xref: /netbsd/external/ibm-public/postfix/dist/HISTORY (revision 6550d01e)

In addition to the names listed below, the following people provided
useful inputs on many occasions: Paul D. Robertson, Simon J. Mudd.
Apologies for any names omitted.

19980105

	The compiled-in default value for resolve_smtp_sender was
	wrong (from the days that it was a boolean), causing smtpd
	to dump core when the variable was not set in main.cf.

	The INSTALL instructions now have separate sections for
	the three basic ways of running vmailer.

	The INSTALL instructions now have discusses how to deal
	with chrooted processes.

	Ported to RedHat 5.0. My, these people have re-organized
	their include files quite a bit, haven't they.

19980106

	On RedHat Linux 4.2/5.0, when a FIFO listener opens the
	FIFO with mode O_RDONLY, the FIFO remains forever readable
	after the writer has closed it.  Workaround: open the FIFO
	mode O_RDWR.

	Test program: util/fifo_rdonly_bug.c

	Unfortunately, the above fix triggers a bug on BSD/OS 3.1
	where opening the FIFO mode O_RDWR causes select() to claim
	that the FIFO is readable even before any data is written
	to it, causing read() to block or to fail.

	Test program:  util/fifo_rdwr_bug.c

	printfck (check arguments of printf-like function calls)
	found a missing argument in local/command.c

	Miscellaneous Makefile cleanups that I didn't finish before
	the first alpha release.

19980107

	Sometimes the DNS will claim that a domain does not exist,
	when in fact it does. Thus, it is a bad idea to reject mail
	from apparently non-existent domains. I have changed the
	smtpd so that it produces a soft error responses when a
	resolve_smtp_sender test fails with HOST_NOT_FOUND.  Note:
	by default, this test is still disabled.

	The DB and DBM read routines will now automagically figure
	out if (key, value) pairs were written including a terminating
	null byte or not. The DB and DBM write routines will use
	this result to determine how to write, and will fall back
	to per-system defaults otherwise.

	Renamed the README to MUSINGS, and wrote up a README that
	reflects the current status of the software.

	Added -d (don't disconnect) and -c (show running counter)
	option to te smtp-source test program. These tools are
	great torture tests for the mail software, and for the
	system that it runs on.

	Turned down the process_limit parameter (# of parallel smtp
	clients or servers) to avoid unpleasant surprises. You can
	crank up the process_limit parameter in main.cf.

19980111

	Feature: when run by the superuser, mailq now shows the
	mail queue even when the mail system is down. To this end,
	mailq (sendmail -bp) runs the showq program directly instead
	of connecting to the UNIX-domain service socket, and drops
	privileges etc.  as usual.

19980119

	Bugfix: Edwin Kremer spotted an oversight in the negated
	host matching code (for name or address patterns prefixed
	by !).

	Bugfix: upon receipt of a SIGHUP signal, the master now
	disconnects from its child processes, so that the current
	generation of child processes commits suicide, and so that
	the next generation of child processes will use the new
	configuration settings.

	Bugfix: the smtp server now skips the sender DNS domain
	lookup test for foo@[address]

	Bugfix: don't append the local domain to foo@[address]

19980120

	Bugfix: old low-priority bug in some list walk code that
	caused the master to drop core when a service was turned
	off in master.cf.

	Robustness: the mail system should be able to start up and
	to accept local postings even while the naming service is
	down.  For this reason, the mail system no longer uses
	gethostbyname() to look up its own machine name.  Sites
	that use short hostnames will have to specify their FQDN
	in main.cf (this will eventually be done by the system
	installation/configuration procedure). Should the config
	language support backticks so one can say `domainname`?
	What about $name stuff between the backtics?

	Security: the master now creates FIFOs and UNIX-domain
	sockets as the mail owner instead of as root, for better
	protection against subverted mail systems. chmod() is
	susceptible to race conditions. fchmod(), although safer,
	often does not work on sockets.

	Portability: anticipate that all major UNIXes will create
	UNIX-domain sockets with permissions modified by the process
	umask (required by POSIX). For this reason, we always
	chmod() UNIX-domain sockets, unless the system allows us
	to use the safer fchmod() instead.

	Portability: the semi-resident servers now properly handle
	EWOULDBLOCK returns from accept()  in addition to EGAIN
	(on some systems, EAGAIN and EWOULDBLOCK have different
	values).

	Bugfix: the semi-resident servers now properly handle EINTR
	returns From accept().

	Bugfix: Edwin Kremer found that mynetworks() would compute
	(32 - mask) instead of mask.

19980121

	Feature: /etc/vmailer/relocated is used by the local delivery
	program and specifies what mail should be bounced with a
	"user has moved to XXX" message. The main.cf configuration
	parameter is "relocated_maps".  Just like the "virtual_maps"
	config parameter, this feature is off by default, and the
	parameter can have values such as "files" or "files, nis"
	(on hosts equipped with NIS).

19980123

	Cleanup: virtual domain support moved from the queue manager
	to the resolve service, where it belongs.

	Feature: /etc/vmailer/canonical is used by the rewrite
	service for all addresses, and maps a canonical address
	(user@domain) to another address.  Typical use is to generate
	Firstname.Lastname@domain addresses, or to clean up dirty
	addresses from non-RFC 822 mail systems. The main.cf
	configuration parameter is "canonical_maps".  Just like
	the "virtual_maps" config parameter, this feature is off
	by default, and the parameter can have values such as
	"files" or "files, nis" (on hosts equipped with NIS).

19980124

	HPUX10 port and many little fixes from Pieter Schoenmakers.

	Bugfix: isolated an old mysterious bug that could make the
	master deaf for new connections while no child process was
	running.  A typical result was that no pickup daemon would
	be started after the previous one had terminated voluntarily.

	Bugfix: the NIS lookup code did not mystrdup() the NIS map
	name and would access free()d memory.

19980125

	Bugfix: the vstream routines would sometimes ignore flushing
	errors. The error would still be reported by vstream_fclose()
	and vstream_ferror().

	Feature: time limit on delivery to shell commands.  Config
	parameter: command_time_limit. Default value: 100 sec. The
	idea is to prevent one bad .forward file or alias file
	entry from slowly using up all local delivery process slots.

19980126

	Code cleanup: in preparation for SMTP extensions such as
	SIZE, allow an extended SMTP command to have a variable
	number of options.

19980127

	Bugfix: moved canonical map lookups away from the rewriting
	module to the cleanup service, so that canonical map lookups
	do not interfere with address rewriting on behalf of other
	programs. Back to an older trivial-rewrite program version.

	Bugfix: moved virtual map lookups away from the resolver
	back to the queue manager, so that virtual domain lookup
	does not interfere with address resolution on behalf of
	other programs. Back to an older qmgr program version.

19980131

	Feature: integrated and adapted Guido van Rooij's SIZE
	option (RFC 1870), carefully avoiding potential problems
	due to overflow (by multiplying large numbers) or unsigned
	underflow (by subtracting numbers).

	Code cleanup: cleaned up the code that parses the server
	response to the HELO/EHLO command, so that we can more
	reliably recognize what options a server supports.

19980201

	Portability: integrated the IRIX 6 port by Oved Ben-Aroya.

	Portability: the software now figures out by itself if a
	server should open its FIFO read-write or read-only, to
	avoid getting stuck with a FIFO that stays readable forever.

	Bugfix: the cleanup service would terminate with a fatal
	vstream_fseek() error when the queue file was too large.

	Bugfix: the cleanup service could be killed by a signal
	when the queue file became too large.

19980203

	Portability: some systems have statfs(), some have statvfs(),
	and the relevant include files are in a different place on
	almost every system.

	Portability: the makedefs script now nukes the -O compiler
	flag when building on AIX with IBM's own compiler...

19980204

	Portability: HP-UX 9.x support by Pieter Schoenmakers.

	Portability: added SYSV-style ulimit() file size limit
	support for HP-UX 9.x.

	Portability: added some #includes that appeared to be
	missing according to the Digital UNIX cc compiler.

	Bugfix: sys_defs.h now correctly specifies NIS support for
	LINUX2, HPUX9 and HPUX10.

	Security: fixed a file descriptor leak in the local delivery
	agent that could give shell commands access to the VMailer
	IPC streams. This should not cause a vulnerability, given
	the design and implementation of the mailer, but it would
	be like asking for trouble.

	Bugfix: the sendmail -B (body type) option did not take a
	value.

19980205

	Bugfix (SUNOS5): should not have deleted the SVID_GETTOD
	definition from util/sys_defs.h.

	Bugfix (HPUX9): forgot to specify whether to use statfs()
	or statvfs().

	Bugfix (HPUX9): don't try to raise the file size ulimit.

	Bugfix (HPUX9): must specify file size limit in 512-blocks.

19980207

	Robustness: the master process now raises the file size
	limit when it is started with a limit that is less than
	VMailer's file size limit.  File: util/file_limit.c.

	Security: the dns lookup routines now screen all result
	names with valid_hostname(). Bad names are treated as
	transient errors.

	Feature: qmail compatibility: when the home_mailbox parameter
	is set, mail is delivered to ~/$home_mailbox instead of to
	/var[/spool]/mail/username.  This hopefully makes it easier
	to lure people away from qmail :-)

	Robustness: several testers by accident configured relayhost
	the same as myhostname. The programs now explicitly check
	for this mistake.

	Bugfix: deliver_request_read() would free unallocated memory
	when it received an incomplete delivery request from the
	queue manager.

	Robustness: local_destination_concurrency=1 prevents parallel
	delivery to the same user (with possibly disastrous effects
	when that user has an expensive pipeline in the .forward
	or procmail config file).  Each transport can have its own
	XXX_destination_concurrency parameter, to limit the number
	of simultaneous deliveries to the same destination.

19980208

	Robustness: added "slow open" mode, to gradually increase
	the number of simultaneous connections to the same site as
	long as delivery succeeds, and to gradually decrease the
	number of connections while delivery fails. Brad Knowles
	provided the inspiration to do this.

	This also solves the "thundering herd" problem (making a
	bunch of connections to a dead host when it was time to
	retry that host). Let's see when other mailers fix this.

	Feature: Added $smtpd_banner and $mail_version, for those
	who want to show the world what software version they are
	running.

	Bugfix: vmailer-script now properly labels each syslog
	entry.

19980210

	Portability: merged in NEXTSTEP 3 port from Pieter Schoenmakers

	Bugfix: the local delivery program now checks that a
	destination is a regular file before locking it.

19980211

	Robustness: the local delivery agent sets HOME, LOGNAME,
	and SHELL when delivering to a user shell command. PATH is
	always set, and TZ is passed through if it is set.

19980212

	Feature: mailq (sendmail -bp) now also lists the maildrop
	queue (with mail that hasn't been picked up yet).

19980213

	Feature: the smtpd now says: 502 HELP not implemented. This
	should impress the heck out of the competition :-)

19980214

	Feature: local delivery to configurable system-wide command
	(e.g.  procmail) avoids the need for per-user ~/.forward
	shell commands. Config parameter: mailbox_command.

19980215

	Performance: avoid running a shell when a command contains
	no shell magic characters or built-in shell commands. This
	speeds up delivery to all commands. File: util/exec_command.c.

	Bugfix: the local delivery agent, after reading EOF from
	a child process, now sends SIGKILL only when the child does
	not terminate within a limited amount of time. This avoids
	some problems with procmail.  File:  util/timed_wait.c.

19980217

	Portability: folded in NetInfo support from Pieter
	Schoenmakers.

19980218

	Feature: new vmlock command to run a command while keeping
	an exclusive lock on a mailbox.

	Feature: with "recipient_delimiter = +", mail for local
	address "user+foo" is delivered to "foo", with a "Delivered-To:
	user+foo@domain" message header. Files: qmgr/qmgr_message.c,
	local/recipient.c. This must be the cheapest feature.

19980219

	Code cleanup: moved error handling into functions that
	should always succeed (non_blocking(), close_on_exec()).

19980223

	Bugfix: null pointer bug in the cleanup program after
	processing a From: header with no mail address (or with
	only a comment).

19980226

	Robustness: now detects when getpwnam() returns a name that
	differs from the requested name.

	Feature: Added %p support to the vbuf_print formatting
	module.

	Code cleanup: revamped the alias/include/.forward loop
	detection and duplicate suppression code in the local
	delivery agent. This must be the fourth iteration, and
	again the code has been simplified.

19980228

	Robustness: don't treat anything starting with whitespace
	as a header record. Instead, explicitly test for leading
	whitespace where we permit it. Files: global/is_header.c,
	bounce/bounce_flush_service.c, local/delivered.c.

19980301

	Compatibility: the sendmail program now accepts the -N
	command-line option (delivery status notification) but
	ignores it entirely, just like many other sendmail options.

	Bugfix: dns_lookup.c was too conservative with buffer sizes
	and would incorrectly report "malformed name server reply".

19980302

	Bugfix: the local delivery agent was not null-byte clean.

19980307

	Feature: integrated Pieter Schoenmaker's code for transport
	lookup tables that list (transport, nexthop) by destination.

19980309

	Bugfix: delivery agents no longer rename corrupt queue
	files, because programs might fall over each other doing
	so. Instead, when a delivery agent detects queue file
	corruption, it chmods the queue file, simulates a soft
	error, and lets the queue manager take care of the problem.

	Bugfix: the SMTP server implemented VRFY incorrectly.

	Feature: first shot at a pipe mailer, which can be used to
	extend VMailer with external mail transports such as UUCP
	(provided that the remote site understands domain addressing,
	because VMailer version 1 does not rewrite addresses).

	Cleanup: extended the master/child interface so that the
	service name (from master.cf) is passed on to the child.
	The pipe mailer needs the service name so it can look up
	service-specific configuration parameters (privilege level,
	recipient limit, time limit, and so on).

19980310-12

	Cleanup: factored out the pipe_command() code, so it can
	be shared between pipe mailer and local delivery agent.

19980314

	Compatibility: the sendmail program now parses each
	command-line recipient as if it were an RFC 822 message
	header; some MUAs specify comma-separated recipients in a
	command-line argument; and some MUAs even specify "word
	word <address>" forms as command-line arguments.

19980315

	Bugfix: VMailer's queue processing randomization wasn't
	adequate for unloaded systems with small backlogs.

	Bugfix: smtpd now uses double-buffered stream I/O to prevent
	loss of input sent ahead of responses.

19980316

	Bugfix: the smtpd anti-relay code didn't treat all hosts
	listed in $mydestinations as local, so it would accept mail
	only for hosts listed in $relay_domains (default: my own
	domain).

	Bugfix: smtpd now replies with 502 when given an unknown
	command.

19980318

	Cleanup: resolve/rewrite clients now automatically disconnect
	after a configurable amount of idle time (ipc_idle).

19980322

	Tolerance: VRFY now permits user@domain, even though the
	RFC requires that special characters such as @ be escaped.

19980325

	Bugfix: a recipient delimiter of "-" could interfere with
	special addresses such as owner-xxx or double-bounce.

	Tolerance: the SMTP client now permits blank lines in SMTP
	server responses.

	Tolerance: the SMTP client now falls back to SMTP when it
	apparently mistook an SMTP server as ESMTP capable.

	Bugfix: eliminated strtok() calls in favor of mystrtok().
	Symptom: master.cf parsing would break if $inet_interfaces
	was more than one word.

19980328

	Bugfix: user->addr patterns in canonical and virtual tables
	matched only $myorigin, not hosts listed in $mydestination
	or addresses listed in $inet_interfaces.  The man pages
	were wrong too. File: global/addr_match.c.

19980401

	Robustness: FIFO file permissions now default to 0622.  On
	some systems, opening a FIFO read-only could deafen the
	pickup daemon.  Only the listener end (which is opened as
	root) needs read access anyway, so there should not be a
	loss of functionality by making FIFOs non-readable for
	non-mail processes.

19980402

	Compatibility: sendmail -I and -c options added.

19980403

	Feature: virtual lookups are now recursive. File:
	qmgr/qmgr_message.c

19980405

	Implemented sendmail -bs (stand-alone) mode. This mode runs
	as the user and therefore deposits into the maildrop queue.

19980406

	The pickup service now removes malformed maildrop files.

19980407

	The pickup service now guards against maildrop files with
	time stamps dated into the future.

19980408

	Bugfix: in the canonical and virtual maps, foo->address
	would match foo@$myorigin only. This has been fixed to also
	match hosts listed in main.cf:$mydestination and the
	addresses listed in main.cf:$inet_interfaces.

	Bugfix: added double buffering support to the VMailer SMTP
	server. This makes the SMTP server robust against SMTP
	clients that talk ahead of time, and should have been in
	there from day one.

19980409

	Bugfix: the VMailer SMTP client now recognizes its own
	hostname in the SMTP greeting banner only when that name
	appears as the first word on the first line.

19980410

	Feature: smtpd now logs the local queue ID along with the
	client name/address, and pickup now logs the local queue
	ID along with the message owner.

	Bugfix: still didn't do virtual/canonical lookups right
	(code used the non-case-folded key instead of the case
	folded one).

19980418

	Bugfix: the SMTP server did not flush the "250 OK queued
	as XXXX" message from the SMTP conversation history.

19980419

	Bugfix: qmgr would not notice that a malformed message has
	multiple senders, and would leak memory (Tom Ptacek).

19980421

	Portability: in the mantools scripts, the expr pattern no
	longer has ^ at the beginning, and the scripts now use the
	expand program instead of my own detab utility.

19980425

	NetBSD 1.x patch by Soren S. Jorvang.

19980511

	Feature: the SMTP server now logs the protocol (SMTP or
	ESMTP) as part of the Received: header.

	Feature: smtpd now logs the last command when a session is
	aborted due to timeout, unexpected EOF, or too many client
	errors.

19980514

	Bugfix: the queue manager did not update the counter for
	in-core message structures, so the in-core message limit
	had no effect. This can be bad when you have a large backlog
	with many messages eligible for delivery.

	Robustness: the queue manager now also limits the total
	number of in-core recipient structures, so that it won't
	use excessive amounts of memory on sites that have large
	mailing lists.

19980518

	Bugfix: the SMTP client did not notice that the DNS client
	received a truncated response. As a result, a backup MX
	host could incorrectly claim that it was the best MX host
	and declare a mailer loop.

	Added start_msg/stop_msg entries to the vmailer startup
	script, for easy installation.

	Cleanup: VMailer databases are now explicitly specified as
	type:name, for example, hash:/etc/aliases or nis:mail.aliases,
	instead of implicitly as "files", "nis" and so on. Test
	program:  util/dict_open.  This change allowed me to
	eliminate a lot of redundant code from mkmap_xxx.c, and
	from everything that does map lookups.

19980525

	Bugfix: local/dotforward.c compared the result of opening
	a user's ~/.forward against the wrong error value.

19980526

	Bugfix: the smtpd VRFY command could look at free()d memory.

	Robustness: the smtpd program had a fixed limit on the
	number of token structures.  The code now dynamically
	allocates token structures.

	Bugfix: the queue manager still used the deprecated parameter
	name xxx_deliver_concurrency for concurrency control, but
	the documentation talks about the preferred parameter name
	xxx_destination_concurrency.  Fix: try xxx_destination_concurrency
	first, then fall back to xxx_deliver_concurrency.

19980621-19980702

	Cleanup: the string read routines now report the last
	character read or VSTREAM_EOF. This change is necessary
	for the implementation of the long SMTP line bugfix.

	Bugfix: the smtp server exited the DATA command prematurely
	when the client sent long lines. Reason: the smtp server
	did not remember that it broke long lines, so that '.'
	could appear to be the first character on a line when in
	fact it wasn't.

	Bugfix: the queue manager made lots of stupid errors while
	reading $qmgr_message_recipient_limit chunks of recipients
	from a queue file. This code has been restructured.

19980706

	Performance: the cleanup program now always adds return-receipt
	and errors-to records to a queue file, so that the queue
	manager does not have to plow through huge lists of
	recipients.

	Robustness: the initial destination concurrency now defaults
	to 2, so that one bad message or one bad connection does
	not stop all mail to a site. The configuration parameter
	is called initial_destination_concurrency.

	Performance: the per-message recipient limit is now enforced
	by the queue manager instead of by the transport. Thus, a
	large list of recipients for the same site is now mapped
	onto several delivery requests which can be handled in
	parallel, instead of being mapped onto one delivery request
	that is sent to limited numbers of recipients, one group
	after the other.

19980707

	Cleanup: the queue manager now does an additional recipient
	sort after the recipients have been resolved, so that the
	code can do better aggregation of recipients by next hop
	destination.

	Feature: lines in the master.cf file can now be continued
	in the same manner as lines in the main.cf file, i.e. by
	starting the next line with whitespace.

	Feature: the smtp client now warns that a message may be
	delivered multiple times when the response to "." is not
	received (the problem described in RFC 1047).

	Cleanup: when the queue manager changes its little mind
	after contacting a delivery agent (for example, it decides
	to skip the host because a transport or host goes bad),
	the delivery agent no longer complains about premature EOF.
	File: global/deliver_request.c

19980709

	Bugfix: when breaking long lines, the SMTP client did not
	escape leading dots in secondary etc. line fragments.  Fix:
	don't break lines. This change makes VMailer line-length
	transparent.  Files: global/smtp_stream.c, smtp/smtp_proto.c.

19980712

	Cleanup: the queue manager to deliver agent protocol now
	distinguishes between domain-specific soft errors and
	recipient-specific soft errors.  Result: many soft errors
	with SMTP delivery no longer affect other mail the same
	domain.

19980713

	Feature: the file modification time stamp of deferred queue
	files is set to the nearest wakeup time of their recipient
	hosts, or if delivery was deferred due to a non-host problem,
	the time stamp is set into the future by the configurable
	minimal backoff time.

	Bugfix: the SMTP client and the MAILQ command would report
	as message size the total queue file size. That would
	grossly overestimate the size of a message with many
	recipients.

	Bugfix: the 19980709 fix screwed up locally-posted mail
	that didn't end in newline.

19980714

	Robustness: the makedefs script now defaults to no optimization
	when compiling for purify.

19980715

	Robustness: the makedefs script now defaults to no optimization
	when compiling with gcc 2.8, until this compiler is known
	to be OK.

	Workaround: when sending multiple messages over the same
	SMTP connection, some SMTP servers need an RSET command
	before the second etc. MAIL FROM command. The VMailer SMTP
	client now sends a redundant RSET command just in case.

	The queue manager now logs explicitly when delivery is
	deferred because of a "dead" message transport.

19980716

	Feature: mailq and mail bounces now finally report why mail
	was deferred (the reason was logged to the syslog file
	only).  Changes were made to the bounce service (generalized
	to be usable for defer logs), showq service (to show reasons)
	and the queue manager.

	As a result the defer directory (with one log per deferred
	message) may contain many files; also, this directory is
	accessed each time a message is let into the active queue,
	in order to delete its old defer log. This means that hashed
	directories are now a must.

19980718-20

	Feature: configurable timeout for establishing smtp
	connections.  Parameter:  smtp_connect_timeout (default 0,
	which means use the timeout as wired into the kernel).
	Inspired by code from Lamont Jones. For a clean but far
	from trivial implementation, see util/timed_connect.c

	Cleaned up the interfaces that implement read/write deadlines.
	Instead of returning -2, the routines now set errno to
	ETIMEDOUT; the readable/writable tests are now separate.

19980722

	Feature: the default indexed file type (hash, btree, dbm)
	is now configurable with the "database_type" parameter.
	The default value for this parameter is system specific.

	Feature: selectively turn on verbose logging for hosts that
	match the patterns specified via the "debug_peer_list"
	config parameter.  Syntax is like the "bad_smtp_clients"
	parameter (see global/peer_list.c). The verbose logging
	level is specified with "debug_peer_level" (default 2).

	Security: the local delivery agent no longer delivers to
	files that have execute permission enabled.

19980723

	Workarounds for Solaris 2.x UNIX-domain sockets: they lose
	data when you close them immediately after writing to them.
	This could screw up the delivery agent to queue manager
	protocol.

19980724

	Cleanup: spent most of the day cleaning up queue manager
	code that defers mail when a site or transport dies, and
	fixed a few obscure problems in the process.

19980726

	Feature: the admin can now configure what classes of problems
	result in mail to the postmaster. Configuration parameter:
	"notify_classes".  Default is backwards compatible: bounce,
	policy, protocol, resource, and software.

19980726-28

	Feature: the admin can now configure what smtp server access
	control restrictions must be applied, and in what order.
	Configuration parameters:  smtpd_client_restrictions,
	smtpd_helo_restrictions, smtpd_mail_restrictions and
	smtpd_rcpt_restrictions. Defaults are intended to be
	backwards compatible. The bad_senders and bad_clients lists
	are gone and have become db (dbm, nis, etc) maps. Files:
	smtpd/smtpd_check.c, config/main.cf.

19980729-31

	Feature: hashed queues. Rewrote parts of the mail queue
	API.  Configuration parameters: "hash_queue_names" specifies
	what queue directories will be hashed (default: the defer
	log directory), "hash_queue_depth" specifies the number of
	subdirectories used for hashing (default 2).

19980802

	Bugfix: the pipe mailer should expand command-line arguments
	with $recipient once for every recipient (producing one
	command-line argument per recipient), instead of replacing
	$recipient by of all recipients (i.e.  producing only one
	command-line argument).  This is required for compatibility
	with programs that expect to be run from sendmail, such as
	uux. Thanks to Ollivier Robert for helping me to get this
	right.

	Code cleanup: for the above, cleaned up the macro expansion
	code in dict.c and factored out the parsing into a separate
	module, mac_parse.c.

19980803

	"|command" and /file/name destinations in alias databases
	are now executed with the privileges of the database owner
	(unless root or vmailer).  Thus, with: "alias_maps =
	hash:/etc/aliases, hash:/home/majordomo/aliases", and with
	/home/majordomo/aliases* owned by the majordomo account,
	you no longer need the majordomo set-uid wrapper program,
	and you no longer need root privileges in order to install
	a new mailing list.

19980804

	Added support for the real-time blackhole list.  Example:
	"client_restrictions = permit_mynetworks, reject_maps_rbl"

	All SMTP server "reject" status codes are now configurable:
	unknown_client_reject_code, mynetworks_reject_code,
	invalid_hostname_reject_code, unknown_hostname_reject_code,
	unknown_address_reject_code, relay_domains_reject_code,
	access_map_reject_code, maps_rbl_reject_code. Default values
	are documented in the smtpd/smtpd_check.c man page.

19980806-8

	Code cleanup: after eye balling line-by line diffs, started
	deleting code that duplicated functionality because it was
	at the wrong abstraction level (smtp_trouble.c), moved
	functionality that was in the wrong place (dictionary
	reference counts in maps.c instead of dict.c), simplified
	code that was too complex (password-file structure cache)
	and fixed some code that was just wrong.

19980808

	Robustness: the number of queue manager in-core structures
	for dead hosts is limited; the limit scales with the limit
	on the number of in-core recipient structures. The idea is
	to not run out of memory under conditions of stress.

19980809

	Feature: mail to files and commands can now be restricted
	by class:  alias, forward file or include file. The default
	restrictions are:  "allow_mail_to_files = alias, forward"
	and allow_mail_to_commands = alias, forward". The idea is
	to protect against buggy mailing list managers that allow
	intruders to subscribe /file/name or "|command".

19980810-12

	Cleanup: deleted a couple hundred lines of code from the
	local delivery agent. It will never be a great program;
	sendmail compatibility is asking a severe toll.

19980814

	Cleanup: made the program shut up about some benign error
	conditions that were reported by Daniel Eisenbud.

19980814-7

	Documentation: made a start of HTML docs that describe all
	configuration parameters.

	Feature: while documenting things, added smtpd_helo_required.

19980817

	Bugfix: at startup the queue manager now updates the time
	stamps of active queue files some time into the future.
	This eliminates duplicate deliveries after "vmailer reload".

	Bugfix: the local delivery agent now applies the recipient
	delimiter after looking in the alias database, instead of
	before.

	Documentation bugfixes by Matt Shibla, Tom Limoncelli,
	Eilon Gishri.

19980819

	GLIBC fixes from Myrdraal.

	Bugfix: applied showq buffer reallocation workaround in
	the wrong place.

	Bugfix: can't use shorts in varargs lists. SunOS 4 has
	short uid_t and gid_t. pipe_command() would complain.

	Bugfix: can't use signed char in ctype macros. All ctype
	arguments are now casted to unsigned char. Thanks, Casper
	Dik.

19980820

	Bugfix: save the alias lookup result before looking up the
	owner.  The previous alpha release did this right.

	Cleanup: mail_trigger() no longer complains when the trigger
	FIFO or socket is unavailable. This change is necessary to
	shut up the sendmail mail posting program, so that it can
	be used on mail clients that mount their maildrop via NFS.

	Experiment: pickup and pipe now run as vmailer most of the
	time, and switch to user privileges only temporarily.
	Files: util/set_eugid.c global/pipe_command.c pipe/pipe.c
	pickup/pickup.c. Is this more secure/ What about someone
	manipulating such a process while not root? It still has
	ruid == 0.

19980822

	Portability: with GNU make, commands such as "(false;true)"
	and "while :; do false; done" don't fail. Workaround: use
	"set -e" all over the place.  Problem found by Jeff Wolfe.

	Feature: "check_XXX_access maptype:mapname" (XXX = client,
	helo, sender, recipient). Now you can make recipient and
	other SPAM restrictions dependent on client or sender access
	tables lookup results.

19980823

	Bugfix: smtpd access table lookup keys were case sensitive.

	Added "permit" and "reject" operators. These are useful at
	the end of SPAM restriction lists (smtpd_XXX_restrictions).

	Added a first implementation of the permit_mx_backup SPAM
	restriction. This permits mail relaying to any domain that
	lists this mail system as an MX host (including mail for
	the local machine). Thanks to Ollivier Robert for useful
	discussions.

19980824

	Bugfix: transport table lookup keys were case sensitive.

19980825

	Portability: sa_len is some ugly #define on some SGI systems,
	so we must rename identifiers (file util/connect.c).

	Bugfix: uucp delivery errors are now sent to the sender.
	Thanks, Mark Delany.

	Bugfix: the pipe delivery agent now replaces empty sender
	by the mailer daemon address. Mark Delany, again.

	Portability: GNU getopt looks at all command-line arguments.
	Fix: insert -- into the pipe/uucp definition in master.cf.

