In addition to the names listed below, the following people provided
useful inputs on many occasions: Paul D. Robertson, Simon J. Mudd.
Apologies for any names omitted.

19980105

    The compiled-in default value for resolve_smtp_sender was
    wrong (from the days that it was a boolean), causing smtpd
    to dump core when the variable was not set in main.cf.

    The INSTALL instructions now have separate sections for
    the three basic ways of running vmailer.

    The INSTALL instructions now discuss how to deal
    with chrooted processes.

    Ported to RedHat 5.0. My, these people have re-organized
    their include files quite a bit, haven't they.

19980106

    On RedHat Linux 4.2/5.0, when a FIFO listener opens the
    FIFO with mode O_RDONLY, the FIFO remains forever readable
    after the writer has closed it. Workaround: open the FIFO
    mode O_RDWR.

    Test program: util/fifo_rdonly_bug.c

    Unfortunately, the above fix triggers a bug on BSD/OS 3.1
    where opening the FIFO mode O_RDWR causes select() to claim
    that the FIFO is readable even before any data is written
    to it, causing read() to block or to fail.

    Test program: util/fifo_rdwr_bug.c

    printfck (check arguments of printf-like function calls)
    found a missing argument in local/command.c

    Miscellaneous Makefile cleanups that I didn't finish before
    the first alpha release.

19980107

    Sometimes the DNS will claim that a domain does not exist,
    when in fact it does. Thus, it is a bad idea to reject mail
    from apparently non-existent domains. I have changed the
    smtpd so that it produces a soft error response when a
    resolve_smtp_sender test fails with HOST_NOT_FOUND. Note:
    by default, this test is still disabled.

    The DB and DBM read routines will now automagically figure
    out if (key, value) pairs were written including a terminating
    null byte or not.
    The DB and DBM write routines will use this result to
    determine how to write, and will fall back to per-system
    defaults otherwise.

    Renamed the README to MUSINGS, and wrote up a README that
    reflects the current status of the software.

    Added -d (don't disconnect) and -c (show running counter)
    options to the smtp-source test program. These tools are
    great torture tests for the mail software, and for the
    system that it runs on.

    Turned down the process_limit parameter (# of parallel smtp
    clients or servers) to avoid unpleasant surprises. You can
    crank up the process_limit parameter in main.cf.

19980111

    Feature: when run by the superuser, mailq now shows the
    mail queue even when the mail system is down. To this end,
    mailq (sendmail -bp) runs the showq program directly instead
    of connecting to the UNIX-domain service socket, and drops
    privileges etc. as usual.

19980119

    Bugfix: Edwin Kremer spotted an oversight in the negated
    host matching code (for name or address patterns prefixed
    by !).

    Bugfix: upon receipt of a SIGHUP signal, the master now
    disconnects from its child processes, so that the current
    generation of child processes commits suicide, and so that
    the next generation of child processes will use the new
    configuration settings.

    Bugfix: the smtp server now skips the sender DNS domain
    lookup test for foo@[address]

    Bugfix: don't append the local domain to foo@[address]

19980120

    Bugfix: old low-priority bug in some list walk code that
    caused the master to drop core when a service was turned
    off in master.cf.

    Robustness: the mail system should be able to start up and
    to accept local postings even while the naming service is
    down. For this reason, the mail system no longer uses
    gethostbyname() to look up its own machine name.
    Sites that use short hostnames will have to specify their
    FQDN in main.cf (this will eventually be done by the system
    installation/configuration procedure). Should the config
    language support backticks so one can say `domainname`?
    What about $name stuff between the backticks?

    Security: the master now creates FIFOs and UNIX-domain
    sockets as the mail owner instead of as root, for better
    protection against subverted mail systems. chmod() is
    susceptible to race conditions. fchmod(), although safer,
    often does not work on sockets.

    Portability: anticipate that all major UNIXes will create
    UNIX-domain sockets with permissions modified by the process
    umask (required by POSIX). For this reason, we always
    chmod() UNIX-domain sockets, unless the system allows us
    to use the safer fchmod() instead.

    Portability: the semi-resident servers now properly handle
    EWOULDBLOCK returns from accept() in addition to EAGAIN
    (on some systems, EAGAIN and EWOULDBLOCK have different
    values).

    Bugfix: the semi-resident servers now properly handle EINTR
    returns from accept().

    Bugfix: Edwin Kremer found that mynetworks() would compute
    (32 - mask) instead of mask.

19980121

    Feature: /etc/vmailer/relocated is used by the local delivery
    program and specifies what mail should be bounced with a
    "user has moved to XXX" message. The main.cf configuration
    parameter is "relocated_maps". Just like the "virtual_maps"
    config parameter, this feature is off by default, and the
    parameter can have values such as "files" or "files, nis"
    (on hosts equipped with NIS).

19980123

    Cleanup: virtual domain support moved from the queue manager
    to the resolve service, where it belongs.

    Feature: /etc/vmailer/canonical is used by the rewrite
    service for all addresses, and maps a canonical address
    (user@domain) to another address.
    Typical use is to generate Firstname.Lastname@domain
    addresses, or to clean up dirty addresses from non-RFC 822
    mail systems. The main.cf configuration parameter is
    "canonical_maps". Just like the "virtual_maps" config
    parameter, this feature is off by default, and the parameter
    can have values such as "files" or "files, nis" (on hosts
    equipped with NIS).

19980124

    HPUX10 port and many little fixes from Pieter Schoenmakers.

    Bugfix: isolated an old mysterious bug that could make the
    master deaf for new connections while no child process was
    running. A typical result was that no pickup daemon would
    be started after the previous one had terminated voluntarily.

    Bugfix: the NIS lookup code did not mystrdup() the NIS map
    name and would access free()d memory.

19980125

    Bugfix: the vstream routines would sometimes ignore flushing
    errors. The error would still be reported by vstream_fclose()
    and vstream_ferror().

    Feature: time limit on delivery to shell commands. Config
    parameter: command_time_limit. Default value: 100 sec. The
    idea is to prevent one bad .forward file or alias file
    entry from slowly using up all local delivery process slots.

19980126

    Code cleanup: in preparation for SMTP extensions such as
    SIZE, allow an extended SMTP command to have a variable
    number of options.

19980127

    Bugfix: moved canonical map lookups away from the rewriting
    module to the cleanup service, so that canonical map lookups
    do not interfere with address rewriting on behalf of other
    programs. Back to an older trivial-rewrite program version.

    Bugfix: moved virtual map lookups away from the resolver
    back to the queue manager, so that virtual domain lookup
    does not interfere with address resolution on behalf of
    other programs. Back to an older qmgr program version.

19980131

    Feature: integrated and adapted Guido van Rooij's SIZE
    option (RFC 1870), carefully avoiding potential problems
    due to overflow (by multiplying large numbers) or unsigned
    underflow (by subtracting numbers).

    Code cleanup: cleaned up the code that parses the server
    response to the HELO/EHLO command, so that we can more
    reliably recognize what options a server supports.

19980201

    Portability: integrated the IRIX 6 port by Oved Ben-Aroya.

    Portability: the software now figures out by itself if a
    server should open its FIFO read-write or read-only, to
    avoid getting stuck with a FIFO that stays readable forever.

    Bugfix: the cleanup service would terminate with a fatal
    vstream_fseek() error when the queue file was too large.

    Bugfix: the cleanup service could be killed by a signal
    when the queue file became too large.

19980203

    Portability: some systems have statfs(), some have statvfs(),
    and the relevant include files are in a different place on
    almost every system.

    Portability: the makedefs script now nukes the -O compiler
    flag when building on AIX with IBM's own compiler...

19980204

    Portability: HP-UX 9.x support by Pieter Schoenmakers.

    Portability: added SYSV-style ulimit() file size limit
    support for HP-UX 9.x.

    Portability: added some #includes that appeared to be
    missing according to the Digital UNIX cc compiler.

    Bugfix: sys_defs.h now correctly specifies NIS support for
    LINUX2, HPUX9 and HPUX10.

    Security: fixed a file descriptor leak in the local delivery
    agent that could give shell commands access to the VMailer
    IPC streams. This should not cause a vulnerability, given
    the design and implementation of the mailer, but it would
    be like asking for trouble.

    Bugfix: the sendmail -B (body type) option did not take a
    value.
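
The overflow and underflow hazards named in the 19980131 SIZE entry above, shown as an added example that is not VMailer's own code. All function names, the 32-bit types, the "factor" safety margin and the sample numbers are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Verdicts for a declared SIZE value (names are this example's own). */
enum size_verdict { SIZE_OK, SIZE_BAD_SYNTAX, SIZE_OVER_LIMIT, SIZE_NO_SPACE };

/*
 * Parse the digits of "SIZE=<digits>" (RFC 1870) without strtoul():
 * strtoul() accepts leading whitespace and a sign, so "-1" would come
 * back as ULONG_MAX. Returns 0 on success, -1 on bad syntax or overflow.
 */
static int parse_size(const char *s, uint32_t *out)
{
    uint32_t val = 0;

    if (s == NULL || *s == '\0')
        return -1;
    for (; *s != '\0'; s++) {
        uint32_t digit;

        if (*s < '0' || *s > '9')
            return -1;
        digit = (uint32_t) (*s - '0');
        /* Would val * 10 + digit exceed UINT32_MAX? Decide by dividing. */
        if (val > (UINT32_MAX - digit) / 10)
            return -1;
        val = val * 10 + digit;
    }
    *out = val;
    return 0;
}

/* The hazard: unsigned arithmetic wraps silently, so this accepts anything. */
static int naive_fits(uint32_t declared, uint32_t free_blocks,
                      uint32_t block_size, uint32_t factor)
{
    uint32_t need = declared * factor;         /* overflow: may wrap        */
    uint32_t have = free_blocks * block_size;  /* overflow: may wrap        */

    return have - need > 0;                    /* underflow when need > have */
}

/* Same decision using only comparisons and divisions, which cannot wrap. */
static enum size_verdict check_size(const char *param, uint32_t msg_limit,
                                    uint32_t free_blocks, uint32_t block_size,
                                    uint32_t factor)
{
    uint32_t declared;
    uint32_t need_blocks;

    if (parse_size(param, &declared) < 0)
        return SIZE_BAD_SYNTAX;
    if (msg_limit > 0 && declared > msg_limit)
        return SIZE_OVER_LIMIT;
    if (block_size == 0 || factor == 0)
        return SIZE_NO_SPACE;                  /* fail closed on bad config */
    /* Round up to whole blocks without adding before dividing. */
    need_blocks = declared / block_size + (declared % block_size != 0);
    /* "need_blocks * factor > free_blocks", rewritten as a division. */
    if (need_blocks > free_blocks / factor)
        return SIZE_NO_SPACE;
    return SIZE_OK;
}

int main(void)
{
    /* Constructed numbers: about 4 GB free, client declares 3,000,000,000. */
    printf("naive accepts: %d\n",
           naive_fits(3000000000u, 1000000u, 4096u, 2u));
    printf("safe verdict:  %d\n",
           (int) check_size("3000000000", 0, 1000000u, 4096u, 2u));
    return 0;
}
```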

19980205

    Bugfix (SUNOS5): should not have deleted the SVID_GETTOD
    definition from util/sys_defs.h.

    Bugfix (HPUX9): forgot to specify whether to use statfs()
    or statvfs().

    Bugfix (HPUX9): don't try to raise the file size ulimit.

    Bugfix (HPUX9): must specify file size limit in 512-blocks.

19980207

    Robustness: the master process now raises the file size
    limit when it is started with a limit that is less than
    VMailer's file size limit. File: util/file_limit.c.

    Security: the dns lookup routines now screen all result
    names with valid_hostname(). Bad names are treated as
    transient errors.

    Feature: qmail compatibility: when the home_mailbox parameter
    is set, mail is delivered to ~/$home_mailbox instead of to
    /var[/spool]/mail/username. This hopefully makes it easier
    to lure people away from qmail :-)

    Robustness: several testers by accident configured relayhost
    the same as myhostname. The programs now explicitly check
    for this mistake.

    Bugfix: deliver_request_read() would free unallocated memory
    when it received an incomplete delivery request from the
    queue manager.

    Robustness: local_destination_concurrency=1 prevents parallel
    delivery to the same user (with possibly disastrous effects
    when that user has an expensive pipeline in the .forward
    or procmail config file). Each transport can have its own
    XXX_destination_concurrency parameter, to limit the number
    of simultaneous deliveries to the same destination.

19980208

    Robustness: added "slow open" mode, to gradually increase
    the number of simultaneous connections to the same site as
    long as delivery succeeds, and to gradually decrease the
    number of connections while delivery fails. Brad Knowles
    provided the inspiration to do this.

    This also solves the "thundering herd" problem (making a
    bunch of connections to a dead host when it was time to
    retry that host). Let's see when other mailers fix this.

    Feature: Added $smtpd_banner and $mail_version, for those
    who want to show the world what software version they are
    running.

    Bugfix: vmailer-script now properly labels each syslog
    entry.

19980210

    Portability: merged in NEXTSTEP 3 port from Pieter Schoenmakers

    Bugfix: the local delivery program now checks that a
    destination is a regular file before locking it.

19980211

    Robustness: the local delivery agent sets HOME, LOGNAME,
    and SHELL when delivering to a user shell command. PATH is
    always set, and TZ is passed through if it is set.

19980212

    Feature: mailq (sendmail -bp) now also lists the maildrop
    queue (with mail that hasn't been picked up yet).

19980213

    Feature: the smtpd now says: 502 HELP not implemented. This
    should impress the heck out of the competition :-)

19980214

    Feature: local delivery to configurable system-wide command
    (e.g. procmail) avoids the need for per-user ~/.forward
    shell commands. Config parameter: mailbox_command.

19980215

    Performance: avoid running a shell when a command contains
    no shell magic characters or built-in shell commands. This
    speeds up delivery to all commands. File: util/exec_command.c.

    Bugfix: the local delivery agent, after reading EOF from
    a child process, now sends SIGKILL only when the child does
    not terminate within a limited amount of time. This avoids
    some problems with procmail. File: util/timed_wait.c.

19980217

    Portability: folded in NetInfo support from Pieter
    Schoenmakers.

19980218

    Feature: new vmlock command to run a command while keeping
    an exclusive lock on a mailbox.

    Feature: with "recipient_delimiter = +", mail for local
    address "user+foo" is delivered to "foo", with a "Delivered-To:
    user+foo@domain" message header. Files: qmgr/qmgr_message.c,
    local/recipient.c. This must be the cheapest feature.

19980219

    Code cleanup: moved error handling into functions that
    should always succeed (non_blocking(), close_on_exec()).

19980223

    Bugfix: null pointer bug in the cleanup program after
    processing a From: header with no mail address (or with
    only a comment).

19980226

    Robustness: now detects when getpwnam() returns a name that
    differs from the requested name.

    Feature: Added %p support to the vbuf_print formatting
    module.

    Code cleanup: revamped the alias/include/.forward loop
    detection and duplicate suppression code in the local
    delivery agent. This must be the fourth iteration, and
    again the code has been simplified.

19980228

    Robustness: don't treat anything starting with whitespace
    as a header record. Instead, explicitly test for leading
    whitespace where we permit it. Files: global/is_header.c,
    bounce/bounce_flush_service.c, local/delivered.c.

19980301

    Compatibility: the sendmail program now accepts the -N
    command-line option (delivery status notification) but
    ignores it entirely, just like many other sendmail options.

    Bugfix: dns_lookup.c was too conservative with buffer sizes
    and would incorrectly report "malformed name server reply".

19980302

    Bugfix: the local delivery agent was not null-byte clean.

19980307

    Feature: integrated Pieter Schoenmakers' code for transport
    lookup tables that list (transport, nexthop) by destination.

19980309

    Bugfix: delivery agents no longer rename corrupt queue
    files, because programs might fall over each other doing
    so.
    Instead, when a delivery agent detects queue file
    corruption, it chmods the queue file, simulates a soft
    error, and lets the queue manager take care of the problem.

    Bugfix: the SMTP server implemented VRFY incorrectly.

    Feature: first shot at a pipe mailer, which can be used to
    extend VMailer with external mail transports such as UUCP
    (provided that the remote site understands domain addressing,
    because VMailer version 1 does not rewrite addresses).

    Cleanup: extended the master/child interface so that the
    service name (from master.cf) is passed on to the child.
    The pipe mailer needs the service name so it can look up
    service-specific configuration parameters (privilege level,
    recipient limit, time limit, and so on).

19980310-12

    Cleanup: factored out the pipe_command() code, so it can
    be shared between pipe mailer and local delivery agent.

19980314

    Compatibility: the sendmail program now parses each
    command-line recipient as if it were an RFC 822 message
    header; some MUAs specify comma-separated recipients in a
    command-line argument; and some MUAs even specify "word
    word <address>" forms as command-line arguments.

19980315

    Bugfix: VMailer's queue processing randomization wasn't
    adequate for unloaded systems with small backlogs.

    Bugfix: smtpd now uses double-buffered stream I/O to prevent
    loss of input sent ahead of responses.

19980316

    Bugfix: the smtpd anti-relay code didn't treat all hosts
    listed in $mydestinations as local, so it would accept mail
    only for hosts listed in $relay_domains (default: my own
    domain).

    Bugfix: smtpd now replies with 502 when given an unknown
    command.

19980318

    Cleanup: resolve/rewrite clients now automatically disconnect
    after a configurable amount of idle time (ipc_idle).

19980322

    Tolerance: VRFY now permits user@domain, even though the
    RFC requires that special characters such as @ be escaped.

19980325

    Bugfix: a recipient delimiter of "-" could interfere with
    special addresses such as owner-xxx or double-bounce.

    Tolerance: the SMTP client now permits blank lines in SMTP
    server responses.

    Tolerance: the SMTP client now falls back to SMTP when it
    apparently mistook an SMTP server as ESMTP capable.

    Bugfix: eliminated strtok() calls in favor of mystrtok().
    Symptom: master.cf parsing would break if $inet_interfaces
    was more than one word.

19980328

    Bugfix: user->addr patterns in canonical and virtual tables
    matched only $myorigin, not hosts listed in $mydestination
    or addresses listed in $inet_interfaces. The man pages
    were wrong too. File: global/addr_match.c.

19980401

    Robustness: FIFO file permissions now default to 0622. On
    some systems, opening a FIFO read-only could deafen the
    pickup daemon. Only the listener end (which is opened as
    root) needs read access anyway, so there should not be a
    loss of functionality by making FIFOs non-readable for
    non-mail processes.

19980402

    Compatibility: sendmail -I and -c options added.

19980403

    Feature: virtual lookups are now recursive. File:
    qmgr/qmgr_message.c

19980405

    Implemented sendmail -bs (stand-alone) mode. This mode runs
    as the user and therefore deposits into the maildrop queue.

19980406

    The pickup service now removes malformed maildrop files.

19980407

    The pickup service now guards against maildrop files with
    time stamps dated into the future.

19980408

    Bugfix: in the canonical and virtual maps, foo->address
    would match foo@$myorigin only.
    This has been fixed to also match hosts listed in
    main.cf:$mydestination and the addresses listed in
    main.cf:$inet_interfaces.

    Bugfix: added double buffering support to the VMailer SMTP
    server. This makes the SMTP server robust against SMTP
    clients that talk ahead of time, and should have been in
    there from day one.

19980409

    Bugfix: the VMailer SMTP client now recognizes its own
    hostname in the SMTP greeting banner only when that name
    appears as the first word on the first line.

19980410

    Feature: smtpd now logs the local queue ID along with the
    client name/address, and pickup now logs the local queue
    ID along with the message owner.

    Bugfix: still didn't do virtual/canonical lookups right
    (code used the non-case-folded key instead of the case
    folded one).

19980418

    Bugfix: the SMTP server did not flush the "250 OK queued
    as XXXX" message from the SMTP conversation history.

19980419

    Bugfix: qmgr would not notice that a malformed message has
    multiple senders, and would leak memory (Tom Ptacek).

19980421

    Portability: in the mantools scripts, the expr pattern no
    longer has ^ at the beginning, and the scripts now use the
    expand program instead of my own detab utility.

19980425

    NetBSD 1.x patch by Soren S. Jorvang.

19980511

    Feature: the SMTP server now logs the protocol (SMTP or
    ESMTP) as part of the Received: header.

    Feature: smtpd now logs the last command when a session is
    aborted due to timeout, unexpected EOF, or too many client
    errors.

19980514

    Bugfix: the queue manager did not update the counter for
    in-core message structures, so the in-core message limit
    had no effect. This can be bad when you have a large backlog
    with many messages eligible for delivery.

    Robustness: the queue manager now also limits the total
    number of in-core recipient structures, so that it won't
    use excessive amounts of memory on sites that have large
    mailing lists.

19980518

    Bugfix: the SMTP client did not notice that the DNS client
    received a truncated response. As a result, a backup MX
    host could incorrectly claim that it was the best MX host
    and declare a mailer loop.

    Added start_msg/stop_msg entries to the vmailer startup
    script, for easy installation.

    Cleanup: VMailer databases are now explicitly specified as
    type:name, for example, hash:/etc/aliases or nis:mail.aliases,
    instead of implicitly as "files", "nis" and so on. Test
    program: util/dict_open. This change allowed me to
    eliminate a lot of redundant code from mkmap_xxx.c, and
    from everything that does map lookups.

19980525

    Bugfix: local/dotforward.c compared the result of opening
    a user's ~/.forward against the wrong error value.

19980526

    Bugfix: the smtpd VRFY command could look at free()d memory.

    Robustness: the smtpd program had a fixed limit on the
    number of token structures. The code now dynamically
    allocates token structures.

    Bugfix: the queue manager still used the deprecated parameter
    name xxx_deliver_concurrency for concurrency control, but
    the documentation talks about the preferred parameter name
    xxx_destination_concurrency. Fix: try xxx_destination_concurrency
    first, then fall back to xxx_deliver_concurrency.

19980621-19980702

    Cleanup: the string read routines now report the last
    character read or VSTREAM_EOF. This change is necessary
    for the implementation of the long SMTP line bugfix.

    Bugfix: the smtp server exited the DATA command prematurely
    when the client sent long lines. Reason: the smtp server
    did not remember that it broke long lines, so that '.'
    could appear to be the first character on a line when in
    fact it wasn't.

    Bugfix: the queue manager made lots of stupid errors while
    reading $qmgr_message_recipient_limit chunks of recipients
    from a queue file. This code has been restructured.

19980706

    Performance: the cleanup program now always adds return-receipt
    and errors-to records to a queue file, so that the queue
    manager does not have to plow through huge lists of
    recipients.

    Robustness: the initial destination concurrency now defaults
    to 2, so that one bad message or one bad connection does
    not stop all mail to a site. The configuration parameter
    is called initial_destination_concurrency.

    Performance: the per-message recipient limit is now enforced
    by the queue manager instead of by the transport. Thus, a
    large list of recipients for the same site is now mapped
    onto several delivery requests which can be handled in
    parallel, instead of being mapped onto one delivery request
    that is sent to limited numbers of recipients, one group
    after the other.

19980707

    Cleanup: the queue manager now does an additional recipient
    sort after the recipients have been resolved, so that the
    code can do better aggregation of recipients by next hop
    destination.

    Feature: lines in the master.cf file can now be continued
    in the same manner as lines in the main.cf file, i.e. by
    starting the next line with whitespace.

    Feature: the smtp client now warns that a message may be
    delivered multiple times when the response to "." is not
    received (the problem described in RFC 1047).

    Cleanup: when the queue manager changes its little mind
    after contacting a delivery agent (for example, it decides
    to skip the host because a transport or host goes bad),
    the delivery agent no longer complains about premature EOF.
    File: global/deliver_request.c

19980709

    Bugfix: when breaking long lines, the SMTP client did not
    escape leading dots in secondary etc. line fragments. Fix:
    don't break lines. This change makes VMailer line-length
    transparent. Files: global/smtp_stream.c, smtp/smtp_proto.c.

19980712

    Cleanup: the queue manager to delivery agent protocol now
    distinguishes between domain-specific soft errors and
    recipient-specific soft errors. Result: many soft errors
    with SMTP delivery no longer affect other mail for the same
    domain.

19980713

    Feature: the file modification time stamp of deferred queue
    files is set to the nearest wakeup time of their recipient
    hosts, or if delivery was deferred due to a non-host problem,
    the time stamp is set into the future by the configurable
    minimal backoff time.

    Bugfix: the SMTP client and the MAILQ command would report
    as message size the total queue file size. That would
    grossly overestimate the size of a message with many
    recipients.

    Bugfix: the 19980709 fix screwed up locally-posted mail
    that didn't end in newline.

19980714

    Robustness: the makedefs script now defaults to no optimization
    when compiling for purify.

19980715

    Robustness: the makedefs script now defaults to no optimization
    when compiling with gcc 2.8, until this compiler is known
    to be OK.

    Workaround: when sending multiple messages over the same
    SMTP connection, some SMTP servers need an RSET command
    before the second etc. MAIL FROM command. The VMailer SMTP
    client now sends a redundant RSET command just in case.

    The queue manager now logs explicitly when delivery is
    deferred because of a "dead" message transport.

19980716

    Feature: mailq and mail bounces now finally report why mail
    was deferred (the reason was logged to the syslog file
    only).
    Changes were made to the bounce service (generalized
    to be usable for defer logs), showq service (to show reasons)
    and the queue manager.

    As a result the defer directory (with one log per deferred
    message) may contain many files; also, this directory is
    accessed each time a message is let into the active queue,
    in order to delete its old defer log. This means that hashed
    directories are now a must.

19980718-20

    Feature: configurable timeout for establishing smtp
    connections. Parameter: smtp_connect_timeout (default 0,
    which means use the timeout as wired into the kernel).
    Inspired by code from Lamont Jones. For a clean but far
    from trivial implementation, see util/timed_connect.c

    Cleaned up the interfaces that implement read/write deadlines.
    Instead of returning -2, the routines now set errno to
    ETIMEDOUT; the readable/writable tests are now separate.

19980722

    Feature: the default indexed file type (hash, btree, dbm)
    is now configurable with the "database_type" parameter.
    The default value for this parameter is system specific.

    Feature: selectively turn on verbose logging for hosts that
    match the patterns specified via the "debug_peer_list"
    config parameter. Syntax is like the "bad_smtp_clients"
    parameter (see global/peer_list.c). The verbose logging
    level is specified with "debug_peer_level" (default 2).

    Security: the local delivery agent no longer delivers to
    files that have execute permission enabled.

19980723

    Workarounds for Solaris 2.x UNIX-domain sockets: they lose
    data when you close them immediately after writing to them.
    This could screw up the delivery agent to queue manager
    protocol.

19980724

    Cleanup: spent most of the day cleaning up queue manager
    code that defers mail when a site or transport dies, and
    fixed a few obscure problems in the process.
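
The premature end-of-DATA bug from the 19980621-19980702 entry above (a fragment of a broken long line mistaken for the terminating "."), shown as an added example that is not VMailer's own code. The function names, the fragment size and the sample message are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed message: a 9-character line "AAAAAAAA." that a reader with an
 * 8-byte line buffer must break, one more line, then the real terminator. */
static const char SAMPLE[] = "AAAAAAAA.\r\nreal body\r\n.\r\n";

/*
 * Read one fragment: at most cap bytes, stopping after '\n'. Stores the last
 * byte read in *last (-1 at end of input), which is what lets the caller
 * tell a complete line from a broken one.
 */
static size_t read_fragment(const char **src, char *buf, size_t cap, int *last)
{
    size_t n = 0;

    *last = -1;
    while (n < cap && **src != '\0') {
        *last = (unsigned char) **src;
        buf[n++] = *(*src)++;
        if (*last == '\n')
            break;
    }
    return n;
}

/*
 * Return the number of input bytes consumed when end-of-data is declared,
 * or -1 if no terminator is seen. With track_breaks == 0 every fragment is
 * treated as a line (the bug); with track_breaks != 0 a ".\r\n" fragment
 * counts only when the previous fragment ended in '\n' (the fix).
 */
static long end_of_data(const char *input, size_t cap, int track_breaks)
{
    char buf[64];
    const char *p = input;
    int last;
    int at_line_start = 1;
    size_t n;

    if (cap < 3 || cap > sizeof(buf))
        return -1;
    while ((n = read_fragment(&p, buf, cap, &last)) > 0) {
        int is_dot = (n == 3 && memcmp(buf, ".\r\n", 3) == 0);

        if (is_dot && (at_line_start || !track_breaks))
            return (long) (p - input);
        at_line_start = (last == '\n');
    }
    return -1;
}

int main(void)
{
    printf("message length:        %lu\n", (unsigned long) strlen(SAMPLE));
    printf("buggy reader stops at: %ld\n", end_of_data(SAMPLE, 8, 0));
    printf("fixed reader stops at: %ld\n", end_of_data(SAMPLE, 8, 1));
    return 0;
}
```

Everything after the point where the buggy reader stops would be parsed as SMTP commands rather than message content.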

19980726

    Feature: the admin can now configure what classes of problems
    result in mail to the postmaster. Configuration parameter:
    "notify_classes". Default is backwards compatible: bounce,
    policy, protocol, resource, and software.

19980726-28

    Feature: the admin can now configure what smtp server access
    control restrictions must be applied, and in what order.
    Configuration parameters: smtpd_client_restrictions,
    smtpd_helo_restrictions, smtpd_mail_restrictions and
    smtpd_rcpt_restrictions. Defaults are intended to be
    backwards compatible. The bad_senders and bad_clients lists
    are gone and have become db (dbm, nis, etc) maps. Files:
    smtpd/smtpd_check.c, config/main.cf.

19980729-31

    Feature: hashed queues. Rewrote parts of the mail queue
    API. Configuration parameters: "hash_queue_names" specifies
    what queue directories will be hashed (default: the defer
    log directory), "hash_queue_depth" specifies the number of
    subdirectories used for hashing (default 2).

19980802

    Bugfix: the pipe mailer should expand command-line arguments
    with $recipient once for every recipient (producing one
    command-line argument per recipient), instead of replacing
    $recipient by all recipients (i.e. producing only one
    command-line argument). This is required for compatibility
    with programs that expect to be run from sendmail, such as
    uux. Thanks to Ollivier Robert for helping me to get this
    right.

    Code cleanup: for the above, cleaned up the macro expansion
    code in dict.c and factored out the parsing into a separate
    module, mac_parse.c.

19980803

    "|command" and /file/name destinations in alias databases
    are now executed with the privileges of the database owner
    (unless root or vmailer).
    Thus, with: "alias_maps =
    hash:/etc/aliases, hash:/home/majordomo/aliases", and with
    /home/majordomo/aliases* owned by the majordomo account,
    you no longer need the majordomo set-uid wrapper program,
    and you no longer need root privileges in order to install
    a new mailing list.

19980804

    Added support for the real-time blackhole list. Example:
    "client_restrictions = permit_mynetworks, reject_maps_rbl"

    All SMTP server "reject" status codes are now configurable:
    unknown_client_reject_code, mynetworks_reject_code,
    invalid_hostname_reject_code, unknown_hostname_reject_code,
    unknown_address_reject_code, relay_domains_reject_code,
    access_map_reject_code, maps_rbl_reject_code. Default values
    are documented in the smtpd/smtpd_check.c man page.

19980806-8

    Code cleanup: after eyeballing line-by-line diffs, started
    deleting code that duplicated functionality because it was
    at the wrong abstraction level (smtp_trouble.c), moved
    functionality that was in the wrong place (dictionary
    reference counts in maps.c instead of dict.c), simplified
    code that was too complex (password-file structure cache)
    and fixed some code that was just wrong.

19980808

    Robustness: the number of queue manager in-core structures
    for dead hosts is limited; the limit scales with the limit
    on the number of in-core recipient structures. The idea is
    to not run out of memory under conditions of stress.

19980809

    Feature: mail to files and commands can now be restricted
    by class: alias, forward file or include file. The default
    restrictions are: "allow_mail_to_files = alias, forward"
    and "allow_mail_to_commands = alias, forward". The idea is
    to protect against buggy mailing list managers that allow
    intruders to subscribe /file/name or "|command".

19980810-12

    Cleanup: deleted a couple hundred lines of code from the
    local delivery agent. It will never be a great program;
    sendmail compatibility is taking a severe toll.

19980814

    Cleanup: made the program shut up about some benign error
    conditions that were reported by Daniel Eisenbud.

19980814-7

    Documentation: made a start of HTML docs that describe all
    configuration parameters.

    Feature: while documenting things, added smtpd_helo_required.

19980817

    Bugfix: at startup the queue manager now updates the time
    stamps of active queue files some time into the future.
    This eliminates duplicate deliveries after "vmailer reload".

    Bugfix: the local delivery agent now applies the recipient
    delimiter after looking in the alias database, instead of
    before.

    Documentation bugfixes by Matt Shibla, Tom Limoncelli,
    Eilon Gishri.

19980819

    GLIBC fixes from Myrdraal.

    Bugfix: applied showq buffer reallocation workaround in
    the wrong place.

    Bugfix: can't use shorts in varargs lists. SunOS 4 has
    short uid_t and gid_t. pipe_command() would complain.

    Bugfix: can't use signed char in ctype macros. All ctype
    arguments are now cast to unsigned char. Thanks, Casper
    Dik.

19980820

    Bugfix: save the alias lookup result before looking up the
    owner. The previous alpha release did this right.

    Cleanup: mail_trigger() no longer complains when the trigger
    FIFO or socket is unavailable. This change is necessary to
    shut up the sendmail mail posting program, so that it can
    be used on mail clients that mount their maildrop via NFS.

    Experiment: pickup and pipe now run as vmailer most of the
    time, and switch to user privileges only temporarily.
    Files: util/set_eugid.c global/pipe_command.c pipe/pipe.c
    pickup/pickup.c.
    Is this more secure? What about someone
    manipulating such a process while not root? It still has
    ruid == 0.

19980822

    Portability: with GNU make, commands such as "(false;true)"
    and "while :; do false; done" don't fail. Workaround: use
    "set -e" all over the place. Problem found by Jeff Wolfe.

    Feature: "check_XXX_access maptype:mapname" (XXX = client,
    helo, sender, recipient). Now you can make recipient and
    other SPAM restrictions dependent on client or sender access
    tables lookup results.

19980823

    Bugfix: smtpd access table lookup keys were case sensitive.

    Added "permit" and "reject" operators. These are useful at
    the end of SPAM restriction lists (smtpd_XXX_restrictions).

    Added a first implementation of the permit_mx_backup SPAM
    restriction. This permits mail relaying to any domain that
    lists this mail system as an MX host (including mail for
    the local machine). Thanks to Ollivier Robert for useful
    discussions.

19980824

    Bugfix: transport table lookup keys were case sensitive.

19980825

    Portability: sa_len is some ugly #define on some SGI systems,
    so we must rename identifiers (file util/connect.c).

    Bugfix: uucp delivery errors are now sent to the sender.
    Thanks, Mark Delany.

    Bugfix: the pipe delivery agent now replaces empty sender
    by the mailer daemon address. Mark Delany, again.

    Portability: GNU getopt looks at all command-line arguments.
    Fix: insert -- into the pipe/uucp definition in master.cf.

    Bugfix: the smtp server command tokenizer silently discarded
    the [] around [text], so that HELO [x.x.x.x] was read as
    if the client had sent: HELO x.x.x.x. Thanks, Peter Bivesand.

    Bugfix: the HELO unknown hostname/bad hostname restrictions
    would have treated [text] as a domain name anyway.
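
The 19980802 pipe mailer fix and the 19980825 "--" workaround above, combined in one sketch. This is an added example, not Postfix code: expand_argv(), recipients_follow_terminator(), the delivery command and the recipients are hypothetical, and only the $recipient macro is handled.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RCPT_MACRO "$recipient"

/* Copy s, replacing every RCPT_MACRO with value. The value itself is never
 * rescanned, so macro text inside an address is not expanded again. */
static char *subst_rcpt(const char *s, const char *value)
{
    size_t mlen = strlen(RCPT_MACRO), vlen = strlen(value), hits = 0;
    const char *p;
    char *out, *w;

    for (p = s; (p = strstr(p, RCPT_MACRO)) != NULL; p += mlen)
        hits++;
    out = w = malloc(strlen(s) + hits * vlen + 1);
    if (out == NULL)
        return NULL;
    while ((p = strstr(s, RCPT_MACRO)) != NULL) {
        memcpy(w, s, (size_t) (p - s));
        w += p - s;
        memcpy(w, value, vlen);
        w += vlen;
        s = p + mlen;
    }
    strcpy(w, s);
    return out;
}

void free_argv(char **argv)
{
    size_t i;

    for (i = 0; argv != NULL && argv[i] != NULL; i++)
        free(argv[i]);
    free(argv);
}

/* Expand a NULL-terminated argv template: an argument that mentions
 * $recipient is emitted once per recipient, every other argument once.
 * Returns a NULL-terminated vector (release with free_argv) or NULL. */
char **expand_argv(const char *const *tmpl, const char *const *rcpts,
                   int *argc_out)
{
    size_t ntmpl = 0, nrcpt = 0, i, j, n = 0;
    char **out;

    while (tmpl[ntmpl] != NULL)
        ntmpl++;
    while (rcpts[nrcpt] != NULL)
        nrcpt++;
    out = calloc(ntmpl * (nrcpt + 1) + 1, sizeof(*out));
    if (out == NULL)
        return NULL;
    for (i = 0; i < ntmpl; i++) {
        int multi = strstr(tmpl[i], RCPT_MACRO) != NULL;
        size_t copies = multi ? nrcpt : 1;

        for (j = 0; j < copies; j++) {
            out[n] = subst_rcpt(tmpl[i], multi ? rcpts[j] : "");
            if (out[n] == NULL) {
                free_argv(out);
                return NULL;
            }
            n++;
        }
    }
    if (argc_out != NULL)
        *argc_out = (int) n;
    return out;
}

/* Lint check for a pipe-style template: returns 0 when an argument that
 * begins with $recipient is not preceded by a "--" argument, so that a
 * getopt() which scans all arguments could read it as an option. */
int recipients_follow_terminator(const char *const *tmpl)
{
    size_t i, mlen = strlen(RCPT_MACRO);
    int seen = 0;

    for (i = 0; tmpl[i] != NULL; i++) {
        if (strcmp(tmpl[i], "--") == 0)
            seen = 1;
        else if (strncmp(tmpl[i], RCPT_MACRO, mlen) == 0)
            return seen;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample: hypothetical command line and recipients. */
    const char *tmpl[] = {"/usr/local/bin/deliver", "-q", "--", "$recipient", NULL};
    const char *rcpts[] = {"alice@example.com", "-bob@example.com", NULL};
    int argc = 0, i;
    char **argv = expand_argv(tmpl, rcpts, &argc);

    if (argv == NULL)
        return 1;
    for (i = 0; i < argc; i++)
        printf("argv[%d] = %s\n", i, argv[i]);
    printf("terminator ok: %d\n", recipients_follow_terminator(tmpl));
    free_argv(argv);
    return 0;
}
```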

    Bugfix: the $local_duplicate_filter_limit value was not
    picked up by the local delivery agent. This means the local
    delivery agent could run out of memory on large mailing
    list deliveries.

19980826

    Performance: mkmap/mkalias now run with the same speed as
    sendmail. VMailer now uses a 4096-entry cache with 1 Mbyte
    of memory for DB lookups. File: util/dict_db.c.

19980902

    Robustness: the reject_unknown_hostname restriction for
    HELO/EHLO hostnames will now permit names that have an MX
    record instead of an A record.

19980903

    Feature: appending @$myorigin to an unqualified address is
    configurable with the boolean append_at_myorigin parameter
    (default: yes).

    Feature: appending .$mydomain to user@host is configurable
    with the boolean append_dot_mydomain parameter (default:
    yes).

    Feature: site!user is rewritten to user@site, under control
    of the boolean parameter swap_bangpath (default: yes).

    Feature: permit a naked IP address in HELO commands (i.e.
    an address without the enclosing [] as required by the
    RFC), by specifying "permit_naked_ip_address" as one of
    the restrictions in the "smtpd_helo_restrictions" config
    parameter.

19980904

    Code cleanup: when an SMTP client aborts a session after
    sending MAIL FROM, the cleanup service no longer warns that
    it is "skipping further client input". Files: cleanup/*.c.
    Thanks, Daniel Eisenbud, for prodding.

    Code cleanup: when an SMTP server disconnects in the middle
    of a session, don't try to send QUIT over the non-existing
    connection. Files: global/smtp_stream.c, smtp/smtp.c.
    Thanks, Daniel Eisenbud, for prodding, again.

    Code cleanup: the VMailer version number has moved from
    mail_params.h (which is included by lots of modules) to a
    separate file global/mail_version.h, so that a version
    change no longer results in massive recompilation.

    Bugfix: Errors-To was flagged as a sender address, so the
    address never was picked up.

    Code cleanup: support for Errors-To: headers completed.

19980905

    Feature: per-message exponential delivery backoff, by
    looking at the amount of time a message has been queued.
    Thanks, Mark Delany.

19980906

    Code cleanup: ripped out the per-host exponential backoff
    code. It was broken by 19980818. It was probably a bad idea
    anyway, because it required per-host, in-core, state kept
    by the queue manager. All we do now is to keep state for
    $minimal_backoff_time seconds, but only for a limited number
    of hosts. Daniel Eisenbud spotted the problem.

    Lost feature: the SMTP session transcripts now show who
    said what. This feature was inadvertently dropped during
    development. Thanks, Daniel Eisenbud, for reminding.

    Documentation: the hard-coded rewriting process of the
    trivial-rewrite program is described in html/rewrite.html.

    Feature: the local delivery agent now does alias lookups
    before and after chopping off the recipient subaddress.
    This allows you to forward user-anything to another user,
    without losing the ability to redirect specific user-foo
    addresses.

19980909

    Feature: the smtp client now logs a warning that a server
    sends a greeting banner with the client's hostname, which
    could imply a mailer loop.

19980910

    Feature: separate canonical maps for sender and recipient
    address rewriting, so that you can rewrite an ugly sender
    address and still forward mail to that same ugly address
    without creating a mailer loop.
    Files: cleanup_envelope.c, cleanup_message.c,
    cleanup_rewrite.c.

19980911

    Feature: virtual maps now support multiple addresses on
    the right-hand side. In the case of virtual domains this
    can eliminate the need for address expansion via local
    aliases, making virtual domains much easier to administer.
    This required that I moved the virtual table lookups from
    the queue manager to the cleanup service, so that every
    recipient has an on-disk status record. Files: qmgr.c,
    qmgr_message.c, cleanup_envelope.c, cleanup_rewrite.c,
    cleanup_virtual.c.

    Feature: sendmail/mailq/newaliases pass on the -v flag to
    the program that they end up running, to make debugging a
    little easier.

19980914

    Bugfix: some anti-spam measures didn't recognize some
    addresses as local and would do too much work. File:
    smtpd_check.c.

    Bugfix: the smtp sender/recipient table lookup restriction
    destroyed global data, so that other restrictions could
    break. File: smtpd_check.c.

    Bugfix: after vmailer reload, single-threaded servers could
    exit before flushing unwritten data to the client. Example:
    cleanup would exit before acking success to pickup, so the
    message would be delivered twice. Bug reported by Brian
    Candler.

    Cleanup: removed spurious error output from vmailer-script.
    Reported by Brian Candler.

    Tolerance: ignore non-numeric SMTP server responses. There's
    a lot of brain damage out there on the net.

19980915

    Feature: the smtp-sink benchmark tool now announces itself
    with a neutral name so that it can be run on the same
    machine as VMailer, without causing Postfix to complain
    about a mailer loop.

    Robustness: on LINUX, vmailer-script now does chattr +S to
    force synchronous directory updates. Fix developed with
    Chris Wedgwood.

19980916

    Bugfix: when transforming an RFC 822 address to external
    form, there is no need to quote " characters in comments.
    This didn't break anything, it just looked ugly. File:
    global/tok822_parse.c

19980917

    Workaround: with deliveries to /file/name, use fsync() and
    ftruncate() only on regular files. File: local/file.c

    Workaround: the plumbing code in master_spawn.c didn't
    check if it was dup2()/close()ing a descriptor to itself
    then closing it. Will have to redo the plumbing later.

19980918

    Workaround: on multiprocessor Solaris machines, one-second
    rollover appears to happen on different CPUs at slightly
    different times. Made the queue manager more tolerant of
    such things. Problem reported by Daniel Eisenbud.

    Workaround: in preparation for deployment with a network-shared
    maildrop directory, make pickup more tolerant against clock
    drift between clients and servers.

19980921

    New vstream_popen() module that opens a two-way channel
    across a socketpair-based pipe. This module isn't being
    used yet; it is here only to complete the vstream code.

19980922

    Code cleanup: the xxx_server_main() interface for master
    child processes now uses a name-value argument list instead
    of an ugly and inflexible data structure.

    Bugfix: moved the test if a non-interactive process is run
    by hand, so that the "don't do this" error message can be
    printed to stderr before any significant processing.

    Bugfix: smtpd now can talk to unix-domain sockets without
    bailing out on a peer lookup problem. Files: smtpd/smtpd.c,
    util/peer_name.c.

    Safety: by default, the postmaster is no longer informed
    of protocol problems, policy violations or bounces.

    Safety: the SMTP server now sleeps before sending a [45]xx
    error response, in order to prevent clients from hammering
    the server with a connect/error/disconnect loop. Parameter:
    smtpd_error_sleep_time (default: 5).

    Feature: the logging facility is compile-time configurable
    (e.g., make makefiles "CCARGS=-DLOG_FACILITY=LOG_LOCAL1").

19980923

    Bugfix: changed virtual/canonical map search order from
    (user@domain, @domain, user) to (user@domain, user, @domain)
    so the search order is most specific to least specific.
    File: global/addr_map.c, lots of documentation.

    Bugfix: after the change of 19980910, cleanup_message
    extracted recipients from Reply-To: etc. headers. Found
    by Lamont Jones.

19980925

    Bugfix: the change in virtual/canonical map search order
    broke @domain entries; they would never be looked up if
    the address matched $myorigin or $mydestinations. Found by
    Chip Christian who now regrets asking for the change.

    Bugfix: cleanup initialized an error mask incorrectly, so
    that it would keep writing to a file larger than the queue
    file size limit, and so it would treat the error as a
    recoverable one instead of sending a bounce. Thanks, Pieter
    Schoenmakers.

    Bugfix: the "queue file cleanup on fatal error" action was
    no longer enabled in the sendmail mail posting agent.

    Feature: the sendmail mail posting program now returns
    EX_UNAVAILABLE when the size of the input exceeds the queue
    file size limit. NB THIS CHANGE HAS BEEN WITHDRAWN.

19980926

    Code cleanup: the dotlock file locking routine is no longer
    derived from Eric Allman's 4.3BSD port of mail.local.

    Code cleanup: the retry strategy of the file locking routines
    dot_lockfile() and deliver_flock() is now configurable
    (deliver_flock_attempts, deliver_flock_delay, deliver_flock_stale).

    Code cleanup: the master.pid lock file is now created with
    symlink paranoia, and is properly locked so that PID rollover
    will not cause false matches.

    Bugfix: the vbuf_print() formatting engine did not know
    about the '+' format specifier.

    Cleanup: replaced unnecessary instances of stdio calls by
    vstream ones.

19980929-19981002

    Compatibility: added support for "sendmail -q". This required
    a change to the queue manager trigger protocol, and a code
    reorganization of the way queue scans were done. The queue
    manager socket now has become public.

19981002

    SMTPD now logs "lost connection after end-of-message"
    instead of "lost connection after DATA".

19981005

    More bullet proofing: timeouts on all triggers.

19981006

    Bugfix: make the number of cleanup processes unlimited, in
    order to avoid deadlock. The number of instances needed is
    one per smtp/pickup process, and an indeterminate number
    per local delivery agent. Thanks, David Miller and
    Terry Lorrah, for clueing me in.

    Bugfix: "sendmail -t" extracted recipients weren't subjected
    to virtual mapping. Daniel Eisenbud strikes again.

19981007

    Compatibility: if the first input line ends in CRLF, the
    sendmail posting agent will treat all CRLF as LF. Otherwise,
    CRLF is left alone. This is a compromise between sendmail
    compatibility (all lines end in CRLF) and binary transparency
    (some, but not all, lines contain CRLF).

19981008

    Robustness: stop recursive virtual expansion when the
    left-hand side appears in its own expansion.

19981009

    Portability: trigger servers such as pickup and qmgr can
    now use either FIFOs or UNIX-domain sockets; hopefully at
    least one of them works properly. Trigger clients were
    already capable of using either form of local IPC.
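
The 19980926 master.pid entry above, sketched as an added example rather than Postfix code: pidfile_acquire() and pidfile_is_held() are hypothetical names, and O_NOFOLLOW plus flock() are the mechanisms assumed here. The lock, not the PID stored in the file, decides whether an owner is alive, so a recycled PID cannot produce a false match.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE             /* O_NOFOLLOW, flock(), mkdtemp() on glibc */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/file.h>
#include <sys/stat.h>
#include <unistd.h>

/*
 * Open (or create) a PID lock file and take an exclusive lock on it.
 * Returns a descriptor that must stay open for the life of the daemon,
 * or -1 with errno set.
 */
int pidfile_acquire(const char *path)
{
    struct stat before, after;
    char buf[32];
    int fd, len, existed, saved;

    existed = (lstat(path, &before) == 0);
    if (existed) {
        /* Symlink paranoia: accept only a plain file with a single name. */
        if (!S_ISREG(before.st_mode) || before.st_nlink != 1) {
            errno = EPERM;
            return -1;
        }
        fd = open(path, O_RDWR | O_NOFOLLOW);
    } else if (errno == ENOENT) {
        /* O_EXCL fails if anything appears under this name meanwhile. */
        fd = open(path, O_RDWR | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
    } else {
        return -1;
    }
    if (fd < 0)
        return -1;

    /* The object that was opened must be the object that was inspected. */
    if (fstat(fd, &after) < 0 || !S_ISREG(after.st_mode)
        || after.st_nlink != 1
        || (existed && (after.st_dev != before.st_dev
                        || after.st_ino != before.st_ino))) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    /* A held lock proves a live owner; the kernel drops it on exit. */
    if (flock(fd, LOCK_EX | LOCK_NB) < 0) {
        saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    /* Record the PID for humans and scripts only after winning the lock. */
    len = snprintf(buf, sizeof(buf), "%ld\n", (long) getpid());
    if (ftruncate(fd, 0) < 0 || write(fd, buf, (size_t) len) != len) {
        saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/*
 * 1: a live process holds the lock. 0: no file, or a stale file whose
 * recorded PID means nothing. -1: refused (for example a symlink) or error.
 */
int pidfile_is_held(const char *path)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    int held;

    if (fd < 0)
        return errno == ENOENT ? 0 : -1;
    if (flock(fd, LOCK_EX | LOCK_NB) == 0) {
        held = 0;               /* nobody had it; closing fd releases it */
    } else {
        held = (errno == EWOULDBLOCK) ? 1 : -1;
    }
    close(fd);
    return held;
}

int main(void)
{
    char dir[] = "/tmp/pidlock-XXXXXX"; /* constructed scratch location */
    char path[128];
    int fd;

    if (mkdtemp(dir) == NULL)
        return 1;
    snprintf(path, sizeof(path), "%s/master.pid", dir);
    fd = pidfile_acquire(path);
    printf("acquired=%d held=%d\n", fd >= 0, pidfile_is_held(path));
    if (fd >= 0)
        close(fd);
    printf("after close held=%d\n", pidfile_is_held(path));
    unlink(path);
    rmdir(dir);
    return 0;
}
```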

19981011

    Feature: masquerading. Strip subdomains from domains listed
    in $masquerade_domains. Exception: envelope recipients are
    left alone, in order to not screw up routing.

19981015

    Code cleanup: moved the recipient duplicate filter from
    the user-level sendmail posting agent to the semi-resident
    cleanup service, so that the filter operates on the output
    from address canonicalization and of virtual expansion,
    instead of operating on their inputs.

19981016

    Bugfix: after kill()ing a bunch of child processes, wait()
    sometimes fails before all children have been reaped, and
    must be called again, or the master will SIGSEGV later.
    Problem reported by Scott Cotton.

    Workaround: don't log a complaint when an SMTP client goes
    away without sending QUIT.

19981018

    Workaround: Solaris 2.5 ioctl SIOCGIFCONF returns a hard
    error (EINVAL) when the result buffer is not large enough.
    This can happen on systems with many real or virtual
    interfaces. File: util/inet_addr_local.c. Problem reported
    by Scott Cotton.

    Workaround: the optional HELO/EHLO hostname syntax check
    now allows a single trailing dot.

    Workaround: with UNIX-domain sockets, LINUX connect() blocks
    until the server calls accept(). File: qmgr/qmgr_transport.c.
    Terry Lorrah and Scott Cotton provided the necessary
    evidence.

19981020

    Robustness: recursive canonical mapping terminates when
    the result stops changing.

    Code cleanup: reorganized the address rewriting and mapping
    code in the cleanup service, to make it easier to implement
    the previous enhancement.

19981022

    Code cleanup: more general queue scanning programming
    interface, in preparation for hashed queues. File:
    qmgr/qmgr_scan.c.

    Bugfix: a non-FIFO server with a process limit of 1 has a
    too short listen queue. Until now this was not a problem
    because only FIFO servers had a process limit of 1, and
    FIFOs have no listen queue. Fix: always configure a listen
    queue of proc_limit or more. File: master/master_listen.c.

19981023

    Feature: by popular request, mail delay is logged when
    delivering, bouncing or deferring mail.

19981024

    Cleanup: double-bounce mail is now absorbed by the queue
    manager, instead of the local delivery agent, so that the
    mail system will not go mad when no local delivery agent
    is configured.

19981025

    Cleanup: moved the relocated table from the local delivery
    agent to the queue manager, so that the table can also be
    used for virtual addresses.

    Code reorg: in order for the queue manager to absorb
    recipients, the queue file has to stay open until all
    recipients have been assigned to a destination queue.

19981026

    vmlogger command, so that vmailer-script logging becomes
    consistent with the rest of the VMailer system.

    Code reorg: logger interface now can handle multiple output
    handlers (e.g. syslog and stderr stream).

    Bugfix: a first line starting with whitespace is no longer
    treated as an extension of our own Received: header. Files:
    smtpd/smtpd.c, pickup/pickup.c.

19981027

    Bugfix: the bang-path swapping code went into a loop on an
    address consisting of just a single !. Eilon Gishri had
    the privilege of finding this one.

    Workaround: the non-blocking UNIX-domain socket connect is
    now enabled only on systems that need it. It may cause
    kernel trouble on Solaris 2.x.

    Bugfix: the resolver didn't implement bangpath swapping,
    so that mail for site!user@mydomain would be delivered to
    a local user named "site!user".

19981028

    Cleanup: a VSTREAM can now use different file descriptors
    for reading and writing. This was necessary to prevent
    "sendmail -bs" and showq from writing to stdin. Eilon Gishri
    observed the problem.

19981029

    The RFC 822 address manipulation routines no longer give
    special attention to 8-bit data. Files: global/tok822_parse.c,
    global/quote_822_local.c.

    Bugfix: host:port and other non-domain stuff is no longer
    allowed in mail addresses. File: qmgr/qmgr_message.c.

    Workaround: LINUX accept() wakes up before the three-way
    handshake is complete, so it can fail with ECONNRESET.
    Files: master/single_server.c, master/multi_server.c.

    Feature: when delivering to user+foo, try ~user/.forward+foo
    before trying ~user/.forward.

    Bugfix: smtpd in "sendmail -bs" (stand-alone) mode didn't
    clean up when terminated by a signal.

    Bugfix: smtpd in "sendmail -bs" (stand-alone) mode should
    not try to enforce spam controls because it cannot access
    the address rewriting machinery.

    Cleanup: the percent hack (user%domain -> user@domain) is
    now configurable (allow_percent_hack, default: yes).

    Bugfix: daemons in -S (stand-alone) mode didn't change
    directory to the queue. This was no problem with daemons
    run by the sendmail compatibility program.

19981030

    Feature: when virtual/canonical/relocated lookup fails for
    an address that contains the optional recipient delimiter
    (e.g., user+foo@domain), the search is done again with the
    unextended address (e.g., user@domain). File: global/addr_find.c.

    Code reorg: the address searching is now implemented by a
    separate module global/addr_find.c, so that the same code
    can be used for both (non-mapping) relocated table lookups
    and for canonical and virtual mapping.
    The actual mapping is still done in the global/addr_map.c
    module.

    Robustness: the SMTP client now skips hosts that don't send
    greeting banner text. File: smtp/smtp_connect.c

    Feature: preliminary support to disable delivered-to. This
    is desirable for mailing list managers that don't want to
    advertise internal aliases.

    Generic support: when the recipient_feature_delimiter
    configuration parameter is set, the local delivery agent
    uses it to split the recipient localpart into fields. Any
    field that has a known name such as "nodelivered" enables
    the corresponding delivery feature.

19981031

    Code reorg: address splitting on recipient delimiter is
    now centralized in global/split_addr.c, which knows about
    all reserved names that should never be split.

    Robustness: when a request for an internal service cannot
    be satisfied because the master has terminated, terminate
    instead of trying to reach the service every 30 seconds.

    Safety: the local delivery agent now runs as vmailer most
    of the time, just like pickup and pipe. Files: local/local.c,
    local/mailbox.c

19981101

    Compatibility: the tokenizer for alias/forward/etc.
    expansion now updates an optional counter with the number
    of destinations found; if no destinations are found in a
    .forward file, deliver to the mailbox instead. Thanks,
    Daniel Eisenbud, for showing the way to go.

    Robustness: the pickup daemon should always include a
    posting-time record, even when the sendmail posting agent
    didn't. However, just like before, user-provided posting
    times will be ignored. Ollivier Robert found this one.

    Robustness: duplicate entries in aliases or maps now cause
    a warning instead of a fatal error (and an incomplete file).

    Robustness: mkmap now prints a warning when an entry is in
    "key: value" format, which is the format expected for alias
    databases, not for maps.

    Portability: on LINUX, prepend "+" to the getopt() options
    string so that getopt() will stop at the first non-option
    argument. Suggestion by Marco d'Itri.

19981103

    Cleaned up the set_eugid() and open_as() implementations,
    and added stat_as() and fstat_as() so that the local delivery
    agent would look up include files and .forward files with
    the right privileges.

19981104

    Bugfix: the :include: routine now stat()s/open()s files
    included by root-owned aliases as root, not as nobody.

    Bugfix: the master crashed when a service with wakeup timer
    was disabled or renamed. Fix: eliminate some pathological
    coupling between process management and wakeup management.

    Feature: partial implementation of ETRN (causes a full
    deferred queue scan). Thanks Lamont Jones for reminding me
    that things can be useful already before they are perfect.

    Cleanup: simplified the SMTPD tokenizer.

    Bugfix: sendmail -bs didn't properly notify the mail system
    of new mail.

    Compatibility: the MAIL FROM and RCPT TO commands now accept
    the most common address forms without enclosing <>. The <>
    is still needed for addresses that contain a "string", an
    [address], or a colon (:).

19981105

    Bugfix: "master -t" would claim that the master runs when
    in fact the pid directory does not exist, causing trouble
    with first time startup (reported by several).

    Portability: added a sane_accept() module that maps all
    beneficial accept() error results to EAGAIN.
    According to
    private communication with Alan Cox, Linux 2.0.x accept()
    can return a variety of error conditions, so we play safe
    and allow for any error that may happen because SYN+ACK
    could not be sent.

    Portability: NETBSD1 uses dotlock files (Perry Metzger).

    Bugfix: the local delivery agent did not canonicalize
    owner-foo sender addresses, so that local users would see
    owner-foo instead of owner-foo@$myorigin (Perry Metzger).

    OPENSTEP4 support, similar to NEXTSTEP3 (Gerben Wierda).

19981106

    Portability: the master startup would take a long time on
    AIX because AIX has a very large per-process open file
    limit. Fix is to check the status of only the first couple
    hundred file descriptors instead. File: master/master.c.

    Bugfix: mail to user@[net.work.addr.ess] was broken because
    of a reversed test. File: qmgr/qmgr_message.c.

19981107

    Compatibility: don't clobber the envelope sender address
    when an alias has no owner-foo alias (problem diagnosed by
    Christophe Kalt).

    Bugfix: mail to local users in include files would be
    delivered directly if the alias didn't have an owner-foo
    alias, and if the alias database and include file were
    owned by root.

    Feature: with user+foo addresses, any +foo address extension
    that is not explicitly matched in canonical, virtual or
    alias databases is propagated to the table lookup result.

19981108

    Bugfix: minor memory leak in the user+foo table lookup
    code.

    Configurability: specify virtual.domain in the virtual map,
    and mail for unknown@virtual.domain will bounce automatically.
    The $relay_domains default value now includes $virtual_maps,
    so the SMTP server will accept mail for the domain. Marco
    d'Itri put me on the right track.

    Configurability: The mydestinations configuration parameter
    now accepts /file/name expressions and type:name lookup
    tables.

    Code cleanup: in order to make the previous two enhancements
    possible, revised the string/host/address matching engine
    so it can handle any mixture of strings, /file/name patterns
    and type:name lookup tables. Files: util/match_{list,ops}.c,
    global/{domain,namadr,string}_list.c.

19981110

    Code cleanup: replaced remaining isxxx() calls by ISXXX().

19981111

    Bugfix: the "bounce unknown virtual user" code was in the
    wrong place. Problem tackled with help of Chip Christian.

    Portability: reportedly, Solaris 2.5.1 can hang waiting
    for a UNIX-domain connection to be accepted, so it gets
    the same workaround that was designed for LINUX. Problem
    reported by Scott Cotton.

19981112

    Management: "vmailer stop" now allows delivery agents to
    finish what they are doing, like "vmailer reload".

    Management: "vmailer abort" causes immediate termination.

    Workaround: zombie processes pile up with HP-UX. Reason:
    select() does not return upon SIGCHLD when SA_RESTART is
    specified to sigaction(). Workaround: shorten the select()
    timer to 10 seconds, #ifdef BRAINDEAD_SELECT_RESTARTS.
    Thanks, Lamont Jones.

19981117

    Rename: VMailer is now Postfix. Sigh.

19981118

    Cleanup: generalized the safe_open() routine so that it is
    no longer limited to mailbox files, lock files, etc.

    Bugfix (found during code review): vstream*printf() could
    run off the end of a stream buffer after an I/O error,
    because vbuf_print() ignored the result from VBUF_SPACE().

    Bugfix (found during code review): resolve_local() could
    clobber its argument, but the docs didn't say so.

19981121

    Cleanup: the is_header() routine now allows 8-bit data in
    header labels.

19981123

    Bugfix (found during code review): the mail_queue_enter()
    path argument wasn't optional. File: global/mail_queue.c

19981124

    Cleanup: eliminated redundant tests for a zero result from
    vstream_fdopen(). Unlike the stdio fdopen() routine, the
    vstream_fdopen() routine either succeeds or never returns.

    Bugfix: the queue manager now looks at the clock before
    examining a file time stamp, to avoid spurious complaints
    about time warps on busy machines. File: qmgr/qmgr_active.c.

19981125

    Compatibility: allow trailing dot at the end of user@domain.
    Address canonicalization now strips it off. Issue brought
    forward by Eilon Gishri. File: trivial-rewrite/rewrite.c.

    Robustness: changed DNS lookup order of MAIL FROM etc.
    domains from MX then A to A then MX, just in case the MX
    lookup fails with a server error.

    Renamed vmcat, vmlock, vmlogger, vmtrigger to postcat,
    postlock, postlog, postkick. Also renamed mkmap and mkalias
    to postmap and postalias.

19981126

    Workaround: Lamont Jones found a way for HP-UX to terminate
    select() after SIGCHLD. The code is #ifdef USE_SIG_RETURN.
    Files: util/sys_defs.h, master/master_sig.c.

    Bugfix: the Delivered-To: loop detection code had stopped
    working, when long ago the is_header() routine was changed.
    File: local/delivered.c.

19981128

    Bugfix: postcat opened queue files read-write, where only
    read access was needed. File: postcat/postcat.c.

19981129

    Safety: added a sleep(1) to all fatal and panic exits.
    File: util/msg.c.

19981201

    Robustness: postcat now insists that a file starts with a
    time record.

    Consistency: added "-c config_dir" command-line options
    where appropriate.

19981202

    Man pages, on-line version.

19981203

    Man pages, html version; overview documentation.

19981206

    Sendmail silently accepted the unsupported -qRsite and
    -qSsite options. It now prints an error message and
    terminates.

    Separated the contributed tree from the IBM code; moved
    the LDAP and NEXTSTEP/OPENSTEP code to the contributed
    source tree because obviously I didn't write it.

19981206-9

    Had to write a postconf configuration utility in order to
    reliably find out about all configuration parameters and
    their defaults.

    Documentation bugfixes by Matt Shibla, Scott Drassinower,
    Greg A. Woods.

19981209

    On machines with short hostnames, postconf -d cored while
    reporting a fatal error. It should not report that error
    in the first place. Thanks, Eilon Gishri.

    Changed the FAQ entry about rejecting mail for *.my.domain
    on a firewall. Chip Christian was right, I was wrong.

19981214

    Portability: with GNU getopt, optind is not initially 1,
    breaking an assumption in sendmail/sendmail.c. Liviu Daia.

    Annoyance: on non-networked systems, don't warn that only
    one network interface was found. File: global/inet_addr_local.c.
    Reported by several.

    Bugfix: on non-networked systems, the smtp client assumed
    that it was running in virtual host mode, and would bind
    to the loopback interface. File: smtp/smtp_connect.c. Liviu
    Daia, again.

19981220

    Robustness: when looking up an A or MX record, do not give
    up when the A query fails because of a server error. File:
    dns/dns_lookup.c. Reported by Scott Drassinower.

19981221

    Bugfix: "bounce mail for non-existent virtual user" didn't
    work when a non-default relay host was configured in main.cf
    or in the transport table. File: qmgr/qmgr_message.c.

    Bugfix: the maildrop directory should not be world-readable.
    Files: conf/postfix-script, showq/showq.c.

    Documentation: fixed several omissions and errors.

    Documentation: removed references to the broken recipient
    feature delimiter configuration parameter.

    Bugfix: write mailbox file as the recipient, so that file
    quotas work as expected.

    Bugfix: pickup would die when it tried to remove a non-file
    in the maildrop directory (Jeff Wolfe).

19981222

    Sendmail no longer logs the queue ID when it is unable to
    notify the pickup daemon. This is a late addition to the
    "unreadable maildrop queue" patch.

    user.lock files are now created as root, so that postfix
    needs no group directory write permission.

19981224

    Security: allow queue file link counts > 1, to avoid
    non-delivery of maildrop files with links to a non-maildrop
    directory. Files: global/mail_open_ok.c, and anything
    that calls this code (qmgr, pickup, showq). If multiple
    hard links are a problem, see the set-gid "postdrop" utility
    below.

19981225

    Robustness: the queue manager no longer aborts when a queue
    file suddenly disappears (e.g. because the file was removed
    by hand).

    Feature: when a writable maildrop directory is a problem,
    sites can make the new "postdrop" utility set-gid. This
    command is never used when the maildrop directory is
    world-writable.

    Robustness: make the queue file creation routine more
    resistant against denial of service race attack.
    File: global/mail_queue.c

19981226

    New suid_priv module to enable/disable privileges in a
    set-uid/gid program. In the end I decided to not use it.

19981228

    Robustness: make the pickup daemon more resistant against
    non-file race attack.

    Cleanup: generic mail_stream.c interface for writing queue
    file streams to files, daemons or commands. This simplifies
    the code in smtpd and in sendmail that must be able to pipe
    mail through the postdrop command. The cleanup daemon has
    been modified to use the same interface. Result: less code.

    Feature: smtpd now logs the only recipient in Received:
    headers.

    Feature: separate command and daemon directories. Both
    default to $program_directory. Install conf/postfix-script
    if you want to use this feature.

19981230

    Patch to avoid conflict with non-writable top-level Makefile
    (Lamont Jones).

19981231

    Portability: port to UnixWare 7 by Ronald Joe Record, SCO.

19990104

    Bugfix: fencepost (Jon Ribbens, Oaktree Internet Solutions
    Ltd.) Files: quote_82[12]_local.c.

    Bugfix: wrong default for relay_domains (Juergen Kirschbaum,
    Bayerische Landesbank). File: mail_params.h.

    Bugfix: changed 5xx response for "too many recipients" to
    4xx. File: smtpd.c.

19990106

    Feature: defer_transports specifies the names of transports
    that should be used only when "sendmail -q" (or equivalent)
    is issued. For example, "defer_transports = smtp" is useful
    for sites that are disconnected most of the time. File:
    qmgr_message.c.

19990107

    Feature: local_command_shell specifies a non-default shell
    for delivery to command by the local delivery agent. For
    example, "local_command_shell = /some/where/smrsh -c"
    restricts what may appear in "|command" destinations.
    File: global/pipe_command.c.

19990112-16

    Feature: SMTP command pipelining support based on an initial
    version by Jon Ribbens, Oaktree Internet Solutions Ltd.
    This one took several days of massaging before I felt
    comfortable about it. Files: smtp.c, smtp_proto.c.

    Bugfix: the SMTP server would flush responses one-by-one,
    which caused suboptimal performance with pipelined clients.
    The vstream routines now flush the write buffer when the
    read() routine is called, instead of flushing when the
    application changes from writing to reading. Delayed flush
    prevents the SMTP server from flushing responses one-by-one
    and thus triggering Nagle's algorithm. File: util/vstream.c.

19990117

    Bugfixes and enhancements to the smtpstone tools by Drew
    Derbyshire, Kendra Electronic Wonderworks: send helo command,
    send message headers, format the message content to lines
    < 80, work around NT stacks, make "." recognition more
    robust. Files: smtp-source.c, smtp-sink.c.

    Strategy: look at the deferred queue only when the incoming
    queue is empty; limit the number of recipients read from
    a queue file depending on the number of recipients already
    in core. Files: qmgr.c, qmgr_message.c.

    Feature: postponed anti-UCE restrictions. The decision to
    reject junk mail on the basis of the client name/address,
    HELO hostname or sender address can now be postponed until
    the RCPT TO command (or HELO or MAIL FROM if you like).
    File: smtpd_check.c.

19990118

    Feature: incremental updates of alias databases and of
    other lookup tables. Both postalias and postmap now take
    a -i option for incremental updates from standard input.
    Files: global/mkmap_*.c, post{map,alias}/post{map,alias}.c.

    Compatibility: newaliases can now update multiple alias
    databases: list them in the "alias_database" parameter in
    main.cf. By the same token, postalias can now update multiple
    maps in one command. Files: post{map,alias}/post{map,alias}.c

    Feature: mail to <> is now sent to the address specified
    with the "empty_address_recipient" configuration parameter
    which defaults to MAILER-DAEMON (idea by Lamont Jones,
    Hewlett-Packard). File: cleanup/cleanup_envelope.c.

    Compatibility: the transport table now uses .domain.name
    to match subdomains, just like sendmail mailer tables (patch
    by Lamont Jones, Hewlett-Packard).

    Feature: mailq now ends with a total queue size summary
    (Eilon Gishri, Israel Inter University Computation Center).

19990119

    Feature: address masquerade exceptions for user names listed
    in the "masquerade_exceptions" configuration parameter.
    File: cleanup/cleanup_masquerade.c.

    Feature: qmail-style maildir support, based on initial code
    by Kevin W. Brown, Quantum Internet Services Inc.

    Workaround: Solaris 2.something connect() fails with
    ECONNREFUSED when the system is busy (Chris Cappuccio,
    Empire Net). File: global/mail_connect.c.

    Feature: the cleanup service now adds a Return-Path: header
    when none is present. This header is needed for some mail
    delivery programs (see below). File: cleanup_message.c.

    Feature: the pipe mailer now supports $user, $extension
    and $mailbox macros in command-line expansions. This, plus
    the Return-Path: header (see above), should be sufficient
    to support cyrus IMAP out of the box. Based on initial
    code by Joerg Henne, Cogito Informationssysteme GMBH.
    File: pipe/pipe.c.

    Bugfix: with address extensions enabled, canonical and
    virtual lookups now are done in the proper order:
    user+foo@domain, user@domain, user+foo, user, @domain.
    File: global/mail_addr_find.c.

19990119

    Feature: the local mailer now prepends a Received: message
    header with the queue ID to forwarded mail, in order to
    make message tracing easier. File: local/forward.c.

    Cleanup: after "postfix reload", no more broken pipe
    complaints from resolve/rewrite clients.

19990121

    Feature: pickup (again) logs uid and sender address. On
    repeated request by Scott Cotton, Internet Consultants
    Group, Inc.

    Portability: doze() function for systems without usleep().

    Cleanup: clients are now consistently logged as host[address].

19990122

    Maildir support changed: specify "home_mailbox = Maildir/".
    The magic is the trailing /. Suggested by Daniel Eisenbud,
    University of California at Berkeley.

    Maildir support from aliases, :include: and .forward files.
    Specify /file/name/ - the trailing / is required. Suggested
    by Daniel Eisenbud, University of California at Berkeley.

    Workaround: watchdog timer to prevent the queue manager
    from locking up on some systems.

    Bugfix: in Received: headers, the "for <recipient>"
    information was in the wrong place. Pointed out by Jon
    Ribbens, Oaktree Internet Solutions Ltd.

19990124

    Portability: more workarounds for GNU getopt() by Liviu
    Daia, Institute of Mathematics, Romanian Academy. File:
    sendmail/sendmail.c.

19990125

    Bugfix: Postfix should not masquerade recipient addresses
    extracted from message headers. Problem reported by David
    Blacka, Network Solutions. File: cleanup/cleanup_message.c.

19990126

    Feature: smtpd_etrn_restrictions parameter to restrict who
    may use ETRN and what domains may be specified. Example:
    "smtpd_etrn_restrictions = permit_mynetworks, reject".
    Requested by Jon Ribbens, Oaktree Internet Solutions Ltd.
    File: smtpd/smtpd_check.c.

19990127

    Bugfix: in an attempt to shave some cycles, the anti junk
    mail routines would use the wrong resolved address. This
    "optimization" is now turned off. Problem reported by Sam
    Eaton, Pavilion Internet Plc. File: smtpd/smtpd_check.c.

    Feature: BIFF notifications. For compatibility reasons
    this feature is on by default. This "protocol" can be a
    real performance pig. Specify "biff = no" in main.cf if
    your machine has lots of shell users. Feature requested by
    Dan Farmer - it's one of the things one does for friends.
    Files: local/mailbox.c, local/biff_notify.c.

    Bugfix: another case sensitivity problem, this time with
    virtual lookups to recognize unknown@virtual.domain.
    Problem reported by Bo Kleve, Linkoping University. File:
    qmgr/qmgr_message.c.

19990128

    Feature: with "soft_bounce = yes", defer delivery instead
    of bouncing mail. This is a safety net for configuration
    errors with delivery agents. It has no effect on errors in
    virtual maps, canonical maps, or in junk mail restrictions.
    Feature requested by Bennett Todd. File: global/bounce.c.

19990129

    Compatibility: the qmail maildir.5 documentation prescribes
    maildir file names of the form time.pid.hostname, which is
    wrong because Postfix processes perform multiple deliveries.
    Elsewhere the qmail author has documented how maildir files
    should be named under such conditions. Postfix has been
    changed to be conformant. File: local/maildir.c.

19990131

    Feature: special treatment of owner-foo and foo-request
    can be turned off. Specify "owner_request_special = no".
    Requested by Matthew Green and others. Files: local/alias.c,
    global/split_addr.c. This affects canonical, virtual and
    alias lookups.

19990204

    Portability: signal handling for HP-UX 9 by Lamont Jones
    of Hewlett Packard. File: master/master_sig.c.

    Robustness: disable random walk inside a per-site queue to
    avoid message starvation under heavy load. File: qmgr_entry.c.

    Robustness: under some conditions the queue manager could
    declare a host dead after just one delivery failure. File:
    qmgr_queue.c.

19990212

    Feature: skip SMTP servers that greet us with a 4XX status
    code. Example: "smtp_skip_4xx_greeting = yes". By default,
    the Postfix SMTP client defers delivery when a server
    declines talking to us. File: smtp/smtp_connect.c.

    Robustness: upon startup the queue manager now moves active
    queue files to the incoming queue instead of the deferred
    queue, to avoid anomalous delivery delays on systems that
    have a huge incoming queue. Files: qmgr/qmgr.c,
    qmgr/qmgr_active.c, global/mail_flush.c, conf/postfix-script*

19990213

    Robustness: added watchdog timers to avoid getting stuck
    on systems with broken select() socket implementations.
    Files: qmgr_transport.c, qmgr_deliver.c.

19990218

    Feature: NFS-friendly delivery to mailbox by avoiding the
    use of root privileges as much as possible. With input by
    Mike Muus, Army Research Lab, USA.

    Feature: the smtp-sink test server now supports SMTP command
    pipelining. To this end we had to generalize the timer and
    vstream support. Poor performance is fixed 19990222.

    Cleanup: timer event routines now have the same interface
    as read/write event routines (event type + context).
    File: util/events.c.

    Feature: new vstream_peek() routine to tell how much unread
    data is left in a VSTREAM buffer. This is the vstream
    variant of the peekfd() routine for kernel read buffers.
    File: util/vstream.c.

    Feature: directory scanning support for hashed mail queue
    directories. So far the results are disappointing: with
    depth = 2 (16 directories with 16 subdirectories), mailq
    takes 5 seconds with an empty queue unless all directories
    happen to be cached in memory. We need a bit map before
    hashed queue directories become practical. Depth=1 hashing
    doesn't slow down mailq much, but doesn't help much either.
    Files: util/scan_dir.c, global/mail_scan_dir.c.

19990221

    Workaround: with "ignore_mx_lookup_error = yes", the SMTP
    client always performs an A lookup when an MX lookup could
    not be completed, rather than treating MX lookup failure
    as a temporary error condition. Unfortunately there are
    many broken DNS servers on the Internet. File: smtp/smtp_addr.c.

19990222

    Performance: rewrote the guts of the smtp-sink test server
    so it can do pipelining without losing performance.

19990223

    Workaround: hotmail.com sometimes drops the connection
    after "." (causing misleading diagnostics to be logged) or
    waits minutes after receiving QUIT. Solution: do not wait
    for the response to QUIT. File: smtp/smtp_proto.c. This
    is turned off with: "smtp_skip_quit_response = no".

19990224

    Feature: the pipe mailer accepts user=username:groupname,
    based on code submitted by Philip A. Prindeville, Mirapoint,
    Inc., USA. File: pipe/pipe.c.

    Workaround: use file locking to prevent multiple processes
    from select()ing on the same socket. This causes performance
    problems on large BSD systems. Files: master/*_server.c.

19990225

    Bugfix: with "inet_interfaces = 127.0.0.1", don't bind to
    the loopback interface. Problem reported by Steve Bellovin
    of AT&T. File: smtp/smtp_addr.c.

    Feature: "postsuper" command to remove stale queue files
    to update queues after changes to the queue structure
    parameters (hash_queue_names, hash_queue_depth). This
    command is to be run from the postfix-script maintenance
    shell script.

19990301

    Feature: new postconf -h (suppress `name = ' in output)
    option to make the program easier to use in, e.g., shell
    scripts.

    Feature: dict_unix module so you can add the UNIX passwd
    table to the SMTPD access control list.

19990302

    Feature: "luser_relay = destination" captures mail for
    non-existent local recipients. This works only when the
    local delivery agent does mailbox delivery (including
    delivery via mailbox_command), not when mailbox delivery
    is delegated to another message transport.

    Feature: new reject_non_fqdn_{hostname,sender,recipient}
    restrictions to require fully.qualified.domain forms in
    HELO, MAIL FROM and RCPT TO commands (while still allowing
    the <> sender address).

19990304

    Bugfix: backed out the 19990119 change to always insert
    Return-Path: if that header is not present. The pipe and
    local agents now are responsible for prepending Return-Path:.
    Files: cleanup/cleanup_message.c, global/mail_copy.[hc],
    pipe/pipe.c, global/header_opts.c. This causes an incompatible
    change to the pipe flags parameter, because Return-Path:
    now must be requested explicitly.

19990305

    Bugfix: showq (the mailq server) incorrectly assumed that
    all recipients of a deferred message are listed in the
    corresponding defer logfile. It now lists all recipients.
    Files: showq/showq.c, cleanup/cleanup_envelope.c (ensure
    that sender records always precede recipient records).

    Cleanup: smtpd HELO restrictions validate [numerical] forms.
    Files: util/valid_hostname.c, smtpd/smtpd_check.c. Initial
    code by Philip A. Prindeville, Mirapoint, Inc., USA.

19990306

    Cleanup: re-vamped the valid_hostname module, and added a
    maximal label length (63) requirement.

    Feature: fallback_relay parameter to specify extra backup
    hosts in case the regular relay hosts are not found or not
    available. Files: smtp/smtp_addr.c.

    Feature: "always_bcc = address" specifies where to send a
    copy of each message that enters the system. However, if
    that copy bounces, the sender will be informed of the
    bounce. Files: smtpd/smtpd.c, pickup/pickup.c

    Compatibility: the transport map will now route on top-level
    domains, so you can dump all of .bitnet to a bitnet relay.

19990307

    Feature: LDAP lookups, updated by Jon Hensley, Merit Network,
    USA.

    Feature: regular expression (PCRE) support by Andrew
    McNamara, connect.com.au Pty. Ltd., Australia. In order to
    use this code specify pcre:/file/name. You can use this
    anywhere you would use a DB or DBM file, NIS or LDAP. See:
    PCRE_README for how to enable this code.

    Feature: "delay_warning_time = 4" causes Postfix to send
    a "your mail is delayed" notice after approx. 4 hours.
    Daniel Eisenbud, University of California at Berkeley.
    Files: qmgr/qmgr_active.c, qmgr/qmgr_message. Postmaster
    notices for delayed mail are disabled by default. In order
    to receive postmaster notices, specify "notify_classes =
    ... delay ...".

    Cleanup: do not send undeliverable bounced mail to postmaster.
    This was causing lots of pain with junk mail from bogus
    sender addresses to non-existent recipients.
    This change was reversed 19990311.

19990308

    Bugfix: the dotforward routine was too eager with throwing
    away extension information, so that the Delivered-To: info
    would differ for \mailbox and |command. Problem reported
    by Rafi Sadowski, Open University, Israel.

    Bugfix: seems I never got around to fixing the btree access
    method. I finally did. Problem reported by: Matt Smith,
    AvTel Communications Inc., USA.

19990311

    Back by popular demand: with "notify_classes = 2bounce ..."
    Postfix will send undeliverable bounced mail to postmaster.
    The default is to not send double bounces. This change
    reverses a change made on 19990307.

19990312

    Feature: configurable exit handler for server skeletons.
    Philip A. Prindeville, Mirapoint, Inc., USA. Files:
    master/*server.c.

    Feature: mail_spool_directory configuration parameter to
    specify the UNIX mail spool directory. The default setting
    is system dependent.

19990313

    Cleanup: share file descriptors for resolve and rewrite
    client connections. This puts less strain on the trivial-rewrite
    service.

    Portability: support for UnixWare 2.1 by Dmitry E. Kiselyov,
    Nizhny Novgorod City Health Emergency Station.

    Feature: configurable delays in the smtpstone test programs.
    With input by Philip A. Prindeville, Mirapoint, Inc., USA.
    Files: smtpstone/*.c.

    Bugfix: a "signal 11" problem in the trivial-rewrite program
    that would occasionally happen after "postfix reload".
    Reason: some rewrite clients would clobber their input,
    and when they had to retransmit the query, the input would
    be a zero-length string, which trivial-rewrite isn't supposed
    to receive.

19990314

    Feature: "mailbox_transport = cyrus" delegates all local
    mailbox delivery to a master.cf entry called "cyrus" (the
    same trick for procmail), including users not found in the
    UNIX passwd database. This gives the flexibility of $name
    expansions by the pipe mailer, without losing local aliases
    and ~/.forward processing. Result of discussions with Rupa
    Schomaker, RS Consulting.

19990315

    Feature: the mydestination parameter can now be an empty
    string, for hosts that don't receive any mail locally. Be
    sure to specify a default route for mail that comes to the
    machine or mail will loop.

19990316

    Bugfix: the SMTPD check scaffolding didn't apply the same
    sanity checks as the production code. Problem reported by
    Alain Thivillon, Herve Schauer Consultants, France. File:
    smtpd/smtpd_check.c.

    Portability: some systems can have more than 59 seconds in
    a minute. Based on a fix by Liviu Daia, Institute of
    Mathematics, Romanian Academy. File: global/mail_date.c.

    Enhancement: include the client network address in the
    rejected by RBL response. Lamont Jones, Hewlett-Packard.

    Workaround: use fstat() to figure out if the maildrop is
    world-writable. access() uses the real uid, which stinks.

    Robustness: don't do partial address lookups (user@, domain,
    user, @domain) with regexp-style tables.

    Security: don't allow regexp-style tables to be used for
    aliases. It would be too easy to slip in "|command" or
    :include: or /file/name.

19990317

    Feature: "fallback_transport = cyrus" delegates non-UNIX
    recipients to a master.cf entry called "cyrus", allowing
    you to have both UNIX and non-UNIX mailboxes side by side.

19990319

    Workaround: on 4.4 BSD derivatives, fstat() can return
    EBADF on an open file descriptor. Now, that was a surprise.
    This caused std{out,err} from cron commands to not be
    delivered.

    Bugfix: "local -v" stopped working.

    Workaround: more watchdog timers for postfix-unfriendly
    systems. By now every Postfix daemon has one. Call it life
    insurance.

    Robustness: increased the maximal time to receive or deliver
    mail from $ipc_timeout (default: 3600 seconds) to the more
    generous $daemon_timeout (default: 18000 seconds). We don't
    want false alarms.

    Portability: IRIX 5.2 does not have usleep().

19990320

    Bugfix: \username was broken. Frank Dziuba was the first
    to notice.

19990321

    Workaround: from now on, Postfix on Solaris uses stream
    pipes instead of UNIX-domain sockets. Despite workarounds,
    the latter were causing more trouble than anything else on
    all systems combined.

19990322

    Portability: the makedefs would mis-identify IRIX 6.5.x as
    IRIX 5.x. Fix by Brian Truelsen of Maersk Mc-Kinney Moller
    Institute for Production Technology, Denmark.

    Feature: reject_unknown_recipient_domain restriction for
    recipient addresses. For the sake of symmetry, we now also
    have reject_unknown_sender_domain. This means the old
    reject_unknown_address restriction is being phased out.
    Suggested by Rask Ingemann Lambertsen, Denmark Technical
    University.

    Feature: unknown sender/recipient domain restrictions now
    distinguish between soft errors (always: 450) and hard
    errors (configurable with the unknown_address_reject_code
    parameter, default: 450; use 550 at your own risk).

    Feature: no HELO junk mail restrictions means that no syntax
    check will be done on HELO/EHLO hostname arguments.

    Bugfix: the initial Solaris workaround for UNIX-domain
    sockets could cause the queue manager to block if Postfix
    ran into a delivery agent process limit.
    After another code rewrite that problem is eliminated.
    Thanks to Chris Cappuccio, Empire Net, for assistance
    with testing.

19990323

    Bugfix: too much forwarding when users list their own name
    in their .forward file (e.g. mail to user@localhost would
    go through .forward, would be forwarded to user@$myorigin,
    and would go through .forward again). Problem reported by
    Roman Dolejsi, Prague University of Economics.

19990324

    Bugfix: missing map name in check_xxx_access restrictions
    could cause a segmentation error. Lamont Jones,
    Hewlett-Packard.

    Feature: forward_path configuration parameter (default:
    $home/.forward$recipient_delimiter$extension,$home/.forward).
    Based on initial code by Philip A. Prindeville, Mirapoint,
    Inc., USA. Files: local/dotforward.c.

19990325

    Workaround: Solaris NIS alias maps need special entries
    (YP_MASTER_NAME, YP_LAST_MODIFIED). What's worse, normal
    keys/values include a null byte at the end, but the YP_XXX
    ones don't. Problem reported by Walcir Fontanini, State
    University of Campinas, Brazil. File: postalias/postalias.c.

    Compatibility: Solaris NIS apparently does include a null
    byte at the end of keys and values. File: util/sys_defs.h.

    Feature: library support for config parameters that are
    not $name expanded at program start-up. This was needed
    for forward_path, and will also be needed to make message
    headers customizable.

    Bugfix: pcre didn't handle \\ right. Lamont Jones,
    Hewlett-Packard. File: util/dict_pcre.c.

19990326

    Compatibility: Postfix now puts two spaces after the sender
    in a "From sender date..." header. Found by John A. Martin,
    fixed by Lamont Jones, Hewlett-Packard.

    Bugfix: when a recipient appeared multiple times in a local
    alias or include expansion, the delivery status could be
    left uninitialized, causing the mail to be deferred and
    delivered again. File: local/recipient.c.

19990327

    Cleanup: the dictionary routines now take an extra flag
    argument to control such things as warning about duplicates,
    and appending null bytes to key/value. The latter was needed
    for a clean implementation of NIS master alias maps support.

    Feature: POSIX regular expressions by Lamont Jones. See
    config/sample-regexp.c. Right now, enabled on *BSD and
    LINUX only.

19990328

    Code cleanup: dictionaries now have flags that say whether
    lookup keys are fixed strings or whether keys are subjected
    to pattern matching. This is needed to avoid passing partial
    addresses to regexp-based lookup tables (user, @domain,
    user@, domain). Files: util/dict*.c.

    Bugfix: fixed memory leaks and core dumps in the regexp
    and pcre routines (neither handled an empty pattern file).

19990329

    Code cleanup: the dictionary I/O routines now do their own
    locking depending on dictionary flag settings. This means
    that the low-level dict_get() interface can now be used
    for safe dictionary lookups. This is needed for 19990328's
    partial lookup key support. Files: util/dict*.c, global/maps.c.

    Feature: regular expression matches are no longer limited
    to user@domain address forms in access/canonical/virtual
    maps, but can also be used for domains in transport maps.
    This needed the partial lookup key support to avoid passing
    partial addresses to regexp-based lookup tables (user,
    @domain, user@, domain). Files: global/maps.c,
    global/mail_addr_find.c.

    Feature: new dictionary types can be registered with
    dict_open_register(). File: util/dict_open.c.
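
The key order from the 19990119 mail_addr_find.c entry, combined with the 19990328/19990329 rule that partial keys never reach pattern-based tables, as an added C sketch. It is not Postfix source: build_lookup_keys(), lookup_key_at(), enum table_kind and the '+' delimiter are hypothetical names and values, and treating the extension-stripped user@domain as a full address is an assumption.

```c
#include <stdio.h>
#include <string.h>

#define KEY_MAX  256            /* longest address this sketch accepts */
#define MAX_KEYS 5

/* Hypothetical stand-in for the per-dictionary "fixed vs. pattern" flag. */
enum table_kind { TABLE_FIXED, TABLE_PATTERN };

struct key_list {
    char keys[MAX_KEYS][KEY_MAX];
    int  count;
};

/* Append a key unless an identical key is already queued. */
static void add_key(struct key_list *kl, const char *key)
{
    for (int i = 0; i < kl->count; i++)
        if (strcmp(kl->keys[i], key) == 0)
            return;
    if (kl->count < MAX_KEYS && strlen(key) < KEY_MAX)
        strcpy(kl->keys[kl->count++], key);
}

/*
 * Fill `out` with the keys to try, in order, for one address.
 * Returns the number of keys, or -1 for an address that is too
 * long or lacks a non-empty local part and domain.
 */
int build_lookup_keys(const char *addr, char delim,
                      enum table_kind kind, struct key_list *out)
{
    char user[KEY_MAX], bare[KEY_MAX], buf[KEY_MAX];
    const char *at = strrchr(addr, '@');
    char *ext;

    out->count = 0;
    if (strlen(addr) >= KEY_MAX || at == NULL || at == addr || at[1] == '\0')
        return -1;

    /* Split into local part and domain at the last '@'. */
    memcpy(user, addr, (size_t)(at - addr));
    user[at - addr] = '\0';

    /* Strip the extension: cut at the first delimiter after char 0. */
    strcpy(bare, user);
    ext = delim ? strchr(bare + 1, delim) : NULL;
    if (ext)
        *ext = '\0';

    add_key(out, addr);                         /* user+foo@domain */
    snprintf(buf, sizeof buf, "%s%s", bare, at);
    add_key(out, buf);                          /* user@domain */

    /* Pattern tables stop here: no partial key ever reaches a regexp. */
    if (kind == TABLE_PATTERN)
        return out->count;

    add_key(out, user);                         /* user+foo */
    add_key(out, bare);                         /* user */
    add_key(out, at);                           /* @domain */
    return out->count;
}

/* Return key number n (0-based) for an address, or NULL if there is none. */
const char *lookup_key_at(const char *addr, char delim,
                          enum table_kind kind, int n)
{
    static struct key_list kl;

    if (build_lookup_keys(addr, delim, kind, &kl) < 0 || n < 0 || n >= kl.count)
        return NULL;
    return kl.keys[n];
}

int main(void)
{
    const char *addr = "user+foo@example.com";  /* constructed sample */
    struct key_list kl;

    build_lookup_keys(addr, '+', TABLE_FIXED, &kl);
    for (int i = 0; i < kl.count; i++)
        printf("fixed   table key %d: %s\n", i + 1, kl.keys[i]);
    build_lookup_keys(addr, '+', TABLE_PATTERN, &kl);
    for (int i = 0; i < kl.count; i++)
        printf("pattern table key %d: %s\n", i + 1, kl.keys[i]);
    return 0;
}
```

An unanchored pattern written for full addresses would also match a bare "user" or "@domain" key, which is why the pattern branch returns before the partial keys are added.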

19990330

    Bug fix: match_list membership dictionary lookups were case
    sensitive when they should not be. Patch by Lutz Jaenicke,
    BTU Cottbus, Germany.

19990402

    Feature: $domain macro support in forward_path. Philip A.
    Prindeville, Mirapoint, Inc., USA. File: local/dotforward.c.

    Feature: if an address extension (+foo) is explicitly
    matched by the .forward+foo file name, do not propagate
    the extension to recipient addresses. This is more consistent
    with the way aliases are expanded. File: local/dotforward.c.

19990404

    Bugfix: after receiving mail, the SMTP server didn't reset
    the cleanup error flag, so that multiple deliveries over
    the same SMTP session could fail due to errors with previous
    deliveries. Found by Lamont Jones, Hewlett-Packard.

19990405

    Feature: MIME-encapsulated bounces. Philip A. Prindeville,
    Mirapoint, Inc., USA. File: bounce/bounce_notify_service.c

    Cleanup: vstreams now properly look at the EOF flag before
    attempting to read, eliminating the need for typing Ctrl-D
    twice to test programs; the EOF flag is reset after each
    unget or seek operation. Files: util/vstream.c, util/vbuf.c.

    Feature: in preparation for configurable message headers
    the mac_parse() routine now balances the parentheses in
    ${name} or $(name). We need this in order to support
    conditional expressions such as ${name?text} where `text'
    contains other ${name} expressions.

19990406

    Cleanup: changed MIME header information to make bounces
    more RFC 1892 compliant.

19990407

    Feature: "best_mx_transport = local" delivers mail locally
    if the local machine is the best mail exchanger (by default,
    mail is bounced with a "mail loops back to myself" error).

    Config: in order to make feature tracking easier the source
    code distribution now has a copy of the default settings
    in conf/main.cf.default.

    Feature: separate configurable postmaster addresses for
    single bounces (bounce_notice_recipient), double bounces
    (2bounce_notice_recipient), delayed mail (delay_notice_recipient),
    and for other mailer errors (error_notice_recipient). The
    default for all is "postmaster".

19990408

    Workaround: on Solaris 2.x, the master appears to lose its
    exclusive lock on the master.pid file, so keep grabbing
    the lock each time the master wakes up from select().

    Robustness: don't flush VSTREAM buffers after I/O error.
    This prevents surprises when calling vstream_fclose() after
    truncating a mailbox to its original size.

    Portability: on LINUX systems, if <db_185.h> exists, don't
    look for <db/db.h>.

    Workaround: specify "sun_mailtool_compatibility = yes" to
    avoid clashes with the mailtool application. This disables
    kernel locks on mailbox files. Use only where needed.

    Portability: renamed readline to readlline, to avoid clashes
    with mysql.

19990409

    Bugfix: ignore temp queue files that aren't old enough.
    Problem reported by Vivek Khera, Khera Communications, Inc.

    Bugfix: fixed typo in dict_db.c that caused processes to
    not release DB shared locks.

    Feature: auto-detection of changes to DB or DBM lookup
    tables. This avoids the need to run "postfix reload" after
    changes to the smtp access table and other tables.

    Feature: regular expression checks for message headers.
    This requires support for POSIX or for PCRE regular
    expressions.
    Specify "header_checks = regexp:/file/name"
    or "header_checks = pcre:/file/name", and specify
    "/^header-name: badstuff/ REJECT" in the pattern file
    (patterns are case-insensitive by default). Code by Lamont
    Jones, Hewlett-Packard. It is to be expected that full
    content filtering will be delegated to an external command.

19990410

    Bugfix: auto-detection of changes to DB or DBM lookup tables
    wasn't done for TCP connections.

19990410

    Feature: $recipient expansion in forward_path. Philip A.
    Prindeville, Mirapoint, Inc., USA. File: local/dotforward.c

    Feature: the smtp client consistently treats a numerical
    hostname as an address. File: smtp/smtp_addr.c.

19990414

    Compatibility: support comment lines starting with # in
    $mydestination include files. This makes Postfix more
    compatible with sendmail.cw files. File: util/match_list.c.

    Feature: if your machines have short host names, specify
    "mydomain = domain.name", and you no longer have to specify
    "myhostname = host.domain.name". Files: global/mail_params.c,
    postconf/postconf.c.

19990420

    Cleanup: bounce mail when a mailbox goes over file quota,
    instead of deferring delivery. File: local/mailbox.c.

19990421

    Feature: auto-detection of changes to DB or DBM lookup
    tables now includes the case where a file is unlinked.
    Philip A. Prindeville, Mirapoint, Inc., USA. File:
    util/dict.c.

19990422

    Robustness: Lotus mail sends MAIL FROM: <@> instead of <>.
    Problem reported by Erik Toubro Nielsen, IFAD, Denmark.
    Files: trivial-rewrite/rewrite.c (@ becomes empty address)
    and global/rewrite_clnt.c (allow empty response).

    Bugfix: showq could segfault when writing to a broken pipe.
    Problem reported by Bryan Fullerton, Canadian Broadcasting
    Corporation. Files: util/vbuf_print.c.

    Cleanup: got rid of the "fatal: write error: Broken pipe"
    message when mailq output is piped into a program that
    terminates early.

    Cleanup: bounce messages are multipart/mixed with the error
    report as part of the first message segment, because users
    had trouble extracting the delivery error report from the
    attachment.

19990423

    Cleanup: the default junk mail reject code is now 554
    (service unavailable) rather than 550 (user unknown).

    Folded in the updated dict_ldap.c module by John Hensley,
    Merit Network, USA.

    Folded in the vstream_popen.c updates by Philip A.
    Prindeville, Mirapoint, Inc., USA. This copies a lot of
    code from pipe_command(); the next step is to trim that
    module.

19990425

    Workaround: renamed config.h to mail_conf.h etc. in order
    to avoid name collisions with LINUX (yes, they have a system
    include file called config.h). For compatibility with people
    who have written software for Postfix, there's a config.h
    that aliases the old names to the new ones. That file will
    go away eventually.

19990426

    Feature: error mailer, in order to easily bounce mail for
    specific destinations. In the transport table, specify:
    "host.domain error:host.domain is unavailable". Too bad
    that the transport table triggers on destination domain
    only; it would be nice to bounce specific users as well.

19990427

    Cleanup: "disable_dns_lookups = yes" now should disable
    all DNS lookups by the SMTP client.

19990428

    Bugfix: with DBM files, Postfix was watching the "dir" file
    modification time for changes. It should be watching the
    "pag" file instead.

19990429

    Cleanup: all callbacks in the master to server API now pass
    on the service name and the application-specific argument
    vector. Files: master/*server.c.

19990504

    Feature: conditional macro expansion. ${name?text} expands
    to text when name is defined, otherwise the result is empty.
    ${name:text} expands to text when name is undefined,
    otherwise the result is empty. File: util/mac_expand.c.

    Feature: conditional macro expansion of the forward_path
    configuration parameters of $user, $home, $shell, $recipient,
    $extension, $domain, $mailbox and $recipient_delimiter.
    Files: local/dotforward.c, local/local_expand.c.

19990506

    Cleanup: eliminated misleading warnings about unknown HELO
    etc. SMTPD restrictions when the HELO etc. information is
    not available. File: smtpd/smtpd_check.c.

19990507

    Feature: all smtpd reject messages now contain the MAIL
    FROM and RCPT TO addresses, if available.

19990508

    Feature: conditional macro expansion of the luser_relay
    configuration parameter. It is no longer possible to specify
    /file/name or "|command" destinations. File: local/unknown.c.

    Cleanup: changed the mac_parse interface so that the
    application callback routine can return status information.
    Updated the dict_regexp and dict_pcre modules accordingly.

    Cleanup: changed the mac_expand interface so that the caller
    provides an attribute lookup routine, instead of having to
    provide a copy of all attributes upfront. Files:
    util/mac_expand.c, local/local_expand.c.

    Feature: control over how address extensions are propagated
    to other addresses. By default, propagation of unmatched
    address extensions is now restricted to canonical and
    virtual mappings. Specify "propagate_unmatched_extensions
    = canonical, virtual, alias, forward, include" to restore
    previous behavior.

19990509

    Feature: USER, EXTENSION, DOMAIN, RECIPIENT (entire address)
    and MAILBOX (address localpart) environment variables are
    exported to shell commands (including mailbox_command).

    Feature: new command_expansion_filter parameter to control
    what characters may appear in message attributes that are
    exported via environment variables.

    Cleanup: SMTPD reject messages are more informative, and
    more complete sender/recipient information is logged for
    the local sysadmin.

19990510

    Bugfix: missing MIME header in postmaster bounce notices.
    Found by Samuel Tardieu, Ecole Nationale Superieure des
    Telecommunications, France.

    Feature: UCE restrictions are always delayed until RCPT
    TO, VRFY or ETRN. To change back to the default specify
    "smtpd_delay_reject = no" in /etc/postfix/main.cf.

    Bugfix: missing duplicate filter call. This caused too many
    deliveries when a user is listed multiple times in an alias.
    Reported by Hideyuki Suzuki, School of Engineering, University
    of Tokyo. Backed out on 19990512 because it caused problems.
    Fixed 19990513 but needs further study.

    Feature: it is now possible to move queue files back into
    the maildrop queue, so that they can benefit from changes
    in canonical and virtual mappings. In order to make this
    possible, some restrictions on queue file contents were
    relaxed. Files: pickup/pickup.c, cleanup/cleanup_extracted.c.

    Feature: made a start with integrating Joerg Henne's
    dictionary extensions to remove entries and to iterate over
    entries. That code is almost four months old by now.

19990511

    Feature: added a "undeliverable postmaster notification
    discarded" warning when mail is dropped on the floor.
    Requested by Michael Hasenstein, SuSE, Germany.

19990517

    Bugfix: reject_non_fqdn_sender/recipient would pass
    user@[ip_address] regardless of destination. Eric Cholet
    had the honor of suffering from this one.

19990527

    More SMTP client logging for easier debugging: the smtp
    client now logs hostname[ip.addr], and logs every failed
    attempt to reach an MX host, not just the last one.

19990601

    Bugfix: emit a blank line before a MIME boundary; the line
    is part of the boundary. File: bounce/bounce_notify_service.c.
    Wolfgang Segmuller, IBM Research.

19990610

    Bugfix: the "is this the loopback interface" test was
    broken. Reported by Claus Fischer @microworld.com. File:
    smtp/smtp_connect.c.

    Usability: added helpful warnings about restrictions that
    are being ignored after check_relay_domains, etc.

    Portability: Reliant Unix support by Gert-Jan Looy, Siemens,
    the Netherlands.

19990611

    Robustness: the postfix-script start-up procedure now
    detects a missing master program, avoiding misleading
    warnings that the mail system is already running. Fix
    suggested by David E. Smith @technopagan.org.

    Portability: Mac OS X Server Port by Mark Miller @swoon.net.

    Feature: on systems that use dotlock files for mailbox
    locking, the local delivery agent now will attempt to use
    dotlock files when delivering to user-specified files.
    Dotlock files for user-specified destinations are created
    with the privileges of the user. For backwards compatibility,
    Postfix will attempt to create dotlocks for user-specified
    destinations only when the user has parent directory write
    permission.

    Feature: specify "expand_owner_alias = yes" in order to
    use the right-hand side of an owner- alias, instead of
    using the left-hand side address. Needed by Juergen Georgi.

19990622

    Bugfix: the local delivery agent did not set user attributes
    when delivering to root, so that forward_path did not expand
    properly. Found by Jozsef Kadlecsik, KFKI Research Institute
    for Particle and Nuclear Physics, Hungary. File:
    local/dotforward.c.

    Bugfix: the unix:passwd.byname mechanism is not suitable
    for smtpd access control - the user name would have to end
    in @, or the access control software would have to be
    changed. Removed the example from the RELEASE_NOTES file.

19990623

    Bugfix: the smtp server did not reset the error flag after
    ".". Found by James Ponder, Oaktree Internet Solutions Ltd.
    File: smtpd/smtpd.c.

    Bugfix: fencepost error in the doze() routine (an usleep()
    replacement for systems without one). Found by Simon J
    Mudd. File: util/doze.c.

19990624

    Portability: support for AIX 3.2.5 (!) by Florian Lohoff
    @rfc822.org.

    Portability: Ultrix 4.3 support by Christian von Roques
    @pond.sub.org.

    Feature: mysql support by Scott Cotton and Joshua Marcus,
    Internet Consultants Group, Inc. Files: util/dict_myqsl.*.

19990627

    Bugfix: Postfix is now distributed under the new IBM Public
    License (version 1, dated June 14, 1999).

    Feature: the Delivered-To: header can be turned off for
    delivery to command or file/mailbox. The default setting
    is: "prepend_delivered_header = command, file, forward".
    Turning off the Delivered-To: header when forwarding mail
    is not recommended.

19990628

    Feature: the postlock command now returns EX_TEMPFAIL when
    the destination file is locked by another process.

19990705

    Workaround: in the SMTP client, move the "mail loops back
    to myself test" from the 220 greeting to the HELO response.
    This change does not weaken the test, and makes Postfix
    more robust against broken software that greets with the
    client hostname.

19990706

    Workaround: in the INSTALL file, use `&&' instead of `;'
    in (cd path; tar ...) pipelines because some UNIX re-invented
    shells don't bail out when cd fails. Matthias Andree
    @stud.uni-dortmund.de.

19990709

    Bugfix: $user was not set when delivering to a non-user.
    Found by Vladimir Ulogov @ rohan.control.att.com when
    configuring a luser_relay that contained $user.

19990714

    Robustness: add PATH statement to Solaris2 chroot setup
    script to avoid running the ucb commands. Problem found by
    Panagiotis Astithas @ ece.ntua.gr.

19990721

    Bugfix: don't claim a "mail loops to myself" error when
    the best MX host was not found in the DNS. Found by Andrew
    McNamara, connect.com.au Pty Ltd. File: smtp/smtp_addr.c.

19990810

    Feature: added "-c config_dir" support to the postconf
    command. This probably means that "-f file" will never be
    implemented.

19990812

    Bugfix: showq didn't print properly when listing a maildrop
    file. Fix by: Andrew McNamara, connect.com.au Pty Ltd.
    File: showq/showq.c.

    Feature: added SENDER to the list of parameters exported
    to external commands. File: local/command.c. Code by: Lars
    Hecking, National Microelectronics Research Centre, Ireland.

19990813

    Bugfix: sendmail -t (extract recipients from headers) did
    not work when the always_bcc feature was turned on. Reported
    by: Denis Shaposhnikov @ neva.vlink.ru.

19990813

    Bugfix: "sendmail -bd" returns a bogus exit status (the
    child process ID). Fix by Lamont Jones of Hewlett-Packard.
    File: sendmail/sendmail.c.

19990824

    Bugfix: null pointer dereference while rejecting VRFY before
    MAIL FROM.
    Found by Laurent Wacrenier @ fr.clara.net.

19990826

    Portability: more MacOS X Server patches; some NEXTSTEP/OPENSTEP
    code that had been removed for the first public beta release;
    NEXTSTEP/OPENSTEP now defaults to netinfo for the aliases
    database. Submitted by Gerben Wierda.

    Portability: workaround for a FreeBSD 3.x active network
    interface without IP address by Pierre Beyssac @ enst.fr.
    File: inet_addr_local.c.

19990831

    Workaround: sendmail now prints a warning when installed
    set-uid or when run by a set-uid command. Reportedly, the
    linuxconf software turns on the set-uid bit, which could
    open up a security loophole. File: sendmail/sendmail.c.

    Bugfix: Postfix daemons now temporarily lock DB/DBM files
    while opening them, in order to avoid "invalid argument"
    errors because some other process is changing the file.
    Files: util/dict_db.c, util/dict_dbm.c.

    Robustness: Postfix locks queue files during delivery, to
    prevent duplicate delivery when "postfix reload" is
    immediately followed by "sendmail -q". This involves a
    change of the deliver_request interface: delivery agents
    no longer need to open and close queue files explicitly.
    Files: global/deliver_request.c, pipe/pipe.c, smtp/smtp.c,
    local/local.c, qmgr/qmgr_active.c, qmgr/qmgr_message.c.

    Feature: reject_unauth_destination SMTP recipient restriction
    that rejects destinations not in $relay_domains. By Lamont
    Jones of Hewlett-Packard. File: smtpd/smtpd_check.c.

    Security: do not allow weird characters in the expansion
    of $names that appear in $forward_path. Just like with
    shell commands, replace bad characters in expansions by
    underscores. Configuration parameter: forward_expansion_filter.
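
The following C example is added here and is not Postfix source code. It implements the ${name?text} and ${name:text} expansion described under 19990504, with the balanced ${name} or $(name) delimiters from 19990405 and a caller-provided lookup routine, and it replaces disallowed characters in expanded values by underscores as described under 19990831. The function names, the 64-byte name limit, the allowed-character set, the treatment of a lone '$' and the sample attributes are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Postfix source: names, limits and ALLOWED are assumptions. */
#define ALLOWED "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-+.@/"

/* Caller-supplied attribute lookup; returns NULL when the name is undefined. */
typedef const char *(*lookup_fn)(const char *name);
struct outbuf { char *buf; size_t len, cap; };

/* Append one byte, refusing to write past the end of the buffer. */
static int put(struct outbuf *o, char c)
{
    if (o->len + 1 >= o->cap) return -1;
    o->buf[o->len++] = c;
    o->buf[o->len] = '\0';
    return 0;
}

/* Expand s[0..n) into o; returns 0, or -1 on syntax error or overflow. */
static int expand_span(const char *s, size_t n, lookup_fn lookup,
                       const char *allowed, struct outbuf *o)
{
    size_t i = 0;
    while (i < n) {
        char name[64];
        const char *val;
        size_t k = 0, end = n;
        int braced;
        if (s[i] != '$') {                      /* literal text, unfiltered */
            if (put(o, s[i++]) < 0) return -1;
            continue;
        }
        i++;                                    /* skip the '$' */
        braced = (i < n && (s[i] == '{' || s[i] == '('));
        if (braced) {
            char open = s[i], close = (open == '{') ? '}' : ')';
            int depth = 1;
            /* Balance nested delimiters so that text may hold ${name}. */
            for (end = ++i; end < n; end++) {
                if (s[end] == open)
                    depth++;
                else if (s[end] == close && --depth == 0)
                    break;
            }
            if (end == n) return -1;            /* missing close */
        }
        while (i + k < end && (isalnum((unsigned char) s[i + k]) || s[i + k] == '_'))
            k++;
        if (k == 0 && !braced) {                /* lone '$' stays literal */
            if (put(o, '$') < 0) return -1;
            continue;
        }
        if (k == 0 || k >= sizeof(name)) return -1;
        memcpy(name, s + i, k);
        name[k] = '\0';
        val = lookup(name);
        i += k;
        if (!braced || i == end) {              /* $name, ${name}, $(name) */
            for (; val != NULL && *val; val++)  /* filter: bad bytes -> '_' */
                if (put(o, strchr(allowed, *val) ? *val : '_') < 0)
                    return -1;
        } else if (s[i] == '?' || s[i] == ':') {
            /* '?' emits text if name is defined, ':' if it is undefined. */
            if ((val != NULL) == (s[i] == '?')
                && expand_span(s + i + 1, end - i - 1, lookup, allowed, o) < 0)
                return -1;
        } else {
            return -1;                          /* junk after the name */
        }
        if (braced) i = end + 1;
    }
    return 0;
}

/* Constructed sample attributes; "extension" carries shell metacharacters. */
static const char *demo_lookup(const char *name)
{
    if (strcmp(name, "home") == 0) return "/home/alice";
    if (strcmp(name, "user") == 0) return "alice";
    if (strcmp(name, "extension") == 0) return "news letter;x";
    return NULL;
}

/* Expand a pattern against the sample attributes; NULL on error. */
const char *demo(const char *pattern)
{
    static char buf[128];
    struct outbuf o = { buf, 0, sizeof(buf) };
    buf[0] = '\0';
    return expand_span(pattern, strlen(pattern), demo_lookup, ALLOWED, &o) ? NULL : buf;
}

int main(void)
{
    puts(demo("$home/.forward${extension?+$extension}"));
    return 0;
}
```

Only looked-up values pass through the filter; literal text in the pattern, which comes from the administrator's configuration, is copied unchanged.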

19990902

    Documentation: added a sample postfix alias to the examples
    in the INSTALL document and in the conf/aliases file.
    Reminded by Simon J. Mudd @ alltrading.com.

19990903

    Bugfix: in case of some error conditions the pickup daemon
    could leak small amounts of memory.

19990905

    Bugfix: no more "skipping further client input" warnings
    when a message header is rejected.

    Feature: reject_unauth_pipelining SMTP restriction that
    rejects mail from clients that improperly use SMTP command
    pipelining.

    Robustness: the LDAP client by default no longer looks up
    names containing "*". See the lookup_wildcards feature in
    LDAP_README. Update by John Hensley.

    Documentation: address masquerading with exceptions FAQ by
    Jim Seymour @ jimsun.LinxNet.com.

    Bugfix: mysql reconnect after disconnect by Scott Cotton
    Internet Consultants Group, Inc. File: util/dict_myqsl.c.

    Portability: the Postfix to PCRE interface now expects
    version 2.08. Postfix is no longer compatible with PCRE
    versions before 2.6.

19990906

    Feature: INSTALL.sh script that makes Postfix installation
    a bit less painful. This script can be used for installing
    and for upgrading Postfix. It replaces files instead of
    overwriting them, and leaves existing configuration and
    queue files intact.

19990907

    Bugfix: reject_non_fqdn_sender used the wrong test to see
    if a sender address was given and could dump core. This
    must have been broken ever since the UCE tests were moved
    to the RCPT TO stage in 19990510.

    Bugfix: check_sender_access was recognized as a valid
    restriction name only if a sender had been specified.

19990908

    Portability: Unixware has <sysexits.h> only after sendmail
    is installed. Changed postlock.c to use global/sys_exits.h.

19990909

    Performance: added one-entry cache to the address rewriting
    client and to the address resolving client. This is because
    UCE restrictions tend to produce the same query repeatedly.
    Files: global/rewrite_clnt.c, global/resolve_clnt.c.

    Feature: the UCE restrictions are now fully recursive so
    you can have per-client/helo/sender/recipient restrictions.
    Instead of OK, REJECT or [45]xx, you can specify a sequence
    of restrictions on the right-hand side of an SMTPD access
    table. This means you can no longer use canonical/virtual/alias
    maps as SMTPD access tables. But the loss is compensated
    for. File: smtpd/smtpd_access.c.

    Feature: restriction classes, essentially a short-hand for
    restriction lists. These short hands are useful mostly on
    the right-hand side of SMTPD access tables. You must use
    restriction classes in order to have lookup tables on the
    right-hand side of an SMTPD access table. File:
    smtpd/smtpd_access.c.

    Feature: "permit_recipient_map maptype:mapname" permits a
    recipient address when it matches the specified table.
    Lookups are done just as with canonical/virtual maps. With
    this, you can also use passwd/aliases as SMTPD access maps.
    File: smtpd/smtpd_access.c.

19990910

    Changed "permit_address_map" into "permit_recipient_map"
    and added a test for the case that they specify a lookup
    table on the right-hand side of an SMTPD access map. File:
    smtpd/smtpd_access.c.

    Cleanup: removed spurious sender address checks for <>.
    File: smtpd/smtpd_check.c.

    Cleanup: the smtp client now consistently logs host[address]
    for all connection attempts.

19990919

    Feature: in an SMTPD access map, an all-numeric right-hand
    side now means OK, for better cooperation with out-of-band
    authentication mechanisms.

19990922

    Security: recipient addresses must not start with '-', in
    order to protect external commands. The old behavior is
    re-instated when main.cf specifies: "allow_min_user =
    yes". Credits to Mads Kiilerich @ Kiilerich.com. File:
    qmgr/qmgr_message.c.

    Bugfix: after 19990831, the queue manager would throw away
    defer logs after deferring mail to known-to-be-dead hosts
    or message transports. This means that in some cases, mailq
    would not show why mail is delayed, and that delayed mail
    could be sent back with recipients missing from the error
    report. Reported by Giulio Orsero @ tiscalinet.it.

19990923

    Bugfix: the above bugfix broke bounces of mail with bad
    address syntax and relocated users. Problem diagnosed by
    Dick Porter @ acm.org.

    Documentation: added DO NOT EDIT THIS FILE. EDIT MAIN.CF
    INSTEAD notices to the sample-xxx.cf files.

19991007

    Compatibility: ignore the sendmail -U (initial user
    submission) option. Thomas Quinot @ cuivre.fr.eu.org.

19991103

    Code cleanup: don't send postmaster notifications when an
    SMTP client sends a DATA command while no recipients were
    accepted. This can happen when a pipelined client runs
    into an UCE block. File: smtpd/smtpd.c.

19991104

    Robustness: do not apply UCE header checks to mail that is
    generated by Postfix (bounces, forwarded mail etc.). Files:
    smtpd/smtpd.c, pickup/pickup.c, cleanup/cleanup_message.c.

    Robustness: new generic watchdog module that can deal with
    clocks that jump occasionally. Files: util/watchdog.c,
    master/master.c, master/{single,multi,trigger}_server.c.
    This hopefully ends the false watchdog alarms that happen
    when clocks are set or when laptops are resumed.

    Code cleanup: BSMTP requires dot quoting as per RFC 821.
    Based on code by Florian Lohoff @ rfc822.org.
    Files:
    global/mail_copy.[hc], pipe/pipe.c.

19991105

    Bugfix: the crufty code in inet_addr_local() did not find
    IP aliases. File: util/inet_addr_local.c.

    Portability: the INSTALL.sh utility did not find users or
    groups in NIS or Netinfo tables. The script no longer
    searches the /etc/passwd and /etc/group files. Instead it
    now queries the unix:passwd.byname and unix:group.byname
    maps. For this, a -q (query) option was added to postmap
    (and to postalias, for symmetry). Files: util/dict_unix.c,
    postalias/postalias.c, postmap/postmap.c, INSTALL.sh.

    Bugfix: LDAP lookup timeout settings were ignored. Patch
    by John Hensley. File: util/dict_ldap.c.

19991108

    Bugfix: when doing a fresh install, INSTALL.sh didn't set
    main.cf:mail_owner properly (Simon J. Mudd).

19991109

    Bugfix: when doing a fresh install, INSTALL.sh no longer
    worked (missing main.cf file). Fix: add "-c" argument to
    the postmap commands (Lars Hecking @ nmrc.ucc.ie).

    Documentation: removed spurious "do not edit" comments from
    the sample pcre and regexp configuration files.

19991110-13

    Code cleanup: greatly simplified the SMTPD command parser
    and somewhat simplified the code that groks RFC 822-style
    address syntax in MAIL FROM and RCPT TO commands.

    New parameter: strict_rfc821_envelopes (default: no) to
    reject RFC 822 address forms (with comments etc.) in SMTP
    envelopes. By default, the Postfix SMTP server only logs
    a warning.

19991113

    Oops, also updated the SMTP VRFY code in the light of
    changes to the SMTPD command parser.

    Cleanup: the local delivery agent now explicitly rejects
    recipients with an empty username.

19991114

    Workaround: with some gawk versions, postconf/extract.awk
    reportedly returns a non-zero exit status upon success.
    Added an explicit exit(0) statement.

19991115

    Feature: DNS TXT record lookup support, based on initial
    code by Simon J Mudd. File: dns/dns_lookup.c.

    Feature: RBL TXT record lookups, based on initial code by
    Simon J Mudd. File: smtpd/smtpd_check.c.

    Feature: permit_auth_destination restriction based on code
    by Jesper Skriver @ skriver.dk.

    Code cleanup: the transport table now can override all
    deliveries, including local ones.

19991116

    Code cleanup: a new "local_transports" configuration
    parameter explicitly lists all transports that deliver mail
    locally. The first name listed there is the default local
    transport. This is the end of the "empty next-hop hostname"
    hack to indicate that a destination is local. Files:
    trivial-rewrite/resolve.c, global/local_transport.[hc]

    Feature: "postconf -m" shows what lookup table types are
    available. Code by Scott Cotton, Internet Consultants
    Group, Inc.

    Feature: "postconf -e" edits any number of main.cf parameters.
    The edit is done on a copy, and the copy is renamed into
    the place of the original. File: postconf/postconf.c,
    util/readlline.[hc].

19991117

    Portability: SunOS 4 has no SA_RESTART. File: util/watchdog.c.

    Feature: on systems with h_errno, the "reject_unknown_client"
    restriction now distinguishes between soft errors (always
    reply with 450) and hard errors (use the user-specified
    reply code). This should lessen the load by broken mailers
    that re-connect once a minute.

    Feature: forward/reverse name/address check for SMTP client
    hostnames. This fends off some hypothetical attacks by
    spammers who are in control of their own reverse mapping.

    Robustness: postconf no longer aborts when it can't figure
    out the local domain name; it prints a warning instead.
    This allows you to use "postconf -e" to fix the problem.

19991118

    Bugfix: the RFC822 address parser would misparse a leading
    \ as an atom all by itself. Problem reported by Keith
    Stevenson @ louisville.edu. File: global/tok822_parse.c.

19991119

    Bugfix: tiny memory leak in pipe_command() when fork()
    fails. File: global/pipe_command.c.

19991120

    Bugfix: reversed test for all-numerical results in SMTPD
    access maps. File: smtpd/smtpd_check.c.

19991121

    Robustness: INSTALL.sh no longer uses postmap for sanity
    checks.

    Feature: INSTALL.sh now has an install_root option.

    Bugfix: INSTALL.sh now installs manual pages with proper
    permissions and ownership.

    Bugfix: the LDAP client did not properly escape special
    characters in lookup keys (patch by John Hensley). File:
    util/dict_ldap.c.

19991122

    Bugfix: missing absolute path in INSTALL.sh broke fresh
    install.

19991124

    Bugfix: the local delivery agent's recipient duplicate
    filter did not work when configured to use unlimited memory
    (which is not a recommended setting). Patrik Rak @raxoft.cz.

19991125

    Bugfix: postconf didn't have an umask(022) call at the
    beginning (problem experienced by Matthias Andree).

19991126

    Bugfix: DNS TXT records now have string lengths before text
    (Mark Martinec @ nsc.ijs.si).

19991127

    Update: the LDAP client code now supports escapes as per
    RFC2254 (John Hensley).

19991207

    Performance: one message with many recipients no longer
    stops other mail from being delivered. The queue manager
    now frees in-memory recipients as soon as a message is
    delivered to one destination, rather than waiting until
    all in-memory destinations of that message have been tried.
    Patch by Patrik Rak @ raxoft.cz.
    Files: qmgr/qmgr_entry.c,
    qmgr/qmgr_message.c.

    Performance: when delivering mail to a huge list of
    recipients, the queue manager now reads more recipients
    from the queue file before delivery concurrency drops too
    low. Files: qmgr/qmgr_entry.c, qmgr/qmgr_message.c.

19991208

    Updated LDAP client code by John Hensley with escape
    sequences as per RFC 2254. File: util/dict_ldap.c.

    Updated MYSQL client code by Scott Cotton. File: dict_mysql.c.

    Feature: added -N/-n options to include/exclude terminating
    nulls in keys and values in postmap/postalias DB or DBM
    files. Normally, Postfix uses whatever is appropriate for
    the host system. A non-default setting can be necessary
    for inter-operability with third-party software.

    Bugfix: the local delivery agent would deliver to the user
    instead of the .forward file when the .forward file was
    already visited via some non-recursive path. Patch by Patrik
    Rak @ raxoft.cz. Files: global/been_here.c, local/dotforward.c.

    Robustness: attempt to deliver all addresses in the expansion
    of an alias or .forward file, even when some addresses must
    be deferred. File: local/token.c.

19991211

    Performance: qmgr_fudge_factor controls what percentage of
    delivery resources Postfix will devote to one message.
    With 100%, delivery of one message does not begin before
    delivery of the previous message is completed. This is good
    for list performance, bad for one-to-one mail. With 10%,
    response time for one-to-one mail improves much, but list
    performance suffers. In the worst case, people near the
    start of a mailing list get a burst of postings today,
    while people near the end of the list get that same burst
    of postings a whole day later. Files: qmgr/qmgr_message.c,
    qmgr/qmgr_entry.c.
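
The LDAP entries under 19991121, 19991127 and 19991208 concern escaping of lookup keys as per RFC 2254. The following C example is added here and is not the dict_ldap.c code: it escapes a lookup key before substituting it into a search filter, so that filter metacharacters in an address are matched literally. The function names and the "(mail=%s)" query template are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not Postfix source: function names and the "(mail=%s)"
 * query template are assumptions. */

/*
 * Escape a lookup key for use as a value in an LDAP search filter, per
 * RFC 2254 section 4: '*', '(', ')', backslash and NUL become a backslash
 * and two hex digits. Returns the escaped length, or -1 if out[cap] is
 * too small.
 */
int ldap_escape_key(const char *key, size_t klen, char *out, size_t cap)
{
    static const char hex[] = "0123456789abcdef";
    size_t i, n = 0;

    if (cap == 0)
        return -1;
    for (i = 0; i < klen; i++) {
        unsigned char c = (unsigned char) key[i];

        if (c == '*' || c == '(' || c == ')' || c == '\\' || c == '\0') {
            if (n + 4 > cap)                 /* 3 bytes plus terminator */
                return -1;
            out[n++] = '\\';
            out[n++] = hex[c >> 4];
            out[n++] = hex[c & 0x0f];
        } else {
            if (n + 2 > cap)                 /* 1 byte plus terminator */
                return -1;
            out[n++] = (char) c;
        }
    }
    out[n] = '\0';
    return (int) n;
}

/*
 * Substitute the escaped key for the first %s in tmpl. Returns the filter
 * length, or -1 if the template has no %s or the result does not fit.
 */
int ldap_build_filter(const char *tmpl, const char *key, char *out, size_t cap)
{
    char esc[256];
    const char *slot = strstr(tmpl, "%s");
    int n;

    if (slot == NULL || ldap_escape_key(key, strlen(key), esc, sizeof(esc)) < 0)
        return -1;
    n = snprintf(out, cap, "%.*s%s%s", (int) (slot - tmpl), tmpl, esc, slot + 2);
    return (n < 0 || (size_t) n >= cap) ? -1 : n;
}

int main(void)
{
    char filter[128];

    /* Constructed key containing filter metacharacters. */
    if (ldap_build_filter("(mail=%s)", "j*doe(test)", filter, sizeof(filter)) > 0)
        puts(filter);
    return 0;
}
```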

    Bugfix: address rewriting would panic on a lone \ at the
    end of a line where an address was expected. Jason Hoos @
    thwack.net. File: global/rewrite_clnt.c.

19991215

    Bugfix: the strict RFC821 envelope address check should
    not be applied to VRFY commands. File: smtpd/smtpd.c.

    Cleanup: permit_recipient_maps is gone, because that could
    only be used inside UCE restrictions.

19991216

    Feature: allow an empty inet_interfaces parameter, just
    like an empty mydestination parameter. It's needed for true
    null clients and for firewalls that deliver no local mail.

    Feature: "disable_vrfy_command = yes" disables some forms
    of address harvesting used by spammers.

    Workaround: added the alias map parameter definition to
    the smtpd code. This is a symptom of a general problem
    with parameters that have non-empty default values: unless
    a program explicitly defines such a parameter, the parameter
    defaults to the empty string when used in other parameters.
    There's also a problem with evaluation order.

    Feature: the SMTP server rejects mail for unknown users in
    virtual domains that are defined by Postfix virtual domain
    files. File: smtpd/smtpd_check.c.

    Feature: reject mail for unknown local users at the SMTP
    port. The local_recipient_maps configuration parameter
    specifies maps with all addresses that are local with
    respect to $mydestination or $inet_interfaces. Example:
    "local_recipient_maps = $alias_maps unix:passwd.byname".
    This feature is disabled by default. You may have to copy
    the passwd file into the chroot jail. File: smtpd/smtpd_check.c.

    Feature: the sendmail -f option now understands '<user>'
    and even understands address forms with RFC 822-style
    comments.

19991217

    Cleanup: no more UCE checks for VRFY commands.
    It still
    reports unknown local/virtual users. File: smtpd/smtpd_check.c.

    Robustness: upon Postfix startup, report discrepancies
    between system files inside and outside the chroot jail.
    Files: conf/postfix-script-nosgid, conf/postfix-script-sgid.

19991218

    Cleanup: INSTALL.sh produces relative symlinks, which is
    necessary when install_root is not /.

19991219

    Documentation: completely reorganized the FAQ and added
    many new entries. Rewrote the UCE html documentation.

    Cleanup: INSTALL.sh uses a configurable directory for
    scratch files, so that it can install from a file system
    that is not writable by the super-user.

    Cleanup: INSTALL.sh gives helpful hints when the "mv"
    command is unable to move symlinks across file system
    boundaries.

19991220

    Cleanup: it is no longer necessary to list $virtual_maps
    as part of the relay_domains definition. The SMTP server
    now by default accepts mail for destinations that match
    $inet_interfaces, $mydestination or $virtual_maps, whether
    or not these are specified in relay_domains. We still need
    the ugly "virtual.domain whatever" hack in the virtual
    maps. Files: smtpd/smtpd_check.c and lots of documentation
    and sample config files.

19991221

    Removed cyrus -q flag (ignore quotas) from the sample
    master.cf file.

19991223

    Bugfix: smtpd should not check for unknown users when
    running in stand-alone (sendmail -bs) mode. Problem
    experienced by Chuck Mead. File: smtpd/smtpd.c.

    Retraction: the "local_transports" configuration parameter
    is gone. Adjusted code and documentation accordingly.
    Instead, use just one "local_transport" parameter with the
    name of the default local transport. Files: smtpd/smtpd_check.c,
    qmgr/qmgr_message.c, trivial-rewrite/resolve.c, local/resolve.c.

    Feature: Postfix SMTPD now insists that the smtpd recipient
    restrictions contain at least one restriction that by
    default rejects mail. This should make it much more difficult
    to change Postfix into an open relay. File: smtpd/smtpd_check.c.

    Retraction: null-length inet_interfaces is too confusing.

19991224

    Bugfix: the relative symlink code in INSTALL.sh computed
    the ../ prefix from the wrong pathname.

1999122[5-7]

    Feature: "allow_untrusted_routing = no" (default) prevents
    forwarding of source-routed mail from untrusted clients to
    destinations that are blessed by the relay_domains parameter
    (example: user@domain2@domain1 etc.). This plugs a mail
    relay loophole where a backup MX host forwards junk mail
    to a primary MX host which forwards the junk to the Internet.
    Files: global/quote_822_local.c, smtp/quote_821_local.c,
    trivial-rewrite/rewrite.c, trivial-rewrite/resolve.c,
    smtp/smtpd_check.c.

    In order to make this possible, the Postfix resolver data
    structure and protocol has changed, so that all resolver
    clients need to be re-compiled.

    Side effect from the above change: from now on, an address
    with @ in the recipient localpart no longer bounces with
    "user unknown" but instead is rejected with "relay access
    denied" or "source-routed relay access denied".

19991227

    Workaround: the BSD/OS "mkdir -p" and "cmp -s" commands
    misbehave on boundary cases: directory exists or file does
    not exist. Those who re-invent...

19991229

    Added the no source routing info requirement to addresses
    accepted by the permit_mx_backup UCE restriction.

19991230

    Added a spawn daemon (not compiled and installed by default)
    to enable LMTP delivery over UNIX-domain sockets.
    The goal is to simplify the experimental LMTP delivery agent by
    ripping out the privileged code that forks the LMTP server.

20000102

    Clarified documentation after early feedback on the 19991231
    release by Drew Derbyshire, Ollivier Robert, Khetan Gajjar.

    Sanity check: a common error is to list Postfix virtual
    domains in the mydestination parameter. This causes the
    new optional local_recipient_maps feature to reject mail
    for virtual users. The SMTP server now explicitly tests
    for this common error and logs a warning instead of refusing
    the mail. File: smtpd/smtpd_check.c.

20000104

    Bugfix: a case sensitivity bug had slipped through in the
    anti-relaying code, causing mail for USER@VIRTUAL.DOMAIN
    to be rejected with "relay access denied". This was found
    by Jim Maenpaa @ jmm.com.

    Questionable feature: set "smtp_skip_5xx_greeting = yes"
    to make Postfix more sendmail compatible, even though this
    is wrong, IMNSHO. File: smtp/smtp_connect.c.

    Portability: Ultrix patch from Simon Burge @ thistledown.com.au.

    Portability: Siemens Pyramid (dcosx) patch by Thomas D.
    Knox @ vushta.com.

    Performance: FreeBSD has bidirectional pipes that are faster
    than socketpairs. Anticipating on more platform-specific
    optimizations, all duplex pipe plumbing is now isolated in
    a duplex_pipe.c module that provides a system-independent
    interface.

20000105

    Cleanup: the INSTALL.sh script now updates the sample files
    in /etc/postfix even when main.cf exists.

20000106

    Bugfix: the SMTP server should consult the relocated map
    for virtual destinations (Denis Shaposhnikov). Files:
    smtpd/smtpd.c smtpd/smtpd_check.c.

20000108

    Workaround: rename() over NFS can fail with ENOENT even
    when the operation succeeds (Graham Orndorff @ WebTV). This
    is not news.
    Any non-idempotent operation can fail over
    NFS when the NFS server's acknowledgment is lost and the
    NFS client code retries the operation (other examples are:
    create, symlink, link, unlink, mkdir, rmdir). Postfix has
    workarounds for the cases where this is most likely to
    cause trouble. Files: util/sane_{rename,link}.[hc]. If
    you want a reliable mail system, do not use NFS.

20000115

    Workaround: better detection of bad hardware. Added SIGBUS
    to the list of signals that the master will log before
    exiting.

20000122

    Portability: preliminary SCO5 port Christopher Wong @
    csports.com. This still needs a workaround for "find"
    not supporting "-type s" (actually, UNIX-domain sockets
    have no unique representation in the file system and show
    up as FIFOs).

20000115-22

    Bugfix: in case of a too long message header, don't extract
    recipients from message headers. With the previous behavior,
    Bcc information could be left in the message body, as one
    person found out the hard way. Files: cleanup/cleanup.c,
    cleanup/cleanup_extracted.c, global/cleanup_user.h.

20000124

    Whatever: RFC 1869 amends RFC 821 and specifies that code
    555 is to be used when a MAIL FROM or RCPT TO parameter is
    not implemented or not recognized. Russ Allbery @stanford.edu.
    This reply code is added to the list of reply codes that
    cause the Postfix SMTP client to mail a transcript to the
    postmaster. File: smtp/smtp_trouble.c.

20000126

    Emergency feature: qmgr_site_hog_factor (default: 90 percent)
    limits the amount of resources that Postfix devotes to a
    single destination. With less than 100, Postfix defers the
    excess mail so that one site with a large backlog does not
    block other deliveries. Files: qmgr/qmgr.c, qmgr/qmgr_message.c.

20000128

    Cleanup: the queue manager no longer replaces the nexthop
    field by the recipient localpart when a destination matches
    $mydestination/$inet_interfaces. The price is the introduction
    of a new parameter local_destination_recipient_limit which
    defaults to 1 in order to maintain backwards compatibility.
    Files: qmgr/qmgr.c, qmgr/qmgr_message.c.

20000129

    Bugfix: extracted recipients were misfiled when a message
    was moved back to the maildrop queue. But they still worked
    due to a coincidence.

    Feature: bounce_recip() bounces a recipient immediately
    without accessing a bounce logfile. This is necessary for
    VERP bounces, for bounces by delivery agents that change
    the sender address, and for bounces that for some reason
    must not use temporary logfiles. Files: global/bounce.c,
    bounce/bounce_recip_service.c.

20000130

    Bugfix: the too long header fix of 20000115-22 lost mail
    with too long headers that didn't need to extract recipients
    from message headers.

    Bugfix: the too long header fix of 20000115-22 lost mail
    without (blank line + message body).

    Code rewrite: reorganized the cleanup daemon source code
    so that the cleanup service can be called one record at a
    time (see cleanup/cleanup_api.c); also got rid of the global
    state variables and fixed a couple bugs that were introduced
    with 20000115-22.

20000204

    Feature: in daemon mode, the MAIL FROM size check can be
    postponed until RCPT TO so that Postfix can log sender and
    recipient. Simon J Mudd. Files: smtpd/smtpd.c

    Robustness: limit the number of recipient addresses that
    can be extracted from message headers. Parameter:
    extract_recipient_limit (default: 10240). Files:
    cleanup/cleanup_message.c, cleanup/cleanup_extracted.c.

    Cleanup: the message header reject logging now includes
    sender and recipient address (if possible), so that the
    logging looks more like the other reject logging. File:
    cleanup/cleanup_message.c.

    Documentation: added sections on regular expression tables
    to the access, canonical, virtual, transport and relocated
    man pages, and wrote new man pages that are specific to
    regular expressions: pcre_table.5 and regexp_table.5.

20000214

    Bugfix: postconf reported some parameters more than once
    because the parameter extracting script didn't recognize
    lines that differ in whitespace only. File: postconf/extract.awk.
    Reported by Kenn Martin.

20000221

    Logging: the SMTP client now logs host+port when it is
    unable to connect to a non-MX host, just like it logs
    host+port when unable to connect to an MX host.

20000226

    Bugfix: the SMTP server's "User unknown" test didn't notice
    LDAP etc. dictionary access errors. The code now reports
    a 450 status (try again instead of bounce) if the reply is
    not definitive. File: smtp/smtpd_check.c.

    Robustness: the smtp-source program could stall when making
    hundreds of parallel connections to a Postfix system with
    only one SMTP server process. The fix is to use non-blocking
    connect() calls, very carefully. File: smtpstone/smtp-source.c.

20000303

    Feature: with smtp_always_send_ehlo the SMTP client will
    send EHLO regardless of the content of the SMTP server's
    greeting. File: smtp/smtp_proto.c.

20000304

    Feature: DICT_FLAG_SYNC_UPDATE flag for synchronous dictionary
    updates, if supported by the underlying mechanism. Files:
    util/dict.h, util/dict_open.c, util/dict_db.c.

20000307

    Cleanup: the manual pages in Postfix configuration files
    no longer contain troff formatting codes.
    The text is now
    generated from prototype files in a new "proto" subdirectory.
    Requested by Matthias Andree @ stud.uni-dortmund.de.

20000308

    Bugfix: the unused db and dbm "delete" routines would
    clobber the per-dictionary flags when called before reading
    or writing the table. Files: util/dict_dbm.c, util/dict_db.c.
    Lutz Jaenicke @ aet.TU-Cottbus.DE.

    Bugfix: the SMTP server would produce a cryptic message
    when a queue file write error happened before it had written
    any recipients. Keith Stevenson. File: smtpd/smtpd.c.

    Robustness: the db and dbm "delete" routines didn't adjust
    to dictionaries with/without one trailing null in lookup
    keys and values. Did a complete rewrite of the routines.
    Files: util/dict_db.c, util/dict_dbm.c.

    Feature: specify "-d key" to postalias or postmap in order
    to remove one key. This still needs to be generalized to
    multi-key removal (read stdin?). Files: postmap/postmap.c,
    postalias/postalias.c.

    Test: added test targets for the dictionary delete operations.
    Files: util/Makefile.in, util/dict_test.{c,in,ref}.

    Feature: added data offset and recipient count fields to
    the first queue file record output from the cleanup daemon.
    The recipient count provides an initial estimate for a
    more advanced queue manager scheduling algorithm. Files:
    cleanup/cleanup_envelope.c, cleanup/cleanup_extracted.c.

20000311

    Portability: HP-UX awk can't handle bare { in regexps
    (Lamont Jones, HP). File: postconf/extract.awk.

    Compatibility: sendmail now recognizes '.' as end of input.
    File: sendmail/sendmail.c.

20000313

    Compatibility: dtcm (CDE desktop calendar manager) leaks
    a file descriptor into its child process, and requires that
    sendmail closes the descriptor, otherwise mail notification
    will hang.
    These GUI programmers never figured out that
    the child process must close the writing end of a pipe.
    File: sendmail/sendmail.c.

20000314

    Feature: SASL authentication in the SMTP server and client.
    Based on code contributed by Till Franke, SuSE. Specify:
    "smtpd_sasl_auth_enable = yes" and "smtp_sasl_auth_enable
    = yes". The "permit_sasl_authenticated" UCE restriction
    gives special treatment to authenticated clients.

20000315

    Workaround: added -blibpath option for AIX 4.x, to close
    hole in case postdrop needs to be set-gid.

20000320

    Portability: FreeBSD 5.x added to the list of supported
    systems (Mark Huizer).

20000323

    Portability: INSTALL.sh looks if sendmail is in /usr/lib
    rather than in /usr/sbin.

20000326

    Bugfix: settings in one mysql configuration file would act
    as the implicit defaults for the next one, which could be
    confusing. Patch by Scott Cotton. File: util/dict_mysql.c.

    Robustness: limit the number of "junk" commands that can
    be issued in an SMTP session (ex.: NOOP, VRFY, ETRN, RSET).
    Problem report by Michael Ju. Tokarev @ tls.msk.ru. Files:
    global/mail_params.h, smtpd/smtpd.c.

20000413

    Portability: more MacOS X patches by Gerben Wierda.

    Bugfix: RFC 822 requires the presence of at least one
    destination message header. The cleanup daemon now generates
    a generic "To: undisclosed-recipients:;" message header
    when no destination header is present. The header content
    is specified with the undisclosed_recipients_header parameter.
    Problem pointed out by Geoff Gibbs, UK-Human Genome Mapping
    Project-Resource Centre.

20000416

    Workaround: allow <(comment)> as SMTP MAIL FROM address.

20000417

    The SASL authentication in the SMTP server and client works,
    but only on Linux and Solaris, neither of which I wish to
    run on my laptop.

20000418

    Added LMTP support to the smtp-source and smtp-sink utilities
    so that I don't have to install Cyrus IMAP just to test
    LMTP.

20000419

    Bugfix: removed the () from the tokenized representation
    of RFC 822 comments, so that comments with \( or \) can be
    unparsed correctly. Problem reported by Bodo Moeller.

20000423

    Bugfix: mail_copy() could prepend > or . in the middle of
    long lines. Found by code inspection.

20000427

    New code: unescape module that translates C escape sequences
    into their equivalent character values. File: util/unescape.c.

    Feature: the pipe mailer now has a way to specify the output
    record delimiter (for example, eol=\r\n). This is necessary
    for transports that require CRLF instead of UNIX-style LF.

20000502

    In order to support timeouts more conveniently, VSTREAMs
    now have built into them the concept of timeout. Instead
    of calling read() and write(), the low-level VSTREAM
    interface now by default uses timed_read() and timed_write()
    which receive a timeout parameter; vstream_ctl(stream,
    VSTREAM_CTL_TIMEOUT...) sets the timeout deadline on a
    stream, and vstream_ftimeout(stream) queries a stream for
    timeout errors. This change simplified timeout handling
    considerably. Files: util/vbuf.h, util/vstream.[hc],
    global/smtp_stream.c, global/timed_ipc.c.

20000504

    Added application context to VSTREAMs, which is passed on
    transparently to application-provided read/write routines.
    vstream_ctl(stream, VSTREAM_CTL_CONTEXT...) sets the context.
    Files: util/vstream.[hc].

    Added vstream_setjmp() and vstream_longjmp() support to
    make exception handling more convenient. Turn on exception
    handling with vstream_ctl(stream, VSTREAM_CTL_EXCEPT...).
    Files: util/vstream.[hc].

    Cleaned up the smtp_stream module further and got rid of
    the global state that limited the use of this module to
    one stream per process. Files: global/smtp_stream.[hc].

20000505

    Bugfix: the SMTP server now flushes unwritten output before
    tarpit delays, to avoid protocol timeouts in pipelined
    sessions when a client causes lots of errors. Found by
    Lamont Jones, HP. File: smtpd/smtpd_chat.c.

    Finished the LMTP client, which is based on a modified
    version of the SMTP client by Philippe Prindeville, Mirapoint,
    Inc., later modified by Amos Gouaux, UTDallas, and then
    Wietse ripped it all up again. Currently this talks LMTP
    over TCP only.

    Feature: override main.cf parameters in master.cf. Specify
    "-o parameter=value" after the program name. This allows
    you to selectively override myhostname etc. See also the
    new smtp_bind_address parameter below.

20000506

    Convenience: the LMTP and SMTP clients now append the local
    domain to unqualified nexthop destinations. This makes it
    more convenient to set up transport maps. Files:
    lmtp/lmtp_addr.c, smtp/smtp_addr.c.

    Sendmail compatibility: the Postfix SMTP client now skips
    servers that greet the client with a 4xx or 5xx status
    code. To disable, set both smtp_skip_4xx_greeting and
    smtp_skip_5xx_greeting to "no".

20000507

    Portability: NetBSD has migrated to /etc/mail/aliases. We
    can expect to see this happen more often when systems start
    shipping Sendmail 8.10.
    File: util/sys_defs.h

    Updated LDAP code by John Hensley, with support for
    dereferencing of LDAP aliases, which have nothing to do
    with Postfix aliases.

    Feature: "smtp_bind_address=x.x.x.x" specifies the source
    IP address for SMTP client connections. Specify in master.cf
    as "smtp -o smtp_bind_address=x.x.x.x" in order to give
    different delivery agents different source addresses.

20000510

    Cleanup: mailbox_transport did not work with the lmtp
    delivery agent. This dates back to when Postfix used empty
    nexthop information to indicate that a destination was
    local. File: global/deliver_pass.c.

    Bugfix: configuration parameters for one mysql dictionary
    would become default settings for the next one. File:
    dict_mysql.c. This patch was merged into Postfix a while
    back but apparently that Postfix version was nuked when
    other parts were redesigned. Update by Scott Cotton.

    Bugfix: some Postfix delivery agents would abort on addresses
    of the form `stuff@.' which could be generated only locally.
    Found by Patrik Rak. File: trivial-rewrite/resolve.c.

    Third-party Berkeley DB support for HP-UX by Lamont Jones.
    File: makedefs.

20000511

    Bugfix: Postfix would incorrectly reject domain names with
    adjacent - characters. File: util/valid_hostname.c.

    Bugfix: the 20000505 pipeline tarpit delay flush was wrong
    and caused the client and server to get out of phase. Yuck!

20000513

    Feature: VSTREAMs now have the concept of last fill/flush
    time, which is needed to prevent timeouts with pipelined
    SMTP sessions as detailed in the next item.

    Bugfix: delayed SMTP command/reply flushing to prevent
    sender delays from accumulating too much and causing timeouts
    with pipelined sessions.
    For example, client-side delays
    happen when a client does DNS lookups to replace hostname
    aliases in MAIL FROM or RCPT TO commands; server-side delays
    happen when an UCE restriction involves a time-consuming
    DNS lookup, or when a server generates tarpit delays.
    Files: lmtp/lmtp_proto.c, smtp/smtp_proto.c, smtpd/smtpd_chat.c.

    Portability: define ANAL_CAST for compilation environments
    that reject explicit casts between pointers and integral
    types. File: util/sys_defs.h, master/*server.c. Upon closer
    investigation, this turned out to be the result of someone's
    compiler configuration preferences. Therefore the change
    is likely to go away after a code cleanup.

20000514

    Feature: mysql client support for multi-valued queries
    (select email, email2 from aliastbl where username='$local')
    By Loic Le Loarer @ m4x.org. File: util/dict_mysql.c.

    Finalized the delayed SMTP command/reply flushing code in
    the SMTP and LMTP clients after lots of testing and review.

20000520

    Robustness: upon receipt of mail, map the mailer-daemon
    sender address back into the magic null string. File:
    cleanup/cleanup_envelope.c.

20000524

    Bugfix: the code for masquerade_exceptions was case sensitive.
    Reported by Eduard Vopicka. File: cleanup/cleanup_masquerade.c.

20000526

    Feature: experimental queue manager by Patrik Rak with a
    fancy pre-emptive scheduling algorithm that improves delivery
    performance of mail with few recipients. This queue manager
    is made available as "nqmgr".

20000528

    Feature: the SMTP client SASL password file can contain
    entries for destination domain names (the address remote
    part) not just mail server hostnames. File: smtp_sasl_glue.c.

    Feature: smtpd_sasl_local_domain parameter (default:
    $myhostname) to specify the local SASL authentication realm.
    File: smtpd_sasl_glue.c.

    Feature: specify "body_checks=regexp:/file/name" for a very
    crude one line at a time message body content filter. This
    feature uses the same filtering syntax as the header_checks
    feature. File: cleanup/cleanup_message.c. See also the
    conf/sample-filter.cf file.

20000530

    Feature: full content filtering through external software.
    This uses existing interfaces for sending mail to the
    external content filter and for injecting it back into
    Postfix. Details in FILTER_README. Files: pickup/pickup.c,
    smtpd/smtpd.c, qmgr/qmgr_message.c.

20000531

    More SASL feedback by Liviu Daia, regarding the use of
    authentication realms. File smtpd/smtpd_sasl_glue.c.

    Added a simple shell-script based content filtering example
    to the FILTER_README file.

    Content filtering support for nqmgr by Patrik Rak. File:
    nqmgr/qmgr_message.c.

    Renamed "content inspection" etc. to "content filtering"
    in anticipation of a new hook for content inspection that
    only inspects mail without re-injecting it into Postfix.

20000601

    Feature: limit the size of pipe mailer deliveries with the
    size=nnn command-line attribute. Patch by Andrew McNamara.

20000603

    Bugfix: don't try to do SASL authentication when running
    in stand-alone (sendmail -bs) mode. Fix by Liviu Daia.

    Bug: the unauthorized pipelining test fails with single
    recipient mail when smtpd_delay_reject = yes.

20000617

    Bugfix: conf/sample-ldap.cf was no longer up to date with
    reality. Patch by Lamont Jones, HP.

    Bugfix: the maildir delivery routine left temporary files
    lying around after unsuccessful delivery (problem reported
    by Brian Laughton @ Corp.Axxent.Ca).

20000621

    AIX 4.x had POSIX regular expression support all the time
    I was working on Postfix.
    Better find out late than never.

20000623

    Bugfix: the SMTP server did not reset the so-called junk
    command counter after successful delivery (Mark Hoffman @
    wallst.com). File: smtpd/smtpd.c.

20000625

    Cleanup: remove Content-Length from incoming mail. The
    sender has no authority over the format of mail as stored
    by the receiving system. File: global/header_opts.h.

    Feature: rewrite Mail-Followup-To: as sender. Files:
    global/header_opts.[hc].

    Cleanup: rewrite Reply-To, Errors-To, Return-Receipt-To as
    sender, so that address masquerading works as expected.
    Files: global/header_opts.c.

    Feature: specify "require_home_directory = yes" to prevent
    mail from being delivered to a user whose home directory
    is not mounted. File: local/dotforward.c.

    Cleanup: the pipe delivery agent no longer appends a blank
    line when the F flag (prepend From_ line) is specified.
    Specify the B flag if you need that blank line. The local
    delivery agent no longer appends a blank line to mail that
    is delivered to external command. Files: pipe/pipe.c,
    global/mail_copy.[hc].

20000708

    Portability: support for NEXT/OPENSTEP requires extra
    include file in util/watchdog.c (Masaki Murase).

20000715

    Added macros to turn on vstream/vstring/etc. format string
    checking by gcc, in addition to the checking that was
    already implemented with printfck. File: util/sys_defs.h,
    the macros for PRINTFLIKE and SCANFLIKE. Problem - unlike
    the printfck tool, gcc finds format argument type mismatches
    only in code that isn't #ifdef-ed out.

20000718

    Robustness: make_dirs() now continues when a missing
    directory is created by another process.

20000720

    Feature: the queue manager now logs the number of recipients
    when opening a queue file (a zero recipient count is logged
    with older queue files). File: global/opened.c.

20000726

    Robustness: added watchdog_pat() routine to keep the watchdog
    quiet if a client stays connected for a lot of time. Files:
    util/watchdog.[hc], smtpd/smtpd.c.

20000729

    Robustness: if relayhost is specified but the host does
    not exist, defer mail instead of bouncing it (which would
    lose the mail if the bounce would have to be delivered to
    that same non-existent relayhost). Problem reported by
    Chris Cooper @ maths.ox.ac.uk. File: smtp/smtp_connect.c.

20000821

    Feature: added -r (replace key+value) option to postalias
    and postmap.

    Cleanup: smtpd now replies with 555 when the client sends
    unrecognized RCPT TO parameters, as required by RFC 1869
    (problem report by Robert Norris @ its.monash.edu.au).
    File: smtpd/smtpd.c.

20000822

    Logging: the SMTP server's SASL code logs the authentication
    method along with an authentication failure. Suggested by
    Ronald F. Guilmette @ monkeys.com.

    Workaround: some systems have file size resource limits
    that cannot be represented with the off_t type that is used
    by standard functions such as lseek(2). Problem reported
    by Blaz Zupan @ amis.net.

20000823

    Feature: all this discussion about when to reject mail and
    when not made me decide to implement a TCP-based map type
    so that it becomes relatively simple to implement dynamic
    access controls, for example, hold off mail from an unknown
    client or sender until we have completed some investigation,
    after which we will either reject or accept.

    However, this code is turned off until it is finished.

20000905

    Robustness: the dns client now rejects malformed domain
    names rather than depending on the DNS to report that the
    name does not exist. Linux returns a rather misleading
    server failure code as found out by Patrik Rak. File:
    dns/dns_lookup.c.

20000911

    Feature: added IGNORE keyword to header_checks and body_checks
    to pretend that certain data does not exist. File:
    cleanup/cleanup_message.c.

20000911

    Bugfix: the SASL code did not allow MAIL FROM... AUTH=sender
    without prior authentication. The RFC allows this, although
    one wonders what the reasoning behind this is. File:
    smtpd/smtpd_sasl_proto.c.

20000913

    Bugfix: the rmail script did not handle remote UUCP systems
    that send a from_ line with unqualified envelope sender.
    Reported by Luciano Mannucci.

    Compatibility: don't insert Sender: header lines. Sendmail
    has not done so for at least 10 years, if it ever did.
    Problem reported by Brad Knowles. File: cleanup/cleanup_message.c.

20000916

    Bugfix: when propagating an address extension in a virtual
    or canonical mapping, cleanup accesses memory that is no
    longer allocated. This can happen when the result address
    length is more than 100 characters. Problem reported by
    Adi Prasaja @ satunet.com. File: global/mail_addr_crunch.c.

    Bugfix: fixed a misleading error message when the cleanup
    server reaches the queue file size limit. Fix by Robby
    Griffin @ MIT.EDU. File: cleanup/cleanup_extracted.c.

20000917

    Bugfix: postalias -i would complain about duplicate entries
    for the Sendmail-compatible @ entry and for the NIS-compatible
    YP_LAST_MODIFIED and YP_MASTER_NAME entries.

20000918

    Gross hack: prevent looping on a bad recipient by always
    forwarding recipients in :include: files to a new mail
    delivery request, even when owner-listname is not set.
    File: local/recipient.c.

20000919

    Convenience: INSTALL.sh now imports default settings from
    the process environment, in order to make scripting easier.

    Robustness: INSTALL.sh now systematically skips over CVS,
    RCS and SCCS cruft.

    Portability: another fix for NEXTSTEP (Masaki MURASE).
    File: util/spawn_command.h.

20000920

    Cleanup: in a transport table entry, do not ignore port
    numbers specified as [host]:port. In fact, this is now
    becoming the preferred form, in order to avoid parsing
    problems with IPV6 addresses. Postfix supports both forms,
    but future versions will print a warning for the old form.
    Problem reported by Claus Fischer @ werhats.at

    Bugfix: missing initialization for state->sasl_method can
    cause permit_sasl_authenticated to always succeed. Report
    and fix by Lutz Jaenicke @ aet.TU-Cottbus.DE.

    FAQ: added notes about how to delete, copy or restore queue
    files in a safe manner.

20000921

    File reorganization. No code change except Makefiles. All
    sources are pushed down by one directory level to keep file
    listings usable. Released as 20000922, so that I have a
    reference to run "diff -cr" against.

    Bugfix: the spawn service was installed without man pages.

    Portability: MacOSX hints and tips by Joe Block, University
    of Central Florida School of Optics/CREOL

    Portability: The MacOSX gcc compiler does not understand
    the new printf_like/scanf_like attributes. File: util/sys_defs.h.

20000922

    nqmgr update from Patrik Rak for the changed queue manager
    to delivery agent protocol.

    Lame feature: syslog_facility parameter to control where
    syslogd sends Postfix logging (default: syslog_facility =
    mail). However, errors during command-line parsing are
    still logged with the default syslog facility, as are errors
    while processing the main.cf file (surprise). Based on
    code by Andrew McNamara.

20000923

    Cleanup: new bounce logfile API so that Postfix can change
    to an extensible bounce logfile format with per-recipient
    sender addresses (needed for VERP and for reporting local
    list delivery problems to the list owner) and other
    attributes. File: global/bounce_log.[hc].

    Cleanup: replaced the ad-hoc logfile parsing code in showq
    by something that uses the generic bounce logfile API.

20000924

    Feature: Postfix bounced mail and delayed mail notifications
    now have the standard RFC 1894 form (DSN). The bounce
    service now uses the generic bounce logfile API. File:
    bounce/bounce_notify_service.c, bounce/bounce_notify_util.c.

    Cleanup: deleted the per-recipient bounce protocol. Future
    bounce logfiles will support per-recipient bounce addresses.
    Files: global/bounce.c, bounce/bounce_recip_service.

20000925

    Workaround: sendmail allows MAIL FROM and RCPT TO envelope
    addresses like <the dude <dude@site>> so we will never get
    rid of them. To disallow, specify "strict_rfc821_envelopes
    = yes". File: smtpd/smtpd.c.

20000926-20001003

    Feature: a "flush" server that keeps per-destination records
    of deferred mail. It is the basis of a faster ETRN and
    "sendmail -qRsite" implementation. This code was rewritten
    half a dozen times.

20000928

    Bugfix: the stricter dns_lookup() argument checks revealed
    that Postfix was doing DNS lookups for domain literals
    ([ip.address]) when expanding aliases in MAIL FROM and RCPT
    TO address parameters.
    Reported by Jim Littlefield. File:
    smtp/smtp_unalias.c.

    Documentation: added text on the biff=yes/no parameter to
    conf/sample-local.cf (text provided by Paul Wagland,
    relational-consultancy.com).

    Robustness? Log errors from SASL library code as warnings
    not as fatal errors. Files: smtp*/*glue.c.

20001001

    Feature: in master.cf, specify ? after wakeup time to avoid
    waking up services that aren't being used.

20001003

    Feature: the fast flush refresh and purge time interval
    parameters can now be specified in user-specified units by
    providing an appropriate suffix: s (seconds), m (minutes),
    h (hours), d (days), w (weeks). This was needed so
    that I could test the flush server code in a reasonable
    way (its timeouts are normally specified in days or hours,
    and I don't have that much time for testing). Other Postfix
    time interval parameters will be migrated as time permits.
    Files: conf/sample-flush.cf, global/mail_conf_time.c,
    postconf/postconf.c.

    Unfeature: qmgr_hog_factor is now disabled by default. It
    was just too confusing. If you don't know what this means,
    do not worry.

20001005

    Cleanup: after "postfix reload" do not penalize mail that
    was in the active queue, but make it ready for immediate
    delivery so that ETRN etc. works as intended. Files:
    *qmgr/qmgr.c, *qmgr/qmgr_active.c.

    Portability: Redhat 7 library interfaces have changed
    incompatibly, which breaks existing software. File: makedefs.

    Consistency: the fallback_relay parameter did not understand
    the [] or host:port syntax, and there was no way to suppress
    MX record lookups. Files: smtp/smtp_addr.c, smtp/smtp_connect.c.

    Convenience: you can now specify multiple SMTP destinations
    in the relayhost or fallback_relay configuration parameters.
    The specified destinations will be tried in the specified
    order. File: smtp/smtp_connect.c.

    Many typographical corrections by Matthias Andree.

20001024

    Documentation: the canonical, virtual etc. manual pages
    did not document the effect of leading whitespace.

20001025

    Bugfix: virtual map expansion stopped too early with
    self-referential aliases. Reported by Michael Douglass @
    datafoundry.net. File: cleanup/cleanup_map1n.c.

20001026

    Horror: postmap and postalias (newaliases) silently lose
    the file lock while building a lookup table with Berkeley
    DB 2.x and later on Solaris, HP-UX, IRIX, and UNIXWARE.
    The result is that table lookups fail while the table is
    being built, so that mail is lost. In order to avoid this
    misbehavior one has to use an undocumented feature that is
    NOT available with the DB1.85 compatibility interface.
    Therefore, Postfix now supports three Berkeley DB programming
    interfaces of increasing complexity. File: util/dict_db.c.

    Bugfix: some character manipulations were not portable for
    signed/unsigned characters. Files: global/quote_821_local.c,
    global/quote_822_local.c.

    Workaround: apparently, some software sends SMTP mail that
    begins with "From sender time-stamp". Sendmail silently
    ignores such RFC violating garbage, and therefore Postfix
    needs to jump another hoop. File: smtpd/smtpd.c.

20001028

    Bugfix: the flush server tried to access config files after
    going to the chroot jail. Found by Lutz Jaenicke, TU-Cottbus.DE.
    File: flush/flush.c.

    Update: revised LDAP module from primary maintainer John
    Hensley, with contributions from many other people. Files:
    util/dict_ldap.c, LDAP_README.

    Update: LINUX2 chroot setup script by Matthias Andree,
    uni-dortmund.de.

    Feature: specify unix:/path/name for LMTP connections over
    UNIX-domain sockets, and specify inet:host or inet:host:port
    for IPV4. If no unix: or inet: is specified, IPV4 is assumed.
    File: lmtp/lmtp_connect.c.

    Feature: added UNIX-domain support to the smtpstone test
    programs in order to test the LMTP client UNIX-domain
    support.

20001030

    Bugfix: further testing in preparation for 19991231-pl10
    revealed that the DB map code was now broken for every
    platform.

20001031

    Performance: the slow start (gradually increase number of
    parallel connections to the same site) was too gentle and
    Postfix would back off too quickly. Files: qmgr/qmgr_queue.c
    and nqmgr/qmgr_queue.c.

20001101

    FAQ update by Ralph Hildebrandt.

20001104

    Portability: RedHat Linux has changed incompatibly, again.
    Fixed with the help of Matthias Andree. File: makedefs.

20001109

    Cleanup: changed prototype of internal function that did
    not return a useful result. File: src/util/vstream_popen.c.

20001110

    Workaround: the Debian post install script passes an open
    file descriptor into the master server and waits forever.
    Reported by Lamont Jones. File: master/master.c.

20001114

    Compatibility: added sendmail -G (gateway submission) option
    for compatibility with the sendmail rmail command. Requested
    by David Gilbert, Velocet Communications.

20001116

    Documentation: added MAILER-DAEMON to the list of sample
    masquerade_exceptions settings in conf/sample-rewrite.cf.
    Suggested by Karl O. Pinc, pop.artic.edu.

    Performance: the slow start (gradually increase number of
    parallel connections to the same site) was too gentle and
    Postfix would back off too quickly. Files: qmgr/qmgr_queue.c
    and nqmgr/qmgr_queue.c. Yup, changed the same code, again.
    We now allow for a margin above the actual concurrency,
    with the size of the initial destination concurrency.
    Final solution by Patrik Rak.

    Bugfix: the recipient home directory test broke mailbox_transport
    support for non-UNIX recipients. File: local/recipient.c.

20001117

    Robustness: additional integrity tests for the nqmgr by
    Patrik Rak. File: nqmgr/qmgr_message.c.

20001118

    Bugfix: the new LDAP client code did not work properly if
    the new ldap_domain parameter was not specified. LaMont
    Jones, HP. File: util/dict_ldap.c.

    Feature: the soft_bounce safety net is extended to the SMTP
    server. With "soft_bounce = yes", the SMTP server changes
    all 5xx (reject) replies into 4xx (try again) replies.

    Documentation: the virtual(5) man page now documents both
    Postfix-style virtual domains and Sendmail-style virtual
    domains, including their interaction with local usernames,
    aliases and mailing lists. Hopefully, this ends some of
    the confusion surrounding virtual domain support. Updated
    several FAQ entries concerning virtual domain support.

    Documentation: added FAQ entry for the biff service.

20001119

    Bugfix: per-destination queue names were case sensitive so
    that the same site could have multiple queues. Reported
    by Patrik Rak. Files: *qmgr/qmgr_message.c.

20001120

    Bugfix: per-destination deferred mail logfiles were case
    sensitive so that the same site could have multiple deferred
    mail logfiles, so that not all mail would be flushed with
    ETRN. Reported by Ralph Hildebrandt. Files: flush/flush.c.

    Portability: added (int) casts to printf-like arguments
    that specify the width of %*letter conversions. On some
    systems, sizeof and pointer difference expressions are
    wider than an int. Reported by Valentin Nechayev @ lucky.net.

20001121

    Compatibility: Postfix now retries delivery when an external
    command is killed by a signal, because people expect such
    behavior from Sendmail. File: global/pipe_command.c.

20001123-30

    Feature: mailbox locking is now configurable. The configuration
    parameter name is "mailbox_delivery_lock". Depending on
    the operating system one can specify one or more of "flock",
    "fcntl" and "dotlock". Use "postconf -l" to find out what
    locking methods Postfix supports. The default setting is
    system dependent. All mailbox file opens are now done by
    one central mbox_open() routine. This affects the operation
    of the postlock command, and of local delivery to mailbox
    or /file/name. Files: util/safe_open.c, util/myflock.c,
    global/deliver_flock.c, global/mbox_conf.c, global/mbox_open.c,
    local/mailbox.c, local/file.c, postlock/postlock.c.

    Compatibility: the old sun_mailtool_compatibility parameter
    is being phased out. It still works (by turning off
    flock/fcntl locks), but logs a warning as a reminder that
    it will go away.

    Compatibility: when delivering to /file/name, the local
    delivery agent now logs a warning when it is unable to
    create a /file/name.lock file, and then delivers the mail
    (older Postfix versions would silently deliver).

20001202

    Feature: specify "smtp_never_send_ehlo = no" to disable
    ESMTP. Someone asked for this long ago. Files: smtp/smtp.c,
    smtp/smtp_proto.c.

    Feature? Bugfix? The smtp client now skips server replies
    that do not start with "CODE SPACE" or with "CODE HYPHEN",
    and flags them as protocol errors. Older versions silently
    treat "CODE TEXT" as "CODE SPACE TEXT". File: smtp/smtp_chat.c.

20001203

    Documentation: postmap(1) and postalias(1) did not document
    the process exit status for "-q key".
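The 20001202 entry on reply parsing is about how a client frames a multi-line server reply. The following added example (not code from smtp/smtp_chat.c) puts the strict rule next to the older lenient one and runs both over a constructed reply. All names are hypothetical, and two details are assumptions: a bare three-digit code ends the reply, and lines without any code are skipped in both modes.

```c
#include <ctype.h>
#include <stdio.h>

enum line_kind { LINE_FINAL, LINE_CONTINUE, LINE_GARBAGE };

/* True when the line starts with three digits. */
static int has_code(const char *line)
{
    return isdigit((unsigned char) line[0])
        && isdigit((unsigned char) line[1])
        && isdigit((unsigned char) line[2]);
}

static int code_of(const char *line)
{
    return (line[0] - '0') * 100 + (line[1] - '0') * 10 + (line[2] - '0');
}

/* Strict rule: CODE HYPHEN continues the reply, CODE SPACE ends it. */
static enum line_kind classify_strict(const char *line)
{
    if (!has_code(line))
        return LINE_GARBAGE;
    if (line[3] == '-')
        return LINE_CONTINUE;
    if (line[3] == ' ' || line[3] == '\0')  /* bare code: assumption */
        return LINE_FINAL;
    return LINE_GARBAGE;
}

/* Older, lenient rule: "CODE TEXT" is read as "CODE SPACE TEXT". */
static enum line_kind classify_lenient(const char *line)
{
    if (!has_code(line))
        return LINE_GARBAGE;
    return line[3] == '-' ? LINE_CONTINUE : LINE_FINAL;
}

/* Walks the lines of one server reply. Returns the code of the line that
 * ends the reply, or -1 if no line does; *errors counts skipped lines. */
static int read_reply(const char *const *lines, int nlines,
                      enum line_kind (*classify)(const char *), int *errors)
{
    int i;

    *errors = 0;
    for (i = 0; i < nlines; i++) {
        switch (classify(lines[i])) {
        case LINE_CONTINUE:
            break;
        case LINE_FINAL:
            return code_of(lines[i]);
        case LINE_GARBAGE:
            (*errors)++;        /* skip, but remember the protocol error */
            break;
        }
    }
    return -1;
}

/* Constructed reply: the second line has a code glued to its text. */
static const char *const sample_reply[] = {
    "250-mail.example.com",
    "421Service shutting down",
    "250 PIPELINING",
};

int main(void)
{
    int errors;
    int code;

    code = read_reply(sample_reply, 3, classify_strict, &errors);
    printf("strict:  code=%d protocol_errors=%d\n", code, errors);
    code = read_reply(sample_reply, 3, classify_lenient, &errors);
    printf("lenient: code=%d protocol_errors=%d\n", code, errors);
    return 0;
}
```

Under the lenient rule the malformed line ends the reply early, so the real final line stays unread and would be taken as the answer to the next command.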

20001204

    Bugfix: the Postfix master daemon no longer imported
    MAIL_CONF and some other necessary environment parameters.
    Postfix now has explicit "import_environment" and
    "export_environment" configuration parameters that control
    what environment parameters are shared with non-Postfix
    processes. Files: util/clean_env.c, util/spawn_command.c,
    util/vstream_popen.c, global/pipe_command.c, and everything
    that invokes this code.

20001208

    Bugfix: while processing massive amounts of one-recipient
    mail, qmgr could deadlock for 10 seconds while sending a
    bounce message. All queue manager bounce send requests are
    now implemented asynchronously. Files: global/abounce.[hc]
    (asynchronous bounce client), qmgr/qmgr_active.c. Problem
    reported by El Bunzo (webpower.nl) and Tiger Technologies
    (tigertech.com).

20001209

    Feature: mailbox_transport and fallback_transport can now
    have the form transport:nexthop, with suitable defaults
    when either transport or nexthop are omitted, just like in
    the Postfix transport map. This allows you to specify, for
    example, "mailbox_transport = lmtp:unix:/file/name". File:
    global/deliver_pass.c.

20001210

    Bugfix: the local_destination_concurrency_limit parameter
    no longer worked as per-user concurrency limit but instead
    worked as per-domain limit, so that the limit of "2" in
    the default main.cf files resulted in poor local delivery
    performance. Files: qmgr/qmgr_message.c, qmgr/qmgr_deliver.c.
    Problem reported by David Schweikert (ee.ethz.ch) and Dallas
    Wisehaupt (cynicism.com).

20001210

    Feature: support for MYSQL connections over UNIX-domain
    sockets by Piotr Klaban. Files: util/dict_mysql.c,
    MYSQL_README.

20001211

    Small dirt: postconf -m produced too much output due to a
    missing "else", and the optional SASL code needed a fix
    for the changed name_mask API.

20001212

    Workaround: due to an error, record type L for "filter
    transport name" was the same as that for the already existing
    record type L for "record not ending in newline", causing
    the pickup daemon to discard all records not ending in
    newline. The code cannot be changed without breaking
    compatibility with queued mail, so the pickup server is
    changed to discard type L records only from the message
    envelope, not from the content. File: pickup/pickup.c.

20001213

    Bugfix: dict_ldap did not properly initialize a handle
    after connection timeout. Problem reported by Alain Thivillon.
    File: util/dict_ldap.c.

20001214

    Feature: local_transport and default_transport now also
    understand the transport[:destination] notation, so that
    all transport config parameters are similar again. File:
    trivial-rewrite/resolve.c, trivial-rewrite/transport.c.

    Code cleanup: mailbox_transport and fallback_transport no
    longer allow the user to omit the transport part of a
    transport:destination specification. That just did not make
    any sense at all. The :destination part is still optional.
    File: global/deliver_pass.c.

    Feature: most time-related configuration parameters take
    a one-letter suffix that specifies the time unit: s
    (second), m (minutes), h (hours), d (days), w (weeks).
    "postconf -d" output includes the default time unit. Files:
    many.

    Code cleanup: in a CONFIG_TIME_TABLE, the default time unit
    is now always the last character of a default time value.
    It is no longer necessary to specify the default time unit
    separately.
    This change means that it will not be possible
    to specify default values in the form of function calls,
    but that was unused anyway. Files: global/mail_conf_time.c,
    and user code.

20001217

    Bugfix: reorganized some code in the MYSQL client to end
    a number of memory allocation/deallocation problems. This
    code needs more work. File: dict_mysql.c.

20001218

    Bugfix: the MYSQL client did not provide function pointers
    for unimplemented operations, causing "postmap -d" to dump
    core instead of issuing an error message. This is what I
    get for accepting code that I cannot test myself.

20001221

    Code cleanup: configuration parameters that are $name
    expanded at run-time now have their own data type hierarchy
    instead of being piggy-backed on top of strings that are
    $name expanded at program initialization time. Files:
    global/mail_conf.h, global/mail_conf_raw.c, and code that
    calls it.

20001230

    Update: replaced the default rbl.maps.vix.com setting by
    the current blackholes.mail-abuse.org.

20010102

    Code cleanup: the queue manager is a bit greedier with
    allocating a delivery agent. Problem pointed out by Patrik
    Rak. All bugs in the solution are mine. Files:
    *qmgr/qmgr_active.c.

20010105

    Bugfix: the FILTER_README shell script example did not
    correctly pass exit status to the parent.

    Bugfix: soft errors in client hostname lookups would be
    treated as hard errors. Fix by Michael Herrmann
    (informatik.tu-muenchen.de). File: smtpd/smtpd_peer.c.

20010110

    Bugfix: the mkdir() EEXIST race condition workaround was
    not complete. Matthias Andree, Daniel Roesen. Files:
    global/mail_queue.c, util/make_dirs.c.

20010111

    Portability: IRIX 6.5.10 defines sa_len as a macro, causing
    a name collision with a variable used by Postfix.
    Roberto Totaro, enigma.ethz.ch. File: smtpstone/smtp-source.c.

20010116

    Bugfix: REJECT by header/body_checks was flagged in smtpd
    as a bounce, should be policy, in order to make postmaster
    notifications more consistent. File: smtpd/smtpd.c.

    Merged updated chroot setup procedure by Matthias Andree.
    Files: examples/chroot-setup/LINUX2.

20010117

    Formatting: changed the seconds and days formats in the
    "your mail is delayed" text so that it does not switch to
    scientific notation. File: bounce/bounce_notify_util.c.

20010119

    Feature: SASL support for the LMTP client. Recent CYRUS
    software requires this for Postfix over TCP sockets.

20010120

    Bugfix: the 20001005 revised fallback_relay support caused
    Postfix to send mail to the fallback even when the local
    machine was an MX host for the final destination. Result:
    mailer loop. Found by Laurent Wacrenier (teaser.fr). Files:
    smtp/smtp_connect.c, smtp/smtp_addr.c.

20010121

    Workaround: specify "broken_sasl_auth_clients = yes" in
    order to support old Microsoft clients that implement a
    non-standard version of RFC 2554 (AUTH command).

    Workaround: Lotus Domino 5.0.4 violates RFC 2554 and replies
    to EHLO with AUTH=LOGIN. File: smtp/smtp_proto.c.

20010125

    Code cleanup: wrote creator/destructor for dictionary
    objects that provides default methods that trap all attempts
    to perform an unimplemented operation. Based on an ansatz
    by Laurent Wacrenier (teaser.fr). Files: util/dict*.[hc].

    Code cleanup: INSTALL.sh does not ask questions when stdin
    is not connected to a tty (as in: make install</dev/null).
    To automate a customized install, the script imports
    environment variables for install_root etc.

20010127

    Workaround: randomize the delay between attempts to lock
    a file, so that multiple bounce or defer servers are less
    likely to retry all at the same time. Files:
    util/rand_sleep.c, global/deliver_flock.c, global/dot_lockfile.c.

20010128

    Code cleanup: complaints about invalid or numeric hostnames
    either provide specific context or are removed as redundant.
    Files: util/valid_hostname.c, dns/dns_lookup.c.

    Code cleanup: new mailbox_size_limit parameter (default:
    20MB). Until now, the mailbox size limit was the same as
    the message size limit, due to an artefact of the implementation.
    Files: global/mail_params.h, local/local.c.

    Bugfix: fix for the ldap_domains parameter, both semantics
    and documentation by LaMont Jones. Files: LDAP_README,
    conf/sample-ldap.cf, util/dict_ldap.c.

    Update: merged in the virtual delivery agent by Andrew
    McNamara. See VIRTUAL_README for detailed examples.

    Update: merged a re-vamped nqmgr by Patrik Rak.

20010129

    Tweak: several little nqmgr tweaks by Patrik Rak. Files:
    global/mail_params.h, nqmgr/qmgr_job.c.

    Bugfix: the virtual delivery agent did not save maps_find()
    results timely. Jørgen Thomsen, postfix.jth.net. File:
    virtual/mailbox.c.

    Security: disallow regexp tables in the virtual delivery
    agent. The $1 etc. substitution mechanism gives too much
    power to the sender. File: virtual/mailbox.c.

    Cleanup: clarified documentation and boundary cases in the
    random_sleep() routine.

    Bugfix: the MISSING_USLEEP feature was used backwards.
    Patrik Rak. File: util/random_sleep.c.

20010130

    Workaround: Linux usleep() is void, BSD/Solaris usleep()
    returns int, don't use it. File: util/random_sleep.c.

    Made local maildir bounce/defer handling mode consistent
    with local mailbox delivery.
    File: local/maildir.c.

    The smtp client now defers delivery when all MX hosts have
    no A record. File: smtp/smtp_addr.c.

    Bundled the man2html and postlink quick hacks so people
    can do their own manual page processing. See scripts in
    the mantools directory.

    Documentation: updated the reference to sendmail in the
    html/index.html page.

    Documentation: added note about the Cisco PIX "fixup smtp"
    bug that causes mail delivery problems when "." and "CRLF"
    arrive in separate packets. File: html/faq.html.

20010201

    Bugfix: another missing initialization in the mysql client.
    File: util/dict_mysql.c.

    Sanitized time routine by Patrik Rak, to make his nqmgr
    robust against people who set their clock back. Files:
    util/sane_time.[hc].

    Bumped the default mailbox file size limits to 50MB.

20010202

    Bugfix: fixed the way the master resets the file size limit
    to avoid problems when a Postfix daemon updates a queue
    file. The file size limit is now increased to INT_MAX if
    it is smaller than INT_MAX, so that it is less likely to
    interfere than the old setting of message_size_limit.

    Feature: disable mailbox size limits for the local and
    virtual delivery agents by setting mailbox_size_limit or
    virtual_mailbox_limit to zero.

20010203

    Update: null candidate patch from Patrik Rak. Files:
    nqmgr/qmgr_entry.c, nqmgr/qmgr_job.c, nqmgr/qmgr_message.c.

    Cleanup: added one gruesome command to the postlink script
    for hyperlinking nroff manual page output. Word abbreviation
    broke some <a href...> </a> instances across line boundaries.
    sed(1) is an amazing tool. File: mantools/postlink.

20010204

    Laid the ground work for logging of table accesses. This
    will give more insight into how Postfix uses its lookup
    tables. User interface comes later.
    File: util/dict_debug.c.

20010216

    Bugfix: the pipe delivery agent expanded $size as if it
    were a recipient, instead of expanding it as $nexthop or
    as $sender. Reported by Michael Tokarev. File: pipe/pipe.c.

20010221

    Bugfix: poor LMTP performance for domains that are listed
    in $mydestination, because Postfix would send one recipient
    at a time, with multiple deliveries of recipients of the
    same message in parallel; a similar problem could exist
    with virus scanning and with firewall relay hosts that
    forward mail for $mydestination to an inside machine. This
    behavior is now changed to depend on the transport-specific
    xxx_destination_recipient_limit parameter. This also means
    that you can now get qmail behavior for SMTP deliveries by
    setting smtp_destination_recipient_limit=1. File:
    {qmgr,nqmgr}/qmgr_message.c.

    Workaround: Solaris socketpair() can fail with EINTR. Added
    a sane_socketpair.c module that joins the ranks of the
    other sane_whatever workarounds. Reported by Andrew McNamara.
    File: util/sane_socketpair.[hc]

20010222

    Documentation: the default main.cf file has a prominent
    warning that mynetworks should be properly configured in
    order to reject unauthorized mail relay requests from
    strangers.

    Documentation: the INSTALL document, section "mandatory
    configuration file edits" has a section that explains that
    mynetworks should be properly configured in order to reject
    unauthorized mail relay requests from strangers.

20010223

    Documentation: the basic.html document has a section that
    explains that mynetworks should be properly configured in
    order to reject unauthorized mail relay requests from
    strangers.

    Feature: new "mynetworks_style" parameter that controls
    how mynetworks (trusted networks) is derived from the
    inet_interfaces (machine interfaces) setting. Specify
    "class" for entire class A, B, C networks; "subnet" for
    the local subnets only; or "host" for maximal privacy.
    Files: util/inet_addr_local.[hc], global/own_inet_addr.[hc],
    global/mynetworks.[hc], postconf/postconf.c.

    Portability: MACOSX patches by Gerben Wierda.

    Portability: Solaris /dev/null is a symlink, which tripped
    up the code to safely open a file before local delivery.
    We now grudgingly allow symlinks owned by root. File:
    util/safe_open.c.

20010224

    Bugfix: "postconf mynetworks" ignored the inet_interfaces
    setting. That was a very old one. File: postconf/postconf.c.

    INCOMPATIBLE CHANGE: POSTFIX NO LONGER RELAYS MAIL FOR
    CLIENTS IN THE ENTIRE CLASS A/B/C NETWORK. POSTFIX BY
    DEFAULT RELAYS MAIL FOR CLIENTS IN THE LOCAL SUBNETWORK.
    Specify "mynetworks_style = class" to get the old behavior.

20010225

    Portability: master sigchld handler based on writing to a
    pipe, so that the master wakes up from select(). Based on
    code by Erik Forsberg, Linkoping University, Sweden. File:
    master/master_sig.c. Disabled until after the major release.

    Code cleanup: Postfix should now run with no alias database.

    Code cleanup: local_destination_recipient_limit and
    local_destination_concurrency_limit have become first-class
    configuration parameters. Files: global/mail_params.h,
    *qmgr/qmgr.c, postconf/postconf.c.

20010226

    Documentation suggestions by Lars Hecking and Richard
    Huxton, Matthias Andree and many others.

    Code cleanup: some queue/transport operations need to be
    moved, after the code cleanup of the recipient/concurrency
    limit handling. Patrik Rak. Files: *qmgr/qmgr_message.c.
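The 20010223 mynetworks_style entry and the 20010224 incompatible change are about how wide a relay-trust range one interface address produces. The following added example (not code from global/mynetworks.c) derives that range for the three styles and tests a client against it. It is reduced to a single IPv4 interface; the function names, the constructed addresses and the handling of class D/E addresses are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Host-order IPv4 address from four octets. */
#define IP(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
     ((uint32_t)(c) << 8) | (uint32_t)(d))

/* Classful netmask for an address. */
static uint32_t class_mask(uint32_t addr)
{
    if ((addr & 0x80000000u) == 0)
        return 0xFF000000u;             /* class A: /8 */
    if ((addr & 0xC0000000u) == 0x80000000u)
        return 0xFFFF0000u;             /* class B: /16 */
    if ((addr & 0xE0000000u) == 0xC0000000u)
        return 0xFFFFFF00u;             /* class C: /24 */
    return 0xFFFFFFFFu;                 /* class D/E: host only (assumption) */
}

/* Netmask that a style implies; returns -1 for an unknown style. */
static int style_mask(const char *style, uint32_t if_addr,
                      uint32_t if_mask, uint32_t *mask)
{
    if (strcmp(style, "class") == 0)
        *mask = class_mask(if_addr);
    else if (strcmp(style, "subnet") == 0)
        *mask = if_mask;
    else if (strcmp(style, "host") == 0)
        *mask = 0xFFFFFFFFu;
    else
        return -1;
    return 0;
}

/* Number of leading one bits in a netmask. */
static int prefix_len(uint32_t mask)
{
    int n = 0;

    while (mask & 0x80000000u) {
        n++;
        mask <<= 1;
    }
    return n;
}

/* Writes the trusted network as "a.b.c.d/len"; NULL for an unknown style. */
static const char *trusted_network(const char *style, uint32_t if_addr,
                                   uint32_t if_mask, char *buf, size_t len)
{
    uint32_t mask;
    uint32_t net;

    if (style_mask(style, if_addr, if_mask, &mask) != 0)
        return NULL;
    net = if_addr & mask;
    snprintf(buf, len, "%u.%u.%u.%u/%d",
             (unsigned) (net >> 24), (unsigned) ((net >> 16) & 0xFF),
             (unsigned) ((net >> 8) & 0xFF), (unsigned) (net & 0xFF),
             prefix_len(mask));
    return buf;
}

/* 1 when the client falls inside the network derived for the style. */
static int client_is_trusted(const char *style, uint32_t if_addr,
                             uint32_t if_mask, uint32_t client)
{
    uint32_t mask;

    if (style_mask(style, if_addr, if_mask, &mask) != 0)
        return 0;                       /* unknown style: trust nobody */
    return (client & mask) == (if_addr & mask);
}

int main(void)
{
    /* Constructed sample: one interface, one client on another subnet. */
    const char *styles[] = { "class", "subnet", "host" };
    uint32_t if_addr = IP(172, 16, 5, 10);
    uint32_t if_mask = IP(255, 255, 255, 0);
    uint32_t client = IP(172, 16, 200, 7);
    char buf[32];
    int i;

    for (i = 0; i < 3; i++)
        printf("%-6s %-18s client 172.16.200.7 trusted=%d\n", styles[i],
               trusted_network(styles[i], if_addr, if_mask, buf, sizeof(buf)),
               client_is_trusted(styles[i], if_addr, if_mask, client));
    return 0;
}
```

With the old class behavior the whole 172.16.0.0/16 range may relay through a host that sits on a /24, which is the exposure the 20010224 default change removes.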

20010301

    Feature: configurable name in syslog output (default:
    "syslog_name = postfix") so that different Postfix instances
    can be recognized by their logging. File: global/mail_task.c.

20010313

    Workaround for logic mismatch in nqmgr that was exposed
    with the introduction of the asynchronous bounce client.
    Patrik Rak.

20010313

    Bugfix: the RFC 822 untokenizer quoted newlines inside
    comments. File: global/tok822_parse.c.

20010316

    Cleanup: removed an extraneous warning when a queue file
    write error happened.

20010321

    Workaround: LMTP connection caching never worked for
    destinations starting with unix: or inet:. File:
    lmtp/lmtp_connect.c.

20010322

    Portability: Solaris <2.6 does not have srandom() and
    random() in libc. File: util/rand_sleep.c. It does not have
    to be cryptographically strong.

    Bugfix: the fast ETRN flush server could not handle [ipaddr]
    or domain names with one-character hostname part. This
    fix changes the destination to logfile name mapping, so
    that you need to populate the new files with "sendmail -q".
    The old files go away automatically. File: flush/flush.c.

20010327

    Speed up mailq (sendmail -bp) display by flushing output
    after each file. File: showq/showq.c.

    Portability: missing string.h includes, %p wants (void *),
    Lamont Jones, HP.

20010328

    Bugfix: swapped logic caused cleanup to stall when the
    queue file size exceeded the file size limit by less than
    one VSTREAM buffer size, so that the "file too big"
    was detected after flushing the last queue file record.
    File: cleanup/cleanup.c.

20010329

    Portability: workaround for missing prototype problem in
    dict_ldap.c.
    This module should move to the global directory,
    because it depends on Postfix main.cf parameter information.

    Workaround: after sending a trigger message over a socket,
    do not immediately close the client side, but close it from
    a background thread that waits until the server closes the
    socket first. This avoids trouble with socket implementations
    that destroy a socket when the client closes a socket before
    the server has received the client's data. Files:
    util/{inet,unix,stream}_trigger.c, util/events.c,
    master/master_trigger.c, postkick/postkick.c.

20010403

    Workaround: the mysql library can return null pointers
    rather than zero-length strings. File: util/dict_mysql.c.

20010404

    Ergonomics: log additional information about the reason
    why "mail for XXX loops back to myself" when the local
    machine is the best MX host. File: smtp/smtp_addr.c.

20010406

    Changed some noisy LDAP client warnings into optional
    logging. LaMont Jones, util/dict_ldap.c.

20010411

    Bugfix: the SMTP server now replies with 550 instead of
    503 when it receives the DATA command without having received
    a valid recipient address. This is needed for the Sendmail
    client-side pipelining implementation. Problem reported by
    Lutz Jaenicke. File: smtpd/smtpd.c.

    Cleanup: shut up if chattr fails on Reiserfs and other file
    systems that do not support the respective attributes.
    Files: conf/postfix-script-{no,}sgid.

20010413

    Ergonomics: Postfix applications now warn when a DB or DBM
    file is out of date, and recommend to rebuild the table.
    Files: util/dict_db.c, util/dict_dbm.c.

20010414

    Feature: specify a key of "-" to the postmap or postalias
    -q or -d option, and the keys will be read from standard
    input, one key per line.
    Files: postmap/postmap.c,
    postalias/postalias.c.

    Bugfix: with a non-default inet_interfaces setting, the
    master ignored host information in master.cf host:port
    settings. Fix by Jun-ichiro itojun Hagino @ iijlab.net.
    Files: master/master.h, master/master_ent.c.

20010426

    Bugfix: the SMTP server did not parse invalid MAIL FROM or
    RCPT TO addresses such as <first last <user@domain>> the
    way it was supposed to do. I thought this was taken care
    of years ago. File: smtpd/smtpd.c.

20010427

    Bugfix: smtpd would reject mail instead of replying with
    a 4xx temporary error code when, for example, an LDAP or
    mysql server was unavailable. Remotely based on a fix by
    Robert Kiessling @ de.easynet.net. File: smtpd/smtpd_check.c.

20010429

    Feature: the Postfix SMTP client now by default randomly
    shuffles destination IP addresses of equal preference.
    Specify "smtp_randomize_addresses = no" to disable.
    Shuffling code by Elias Levy @ SecurityFocus.com. Files:
    dns/dns_rr.c, smtp/smtp_addr.c.

20010501

    Bugfix: The SMTP server's 550 in reply to DATA should be
    a 554 response. And it wasn't Sendmail. Claus Assman.

    Bugfix: the INSTALL.sh test for non-interactive upgrade
    broke rooted installations that specify settings via the
    environment. Simon Mudd.

    Bugfix: mailq output is now really flushed one message at
    a time. File: sendmail/sendmail.c.

    Feature: "postsuper -d queueID" deletes one message queue
    file; "postsuper -d -" reads zero or more queue IDs from
    standard input, and deletes one instance of each file.
    File: postsuper/postsuper.c.

    Code cleanup: in order to make postsuper -d safe with a
    running Postfix mail system, some routines had to be made
    tolerant for sudden queue file disappearances. Files:
    global/deliver_request.c, *qmgr/qmgr_move.c.

    Code cleanup: in order to make postsuper -d more usable,
    the showq command was extended to safely list the possibly
    world-writable maildrop directory. File: showq/showq.c.

20010504

    Feature: postsuper -d will also delete defer and bounce
    logfiles when the named queue file is found.

20010505

    RFC 2821 feature: an SMTP server must reset all buffers
    upon receipt of EHLO. File: smtpd/smtpd_check.c.

    RFC 2821 feature: an SMTP server must accept a recipient
    address of "postmaster" without domain name. File:
    smtpd/smtpd_check.c.

    RFC 2821 recommendation: reply with 503 to commands sent
    after 554 greeting. File: smtpd/smtpd.c.

    RFC 2821 recommendation: if VRFY is enabled, list it in
    the EHLO response. File: smtpd/smtpd.c.

    RFC 2821 recommendation: SMTP clients should use EHLO.
    The default setting of smtp_always_send_ehlo has changed
    from 0 (send EHLO if server greets with ESMTP) to 1 (always
    send EHLO). In all cases, Postfix falls back to HELO if
    the server does not support EHLO. File: smtp/smtp_proto.c.

20010507

    Bugfix: with soft_bounce=yes, the SMTP server would log
    5xx replies even though it would send 4xx replies to the
    client (Phil Howard, ipal.net). File: smtpd/smtpd_check.c.

20010515

    Compatibility: Microsoft sends "AUTH=MBS_BASIC LOGIN".
    Updated the parsing code in smtp/smtp_proto.c. Problem
    reported by Ralf Tessmann, Godot GmbH.

20010520

    Standard: deleted the non-standard "via" portion from
    Received: headers generated by Postfix bounce or other
    notification processes. File: global/post_mail.c.

    Robustness: eliminated stack-based recursion from the RFC
    822 address parser. File: global/tok822_parse.c.

    Standard: annotated the source code with comments based on
    RFC 2821 and 2822. Not all the RFC changes make sense.

RFC 2821 recommendation: treat a RCPT 552 reply as if the
server sent 452. Files: smtp/smtp_proto.c, lmtp/lmtp_proto.c.

Cleanup: moved ownership of the debug_peer parameters from
the applications to the library, so that a Postfix shared
library does not suffer from undefined references. Files:
smtp/smtp.c, lmtp/lmtp.c, smtpd/smtpd.c, global/mail_params.c.
LaMont Jones, for Debian.

20010522

Feature: "postsuper -r queueID" re-queues a message, and
"postsuper -r ALL" re-queues all mail. The message is moved
to the maildrop queue so that the pickup daemon will copy
it to a new queue file, and so that address rewriting will
be done again. This is useful after changes of address
rewriting or virtual mappings.

Feature: "postsuper -d ALL [queue-name]" deletes a bunch
of mail.

20010523

Feature: "postsuper -s" (which is done by default) renames
queue files whose name (queue ID) does not match the message
file inode number.

Bugfix: memory leak in the LDAP client module. Alain
Thivillon, France Teaser - Groupe Firstream.

20010525

Portability: gcc 2.6.3 does not have __attribute__ (Clive
Jones, dgw.co.uk). File: util/sys_defs.h.

Bugfix: the SMTP and LMTP clients claimed that a queue file
needed to be delivered again (even when all recipients were
erased from the queue file) when no QUIT or RSET reply was
received (by default, this does not happen with SMTP mail
because the SMTP client does not wait for QUIT replies and
does not send RSET to deliver mail). As a result of the
same bug the LMTP client followed a dangling pointer when
sending QUIT after process idle timeout while the LMTP
server had disconnected. Files: smtp/smtp_proto.c,
lmtp/lmtp_proto.c.

20010526

newaliases no longer complains when an empty list is
specified with the alias_database configuration parameter.
File: sendmail/sendmail.c.

20010529

Workaround: old PIX firewall code messes up when the final
".<CR><LF>" at the end of DATA spans a packet boundary.
When Postfix detects PIX SMTP fixup mode, Postfix flushes
the output buffers before sending the final ".<CR><LF>".
File: smtp/smtp_proto.c.

20010530

Portability: updated code for Mac OS X, accounting for the
post-Beta changes. Code by Joe Block, UCF School of
Optics/CREOL.

20010601

Safety: postdrop turns off interrupts when cleaning up
after interrupt. The additional safety does not hurt anyone.
File: src/postdrop/postdrop.c.

20010607

Safety: dropped the RFC 2821 compliant code that treats
552 RCPT TO replies as 452. It created more problems than
it solved. Files: smtp/smtp_proto.c, lmtp/lmtp_proto.c.

Logging: the SMTP server now logs a warning if RBL lookups
have problems other than "not found". File: smtpd/smtpd_check.c.

20010610

Feature: address quoting and case folding flags for the
pipe(8) mailer.

20010611

Workaround: some MTAs fall on their face when they receive
unexpectedly long lines. From now on, Postfix defaults to
breaking long lines at 2048 (like Sendmail so it has got
to be right). To get the old, content preserving, behavior
specify "smtp_truncate_lines = no". File: smtp/smtp_proto.c.

20010614

Bugfix: did not really undo 2821 552->452 mapping.

20010628

Bugfix: postfix-script used a hard-coded maildrop group
owner instead of using the install-time specified name
stored in /etc/postfix/install.cf. Problem reported by
David Terrell @ meat.net.

20010701

Feature: mail_spool_directory ending in / causes maildir
style delivery.

Bugfix: the FreeBSD kernel parameters kern.ipc.nmbclusters
and kern.ipc.maxsockets cannot be set with sysctl commands.
File: html/faq.html. Len Conrad @ Go2France.com.

Cleanup: the virtual delivery agent was poorly integrated
so that the SMTP server and queue manager did not reject
mail for unknown users. Files: smtpd/smtpd_check.c.

20010705

Feature: QMQP server, compatible with qmail and the ezmlm
list manager. Files: util/netstring.[hc], qmqpd/qmqpd*.c.

20010706

Feature: QMQP stress test message generator program. Files:
smtpstone/qmqp-source.c, smtpstone/qmqp-sink.c.

20010708

Bugfix: with disable_dns=yes, the SMTP client treated all
host lookup errors as permanent. File: smtp/smtp_addr.c.

20010709

Feature: VERP support, based on a patch by Peng Yong, and
with the missing parts filled in so that the Postfix bounce
daemon can send one VERP bounce per undeliverable recipient.
Files: , sendmail/sendmail.c, smtpd/smtpd.c, qmgr/qmgr_deliver.c,
bounce/bounce_notify_verp.c, qmqpd/qmqpd.c, plus a couple
support routines in the global library.

Cleanup: with recipient_delimiter=+ (or any character other
than -) Postfix will now recognize address extensions even
with owner-foo+extension addresses. This is necessary to
make VERP work for mailing lists.

20010710

Bugfix: potential memory leak in the queue managers with
the new VERP delimiter record. Fix by Patrik Rak.

20010711

Cleanup: you can now specify the VERP delimiter characters
on the sendmail(1) command line, but they are still optional.

Safety: with maildir style delivery and with hashed mailboxes
the system mail spool directory must not be world writable.

20010713

Safety: the verp_delimiter_filter parameter (default: -=+)
limits what characters Postfix accepts as VERP delimiter
characters.

20010714

Logging: the queue manager now logs a "status=expired"
record when it returns a message that is too old. Files:
*qmgr/qmgr_active.c.

20010719

Feature: stiffer coupling between mail receiving rates and
mail delivery rates, using a trivial token-based scheme,
implemented by reading and writing an in-memory pipe. The
queue manager produces one token when it retrieves mail
from the incoming queue. The cleanup daemon consumes one
token when it adds mail to the incoming queue. If no token
is available the cleanup server pauses for $in_flow_delay
seconds and proceeds anyway. The delay allows mail sending
process to catch up and access the disk while not blocking
inbound mail. Valid delays are 0..10 seconds.

20010727

Bugfix: updated LDAP client module from LaMont Jones, HP.
This also introduces new LDAP query filter patterns: %u
(address localpart) and %d (domain part). Files:
conf/sample-ldap.cf, util/dict_ldap.c.

20010729

Bugfix: recursive smtpd_whatever_restrictions clobbered
intermediate results when switching between sender and
recipient address restrictions. Problem found by Victor
Duchovni, morganstanley.com. In order to fix, introduced
address resolver result caching, which should also help to
speed up sender/recipient address restriction processing.

Bugfix: the not yet announced DUNNO access table lookup
result did not prevent lookups with substrings of the same
lookup key. Found by Victor Duchovni, morganstanley.com.

20010730

Robustness: trim trailing whitespace from regexp and pcre
right-hand sides, for consistency with DB/DBM tables.
Files: util/dict_pcre.c, util/dict_regexp.c.

20010731

Robustness: eliminate duplicate IP addresses after expansion
of hostnames in $inet_interfaces, so that Postfix does not
suddenly refuse to start up after someone changes the DNS.
Files: util/inet_addr_list.c global/own_inet_addr.c.

Feature: specify "disable_verp_bounces = yes" to have
Postfix send one RFC-standard, non-VERP, bounce report for
multi-recipient mail, even when VERP style delivery was
requested.

20010801

Bugfix: postconf was using unexpanded values internally
for myhostname, inet_interfaces, and mynetworks_style.
This broke the "postconf -d" mynetworks computation. File:
postconf/postconf.c.

20010803

Feature: masquerade_classes parameter for fine control of
address masquerading. The default setting is backwards
compatible: envelope_sender header_sender header_recipient.
Files: cleanup/whatever.c.

20010822

Code cleanup: the bounce daemon complained about data that
it was not going to send back anyway. Fix: stop reading
the original message when the bounce message reaches the
bounce message size limit. File: bounce/bounce_notify_util.c.

20010826

Logging: postsuper now logs the queue ID when it requeues
a message, or when it deletes a message from the mail queue.
File: postsuper/postsuper.c.

20010830

Safety: the SMTP server now sends a 4xx (try again later)
response when an UCE restriction is misconfigured, instead
of ignoring the bad restriction and possibly accepting mail
that it should not accept. File: smtpd/smtpd_check.c.

20010907

Workaround: the Postfix qmqp-source program produced mail
not ending in newline. qmail-qmqpd accepts such mail, but
qmail-remote is unable to deliver it. Matthias Andree,
uni-dortmund.de.
File: smtpstone/qmqp-source.c.

20010910

Bugfix: the smtp-sink stress test program broke when RCPT
TO commands crossed network packet boundaries. Problem
reported by Matthias Andree, uni-dortmund.de. File:
smtpstone/smtp-sink.c.

20010917

Code cleanup: permit_mx_backup implements the old behavior
(accept mail if the local MTA is MX relay), and allows an
additional restriction via the permit_mx_backup_networks
parameter (accept mail only if the primary MX hosts match
the specified list of network blocks). This second restriction
is now entirely optional, for backwards compatibility.

Bugfix: an address extension could be appended multiple
times to the result of a canonical or virtual map lookup.
File: global/mail_addr_map.c. Fix by Victor Duchovni,
Morgan Stanley.

Bugfix: split_addr() would split an address even when there
was no data before the recipient delimiter. In combination
with the above bug, this could cause an address to grow
exponentially in size. Problem reported by Victor Duchovni,
Morgan Stanley. File: global/split_addr.c.

20010918

Bugfix: the mail_addr_map() fix was almost but not quite
right. It took two clever people and several iterations of
email to really fix the mail_addr_map() problem. Thanks
to Victor Duchovni and Liviu Daia.

20011006

Cleanup: Postfix no longer flushes the whole deferred queue
after an ETRN request for a random domain name (i.e. a
domain name not matched by $fast_flush_domains); the SMTP
server instead replies with "459 service unavailable".
Files: smtpd/smtpd.c, global/flush_clnt.c, flush/flush.c.

20011008

Bugfix: there was a minute memory leak when an smtpd access
restriction was misconfigured. File: smtpd/smtpd_check.c.

20011010

Code cleanup: Postfix daemons now print the name of the
UNIX-domain socket (instead of "unknown stream") in case
of a malformed client request. Files: master/*server.c.

20011010-14

Code cleanup: replaced the ugly mail_print() and mail-scan()
protocols by (name,value) attribute lists. This gives better
error detection when we make changes to internal protocols,
and allows new attributes to be introduced without breaking
everything immediately. Files: util/attr_print.c util/attr_scan.c
global/mail_command_server.c global/mail_command_client.c
as well as most Postfix applications and daemons.

20011015

Put base 64 encoding into place on the replaced internal
protocols. Files: util/base64_code.[hc].

Feature: header/body REJECT rules can now provide text that
is sent to the originator. Files: cleanup/cleanup.c,
cleanup/cleanup_message.c, conf/sample-filter.cf.

20011016

Bugfix: As of 20000625, Errors-To: was broken, because the
code to extract the address was not moved from recipient
address rewriting to sender address rewriting. Problem
reported by Roelof Osinga @ nisser.com. File:
cleanup/cleanup_message.c.

20011029

Bugfix: virtual map expansion terminated early because the
detection of self-referential entries was flawed. File:
cleanup/cleanup_map1n.c.

20011031

Bugfix: mail_date() mis-formatted negative time zone offsets
with fractional hours (-03-30 instead of -0330). Fix by
Chad House, greyfirst.ca. File: global/mail_date.c.

20011102

Feature: new -f option to postmap and postalias (do not
lowercase the lookup key while creating a table). Files:
util/dict.h postmap/postmap.c postalias/postalias.c.
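
Added example, not Postfix source: one way the "-03-30" output from the 20011031 mail_date() entry above can arise, next to a sign-safe formatter. The names utc_offset_minutes(), tz_naive() and tz_fixed() are hypothetical, and the struct tm values in main() are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define DAY_MIN 1440

/*
 * Offset of local time from UTC in minutes, computed from the two
 * broken-down forms of the same instant (year, yday, hour, min only).
 */
int utc_offset_minutes(const struct tm *lt, const struct tm *gmt)
{
    int off = (lt->tm_hour - gmt->tm_hour) * 60 + lt->tm_min - gmt->tm_min;

    /* The local and UTC views can fall on different calendar days. */
    if (lt->tm_year < gmt->tm_year)
        off -= DAY_MIN;
    else if (lt->tm_year > gmt->tm_year)
        off += DAY_MIN;
    else if (lt->tm_yday < gmt->tm_yday)
        off -= DAY_MIN;
    else if (lt->tm_yday > gmt->tm_yday)
        off += DAY_MIN;
    return off;
}

/*
 * Naive formatter: divides and takes the remainder of a signed value.
 * C truncates toward zero, so for -210 minutes the hour part is -3 and
 * the minute part is -30, and each is printed with its own sign.
 */
const char *tz_naive(char *buf, size_t len, int off_min)
{
    snprintf(buf, len, "%+03d%02d", off_min / 60, off_min % 60);
    return buf;
}

/* Sign-safe formatter: emit the sign once, then format the magnitude. */
const char *tz_fixed(char *buf, size_t len, int off_min)
{
    char sign = (off_min < 0) ? '-' : '+';
    int mag = abs(off_min);

    snprintf(buf, len, "%c%02d%02d", sign, mag / 60, mag % 60);
    return buf;
}

int main(void)
{
    /* Constructed instant: 22:30 local on day 302, 02:00 UTC on day 303. */
    struct tm lt = {0}, gmt = {0};
    char a[16], b[16];
    int off;

    lt.tm_year = gmt.tm_year = 101;
    lt.tm_yday = 302; lt.tm_hour = 22; lt.tm_min = 30;
    gmt.tm_yday = 303; gmt.tm_hour = 2; gmt.tm_min = 0;
    off = utc_offset_minutes(&lt, &gmt);

    printf("offset %d min: naive %s, fixed %s\n",
           off, tz_naive(a, sizeof a, off), tz_fixed(b, sizeof b, off));
    /* A half-hour zone west of UTC loses its sign in the naive form. */
    printf("offset -30 min: naive %s, fixed %s\n",
           tz_naive(a, sizeof a, -30), tz_fixed(b, sizeof b, -30));
    return 0;
}
```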

Code cleanup: simplified the attribute print/scan routines,
and removed the never-used support for sending and receiving
integer arrays and string arrays. Files: util/attr_print.c,
util/attr_scan.c.

Bugfix: qmqpd could read past the end of a string while
looking for qmail's VERP magic token in the envelope sender
address. File: qmqpd/qmqpd.c.

Code cleanup: finished testing the new internal protocols.
The only bug was with the flush server, which still needs
to support the old (string + null byte) protocol for triggers
from the Postfix master daemon.

20011103

Bugfix: Postfix would log the wrong error text when locally
submitted mail was deferred due to "soft_bounce = yes".

Bugfix: The LDAP client dropped any entries that don't have
the result_attribute, but errored out when a DN didn't
exist. The behavior is now consistent: treat non-existent
DN's in a special result attribute expansion the same as
DN's with no attribute. LaMont Jones, HP.

20011104

Bugfix: the new smtp-sink -n option (terminate after the
specified number of deliveries) wasn't optional.

Portability: updated Mac OS X documentation and install
scripts by Gerben Wierda.

20011105

Bugfix: missing terminator in new attribute-based function
call caused signal 11. File: src/cleanup/cleanup.c.

Lame workaround for ESTALE errors with mail delivery over
NFS. Additional bandages were added to the local delivery
agent. However, Wietse maintains that Postfix offers no
guarantee for reliable delivery over NFS.

Feature: put "warn_if_reject" before an smtpd restriction,
and that restriction logs warnings without rejecting mail.
This makes it easier to test configurations "live" without
having to lose mail. File: smtpd/smtpd_check.c.

20011107

Workaround: in order to get mail past PIX firewall bugs,
the Postfix SMTP client now blocks until the socket send
buffer is empty before sending the final ".<CR><LF>". Files:
util/sock_empty_wait.c, smtp/smtp_proto.c. Changed into
sleep(10) on 20011119. Sleep suggested by Hobbit.

20011108

Feature: added string-null encoding for internal protocols.
Files: util/attr_print0.c, util/attr_scan0.c.

Feature: configurable parent domain matching for domain
and hostname/address match lists: either .domain or the
domain name itself. Files: util/match_ops.c util/match_list.c

Feature: added pretend-to-be-behind-PIX mode to the smtp-sink
test program, in order to stress test some PIX bug workaround
code.

20011109

Workaround: Linux and Solaris systems have no reasonable
way to block until a socket drains. On these systems Postfix
simply waits for 10 seconds, in order to work around PIX
".<CR><LF>" bugs. File: util/sock_empty_wait.c.

20011114

Bugfix: reset the smtpd command transaction log between
deliveries. File: smtpd/smtpd.c.

20011115

Feature: mailbox_command_maps no longer requires that every
user has an entry. If the user does not have a command
entry, the local delivery agent tries the other delivery
methods (mailbox_command, home_mailbox). File: local/mailbox.c.

Bugfix: reset the smtpd command transaction log between
non-deliveries. File: smtpd/smtpd.c.

20011116

Bugfix: consolidated all the command transaction log resets
and eliminated one missing reset (Victor Duchovni, Morgan
Stanley). File: smtpd/smtpd.c.

20011118

Cleanup: replaced unnecessary match_list wrapper code by
macros. Files: global/{string,domain,namadr}_list.[hc].

20011119

Feature: configurable parent domain matching strategy for
transport map lookups. File: trivial-rewrite/transport.c.

New parent_domain_matches_subdomains parameter. This lists
all the Postfix features where a domain name matches itself
and all its subdomains (instead of requiring ".domain.name"
for subdomain matches). Planning for future backwards
compatibility :-) File: global/match_parent_style.c.

Workaround: simplified the PIX ".<CR><LF>" bug to always
sleep for 10 seconds. File: smtp/smtp_proto.c.

20011120

Workaround: disable attribute string length restriction so
that trivial-rewrite does not refuse to rewrite broken mail
headers. Files: util/attr_scan*.c.

20011121

Bugfix: missing long integer support in the new IPC protocols.
Files: util/attr_scan*.c, util/attr_print*.c.

Portability: AIX5 (Adrian P. van Bloois), MAC OS X 10.1.1
(Gerben Wierda).

20011125

Bugfix: spurious postmaster notifications because some flag
was not reset.

Feature: new parameter smtpd_sender_login_maps that specifies
the (SASL) login name that owns a MAIL FROM address.
Specify a regexp table in order to require a simple one-to-one
mapping. This is used in the reject_sender_login_mismatch
sender anti-spoofing feature.

Feature: restriction reject_sender_login_mismatch refuses
a MAIL FROM address when $smtpd_sender_login_maps specifies
an owner but the client is not (SASL) logged in as the MAIL
FROM address owner, or when a client is (SASL) logged in
but the client login name does not own the MAIL FROM address
according to $smtpd_sender_login_maps. File: smtpd/smtpd_check.c.

Documentation: added some redundancy to the LMTP_README
file so people can keep track of the difference between
the Postfix LMTP client and the non-Postfix LMTP server.

20011126

Feature: smtpd_noop_commands specifies a list of commands
that are treated as NOOP (no operation) commands, without
syntax check or state change. File: smtpd/smtpd.c.

Bugfix: the "mark queue file as corrupt" code did not work
because it was never used. Files: global/mark_corrupt.c,
global/mail_copy.c, global/pipe_command.c, *qmgr/qmgr_active.c,
local/maildir.c, local/mailbox.c, local/command.c, pipe/pipe.c,
virtual/mailbox.c, virtual/maildir.c.

Bugfix: the bounce daemon broke in the unlikely case of a
non-existing queue file. File: bounce/bounce_notify_util.c.

20011127

Feature: added WARN command to header/body_checks files as
proposed by Michael Tokarev. File: cleanup/cleanup_message.c.

Bugfix: the postdrop program was broken after the change
of Postfix internal protocols. This broke "sendmail -bs"
mail submissions with "secure" maildrop directory. Reported
by Craig Loomis, apo.nmsu.edu. File: postdrop/postdrop.c.

Feature: a first start at fault injection for testing
unlikely error scenarios (such as corrupt queue files).
Parameter: fault_injection_code, must be left at zero for
production use.

20011128

Robustness: add a file size limit to the sendmail and
postdrop submission programs to stop run-away process
accidents. This is not a defense against DOS attack. Files:
sendmail/sendmail.c, postdrop/postdrop.c.

That resulted in a considerable amount of work to properly
propagate "file too large" conditions back to the sendmail
mail posting user interface. Took the opportunity to express
other mail submission fatal exits with the <sysexits.h>
exit status codes. Files: sendmail/sendmail.c,
postdrop/postdrop.c.

20011129

Maintenance: dict_ldap.c wasn't updated after the revision
of the string matching routines.
File: util/dict_ldap.c.

20011208

Maintenance: LDAP module and documentation from LaMont
Jones. This version adds verbose logging for LDAP library
routines. Files: src/util/dict_ldap.[hc], LDAP_README,
conf/sample-ldap.cf

Portability: made memory alignment restrictions configurable.
File: util/mymalloc.c.

Bugfix? Avoid surprises with source routed destinations
and OK entries in SMTPD access maps. File: smtpd/smtpd_access.c.

Security: "postfix check" looks for damage by well-intended
but misguided use of "chown -R postfix /var/spool/postfix".
That would make chrooted Postfix less secure than non-chrooted
Postfix. These extra tests may cause complaints with
third-party patches such as TLS that introduce their own
files into the jail.

Feature: static map type that always returns the map name
as lookup value, regardless of lookup key value. Contributed
by Jeff Miller (jeffm at ghostgun.com)

Feature: turn off the PIX <CR><LF>.<CR><LF> workaround for
the first mail delivery attempt, i.e. when mail is queued
for less than $smtp_pix_workaround_threshold_time (default:
500) seconds. New parameter $smtp_pix_workaround_delay_time
to control the delay before sending .<CR><LF> (default: 10
seconds) when doing the PIX <CR><LF>.<CR><LF> workaround.

20011210

Bugfix: the 20011128 change in sendmail and postdrop did
not handle the case of message_size_limit=0. Fix by Will
Day, Georgia Tech.

20011212

Compatibility: The SMTP server now accepts <CR><CR><LF> as
if the client sent <CR><LF>. Reportedly, some badly written
windows software produces such garbage, and some badly
written windows anti-VIRUS software cannot handle such
garbage. File: global/smtp_stream.c.

20011214

Bugfix: postmap/postalias queries ignored the -f flag.
Reported by Hamish Marson.

20011217

Compatibility: Sendmail now has a -L option to set the
syslogging label. Postfix sendmail uses syslog_name instead,
and ignores the -L option.

Security: subtle hardening of the Postfix chroot jail,
Postfix queue file permissions and access methods, in case
someone compromises the postfix account. Michael Tokarev,
who received the insights from Solar Designer, who tested
Postfix with a kernel module that is paranoid about open()
calls. Files: master/master_wakeup.c, util/fifo_trigger.c,
postfix-script.

Convenience: issue a warning instead of aborting when the
local machine name is not in fully-qualified domain form.
This would otherwise break initial postfix installation
which needs the postconf command. File: global/mail_params.c.

20011220

Added more garbage detection to postconf -e input processing.

20011221

Feature: SMTPD access map lookups of null sender addresses.
If your access maps cannot store or look up null string
key values, specify "smtpd_null_access_lookup_key = <>"
and the null sender address will be looked up as <> instead.
File: src/smtpd_access.c.

20011223

Safety: configuration file comments no longer span multiple
lines when the next line begins with whitespace; multi-line
input is no longer terminated by a comment line, by an all
white space line, or by an empty line. Michael Tokarev made
the crucial suggestion to simplify the readline routine.
Files: util/readlline.c, postconf/postconf.c.

Cleanup: proper detection of big number overflow in EHLO
and MAIL FROM size announcements, with input from Victor
Duchovni, Morgan Stanley. Files: global/off_cvt.c,
smtpd/smtpd.c, smtp/smtp_proto.c, util/alldig.c.
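
Added example, not Postfix source: a logical-line reader that follows the 20011223 "Safety" entry above, where comment, blank and all-whitespace lines are skipped without ending a multi-line value, and a line that begins with whitespace continues the previous value. The name next_logical_line(), the in-memory line array, joining with one space, treating '#' after leading whitespace as a comment, and the sample input are assumptions of this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* True for an empty line, an all-whitespace line, or a comment line. */
static int is_skippable(const char *line)
{
    while (*line != '\0' && isspace((unsigned char) *line))
        line++;
    return (*line == '\0' || *line == '#');
}

/* Append src to the string in dst (capacity cap); -1 if it does not fit. */
static int append(char *dst, size_t cap, const char *src)
{
    size_t used = strlen(dst), need = strlen(src);

    if (need >= cap - used)
        return -1;
    memcpy(dst + used, src, need + 1);
    return 0;
}

/*
 * Read one logical line starting at lines[*pos].
 * Returns 1 with the text in out, 0 at end of input, -1 if out is too small.
 */
int next_logical_line(const char *const *lines, size_t nlines, size_t *pos,
                      char *out, size_t cap)
{
    const char *p;

    if (cap == 0)
        return -1;
    out[0] = '\0';

    /* Skip comments and blank lines in front of the next value. */
    while (*pos < nlines && is_skippable(lines[*pos]))
        (*pos)++;
    if (*pos >= nlines)
        return 0;

    p = lines[(*pos)++];
    while (isspace((unsigned char) *p))
        p++;
    if (append(out, cap, p) < 0)
        return -1;

    /* Collect continuation lines; comments and blanks do not end the value. */
    while (*pos < nlines) {
        p = lines[*pos];
        if (is_skippable(p)) {
            (*pos)++;
            continue;
        }
        if (!isspace((unsigned char) *p))
            break;                      /* next value starts here */
        while (isspace((unsigned char) *p))
            p++;
        if (append(out, cap, " ") < 0 || append(out, cap, p) < 0)
            return -1;
        (*pos)++;
    }
    return 1;
}

/* Constructed sample in main.cf style. */
static const char *const SAMPLE[] = {
    "# constructed sample",
    "mynetworks = 192.0.2.0/24,",
    "# comment between the two halves of one value",
    "",
    "    198.51.100.0/24",
    "   ",
    "myhostname = mail.example.com",
};
#define SAMPLE_LEN (sizeof SAMPLE / sizeof SAMPLE[0])

int main(void)
{
    char buf[256];
    size_t pos = 0;

    while (next_logical_line(SAMPLE, SAMPLE_LEN, &pos, buf, sizeof buf) == 1)
        printf("[%s]\n", buf);
    return 0;
}
```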
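
Added example, not Postfix source: overflow-checked conversion of a SIZE announcement, as in the 20011223 "Cleanup" entry above, beside an unchecked accumulator that wraps around. The names naive_size(), parse_size() and size_check(), the uint64_t width and the sample limit are assumptions of this example.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Unchecked accumulator: unsigned arithmetic wraps modulo 2^64, so a huge
 * announcement turns into a small number that passes a later limit test.
 */
uint64_t naive_size(const char *s)
{
    uint64_t result = 0;

    while (isdigit((unsigned char) *s))
        result = result * 10 + (uint64_t) (*s++ - '0');
    return result;
}

/*
 * Checked conversion: all digits, non-empty, and representable.
 * Returns 0 and stores the value in *out, or -1 on any error.
 */
int parse_size(const char *s, uint64_t *out)
{
    uint64_t result = 0;

    if (s == NULL || *s == '\0')
        return -1;                      /* missing argument */
    for (; *s != '\0'; s++) {
        uint64_t digit;

        if (!isdigit((unsigned char) *s))
            return -1;                  /* sign, space, or other junk */
        digit = (uint64_t) (*s - '0');
        /* Test before multiplying, so the wrap never happens. */
        if (result > (UINT64_MAX - digit) / 10)
            return -1;
        result = result * 10 + digit;
    }
    *out = result;
    return 0;
}

/*
 * Policy on top of the conversion: 1 = within limit, 0 = too large,
 * -1 = malformed or out of range (never silently treated as small).
 */
int size_check(const char *arg, uint64_t limit)
{
    uint64_t value;

    if (parse_size(arg, &value) < 0)
        return -1;
    return (value <= limit) ? 1 : 0;
}

int main(void)
{
    /* Constructed announcement: 2^64 + 1. */
    const char *huge = "18446744073709551617";
    const uint64_t limit = 10240000;    /* sample message size limit */

    printf("naive value:  %llu\n", (unsigned long long) naive_size(huge));
    printf("naive passes limit: %d\n", naive_size(huge) <= limit);
    printf("checked result:     %d\n", size_check(huge, limit));
    return 0;
}
```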

Forward compatibility: added queue file record types for
original recipient and for generic named attributes.

Cleanup: safe_open() now returns sensible errno values so
that the fifo_trigger() external interface is restored.

20011225

Upgrade: PCRE_README now describes PCRE version 3.x.

Cleanup: flush SMTPD command history upon receipt of EHLO,
RSET, and upon DATA completion, only if it exceeds
$smtpd_history_flush_threshold lines (default: 100).
Distant derivative of code by Michael Tokarev. File:
smtpd/smtpd.c.

20011228

Bugfix: a readlline() error message showed less text than
intended. Christian von Roques.

Cleanup: postfix now installs with group-writable maildrop
directory and with a set-gid postdrop mail submission
command. The pickup service is now unprivileged. The
world-writable maildrop directory no longer exists.

The cleanup service is now public, in preparation for local
sendmail/postdrop mail submission that avoids the maildrop
queue directory while Postfix is up.

Cleanup: moved the main.cf/master.cf file editing from the
postfix-script file to the INSTALL.sh file.

Cleanup: INSTALL.sh no longer accepts "no" as the destination
of Postfix manual pages.

20011230

Cleanup: the code for "mailq", "sendmail -q", and for
"sendmail -qRsite" was moved from the sendmail command to
a new set-gid postqueue command. The pickup and qmgr FIFOs
are no longer world writable. Files: sendmail/sendmail.c,
postqueue/postqueue.c.

20020101

Security: new alternate_config_directories parameter that
specifies what directories a set-gid command will accept
as its configuration directory. The list must be specified
in the default main.cf file. File: global/mail_conf.c.

Cleanup: "sendmail -qRsite" is no longer implemented by
connecting to the SMTP port. It is now implemented by
talking to the fast flush service. File: postqueue/postqueue.c.

20020203

Cleanup: INSTALL.sh now records all installation information
in the main.cf file. The now obsolete install.cf file is
used only when upgrading from an older Postfix release.

Cleanup: INSTALL.sh now takes name=value settings on the
command line, and has a new "-upgrade" command line option
to turn on non-interactive installation.

Security: additional run-time checks to discourage sharing
of Postfix user/group ID values with other accounts.

20020105

Cleanup: SMTPD access maps now return DUNNO (undetermined)
instead of OK when a recipient address contains multiple
domains (user@dom1@dom2, etcetera). Victor Duchovni, Morgan
Stanley. File: smtpd/smtpd_check.c.

20020106

Bugfix: SMTPD access maps did not handle address extensions.
File: smtpd/smtpd_check.c.

20020107

Bugfix: postfix-script, when creating a missing maildrop
queue directory, still referenced install.cf when setting
maildrop directory group ownership; and the postfix command
did not export the setgid_group parameter to the postfix-script
shell script. Victor Duchovni.

Bugfix: postfix-script, when creating a missing public
queue directory, did not set group ownership of the public
directory.

20020109

Cleanup: rewrote the Postfix installation procedure again.
It is now separated into 1) a primary installation script
(postfix-install) that installs files locally or that builds
a package for distribution and that stores file owner and
permission information in /etc/postfix/post-files, and 2)
a post-installation script (/etc/postfix/post-install) that
creates missing directories, that sets file/directory
ownership and permissions, and that upgrades existing
configuration files if necessary.

20020110

Workaround: AIX null read() return on an empty but open
non-blocking pipe. File: master/master_flow.c. Report:
Hamish Marson.

20020111

Feedback: feedback, bugfixes, and brain-dead shell workarounds
for the install scripts by Victor Duchovni and Simon Mudd.

20020113

Rewrote postfix-install. The postfix-files file now controls
what is installed. Refined the semantics of many post-install
operations. post-install now auto-saves settings that
override main.cf.

20020114

Bugfix: alternate_config_directories did not take comma or
whitespace as separators. File: global/mail_conf.c. Victor
Duchovni, Morgan Stanley.

Bugfix: the rewritten postfix-install script did not chattr
+S the Postfix queue.

20020115

Cleanup: added sample_directory and readme_directory
installation parameters for sample configuration files and
for README files. Files: postconf.c, postfix-install,
conf/postfix-files, conf/post-install.

Robustness: the postfix command now exports all installation
parameter settings, and input filters the environment, so
that the startup shell scripts produce a consistent result.
Files: postconf.c.

20020117

Portability: patch from LaMont Jones for compiling dict_ldap.c
with the Netscape SDK.

Feature: added "r" (recursive chown/chgrp) flag to the
postfix-files database, for more convenient change of
Postfix queue ownership. Files: conf/postfix-files,
conf/post-install.

20020122

Documentation: lots of little fixes.

Documentation: updates for the VIRTUAL_README file by Victor
Duchovni, Morgan Stanley.

Bugfix: postqueue -s dereferenced a null pointer when given
a numerical domain argument. LaMont Jones, HP.

Cleanup: smtpd now logs a warning when permit_sasl_authenticated
is used while SASL authentication is disabled, instead of
simply ignoring the restriction. LaMont Jones, HP. File:
smtpd/smtpd.c.

Safety: when postmap creates a non-existent file, the new
file inherits group/other read permissions from the source
file. Based on code by LaMont Jones, HP. File:
postmap/postmap.c.

20020123

Portability: some Linux systems install libnsl.so without
libnsl.a file, causing a yp_match undefined reference
problem. File: makedefs.

20020124

Portability: post-install now requests that command_directory
is given on the command line when the postconf command is
in an unusual place.

Safety: extra code to detect and report Berkeley DB version
mismatches between compile time and run time. This test
is limited to mismatches in the major version number only.
File: util/dict_db.c. Based on code by Lawrence Greenfield,
Carnegie-Mellon university.

Safety: the postfix command and the master daemon abort if
they are running set-uid.

Documentation: the postmap manual page described an out of
date input file format.

20020129

Workaround: SCO version 3.2 can't ioctl(FIONREAD) a pipe.
Therefore, input mail flow control is disabled by default.
Files: makedefs, global/mail_params.h, conf/main.cf.
        Problem reported by Kurt Andersen, Agilent.

20020201

        Workaround: changed the default smtpd_null_access_lookup_key
        setting to <>, because some Bezerkeloid DB implementations
        can't handle null-length lookup keys. File: global/mail_params.h.

        Bugfix: backed out a null-length address panic call by
        ignoring the problem, like Postfix did in the past. File:
        global/resolve_local.c.

        Safety: "postfix check" will now warn if /usr/lib/sendmail
        and /usr/sbin/sendmail differ, and will propose to replace
        one by a symlink to the other. File: conf/postfix-script.

20020204

        Sanity: additional permission checks for "postfix check"
        that warn for setgid_group group ownership mismatches. By
        Matthias Andree, uni-dortmund.de. File: conf/postfix-script.

        Bugfix: "postfix check" used a too simplistic way to
        recognize file ownership (grepping ls output). It now uses
        the recently discovered "find -prune". Peter Bieringer,
        Matthias Andree. File: conf/postfix-script.

20020218

        Workaround: log a warning and disconnect when an SMTP client
        ignores our negative replies and starts sending message
        content without permission. File: smtpd/smtpd.c.

20020220

        Bugfix: mismatch in the file being locked by dict_dbm and
        the file being locked by postmap, so that locks did not
        work correctly. Victor Duchovni, Morgan Stanley.

20020222

        Workaround: Solaris bug 4380626: strcasecmp() and strncasecmp()
        produce incorrect results with 8-bit characters. For example,
        non-ASCII characters could compare equal to ASCII characters,
        and that could result in any number of security problems.
        Files: util/strcasecmp.c, COPYRIGHT (the BSD license).

        Bugfix: off-by-one error, causing a null byte to be written
        outside dynamically allocated memory in the queue manager
        with addresses of exactly 100 bytes long, resulting in
        SIGSEGV on systems with an "exact fit" malloc routine.
        Experienced by Ralf Hildebrandt; diagnosed by Victor
        Duchovni. Files: *qmgr/qmgr_message.c. This is not a
        security problem.

        Bugfix: make all recipient comparisons transitive, because
        Solaris qsort() causes SIGSEGV errors otherwise. Victor
        Duchovni, Morgan Stanley. File: *qmgr/qmgr_message.c.

20020302

        Bugfix: don't strip source route (@domain...:) when the
        result would be an empty address. This avoids problems when
        append_at_myorigin is set to "no" (which is not supported).
        Problem reported by Charles McColgan, Big Fish Communications.
        File: trivial-rewrite/rewrite.c.

20020304

        Cleanup: postqueue should not complain when output
        fails with "broken pipe".

20020308

        Bugfix? reply with 550 not 552 when content is rejected.
        552 is reserved for "too much mail".

        Documentation: add note to sendmail manual page that running
        "sendmail -bs" as $mail_owner enables SMTP server UCE and
        access control checks. This is meant for use from inetd
        etc. Matthias Andree.

20020311

        Bugfix: DBM maps should use different files for locking
        and for change detection. Problem reported by Victor
        Duchovni, Morgan Stanley. Files: util/dict.h util/dict.c
        util/dict_db.c util/dict_dbm.c global/mkmap.c local/alias.c.

20020313

        Bugfix: mailq could show addresses with unusual characters
        twice. Problem reported by Victor Duchovni, Morgan Stanley.
        File: showq/showq.c.

        Bugfix: null recipients weren't properly recorded in
        bounce/defer logfiles.
        Such recipient addresses are not
        accepted in SMTP mail, but they could appear within locally
        submitted mail. File: bounce/bounce_append_service.c.

20020318

        Workaround: Berkeley DB can't handle null key lookups,
        which happen with HELO names ending in ".". Victor Duchovni,
        Morgan Stanley. File: smtpd/smtpd_check.c.

        Logging: log a hint when mail is deferred because the
        soft_bounce parameter is set. People sometimes forget to
        turn it off. File: global/bounce.c.

20020319

        Cleanup: add a msg_warn() call when fork() fails in
        pipe_command(), to make problems easier to investigate.
        Chris Wedgwood. File: global/pipe_command.c.

20020320

        Feature: smtp_helo_name parameter to specify the hostname
        or [ip.address] in HELO or EHLO commands. Files: smtp/smtp.c
        smtp/smtp_proto.c.

20020324

        Cleanup: more graceful handling of long physical message
        header lines upon input. Physical header lines can now
        extend up to $header_size_limit characters. When a logical
        message header is too long, the excess text is discarded
        and Postfix no longer switches to body mode, to avoid
        breaking MIME encapsulation. Based on code by Victor
        Duchovni, Morgan Stanley. Files: cleanup/cleanup_out.c,
        cleanup/cleanup_message.c.

        Cleanup: more graceful handling of long physical message
        header or body lines upon output by the SMTP client. The
        SMTP client output line length is controlled by a new
        parameter smtp_line_length_limit (default: 990; specify 0
        to disable the limit). Long lines are folded by inserting
        <CR> <LF> <SPACE>, to avoid breaking MIME encapsulation.
        Based on code by Victor Duchovni, Morgan Stanley. File:
        smtp/smtp_proto.c.
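
The output folding described in the 20020324 entry, as an added C example that is not Postfix code. fold_line() and the other helpers are hypothetical names, the input line is constructed, and the example assumes the limit counts the bytes of one physical line without its <CR><LF>, including the leading space of a continuation line.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added illustration, not Postfix source code. fold_line() is a hypothetical
 * helper. It copies one logical line (without its line terminator) and breaks
 * it with <CR><LF><SPACE> so that no physical line exceeds `limit` bytes.
 * limit == 0 disables folding, as with smtp_line_length_limit = 0.
 * Returns a malloc()ed buffer (caller frees), or NULL on error.
 */
char *fold_line(const char *line, size_t len, size_t limit, size_t *out_len)
{
    size_t folds = 0, chunk = limit, i = 0, o = 0;
    char *out;

    if (limit == 1)                 /* a continuation line could hold no data */
        return NULL;
    if (limit > 0 && len > limit)   /* ceil((len - limit) / (limit - 1)) */
        folds = (len - limit + (limit - 2)) / (limit - 1);
    if ((out = malloc(len + 3 * folds + 1)) == NULL)
        return NULL;
    while (i < len) {
        size_t n = len - i;

        if (limit > 0 && n > chunk)
            n = chunk;
        memcpy(out + o, line + i, n);
        o += n;
        i += n;
        if (i < len) {              /* more data follows: fold here */
            memcpy(out + o, "\r\n ", 3);
            o += 3;
            chunk = limit - 1;      /* the inserted space uses one byte */
        }
    }
    out[o] = '\0';
    *out_len = o;
    return out;
}

/* Length of the longest run of bytes between <CR><LF> pairs. */
size_t longest_physical_line(const char *buf, size_t len)
{
    size_t cur = 0, max = 0, i;

    for (i = 0; i < len; i++) {
        if (buf[i] == '\r' && i + 1 < len && buf[i + 1] == '\n') {
            if (cur > max)
                max = cur;
            cur = 0;
            i++;                    /* skip the LF as well */
        } else {
            cur++;
        }
    }
    return cur > max ? cur : max;
}

/*
 * Fold a constructed line of `len` 'x' bytes and return either the folded
 * length or the longest physical line; (size_t) -1 reports an error.
 */
size_t demo(size_t len, size_t limit, int want_longest)
{
    char *in = malloc(len + 1), *out;
    size_t out_len = 0, result = (size_t) -1;

    if (in == NULL)
        return result;
    memset(in, 'x', len);
    in[len] = '\0';
    if ((out = fold_line(in, len, limit, &out_len)) != NULL) {
        result = want_longest ? longest_physical_line(out, out_len) : out_len;
        free(out);
    }
    free(in);
    return result;
}

int main(void)
{
    printf("2000 bytes, limit 990: %lu bytes out, longest line %lu\n",
           (unsigned long) demo(2000, 990, 0),
           (unsigned long) demo(2000, 990, 1));
    printf("2000 bytes, limit 0:   %lu bytes out\n",
           (unsigned long) demo(2000, 0, 0));
    return 0;
}
```

Every continuation line produced this way starts with a space, so the receiving side sees it as a folded continuation rather than as a new header or body line.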

20020325

        Cleanup: allow additional text after a WARN command in a
        header/body_checks pattern file, so that one can change
        REJECT+text into WARN+text and vice versa. Based on code
        by Fredrik Thulin, Stockholm University.

        Cleanup: log a warning when an unknown command is found in
        a header/body_checks pattern file, or when additional text
        is found after a command that does not expect additional
        text. Based on code by Fredrik Thulin, Stockholm University.

        Bugfix: sendmail should not recognize "." as the end of
        input when the current read operation started in the middle
        of a line. Victor Duchovni, Morgan Stanley. File:
        sendmail/sendmail.c.

20020328

        Portability fix for OPENSTEP and NEXTSTEP by Gerben Wierda.
        File: util/sys_defs.h.

20020329

        Bugfix: defer_transports broke because the flush server
        triggered mail delivery (as if ETRN was sent) while doing
        some internal housekeeping of per-destination logfiles.
        Problem experienced by LaMont Jones, HP. File: flush/flush.c.

        Bugfix: virtual mapping broke for addresses with embedded
        whitespace. Fix by Victor Duchovni, Morgan Stanley. File:
        cleanup/cleanup_map1n.c.

        Feature: configurable service name for the internal services:
        bounce, cleanup, defer, error, flush, pickup, queue, rewrite,
        showq. This allows you to specify, for example, a non-default
        cleanup service (smtpd -o cleanup_service_name=alt_cleanup).
        Files: global/mail_params.[hc].

        Feature: SASL version 2 support by Jason Hoos. Files:
        */*_sasl_glue.c, SASL_README, conf/sample-auth.cf.

20020330

        Bugfix: postqueue did not pass on non-default configuration
        directory settings when running showq while the mail system
        is down. The super-user is now exempted from environment
        stripping in postqueue/postqueue.c.
        Problem reported by
        Victor Duchovni, Morgan Stanley.

20020402

        Workaround: recognize more headers that are sent instead
        of SMTP commands. File: smtpd/smtpd.c.

20020413

        Feature: new pipe delivery agent "D" flag to prepend a
        Delivered-To: message header. This requires single recipient
        deliveries. Based on code by Matthias Andree. File:
        pipe/pipe.c.

20020414

        Portability: Postfix will no longer attempt to build with
        gdbm support, because gdbm is broken. File: makedefs.

20020415

        Cleanup: the attribute list IPC code did not distinguish
        between "disconnect" and "timeout" while reading an attribute
        list, making trouble shooting more difficult than necessary.
        Files: util/attr_scan0.c, util/attr_scan64.c.

        Cleanup: install parameter defaults can now be overruled
        from makedefs: sendmail_path, mailq_path, newaliases_path,
        command_directory, daemon_directory. Based on code by Victor
        Duchovni, Morgan Stanley. File: util/sys_defs.h.

20020411

        Cleanup: Use more robust quoting passing makedefs/Makefile
        settings. This also simplifies the seven backslashes example
        in the INSTALL file. Victor Duchovni, Morgan Stanley.
        Files: makedefs, INSTALL.

20020417

        Bugfix: the post-install script failed to upgrade master.cf
        settings from private to public if the service was explicitly
        configured as private.

20020418

        Documentation: added CPU saving patterns for quickly skipping
        base 64 encoded text in message bodies. Liviu Daia. Files:
        {proto,conf}/pcre_table, {proto,conf}/regexp_table,
        conf/sample_{regexp,pcre}_body.cf.

20020426

        Bugfix: the SMTP client forgot to quote whitespace etc.
        in a sender/recipient address when DNS lookup was turned
        off (disable_dns_lookups = yes). Problem experienced by
        Chip Paswater.
        Files: smtp/smtp_proto.c.

20020501

        Feature: wildcard lookup in transport maps (lookup key
        "*"). Code developed with Lamont Jones, HP.

        Feature: a null transport:destination transport map entry
        means proceed as if the transport map lookup failed. Code
        developed with Lamont Jones, HP.

        Feature: more efficient use of cache memory when a process
        opens multiple Berkeley DB tables; and faster performance
        creating large tables by using more buffer memory. Files:
        util/dict_db.[hc], global/mkmap_db.c. Victor Duchovni,
        Morgan Stanley.

20020503

        Cleanup: postqueue silently ignored command-line arguments
        following -p or -f options, instead of complaining; postqueue
        produced an incorrect error message (mail system down) when
        the command was installed with incorrect privileges. File:
        postqueue/postqueue.c.

        Bugfix: while reporting a domain name or IP address syntax
        error, postqueue could dereference a dangling pointer with
        some getopt() implementations. LaMont Jones, HP. File:
        postqueue/postqueue.c.

        Safety: postalias and postmap now drop root privileges
        while processing a non-root input file. Thus, the result
        should be writable to the source file owner. Specify the
        -o option if this is a problem. Files: postmap/postmap.c,
        postalias/postalias.c.

        Consistency: just like postmap, postalias now copies file
        permissions from the source file when it creates a new
        table for the first time. File: postalias/postalias.c.

20020504

        Portability: run-time test to avoid GDBM trouble. File:
        util/dict_dbm.c.

20020505

        Cleanup: revised and simplified the transport map semantics.
        Null transport or nexthop fields now mean: "do not change":
        use what would be used if the transport map did not exist.
        This change eliminated a lot of code.
        The incompatibility
        is that a null transport field no longer defaults to
        $default_transport, but to $local_transport or $default_transport
        depending on the destination, and that a transport map only
        overrides relayhost when the table specifies explicit
        nexthop information. Files: trivial-rewrite/transport.c,
        trivial-rewrite/resolve.c.

        Cleanup: revised the user interface for controlling the
        Berkeley DB create and read buffer size controls. Files:
        util/dict_db.[hc], global/mail_params.[hc], global/mkmap_db.c.

20020507

        Cleanup: simplified the hash/btree cache management code.
        The caches are now per table instead of shared, and the
        default read cache size is reduced to 128 kBytes. File:
        util/dict_db.c.

20020508

        Bugfix: close user@domain@postfix-style.virtual.domain
        source routing relaying loophole involving postfix-style
        virtual domains with @virtual.domain catch-all patterns.
        Problem reported by Victor Duchovni. File: smtpd/smtpd_check.c.

        Bugfix: mail_addr_map() used the "wrong" @ character in
        addresses with multiple @. Victor Duchovni. File:
        global/mail_addr_map.c.

        Bugfix: for address localpart quoting, now quote @ as a
        special character everywhere, except when resolving addresses.
        Previously, the @ was nowhere quoted as a special character,
        not even in SMTP commands. Files: global/quote_82[12]_local.c
        and clients.

20020509

        Safety: don't allow an OK access rule lookup result for
        user@domain@postfix-style.virtual.domain. Suggested by
        Victor Duchovni, Morgan Stanley. File: smtpd/smtpd_check.c.

        Bugfix: quote unquoted address localparts that need quoting.
        Files: global/tok822_parse.c, global/quote_82[12]_local.c.
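
The 20020508 and 20020509 entries turn on which @ delimits the domain and on quoting an @ that sits inside the localpart. The C code below is an added example, not code from Postfix: every function name is hypothetical, the addresses are constructed, and it assumes the input is an unquoted (internal form) address whose domain starts after the rightmost @.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration, not Postfix source code; all names are hypothetical. */

/* Bytes that may not appear unquoted in a localpart: RFC 822 specials,
 * space, control characters and non-ASCII bytes. */
static int is_special(unsigned char c)
{
    return c <= 32 || c >= 127 || strchr("()<>@,;:\\\"[]", c) != NULL;
}

/* Naive split at the FIRST '@': with two '@' the "domain" still holds one. */
const char *domain_after_first_at(const char *addr)
{
    const char *at = strchr(addr, '@');

    return at ? at + 1 : NULL;
}

/* Split at the LAST '@': everything before it belongs to the localpart. */
const char *domain_after_last_at(const char *addr)
{
    const char *at = strrchr(addr, '@');

    return at ? at + 1 : NULL;
}

/* A localpart needs quotes unless it is a plain dot-separated atom list. */
static int needs_quoting(const char *local, size_t len)
{
    size_t i;

    if (len == 0 || local[0] == '.' || local[len - 1] == '.')
        return 1;
    for (i = 0; i < len; i++) {
        if (is_special((unsigned char) local[i]))
            return 1;
        if (local[i] == '.' && local[i + 1] == '.')
            return 1;
    }
    return 0;
}

/*
 * Write the external form of addr to out: the localpart is wrapped in
 * double quotes when needed, with '"' and '\' escaped by a backslash.
 * Returns 0 on success, -1 when out is too small.
 */
int quote_address(const char *addr, char *out, size_t outsz)
{
    const char *at = strrchr(addr, '@');
    size_t llen = at ? (size_t) (at - addr) : strlen(addr);
    size_t o = 0, i;
    int q = needs_quoting(addr, llen);

#define PUT(ch) do { if (o + 1 >= outsz) return -1; out[o++] = (ch); } while (0)
    if (q)
        PUT('"');
    for (i = 0; i < llen; i++) {
        if (q && (addr[i] == '"' || addr[i] == '\\'))
            PUT('\\');
        PUT(addr[i]);
    }
    if (q)
        PUT('"');
    for (i = llen; addr[i] != '\0'; i++)    /* copy "@domain" unchanged */
        PUT(addr[i]);
#undef PUT
    out[o] = '\0';
    return 0;
}

/* Convenience wrapper with a static buffer; NULL when the result is too long. */
const char *quoted(const char *addr)
{
    static char buf[256];

    return quote_address(addr, buf, sizeof(buf)) == 0 ? buf : NULL;
}

int main(void)
{
    const char *addr = "user@remote.example@virtual.example"; /* constructed */

    printf("first @ : domain = %s\n", domain_after_first_at(addr));
    printf("last @  : domain = %s\n", domain_after_last_at(addr));
    printf("external form    = %s\n", quoted(addr));
    return 0;
}
```

With the localpart quoted, a downstream parser sees one localpart and one domain instead of a second routable address hidden in front of the last @.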

        Documentation: simplified the advanced content filtering
        example, and included a more advanced example for those
        who want to squeeze out more performance without running
        multiple Postfix instances. Text by Victor Duchovni, Morgan
        Stanley. File: README_FILES/FILTER_README.

20020510

        Feature: header/body filters now log the origin of the
        message that is being rejected. Files: smtpd/smtpd.c,
        qmqpd/qmqpd.c, pickup/pickup.c, cleanup/cleanup_envelope.c,
        cleanup/cleanup_message.c. Requested by Craig Sanders, if
        I remember correctly.

        Feature: the Postfix SMTP client now passes on MIME body
        type information (8bit, 7bit) received via SMTP, via MIME
        headers, or via the sendmail command line. Files:
        global/deliver_request.c, smtpd/smtpd.c, sendmail/sendmail.c,
        cleanup/cleanup_envelope.c, cleanup/cleanup_message.c,
        cleanup/cleanup_extracted.c, *qmgr/qmgr_message.c,
        *qmgr/qmgr_deliver.c, smtp/smtp_proto.c, lmtp/lmtp_proto.c.

20020511

        Feature: bounces now specify the proper MIME encoding (8bit,
        7bit), depending on the MIME body type information received
        via SMTP, via MIME headers, or via the sendmail command
        line. Files: global/bounce.c, global/defer.c, global/abounce.c,
        bounce/bounce_service.c, bounce/bounce_notify_util.c.

20020512

        Cleanup: the SMTP client logged and bounced the CNAME
        expanded recipient address, and thereby complicated trouble
        shooting. File: src/smtp_proto.c.

        Bugfix: the SMTP and LMTP clients bounced the quoted
        recipient address, resulting in too much quoting in bounce
        reports. Files: src/smtp_proto.c, lmtp/lmtp_proto.c.

20020513

        Bugfix: the LDAP client used the "wrong" @ character in
        addresses with multiple @. LaMont Jones, HP. File:
        util/dict_ldap.c.

        Feature: lots of new LDAP stuff: result_filter (filter to
        expand results from queries), chase_referrals, LaMont Jones,
        HP. The LDAP bind timeout now works thanks to Victor
        Duchovni, Morgan Stanley. File: util/dict_ldap.c.

        Cleanup: specify "resolve_dequoted_address = no" to prevent
        Postfix from looking inside quotes for extra @ etc. characters
        when resolving an address. This behavior is technically
        more correct, but it opens a mail relay loophole with "user
        @domain"@domain when relaying mail to a Sendmail system.

20020514

        Bugfix: the new code for header address quoting sometimes
        did not null terminate strings so that arbitrary garbage
        could appear at the end of message headers. Reported by
        Ralf Hildebrandt. File: global/tok822_parse.c.

        Safety: user@domain@domain is no longer accepted by the
        permit_mx_backup uce restriction (unless Postfix is configured
        with "resolve_dequoted_address = no"). Victor Duchovni,
        Morgan Stanley. File: smtpd/smtpd_check.c.

20020515

        Workaround: flush the SMTP client output buffer when no
        output has happened for 10+ seconds. This prevents the
        socket from timing out, in case DNS CNAME expansion is
        slow. Problem experienced by Alex Erdelyi, peregrine.com.
        File: smtp/smtp_chat.c. We did the same thing for the SMTP
        server years ago, and one wonders why the coin didn't drop
        at the time that the SMTP client could suffer from a similar
        problem.

20020516

        Updated the FILTER_README file to turn off DNS lookups in
        the SMTP client that feeds mail into a content filter.

20020517

        Cleanup: Mailbox-Line: message header labels should be
        X-Mailbox-Line: labels. Files: smtpd/smtpd.c, qmqpd/qmqpd.c.

20020515-21

        Feature: new MIME parser, written from scratch, that
        recognizes the structure of MIME encapsulated mail.
        Influenced
        by comments from Victor Duchovni. This code can detect but
        will not decode obscure MIME formats or obscure character
        string encoding that Liviu Daia expresses concern about.

        MIME header scanning now happens in header_checks, and is
        faster than body_checks could ever be. This also eliminates
        the problem with multi-line MIME headers being matched one
        line at a time. Files: global/mime_state.[hc],
        cleanup/cleanup_message.c.

20020521-22

        Feature: 8-bit to quoted-printable conversion. First use
        in the Postfix SMTP client. File: smtp/smtp_proto.c.

        Logging: the Postfix SMTP and LMTP clients now report
        the protocol stage when they report a server reply. File:
        smtp/smtp_proto.c, lmtp/lmtp_proto.c.

        Bugfix: the SMTP server warned about ignored client attributes
        (these were introduced 20020510) in mail that was submitted
        with "sendmail -bs". File: smtpd/smtpd.c.

20020525

        Feature: separation of header checks into header_checks
        (all primary headers except MIME related headers),
        mime_header_checks (all MIME headers including MIME headers
        at the start of messages) and nested_header_checks (headers
        of attached messages, except MIME related headers).

        Cleanup: broke out the header value parser from the MIME
        processor so that the code can be reused elsewhere. File:
        global/header_token.c.

        Compatibility: Postfix now recognizes "name :" as a valid
        message header, but normalizes it to "name:" form or else
        lots of things would break all over the place. Files:
        global/is_header.c, global/mime_state.c.

20020526

        Bugfix: the SMTP server now disallows RCPT TO:<"">, just
        like it disallows RCPT TO:<>. File: smtpd/smtpd.c.

        Feature: disable_mime_input_processing=yes/no controls
        whether Postfix recognizes (and optionally enforces) MIME
        formats while receiving mail. Default is NO.

        Feature: disable_mime_output_conversion=yes/no controls
        whether Postfix will convert 8BITMIME to 7BIT mail when
        delivering mail to an SMTP server that does not announce
        8BITMIME support. Default is NO.

        Feature: strict_8bitmime=yes/no controls whether Postfix
        rejects 8-bit characters in headers and 7-bit body parts.
        This blocks mail from poorly written software, including
        majordomo approval requests that contain a valid 8BITMIME
        email message, as well as mail that is piped into ancient
        /bin/mail implementations that do not MIME format 8-bit
        content. Default is NO.

        Feature: strict_mime_encoding_domain=yes/no controls whether
        Postfix rejects illegal content transfer encodings for
        multipart/* and message/*. This blocks mail from poorly
        written software. Default is NO.

20020527

        Feature: "FILTER transport:nexthop" in header/body checks.
        After the message is queued, the message is sent through
        a content filter. This requires different cleanup servers
        before and after the filter, with header/body checks turned
        off in the second cleanup server.

20020528

        Feature: strict_7bit_headers and strict_8bitmime_body are
        now separately available. To turn on both, use
        strict_8bitmime.

        Cleanup: abandon the use of isspace(3) in the parsing of
        RFC822 message headers. Files: global/lex_822.h and lots
        of little places.

        Documentation: replace domain.name by domain.tld in the
        example config files. The domain exists. They were getting
        mail from poorly configured Postfix boxes.

        Bugfix: The Postfix sendmail command did not export the
        MAIL_CONFIG environment setting to the postdrop command.
        File: global/mail_config.h.

        Incompatibility: by default, turn on the PCRE_DOTALL flag,
        so that PCRE patterns will match multi-line message headers
        without causing pain. Suggested by Michael Tokarev. Also
        documented all those darned undocumented PCRE flags in the
        pcre_table(5) manual page. Files: util/dict_pcre.c,
        proto/pcre_table.

20020529

        Bugfix: mail rejected due to MIME errors was rejected
        without proper logging. Files: global/mime_state.c,
        cleanup/cleanup_message.c.

20020531

        Bugfix: the SMTP client code that prepends '.' to lines
        starting with '.' had to be moved from its old place to
        after the MIME output conversion. Problem found by Mark
        Martinec. File: smtp/smtp_proto.c.

20020601

        Bugfix: the deliver_pass() routine needed updating for the
        extra MIME encoding attribute that was introduced 20020510.
        Patch by Sebastian Schaffert @ wastl.net. File:
        global/deliver_pass.c.

20020604

        Workaround: Solaris non-blocking read() can fail on a socket
        with unread data according to ioctl FIONREAD. Incredible.
        Diagnosis by Max Pashkov. File: smtp/smtp-sink.c.

        Weird feature: sender-based routing. This will become more
        useful once per-address transport map entries are done.
        File: src/*qmgr/qmgr_message.c.

20020605

        Safety: header_address_token_limit limits the amount of
        memory and CPU that we're willing to spend while parsing
        addresses in message headers. The limit is expressed as a
        number of tokens. File: global/tok822_parse.c

20020608

        Feature: user@domain transport map lookup, based on code
        by Scott Cotton, from several years ago. Adding this code
        now was much less painful than it was in the past. Files:
        global/strip_addr.c, trivial-rewrite/transport.c.

20020610

        Cleanup: making user@domain transport map lookups work with
        sender-based routing was a bit tricky, because the null
        address must be handled sensibly. Files: global/resolve_clnt.c,
        trivial-rewrite/resolve.c. It ain't perfect yet, but close.

20020613

        Bugfix: postsuper -r was broken as of 20020510. The cleanup
        daemon would discard mail with MIME type information. Moved
        a bunch of sanity checks from the cleanup daemon to the
        pickup daemon, so the checks are in one place. Problem
        experienced by Pavol Luptak. Files: pickup/pickup.c,
        cleanup/cleanup_extracted.c.

20020705

        Safety: log a warning when a domain is listed in mydestination
        and (virtual_maps or virtual_mailbox_maps). This configuration
        error causes the Postfix SMTP server to reject recipients
        when the local_recipient_maps feature is enabled. File:
        smtpd/smtpd_check.c.

200207011

        Portability: in the master daemon, the default now is to
        enable the signal handler code that writes a byte into a
        pipe, instead of the signal handler code that sets a global
        flag and hopes that select() will somehow wake up. File:
        master/master_sig.c. This is needed for some IRIX and
        UnixWare versions, but it should also produce a robust
        result on all other supported systems.

        Performance: the default SMTP connection establishment
        timeout is now 30 seconds, instead of the system default
        which can be atrociously large.

20020712

        When DNS lookup fails while delivering mail, report not
        only the domain name but also the DNS record type. This
        should clue in people who ask why Postfix can't find a
        domain while nslookup can. File: dns/dns_lookup.c.

20020713

        Bugfix: undo change made at 20020610 that causes the trivial
        resolver client to loop when an address consists entirely
        of @ and .
        characters. File: trivial-rewrite/resolve.c.

        Cleanup: Postfix no longer strips multiple '.' at the end
        of a domain name. One '.' is silently tolerated. Files:
        trivial-rewrite/rewrite.c, trivial-rewrite/resolve.c,
        global/resolve_local.c. This policy is too distributed.

20020715

        Feature: @domain.tld catch-all map entries for the virtual
        mail delivery agent. Files: global/virtual8_maps_find.c,
        virtual/mailbox.c, smtpd/smtpd_check.c.

        Feature: the virtual mail delivery agent now accepts address
        extensions (user+foo@domain.tld), ignores them when looking
        up users in its tables, but displays them in Delivered-To:
        message headers. File: global/virtual8_maps_find.c.

20020716

        Feature: domain names in a masquerade_domains list can now
        be prefixed with !, in order to disable masquerading for
        that domain name and for its subdomains. File:
        cleanup/cleanup_masquerade.c.

20020717

        Bugfix: Mac OS X niscript (Netinfo) update by Gerben Wierda.
        File: auxiliary/MacOSX/niscript.

        Feature: The SMTP server reject_unknown_whatever restrictions
        now also attempt to look up AAAA (IPV6 address) records.
        Jun-ichiro itojun Hagino, IIJ labs. Files: smtpd/smtpd_check.c,
        dns/dns_lookup.c.

20020718

        Bugfix: unnecessary lookups for extended addresses by the
        virtual8_maps_find() routine. Victor Duchovni. His patch
        did not work, nor did my own, but the present version should
        be OK. File: global/virtual8_maps_find.c.

20020719

        Workaround: log a warning when an SMTP client name->address
        lookup results in a numeric IP address, and set the client
        hostname to "unknown". Some gethostbyname() implementations
        will actually accept such garbage and thereby allow sites
        to defeat the "reject_unknown_client" restriction.
        Problem
        reported by Wolfgang Rupprecht, fix based on analysis (but
        not code) by Victor Duchovni.

        Bugfix: memory leaks in the LDAP client by Victor Duchovni.
        File: util/dict_ldap.c.

        Bugfix: garbage in verbose "flush" server logging. Victor
        Duchovni. File: flush/flush.c.

20020723

        Incompatibility: smtpd_sasl_local_domain now defaults to
        the null string. File: smtpd/smtpd.c, smtpd/smtpd_sasl_glue.c.

20020726

        Documentation: added GDB debugging instructions for sites
        that do not have X installed on the Postfix machine. Henrik
        Larsson, spambox.dk.

20020729

        Weird: installed RedHat 3.03 inside VMware, and no change
        was needed to build Postfix, except to recognize the Linux
        version.

        Bugfix: some mailers will announce ESMTP features in their
        HELO (not EHLO) response. Postfix did not ignore them.
        File: smtp/smtp_proto.c.

20020731

        Cleanup: permit_naked_ip_address is unsafe (especially when
        used with smtpd_recipient_restrictions) and will go away.
        Postfix now logs a warning. File: smtpd/smtpd_check.c.

20020801

        Cleanup: the warning message for matched header/body content
        was misleading. File: cleanup/cleanup_message.c.

        Safety: moved the "postsuper -r ALL" operation after the
        "postsuper -s" check that makes queue file names match
        inode numbers. This avoids loss of mail in the unlikely
        case that someone runs "postsuper -sr ALL" on a queue that
        was copied from another place.

        Feature: "postsuper -h" to put mail "on hold" and "postsuper
        -H" to release mail that was placed "on hold". This involves
        a new queue, which is appropriately named "hold". Files:
        postsuper/postsuper.c, showq/showq.c.

20020803

        Feature: when a Delivered-To: mail delivery loop is detected,
        send the bounce to the mailing list owner.
        This required
        changes to the local delivery agent, a new bounce client
        stub, and a new bounce server stub and support routines
        for one recipient bouncing. Files: local/recipient.c,
        global/bounce_log.c, global/bounce.c, bounce/bounce.c,
        bounce/bounce_notify_util.c, bounce/bounce_one_service.c.

20020809

        Bugfix: the 20020531 bugfix could prepend '.' to lines when
        it shouldn't (but only when converting 8-bit mail to 7-bit).
        Problem experienced by Ralf Hildebrandt. File:
        smtp/smtp_proto.c.

        Bugfix: smtpd_sender_login_maps did not do the @domain etc.
        wild-card lookups that were promised. Problem experienced
        by Sven Michels. File: smtpd/smtpd_check.c.

20020810

        Feature: new smtp-sink command-line options to specify the
        SMTP hostname, to disable ESMTP protocol support, to disable
        8BITMIME support, and to syslog selected commands. File:
        smtpstone/smtp-sink.c.

20020814

        Feature: the queue manager now warns when mail for some
        destination is piling up in the active queue, and suggests
        a variety of remedies. The qmgr_clog_warn_time parameter
        controls the time between warnings, mainly so that I could
        test the code. To disable these warnings, specify
        "qmgr_clog_warn_time = 0". Files: *qmgr/qmgr_entry.c.

20020815

        Paranoia: truncate the DNS response length result value in
        case it is larger than the result buffer length (the resolver
        documentation is vague about this). File: dns/dns_lookup.c.

20020816

        Cleanup: "postqueue -f" now also triggers delivery of mail
        in the maildrop directory. This is needed when the master
        does not frequently wake up the pickup service. Files:
        global/mail_flush.c, postqueue/postqueue.c.

20020818

        Cleanup: the qmgr_site_hog_factor feature is gone (defer
        mail if a site uses up too much space in the active queue).
        Instead, the qmgr_clog_warn_time feature provides better
        solutions. File: qmgr/qmgr_message.c.

20020819

        Feature: new header/body_checks HOLD pattern that causes
        mail to be placed on the "hold" queue for manual inspection.
        Files: global/hold_message.[hc], cleanup/cleanup_message.c.

20020820

        Bugfix: yesterday's HOLD pattern code did not update the
        cleanup server's idea of the queue file name for error
        recovery and for error reporting purposes, so that incomplete
        or content rejected mail would not be deleted from the
        queue, and so that the bouncer would not find the queue
        file.

        Bugfix: the #ifdef that detects too old LDAP libraries was
        in the wrong place. Victor Duchovni. File: util/dict_ldap.c.

        Feature: new header/body_checks DISCARD pattern that causes
        mail to be silently discarded. Files: global/cleanup_user.h,
        cleanup/cleanup_message.c, cleanup/cleanup_api.c.

        Bugfix: the local delivery agent's mailbox duplicate delivery
        eliminator was not updated in the days that address extensions
        were added to Postfix. The other local duplicate eliminators
        probably need revision as well. File: local/mailbox.c.

20020821

        Feature: HOLD and DISCARD actions in SMTPD access tables.
        These requests are propagated to the cleanup daemon. Files:
        cleanup/cleanup_envelope.c smtpd/smtpd_check.c.

        Cleanup: eliminate unnecessary references to the obsolete
        program_directory configuration parameter (but keep the
        parameter so as to not break existing installations).
        Matthias Andree, many little changes in documentation.

20020822

        Bit Rot: OpenLDAP incompatible change with URL parsing.
        Patches by Will Day, Georgia Tech, and Carsten Hoeger,
        SUSE. File: util/dict_ldap.c.

20020823

    Bugfix: added a missing memset() call to wipe the lookup
    key in dict_db_delete(). This is needed by some Berkeley
    DB implementations. Patch by Katsu Yamamoto, Fujitsu.

    Bugfix: when permit_mx_backup is unable to make a decision
    due to DNS problems, set the "defer if reject" flag so that
    other restrictions will not cause mail to be rejected.
    File: smtpd/smtpd_check.c.

    Feature: instead of giving up immediately after DNS failure,
    turn on the "defer_if_permit" flag when reject_unknown_hostname,
    reject_unknown_sender_domain or reject_unknown_recipient_domain
    are unable to make a decision, and see if any subsequent
    restrictions would still cause the mail to be rejected.
    File: smtpd/smtpd_check.c.

    Feature: "FILTER transport:nexthop" is now also available
    in SMTPD access tables.

20020826

    Workaround: HP-UX 11 accept() fails with ENOBUFS when the
    client disconnects early. File: sane_accept.c.

20020901

    Cleanup: postfix-install no longer installs all the manual
    pages under $POSTFIXSOURCE/man, so we can generate manual
    pages for smtp-sink etc. File: man/Makefile.in.

20020903

    Bugfix: the rmail script should have been updated when
    Postfix sendmail was changed to recognize `.' as the end
    of input. Problem fix by Christian Kratzer, cksoft.de.
    File: auxiliary/rmail/rmail.

    Feature: specify "maximal_queue_lifetime = 0" for mail that
    should be returned immediately after the first unsuccessful
    delivery attempt. Files: qmgr/qmgr.c, nqmgr/nqmgr.c.

20020904

    Bugfix: qmail compatibility: qmqpd should support any
    character at the end of the VERP prefix in prefix@host-@[].
    Based on a patch by LaMont Jones, HP.
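
The deferral flags introduced in the 20020823 entries above, modeled as an added example (not Postfix source). The enum, struct and function names are constructed for illustration, the end of the list is assumed to be an implicit permit, and the warn_if_reject handling follows the 20021108 entry later in this log.

```c
#include <stdio.h>

/* Simplified model of one SMTP restriction list. All types and names here
 * are constructed for this example; they are not Postfix data structures. */
enum verdict { V_DUNNO, V_PERMIT, V_REJECT, V_TEMPFAIL };
enum action  { A_ACCEPT, A_REJECT_5XX, A_DEFER_4XX };
enum kind    { K_REJECT, K_PERMIT };    /* reject_* versus permit_* test */

struct restriction {
    const char  *name;
    enum kind    kind;
    enum verdict result;        /* what the lookup returned for this mail */
    int          warn_only;     /* 1 if preceded by warn_if_reject */
};

struct state {
    int defer_if_permit;        /* a reject_* test could not decide */
    int defer_if_reject;        /* a permit_* test could not decide */
    int would_defer_logged;     /* warn_if_reject: logged, no flag set */
};

/* Walk the list until a definite verdict, then apply the deferral flags. */
enum action evaluate(const struct restriction *list, int n, struct state *st)
{
    enum verdict final = V_DUNNO;
    int i;

    st->defer_if_permit = st->defer_if_reject = st->would_defer_logged = 0;

    for (i = 0; i < n && final == V_DUNNO; i++) {
        const struct restriction *r = &list[i];

        switch (r->result) {
        case V_TEMPFAIL:        /* e.g. DNS trouble: remember, keep going */
            if (r->kind == K_PERMIT)
                st->defer_if_reject = 1;
            else if (r->warn_only)
                st->would_defer_logged++;
            else
                st->defer_if_permit = 1;
            break;
        case V_REJECT:
            if (!r->warn_only)  /* warn_if_reject turns a reject into a log */
                final = V_REJECT;
            break;
        case V_PERMIT:
            final = V_PERMIT;
            break;
        case V_DUNNO:
            break;
        }
    }
    /* A permit test that could not decide must not lose legitimate mail. */
    if (final == V_REJECT)
        return st->defer_if_reject ? A_DEFER_4XX : A_REJECT_5XX;
    /* A reject test that could not decide must not let mail slip through. */
    return st->defer_if_permit ? A_DEFER_4XX : A_ACCEPT;
}

#define NELEM(a) ((int) (sizeof(a) / sizeof((a)[0])))

/* Constructed scenarios; the lookup results are made up. */
static const struct restriction dns_down_no_reject[] = {
    {"reject_unknown_sender_domain", K_REJECT, V_TEMPFAIL, 0},
    {"reject_unauth_destination", K_REJECT, V_DUNNO, 0},
};
static const struct restriction dns_down_later_reject[] = {
    {"reject_unknown_sender_domain", K_REJECT, V_TEMPFAIL, 0},
    {"reject_unauth_destination", K_REJECT, V_REJECT, 0},
};
static const struct restriction mx_backup_unsure[] = {
    {"permit_mx_backup", K_PERMIT, V_TEMPFAIL, 0},
    {"reject_unauth_destination", K_REJECT, V_REJECT, 0},
};
static const struct restriction warn_only_dns_down[] = {
    {"reject_unknown_hostname", K_REJECT, V_TEMPFAIL, 1},
};
static struct state demo_state;

int main(void)
{
    static const char *const label[] = {"accept", "reject 5xx", "defer 4xx"};

    printf("DNS down, nothing else objects: %s\n",
           label[evaluate(dns_down_no_reject, NELEM(dns_down_no_reject), &demo_state)]);
    printf("DNS down, later test rejects:   %s\n",
           label[evaluate(dns_down_later_reject, NELEM(dns_down_later_reject), &demo_state)]);
    printf("permit_mx_backup undecided:     %s\n",
           label[evaluate(mx_backup_unsure, NELEM(mx_backup_unsure), &demo_state)]);
    printf("warn_if_reject, DNS down:       %s\n",
           label[evaluate(warn_only_dns_down, NELEM(warn_only_dns_down), &demo_state)]);
    return 0;
}
```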

20020905

    Feature: "smtpd_data_restrictions = reject_unauth_pipelining"
    blocks mail from SMTP clients that send message content
    before Postfix has replied to the DATA command. File:
    smtpd/smtpd.c, smtpd/smtpd_check.c.

    Bugfix: the LDAP client dumped core in verbose mode.
    Reported by Will Day and others. File: util/dict_ldap.c.

20020906

    Cleanup: dict_regexp module speedups by avoiding unnecessary
    substring overhead while matching strings. Based on a
    suggestion by Liviu Daia. This involved major rewriting of
    the regexp map code. File: util/dict_regexp.c.

20020907

    Feature: IF..ENDIF support based on code by Bert Driehuis.
    This involved a further rewrite of the regexp map code.
    File: util/dict_regexp.c.

200209010

    Bugfix: the SMTP client produced spurious warnings about
    trouble with fallback_relay hosts. File: smtp/smtp_connect.c.

    Robustness: don't wait with detecting broken SMTP connections
    until reading input. Leandro Santi. File: smtpd/smtpd_chat.c.

200209011

    Workaround: IRIX 6 can't do ioctl FIONREAD on pipes. This
    breaks the in_flow_delay feature. File: util/sys_defs.h.

20020912

    Bugfix: canonical/virtual mapping core dump with a null
    right-hand side address. Report by Jussi Silvennoinen.
    File: global/mail-addr_crunch.c.

    Feature: IF..ENDIF support based on code by Bert Driehuis.
    This involved a rewrite of the pcre map code similar to
    the regexp map code. File: util/dict_pcre.c.

20020917

    Feature: on Linux, support for PCRE lookup tables is now
    compiled in if the PCRE library code is found under
    /usr/include and /usr/lib. File: makedefs.

20020918

    Documentation: postsuper(1) did not document the -c option.

    Bugfix: possible longjmp() before setjmp(). File:
    smtpd/smtpd.c.

    Bugfix: pickup should not preserve INSPECT or FILTER records
    from "postsuper -r". File: pickup/pickup.c.

20020919

    Feature: "reject_rbl <domain>" for client address blacklisting
    by LaMont Jones, including $name expansion for per-domain
    customized response messages. The obsolete reject_maps_rbl
    is now a wrapper that uses the new code.

20020921

    Internal: added caching and factored out common code that
    will be used for both reject_rbl and for the upcoming
    reject_rhsbl restriction.

20020922

    Feature: "reject_rhsbl <domain>" for sender domain
    blacklisting. Provides the same per-domain customized
    response message mechanisms with $name expansion as
    reject_rbl.

    Safety: the smtpd_expansion_filter parameter controls what
    characters are allowed in the expansion of $name macros in
    template RBL responses.

    Cleanup. In order to make sensible warnings possible when
    expanding a non-existent $name in RBL reply templates,
    mac_expand() had to be changed so that an empty string
    result (i.e. the name does exist) will no longer cause
    ${name?text} to succeed. File: util/mac_expand.c.

20020923

    Cleanup. Renamed the RBL features according to a scheme
    that was suggested by Liviu Daia in October 2001. The names
    are reject_rbl_client and reject_rhsbl_sender, respectively.
    Added domain name based reject_rhsbl_client and
    reject_rhsbl_recipient restrictions for completeness. The
    reject_rbl restriction name is still recognized for
    compatibility with systems maintained by LaMont Jones.

20020924

    Bugfix: reject_rhsbl_<mumble> was broken when <mumble> was
    unavailable, causing the restrictions parser to get out of
    sync. Spotted by Ralf Hildebrandt. File: smtpd/smtpd_check.c.

20020928

    Bugfix: missing %s in the 20020923 RBL code.
    This was not exploitable because Postfix implements only a safe
    subset of all printf format operators and because memory for the
    result is dynamically allocated. Victor Duchovni. File:
    smtpd/smtpd_check.c.

20020929

    Updated MacOSX support scripts from Gerben Wierda. Files:
    auxiliary/MacOSX/*.

20021009

    Bugfix: SIZE errors should be reported at MAIL FROM time,
    and should not be postponed (with smtpd_delay_reject = yes)
    until RCPT TO time. Reported by Jeroen Scheerder, Utrecht
    University. Files: smtpd/smtpd.c smtpd/smtpd_check.c.

20021013

    When Postfix development started, Linux mail delivery
    software such as procmail did not use kernel locks, and
    Postfix picked one that seemed plausible, namely, flock().
    In the meantime, Linux mail delivery software seems to
    have standardized on fcntl() locks. File: util/sys_defs.h.

    Feature: body_checks_size_limit parameter to specify how
    much of a message body segment (or attachment, if you prefer
    to use that term) is subjected to body_checks inspection.
    Default limit: 50 kbytes. Files: global/mime_state.c,
    cleanup/cleanup_message.c.

20021015

    Bugfix: the code for missing postmaster/mailer-daemon
    aliases had to be moved after the code that implements the
    luser_relay feature. Files: local/alias.c, local/unknown.c.

    Weird? The LMTP client lowercased the MAIL FROM and RCPT
    TO addresses. Some remnant of code that someone put in
    there long ago. File: lmtp/lmtp_proto.c.

20021024

    Feature: proxy_interfaces parameter. Specify your NAT or
    other proxy addresses here to avoid mail delivery loops.
    Files: global/mail_params.[hc] global/own_inet_addr.[hc]
    global/resolve_local.c smtp/smtp_addr.c smtpd/smtpd_check.c.

    Paranoia: defend against a very unlikely false alarm in
    safe_open().
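
The 20020922 smtpd_expansion_filter entry and the 20020928 missing-%s bugfix above both concern untrusted text ending up in an SMTP reply. The following added example (not Postfix source) shows the two safeguards together: $name values are passed through a character allowlist, and the expanded text is only ever used as printf data. The allowlist, macro names, reply code and sample values are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

struct macro { const char *name; const char *value; };

/* Constructed allowlist standing in for an expansion filter setting. */
static const char ALLOWED[] =
    " .,:;/?=@-_()[]0123456789"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

static const char *lookup(const struct macro *tab, const char *name, size_t len)
{
    for (; tab->name != NULL; tab++)
        if (strlen(tab->name) == len && strncmp(tab->name, name, len) == 0)
            return tab->value;
    return NULL;
}

/*
 * Expand $name references in a trusted template. Every character that comes
 * from a macro value is checked against ALLOWED and replaced by '_' if it is
 * not listed. Returns 0 on success, -1 on an unknown name or on truncation;
 * the output is always NUL-terminated.
 */
int expand_template(char *out, size_t outlen, const char *tmpl,
                    const struct macro *tab)
{
    size_t pos = 0;
    int status = 0;

    if (outlen == 0)
        return -1;
    while (*tmpl != '\0') {
        if (tmpl[0] == '$'
            && (isalpha((unsigned char) tmpl[1]) || tmpl[1] == '_')) {
            const char *start = ++tmpl;
            const char *val;

            while (isalnum((unsigned char) *tmpl) || *tmpl == '_')
                tmpl++;
            val = lookup(tab, start, (size_t) (tmpl - start));
            if (val == NULL) {          /* unknown name: report, emit nothing */
                status = -1;
                continue;
            }
            for (; *val != '\0'; val++) {
                if (pos + 1 >= outlen) { status = -1; goto done; }
                out[pos++] = strchr(ALLOWED, *val) != NULL ? *val : '_';
            }
        } else {
            if (pos + 1 >= outlen) { status = -1; goto done; }
            out[pos++] = *tmpl++;       /* template text is admin-supplied */
        }
    }
done:
    out[pos] = '\0';
    return status;
}

/*
 * The expanded text is data. It goes behind an explicit "%s"; passing it as
 * the format argument itself is the "missing %s" class of defect.
 */
int smtp_reply(char *out, size_t outlen, int code, const char *text)
{
    return snprintf(out, outlen, "%d %s\r\n", code, text);
}

/* Constructed sample input: a hostile "reason" string from a remote source. */
static const struct macro DEMO_MACROS[] = {
    {"client", "192.0.2.7"},
    {"reason", "listed\r\n250 ok %n%s"},
    {NULL, NULL},
};
static const char DEMO_TEMPLATE[] =
    "Service unavailable; client [$client] blocked: $reason";
static char demo_text[256];
static char demo_line[300];

int main(void)
{
    int status = expand_template(demo_text, sizeof(demo_text),
                                 DEMO_TEMPLATE, DEMO_MACROS);

    smtp_reply(demo_line, sizeof(demo_line), 554, demo_text);
    printf("status=%d\n%s", status, demo_line);
    return 0;
}
```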

20021025

    Feature: X-Original-To: message headers with the raw original
    envelope recipient.

    Logging: status=sent/deferred/bounced/ logging now includes
    the original recipient address if it differs from the final
    address.

20021026

    Logging: SMTP UCE reject/warn/hold/discard logging now
    includes queue ID. This will break some logfile analyzers.

    Logging: SMTP UCE reject/warn/hold/discard logging now
    includes the protocol name and, if available, the hostname
    given in the SMTP HELO or EHLO command.

    Logging: header/body_checks reject/warn/hold/discard logging
    now includes the protocol name and, if available, the
    hostname given in the SMTP HELO or EHLO command.

20021028

    Bugfix: don't reset state after rejected EHLO. Reset state
    after HELO. Reported by Karthikeyan Bhargavan, upenn.edu.
    Files: smtpd/smtpd.c.

20021029

    Bugfix: local(8) did not prepend an X-Original-To: message
    header while delivering to command, and local(8) did not
    document the X-Original-To: message header.

    Workaround: DJBDNS produces a bogus A record when given a
    numerical hostname. File: dns/dns_lookup.c.

20021030

    Portability: support for Berkeley DB version 4.0 but not
    for Berkeley DB version 4.1 (yes, the API is different).
    Postfix is now going to be paranoid about the minor version
    number, too. File: util/dict_db.c.

    Documentation: updated LMTP_README file by Amos Gouaux.

20021031

    Bugfix: (bug introduced 20021026) log NOQUEUE when rejecting
    ETRN, instead of trying to log a non-existent queue ID.
    Victor Duchovni, Morgan Stanley. File: smtpd/smtpd_check.c.

    Cleanup: allow optional text after commands in SMTPD access
    maps. Based on initial effort by Victor Duchovni, Morgan
    Stanley. File: smtpd/smtpd_check.c.

    Portability: support for Berkeley DB version 4.1. This
    version refuses to open zero-length files. This complicates
    lock management and requires extra code to remove broken
    files. Files: util/dict_db.c, global/mkmap*.[hc].

20021101

    Bugfix: don't complain about out-of-order original recipient
    records for finished recipients. Files: *qmgr/qmgr_message.c,
    cleanup/cleanup_envelope.c, cleanup/cleanup_extracted.c.

    Cleanup: further simplified the mkmap wrapper (used by
    postmap and postalias only) to remove some hurdles for
    Michael Tokarev's CDB support. Files: global/mkmap*.[hc].

20021105

    Postalias now produces YP_LAST_MODIFIED and YP_MASTER_NAME
    records only when NIS support is compiled in. File:
    postalias.c.

20021106

    Postalias now puts $myhostname in the YP_MASTER_NAME record,
    instead of the possibly bogus gethostname() result. File:
    postalias.c.

    The PCRE map code did not reject non-numeric replacement
    indices in replacement text, and silently treated $text as
    $0. Found by Michael Tokarev. File: dict_pcre.c.

20021108

    Cleanup: the behavior of the SMTP server's defer_if_permit
    flag was changed, in order to maximize the opportunity to
    permanently reject mail without opening opportunities for
    losing legitimate mail. This was done in cooperation with
    Victor Duchovni, Morgan Stanley. File: smtpd/smtpd_check.c.

    The defer_if_permit flag is still set when an UCE reject
    restriction fails due to a temporary (e.g., DNS) problem,
    to prevent unwanted mail from slipping through. However,
    the flag is no longer tested at the end of client, helo or
    sender restrictions. Instead, the flag is now tested at
    the end of the ETRN and recipient restrictions only.

    The behavior of the warn_if_reject restriction has changed.
    It no longer activates any already made defer_if_permit or
    defer_if_reject decisions (the defer_if_reject flag is set
    when some UCE permit restriction fails due to a temporary
    (DNS) problem, to avoid loss of legitimate mail).

    Bugfix: instead of setting the defer_if_permit flag, a
    failing reject restriction after warn_if_reject now merely
    logs that it would have caused mail to be deferred.

    A failing permit restriction after warn_if_reject still
    raises the defer_if_reject flag, to avoid loss of legitimate
    mail.

20021109

    Bugfix: a misguided change to the .forward macro expansion
    filter broke .forward file lookup.

    Bugfix: missing defer_if_permit test in smtpd_data_restrictions.
    Victor Duchovni. File: smtpd/smtpd_check.c.

20021112

    Robustness: increase the mime_nesting_limit from 20 to 100,
    so that bounces can't loop. Each bounce increases the MIME
    nesting level by one. Ralf Hildebrandt and Victor Duchovni.

20021113

    Robustness: reinstated SMTP client command flushing to
    avoid pipeline stalls. File: smtp/smtp_chat.c.

20021114

    Robustness: distinguish between timeout and "lost connection"
    when the SMTP server is unable to send a reply to the remote
    client. File: smtpd/smtpd_chat.c.

20021115

    Bugfix: initialization error with "*" transport table
    lookup, reported by LaMont Jones. The transport map lookup
    code had grown into a monster and needed to be replaced.
    trivial-rewrite/transport.c.

20021115

    Start implementing recipient verification. For now this is
    done by adding trace flags to queue files. In case of a
    verification request, a delivery agent does not deliver,
    it just records what would happen.

    This required instrumenting the bounce/defer/sent logging
    routines to send their data to the right place depending
    on the type of delivery request.

20021116

    New trace service. This is used for reporting if a recipient
    is deliverable (sendmail -bv) and for producing a record
    of delivery attempts (sendmail -v). The report is sent via
    email, using the bounce daemon. Files: global/trace.[hc].

    This required replacing the bounce/defer logfile format by
    an extensible name=value format. Files: global/bounce_log.c,
    bounce/bounce_append_service.c.

20021117

    New address verification service with simple expiration
    and refresh policy. Storage can be in-core or in permanent
    table. The daemon is appropriately called "verify". Files:
    global/verify_clnt.[hc], verify/verify.c.

20021118

    Cleaning up the code for tracing and verification. Files:
    global/{log_adhoc,bounce,defer,trace,verify}.[hc].

20021119

    New address_verification_negative_cache = yes/no parameter
    controls whether Postfix stores the result of negative
    address verification probes. This reduces cache pollution
    but causes Postfix to send a probe for each address
    verification service query. File: verify/verify.c.

    Added optimistic caching to the verify daemon, so that one
    failed probe will not clobber a known to be good address.
    As long as some probes succeed, a good address will stay
    cached as OK.

    Cleaning up of the bounce daemon's code for bounce, delayed
    mail warning and trace notification. Files: bounce/*.[hc],
    global/bounce_log.c.

20021120

    Changed the probe's sender address to "postmaster" so that
    we get better information about the address we're testing.
    File: verify/verify.c.

    Added some paranoia to the routine that reads data from
    the address verification cache.
    Ignore data that is obviously bogus. File: verify/verify.c.

20021121

    Bugfix: garbage in "user@garbage"@domain address forms may
    cause the SMTP or LMTP client to terminate with a fatal
    error exit because garbage/tcp is not an existing service.
    This cannot be abused to cause the SMTP or LMTP client to
    send data into unauthorized ports. Files: *qmgr/qmgr_message.c,
    trivial-rewrite/resolve.c.

20021124

    Bugfix: don't use same VSTRING buffer for reading and
    writing. File: verify/verify.c.

20021128

    Feature: hashed hold queue support, with hashing turned on
    by default. Omission spotted by Victor Duchovni, Morgan
    Stanley. Files: global/hold_message.c, global/mail_params.h.

    Bugfix: the LMTP client lost the port(service) information
    when parsing host:port information. Victor Duchovni, Morgan
    Stanley. Fix is to have a new host_port(3) module that does
    the parsing for the SMTP and LMTP clients.

    Cleanup: host_port() routine that parses host/port information
    more consistently than the existing code in the LMTP and
    SMTP clients. Files: smtp/smtp_connect.c, lmtp/lmtp_connect.c,
    util/host_port.[hc].

20021130

    Cleanup: defer mail when recipient verification takes too
    long. File: smtpd/smtpd_proto.c.

    Feature: new reject_multi_recipient_bounce restriction, to
    reject "MAIL FROM: <>" with multiple recipients. File:
    smtpd/smtpd_check.c.

20021201

    Compatibility: ignore the new Sendmail -A option. File:
    sendmail/sendmail.c.

    Workaround: sendmail -v now produces no output. You need
    to specify -v -v instead. This is to avoid problems when
    people request verbose mail delivery in their mail.rc file.
    File: sendmail/sendmail.c.

20021202

    Cleanup: hash_queue_depth now defaults to 1 level of
    subdirectories.
    This makes "mailq" faster on most systems,
    but will result in poorer worst-case performance when lots
    of mail is queued.

    The check_relay_domains restriction is going away. The SMTP
    server logs a warning and suggests using reject_unauth_destination
    instead.

    Cleanup: the local(8) and virtual(8) delivery agents did
    not prepend X-Original-To: addresses to maildir files.
    Omission spotted by Matthias Andree.

    Specify "address_verify_sender=" or "address_verify_sender=<>"
    to use a null sender address while doing address verification
    probes. Beware, doing so may trigger false negatives
    because some sites reject mail from the null sender, even
    though this is required by RFC standards.

    Bugfix: too many levels of dereferencing while testing for
    missing reject_rbl_mumble domain names. Patrik Rak. File:
    smtpd/smtpd_check.c.

20021203

    Bugfix: the FILTER access table action included the FILTER
    command in the filter request, where only the transport+destination
    were expected. Noel Jones. File: smtpd/smtpd_check.c.

    Cleanup: virtual_maps is now called virtual_alias_maps, in
    order to better distinguish it from virtual_mailbox_maps.
    The default value is $virtual_maps for backwards compatibility.

    New parameters virtual_alias_domains and virtual_mailbox_domains
    for the "domain.tld whatever" lookups. These use the same
    syntax as the mydestination parameter. Default settings
    are backwards compatible with Postfix 1.1.

    Concept: just like $mydestination+$inet_interfaces control
    what routes to $local_transport, $virtual_mailbox_domains
    now controls what routes to $virtual_transport (default
    transport: virtual), and $relay_domains now controls what
    routes to $relay_transport (default transport: relay, a
    clone of the smtp transport).
    Everything else routes to
    $default_transport as before. This eliminates the need
    for transport map entries for every virtual(8) domain, and
    avoids performance problems with inbound relay mail. This
    improvement was suggested by Victor Duchovni. File:
    trivial-rewrite/resolve.c.

20021206

    Cleanup: do allow regexps in aliases, virtual mailbox maps
    but do not allow regular expression substitutions. Files:
    util/dict.h, util/dict_regexp.c, util/dict_pcre.c.

20021207

    Cleanup: deleted the description of sendmail-style virtual
    domains from the virtual(5) manual page. This part of
    Postfix was too confusing.

    Performance: RFC 2821 blesses the use of CNAME domain names
    in MAIL FROM and RCPT TO. Not having to expand CNAME domain
    names speeds things up a bit. File: smtp/smtp_proto.c.

    Workaround: exclude error mailer destinations from transport
    mapping lookups :-(. File: trivial-rewrite/resolve.c.

    Cleanup: relocated_maps lookups are now moved to the
    trivial-rewrite server. As of now, the queue manager no
    longer does any map lookups, so it won't restart when maps
    change. Files: *qmgr/qmgr_message.c, trivial-rewrite/resolve.c.

    Robustness: because the trivial-rewrite server now does
    many more table lookups, some of which are often LDAP or
    SQL based, trivial-rewrite clients must be prepared for
    the case that the resolver reports a failure while processing
    a request (when it was unable to access a lookup table).
    Files: trivial-rewrite/resolve.c, local/resolve.c,
    smtpd/smtpd_check.c.

    Robustness: moving possible LDAP or SQL table lookups into
    the trivial-rewrite server also required that trivial-rewrite
    be running as multiple processes to reduce lookup latencies.
    Files: master/multi-server.c.

    Workaround: don't discard all the DNS lookup results when
    only one of the results has a malformed name or address.
    File: dns/dns_lookup.c.

20021208

    Cleanup: with the preliminary address domain classification
    concept as implemented by the trivial-rewrite address
    resolver, a lot of table lookups could be eliminated from
    the SMTP server. Files: smtpd/smtpd_check.c.

    Feature: new relay_recipient_maps parameter, for optional
    maps with all the recipients in the domains that match
    $relay_domains (so you can reject mail for unknown relay
    recipients). This is for consistency with virtual_xx_maps
    and virtual_xx_domains, and with local_recipient_maps and
    the local delivery agent. File: smtpd/smtpd_check.c.

    Cleanup: removed support for obsolete #number domain forms.
    File: smtpd/smtpd_check.c.

20021209

    The Postfix installation procedure no longer sets the
    "chattr +S" bit on Linux queue directories. Wietse has
    gotten too annoyed with naive reviewers who complain about
    performance without having a clue of what they are comparing.

    "Security": local_recipient_maps is now turned on by default,
    to reject mail for non-existent users at the SMTP port.
    See conf/main.cf for instructions, section REJECTING UNKNOWN
    LOCAL USERS.

    Safety: detection of missing or inaccessible passwd file
    database, to prevent massive complaints from people who
    suddenly lose all their mail because local_recipient_maps
    is now turned on by default.

20021210

    Feature: recipient address verification, using the code
    that already implements sender address verification. Based
    on suggestion by Matthias Andree. Files: src/smtpd/smtpd.c,
    src/smtpd/smtpd_check.c.

20021211

    Performance: doubled the default process limit (50->100)
    and default queue manager active queue message/recipient
    limits (10k->20k). File: global/mail_params.h.

    Bugfix: the change that begot us multiple trivial-rewrite
    processes (good) also gave us multiple verify daemons (bad).
    File: conf/post-install.

20021212

    Cleanup: allow transport map lookups to override error
    mailer results (to avoid breaking existing installations),
    and do transport map lookups before relocated map lookups.
    Files: trivial-rewrite/resolve.c, trivial-rewrite/transport.c.

    Shortened the verify server's negative cache refresh time
    from 12 hours to 2 hours. File: global/mail_params.h.

    Admin friendliness: the SMTP server now reports "User
    unknown in {local recipient | virtual alias | virtual
    mailbox | relay recipient} table". This will make
    troubleshooting a little easier. Files: smtpd/smtpd_check.c,
    trivial-rewrite/resolve.c.

20021213

    Cleanup: transport map entries with null nexthop ignored
    relayhost settings. Making the code simpler also made it
    more correct. Files: trivial-rewrite/resolve.c,
    trivial-rewrite/transport.c.

    Feature: "helpful_warnings" (default: yes) that can be
    turned off if you really know what you're doing and want
    to eliminate some unnecessary work.

    Feature: enforcement of master.cf process limits for
    processes such as qmgr and pickup that must run alone, and
    processes such as cleanup and bounce that must run without
    explicit process count limit. If an incorrect process limit
    is specified in master.cf the service aborts.

20021214

    Cleanup: it looks like we finally get it right with transport
    lookup table entries that either override or specify an
    error transport without updating the nexthop information.
    File: trivial-rewrite/resolve.c.

    Robustness: don't probe the sender address when probed for
    our own address verification probe sender address. File:
    smtpd/smtpd_check.c.

    Performance: don't do UCE checks (which may result in 4xx
    SMTP reply codes, and thus, repeated delivery attempts)
    when we already know that the recipient does not exist.
    Files: smtpd/smtpd.c, smtpd/smtpd_check.c.

20021215

    Cleanup: further simplification of transport map handling
    after some really fine hair splitting with Victor Duchovni.
    Files: trivial-rewrite/resolve.c, trivial-rewrite/transport.c.

20021216

    Workaround: transform the address local-part into unquoted
    form only when the address domain is local and the local-part
    contains routing operators. Otherwise, we may damage the
    address local-part by inserting space between non-operator
    tokens. Some people use weird addresses and expect them to
    be handled without damage. File: trivial-rewrite/resolve.c.

    Robustness: scan the resolved recipient address for routing
    operators in the address local-part, even when the local
    MTA does not recognize ! and % as valid operators. File:
    trivial-rewrite/resolve.c.

    Cleanup: the address rewriting code no longer tries to
    rewrite broken user@ or user@. address forms into even more
    broken forms. bother. File: trivial-rewrite/rewrite.c.

    Cleanup: the address resolver code now treats forms ending
    in @ in a more rational manner (because the address rewriting
    code no longer messes up by appending .my.domain).

    Bugfix: a null address local-part before @domain now is
    properly quoted just like the null address. File:
    global/quote_82[12]_local.c.

20021217

    Cleanup: more work on the trivial-rewrite address rewriting
    and address resolving code.
    New regression tests for address
    rewriting and resolving that make some assumptions about
    main.cf settings. Files: global/Makefile.in (assumptions),
    global/rewrite_clnt.in, global/rewrite_clnt.ref,
    global/resolve_clnt.in, global/resolve_clnt.ref.

    Safety: configurable SMTPD reject codes for recipients not
    in {local,relay}_recipient,virtual_{alias,mailbox}}_maps,
    aptly named unknown_mumble_reject_code. Postfix installs
    with unknown_local_recipient_reject_code=450, unless the
    site already ran Postfix with local_recipient_maps enabled.
    Files: smtpd/smtpd.c, smtpd/smtpd_check.c, conf/post-install.

20021218

    Feature: specify unverified_recipient_reject_code=250 or
    unverified_sender_reject_code=250 to accept mail for an
    address that is known to bounce. File: smtpd/smtpd_check.c.

20021219

    Bugfix: longjmp() while sending "go away" without setjmp()
    in the QMQP server. Patrik Rak. File: qmqpd/qmqpd.c.

    Safety: the XVERP extension is restricted to clients listed
    in the authorized_verp_clients list (default: $mynetworks).
    File: smtpd/smtpd.c.

    Workaround: preliminary IPV6 support in valid_hostliteral().
    File: util/valid_hostname.c.

20021220

    Bugfix: the reject_multi_recipient_bounce restriction had
    an off-by-one error when used in smtpd_data_restrictions.
    File: smtpd/smtpd_check.c.

    Feature: new check_recipient_maps restriction that gives
    finer control over when unknown recipients are rejected.
    As with Postfix 1.1, the default is to do this at the end
    of the recipient restrictions. Sites that want to improve
    performance can put check_recipient_maps at the start of
    the smtpd_client_restrictions list and avoid doing unnecessary
    RBL lookups etc. File: smtpd/smtpd_check.c.

    Feature: new show_user_unknown_recipient_table parameter
    controls whether or not to reveal the lookup table name in
    "User unknown" responses. The extra detail makes
    troubleshooting easier but also reveals information that is
    nobody else's business.

20021221

    Workaround: don't allow the transport map to override the
    virtual alias class (error:User unknown) result. File:
    trivial-rewrite/transport.c.

20030101

    Documentation update: new-style virtual domains broke the
    advanced content filtering example. Files: FILTER_README,
    RELEASE_NOTES-2.0.

20030102

    Cleanup: use different client instances when the same map
    is opened with different flags. File: global/maps.c.

    Feature: proxymap server for Postfix table lookups. This
    helps to consolidate the number of open lookup tables (such
    as MYSQL or LDAP), or to overcome chroot restrictions
    (example: specify proxy:unix:passwd.byname to avoid the
    need for a copy of the UNIX passwd file in chroot jails).
    Files: global/dict_proxy.[hc], proxymap/proxymap.c

    Cleanup: multiservers such as trivial-rewrite and the new
    proxymap server now enforce the max_use total client number
    limit more aggressively, by not accepting new connections
    after the limit is reached. Based on a patch by Victor
    Duchovni, Morgan Stanley. File: master/multi_server.c.

20030103

    Cleanup: client stream endpoints not only have an idle time
    limit ($ipc_idle) before a connection is closed, they now
    also have a time to live ($ipc_ttl) to prevent connections
    from becoming too persistent. This allows multi-servers
    such as trivial-rewrite or the proxymap server to refresh
    more frequently on busy systems. File: global/clnt_stream.c.

20030104

    Cleanup: avoid warnings about flag mismatches when the same
    lookup table is listed under both virtual_alias_maps and
    virtual_mailbox_maps. Files: global/virtual8.h, virtual/virtual.c.

    Bugfix: an obscure memory leak that puzzled me for more
    than a year until I found out how to reproduce it. File:
    util/vstream.c.

20030105

    Cleanup: removed the address syntax check from the queue
    manager, since a better test was implemented recently in
    the trivial-rewrite server. Files: *qmgr/qmgr_message.c.

    Bugfix: redirect bounce/defer to the address verification
    service where appropriate. Files: *qmgr/qmgr_bounce.c,
    *qmgr/qmgr_defer.c.

    Bugfix: "no such file or directory" warnings after "postfix
    reload" when a chrooted smtpd reconnects to the proxy
    service. Fix: use "private/proxymap" if possible, otherwise
    use "$queue_dir/private/proxymap". File: global/dict_proxy.c.

    Robustness: daemons now chdir() to the queue directory
    before running the pre-jail initialization code, so that
    daemons running in stand-alone mode produce more consistent
    results. Files: master/single_server.c, master/multi_server.c,
    master/trigger_server.c.

    Bugfix: "sendmail -bs" tried to access the proxymap service.
    It should not try to open any user/domain/uce related tables
    at all. File: smtpd/smtpd.c.

20030106

    Bugfix: bouncing to owner-alias was broken, i.e. the mail
    kept being deferred, and when that was fixed, another buglet
    came to light. File: bounce/bounce.c.

    Robustness: the master no longer aborts with "address
    already in use" when inet_interfaces specifies the same IP
    address multiple times, or when a TCP service in master.cf
    specifies a hostname for which the same IP address is listed
    multiple times. File: master/master_ent.c.

20030107

        Robustness: check that FILTER actions in SMTPD access maps
        or cleanup header/body_checks have plausible syntax. Files:
        smtpd/smtpd_check.c, cleanup/cleanup_message.c.

20030109

        Cleanup: unnecessary "premature end of file on xxx while
        reading yyy" warnings became exposed after some code
        simplification. Files: global/*_clnt.c, global/dict_proxy.c

        Robustness: undo the change that causes a multi-server
        process to stop accepting new connections while it still
        services existing clients for an extended amount of time.
        We need a better process retirement strategy. File:
        master/multi_server.c.

20030110

        Cleanup: the virtual_mailbox_maps parameter is now optional
        even when virtual_mailbox_domains is. This makes virtual
        mailbox domains more like relay domains and the local
        domain.

        Portability: the makedefs script now uses the pcre-config
        utility to find out where things are installed.

        Bugfix: the SMTP server did not recognize the local built-in
        double bounce address as local. Reported by Matthias Andree.
        For safety's sake, threw in the local postmaster address as
        well. File: smtpd/smtpd_check.c.

20030113

        Added MAILER-DAEMON to the list of always recognized local
        addresses, since it is generated by Postfix bounces. File:
        smtpd/smtpd_check.c.

20030114

        Bugfix: transport_errno was not reset upon successful
        transport map wildcard lookup after an earlier failure.
        Reported by Victor Duchovni. File: trivial-rewrite/transport.c.

        Cleanup: unnecessary warnings from the proxymap client
        after proxymap server disconnect. File: global/dict_proxy.c.

        Cleanup: Patrik Rak found a few more chattr invocations
        that were missed 20021209. Files: postfix-install,
        conf/post-install.

        Cleanup: the pcre-config command can produce null outputs.
        Matthias Andree. File: makedefs.

        Bugfix: the virtual(8) Makefile included $(AUXLIBS) in the
        dependencies.

20030118

        Typos: some hyperlinks referred to flushd, which is the
        name that was used before the flush service was released.
        Reported by Victor Duchovni.

        Cleanup: smtpd no longer needed to open relocated_maps.

20030119

        Cleanup: bounce messages used "X-Postfix" even when mail_name
        was set to something other than the default "Postfix" name.
        File: bounce/bounce-notify_util.c.

20030120

        Bugfix: wrong FILTER_README instructions for disabling
        virtual alias mapping in the cleanup server before the
        content filter.

        Bugfix: wrong FILTER_README instructions for destination-dependent
        filtering, because relay_domains was specified incorrectly.

20030122

        Bugfix: 20021207 (move relocated table lookup from queue
        manager to trivial-rewrite server) broke relocated table
        lookup results with mail not rejected at the SMTP port.
        Files: *qmgr/qmgr_deliver.c, *qmgr/qmgr_message.c.

20030123

        Bugfix: a widely used maildir filename algorithm was broken.
        Postfix now uses TIME.DEVICE_INODE.HOST. Files: local/maildir.c,
        virtual/maildir.c.

20030124

        Cleanup: queue structures no longer overload queue name
        and nexthop destination. Files: *qmgr/qmgr_message.c,
        *qmgr/qmgr_queue.c, *qmgr/qmgr_deliver.c.

20030125

        Feature: "REDIRECT user@domain" action in access maps or
        in header/body_checks causes mail to be sent to the specified
        address instead of the intended recipient(s). I would never
        recommend that people use this to redirect (bounced) SPAM
        to the beneficiaries of an advertisement campaign.
        Files: smtpd/smtpd_check.c, cleanup/cleanup_message.c,
        *qmgr/qmgr_message.c.

20030126

        Update: maildir filename algorithm updated according to
        today's version of http://cr.yp.to/proto/maildir.html.

20030127

        Cleanup: use separate error messages for separate problems
        with computing the list of SASL authentication mechanisms.
        File: smtpd/smtpd_sasl_glue.c.

20030130

        Bugfix: allow $name in default time values. File:
        global/mail_conf_time.c.

20030205

        Feature: allow !, /file/name and map:name in masquerade_exceptions.
        By Liviu Daia. Files: cleanup_init.c, cleanup.h,
        cleanup_masquerade.c.

20030219

        Bugfix: the local pickup daemon skipped unterminated records,
        since they happened to have the same record type code as
        content filtering instructions. Victor Duchovni. Files:
        global/rec_type.h, pickup/pickup.c.

        Portability: Postfix could block, and thus not enforce
        command execution time limits, while delivering mail to
        a command. File: global/pipe_command.c.

        Bugfix: command execution time limits were not enforced
        because the child process killing code in pipe_command()
        was running with the wrong privileges. Problem reported by
        Ben Rosengart, Panix. File: global/pipe_command.c.

        Bugfix: duplicate recipient filtering in the cleanup server
        did not eliminate virtual expansion duplicates with the
        same original recipient. File: cleanup/cleanup_out_recipient.c.

20030223

        Cleanup: added postmap/postalias -p option (do not inherit
        the source file permissions when creating a new file), for
        completeness. A feature that can't be turned off is a bug.
        Files: postmap/postmap.c, postalias/postalias.c.

        Bugfix: smtpd_hard/soft_error_limit off-by-one error, so
        that the real limit was one larger than the configured
        value.
File: smtpd/smtpd.c, smtpd/smtpd_chat.c. 7872 787320030226 7874 7875 Safety: proxymap server defense against potential deadlock 7876 when some library routine wants to open a proxied table. 7877 Instead, proxymap opens the requested table directly. File: 7878 proxymap/proxymap.c. 7879 7880 Portability: updated AIX 5.x system dependent definitions. 7881 File: util/sys_defs.h. 7882 788320030227 7884 7885 Bugfix: added mynetworks to the list of proxy_read_maps 7886 parameter settings that are pre-authorized to use proxied 7887 table lookups. File: global/mail_params.h. 7888 7889 Cleanup: daemons now log what table has changed before 7890 restarting. Files: dict.c, and anything that invoked 7891 dict_changed(). 7892 7893 Cleanup: more consistency in the naming of lookup table 7894 handles as generated by maps(3) and by match_list(3). 7895 789620030305 7897 7898 Workaround: Postfix removes too long non-address text from 7899 message headers in order to protect vulnerable Sendmail 7900 systems against exploitation of the remote buffer overflow 7901 vulnerability described in CERT advisory CA-2003-07. 7902 790320030311-19 7904 7905 Bugfix: the access map actions HOLD, DISCARD, FILTER and 7906 REDIRECT were broken with smtpd_delay_reject=no and with 7907 ETRN. This required re-architecting of the actions code. 7908 Files: smtpd/smtpd.[hc], smtpd/smtpd_check.c, smtpd/smtpd_state.c. 7909 791020030315 7911 7912 Bugfix: the postsuper manual page documented support for 7913 the -c command line option, but it was not implemented. 7914 File: postsuper/postsuper.c. 7915 7916 Bugfix: the Postfix 2.0 recipient map checking code broke 7917 the VRFY command, causing it to reply with status code 252 7918 for non-existent addresses. This required re-architecting 7919 the recipient table lookup code. File: smtpd/smtpd_check.c. 

20030319

        Feature: configurable limit on virtual alias expansion size
        and nesting depth, via the virtual_alias_expansion_limit
        and virtual_alias_recursion_limit parameters. The default
        limits are compatible with past Postfix versions. Victor
        Duchovni, Morgan Stanley. Files: /sample-resource.cf,
        html/resource.html, cleanup/cleanup.c, cleanup/cleanup_init.c,
        cleanup/cleanup_map1n.c.

        Feature: the installation procedure records build information
        (by default: in /etc/postfix/makedefs.out).

20030324

        Bugfix: smtp-source flushed too often, causing suboptimal
        performance with smtp-source sending directly into smtp-sink.
        Files: smtpstone/smtp-source.c.

20030410

        Safety: log a fatal error when a net/mask pattern has a
        non-zero host part, so that mail delivery is deferred.
        File: util/match_ops.c.

20030411

        Bugfix: extraneous warning about out-of-order original
        recipient records by Patrik Rak. Files: *qmgr/qmgr_message.c.

20030412

        Workaround: log a warning and reset the queue file time
        stamps when the file system clock is ahead of the local
        clock. File: global/mail_stream.c.

20030414

        Feature: PostgreSQL client module, adopted by LaMont Jones.
        Files: README_FILES/PGSQL_README, util/dict_pgsql.c,
        util/dict_pgsql.h, conf/sample-pgsql-aliases.cf.

        Cleanup: the generic smtp client/server code in smtp_stream.c
        now has an explicit flush operation, and the smtp-source/sink
        programs are updated to take advantage of this.

        Cleanup: the file system clock drift detection code now
        runs only once per process instance, to minimize the
        performance impact. File: global/mail_stream.c.

        Robustness: avoid TIME_WAIT state with smtp/qmqp-source
        client sockets. This puts less strain on local system
        resources.
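
The 20030410 safety check above rejects a net/mask pattern whose host part is not zero. The following is an added illustration of such a check for IPv4 patterns, not the code in util/match_ops.c; the function name, result codes and sample patterns are assumptions made for this example.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Result codes (hypothetical names, not Postfix identifiers). */
enum { PAT_OK = 0, PAT_BAD_SYNTAX = -1, PAT_HOST_BITS = -2 };

static char fixed_buf[INET_ADDRSTRLEN + 4];     /* scratch space for the demo */

/*
 * Check an IPv4 "net/mask" pattern such as "192.168.1.0/24".
 * Returns PAT_OK when every bit below the mask is zero. Returns
 * PAT_HOST_BITS when host bits are set; in that case the pattern with
 * the host part cleared is written to fixed (if not NULL) so that the
 * operator can be told what was probably meant.
 */
int check_netmask_pattern(const char *pattern, char *fixed, size_t fixed_len)
{
    char    buf[INET_ADDRSTRLEN + 4];
    char    text[INET_ADDRSTRLEN];
    char   *slash, *end;
    long    bits;
    struct in_addr addr, good;
    uint32_t net, mask;

    if (strlen(pattern) >= sizeof(buf))
        return PAT_BAD_SYNTAX;
    strcpy(buf, pattern);
    if ((slash = strchr(buf, '/')) == NULL)
        return PAT_BAD_SYNTAX;
    *slash++ = '\0';

    /* Mask length: decimal digits only, in the range 0..32. */
    if (*slash < '0' || *slash > '9')
        return PAT_BAD_SYNTAX;
    bits = strtol(slash, &end, 10);
    if (*end != '\0' || bits > 32)
        return PAT_BAD_SYNTAX;
    if (inet_pton(AF_INET, buf, &addr) != 1)
        return PAT_BAD_SYNTAX;

    net = ntohl(addr.s_addr);
    /* A 32-bit shift by 32 is undefined in C, so /0 is handled apart. */
    mask = (bits == 0) ? 0 : (uint32_t) (0xffffffffu << (32 - bits));
    if ((net & ~mask) == 0)
        return PAT_OK;

    if (fixed != NULL && fixed_len > 0) {
        good.s_addr = htonl(net & mask);
        if (inet_ntop(AF_INET, &good, text, sizeof(text)) != NULL)
            snprintf(fixed, fixed_len, "%s/%ld", text, bits);
        else
            fixed[0] = '\0';
    }
    return PAT_HOST_BITS;
}

int main(void)
{
    /* Constructed sample patterns, as they might appear in a mynetworks list. */
    const char *samples[] = {
        "192.168.1.0/24", "192.168.1.1/24", "10.0.0.0/8",
        "172.16.300.0/24", "0.0.0.0/0",
    };
    size_t  i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        switch (check_netmask_pattern(samples[i], fixed_buf, sizeof(fixed_buf))) {
        case PAT_OK:
            printf("ok:    %s\n", samples[i]);
            break;
        case PAT_HOST_BITS:
            printf("fatal: %s has a non-zero host part; did you mean %s?\n",
                   samples[i], fixed_buf);
            break;
        default:
            printf("fatal: %s is not a valid net/mask pattern\n", samples[i]);
        }
    }
    return 0;
}
```

Failing on the pattern, instead of guessing what the operator meant, keeps a mistyped access list from silently matching a different set of clients than intended.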

20030415

        Cleanup: the file system clock drift detection code now
        runs only for incoming mail. File: global/mail_stream.c.

20030416

        Bugfix: missing partial last line when 1) someone submits
        8-bit mail not ending in newline via /usr/sbin/sendmail
        and 2) MIME input processing is turned off, and 3) MIME
        8bit->7bit conversion is requested upon delivery via SMTP.

        Cleanup: auto-bcc recipients are now added in one place
        (the cleanup server) instead of by individual front-end
        servers (pickup, smtpd, qmqpd). This makes it easier to
        add auto-bcc features that trigger on sender or recipient
        addresses.

        Cleanup: "sendmail -t" (recipients from headers) is now
        implemented by the sendmail command instead of by the
        cleanup server. This means that the extract_recipient_limit
        configuration parameter is no longer needed. Files:
        sendmail/sendmail.c, cleanup/cleanup_message.c,
        cleanup/cleanup_extracted.c.

        Compatibility: "sendmail -t" (recipients from headers) now
        accepts command-line recipients instead of complaining.
        The extracted header recipients are added to the command-line
        recipients.

        Feature: sender/recipient_bcc_maps. These are indexed by
        sender/recipient address and are examined when mail enters
        from outside of Postfix. Files: cleanup/cleanup_addr.c,
        cleanup/cleanup_envelope.c, cleanup/cleanup_extracted.c.

20030417

        Feature: the SMTP client now falls back to native name
        service lookups (including /etc/hosts) when a host cannot
        be found in the DNS. This is controlled by a new parameter
        smtp_host_lookup (default: dns, native). Files: smtp/smtp.c,
        smtp/smtp_addr.c.

20030418

        Bugfix: "sendmail -t" broke with unrecognized message
        headers.

20030419

        Feature: "postcat -q" searches the queue for the named
        file.

        Cleanup: made postcat "record names" output more consistent.

20030421

        Debugging: added some extra detailed error logging to the
        pipe-to-command delivery, to help folks with bizarre file
        truncation problems. File: global/pipe_command.c.

20030424

        Cleanup: readlline() did not terminate the result before
        complaining about lines starting with whitespace.

        Cleanup: eliminated valid_hostname warning for invalid
        queue file names. File: global/mail_queue.c.

        Bugfix: lost three lines of code when readying the postcat
        command for release, which broke postcat -q. File:
        postcat/postcat.c.

        Bugfix: the Postfix sendmail command applied the message
        size limit when running as newaliases. The limiting code
        is now moved to the message enqueuing branch of the code.
        File: sendmail/sendmail.c.

        Documentation: start of documentation for the algorithm of
        Patrik Rak's clever queue manager scheduler (nqmgr). Files:
        conf/sample-scheduler.cf, README_FILES/SCHEDULER_README.

20030429

        Bugfix: while verifying an address, the LMTP client entered
        a forbidden "next" sender state after the last recipient.
        Fix by Vladimir Davydoff. File: lmtp/lmtp_proto.c.

        Bugfix: "," was not recognized in proxy_read_maps settings.
        Fix by Leandro Santi. File: proxymap/proxymap.c.

20030502

        Bugfix: defer delivery after .forward etc. file read error.
        File: local/token.c. Problem reported by Ben Rosengart,
        Panix.

20030503

        Bugfix: the Postfix LMTP client used the wrong service
        name, causing trouble with SASL 2.1.13. Daniel Schales,
        Louisiana Tech. File: lmtp/lmtp_sasl_glue.c.

20030518

        Workaround: IRIX select() reports that a non-blocking file
        descriptor is writable while write() transfers zero bytes.
        File: util/vstream.c. Superseded by change 20030523.

20030520

        Cleanup: future time stamps in Received: headers and negative
        delays in delivery agent logging after "postdrop -r",
        because deferred queue files had future file modification
        times. File: src/postsuper/postsuper.c.

20030521

        Cleanup: nqmgr warnings about "recipient count mismatch"
        after "postdrop -r", because the cleanup server did not
        count the "already done" recipients. Problem reported by
        Richard Stockton, Gramma Software. Files:
        cleanup/cleanup_envelope.c, cleanup/cleanup_extracted.c.

20030523

        Workaround: IRIX select() reports that a non-blocking file
        descriptor is writable while write() transfers zero bytes.
        File: global/pipe_command.c.

20030523-20030605

        Cleanup: rewrote the queue file record processing loops in
        pickup, cleanup and in [n]qmgr. This code had deteriorated
        a lot as the result of small changes over the years. This
        change brings the code closer to "obviously correct". Files:
        cleanup/cleanup_envelope.c, cleanup/cleanup_extracted.c,
        *qmgr/qmgr_message.c.

        Cleanup: Postfix no longer produces queue files with
        backwards compatibility data for Postfix versions < 1.0
        (a.k.a. 20010228). Files: cleanup/cleanup_extracted.c,
        showq/showq.c.

        Performance: the queue manager no longer has to examine
        every queue file record before it can start deliveries.
        This helps to avoid thrashing with very large mailing lists.
        Postfix queue files have an extra field in the size record
        with queue manager processing hints. This change is backward
        and forward compatible. Files: cleanup/cleanup_envelope.c,
        cleanup/cleanup_extracted.c, *qmgr/qmgr_message.c.

20030528

        Compatibility: "sendmail -q<time>" without -bd option now
        exits immediately, instead of waiting for input on the
        standard input stream and screwing up system boot sequences.
        File: sendmail/sendmail.c.

20030530

        Bugfix: client access denied with smtpd_delay_reject=no
        broke "sendmail -bs". Fix by Victor Duchovni, Morgan Stanley.
        File: smtpd/smtpd.c.

20030531

        Compatibility: allow <@site,@site:address> route addresses
        in SMTP commands. File: smtpd/smtpd.c.

20030605

        Cleanup: input checks moved from the pickup daemon to the
        postdrop mail submission command; this is to prepare for
        direct mail submission from postdrop->cleanup without going
        through the maildrop directory and the pickup service.
        Files: pickup/pickup.c, postdrop/postdrop.c.

        Bugfix: the "dead host" backoff timer in the MySQL client
        didn't work. Fix by Leandro Santi. File: util/dict_mysql.c.

        Bugfix: same problem in the PostgreSQL client. File:
        util/dict_pgsql.c.

        Workaround: turned off non-blocking write to pipe because
        too many systems give a weird write() result. File:
        global/pipe_command.c.

        Cleanup: added support for vstream_fseek(.., .., SEEK_END).
        File: util/vstream.c.

20030608

        Feature: separate address resolver controls for address
        verification probe messages: address_verify_{local,virtual,
        relay,default}_transport, address_verify_relayhost, and
        address_verify_transport_maps. The default values are the
        regular versions of the same controls. Files: trivial-rewrite/*,
        global/resolve_clnt.[hc], *qmgr/qmgr_message.c.

20030609

        Workaround: Solaris blocking socket read() may hang. Hernan
        Perez Masci and Leandro Santi. File: smtpd/smtpd.c.

        Bugfix: the "unread recipient" counter needs to be restored
        after the queue manager has a problem reading a queue file.
        Fix by Patrik Rak. File: nqmgr/qmgr_message.c.

20030610

        Cleanup: the verify server now uses asynchronous submission
        of mail probes, so it will no longer block for in_flow_delay
        seconds when mail arrives faster than it is delivered.
        Still need to make mail_stream_finish() asynchronous in
        order to avoid blocking for trigger_timeout seconds when
        the queue manager is overwhelmed. Files: global/post_mail.c,
        verify/verify.c.

        Bugfix: removed extraneous sleep() after the last attempt
        to retrieve address verification status. File: smtpd/smtpd.c.

20030611

        Bugfix: the stricter postdrop input filter broke "sendmail
        -bs". Found by Lutz Jaenicke. File: smtpd/smtpd.c.

20030614

        Portability: Dropped support for client side LDAP caching.
        As of release 2.1.13 OpenLDAP no longer supports client
        side caching, it has been deprecated for some time, and
        never worked well. Implemented by Victor Duchovni, Morgan
        Stanley, and further enhanced by Lamont Jones, HP. Files:
        src/util/dict_ldap.c, conf/sample-ldap.cf,
        README_FILES/LDAP_README.

        Safety: Given suitable invalid database contents, LDAP
        lookups can produce too many results, enter an infinite
        loop in the expansion of "special result attributes" (LDAP
        DNs and LDAP URLs) or just consume excessive server resources
        returning large result sets. Three new (per LDAP map)
        configuration parameters enable one to set limits on
        recursive nesting, result expansion and the server response
        "entry" count. Implemented by Victor Duchovni, Morgan
        Stanley, further enhanced by Lamont Jones, HP. Files:
        src/util/dict_ldap.c, conf/sample-ldap.cf,
        README_FILES/LDAP_README.

20030616

        Feature: in mail delivery status reports, report the sender
        address as X-Postfix-Sender. Matthias Andree. File:
        bounce/bounce_notify_util.c.

        Cleanup: in mail delivery status reports, transform the
        original recipient into xtext format as required by RFC
        1891. Files: bounce/bounce_notify_util.c, util/xtext.[hc].

        Cleanup: more accurate "postfix check" warning for files
        that miss one or more of the required mode 02111 execute
        permission bits. Matthias Andree. File: conf/postfix-script.

20030618

        After "postfix reload", the master daemon now warns when
        inet_interfaces has changed, and ignores the change, instead
        of passing incorrect information to the smtp server. File:
        master/master_ent.c.

20030619

        Feature: the Postfix SMTP server can send all mail into a
        proxy server, for example a real-time SPAM filter. This
        proxy is supposed to send the mail into another Postfix
        SMTP server process for normal delivery. Files: smtpd/smtpd.c,
        smtpd/smtpd_proxy.[hc].

20030620

        Bugfix: a cut-and-paste error caused the proxy server's
        354 status code to be reported when a proxy connection
        broke during the DATA phase. File: smtpd.c.

20030620

        Bugfix: after the last change to postdrop, postcat no longer
        recognized maildrop files as valid. File: postcat/postcat.c.

        Bugfix: after moving "sendmail -t" address extraction to
        sendmail, "-t" broke multi-line recipient headers. Victor
        Duchovni, Morgan Stanley. File: sendmail/sendmail.c.

20030621

        Workaround: the safe_open(O_CREAT) race condition exploit
        avoiding code tries a little harder when it encounters a
        race condition. File: util/safe_open.c.

20030624

        Bugfix: reject_unverified_address() set the defer_if_reject
        flag when the verify service was unavailable (which never
        happens). Victor Duchovni, Morgan Stanley. File:
        smtpd/smtpd_check.c.

        New parameters address_verify_poll_{count,delay} that
        control how often to poll the address verification service
        for the completion of an address verification request.
        Specify address_verify_poll_count=1 to implement a crude
        form of greylisting, that is, always defer the first delivery
        attempt for an unknown address. File: smtpd/smtpd_check.c.

        Bugfix: after the last change to postdrop, postcat no longer
        recognized non-maildrop queue files as valid. File:
        postcat/postcat.c.

20030629

        Cleanup: replaced references to "simulated virtual domains"
        by "virtual alias domains". Victor Duchovni, Morgan Stanley.

20030630

        Feature: smtp_quote_rfc821_envelope=(yes|no) to control
        RFC 821 style quoting of MAIL FROM and RCPT TO addresses.
        Files: global/mail_params.h, smtp/smtp.c, smtp/smtp_proto.c.

20030701

        Bugfix: multi-recipient probes triggered a bug in the SMTP
        client. File: smtp/smtp_proto.c.

        Feature: enable_original_recipient (default: yes) to control
        whether Postfix keeps track of original recipient address
        information. Victor Duchovni, Morgan Stanley. Files:
        cleanup/cleanup.c, cleanup/cleanup_init.c,
        cleanup/cleanup_out_recipient.c, global/log_adhoc.c,
        global/mail_copy.c, *qmgr/qmgr_message.c.

        Feature: !/pattern/ support for PCRE lookup tables. Victor
        Duchovni, Morgan Stanley. Files: util/dict_pcre.c.

        Cleanup: allow whitespace after patterns in regexp and pcre
        tables. Victor Duchovni, Morgan Stanley. Files:
        util/dict_pcre.c, util/dict_regexp.c.

20030702

        Feature: CIDR lookup table support, very remotely based on
        code by Jozsef Kadlecsik. Files: proto/cidr_table,
        util/dict_cidr.[hc].

        Feature: TCP lookup table support, finally finished. Files:
        proto/tcp_table, proto/dict_tcp.[hc].

20030705

        Feature: new receive_override_options parameter controls
        what happens before or after an external content filter:
        rejecting unknown recipients, canonical and virtual address
        mapping, address masquerading, automatic BCC recipients
        and header/body checks. This eliminates the need to configure
        multiple cleanup services in the master.cf file.

20030707

        Feature: context dependent SASL security options (i.e.
        different options when TLS is enabled/disabled). Lutz
        Jaenicke. Files: */*sasl_glue.[hc].

20030708

        Hardened the attr_scan routines for exposure to an untrusted
        environment, in preparation for possible use with SMTP
        policy delegation to an external server.

        Feature: address filter for RBL lookups, for use with
        multi-valued RBL services. File: smtpd/smtpd_check.c.

20030709

        Cleanup: use off_t instead of int for VSTREAM file offsets.
        This was needed for mailboxes > 2GB on 32-bit systems.
        Files: util/vstream.c, global/mail_copy.c.

20030710

        Support for multiple A and TXT results in RBL lookups.
        Victor Duchovni, Morgan Stanley. File: smtpd/smtpd_check.c.

        Support for attribute-based query-reply protocols. Files:
        util/attr_clnt.[hc], util/auto_clnt.[hc].

20030711

        Support for plain "name=value\n" attribute protocol. Files:
        util/attr_{scan,print}_plain.c.

        Bugfix: the LMTP session caching code did not reset the
        EHLO server feature list when it needed to reconnect.
        Problem found by Tobias Erbsland.

20030712

        Feature: delegated SMTP policy server. As an example, see
        the greylisting server in examples/smtpd-policy. Specify
        "check_smtpd_policy_service" in smtpd_mumble_restrictions.
        See SMTPD_POLICY_SERVICE_README for details.
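
The 20030711 and 20030712 entries above describe a policy server that speaks the plain "name=value\n" protocol. The following is an added sketch of the decision logic of a greylisting policy server, not the script in examples/smtpd-policy. The attribute names and the empty-line terminator follow Postfix's policy delegation documentation rather than this page; the size limits, delay, reply texts and sample request are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

#define MAX_LINE_LEN   512      /* bound on one name=value line (assumed) */
#define MAX_TRIPLETS   64       /* in-memory demo table, not persistent */
#define GREYLIST_DELAY 60       /* seconds a new triplet has to wait */

#define REPLY_DUNNO "action=dunno\n\n"
#define REPLY_DEFER "action=defer_if_permit Greylisted, please retry later\n\n"
#define REPLY_ERROR "action=defer_if_permit Policy service error\n\n"

/* Constructed sample request; addresses are documentation examples. */
static const char SAMPLE_REQ[] =
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "client_address=192.0.2.10\n"
    "sender=alice@example.org\n"
    "recipient=bob@example.net\n"
    "\n";

struct policy_req {
    char    client_address[MAX_LINE_LEN];
    char    sender[MAX_LINE_LEN];
    char    recipient[MAX_LINE_LEN];
};

struct triplet {
    char    key[3 * MAX_LINE_LEN + 3];
    time_t  first_seen;
};

static struct triplet table[MAX_TRIPLETS];
static int ntriplets;

static int name_is(const char *line, size_t nlen, const char *name)
{
    return strlen(name) == nlen && memcmp(line, name, nlen) == 0;
}

/* Parse name=value lines up to the empty line; 0 if well-formed, else -1. */
static int parse_request(const char *req, struct policy_req *out)
{
    const char *line = req;

    memset(out, 0, sizeof(*out));
    for (;;) {
        const char *nl = strchr(line, '\n');
        const char *eq;
        char   *dst = NULL;
        size_t  len, nlen;

        if (nl == NULL)
            return -1;          /* truncated: no terminating empty line */
        if ((len = (size_t) (nl - line)) == 0)
            return 0;           /* empty line ends the request */
        if (len >= MAX_LINE_LEN || (eq = memchr(line, '=', len)) == NULL)
            return -1;          /* oversized line, or no '=' */
        nlen = (size_t) (eq - line);
        if (name_is(line, nlen, "client_address"))
            dst = out->client_address;
        else if (name_is(line, nlen, "sender"))
            dst = out->sender;
        else if (name_is(line, nlen, "recipient"))
            dst = out->recipient;
        if (dst != NULL) {      /* all other attributes are ignored */
            memcpy(dst, eq + 1, len - nlen - 1);
            dst[len - nlen - 1] = '\0';
        }
        line = nl + 1;
    }
}

/* Reply for one request; "now" is a parameter so results are repeatable. */
const char *policy_decide(const char *req, time_t now)
{
    struct policy_req r;
    char    key[3 * MAX_LINE_LEN + 3];
    int     i;

    /* Malformed input gets a temporary failure, never a permit. */
    if (parse_request(req, &r) != 0 || !r.client_address[0] || !r.recipient[0])
        return REPLY_ERROR;
    snprintf(key, sizeof(key), "%s/%s/%s",
             r.client_address, r.sender, r.recipient);
    for (i = 0; i < ntriplets; i++)
        if (strcmp(table[i].key, key) == 0)
            return difftime(now, table[i].first_seen) >= GREYLIST_DELAY ?
                REPLY_DUNNO : REPLY_DEFER;
    if (ntriplets < MAX_TRIPLETS) {     /* a full demo table keeps deferring */
        strcpy(table[ntriplets].key, key);
        table[ntriplets++].first_seen = now;
    }
    return REPLY_DEFER;
}

int main(void)
{
    printf("first attempt:   %s", policy_decide(SAMPLE_REQ, (time_t) 1000));
    printf("retry after 30s: %s", policy_decide(SAMPLE_REQ, (time_t) 1030));
    printf("retry after 60s: %s", policy_decide(SAMPLE_REQ, (time_t) 1060));
    return 0;
}
```

Replying "dunno" for a known triplet leaves the final decision to the restrictions that follow, and the line-length bound keeps an oversized request from growing the parser's buffers.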

20030716

        Bugfix: in the sample policy server, changed "ok" into
        "dunno" so the server can be used in the middle of a
        restriction list.

        Cleanup: when an RBL reply has multiple TXT records,
        concatenate them up to some reasonable limit, instead of
        selecting one randomly. File: smtpd/smtpd_check.c.

        Safety: always truncate SMTP server error replies to 512
        bytes. File: smtpd/smtpd_check.c.

20030717

        Documentation: added description of policy_time_limit to
        the SMTPD_POLICY_README document.

        Documentation: corrected the command time limit parameter
        syntax in the spawn(8) manual page.

        Feature: defer_if_permit and defer_if_reject actions in
        access tables, mainly for use by the delegated policy
        server. Files: smtpd/smtpd_check.c, proto/access.

20030725

        The dict_pgsql module did not use dict_alloc() and dict_free(),
        causing improper initialization and a memory leak. Leandro
        Santi. File: util/dict_pgsql.c.

        Cleanup: added open_flags sanity checks to the dict_pgsql
        and dict_mysql modules. These maps must be opened in
        read-only mode.

20030731

        Bugfix: virtual(8) was changed to use mail_addr_find()
        instead of virtual8_maps_find(), but the SMTP server's
        virtual mailbox recipient validation was not updated.

20030804

        Bugfix: the 20030712 safety against invalid DNS results
        was broken. Reported by Ralf Hildebrandt. File:
        dns/dns_lookup.c.

20030805-12

        Safety: the pipe daemon now defers delivery with a warning
        when it is given a non-existent command-line macro name.
        File: pipe/pipe.c.

20030810

        Bugfix: dict_ldap had a few harmless memory leaks. By
        Liviu Daia. File: util/dict_ldap.c.

        Feature: support for LDAP URLs in the LDAP parameter
        "server_host", if Postfix is linked against OpenLDAP.
        This allows Postfix to connect to LDAP SSL sources. By Liviu
        Daia. File: util/dict_ldap.c.

20030811

        Cleanup: produce a warning when host:port specifies a badly
        formatted numerical port. Files: util/find_inet.c,
        smtp/smtp_connect.c, lmtp/lmtp_connect.c.

20030822

        Feature: the export_environment and import_environment
        parameters now accept name=value information that will be
        entered into the new environment. File: util/clean_env.c.

20030823

        Feature: smtpd_sasl_exceptions_networks parameter to prevent
        Postfix from offering AUTH to clients that match the listed
        networks. Based on code by Ben Rosengart, Panix. Files:
        conf/sample-auth.cf, smtpd/smtpd.c.

20030902

        Portability: the Postfix master resets the file size to
        the largest possible off_t value when the actual limit
        appears to overflow the off_t range. Files: util/sys_defs.h,
        util/file_limit.c. A fine sample of bit banging.

20030905

        Workaround: Solaris 8 select() claims that a non-blocking
        socket is readable and then read() fails with EAGAIN. Files:
        util/timed_read.c and as precautionary measure,
        util/timed_write.c.

        Bugfix: dict_register() should not be called from dict_open()
        in dict_mysql and dict_pgsql. Liviu Daia. Files:
        util/dict_mysql.c, util/dict_pgsql.c.

        Feature: LDAP parameters can now be specified in external
        files. This makes it possible to securely store bind
        passwords for plain auth outside of main.cf (which is world
        readable). By Liviu Daia, based on a suggestion by Victor
        Duchovni and Lamont Jones. File: util/dict_ldap.c.

        Feature: STARTTLS option for LDAP, if Postfix is linked
        against OpenLDAP. By Liviu Daia, amended by Victor Duchovni.
        File: util/dict_ldap.c.

        Cleanup: connections to LDAP sources are now postponed
        until they are actually needed.
        By Liviu Daia. File: util/dict_ldap.c.

20030908

        The 20030905 Solaris workaround triggers too many warnings.
        TCP sockets are back to blocking, and keepalives are turned
        on to kill off dead sockets, as suggested by Leandro Santi.
        Files: master/{single,multi}_server.c, smtpd/smtpd.c,
        util/sys_defs.h.

20030909

        Bugfix: the LMTP session caching code had problems with
        SASL authentication after the first connection, and pipelining
        was working poorly. Fix by Victor Duchovni, Morgan Stanley.
        Files: lmtp/lmtp.c, lmtp/lmtp_proto.c.

20030912

        Workaround: besides SMTP server sockets, SMTP client sockets
        can also hang on Solaris, as reported by Leandro Santi. In
        order to deal with this at the root, all connection management
        is now done by sane_accept() and sane_connect(). Both turn
        on keepalives on Solaris.

20030913

        Safety: set-gid commands don't trust TZ. File: msg_syslog.c.

20030914

        Address extension propagation wasn't documented enough when
        it was added to Postfix. Based on patches by Roman Neuhauser.

        Added clarifying notes to main.cf, master.cf and access by
        Dean Gibson.

        In header/body_checks, DUNNO is now the preferred action
        instead of the now deprecated OK. This may confuse fewer
        people.

        In header/body_checks, allow text after IGNORE and DUNNO,
        suggested by Victor Duchovni, Morgan Stanley. File:
        src/cleanup/cleanup_message.c.

        Feature: reject_rhsbl_helo. File: smtpd/smtpd_check.c.

        Bugfix? The LMTP and SMTP clients now send "MAIL FROM:<sender>
        AUTH=<>" when SASL authenticated. Suggested by Victor
        Duchovni, Morgan Stanley. Files: smtp/smtp_proto.c,
        lmtp/lmtp_proto.c.

20030915

        Bugfix: mail rejected by the before-queue content filter
        was mis-labeled as a software error; it should be labeled
        as a policy error instead. File: smtpd/smtpd.c.

        Cleanup: postcat is now null-byte transparent. File:
        postcat/postcat.c.

20030916

        Feature: ``check_{sender,recipient}_mx_access maptype:mapname''
        applies the named Postfix access table to the MX host name
        and IP addresses for the sender or recipient address. If
        no MX record is found, the A record is used instead. File:
        smtpd/smtpd_check.c.

        Feature: ``check_{sender,recipient}_ns_access maptype:mapname''
        applies the named Postfix access table to the DNS server
        hostname and IP addresses for the sender or recipient
        address. If no NS record is found, the parent domain is
        used instead. File: smtpd/smtpd_check.c.

20030917

        Feature: ``check_helo_{ns,mx}_access maptype:mapname'',
        same semantics as sender and recipient.

        Multiple LDAP lookup tables in the one Postfix process now
        share one LDAP connection. Code by Victor Duchovni, Morgan
        Stanley. File: util/dict_ldap.c.

        Performance: with prefix_domain specified for an LDAP lookup
        table, lookups of @domain are skipped. Code by Victor
        Duchovni, Morgan Stanley. File: util/dict_ldap.c.

        Safety: check_mumble_{mx,ns}_access refuses to be used for
        whitelisting. The Postfix SMTP server will reject the
        request with "451 server configuration error" and will log
        a warning explaining why. File: smtpd/smtpd_check.c.

20030918

        Bugfix: check_mumble_ns_access did not correctly look up
        NS records of parent domains, causing mail to be deferred
        with a 450 status code. File: smtpd/smtpd_check.c.

20030919

        Robustness: check_mumble_{mx,ns}_access skip over DNS lookup
        failures instead of deferring mail.
This is not as bad as 8600 it appears to be because the restrictions can't be used 8601 for whitelisting. File: smtpd/smtpd_check.c. 8602 860320030920 8604 8605 Bugfix: the 20030917 LDAP connection sharing code introduced 8606 a compilation problem with non-OpenLDAP implementations. 8607 Fix by Liviu Daia. File: util/dict_ldap.c 8608 8609 Compatibility: the LDAP server_host parameter now supports 8610 all the usual Postfix list element delimiters. Some LDAP 8611 libraries support just SPACE, others SPACE and ",". Postfix 8612 now normalizes the host list into a space separated format. 8613 This is less surprising to Postfix users used to the full 8614 range of delimeters in other contexts. Implemented by Liviu 8615 Daia. File: util/dict_ldap.c 8616 8617 Bugfix: after returning too old mail, the bounce daemon 8618 now locks the original queue file and deletes deferred 8619 recipients, to avoid repeated bounce notifications when 8620 the queue manager is restarted. Files: bounce/*.[hc], 8621 global/bounce_log.[hc], global/{bounce,defer}.[hc] and 8622 everything that invokes these routines including queue 8623 manager and delivery agents. 8624 862520030922 8626 8627 Feature: "XADDR address hostname" SMTP command, for SMTPD 8628 restriction debugging, and for sites with fetchmail-like 8629 software that extracts client information from the first 8630 Received: header. The smtpd_authorized_xaddr_clients 8631 parameter specifies what clients are allowed to use XADDR 8632 (default: none). Files: smtpd/smtpd.c. 8633 863420031015 8635 8636 Workaround: smtpd access maps should not apply subdomain 8637 name magic to numerical hostnames. File: smtpd/smtpd_check.c. 8638 8639 Safety: the local delivery agent now defers delivery when 8640 alias lookup produces an empty result. File: local/alias.c. 8641 864220031019 8643 8644 Workaround: disable request/reply size limit in attr_scan*.c 8645 to prevent mail from getting stuck when rewriting a malformed 8646 message header. 
This limit was turned on with snapshot 8647 20030715 to harden the protocol that is used by SMTPD policy 8648 delegation. A "no code change" workaround is to specify 8649 "header_size_limit = $line_length_limit". The proper fix 8650 is to enforce request/reply size limits only for data from 8651 outside of Postfix. Problem reported by Brandon Mullenberg, 8652 Dialup USA. Files: util/attr_scan*.c. 8653 8654 Feature: "XLOGINFO address hostname" SMTP command, so that 8655 Postfix daemons behind SMTPD pass-through proxies log useful 8656 client name/address information instead of localhost[127.0.0.1]. 8657 The smtpd_authorized_xloginfo_clients parameter specifies 8658 what clients are allowed to use XLOGINFO (default: none). 8659 Files: smtpd/smtpd.c. 8660 8661 Cleanup: renamed the authorized_verp_clients parameter to 8662 smtpd_authorized_verp_clients for consistency. 8663 866420031021 8665 8666 Workaround: the demo greylist script now uses BTREE instead 8667 of HASH files for hopefully better stability. The real fix 8668 is to use a single updater process that serves multiple 8669 clients. That approach seems to work well with the verify 8670 daemon. File: examples/smtpd-policy/smtpd-policy.pl. 8671 867220031022 8673 8674 Safety: the SMTP server now warns when the queue_minfree 8675 value is less than twice the message size limit. File: 8676 smtpd/smtpd.c. 8677 8678 Safety: the SMTP server no longer accepts mail when the 8679 amount of free space is less than twice the message size 8680 limit. File: smtpd/smtpd_check.c. 8681 8682 Safety: log a warning and defer mail when canonical or 8683 virtual lookups return a non-address result (like a string 8684 that contains no address). File: global/mail_addr_map.c. 8685 8686 Safety: log a warning and defer mail when any map lookup 8687 returns an empty string result, and explain that "no result" 8688 is expected in case of a "not found" condition. This happens 8689 with incorrectly implemented SQL or LDAP tables. 
File: 8690 global/maps_find.c. 8691 869220031023 8693 8694 Bugfix: the MYSQL and PGSQL modules invoked dict_register(). 8695 This was fixed a while ago but never made it into the 8696 distribution. Files: util/dict*sql.c. 8697 8698 Robustness: added three ISSPACE() calls in the smtpd proxy 8699 parser. File: smtpd/smtpd_proxy.c. 8700 870120031024 8702 8703 Portability: added localhost to mydestination for sites 8704 that turn off append_dot_mydomain. File: global/mail_params.h. 8705 870620031027 8707 8708 Portability: MacOS X Bind8 compatibility. File: makedefs. 8709 871020031103 8711 8712 Robustness: flush pipelined "." and "quit" replies to avoid 8713 repeated deliveries in case of a program crash (you know, 8714 the kind of thing that happens before Postfix release :-). 8715 File: smtpd/smtpd.c. 8716 871720031105 8718 8719 Portability: turn off NETINFO support for MacOS X Panther 8720 by default. Files: makedefs, util/sys_defs.h. 8721 872220031106 8723 8724 Feature: the sample greylist policy server is now case 8725 insensitive. File: examples/smtpd-policy/smtpd-policy.pl. 8726 872720031103-20031110 8728 8729 Feature: preliminary defense against SMTP clients that 8730 hammer the SMTP server with too many simultaneous or 8731 successive connection attempts, with a whitelist capability 8732 to disable the restriction for authorized clients. Most 8733 work is implemented by a new "anvil" server. Parameters: 8734 smtpd_client_connection_count_limit, smtpd_client_connection- 8735 _rate_limit, smtpd_client_connection_limit_exceptions, and 8736 client_connection_rate_time_unit. Documentation: smtpd(8), 8737 anvil(8), sample-smtpd.cf. Files: smtpd/smtpd.c, 8738 global/anvil_clnt.[hc], anvil/anvil.c. The anvil server 8739 logs peak count and rate information per client when it 8740 terminates after running out of work or after "postfix 8741 reload". 8742 874320031110 8744 8745 Cleanup: Postfix now supports the /0 netmask (match every 8746 address). 
This is useful as a catch-all pattern at the 8747 end of a table. Files: util/dict_cidr.c, util/match_ops.c. 8748 8749 Cleanup: don't report that $queue_directory/etc/filename 8750 differs from /etc/filename when /etc/filename does not 8751 exist. File: conf/postfix-script. 8752 875320031112 8754 8755 Feature: client_connection_status_update_time parameter 8756 controls periodic logging of maximal connection counts or 8757 rates. The default logging interval is 10 minutes. 8758 8759 Feature: "make makefiles WARN=stuff..." overrides the 8760 built-in GCC warning options that are used when "make" is 8761 invoked from within a source subdirectory. Files: makedefs, 8762 */Makefile.in. 8763 876420031125 8765 8766 Feature: qmgr logs "queueid: deleted", just like postsuper, 8767 when it removes a message from the mail queue. 8768 8769 Performance: smtpd connects to the cleanup or proxy server 8770 AFTER the first valid RCPT TO command, instead of after 8771 the first valid MAIL FROM command. This avoid wasting 8772 real-time proxy filter resources when mail is stopped by 8773 the SMTP server's access blocks. File: smtpd/smtpd.c. 8774 877520031126 8776 8777 Bugfix: "panic: mymalloc: requested length 0" when master.cf 8778 specified an invalid host name or address. Postfix now 8779 logs more specific information. File: master/master_ent.c. 8780 Reported by several people. 8781 878220031125-20031201 8783 8784 Feature: XCLIENT support to override the SMTP server's 8785 client information for logging and/or access control. This 8786 replaces the short-lived XADDR and XLOGINFO extensions. 8787 Remotely based on code by Victor Duchovni. See FILTER_README 8788 and SMTPD_PROXY_README for usage details. Files: 8789 smtpd/{smtpd,smtpd_check,smtpd_proxy,smtpd_xclient}.c 8790 smtp/smtp_smtp_proto.c, *qmgr/qmgr_message.c, 8791 global/deliver_request.c. 8792 879320031202 8794 8795 Cleanup: postfix-files now has support for files that are 8796 no longer part of Postfix. 
When upgrading Postfix, the 8797 post-install script gives the user a reminder. Files: 8798 conf/postfix-files, conf/post-install. 8799 880020031203 8801 8802 Support for SMTPD access map actions (FILTER, REDIRECT, 8803 HOLD or DISCARD) that are delegated to the cleanup server, 8804 but can trigger before the first valid recipient address 8805 is accepted (and thus, before a cleanup server connection 8806 is available). Files: smtpd/{smtpd,smtpd_state,smtpd_check}.c. 8807 880820031204 8809 8810 Bugfix: conf/post-install didn't skip non-existent obsolete 8811 files. Victor Duchovni. 8812 8813 Minor cleanups of the xclient error messages; xclient 8814 command lookup tables. File: smtpd/smtpd.c. 8815 881620031206 8817 8818 Feature: reject_sender_login_mismatch allows multiple owners 8819 of a sender address. Code by Liviu Daia. Files: 8820 smtpd/smtpd_check.c and documentation. 8821 8822 reject_sender_login_mismatch is now implemented by elementary 8823 features reject_unauthenticated_sender_login_mismatch 8824 (reject if the client is not SASL logged in but the sender 8825 address has an owner in smtpd_sender_login_maps) and 8826 reject_authenticated_sender_login_mismatch (reject if the 8827 client is SASL logged in but does not own the sender 8828 address). Code by Liviu Daia. Files: smtpd/smtpd_check.c 8829 and documentation. 8830 883120031207 8832 8833 Bugfix: fallback_transport and mailbox_transport were broken 8834 because the deliver_pass.c module was not updated for the 8835 changed message delivery protocol. 8836 883720031211 8838 8839 Safety: in dynamically growing data structures, update the 8840 length info after (instead of before) updating the data 8841 size. Files: util/argv.c, util/inet_addrlist.c, util/intv.c, 8842 util/mvect.c, util/vstring.c, global/recipient_list.c, 8843 *qmgr/qmgr_rcpt_list.c. 
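
The ordering rule in the 20031211 entry above, as an added example that is not Postfix code: it grows a vector both ways and reports what the length field claims after a resize that fails. INTVEC, try_realloc() and the fail_next_alloc hook are hypothetical names, and the allocator is assumed to report failure to its caller.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical growable vector for this example (not a Postfix type). */
typedef struct {
    size_t  len;                /* slots allocated in data[] */
    size_t  used;               /* slots that hold a value */
    int    *data;
} INTVEC;

/* Test hook (assumption of this example): fail the next reallocation. */
static int fail_next_alloc;

static void *try_realloc(void *ptr, size_t size)
{
    if (fail_next_alloc) {
        fail_next_alloc = 0;
        return NULL;
    }
    return realloc(ptr, size);
}

/* "Before" ordering: len is raised first, so a failed resize leaves
 * len larger than the memory that really backs data[]. */
static int grow_len_first(INTVEC *v)
{
    void   *p;

    v->len *= 2;
    if ((p = try_realloc(v->data, v->len * sizeof(int))) == NULL)
        return -1;
    v->data = p;
    return 0;
}

/* "After" ordering: resize the data, then publish the new length. */
static int grow_data_first(INTVEC *v)
{
    size_t  new_len;
    void   *p;

    if (v->len > SIZE_MAX / sizeof(int) / 2)    /* size would overflow */
        return -1;
    new_len = v->len * 2;
    if ((p = try_realloc(v->data, new_len * sizeof(int))) == NULL)
        return -1;                              /* *v is unchanged */
    v->data = p;
    v->len = new_len;
    return 0;
}

/* Append one value, growing through the supplied routine when full. */
static int intvec_append(INTVEC *v, int value, int (*grow)(INTVEC *))
{
    if (v->used >= v->len && grow(v) != 0)
        return -1;
    v->data[v->used++] = value;
    return 0;
}

/* Fill a 4-slot vector, force the resize to fail, and return the len
 * that the structure advertises afterwards. Only 4 slots exist, so any
 * answer above 4 means a later append would write out of bounds. */
static size_t len_after_failed_grow(int (*grow)(INTVEC *))
{
    INTVEC  v = {4, 0, NULL};
    size_t  advertised;
    int     i;

    if ((v.data = malloc(v.len * sizeof(int))) == NULL)
        return 0;
    for (i = 0; i < 4; i++)
        (void) intvec_append(&v, i, grow);
    fail_next_alloc = 1;
    (void) intvec_append(&v, 4, grow);          /* resize fails here */
    advertised = v.len;
    free(v.data);
    return advertised;
}

int main(void)
{
    printf("len-first:  len field says %zu slots, 4 allocated\n",
           len_after_failed_grow(grow_len_first));
    printf("data-first: len field says %zu slots, 4 allocated\n",
           len_after_failed_grow(grow_data_first));
    return 0;
}
```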

20031212

    Cleanup: separate extensions XCLIENT (impersonate SMTP
    client) and XFORWARD (down-stream logging of up-stream MTA
    and/or message information, not necessarily SMTP related).
    The protocol is extensible: the server advertises what
    attributes XCLIENT or XFORWARD will accept, and it is an
    error to send an unsupported attribute. No xtext encoding
    is used, since no attribute currently needs it. See also:
    XCLIENT_README and XFORWARD_README.

20031214

    Feature: XFORWARD support in the LMTP client.

20031215

    Safety: updated mail_queue_id_ok() for long fast flush
    logfile names. File: global/mail_queue.c.

    Robustness: save and restore the resolver _res.options
    settings before and after DNS lookup, to avoid surprises
    in third-party code. This may eliminate some "localhost
    not found" problems. File: dns/dns_lookup.c.

20031216

    Cleanup: easier to parse mailq output (no more space
    between short queue ID and message status). File:
    showq/showq.c.

20031216-21

    Cleanup: the SMTP client now moves on to the next MX host
    or fallback relay when delivery fails in the middle of an
    SMTP session. This includes both broken connections and
    4xx SMTP server replies. Files: smtp/smtp.c, smtp_rcpt.c,
    smtp/smtp_connect.c, smtp_trouble.c.

    Configuration parameters: smtp_mx_address_limit (limit the
    list of IP addresses from MX lookup), and smtp_mx_session_limit
    (limit the number of actual SMTP sessions per delivery
    attempt, ignoring unusable MX IP addresses).

    The new code centers around a mark-and-sweep algorithm
    (replacing code that twiddled the rcpt->offset structure
    member), with paranoid sanity checks to ensure that every
    recipient is explicitly accounted for.

20031217

    Update: LDAP client logging (Liviu Daia) and LDAP client
    documentation (Victor Duchovni). Files: util/dict_ldap.c,
    conf/sample-ldap.cf, README_FILES/LDAP_README.

20031222

    Cleanup: shaved half the worst-case bits off the cleanup
    duplicate address filter footprint. After discussion with
    Victor Duchovni. File: cleanup/cleanup_out_recipient.c.

    Safety: added "mail loops to myself" logic for destinations
    that don't have an MX host. File: smtp/smtp_addr.c.

20031223

    Workaround: turn off "mail loops to myself" for non-MX
    destinations because it breaks SMTP-based content filters.
    Fix is to turn off loop detection when a non-default TCP
    port is specified. File: smtp/smtp_addr.c.

    Bugfix: restore errno after write failure in SIGCHLD handler.
    Leandro Santi (who got the idea from Hernan Perez Masci).
    File: master/master_sig.c.

    Bugfix: the auto_clnt module disconnected too early, causing
    unnecessary work by the anvil server.

    Cleanup: eliminated binary hashes from anvil server. Anvil
    client information is now stored on top of its VSTREAM.

20031226

    Feature: bounce_queue_lifetime parameter (default:
    $maximal_queue_life_time) that bounds the time that
    MAILER-DAEMON messages spend in the queue before they are
    considered undeliverable.

    Feature: disable "mail loops back to myself" protection
    when SMTP mail is sent to a non-standard port. This makes
    setting up content filters less painful.

    Cleanup: disallow bare x.x.x.x numeric IP addresses in
    email addresses. The form user@[x.x.x.x] is still allowed.

    Cleanup: cleaned up the naming of internal symbols in the
    SMTP client.

20031231

    Bugfix: stricter address syntax test broke "sendmail -bs".
    File: smtpd/smtpd.c.

20040101

    Cleanup: the Postfix SMTP server rejects a MAIL FROM address
    that matches a local, virtual or relay domain, while the
    address is not listed in the corresponding local, virtual
    or relay recipient table.

    Feature: the reject_unlisted_sender(recipient) SMTPD access
    restriction rejects an address that matches a local, virtual
    or relay domain, while the address is not listed in the
    corresponding local, virtual or relay recipient table.

    Compatibility: the check_recipient_maps restriction works
    like reject_unlisted_recipient, but will eventually be
    removed from Postfix.

20040102

    Misc documentation cleanup by Loic Minier.

20040104

    Workaround: MacOSX dumps core on the 20030913 TZ censoring
    code. We explicitly set TZ=UTC, which will produce incorrect
    results when "mailq" formatting is moved from the showq
    daemon to the postqueue command. File: msg_syslog.c.

    Feature: after mail is requeued with "postsuper -r", the
    pickup server logs the old queue ID together with the new
    queue ID. Victor Duchovni. File: pickup/pickup.c.

    Feature: smtpd_sasl_application_name parameter (default:
    smtpd) to control the name of the SASL configuration file
    used by the Postfix SMTP server. Liviu Daia. Files:
    mail_params.h, smtpd.c, smtpd_sasl_glue.c.

    Cleanup: the LDAP client configuration parser is now shared
    between the LDAP, MySQL, and PGSQL clients. Liviu Daia.
    Files: global/cfgparser.[hc], global/dict_ldap.c,
    global/dict_mysql.c, global/dict_pgsql.c and documentation.

    Cleanup: moved "util" modules with dependencies on higher-level
    "global" code from the util directory to the global directory:
    util/dict_open.c, global/cfgparser.[hc], global/dict_ldap.c,
    global/dict_mysql.c, global/dict_pgsql.c, global/mail_dict.c.

    Cleanup: the new queue manager nqmgr replaces the default
    queue manager qmgr, leaving behind a hard link for backwards
    compatibility. The old queue manager remains available as
    oqmgr but will eventually be removed.

    Bugfix: vstring_get() etc. now return VSTREAM_EOF when they
    terminate prematurely, instead of returning the last
    character stored. This avoids mis-leading warnings. File:
    global/vstring_vstream.c.

20040105

    Cleanup: don't bother the flush daemon while deferring mail
    if the destination is not "fast flush" eligible. File:
    global/flush_clnt.c.

    Safety: the SMTP server flushes recipients to the cleanup
    server in order to avoid SMTP timeouts when virtual or
    canonical expansions take a lot of time. File: smtpd/smtpd.c.

    Safety: add warnings to postmap and postalias when table
    lookup results in an empty string.

20040110

    Example: script to run qmail-local from Postfix by Ron
    Bickers.

    Change: queue minfree limit is now 1.5 * message size limit.
    File: smtpd/smtpd_check.c.

    Bugfix: apply hostname restriction even when host address
    lookup fails in check_{sender,recipient}_{ns,mx}_access.
    File: smtpd/smtpd_check.c.

20040115

    Performance: allow delivery concurrency to increase even
    while mail is deferred, as long as the delivery agent does
    not report really serious trouble with the destination.
    Files: *qmgr/qmgr_deliver.c.

    Cleanup: in postfix-files, symbolic links and hard links
    are now first-class citizens with explicit mention of source
    and destination pathnames. Files: postfix-install,
    conf/postfix-files, conf/post-install.

20040116

    Cleanup: sendmail -v caused one mail delivery report upon
    every delivery attempt, not just the first one. The fix is
    to "kill" a queue file record after the first delivery
    attempt. This means a new record type. Files: *qmgr/qmgr_active.c,
    *qmgr/qmgr_message.c, global/rec_type.c.

    Cleanup: in anticipation of other built-in rate limiters,
    the client_connection_rate_time_unit parameter is renamed
    to client_rate_time_unit.

    Documentation: finished the HOSTING_README file with an
    overview of methods to host domains with Postfix.

20040119

    Bugfix: anvil (count and rate limiting) server race condition
    could result in dangling pointer. Postfix erases memory
    after allocating and before freeing, so it is extremely
    unlikely that this could be used to bring harmful data into
    the anvil server. File: anvil/anvil.c.

20040120

    Cleanup: new header_checks(5) and body_checks(5) manual
    pages. The sample-regexp* and sample-pcre* files are no
    longer needed and have been removed, as are the default
    *_table configuration files.

    Cleanup: support for the non-standard Errors-To: header is
    removed. File: cleanup/cleanup_message.c.

20040121

    Feature: "PREPEND headername: headervalue" action in Postfix
    access maps, to facilitate external policy servers that
    label mail instead of rejecting it. Files: smtpd/smtpd.c,
    smtpd/smtpd_check.c.

20040122

    UNDO the 20040104 change (vstring_get() etc. return
    VSTREAM_EOF when they terminate prematurely, instead of
    returning the last character stored, to avoid mis-leading
    warnings). File: global/vstring_vstream.c.

    Portability: test -e is not portable. File: conf/postfix-script.

    Misc. documentation fixes by Victor Duchovni.

    Documentation: the README files are now hyperlinked, and
    are referenced in the on-line manual pages.

    Bugfix: the pickup daemon now strokes the watchdog frequently
    to prevent the watchdog from barking when mail arrives
    faster than it can be picked up. File: pickup/pickup.c.

20040123

    Feature: set smtpd_reject_unlisted_{sender,recipient}=no
    to turn off automatic rejection of non-existent local,
    virtual or relay addresses. This way it can be made
    conditional for local clients, always on for remote clients.
    Files: global/mail_params.h, smtpd/smtpd.c, smtpd/smtpd_check.c.

20040124

    Feature: PREPEND in header/body_checks, for message tagging.
    File: cleanup/cleanup_message.c.

20040126

    Safety: handle the case that main.cf is updated while it
    is being read. File: util/dict.c.

    Feature: "instance" attribute that links policy etc. queries
    to the same message instance.

    Cleanup: the mynetworks setting may now be empty. File:
    global/mail_params.c.

20040127

    Bugfix: missing flush_init() call. Introduced 20040105.
    File: postqueue/postqueue.c.

20040128

    Cleanup: clnt_stream derived classes now try to detect that
    the server has disconnected before sending data and warning
    about an error. File: global/clnt_stream.c.

20040202

    Bugfix: changed mis-leading warning about text>4096 characters
    into "unexpected end-of-input". File: util/attr_scan0.c.

20040201

    Feature: sasl_method, sasl_username and sasl_sender attributes
    in smtpd policy queries. Files: src/smtpd/smtpd_check.c.

20040204

    Safety: smtpd_soft_error_limit now determines when
    $smtpd_error_sleep_time starts to take effect.

    Cleanup: local(8) and virtual(8) will now create maildirs
    in a world-writable directory. Files: util/make_dirs.c.

    Bugfix: don't panic on a corrupt queue file. File:
    *qmgr/qmgr_message.c.

20040205

    Cleanup: sample-filter.cf is gone. Better documentation is
    available with "man header_checks".

20040209

    Bugfix: when delivery to smtpd_proxy_filter fails, report
    "451 Queue file write error" instead of repeating the
    previous "354 End data with <CR><LF>.<CR><LF>" response.
    File: smtpd/smtpd.c.

20040220

    Compatibility: accept and ignore the sendmail -bh and -bH
    mode of operation requests.

20040302

    Bugfix: SMTPD proxy didn't send QUIT as the result of code
    duplication. Evidence reported by Mark Martinec. File:
    smtpd/smtpd.c.

20040311

    Bugfix: bad address syntax was passed to transport map
    lookups. Problem reported by Andrei Koulik. File:
    util/match_ops.c, trivial-rewrite/resolve.c.

20040324

    Portability: ekkoBSD support by Philip Reynolds. Files:
    makedefs, util/sys_defs.h.

20040325

    Cleanup: smtp_skip_4xx_greeting and smtp_skip_5xx_greeting
    functionality is moved from connection management to SMTP
    protocol processing, so that Postfix now logs the server
    response when a server refuses to provide service. Files:
    smtp/smtp_connect.c, smtp/smtp_proto.c.

    Cleanup: smtp_skip_4xx_greeting is no longer configurable;
    it is now permanently turned on.

20040326

    Workaround: in the trivial-rewrite server, turn on the code
    to strip trailing "." while rewriting addresses, and change
    the address resolver to strip trailing "." in a compatible
    manner. This does not eliminate the problem that the SMTP
    server may use a different address for recipient validation
    than what the cleanup server uses for virtual alias mapping.

20040329

    Bugfix: the SMTP server did not log client (and SASL)
    information when the real-time content filter was enabled.
    Files: smtpd/smtpd.c, smtpd/smtpd_sasl_proto.c.

    Compatibility: smtpd_reject_unlisted_sender is turned off
    by default, to avoid trouble with in-house software
    that sends out mail with an unreplyable address.

20040331

    Bugfix: postdrop should not abandon mail submission after
    receiving a SIGHUP signal when SIGHUP was ignored by the
    parent process. Victor Duchovni, Morgan Stanley. File:
    postdrop/postdrop.c.

    Bugfix: parsing bug in PgSQL dictionaries causing UNIX
    sockets to be ignored. Liviu Daia. Files: global/dict*sql.c.

    Performance: allow MySQL and PgSQL database connections to
    be closed when idle for more than 1 minute; Liviu Daia.
    Files: global/dict*sql.c.

20040401

    Sanity: the SMTP server no longer accepts sender or recipient
    addresses that end in the "@" null domain, as well as
    addresses that rewrite into such a form. Specify
    "resolve_null_domain=yes" to get the old behavior back.
    File: trivial-rewrite/resolve.c.

20040402

    Cleanup: added WARN action support for access maps, for
    consistency with the WARN action in header and body checks.
    File: smtpd/smtpd_check.c.

20040407

    Bugfix: missing return statement at the end of the
    FREE_MEMORY_AND_RETURN error handling macro. Adi Prasaja.
    File: trivial-rewrite/resolve.c.

20040411

    Future proofing: client_rate_time_unit is renamed to
    anvil_rate_time_unit, so that it is no longer limited to
    clients only. File: src/global/mail_params.h.

    Cleanup: postalias and postmap now log problems to syslogd.
    Files: postalias/postalias.c, postmap/postmap.c.

20040413

    Feature: "postfix set-permissions" (re)sets ownership and
    access permissions of Postfix files and directories.

    Feature: "postfix upgrade-configuration" updates main.cf
    and master.cf. This is for people who copy over
    their old files after installing a newer Postfix version.

    Feature: HTML files are now optionally installed under
    control of the html_directory configuration parameter.
    Files: postfix-install, conf/postfix-files, conf/post-install.

    Cleanup: README file installation is now optional. Files:
    postfix-install, conf/postfix-files, conf/post-install.

20040414

    Cleanup: references to sample-mumble.cf files removed,
    conf/mumble_table files removed, new commands added to
    conf/postfix-script.

    Cleanups: function declared int but used as void, missing
    include file, missing const qualifier, unused variable.
    Matthias Andree. Files: bounce/bounce_notify_util.c,
    bounce/bounce_service.h, postlog/postlog.c, smtpd/smtpd_check.c,
    util/attr_scan64.c.

    Bugfix: more robust version of SIGHUP test of 20040331.
    Victor Duchovni, Morgan Stanley. File: postdrop/postdrop.c.

    Safety: added NOCLOBBER qualifiers to local variables that
    might be clobbered by longjmp(). Files: util/sys_defs.h,
    smtp/smtp_proto.c, lmtp/lmtp_proto.c, smtpd/smtpd_check.c,
    smtpstone/smtp-source.c.

    Bugfix: sub-level Makefiles no longer turned on the extra
    compiler warnings. Files: Makefile.in.*, makedefs.*.

20040415

    Bugfix: the LMTP client attempted to reuse a connection
    after timeout, causing protocol synchronization errors.
    Reported by Rob Mueller. File: lmtp/lmtp.c.

20040416

    Cleanup: non-delivery reports now include the original
    recipient information. File: bounce/bounce_notify_util.c.

20040415-18

    Typos: many documentation fixes by Rob Foehl.

20040418

    Cleanup: "int" versus "const int" prototype mismatch between
    the DICT sequence method prototype and possible implementations.
    Files: util/dict_db.c, util/dict_dbm.c.

20040419

    Bugfix: the code that rejects client/helo RESTRICTIONS with
    smtpd_delay_reject=no looked at the wrong evidence and
    rejected client/helo ACCESS MAP lookups instead. Michael
    Tokarev. Files: smtpd/smtpd.c, smtpd/smtpd_check.c.

    Bugfix: missing # in master.cf in optional submission
    service.

20040420

    Bugfix: smtpd logged the client too often. Michael Tokarev.
    File: smtpd/smtpd.c.

    Cleanup: client_event_status_update_time renamed to
    anvil_status_update_time. Files: mantools/postlink,
    proto/postconf.proto, anvil/anvil.c.

20040421

    Workaround: allow pipelined SMTP clients to overshoot the
    SMTP server recipient limit without triggering the server
    hard error limit. The SMTP server does not count "too many
    recipients" towards the hard error limit, as long as the
    number of excess recipients stays within a configurable
    overshoot limit (default: smtpd_recipient_overshoot_limit
    = 1000). Solution in cooperation with Victor Duchovni.
    Files: smtpd/smtpd.c, smtpd/smtpd_state.c, smtpd/smtpd.h.

20040502

    Missing test for a never used flag (the problematic and
    thus never completed INSPECT feature that doesn't re-inject
    mail into Postfix). Victor Duchovni, Morgan Stanley. File:
    virtual/virtual.c.

20040503

    Bugfix: missing "sasl enabled" guard in the SMTPD policy
    client. File: smtpd/smtpd_check.c.

20040606

    Portability. UnixWare has strcasecmp() in strings.h. Patch
    by Andreas Winkelmann. File: util/sys_defs.h.

    Portability. The postlink script is transformed from sed(1)
    to perl(1).

20040608

    Portability. Introduced SET_H_ERRNO() macro for compilation
    environments where h_errno can't be used as an lvalue.
    Files: util/sys_defs.h, dns/dns_lookup.c.

    Portability. Eliminate assumption on bits per byte from
    vbuf_print.c.

20040614

    Bugfix: the SMTP client did not reset per-session EHLO,
    SASL, and history information when opening a connection to
    an alternate SMTP server. This is the result of abstraction
    no longer matching function. Reported and diagnosed by
    Victor Duchovni, Morgan Stanley.

    Bugfix: non-portable reuse of variadic argument lists.
    Fix by Victor Duchovni, Morgan Stanley. Files: global/bounce.c,
    global/defer.c, global/sent.c, global/trace.c, global/verify.c.

    Portability: NetBSD 2.0 has changed from statfs to statvfs.
    John Heasley. File: util/sys_defs.h.

    Documentation: typo fixes by IKEDA Nozomu.

20040616

    Bugfix: one missed variadic argument list fix. Victor
    Duchovni, Morgan Stanley. File: global/verify.c.

    Bugfix: the resolver client cache should be context dependent
    because address verification probes may use a different
    route than normal mail deliveries. File: global/resolve_clnt.c.

    Safety: added similar context dependence to the address
    rewriting client in order to avoid trouble when Postfix is
    changed. File: global/rewrite_clnt.c.

    Bugfix: space in HELO commands could end up in XFORWARD
    commands. File: smtpd/smtpd.c.

20040619

    Code reorganization: in preparation for SMTP session caching,
    the SMTP client data structures were changed from the
    original "one session per delivery request" model to an
    explicit "multiple sessions per delivery request" model.
    This uncovered ESMTP and SASL missing re-initialization
    problems that were fixed in the past week. Design by Victor
    and Wietse, initial implementation by Victor Duchovni.
9423 942420040620 9425 9426 Future proofing: after the reorganization of SMTP request 9427 state and session state, added code to the smtp client 9428 error handling routines to more consistently deal with the 9429 possibility that session information is not available. 9430 943120040621 9432 9433 Feature: directory=pathname option for the pipe(8) delivery 9434 agent. This allows a command to run from a fixed directory. 9435 Failure to change directory causes delivery to be deferred. 9436 Files: pipe/pipe.c. 9437 9438 Feature: command_execution_directory for local(8) delivery 9439 to external command. This supports the usual $home etc. 9440 expansions, subject to filtering with the character set 9441 specified with $execution_directory_expansion_filter. 9442 Failure to change directory causes delivery to be deferred. 9443 Files: global/mail_params.h, local/command.c. 9444 9445 Support for external command execution directory. Files: 9446 global/pipe_command.[hc]. 9447 944820040622 9449 9450 Safety: when mail is delivered to a transport with per-delivery 9451 recipient limit of 1, split the recipient address on the 9452 recipient delimiter if one is defined, so that extended 9453 addresses don't get extra delivery concurrency slots. 9454 Files: *qmgr/qmgr_message.c. 9455 945620040623 9457 9458 Workaround for fragile clients: add microsecond time to 9459 maildir filename. Files: virtual/maildir.c, local/maildir.c. 9460 946120040628-20040701 9462 9463 SMTP connection caching work with Victor Duchovni. 9464 9465 New module (later renamed to global/scache_single.c) for 9466 protocol-independent session caching. The initial 9467 implementation supports in-process, single-session caching 9468 only. A later version will support a central session cache 9469 daemon. Some more work is needed for passivation/activation 9470 of session attributes. 9471 9472 New function vstream_fdclose() to destroy a VSTREAM while 9473 leaving the underlying file(s) open. 
        Files: util/vstream.[hc].

        New function dns_rr_remove() to remove one record from a
        resource record list. Some more work is needed to turn the
        list into a doubly-linked one. Files: dns/dns.h, dns/dns_rr.c.

        Restructuring of the SMTP protocol engine for session
        caching. File: smtp/smtp_proto.c.

        Restructuring of the connection management module, and
        first implementation of SMTP connection caching. To enable,
        specify an smtp_connection_cache_time value greater than
        zero. The time unit is seconds. File: smtp/smtp_connect.c.

        New code to passivate and re-activate SMTP_SESSION objects,
        and isolation of session save/lookup in its own module.
        Files: smtp/smtp_session.c, smtp/smtp_reuse.c.

        Refinement: smtp_cache_reuse_limit parameter to bound the
        number of times a session may be reused.

        Refinements: when a session comes from the cache, give it
        back to the cache anyway (even when it will not be listed
        under the next-hop destination name).

        Future refinements should also include a bound on the number
        of consecutive and total non-delivering uses and other
        statistics.

20040714

        Bugfix: the code to eliminate the local MTA from the MX
        address list did not handle the case that inet_interfaces
        produced a less preferred match than proxy_interfaces.
        Victor Duchovni, Morgan Stanley. File: smtp/smtp_addr.c.

20040715

        Resume work on SMTP session caching. All good sessions
        are now cached under their IP address. As before, only the
        first good session per delivery request is cached under
        the original next-hop destination.

        At this point, SMTP session caching works, with a session
        cache client module that uses in-process session caching.
        This is sufficient to demonstrate that the SMTP client is
        ready for session caching.

20040716

        New modules to send file descriptors from one process into
        another one. This will be needed for implementing a central
        connection cache manager daemon. Most systems use UNIX-domain
        sockets as the transport for this. On Solaris we use streams
        instead. Applications are supposed to invoke LOCAL_SEND_FD()
        and LOCAL_RECV_FD(). Files: {unix,streams}_{send,recv}_fd.c.

20040717

        First implementation of a session caching client API that
        actually sends to/receives from a caching server process.
        The old in-process, single-session caching functionality
        is preserved as global/scache_single.c, so that we can use
        it for bootstrapping the session cache server. File:
        global/scache_clnt.c.

        First implementation of the scache session cache server,
        using the same in-process session caching code that was
        used to bootstrap the SMTP client. File: scache/scache.c.

20040718

        Performance: the default RSET timeouts are reduced from
        120s to 20s. Perhaps there should be different RSET timeouts
        for address probes and for session cache checks. File:
        global/mail_params.h.

20040719

        Multi-session connection cache module. Implementing this
        was actually the easiest part of the entire connection
        caching project. File: global/scache_multi.c.

20040720

        Bugfix: event_drain() falsely reported a single-entry timer
        queue as empty. File: util/events.c.

        Completed the multi-session cache support for SMTP. The
        code can be stress tested with a driver program that reads
        commands from a script. It is not practical to manually
        test the effects of collisions in the time or in name space
        domains. File: global/scache.c.

20040721

        Feature: the session cache server now logs cache hit and
        miss statistics every $session_cache_status_update_time
        seconds (default: 600s), as well as upon process exit.
        File: scache/scache.c.

20040722

        Workaround: LINUX 2.4 has trouble with mixed data and file
        descriptor traffic on UNIX-domain stream sockets.
        Specifically, it cannot handle data write (read) followed
        by file descriptor send (receive): the receiver hangs in
        recvmsg(). Workaround is to insert an intervening read
        (write) operation. Presumably, LINUX 2.4 is confusing the
        data and file descriptor. Lucky Ralf Hildebrandt. Files:
        util/sys_defs.h, global/scache_clnt.c, scache/scache.c.

20040723

        Safety: spawn(8) now rejects a user with the -1 UID or GID
        value, so that commands will not end up running as root.
        Files: util/spawn_command.c, spawn/spawn.c.

        User interface: parameter smtp_connection_cache_domains
        renamed to smtp_connection_cache_destinations. Destinations
        listed here must be specified without [] or :port. File:
        smtp/smtp_connect.c.

        Bugfix: "421 Timeout exceeded" wasn't guarded by setjmp().
        Victor Duchovni, Morgan Stanley. File: smtpd/smtpd.c.

20040729

        Feature: enable SMTP session caching temporarily while
        Postfix is able to schedule back-to-back deliveries.
        Parameter: smtp_connection_cache_on_demand (default:
        yes). Files: smtp/smtp_connect.c, *qmgr/qmgr_entry.c,
        *qmgr/qmgr_queue.c, *qmgr/qmgr_deliver.c.

        Feature: smtp-source -N option to generate unique recipient
        addresses for (trivial-rewrite) stress testing. Victor
        Duchovni, Morgan Stanley. File: smtpstone/smtp-source.c.

20040730

        Safety: disallow "opportunistic session caching" when the
        queue manager is unable to schedule back-to-back deliveries.
        File: *qmgr/qmgr_entry.c.
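
The 20040723 spawn(8) safety entry above, illustrated with an added example that is not Postfix code. It assumes the POSIX convention that -1 means "leave this ID unchanged" in setreuid(); the history entry does not say which call path was affected, and parse_account_id(), reserved_id_is_noop() and drop_to() are hypothetical names.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700       /* declares setreuid() under strict -std= modes */
#endif
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Parse a numeric UID or GID from configuration text (hypothetical helper,
 * not Postfix code). Returns 0 and stores the ID, or -1 to reject.
 */
int parse_account_id(const char *text, uid_t *id)
{
    char *end;
    unsigned long long v;

    /* Digits only: strtoull() would otherwise accept "-1" and wrap it. */
    if (text[0] < '0' || text[0] > '9')
        return -1;
    errno = 0;
    v = strtoull(text, &end, 10);
    if (errno != 0 || *end != '\0')
        return -1;
    /* Reject values that do not survive the conversion to uid_t. */
    if ((unsigned long long) (uid_t) v != v)
        return -1;
    /* Reject the reserved value, which "4294967295" maps to with 32-bit IDs. */
    if ((uid_t) v == (uid_t) -1)
        return -1;
    *id = (uid_t) v;
    return 0;
}

/*
 * The hazard: setreuid(-1, -1) reports success and changes nothing, so a
 * privilege drop fed with -1 leaves the caller's identity in place.
 * Returns 1 when the call succeeded and the process UIDs are unchanged.
 */
int reserved_id_is_noop(void)
{
    uid_t ruid = getuid(), euid = geteuid();

    if (setreuid((uid_t) -1, (uid_t) -1) != 0)
        return 0;
    return getuid() == ruid && geteuid() == euid;
}

/*
 * Guarded privilege drop: refuse the reserved value before any system call
 * is made, and verify the result afterwards. A real daemon also resets the
 * supplementary groups; that step is omitted here. Returns 0 on success.
 */
int drop_to(uid_t uid, gid_t gid)
{
    if (uid == (uid_t) -1 || gid == (gid_t) -1)
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (getuid() != uid || geteuid() != uid
        || getgid() != gid || getegid() != gid)
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed sample inputs. */
    static const char *samples[] = {"1001", "-1", "4294967295", "12x"};
    uid_t id;
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-12s %s\n", samples[i],
               parse_account_id(samples[i], &id) == 0 ? "accepted" : "rejected");
    printf("setreuid(-1, -1) is a silent no-op: %s\n",
           reserved_id_is_noop() ? "yes" : "no");
    printf("drop_to(-1, -1): %s\n",
           drop_to((uid_t) -1, (gid_t) -1) == 0 ? "allowed" : "refused");
    return 0;
}
```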

20040731

        Hysteresis: turn on "opportunistic session caching" when
        back-to-back deliveries happen, but don't turn it off
        until both concurrent and back-to-back delivery ends.

20040801

        Workaround: disable session caching for Linux < 2.2 (does
        not work) or Glibc < 2 (does not compile). Files:
        util/sys_defs.h, util/unix_{recv,send}_fd.c.

        Portability: h_errno is not an lvalue in the UnixWare 7.1
        multi-threaded environment. Olivier PRENANT.

20040812

        Bugfix: update SMTP server error counter when a client is
        denied access with smtpd_delay_reject=no.

20040816

        Bugfix: The smtp_chat_cmd() forced output flushing code in
        the SMTP client could run before an I/O error handler was
        set up. Problem diagnosed by Victor Duchovni, Morgan
        Stanley. The fix is to disable the smtp_chat_cmd() forced
        output flushing code as it duplicates better code in
        smtp_loop(). File: smtp/smtp_chat.c.

        Safety: set up an I/O error handler before the smtp_loop()
        protocol engine starts; this handler logs a warning in case
        it ever runs, because that means someone broke ESMTP command
        pipelining. File: smtp/smtp_proto.c.

        Feature: canonical_classes parameter by Kimmo Suominen, to
        control what addresses are rewritten by canonical_maps.
        Files: cleanup/cleanup_addr.c, cleanup/cleanup_message.c.

20040817

        Bugfix: update the vstream I/O time AFTER the completion
        of an I/O request, so that time-sensitive applications
        don't force flush output too soon and possibly trigger
        NAGLE delays. Problem diagnosed by Victor Duchovni, Morgan
        Stanley. File: util/vstream.c.

        Portability: avoid postmap/postalias test file name clashes
        on Windows. Ian Lance Taylor (of Taylor UUCP fame).

20040823

        Bugfix: vstream_popen() did not close the child pipe
        after failure to fork().
        File: util/vstream_popen.c.

20040826

        Feature: support for systems with closefrom(), and emulation
        for those without. Andrew Brown. Files: util/sys_defs.h,
        util/sys_compat.c.

20040827

        Feature: {sender,recipient}_canonical_classes parameters,
        which give better control than sender_canonical_classes.
        Files: cleanup/cleanup_addr.c, cleanup/cleanup_message.c.

        Feature: the proxymap client now recognizes when a map
        can't be proxied, and will open it directly instead. This
        makes proxy maps easier to use for virtual mailbox domains.
        File: global/dict_proxy.c.

        Feature: smtp_sasl_mechanism_filter restricts what remote
        SMTP server mechanism names the Postfix SMTP client passes
        on to the SASL library. Victor Duchovni, Morgan Stanley.
        Files: smtp/smtp.c, smtp/smtp_sasl_glue.c, smtp/smtp_sasl_proto.c.

20040828

        User interface: when no recipients are specified, the
        Postfix sendmail command now terminates with status EX_USAGE
        instead of accepting the mail first and bouncing it later.
        This gives more direct feedback in case of a common client
        configuration error. File: sendmail/sendmail.c.

20040829

        Portability: Solaris closefrom() support didn't work for
        non-SUN compilers. Victor Duchovni, Morgan Stanley.

20040830

        Feature: the scache(8) session cache manager now logs the
        peak counts of destinations, endpoints and sessions. Files:
        scache/scache.c, global/scache*c.

20040831

        Portability: disable session caching support on SCO 5
        because of incompatible sockets API. File: util/sys_defs.h.

20040913

        Bugfix (introduced 20020803): sent the wrong bounce message
        type when a Delivered-To: loop was detected for a mailing
        list alias. Nicolas Riendeau. File: bounce_notify_util.c.

20040918

        Feature: authorized_flush_users, authorized_mailq_users,
        authorized_submit_users to restrict what users can flush
        the queue, list the queue, or submit mail locally. Based
        on code by Victor Duchovni, Morgan Stanley. Files:
        sendmail/sendmail.c, postdrop/postdrop.c, postqueue/postqueue.c,
        global/user_acl.[hc].

        Feature: discard(8) mail delivery agent. Victor Duchovni,
        Morgan Stanley. File: discard/discard.c.

20041002

        Long overdue, a master(5) manual page based on an initial
        version by Magnus Baeck.

        By popular demand, a postfix-manuals.html web page with
        totally useless links to UNIX-style manual pages (the same
        information should already be available simply by typing
        "apropos postfix"). To keep newbies from getting completely
        lost due to information overload, the document starts with
        a list of actually useful pointers to Postfix introductions,
        duplicated from the already existing documents.html.

20041006

        Bugfix: "sendmail -bv" did not reject the -t option. File:
        sendmail/sendmail.c.

20041007

        Feature: SASL authentication attributes are now stored in
        queue files and passed on to delivery agents, by Leandro
        Santi. Files: deliver_pass.c, deliver_request.c,
        qmgr_deliver.c, qmgr_message.c, pipe.c, smtpd.c.

20041009

        Feature: per SMTP client message rate limit and recipient
        rate limit, by Ragnar Lonn, GHN network technologies.
        Files: smtpd/smtpd.c, anvil/anvil.c, global/anvil_clnt.[hc].

        Incompatibility: smtpd_client_connection_limit_exceptions
        renamed to smtpd_client_event_limit_exceptions, because it
        now also controls message and recipient rate limit control.

20041013

        Portability: AIX 5.1/GCC.

20041014-23

        Postfix no longer appends the local domain to header
        addresses from remote clients.
        Instead, Postfix either
        does not rewrite those headers at all, or it appends the
        domain specified with the new remote_header_rewrite_domain
        parameter.

        Postfix still appends @$myorigin or .$mydomain to headers
        from the Postfix sendmail command, or from clients listed
        with the new local_header_rewrite_clients parameter (default:
        permit_mynetworks, permit_sasl_authenticated).

        These changes affect the SMTP server (including XFORWARD
        support), the cleanup server (do or don't rewrite headers),
        the trivial-rewrite server (append local domain or surrogate
        remote domain to incomplete addresses), the queue manager
        (send additional attributes to delivery agents), the LMTP
        and SMTP clients (XFORWARD support), and the local delivery
        agent (preserve XFORWARD attributes when forwarding mail).

20041016

        Bugfix: attr_clnt_request() did not properly skip hash
        table arguments. Luc Pardon, Skopos Consulting. File:
        util/attr_clnt.c.

20041018

        The NIS+ module by Geoff Gibbs is now part of Postfix.
        Files: util/dict_nisplus.c, proto/nisplus_table.

20041019

        Support for Errors-To: is permanently removed.

20041022

        Bugfix: "smtp_connection_cache_on_demand=no" could crash
        the SMTP client. File: smtp/smtp_connect.c.

        Robustness: extra sanity checks. Files: util/dict_db.c,
        util/dict_dbm.c, dict_nis.c.

20041025

        Initial merge of Lutz Jaenicke's TLS patch. Initial rewrite
        of tlsmgr to eliminate some code duplication and to postpone
        calls into OpenSSL until after dropping privileges.

20041030

        Compatibility: "session cache" renamed to "connection cache"
        to avoid confusion with the TLS session cache.

20041102

        Feature: smtpd_end_of_data_restrictions allow you to specify
        restrictions at the end of the SMTP DATA command.
        The syntax is identical to that of the
        smtpd_data_restrictions feature.
        This introduces a new END-OF-DATA protocol state for the
        external policy server. Files: proto/SMTPD_POLICY_README.html,
        proto/SMTPD_ACCESS_README.html, smtpd/smtpd_check.c.

20041111

        Cleanup: terminate the dict_eval() result buffer for verbose
        logging. Victor Duchovni, Morgan Stanley. File: util/dict.c.

20041112

        Cleanup: be more careful when saving and restoring resolver(3)
        options to avoid problems with an HP-UX security patch
        (change introduced 20031215). File: dns/dns_lookup.c.

20041115

        Bugfix: the test for "no debugger_command" was wrong.
        Leandro Santi. File: global/debugger_command.c.

20041117

        Robustness: the master-child protocol now includes a process
        generation number besides the child process ID. The process
        generation number is incremented by one each time the master
        creates a child process. Child-to-master status updates
        with the wrong generation number are ignored, instead of
        triggering a consistency error in the master server. Files:
        master/*server.c, master/master_status.c, master/master_spawn.c.

20041118

        Bugfix: the "local_header_rewrite_clients" feature (20041023)
        did not recognize "bare" lookup tables as documented. Victor
        Duchovni, Morgan Stanley. File: smtpd/smtpd_check.c.

        Bugfix: the "local_header_rewrite_clients" feature (20041023)
        was broken because the local delivery agent passed on a
        bogus attribute value when forwarding internally generated
        mail, causing the mail to be rejected by the cleanup server.
        File: local/dotforward.c.

        Bugfix: the "local_header_rewrite_clients" feature (20041023)
        was broken because the pickup server always overwrote origin
        information. Files: pickup/pickup.c, cleanup/cleanup_state.c,
        *qmgr/qmgr_message.c.

        Workaround: enable the "can't write before sending a file
        descriptor" workaround for Solaris. Problem reported by
        Victor Duchovni for Solaris 2.5.1, but we play safe and
        enable it unconditionally.

20041120

        The TLS support routines are moved to a "tls" directory,
        and are published via the "libtls.a" object library.

20041122

        Infrastructure: support for binary attribute values
        (ATTR_TYPE_DATA) in Postfix IPC messages. Files:
        util/attr_scan*c, util/attr_print*c.

20041123-20041205

        TLS support: via a process of gradual transformation,
        decomposed Lutz Jaenicke's pfixtls.c into separate modules
        for clients, servers, certificate verification, session
        caching, and PRNG management. Global variables were eliminated
        so that the code now supports multiple client and/or server
        contexts in the same process. Files: tls/*.[hc].

20041205

        TLS support: eliminated shared access (and locking) of the
        TLS PRNG exchange file and TLS session caches. Instead,
        Postfix uses a client-server protocol, and the tlsmgr
        becomes the sole mediator. This eliminated the need for
        1000+ lines of SDBM support, and eliminated the need for
        running a persistent tlsmgr process on systems that don't
        enable TLS in main.cf.

20041124

        Feature: configurable list of forbidden SMTP commands
        (default: smtpd_forbidden_commands = CONNECT, GET, POST)
        after which the Postfix SMTP server disconnects immediately.
        The SMTP server always disconnects immediately when the
        client sends a message header instead of an SMTP command.
        Magnus Baeck. File: smtpd/smtpd.c.

20041207

        CDB support by Michael Tokarev, documentation by Victor
        Duchovni. Files: util/dict_cdb.[hc], global/mkmap_cdb.c.

20041209

        Completed support for the Berkeley DB sequence operator.
        This is needed for finding and deleting old entries in TLS
        session databases. File: util/dict_db.c.

        Bugfix: the DBM client's sequence operator used exclusive
        locking instead of shared locking. File: util/dict_dbm.c.

        Feature: dump an entire database with the new postmap/postalias
        "-s" option. This works only for database types with Postfix
        sequence operator support: hash, btree, dbm, and sdbm.
        Files: postmap/postmap.c, postalias/postalias.c.

20041212

        Solaris 10/ix86 chroot setup script update by J.D. Bronson.

        TLS support: cosmetic changes to comments and messages;
        completed the code for the master -> tlsmgr trigger handshake,
        so that the master no longer complains about trigger
        responses timing out.

20041213

        Updated the SDBM dictionary interface. It had fallen behind
        with the Postfix dictionary interfaces that were already
        bundled with Postfix. Files: util/dict_sdbm.[hc].

        Cleanup: "postconf -m" (show all available map types) now
        produces sorted output. File: util/dict_open.c.

20041215

        No bugfix: tests with the new "postmap -s" feature show
        that SDBM first/next operations never worked with Postfix/TLS
        patch 20040829 (verified with the 20040829 dict_sdbm.c
        module on Linux and FreeBSD). The code stops after finding
        one database element. Other SDBM versions found on the
        Internet will find all database entries, but report an I/O
        error after the last database element is found. All this
        would be easy enough to fix, but the SDBM library is not
        part of Postfix, and never will be.

        Bugfix: the sequence operator in the DBM and SDBM clients
        released the shared lock after reading the next key but
        before reading the corresponding value. This was never a
        problem, because the sequence operator was used only in
        the Postfix/TLS patch.
        This used the SDBM sequence operator
        which didn't work as discussed above. Files: util/dict_dbm.c,
        util/dict_sdbm.c.

        Feature: the local(8) and pipe(8) delivery agents now make
        the following attributes available upon delivery (with
        local(8) names must be spelled in upper case): client_hostname,
        client_address, client_protocol, client_helo, sasl_method,
        sasl_sender, sasl_username. Files: local/command.c,
        pipe/pipe.c, and lots of documentation.

20041216

        "postcat -o" now prints queue file record offsets; this is
        useful for debugging. File: postcat/postcat.c.

        NON-PRODUCTION Bugfix: (bug introduced while adopting the
        Postfix/TLS patch): the new TLS certification call-back
        routine expects that the peer hostname is in
        tlscontext->peername_save, but the TLS server code never
        updated this field. File: tls/tls_server.c.

20041218

        Feature: selective suppression of SMTP extensions (pipelining,
        starttls, auth, etc.); this is useful to work around broken
        clients or servers. Specify a list of EHLO keywords with
        the smtp(d)_discard_ehlo_keywords parameters, or specify
        one or more lookup tables, indexed by remote network address,
        with the smtp(d)_discard_ehlo_keyword_address_maps parameters.
        EHLO keyword lists are case insensitive. Files:
        util/name_mask.[hc], global/ehlo_mask.[hc], smtpd/smtpd.c,
        smtp/smtp.c, smtp/smtp_proto.c.

20041219

        Bugfix: postcat without -o was broken. File: postcat/postcat.c.

20041220

        NON-PRODUCTION Bugfix: (bug introduced while adopting
        Postfix/TLS patch): don't call smtp_flush() after return
        from vstream_setjmp(), we'll call you. File: smtpd/smtpd.c.

        Dummy VSTREAM read-write routines. Files: util/dummy_read.c,
        util/dummy_write.c.

20041221

        Fixes for TLS_README by Victor Duchovni.
        File: proto/TLS_README.html.

        NON-PRODUCTION Bugfix: (bug introduced while adopting
        Postfix/TLS patch). The client code had become too similar
        to the server implementation, and also required a host
        certificate and key. Fix by Victor Duchovni. File:
        tls/tls_client.c.

20041221

        Bugfix: further postcat corner cases.

20041223

        Cosmetic: don't log disconnect events as I/O errors.
        File: tls/tls_bio_ops.c.

20041221-9

        Infrastructure: unified IPv4/IPv6 name/address API so that
        Postfix can support IPv6 without #ifdef INET6 everywhere.
        In particular, we allow #ifdef in libraries but avoid it
        in applications. Files: util/myaddrinfo.[hc],
        util/sock_addr.[hc], dns/dns_rr_to_pa.c, dns/dns_sa_to_rr.c,
        dns/dns_rr_eq_sa.c, dns/dns_rr_to_sa.c, inet_proto.[hc].

        Postfix no longer attempts to deliver mail via IPv6 when
        the system has no IPv6 connectivity. Network protocol
        support is now selected with the "inet_protocols" configuration
        parameter, instead of "inet_interfaces". The "inet_protocols"
        parameter also controls what DNS lookups Postfix will do.

        Infrastructure: eliminated two host/port parsing routines.
        Only one survives: host_port(), in an extended form that
        allows for missing host or missing service information but
        not both. File: util/host_port.c.

20041229

        Milestone: Postfix with the unified IPv4/IPv6 socket/name
        API builds without compiler error on IPv4-only system and
        actually works.

20041228

        Bugfix: SMTPD_PROXY_README incorrectly claimed that ":port"
        in master.cf causes a server to listen only on "localhost"
        without exposing the service to the network. Instead,
        ":port" causes a client to connect to "localhost".

20041231

        Linux workaround: when mynetworks isn't set, a chrooted
        process could not read the IPv6 address information from
        /proc. We now invoke own_inet_addr() before chrooting,
        while processing main.cf. File: global/mail_params.c.

20050101

        Workaround for (Linux) systems without IPV6_V6ONLY support
        (RFC 3493). When Postfix listened on an IPv4 wild-card
        smtp socket, the IPv6 wild-card smtp listener would fail
        with EADDRINUSE (and vice versa). File: util/myaddrinfo.c.

20050103

        Safety: when the IPV6 netmask can't be determined, assume
        /128 (host only). File: util/inet_addr_local.c.

20050104

        Re-implemented IPv6 support for net/mask pattern matching.
        Files: util/cidr_match.[hc], util/dict_cidr.c,
        util/match_ops.[hc], proto/cidr_table.

20050105

        Moved mask_addr() to its own module so that it could also
        be called by mynetworks() and inet_addr_local() to remove
        non-zero host bits from IPv6 network/mask patterns. File:
        util/mask_addr.c.

20050108

        Re-implemented IPv6 support for network interface lookup
        via the Linux /proc file system. File: util/inet_addr_local.c.

20050111

        Feature: specify "inet_interfaces = loopback-only" for
        servers that must listen on local interfaces only, without
        having to specify IPv4 and/or IPv6 addresses in main.cf or
        master.cf. File: global/own_inet_addr.c.

        Workaround: AIX 5.1 getaddrinfo() can't handle a null host
        argument with AI_PASSIVE. Instead we specify an explicit
        protocol family, a host of "::" or "0.0.0.0", and turn off
        IPV6_V6ONLY. Files: util/myaddrinfo.c, util/inet_listen.c.

        Workaround: AIX 5.1 getaddrinfo() can't handle a "0" service
        argument. Instead we specify "1". Files: util/inet_addr_host.c.
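
The 20050103 and 20050105 entries above (host-only default, and removal of non-zero host bits from IPv6 network/mask patterns), as an added example that is not Postfix's mask_addr() or cidr_match code. The names net6_parse(), net6_match() and naive_match() are hypothetical, and applying the /128 default to a pattern without a prefix length is an assumption of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <arpa/inet.h>

#define V6_BITS 128

struct net6 {
    unsigned char addr[16];     /* network address, host bits cleared */
    unsigned bits;              /* prefix length */
};

/* Clear every bit after the first `bits` bits. Returns 1 if any was set. */
static int clear_host_bits(unsigned char *addr, unsigned bits)
{
    unsigned char before[16];
    unsigned full = bits / 8, rem = bits % 8;

    memcpy(before, addr, 16);
    if (rem != 0) {
        addr[full] &= (unsigned char) (0xff << (8 - rem));
        full++;
    }
    if (full < 16)
        memset(addr + full, 0, 16 - full);
    return memcmp(before, addr, 16) != 0;
}

/*
 * Parse "address" or "address/bits". A missing prefix length means /128
 * (host only), the fail-closed choice. Returns 0 on success, -1 on bad
 * syntax; *had_host_bits reports whether the pattern needed normalizing.
 */
int net6_parse(const char *text, struct net6 *net, int *had_host_bits)
{
    char buf[INET6_ADDRSTRLEN + 5];
    char *slash, *end;
    unsigned long bits = V6_BITS;

    if (strlen(text) >= sizeof(buf))
        return -1;
    strcpy(buf, text);
    if ((slash = strchr(buf, '/')) != NULL) {
        *slash++ = '\0';
        if (*slash < '0' || *slash > '9')
            return -1;
        bits = strtoul(slash, &end, 10);
        if (*end != '\0' || bits > V6_BITS)
            return -1;
    }
    if (inet_pton(AF_INET6, buf, net->addr) != 1)
        return -1;
    net->bits = (unsigned) bits;
    *had_host_bits = clear_host_bits(net->addr, net->bits);
    return 0;
}

/* Returns 1 if the address is inside the network, 0 if not, -1 on bad syntax. */
int net6_match(const struct net6 *net, const char *addr_text)
{
    unsigned char addr[16];

    if (inet_pton(AF_INET6, addr_text, addr) != 1)
        return -1;
    clear_host_bits(addr, net->bits);
    return memcmp(addr, net->addr, 16) == 0;
}

/*
 * For contrast: mask only the client address and compare it with the raw
 * pattern. A pattern with host bits set then never matches anything.
 */
int naive_match(const char *pattern_addr, unsigned bits, const char *addr_text)
{
    unsigned char pat[16], addr[16];

    if (inet_pton(AF_INET6, pattern_addr, pat) != 1
        || inet_pton(AF_INET6, addr_text, addr) != 1)
        return -1;
    clear_host_bits(addr, bits);
    return memcmp(addr, pat, 16) == 0;
}

int main(void)
{
    /* Constructed pattern with non-zero host bits (documentation prefix). */
    const char *pattern = "2001:db8:0:1::5/64";
    struct net6 net;
    char text[INET6_ADDRSTRLEN];
    int dirty;

    if (net6_parse(pattern, &net, &dirty) != 0)
        return 1;
    inet_ntop(AF_INET6, net.addr, text, sizeof(text));
    printf("%s -> %s/%u%s\n", pattern, text, net.bits,
           dirty ? " (host bits removed)" : "");
    printf("normalized match: %d, naive match: %d\n",
           net6_match(&net, "2001:db8:0:1::99"),
           naive_match("2001:db8:0:1::5", 64, "2001:db8:0:1::99"));
    return 0;
}
```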

20050113

        Cleanup: now that the over-all structure is proving itself,
        clean up some internal APIs to increase robustness and get
        rid of some clumsiness. Mainly, the getaddrinfo(3) interface.

        Start-up performance: the hash_queue_names default setting
        is reduced from eight directories to just defer and deferred.
        This reduces time for checking the Postfix queue. Files:
        conf/post-install, global/mail_params.h.

20050114

        Further cleanup: eliminate duplicate IPv6 results when the
        mynetworks value is generated by Postfix. More documentation
        of the new internal APIs.

        Performance: reduced start-up delay by moving warning-only
        startup checks into the background. File: conf/postfix-script.

20050115

        Further hardening of the IPv6 support: don't trust system
        libraries to protect Postfix against malformed IPv6 address
        literals. Their syntax is complex enough that errors are
        likely. Files: global/resolve_local.c, util/valid_hostname.c.

        Further cleanup: RFC 2821 requires the IPv6: prefix with
        IPv6 address strings. The smtp and qmqp servers maintain
        separate address instances, the bare address and the RFC
        2821 compatible form, and use each where appropriate. This
        strict separation simplifies address syntax checks as well
        as the implementation of XCLIENT and XFORWARD.

20050116

        Infrastructure: new valid_mailhost_addr() routine to verify
        that an address literal satisfies RFC 2821. An IPv4 address
        is in dotted-quad decimal form, and an IPv6 address is in
        hexadecimal form, with the "IPv6:" prefix. Files:
        global/valid_mailhost_addr.[hc].

        Further cleanup: valid_hostname() no longer allows network
        addresses or numerical domain names.
        While it made some sense with IPv4 dotted quad decimal
        forms, with IPv6 it
        just made no sense anymore. Again, being stricter actually
        simplifies code. Files: util/valid_hostname.c and a
        surprisingly small number of valid_hostname() callers that
        did not reject numerical forms.

        Bugfix: in the Postfix 2.2 SMTP client, the debug_peer_init()
        call was moved to the after-chroot initialization.

20050117

        Performance: reduced start-up delay by moving warning-only
        startup checks into the background; they now start after
        one minute to allow the system to finish booting. File:
        conf/postfix-script.

        Milestone: first non-non-production snapshot with IPv6.

20050119

        Milestone: first non-non-production snapshot with TLS.

20050124

        Workaround: don't send mail to $fallback_relay if Postfix
        is MX host for the next-hop destination. This is, however,
        a partial solution. The documentation has been updated to
        cover all the cases where a fallback_relay could interfere
        with the operation of a backup or primary MX host. Files:
        smtp/smtp_addr.c, smtp/smtp_connect.c.

20050127

        Configuration: Postfix daemons that need privileged operation
        (such as local, pipe, or spawn) now log a fatal error when
        they are configured in master.cf as unprivileged.

20050130

        Cleanup: simplified the handling of receive_override_options
        settings. Files: pickup/pickup.c, smtpd/smtpd.c, qmqpd/qmqpd.c,
        global/input_transp.c.

        Feature: permit_inet_interfaces allows a request when the
        client matches $inet_interfaces. This is used for generic
        access restrictions and for header address rewriting control.
        Files: global/mail_params.h, smtpd/smtpd_check.c.

        Cleanup: by default, message header address rewriting is
        now enabled only for mail that originates from the machine
        itself. Files: global/mail_params.h, smtpd/smtpd_check.c.

20050131

        Bugfix: when extracting recipients from message headers,
        the Postfix sendmail command produced output records longer
        than $line_length_limit, causing postdrop to reject the
        mail. Diagnosis by Victor Duchovni. File: sendmail/sendmail.c.

20050202

        Cleanup: explicit Makefile targets for "make package" and
        "make non-interactive-package" to create ready-to-install
        packages for distribution to other systems. Added extra
        sanity checks to prevent attempts to overwrite your running
        Postfix instance. Files: Makefile.in, proto/PACKAGE_README.

        Cleanup: when bounce_queue_lifetime > maximal_queue_lifetime,
        it is adjusted to maximal_queue_lifetime, and a warning is
        logged. Files: *qmgr/qmgr.c.

20050203

        Cleanup: trivial-rewrite now restarts more timely after
        changes in lookup tables. Of all the alternatives
        tested, the simplest one produces the most bang for the
        buck. The other code is left in place for illustrative
        purposes. File: trivial-rewrite/trivial-rewrite.c.

        Cleanup: sendmail no longer ignores null command-line
        recipients. File: sendmail/sendmail.c.

        Cleanup: "postfix start" background checks moved back to
        the foreground so they can be stopped more easily. File:
        conf/postfix-script.

20050204

        Feature: REPLACE command in header/body_checks (implemented
        as a combination of PREPEND and IGNORE) by Bastiaan Bakker.
        File: cleanup/cleanup_message.c.

        Cleanup: linted the manual pages for consistency in the
        way manuals are referenced, and in the presentation of
        command examples.
        Files: mantools/manlint, mantools/fixman,
        mantools/postconf2man.

20050205

        Cleanup: updated the mass-deletion example in the postsuper
        manual.

20050206

        Cleanup: don't count a [45]XX SMTP server greeting towards
        the mx_session_limit setting. File: smtp/smtp_connect.c.

        Feature: output address rewriting in the SMTP client. The
        smtp_generic_maps parameter specifies an address mapping
        that happens only when mail is delivered via SMTP. This is
        typically used for hosts without a valid domain name, that
        use something like localdomain.local instead. This feature
        can replace local mail addresses by valid Internet mail
        addresses when mail needs to go across the Internet, but
        not when mail is sent between accounts on the local machine.
        Files: smtp/smtp_proto.c, smtp/smtp_map11.c.

        Cleanup: don't panic in mymalloc() when master can't find
        any IP addresses. LaMont Jones. File: master/master_ent.c.

20050207

        Documentation: added a generic(5) manual page for consistency
        with the already existing table driven mechanisms, added
        references to or examples of the new generic mapping.

        Bugfix: the header_checks REPLACE action mis-handled
        multi-line replacement text in message headers, for example:
        /(.*)/ REPLACE X-$1. File: cleanup/cleanup_message.c.

        Bugfix: the header_checks REPLACE action should not drop
        the input when the action is NOT executed. File:
        cleanup/cleanup_message.c.

        Bugfix? Cleanup? Documentation? main.cf now implements
        ${name[?:]value} as promised in the postconf(5) manual.
        Implemented by deleting the macro processor in dict_eval(),
        and using the one in mac_expand() instead. File: util/dict.c.

20050208

    Feature: check_ccert_access maptype:mapname for access(5)
    control, based on code by Victor Duchovni. File:
    smtpd/smtpd_check.c and documentation.

    Safety: don't allow unlimited message size with limited
    mailbox size. File: local/local.c, virtual/virtual.c.

    Feature: new smtpd policy attributes ccert_subject,
    ccert_issuer and ccert_fingerprint, with TLS client
    certificate information, but only when verification was
    successful. Files: src/smtpd/smtpd_check.c.

    Cleanup: corrected the address verification data flow in
    the ADDRESS_VERIFICATION_README illustration.

20050209

    Cleanup: the smtp generic mapping did syntax check on the
    input address instead of the result. These tests were not
    going to be useful in any case, because mail_addr_map()
    canonicalizes the lookup result, including @dom1->@dom2
    mapping. File: smtp_map11.c.

    Cleanup: made the generic mapping documentation consistent
    with the implementation.

    Cleanup: documented the myorigin/mydomain address rewriting
    in canonical, generic and virtual alias maps.

    Feature: updated LDAP and *SQL query interfaces using a
    common infrastructure so that all have the same feature set
    where possible. Victor Duchovni and many others. This code
    was tested separately and was merged into the main stream
    20050308. Files: global/db_common.[hc], global/dict_ldap.c,
    global/dict_mysql.c, global/dict_pgsql.c, plus documentation.

20050210

    Bugfix: spurious fallback_relay warnings after 20050202.
    Victor Duchovni. File: smtp/smtp_connect.c.

    Bugfix: (introduced while adopting Postfix/TLS patch) the
    TLS cache scan stopped after expiring one entry. Victor
    Duchovni. File: tls/tls_scache.c.

    Safety: delete-behind when removing expired entries from
    TLS session caches. With some maps the enumeration method
    mis-behaves when the current entry is deleted. File:
    tls/tls_scache.c.

20050211

    Cleanup: the "generics" feature (output address rewriting)
    is renamed to "generic", for consistency with "canonical"
    and "virtual".

20050212

    Cleanup: remove old trace(8) logfile before attempting
    delivery (and after locking the message file exclusively).
    Files: *qmgr/qmgr_message.c.

    Cleanup: don't parse-then-regenerate message headers when
    no address is changed by address rewriting operations. This
    behavior was copied from the SMTP client's generic mapping
    code. Files: cleanup/cleanup_rewrite.c, cleanup/cleanup_map11.c,
    cleanup/cleanup_masquerade.c, cleanup/cleanup_message.c.

20050215

    Bugfix: don't chmod queue files while running "postfix
    set-permissions". This prevents mail from being labeled as
    "corrupt" when a live Postfix system is upgraded. Found
    by Victor Duchovni. File: conf/post-install.

20050216

    Feature: in smtpd?_discard_ehlo_keyword(s|_address_maps)
    specify the pseudo keyword "silent-discard" in order to
    avoid logging that some EHLO keyword is being suppressed.
    File: global/ehlo_mask.[hc].

20050217

    Bugfix: typo in tls_server.c, breaking CApath. Fix by
    Philipp Morger. File: tls/tls_server.c.

20050227

    Bugfix (bug introduced 20040331): with SIGHUP ignored, the
    postdrop signal handler would effectively ignore SIGINT,
    SIGQUIT and SIGTERM. Simplified the overly-conservative
    protection against nested signals in postdrop, and added
    some future proofing comments.
    File: postdrop/postdrop.c

    Cleanup: when address rewriting is enabled, don't change
    the capitalization of header labels, i.e. don't replace
    FROM: or CC: by From: or Cc:. Files: cleanup/cleanup_message.c,
    smtp/smtp_proto.c.

20050228

    Cleanup/portability: missing #includes and bad prototypes.
    Matthias Andree, Carsten Hoeger, and others.

20050302

    Workaround: make TLS session caching work with perverse
    sites that have multiple servers per hostname or even
    multiple servers per IP address, but no shared TLS session
    cache. The SMTP client TLS session cache is now indexed by
    (server hostname, server address, server port, server helo
    hostname). After an idea by Victor Duchovni. Files:
    smtp/smtp_proto.c, tls/tls_client.c.

20050303

    Bugfix (bug inherited from Postfix/TLS patch): a rare 9kbyte
    memory leak when in-memory TLS session information expires;
    found by setting the expiry time shorter than the time to
    deliver one or two messages with a very slow machine. This
    was due to a missing SSL_SESSION_free() call in the "new
    session" call-back routines. Found by Victor Duchovni.
    Files: tls/tls_client.c, tls/tls_server.c.

    Workaround: OpenSSL is overly aggressive when purging a
    not-yet expired entry from a full in-memory cache: it also
    purges the entry from the on-disk server session cache.
    Workaround is to let only the tlsmgr purge entries from the
    on-disk server session cache. Found by Victor Duchovni.
    File: tls/tls_server.c.

20050304

    Postfix releases are now signed with Wietse's new PGP key.
    The old key was getting a bit short for today's standards.
    The new public key can be found on the Postfix download
    webpage. As proof of authenticity the new PGP key is signed
    with Wietse's old PGP key.

    Cleanup: check_mumble_{ns,mx}_access no longer attempt to
    do MX or NS lookups for address literals. An address literal
    is treated as its own MX host; there is no meaningful
    equivalent for NS access control. File: smtpd/smtpd_check.c.

20050310

    Bugfix: the AIX and SUN compilers rightfully complained
    about non-portable code in the "new" LDAP/SQL client. File:
    global/db_common.c.

    Workaround: some systems no longer recognize "tail +2" as
    valid command syntax. Instead they require "improved" syntax
    that is not valid on several other systems that Postfix
    builds on. So we have to stop using the tail command.
    Files: Makefile.in, src/*/Makefile.in.

20050312

    Bugfix: the TLS session cache cleaning code didn't always
    delete the right entry. Problem found by Victor Duchovni,
    more problems found by Wietse. File: tls/tls_scache.c.

20050314

    Portability: Berkeley DB changed API from version 2.5 to
    2.6. Rob Foehl. File: util/dict_db.c.

20050315

    Bugfix: when <unistd.h> is included, read is a reserved
    identifier. File: smtpstone/smtp-source.c.

20050321-27

    Support for RFC 3463 enhanced status codes. See also the
    ENHANCED_STATUS_README (a hacker's guide) for background.

    New module to pass around (status code + text) instead of
    just text. File: global/dsn_util.c.

    Status-related lookup tables now have an extra column for
    enhanced status codes. Files: global/sys_exits.c,
    global/cleanup_strerror.c.

    Cleanup: centralized mapping of errno values to delivery
    status codes after failed delivery to mailbox, maildir, or
    file. Error codes EAGAIN and ESTALE are 4.2.0 temporary
    errors; ENOSPC is a 4.3.0 temporary error; and EDQUOT and
    EFBIG are 5.2.2 hard errors.
    For backwards compatibility,
    the result of other errors depends on the delivery agent:
    with local(8) everything else is a 5.2.0 hard error, and
    with virtual(8) everything else is a soft 4.2.0 error. File:
    global/mbox_open.c.

20050324

    Workaround: gcc -W (version 3.4.2 [FreeBSD] 20040728) no
    longer warns about missing return statements. What a time
    waste.

    Workaround: gcc -E (version 3.4.2 [FreeBSD] 20040728) output
    has changed, causing too much "make depend" output.

20050325

    Bugfix: when bouncing mail that was submitted with Postfix
    sendmail, the cleanup daemon ignored the reason specified
    in header/body_checks, and always produced a generic reason.
    File: cleanup/cleanup_api.c.

    Workaround: don't announce pipelining support when the
    smtp-sink test program is configured to fail specific
    commands with -r or -f (the fix is to build a proper SMTP
    state engine into the smtp-sink test program). File:
    smtpstone/smtp-sink.c.

20050326

    Update: more PCRE error codes. File: util/dict_pcre.c.

20050327

    Bugfix: the SMTP and LMTP clients did not ask the queue
    manager to reduce destination concurrency when "lost
    connection" or "connection timed out" happened AFTER Postfix
    received the server greeting. Files: smtp/smtp_trouble.c,
    lmtp/lmtp-trouble.c.

    Workaround: FreeBSD has incompatibly changed the output
    format from "od", breaking regression test portability.

    The TLS client session cache ID is now derived from the
    server IP address, TCP Port, and server HELO hostname
    if available. File: smtp/smtp_proto.c.

20050328

    Cleanup: the REPLACE action is no longer implemented as
    PREPEND+IGNORE.
    The result remains in the input stream,
    and is subject to address rewriting and other processing
    where applicable. File: cleanup/cleanup_message.c.

    Feature: the TLS server name verification status is moved
    out of the TLS session cache. This not only simplifies the
    client-side TLS cache implementation, but also provides
    better cache support for clients that connect to multiple
    independent MTAs under the same DNS hostname or IP address,
    provided that each MTA replies with a unique name in the
    EHLO response. Patch by Victor Duchovni. Files: tlsmgr/tlsmgr.c,
    tls/tls_verify.c, tls/tls_session.c, tls/tls_server.c,
    tls/tls_scache.h, tls/tls_scache.c, tls/tls_misc.c,
    tls/tls_mgr.h, tls/tls_mgr.c, tls/tls_client.c, tls/tls.h,
    smtp/smtp_proto.c.

20050330

    Bugfix: in some compilation environments the SMTP and LMTP
    clients could ignore enhanced status codes in server replies.
    Bug introduced 20050329 while polishing working code. Files:
    smtp/smtp_chat.c, lmtp/lmtp_chat.c.

    Feature: add enhanced status code support to the smtp-sink
    test program. File: smtpstone/smtp-sink.c.

20050331

    Workarounds for ancient gcc compilers that can't handle
    valid C. Bugs reported by Victor Duchovni. Files:
    util/sys_defs.h, global/dsn_util.h, tls/tls_client.c.

    Bugfix: when delivery to command failed, command output was
    not reported. Fix was to enable format checks for the new
    dsn_vstring_update() module. File: global/dsn_util.h,
    global/pipe_command.c.

20050401

    Cleanup: ignore incorrect enhanced status codes (such as
    5xx reply followed by a 4.x.x status), and don't look for
    enhanced status codes unless the server replies with a
    [245]XX reply. Files: smtp/smtp_chat.c, lmtp/lmtp_chat.c.
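
    An added illustration of the two rules in the 20050401 entry
    above, written for this page and not taken from smtp/smtp_chat.c:
    an enhanced status is looked for only after a 2XX, 4XX or 5XX
    reply code, and it is ignored when its class digit disagrees
    with the reply code. The smtp_reply type, the function names and
    the sample replies are assumptions made up for the example; the
    status syntax is the RFC 3463 class.subject.detail form.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Parsed form of one SMTP reply line (hypothetical type, not Postfix's). */
typedef struct {
    int         code;       /* three-digit reply code, -1 if malformed */
    char        dsn[12];    /* accepted enhanced status, "" if none */
    const char *text;       /* whatever follows the code and status */
} smtp_reply;

/* Count the digits at s; the count is valid only from one to three. */
static size_t digits_1to3(const char *s)
{
    size_t n = 0;

    while (isdigit((unsigned char) s[n]))
        n++;
    return (n >= 1 && n <= 3) ? n : 0;
}

/*
 * Length of an RFC 3463 "class.subject.detail" status at s, or 0.
 * The status must be followed by a space or by the end of the line.
 */
static size_t dsn_len(const char *s)
{
    size_t subject, detail, len;

    if ((s[0] != '2' && s[0] != '4' && s[0] != '5') || s[1] != '.')
        return 0;
    if ((subject = digits_1to3(s + 2)) == 0 || s[2 + subject] != '.')
        return 0;
    if ((detail = digits_1to3(s + 3 + subject)) == 0)
        return 0;
    len = 3 + subject + detail;
    return (s[len] == '\0' || s[len] == ' ') ? len : 0;
}

/* Parse one reply line with CRLF already stripped; -1 if malformed. */
int smtp_reply_parse(const char *line, smtp_reply *r)
{
    size_t len;

    r->code = -1;
    r->dsn[0] = '\0';
    r->text = "";
    if (!isdigit((unsigned char) line[0]) || !isdigit((unsigned char) line[1])
        || !isdigit((unsigned char) line[2])
        || (line[3] != '\0' && line[3] != ' ' && line[3] != '-'))
        return -1;
    r->code = (line[0] - '0') * 100 + (line[1] - '0') * 10 + (line[2] - '0');
    r->text = line[3] ? line + 4 : line + 3;

    /* Only 2XX, 4XX and 5XX replies may carry an enhanced status. */
    if (line[0] != '2' && line[0] != '4' && line[0] != '5')
        return 0;
    /* A status whose class disagrees with the reply code is ignored and
     * stays part of the free text. */
    if ((len = dsn_len(r->text)) == 0 || r->text[0] != line[0])
        return 0;
    memcpy(r->dsn, r->text, len);
    r->dsn[len] = '\0';
    r->text += len;
    if (*r->text == ' ')
        r->text++;
    return 0;
}

int main(void)
{
    /* Constructed sample replies, not taken from a real session. */
    static const char *samples[] = {
        "250 2.1.5 Ok",
        "550-5.7.1 Relay access denied",
        "550 4.7.1 Try again later",    /* class mismatch: ignored */
        "354 2.0.0 Go ahead",           /* 3XX: not even looked at */
        "450 4.2 Mailbox busy",         /* malformed status: ignored */
    };
    smtp_reply r;
    size_t  i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        if (smtp_reply_parse(samples[i], &r) == 0)
            printf("%d dsn=%-6s text=\"%s\"\n",
                   r.code, r.dsn[0] ? r.dsn : "-", r.text);
    return 0;
}
```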

20050402

    Feature: enhanced status code support for errors found by
    the MIME processor. Files: global/mime_state.c,
    cleanup/cleanup_message.c, smtp/smtp_proto.c.

    Cleanup: updated error messages about MIME processing errors
    in the SMTP client. These errors are no longer specific to
    8bit->7bit conversion; they can also happen with generic
    address mapping. File: smtp/smtp_proto.c.

    Safety: SASL 2.1.19 has a version lookup routine that we
    can use to detect compile time / run time version mis-matches
    (also known as DLL hell). Files: src/smtpd/smtpd_sasl_glue.c,
    src/smtp/smtp_sasl_glue.c, src/lmtp/lmtp_sasl_glue.c.

20050404

    Typo: missing comma after dsn=x.yy.zz logging. File:
    global/log_adhoc.c.

    Feature: specify "smtpd_sasl_authenticated_header = yes"
    to report the SASL login name in the Received: message
    header, so that the login name is shared with the whole
    world. Based on code by Branko F. Gracnar. Files:
    smtpd/smtpd.c, and documentation.

20050407

    @%^!#& Thanks to inadequate SASL documentation the client
    could negotiate a security layer where none was desired.
    Better documentation has become available since Postfix
    SASL support was implemented, and now Postfix needs to be
    fixed. Files: */*_sasl_glue.c.

20050409

    Safety: the CDB map now logs a warning when the source file
    is newer than the indexed file, just like the Berkeley DB
    and DBM maps. Michael Tokarev. File: util/dict_cdb.c.

20040411

    Portability: put the SASL DLL Hell guard after the declarations
    instead of before. Reported by Marcus Grando. Files:
    smtp/smtp_sasl_glue.c, lmtp/lmtp_sasl_glue.c.

20050412

    Infrastructure: change the disposition or other properties
    of an embryonic queue file.
    This is currently used only to
    place mail on hold. After code by Victor Duchovni. Files:
    global/mail_stream.[hc], cleanup/cleanup_api.c.

    Bugfix: while updating the cleanup_flush() infrastructure
    eliminated a portability problem that was introduced when
    "REJECT text" support was added. File: cleanup/cleanup.c.

20050413

    Portability: don't mix socket message send/receive calls
    with socket stream read/write calls. The fact that you can
    get away with it only on some stacks implies that there is
    no long-term guarantee. Specify -DCAN_WRITE_BEFORE_SENDING_FD
    if you feel brave. File: util/sys_defs.h.

    Robustness: re-compile all object files after the "make
    makefiles" options have changed. Files: src/*/Makefile.in.

    Tweaking: reply with 5.3.4 when the message size exceeds
    the mail system message_size_limit, instead of 5.2.3 which
    is a mailbox specific status. File: smtpd/smtpd_check.c.

20050417

    Safety: don't call syslog from a user-triggered signal
    handler. File: postdrop/postdrop.c.

20050421

    Bugfix: don't panic when the fall-back relay can't be used
    because the local MTA is MX for the destination. File:
    smtp/smtp_connect.c.

20050422

    Bugfix: don't panic when the fall-back relay can't be used
    because it was already tried via a cached session. Produce
    a default excuse instead. File: smtp/smtp_connect.c.

    Bugfix: postsuper could lose an error message after reporting
    a fatal error. File: postsuper/postsuper.c.

20050426

    Bugfix: simplified and improved the 20050422 fall-back relay
    fix. File: smtp/smtp_connect.c.

20050427

    Final solution for the 20050422 fall-back relay problem:
    truncate the fall-back host list when the local MTA is MX
    for some destination.
    Files: util/argv.c, smtp/smtp_connect.c.

    Cleanup: extra dsn_vstring_update_dsn() routine to shut up
    GCC complaints about valid code. Files: src/global/dsn_util.c,
    src/global/mbox_open.c, src/lmtp/lmtp_addr.c, src/smtp/smtp_addr.c,
    src/smtp/smtp_connect.c.

20050429

    The Postfix SMTP server now announces ENHANCEDSTATUSCODES
    support in the EHLO response, as described in RFC 2034.
    File: smtpd/smtpd.c.

20050503

    Propagate enhanced status code from error(8) mailer to SMTP
    server replies. File: smtpd/smtpd_check.c.

    Cleanup: more consistent format of smtpd warning logging,
    so that it is easier to sort. Files: smtpd/smtpd.c,
    smtpd/smtpd_check.c.

20050504

    Yikes. People are exposing the smtp-sink test program to
    hostile environments, while it was designed for controlled
    environments. Completed the support for write timeouts,
    added support for read timeouts, and added a missing exception
    handler for the 220 server greeting. File: smtpstone/smtp-sink.c.

20050506

    Cleanup: with "REJECT 4.X.Y ..." actions in header/body_checks,
    change the SMTP server reply code from 550 into 450, instead
    of having the SMTP server change the DSN into 5.X.Y. File:
    smtpd/smtpd.c.

20050510

    Usability: when reporting a sender address problem, transform
    a recipient DSN status (e.g., 4.1.1-4.1.6) into the
    corresponding sender DSN status, and vice versa; and when
    reporting a non-address problem, transform a sender or
    recipient DSN status into a generic non-address DSN status
    (e.g., 4.0.0). This transformation may be needed when the
    same access table or RBL reply template are used for client,
    helo, sender, or recipient restrictions; or when the same
    error mailer information is used for senders or recipients.
    Files: smtpd/smtpd_check.c, smtpd/smtpd_dsn_fix.[hc].

20050512

    Feature: support for more SASL logging call-backs, if these
    are defined in the compile-time environment. Files:
    smtpd/smtpd_sasl_glue.c, smtp/smtp_sasl_glue.c.

20050513

    Workaround: Postfix now uses "localdomain" as the default
    domain name when $myhostname is not in "host.domain" form.
    Files: global/mail_params.[hc].

---------

20050415-20050615

    As of 20050525, DSN support does not involve new queue file
    record types, so you can switch back to older Postfix
    versions. Older non-production releases did introduce queue
    file incompatibility.

    DSN support is selected via the SMTP port by extra parameters
    to the MAIL FROM and RCPT TO commands, and with the Postfix
    sendmail command with new command-line options: -N (specify
    notification options such as "never", "success", "delay"
    or "failure") and -V (specify an envelope ID that identifies
    the mail submission transaction). VERP support now uses
    -XV instead of -V.

    The implementation piggy-backs on the trace(8) service that
    was already used for "sendmail -v" (verbose delivery) and
    for "sendmail -bv" (what-if) reports. You can no longer
    request these functions together with DSN support.

    All this means revision of bounce/defer/trace client
    interfaces, of the bounce service, the record reading loops
    in postdrop, cleanup(8) and qmgr(8), the queue manager to
    delivery agent protocol, and some extra SMTP protocol
    parameters in smtpd(8), lmtp(8) and smtp(8).

    New code module: global/dsn_smtp.[hc] for RFC 3461 related
    information (but this may still change).

    Feature: "sendmail -G" is no longer a no-op. Message headers
    are treated as if the message has a remote origin.
    Files: sendmail/sendmail.c, postdrop/postdrop.c.

    Feature: automatic BCC senders are now created as if they
    were received with NOTIFY=NEVER, in case it helps. File:
    cleanup/cleanup_addr.c

    Compatibility: with large bounces, send message headers
    only, instead of truncating MIME messages in the middle.

20050517

    Bugfix: in a DSN report, the original recipient should not
    be xtext encoded. File: bounce/bounce_notify_util.c.

20050523

    Bugfix: mymalloc() panic with mistyped server host list.
    File: global/dict_pgsql.c.

20050525

    Feature: specify delay_warning_time=1 to get immediate
    notification of delay. File: qmgr/qmgr_active.c.

20050526

    Reset the Postfix original recipient when delivering to
    mailing list.

20050601

    Modified the master backgrounding procedure to not abort
    when the master is already a process group leader. This
    happens when people bypass or modify the official Postfix
    start-up procedure. Jacek Konieczny. File: master/master.c.

20050602

    Sanity check: don't report "address in use" when some Postfix
    socket is a directory. File: util/unix_listen.c.

20050613

    Now that the over-all structure of the code is proving
    itself, interfaces can be cleaned up. This means nicer names
    for variables, functions and data structures, and dedicated
    read/write routines for recipient and DSN information.
    These remove a lot of clutter from the bounce client and
    server code. Files: dsn_print.c, dsb_scan.c, rcpt_print.c,
    rcpt_buf.c.

    For Sendmail compatibility, the Postfix sendmail -V option
    no longer controls VERP usage, but is used to specify the
    DSN envelope ID.
    In order to provide a smooth transition,
    backwards compatibility code recognizes when -V is being
    used for VERP control. It will do the right thing, and
    warns the user to use -XV instead. File: sendmail/sendmail.c.

20050614

    The cleanup server writes bounce (delivery failure) and
    trace (success) records, but it no longer requests sender
    notification. That is now handled by the queue manager.
    The reason is that the cleanup server must be able to abort
    a request including its bounce and trace logfiles, so it
    must not take actions that can't be undone.

20050615

    Cleanup: the SMTP client now sends QUIT when the initial
    HELO handshake fails. It still doesn't send QUIT when the
    server greets with a [45]XX code, as that is handled in the
    connection management code before a session context exists.
    File: smtp/smtp_connect.c.

    Cleanup: made the quote_821_local() routine "const" clean.
    File: global/quote_821_local.[hc].

20050616

    Bugfix: missing or mis-placed va_end() macros, found in
    Postfix 2.3 code review. Files: util/netstring.c,
    util/myaddrinfo.c, util/attr_clnt.c, util/vstream.c.

    Bugfix: the SMTP server now separates the message size check
    from the queue space check, so that the size check can be
    done before an SMTPD proxy filter. Files: smtpd/smtpd.c,
    smtpd/smtpd_check.c.

20050617

    Postdrop didn't recognize the new recipient attributes.
    File: postdrop/postdrop.c.

    Feature: configurable MAILER-DAEMON replacement for the
    null sender address that is used by the pipe(8) delivery
    agent on the command line and in message headers. Command-line
    address quoting is disabled when the replacement is empty.
    File: pipe/pipe.c.

20050618

    With virtual aliasing enabled, Postfix would always report
    successful alias expansion, even when no alias was expanded.
    File: cleanup/cleanup_out_recipient.c.

20050621

    Portability: file descriptor passing is available for Tru64
    UNIX, but not for AIX4 and IRIX6. Albert Chin. File:
    util/sys_defs.h.

20050622

    Cleanup: the DNS lookup code now accommodates name server
    replies longer than 4 kbytes, with a hard upper limit of
    32kbytes. For safety reasons, the number of MX host addresses
    that the SMTP client will try was reduced from unlimited
    to just 5, so that Postfix won't spend forever trying to
    connect to dozens and dozens of bogus MX hosts. Files:
    dns/dns_lookup.c, global/mail_params.h.

    Cleanup: the code that handles a 4xx or 5xx SMTP server
    greeting was moved from the connection management module
    to the protocol engine, for cleaner error handling. This
    means that the failed session now counts towards the limit
    on the total number of SMTP sessions per domain name (default:
    smtp_mx_session_limit = 2). Files: smtp/smtp_connect.c,
    smtp/smtp_proto.c.

20050623

    Cleanup: generalized the delegated attribute scan/print
    interfaces, and updated the deliver_pass module with delegated
    attribute scan/print support. Files: util/attr_scan0.c,
    util/attr_print0.c, global/dsb_scan.c, global/dsn_print.c,
    global/rcpt_buf.c, global/rcpt_print.c, global/deliver_pass.c.

    Added delegated attribute scan/print function support to
    the base64 and plain attribute I/O encodings. Files:
    util/attr_scan_plain.c, util/attr_print_plain.c.

20050624

    Added "." to the list of commands that smtp-sink can "break"
    (by disconnecting, or by responding with a 4XX or 5XX reply
    code). File: smtpstone/smtp-sink.c.

20050625

    Safety: allow only 4.x.x and 5.x.x enhanced status codes
    in header/body_checks REJECT actions. File:
    cleanup/cleanup_message.c.

20050627

    Code cleanup: generalized the smtp-sink code that simulates
    server errors. File: smtpstone/smtp-sink.c.

20050629

    Code cleanup: the smtp_mx_session_limit setting (per delivery
    request session count limit) now ignores sessions that fail
    to complete the TCP, SMTP, EHLO or TLS handshake (was: TCP
    and SMTP). File: smtp/smtp_proto.c.

20050630

    Updated the example spf.pl script to version 1.06.

    Portability: the file descriptor passing code broke on LP64
    systems (inherited from Stevens Network Programming). Files:
    util/unix_send_fd.c, util/unix_recv_fd.c.

20050706

    Robustness: the SMTP client now disables connection caching
    when it is unable to communicate with the scache(8) server,
    instead of looping forever. File: global/scache_clnt.c.

    Portability: after sending a socket, the scache(8) server
    now waits for an ACK from the connection cache client before
    closing the socket that it just sent. Files: scache/scache.c,
    global/scache_clnt.c.

20050708

    Bugfix: missing returns in 20050706 caching disabling code
    (in error handling code that never executes). File:
    global/scache_clnt.c.

    Portability: use explicitly unsigned operands when doing
    bit-wise shift operations on data larger than a character.

20050709-15

    Migration of data object sizes and offsets from int->ssize_t
    and unsigned->size_t for better portability to LP64 and
    LLP64 systems where *size_t is 64 bits wide. This change
    has no effect on 32-bit systems.

    This change not only eliminated some obscure portability
    bugs (see two paragraphs down), it also eliminated many
    unnecessary conversions back and forth between 32-bit and
    64-bit integers, because all relevant system library functions
    take *size_t arguments or return *size_t results.

    Simply changing every data object size or offset to size_t
    (which is unsigned!) would be dangerous. A lot of code was
    written assuming signed arithmetic and rejects negative
    lengths, which can happen as the result of integer overflow.

    Portability: on LP64 systems, integer expressions are int,
    but sizeof() and pointer difference expressions are larger.
    The above changes fixed a few discrepancies with function
    calls where *size_t was passed while the old code expected
    an int: clean_env() versus argv_addn(), and code that sent
    binary blobs via the TLS session cache manager protocol.

20050711

    Bugfix: don't include <> when auto-generating an ORCPT
    address from a client RCPT TO command. File: smtpd.c.

20050712

    Cleanup: cleanup_out_recipient() still generated DSN records
    that were incompatible with pre-DSN Postfix versions. File:
    cleanup/cleanup_out_recipient.c.

20050716

    Bugfix: the smtpd_sasl_authenticated_header code did not
    check if SASL was actually enabled. File: smtpd/smtpd.c.

20050720

    Feature: reverse client hostname. This is set at connection
    time with information from the SMTP client address->name
    mapping, and can be overruled with the REVERSE_NAME attribute
    in the XCLIENT command. File: smtpd/smtpd_peer.c.
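
    An added illustration of the 20050709-15 warning above about
    switching length types to size_t, not code from Postfix: a
    bounds check that relies on rejecting negative lengths, a
    mechanical unsigned port that accepts the same bad length,
    and an unsigned check that stays safe. All function names
    and values are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>          /* ssize_t */

/* Length of the span between two offsets; negative when they are reversed. */
ssize_t span_len(ssize_t start, ssize_t end)
{
    return end - start;
}

/* Signed style: a negative length is visible and is rejected up front. */
int fits_signed(ssize_t limit, ssize_t used, ssize_t len)
{
    if (len < 0 || used < 0 || used > limit)
        return 0;
    return len <= limit - used;
}

/*
 * Mechanical port to size_t. The "len < 0" test can never be true for an
 * unsigned type, so it is gone, and used + len wraps around for a huge
 * len: the check then passes for a length that cannot possibly fit.
 */
int fits_unsigned_naive(size_t limit, size_t used, size_t len)
{
    return used + len <= limit;
}

/* Unsigned style done carefully: never form the sum used + len. */
int fits_unsigned_checked(size_t limit, size_t used, size_t len)
{
    return used <= limit && len <= limit - used;
}

int main(void)
{
    /* Constructed case: reversed offsets give a length of -6. */
    ssize_t len = span_len(10, 4);

    printf("len as ssize_t: %ld\n", (long) len);
    printf("signed check accepts:           %d\n",
           fits_signed(64, 10, len));
    printf("naive unsigned check accepts:   %d\n",
           fits_unsigned_naive(64, 10, (size_t) len));
    printf("careful unsigned check accepts: %d\n",
           fits_unsigned_checked(64, 10, (size_t) len));
    return 0;
}
```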

    Cleanup: renaming of several confusing restriction names:
    reject_unknown_client -> reject_unknown_client_hostname,
    reject_unknown_hostname -> reject_unknown_helo_hostname,
    reject_invalid_hostname -> reject_invalid_helo_hostname,
    and reject_non_fqdn_hostname -> reject_non_fqdn_helo_hostname.
    The old names are still recognized and documented. Files:
    global/mail_params.h, smtpd/smtpd.c, smtpd/smtpd_check.c.

    Feature: reject_unknown_reverse_client_hostname. This rejects
    clients that have no address to name mapping (unlike the
    reject_unknown_client_hostname feature which requires that
    the address->name and name->address mappings resolve to the
    client IP address). Files: global/mail_params.h,
    smtpd/smtpd_peer.c, smtpd/smtpd.c, smtpd/smtpd_check.c.

20050726

    Horror: total rewrite of DNS client error handling because
    some misguided proposal attempts to give special meaning
    to some syntactically invalid MX hostname lookup result.
    Not only that, people expect sensible results with
    reject_unknown_sender_domain etc. Files: dns/dns_lookup.c,
    smtp/smtp_addr.c, smtpd/smtpd_check.c, lmtp/lmtp_addr.c.

    Cleanup: HOLD action executes only once, to reduce noise
    in the logfile. Files: cleanup/cleanup_message.c, smtpd/smtpd.c.

20050806

    Workaround: accept(2) fails with EPROTO when the client
    already disconnected (SunOS 5.5.1). File: sane_accept.c.

20050815

    Workaround: old Solaris compilers can't link an archive
    without globally visible symbols. File: tls/tls_misc.c.

20050825

    Feature: message_reject_characters and message_strip_characters
    specify what characters in message content Postfix will
    reject or remove. Based on patch by John Fawcett. Files:
    cleanup/cleanup_message.c, cleanup/cleanup_init.c.

    Safety: when the cleanup server rejects the content of mail
    that is submitted with the Postfix sendmail command, or
    re-queued with "postsuper -r", strip the message body from
    the bounce message to reduce the risks from harmful content.
    Files: cleanup/cleanup_envelope.c, cleanup/cleanup_bounce.c.

    Feature: the smtpd_proxy_filter parameter value can now be
    prefixed with "unix:" (for UNIX-domain socket) and "inet:"
    (for TCP socket). TCP sockets are the default. Patch by
    Edwin Kremer. File: smtpd/smtpd_proxy.c.

20050828

    Bugfix: after adding DSN support, error notification was
    broken for too large mail that was submitted with the Postfix
    sendmail command, forwarded by the local(8) delivery agent,
    or re-queued with "postsuper -r". The message would be saved
    to the "corrupt" queue.

    The mistake was to leave the truncated message in the
    incoming queue and to ask the queue manager to notify the
    sender; this was not possible because the queue manager
    cannot (and should not) handle truncated queue files.

    The fix is to have the cleanup server send the bounce
    message, just like it did before DSN support was added. As
    a side effect, Postfix will no longer send DSN_SUCCESS
    notices after virtual aliasing, when the cleanup server
    bounces all the recipients of the message anyway. This
    could be called a feature. File: cleanup/cleanup_bounce.c.

    Also needed for this fix: a new vstream_fpurge() routine
    that discards unread/written data from a VSTREAM. It's
    needed before cleanup_bounce() can seek to the start of the
    queue file after a file size error. File: util/vstream.c.

20050920

Cleanup: removed the legacy "tls_info" structure, factored
out common code for peer_CN and issuer_CN lookup, and added
sanity check to not verify subject common names that contain
nulls or that are excessively long. Patch by Victor Duchovni.
Files: tls_client.c, tls_server.c, tls_session.c, tls_misc.c,
tls_verify.c.

20050922

Bugfix: the *SQL clients did not uniformly choose the
database host from the available pool of servers due to an
off-by-one error, so that the "last" available server was
not selected. Leandro Santi. Files: dict_mysql.c, dict_pgsql.c.

Update: common code factored out into db_common.c, and
adoption of Liviu Daia's connection aware MySQL quoting.
Patch by Victor Duchovni. Files: dict_ldap.c, dict_mysql.c,
dict_pgsql.c, db_common.c.

20050923

Safety: don't update the local(8) delivery agent's idea of
the Delivered-To: address while expanding aliases or .forward
files. When an alias or .forward file changes the Delivered-To:
address, it ties up one queue file and one cleanup process
instance while mail is being forwarded. To get the old
behavior, specify "frozen_delivered_to = no". Problem
reported by Michael Tokarev, but found independently by
others. Files: local/local.c, local/aliases.c, local/dotforward.c,
local/mailbox.c, local/maildir.c.

Logging: additional SASL debug logging by Andreas Winkelmann.
Files: */*sasl_glue.c.

20050929

Paranoia: don't ignore garbage in SMTP or LMTP server replies
when ESMTP command pipelining is turned on. For example,
after sending ".<CR><LF>QUIT<CR><LF>", Postfix could recognize
the server's 2XX QUIT reply as a 2XX END-OF-DATA reply after
garbage, causing mail to be lost.
The SMTP and LMTP clients
now report a remote protocol error and defer delivery.
Files: smtp/smtp_chat.c, smtp/smtp_trouble.c, lmtp/lmtp_chat.c,
lmtp/lmtp_trouble.c.

Performance: specify "smtpd_peername_lookup = no" to disable
client hostname lookups in the SMTP server. All clients are
treated as "unknown". This should be used only under extreme
conditions where DNS lookup latencies are critical. File:
smtpd/smtpd_peer.c.

20051010

Feature: smtpd_client_new_tls_session_rate_limit parameter
to limit the number of new (i.e. uncached) TLS sessions
that a remote SMTP client may negotiate per unit time. This
feature, which is off by default, can limit the CPU load
due to expensive crypto operations. Files: global/anvil_clnt.c,
anvil/anvil.c, smtpd/smtpd.c.

Cleanup: eliminated massive code duplication in the anvil
server that resulted from adding similar features one at a
time. File: anvil/anvil.c.

20051011

Bugfix: raise the "policy violation" flag when a client
request exceeds a concurrency or rate limit. File:
smtpd/smtpd.c.

Bugfix (cut-and-paste error): don't reply with 421 (too
many MAIL FROM or RCPT TO commands) when we aren't closing
the connection. File: smtpd/smtpd.c.

20051012

Polishing: content of comments and sequence of code blocks
in the anvil server, TLS request rate error message in the
smtp server, and documentation, but no changes in code.
Files: anvil/anvil.c, smtpd/smtpd.c.

20051013

Horror: some systems have basename() and dirname() and some
don't; some implementations modify their input and some
don't; and some implementations use a private buffer that
is overwritten upon the next call. Postfix will use its own
safer versions called sane_basename() and sane_dirname().
These never modify the input, and allow the caller to control
how memory is allocated for the result. File:
util/sane_basename.c.

Feature: "sendmail -C path-to-main.cf" and "sendmail -C
config_directory" now do what one would expect. File:
sendmail/sendmail.c.

Bugfix: don't do smtpd_end_of_data_restrictions after the
transaction failed due to, e.g., a write error. File:
smtpd/smtpd.c.

Cleanup: the SMTP server now enforces the message_size_limit
even when the client did not send SIZE information with the
MAIL FROM command. This protects before-queue content
filters against over-size messages. File: smtpd/smtpd.c.

20051017

Bugfix: after DSN support was added, smtp_skip_5xx_greeting
no longer recognized a 5xx SMTP status as a 4xx one. Found
by Ralf Hildebrandt. Fix: use the enhanced status code
instead of the SMTP reply code to choose between permanent
or transient errors. File: smtp/smtp_trouble.c.

Feature: smtp-sink can hard-reject, soft-reject or simply
drop connection requests. File: smtpstone/smtp-sink.c.

Documentation: clarified the processing of server replies,
specifically the reply code and the enhanced status code,
in smtp_chat.c.

20051024

Performance: new smtp_connection_reuse_time_limit parameter to
limit connection reuse by elapsed time, instead of limiting
the number of deliveries per connection. Bounding by time
favors delivery over connections that perform well, while
bounding by number of deliveries allows slow connections
to drag down the performance. Insight and initial
implementation by Victor Duchovni, Morgan Stanley.
Files: smtp_connect.c, smtp_session.c.

Bugfix: the next-hop logical destination information for
connection caching was reset only after a good non-TLS
connection, so that cached connections to non-TLS backup
servers could suck away traffic from TLS primary servers
(the Postfix SMTP client cannot cache an open TLS connection).
Found during code review. This is fixed with multi-valued
connection caching state: expired, cachable, non-cachable,
and bad. Files: smtp_connect.c, smtp_trouble.c.

Bugfix: adding support for "sendmail -C" broke "sendmail
-q". File: sendmail/sendmail.c.

20051101

Migration from a single "arrival time" stamp to a structure
with time stamps from different stages of message delivery.
The first iteration merely replaces "arrival time" stamps
by a structure or pointer to structure, and uses only the
arrival time field of that structure. This is an extensive
but straightforward transformation, based on example by
Victor Duchovni, Morgan Stanley. Files: anything that
invokes bounce_append etc., the log_adhoc module, and
anything that sends or receives a delivery request.

20051102

Completion of support for time stamps from different stages
of message delivery. The information is now logged as
"delays=a/b/c/d" where a=time before queue manager, including
message transmission; b=time in queue manager; c=connection
setup including DNS, HELO and TLS; d=message transmission
time. Unlike Victor's example which used time differences,
this implementation uses absolute times. The decision of
what numbers to subtract actually depends on program history,
so we want to do it in one place. Files: global/log_adhoc.c,
smtp/smtp_connect.c, smtp/smtp_proto.c, smtp/smtp_trouble.c,
lmtp/lmtp_proto.c, lmtp/lmtp_trouble.c.

20051103

Refinement of time stamping and delays formatting. The
hand-off time is now stamped in the delivery agent, so that
time is properly attributed when a transport is saturated
or throttled. Delays are now logged if larger than 0.01
second. Files: *qmgr/qmgr_deliver.c, global/deliver_request.c,
global/log_adhoc.c.

20051104

New parameter delay_logging_time_resolution (default: 10000
microseconds, or 0.01 second) that controls the detail in
the new "delays=a/b/c/d" logging. Specify a power of 10
in the range from 1 to 100000. File: global/log_adhoc.c.
Parameter renamed 20051108.

20051105

All delay logging now has sub-second resolution. This means
updating all code that reads or updates the records that
specify when mail arrived, and ensuring that mail submitted
with older Postfix versions produces sensible results.
Files: global/post_mail.c, global/mail_timeofday.[hc],
global/log_adhoc.c, postdrop/postdrop.c, pickup/pickup.c,
cleanup/cleanup_envelope.c, cleanup/cleanup_message.c,
smtpd/smtpd.c, qmqpd/qmqpd.c, *qmgr/qmgr_message.c,
*qmgr/qmgr_active.c, local/forward.c.

20051106

The SMTP client logs the remote server port in the form of
relay=hostname[hostaddr]:port to the local maillog file.
The port number is NOT included in DSN status reports,
because remote users have no need to know such internal
information. Files: smtp/smtp_session.c, smtp/smtp_proto.c,
smtp/smtp_trouble.c.

Cleanup: encapsulated queue file time read/write operations
with a few simple macros, to make future changes in time
representation less painful.

20051108

Cleanup: eliminated floating point operations from the
ad-hoc delay logging code. Files: util/format_tv.[hc],
global/log_adhoc.c.
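
The "delays=a/b/c/d" and relay=hostname[hostaddr]:port fields from the 20051102 and 20051106 entries can be read back out of the maillog to see which delivery stage dominates a slow delivery. The Python below is an added example, not Postfix code; the log lines, hostnames, addresses and queue IDs are constructed, and the stage names and the 10-second threshold are assumptions.

```python
import re
from decimal import Decimal
from typing import List, NamedTuple, Optional, Tuple

# Names chosen here for the a/b/c/d fields, following the 20051102 entry.
STAGES = ("before_qmgr", "in_qmgr", "conn_setup", "transmission")

# Constructed sample lines (documentation address ranges, made-up queue IDs).
SAMPLE_LOG = """\
Nov  8 10:15:01 mx1 postfix/smtp[2101]: 4F2A81C0D3: to=<alice@example.com>, relay=mail.example.com[192.0.2.10]:25, delay=0.42, delays=0.05/0.01/0.21/0.15, dsn=2.0.0, status=sent (250 Ok)
Nov  8 10:15:09 mx1 postfix/smtp[2102]: 7B9C01C0D4: to=<bob@example.net>, relay=slow.example.net[198.51.100.7]:25, delay=47, delays=0.1/0.02/45/1.9, dsn=2.0.0, status=sent (250 Ok)
Nov  8 10:16:30 mx1 postfix/smtp[2103]: 9D11A1C0D5: to=<carol@example.org>, relay=gw.example.org[203.0.113.5]:587, delay=912, delays=0.3/900/0.5/11, dsn=2.0.0, status=sent (250 Ok)
Nov  8 10:16:31 mx1 postfix/smtpd[2104]: connect from unknown[192.0.2.99]
"""

_NUM = r"\d+(?:\.\d+)?"
RECORD_RE = re.compile(
    r"(?P<queue_id>[0-9A-F]+): to=<(?P<rcpt>[^>]*)>,"
    r".*?\brelay=(?P<host>[^\[\s,:]+)"
    r"(?:\[(?P<addr>[^\]]+)\])?(?::(?P<port>\d+))?,"
    r".*?\bdelays=(?P<delays>" + _NUM + r"(?:/" + _NUM + r"){3}),"
)


class Delivery(NamedTuple):
    queue_id: str
    recipient: str
    relay_host: str
    relay_addr: Optional[str]      # absent for relays logged without [addr]
    relay_port: Optional[int]      # absent in logs written before 20051106
    delays: Tuple[Decimal, ...]    # four values, in STAGES order


def parse_line(line: str) -> Optional[Delivery]:
    """Return the delivery record in a log line, or None if there is none."""
    m = RECORD_RE.search(line)
    if m is None:
        return None
    # Decimal keeps the logged digits exact; no floating point is involved.
    delays = tuple(Decimal(x) for x in m["delays"].split("/"))
    port = int(m["port"]) if m["port"] else None
    return Delivery(m["queue_id"], m["rcpt"], m["host"], m["addr"], port, delays)


def dominant_stage(d: Delivery) -> Tuple[str, Decimal]:
    """Name and duration of the stage that took the longest."""
    return max(zip(STAGES, d.delays), key=lambda pair: pair[1])


def slow_deliveries(log_text: str, threshold: Decimal) -> List[tuple]:
    """List (queue_id, relay_host, stage, seconds) where one stage exceeds threshold."""
    found = []
    for line in log_text.splitlines():
        d = parse_line(line)
        if d is None:
            continue
        stage, seconds = dominant_stage(d)
        if seconds > threshold:
            found.append((d.queue_id, d.relay_host, stage, seconds))
    return found


if __name__ == "__main__":
    for row in slow_deliveries(SAMPLE_LOG, Decimal("10")):
        print("%s relay=%s slowest=%s (%ss)" % row)
```

A large c value points at DNS, HELO or TLS setup toward that relay, while a large b value points at local queueing, which is the distinction the single "delay=" total cannot make.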

The delay logging resolution is now controlled with the
delay_logging_resolution_limit parameter, which specifies
the maximal number of digits after the decimal point.

Bugfix: two messages could get the same message ID due to
a race condition. This time window was increased when queue
file creation was postponed from MAIL FROM until the first
accepted RCPT TO. The window is closed again. Found by
Victor. Files: global/mail_stream.c, global/mail_queue.c,
cleanup/cleanup_message.c.

20051109

qshape.pl updated for extra microsecond time field in Postfix
queue files.

Cleanup: removed obsolete code that handles rejected/dropped
connections before the HELO handshake. File: smtp/smtp_connect.c.

Bugfix: XCLIENT broke when reverse hostname support was added.
Fix by Tomoyuki Sakurai. File: smtpd/smtpd.c.

20051110

Workaround: don't set the delay warning timer for messages
from inside or from outside that have the null sender as
recipient. This was a waste of time, because the warning
would always be discarded. File: cleanup/cleanup_envelope.c.

Feature: the built-in mail delivery status notification
text is now implemented by built-in templates. Files:
bounce/bounce_template.c, bounce/bounce_notify_util.c.

20051112

Feature: configurable bounce message templates based on
contribution by Nicolas Riendeau. I kept the general format
of his templates, but placed them together in one file to
reduce process initialization overhead (most requests to
the bounce daemon are not for sending bounce messages).
Files: bounce/bounce_template.c, bounce/dict_ml.c (to be
moved to library if useful enough). A sample bounce message
template file is installed as $config_directory/bounce.cf.default.

20051113

Feature: "postconf -b filename" to preview the non-default
bounce message templates with $name expansions in the text.
The actual work is of course done by the bounce daemon.

20051114

Feature: -V option to make Postfix daemons log to stderr.
This is used when a daemon is invoked in stand-alone mode
by a (non-daemon) command.

Feature: "postconf -t" displays DSN templates, headers and
all; use "postconf -t ''" to view built-ins.

Cleanup: renamed fail_template into failure_template.

20051117

Cleanup: bounce template code reorg, no functionality change.
Files: bounce/bounce_template.[hc], bounce/bounce_templates.c,
bounce/bounce_notify_util.c.

20051118

Bugfix: new bounce template code did not return after
template syntax error. File: bounce/bounce_template.c.

Safety: permit_mx_backup now requires that the local MTA
is not listed as primary MX for the recipient domain. This
prevents mail loops when someone points the primary MX
record to Postfix.

20051119

Workaround: some SMTP servers announce multiple but different
lists of SASL methods. Postfix now concatenates the lists
instead of logging a warning and remembering only one. File:
smtp/smtp_sasl_proto.c.

Bugfix: the queue manager did not write a per-recipient
defer logfile record when the delivery agent crashed between
receiving a delivery request, and reporting the delivery
status to the queue manager. Found while redesigning the
code that handles unavailable transports or destinations.
Files: *qmgr/qmgr_deliver.c.

20051121

Workaround: do not build the bounce.cf.default template
while compiling Postfix - it breaks when the default
mail_owner etc. accounts don't exist. Reported by Liviu
Daia.

Compatibility: added permit_auth_destination emulation to
the permit_mx_backup feature. This avoids surprises with
sites that used permit_mx_backup to authorize all their
incoming mail.

20051122-24

Feature: sender_dependent_relayhost_maps, lookup tables that specify
a sender-dependent override for the relayhost parameter
setting. The lookup is done in the trivial-rewrite server,
instead of the queue manager where it does not belong.
Files: global/resolve_clnt.c, global/tok822_resolve.c,
trivial-rewrite/resolve.c, trivial-rewrite/transport.c,
*qmgr/qmgr_message.c.

Also: address_verify_sender_dependent_relayhost_maps for
completeness.

20051124

Feature: specify "smtp_sender_dependent_authentication =
yes" to enable sender-dependent SASL passwords. This disables
SMTP connection caching to ensure that mail from different
senders is delivered with the appropriate credentials. This
is an extended version of a patch by Mathias Hasselmann.
Files: smtp/smtp_connect.c, smtp/smtp_sasl_glue.c.

20051126

Workaround: log warning when REDIRECT or FILTER are used
in smtpd_end_of_data_restrictions. File: smtpd/smtpd_check.c.

Log warning when REDIRECT, FILTER, HOLD and DISCARD are
used in smtpd_etrn_restrictions. File: smtpd/smtpd_check.c.

20051128

Bugfix: moved code around from one place to another to make
REDIRECT, FILTER, HOLD and DISCARD access(5) table actions
work in smtpd_end_of_data_restrictions. PREPEND will not
be fixed; it must be specified before the message content
is received. Files: smtpd/smtpd.c, smtpd/smtpd_check.c,
cleanup/cleanup_extracted.c, pickup/pickup.c.

Safety: abort if the SMTP or QMQP server runs with non-postfix
privileges while it's connected to the network.
Files: smtpd/smtpd_peer.c, qmqpd/qmqpd_peer.c.

20051201

Bugfix: the LMTP client would reuse a session after negative
reply to the RSET command (which may happen when client and
server somehow get out of sync). Problem found by Christian
Theune. Files: lmtp/lmtp.c, lmtp/lmtp_proto.c.

20051202

Bugfix: the 20051128 code move for "smtpd_end_of_data_restrictions"
broke "postsuper -r".

20051202-3

Cleanup: the SMTP client now also implements the LMTP
protocol. Files: smtp/smtp.c, smtp/smtp_connect.c,
smtp/smtp_proto.c, smtp/smtp_dsn.c, smtp_state.c,
smtp_sasl_glue.c.

As before, the LMTP behavior is controlled with parameters
named lmtp_xxx instead of smtp_xxx. However there are now
a lot more lmtp_xxx parameters :-) With few exceptions, all
SMTP features are now also available with LMTP. The exceptions
are related to the HELO and EHLO commands, which exist in
SMTP only. There are equivalent LHLO command parameters
where it makes sense.

20051206

SMTP+LMTP client connection management code rewritten to
support UNIX-domain socket connections.

20051207

Bugfix: race condition in the connection caching protocol,
found while adding connection caching for UNIX-domain sockets
(used for LMTP delivery). This was introduced with the
20050706 workaround, and may be the same problem that Jussi
Silvennoinen experienced (in Postfix 2.2.6) with SMTP after
an upgrade. Files: scache/scache.c.

Bugfix: smtp-sink and qmqp-sink didn't ignore SIGPIPE.

20051208

Robustness: reduced timeouts in the connection caching
client, so that a malfunctioning service does not prevent
mail delivery. This uses similar code that already exists
for the anvil(8) client and the tlsmgr(8) client.
Files: global/scache_clnt.c, smtp/smtp.c.

To make reduced connection caching client timeouts possible,
connection management was moved from the attr_clnt(3) module
to the auto_clnt(3) module where it belongs. The auto_clnt(3)
module is now a full alternative for the clnt_stream(3)
module. Files: util/auto_clnt.c, util/attr_clnt.c.

Bugfix: the best_mx_transport, mailbox_transport and
fallback_transport features did not write a per-recipient
defer logfile record when the target delivery agent was
broken. This is the analog of queue manager bugfix 20051119.
Files: global/deliver_pass.c.

20051210

Cleanup: simplified the SMTP/LMTP connection management
logic for address list and fallback relay processing.
Still need to simplify deferred recipient handling.

20051212

Bugfix: after a failed TLS session, the 20051210 SMTP client
code cleanup broke sessions with backup servers, causing the
client to get out of step with the backup server. This in
turn exposed a one-year old missing exception handling
context in the EHLO handshake after sending STARTTLS. Victim
was Ralf Hildebrandt, detectives Victor Duchovni and Wietse.
File: smtp/smtp_proto.c.

20051213

Bugfix: *SQL, proxy and LDAP map types were not defined in
user-land commands such as postqueue. Leandro Santi. File:
postqueue/postqueue.c.

20051212-14

Server-side plug-in interface for SASL authentication. This
uses Cyrus SASL by default, so nothing has changed except
error messages may be more informative. Files:
smtpd/smtpd_sasl_proto.c, smtpd/smtpd_sasl_glue.c,
xsasl/xsasl_server.[hc], xsasl/cyrus_server.[hc],
xsasl/cyrus_strerror.c, xsasl/cyrus_log.c, xsasl/cyrus_security.c.

20051215

Portability: IRIX 6.5.28 defines sa_len as a macro, so it
can't be used as a variable identifier. Zach McDanel. Files:
dns/dns_rr_to_sa.c, smtpd/smtpd_peer.c, qmqpd/qmqpd_peer.c.

20051216

Cleanup: removed some scar tissue that was introduced with
server-side SASL plug-in support. Files: smtpd_sasl_proto.c,
smtpd_sasl_glue.c.

Client-side plug-in interface for SASL authentication. This
uses Cyrus SASL by default, so nothing has changed except
error messages may be more informative. Files: smtp_sasl_glue.c,
xsasl/xsasl_client.[hc], xsasl/cyrus_client.[hc].

20051217

Bugfix: when a SASL client password is required by a specific
server, defer delivery when no server-announced mechanism
survives the smtp_sasl_mechanism_filter, instead of ignoring
the SASL announcement and trying to deliver the mail over
an unauthenticated connection and risking that mail will
be rejected. File: smtp/smtp_sasl_proto.c, smtp/smtp_proto.c.

Portability: zero the "struct msg" just in case. Both purify
(Linux) and valgrind (FreeBSD) complain about uninitialized
bits. Files: util/unix_{send,recv}_fd.c.

20051219

Cleanup: generic smtpd_sasl_path, smtp_sasl_path and
lmtp_sasl_path configuration parameters; simplified the
SASL plug-in API, and made initial provisions for SASL
session encryption. Files: xsasl/*.[hc].

Feature: "postconf -a" lists the available SASL server
plug-in types, and "postconf -A" does the same for the
client. Files: postconf.c, xsasl_{client,server}.c.

Feature: new SMTPD policy attributes "encryption_protocol",
"encryption_cipher" and "encryption_keysize", to distinguish
plaintext from encrypted connections.
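
A policy service can use the three encryption_* attributes from the 20051219 entry to refuse plaintext or weakly encrypted sessions on a listener where encryption is mandatory. The Python below is an added example, not Postfix code. It assumes the usual policy delegation framing (name=value lines, an empty line ends the request, the reply is "action=..." plus an empty line), that plaintext sessions report an empty protocol and a key size of 0, and a site minimum of 128 bits; the requests are constructed.

```python
import sys

MIN_KEYSIZE = 128                       # assumed site policy, not a Postfix default
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3"}   # assumed spelling of encryption_protocol values

# Constructed requests: strong TLS, plaintext, legacy protocol, and a
# final request that is cut off before its terminating empty line.
SAMPLE_REQUESTS = (
    "request=smtpd_access_policy\nprotocol_state=RCPT\n"
    "client_address=192.0.2.25\nencryption_protocol=TLSv1\n"
    "encryption_cipher=DHE-RSA-AES256-SHA\nencryption_keysize=256\n\n"
    "request=smtpd_access_policy\nprotocol_state=RCPT\n"
    "client_address=198.51.100.9\nencryption_protocol=\n"
    "encryption_cipher=\nencryption_keysize=0\n\n"
    "request=smtpd_access_policy\nprotocol_state=RCPT\n"
    "client_address=203.0.113.40\nencryption_protocol=SSLv3\n"
    "encryption_cipher=RC4-MD5\nencryption_keysize=128\n\n"
    "request=smtpd_access_policy\nprotocol_state=RCPT\n"
)


def parse_request(stream):
    """Read one request from a line iterator.

    Returns a dict of attributes, or None at end of input. A request
    that ends without its empty line is dropped, never acted upon.
    """
    attrs = {}
    for raw in stream:
        line = raw.rstrip("\n")
        if line == "":
            return attrs
        name, sep, value = line.partition("=")   # values may contain '='
        if sep:
            attrs[name] = value
    return None


def decide(attrs):
    """Map the encryption_* attributes to an access(5) action."""
    try:
        keysize = int(attrs.get("encryption_keysize", "0"))
    except ValueError:
        keysize = 0          # unparsable value: treat as plaintext (fail closed)
    protocol = attrs.get("encryption_protocol", "")
    if keysize <= 0 or protocol == "":
        return "REJECT Encrypted session required"
    if protocol in LEGACY_PROTOCOLS:
        return "REJECT %s is not accepted here" % protocol
    if keysize < MIN_KEYSIZE:
        return "REJECT %d-bit session key is below the required %d bits" % (
            keysize, MIN_KEYSIZE)
    return "DUNNO"           # no opinion; later restrictions decide


def serve(inp, out):
    """Answer requests until end of input; return how many were answered."""
    handled = 0
    while True:
        attrs = parse_request(inp)
        if attrs is None:
            return handled
        out.write("action=%s\n\n" % decide(attrs))
        out.flush()
        handled += 1


if __name__ == "__main__":
    serve(sys.stdin, sys.stdout)
```

Attributes that are missing altogether, as with an SMTP server that predates this change, are treated as plaintext here; a site that runs mixed versions may prefer to return DUNNO in that case.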

20051221

Privacy: the new Cyrus SASL server plug-in replaces "no
user" errors by "authentication failed" errors. File:
xsasl/xsasl_cyrus_server.c.

Safety: the Postfix SMTP client no longer uses CNAME expanded
hostnames for logging, SASL password lookup, TLS policy
decisions, or TLS certificate verification. Instead it
uses the name of the recipient domain, or the host or domain
name specified in Postfix configuration files. Of course
this won't prevent cheating with hostnames that appear in
MX lookup results. To avoid that you will have to suppress
MX lookups with explicit [hostname] entries in transport
maps. Files: dns/dns_lookup.c, dns/dns_rr.c.

20051222

Feature: Dovecot SASL authentication (server side) plug-in
by Timo Sirainen. This builds without external library
dependencies and is therefore compiled in by default.
Files: xsasl/xsasl_dovecot_server.[hc].

Safety: set the default LANG=C, instead of deleting LANG
from the environment and assuming the right thing will
happen. File: global/mail_params.h.

Safety: always add the ISASCII() requirement to the ISXXX()
macros, because they are used for protocol and policy
enforcement. File: util/sys_defs.h.

Bugfix: null pointer in the 20051219 policy delegation
crypto attributes. File: smtpd/smtpd_check.c.

Compatibility: "resolve_numeric_domain = yes" will accept
addresses with numeric domains instead of rejecting them as
invalid. Files: trivial-rewrite/resolve.c, util/vstring.c.

Bugfix: 20051219 "postconf -A" produced "postconf -a" output.
Andreas Winkelmann.

20051225

Bugfix: the regexp map cleverly avoided scanning constant
lookup results for non-existent $number expressions, but
failed to subject those results to the necessary $$ -> $
replacement. Files: util/dict_regexp.c.

Performance: the pcre map did not optimize constant lookup
results; they were always scanned for non-existent $number
expressions. File: util/dict_pcre.c.

This round of edits eliminates architectural differences
between the pcre and regexp table implementations. The
remaining difference is that regexp tables still support
the obsolete "/pattern1/!/pattern2/ action" syntax, for
backwards compatibility with Postfix 2.0 and earlier.

20051227

Bugfix: the 20051222 ISASCII paranoia broke the strcasecmp()
workaround for Solaris. File: util/strcasecmp.c.

Bitrot: SunOS4 pre-dates size_t, ssize_t, getsid(). File:
src/util/sys_defs.h. The SunOS4 tests had been suspended
due to what turned out to be a broken AUI-to-UTP transceiver.

Bugfix: the 20061226 cosmetic change broke non-IPV6 support
(example: sockaddr_to_hostaddr: Unknown error: success).
File: util/myaddrinfo.c.

20051229

The following workaround was removed 20060103.

Workaround: when mail is still queued after 3000 seconds,
the SMTP client no longer pipelines the DOT+QUIT commands.
The 20050929 paranoia about malformed server replies
eliminated a rare occurrence of "lost mail" with sites that
mis-implement DOT+QUIT pipelining, but resulted in a larger
occurrence of repeated deliveries to sites with a different
DOT+QUIT pipelining bug. The time threshold is set with the
smtp_dot_quit_workaround_threshold_time parameter. Files:
smtp/smtp_proto.c, smtp/smtp.c.

Feature: mailbox_transport_maps and fallback_transport_maps
to search delivery transports by recipient name. Files:
local/mailbox.c, local/unknown.c.

Feature: the master daemon now logs a warning when all
servers are busy that may accept remote connections, and
suggests to either increase the process count or to reduce
the service time per client. Files: master/master_ent.c,
master/master_avail.c.

20051231

Bugfix: the anvil server would terminate after "max_idle"
seconds, even when this was less than the anvil_rate_time_unit
interval. File: anvil/anvil.c.

20060102

Deleted the 20051229 dot-quit bug workaround. Automatically
deferring delivery created "no delivery" and "repeated
delivery" problems; and automatically turning off pipelining
for delayed mail was a bad workaround for a bad workaround.
The administrator still has the option to turn off pipelining
by hand if loss of mail is a concern.

20060103

Bugfix: the 20051217 fix (when a SASL client password is
found, defer delivery when no server-announced mechanism
survives the smtp_sasl_mechanism_filter) did the mechanism
test too early, so that it could trip up with deliveries
to servers that we don't have a SASL password for. Files:
smtp/smtp_sasl_proto.c, smtp/smtp_proto.c.

20060104

Safety: new "smtp_cname_overrides_servername" parameter.
The default value ("no") is NOT backwards compatible. This
avoids surprises with the hostname that is used for logging,
SASL password lookup, TLS policy decisions, or TLS certificate
verification. The change makes the 20051221 behavior more
configurable. Files: smtp/smtp_addr.c, smtp/smtp_connect.c,
proto/postconf.proto.

20060105

Cleanup: removed the unused DSN "code" attribute; removed
surrogate SMTP replies for errors that were not reported
by a remote SMTP server, making several DSN-related functions
and macros redundant; cleaned up some bizarre code for DSN
attribute memory management in the SMTP client.

20060106

Cleanup: eliminated the global smtp_errno variable, which
had become redundant after introducing DSN support. Files:
smtp/smtp_addr.c, smtp/smtp_connect.c.

20060107

Cleanup: removed more bizarre code for DSN attribute memory
management in the queue manager, bounce server, and in
delivery agents.

20060109

Bugfix: smtp_sasl_tls_opts was unimplemented. File:
smtp/smtp_sasl_proto.c.

Cleanup: more bounce logfile code cleanup. Files:
global/bounce_log.c, bounce/bounce_notify_util.c,
bounce/bounce.c, bounce/bounce_notify_verp.c,
bounce/bounce_one_service.c, showq/showq.c

20060110

Cleanup: more bounce logfile code cleanup. Files:
global/bounce_log.c, bounce/bounce_notify_util.c.

Bugfix: the VERP bouncer never handled the case of a missing
bounce logfile. Found while doing more logfile code cleanup.
File: bounce/bounce_notify_verp.c.

Feature: smtp_sasl_tls_verified_security_options for
connections where the server certificate passed verification.
The default value is $smtp_sasl_tls_security_options, which
in turn defaults to $smtp_sasl_security_options.

20060111

Optimization: mystrdup() and mystrndup() now return a pointer
to a fixed read-only memory location instead of allocating
memory for zero-length null-terminated strings. This saves
lots of memory for unused recipient attributes.
If this change causes problems (for example, you have an ancient
sscanf() implementation that writes to its input) then
compile Postfix with -DNO_SHARED_EMPTY_STRINGS.

Cleanup: eliminated null pointer members in DSN structures.
Instead we now use the optimized mystrdup() for empty
strings. For safety's sake we keep the tests for null pointers
in input, but we always produce empty strings on output.
Files: global/dsn.c, global/dsn.h, global/dsn_buf.h,
global/dsn_print.c.

Cleanup: eliminated ad-hoc code for passing recipients in
the queue manager delivery request protocol. Postfix now
uses proper object activation/passivation instead. Files:
*qmgr/qmgr_deliver.c, global/deliver_request.c,
global/deliver_pass.c.

20060112

Feature: to simplify debugging the bounce server logs the
old and new queue ID when notifying the sender or postmaster.
Files: global/post_mail.c, bounce/bounce_notify_service.c,
bounce/bounce_one_service.c, bounce/bounce_notify_verp.c,
bounce/bounce_warn_service.c, bounce/bounce_trace_service.c.

Fudge: when translating recipient DSN codes into sender DSN
codes, map sender address problems that have no DSN code
to *.1.7 (Bad sender's mailbox address syntax) instead of
*.1.0 (Other address status) because that loses the distinction
between sender and recipient. File: smtpd/smtpd_dsn_fix.c.

20060113

Cleanup: preserve upper case information of address localpart
or extension when mapping one address to another with
non-regexp/pcre tables. Files: global/mail_addr_find.c,
global/maps_find.c.

20060115

Bugfix: don't ignore the per-site policy when SSL library
initialization fails. Introduced after adopting the TLS
patch. File: smtp/smtp_session.c.

20060117

[withdrawn 20060126] Safety: daemon processes that need no
privileges now insist that they are configured to run without
privileges. Files: master/single_server.c, master/multi_server.c,
master/trigger_server.c.

Cleanup: preserve upper case information of address localpart
or extension when mapping addresses via regexp/pcre tables.
This requires that Postfix does not case fold the search
string when searching regexp or pcre tables, so that $number
substitutions produce the expected result.

In order to get a consistent handling of table operations,
the search string case folding logic was moved from the
application to the individual lookup table modules; the
application specifies its case folding preference when it
opens a table, and the table folds the search or update
string as needed.

Files: everything that opens a map or multiple maps (to
specify the case folding preference), and everything that
contained ad-hoc code to lowercase search strings (which
is no longer needed).

Bugfix: as a side effect of this revision of all code that
opens tables, the postmap/postalias -n/-N options are no
longer silently ignored when the -q (query) and -d (delete)
options are specified. Files: postmap/postmap.c,
postalias/postalias.c.

Safety: don't allow $number substitution in transport maps
or sender-dependent relayhost maps.

Cleanup: smtp_sasl_passwd_maps lookup keys are folded to
lowercase before searching tables such as btree:, dbm: or
hash: that have fixed-case fields. File: smtp/smtp_sasl_glue.c.

Bugfix: per-sender relayhost maps were not locked for shared
access.

20060119

Cleanup: don't look up parent domain substrings in regexp/pcre
like tables while searching a hostname in a domain/namaddr_list.
File: util/match_ops.c.

20060120

Cleanup: multiple boolean variables were replaced by a
single TLS enforcement level (none, may, encrypt, verify).
With Victor Duchovni. Files: smtp_session.c, smtp_proto.c,
smtp.h.

Cleanup: the SMTP per-site policy table was re-implemented
in terms of enforcement levels instead of multiple boolean
variables. This greatly simplified the code and led to the
elimination of non-intuitive behavior as documented next.
With Victor Duchovni. Files: smtp_session.c, smtp.h.

Bugfix: a TLS per-site MUST_NOPEERMATCH policy could not
override a main.cf MUST (with peer match) policy, while a
per-site NONE policy could.

Bugfix: a combined TLS per-site (host, next-hop) policy of
(NONE, MAY) would change the strongest main.cf MUST policy
into NONE, while it changed all weaker main.cf policies
into MAY. The result is now NONE for all main.cf policy
settings.

20060123

Feature: recipient_count attribute in SMTPD policy protocol.
This is available only in the DATA and END-OF-MESSAGE stage.
Based on code by Guo Black. Files: smtpd_check.c.

Cleanup: renamed MUMBLE_NUM to MUMBLE_INT to make type
discrepancies more explicit.

Bugfix: change 20051208 broke when a connection could not
be established. File: util/auto_clnt.c.

20060124

Bugfix: the virtual(8) delivery agent did not insist on
privileged operation as it should; this broke change 20060117.
Ralf Hildebrandt. File: virtual/virtual.c.

Bugfix: the TLS sasl security options (change 20060110)
should also be #ifdef USE_TLS, and not only #ifdef
USE_SASL_AUTH.
Such feature interference is difficult to
find in testing. Liviu Daia. File: smtp/smtp_sasl_proto.c.

20060126

Undo: change 20060117 (unprivileged operation test) broke
"sendmail -bs", "postconf -b", "postconf -t", and probably
more. Files: master/{single,multi,trigger}_server.c.

20060130

Bugfix: an empty remote_header_rewrite_domain value caused
trivial-rewrite to dereference a null pointer, but only in
regression tests, not in production. Envelope addresses are
by definition rewritten in the local domain context, because
an address without domain is equivalent to an address in
the local domain; and header addresses are rewritten in the
remote context only when remote_header_rewrite_domain is
non-empty. File: trivial-rewrite/rewrite.c.

20060131

Cleanup: regression tests are now separated into "make
tests" for unprivileged tests, and "make root_tests" for
tests that require privileges to connect to the Postfix
internal sockets. Files: Makefile.in, src/*/Makefile.in.

20060201

Bugfix: despite efforts to treat malformed domain names as
hard errors (change 20050726) they were still processed as
soft errors. File: dns/dns_lookup.c.

20060203

Bugfix: smtpd core dump when SASL was compiled in, turned
off (smtpd_sasl_auth_enable = no) and permit_sasl_authenticated
was specified in local_header_rewrite_clients. Victor
Duchovni. File: smtpd/smtpd_check.c.

Cleanup: don't complain about useless SASL or TLS "permit"
restrictions when SASL or TLS aren't compiled in, but do
reject mail when reject_plaintext_session is specified while
TLS isn't compiled in. File: smtpd/smtpd_check.c.

20060204

Bugfix: disable the content_filter feature for user-requested
"sendmail -bv" probes, just like it is disabled for probes
generated by Postfix itself. File: *qmgr/qmgr_message.c.

20060207

Robustness: place the "do we have TLS" guards within method
implementations, instead of putting them around method
invocations. File: smtpd/smtpd_check.c.

Bugfix: duplicate the cleanup(8) DSN envelope ID syntax
check in smtpd(8), so that clients get better error replies.
File: smtpd/smtpd_check.c.

Bugfix: change 20060203 broke the reject_plaintext_session
feature.

The trivial-rewrite and proxymap multi-server processes now
terminate soon after all their clients disconnect, instead
of waiting for another 100 seconds. This allows the processes
to refresh more frequently on low-traffic systems.

Cleanup: smtpd_delay_open_until_valid_rcpt (default: yes)
controls whether Postfix delays the start of a mail transaction
until after the first valid recipient, or if it starts a
transaction immediately after MAIL FROM. File: smtpd/smtpd.c.

20060217

Bugfix: don't terminate with a non-standard exit status
when the pipe-to-command feature has a problem before it
executes the command. File: global/pipe_command.c.

20060223

Bugfix: detect integer overflow when multiplying time values
with non-trivial time units. File: global/conv_time.c.

20060307

Bugfix: reset the msg_cleanup() fatal error handler in child
processes. See also change 20060217. Files: postlock/postlock.c,
master/multi_server.c, global/mail_run.c, util/vstream_popen.c.

20060310

Bugfix: the MIME processor assumed that input was null
terminated.
This broke with CRLF input to the "sendmail -t"
command in Postfix 2.1 and later (see change 20030416).
Found by Leandro Santi. Based on patch by Victor Duchovni.
Files: global/mime_state.c, global/is_header.c.

20060313

Cleanup: the message arrival time (start of the receive
transaction) no longer controls message expiration or
delivery attempts. Instead, expiration and delivery are
now controlled by the time when the cleanup server creates
a queue file. This closes a problem that was introduced
with the 20051104 change that introduced higher-resolution
delay time keeping: as a result, "postsuper -r" could no
longer manipulate the mail expiration schedule, so that
mail "on hold" could expire too soon.

20060315

Workaround: the PCRE library reports an inappropriate error
code (invalid substring) when $number refers to a valid ()
expression that matches the null string. This caused fatal
run-time errors. File: dict_pcre.c.

20060324

Cleanup: eliminated name collisions between global and local
variables, and other forms of shadowing. Documented switch
fall-throughs with /* FALLTHROUGH */ where this wasn't
already done. Replaced (var = expr) by (var = expr) != 0
where this wasn't already done.

20060324

Bugfix: mis-placed parenthesis in a before-filter error
test. A filter timeout was mis-reported as lost connection.
Found in code review. File: smtpd/smtpd_proxy.c.

20060327

Cleanup: the SQL and LDAP clients now log a warning when
they skip an empty lookup result, so that humans don't have
to wonder why Postfix doesn't find all the database entries.
File: global/db_common.c.

Moved SMTP/LMTP parameter initialization from global/mail_params.c
to the combined smtp/lmtp delivery agent.
Added missing lmtp parameters.

20060328

Feature: configurable chroot directive for the pipe(8)
delivery agent, by Przemyslaw Wegrzyn. Files:
global/pipe_command.c, pipe/pipe.c.

Bugfix: cut-and-paste error: lmtp_connection_cache_limit
was left with the name of smtp_connection_cache_limit.
Reported by Victor? File: src/global/mail_params.h.

20060329

More extensible interface for TLS client/server library,
now passes property structures that combine all the relevant
parameters in one type-safe structure.

TLS session cache activity logging now takes place at TLS
log level 2 or greater.

20060403

Cleanup: made fcntl/flock handling consistent with respect
to EINTR (reported by Carlo Contavalli). However, Postfix
is not meant to be signal safe. Only the master daemon
handles signals without terminating, and it uses only a
small subset of Postfix library routines. File: util/myflock.c.

Bugfix: the pipe-to-command error message was lost when the
command could not be executed. File: global/pipe_command.c.

20060404

Bugfix in sanity check: after reading a record from the
address verification database, a sanity check did not reject
a record with all-zero time stamp fields. Such records are
never written; the test is there just in case something is
broken, so that Postfix will not blindly march on and create
chaos. The sanity check tested pointer values, instead of
dereferencing the pointers. Found by Coverity. File:
verify/verify.c.

Bugfix in sanity check: when the maildir delivery routine
opens an output file it looks up the file attributes via
the file handle it just got. There is a sanity check that
detects if the attribute lookup fails, an error that never
happens.
The code that handles the impossible error did not
close the output file. This would cause a virtual or local
delivery agent to waste up to 100 file descriptors. But
for that error to happen the system would have to be so
sick that you would have more serious problems than a file
descriptor leak. Found by Coverity. Files: local/maildir.c,
virtual/maildir.c.

20060405

Bugfix: the MIME parser assumed input is null terminated
when reporting errors. Fix by Leandro Santi. Files:
global/mime_state.c, cleanup/cleanup_message.c.

20060411

Bugfix: the SMTP server logged no warning when for some
reason the TLS engine was unavailable in wrappermode. Victor
Duchovni. File: smtpd/smtpd.c.

20060417

Cleanup: when SMTP access table lookup fails, reply with
4xx instead of aborting with a fatal run-time error. The
old behavior assumes local file access, and is inappropriate
with deployment of LDAP and SQL tables. File: smtpd/smtpd_check.c.

20060423

Bugfix: postcat did not print the attribute value of records
containing a named attribute. File: postcat/postcat.c.

20060430

Bugfix: dangling pointer in a function that has no caller.
Found by Coverity. File: tls/tls_prng_exch.c.

Bugfix: the workaround for CA-2003-07 (Sendmail) did not
null terminate the address before logging a warning. Reported
by Kris Kennaway. File: global/tok822_parse.c.

20060301-20060515

Sendmail 8 Milter support, distributed across the smtpd(8)
server for SMTP commands, and the cleanup(8) server for
content inspection and manipulation. The code supports all
requests to add/delete recipients, and to add/delete/replace
message headers, but does not yet support requests to replace
the message body. See MILTER_README for more.
Files: smtpd/smtpd.c, smtpd/smtpd_milter.c, cleanup/cleanup_api.c,
cleanup/cleanup_envelope.c, cleanup/cleanup_extracted.c,
cleanup/cleanup_milter.c, milter/milter.c, milter/milter8.c.

That's 89 lines in smtpd, 1010 lines in cleanup, and 2449
lines of library support, comments not included.

A simple test Milter application for use in regression tests
is in src/milter/test-milter.c. Queue file modifications are
tested with a driver at the end of src/cleanup/cleanup_milter.c
that reads commands from a script.

To make debugging easier, uncomment the "#define msg_verbose
2" lines at the top of cleanup_milter.c or milter8.c. This
produces logging without making everything else verbose.

20060510

Preliminary TLS_README and postconf(5) changes completed.
Victor Duchovni.

Added smtp_tls_policy_maps and smtp_tls_protocols features
to the smtp/lmtp client, changed smtp_tls_cipherlist to
only apply when TLS is mandatory. Victor Duchovni.

20060512

Destinations that share a common server may have distinct
TLS protocol and cipherlist requirements. With mandatory
TLS, add the protocol and cipherlist values to the TLS session
lookup key. Victor Duchovni.

20060516

Portability: __float80 alignment, by Albert Chin. File:
util/sys_defs.h.

Further testing of Milter support uncovered typos; a missing
null pointer test while cleaning up after content miltering;
the need for a workaround to not bounce+delete local
submission after it triggers a temporary reject Milter
action.

Workaround: don't bounce+delete a local submission after
it triggers a "reject 4.x.x" action in header/body_checks.
This means an SMTP client now sees "queue file write error"
instead of the text from the "reject 4.x.x text" action.
File: cleanup/cleanup_message.c.

Workaround: OpenSSL 0.9.8[ab] with zlib support interoperability
problem. Victor Duchovni. Files: tls/tls_client.c,
tls/tls_misc.c, tls/tls_server.c.

Added smtpd_tls_protocols parameter to complement
smtp_tls_protocols. Victor Duchovni.

20060517

The smtp_tls_policy_maps table now implements parent domain
matching for destinations that are bare domains (without
enclosing [] or optional :port suffix). This allows one to
set TLS policy for a domain and all sub-domains. Victor
Duchovni.

20060519

The same parameter can bind to different variables in
different daemons. Ignore the variable name when eliminating
duplicates in extract.awk. Victor Duchovni.

20060523

Improved handling of smtp_tls_protocols and smtpd_tls_protocols,
names now processed via name_mask(3) and canonicalized prior
to use in the SMTP/LMTP client TLS session lookup key. Also
simplifies the corresponding code in the TLS driver. Victor
Duchovni.

20060524

Cleanup: send ETRN command parameter when using check_policy
in the context of an ETRN command. Joshua Goodall. File:
smtpd/smtpd_check.c.

20060601

Bugfix (bug introduced 20051118): permit_mx_backup authorized
domains without secondary MX records. Joshua Goodall. File:
smtpd/smtpd_check.c.

20060601

Fixed default value of LMTP TLS client certificate parameters,
using the SMTP values as a default was wrong. Victor Duchovni.

20060603

Different transports may have different CAfile or CApath
settings. We need to add the transport name to the TLS
session lookup key so that sessions verified with one set
of trusted roots are not inadvertently considered verified
for another. Victor Duchovni.
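
The session lookup key changes in entries 20060512, 20060523 and 20060603, as an added C example that is not Postfix source code. The key layout, the function names and the transport name "relay-tls" are hypothetical; the point is that the protocol list is canonicalized to a bit mask before it enters the key, and that the transport name is part of the key.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Protocol names as bit flags, so that the order and spelling used in a
 * configuration value do not change the cache key. */
#define PROTO_SSLV2 (1 << 0)
#define PROTO_SSLV3 (1 << 1)
#define PROTO_TLSV1 (1 << 2)

static const struct { const char *name; int mask; } proto_table[] = {
    {"sslv2", PROTO_SSLV2}, {"sslv3", PROTO_SSLV3}, {"tlsv1", PROTO_TLSV1},
};

/* Convert a list such as "TLSv1, SSLv3" into a bit mask; -1 on an unknown name. */
int proto_mask(const char *list)
{
    int mask = 0;

    while (*list != '\0') {
        char word[16];
        size_t len = 0, i;
        int found = 0;

        if (strchr(", \t:", *list) != NULL) {   /* skip separators */
            list++;
            continue;
        }
        while (*list != '\0' && strchr(", \t:", *list) == NULL) {
            if (len + 1 >= sizeof(word))
                return -1;
            word[len++] = (char) tolower((unsigned char) *list++);
        }
        word[len] = '\0';
        for (i = 0; i < sizeof(proto_table) / sizeof(proto_table[0]); i++) {
            if (strcmp(word, proto_table[i].name) == 0) {
                mask |= proto_table[i].mask;
                found = 1;
            }
        }
        if (!found)
            return -1;
    }
    return mask;
}

/* A field must be non-empty and must not contain the '&' delimiter, or two
 * different tuples could produce the same key. */
static int field_ok(const char *s)
{
    return *s != '\0' && strchr(s, '&') == NULL;
}

/* Build the lookup key. The transport name is always part of the key; the
 * protocol mask and cipher grade are added only for mandatory TLS.
 * Returns 0 on success, -1 on bad input or a too-small buffer. */
int session_key(char *out, size_t outsize, const char *transport,
                const char *server, int mandatory,
                const char *protocols, const char *cipher_grade)
{
    int mask, n;

    if (!field_ok(transport) || !field_ok(server))
        return -1;
    if (!mandatory) {
        n = snprintf(out, outsize, "%s&%s", transport, server);
    } else {
        if ((mask = proto_mask(protocols)) <= 0 || !field_ok(cipher_grade))
            return -1;
        n = snprintf(out, outsize, "%s&%s&p=%02x&c=%s",
                     transport, server, (unsigned) mask, cipher_grade);
    }
    return (n < 0 || (size_t) n >= outsize) ? -1 : 0;
}

int main(void)
{
    char key[128];

    /* Constructed sample values: same server, two transports. */
    if (session_key(key, sizeof(key), "smtp", "mx.example.com:25", 1,
                    "TLSv1, SSLv3", "high") == 0)
        printf("%s\n", key);
    if (session_key(key, sizeof(key), "relay-tls", "mx.example.com:25", 1,
                    "sslv3:tlsv1", "high") == 0)
        printf("%s\n", key);
    return 0;
}
```
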

20060604

Cleanup: minor fluff found with the BEAM source code analyzer.
Files: global/quote_821_local.c, global/quote_822_local.c,
master/master_spawn.c, pickup/pickup.c, util/match_ops.c,
util/safe_open.c, xsasl/xsasl_cyrus_client.c.

20060606

Safety: mail receiving daemons (smtpd, qmqpd) now pass
actual client name/address/helo attributes in addition to
the attributes used for logging (xforward). This prevents
Milter applications from treating qmqpd mail as if it
originated locally, and prevents incorrect Milter decisions
after "postsuper -r". Files: smtpd/smtpd.c, qmqpd/qmqpd.c,
cleanup/cleanup_envelope.c, cleanup/cleanup_milter.c,
cleanup/cleanup_state.c, global/post_mail.c, *qmgr/qmgr_message.c,
*qmgr/qmgr_deliver.c, global/deliver_request.c,
global/deliver_pass.c, local/forward.c.

Bugfix: qmgr panic after queue file corruption by Mailscanner.
Files: *qmgr/qmgr_message.c.

Bugfix: XCLIENT didn't work with smtpd_delay_reject=no
(problem reported by Joshua Goodall). To make XCLIENT work
correctly with built-in restrictions and with Milter
applications, the SMTP server now jumps back to the very
start (the 220 phase) of an SMTP session. File: smtpd/smtpd.c.

20060606

Portability: Some systems no longer support the traditional
"sort +0 -2 +3". Victor Duchovni.

20060607

Portability: Found by BEAM static code analyzer. SSL options
(long) were stored as int.

20060610

Cleanup: XCLIENT and XFORWARD attribute values are now sent
as xtext encoded strings. For backwards compatibility,
Postfix will still accept unencoded attribute values. Files:
smtpd/smtpd.c, smtpd/smtpd_proxy.c, smtp/smtp_proto.c.

20060611

Robustness: additional sanity checks for common database
routines.
Viktor Dukhovni. File: global/db_common.c.

Portability: LDAP 2.3 API support. Viktor Dukhovni. File:
global/dict_ldap.c.

Security: the PostgreSQL client was updated after the
PostgreSQL developers made major database API changes in
response to PostgreSQL security issues. This breaks support
for PGSQL versions prior to 8.1.4, 8.0.8, 7.4.13, and 7.3.15.
Support for these requires major code changes which are not
possible in the time that is left for the Postfix 2.3 stable
release.

Specific PostgreSQL client changes: use connection-aware
quoting, and more robust PQexec() result handling. Previous
versions of the dict_pgsql driver didn't check the status
of the result pointer, and certain exceptional events can
be mis-interpreted as an empty result set. Fixes by Leandro
Santi. File: global/dict_pgsql.c.

20060612

Changed smtp security level parsing and level->name conversion
to use name_code(3). Victor Duchovni.

Implemented new smtp_tls_security_level parameter, to replace
the unnecessarily complex smtp_use_tls, smtp_enforce_tls
and smtp_tls_enforce_peername parameters. The main.cf
security level settings are now consistent with the new
policy table. Victor Duchovni.

The smtp_sasl_tls_verified_security_options feature is not
yet complete, added #ifdef SNAPSHOT and changed documentation
to delay introduction until Postfix 2.4. Victor Duchovni.

20060614

Merged in Victor's work including the new TLS policy table
and a complete set of configuration parameters for the LMTP
personality of the unified SMTP/LMTP client.

Allow mandatory TLS encryption with LMTP over UNIX-domain
sockets. Victor Duchovni.

Safety: improved code to avoid I/O on connections after the
TLS handshake fails. Victor Duchovni.

20060615

Cosmetic patch for const strings. Stefan Huehner.

Other cosmetic changes, mainly whitespace.

20060616

The qshape.pl script was updated for the pointer records
that were introduced to support message content modification
by Milter applications. Victor Duchovni.

20060620

Feature: Substantially better cipherlist specification
interface and support for anonymous ciphers when certificates
are not needed. The primary interface in main.cf and the
policy table selects one of 5 grades for mandatory TLS with
smtp(8) or lmtp(8) or for all TLS sessions with smtpd(8).
The levels are "high", "medium" (or better), "low" (or
better), "export" (or better) and "null". The underlying
definitions of these levels are configurable, but users are
strongly encouraged to not change those definitions. Victor
Duchovni.

20060626

Bugfix: the Milter reply syntax checker was off by one.
File: milter/milter8.c.

Workaround: disable SMTP connection cache lookup by server
IP address when the tls_per_site policy table is enabled.
This is a workaround for a shortcoming in the SMTP connection
cache implementation, which retrieves the server hostname
from the cached connection. Since this server name is not
obtained in a secure manner, it must not be allowed to
control the tls_per_site policy. File: smtp/smtp_reuse.c.

20060627

Cleanup: mumble_mandatory_tls_mumble parameters renamed to
mumble_tls_mandatory_mumble; added _mandatory_ qualifier
to names of parameters that affect only mandatory TLS.

20060630

Features promoted from SNAPSHOT to STABLE: the "sleep"
pseudo restriction; Postfix daemons now read the local
timezone file before chrooting; trivial-rewrite now detects
table changes every 10 seconds, so it restarts more timely.

Features that stay #ifdef SNAPSHOT: tcp_table,
lmtp_sasl_tls_verified_security_options, and
smtp_sasl_tls_verified_security_options.

Compatibility: Sendmail does not send its own Received:
header to Milter applications. Offsets in header replace
requests are relative to the message content as received
(i.e. without our own Received: header), while offsets in
header insert requests are relative to the message as
delivered (i.e. they include our own Received: header).
This explains why dk-filter would sign our own Received:
header but place the signature between our own Received:
header and the rest of the message, violating the draft
domainkeys spec.

20060702

Cleanup: more graceful handling of queue file read/write
errors while processing milter message modification requests.
Files: cleanup/cleanup_milter.c, milter/milter8.c.

20060703

Debugging: the Postfix milter client gives more context
when it experiences trouble while talking to an uncooperative
Milter application. File: milter/milter8.c.

Compatibility: with OpenBSD 2.7 and later, the alias file
is now in /etc/mail/aliases.

20060704

Bugfix: the Milter client skipped zero-length body lines.
File: milter/milter8.c.

Feature (just this one): RFC 3834 "Auto-Submitted:" message
header in DSNs. File: bounce/bounce_notify_util.c.

20060705

Portability: LP64 systems required a few ssize_t->int casts
in debug logging statements. Files: milter/test_milter.c,
cleanup/cleanup_milter.c.

Cleanup: comments, error messages, and crumbling interfaces.

20060707

Workaround: apparently, Solaris gettimeofday() can return
out-of-range microsecond values. File: src/global/log_adhoc.c.

Robustness: the SMTPD policy client now encodes the
ccert_subject and ccert_issuer attributes as xtext. Some
characters are replaced by +XX, where XX is the two-digit
hexadecimal code for the character value. File:
smtpd/smtpd_check.c.

Safety: the SMTP/LMTP client now defers delivery when a
SASL password exists, but the server does not offer SASL
authentication. Mail could be rejected otherwise. This may
become an issue now that Postfix retries delivery in plaintext
after an opportunistic TLS handshake fails. Specify
"smtp_sasl_auth_enforce = no" to deliver mail anyway. File:
smtp/smtp_proto.c. See workaround 20060711 for sender-dependent
SASL passwords. This was undone with the 20060719 workaround.

20060709

Cleanup: the new single smtpd_tls_security_level parameter
obsoletes the multiple smtpd_use_tls and smtpd_enforce_tls
parameters. This is done for consistency with the Postfix
SMTP client. In the Postfix SMTP server, the levels "verify"
and "secure" are currently not applicable, and are treated
as "encrypt", after logging a warning. Files: smtpd/smtpd.c,
tls/tls_level.c, smtp/smtp_session.c.

Compatibility: don't send the first (blank) body line to
Milter applications. This broke domain key etc. signatures
when verified by non-Postfix MTAs. File: milter/milter8.c.

20060710

Cleanup: more consistency between smtpd(8) and smtp(8) TLS
configuration interfaces: smtpd_tls_mandatory_exclude_ciphers,
smtpd_tls_mandatory_ciphers, smtpd_tls_mandatory_protocols.
By Victor. Files: smtpd/smtpd.c.
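
The xtext encoding that entry 20060707 describes (and that 20060610 applies to XCLIENT and XFORWARD values), as an added C example that is not Postfix source code. It follows the RFC 3461 xtext rules and assumes the policy protocol's one "name=value" attribute per line framing; the function names and the sample certificate subject are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* RFC 3461 xtext: ASCII 33..126 except '+' and '=' is sent as-is;
 * every other byte becomes +XX with two upper-case hex digits. */
static int xtext_is_plain(unsigned char ch)
{
    return ch >= 33 && ch <= 126 && ch != '+' && ch != '=';
}

/* Encode len bytes of src into dst (NUL-terminated).
 * Returns the encoded length, or -1 when dst is too small. */
int xtext_encode(const unsigned char *src, size_t len, char *dst, size_t dstsize)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t out = 0, i;

    for (i = 0; i < len; i++) {
        size_t need = xtext_is_plain(src[i]) ? 1 : 3;

        /* Room for this unit plus the terminator, tested without overflow. */
        if (dstsize < need + 1 || out > dstsize - need - 1)
            return -1;
        if (need == 1) {
            dst[out++] = (char) src[i];
        } else {
            dst[out++] = '+';
            dst[out++] = hex[src[i] >> 4];
            dst[out++] = hex[src[i] & 0x0f];
        }
    }
    if (out >= dstsize)
        return -1;
    dst[out] = '\0';
    return (int) out;
}

static int hex_val(int c)
{
    if (c >= '0' && c <= '9')
        return c - '0';
    if (c >= 'A' && c <= 'F')
        return c - 'A' + 10;
    return -1;                  /* lower-case hex is not valid xtext */
}

/* Strict decoder: rejects raw bytes that should have been encoded, and
 * truncated or lower-case +XX sequences. Returns decoded length or -1. */
int xtext_decode(const char *src, unsigned char *dst, size_t dstsize)
{
    size_t out = 0;

    while (*src != '\0') {
        unsigned char ch = (unsigned char) *src;

        if (dstsize < 2 || out > dstsize - 2)
            return -1;
        if (ch == '+') {
            int hi = hex_val(src[1]);
            int lo = hi < 0 ? -1 : hex_val(src[2]);

            if (lo < 0)
                return -1;
            dst[out++] = (unsigned char) ((hi << 4) | lo);
            src += 3;
        } else if (xtext_is_plain(ch)) {
            dst[out++] = ch;
            src++;
        } else {
            return -1;
        }
    }
    if (out >= dstsize)
        return -1;
    dst[out] = '\0';
    return (int) out;
}

/* Build one "name=value\n" attribute line with the value xtext-encoded, so
 * that bytes inside the value cannot end the line or start a new attribute. */
int policy_attr_line(const char *name, const char *value, char *out, size_t outsize)
{
    char enc[512];
    int n;

    if (xtext_encode((const unsigned char *) value, strlen(value), enc, sizeof(enc)) < 0)
        return -1;
    n = snprintf(out, outsize, "%s=%s\n", name, enc);
    return (n < 0 || (size_t) n >= outsize) ? -1 : n;
}

int main(void)
{
    /* Constructed sample: a subject with a space, '=', '+' and a newline. */
    const char *subject = "CN=Test User\nO=Example+Co";
    char line[600];

    if (policy_attr_line("ccert_subject", subject, line, sizeof(line)) > 0)
        fputs(line, stdout);
    return 0;
}
```
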

Cleanup: to support domainkey signing of bounces and
Postmaster notices, enable content inspection of Postfix-
generated mail with the new internal_mail_filter_classes
feature. This is disabled by default, because it is not
yet safe enough. Files: global/int_filt.[hc] and everything
that calls post_mail_fopen*().

20060711

Cleanup: smtpd_tls_mumble -> smtpd_tls_mandatory_mumble,
and finer control over the Postfix SMTP server TLS ciphers,
all this for consistency with the same functionality in the
Postfix SMTP client. Victor Duchovni.

Compatibility: Sendmail's milter client handles whitespace
after the header label and ":" in an interesting manner.
It eats one space (not tab). File: milter/milter8.c.

Workaround: if sender-dependent SASL passwords are enabled,
don't defer delivery when a SASL password exists but the
server doesn't announce SASL support. File: smtp/smtp_proto.c.
This was undone with the 20060719 workaround.

Cleanup: format of cleanup milter reject messages. File:
cleanup_milter.c.

Bugfix: file/memory leak if a transfer of multiple milters
from smtpd to cleanup broke in the middle. Found by Coverity.
File: milter/milter.c.

20060716

Bugfix: "sendmail -bs" panic caused by a missing
SMTPD_STATE_ALONE() guard before a milter_abort() call.
File: smtpd/smtpd.c.

Bugfix (bug introduced with Postfix 2.2): the Postfix SMTP
client enforced Mandatory TLS only when talking to an ESMTP
server; enforcement did not happen if Postfix could somehow
be forced to send HELO instead of EHLO. Victor Duchovni.
File: src/smtp/smtp_proto.c.

20060718

Bugfix (bug introduced 20060711): null pointer bug when
rejecting SMTP mail with Milter application. File:
cleanup/cleanup_milter.c.

Workaround (problem introduced in 200605/200606 TLS update):
the Postfix SMTP server now issues TLS session IDs even
when TLS session caching is turned off, otherwise MS Outlook
fails to deliver mail. There may also be interoperability
issues with other MTAs that we haven't discovered yet.
Specify "smtpd_tls_always_issue_session_ids = no" to disable
the workaround. Victor Duchovni. Files: smtpd/smtpd.c,
tls/tls_server.c.

20060719

Cleanup: the smtp_sasl_auth_enforce feature is gone. It was
meant to work around a problem that was introduced with
plaintext fallback after a failed TLS handshake. Unfortunately,
it created more problems than it solved. We now address the
underlying problem more directly as described next. File:
smtp/smtp_proto.c.

Safety: don't fall back to plaintext delivery after failed
TLS handshake, when the Postfix SMTP client would have
attempted to log in with SASL after successful TLS handshake.
This avoids undesirable behavior regardless of whether the
server does support SASL over plaintext (unexpected password
disclosure) and whether the server doesn't support SASL
over plaintext (insufficient mail relay permission). Files:
smtp/smtp_connect.c, smtp/smtp_session.c, smtp/smtp_proto.c.

20060720

Compatibility: replace %% in milter replies by %, and strip
single (i.e. invalid) % characters. File: milter/milter8.c.

Compatibility: $_ macro support for Milter applications.
Files: smtpd/smtpd.c, smtpd/smtpd_milter.c,
cleanup/cleanup_state.c, cleanup/cleanup_milter.c.

20060721

Safety: disable Milter processing after "postsuper -r". If
the mail has been filtered there is no need to do it again.
Moreover, when mail has passed through an external content
filter, we don't have sufficient information to reproduce
the exact same SMTP events and Sendmail macros that Milters
received when the mail originally arrived in Postfix. This
change does not affect Milter applications that run behind
an after-queue content filter. File: pickup/pickup.c.

Bugfix: Milters received a truncated ORCPT=xxx parameter
due to destructive parsing of something that didn't have
to be preserved before Milter support was added to Postfix.
File: smtpd/smtpd.c.

20060724

Bugfix: when updating the same header multiple times, the
Postfix Milter client created a queue file that caused
delivery agents to loop. File: cleanup/cleanup_milter.c.

20060725

Bugfix: damaged queue file record after a Milter request
to modify a message header when 1) it was the last header
in the unmodified message, and 2) the old header was less
than 15 characters long. File: cleanup/cleanup_milter.c.

Bugfix: don't panic in smtp_rcpt_cleanup() after detecting
a damaged queue file record. File: smtp/smtp_proto.c.

20060726

Bugfix: the 20051013 change to enforce the message size
limit in the SMTP server didn't work for size limits close
enough to INT_MAX. File: smtpd/smtpd.c.

Bugfix (introduced Postfix 2.3): after an SMTP client was
rejected with "smtpd_delay_reject = no", the SMTP server
would panic as it generated spurious Milter requests for
unrecognized commands. File: smtpd/smtpd.c.

20060727

Cleanup: change redundant milter_abort() and milter_disc_event()
calls into NO-OPs. This avoids unnecessary panic() events
for completely harmless conditions. File: milter/milter8.c.
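
The 20060726 size-limit entry and the 20060223 time-unit entry both concern integer arithmetic near INT_MAX. The following added C example (not Postfix source code) shows the two checks written so that the test itself cannot overflow; the function names are hypothetical, the s/m/h/d/w suffix set is an assumption, and the size check illustrates the bug class rather than the actual smtpd fix.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Seconds per time unit suffix; 0 means "unknown suffix". */
static int unit_seconds(int unit)
{
    switch (unit) {
    case 's': return 1;
    case 'm': return 60;
    case 'h': return 60 * 60;
    case 'd': return 24 * 60 * 60;
    case 'w': return 7 * 24 * 60 * 60;
    default:  return 0;
    }
}

/* Convert "<number>[unit]" to seconds. Returns 1 and stores the result on
 * success; returns 0 on syntax errors and when the product would not fit
 * in an int. The overflow test divides instead of multiplying, so it is
 * evaluated without overflowing itself. */
int conv_time_checked(const char *str, int def_unit, int *seconds)
{
    char *end;
    long value;
    int mult;

    errno = 0;
    value = strtol(str, &end, 10);
    if (end == str || errno == ERANGE || value < 0 || value > INT_MAX)
        return 0;
    mult = unit_seconds(*end != '\0' ? (unsigned char) *end : def_unit);
    if (mult == 0 || (*end != '\0' && end[1] != '\0'))
        return 0;
    if (value > INT_MAX / mult)         /* value * mult would overflow */
        return 0;
    *seconds = (int) (value * mult);
    return 1;
}

/* Returns 1 when accepting `chunk` more bytes keeps the running total
 * within `limit`. The naive test "received + chunk > limit" overflows when
 * the limit is close to INT_MAX; subtracting from the limit cannot. */
int size_fits(int received, int chunk, int limit)
{
    if (received < 0 || chunk < 0 || limit < 0 || received > limit)
        return 0;
    return chunk <= limit - received;
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *samples[] = {"100", "1h", "3550w", "3551w", "10x"};
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int secs;

        if (conv_time_checked(samples[i], 's', &secs))
            printf("%-6s -> %d seconds\n", samples[i], secs);
        else
            printf("%-6s -> rejected\n", samples[i]);
    }
    printf("fits: %d\n", size_fits(INT_MAX - 10, 20, INT_MAX - 5));
    return 0;
}
```
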

20060805

Bugfix (introduced Postfix 2.3): #ifdef damage caused
smtp_sasl_start() to be invoked twice. Reported by C-J
Lofstedt. File: smtp/smtp_sasl_proto.c.

20060806

Postfix no longer announces its name in delivery status
notifications. Users believe that Wietse provides a free
helpdesk service that solves all their email problems.
Credits to Jonathan Balester. File: bounce/bounce_templates.c.

20060807

Bugfix (introduced Postfix 2.2): when upgrading from Postfix
< 2.2 with the third-party TLS patch, the post-install
upgrade procedure didn't put a "?" in the existing tlsmgr
entry, causing tlsmgr to repeatedly start and exit when TLS
support was not compiled in. File: conf/post-install.

20060812

Bugfix (introduced < Postfix alpha): safety mechanism in
mail_date() didn't work. Found in code review. File:
global/mail_date.c.

20060817

Test programs for host address->name and name->address
lookups to debug name service inconsistencies, typically
when the Postfix SMTP server claims that a hostname is
"unknown". Files: auxiliary/name-addr-test/*.

20060822

Added missing logging for "message to large" etc. Files:
smtpd/smtpd.c, cleanup/cleanup_milter.c.

20060823

Bugfix (introduced Postfix 2.2): segfault when vstream_fclose()
attempted to flush unwritten output, after vstream_fdclose()
had already disconnected the stream from its file descriptor.
File: util/vstream.c.

Bugfix (introduced Postfix 2.2): vstream_fdclose() did not
flush unwritten output before disconnecting a stream from
its file descriptor(s). File: util/vstream.c.

Feature: smtp-sink can capture mail to file, either as one
individual message per file, or as multiple messages per
file.
	After an initial implementation by Weidong Cui. File:
	smtpstone/smtp-sink.c.

	Bugfix (introduced < Postfix alpha): smtp-sink did not
	correctly recognize DOT-CR-LF immediately after DATA. File:
	smtpstone/smtp-sink.c.

	Cleanup: smtp-sink now requires that MAIL FROM, RCPT TO and
	DATA be sent in the correct order. This simplified the
	implementation of the capture to file feature. File:
	smtpstone/smtp-sink.c.

20050824

	Portability: inside functions, GCC 4 refuses forward
	declarations of static functions. File: smtpstone/smtp-sink.c.

20060825

	Bugfix (introduced Postfix 2.3): with headers-only mail, a
	Milter "header insert" action corrupted the queue file. The
	cleanup server executed some end-of-body action before the
	end-of-header actions. File: cleanup/cleanup_message.c.

	Robustness: mail delivery agents now detect loops in queue
	files. Files with too many backward jumps are saved to the
	"corrupt" directory. File: global/record.c.

20060831

	Bugfix (introduced with initial implementation): missing
	"dict_errno = 0" caused mis-leading error messages after
	non-error lookup failure. Victor Duchovni. File:
	util/dict_cidr.c.

	Robustness: the default TLS cipher lists were changed from
	!foo:ALL into ALL:!foo. Victor Duchovni. Files:
	global/mail_params.h and documentation.

20060902

	Bugfix (introduced Postfix 2.3): the LMTP client stripped
	"inet:" from the next-hop destination, but still used the
	complete next-hop from the delivery request. File:
	smtp/smtp_connect.c.

20060903

	Cleanup: record loop detection. File: global/record.c.

20060929

	Workaround: AIX 5.[1-3] getaddrinfo() creates socket address
	structures with a non-zero port value. This breaks the
	smtp_bind_address etc.
	features, and breaks inet_interfaces
	settings with only one IP address. Problem reported by
	Hamish Marson. Files: util/sock_addr.[hc], util/myaddrinfo.c.

	Bugfix (introduced with the Postfix TLS patch): memory leak
	in verify_extract_peer(). The OpenSSL documentation provides
	no information on how subjectAltNames are managed. Sam
	Rushing, ironport. File: tls/tls_client.c.

	Bugfix (introduced with Postfix 2.2): smtp_generic_maps
	turned on MIME conversion. File: smtp/smtp_proto.c.

	Workaround: don't send SIZE information in the MAIL FROM
	command when message content will be subject to 8bit ->
	quoted-printable conversion. File: smtp/smtp_proto.c.

20061002

	Compatibility: Sendmail now invokes the Milter connect
	action with the verified hostname instead of the name
	obtained with PTR lookup. File: smtpd/smtpd.c.

20061004

	Cleanup: force space between mailq queueid+status and file
	size items. File: showq/showq.c.

20061005

	Cleanup: make CISCO PIX bug workarounds configurable. This
	introduces new parameters: smtp_pix_workarounds (default:
	disable_esmtp, delay_dotcrlf) and smtp_pix_workaround_maps
	(workarounds indexed by server IP address). The default
	settings are backwards compatible. File: smtp/smtp.c,
	smtp/smtp_proto.c.

20061006

	Workaround: include the smtpd(8) service name when searching
	the TLS session cache, to avoid cross-talk between multiple
	master.cf entries. This does not eliminate cross-talk between
	multiple (x)inetd.conf entries. Victor Duchovni. Files:
	smtpd/smtpd.c, tls/tls_server.c.

20061015

	Cleanup: convert the Milter {mail_addr} and {rcpt_addr}
	macro values to external form. File: smtpd/smtpd_milter.c.

	Cleanup: the Milter {mail_addr} and {rcpt_addr} macros are
	now available with non-SMTP mail. File: cleanup/cleanup_milter.c.

	Cleanup: convert addresses in Milter recipient add/delete
	requests to internal form. File: cleanup/cleanup_milter.c.

	Cleanup: with non-SMTP mail, convert addresses in simulated
	MAIL FROM and RCPT TO events to external form. File:
	cleanup/cleanup_milter.c.

20061017

	Cleanup: removed spurious warning when the cleanup server
	attempts to bounce mail with soft_bounce=yes. Problem
	reported by Ralf Hildebrandt. File: cleanup/cleanup_bounce.c.

	Bugfix: null pointer bug when receiving a non-protocol
	response on a cached SMTP/LMTP connection. Report by Brian
	Kantor. Fix by Victor Duchovni. File: smtp/smtp_reuse.c.

20061106

	Feature: new retry delivery agent, to avoid the synchronous
	defer service client in the queue manager. This code is
	co-located with the error(8) server. File: error/error.c.

	Performance: the queue manager could spend too much time
	in the synchronous defer service client, causing the watchdog
	timer to go off. Where possible, the queue manager now
	bounces or defers recipients asynchronously, by routing
	them to the error or the retry delivery agent. Code by
	Wietse and Patrik Rak. Files: global/recipient_list.c,
	*qmgr/qmgr_error.c, *qmgr/qmgr_defer.c, *qmgr/qmgr_entry.c,
	*qmgr/qmgr_deliver.c, *qmgr/qmgr_message.c.

	Performance: refined recipient and job grouping, and more
	aggressive early refill of in-memory recipients to prevent
	a worst-case scenario where the queue manager became starved
	until after the last batch of slow in-memory recipients of
	jumbo multi-recipient mail. Code by Patrik Rak.
	Files:
	global/mail_conf_time.c, qmgr/qmgr_message.c, qmgr/qmgr.c,
	qmgr/qmgr.h, qmgr/qmgr_entry.c, qmgr/qmgr_job.c,
	qmgr/qmgr_message.c, qmgr/qmgr_transport.c.

20061113

	Bugfix: the Postfix install/upgrade procedure broke with
	non-default config_directory. File: conf/post-install.

20061115

	Bugfix: null pointer bug in end-of-header Milter action
	when the last header line is too large. Reported by Mark
	Martinec. The root of the problem is that the MIME state
	engine may execute up to three call-back functions when it
	reaches the end of the headers, before it returns to the
	caller; as long as call-backs return no result, each call-back
	has to check for itself if a previous call-back ran into a
	problem. File: milter/milter8.c.

	Workaround: reduce effective header_size_limit to 60000
	when Milter inspection is enabled, to avoid breaking the
	Milter protocol request length limit. File:
	cleanup/cleanup_message.c.

20061123

	Safety: don't read more than 5000 recipients at a time, to
	avoid spending too much time away from interrupts. File:
	qmgr/qmgr_message.c.

20061201

	Workaround: don't complain with "Error 0" in the trivial-rewrite,
	verify, proxymap or connection cache client when the server
	exits after the client sends its request. We still complain,
	however, when the problem persists. Files: global/rewrite_clnt.c,
	global/resolve_clnt.c, global/verify_clnt.c, global/scache_clnt.c,
	global/dict_proxy.c.

	Safety: the header_size_limit is now enforced more strictly,
	to avoid inter-operability problems with the Milter protocol.
	Long headers are truncated at a line boundary if possible,
	otherwise they are cut between line boundaries. File:
	cleanup/cleanup_out.c.

20061203

	Bugfix (introduced with Postfix 2.2): with SMTP server
	tarpit delays of smtp_rset_timeout or larger, the SMTP
	client could get out of sync with the server while reusing
	a connection. The symptoms were "recipient rejected .. in
	reply to DATA". Fix by Victor Duchovni and Wietse. Files:
	smtp/smtp_proto.c, smtp/smtp_connect.c.

	Robustness: the vbuf and vstream documentation claimed that
	their *error() macros reported timeout errors, but they
	didn't really. The implementation was fixed, and redundant
	vstream_ftimeout() calls were removed. As a result, many
	Postfix daemons now properly detect write timeout errors
	on internal connections. Files: util/vbuf.h.

	Workaround: some broken SMTP servers reply and hang up in
	the middle of DATA. The Postfix SMTP client now stops sending
	and tries to receive the server response. This can help to
	avoid repeated delivery attempts. Initial implementation
	by Wietse, later work by Victor Duchovni. Files:
	smtp/smtp_proto.c, smtpstone/smtp-sink.c, util/vstream.c,
	plus trivial mods for code that calls vstream_fpurge().

20061204

	Compatibility: The Postfix installation/upgrade procedure
	no longer sets "unknown_local_recipient_code = 450" in
	main.cf. This was a safety net for upgrades from Postfix
	1.x. Four years later it is no longer needed. File:
	conf/post-install.

	Cleanup: removed vstream_fclose() error warning in the code
	that disconnects from a delivery agent. There is no need
	to report errors here because they would already be reported
	earlier. Files: *qmgr/qmgr_deliver.c.

	Robustness: "kill me after N seconds" feature to ensure
	that a daemon process does not get stuck while preparing
	for exit after signal arrival. File: util/killme_after.[hc],
	util/watchdog.c, master/master_sig.c.

20061206

	Robustness: low-cost re-entrancy guard that allows daemons
	to safely call msg_fatal() etc. from a signal handler,
	without risking memory corruption, or deadlock on Redhat
	Linux. This works provided that the signal handler terminates
	the process. In that special case we need not guarantee
	after-the-fact consistency of the thread that was interrupted.
	File: util/msg_output.c.

	Robustness: replace exit() calls by _exit(). File: util/msg.c,
	bounce/bounce_cleanup.c.

20061207

	Workaround: on systems with usable futimes() or equivalent
	(Solaris, *BSD, MacOS, but not Linux), always explicitly
	set the queue file last modification time stamps while
	creating a queue file. With this, Postfix can avoid logging
	warnings when the file system clock is ahead of the local
	clock. Clock skew can be a problem, because Postfix does
	not deliver mail until the local clock catches up with the
	queue file's last modification time stamp. File:
	global/mail_stream.c.

	Workaround: on systems without usable futimes() or equivalent,
	log a warning when the file system clock is more than 100
	seconds behind the local clock. This does not cause mail
	delivery problems, but it just looks silly in message
	headers. File: global/mail_stream.c.

	On systems without usable futimes() (Linux, and ancient
	versions of Solaris, SunOS and *BSD) Postfix will keep using
	the slower utime() system call to update queue file time
	stamps when the file system clock is off with respect to
	the local system clock.

	Compatibility with Postfix < 2.3: undo the change to bounce
	instead of defer after pipe-to-command delivery fails with
	a signal. File: global/pipe_command.c.
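
The 20061206 entry above describes a re-entrancy guard that lets a daemon call msg_fatal() from a signal handler, provided the handler terminates the process. The following added example (not Postfix code) shows that pattern with a flag that refuses a nested logger call. All names are hypothetical, and signal delivery is simulated by a hook that returns, so that the outcome can be inspected.

```c
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical names throughout; this is not code from util/msg_output.c. */

static volatile sig_atomic_t in_logger;  /* set while the logger is active */
static char log_line[128];               /* shared, non-reentrant state */
static void (*sim_signal)(void);         /* demo hook: stands in for a signal */
static int nested_result = -1;           /* what the nested call returned */

/*
 * Format and write one line. Returns 1 when the line was written, 0 when
 * the call was refused because it interrupted a logger call in progress.
 */
static int guarded_log(const char *text)
{
    if (in_logger)
        return (0);                      /* re-entered: touch nothing */
    in_logger = 1;
    snprintf(log_line, sizeof(log_line), "fatal: %s\n", text);
    if (sim_signal)
        sim_signal();                    /* "signal" lands mid-call */
    if (write(STDERR_FILENO, log_line, strlen(log_line)) < 0) {
        /* Nowhere left to report a failed write. */
    }
    in_logger = 0;
    return (1);
}

/* What a handler would do first: try to log, and get refused if nested. */
static void handler_body(void)
{
    nested_result = guarded_log("caught signal");
}

/*
 * Real handler shape: log if possible, then _exit(). Because control never
 * returns to the interrupted code, its half-updated state is never used.
 */
static void on_sigterm(int sig)
{
    (void) sig;
    handler_body();
    _exit(1);
}

/*
 * Simulate a signal arriving while the logger is busy. Unlike a real
 * handler, the simulated one returns, so the outcome can be inspected.
 * Returns 1 when the nested call was refused and the outer line survived.
 */
static int nested_call_is_refused(void)
{
    int outer;

    nested_result = -1;
    sim_signal = handler_body;
    outer = guarded_log("queue file write error");
    sim_signal = 0;
    return (outer == 1 && nested_result == 0
            && strcmp(log_line, "fatal: queue file write error\n") == 0);
}

int main(void)
{
    signal(SIGTERM, on_sigterm);
    printf("nested call refused: %d\n", nested_call_is_refused());
    return (0);
}
```

The cost of the guard is that a message raised while the logger is already busy is dropped rather than written.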

20061208

	Workaround: apparently, some mail software removes or hides
	"<postmaster>" in the Postfix bounce text, because it
	processes the text as if it were HTML. This confuses users.
	The bounce template has been updated to remove the < and
	>. File: bounce/bounce_templates.c.

	Cleanup: when smtp_generic_maps is turned on, don't parse
	MIME structures in the message body. Victor Duchovni. File:
	smtp/smtp_proto.c.

20061210

	Cleanup: streamline the signal handler reentrancy protections,
	and document under what conditions these protections work,
	with REENTRANCY sections in the relevant man pages. Files:
	util/vbuf_print.c, util/msg.c, util/msg_output.c.

20061211

	Cleanup: when doing server access control by the remote TLS
	client fingerprint, do not require client certificate
	verification. Victor Duchovni. File: smtpd/smtpd_check.c.

	Safety: when the remote TLS client certificate isn't verified,
	don't send ccert_subject and ccert_issuer attributes in
	check_policy_service requests. Victor Duchovni. File:
	smtpd/smtpd_check.c.

	Bugfix: the postconf command still complained about an
	unqualified machine name, because it was not updated with
	the 20050513 change that introduced a default "mydomain =
	localdomain". File: postconf/postconf.c.

20061213

	Bugfix: race condition in "ETRN site", "sendmail -qRsite"
	and "postqueue -s site". When the command arrived while an
	incoming queue scan was already in progress, mail could
	stay deferred instead of being flushed. The fix was to
	unthrottle the queue manager before moving files from the
	deferred queue to the incoming queue. Files: flush/flush.c,
	qmgr/qmgr_scan.c.

	Cleanup: the sendmail and postqueue commands no longer
	terminate with a non-standard error status after a run-time
	error in some Postfix internal routine (typically, some
	essential file is not accessible, or the system is out of
	memory). Files: sendmail/sendmail.c, postqueue/postqueue.c.

	Feature: "sendmail -qIqueueid" and "postqueue -i queueid"
	to flush a specific queue file. Files: sendmail/sendmail.c,
	postqueue/postqueue.c, global/flush_clnt.c, flush/flush.c.

20061214

	Performance: "sendmail -qIqueueid" and "postqueue -i queueid"
	unthrottle only the necessary message delivery transports
	and queues. The unthrottle request now is propagated to the
	queue manager via queue file group read permission bits.
	Based on initial implementation by Victor Duchovni. Files:
	flush/flush.c, *qmgr/qmgr.c, *qmgr/qmgr_scan.c,
	*qmgr/qmgr_active.c, *qmgr/qmgr_message.c.

20061220

	Workaround: PMilter 0.95 does not deliver SMFIC_EOB+data
	to the application as SMFIC_BODY+data followed by SMFIC_EOB.
	To avoid compatibility problems, Postfix now sends
	SMFIC_BODY+data followed by SMFIC_EOB. File: milter/milter8.c.

	Bugfix (introduced with Postfix 2.3): when inserting
	Milter-generated headers at increasing positions in a
	message, a later header could end up at a previously used
	insertion point. Thus, inserting headers at positions (N,
	N+M) could work as if (N, N) had been specified. Problem
	reported by Mark Martinec. File: milter/milter8.c.

20061221

	Feature: time unit suffix support in _command_time_limit.
	Files: pipe/pipe.c, spawn/spawn.c.

20061227

	Bugfix (introduced with Postfix 2.3): the MX hostname syntax
	check was skipped with reject_unknown_helo_hostname and
	reject_unknown_sender/recipient_domain, so that Postfix
	would still accept mail from domains with a zero-length MX
	hostname. File: smtpd/smtpd_check.c.

20061229

	Cleanup: use separate TLS_LEGACY_README to document the old
	TLS user interface. This will simplify TLS_README dramatically.

	Cleanup: untangled spaghetti code. File: util/inet_listen.c.

20070104

	Bugfix (introduced Postfix 2.3): when creating an alias map
	on a NIS-enabled system, don't case-fold the YP_MASTER_NAME
	and YP_LAST_MODIFIED lookup keys. This requires that an
	application can turn on/off case folding on the fly. Files:
	postalias/postalias.c, global/dict_mumble.c, util/dict_mumble.c,
	proxymap/proxymap.c.

	Cleanup: after the above revision of the proxymap protocol,
	the proxymap server can now share the same map with clients
	that have only minor differences in dictionary open/access
	options.

20070105

	Performance: pipeline of pending delivery agent connections,
	to improve Linux/Solaris mail delivery performance by another
	10% while going down-hill with the wind from behind. Design
	and implementation by Victor and Wietse. Files: *qmgr/qmgr.c,
	*qmgr/qmgr.h, *qmgr/qmgr_transport.c.

20070106

	Cleanup: eliminate the Linux/Solaris "wait for accept()"
	stage from the queue manager to delivery agent protocol.
	This alone achieves 99.99% of the Linux/Solaris speed up
	from the preceding change. The pending connection pipeline
	takes care of the rest. Tested on Linux kernels dating
	back to 2.0.27 (that's more than 10 years ago). Files:
	*qmgr/qmgr_transport.c.

20070112

	Bugfix (introduced 20011008): after return from nested
	access restriction, possible longjump into exited stack
	frame upon configuration error or table lookup error. Victor
	Duchovni. Files: smtpd/smtpd_check.c.

	Workaround: don't insert header/body blank line separator
	in malformed attachments, to avoid breaking digital signatures.
	Switch from header to body state, for robust MIME parsing.
	People concerned about MIME evasion can use a MIME normalizer
	to corrupt their users' legitimate email. File:
	global/mime_state.c.

20070114

	Feature: body replacement support for Milter applications.
	Postfix 2.3 and older 2.4 versions will be able to deliver
	body-replaced queue files, but will report the message size
	as it was before the body was replaced. Files: milter/milter8.c,
	cleanup/cleanup_milter.c, cleanup/cleanup_body_region.c.

20070117

	Cleanup: reusable infrastructure for body replacement.
	Files: cleanup/cleanup_body_edit.c, cleanup/cleanup_region.c.

20070118

	Bugfix: match lists didn't implement ![ipv6address]. Problem
	reported by Paulo Pacheco. File: util/match_list.c.

	Cleanup: revised the matchlist "!" support, added support
	for !/file/name, and updated the documentation. File:
	util/match_list.c.

20070119-21

	Cleanup: pad short message headers with a filler record,
	so that the result is never shorter than a pointer record.
	This immensely simplified the support for Milter header
	modification requests: three complex loops could be replaced
	by one simpler loop. The DTXT record type was re-purposed
	from "deleted header text" to "short header padding", keeping
	the change backwards compatible. Files: cleanup/cleanup_out.c,
	cleanup/cleanup_milter.c, global/record.c.

	Cleanup: the Milter "add recipient" action always added the
	recipient to the initial envelope segment, causing added
	recipients to be separate from "sendmail -t" recipients.
	This violated design, without impact on delivery (always_bcc
	recipients are always at the end of the queue file even when
	all other recipients are in the initial segment). File:
	global/rec_types.h.

20070123

	Workaround: OpenSSL falsely concludes that AES256 support
	is present when only AES128 is available. Code by Victor
	Duchovni. File: tls/tls_misc.c.

20070125

	Disable workaround pending completion of updated TLS
	support in non-production releases.

20070131

	Assorted code cleanup, portability fixes/workarounds, and
	minor updates: global/dict_ldap.c, mantools/postlink,
	tlsmgs/tlsmgr.c, conf/master.cf. LaMont Jones.

20070101

	Portability: GNU Hurd support for multiple kernel environments.
	LaMont Jones. Files: util/sys_defs.h, makedefs.

	Cleanup: some default settings were adjusted to better fit
	today's environment: queue_run_delay and minimal_backoff_time
	were reduced from 1000s to 300s, so that deliveries are
	retried earlier after the first failure; ipc_idle was reduced
	from 100s to 5s, so that tlsmgr and scache clients will
	more quickly release unused file handles. Files:
	global/mail_params.h, proto/postconf.5.html

20070202

	Catch-up: FreeBSD kqueue support. File: util/events.c.

20070205

	System-V poll(2) support. This is now the preferred method
	to test a single file descriptor on sufficiently recent
	versions of FreeBSD, NetBSD, OpenBSD, Solaris and Linux;
	other systems will be added as evidence becomes available
	of usable poll(2) implementations.
	Files: util/read_wait.c,
	util/write_wait.c, util/readble.c, util/writable.c.

	Streamlined the event_enable_read/write implementation to
	speed up smtp-source performance, by eliminating expensive
	kqueue/devpoll/epoll system calls when only the application
	call-back information changes. On FreeBSD, smtp-sink/source
	tests now run 5% faster than with the old select(2) based
	implementation. File: util/events.c.

20070206

	Catch-up: Solaris /dev/poll support. File: util/events.c.

	Bugfix (introduced 20060823): initial state was not in state
	machine, causing memory access outside the lookup table.
	File: smtpstone/smtp-sink.c.

20070210

	Catch-up: Linux epoll support. File: util/events.c.

20070211

	Polished the kqueue/devpoll/epoll support; this is now
	enabled by default on sufficiently recent versions of
	FreeBSD, NetBSD, OpenBSD, Solaris and Linux; other systems
	will be added as evidence becomes available of usable
	implementations. File: util/events.c.

20070212

	Further polish: removed some typos from new code in the
	events.c handler, undid some unnecessary changes to the
	{read,write}{_wait,able}.c modules, and addressed Victor's
	paranoia for multi-client servers with a thousand clients
	while linked with library routines that can't handle file
	descriptors >= FD_SETSIZE.

	Cleanup: while debugging the new events.c handler, removed
	an unnecessary "write after connect" call-back event. File:
	global/post_mail.c.

20070214

	Robustness: in the queue manager keep a number of free file
	descriptor slots at the low end, to work around library
	routines that can't handle file descriptors >= FD_SETSIZE.
	Files: *qmgr/qmgr_transport.c, util/vstream.[hc]

20070215

	Bugfix (introduced 20070114 with Milter body edit support):
	the cleanup server terminated with a fatal error when SMTP
	mail exceeded the message size limit, instead of handling
	it as a non-fatal error. Files: cleanup/cleanup_extracted.c,
	cleanup/cleanup_final.c, cleanup/cleanup_bounce.c,
	cleanup/cleanup_api.c.

20070217

	Streamline the compile time selection of event handling
	styles, replacing multiple on/off macros by just one
	multi-valued macro. Files: util/sys_defs.h, util/events.c,
	master/multi_server.c, *qmgr/qmgr_transport.c.

20070220

	Work-around: Disable SSL/TLS ciphers when the underlying
	symmetric algorithm is not available in the OpenSSL crypto
	library at the required bit strength. Problem observed with
	SunOS 5.10's bundled OpenSSL 0.9.7 and AES 256. Also possible
	with OpenSSL 0.9.8 and CAMELLIA 256. Root cause fixed in
	upcoming OpenSSL 0.9.7m, 0.9.8e and 0.9.9 releases. Victor
	Duchovni, Morgan Stanley. Files: src/smtp/smtp_proto.c,
	src/smtpd/smtpd.c, src/tls/tls.h, src/tls/tls_client.c,
	src/tls/tls_misc.c and src/tls/tls_server.c.

20070222

	Workaround: delayed "postfix reload" with ancient FreeBSD4
	kqueue implementations, causing the first external or
	internal clients after "postfix reload" to experience a
	quick disconnect. Apparently, these kqueue implementations
	do not deliver a read notification when the master closes
	the per-service shared master/child status pipe (even when
	there is only one child; note that the master keeps a handle
	to both ends of each status pipe). A child process remains
	ignorant that the status pipe was closed until the arrival
	of the next client request, and then terminates.
	The
	workaround is to ignore master status write errors before
	handling a service request. Files: master/*_server.c.

	Cleanup: fix race condition that caused unnecessary "premature
	end-of-input" warning messages when "postfix reload" was
	issued on a busy mail server. Files: util/attr_scan*c.

20070223

	Cleanup: syslog_name now works as documented with both
	daemons and commands (including set-gid commands). Files:
	global/mail_task.c, postlog/postlog.c, global/mail_version.h,
	sendmail/sendmail.c, postsuper/postsuper.c, postalias/postalias.c,
	postmap/postmap.c, postqueue/postqueue.c, postdrop/postdrop.c,
	master/trigger_server.c, master/single_server.c,
	master/multi_server.c.

20070224

	Workaround: GNU POP3D creates a new mailbox and deletes the
	old one. Postfix now backs off and retries delivery later,
	instead of appending mail to a deleted file. To minimize
	the use of this workaround, Postfix now by default creates
	mailbox dotlock files on all systems, and creates dotlock
	files before opening mailbox files. Files: util/sys_defs.h,
	global/mbox_open.c.

20070301

	Workaround: updated workaround for broken Solaris accept().
	File: util/inet_listen.c.

	Workaround: on some FreeBSD versions, accept(2) can fail
	with a bogus EINVAL error. We now allow accept(2) to fail
	for a limited number of times before terminating the process.
	Files: master/single_server.c, master/multi_server.c.

20070306

	Bugfix (introduced with Postfix 2.3 Milter support): postdrop
	reported "illegal seek" instead of "file too large". File:
	postdrop/postdrop.c.

20070310

	Cleanup: specify "undisclosed_recipients_header =" to disable
	Postfix's "To: undisclosed-recipients:;" header for mail
	that lists no recipient.
	The To: header is not required as
	of RFC 2822. The undisclosed_recipients_header parameter
	value can now be an empty string, a value that was not
	allowed with earlier Postfix versions. With Postfix 2.5 it
	will be empty by default. Files: cleanup/cleanup.c,
	cleanup/cleanup_message.c.

20070312

	Backwards compatibility: don't pad short message header
	records when Milter support is turned off. This maintains
	compatibility with Postfix versions that pre-date Milter
	support. File: cleanup/cleanup_out.c.

20070314

	Bitrot: move the "don't run this daemon by hand" message
	before other tests. Files: master/*server.c.

20070315

	Bitrot: New OpenLDAP APIs deprecate simplified interfaces,
	that are the only ones available in Sun's LDAP SDK. Define
	suitable macros that work with new OpenLDAP and Sun's code.
	Victor Duchovni, Morgan Stanley. File: src/global/dict_ldap.c

	Cleanup: new "leaf" and "terminal" result attributes support
	fine-tuning of LDAP group expansion, and provide a solution
	for the problem case where DN recursion returns both the
	group address and the addresses of the member objects.
	Victor Duchovni, Morgan Stanley. Files: src/global/dict_ldap.c,
	proto/LDAP_README.html, proto/ldap_table

20070317

	Idioten Sicherheit: stamp every executable file and every
	core dump file with "mail_version=xxxxx". Adding version
	stamps and checks to every IPC message is too much change
	after code freeze, and requires too much time for testing.
	File: src/global/mail_version.h and every main program file.

20070320

	Bugfix (introduced between 20070120 and 20070121): the
	cleanup server stored no "delayed mail warning" queue file
	records with "sendmail -t", and no header_checks filter/redirect
	records or content encoding records with other mail. File:
	global/rec_type.h.

20070321

	Bugfix (introduced 20070224): local(8) or virtual(8) could
	log a misleading error message after failure to open a
	mailbox file. File: global/mbox_open.c.

	Bugfix (code should have been updated 20070104): the proxymap
	client did not propagate changes in case folding flags.
	Currently, nothing in Postfix uses this functionality.
	File: global/dict_proxy.c.

20070325

	Bugfix: postfix-install didn't work for symlink or hardlink
	targets, when the parent directory had a value of "no".

20070326

	Workaround: Eric Raymond's man page formatters don't handle
	low-level *roff .in or .ti controls. We now use .nf and .fi
	instead. Files: many.

20070331

	Bugfix (introduced Postfix 2.3): segfault with HOLD action
	in access/header_checks/body_checks on 64-bit platforms.
	File: cleanup/cleanup_api.c.

20070402

	Portability (introduced 20070325): the fix for hardlinks
	and symlinks in postfix-install forgot to work around shells
	where "IFS=/ command" makes the IFS setting permanent. This
	is allowed by some broken standard, and affects Solaris.
	File: postfix-install.

	Portability (introduced 20070212): the workaround for
	non-existent library bugs with descriptors >= FD_SETSIZE
	broke with "fcntl F_DUPFD: Invalid argument" on 64-bit
	Solaris. Files: master/multi_server.c, *qmgr/qmgr_transport.c.

20070405

	Feature: BCC access/policy action, to demonstrate that this
	is not a good feature.
	The action's behavior is non-intuitive
	and requires too much documentation to explain. It's
	therefore snapshot only. File: smtpd/smtpd_check.c.

20070414

	Cleanup: expire cached results from address rewriting, address
	resolution, and from transport map lookups. Results expire
	after 30 seconds; short enough that it doesn't freak out
	people who run the same test repeatedly, and long enough
	that it doesn't upset other people with continuous streams
	of "*" transport map lookups. Files: global/rewrite_clnt.c,
	global/resolve_clnt.c, trivial-rewrite/transport.c.

20070421

	Cleanup: on (Linux) platforms that cripple signal handlers
	with deadlock, "postfix stop" now forcefully stops all the
	processes in the master's process group, not just the master
	process alone. File: conf/postfix-script.

20070422

	Cleanup: the "Delivered-To:" loop detection implementation
	was moved from the local(8) delivery agent to the library,
	where it can also be used by other delivery agents. Files:
	global/delivered_hdr.[hc].

	Safety: the "Delivered-To:" loop detection implementation
	keeps state for no more than 1000 "Delivered-To:" headers.

	Feature: $domain command-line macro support, to get access
	to the recipient address domain portion. Based on code by
	Koen Vermeer. File: pipe/pipe.c.

	Cleanup: support for "Delivered-To:" loop detection in the
	pipe(8) delivery agent. This follows a general principle:
	if a program creates the "Delivered-To:" header, then it
	is also responsible for "Delivered-To:" loop detection.
	File: pipe/pipe.c.

20070423

	The cache expiring transport map lookups did not distinguish
	between a wildcard transport map entry with an "empty" transport
	field, and no wildcard transport map entry.

20070424

        Cleanup: making hard-coded behavior configurable. In this
        case, extracting 8BITMIME encoding information from
        Content-Transfer-Encoding: message headers. The default
        behavior, "detect_8bit_encoding_header = yes", is backwards
        compatible. This behavior was introduced to generate
        RFC-compliant bounce messages before Postfix supported the
        8BITMIME option in the MAIL FROM command and on the Postfix
        sendmail command line. Files: cleanup/cleanup_init.c,
        cleanup/cleanup_message.c, global/mail_params.h.

20070425

        Bugfix: don't falsely report "lost connection from
        localhost[127.0.0.1]" when Postfix is being portscanned.
        Files: smtpd/smtpd_peer.c, qmqpd/qmqpd_peer.c.

20070429

        Feature: "postfix status" to report whether Postfix is
        running. By Mike Cappella.

        Cleanup: configurable address case folding moved from the
        pipe(8) delivery agent to the library, where it can also
        be used by other delivery agents. Files: global/fold_addr.[hc].

20070430

        Robustness: recommend a "0" process limit for policy servers
        to avoid "connection refused" problems when the smtpd process
        limit exceeds the default process limit. File:
        proto/SMTPD_POLICY_README.html.

20070501

        Workaround: turn on KEEPALIVE probes to avoid "lost
        connection after sending end-of-data" problems when some
        stateful (NAT) filter expires an idle connection too soon.
        This requires that the kernel's TCP keepalive timer be set
        to a sufficiently short time (perhaps 100s or less). Files:
        util/sane_accept.c, util/sane_connect.c.

        Safety: when IPv6 (or IPv4) is turned off, don't treat an
        IPv6 (or IPv4) connection from e.g. inetd as if it comes
        from localhost[127.0.0.1]. Files: smtpd/smtpd_peer.c,
        qmqpd/qmqpd_peer.c.

20070502

        Workaround: build without EPOLL support when an epoll-enabled
        kernel sits underneath a retarded libc. File: makedefs.

        Cleanup: missing support for SASL security properties with
        Dovecot SASL authentication. Based on an initial version
        by Lev A. Serebryakov. File: xsasl/xsasl_dovecot_server.c.

20070503

        Cleanup: changed the default address verification sender
        from "postmaster" to "double-bounce", so that the Postfix
        SMTP server no longer surprises unsuspecting people by
        excluding "postmaster" from SMTPD access controls. File:
        global/mail_params.h.

20070508

        Bugfix: Content-Transfer-Encoding: attribute values are
        case insensitive. File: src/cleanup/cleanup_message.c.

20070514

        Bugfix: the makedefs EPOLL workaround broke any attempt to
        build on a 2.6 kernel. And that two weeks after the workaround
        had been posted to the mailing list. File: makedefs.

        Bugfix: mailbox_transport(_maps) and fallback_transport(_maps)
        were broken when used with the error(8) or discard(8)
        transports. Cause: insufficient documentation. Files:
        error/error.c, discard/discard.c.

20070520

        Bugfix (problem introduced Postfix 2.3): when DSN support
        was introduced it broke "aggressive" recipient duplicate
        elimination with "enable_original_recipient = no". File:
        cleanup/cleanup_out_recipient.c.

20070523

        Feature: cyrus_sasl_config_path to specify a search path
        for Cyrus SASL configuration files (currently used only to
        locate the smtpd.conf file). Based on code by Victor
        Duchovni. Files: smtpd/smtpd.c xsasl/xsasl_cyrus_server.c,
        (and xsasl/xsasl_cyrus_client.c for future expansion).

20070525

        Bugfix (introduced 20070523): the sasl_set_path() function
        name was mis-speeled.

20070529

        Bugfix (introduced Postfix 2.3): the sendmail/postdrop
        commands would hang when trying to submit a message larger
        than the per-message size limit. File: postdrop/postdrop.c.

20070530

        Sabotage the saboteur who insists on breaking Postfix by
        adding gethostbyname() calls that cause maildir delivery
        to fail when the machine name is not found in /etc/hosts,
        or that cause Postfix processes to hang when the network
        is down.

20070531

        Portability: Victor helpfully pointed out that change
        20070425 broke on non-IPv6 systems. Files: smtpd/smtpd_peer.c,
        qmqpd/qmqpd_peer.c.

20070610

        Isolation: don't allow the pipe(8) delivery agent to leak
        postdrop group privileges with "user=xxx:postdrop". File:
        pipe/pipe.c.

20070613

        Bugfix: the Milter client assumed that a Milter application
        does not modify the message header or envelope, after that
        same Milter application has modified the message body of
        that same email message. This is not a problem with updates
        by different Milter applications. Problem was triggered
        by Jose-Marcio Martins da Cruz. Also simplified the handling
        of queue file update errors. File: milter/milter8.c.

20070614

        Workaround: some non-Cyrus SASL SMTP servers require SASL
        login without authzid (authoriZation ID), i.e. the client
        must send only the authcid (authentiCation ID) + the authcid's
        password. In this case the server is supposed to derive
        the authzid from the authcid. This works as expected when
        authenticating to a Cyrus SASL SMTP server. To get the old
        behavior specify "send_cyrus_sasl_authzid = yes", in which
        case Postfix sends the (authzid, authcid, password), with
        the authzid equal to the authcid. File: xsasl/xsasl_cyrus_client.c.

20070619

        Portability: /dev/poll support for Solaris chroot jail setup
        scripts. Files: examples/chroot-setup/Solaris8,
        examples/chroot-setup/Solaris10.

20070713

        The RFC documents at www.faqs.org are being polluted with
        "feedback" spam. The Postfix hypertext documentation now
        points to tools.ietf.org. File: mantools/postlink.

20070719

        Feature: updated smtp-sink with new options to send a
        pre-formatted message from file, and to handle replies other
        than the expected 2xx or 3xx. File: smtpstone/smtp-source.c.

        Cleanup: Milter client error handling, so that the (Postfix
        SMTP server's Milter client) does not get out of sync with
        Milter applications after the (cleanup server's Milter
        client) encounters some non-recoverable problem. Files:
        milter/milter8.c, smtpd/smtpd.c.

20070720

        Support for RFC 4954 (SASL AUTH, updates RFC 2554, refines
        some reply codes and introduces DSN enhanced status codes)
        and RFC 3848 ("Received ... with ESMTPS?A? ..."). Currently,
        support for the latter is always on. Files: smtpd/smtpd.c,
        smtpd/smtpd_sasl_proto.c, smtpd/smtpd_sasl_glue.c.

20070727

        Workaround: the queue manager no longer logs a warning for
        mail sent to the local double-bounce address (normally,
        this is used as the sender while reporting an undeliverable
        bounce message to the local postmaster). As of 20070503
        the local double-bounce address is the default sender for
        sender/recipient address verification probes, and it now
        shows up as a spam target. Files: *qmgr/qmgr_message.c.

20070729

        Performance: fix for poor TCP performance for loopback
        (127.0.0.1) connections. Problem reported by Mark Martinec.
        Files: util/vstream.c, util/vstream_tweak.c, milter/milter8.c,
        smtp/smtp_connect.c, smtpstone/*source.c.

20070730

        Bugfix: when a milter replied with ACCEPT at or before the
        first RCPT command, the cleanup server would apply the
        non_smtpd_milters setting as if the message was a local
        submission. Problem reported by Jukka Salmi. Also, the
        cleanup server would get out of sync with the milter when
        a milter replied with ACCEPT at the DATA command. Files:
        cleanup/cleanup_envelope.c, smtpd/smtpd.c, milter/milters.c.

20070811

        Cleanup: unlike smtpd_mumble_restrictions, the Postfix SMTP
        server Milter reject logging did not show the (helo argument,
        sender address, or recipient address) that was being rejected.
        File: smtpd/smtpd.c.

20070824

        Bugfix (introduced snapshot 20070429): the pipe(8) delivery
        agent 'q' flag (quote address local-part) used the same bit
        mask as the 'B' flag (append blank line). Setting one flag
        also turned on the other. File: pipe/pipe.c.

        Feature: specify the 'X' flag to indicate that the pipe(8)
        delivery agent performs final delivery. This changes the
        status in DSN "success" messages from "relayed" into
        "delivered". File: pipe/pipe.c.

20070904-6

        Feature: stress-adaptive behavior. When a "public" network
        service runs into an "all processes are busy" condition,
        the master(8) daemon logs a warning, restarts the service,
        and runs it with "-o stress=yes" on the command line (normally
        it runs the service with "-o stress="). This can be used
        to make main.cf parameter settings stress dependent.
        Examples: "smtpd_timeout = ${stress?10}${stress:300}" and
        "smtpd_hard_error_limit = ${stress?1}${stress:20}". Files:
        master/master_avail.c, master/master_spawn.c, master/master_ent.c.

20070911

        Bugfix (introduced Postfix 2.2.11): TLS client certificate
        with unparsable canonical name caused the SMTP server's
        policy client to allocate zero-length memory, triggering
        an assertion that it shouldn't do such things. File:
        smtpd/smtpd_check.c.

20070912

        Bugfix (introduced Postfix 2.4): missing initialization of
        event mask in the event_mask_drain() routine (used by the
        obsolete postkick(1) command). Found by Coverity. File:
        util/events.c.

20070917

        Workaround: the flush daemon forces an access time update
        for the per-destination logfile, to prevent an excessive
        rate of delivery attempts when the queue file system is
        mounted with "noatime". File: flush/flush.c.

20070923

        Cleanup: don't complain when a "corrupt" queue file is
        deleted before it can be saved to the "corrupt" queue.
        Files: *qmgr/qmgr_active.c.

20071003

        Logging: the Postfix SMTP server now logs the number of
        bytes received after the DATA command when a connection
        breaks before mail delivery completes. This may help finding
        the cause of the problem: packet loss, MTU, or other. File:
        smtpd/smtpd.c.

20071004

        Logging: all daemons now log the TCP port number of remote
        SMTP or QMQP clients. The information is overruled with
        the SMTP XCLIENT command, is propagated through SMTP-based
        content filters with XFORWARD, and is sent to Milter
        applications. Files: smtpd/smtpd_peer.c, smtpd/smtpd.c,
        smtpd/smtpd_proxy.c, smtpd/smtpd_milter.c, qmqpd/qmqpd_peer.c,
        cleanup/cleanup_milter.c, *qmgr/qmgr_message.c,
        *qmgr/qmgr_deliver.c, smtp/smtp_proto.c, pipe/pipe.c,
        global/deliver_request.c, global/deliver_pass.c,
        proto/XFORWARD_README, proto/XCLIENT_README.

        Feature: per-command delays in smtp-sink.
        File: smtpstone/smtp-sink.c. Victor Duchovni.

20071006

        Cleanup: updated a bunch of hard-coded host[addr] logging
        statements. Files: smtpd/smtpd.c, smtpd/smtpd_chat.c,
        smtpd/smtpd_sasl_glue.c.

        Cleanup: client port logging is now configurable (off by
        default). Parameters: smtpd_client_port_logging and
        qmqpd_client_port_logging. Files: smtpd/smtpd_peer.c,
        qmqpd/qmqpd_peer.c.

        Cleanup: send client port information "0" instead of "unknown"
        to Milter applications. Files: smtpd/smtpd.c, smtpd/smtpd_milter.c,
        cleanup/cleanup_milter.c.

20071025

        Portability: on Linux we no longer need /proc to find out
        local IPv6 interface address information. LaMont Jones.
        Files: util/sys_defs.h.

20071030

        Bugfix (introduced Postfix 2.3): Postfix mistakenly enforced
        the 64kbyte limit (for sending body parts TO Milter
        applications) also while receiving packets FROM Milter
        applications. The limit is now at least 1GB. File:
        milter/milter8.c.

20071105

        Feature: ORIGINAL_RECIPIENT environment variable. Corey
        Hickey. File: local/local.c.

20071108-10

        Feature: general-purpose header/body_checks library module,
        first used in the SMTP client. Actions that change the
        message delivery time or destination can be implemented
        with a simple extension mechanism (they make sense only in
        before-queue filters). Configuration parameters:
        smtp_header_checks, smtp_mime_header_checks,
        smtp_nested_header_checks, smtp_body_checks. Unlike the
        cleanup server, the mime and nested header checks don't by
        default assume the header_checks value. Files:
        global/header_body_checks.[hc], smtp/smtp_proto.c,
        smtp/smtp_session.c.

20071110

        Feature: ${original_recipient} command-line macro. Corey
        Hickey. File: pipe/pipe.c.

        Bugfix (introduced 20071004): missing exception handling
        in smtp-sink per-command delay feature. Victor Duchovni.
        File: smtpstone/smtp-sink.c.

2007117-20

        Revised queue manager with separate mechanisms for
        per-destination concurrency control and dead destination
        detection. The concurrency control supports non-integer
        feedback for more gradual concurrency adjustments, and uses
        hysteresis to avoid rapid oscillations. A destination is
        declared "dead" after a configurable number of pseudo-cohorts
        (number of deliveries equal to a destination's concurrency)
        reports connection or handshake failure. This work began
        with a discussion that Wietse started with Patrik Rak and
        Victor Duchovni late January 2004, and that Victor revived
        late October 2007. To establish a baseline for further
        improvement, Wietse implemented a few simple mechanisms.

        Configuration parameters for debugging, positive/negative
        hysteresis, and positive/negative feedback. Some have since
        been removed or renamed, so no point naming them here.
        Files: global/mail_params.h, qmgr/qmgr_queue.c,
        qmgr/qmgr_deliver.c.

20071121

        Boundary condition: Patrik Rak pointed out that handling
        of negative feedback with concurrency window 1 could
        be improved.

        Feature: support to look up null sender addresses in
        sender-dependent relayhost maps. Parameter name:
        empty_address_relayhost_maps_lookup_key (default: <>).
        Keean Schupke. File: trivial-rewrite/resolve.c.

20071127-9

        Revision 2 of queue manager scheduler interface, allowing
        feedback parameter settings with constants and variables
        such as 1/8 or 1/concurrency. Some experimental parameters
        were removed and others were renamed.
        The new names are:
        default_destination_concurrency_negative_feedback,
        default_destination_concurrency_positive_feedback,
        default_destination_concurrency_failed_cohort_limit,
        destination_concurrency_feedback_debug.

        Also available are transport-specific overrides:
        <transport>_initial_destination_concurrency,
        <transport>_destination_concurrency_negative_feedback,
        <transport>_destination_concurrency_positive_feedback,
        <transport>_destination_concurrency_failed_cohort_limit.

        Files: global/mail_params.h, *qmgr/qmgr.c, *qmgr/qmgr_transport.c,
        *qmgr/qmgr_queue.c, *qmgr/qmgr_feedback.c, postconf/auto.awk.

20071202

        Feature: output rate control. For example, specify
        "smtp_destination_rate_delay = 5m" to insert a five-minute
        delay between deliveries. This was an opportunity to define
        the mutually exclusive states that a queue can have, and
        to detect invalid transitions. This will make adding new
        features code easier. Files: *qmgr/qmgr_transport.c,
        *qmgr/qmgr_queue.c, *qmgr/qmgr_entry.c.

        Bugfix (introduced Postfix 2.2): don't update the back-to-back
        delivery time stamp while deferring mail. File: *qmgr/qmgr_entry.c.

20071203

        Feature: support for read-write tables in the proxymap
        service. This is implemented with a separate master.cf entry
        named "proxywrite" that should run with process limit of 1
        if you want to update Berkeley DB like tables. This feature
        requires that tables be authorized with the proxy_write_maps
        configuration parameter. Files: global/dict_proxy.[hc],
        proxymap/proxymap.c.

        Human factors: the postmap and postalias commands now produce
        nicer diagnostics when asked to do something with a proxied
        map that they can't do. Files: postmap/postmap.c,
        postalias/postalias.c.

        Bugfix: the proxymap client didn't properly propagate user
        options to the proxymap server. File: util/dict.h.

        Workaround: force synchronous updates in the proxymap server
        so that maps will be in a consistent state between updates.
        File: proxymap/proxymap.c.

        Bugfix: an empty rate-limited queue wasn't removed after
        timer expiry. Files: *qmgr/qmgr_queue.c.

20071204

        Use different sockets for proxymap (read-only) and proxywrite
        (read-write) services in the proxy: client. Victor Duchovni.
        File: global/dict_proxy.c.

        Feature: proxymap delete support by Victor Duchovni. Files:
        global/dict_proxy.c, proxymap/proxymap.c.

        Feature: proxymap delete support. Files: postmap/postmap.c
        postalias/postalias.c.

        Cleanup: the Postfix sendmail command did not include the
        user (name/uid) information in all error messages. File:
        sendmail/sendmail.c.

        Feature: data_directory configuration parameter for
        Postfix-writable data such as caches and random numbers.
        Files: postfix-install, conf/postfix-files.

20071206

        Security: tlsmgr(8) and verify(8) no longer use root
        privileges when opening their cache files. This avoids a
        potential security loophole where the ownership of a file
        (or directory) does not match the trust level of the content
        of that file (or directory). See RELEASE_NOTES for how to
        use pre-existing data. Files: util/set_eugid.[hc],
        tlsmgr/tlsmgr.c, verify/verify.c.

        Compatibility: as a migration tool, redirect attempts by
        tlsmgr(8) or verify(8) to open files in non-Postfix directories
        to the Postfix-owned data_directory. File: global/data_redirect.c.

        Lots of pathname fixes in the examples of TLS_README and
        postconf(5); -lm library screw-up in queue manager Makefiles.

20071207

        Cleanup: pathname fixes in documentation; unnecessary queue
        scan in the queue manager rate limiter; inverse square root
        feedback in the queue manager concurrency scheduler. Files:
        mantools/postlink, proto/TLS_README.html, *qmgr/qmgr_queue.c.

        All changes up to this point should be ready for Postfix 2.5.

        Documentation: updated nqmgr preemptive scheduler documentation
        by Patrik Rak. File: proto/SCHEDULER_README.html.

20071211

        Bugfix (introduced 19980315): the "write" equivalent of
        bugfix 20030104. File: util/vstream.c.

20071212

        Feature: "stress=" or "stress=yes" attribute in the SMTPD
        policy delegation protocol. File: smtp/smtpd_check.c.

        Cleanup: allow_min_user now rejects recipients (and senders)
        starting with '-' at SMTP session time. To make this possible
        the feature was moved from qmgr(8) to trivial-rewrite(8).
        Files: *qmgr/qmgr_message.c, trivial-rewrite/resolve.c.

20071213

        Cleanup: the queue manager and SMTP client now distinguish
        between connection cache store and retrieve hints. Once the
        queue manager enables connection caching (store and load)
        hints on a per-destination queue, it keeps sending connection
        cache retrieve hints to the delivery agent even after it
        stops sending connection cache store hints. This prevents
        the SMTP client from making a new connection without checking
        the connection cache first. Victor Duchovni. Files:
        *qmgr/qmgr_entry.c, smtp/smtp_connect.c.

        Bugfix (introduced Postfix 2.3): the SMTP client never
        marked corrupt files as corrupt. Victor Duchovni. File:
        smtp/smtp_proto.c.

        Cleanup: the SMTP client won't mark a destination as
        unavailable when at least one SMTP session was completed
        without connect or handshake error. Victor Duchovni.
        Files: smtp/smtp_connect.c, smtp/smtp_session.c, smtp/smtp_proto.c,
        smtp/smtp_trouble.c.

20071215

        Documentation and code cleanup. Files: global/deliver_request.h,
        *qmgr/qmgr_entry.c, smtp/smtp_connect.c,
        proto/SCHEDULER_README.html.

        Bugfix (introduced snapshot 20071006): qmqpd ignored the
        qmqpd_client_port_logging parameter setting. File:
        qmqpd/qmqpd.c.

20071216

        Cleanup: show the remote SMTP server port in verbose logging,
        warnings and postmaster notices. Still don't show the port
        in delivery status notifications. Files: smtp/smtp_chat.c,
        smtp/smtp_sasl_glue.c, smtp/smtp_sasl_proto.c.

        The "tls_require_cert" is now compatible with OpenLDAP 2.1
        and later. Victor Duchovni. Files: proto/ldap_table,
        global/dict_ldap.c.

20071218

        Cleanup: removed the "#ifdef USE_LIBMILTER_INCLUDES"
        dependencies on system-installed Milter protocol include
        files. Verified that the object code has not changed. File:
        milter/milter8.c.

        Sanity check: idiot filter to detect attempts to use the
        same database file for different TLS session caches. File:
        tlsmgr/tlsmgr.c.

        Cleanup: updated the spell check stoplist and the spell
        check script. Files: mantools/spell, proto/stop.

        Cleanup: replaced documentation references to xxgdb by ddd.
        The xxgdb program hasn't been updated in more than 10 years.
        Files: proto/postconf.proto, conf/main.cf.

20071219-20

        Feature: support for all new Sendmail 8.14 Milter features
        except SMFIR_SKIP (skip further events of this type),
        SMFIP_RCPT_REJ (report rejected recipients to the mail
        filter), SMFIR_CHGFROM (replace sender, with optional ESMTP
        command parameters), and SMFIR_ADDRCPT_PAR (add recipient,
        with optional ESMTP command parameters).
        Files: milter/milters.c,
        milter/milter8.c, milter/test-milter.c, cleanup/cleanup_milter.c.

20071221

        Feature: support for Sendmail 8.14 Milter SMFIR_SKIP (skip
        further events of this type). Files: milter/milter8.c,
        milter/test-milter.c.

        Cleanup: don't try sending HELO after a 421 EHLO reply.
        File: smtp/smtp_proto.c.

20071221-nonprod

        Using 20071221 as reference point.

        Cleanup: Simplified TLS library cipher and protocol API to
        just pass string-valued properties to tls_client_init() and
        tls_client_start(). The client is now agnostic of the
        mechanics of cipher management internal to the library. The
        main.cf parameters used internally in the library are now
        loaded by the library, not the caller. Files:
        src/smtp/lmtp_params.c, src/smtp/smtp.c, src/smtp/smtp.h,
        src/smtp/smtp_params.c, src/smtp/smtp_proto.c,
        src/smtp/smtp_session.c, src/smtpd/smtpd.c, src/tls/tls.h,
        src/tls/tls_client.c, src/tls/tls_level.c, src/tls/tls_misc.c,
        src/tls/tls_server.c, src/tls/tls_session.c, src/tls/tls_verify.c
        and src/tlsmgr/tlsmgr.c

        Cleanup: Client session lookup key "salting" is now handled
        internally in the tls library. Files: src/tls/tls_client.c

        Cleanup: Cipher state is cached, and only updated when
        necessary. Files: src/tls/tls_misc.c

        Feature: Extended the syntax of protocol selection to allow
        exclusions as well as inclusions. Files: src/tls/tls_misc.c

        Cleanup: Updated default verification depth to match reality:
        default is 9 in OpenSSL and we don't yet override it. When
        we do (soon), the default will match previous behavior.
        Files: src/global/mail_params.h

        Bugfix: Reference to obsolete "pfixtls" code won't compile
        inside #ifdef for OpenSSL <= 0.9.5a.
        Using an OpenSSL release
        that old has not been tested for some time, but may now
        work. Files: src/tls/tls_bio_ops.c.

        Replaced "void *" TLS library application handles by explicit
        pointer types, while hiding data structure implementation
        details from the TLS library users. Files: tls/tls_client.c,
        tls/tls_server.c, smtp/smtp.c, smtpd/smtpd.c.

        The TLS library no longer modifies VSTRINGs passed in by
        the caller. Where possible, information is passed as "const"
        from application to library. Files: smtp/smtp_proto.c,
        tls/tls_client.c.

20071227-nonprod

        Replaced explicit initialization of props structures by
        emulating function calls with named parameter lists. Files:
        tls/tls.h, smtp/smtp.c, smtp/smtp_proto.c, smtpd/smtpd.c.

20071222

        Further polishing of the Milter code and logging. File:
        milter/milter8.c.

20071123

        Further polishing of the Milter code. With SETSYMLIST, each
        Milter can now update its own macros instead of clobbering
        the global copy that is shared with other Milters. Also an
        opportunity to clean up some ad-hoc code for sending macro
        lists from smtpd(8) to cleanup(8). Files: milter/milter.c,
        milter/milter8.c, milter/milter_macros.c.

20071224

        Further polishing of the Milter code. Eliminated unnecessary
        steps from the initial smtpd/cleanup Milter handshake. Files:
        milter/milter.c, milter/milter8.c, milter/milter_macros.c.

        Cleanup: name_code(3) and name_mask(3) now support read-only
        tables. Files: util/name_code.[hc], util/name_mask.[hc].

20071227

        Cleanup: further refinements of the Milter code, allowing
        for multiple macro overrides. The code is now ready for
        serious testing. File: milter/milter8.c.

20071229

        Bugfix: the Milter client did not replace the Postfix-specific
        form for unknown host names by the Sendmail-specific form.
        File: milter/milter8.c.

        Cleanup: when a cleanup milter reports a problem don't log
        generic "4.3.0 Sevice unavailable", but log the text for
        the actual error. File: cleanup/cleanup_milter.c.

20080102-nonprod

        SMTP client fingerprint security level support and configurable
        fingerprint digest algorithm. Victor Duchovni. Files:
        smtp/lmtp_params.c, smtp/smtp.c, smtp/smtp.h,
        src/smtp/smtp_params.c, src/smtp/smtp_proto.c,
        src/smtp/smtp_session.c, tls/tls_client.c, tls/tls_level.c,
        tls/tls_verify.c.

20080103-nonprod

        Missed "invalid TLS configuration" patch for SMTP client.
        Victor Duchovni. File: smtp/smtp_proto.c.

        SMTP server configurable fingerprint digest algorithm.
        Victor Duchovni. Files: smtpd/smtpd.c, tls/tls.h,
        tls/tls_server.c, tls/tls_verify.c.

20080104-nonprod

        Cleanup: finally implemented certificate verification depth
        limit parameters. Prior to Postfix 2.5 these were ignored.
        For backwards compatibility, the default verification depth
        limit is now 9, the OpenSSL default. Victor Duchovni. Files:
        src/tls/tls_client.c, src/tls/tls_server.c, src/tls/tls_verify.c.

        Robustness: Avoid possibility of NULL pointer issues in
        application code that checks certificate names, by providing
        "empty string" values when no data is available. Victor
        Duchovni. Files: src/tls/tls_verify.c, src/tls/tls_client.c,
        src/tls/tls_server.c, src/smtpd/smtpd_check.c, src/smtpd/smtpd.c.

        Cleanup: separation of TLS handshake from security level
        enforcement. The library shakes hands; the application
        decides if the resulting security is acceptable. Victor
        Duchovni.
        Files: smtpd/smtpd.c, smtpd/smtpd_proto.c,
        tls/tls_server.c, tls/tls_client.c, tls/tls_verify.c.

        Robustness: more robust processing of ASN.1 string attributes
        in x509v3 certificates, plus additional sanity checks (e.g.
        embedded null characters). Victor Duchovni. File:
        src/tls/tls_verify.c.

20080104

        Workaround: minor change to the Dovecot AUTH request to
        prevent dovecot-auth memory wastage. Timo Sirainen. File:
        xsasl/xsasl_dovecot_server.c.

20080105-nonprod

        Cleanup: renamed TLS-related symbols for consistency (always
        include the init, start, stop prefix in the TLS library
        function and data structure names; consistently distinguish
        between per-application TLS state and per-session TLS state;
        consistently use the fpt prefix for fingerprint related
        variables and structure members; consistent use of monocase
        typedef-ed names).

20080106-nonprod

        Cleanup: consistent use of <pre> and <blockquote> in examples;
        instead of emphasizing new Postfix 2.5 behavior in reference
        documentation, describe the new behavior as "current", with
        historical behavior as a supplemental note.

20080107

        Feature: new "pass" service type (in addition to "inet",
        "unix" and "fifo"). The "pass" service type supports
        front-end daemons that accept all inbound connections and
        that permit only well-behaved clients to talk to the MTA.
        This service type had been sitting in the master daemon for
        years but was disabled by default. Actual applications for
        this will have to be developed later. Files: util/upass_connect.c,
        util/upass_trigger.c.

20080108

        Cleanup: where possible, store data structures in read-only
        memory.
        Besides the security advantage of no write access,
        this also gives slightly better memory utilization when
        many processes execute the same file. Files: pretty much
        everything that has a static table, except for a few tables
        in the benchmark tools with flags that are controlled by
        command-line information.

20080109

        Cleanup: more read-only data. Files: everything that passes
        around a HEADER_OPTS pointer.

20080112

        Safety: optional lookup table to prevent the Postfix SMTP
        client from making repeated SASL login failures with the
        same hostname, username and password. This introduces new
        parameters: smtp_sasl_auth_cache_name, smtp_sasl_auth_cache_time.
        Based on code by Keean Schupke. Files: smtp/smtp_sasl_glue.c,
        smtp/smtp_sasl_auth_cache.c.

        Safety: the Postfix SMTP client now by default defers mail
        after the server rejects a SASL login attempt with a 535
        status code. Specify "smtp_sasl_auth_soft_bounce = no" to
        get the earlier behavior. Based on code by Keean Schupke.
        Files: smtp/smtp_sasl_glue.c.

20080114

        Safety: the smtpd_client_new_tls_session_rate_limit setting
        now also limits the number of failed TLS handshakes. This
        limits the impact of broken configurations. File: smtpd/smtpd.c.

20080115

        Bugfix (introduced 20080112): Patrik Rak found two bugs
        that largely canceled each other out, causing Postfix not
        to complain about a missing "proxy:" prefix with the new
        smtp_sasl_auth_cache_name parameter setting. File:
        smtp/smtp_sasl_glue.c.

        Documentation: new SOHO_README file for small/home offices.
        The text is automatically generated from bits and pieces of
        information that are scattered across other documents.
        File: mantools/make_soho_readme.

20080116

    Bugfix (introduced 20080112): missing #ifdef for the SASL
    login failure cache. File: smtp/smtp_sasl_auth_cache.h.

20080123

    Name fix: renamed the mumble_delivery_rate_delay parameter
    to mumble_destination_rate_delay, because it really is a
    per-destination feature. With this change we keep the option
    of implementing a future per-transport rate delay.

20080125

    Bugfix (introduced 20071216): missing {} in the LDAP client
    broke OpenLDAP TLS. The setting tls_require_cert=no was
    further broken because Postfix used OpenLDAP incorrectly.
    Victor Duchovni. This broke tls_require_cert=no. File:
    global/dict_ldap.c.

20080126

    Cleanup: the post-install script now requires that it is
    invoked via the postfix(1) command. This was the intended
    use since Postfix 2.1, but it was never enforced. The
    documentation for package maintainers has been updated
    accordingly. File: conf/post-install.

20080130

    Bugfix (introduced 20071204): wrong proxywrite process limit
    in the default master.cf file. File: conf/master.cf.

20080131

    Bugfix (introduced 20080126): the new "do not execute
    directly" test in post-install got broken during code
    cleanup. File: conf/post-install.

20080201

    Workaround: undo the changes that require that post-install
    is invoked via the postfix command, because this breaks
    when "postfix start" is invoked with an obsolete postfix
    command that doesn't export the new data_directory parameter.

    Workaround: pick up a missing data_directory setting from
    main.cf when "postfix start" is invoked with an obsolete
    postfix command. File: conf/post-install.

20080207

    Cleanup: soft_bounce support for multi-line Milter replies.
    File: src/milter/milter8.c.

    Cleanup: preserve multi-line format of header/body Milter
    replies. Files: cleanup/cleanup_milter.c, smtpd/smtpd.c.

    Cleanup: multi-line support in SMTP server replies. File:
    smtpd/smtpd_chat.c.

    SAFETY: postfix-script, postfix-files and post-install are
    moved away from /etc/postfix to $daemon_directory. There
    were too many accidents where people clobbered these files
    with versions from an older Postfix release and ended up
    with an unusable Postfix setup. Files: postfix-install,
    Makefile.in, postfix/postfix.c, conf/postfix-files,
    conf/postfix-script, conf/post-install.

20080212

    Feature: check_reverse_client_hostname_access, to make
    access decisions based on the unverified client hostname.
    For safety reasons an OK result is not allowed. Noel Jones.
    Files: smtpd/smtpd_check.c plus header files and documentation.

20080215

    Safety: break SASL loop in case both the SASL library and
    the remote SMTP server are confused. File: smtp/smtp_sasl_glue.c.

20080220

    Safety: the master daemon now sets an exclusive lock on a
    file $data_directory/master.lock, so that the data directory
    can't be shared between multiple Postfix instances. This
    would corrupt files that rely on single-writer updates
    (examples: verify(8) cache, tlsmgr(8) caches, etc.). File:
    master/master.c.

20080226

    Cleanup: the postfix command did not set argv[0] to a sane
    value when invoking postfix-script. Reported by Victor
    Duchovni. File: postfix/postfix.c.

20080228

    Bugfix: bounce(8) segfault on one-line template text.
    Problem found by Sacha Chlytor. File: bounce/bounce_template.c.

20080310

    Safety: the SMTP server's Dovecot authentication client now
    enforces the SASL mechanism output filter also on client
    command input.
    File: src/xsasl/xsasl_dovecot_server.c.

20080311

    Bugfix (introduced 20070811): the MAIL and RCPT Milter
    application call-backs no longer received {mail_addr} or
    {rcpt_addr} information. Problem reported by Anton Yuzhaninov.
    File: smtpd/smtpd.c.

    Bugfix (introduced 20080207): "cleanup -v" panic because
    the new "SMTP reply" request flag did not have a printable
    name. File: global/cleanup_strflags.c.

20080318

    Human factors: the PCRE and regexp maps now give more
    comprehensible error messages when people make the common
    mistake of indenting if/endif blocks. Files: util/dict_pcre.c,
    util/dict_regexp.c.

20080324

    Cleanup: the event_drain() function is now a proper event
    processing loop. File: util/events.c.

    Feature: when the "postmap -q -" command reads lookup keys
    from standard input, it now understands RFC822 and MIME
    message format. Specify -h or -b to use headers or body
    lines as lookup keys, and specify -hm or -bm to simulate
    header_checks or body_checks. The postmap -h option (without
    -m) will be compatible with a future postcat -h option.
    File: postmap/postmap.c.

20080411

    Bugfix (introduced Postfix 2.0): after "warn_if_reject
    reject_unlisted_recipient/sender", the SMTP server mistakenly
    remembered that recipient/sender validation was already
    done. File: smtpd/smtpd_check.c.

    Bugfix (introduced Postfix 2.3): the queue manager would
    initialize missing client logging attributes (from xforward)
    with real client attributes. Fix: enable this backwards
    compatibility feature only with queue files that don't
    contain logging attributes. Problem reported by Liviu Daia.
    Files: *qmgr/qmgr_message.c.

20080424

    Cleanup: some warning messages said "regexp" or "regexp
    map" instead of "pcre map".
    File: util/dict_pcre.c.

20080426

    Feature: finer control over address verification error
    handling and amount of information disclosed in the SMTP
    reject message. Parameters: unverified_recipient_defer_code,
    unverified_recipient_reject_reason, unverified_sender_defer_code,
    unverified_sender_reject_reason. If I don't do this properly,
    then someone will do it anyway. File: src/smtpd/smtpd_check.c.

20080428

    Cleanup: the proxy_read_maps (Postfix 2.0) default setting
    was not updated when adding sender/recipient_bcc_maps
    (Postfix 2.1) and smtp/lmtp_generic_maps (Postfix 2.3).
    File: global/mail_params.h.

    Cleanup: the SMTP server's XFORWARD and XCLIENT support was
    not updated when the smtpd_client_port_logging configuration
    parameter was added. Code by Victor Duchovni. Files:
    smtpd/smtpd.c, smtpd/smtpd_peer.c.

20080508

    Cleanup: delivery status notifications now prepend a
    Return-Path: message header to the returned message.
    File: bounce/bounce_notify_util.c.

20080509

    Bugfix: null-terminate CN comment string after sanitization.
    File: smtpd/smtpd.c.

20080510

    Cleanup: when extracting peer and issuer common name from
    TLS certificates, convert the result into UTF-8, and use
    RFC 2047 encoding when logging these as Received: header
    comment fields. Based remotely on code by Victor Duchovni.
    Files: smtpd/smtpd.c, tls/tls_verify.c.

20080511

    Cleanup: the RFC 2047 encoding of RFC*822 comments is too
    problematic. The text that explains the problems is as
    long as the code itself. That is usually a good indication
    that code is not ready for use. File: smtpd/smtpd.c.

    Cleanup: block non-printable ASCII text in UTF8 encoded TLS
    peer and issuer common names. File: tls/tls_verify.c.
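
The 20080509 to 20080511 entries above, together with the earlier embedded-null check in tls/tls_verify.c, come down to validating a length-delimited certificate name before it is treated as a C string or written to a header or log. The following C sketch of such a check is an added example, not Postfix code; the function names, the enum and the sample names are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names for this sketch; not taken from tls/tls_verify.c. */
enum cn_status { CN_OK, CN_EMBEDDED_NUL, CN_NONPRINTABLE, CN_BAD_UTF8, CN_TOO_LONG };

/*
 * Length of the well-formed UTF-8 sequence at p (left = bytes available),
 * or 0 when it is malformed: bad lead or continuation byte, truncated,
 * overlong, a UTF-16 surrogate, or above U+10FFFF.
 */
static size_t utf8_seq_len(const unsigned char *p, size_t left)
{
    unsigned long cp;
    size_t n, i;

    if (p[0] < 0x80)
        return 1;
    if ((p[0] & 0xE0) == 0xC0) { n = 2; cp = p[0] & 0x1F; }
    else if ((p[0] & 0xF0) == 0xE0) { n = 3; cp = p[0] & 0x0F; }
    else if ((p[0] & 0xF8) == 0xF0) { n = 4; cp = p[0] & 0x07; }
    else return 0;
    if (n > left)
        return 0;
    for (i = 1; i < n; i++) {
        if ((p[i] & 0xC0) != 0x80)
            return 0;
        cp = (cp << 6) | (p[i] & 0x3F);
    }
    if ((n == 2 && cp < 0x80) || (n == 3 && cp < 0x800) || (n == 4 && cp < 0x10000))
        return 0;
    if ((cp >= 0xD800 && cp <= 0xDFFF) || cp > 0x10FFFF)
        return 0;
    return n;
}

/*
 * Check a name as it comes out of the certificate: a byte string with an
 * explicit length. The length is authoritative; strlen() must not be used,
 * because it stops at an embedded NUL and would hide whatever follows it.
 */
enum cn_status cn_check(const unsigned char *cn, size_t len)
{
    size_t i = 0, n;

    while (i < len) {
        if (cn[i] == 0)
            return CN_EMBEDDED_NUL;
        if (cn[i] < 0x20 || cn[i] == 0x7F)
            return CN_NONPRINTABLE;     /* ASCII control characters and DEL */
        if ((n = utf8_seq_len(cn + i, len - i)) == 0)
            return CN_BAD_UTF8;
        i += n;
    }
    return CN_OK;
}

/*
 * Copy a name that passed cn_check() into dst and always leave dst
 * NUL-terminated, so later logging code can treat it as a C string.
 */
enum cn_status cn_copy_checked(char *dst, size_t dstsize,
                               const unsigned char *cn, size_t len)
{
    enum cn_status st;

    if (dstsize == 0)
        return CN_TOO_LONG;
    dst[0] = '\0';
    if ((st = cn_check(cn, len)) != CN_OK)
        return st;
    if (len >= dstsize)
        return CN_TOO_LONG;
    memcpy(dst, cn, len);
    dst[len] = '\0';
    return CN_OK;
}

int main(void)
{
    /* Constructed sample names, not taken from real certificates. */
    static const char plain[] = "mail.example.com";
    static const char with_nul[] = "mail.example.com\0.other.example";
    static const char with_ctl[] = "mail.example.com\n";
    char out[64];

    printf("plain:    %d (%s)\n", cn_copy_checked(out, sizeof(out),
           (const unsigned char *) plain, sizeof(plain) - 1), out);
    printf("with NUL: %d\n", cn_check((const unsigned char *) with_nul, sizeof(with_nul) - 1));
    printf("control:  %d\n", cn_check((const unsigned char *) with_ctl, sizeof(with_ctl) - 1));
    return 0;
}
```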

20080602

    Workaround: avoid watchdog timeout in the local pickup
    daemon when the cleanup server expands a very large virtual
    alias list. Files: master/trigger_server.c, pickup/pickup.c.

20080603

    Workaround: avoid "bad address pattern" errors with non-address
    patterns in namadr_list_match() calls. File: util/match_ops.c.

    Feature: print fsstone elapsed time with sub-second time
    resolution. Kenji Kikuchi. File: fsstone/fsstone.c.

20080606

    Bitrot: "make test" was broken due to recent changes in
    code and due to recent changes at mail-abuse.org.

20080618

    Add a note to SMTP session transcript email messages that
    other details may be found in the maillog file. Files:
    smtpd/smtpd_chat.c, smtp/smtp_chat.c.

20080620

    Cleanup: with the "Before-queue content filter", RFC3848
    information was not added to the headers. Carlos Velasco.
    File: smtpd/smtpd.c.

20080621

    Cleanup: include unread byte count in the SMTP server's "lost
    connection after DATA (xx bytes)" logging. Files: smtpd/smtpd.c.

20080629

    Bugfix (introduced Postfix 2.2): multiple inconsistencies
    in SASL support after introduction of TLS. The Postfix
    SMTP server 1) complained about plain-text SASL configuration
    details when SASL was forbidden for plain-text sessions,
    and 2) ignored the smtpd_tls_auth_only parameter setting
    when built without TLS support. Files: smtpd/smtpd.c,
    smtpd/smtpd_check.c, smtpd/smtpd_sasl_glue.[hc],
    smtpd/smtpd_state.c.

    Some clarification about recipient address versus domain,
    and recipients per message versus session. File:
    proto/postconf.proto.

    The description of SASL authentication attributes was
    garbled. File: pipe/pipe.c.

    Information: the master(8) server now logs the version
    besides the configuration directory upon "postfix reload".
    File: master/master.c.

20080717

    Cleanup: a poorly-implemented integer overflow check for
    TCP MSS calculation had the unexpected effect that people
    broke Postfix on LP64 systems while attempting to silence
    a compiler warning. File: util/vstream_tweak.c.

20080721

    The cleanup server now rejects undisclosed_recipients_header
    parameter values with invalid message header syntax.
    File: cleanup/cleanup_message.c.

20080725

    Paranoia: defer delivery when a mailbox file is not owned
    by the recipient. Sebastian Krahmer, SuSE. Files:
    local/mailbox.c, virtual/mailbox.c.

20080804

    Bugfix: dangling pointer in vstring_sprintf_prepend().
    File: util/vstring.c.

20080814

    Security: some systems have changed their link() semantics,
    and will hardlink a symlink, contrary to POSIX and XPG4.
    Sebastian Krahmer, SuSE. File: util/safe_open.c.

    The solution introduces the following incompatible change:
    when the target of mail delivery is a symlink, the parent
    directory of that symlink must now be writable by root only
    (in addition to the already existing requirement that the
    symlink itself is owned by root). This change will break
    legitimate configurations that deliver mail to a symbolic
    link in a directory with less restrictive permissions.

20080815

    Feature: the milter_default_action parameter now accepts
    the "quarantine" action. This works like "accept" but also
    freezes the mail in the "hold" queue. File: milter/milter8.c.

    Robustness: transition from setjmp()/longjmp() to the signal
    mask saving/restoring versions sigsetjmp()/siglongjmp().
    These functions have been around for 15 years, but they
    have had bugs on supported platforms, so makedefs tests for
    them. Files: makedefs, util/sys_defs.h, util/vstream.h.

20080822

    Cleanup: the proxymap_service_name and proxywrite_service_name
    parameters make the proxymap service names configurable.
    This paves the way for a future option where the proxymap
    services are accessible via TCP so that they can be shared
    among multiple Postfix hosts. File: global/dict_proxy.c.

    Feature: MacOS X support for kqueue style event handling,
    with workaround for broken MacOS X versions. Files:
    util/sys_defs.h, makedefs.

    Cleanup: the makedefs script now keeps its test programs
    in a directory makedefs.d, instead of inlining them as
    fragile "here documents". Files: makedefs, makedefs.d/*.

20080823

    Feature: IPv6 dns blocklist lookup. File: smtpd/smtpd_check.c.

20080824

    Cleanup: untangled the MacOS X version dependent sections
    in the makedefs script, to make future updates easier. File:
    makedefs.

    Cleanup: don't log multiple Milter "hold" actions for the
    same email message. File: cleanup/cleanup_milter.c.

20080826

    Cleanup: moving test programs from makedefs into a makedefs.d
    directory brought more pain than gain.

    Cleanup: untangled the Linux version dependent sections in
    the makedefs script, to make future updates easier. File:
    makedefs.

    Documentation: MacOS process limit configuration by Quanah
    Gibson-Mount. File: proto/TUNING_README.html.

    Feature: smtp-sink -M option to terminate after receiving
    a specified number of messages. Laurent Gentil. File:
    smtpstone/smtp-sink.c.

    Bugfix (introduced Postfix 2.4): epoll file descriptor leak.
    With Postfix >= 2.4 on Linux >= 2.6, Postfix has an epoll
    file descriptor leak when it executes non-Postfix commands
    in, for example, user-controlled $HOME/.forward files. A
    local user can access a leaked epoll file descriptor to
    implement a denial of service attack on Postfix. Data
    confidentiality and integrity are not affected. File:
    util/events.c.

20080903

    Don't enable kqueue (which requires poll) support on
    MacOS X. File: makedefs.

    Cleanup: remove obsolete Rhapsody and MacOS targets from
    makedefs.

20080929

    Workaround: don't log "file has 2 links" warnings when the
    condition appears to be temporary. As kernels have evolved
    from non-interruptible system calls towards fine-grained
    locks, the showq command has become likely to observe a
    file while the queue manager is in the middle of a rename
    operation, when the file has links to both the old and new
    name. File: global/mail_open_ok.c.

    Workaround: don't loop forever when write() fails with a
    persistent EAGAIN error on a writable file descriptor.
    File: util/write_buf.c.

20081003

    Bugfix (introduced Postfix 2.1): when XFORWARD support was
    introduced with Postfix 2.1, the specification failed to
    clearly distinguish between missing and non-existent client
    information. This ambiguity affected the implementation:
    in $name expansions by delivery agents, unknown client
    hostnames could become empty strings (as if a submission
    was local), and local submissions could appear to originate
    from an SMTP-based content filter. This was fixed with a
    minor semantic change to the XFORWARD protocol. Files:
    smtpd/smtpd.c, qmqpd/qmqpd.c, smtp/smtp_proto.c,
    cleanup/cleanup_envelope.c, proto/XFORWARD.html.
    Note: the
    changes to propagate local submission details were undone
    20082012.

    Feature: a DUNNO lookup result in per_sender_relayhost_maps
    stops the search without replacing the next-hop destination.
    File: trivial-rewrite/resolve.c.

20081005

    Bugfix: further refinements to the handling of missing or
    non-existent remote client attributes. Files: smtpd/smtpd.c,
    smtpd/smtpd.h.

    Documentation: the XFORWARD specification of the ADDR
    attribute did not agree with the actual on-the-wire protocol.
    Since we can't change already existing deployments, the
    spec has been updated. File: proto/XFORWARD_README.html.

20081006

    Bugfix: further refinements to the handling of remote client
    attributes. Introduced a dummy "we have forwarded client
    info" record, to eliminate the need for the backwards
    incompatible queue file change that was introduced 20081003.
    Files: smtpd/smtpd.c, cleanup/cleanup_envelope.c,
    *qmgr/qmgr_message.c.

    Security: hardened the proxymap client, in case it ever
    ends up in a set-gid program. File: global/dict_proxy.c.

20081007

    Workaround: undo the proxymap client change. It broke
    chrooted servers when they attempted to reconnect to the
    proxy read/write service. File: global/dict_proxy.c.

20081008

    Safety: added checks that $queue_directory/pid is owned by
    root, and that $queue_directory/saved is owned by $mail_owner.
    File: conf/postfix-script.

20081010

    Feature: controls for opportunistic TLS protocols and
    ciphers. The smtp_tls_protocols, smtp_tls_ciphers, and
    equivalent parameters for lmtp and smtpd provide global
    settings; the SMTP client TLS policy table provides ciphers
    and protocols settings for specific peers. Code by Victor
    Duchovni.
    Files: smtp/smtp.c, smtp/smtp_session.c, smtpd/smtpd.c
    and documentation.

20081012

    Cleanup: simplify the 20081003 changes and don't try to
    propagate local submission information through XFORWARD.
    Files: smtpd/smtpd.c, qmqpd/qmqpd.c, smtp/smtp_proto.c,
    cleanup/cleanup_envelope.c, proto/XFORWARD.html.

20081015

    Bugfix: GLIBC API version detection. Rob Foehl. File:
    util/sys_defs.h.

20081022

    Documentation: removed inapplicable daemon_timeout reference
    from qmgr(8), oqmgr(8), pickup(8). These daemons need to
    use a much shorter watchdog timer.

20081108

    Feature: smtp_sasl_tls_verified_security_options is no
    longer #ifdef SNAPSHOT.

    Feature: elliptic curve support. This requires OpenSSL
    version 0.9.9 or later. Victor Duchovni. Files: TLS_README,
    smtpd/smtpd.c, smtp/smtp.c, tls/tls_dh.c, tls/tls_certkey.c,
    tls/tls_server.c, tls/tls_client.c, tls/tls.h, tls/tls_misc.c.

    Bugfix (introduced Postfix 2.5): the Postfix SMTP server
    did not ask for a client certificate with "smtpd_tls_req_ccert
    = yes". Reported by Rob Foehl. File: smtpd/smtpd.c.

20081109

    Cleanup: confusing names of variables. File: smtpd/smtpd.c.

20081126

    Documentation: pcre_table(5) incorrectly claimed that the
    'x' flag supports #comment after text. File: proto/pcre_table.

20081202

    Cleanup: vstream_bufstat() provides a more systematic
    approach to get information about VSTREAM buffers. The
    vstream_peek() function is now a backwards compatibility
    wrapper. Files: util/vstream.[hc].

    Cleanup: the SMTP server should warn about "lost connection
    after QUIT" only when the "." reply was pipelined together
    with the "QUIT" reply. File: smtpd/smtpd.c.

    Cleanup: the SMTP client's code was duplicating buffer
    management that was already done in the VSTREAM module.
    File: smtp/smtp_proto.c.

20081203

    Cleanup: adjust the VSTREAM buffer strategy when reusing
    an SMTP connection with a large TCP MSS value. File:
    smtp/smtp_reuse.c.

20081204

    Cleanup: state the SMTP client PIPELINING implementation's
    dependency on monotonic VSTREAM buffer size behavior, and
    add some checks for boundary cases with VSTREAM buffer size
    change requests. Files: util/vstream.c, smtp/smtp_proto.c.

20081205

    Fix 20081202 flush code. Victor Duchovni. File: smtpd/smtpd.c.

    Safety: add another check to "postfix check", in this case
    for group or other writable queue_directory. File:
    conf/postfix-script.

20081217

    Debugging: ad-hoc code to log the TLS error stack after
    VSTREAM read/write error. File: tls/tls_bio_ops.c. In a
    better implementation, each I/O "object" would provide an
    optional error reporting method (besides timed_read and
    timed_write) that could be queried via the vstream module.

20081222

    Documentation: log the "*" pattern as the last transport
    map lookup. File: proto/transport.

20090103

    Documentation: rewrote NFS_README, to clarify the support
    status of Postfix and NFS, and to describe the NFS workarounds
    that Postfix actually implements.

20090106

    Feature: "postconf -# parametername ..." to comment out
    named parameter entries. Victor Duchovni. File:
    postconf/postconf.c.

20090107

    Library: edit_file(3) module for cooperative editing of a
    file. Inspired by the postconf command, this creates a new
    version under a deterministic temporary name and renames
    it into place.
    The implementation uses an open/lock/stat
    protocol before updating the new file, and rename/unlock/close
    afterwards. Based on pieces of code by Victor Duchovni,
    with minor improvements by Wietse. Files: util/edit_file.[hc].

    Cleanup: the postconf command now uses the edit_file(3)
    module to manage collisions when multiple processes attempt
    to update the main.cf file.

20090108

    Feature: master_service_disable parameter (default: empty)
    to easily turn off/on master.cf services by type or by name
    and type. For example, to turn off the main SMTP listener
    use "master_service_disable = smtp.inet", and to turn off
    all TCP/IP listeners use "master_service_disable = inet".
    This immediately terminates all processes that provide the
    specified services. The master_service_disable feature does
    not distinguish services by their privacy property; some
    day, clients will not need to specify that anymore. Files:
    global/mail_params.h, master/master.c, master/master_vars.c,
    master/master_ent.c.

    Bugfix (introduced May 19, 1997): removing a parameter
    setting from main.cf did not reset the parameter to its
    default value. This was a problem only in the master daemon.
    File: global/mail_conf.c, master/master_vars.c.

20090109

    Cleanup: "defer" action in access maps, and a corresponding
    access_map_defer_code parameter. No idea what was behind
    this omission. Files: global/mail_params.h, smtpd/smtpd.c,
    smtpd/smtpd_check.c, proto/access.

    Workaround: specify "tcp_windowsize = 65535" (or less) to
    work around broken TCP window scaling implementations. This
    is perhaps easier than collecting tcpdump output and tuning
    kernel parameters by hand. See RELEASE_NOTES for how to
    change this setting without stopping Postfix.
    Files:
    util/inet_connect.c, inet_listen.c, global/mail_params.[hc].

20090110

    Cleanup: create separate code modules for TCP window size
    handling, master.cf service name matching, and main.cf
    change monitoring. Files: util/inet_windowsize.c,
    global/match_service.c, master/master_watch.c.

    Feature: TCP window size override for the Postfix SMTP/LMTP
    client, and for the smtp-source and smtp-sink test programs.
    Files: smtp/smtp_connect.c, smtpstone/smtp-source.c,
    smtpstone/smtp-sink.c.

20090114

    Bugfix: VERP now uses the Postfix original recipient, if
    available, because that is what the VERP consumer expects.
    Files: *qmgr/qmgr_deliver.c, bounce/bounce_notify_verp.c.

    Safety: extra check for broken third-party patches that
    allow file size limit < message size limit. This can cause
    mail to be stuck in the queue forever.

    Invisible change, in preparation for multi-instance support.
    Except for main.cf and master.cf, all files are optional
    for non-default Postfix configuration directories. File:
    conf/postfix-files.

20090115

    Cleanup: rewrote the 20090114 VERP bugfix, to replace code
    that "works" by code that is "right". Files: *qmgr/qmgr_deliver.c,
    bounce/bounce_notify_verp.c, global/verp_sender.c.

20090118

    Documentation: some URLs to enable/disable client-side TLS
    jumped into the middle of an enumeration. File:
    proto/TLS_README.html.

20090119-21

    Feature: multi-instance manager plug-in API. A sample
    multi-instance manager with instructions is available as
    $daemon_directory/postfix-wrapper. The plug-in API itself
    is described in postfix-wrapper(5). Files: postfix/postfix.c,
    global/mail_params.[hc], proto/postfix-wrapper,
    conf/postfix-wrapper, conf/postfix-script, conf/postfix-files.
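
The 20090107 entry above describes edit_file(3) as an open/lock/stat step before the new file is written and rename/unlock/close afterwards. The following C sketch of that sequence is an added example, not the Postfix implementation; the EDIT structure, the function names, the use of flock() and the ".tmp" suffix are assumptions.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/file.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical names for this sketch; not the Postfix edit_file(3) API. */
typedef struct {
    char final_path[256];       /* the file that readers see */
    char tmp_path[264];         /* deterministic temporary name */
    int  fd;                    /* locked descriptor for tmp_path */
} EDIT;

/*
 * open/lock/stat: open PATH.tmp, take an exclusive lock, then verify that
 * the file we locked is still the one that the name PATH.tmp refers to.
 * While we waited for the lock, the previous holder may have renamed the
 * file into place or removed it. Writing through our descriptor would then
 * modify the published file (or a deleted one), so we start over instead.
 */
int edit_begin(EDIT *ep, const char *path, mode_t mode)
{
    struct stat by_fd, by_name;
    int n = snprintf(ep->tmp_path, sizeof(ep->tmp_path), "%s.tmp", path);

    if (n < 0 || (size_t) n >= sizeof(ep->tmp_path)
        || strlen(path) >= sizeof(ep->final_path))
        return -1;
    strcpy(ep->final_path, path);
    for (;;) {
        if ((ep->fd = open(ep->tmp_path, O_CREAT | O_WRONLY, mode)) < 0)
            return -1;
        if (flock(ep->fd, LOCK_EX) < 0 || fstat(ep->fd, &by_fd) < 0)
            break;
        if (stat(ep->tmp_path, &by_name) < 0) {
            if (errno != ENOENT)
                break;
        } else if (by_fd.st_dev == by_name.st_dev
                   && by_fd.st_ino == by_name.st_ino) {
            /* We own the temporary file; drop leftovers of a crashed editor. */
            if (ftruncate(ep->fd, 0) < 0 || fchmod(ep->fd, mode) < 0)
                break;
            return 0;
        }
        close(ep->fd);          /* stale file: retry with a fresh open */
    }
    close(ep->fd);
    return -1;
}

/* Write all of buf, retrying after short writes and EINTR. */
static int write_all(int fd, const char *buf, size_t len)
{
    while (len > 0) {
        ssize_t n = write(fd, buf, len);

        if (n < 0) {
            if (errno == EINTR)
                continue;
            return -1;
        }
        buf += n;
        len -= (size_t) n;
    }
    return 0;
}

/*
 * rename/unlock/close: publish the new version atomically, then release
 * the lock. An editor that was waiting for the lock now fails the stat
 * check in edit_begin() and retries with a new temporary file.
 */
int edit_commit(EDIT *ep)
{
    int ret = (fsync(ep->fd) == 0
               && rename(ep->tmp_path, ep->final_path) == 0) ? 0 : -1;

    if (ret < 0)
        unlink(ep->tmp_path);   /* abandon; waiters notice and retry */
    flock(ep->fd, LOCK_UN);
    close(ep->fd);
    return ret;
}

/* Replace the contents of path with text, serialized against other editors. */
int edit_replace(const char *path, const char *text, mode_t mode)
{
    EDIT e;

    if (edit_begin(&e, path, mode) < 0)
        return -1;
    if (write_all(e.fd, text, strlen(text)) < 0) {
        unlink(e.tmp_path);
        close(e.fd);
        return -1;
    }
    return edit_commit(&e);
}
```

A real editor such as postconf would read the current file and write a modified copy between edit_begin() and edit_commit(); edit_replace() writes fixed text to keep the example short.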

    Support to check/update shared files only in the context
    of the default Postfix instance. Files: conf/post-install,
    conf/postfix-script.

20090122

    Refinements: the multi-instance manager always replaces
    "start" by "check" when a Postfix instance is multi-instance
    disabled, so that problems will still be reported; polish
    documentation; delete unnecessary multi_instance_order
    parameter. Files: conf/postfix-wrapper, proto/postfix-wrapper,
    global/mail_params.[hc] and documentation.

    Bugfix: the data_directory was not automatically created!
    File: conf/postfix-files.

20090123

    More little fixes in the "trivial but useful" postfix-wrapper
    including instructions. It's ready for testing in the field.
    File: conf/postfix-wrapper.

20090125

    Documentation: more precise description of multi-instance
    manager API, and minor edits of the example program. Files:
    conf/postfix-wrapper, proto/postfix-wrapper.

20090208

    Cleanup: enable multi-instance shared-file logic only when
    the instance is listed in multi_instance_directories. Files:
    conf/post-install, conf/postfix-script.

20090210

    Feature: specify "reject_tempfail_action = defer" to
    immediately defer a remote SMTP client request after a
    reject-type restriction fails with a temporary error. Based
    on code by Rob Foehl. File: smtpd/smtpd_check.c.

    Feature: finer control of reject_tempfail_action with
    unknown_address_tempfail_action, unverified_sender_tempfail_action,
    unverified_recipient_tempfail_action, and
    unknown_helo_hostname_tempfail_action. See documentation
    for details. File: smtpd/smtpd_check.c.

20090211

    Workaround: pass the SMTP server socket's local and remote
    peer address information to the Dovecot authentication server.
    This is incomplete code: it ignores XCLIENT server address
    overrides. File: xsasl/xsasl_dovecot_server.c.

20090212

    Testing revealed that with mumble_tempfail_action=defer,
    the "defer" action was ignored. Cause: the DEFER_IF_PERMIT[0-9]
    macros lost the SMTPD_CHECK_REJECT result value. File:
    smtpd/smtpd_check.c.

    Feature: stress-dependent smtpd_timeout (normal: 300s,
    overload: 10s), smtpd_hard_error_limit (normal: 20, overload:
    1) and smtpd_junk_command_limit (normal: 100, overload: 1).
    Files: global/mail_params.h, global/mail_conf_nint.c,
    master/*_server.c, smtpd/smtpd.c.

20090213

    Fine tuning: don't enforce smtpd_junk_command_limit for
    XCLIENT and XFORWARD commands. These commands can be issued
    only by authorized clients. File: src/smtpd/smtpd.c.

20090215

    Feature: the Postfix SMTP server hangs up after replying
    with "521". This makes overload handling more effective.
    See also RFC 1846. File: smtpd/smtpd.c.

    Feature: postmulti multi-instance manager command, very
    lightly tested. The MULTI_INSTANCE_README still needs to
    be proofread. Originally by Victor Duchovni. Files:
    src/postmulti/*, proto/MULTI_INSTANCE_README.html,
    conf/postmulti-script.

20090216-24

    Cleanup: assorted code cleanups in postmulti. File:
    src/postmulti/postmulti.c.

20090223

    Cleanup: multiple instances of the same global. Files:
    util/inet_windowsize.c, util/inet_listen.c.

20090228

    Cleanup: the Postfix SMTP server now maintains a per-session
    "improper command pipelining detected" flag. This flag can
    be tested at any time with reject_unauth_pipelining, and
    is raised whenever a client command is followed by unexpected
    commands or message content. Files: smtpd/smtpd.c,
    smtpd/smtpd_check.c.

    Logging: the Postfix SMTP server now logs the first command
    pipelining transgression as "improper command pipelining
    after <command> from <hostname>[<hostaddress>]".

    Cleanup: after DATA command failure, log "(approximately
    XX bytes)" only if Postfix actually accepted the DATA
    command. File: smtpd/smtpd.c.

20090303

    Cleanup: word smithing of "sendmail -bv" probe message.
    File: sendmail/sendmail.c.

    Cleanup: OpenLDAP now provides a sane solution for conflicts
    with PAM ldap-over-tls. Victor Duchovni. File: global/dict_ldap.c.

20090304

    Cleanup: skip over suspended or throttled queues while
    looking for delivery requests. File: *qmgr/qmgr_transport.c.

20090305

    Bugfix: in the "new queue manager", the _destination_rate_delay
    code needed to postpone the job scheduler updates after
    delivery completion, otherwise the scheduler could loop on
    blocked jobs. Victor & Wietse. File: qmgr/qmgr_entry.c,
    qmgr/qmgr_queue.c, qmgr/qmgr_job.c.

    Cleanup: report a "queue file write error", instead of
    passing through bogus 2xx replies from proxy filters to SMTP
    clients. File: smtpd/smtpd_proxy.c.

20090307

    Cleanup: with "lmtp_assume_final = yes", the Postfix LMTP
    delivery agent assumes that delivery is final when talking
    to an LMTP server that announces no DSN support. Otherwise,
    the Postfix LMTP delivery agent assumes that delivery is
    "relayed", to maintain compatibility with simple LMTP-based
    content filters. Based on code by Michel Sebastien, ATOS
    Origin. File: smtp/smtp_rcpt.c.

20090310

    Bugfix: Postfix used mumble_concurrency_failed_cohort_limit
    instead of mumble_destination_concurrency_failed_cohort_limit
    as documented. File: global/mail_params.h.

20090330

    Cleanup: add (Resent-) From:, Date:, Message-ID: or To:
    headers only when clients match $local_header_rewrite_clients.
    Specify "always_add_missing_headers = yes" for backwards
    compatibility. Adding such headers to remote mail can break
    DKIM signatures that cover headers that are not present.
    File: cleanup/cleanup_message.c.

20090415

    Workaround: to avoid unnecessary "fatal" delivery agent
    exits, delivery agents retry getting a shared lock on a
    queue file. This is necessary since the queue manager's
    behavior was changed years ago to refill the in-memory
    recipient list before it was completely empty. File:
    global/deliver_request.c.

    Documentation: updated STRESS_README.

20090416

    Workaround: some AWK implementations have a limit of 10
    output files and lack a working close() function. It is too
    much trouble to find out what systems have this limitation,
    and where, if any, such systems store their XPG4-compatible
    AWK program. So instead we generate a stream of here
    documents and let the shell split the stream into files.
    File: postconf/extract.awk.

    Documentation: clarification of certificate file usage.
    Victor Duchovni. Files: proto/postconf.proto,
    proto/TLS_README.html.

    Feature: pass a "TLS is active" flag to the server-side
    SASL support. Based on code by Timo Sirainen, except that
    the implementation uses an extensible API so that it will
    be less painful to add more attributes in future Postfix
    versions. Files: xsasl/xsasl.h, xsasl/xsasl_*server.c,
    smtpd/smtpd_sasl_glue.c.

20090417

    Documentation: re-generate READMEs and manpages for updated
    hyperlinks.

    Documentation: missing hyperlinks and missing parameters
    in manpages. File: mantools/postlink, mantools/check-postlink.

20090418

    Cleanup: use the extensible API to pass SMTP client address
    information to the dovecot SASL plugin, and prepare for
    passing server address information. Files: xsasl/xsasl.h,
    xsasl/xsasl_dovecot_server.c, smtpd/smtpd_sasl_glue.c.

    Same extensible API transformation for the SASL client-side
    code to make future extensions less painful. Files:
    xsasl/xsasl.h, xsasl/xsasl*client.c, smtp/smtp_sasl_glue.c.

    More postlink fixes. File: mantools/postlink.

20090419

    Bugfix: don't re-enable SIGHUP if it is ignored in the
    parent. This may cause random "Postfix integrity check
    failed" errors at boot time (POSIX SIGHUP death), causing
    Postfix not to start. We duplicate code from postdrop and
    thus avoid past mistakes. File: postsuper/postsuper.c.

    Robustness: don't re-enable SIGTERM if it is ignored in the
    parent. Files: postsuper/postsuper.c, postdrop/postdrop.c.

20090422

    Undo delivery agent change 20090415. The queue manager never
    locks a queue file to read additional recipients into memory,
    so if a delivery agent runs into a locked file, then something
    is seriously wrong. File: global/deliver_request.c.

20090424

    Compatibility: the Postfix SMTP client no longer uses the
    obsolete SSLv2 by default for opportunistic encryption.
    This has nothing to do with security (we're willing to send
    plaintext over an unauthenticated connection) but with the
    loss of advanced options that give better performance.
    Victor Duchovni. Files: proto/postconf.proto, global/mail_params.h.

20090426

    Feature: more accurate support for Milter macros {mail_addr}
    and {rcpt_addr}, and new support for Milter macros {mail_host},
    {mail_mailer}, {rcpt_host}, and {rcpt_mailer}. Files:
    milter/milter.[hc], smtpd/smtpd.[hc], smtpd/smtpd_milter.c,
    smtpd/smtpd_resolve.c.

    Feature: support to report rejected recipients to Milters
    (SMFIP_RCPT_REJ). Postfix reports the event as described in
    Sendmail 8.14.0 documentation: {rcpt_mailer} = "error",
    {rcpt_host} = enhanced status code (e.g., "5.7.1"), and
    {rcpt_addr} = reason to reject (e.g., "Relay access denied").
    Files: milter/milter.[hc], milter/milter8.c, smtpd/smtpd.[hc],
    smtpd/smtpd_milter.c.

20090427

    Feature: Milter support for replacing the envelope sender
    and adding recipients (SMFIR_CHGFROM, SMFIR_ADDRCPT_PAR).
    This support currently ignores ESMTP command parameters.
    Files: milter/milter8.c, cleanup/cleanup_milter.c.

20090428

    Compatibility: to make all the new Milter features usable,
    raise the default milter_protocol setting from 2 to 6.
    This has been tested with a Sendmail 8.14 libmilter.
    File: global/mail_params.h.

    Bugfix: don't disable MIME parsing with smtp_header_checks,
    smtp_mime_header_checks, smtp_nested_header_checks or with
    smtp_body_checks. Bug reported by Victor. File: smtp/smtp_proto.c.

    Code cleanups: respect VSTRING invariants by using VSTRING_RESET
    and VSTRING_TERMINATE instead of directly groping the
    underlying character buffer. Files: global/dsn_buf.c,
    milter/milter8.c.

20090507

    main.cf:tls_random_source now defaults to /dev/arandom on
    OpenBSD. This device was introduced before Postfix development
    began. Files: util/sys_defs.h, global/mail_params.h.

20090510

    Code cleanups: while emulating SMTP client requests for
    Milter applications, use user@domain form addresses as
    required by the SMTP protocol, instead of bare usernames.
    This avoids hard to debug errors from some Milter applications.
    Files: cleanup/cleanup_envelope.c, cleanup/cleanup_extracted.c,
    cleanup/cleanup_addr.c.

20090511

    Code cleanups: don't clobber -o command-line arguments so
    that Linux people can debug daemon command lines more easily.
    Files: master/*server.c.

20090513

    Code cleanups: better parsing of Postfix daemon "-o"
    command-line options, with better error handling. Files:
    master/*server.c.

20090518

    Documentation: missing dummy entries for lmtp_mumble_checks.
    File: proto/postconf.proto.

20090519

    Bugfix (introduced: Postfix 2.3, but did not cause trouble
    until 20090427). Queue file corruption with (smtpd_milters
    or non_smtpd_milters) enabled, AND with delay_warning_time
    enabled, AND with short envelope sender addresses (e.g.,
    local submissions with bare usernames, but not bounces).
    The queue file would be corrupted when the delay_warning_time
    record was marked as "done" after sending the "your mail
    is delayed" notice. File: qmgr/qmgr_message.c.

20090522

    Bugfix (introduced: Postfix 2.3). The cleanup server
    rejected mail with records of type REC_TYPE_DRCP (recipient
    deleted by Milter), but such records could be present in
    mail re-submitted with "postsuper -r". Found during code
    review. Files: global/record.h, cleanup/cleanup_envelope.c.

20090524

    Feature: new postcat options: -e (print envelope), -h (print
    header), and -b (print body). Specify "postcat -bh" to
    suppress information about envelope records, and "postcat
    -h" to get the message header only. With large messages,
    "postcat -h" is much faster than manually stripping the
    message body from the output. File: postcat/postcat.c.

20090528

    Bugfix (introduced: Postfix 2.6 change 20080629): with
    plaintext sessions, smtpd_tls_auth_only=yes caused spurious
    warnings with reject_authenticated_sender_login_mismatch,
    and broke reject_unauthenticated_sender_login_mismatch and
    reject_sender_login_mismatch. Based on fix by Victor
    Duchovni. File: smtpd/smtpd_check.c.

20090603

    Cleanup: Postfix 2.3 adopted a file descriptor passing
    workaround for OpenBSD. This workaround was hard-coded for
    all platforms because there were no adverse effects.
    This is no longer the case: OpenBSD is fixed, and NetBSD
    does not like the workaround. We now default back to the
    non-workaround code and turn on the workaround dynamically.
    Files: util/unix_send_fd.c, unix_recv_fd.c, unix_pass_fd_fix.c.

20090605

    Portability: modern kernels below ancient user-land. File:
    makedefs.

20090606

    Feature: post-Milter header checks, with all actions except
    PREPEND. To enable, specify for example "milter_header_checks
    = pcre:/path/to/file". Files: cleanup/cleanup_init.c,
    cleanup/cleanup_milter.c, cleanup/cleanup_extracted.c,
    cleanup/cleanup_state.c.

    Bugfix: non-portable command pathname in postmulti-script.

    Safety: "postmulti -e destroy" no longer attempts to remove
    files that are created AFTER "postmulti -e create". Rationale:
    by design, postfix queue/data directories are not trusted;
    actions within those directory trees must not affect files
    outside those trees (e.g. by symlink race attacks).
    We don't want to be nailed with a bunch of CVEs for unsafe
    pathname handling. File: conf/postmulti-script.

20090607

    Cleanup: revise milter_header_checks action implementation,
    and avoid redundant logging and work when milter_header_checks
    and Milters make redundant or conflicting decisions. File:
    cleanup_milter.c.

20090614

    Preliminary postscreen triage server for all inbound SMTP
    connections. This is not a proxy: it rejects bad clients
    and forwards the rest of the connections to a real Postfix
    SMTP server. The initial version does a simple "friend or
    foe" based on whether the client starts talking too soon.
    Decisions are cached, so "good" clients have no overhead.
    File: postscreen/postscreen.c.

    Cleanup: more robust code for receiving file descriptors
    via the "pass" master service protocol. File:
    util/upass_listen.c.

20090617

    Temporary helper daemon that does parallel DNSBL lookups
    for postscreen(8). It logs successful lookups to the maillog
    file without blocking the client. postscreen(8) will use
    the results in a later non-production version. To enable
    DNSBL lookups, specify "postscreen_dnsbl_sites = name,
    name, etc". and restart postscreen(8) with "postfix reload".
    File: src/dnsblog/dnblog.c.

20090618

    postscreen(8) logging and actions are now documented in the
    postscreen(8) manpage. When a client is listed in DNSBLs
    specified with postscreen_dnsbl_sites, it is no longer
    whitelisted. Instead the number of blocklist hits is logged.
    File: postscreen/postscreen.c.

20090619

    postscreen(8) by default no longer immediately drops
    connections. Specify "postscreen_greet_action = drop" and
    "postscreen_hangup_action = drop" for the old behavior.
    There is also a new postscreen_dnsbl_action parameter, for
    completeness. File: postscreen/postscreen.c.

20090708

    Portability: FreeBSD 8 has closefrom(). File: uti/sys_defs.h.

20090710

    Bugfix (introduced Postfix 2.3): Postfix got out of sync
    with a Milter application after the application sent a
    "quarantine" request at end-of-message time. The milter
    application would still be in the end-of-message state,
    while Postfix would already be working on the next SMTP
    event (typically, QUIT or MAIL FROM). Problem diagnosed
    with help from Alban Deniz. File: milter/milter8.c.

20090711-2

    New "event_server" Postfix server framework. It is similar
    to the "multi_server" framework but does not manage client
    I/O events. This framework is suitable for servers such
    as postscreen that have complex event management requirements.
    File: master/event_server.c.

    New event_fork() primitive to resume event processing in a
    child process after it is created with fork(). This is
    needed by postscreen to complete work-in-progress in the
    background after "postfix reload". File: util/events.c.

    Cleanup: postscreen migrated to the "event_server" framework.
    File: postscreen/postscreen.c.

20090712

    Cleanup: ${multi_instance_name:postfix}${multi_instance_name
    ?$multi_instance_name} garbage in Postfix logging is now
    hopefully gone. File: global/mail_task.c.

20090715

    Documentation: as of Postfix 2.6, the reject_unauth_pipelining
    feature can be used meaningfully at any protocol stage.
    File: proto/postconf.proto.

20090717

    Cleanup: postscreen PREGREET detection now uses non-destructive
    read, so that the real SMTP server can still receive the
    HELO command (apparently some sites allow pregreeters to
    talk to their servers). File: postscreen/postscreen.c.
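
The non-destructive read described in the 20090717 entry, as an added illustration that is not Postfix source code: a pre-greeting check that copies early client input with MSG_PEEK, so a later ordinary read on the same connection still receives it. The function names, the 50 ms wait, the log escaping helper and the sample HELO line are assumptions made for this example.

```c
#include <ctype.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

enum { PREGREET_ERROR = -1, PREGREET_NONE, PREGREET_SEEN, PREGREET_HANGUP };

/*
 * Wait up to wait_ms for the client to talk before the server greeting.
 * Early input is copied into buf with MSG_PEEK, so it stays queued in the
 * socket for whichever process reads the descriptor next.
 */
static int pregreet_check(int fd, int wait_ms, char *buf, size_t buflen)
{
    struct pollfd pfd = { .fd = fd, .events = POLLIN };
    ssize_t n;
    int rc;

    if (buflen == 0)
        return PREGREET_ERROR;
    buf[0] = '\0';
    rc = poll(&pfd, 1, wait_ms);
    if (rc < 0)
        return PREGREET_ERROR;
    if (rc == 0)
        return PREGREET_NONE;           /* client waited for its turn */
    n = recv(fd, buf, buflen - 1, MSG_PEEK | MSG_DONTWAIT);
    if (n < 0)
        return PREGREET_ERROR;
    if (n == 0)
        return PREGREET_HANGUP;         /* client left before the greeting */
    buf[n] = '\0';
    return PREGREET_SEEN;
}

/* Escape CR/LF and mask other non-printable bytes before logging client input. */
static void log_safe(const char *in, char *out, size_t outlen)
{
    size_t o = 0;

    if (outlen == 0)
        return;
    for (; *in != '\0' && o + 3 < outlen; in++) {
        unsigned char c = (unsigned char) *in;
        if (c == '\r' || c == '\n') {
            out[o++] = '\\';
            out[o++] = (c == '\r') ? 'r' : 'n';
        } else {
            out[o++] = isprint(c) ? (char) c : '?';
        }
    }
    out[o] = '\0';
}

struct demo_out { int verdict; char peeked[64]; char delivered[64]; };

/*
 * Constructed scenario on a socketpair: sv[1] plays the remote client,
 * sv[0] is the accepted connection. After the check, a plain recv() stands
 * in for the real SMTP server that receives the connection.
 */
static struct demo_out demo_pregreet(const char *early_data)
{
    struct demo_out out;
    int sv[2];

    memset(&out, 0, sizeof(out));       /* buffers stay NUL-terminated */
    out.verdict = PREGREET_ERROR;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return out;
    if (early_data == NULL
        || write(sv[1], early_data, strlen(early_data)) >= 0) {
        out.verdict = pregreet_check(sv[0], 50, out.peeked, sizeof(out.peeked));
        (void) recv(sv[0], out.delivered, sizeof(out.delivered) - 1, MSG_DONTWAIT);
    }
    close(sv[0]);
    close(sv[1]);
    return out;
}

int main(void)
{
    struct demo_out r = demo_pregreet("HELO example.test\r\n");  /* constructed input */
    char safe[128];

    log_safe(r.peeked, safe, sizeof(safe));
    printf("verdict=%d peeked=\"%s\" same=%d\n", r.verdict, safe, strcmp(r.peeked, r.delivered) == 0);
    return 0;
}
```

A destructive read at the check would leave the downstream server waiting for a HELO that was already consumed; the peek avoids that while still giving the screening process the text to log.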

20090805

    Bugfix: don't panic when an unexpected smtpd access map is
    specified. File: smtpd/smtpd_check.c.

20090918

    Bugfix (introduced Postfix 2.3): with Milter RCPT TO replies
    turned off, there was no automatic flush-before-read on the
    smtpd-to-milter stream, because the read was done on the
    cleanup-to-milter stream. Problem reported by Stephen Warren.
    File: milter/milter8.c.

20091005

    Bugfix: core dump while printing error message for malformed
    %<letter> sequence in LDAP, MySQL or PostgreSQL configuration.
    File: global/db_common.c. Fix by Victor Duchovni.

20091006

    Feature: "postscreen_whitelist_networks = $mynetworks" (the
    default) to avoid problems with buggy SMTP implementations
    in network appliances. Note: this feature never uses the
    remote SMTP client hostname. Files: global/addr_match_list.[hc],
    postscreen/postscreen.c.

    Feature: postscreen_blacklist_networks (default: empty) to
    permanently blacklist hosts or networks. Address syntax is
    as with mynetworks. Note: this feature never uses the remote
    SMTP client hostname. File: postscreen/postscreen.c.

    Feature: postscreen_blacklist_action (default: continue)
    to control what happens with a permanently blacklisted
    client. File: postscreen/postscreen.c.

20091007

    Feature: hostname-based check_client_{mx,ns}_access,
    check_reverse_client_hostname_{mx,ns}_access (the client
    IP address is not used). Rob Foehl. Files: smtpd/smtpd_check.c,
    global/mail_params.h, proto/postconf.proto, mantools/postlink.

20091008

    Documentation: restructured the postscreen(8) manpage
    as a sequence of tests. File: postscreen/postscreen.c.

20091012

    Bugfix: postmulti did not skip commands with -p. Luca
    Berra. File: postmulti/postmulti.c.

20091023

    Feature: specify "smtpd_command_filter = pcre:/file/name"
    to replace remote SMTP client commands before they are
    executed by the Postfix SMTP server. This is a last-resort
    tool to fix inter-operability problems. See examples in
    the postconf(5) manual page. File: smtpd/smtpd.c.

20091026

    Cleanup: changed parameter evaluation order so that the
    multi_instance_wrapper parameter value is evaluated after
    the command and daemon directory parameters. File:
    global/mail_params.h.

20091101

    Performance: specify "smtpd_proxy_options = speed_adjust"
    to receive an entire message before sending it through a
    before-queue content filter. This reduces the number of
    simultaneous content filtering processes, and thus, the
    system memory requirements. Files: smtpd/smtpd.[hc],
    smtpd/smtpd_proxy.[hc].

20091103-4

    Cleaned up the speed-adjust code, streamlined the error
    handling, and updated documentation. Files: smtpd/smtpd.[hc],
    smtpd/smtpd_proxy.[hc], proto/SMTPD_PROXY_README.html.

20091105

    Cleaning up after speed_adjust introduction: smtpd segfault
    caused by an incomplete API change; refined the queue space
    check; release scratch space immediately after delivering
    mail to the before-queue filter. Files: smtpd.c, smtpd_proxy.c.

20091110

    Workaround: specify "smtp_tls_block_early_mail_reply = yes"
    to detect a mail hijacking attack based on a TLS protocol
    vulnerability (CVE-2009-3555). The attack involves prepending
    malicious HELO/MAIL/RCPT/DATA commands to a Postfix SMTP
    client TLS session. The attack would succeed with non-Postfix
    SMTP servers that reply to the malicious commands after
    negotiating the Postfix SMTP client TLS session. File:
    smtp/smtp_proto.c.

20091113

    Workaround: skip interfaces without netmask, to avoid
    segfaults (reported by Dmitry Karasik). Don't supply a dummy
    null netmask, as that would turn Postfix into an open relay
    (mynetworks = 0.0.0.0/0). File: util/inet_addr_local.c.

    Bugfix: forgot to flush output to the smtpd_proxy speed-adjust
    buffer before truncating the file. Reported by Mark Martinec,
    fix by Victor Duchovni. File: smtpd/smtpd_proxy.c.

20091114

    Feature: specify "smtp_reply_filter = pcre:/file/name" to
    replace remote SMTP server reply lines before they are
    parsed by the Postfix SMTP client. This is a last-resort tool
    to fix inter-operability problems. See examples in the
    postconf(5) manual page. File: smtp/smtp_chat.c.

    Safety: don't send postmaster notifications to report
    problems delivering (possible) postmaster notifications.
    File: smtp/smtp_connect.c.

20091121

    Feature: sender_dependent_default_transport_maps, to override
    the default transport in a sender-dependent manner. This
    is not a transport_maps override, and therefore it does not
    use the transport_maps syntax for null transport, null
    nexthop, or null email address.

20091127

    Usability: the Postfix SMTP client now logs a warning that
    wrappermode TLS is not supported, when configured to connect
    to port smtps/465. File: smtp/smtp_connect.c.

20091203

    Safety: the postscreen daemon logs a warning when table
    lookup is slow. Slow lookups cause postscreen to fall behind,
    and worse, to catch up in bursts, which results in overload
    elsewhere. File: postscreen/postscreen.c.

20091206

    Feature: by popular demand, the Postfix SMTP server now
    logs the before-queue content filter's end-of-message
    accept/reject response. File: smtpd/smtpd.c.

20091209

    Portability: as the result of continuous improvement,
    Berkeley DB no longer allows fork-then-close. File:
    postscreen/postscreen.c.

    Bugfix: sender_dependent_relayhost_maps did not reject an
    empty lookup result, and did not recognize lookup errors,
    thus treating errors as "not found". Problem found during
    code maintenance. File: trivial-rewrite/resolve.c.

    Cleanup: the postscreen daemon now applies the permanent
    whitelist first. It is a safety feature that prevents mail
    from being blocked. File: postscreeb/postscreen.c.

20091224

    Bugfix (introduced 20041215): dict_dbm_sequence() did not
    release the shared lock when the end of the sequence was
    reached. File: util/dict_dbm.c.

20091227

    Cleanup: postscreen and verify periodic cache cleanup
    (default: 12 hours after the previous cache cleanup run).
    This is based on a new dict_cache(3) module that implements
    a generalized version of the tlsmgr(8) cache maintenance
    code. Once the new dict_cache(3) code is burned in, the
    tlsmgr(8) will be migrated to it. See the RELEASE_NOTES for
    user interface details. Files: util/htable.[hc], util/dict_ht.c,
    util/dict_cache.[hc], postscreen/postscreen.c, verify/verify.c.

    Bugfix: the event handler starved I/O events when a timer
    call-back routine scheduled a zero-delay timer request.
    This bug was exposed when adding the new dict_cache(3)
    module for cache expiration. File: util/events.c.

20091228

    Cleanup: postscreen and verify periodic cache cleanup is
    now optional (specify a null time interval between cache
    cleanup runs).

20091229

    Cleanup: the address_verify_poll_count default parameter
    value is now stress-dependent, so that the Postfix SMTP
    server will not wait (up to 6 seconds) for the address
    verification result. File: global/mail_params.h.

    Final solution for the I/O event starvation problem when a
    timer call-back schedules a zero-delay timer request. File:
    util/events.c.

20091231

    Cleanup: the non-shared, in-memory hash table is now
    accessible as the "internal:" map type. This simplifies
    code by eliminating some special cases. Files: util/dict_ht.c,
    util/dict_open.c, and documentation.

20100101

    Bugfix: the mantools/postlink script applied hyperlinks
    for the "virtual:" transport to "/etc/postfix/virtual:".
    Symptom reported by Christoph Anton Mitterer.

20200102

    Workaround: don't report bogus Berkeley DB close errors as
    fatal errors. All operations before close are already error
    checked, so the data is known to be safe. File: util/dict_db.c.

20100107

    Documentation: the access(5) manual page did not document
    the "send 521 and disconnect" behavior in the Postfix SMTP
    server (introduced with Postfix 2.6). File: proto/access.

    Bugfix: the pickup daemon did not discard messages that
    were requeued after all recipients were delivered (or
    bounced), and the cleanup server tried to bounce such
    messages. Files: pickup/pickup.c, global/cleanup_user.h.

    Future proofing: redundant code in postdrop to reject a
    submission without recipient record. File: postdrop/postdrop.c.

20100109

    Cleanup: "postcat -q" will now access files in the "saved"
    queue directory (for corrupted queue files). As before, the
    "postsuper" command will not, to avoid suddenly deleting
    such files. Files: global/mail_queue.h postcat/postcat.c.

20100113

    Cleanup: don't supply the "-o stress" command-line option
    with a single-process service. File: master/master_ent.c.

20100115

    Bugfix: the valid_hostname() function did not set the
    "non-numeric" flag after encountering the '-' character.
    Reported by Jan Schampera. File: util/valid_hostname.c.

20100116

    Documentation: the content_filter and FILTER features never
    supported the special cases of transport_maps. References
    to transport_maps syntax are now removed from content filter
    discussions. Files: proto/postconf.proto, proto/FILTER_README.

    Workaround: as of Postfix 2.3 the VRFY command did not allow
    a mailbox address inside <>, which broke expectations. RFC
    2821 (and 5321) is vague about the VRFY request format, but
    spends lots of text on the reply format. File: smtpd/smtpd.c.

20010117

    Cleanup: when a content_filter parameter or FILTER command
    specifies an empty next-hop destination, the queue manager
    now uses the recipient domain instead of $myhostname. Specify
    "default_filter_nexthop = $myhostname" for compatibility
    with Postfix 2.6 and earlier, or specify a non-empty next-hop
    filter destination. Files: *qmgr/qmgr_message.c proto/access,
    proto/header_checks, proto/postconf.proto, proto/FILTER_README.

20100120

    Cleanup: detect illegal pipelining after HELO, EHLO. File:
    smtpd/smtpd.c.

20100128

    Documentation: streamlined the descriptions of protocol and
    cipher tweaks. Victor Duchovni. Files: proto/TLS_README,
    proto/postconf.proto.

20100131

    Documentation: the address verification database is now
    persistent by default. This, combined with the now default
    stress-dependent configuration, improves the performance
    limits and simplifies database maintenance. Files:
    proto/ADDRESS_VERIFICATION_README, verify/verify.c.

    Cleanup: undo the proxymap and trivial-rewrite max_idle=1s
    override that was introduced with Postfix 2.3. It did not
    help to retire long-lived proxymap or trivial-rewrite
    processes on busy servers, and worsened performance on
    low-traffic servers. The reduced ipc_ttl value (introduced
    with Postfix 2.4) already solves the problem of retiring
    long-lived proxymap or trivial-rewrite processes. Files:
    proxymap/proxymap.c, trivial-rewrite/trivial-rewrite.c.

20100202

    Documentation: major revision of SASL_README with many
    details on how to configure Cyrus SASL internals. Patrick
    Koetter. File: proto/SASL_README.html

20100204

    Feature: added "forward_secrecy" option for Cyrus SASL.
    File: xsasl/xsasl_cyrus_security.c.

20100206

    Bugfix (from day zero): the local delivery agent returned
    undeliverable mail to the envelope sender instead of the
    owner- alias, when delivering to command or file. This
    reuses the workaround that was implemented to report a
    Delivered-To: loop. Files: local/file.c, local/command.c,
    local/recipient.c, local/bounce_workaround.c.

20100209

    The tcp_table(5) interface is now part of the stable release.
    The last protocol change was in Postfix 2.1. File:
    util/dict_open.c.

20100515

    Bugfix (introduced Postfix 2.6): the Postfix SMTP client
    XFORWARD implementation did not skip "unknown" SMTP client
    attributes, causing a syntax error when sending a PORT
    attribute. Reported by Victor Duchovni. File: smtp/smtp_proto.c.

20100526

    Cleanup: a unit-test driver (for stand-alone tests) was not
    updated after an internal API change. Vesa-Matti J Kari
    File: milter/milter.c.

20100529

    Portability: OpenSSL 1.0.0 changes the priority of anonymous
    cyphers. Victor Duchovni. Files: postconf.proto,
    global/mail_params.h, tls/tls_certkey.c, tls/tls_client.c,
    tls/tls_dh.c, tls/tls_server.c.

    Portability: Mac OS 10.6.3 requires <arpa/nameser_compat.h>
    instead of <nameser8_compat.h>. Files: makedefs, util/sys_defs.h,
    dns/dns.h.

20100531

    Robustness: skip LDAP queries with non-ASCII search strings.
    The LDAP library requires well-formed UTF-8. Victor Duchovni.
    File: global/dict_ldap.c.

20100601

    Safety: Postfix processes log a warning when a matchlist
    has a #comment at the end of a line (for example mynetworks
    or relay_domains). File: util/match_list.c.

    Portability: Berkeley DB 5.x has the same API as Berkeley
    DB 4.1 and later. File: util/dict_db.c.

20100610

    Bugfix (introduced Postfix 2.2): Postfix no longer appends
    the system default CA certificates to the lists specified
    with *_tls_CAfile or with *_tls_CApath. This prevents
    third-party certificates from getting mail relay permission
    with the permit_tls_all_clientcerts feature. Unfortunately
    this may cause compatibility problems with configurations
    that rely on certificate verification for other purposes.
    To get the old behavior, specify "tls_append_default_CA =
    yes". Files: tls/tls_certkey.c, tls/tls_misc.c,
    global/mail_params.h. proto/postconf.proto, mantools/postlink.

20100714

    Compatibility with Postfix < 2.3: fix 20061207 was incomplete
    (undoing the change to bounce instead of defer after
    pipe-to-command delivery fails with a signal). Fix by Thomas
    Arnett. File: global/pipe_command.c.

20100727

    Bugfix: the milter_header_checks parser provided only the
    actions that change the message flow (reject, filter,
    discard, redirect) but disabled the non-flow actions (warn,
    replace, prepend, ignore, dunno, ok). File:
    cleanup/cleanup_milter.c.

20100827

    Performance: fix for poor smtpd_proxy_filter TCP performance
    over loopback (127.0.0.1) connections. Problem reported by
    Mark Martinec. Files: smtpd/smtpd_proxy.c.

20101023

    Cleanup: don't apply reject_rhsbl_helo to non-domain forms
    such as network addresses. This would cause false positives
    with dbl.spamhaus.org. File: smtpd/smtpd_check.c.

20101117

    Bugfix: the "421" reply after Milter error was overruled
    by Postfix 1.1 code that replied with "503" for RFC 2821
    compliance. We now make an exception for "final" replies,
    as permitted by RFC. Solution by Victor Duchovni. File:
    smtpd/smtpd.c.