.c modules, and addressed Victor's 13226 paranoia for multi-client servers with a thousand clients 13227 while linked with library routines that can't handle file 13228 descriptors >= FD_SETSIZE. 13229 13230 Cleanup: while debugging the new events.c handler, removed 13231 an unnecessary "write after connect" call-back event. File: 13232 global/post_mail.c. 13233 1323420070214 13235 13236 Robustness: in the queue manager keep a number of free file 13237 descriptor slots at the low end, to work around library 13238 routines that can't handle file descriptors >= FD_SETSIZE. 13239 Files: *qmgr/qmgr_transport.c, util/vstream.[hc] 13240 1324120070215 13242 13243 Bugfix (introduced 20070114 with Milter body edit support): 13244 the cleanup server terminated with a fatal error when SMTP 13245 mail exceeded the message size limit, instead of handling 13246 it as a non-fatal error. Files: cleanup/cleanup_extracted.c, 13247 cleanup/cleanup_final.c, cleanup/cleanup_bounce.c, 13248 cleanup/cleanup_api.c. 13249 1325020070217 13251 13252 Streamline the compile time selection of event handling 13253 styles, replacing multiple on/off macros by just one 13254 multi-valued macro. Files: util/sys_defs.h, util/events.c, 13255 master/multi_server.c, *qmgr/qmgr_transport.c. 13256 1325720070220 13258 13259 Work-around: Disable SSL/TLS ciphers when the underlying 13260 symmetric algorithm is not available in the OpenSSL crypto 13261 library at the required bit strength. Problem observed with 13262 SunOS 5.10's bundled OpenSSL 0.9.7 and AES 256. Also possible 13263 with OpenSSL 0.9.8 and CAMELLIA 256. Root cause fixed in 13264 upcoming OpenSSL 0.9.7m, 0.9.8e and 0.9.9 releases. Victor 13265 Duchovni, Morgan Stanley. Files: src/smtp/smtp_proto.c, 13266 src/smtpd/smtpd.c, src/tls/tls.h, src/tls/tls_client.c, 13267 src/tls/tls_misc.c and src/tls/tls_server.c. 13268 1326920070222 13270 13271 Workaround: delayed "postfix reload" with ancient FreeBSD4 13272 kqueue implementations, causing the first external or 13273 internal clients after "postfix reload" to experience a 13274 quick disconnect. Apparently, these kqueue implementations 13275 do not deliver a read notification when the master closes 13276 the per-service shared master/child status pipe (even when 13277 there is only one child; note that the master keeps a handle 13278 to both ends of each status pipe). A child process remains 13279 ignorant that the status pipe was closed until the arrival 13280 of the next client request, and then terminates. The 13281 workaround is to ignore master status write errors before 13282 handling a service request. Files: master/*_server.c. 13283 13284 Cleanup: fix race condition that caused unnecessary "premature 13285 end-of-input" warning messages when "postfix reload" was 13286 issued on a busy mail server. Files: util/attr_scan*c. 13287 1328820070223 13289 13290 Cleanup: syslog_name now works as documented with both 13291 daemons and commands (including set-gid commands). Files: 13292 global/mail_task.c postlog/postlog.c, global/mail_version.h, 13293 sendmail/sendmail.c, postsuper/postsuper.c, postalias/postalias.c, 13294 postmap/postmap.c, postqueue/postqueue.c, postdrop/postdrop.c, 13295 master/trigger_server.c, master/single_server.c, 13296 master/multi_server.c. 13297 1329820070224 13299 13300 Workaround: GNU POP3D creates a new mailbox and deletes the 13301 old one. Postfix now backs off and retries delivery later, 13302 instead of appending mail to a deleted file. To minimize 13303 the use of this workaround, Postfix now by default creates 13304 mailbox dotlock files on all systems, and creates dotlock 13305 files before opening mailbox files. Files: util/sys_defs.h, 13306 global/mbox_open.c. 13307 1330820070301 13309 13310 Workaround: updated workaround for broken Solaris accept(). 13311 File: util/inet_listen.c. 13312 13313 Workaround: on some FreeBSD versions, accept(2) can fail 13314 with a bogus EINVAL error. We now allow accept(2) to fail 13315 for a limited number of times before terminating the process. 13316 Files: master/single_server.c, master/multi_server.c. 13317 1331820070306 13319 13320 Bugfix (introduced with Postfix 2.3 Milter support): postdrop 13321 reported "illegal seek" instead of "file too large". File: 13322 postdrop/postdrop.c. 13323 1332420070310 13325 13326 Cleanup: specify "undisclosed_recipients_header =" to disable 13327 Postfix's "To: undisclosed-recipients:;" header for mail 13328 that lists no recipient. The To: header is not required as 13329 of RFC 2822. The undisclosed_recipients_header parameter 13330 value can now be an empty string, a value that was not 13331 allowed with earlier Postfix versions. With Postfix 2.5 it 13332 will be empty by default. Files: cleanup/cleanup.c, 13333 cleanup/cleanup_message.c. 13334 1333520070312 13336 13337 Backwards compatibility: don't pad short message header 13338 records when Milter support is turned off. This maintains 13339 compatibility with Postfix versions that pre-date Milter 13340 support. File: cleanup/cleanup_out.c. 13341 1334220070314 13343 13344 Bitrot: move the "don't run this daemon by hand" message 13345 before other tests. Files: master/*server.c. 13346 1334720070315 13348 13349 Bitrot: New OpenLDAP APIs deprecate simplified interfaces, 13350 that are the only ones available in Sun's LDAP SDK. Define 13351 suitable macros that work with new OpenLDAP and Sun's code. 13352 Victor Duchovni, Morgan Stanley. File: src/global/dict_ldap.c 13353 13354 Cleanup: new "leaf" and "terminal" result attributes support 13355 fine-tuning of LDAP group expansion, and provide a solution 13356 for the problem case where DN recursion returns both the 13357 group address and the addresses of the member objects. 13358 Victor Duchovni, Morgan Stanley. Files: src/global/dict_ldap.c, 13359 proto/LDAP_README.html, proto/ldap_table 13360 1336120070317 13362 13363 Idioten Sicherheit: stamp every executable file and every 13364 core dump file with "mail_version=xxxxx". Adding version 13365 stamps and checks to every IPC message is too much change 13366 after code freeze, and requires too much time for testing. 13367 File: src/global/mail_version.h and every main program file. 13368 1336920070320 13370 13371 Bugfix (introduced between 20070120 and 20070121): the 13372 cleanup server stored no "delayed mail warning" queue file 13373 records with "sendmail -t", and no header_checks filter/redirect 13374 records or content encoding records with other mail. File: 13375 global/rec_type.h. 13376 1337720070321 13378 13379 Bugfix (introduced 20070224): local(8) or virtual(8) could 13380 log a misleading error message after failure to open a 13381 mailbox file. File: global/mbox_open.c. 13382 13383 Bugfix (code should have been updated 20070104): the proxymap 13384 client did not propagate changes in case folding flags. 13385 Currently, nothing in Postfix uses this functionality. 13386 File: global/dict_proxy.c. 13387 1338820070325 13389 13390 Bugfix: postfix-install didn't work for symlink or hardlink 13391 targets, when the parent directory had a value of "no". 13392 1339320070326 13394 13395 Workaround: Eric Raymond's man page formatters don't handle 13396 low-level *roff .in or .ti controls. We now use .nf and .fi 13397 instead. Files: many. 13398 1339920070331 13400 13401 Bugfix (introduced Postfix 2.3): segfault with HOLD action 13402 in access/header_checks/body_checks on 64-bit platforms. 13403 File: cleanup/cleanup_api.c. 13404 1340520070402 13406 13407 Portability (introduced 20070325): the fix for hardlinks 13408 and symlinks in postfix-install forgot to work around shells 13409 where "IFS=/ command" makes the IFS setting permanent. This 13410 is allowed by some broken standard, and affects Solaris. 13411 File: postfix-install. 13412 13413 Portability (introduced 20070212): the workaround for 13414 non-existent library bugs with descriptors >= FD_SETSIZE 13415 broke with "fcntl F_DUPFD: Invalid argument" on 64-bit 13416 Solaris. Files: master/multi_server.c, *qmgr/qmgr_transport.c. 13417 1341820070405 13419 13420 Feature: BCC access/policy action, to demonstrate that this 13421 is not a good feature. The action's behavior is non-intuitive 13422 and requires too much documentation to explain. It's 13423 therefore snapshot only. File: smtpd/smtpd_check.c. 13424 1342520070414 13426 13427 Cleanup: expire cached results from address rewriting, address 13428 resolution, and from transport map lookups. Results expire 13429 after 30 seconds; short enough that it doesn't freak out 13430 people who run the same test repeatedly, and long enough 13431 that it doesn't upset other people with continuous streams 13432 of "*" transport map lookups. Files: global/rewrite_clnt.c, 13433 global/resolve_clnt.c, trivial-rewrite/transport.c. 13434 1343520070421 13436 13437 Cleanup: on (Linux) platforms that cripple signal handlers 13438 with deadlock, "postfix stop" now forcefully stops all the 13439 processes in the master's process group, not just the master 13440 process alone. File: conf/postfix-script. 13441 1344220070422 13443 13444 Cleanup: the "Delivered-To:" loop detection implementation 13445 was moved from the local(8) delivery agent to the library, 13446 where it can also be used by other delivery agents. Files: 13447 global/delivered_hdr.[hc]. 13448 13449 Safety: the "Delivered-To:" loop detection implementation 13450 keeps state for no more than 1000 "Delivered-To:" headers. 13451 13452 Feature: $domain command-line macro support, to get access 13453 to the recipient address domain portion. Based on code by 13454 Koen Vermeer. File: pipe/pipe.c. 13455 13456 Cleanup: support for "Delivered-To:" loop detection in the 13457 pipe(8) delivery agent. This follows a general principle: 13458 if a program creates the "Delivered-To:" header, then it 13459 is also responsible for "Delivered-To:" loop detection. 13460 File pipe/pipe.c. 13461 1346220070423 13463 13464 The cache expiring transport map lookups did not distinguish 13465 between wildcard transport map entry with an "empty" transport 13466 field, or no wildcard transport map entry. 13467 1346820070424 13469 13470 Cleanup: making hard-coded behavior configurable. In this 13471 case, extracting 8BITMIME encoding information from 13472 Content-Transfer-Encoding: message headers. The default 13473 behavior, "detect_8bit_encoding_header = yes", is backwards 13474 compatible. This behavior was introduced to generate 13475 RFC-compliant bounce messages before Postfix supported the 13476 8BITMIME option in the MAIL FROM command and on the Postfix 13477 sendmail command line. Files: cleanup/cleanup_init.c, 13478 cleanup/cleanup_message.c, global/mail_params.h. 13479 1348020070425 13481 13482 Bugfix: don't falsely report "lost connection from 13483 localhost[127.0.0.1]" when Postfix is being portscanned. 13484 Files: smtpd/smtpd_peer.c, qmqpd/qmqpd_peer.c. 13485 1348620070429 13487 13488 Feature: "postfix status" to report whether Postfix is 13489 running. By Mike Cappella. 13490 13491 Cleanup: configurable address case folding moved from the 13492 pipe(8) delivery agent to the library, where it can also 13493 be used by other delivery agents. Files: global/fold_addr.[hc]. 13494 1349520070430 13496 13497 Robustness: recommend a "0" process limit for policy servers 13498 to avoid "connection refused" problems when the smtpd process 13499 limit exceeds the default process limit. File: 13500 proto/SMTPD_POLICY_README.html. 13501 1350220070501 13503 13504 Workaround: turn on KEEPALIVE probes to avoided "lost 13505 connection after sending end-of-data" problems when some 13506 stateful (NAT) filter expires an idle connection too soon. 13507 This requires that the kernel's TCP keepalive timer be set 13508 to a sufficiently short time (perhaps 100s or less). Files: 13509 util/sane_accept.c, util/sane_connect.c. 13510 13511 Safety: when IPv6 (or IPv4) is turned off, don't treat an 13512 IPv6 (or IPv4) connection from e.g. inetd as if it comes 13513 from localhost[127.0.0.1]. Files: smtpd/smtpd_peer.c, 13514 qmqpd/qmqpd_peer.c. 13515 1351620070502 13517 13518 Workaround: build without EPOLL support when an epoll-enabled 13519 kernel sits underneath a retarded libc. File: makedefs. 13520 13521 Cleanup: missing support for SASL security properties with 13522 Dovecot SASL authentication. Based on an initial version 13523 by Lev A. Serebryakov. File: xsasl/xsasl_dovecot_server.c. 13524 1352520070503 13526 13527 Cleanup: changed the default address verification sender 13528 from "postmaster" to "double-bounce", so that the Postfix 13529 SMTP server no longer surprises unsuspecting people by 13530 excluding "postmaster" from SMTPD access controls. File: 13531 global/mail_params.h. 13532 1353320070508 13534 13535 Bugfix: Content-Transfer-Encoding: attribute values are 13536 case insensitive. File: src/cleanup/cleanup_message.c. 13537 1353820070514 13539 13540 Bugfix: the makedefs EPOLL workaround broke any attempt to 13541 build on a 2.6 kernel. And that two weeks after the workaround 13542 had been posted to the mailing list. File: makedefs. 13543 13544 Bugfix: mailbox_transport(_maps) and fallback_transport(_maps) 13545 were broken when used with the error(8) or discard(8) 13546 transports. Cause: insufficient documentation. Files: 13547 error/error.c, discard/discard.c. 13548 1354920070520 13550 13551 Bugfix (problem introduced Postfix 2.3): when DSN support 13552 was introduced it broke "agressive" recipient duplicate 13553 elimination with "enable_original_recipient = no". File: 13554 cleanup/cleanup_out_recipient.c. 13555 1355620070523 13557 13558 Feature: cyrus_sasl_config_path to specify a search path 13559 for Cyrus SASL configuration files (currently used only to 13560 locate the smtpd.conf file). Based on code by Victor 13561 Duchovni. Files: smtpd/smtpd.c xsasl/xsasl_cyrus_server.c, 13562 (and xsasl/xsasl_cyrus_client.c for future expansion). 13563 1356420070525 13565 13566 Bugfix (introduced 20070523): the sasl_set_path() function 13567 name was mis-speeled. 13568 1356920070529 13570 13571 Bugfix (introduced Postfix 2.3): the sendmail/postdrop 13572 commands would hang when trying to submit a message larger 13573 than the per-message size limit. File: postdrop/postdrop.c. 13574 1357520070530 13576 13577 Sabotage the saboteur who insists on breaking Postfix by 13578 adding gethostbyname() calls that cause maildir delivery 13579 to fail when the machine name is not found in /etc/hosts, 13580 or that cause Postfix processes to hang when the network 13581 is down. 13582 1358320070531 13584 13585 Portability: Victor helpfully pointed out that change 13586 20070425 broke on non-IPv6 systems. Files: smtpd/smtpd_peer.c, 13587 qmqpd/qmqpd_peer.c. 13588 1358920070610 13590 13591 Isolation: don't allow the pipe(8) delivery agent to leak 13592 postdrop group privileges with "user=xxx:postdrop". File: 13593 pipe/pipe.c. 13594 1359520070613 13596 13597 Bugfix: the Milter client assumed that a Milter application 13598 does not modify the message header or envelope, after that 13599 same Milter application has modified the message body of 13600 that same email message. This is not a problem with updates 13601 by different Milter applications. Problem was triggered 13602 by Jose-Marcio Martins da Cruz. Also simplified the handling 13603 of queue file update errors. File: milter/milter8.c. 13604 1360520070614 13606 13607 Workaround: some non-Cyrus SASL SMTP servers require SASL 13608 login without authzid (authoriZation ID), i.e. the client 13609 must send only the authcid (authentiCation ID) + the authcid's 13610 password. In this case the server is supposed to derive 13611 the authzid from the authcid. This works as expected when 13612 authenticating to a Cyrus SASL SMTP server. To get the old 13613 behavior specify "send_cyrus_sasl_authzid = yes", in which 13614 case Postfix sends the (authzid, authcid, password), with 13615 the authzid equal to the authcid. File: xsasl/xsasl_cyrus_client.c. 13616 1361720070619 13618 13619 Portability: /dev/poll support for Solaris chroot jail setup 13620 scripts. Files: examples/chroot-setup/Solaris8, 13621 examples/chroot-setup/Solaris10. 13622 1362320070713 13624 13625 The RFC documents at www.faqs.org are being polluted with 13626 "feedback" spam. The Postfix hypertext documentation now 13627 points to tools.ietf.org. File: mantools/postlink. 13628 1362920070719 13630 13631 Feature: updated smtp-sink with new options to send a 13632 pre-formatted message from file, and to handle replies other 13633 than the expected 2xx or 3xx. File: smtpstone/smtp-source.c. 13634 13635 Cleanup: Milter client error handling, so that the (Postfix 13636 SMTP server's Milter client) does not get out of sync with 13637 Milter applications after the (cleanup server's Milter 13638 client) encounters some non-recoverable problem. Files: 13639 milter/milter8.c, smtpd/smtpd.c. 13640 1364120070720 13642 13643 Support for RFC 4954 (SASL AUTH, updates RFC 2554, refines 13644 some reply codes and introduces DSN enhanced status codes) 13645 and RFC 3848 ("Received ... with ESMTPS?A? ...). Currently, 13646 support for the latter is always on. Files: smtpd/smtpd.c, 13647 smtpd/smtpd_sasl_proto.c, smtpd/smtpd_sasl_glue.c. 13648 1364920070727 13650 13651 Workaround: the queue manager no longer logs a warning for 13652 mail sent to the local double-bounce address (normally, the 13653 this is used as the sender while reporting an undeliverable 13654 bounce message to the local postmaster). As of 20070503 13655 the local double-bounce address is the default sender for 13656 sender/recipient address verification probes, and it now 13657 shows up as a spam target. Files: *qmgr/qmgr_message.c. 13658 1365920070729 13660 13661 Performance: fix for poor TCP performance for loopback 13662 (127.0.0.1) connections. Problem reported by Mark Martinec. 13663 Files: util/vstream.c, util/vstream_tweak.c, milter/milter8.c, 13664 smtp/smtp_connect.c, smtpstone/*source.c. 13665 1366620070730 13667 13668 Bugfix: when a milter replied with ACCEPT at or before the 13669 first RCPT command, the cleanup server would apply the 13670 non_smtpd_milters setting as if the message was a local 13671 submission. Problem reported by Jukka Salmi. Also, the 13672 cleanup server would get out of sync with the milter when 13673 a milter replied with ACCEPT at the DATA command. Files: 13674 cleanup/cleanup_envelope.c, smtpd/smtpd.c, milter/milters.c. 13675 1367620070811 13677 13678 Cleanup: unlike smtpd_mumble_restrictions, the Postfix SMTP 13679 server Milter reject logging did not show the (helo argument, 13680 sender address, or recipient address) that was being rejected. 13681 File: smtpd/smtpd.c. 13682 1368320070824 13684 13685 Bugfix (introduced snapshot 20070429): the pipe(8) delivery 13686 agent 'q' flag (quote address local-part) used the same bit 13687 mask as the 'B' flag (append blank line). Setting one flag 13688 also turned on the other. File: pipe/pipe.c. 13689 13690 Feature: specify the 'X' flag to indicate that the pipe(8) 13691 delivery agent performs final delivery. This changes the 13692 status in DSN "success" messages from "relayed" into 13693 "delivered". File: pipe/pipe.c. 13694 1369520070904-6 13696 13697 Feature: stress-adaptive behavior. When a "public" network 13698 service runs into an "all processes are busy" condition, 13699 the master(8) daemon logs a warning, restarts the service, 13700 and runs it with "-o stress=yes" on the command line (normally 13701 it runs the service with "-o stress="). This can be used 13702 to make main.cf parameter settings stress dependent. 13703 Examples: "smtpd_timeout = ${stress?10}${stress:300}" and 13704 "smtpd_hard_error_limit = ${stress?1}${stress:20}". Files: 13705 master/master_avail.c, master/master_spawn.c, master/master_ent.c. 13706 1370720070911 13708 13709 Bugfix (introduced Postfix 2.2.11): TLS client certificate 13710 with unparsable canonical name caused the SMTP server's 13711 policy client to allocate zero-length memory, triggering 13712 an assertion that it shouldn't do such things. File: 13713 smtpd/smtpd_check.c. 13714 1371520070912 13716 13717 Bugfix (introduced Postfix 2.4) missing initialization of 13718 event mask in the event_mask_drain() routine (used by the 13719 obsolete postkick(1) command). Found by Coverity. File: 13720 util/events.c. 13721 1372220070917 13723 13724 Workaround: the flush daemon forces an access time update 13725 for the per-destination logfile, to prevent an excessive 13726 rate of delivery attempts when the queue file system is 13727 mounted with "noatime". File: flush/flush.c. 13728 1372920070923 13730 13731 Cleanup: don't complain when a "corrupt" queue file is 13732 deleted before it can be saved to the "corrupt" queue. 13733 Files: *qmgr/qmgr_active.c. 13734 1373520071003 13736 13737 Logging: the Postfix SMTP server now logs the number of 13738 bytes received after the DATA command when a connection 13739 breaks before mail delivery completes. This may help finding 13740 the cause of the problem: packet loss, MTU, or other. File: 13741 smtpd/smtpd.c. 13742 1374320071004 13744 13745 Logging: all daemons now log the TCP port number of remote 13746 SMTP or QMQP clients. The information is overruled with 13747 the SMTP XCLIENT command, is propagated through SMTP-based 13748 content filters with XFORWARD, and is sent to Milter 13749 applications. Files: smtpd/smtpd_peer.c, smtpd/smtpd.c, 13750 smtpd/smtpd_proxy.c, smtpd/smtpd_milter.c, qmqpd/qmqpd_peer.c, 13751 cleanup/cleanup_milter.c, *qmgr/qmgr_message.c, 13752 *qmgr/qmgr_deliver.c, smtp/smtp_proto.c, pipe/pipe.c, 13753 global/deliver_request.c, global/deliver_pass.c, 13754 proto/XFORWARD_README, proto/XCLIENT_README. 13755 13756 Feature: per-command delays in smtp-sink. File: 13757 smtpstone/smtp-sink.c. Victor Duchovni. 13758 1375920071006 13760 13761 Cleanup: updated a bunch of hard-coded host[addr] logging 13762 statements. Files: smtpd/smtpd.c, smtpd/smtpd_chat.c, 13763 smtpd/smtpd_sasl_glue.c. 13764 13765 Cleanup: client port logging is now configurable (off by 13766 default). Parameters: smtpd_client_port_logging and 13767 qmqpd_client_port_logging. Files: smtpd/smtpd_peer.c, 13768 qmqpd/qmqpd_peer.c. 13769 13770 Cleanup: send client port information "0" instead of "unknown" 13771 to Milter applications. Files: smtpd/smtpd.c, smtpd/smtpd_milter.c, 13772 cleanup/cleanup_milter.c. 13773 1377420071025 13775 13776 Portability: on Linux we no longer need /proc to find out 13777 local IPv6 interface address information. LaMont Jones. 13778 Files: util/sys_defs.h. 13779 1378020071030 13781 13782 Bugfix (introduced Postfix 2.3): Postfix mistakenly enforced 13783 the 64kbyte limit (for sending body parts TO Milter 13784 applications) also while receiving packets FROM Milter 13785 applications. The limit is now at least 1GB. File: 13786 milter/milter8.c. 13787 1378820071105 13789 13790 Feature: ORIGINAL_RECIPIENT environment variable. Corey 13791 Hickey. File: local/local.c. 13792 1379320071108-10 13794 13795 Feature: general-purpose header/body_checks library module, 13796 first used in the SMTP client. Actions that change the 13797 message delivery time or destination can be implemented 13798 with a simple extension mechanism (they make sense only in 13799 before-queue filters). Configuration parameters: 13800 smtp_header_checks, smtp_mime_header_checks, 13801 smtp_nested_header_checks, smtp_body_checks. Unlike the 13802 cleanup server, the mime and nested header checks don't by 13803 default assume the header_checks value. Files: 13804 global/header_body_checks.[hc], smtp/smtp_proto.c, 13805 smtp/smtp_session.c. 13806 1380720071110 13808 13809 Feature: ${original_recipient} command-line macro. Corey 13810 Hickey. File: pipe/pipe.c. 13811 13812 Bugfix (introduced: 20071004) missing exception handling 13813 in smtp-sink per-command delay feature. Victor Duchovni. 13814 File: smtpstone/smtp-sink.c. 13815 138162007117-20 13817 13818 Revised queue manager with separate mechanisms for 13819 per-destination concurrency control and dead destination 13820 detection. The concurrency control supports non-integer 13821 feedback for more gradual concurrency adjustments, and uses 13822 hysteresis to avoid rapid oscillations. A destination is 13823 declared "dead" after a configurable number of pseudo-cohorts 13824 (number of deliveries equal to a destination's concurrency) 13825 reports connection or handshake failure. This work began 13826 with a discussion that Wietse started with Patrik Rak and 13827 Victor Duchovni late January 2004, and that Victor revived 13828 late October 2007. To establish a baseline for further 13829 improvement, Wietse implemented a few simple mechanisms. 13830 13831 Configuration parameters for debugging, positive/negative 13832 hysteresis, and positive/negative feedback. Some have since 13833 been removed or renamed, so no point naming them here. 13834 Files: global/mail_params.h, qmgr/qmgr_queue.c, 13835 qmgr/qmgr_deliver.c. 13836 1383720071121 13838 13839 Boundary condition: Patrik Rak pointed out that handling 13840 of negative feedback with concurrency window 1 could 13841 be improved. 13842 13843 Feature: support to look up null sender addresses in 13844 sender-dependent relayhost maps. Parameter name: 13845 empty_address_relayhost_maps_lookup_key (default; <>). 13846 Keean Schupke. File: trivial-rewrite/resolve.c. 13847 1384820071127-9 13849 13850 Revision 2 of queue manager scheduler interface, allowing 13851 feedback parameter settings with constants and variables 13852 such as 1/8 or 1/concurrency. Some experimental parameters 13853 were removed and others were renamed. The new names are: 13854 default_destination_concurrency_negative_feedback, 13855 default_destination_concurrency_positive_feedback, 13856 default_destination_concurrency_failed_cohort_limit, 13857 destination_concurrency_feedback_debug. 13858 13859 Also available are transport-specific overrides: 13860 <transport>_initial_destination_concurrency, 13861 <transport>_destination_concurrency_negative_feedback, 13862 <transport>_destination_concurrency_positive_feedback, 13863 <transport>_destination_concurrency_failed_cohort_limit. 13864 13865 Files: global/mail_params.h, *qmgr/qmgr.c, *qmgr/qmgr_transport.c, 13866 *qmgr/qmgr_queue.c, *qmgr/qmgr_feedback.c, postconf/auto.awk. 13867 1386820071202 13869 13870 Feature: output rate control. For example, specify 13871 "smtp_destination_rate_delay = 5m" to insert a five-minute 13872 delay between deliveries. This was an opportunity to define 13873 the mutually exclusive states that a queue can have, and 13874 to detect invalid transitions. This will make adding new 13875 features code easier. Files: *qmgr/qmgr_transport.c, 13876 *qmgr/qmgr_queue.c, *qmgr/qmgr_entry.c. 13877 13878 Bugfix (introduced Postfix 2.2): don't update the back-to-back 13879 delivery time stamp while deferring mail. File: *qmgr/qmgr_entry.c. 13880 1388120071203 13882 13883 Feature: support for read-write tables in the proxymap 13884 service. This is implemented with a separate master.cf entry 13885 named "proxywrite" that should run with process limit of 1 13886 if you want to update Berkeley DB like tables. This feature 13887 requires that tables be authorized with the proxy_write_maps 13888 configuration parameter. Files: global/dict_procy.[hc], 13889 proxymap/proxymap.c. 13890 13891 Human factors: the postmap and postalias commands now produce 13892 nicer diagnostics when asked to do something with a proxied 13893 map that they can't do. Files: postmap/postmap.c, 13894 postalias/postalias.c. 13895 13896 Bugfix: the proxymap client didn't properly propagate user 13897 options to the proxymap server. File: util/dict.h. 13898 13899 Workaround: force synchronous updates in the proxymap server 13900 so that maps will be in a consistent state between updates. 13901 File: proxymap/proxymap.c. 13902 13903 Bugfix: an empty rate-limited queue wasn't removed after 13904 timer expiry. Files: *qmgr/qmgr_queue.c. 13905 1390620071204 13907 13908 Use different sockets for proxymap (read-only) and proxywrite 13909 (read-write) services in the proxy: client. Victor Duchovni. 13910 File: global/dict_proxy.c. 13911 13912 Feature: proxymap delete support by Victor Duchovni. Files: 13913 global/dict_proxy.c, proxymap/proxymap.c. 13914 13915 Feature: proxymap delete support. Files: postmap/postmap.c 13916 postalias/postalias.c. 13917 13918 Cleanup: the Postfix sendmail command did not include the 13919 user (name/uid) information in all error messages. File: 13920 sendmail/sendmail.c. 13921 13922 Feature: data_directory configuration parameter for 13923 Postfix-writable data such as caches and random numbers. 13924 Files: postfix-install, conf/postfix-files. 13925 1392620071206 13927 13928 Security: tlsmgr(8) and verify(8) no longer use root 13929 privileges when opening their cache files. This avoids a 13930 potential security loophole where the ownership of a file 13931 (or directory) does not match the trust level of the content 13932 of that file (or directory). See RELEASE_NOTES for how to 13933 use pre-existing data. Files: util/set_eugid.[hc], 13934 tlsmgr/tlsmgr.c, verify/verify.c. 13935 13936 Compatibility: as a migration tool, redirect attempts by 13937 tlsmgr(8) or verify(8) to open files in non-Postfix directories 13938 to the Postfix-owned data_directory. File: global/data_redirect.c. 13939 13940 Lots of pathname fixes in the examples of TLS_README and 13941 postconf(5); -lm library screw-up in queue manager Makefiles. 13942 1394320071207 13944 13945 Cleanup: pathname fixes in documentation; unnecessary queue 13946 scan in the queue manager rate limiter; inverse square root 13947 feedback in the queue manager concurrency scheduler. Files: 13948 mantools/postlink, proto/TLS_README.html, *qmgr/qmgr_queue.c. 13949 13950 All changes up to this point should be ready for Postfix 2.5. 13951 13952 Documentation: updated nqmgr preemptive scheduler documentation 13953 by Patrik Rak. File: proto/SCHEDULER_README.html. 13954 1395520071211 13956 13957 Bugfix (introduced 19980315): the "write" equivalent of 13958 bugfix 20030104. File: util/vstream.c. 13959 1396020071212 13961 13962 Feature: "stress=" or "stress=yes" attribute in the SMTPD 13963 policy delegation protocol. File: smtp/smtpd_check.c. 13964 13965 Cleanup: allow_min_user now rejects recipients (and senders) 13966 starting with '-' at SMTP session time. To make this possible 13967 the feature was moved from qmgr(8) to trivial-rewrite(8). 13968 Files: *qmgr/qmgr_message.c, trivial-rewrite/resolve.c. 13969 1397020071213: 13971 13972 Cleanup: the queue manager and SMTP client now distinguish 13973 between connection cache store and retrieve hints. Once the 13974 queue manager enables connection caching (store and load) 13975 hints on a per-destination queue, it keeps sending connection 13976 cache retrieve hints to the delivery agent even after it 13977 stops sending connection cache store hints. This prevents 13978 the SMTP client from making a new connection without checking 13979 the connection cache first. Victor Duchovni. Files: 13980 *qmgr/qmgr_entry.c, smtp/smtp_connect.c. 13981 13982 Bugfix (introduced Postfix 2.3): the SMTP client never 13983 marked corrupt files as corrupt. Victor Duchovni. File: 13984 smtp/smtp_proto.c. 13985 13986 Cleanup: the SMTP client won't mark a destination as 13987 unavailable when at least one SMTP session was completed 13988 without connect or handshake error. Victor Duchovni. Files: 13989 smtp/smtp_connect.c, smtp/smtp_session.c, smtp/smtp_proto.c, 13990 smtp/smtp_trouble.c. 13991 1399220071215 13993 13994 Documentation and code cleanup. Files: global/deliver_request.h, 13995 *qmgr/qmgr_entry.c, smtp/smtp_connect.c, 13996 proto/SCHEDULER_README.html. 13997 13998 Bugfix (introduced snapshot 20071006): qmqpd ignored the 13999 qmqpd_client_port_logging parameter setting. File: 14000 qmqpd/qmqpd.c. 14001 1400220071216 14003 14004 Cleanup: show the remote SMTP server port in verbose logging, 14005 warnings and postmaster notices. Still don't show the port 14006 in delivery status notifications. Files: smtp/smtp_chat.c, 14007 smtp/smtp_sasl_glue.c, smtp/smtp_sasl_proto.c. 14008 14009 The "tls_require_cert" is now compatible with OpenLDAP 2.1 14010 and later. Victor Duchovni. Files: proto/ldap_table, 14011 global/dict_ldap.c. 14012 1401320071218 14014 14015 Cleanup: removed the "#ifdef USE_LIBMILTER_INCLUDES" 14016 dependencies on system-installed Milter protocol include 14017 files. Verified that the object code has not changed. File: 14018 milter/milter8.c. 14019 14020 Sanity check: idiot filter to detect attempts to use the 14021 same database file for different TLS session caches. File: 14022 tlsmgr/tlsmgr.c. 14023 14024 Cleanup: updated the spell check stoplist and the spell 14025 check script. Files: mantools/spell, proto/stop. 14026 14027 Cleanup: replaced documentation references to xxgdb by ddd. 14028 The xxgdb program hasn't been updated in more than 10 years. 14029 Files: proto/postconf.proto, conf/main.cf. 14030 1403120071219-20 14032 14033 Feature: support for all new Sendmail 8.14 Milter features 14034 except SMFIR_SKIP (skip further events of this type), 14035 SMFIP_RCPT_REJ (report rejected recipients to the mail 14036 filter), SMFIR_CHGFROM (replace sender, with optional ESMTP 14037 command parameters), and SMFIR_ADDRCPT_PAR (add recipient, 14038 with optional ESMTP command parameters). Files: milter/milters.c, 14039 milter/milter8.c, milter/test-milter.c, cleanup/cleanup_milter.c. 14040 1404120071221 14042 14043 Feature: support for Sendmail 8.14 Milter SMFIR_SKIP (skip 14044 further events of this type). Files: milter/milter8.c, 14045 milter/test-milter.c. 14046 14047 Cleanup: don't try sending HELO after a 421 EHLO reply. 14048 File: smtp/smtp_proto.c. 14049 1405020071221-nonprod 14051 14052 Using 20071221 as reference point. 14053 14054 Cleanup: Simplified TLS library cipher and protocol API to 14055 just pass string-valued properties to tls_client_init() and 14056 tls_client_start(). The client is now agnostic of the 14057 mechanics of cipher management internal to the library. The 14058 main.cf parameters used internally in the library are now 14059 loaded by the library, not the caller. Files: 14060 src/smtp/lmtp_params.c, src/smtp/smtp.c, src/smtp/smtp.h, 14061 src/smtp/smtp_params.c, src/smtp/smtp_proto.c, 14062 src/smtp/smtp_session.c, src/smtpd/smtpd.c, src/tls/tls.h, 14063 src/tls/tls_client.c, src/tls/tls_level.c, src/tls/tls_misc.c, 14064 src/tls/tls_server.c, src/tls/tls_session.c, src/tls/tls_verify.c 14065 and src/tlsmgr/tlsmgr.c 14066 14067 Cleanup: Client session lookup key "salting" is now handled 14068 internally in the tls library. Files: src/tls/tls_client.c 14069 14070 Cleanup: Cipher state is cached, and only updated when 14071 necessary. Files: src/tls/tls_misc.c 14072 14073 Feature: Extended the syntax of protocol selection to allow 14074 exclusions as well as inclusions. Files: src/tls/tls_misc.c 14075 14076 Cleanup: Updated default verification depth to match reality: 14077 default is 9 in OpenSSL and we don't yet override it. When 14078 we do (soon), the default will match previous behavior. 14079 Files: src/global/mail_params.h 14080 14081 Bugfix: Reference to obsolete "pfixtls" code won't compile 14082 inside #ifdef for OpenSSL <= 0.9.5a. Using an OpenSSL release 14083 that old has not been tested for some time, but may now 14084 work. Files: src/tls/tls_bio_ops.c. 14085 14086 Replaced "void *" TLS library application handles by explicit 14087 pointer types, while hiding data structure implementation 14088 details from the TLS library users. Files: tls/tls_client.c, 14089 tls/tls_server.c, smtp/smtp.c, smtpd/smtpd.c. 14090 14091 The TLS library no longer modifies VSTRINGs passed in by 14092 the caller. Where possible, information is passed as "const" 14093 from application to library. Files: smtp/smtp_proto.c, 14094 tls/tls_client.c. 14095 1409620071227-nonprod 14097 14098 Replaced explicit initialization of props structures by 14099 emulating function calls with named parameter lists. Files: 14100 tls/tls.h, smtp/smtp.c, smtp/smtp_proto.c, smtpd/smtpd.c. 14101 1410220071222 14103 14104 Further polishing of the Milter code and logging. File: 14105 milter/milter8.c. 14106 1410720071123 14108 14109 Further polishing of the Milter code. With SETSYMLIST, each 14110 Milter can now update its own macros instead of clobbering 14111 the global copy that is shared with other Milters. Also an 14112 opportunity to clean up some ad-hoc code for sending macro 14113 lists from smtpd(8) to cleanup(8). Files: milter/milter.c, 14114 milter/milter8.c, milter/milter_macros.c. 14115 1411620071224 14117 14118 Further polishing of the Milter code. Eliminated unnecessary 14119 steps from the initial smtpd/cleanup Milter handshake. Files: 14120 milter/milter.c, milter/milter8.c, milter/milter_macros.c. 14121 14122 Cleanup: name_code(3) and name_mask(3) now support read-only 14123 tables. Files: util/name_code.[hc], util/name_mask.[hc]. 14124 1412520071227 14126 14127 Cleanup: further refinements of the Milter code, allowing 14128 for multiple macro overrides. The code is now ready for 14129 serious testing. File: milter/milter8.c. 14130 1413120071229 14132 14133 Bugfix: the Milter client did not replace the Postfix-specific 14134 form for unknown host names by the Sendmail-specific form. 14135 File: milter/milter8.c. 14136 14137 Cleanup: when a cleanup milter reports a problem don't log 14138 generic "4.3.0 Sevice unavailable", but log the text for 14139 the actual error. File: cleanup/cleanup_milter.c. 14140 1414120080102-nonprod 14142 14143 SMTP client fingerprint security level support and configurable 14144 fingerprint digest algorithm. Victor Duchovni. Files: 14145 smtp/lmtp_params.c, smtp/smtp.c, smtp/smtp.h, 14146 src/smtp/smtp_params.c, src/smtp/smtp_proto.c, 14147 src/smtp/smtp_session.c, tls/tls_client.c, tls/tls_level.c, 14148 tls/tls_verify.c. 14149 1415020080103-nonprod 14151 14152 Missed "invalid TLS configuration" patch for SMTP client. 14153 Victor Duchovni. File: smtp/smtp_proto.c. 14154 14155 SMTP server configurable fingerprint digest algorithm. 14156 Victor Duchovni. Files: smtpd/smtpd.c, tls/tls.h, 14157 tls/tls_server.c, tls/tls_verify.c. 14158 1415920080104-nonprod 14160 14161 Cleanup: finally implemented certificate verification depth 14162 limit parameters. Prior to Postfix 2.5 these were ignored. 14163 For backwards compatibility, the default verification depth 14164 limit is now 9, the OpenSSL default. Victor Duchovni. Files: 14165 src/tls/tls_client.c, src/tls/tls_server.c, src/tls/tls_verify.c. 14166 14167 Robustness: Avoid possibility of NULL pointer issues in 14168 application code that checks certificate names, by providing 14169 "empty string" values when no data is available. Victor 14170 Duchovni. Files: src/tls/tls_verify.c, src/tls/tls_client.c, 14171 src/tls/tls_server.c, src/smtpd/smtpd_check.c, src/smtpd/smtpd.c. 14172 14173 Cleanup: separation of TLS handshake from security level 14174 enforcement. The library shakes hands; the application 14175 decides if the resulting security is acceptable. Victor 14176 Duchovni. Files: smtpd/smtpd.c, smtpd/smtpd_proto.c, 14177 tls/tls_server.c, tls/tls_client.c, tls/tls_verify.c. 14178 14179 Robustness: more robust processing of ASN.1 string attributes 14180 in x509v3 certificates, plus additional sanity checks (e.g. 14181 embedded null characters). Victor Duchovni. File: 14182 src/tls/tls_verify.c. 14183 1418420080104 14185 14186 Workaround: minor change to the Dovecot AUTH request to 14187 prevent dovecot-auth memory wastage. Timo Sirainen. File: 14188 xsasl/xsasl_dovecot_server.c. 14189 1419020080105-nonprod 14191 14192 Cleanup: renamed TLS-related symbols for consistency (always 14193 include the init, start, stop prefix in the TLS library 14194 function and data structure names; consistently distinguish 14195 between per-application TLS state and per-session TLS state; 14196 consistently use the fpt prefix for fingerprint related 14197 variables and structure members; consistent use of monocase 14198 typedef-ed names). 14199 1420020080106-nonprod 14201 14202 Cleanup: consistent use of <pre> and <blockquote> in examples; 14203 instead of emphasizing new Postfix 2.5 behavior in reference 14204 documentation, describe the new behavior as "current", with 14205 historical behavior as a supplemental note. 14206 1420720080107 14208 14209 Feature: new "pass" service type (in addition to "inet", 14210 "unix" and "fifo"). The "pass" service type supports 14211 front-end daemons that accept all inbound connections and 14212 that permit only well-behaved clients to talk to the MTA. 14213 This service type had been sitting in the master daemon for 14214 years but was disabled by default. Actual applications for 14215 this will have to be developed later. Files: util/upass_connect.c, 14216 util/upass_trigger.c. 14217 1421820080108 14219 14220 Cleanup: where possible, store data structures in read-only 14221 memory. Besides the security advantage of no write access, 14222 this also gives slightly better memory utilization when 14223 many processes execute the same file. Files: pretty much 14224 everything that has a static table, except for a few tables 14225 in the benchmark tools with flags that are controlled by 14226 command-line information. 14227 1422820080109 14229 14230 Cleanup: more read-only data. Files: everything that passes 14231 around a HEADER_OPTS pointer. 14232 1423320080112 14234 14235 Safety: optional lookup table to prevent the Postfix SMTP 14236 client from making repeated SASL login failures with the 14237 same hostname, username and password. This introduces new 14238 parameters: smtp_sasl_auth_cache_name, smtp_sasl_auth_cache_time. 14239 Based on code by Keean Schupke. Files: smtp/smtp_sasl_glue.c, 14240 smtp/smtp_sasl_auth_cache.c. 14241 14242 Safety: the Postfix SMTP client now by default defers mail 14243 after the server rejects a SASL login attempt with a 535 14244 status code. Specify "smtp_sasl_auth_soft_bounce = no" to 14245 get the earlier behavior. Based on code by Keean Schupke. 14246 Files: smtp/smtp_sasl_glue.c. 14247 1424820080114 14249 14250 Safety: the smtpd_client_new_tls_session_rate_limit setting 14251 now also limits the number of failed TLS handshakes. This 14252 limits the impact of broken configurations. File: smtpd/smtpd.c. 14253 1425420080115 14255 14256 Bugfix (introduced 20080112): Patrik Rak found two bugs 14257 that largely canceled each other out, causing Postfix not 14258 to complain about a missing "proxy:" prefix with the new 14259 smtp_sasl_auth_cache_name parameter setting. File: 14260 smtp/smtp_sasl_glue.c. 14261 14262 Documentation: new SOHO_README file for small/home offices. 14263 The text is automatically generated from bits and pieces of 14264 information that are scattered across other documents. 14265 File: mantools/make_soho_readme. 14266 1426720080116 14268 14269 Bugfix (introduced 20080112): missing #ifdef for the SASL 14270 login failure cache. File: smtp/smtp_sasl_auth_cache.h. 14271 1427220080123 14273 14274 Name fix: renamed the mumble_delivery_rate_delay parameter 14275 to mumble_destination_rate_delay, because it really is a 14276 per-destination feature. With this change we keep the option 14277 of implementing a future per-transport rate delay. 14278 1427920080125 14280 14281 Bugfix (introduced 20071216): missing {} in the LDAP client 14282 broke OpenLDAP TLS. The setting tls_require_cert=no was 14283 further broken because Postfix used OpenLDAP incorrectly. 14284 Victor Duchovni. This broke tls_require_cert=no File: 14285 global/dict_ldap.c. 14286 1428720080126 14288 14289 Cleanup: the post-install script now requires that it is 14290 invoked via the postfix(1) command. This was the intended 14291 use since Postfix 2.1, but it was never enforced. The 14292 documentation for package maintainers has been updated 14293 accordingly. File: conf/post-install. 14294 1429520080130 14296 14297 Bugfix (introduced 20071204): wrong proxywrite process limit 14298 in the default master.cf file. File: conf/master.cf. 14299 1430020080131 14301 14302 Bugfix (introduced 20080126): the new "do not execute 14303 directly" test in post-install got broken during code 14304 cleanup. File: conf/post-install. 14305 1430620080201 14307 14308 Workaround: undo the changes that require that post-install 14309 is invoked via the postfix command, because this breaks 14310 when "postfix start" is invoked with an obsolete postfix 14311 command that doesn't export the new data_directory parameter. 14312 14313 Workaround: pick up a missing data_directory setting from 14314 main.cf when "postfix start" is invoked with an obsolete 14315 postfix command. File: conf/post-install. 14316 1431720080207 14318 14319 Cleanup: soft_bounce support for multi-line Milter replies. 14320 File: src/milter/milter8.c. 14321 14322 Cleanup: preserve multi-line format of header/body Milter 14323 replies. Files: cleanup/cleanup_milter.c, smtpd/smtpd.c. 14324 14325 Cleanup: multi-line support in SMTP server replies. File: 14326 smtpd/smtpd_chat.c. 14327 14328 SAFETY: postfix-script, postfix-files and post-install are 14329 moved away from /etc/postfix to $daemon_directory. There 14330 were too many accidents where people clobbered these files 14331 with versions from an older Postfix release and ended up 14332 with an unusable Postfix setup. Files: postfix-install, 14333 Makefile.in, postfix/postfix.c, conf/postfix-files, 14334 conf/postfix-script, conf/post-install. 14335 1433620080212 14337 14338 Feature: check_reverse_client_hostname_access, to make 14339 access decisions based on the unverified client hostname. 14340 For safety reasons an OK result is not allowed. Noel Jones. 14341 Files: smtpd/smtpd_check.c plus header files and documentation. 14342 1434320080215 14344 14345 Safety: break SASL loop in case both the SASL library and 14346 the remote SMTP server are confused. File: smtp/smtp_sasl_glue.c. 14347 1434820080220 14349 14350 Safety: the master daemon now sets an exclusive lock on a 14351 file $data_directory/master.lock, so that the data directory 14352 can't be shared between multiple Postfix instances. This 14353 would corrupt files that rely on single-writer updates 14354 (examples: verify(8) cache, tlsmgr(8) caches, etc.). File: 14355 master/master.c. 14356 1435720080226 14358 14359 Cleanup: the postfix command did not set argv[0] to a sane 14360 value when invoking postfix-script. Reported by Victor 14361 Duchovni. File: postfix/postfix.c. 14362 1436320080228 14364 14365 Bugfix: bounce(8) segfault on one-line template text. 14366 Problem found by Sacha Chlytor. File: bounce/bounce_template.c. 14367 1436820080310 14369 14370 Safety: the SMTP server's Dovecot authentication client now 14371 enforces the SASL mechanism output filter also on client 14372 command input. File: src/xsasl/xsasl_dovecot_server.c. 14373 1437420080311 14375 14376 Bugfix (introduced 20070811): the MAIL and RCPT Milter 14377 application call-backs no longer received {mail_addr} or 14378 {rcpt_addr} information. Problem reported by Anton Yuzhaninov. 14379 File: smtpd/smtpd.c. 14380 14381 Bugfix (introduced 20080207): "cleanup -v" panic because 14382 the new "SMTP reply" request flag did not have a printable 14383 name. File: global/cleanup_strflags.c. 14384 1438520080318 14386 14387 Human factors: the PCRE and regexp maps now give more 14388 comprehensible error messages when people make the common 14389 mistake of indenting if/endif blocks. Files: util/dict_pcre.c, 14390 util/dict_regexp.c. 14391 1439220080324 14393 14394 Cleanup: the event_drain() function is now a proper event 14395 processing loop. File: util/events.c 14396 14397 Feature: when the "postmap -q -" command reads lookup keys 14398 from standard input, it now understands RFC822 and MIME 14399 message format. Specify -h or -b to use headers or body 14400 lines as lookup keys, and specify -hm or -bm to simulate 14401 header_checks or body_checks. The postmap -h option (without 14402 -m) will be compatible with a future postcat -h option. 14403 File: postmap/postmap.c. 14404 1440520080411 14406 14407 Bugfix (introduced Postfix 2.0): after "warn_if_reject 14408 reject_unlisted_recipient/sender", the SMTP server mistakenly 14409 remembered that recipient/sender validation was already 14410 done. File: smtpd/smtpd_check.c. 14411 14412 Bugfix (introduced Postfix 2.3): the queue manager would 14413 initialize missing client logging attributes (from xforward) 14414 with real client attributes. Fix: enable this backwards 14415 compatibility feature only with queue files that don't 14416 contain logging attributes. Problem reported by Liviu Daia. 14417 Files *qmgr/qmgr_message.c. 14418 1441920080424 14420 14421 Cleanup: some warning messages said "regexp" or "regexp 14422 map" instead of "pcre map". File: util/dict_pcre.c. 14423 1442420080426 14425 14426 Feature: finer control over address verification error 14427 handling and amount of information disclosed in the SMTP 14428 reject message. Parameters: unverified_recipient_defer_code, 14429 unverified_recipient_reject_reason, unverified_sender_defer_code, 14430 unverified_sender_reject_reason. If I don't do this properly, 14431 then someone will do it anyway. File: src/smtpd/smtpd_check.c. 14432 1443320080428 14434 14435 Cleanup: the proxy_read_maps (Postfix 2.0) default setting 14436 was not updated when adding sender/recipient_bcc_maps 14437 (Postfix 2.1) and smtp/lmtp_generic_maps (Postfix 2.3). 14438 File: global/mail_params.h. 14439 14440 Cleanup: the SMTP server's XFORWARD and XCLIENT support was 14441 not updated when the smtpd_client_port_logging configuration 14442 parameter was added. Code by Victor Duchovni. Files: 14443 smtpd/smtpd.c, smtpd/smtpd_peer.c. 14444 1444520080508 14446 14447 Cleanup: delivery status notifications now prepend a 14448 Return-Path: message header to the returned message. 14449 File: bounce/bounce_notify_util.c. 14450 1445120080509 14452 14453 Bugfix: null-terminate CN comment string after sanitization. 14454 File: smtpd/smtpd.c. 14455 1445620080510 14457 14458 Cleanup: when extracting peer and issuer common name from 14459 TLS certificates, convert the result into UTF-8, and use 14460 RFC 2047 encoding when logging these as Received: header 14461 comment fields. Based remotely on code by Victor Duchovni. 14462 Files: smtpd/smtpd.c, tls/tls_verify.c. 14463 1446420080511 14465 14466 Cleanup: the RFC 2047 encoding of RFC*822 comments is too 14467 problematic. The text that explains the problems is as 14468 long as the code itself. That is usually a good indication 14469 that code is not ready for use. File: smtpd/smtpd.c. 14470 14471 Cleanup: block non-printable ASCII text in UTF8 encoded TLS 14472 peer and issuer common names. File: tls/tls_verify.c. 14473 1447420080602 14475 14476 Workaround: avoid watchdog timeout in the local pickup 14477 daemon when the cleanup server expands a very large virtual 14478 alias list. Files: master/trigger_server.c, pickup/pickup.c. 14479 1448020080603 14481 14482 Workaround: avoid "bad address pattern" errors with non-address 14483 patterns in namadr_list_match() calls. File: util/match_ops.c. 14484 14485 Feature: print fsstone elapsed time with sub-second time 14486 resolution. Kenji Kikuchi. File: fsstone/fsstone.c. 14487 1448820080606 14489 14490 Bitrot: "make test" was broken due to recent changes in 14491 code and due to recent changes at mail-abuse.org. 14492 1449320080618 14494 14495 Add a note to SMTP session transcript email messages that 14496 other details may be found in the maillog file. Files: 14497 smtpd/smtpd_chat.c, smtp/smtp_chat.c. 14498 1449920080620 14500 14501 Cleanup: with the "Before-queue content filter", RFC3848 14502 information was not added to the headers. Carlos Velasco. 14503 File smtpd/smtpd.c. 14504 1450520080621 14506 14507 Cleanup: include unread byte count in the SMTP server's "lost 14508 connection after DATA (xx bytes)" logging. Files: smtpd/smtpd.c. 14509 1451020080629 14511 14512 Bugfix (introduced Postfix 2.2): multiple inconsistencies 14513 in SASL support after introduction of TLS. The Postfix 14514 SMTP server 1) complained about plain-text SASL configuration 14515 details when SASL was forbidden for plain-text sessions, 14516 and 2) ignored the smtpd_tls_auth_only parameter setting 14517 when built without TLS support. Files: smtpd/smtpd.c, 14518 smtpd/smtpd_check.c, smtpd/smtpd_sasl_glue.[hc], 14519 smtpd/smtpd_state.c. 14520 14521 Some clarification about recipient address versus domain, 14522 and recipients per message versus session. File: 14523 proto/postconf.proto. 14524 14525 The description of SASL authentication attributes was 14526 garbled. File: pipe/pipe.c. 14527 14528 Information: the master(8) server now logs the version 14529 besides the configuration directory upon "postfix reload". 14530 File: master/master.c. 14531 1453220080717 14533 14534 Cleanup: a poorly-implemented integer overflow check for 14535 TCP MSS calculation had the unexpected effect that people 14536 broke Postfix on LP64 systems while attempting to silence 14537 a compiler warning. File: util/vstream_tweak.c. 14538 1453920080721 14540 14541 The cleanup server now rejects undisclosed_recipients_header 14542 parameter values with invalid message header syntax. 14543 File: cleanup/cleanup_message.c. 14544 1454520080725 14546 14547 Paranoia: defer delivery when a mailbox file is not owned 14548 by the recipient. Sebastian Krahmer, SuSE. Files: 14549 local/mailbox.c, virtual/mailbox.c. 14550 1455120080804 14552 14553 Bugfix: dangling pointer in vstring_sprintf_prepend(). 14554 File: util/vstring.c. 14555 1455620080814 14557 14558 Security: some systems have changed their link() semantics, 14559 and will hardlink a symlink, contrary to POSIX and XPG4. 14560 Sebastian Krahmer, SuSE. File: util/safe_open.c. 14561 14562 The solution introduces the following incompatible change: 14563 when the target of mail delivery is a symlink, the parent 14564 directory of that symlink must now be writable by root only 14565 (in addition to the already existing requirement that the 14566 symlink itself is owned by root). This change will break 14567 legitimate configurations that deliver mail to a symbolic 14568 link in a directory with less restrictive permissions. 14569 1457020080815 14571 14572 Feature: the milter_default_action parameter now accepts 14573 the "quarantine" action. This works like "accept" but also 14574 freezes the mail in the "hold" queue. File: milter/milter8.c. 14575 14576 Robustness: transition from setjmp()/longjmp() to the signal 14577 mask saving/restoring versions sigsetjmp()/siglongjmp(). 14578 These functions have been around for 15 years, but they 14579 have had bugs on supported platforms, so makedefs tests for 14580 them. Files: makedefs, util/sys_defs.h, util/vstream.h. 14581 1458220080822 14583 14584 Cleanup: the proxymap_service_name and proxywrite_service_name 14585 parameters make the proxymap service names configurable. 14586 This paves the way for a future option where the proxymap 14587 services are accessible via TCP so that they can be shared 14588 among multiple Postfix hosts. File: global/dict_proxy.c. 14589 14590 Feature: MacOS X support for kqueue style event handling, 14591 with workaround for broken MacOS X versions. Files: 14592 util/sys_defs.h, makedefs. 14593 14594 Cleanup: the makedefs script now keeps its test programs 14595 in a directory makedefs.d, instead of inlining them as 14596 fragile "here documents". Files: makedefs, makedefs.d/*. 14597 1459820080823 14599 14600 Feature: IPv6 dns blocklist lookup. File: smtpd/smtpd_check.c. 14601 1460220080824 14603 14604 Cleanup: untangled the MacOS X version dependent sections 14605 in the makedefs script, to make future updates easier. File: 14606 makedefs. 14607 14608 Cleanup: don't log multiple Milter "hold" actions for the 14609 same email message. File: cleanup/cleanup_milter.c. 14610 1461120080826 14612 14613 Cleanup: moving test programs from makedefs into a makedefs.d 14614 directory brought more pain than gain. 14615 14616 Cleanup: untangled the Linux version dependent sections in 14617 the makedefs script, to make future updates easier. File: 14618 makedefs. 14619 14620 Documentation: MacOS process limit configuration by Quanah 14621 Gibson-Mount. File: proto/TUNING_README.html. 14622 14623 Feature: smtp-sink -M option to terminate after receiving 14624 a specified number of messages. Laurent Gentil. File: 14625 smtpstone/smtp-sink.c. 14626 14627 Bugfix (introduced Postfix 2.4): epoll file descriptor leak. 14628 With Postfix >= 2.4 on Linux >= 2.6, Postfix has an epoll 14629 file descriptor leak when it executes non-Postfix commands 14630 in, for example, user-controlled $HOME/.forward files. A 14631 local user can access a leaked epoll file descriptor to 14632 implement a denial of service attack on Postfix. Data 14633 confidentiality and integrity are not affected. File: 14634 util/events.c. 14635 1463620080903 14637 14638 Don't enable kqueue (which requires poll) support on 14639 MacOS X. File: makedefs. 14640 14641 Cleanup: remove obsolete Rhapsody and MacOS targets from 14642 makedefs. 14643 1464420080929 14645 14646 Workaround: don't log "file has 2 links" warnings when the 14647 condition appears to be temporary. As kernels have evolved 14648 from non-interruptible system calls towards fine-grained 14649 locks, the showq command has become likely to observe a 14650 file while the queue manager is in the middle of a rename 14651 operation, when the file has links to both the old and new 14652 name. File: global/mail_open_ok.c. 14653 14654 Workaround: don't loop forever when write() fails with a 14655 persistent EAGAIN error on a writable file descriptor. 14656 File: util/write_buf.c. 14657 1465820081003 14659 14660 Bugfix (introduced Postfix 2.1): when XFORWARD support was 14661 introduced with Postfix 2.1, the specification failed to 14662 clearly distinguish between missing and non-existent client 14663 information. This ambiguity affected the implementation: 14664 in $name expansions by delivery agents, unknown client 14665 hostnames could became empty strings (as if a submission 14666 was local), and local submissions could appear to originate 14667 from an SMTP-based content filter. This was fixed with a 14668 a minor semantic change to the XFORWARD protocol. Files: 14669 smtpd/smtpd.c, qmqpd/qmqpd.c, smtp/smtp_proto.c, 14670 cleanup/cleanup_envelope.c, proto/XFORWARD.html. Note: the 14671 changes to propagate local submission details were undone 14672 20082012. 14673 14674 Feature: a DUNNO lookup result in per_sender_relayhost_maps 14675 stops the search without replacing the next-hop destination. 14676 File: trivial-rewrite/resolve.c. 14677 1467820081005 14679 14680 Bugfix: further refinements to the handling of missing or 14681 non-existent remote client attributes. Files: smtpd/smtpd.c, 14682 smtpd/smtpd.h. 14683 14684 Documentation: the XFORWARD specification of the ADDR 14685 attribute did not agree with the actual on-the-wire protocol. 14686 Since we can't change already existing deployments, the 14687 spec has been updated. File: proto/XFORWARD_README.html. 14688 1468920081006 14690 14691 Bugfix: further refinements to the handling of remote client 14692 attributes. Introduced a dummy "we have forwarded client 14693 info" record, to eliminate the need for the backwards 14694 incompatible queue file change that was introduced 20081003. 14695 Files: smtpd/smtpd.c, cleanup/cleanup_envelope.c, 14696 *qmgr/qmgr_message.c. 14697 14698 Security: hardened the proxymap client, in case it ever 14699 ends up in a set-gid program. File: global/dict_proxy.c. 14700 1470120081007 14702 14703 Workaround: undo the proxymap client change. It broke 14704 chrooted servers when they attempted to reconnect to the 14705 proxy read/write service. File: global/dict_proxy.c. 14706 1470720081008 14708 14709 Safety: added checks that $queue_directory/pid is owned by 14710 root, and that $queue_directory/saved is owned by $mail_owner. 14711 File: conf/postfix-script. 14712 1471320081010 14714 14715 Feature: controls for opportunistic TLS protocols and 14716 ciphers. The smtp_tls_protocols, smtp_tls_ciphers, and 14717 equivalent parameters for lmtp and smtpd provide global 14718 settings; the SMTP client TLS policy table provides ciphers 14719 and protocols settings for specific peers. Code by Victor 14720 Duchovni. Files: smtp/smtp.c, smtp/smtp_session.c, smtpd/smtpd.c 14721 and documentation. 14722 1472320081012 14724 14725 Cleanup: simplify the 20081003 changes and don't try to 14726 propagate local submission information through XFORWARD. 14727 Files: smtpd/smtpd.c, qmqpd/qmqpd.c, smtp/smtp_proto.c, 14728 cleanup/cleanup_envelope.c, proto/XFORWARD.html. 14729 1473020081015 14731 14732 Bugfix: GLIBC API version detection. Rob Foehl. File: 14733 util/sys_defs.h. 14734 1473520081022 14736 14737 Documentation: removed inapplicable daemon_timeout reference 14738 from qmgr(8), oqmgr(8), pickup(8). These daemons need to 14739 use a much shorter watchdog timer. 14740 1474120081108 14742 14743 Feature: smtp_sasl_tls_verified_security_options is no 14744 longer #ifdef SNAPSHOT. 14745 14746 Feature: elliptic curve support. This requires OpenSSL 14747 version 0.9.9 or later. Victor Duchovni. Files: TLS_README, 14748 smtpd/smtpd.c, smtp/smtp.c, tls/tls_dh.c, tls/tls_certkey.c, 14749 tls/tls_server.c, tls/tls_client.c, tls/tls.h, tls/tls_misc.c. 14750 14751 Bugfix (introduced Postfix 2.5): the Postfix SMTP server 14752 did not ask for a client certificate with "smtpd_tls_req_ccert 14753 = yes". Reported by Rob Foehl. File: smtpd/smtpd.c. 14754 1475520081109 14756 14757 Cleanup: confusing names of variables. File: smtpd/smtpd.c. 14758 1475920081126 14760 14761 Documentation: pcre_table(5) incorrectly claimed that the 14762 'x' flag supports #comment after text. File: proto/pcre_table. 14763 1476420081202 14765 14766 Cleanup: vstream_bufstat() provides a more systematic 14767 approach to get information about VSTREAM buffers. The 14768 vstream_peek() function is now a backwards compatibility 14769 wrapper. Files: util/vstream.[hc]. 14770 14771 Cleanup: the SMTP server should warn about "lost connection 14772 after QUIT" only when the "." reply was pipelined together 14773 with the "QUIT" reply. File: smtpd/smtpd.c. 14774 14775 Cleanup: the SMTP client's code was duplicating buffer 14776 management that was already done in the VSTREAM module. 14777 File: smtp/smtp_proto.c. 14778 1477920081203 14780 14781 Cleanup: adjust the VSTREAM buffer strategy when reusing 14782 an SMTP connection with a large TCP MSS value. File: 14783 smtp/smtp_reuse.c. 14784 1478520081204 14786 14787 Cleanup: state the SMTP client PIPELINING implementation's 14788 dependency on monotonic VSTREAM buffer size behavior, and 14789 add some checks for boundary cases with VSTREAM buffer size 14790 change requests. Files: util/vstream.c, smtp/smtp_proto.c. 14791 1479220081205 14793 14794 Fix 20081202 flush code. Victor Duchovni. File: smtpd/smtpd.c. 14795 14796 Safety: add another check to "postfix check", in this case 14797 for group or other writable queue_directory. File: 14798 conf/postfix-script. 14799 1480020081217 14801 14802 Debugging: ad-hoc code to log the TLS error stack after 14803 VSTREAM read/write error. File: tls/tls_bio_ops.c. In a 14804 better implementation, each I/O "object" would provide an 14805 optional error reporting method (besides timed_read and 14806 timed_write) that could be queried via the vstream module. 14807 1480820081222 14809 14810 Documentation: log the "*" pattern as the last transport 14811 map lookup. File: proto/transport. 14812 1481320090103 14814 14815 Documentation: rewrote NFS_README, to clarify the support 14816 status of Postfix and NFS, and to describe the NFS workarounds 14817 that Postfix actually implements. 14818 1481920090106 14820 14821 Feature: "postconf -# parametername ..." to comment out 14822 named parameter entries. Victor Duchovni. File: 14823 postconf/postconf.c. 14824 1482520090107 14826 14827 Library: edit_file(3) module for cooperative editing of a 14828 file. Inspired by the postconf command, this creates a new 14829 version under a deterministic temporary name and renames 14830 it into place. The implementation uses an open/lock/stat 14831 protocol before updating the new file, and rename/unlock/close 14832 afterwards. Based on pieces of code by Victor Duchovni, 14833 with minor improvements by Wietse. Files: util/edit_file.[hc]. 14834 14835 Cleanup: the postconf command now uses the edit_file(3) 14836 module to manage collisions when multiple processes attempt 14837 to update the main.cf file. 14838 1483920090108 14840 14841 Feature: master_service_disable parameter (default: empty) 14842 to easily turn off/on master.cf services by type or by name 14843 and type. For example, to turn off the main SMTP listener 14844 use "master_service_disable = smtp.inet", and to turn off 14845 all TCP/IP listeners use "master_service_disable = inet". 14846 This immediately terminates all processes that provide the 14847 specified services. The master_service_disable feature does 14848 not distinguish services by their privacy property; some 14849 day, clients will not need to specify that anymore. Files: 14850 global/mail_params.h, master/master.c, master/master_vars.c, 14851 master/master_ent.c. 14852 14853 Bugfix (introduced May 19, 1997): removing a parameter 14854 setting from main.cf did not reset the parameter to its 14855 default value. This was a problem only in the master daemon. 14856 File: global/mail_conf.c, master/master_vars.c. 14857 1485820090109 14859 14860 Cleanup: "defer" action in access maps, and a corresponding 14861 access_map_defer_code parameter. No idea what was behind 14862 this omission. Files: global/mail_params.h, smtpd/smtpd.c, 14863 smtpd/smtpd_check.c, proto/access. 14864 14865 Workaround: specify "tcp_windowsize = 65535" (or less) to 14866 work around broken TCP window scaling implementations. This 14867 is perhaps easier than collecting tcpdump output and tuning 14868 kernel parameters by hand. See RELEASE_NOTES for how to 14869 change this setting without stopping Postfix. Files: 14870 util/inet_connect.c, inet_listen.c, global/mail_params.[hc]. 14871 1487220090110 14873 14874 Cleanup: create separate code modules for TCP window size 14875 handling, master.cf service name matching, and main.cf 14876 change monitoring. Files: util/inet_windowsize.c, 14877 global/match_service.c, master/master_watch.c. 14878 14879 Feature: TCP window size override for the Postfix SMTP/LMTP 14880 client, and for the smtp-source and smtp-sink test programs. 14881 Files: smtp/smtp_connect.c, smtpstone/smtp-source.c, 14882 smtpstone/smtp-sink.c. 14883 1488420090114 14885 14886 Bugfix: VERP now uses the Postfix original recipient, if 14887 available, because that is what the VERP consumer expects. 14888 Files: *qmgr/qmgr_deliver.c, bounce/bounce_notify_verp.c. 14889 14890 Safety: extra check for broken third-party patches that 14891 allow file size limit < message size limit. This can cause 14892 mail to be stuck in the queue forever. 14893 14894 Invisible change, in preparation for multi-instance support. 14895 Except for main.cf and master.cf, all files are optional 14896 for non-default Postfix configuration directories. File: 14897 conf/postfix-files. 14898 1489920090115 14900 14901 Cleanup: rewrote the 20090114 VERP bugfix, to replace code 14902 that "works" by code that is "right". Files: *qmgr/qmgr_deliver.c, 14903 bounce/bounce_notify_verp.c, global/verp_sender.c. 14904 1490520090118 14906 14907 Documentation: some URLs to enable/disable client-side TLS 14908 jumped into the middle of an enumeration. File: 14909 proto/TLS_README.html. 14910 1491120090119-21 14912 14913 Feature: multi-instance manager plug-in API. A sample 14914 multi-instance manager with instructions is available as 14915 $daemon_directory/postfix-wrapper. The plug-in API itself 14916 is described in postfix-wrapper(5). Files: postfix/postfix.c, 14917 global/mail_params.[hc], proto/postfix-wrapper, 14918 conf/postfix-wrapper, conf/postfix-script, conf/postfix-files. 