	Bugfix: the smtp server command tokenizer silently discarded
	the [] around [text], so that HELO [x.x.x.x] was read as
	if the client had sent: HELO x.x.x.x. Thanks, Peter Bivesand.

	Bugfix: the HELO unknown hostname/bad hostname restrictions
	would have treated [text] as a domain name anyway.

	Bugfix: the $local_duplicate_filter_limit value was not
	picked up by the local delivery agent. This means the local
	delivery agent could run out of memory on large mailing
	list deliveries.

19980826

	Performance: mkmap/mkalias now run with the same speed as
	sendmail. VMailer now uses a 4096-entry cache with 1 Mbyte
	of memory for DB lookups.  File: util/dict_db.c.

19980902

	Robustness: the reject_unknown_hostname restriction for
	HELO/EHLO hostnames will now permit names that have an MX
	record instead of an A record.

19980903

	Feature: appending @$myorigin to an unqualified address is
	configurable with the boolean append_at_myorigin parameter
	(default: yes).

	Feature: appending .$mydomain to user@host is configurable
	with the boolean append_dot_mydomain parameter (default:
	yes).

	Feature: site!user is rewritten to user@site, under control
	of the boolean parameter swap_bangpath (default: yes).

	Feature: permit a naked IP address in HELO commands (i.e.
	an address without the enclosing [] as required by the
	RFC), by specifying "permit_naked_ip_address" as one of
	the restrictions in the "smtpd_helo_restrictions" config
	parameter.

19980904

	Code cleanup: when an SMTP client aborts a session after
	sending MAIL FROM, the cleanup service no longer warns that
	it is "skipping further client input". Files: cleanup/*.c.
	Thanks, Daniel Eisenbud, for prodding.

	Code cleanup: when an SMTP server disconnects in the middle
	of a session, don't try to send QUIT over the non-existing
	connection. Files: global/smtp_stream.c, smtp/smtp.c.
	Thanks, Daniel Eisenbud, for prodding, again.

	Code cleanup: the VMailer version number has moved from
	mail_params.h (which is included by lots of modules) to a
	separate file global/mail_version.h, so that a version
	change no longer results in massive recompilation.

	Bugfix: Errors-To was flagged as a sender address, so the
	address never was picked up.

	Code cleanup: support for Errors-To: headers completed.

19980905

	Feature: per-message exponential delivery backoff, by
	looking at the amount of time a message has been queued.
	Thanks, Mark Delany.

19980906

	Code cleanup: ripped out the per-host exponential backoff
	code. It was broken by 19980818. It was probably a bad idea
	anyway, because it required per-host, in-core, state kept
	by the queue manager.  All we do now is to keep state for
	$minimal_backoff_time seconds, but only for a limited number
	of hosts. Daniel Eisenbud spotted the problem.

	Lost feature: the SMTP session transcripts now show who
	said what. This feature was inadvertently dropped during
	development. Thanks, Daniel Eisenbud, for reminding.

	Documentation: the hard-coded rewriting process of the
	trivial-rewrite program is described in html/rewrite.html.

	Feature: the local delivery agent now does alias lookups
	before and after chopping off the recipient subaddress.
	This allows you to forward user-anything to another user,
	without losing the ability to redirect specific user-foo
	addresses.

19980909

	Feature: the smtp client now logs a warning that a server
	sends a greeting banner with the client's hostname, which
	could imply a mailer loop.

19980910

	Feature: separate canonical maps for sender and recipient
	address rewriting, so that you can rewrite an ugly sender
	address and still forward mail to that same ugly address
	without creating a mailer loop.  Files: cleanup_envelope.c,
	cleanup_message.c, cleanup_rewrite.c.

19980911

	Feature: virtual maps now support multiple addresses on
	the right-hand side. In the case of virtual domains this
	can eliminate the need for address expansion via local
	aliases, making virtual domains much easier to administer.
	This required that I moved the virtual table lookups from
	the queue manager to the cleanup service, so that every
	recipient has an on-disk status record.  Files: qmgr.c,
	qmgr_message.c, cleanup_envelope.c, cleanup_rewrite.c,
	cleanup_virtual.c.

	Feature: sendmail/mailq/newaliases pass on the -v flag to
	the program that they end up running, to make debugging a
	little easier.

19980914

	Bugfix: some anti-spam measures didn't recognize some
	addresses as local and would do too much work. File:
	smtpd_check.c.

	Bugfix: the smtp sender/recipient table lookup restriction
	destroyed global data, so that other restrictions could
	break. File: smtpd_check.c.

	Bugfix: after vmailer reload, single-threaded servers could
	exit before flushing unwritten data to the client. Example:
	cleanup would exit before acking success to pickup, so the
	message would be delivered twice. Bug reported by Brian
	Candler.

	Cleanup: removed spurious error output from vmailer-script.
	Reported by Brian Candler.

	Tolerance: ignore non-numeric SMTP server responses. There's
	lot of brain damage out there on the net.

19980915

	Feature: the smtp-sink benchmark tool now announces itself
	with a neutral name so that it can be run on the same
	machine as VMailer, without causing Postfix to complain
	about a mailer loop.

	Robustness: on LINUX, vmailer-script now does chattr +S to
	force synchronous directory updates. Fix developed with
	Chris Wedgwood.

19980916

	Bugfix: when transforming an RFC 822 address to external
	form, there is no need to quote " characters in comments.
	This didn't break anything, it just looked ugly.  File:
	global/tok822_parse.c

19980917

	Workaround: with deliveries to /file/name, use fsync() and
	ftruncate() only on regular files.  File: local/file.c

	Workaround: the plumbing code in master_spawn.c didn't
	check if it was dup2()/close()ing a descriptor to itself
	then closing it. Will have to redo the plumbing later.

19980918

	Workaround: on multiprocessor Solaris machines, one-second
	rollover appears to happen on different CPUs at slightly
	different times. Made the queue manager more tolerant for
	such things.  Problem reported by Daniel Eisenbud.

	Workaround: in preparation for deployment with a network-shared
	maildrop directory. make pickup more tolerant against clock
	drift between clients and servers.

19980921

	New vstream_popen() module that opens a two-way channel
	across a socketpair-based pipe. This module isn't being
	used yet; it is here only to complete the vstream code.

19980922

	Code cleanup: the xxx_server_main() interface for master
	child processes now uses a name-value argument list instead
	of an ugly and inflexible data structure.

	Bugfix: moved the test if a non-interactive process is run
	by hand, so that the "don't do this" error message can be
	printed to stderr before any significant processing.

	Bugfix: smtpd now can talk to unix-domain sockets without
	bailing out on a peer lookup problem. Files: smtpd/smtpd.c,
	util/peer_name.c.

	Safety: by default, the postmaster is no longer informed
	of protocol problems, policy violations or bounces.

	Safety: the SMTP server now sleeps before sending a [45]xx
	error response, in order to prevent clients from hammering
	the server with a connect/error/disconnect loop. Parameter:
	smtpd_error_sleep_time (default: 5).

	Feature: the logging facility is compile-time configurable
	(e.g., make makefiles "CCARGS=-DLOG_FACILITY=LOG_LOCAL1").

19980923

	Bugfix: changed virtual/canonical map search order from
	(user@domain, @domain, user) to (user@domain, user, @domain)
	so the search order is most specific to least specific.
	File: global/addr_map.c, lots of documentation.

	Bugfix: after the change of 19980910, cleanup_message
	extracted recipients from Reply-To: etc. headers.  Found
	by Lamont Jones.

19980925

	Bugfix: the change in virtual/canonical map search order
	broke @domain entries; they would never be looked up if
	the address matched $myorigin or $mydestinations. Found by
	Chip Christian who now regrets asking for the change.

	Bugfix: cleanup initialized an error mask incorrectly, so
	that it would keep writing to a file larger than the queue
	file size limit, and so it would treat the error as a
	recoverable one instead of sending a bounce. Thanks, Pieter
	Schoenmakers.

	Bugfix: the "queue file cleanup on fatal error" action was
	no longer enabled in the sendmail mail posting agent.

	Feature: the sendmail mail posting program now returns
	EX_UNAVAILABLE when the size of the input exceeds the queue
	file size limit. NB THIS CHANGE HAS BEEN WITHDRAWN.

19980926

	Code cleanup: the dotlock file locking routine is no longer
	derived from Eric Allman's 4.3BSD port of mail.local.

	Code cleanup: the retry strategy of the file locking routines
	dot_lockfile() and deliver_flock() is now configurable
	(deliver_flock_attempts, deliver_flock_delay, deliver_flock_stale).

	Code cleanup: the master.pid lock file is now created with
	symlink paranoia, and is properly locked so that PID rollover
	will not cause false matches.

	Bugfix: the vbuf_print() formatting engine did not know
	about the '+' format specifier.

	Cleanup: replaced unnecessary instances of stdio calls by
	vstream ones.

19980929-19981002

	Compatibility: added support for "sendmail -q". This required
	a change to the queue manager trigger protocol, and a code
	reorganization of the way queue scans were done. The queue
	manager socket now has become public.

19981002

	SMTPD now logs "lost connection after end-of-message"
	instead of "lost connection after DATA".

19981005

	More bullet proofing: timeouts on all triggers.

19981006

	Bugfix: make the number of cleanup processes unlimited, in
	order to avoid deadlock. The number of instances needed is
	one per smtp/pickup process, and an indeterminate number
	per local delivery agent. Thanks, Thanks, David Miller and
	Terry Lorrah for cleueing me in.

	Bugfix: "sendmail -t" extracted recipients weren't subjected
	to virtual mapping. Daniel Eisenbud strikes again.

19981007

	Compatibility: if the first input line ends in CRLF, the
	sendmail posting agent will treat all CRLF as LF. Otherwise,
	CRLF is left alone. This is a compromise between sendmail
	compatibility (all lines end in CRLF) and binary transparency
	(some, but not all, lines contain CRLF).

19981008

	Robustness: stop recursive virtual expansion when the
	left-hand side appears in its own expansion.

19981009

	Portability: trigger servers such as pickup and qmgr can
	now use either FIFOs or UNIX-domain sockets; hopefully at
	least one of them works properly. Trigger clients were
	already capable of using either form of local IPC.

19981011

	Feature: masquerading. Strip subdomains from domains listed
	in $masquerade_domains. Exception: envelope recipients are
	left alone, in order to not screw up routing.

19981015

	Code cleanup: moved the recipient duplicate filter from
	the user-level sendmail posting agent to the semi-resident
	cleanup service, so that the filter operates on the output
	from address canonicalization and of virtual expansion,
	instead of operating on their inputs.

19981016

	Bugfix: after kill()ing a bunch of child processes, wait()
	sometimes fails before all children have been reaped, and
	must be called again, or the master will SIGSEGV later.
	Problem reported by Scott Cotton.

	Workaround: don't log a complaint when an SMTP client goes
	away without sending QUIT.

19981018

	Workaround: Solaris 2.5 ioctl SIOCGIFCONF returns a hard
	error (EINVAL) when the result buffer is not large enough.
	This can happen on systems with many real or virtual
	interfaces. File: util/inet_addr_local.c. Problem reported
	by Scott Cotton.

	Workaround: the optional HELO/EHLO hostname syntax check
	now allows a single trailing dot.

	Workaround: with UNIX-domain sockets, LINUX connect() blocks
	until the server calls accept(). File: qmgr/qmgr_transport.c.
	Terry Lorrah and Scott Cotton provided the necessary
	evidence.

19981020

	Robustness: recursive canonical mapping terminates when
	the result stops changing.

	Code cleanup: reorganized the address rewriting and mapping
	code in the cleanup service, to make it easier to implement
	the previous enhancement.

19981022

	Code cleanup: more general queue scanning programming
	interface, in preparation for hashed queues. File:
	qmgr/qmgr_scan.c.

	Bugfix: a non-FIFO server with a process limit of 1 has a
	too short listen queue.  Until now this was not a problem
	because only FIFO servers had a process limit of 1, and
	FIFOs have no listen queue.  Fix: always configure a listen
	queue of proc_limit or more.  File: master/master_listen.c.

19981023

	Feature: by popular request, mail delay is logged when
	delivering, bouncing or deferring mail.

19981024

	Cleanup: double-bounce mail is now absorbed by the queue
	manager, instead of the local delivery agent, so that the
	mail system will not go mad when no local delivery agent
	is configured.

19981025

	Cleanup: moved the relocated table from the local delivery
	agent to the queue manager, so that the table can also be
	used for virtual addresses.

	Code reorg: in order for the queue manager to absorb
	recipients, the queue file has to stay open until all
	recipients have been assigned to a destination queue.

19981026

	vmlogger command, so that vmailer-script logging becomes
	consistent with the rest of the VMailer system.

	Code reorg: logger interface now can handle multiple output
	handlers (e.g. syslog and stderr stream).

	Bugfix: a first line starting with whitespace is no longer
	treated as an extension of our own Received: header. Files:
	smtpd/smtpd.c, pickup/pickup.c.

19981027

	Bugfix: the bang-path swapping code went into a loop on an
	address consisting of just a single !. Eilon Gishri had
	the privilege of finding this one.

	Workaround: the non-blocking UNIX-domain socket connect is
	now enabled only on systems that need it. It may cause
	kernel trouble on Solaris 2.x.

	Bugfix: the resolver didn't implement bangpath swapping,
	so that mail for site!user@mydomain would be delivered to
	a local user named "site!user".

19981028

	Cleanup: a VSTREAM can now use different file descriptors
	for reading and writing. This was necessary to prevent
	"sendmail -bs" and showq from writing to stdin. Eilon Gishri
	observed the problem.

19981029

	The RFC 822 address manipulation routines no longer give
	special attention to 8-bit data. Files: global/tok822_parse.c,
	global/quote_822_local.c.

	Bugfix: host:port and other non-domain stuff is no longer
	allowed in mail addresses.  File: qmgr/qmgr_message.c.

	Workaround: LINUX accept() wakes up before the three-way
	handshake is complete, so it can fail with ECONNRESET.
	Files: master/single_server.c, master/multi_server.c.

	Feature: when delivering to user+foo, try ~user/.forward+foo
	before trying ~user/.forward.

	Bugfix: smtpd in "sendmail -bs" (stand-alone) mode didn't
	clean up when terminated by a signal.

	Bugfix: smtpd in "sendmail -bs" (stand-alone) mode should
	not try to enforce spam controls because it cannot access
	the address rewriting machinery.

	Cleanup: the percent hack (user%domain -> user@domain) is
	now configurable (allow_percent_hack, default: yes).

	Bugfix: daemons in -S (stand-alone) mode didn't change
	directory to the queue. This was no problem with daemons
	run by the sendmail compatibility program.

19981030

	Feature: when virtual/canonical/relocated lookup fails for
	an address that contains the optional recipient delimiter
	(e.g., user+foo@domain), the search is done again with the
	unextended address (e.g., user@domain). File: global/addr_find.c.

	Code reorg: the address searching is now implemented by a
	separate module global/addr_find.c, so that the same code
	can be used for both (non-mapping) relocated table lookups
	and for canonical and virtual mapping. The actual mapping
	is still done in the global/addr_map.c module.

	Robustness: the SMTP client now skips hosts that don't send
	greeting banner text. File: smtp/smtp_connect.c

	Feature: preliminary support to disable delivered-to. This
	is desirable for mailing list managers that don't want to
	advertise internal aliases.

	Generic support: when the recipient_feature_delimiter
	configuration parameter is set, the local delivery agent
	uses it to split the recipient localpart into fields. Any
	field that has a known name such as "nodelivered" enables
	the corresponding delivery feature.

19981031

	Code reorg: address splitting on recipient delimiter is
	now centralized in global/split_addr.c, which knows about
	all reserved names that should never be split.

	Robustness: when a request for an internal service cannot
	be satisfied because the master has terminated, terminate
	instead of trying to reach the service every 30 seconds.

	Safety: the local delivery agent now runs as vmailer most
	of the time, just like pickup and pipe. Files: local/local.c,
	local/mailbox.c

19981101

	Compatibility: the tokenizer for alias/forward/etc.
	expansion now updates an optional counter with the number
	of destinations found; If no destinations is found in a
	.forward file, deliver to the mailbox instead. Thanks,
	Daniel Eisenbud, for showing the way to go.

	Robustness: the pickup daemon should always include a
	posting-time record, even when the sendmail posting agent
	didn't. However, just like before, user-provided posting
	times will be ignored. Ollivier Robert found this one.

	Robustness: duplicate entries in aliases or maps now cause
	a warning instead of a fatal error (and an incomplete file).

	Robustness: mkmap now prints a warning when an entry is in
	"key: value" format, which is the format expected for alias
	databases, not for maps.

	Portability: on LINUX, prepend "+" to the getopt() options
	string so that getopt() will stop at the first non-option
	argument. Suggestion by Marco d'Itri.

19981103

	Cleaned up the set_eugid() and open_as() implementations,
	and added stat_as() and fstat_as() so that the local delivery
	agent would look up include files and .forward files with
	the right privileges.

19981104

	Bugfix: the :include: routine now stat()s/open()s files
	included by root-owned aliases as root, not as nobody.

	Bugfix: the master crashed when a service with wakeup timer
	was disabled or renamed.  Fix: eliminate some pathological
	coupling between process management and wakeup management.

	Feature: partial implementation of ETRN (causes a full
	deferred queue scan). Thanks Lamont Jones for reminding me
	that things can be useful already before they are perfect.

	Cleanup: simplified the SMTPD tokenizer.

	Bugfix: sendmail -bs didn't properly notify the mail system
	of new mail.

	Compatibility: the MAIL FROM and RCPT TO commands now accept
	the most common address forms without enclosing <>. The <>
	is still needed for addresses that contain a "string", an
	[address], or a colon (:).

19981105

	Bugfix: "master -t" would claim that the master runs when
	in fact the pid directory does not exist, causing trouble
	with first time startup (reported by several).

	Portability: added a sane_accept() module that maps all
	beneficial accept() error results to EAGAIN. According to
	private communication with Alan Cox, Linux 2.0.x accept()
	can return a variety of error conditions, so we play safe
	and allow for any error that may happen because SYN+ACK
	could not be sent.

	Portability: NETBSD1 uses dotlock files (Perry Metzger).

	Bugfix: the local delivery agent did not canonicalize
	owner-foo sender addresses, so that local users would see
	owner-foo instead of owner-foo@$myorigin (Perry Metzger).

	OPENSTEP4 support, similar to NEXTSTEP3 (Gerben Wierda).

19981106

	Portability: the master startup would take a long time on
	AIX because AIX has a very large per-process open file
	limit.  Fix is to check the status of only the first couple
	hundred file descriptors instead. File: master/master.c.

	Bugfix: mail to user@[net.work.addr.ess] was broken because
	of a reversed test. File: qmgr/qmgr_message.c.

19981107

	Compatibility: don't clobber the envelope sender address
	when an alias has no owner-foo alias (problem diagnosed by
	Christophe Kalt).

	Bugfix: mail to local users in include files would be
	delivered directly if the alias didn't have an owner-foo
	alias, and if the alias database and include file were
	owned by root.

	Feature: with user+foo addresses, any +foo address extension
	that is not explicitly matched in canonical, virtual or
	alias databases is propagated to the table lookup result.

19981108

	Bugfix: minor memory leak in the user+foo table lookup
	code.

	Configurability: specify virtual.domain in the virtual map,
	and mail for unknown@virtual.domain will bounce automatically.
	The $relay_domains default value now includes $virtual_maps,
	so the SMTP server will accept mail for the domain. Marco
	d'Itri put me on the right track.

	Configurability: The mydestinations configuration parameter
	now accepts /file/name expressions and type:name lookup
	tables.

	Code cleanup: in order to make the previous two enhancements
	possible, revised the string/host/address matching engine
	so it can handle any mixture of strings, /file/name patterns
	and type:name lookup tables. Files: util/match_{list,ops}.c,
	global/{domain,namadr,string}_list.c.

19981110

	Code cleanup: replaced remaining isxxx() calls by ISXXX().

19981111

	Bugfix: the "bounce unknown virtual user" code was in the
	wrong place. Problem tackled with help of Chip Christian.

	Portability: reportedly, Solaris 2.5.1 can hang waiting
	for a UNIX-domain connection to be accepted, so it gets
	the same workaround that was designed for LINUX. Problem
	reported by Scott Cotton.

19981112

	Management: "vmailer stop" now allows delivery agents to
	finish what they are doing, like "vmailer reload".

	Management; "vmailer abort" causes immediate termination.

	Workaround: zombie processes pile up with HP-UX. Reason:
	select() does not return upon SIGCHLD when SA_RESTART is
	specified to sigaction(). Workaround: shorten the select()
	timer to 10 seconds, #ifdef BRAINDEAD_SELECT_RESTARTS.
	Thanks, Lamont Jones.

19981117

	Rename: VMailer is now Postfix. Sigh.

19981118

	Cleanup: generalized the safe_open() routine so that it is
	no longer limited to mailbox files, lock files, etc.

	Bugfix (found during code review): vstream*printf() could
	run off the end of a stream buffer after an I/O error,
	because vbuf_print() ignored the result from VBUF_SPACE().

	Bugfix (found during code review): resolve_local() could
	clobber its argument, but the docs didn't say so.

19981121

	Cleanup: the is_header() routine now allows 8-bit data in
	header labels.

19981123

	Bugfix (found during code review): the mail_queue_enter()
	path argument wasn't optional.  File: global/mail_queue.c

19981124

	Cleanup: eliminated redundant tests for a zero result from
	vstream_fdopen(). Unlike the stdio fdopen() routine, the
	vstream_fdopen() routine either succeeds or never returns.

	Bugfix: the queue manager now looks at the clock before
	examining a file time stamp, to avoid spurious complaints
	about time warps on busy machines. File:  qmgr/qmgr_active.c.

19981125

	Compatibility: allow trailing dot at the end of user@domain.
	Address canonicalization now strips it off. Issue brought
	forward by Eilon Gishri. File: trivial-rewrite/rewrite.c.

	Robustness: changed DNS lookup order of MAIL FROM etc.
	domains from MX then A to A then MX, just in case the MX
	lookup fails with a server error.

	Renamed vmcat, vmlock, vmlogger, vmtrigger to postcat,
	postlock, postlog, postkick. Also renamed mkmap and mkalias
	to postmap and postalias.

19981126

	Workaround: Lamont Jones found a way for HP-UX to terminate
	select() after SIGCHLD. The code is #ifdef USE_SIG_RETURN.
	Files:  util/sys_defs.h, master/master_sig.c.

	Bugfix: the Delivered-To: loop detection code had stopped
	working, when long ago the is_header() routine was changed.
	File: local/delivered.c.

19981128

	Bugfix: postcat opened queue files read-write, where only
	read access was needed. File: postcat/postcat.c.

19981129

	Safety: added a sleep(1) to all fatal and panic exits.
	File: util/msg.c.

19981201

	Robustness: postcat now insists that a file starts with a
	time record.

	Consistency: added "-c config_dir" command-line options
	where appropriate.

19981202

	Man pages, on-line version.

19981203

	Man pages, html version; overview documentation.

19981206

	Sendmail silently accepted the unsupported -qRsite and
	-qSsite options.  It now prints an error message and
	terminates.

	Separated the contributed tree from the IBM code; moved
	the LDAP and NEXTSTEP/OPENSTEP code to the contributed
	source tree because obviously I didn't write it.

19981206-9

	Had to write a postconf configuration utility in order to
	reliably find out about all configuration parameters and
	their defaults.

	Documentation bugfixes by Matt Shibla, Scott Drassinower,
	Greg A. Woods.

19981209

	On machines with short hostnames, postconf -d cored while
	reporting a fatal error. It should not report that error
	in the first place. Thanks, Eilon Gishri.

	Changed the FAQ entry about rejecting mail for *.my.domain
	on a firewall. Chip Christian was right, I was wrong.

19981214

	Portability: with GNU getopt, optind is not initially 1,
	breaking an assumption in sendmail/sendmail.c. Liviu Daia.

	Annoyance: on non-networked systems, don't warn that only
	one network interface was found. File:  global/inet_addr_local.c.
	Reported by several.

	Bugfix: on non-networked systems, the smtp client assumed
	that it was running in virtual host mode, and would bind
	to the loopback interface. File smtp/smtp_connect.c.  Liviu
	Daia, again.

19981220

	Robustness: when looking up an A or MX record, do not give
	up when the A query fails because of a server error.  File
	dns/dns_lookup.c. Reported by Scott Drassinower.

19981221

	Bugfix: "bounce mail for non-existent virtual user" didn't
	work when a non-default relay host was configured in main.cf
	or in the transport table. File: qmgr/qmgr_message.c.

	Bugfix: the maildrop directory should not be world-readable.
	Files: conf/postfix-script, showq/showq.c.

	Documentation: fixed several omissions and errors.

	Documentation: removed references to the broken recipient
	feature delimiter configuration parameter.

	Bugfix: write mailbox file as the recipient, so that file
	quota work as expected.

	Bugfix: pickup would die when it tried to remove a non-file
	in the maildrop directory (Jeff Wolfe).

19981222

	Sendmail no longer logs the queue ID when it is unable to
	notify the pickup daemon. This is a late addition to the
	"unreadable maildrop queue" patch.

	user.lock files are now created as root, so that postfix
	needs no group directory write permission.

19981224

	Security: allow queue file link counts > 1, to avoid
	non-delivery of maildrop files with links to a non-maildrop
	directory.  Files:  global/mail_open_ok.c, and anything
	that calls this code (qmgr, pickup, showq). If multiple
	hard links are a problem, see the set-gid "postdrop" utility
	below.

19981225

	Robustness: the queue manager no longer aborts when a queue
	file suddenly disappears (e.g. because the file was removed
	by hand).

	Feature: when a writable maildrop directory is a problem,
	sites can make the new "postdrop" utility set-gid. This
	command is never used when the maildrop directory is
	world-writable.

	Robustness: make the queue file creation routine more
	resistant against denial of service race attack. File:
	global/mail_queue.c

19981226

	New suid_priv module to enable/disable privileges in a
	set-uid/gid program. In the end I decided to not use it.

19981228

	Robustness: make the pickup daemon more resistant against
	non-file race attack.

	Cleanup: generic mail_stream.c interface for writing queue
	file streams to files, daemons or commands. This simplifies
	the code in smtpd and in sendmail that must be able to pipe
	mail through the postdrop command. The cleanup daemon has
	been modified to use the same interface. Result: less code.

	Feature: smtpd now logs the only recipient in Received:
	headers.

	Feature: separate command and daemon directories. Both
	default to $program_directory. Install conf/postfix-script
	if you want to use this feature.

19981230

	Patch to avoid conflict with non-writable top-level Makefile
	(Lamont Jones).

19981231

	Portability: port to UnixWare 7 by Ronald Joe Record, SCO.

19990104

	Bugfix: fencepost (Jon Ribbens, Oaktree Internet Solutions
	Ltd.) Files: quote_82[12]_local.c.

	Bugfix: wrong default for relay_domains (Juergen Kirschbaum,
	Bayerische Landesbank). File: mail_params.h.

	Bugfix: changed 5xx response for "too may recipients" to
	4xx. File: smtpd.c.

19990106

	Feature: defer_transports specifies the names of transports
	that should be used only when "sendmail -q" (or equivalent)
	is issued. For example, "defer_transports = smtp" is useful
	for sites that are disconnected most of the time. File:
	qmgr_message.c.

19990107

	Feature: local_command_shell specifies a non-default shell
	for delivery to command by the local delivery agent. For
	example, "local_command_shell = /some/where/smrsh -c"
	restricts what may appear in "|command" destinations.
	File: global/pipe_command.c.

19990112-16

	Feature: SMTP command pipelining support based on an initial
	version by Jon Ribbens, Oaktree Internet Solutions Ltd.
	This one took several days of massaging before I felt
	comfortable about it. Files: smtp.c, smtp_proto.c.

	Bugfix: the SMTP server would flush responses one-by-one,
	which caused suboptimal performance with pipelined clients.
	The vstream routines now flush the write buffer when the
	read() routine is called, instead of flushing when the
	application changes from writing to reading. Delayed flush
	prevents the SMTP server from flushing responses one-by-one
	and thus triggering Nagle's algorithm. File: util/vstream.c.

19990117

	Bugfixes and enhancements to the smtpstone tools by Drew
	Derbyshire, Kendra Electronic Wonderworks: send helo command,
	send message headers, format the message content to lines
	< 80, work around NT stacks, make "." recognition more
	robust. Files: smtp-source.c, smtp-sink.c.

	Strategy: look at the deferred queue only when the incoming
	queue is empty; limit the number of recipients read from
	a queue file depending on the number of recipients already
	in core. Files: qmgr.c, qmgr_message.c.

	Feature: postponed anti-UCE restrictions. The decision to
	reject junk mail on the basis of the client name/address,
	HELO hostname or sender address can now be postponed until
	the RCPT TO command (or HELO or MAIL FROM if you like).
	File: smtpd_check.c.

19990118

	Feature: incremental updates of alias databases and of
	other lookup tables. Both postalias and postmap now take
	a -i option for incremental updates from standard input.
	Files: global/mkmap_*.c, post{map,alias}/post{map,alias}.c.

	Compatibility: newaliases can now update multiple alias
	databases: list them in the "alias_database" parameter in
	main.cf. By the same token, postalias can now update multiple
	maps in one command. Files:  post{map,alias}/post{map,alias}.c

	Feature: mail to <> is now sent to the address specified
	with the "empty_address_recipient" configuration parameter
	which defaults to MAILER-DAEMON (idea by Lamont Jones,
	Hewlett-Packard). File: cleanup/cleanup_envelope.c.

	Compatibility: the transport table now uses .domain.name
	to match subdomains, just like sendmail mailer tables (patch
	by Lamont Jones, Hewlett-Packard).

	Feature: mailq now ends with a total queue size summary
	(Eilon Gishri, Israel Inter University Computation Center).

19990119

	Feature: address masquerade exceptions for user names listed
	in the "masquerade_exceptions" configuration parameter.
	File: cleanup/cleanup_masquerade.c.

	Feature: qmail-style maildir support, based on initial code
	by Kevin W. Brown, Quantum Internet Services Inc.