14919 14920 Support to check/update shared files only in the context 14921 of the default Postfix instance. Files: conf/post-install, 14922 conf/postfix-script. 14923 1492420090122 14925 14926 Refinements: the multi-instance manager always replaces 14927 "start" by "check" when a Postfix instance is multi-instance 14928 disabled, so that problems will still be reported; polish 14929 documentation; delete unnecessary multi_instance_order 14930 parameter. Files: conf/postfix-wrapper, proto/postfix-wrapper, 14931 global/mail_params.[hc] and documentation. 14932 14933 Bugfix: the data_directory was not automatically created! 14934 File: conf/postfix-files. 14935 1493620090123 14937 14938 More little fixes in the "trivial but useful" postfix-wrapper 14939 including instructions. It's ready for testing in the field. 14940 File: conf/postfix-wrapper. 14941 1494220090125 14943 14944 Documentation: more precise description of multi-instance 14945 manager API, and minor edits of the example program. Files: 14946 conf/postfix-wrapper, proto/postfix-wrapper. 14947 1494820090208 14949 14950 Cleanup: enable multi-instance shared-file logic only when 14951 the instance is listed in multi_instance_directories. Files: 14952 conf/post-install, conf/postfix-script. 14953 1495420090210 14955 14956 Feature: specify "reject_tempfail_action = defer" to 14957 immediately defer a remote SMTP client request after a 14958 reject-type restriction fails with a temporary error. Based 14959 on code by Rob Foehl. File: smtpd/smtpd_check.c. 14960 14961 Feature: finer control of reject_tempfail_action with 14962 unknown_address_tempfail_action, unverified_sender_tempfail_action 14963 unverified_recipient_tempfail_action, and 14964 unknown_helo_hostname_tempfail_action. See documentation 14965 for details. File: smtpd/smtpd_check.c. 14966 1496720090211 14968 14969 Workaround: pass the SMTP server socket's local and remote 14970 peer address information to the Dovecot authentication server. 14971 This is incomplete code: it ignores XCLIENT server address 14972 overrides. File: xsasl/xsasl_dovecot_server.c. 14973 1497420090212 14975 14976 Testing revealed that with mumble_tempfail_action=defer, 14977 the "defer" action was ignored. Cause: the DEFER_IF_PERMIT[0-9] 14978 macros lost the SMTPD_CHECK_REJECT result value. File: 14979 smtpd/smtpd_check.c. 14980 14981 Feature: stress-dependent smtpd_timeout (normal: 300s, 14982 overload: 10s), smtpd_hard_error_limit (normal: 20, overload: 14983 1) and smtpd_junk_command_limit (normal: 100, overload: 1). 14984 Files: global/mail_params.h, global/mail_conf_nint.c, 14985 master/*_server.c, smtpd/smtpd.c. 14986 1498720090213 14988 14989 Fine tuning: don't enforce smtpd_junk_command_limit for 14990 XCLIENT and XFORWARD commands. These commands can be issued 14991 only by authorized clients. File: src/smtpd/smtpd.c. 14992 1499320090215 14994 14995 Feature: the Postfix SMTP server hangs up after replying 14996 with "521". This makes overload handling more effective. 14997 See also RFC 1846. File: smtpd/smtpd.c. 14998 14999 Feature: postmulti mult-instance manager command, very 15000 lightly tested. The MULTI_INSTANCE_README still needs to 15001 be proofread. Originally by Victor Duchovni. Files: 15002 src/postmulti/*, proto/MULTI_INSTANCE_README.html, 15003 conf/postmulti-script. 15004 1500520090216-24 15006 15007 Cleanup: assorted code cleanups in postmulti. File: 15008 src/postmulti/postmulti.c. 15009 1501020090223 15011 15012 Cleanup: multiple instances of the same global. Files: 15013 util/inet_windowsize.c, util/inet_listen.c. 15014 1501520090228 15016 15017 Cleanup: the Postfix SMTP server now maintains a per-session 15018 "improper command pipelining detected" flag. This flag can 15019 be tested at any time with reject_unauth_pipelining, and 15020 is raised whenever a client command is followed by unexpected 15021 commands or message content. Files: smtpd/smtpd.c, 15022 smtpd/smtpd_check.c. 15023 15024 Logging: the Postfix SMTP server now logs the first command 15025 pipelining transgression as "improper command pipelining 15026 after <command> from <hostname>[<hostaddress>]". 15027 15028 Cleanup: after DATA command failure, log "(approximately 15029 XX bytes)" only if Postfix actually accepted the DATA 15030 command. File: smtpd/smtpd.c. 15031 1503220090303 15033 15034 Cleanup: word smithing of "sendmail -bv" probe message. 15035 File: sendmail/sendmail.c. 15036 15037 Cleanup: OpenLDAP now provides a sane solution for conflicts 15038 with PAM ldap-over-tls. Victor Duchovni. File: global/dict_ldap.c. 15039 1504020090304 15041 15042 Cleanup: skip over suspended or throttled queues while 15043 looking for delivery requests. File: *qmgr/qmgr_transport.c. 15044 1504520090305 15046 15047 Bugfix: in the "new queue manager", the _destination_rate_delay 15048 code needed to postpone the job scheduler updates after 15049 delivery completion, otherwise the scheduler could loop on 15050 blocked jobs. Victor & Wietse. File: qmgr/qmgr_entry.c, 15051 qmgr/qmgr_queue.c, qmgr/qmgr_job.c. 15052 15053 Cleanup: report a "queue file write error", instead of 15054 passing though bogus 2xx replies from proxy filters to SMTP 15055 clients. File: smtpd/smtpd_proxy.c. 15056 1505720090307 15058 15059 Cleanup: with "lmtp_assume_final = yes", the Postfix LMTP 15060 delivery agent assumes that delivery is final when talking 15061 to an LMTP server that announces no DSN support. Otherwise, 15062 the Postfix LMTP delivery agent assumes that delivery is 15063 "relayed", to maintain compatibility with simple LMTP-based 15064 content filters. Based on code by Michel Sebastien, ATOS 15065 Origin. File: smtp/smtp_rcpt.c. 15066 1506720090310 15068 15069 Bugfix: Postfix used mumble_concurrency_failed_cohort_limit 15070 instead of mumble_destination_concurrency_failed_cohort_limit 15071 as documented. File: global/mail_params.h. 15072 1507320090330 15074 15075 Cleanup: add (Resent-) From:, Date:, Message-ID: or To: 15076 headers only when clients match $local_header_rewrite_clients. 15077 Specify "always_add_missing_headers = yes" for backwards 15078 compatibility. Adding such headers to remote mail can break 15079 DKIM signatures that cover headers that are not present. 15080 File: cleanup/cleanup_message.c. 15081 1508220090415 15083 15084 Workaround: to avoid unnecessary "fatal" delivery agent 15085 exits, delivery agents retry getting a shared lock on a 15086 queue file. This is necessary since the queue manager's 15087 behavior was changed years ago to refill the in-memory 15088 recipient list before it was completely empty. File: 15089 global/deliver_request.c. 15090 15091 Documentation: updated STRESS_README. 15092 1509320090416 15094 15095 Workaround: some AWK implementations have a limit of 10 15096 output files and lack a working close() function. It is too 15097 much trouble to find out what systems have this limitation, 15098 and where, if any, such systems store their XPG4-compatible 15099 AWK program. So instead we generate a stream of here 15100 documents and let the shell split the stream into files. 15101 File: postconf/extract.awk. 15102 15103 Documentation: clarification of certificate file usage. 15104 Victor Duchovni. Files: proto/postconf.proto, 15105 proto/TLS_README.html. 15106 15107 Feature: pass a "TLS is active" flag to the server-side 15108 SASL support. Based on code by Timo Sirainen, except that 15109 the implementation uses an extensible API so that it will 15110 be less painful to add more attributes in future Postfix 15111 versions. Files: xsasl/xsasl.h, xsasl/xsasl_*server.c, 15112 smtpd/smtpd_sasl_glue.c. 15113 1511420090417 15115 15116 Documentation: re-generate READMEs and manpages for updated 15117 hyperlinks. 15118 15119 Documentation: missing hyperlinks and missing parameters 15120 in manpages. File: mantools/postlink, mantools/check-postlink. 15121 1512220090418 15123 15124 Cleanup: use the extensible API to pass SMTP client address 15125 information to the dovecot SASL plugin, and prepare for 15126 passing server address information. Files: xsasl/xsasl.h, 15127 xsasl/xsasl_dovecot_server.c, smtpd/smtpd_sasl_glue.c. 15128 15129 Same extensible API transformation for the SASL client-side 15130 code to make future extensions less painful. Files: 15131 xsasl/xsasl.h, xsasl/xsasl*client.c, smtp/smtp_sasl_glue.c. 15132 15133 More postlink fixes. File: mantools/postlink. 15134 1513520090419 15136 15137 Bugfix: don't re-enable SIGHUP if it is ignored in the 15138 parent. This may cause random "Postfix integrity check 15139 failed" errors at boot time (POSIX SIGHUP death), causing 15140 Postfix not to start. We duplicate code from postdrop and 15141 thus avoid past mistakes. File: postsuper/postsuper.c. 15142 15143 Robustness: don't re-enable SIGTERM if it is ignored in the 15144 parent. Files: postsuper/postsuper.c, postdrop/postdrop.c. 15145 1514620090422 15147 15148 Undo delivery agent change 20090415. The queue manager never 15149 locks a queue file to read additional recipients into memory, 15150 so if a delivery agent runs into a locked file, then something 15151 is seriously wrong. File: global/deliver_request.c. 15152 1515320090424 15154 15155 Compatibility: the Postfix SMTP client no longer uses the 15156 obsolete SSLv2 by default for opportunistic encryption. 15157 This has nothing to do with security (we're willing to send 15158 plaintext over an unauthenticated connection) but with the 15159 loss of advanced options that give better performance. 15160 Victor Duchovni. Files: proto/postconf.proto, global/mail_params.h. 15161 1516220090426 15163 15164 Feature: more accurate support for Milter macros {mail_addr} 15165 and {rcpt_addr}, and new support for Milter macros {mail_host}, 15166 {mail_mailer}, {rcpt_host}, and {rcpt_mailer}. Files: 15167 milter/milter.[hc], smtpd/smtpd.[hc], smtpd/smtpd_milter.c, 15168 smtpd/smtpd_resolve.c. 15169 15170 Feature: support to report rejected recipients to Milters 15171 (SMFIP_RCPT_REJ). Postfix reports the event as decribed in 15172 Sendmail 8.14.0 documentation: {rcpt_mailer} = "error", 15173 {rcpt_host} = enhanced status code (e.g., "5.7.1"), and 15174 {rcpt_addr} = reason to reject (e.g., "Relay access denied"). 15175 Files: milter/milter.[hc], milter/milter8.c, smtpd/smtpd.[hc], 15176 smtpd/smtpd_milter.c. 15177 1517820090427 15179 15180 Feature: Milter support for replacing the envelope sender 15181 and adding recipients (SMFIR_CHGFROM, SMFIR_ADDRCPT_PAR). 15182 This support currently ignores ESMTP command parameters. 15183 Files: milter/milter8.c, cleanup/cleanup_milter.c. 15184 1518520090428 15186 15187 Compatibility: to make all the new Milter features usable, 15188 raise the default milter_protocol setting from 2 to 6. 15189 This has been tested with a Sendmail 8.14 libmilter. 15190 File: global/mail_params.h. 15191 15192 Bugfix: don't disable MIME parsing with smtp_header_checks, 15193 smtp_mime_header_checks, smtp_nested_header_checks or with 15194 smtp_body_checks. Bug reported by Victor. File: smtp/smtp_proto.c. 15195 15196 Code cleanups: respect VSTRING invariants by using VSTRING_RESET 15197 and VSTRING_TERMINATE instead of directly groping the 15198 underlying character buffer. Files: global/dsn_buf.c, 15199 milter/milter8.c. 15200 1520120090507 15202 15203 main.cf:tls_random_source now defaults to /dev/arandom on 15204 OpenBSD. This device was introduced before Postfix development 15205 began. Files: util/sys_defs.h, global/mail_params.h. 15206 1520720090510 15208 15209 Code cleanups: while emulating SMTP client requests for 15210 Milter applications, use user@domain form addresses as 15211 required by the SMTP protocol, instead of bare usernames. 15212 This avoids hard to debug errors from some Milter applications. 15213 Files: cleanup/cleanup_envelope.c, cleanup/cleanup_extracted.c, 15214 cleanup/cleanup_addr.c. 15215 1521620090511 15217 15218 Code cleanups: don't clobber -o command-line arguments so 15219 that Linux people can debug daemon command lines more easily. 15220 Files: master/*server.c. 15221 1522220090513 15223 15224 Code cleanups: better parsing of Postfix daemon "-o" 15225 command-line options, with better error handling. Files: 15226 master/*server.c. 15227 1522820090518 15229 15230 Documentation: missing dummy entries for lmtp_mumble_checks. 15231 File: proto/postconf.proto. 15232 1523320090519 15234 15235 Bugfix (introduced: Postfix 2.3, but did not cause trouble 15236 until 20090427). Queue file corruption with (smtpd_milters 15237 or non_smtpd_milters) enabled, AND with delay_warning_time 15238 enabled, AND with short envelope sender addresses (e.g., 15239 local submissions with bare usernames, but not bounces). 15240 The queue file would be corrupted when the delay_warning_time 15241 record was marked as "done" after sending the "your mail 15242 is delayed" notice. File: qmgr/qmgr_message.c. 15243 1524420090522 15245 15246 Bugfix (introduced: Postfix 2.3). The cleanup server 15247 rejected mail with records of type REC_TYPE_DRCP (recipient 15248 deleted by Milter), but such records could be present in 15249 mail re-submitted with "postsuper -r". Found during code 15250 review. Files: global/record.h, cleanup/cleanup_envelope.c. 15251 1525220090524 15253 15254 Feature: new postcat options: -e (print envelope), -h (print 15255 header), and -b (print body). Specify "postcat -bh" to 15256 suppress information about envelope records, and "postcat 15257 -h" to get the message header only. With large messages, 15258 "postcat -h" is much faster than manually stripping the 15259 message body from the output. File: postcat/postcat.c. 15260 1526120090528 15262 15263 Bugfix (introduced: Postfix 2.6 change 20080629): with 15264 plaintext sessions, smtpd_tls_auth_only=yes caused spurious 15265 warnings with reject_authenticated_sender_login_mismatch, 15266 and broke reject_unauthenticated_sender_login_mismatch and 15267 reject_sender_login_mismatch. Based on fix by Victor 15268 Duchovni. File: smtpd/smtpd_check.c. 15269 1527020090603 15271 15272 Cleanup: Postfix 2.3 adopted a file descriptor passing 15273 workaround for OpenBSD. This workaround was hard-coded for 15274 all platforms because there were no have adverse effects. 15275 This is no longer the case: OpenBSD is fixed, and NetBSD 15276 does not like the workaround. We now default back to the 15277 non-workaround code and turn on the workaround dynamically. 15278 Files: util/unix_send_fd.c, unix_recv_fd.c, unix_pass_fd_fix.c. 15279 1528020090605 15281 15282 Portability: modern kernels below ancient user-land. File: 15283 makedefs. 15284 1528520090606 15286 15287 Feature: post-Milter header checks, with all actions except 15288 PREPEND. To enable, specify for example "milter_header_checks 15289 = pcre:/path/to/file". Files: cleanup/cleanup_init.c, 15290 cleanup/cleanup_milter.c, cleanup/cleanup_extracted.c, 15291 cleanup/cleanup_state.c. 15292 15293 Bugfix: non-portable command pathname in postmulti-script. 15294 15295 Safety: "postmulti -e destroy" no longer attempts to remove 15296 files that are created AFTER "postmulti -e create". Rationale: 15297 by design, postfix queue/data directories are not trusted; 15298 actions within those directory trees must not affect files 15299 outside those those trees (e.g. by symlink race attacks). 15300 We don't want to be nailed with a bunch of CVEs for unsafe 15301 pathname handling. File: conf/postmulti-script. 15302 1530320090607 15304 15305 Cleanup: revise milter_header_checks action implementation, 15306 and avoid redundant logging and work when milter_header_checks 15307 and Milters make redundant or conflicting decisions. File: 15308 cleanup_milter.c. 15309 1531020090614 15311 15312 Preliminary postscreen triage server for all inbound SMTP 15313 connections. This is not a proxy: it rejects bad clients 15314 and forwards the rest of the connections to a real Postfix 15315 SMTP server. The initial version does a simple "friend or 15316 foe" based on whether the client starts talking too soon. 15317 Decisions are cached, so "good" clients have no overhead. 15318 File: postscreen/postscreen.c. 15319 15320 Cleanup: more robust code for receiving file descriptors 15321 via the "pass" master service protocol. File: 15322 util/upass_listen.c. 15323 1532420090617 15325 15326 Temporary helper daemon that does parallel DNSBL lookups 15327 for postscreen(8). It logs successful lookups to the maillog 15328 file without blocking the client. postscreen(8) will use 15329 the results in a later non-production version. To enable 15330 DNSBL lookups, specify "postscreen_dnsbl_sites = name, 15331 name, etc". and restart postscreen(8) with "postfix reload". 15332 File: src/dnsblog/dnblog.c. 15333 1533420090618 15335 15336 postscreen(8) logging and actions are now documented in the 15337 postscreen(8) manpage. When a client is listed in DNSBLs 15338 specified with postscreen_dnsbl_sites, it is no longer 15339 whitelisted. Instead the number of blocklist hits is logged. 15340 File: postscreen/postscreen.c. 15341 1534220090619 15343 15344 postscreen(8) by default no longer immediately drops 15345 connections. Specify "postscreen_greet_action = drop" and 15346 "postscreen_hangup_action = drop" for the old behavior. 15347 There is also a new postscreen_dnsbl_action parameter, for 15348 completeness. File: postscreen/postscreen.c. 15349 1535020090708 15351 15352 Portability: FreeBSD 8 has closefrom(). File: uti/sys_defs.h. 15353 1535420090710 15355 15356 Bugfix (introduced Postfix 2.3): Postfix got out of sync 15357 with a Milter application after the application sent a 15358 "quarantine" request at end-of-message time. The milter 15359 application would still be in the end-of-message state, 15360 while Postfix would already be working on the next SMTP 15361 event (typically, QUIT or MAIL FROM). Problem diagnosed 15362 with help from Alban Deniz. File: milter/milter8.c. 15363 1536420090711-2 15365 15366 New "event_server" Postfix server framework. It is similar 15367 to the "multi_server" framework but does not manage client 15368 I/O events. This framework is suitable for servers such 15369 as postscreen that have complex event management requirements. 15370 File: master/event_server.c. 15371 15372 New event_fork() primitive to resume event processing in a 15373 child process after it is created with fork(). This is 15374 needed by postscreen to complete work-in-progress in the 15375 background after "postfix reload". File: util/events.c. 15376 15377 Cleanup: postscreen migrated to the "event_server" framework. 15378 File: postscreen/postscreen.c. 15379 1538020090712 15381 15382 Cleanup: ${multi_instance_name:postfix}${multi_instance_name 15383 ?$multi_instance_name} garbage in Postfix logging is now 15384 hopefully gone. File: global/mail_task.c. 15385 1538620090715 15387 15388 Documentation: as of Postfix 2.6, the reject_unauth_pipelining 15389 feature can be used meaningfully at any protocol stage. 15390 File: proto/postconf.proto. 15391 1539220090717 15393 15394 Cleanup: postscreen PREGREET detection now uses non-destructive 15395 read, so that the real SMTP server can still receive the 15396 HELO command (apparently some sites allow pregreeters to 15397 talk to their servers). File: postscreen/postscreen.c. 15398 1539920090805 15400 15401 Bugfix: don't panic when an unexpected smtpd access map is 15402 specified. File: smtpd/smtpd_check.c. 15403 1540420090918 15405 15406 Bugfix (introduced Postfix 2.3): with Milter RCPT TO replies 15407 turned off, there was no automatic flush-before-read on the 15408 smtpd-to-milter stream, because the read was done on the 15409 cleanup-to-milter stream. Problem reported by Stephen Warren. 15410 File: milter/milter8.c. 15411 1541220091005 15413 15414 Bugfix: core dump while printing error message for malformed 15415 %<letter> sequence in LDAP, MySQL or PostgreSQL configuration. 15416 File: global/db_common.c. Fix by Victor Duchovni. 15417 1541820091006 15419 15420 Feature: "postscreen_whitelist_networks = $mynetworks" (the 15421 default) to avoid problems with buggy SMTP implementations 15422 in network appliances. Note: this feature never uses the 15423 remote SMTP client hostname. Files: global/addr_match_list.[hc], 15424 postscreen/postscreen.c. 15425 15426 Feature: postscreen_blacklist_networks (default: empty) to 15427 permanently blacklist hosts or networks. Address syntax is 15428 as with mynetworks. Note: this feature never uses the remote 15429 SMTP client hostname. File: postscreen/postscreen.c. 15430 15431 Feature: postscreen_blacklist_action (default: continue) 15432 to control what happens with a permanently blacklisted 15433 client. File: postscreen/postscreen.c. 15434 1543520091007 15436 15437 Feature: hostname-based check_client_{mx,ns}_access, 15438 check_reverse_client_hostname_{mx,ns}_access (the client 15439 IP address is not used). Rob Foehl. Files: smtpd/smtpd_check.c, 15440 global/mail_params.h, proto/postconf.proto, mantools/postlink. 15441 1544220091008 15443 15444 Documentation: restructured the postscreen(8) manpage 15445 as a sequence of tests. File: postscreen/postscreen.c. 15446 1544720091012 15448 15449 Bugfix: postmulti did not skip commands with -p. Luca 15450 Berra. File: postmulti/postmulti.c. 15451 1545220091023 15453 15454 Feature: specify "smtpd_command_filter = pcre:/file/name" 15455 to replace remote SMTP client commands before they are 15456 executed by the Postfix SMTP server. This a last-resort 15457 tool to fix inter-operability problems. See examples in 15458 the postconf(5) manual page. File: smtpd/smtpd.c. 15459 1546020091026 15461 15462 Cleanup: changed parameter evaluation order so that the 15463 multi_instance_wrapper parameter value is evaluated after 15464 the command and daemon directory parameters. File: 15465 global/mail_params.h. 15466 1546720091101 15468 15469 Performance: specify "smtpd_proxy_options = speed_adjust" 15470 to receive an entire message before sending it through a 15471 before-queue content filter. This reduces the number of 15472 simultaneous content filtering processes, and thus, the 15473 system memory requirements. Files: smtpd/smtpd.[hc], 15474 smtpd/smtpd_proxy.[hc]. 15475 1547620091103-4 15477 15478 Cleaned up the speed-adjust code, streamlined the error 15479 handling, and updated documentation. Files: smtpd/smtpd.[hc], 15480 smtpd/smtpd_proxy.[hc], proto/SMTPD_PROXY_README.html. 15481 1548220091105 15483 15484 Cleaning up after speed_adjust introduction: smtpd segfault 15485 caused by an incomplete API change; refined the queue space 15486 check; release scratch space immediately after delivering 15487 mail to the before-queue filter. Files: smtpd.c, smtpd_proxy.c. 15488 1548920091110 15490 15491 Workaround: specify "smtp_tls_block_early_mail_reply = yes" 15492 to detect a mail hijacking attack based on a TLS protocol 15493 vulnerability (CVE-2009-3555). The attack involves prepending 15494 malicious HELO/MAIL/RCPT/DATA commands to a Postfix SMTP 15495 client TLS session. The attack would succeed with non-Postfix 15496 SMTP servers that reply to the malicious commands after 15497 negotiating the Postfix SMTP client TLS session. File: 15498 smtp/smtp_proto.c. 15499 1550020091113 15501 15502 Workaround: skip interfaces without netmask, to avoid 15503 segfaults (reported by Dmitry Karasik). Don't supply a dummy 15504 null netmask, as that would turn Postfix into an open relay 15505 (mynetworks = 0.0.0.0/0). File: util/inet_addr_local.c. 15506 15507 Bugfix: forgot to flush output to the smtpd_proxy speed-adjust 15508 buffer before truncating the file. Reported by Mark Martinec, 15509 fix by Victor Duchovni. File: smtpd/smtpd_proxy.c. 15510 1551120091114 15512 15513 Feature: specify "smtp_reply_filter = pcre:/file/name" to 15514 replace remote SMTP server reply lines before they are 15515 parsed by the Postfix SMTP client. This a last-resort tool 15516 to fix inter-operability problems. See examples in the 15517 postconf(5) manual page. File: smtp/smtp_chat.c. 15518 15519 Safety: don't send postmaster notifications to report 15520 problems delivering (possible) postmaster notifications. 15521 File: smtp/smtp_connect.c. 15522 1552320091121 15524 15525 Feature: sender_dependent_default_transport_maps, to override 15526 the default transport in a sender-dependent manner. This 15527 is not a transport_maps override, and therefore it does not 15528 use the transport_maps syntax for null transport, null 15529 nexthop, or null email address. 15530 1553120091127 15532 15533 Usability: the Postfix SMTP client now logs a warning that 15534 wrappermode TLS is not supported, when configured to connect 15535 to port smtps/465. File: smtp/smtp_connect.c. 15536 1553720091203 15538 15539 Safety: the postscreen daemon logs a warning when table 15540 lookup is slow. Slow lookups cause postscreen to fall behind, 15541 and worse, to catch up in bursts, which results in overload 15542 elsewhere. File: postscreen/postscreen.c. 15543 1554420091206 15545 15546 Feature: by popular demand, the Postfix SMTP server now 15547 logs the before-queue content filter's end-of-message 15548 accept/reject response. File: smtpd/smtpd.c. 15549 1555020091209 15551 15552 Portability: as the result of continuous improvement, 15553 Berkeley DB no longer allows fork-then-close. File: 15554 postscreen/postscreen.c. 15555 15556 Bugfix: sender_dependent_relayhost_maps did not reject an 15557 empty lookup result, and did not recognize lookup errors, 15558 thus treating errors as "not found". Problem found during 15559 code maintenance. File: trivial-rewrite/resolve.c. 15560 15561 Cleanup: the postscreen daemon now applies the permanent 15562 whitelist first. It is a safety feature that prevents mail 15563 from being blocked. File: postscreen/postscreen.c. 15564 1556520091224 15566 15567 Bugfix (introduced 20041215): dict_dbm_sequence() did not 15568 release the shared lock when the end of the sequence was 15569 reached. File: util/dict_dbm.c. 15570 1557120091227 15572 15573 Cleanup: postscreen and verify periodic cache cleanup 15574 (default: 12 hours after the previous cache cleanup run). 15575 This is based on a new dict_cache(3) module that implements 15576 a generalized version of the tlsmgr(8) cache maintenance 15577 code. Once the new dict_cache(3) code is burned in, the 15578 tlsmgr(8) will be migrated to it. See the RELEASE_NOTES for 15579 user interface details. Files: util/htable.[hc], util/dict_ht.c, 15580 util/dict_cache.[hc], postscreen/postscreen.c, verify/verify.c. 15581 15582 Bugfix: the event handler starved I/O events when a timer 15583 call-back routine scheduled a zero-delay timer request. 15584 This bug was exposed when adding the new dict_cache(3) 15585 module for cache expiration. File: util/events.c. 15586 1558720091228 15588 15589 Cleanup: postscreen and verify periodic cache cleanup is 15590 now optional (specify a null time interval between cache 15591 cleanup runs). 15592 1559320091229 15594 15595 Cleanup: the address_verify_poll_count default parameter 15596 value is now stress-dependent, so that the Postfix SMTP 15597 server will not wait (up to 6 seconds) for the address 15598 verification result. File: global/mail_params.h. 15599 15600 Final solution for the I/O event starvation problem when a 15601 timer call-back schedules a zero-delay timer request. File: 15602 util/events.c. 15603 1560420091231 15605 15606 Cleanup: the non-shared, in-memory hash table is now 15607 accessible as the "internal:" map type. This simplifies 15608 code by eliminating some special cases. Files: util/dict_ht.c, 15609 util/dict_open.c, and documentation. 15610 1561120100101 15612 15613 Bugfix: the mantools/postlink script applied hyperlinks 15614 for the "virtual:" transport to "/etc/postfix/virtual:". 15615 Symptom reported by Christoph Anton Mitterer. 15616 1561720100102 15618 15619 Workaround: don't report bogus Berkeley DB close errors as 15620 fatal errors. All operations before close are already error 15621 checked, so the data is known to be safe. File: util/dict_db.c. 15622 1562320100107 15624 15625 Documentation: the access(5) manual page did not document 15626 the "send 521 and disconnect" behavior in the Postfix SMTP 15627 server (introduced with Postfix 2.6). File: proto/access. 15628 15629 Bugfix: the pickup daemon did not discard messages that 15630 were requeued after all recipients were delivered (or 15631 bounced), and the cleanup server tried to bounce such 15632 messages. Files: pickup/pickup.c, global/cleanup_user.h. 15633 15634 Future proofing: redundant code in postdrop to reject a 15635 submission without recipient record. File: postdrop/postdrop.c. 15636 1563720100109 15638 15639 Cleanup: "postcat -q" will now access files in the "saved" 15640 queue directory (for corrupted queue files). As before, the 15641 "postsuper" command will not, to avoid suddenly deleting 15642 such files. Files: global/mail_queue.h postcat/postcat.c. 15643 1564420100113 15645 15646 Cleanup: don't supply the "-o stress" command-line option 15647 with a single-process service. File: master/master_ent.c. 15648 1564920100115 15650 15651 Bugfix: the valid_hostname() fuction did not set the 15652 "non-numeric" flag after encountering the '-' character. 15653 Reported by Jan Schampera. File: util/valid_hostname.c. 15654 1565520100116 15656 15657 Documentation: the content_filter and FILTER features never 15658 supported the special cases of transport_maps. References 15659 to transport_maps syntax are now removed from content filter 15660 discussions. Files: proto/postconf.proto, proto/FILTER_README. 15661 15662 Workaround: as of Postfix 2.3 the VRFY command did not allow 15663 a mailbox address inside <>, which broke expectations. RFC 15664 2821 (and 5321) is vague about the VRFY request format, but 15665 spends lots of text on the reply format. File: smtpd/smtpd.c. 15666 1566720100117 15668 15669 Cleanup: when a content_filter parameter or FILTER command 15670 specifies an empty next-hop destination, the queue manager 15671 now uses the recipient domain instead of $myhostname. Specify 15672 "default_filter_nexthop = $myhostname" for compatibility 15673 with Postfix 2.6 and earlier, or specify a non-empty next-hop 15674 filter destination. Files: *qmgr/qmgr_message.c proto/access, 15675 proto/header_checks, proto/postconf.proto, proto/FILTER_README. 15676 1567720100120 15678 15679 Cleanup: detect illegal pipelining after HELO, EHLO. File: 15680 smtpd/smtpd.c. 15681 1568220100128 15683 15684 Documentation: streamlined the decriptions of protocol and 15685 cipher tweaks. Victor Duchovni. Files: proto/TLS_README, 15686 proto/postconf.proto. 15687 1568820100131 15689 15690 Documentation: the address verification database is now 15691 persistent by default. This, combined with the now default 15692 stress-dependent configuration, improves the performance 15693 limits and simplifies database maintenance. Files: 15694 proto/ADDRESS_VERIFICATION_README, verify/verify.c. 15695 15696 Cleanup: undo the proxymap and trivial-rewrite max_idle=1s 15697 override that was introduced with Postfix 2.3. It did not 15698 help to retire long-lived proxymap or trivial-rewrite 15699 processes on busy servers, and worsened performance on 15700 low-traffic servers. The reduced ipc_ttl value (introduced 15701 with Postfix 2.4) already solves the problem of retiring 15702 long-lived proxymap or trivial-rewrite processes. Files: 15703 proxymap/proxymap.c, trivial-rewrite/trivial-rewrite.c. 15704 1570520100202 15706 15707 Documentation: major revision of SASL_README with many 15708 details on how to configure Cyrus SASL internals. Patrick 15709 Koetter. File: proto/SASL_README.html 15710 1571120100204 15712 15713 Feature: added "forward_secrecy" option for Cyrus SASL. 15714 File: xsasl/xsasl_cyrus_security.c. 15715 1571620100206 15717 15718 Bugfix (from day zero): the local delivery agent returned 15719 undeliverable mail to the envelope sender instead of the 15720 owner- alias, when delivering to command or file. This 15721 reuses the workaround that was implemented to report a 15722 Delivered-To: loop. Files: local/file.c, local/command.c, 15723 local/recipient.c, local/bounce_workaround.c. 15724 1572520100209 15726 15727 The tcp_table(5) interface is now part of the stable release. 15728 The last protocol change was in Postfix 2.1. File: 15729 util/dict_open.c. 15730 1573120100305 15732 15733 Feature: reject_rhsbl_reverse_client, to reject a remote 15734 SMTP client based on its unverified reverse hostname. Code 15735 by Noel Jones. Files: smtpd/smtpd_check.c, proto/postconf.proto. 15736 15737 Feature: smtp_address_preference (default: ipv6) to control 15738 the order in which the Postfix SMTP client will connect to 15739 a destination that has IPv6 and IPv4 addresses with equal 15740 MX preference. Files: global/mail_params.h, smtp/smtp.c, 15741 smtp/smtp_params.c, smtp/smtp_addr.c, dns/dns_rr.c, 15742 and documentation. 15743 1574420100321 15745 15746 Feature: allow Milter applications to use a lower protocol 15747 version than the version that Postfix is configured for. 15748 Based on an idea by Kouhei Sutou. File: milter/milter8.c. 15749 1575020100322 15751 15752 Bugfix (introduced 20100305) the new smtp_address_preference 15753 feature was not tested with LMTP support. Problem reported 15754 by Stefan Foerster. File: smtp/smtp.c. 15755 1575620100407 15757 15758 Bugfix (introduced 20100305): reject_rhsbl_reverse_client 15759 was skipped if the forward-confirmed reverse DNS (FCRDNS) 15760 remote SMTP client hostname was "unknown". Victor Duchovni. 15761 File: smtpd/smtpd_check.c. 15762 1576320100422 15764 15765 Workaround (introduced: postfix-19990906 a.k.a. Postfix 15766 0.8.0). The Postfix local delivery agent did not properly 15767 distinguish between "address has no extension" and "address 15768 has an extension, but the extension is invalid". In both 15769 cases it would run only the full recipient local-part through 15770 the alias maps. Instead, it now drops the faulty extension 15771 from the recipient address local-part (it would be too 15772 error-prone to replace all tests for "no extension" by tests 15773 for "no valid extension". File: local/recipient.c. 15774 1577520100430 15776 15777 Feature: customized hard/soft reject responses by Jason 15778 Parsons. File: smtpstone/smtp-sink.c. 15779 1578020100515 15781 15782 Bugfix (introduced Postfix 2.6): the Postfix SMTP client 15783 XFORWARD implementation did not skip "unknown" SMTP client 15784 attributes, causing a syntax error when sending a PORT 15785 attribute. Reported by Victor Duchovni. File: smtp/smtp_proto.c. 15786 1578720100526 15788 15789 Cleanup: a unit-test driver was not updated after an internal 15790 API change. Vesa-Matti J Kari File: milter/milter.c. 15791 1579220100529 15793 15794 Portability: OpenSSL 1.0.0 changes the priority of anonymous 15795 cyphers. Victor Duchovni. Files: postconf.proto, 15796 global/mail_params.h, tls/tls_certkey.c, tls/tls_client.c, 15797 tls/tls_dh.c, tls/tls_server.c. 15798 15799 Portability: Mac OS 10.6.3 requires <arpa/nameser_compat.h> 15800 instead of <nameser8_compat.h>. Files: makedefs, util/sys_defs.h, 15801 dns/dns.h. 15802 1580320100531 15804 15805 Robustness: skip LDAP queries with non-UTF-8 search strings 15806 (in anticipation of UTF8SMTP support). File: global/dict_ldap.c. 15807 15808 Strict UTF-8 validator per RFC 3629. File: util/valid_utf8_string.c. 15809 1581020100601 15811 15812 Cleanup: Postfix LDAP client support for RFC 2255 LDAP URLs. 15813 Victor Duchovni. Files: proto/ldap_table global/dict_ldap.c. 15814 15815 Safety: Postfix processes log a warning when a matchlist 15816 has a #comment at the end of a line (for example mynetworks 15817 or relay_domains). File: util/match_list.c. 15818 15819 Portability: Berkeley DB 5.x has the same API as Berkeley 15820 DB 4.1 and later. File: util/dict_db.c. 15821 1582220100610 15823 15824 Bugfix (introduced Postfix 2.2): Postfix no longer appends 15825 the system default CA certificates to the lists specified 15826 with *_tls_CAfile or with *_tls_CApath. This prevents 15827 third-party certificates from getting mail relay permission 15828 with the permit_tls_all_clientcerts feature. Unfortunately 15829 this may cause compatibility problems with configurations 15830 that rely on certificate verification for other purposes. 15831 To get the old behavior, specify "tls_append_default_CA = 15832 yes". Files: tls/tls_certkey.c, tls/tls_misc.c, 15833 global/mail_params.h. proto/postconf.proto, mantools/postlink. 15834 1583520100615 15836 15837 Cleanup: the master no longer logs "process P killed with 15838 signal S" when it shuts down a running service (for example, 15839 the service is removed from master.cf, or the service is 15840 disabled via the main.cf master_service_disable parameter). 15841 File: master/master_spawn.c. 15842 1584320100617 15844 15845 Feature: read-only sqlite support based on code by Axel 15846 Steiner and documentation by Jesus Garcia Crespo. Files: 15847 conf/postfix-files, mantools/postlink, proto/DATABASE_README.html, 15848 proto/Makefile.in, proto/INSTALL.html, proto/mysql_table, 15849 proto/pgsql_table, proto/sqlite_table, proto/SQLITE_README.html, 15850 global/Makefile.in, global/mail_dict.c, global/dict_sqlite.c, 15851 global/dict_sqlite.h, postconf/postconf.c, postfix/postfix.c. 15852 1585320100618 15854 15855 Cleanup: SQLite read-only driver and documentation. Files: 15856 global/dict_sqlite.c, proto/mysql_table, proto/SQLITE_README.html. 15857 1585820100707 15859 15860 Completed the 20100610 bugfix. File: tls/tls_misc.c. 15861 1586220100714 15863 15864 Compatibility with Postfix < 2.3: fix 20061207 was incomplete 15865 (undoing the change to bounce instead of defer after 15866 pipe-to-command delivery fails with a signal). Fix by Thomas 15867 Arnett. File: global/pipe_command.c. 15868 1586920100715 15870 15871 Convenience: "postconf name=value ..." is now equivalent to 15872 "postconf -e name=value ...". File: postconf/postconf.c. 15873 1587420100724 15875 15876 Feature: INFO header/body_checks action for non-warning 15877 messages (for example, to log all Milter-inserted headers). 15878 File: global/header_body_checks.c, proto/header_checks. 15879 15880 Cleanup: after-filter Postfix SMTP servers now log before-filter 15881 queue IDs. For this, the XFORWARD protocol was extended 15882 with an IDENT attribute for the before-filter queue ID. 15883 This code was started in Postfix 2.1, but it was never 15884 finished due to time constraints. Files: smtpd/smtpd.[hc] 15885 smtpd/smtpd_proxy.c, smtpd/smtpd_sasl_proto.c, 15886 *qmgr/qmgr_message.c, *qmgr/qmgr_deliver.c, 15887 global/deliver_request.[hc], global/mail_proto.h, 15888 global/deliver_pass.c, smtp/smtp_proto.c. 15889 1589020100727 15891 15892 Bugfix: the milter_header_checks parser provided only the 15893 actions that change the message flow (reject, filter, 15894 discard, redirect) but disabled the non-flow actions (warn, 15895 replace, prepend, ignore, dunno, ok). File: 15896 cleanup/cleanup_milter.c. 15897 1589820100827 15899 15900 Performance: fix for poor smtpd_proxy_filter TCP performance 15901 over loopback (127.0.0.1) connections. Problem reported by 15902 Mark Martinec. Files: smtpd/smtpd_proxy.c. 15903 15904 Bugfix: the Postfix SMTP client no longer appends the local 15905 domain when looking up a DNS name without ".". Specify 15906 "smtp_dns_resolver_options = res_defnames" to get the old 15907 behavior, which can produce unexpected results. Files: 15908 smtp/smtp.c, smtp/smtp_params.c, smtp/smtp_addr.c. 15909 1591020100828 15911 15912 Refactoring: postscreen source code broken up into multiple 15913 files, and identifiers updated to match changes in their 15914 purpose. This will be the baseline for adding support for 15915 DNSBL weighting, then a dummy engine to collect forensic 15916 evidence with the option of future protocol checks. Files: 15917 postscreen/*.[hc], Makefile.in. 15918 1591920100829 15920 15921 Postscreen DNSBL support for optional fixed-string filters 15922 and optional integral weight factors (use negative weights 15923 for whitelisting). See RELEASE_NOTES and postconf(5) for 15924 details. Files: postscreen/postscreen_dnsbl.c, 15925 proto/postconf.proto, mantools.postlink, global/mail_params.h. 15926 15927 Incompatibility: the postscreen-to-dnsblog protocol was 15928 changed to support DNSBL query result filters. Use "postfix 15929 reload" after installing the new version otherwise the 15930 dnsblog(8) server may complain. 15931 1593220100830 15933 15934 Polished the postscreen documentation and comments to clarify 15935 the user interface and implementation. No code changes. 15936 1593720100831-910 15938 15939 Restructured postscreen and added support for a dummy SMTP 15940 protocol engine. This engine logs rejected attempts to 15941 deliver mail with helo/sender/recipient information, and 15942 implements deep protocol tests. The first deep protocol 15943 test is for command pipelining, where a client sends multiple 15944 commands instead of waiting for the server to respond to 15945 each command. The second one implements the Postfix SMTP 15946 server's smtpd_forbidden_commands feature. Files: 15947 postscreen/*.[hc]. See RELEASE_NOTES, postconf(5) and 15948 postscreen(8) for incompatibilities, features, and configuration 15949 parameters. 15950 1595120100910 15952 15953 Feature: boolean configuration parameters with string-valued 15954 defaults, so that they can be subject to macro expansions. 15955 This was needed to make some postscreen parameter defaults 15956 to the values of the corresponding smtpd parameters. Files: 15957 global/mail_conf.h, global/mail_conf_nbool.c, 15958 master/event_server.c, master/mail_server.h, master/multi_server.c, 15959 master/single_server.c, master/trigger_server.c, 15960 postconf/extract.awk, postconf/postconf.c. 15961 1596220100911 15963 15964 Feature: texthash read-only database. This is similar to 15965 hash: files, except that you don't need to run the postmap(1) 15966 command before you can use the file, and that it does not 15967 detect changes after the file is read. All information is 15968 read into memory. Files: util/dict_open.c, util/dict_thash.[hc], 15969 proto/DATABASE_README.html, postconf/postconf.c 15970 1597120100912 15972 15973 Feature: bare newline detection in postscreen. Real spambots 15974 don't make this mistake anymore, but poorly-written software 15975 still does. File: postscreen/smtpd.c. 15976 15977 Documentation: POSTSCREEN_README including instructions for 15978 turning postscreen(8) on without blocking mail, and more. 15979 Trimmed the text in the postscreen(8) manpage. File: 15980 proto/POSTSCREEN_README.html, postscreen/postscreen.c. 15981 1598220100914 15983 15984 Cleanup: the "postscreen_greet_wait" delay now ends as soon 15985 as both the pregreet and DNSBL tests complete (the postscreen 15986 documentation mentions in history/credits that the program 15987 started as a crude prototype). The default postscreen_dnsbl_ttl 15988 caching time is now reduced to 1h from 24h, allowing 15989 postscreen to catch up on DNSBL updates more quickly. If 15990 this increases the database update frequency too much then 15991 we'll need to make dnsbl result non-cachable. Files: 15992 postscreen/postscreen_dnsbl.c, global/mail_params.h. 15993 1599420100915 15995 15996 Bugfix (introduced 20100914): missing precondition for 15997 call-back notification. File: postscreen/postscreen_dnsbl.c. 15998 15999 Bugfix (introduced 20100914): the "postscreen_greet_wait" 16000 delay speedup worked only for DNSBL listed sites. File: 16001 postscreen/postscreen_dnsbl.c. 16002 16003 Workaround: better handling of pregreeting spambots. The 16004 postscreen built-in SMTP engine no longer sends a 220 banner 16005 to a client that falls into the pregreet trap. This eliminates 16006 many "NON-SMTP COMMAND" records in postscreen logging, as 16007 the SMTP client and server no longer get out of sync. It 16008 also results in better logging of sender/recipient information. 16009 File: postscreen/postscreen_smtpd.c. 16010 1601120100916 16012 16013 Cleanup: postscreen now uses the first responding DNSBL 16014 name in the "5.7.1 Service unavailable" reply, instead of 16015 the last responding one. File: postscreen/postscreen_dnsbl.c. 16016 16017 Cleanup: the 20100914 "postscreen_greet_wait" speedup did 16018 not happen as often as it should, because some older code 16019 still turned on PREGREET tests gratuitously, causing a full 16020 greet-wait delay. File: postscreen/postscreen_tests.c. 16021 16022 Cleanup: to avoid "address in use" problems, postscreen now 16023 closes the listening socket after "postfix stop". It also 16024 closes the socket after "postfix reload" but that does not 16025 hurt. Files: master/event_server.c, master/multi_server.c. 16026 16027 Cleanup: postscreen now logs CONNECT and DISCONNECT events. 16028 Files: postscreen/postscreen.c, postscreen/postscreen_misc.c. 16029 1603020100917 16031 16032 Bugfix: cut-and-paste error. Postscreen used pregreet_ttl 16033 instead of dnsbnl_ttl. File: postscreen/postscreen_early.c. 16034 1603520100920 16036 16037 Cleanup: minor cleanups and invisible fixes. Files: 16038 postscreen/postscreen_misc.c, postscreen/postscreen.h, 16039 postscreen/postscreen_tests.c. 16040 16041 Feature: preliminary postscreen penalty mechanism. Basic 16042 idea: when a client exceeds some threshold, don't allow it 16043 to pass any tests until the penalty expires. Penalties 16044 provide a way to slow down clients without blocking mail 16045 permanently. Files: postscreen/postscreen_misc.c, 16046 postscreen/postscreen_tests.c, postscreen/postscreen.c. 16047 16048 A first application of the postscreen penalty mechanism 16049 triggers on clients that make brief connections to find out 16050 if the mail server is up. With "postscreen_early_hangup_penalty 16051 = 600" they will disqualify themselves for 10 minutes. 16052 Unfortunately, this behavior is used by legitimate bulk 16053 mail services. This application was removed 20101103. The 16054 penalty mechanism itself is left in place as #ifdef NONPROD. 16055 1605620100923 16057 16058 Cleanup: renamed MUMBLE_FLAG_MUMBLE aggregates to 16059 MUMBLE_MASK_MUMBLE for consistency with other Postfix code. 16060 Files: postscreen/*.[hc]. 16061 1606220100930 16063 16064 Cleanup: flag PIPELINING errors with NOOP and VRFY. File: 16065 smtpd/smtpd.c. 16066 1606720101006 16068 16069 Bugfix (introduced: 20100914) dangling pointer when a client 16070 makes N > 1 simultaneous connections and closes M < N 16071 connections before postscreen has delivered the DNSBL score 16072 to the corresponding pseudothreads. In practice the pointer 16073 will refer to a block of 0xff bytes; the program terminates 16074 with a segmentation violation, and is restarted immediately 16075 by the master daemon. Files: postscreen/postscreen_early.c, 16076 postscreen/postscreen_dnsbl.c. 16077 16078 Cleanup: avoid repeated delivery to mailing list members 16079 with pathological nested alias configurations. The local(8) 16080 delivery agent now keeps the owner-alias attribute of the 16081 parent alias, when delivering mail to a child alias that 16082 does not have its own owner alias. With this change, local 16083 addresses from that child alias will be written to a new 16084 queue file, and a temporary error with one local address 16085 will no longer result in repeated delivery to other mailing 16086 list members. Specify "reset_owner_alias = yes" for the 16087 older behavior. File: local/alias.c. 16088 1608920101007 16090 16091 Bugfix (introduced: 2100923): duplicate "PASS OLD" logging. 16092 File: postscreen/postscreen_misc.c. 16093 1609420101008 16095 16096 Cleanup: dnsblog now logs "addr X listed by domain Y as Z" 16097 instead of "addr X blocked by domain Y as Z", because the 16098 service may be used for whitelist lookups. File: 16099 dnsblog/dnsblog.c. 16100 1610120101023 16102 16103 Cleanup: don't apply reject_rhsbl_helo to non-domain forms 16104 such as network addresses. This would cause false positives 16105 with dbl.spamhaus.org. File: smtpd/smtpd_check.c. 16106 1610720101103 16108 16109 Cleanup: new qmgr_ipc_timeout parameter (default: 60s) to 16110 override the system-wide ipc_timeout setting (default: 16111 3600s). The shorter timeout allows the queue manager to 16112 reset a deadlocked IPC connection before the watchdog timer 16113 goes off. Files: *qmgr/qmgr.c. 16114 16115 Cleanup: new qmgr_daemon_timeout parameter (default: 1000s) 16116 to make the hard-coded 1000s watchdog timeout configurable. 16117 Files: *qmgr/qmgr.c. 16118 16119 Cleanup: request default DSN notification when adding a 16120 recipient with smfi_addrcpt, instead of requesting "never 16121 notify" as with Postfix automatically-added BCC recipients. 16122 Files: cleanup/cleanup_addr.c, cleanup/cleanup.h, 16123 cleanup/cleanup_milter.c. 16124 1612520101105 16126 16127 Feature: DNS whitelist support in the Postfix SMTP server. 16128 permit_dnswl_client whitelists a client by IP address, and 16129 permit_rhswl_client whitelists a client by its hostname. 16130 The syntax is the same as reject_rbl_client etc., but the 16131 result is PERMIT instead of REJECT. For safety reasons, 16132 permit_xxx_client are silently ignored when they would 16133 override reject_unauth_destination. The result is 16134 DEFER_IF_REJECT when DNSWL lookup fails. The implementation 16135 is based on a design documented by Noel Jones (August 2010). 16136 File: smtpd/smtpd_check.c. 16137 1613820101108 16139 16140 Workaround: strip off IPv6 datalink suffix from peer address 16141 to avoid problems with strict address checking code. Files: 16142 smtpd/smtpd_peer.c, qmqpd/qmqpd_peer.c. 16143 1614420101114 16145 16146 Robustness: postscreen(8) now implements a time limit on 16147 reading an entire command, instead of a time limit for 16148 reading individual characters. File: postscreen/postscreen_smtpd.c. 16149 1615020101023 16151 16152 Cleanup: don't apply reject_rhsbl_helo to non-domain forms 16153 such as network addresses. This would cause false positives 16154 with dbl.spamhaus.org. File: smtpd/smtpd_check.c. 16155 1615620101117 16157 16158 Bugfix: the "421" reply after Milter error was overruled 16159 by Postfix 1.1 code that replied with "503" for RFC 2821 16160 compliance. We now make an exception for "final" replies, 16161 as permitted by RFC. Solution by Victor Duchovni. File: 16162 smtpd/smtpd.c. 16163 1616420101124-6 16165 16166 Feature: pattern matching for DNSWL/DNSBL responses. For 16167 example, with "reject_rbl_client example.com=d.d.d.d", each 16168 "d" can now be a pattern inside "[]" that contains one or 16169 more comma-separated decimal numbers or number..number 16170 ranges. Files: smtpd/smtpd_check.c, postscreen/postscreen_dnsbl.c, 16171 util/ip_match.c, util/ip_match.h. 16172 1617320101126 16174 16175 Cleanup: don't log "blocked using example.com=127.0.0.1", 16176 just log the domain name. File: smtpd/smtpd_check.c. 16177 1617820101129 16179 16180 Cleanup: postscreen_client_connection_count_limit (default: 16181 $smtpd_client_connection_count_limit) to limit the number 16182 of connections from the same IP address to the postscreen(8) 16183 daemon. Files: postscreen/postscreen.c, postscreen/postscreen.h, 16184 postscreen/postscreen_state.c. 16185 1618620101130 16187 16188 Cleanup: all postscreen(8) logging now reports the client 16189 as [address]:port. This requires an update of tools that 16190 process postscreen logging. Files: postscreen/*.c, 16191 proto/POSTSCREEN_README.html. 16192 16193 Cleanup: polishing recent documentation and code. Files: 16194 postscreen/postscreen_dnsbl.c, util/ip_match.c. 16195 1619620101201 16197 16198 Bugfix (introduced 20101129): broken default value for 16199 postscreen_client_connection_count_limit if the 16200 smtpd_client_connection_count_limit parameter was left at 16201 its default. File: postscreen/postscreen.c. 16202 16203 Workaround: BSD-ish mkdir() ignores the effective GID 16204 and copies group ownership from the parent directory. 16205 File: util/make_dirs.c. 16206 1620720101202 16208 16209 Feature: the LDAP client can now authenticate to LDAP servers 16210 via SASL. This is tested with SASL GSSAPI and Kerberos 5. 16211 Original code by Quanah Gibson-Mount adapted by Victor 16212 Duchovni. Files: global/dict_ldap.c, proto/LDAP_README.html, 16213 proto/ldap_table. 16214 16215 Cleanup: the cleanup server now reports a temporary delivery 16216 error when it reaches the virtual_alias_expansion_limit or 16217 virtual_alias_recursion_limit. Previously, it would silently 16218 ignore the excess recipients and deliver the message. File: 16219 cleanup/cleanup_map1n.c. 16220 1622120101205 16222 16223 Cleanup: sache_clnt_create() had an unnecessary data 16224 dependency on the non-library var_scache_service variable, 16225 causing problems with shared library builds. Instead, it 16226 should use its service argument (which has the same value). 16227 File: global/scache.c. 16228 16229 Cleanup: pipe_command.c had an unnecessary data dependency 16230 on the non-library var_command_maxtime variable, causing 16231 problems with shared library builds. The dependency was not 16232 necessary because the callers already specify an explicit 16233 time limit. File: global/pipe_command.c. 16234 1623520101206 16236 16237 Bugfix (introduced 20101205): postscreen hung up due to 16238 incorrect output error test. File: postscreen/postscreen_send.c. 16239 1624020101207 16241 16242 Cleanup: the undisclosed_recipients_header default value 16243 is now the empty string. The Internet mail RFCs have supported 16244 messages without recipient header for almost 10 years now. 16245 File: global/mail_params.h. 16246 16247 Cleanup: use strtol() instead of sscanf() for consistent 16248 handling of out-of-range numbers. Files: global/cfg_parser.c, 16249 global/conv_time.c, global/mail_conf_int.c, 16250 global/mail_conf_long.c, global/mail_conf_nint.c. 16251 1625220101217 16253 16254 Cleanup: eliminated the code that copied TLS protocol 16255 messages between the OpenSSL TLS engine and the network. 16256 This change hopefully simplifies the TLS library enough 16257 that it can be used in an event-driven TLS proxy in front 16258 of postscreen. Files: tls/tls_bio.c, tls/tls_server.c, 16259 tls/tls_client.c. 16260 16261 This change eliminates an obscure bug where the SMTP server 16262 would wait for another $smtpd_timeout seconds after sending 16263 the "421 Error: timeout exceeded" message to the client. 16264 1626520101221 16266 16267 Cleanup: simplified the VSTREAM "large buffer" support by 16268 dropping the Postfix 2.4 "binary compatibility" requirement. 16269 Files: util/vstream.c, util/vstream.h. 16270 1627120101222 16272 16273 Cleanup: the SMTP client PIPELINING code did not account 16274 for TLS protocol overhead. This could (only in theory) 16275 result in deadlock when the remote SMTP server announces a 16276 very small receive window after the client and server have 16277 synchronized their SMTP state. Victor Duchovni. File: 16278 smtp/smtp_proto.c. 16279 1628020101223 16281 16282 Feature: with "tls_preempt_cipherlist = yes" the Postfix 16283 SMTP server will preempt the remote SMTP client's cipher 16284 preference order. This requires OpenSSL 0.9.7 and later. 16285 Victor Duchovni. Files: src/smtpd/smtpd.c, src/tls/tls_server.c, 16286 proto/TLS_README.html, proto/postconf.proto. 16287 16288 Future proofing: specify "tls_disable_workarounds = a list 16289 or bit-mask of OpenSSL bug work-arounds to disable". This 16290 may become necessary when a bug workaround is found to cause 16291 problems (security or interoperability). Victor Duchovni. 16292 Files: tls/tls_misc.c, proto/TLS_README.html, proto/postconf.proto. 16293 16294 Infrastructure: extended name_mask module feature set with 16295 extensive documentation and 32-bit regression tests. Victor 16296 and Wietse. File: util/name_mask.[hc]. 16297 1629820101224 16299 16300 Cleanup: sanitized the name_mask API so that errors will be 16301 ignored only upon explicit request. Files: util/name_mask.[hc], 16302 src/global/ehlo_mask.c, src/smtp/smtp_proto.c, 16303 src/util/name_mask.c, src/xsasl/xsasl_dovecot_server.c. 16304 16305 Cleanup: more TLS overhead horrors for the SMTP client's 16306 PIPELINING engine. Wietse and Victor. File: smtp/smtp_proto.c. 16307 1630820101226 16309 16310 Cleanup: the SMTP client logic for pipelining the "." and 16311 "QUIT" commands was bogus - the pipelining engine could not 16312 know how much unacknowledged data is pending in the local 16313 TCP stack. We now ignore the buffer check for sending 16314 "QUIT" after ".". Wietse and Victor. File: smtp/smtp_proto.c. 16315 1631620110101 16317 16318 Cleanup: the Postfix SMTP server now always refreshes the 16319 SASL authentication mechanism list after STARTTLS. Some 16320 Dovecot versions may change their responses when they know 16321 that the SMTP connection is encrypted. File: smtpd/smtpd.c. 16322 16323 Cleanup: the smtpd_starttls_timeout default value is now 16324 stress-dependent. Files: global/mail_params.h, 16325 proto/postconf.proto. 16326 16327 Compatibility: postscreen_discard_ehlo_keyword(s|maps) 16328 support for compatibility with smtpd_discard_ehlo_keyword(s|maps). 16329 Files: postscreen/postscreen_smtpd.c. 16330 1633120110102 16332 16333 Feature: STARTTLS support for the postscreen(8) daemon. 16334 With early testing feedback from Victor Duchovni and Ralf 16335 Hildebrandt. Files: postscreen/postscreen_smtpd, 16336 postscreen/postscreen_starttls.c. 16337 16338 Feature: event-driven tlsproxy(8) daemon that translates 16339 TLS <=> plaintext for postscreen(8). One tlsproxy(8) process 16340 can translate traffic for multiple remote SMTP clients. 16341 With early testing feedback from Victor Duchovni and Christian 16342 Roessner. Files: util/nbbio.[hc], tlsproxy/*.[hc], 16343 postscreen/postscreen_starttlsd.c, postscreen/postscreen_smtpd.c. 16344 1634520110103 16346 16347 Cleanup: missing tls_level support in tlsproxy (it has no 16348 way to send plaintext, but perhaps an informative error 16349 message is in order anyway). File: tlsproxy/tlsproxy.c. 16350 16351 Cleanup: simplified the handling of throttled output (i.e. 16352 output that can't be sent because the receiver tries to be 16353 nasty). File: postscreen/postscreen_send.c. 16354 1635520110104 16356 16357 Feature: add contact information to each SMTP server reject 16358 message. For example, "smtpd_reject_footer = call 800-555-0101 16359 for assistance", with macro expansion and with multi-line 16360 support. Files: global/mail_params.h, mantools/postlink, 16361 proto/postconf.proto, smtpd/smtpd.c, smtpd/smtpd_chat.c, 16362 smtpd/smtpd_expand.[hc], util/mac_expand.[hc]. 16363 1636420110105 16365 16366 Cleanup: the forest of TLS-related booleans was shrunk. 16367 Victor Duchovni. Files: smtpd/smtpd.c, postscreen/postscreen.c, 16368 postscreen/postscreen_smtpd.c, tlsproxy/tlsproxy.c. 16369 16370 Non-production: tlsproxy support in the Postfix SMTP server 16371 for stress testing of the tlsproxy daemon (#ifdef TLSPROXY). 16372 Seen from outside, Postfix works just as if it has TLS 16373 support built into in smtpd(8). Files: smtpd/smtpd.c, 16374 tls/tls_proxy*.[hc], tlsproxy/tlsproxy.c, util/vstream.[hc]. 16375 16376 Bugfix (introduced with the Postfix TLS patch): discard 16377 plaintext following the STARTTLS command or response. This 16378 matters only for the minority of SMTP clients that actually 16379 verify server certificates. Files: smtpd/smtpd.c, 16380 smtp/smtp_proto.c. 16381 1638220110106 16383 16384 Non-production: cleaned up the tlsproxy support in the 16385 Postfix SMTP server for stress testing of the tlsproxy 16386 daemon (still #ifdef TLSPROXY). File: smtpd/smtpd.c. 16387 1638820110107 16389 16390 Cleanup: smtpd_reject_contact_information is renamed to 16391 smtpd_reject_footer, because it can be used for non-contact 16392 information. 16393 16394 Compatibility: postscreen_reject_footer support for 16395 compatibility with smtpd_reject_footer. Files: 16396 global/smtp_reply_footer.[hc], global/mail_conf.[hc], 16397 postscreen/postscreen_expand.c, postscreen/postscreen_send.c, 16398 postscreen/postscreen.c, smtpd/smtpd_chat.c. 16399 16400 Compatibility: postscreen_command_filter support for 16401 compatibility with smtpd_command_filter. Files: 16402 postscreen/postscreen_dict.c, postscreen/postscreen_smtpd.c 16403 1640420110108 16405 16406 Cleanup: postscreen(8) now displays control characters in 16407 PREGREET responses as C-style \letter escapes, instead of 16408 "?". File: postscreen/postscreen_early.c. 16409 1641020110109 16411 16412 Cleanup: Solaris support for "pass" (file descriptor passing 16413 based) services in master.cf. This was needed by postscreen(8). 16414 Also, renamed upass_xxx.c to unix_pass_xxx.c. One-character 16415 prefixes are too short. Removed upass_connect.c because it 16416 was useless code. Files: util/stream_pass_connect.c, 16417 util/unix_pass_listen.c, util/unix_pass_trigger.c. 16418 16419 Bugfix (introduced Postfix 2.4): on Solaris the Postfix 16420 event engine was deaf for SIGHUP and SIGALRM signals after 16421 the switch to /dev/poll. Symptoms were delayed "postfix 16422 reload" response, and killed processes when the watchdog 16423 timeout was less than max_idle. The fix is to set up SIGHUP 16424 and SIGALRM handlers that write to a pipe, and to monitor 16425 that pipe for read events via the Postfix event engine. 16426 Files: master/master_sig.c, util/watchdog.c, util/sys_defs.h. 16427 1642820110111 16429 16430 Cleanup: replaced the postscreen(8) separate blacklist and 16431 whitelist lookup tables by one postscreen_access_list table. 16432 See postconf(5) and POSTSCREEN_README for examples. Files: 16433 postscreen/postscreen_access.c, postscreen/postscreen.c, 16434 proto/postconf.proto, proto/POSTSCREEN_README.html. 16435 1643620110112 16437 16438 Cleanup: suspend/resume logic for postscreen(8) SMTP sessions 16439 that temporarily switch control to an external program such 16440 as tlsproxy, or perhaps a future policy plugin. Files: 16441 postscreen/postscreen_smtpd, postscreen/postscreen_starttls.c. 16442 1644320110113 16444 16445 Cleanup: ps_cache and psc_cache are now postscreen_cache. 16446 There is no need for obscure name abbrevations. File: 16447 src/global/mail_params.h. 16448 1644920110115 16450 16451 Workaround: malloc fuzz (safety margin for malloc requests). 16452 Files: util/sys_defs.h, util/mymalloc.c. 16453 16454 Cleanup: dnsblog_service_name and tlsproxy_service_name are 16455 now configurable, in case someone needs this. Files: 16456 global/mail_params.h, postscreen/postscreen.c, mantools/postlink, 16457 proto/postconf.proto. 16458 1645920110116 16460 16461 Cleanup: soft_bounce support for postscreen(8). Files: 16462 postscreen/postscreen_smtpd.c, postscreen/postscreen_send.c. 16463 16464 Cleanup: for smtpd(8) compatibility, postscreen(8) now 16465 strips deprecated route address prefixes from email addresses 16466 (@here,@there:user@example becomes user@example). This is 16467 primarily to make postscreen(8) logging more similar to 16468 that of smtpd(8). File: postscreen/postscreen_smtpd.c. 16469 16470 Cleanup: documentation, in preparation for the Postfix 2.8 16471 stable release. 16472 1647320110117 16474 16475 Bugfix (introduced Postfix alpha, or thereabouts): on HP-UX 16476 the Postfix event engine was deaf for SIGALRM signals. 16477 Symptoms were killed processes when the watchdog timeout 16478 was less than max_idle. The fix is the same as Solaris fix 16479 20110109. Since we can't know what other systems need this, 16480 the workaround is enabled by default. Files: util/sys_defs.h. 16481 16482 Cleanup: "smtpd_tls_eecdh_grade = strong" by default, instead 16483 of snapshot-only. File: global/mail_params.h, proto/postconf.proto. 16484 16485 Cleanup: missing "#include <errno.h>" in util/watchdog.c. 16486 16487 Bugfix: when compiled without -DUSE_TLS, tlsproxy used the 16488 wrong server skeleton (multi_server instead of event_server). 16489 File: tlsproxy/tlsproxy.c. 16490 16491 Workaround: added a panic check for code that is mis-compiled 16492 by the HP-UX compiler. File: postscreen/postscreen.c, 16493 postscreen/postscreen.h, postscreen/postscreen_state.c. 16494 1649520110118 16496 16497 Bugfix: the tls_disable_workarounds word list only included 16498 workarounds in SSL_OP_ALL. Problem report by Steve Jenkins, 16499 problem fix by Victor Duchovni. File: tls/tls_misc.c. 16500 16501 Last-minute incompatible syntax change: Postfix now uses 16502 ";" instead of "," to separate DNSBL/DNSWL address filter 16503 fields inside "[]". The compatibility break is not an issue, 16504 because the syntax never worked in main.cf. Problem reported 16505 by Mark Martinec. Files: util/ip_match.c, util/ip_match.in, 16506 util/ip_match.ref, proto/postconf.proto. 16507 16508 Cleanup: postscreen now monitors the AVERAGE latency of 16509 table access, and complains at most once per minute. File: 16510 postscreen/postscreen_dict.c. 16511 16512 Bugfix: support for the "dunno" command somehow disappeared 16513 from the postscreen_access_list implementation. File: 16514 postscreen/postscreen_access.c. 16515 1651620110123 16517 16518 Feature: read/write deadlines. Deadlines were introduced 16519 with postscreen's dummy SMTP engine. In the Postfix SMTP 16520 client and server, deadlines limit the total amount of time 16521 to read or write one command line, one response line, or 16522 one line of message content. This reduces the impact of 16523 application exhaustion attacks that trickle data one byte 16524 at a time. Files: util/vstream.[hc], global/smtp_stream.c. 16525 16526 Cleanup: remove #ifdef MIGRATION_WARNING transitional code 16527 from postscreen. File: postscreen/postscreen.c. 16528 1652920110125 16530 16531 Cleaned up and finalized read/write deadline support. Once 16532 this code has been fielded it can go into Postfix 2.8.1, 16533 and made available as optional patch for earlier releases. 16534 Further refinements have only diminishing returns and can 16535 evolve in the 2.9 release cycle. File: util/vstream.c. 16536 1653720110128 16538 16539 Infrastructure: separate VSTREAM flags for read or write 16540 errors. Files: util/vbuf.[hc], util/vstream.[hc]. 16541 16542 Cleanup: after write error, the smtp_stream routines now 16543 disable further network writes. This eliminates the need 16544 for clumsy code to avoid unwanted I/O while shutting down 16545 a TLS engine or closing a VSTREAM. File: util/smtp_stream.c. 16546 1654720110201 16548 16549 Cleanup: when verifying that the client_address->client_name 16550 lookup result resolves to the client_address, request 16551 hostname->address lookup with the same protocol family (IPv4 16552 or IPv6) as the client_address. Files: util/myaddrinfo.[hc], 16553 smtpd/smtpd_peer.c, qmqpd/qmqpd_peer.c. 16554 1655520110205 16556 16557 Infrastructure: vstream_peek_data() primitive to look ahead 16558 at buffered input. Use vstream_peek() to find out how much, 16559 and escape() for human presentation. Files: util/vstream.[hc]. 16560 16561 Cleanup: smtpd(8) and postscreen(8) now log the input that 16562 triggers an SMTP command pipelining violation. File: 16563 postscreen/postscreen_smtpd.c, smtpd/smtpd.c. 16564 16565 Infrastructure: smtp_get() option to skip over input in 16566 excess of the line length limit. Files: smtp/smtp_stream.[hc]. 16567 16568 Cleanup: handle excessively-long client requests and server 16569 responses more gracefully, i.e. without losing synchronization. 16570 Files: smtpd/smtpd_chat.c, smtpd/smtpd_proxy.c, smtp/smtp_chat.c, 16571 smtpstone/smtp-source.c. 16572 1657320110207 16574 16575 Bugfix (introduced Postfix 2.8): segfault with smtpd_tls_loglevel 16576 >= 3. Files: tls/tls_server.c, tls.h, smtpd.c, tlsproxy.c. 16577 16578 Cleanup: read/write deadline support for single_server TLS 16579 applications (i.e. smtpd(8), smtp(8)). File: tls/tls_bio_ops.c. 16580 1658120110212 16582 16583 Infrastructure: run-time switch for read/write deadline 16584 support. Files: util/vstream.[hc], global/smtp_stream.[hc], 16585 tls/tls_bio_ops.c. 16586 16587 Cleanup: configurable read/write deadline support with 16588 smtpd_per_record_deadline (normal: "no", overload: "yes") 16589 and smtp_per_record_deadline (default: "no"). Files: 16590 global/mail_params.h, smtpd/smtpd.c, smtp/smtp.c, 16591 smtp/smtp_proto.c, proto/postconf.proto, mantools/postlink. 16592 1659320110213 16594 16595 Workaround: the TLS library passes the same information via 16596 different function arguments, and this same information is 16597 maintained by different functions, so things get out of 16598 step when code is updated. As of 20110212, tls_client_start() 16599 needs to set the VSTREAM property of the TLS session object. 16600 File: tls/tls_client.c. 16601 1660220110215 16603 16604 Human factors: the FCRDNS (forward-confirmed reverse DNS) 16605 checking code now logs "hostname X does not resolve to 16606 address Y", when a "reverse hostname" lookup result does 16607 not resolve to the client IP address. Files: smtpd/smtpd_peer.c, 16608 qmqpr/qmqpd_peer.c. 16609 1661020110216 16611 16612 Cleanup: don't log a "connection reset by peer" error when 16613 postscreen(8) tries to send a server response. File: 16614 postscreen/postscreen_send.c. 16615 1661620110218 16617 16618 Cleanup: Postfix now uses long integers for message_size_limit, 16619 mailbox_size_limit and virtual_mailbox_limit. On LP64 (64-bit 16620 long and pointer, but 32-bit integer) systems, these message 16621 and mailbox limits can now exceed 2GB. Files: global/mail_params.c 16622 global/mail_params.h local/local.c master/event_server.c 16623 master/mail_server.h master/multi_server.c master/single_server.c 16624 master/trigger_server.c virtual/virtual.c postconf/extract.awk 16625 postconf/postconf.c. 16626 1662720110220 16628 16629 Cleanup: compiler gripe. File: util/vstream.c. 16630 1663120110223 16632 16633 Cleanup: Debian build tool gripe. File: smtpstone/smtp-sink.c. 16634 1663520110224 16636 16637 postscreen(8) support to enforce proper client MX lookup 16638 policy. Some spambots connect first to a backup MX address 16639 in the hope that the server has a weaker anti-spam policy. 16640 By listening on both primary and backup MX addresses, 16641 postscreen(8) can deny the temporary whitelist status to 16642 clients that connect only to backup MX hosts, and prevent 16643 them from talking to a Postfix SMTP server process. 16644 16645 For example, when 1.2.3.4 is a local backup IP address, 16646 specify "postscreen_whitelist_interfaces = !1.2.3.4 static:all" 16647 to disable dynamic whitelisting for clients that connect 16648 (only) to the backup MX address. Files: mantools/postlink, 16649 proto/postconf.proto, proto/POSTSCREEN_README.html, 16650 global/mail_params.h, postscreen/postscreen.c, 16651 postscreen/postscreen.h, postscreen/postscreen_state.c. 16652 1665320110225 16654 16655 Workaround (problem introduced with IPv6 support in Postfix 16656 2.2): the SMTP client did not support mail to [ipv6:ipv6addr]. 16657 Fix based on a patch by Gurusamy Sarathy (Sophos). File: 16658 util/host_port.c and regression test files. 16659 1666020110227 16661 16662 Portability: FreeBSD closefrom() support time window. Sahil 16663 Tandon. File: util/sys_defs.h. 16664 16665 Cleanup: each lookup table now has an owner status and UID 16666 attributes for provenance purposes, even memory-resident 16667 tables such as pcre, regexp and cidr. This fixes a problem 16668 where local(8) ignored the non-root ownership of a regular 16669 expression-based aliases(5) file. The table owner status 16670 is TRUSTED (data straight from root-owned configuration 16671 file), UNKNOWN (unauthenticated data from proxy or tcp) or 16672 KNOWN (we actually have an owner UID). With most tables, 16673 the owner UID is the file owner UID. With LDAP and *SQL, 16674 the owner UID is the Postfix configuration file owner. 16675 Files: src/util/dict_unix.c src/util/dict_thash.c 16676 src/util/dict_static.c src/util/dict_sdbm.c src/util/dict_regexp.c 16677 src/util/dict_pcre.c src/util/dict_nisplus.c src/util/dict_nis.c 16678 src/util/dict_ni.c src/util/dict_ht.c src/util/dict_env.c 16679 src/util/dict_dbm.c src/util/dict_db.c src/util/dict_cidr.c 16680 src/util/dict_cdb.c src/util/dict_alloc.c src/util/dict.h 16681 src/util/dict.c src/local/alias.c src/global/dict_sqlite.c 16682 src/global/dict_pgsql.c src/global/dict_mysql.c 16683 src/global/dict_ldap.c src/global/cfg_parser.h 16684 src/global/cfg_parser.c. 16685 1668620110311 16687 16688 Feature: Base 32 encoder/decoder per RFC 4648. This code 16689 was going to be used for long queue IDs, but plans were 16690 changed. Files: src/util/base32_code.[hc]. 16691 1669220110313 16693 16694 Bugfix (introduced Postfix 2.8): postscreen DNSBL scoring 16695 error. When a client disconnected and then reconnected 16696 before all DNSBL results for the earlier session arrived, 16697 DNSBL results for the earlier session would be added to the 16698 score for the later session. Problem report by Larry Vaden. 16699 Files: dnsblog/dnsblog.c, postscreen/postscreen_dnsbl.c. 16700 16701 Cleanup: protocol description in dnsblog(8) manpage. File: 16702 dnsblog/dnsblog.c. 16703 1670420110314 16705 16706 Portability: the SUN compiler had trouble with a pointer 16707 expression of the form ``("text1" "text2") + constant'' so 16708 we don't try to be so clever. Fix by Victor Duchovni. File: 16709 global/mail_params.h. 16710 1671120110320 16712 16713 Feature: specify "enable_long_queue_ids = yes" to enable 16714 support for non-repeating queue IDs (also used as queue 16715 file names). These queue IDs encode the time and inode 16716 number with a safe alphabet of the 52 characters 0-9B-Zb-z. 16717 The alphabet excludes vowels (AEIOUaeiou) to avoid creating 16718 real words. The queue ID format is: time in seconds, time 16719 in microseconds, 'z', inode number (the inode number is 16720 encoded without using the 'z' character of the safe alphabet). 16721 Turning on long queue IDs changes the width of the first 16722 output column of the mailq (postqueue -p) command, and 16723 changes the appearance of Postfix Message-ID headers to 16724 queueID@myhostname. Files: global/file_id.[hc], 16725 global/safe_ultostr.[hc], global/mail_queue.[hc], 16726 postsuper/postsuper.c, showq/showq.c 16727 1672820110321 16729 16730 Performance: with long queue file names, queue hashing now 16731 produces the same result as with short names. Postfix uses 16732 the hexadecimal representation of the file creation time 16733 in microseconds, instead of the beginning of the file name 16734 which changes once every year or so, a problem that was 16735 reported by Victor Duchovni. The base 16 encoding gives 16736 finer control over the number of directories than possible 16737 with base 52 encoding. Files: global/mail_queue.[hc]. This 16738 change requires "postfix reload". 16739 1674020110322 16741 16742 Cleanup: preserve the microseconds value when renaming 16743 long->short or short->short queue file names. As a side 16744 benefit, renaming long->short queue IDs will not change the 16745 result from queue hashing. File: postsuper/postsuper.c. 16746 1674720110323 16748 16749 Bitrot: qshape regexp pattern for long queue file names. 16750 Ralf Hildebrandt. File: auxiliary/qshape/qshape.pl. 16751 16752 Bitrot: text about queue ID reuse in the postsuper manpage. 16753 File: postsuper/postsuper.c. 16754 1675520110328 16756 16757 Cleanup: don't log warnings about socket shutdown() errors 16758 after a connection breaks. Postfix calls shutdown() to avoid 16759 unnecessary socket write timeouts. This is only an optimization, 16760 and failure is not critical. File: global/smtp_stream.c. 16761 1676220110411 16763 16764 Cleanup: postscreen(8) and verify(8) daemons now lock their 16765 respective cache file exclusively upon open, to avoid massive 16766 cache corruption by unsupported sharing. Files: util/dict.h, 16767 util/dict_open.c, verify/verify.c, postscreen/postscreen.c. 16768 1676920110414 16770 16771 Bugfix (introduced with Postfix SASL patch 20000314): don't 16772 reuse a server Cyrus SASL handle after authentication 16773 failure. File: smtpd/smtpd_proto.c. 16774 1677520110418 16776 16777 Bugfix (introduced Postfix 2.3 and Postfix 2.7): the Milter 16778 client reported some "file too large" errors as temporary 16779 errors. Problem reported by Michael Tokarev. Files: 16780 milter/milter8.c, cleanup/cleanup_milter.c. 16781 1678220110420 16783 16784 Performance: a high load of DSN success notification requests 16785 could stall the queue manager. Solution: make the trace 16786 client asynchronous, just like the bounce and defer clients. 16787 Problem reported by Eduardo M. Stelmaszczyk of terra.com.br. 16788 Files: global/abounce.[hc], *qmgr/qmgr_active.c (the 16789 qmgr_active.c files are identical). 16790 1679120110421 16792 16793 Cleanup: updated abounce warning message, and added a safety 16794 timeout to abounce() etc. requests. File: global/abounce.c. 16795 1679620110426 16797 16798 Bugfix (introduced in Postfix 1.1, duplicated in Postfix 16799 2.3, unrelated mistake in Postfix 2.7): the local(8) delivery 16800 agent ignored table lookup errors in mailbox_command_maps, 16801 mailbox_transport_maps, fallback_transport_maps and (while 16802 bouncing mail to alias) alias owner lookup. Problem reported 16803 by William Ono. Files: local/command.c, local/mailbox.c, 16804 local/unknown.c, local/bounce_workaround.c. 16805 1680620110516 16807 16808 Update the warning when permit_naked_ip_address is used, 16809 and add permit_sasl_authenticated to the list of suggested 16810 alternatives. File: smtpd/smtpd_check.c. 16811 1681220110601 16813 16814 Bugfix (introduced Postfix 2.6 with master_service_disable) 16815 loop control error when parsing a malformed master.cf file. 16816 Found by Coverity. File: master/master_ent.c. 16817 1681820110602 16819 16820 Bugfix (introduced: Postfix 2.7): "sendmail -t" reported 16821 "protocol error" after queue file write error. File: 16822 postdrop/postdrop.c. 16823 1682420110605 16825 16826 Cleanup: removed the PSC_STATE_FLAG_CACHE_EXPIRED flag. 16827 Nothing uses this anymore. Files: postscreen/postscreen.h, 16828 postscreen/postscreen_state.c, postscreen/postscreen_tests.c. 16829 1683020110614 16831 16832 Linux kernel version 3 support. Linus Torvalds has reset 16833 the counters for reasons not related to changes in code. 16834 Files: makedefs, util/sys_defs.h. 16835 1683620110615 16837 16838 Workaround: some Spamhaus RHSBL rejects lookups with "No 16839 IP queries" even if the name has an alphanumerical prefix. 16840 We play safe, and skip both RHSBL and RHSWL queries for 16841 names ending in a numerical suffix. File: smtpd/smtpd_check.c. 16842 1684320110624 16844 16845 Cleanup: added error checks for smtpd access primitives 16846 that don't automatically terminate the program after table 16847 lookup error: these primitives are permit_tls_clientcerts, 16848 permit_tls_all_clientcerts, and check_address_map (the last 16849 one is used in local_header_rewrite_clients only). File: 16850 smtpd/smtpd_check.c. 16851 1685220110729 16853 16854 Workaround: some getpwnam() and getpwuid() implementations 16855 cause mail to bounce ("user unknown") after LDAP etc. lookup 16856 error. Postfix now uses POSIX getpwnam_r() and getpwuid_r() 16857 where available. Initially, this workaround supports FreeBSD, 16858 Solaris and Linux. Files: makedefs, util/sys_defs.h, 16859 global/mypwd.[hc], local/alias.c, local/dotforward.c, 16860 local/include.c, local/mailbox.c, local/recipient.c. 16861 1686220110731 16863 16864 MacOS X 10.5 supports POSIX getpwnam_r() and getpwuid_r() 16865 (source: MacOS manpages at www.freebsd.org). If MacOS turns 16866 out to make a false promise, then we will undo this change. 16867 Files: makedefs, util/sys_defs.h. 16868 1686920110810 16870 16871 Cleanup: optimize an optimization to avoid uid->name lookup 16872 when all users are authorized with authorized_submit_users, 16873 authorized_mailq_users, authorized_flush_users. File: 16874 global/user_acl.c. 16875 1687620110811 16877 16878 Workaround: report a {client_connections} Milter macro value 16879 of zero instead of garbage, when the remote SMTP client is 16880 not subject to any smtpd_client_* limits. Problem reported 16881 by Christian Roessner. Files: smtpd/smtpd_state.c, 16882 proto/MILTER_README.html. 16883 1688420110817 16885 16886 Cleanup: avoid misleading error messages after future code 16887 change. The tls_bio_ops(3) module now returns non-zero errno 16888 values only when requests fail due to a system-call error. 16889 File: tls/tls_bio_ops.c. 16890 16891 Cleanup: TLS handshake error messages. The SMTP client and 16892 server now report STARTTLS network errors as "connection 16893 timed out", "connection reset by peer", etc., instead of 16894 reporting TLS error number 0. Files: tls/tls_bio_ops.c, 16895 tls/tls_server.c, tls/tls_client.c. 16896 1689720110818 16898 16899 Cleanup: VSTREAM-over-TLS error return values, for robustness 16900 against future change. For consistency with VSTREAM internal 16901 interfaces, the tls_stream(3) read/write routines now return 16902 -1 instead of unspecified negative OpenSSL results. File: 16903 tls/tls_stream.c. 16904 1690520110819 16906 16907 Cleanup: further TLS code cleanups, for robustness against 16908 future change. Unexpected TLS errors are no longer silently 16909 treated as ordinary errors, and one corner-case error in TLS 16910 timeout handling was fixed before it could cause trouble. 16911 File: tls/tls_bio_ops.c. 16912 1691320110821-24 16914 16915 Cleanup: simplified the TLS read/write deadline implementation, 16916 and documented why this same simplification is not possible 16917 higher-up, at the VSTREAM level. Files: tls/tls_bio_ops.c, 16918 util/vstream.c. 16919 1692020110831 16921 16922 Bugfix: allow for Milters that send an SMTP server reply 16923 without RFC 3463 enhanced status code. Reported by Vladimir 16924 Vassiliev. File: milter/milter8.c. 16925 1692620110902 16927 16928 Cleanup: don't log vstream_tweak "connection reset by peer" 16929 errors. File: util/vstream_tweak.c. 16930 1693120110904-7 16932 16933 Bugfix: master daemon panic with "master_spawn: at process 16934 limit", when "postfix reload" reduces the process limit 16935 from (a value larger than the current process count for 16936 some service) to (a value <= the current process count), 16937 and then a new connection is made to that service. This 16938 structural solution centralizes the decision to monitor a 16939 service port (or not). To improve robustness against future 16940 code changes, it clarifies some of the internal dependencies 16941 that exist inside the master daemon. Files: master/master.h, 16942 master/master_avail.c, master/master_conf.c, 16943 master/master_service.c, master/master_spawn.c. 16944 1694520110911 16946 16947 Debugging: report the request size when memory allocation 16948 fails. File util/mymalloc.c. 16949 1695020110914 16951 16952 Incompatibility: the default inet_protocols value is now 16953 "all" instead of "ipv4", meaning use both IPv4 and IPv6. 16954 As a compatibility workaround for sites without global IPv6 16955 connectivity, the commands "make upgrade" and "postfix 16956 upgrade-configuration" append "inet_protocols = ipv4" to 16957 main.cf when no explicit setting is present. This compatibility 16958 workaround will be phased out in a future release. Files: 16959 util/sys_defs.h, conf/post-install, proto/postconf.proto. 16960 16961 Incompatibility: the default smtp_address_preference value 16962 is now "any" instead of "ipv6", meaning choose randomly 16963 between IPv6 and IPv4. With this the Postfix SMTP client 16964 will have more success delivering mail to sites that have 16965 problematic IPv6 configurations. Files: global/mail_params.h, 16966 proto/postconf.proto. 16967 1696820110918 16969 16970 Workaround for multiple ancient FreeBSD getsockopt() bugs 16971 after non-blocking connect fails with 'host unreachable' 16972 that resulted in a unreasonable memory allocation request. 16973 File: util/vstream_tweak.c. 16974 1697520110921 16976 16977 Bugfix (introduced: Postfix 1.1): smtpd(8) did not sanitize 16978 newline characters in cleanup(8) REJECT messages, causing 16979 them to be sent out via SMTP as bare newline characters. 16980 This happened when a REJECT pattern matched multi-line 16981 header text. Discovered by Kevin Locke. File: smtpd/smtpd.c. 16982 1698320110922 16984 16985 Bugfix (introduced: Postfix 2.1): smtpd(8) sent multi-line 16986 responses from a before-queue content filter as text with 16987 bare <LF> instead of <CR><LF>. Found during code maintenance. 16988 File: smtpd/smtpd_proxy.c. 16989 1699020111011 16991 16992 Cleanup: for consistency with the SMTP standard, the 16993 smtp_line_length_limit default value was increased from 990 16994 characters to 998 (i.e. 1000 characters including <CR><LF>). 16995 File: global/mail_params.h, proto/postconf.proto. 16996 16997 Cleanup: the Postfix sendmail command now always transforms 16998 all input lines ending in <CR><LF> into UNIX format (lines 16999 ending in <LF>). This simplifies integration with third-party 17000 mail generating applications. Specify "sendmail_fix_line_endings 17001 = strict" to restore historical Postfix behavior (i.e. convert 17002 all input lines ending in <CR><LF> only if the first input 17003 line ends in <CR><LF>). Files: sendmail/sendmail.c, 17004 global/mail_params.h, proto/postconf.proto. 17005 1700620111017 17007 17008 Cleanup: refined the heuristic that automagically transforms 17009 legacy "sendmail -V" VERP requests into contemporary "sendmail 17010 -XV" syntax. File: sendmail/sendmail.c. 17011 17012 Cleanup: when the cleanup daemon goes into discard mode, 17013 don't get stuck when it runs onto milter file descriptor 17014 information. File: cleanup/cleanup.c. 17015 1701620111020 17017 17018 EAI Future-proofing: don't apply strict_mime_encoding_domain 17019 checks to unknown message subtypes such as message/global*. 17020 File: global/mime_state.c. 17021 1702220111025 17023 17024 Bugfix (introduced: Postfix 2.8): postscreen sent non-compliant 17025 SMTP responses (220- followed by 421) when it could not 17026 hand off a connection to a real smtpd process, causing some 17027 remote SMTP clients to bounce mail. The fix redirects the 17028 client to the dummy SMTP engine which sends the 421 reply 17029 at the first legitimate opportunity. Problem reported by 17030 Ralf Hildebrandt. Files: postscreen/postscreen_send.c, 17031 postscreen/postscreen_smtpd.c, postscreen/postscreen.h. 17032 1703320111102 17034 17035 Workaround: to improve inter-operability with broken remote 17036 SMTP servers, the Postfix SMTP client by default no longer 17037 appends the "AUTH=<>" option to the MAIL FROM command. 17038 Specify "smtp_send_dummy_mail_auth = yes" to restore the 17039 old behavior. 17040 1704120111106 17042 17043 Feature: "postconf -M" support to show Postfix's idea of 17044 what is in the master.cf file. File: postconf/postconf.c. 17045 17046 Feature: postconf "-f" option to "nicely" format long lines 17047 from main.cf or master.cf. File: postconf/postconf.c. 17048 1704920111108 17050 17051 Cleanup: postconf finally supports dynamic configuration 17052 parameter names: parameters whose name depend on a mail 17053 delivery transport or spawn service in master.cf, and 17054 parameters whose names are specified with smtpd_restriction_classes 17055 in main.cf. This adds 70 parameters to the "postconf" output, 17056 more if additional mail delivery transports are defined in 17057 master.cf. File: postconf/postconf.c. 17058 1705920111109 17060 17061 Cleanup: account for "," in smtpd_restriction_classes 17062 value (Victor Duchovni). File: postconf/postconf.c. 17063 1706420111112 17065 17066 Cleanup: postconf finally warns about possible mis-typed 17067 main.cf and master.cf parameter names (i.e. parameters that 17068 aren't used anywhere), and it finally displays user-defined 17069 main.cf parameters that *are* used. File: postconf/postconf.c. 17070 1707120111113 17072 17073 Portability: specify ``make makefiles "CCARGS=-DNO_NIS 17074 ..."'' to build on systems without NIS support. Files: 17075 makedefs, util/sys_defs.h. 17076 17077 Cleanup: documented the postconf algorithms and their 17078 limitations, and added regression tests to speed up future 17079 development. File: postconf/postconf.c 17080 1708120111117 17082 17083 Cleanup: postconf didn't "bless" type "inet" service names. 17084 17085 Cleanup: with pipelined sessions, smtp-sink flushed the 17086 output too often. Reported by Mark Martinec. File: 17087 smtpstone/smtp-sink.c. 17088 17089 Workaround: don't use IPv6 at build time. File: conf/main.cf. 17090 17091 Workaround: don't abort when IPv6 is present but busted. 17092 File: util/inet_proto.c. 17093 17094 Portability: the Dovecot 2.0 authentication server supports 17095 more socket types for its authentication server. File: 17096 xsasl/xsasl_dovecot_server.c. 17097 17098 Documentation: the Dovecot 2.0 authentication server supports 17099 communication over TCP sockets. Patrick Ben Koetter. File: 17100 proto/SASL_README.html. 17101 1710220111118 17103 17104 Cleanup: "postconf -M" now supports filtering. For example, 17105 "postconf -M inet" shows only services that listen on the 17106 network, and "postconf -M smtp.unix" shows the SMTP delivery 17107 agent. File: postconf.c. 17108 1710920111119 17110 17111 Cleanup: "postconf" commands in postfix-install needed to 17112 be updated before master.cf was installed. Reported by 17113 Sahil Tandon. File: postfix-install. 17114 1711520111120 17116 17117 Cleanup: support for parameter name spaces for master.cf 17118 entries. With this, postconf should no longer log false 17119 warnings for "-o user-defined-name=value" in master.cf. As 17120 a benefit, it will warn for user-defined parameters with 17121 "name=value" entries that are unused because they are hidden 17122 by master.cf "-o name=value" entries with the same parameter 17123 name. File: postconf/postconf.c. 17124 1712520111121 17126 17127 Cleanup: documentation fixes. File: postconf/postconf.c. 17128 17129 Cleanup: in postconf "main.cf management" mode, errors 17130 opening master.cf are non-fatal. File: postconf/postconf.c. 17131 1713220111122 17133 17134 Documentation: examples to request VERP-style delivery at 17135 SMTP time with the smtpd_command_filter feature. Files: 17136 proto/VERP_README.html, proto/postconf.proto. 17137 17138 Feature: TLS certificate public-key fingerprint matching 17139 (SMTP server and client), and TLS logging cleanup. Victor 17140 Duchovni. Files: proto/SMTPD_POLICY_README.html, 17141 proto/TLS_README.html, proto/postconf.proto, global/mail_proto.h, 17142 smtpd/smtpd_check.c, tls/tls.h, tls/tls_client.c, tls/tls_misc.c, 17143 tls/tls_proxy_print.c, tls/tls_proxy_scan.c, tls/tls_server.c, 17144 tls/tls_stream.c, tls/tls_verify.c. 17145 17146 Documentation: complete list of "make makefiles" overrides. 17147 File: proto/INSTALL.html. 17148 17149 Cleanup: postscreen now logs more than the first word of 17150 non-SMTP commands. File: postscreen/postscreen_smtpd.c. 17151 1715220111124 17153 17154 Cleanup: eliminated false postconf "unused parameter" 17155 warnings with legacy parameters such as $virtual_maps, and 17156 with non-default parameter values for smtpd_expansion_filter 17157 that can contain legitimate "$" without a macro name. 17158 17159 Cleanup: split postconf source into separate modules. 17160 Files: postconf/postconf.c, postconf/postconf_builtin.c, 17161 postconf/postconf_edit.c, postconf/postconf_main.c, 17162 postconf/postconf_master.c, postconf/postconf_misc.c, 17163 postconf/postconf_node.c, postconf/postconf_other.c, 17164 postconf/postconf_service.c postconf/postconf_unused.c, 17165 postconf/postconf_user.c, postconf/postconf.h. 17166 1716720111126 17168 17169 Bitrot: changes in error reporting to the under-documented 17170 OpenLDAP API. Problem reported by Quanah Gibson-Mount. Fix 17171 by Viktor Dukhovni. File: global/dict_ldap.c. 17172 17173 Cleanup: four-space indentation had become a tab character. 17174 Files: postconf/postconf.h, postconf/test20.ref, 17175 postconf/test21.ref. 17176 1717720111127 17178 17179 Cleanup: documented <transport>_suffix parameters that don't 17180 show in postconf command output of earlier Postfix versions. 17181 Files: proto/SMTPD_POLICY_README.html, proto/postconf.proto, 17182 proto/SCHEDULER_README.html. 17183 17184 Cleanup: added the pipe(8) delivery agent to the list of 17185 programs that implement transport_time_limit parameters. 17186 File: postconf/postconf_service.c, postconf/test6.ref, 17187 postconf/test22.ref. 17188 1718920111128 17190 17191 Feature: "postconf -C class,..." support to print parameters 17192 in one or more classes (builtin= built-in parameter names, 17193 service=service-defined parameter names, user=user-defined 17194 parameter names). Files: postconf/postconf.c, postconf/postconf.h, 17195 postconf_service.c, postconf/postconf_user.c. 17196 1719720111129 17198 17199 Cleanup: TLS logging level configuration. Files: 17200 global/mail_params.h, smtp/lmtp_params.c, smtp/smtp.c, 17201 smtp/smtp_params.c, smtp/smtp_proto.c, smtpd/smtpd.c, 17202 tls/tls.h, tls/tls_client.c, tls/tls_misc.c, tls/tls_server.c, 17203 tlsmgr/tlsmgr.c, tlsproxy/tlsproxy.c. 17204 1720520111203 17206 17207 Cleanup: time-dependent sender addresses of address 17208 verification probes. Specify an address_verify_sender_ttl 17209 value of several hours or more to frustrate address harvesting. 17210 Files: global/verify_sender_addr.[hc], smtpd/smtpd.c, 17211 smtpd/smtpd_check.c, verify/verify.c, proto/postconf.proto, 17212 proto/ADDRESS_VERIFICATION_README.html. 17213 1721420111204 17215 17216 Cleanup: removed the log_level arguments from tls_client_start() 17217 and tls_server_start() calls. This information is already 17218 given to tls_client_init() and tls_server_init(). Files: 17219 smtpd/smtpd.c, tlsproxy/tlsproxy.c, smtp/smtp_proto.c, 17220 tls/tls.h, tls/tls_client.c, tls/tls_server.c, tls/tls_misc.c. 17221 1722220111205 17223 17224 Documentation: made the postconf(5) manpage more precise 17225 in its use of "client" and "server"; reorganized the 17226 TLS_README presentation of client configuration so that 17227 most relevant information is presented earlier. Files: 17228 proto/postconf.proto, proto/TLS_README.html. 17229 17230 Bugfix: tlsproxy(8) stored TLS sessions with a serverID of 17231 "tlsproxy" instead of "smtpd", wasting an opportunity for 17232 session reuse. File: tlsproxy/tlsproxy.c. 17233 1723420111206 17235 17236 Documentation: removed descriptions of Postfix < 2.3 user 17237 interface from TLS_README. Users of earlier releases are 17238 referred to TLS_LEGACY_README. File: proto/TLS_README.html. 17239 1724020111207 17241 17242 Cleanup: tlsproxy(8) now receives the session cache serverID 17243 from its client (postscreen(8)). Files: global/mail_proto.h, 17244 postscreen/postscreen_starttls.c, tlsproxy/tlsproxy.[hc], 17245 tlsproxy_state.c. 17246 17247 Cleanup: the postscreen(8) daemon did not support a zero 17248 cache cleanup interval. This is needed for memcache support. 17249 File: postscreen/postscreen.c. 17250 17251 Bugfix (introduced: 20110227): null pointer bug while 17252 updating dictionary owner attributes, after reading an empty 17253 (database) configuration file. File: util/dict.c. 17254 1725520111208 17256 17257 Cleanup: db_common_parse_domain() could not be called without 17258 preceding db_common_parse() call. Files: global/db_common.[hc]. 17259 1726020111209 17261 17262 Feature: memcache client support. This implementation is 17263 based on the under-documented libmemcache library, and 17264 therefore supports only libmemcache version 1.4.0. Files: 17265 conf/postfix-files, global/dict_memcache.[hc], global/mail_dict.c, 17266 html/index.html, mantools/postlink, postconf/postconf.c, 17267 postfix/postfix.c, proto/DATABASE_README.html, 17268 proto/MEMCACHE_README.html, proto/memcache_table. 17269 1727020111209 17271 17272 Cleanup: support for scripted and manual database tests with 17273 LDAP, *SQL, and memcache. Files: util/dict_test.c, util/dict.c, 17274 global/mail_dict.c. 17275 17276 Workaround: apparently, some distributions use Postfix 17277 shared libraries without proper so-number versioning. This 17278 causes programs to fail mysteriously, after an update 17279 replaces the Postfix library but not the program (someone 17280 experienced this with an extra copy of the Postfix SMTP 17281 server). Files: global/mail_version.[hc], master/*server.c, 17282 master/master.c, src/postalias/postalias.c, 17283 src/postdrop/postdrop.c, src/postfix/postfix.c, 17284 src/postlog/postlog.c, src/postmap/postmap.c, 17285 src/postmulti/postmulti.c, src/postqueue/postqueue.c, 17286 src/postsuper/postsuper.c, src/sendmail/sendmail.c. 17287 1728820111211 17289 17290 Feature: first/next (sequence) support in the proxymap 17291 protocol. This is needed for cache cleanup of a proxied 17292 postscreen or verify persistent cache. Files: 17293 global/dict_proxy.[hc], proxymap/proxymap.c. 17294 17295 Feature: memcache client support without libmemcache 17296 dependencies. Files: global/memcache_proto.[hc], 17297 global/dict_memcache.c. 17298 17299 Bugfix: missing lookup table entry and terminator, causing 17300 proxymap(8) server segfault when postscreen(8) or verify(8) 17301 attempted to access their cache via the proxymap(8) server. 17302 This could never have worked anyway, because the Postfix 17303 proxymap protocol did not support cache cleanup. File 17304 util/dict.c. 17305 17306 Feature: support for persistent backup database in the 17307 memcache client. The database can be shared with the proxymap 17308 service, but it needs to be listed as "proxy:maptype:mapname" 17309 in the proxy_read_maps or proxy_write_maps parameter value 17310 (depending on whether the access is read-only or read-write). 17311 Support for proxymap-over-tcp (proxy:maptype:mapname@host:port) 17312 is under development. File: global/dict_memcache.c. 17313 1731420111214 17315 17316 Documentation: updated the submission and smtps examples 17317 in the sample master.cf file, so that their logging is 17318 easier to recognize. File: conf/master.cf. 17319 1732020111215 17321 17322 Documentation: use different hosts to separate MUA "port 17323 25" traffic from the "port 25" MX service. Files: 17324 postscreen/postscreen.c, proto/POSTSCREEN_README.html. 17325 1732620111216 17327 17328 Cleanup: the proxymap client did not correctly propagate 17329 the "open_lock" flag, causing the proxymap service to open 17330 postscreen(8) and verify(8) caches twice, instead of once. 17331 File: global/dict_proxy.c. 17332 17333 Cleanup: the verify and postscreen caches were not listed 17334 as "authorized" for access via the proxywrite service. File: 17335 global/mail_params.h. 17336 17337 Refactoring: the postscreen permanent access list code is 17338 now a library module, so that it can be also used for remote 17339 access to the proxymap server. Files: global/server_acl.[hc]. 17340 17341 Hardening: read/write deadlines, to make the proxymap server 17342 suitable for remote access. File: proxymap/proxymap.c. 17343 1734420111217 17345 17346 Cleanup: more orthogonal definition of when the proxymap 17347 server can/cannot share a single map instance among multiple 17348 requestors, and corresponding code cleanup in the proxymap 17349 client and server. Files: util/dict.h, util/dict_test.c, 17350 global/dict_proxy.c, proxymap/proxymap.c. 17351 17352 Human factors: the postscreen/verify cache manager now logs 17353 the full database name including the proxy: prefix, to avoid 17354 WTF surprises. File: util/dict_cache.c. 17355 1735620111218 17357 17358 Cleanup: more configurable memcache client error handling. 17359 Files: global/dict_memcache.c, proto/memcache_table. 17360 17361 Feature: the Postfix SMTP server XCLIENT command now supports 17362 the LOGIN attribute (e.g., login information from nginx). 17363 Based on the nginx:xclient-login-patch from citrin.ru (Anton 17364 Yuzhis). The patch was further enhanced to support SASL 17365 login information everywhere in the Postfix SMTP server 17366 without having to specify "smtpd_sasl_auth_enable = yes" 17367 in main.cf. Files: smtpd.[hc], smtpd_sasl_glue.[hc], 17368 smtpd_check.c, smtpd_sasl_proto.[hc], smtpd_state.c, 17369 proto/XCLIENT_README.html. 17370 17371 Incompatibility: the Postfix SMTP server now always checks 17372 the smtpd_sender_login_maps table, even without having 17373 "smtpd_sasl_auth_enable = yes" in main.cf. 17374 1737520111219 17376 17377 Cleanup: the match_list-based primitives now provide an 17378 option to return an error result instead of terminating the 17379 process with a fatal error. Files: util/match_ops.[hc], 17380 util/match_list.c, global/addr_list_match.c, domain_list.c, 17381 string_list.c, namadr_list.c. 17382 17383 Cleanup: a "fail:" database type that reliably fails all 17384 requests. The lookup table name specifies the internal error 17385 result code. having this table facilitates a systematic 17386 review of all Postfix table lookup error handling. 17387 17388 Cleanup: trivial-rewrite now "catches" errors with implicit 17389 database lookups in virtual_alias_domains, relay_domains, 17390 virtual_mailbox_domains, just like it already caught explicit 17391 database lookup errors. This means there are fewer occasions 17392 where trivial-rewrite clients will appear to hang. File: 17393 trivial-rewrite/resolve.c. 17394 17395 Cleanup: a broken relay_domains table would cause many 17396 Postfix processes to terminate with fatal error as they 17397 initialized the flush() client (used by defer_append() 17398 etc.). Postfix now logs a warning instead. File: 17399 global/flush_clnt.c. 17400 17401 Cleanup: the Postfix SMTP server now "catches" errors with 17402 implicit database lookups in mynetworks, TLS client certificate 17403 tables, and local_header_rewrite_clients, and reports "server 17404 configuration error" or "table lookup error" instead of 17405 terminating with a fatal error. This is work in progress; 17406 errors with opening a database may be covered later. Files: 17407 smtpd/smtpd.c, smtpd/smtpd_check.c. 17408 1740920111220 17410 17411 Cleanup: the Postfix SMTP server now "catches" errors with 17412 implicit database lookups in mynetworks, debug_peer_list, 17413 smtpd_client_event_limit_exceptions, permit_mx_backup_networks. 17414 This continues work started 20111219, and does not cover 17415 errors with opening a database. Files: smtpd/smtpd.c, 17416 smtpd/smtpd_checks.c, smtpd/smtpd_error.in, smtpd/smtpd_error.ref. 17417 17418 Cleanup: memory leak testing of error handling. File: 17419 util/name_mask.c. 17420 1742120111222 17422 17423 Cleanup: memory leak testing of error handling. File: 17424 util/name_mask.c. 17425 17426 Cleanup: simplified the match_list error reporting, thereby 17427 reducing the footprint of the changes to "catch" errors 17428 with implicit database lookups in mynetworks, and other 17429 lists. Files: util/match_ops.[hc], util/match_list.c, 17430 global/addr_list_match.c, domain_list.c, string_list.c, 17431 namadr_list.c, trivial-rewrite/resolve.c, smtpd/smtpd.c, 17432 smtpd/smtpd_check.c, global/flush_clnt.c, flush/flush.c. 17433 1743420111224 17435 17436 Cleanup: eliminated the global dict_errno variable that 17437 made error reporting convenient but not necessarily precise. 17438 This was a straightforward change except in the few modules 17439 that propagate errors from one dictionary API to another: 17440 dict_cache.c, dict_debug.c, maps.c, dict_memcache.c. Files: 17441 src/cleanup/cleanup_map11.c, src/cleanup/cleanup_map1n.c, 17442 src/global/addr_match_list.c, src/global/dict_ldap.c, 17443 src/global/dict_memcache.c, src/global/dict_mysql.c, 17444 src/global/dict_pgsql.c, src/global/dict_proxy.c, 17445 src/global/dict_sqlite.c, src/global/domain_list.c, 17446 src/global/flush_clnt.c, src/global/mail_addr_find.c, 17447 src/global/mail_addr_map.c, src/global/maps.c, src/global/maps.h, 17448 src/global/match_parent_style.h, src/global/namadr_list.c, 17449 src/global/resolve_local.c, src/global/resolve_local.h, 17450 src/global/server_acl.c, src/global/string_list.c, 17451 src/local/alias.c, src/local/bounce_workaround.c, 17452 src/local/mailbox.c, src/local/unknown.c, src/proxymap/proxymap.c, 17453 src/qmqpd/qmqpd.c, src/smtp/smtp_map11.c, src/smtpd/smtpd_check.c, 17454 src/trivial-rewrite/resolve.c, src/trivial-rewrite/transport.c, 17455 src/util/dict.h, src/util/dict_alloc.c, src/util/dict_cache.c, 17456 src/util/dict_cidr.c, src/util/dict_db.c, src/util/dict_debug.c, 17457 src/util/dict_env.c, src/util/dict_fail.c, src/util/dict_ht.c, 17458 src/util/dict_pcre.c, src/util/dict_regexp.c, 17459 src/util/dict_static.c, src/util/dict_tcp.c, src/util/dict_test.c, 17460 src/util/dict_thash.c, src/util/dict_unix.c, src/util/match_list.c, 17461 src/util/match_list.h, src/util/match_ops.c, src/virtual/mailbox.c. 17462 1746320111226 17464 17465 Bugfix (introduced 20110426): after lookup error with 17466 mailbox_transport_maps, mailbox_command_maps or 17467 fallback_transport_maps, the local delivery agent did not 17468 log the problem before deferring mail, and produced no defer 17469 logfile record. Files: local/mailbox.c, local/unknown.c. 17470 1747120120102 17472 17473 Workaround: degrade gracefully when the network protocols 17474 specified with inet_protocols are unavailable. Files: 17475 global/mail_params.c, global/mynetworks.c, global/own_inet_addr.c 17476 master/master_ent.c, master/master_vars.c, postscreen/postscreen.c, 17477 qmqpd/qmqpd.c, smtp/smtp_connect.c, smtpd/smtpd.c, 17478 util/inet_proto.c. 17479 1748020120107 17481 17482 Workaround: degrade gracefully when the "domain" feature 17483 of LDAP, *SQL and memcache databases has a table lookup 17484 problem. Files: global/db_common.c, global/dict_ldap.c, 17485 global/dict*sql*.c, global/dict_memcache.c. 17486 17487 Cleanup: fixed memcache client error handling for things 17488 that never happen. global/dict_memcache.c. 17489 17490 Future proofing: prepare postmap/postalias error logging 17491 for future changes to database code. Files: postalias/postalias.c, 17492 postmap/postmap.c. 17493 1749420120108 17495 17496 Cleanup: the postscreen(8) and verify(8) cache managers log 17497 warnings at a reduced rate of one per second per cache 17498 operation, to avoid logging large numbers of warnings about 17499 a problem with low-value information. File: util/msg_rate_delay.c, 17500 util/dict_cache.c. 17501 1750220120110 17503 17504 Cleanup: added logging for failed table lookups, and replaced 17505 some "fatal" errors by warnings. Files: cleanup/cleanup_addr.c, 17506 cleanup/cleanup_message.c, cleanup/cleanup_milter.c, 17507 cleanup/cleanup_masquerade.c, global/header_body_checks.c, 17508 global/smtp_stream.c, postscreen/postscreen_dnsbl.c, 17509 postscreen/postscreen_smtpd.c, smtp/smtp_chat.c, 17510 smtp/smtp_proto.c, smtp/smtp_sasl_auth_cache.c, 17511 smtp/smtp_sasl_glue.c, smtp/smtp_session.c, smtp/smtp_trouble.c, 17512 smtpd/smtpd.c, smtpd/smtpd_check.c. 17513 1751420120114 17515 17516 Cleanup: gradual degradation after database file open errors. 17517 Instead of terminating immediately with a "fatal" error, a 17518 Postfix daemon logs an error and continues execution with 17519 reduced functionality. In other words, features that don't 17520 depend on the unavailable table will keep working. However, 17521 for the sake of sanity, the number of such errors over the 17522 life of a process is limited to 13. Files: 17523 src/global/cfg_parser.c, src/util/dict_thash.c, 17524 src/util/dict_cidr.c, src/util/dict_nis.c, src/util/dict_nisplus.c, 17525 src/global/dict_ldap.c, src/global/dict_mysql.c, 17526 src/global/dict_pgsql.c, src/global/dict_sqlite.c, 17527 src/postconf/postconf_main.c, src/global/mail_conf.c, 17528 src/util/dict.h, src/util/dict.c, src/global/dict_memcache.c, 17529 src/util/dict_tcp.c, src/util/dict_unix.c, src/util/dict_pcre.c, 17530 src/util/dict_regexp.c, src/master/trigger_server.c, 17531 src/master/single_server.c, src/master/multi_server.c, 17532 src/master/event_server.c, src/util/dict_test.c, 17533 src/util/dict_surrogate.c, src/util/dict_alloc.c, src/util/msg.c, 17534 src/util/dict_cdb.c, src/util/dict_dbm.c, src/util/msg.h, 17535 src/util/dict_db.c. 17536 17537 Incompatibility: the Postfix SMTP server no longer reports 17538 transcripts of sessions where a client command is rejected 17539 because a table is unavailable. To receive such reports, 17540 add the new "data" class to the notify_classes parameter 17541 value. The reports will be sent to the error_notice_recipient 17542 address as before. This class is also used by the Postfix 17543 SMTP client to report about sessions that fail because a 17544 table is unavailable. Files: global/mail_error.[hc], 17545 smtpd/smtpd_check.c, smtp/smtp_trouble.c. 17546 1754720120115 17548 17549 Fine tuning: SMTP server error messages. File: smtpd/smtpd.c. 17550 17551 Fine tuning: documentation. Files: proto/MEMCACHE_README.html. 17552 proto/memcache_table.html. 17553 17554 Apply "gradual degradation" also when an unsupported database 17555 *type* is specified. File: util/dict_open.c. 17556 17557 Cleanup: tiny memory leaks after surrogate database opens. 17558 Files: util/dict_cidr.c, util/dict_db.c. 17559 1756020120117 17561 17562 Cleanup: support for legacy-style database configuration 17563 where parameter names are generated by appending suffixes 17564 to the database name. Files: postconf/postconf_dbms.c. 17565 17566 Other: build without Berkeley DB support (make makefiles 17567 "CCARGS=$CCARGS -DNO_DB"). Files: makedefs, util/sys_defs.h, 17568 proto/DB_README.html, proto/INSTALL.html. 17569 1757020120120 17571 17572 Compatibility: added file pflogsumm_quickfix.txt with quick 17573 patches for pflogsumm that handle the new default master.cf 17574 entries for the submission and smtps services. 17575 1757620120121 17577 17578 Cleanup: getopt(3) compatibility in the postconf(1) master.cf 17579 parser. Process "--" as the end-of-options indicator, and 17580 process "-oname=value" as "-o name=value". Files: 17581 util/argv.[hc], postconf/postconf_master.cf, 17582 postconf/postconf_user.c. 17583 1758420120122 17585 17586 Workaround: log a warning and suggested solution for common 17587 stat()/fstat()/lstat() problems caused by 32-bit overflow. 17588 This is a real stinker that causes Postfix to fail without 17589 any prior warning. File: util/warn_stat.[hc], and everything 17590 that directly calls stat(), fstat() or lstat(). 17591 1759220120127 17593 17594 Bugfix (introduced: Postfix 2.8): the Postfix client sqlite 17595 quoting routine returned the unquoted result instead of the 17596 quoted text. The opportunities for misuse are limited, 17597 because Postfix sqlite files are usually owned by root, and 17598 Postfix daemons usually run with non-root privileges so 17599 they can't corrupt the database. Problem reported by Rob 17600 McGee (rob0). File: global/dict_sqlite.c. 17601 1760220120130 17603 17604 Bugfix (introduced: Postfix 2.3): the trace service did not 17605 distinguish between DSN SUCCESS notifications for a non-bounce 17606 or a bounce message. This code pre-dates DSN support and 17607 should have been updated when it was re-purposed to handle 17608 DSN SUCCESS notifications. Problem reported by Sabahattin 17609 Gucukoglu. File: bounce/bounce_trace_service.c. 17610 1761120120202 17612 17613 Bugfix (introduced: Postfix 2.3): the "change header" milter 17614 request could replace the wrong header. A long header name 17615 could match a shorter one, because a length check was done 17616 on the wrong string. Reported by Vladimir Vassiliev. File: 17617 cleanup/cleanup_milter.c. 17618 1761920120214 17620 17621 Bugfix (introduced: Postfix 2.4): extraneous null assignment 17622 caused core dump when postlog emitted the "usage" message. 17623 Reported by Kant (fnord.hammer). File: postlog/postlog.c. 17624 1762520120217 17626 17627 Bugfix (introduced 20111219): sendmail -bs segfault, due 17628 to a missing guard statement after an smtpd_check_rewrite() 17629 call was moved closer to the command processor loop. Fix 17630 by Bartek Szady. File: smtpd/smtpd.c. 17631 1763220120220 17633 17634 Cleanup: documentation of how to use only system-supplied 17635 certificates with *CAfile and *CApath. File: proto/postconf.proto. 17636 17637 Cleanup: documentation of smtp_sasl_mechanism_filter. File: 17638 proto/postconf.proto. 17639 1764020120222 17641 17642 Cleanup: when multiple DNSBLs block an SMTP client, the 17643 postscreen "reject" message now gives credit to the DNSBL 17644 with the largest weight, instead of the DNSBL that replies 17645 first. File: postscreen/postscreen_dnsbl.c. 17646 17647 Cleanup: memcache_table(5) manpage. File proto/memcache_table. 17648 1764920120225 17650 17651 Cleanup: eliminated the build-time Perl dependency. File: 17652 bounce/annotate.sh. 17653 17654 Cleanup: when -DNO_DB support was added, the makedefs script 17655 was not updated to skip the Linux Berkeley DB tests. 17656 17657 FreeBSD9 is now a supported platform. Files: makedefs, 17658 util/sys_defs.h. 17659 1766020120226 17661 17662 Cleanup: documentation in postfix-install. 17663 1766420120229 17665 17666 Feature: smtpd_log_access_permit_actions to enable logging 17667 of specific permit-like actions in Postfix SMTP server 17668 access lists. Files: mantools/postlink, proto/postconf.proto, 17669 global/mail_params.h, smtpd/smtpd.c, smtpd/smtpd_check.c. 17670 1767120120306 17672 17673 To improve the interaction with start-up scripts, "postfix 17674 start" now waits for master daemon process initialization 17675 to complete, and returns a non-zero exit status if daemon 17676 initialization failed or if it did not complete in a 17677 reasonable amount of time. This involves a new "-w" master 17678 option. Files: conf/postfix-script, master/master.c, 17679 master/master.h. master/master_monitor.c. 17680 1768120120307 17682 17683 postconf -X option to exclude parameters from main.cf 17684 (require two-finger action, because this is irreversible). 17685 Files: postconf/postconf.[hc], postconf/postconf_edit.c. 17686 1768720120317 17688 17689 Feature: Sendmail-style socketmap. Files: util/dict_sockmap.[hc], 17690 util/netstring.[hc], proto/DATABASE_README.html, 17691 postconf/postconf.c. 17692 1769320120330 17694 17695 Workaround: specify "\c" at the start of an smtpd_reject_footer 17696 template to suppress the line break between the reply text 17697 and the footer text. Files: global/smtp_reply_footer.c, 17698 proto/postconf.proto. 17699 1770020120401 17701 17702 Bugfix (introduced Postfix 2.6): irrelevant memory leak 17703 that was introduced with postconf -#. File: 17704 postconf/postconf_edit.c. 17705 17706 Bitrot: shut up useless warnings about Cyrus SASL call-back 17707 function pointer type mis-matches. Files: xsasl/xsasl_cyrus.h, 17708 xsasl/xsasl_cyrus_server.c, xsasl/xsasl_client.c. 17709 1771020120404 17711 17712 Cleanup: added smtpd_sender_login_maps to the default 17713 proxy_read_maps value. Files: global/mail_params.h, 17714 proxymap/proxymap.c. 17715 17716 Cleanup: weed out stale TODO's from the WISHLIST, and moved 17717 some CYA text from WISHLIST into the code. Files: WISHLIST, 17718 smtpd/smtpd_proxy.c. 17719 1772020120407 17721 17722 Bugfix (introduced: 20120330): don't replace <reply-code> 17723 <space> by <reply-code> <hyphen> when a reply footer starts 17724 with \c and contains no \n. File: global/smtp_reply_footer.c. 17725 1772620120422 17727 17728 Bit-rot: OpenSSL 1.0.1 introduces new protocols. Update the 17729 known TLS protocol list so that protocols can be turned off 17730 selectively to work around implementation bugs. Based on 17731 a patch by Victor Duchovni. Files: proto/TLS_README.html, 17732 proto/postconf.proto, tls/tls.h, tls/tls_misc.c, tls/tls_client.c, 17733 tls/tls_server.c. 17734 1773520120425 17736 17737 Workaround: bugs in 10-year old gcc versions break compilation 17738 with #ifdef inside a macro invocation (NOT: definition). 17739 Files: tls/tls.h, tls/tls_client.c, tls/tls_server.c. 17740 1774120120426 17742 17743 Bugfix (introduced Postfix 2.9): the postconf command flagged 17744 parameters defined in master.cf as "unused" when they were 17745 used only in main.cf. Problem reported by Michael Tokarev. 17746 Files: postconf/postconf_user.c, postconf/test4b.ref, 17747 postconf Makefile.in. 17748 1774920120513 17750 17751 Cleanup: report both the first and last line number when a 17752 malformed main.cf entry spans multiple lines, instead of 17753 reporting the last line number only. File: util/dict.c, 17754 util/line_number.[hc]. 17755 1775620120516 17757 17758 Workaround: apparently, FreeBSD 8.3 kqueue notifications 17759 sometimes break when a dnsblog(8) process loses an accept() 17760 race on a shared socket, resulting in repeated "connect to 17761 private/dnsblog service: Connection refused" warnings. This 17762 condition is unique to dnsblog(8). The postscreen(8) daemon 17763 closes a postscreen-to-dnsblog connection as soon as it 17764 receives a dnsblog(8) reply, resulting in hundreds or 17765 thousands of connection requests per second. All other 17766 multi-server daemons such as anvil(8) or proxymap(8) have 17767 connection lifetimes ranging from 5s to 1000s depending on 17768 server load. The workaround is for dnsblog to use the 17769 single_server driver instead of the multi_server driver. 17770 This one-line code change eliminates the accept() race 17771 without any Postfix performance impact. Problem reported 17772 by Sahil Tandon. File: dnsblog/dnsblog.c. 17773 17774 Logging: postscreen now logs a warning when a dnsblog(8) 17775 request takes longer than the hard-coded time limit of 10s. 17776 File: postscreen/postscreen_dnsbl.c. 17777 1777820120517 17779 17780 Workaround: to avoid crashes when the OpenSSL library is 17781 updated without "postfix reload", the Postfix TLS session 17782 cache ID now includes the OpenSSL library version number. 17783 Note: this problem cannot be fixed in tlsmgr(8). Code by 17784 Victor Duchovni. Files: tls/tls_server.c, tls_client.c. 17785 1778620120520 17787 17788 Bugfix (introduced Postfix 2.4): the event_drain() function 17789 was comparing bitmasks incorrectly causing the program to 17790 always wait for the full time limit. This error affected 17791 the unused postkick command, but only after s/fifo/unix/ 17792 in master.cf. File: util/events.c. 17793 17794 Cleanup: laptop users have always been able to avoid 17795 unnecessary disk spin-up by doing s/fifo/unix/ in master.cf 17796 (this is currently not supported on Solaris systems). 17797 However, to make this work reliably, the "postqueue -f" 17798 command must wait until its requests have reached the pickup 17799 and qmgr servers before closing the UNIX-domain request 17800 sockets. Files: postqueue/postqueue.c, postqueue/Makefile.in. 17801 1780220120522 17803 17804 Robustness: set LC_ALL=C in post-install to avoid surprises 17805 when parsing output from Postfix or non-Postfix commands. 17806 File: postfix-install. 17807 1780820120611 17809 17810 Bugfix (introduced: 20031216-21): with soft_bounce=yes, the 17811 SMTP client did not move on to the next MX host or fallback 17812 relay after a 5xx reply. File: smtp/smtp_trouble.c. 17813 1781420120527-8 17815 17816 Infrastructure: limited support to shrink VSTREAM buffers. 17817 The change takes place when reading from (a stream for the 17818 first time | an empty buffer) or when writing to (a stream 17819 for the first time | a full buffer). TODO: the change should 17820 also happen after purging or flushing a buffer. File: 17821 util/vstream.c. 17822 1782320120531-617 17824 17825 Feature: haproxy support in postscreen(8) and smtpd(8). To 17826 enable, specify "smtpd_upstream_proxy_protocol = haproxy" 17827 or "postscreen_upstream_proxy_protocol = haproxy". Files: 17828 mantools/postlink, proto/postconf.proto, global/Makefile.in, 17829 global/haproxy_srvr.c, global/haproxy_srvr.h, global/mail_params.h, 17830 global/mail_proto.h, master/single_server.c, master/multi_server.c, 17831 master/event_server.c, postscreen/Makefile.in, 17832 postscreen/postscreen.c, postscreen/postscreen.h, 17833 postscreen/postscreen_endpt.c, postscreen/postscreen_haproxy.c, 17834 postscreen/postscreen_haproxy.h, postscreen/postscreen_send.c, 17835 postscreen/postscreen_state.c, smtpd/Makefile.in, smtpd/smtpd.h, 17836 smtpd/smtpd_peer.c, smtpd/smtpd_sasl_glue.c, smtpd/smtpd_haproxy.c, 17837 util/Makefile.in, util/listen.h, util/recv_pass_attr.c, 17838 util/stream_listen.c, util/sys_defs.h, util/unix_pass_listen.c. 17839 1784020120618 17841 17842 Cleanup: made the postscreen-to-smtpd haproxy attribute 17843 transmission more robust for Solaris. Files: util/sys_defs.h, 17844 util/connect.h, util/steam_listen.c, postscreen/postscreen_send.c. 17845 17846 Cleanup: simplified the "stream used" workaround. Files: 17847 util/vstream.h, master/event_server.c, master/multi_server.c. 17848 1784920120621 17850 17851 Cleanup: simplified workarounds for Solaris streams versus 17852 UNIX-domain sockets. Files: util/pass_accept.c (new), 17853 util/pass_trigger.c (new), util/stream_pass_connect.c 17854 (deleted), util/unix_pass_listen.c (deleted), 17855 util/unix_pass_trigger.c (deleted), updated header files, 17856 and replaced PASS_XXX macros by pass_xxx function calls. 17857 17858 Cleanup: don't clobber errno when logging a problem. 17859 File util/msg_output.c. 17860 1786120120627 17862 17863 Bugfix (introduced: 20120531-617): in the postscreen module 17864 for HAproxy sypport, a VSTREAM buffer size request was not 17865 LP64-clean. File: postscreen/postscreen_haproxy.c. 17866 17867 Cleanup: avoid single-character reads in the postscreen 17868 HAproxy module. File: postscreen/postscreen_haproxy.c. 17869 1787020120628 17871 17872 Workaround: heuristic to detect missing (ssize_t) type-cast 17873 in VSTREAM buffer size requests. File: util/vstream.c. 17874 1787520120629 17876 17877 Workaround: "sendmail -bl" emulation. File: sendmail/sendmail.c. 17878 1787920120630 17880 17881 Cleanup: sub-optimal hash performance on systems where the 17882 "char" type is signed. Files: util/htable.c, util/binhash.c. 17883 1788420120702 17885 17886 Bugfix (introduced: 19990127): the BIFF client leaked an 17887 unprivileged UDP socket. Fix by Jaroslav Skarvada. File: 17888 local/biff_notify.c. 17889 1789020120713 17891 17892 Bugfix (introduced: 20120527-8): infrastructure to specify 17893 a smaller-than-default VSTREAM buffer, without the complex 17894 run-time checks. File: util/vstream.c, vstream_tweak.c. 17895 1789620120714 17897 17898 Cleanup: semantics of requests to query or modify the VSTREAM 17899 buffer size that will be used with the next read(2) or 17900 write(2) operation. Files: util/vstream.c, util/vstream.h, 17901 util/vstream_tweak.c. 17902 1790320120717 17904 17905 Documentation: update to RFC5321. 17906 1790720120730 17908 17909 Bugfix (introduced: 20000314): AUTH is not allowed after 17910 MAIL. Timo Sirainen. Files: smtpd/smtpd.c, smtpd/smtpd.h, 17911 smtpd/smtpd_sasl_proto.c. 17912 1791320120801 17914 17915 Documentation: point of what virtual_xxx parameters are 17916 specific to the virtual(8) delivery agent, and will have 17917 no effect when mail is delivered with a different program. 17918 Files: proto/postconf.proto, proto/VIRTUAL_README.html. 17919 1792020120824 17921 17922 Feature: support for "sendmail -R hdrs|full". Jan Kundr?t. 17923 File: sendmail/sendmail.c. 17924 1792520120902 17926 17927 Documentation: updated TUNING_README with new pointers to 17928 the STRESS_README and POSTSCREEN_README documents. Miscellaneous 17929 documentation clarifications based on postfix-users discussions. 17930 1793120120903 17932 17933 Bugfix (introduced 20120317): the socketmap client should 17934 not share unrelated client endpoint handles. File: 17935 util/dict_sockmap.c. 17936 1793720120907 17938 17939 Cleanup (for change 20120824): the DSN RET attribute should 17940 not be stored once per recipient. It is a message property 17941 just like DSN ENVID. File: sendmail/sendmail.c. 17942 1794320120911 17944 17945 Documentation: more explicit enumeration of what happens 17946 when setting a per-destination recipient limit value to 1. 17947 File: proto/postconf.proto. 17948 1794920120918 17950 17951 Documentation: clarified the bounce/queue_life-time parameter 17952 descriptions. File: proto/postconf.proto. 17953 1795420120920 17955 17956 Documentation: the postscreen_whitelist_interfaces parameter 17957 syntax was defined only by example. File: proto/postconf.proto. 17958 1795920120923 17960 17961 Infrastructure: cleaned up the support for database 17962 lock-on-open. This is needed for databases that are not 17963 multi-updater safe. Files: util/dict_alloc.c, util/dict.c, 17964 util/dict_open.c, util/dict.h. tls/tls_scache.c. 17965 1796620120924 17967 17968 Documentation: some people are read-challenged distribute 17969 their own incorrect understanding of master.cf syntax. 17970 File: proto/master. 17971 17972 Cleanup: don't emulate UNIX-domain sockets over FIFOs on 17973 Solaris systems less than 10 years old. This allows us to 17974 globally s/fifo/unix/ in master.cf. Files: makedefs, 17975 util/sys_defs.h. 17976 17977 Laptop-friendliness: avoid disk spin-up on idle systems by 17978 s/fifo/unix/ in master.cf. Files: conf/master.cf. 17979 1798020120928-30 17981 17982 Feature: smtpd_relay_restrictions, proposed long ago by 17983 Victor. The idea is to separate the mail relay policy from 17984 the spam blocking policy, so that a permissive spam blocking 17985 policy under smtpd_recipient_restrictions will no longer 17986 unexpectedly result in a permissive mail relay policy. 17987 17988 This involves a change in default settings. Similar to the 17989 way that local_recipient_maps was introduced, there is a 17990 safety net that prevents unexpected mail bounces when a 17991 site upgrades to Postfix 2.10 or later, and there is no 17992 change in documented smtpd_recipient_restrictions behavior. 17993 See the RELEASE_NOTES file for details. Files: 17994 global/mail_params.h, smtpd/smtpd.c, smtpd/smtpd_check.c, 17995 proto/postconf.proto, proto/SMTPD_ACCESS_README.html, 17996 mantools/postlink, conf/post-install, RELEASE_NOTES. 17997 1799820120931-1001 17999 18000 Documentation: updated the remainder of the README files 18001 and manual pages that discuss smtpd_recipient_restrictions. 18002 1800320121001 18004 18005 Cleanup: prepend 5.1.1 status code to "User unknown in 18006 virtual alias table". File: trivial-rewrite/resolve.c. 18007 1800820121003 18009 18010 Bugfix: the postscreen_access_list feature was case-sensitive 18011 in the first character of permit, reject, etc. Reported by 18012 Francis Picabia. File: global/server_acl.c. 18013 1801420121009 18015 18016 Documentation: interaction between delay_warning_time, 18017 notify_classes and delay_notice_recipient. File: 18018 proto/postconf.proto. 18019 1802020101009 18021 18022 Human factors: log a warning that the postcat option -m 18023 without -h or -b has no effect. File: postcat/postcat.c. 18024 1802520121010 18026 18027 Bugfix (introduced: Postfix 2.5): memory leak in program 18028 initialization. Reported by Coverity. File: tls/tls_misc.c. 18029 18030 Bugfix (introduced: Postfix 2.3): memory leak in the unused 18031 oqmgr program. Reported by Coverity. File: oqmgr/qmgr_message.c. 18032 1803320121011 18034 18035 Documentation: how to enable /etc/hosts multi-record lookups 18036 with main.cf settings. File: proto/LINUX_README.html. 18037 18038 Documentation: clarified the postscreen-tlsproxy interface. 18039 File: tlsproxy/tlsproxy.c. 18040 1804120121012 18042 18043 Documentation: a simpler null-client example. File: 18044 proto/STANDARD_CONFIGURATION_README.html 18045 1804620121013 18047 18048 Cleanup: to compute the LDAP connection cache lookup key, 18049 join the numeric fields with null, just like string fields. 18050 Viktor Dukhovni. File: global/dict_ldap.c. 18051 1805220121015 18053 18054 Documentation: added section on regular-expression tables 18055 to the aliases(5) manpage. File: proto/aliases. 18056 18057 Documentation: why "smtp_address_preference = any" is the 18058 preferred setting. File: proto/postconf.proto. 18059 1806020121022 18061 18062 Bugfix (introduced 20101009) don't complain about stray -m 18063 option if none of -[bhm] is specified. Ralf Hildebrandt. 18064 File: postmap/postmap.c. 18065 1806620121029 18067 18068 Workaround: strip datalink suffix from IPv6 addresses 18069 returned by the system getaddrinfo() routine. Such suffixes 18070 mess up the default mynetworks value, host name/address 18071 verification and possibly more. This change obsoletes the 18072 20101108 change that removes datalink suffixes in the SMTP 18073 and QMQP servers. Files: util/myaddrinfo.c, smtpd/smtpd_peer.c, 18074 qmqpd/qmqpd_peer.c. 18075 1807620121031 18077 18078 Bugfix: smtpd_relay_restrictions compatibility shim did not 18079 detect "empty" value. Sahil Tandon. The same problem existed 18080 with the inet_protocols shim. File: conf/post-install. 18081 1808220121105 18083 18084 Cleanup: the postscreen(8) "deep protocol" tests now log 18085 the SMTP command that precedes a protocol violation. Files: 18086 postscreen/postscreen_smtpd.c, proto/POSTSCREEN_README.html. 18087 18088 Bugfix (introduced: Postfix 1.1): wrong string termination 18089 when handling an MBOX From_ line at the start of a message. 18090 File: qmqpd/qmqpd.c. 18091 1809220121110 18093 18094 Cleanup: specify $(WARN) on the MacOS X compiler command 18095 line to suppress "nested comment" and possibly other unwanted 18096 warnings. Problem reported by Jim Reid. File: makedefs, 18097 Makefile.in. 18098 1809920121119 18100 18101 Documentation: added a note that key_format is required 18102 when postscreen(8) and verify(8) share the same memcache 18103 (with different persistent backup databases, or course) 18104 otherwise automatic cache cleanup breaks due to a name 18105 collision for the "last cache cleanup" database record. 18106 File: proto/memcache. 18107 1810820121122 18109 18110 Cleanup: the safety-check for smtpd_recipient_restrictions 18111 and smtpd_relay_restrictions now detects permit before 18112 reject. File: smtpd/smtpd_check.c. 18113 18114 Cleanup: the safety-check for smtpd_recipient_restrictions 18115 and smtpd_relay_restrictions is no longer case-sensitive. 18116 File: smtpd/smtpd_check.c. 18117 1811820121123 18119 18120 Cleanup: consistent escaping of commands in postscreen deep 18121 protocol test logging. File: postscreen/postscreen_smtpd.c. 18122 1812320121124 18124 18125 Documentation: the bounce behavior for automatically-added 18126 BCC recipients has changed with Postfix 2.3 when DSN support 18127 was introduced. File: proto/postconf.proto. 18128 1812920121203 18130 18131 Documentation: added explicit example for -o name=value. 18132 File: proto/master. 18133 1813420121210 18135 18136 Bugfix (introduced: Postfix 2.9) nesting count error while 18137 stripping the optional [] around a DNS[BW]L address pattern. 18138 This part of the code is not documented and had escaped 18139 testing. Files: util/ip_match.c, util/ip_match.in, 18140 util/ip_match.ref. 18141 1814220121215 18143 18144 Bugfix (introduced: 19980218, when recipient_delimiter 18145 support was added): The error message for unknown local 18146 users (or missing required aliases) should report the user 18147 name instead of the full localpart which may contain an 18148 address extension. Problem reported by Christian Holler. 18149 File: local/unknown.c. 18150 1815120121221 18152 18153 Feature: "postconf -x" support to expand $name in main.cf 18154 parameter values. Files: postconf/postconf_main.c, 18155 postconf/postconf.h, postconf/postconf_node.c, postconf/postconf.c. 18156 1815720121222 18158 18159 Feature: postconf support to warn about an attempt to modify 18160 a read-only parameter (process_name etc.) in main.cf or 18161 master.cf. Files: postconf/postconf_readonly.c, 18162 postconf/postconf_builtin.c. 18163 1816420121223 18165 18166 Feature: postconf support to warn about an undefined $name 18167 in a parameter value in main.cf or master.cf (except for 18168 backwards-compatibility parameters such as $virtual_maps) 18169 Files: postconf/postconf_user.c, postconf_dbms.c, 18170 postconf_builtin.c, util/dict_ht.c, util/htable.c. 18171 18172 Feature: "postconf -Mx" support to expand $name in master.cf 18173 parameter values. Files: postconf/postconf_master.c, 18174 postconf/postconf_lookup.c, postconf/postconf_main.c, 18175 postconf/postconf.c. 18176 1817720121224 18178 18179 Feature: "postconf -Mn" support to print only master.cf 18180 entries that have "-o name=value" parameter setttings. 18181 Files: postconf/postconf_master.c. 18182 1818320121226 18184 18185 Miscellaneous cleanups of postconf internal APIs, identifiers 18186 and comments. No changes in behavior. 18187 18188 Bugfix (omission in feature 20111203): the SMTP server only 18189 supported time-dependent address-verification sender addresses 18190 with RCPT TO but not with MAIL FROM. File: smtpd/smtpd.c. 18191 1819220121227 18193 18194 Feature: "postconf -o name=value" support to override main.cf 18195 settings (for example, "postconf -x -o stress=whatever" 18196 shows effective settings under overload). Files: 18197 postconf/postconf.c, postconf/postconf_main.c. 18198 1819920121230 18200 18201 Cleanup: postconf(1) master.cf options parser. Files: 18202 postconf/postconf_master.c, postconf/postconf_user.c. 18203 18204 Bugfix (omission in feature 20111106): the postconf(1) 18205 master.cf options parser didn't support "clusters" of 18206 command-line option letters. Files: postconf/postconf_master.c, 18207 postconf/test40.ref. 18208 1820920130105 18210 18211 Undo a change made around 20121224, and always whitelist 18212 configuration parameter names for legacy-style proxy:ldap:prefix 18213 etc. lookup tables. Files: postconf/postconf_dbms.c, 18214 postconf/test28.ref, postconf/test29.ref, postconf/Makefile.in. 18215 1821620130107 18217 18218 Factor out the master.cf line parser so that it can be 18219 reused for "postconf -Me". File: postconf/postconf_master.c. 18220 1822120130113 18222 18223 Feature: master.cf attribute namespace. "postconf -F" shows 18224 individual master.cf fields as "service/type/attribute = 18225 value", where attribute is "service", "type", "private", 18226 "unprivileged", "wakeup", "process_limit", or "command". 18227 1822820130121 18229 18230 Bugfix (introduced 20120307): the postconf -X option erased 18231 other options. File: postconf/postconf.c. 18232 1823320130131 18234 18235 Bugfix: the local(8) delivery agent dereferenced a null 18236 pointer while delivering to null command (for example, "|" 18237 in a .forward file). Reported by Gilles Chehade. 18238 1823920130203 18240 18241 Bugfix: the undocumented OpenSSL X509_pubkey_digest() 18242 function is unsuitable for computing certificate PUBLIC KEY 18243 fingerprints. Postfix now provides a correct procedure 18244 that accounts for the algorithm and parameters in addition 18245 to the key data. Specify "tls_legacy_public_key_fingerprints 18246 = yes" if you need backwards compatibility. Fix by Victor 18247 Duchovni, BC added by Wietse. Files: tls/tls_verify.c, 18248 tls/tls_misc.c, proto/TLS_README.html, global/mail_params.h. 18249 1825020130210 18251 18252 Bugfix: an error handler for smtp_tls_policy_maps lookups 18253 was never invoked. File: smtp/smtp_session.c. 18254 1825520130212 18256 18257 Cleanup: logfile message formatting (X: subject_CN=X, 18258 issuer_CN=X, fingerprint=X, pkey_fingerprint=X). File: 18259 tls/tls_client.c. 18260 1826120130315 18262 18263 Feature: LMDB (memory-mapped persistent file) support by 18264 Howard Chu. This implementation has unexpected failure modes 18265 that don't exist with other Postfix databases, so don't 18266 just yet abandon CDB. See LMDB_README for details. Files: 18267 proto/postconf.proto, proto/LMDB_README.html, 18268 proto/DATABASE_README.html, proto/INSTALL.html util/dict_lmdb.[hc], 18269 util/dict_open.c, global/mkmap_lmdb.[hc], global/mkmap_open.c, 18270 postconf/postconf.c. 18271 1827220130316 18273 18274 Cleanup: new Postfix dictionary API flag to control the use 18275 of (LMDB) bulk database transactions. With this, LMDB 18276 databases no longer fail to commit any transactions with 18277 tlsmgr(8), and LMDB databases no longer perform glacially 18278 slow with postmap -i/postalias -i. Files: util/dict.h, 18279 util/dict_lmdb.c, postmap/postmap.c, postalias/postalias.c. 18280 1828120130317 18282 18283 Debugging: generalized setting of dictionary API flags. 