	Workaround: Solaris 2.something connect() fails with
	ECONNREFUSED when the system is busy (Chris Cappuccio,
	Empire Net). File: global/mail_connect.c.

	Feature: the cleanup service now adds a Return-Path: header
	when none is present. This header is needed for some mail
	delivery programs (see below). File: cleanup_message.c.

	Feature: the pipe mailer now supports $user, $extension
	and $mailbox macros in command-line expansions. This, plus
	the Return-Path: header (see above), should be sufficient
	to support cyrus IMAP out of the box. Based on  initial
	code by Joerg Henne, Cogito Informationssysteme GMBH.
	File: pipe/pipe.c.

	Bugfix: with address extensions enabled, canonical and
	virtual lookups now are done in the proper order:
	user+foo@domain, user@domain, user+foo, user, @domain.
	File: global/mail_addr_find.c.

19990119

	Feature: the local mailer now prepends a Received: message
	header with the queue ID to forwarded mail, in order to
	make message tracing easier.  File: local/forward.c.

	Cleanup: after "postfix reload", no more broken pipe
	complaints from resolve/rewrite clients.

19990121

	Feature: pickup (again) logs uid and sender address.  On
	repeated request by Scott Cotton, Internet Consultants
	Group, Inc.

	Portability: doze() function for systems without usleep().

	Cleanup: clients are now consistently logged as host[address].

19990122

	Maildir support changed: specify "home_mailbox = Maildir/".
	The magic is the trailing /. Suggested by Daniel Eisenbud,
	University of California at Berkeley.

	Maildir support from aliases, :include: and .forward files.
	Specify /file/name/ - the trailing / is required. Suggested
	by Daniel Eisenbud, University of California at Berkeley.

	Workaround: watchdog timer to prevent the queue manager
	from locking up on some systems.

	Bugfix: in Received: headers, the "for <recipient>"
	information was in the wrong place. Pointed out by Jon
	Ribbens, Oaktree Internet Solutions Ltd.

19990124

	Portability: more workarounds for GNU getopt() by Liviu
	Daia, Institute of Mathematics, Romanian Academy. File:
	sendmail/sendmail.c.

19990125

	Bugfix: Postfix should not masquerade recipient addresses
	extracted from message headers. Problem reported by David
	Blacka, Network Solutions. File: cleanup/cleanup_message.c.

19990126

	Feature: smtpd_etrn_restrictions parameter to restrict who
	may use ETRN and what domains may be specified.  Example:
	"smtpd_etrn_restrictions = permit_mynetworks, reject".
	Requested by Jon Ribbens, Oaktree Internet Solutions Ltd.
	File: smtpd/smtpd_check.c.

19990127

	Bugfix: in an attempt to shave some cycles, the anti junk
	mail routines would use the wrong resolved address. This
	"optimization" is now turned off. Problem reported by Sam
	Eaton, Pavilion Internet Plc. File: smtpd/smtpd_check.c.

	Feature: BIFF notifications.  For compatibility reasons
	this feature is on by default.  This "protocol" can be a
	real performance pig.  Specify "biff = no" in main.cf if
	your machine has lots of shell users. Feature requested by
	Dan Farmer - it's one of the things one does for friends.
	Files:  local/mailbox.c, local/biff_notify.c.

	Bugfix: another case sensitivity problem, this time with
	virtual lookups to recognize unknown@virtual.domain.
	Problem reported by Bo Kleve, Linkoping University. File:
	qmgr/qmgr_message.c.

19990128

	Feature: with "soft_bounce = yes", defer delivery instead
	of bouncing mail. This is a safety net for configuration
	errors with delivery agents. It has no effect on errors in
	virtual maps, canonical maps, or in junk mail restrictions.
	Feature requested by Bennett Todd. File: global/bounce.c.

19990129

	Compatibility: the qmail maildir.5 documentation prescribes
	maildir file names of the form time.pid.hostname, which is
	wrong because Postfix processes perform multiple deliveries.
	Elsewhere the qmail author has documented how maildir files
	should be named under such conditions. Postfix has been
	changed to be conformant. File: local/maildir.c.

19990131

	Feature: special treatment of owner-foo and foo-request
	can be turned off. Specify "owner_request_special = no".
	Requested by Matthew Green and others. Files: local/alias.c,
	global/split_addr.c. This affects canonical, virtual and
	alias lookups.

19990204

	Portability: signal handling for HP-UX 9 by Lamont Jones
	of Hewlett Packard. File: master/master_sig.c.

	Robustness: disable random walk inside a per-site queue to
	avoid message starvation under heavy load. File: qmgr_entry.c.

	Robustness: under some conditions the queue manager could
	declare a host dead after just one delivery failure.  File:
	qmgr_queue.c.

19990212

	Feature: skip SMTP servers that greet us with a 4XX status
	code. Example: "smtp_skip_4xx_greeting = yes". By default,
	the Postfix SMTP client defers delivery when a server
	declines talking to us. File:  smtp/smtp_connect.c.

	Robustness: upon startup the queue manager now moves active
	queue files to the incoming queue instead of the deferred
	queue, to avoid anomalous delivery delays on systems that
	have a huge incoming queue.  Files: qmgr/qmgr.c,
	qmgr/qmgr_active.c, global/mail_flush.c, conf/postfix-script*

19990213

	Robustness: added watchdog timers to avoid getting stuck
	on systems with broken select() socket implementations.
	File: qmgr_transport.c, qmgr_deliver.c.

19990218

	Feature: NFS-friendly delivery to mailbox by avoiding the
	use of root privileges as much as possible. With input by
	Mike Muus, Army Research Lab, USA.

	Feature: the smtp-sink test server now supports SMTP command
	pipelining. To this end we had to generalize the timer and
	vstream support. Poor performance is fixed 19990222.

	Cleanup: timer event routines now have the same interface
	as read/write event routines (event type + context). File:
	util/events.c.

	Feature: new vstream_peek() routine to tell how much unread
	data is left in a VSTREAM buffer. This is the vstream
	variant of the peekfd() routine for kernel read buffers.
	File: util/vstream.c.

	Feature: directory scanning support for hashed mail queue
	directories. So far the results are disappointing: with
	depth = 2 (16 directories with 16 subdirectories), mailq
	takes 5 seconds with an empty queue unless all directories
	happen to be cached in memory.  We need a bit map before
	hashed queue directories become practical. Depth=1 hashing
	doesn't slow down mailq much, but doesn't help much either.
	Files: util/scan_dir.c, global/mail_scan_dir.c.

19990221

	Workaround: with "ignore_mx_lookup_error = yes", the SMTP
	client always performs an A lookup when an MX lookup could
	not be completed, rather than treating MX lookup failure
	as a temporary error condition.  Unfortunately there are
	many broken DNS servers on the Internet. File: smtp/smtp_addr.c.

19990222

	Performance: rewrote the guts of the smtp-sink test server
	so it can do pipelining without losing performance.

19990223

	Workaround: hotmail.com sometimes drops the connection
	after "." (causing misleading diagnostics to be logged) or
	waits minutes after receiving QUIT. Solution: do not wait
	for the response to QUIT. File: smtp/smtp_proto.c.  This
	is turned off with: "smtp_skip_quit_response = no".

19990224

	Feature: the pipe mailer accepts user=username:groupname,
	based on code submitted by Philip A. Prindeville, Mirapoint,
	Inc., USA.  File: pipe/pipe.c.

	Workaround: use file locking to prevent multiple processes
	from select()ing on the same socket. This causes performance
	problems on large BSD systems. Files: master/*_server.c.

19990225

	Bugfix: with "inet_interfaces = 127.0.0.1", don't bind to
	the loopback interface. Problem reported by Steve Bellovin
	of AT&T. File: smtp/smtp_addr.c.

	Feature: "postsuper" command to remove stale queue files
	to update queues after changes to the queue structure
	parameters (hash_queue_names, hash_queue_depth). This
	command is to be run from the postfix-script maintenance
	shell script.

19990301

	Feature: new postconf -h (suppress `name = ' in output)
	option to make the program easier to use in, e.g., shell
	scripts.

	Feature: dict_unix module so you can add the UNIX passwd
	table to the SMTPD access control list.

19990302

	Feature: "luser_relay = destination" captures mail for
	non-existent local recipients. This works only when the
	local delivery agent does mailbox delivery (including
	delivery via mailbox_command), not when mailbox delivery
	is delegated to another message transport.

	Feature: new reject_non_fqdn_{hostname,sender,recipient}
	restrictions to require fully.qualified.domain forms in
	HELO, MAIL FROM and RCPT TO commands (while still allowing
	the <> sender address).

19990304

	Bugfix: backed out the 19990119 change to always insert
	Return-Path:  if that header is not present. The pipe and
	local agents now are responsible for prepending Return-Path:.
	Files:  cleanup/cleanup_message.c, global/mail_copy.[hc],
	pipe/pipe.c, global/header_opts.c.  This causes an incompatible
	change to the pipe flags parameter, because Return-Path:
	now must be requested explicitly.

19990305

	Bugfix: showq (the mailq server) incorrectly assumed that
	all recipients of a deferred message are listed in the
	corresponding defer logfile. It now lists all recipients.
	Files: showq/showq.c, cleanup/cleanup_envelope.c (ensure
	that sender records always precede recipient records).

	Cleanup: smtpd HELO restrictions validate [numerical] forms.
	Files: util/valid_hostname.c, smtpd/smtpd_check.c.  Initial
	code by Philip A. Prindeville, Mirapoint, Inc., USA.

19990306

	Cleanup: re-vamped the valid_hostname module, and added a
	maximal label length (63) requirement.

	Feature: fallback_relay parameter to specify extra backup
	hosts in case the regular relay hosts are not found or not
	available.  Files:  smtp/smtp_addr.c.

	Feature: "always_bcc = address" specifies where to send a
	copy of each message that enters he system. However, if
	that copy bounces, the sender will be informed of the
	bounce. Files: smtpd/smtpd.c, pickup/pickup.c

	Compatibility: the transport map will now route on top-level
	domains, so you can dump all of .bitnet to a bitnet relay.

19990307

	Feature: LDAP lookups, updated by Jon Hensley, Merit Network,
	USA.

	Feature: regular expression (PCRE) support by Andrew
	McNamara, connect.com.au Pty. Ltd., Australia. In order to
	use this code specify pcre:/file/name. You can use this
	anywhere you would use a DB or DBM file, NIS or LDAP.  See:
	PCRE_README for how to enable this code.

	Feature: "delay_warning_time = 4" causes Postfix to send
	a "your mail is delayed" notice after approx. 4 hours.
	Daniel Eisenbud, University of California at Berkeley.
	Files:  qmgr/qmgr_active.c, qmgr/qmgr_message. Postmaster
	notices for delayed mail are disabled by default. In order
	to receive postmaster notices, specify "notify_classes =
	...  delay ...".

	Cleanup: do not send undeliverable bounced mail to postmaster.
	This was causing lots of pain with junk mail from bogus
	sender addresses to non-existent recipients.  This change
	was reversed 19990311.

19990308

	Bugfix: the dotforward routine was too eager with throwing
	away extension information, so that the Delivered-To: info
	would differ for \mailbox and |command. Problem reported
	by Rafi Sadowski, Open University, Israel.

	Bugfix: seems I never got around to fix the btree access
	method. I finally did. Problem reported by: Matt Smith,
	AvTel Communications Inc., USA.

19990311

	Back by popular demand: with "notify_classes = 2bounce ..."
	Postfix will send undeliverable bounced mail to postmaster.
	The default is to not send double bounces.  This change
	reverses a change made on 19990307.

19990312

	Feature: configurable exit handler for server skeletons.
	Philip A.  Prindeville, Mirapoint, Inc., USA. Files:
	master/*server.c.

	Feature: mail_spool_directory configuration parameter to
	specify the UNIX mail spool directory.  The default setting
	is system dependent.

19990313

	Cleanup: share file descriptors for resolve and rewrite
	client connections. This puts less strain on the trivial-rewrite
	service.

	Portability: support for UnixWare 2.1 by Dmitry E. Kiselyov,
	Nizhny Novgorod City Health Emergency Station.

	Feature: configurable delays in the smtpstone test programs.
	With input by Philip A.  Prindeville, Mirapoint, Inc., USA.
	Files:  smtpstone/*.c.

	Bugfix: a "signal 11" problem in the trivial-rewrite program
	that would occasionally happen after "postfix reload".
	Reason: some rewrite clients would clobber their input,
	and when they had to retransmit the query, the input would
	be a zero-length string, which trivial-rewrite isn't supposed
	to receive.

19990314

	Feature: "mailbox_transport = cyrus" delegates all local
	mailbox delivery to a master.cf entry called "cyrus" (the
	same trick for procmail), including users not found in the
	UNIX passwd database.  This gives the flexibility of $name
	expansions by the pipe mailer, without losing local aliases
	and ~/.forward processing.  Result of discussions with Rupa
	Schomaker, RS Consulting.

19990315

	Feature: the mydestination parameter can now be an empty
	string, for hosts that don't receive any mail locally. Be
	sure to specify a default route for mail that comes to the
	machine or mail will loop.

19990316

	Bugfix: the SMTPD check scaffolding didn't apply the same
	sanity checks as the production code. Problem reported by
	Alain Thivillon, Herve Schauer Consultants, France. File:
	smtpd/smtpd_check.c.

	Portability: some systems can have more than 59 seconds in
	a minute. Based on a fix by Liviu Daia, Institute of
	Mathematics, Romanian Academy.  File:  global/mail_date.c.

	Enhancement: include the client network address in the
	rejected by RBL response. Lamont Jones, Hewlett-Packard.

	Workaround: use fstat() to figure out if the maildrop is
	world-writable. access() uses the real uid, which stinks.

	Robustness: don't do partial address lookups (user@, domain,
	user, @domain) with regexp-style tables.

	Security: don't allow regexp-style tables to be used for
	aliases. It would be too easy to slip in "|command" or
	:include: or /file/name.

19990317

	Feature: "fallback_transport = cyrus" delegates non-UNIX
	recipients to a master.cf entry called "cyrus", allowing
	you to have both UNIX and non-UNIX mailboxes side by side.

19990319

	Workaround: on 4.4 BSD derivatives, fstat() can return
	EBADF on an open file descriptor. Now, that was a surprise.
	This caused std{out,err} from cron commands to not be
	delivered.

	Bugfix: "local -v" stopped working.

	Workaround: more watchdog timers for postfix-unfriendly
	systems. By now every Postfix daemon has one. Call it life
	insurance.

	Robustness: increased the maximal time to receive or deliver
	mail from $ipc_timeout (default: 3600 seconds) to the more
	generous $daemon_timeout (default: 18000 seconds). We don't
	want false alarms.

	Portability: IRIX 5.2 does not have usleep().

19990320

	Bugfix: \username was broken. Frank Dziuba was the first
	to notice.

19990321

	Workaround: from now on, Postfix on Solaris uses stream
	pipes instead of UNIX-domain sockets. Despite workarounds,
	the latter were causing more trouble than anything else on
	all systems combined.

19990322

	Portability: the makedefs would mis-identify IRIX 6.5.x as
	IRIX 5.x. Fix by Brian Truelsen of Maersk Mc-Kinney Moller
	Institute for Production Technology, Denmark.

	Feature: reject_unknown_recipient_domain restriction for
	recipient addresses. For the sake of symmetry, we now also
	have reject_unknown_sender_domain. This means the old
	reject_unknown_address restriction is being phased out.
	Suggested by Rask Ingemann Lambertsen, Denmark Technical
	University.

	Feature: unknown sender/recipient domain restrictions now
	distinguish between soft errors (always: 450) and hard
	errors (configurable with the unknown_address_reject_code
	parameter, default: 450; use 550 at your own risk).

	Feature: no HELO junk mail restrictions means that no syntax
	check will be done on HELO/EHLO hostname arguments.

	Bugfix: the initial Solaris workaround for UNIX-domain
	sockets could cause the queue manager to block if Postfix
	ran into a delivery agent process limit. After another code
	rewrite that problem is eliminated.  Thanks to Chris
	Cappuccio, Empire Net, for assistance with testing.

19990323

	Bugfix: too much forwarding when users list their own name
	in their .forward file (e.g. mail to user@localhost would
	go through .forward, would be forwarded to user@$myorigin,
	and would go through .forward again). Problem reported by
	Roman Dolejsi, Prague University of Economics.

19990324

	Bugfix: missing map name in check_xxx_access restrictions
	could cause a segmentation error. Lamont Jones, Hewlett-
	Packard.

	Feature: forward_path configuration parameter (default:
	$home/.forward$recipient_delimiter$extension,$home/.forward).
	Based on initial code by Philip A.  Prindeville, Mirapoint,
	Inc., USA.  Files:  local/dotforward.c.

19990325

	Workaround: Solaris NIS alias maps need special entries
	(YP_MASTER_NAME, YP_LAST_MODIFIED). What's worse, normal
	keys/values include a null byte at the end, but the YP_XXX
	ones don't. Problem reported by Walcir Fontanini, state
	university of Campinas, Brazil.  File: postalias/postalias.c.

	Compatibility: Solaris NIS apparently does include a null
	byte at the end of keys and values. File: util/sys_defs.h.

	Feature: library support for config parameters that are
	not $name expanded at program start-up. This was needed
	for forward_path, and will also be needed to make message
	headers customizable.

	Bugfix: pcre didn't handle \\ right. Lamont Jones, Hewlett-
	Packard. File: util/dict_pcre.c.

19990326

	Compatibility: Postfix now puts two spaces after the sender
	in a "From sender date..." header. Found by John A. Martin,
	fixed by Lamont Jones, Hewlett-Packard.

	Bugfix: when a recipient appeared multiple times in a local
	alias or include expansion, the delivery status could be
	left uninitialized, causing the mail to be deferred and
	delivered again. File: local/recipient.c.

19990327

	Cleanup: the dictionary routines now take an extra flag
	argument to control such things as warning about duplicates,
	and appending null bytes to key/value. The latter was needed
	for a clean implementation of NIS master alias maps support.

	Feature: POSIX regular expressions by Lamont Jones. See
	config/sample-regexp.c. Right now, enabled on *BSD and
	LINUX only.

19990328

	Code cleanup: dictionaries now have flags that say whether
	lookup keys are fixed strings or whether keys are subjected
	to pattern matching. This is needed to avoid passing partial
	addresses to regexp-based lookup tables (user, @domain,
	user@, domain). Files: util/dict*.c.

	Bugfix: fixed memory leaks and core dumps in the regexp
	and pcre routines (neither handled an empty pattern file).

19990329

	Code cleanup: the dictionary I/O routines now do their own
	locking depending on dictionary flag settings. This means
	that the low-level dict_get() interface can now be used
	for safe dictionary lookups. This is needed for 19990328's
	partial lookup key support. Files: util/dict*.c. global/maps.c.

	Feature: regular expression matches are no longer limited
	to user@domain address forms in access/canonical/virtual
	maps, but can also be used for domains in transport maps.
	This needed the partial lookup key support to avoid passing
	partial addresses to regexp-based lookup tables (user,
	@domain, user@, domain). Files: global/maps.c
	global/mail_addr_find.c.

	Feature: new dictionary types can be registered with
	dict_open_register(). File: util/dict_open.c.

19990330

	Bug fix: match_list membership dictionary lookups were case
	sensitive when they should not. Patch by Lutz Jaenicke,
	BTU Cottbus, Germany.

19990402

	Feature: $domain macro support in forward_path.  Philip A.
	Prindeville, Mirapoint, Inc., USA.  File:  local/dotforward.c.

	Feature: if an address extension (+foo) is explicitly
	matched by the .forward+foo file name, do not propagate
	the extension to recipient addresses. This is more consistent
	with the way aliases are expanded. File:  local/dotforward.c.

19990404

	Bugfix: after receiving mail, the SMTP server didn't reset
	the cleanup error flag, so that multiple deliveries over
	the same SMTP session could fail due to errors with previous
	deliveries. Found by Lamont Jones, Hewlett-Packard.

19990405

	Feature: MIME-encapsulated bounces. Philip A.  Prindeville,
	Mirapoint, Inc., USA.  File:  bounce/bounce_notify_service.c

	Cleanup: vstreams now properly look at the EOF flag before
	attempting to read, eliminating the need for typing Ctrl-D
	twice to test programs; the EOF flag is reset after each
	unget or seek operation.  Files: util/vstream.c, util/vbuf.c.

	Feature: in preparation for configurable message headers
	the mac_parse() routine now balances the parentheses in
	${name} or $(name). We need this in order to support
	conditional expressions such as ${name?text} where `text'
	contains other ${name} expressions.

19990406

	Cleanup: changed MIME header information to make bounces
	more RFC 1892 compliant.

19990407

	Feature: "best_mx_transport = local" delivers mail locally
	if the local machine is the best mail exchanger (by default,
	mail is bounced with a "mail loops back to myself" error).

	Config: in order to make feature tracking easier the source
	code distribution now has a copy of the default settings
	in conf/main.cf.default.

	Feature: separate configurable postmaster addresses for
	single bounces (bounce_notice_recipient), double bounces
	(2bounce_notice_recipient), delayed mail (delay_notice_recipient),
	and for other mailer errors (error_notice_recipient).  The
	default for all is "postmaster".

19990408

	Workaround: on Solaris 2.x, the master appears to lose its
	exclusive lock on the master.pid file, so keep grabbing
	the lock each time the master wakes up from select().

	Robustness: don't flush VSTREAM buffers after I/O error.
	This prevents surprises when calling vstream_fclose() after
	truncating a mailbox to its original size.

	Portability: on LINUX systems, if <db_185.h> exists, don't
	look for <db/db.h>.

	Workaround: specify "sun_mailtool_compatibility = yes" to
	avoid clashes with the mailtool application. This disables
	kernel locks on mailbox files. Use only where needed.

	Portability: renamed readline to readlline, to avoid clashes
	with mysql.

19990409

	Bugfix: ignore temp queue files that aren't old enough.
	Problem reported by Vivek Khera, Khera Communications, Inc.

	Bugfix: fixed typo in dict_db.c that caused processes to
	not release DB shared locks.

	Feature: auto-detection of changes to DB or DBM lookup
	tables.  This avoids the need to run "postfix reload" after
	change to the smtp access table and other tables.

	Feature: regular expression checks for message headers.
	This requires support for POSIX or for PCRE regular
	expressions.  Specify "header_checks = regexp:/file/name"
	or "header_checks = pcre:/file/name", and specify
	"/^header-name:  badstuff/ REJECT" in the pattern file
	(patterns are case-insensitive by default).  Code by Lamont
	Jones, Hewlett-Packard.  It is to be expected that full
	content filtering will be delegated to an external command.

19990410

	Bugfix: auto-detection of changes to DB or DBM lookup tables
	wasn't done for TCP connections.

19990410

	Feature: $recipient expansion in forward_path.  Philip A.
	Prindeville, Mirapoint, Inc., USA.  File: local/dotforward.c

	Feature: the smtp client consistently treats a numerical
	hostname as an address. File: smtp/smtp_addr.c.

19990414

	Compatibility: support comment lines starting with # in
	$mydestination include files. This makes Postfix more
	compatible with sendmail.cw files. File: util/match_list.c.

	Feature: if your machines have short host names, specify
	"mydomain = domain.name", and you no longer have to specify
	"myhostname = host.domain.name". Files:  global/mail_params.c,
	postconf/postconf.c.

19990420

	Cleanup: bounce mail when a mailbox goes over file quota,
	instead of deferring delivery.  File:  local/mailbox.c.

19990421

	Feature: auto-detection of changes to DB or DBM lookup
	tables now includes the case where a file is unlinked.
	Philip A.  Prindeville, Mirapoint, Inc., USA.  File:
	util/dict.c.

19990422

	Robustness: Lotus mail sends MAIL FROM: <@> instead of <>.
	Problem reported by Erik Toubro Nielsen, IFAD, Denmark.
	Files:  trivial-rewrite/rewrite.c (@ becomes empty address)
	and global/rewrite_clnt.c (allow empty response).

	Bugfix: showq could segfault when writing to a broken pipe.
	Problem reported by Bryan Fullerton, Canadian Broadcasting
	Corporation. Files: util/vbuf_print.c.

	Cleanup: got rid of the "fatal: write error: Broken pipe"
	message when mailq output is piped into a program that
	terminates early.

	Cleanup: bounce messages are multipart/mixed with the error
	report as part of the first message segment, because users
	had trouble extracting the delivery error report from the
	attachment.

19990423

	Cleanup: the default junk mail reject code is now 554
	(service unavailable) rather than 550 (user unknown).

	Folded in the updated dict_ldap.c module by John Hensley,
	Merit Network, USA.

	Folded in the vstream_popen.c updates by Philip A.
	Prindeville, Mirapoint, Inc., USA.  This copies a lot of
	code from pipe_command(); the next step is to trim that
	module.

19990425

	Workaround: renamed config.h to mail_conf.h etc. in order
	to avoid name collisions with LINUX (yes, they have a system
	include file called config.h). For compatibility with people
	who have written software for Postfix, there's a config.h
	that aliases the old names to the new ones. That file will
	go away eventually.

19990426

	Feature: error mailer, in order to easily bounce mail for
	specific destinations. In the transport table, specify:
	"host.domain    error:host.domain is unavailable". Too bad
	that the transport table triggers on destination domain
	only; it would be nice to bounce specific users as well.

19990427

	Cleanup: "disable_dns_lookups = yes" now should disable
	all DNS lookups by the SMTP client.

19990428

	Bugfix: with DBM files, Postfix was watching the "dir" file
	modification time for changes. It should be watching the
	"pag" file instead.

19990429

	Cleanup: all callbacks in the master to server API now pass
	on the service name and the application-specific argument
	vector. Files: master/*server.c.

19990504

	Feature: conditional macro expansion. ${name?text} expands
	to text when name is defined, otherwise the result is empty.
	${name:text} expands to text when name is undefined,
	otherwise the result is empty. File: util/mac_expand.c.

	Feature: conditional macro expansion of the forward_path
	configuration parameters of $user, $home, $shell, $recipient,
	$extension, $domain, $mailbox and $recipient_delimiter.
	Files:  local/dotforward.c, local/local_expand.c.

19990506

	Cleanup: eliminated misleading warnings about unknown HELO
	etc. SMTPD restrictions when the HELO etc. information is
	not available. File: smtpd/smtpd_check.c.

19990507

	Feature: all smtpd reject messages now contain the MAIL
	FROM and RCPT TO addresses, if available.

19990508

	Feature: conditional macro expansion of the luser_relay
	configuration parameter. It is no longer possible to specify
	/file/name or "|command" destinations. File: local/unknown.c.

	Cleanup: changed the mac_parse interface so that the
	application callback routine can return status information.
	Updated the dict_regexp and dict_pcre modules accordingly.

	Cleanup: changed the mac_expand interface so that the caller
	provides an attribute lookup routine, instead of having to
	provide a copy of all attributes upfront. Files:
	util/mac_expand.c, local/local_expand.c.

	Feature: control over how address extensions are propagated
	to other addresses. By default, propagation of unmatched
	address extensions is now restricted to canonical and
	virtual mappings. Specify "propagate_unmatched_extensions
	= canonical, virtual, alias, forward, include" to restore
	previous behavior.

19990509

	Feature: USER, EXTENSION, DOMAIN, RECIPIENT (entire address)
	and MAILBOX (address localpart) environment variables are
	exported to shell commands (including mailbox_command).

	Feature: new command_expansion_filter parameter to control
	what characters may appear in message attributes that are
	exported via environment variables.

	Cleanup: SMTPD reject messages are more informative, and
	more complete sender/recipient information is logged for
	the local sysadmin.

19990510

	Bugfix: missing MIME header in postmaster bounce notices.
	Found by Samuel Tardieu, Ecole Nationale Superieure des
	Telecommunications, France.

	Feature: UCE restrictions are always delayed until RCPT
	TO, VRFY or ETRN. To change back to the default specify
	"smtpd_delay_reject = no" in /etc/postfix/main.cf.

	Bugfix: missing duplicate filter call. This caused too many
	deliveries when a user is listed multiple times in an alias.
	Reported by Hideyuki Suzuki, School of Engineering, University
	of Tokyo. Backed out on 19990512 because it caused problems.
	Fixed 19990513 but needs further study.

	Feature: it is now possible to move queue files back into
	the maildrop queue, so that they can benefit from changes
	in canonical and virtual mappings. In order to make this
	possible, some restrictions on queue file contents were
	relaxed. Files: pickup/pickup.c, cleanup/cleanup_extracted.c.

	Feature: made a start with integrating Joerg Henne's
	dictionary extensions to remove entries and to iterate over
	entries. That code is almost four months old by now.

19990511

	Feature: added a "undeliverable postmaster notification
	discarded" warning when mail is dropped on the floor.
	Requested by Michael Hasenstein, SuSE, Germany.

19990517

	Bugfix: reject_non_fqdn_sender/recipient would pass
	user@[ip_address] regardless of destination. Eric Cholet
	had the honor of suffering from this one.

19990527

	More SMTP client logging for easier debugging: the smtp
	client now logs hostname[ip.addr], and logs every failed
	attempt to reach an MX host, not just the last one.

19990601

	Bugfix: emit a blank line before a MIME boundary; the line
	is part of the boundary. File: bounce/bounce_notify_service.c.
	Wolfgang Segmuller, IBM Research.

19990610

	Bugfix: the "is this the loopback interface" test was
	broken.  Reported by Claus Fischer @microworld.com.  File:
	smtp/smtp_connect.c.

	Usability: added helpful warnings about restrictions that
	are being ignored after check_relay_domains, etc.

	Portability: Reliant Unix support by Gert-Jan Looy, Siemens,
	the Netherlands.

19990611

	Robustness: the postfix-script start-up procedure now
	detects a missing master program, avoiding misleading
	warnings that the mail system is already running.  Fix
	suggested by David E. Smith @technopagan.org.

	Portability: Mac OS X Server Port by Mark Miller @swoon.net.

	Feature: on systems that use dotlock files for mailbox
	locking, the local delivery agent now will attempt to use
	dotlock files when delivering to user-specified files.
	Dotlock files for user-specified destinations are created
	with the privileges of the user. For backwards compatibility,
	Postfix will attempt to create dotlocks for user-specified
	destinations only when the user has parent directory write
	permission.

	Feature: specify "expand_owner_alias = yes" in order to
	use the right-hand side of an owner- alias, instead of
	using the left-hand side address. Needed by Juergen Georgi.