18284 File: util/dict.[hc], util/dict_test.c. 18285 18286 Robustness: Postfix programs can now recover from LMDB 18287 "database full" errors without requiring human intervention. 18288 When a program opens an LMDB file larger than lmdb_map_size/3, 18289 it logs a warning and uses a larger size limit instead. 18290 Files: util/dict_lmdb.c, proto/LMDB_README.html. 18291 1829220130318 18293 18294 Portability: botched #ifdef. File: util/dict_lmdb.c. 18295 1829620130319 18297 18298 Postfix support for LMDB databases is suspended due to the 18299 existence of a hard limit (an "out of storage" failure mode 18300 that cannot be resolved by increasing the database size). 18301 18302 Postfix may support LMDB again when it no longer limits the 18303 size of Postfix transactions, whether the limit is built 18304 into LMDB itself, or implicit by requiring an unbounded 18305 amount of memory to handle a large transaction. 18306 1830720130322 18308 18309 Documentation: smtp_skip_5xx_greeting wording updated to 18310 reflect text in RFC 2821, which appears to say that a 554 18311 greeting is not a hard delivery error (note that RFC 2821 18312 was published later than smtp_skip_5xx_greeting). File: 18313 proto/postconf.proto. 18314 1831520130324 18316 18317 Workaround: MacOS 10.8 (Darwin 12) getrlimit(RLIMIT_NOFILE) 18318 incorrectly reports that rlim_max, the hard limit on the 18319 number of open files per process, is equal to RLIM_INFINITY 18320 (i.e. no limit is enforced). In reality, setrlimit(RLIMIT_NOFILE) 18321 rejects requests where rlim_cur, the current limit, contains 18322 any value > kern.maxfilesperproc. Axel Luttgens. File: 18323 util/open_limit.c. 18324 18325 Portability: MacOS 10.8 (Darwin 12) kqueue support works. 18326 Axel Luttgens. Files: makedefs. 18327 1832820130324 18329 18330 Support for anonymous certificates. Viktor Dukhovni. File: 18331 tls/tls_verify.c. 18332 18333 Feature: support for DNSSEC-validated lookups and TLSA 18334 RRsets. Viktor Dukhovni. Files: dns/Makefile.in, dns/dns.h, 18335 dns/dns_lookup.c, dns/dns_rr.c, dns/dns_strtype.c, 18336 dns/test_dns_lookup.c, 18337 18338 Cleanup: the personality switch between "smtp" and "lmtp". 18339 This streamlines the switch in the SMTP/LMTP protocol, DNS 18340 MX lookups, and configuration parameter names in error 18341 messages. Viktor Dukhovni. Files: smtp/smtp.c, smtp/smtp.h, 18342 smtp/smtp_chat.c, smtp/smtp_connect.c, smtp/smtp_proto.c, 18343 smtp/smtp_rcpt.c, smtp/smtp_sasl_glue.c, smtp/smtp_sasl_proto.c, 18344 smtp/smtp_session.c, smtp/smtp_state.c. 18345 18346 Feature: replace disable_dns_lookups with smtp_dns_support_level, 18347 enable secure DNSSEC lookups in the Postfix SMTP client, 18348 and use the DNSSEC-validated remote SMTP server name to 18349 select the SMTP and TLS policies. Viktor Dukhovni. Files: 18350 dns/Makefile.in, dns/dns.h, dns/dns_lookup.c, dns/dns_rr.c, 18351 dns/dns_strtype.c, dns/test_dns_lookup.c. 18352 1835320130325 18354 18355 Portability: on MacOS X, use kqueue() for event handling 18356 but use select() instead of poll() for read/write timeouts 18357 (with a workaround to handle file decriptors >=FD_SETSIZE). 18358 Files: util/sys_defs.h, util/readable.c, util/writable.c, 18359 util/read_wait.c, util/write_wait.c. 18360 18361 Portability: support for NetBSD 5.x, NetBSD 6.x and DragonFly 18362 BSD. Viktor Dukhovni. Files: makedefs, util/sys_defs.h. 18363 1836420130326 18365 18366 Cleanup: new module that consolidates all system-dependent 18367 code to enforce read/write timeouts. This includes a final 18368 workaround for MacOS X that uses poll() first, and select() 18369 if that fails. This makes their /dev/urandom workaround 18370 unnecessary. Files: util/poll_fd.c, util/iostuff.h. Removed: 18371 util/readable.c, util/writable.c, util/read_wait.c, 18372 util/write_wait.c. 18373 18374 Cleanup: refactor TLS digest functions, improved signature 18375 for TLS session cache. Viktor Dukhovni. Files: smtp/smtp.c, 18376 smtp/smtp_proto.c, smtpd/smtpd.c, tls/Makefile.in, tls/tls.h, 18377 tls/tls_client.c, tls/tls_fprint.c, tls/tls_level.c, 18378 tls/tls_misc.c, tls/tls_server.c, tls/tls_verify.c, 18379 tlsproxy/tlsproxy.c. 18380 1838120130327 18382 18383 Cleanup: final polish for MacOSX workarounds; replaced 18384 #ifdef MacOSX by feature test as required by PORTING document. 18385 Files: util/poll_fd.c, util/open_limit.c. 18386 18387 Export tls_fprint() and tls_digest_encode() for use in DANE. 18388 Viktor Dukhovni. Files: tls/tls.h, tls/tls_fprint.c. 18389 1839020130331 18391 18392 Refactoring: TLS verification callback processing in 18393 preparation for DANE support. Viktor Dukhovni. Files: 18394 tls/tls.h, tls/tls_client.c, tls/tls_misc.c, tls/tls_verify.c. 18395 18396 Refactoring: split off SMTP client per-session TLS policy 18397 data and code in preparation for DANE support. Viktor 18398 Dukhovni. Files: smtp/Makefile.in, smtp/smtp.h, 18399 smtp/smtp_connect.c, smtp/smtp_proto.c, smtp/smtp_reuse.c, 18400 smtp/smtp_session.c, smtp/smtp_tls_sess.c. 18401 18402 Cleanup: "zero time limit" corner case in read_wait() and 18403 write_wait() emulation. Files: util/poll_fd.c, util/iostuff.h. 18404 1840520130401 18406 18407 Refactoring: allow smtp_session_alloc() to fail gracefully 18408 and report an error. 18409 1841020130403 18411 18412 Documentation: in smtpd.c, the comment that justifies the 18413 454 reply for "TLS unavailable" cited the wrong RFC. 18414 1841520130404 18416 18417 Human factors: warning when a main.cf parameter has multiple 18418 entries with different values. File: util/dict.c. 18419 1842020130405 18421 18422 Feature: the recipient_delimiter parameter can now specify 18423 a set of characters. A user name is now separated from its 18424 address extension by the first character that matches the 18425 recipient_delimiter set. Files: proto/postconf.proto, 18426 src/global/mail_addr_find.c, src/global/mail_params.c, 18427 src/global/split_addr.c, src/global/split_addr.h, 18428 src/global/strip_addr.c, src/global/strip_addr.h, 18429 src/global/strip_addr.ref, src/local/bounce_workaround.c, 18430 src/local/local.c, src/local/local_expand.c, src/local/recipient.c, 18431 src/local/resolve.c, src/oqmgr/qmgr_message.c, src/pipe/pipe.c, 18432 src/qmgr/qmgr_message.c, src/smtpd/smtpd.c, 18433 src/smtpd/smtpd_check.c, src/trivial-rewrite/transport.c, 18434 src/trivial-rewrite/trivial-rewrite.c. 18435 18436 Feature: support for trust anchors, i.e. CA certificates 18437 or public keys that will be used instead of conventional 18438 root certificates, and revised fingerprint support. This 18439 can be used by itself, and this provides support for an 18440 upcoming DANE implementation. Victor Duchovni. Files: 18441 mantools/postlink, proto/TLS_README.html, proto/postconf.proto, 18442 global/mail_params.h, smtp/lmtp_params.c, smtp/smtp.c, 18443 smtp/smtp.h, smtp/smtp_params.c, smtp/smtp_proto.c, 18444 smtp/smtp_session.c, smtp/smtp_state.c, smtp/smtp_tls_sess.c, 18445 tls/Makefile.in, tls/tls.h, tls/tls_client.c, tls/tls_dane.c, 18446 tls/tls_fprint.c, tls/tls_misc.c, tls/tls_verify.c, 18447 util/argv.c, util/argv.h. 18448 1844920130409 18450 18451 Documentation: pointers to other actions under "ACCEPT 18452 ACTIONS" and "REJECT ACTIONS". File: proto/access. 18453 1845420130410 18455 18456 Cleanup: more uniform permutation in dns_rr() by Victor 18457 Duchovni & Son. File: dns/dns_rr.c. 18458 1845920130411 18460 18461 Documentation: clarified text about result formats. Files: 18462 proto/canonical, proto/virtual. 18463 1846420130414 18465 18466 Cleanup: the SMTP client connection management code now 18467 maintains iterator state with a structure that contains 18468 next-hop, host name, address, port and other information. 18469 This iterator structure replaces random variables that were 18470 updated by add-hoc code, and replaces random function 18471 argument lists. The more structured approach is easier to 18472 maintain and has already paid off by exposing opportunities 18473 to improve SMTP connection cache usage. Wietse Venema. 18474 Files: smtp/smtp.h, smtp/smtp_connect.c, smtp/smtp_session.c, 18475 smtp_reuse.c. 18476 18477 Cleanup: eliminated minor false SMTP connection cache-sharing 18478 problems due to mis-aligned lookup keys for caches and 18479 lookup tables (for example some used the nexthop, and some 18480 the domain name). Information that is used in more than 18481 one lookup key is now generated by a centralized function. 18482 This replaces ad-hoc code in random places that was 18483 concatenating ad-hoc data to construct lookup keys. The 18484 more structured approach is easier to maintain and makes 18485 future cache-sharing issues easier to prevent. Wietse 18486 Venema. Files: smtp/smtp.h, smtp/smtp_connect.c, smtp_reuse.c, 18487 smtp_key.c, smtp_tls_sess.c. 18488 18489 Cleanup and fix of non-production code: the trust anchor-digest 18490 code and smtp_sess_tls_required() function. Victor Duchovni. 18491 Files: smtp/smtp_connect.c, smtp/smtp_proto.c, 18492 smtp/smtp_tls_sess.c, tls/tls.h, tls/tls_client.c, 18493 tls/tls_dane.c, tls/tls_level.c, tls/tls_verify.c. 18494 1849520130417 18496 18497 Cleanup and fix of non-production code: add the SASL 18498 credentials or absence thereof to the connection cache 18499 endpoint label; better reuse of SASL-authenticated connections 18500 over UNIX-domains sockets, however unlikely these may be; 18501 a first step towards refinement of connection cache lookup 18502 by IP address for plaintext or SASL-unauthenticated connections. 18503 Files: smtp/smtp.h smtp/smtp_connect.c, smtp/smtp_reuse.c, 18504 smtp/smtp_key.c, smtp/smtp_tls_sess.s. 18505 1850620130418 18507 18508 Cleanup: configurable field delimiter and optional "not 18509 available" field place holder for cache and table lookup 18510 keys; automatic base64 encoding for key fields that contain 18511 these. Files: smtp/smtp_key,c, smtp/smtp_reuse.c, 18512 smtp/smtp_proto.c, smtp/smtp_tls_sess.c. 18513 1851420130420-21 18515 18516 Documentation: "dane" TLS security level and parameters. 18517 Viktor Dukhovni. Files: mantools/postlink, proto/TLS_README.html, 18518 proto/postconf.proto. 18519 18520 Feature: implemented and enabled DNS-based DANE security 18521 level. Viktor Dukhovni. Files: global/mail_params.h, 18522 smtp/lmtp_params.c, smtp/smtp.c, smtp/smtp.h, smtp/smtp_params.c, 18523 smtp/smtp_proto.c, smtp/smtp_tls_sess.c, tls/tls.h, 18524 tls/tls_client.c, tls/tls_dane.c, tls/tls_fprint.c, 18525 tls/tls_level.c, tls/tls_misc.c, util/Makefile.in, 18526 util/ctable.c, util/ctable.h, util/timecmp.c, util/timecmp.h. 18527 18528 Cleanup: rename (unchanged) smtp_tls_sess.c to smtp_tls_policy.c. 18529 Viktor Dukhovni. Files: smtp/Makefile.in, smtp/smtp_tls_policy.c, 18530 smtp/smtp_tls_sess.c. 18531 18532 Portability: OpenSSL workarounds for versions before 0.9.7 18533 are removed from the source code. Viktor Dukhovni. Files: 18534 tls/tls.h, tls/tls_bio_ops.c, tls/tls_client.c. 18535 18536 Non-production fixes: when falling back from opportunistic 18537 TLS to plaintext, don't modify the cached TLS policy "retry 18538 as plaintext" and "level" members. Files: smtp/smtp_session.c. 18539 18540 Non-production fixes: move TLS policy lookup to the main 18541 connection iterator loop, so that the policy is known before 18542 attempting connection reuse and before SMTP connection 18543 creation. Temporarily link session->tls to state->tls. 18544 Files: smtp/smtp.h, smtp/smtp_connect.c, smtp/smtp_reuse.c, 18545 smtp/smtp_tls_policy.c. 18546 1854720130422 18548 18549 Feature: smtptls-finger test program for SMTP over TLS. 18550 Viktor Dukhovni. Files: Makefile.in, html/Makefile.in, 18551 man/Makefile.in, mantools/postlink, posttls-finger/.indent.pro, 18552 posttls-finger/Makefile.in, posttls-finger/posttls-finger.c, 18553 posttls-finger/tlsmgrmem.c, posttls-finger/tlsmgrmem.h, 18554 tls/tls.h, tls/tls_misc.c. 18555 1855620130423 18557 18558 Bugfix (introduced: Postfix 2.0): when myhostname is not 18559 listed in mydestination, the trivial-rewrite resolver may 18560 log "do not list <myhostname value> in both mydestination 18561 and <name of non-mydestination domain list>". The fix is 18562 to re-resolve a domain-less address after adding $myhostname 18563 as the surrogate domain, so that it pops out with the right 18564 address-class label. Problem reported by Quanah Gibson-Mount. 18565 File: trivial-rewrite/resolve.c. 18566 1856720130425 18568 18569 Non-production fixes: revert to using proxies (sender, 18570 nexthop, hostname) to distinguish between different SASL 18571 credentials for connections to the same IP address and port. 18572 Files: smtp/smtp.h smtp/smtp_connect.c, smtp/smtp_key.c. 18573 18574 Non-production cleanup: documentation, identifiers. Viktor 18575 Dukhovni. Files: proto/postconf.proto, src/dns/dns.h, 18576 src/dns/dns_lookup.c, src/dns/dns_rr.c, src/dns/test_dns_lookup.c, 18577 src/global/mail_proto.h, src/posttls-finger/posttls-finger.c, 18578 src/smtp/smtp.h, src/smtp/smtp_addr.c, src/smtp/smtp_connect.c, 18579 src/smtp/smtp_session.c, src/smtp/smtp_tls_policy.c, 18580 src/smtpd/smtpd_check.c, src/tls/tls.h, src/tls/tls_client.c, 18581 src/tls/tls_dane.c, src/tls/tls_fprint.c, src/tls/tls_misc.c, 18582 src/tls/tls_proxy_clnt.c, src/tls/tls_proxy_print.c, 18583 src/tls/tls_proxy_scan.c, src/tls/tls_server.c, 18584 src/tls/tls_verify.c. 18585 1858620130426 18587 18588 Non-production fixes: refinement of SASL-dependent context 18589 for connection-cache reuse, documentation. Viktor Dukhovni 18590 and Wietse Venema. Files: smtp/smtp.h, smtp/smtp_key.c, 18591 tls/tls_client.c. 18592 1859320130506 18594 18595 Non-production bugfix: macros must use distinct names for 18596 temporary variables, to avoid name collision problems. 18597 Problem report: Ralf Hildebrandt. Problem fix: Viktor 18598 Dukhovni. File: smtp/smtp.h. 18599 18600 Non-production cleanup: simplified "dane" user interface, 18601 replacing one "dane" security level plus multiple fall-back 18602 options, with two "dane" security levels, one opportunistic 18603 and one mandatory. Viktor Dukhovni. Files: proto/TLS_README.html, 18604 proto/postconf.proto, mantools/postlink, proto/TLS_README.html, 18605 proto/postconf.proto, global/mail_params.h, 18606 posttls-finger/posttls-finger.c, smtp/lmtp_params.c, 18607 smtp/smtp.c, smtp/smtp.h, smtp/smtp_params.c, 18608 smtp/smtp_tls_policy.c, tls/tls.h, tls/tls_level.c. 18609 1861020130512 18611 18612 Feature: allow an SMTP client to skip postscreen(8) tests 18613 before or after the 220 greeting, based on its DNSBL score. 18614 Suggested by Rob McGee (/dev/rob0). Files: mantools/postlink, 18615 proto/postconf.proto, global/mail_params.h, 18616 postscreen/postscreen.c, postscreen/postscreen.h, 18617 postscreen/postscreen_early.c, postscreen/postscreen_state.c, 18618 postscreen/postscreen_tests.c. 18619 1862020130513 18621 18622 Bugfix (introduced: 20130512): postscreen logged no "PASS 18623 NEW" event when the pregreet tests were turned off and the 18624 postscreen_dnsbl_whitelist_treshold feature was turned on. 18625 Reported by Rob McGee (/dev/rob0). Files: postscreen/postscreen.h, 18626 postscreen/postscreen_early.c. 18627 18628 Bugfix (introduced: 20130512): postscreen panic because the 18629 logic for dnsbl result retrieval was changed. Reported by 18630 Noel Jones. File: postscreen/postscreen_early.c. 18631 1863220130517 18633 18634 Cleanup: just like the postscreen DNS block test will use 18635 partial scores when some DNS lookup result is unavailable, 18636 the postscreen_dnsbl_whitelist_treshold feature will now 18637 use partial scores instead of ignoring them. File: 18638 postscreen/postscreen_early.c. 18639 1864020130518 18641 18642 Bugfix (introduced: 1997): memory leak after error while 18643 forwarding mail through the cleanup server. Viktor found 18644 one, Wietse eliminated the rest. File: local/forward.c. 18645 18646 Feature: posttls-finger protocol and cipher grade selection 18647 options. Leave protocol debug flags active across reconnects, 18648 only suppress redundant logging of the certificate details. 18649 Viktor Dukhovni. File: posttls-finger/posttls-finger.c. 18650 18651 Robustness: send SNI even when trying to reuse a DANE 18652 session, because a new session may be negotiated anyway. 18653 Viktor Dukhovni. File: tls/tls_client.c. 18654 18655 Cleanup: eliminate variable that is redundant with respect 18656 to more authoritative state. Viktor Dukhovni. File: 18657 posttls-finger/posttls-finger.c. 18658 18659 Feature: new tls_ssl_options parameter to enable OpenSSL 18660 features (as opposed to tls_disable_workarounds which is 18661 disables bug workarounds that are on by default). Viktor 18662 Dukhovni. Files: proto/TLS_README.html, proto/postconf.proto, 18663 src/global/mail_params.h, src/tls/tls.h, src/tls/tls_client.c, 18664 src/tls/tls_misc.c. 18665 1866620130520 18667 18668 Documentation: removed resolve_null_domain from the list 18669 of smtpd(8) parameters. File: smtpd/smtpd.c. 18670 1867120130523 18672 18673 Documentation: add cidr: and texthash: to the list of maps 18674 that don't have automatic change detection. File: 18675 proto/DATABASE_README.html. 18676 18677 Documentation: define the netmask format of CIDR maps. 18678 File: proto/cidr_table. 18679 1868020130530 18681 18682 Cleanup: replace alloca() with mymalloc()/myfree() for 18683 better error handling. Reported by Bill Parker. File: 18684 util/dict_ni.c (does anyone still use this code?). 18685 1868620130531 18687 18688 Feature: tls_wildcard_matches_multiple_labels (default: 18689 yes) to match multiple DNS labels with "*" in wildcard 18690 certificates. Viktor Dukhovni. Files: proto/postconf.proto, 18691 mantools/postlink, global/mail_params.h, tls/tls_client.c, 18692 tls/tls_misc.c. 18693 1869420130607 18695 18696 Bugfix (DANE support): with multiple TLSA RR that carry "x 18697 0 0" certificates or "x 1 0" keys, Postfix failed to reset 18698 the cert/key pointer before calling d2i_mumble(), causing 18699 OpenSSL to clobber the previous cert or key. Viktor Dukhovni. 18700 tls/tls_dane.c. 18701 18702 Robustness: check that TLSA-supplied certs have valid keys. 18703 It is not clear whether that check is performed in d2i(). 18704 Viktor Dukhovni. tls/tls_dane.c. 18705 1870620130608 18707 18708 Cleanup (DANE support): be more explicit in the logging of 18709 object digests. Viktor Dukhovni. tls/tls_dane.c. 18710 1871120100613 18712 18713 Workaround: unhelpful down-stream maintainers fail to install 18714 the new smtpd_relay_restrictions safety net, causing breakage 18715 that could have been avoided. We now hard-code the safety 18716 net instead. Files: global/mail_params.h, conf/post-install, 18717 RELEASE_NOTES_2.10. 18718 18719 Bugfix (DANE support): when TLSA records are insecure, 18720 report that none are found. Viktor Dukhovni. Files: 18721 posttls-finger/posttls-finger.c, smtp/smtp_tls_policy.c, 18722 tls/tls_dane.c. 18723 1872420130615 18725 18726 TLS Interoperability: turn on SHA-2 digests by force. This 18727 improves interoperability with clients and servers that 18728 deploy SHA-2 digests without the required support for 18729 TLSv1.2-style digest negotiation. Based on patch by Viktor 18730 Dukhovni. Files: tls/tls_client.c, tls/tls_server.c. 18731 1873220130616 18733 18734 Workaround: The Postfix SMTP server TLS session cache was 18735 broken because OpenSSL now enables session tickets by 18736 default, resulting in different ticket encryption key for 18737 each smtpd(8) process. the workaround turns off session 18738 tickets. In 2.11 we'll enable session tickets properly. 18739 Viktor Dukhovni. File: tls/tls_server.c. 18740 18741 Updated DANE support (trust in DNS instead of PKI). With 18742 OpenSSL 1.0.2 (under development) trusted certificates don't 18743 need to be self-signed roots. Otherwise we use an ephemeral 18744 root certificate to sign the trust anchor. Viktor Dukhovni. 18745 Files: posttls-finger/posttls-finger.c, smtp/smtp_proto.c, 18746 smtp/smtp_tls_policy.c, tls/tls.h, tls/tls_client.c, 18747 tls/tls_dane.c, tls/tls_fprint.c, tls/tls_misc.c, 18748 tls/tls_verify.c. 18749 1875020130619 18751 18752 Documentation: troff lint. Patch by ES Raymond's bot. File: 18753 proto/header_checks. 18754 18755 Cleanup: enforce smtpd_client_recipient_rate_limit for VRFY 18756 commands. File: smtpd/smtpd.c. 18757 1875820130622 18759 18760 Bugfix: typo in the 20130613 smtpd_relay_restrictions default 18761 setting. File: global/mail_params.h. 18762 1876320130623 18764 18765 Cleanup: configurable tlsmgr(8) service name. Files: 18766 mantools/postlink, proto/postconf.proto, tls/tls_mgr.c, 18767 tls/tls_misc.c, tlsproxy/tls-proxy.c, smtp/smtp.c, 18768 smtpd/smtpd.c. 18769 1877020130629 18771 18772 Cleanup: documentation. Files: proto/CONNECTION_CACHE_README.html, 18773 proto/SCHEDULER_README.html. 18774 1877520130708 18776 18777 Cleanup: postscreen_upstream_proxy_protocol setting. Files: 18778 global/mail_params.h, postscreen/postscreen_endpt.c. 18779 1878020130709 18781 18782 Cleanup: qmgr documentation clarification by Patrik Rak. 18783 Files: proto/SCHEDULER_README.html, qmgr/qmgr_job.c. 18784 18785 Cleanup: re-indented code. File: qmgr/qmgr_job.c. 18786 18787 Logging: minimal DNAME support. Viktor Dukhovni. dns/dns.h, 18788 dns/dns_lookup.c, dns/dns_strtype.c, dns/test_dns_lookup.c. 18789 1879020130710 18791 18792 Workaround: smtp_connection_reuse_count_limit (default 0, 18793 i.e. unlimited) for sites that must deal with hostile 18794 connection reuse policies. The documentation comes with a 18795 warning that this feature introduces a "fatal attractor" 18796 failure mode. Files: global/mail_params.h, mantools/postlink, 18797 proto/postconf.proto, smtp/smtp.c, smtp/smtp_params.c, 18798 smtp/lmtp_params.c, smtp/smtp.h. 18799 18800 Workaround: FreeBSD9 nroff outputs ANSI escape sequences 18801 instead of overstrike sequences. To make matters worse, it 18802 uses the ESC[0m sequence sometimes for end-of-bold and 18803 sometimes for end-of-italic. File: mantools/man2html. 18804 1880520130714 18806 18807 Cleanup: added smtpd_relay_restrictions entries to the 18808 default master.cf file, so that main.cf settings won't 18809 affect the submission and smtps services. Simon Matter. 18810 File: conf/master.cf. 18811 1881220130728 18813 18814 Cleanup: wrong function name in error message. John Fawcett. 18815 File: util/vstring_vstream.c. 18816 1881720130801 18818 18819 Cleanup: with ``make makefiles CCARGS="-DHAS_DB...'', the 18820 makedefs script no longer tries to locate the Linux Berkeley 18821 DB include and library files. Instead it assumes that the 18822 locations are given on the command line, as shown in the 18823 DB_README examples. Leo Baltus. File: makedefs. 18824 1882520130805 18826 18827 Documentation: clarified reject_non_fqdn_helo_hostname. 18828 File: proto/postconf.proto. 18829 1883020130809 18831 18832 Cleanup: the lmdb_map_size parameter is now a long integer. 18833 Howard Chu. Files: global/mail_params.[hc]. 18834 1883520130815 18836 18837 Documentation: added pointer to Dovecot 2 configuration. 18838 File: proto/SASL_README.html 18839 1884020130818 18841 18842 Update: LMDB client updated to LMDB 0.9.7, which hopefully 18843 fixes the unrecoverable "transaction full" error. With a 18844 new MDB_MAP_FULL workaround by Howard Chu that ensures that 18845 postfix will make progress as long as the disk is not full. 18846 File: util/dict_lmdb.c. 18847 1884820130822 18849 18850 The status of LMDB databases is "not recommended". Unlike 18851 other Postfix databases, LMDB does not grow beyond a specified 18852 limit even when the file system has room. This show-stopper 18853 bug breaks applications whose requirements grow with load: 18854 postscreen(8), greylisting, tlsmgr(8) and verify(8). 18855 1885620130825 18857 18858 Bitrot: Arrange for shared keys in SMTP server session 18859 tickets. Otherwise, with clients that enable session 18860 tickets, the SMTP session cache is per-process and largely 18861 ineffective. Older releases should add SSL_OP_NO_TICKET 18862 to the SSL options bit mask in the SMTP server only. The 18863 session ticket key validity interval (sum of initial issuing 18864 and retired key validation intervals) must not exceed the 18865 SSL session lifetime. Otherwise, clients may send valid 18866 tickets for expired sessions, which the OpenSSL server code 18867 mishandles (does not send a replacement ticket, patch 18868 pending...). 18869 18870 We set the session lifetime to 2 times the configured cache 18871 lifetime which is also the ticket issuing and retired 18872 validation lifetime, so ticketed sessions last 1 to 2 times 18873 the configured session lifetime and never longer than a 18874 session's expiration time. 18875 18876 Code by Viktor Dukhovni. Files: .indent.pro, mantools/postlink, 18877 proto/TLS_README.html, proto/postconf.proto, global/mail_params.h, 18878 posttls-finger/posttls-finger.c, posttls-finger/tlsmgrmem.c, 18879 smtpd/smtpd.c, tls/tls.h, tls/tls_client.c, tls/tls_mgr.c, 18880 tls/tls_mgr.h, tls/tls_scache.c, tls/tls_scache.h, 18881 tls/tls_server.c, tlsmgr/tlsmgr.c, tlsproxy/tlsproxy.c. 18882 18883 Robustness: Search for TLSA RRs at the resolved server name 18884 (rname) and failing that request server name (qname), and 18885 use whichever was found as the TLSA base domain for certificate 18886 matching. 18887 18888 When we find a DNSSEC validated MX RRset, and the initial 18889 next-hop domain is a CNAME, include both the initial and 18890 final (the one with the actual MX RRs) domains in the list 18891 of valid server certificate names. 18892 18893 When we find no MX records, then the initial next-hop domain 18894 is obtained securely from the recipient domain or transport 18895 next-hop. Without MX records, this is a destination hostname, 18896 so we should generally do a TLSA lookup. If however the 18897 address lookup yields an insecure result, and its rname is 18898 equal to its qname (no CNAMEs), we reasonably assume that 18899 the its child "_port._tcp" sub-domain is likewise insecure 18900 (security here would require DLV just for this sub-domain). 18901 This allows us to skip futile TLSA queries for most non-MX 18902 destinations (those that are in insecure zones and are not 18903 CNAMEs). This heuristic can be disabled by setting the new 18904 main.cf parameter smtp_tls_force_insecure_host_tlsa_lookup 18905 to "yes", the default is "no". 18906 18907 Finally, with MX hostnames, if the MX RRset is secure, we 18908 look for TLSA RRs at the qname only when the MX host is an 18909 alias with an insecure rname. If both the qname and the 18910 rname are secure, as before we prefer the rname, but when 18911 nothing is found there, fall back to the qname. 18912 18913 Code by Viktor Dukhovni. Files: mantools/postlink, 18914 proto/postconf.proto, src/global/mail_params.h, 18915 src/posttls-finger/posttls-finger.c, src/smtp/lmtp_params.c, 18916 src/smtp/smtp.c, src/smtp/smtp.h, src/smtp/smtp_addr.c, 18917 src/smtp/smtp_addr.h, src/smtp/smtp_connect.c, 18918 src/smtp/smtp_params.c, src/smtp/smtp_tls_policy.c, 18919 src/tls/tls.h, src/tls/tls_dane.c. 18920 1892120130826 18922 18923 Documentation: re-ordered STRESS_README, now that all 18924 supported releases have stress-adaptive behavior built in. 18925 File: proto/STRESS_README.html. 18926 1892720130903 18928 18929 Cleanup: made the default_database_type compile-time 18930 configurable. Files: util/sys_defs.h, makedefs, proto/INSTALL. 18931 1893220130916 18933 18934 Feature: reject_known_sender_login_mismatch, which applies 18935 reject_sender_login_mismatch only to MAIL FROM addresses 18936 that are known in $smtpd_sender_login_maps. Viktor & Wietse. 18937 Files: mantools/postlink, proto/SASL_README.html, 18938 proto/postconf.proto, global/mail_params.h, smtpd/smtpd_check.c. 18939 1894020130927 18941 18942 Cleanup: no more LMDB "database full" errors. Postfix now 18943 requires LMDB >= 0.9.8 which supports on-the-fly database 18944 resizing. When a database becomes full, its size limit is 18945 automatically doubled, and other processes automatically 18946 pick up the new database size limit. Files: util/dict.h, 18947 util/dict_open.c, util/dict_alloc.c, util/dict_lmdb.c, 18948 postmap/postmap.c, postalias/postalias.c, proto/LMDB_README.html, 18949 proto/postconf.proto. 18950 1895120130928 18952 18953 Cleanup: the lmdb_max_readers property is now configurable. 18954 This is a hard limit built into the OpenLDAP library that 18955 causes requests to fail when the number of open read 18956 transactions exceeds the limit. When this happens the LMDB 18957 client logs an MDB_READERS_FULL warning and continues with 18958 reduced performance. Files: util/dict_lmdb.c, util/dict_lmdb.h, 18959 global/mail_params.h, global/mail_params.c, proto/postconf.proto, 18960 proto/LMDB_README.html. 18961 1896220130929 18963 18964 Security violation: LMDB opens files with read/write access 18965 for lock management purposes. This gives unprivileged 18966 daemon processes read/write file handles for root-owned 18967 files under /etc/postfix. This also breaks when a non-root 18968 process needs to access a root-owned database. Even if 18969 LMDB lock files were world-writable, and kept in a dedicated 18970 directory, they would still violate the principle of least 18971 privilege. For all these reasons, support to create LMDB 18972 files is removed from the postmap and postalias commands. 18973 LMDB files can still be created by unprivileged Postfix 18974 daemon processes under the postfix-owned data_directory. 18975 Files: proto/LMDB_README.html, global/mkmap.c. 18976 1897720131001 18978 18979 Cleanup: LMDB support is forbidden due to problems with 18980 LMDB lock management. These problems hinder error recovery 18981 in multi-programmed systems, and prohibit database sharing 18982 between privileged writer processes and unprivileged reader 18983 processes. 18984 1898520131009 18986 18987 Documentation: inet_protols description was not updated 18988 when smtp_address_preference was added. File: proto/postconf.proto 18989 1899020131013 18991 18992 Documentation: why postscreen(8) uses hash-table lookups 18993 instead of direct pointers to find the DNSBL lookup result 18994 for a specific session. File: postscreen/postscreen_early.c. 18995 1899620131022 18997 18998 Cleanup: add more &code; to postconf2man. Someone has been 18999 writing documentation without checking the result, File: 19000 mantools/postconf2man. 19001 19002 Documentation: in the discard(8) manpage, the reason is not 19003 a host or domain name. File: discard/discard.c. 19004 1900520131025 19006 19007 Documentation: specify the expected result format with 19008 "list" tables. File: proto/DATABASE_README.html. 19009 1901020131026 19011 19012 Future proofing: API changes in the PCRE library. File: 19013 util/dict_pcre.c. 19014 1901520131028 19016 19017 Feature: check_sasl_access to block hijacked logins. Files: 19018 mantools/postlink, proto/postconf.proto, global/mail_params.h, 19019 smtpd/smtpd_check.c, smtpd/smtpd_dsn_fix.h. 19020 1902120131029-31 19022 19023 Cleanup: slmdb(3) simplified LMDB API that hides recoverable 19024 LMDB errors from applications so that they can focus on 19025 their own job. Files: util/slmdb.[hc]. 19026 19027 Cleanup: LMDB functionality restored, after elimination of 19028 1) world-writable lockfiles, 2) hard limits on the number 19029 of concurrent readers, and 3) hard-coded database file inode 19030 numbers in lockfiles that can prevent automatic crash 19031 recovery. Files: proto/LMDB_README.html, proto/postconf.proto, 19032 mantools/postlink, util/dict_lmdb.c. 19033 1903420131101 19035 19036 Cleanup: restore ability to build without LMDB support; 19037 further slmdb API streamlining. Files: util/slmdb.[hc], 19038 util/dict_lmdb.c. 19039 19040 Bugfix: uninitialized variable. File: util/slmdb.c. 19041 19042 Documentation: added SASL_README example for check_sasl_access. 19043 File: proto/SASL_README.html. 19044 1904520131102-3 19046 19047 Security violation: by default, LMDB 0.9.9 writes uninitialized 19048 heap memory to a world-readable database file, as chunks 19049 of up to 4096 bytes. This is a huge memory disclosure 19050 vulnerability: memory content that a program does not intend 19051 to share ends up in a world-readable file. The content of 19052 uninitialized heap memory depends on program execution 19053 history. That history includes code execution in other 19054 libraries that are linked into the program. 19055 19056 This is a problem whenever the user who writes the database 19057 file differs from the user who reads the database file. For 19058 example, a privileged writer and an unprivileged reader. 19059 In the case of Postfix, the postmap(1) and postalias(1) 19060 commands would leak uninitialized heap memory, as chunks 19061 of up to 4096 bytes, from a root-privileged process that 19062 writes to a database file, to unprivileged processes that 19063 read from that database file. 19064 19065 To work around this problem the postmap(1) and postalias(1) 19066 commands disable the use of malloc() in LMDB. However, that 19067 does not address several disclosures of stack memory. Other 19068 Postfix databases do not need this workaround: those databases 19069 are maintained by Postfix daemon processes, and are accessible 19070 only by the postfix user. File: util/dict_lmdb.c. 19071 1907220131102-3 19073 19074 Cleanup: expand TAB characters when generating documentation. 19075 This was primarily an issue with non-HTML output, but it does 19076 not hurt to do this also for HTML. Files: proto/Makefile.in, 19077 proto/MULTI_INSTANCE_README.html. 19078 1907920131104 19080 19081 Feature: ${queue_id} macro support for the pipe(8) delivery 19082 agent by Andreas Schulze. File: pipe/pipe.c. 19083 1908420131107 19085 19086 Cleanup: after 16 years the SKIP() and TRIM() macros were 19087 triggering compiler warnings. Files: global/mail_params.c, 19088 smtpstone/smtp-sink.c, util/mac_parse.c, util/split_nameval.c. 19089 1909020131110 19091 19092 Bugfix (introduced Oct 26 1997): don't clobber errno before 19093 expanding %m. File: util/vbuf_print.c. 19094 1909520131114 19096 19097 Cleanup: LMDB >= 0.9.10 does not need the MDB_WRITEMAP 19098 workaround to avoid heap memory information leaks. File: 19099 util/dict_lmdb.c. 19100 1910120131114 19102 19103 Cleanup: Coverity found a harmless memory leak in the 19104 postconf master.cf parser. Reported by Christos Zoulas, 19105 NetBSD. File: postconf/postconf_master.c. 19106 19107 Cleanup: graceful degradation after database open() error. 19108 Several instances of that code introduced a harmless memory 19109 leak, and Coverity complained about one of them (Christos 19110 Zoulas, NetBSD). Instead of adding random code in random 19111 places, restructured dict_foo_open() routines with consistent 19112 code to dispose of memory or file handles. Files: dict_thash.c, 19113 dict_sockmap.c, dict_regexp.c, dict_pcre.c, dict_lmdb.c, 19114 dict_dbm.c, dict_cidr.c, dict_cdb.c. 19115 19116 Cleanup: warning message after canonical/virtual/etc. 19117 table lookup error. Files: cleanup/cleanup_addr.c, 19118 cleanup/cleanup_map11.c, cleanup/cleanup_map1n.c, 19119 cleanup/cleanup_masquerade.c, cleanup/cleanup_message.c, 19120 cleanup/cleanup_milter.c. 19121 1912220131116 19123 19124 Feature: MySQL client support for option_file, option_group, 19125 tls_cert_file, tls_key_file, tls_CAfile, tls_CApath, 19126 tls_verify_cert. See mysql_table(5). Code by Gareth Palmer. 19127 Files: proto/mysql_table, global/dict_mysql.c. 19128 19129 Cleanup: DANE support. Keep the attributes of TA certificates 19130 obtained via "IN TLSA 2 0 X" RRs, while continuing to only 19131 use the key from "IN TLSA 2 1 X" RRs. This means in the 19132 "2 0 X" case that we re-sign the TA certificate in place, 19133 rather than synthesize a vanilla cert around just the key. 19134 Viktor Dukhovni. File: tls/tls_dane.c. 19135 19136 Bugfix: posttls-finger parsing of destination and optional 19137 match values. Viktor Dukhovni. File: 19138 posttls-finger/posttls-finger.c. 19139 19140 Cleanup: When wrap_signed is false (OpenSSL 1.0.2 some day), 19141 we don't have to sign trust anchors, and don't generate a 19142 key to do so. Thus don't attempt to re-sign trust-anchor 19143 certificates (IN TLSA 2 0 X) in this case. Viktor Dukhovni. 19144 File: tls/tls_dane.c. 19145 19146 Feature: configurable DANE digest algorithm priority. Use 19147 only the most-preferred, shared, digest algorithm for any 19148 give (usage, selector) combination. Viktor Dukhovni. 19149 mantools/postlink, proto/postconf.proto, global/mail_params.h, 19150 tls/tls_dane.c, tls/tls_misc.c. 19151 19152 Bugfix: FreeBSD nroff workaround messed up. File: 19153 mantools/postlink. 19154 1915520131118 19156 19157 Cleanup: FreeBSD nroff workaround. Files: man/Makefile.in, 19158 proto/Makefile.in. 19159 19160 Cleanup: the smtpd_proxy_filter client now sends QUIT before 19161 closing the connection to a content filter. Files: 19162 smtpd/smtpd_proxy.c, smtpd/smtpd.c. 19163 19164 Portability: C99 va_copy() compatibility, in case some 19165 implementation does not permit multiple va_start() calls 19166 on the same argument list. Files: global/memcache_proto.c, 19167 milter/milter8.c, smtpstone/smtp-source.c, util/attr_clnt.c, 19168 util/concatenate.c, util/dict_surrogate.c, util/netstring.c, 19169 util/compat_va_copy.h. 19170 19171 Cleanup: comment formatting. Viktor Dukhovni. File: dns/dns.h. 19172 19173 Cleanup: removed redundant sort operation. Viktor Dukhovni. 19174 File: tls/tls_dane.c. 19175 1917620131119 19177 19178 Feature: a Postfix LMDB database can now be used as shared 19179 persistent cache with multiple postscreen(8) or verify(8) 19180 daemons (but not both), without the need for a shared 19181 proxymap server. Files: util/dict.h, util/dict_alloc.c, 19182 util/dict_open.c, util/dict_lmdb.c. 19183 19184 Internal: DNS client support to report reply RCODE information, 19185 in addition to the simplified DNS_NOTFOUND, DNS_RETRY etc. 19186 Portability note: this requires the C99 __VA_ARGS__ feature. 19187 Files: dns/dns.h. dns/dns_lookup.c, dns/test_dns_lookup.c. 19188 1918920131120 19190 19191 Cleanup: reduced the code footprint for the LMDB < 0.9.10 19192 heap-to-file information leak workaround, and simplified 19193 the implementation to "good enough". Files: util/dict.h, 19194 util/dict.c, util/dict_lmdb.c, postalias/postalias.c, 19195 postmap/postmap.c. 19196 19197 Cleanup: reduced the code footprint for the handling of 19198 multi-writer safe maps. A map only needs to assert that it 19199 is multi-writer safe, and the rest just happens. Files: 19200 util/dict.h, util/dict_open.c, util/dict_lmdb.c, 19201 global/dict_memcache.c. 19202 19203 Cleanup: Postfix daemons no longer restart when a multi-writer 19204 safe map is updated. File: util/dict.c. 19205 19206 Documentation: sharing an LMDB cache between multiple 19207 verify(8) or postscreen(8) servers (but not both). Files: 19208 proto/ADDRESS_VERIFICATION_README.html, 19209 proto/POSTSCREEN_README.html. 19210 19211 Cleanup: improve suppression of TLSA lookups in insecure 19212 zones. This is now applied not only to non-MX destinations, 19213 but also to each MX record. Viktor Dukhovni. Files: 19214 src/posttls-finger/posttls-finger.c, src/smtp/smtp_tls_policy.c, 19215 src/tls/tls.h, src/tls/tls_dane.c. 19216 19217 Workaround: increased the 5s connection timeout to 30s. 19218 Viktor Dukhovni. File: posttls-finger/posttls-finger.c. 19219 1922020131121 19221 19222 Documentation: new socketmap_table(5) and lmdb_table(5) 19223 manpages. Files: mantools/postlink, conf/postfix-files, 19224 html/Makefile.in, man/Makefile.in, proto/DATABASE_README.html, 19225 postconf/postconf.c, proto/socketmap_table, proto/lmdb_table. 19226 1922720131122 19228 19229 Documentation: missing database hyperlinks, refined text 19230 about partial lookup keys. Files: mantools/postlink, 19231 proto/DATABASE_README.html, proto/lmdb_table, 19232 proto/socketmap_table. 19233 1923420131123 19235 19236 Feature: support for NOTIFY parameter in the Milter 19237 SMFIR_ADDRCPT_PAR request. Contributed by by Andrew Ayer. 19238 Wietse added support for ORCPT. Files: cleanup/cleanup.h, 19239 cleanup/cleanup_milter.c, cleanup/cleanup_state.c, 19240 global/xtext.c, global/xtext.h, milter/test-milter.c. 19241 1924220131122 19243 19244 Feature: "postconf -Fe service/type/attribute = value" edits 19245 master.cf attribute values. The -e is optional. Example: 19246 use "postconf -F "*/*/chroot = n" to turn off chroot on all 19247 master.cf services. Files: postconf/postconf.h, 19248 postconf/postconf.c, postconf/postcof_master.c, 19249 postconf/postconf_edit.c. 19250 1925120131124 19252 19253 Cleanup: remove extra blank line from ccformat output, 19254 making it compatible with the script that Wietse actually 19255 uses (this line was part of a test to detect file truncation, 19256 but it is now obsolete). File: mantools/ccformat. 19257 19258 Feature: master.cf parameter namespace. "postconf -P" shows 19259 master.cf parameter settings as "service/type/parameter = 19260 value". This is applicable only to parameter settings in 19261 master.cf. Files: postconf/postconf.h, postconf/postconf.c, 19262 postconf/postcof_master.c, postconf/postconf_print.c. 19263 19264 Incompatibility: the master_service_disable syntax has 19265 changed: use "service/type" instead of "service.type". The 19266 new form is consistent with master.cf parameter namespaces. 19267 The old form is still supported to avoid breaking existing 19268 configurations. Files: global/master_service.c, 19269 master/master_ent.c. 19270 1927120131125 19272 19273 Feature: change, add or delete "-o parameter=value" setting 19274 in master.cf. Examples: "postconf -P smtp/inet/parameter=value" 19275 (add or modify "-o name=value" setting) and "postconf -P 19276 smtp/inet/parameter" (delete "-o parameter=value" setting). 19277 Files: util/argv.[hc], postconf/postconf.h, 19278 postconf/postconf_edit.c, postconf_master.c. 19279 1928020131126 19281 19282 Cleanup: Leave SSLv3 enabled with DANE. Viktor Dukhovni. 19283 Files: proto/TLS_README.html proto/postconf.proto 19284 tls/tls_client.c. 19285 19286 Cleanup: DANE support: Drop support for usage 0. It SHOULD 19287 NOT be supported in DANE with SMTP, and we already don't 19288 support digest TLSA RRs in this case, while full content 19289 TLSA RRs are not recommended for DNS bloat reasons. Viktor 19290 Dukhovni. Files: proto/postconf.proto src/global/mail_params.h 19291 src/smtp/smtp.c src/tls/tls_dane.c src/tls/tls_misc.c. 19292 19293 Feature: TLS support: Support future digest algorithms 19294 without re-compilation. Viktor Dukhovni. Files: .indent.pro 19295 proto/postconf.proto src/tls/tls_dane.c. 19296 19297 Feature: DNS support: New configurable digest agility. 19298 Viktor Dukhovni. Files: .indent.pro proto/TLS_README.html 19299 proto/postconf.proto src/global/mail_params.h src/tls/tls_dane.c 19300 src/tls/tls_misc.c. 19301 1930220131127 19303 19304 Bugfix (introduced: 20090106): the postconf '-#' option 19305 erased prior options. File: postconf/postconf.c. 19306 1930720131129 19308 19309 Bugfix: Makefile example in MULTI_INSTANCE_README. Viktor 19310 Dukhovni. File: proto/MULTI_INSTANCE_README.html. 19311 1931220131130 19313 19314 Cleanup: simplify fingerprint security level implementation 19315 in new DANE code. Viktor Dukhovni. Files: src/tls/tls.h 19316 src/smtp/smtp_tls_policy.c src/tls/tls_dane.c 19317 src/posttls-finger/posttls-finger.c. 19318 1931920131209 19320 19321 Cleanup: safe_strtoul() did not report an error for empty 19322 or all-space input (the code to report this was in the wrong 19323 place). This was not a problem as long as safe_strtoul() 19324 was used only for output from safe_ultostr(). Files: 19325 global/safe_ultostr.c, global/safe_ultostr.in, 19326 global/safe_ultostr.ref. 19327 1932820131210 19329 19330 Documentation: updated description of SSL protocol controls. 19331 In particular, enabled protocols are part of a contiguous 19332 range. Viktor Dukhovni. Files: proto/TLS_README.html, 19333 proto/postconf.proto. 19334 19335 Bugfix: DANE support: handle OpenSSL memory allocation 19336 error. Viktor Dukhovni. File: tls/tls_dane.c. 19337 19338 Cleanup: LMDB_README was not installed. File: conf/postfix-files. 19339 1934020131214 19341 19342 Portability: on some platforms posttls-finger now requires 19343 explicitly linking libdl. File: posttls-finger/Makefile.in. 19344 19345 Cleanup: DANE support: extension gymnastics. Viktor Dukhovni. 19346 File: tls/tls_dane.c. 19347 19348 Bugfix: DANE support: the wrap_cert() and wrap_key() calls 19349 should never fail, but some callers ignored the return 19350 value. The only failure is for lack of memory, so we use 19351 msg_fatal() internally and change wrap_cert() and wrap_key() 19352 to return void. Viktor Dukhovni. File: tls/tls_dane.c. 19353 19354 Bugfix: DANE support: avoid making DANE certificates with 19355 replaced public-keys appear as if they were self-signed. 19356 Viktor Dukhovni. File: tls/tls_dane.c. 19357 19358 Cleanup: DANE support: simplify grow_chain() to always apply 19359 trust consistently. Viktor Dukhovni. File: tls/tls_dane.c. 19360 19361 Bugfix: DANE support: backport fixes from OpenSSL DANE 19362 testing. Discard errors generated by raw TA key signature 19363 checks. Record the tadepth as zero with self-signed depth 19364 0 TAs. Robustness: Though it should never happen, don't 19365 update the tadepth if already set. Viktor Dukhovni. Files: 19366 tls/tls_dane.c, tls/tls_server.c. 19367 1936820131215 19369 19370 Cleanup: OpenSSL "const" declarations have changed over 19371 time. Viktor Dukhovni. Files: src/tls/tls.h, src/tls/tls_client.c, 19372 src/tls/tls_dane.c, src/tls/tls_server.c. 19373 1937420131216 19375 19376 Cleanup: TLS support. Eliminate calls of deprecated functions 19377 before they are removed from OpenSSL. CRYPTO_thread_id is 19378 deprecated and we don't need it. Replace the deprecated 19379 ERR_remove_state() call with ERR_remove_thread_state(), and 19380 use RSA_generate_key_ex(). Viktor Dukhovni. Files: 19381 posttls-finger/posttls-finger.c, tls/tls_misc.c, tls/tls_rsa.c. 19382 19383 Cleanup: DANE support: Reduce #ifdef clutter to improve 19384 redability and maintainability. Viktor Dukhovni. File: 19385 tls/tls_dane.c. 19386 19387 Future proofing: Tolerate disappearance of named bug-workaround 19388 bits without invalidating user configurations. When support 19389 for a bug workaround is removed from OpenSSL, the corresponding 19390 bit is defined as zero (i.e. NOOP) instead of causing 19391 programs to break. Viktor Dukhovni. File: tls/tls_misc.c. 19392 1939320131217 19394 19395 Portability: RSA_generate_key_ex() is not available on all 19396 supported platforms, so this change is made conditional. 19397 Enforce that this function will be used only for creating 19398 a 512-bit ephemeral RSA key. Viktor Dukhovni. File: 19399 tls/tls_rsa.c. 19400 1940120131218 19402 19403 Documentation: new document FORWARD_SECRECY_README that 19404 describes how different versions of Postfix >= 2.2 implement 19405 "perfect" forward secrecy. Viktor Dukhovni. File: 19406 proto/FORWARD_SECRECY_README.html, proto/Makefile.in, 19407 conf/postfix-files, html/index.html. 19408 1940920131219 19410 19411 Cleanup: renamed postconf(1) internal identifiers according 19412 to a consistent scheme, to avoid future name conflicts as 19413 Postfix evolves. This is a no-feature change. Files: 19414 postconf/*.[hc], postconf/extract.awk. 19415 19416 Documentation: linearized the order of exposition in 19417 FORWARD_SECRECY_README. File: proto/FORWARD_SECRECY_README.html. 19418 1941920131220 19420 19421 Bugfix: DANE support: segfault. Viktor Dukhovni. File: 19422 tls/tls_dane.c. 19423 19424 Documentation: typo in SASL_README. Patrick Ben Koetter. 19425 File: proto/SASL_README.html. 19426 19427 Documentation: increased the *.[0-9].html manpage width 19428 from the historical 65 columns to the more contemporary 78 19429 columns, and future-proofed the pattern that eliminates 19430 redundant text from the "README FILES" section. Files: 19431 mantools/postlink, mantools/man2html, man/Makefile.in. 19432 19433 Documentation: misc manual page cleanups. Files: 19434 postconf/postconf.c, postmulti/postmulti.c. 19435 1943620131221 19437 19438 Testbed: TLS support. Viktor Dukhovni. Files: tls/Makefile.in, 19439 tls/tls_dane.c, tls/tls_dane.sh, tls/tls_mgr.c, .indent.pro. 19440 19441 Documentation: added section on how to verify that forward 19442 secrecy works. File: proto/FORWARD_SECRECY_README.html. 19443 1944420131222 19445 19446 Documentation: forward secrecy, with feedback from Adam 19447 Shostack. Viktor Dukhovni and Wietse Venema. File: 19448 proto/FORWARD_SECRECY_README.html. 19449 1945020131224 19451 19452 Feature: smtpd_sasl_service (until now, this was hard-coded 19453 internally as "smtp"). On request by Michal (sksoft.cz). 19454 Files: global/mail_params.h, proto/postconf.proto, 19455 mantools/postlink, smtpd/smtpd.c, smtpd/smtpd_sasl_glue.c. 19456 19457 Documentation: updated example to Dovecot version 2 syntax. 19458 File: proto/SASL_README/html. 19459 1946020131228 19461 19462 Cleanup: DANE support: test script. Viktor Dukhovni. File 19463 tls/tls_dane.sh. 19464 19465 Debugging: test driver for LMDB debugging and stress testing. 19466 Shockingly, LMDB terminates the postscreen daemon without 19467 logfile record. File: util/dict_cache.c. 19468 1946920140102 19470 19471 Bugfix: close the LMDB database cursor's read transaction 19472 before writing with MDB_NOLOCK and before changing the 19473 database memory map size. File: util/slmdb.c. 19474 1947520140103 19476 19477 Cleanup: eliminated data duplication from the new SMTP_ITERATOR 19478 structure to the old SMTP_SESSION structure. The SMTP_ITERATOR 19479 structure now maintains the sole copy. Files: smtp/smtp.h, 19480 smtp_sasl_auth_cache.c, smtp_reuse.c, smtp_sasl_glue.c, 19481 smtp_rcpt.c, smtp_session.c, smtp_chat.c, smtp_proto.c, 19482 smtp_connect.c. 19483 1948420140104 19485 19486 Feature: support for optional configuration files 19487 "$daemon-directory/postfix-files.d/*". These are processed 19488 in sorted order after "$daemon-directory/postfix-files", 19489 This avoids breaking "postfix set-permissions" etc. when a 19490 Postfix distribution comes in multiple packages. File: 19491 conf/post-install. 19492 1949320140107 19494 19495 Feature: LMDB 0.9.11 allows Postfix daemons to log an LMDB 19496 error message, instead of falling out of the sky without 19497 any notification. Files: util/slmdb.[hc], util/dict_lmdb.c. 19498 1949920140108 19500 19501 Bugfix: every Postfix LMDB transaction is now protected by 19502 an external lock for its entire life time. File: util/slmdb.c. 19503 1950420140109 19505 19506 Cleanup: turn off DNSSEC lookup after CNAME redirection to 19507 an insecure zone. This is an optimization for resolvers 19508 that do not automatically resolve CNAME chains. Viktor 19509 Dukhovni. File: dns/dns_lookup.c. 19510 19511 Cleanup: do not salt the SMTP TLS policy lookup cache key 19512 with the DNSSEC status. The DNSSEC status will not change 19513 when the same nexthop/host pair is looked up repeatedly. 19514 Viktor Dukhovni. File: smtp/smtp_tls_policy.c. 19515 19516 Robustness: Suppress TLSA lookups only when the qname zone 19517 is insecure, not just because the rname zone is insecure. 19518 This requires an extra T_CNAME lookup for the qname, since 19519 nameservers are often "too helpful" and report CNAME records 19520 together with the CNAME targets. When the targets are 19521 insecure the whole reply is marked as insecure. Viktor 19522 Dukhovni. File: tls/tls_dane.c. 19523 19524 Cleanup: Unify/simplify reporting of configuration or other 19525 conditions that prevent DANE security. Viktor Dukhovni. 19526 Files: global/dsn_buf.[hc], tls/tls_dane.c, smtp/smtp_tls_policy.c. 19527 1952820140110-15 19529 19530 Miscellaneous documentation cleanups. 19531 1953220140116 19533 19534 Workaround: prepend "-I. -I../../include" to CCARGS, to 19535 avoid name clashes with non-Postfix header files. File: 19536 makedefs. 19537 1953820140125 19539 19540 Cleanup: assorted documentation glitches. 19541 1954220140209 19543 19544 Workaround: the Postfix SMTP client now also falls back to 19545 plaintext when TLS fails after the TLS protocol handshake. 19546 Files: smtp/smtp.h, smtp/smtp_connect.c, smtp/smtp_trouble.c. 19547 19548 Testbed: unsupported HANGUP access map action that drops 19549 the connection without responding to the remote SMTP client. 19550 File: smtpd/smtpd_check.c. 19551 1955220140214 19553 19554 Workaround: apparently some buggy kernels report WIFSTOPPED 19555 events to the parent process (master daemon) instead of the 19556 tracing process (e.g., gdb). File: master/master_spawn.c. 19557 1955820140218 19559 19560 Workaround: require that a queue file is older than 19561 $minimal_backoff_time, before falling back from failed TLS 19562 to plaintext (both during or after the TLS handshake). 19563 Viktor Dukhovni. Files: smtp/smtp.h, smtp/smtp.c, 19564 smtp/lmtp_params.c, smtp/smtp_params.c. 19565 1956620140220 19567 19568 Workaround: in case "minimal_backoff_time = $queue_run_delay". 19569 Files: smtp/smtp.c, smtp/smtp_params.c, smtp/lmtp_params.c. 19570 19571 Cleanup: consolidate the code to log the start of a new 19572 mail transaction in one place, so that code can easily be 19573 added to log TLS status information in addition to the 19574 existing client and SASL status information. Files: 19575 smtpd/smtpd_sasl_proto.h, smtpd/smtpd_sasl_proto.c, 19576 smtpd/smtpd.c. 19577 1957820140223 19579 19580 Workaround: when a session breaks after the TLS handshake, 19581 do not fall back from TLS to plaintext when all recipients 19582 were deferred or rejected during the TLS phase. Files: 19583 smtp/smtp.h, smtp/smtp_rcpt.c. 19584 19585 Logging: the TLS client logged that an "Untrusted" TLS 19586 connection was established instead of "Anonymous". Viktor 19587 Dukhovni. File: tls/tls_client.c. 19588 19589 Documentation: new self-signed certificate example and 19590 updated private CA example. File: proto/TLS_README.html. 19591 1959220140224 19593 19594 Bugfix (introduced: 20061106): when the "retry" transport 19595 was added to Postfix, it was not given special status like 19596 the "error" transport. The Postfix SMTP server did not defer 19597 mail that resolves to the "retry" transport, and the 19598 trivial-rewrite daemon would override the null nexthop 19599 destination in "retry:" with the current nexthop destination. 19600 Files: smtpd/smtpd_check.c, trivial-rewrite/transport.c. 19601 1960220140227 19603 19604 Bugfix: Enforce TLS when TLSA records exist, but all are 19605 unusable; Don't leak dane handle when all TLSA records are 19606 unusable. Viktor Dukhovni. File: smtp/smtp_tls_policy.c. 19607 19608 Cleanup: log TLS policy lookup errors as warnings. Viktor 19609 Dukhovni. File: smtp/smtp_connect.c. 19610 1961120140316 19612 19613 Feature: preliminary support to change arbitrary hard 19614 delivery errors into soft errors and vice versa, or to 19615 replace the descriptive text of non-delivery notifications. 19616 This was originally introduced for sites that want to bounce 19617 mail when no remote SMTP server announces TLS support. New 19618 parameters: {default,smtp,pipe,virtual}_bounce_defer_filter. 19619 Files: proto/postconf.proto, mantools/postlink, global/bounce.[hc], 19620 bounce/defer.[hc], global/ndr_filter.[hc], global/mail_params.[hc], 19621 master/event_server.c, master/multi_server.c, 19622 master/single_server.c, master/trigger_server.c, smtp/smtp.c, 19623 pipe/pipe.c, virtual/virtual.c. 19624 1962520140317 19626 19627 Feature: local_bounce_defer_filter support. Files: 19628 global/bounce.[hc], global/defer.[hc], local/command.c, 19629 local/file.c, local/bounce_workaround.c, local/local.c, 19630 global/mail_params.h, mantools/postlink. 19631 1963220140318 19633 19634 Refinement: don't throttle an SMTP destination when the new 19635 smtp_bounce_defer_filter feature turns a soft bounce into 19636 a hard bounce. File: smtp/smtp_trouble.c. 19637 1963820140320 19639 19640 Feature: support to replace successful delivery status code 19641 and explanatory text. This can be used to to hide local 19642 details such as destination commands or file names when a 19643 remote sender requests confirmation of delivery. As of now 19644 *_bounce_defer_filter is renamed into *_delivery_status_filter. 19645 Files: global/bounce.c, global/bounce.h, global/defer.c, 19646 global/defer.h, global/dsn_filter.c, global/dsn_filter.h, 19647 global/mail_params.c, global/mail_params.h, global/sent.c, 19648 local/local.c, master/event_server.c, master/multi_server.c, 19649 master/single_server.c, master/trigger_server.c, pipe/pipe.c, 19650 smtp/lmtp_params.c, smtp/smtp.c, smtp/smtp_params.c, 19651 virtual/virtual.c, mantools/postlink. 19652 1965320140322 19654 19655 Cleanup: code comments and identifier names to reflect the 19656 evolution from "NDR filter" to "delivery status filter". 19657 Files: global/mail_params.h, smtp/smtp.c, global/dsn_filter.c, 19658 global/dsn_filter.h, local/local.c, pipe/pipe.c, 19659 smtp/lmtp_params.c, smtp/smtp_params.c, virtual/virtual.c, 19660 global/bounce.c. 19661 1966220140323 19663 19664 Feature: initial merge of Debian-style dynamic linking. 19665 Viktor Dukhovni. 19666 1966720140406 19668 19669 Bugfix: when testing session caching, stop reconnecting 19670 after encountering a previously-used server (when the session 19671 is re-used or not). Viktor Dukhovni. File: 19672 posttls-finger/posttls-finger.c. 19673 19674 Feature: configurable TLS session-ticket cipher (default: 19675 tls_session_ticket_cipher = aes-128-cbc). Viktor Dukhovni 19676 and Wietse. Files: mantools/postlink, smtpd/smtpd.c, 19677 proto/postconf.proto, global/mail_params.h, tls/tls_misc.c, 19678 tls/tls_scache.h, tls/tls_server.c. 19679 1968020140416 19681 19682 Cleanup: replace "~0 << positive" with "~0U << positive" 19683 even if we use only the lower bytes. Jeffrey Walton. File: 19684 util/mask_addr.c. 19685 1968620140407 19687 19688 Documentation: the documentation for Postfix > 2.8 TLS 19689 activity logging was incorrect. Loglevel 0 produces no 19690 logging. Instead, information is logged only with loglevel 19691 1 or higher. Viktor Dukhovni. Files: proto/TLS_README.html, 19692 proto/postconf.proto. 19693 1969420140501 19695 19696 Cleanup: postscreen_dnsbl_timeout parameter. Files: 19697 mantools/postlink, proto/postconf.proto, global/mail_params.h, 19698 postscreen/postscreen.c, postscreen/postscreen_dnsbl.c. 19699 19700 Cleanup: added table search order information to the 19701 postconf(5) manpage. File: proto/postconf.proto. 19702 1970320140505 19704 19705 Cleanup: added a client port attribute to the policy 19706 delegation protocol. Jernej Porenta. File: smtpd/smtpd_check.c. 19707 1970820140507 19709 19710 Bugfix (introduced: Postfix 2.11): with connection caching 19711 enabled (the default), recipients could be given to the 19712 wrong mail server. Root cause: due to an incorrect predicate, 19713 the Postfix SMTP client could save and restore plaintext 19714 connections that should not be cached, under nonsensical 19715 lookup keys that did not distinguish by destination. Problem 19716 reported by Sahil Tandon, predicate error found by Viktor, 19717 redundant connection restore request eliminated by Wietse. 19718 File: smtp/smtp_connect.c. 19719 19720 Cleanup: the macros that control SMTP connection reuse 19721 poorly reflected their purpose. "DEAD" is replaced with 19722 "FORBIDDEN" (no I/O allowed) and "BAD" is replaced with 19723 "THROTTLED" (anything that causes the queue manager to back 19724 off from some destination). Files: smtp.h, smtp_connect.c, 19725 smtp_proto.c, smtp_trouble.c. 19726 19727 Cleanup: enable SMTP connection cache lookup by destination 19728 name while a surge of mail dries up. File: smtp_connect.c. 19729 1973020140505 19731 19732 Bugfix: the postdrop authorized_submit_users feature requires 19733 that lookup table support is initialized so that it can use 19734 libglobal or dynamicmaps maps. File: postdrop/postdrop.c. 19735 19736 Cleanup: moved dynamicmaps initialization from parameter 19737 initialization (mail_conf_suck()) to dictionary initialization 19738 (mail_dict_init()). A benefit of this is that dynamicmaps.cf 19739 is no longer read by programs that don't use Postfix lookup 19740 tables. Files: global/mail_conf.[hc], global/mail_dict.c. 19741 19742 Cleanup: move the mail_dict_init() call after the 19743 mail_conf_read() or mail_params_init() call, to prepare for 19744 a configurable dynamicmaps.cf directory. Files: 19745 master/event_server.c, master/multi_server.c, 19746 master/single_server.c, master/trigger_server.c. 19747 1974820140506 19749 19750 Cleanup: you can now specify "make makefiles parameter=value" 19751 for selected compile-time parameter default overrides. The 19752 old "make makefiles 'CCARGS=-DDEF_MUMBLE=\"mumble\"'" 19753 approach remains supported. File: makedefs. 19754 1975520140508 19756 19757 Cleanup: dynamicmaps.cf is now installed into $daemon_directory 19758 because the file is shared among Postfix instances just 19759 like postfix-files and other files. Files: conf/dynamicmaps.cf, 19760 Makefile.in, conf/postfix-files. 19761 19762 Cleanup: INSTALL is now plain ASCII instead of README format, 19763 to avoid a chicken-and-egg problem (the instructions to 19764 print/view README-format files are in the INSTALL file). 19765 19766 Documentation: updated INSTALL instructions and RELEASE_NOTES. 19767 1976820140512 19769 19770 Portability: Berkeley DB6 support. File: util/dict_db.c. 19771 1977220140514 19773 19774 Cleanup: replace #ifdef/endif containing hard-coded calls 19775 of dynamicmaps functions with an extension mechanism that 19776 dynamicmaps functions invoke instead. Files: util/dict.h, 19777 util/dict_open.c, global/dynamicmaps.[hc], global/mkmap.h, 19778 global/mkmap_open.c. 19779 1978020140515 19781 19782 Bugfix (introduced: 20140320): missing initialization. 19783 Viktor Dukhovni. File pipe/pipe.c. 19784 19785 Cleanup: mkmap_open() now caches a dynamically-loaded 19786 function. This is useful because postmap/postalias may open 19787 the same database type multiple times. Files: global/mkmap.h, 19788 global/mkmap_open.c. 19789 19790 Security: the dynamicmaps.cf file and its and shared-object 19791 files must not be writable by non-root users. File: 19792 global/dynamicmaps.c. 19793 1979420140517 19795 19796 Cleanup: dynamic linking and hooking. Files: util/dict.h, 19797 util/load_lib.[hc], global/dynamicmaps.c. 19798 1979920140518 19800 19801 Preliminary "make plugins" support. Todo: macros to dynamically 19802 remove pluggable maps from compile-time tables in dict_open.c 19803 and mkmap_open.c, and from the OBJS lists in Makefile.in. 19804 1980520140522 19806 19807 Support for "make shared=yes" and "make dynamicmaps=yes". 19808 New plugin_directory parameter for the location of the 19809 dynamicmaps.cf file and for plugins with a relative pathname. 19810 See RELEASE_NOTES and INSTALL for details. Files: postfix.c, 19811 mail_params.[hc], dynamicmaps.c, mail_dict.c, makedefs, 19812 postfix-files, dynamicmaps.cf, Makefile.in, util/Makefile.in, 19813 global/Makefile.in, postlink, postconf.proto. INSTALL.html, 19814 RELEASE_NOTES. 19815 1981620140523 19817 19818 Cleanup: don't install plugins for unsupported databases, 19819 and don't make dynamicmaps.cf entries for them. Files: 19820 makedefs, Makefile.in, util/Makefile.in, global/Makefile.in. 19821 19822 Cleanup: added support for symlinks where the "source" is 19823 specified as a relative pathname. File: postfix-install. 19824 19825 Cleanup: moved instructions from RELEASE_NOTES to INSTALL 19826 to avoid duplication. Files: RELEASE_NOTES, proto/INSTALL.html. 19827 19828 Cleanup: include <dict_lmdb.h> unconditionally so that 19829 dict_lmdb_map_size is always defined. Files: mail_params.c, 19830 dict_test.c. 19831 19832 Cleanup: port for ancient Solaris9 revealed some non-portability. 19833 Files: master/Makefile.in, makedefs, sys_defs.h. 19834 1983520140524 19836 19837 Cleanup: specify database library dependencies with variables 19838 named AUXLIBS_CDB, AUXLIBS_LDAP, etc. The global AUXLIBS 19839 variable is still supported, but the new variables are 19840 required when building dynamically-loadable building database 19841 plugins. Files: RELEASE_NOTES, INSTALL.html, CDB_README.html, 19842 LDAP_README.html, LMDB_README.html, MYSQL_README.html, 19843 PCRE_README.html, PGSQL_README.html, SQLITE_README.html, 19844 makedefs, util/Makefile.in, global/Makefile.in. 19845 19846 Workaround: reportedly, MacOS can fail to move a symlink 19847 with a relative target across file system boundaries, because 19848 it examines the symlink with stat() instead of lstat(). 19849 Files: makedefs, Makefile.in. 19850 19851 Cleanup: use readlink to verify symlink target. File: 19852 postfix-install. 19853 1985420140528 19855 19856 Cleanup: the configuration file dynamicmaps.cf will now 19857 automatically include files under the directory dynamicmaps.cf.d, 19858 just like the configuration file postfix-files will 19859 automatically include files under the directory postfix-files.d. 19860 See INSTALL section "Building with Postfix shared libraries 19861 and database plugins". File: dynamicmaps.c. 19862 1986320140530 19864 19865 Cleanup: add shlib_directory and plugin_directory to the 19866 postmulti-script list of shared parameters. Viktor Dukhovni. 19867 File: postmulti-script. 19868 19869 Cleanup: to avoid "postfix set-permission" errors, don't 19870 create postfix-files entries for non-existent database 19871 plugins. Problem reported by Viktor. File: Makefile.in. 19872 19873 Bugfix: we can't use "mv" to replace a symlink-to-directory. 19874 Instead we now create all symlinks in place. Unfortunately 19875 the "ln -n" option is not universally implemented, so we 19876 remove the old symlink first. Problem reported by Viktor. 19877 File: postfix-install. 19878 1987920140603 19880 19881 Cleanup: use the OpenSSL session id accessor (available 19882 since OpenSSL 0.9.8 or so) instead of groping a session 19883 object directly. Viktor Dukhovni. File: tls_server.c. 19884 1988520140605 19886 19887 Feature: the pipe(8) daemon logs some command output after 19888 successful delivery as "dsn=2.0.0, status=sent (delivered 19889 via XXX service (YYY))" where XXX is the master.cf service 19890 name, and YYY is command output. Files: pipe/command.c, 19891 pipe.c. 19892 1989320140613 19894 19895 Feature: the "pipeline" table implements a table pipeline. 19896 Example "pipeline:!type_1:name_1!...!type_n:name_n". The 19897 ASCII character after "pipeline:" will be used as the 19898 separator between the lookup tables that follow (do not use 19899 space, ",", ":" or non-ASCII). Each "pipeline:" query is 19900 given to the first table. Each lookup result becomes the 19901 query for the next table in the pipeline, and the last table 19902 produces the final result. When any table lookup produces 19903 no result, the pipeline produces no result. Files: 19904 dict_pipe.[hc], dict_open.c, postlink, DATABASE_README.html, 19905 postconf.c. 19906 1990720140617 19908 19909 Feature: the "random" table performs random selection. 19910 Example: "random:!result_1!...!result_n". Each table query 19911 returns a random choice from the specified results. The 19912 ASCII character after "random:" will be used as the separator 19913 between the results that follow (do not use space, ",", ":" 19914 or non-ASCII). Files: dict_random.[hc], dict_open.c, 19915 postlink, DATABASE_README.html, postconf.c. 19916 1991720140618 19918 19919 Cleanup: INFO action in access(5) tables, for consistency 19920 with header/body_checks. Viktor Dukhovni. Files: 19921 smtpd/smtpd_check.c, proto/access. 19922 1992320140619 19924 19925 Cleanup: process LaMont Jones feedback for shared-library 19926 and database-plugin builds. Changes: 1) move non-executable 19927 files from $daemon_directory to the default $config_directory 19928 (postfix-files*, dynamicmaps.cf*, main.cf.proto/master.cf.proto 19929 for multi-instance support); 2) add foo.so -> foo.so.version 19930 symlinks; 3) change $shlib_directory and $plugin_directory 19931 defaults to /usr/lib/postfix to reduce sprawl. Files: 19932 conf/main.cf.proto, conf/master.cf.proto, conf/postfix-files.proto, 19933 conf/post-install, conf/postmulti-script, makedefs, 19934 postfix-install, proto/INSTALL.html, global/dynamicmaps.c, 19935 global/dynamicmaps.h, global/mail_dict.c, global/mail_params.h, 19936 postmulti/postmulti.c. 19937 19938 Bugfix (introduced: 2001): qmqpd null pointer bug when it 19939 logs a lost connection while not in a mail transaction. 19940 Reported by Michal Adamek. File: qmqpd/qmqpd.c. 19941 19942 Cleanup: filter non-printable characters in X509 subject 19943 or issuer names. Viktor Dukhovni. File: tls/tls_server.c. 19944 1994520140620 19946 19947 Cleanup: for compliance with file system policies, some 19948 files have been moved from $daemon-directory to the directory 19949 specified with the new meta_directory parameter which has 19950 the same default value as config_directory. This change 19951 affects non-executable files that are shared among multiple 19952 Postfix instances, such as postfix-files, dynamicmaps.cf, 19953 and multi-instance template files. 19954 19955 For backwards compatibility with Postfix 2.6..2.11, specify 19956 "meta_directory = $daemon_directory" in main.cf before 19957 installing Postfix, or specify "meta_directory = /path/name" 19958 on the "make makefiles", "make install" or "make upgrade" 19959 command line. 19960 19961 Files: Makefile.in, RELEASE_NOTES, conf/post-install, 19962 conf/postfix-files.proto, conf/postmulti-script, makedefs, 19963 mantools/postlink, postfix-install, proto/INSTALL.html, 19964 proto/postconf.proto, global/mail_params.c, global/mail_params.h, 19965 postfix/postfix.c, postmulti/postmulti.c. 19966 19967 Feature: check_xxx_a_access (for xxx in client, reverse_client, 19968 helo, sender, recipient) implements access control on all 19969 A and AAAA IP addresses for the client hostname, helo 19970 parameter, sender domain or recipient domain. Some spam has 19971 sender domains with the same IP address but different MX 19972 hosts. Files: global/mail_params.h, smtpd/smtpd_check.c, 19973 proto/postconf.proto. 19974 1997520140622 19976 19977 Cleanup: eliminated plugin_directory to reduce configuration 19978 parameter sprawl. Files: Makefile.in, RELEASE_NOTES, 19979 conf/post-install, conf/postfix-files.proto, conf/postfix-script, 19980 conf/postmulti-script, makedefs, mantools/postlink, 19981 postfix-install, proto/INSTALL.html, proto/postconf.proto, 19982 global/Makefile.in, global/mail_dict.c, global/mail_params.c, 19983 global/mail_params.h, global/mail_version.h, postfix/postfix.c, 19984 postmulti/postmulti.c, smtpd/smtpd_check.c, util/Makefile.in. 19985 1998620140623 19987 19988 Cleanup: eliminated the use of Postfix release versions as 19989 file name suffixes for shared libraries, database plugins 19990 and dynamicmaps.cf. The shared-library version suffixes 19991 were fighting against assumptions and conventions in run-time 19992 linkers, including the assumption that ABIs are preserved 19993 from one version to the next. The Postfix version can now 19994 be embedded in the shlib_directory parameter. As this is 19995 sufficient to permit upgrade of a running Postfix system 19996 without risking that old binaries will link against newer 19997 shared objects, we no longer need a version suffix for 19998 dynamicmaps.cf. Files: Makefile.in, RELEASE_NOTES, 19999 conf/postfix-files.proto, makedefs, proto/INSTALL.html, 20000 proto/postconf.proto, global/mail_params.h, global/mail_version.h, 20001 2000220140624 20003 20004 Cleanup: the commands "make (makefiles|install|upgrade|package) 20005 parameter=value" now replace the string MAIL_VERSION in a 20006 configuration parameter value with the Postfix release 20007 version. Unfortunately, the more obvious approach, a 20008 parameter value with the unexpanded '$mail_version', produces 20009 inconsistent results with different make implementations. 20010 Files: makedefs, Makefile.in, postfix-install, proto/INSTALL.html, 20011 proto/PACKAGE_README.html 20012 20013 Cleanup: postmulti now requires "postmulti -e init" before 20014 accepting other multi-instance requests. Viktor Dukhovni. 20015 File: conf/postmulti-script. 20016 2001720140625 20018 20019 Kludge: moved dict_db_cache_size away from dict_db.c in 20020 preparation for Berkeley DB database plugin support (a 20021 similar kludge was implemented for LMDB). Files: 20022 util/dict_db.[hc], util/dict_test.c, global/mail_params.c. 20023 20024 Cleanup: don't leak build directory information via SHLIB_ENV 20025 in makedefs.out. Files: Makefile.in, conf/postfix-files. 20026 2002720140626 20028 20029 Cleanup: construction debris. Files: Makefile.in, 20030 conf/postfix-script. 20031 20032 Cleanup: replace the result of MAIL_VERSION expansion with 20033 $mail_version in main.cf installation parameter settings, 20034 to permit safe upgrade of a running mail system. File: 20035 postfix-install. 20036 20037 Cleanup: replace the result of MAIL_VERSION expansion with 20038 $mail_version in built-in default installation parameter 20039 settings, for consistency with main.cf. File: makedefs, 20040 postfix-install, conf/post-install. 20041 20042 Cleanup: removed $mail_version from the default shlib_directory 20043 value. Files: global/mail_params.h, proto/INSTALL.html. 20044 20045 Cleanup: in postfix-script, use find instead of ls to 20046 determine permissions or ownership, and group some checks 20047 with "pathname/." and "pathname/*" into one. Downside: 20048 more warnings will now have "/./" in the middle of a pathname. 20049 File: conf/postfix-script. 20050 20051 Cleanup: need to evaluate mail_version before evaluating 20052 parameters that may contain $mail_version. File: 20053 global/mail_params.c. 20054 20055 Cleanup: the postmulti command now exercises the postconf 20056 "-x" option to expand $parameter_name in secondary-instance 20057 parameter values. File: postmulti/postmulti.c. 20058 20059 Cleanup: post-install also needed to replace the result of 20060 MAIL_VERSION expansion with $mail_version, for the same 20061 reasons as postfix-script. Viktor Dukhovni. File: 20062 conf/post-install. 20063 2006420140627 20065 20066 Bugfix (introduced: 20140626) broken build and broken install 20067 with default shlib_directory. Files: makedefs. 20068 20069 Bugfix (introduced: 20140627) "make install" stopped with 20070 a bogus error when there was no real "make install name=value" 20071 parameter override. Files: conf/post-install. 20072 20073 Cleanup: support MAIL_VERSION magic (see INSTALL) only at 20074 the end of a parameter value. Files: proto/INSTALL.html 20075 makedefs, postfix-install, conf/postfix-files. 20076 20077 Cleanup: use ${mail_version} as the MAIL_VERSION-unexpanded 20078 form. Viktor Dukhovni. Files: makedefs, postfix-install, 20079 conf/postfix-files. 20080 2008120140630 20082 20083 Cleanup: the pipeline and random lookup tables are now 20084 called pipemap and randmap, respectively. These names are 20085 more specific. The old names remain available, at least 20086 temporarily. Files: util/dict_pipe.[hc], util/dict_random.[hc], 20087 postconf/postconf.c, mantools/postlink, proto/DATABASE_README.html. 20088 20089 Feature: smtpd_policy_service_request_limit to limit the 20090 number of requests per Postfix SMTP server policy connection. 20091 This is a workaround to avoid error-recovery delays with 20092 policy servers that cannot maintain a persistent connection. 20093 Based on code by Markus Benning. Files: global/mail_params.h, 20094 mantools/postlink, proto/SMTPD_POLICY_README.html, 20095 proto/postconf.proto, smtpd/smtpd.c, smtpd/smtpd_check.c, 20096 util/attr_clnt.[hc]. 20097 2009820140701 20099 20100 Cleanup: documented how Postfix maintains dictionary 20101 provenance. Provenance matters: for example, the owner UID 20102 of an aliases(5) database file determines the execution 20103 privileges for delivery to |command or /file/name. Refined 20104 the algorithm that computes the provenance of a pipemap, 20105 based on the provenance of its constituent lookup tables. 20106 Files: util/dict.[hc], util/dict_pipe.c. 20107 20108 Cleanup: made mail_spool_directory configurable with "make 20109 makefiles mail_spool_directory=/path/name". This allows 20110 Postfix to be built without any pathnames that reference 20111 system directories. This is useful for testing and sandboxing. 20112 Files: global/mail_params.h, makedefs. 20113 20114 Cleanup: configurable attr_clnt(3) retry strategy (try limit 20115 and retry delay). Files: util/attr_clnt.[hc]. 20116 20117 Feature: control over SMTPD policy lookup error handling: 20118 smtpd_policy_service_try_limit, smtpd_policy_service_retry_delay, 20119 smtpd_policy_service_default_action determine how many times 20120 to try to send a policy request before giving up, the delay 20121 before resending a failed policy request, and a default 20122 action when giving up. The defaults are backwards-compatible. 20123 Files: global/mail_params.h, mantools/postlink, 20124 proto/postconf.proto, smtpd/smtpd.c, smtpd/smtpd_check.c. 20125 2012620140709 20127 20128 Cleanup: bitrot in unused function. File: global/defer.c. 20129 20130 Cleanup: add SYSLIBS minus static libraries while building 20131 Postfix shared-library objects. Files: makedefs, util/Makefile.in, 20132 global/Makefile.in, dns/Makefile.in, master/Makefile.in/. 20133 2013420140708 20135 20136 Bugfix (introduced 20140701): did not restore jumpbuf while 20137 evaluatingsmtpd_policy_service_default_action. Viktor 20138 Dukhovni. File: smtpd/smtpd_check.c. 20139 20140 Feature: VERY PRELIMINARY support for SMTPUTF8 based on an 20141 initial implementation by Arnt Gulbrandsen, funded by CNNIC. 20142 This implements the syntax of SMTP commands and DSN delivery 20143 status notifications. It does not address the problem that 20144 the same domain name may show up in different forms: an 20145 UTF8-encoded name with non-ASCII characters, or an IDNA-encoded 20146 (xn--mumble) name with ASCII-only characters. This means 20147 that access policies, mydestination, virtual_*_domains and 20148 relay_domans will have to understand both forms in order 20149 to provide complete coverage. For now, SMTPUTF8 support 20150 must not be enabled except for testing. 20151 2015220140710 20153 20154 Portability: add '-Wl,--enable-new-dtags' to the linker 20155 command line with building with Postfix shared libraries 20156 on Linux. Viktor Dukhovni. file: makedefs. 20157 2015820140711 20159 20160 Background: What is SMTPUTF8 autodetection? Postfix cannot 20161 rely solely on the sender's declaration that a message 20162 requires SMTPUTF8 support, because UTF8 may be introduced 20163 during local processing (for example, the client hostname 20164 in Postfix's Received: header, adding @$myorigin or .$mydomain 20165 to an incomplete address, address rewriting, alias expansion, 20166 automatic BCC recipients, local forwarding, and modifications 20167 made by header checks or Milter applications). This means 20168 that some form of autodetection is needed that a message 20169 requires SMTPUTF8 support. 20170 20171 Cleanup: don't try to distinguish between UTF that is already 20172 present in a message or envelope, and UTF8 that is introduced 20173 during local processing (see above). Maintaining this 20174 distinction is too problematic. 20175 20176 Cleanup: mailing list friendliness. Allow delivery of 20177 SMTPUTF8 mail to non-SMTPUTF8 servers when a message has 20178 no UTF8 headers, no UTF8 envelope sender, and when the 20179 specific delivery request contains no UTF8 envelope recipient. 20180 This is needed for mailing lists that may have a mix of 20181 UTF8 and non-UTF8 subscriber addresses. File: global/smtputf8.h, 20182 smtp/smtp_proto.c. 20183 20184 Cleanup: moved all SMTPUTF8 detection to the cleanup server, 20185 so that it can apply equally to sendmail command-line 20186 submission, forwarded mail, postmaster notifications, 20187 delivery status notifications, mail received with the qmqpd 20188 server, address verification probes, as well as UTF8 20189 introduced during local processing (see above). Files: 20190 cleanup/cleanup_out.c, cleanup/cleanup_addr.c. 20191 20192 Cleanup: store the SMTPUTF8 message (i.e. non-recipient) 20193 flags in the first queue file record, so that the queue 20194 manager can find the information without having to read 20195 every queue file record. Files: cleanup/cleanup_final.c, 20196 *qmgr/qmgr_message.c. 20197 2019820140713 20199 20200 Interoperability: new parameter smtputf8_autodetect_classes 20201 for selective autodetection that a message requires UTF8SMTP 20202 support. During the initial SMTPUTF8 rollout, this is limited 20203 by default to Postfix sendmail command-line submissions and 20204 address verification probes. Sites that introduce UTF8 20205 during local processing (see above) will have to enable 20206 SMTPUTF8 autodetection for all mail sources. This feature 20207 shares infrastructure with the older internal_filter_classes 20208 feature. Files: bounce/bounce_notify_service.c, 20209 bounce/bounce_notify_verp.c, bounce/bounce_one_service.c, 20210 bounce/bounce_trace_service.c, bounce/bounce_warn_service.c, 20211 global/int_filt.c, global/mail_proto.h, global/smtputf8.c, 20212 local/forward.c, pickup/pickup.c, qmqpd/qmqpd.c, smtp/smtp_chat.c, 20213 smtpd/smtpd.c, smtpd/smtpd_chat.c, verify/verify.c. 20214 20215 Feature: preliminary message/global support. This does not 20216 yet parse encoded message/global (such as message/global 20217 sent through an non-8BITMIME system). Such mail cannot yet 20218 be inspected with header_checks. File: global/mime_state.c. 20219 2022020140714 20221 20222 Cleanup: update the "smtputf8" delivery request flags when 20223 VERP expansion causes an UTF8 recipient address to appear 20224 in the envelope sender address. Files: *qmgr/qmgr_deliver.c. 20225 20226 Cleanup: emit the correct content transfer encoding name 20227 when downgrading message/global as quoted-printable. File: 20228 global/mime_state.c. 20229 20230 Cleanup: generate a bounce message with MIME type *global* 20231 only when the original message requested SMTPUTF8 support. 20232 File: bounce/bounce_notify_util.c. 20233 20234 Cleanup: propagate the "SMTPUTF8 support requested" flag 20235 when bouncing a message or when forwarding a message through 20236 a local alias or .forward file. Files: local/forward.c, 20237 bounce/bounce_notify_util.c, src/global/post_mail.[hc], and 20238 specify a dummy argument SMTPUTF8_FLAGS_NONE in all other 20239 programs that programs that invoke post_mail_fopen*(), 20240 2024120140715 20242 20243 Cleanup: change extract_addr() API to indicate that an 20244 address is parsed in SMTPUTF8 context. File: smtpd/smtpd.c. 20245 20246 Cleanup: shared-library build fixes. Viktor Dukhovni. Files: 20247 makedefs, dns/Makefile.in, global/Makefile.in, master/Makefile.in, 20248 tls/Makefile.in, util/Makefile.in. 20249 20250 First general release with SMTPUTF8 support; see RELEASE_NOTES 20251 for an initial writeup. The last pre-SMTPUTF8 release is 20252 snapshot 20140713. 20253 2025420140716 20255 20256 Paranoia: validate UTF8 before exposing it to libicuuc. 20257 File: util/midna.c. 20258 20259 Typo: Postfix did not warn when smtputf8_enable=yes while 20260 UTF-8 support is not compiled in. File: global/mail_params.c. 20261 20262 Cleanup: hard-coded GCC dependencies. Eray Aslan. File: 20263 makedefs. 20264 2026520140717 20266 20267 Safety: manipulate unsigned characters while decoding. 20268 Files: global/xtext.c, global/uxtext.c. 20269 20270 Infrastructure: ACE label to UTF-8 conversion. Files: 20271 util/midna.[hc]. 20272 20273 Infrastructure: macro expansion with printable() filter. 20274 Files: util/mac_expand.[hc]. 20275 20276 Feature: when expanding myhostname or mydomain in bounce 20277 template messages, and smtputf8_enable=yes, convert ACE 20278 (xn--mumble) labels into UTF-8. bounce/bounce_template.c. 20279 2028020140720 20281 20282 Cleanup: charset selection and content-transfer encoding 20283 in bounce messages (work in progress). The proper solution 20284 requires separate handling of the returned-message MIME 20285 properties and of the (boiler-plate text, delivery status) 20286 MIME properties. File: bounce/bounce_notify_util.c. 20287 2028820140722 20289 20290 Documentation: the TLS_README example for creating a 20291 self-signed certificate was incomplete. Also, added 20292 "smtp_tls_loglevel = 1" and "smtpd_tls_loglevel = 1" settings 20293 to cookbook recipes, so that TLS handshake results will be 20294 logged. Viktor Dukhovni. File: proto/TLS_README.html. 20295 20296 Documentation: update Perl MIME::Base64 example. File: 20297 proto/SASL_README.html. 20298 20299 Documentation: update pointer to Bennett Todd's SMTP proxy. 20300 File: proto/SMTPD_PROXY_README.html. 20301 2030220140725 20303 20304 Documentation: describe what features are controlled by 20305 parent_domain_matches_subdomains, both in the description 20306 of the controlled feature, and in the description of 20307 parent_domain_matches_subdomains. File: proto/postconf.proto. 20308 20309 Cleanup: smtpd_client_event_limit_exceptions is now controlled 20310 with parent_domain_matches_subdomains, with backwards-compatible 20311 default (specify .example.com in order to match subdomains 20312 of example.com). Files: smtpd/smtpd.c. 20313 20314 Documentation: SMTPUTF8_README, an updated version of text 20315 that was originally part of the RELEASE_NOTES file. Files: 20316 proto/SMTPUTF8_README.html, proto/Makefile.in, html/index.html. 20317 2031820140731 20319 20320 Feature: the Postfix SMTP server now logs at the end of a 20321 session how many times each SMTP command was successfully 20322 invoked, followed by the total number of invocations if it 20323 is different. File: smtpd/smtpd.c. 20324 2032520140802 20326 20327 Workaround: detect mis-configuration where Postfix talks 20328 to the Dovecot master socket instead of the Dovecot userdb 20329 socket. Timo Sirainen. File: xsasl/xsasl_dovecot_server.c. 20330 2033120140904 20332 20333 Logging: the MySQL client now logs a warning when a match 20334 against the "domain" list fails due to table lookup error 20335 (the underlying mechanism already logs a warning, but it 20336 has less context information). File: global/dict_mysql.c. 20337 2033820140907 20339 20340 Feature: with "confirm_delay_cleared = yes", Postfix informs 20341 the sender when delayed mail leaves the queue. This can 20342 result in a sudden burst of notifications at the end of a 20343 prolonged network outage, and is therefore disabled by 20344 default. Files: mantools/postlink, proto/postconf.proto, 20345 global/deliver_request.h, global/mail_params.h, global/sent.c, 20346 *qmgr/qmgr.c, *qmgr/qmgr_active.c, *qmgr/qmgr_message.c. 20347 2034820140908-14 20349 20350 Feature: for the first time in 17 years, support for 20351 ${name?if-nonempty:if-empty} macro expressions, and for 20352 logical expressions ${logical-expr?if-true:if-false}. In 20353 preparation for configurable message headers and logging. 20354 Files: util/mac_expand.c. 20355 2035620140914 20357 20358 Bugfix (introduced: 19971026): a zero precision value in 20359 %.*s and $.<digits>s was implemented as if no precision 20360 value was specified, i.e. print the entire string. This was 20361 not harmful, it just looked weird. File: util/vbuf_print.c. 20362 2036320140917 20364 20365 Feature: RFC 7372 enhanced status code for unknown SMTP 20366 client hostnames. File: smtpd/smtpd_check.c 20367 20368 Bugfix: the accept() calls in test progams escaped attention 20369 when Postfix 2.2 was ported to IPv6. Problem found by Mark 20370 Martinec. Files: smtpstone/smtp-sink.c, smtpstone/qmqp-sink.c. 20371 2037220140918 20373 20374 Cleanup: log a warning when the cleanup server detects too 20375 many hops. smtpd(8) does not log any of the CLEANUP_STAT_XXX 20376 results. The pickup server logs some because there is no 20377 client to send the problem description to. This logic of 20378 who logs what needs to be revisited. File: 20379 cleanup/cleanup_message.c. 20380 2038120140919 20382 20383 Usability: randmap and pipemap syntax, for example, 20384 pipemap:{type_1:name_1, ..., type_n:name_n}. This required 20385 small updates to code that parses input into lookup table 20386 names. Files: global/data_redirect.c, global/maps.c, 20387 global/server_acl.c, postconf/postconf.c, postconf/postconf_dbms.c, 20388 postconf/test58.ref, proto/DATABASE_README.html, 20389 proxymap/proxymap.c, smtpd/smtpd_check.c, util/argv.h, 20390 util/balpar.c, util/dict_pipe.c, util/dict_random.c, 20391 util/match_list.c, util/mystrtok.c, util/argv_splitq.c, 20392 util/stringops.h. 20393 20394 Cleanup: added PRINTFLIKE() to enable missing format string 20395 checks. Files: bounce/bounce_template.h, global/memcache_proto.h, 20396 global/dict_memcache, postconf/postconf.h, util/dict.h, 20397 util/msg.h. 20398 2039920140920 20400 20401 Bugfix (introduced: 20080212): incorrect client name in 20402 reject messages from check_reverse_client_hostname_access 20403 and check_reverse_client_hostname_{a,mx,ns}_access. They 20404 replied with the verified client name, instead of the name 20405 that was rejected. Problem reported by Reindl Harald. File: 20406 smtpd/smtpd_check.c. 20407 2040820140921 20409 20410 Cleanup: postconf code to determine the default mydomain 20411 value had not evolved since 1997, while the rest of Postfix 20412 changed in 2000. File: postconf/postconf-dbms.c. 20413 2041420140922 20415 20416 Cleanup: the confirm_delay_cleared feature now sends no 20417 notification when the sender requests NOTIFY options that 20418 do not include NOTIFY=DELAY. Files: global/deliver_request,h, 20419 global/sent.c, *qmgr/qmgr_active.c, *qmgr/qmgr_message.c. 20420 20421 Bugfix (introduced: yesterday): missing print arguments. 20422 File: postconf/postconf_dbms.c. 20423 20424 Cleanup: simplified "nested" lookup table checks. 20425 20426 Cleanup: replace stress-dependent main.cf defaults with the 20427 ternary form: "${stress?{x}:{y}}" File: global/mail_params.h, 20428 proto/postconf.proto, postscreen/postscreen.c (comments). 20429 2043020140923 20431 20432 Cleanup: dict_db and dict_lmdb global settings. Files: 20433 global/mail_params.c, util/dict_open.c. 20434 20435 Feature: unionmap, based on contribution by Roel van Meer. 20436 Files: mantools/postlink, postconf/postconf.c (manpage), 20437 proto/DATABASE_README.html, util/dict_open.c, util/dict_union.[hc]. 20438 2043920140924 20440 20441 Bugfix (introduced: 20060117): the escape function didn't 20442 correctly convert non-ASCII. File: util/unescape.c. 20443 20444 Bugfix (introduced: 201407): missing conversions for non-ASCII 20445 domain names in permit_mx_backup, check_mumble_{a,mx,ns}_access 20446 and reject_unknown_{sender,recipient}_domain. Mark Martinec. 20447 File: smtpd/smtpd_check.c. 20448 2044920140925 20450 20451 Cleanup: support for per-Milter settings, for example: 20452 smtpd_milters = {inet:host:port, default_action=accept, 20453 ...}. Specify the Milter endpoint address followed by zero 20454 or more attribute=value pairs separated by comma or space. 20455 The supported attributes are command_timeout, connect_timeout, 20456 content_timeout, default_action, and protocol. These have 20457 the same names as the corresponding main.cf parameters, 20458 minus the "milter_" prefix. Files: global/mail_conf_over.c, 20459 global/mail_conf_str.c, global/mail_conf_time.c, 20460 global/mail_conf.h, milter/milters.c. 20461 2046220140927 20463 20464 Cleanup: specify { name = value } in per-Milter settings, 20465 to support space around the "=" or comma/space within the 20466 value. Files: global/attr_over.[hc]. 20467 20468 Cleanup: "postconf -n" now only shows config_directory when 20469 an override is in effect (environment, -c or -o). 20470 20471 Cleanup: support for master.cf arguments inside {}, to 20472 protect arguments that contain whitespace. File: 20473 master/master_ent.c, postconf/postconf_master.c, 20474 postconf/test59.ref. 20475 20476 Cleanup: support for per-policy client settings, for example: 20477 check_policy_service {inet:host:port, default_action=dunno, 20478 timeout=50s, ...}. Specify the policy server endpoint address 20479 followed by zero or more attribute=value pairs separated 20480 by comma or space. Specify { name = value } for attributes 20481 that contain whitespace; otherwise, space is not allowed 20482 around the "=". The supported attributes are default_action, 20483 max_idle, max_ttl, request_limit, retry_delay, timeout, and 20484 try_limit. These have the same names as the corresponding 20485 main.cf parameters, minus the "smtpd_policy_service_" prefix. 20486 Files: global/mail_conf_int.c, global/mail_conf.h, 20487 global/attr_override.[hc], smtpd/smtpd_check.c. 20488 2048920140928 20490 20491 Cleanup: extpar.c module to reduce code duplication. Files: 20492 global/attr_override.c, master/master_ent.c, milter/milter.c, 20493 postconf/postconf_dbms.c, postconf/postconf_master.c, 20494 smtpd/smtpd_check.c, util/extpar.c, util/stringops.h. 20495 20496 Cleanup: the table-driven code for per-Milter and per-policy 20497 overrides now updates stack-based variables, instead of 20498 (ugh) statically-allocated variables. Files: 20499 global/attr_override.[hc], smtpd/smtpd_check.c, milter/milter.c. 20500 20501 Documentation: added advanced configuration sections for 20502 how to use per-Milter and per-policy settings. Files: 20503 proto/SMTPD_POLICY_README.html, proto/MILTER_README.html. 20504 20505 Cleanup: force LANG=C to prevent groff from outputting 20506 non-ASCII cruft into the HTML-ized manpages. Files: 20507 html/Makefile.in, proto/Makefile.in, many HTML output files. 20508 2050920140929 20510 20511 Cleanup: the table-driven code for per-Milter and per-policy 20512 overrides now updates arbitrary variables, so that it can 20513 also be used for, say, TLS policies. Files: 20514 global/attr_override.[hc], smtpd/smtpd_check.c, milter/milter.c. 20515 20516 Documentation: support for "{ argument with whitespace }" 20517 in master(5) and pipe(8). Files: proto/master, src/pipe/pipe.c. 20518 20519 Documentation: in ADDRES_VERIFY_README, replaced "nearest 20520 MTA" with "preferred MTA". The SMTP client was changed years 20521 ago to try alternate MXes after a 4XX SMTP server response. 20522 File: proto/ADDRES_VERIFY_README.html. 20523 2052420141001 20525 20526 Safety: backwards-compatibility safety net that forces 20527 Postfix to run with backwards-compatible default settings 20528 after an upgrade to a newer Postfix version. Postfix logs 20529 all uses of those backwards-compatible default settings so 20530 that the system administator can determine whether or not 20531 some backwards-compatible default settings need to be made 20532 permanent in main.cf or master.cf. All this is controlled 20533 with a new compatibility_level parameter, default value 0. 20534 Files: global/mail_params.[hc], trivial-rewrite/rewrite.c, 20535 master/master_ent.c, smtpd/smtpd.c, postfix/postfix.c. 20536 20537 New defaults for master.cf chroot (n), append_dot_mydomain 20538 (no) and smtputf8_enable (yes). File: global/mail_params.h, 20539 global/mail_params.c, smtp/smtp.c (manpage), smtpd/smtpd.c 20540 (manpage), trivial-rewrite/trivial-rewrite.c. 20541 20542 Simple relational expression evaluator so that main.cf 20543 defaults can be made dependent on comparisons with the 20544 compatibility_level parameter value. File: util/mac_expand.c. 20545 20546 Bugfix: do not reset the mail transaction after receiving 20547 a non-ASCII recipient. File: smtpd/smtpd.c. 20548 2054920141002 20550 20551 Cleanup: moved the details of BC safety-net messages from 20552 RELEASE_NOTES to postconf(5) manpage, and changed the wording 20553 of the BC messages. Files: RELEASE_NOTES, proto/postconf.proto, 20554 master/master_ent.c, smtpd/smtpd.c, trivial-rewrite/rewrite.c. 20555 2055620141003 20557 20558 Workaround: kludge for multiple paragraphs of text in 20559 indented paragraphs. Files: mantools/postconf2html, 20560 mantools/postconf2man, proto/Makefile.in, proto/postconf.proto 20561 2056220141005 20563 20564 Cleanup: CHARSET_COMMA_SP, CHARSET_SPACE and CHARSET_BRACE 20565 to prepare for the elimination of ad-hoc string constants. 20566 File: util/sys_defs.h. 20567 20568 Cleanup: allow "{ name=value }" to protect whitespace in 20569 import_environment and export_environment. Files: 20570 proto/postconf.proto, global/mail_parm_split.c, global 20571 /mail_parm_split.h, global/mail_stream.c, local/command.c, 20572 master/master.c, pipe/pipe.c, postdrop/postdrop.c, 20573 postfix/postfix.c, postmulti/postmulti.c, postqueue/postqueue.c, 20574 spawn/spawn.c. 20575 2057620141006 20577 20578 Backwards compatibility: log a helpful message when "localhost" 20579 is missing from mydestination. Files: trivial_rewrite/rewrite.c, 20580 trivial_rewrite/resolve.c, trivial-rewrite/trivial-rewrite.h, 20581 proto/postconf.proto. 20582 20583 Cleanup: message_drop_header for configurable header dropping 20584 (default: bcc, content-length, resent-bcc, return-path). 20585 The list of supported header names covers RFC 5321, 5322, 20586 MIME RFCs, and some historical names. File: global/header_opts.c, 20587 global/mail_params.[hc], cleanup/cleanup.c (manpage), 20588 proto/postconf.proto, mantools/postlink. 20589 2059020141008 20591 20592 New defaults: "relayhost=" and "mynetworks_style = host", 20593 plus a backwards-compatibility safety net that warns when 20594 the change in defaults could result in rejection of mail 20595 (with mynetworks_style this requires that Postfix evaluates 20596 both old and new default values). Files: proto/postconf.proto, 20597 global/flush_clnt.c, global/mail_params.c, global/mail_params.h, 20598 global/mynetworks.c, global/mynetworks.h, global/server_acl.c, 20599 postconf/postconf_builtin.c, smtpd/smtpd.c, smtpd/smtpd_check.c. 20600 2060120141009 20602 20603 Documentation: moved the gory details from postconf(5) to 20604 a new COMPATIBILITY_README document. Files: proto/postconf.proto, 20605 proto/COMPATIBILITY_README.html html/index.html. 20606 20607 Documentation: update the conf/main.cf compatibility_level 20608 setting for new Postfix installs, and updated a reminder 20609 in mail_params.h. 20610 2061120141010 20612 20613 Cleanup: make "const char myname[]" declarations static. 20614 global/attr_override.c, global/bounce.c, global/dsn_filter.c, 20615 global/dynamicmaps.c, global/mkmap_open.c, global/smtputf8.c, 20616 smtp/smtp_key.c, smtpd/smtpd_check.c, util/dict_pipe.c, 20617 util/dict_union.c, util/mac_expand.c, util/midna.c, 20618 util/valid_utf8_hostname.c. 20619 20620 Documentation: summarize the user-specified "make makefiles" 20621 settings at the top of makedefs.out. This file now has so 20622 many internal variables that people would get lost. 20623 2062420141011 20625 20626 Cleanup: replaced cryptic macros X_SMTP() and SMTP_X() with 20627 more descriptive names: LMTP_SMTP_SUFFIX() and VAR_LMTP_SMTP(). 20628 Files: smtp/smtp.c, smtp/smtp.h, smtp/smtp_chat.c, 20629 smtp/smtp_connect.c, smtp/smtp_proto.c, smtp/smtp_sasl_glue.c, 20630 smtp/smtp_sasl_proto.c, smtp/smtp_tls_policy.c. 20631 2063220141012 20633 20634 Cleanup: missing format-string checks. Files: master/master_ent.c, 20635 posttls-finger/posttls-finger.c, smtpd/smtpd_proxy.c. 20636 20637 Bugfix (introduced: Postfix 2.3): the PREPEND access/policy 20638 action added headers ABOVE Postfix's own Received: header, 20639 exposing Postfix's own Received: header to Milters (protocol 20640 violation) and hiding the PREPENDed header from Milters. 20641 The latter caused problems for DMARC implementations with 20642 SPF policy plus DKIM Milter. PREPENDed headers are now 20643 added BELOW Postfix's own Received: header and remain visible 20644 to Milters. File: smtpd/smtpd.c. 20645 2064620141013 20647 20648 Cleanup: configuration file line numbers in error/warning 20649 messages could point to comment lines before or after the 20650 problem. Files: util/readlline.[hc], master/master_ent.c, 20651 postalias/postalias.c, postmap/postmap.c, util/dict.c, 20652 util/dict_cidr.c, util/dict_pcre.e, util/dict_regexp.c, 20653 util/dict_thash.c, postconf/postconf_master.c. 20654 2065520141014 20656 20657 Portability: Darwin 11.x needs to link with -lresolv. Viktor 20658 Dukhovni. File: makedefs. 20659 20660 Documentation: ICU (unicode) library package names. File: 20661 proto/SMTPUTF*_README.html. 20662 2066320141015 20664 20665 Cleanup: master.cf line number reporting made more consistent 20666 with similar code elsewhere. File: master/master_ent.c. 20667 20668 Backed out SMTP client TLS fallback due to multiple problems. 20669 2067020141018 20671 20672 Bugfix (introduced: Postfix 2.3): when a Milter inserted a 20673 header ABOVE Postfix's own Received: header, Postfix would 20674 expose its own Received: header to Milters (violating 20675 protocol) and hide the Milter-inserted header from Milters 20676 (wtf). Files: cleanup/cleanup.h, cleanup/cleanup_message.c, 20677 cleanup/cleanup_state.c, milter/milter.[hc], milter/milter8.c. 20678 20679 Cleanup: revert the workaround that places headers inserted 20680 with PREPEND actions or policy requests BELOW Postfix's own 20681 Received: message header. File: smtpd/smtpd.c. 20682 2068320141019 20684 20685 Cleanup: replace dozens and dozens of ad-hoc string constants 20686 with CHARS_SPACE, CHARS_COMMA_SP, and CHARS_BRACE. Files: 20687 52, too many files to mention here. 20688 20689 Bugfix: the recently-introduced randmap, pipemap, and 20690 unionmap did not check for all possible forms of "empty 20691 list". Files: util/dict_random.c, util/dict_pipe.c, 20692 util/dict_union.c. 20693 20694 Documentation: word smithing. File: proto/master. 20695 20696 Cleanup: the last remaining remnants of the withdrawn 20697 smtp_tls_fallback_level feature. Files: mantools/postlink, 20698 global/mail_params.h. 20699 2070020141021 20701 20702 Per IETF TLS WG consensus, the tls_session_ticket_cipher 20703 default setting was changed from aes-128-cbc to aes-256-cbc. 20704 Take that, you quantum computer attackers! Viktor Dukhovni. 20705 Files: proto/postconf.proto, global/mail_params.h. 20706 2070720141024 20708 20709 Cleanup: added $smtpd_mumble_restrictions to the proxy_read_maps 20710 default setting. File: global/mail_params.h. 20711 20712 Documentation: different header/body checks for MX service 20713 and SMTP submissions. File: proto/BUILTIN_FILTER_README.html. 20714 20715 Cleanup: don't send "bare" original recipient in SMTP DSN 20716 attributes. File: cleanup/cleanup_addr.c. 20717 20718 Feature: smtp-sink -N option to suppress DSN announcement. 20719 File: smtpstone/smtp-sink.c. 20720 2072120141025 20722 20723 Bugfix (introduced: Postfix 2,11): core dump when 20724 smtp_policy_maps specifies an invalid TLS level. Viktor 20725 Dukhovni. File: smtp/smtp_tls_policy.c. 20726 2072720141103 20728 20729 Logging: when a connection is closed, log the request counts 20730 for unimplemented STARTTLS or AUTH commands separately, 20731 instead of logging such commands as "unknown". File: 20732 smtpd/smtpd.c. 20733 2073420141106 20735 20736 Cleanup: set errno to ETIMEDOUT after postscreen handshake 20737 timeout event, so that warnings report the correct error. 20738 File: tlsproxy/tlsproxy.c. 20739 2074020141112 20741 20742 Documentation: 24 identical typos. File: proto/postconf.proto. 20743 20744 Workaround: support space after "MAIL FROM:" and "RCPT TO:" 20745 in smtpd_command_filter examples. Reportedly, cashedge.com's 20746 software (used by banks) needs this (source: Claus Assmann). 20747 File: proto/postconf.proto. 20748 2074920141117 20750 20751 Cleanup: use ~0U instead of (unsigned) -1. Based on 20752 complaints from the BEAM static analyzer. Files: 20753 global/mynetworks.c, postconf/postconf.c, util/cidr_match.c. 20754 20755 Cleanup: forgot the "do" in "do { stuff } while (0)" macros. 20756 Luckily, this had caused no problem. Based on complaints 20757 from the BEAM static analyzer. Files: util/dict_cdb.c, 20758 util/dict_dbm.c, util/dict_lmdb.c, util/dict_pcre.c, 20759 util/dict_regexp.c, util/dict_sockmap.c, util/dict_thash.c. 20760 20761 Bugfix (introduced: Postfix 2.9): lockfile descriptor leak 20762 after error. Based on complaints from the BEAM static 20763 analyzer. File: util/dict_db.c. 20764 20765 Bugfix (introduced: Postfix 1.1): don't "set" the null byte 20766 element in the base64 and base32 decoding maps. Based on 20767 complaints from the BEAM static analyzer. Files: util/base64_code, 20768 util/base32_code.c. 20769 20770 Cleanup: don't exit(0) after failing to run showq(8). Based 20771 on complaints from the BEAM static analyzer. File: 20772 postqueue/postqueue.c. 20773 20774 Bugfix: memory leak when getaddrinfo() returns a result 20775 that is neither IPv4 nor IPv6. Based on complaints from 20776 the BEAM static analyzer. File: smtp/smtp_addr.c. 20777 20778 Cleanup: use more meaningful name for global variable so 20779 that it isn't shadowed by a local variable. Based on 20780 complaints from the BEAM static analyzer. smtpstone/smtp-sink.c. 20781 2078220141119 20783 20784 Cleanup: base64 test driver. File: base64_code.c. 20785 20786 Cleanup: make the CONST_CHAR_STAR typedef project-wide. 20787 Files: global/attr_override.h, util/sys_defs.h. 20788 20789 Feature: BCC action in header/body_checks and milter_header_checks. 20790 Files: proto/header_checks, cleanup/cleanup.h, 20791 cleanup/cleanup_extracted.c, cleanup/cleanup_message.c, 20792 cleanup/cleanup_milter.c, cleanup/cleanup_milter.in16a, 20793 cleanup/cleanup_milter.ref16a1, cleanup/cleanup_milter.ref16a2, 20794 cleanup/cleanup_milter.reg16a, cleanup/cleanup_state.c, 20795 cleanup/test-queue-file16, global/attr_override.h, 20796 global/cleanup_strflags.c, global/cleanup_user.h, 20797 util/sys_defs.h. 20798 20799 Cleanup: don't write back-to-back queue file pointer records 20800 when the "add recipient" action was a NOOP (e.g., because 20801 the recipient was a duplicate). File: cleanup/cleanup_milter.c. 20802 2080320141120 20804 20805 Documentation: COMPATIBILITY_README now has "purpose of 20806 this document" section, plus a separate section for turning 20807 off the safety net. File: proto/COMPATIBILITY_README.html 20808 2080920131121 20810 20811 Cleanup: replace mua_mumble with msa_mumble in master.cf 20812 submission and smtps service parameter overrides. File: 20813 proto/BUILTIN_FILTER_README.html. 20814 20815 Feature: "static:{ text with whitespace }". This could be 20816 used as check_mumble_access static:{reject text...} at the 20817 end of smtpd_mumble_restrictions. Files: util/dict_static.c, 20818 util/Makefile.in, util/dict_static_test.ref, 20819 proto/DATABASE_README.html. postconf/postconf.c (manpage). 20820 2082120141126 20822 20823 Feature: "inline:{key=value, { key = text with comma/space}}" 20824 avoids the need to create a database for just a few entries. 20825 Files: util/dict_inline.[hc], mantools/postlink, 20826 proto/DATABASE_README.html. postconf/postconf.c (manpage), 20827 util/dict_inline.[hc], util/dict_open.c, util/Makefile.in, 20828 util/dict_inline_test.ref. 20829 20830 Cleanup: report nullmx DNS records as "domain does not 20831 accept mail", instead of "invalid DNS response". The Postfix 20832 SMTP client already bounced mail for such domains, and the 20833 Postfix SMTP server already rejected such domains with 20834 reject_unknown_sender/recipient_domain. This introduces a 20835 new SMTP server configuration parameter nullmx_reject_code 20836 (default: 556). Files: src/dns/dns_lookup.[hc], dns/Makefile,in, 20837 dns/nullmx_test.ref, src/smtp/smtp_addr.c, smtpd/smtpd_check.c, 20838 smtpd/smtpd_check_nullmx.in, smtpd/smtpd_check_nullmx.ref, 20839 mantools/postlink, proto/postconf.proto, smtpd/smtpd.c. 20840 20841 Cleanup: added some missing libdns tests: dns/Makefile,in, 20842 dns/mxonly_test,ref, dns/nxdomain_test.ref 20843 20844 Cleanup: libglobal "make test" had suffered from bitrot. 20845 Files: global/mime_state.c, global/header_body_checks.c. 20846 2084720141127 20848 20849 Feature: DNS reply filter, configured with smtp_dns_reply_filter, 20850 smtpd_dns_reply_filter, and lmtp_dns_reply_filter. Files: 20851 mantools/postlink, proto/postconf.proto, dns/dns.h, 20852 dns/dns_lookup.c, dns/dns_rr_filter.c, dns/dns_strrecord.c, 20853 dns/error.ref, dns/error.reg, dns/mxonly_test.ref, dns/no-a.ref, 20854 dns/no-a.reg, dns/no-aaaa.ref, dns/no-aaaa.reg, dns/no-mx.ref, 20855 dns/no-mx.reg, dns/nullmx_test.ref, dns/test_dns_lookup.c, 20856 global/mail_params.h, smtp/lmtp_params.c, smtp/smtp.c, 20857 smtp/smtp_addr.c, smtp/smtp_params.c, smtpd/smtpd.c, 20858 smtpd/smtpd_check.c, smtpd/smtpd_dns_filter.{in,ref}. 20859 2086020141130 20861 20862 Cleanup: when searching multiple DNS record types for a 20863 specific name, and not all queries return the same result 20864 status, do not blindly return the last query's rcode and 20865 diagnostic text. Instead, return rcode and text that is 20866 consistent with the aggregate result status. 20867 20868 Cleanup: un-broke several smtpd regression tests (work in 20869 progress, with three more to go). Files: smtpd/smtpd_check.c, 20870 smtpd/smtpd_server.{in,ref}, smtpd/smtpd_exp.{in,ref}. 20871 smtpd/smtpd_dnswl.{in,ref}. 20872 20873 Documentation: added note on Milter-signing bounces. 20874 2087520141201 20876 20877 Bugfix (introduced: 20141130): memory leak. File: dns_lookup.c. 20878 20879 Cleanup: un-broke several dns regression tests by sorting 20880 getaddrinfo() results by address family. Files: dns/dns_rr_eq_sa.c, 20881 dns/dns_rr_eq_sa.ref, dns/dns_sa_to_rr.c, dns/dns_sa_to_rr.ref. 20882 20883 Cleanup: missing #ifdef in smtpd_check test driver. File: 20884 smtpd/smtpd_check.c. 20885 20886 Cleanup: fix google.com regexp in smtp_dns_reply_filter 20887 example. Viktor Dukhovni. File: proto/postconf.proto. 20888 20889 Cleanup: in the ASCII form of DNS resource records, add 20890 space after the TLSA match-type field. Viktor Dukhovni. 20891 File: dns/dns_strrecord.c. 20892 2089320141202 20894 20895 Cleanup: to increase clarity. rename DNS result status from 20896 DNS_UNAVAIL to DNS_NULLMX. If someone uses the same zero-length 20897 name trick with some other resource type, then we will worry 20898 about that later. Files: smtpd/smtpd_check.c, smtp/smtp_addr.c, 20899 dns/dns.h, dns/dns_lookup.c. 20900 20901 Cleanup: eliminate TLS state duplication from state->tls 20902 to session->tls. Viktor Dukhovni. Files: src/smtp/smtp.h, 20903 src/smtp/smtp_connect.c, src/smtp/smtp_proto.c, 20904 src/smtp/smtp_reuse.c, src/smtp/smtp_session.c. 20905 2090620141203 20907 20908 Feature: support to match UTF8 domain names against ASCII 20909 names in TLS certificates. Viktor Dukhovni. Files: 20910 posttls-finger/posttls-finger.c, tls/tls_client.c. 20911 2091220141206 20913 20914 Cleanup: use (char *) only for strings, not for data. The 20915 "void *" type was not fully portable during initial Postfix 20916 development, but we no longer have that problem. Also started 20917 the migration of data structure sizes/counters to ssize_t/size_t 20918 (the IBM Beam analyzer identified lots of unnecessary 64-bit 20919 to 32-bit conversions). The transformation and verification 20920 were mostly mechanical with manual supervision. Files: 20921 anvil/anvil.c, bounce/bounce.c, bounce/bounce_notify_util.c, 20922 bounce/bounce_template.c, bounce/bounce_templates.c, 20923 cleanup/cleanup_message.c, cleanup/cleanup_region.c, 20924 cleanup/cleanup_state.c, dns/dns_lookup.c, dns/dns_rr.c, 20925 dns/dns_rr_eq_sa.c, dns/dns_rr_to_sa.c, dns/test_dns_lookup.c, 20926 flush/flush.c, global/abounce.c, global/abounce.h, 20927 global/been_here.c, global/bounce_log.c, global/clnt_stream.c, 20928 global/db_common.c, global/deliver_request.c, 20929 global/delivered_hdr.c, global/dict_ldap.c, global/dict_mysql.c, 20930 global/dict_pgsql.c, global/dsn.c, global/dsn_buf.c, 20931 global/dsn_filter.c, global/dynamicmaps.c, 20932 global/header_body_checks.c, global/header_opts.c, 20933 global/mail_addr_crunch.c, global/mail_stream.c, 20934 global/mail_version.c, global/maps.c, global/mbox_open.c, 20935 global/mime_state.c, global/mkmap_open.c, global/msg_stats_scan.c, 20936 global/mypwd.c, global/post_mail.c, global/rcpt_buf.c, 20937 global/recipient_list.c, global/scache_clnt.c, 20938 global/scache_multi.c, global/scache_single.c, 20939 global/smtp_reply_footer.c, global/smtp_reply_footer.h, 20940 global/tok822_node.c, local/biff_notify.c, local/forward.c, 20941 local/local_expand.c, local/unknown.c, master/event_server.c, 20942 master/master.c, master/master_avail.c, master/master_ent.c, 20943 master/master_monitor.c, master/master_proto.c, 20944 master/master_sig.c, master/master_spawn.c, master/master_status.c, 20945 master/master_vars.c, master/master_wakeup.c, 20946 master/multi_server.c, master/single_server.c, 20947 master/trigger_server.c, milter/milter.c, milter/milter8.c, 20948 milter/milter_macros.c, oqmgr/qmgr.c, oqmgr/qmgr_active.c, 20949 oqmgr/qmgr_deliver.c, oqmgr/qmgr_entry.c, oqmgr/qmgr_message.c, 20950 oqmgr/qmgr_queue.c, oqmgr/qmgr_transport.c, pipe/pipe.c, 20951 postalias/postalias.c, postconf/postconf.h, 20952 postconf/postconf_builtin.c, postconf/postconf_edit.c, 20953 postconf/postconf_lookup.c, postconf/postconf_main.c, 20954 postconf/postconf_master.c, postconf/postconf_node.c, 20955 postconf/postconf_service.c, postconf/postconf_user.c, 20956 postmap/postmap.c, postmulti/postmulti.c, postscreen/postscreen.c, 20957 postscreen/postscreen.h, postscreen/postscreen_dnsbl.c, 20958 postscreen/postscreen_early.c, postscreen/postscreen_expand.c, 20959 postscreen/postscreen_haproxy.c, postscreen/postscreen_send.c, 20960 postscreen/postscreen_smtpd.c, postscreen/postscreen_starttls.c, 20961 postscreen/postscreen_state.c, posttls-finger/posttls-finger.c, 20962 posttls-finger/tlsmgrmem.c, proxymap/proxymap.c, qmgr/qmgr.c, 20963 qmgr/qmgr_active.c, qmgr/qmgr_deliver.c, qmgr/qmgr_entry.c, 20964 qmgr/qmgr_job.c, qmgr/qmgr_message.c, qmgr/qmgr_peer.c, 20965 qmgr/qmgr_queue.c, qmgr/qmgr_transport.c, qmqpd/qmqpd_peer.c, 20966 qmqpd/qmqpd_state.c, scache/scache.c, sendmail/sendmail.c, 20967 showq/showq.c, smtp/smtp_chat.c, smtp/smtp_connect.c, 20968 smtp/smtp_proto.c, smtp/smtp_reuse.c, smtp/smtp_session.c, 20969 smtp/smtp_state.c, smtp/smtp_tls_policy.c, smtpd/smtpd.c, 20970 smtpd/smtpd_chat.c, smtpd/smtpd_check.c, smtpd/smtpd_expand.c, 20971 smtpd/smtpd_expand.h, smtpd/smtpd_peer.c, smtpd/smtpd_proxy.c, 20972 smtpstone/qmqp-sink.c, smtpstone/qmqp-source.c, 20973 smtpstone/smtp-sink.c, smtpstone/smtp-source.c, tls/tls_dane.c, 20974 tls/tls_mgr.c, tls/tls_misc.c, tls/tls_prng_dev.c, 20975 tls/tls_prng_egd.c, tls/tls_prng_exch.c, tls/tls_prng_file.c, 20976 tls/tls_proxy_clnt.c, tls/tls_scache.c, tls/tls_server.c, 20977 tlsmgr/tlsmgr.c, tlsproxy/tlsproxy.c, tlsproxy/tlsproxy_state.c, 20978 trivial-rewrite/transport.c, trivial-rewrite/trivial-rewrite.c, 20979 util/argv.c, util/attr_clnt.c, util/attr_print0.c, 20980 util/attr_print64.c, util/attr_print_plain.c, util/attr_scan0.c, 20981 util/attr_scan64.c, util/attr_scan_plain.c, util/auto_clnt.c, 20982 util/binhash.c, util/binhash.h, util/ctable.c, util/ctable.h, 20983 util/dict.c, util/dict.h, util/dict_alloc.c, util/dict_cache.c, 20984 util/dict_cache.h, util/dict_cidr.c, util/dict_db.c, 20985 util/dict_ht.c, util/dict_open.c, util/dict_pcre.c, 20986 util/dict_regexp.c, util/dict_sockmap.c, util/dict_surrogate.c, 20987 util/dict_thash.c, util/edit_file.c, util/events.c, 20988 util/events.h, util/fifo_trigger.c, util/find_inet.c, 20989 util/htable.c, util/htable.h, util/inet_addr_host.c, 20990 util/inet_addr_list.c, util/inet_addr_local.c, util/inet_listen.c, 20991 util/inet_proto.c, util/inet_trigger.c, util/inet_windowsize.c, 20992 util/iostuff.h, util/line_wrap.c, util/line_wrap.h, 20993 util/mac_expand.c, util/mac_expand.h, util/mac_parse.c, 20994 util/mac_parse.h, util/match_list.c, util/msg_output.c, 20995 util/mvect.c, util/myaddrinfo.c, util/myflock.c, util/mymalloc.c, 20996 util/mymalloc.h, util/nbbio.c, util/nbbio.h, util/netstring.c, 20997 util/nvtable.c, util/nvtable.h, util/pass_trigger.c, 20998 util/sane_accept.c, util/sane_connect.c, util/scan_dir.c, 20999 util/sock_addr.c, util/stream_trigger.c, util/sys_compat.c, 21000 util/sys_defs.h, util/timecmp.c, util/timed_connect.c, 21001 util/timed_write.c, util/unix_connect.c, util/unix_listen.c, 21002 util/unix_recv_fd.c, util/unix_send_fd.c, util/unix_trigger.c, 21003 util/vbuf.c, util/vbuf.h, util/vstream.c, util/vstream_tweak.c, 21004 util/vstring.c, util/watchdog.c, verify/verify.c, 21005 xsasl/xsasl_cyrus_client.c, xsasl/xsasl_cyrus_server.c, 21006 xsasl/xsasl_dovecot_server.c. 21007 21008 Cleanup: removed unnecessary casts. File: global/cfg_parser.c. 21009 21010 Cleanup: dont cast away "const". File: global/dict_sqlite.c. 21011 2101220141208 21013 21014 Bugfix (introduced: 20141207): in new #ifdef, && should be 21015 ||. File: smtpd.c. 21016 2101720141210 21018 21019 Cleanup: the "inline" table now supports case-insensitive 21020 search, and an iterator. File: util/dict_inline.c. 21021 21022 Cleanup: minuscule memory leaks in graceful degradation 21023 after lookup table open error. Files: util/dict_inline.c, 21024 util/dict_static.c. 21025 2102620141211 21027 21028 Cleanup: memory leaks in unit-test driver programs (i.e. 21029 code used only during development). Files: 21030 cleanup/cleanup_milter.c, util/base64_code.c. 21031 21032 Bugfix (introduced 20141001): mac_expand() error message 21033 with "??" due to dangling pointer. File: util/mac_expand.c. 21034 21035 Portability: unit-test driver programs. Files: util/myaddrinfo.c, 21036 util/myaddrinfo.ref. 21037 21038 Portability: Clang support. Files: makedefs, util/sys_defs.h. 21039 21040 Portability: FreeBSD 10 support. Files: makedefs, 21041 util/sys_defs.h. 21042 21043 Cleanup: in makedefs, the CC and WARN features are now 21044 independent. File: makedefs. 21045 21046 Shut up some Clang format-string nags: util/events.c. 21047 21048 Cleanup: eliminated unnecessary 64->32bit (and back) 21049 conversions on LP64 platforms. Files: util/htable.c, 21050 util/binhash.c util/mvect.[hc], util/name_mask.c, 21051 util/sane_time.c, util/unix_listen.c, util/unix_connect.c, 21052 util/stringops.h, util/trimblanks.c, and dependent code in 21053 smtpd/smtpd_token.c. 21054 21055 Cleanup: unused inet_proto_init() results. Files: 21056 global/mail_params.c, postconf/postconf_builtin.c, 21057 smtpstone/qmqp-sink.c, smtpstone/qmqp-source.c, 21058 smtpstone/smtp-source.c/ 21059 21060 Shut up some Clang nags about unused functions in network 21061 interface API selection. File: util/inet_addr_local.c. 21062 21063 Portability: a historical compiler lacks printf-like 21064 format-string checks for function pointers. Files: util/msg.h, 21065 bounce/bounce_template.h. 21066 2106720141212 21068 21069 Shut up some Clang format-string nags: util/line_number.c, 21070 sendmail/sendmail.c, smtpd/smtpd_proxy.c, smtp/smtp_sasl_proto.c. 21071 21072 Cleanup: eliminated unnecessary 64->32bit (and back) 21073 conversions on LP64 platforms. Files: dict_memcache.c, 21074 header_body_checks.[hc], log_adhoc.c, pipe_command.c, 21075 record.[hc], smtp_reply_footer.c, split_addr.c. 21076 cleanup/cleanup_milter.c, master/mail_server.h, 21077 src/master/trigger_server.c, oqmgr/qmgr.c, qmgr/qmgr.c, 21078 pickup/pickup.c. 21079 21080 Cleanup: nullmx SMTP reply codes 550 and 556, and enhanced 21081 status codes X.1.10 and X.7.27. The nullmx SMTP reply codes 21082 are no longer configurable. Files: global/mail_params.h, 21083 smtpd/smtpd.c, smtpd/smtpd_check.c. 21084 21085 Portability: default table owner UID for testing. Files: 21086 util/dict_alloc.c, util/dict_open.c. 21087 21088 Shut up Clang unused assignment nag: global/mail_queue.h. 21089 sendmail/sendmail.c, smtpd/smtpd_proxy.c, smtp/smtp_sasl_proto.c. 21090 2109120141214 21092 21093 Bugfix (introduced: 20141212): typo in Clang function pointer 21094 format check, making it a noop. Viktor Dukhovni. File: 21095 util/sys_defs.h. 21096 21097 Maintainability: compile-time argument typechecking for 21098 variadic attribute-value read/write functions. Files: 21099 anvil/anvil.c, bounce/bounce.c, cleanup/cleanup.c, 21100 dnsblog/dnsblog.c, flush/flush.c, global/abounce.c, 21101 global/anvil_clnt.c, global/bounce.c, global/defer.c, 21102 global/deliver_pass.c, global/deliver_request.c, 21103 global/dict_proxy.c, global/dsb_scan.c, global/dsn_print.c, 21104 global/flush_clnt.c, global/mail_command_client.c, 21105 global/mail_stream.c, global/msg_stats_print.c, 21106 global/msg_stats_scan.c, global/post_mail.c, global/rcpt_buf.c, 21107 global/rcpt_print.c, global/resolve_clnt.c, global/rewrite_clnt.c, 21108 global/scache_clnt.c, global/trace.c, global/verify_clnt.c, 21109 local/forward.c, milter/milter.c, milter/milter8.c, 21110 milter/milter_macros.c, oqmgr/qmgr_deliver.c, pickup/pickup.c, 21111 postdrop/postdrop.c, postscreen/postscreen_dnsbl.c, 21112 postscreen/postscreen_send.c, postscreen/postscreen_starttls.c, 21113 proxymap/proxymap.c, qmgr/qmgr_deliver.c, qmqpd/qmqpd.c, 21114 scache/scache.c, smtpd/smtpd.c, smtpd/smtpd_check.c, 21115 tls/tls_mgr.c, tls/tls_proxy_clnt.c, tls/tls_proxy_print.c, 21116 tls/tls_proxy_scan.c, tlsmgr/tlsmgr.c, tlsproxy/tlsproxy.c, 21117 trivial-rewrite/resolve.c, trivial-rewrite/rewrite.c, 21118 trivial-rewrite/trivial-rewrite.c, util/attr.h. 21119 2112020141217 21121 21122 Replaced compile-time argument typechecking based on inline 21123 functions with an implementation based on ternary expressions 21124 with unreachable assignments to dummy variables. This 21125 should produce the exact same result as the approach based 21126 on inline functions (which were standardized with C99). 21127 Files: util/check_arg.h, util/attr.h, util/attr.c. 21128 2112920141221 21130 21131 Portability: proof-of-concept template for OpenBSD build 21132 with shared libpostfix etc. libraries. File: makedefs. 21133 2113420141223 21135 21136 Cleanup: compile-time variadic argument type checking for 21137 attribute-value APIs of vstream, vstream_popen, vstring, 21138 pipe_command, spawn_command, attr_override, and mail_server 21139 skeletons. Based on mostly automatic conversion and checking, 21140 with a manual inspection of the remainder. Files: 21141 anvil/anvil.c, bounce/bounce.c, cleanup/cleanup.c, 21142 cleanup/cleanup_api.c, discard/discard.c, dnsblog/dnsblog.c, 21143 error/error.c, flush/flush.c, global/attr_override.c, 21144 global/attr_override.h, global/mail_connect.c, global/mail_queue.c, 21145 global/mail_stream.c, global/mail_stream.h, global/pipe_command.c, 21146 global/pipe_command.h, global/smtp_stream.c, global/timed_ipc.c, 21147 local/command.c, local/local.c, master/event_server.c, 21148 master/mail_server.h, master/multi_server.c, 21149 master/single_server.c, milter/milter.c, milter/milter8.c, 21150 oqmgr/qmgr.c, oqmgr/qmgr_transport.c, pickup/pickup.c, 21151 pipe/pipe.c, postalias/postalias.c, postcat/postcat.c, 21152 postdrop/postdrop.c, postmap/postmap.c, postscreen/postscreen.c, 21153 postscreen/postscreen_dnsbl.c, postscreen/postscreen_haproxy.c, 21154 postscreen/postscreen_starttls.c, posttls-finger/posttls-finger.c, 21155 proxymap/proxymap.c, qmgr/qmgr.c, qmgr/qmgr_transport.c, 21156 qmqpd/qmqpd.c, scache/scache.c, showq/showq.c, smtp/smtp.c, 21157 smtpd/smtpd.c, smtpd/smtpd_check.c, smtpd/smtpd_proxy.c, 21158 smtpstone/smtp-source.c, spawn/spawn.c, tls/tls_proxy_clnt.c, 21159 tls/tls_stream.c, tlsmgr/tlsmgr.c, tlsproxy/tlsproxy.c, 21160 trivial-rewrite/trivial-rewrite.c, util/auto_clnt.c, 21161 util/ctable.c, util/dict_cache.c, util/dict_cache.h, 21162 util/dict_lmdb.c, util/dict_tcp.c, util/netstring.c, 21163 util/recv_pass_attr.c, util/slmdb.c, util/slmdb.h, 21164 util/spawn_command.c, util/spawn_command.h, util/vstream.c, 21165 util/vstream.h, util/vstream_popen.c, util/vstream_tweak.c, 21166 util/vstring.c, util/vstring.h, verify/verify.c, 21167 virtual/virtual.c, xsasl/xsasl_dovecot_server.c. 21168 2116920141224 21170 21171 Cleanup: the compile-time argument typechecks for attribute-value 21172 APIs are now by default implemented with inline functions. 21173 Compile with -DNO_INLINE to implement the argument typechecks 21174 with ternary operators and unreachable assignments. Files: 21175 util/check_arg.h and its consumers. 21176 2117720141226 21178 21179 NetBSD6/7 dynamic linking support. Viktor Dukhovni. 21180 21181 Cleanup: instead of making up new names, use a consistent 21182 CA_ prefix for macros that implement compile-time argument 21183 typechecks for non-protocol attribute-value APIs. This 21184 transformation and its verification are mechanical. 21185 21186 Bugfix (introduced: Postfix 1.1, but latent before 3.0): 21187 "postfix-install: daemon_directory: not found" error with 21188 an ancient Solaris shell. Fixed by ALSO resetting IFS after 21189 the end of a ``while IFS=foo command'' loop; counter to 21190 expectation, the IFS reset in the loop body executed in a 21191 child process. Background: some shells implement "IFS=foo 21192 command" as a permanent IFS change; this was allowed by 21193 standards at some point in time. File: postfix-install. 21194 2119520141227 21196 21197 Feature: smtp_address_verify_target (default: rcpt) that 21198 determines what protocol stage decides if a recipient is 21199 valid. Specify "data" for servers that reject recipients 21200 after the DATA command. Files: mantools/postlink, 21201 proto/postconf.proto, proto/ADDRESS_VERIFICATION_README.html, 21202 global/mail_params.h, smtp/lmtp_params.c, smtp/smtp.c, 21203 smtp/smtp.h, smtp/smtp_params.c, smtp/smtp_proto.c. 21204 2120520141228 21206 21207 Cleanup: the IDNA conversion routines now accept both ASCII 21208 and UTF8 inputs. The functions als verify that either their 21209 result is a valid ASCII domain name or that it converts 21210 into a valid ASCII domain name. Files: util/midna.c, 21211 util/midna_test.in, util/midna_test.ref. 21212 2121320141230 21214 21215 Cleanup: s/midna/midna_domain/ for better specificity, 21216 because we also need functions that act only on the domain 21217 portion of an email address. Files: bounce/bounce_template.c, 21218 global/midna_adomain.c, posttls-finger/posttls-finger.c, 21219 smtp/smtp_addr.c, smtpd/smtpd_check.c, tls/tls_client.c, 21220 util/midna_domain.[hc], util/valid_utf8_hostname.c. 21221 21222 Infrastructure: function midna_adomain_to_utf8() (and 21223 midna_adomain_to_ascii) to convert the domain portion of 21224 an email address before table lookup. Files: 21225 global/midna_adomain.[hc]. 21226 2122720141230-20140109 21228 21229 What is described here is the result of four iterations to 21230 deal with malformed UTF-8 without massively contaminating 21231 every Postfix program with new error-handling code paths, 21232 in particular without triggering fatal errors that didn't 21233 happen before. 21234 21235 Infrastructure: function casefold() to support caseless 21236 string comparison, primarily for table lookups. This function 21237 supports two modes: case folding a la lowercase() for ASCII 21238 byte values, and UTF-8 case folding. As recommended at 21239 http://www.w3.org/International/wiki/Case_folding for 21240 caseless string comparison, this uses the en_US locale to 21241 avoid surprises. The implementatin handles the entire RFC 21242 3629 Unicode range (code points U+0000..U+10FFFF including 21243 surrogates) and is chroot(2) safe. Files: casefold.c, 21244 stringops.h. 21245 21246 Infrastructure: revised the midna_domain_to_ascii and 21247 midna_domain_to_utf8 domain name conversion functions after 21248 careful reading of the UTS #46 specification, and after 21249 observing that ICU 4.8 library functions indeed implement 21250 this spec, at least with default options. In particular, 21251 midna_domain_to_utf8 takes an UTF-8 domain name and verifies 21252 that its A-label form will pass the valid_hostname() test. 21253 File: util/midna_domain.c. 21254 21255 Infrastructure: handle UTF-8 errors in lookup table keys 21256 or values without massively contaminating every Postfix 21257 program with new error-handling code paths, in particular 21258 without triggering fatal errors that didn't happen before. 21259 The lookup/update/delete functions log a warning and ignore 21260 a request with a bad key (it cannot exist); the update 21261 functions ignore a request to store a bad value (it cannot 21262 exist); and the lookup function reports a bad value as a 21263 configuration error (it should not exist, but there it is). 21264 Table iterators still report all (key, value) pairs in a 21265 table. Files: util/dict.h, util/dict_open.c, util/dict_utf8.c, 21266 global/mkmap_open.c. 21267 21268 Note that with SMTPUTF8 turned on, each table-driven mechanism 21269 (access, aliases, etc.) needs to make its own decision 21270 whether UTF-8 syntax is required. We cannot blindly require 21271 that everything has valid UTF-8 syntax. That would make 21272 header/body_checks useless for content inspection, because 21273 headers may be malformed and bodies may contain legitimate 21274 binary content that isn't UTF-8. 21275 21276 Note that with SMTPUTF8 turned off, Postfix must remain 21277 8-bit clean as it always has been. Table operations must 21278 not complain that something violates UTF-8 syntax rules. 21279 21280 UTF-8 sanitization in the Postfix SMTP server. With 21281 smtputf8_enable=yes, SMTP commands with UTF-8 syntax errors 21282 are rejected, table lookup results with invalid UTF-8 syntax 21283 are handled as configuration errors, and UTF-8 syntax errors 21284 in policy server replies result in execution of the policy 21285 server's default action. 21286 2128720150102 21288 21289 Cleanup: propagate DICT_ERR_CONFIG through the proxymap 21290 protocol. Files: global/dict_proxy.[hc], proxymap/proxymap.c. 21291 2129220150106 21293 21294 Robustness: don't segfault due to excessive recursion in 21295 tok822_free_tree() after a faulty configuration runs into 21296 the virtual_alias_recursion_limit. File: global/tok822_tree.c. 21297 2129820150109 21299 21300 Cleanup: the dict debug module now proxies dict flags. 21301 File: util/dict_debug.c. 21302 21303 With "smtputf8_enable = yes", the postmap and postalias 21304 commands now enable UTF-8 by default (use "-u" to disable) 21305 with one exception: UTF-8 remains disabled for header/body_checks 21306 emulation (use "-U" to enable). Files: postmap/postmap.c, 21307 postalias/postalias.c. 21308 2130920150110 21310 21311 Cleanup: the "inline" and "texthash" implementations now 21312 reuse the "internal" database instead of reinventing the 21313 wheel. Files: util/dict_inline.c, util/dict_thash.c. 21314 21315 As a first step, with "smtputf8_enable = yes" all features 21316 based on Postfix matchlists enable UTF-8 syntax checks and 21317 UTF-8 casefolding for table patterns, but NOT YET for string 21318 patterns. The list of features includes authorized_flush_users, 21319 authorized_mailq_users, authorized_submit_users, debug_peer_list, 21320 fast_flush_domains, mydestination, permit_mx_backup_networks, 21321 qmqpd_authorized_clients, smtp_connection_cache_destinations, 21322 smtpd_authorized_verp_clients, smtpd_authorized_xclient_hosts, 21323 smtpd_authorized_xforward_hosts, 21324 smtpd_client_event_limit_exceptions, 21325 smtpd_log_access_permit_actions, smtpd_sasl_exceptions_networks, 21326 the "domains" feature in ldap_table(5), memcache_table(5) 21327 mysql_table(5), pgsql_table(5) and sqlite_table(5), 21328 virtual_alias_domains, virtual_mailbox_domains. 21329 2133020150111 21331 21332 Cleanup: simplified the interposition layer that adds UTF-8 21333 support to Postfix lookup tables. Files: util/dict_utf8.c. 21334 21335 With "smtputf8_enable = yes", Enable UTF-8 syntax checks 21336 and UTF-8 casefolding for SMTP server access maps, alias_maps, 21337 canonical_maps, fallback_transport_maps, 21338 lmtp_tls_session_cache_database, local_recipient_maps, 21339 mailbox_command_maps, mailbox_transport_maps, rbl_reply_maps, 21340 recipient_bcc_maps, recipient_canonical_maps, relay_recipient_maps, 21341 relocated_maps, sender_bcc_maps, sender_canonical_maps, 21342 sender_dependent_relayhost_maps, sender_dependent_transport_maps, 21343 smtp_generic_maps, smtp_sasl_auth_cache_name, 21344 smtp_sasl_password_maps, smtp_tls_per_site, smtp_tls_policy_maps, 21345 smtp_tls_session_cache_database, smtpd_sender_login_maps, 21346 smtpd_tls_session_cache_database, transport_maps, 21347 virtual_alias_maps, virtual_gid_maps, virtual_mailbox_maps, 21348 virtual_uid_maps. 21349 2135020150112 21351 21352 Infrastructure: support for UTF-8 casefolding in match_lists. 21353 Instead of using strcasecmp(), casefold all fixed-string 21354 patterns during initialization, casefold a search string 21355 at the beginning of the search, and use strcmp() for 21356 comparison. Files: util/casefold.c util/dict.h, util/dict_utf8.c, 21357 util/match_list.c, util/match_list.h, util/match_ops.c, 21358 util/stringops.h, global/addr_match_list.c, global/domain_list.c, 21359 global/namadr_list.c, global/string_list.c. 21360 2136120150113 21362 21363 Cleanup: show the configuration parameter name in error 21364 messages while parsing or searching match_list-based features 21365 such as mydestination, relay_domains and a few dozen more. 21366 Files: cleanup/cleanup_init.c, flush/flush.c, 21367 global/addr_match_list.c, global/debug_peer.c, 21368 global/domain_list.c, global/flush_clnt.c, 21369 global/match_parent_style.c, global/namadr_list.c, 21370 global/resolve_local.c, global/string_list.c, global/user_acl.[hc], 21371 postdrop/postdrop.c, postqueue/postqueue.c, 21372 postscreen/postscreen.c, qmqpd/qmqpd.c, sendmail/sendmail.c., 21373 smtp/smtp.c, smtp/smtp_sasl_glue.c, smtpd/smtpd.c, 21374 smtpd/smtpd_check.c, trivial-rewrite/resolve.c, 21375 util/match_list.[hc], util/match_ops.c. 21376 21377 Cleanup: apply printable() to all bounce(8) service 21378 string-valued protocol fields. File: bounce/bounce.c. 21379 21380 Apparently the UCI 4.8 ucasemap_utf8FoldCase() function does 21381 not complain about UTF-8 syntax errors, so we add our own 21382 redundant check. File: util/casefold.c. 21383 2138420150115 21385 21386 Bitrot: prepare for future changes in OpenSSL. Viktor 21387 Dukhovni. Files: tls/tls.h, tls/tls_dh.c, tls/tls_misc.c, 21388 tls/tls_rsa.c, tls/tls_server.c. 21389 21390 Documentation: "avoid hash files here, use btree or lmdb 21391 instead". File: proto/ADDRESS_VERIFICATION_README.html. 21392 21393 Safety: virtual_alias_address_length_limit (default: 1000) 21394 to stop aliasing loops that exponentially increase the 21395 address length with each iteration. Files: global/mail_params.h, 21396 mantools/postlink, proto/postconf.proto, cleanup/cleanup.c, 21397 cleanup/cleanup_init.c, cleanup/cleanup_map1n.c. 21398 2139920150116 21400 21401 TLS wrappermode in the Postfix smtp(8) client. This introduces 21402 a new parameter "smtp_tls_wrappermode" (default: no). Files: 21403 global/mail_params.h, mantools/postlink, proto/postconf.proto, 21404 smtp/lmtp_params.c, smtp/smtp.[hc], smtp/smtp_connect.c, 21405 smtp/smtp_params.c, smtp/smtp_proto.c. 21406 21407 TLS wrappermode in posttls-finger(1), and some DANE-related 21408 cleanups. This introduces a new option "-w". Viktor Dukhovni. 21409 Files: posttls-finger/posttls-finger.c, smtp/smtp_tls_policy.c, 21410 tls/tls.h, tls/tls_client.c, tls/tls_fprint.c. 21411 2141220150117 21413 21414 Cleanup: missing " in \%s\" in postscreen(8) fatal error 21415 messages. Iain Hibbert. File: postconf/postconf_master.c. 21416 2141720150118 21418 21419 Bugfix (introduced: 20140731): when a connection timed out 21420 before any command was received, the Postfix SMTP server 21421 "disconnect from" logging would show the content of the 21422 last SMTP server response (421 4.4.2 $myhostname error: 21423 timeout exceeded) instead of per-command statistics, because 21424 there were no statistics to report. The Postfix SMTP server 21425 now always logs the total number of commands (commands=x/y) 21426 even when the client did not send any. This helps logfile 21427 analyzers to recognize sessions without commands. File: 21428 smtpd/smtpd.c. 21429 2143020150120 21431 21432 Bugfix (introduced: 20141230-20140109): do not reallocate 21433 a dictionary handle after it is initialized. This breaks 21434 CDB. Problem reported by Andreas Schulze. Files: util/dict.h, 21435 util/dict_alloc.c, util/dict_utf8.c. 21436 21437 Cleanup: simplified the dict_utf8 wrapper implementation. 