19990622

	Bugfix: the local delivery agent did not set user attributes
	when delivering to root, so that forward_path did not expand
	properly. Found by Jozsef Kadlecsik, KFKI Research Institute
	for Particle and Nuclear Physics, Hungary.  File:
	local/dotforward.c.

	Bugfix: the unix:passwd.byname mechanism is not suitable
	for smtpd access control - the user name would have to end
	in @, or the access control software would have to be
	changed. Removed the example from the RELEASE_NOTES file.

19990623

	Bugfix: the smtp server did not reset the error flag after
	".". Found by James Ponder, Oaktree Internet Solutions Ltd.
	File: smtpd/smtpd.c.

	Bugfix: fencepost error in the doze() routine (an usleep()
	replacement for systems without one). Found by Simon J
	Mudd.  File: util/doze.c.

19990624

	Portability: support for AIX 3.2.5 (!) by Florian Lohoff
	@rfc822.org.

	Portability: Ultrix 4.3 support by Christian von Roques
	@pond.sub.org.

	Feature: mysql support by Scott Cotton and Joshua Marcus,
	Internet Consultants Group, Inc. Files: util/dict_myqsl.*.

19990627

	Bugfix: Postfix is now distributed under the new IBM Public
	License (version 1, dated June 14, 1999).

	Feature: the Delivered-To: header can be turned off for
	delivery to command or file/mailbox. The default setting
	is:  "prepend_delivered_header = command, file, forward".
	Turning off the Delivered-To: header when forwarding mail
	is not recommended.

19990628

	Feature: the postlock command now returns EX_TEMPFAIL when
	the destination file is locked by another process.

19990705

	Workaround: in the SMTP client, move the "mail loops back
	to myself test" from the 220 greeting to the HELO response.
	This change does not weaken the test, and makes Postfix
	more robust against broken software that greets with the
	client hostname.

19990706

	Workaround: in the INSTALL file, use `&&' instead of `;'
	in (cd path; tar ...) pipelines because some UNIX re-invented
	shells don't bail out when cd fails. Matthias Andree
	@stud.uni-dortmund.de.

19990709

	Bugfix: $user was not set when delivering to a non-user.
	Found by Vladimir Ulogov @ rohan.control.att.com when
	configuring a luser_relay that contained $user.

19990714

	Robustness: add PATH statement to Solaris2 chroot setup
	script to avoid running the ucb commands. Problem found by
	Panagiotis Astithas @ ece.ntua.gr.

19990721

	Bugfix: don't claim a "mail loops to myself" error when
	the best MX host was not found in the DNS. Found by Andrew
	McNamara, connect.com.au Pty Ltd. File: smtp/smtp_addr.c.

19990810

	Feature: added "-c config_dir" support to the postconf
	command. This probably means that "-f file" will never be
	implemented.

19990812

	Bugfix: showq didn't print properly when listing a maildrop
	file.  Fix by: Andrew McNamara, connect.com.au Pty Ltd.
	File: showq/showq.c.

	Feature: added SENDER to the list of parameters exported
	to external commands. File: local/command.c. Code by: Lars
	Hecking, National Microelectronics Research Centre, Ireland.

19990813

	Bugfix: sendmail -t (extract recipients from headers) did
	not work when the always_bcc feature was turned on. Reported
	by: Denis Shaposhnikov @ neva.vlink.ru.

19990813
	Bugfix: "sendmail -bd" returns a bogus exit status (the
	child process ID). Fix by Lamont Jones of Hewlett-Packard.
	File:  sendmail/sendmail.c.

19990824

	Bugfix: null pointer dereference while rejecting VRFY before
	MAIL FROM. Found by Laurent Wacrenier @ fr.clara.net.

19990826

	Portability: more MacOS X Server patches; some NEXTSTEP/OPENSTEP
	code that had been removed for the first public beta release;
	NEXTSTEP/OPENSTEP now defaults to netinfo for the aliases
	database.  Submitted by Gerben Wierda.

	Portability: workaround for a FreeBSD 3.x active network
	interface without IP address by Pierre Beyssac @ enst.fr.
	File:  inet_addr_local.c.

19990831

	Workaround: sendmail now prints a warning when installed
	set-uid or when run by a set-uid command. Reportedly, the
	linuxconf software turns on the set-uid bit, which could
	open up a security loophole. File: sendmail/sendmail.c.

	Bugfix: Postfix daemons now temporarily lock DB/DBM files
	while opening them, in order to avoid "invalid argument"
	errors because some other process is changing the file.
	Files: util/dict_db.c, util/dict_dbm.c.

	Robustness: Postfix locks queue files during delivery, to
	prevent duplicate delivery when "postfix reload" is
	immediately followed by "sendmail -q". This involves a
	change of the deliver_request interface:  delivery agents
	no longer need to open and close queue files explicitly.
	Files:  global/deliver_request.c, pipe/pipe.c, smtp/smtp.c,
	local/local.c, qmgr/qmgr_active.c, qmgr/qmgr_message.c.

	Feature: reject_unauth_destination SMTP recipient restriction
	that rejects destinations not in $relay_domains.  By Lamont
	Jones of Hewlett-Packard.  File: smtpd/smtpd_check.c.

	Security: do not allow weird characters in the expansion
	of $names that appear in $forward_path. Just like with
	shell commands, replace bad characters in expansions by
	underscores.  Configuration parameter:  forward_expansion_filter.

19990902

	Documentation: added a sample postfix alias to the examples
	in the INSTALL document and in the conf/aliases file.
	Reminded by Simon J.  Mudd @ alltrading.com.

19990903

	Bugfix: in case of some error conditions the pickup daemon
	could leak small amounts of memory.

19990905

	Bugfix: no more "skipping further client input" warnings
	when a message header is rejected.

	Feature: reject_unauth_pipelining SMTP restriction that
	rejects mail from clients that improperly use SMTP command
	pipelining.

	Robustness: the LDAP client by default no longer looks up
	names containing "*". See the lookup_wildcards feature in
	LDAP_README. Update by John Hensley.

	Documentation: address masquerading with exceptions FAQ by
	Jim Seymour @ jimsun.LinxNet.com.

	Bugfix: mysql reconnect after disconnect by Scott Cotton
	Internet Consultants Group, Inc. File: util/dict_myqsl.c.

	Portability: the Postfix to PCRE interface now expects
	version 2.08.  Postfix is no longer compatible with PCRE
	versions before 2.6.

19990906

	Feature: INSTALL.sh script that makes Postfix installation
	a bit less painful. This script can be used for installing
	and for upgrading Postfix. It replaces files instead of
	overwriting them, and leaves existing configuration and
	queue files intact.

19990907

	Bugfix: reject_non_fqdn_sender used the wrong test to see
	if a sender address was given and could dump core. This
	must have been broken ever since the UCE tests were moved
	to the RCPT TO stage in 19990510.

	Bugfix: check_sender_access was recognized as a valid
	restriction name only if a sender had been specified.

19990908

	Portability: Unixware has <sysexits.h> only after sendmail
	is installed. Changed postlock.c to use global/sys_exits.h.

19990909

	Performance: added one-entry cache to the address rewriting
	client and to the address resolving client. This is because
	UCE restrictions tend to produce the same query repeatedly.
	Files: global/rewrite_clnt.c, global/resolve_clnt.c.

	Feature: the UCE restrictions are now fully recursive so
	you can have per-client/helo/sender/recipient restrictions.
	Instead of OK, REJECT or [45]xx, you can specify a sequence
	of restrictions on the right-hand side of an SMTPD access
	table. This means you can no longer use canonical/virtual/alias
	maps as SMTPD access tables. But the loss is compensated
	for.  File: smtpd/smtpd_access.c.

	Feature: restriction classes, essentially a short-hand for
	restriction lists.  These short hands are useful mostly on
	the right-hand side of SMTPD access tables. You must use
	restriction classes in order to have lookup tables on the
	right-hand side of an SMTPD access table.  File:
	smtpd/smtpd_access.c.

	Feature: "permit_recipient_map maptype:mapname" permits a
	recipient address when it matches the specified table.
	Lookups are done just as with canonical/virtual maps.  With
	this, you can also use passwd/aliases as SMTPD access maps.
	File: smtpd/smtpd_access.c.

19990910

	Changed "permit_address_map" into "permit_recipient_map"
	and added a test for the case that they specify a lookup
	table on the right-hand side of an SMTPD access map.  File:
	smtpd/smtpd_access.c.

	Cleanup: removed spurious sender address checks for <>.
	File: smtpd/smtpd_check.c.

	Cleanup: the smtp client now consistently logs host[address]
	for all connection attempts.

19990919

	Feature: in an SMTPD access map, an all-numeric right-hand
	side now means OK, for better cooperation with out-of-band
	authentication mechanisms.

19990922

	Security: recipient addresses must not start with '-', in
	order to protect external commands. The old behavior is
	re-instated when main.cf specifies:  "allow_min_user =
	yes".  Credits to Mads Kiilerich @ Kiilerich.com.  File:
	qmgr/qmgr_message.c.

	Bugfix: after 19990831, the queue manager would throw away
	defer logs after deferring mail to known-to-be-dead hosts
	or message transports. This means that in some cases, mailq
	would not show why mail is delayed, and that delayed mail
	could be sent back with recipients missing from the error
	report. Reported by Giulio Orsero @ tiscalinet.it.

19990923

	Bugfix: the above bugfix broke bounces of mail with bad
	address syntax and relocated users. Problem diagnosed by
	Dick Porter @ acm.org.

	Documentation: added DO NOT EDIT THIS FILE. EDIT MAIN.CF
	INSTEAD notices to the sample-xxx.cf files.

19991007

	Compatibility: ignore the sendmail -U (initial user
	submission) option. Thomas Quinot @ cuivre.fr.eu.org.

19991103

	Code cleanup: don't send postmaster notifications when an
	SMTP client sends a DATA command while no recipients were
	accepted.  This can happen when a pipelined client runs
	into an UCE block. File:  smtpd/smtpd.c.

19991104

	Robustness: do not apply UCE header checks to mail that is
	generated by Postfix (bounces, forwarded mail etc.).  Files:
	smtpd/smtpd.c, pickup/pickup.c, cleanup/cleanup_message.c.

	Robustness: new generic watchdog module that can deal with
	clocks that jump occasionally. Files: util/watchdog.c,
	master/master.c, master/{single,multi,trigger}_server.c.
	This hopefully ends the false watchdog alarms that happen
	when clocks are set or when laptops are resumed.

	Code cleanup: BSMTP requires dot quoting as per RFC 821.
	Based on code by Florian Lohoff @ rfc822.org. Files:
	global/mail_copy.[hc], pipe/pipe.c.

19991105

	Bugfix: the crufty code in inet_addr_local() did not find
	IP aliases. File: util/inet_addr_local.c.

	Portability: the INSTALL.sh utility did not find users or
	groups in NIS or Netinfo tables. The script no longer
	searches the /etc/passwd and /etc/group files.  Instead it
	now queries the unix:passwd.byname and unix:group.byname
	maps.  For this, a -q (query) option was added to postmap
	(and to postalias, for symmetry).  Files: util/dict_unix.c,
	postalias/postalias.c, postmap/postmap.c, INSTALL.sh.

	Bugfix: LDAP lookup timeout settings were ignored. Patch
	by John Hensley. File: util/dict_ldap.c.

19991108

	Bugfix: when doing a fresh install, INSTALL.sh didn't set
	main.cf:mail_owner properly (Simon J. Mudd).

19991109

	Bugfix: when doing a fresh install, INSTALL.sh no longer
	worked (missing main.cf file).  Fix: add "-c" argument to
	the postmap commands (Lars Hecking @ nmrc.ucc.ie).

	Documentation: removed spurious "do not edit" comments from
	the sample pcre and regexp configuration files.

19991110-13

	Code cleanup: greatly simplified the SMTPD command parser
	and somewhat simplified the code that groks RFC 822-style
	address syntax in MAIL FROM and RCPT TO commands.

	New parameter: strict_rfc821_envelopes (default: no) to
	reject RFC 822 address forms (with comments etc.) in SMTP
	envelopes. By default, the Postfix SMTP server only logs
	a warning.

19991113

	Oops, also updated the SMTP VRFY code in the light of
	changes to the SMTPD command parser.

	Cleanup: the local delivery agent now explicitly rejects
	recipients with an empty username.

19991114

	Workaround: with some gawk versions, postconf/extract.awk
	reportedly returns a non-zero exit status upon success.
	Added an explicit exit(0) statement.

19991115

	Feature: DNS TXT record lookup support, based on initial
	code by Simon J Mudd.  File: dns/dns_lookup.c.

	Feature: RBL TXT record lookups, based on initial code by
	Simon J Mudd.  File: smtpd/smtpd_check.c.

	Feature: permit_auth_destination restriction based on code
	by Jesper Skriver @ skriver.dk.

	Code cleanup: the transport table now can override all
	deliveries, including local ones.

19991116

	Code cleanup: a new "local_transports" configuration
	parameter explicitly lists all transports that deliver mail
	locally. The first name listed there is the default local
	transport.  This is the end of the "empty next-hop hostname"
	hack to indicate that a destination is local.  Files:
	trivial-rewrite/resolve.c, global/local_transport.[hc]

	Feature: "postconf -m" shows what lookup table types are
	available.  Code by Scott Cotton, Internet Consultants
	Group, Inc.

	Feature: "postconf -e" edits any number of main.cf parameters.
	The edit is done on a copy, and the copy is renamed into
	the place of the original. File: postconf/postconf.c,
	util/readlline.[hc].

19991117

	Portability: SunOS 4 has no SA_RESTART. File: util/watchdog.c.

	Feature: on systems with h_errno, the "reject_unknown_client"
	restriction now distinguishes between soft errors (always
	reply with 450) and hard errors (use the user-specified
	reply code).  This should lessen the load by broken mailers
	that re-connect once a minute.

	Feature: forward/reverse name/address check for SMTP client
	hostnames. This fends off some hypothetical attacks by
	spammers who are in control of their own reverse mapping.

	Robustness: postconf no longer aborts when it can't figure
	out the local domain name; it prints a warning instead.
	This allows you to use "postconf -e" to fix the problem.

19991118

	Bugfix: the RFC822 address parser would misparse a leading
	\ as an atom all by itself. Problem reported by Keith
	Stevenson @ louisville.edu. File: global/tok822_parse.c.

19991119

	Bugfix: tiny memory leak in pipe_command() when fork()
	fails.  File: global/pipe_command.c.

19991120

	Bugfix: reversed test for all-numerical results in SMTPD
	access maps. File: smtpd/smtpd_check.c.

19991121

	Robustness: INSTALL.sh no longer uses postmap for sanity
	checks.

	Feature: INSTALL.sh now has an install_root option.

	Bugfix: INSTALL.sh now installs manual pages with proper
	permissions and ownership.

	Bugfix: the LDAP client did not properly escape special
	characters in lookup keys (patch by John Hensley).  File:
	util/dict_ldap.c.

19991122

	Bugfix: missing absolute path in INSTALL.sh broke fresh
	install.

19991124

	Bugfix: the local delivery agent's recipient duplicate
	filter did not work when configured to use unlimited memory
	(which is not a recommended setting). Patrik Rak @raxoft.cz.

19991125

	Bugfix: postconf didn't have an umask(022) call at the
	beginning (problem experienced by Matthias Andree).

19991126

	Bugfix: DNS TXT records now have string lengths before text
	(Mark Martinec @ nsc.ijs.si).

19991127

	Update: the LDAP client code now supports escapes as per
	RFC2254 (John Hensley).

19991207

	Performance: one message with many recipients no longer
	stops other mail from being delivered. The queue manager
	now frees in-memory recipients as soon as a message is
	delivered to one destination, rather than waiting until
	all in-memory destinations of that message have been tried.
	Patch by Patrik Rak @ raxoft.cz.  Files: qmgr/qmgr_entry.c,
	qmgr/qmgr_message.c.

	Performance: when delivering mail to a huge list of
	recipients, the queue manager now reads more recipients
	from the queue file before delivery concurrency drops too
	low.  Files:  qmgr/qmgr_entry.c, qmgr/qmgr_message.c.

19991208

	Updated LDAP client code by John Hensley with escape
	sequences as per RFC 2254. File: util/dict_ldap.c.

	Updated MYSQL client code by Scott Cotton. File: dict_mysql.c.

	Feature: added -N/-n options to include/exclude terminating
	nulls in keys and values in postmap/postalias DB or DBM
	files. Normally, Postfix uses whatever is appropriate for
	the host system.  A non-default setting can be necessary
	for inter-operability with third-party software.

	Bugfix: the local delivery agent would deliver to the user
	instead of the .forward file when the .forward file was
	already visited via some non-recursive path. Patch by Patrik
	Rak @ raxoft.cz. Files: global/been_here.c, local/dotforward.c.

	Robustness: attempt to deliver all addresses in the expansion
	of an alias or .forward file, even when some addresses must
	be deferred.  File: local/token.c.

19991211

	Performance: qmgr_fudge_factor controls what percentage of
	delivery resources Postfix will devote to one message.
	With 100%, delivery of one message does not begin before
	delivery of the previous message is completed. This is good
	for list performance, bad for one-to-one mail. With 10%,
	response time for one-to-one mail improves much, but list
	performance suffers. In the worst case, people near the
	start of a mailing list get a burst of postings today,
	while people near the end of the list get that same burst
	of postings a whole day later.  Files: qmgr/qmgr_message.c,
	qmgr/qmgr_entry.c.

	Bugfix: address rewriting would panic on a lone \ at the
	end of a line where an address was expected. Jason Hoos @
	thwack.net. File: global/rewrite_clnt.c.

19991215

	Bugfix: the strict RFC821 envelope address check should
	not be applied to VRFY commands. File: smtpd/smtpd.c.

	Cleanup: permit_recipient_maps is gone, because that could
	only be used inside UCE restrictions.

19991216

	Feature: allow an empty inet_interfaces parameter, just
	like an empty mydestination parameter. It's needed for true
	null clients and for firewalls that deliver no local mail.

	Feature: "disable_vrfy_command = yes" disables some forms
	of address harvesting used by spammers.

	Workaround: added the alias map parameter definition to
	the smtpd code.  This is a symptom of a general problem
	with parameters that have non-empty default values:  unless
	a program explicitly defines such a parameter, the parameter
	defaults to the empty string when used in other parameters.
	There's also a problem with evaluation order.

	Feature: the SMTP server rejects mail for unknown users in
	virtual domains that are defined by Postfix virtual domain
	files. File: smtpd/smtpd_check.c.

	Feature: reject mail for unknown local users at the SMTP
	port.  The local_recipient_maps configuration parameter
	specifies maps with all addresses that are local with
	respect to $mydestination or $inet_interfaces. Example:
	"local_recipient_maps = $alias_maps unix:passwd.byname".
	This feature is disabled by default. You may have to copy
	the passwd file into the chroot jail. File:  smtpd/smtpd_check.c.

	Feature: the sendmail -f option now understands '<user>'
	and even understands address forms with RFC 822-style
	comments.

19991217

	Cleanup: no more UCE checks for VRFY commands. It still
	reports unknown local/virtual users. File:  smtpd/smtpd_check.c.

	Robustness: upon Postfix startup, report discrepancies
	between system files inside and outside the chroot jail.
	Files: conf/postfix-script-nosgid, conf/postfix-script-sgid.

19991218

	Cleanup: INSTALL.sh produces relative symlinks, which is
	necessary when install_root is not /.

19991219

	Documentation: completely reorganized the FAQ and added
	many new entries. Rewrote the UCE html documentation.

	Cleanup: INSTALL.sh uses a configurable directory for
	scratch files, so that it can install from a file system
	that is not writable by the super-user.

	Cleanup: INSTALL.sh gives helpful hints when the "mv"
	command is unable to move symlinks across file system
	boundaries.

19991220

	Cleanup: it is no longer necessary to list $virtual_maps
	as part of the relay_domains definition. The SMTP server
	now by default accepts mail for destinations that match
	$inet_interfaces, $mydestination or $virtual_maps, whether
	or not these are specified in relay_domains.  We still need
	the ugly "virtual.domain whatever" hack in the virtual
	maps. Files:  smtpd/smtpd_check.c and lots of documentation
	and sample config files.

19991221

	Removed cyrus -q flag (ignore quotas) from the sample
	master.cf file.

19991223

	Bugfix: smtpd should not check for unknown users when
	running in stand-alone (sendmail -bs) mode. Problem
	experienced by Chuck Mead.  File: smtpd/smtpd.c.

	Retraction: the "local_transports" configuration parameter
	is gone. Adjusted code and documentation accordingly.
	Instead, use just one "local_transport" parameter with the
	name of the default local transport. Files:  smtpd/smtpd_check.c,
	qmgr/qmgr_message.c, trivial-rewrite/ resolve.c, local/resolve.c.

	Feature: Postfix SMTPD now insists that the smtpd recipient
	restrictions contain at least one restriction that by
	default rejects mail. This should make it much more difficult
	to change Postfix into an open relay.  File:  smtpd/smtpd_check.c.

	Retraction: null-length inet_interfaces is too confusing.

19991224

	Bugfix: the relative symlink code in INSTALL.sh computed
	the ../ prefix from the wrong pathname.

1999122[5-7]

	Feature: "allow_untrusted_routing = no" (default) prevents
	forwarding of source-routed mail from untrusted clients to
	destinations that are blessed by the relay_domains parameter
	(example:  user@domain2@domain1 etc.).  This plugs a mail
	relay loophole where a backup MX host forwards junk mail
	to a primary MX host which forwards the junk to the Internet.
	Files:  global/quote_822_local.c, smtp/quote_821_local.c,
	trivial-rewrite/rewrite.c, trivial-rewrite/resolve.c,
	smtp/smtpd_check.c.

	In order to make this possible, the Postfix resolver data
	structure and protocol has changed, so that all resolver
	clients need to be re-compiled.

	Side effect from the above change: from now on, an address
	with @ in the recipient localpart no longer bounces with
	"user unknown" but instead is rejected with "relay access
	denied" or "source-routed relay access denied".

19991227

	Workaround: the BSD/OS "mkdir -p" and "cmp -s" commands
	misbehave on boundary cases: directory exists or file does
	not exist. Those who re-invent...

19991229

	Added the no source routing info requirement to addresses
	accepted by the permit_mx_backup UCE restriction.

19991230

	Added a spawn daemon (not compiled and installed by default)
	to enable LMTP delivery over UNIX-domain sockets. The goal
	is to simplify the experimental LMTP delivery agent by
	ripping out the privileged code that forks the LMTP server.

20000102

	Clarified documentation after early feedback on the 19991231
	release by Drew Derbyshire, Ollivier Robert, Khetan Gajjar.

	Sanity check: a common error is to list Postfix virtual
	domains in the mydestination parameter. This causes the
	new optional local_recipient_maps feature to reject mail
	for virtual users.  The SMTP server now explicitly tests
	for this common error and logs a warning instead of refusing
	the mail.  File:  smtpd/smtpd_check.c.

20000104

	Bugfix: a case sensitivity bug had slipped through in the
	anti-relaying code, causing mail for USER@VIRTUAL.DOMAIN
	to be rejected with "relay access denied". This was found
	by Jim Maenpaa @ jmm.com.

	Questionable feature: set "smtp_skip_5xx_greeting = yes"
	to make Postfix more sendmail compatible, even though this
	is wrong, IMNSHO. File: smtp/smtp_connect.c.

	Portability: Ultrix patch from Simon Burge @ thistledown.com.au.

	Portability: Siemens Pyramid (dcosx) patch by Thomas D.
	Knox @ vushta.com.

	Performance: FreeBSD has bidirectional pipes that are faster
	than socketpairs. Anticipating on more platform-specific
	optimizations, all duplex pipe plumbing is now isolated in
	a duplex_pipe.c module that provides a system-independent
	interface.

20000105

	Cleanup: the INSTALL.sh script now updates the sample files
	in /etc/postfix even when main.cf exists.

20000106

	Bugfix: the SMTP server should consult the relocated map
	for virtual destinations (Denis Shaposhnikov). Files:
	smtpd/smtpd.c smtpd/smtpd_check.c.

20000108

	Workaround: rename() over NFS can fail with ENOENT even
	when the operation succeeds (Graham Orndorff @ WebTV). This
	is not news. Any non-idempotent operation can fail over
	NFS when the NFS server's acknowledgment is lost and the
	NFS client code retries the operation (other examples are:
	create, symlink, link, unlink, mkdir, rmdir).  Postfix has
	workarounds for the cases where this is most likely to
	cause trouble. Files:  util/sane_{rename,link}.[hc].  If
	you want reliable mail system, do not use NFS.

20000115

	Workaround: better detection of bad hardware. Added SIGBUS
	to the list of signals that the master will log before
	exiting.

20000122

	Portability: preliminary SCO5 port Christopher Wong @
	csports.com. This still needs to a workaround for "find"
	not supporting "-type s" (actually, UNIX-domain sockets
	have no unique representation in the file system and show
	up as FIFOs).

20000115-22

	Bugfix: in case of a too long message header, don't extract
	recipients from message headers.  With the previous behavior,
	Bcc information could be left in the message body, as one
	person found out the hard way.  Files:  cleanup/cleanup.c,
	cleanup/cleanup_extracted.c, global/cleanup_user.h.

20000124

	Whatever: RFC 1869 amends RFC 821 and specifies that code
	555 is to be used when a MAIL FROM or RCPT TO parameter is
	not implemented or not recognized. Russ Allbery @stanford.edu.
	This reply code is added to the list of reply codes that
	cause the Postfix SMTP client to mail a transcript to the
	postmaster.  File: smtp/smtp_trouble.c.

20000126

	Emergency feature: qmgr_site_hog_factor (default: 90 percent)
	limits the amount of resources that Postfix devotes to a
	single destination. With less than 100, Postfix defers the
	excess mail so that one site with a large backlog does not
	block other deliveries. Files: qmgr/qmgr.c, qmgr/qmgr_message.c.

20000128

	Cleanup: the queue manager no longer replaces the nexthop
	field by the recipient localpart when a destination matches
	$mydestination/$inet_interfaces. The price is the introduction
	of a new parameter local_destination_recipient_limit which
	defaults to 1 in order to maintain backwards compatibility.
	Files: qmgr/qmgr.c, qmgr/qmgr_message.c.

20000129

	Bugfix: extracted recipients were misfiled when a message
	was moved back to the maildrop queue. But they still worked
	due to a coincidence.

	Feature: bounce_recip() bounces a recipient immediately
	without accessing a bounce logfile.  This is necessary for
	VERP bounces, for bounces by delivery agents that change
	the sender address, and for bounces that for some reason
	must not use temporary logfiles.  Files: global/bounce.c,
	bounce/bounce_recip_service.c.

20000130

	Bugfix: the too long header fix of 20000115-22 lost mail
	with too long headers that didn't need to extract recipients
	from message headers.

	Bugfix: the too long header fix of 20000115-22 lost mail
	without (blank line + message body).

	Code rewrite: reorganized the cleanup daemon source code
	so that the cleanup service can be called one record at a
	time (see cleanup/cleanup_api.c); also got rid of the global
	state variables and fixed a couple bugs that were introduced
	with 20000115-22.

20000204

	Feature: in daemon mode, the MAIL FROM size check can be
	postponed until RCPT TO so that Postfix can log sender and
	recipient. Simon J Mudd.  Files: smtpd/smtpd.c

	Robustness: limit the number of recipient addresses that
	can be extracted from message headers. Parameter:
	extract_recipient_limit (default:  10240). Files:
	cleanup/cleanup_message.c, cleanup/cleanup_extracted.c.

	Cleanup: the message header reject logging now includes
	sender and recipient address (if possible), so that the
	logging looks more like the other reject logging.  File:
	cleanup/cleanup_message.c.

	Documentation: added sections on regular expression tables
	to the access, canonical, virtual, transport and relocated
	man pages, and write new man pages that are specific to
	regular expressions: pcre_table.5 and regexp_table.5.

20000214

	Bugfix: postconf reported some parameters more than once
	because the parameter extracting script didn't recognize
	lines that differ in whitespace only. File: postconf/extract.awk.
	Reported by Kenn Martin.

20000221

	Logging: the SMTP client now logs log host+port when it is
	unable to connect to a non-MX host, just like it logs
	host+port when unable to connect to an MX host.

20000226

	Bugfix: the SMTP server's "User unknown" test didn't notice
	LDAP etc. dictionary access errors. The code now reports
	a 450 status (try again instead of bounce) if the reply is
	not definitive.  File: smtp/smtpd_check.c.

	Robustness: the smtp-source program could stall when making
	hundreds of parallel connections to a Postfix system with
	only one SMTP server process. The fix is to use non-blocking
	connect() calls, very carefully. File: smtpstone/smtp-source.c.

20000303

	Feature: with smtp_always_send_ehlo the SMTP client will
	send EHLO regardless of the content of the SMTP server's
	greeting.  File: smtp/smtp_proto.c.

20000304

	Feature: DICT_FLAG_SYNC_UPDATE flag for synchronous dictionary
	updates, if supported by the underlying mechanism. Files:
	util/dict.h, util/dict_open.c, util/dict_db.c.

20000307

	Cleanup: the manual pages in Postfix configuration files
	no longer contain troff formatting codes.  The text is now
	generated from prototype files in a new "proto" subdirectory.
	Requested by Matthias Andree @ stud.uni-dortmund.de.

20000308

	Bugfix: the unused db and dbm "delete" routines would
	clobber the per-dictionary flags when called before reading
	or writing the table. Files: util/dict_dbm.c, util/dict_db.c.
	Lutz Jaenicke @ aet.TU-Cottbus.DE.

	Bugfix: the SMTP server would produce a cryptic message
	when a queue file write error happened before it had written
	any recipients.  Keith Stevenson. File: smtpd/smtpd.c.

	Robustness: the db and dbm "delete" routines didn't adjust
	to dictionaries with/without one trailing null in lookup
	keys and values. Did a complete rewrite of the routines.
	Files: util/dict_db.c, util/dict_dbm.c.

	Feature: specify "-d key" to postalias or postmap in order
	to remove one key. This still needs to be generalized to
	multi-key removal (read stdin?). Files: postmap/postmap.c,
	postalias/postalias.c.