21438 Files: util/dict.h, util/dict_alloc.c, util/dict_utf8.c. 21439 2144020150121 21441 21442 Cleanup: undo changes in check_mumble_access() that replaced 21443 error handling with longjmp() calls. This could introduce 21444 memory leaks in check_mumble_access() callers. Files: 21445 smtpd/smtpd_check.c, smtpd/smtpd_error.ref. 21446 2144720150122 21448 21449 Cleanup: miscellaneous cruft, typos, comments, error messages. 21450 proto/COMPATIBILITY_README.html, global/addr_match_list.c, 21451 global/domain_list.c, global/namadr_list.c, global/string_list.c, 21452 global/user_acl.c, postalias/postalias.c, postmap/postmap.c, 21453 tls/tls_client.c, util/dict_alloc.c, util/dict_open.c, 21454 util/match_list.c. 21455 2145620150124 21457 21458 Workaround: nroff has been improved so that "-" comes out as 21459 some non-ASCII character, unlike HTML where it comes out 21460 as itself. Andreas Schulze. This requires jumping a few 21461 hops to generate HTML and nroff input from the same source 21462 text. Files; mantools/srctoman, mantools/postconf2man. 21463 21464 Cleanup: UTF-8 support in masquerade_domains. File: 21465 cleanup/cleanup_masquerade.c. 21466 2146720150125 21468 21469 Cleanup: simplified the casefold() API: no input-dependent 21470 failure modes. Files: cleanup/cleanup_masquerade.c, 21471 util/casefold.c, util/dict_utf8.c, util/match_list.c, 21472 util/strcasecmp_utf8.c, util/stringops.h. 21473 21474 Cleanup: replaced str*casecmp() calls with UTF8-enabled 21475 versions. Files: bounce/bounce.c, bounce/bounce_append_service.c, 21476 bounce/bounce_notify_service.c, bounce/bounce_notify_verp.c, 21477 bounce/bounce_one_service.c, bounce/bounce_trace_service.c, 21478 bounce/bounce_warn_service.c, cleanup/cleanup_addr.c, 21479 cleanup/cleanup_map11.c, cleanup/cleanup_map1n.c, 21480 global/log_adhoc.c, global/mail_addr_find.c, global/mail_params.c, 21481 global/split_addr.c, global/verify.c, global/verify_sender_addr.c, 21482 local/alias.c, local/recipient.c, oqmgr/qmgr_message.c, 21483 qmgr/qmgr_message.c, smtp/smtp_tls_policy.c, smtpd/smtpd_check.c, 21484 smtpd/smtpd_milter.c, trivial-rewrite/resolve.c, 21485 util/strcasecmp_utf8.c, util/stringops.h. 21486 2148720150126 21488 21489 Portability: added missing #ifdef STRCASECMP_IN_STRINGS_H 21490 for platforms that require it. Files: dns/dns_rr_filter.c, 21491 milter/milter8.c, posttls-finger/posttls-finger.c, 21492 tls/tls_dane.c, tlsproxy/tlsproxy.c, util/dict_test.c. 21493 21494 Cleanup: replaced lowercase() calls with UTF-8-enabled 21495 versions. Files: flush/flush.c, global/been_here.c, 21496 global/delivered_hdr.c, global/fold_addr.c, global/fold_addr.h, 21497 local/forward.c, local/recipient.c, pipe/pipe.c, 21498 smtpd/smtpd_resolve.c, util/casefold.c, util/stringops.h, 21499 virtual/recipient.c. 21500 2150120150127 21502 21503 Cleanup: simplified the 20150125 and 20150126 APIs, replacing 21504 the most-common use cases with convenience macros that have 21505 fewer arguments. Files: anything that implements or invokes 21506 casefold*() or str*casecmp(). 21507 21508 Documentation: missing words and typos. Matthew Selsky. Files: 21509 proto/SMTPUTF8_README.html, util/dict_open.c, util/vstream.c. 21510 2151120150128 21512 21513 Bugfix: the ICU casemapping API can report success, while 21514 producing output that is not null-terminated. But we can 21515 deal with that. File: util/casefold.c. 21516 21517 Cleanup: unnecessary buffers. File: util/strcasecmp_utf8.c. 21518 21519 Cleanup: whitespace in source-code documentation has gotten 21520 damaged through the years. Files: util/iostuff.h, 21521 util/msg_vstream.h, util/msg_syslog.h, util/msg_output.h, 21522 util/msg.h, util/inet_proto.c, trivial-rewrite/trivial-rewrite.c, 21523 tls/tls.h, postconf/postconf.c, master/multi_server.c, 21524 master/event_server.c, global/memcache_proto.h, 21525 global/dict_mysql.c, global/dict_ldap.c, discard/discard.c, 21526 error/error.c, global/dict_proxy.c, global/mail_conf_int.c, 21527 global/match_parent_style.c, global/scache.c, global/scache.h, 21528 qmgr/qmgr_entry.c, qmgr/qmgr_peer.c, smtp/smtp_rcpt.c, 21529 smtpd/smtpd_peer.c, tls/tls_mgr.c, util/attr_scan0.c, 21530 util/dict_tcp.c, util/hex_code.c, util/valid_hostname.c. 21531 21532 Cleanup: typos. Files: proto/socketmap_table, proto/mysql_table, 21533 global/dict_mysql.c, proto/lmdb_table, smtpstone/smtp-sink.c, 21534 posttls-finger/posttls-finger.c. 21535 21536 Bugfix: restart the Postfix SMTP server SASL client after 21537 XCLIENT may have changed the client IP address. Matthew 21538 Via. File: smtpd/smtpd.c. 21539 2154020150129 21541 21542 More whitespace in source-code comment regressions. Viktor 21543 (mostly) and Wietse. smtpd/smtpd_proxy.c, util/format_tv.c, 21544 util/line_wrap.c, util/slmdb.c, qmgr/qmgr_peer.c, 21545 smtp/smtp_rcpt.c, smtpd/smtpd_peer.c, tls/tls_mgr.c, 21546 trivial-rewrite/trivial-rewrite.c, util/attr_scan0.c, 21547 util/dict_tcp.c, util/hex_code.c, util/valid_hostname.c, 21548 discard/discard.c, error/error.c, global/dict_proxy.c, 21549 global/mail_conf_int.c, global/match_parent_style.c, 21550 global/scache.c, qmgr/qmgr_entry.c, global/dict_ldap.c, 21551 global/dict_mysql.c, posttls-finger/posttls-finger.c, 21552 smtp/smtp.c, tls/tls_certkey.c. 21553 21554 Cleanup: avoid hidden buffer allocation in casefold(). 21555 Files: local/forward.c, local/recipient.c, virtual/recipient.c. 21556 21557 Cleanup: HTML validator errors. Files: proto/postconf.proto, 21558 proto/TLS_README.html, proto/MILTER_README.html. 21559 21560 Great rename from 2.12 to 3.0. Lots of files, 99% mechanical. 21561 21562 Cleanup: HTML entities in *roff manpage source. File: 21563 mantools/fixman, proto/postconf.proto, smtpd/smtpd.c, 21564 trivial-rewrite/trivial-rewrite.c. 21565 2156620150201 21567 21568 Usability: in error messages, print the CAfile and CApath 21569 value in double quotes, to clue in people who specify quoted 21570 pathnames in main.cf. Viktor Dukhovni. Files: tls/tls_certkey.c 21571 and testing code in posttls-finger/posttls-finger.c. 21572 2157320150202 21574 21575 Cleanup: make posttls-finger -k/-K documentation consistent 21576 with behavior. File: posttls-finger/posttls-finger.c. 21577 2157820150203 21579 21580 Cleanup: API minimization, by making some functions static. 21581 Files: util/dict.h, util/dict_utf8.c. 21582 2158320150205 21584 21585 Preliminary feature: support for building position-independent 21586 executables (PIE), tested on Fedora Core 20, Ubuntu 14.04, 21587 FreeBSD 9 and 10, and NetBSD 6. See INSTALL section 4.3 for 21588 details and limitations. Files: makedefs, proto/INSTALL.html, 21589 RELEASE_NOTES-3.0. 21590 2159120150208 21592 21593 Cleanup: after many years, the access(5) map BCC action is 21594 part of the stable release. Files: smtpd/smtpd_check.c, 21595 proto/acces. 21596 2159720150210 21598 21599 Cleanup: socketmap documentation. File: proto/socketmap_table. 21600 2160120150211 21602 21603 Cleanup: strncasecmp_utf8() streamlining. Files: util/stringops.h, 21604 util/allascii.c, util/strcasecmp_utf8.c. 21605 2160620150212 21607 21608 Cleanup: in code after reading main.cf, removed bogus guard 21609 before re-evaluating the mail_task() syslog prefix. File: 21610 postlog/postlog.c. 21611 2161220150214 21613 21614 Bugfix (introduced: Postfix 3.0): missing #ifdef USE_TLS 21615 inside #ifdef USE_SASL_AUTH broke the build. Viktor Dukhovni. 21616 File: smtpd/smtpd.c. 21617 21618 Cleanup: missing errno logging in bounce daemon clients. 21619 This made troubleshooting significantly more difficult. 21620 File: global/mail_command_client.c. 21621 2162220150216 21623 21624 Cleanup: documented that mail_connect() produces no errno 21625 logging. The functions that call it should log the error 21626 (and the majority does). File: global/mail_connect.c. 21627 21628 Cleanup: added errno logging after mail_connect() failure. 21629 Files: global/post_mail.c, local/forward.c. 21630 21631 Cleanup: in code after reading main.cf, removed bogus guard 21632 before re-evaluating the mail_task() syslog prefix. Files: 21633 postalias/postalias.c, postdrop/postdrop.c, postmap/postmap.c, 21634 postqueue/postqueue.c, postsuper/postsuper.c, sendmail/sendmail.c. 21635 2163620150218 21637 21638 Documentation: header/body_checks additional text about whether 21639 an action stops further inspection of the input stream. File: 21640 proto/header_checks. 21641 21642 Robustness: reject installation pathnames with whitespace. 21643 File: postfix-install. 21644 2164520150217 21646 21647 Cleanup: missing <string.h> include. File: util/allascii.c. 21648 2164920150221 21650 21651 Bugfix (introduced: Postfix 3.0): don't append '.' to the 21652 DNS resource record value, when converting TXT records to 21653 the string form that is used used by xxx_dns_reply_filter. 21654 File: dns/dns_strrecord.c. 21655 2165620150313 21657 21658 Documentation: incorrect Postfix version number for 21659 postscreen_dnsbl_timeout. Quanah Gibson-Mount. File: 21660 postscreen/postscreen.c. 21661 2166220150320 21663 21664 Cleanup: better sorting order for the default tls_*_cipherlist 21665 settings. OpenSSL does not order "ALL" quite right: some 21666 MEDIUM ciphers (SEED and IDEA) sneak up above some 128-bit 21667 HIGH ciphers. Also previously, when we prefer "aNULL" we 21668 moved MEDIUM with aNULL above same bit-length HIGH but not 21669 aNULL. Viktor Dukhovni. File: global/mail_params.h. 21670 2167120150324 21672 21673 Bugfix (introduced: Postfix 2.6): sender_dependent_relayhost_maps 21674 ignored the relayhost setting in the case of a DUNNO lookup 21675 result. It would use the recipient domain instead. Viktor 21676 Dukhovni. Wietse took the pieces of code that enforce the 21677 precedence of a sender-dependent relayhost, the global 21678 relayhost, and the recipient domain, and put that code 21679 together in once place so that it is easier to maintain. 21680 File: trivial-rewrite/resolve.c. 21681 2168220150326 21683 21684 Feature: lmtp_fallback_relay, limited to TCP destinations 21685 only. Viktor Dukhovni. Wietse updated the postlink, smtp.c, 21686 and smtp-only files, and added a warning when lmtp_fallback_relay 21687 is specified for a non-TCP destination. Files: mantools/postlink, 21688 smtp/smtp.c, smtp/smtp-only, smtp/smtp_connect.c, 21689 smtp/smtp_params.c, global/mail_params.h, proto/postconf.proto. 21690 2169120150328 21692 21693 Bugfix (introduced: Postfix 1.1.0): post-install expanded 21694 macros in parameter values when trying to detect parameter 21695 overrides, causing unnecessary main.cf updates during Postfix 21696 start-up. Julian Reich, Viktor Dukhovni, and Wietse. File: 21697 conf/post-install. 21698 2169920150330 21700 21701 Bitrot: prepare for future changes in OpenSSL API. Viktor 21702 Dukhovni. File: tls_dane.c. 21703 21704 Safety: instead of bouncing mail, report a soft error when 21705 SASL infrastucture breaks. Viktor Dukhovni, Emmanuel Fuste. 21706 Files: smtpd/smtpd_sasl_glue.c, xsasl/xsasl.h, 21707 xsasl/xsasl_cyrus_server.c, xsasl/xsasl_dovecot_server.c. 21708 2170920150401 21710 21711 Documentation: update the mydestination default value in 21712 the stock main.cf file. File: conf/main.cf. 21713 2171420150404 21715 21716 Documentation: add "postconf -m" output to problem reports. File: 21717 proto/DEBUG_README.html. 21718 2171920150418 21720 21721 Portability: use the icu-config utility to locate the ICU 21722 include and library files. With this, Postfix builds out 21723 of the box on MacOS X. File: makedefs. 21724 2172520150421 21726 21727 Bugfix (introduced: 19970309): reset errno before calling 21728 readdir(), in order to distinguish between end-of-directory and 21729 an error condition. File: scandir.c. 21730 2173120150426 21732 21733 Cleanup: when transmitting an attribute-value sequence 21734 between Postfix processes, a hash table may now appear at 21735 any position instead of only at the end. Files: 21736 util/attr_scan{0,64,plain}.c, util/attr_print{0,64,plain}.c, 21737 util/attr_scan{0,64,plain}.ref. 21738 21739 Feature: milter_macro_defaults, an optional list of macro 21740 name=value pairs that specify default values for Milter 21741 macros. When a macro is to be sent to a Milter application, 21742 Postfix will send its default value when no value is available 21743 from the mail delivery context. For example, with 21744 "milter_macro_defaults = auth_type=TLS", Postfix will send 21745 an auth_type of "TLS" unless a remote client authenticates 21746 with SASL. Files: mantools/postlink, proto/MILTER_README.html, 21747 proto/postconf.proto, cleanup/cleanup.c, cleanup/cleanup_init.c, 21748 cleanup/cleanup_milter.c, global/mail_params.h, milter/milter.c, 21749 milter/milter.h, smtpd/smtpd.c, smtpd/smtpd_milter.c. 21750 2175120150501 21752 21753 Support for Linux 4.*, and some simplification for future 21754 makedefs files. Files: makedefs, util/sys_defs.h. 21755 2175620150502 21757 21758 Cleanup: updated the examples in MILTER_README. File: 21759 proto/MILTER_README.html 21760 2176120150529 21762 21763 Support for DNS reply TTL values in dnsblog and postscreen. 21764 Files: dnsblog/dnsblog.c, postscreen/postscreen_early.c, 21765 postscreen/postscreen_dnsbl.c. 21766 2176720150607 21768 21769 Support for DNS reply TTL values for "not found" responses 21770 (negative reply caching). The postscreen daemon needs this to 21771 accurately whitelist an SMTP client that is not found on any 21772 DNSBL. Files: dns/dns_lookup.c, dns/dns_strrecord.c, dns/dns.h, 21773 dns/test_dns_lookup.c. 21774 2177520150615 21776 21777 Two new parameters to limit how long a DNSBL or DNSWL lookup 21778 result remains valid: postscreen_dnsbl_max_ttl is an upper 21779 limit for the TTL from a DNS query, and postscreen_dnsbl_min_ttl 21780 is a lower limit. The old postscreen_dnsbl_ttl provides a 21781 backwards-compatible default for postscreen_dnsbl_max_ttl. 21782 Files: global/mail_params.h, postscreen/postscreen.c, 21783 postscreen/postscreen_early.c, mantools/postlink, 21784 proto/postconf.proto. 21785 2178620150616 21787 21788 Refinement: the postscreen daemon now computes two combined 21789 DNS reply TTLs: one combined TTL for replies that the client 21790 should be blocked, and one combined TTL for replies that the 21791 client should be allowed. This is more conservative than 21792 simply combining all reply TTLs into one number. File: 21793 postscreen/postscreen_dnsbl.c. 21794 2179520150621 21796 21797 Feature: default_transport_rate_delay (and the transport-specific 21798 *transport*_transport_rate_delay) to enforce a destination- 21799 independent rate limit on deliveries. Files: mantools/postlink, 21800 proto/postconf.proto, *qmgr/qmgr.h, *qmgr/qmgr_transport.c, 21801 *qmgr/qmgr_deliver.c, *qmgr/qmgr.c. 21802 2180320150707 21804 21805 Workaround: some DNS servers reply with NXDOMAIN for type 21806 NS queries with names that actually have an A record. This 21807 broke check_mumble_ns_access. File: smtpd/smtpd_check.c. 21808 2180920150711 21810 21811 Workaround: conditional time default value can result in 21812 multiple time unit suffixes. Files: global/conv_time.c 21813 global/mail_conf_time.c. 21814 2181520150712 21816 21817 Cleanup: configurable workaround (dns_ncache_ttl_fix_enable) 21818 in case some future libc change breaks a promise made by 21819 current resolver(3) documentation. Files: global/mail_params.[hc]. 21820 21821 Cleanup: removed unused libdns dependencies. No-one remembers 21822 why they were introduced. Files: postscreen/Makefile.in, 21823 qmqpd/Makefile.in, smtpd/Makefile.in, tlsmgr/Makefile.in. 21824 21825 Cleanup: code indentation. Viktor Dukhovni. File: 21826 smtp/smtp_addr.c. 21827 21828 Workaround: With Solaris10, write_wait() hangs in poll() 21829 until timeout, when invoked after peekfd() has received an 21830 ECONNRESET error indication. This happens when a client 21831 sends QUIT and closes the connection immediately. File: 21832 util/peekfd.c. 21833 2183420150715 21835 21836 Security: updated default Diffie-Hellman export (512 bit) 21837 primes and non-export (from 1024 to 2048 bit) primes, and 21838 updated text on non-export DH primes. Viktor Dukhovni. 21839 Files: tls/tls_dh.c, proto/FORWARD_SECRECY_README.html. 21840 2184120150718 21842 21843 Security: opportunistic TLS by default uses "medium" or 21844 stronger ciphers instead of "export" or stronger. See the 21845 RELEASE_NOTES file for how to get the old settings back. 21846 Files: global/mail_params.h, proto/TLS_README.html, 21847 proto/postconf.proto, and files derived from those. 21848 2184920150719 21850 21851 Security: Postfix TLS support by default no longer uses 21852 SSLv2 or SSLv3. See the RELEASE_NOTES file for how to get 21853 the old settings back. Files: global/mail_params.h, 21854 proto/postconf.proto, and files derived from those. 21855 2185620150722 21857 21858 Cleanup: the COMPATIBILITY_README* files were not installed. 21859 File: conf/postfix-files. 21860 2186120150726 21862 21863 Cleanup: some lost edits for the SASL_README file. File: 21864 proto/SASL_README.html. 21865 2186620150816 21867 21868 Workaround: updated the 20150707 fix for DNS servers that 21869 reply with NXDOMAIN for type NS queries instead of (NOERROR, 21870 zero answers). File: smtpd/smtpd_check.c. 21871 2187220150829 21873 21874 Documentation: TLS session tickets are preferred over the 21875 local server-side smtpd_tls_session_cache_database storage. 21876 TLS session tickets are supported as of OpenSSL 0.9.8h (May 21877 2008). Files: mantools/postlink, proto/TLS_README.html, 21878 proto/postconf.proto. 21879 2188020150831 21881 21882 Cleanup: obsolete comments in Makefile.init. 21883 2188420150903 21885 21886 Workaround: disable DNSSEC support for AIX 7x and earlier. 21887 The AIX 6/7 resolver(5) API defines RES_USE_DNSSEC without 21888 defining the "ad" bit. Viktor Dukhovni. Files: makedefs, 21889 proto/INSTALL.html, dns/dns.h. 21890 2189120150912 21892 21893 Future-proofing and code cleanup: exploit GCC and Clang 21894 "warn_unused_result" feature to flag missing error checks. 21895 Files: util/sys_defs.h, util/attr.h, util/edit_file.h, 21896 util/listen.h, util/lstat_as.h, util/mac_expand.h, 21897 util/mac_parse.h, util/myaddrinfo.h, util/myflock.h, 21898 util/sane_fsops.h, util/sane_socketpair.h, util/stat_as.h, 21899 util/base32_code.h, util/base64_code.h, util/hex_code.h, 21900 util/timed_wait.h, util/vstream.h, src/util/vstring_vstream.h. 21901 21902 Cleanup: incomplete error check. Found with WARN_UNUSED_RESULT 21903 check. File: util/recv_pass_attr.c. 21904 21905 Future-proofing: added type mis-match detection for 21906 ATTR_TYPE_FUNC function-pointer arguments. File: util/attr.h. 21907 21908 Cleanup: don't ignore seek-to-end-of-file errors. File: 21909 global/record.c. 21910 21911 Cleanup: use vstream_fpurge() to purge VSTREAM buffers, 21912 instead of calling vstream_fseek() and ignoring ESPIPE 21913 errors. File: smtpstone/qmqp-sink.c. 21914 2191520150913 21916 21917 Feature: SMTPD policy service "policy_context" attribute 21918 and smtpd_policy_service_policy_context main.cf parameter. 21919 Originally, to share the same SMTPD policy service endpoint 21920 among multiple check_policy_service clients. Markus Benning. 21921 Files: mantools/postlink, proto/SMTPD_POLICY_README.html, 21922 proto/postconf.proto, global/mail_params.h, global/mail_proto.h, 21923 smtpd/smtpd.c, smtpd/smtpd_check.c. 21924 2192520150923 21926 21927 Bugfix (introduced: 20120531-617): the Postfix SMTP server 21928 used a larger-than-1 VSTREAM buffer to read the HAProxy 21929 connection hand-off information. This broke TLS wrappermode, 21930 as the TLS helo packet would end up in the plaintext VSTREAM 21931 buffer. Reported by Lukas Erlacher. File: smtpd/smtpd_haproxy.c. 21932 2193320150924 21934 21935 Cleanup (introduced: 20060510, exposed 20150912): eliminated 21936 a harmless warning message "seek error after reading END 21937 record: Illegal seek" from the cleanup server after a 21938 check_sender_access DISCARD action. File: cleanup/cleanup.c. 21939 21940 Bugfix (introduced: 20090216-24): incorrect postmulti error 21941 message. Reported by Patrik Koetter. Fix by Viktor Dukhovni. 21942 File: postmulti/postmulti.c. 21943 21944 Workaround: don't create a new instance when the template 21945 main.cf and master.cf files are missing, as happens on 21946 Debian-like systems. Viktor Dukhovni. File: conf/postmulti-script. 21947 2194820150930 21949 21950 Bugfix (introduced: 20040124): Milter client panic while 21951 adding a header, because the PREPEND action used the same 21952 output function for header_checks and body_checks. Viktor 21953 Dukhovni and Wietse. File: cleanup/cleanup_message.c. 21954 21955 Bugfix (introduced: 20031128): xtext_unquote() did not 21956 propagate error reports from xtext_unquote_append(), causing 21957 the decoder to return partial output, instead of rejecting 21958 malformed input. Fix by Krzysztof Wojta. File: global/xtext.c. 21959 2196020151003 21961 21962 Bugfix (copied from xtext): uxtext_unquote() did not propagate 21963 error reports from uxtext_unquote_append(), causing the 21964 decoder to return partial output, instead of rejecting 21965 malformed input. Found by searching the code for similar 21966 error patterns as with xtext_unquote(). File: global/uxtext.c. 21967 21968 Cleanup: added missing "negative" unit tests. Files: 21969 global/xtext.c, global/uxtext.c. 21970 2197120151004 21972 21973 Future proofing: use a real VSTRING in the 20150930 header 21974 PREPEND fix. File: cleanup/cleanup_message.c. 21975 21976 Future proofing: make vstring_import() consistent with 21977 vstring_alloc(). The alternative would be to remove the 21978 function as it is unused and exists only for symmetry with 21979 vstring_export(). File: usr/vstring.c. 21980 2198120151010 21982 21983 Cleanup: the 20150903 workaround for AIX DNSSEC used the 21984 wrong name in #ifdef. File: dns/dns.h. 21985 2198620151011 21987 21988 Cleanup: in the PCRE client, turn fatal lookup errors into 21989 warnings, and skip the failing pattern as in dict_regexp.c. 21990 Also, fixed the error text when running into the matcher's 21991 backtracking limit. File: util/dict_pcre.c. 21992 2199320151017 21994 21995 Feature: smtpd_client_auth_rate_limit enforces a rate 21996 limit on the number of AUTH commands per client IP address. 21997 mantools/postlink, proto/postconf.proto, anvil/anvil.c, 21998 global/anvil_clnt.c, global/anvil_clnt.h, global/mail_params.h, 21999 smtpd/smtpd.c. 22000 2200120151018 22002 22003 Added RFC 7672 (SMTP security via opportunistic DANE TLS) 22004 and RFC 7505 ("Null MX" No Service Resource Record) to the 22005 lists of supported RFCs in manpages. Viktor Dukhovni. Files: 22006 smtp/smtp.c, smtpd/smtpd.c. 22007 2200820151031 22009 22010 Bitrot: OpenSSL API cleanups. Viktor Dukhovni. Files: 22011 .indent.pro, tls/tls.h, tls/tls_dane.c, tls/tls_fprint.c, 22012 tls/tls_misc.c, tls/tls_server.c, tls/tls_verify.c. 22013 2201420151124 22015 22016 Bugfix (introduced: Postfix 3.0): don't throttle a destination 22017 after opportunistic TLS failure. Viktor Dukhovni and Wietse. 22018 Files: smtp/smtp_proto.c, smtp/smtp.h, smtp/smtp_trouble.c. 22019 2202020151128 22021 22022 Feature: JSON-formatted queue listing with "postqueue -j". 22023 Output is a stream of JSON objects, one per queue file. To 22024 simplify stream-mode parsing, each JSON object is followed by 22025 a newline character. Files: postqueue/postqueue.c, 22026 postqueue/postqueue.h, postqueue/showq_compat.c, 22027 postqueue/showq_json.c, showq/showq.c. 22028 2202920151216 22030 22031 Bugfix (introduced: 20151128) bogus queue file parsing error. 22032 File: showq/showq.c. 22033 2203420151226 22035 22036 Cleanup: postlog(1) now pauses for 1s after reporting a 22037 fatal or panic error. This makes behavior of scripts such 22038 as postfix-script consistent with built-in error messages. 22039 File: postlog/postlog.c. 22040 2204120151227 22042 22043 Robustness: don't allow for whitespace in command-line 22044 arguments. Files; postfix-install, conf/post-install. 22045 22046 Robustness: added a comment to discourage people who keep 22047 adding code that calls gethostbyname() to determine the 22048 default myhostname setting. This is a mistake: all Postfix 22049 programs will hang when the DNS is unavailable. File: 22050 global/mail_params.c. 22051 22052 Safety: a limit on the number of address verification probes 22053 in the active queue (address_verify_pending_request_limit), 22054 by default 1/4 of the active queue maximum size. The queue 22055 manager tempfails probe messages that exceed the limit. 22056 Files: mantools/postlink, proto/postconf.proto, cleanup/cleanup.h, 22057 cleanup/cleanup_envelope.c, cleanup/cleanup_out_recipient.c, 22058 cleanup/cleanup_state.c, global/mail_params.h, global/post_mail.c, 22059 global/post_mail.h, global/verify.c, oqmgr/qmgr.c, oqmgr/qmgr.h, 22060 oqmgr/qmgr_message.c, qmgr/qmgr.c, qmgr/qmgr.h, 22061 qmgr/qmgr_message.c, verify/verify.c. 22062 2206320160102 22064 22065 Workaround: MacOS/X 10.11.x /bin/sh unsets DYLD_LIBRARY_PATH, 22066 which breaks the build and install. Viktor Dukhovni and 22067 Wietse. Files: makedefs, postfix-install, Makefile.in. 22068 22069 Bitrot: OpenSSL 1.1.0-dev drops support for EXPORT ciphers 22070 and ephemeral RSA. Viktor Dukhovni. Files: tls/tls_client.c, 22071 tls/tls_rsa.c, tls/tls_server.c. 22072 22073 Bugfix: memory leak in tls_set_eecdh_curve(). Viktor Dukhovni. 22074 File: tls/tls_dh.c. 22075 22076 Bugfix (introduced 20150326): when lmtp_fallback_relay 22077 support was added, the code that generates lmtp_mumble 22078 parameters from smtp_mumble parameters wasn't updated. File: 22079 smtp/smtp-only. 22080 22081 Bugfix (introduced 20151017): the smtpd_client_auth_rate_limit 22082 implementation was not guarded with #ifdef USE_SASL_AUTH. 22083 File: smtpd/smtpd.c. 22084 2208520160103 22086 22087 Feature: enable DANE policies when an MX host has a secure 22088 TLSA DNS record, even if the MX DNS record was obtained 22089 with insecure lookups. The existence of a secure TLSA record 22090 implies that the host wants to talk TLS and not plaintext. 22091 This behavior is controlled with smtp_tls_dane_insecure_mx_policy 22092 (default: "dane", other settings: "encrypt" and "may"; the 22093 latter is backwards-compatible with earlier Postfix releases). 22094 Viktor Dukhovni. Files: mantools/postlink, proto/postconf.proto, 22095 src/global/mail_params.h, src/posttls-finger/posttls-finger.c, 22096 src/smtp/smtp-only, src/smtp/smtp.c, src/smtp/smtp.h, 22097 src/smtp/smtp_addr.c, src/smtp/smtp_params.c, 22098 src/smtp/smtp_tls_policy.c, src/tls/tls.h, src/tls/tls_client.c. 22099 2210020160104 22101 22102 Cleanup: distinct TLS levels for "full" DANE and for DANE 22103 with insecure MX records. Viktor Dukhovni. Files: 22104 posttls-finger/posttls-finger.c, smtp/smtp_tls_policy.c, 22105 tls/tls.h, tls/tls_client.c, tls/tls_level.c. 22106 2210720160108 22108 22109 Cleanup: smtp_reply_footer() now restores state in case of 22110 input error; unit tests that cover most if not all error 22111 and non-error cases. Files: global/smtp_reply_footer.c, 22112 global/smtp_reply_footer.ref. 22113 2211420160110 22115 22116 Bitrot: const-ification for OpenSSL 1.1.0. Viktor Dukhovni. 22117 File: tls/tls_misc.c. 22118 2211920160116 22120 22121 "postconf -H" support (show names without the =value). 22122 Initial use case: mass reversal of TLS-related main.cf 22123 parameters (postconf -nH | grep _tls_ | xargs postconf -X). 22124 This flag also works with "postconf -F" and "postconf -P". 22125 Added missing documentation that -h works with "postconf 22126 -F" and "postconf -P". Files: postconf.c, postconf.h, 22127 postconf_master.c, postconf_main.c. 22128 22129 Robustness: force html2text to produce ASCII output. File: 22130 mantools/html2readme. 22131 22132 Feature: "postfix tls" commands to enable opportunistic TLS 22133 in the Postfix SMTP client or server, or generate or replace 22134 Postfix SMTP server TLS private keys and server certificates. 22135 Viktor Dukhovni, Wietse. Files: conf/postfix-files, 22136 conf/postfix-script, conf/postfix-tls-script, makedefs, 22137 proto/INSTALL.html, proto/postconf.proto, global/mail_params.h, 22138 postfix/postfix.c, tls/tls_misc.c. 22139 22140 Portability: added a tls_random_source default setting for 22141 MacOS X. Viktor Dukhovni. File: util/sys_defs.h. 22142 2214320160118 22144 22145 Bitrot: OpenSSL 1.1.0-dev (aka the "master" branch) has new 22146 security levels ranging from 0 to 5. Level "0" is backwards 22147 compatible, and other levels are increasingly restrictive. 22148 Viktor Dukhovni. Files: tls/tls_server.c, tls/tls_client.c. 22149 2215020160205 22151 22152 Portability: Postfix TLS support uses /dev/urandom if 22153 available and no system-specific setting exists in sys_defs.h. 22154 Files: makedefs, util/sys_defs.h. 22155 2215620160208 22157 22158 Cleanup: building the INSTALL file had failed, added 22159 hyperlinks for "postfix tls". Files: mantools/postlink. 22160 2216120160210 22162 22163 Feature: all-default-client and all-default-server subcommands. 22164 Eray Aslan. File: conf/postfix-tls-script. 22165 22166 Bugfix: the postqueue(1) JSON formatter wrote a spurious 22167 comma after the delay reason. Reported by Christian Roessner. 22168 File: postqueue/showq_json.c. 22169 2217020160212 22171 22172 Cleanup: Bold/Italic cleanup in manpages. 22173 2217420160213 22175 22176 Added Google credits to external manpages. 22177 2217820160214 22179 22180 More manpage cleanups. Viktor, Wietse. 22181 2218220160215 22183 22184 Cleanup: "match_list_match: permit_mynetworks: no match" after 22185 a SUCCESSFUL permit_mynetworks match of a client IP address was 22186 complicating troubleshooting. The fix is to log additional 22187 context to clarify that this "no match" condition is for 22188 smtpd_log_access_permit_actions. File: smtpd/smtpd_check.c. 22189 2219020160224 22191 22192 Cleanup: un-break some DNS unit tests by replacing non-portable 22193 numerical flags with portable symbolic names in the verbose 22194 command output. Files: dns/dns_str_resflags.c, dns/dns_lookup.c, 22195 dns/Makefile.in, many *.ref files. 22196 2219720160227 22198 22199 Cleanup: remember multiple BCC actions in access maps. 22200 Files: smtpd/smtpd.h, smtpd/smtpd.c, smtpd/smtpd_check.c, 22201 smtpd/smtpd_state.c, proto/access. 22202 2220320160228 22204 22205 Documentation: STRESS_README. File: proto/STRESS_README.html. 22206 2220720160229 22208 22209 Documentation: postmulti manpage. File: postmulti/postmulti.c. 22210 2221120160305 22212 22213 Future-proofing: detect integer overflow before it happens. 22214 After-the-fact detection relies on assumptions about 22215 undefined behavior that are invalidated by compilers. Files: 22216 util/mymalloc.c, util/vstring.c. 22217 2221820160310 22219 22220 Bugfix (introduced: Postfix 2.6): the Milter SMFIR_CHGFROM 22221 (replace sender) request lost the sender_bcc_maps address. 22222 Fixed by moving some record keeping to the sender output 22223 function. Files: cleanup/cleanup_envelope.c, 22224 cleanup/cleanup_addr.c, cleanup/cleanup_milter.c, 22225 cleanup/cleanup.h, regression tests. 22226 2222720160314 22228 22229 Future-proofing: revised off_t integer conversion (detect off_t 22230 overflow before it happens). After-the-fact detection relies 22231 on assumptions about undefined behavior that are invalidated by 22232 compilers. Files: global/off_cvt.c. 22233 22234 Cleanup: include <sys/types.h> once, instead of making it 22235 system-dependent. File: util/sys_defs.h. 22236 22237 Cleanup: make sorting in "make depend" locale-independent. 22238 Files: */Makefile.in. 22239 22240 Cleanup: postmulti manpage. File: postmulti/postmulti.c. 22241 2224220160319 22243 22244 Future-proofing: revised format-string width or precision integer 22245 conversion (detect integer overflow before it happens), plus 22246 some tests to ensure that format-string widths and precisions 22247 are parsed correctly, and that output buffers are sized 22248 correctly. Files: util/vbuf_print.c, util/vbuf_print_test.in, 22249 util/vbuf_print_test.ref. 22250 2225120160320 22252 22253 Testing: exact-size VSTRING allocation. Files: util/vstring.[hc]. 22254 22255 Cleanup: switch to snprintf() for redundancy, keeping 22256 existing code in place to censor unnecessary format-string 22257 features. Specify "make makefiles CCARGS=-DNO_SNPRINTF" for 22258 ancient systems. File: vbuf_print.c, makedefs, util/sys_defs.h, 22259 proto/INSTALL.html. 22260 2226120160324 22262 22263 Future-proofing: revised netstring length integer conversion 22264 (detect integer overflow before it happens). File: 22265 util/netstring.c. 22266 22267 Cleanup: report unsupported usage of '%ls' and '%lc' in 22268 format strings. File: util/vbuf_print.c. 22269 2227020160326 22271 22272 Future-proofing: regression test for global/off_cvt.c. 22273 Files: global/off_cvt.in, global/off_cvt.ref. 22274 2227520160327 22276 22277 Cleanup: postconf(1) manpage. File: postconf/postconf.c. 22278 22279 Cleanup: un-broke regression tests. Files: dns/mxonly_test.ref, 22280 dns/no-mx.ref, smtpd/smtpd_server.ref, smtpd/smtpd_server.in. 22281 22282 Added Postfix version information to the "postconf -m" manpage 22283 section. File: postconf/postconf.c. 22284 2228520160330 22286 22287 The collate.pl script by Viktor Dukhovni for grouping Postfix 22288 logfile records into "sessions" based on queue ID and process 22289 ID information. Files: auxiliary/collate/*. 22290 2229120160407 22292 22293 Treat SASL_FAIL and SASL_NOMEM as temporary errors. 22294 Markus Benning. File: xsasl/xsasl_cyrus_server.c. 22295 2229620160410 22297 22298 Bugfix (introduced: Postfix 2.6): the "bad filetype" 22299 header_checks pattern falsely rejected Content-Mumble headers 22300 with ``name="example"; x-apple-part-url="example.com"''. 22301 Fixed by respecting the ";" separator between content 22302 attribute values. Reported by Cedric Knight. File: 22303 proto/header_checks. 22304 2230520160515 22306 22307 Portability: OpenBSD 6.0. Files: makedefs, util/sys_defs.h, 22308 dns/dns_str_resflags.c. 22309 2231020160521 22311 22312 Bugfix (introduced: Postfix beta): the never-used function 22313 mvect_free() attempted to free memory that it has not 22314 allocated. File: util/mvect.c. 22315 22316 Cleanup: existing if/endif support for pcre and regexp 22317 tables, in preparation for new if/endif support for cidr 22318 tables. Files: util/dict_regexp.c, util/dict_pcre.c. 22319 2232020160526 22321 22322 Feature: cidr tables now support if/endif and negation (by 22323 prepending "!" to a pattern), just like regexp and pcre 22324 tables. The primarily purpose is to improve readability of 22325 complex tables. Files: util/cidr_match.[hc], util/dict_cidr.c, 22326 proto/cidr_table. 22327 22328 Cleanup: make regexp: and pcre: parser warning messages more 22329 similar. Files: dict_regexp.c, dict_pcre.c. 22330 2233120160601 22332 22333 Cleanup: moved parsing of '!' operators from cidr_match.c 22334 to dict_cidr.c. Files: util/cidr_match.[hc], util/dict_cidr.c, 22335 util/match_ops.c. 22336 2233720160604 22338 22339 Cleanup: made parsing of '!' operators in regexp and pcre 22340 tables consistent with cidr tables. Files: util/dict_regexp.c, 22341 util/dict_pcre.c. 22342 2234320160605 22344 22345 Cleanup: integer wrap-around detection in the MySQL and 22346 PostgreSQL clients. This is totally non-critical because 22347 Postfix strings are size-limited by design. Files: 22348 global/dict_mysqql.c, global/dict_pgsql.c. 22349 2235020160607 22351 22352 Documentation: dnsblog. 22353 2235420160609 22355 22356 Documentation: postsuper(1) manpage text for multiple -[dhH] 22357 options. File: postsuper/postsuper.c. 22358 2235920160611 22360 22361 Cleanup: Postfix SMTP server local IP address and port 22362 attributes in the policy delegation protocol (attribute 22363 names: server_address, server_port), in the Milter protocol 22364 (macro names: {daemon_addr}, {daemon_port}) and in the 22365 XCLIENT protocol (attribute names: DESTADDR, DESTPORT). 22366 Files: proto/MILTER_README.html, proto/SMTPD_POLICY_README.html, 22367 cleanup/cleanup.h, cleanup/cleanup_milter.c, global/mail_proto.h, 22368 milter/milter.h, smtpd/smtpd.c, smtpd/smtpd.h, smtpd/smtpd_check.c, 22369 smtpd/smtpd_haproxy.c, smtpd/smtpd_milter.c, smtpd/smtpd_peer.c. 22370 2237120160612 22372 22373 Bugfix (introduced: 20090211): missing server address 22374 conversion for non-proxy, non-postscreen connections. File: 22375 smtpd/smtpd_peer.c. 22376 22377 Bugfix (introduced: 20160611) missing server port conversion 22378 for non-proxy, non-postscreen connections, because there was 22379 no server address conversion. File: smtpd/smtpd_peer.c. 22380 2238120160618 22382 22383 Bugfix (introduced: 20091121): with the introduction of 22384 sender_dependent_default_transport_maps, the SMTP daemon 22385 was not updated. This resulted in false rejects with 22386 sender-dependent "error" transports. Based on a fix by 22387 Russell Yanofsky. Files: global/resolve_clnt.c, 22388 global/resolve_clnt.h, smtpd/smtpd_check.c, smtpd/smtpd_check.h, 22389 smtpd/smtpd_milter.c, smtpd/smtpd_resolve.c, smtpd/smtpd_resolve.h. 22390 2239120160619 22392 22393 Refinements to the 20160618 fix. For more consistent results 22394 with sender address validation, use the recipient address 22395 (if available) as the sender-dependent address resolver 22396 context. For better caching, pass sender context with all 22397 attempts to resolve an email address. File: smtpd/smtpd.c, 22398 smtpd/smtpd_check.c, smtpd/smtpd_milter.c. 22399 2240020160625 22401 22402 Cleanup: the Postfix SMTP server now passes network address 22403 and port information to the Cyrus SASL library. Build with 22404 ``make makefiles "CCARGS=$CCARGS -DNO_IP_CYRUS_SASL_AUTH"'' 22405 for backwards compatibility. Files: makedefs, 22406 smtpd/smtpd_sasl_glue.c, xsasl/xsasl.h, xsasl/xsasl_cyrus_server.c, 22407 xsasl/xsasl_server.c. 22408 22409 Cleanup: dnsblog manpage. File: dnsblog/dnsblog.c. 22410 2241120160717 22412 22413 Bugfix (introduced: Postfix 1.1): the virtual(8) delivery 22414 agent discarded the error result from vstream_fseek(). 22415 2241620160728 22417 22418 Bugfix (introduced: 20090614): with concurrent connections 22419 from the same client IP address, and after-220 tests enabled, 22420 postscreen could overwrite the cached "all tests completed" 22421 result of one connection that completed the after-220 tests, 22422 with the "some tests not completed" result of a concurrent 22423 connection where the client hung up before completing the 22424 after-220 tests. Files: postscreen_misc.c, postscreen_state.c, 22425 postscreen.h, postscreen_tests.c, postscreen.c, postscreen_smtpd.c, 22426 postscreen_early.c. 22427 2242820160730 22429 22430 Cleanup: don't try to optimize away postscreen cache updates. 22431 File: postscreen_misc.c. 22432 22433 Cleanup: removed compatibility crutches that emulated a 22434 historical data organization from four years ago. Files: 22435 postscreen/postscreen.[hc], postscreen/postscreen_early.c, 22436 postscreen/postscreen_smtpd.c, postscreen/postscreen_tests.c. 22437 2243820160808 22439 22440 Cleanup: preserve the new file mtimes when installing Postfix. 22441 Ondřej Lysoněk. File: postfix-install. 22442 REVERTED 20160828. 22443 2244420160819 22445 22446 Bugfix (introduced: Postfix 3.0): the makedefs script ignored 22447 readme_directory=pathname overrides. Fix by Todd C. Olson. 22448 File: makedefs. 22449 2245020160821 22451 22452 Bugfix (introduced: Postfix 3.0): the tls_session_ticket_cipher 22453 documentation says aes-256-cbc, but the implementation was 22454 using aes-128-cbc (note that Postfix session ticket keys 22455 are rotated after 1/2 hour, to limit the impact of attacks 22456 on session ticket keys). 22457 2245820160828 22459 22460 Bitrot: fixes for incompatible OpenSSL 1.1.0 API changes. 22461 Viktor Dukhovni. Files: posttls-finger/posttls-finger.c, 22462 tls/tls.h, tls/tls_dane.c, tls/tls_verify.c, tls/tls_server.c, 22463 tls/tls_client.c. 22464 22465 Cleanup: disable reuse of ECDH ephemeral keys. Viktor 22466 Dukhovni. File: tls/tls_misc.h. 22467 2246820160908 22469 22470 Documentation: add a pointer to hosts(5) and services(5) 22471 for symbolic host and port syntax. File: proto/master. 22472 2247320160911 22474 22475 Bugfix (introduced: Postfix 3.0): the SMTP daemon did not 22476 reset a previous session's command counts before rejecting 22477 a client that exceeds request or concurrency rates. File: 22478 smtpd/smtpd.c. 22479 2248020160912 22481 22482 Feature: preserve the new file mtimes when installing 22483 Postfix. Ondřej Lysoněk. Wietse made this conditional on 22484 the presence of a new -keep-new-mtime flag. File: postfix-install. 22485 [this flag was renamed to "-keep-build-mtime" on 20161126] 22486 2248720160917 22488 22489 Bugfix (introduced: Postfix 3.0): the unionmap did not 22490 propagate table lookup errors. Based on patch by Roel van 22491 Meer. Files: util/dict_union.c, util/dict_union_test.*. 22492 22493 Cleanup: added unit test for pipemap. Files: util/dict_pipe.c, 22494 util/dict_pipe_test.*. 22495 22496 Documentation: added a note about the order of search 22497 patterns and table lookup order. Files: proto/canonical, 22498 proto/generic, proto/virtual. 22499 22500 Documentation: bitrot in postsuper(1) example. Different 22501 groff versions produce different results; some systems no 22502 longer support historical "tail -number" command syntax. 22503 Fix by Geert Stappers. File: postsuper/postsuper.c. 22504 2250520160918 22506 22507 Logging: the Postfix SMTP server logs the sasl_username 22508 after rejected SMTP commands. As before, the SMTP server 22509 does not forward SASL login information to other Postfix 22510 subsystems, and it does not receive SASL login information 22511 in XFORWARD commands. File/smtpd/smtpd.c. 22512 2251320160925 22514 22515 Bugfix (introduced: Postfix 2.11): changed the default MySQL 22516 option_group value to "client" to enable the reading of 22517 "client" option group settings in the MySQL option file. 22518 This fixes false "not found" errors with Postfix queries 22519 that contain UTF8-encoded text. Fix by John Fawcett. 22520 Specify an empty option_group value to get backwards-compatible 22521 behavior. Files: global/dict_mysql.c, proto/mysql_table. 22522 2252320161007 22524 22525 Bitrot: API for the ersatz inet_ntop() function, when 22526 compiling with -DNO_IPV6 (which exists only for debugging). 22527 Files: util/sys_defs.h, util/sys_compat.c. 22528 2252920161008 22530 22531 Feature: smtp_tcp_port, similar to the existing lmtp_tcp_port. 22532 Files: mantools/postlink, proto/postconf.proto, 22533 global/mail_params.h, smtp/smtp.c, smtp/smtp_connect.c, 22534 smtp/smtp_params.c. 22535 22536 Feature: "PASS" and "STRIP" actions in header/body_checks. 22537 "STRIP" is similar to "IGNORE" but also logs the action, 22538 and "PASS" disables header, body, and Milter inspection for 22539 the remainder of the message content. Contributed by Hobbit. 22540 Files: cleanup/cleanup_message.c, global/header_body_checks.c. 22541 2254220161024 22543 22544 Feature: smtpd_milter_maps, per-client Milter configuration 22545 that overrides smtpd_milters, and that has the same syntax. 22546 Files: mantools/postlink, proto/MILTER_README.html, 22547 proto/postconf.proto, global/mail_params.h, smtpd/smtpd.c, 22548 smtpd/smtpd.h, smtpd/smtpd_sasl_proto.c, smtpd/smtpd_state.c. 22549 2255020161103 22551 22552 Cleanup: error reporting for IDNA (non-ASCII domain name) 22553 conversion errors. File: util/midna_domain.c. 22554 22555 Cleanup: non-transitional conversion of UTF8 to/from ASCII 22556 domain name labels used in DNS queries. This disables 22557 'transitional' compatibility between IDNA2003 and IDNA2008, 22558 and affects some corner cases such as German sz and Greek 22559 zeta. Specify "enable_idna2003_compatibility = yes" to 22560 restore historical behavior. Files: util/midna_domain.[hc], 22561 mantools/postlink, global/mail_params.[hc], proto/postconf.proto, 22562 proto/SMTPUTF8_README.html. 22563 2256420161105 22565 22566 Bugfix (introduced: Postfix 1.1): the postsuper command did 22567 not count a successful rename operation after error recovery. 22568 Problem reported by Markus Schönhaber. File: postsuper/postsuper.c. 22569 22570 Cleanup: error reporting for IDNA (non-ASCII domain name) 22571 conversion errors, and enable_idna2003_compatibility 22572 configuration. File: util/midna_domain.c. 22573 2257420161106 22575 22576 Documentation: specify the minimum ICU library version (4.6). 22577 File: proto/SMTPUTF8_README.html. 22578 2257920161109 22580 22581 Portability: force LC_ALL=C in dict_utf8 test. This should 22582 probably be in every shell script. 22583 2258420161120 22585 22586 Documentation: clarified the syntax of $name and ${name...} 22587 in parameter values, and some wordsmithing. Files: 22588 proto/postconf.html.prolog, proto/postconf.man.prolog. 22589 2259020161123 22591 22592 Documentation: clarified reject_non_fqdn_{sender,recipient}. 22593 The syntax check applies only for domains that are actually 22594 specified, not for missing domains. File: proto/postconf.proto. 22595 2259620161126 22597 22598 Cleanup: the postfix-install option "-keep-new-mtime" was 22599 renamed to "-keep-build-mtime". File: postfix-install. 22600 22601 Feature: "make makefiles POSTFIX_INSTALL_OPTS=-keep-build-mtime" 22602 to set the installed file mtimes to their build time instead 22603 of their installation time. Based on code by Ondřej Lysoněk. 22604 Wietse added a guard to prevent POSTFIX_INSTALL_OPTS from 22605 passing arbitrary options. Files: makedefs, Makefile.in, 22606 proto/INSTALL.html. 22607 2260820161201 22609 22610 Documentation: add 'smtpd_tls_auth_only=yes' to the master.cf 22611 submission service example. File: conf/master.cf. 22612 2261320161202 22614 22615 Documentation: typos in postconf(1) manpage. File: 22616 postconf/postconf.c. 22617 2261820161204 22619 22620 Cleanup: properly report numerical conversion errors in 22621 ${{number} relational-operator ${number}}, and wordsmithing. 22622 File: util/mac_expand.c. 22623 22624 Updated auxiliary/collate/collate.pl with Viktor's suggestion 22625 in <98D25E24-EAB1-42BB-82FD-794F5DDD4E7F@dukhovni.org> for 22626 better tracking of message flows. 22627 22628 Cleanup: remove tentative features that were implemented 22629 before the DANE spec was finalized: support for certificate 22630 usage PKIX-EE(1), the ability to disable digest agility 22631 (Postfix now behaves as if "tls_dane_digest_agility = on"), 22632 and the ability to disable support for "TLSA 2 [01] [12]" 22633 records that specify the digest of a trust anchor (Postfix 22634 now behaves as if "tls_dane_trust_anchor_digest_enable = 22635 yes). Viktor Dukhovni. Files: mantools/postlink, 22636 proto/postconf.proto, proto/TLS_README.html, tls/tls.h, 22637 tls/tls_dane.c, smtp/smtp.c. 22638 22639 Bugfix (introduced: Postfix 3.1): cut-and-paste error in 22640 the "postfix tls deploy-server-cert" command, causing the 22641 wrong certfile and keyfile to be used. Viktor Dukhovni. 22642 File: conf/postfix-tls-script. 22643 22644 Robustness: create a new keyfile when "postfix tls 22645 new-server-cert" is invoked, and main.cf specifies a 22646 non-existent keyfile. Viktor Dukhovni. File: 22647 conf/postfix-tls-script. 22648 2264920161205 22650 22651 Cleanup: log the sender address when rejecting a too large 22652 message size in a "MAIL FROM:<sender> SIZE=nnn" command. 22653 File: smtpd/smtpd.c. 22654 2265520161206 22656 22657 Bugfix (introduced: Postfix 3.0): when receiving a MAIL 22658 FROM...SMTPUTF8 command while smtpd_delay_reject=no, enable 22659 SMTPUTF8 support before processing smtpd_sender_restrictions. 22660 Problem reported by Viktor Dukhovni. File: smtpd/smtpd.c. 22661 22662 Bugfix (introduced: Postfix 3.0): when receiving a 22663 VRFY...SMTPUTF8 command, enable SMTPUTF8 support while 22664 processing smtpd_recipient_restrictions. File: smtpd/smtpd.c. 22665 2266620161220 22667 22668 Bugfix (introduced: Postfix 2.1.0): the Postfix SMTP daemon 22669 did not query sender_canonical_maps when rejecting unknown 22670 senders with "smtpd_reject_unlisted_recipient = yes" or 22671 with reject_unlisted_sender. Stephen R. van den Berg (Mr. 22672 procmail). Files: smtpd/smtpd.c, smtpd/smtpd_check.c. 22673 2267420161217 22675 22676 Enable elliptic curve negotiation with OpenSSL >= 1.0.2. 22677 This changes the default smtpd_tls_eecdh_grade setting to 22678 "auto", and introduces a new parameter tls_eecdh_auto_curves 22679 with the names of curves that may be negotiated. The default 22680 tls_eecdh_auto_curves setting is determined at compile time, 22681 and depends on the Postfix and OpenSSL versions. At runtime, 22682 Postfix will skip curve names that aren't supported by the 22683 OpenSSL library. Viktor Dukhovni. Files: mantools/postlink, 22684 proto/FORWARD_SECRECY_README.html, proto/TLS_README.html, 22685 proto/postconf.proto, global/mail_params.h, smtpd/smtpd.c, 22686 tls/tls.h, tls/tls_client.c, tls/tls_dh.c, tls/tls_misc.c, 22687 tls/tls_server.c. 22688 22689 Feature: stored-procedure support for MySQL databases. 22690 John Fawcett. Files: global/dict_mysql.c, proto/mysql_table. 22691 2269220161223 22693 22694 Bugfix (introduced: Postfix 3.2 snapshots): the makedefs 22695 script produced a garbled CCARGS setting when no suitable 22696 ICU library was found. File: makedefs. 22697 2269820161225 22699 22700 Cleanup: simplified handling of unsupported curve names in 22701 the tls_eecdh_auto_curves parameter value. File: tls/tls_dh.c. 22702 22703 Cleanup: simplified code structure in the MySQL client 22704 support for stored procedures. File: global/dict_mysql.c. 22705 2270620161226 22707 22708 Cleanup: more MySQL client code simplification, better error 22709 messages, new per-database "require_result_set" parameter 22710 (default: yes) which can be set to "no" to avoid the need 22711 for dummy SELECT statements in stored procedures. Files: 22712 global/dict_mysql.c, proto/mysql_table, postconf/postconf_dbms.c. 22713 22714 Portability: SSL_CTX_set_ecdh_auto() is part of the deprecated 22715 OpenSSL API, so it must be used under #ifdef. Viktor Dukhovni. 22716 File: src/tls/tls_dh.c. 22717 2271820161227 22719 22720 Safety: the sendmail -C option must specify an authorized 22721 configuration directory: the default configuration directory, 22722 a directory that is listed in the default main.cf file with 22723 alternate_config_directories or multi_instance_directories, 22724 or the command must be invoked with root privileges. This 22725 mitigates a problem with the PHP mail() function. Files: 22726 global/mail_conf.[hc], sendmail/sendmail.c. 22727 2272820161228 22729 22730 Documentation: moved the "BACKWARDS COMPATIBILITY" sections 22731 to the end of ldap_table, mysql_table, pgsql_table, and 22732 sqlite_table, renamed to "OBSOLETE MAIN.CF PARAMETERS". 22733 2273420161231 22735 22736 Bugfix (introduced: 20160521): segfault (null pointer) in 22737 cidr, pcre, and regexp table when an input does not match 22738 an ENDIF-less IF operator. Found during code maintenance. 22739 File: util/cidr_map.c, util/dict_regexp.c, util/dict_pcre.c. 22740 2274120170101 22742 22743 Portability; SunOS5 builds broke after moving the sys/types.h 22744 include statement to the top of sys_defs.h. 22745 22746 Portability: declaration after code is GNU dialect. File: 22747 util/vbuf_print.c. 22748 22749 Portability: compatibility macros for SSLv23_client_method() 22750 etc. deprecation. Files: tls/tls.h, tls/tls_client.c, 22751 tls/tls_dane.c, tls_server.c. 22752 22753201606-20170108 22754 22755 Cleanup: handling of address extensions with email addresses 22756 that contain spaces. The virtual_alias_maps, canonical_maps, 22757 and smtp_generic_maps features now correctly propagate an 22758 address extension from "aa bb+ext"@example.com to "cc 22759 dd+ext"@other.example, instead of producing broken output. 22760 22761 Files updated to support conversion between unquoted and 22762 quoted address forms, as required for addresses that contain 22763 spaces: global/mail_addr_map.*, global/mail_addr_find.* and 22764 global/mail_addr_crunch.*. 22765 22766 Files updated to enable these address conversions to correctly 22767 propagate address extensions: cleanup/cleanup_map11.c 22768 (canonical_maps), cleanup/cleanup_map1n.c (virtual_alias_maps), 22769 and smtp/smtp_generic.c (smtp_generic_maps). 22770 22771 Files updated to rename functions to better reflect their 22772 input and output forms: global/split_addr.*, global/strip_addr.*. 22773 22774 Files updated to support quoted lookup keys: util/dict_inline.c, 22775 util/dict_thash.c, postmap/postmap.c. 22776 22777 Files updated to invoke a backwards-compatible mail_addr_find() 22778 version that disables quoted/unquoted address conversions: 22779 smtp/smtp/smtp_sasl_glue.c (smtp_sasl_password_maps), 22780 smtpd/smtpd_check.c (SMTP server address validation), 22781 cleanup/cleanup_addr.c (sender_bcc_maps and recipient_bcc_maps), 22782 virtual/mailbox.c (user-related table lookups), 22783 trivial-rewrite/transport.c (transport_maps), 22784 trivial-rewrite/resolve.c (sender_dependent_mumble_maps, 22785 relocated_maps). These features may be migrated later to 22786 enable quoted-form address lookup keys, for consistency 22787 with other Postfix features. 22788 2278920170109 22790 22791 Cleanup: reduce the number of modified files relative to 22792 the last regular release, to make a back-port more feasible. 22793 This renames the new mail_addr_find() to mail_addr_find_opt(), 22794 and renames the backwards_compatibility mail_addr_find_noconv() 22795 to its old name mail_addr_find(). Added backwards-compatible 22796 aliases {split,strip}_addr() for {split,strip}_addr_local(). 22797 To ensure correctness these edits were done mechanically, 22798 and verified mechanically. 22799 2280020170111 22801 22802 Documentation: when (smtp|lmtp)_delivery_status_filter is 22803 applied. File: proto/postconf.proto. 22804 2280520170114 22806 22807 Cleanup: careful handling of local-parts that contain '@', 22808 as they are converted into quoted form. Files: 22809 global/mail_addr_find.*, global/quote_822_local.*, 22810 global/quote_flags.*. 22811 22812 Cleanup: added unit tests for malformed inputs. Files: 22813 util/dict_thash{in,ref}. 22814 22815 Cleanup: minimize the patch size of the quoting fixes, and 22816 a preliminary back-port to Postfix 3.1.4. 22817 2281820170115 22819 22820 Cleanup: enable "externalized" address lookup by default, 22821 with legacy-style "internalized" lookup for backwards 22822 compatibility, for sender_bcc_maps, recipient_bcc_maps, 22823 smtp_sasl_passwd_maps, smtpd_sender_login_maps, relocated_maps, 22824 sender_dependent_mumble_maps, virtual_{mailbox,uid,gid}_maps. 22825 File: global/mail_addr_find.c. 22826 22827 Cleanup: enable "externalized" address lookup by default, 22828 with legacy-style "internalized" lookup for backwards 22829 compatibility, for transport_maps. Files: global/mail_addr_find.*, 22830 trivial-rewrite/transport.*. 22831 22832 Cleanup: mail_addr_find_() now has a configurable strategy 22833 for full and partial address lookup, so that it may also 22834 be used for localpart lookup in access maps. 22835 2283620170116: 22837 22838 Cleanup: parent domain matching is now implemented in the 22839 mail_addr_find() engine. Simplified the transport_maps 22840 lookup to just one mail_addr_find_() call. Files: 22841 global/mail_addr_find.*, trivial-rewrite/transport.*. 22842 22843 Cleanup: enabled "externalized" address lookup by default, 22844 with legacy-style "internalized" lookup for backwards 22845 compatibility, for check_sender_access and check_recipient_access. 22846 This now uses 'user@' lookup support in the mail_addr_find() 22847 engine. File: global/mail_addr_find.*, smtpd/smtpd_check.c. 22848 2284920170122 22850 22851 Cleanup: separated the database query form from the address 22852 form that is input to mail_addr_find_() or mail_addr_map*(), 22853 in attempt to make code more obviously correct. Files: 22854 global/mail_addr_find.c, global/mail_addr_map.c. 22855 22856 Abandoned an experiment that used internal-form queries for 22857 all maps, because it would be very difficult to test. The 22858 tests inputs would have to compensate for multiple levels 22859 of unquoting by postmap, C compilers, or shell interpreters. 22860 22861 Cleanup: moved the backwards-compatibility lookup strategy 22862 (try the external address form first, then the internal 22863 address form if it is different) inside the loop that 22864 iterates over full and partial address forms. File: 22865 global/mail_addr_find.c. 22866 2286720170125 22868 22869 Cleanup: mail_addr_find test scripting. Eliminate main.cf 22870 dependencies, and allow all tests to run in one process. 22871 Files: global/mail_addr_find.* 22872 2287320170127 22874 22875 Cleanup: mail_addr_find and mail_addr_form named constants. 22876 Files: global/mail_addr_form.h, mail_addr_find.h, and 22877 dependents. 22878 2287920170128 22880 22881 Cleanup: smtp_generic_maps implementation. Reduced the 22882 number of internal<->external form address conversions, 22883 added more rigorous tests, and eliminated the main.cf and 22884 trivial-rewrite dependencies. Files: smtp_map11.*. 22885 2288620170129 22887 22888 Cleanup: bogus UTC timezone setting for postqueue/mailq 22889 command output, and other environment settings for root and 22890 non-root users in set-gid programs. File: postqueue/postqueue.c 22891 (enforce import_environment name=value overrides for root 22892 users), util/msg_syslog_init.c (don't override non-existent 22893 TZ settings with UTC), util/unsafe.c (exclude uid==0, euid==0 22894 super-user from privilege escalation concerns). 22895 2289620170131 22897 22898 Cleanup: more complete VALGRIND coverage for test build targets 22899 and scripts. Files: postalias/fail_test.in, postmap/fail_test.in, 22900 postmap/quote_test.in, util/dict_pipe_test.in, 22901 util/dict_union_test.in, util/dict_utf8_test.in. 22902 22903 2290420170201 22905 22906 Portability: unsetenv() for ancient platforms. File: 22907 makedefs, util/sys_compat.c. 22908 2290920170205 22910 22911 Cleanup: security checks for config_directory overrides. 22912 File: global/mail_conf.c. 22913 22914 Cleanup: enforce import_environment name=value settings in 22915 command-line utilities, for consistency with Postfix daemons (but 22916 without removing environment variables). This is not enforced 22917 in the postconf command which must be able to process main.cf 22918 files with incomplete settings. Files: postalias/postalias.c, 22919 postcat/postcat.c, postkick/postkick.c, postlock/postlock.c, 22920 postlog/postlog.c, postmap/postmap.c, postsuper/postsuper.c, 22921 posttls-finger/posttls-finger.c, sendmail/sendmail.c, 22922 util/clean_env.[hc]. 22923 2292420170206 22925 22926 Bugfix (introduced: Postfix 3.0): check_mumble_a_access 22927 did not handle [ipaddress], unlike check_mumble_mx_access. 22928 When check_mumble_a_access was introduced, some condition 22929 was not updated. Reported by James (postfix_tracker). File: 22930 smtpd/smtpd_check.c. 22931 2293220170207 22933 22934 Cleanup: rephrased paranoia precondition. File: global/mail_conf.c. 22935 2293620170211 22937 22938 Cleanup: rephrased paranoia precondition. File: util/unsafe.c. 22939 2294020170218 22941 22942 Cleanup: typofixes from klemens. The only change in compiled 22943 code is in one identical mysql error message that also 22944 appears in the pgsql client. Files: about 50. 22945 2294620170221 22947 22948 Compatibility fix (introduced: Postfix 3.1): some Milter 22949 applications do not recognize macros sent as {name} when macros 22950 have single-character names. Postfix now sends such macros 22951 without {} as it has done historically. Viktor Dukhovni. File: 22952 milter/milter.c. 22953 2295420170228 22955 22956 Documentation: re-word scary warnings at the top of SASL_README 22957 and TLS_README. 22958 2295920170402 22960 22961 Bugfix (introduced: Postfix 3.2): restore the SMTP server 22962 receive override options at the end of an SMTP session, 22963 after the options may have been modified by an smtpd_milter_maps 22964 setting of "DISABLE". Problem report by Christian Rößner, 22965 root cause analysis by Viktor Dukhovni. File: smtpd/smtpd.c. 22966 2296720170430 22968 22969 Safety net: append a null byte to vstring buffers, so that 22970 C-style string operations won't scribble past the end. File: 22971 vstring.[hc]. 22972 2297320170505 22974 22975 Workaround for a current problem where some destination 22976 announces primarily IPv6 MX addresses, the smtp_address_limit 22977 eliminates most or all IPv4 addresses, and the destination 22978 is not reachable over IPv6. This workaround is enabled with 22979 "smtp_balance_mx_inet_protocols = yes", which is the default. 22980 Files: smtp/smtp.c, smtp/smtp_params.c, smtp/smtp_addr.c, 22981 global/mail_params.h, proto/postconf.proto. 22982 2298320170506 22984 22985 A last-minute cosmetic fix had introduced a bug in 22986 smtp/smtp_addr.c. 22987 2298820170512 22989 22990 Bugfix (introduced: Postfix 2.0): the MIME nesting level 22991 counter was not initialized (i.e. left at the memory fill 22992 pattern 0xffffffff which equals -1). This broke unit tests 22993 with a different memory allocator. Changing the value to 22994 zero would break backwards compatibility (reject mail that 22995 was previously not rejected). Files: global/mime_state.c. 22996 2299720170531 22998 22999 Bugfix (introduced: Postfix 3.2): after the table lookup 23000 overhaul, the check_sender_access and check_recipient_access 23001 features ignored the parent_domain_matches_subdomains 23002 setting. Reported by Henrik Larsson. File: smtpd/smtpd_check.c. 23003 23004 Workaround (introduced: Postfix 3.2): mail_addr_find() logs 23005 a warning that it does not support both parent-domain and 23006 dot-parent-domain style lookups in the same call. File: 23007 global/mail_addr_find.c 23008 2300920170610 23010 23011 Workaround (introduced: Postfix 3.0 20140718): prevent MIME 23012 downgrade of Postfix-generated message/delivery-status. 23013 It's supposed to be 7bit, therefore quoted-printable encoding 23014 is not expected. Problem reported by Griff. File: 23015 bounce/bounce_notify_util.c. 23016 23017 Documentation: indicate that the transport_mumble parameters 23018 are implemented by the queue manager, not by delivery agents. 23019 Files: mantools/postlink, local/local.c, pipe/pipe.c, 23020 *qmgr/qmgr.c, smtp/smtp.c, virtual/virtual.c. 23021 2302220170611 23023 23024 Security: Berkeley DB 2 and later try to read settings from 23025 a file DB_CONFIG in the current directory. This undocumented 23026 feature may introduce undisclosed vulnerabilities resulting 23027 in privilege escalation with Postfix set-gid programs 23028 (postdrop, postqueue) before they chdir to the Postfix queue 23029 directory, and with the postmap and postalias commands 23030 depending on whether the user's current directory is writable 23031 by other users. This fix does not change Postfix behavior 23032 for Berkeley DB < 3, but reduces file create performance 23033 for Berkeley DB 3 .. 4.6. File: util/dict_db.c. 23034 2303520170617 23036 23037 Cleanup: the postconf command warns about unknown parameter 23038 names in a database configuration file, specified as an 23039 absolute pathname (for example, ldap:/path/to/file). This 23040 code was mostly written in January 2017, and it still is a 23041 partial implementation. Files: postconf/postconf_dbms.c, 23042 postconf/Makefile.in, postconf/test66.ref. 23043 2304420170618 23045 23046 Cleanup: added missing "defined(__GLIBC__)" guards for 23047 GLIBC version tests. File: util/sys_defs.h. 23048 2304920170620 23050 23051 Bugfix (introduced: Postfix 3.2) extension propagation was 23052 broken with "recipient_delimiter = .". This change reverts 23053 a change that was trying to be too clever. Files: 23054 global/mail_adr_crunch.c, global/mail_addr_crunch.ref. 23055 2305620170704 23057 23058 Typos (introduced: Postfix 2.10): in comments about 23059 IPv4-in-IPv6 addresses, replace :ffff::1.2.3.4 with the 23060 correct form ::ffff:1.2.3.4. Incorrect or misleading comments 23061 are worse than no comments. Files: smtpd/smtpd_haproxy.c, 23062 postscreen/postscreen_haproxy.c. 23063 2306420170721 23065 23066 Bitrot: updated postconf LDAP database configuration check with 23067 SASL and TLS-related parameters. Reported by Ralf Hildebrandt. 23068 File: postconf/postconf_dbms.c. 23069 2307020170722 23071 23072 Cleanup: don't log the 'delay_dotcrlf' workaround for CISCO 23073 PIX bugs before the smtp_pix_workaround_threshold_time has 23074 passed. Reported by Ralf Hildebrandt. File: smtp/smtp_proto.c. 23075 2307620170727 23077 23078 Cleanup: the postconf command now uses mechanically-generated 23079 lists of DBMS parameter names. This eliminates false positives 23080 with mysql databases. Files: postconf/Makefile.in, 23081 postconf/extract_cfg.sh, postconf/postconf_dbms.c. 23082 23083 Cleanup: removed `#if 0/#endif' dead code from dict_ldap.c, 23084 to avoid spurious output from the extract_cfg.sh parameter name 23085 extraction tool. 23086 2308720170728 23088 23089 Documentation: added warnings that "enable_original_recipient 23090 = no" prevents Postfix <= 3.2 from saving the address 23091 verification result under the original probe destination 23092 address, if it is changed by aliasing or canonical mapping. 23093 Files: proto/ADDRESS_VERIFICATION_README.html, 23094 proto/postconf.proto. 23095 23096 Cleanup: don't store an empty address in the verify cache 23097 (this could happen with "enable_original_recipient = no"). 23098 File: global/verify.c. 23099 2310020170729 23101 23102 Cleanup: the setting "enable_original_recipient = no" no 23103 longer breaks address verification for aliased addresses. 23104 This does not change the behavior of the X-Original-To 23105 header and of recipient deduplication. The fix is to always 23106 store the original recipient in queue files. Some other 23107 changes were needed to move ownership of the var_enable_orcpt 23108 parameter from the cleanup daemon to the global library. 23109 Files: cleanup/cleanup_init.c, cleanup/cleanup_milter.c, 23110 cleanup_out_recipient.c, global/mail_params.c, global/mail_copy.c, 23111 proto/postconf.proto proto/ADDRESS_VERIFICATION_README.html, 23112 local/local.c, virtual/virtual.c, pipe/pipe.c. 23113 2311420170730 23115 23116 Bugfix (introduced: yesterday): revert global/verify.c code 23117 to always store the verify result under the original address, 23118 and to conditionally store it under the rewritten address. 23119 File: global/verify.c. 23120 2312120170827 23122 23123 Safety: in vstream_buf_space(), add a sanity check to reject 23124 negative request sizes, instead of letting the program fail 23125 later. File: util/vstream.c 23126 23127 Bugfix: in tests that enable the VSTRING_FLAG_EXACT flag, 23128 vstring_buf_put_ready() could fail to extend the buffer, 23129 causing infinite recursion in VBUF_PUT(). File: util/vstring.c. 23130 2313120170830 23132 23133 Bugfix: in vbuf_print(), save the parser-produced format 23134 string before calling msg_panic(), so that the panic message 23135 will not display its own format string. File: util/vbuf_print.c. 23136 2313720170831 23138 23139 Undefined behavior (introduced Postfix 1.0): after subtracting 23140 a larger unsigned integer from a smaller one, do not assign 23141 the result to a signed integer. File: postqueue/showq_compat.c. 23142 2314320170910 23144 23145 Safety: restore sanity checks for dynamically-specified 23146 width and precision in format strings (%*, %.*, and %*.*). 