	Test: added test targets for the dictionary delete operations.
	Files: util/Makefile.in, util/dict_test.{c,in,ref}.

	Feature: added data offset and recipient count fields to
	the first queue file record output from the cleanup daemon.
	The recipient counts provides an initial estimate for a
	more advanced queue manager scheduling algorithm. Files:
	cleanup/cleanup_envelope.c, cleanup/cleanup_extracted.c.

20000311

	Portability: HP-UX awk can't handle bare { in regexps
	(Lamont Jones. HP). File: postconf/extract.awk.

	Compatibility: sendmail now recognizes '.' as end of input.
	File: sendmail/sendmail.c.

20000313

	Compatibility: dtcm (CDE desktop calendar manager) leaks
	a file descriptor into its child process, and requires that
	sendmail closes the descriptor, otherwise mail notification
	will hang.  These GUI programmers never figured out that
	the child process must close the writing end of a pipe.
	File:  sendmail/sendmail.c.

20000314

	Feature: SASL authentication in the SMTP server and client.
	Based on code contributed by Till Franke, SuSE.  Specify:
	"smtpd_sasl_auth_enable = yes" and "smtp_sasl_auth_enable
	= yes". The "permit_sasl_authenticated" UCE restriction
	gives special treatment to authenticated clients.

20000315

	Workaround: added -blibpath option for AIX 4.x, to close
	hole in case postdrop needs to be set-gid.

20000320

	Portability: FreeBSD 5.x added to the list of supported
	systems (Mark Huizer).

20000323

	Portability: INSTALL.sh looks if sendmail is in /usr/lib
	rather than in /usr/sbin.

20000326

	Bugfix: settings in one mysql configuration file would act
	as the implicit defaults for the next one, which could be
	confusing.  Patch by Scott Cotton. File: util/dict_mysql.c.

	Robustness: limit the number of "junk" commands that can
	be issued in an SMTP session (ex.: NOOP, VRFY, ETRN, RSET).
	Problem report by Michael Ju. Tokarev @ tls.msk.ru.  Files:
	global/mail_params.h, smtpd/smtpd.c.

20000413

	Portability: more MacOS X patches by Gerben Wierda.

	Bugfix: RFC 822 requires the presence of at least one
	destination message header. The cleanup daemon now generates
	a generic "To: undisclosed-recipients:;" message header
	when no destination header is present.  The header content
	is specified with the undisclosed_recipients_header parameter.
	Problem pointed out by Geoff Gibbs, UK-Human Genome Mapping
	Project-Resource Centre.

20000416

	Workaround: allow <(comment)> as SMTP MAIL FROM address.

20000417

	The SASL authentication in the SMTP server and client works,
	but only on Linux and Solaris, neither of which I wish to
	run on my laptop.

20000418

	Added LMTP support to the smtp-source and smtp-sink utilities
	so that I don't have to install Cyrus IMAP just to test
	LMTP.

20000419

	Bugfix: removed the () from the tokenized representation
	of RFC 822 comments, so that comments with \( or \) can be
	unparsed correctly.  Problem reported by Bodo Moeller.

20000423

	Bugfix: mail_copy() could prepend > or . in the middle of
	long lines. Found by code inspection.

20000427

	New code: unescape module that translates C escape sequences
	into their equivalent character values.  File: util/unescape.c.

	Feature: the pipe mailer now has a way to specify the output
	record delimiter (for example, eol=\r\n). This is necessary
	for transports that require CRLF instead of UNIX-style LF.

20000502

	In order to support timeouts more conveniently, VSTREAMs
	now have built into them the concept of timeout.  Instead
	of calling read() and write(), the low-level VSTREAM
	interface now by default uses timed_read() and timed_write()
	which receive a timeout parameter; vstream_ctl(stream,
	VSTREAM_CTL_TIMEOUT...) sets the timeout deadline on a
	stream, and vstream_ftimeout(stream) queries a stream for
	timeout errors.  This change simplified timeout handling
	considerably.  Files: util/vbuf.h, util/vstream.[hc],
	global/smtp_stream.c, global/timed_ipc.c.

20000504

	Added application context to VSTREAMs, which is passed on
	transparently to application-provided read/write routines.
	vstream_ctl(stream, VSTREAM_CTL_CONTEXT...) sets the context.
	Files:  util/vstream.[hc].

	Added vstream_setjmp() and vstream_longjmp() support to
	make exception handling more convenient. Turn on exception
	handling with vstream_ctl(stream, VSTREAM_CTL_EXCEPT...).
	Files:  util/vstream.[hc].

	Cleaned up the smtp_stream module further and got rid of
	the global state that limited the use of this module to
	one stream per process. Files: global/smtp_stream.[hc].

20000505

	Bugfix: the SMTP server now flushes unwritten output before
	tarpit delays, to avoid protocol timeouts in pipelined
	sessions when a client causes lots of errors. Found by
	Lamont Jones, HP. File:  smtpd/smtpd_chat.c.

	Finished the LMTP client, which is based on a modified
	version of the SMTP client by Philippe Prindeville, Mirapoint,
	Inc., later modified by Amos Gouaux, UTDallas, and then
	Wietse ripped it all up again. Currently this talks LMTP
	over TCP only.

	Feature: override main.cf parameters in master.cf. Specify
	"-o parameter=value" after the program name. This allows
	you to selectively override myhostname etc. See also the
	new smtp_bind_address parameter below.

20000506

	Convenience: the LMTP and SMTP clients now append the local
	domain to unqualified nexthop destinations. This makes it
	more convenient to set up transport maps. Files:
	lmtp/lmtp_addr.c, smtp/smtp_addr.c.

	Sendmail compatibility: the Postfix SMTP client now skips
	servers that greet the client with a 4xx or 5xx status
	code.  To disable, set both smtp_skip_4xx_greeting and
	smtp_skip_5xx_greeting to "no".

20000507

	Portability: NetBSD has migrated to /etc/mail/aliases. We
	can expect to see this happen more often when systems start
	shipping Sendmail 8.10. File: util/sys_defs.h

	Updated LDAP code by John Hensley, with support for
	dereferencing of LDAP aliases, which have nothing to do
	with Postfix aliases.

	Feature: "smtp_bind_address=x.x.x.x" specifies the source
	IP address for SMTP client connections. Specify in master.cf
	as "smtp -o smtp_bind_address=x.x.x.x" in order to give
	different delivery agents different source addresses.

20000510

	Cleanup: mailbox_transport did not work with the lmtp
	delivery agent. This dates back to when Postfix used empty
	nexthop information to indicate that a destination was
	local. File: global/deliver_pass.c.

	Bugfix: configuration parameters for one mysql dictionary
	would become default settings for the next one. File:
	dict_mysql.c. This patch was merged into Postfix a while
	back but apparently that Postfix version was nuked when
	other parts were redesigned. Update by Scott Cotton.

	Bugfix: some Postfix delivery agents would abort on addresses
	of the form `stuff@.' which could be generated only locally.
	Found by Patrik Rak. File:  trivial-rewrite/resolve.c.

	Third-party Berkeley DB support for HP-UX by Lamont Jones.
	File: makedefs.

20000511

	Bugfix: Postfix would incorrectly reject domain names with
	adjacent - characters. File: util/valid_hostname.c.

	Bugfix: the 20000505 pipeline tarpit delay flush was wrong
	and caused the client and server to get out of phase. Yuck!

20000513

	Feature: VSTREAMs now have the concept of last fill/flush
	time, which is needed to prevent timeouts with pipelined
	SMTP sessions as detailed in the next item.

	Bugfix: delayed SMTP command/reply flushing to prevent
	sender delays from accumulating too much and causing timeouts
	with pipelined sessions.  For example, client-side delays
	happen when a client does DNS lookups to replace hostname
	aliases in MAIL FROM or RCPT TO commands; server-side delays
	happen when an UCE restriction involves a time-consuming
	DNS lookup, or when a server generates tarpit delays.
	Files:  lmtp/lmtp_proto.c, smtp/smtp_proto.c, smtpd/smtpd_chat.c.

	Portability: define ANAL_CAST for compilation environments
	that reject explicit casts between pointers and integral
	types. File: util/sys_defs.h, master/*server.c.  Upon closer
	investigation, this turned out to be the result of someone's
	compiler configuration preferences.  Therefore the change
	is likely to go away after a code cleanup.

20000514

	Feature: mysql client support for multi-valued queries
	(select email, email2 from aliastbl where username='$local')
	By Loic Le Loarer @ m4x.org. File: util/dict_mysql.c.

	Finalized the delayed SMTP command/reply flushing code in
	the SMTP and LMTP clients after lots of testing and review.

20000520

	Robustness: upon receipt of mail, map the mailer-daemon
	sender address back into the magic null string. File:
	cleanup/cleanup_envelope.c.

20000524

	Bugfix: the code for masquerade_exceptions was case sensitive.
	Reported by Eduard Vopicka.  File: cleanup/cleanup_masquerade.c.

20000526

	Feature: experimental queue manager by Patrik Rak with a
	fancy pre-emptive scheduling algorithm that improves delivery
	performance of mail with few recipients. This queue manager
	is made available as "nqmgr".

20000528

	Feature: the SMTP client SASL password file can contain
	entries for destination domain names (the address remote
	part) not just mail server hostnames. File: smtp_sasl_glue.c.

	Feature: smtpd_sasl_local_domain parameter (default:
	$myhostname) to specify the local SASL authentication realm.
	File: smtpd_sasl_glue.c.

	Feature: specify "body_checks=regexp:/file/name" for a very
	crude one line at a time message body content filter.  This
	feature uses the same filtering syntax as the header_checks
	feature.  File:  cleanup/cleanup_message.c. See also the
	conf/sample-filter.cf file.

20000530

	Feature: full content filtering through external software.
	This uses existing interfaces for sending mail to the
	external content filter and for injecting it back into
	Postfix.  Details in FILTER_README.  Files: pickup/pickup.c,
	smtpd/smtpd.c, qmgr/qmgr_message.c.

20000531

	More SASL feedback by Liviu Daia, regarding the use of
	authentication realms. File smtpd/smtpd_sasl_glue.c.

	Added a simple shell-script based content filtering example
	to the FILTER_README file.

	Content filtering support for nqmgr by Patrik Rak.  File:
	nqmgr/qmgr_message.c.

	Renamed "content inspection" etc. to "content filtering"
	in anticipation of a new hook for content inspection that
	only inspects mail without re-injecting it into Postfix.

20000601

	Feature: limit the size of pipe mailer deliveries with the
	size=nnn command-line attribute. Patch by Andrew McNamara.

20000603

	Bugfix: don't try to do SASL authentication when running
	in stand-alone (sendmail -bs) mode. Fix by Liviu Daia.

	Bug: the unauthorized pipelining test fails with single
	recipient mail when smtpd_delay_reject = yes.

20000617

	Bugfix: conf/sample-ldap.cf was no longer up to date with
	reality. Patch by Lamont Jones, HP.

	Bugfix: the maildir delivery routine left temporary files
	lying around after unsuccessful delivery (problem reported
	by Brian Laughton @ Corp.Axxent.Ca).

20000621

	AIX 4.x had POSIX regular expression support all the time
	I was working on Postfix. Better find out late than never.

20000623

	Bugfix: the SMTP server did not reset the so-called junk
	command counter after successful delivery (Mark Hoffman @
	wallst.com).  File: smtpd/smtpd.c.

20000625

	Cleanup: remove Content-Length from incoming mail. The
	sender has no authority over the format of mail as stored
	by the receiving system. File: global/header_opts.h.

	Feature: rewrite Mail-Followup-To: as sender. Files:
	global/header_opts.[hc].

	Cleanup: rewrite Reply-To, Errors-To, Return-Receipt-To as
	sender, so that address masquerading works as expected.
	Files: global/header_opts.c.

	Feature: specify "require_home_directory = yes" to prevent
	mail from being delivered to a user whose home directory
	is not mounted. File: local/dotforward.c.

	Cleanup: the pipe deliver agent no longer appends a blank
	line when the F flag (prepend From_ line) is specified.
	Specify the B flag if you need that blank line. The local
	delivery agent no longer appends a blank line to mail that
	is delivered to external command. Files:  pipe/pipe.c,
	global/mail_copy.[hc].

20000708

	Portability: support for NEXT/OPENSTEP requires extra
	include file in util/watchdog.c (Masaki Murase).

20000715

	Added macros to turn on vstream/vstring/etc. format string
	checking by gcc, in addition to the checking that was
	already implemented with printfck.  File: util/sys_defs.h,
	the macros for PRINTFLIKE and SCANFLIKE. Problem - unlike
	the printfck tool, gcc finds format argument type mismatches
	only in code that isn't #ifdef-ed out.

20000718

	Robustness: make_dirs() now continues when a missing
	directory is created by another process.

20000720

	Feature: the queue manager now logs the number of recipients
	when opening a queue file (a zero recipient count is logged
	with older queue files). File: global/opened.c.

20000726

	Robustness: added watchdog_pat() routine to keep the watchdog
	quiet if a client stays connected for a lot of time. Files:
	util/watchdog.[hc], smtpd/smtpd.c.

20000729

	Robustness: if relayhost is specified but the host does
	not exist, defer mail instead of bouncing it (which would
	lose the mail if the bounce would have to be delivered to
	that same non-existent relayhost). Problem reported by
	Chris Cooper @ maths.ox.ac.uk. File: smtp/smtp_connect.c.

20000821

	Feature: added -r (replace key+value) option to postalias
	and postmap.

	Cleanup: smtpd now replies with 555 when the client sends
	unrecognized RCPT TO parameters, as required by RFC 1869
	(problem report by Robert Norris @ its.monash.edu.au).
	File: smtpd/smtpd.c.

20000822

	Logging: the SMTP server's SASL code logs the authentication
	method along with an authentication failure. Suggested by
	Ronald F. Guilmette @ monkeys.com.

	Workaround: some systems have file size resource limits
	that cannot be represented with the off_t type that is used
	by standard functions such as lseek(2). Problem reported
	by Blaz Zupan @ amis.net.

20000823

	Feature: all this discussion about when to reject mail and
	when not made me decide to implement a TCP-based map type
	so that it becomes relatively simple to implement dynamic
	access controls, for example, hold off mail from an unknown
	client or sender until we have completed some investigation,
	after which we will either reject or accept.

	However, this code is turned off until it is finished.

20000905

	Robustness: the dns client now rejects malformed domain
	names rather than depending on the DNS to report that the
	name does not exist. Linux returns a rather misleading
	server failure code as found out by Patrik Rak. File:
	dns/dns_lookup.c.

20000911

	Feature: added IGNORE keyword to header_checks and body_checks
	to pretend that certain data does not exist. File:
	cleanup/cleanup_message.c.

20000911

	Bugfix: the SASL code did not allow MAIL FROM... AUTH=sender
	without prior authentication. The RFC allows this, although
	one wonders what the reasoning behind this is. File:
	smtpd/smtpd_sasl_proto.c.

20000913

	Bugfix: the rmail script did not handle remote UUCP systems
	that send a from_ line with unqualified envelope sender.
	Reported by Luciano Mannucci.

	Compatibility: don't insert Sender: header lines. Sendmail
	has not done so for at least 10 years, if it ever did.
	Problem reported by Brad Knowles. File: cleanup/cleanup_message.c.

20000916

	Bugfix: when propagating an address extension in a virtual
	or canonical mapping, cleanup accesses memory that is no
	longer allocated. This can happen when the result address
	length is more than 100 characters.  Problem reported by
	Adi Prasaja @ satunet.com. File: global/mail_addr_crunch.c.

	Bugfix: fixed a misleading error message when the cleanup
	server reaches the queue file size limit. Fix by Robby
	Griffin @ MIT.EDU.  File: cleanup/cleanup_extracted.c.

20000917

	Bugfix: postalias -i would complain about duplicate entries
	for the Sendmail-compatible @ entry and for the NIS-compatible
	YP_LAST_MODIFIED and YP_MASTER_NAME entries.

20000918

	Gross hack: prevent looping on a bad recipient by always
	forwarding recipients in :include: files to a new mail
	delivery request, even when owner-listname is not set.
	File: local/recipient.c.

20000919

	Convenience: INSTALL.sh now imports default settings from
	the process environment, in order to make scripting easier.

	Robustness: INSTALL.sh now systematically skips over CVS,
	RCS and SCCS cruft.

	Portability: another fix for NEXTSTEP (Masaki MURASE).
	File: util/spawn_command.h.

20000920

	Cleanup: in a transport table entry, do not ignore port
	numbers specified as [host]:port. In fact, this is now
	becoming the preferred form, in order to avoid parsing
	problems with IPV6 addresses. Postfix supports both forms,
	but future versions will print a warning for the old form.
	Problem reported by Claus Fischer @ werhats.at

	Bugfix: missing initialization for state->sasl_method can
	cause permit_sasl_authenticated to always succeed.  Report
	and fix by Lutz Jaenicke @ aet.TU-Cottbus.DE.

	FAQ: added notes about how to delete, copy or restore queue
	files in a safe manner.

20000921

	File reorganization. No code change except Makefiles. All
	sources are pushed down by one directory level to keep file
	listings usable. Released as 20000922, so that I have a
	reference to run "diff -cr against.

	Bugfix: the spawn service was installed without man pages.

	Portability: MacOSX hints and tips by Joe Block, University
	of Central Florida School of Optics/CREOL

	Portability: The MacOSX gcc compiler does not understand
	the new printf_like/scanf_like attributes. File: util/sys_defs.h.

20000922

	nqmgr update from Patrik Rak for the changed queue manager
	to delivery agent protocol.

	Lame feature: syslog_facility parameter to control where
	syslogd sends Postfix logging (default: syslog_facility =
	mail).  However, errors during command-line parsing are
	still logged with the default syslog facility, as are errors
	while processing the main.cf file (surprise).  Based on
	code by Andrew McNamara.

20000923

	Cleanup: new bounce logfile API so that Postfix can change
	to an extensible bounce logfile format with per-recipient
	sender addresses (needed for VERP and for reporting local
	list delivery problems to the list owner) and other
	attributes.  File:  global/bounce_log.[hc].

	Cleanup: replaced the ad-hoc logfile parsing code in showq
	by something that uses the generic bounce logfile API.

20000924

	Feature: Postfix bounced mail and delayed mail notifications
	now have the standard RFC 1894 form (DSN). The bounce
	service now uses the generic bounce logfile API.  File:
	bounce/bounce_notify_service.c, bounce/bounce_notify_util.c.

	Cleanup: deleted the per-recipient bounce protocol.  Future
	bounce logfiles will support per-recipient bounce addresses.
	Files:  global/bounce.c, bounce/bounce_recip_service.

20000925

	Workaround: sendmail allows MAIL FROM and RCPT TO envelope
	addresses like <the dude <dude@site>> so we will never get
	rid of them. To disallow, specify "strict_rfc821_envelopes
	= yes".  File: smtpd/smtpd.c.

20000926-20001003

	Feature: a "flush" server that keeps per-destination records
	of deferred mail. It is the basis of a faster ETRN and
	"sendmail -qRsite" implementation. This code was rewritten
	half a dozen times.

20000928

	Bugfix: the stricter dns_lookup() argument checks revealed
	that Postfix was doing DNS lookups for domain literals
	([ip.address]) when expanding aliases in MAIL FROM and RCPT
	TO address parameters.  Reported by Jim Littlefield. File:
	smtp/smtp_unalias.c.

	Documentation: added text on the biff=yes/no parameter to
	conf/sample-local.cf (text provided by Paul Wagland,
	relational-consultancy.com.

	Robustness? Log errors from SASL library code as warnings
	not as fatal errors. Files: smtp*/*glue.c.

20001001

	Feature: in master.cf, specify ? after wakeup time to avoid
	waking up services that aren't being used.

20001003

	Feature: the fast flush refresh and purge time interval
	parameters can now be specified in user-specified units by
	providing an appropriate suffix:  s (seconds), m (minutes),
	h (hours), d (days), w (weeks).  unit.  This was needed so
	that I could test the flush server code in a reasonable
	way (its timeouts are normally specified in days or hours,
	and I don't have that much time for testing).  Other Postfix
	time interval parameters will be migrated as time permits.
	Files:  conf/sample-flush.cf, global/mail_conf_time.c,
	postconf/postconf.c.

	Unfeature: qmgr_hog_factor is now disabled by default. It
	was just too confusing. If you don't know what this means,
	do not worry.

20001005

	Cleanup: after "postfix reload" do not penalize mail that
	was in the active queue, but make it ready for immediate
	delivery so that ETRN etc. works as intended. Files:
	*qmgr/qmgr.c, *qmgr/qmgr_active.c.

	Portability: Redhat 7 library interfaces have changed
	incompatibly, which breaks existing software. File makedefs.

	Consistency: the fallback_relay parameter did not understand
	the [] or host:port syntax, and there was no way to suppress
	MX record lookups. Files: smtp/smtp_addr.c, smtp/smtp_connect.c.

	Convenience: you can now specify multiple SMTP destinations
	in the relayhost or fallback_relay configuration parameters.
	The specified destinations will be tried in the specified
	order. File:  smtp/smtp_connect.c.

	Many typographical corrections by Matthias Andree.

20001024

	Documentation: the canonical, virtual etc. manual pages
	did not document the effect of leading whitespace.

20001025

	Bugfix: virtual map expansion stopped too early with
	self-referential aliases. Reported by Michael Douglass @
	datafoundry.net. File: cleanup/cleanup_map1n.c.

20001026

	Horror:  postmap and postalias (newaliases) silently lose
	the file lock while building a lookup table with Berkeley
	DB 2.x and later on Solaris, HP-UX, IRIX, and UNIXWARE.
	The result is that table lookups fail while the table is
	being built, so that mail is lost.  In order to avoid this
	misbehavior one has to use an undocumented feature that is
	NOT available with the DB1.85 compatibility interface.
	Therefore, Postfix now supports three Berkeley DB programming
	interfaces of increasing complexity. File: util/dict_db.c.

	Bugfix: some character manipulations were not portable for
	signed/unsigned characters. Files: global/quote_821_local.c,
	global/quote_822_local.c.

	Workaround: apparently, some software sends SMTP mail that
	begins with "From sender time-stamp". Sendmail silently
	ignores such RFC violating garbage, and therefore Postfix
	needs to jump another hoop.  File: smtpd/smtpd.c.

20001028

	Bugfix: the flush server tried to access config files after
	going to the chroot jail. Found by Lutz Jaenicke, TU-Cottbus.DE.
	File: flush/flush.c.

	Update: revised LDAP module from primary maintainer John
	Hensley, with contributions from many other people. Files:
	util/dict_ldap.c, LDAP_README.

	Update: LINUX2 chroot setup script by Matthias Andree,
	uni-dortmund.de.

	Feature: specify unix:/path/name for LMTP connections over
	UNIX-domain sockets, and specify inet:host or inet:host:port
	for IPV4. If no unix: or inet: is specified, IPV4 is assumed.
	File: lmtp/lmtp_connect.c.

	Feature: added UNIX-domain support to the smtpstone test
	programs in order to test the LMTP client UNIX-domain
	support.

20001030

	Bugfix: further testing in preparation for 19991231-pl10
	revealed that the DB map code was now broken for every
	platform.

20001031

	Performance: the slow start (gradually increase number of
	parallel connections to the same site) was too gentle and
	Postfix would back off too quickly. Files: qmgr/qmgr_queue.c
	and nqmgr/qmgr_queue.c.

20001101

	FAQ update by Ralph Hildebrandt.

20001104

	Portability: RedHat Linux has changed incompatibly, again.
	Fixed with the help of Matthias Andree.  File: makedefs.

20001109

	Cleanup: changed prototype of internal function that did
	not return a useful result. File: src/util/vstream_popen.c.

20001110

	Workaround: the Debian post install script passes an open
	file descriptor into the master server and waits forever.
	Reported by Lamont Jones. File: master/master.c.

20001114

	Compatibility: added sendmail -G (gateway submission) option
	for compatibility with the sendmail rmail command. Requested
	by David Gilbert, Velocet Communications.

20001116

	Documentation: added MAILER-DAEMON to the list of sample
	masquerade_exceptions settings in conf/sample-rewrite.cf.
	Suggested by Karl O. Pinc, pop.artic.edu.

	Performance: the slow start (gradually increase number of
	parallel connections to the same site) was too gentle and
	Postfix would back off too quickly. Files: qmgr/qmgr_queue.c
	and nqmgr/qmgr_queue.c. Yup, changed the same code, again.
	We now allow for a margin above the actual concurrency,
	with the size of the initial destination concurrency.
	Final solution by Patrik Rak.

	Bugfix: the recipient home directory test broke mailbox_transport
	support for non-UNIX recipients.  File:  local/recipient.c.

20001117

	Robustness: additional integrity tests for the nqmgr by
	Patrik Rak. File: nqmgr/qmgr_message.c.

20001118

	Bugfix: the new LDAP client code did not work properly if
	the new ldap_domain parameter was not specified. LaMont
	Jones, HP.  File: util/dict_ldap.c.

	Feature: the soft_bounce safety net is extended to the SMTP
	server. With "soft_bounce = yes", The SMTP server changes
	all 5xx (reject) replies into 4xx (try again) replies.

	Documentation: the virtual(5) man page now documents both
	Postfix-style virtual domains and Sendmail-style virtual
	domains, including their interaction with local usernames,
	aliases and mailing lists. Hopefully, this ends some of
	the confusion surrounding virtual domain support. Updated
	several FAQ entries concerning virtual domain support.

	Documentation: added FAQ entry for the biff service.

20001119

	Bugfix: per-destination queue names were case sensitive so
	that the same site could have multiple queues.  Reported
	by Patrik Rak. Files: *qmgr/qmgr_message.c.

20001120

	Bugfix: per-destination deferred mail logfiles were case
	sensitive so that the same site could have multiple deferred
	mail logfiles, so that not all mail would be flushed with
	ETRN. Reported by Ralph Hildebrandt. Files:  flush/flush.c.

	Portability: added (int) casts to printf-like arguments
	that specify the width of %*letter conversions.  On some
	systems, sizeof and pointer difference expressions are
	wider than an int.  Reported by Valentin Nechayev @ lucky.net.

20001121:

	Compatibility: Postfix now retries delivery when an external
	command is killed by a signal, because people expect such
	behavior from Sendmail. File: global/pipe_command.c.

20001123-30

	Feature: mailbox locking is now configurable. The configuration
	parameter name is "mailbox_delivery_lock". Depending on
	the operating system one can specify one or more of "flock",
	"fcntl" and "dotlock". Use "postconf -l" to find out what
	locking methods Postfix supports. The default setting is
	system dependent.  All mailbox file opens are now done by
	one central mbox_open() routine. This affects the operation
	of the postlock command, and of local delivery to mailbox
	or /file/name.  Files: util/safe_open.c, util/myflock.c,
	global/deliver_flock.c, global/mbox_conf.c, global/mbox_open.c.
	local/mailbox.c, local/file.c, postlock/postlock.c.

	Compatibility: the old sun_mailtool_compatibility parameter
	is being phased out. It still works (by turning off
	flock/fcntl locks), but logs a warning as a reminder that
	it will go away.

	Compatibility: when delivering to /file/name, the local
	delivery agent now logs a warning when it is unable to
	create a /file/name.lock file, and then delivers the mail
	(older Postfix versions would silently deliver).

20001202

	Feature: specify "smtp_never_send_ehlo = no" to disable
	ESMTP.  Someone asked for this long ago. Files:  smtp/smtp.c,
	smtp/smtp_proto.c.

	Feature? Bugfix? The smtp client now skips server replies
	that do not start with "CODE SPACE" or with "CODE HYPHEN",
	and flags them as protocol errors. Older versions silently
	treat "CODE TEXT" as "CODE SPACE TEXT".  File:  smtp/smtp_chat.c.

20001203

	Documentation: postmap(1) and postalias(1) did not document
	the process exit status for "-q key".

20001204

	Bugfix: the Postfix master daemon no longer imported
	MAIL_CONF and some other necessary environment parameters.
	Postfix now has explicit "import_environment" and
	"export_environment" configuration parameters that control
	what environment parameters are shared with non-Postfix
	processes. Files: util/clean_env.c, util/spawn_command.c,
	util/vstream_popen.c, global/pipe_command.c, and everything
	that invokes this code.

20001208

	Bugfix: while processing massive amounts of one-recipient
	mail, qmgr could deadlock for 10 seconds while sending a
	bounce message. All queue manager bounce send requests are
	now implemented asynchronously.  Files: global/abounce.[hc]
	(asynchronous bounce client), qmgr/qmgr_active.c.  Problem
	reported by El Bunzo (webpower.nl) and Tiger Technologies
	(tigertech.com).

20001209

	Feature: mailbox_transport and fallback_transport can now
	have the form transport:nexthop, with suitable defaults
	when either transport or nexthop are omitted, just like in
	the Postfix transport map. This allows you to specify for
	example, "mailbox_transport = lmtp:unix:/file/name". File:
	global/deliver_pass.c.

20001210

	Bugfix: the local_destination_concurrency_limit paramater
	no longer worked as per-user concurrency limit but instead
	worked as per-domain limit, so that the limit of "2" in
	the default main.cf files resulted in poor local delivery
	performance.  Files:  qmgr/qmgr_message.c, qmgr/qmgr_deliver.c.
	Problem reported by David Schweikert (ee.ethz.ch) and Dallas
	Wisehaupt (cynicism.com).

20001210

	Feature: support for MYSQL connections over UNIX-domain
	sockets by Piotr Klaban.  Files: util/dict_mysql.c,
	MYSQL_README.

20001211

	Small dirt: postconf -m produced too much output due to a
	missing "else", and the optional SASL code needed a fix
	for the changed name_mask API.

20001212

	Workaround: due to an error, record type L for "filter
	transport name" was the same as that for the already existing
	record type L for "record not ending in newline", causing
	the pickup daemon to discard all records not ending in
	newline. The code cannot be changed without breaking
	compatibility with queued mail, so the pickup server is
	changed to discard type L records only from the message
	envelope, not from the content. File: pickup/pickup.c.

20001213

	Bugfix: dict_ldap did not properly initialize a handle
	after connection timeout. Problem reported by Alain Thivillon.
	File: util/dict_ldap.c.

20001214

	Feature: local_transport and default_transport now also
	understand the transport[:destination] notation, so that
	all transport config parameters are similar again. File:
	trivial-rewrite/resolve.c, trivial-rewrite/transport.c.

	Code cleanup: mailbox_transport and fallback_transport no
	longer allow the user to omit the transport part of a
	transport:destination specification. That just did not make
	any sense at all. The :destination part is still optional.
	File: global/deliver_pass.c.

	Feature: most time-related configuration parameters take
	a one-letter suffix that specifies the time unit:  s
	(second), m (minutes), h (hours), d (days), w (weeks).
	"postconf -d" output includes the default time unit. Files:
	many.

	Code cleanup: in a CONFIG_TIME_TABLE, the default time unit
	is now always the last character of a default time value.
	It is no longer necessary to specify the default time unit
	separately. This change means that it will not be possible
	to specify default values in the form of function calls,
	but that was unused anyway.  Files: global/mail_conf_time.c,
	and user code.

20001217

	Bugfix: reorganized some code in the MYSQL client to end
	a number of memory allocation/deallocation problems.  This
	code needs more work. File: dict_mysql.c.

20001218

	Bugfix: the MYSQL client did not provide function pointers
	for unimplemented operations, causing "postmap -d" to dump
	core instead if issuing an error message. This is what I
	get for accepting code that I cannot test myself.

20001221

	Code cleanup: configuration parameters that are $name
	expanded at run-time now have their own data type hierarchy
	instead of being piggy-backed on top of strings that are
	$name expanded at program initialization time.  Files:
	global/mail_conf.h, global/mail_conf_raw.c, and code that
	calls it.

20001230

	Update: replaced the default rbl.maps.vix.com setting by
	the current blackholes.mail-abuse.org.

20010102

	Code cleanup: the queue manager is a bit greedier with
	allocating a delivery agent. Problem pointed out by Patrik
	Rak. All bugs in the solution are mine.  Files:
	*qmgr/qmgr_active.c.

20010105

	Bugfix: the FILTER_README shell script example did not
	correctly pass exit status to the parent.

	Bugfix: soft errors in client hostname lookups would be
	treated as hard errors. Fix by Michael Herrmann
	(informatik.tu-muenchen.de). File: smtpd/smtpd_peer.c.

20010110

	Bugfix: the mkdir() EEXIST race condition workaround was
	not complete.  Matthias Andree, Daniel Roesen.  Files:
	global/mail_queue.c, util/make_dirs.c.

20010111

	Portability: IRIX 6.5.10 defines sa_len as a macro, causing
	a name collision with a variable used by Postfix. Roberto
	Totaro, enigma.ethz.ch. File:  smtpstone/smtp-source.c.

20010116

	Bugfix: REJECT by header/body_checks was flagged in smtpd
	as a bounce, should be policy, in order to make postmaster
	notifications more consistent. File: smtpd/smtpd.c.

	Merged updated chroot setup procedure by Matthias Andree.
	Files: examples/chroot-setup/LINUX2.

20010117

	Formatting: changed the seconds and days formats in the
	"your mail is delayed" text so that it does not switch to
	scientific notation. File: bounce/bounce_notify_util.c.

20010119

	Feature: SASL support for the LMTP client. Recent CYRUS
	software requires this for Postfix over TCP sockets.

20010120

	Bugfix: the 20001005 revised fallback_relay support caused
	Postfix to send mail to the fallback even when the local
	machine was an MX host for the final destination. Result:
	mailer loop. Found by Laurent Wacrenier (teaser.fr).  Files:
	smtp/smtp_connect.c, smtp/smtp_addr.c.

20010121

	Workaround: specify "broken_sasl_auth_clients = yes" in
	order to support old Microsoft clients that implement a
	non-standard version of RFC 2554 (AUTH command).

	Workaround: Lotus Domino 5.0.4 violates RFC 2554 and replies
	to EHLO with AUTH=LOGIN. File: smtp/smtp_proto.c.

20010125

	Code cleanup: wrote creator/destructor for dictionary
	objects that provides default methods that trap all attempts
	to perform an unimplemented operation. Based on an ansatz
	by Laurent Wacrenier (teaser.fr).  Files: util/dict*.[hc].

	Code cleanup: INSTALL.sh does not ask questions when stdin
	is not connected to a tty (as in: make install</dev/null).
	To automate a customized install, the script imports
	environment variables for install_root etc.

20010127

	Workaround: randomize the delay between attempts to lock
	a file, so that multiple bounce or defer servers are less
	likely to retry all at the same time.  likely.  File:
	util/rand_sleep.c, global/deliver_flock.c, global/dot_lockfile.c.

20010128

	Code cleanup: complaints about invalid or numeric hostnames
	either provide specific context or are removed as redundant.
	Files:  util/valid_hostname.c dns/dns_lookup.c.

	Code cleanup: new mailbox_size_limit parameter (default:
	20MB).  Until now, the mailbox size limit was the same as
	the message size limit, due to artefact of implementation.
	Files: global/mail_params.h, local/local.c.

	Bugfix: fix for the ldap_domains parameter, both semantics
	and documentation by LaMont Jones. Files:  LDAP_README,
	conf/sample-ldap.cf, util/dict_ldap.c.

	Update: merged in the virtual delivery agent by Andrew
	McNamara.  See VIRTUAL_README for detailed examples.

	Update: merged a re-vamped nqmgr by Patrik Rak.

20010129

	Tweak: several little nqmgr tweaks by Patrik Rak. Files:
	global/mail_params.h, nqmgr/qmgr_job.c.

	Bugfix: the virtual delivery agent did not save maps_find()
	results timely. J?rgen Thomsen, postfix.jth.net. File:
	virtual/mailbox.c.

	Security: disallow regexp tables in the virtual delivery
	agent.  The $1 etc. substitution mechanism gives too much
	power to the sender. File: virtual/mailbox.c.

	Cleanup: clarified documentation and boundary cases in the
	random_sleep() routine.

	Bugfix: the MISSING_USLEEP feature was used backwards.
	Patrik Rak. File: util/random_sleep.c.

20010130

	Workaround: Linux usleep() is void, BSD/Solaris usleep()
	returns int, don't use it. File util/random_sleep.c.

	Made local maildir bounce/defer handling mode consistent
	with local mailbox delivery. File local/maildir.c.

	The smtp client now defers delivery when all MX hosts have
	no A record. File: smtp/smtp_addr.c

	Bundled the man2html and postlink quick hacks so people
	can do their own manual page processing. See scripts in
	the mantools directory.

	Documentation: updated the reference to sendmail in the
	html/index.html page.

	Documentation: added note about the Cisco PIX "fixup smtp"
	bug that causes mail delivery problems when "." and "CRLF"
	arrive in separate packets. File:  html/faq.html.

20010201

	Bugfix: another missing initialization in the mysql client.
	File: util/dict_mysql.c.

	Sanitized time routine by Patrik Rak, to make his nqmgr
	robust against people who set their clock back.  Files:
	util/sane_time.[hc].

	Bumped the default mailbox file size limits to 50MB.

20010202

	Bugfix: fixed the way the master resets the file size limit
	to avoid problems when a Postfix daemon updates a queue
	file.  The file size limit is now increased to INT_MAX if
	it is smaller than INT_MAX, so that it is less likely to
	interfere than the old setting of message_size_limit.

	Feature: disable mailbox size limits for the local and
	virtual delivery agents by setting mailbox_size_limit or
	virtual_mailbox_limit to zero.

20010203

	Update: null candidate patch from Patrik Rak. Files:
	nqmgr/qmgr_entry.c nqmgr/qmgr_job.c nqmgr/qmgr_message.c.

	Cleanup: added one gruesome command to the postlink script
	for hyperlinking nroff manual page output. Word abbreviation
	broke some <a href...> </a> instances across line boundaries.
	sed(1) is an amazing tool.  File: mantools/postlink.

20010204

	Laid the ground work for logging of table accesses. This
	will give more insight into how Postfix uses its lookup
	tables. User interface comes later.  File:  util/dict_debug.c.

20010216

	Bugfix: the pipe delivery agent expanded $size as if it
	were a recipient, instead of expanding it as $nexthop or
	as $sender. Reported by Michael Tokarev. File: pipe/pipe.c.

20010221

	Bugfix: poor LMTP performance for domains that are listed
	in $mydestination, because Postfix would send one recipient
	at a time, with multiple deliveries of recipients of the
	same message in parallel; a similar problem could exist
	with virus scanning and with firewall relay hosts that
	forward mail for $mydestination to an inside machine. This
	behavior is now changed to depend on the transport-specific
	xxx_destination_recipient_limit parameter.  This also means
	that you can now get qmail behavior for SMTP deliveries by
	setting smtp_destination_recipient_limit=1.  File:
	{qmgr,nqmgr}/qmgr_message.c.

	Workaround: Solaris socketpair() can fail with EINTR. Added
	a sane_socketpair.c module that joins the ranks of the
	other sane_whatever workarounds. Reported by Andrew McNamara.
	File: util/sane_socketpair.[hc]

20010222

	Documentation: the default main.cf file has a prominent
	warning that mynetworks should be properly configured in
	order to reject unauthorized mail relay requests from
	strangers.

	Documentation: the INSTALL document, section "mandatory
	configuration file edits" has a section that explains that
	mynetworks should be properly configured in order to reject
	unauthorized mail relay requests from strangers.

20010223

	Documentation: the basic.html document has a section that
	explains that mynetworks should be properly configured in
	order to reject unauthorized mail relay requests from
	strangers.

	Feature: new "mynetworks_style" parameter that controls
	how mynetworks (trusted networks) is derived from the
	inet_interfaces (machine interfaces) setting. Specify
	"class" for entire class A, B, C networks; "subnet" for
	the local subnets only; or "host" for maximal privacy.
	Files:  util/inet_addr_local.[hc], global/own_inet_addr.[hc],
	global/mynetworks.[hc], postconf/postconf.c.

	Portability: MACOSX patches by Gerben Wierda.

	Portability: Solaris /dev/null is a symlink, which tripped
	up the code to safely open a file before local delivery.
	We now grudgingly allow symlinks owned by root. File:
	util/safe_open.c.

20010224

	Bugfix: "postconf mynetworks" ignored the inet_interfaces
	setting. That was a very old one. File: postconf/postconf.c.

	INCOMPATIBLE CHANGE: POSTFIX NO LONGER RELAYS MAIL FOR
	CLIENTS IN THE ENTIRE CLASS A/B/C NETWORK. POSTFIX BY
	DEFAULT RELAYS MAIL FOR CLIENTS IN THE LOCAL SUBNETWORK.
	Specify "mynetworks_style = class" to get the old behavior.

20010225

	Portability: master sigchld handler based on writing to a
	pipe, so that the master wakes up from select(). Based on
	code by Erik Forsberg, Linkoping University, Sweden.  File:
	master/master_sig.c. Disabled until after the major release.

	Code cleanup: Postfix should now run with no alias database.

	Code cleanup: local_destination_recipient_limit and
	local_destination_concurrency_limit have become first-class
	configuration parameters. Files: global/mail_params.h,
	*qmgr/qmgr.c, postconf/postconf.c.

20010226

	Documentation suggestions by Lars Hecking and Richard
	Huxton, Matthias Andree and many others.

	Code cleanup: some queue/transport operations need to be
	moved, after the code cleanup of the recipient/concurrency
	limit handling. Patrik Rak.  Files: *qmgr/qmgr_message.c.

20010301

	Feature: configurable name in syslog output (default:
	"syslog_name = postfix") so that different Postfix instances
	can be recognized by their logging. File: global/mail_task.c.

20010313

	Workaround for logic mismatch in nqmgr that was exposed
	with the introduction of the asynchronous bounce client.
	Patrik Rak.

20010313

	Bugfix: the RFC 822 untokenizer quoted newlines inside
	comments. File: global/tok822_parse.c.

20010316

	Cleanup: removed an extraneous warning when a queue file
	write error happened.

20010321

	Workaround: LMTP connection caching never worked for
	destinations starting with unix: or inet:. File:
	lmtp/lmtp_connect.c.

20010322

	Portability: Solaris <2.6 does not have srandom() and
	random() in libc. File: util/rand_sleep.c. It does not have
	to be cryptographically strong.

	Bugfix: the fast ETRN flush server could not handle [ipaddr]
	or domain names with one-character hostname part.  This
	fix changes the destination to logfile name mapping, so
	that you need to populate the new files with "sendmail -q".
	The old files go away automatically. File:  flush/flush.c.

20010327

	Speed up mailq (sendmail -bp) display by flushing output
	after each file.  File: showq/showq.c.

	Portability: missing string.h includes, %p wants (void *),
	Lamont Jones, HP.

20010328

	Bugfix: swapped logic caused cleanup to stall when the
	queue file size exceeded the file size limit by less than
	one the VSTREAM buffer size, so that the "file too big"
	was detected after flushing the last queue file record.
	File: cleanup/cleanup.c.

20010329

	Portability: workaround for missing prototype problem in
	dict_ldap.c. This module should move to the global directory,
	because it depends on Postfix main.cf parameter information.

	Workaround: after sending a trigger message over a socket,
	do not immediately close the client side, but close it from
	a background thread that waits until the server closes the
	socket first. This avoids trouble with socket implementations
	that destroy a socket when the client closes a socket before
	the server has received the client's data.  Files:
	util/{inet,unix,stream}_trigger.c, util/events.c,
	master/master_trigger.c, postkick/postkick.c.

20010403

	Workaround: the mysql library can return null pointers
	rather than zero-length strings. File: util/dict_mysql.c.

20010404

	Ergonomics: log additional information about the reason
	why "mail for XXX loops back to myself" when the local
	machine is the best MX host. File: smtp/smtp_addr.c.

20010406

	Changed some noisy LDAP client warnings into optional
	logging. LaMont Jones, util/dict_ldap.c.

20010411

	Bugfix: the SMTP server now replies with 550 instead of
	503 when it receives the DATA command without having received
	a valid recipient address. This is needed for the Sendmail
	client-side pipelining implementation. Problem reported by
	Lutz Jaenicke. File: smtpd/smtpd.c.

	Cleanup: shut up if chattr fails on Reiserfs and other file
	systems that do not support the respective attributes.
	Files: conf/postfix-script-{no,}sgid.

20010413

	Ergonomics: Postfix applications now warn when a DB or DBM
	file is out of date, and recommend to rebuild the table.
	Files: util/dict_db.c, util/dict_dbm.c.

20010414

	Feature: specify a key of "-" to the postmap or postalias
	-q or -d option, and the keys will be read from standard
	input, one key per line. Files: postmap/postmap.c,
	postalias/postalias.c.

	Bugfix: with a non-default inet_interfaces setting, the
	master ignored host information in master.cf host:port
	settings.  Fix by Jun-ichiro itojun Hagino @ iijlab.net.
	Files: master/master.h, master/master_ent.c.

20010426

	Bugfix: the SMTP server did not parse invalid MAIL FROM or
	RCPT TO addresses such as <first last <user@domain>> the
	way it was supposed to do.  I thought this was taken care
	of years ago. File:  smtpd/smtpd.c.

20010427

	Bugfix: smtpd would reject mail instead of replying with
	a 4xx temporary error code when, for example, an LDAP or
	mysql server was unavailable. Remotely based on a fix by
	Robert Kiessling @ de.easynet.net. File: smtpd/smtpd_check.c.

20010429

	Feature: the Postfix SMTP client now by default randomly
	shuffles destination IP addresses of equal preference.
	Specify "smtp_randomize_addresses = no" to disable.
	Shuffling code by Elias Levy @ SecurityFocus.com Files:
	dns/dns_rr.c, smtp/smtp_addr.c.

20010501

	Bugfix: The SMTP server's 550 in reply to DATA should be
	a 554 response.  And it wasn't Sendmail. Claus Assman.

	Bugfix: the INSTALL.sh test for non-interactive upgrade
	broke rooted installations that specify settings via the
	environment.  Simon Mudd.

	Bugfix: mailq output is now really flushed one message at
	a time. File: sendmail/sendmail.c.

	Feature: "postsuper -d queueID" deletes one message queue
	file; "postsuper -d -" reads zero or more queue IDs from
	standard input, and deletes one instance of each file.
	File: postsuper/postsuper.c.

	Code cleanup: in order to make postsuper -d safe with a
	running Postfix mail system, some routines had to be made
	tolerant for sudden queue file disappearances.  Files:
	global/deliver_request.c, *qmgr/qmgr_move.c.

	Code cleanup: in order to make postsuper -d more usable,
	the showq command was extended to safely list the possibly
	world-writable maildrop directory.  File:  showq/showq.c.

20010504

	Feature: postsuper -d will also delete defer and bounce
	logfiles when the named queue file is found.

20010505

	RFC 2821 feature: an SMTP server must reset all buffers
	upon receipt of EHLO. File:  smtpd/smtpd_check.c.

	RFC 2821 feature: an SMTP server must accept a recipient
	address of "postmaster" without domain name. File:
	smtpd/smtpd_check.c.

	RFC 2821 recommendation: reply with 503 to commands sent
	after 554 greeting. File:  smtpd/smtpd.c.

	RFC 2821 recommendation: if VRFY is enabled, list it in
	the EHLO response. File:  smtpd/smtpd.c.

	RFC 2821 recommendation: SMTP clients should use EHLO.
	The default setting of smtp_always_send_ehlo has changed
	from 0 (send EHLO if server greets with ESMTP) to 1 (always
	send EHLO). In all cases, Postfix falls back to HELO if
	the server does not support EHLO. File: smtp/smtp_proto.c.

20010507

	Bugfix: with soft_bounce=yes, the SMTP server would log
	5xx replies even though it would send 4xx replies to the
	client (Phil Howard, ipal.net). File: smtpd/smtpd_check.c.

20010515

	Compatibility: Microsoft sends "AUTH=MBS_BASIC LOGIN".
	Updated the parsing code in smtp/smtp_proto.c.  Problem
	reported by Ralf Tessmann, Godot GmbH.

20010520

	Standard: deleted the non-standard "via" portion from
	Received: headers generated by Postfix bounce or other
	notification processes.  File: global/post_mail.c.

	Robustness: eliminated stack-based recursion from the RFC
	822 address parser. File: global/tok822_parse.c.

	Standard: annotated the source code with comments based on
	RFC 2821 and 2822. Not all the RFC changes make sense.

	RFC 2821 recommendation: treat a RCPT 552 reply as if the
	server sent 452. Files: smtp/smtp_proto.c, lmtp/lmtp_proto.c.

	Cleanup: moved ownership of the debug_peer parameters from
	the applications to the library, so that a Postfix shared
	library does not suffer from undefined references.  Files:
	smtp/smtp.c, lmtp/lmtp.c, smtpd/smtpd.c, global/mail_params.c.
	LaMont Jones, for Debian.

20010522

	Feature: "postsuper -r queueID" re-queues a message, and
	"postsuper -r ALL" re-queues all mail. The message is moved
	to the maildrop queue so that the pickup daemon will copy
	it to a new queue file, and so that address rewriting will
	be done again. This is useful after changes of address
	rewriting or virtual mappings.

	Feature: "postsuper -d ALL [queue-name]" deletes a bunch
	of mail.

20010523

	Feature: "postsuper -s" (which is done by default) renames
	queue files whose name (queue ID) does not match the message
	file inode number.

	Bugfix: memory leak in the LDAP client module. Alain
	Thivillon, France Teaser - Groupe Firstream.

20010525

	Portability: gcc 2.6.3 does not have __attribute__ (Clive
	Jones, dgw.co.uk). File: util/sys_defs.h.

	Bugfix: the SMTP and LMTP clients claimed that a queue file
	needed to be delivered again (even when all recipients were
	erased from the queue file) when no QUIT or RSET reply was
	received (by default, this does not happen with SMTP mail
	because the SMTP client does not wait for QUIT replies and
	does not send RSET to deliver mail).  As a result of the
	same bug the LMTP client followed a dangling pointer when
	sending QUIT after process idle timeout while the LMTP
	server had disconnected.  Files:  smtp/smtp_proto.c,
	lmtp/lmtp_proto.c.

20010526

	newaliases no longer complains when an empty list is
	specified with the alias_database configuration parameter.
	File:  sendmail/sendmail.c.

20010529

	Workaround: old PIX firewall code messes up when the final
	".<CR><LF>" at the end of DATA spans a packet boundary.
	When Postfix detects PIX SMTP fixup mode, Postfix flushes
	the output buffers before sending the final ".<CR><LF>".
	File:  smtp/smtp_proto.c.

20010530

	Portability: updated code for Mac OS X, accounting for the
	post-Beta changes. Code by Joe Block, UCF School of
	Optics/CREOL.

20010601

	Safety: postdrop turns off interrupts when cleaning up
	after interrupt. The additional safety does not hurt anyone.
	File: src/postdrop/postdrop.c.

20010607

	Safety: dropped the RFC 2821 compliant code that treats
	552 RCPT TO replies as 452. It created more problems than
	it solved. Files: smtp/smtp_proto.c, lmtp/lmtp_proto.c.

	Logging: the SMTP server now logs a warning if RBL lookups
	have problems other than "not found". file: smtpd/smtpd_check.c.

20010610

	Feature: address quoting and case folding flags for the
	pipe(8) mailer.

20010611

	Workaround: some MTAs fall on their face when they receive
	unexpectedly long lines. From now on, Postfix defaults to
	breaking long lines at 2048 (like Sendmail so it has got
	to be right). To get the old, content preserving, behavior
	specify "smtp_truncate_lines = no". File: smtp/smtp_proto.c.

20010614

	Bugfix: did not really undo 2821 552->452 mapping.

20010628

	Bugfix: postfix-script used a hard-coded maildrop group
	owner instead of using the install-time specified name
	stored in /etc/postfix/install.cf. Problem reported by
	David Terrell @ meat.net.

20010701

	Feature: mail_spool_directory ending in / causes maildir
	style delivery.

	Bugfix: the FreeBSD kernel parameters kern.ipc.nmbclusters
	and kern.ipc.maxsockets cannot be set with sysctl commands.
	File: html/faq.html. Len Conrad @ Go2France.com.

	Cleanup: the virtual delivery agent was poorly integrated
	so that the SMTP server and queue manager did not reject
	mail for unknown users. Files: smtpd/smtpd_check.c.

20010705

	Feature: QMQP server, compatible with qmail and the ezmlm
	list manager.  Files:  util/netstring.[hc], qmqpd/qmqpd*.c.

20010706

	Feature: QMQP stress test message generator program.  Files:
	smtpstone/qmqp-source.c, smtpstone/qmqp-sink.c.

20010708

	Bugfix: with disable_dns=yes, the SMTP client treated all
	host lookup errors as permanent. File: smtp/smtp_addr.c.

20010709

	Feature: VERP support, based on a patch by Peng Yong, and
	with the missing parts filled in so that the Postfix bounce
	daemon can send one VERP bounce per undeliverable recipient.
	Files: , sendmail/sendmail.c, smtpd/smtpd.c, qmgr/qmgr_deliver.c,
	bounce/bounce_notify_verp.c, qmqpd/qmqpd.c, plus a couple
	support routines in the global library.

	Cleanup: with recipient_delimiter=+ (or any character other
	than -) Postfix will now recognize address extensions even
	with owner-foo+extension addresses. This is necessary to
	make VERP work for mailing lists.

20010710

	Bugfix: potential memory leak in the queue managers with
	the new VERP delimiter record. Fix by Patrik Rak.

20010711

	Cleanup: you can now specify the VERP delimiter characters
	on the sendmail(1) command line, but they are still optional.

	Safety: with maildir style delivery and with hashed mailboxes
	the system mail spool directory must not be world writable.

20010713

	Safety: the verp_delimiter_filter parameter (default: -=+)
	limits what characters Postfix accepts as VERP delimiter
	characters.

20010714

	Logging: the queue manager now logs a "status=expired"
	record when it returns a message that is too old.  Files:
	*qmgr/qmgr_active.c.

20010719

	Feature: stiffer coupling between mail receiving rates and
	mail delivery rates, using a trivial token-based scheme,
	implemented by reading and writing an in-memory pipe.  The
	queue manager produces one token when it retrieves mail
	from the incoming queue. The cleanup daemon consumes one
	token when it adds mail to the incoming queue. If no token
	is available the cleanup server pauses for $in_flow_delay
	seconds and proceeds anyway. The delay allows mail sending
	process to catch up and access the disk while not blocking
	inbound mail. Valid delays are 0..10 seconds.

20010727

	Bugfix: updated LDAP client module from LaMont Jones, HP.
	This also introduces new LDAP query filter patterns: %u
	(address localpart) and %d (domain part). Files:
	conf/sample-ldap.cf, util/dict_ldap.c.

20010729

	Bugfix: recursive smtpd_whatever_restrictions clobbered
	intermediate results when switching between sender and
	recipient address restrictions. Problem found by Victor
	Duchovni, morganstanley.com. In order to fix, introduced
	address resolver result caching, which should also help to
	speed up sender/recipient address restriction processing.

	Bugfix: the not yet announced DUNNO access table lookup
	result did not prevent lookups with substrings of the same
	lookup key. Found by Victor Duchovni, morganstanley.com.

20010730

	Robustness: trim trailing whitespace from regexp and pcre
	right-hand sides, for consistency with DB/DBM tables.
	Files: util/dict_pcre.c, util/dict_regexp.c.

20010731

	Robustness: eliminate duplicate IP addresses after expansion
	of hostnames in $inet_interfaces, so that Postfix does not
	suddenly refuse to start up after someone changes the DNS.
	Files:  util/inet_addr_list.c global/own_inet_addr.c.

	Feature: specify "disable_verp_bounces = yes" to have
	Postfix send one RFC-standard, non-VERP, bounce report for
	multi-recipient mail, even when VERP style delivery was
	requested.

20010801

	Bugfix: postconf was using unexpanded values internally
	for myhostname, inet_interfaces, and mynetworks_style.
	This broke the "postconf -d" mynetworks computation.  File:
	postconf/postconf.c.

20010803

	Feature: masquerade_classes parameter for fine control of
	address masquerading. The default setting is backwards
	compatible: envelope_sender header_sender header_recipient.
	Files: cleanup/whatever.c.

20010822

	Code cleanup: the bounce daemon complained about data that
	it was not going to send back anyway. Fix: stop reading
	the original message when the bounce message reaches the
	bounce message size limit. File: bounce/bounce_notify_util.c.

20010826

	Logging: postsuper now logs the queue ID when it requeues
	a message, or when it deletes a message from the mail queue.
	File: postsuper/postsuper.c.

20010830

	Safety: the SMTP server now sends a 4xx (try again later)
	response when an UCE restriction is misconfigured, instead
	of ignoring the bad restriction and possibly accepting mail
	that it should not accept.   File: smtpd/smtpd_check.c.

20010907

	Workaround: the Postfix qmqp-source program produced mail
	not ending in newline. qmail-qmqpd accepts such mail, but
	qmail-remote is unable to deliver it.  Matthias Andree,
	uni-dortmund.de. File: smtpstone/qmqp-source.c.

20010910

	Bugfix: the smtp-sink stress test program broke when RCPT
	TO commands crossed network packet boundaries. Problem
	reported by Matthias Andree, uni-dortmund.de.  File:
	smtpstone/smtp-sink.c.

20010917

	Code cleanup: permit_mx_backup implements the old behavior
	(accept mail if the local MTA is MX relay), and allows an
	additional restriction via the permit_mx_backup_networks
	parameter (accept mail only if the primary MX hosts match
	the specified list of network blocks). This second restriction
	is now entirely optional, for backwards compatibility.

	Bugfix: an address extension could be appended multiple
	times to the result of a canonical or virtual map lookup.
	File: global/mail_addr_map.c.  Fix by Victor Duchovni,
	Morgan Stanley.

	Bugfix: split_addr() would split an address even when there
	was no data before the recipient delimiter. In combination
	with the above bug, this could cause an address to grow
	exponentially in size.  Problem reported by Victor Duchovni,
	Morgan Stanley.  File:  global/split_addr.c.

20010918

	Bugfix: the mail_addr_map() fix was almost but not quite
	right. It took two clever people and several iterations of
	email to really fix the mail_addr_map() problem.  Thanks
	to Victor Duchovni and Liviu Daia.

20011006

	Cleanup: Postfix no longer flushes the whole deferred queue
	after an ETRN request for a random domain name (i.e. a
	domain name not matched by $fast_flush_domains); the SMTP
	server instead replies with "459 service unavailable".
	Files:  smtpd/smtpd.c, global/flush_clnt.c, flush/flush.c.

20011008

	Bugfix: there was a minute memory leak when an smtpd access
	restriction was misconfigured. File: smtpd/smtpd_check.c.

20011010

	Code cleanup: Postfix daemons now print the name of the
	UNIX-domain socket (instead of "unknown stream") in case
	of a malformed client request. Files:  master/*server.c.

20011010-14

	Code cleanup: replaced the ugly mail_print() and mail-scan()
	protocols by (name,value) attribute lists. This gives better
	error detection when we make changes to internal protocols,
	and allows new attributes to be introduced without breaking
	everything immediately. Files: util/attr_print.c util/attr_scan.c
	global/mail_command_server.c global/mail_command_client.c
	as wel as most Postfix applications and daemons.

20011015

	Put base 64 encoding into place on the replaced internal
	protocols.  Files: util/base64_code.[hc].

	Feature: header/body REJECT rules can now provide text that
	is sent to the originator. Files: cleanup/cleanup.c,
	cleanup/cleanup_message.c, conf/sample-filter.cf.

20011016

	Bugfix: As of 20000625, Errors-To: was broken, because the
	code to extract the address was not moved from recipient
	address rewriting to sender address rewriting. Problem
	reported by Roelof Osinga @ nisser.com. File:
	cleanup/cleanup_message.c.

20011029

	Bugfix: virtual map expansion terminated early because the
	detection of self-referential entries was flawed.  File:
	cleanup/cleanup_map1n.c.

20011031

	Bugfix: mail_date() mis-formatted negative time zone offsets
	with fractional hours (-03-30 instead of -0330). Fix by
	Chad House, greyfirst.ca. File: global/mail_date.c.

20011102

	Feature: new -f option to postmap and postalias (do not
	lowercase the lookup key while creating a table). Files:
	util/dict.h postmap/postmap.c postalias/postalias.c.