23147 These checks were lost with the Postfix 3.2 rewrite of 23148 the vbuf_print formatter. File: vbuf_print.c. 23149 23150 Bugfix (introduced: postfix-alpha): improve the 'fatal: 23151 invalid option' message to show the optopt value instead of 23152 the getopt() result. Files: master/*server.c. 23153 2315420170923 23155 23156 Bugfix (introduced: Postfix 3.2): panic in the postqueue 23157 command after output write error while listing the queue. 23158 This change restores a write error check that was lost with 23159 the Postfix 3.2 rewrite of the vbuf_print formatter. 23160 Problem reported by Andreas Schulze. File: util/vbuf_print.c. 23161 2316220170924 23163 23164 Cleanup: terminate early after output write error. Files: 23165 showq/show_compat.c, showq/show_json.c. 23166 2316720171009 23168 23169 Bugfix (introduced: Postfix 3.1): DANE support. Postfix 23170 builds with OpenSSL 1.0.0 or 1.0.1 failed to send email to 23171 some sites with "TLSA 2 X X" records associated with an 23172 intermediate CA certificate. Problem report and initial 23173 fix by Erwan Legrand. File: src/tls/tls_dane.c. 23174 2317520171024 23176 23177 Bugfix (introduced: Postfix 3.0) missing dynamicmaps support 23178 in the Postfix sendmail command broke authorized_submit_users 23179 with a dynamically-loaded map type. File: sendmail/sendmail.c. 23180 2318120171116 23182 23183 Bugfix (introduced: Postfix 2.1): don't log warnings 23184 that some restriction returns OK, when the access map 23185 DISCARD feature is in effect. File: smtpd/smtpd_check.c. 23186 2318720171209 23188 23189 Documentation: the effects of owner_request_special and 23190 reset_owner_alias on alias expansion. Files: proto/aliases, 23191 proto/postconf.proto. 23192 2319320171215 23194 23195 Bugfix (introduced: 20170611): the DB_CONFIG bugfix broke 23196 Berkeley DB configurations with a relative pathname. File: 23197 util/dict_db.c. 23198 2319920171218 23200 23201 Workaround: reportedly, some res_query(3) implementation 23202 can return -1 with h_errno==0. Instead of terminating with 23203 a panic, the Postfix DNS client now logs a warning and sets 23204 h_errno to TRY_AGAIN. File: dns/dns_lookup.c. 23205 23206 Cleanup: allow XCLIENT before STARTTLS, when TLS is required. 23207 File: smtpd/smtpd.c. 23208 2320920171219 23210 23211 Feature: preliminary support to run Postfix in the foreground. 23212 This requires that multi-instance support is disabled. 23213 Files: conf/postfix-script, postfix/postfix.c. 23214 2321520171223 23216 23217 Feature: Milters can now send RET and ENVID arguments in 23218 SMFIR_CHGFROM requests. Files: cleanup/Makefile.in, 23219 cleanup/cleanup.h, cleanup/cleanup_envelope.c, 23220 cleanup/cleanup_milter.c, cleanup/cleanup_milter.in13h, 23221 cleanup/cleanup_milter.in13i, cleanup/cleanup_milter.ref13c, 23222 cleanup/cleanup_milter.ref13d, cleanup/cleanup_milter.ref13f, 23223 cleanup/cleanup_milter.ref13g, cleanup/cleanup_milter.ref13h, 23224 cleanup/cleanup_milter.ref13i, cleanup/cleanup_state.c, 23225 cleanup/test-queue-file13h, cleanup/test-queue-file13i, 23226 oqmgr/qmgr_message.c, qmgr/qmgr_message.c. 23227 2322820171226 23229 23230 Documentation patches by Sven Neuhaus. Files: 23231 proto/FORWARD_SECRECY_README.html, proto/MILTER_README.html, 23232 proto/SMTPD_ACCESS_README.html. 23233 2323420171227 23235 23236 Feature: postgresql:// URI support by Magosányi Árpád. 23237 Files: global/dict_pgsql.c, proto/pgsql_table. 23238 23239 Cleanup: added employer attributions for non-trivial changes 23240 after Wietse changed employers. 23241 2324220180106 23243 23244 Compatibility: with compatibility_level < 1, the SMTP server 23245 now warns for mail that would be blocked by the Postfix 23246 2.10 smtpd_relay_restrictions feature. This extends the 23247 safety net for sites that upgrade from earlier Postfix 23248 versions (questions on the postfix-users list show a steady 23249 trickle). Files: proto/COMPATIBILITY_README.html, 23250 global/mail_params[hc], smtpd/smtpd_check.c. 23251 23252 Cleanup: reset compatibility_level warnings after 'postfix 23253 reload'. This is relevant primarily for the master daemon. 23254 File: global/mail_params.c. 23255 23256 Cleanup: missing mailbox seek-to-end error check in the 23257 local(8) delivery agent. File: local/mailbox.c. 23258 23259 Cleanup: incorrect mailbox seek-to-end error message in the 23260 virtual(8) delivery agent. File: virtual/mailbox.c. 23261 2326220180107 23263 23264 Cleanup: Postfix-generated From: headers with 'full name' 23265 information are now formatted as "From: name <address>" by 23266 default. Specify "header_from_format = obsolete" for the 23267 earlier form "From: address (name)". Files: proto/postconf.proto, 23268 cleanup/cleanup.h, cleanup_init.c, cleanup_message.c, 23269 mail_params.h. 23270 2327120180113 23272 23273 Bugfix: "postconf -M" commands did not warn about unused 23274 name=value settings in master.cf. File: postconf/postconf.c. 23275 23276 Bugfix: "postconf -xM" now expands $process_name using the 23277 daemon file name in master.cf, instead of the "postconf" 23278 command process name. Files: postconf/postconf.h, 23279 postconf/postconf_lookup.c, postconf/postconf_master.c. 23280 23281 Feature: read-only service_name parameter that contains the 23282 master.cf service name. This allows, for example, setting 23283 the syslog_name with "-o syslog_name=postfix/$service_name" 23284 for the "submission" and "smtps" services. Files: 23285 proto/postconf.proto global/mail_params.h, global/mail_params.c, 23286 master/single_server.c, master/multi_server.c, 23287 master/trigger_server.c, master/event_server.c, 23288 postconf/postconf_master.c, postconf/postconf_builtin.c, 23289 and daemon manpages. 23290 2329120180114 23292 23293 Paranoia: censor the postqueue process name, similar to the 23294 set-gid postdrop program. File: postqueue/postqueue.c. 23295 23296 Cleanup: the new "service_name" parameter is applicable 23297 only to Postfix daemons configured in master.cf; hyperlink 23298 the parameter name in documentation. Files: proto/postconf.proto, 23299 mantools/postlink, daemon manpages. 23300 23301 Cleanup: allow whitespace between $[{(], parameter name, 23302 and [:?)}]. This allows making complex expressions more 23303 readable with line breaks. File: util/mac_expand.c. 23304 23305 Cleanup: don't initialize the service_name parameter with 23306 the process_name value. Files: postconf/postconf.[hc], 23307 postconf/postconf_builtin.c. 23308 2330920180121 23310 23311 Bugfix (introduced: 20180106): too many arguments for format 23312 string. File: local/mailbox.c. 23313 2331420180128 23315 23316 Documentation: the tcp_table(5) manpage now documents the 23317 absence of substring lookups. File: proto/tcp_table. 23318 2331920180203 23320 23321 Licence: in addition to the historical IBM Public License 23322 1.0, this software is now also distributed with the more 23323 recent Eclipse Public License 2.0. Recipients can choose 23324 to take the software under the license of their choice. 23325 Those who are more comfortable with the IPL can continue 23326 with that license. File: LICENSE. 23327 2332820180217 23329 23330 Cleanup: added 22 missing *_maps parameters to the default 23331 proxy_read_maps setting. Files: global/mail_params.h, 23332 mantools/missing-proxy-read-maps. 23333 2333420180218 23335 23336 Cleanup: back-ported the missing-proxy-read-maps script to 23337 older Postfix releases, and added error checks. Undid some 23338 of the 20180217 changes in mail_params.h that are no longer 23339 needed. 23340 23341 Bugfix (introduced: 20120117): postconf should scan only 23342 built-in or service-defined parameters for ldap, *sql, etc. 23343 database names. Problem reported by Christian Rößner. Files: 23344 postconf/postconf_user.c. 23345 2334620180224 23347 23348 Workaround: postconf build did not abort if the m4 command 23349 is not installed (on a system that does have the make command, 23350 the awk command, the perl command, and the C compiler?!). 23351 File: postconf/extract_cfg.sh. 23352 2335320180303 23354 23355 Portability: slight differences between MySQL and MariaDB. 23356 Olli Hauer. File: global/dict_mysql.c. 23357 2335820180306 23359 23360 Bugfix (introduced: 19990302): when luser_relay specifies 23361 a non-existent local address, the luser_relay feature becomes 23362 a black hole. Reported by Jørgen Thomsen. File: local/unknown.c. 23363 23364 Portability: FreeBSD 11 is supported. Files: makedefs, 23365 util/sys_defs.h. 23366 2336720180403 23368 23369 Containers: "postfix start-fg" will now attempt to run the 23370 master daemon as PID 1, and "postfix stop" will use a 23371 stronger signal if the master does not stop. Files: 23372 conf/postfix-script, master/master.c, master/master_sig.c, 23373 postfix/postfix.c. 23374 2337520180404 23376 23377 Containers: "postfix start-fg" running as PID=1 will now 23378 properly terminate after "postfix stop". With assistance 23379 from Andreas Schulze and Eray Aslan. Files: master/master.c, 23380 master/master.h, master/master_sig.c. 23381 2338220180421 23383 23384 Documentation: in the protocol description mention early 23385 on that a policy server must not close the connection unless 23386 there is an error. File: proto/SMTPD_POLICY_README.html. 23387 2338820180422 23389 23390 Undocumented: when running in PID=1 mode on Linux, a signal 23391 won't be delivered unless the process specifies a handler. 23392 Conveniently, _exit() can be used directly as a signal 23393 handler. This changes the wait status that a parent would 23394 see, but in the case of PID=1 mode on Linux, no-one would 23395 care. Viktor Dukhovni. File: util/killme_after.c. 23396 23397 Bugfix (introduced: Postfix 2.8): missing tls_server_start() 23398 error propagation in tlsproxy(8) resulting in segfault after 23399 TLS handshake error. Found during code maintenance. File: 23400 tlsproxy/tlsproxy.c. 23401 23402 Connection reuse for TLS-encrypted SMTP sessions. This is 23403 work-in-progress, #ifdef USE_TLSPROXY, to avoid contamination 23404 of existing code. 23405 23406 The idea is to have smtp(8) talk plaintext while tlsproxy(8) 23407 converts between local plaintext and remote ciphertext. 23408 Then, smtp(8) can save plaintext connections to the cache, 23409 and scache(8) holds the handles to the tlsproxy(8) processes. 23410 23411 This preliminary implementation does not yet support proxying 23412 of DANE attributes from smtp(8) to tlsproxy(8). tlsproxy(8) 23413 does not have permissions to read private key files that 23414 smtp(8) can read. And the name of a connection cache entry 23415 does not yet depend on whether the cached connection uses 23416 TLS, nor does it depend on DANE information. 23417 23418 Files: global/mail_proto.h, postscreen/postscreen_starttls.c, 23419 posttls-finger/posttls-finger.c, smtp/smtp.c, smtp/smtp.h, 23420 smtp/smtp_params.c, smtp/smtp_proto.c, smtp/smtp_session.c, 23421 smtpd/smtpd.c, tls/tls.h, tls/tls_client.c, tls/tls_proxy.h, 23422 tls/tls_proxy_client_init_print.c, 23423 tls/tls_proxy_client_init_scan.c, 23424 tls/tls_proxy_client_start_print.c, 23425 tls/tls_proxy_client_start_scan.c, tls/tls_proxy_clnt.c, 23426 tls/tls_proxy_context_print.c, tls/tls_proxy_context_scan.c, 23427 tls/tls_proxy_server_init_print.c, 23428 tls/tls_proxy_server_init_scan.c, 23429 tls/tls_proxy_server_start_print.c, 23430 tls/tls_proxy_server_start_scan.c, tlsproxy/tlsproxy.c, 23431 tlsproxy/tlsproxy.h, tlsproxy/tlsproxy_state.c, util/argv_attr.h, 23432 util/argv_attr_print.c, util/argv_attr_scan.c. 23433 2343420180425 23435 23436 Cleanup: dnsblog proccesses now retire voluntarily after 23437 max_use*max_idle seconds. Files: master/mail_server.h, 23438 master/single_server.c, dnsblog/dnsblog.c. 23439 2344020180429 23441 23442 Documentation: smtpd_relay_restrictions was incorrectly 23443 listed before smtpd_recipient_restrictions. File: 23444 proto/SMTPD_ACCESS_README.html. 23445 2344620180509 23447 23448 Bugfix (introduced: 20170617): postconf(1) command segfault 23449 if unable to open a Postfix database configuration file due 23450 to a file permission error. Report by Andreas Hasenack, fix 23451 by Viktor Dukhovni. File: postconf/postconf_dbms.c. 23452 2345320180519 23454 23455 Documentation: updated descriptions of PID 1 mode in manpages 23456 and source-code comments. Files: postfix/postfix.c, 23457 master/master.c, master/master_sig.c, util/killme_after.c. 23458 23459 Documentation: document non-iterative lookup behavior 23460 in postmap(1) and postalias(1) manpages. Files: postmap/postmap.c, 23461 postalias/postalias.c. 23462 23463 Cleanup: the init-mode change should not forbid the combined 23464 use of -D, -d and -w. File: master/master.c. 23465 2346620180520 23467 23468 Documentation: add backscatter remediation to the virtual(5) 23469 and canonical(5) manpages. Files: proto/virtual, proto/canonical. 23470 23471 Bugfix (introduced: 20180425): broken implementation of 23472 voluntary dnsblog retirement after max_use*max_idle seconds. 23473 File: master/single_server.c. 23474 2347520180531 23476 23477 Documentation: bash syntax to eliminate or view default 23478 settings in "postconf -n" output. File: postconf/postconf.c. 23479 Contributed by various postfix-users list members. 23480 2348120180603 23482 23483 TLS reuse: serializer/deserializer support for TLS_DANE and 23484 related data structures. Files: tls/tls_proxy_client_print.c, 23485 tls/tls_proxy_client_scan.c, tls/tls_proxy.h, util/argv_attr.h, 23486 util/argv_attr_print.c, util/argv_attr_scan.c. 23487 23488 TLS reuse: posttls-finger -X test flag for quick tests. 23489 File: posttls-finger/posttls-finger.c. 23490 23491 TLS reuse: smtp_use_tlsproxy boolean parameter. This is a 23492 preliminary implementation that should support override via 23493 smtp_tls_policy_maps. Files: smtp.c, smtp_connect.c, 23494 smtp_params.c, smtp_proto.c, smtp_session.c. 23495 23496 TLS reuse: the SMTP client now includes the requested TLS 23497 security level in the scache(8) key. 23498 23499 TLS reuse: address-based reuse is allowed only for TLS 23500 levels that require no certificate checks. Perhaps it still 23501 makes sense to save such sessions for reuse by less sensitive 23502 deliveries. Files: smtp/smtp.h smtp/smtp_reuse.c. 23503 2350420180604 23505 23506 TLS reuse: smtp_tls_connection_reuse boolean parameter, and 23507 corresponding override with "connection_reuse" boolean 23508 attribute in smtp_policy_maps. Files: global/mail_params.h, 23509 smtp.c, smtp.h, smtp_params.c, smtp_proto.c, smtp_session.c, 23510 smtp_tls_policy.c. proto/postconf.proto. mantools/postlink. 23511 2351220180605 23513 23514 TLS reuse: updated TLS_README and CONNECTION_CACHE_README, 23515 added comments in tlsproxy.c to explain why it works. 23516 2351720180617 23518 23519 Bugfix (introduced: Postfix 2.11): minor memory leak when 23520 minting issuer certs. This affects a tiny minority of use 23521 cases. Fix by Viktor Dukhovni, based on a fix by Juan 23522 Altmayer Pizzorno for Viktor's ssl_dane library. 23523 23524 Cleanup: support for longer timeouts after the TLS handshake, 23525 so that the tlsproxy server won't time out too soon, while 23526 the SMTP client waits for the end-of-data response. This 23527 tlxproxy timeout is a redundant safety feature for the case 23528 that the SMTP client does not enforce the SMTP-level time 23529 limit. Files: tls/tls_proxy.h, tls/tls_proxy_clnt.c, 23530 tlsproxy/tlsproxy.c, posttls-finger/posttls-finger.c, 23531 postcreen/postscreen_starttls.c, smtp/smtp_proto.c. 23532 23533 Cleanup: earlier purging of unexpected plaintext. Files: 23534 posttls-finger/posttls-finger.c, smtp/smtp_proto.c. 23535 23536 Release: first production snapshot with multiple outbound 23537 deliveries per TLS-encrypted connection. 23538 2353920180618 23540 23541 Quick tlsproxy workaround: after the remote TLS peer shuts 23542 down TLS, allow unsent inbound plaintext to trickle out 23543 before tearing down the proxied connection. This addresses 23544 a sporadic "lost connection after end-of-data" error in the 23545 Postfix SMTP client, and addresses a sporadic "lost connection 23546 after sending QUIT" error with "posttls-finger -X". File: 23547 tlsproxy/tlsproxy.c. 23548 2354920180619 23550 23551 Segfault: don't lookup the TLS security level for nexthop-based 23552 connection cache storage keys. The combination of (service, 23553 nexthop, etc.) should be stable enough over the time range 23554 of interest, and the policy is still enforced on an individual 23555 connection to an MX host, before that connection is stored 23556 under a nexthop- or host-based storage key. Files: 23557 smtp/smtp_connect.c, smtp/smtp.h. 23558 2355920180620 23560 23561 TLS connection reuse: save and restore the TLS level for a 23562 reused connection, so that the reused connection will be 23563 saved under a key that matches the connection's original 23564 TLS level. This was not a problem for destinations that 23565 require certificate verification, because we currently reuse 23566 connections that require certificate checks only if they 23567 are looked up by their nexthop destination. File: 23568 smtp/smtp_session.c. 23569 23570 TLS connection reuse: with TLS level > encrypt, prohibit 23571 sharing of the same connection endpoint under different 23572 nexthops, by making the nexthop part of the endpoint-based 23573 connection cache lookup key. File: smtp/smtp.h. 23574 2357520180623 23576 23577 TLS connection reuse: replaced random logic with TLS_MUST_MATCH() 23578 when deciding under what conditions an authenticated 23579 connection may be reused. Files: smtp/smtp_proto.c, 23580 smtp/smtp.h. 23581 23582 TLS connection reuse: a tlsproxy(8) process will retire 23583 after max_idle*max_use, or some sane constant if either is 23584 set to zero. Files: master/event_server.c, tlsproxy/tlsproxy.c. 23585 23586 Documentation: automatic retirement. File: master/single_server.c. 23587 23588 Documentation: the connection caching limitation for SMTP 23589 over TLS is now obsolete. File: proto/CONNECTION_CACHE_README.html. 23590 2359120180701 23592 23593 Incompatibility: the tlsproxy(8) daemon now requires a zero 23594 process limit in master.cf (this setting is provided with 23595 the default master.cf file). See RELEASE_NOTES for how to 23596 change the tlsproxy process limit. File: tlsproxy/tlsproxy.c. 23597 2359820180707 23599 23600 Bugfix (introduced: Postfix 3.0): with smtputf8_enable=yes, 23601 table lookups could casefold the search string when searching 23602 a lookup table that does not use fixed-string keys (regexp, 23603 pcre, tcp, etc.). Historically, Postfix would not case-fold 23604 the search string with such tables. File: util/dict_utf8.c. 23605 23606 Cleanup: removed unimplemented VSTRING support to enforce 23607 a buffer size limit (by returning an error of sorts). In 23608 practice, the limit was enforced in smtp_get(). Also made 23609 the VSTRING inplementation more VSTREAM-compatible. Files: 23610 util/vstring.[hc], posttls-finger/posttls-finger.c, 23611 smtpstone/smtp-source.c. 23612 23613 Cleanup: unused variable. File: postqueue/postqueue.c. 23614 23615 Feature: VSTREAM support to "open" a VSTRING for read, write 23616 or append mode, enabling the reuse of existing stream-based 23617 code to serialize/deserialize Postfix data structures to/from 23618 memory. File: vstream.[hc]. 23619 23620 Cleanup: "make manpages" now generates a makedefs(1) manpage 23621 for publication on the web. Also cleaned up some makedefs(1) 23622 content. Files: man/Makefile.in, man/man1/makedefs.1, 23623 html/Makefile.in, html/makedefs.1.html. 23624 2362520180708 23626 23627 Cleanup: VSTREAM support to "open" a VSTRING: added 23628 vstream_ftell() support; documented what changes are needed 23629 before this can support vstream_fseek(), without breaking a 23630 VSTRING during vstream_fflush(); added a simple 'allow' 23631 filter for vstream_control() requests; added a unit test. 23632 File: util/vstream.c. 23633 2363420180812 23635 23636 Feature: smtpd_reject_footer_maps (as well as the postscreen 23637 variant postscreen_reject_footer_maps). This is indexed 23638 with the SMTP server response text, and overrides the footer 23639 specified with smtpd_reject_footer. Files: global/mail_params.h, 23640 mantools/postlink, postscreen/postscreen.c, 23641 postscreen/postscreen_send.c, postscreen/postscreen_smtpd.c, 23642 proto/postconf.proto, smtpd/smtpd.c, smtpd/smtpd_chat.c. 23643 23644 Minor wordsmithing. File: makedefs. 23645 2364620180823 23647 23648 Bugfix (introduced: 20180812): postscreen_send.c did not 23649 build without warnings. Viktor Dukhovni. 23650 2365120180824 23652 23653 Cleanup: with SMTPUTF8 turned off, the MySQL and PgSQL maps 23654 accept only well-formed UTF-8 queries, and return NOT FOUND 23655 otherwise. This was in introduced in Postfix 3.0 for LDAP 23656 and SQLite, with no complaints coming forth. Files: 23657 global/dict_mysql.c, global/dict_pgsql.c. 23658 2365920180805-20180825 Chunking support 23660 23661 Cleanup: vbuf_get() now sets the EOF flag, so that reading 23662 from a VSTRING stream works as expected. File: util/vbuf.c. 23663 23664 Cleanup: added an append-mode flag to functions that read 23665 a VSTRING from a stream. The historical APIs are preserved 23666 in the form of aliases. Files: util/vstring_vstream.[hc], 23667 global/smtp_stream.[hc]. 23668 23669 SMTP server support for CHUNKING (BDAT) per RFC 3030. The 23670 SMTP server is the only program that knows the difference 23671 between mail received with BDAT or DATA. Both use the same 23672 smtpd_data_restrictions and smtpd_end_of_data_restrictions, 23673 both send one Milter DATA event per mail transaction, and 23674 both send one DATA command ending in <CR><LF>.<CR><LF> 23675 to an smtpd_proxy_filter. Files: global/ehlo_mask.h, 23676 global/smtp_stream.c, global/smtp_stream.c, global/smtp_stream.h, 23677 postscreen/postscreen_smtpd.c, smtpd/smtpd.c, smtpd/smtpd.h, 23678 smtpd/smtpd_chat.c, smtpd/smtpd_chat.h, smtpd/smtpd_state.c. 23679 23680 Cleanup: the postscreen(8) daemon now hangs up after receiving 23681 the DATA command. Justification: it should never receive DATA 23682 from a legitimate client, because 1) postscreen(8) rejects all 23683 recipients, and 2) postscreen(8) does not announce PIPELINING. 23684 This makes postscreen(8) DATA and BDAT behavior more 23685 consistent. File: postscreen/postscreen_smtpd.c. 23686 23687 BDAT final touches: report accurate BDAT byte counts after 23688 timeout or lost connection; send DATA instead of BDAT in 23689 policy delegation protocol. Files: smtpd/smtpd.[hc], 23690 smtpd/smtpd_check.c. 23691 23692 BDAT final touches: if the BDAT EHLO announcement is disabled, 23693 then smtpd(8) and postscreen(8) will not accept BDAT commands. 23694 Files: smtpd/smtpd.c, postscreen/postscreen_smtpd.c. 23695 2369620180826 23697 23698 Cleanup: with GSSAPI, the Postfix SMTP client's initial 23699 SASL response may be as large as 12288 bytes. When the "AUTH 23700 <method> <initial-response>" command would exceed the SMTP 23701 command length of 512 bytes, send the initial response 23702 during the SASL dialog. Viktor Dukhovni. File: 23703 smtp/smtp_sasl_glue.c. 23704 23705 Cleanup: prepare the Postfix SMTP server needs to receive 23706 SASL responses that exceed the line_length_limit value. 23707 This introduces a new parameter smtpd_sasl_response_limit 23708 (default: 12288). Viktor Dukhovni. Files: mantools/postlink, 23709 proto/postconf.proto, global/mail_params.h, smtpd/smtpd.c, 23710 smtpd/smtpd_chat.c, smtpd/smtpd_chat.h, smtpd/smtpd_sasl_glue.c. 23711 2371220180827 23713 23714 Miscellaneous documentation updates, and a correction in 23715 the byte count for sending a large SASL initial response. 23716 2371720181014 23718 23719 Cleanup: figured out why vstring_get() did not return 23720 VSTREAM_EOF in APPEND mode. File: util/vstring_vstream.c. 23721 2372220180903 23723 23724 Bugfix (introduced: 20180825): postscreen falsely claimed 23725 that the remote SMTP client was pipelining after sending 23726 BDAT. Found by Ralf Hildebrandt. File: 23727 postscreen/postscreen_smtpd.c. 23728 2372920180904 23730 23731 Bugfix (introduced: 20180812): parameter name error 23732 (postscreen_reject_footer should have been 23733 postscreen_reject_footer_maps). Noel Jones (finder) and 23734 Viktor Dukhovni (fixer). 23735 2373620181104 23737 23738 Multiple 'bit rot' fixes for OpenSSL API changes, including 23739 support to disable TLSv1.3, to avoid issuing multiple session 23740 tickets, and to allow OpenSSL >= 1.1.0 run-time micro version 23741 bumps without complaining about library version mismatches. 23742 Viktor Dukhovni. Files: proto/postconf.proto, 23743 proto/TLS_README.html, tls/tls.h, tls/tls_dane.c, 23744 tls/tls_server.c, tls/tls_misc.c 23745 2374620181105 23747 23748 Feature: "postmap -F" reads a source file with (key, filename) 23749 entries, and creates database records with (key, base64-encoded 23750 filecontent). This feature will be used for SNI lookup 23751 table support, where each key will be a domainname, and 23752 each value will contain a sequence of (private key, certificate 23753 hierarchy) for that domainname. The same 'value is filename' 23754 behavior is implemented in cidr:, inline:, pcre:, randmap:, 23755 regexp:, and static: maps if the application sets the flag 23756 DICT_FLAG_RHS_IS_FILE. In the forseeable future, this will 23757 be used for specific TLS features. Files: postmap/postmap.c, 23758 util/dict.c, util/dict.h, util/dict_cidr.c, util/dict_file.c, 23759 util/dict_inline.c, util/dict_pcre.c, util/dict_random.c, 23760 util/dict_regexp.c, util/dict_static.c. 23761 2376220181106 23763 23764 Bugfix (introduced: 3.0): smtpd_discard_ehlo_keywords could 23765 not disable "SMTPUTF8". because the lookup table was using 23766 "EHLO_MASK_SMTPUTF8" instead. File: global/ehlo_mask.c. 23767 23768 Documentation: the postmap(1) manpage no longer refers to 23769 compatibility with Sendmail's makemap command. File: 23770 postmap/postmap.c. 23771 23772 Cleanup: don't use ssize_t for boolean result. File: 23773 global/smtp_stream.c. 23774 23775 Cleanup: memory leak caused by missing dbenv->close() call 23776 after failing to open a Berkeley DB table. File: util/dict_db.c. 23777 2377820181112 23779 23780 Improved logging of TLS 1.3 summary information, and improved 23781 reporting of the same info in Received: message headers. 23782 Viktor Dukhovni. Files: proto/FORWARD_SECRECY_README.html, 23783 smtpd/smtpd.c, tls/tls.h, tls/tls_client.c, tls/tls_misc.c, 23784 tls/tls_proxy.h, tls/tls_proxy_context_print.c, 23785 tls/tls_proxy_context_scan.c, tls/tls_server.c. 23786 2378720181116 23788 23789 Library function to log TLS 1.3 summary information, and 23790 some wordsmithing of TLS context member names. Viktor 23791 Dukhovni. Files: tls/tls.h, tls/tls_misc.c, tls/tls_proxy.h, 23792 tls/tls_proxy_context_print.c, tls/tls_proxy_context_scan.c, 23793 tls/tls_client.c, tls/tls_server.c, smtpd/smtpd.c, 23794 posttls-finger/posttls-finger.c. 23795 23796 Cleanup: vstream_memopen() flags handling. File: 23797 util/vstream.c. 23798 23799 Cleanup: the SMTP client now uses 'attr_print_plain' 23800 serialization and 'attr_scan_plain' deserialization for 23801 connection cache lookup keys, which now contain a serialized 23802 version of the TLS context. File: smtp/smtp_session.c. 23803 2380420181117 23805 23806 The Postfix SMTP client now logs whether an SMTP-over-TLS 23807 connection is newly established ("TLS connection established") 23808 or whether the connection is reused ("TLS connection reused"). 23809 Files: smtp/smtp.h, smtp/smtp_proto.c, smtp/smtp_session.c. 23810 23811 (20181117-nonprod) Unified summary logging in the SMTP 23812 client, SMTP server, and posttls-finger. Viktor Dukhovni. 23813 Files: tls/tls.h, tls/tls_misc.c, tls/tls_proxy.h, 23814 tls/tls_proxy_context_print.c, tls/tls_proxy_context_scan.c, 23815 tls/tls_client.c, src/tls/tls_server.c, smtpd/smtpd.c, 23816 posttls-finger/posttls-finger.c. 23817 23818 (20181117-nonprod) Improved logging of TLS 1.3 summary 23819 information. On the server side this also affects the TLS 23820 information optionally recorded in "Received" headers. 23821 Viktor Dukhovni. Files: smtpd/smtpd.c, tls/tls.h, 23822 tls/tls_client.c, tls/tls_misc.c, tls/tls_proxy.h, 23823 tls/tls_proxy_context_print.c, tls/tls_proxy_context_scan.c, 23824 tls/tls_server.c. 23825 23826 (20181117-nonprod) FORWARD_SECRECY examples with TLS 1.3 23827 logging. Viktor Dukhovni. File: proto/FORWARD_SECRECY_README.html. 23828 2382920181118 23830 23831 Cleanup, no behavior change: updated comments concerning 23832 connection reuse, and updated some identifiers to reflect 23833 current reality. Files: smtp_reuse.c, smtp_key.c, smtp_proto.c, 23834 smtp_tls_policy.c, smtp.h, smtp_connect.c. 23835 2383620181119 23837 23838 Bitrot: makedefs will use "pkg-config" to locate ICU build 23839 information, falling back to "icu-config" if "pkg-config" 23840 is not found. File: makedefs. 23841 2384220181122 23843 23844 Cleanup: tlsproxy loads the same TLS client configuration 23845 at pre-jail time as the Postfix SMTP client, so that secret 23846 keys can remain read-only for root. This is sufficient for 23847 MTAs that have a fixed TLS client identity. tlsproxy will 23848 log a warning if it is requested to assume a different TLS 23849 client identity, and will log suggestions for a workaround. 23850 The long-term solution is to stop loading certs/keys from 23851 files, and to use the same approach as planned for server-side 23852 SNI support: open a cert/key map at pre-jail time, and read 23853 cert/key information on-the-fly at post-jail time. Files: 23854 proto/postconf.proto, mantools/postlink, global/mail_params.h, 23855 tlsproxy/tlsproxy.c. 23856 2385720181123 23858 23859 Cleanup: tlsproxy now logs better instructions when a 23860 tls_client_init request specifies an unexpected client 23861 identity, and the test for that condition is now moved to 23862 the right place. File: tlsproxy/tlsproxy.c. 23863 2386420181124 23865 23866 Documentation: clarified the behavior of whitespace within 23867 "{}". Files: proto/DATABASE_README.html, proto/postconf.proto, 23868 pipe/pipe.c, postconf/postconf.c, 23869 2387020181125 23871 23872 Cleanup: dict_file_to_xxx() takes a list of file names 23873 separated by CHARS_COMMA_SP. Shoe-horned into the existing 23874 API, make it nicer when there is time. File: util/dict_file.c. 23875 2387620181127 23877 23878 Cleanup: encapsulated clumsy 'read into VSTRING' code with 23879 easier-to-use vstream_fread_buf() and vstream_fread_app() 23880 primitives. Files: global/memcache_proto.c, global/record.c, 23881 global/smtp_stream.c, global/smtp_stream.h, global/uxtext.c, 23882 global/xtext.c, milter/milter8.c, util/dict_file.c, 23883 util/hex_quote.c, util/netstring.c, util/vstream.c, 23884 util/vstream.h. Verified with "make tests". 23885 23886 Cleanup: simplified the smtp_fread() API (introduced for 23887 BDAT support), and changed the name to smtp_fread_buf(). 23888 Files: global/smtp_stream.c, smtpd/smtpd.c. Verified with 23889 ~megabyte BDAT commands. 23890 23891 Cleanup: simplified a tlsproxy-internal API. File: 23892 tlsproxy/tlsproxy.c. 23893 2389420181128 23895 23896 Initial support for key/certificate chain files that will 23897 replace the proliferation of separate parameters for 23898 RSA/DSA/ECC/etc. key and certificate files. Viktor 23899 Dukhovni. 23900 2390120181201 23902 23903 Cleanup: replaced the remaining unsafe VSTRING_AT_OFFSET() 23904 calls with safe vstring_set_payload_size() calls, in code 23905 that directly writes into VSTRING. Files: tls/tls_session.c, 23906 tlsmgr/tlsmgr.c, util/casefold.c, util/vstring.c, util/vstring.h, 23907 xsasl/xsasl_cyrus_client.c. 23908 23909 Cleanup: postscreen_command_time_limit did not need to be 23910 a 'raw' parameter. This makes "postconf -x" behavior more 23911 consistent. Files: global/mail_params.h, postscreen/postscreen.c. 23912 23913 Documentation: added text that the following parameter 23914 values are not subject to Postfix parameter $name expansion: 23915 default_rbl_reply, command_execution_directory, luser_relay, 23916 smtpd_reject_footer. These have their own documented $name 23917 substitution mechanism. File: proto/postconf.proto. 23918 2391920181202 23920 23921 Bugfix: posttls-finger reported an error for UNIX-domain 23922 connections, even if they did not fail. Found by Coverity. 23923 File: posttls-finger/posttls-finger.c. 23924 2392520181208 23926 23927 Documentation: add even more redundancy to the rate-delay 23928 description. File: proto/postconf.proto. 23929 2393020181210 23931 23932 Cleanup: code deduplication. File: util/dict_file.c. 23933 2393420181226 23935 23936 Cleanup: code deduplication and better encapsulation with 23937 PSC_DEL_CLIENT_STATE() and PSC_DEL_SERVER_STATE() macros. 23938 Files: postscreen/postscreen.h, postscreen/postscreen_state.c. 23939 23940 Documentation: POSTSCREEN_README did not describe the 23941 postscreen_post_queue_limit, and attributed the wrong reject 23942 message to the postscreen_pre_queue_limit. Problem reported 23943 by Michael Orlitzky. File: proto/POSTSCREEN_README.html. 23944 23945 (20181226-nonprod) Compatibility: removed support for OpenSSL 23946 1.0.1 (not supported since December 31, 2016) and earlier 23947 releases. This eliminated a large number of #ifdefs with 23948 bitrot workarounds. Viktor Dukhovni. Files: global/mail_params.h, 23949 posttls-finger/posttls-finger.c, tls/tls.h, tls/tls_certkey.c, 23950 tls/tls_client.c, tls/tls_dane.c, tls/tls_dh.c, tls/tls_misc.c, 23951 tls/tls_proxy_client_scan.c, tls/tls_rsa.c, tls/tls_server.c, 23952 tls/tls_session.c. 23953 23954 (20181226-nonprod) Use the OpenSSL 1.0.2 and later API for 23955 setting ECDHE curves. Viktor Dukhovni. Files: tls/tls.h, 23956 tls/tls_client.c, tls/tls_dh.c. 23957 23958 (20181226-nonprod) Documentation update for TLS support. 23959 Viktor Dukhovni. Files: mantools/postlink, proto/TLS_README.html, 23960 proto/postconf.proto, src/sendmail/sendmail.c, src/smtpd/smtpd.c. 23961 2396220181229 23963 23964 Explicit maps_file_find() and dict_file_lookup() methods 23965 that decode base64 content. Decoding content is not built 23966 into the dict->lookup() method, because that would complicate 23967 the implementation of map nesting (inline, thash), map 23968 composition (pipemap, unionmap), and map proxying. For 23969 consistency, decoding base64 file content is also not built 23970 into the maps_find() method. Files: util/dict.h. 23971 util/dict_file.c, global/maps.[hc], postmap/postmap.c. 23972 2397320190106 23974 23975 Documentation: documented the SRC_RHS_IS_FILE flag in 23976 dict_open.c, and updated the -F description in the postmap 23977 manpage. Files: util/dict_open.c, postmap/postmap.c. 23978 23979 (20190106-nonprod) Feature: support for files that combine 23980 multiple (key, certificate, trust chain) instances in one 23981 file, to avoid separate files for RSA, DSA, Elliptic Curve, 23982 and so on. Viktor Dukhovni. Files: .indent.pro, 23983 global/mail_params.h, posttls-finger/posttls-finger.c, 23984 smtp/lmtp_params.c, smtp/smtp.c, smtp/smtp_params.c, 23985 smtp/smtp_proto.c, smtpd/smtpd.c, tls/tls.h, tls/tls_certkey.c, 23986 tls/tls_client.c, tls/tls_proxy.h, tls/tls_proxy_client_print.c, 23987 tls/tls_proxy_client_scan.c, tls/tls_proxy_server_print.c, 23988 tls/tls_proxy_server_scan.c, tls/tls_server.c, tlsproxy/tlsproxy.c. 23989 23990 (20190106-nonprod) Create a second, no-key no-cert, SSL_CTX 23991 for use with SNI. Viktor Dukhovni. Files: src/tls/tls.h, 23992 src/tls/tls_client.c, src/tls/tls_misc.c, src/tls/tls_server.c. 23993 23994 (20190106-nonprod) Server-side SNI support. Viktor Dukhovni. 23995 Files: src/global/mail_params.h, src/smtp/smtp.c, 23996 src/smtpd/smtpd.c, src/tls/tls.h, src/tls/tls_certkey.c, 23997 src/tls/tls_misc.c, src/tlsproxy/tlsproxy.c, 23998 23999 (20190106-nonprod) Configurable client-side SNI signal. 24000 Viktor Dukhovni. Files: global/mail_params.h, 24001 posttls-finger/posttls-finger.c, smtp/lmtp_params.c, 24002 smtp/smtp.c, smtp/smtp.h, smtp/smtp_params.c, smtp/smtp_proto.c, 24003 smtp/smtp_tls_policy.c, tls/tls.h, tls/tls_client.c, 24004 tls/tls_proxy.h, tls/tls_proxy_client_print.c, 24005 tls/tls_proxy_client_scan.c. 24006 2400720190121 24008 24009 Logging: support for internal logging file, without using 24010 syslog (it uses the new postlogd daemon instead). This 24011 solves a usability problem for MacOS, may help getting 24012 around systemd, and solves 99% of the problem for logging 24013 to stdout in a container (hopefully we have 100% soon). 24014 Enable by setting, for example, "maillog_file = 24015 /var/log/postfix.log"). This works fine for daemons, and 24016 with some limitations for non-daemon programs. See 24017 RELEASE_NOTES for more details. Files: conf/master.cf, 24018 conf/post-install, conf/postfix-files, conf/postfix-script, 24019 mantools/postlink, proto/master, proto/postconf.proto, 24020 global/mail_params.c, global/mail_params.h, global/mail_proto.h, 24021 global/maillog_client.c, global/maillog_client.h, 24022 master/dgram_server.c, master/event_server.c, master/mail_server.h, 24023 master/master.c, master/master.h, master/master_ent.c, 24024 master/master_listen.c, master/master_proto.h, 24025 master/master_wakeup.c, master/multi_server.c, 24026 master/single_server.c, master/trigger_server.c, 24027 postalias/postalias.c, postconf/postconf_master.c, 24028 postdrop/postdrop.c, postfix/postfix.c, postkick/postkick.c, 24029 postlog/postlog.c, postlogd/postlogd.c, postmap/postmap.c, 24030 postmulti/postmulti.c, postqueue/postqueue.c, 24031 postsuper/postsuper.c, sendmail/sendmail.c, util/connect.h, 24032 util/listen.h, util/logwriter.c, util/logwriter.h, 24033 util/msg_logger.c, util/msg_logger.h, util/msg_output.c, 24034 util/msg_output.h, util/unix_dgram_connect.c, 24035 util/unix_dgram_listen.c. 24036 24037 Cleanup: cert/key/chain loading, plus unit tests to exercise 24038 non-error and error cases. Viktor Dukhovni. Files: tls/*.pem, 24039 tls*.pem.ref, tls/tls_certkey.c. 24040 2404120190126 24042 24043 Safety: Postfix programs will log to either syslog or postlog 24044 but not both; and postlogd forwards postlog logging to 24045 syslog, when a configuration change removes the maillog_file 24046 pathname, but some programs still use the old configuration. 24047 Files: util/msg_syslog.[hc], util/msg_logger.c, 24048 global/maillog_client.c, postlogd/postlogd.c, 24049 24050 Bugfix (introduced: Postfix 20110109, Postfix 2.10): watchdog 24051 pipe file descriptor leak. This pipe provides one source 24052 of liveness, data from this pipe is discarded, and therefore 24053 this does not enable privilege escalation or DOS. File: 24054 util/watchdog.c. 24055 24056 Feature: stdout logging support; requires "postfix start-fg" 24057 and "maillog_file = /dev/stdout". Files: master/master.c, 24058 conf/postfix-script. 24059 2406020190127 24061 24062 Safety: when maillog_file is specified, 'postfix check' now 24063 requires that the postlog service is enabled in master.cf. 24064 Otherwise 'postfix start' etc. will log a fatal error. File: 24065 conf/postfix-script. 24066 24067 Documentation: added policy_context example. File: 24068 proto/SMTPD_POLICY_README.html. 24069 2407020190128 24071 24072 Testing: run libtls tests under Valgrind. File tls/Makefile.in. 24073 2407420190129 24075 24076 Safety: require that $maillog_file matches one of the 24077 pathname prefixes specified in $maillog_file_prefixes. The 24078 maillog file is created by root, and the prefixes limit the 24079 damage from a single configuration error. Files: 24080 global/mail_params.[hc], global/maillog_client.c. 24081 2408220191201 24083 24084 Feature: "postfix logrotate" command with configurable 24085 compression program and datestamp filename suffix. File: 24086 conf/postfix-script. 24087 2408820190202 24089 24090 Cleanup: log a warning when the client sends a malformed 24091 SNI; log an info message when the client sends a valid SNI 24092 that does not match the SNI lookup tables; update the 24093 FORWARD_SECRECY_README logging examples. Viktor Dukhovni. 24094 Files: proto/FORWARD_SECRECY_README.html, tls/tls.h, 24095 tls/tls_client.c, tls/tls_misc.c. 24096 2409720190208 24098 24099 Debugging: the master(8) daemon now logs a warning if a 24100 master.cf entry is defined multiple times. File: 24101 src/master/master_conf.c. 24102 2410320190209 24104 24105 Debugging: tlsproxy(8) now logs more details about unexpected 24106 configuration differences between the Postfix SMTP client 24107 and the tlsproxy(8) daemon. 24108 2410920190210 24110 24111 Documentation: Postfix 3.4.0 RELEASE NOTES. 24112 24113 Documentation: added BDAT_README. 24114 24115 Documentation: global TLS settings. Files: mantools/postlink, 24116 smtp/smtp.c, tlsproxy/tlsproxy.c. 24117 2411820190211 24119 24120 Cleanup: removed obsolete parameters: tls_dane_digest_agility, 24121 tls_dane_trust_anchor_digest_enable; removed openssl_path 24122 parameter from configuration difference checks in tlsproxy. 24123 Files: global/mail_params.h, tls/tls_misc.c, 24124 tls/tls_proxy_client_misc.c, tls/tls_proxy_client_print.c, 24125 tls/tls_proxy_client_scan.c, tls/tls_proxy.h. 24126 2412720190212 24128 24129 Cleanup: missing #ifdef USE_TLS. Files: smtp/smtp_session.c, 24130 posttls-finger/posttls-finger.c. 24131 2413220190217 24133 24134 Cleanup: when the master daemon runs with PID=1 (init mode), 24135 reap orhpan processes from non-Postfix code running in the 24136 same container, instead of terminating with a panic. File: 24137 master/master_spawn.c. 24138 2413920190218 24140 24141 Bugfix: tlsproxy did not enable DANE-style PKI because 24142 libtls seems to have to accreted multiple init functions 24143 instead of reusing the tls_client_init() and tls_client_start() 24144 API. And some functions that do initialization don't even 24145 have init in their name! Problem report by Andreas Schulze. 24146 Viktor Dukhovni. Files: tls/tls_misc.c, tlsproxy/tlsproxy.c. 24147 24148 Workaround: Postfix libtls makes DANE-specific changes to 24149 the shared SSL_CTX. To avoid false sharing, tlsproxy needs 24150 to label the SSL_CTX cache with DANE bits until we can 24151 remove the code that modifies SSL_CTX. File: tlsproxy/tlsproxy.c. 24152 24153 Cleanup: Postfix libtls changed the shared SSL_CTX to 24154 override ciphers. instead of changing the SSL handle. To 24155 avoid false sharing in tlsproxy, the changes are now made 24156 to the SSL handle. Viktor Dukhovni. Files: tls/tls.h, 24157 tls/tls_client.c, tls/tls_misc.c, tls/tls_server.c. 24158 2415920190219 24160 24161 Bugfix: in the Postfix SMTP client, TLS wrappermode was not 24162 tested in tlsproxy mode. It needed some setup for buffering 24163 and timeouts. Problem report by Andreas Schulze. File: 24164 smtp/smtp_proto.c. 24165 2416620190226 24167 24168 Documentation: postconf(1) and DATABASE_README were out of 24169 sync. Added a note that this should be deduplicated. File: 24170 proto/DATABASE_README.html. 24171 2417220190227 24173 24174 Documentation: strict_smtputf8 in SMTPUTF8_README. 24175 2417620190304 24177 24178 Bugfix: a reversed test broke TLS configurations that specify 24179 the same filename for a private key and certificate. Reported 24180 by Mike Kazantsev. Fix by Viktor Dukhovni. Wietse fixed the 24181 test. Files: tls/tls_certkey.c, tls/Makefile.in. 24182 2418320190310 24184 24185 Bitrot: LINUX5s support, after some sanity checks with a 24186 rawhide prerelease version. Files: makedefs, util/sys_defs.h. 24187 24188 Bugfix (introduced: 20181226): broken DANE trust anchor 24189 file support, caused by left-over debris from the 20181226 24190 TLS library overhaul. By intrigeri. File: tls/tls_dane.c. 24191 24192 Bugfix (introduced: Postfix-1.0.1): null pointer read, while 24193 logging a warning after reading a corrupted bounce log file. 24194 File: global/bounce_log.c. 24195 24196 Bugfix (introduced: Postfix-2.9.0): null pointer read, while 24197 logging a warning after a postscreen_command_filter read 24198 error. File: postscreen/postscreen_smtpd.c. 24199 2420020190312 24201 24202 Bugfix (introduced: Postfix 2.2): reject_multi_recipient_bounce 24203 has been producing false rejects starting with the Postfix 24204 2.2 smtpd_end_of_data_restrictons, and for the same reasons, 24205 did the same with the Postfix 3.4 BDAT command. The latter 24206 was reported by Andreas Schulze. File: smtpd/smtpd_check.c. 24207 2420820190319 24209 24210 With message_size_limit=0 (which is NOT DOCUMENTED), BDAT 24211 chunks were always too large. Reported by Thorben Thuermer. 24212 fix by Viktor Dukhovni. File: src/smtpd/smtpd.c. 24213 2421420190328 24215 24216 Bugfix (introduced: Postfix 3.0): LMTP connections over 24217 UNIX-domain sockets were cached but not reused, due to a 24218 cache lookup key mismatch. Therefore, idle cached connections 24219 could exhaust LMTP server resources, resulting in two-second 24220 pauses between email deliveries. This problem was investigated 24221 by Juliana Rodrigueiro. File: smtp/smtp_connect.c. 24222 2422320190331 24224 24225 Documentation: tlsext_padding is not a tls_ssl_options 24226 feature. File: proto/postconf.proto. 24227 2422820190401 24229 24230 Portability: to avoid a compile-time error on Solaris, added 24231 "#undef sun" to util/unix_dgram_connect.c. 24232 2423320190403 24234 24235 Bugfix (introduced: Postfix 2.3): a censoring filter broke 24236 multiline Milter responses for header/body events. Problem 24237 report by Andreas Thienemann. Files: util/printable.c, 24238 util/stringops.h, smtpd/smtpd.c. 24239 24240 Bugfix (introduced: Postfix 3.3): "smtp_mx_address_limit = 0" 24241 no longer meant 'unlimited'. Problem report by Luc Pardon. 24242 File: smtp/smtp_addr.c. 24243 2424420190427 24245 24246 Cleanup: normalize the IP address string forms received with 24247 XCLIENT, XFORWARD, and HaProxy, for consistency with address 24248 information for direct connections to Postfix, and add unit 24249 tests. This casefolds and removes redundant nulls from the 24250 string representation of an IPv6 address, normalizes the 24251 "IPv6:" address prefix of RFC 2821 IPv6 address forms, and 24252 converts IPv4 address octets with leading zeros (octal form) 24253 into decimal form. Files: global/haproxy.c, 24254 global/normalize_mailhost_addr.[hc], smtpd/smtpd.c. 24255 24256 Incompatibility: this may change the appearance of logging, 24257 and the way that check_client_access will match subnets of 24258 an IPv6 address. 24259 2426020190428 24261 24262 Cleanup: replace "(whatever *) 0" with meaningfully-named 24263 constants. Sheesh. File: smtpd/smtpd.c. 24264 24265 Documentation: BASIC_CONFIGURATION_README example default 24266 setting was not updated after Postfix 3.0 change. File: 24267 proto/BASIC_CONFIGURATION_README.html 24268 2426920190505 24270 24271 Workaround: uClibc has no res_send. Log a warning if this 24272 code path would be used, and ignore dns_ncache_ttl_fix_enable. 24273 Files: util/sys_defs.h, dns/dns_lookup.c, TODO: makedefs 24274 and INSTALL documentation. 24275 2427620190516 24277 24278 Initial search order support for check_ccert_access. The 24279 default behavior is backwards-compatible. This is work in 24280 progress; see the RELEASE_NOTES for examples. Files: 24281 global/map_search.[hc], smtpd/smtpd_check.c. 24282 2428320190517 24284 24285 Bugfix: postconf mis-parsed text starting with "{" such as 24286 "check_ccert_access { inline:{a=b} { search_order=c,d } }". 24287 Fixed by adding another level of recursion. File: 24288 postconf/postconf_dbms.c. 24289 2429020190525 24291 24292 Infrastructure: reject_deliver_request() to reject an entire 24293 delivery request and bounce or defer all its recipients. 24294 File: global/reject_deliver_request.c. 24295 2429620190609 24297 24298 Infrastructure: byte_mask() to convert "flags=mumble" into 24299 a byte mask. This is similar to name_mask(). Files: 24300 util/byte_mask.[hc] and tests. 24301 2430220190615 24303 24304 Dovecot usability: SMTP/LMTP client support for 'D', 'O', 24305 'R', 'X' flags similar to the pipe(8) daemon, to produce 24306 Delivered-To, X-Original-To, and Return-Path headers, and 24307 to indicate final delivery. Files: smtp/smtp.c, smtp/smtp.h, 24308 smtp/smtp_misc.c, smtp/smtp_proto.c, smtp/smtp_rcpt.c. 24309 24310 Workaround for implementations that hang Postfix while 24311 shutting down a TLS session, until Postfix times out. With 24312 "tls_fast_shutdown_enable = yes" (the default), Postfix no 24313 longer waits for the TLS peer to respond to a TLS 'close' 24314 request. This is recommended with TLSv1.0 and later. Files: 24315 global/mail_params.h, tls/tls_session.c, and documentation. 24316 2431720190618 24318 24319 Documentation: corrected comments about the code change to 24320 not wait for the TLS peer's response after sending a TLS 24321 'close' notification. Viktor Dukhovni. Files: HISTORY, 24322 RELEASE_NOTES, proto/postconf.proto smtp/smtp.c smtpd/smtpd.c 24323 tlsproxy/tlsproxy.c 24324 2432520190621 24326 24327 Workaround: don't reuse an SMTP connection after an SMTP 24328 protocol error. This limits the impact of, for example, 24329 pipelining synchronization errors. File: smtp/smtp_trouble.c. 24330 24331 Bugfix (introduced: Postfix 3.0): the code to reset Postfix 24332 SMTP server command counts was not called after a HaProxy 24333 handshake failure, causing stale numbers to be reported. 24334 The command counts are now reset in the function that reports 24335 the counts. Problem report by Joseph Ward. File: smtpd/smtpd.c. 24336 2433720190719 24338 24339 Bitrot: OpenBSD stopped having /dev/arandom 8 years ago. 24340 Brad Smith. File: util/sys_defs.h. 24341 2434220190723 24343 24344 Bugfix: the documentation said tls_fast_shutdown_enable, 24345 but the code said tls_fast_shutdown. Viktor Dukhovni. Changed 24346 the code because no-one is expected to override the default. 24347 File: global/mail_params.h. 24348 2434920190724 24350 24351 Cleanup: proxymap(8) support for table search order syntax. 24352 File: proxymap/proxymap.c. 24353 24354 Safety: vstring_set_payload_size() now checks that the 24355 payload has not overwritten the safety terminator at the 24356 end of the VSTRING buffer. File: util/vstring.c. 24357 2435820190813 24359 24360 Documentation: access(5) map network address pattern syntax. 24361 File: proto/access. 24362 2436320190820 24364 24365 Workaround for poor TCP loopback performance on LINUX, where 24366 getsockopt(..., TCP_MAXSEG, ..) reports a TCP maximal segment 24367 size that is 1/2 to 1/3 of the MTU. For example, with kernel 24368 5.1.16-300.fc30.x86_64 the TCP client and server announce 24369 an mss of 65495 in the TCP handshake, but getsockopt() 24370 returns 32741 (less than half). As a matter of principle, 24371 Postfix won't turn on client-side TCP_NODELAY because that 24372 hides application performance bugs, and because that still 24373 suffers from server-side delayed ACKs. Instead, Postfix 24374 avoids sending "small" writes back-to-back, by choosing a 24375 VSTREAM buffer size that is a multiple of the reported MSS. 24376 This workaround bumps the multiplier from 2x to 4x. File: 24377 util/vstream_tweak.c. 24378 2437920190825 24380 24381 Bugfix (introduced: 20051222): the Dovecot client could 24382 segfault (null pointer read) or cause an SMTP server assertion 24383 to fail when talking to a fake Dovecot server. The client 24384 now logs a proper error instead. Problem reported by Tim 24385 Düsterhus. File: xsasl/xsasl_dovecot_server.c. 24386 2438720190908 24388 24389 Documentation: updated postconf(5) description of the 24390 tls_server_sni_maps configuration parameter. Viktor Dukhovni. 24391 File: proto/postconf.proto. 24392 2439320190914 24394 24395 Bugfix (introduced: Postfix 3.4): don't whitewash OpenSSL 24396 error results after a plaintext output error. The code could 24397 loop, and with some OpenSSL error results could flood the 24398 log with error messages (see below for a specific case). 24399 Problem reported by Andreas Schulze. File: tlsproxy/tlsproxy.c. 24400 24401 Bitrot: don't invoke SSL_shutdown() when the SSL engine 24402 thinks it is processing a TLS handshake. The commit at 24403 https://github.com/openssl/openssl/commit/64193c8218540499984cd63cda41f3cd491f3f59 24404 changed the error status, incompatibly, from SSL_ERROR_NONE 24405 into SSL_ERROR_SSL. File: tlsproxy/tlsproxxy.c. 24406 2440720190918 24408 24409 Cleanup: the nbbio(3) library now accepts a sequence of 24410 nbbio_enable_read() calls or a sequence of nbbio_enable_write() 24411 calls. This allows tlsproxy(8) to reset an I/O timer after 24412 each event without having to make an nbbio_disable_readwrite() 24413 call. Files: util/nbbio.c, tlsproxy/tlsproxy.c. 24414 2441520191013 24416 24417 Cleanup: code pattern ENFORCING_SIZE_LIMIT() for more 24418 consistent enforcement of the 'no size limit' case (it now 24419 requires "> 0" where previous code used "!= 0" or "> 0"). 24420 More relevant, this explicit pattern will help finding code 24421 that does not implement the 'no size limit' case with 24422 var_message_limit, etc. Files: cleanup/cleanup_init.c, 24423 local/local.c, postdrop/postdrop.c, postscreen/postscreen_smtpd.c, 24424 sendmail/sendmail.c, smtpd/smtpd.c, smtpd/smtpd_check.c, 24425 util/netstring.c, util/sys_defs.h, virtual/virtual.c. 24426 24427 Cleanup; with message_size_limit>0, local(8) and virtual(8) 24428 mailbox size limit checks would produce a misleading error 24429 message when the mailbox size was unlimited. Files: 24430 local/local.c, virtual/virtual.c. 24431 24432 Cleanup: queue_minfree changed from 'int' to 'long'. File: 24433 global/mail_params.h, src/smtpd/smtpd.c. 24434 24435 Attribution: updated AUTHOR in file headers. Files: 24436 global/bounce_log.c, global/deliver_request.h, smtp/smtp_chat.c, 24437 smtp/smtp_rcpt.c, tls/tls_certkey.c, util/nbbio.c, 24438 util/vstream_tweak.c. 24439 2444020191014 24441 24442 Bugfix (introduced: Postfix 2.8): don't gratuitously enable 24443 all after-220 tests when only one such test is enabled. 24444 This made selective tests impossible with 'good' clients. 24445 File: postscreen/postscreen_smtpd.c. 24446 24447 Bugfix: the 20180903 postscreen fix for a misleading 24448 "PIPELINING after BDAT" warning looked at the wrong variable. 24449 The warning now says "BDAT without valid RCPT", and the 24450 error is no longer treated as a command PIPELINING error 24451 (but sending BDAT is still a client error, because postscreen 24452 rejects all RCPT commands and does not announce PIPELINING 24453 support). File: postscreen/postscreen_smtpd.c. 24454 2445520190922 24456 24457 Documentation: replaced the link to "Suite B" cryptography 24458 with a link to web.archive.org. File: proto/postconf.proto. 24459 2446020191109 24461 24462 Cleanup: Postfix daemon processes now log the from= and to= 24463 addresses in external (quoted) form in non-debug logging 24464 (info, warning, etc.). This is consistent with the address 24465 form that Postfix 3.2 and later prefer for table lookups. 24466 It is therefore the more useful form for non-debug logging. 24467 Files: cleanup/cleanup.c, cleanup/cleanup_message.c, 24468 cleanup/cleanup_milter.c, global/info_log_addr_form.c, 24469 global/info_log_addr_form.h, global/log_adhoc.c, 24470 global/mail_params.c, global/mail_params.h, global/opened.c, 24471 local/local.c, oqmgr/qmgr.c, oqmgr/qmgr_active.c, 24472 pickup/pickup.c, pipe/pipe.c, postscreen/postscreen.c, 24473 postscreen/postscreen_smtpd.c, proto/postconf.proto, 24474 qmgr/qmgr.c, qmgr/qmgr_active.c, smtp/smtp.c, smtpd/smtpd.c, 24475 smtpd/smtpd_check.c, virtual/virtual.c. 24476 24477 Usability: the parser for key/certificate chain files 24478 rejected inputs that contain an EC PARAMETERS object. While 24479 this is technically correct (the documentation says what 24480 types are allowed) this is surprising behavior because the 24481 legacy cert/key parameters will accept such inputs. For 24482 now, the parser skips object types that it does not know 24483 about usability, and logs a warning because ignoring inputs 24484 is not kosher. Viktor and Wietse. File: tls/tls_certkey.c. 24485 2448620191201 24487 24488 Compatibility: added '_' to the milter_connect_macros default 24489 value. Reportedly some software produces an ugly warning 24490 message if Postfix does not send the macro, and there is 24491 no harm in sending it. File: global/mail_params.h. 24492 2449320191214 24494 24495 Bugfix (introduced: Postfix 3.1): support for 24496 smtp_dns_resolver_options was broken while adding support 24497 for negative DNS response caching in postscreen. Postfix 24498 was inadvertently changed to call res_query() instead of 24499 res_search(). Reported by Jaroslav Skarvada. File: 24500 dns/dns_lookup.c. 24501 24502 Bugfix: sanitize server responses before storing them in 24503 the verify database, to avoid Postfix warnings about malformed 24504 UTF8. File: verify/verify.c. 24505 2450620191215 24507 24508 Future proofing: the Postfix DNS library logs a warning if 24509 the DNS_REQ_FLAG_NCACHE_TTL dns_lookup flag is set and the 24510 RES_DNSRCH or RES_DEFNAMES resolver flags are set, and 24511 disables those resolver flags. File: dns/dns_lookup.c. 24512 2451320191230 24514 24515 Documentation: added the 'X' flag (final delivery) to the 24516 pipe-based final delivery examples in the default master.cf 24517 file. File: conf/master.cf 24518 2451920201005 24520 24521 Workaround: postlog clients open the socket before entering 24522 the chroot jail and before dropping privileges. This is needed 24523 on MacOS and would not hurt otherwise. Files: util/msg_logger.[hc], 24524 global/maillog_client.c. 24525 2452620200108 24527 24528 UI cleanup: SMTP (and LMTP) client support for a list of 24529 nexthop destinations separated by comma or whitespace. These 24530 will be tried in the specified order. The list form can be 24531 specified in relayhost, transport_maps, default_transport, 24532 and sender_dependent_default_transport_maps. Examples: 24533 "relayhost = foo.example, bar.example", and "default_transport 24534 = smtp:foo.example, bar.example". Files: smtp/smtp.c, 24535 smtp/smtp_connect.c, trivial-rewrite/resolve.c, proto/transport, 24536 proto/postconf.proto, global/mail_params.c. 24537 2453820200112 24539 24540 [initially released as part of postfix-20200101-nonprod] 24541 Refactored the haproxy infrastructure in preparation for 24542 haproxy version 2 support. This is necessary because version 24543 2 introduces a dependency of the reader on the parser. 24544 Additionally, version 2 introduces support for non-proxied 24545 connections (used by health checks). Files: global/haproxy_srvr.c, 24546 smtpd/smtpd_peer.c, smtpd/smtpd_haproxy.c, smtpd/smtpd.h, 24547 postscreen/postscreen.h, postscreen/postscreen_endpt.c, 24548 postscreen/postscreen_haproxy.c, postscreen/postscreen_haproxy.h, 24549 global/haproxy_srvr.h. Initial release 3.5-20200101-nonprod. 24550 24551 [initially released as part of postfix-20200105-nonprod] 24552 Support for the haproxy v2 protocol. The haproxy v2 protocol 24553 support is limited to TCP over IPv4 and TCP over IPv6. It 24554 also supports non-proxied connections (typically used for 24555 heartbeat tests). File: global/haproxy_srvr.c. 24556 24557 [initially released as part of postfix-20200105-nonprod] 24558 Cleanup: after haproxy handshake error, the Postfix SMTP 24559 daemon now logs the proxy connection information instead 24560 of unknown/unknown, and replies with "421 4.3.0 $myhostname 24561 Server local error" instead of just hanging up. Error 24562 details are logged to the maillog file. File: smtpd/smtpd.c. 24563 24564 Cleanup: miscellaneous comments, constants, error checks, 24565 no normal behavior change. Files: global/haproxy_srvr.c, 24566 postscreen/postscreen_haproxy.c. 24567 2456820200126 24569 24570 Cleanup: missing 'extern' declarations in some header files. 24571 Eray Aslan. Files: global/mail_params.h, postconf/postconf.h, 24572 smtpd/smtpd_expand.h, trivial-rewrite/trivial-rewrite.h 24573 24574 Typos: Viktor Dukhovni. File: HISTORY. 24575 24576 Documentation: haproxy2 support. File: proto/postconf.proto. 24577 2457820200120 24579 24580 [initially released as part of postfix-20200125-nonprod] 24581 Feature: forced message expiration. The "postsuper -e" 24582 option sets an 'expired' bit on one or more messages selected 24583 by their message ID. The queue manager returns a message 24584 as undeliverable when it moves the message to the active 24585 queue. Messages in the hold queue stay in that queue. 24586 24587 If a force-expired message was deferred, then it is returned 24588 with the reason for the delay. Otherwise, the message is 24589 returned with "message is administratively expired". Design 24590 by Wietse; Viktor suggested using the group execute permission 24591 bit. Files: global/mail_queue.h, *qmgr/qmgr.h, *qmgr/qmgr_active.c, 24592 *qmgr/qmgr_message.c, postsuper/Makefile.in, postsuper/postsuper.c. 24593 2459420200125 24595 24596 [initially released as part of postfix-20200125-nonprod] 24597 Added support for "postsuper -f" to expire and optionally 24598 release a message. Restructured the postsuper command so 24599 that it will execute actions in the order of the -[defhr] 24600 flags, instead of using an invisible fixed internal order. 24601 The -e and -f options are idempotent (just like -h and -H). 24602 Adjusted the summary at the end to make this more clear. 24603 File: postsuper/postsuper.c. 24604 2460520200126 24606 24607 [initially released as part of postfix-20200126-nonprod] 24608 Updated the mailq/postqueue commands to make forced message 24609 expiration status available. In ASCII ouput this is indicated 24610 with "#" appended to the queue file name, and in JSON output 24611 this is indicated with the boolean "force_expired" attribute. 24612 Files: showq/showq.c, postqueue/showq_compat.c, 24613 postqueue/showq_json.c. 24614 24615 [initially released as part of postfix-20200126-nonprod] 24616 Cleanup: minor tweaks to comments and code. 24617 24618 Safety: give maildrop queue files more time (week instead 24619 of day) to reach completion, in case a message is submitted 24620 by a really long-running program. File: postsuper/postsuper.c. 24621 24622 Cleanup: postsuper manpage indentation, word abbreviation. 24623 Files: mantools/postlink, postsuper/postsuper.c. 24624 2462520200202 24626 24627 Cleanup: nags about strcpy()/sprintf() from naive checkers. 24628 Files: global/mail_conf_int.c, global/mail_conf_long.c, 24629 global/mail_conf_nint.c, global/mail_conf_time.c, 24630 global/maillog_client.c, util/mymalloc.c. 24631 24632 Documentation: rephrased the postconf(5) manual page entry 24633 for milter_default_action. File: proto/postconf.proto. 24634 24635 Bugfix (introduced: Postfix 2.5): Milter SMTP connect event 24636 macros were evaluated before the Postfix-to-Milter connection 24637 had been negotiated. Problem reported by David Bürgin. 24638 Files: milter/milter.h, milter/milter.c, milter/milter8.c 24639 2464020200308 24641 24642 Cleanup: spellchecks, attributions. Files: HISTORY, 24643 auxiliary/name-addr-test/gethostbyaddr.c, 24644 auxiliary/name-addr-test/getnameinfo.c, proto/postconf.proto, 24645 global/haproxy_srvr.c, global/mail_version.h, global/map_search.c, 24646 global/map_search.h, postsuper/postsuper.c, smtp/smtp.c, 24647 smtp/smtp_misc.c, smtpd/smtpd.c, smtpd/smtpd_check.c, 24648 smtpd/smtpd_expand.h, tls/tls_client.c, tls/tls_server.c, 24649 tlsproxy/tlsproxy.c, trivial-rewrite/trivial-rewrite.h, 24650 util/byte_mask.c, util/vstream_tweak.c. 24651 24652 Cleanup: bitrot in tests. File: cleanup/cleanup_milter.c. 24653 24654 Cleanup: harmless memory leak in postconf. File: 24655 postconf/postconf_master.c. 24656 24657 Bugfix (introduced: Postfix 2.3): panic with Postfix 24658 multi-Milter configuration during MAIL FROM. Milter client 24659 state was not properly reset after one of the Milters failed. 24660 Reported by WeiYu Wu. 24661 2466220200312 24663 24664 Usability: the Postfix SMTP server now logs a warning when 24665 a configuration requests access control by client certificate, 24666 but "smtpd_tls_ask_ccert = no". Files: proto/postconf.proto, 24667 smtpd/smtpd_check.c. 24668 2466920200316 24670 24671 Removed the issuer_cn and subject_cn matches from 24672 check_ccert_access. Files: smtpd/smtpd_check.c, 24673 proto/postconf.proto. 24674 2467520200407 24676 24677 Helper script by Viktor Dukhovni to report TLS information 24678 per message delivery. This processes output from the 24679 collate.pl script. Files: auxiliary/collate/README.tlstype, 24680 auxiliary/collate/tlstype.pl. 24681 2468220200416 24683 24684 Workaround for broken builds after an incompatible change 24685 in GCC 10. Files: makedefs, Makefile.in. 24686 24687 Workaround for broken DANE support after an incompatible 24688 change in GLIBC 2.31. This avoids the need for new options 24689 in /etc/resolv.conf. Files: dns/dns.h, dns/dns_lookup.c. 24690 24691 Misc fixes for gcc 'multiple definition' errors. Files: 24692 master/master_vars.c, smtp/smtp.c, proxymap/proxymap.c. 24693 2469420200419 24695 24696 Bugfix (introduced: Postfix 3.4): segfault in the tlsproxy 24697 client role when the server role was disabled. This typically 24698 happens with a first-time Postfix install and after configuring 24699 only outbound TLS. Found during program maintenance. File: 24700 tlsproxy/tlsproxy.c. 24701 2470220200420 24703 24704 Noise suppression: shut up a compiler that special-cases 24705 string literals. Viktor Dukhovni. File milter/milter.c. 24706 2470720200422 24708 24709 Security: disable DANE support on Alpine Linux because 24710 libc-musl provides no indication whether DNS responses are 24711 authentic. This broke DANE support without a clear explanation. 24712 File: makedefs. 24713 2471420200425 24715 24716 Robustness: enable the socket option SO_REUSEPORT_LB or 24717 SO_REUSEPORT on systems that support it. It allows multiple 24718 processes to create distinct listen sockets for the same 24719 address and port, and makes Postfix easier to restart. 24720 However, with a SHARED listen socket as used in Postfix, 24721 kernel-based load balancing does not help, and Postfix still 24722 requires locking to avoid waking up multiple processes when 24723 a connection arrives. Files: util/inet_listen.c, 24724 2472520200502 24726 24727 Documentation: update SNI support status in TLS_README. 24728 File: proto/TLS_READNE.html. 24729 2473020200503 24731 24732 Portability: declaration should be before executable 24733 statement. File: util/msg_logger.c. 24734 24735 Portability: replace res_xxx() calls with res_nxxx() not 24736 because those are threadsafe, but because new features are 24737 being added there. To build old style, build with "make 24738 makefiles CCARGS="-DNO_RES_NCALLS...". Files: makedefs. 24739 util/sys_defs.h, dns/dns_lookup.c. 24740 24741 Portability: libc-musl does not have res_nxxx() support, 24742 so it builds with -DNO_RES_NCALLS. 24743 2474420200505 24745 24746 Noise suppression: shut up a compiler that special-cases 24747 string literals. Viktor Dukhovni. File smtpd/smtpd_check.c. 24748 24749 Portability: not all supported systems have ldd(1). Viktor 24750 Dukhovni. File: makedefs. 24751 2475220200509 24753 24754 Bugfix (introduced: Postfix 3.4): maillog_file_rotate_suffix 24755 default value used the minute instead of the month. Reported 24756 by Larry Stone. Files: conf/postfix-tls-script, 24757 proto/MAILLOG_README.html, proto/postconf.proto. 24758 2475920200510 24760 24761 Bitrot: avoid U_FILE_ACCESS_ERROR after chroot(), by 24762 initializing the ICU library before making the chroot() 24763 call. Files: util/midna_domain.[hc], global/mail_params.c. 24764 2476520200511 24766 24767 Noise suppression: avoid "SSL_Shutdown:shutdown while in 24768 init" warnings. File: tls/tls_session.c. 24769 24770 Debugging: with a single -v, the cleanup server now also 24771 logs output envelope records, so that one -v option shows 24772 the input and output. File: cleanup_out.c. 24773 2477420200515 24775 24776 Bugfix (introduced: Postfix 2.2): a TLS error for a PostgreSQL 24777 client caused a false 'lost connection' error for an SMTP 24778 over TLS session in the same Postfix process. Reported by 24779 Alexander Vasarab, diagnosed by Viktor Dukhovni. File: 24780 tls/tls_bio_ops.c. 24781 24782 Bugfix (introduced: Postfix 2.8): a TLS error for one TLS 24783 session may cause a false 'lost connection' error for a 24784 concurrent TLS session in the same tlsproxy process. File: 24785 tlsproxy/tlsproxy.c. 24786 2478720200518 24788 24789 Documentation: updated the wording of recent HISTORY entries, 24790 based on the text in the 20200516 stable releases. 