	Code cleanup: simplified the attribute print/scan routines,
	and removed the never-used support for sending and receiving
	integer arrays and string arrays. Files: util/attr_print.c,
	util/attr_scan.c.

	Bugfix: qmqpd could read past the end of a string while
	looking for qmail's VERP magic token in the envelope sender
	address.  File: qmqpd/qmqpd.c.

	Code cleanup: finished testing the new internal protocols.
	The only bug was with the flush server, which still needs
	to support the old (string + null byte) protocol for triggers
	from the Postfix master daemon.

20011103

	Bugfix: Postfix would log the wrong error text when locally
	submitted mail was deferred due to "soft_bounce = yes".

	Bugfix: The LDAP client dropped any entries that don't have
	the result_attribute, but errored out when a DN didn't
	exist.  The behavior is now consistent: treat non-existant
	DN's in a special result attribute expansion the same as
	DN's with no attribute.  LaMont Jones, HP.

20011104

	Bugfix: the new smtp-sink -n option (terminate after the
	specified number of deliveries) wasn't optional.

	Portability: updated Mac OS X documentation and install
	scripts by Gerben Wierda.

20011105

	Bugfix: missing terminator in new attribute-based function
	call caused signal 11. File: src/cleanup/cleanup.c.

	Lame workaround for ESTALE errors with mail delivery over
	NFS. Additional bandages were added to the local delivery
	agent. However, Wietse maintains that Postfix offers no
	guarantee for reliable delivery over NFS.

	Feature: put "warn_if_reject" before an smtpd restriction,
	and that restriction logs warnings without rejecting mail.
	This makes it easier to test configurations "live" without
	having to lose mail. File: smtpd/smtpd_check.c.

20011107

	Workaround: in order to get mail past PIX firewall bugs,
	the Postfix SMTP client now blocks until the socket send
	buffer is empty before sending the final ".<CR><LF>". Files:
	util/sock_empty_wait.c, smtp/smtp_proto.c. Changed into
	sleep(10) on 20011119. Sleep suggested by Hobbit.

20011108

	Feature: added string-null encoding for internal protocols.
	Files: util/attr_print0.c, util/attr_scan0.c.

	Feature: configurable parent domain matching for domain
	and hostname/address match lists: either .domain or the
	domain name itself. Files: util/match_ops.c util/match_list.c

	Feature: added pretend-to-be-behind-PIX mode to the smtp-sink
	test program, in order to stress test some PIX bug workaround
	code.

20011109

	Workaround: Linux and Solaris systems have no reasonable
	way to block until a socket drains. On these systems Postfix
	simply waits for 10 seconds, in order to work around PIX
	".<CR><LF>" bugs.  File: util/sock_empty_wait.c.

20011114

	Bugfix: reset the smtpd command transaction log between
	deliveries. File: smtpd/smtpd.c.

20011115

	Feature: mailbox_command_maps no longer requires that every
	user has an entry. If the user does not have a command
	entry, the local delivery agent tries the other delivery
	methods (mailbox_command, home_mailbox).  File: local/mailbox.c.

	Bugfix: reset the smtpd command transaction log between
	non-deliveries. File: smtpd/smtpd.c.

20011116

	Bugfix: consolidated all the command transaction log resets
	and eliminated one missing reset (Victor Duchovni, Morgan
	Stanley). File: smtpd/smtpd.c.

20011118

	Cleanup: replaced unnecessary match_list wrapper code by
	macros. Files:  global/{string,domain,namadr}_list.[hc].

20011119

	Feature: configurable parent domain matching strategy for
	transport map lookups. File:  trivial-rewrite/transport.c.

	New parent_domain_matches_subdomains parameter. This lists
	all the Postfix features where a domain name matches itself
	and all its subdomains (instead of requiring ".domain.name"
	for subdomain matches).  Planning for future backwards
	compatibility :-)  File:  global/match_parent_style.c.

	Workaround: simplified the PIX ".<CR><LF>" bug to always
	sleep for 10 seconds.  File: smtp/smtp_proto.c.

20011120

	Workaround: disable attribute string length restriction so
	that trivial-rewrite does not refuse to rewrite broken mail
	headers.  Files:  util/attr_scan*.c.

20011121

	Bugfix: missing long integer support in the new IPC protocols.
	Files: util/attr_scan*.c, util/attr_print*.c.

	Portability: AIX5 (Adrian P. van Bloois), MAC OS X 10.1.1
	(Gerben Wierda).

20011125

	Bugfix: spurious postmaster notifications because some flag
	was not reset.

	Feature: new parameter smtpd_sender_login_maps that specifies
	the (SASL) login name that owns a MAIL FROM address.
	Specify a regexp table in order to require a simple one-to-one
	mapping. This is used in the reject_sender_login_mismatch
	sender anti-spoofing feature.

	Feature: restriction reject_sender_login_mismatch refuses
	a MAIL FROM address when $smtpd_sender_login_maps specifies
	an owner but the client is not (SASL) logged in as the MAIL
	FROM address owner, or when a client is (SASL) logged in
	but the client login name does not own the MAIL FROM address
	according to $smtpd_sender_login_maps.  File: smtpd/smpd_check.c.

	Documentation: added some redundancy to the LMTP_README
	file so people can keep track of the difference between
	the Postfix LMTP client and the non-Postfix LMTP server.

20011126

	Feature: smtpd_noop_commands specifies a list of commands
	that are treated as NOOP (no operation) commands, without
	syntax check or state change.  File: smtpd/smtpd.c.

	Bugfix: the "mark queue file as corrupt" code did not work
	because it was never used.  Files: global/mark_corrupt.c,
	global/mail_copy.c, global/pipe_command.c, *qmgr/qmgr_active.c,
	local/maildir.c, local/mailbox.c, local/command.c, pipe/pipe.c,
	virtual/mailbox.c, virtual/maildir.c.

	Bugfix: the bounce daemon broke in the unlikely case of a
	non-existing queue file. File: bounce/bounce_notify_util.c.

20011127

	Feature: added WARN command to header/body_checks files as
	proposed by Michael Tokarev. File: cleanup/cleanup_message.c.

	Bugfix: the postdrop program was broken after the change
	of Postfix internal protocols. This broke "sendmail -bs"
	mail submissions with "secure" maildrop directory.  Reported
	by Craig Loomis, apo.nmsu.edu. File: postdrop/postdrop.c.

	Feature: a first start at fault injection for testing
	unlikely error scenarios (such as corrupt queue files).
	Parameter: fault_injection_code, must be left at zero for
	production use.

20011128

	Robustness: add a file size limit to the sendmail and
	postdrop submission programs to stop run-away process
	accidents. This is not a defense against DOS attack.  Files:
	sendmail/sendmail.c, postdrop/postdrop.c.

	That resulted in a considerable amount of work to properly
	propagate "file too large" conditions back to the sendmail
	mail posting user interface. Took the opportunity to express
	other mail submission fatal exits with the <sysexits.h>
	exit status codes.  Files: sendmail/sendmail.c,
	postdrop/postdrop.c.

20011129

	Maintenance: dict_ldap.c wasn't updated after the revision
	of the string matching routines. File: util/dict_ldap.c.

20011208

	Maintenance: LDAP module and documentation from LaMont
	Jones.  This version adds verbose logging for LDAP library
	routines. Files: src/util/dict_ldap.[hc], LDAP_README,
	conf/sample-ldap.cf

	Portability: made memory alignment restrictions configurable.
	File: util/mymalloc.c.

	Bugfix? Avoid surprises with source routed destinations
	and OK entries in SMTPD access maps. File: smtpd/smtpd_access.c.

	Security: "postfix check" looks for damage by well-intended
	but misguided use of "chown -R postfix /var/spool/postfix".
	That would make chrooted Postfix less secure than non-chrooted
	Postfix.  These extra tests may cause complaints with
	third-party patches such as TLS that introduce their own
	files into the jail.

	Feature: static map type that always returns the map name
	as lookup value, regardless of lookup key value. Contributed
	Jeff Miller (jeffm at ghostgun.com)

	Feature: turn off the PIX <CR><LF>.<CR><LF> workaround for
	the first mail delivery attempt, i.e. when mail is queued
	for less than $smtp_pix_workaround_threshold_time (default:
	500) seconds. New parameter $smtp_pix_workaround_delay_time
	to control the delay before sending .<CR><LF> (default: 10
	seconds) when doing the PIX <CR><LF>.<CR><LF> workaround.

20011210

	Bugfix: the 20011128 change in sendmail and postdrop did
	not handle the case of message_size_limit=0. Fix by Will
	Day, Georgia Tech.

20011212

	Compatibility: The SMTP server now accepts <CR><CR><LF> as
	if the client sent <CR><LF>. Reportedly, some badly written
	windows software produces such garbage, and some badly
	written windows anti-VIRUS software cannot handle such
	garbage. File:  global/smtp_stream.c.

20011214

	Bugfix: postmap/postalias queries ignored the -f flag.
	Reported by Hamish Marson.

20011217

	Compatibility: Sendmail now has a -L option to set the
	syslogging label. Postfix sendmail uses syslog_name instead,
	and ignores the -L option.

	Security: subtle hardening of the Postfix chroot jail,
	Postfix queue file permissions and access methods, in case
	someone compromises the postfix account.  Michael Tokarev,
	who received the insights from Solar Designer, who tested
	Postfix with a kernel module that is paranoid about open()
	calls.  Files:  master/master_wakeup.c, util/fifo_trigger.c,
	postfix-script.

	Convenience: issue a warning instead of aborting when the
	local machine name is not in fully-qualified domain form.
	This would otherwise break initial postfix installation
	which needs the postconf command. File: global/mail_params.c.

20011220

	Added more garbage detection to postconf -e input processing.

20011221

	Feature: SMTPD access map lookups of null sender addresses.
	If your access maps cannot store or look up null string
	key values, specify "smtpd_null_access_lookup_key = <>"
	and the null sender address will be looked up as <> instead.
	File:  src/smtpd_access.c.

20011223

	Safety: configuration file comments no longer span multiple
	lines when the next line begins with whitespace; multi-line
	input is no longer terminated by a comment line, by an all
	white space line, or by an empty line. Michael Tokarev made
	the crucial suggestion to simplify the readline routine.
	Files:  util/readlline.c, postconf/postconf.c.

	Cleanup: proper detection of big number overflow in EHLO
	and MAIL FROM size announcements, with input from Victor
	Duchovni, Morgan Stanley. Files: global/off_cvt.c,
	smtpd/smtpd.c, smtp/smtp_proto.c, util/alldig.c.

	Forward compatibility: added queue file record types for
	original recipient and for generic named attributes.

	Cleanup: safe_open() now returns sensible errno values so
	that the fifo_trigger() external interface is restored.

20011225

	Upgrade: PCRE_README now describes PCRE version 3.x.

	Cleanup: flush SMTPD command history upon receipt of EHLO,
	RSET, and upon DATA completion, only if it exceeds
	$smtpd_history_flush_threshold lines (default: 100).
	Distant derivative of code by Michael Tokarev.  File:
	smtpd/smtpd.c.

20011228

	Bugfix: a readlline() error message showed less text than
	intended. Christian von Roques.

	Cleanup: postfix now installs with group-writable maildrop
	directory and with a set-gid postdrop mail submission
	command.  The pickup service is now unprivileged.  The
	world-writable maildrop directory no longer exists.

	The cleanup service is now public, in preparation for local
	sendmail/postdrop mail submission that avoids the maildrop
	queue directory while Postfix is up.

	Cleanup: moved the main.cf/master.cf file editing from the
	postfix-script file to the INSTALL.sh file.

	Cleanup: INSTALL.sh no longer accepts "no" as the destination
	of Postfix manual pages.

20011230

	Cleanup: the code for "mailq", "sendmail -q", and for
	"sendmail -qRsite" was moved from the sendmail command to
	a new set-gid postqueue command. The pickup and qmgr FIFOs
	are no longer world writable. Files: sendmail/sendmail.c,
	postqueue/postqueue.c.

20020101

	Security: new alternate_config_directories parameter that
	specifies what directories a set-gid command will accept
	as its configuration directory. The list must be specified
	in the default main.cf file. File: global/mail_conf.c.

	Cleanup: "sendmail -qRsite" is no longer implemented by
	connecting to the SMTP port. It is now implemented by
	talking to the fast flush service. File: postqueue/postqueue.c.

20020203

	Cleanup: INSTALL.sh now records all installation information
	in the main.cf file. The now obsolete install.cf file is
	used only when upgrading from an older Postfix release.

	Cleanup: INSTALL.sh now takes name=value settings on the
	command line, and has a new "-upgrade" command line option
	to turn on non-interactive installation.

	Security: additional run-time checks to discourage sharing
	of Postfix user/group ID values with other accounts.

20020105

	Cleanup: SMTPD access maps now return DUNNO (undetermined)
	instead of OK when a recipient address contains multiple
	domains (user@dom1@dom2, etcetera).  Victor Duchovni, Morgan
	Stanley.  File:  smtpd/smtpd_check.c.

20020106

	Bugfix: SMTPD access maps did not handle address extensions.
	File: smtpd/smtpd_check.c.

20020107

	Bugfix: postfix-script, when creating a missing maildrop
	queue directory, still referenced install.cf when setting
	maildrop directory group ownership; and the postfix command
	did not export the setgid_group parameter to the postfix-script
	shell script.  Victor Duchovni.

	Bugfix: postfix-script, when creating a missing public
	queue directory, did not set group ownership of the public
	directory.

20020109

	Cleanup: rewrote the Postfix installation procedure again.
	It is now separated into 1) a primary installation script
	(postfix-install) that installs files locally or that builds
	a package for distribution and that stores file owner and
	permission information in /etc/postfix/post-files, and 2)
	a post-installation script (/etc/postfix/post-install) that
	creates missing directories, that sets file/directory
	ownership and permissions, and that upgrades existing
	configuration files if necessary.

20020110

	Workaround: AIX null read() return on an empty but open
	non-blocking pipe. File:  master/master_flow.c.  Report:
	Hamish Marson.

20020111

	Feedback: feedback, bugfixes, and brain-dead shell workarounds
	for the install scripts by Victor Duchovni and Simon Mudd.

20020113

	Rewrote postfix-install. The postfix-files file now controls
	what is installed.  Refined the semantics of many post-install
	operations. post-install now auto-saves settings that
	override main.cf.

20020114

	Bugfix: alternate_config_directories did not take comma or
	whitespace as separators. File: global/mail_conf.c.  Victor
	Duchovni, Morgan Stanley.

	Bugfix: the rewritten postfix-install script did not chattr
	+S the Postfix queue.

20020115

	Cleanup: added sample_directory and readme_directory
	installation parameters for sample configuration files and
	for README files. Files: postconf.c, postfix-install,
	conf/postfix-files, conf/post-install.

	Robustness: the postfix command now exports all installation
	parameter settings, and input filters the environment, so
	that the startup shell scripts produce a consistent result.
	Files: postconf.c.

20020117

	Portability: patch from LaMont Jones for compiling dict_ldap.c
	with the Netscape SDK.

	Feature: added "r" (recursive chown/chgrp) flag to the
	postfix-files database, for more convenient change of
	Postfix queue ownership. Files: conf/postfix-files,
	conf/post-install.

20020122

	Documentation: lots of little fixes.

	Documentation: updates for the VIRTUAL_README file by Victor
	Duchovni, Morgan Stanley.

	Bugfix: postqueue -s dereferenced a null pointer when given
	a numerical domain argument. LaMont Jones, HP.

	Cleanup: smtpd now logs a warning when permit_sasl_authenticated
	is used while SASL authentication is disabled, instead of
	simply ignoring the restriction. LaMont Jones, HP. File:
	smtpd/smtpd.c.

	Safety: when postmap creates a non-existent file, the new
	file inherits group/other read permissions from the source
	file.  Based on code by LaMont Jones, HP.  File:
	postmap/postmap.c.

20020123

	Portability: some Linux systems install libnsl.so without
	libnsl.a file, causing an yp_match undefined reference
	problem.  File: makedefs.

20020124

	Portability: post-install now requests that command_directory
	is given on the command line when the postconf command is
	in an unusual place.

	Safety: extra code to detect and report Berkeley DB version
	mismatches between compile time and run time.  This test
	is limited to mismatches in the major version number only.
	File:  util/dict_db.c. Based on code by Lawrence Greenfield,
	Carnegie-Mellon university.

	Safety: the postfix command and the master daemon abort if
	they are running set-uid.

	Documentation: the postmap manual page described an out of
	date input file format.

20020129

	Workaround: SCO version 3.2 can't ioctl(FIONREAD) a pipe.
	Therefore, input mail flow control is disabled by default.
	Files:  makedefs, global/mail_params.h, conf/main.cf.
	Problem reported by Kurt Andersen, Agilent.

20020201

	Workaround: changed the default smtpd_null_access_lookup_key
	setting to <>, because some Bezerkeloid DB implementations
	can't handle null-length lookup keys.  File: global/mail_params.h.

	Bugfix: backed out a null-length address panic call by
	ignoring the problem, like Postfix did in the past.  File:
	global/resolve_local.c.

	Safety: "postfix check" will now warn if /usr/lib/sendmail
	and /usr/sbin/sendmail differ, and will propose to replace
	one by a symlink to the other. File: conf/postfix-script.

20020204

	Sanity: additional permission checks for "postfix check"
	that warn for setgid_group group ownership mismatches.  by
	Matthias Andree, uni-dortmund.de. File: conf/postfix-script.

	Bugfix: "postfix check" used a too simplistic way to
	recognize file ownership (grepping ls output). It now uses
	the recently discovered "find -prune".  Peter Bieringer,
	Matthias Andree. File: conf/postfix-script.

20020218

	Workaround: log a warning and disconnect when an SMTP client
	ignores our negative replies and starts sending message
	content without permission. File: smtpd/smtpd.c.

20020220

	Bugfix: mismatch in the file being locked by dict_dbm and
	the file being locked by postmap, so that locks did not
	work correctly.  Victor Duchovni, Morgan Stanley.

20020222

	Workaround: Solaris bug 4380626: strcasecmp() and strncasecmp()
	produce incorrect results with 8-bit characters. For example,
	non-ASCII characters could compare equal to ASCII characters,
	and that could result in any number of security problems.
	Files:  util/strcasecmp.c, COPYRIGHT (the BSD license).

	Bugfix: off-by-one error, causing a null byte to be written
	outside dynamically allocated memory in the queue manager
	with addresses of exactly 100 bytes long, resulting in
	SIGSEGV on systems with an "exact fit" malloc routine.
	Experienced by Ralf Hildebrandt; diagnosed by Victor
	Duchovni. Files:  *qmgr/qmgr_message.c.  This is not a
	security problem.

	Bugfix: make all recipient comparisons transitive, because
	Solaris qsort() causes SIGSEGV errors otherwise. Victor
	Duchovni, Morgan Stanley. File: *qmgr/qmgr_message.c.

20020302

	Bugfix: don't strip source route (@domain...:) when the
	result would be an empty address. This avoids problems when
	append_at_myorigin is set to "no" (which is not supported).
	Problem reported by Charles McColgan, Big Fish Communications.
	File:  trivial-rewrite/rewrite.c.

20020304

	Cleanup: postqueue should not not complain when output
	fails with "broken pipe".

20020308

	Bugfix? reply with 550 not 552 when content is rejected.
	552 is reserved for "too much mail".

	Documentation: add note to sendmail manual page that running
	"sendmail -bs" as $mail_owner enables SMTP server UCE and
	access control checks. This is meant for use from inetd
	etc.  Matthias Andree.

20020311

	Bugfix: DBM maps should use different files for locking
	and for change detection.  Problem reported by Victor
	Duchovni, Morgan Stanley.  Files: util/dict.h util/dict.c
	util/dict_db.c util/dict_dbm.c global/mkmap.c local/alias.c.

20020313

	Bugfix: mailq could show addresses with unusual characters
	twice.  Problem reported by Victor Duchovni, Morgan Stanley.
	File: showq/showq.c.

	Bugfix: null recipients weren't properly recorded in
	bounce/defer logfiles. Such recipient addresses are not
	accepted in SMTP mail, but they could appear within locally
	submitted mail.  File: bounce/bounce_append_service.c.

20020318

	Workaround: Berkeley DB can't handle null key lookups,
	which happen with HELO names ending in ".".  Victor Duchovni,
	Morgan Stanley. File: smtpd/smtpd_check.c.

	Logging: log a hint when mail is deferred because the
	soft_bounce parameter is set. People sometimes forget to
	turn it off. File: global/bounce.c.

20020319

	Cleanup: add a msg_warn() call when fork() fails in
	pipe_command(), to make problems easier to investigate.
	Chris Wedgwood. File:  global/pipe_command.c.

20020320

	Feature: smtp_helo_name parameter to specify the hostname
	or [ip.address] in HELO or EHLO commands. Files: smtp/smtp.c
	smtp/smtp_proto.c.

20020324

	Cleanup: more graceful handling of long physical message
	header lines upon input. Physical header lines can now
	extend up to $header_size_limit characters. When a logical
	message header is too long, the excess text is discarded
	and Postfix no longer switches to body mode, to avoid
	breaking MIME encapsulation.  Based on code by Victor
	Duchovni, Morgan Stanley.  Files:  cleanup/cleanup_out.c,
	cleanup/cleanup_message.c.

	Cleanup: more graceful handling of long physical message
	header or body lines upon output by the SMTP client. The
	SMTP client output line length is controlled by a new
	parameter smtp_line_length_limit (default: 990; specify 0
	to disable the limit). Long lines are folded by inserting
	<CR> <LF> <SPACE>, to avoid breaking MIME encapsulation.
	Based on code by Victor Duchovni, Morgan Stanley.  File:
	smtp/smtp_proto.c.

20020325

	Cleanup: allow additional text after a WARN command in a
	header/body_checks pattern file, so that one can change
	REJECT+text into WARN+text and vice versa. Based on code
	by Fredrik Thulin, Stockholm University.

	Cleanup: log a warning when an unknown command is found in
	a header/body_checks pattern file, or when additional text
	is found after a command that does not expect additional
	text. Based on code by Fredrik Thulin, Stockholm University.

	Bugfix: sendmail should not recognize "." as the end of
	input when the current read operation started in the middle
	of a line.  Victor Duchovni, Morgan Stanley. File:
	sendmail/sendmail.c.

20020328

	Portability fix for OPENSTEP and NEXTSTEP by Gerben Wierda.
	File: util/sys_defs.h.

20020329

	Bugfix: defer_transports broke because the flush server
	triggered mail delivery (as if ETRN was sent) while doing
	some internal housekeeping of per-destination logfiles.
	Problem experienced by LaMont Jones, HP. File: flush/flush.c.

	Bugfix: virtual mapping broke for addresses with embedded
	whitespace. Fix by Victor Duchovni, Morgan Stanley. File:
	cleanup/cleanup_map1n.c.

	Feature: configurable service name for the internal services:
	bounce, cleanup, defer, error, flush, pickup, queue, rewrite,
	showq. This allows you to specify, for example, a non-default
	cleanup service (smtpd -o cleanup_service_name=alt_cleanup).
	Files: global/mail_params.[hc].

	Feature: SASL version 2 support by Jason Hoos. Files:
	*/*_sasl_glue.c, SASL_README, conf/sample-auth.cf.

20020330

	Bugfix: postqueue did not pass on non-default configuration
	directory settings when running showq while the mail system
	is down.  The super-user is now exempted from environment
	stripping in postqueue/postqueue.c. Problem reported by
	Victor Duchovni, Morgan Stanley.

20020402

	Workaround: recognize more headers that are sent instead
	of SMTP commands. File: smtpd/smtpd.c.

20020413

	Feature: new pipe delivery agent "D" flag to prepend a
	Delivered-To:  message header. This requires single recipient
	deliveries. Based on code by Matthias Andree. File:
	pipe/pipe.c.

20020414

	Portability: Postfix will no longer attempt to build with
	gdbm support, because gdbm is broken. File:  makedefs.

20020415

	Cleanup: the attribute list IPC code did not distinguish
	between "disconnect" and "timeout" while reading an attribute
	list, making trouble shooting more difficult than necessary.
	Files:  util/attr_scan0.c, util/attr_scan64.c.

	Cleanup: install parameter defaults can now be overruled
	from makedefs: sendmail_path, mailq_path, newaliases_path,
	command_directory, daemon_directory. Based on code by Victor
	Duchovni, Morgan Stanley. File: util/sys_defs.h.

20020411

	Cleanup: Use more robust quoting passing makedefs/Makefile
	settings. This also simplifies the seven backslashes example
	in the INSTALL file.  Victor Duchovni, Morgan Stanley.
	Files: makedefs, INSTALL.

20020417

	Bugfix: the post-install script failed to upgrade master.cf
	settings from private to public if the service was explicitly
	configured as private.

20020418

	Documentation: added CPU saving patterns for quickly skipping
	base 64 encoded text in message bodies.  Liviu Daia.  Files:
	{proto,conf}/pcre_table, {proto,conf}/regexp_table,
	conf/sample_{regexp,pcre}_body.cf.

20020426

	Bugfix: the SMTP client forgot to quote whitespace etc.
	in a sender/recipient address when DNS lookup was turned
	off (disable_dns_lookups = yes). Problem experienced by
	Chip Paswater. Files: smtp/smtp_proto.c.

20020501

	Feature: wildcard lookup in transport maps (lookup key
	"*").  Code developed with Lamont Jones, HP.

	Feature: a null transport:destination transport map entry
	means proceed as if the transport map lookup failed.  Code
	developed with Lamont Jones, HP.

	Feature: more efficient use of cache memory when a process
	opens multiple Berkeley DB tables; and faster performance
	creating large tables by using more buffer memory. Files:
	util/dict_db.[hc], global/mkmap_db.c. Victor Duchovni,
	Morgan Stanley.

20020503

	Cleanup: postqueue silently ignored command-line arguments
	following -p or -f options, instead of complaining; postqueue
	produced an incorrect error message (mail system down) when
	the command was installed with incorrect privileges.  File:
	postqueue/postqueue.c.

	Bugfix: while reporting a domain name or IP address syntax
	error, postqueue could dereference a dangling pointer with
	some getopt() implementations. LaMont Jones, HP.  File:
	postqueue/postqueue.c.

	Safety: postalias and postmap now drop root privileges
	while processing a non-root input file. Thus, the result
	should be writable to the source file owner. Specify the
	-o option if this is a problem. Files: postmap/postmap.c,
	postalias/postalias.c.

	Consistency: just like postmap, postalias now copies file
	permissions from the source file when it creates a new
	table for the first time. File: postalias/postalias.c.

20020504

	Portability: run-time test to avoid GDBM trouble.  File:
	util/dict_dbm.c.

20020505

	Cleanup: revised and simplified the transport map semantics.
	Null transport or nexhop fields now mean: "do not change":
	use what would be used if the transport map did not exist.
	This change eliminated a lot of code. The incompatibility
	is that a null transport field no longer defaults to
	$default_transport, but to $local_transport or $default_transport
	depending on the destination, and that a transport map only
	overrides relayhost when the table specifies explicit
	nexthop information.  Files:  trivial-rewrite/transport.c,
	trivial-rewrite/resolve.c.

	Cleanup: revised the user interface for controlling the
	Berkeley DB create and read buffer size controls. Files:
	util/dict_db.[hc], global/mail_params.[hc], global/mkmap_db.c.

20020507

	Cleanup: simplified the hash/btree cache management code.
	The caches are now per table instead of shared, and the
	default read cache size is reduced to 128 kBytes. File:
	util/dict_db.c.

20020508

	Bugfix: close user@domain@postfix-style.virtual.domain
	source routing relaying loophole involving postfix-style
	virtual domains with @virtual.domain catch-all patterns.
	Problem reported by Victor Duchovni. File:  smtpd/smtpd_check.c.

	Bugfix: mail_addr_map() used the "wrong" @ character in
	addresses with multiple @. Victor Duchovni. File:
	global/mail_addr_map.c.

	Bugfix: for address localpart quoting, now quote @ as a
	special character everywhere, except when resolving addresses.
	Previously, the @ was nowhere quoted as a special character,
	not even in SMTP commands.  Files:  global/quote_82[12]_local.c
	and clients.

20020509

	Safety: don't allow an OK access rule lookup result for
	user@domain@postfix-style.virtual.domain. Suggested by
	Victor Duchovni, Morgan Stanley. File: smtpd/smtpd_check.c.

	Bugfix: quote unquoted address localparts that need quoting.
	Files: global/tok822_parse.c, global/quote_82[12]_local.c.

	Documentation: simplified the advanced content filtering
	example, and included a more advanced example for those
	who want to squeeze out more performance without running
	multiple Postfix instances.  Text by Victor Duchovni, Morgan
	Stanley. File:  README_FILES/FILTER_README.

20020510

	Feature: header/body filters now log the origin of the
	message that is being rejected. Files: smtpd/smtpd.c,
	qmqpd/qmqpd.c, pickup/pickup.c, cleanup/cleanup_envelope.c,
	cleanup/cleanup_message.c.  Requested by Craig Sanders, if
	I remember correctly.

	Feature: the Postfix SMTP client now passes on MIME body
	type information (8bit, 7bit) received via SMTP, via MIME
	headers, or via the sendmail command line. Files:
	global/deliver_request.c, smtpd/smtpd.c, sendmail/sendmail.c,
	cleanup/cleanup_envelope.c, cleanup/cleanup_message.c,
	cleanup/cleanup_extracted.c, *qmgr/qmgr_message.c,
	*qmgr/qmgr_deliver.c, smtp/smtp_proto.c, lmtp/lmtp_proto.c.

20020511

	Feature: bounces now specify the proper MIME encoding (8bit,
	7bit), depending on the MIME body type information received
	via SMTP, via MIME headers, or via the sendmail command
	line. Files: global/bounce.c, global/defer.c, global/abounce.c,
	bounce/bounce_service.c, bounce/bounce_notify_util.c.

20020512

	Cleanup: the SMTP client logged and bounced the CNAME
	expanded recipient address, and thereby complicated trouble
	shooting.  File:  src/smtp_proto.c.

	Bugfix: the SMTP and LMTP clients bounced the quoted
	recipient address, resulting in too much quoting in bounce
	reports.  Files:  src/smtp_proto.c, lmtp/lmtp_proto.c.