24791 2479220200521 24793 24794 Cleanup: the value of __RES (defined in resolv.h) determines 24795 whether the res_nxxx() API is available. Credit to Rich 24796 Felker. Files: util/sys_defs.h, dns/dns_lookup.c. 24797 2479820200522 24799 24800 Cleanup: the postconf command builds with -fno-common. 24801 Files: makedefs, Makefile.in, postconf/extract.awk, 24802 postconf/install_vars.h. 24803 2480420200523 24805 24806 Cleanup: the 20200503 change did not prevent direct access 24807 to the obsolete h_errno variable in smtpd_checks.c. This 24808 variable may still be updated, but we should not count on 24809 that. Files: dns/dns.h, dns/dns_lookup.c, smtpd/smtpd_check.c. 24810 24811 Cleanup: unit tests now build with -fno-common. Files: 24812 global/server_acl.c, smtpd/smtpd_check.c, global/strip_addr.c, 24813 proxymap/proxymap.c. 24814 2481520200525 24816 24817 Documentation: revised text about TLS connection reuse. 24818 File: proto/CONNECTION_CACHE_README.html 24819 2482020200530 24821 24822 Bugfix (introduced: Postfix 3.1): "postfix tls deploy-server-cert" 24823 did not handle a missing optional argument. File: 24824 conf/postfix-tls-script. 24825 2482620200531 24827 24828 Debugging: per-nexthop SMTP client "debug peer" logging so 24829 that we can also see what happens before, between, and after 24830 SMTP sessions; add explicit SMTP client debug logging for 24831 non-DNS host lookups. Files: smtp/smtp.c, proto/postconf.proto, 24832 smtp/smtp_addr.c, smtp/smtp.c, smtp/smtp.h, smtp/smtp_session.c, 24833 smtp/smtp_state.c. 24834 24835 Postfix delivery agents now log an explicit record when 24836 delegating delivery to a different Postfix delivery agent. 24837 Example: "postfix/smtp[pid] queueid: passing <recipient> 24838 to transport=local". This makes the delegating delivery 24839 agent visible, where it would otherwise have remained 24840 invisible, which would complicate troubleshooting. File: 24841 global/deliver_pass.c. 24842 2484320200610 24844 24845 Respectful code: replace 'slave' in internal identifiers 24846 and comments, and make the master(5) description more 24847 consistent with that in master(8). Postfix does not have a 24848 master/slave architecture, and these identifiers and comments 24849 were just poorly worded. Files: conf/postmulti-script, 24850 html/master.5.html, man/man5/master.5, proto/master, 24851 global/dsb_scan.c, global/dsb_scan.h, global/dsn_print.c, 24852 global/dsn_print.h, global/msg_stats.h, global/msg_stats_print.c, 24853 global/msg_stats_scan.c, global/rcpt_buf.c, global/rcpt_buf.h, 24854 global/rcpt_print.c, global/rcpt_print.h, milter/milter.h, 24855 milter/milter_macros.c, tls/tls_proxy.h, 24856 tls/tls_proxy_client_print.c, tls/tls_proxy_client_scan.c, 24857 tls/tls_proxy_context_print.c, tls/tls_proxy_context_scan.c, 24858 tls/tls_proxy_server_print.c, tls/tls_proxy_server_scan.c, 24859 util/argv_attr.h, util/argv_attr_print.c, util/argv_attr_scan.c, 24860 util/attr.h, util/attr_print0.c, util/attr_print64.c, 24861 util/attr_print_plain.c, util/attr_scan0.c, util/attr_scan64.c, 24862 util/attr_scan_plain.c. 24863 24864 Bugfix (introduced: Postfix 3.4): in the Postfix SMTP server, 24865 the SNI callback reported an error when it was called a 24866 second time. This happened after the server-side TLS engine 24867 sent a TLSv1.3 HelloRetryRequest (HRR) to a remote SMTP 24868 client. Reported by Ján Máté, fixed by Viktor Dukhovni. 24869 File: tls/tls_misc.c. 24870 2487120200617 24872 24873 Bugfix (introduced: Postfix 3.4): the connection_reuse 24874 attribute in smtp_tls_policy_maps resulted in an "invalid 24875 attribute name" error. Fix by Thorsten Habich. File: 24876 smtp/smtp_tls_policy.c. 24877 2487820200618 24879 24880 Documentation: documented that smtp_line_length_limit=0 24881 disables the feature, and made this more explicit in the 24882 code by using the ENFORCING_SIZE_LIMIT macro. Files: 24883 proto/postconf.proto, smtp/smtp_proto.c. 24884 2488520200619 24886 24887 Bugfix (introduced: Postfix 3.4): SMTP over TLS connection 24888 reuse was broken for configurations that use explicit trust 24889 anchors. Reported by Thorsten Habich. Cause: the tlsproxy 24890 client was sending a zero certificate length. File: 24891 tls/tls_proxy_client_print.c. 24892 24893 Bugfix: posttls-finger reported a conflict betwen -X and 24894 -r when only -X was used. File: posttls-finger/posttls-finger.c. 24895 2489620200620 24897 24898 Bugfix (introduced: Postfix 3.4): SMTP over TLS connection 24899 reuse was broken for configurations that use explicit trust 24900 anchors. Reported by Thorsten Habich. Fixed by calling DANE 24901 initialization unconditionally (WTF). File: tlsproxy/tlsproxy.c. 24902 2490320200626 24904 24905 Typo: in postconf(5) documentation, AAAAA should be AAAA. 24906 Christian Franke. File: proto/postconf.proto. 24907 24908 Bugfix (introduced: Postfix 2.11): The Postfix smtp(8) 24909 client did not send the right SNI name when the TLSA base 24910 domain was a secure CNAME expansion of the MX hostname (or 24911 non-MX nexthop domain). Domains with CNAME expanded MX hosts 24912 are not conformant with RFC5321, and so are rare. Even more 24913 rare are MX hosts with TLSA records for their CNAME expansion. 24914 For this to matter, the remote SMTP server would also have 24915 to select its certificate based on the SNI name in such a 24916 way that the original MX host would yield a different 24917 certificate. Among the ~2 million hosts in the DANE survey, 24918 none meet the conditions for returning a different certificate 24919 for the expanded CNAME. Therefore, sending the correct SNI 24920 name should not break existing mail flows. Fixed by Viktor 24921 Dukhovni. File: src/tls/tls_client.c. 24922 2492320200705 24924 24925 Cleanup: OpenSSL-1.1.1 is the minimum supported version. 24926 This is an LTS (long-term support) version that will reach 24927 the end of life by 2023-09-11. This removes support for 24928 export ciphers. 24929 24930 This also changes the Postfix default fingerprint digest 24931 from MD5 to SHA256, but only when the compatibility_level 24932 is set to '3' or higher. 24933 24934 Code by Viktor Dukhovni. Files: global/mail_params.c, 24935 global/mail_params.h, posttls-finger/posttls-finger.c, 24936 proto/COMPATIBILITY_README.html, proto/TLS_README.html, 24937 proto/postconf.proto, smtp/smtp.c, smtp/smtp_tls_policy.c, 24938 smtpd/smtpd.c, smtpd/smtpd_check.c, tls/Makefile.in, 24939 tls/tls.h, tls/tls_certkey.c, tls/tls_client.c, tls/tls_dane.c, 24940 tls/tls_dh.c, tls/tls_misc.c, tls/tls_rsa.c, tls/tls_server.c, 24941 tls/tls_verify.c. 24942 2494320200710 24944 24945 Security: added a section to the sendmail(1) manpage for 24946 security researchers and application developers, with an 24947 example of using '--' to disable command option processing 24948 for user-specified data. File sendmail/sendmail.c. 24949 24950 Error reporting: added '--' to a postalias command line to 24951 make an obsecure error message less confusing. File 24952 sendmail/sendmail.c. 24953 24954 Conversion from Postfix built-in DANE support to OpenSSL 24955 DANE support. Code by Viktor Dukhovni. Files: 24956 posttls-finger/posttls-finger.c, proto/postconf.proto, 24957 smtp/smtp.c, smtp/smtp_proto.c, smtp/smtp_tls_policy.c, 24958 tls/Makefile.in, tlsproxy/tlsproxy.c, tls/tls_client.c, 24959 tls/tls_dane.c, tls/tls_fprint.c, tls/tls.h, tls/tls_misc.c, 24960 tls/tls_proxy_client_print.c, tls/tls_proxy_client_scan.c, 24961 tls/tls_proxy_context_print.c, tls/tls_proxy_context_scan.c, 24962 tls/tls_proxy.h, tls/tls_verify.c, util/hex_code.c. 24963 24964 Bugfix (introduced: Postfix 3.0): minor memory leaks in the 24965 Postfix TLS library, found during tests. File: tls/tls_misc.c. 24966 2496720200712 24968 24969 Cleanup: non-TLS builds were failing. File: util/tls_misc.c. 24970 24971 Bugfix (introduced: Postfix 3.0): 4kbyte per session memory 24972 leak in the Postfix TLS library, found during tests. File: 24973 tls/tls_misc.c. 24974 2497520200718 24976 24977 Cleanup TLS library: coding style, additional error message, 24978 additional handling of internationalized domain name, and 24979 dropping an unused variable. Files: tls.h, tls_dane.c, 24980 tls_proxy_client_scan.c, tls_client.c. 24981 24982 Noise suppression: shut up compilers that warn about 24983 sizeof("text"). File: smtpstone/smtp-sink.c. 24984 2498520200719 24986 24987 Cleanup old API: mymemdup() should return "void *", the 24988 same value type as its main argument, and the same result 24989 type as mymalloc(). In a future update we can remove all 24990 the noisy but unnecessary casts of their result values to 24991 character pointer. Files: util/mymalloc.c, util/mymalloc.h. 24992 24993 Cleanup: don't split the sendmail -oA option value on comma 24994 or whitespace, before passing the value to the postalias 24995 command line. This results in unexpected behavior. File: 24996 sendmail/sendmail.c. 24997 24998 Documentation: updated the manpage of the unprivileged(!) 24999 sendmail(1) command with instructions to avoid privilege 25000 esclation attacks in naive programs that run Postfix programs 25001 with user-specified arguments. File: sendmail/sendmail.c. 25002 2500320200720 25004 25005 Bugfix (introduced: postfix 3.4): nullpointer dereference 25006 in debug logging when tlsproxy is unavailable. File: 25007 posttls-finger/posttls-finger.c. 25008 25009 Final cleanups of the peername matching code. File: 25010 tls/tls_client.c. 25011 25012202000725 25013 25014 Documentation of how to set the minimum and maximum allowed 25015 TLS protocol versions (these override system-wide OpenSSL 25016 configuration), some related code cleanups including better 25017 warning messages. Viktor Dukhovni. Files: proto/TLS_README.html, 25018 proto/postconf.proto, global/mail_params.h, 25019 posttls-finger/posttls-finger.c, tls/tls.h, tls/tls_client.c, 25020 tls/tls_fprint.c, tls/tls_misc.c, tls/tls_server.c. 25021 25022 The Postfix TLS library did not override the system-wide 25023 OpenSSL configuration of allowed TLS protocol versions, for 25024 sessions where the remote SMTP client sends SNI. File: 25025 tls/tls_server.c. 25026 2502720200726 25028 25029 Code health: the tls_get_signature_params() function reused 25030 variable names for different objects that have up to three 25031 different life-cycle management models. To avoid more 25032 accidents we now use distinct names for distinct purposes. 25033 File: tls/tls_misc.c. 25034 2503520200727 25036 25037 Code health: inet_proto_info() should return a const pointer. 25038 This is global data that callers should not change. Files: 25039 cleanup/cleanup_milter.c, global/haproxy_srvr.c, 25040 global/mynetworks.c, global/normalize_mailhost_addr.c, 25041 global/own_inet_addr.c, postscreen/postscreen_endpt.c, 25042 posttls-finger/posttls-finger.c, qmqpd/qmqpd_peer.c, 25043 smtpd/smtpd_check.c, smtpd/smtpd_peer.c, smtp/smtp_addr.c, 25044 smtpstone/smtp-sink.c, util/inet_addr_host.c, 25045 util/inet_addr_list.c, util/inet_addr_local.c, util/inet_connect.c, 25046 util/inet_listen.c, util/inet_proto.c, util/inet_proto.h. 25047 2504820200728 25049 25050 Code health: deleted a mis-spelled macro from code and 25051 documentation. Files: bounce/bounce_template.[hc]. 25052 2505320200829 25054 25055 Other debt: updated the encoding in HTML from us-ascii to 25056 utf-8. Files: mantools/makemanidx, mantools/make_soho_readme, 25057 mantools/man2html, mantools/readme2html, proto/*_README.html, 25058 proto/INSTALL.html, proto/postconf.html.prolog, html/index.html. 25059 2506020200830 25061 25062 Refactor: moved the SASL mechanism filter code from the 25063 Postfix SMTP client to a library module, so that it can be 25064 reused in the Postfix SMTP server. Files: smtp/smtp_sasl_proto.c, 25065 global/sacl_mech_filter.[hc]. 25066 25067 Bugfix (introduced: Postfix 2.0): smtp_sasl_mechanism_filter 25068 ignored table lookup errors, treating them as 'not found'. 25069 Found while refactoring code. File: smtp/smtp_sasl_proto.c. 25070 25071 Feature: smtpd_sasl_mechanism_list (default: !external, 25072 static:rest) to avoid confusing errors when a SASL backend 25073 wants to anounce EXTERNAL support for which Postfix support 25074 does not exist. Files: smtpd/smtpd.[hc], smtpd_sasl_glue.[hc], 25075 global/mail_params.h, proto/postconf.proto, mantools/postlink. 25076 2507720200906 25078 25079 Cleanup: missing file. File: src/postqueue/.indent.pro. 25080 25081 Cleanup: uninitialized value in unit test code. File: 25082 global/haproxy_srvr.c. 25083 25084 Cleanup: duplicate 'const' in argument declaration. File: 25085 src/global/sasl_mech_filter.c. 25086 2508720200906-18 25088 25089 Other debt: internal protocol identification. Each server 25090 sends the name of the internal protocol that it implements, 25091 and each client logs a warning if it receives the wrong 25092 protocol name. With this, a client-server mismatch results 25093 in a better error message. It is a good idea to "postfix 25094 stop" before updating, or before backing out to an earlier 25095 relase. To make this work consistently, a few internal 25096 protocols were converted from "client speaks first" to 25097 "server speaks first". Files: anvil/anvil.c, bounce/bounce.c, 25098 cleanup/cleanup.c, flush/flush.c, global/abounce.c, 25099 global/anvil_clnt.c, global/bounce.c, global/clnt_stream.c, 25100 global/clnt_stream.h, global/defer.c, global/deliver_pass.c, 25101 global/deliver_request.c, global/dict_proxy.c, global/flush_clnt.c, 25102 global/mail_command_client.c, global/mail_proto.h, 25103 global/mail_stream.c, global/mail_version.h, global/post_mail.c, 25104 global/resolve_clnt.c, global/rewrite_clnt.c, global/scache_clnt.c, 25105 global/trace.c, global/verify_clnt.c, local/forward.c, 25106 master/event_server.c, master/mail_server.h, master/multi_server.c, 25107 oqmgr/qmgr_deliver.c, pickup/pickup.c, postdrop/postdrop.c, 25108 postqueue/postqueue.c, postscreen/postscreen_starttls.c, 25109 proxymap/proxymap.c, qmgr/qmgr_deliver.c, scache/scache.c, 25110 showq/showq.c, tls/tls_mgr.c, tls/tls_proxy_clnt.c, 25111 tlsmgr/tlsmgr.c, tlsproxy/tlsproxy.c, 25112 trivial-rewrite/trivial-rewrite.c, util/attr.h, util/attr_clnt.c, 25113 util/attr_clnt.h, util/attr_print0.c, util/attr_print64.c, 25114 util/attr_print_plain.c, util/attr_scan0.c, util/attr_scan64.c, 25115 util/attr_scan_plain.c, util/auto_clnt.c, util/auto_clnt.h, 25116 verify/verify.c. 25117 25118 Debt: during the conversion of some internal protocols to 25119 "server speaks first", took the opportunity to improve how 25120 event-driven client implementations handle a server that 25121 is locked up. Files: global/abounce.c, 25122 postscreen/postscreen_starttls.c. 25123 2512420200919 25125 25126 Cleanup: eliminated a silly optimization for lazy clients 25127 that read the "server speaks first" protocol announcement 25128 after sending a client request. Files: src/anvil/anvil.c, 25129 src/bounce/bounce.c, src/flush/flush.c, src/global/abounce.c, 25130 src/global/anvil_clnt.c, src/global/deliver_pass.c, 25131 src/global/deliver_request.c, src/global/dict_proxy.c, 25132 src/global/mail_command_client.c, src/global/mail_stream.c, 25133 src/global/resolve_clnt.c, src/global/rewrite_clnt.c, 25134 src/global/scache_clnt.c, src/global/verify_clnt.c, 25135 src/local/forward.c, src/oqmgr/qmgr_deliver.c, src/pickup/pickup.c, 25136 src/postqueue/postqueue.c, src/postscreen/postscreen_starttls.c, 25137 src/proxymap/proxymap.c, src/qmgr/qmgr_deliver.c, 25138 src/scache/scache.c, src/showq/showq.c, src/tlsmgr/tlsmgr.c, 25139 src/tlsproxy/tlsproxy.c, src/tls/tls_mgr.c, 25140 src/tls/tls_proxy_clnt.c, src/trivial-rewrite/trivial-rewrite.c, 25141 src/verify/verify.c. 25142 25143 Cleanup: factored out some duplicate showq client code. 25144 File: postqueue/postqueue.c. 25145 2514620200920 25147 25148 Cleanup: deleted the percentm module. It was obsoleted in 25149 19971027 by the vbuf_print() string formatter for VSTREAM 25150 and VSTRING objects. Files: util/percentm.[hc]. 25151 25152 Cleanup: replaced hard-coded 'private' with named constant. 25153 File: global/scache_clnt.c. 25154 25155 Bugfix (introduced: Postfix 2.3): when deleting a recipient 25156 with a milter, delete the recipient from the duplicate 25157 filter, so that the recipient can be added back. Files: 25158 global/been_here.[hc], cleanup/cleanup_milter.c, 25159 cleanup/Makefile.in, lots of cleanup unit test files. 25160 2516120200925 25162 25163 Cleanup: vstream_fseek() support for reading or writing 25164 memory buffer streams, and minor cleanups in VSTREAM support 25165 for reading/writing VSTRINGs. Also added unit tests. Files: 25166 util/vstream.c, util/vstring.h. 25167 25168 Bugfix (introduced: before Postfix alpha): the code that 25169 looks for Delivered-To: headers ignored headers longer than 25170 $line_length_limit. Also added unit tests. File: 25171 global/delivered_hdr.c. 25172 2517320200930 25174 25175 Feature: when a Postfix program makes a DNS query that 25176 requests DNSSEC validation (usually for Postfix DANE support) 25177 but the DNS response is not DNSSEC validated, Postfix will 25178 send a DNS query configured with the "dnssec_probe" parameter 25179 to determine if DNSSEC support is available, and logs a 25180 warning if it is not. By default, the probe has type "ns" 25181 and domain name ".". The probe is sent once per process 25182 lifetime. Files: dns/dns.h, dns/dns_lookup.c, dns/dns_sec.c, 25183 test_dns_lookup.c, global/mail_params.[hc], mantools/postlink.. 25184 2518520201003 25186 25187 The makedefs script no longer disables DNSSEC when Postfix 25188 is built with libc-musl. Instead Postfix will rely on the 25189 new dnssec_probe feature, and will log a warning when Postfix 25190 requests DNSSEC validation, but the infrastructure does not 25191 validate DNSSEC signatures. File: makedefs. 25192 25193 Cleanup: some wordsmithing of warnings when DNSSEC validation 25194 is unavailable. File: dns/dns_sec.c. 25195 25196 Cleanup: add missing warnings for libpostfix version 25197 mismatches. This will help folks with build processes that 25198 mistakenly run newly-built Postfix installation commands 25199 with previously-installed libpostfix files. Files: 25200 postcat/postcat.c, postconf/postconf.c, postkick/postkick.c, 25201 postlock/postlock.c. 25202 25203 Documentation: hyperlink occurrences of the info_log_address_format 25204 parameter name in daemon manpages. 25205 2520620201005 25207 25208 Cleanup: move the submit_users check after the postdrop 25209 initializations that strip the environment, set up signal 25210 handlers, etc. File: postdrop/postdrop.c. 25211 25212 Documentation: descriptions of Postfix TLS wrappermode 25213 support. File: proto/TLS_README.html, proto/SASL_README.html. 25214 2521520201011 25216 25217 Bugfix (introduced: Postfix 2.8): save a copy of the 25218 postscreen_dnsbl_reply_map lookup result. This has no effect 25219 when the recommended texthash: look table is used, but it 25220 may avoid stale data with other lookup tables. File: 25221 postscreen/postscreen_dnsbl.c. 25222 2522320201015 25224 25225 Documentation: simplified the recipient_delimiter 25226 description. File: proto/postconf.proto. 25227 2522820201022 25229 25230 Bugfix (introduced: Postfix 2.2): after processing an 25231 XCLIENT command, the smtps service was waiting for a TLS 25232 handshake. Found by Aki Tuomi. File: smtpd/smtpd.c. 25233 2523420201025 25235 25236 Feature: local_login_sender_maps to lock down the envelope 25237 sender addresses that the postdrop command will accept. The 25238 default is backwards compatible. Developed with input from 25239 Demi M. Obenour. Files: postdrop/postdrop.c, global/mail_params.h, 25240 global/local_sender_login_match.[hc], 25241 global/local_sender_login_match.in, 25242 global/local_sender_login_match.ref, global/quote_822_local.c, 25243 global/quote_822_local.in, global/quote_822_local.ref, 25244 mantools/postlink, proto/postconf.proto. 25245 25246 Bugfix (introduced: Postfix 2.3): static maps did not free 25247 their casefolding buffer. File: util/dict_static.c. 25248 2524920201026 25250 25251 Cleanup: changed the postdrop numerical UID prefix from "#" 25252 to "uid:", and tweaked some local_login_sender_maps 25253 documentation. Files: proto/postconf.proto, postdrop/postdrop.c. 25254 2525520201031 25256 25257 Cleanup: don't split a space-comma separated address list 25258 on space or comma inside a quoted string. Files: util/mystrtok.c, 25259 util/mystrtok.ref, global/login_sender_match.c. 25260 2526120201101 25262 25263 Cleanup: the default "smtp_tls_dane_insecure_mx_policy = dane" 25264 was forcing too many A/AAAA lookups for MX hosts in DANE mode. 25265 The default is now "dane" when smtp_tls_security_level is "dane". 25266 otherwise it is "may". File: global/mail_params.h. 25267 2526820201104 25269 25270 Bugfix (introduced: Postfix 3.5): the Postfix SMTP client 25271 broke message headers longer than $line_length_limit, causing 25272 subsequent header content to become message body content. 25273 Reported by Andreas Weigel, fix by Viktor Dukhovni. File: 25274 smtp/smtp_proto.c. 25275 25276 Added missing employer attributions to .c and .h files. 25277 2527820201116 25279 25280 Documentation: document that check_mumble_mx_access will 25281 look up A or AAAA records when a domain name has no MX 25282 record, just like the Postfix SMTP client would. File: 25283 proto/postconf.proto. 25284 2528520201122 25286 25287 Cleanup: log "Application error" instead of "Success" or 25288 "Unknown error: 0" when an operation fails with errno == 25289 0. File: util/vbuf_print.c. 25290 2529120201125 25292 25293 Documentation: in the cleanup(8) description of message 25294 transformations, mention how some transformations are 25295 controlled with the local_header_rewrite_clients, 25296 always_add_missing_headers, and message_drop_headers parameter 25297 settings. File: cleanup/cleanup.c. 25298 2529920201129 25300 25301 Cleanup: future-proofing a condition in delivered_hdr_init(). 25302 The code was not wrong, but the new code is more consistent 25303 with new code in the bounce daemon where the difference does 25304 matter. File: global/delivered_hdr.c 25305 2530620201205 25307 25308 Testing: generic test_main() routine to initialize configuration 25309 parameters before running a test routine. Files: 25310 global/test_main.[hc]. 25311 25312 Feature: specify "enable_threaded_bounces = yes" to enable 25313 bounce messages that link to the original message with a 25314 References: and In-Reply_to: header. Based on code by Andreas 25315 Thienemann. See RELEASE_NOTES for caveats. Files: 25316 proto/postconf.proto, bounce/bounce_notify_tester.c, many 25317 test data files to exercise corner cases. 25318 2531920201220 25320 25321 Infrastructure: support to add custom comparison operators 25322 for Postfix configuration files. This will be used to implement 25323 custom comparison operators for compatibility_level values 25324 that contain both the Postfix major and minor version and 25325 maybe patchlevel. Files: util/alldig.c, util/stringops.h, 25326 util/mac_expand.[hc] and test files. 25327 2532820210102 25329 25330 Infrastructure: support for the <=level, <level, and other 25331 operators to compare compatibility levels. With the standard 25332 <=, <, etc. operators, compatibility level 3.10 would be 25333 less than 3.9 which is undesirable. Files: global/compat_level.[hc] 25334 and test files. 25335 2533620210107 25337 25338 Documentation: added lmdb to the postmap/postalias pages. 25339 Files: postmap/postmap.c, postalias/postalias.c. 25340 2534120210109 25342 25343 Feature: support for compatibility levels of the form 25344 "major.minor.patch". Files: global/mail_params.[hc], 25345 master/master_ent.c, postconf/postconf.c, postfix/postfix.c, 25346 proto/COMPATIBILITY_README.html, proto/postconf.proto. 25347 2534820210110 25349 25350 Documentation: the postfix(1) manpage missed some changes 25351 that were introduced in the Postfix 3.0 development 25352 cycle. File:postfix/postfix.c. 25353 25354 Bugfix: the 20210109 change broke 'postfix reload' for the 25355 master daemon. File: global/mail_params.c. 25356 2535720210111 25358 25359 Cleanup: compiler warning for casting '0' to the wrong type 25360 (zero impact). File: dns/dns_sec.c . 25361 25362 Cleanup: after back-porting the dnssec_probe implementation 25363 to Postfix 3.5 and earlier versions, forward-ported some 25364 comment and documentation changes to the 3.6 releases. 25365 Files: proto/postconf.proto, RELEASE_NOTES, dns/dns.h. 25366 2536720210113 25368 25369 Workaround: STRREF() macro to shut up compiler warnings for 25370 legitimate expressions involving string constants. Files: 25371 util.stringops.h, flush/flush.c. 25372 2537320210130 25374 25375 Feature: with smtpd_relay_before_recipient_restrictions=yes, 25376 the Postfix SMTP server will evaluate smtpd_relay_restrictions 25377 before smtpd_recipient_restrictions. This is the default 25378 behavior with compatibility_level >= 3.6. This makes the 25379 implemented behavior consistent with existing documentation. 25380 There is a backwards-compatibility warning that allows users 25381 to freeze historical behavior. Files: mantools/postlink, 25382 proto/COMPATIBILITY_README.html, proto/postconf.proto, 25383 global/mail_params.c, global/mail_params.h, smtpd/smtpd.c, 25384 smtpd/smtpd_check.c. 25385 2538620210201 25387 25388 Flipped a bit in the smtpd_relay_before_recipient_restrictions 25389 implementation. File: smtpd/smtpd_check.c. 25390 2539120210206 25392 25393 Documentation: the inet_protocols default setting is compile-time 25394 dependent. Files: proto/postconf.proto, proto/IPV6_README.html, 25395 and documentation in smtpd/smtpd.c, smtp/smtp.c, master/master.c. 25396 2539720210212 25398 25399 Documentation: added a jq example to the postsuper(1) manpage. 25400 File: postsuper/postsuper.c. 25401 2540220210216 25403 25404 Respectful code: avoid using terminology that implies white 25405 is better than black. Instead, use 'allowlist', 'denylist', 25406 and variations on those words. This continues work started 25407 with Noel Jones a year ago. 25408 25409 Documentation: replaced white/blacklist with allow/denylist, 25410 except in parameter names and logging. Files: 25411 proto/ADDRESS_VERIFICATION_README.html, proto/cidr_table, 25412 proto/OVERVIEW.html, proto/postconf.proto, 25413 proto/POSTSCREEN_README.html, proto/SMTPD_ACCESS_README.html, 25414 proto/SMTPD_POLICY_README.html, proto/STRESS_README.html, 25415 dns/dns_lookup.c, dnsblog/dnsblog.c, global/server_acl.c, 25416 postfix/postfix.c, postscreen/postscreen.c, 25417 postscreen/postscreen_dnsbl.c, postscreen/postscreen_early.c, 25418 postscreen/postscreen.h, postscreen/postscreen_misc.c, 25419 postscreen/postscreen_smtpd.c, postscreen/postscreen_tests.c, 25420 proxymap/proxymap.c, smtpd/smtpd.c, smtpd/smtpd_check.c, 25421 smtpd/smtpd_dnswl.in, smtpd/smtpd_dnswl.ref, tlsproxy/tlsproxy.c, 25422 verify/verify.c. 25423 2542420210220 25425 25426 Renamed postscreen_dnsbl_whitelist_threshold, 25427 postscreen_blacklist_action, and postscreen_whitelist_interfaces, 25428 with backwards-compatible default settings, and updated 25429 documentation. 25430 25431 Forked POSTSCREEN_README for readability, to avoid deprecated 25432 parameter names and logging examples. The historical parameter 25433 names and logging are still described in POSTSCREEN_3_5_README. 25434 Files: proto/Makefile.in, proto/POSTSCREEN_3_5_README.html, 25435 proto/POSTSCREEN_README.html. 25436 25437 Renamed internal variables with names that contain 'white' or 25438 'black'. Files: postscreen/postscreen.c, postscreen/postscreen.h. 25439 25440 Feature: respectful_logging configuration parameter (the 25441 default depends on the compatibility_level) to choose 25442 between respectful and deprecated logging formats. Files: 25443 mantools/postlink, proto/postconf.proto, global/mail_params.[hc], 25444 postscreen/postscreen.c, proto/COMPATIBILITY_README. 25445 2544620210224 25447 25448 Typo: the "respectful_logging" parameter had a typo and a 25449 "postscreen_" prefix that should have been deleted. File: 25450 global/mail_params.h 25451 2545220210313 25453 25454 Documentation: enable_threaded_bounces also applies to 25455 "success" and "delay" delivery status notiifications. File: 25456 proto/postconf.proto. 25457 2545820210403 25459 25460 Missing null pointer checks (introduced: Postfix 3.4) after 25461 an internal I/O error during the smtp(8) to tlsproxy(8) 25462 handshake. Found by Coverity, reported by Jaroslav Skarvada. 25463 Based on fix by Viktor Dukhovni. File: tls/tls_proxy_client_scan.c. 25464 25465 Null pointer bug (introduced: Postfix 3.0) and memory leak 25466 (introduced: Postfix 3.4) after an inline: table syntax 25467 error in main.cf or master.cf. Found by Coverity, reported 25468 by Jaroslav Skarvada. Based on fix by Viktor Dukhovni. File: 25469 util/dict_inline.c. 25470 25471 Incomplete null pointer check (introduced: Postfix 2.10) 25472 after truncated HaProxy version 1 handshake message. Found 25473 by Coverity, reported by Jaroslav Skarvada. Fix by Viktor 25474 Dukhovni. File: global/haproxy_srvr.c. 25475 2547620210404 25477 25478 Unbroke a ton of regression tests after DNS-related changes. 25479 2548020210406 25481 25482 More specific warnings for incorrect net/mask syntax. Files: 25483 util/cidr_match.c, util/dict_cidr.ref. 25484 2548520210410 25486 25487 Documentation: updated containerization suggestions in 25488 the postfix(1) manpage. File: postfix/postfix.c. 25489 25490 Documentation: added text and ASCII art to illustrate how 25491 tlsproxy(8) is used for outbound SMTP connection caching 25492 and for inbound postscreen(8) TLS support. File: 25493 proto/OVERVIEW.html. 25494 25495 Documentation: added text and ASCII art to illustrate how 25496 postlogd(8) provides an alternative to syslog logging. 25497 File: proto/OVERVIEW.html. 25498 2549920210411 25500 25501 Updated the missing null pointer check (introduced: Postfix 25502 alpha) after null argv[0] value. File: global/mail_task.c. 25503 25504 Cleanup: added a test case for a missing haproxy v1 protocol 25505 type, and improved the haproxy parser error messages. File: 25506 global/haproxy_srvr.c. 25507 25508 Documentation: updated examples and TLS configuration. File 25509 proto/CONNECTION_CACHE_README.html. 25510 2551120210418 25512 25513 Bitrot: new "known_tcp_ports" configuration parameter to 25514 reduce Postfix dependency on the services(5) database. 25515 There is no agreement about the name of the port 465 service: 25516 the intersection of different systems is reportedly empty. 25517 By default, Postfix now "knows" the port numbers for SMTP 25518 services. Files: proto/postconf.proto, global/Makefile.in, 25519 global/config_known_tcp_ports.c, global/config_known_tcp_ports.h, 25520 global/config_known_tcp_ports.ref, global/mail_params.c, 25521 global/mail_params.h, global/mail_version.h, 25522 global/namadr_list.ref, master/master.c, 25523 posttls-finger/Makefile.in, posttls-finger/posttls-finger.c, 25524 smtp/Makefile.in, smtp/smtp.c, smtp/smtp_connect.c, 25525 smtpd/smtpd.c, util/Makefile.in, util/find_inet.c, 25526 util/known_tcp_ports.c, util/known_tcp_ports.h, 25527 util/known_tcp_ports.ref, util/myaddrinfo.c. 25528 2552920210419 25530 25531 Bugfix (bug introduced 20210102): panic in some postconf 25532 commands due to duplicate initialization of compatibility 25533 level comparison operators. File: global/compat_level.c. 25534 25535 Cleanup: stricter parsing of known_tcp_port settings. Files: 25536 util/argv_split_at.c, util/argv.h, global/config_known_tcp_ports.c. 25537 2553820210420 25539 25540 Documentation: typofixes by Paul Menzel. File: RELEASE_NOTES. 25541 25542 Documentation: numeric IP address examples. File: conf/master.cf. 25543 25544 Documentation: added "-Wl,-R,/path/to/directory" hints to 25545 optional build instructions. Files: proto/DB_README.html, 25546 proto/LDAP_README.html, proto/LMDB_README.html, 25547 proto/MYSQL_README.html, proto/PGSQL_README.html, 25548 proto/SASL_README.html, proto/SQLITE_README.html, 25549 proto/TLS_README.html. 25550 2555120210422 25552 25553 Cleanup: in the Postfix SMTP and LMTP client, prepend Return-Path 25554 and other headers in the same order as in other Postfix delivery 25555 agents. Adi Prasaja. File: smtp/smtp_proto.c. 25556 2555720210428 25558 25559 Documentation: update by Paul Menzel. File: proto/SASL_README.html. 25560 2556120210529 25562 25563 Cleanup: simplified master.cf stanzas for the submission 25564 and submissions (formerly: smtps) services, to avoid 25565 surprising warnings for undefined mua_smtpd_xxx_restrictions 25566 parameters. File: conf/master.cf. 25567 25568 Bugfix (introduced: Postfix 2.11): "postmap lmdb:/file/name" 25569 handled duplicate keys ungracefully, with a dangling pointer 25570 resulting in a double free() call with lmdb versions 0.9.17 25571 and later. Reported by Adi Prasaja, root cause analysis by 25572 Howard Chu. In addition, "postmap lmdb:/file/name" forgot 25573 entries stored up to and including the duplicate key. File: 25574 util/slmdb.c. 25575 2557620210605 25577 25578 Fixed a few more potential dangling pointer cases in the 25579 LMDB client, future-proofing code paths that sofar aren't 25580 used. File: util/slmdb.c. 25581 25582 Added LMDB integration tests using the postmmap command. 25583 Files: postmap/Makefile.in, postmap/lmdb_abb, postmap/lmdb_abb.ref. 25584 25585 Cleanup: reset errno in the fail: database methods for 25586 consistent error messages. File: util/dict_fail.c. 25587 25588 Cleanup: new vstream_control() option to give a memory stream 25589 ownership of the underlying VSTRING. This simplifies resource 25590 management for read-only streams. Files: util/vstream.[hc]. 25591 25592 Cleanup: extpar() returns an error in case of a missing 25593 initial '{', instead of aborting. This simplifies the 25594 implementation of some callers. File: util/extpar.c. 25595 25596 Feature: inline pcre, regexp, and cidr table definition in main.cf 25597 or master.cf, to improve their usability in matchlists. Files: 25598 util/dict_stream.c, util/dict.h, util/dict_pcre.c, 25599 util/dict_regexp.c, util/dict_cidr.c, and test files. 25600 25601 The smtpd_forbidden_commands default setting now also inludes 25602 a regular expression regexp:{{/^[^A-Z]/ Bogus}} for bogus inputs. 25603 File: global/mail_params.h. 25604 2560520210606 25606 25607 Cleanup: "Postfix is running with backwards-compatible..." 25608 did not make sense when Postfix is down. File: postfix/postfix.c. 25609 25610 Cleanup: the postscreen BDAT handler now replies with "need 25611 MAIL command" when the client did not provide a sender address. 25612 File: postscreen/postscreen_smtpd.c. 25613 25614 Typo: silent_discard should be silent-discard. File: 25615 proto/BDAT_README.html. 25616 2561720210610 25618 25619 Cleanup: escape non-printable characters in non-SMTP commands, 25620 instead of replacing them with '?'. File: smtpd/smtpd.c. 25621 25622 Misc typofixes by Viktor Dukhovni. Files: conf/master.cf, 25623 proto/regexp_table, proto/cidr_table. 25624 25625 Cleanup: simplify the LMDB error recovery code. File: 25626 util/slmdb.c. 25627 2562820210615 25629 25630 Bugfix (introduced: Postfix 3.4): the texthash: map 25631 implementation did not support "postmap -F" behavior. 25632 Reported by Christopher Gurnee, who also found the missing 25633 code in the postmap source. File: util/dict_thash.c. 25634 25635 Cleanup: documentation for the postmap -F option. File: 25636 postmap/postmap.c. 25637 25638 Cleanup: simplify the LMDB error recovery code. File: 25639 util/slmdb.c. 25640 2564120210623 25642 25643 Cleanup: the known_tcp_ports parameter was not hyperlinked. 25644 File: mantools/postlink. 25645 25646 Bugfix: some strtou?l() calls had no 'errno=0' statement 25647 before the call. Fixed with strtou?l() wrapper functions 25648 that reset errno before calling strtou?l(), and calling 25649 these from code that did not explicitly reset errno. Other 25650 strtou?l() can be migrated later. Problem reported by David 25651 Bohman. Files: util/sane_strtol.[hc], global/compat_level.c, 25652 postscreen/postscreen_tests.c, util/mac_expand.c. 25653 2565420210705 25655 25656 Bugfix (introduced: Postfix 3.3): "null pointer read" error 25657 in the cleanup daemon when "header_from_format = standard" 25658 (the default as of Postfix 3.3) and email was submitted 25659 with /usr/sbin/sendmail without From: header, and an all-space 25660 full name was specified in 1) the password file, 2) with 25661 "sendmail -F", or 3) with the NAME environment variable. 25662 Found by Renaud Metrich. File: cleanup/cleanup_message.c. 25663 2566420210708 25665 25666 Bugfix (introduced: 1999): the Postfix SMTP server was 25667 sending all session transcripts to the error_notice_recipient, 25668 instead of sending transcripts of bounced mail to the 25669 bounce_notice_recipient. Reported by Hans van Zijst. File: 25670 smtpd/smtpd_chat.c. 25671 2567220210713 25673 25674 Bugfix (introduced: Postfix 2.4): false "too many reverse 25675 jump" warnings in the showq daemon. The loop detection code 25676 was comparing memory addresses instead of queue file names. 25677 It now properly compares strings. Reported by Mehmet Avcioglu. 25678 File: global/record.c. 25679 2568020210724 25681 25682 Cleanup: missing const in the 20210713 bugfix. File: 25683 global/record.c. 25684 2568520210728 25686 25687 Bitrot: GLIBC 2.34 has closefrom(), and of course their 25688 interface is different. File: util/sys_defs.h. 25689 2569020210804 25691 25692 Cleanup: replace ad-hoc object-to-VSTRING serialization with 25693 attr_print*() based serialization. Files: tls/tls_proxy.h, 25694 tls/tls_proxy_client_misc.c, tlsproxy.c/tlsproxy.c. 25695 25696 Cleanup: left-over code from a DANE on/off workaround. File: 25697 tlsproxy.c/tlsproxy.c. 25698 2569920210806 25700 25701 Constified the object argument of functions that write objects 25702 to VSTREAM. Files: global/bounce.c, global/defer.c, 25703 global/deliver_pass.c, global/deliver_request.c, 25704 global/dsn_print.c, global/dsn_print.h, 25705 global/msg_stats.h, global/msg_stats_print.c, 25706 global/rcpt_print.c, global/rcpt_print.h, global/trace.c, 25707 milter/milter8.c, milter/milter.c, milter/milter.h, 25708 milter/milter_macros.c, oqmgr/qmgr_deliver.c, 25709 qmgr/qmgr_deliver.c, tls/tls_proxy_client_misc.c, 25710 tls/tls_proxy_client_print.c, tls/tls_proxy_context_print.c, 25711 tls/tls_proxy.h, tls/tls_proxy_server_print.c, util/argv_attr.h, 25712 util/argv_attr_print.c, util/attr.h. 25713 2571420210810 25715 25716 Pedantism: the Postfix SMTP server now replies with status 25717 500 when a command is not recogized (status 502 is applicable 25718 when a command is recognized but not implemented). File: 25719 smtpd/smtpd.c. 25720 25721 Wordsmithing: in inet_connect() replaced "host/service xxx/yyy 25722 not found" with "host or service xxx:yyy not found". The former 25723 suggests UNIX-domain pathname syntax which is confusing. File: 25724 until/inet_connect.c. 25725 2572620210815 25727 25728 To make the maillog_file feature more useful, the postlog(1) 25729 command is now set-gid postdrop, so that unprivileged 25730 programs can write logging through the postlogd(8) daemon. 25731 Adopted some code from postqueue(1) and postdrop(1) to 25732 harden postlog(1) against privilege escalation attacks. 25733 Files: postlog/postlog.c, conf/postfix-files. 25734 25735 Hardening: specify smtpd_per_request_deadline=yes to limit 25736 the combined amount of time to receive a complete SMTP 25737 request and to send a complete SMTP response. Specify 25738 smtpd_min_data_rate to enforce a minimum data rate during 25739 DATA and BDAT. This replaces smtpd_per_record_deadline; the 25740 new smtpd_per_request_deadline parameter has a backwards- 25741 compatible default value. 25742 25743 Hardening: specify {smtp,lmtp}_per_request_deadline=yes to 25744 limit the combined amount of time to send a complete SMTP 25745 request and to receive a complete SMTP response. Specify 25746 {smtp,lmtp}_min_data_rate to enforce a minimum data rate 25747 during DATA. This replaces {smtp,lmtp}_per_record_deadline. 25748 The new {smtp,lmtp}_per_request_deadline parameters have a 25749 backwards-compatible default value. 25750 25751 Minor text and code cleanups. File: postlog/postlog.c. 25752 2575320210925 25754 25755 Prevent sharing of xxx_tls_session_cache_database instances 25756 between different Postfix instances when a database is 25757 not multi-writer safe. Like postscreen(8) and verify(8), 25758 open such a database with a permanent lock, and raise 25759 a fatal error when that database is already opened as 25760 xxx_tls_session_cache_database. File: src/tls/tls_scache.c. 25761 25762 Bugfix (bug introduced: Postfix 2.10): postconf -x produced 25763 incorrect output, because different functions were implicitly 25764 sharing a buffer for intermediate results. Reported by raf, root 25765 cause analysis by Viktor Dukhovni, and Wietse eliminated the 25766 underlying anti-pattern. Files: postconf/postconf_builtin.c, 25767 postconf/postconf_dbms.c, postconf/postconf_lookup.c, 25768 postconf/postconf_main.c, postconf/postconf_master.c. 25769 25770 Documentation: missing lmtp_tls_wrappermode parameter 25771 documentation. Viktor Dukhovni. Files: mantools/postlink, 25772 proto/postconf.proto. 25773 2577420210926 25775 25776 OpenSSL 3.0.0 feature and bitrot updates. Viktor Dukhovni. 25777 Files: proto/FORWARD_SECRECY_README.html, proto/postconf.proto, 25778 tls/tls_client.c, tls/tls_dh.c, tls/tls.h, tls/tls_misc.c, 25779 tls/tls_server.c/^+ 25780 25781 Cleanup: don't hyperlink text that is already hyperlinked. 25782 File: mantools/postlink. 25783 2578420211002 25785 25786 Bugfix (introduced: Postfix 3.3): the header_from_format 25787 feature was not implemented for From: headers from the 25788 bounce daemon, and for Postfix SMTP server and client 25789 postmaster notifications. Reported by Vladimir Mishonov. 25790 Files: bounce/bounce.c, bounce/bounce_notify_util_tester.c, 25791 bounce/bounce_service.h, bounce/bounce_template.c, 25792 bounce/bounce_template.h, bounce/bounce_templates.c, 25793 cleanup/cleanup.h, cleanup/cleanup_init.c, 25794 cleanup/cleanup_message.c, smtp/lmtp_params.c, smtp/smtp.c, 25795 smtp/smtp.h, smtp/smtp_chat.c, smtp/smtp_params.c, 25796 smtpd/smtpd.c, smtpd/smtpd.h, smtpd/smtpd_chat.c, and test 25797 data. 25798 2579920211006 25800 25801 Documentation: http://tools.ietf.org/html/rfc[0-9]+ sometimes 25802 does not redirect to the https site. Max-Julian Pogner. 25803 Fixed by updating mantools/postlink and rebuilding the HTML 25804 files that reference RFCs. 25805 2580620211016 25807 25808 Documentation: clarified the difference between private and 25809 public services in master.cf. File: proto/master. 25810 2581120211022 25812 25813 Bugfix (introduced: Postfix 3.6): the known_tcp_ports setting 25814 had no effect. Reported by Peter. The feature wasn't fully 25815 implemented. Files: config_known_tcp_ports.c, mail_params.c, 25816 posttls-finger/posttls-finger.c, smtp/smtp_connect.c, 25817 util/find_inet.c, util/myaddrinfo.c. 25818 2581920211023 25820 25821 Documentation: fixed a jq example in the postsuper manpage, to 25822 delete the quotes around a queue ID. File: postsuper/postsuper.c. 25823 25824 Cleanup: with "smtputf8_enable = yes" (the default), the 25825 postscreen(8) dummy SMTP engine will no longer log a "non-UTF-8 25826 key" warning when a remote SMTP client sends garbage. Instead, 25827 postscreen(8) will reject the command with the same server 25828 response as smtpd(8). File: postscreen/postscreen_smtpd.c. 25829 2583020211025 25831 25832 Bugfix (introduced: Postfix 3.6): mangled warning where a 25833 hostname and warning message ran together. Viktor Dukhovni. 25834 File: tls/tls_dane.c. 25835 2583620211026 25837 25838 Feature: with "smtp_bind_address_enforce = yes" the Postfix 25839 SMTP client will defer delivery when it is unable to apply 25840 the smtp_bind_address or smtp_bind_address6 setting. By 25841 default, the Postfix SMTP client continues with delivery, 25842 after logging a warning. File: src/smtp/smtp_connect.c. 25843 2584420211027 25845 25846 Documentation: readability fix for the text about automatic 25847 or explicit daemon restart (postfix reload) after LMDB table 25848 change. raj. File: proto/lmdb_table. 25849 25850 Safety: the postqueue command now sanitizes strings before they 25851 are formatted as json output or legacy output. These outputs are 25852 piped into other programs that are run by administrative 25853 users. This closes a hypothetical opportunity for privilege 25854 escalation. Files: util/attr.h, util/attr_scan*.c, 25855 postqueue/showq_json.c, postqueue/showq_compat.c. 25856 2585720211030 25858 25859 Bugfix: check_ccert_access worked as expected, but produced 25860 a spurious warning when Postfix was built without SASL 25861 support. Fix by Brad Barden. File: smtpd/smtpd_check.c. 25862 2586320211102 25864 25865 Bugfix for smtp_bind_address_enforce (change 20211026), file 25866 descriptor leak. Found by Viktor. File: smtp/smtp_connect.c. 25867 2586820211105 25869 25870 Bugfix (introduced: Postfix 2.4): queue file corruption 25871 after a Milter (for example, MIMEDefang) made a request to 25872 replace the message body with a copy of that message body 25873 plus additional text (for example, a SpamAssassin report). 25874 25875 The most likely impacts were a) the queue manager reporting 25876 a fatal error resulting in email delivery delays, or b) the 25877 queue manager reporting the corruption and moving the message 25878 to the corrupt queue for damaged messages. 25879 25880 However, a determined adversary could craft an email message 25881 that would trigger the bug, and insert a content filter 25882 destination or a redirect email address into its queue file. 25883 Postfix would then deliver the message headers there, in 25884 most cases without delivering the message body. With enough 25885 experimentation, an attacker could make Postfix deliver 25886 both the message headers and body. 25887 25888 The details of a successful attack depend on the Milter 25889 implementation, and on the Postfix and Milter configuration 25890 details; these can be determined remotely through 25891 experimentation. Failed experiments may be detected when 25892 the queue manager terminates with a fatal error, or when 25893 the queue manager moves damaged files to the "corrupt" queue 25894 as evidence. 25895 25896 Technical details: when Postfix executes a "replace body" 25897 Milter request it will reuse queue file storage that was 25898 used by the existing email message body. If the new body 25899 is larger, Postfix will append body content to the end of 25900 the queue file. The corruption happened when a Milter (for 25901 example, MIMEDefang) made a request to replace the body of 25902 a message with a new body that contained a copy of the 25903 original body plus some new text, and the original body 25904 contained a line longer than $line_length_limit bytes (for 25905 example, an image encoded in base64 without hard or soft 25906 line breaks). In queue files, Postfix stores a long text 25907 line as multiple records with up to $line_length_limit bytes 25908 each. Unfortunately, Postfix's "replace body" support did 25909 not account for the additional queue file space needed to 25910 store the second etc. record headers. And thus, the last 25911 record(s) of a long text line could overwrite one or more 25912 queue file records immediately after the space that was 25913 previously occupied by the original message body. 25914 25915 Problem report by Benoît Panizzon. 25916 2591720211107 25918 25919 Additional postcat flags for debuging a corrupted queue 25920 file (-s: skip to offset; -r: don't follow pointer records). 25921 File: postcat/postcat.c. 25922 2592320211110 25924 25925 Minor edits of 20211107 postcat changes. File: postcat.c. 25926 25927 Regression prevention: added sanity check in the queue file 25928 editing code. File: cleanup/cleanup_body_edit.c 25929 25930 Regression prevention: copied a queue file record typecheck 25931 from the pickup daemon. Files: *qmgr/qmgr_message.c. 25932 2593320211115 25934 25935 Bugfix (introduced: 20210708): duplicate bounce_notice_recipient 25936 entries in postconf output. The fix to send SMTP session 25937 transcripts to bounce_notice_recipient was incomplete. 25938 Reported by Vincent Lefevre. File: smtpd/smtpd.c. 25939 2594020211127 25941 25942 Feature: support for the pcre2 library (the legacy pcre 25943 library is still supported). See RELEASE_NOTES for details. 25944 Files: makedefs, util/dict_open.c, util.dict_pcre.c, 25945 proto/pcre_table, proto/PCRE_README.html. 25946 2594720211129 25948 25949 Portability: defines for FreeBSD <= 14.x, OpenBSD 7.x, NetBSD <= 25950 10.x. Brad Smith. Files: makedefs, util/sys_defs.h. 25951 2595220211202 25953 25954 Cleanup: warning messages when a Diffie-Hellman parameter 25955 file cannot be opened or parsed. Viktor Dukhovni. File: 25956 tls/tls_dh.c. 25957 2595820211204 25959 25960 Cleanup: parameter descriptions in manpages were frozen in the 25961 past. Files: proto/aliases, src/local/local.c, src/pipe/pipe.c, 25962 src/qmqpd/qmqpd.c, src/trivial-rewrite/trivial-rewrite.c. 25963 25964 Documentation: added a "howto tip" to the stock main.cf 25965 file. File: conf/main.cf 25966 2596720211211 25968 25969 Logging: the Postfix SMTP client logs an info message when it 25970 breaks a long line with "<CR><LF><SP>". 25971 2597220211216 25973 25974 Bugfix (introduced: Postfix 3.0): the proxymap daemon did not 25975 automatically authorize proxied maps inside pipemap (example: 25976 pipemap:{proxy:maptype:mapname, ...}) or inside unionmap. Problem 25977 reported by Mirko Vogt. Files: proxymap/proxymap.c. 25978 2597920211218 25980 25981 Typo fixes based on automated scans of C source code comments. 25982 Verified that the .o files have not changed. Files: 25983 bounce/bounce_notify_util.c, cleanup/cleanup_api.c, 25984 cleanup/cleanup_message.c, dns/dns_lookup.c, flush/flush.c, 25985 global/compat_level.c, global/db_common.c, 25986 global/deliver_request.c, global/dict_ldap.c, global/dict_sqlite.c, 25987 global/dynamicmaps.c, global/mail_conf_time.c, global/mail_copy.c, 25988 global/mail_params.h, global/mail_proto.h, global/memcache_proto.c, 25989 global/normalize_mailhost_addr.c, global/quote_822_local.c, 25990 global/test_main.c, global/verify.c, global/verify_sender_addr.c, 25991 local/unknown.c, master/dgram_server.c, master/event_server.c, 25992 master/multi_server.c, master/single_server.c, 25993 master/trigger_server.c, oqmgr/qmgr_entry.c, 25994 postconf/postconf_dbms.c, postconf/postconf_master.c, 25995 postconf/postconf_user.c, postdrop/postdrop.c, postmap/postmap.c, 25996 postmulti/postmulti.c, postqueue/showq_compat.c, 25997 postscreen/postscreen_smtpd.c, postscreen/postscreen_starttls.c, 25998 posttls-finger/posttls-finger.c, proxymap/proxymap.c, 25999 qmgr/qmgr_entry.c, qmqpd/qmqpd_peer.c, smtp/smtp.h, 26000 smtp/smtp_proto.c, smtpd/smtpd_check.c, smtpd/smtpd_peer.c, 26001 tls/tls_certkey.c, tls/tls_client.c, tls/tls_fprint.c, 26002 tls/tls_misc.c, tls/tls_server.c, tlsmgr/tlsmgr.c, 26003 tlsproxy/tlsproxy.c, trivial-rewrite/resolve.c, 26004 trivial-rewrite/transport.c, trivial-rewrite/trivial-rewrite.c, 26005 util/argv.c, util/dict_cache.c, util/dict_cdb.c, util/dict_file.c, 26006 util/dict_random.c, util/dict_random.h, util/dict_thash.c, 26007 util/dup2_pass_on_exec.c, util/edit_file.c, util/extpar.c, 26008 util/gccw.c, util/mac_expand.c, util/mac_expand.h, 26009 util/myaddrinfo.c, util/name_mask.c, util/sane_link.c, 26010 util/sane_rename.c, util/unix_dgram_connect.c, 26011 util/unix_dgram_listen.c, util/unix_pass_fd_fix.c, 26012 util/vstring.c, xsasl/xsasl_dovecot_server.c. 26013 26014 Typo fixes based on automated scans of other files. Files: 26015 auxiliary/qshape/qshape.pl, conf/post-install, 26016 conf/postmulti-script, makedefs, postfix-install, 26017 proto/postconf.proto, TLS_ACKNOWLEDGEMENTS, TLS_CHANGES. 26018 26019 Documentation: added a note to the cidr_table manpage that 26020 with an inline CIDR map, "$" needs to be specified as "$$" 26021 to avoid $name expansion surprises. File: proto/cidr_table. 26022 2602320211220 26024 26025 Bugfix (introduced: Postfix 2.5): off-by-one error while 26026 writing a string terminator. This code had passed all memory 26027 corruption tests, presumably because it wrote over an 26028 alignment padding byte, or over an adjacent character byte 26029 that was never read. Reported by Robert Siemer. Files: 26030 *qmgr/qmgr_feedback.c. 26031 26032 Typo fixes from Raf, based on manual inspection. Verified 26033 that the .o files have not changed. Files: conf/main.cf, 26034 mantools/postlink, proto/ADDRESS_REWRITING_README.html, 26035 proto/BACKSCATTER_README.html, 26036 proto/BASIC_CONFIGURATION_README.html, proto/BDAT_README.html, 26037 proto/BUILTIN_FILTER_README.html, proto/COMPATIBILITY_README.html, 26038 proto/CONNECTION_CACHE_README.html, proto/DATABASE_README.html, 26039 proto/DEBUG_README.html, proto/FORWARD_SECRECY_README.html, 26040 proto/INSTALL.html, proto/IPV6_README.html, proto/LDAP_README.html, 26041 proto/LINUX_README.html, proto/MAILLOG_README.html, 26042 proto/MILTER_README.html, proto/MULTI_INSTANCE_README.html, 26043 proto/MYSQL_README.html, proto/POSTSCREEN_3_5_README.html, 26044 proto/POSTSCREEN_README.html, proto/QSHAPE_README.html, 26045 proto/SASL_README.html, proto/SCHEDULER_README.html, 26046 proto/SMTPD_ACCESS_README.html, proto/SMTPD_POLICY_README.html, 26047 proto/SMTPD_PROXY_README.html, proto/SMTPUTF8_README.html, 26048 proto/SQLITE_README.html, proto/STANDARD_CONFIGURATION_README.html, 26049 proto/STRESS_README.html, proto/TLS_LEGACY_README.html, 26050 proto/TLS_README.html, proto/TUNING_README.html, 26051 proto/VIRTUAL_README.html, proto/access, proto/canonical, 26052 proto/generic, proto/ldap_table, proto/master, proto/mysql_table, 26053 proto/pgsql_table, proto/postconf.proto, proto/relocated, 26054 proto/sqlite_table, proto/transport, proto/virtual, 26055 global/mail_version.h, local/local.c, pipe/pipe.c, 26056 postalias/postalias.c, postconf/postconf.c, postfix/postfix.c, 26057 postmap/postmap.c, postmulti/postmulti.c, 26058 posttls-finger/posttls-finger.c, sendmail/sendmail.c, 26059 smtpstone/smtp-sink.c, tlsproxy/tlsproxy.c, 26060 trivial-rewrite/trivial-rewrite.c, virtual/virtual.c. 26061 2606220211221 26063 26064 Documentation: reverted some postconf(5) changes from 26065 "Specify a non-zero time value" to "Specify a non-negative 26066 time value". File: proto/postconf.proto. 26067 26068 Documentation: reverted "destination concurrency limit" to 26069 "destination recipient limit". File: proto/SCHEDULER_README.html. 26070 26071 Documentation: rephrased conditional $name expositions for 26072 forward_path and command_execution_directory. File: 26073 local/local.c. 26074 26075 Documentation: added Postfix 3.0 syntax to postconf(5) 26076 descriptions of command_execution_directory, default_rbl_reply, 26077 forward_path, luser_relay, recipient_delimiter. File: 26078 proto/postconf.proto. 26079 26080 Documentation: updated descriptions of smtpd_error_sleep_time 26081 and smtpd_soft_error_limit. File: proto/postconf.proto. 26082 26083 Fixed non-UTF8 quotes in TLS_CHANGES that caused nvi to 26084 truncate the file. 26085 26086 Fixed a remaining typo in util/load_lib.c. 26087 2608820211222 26089 26090 Added a top-level 'make typo-check' target to automate 26091 the typo checks (this only works on Wietse's development 26092 system, because it depends on specific implementations of 26093 spell and lynx). Files: Makefile.in, mantools/comment.c, 26094 mantools/deroff, mantools/check-double-cc, 26095 mantools/check-double-install-proto-text, 26096 mantools/check-double-proto-html, mantools/check-spell-cc, 26097 mantools/check-spell-install-proto-text, 26098 mantools/check-spell-proto-html, proto/stop, proto/stop.double-cc, 26099 proto/stop.double-install-proto-text, proto/stop.double-proto-html, 26100 proto/stop.spell-cc, proto/stop.spell-proto-html. 26101 26102 Cleanup: manpages don't need \' - that causes groff to emit 26103 non-ASCII text (depending on the locale). Christian Goettsche. 26104 Files: sendmail/sendmail.c, spawn/spawn.c. 26105 2610620211223 26107 26108 Report unsupported usage. Do not link Postfix database 26109 plugins against libpostfix-util or libpostfix-global. This 26110 introduces false build dependencies. File: makedefs. 26111 26112 Report unsupported usage. Do not build with LD_LIBRARY_PATH. 26113 File: makedefs. 26114 26115 Documented the implementation-dependent mailbox_size_limit 26116 and message_size_limit maximal values. File: proto/postconf.proto. 26117 26118 Cleanup: make typo-check tests portable across differernt 26119 spellcheck implementations. Files: proto/stop.spell-proto-html, 26120 proto/stop.spell-cc. 26121 26122 Cleanup: added missing parameters to the mantools/postlink 26123 script, based on output from the mantools/check-postlink 26124 script. 26125 26126 Cleanup: added missing _maps parameter names to the 26127 proxy_read_maps default value, based on output from the 26128 mantools/missing-proxy-read-maps script. File: 26129 global/mail_params.h. 26130 26131 Sanity: added LANG=C to the typo-check scripts to get 26132 consistent output. Files: mantools/check-spell-proto-html, 26133 mantools/check-spell-install-proto-text, mantools/check-spell-cc, 26134 mantools/check-double-proto-html, 26135 mantools/check-double-install-proto-text, mantools/check-double-cc. 26136 2613720211224 26138 26139 Cleanup: some compilter complains about indentation in a 26140 multiline macro. File: util/dict_db.c. 26141 2614220211231 26143 26144 Cleanup: informative error message after failure to connect 26145 to 'dovecot' socket. File: src/xsasl/xsasl_dovecot_server.c. 26146 2614720220101 26148 26149 Cleanup: AppArmor may return EPERM for permission errors. 26150 This could result in a false "mail system is down" error 26151 message from the postqueue command. File: postqueue/postqueue.c. 26152 26153202220102 26154 26155 Cleanup: log the reason why the postqueue command thinks 26156 that the mail system is down, in case some security software 26157 or kernel bug emits a weird error. File: postqueue/postqueue.c. 26158 26159 Robustness: randomize the initial state of Postfix in-memory 26160 hash tables, to defend against collision attacks involving 26161 a large number of attacker-chosen lookup keys. Presently, 26162 the only known opportunity for such attacks involves remote 26163 SMTP client IPv6 addresses in the anvil service. Other 26164 tables with attacker-chosen lookup keys are limited in size. 26165 The fix is cheap, and therefore implemented for all Postfix 26166 in-memory hash tables. Problem reported by Pascal Junod. 26167 File: util/htable.c. 26168 2616920210103 26170 26171 Documentation: CIDR example for mynetworks. Scott Kitterman. 26172 File: proto/postconf.proto. 26173 26174 Updated the hash function to make the distance between 26175 colliding inputs seed-dependent, which is really the only 26176 property that we needed. File: util/htable.c. 26177 2617820210105 26179 26180 Cleanup: deleting the \ before \' broke other things. Now 26181 we need to escape \ at the start of an nroff input line. 26182 Files: mantools/postconf2man, mantools/srctoman. 26183 2618420220107 26185 26186 Updated the hash function to avoid losing state when an 26187 input byte is 0 (can never happen with a null-terminated 26188 string, but makes the hash function usable in other contexts. 26189 File: util/htable.c. 26190 2619120220116 26192 26193 Added more pre-release checks: missing postlink rules, 26194 missing maps in proxy_read_maps. File: Makefile.in. 26195 2619620220117 26197 26198 Cleanup: the nullmx_reject_code parameter was removed from 26199 Postfix 3.0 before it was released, but the manpage was not 26200 updated. File: proto/postconf.proto. 26201 26202 Cleanup: after seeking past the end of a writable memory-backed 26203 VSTREAM (i.e. backed by a VSTRING), write nulls over the 26204 newly allocated bytes. This behavior is compatible with 26205 seeking past the end of a writable regular file. File: 26206 util/vstream.c. 26207 26208 Cleanup: unit tests. File: cleanup/cleanup_milter.c. 26209 26210 Cleamup: disable hash-table seed in unit tests. Many 26211 Makefiles, some unit test 'reference' files. 26212 26213 Bugfix (documented but not implemented since Postfix 2.2): 26214 missing support for [address] in smtp_bind_address and 26215 smtp_bind_address6. Reported by Vincent Pelletier. File: 26216 smtp/smtp_connect.c. 26217 2621820220119 26219 26220 Cleanup: the 20211211 change could result in logfile spam. 26221 Added a 1-bit counter to log "breaking long line" only once per 26222 delivery request. File: smtp/smtp_proto.c. 26223 2622420220121 26225 26226 Cleanup: added a pre-release check for missing entries 26227 in postfix-files. Problem reported by Jaroslav Skarvada. 26228 Files: Makefile.in, conf/postfix-files, 26229 mantools/check-postfix-files. Deleted: CYRUS_README. 26230 26231 Cleanup: added the RELEASE_NOTES file to the pre-release 26232 checks, after Viktor Dukhovni reported a typo. Files: 26233 mantools/check-double-install-proto-text, 26234 mantools/check-spell-install-proto-text. 26235 26236 Cleanup: for consistent parameter naming (tlsproxy_client_xxx 26237 correspnds to smtp_tls_xxx), renamed tlsproxy_client_level 26238 to tlsproxy_client_security_level, and tlsproxy_client_policy 26239 to tlsproxy_client_policy_maps, with backwards-compatible 26240 defaults and updated documentation. Problem reported by 26241 Raf. Files: global/mail_params.h, mantools/postlink, 26242 postconf/postconf_builtin.c. 26243 2624420220123 26245 26246 Documentation: added LINUX_README sections for logging in 26247 a container, and for systemd logging workarounds. File: 26248 proto/LINUX_README.hmtl. 26249 2625020220126 26251 26252 Added defensive logging while waiting for the master daemon 26253 to initialize in the background. File: master/master_monitor.c. 26254 2625520220127 26256 26257 Cleanup: smtpprox hyperlink. File: proto/FILTER_README.html. 26258 2625920220128 26260 26261 Clenaup: standardize on FNV hash, after having verified 26262 that collisions will change with the hash seed value, and 26263 that the collision rate is low. Files: util/htable.c, 26264 util/hash_fnv.[hc]. 26265 2626620220129 26267 26268 Cleanup: factored out the non-cryptographic seeder. Files: 26269 ldseed.[hc]. 26270 2627120220130 26272 26273 Cleanup: added a binhash unit test, and updated the htable 26274 unit test. Files: util/Makefile.in, util/binhash.[hc], 26275 util/htable.c. 26276 26277 Cleanup: names of hash_fnv(3) build options. File: hash:fnv.c. 26278 2627920220202 26280 26281 Bitrot: Berkeley DB 18 is like Berkeley DB 6. Yasuhiro 26282 Kimura. File: util/dict_db.c. 26283 2628420220217 26285 26286 Typo (introduced: Postfix.3.7): "pcre2 --libs" should be 26287 "pcre2 --libs8". Reported by Carlos Velasco. File 26288 proto/PCRE_README.html. 26289 2629020220322 26291 26292 Cleanup: added missing _checks, _reply_footer, _reply_filter, 26293 _command_filter, and _delivery_status_filter parameter names 26294 to the proxy_read_maps default value. Files: global/mail_params.h, 26295 mantools/missing-proxy-read-maps. 26296 2629720220330 26298 26299 Documentation: updated the postlogd(8) daemon manpage, 26300 adding that the Postfix >= 3.7 postlog(1) command can run 26301 with setgid permissions. File: postlogd/postlogd.c. 26302 2630320220404 26304 26305 Bugfix: in an internal client module, "host or service not 26306 found" was a fatal error, causing the milter_default_action 26307 setting to be ignored. It is now a non-fatal error. The 26308 same client is used by many Postfix clients (smtpd_proxy, 26309 dovecot auth, tcp_table, memcache, socketmap, and so on). 26310 Problem reported by Christian Degenkolb. File: util/inet_connect.c. 26311 2631220220415 26313 26314 Cleanup (problem introduced: Postfix 3.0): with dynamic map 26315 loading enabled, an attempt to create a map with "postmap 26316 regexp:path" would result in a bogus error message "Is the 26317 postfix-regexp package installed?" instead of "unsupported 26318 map type for this operation". This happened with all built-in 26319 map types (static, cidr, etc.) that have no 'bulk create' 26320 support. Problem reported by Greg Klanderman. File: 26321 global/dynamicmaps.c. 26322 2632320220417 26324 26325 Cleanup (problem introduced: Postfix 2.7): milter_header_checks 26326 maps are now opened before the cleanup server enters the 26327 chroot jail. Problem reported by Jesper Dybdal. Files: 26328 cleanup/cleanup.h, cleanup/cleanup_init.c, 26329 cleanup/cleanup_milter.c, cleanup/cleanup_state.c. 26330 2633120220421 26332 26333 Bugfix (introduced: Postfix 3.7): reverted an overly complex 26334 change in the postscreen SMTP engine from 20211023, and 26335 replaced it with a much simpler change. The bad change was 26336 segfaulting on some systems after receiving malformed input 26337 (for example, TLS "hello"). File: postscreen/postscreen_smtpd.c. 26338 26339 Under conditions described below, the postscreen program 26340 attempted to read through an uninitialized 'const' pointer. 26341 The pointer value depended on the compiler type and compiler 26342 options, but crucially, it did not depend on network inputs. 26343 26344 The conditions were that SMTPUTF8 support was enabled (the 26345 default), and that postscreen received non-UTF8 input, for 26346 example, a TLS or RDP handshake request. Depending on 26347 compiler details, the result of the read operation could 26348 be uninteresting, a combined memory leak and file handle 26349 leak, or a segmentation violation (signal 11). 26350 26351 The segmentation violation result was reported by Michael 26352 Grimm who used a FreeBSD 13.1 early version. The result was 26353 "uninteresting" with FreeBSD 13.0. Both FreeBSD systems use 26354 Clang instead of GCC. The result was also "uninteresting" 26355 on Linux-based systems that use GCC, or on a few older 26356 systems that use GCC. 26357 2635820220719 26359 26360 Cleanup: Postfix 3.5.0 introduced debug logging noise in 26361 map_search_create(). Files: global/map_search.c. 26362 2636320220724 26364 26365 Workaround: in a TLS server disable Postfix's 1-element 26366 internal session cache, to work around an OpenSSL 3.0 26367 regression that broke TLS handshakes. It is rarely useful. 26368 Report by Spil Oss, fix by Viktor Dukhovni. File: 26369 tls/tls_server.c. 26370 2637120220905 26372 26373 Cleanup: Postfix 3.3.0 introduced an uninitialized 26374 verify_append() request status in case of a null original 26375 recipient address. File: global/verify.c. 26376 2637720220906 26378 26379 Cleanup: Postfix 3.7.1 introduced a missing msg_panic() 26380 argument (in code that never executes). File: 26381 cleanup/cleanup_milter.c. 26382 2638320221006 26384 26385 Bugfix (introduced: Postfix 3.7.0). A message could falsely 26386 be flagged as corrupt with "warning: Unexpected record type 26387 'X'". Such messages were moved to the "corrupt" queue directory, 26388 where they may still be found. See below for instructions to 26389 deal with these falsely flagged messages. 26390 26391 This could happen for messages with 5000 or more recipients, 26392 or with fewer recipients on a busy mail server. Problem 26393 reported by Frank Brendel, reproduced by John Alex. Files: 26394 qmgr/qmgr_message.c, oqmgr/qmgr_message.c. 26395 26396 A file in the "corrupt" queue directory may be inspected 26397 with the command "postcat /var/spool/postfix/corrupt/<filename>. 26398 If delivery of the file is still desired, the file can be 26399 moved back to /var/spool/postfix/incoming after updating 26400 Postfix and executing "postfix reload". 26401