20020513

	Bugfix: the LDAP client used the "wrong" @ character in
	addresses with multiple @. LaMont Jones, HP. File:
	util/dict_ldap.c.

	Feature: lots of new LDAP stuff: result_filter (filter to
	expand results from queries), chase_referrals, LaMont Jones,
	HP. The LDAP bind timeout now works thanks to Victor
	Duchovni, Morgan Stanley. File:  util/dict_ldap.c.

	Cleanup: specify "resolve_dequoted_address = no" to prevent
	Postfix from looking inside quotes for extra @ etc. characters
	when resolving an address. This behavior is technically
	more correct, but it opens a mail relay loophole with "user
	@domain"@domain when relaying mail to a Sendmail system.

20020514

	Bugfix: the new code for header address quoting sometimes
	did not null terminate strings so that arbitrary garbage
	could appear at the end of message headers.  Reported by
	Ralf Hildebrandt.  File:  global/tok822_parse.c.

	Safety: user@domain@domain is no longer accepted by the
	permit_mx_backup uce restriction (unless Postfix is configured
	with "resolve_dequoted_address = no"). Victor Duchovni,
	Morgan Stanley. File: smtpd/smtpd_check.c.

20020515

	Workaround: flush the SMTP client output buffer when no
	output has happened for 10+ seconds. This prevents the
	socket from timing out, in case DNS CNAME expansion is
	slow.  Problem experienced by Alex Erdelyi, peregrine.com.
	File:  smtp/smtp_chat.c. We did the same thing for the SMTP
	server years ago, and one wonders why the coin didn't drop
	at the time that the SMTP client could suffer from a similar
	problem.

20020516

	Updated the FILTER_README file to turn off DNS lookups in
	the SMTP client that feeds mail into a content filter.

20020517

	Cleanup: Mailbox-Line: message header labels should be
	X-Mailbox-Line:  labels. Files: smtpd/smtpd.c, qmqpd/qmqpd.c.

20020515-21

	Feature: new MIME parser, written from scratch, that
	recognizes the structure of MIME encapsulated mail. Influenced
	by comments from Victor Duchovni. This code can detect but
	will not decode obscure MIME formats or obscure character
	string encoding that Liviu Daia expresses concern about.

	MIME header scanning now happens in header_checks, and is
	faster than body_checks could ever be. This also eliminates
	the problem with multi-line MIME headers being matched one
	line at a time.  Files:  global/mime_state.[hc],
	cleanup/cleanup_message.c.

20020521-22

	Feature: 8-bit to quoted-printable conversion. First use
	in the Postfix SMTP client. File: smtp/smtp_proto.c.

	Logging: the Postfix SMTP and LMTP clients now report the
	the protocol stage when they report a server reply.  File:
	smtp/smtp_proto.c, lmtp/lmtp_proto.c.

	Bugfix: the SMTP server warned about ignored client attributes
	(these were introduced 20020510) in mail that was submitted
	with "sendmail -bs".  File: smtpd/smtpd.c.

20020525

	Feature: separation of header checks into header_checks
	(all primary headers except MIME related headers),
	mime_header_checks (all MIME headers including MIME headers
	at the start of messages) and nested_header_checks (headers
	of attached messages, except MIME related headers).

	Cleanup: broke out the header value parser from the MIME
	processor so that the code can be reused elsewhere. File:
	global/header_token.c.

	Compatibility: Postfix now recognizes "name :" as a valid
	message header, but normalizes it to "name:" form or else
	lots of things would break all over the place.  Files:
	global/is_header.c, global/mime_state.c.

20020526

	Bugfix: the SMTP server now disallows RCPT TO:<"">, just
	like it disallows RCPT TO:<>.  File: smtpd/smtpd.c.

	Feature: disable_mime_input_processing=yes/no controls
	whether Postfix recognizes (and optionally enforces) MIME
	formats while receiving mail. Default is NO.

	Feature: disable_mime_output_conversion=yes/no controls
	whether Postfix will convert 8BITMIME to 7BIT mail when
	delivering mail to an SMTP server that does not announce
	8BITMIME support.  Default is NO.

	Feature: strict_8bitmime=yes/no controls whether Postfix
	rejects 8-bit characters in headers and 7-bit body parts.
	This blocks mail from poorly written software, including
	majordomo approval requests that contain a valid 8BITMIME
	email message, as well as mail that is piped into ancient
	/bin/mail implementations that do not MIME format 8-bit
	content. Default is NO.

	Feature: strict_mime_encoding_domain=yes/no controls whether
	Postfix rejects illegal content transfer encodings for
	multipart/* and message/*. This blocks mail from poorly
	written software. Default is NO.

20020527

	Feature: "FILTER transport:nexthop" in header/body checks.
	After the message is queued, the message is sent through
	a content filter. This requires different cleanup servers
	before and after the filter, with header/body checks turned
	off in the second cleanup server.

20020528

	Feature: strict_7bit_headers and strict_8bitmime_body are
	now separately available. To to turn on both, use
	strict_8bitmime.

	Cleanup: abandon the use of isspace(3) in the parsing of
	RFC822 message headers. Files: global/lex_822.h and lots
	of little places.

	Documentation: replace domain.name by domain.tld in the
	example config files. The domain exists. They were getting
	mail from poorly configured Postfix boxes.

	Bugfix: The Postfix sendmail command did not export the
	MAIL_CONFIG environment setting to the postdrop command.
	File: global/mail_config.h.

	Incompatibility: by default, turn on the PCRE_DOTALL flag,
	so that PCRE patterns will match multi-line message headers
	without causing pain. Suggested by Michael Tokarev. Also
	documented all those darned undocumented PCRE flags in the
	pcre_table(5) manual page. Files:  util/dict_pcre.c,
	proto/pcre_table.

20020529

	Bugfix: mail rejected due to MIME errors was rejected
	without proper logging. Files: global/mime_state.c,
	cleanup/cleanup_message.c.

20020531

	Bugfix: the SMTP client code that prepends '.' to lines
	starting with '.' had to be moved from its old place to
	after the MIME output conversion. Problem found by Mark
	Martinec.  File: smtp/smtp_proto.c.

20020601

	Bugfix: the deliver_pass() routine needed updating for the
	extra MIME encoding attribute that was introduced 20020510.
	Patch by Sebastian Schaffert @ wastl.net.  File:
	global/deliver_pass.c.

20020604

	Workaround: Solaris non-blocking read() can fail on a socket
	with unread data according to ioctl FIONREAD.  Incredible.
	Diagnosis by Max Pashkov.  File:  smtp/smtp-sink.c.

	Weird feature: sender-based routing. This will become more
	useful once per-address transport map entries are done.
	File:  src/*qmgr/qmgr_message.c.

20020605

	Safety: header_address_token_limit limits the amount of
	memory and CPU that we're willing to spend while parsing
	addresses in message headers. The limit is expressed as a
	number of tokens. File: global/tok822_parse.c

20020608

	Feature: user@domain transport map lookup, based on code
	by Scott Cotton, from several years ago. Adding this code
	now was much less painful than it was in the past. Files:
	global/strip_addr.c, trivial-rewrite/transport.c.

20020610

	Cleanup: making user@domain transport map lookups work with
	sender-based routing was a bit tricky, because the null
	address must be handled sensibly. Files: global/resolve_clnt.c,
	trivial-rewrite/resolve.c. It ain't perfect yet, but close.

20020613

	Bugfix: postsuper -r was broken as of 20020510. The cleanup
	daemon would discard mail with MIME type information. Moved
	a bunch of sanity checks from the cleanup daemon to the
	pickup daemon, so the checks are in one place.  Problem
	experienced by Pavol Luptak. Files: pickup/pickup.c,
	cleanup/cleanup_extracted.c.

20020705

	Safety: log a warning when a domain is listed in mydestination
	and (virtual_maps or virtual_mailbox_maps).  This configuration
	error causes the Postfix SMTP server to reject recipients
	when the local_recipient_maps feature is enabled.  File:
	smtpd/smtpd_check.c.

200207011

	Portability: in the master daemon, the default now is to
	enable the signal handler code that writes a byte into a
	pipe, instead of the signal handler code that sets a global
	flag and hopes that select() will somehow wake up. File:
	master/master_sig.c. This is needed for some IRIX and
	UnixWare versions, but it should also produce a robust
	result on all other supported systems.

	Performance: the default SMTP connection establishment
	timeout is now 30 seconds, instead of the system default
	which can be atrociously large.

20020712

	When DNS lookup fails while delivering mail, report not
	only the domain name but also the DNS record type.  This
	should clue in people who ask why Postfix can't find a
	domain while nslookup can.  File:  dns/dns_lookup.c.

20020713

	Bugfix: undo change made at 20020610 that causes the trivial
	resolver client to loop when an address consists entirely
	of @ and . characters.  File: trivial-rewrite/resolve.c.

	Cleanup: Postfix no longer strips multiple '.' at the end
	of a domain name. One '.' is silently tolerated. Files:
	trivial-rewrite/rewrite.c, trivial-rewrite/resolve.c,
	global/resolve_local.c. This policy is too distributed.

20020715

	Feature: @domain.tld catch-all map entries for the virtual
	mail delivery agent. Files: global/virtual8_maps_find.c,
	virtual/mailbox.c, smtpd/smtpd_check.c.

	Feature: the virtual mail delivery agent now accepts address
	extensions (user+foo@domain.tld), ignores them when looking
	up users in its tables, but displays them in Delivered-To:
	message headers.  File: global/virtual8_maps_find.c.

20020716

	Feature: domain names in a masquerade_domains list can now
	be prefixed with !, in order to disable masquerading for
	that domain name and for its subdomains. File:
	cleanup/cleanup_masquerade.c.

20020717

	Bugfix: Mac OS X niscript (Netinfo) update by Gerben Wierda.
	File: auxiliary/MacOSX/niscript.

	Feature: The SMTP server reject_unknown_whatever restrictions
	now also attempt to look up AAAA (IPV6 address) records.
	Jun-ichiro itojun Hagino, IIJ labs. Files: smtpd/smtpd_check.c,
	dns/dns_lookup.c.

20020718

	Bugfix: unnecessary lookups for extended addresses by the
	virtual8_maps_find() routine. Victor Duchovni. His patch
	did not work, nor did my own, but the present version should
	be OK. File: global/virtual8_maps_find.c.

20020719

	Workaround: log a warning when an SMTP client name->address
	lookup results in a numeric IP address, and set the client
	hostname to "unknown". Some gethostbyname() implementations
	will actually accept such garbage and thereby allow sites
	to defeat the "reject_unknown_client" restriction. Problem
	reported by Wolfgang Rupprecht, fix based on analysis (but
	not code) by Victor Duchovni.

	Bugfix: memory leaks in the LDAP client by Victor Duchovni.
	File: util/dict_ldap.c.

	Bugfix: garbage in verbose "flush" server logging. Victor
	Duchovni.  File: flush/flush.c.

20020723

	Incompatibility: smtpd_sasl_local_domain now defaults to
	the null string. File: smtpd/smtpd.c, smtpd/smtpd_sasl_glue.c.

20020726

	Documentation: added GDB debugging instructions for sites
	that do not have X installed on the Postfix machine. Henrik
	Larsson, spambox.dk.

20020729

	Weird: installed RedHat 3.03 inside VMware, and no change
	was needed to build Postfix, except to recognize the Linux
	version.

	Bugfix: some mailers will announce ESMTP features in their
	HELO (not EHLO) response. Postfix did not ignore them.
	File: smtp/smtp_proto.c.

20020731

	Cleanup: permit_naked_ip_address is unsafe (especially when
	used with smtpd_recipient_restrictions) and will go away.
	Postfix now logs a warning. File: smtpd/smtpd_check.c.

20020801

	Cleanup: the warning message for matched header/body content
	was misleading. File: cleanup/cleanup_message.c.

	Safety: moved the "postsuper -r ALL" operation after the
	"postsuper -s" check that makes queue file names match
	inode numbers. This avoids loss of mail in the unlikely
	case that someone runs "postsuper -sr ALL" on a queue that
	was copied from another place.

	Feature: "postsuper -h" to put mail "on hold" and "postsuper
	-H" to release mail that was placed "on hold". This involves
	a new queue, which is appropriately named "hold".  Files:
	postsuper/postsuper.c, showq/showq.c.

20020803

	Feature: when a Delivered-To: mail delivery loop is detected,
	send the bounce to the mailing list owner. This required
	changes to the local delivery agent, a new bounce client
	stub, and a new bounce server stub and support routines
	for one recipient bouncing. Files: local/recipient.c,
	global/bounce_log.c, global/bounce.c, bounce/bounce.c,
	bounce/bounce_notify_util.c, bounce/bounce_one_service.c.

20020809

	Bugfix: the 20020531 bugfix could prepend '.' to lines when
	it shouldn't (but only when converting 8-bit mail to 7-bit).
	Problem experienced by Ralf Hildebrandt.  File:
	smtp/smtp_proto.c.

	Bugfix: smtpd_sender_login_maps did not do the @domain etc.
	wild-card lookups that were promised. Problem experienced
	by Sven Michels. File: smtpd/smtpd_check.c.

20020810

	Feature: new smtp-sink command-line options to specify the
	SMTP hostname, to disable ESMTP protocol support, to disable
	8BITMIME support, and to syslog selected commands.  File:
	smtpstone/smtp-sink.c.

20020814

	Feature: the queue manager now warns when mail for some
	destination is piling up in the active queue, and suggests
	a variety of remedies.  The qmgr_clog_warn_time parameter
	controls the time between warnings, mainly so that I could
	test the code. To disable these warnings, specify
	"qmgr_clog_warn_time = 0". Files:  *qmgr/qmgr_entry.c.

20020815

	Paranoia: truncate the DNS response length result value in
	case it is larger than the result buffer length (the resolver
	documentation is vague about this). File:  dns/dns_lookup.c.

20020816

	Cleanup: "postqueue -f" now also triggers delivery of mail
	in the maildrop directory. This is needed when the master
	does not frequently wake up the pickup service.  Files:
	global/mail_flush.c, postqueue/postqueue.c.

20020818

	Cleanup: the qmgr_site_hog_factor feature is gone (defer
	mail if a site uses up too much space in the active queue).
	Instead, the qmgr_clog_warn_time feature provides better
	solutions. File: qmgr/qmgr_message.c.

20020819

	Feature: new header/body_checks HOLD pattern that causes
	mail to be placed on the "hold" queue for manual inspection.
	Files: global/hold_message.[hc], cleanup/cleanup_message.c.

20020820

	Bugfix: yesterday's HOLD pattern code did not update the
	cleanup server's idea of the queue file name for error
	recovery and for error reporting purposes, so that incomplete
	or content rejected mail would not be deleted from the
	queue, and so that the bouncer would not find the queue
	file.

	Bugfix: the #ifdef that detects too old LDAP libraries was
	in the wrong place.  Victor Duchovni.  File: util/dict_ldap.c.

	Feature: new header/body_checks DISCARD pattern that causes
	mail to be silently discarded. Files: global/cleanup_user.h,
	cleanup/cleanup_message.c, cleanup/cleanup_api.c.

	Bugfix: the local delivery agent's mailbox duplicate delivery
	eliminator was not updated in the days that address extensions
	were added to Postfix. The other local duplicate eliminators
	probably need revision as well. File: local/mailbox.c.

20020821

	Feature: HOLD and DISCARD actions in SMTPD access tables.
	These requests are propagated to the cleanup daemon.  Files:
	cleanup/cleanup_envelope.c smtpd/smtpd_check.c.

	Cleanup: eliminate unnecessary references to the obsolete
	program_directory configuration parameter (but keep the
	parameter so as to not break existing installations).
	Matthias Andree, many little changes in documentation.

20020822

	Bit Rot: OpenLDAP incompatible change with URL parsing.
	Patches by Will Day, Georgia Tech, and Carsten Hoeger,
	SUSE.  File: util/dict_ldap.c.

20020823

	Bugfix: added a missing memset() call to wipe the lookup
	key in dict_db_delete(). This is needed by some Berkeley
	DB implementations. Patch by Katsu Yamamoto, Fujitsu.

	Bugfix: when permit_mx_backup is unable to make a decision
	due to DNS problems, set the "defer if reject" flag so that
	other restrictions will not cause mail to be rejected.
	File: smtpd/smtpd_check.c.

	Feature: instead of giving up immediately after DNS failure,
	turn on the "defer_if_permit" flag when reject_unknown_hostname,
	reject_unknown_sender_domain or reject_unknown_recipient_domain
	are unable to make a decision, and see if any subsequent
	restrictions would still cause the mail to be rejected.
	File:  smtpd/smtpd_check.c.

	Feature: "FILTER transport:nexthop" is now also available
	in SMTPD access tables.

20020826

	Workaround: HP-UX 11 accept() fails with ENOBUFS when the
	client disconnects early. File: sane_accept.c.

20020901

	Cleanup: postfix-install no longer installs all the manual
	pages under $POSTFIXSOURCE/man, so we can generate manual
	pages for smtp-sink etc.  File: man/Makefile.in.

20020903

	Bugfix: the rmail script should have been updated when
	Postfix sendmail was changed to recognize `.' as the end
	of input.  Problem fix by Christian Kratzer, cksoft.de.
	File:  auxiliary/rmail/rmail.

	Feature: specify "maximal_queue_lifetime = 0" for mail that
	should be returned immediately after the first unsuccessful
	delivery attempt. Files: qmgr/qmgr.c, nqmgr/nqmgr.c.

20020904

	Bugfix: qmail compatibility: qmqpd should support any
	character at the end of the VERP prefix in prefix@host-@[].
	Based on a patch by LaMont Jones, HP.

20020905

	Feature: "smtpd_data_restrictions = reject_unauth_pipelining"
	blocks mail from SMTP clients that send message content
	before Postfix has replied to the DATA command.  File:
	smtpd/smtpd.c, smtpd/smtpd_check.c.

	Bugfix: the LDAP client dumped core in verbose mode.
	Reported by Will Day and others.  File: util/dict_ldap.c.

20020906

	Cleanup: dict_regexp module speedups by avoiding unnecessary
	substring overhead while matching strings. Based on a
	suggestion by Liviu Daia. This involved major rewriting of
	the regexp map code.  File: util/dict_regexp.c.

20020907

	Feature: IF..ENDIF support based on code by Bert Driehuis.
	This involved a further rewrite of the regexp map code.
	File: util/dict_regexp.c.

200209010

	Bugfix: the SMTP client produced suprious warnings about
	trouble with fallback_relay hosts. File:  smtp/smtp_connect.c.

	Robustness: don't wait with detecting broken SMTP connections
	until reading input. Leandro Santi. File: smtpd/smtpd_chat.c.

200209011

	Workaround: IRIX 6 can't do ioctl FIONREAD on pipes. This
	breaks the in_flow_delay feature.  File:  util/sys_defs.h.

20020912

	Bugfix: canonical/virtual mapping core dump with a null
	right-hand side address. Report by Jussi Silvennoinen.
	File: global/mail-addr_crunch.c.

	Feature: IF..ENDIF support based on code by Bert Driehuis.
	This involved a rewrite of the pcre map code similar to
	the regexp map code.  File:  util/dict_pcre.c.

20020917

	Feature: on Linux, support for PCRE lookup tables is now
	compiled in if the PCRE library code is found under
	/usr/include and /usr/lib.  File: makedefs.

20020918

	Documentation: postsuper(1) did not document the -c option.

	Bugfix: possible longjump() before setjmp(). File:
	smtpd/smtpd.c.

	Bugfix: pickup should not preserve INSPECT or FILTER records
	from "postsuper -r". File: pickup/pickup.c.

20020919

	Feature: "reject_rbl <domain>" for client address blacklisting
	by LaMont Jones, including $name expansion for per-domain
	customized response messages. The obsolete reject_maps_rbl
	is now a wrapper that uses the new code.

20020921

	Internal: added caching and factored out common code that
	will be used for both reject_rbl and for the upcoming
	reject_rhsbl restriction.

20020922

	Feature: "reject_rhsbl <domain>" for sender domain
	blacklisting.  Provides the same per-domain customized
	response message mechanisms with $name expansion as
	reject_rbl.

	Safety: the smtpd_expansion_filter parameter controls what
	characters are allowed in the expansion of $name macros in
	template RBL responses.

	Cleanup. In order to make sensible warnings possible when
	expanding a non-existent $name in RBL reply templates,
	mac_expand() had to be changed so that an empty string
	result (i.e. the name does exist) will no longer cause
	${name?text} to succeed.  File:  util/mac_expand.c.

20020923

	Cleanup. Renamed the RBL features according to a scheme
	that was suggested by Liviu Daia in October 2001. The names
	are reject_rbl_client and reject_rhsbl_sender, respectively.
	Added domain name based reject_rhsbl_client and
	reject_rhsbl_recipient restrictions for completeness.  The
	reject_rbl restriction name is still recognized for
	compatibility with systems maintained by LaMont Jones.

20020924

	Bugfix: reject_rhsbl_<mumble> was broken when <mumble> was
	unavailable, causing the restrictions parser to get out if
	sync. Spotted by Ralf Hildebrandt.  File:  smtpd/smtpd_check.c.

20020928

	Bugfix: missing %s in the 20020923 RBL code. This was not
	exploitable because Postfix implements only a safe subset
	of all printf format operators and because memory for the
	result is dynamically allocated.  Victor Duchovni. File:
	smtpd/smtpd_check.c.

20020929

	Updated MacOSX support scripts from Gerben Wierda.  Files:
	auxiliary/MacOSX/*.

20021009

	Bugfix: SIZE errors should be reported at MAIL FROM time,
	and should not be postponed (with smtpd_delay_reject = yes)
	until RCPT TO time. Reported by Jeroen Scheerder, Utrecht
	University. Files: smtpd/smtpd.c smtpd/smtpd_check.c.

20021013

	When Postfix development started, Linux mail delivery
	software such as procmail did not use kernel locks, and
	Postfix picked one that seemed plausible, namely, flock().
	In the mean time, Linux mail delivery software seems to
	have standardized on fcntl() locks. File: util/sys_defs.h.

	Feature: body_checks_size_limit parameter to specify how
	much of a message body segment (or attachment, if you prefer
	to use that term) is subjected to body_checks inspection.
	Default limit:  50 kbytes. Files:  global/mime_state.c,
	cleanup/cleanup_message.c.

20021015

	Bugfix: the code for missing postmaster/mailer-daemon
	aliases had to be moved after the code that implements the
	luser_relay feature. Files: local/alias.c, local/unknown.c.

	Weird? The LMTP client lowercased the MAIL FROM and RCPT
	TO addresses. Some remnant of code that someone put in
	there long ago. File: lmtp/lmtp_proto.c.

20021024

	Feature: proxy_interfaces parameter. Specify your NAT or
	other proxy addresses here to avoid mail delivery loops.
	Files: global/mail_params.[hc] global/own_inet_addr.[hc]
	global/resolve_local.c smtp/smtp_addr.c smtpd/smtpd_check.c.

	Paranoia: defend against a very unlikely false alarm in
	safe_open().

20021025

	Feature: X-Original-To: message headers with the raw original
	envelope recipient.

	Logging: status=sent/deferred/bounced/ logging now includes
	the original recipient address if it differs from the final
	address.

20021026

	Logging: SMTP UCE reject/warn/hold/discard logging now
	includes queue ID. This will break some logfile analyzers.

	Logging: SMTP UCE reject/warn/hold/discard logging now
	includes the protocol name and, if available, the hostname
	given in the SMTP HELO or EHLO command.

	Logging: header/body_checks reject/warn/hold/discard logging
	now includes the protocol name and, if available, the
	hostname given in the SMTP HELO or EHLO command.

20021028

	Bugfix: don't reset state after rejected EHLO. Reset state
	after HELO. Reported by Karthikeyan Bhargavan, upenn.edu.
	Files: smtpd/smtpd.c.

20021029

	Bugfix: local(8) did not prepend an X-Original-To:  message
	header while delivering to command, and local(8) did not
	document the X-Original-To:  message header.

	Workaround: DJBDNS produces a bogus A record when given a
	numerical hostname. File: dns/dns_lookup.c.

20021030

	Portability: support for Berkeley DB version 4.0 but not
	for Berkeley DB version 4.1 (yes, the API is different).
	Postfix is now going to be paranoid about the minor version
	number, too. File:  util/dict_db.c.

	Documentation: updated LMTP_README file by Amos Gouaux.

20021031

	Bugfix: (bug introduced 20021026) log NOQUEUE when rejecting
	ETRN, instead of trying to log a non-existent queue ID.
	Victor Duchovni, Morgan Stanley. File: smtpd/smtpd_check.c.

	Cleanup: allow optional text after commands in SMTPD access
	maps. Based on initial effort by Victor Duchovni, Morgan
	Stanley. File: smtpd/smtpd_check.c.

	Portability: support for Berkeley DB version 4.1.  This
	version refuses to open zero-length files. This complicates
	lock management and requires extra code to remove broken
	files. Files:  util/dict_db.c, global/mkmap*.[hc].

20021101

	Bugfix: don't complain about out-of-order original recipient
	records for finished recipients. Files:  *qmgr/qmgr_message.c,
	cleanup/cleanup_envelope.c, cleanup/cleanup_extracted.c.

	Cleanup: further simplified the mkmap wrapper (used by
	postmap and postalias only) to remove some hurdles for
	Michael Tokarev's CDB support. Files: global/mkmap*.[hc].

20021105

	Postalias now produces YP_LAST_MODIFIED and YP_MASTER_NAME
	records only when NIS support is compiled in. File:
	postalias.c.

20021106

	Postalias now puts $myhostname in the YP_MASTER_NAME record,
	instead of the possibly bogus gethostname() result.  File:
	postalias.c.

	The PCRE map code did not reject non-numeric replacement
	indices in replacement text, and silently treated $text as
	$0. Found by Michael Tokarev. File: dict_pcre.c.

20021108

	Cleanup: the behavior of the SMTP server's defer_if_permit
	flag was changed, in order to maximize the opportunity to
	permanently reject mail without opening opportunities for
	losing legitimate mail. This was done in cooperation with
	Victor Duchovni, Morgan Stanley. File: smtpd/smtpd_check.c.

	The defer_if_permit flag is still set when an UCE reject
	restriction fails due to a temporary (e.g., DNS) problem,
	to prevent unwanted mail from slipping through. However,
	the flag is no longer tested at the end of client, helo or
	sender restrictions.  Instead, the flag is now tested at
	the end of the ETRN and recipient restrictions only.

	The behavior of the warn_if_reject restriction has changed.
	It no longer activates any already made defer_if_permit or
	defer_if_reject decisions (the defer_if_reject flag is set
	when some UCE permit restriction fails due to a temporary
	(DNS) problem, to avoid loss of legitimate mail).

	Bugfix: instead of setting the defer_if_permit flag, a
	failing reject restriction after warn_if_reject now merely
	logs that it would have caused mail to be deferred.

	A failing permit restriction after warn_if_reject still
	raises the defer_if_reject flag, to avoid loss of legitimate
	mail.

20021109

	Bugfix: a misguided change to the .forward macro expansion
	filter broke .forward file lookup.

	Bugfix: missing defer_if_permit test in smtpd_data_restrictions.
	Victor Duchovni. File:  smtpd/smtpd_check.c.

20021112

	Robustness: increase the mime_nesting_limit from 20 to 100,
	so that bounces can't loop. Each bounces increases the MIME
	nesting level by one.  Ralf Hildebrandt and Victor Duchovni.

20021113

	Robustness: reinstated SMTP client command flushing to
	avoid pipeline stalls.  File: smtp/smtp_chat.c.

20021114

	Robustness: distinguish between timeout and "lost connection"
	when the SMTP server is unable to send a reply to the remote
	client. File: smtpd/smtpd_chat.c.

20021115

	Bugfix: initialization error with "*" transport table
	lookup, reported by LaMont Jones. The transport map lookup
	code had grown into a monster and needed to be replaced.
	trivial-rewrite/transport.c.

20021115

	Start implementing recipient verification. For now this is
	done by adding trace flags to queue files. In case of a
	verification request, a delivery agent does not deliver,
	deliver, it just records what would happen.

	This required instrumenting the bounce/defer/sent logging
	routines to send their data to the right place depending
	on the type of delivery request.

20021116

	New trace service. This is used for reporting if a recipient
	is deliverable (sendmail -bv) and for producing a record
	of delivery attempts (sendmail -v). The report is sent via
	email, using the bounce daemon. Files: global/trace.[hc].

	This required replacing the bounce/defer logfile format by
	an extensible name=value format. Files: global/bounce_log.c,
	bounce/bounce_append_service.c.

20021117

	New address verification service with simple expiration
	and refresh policy. Storage can be in-core or in permanent
	table. The daemon is appropriately called "verify". Files:
	global/verify_clnt.[hc], verify/verify.c.

20021118

	Cleaning up the code for tracing and verification. Files:
	global/{log_adhoc,bounce,defer,trace,verify}.[hc].

20021119

	New address_verification_negative_cache = yes/no parameter
	controls whether Postfix stores the result of negatieve
	address verification probes. This reduces cache pollution
	but causes Postfix to send a probe for each address
	verification service query. File: verify/verify.c.

	Added optimistic caching to the verify daemon, so that one
	failed probe will not clobber a known to be good address.
	As long as some probes succeeed, a good address will stay
	cached as OK.

	Cleaning up of the bounce daemon's code for bounce, delayed
	mail warning and trace notification.  Files: bounce/*.[hc],
	global/bounce_log.c.

20021120

	Changed the probe's sender address to "postmaster" so that
	we get better information about the address we're testing.
	File: verify/verify.c.

	Added some paranoia to the routine that reads data from
	the address verification cache. Ignore data that is obviously
	bogus. File: verify/verify.c.

20021121

	Bugfix: garbage in "user@garbage"@domain address forms may
	cause the SMTP or LMTP client to terminate with a fatal
	error exit because garbage/tcp is not an existing service.
	This cannot be abused to cause the SMTP or LMTP client to
	send data into unauthorized ports.  Files: *qmgr/qmgr_message.c,
	trivial-rewrite/resolve.c.

20021124

	Bugfix: don't use same VSTRING buffer for reading and
	writing.  File: verify/verify.c.

20021128

	Feature: hashed hold queue support, with hashing turned on
	by default. Omission spotted by Victor Duchovni, Morgan
	Stanley. Files: global/hold_message.c, global/mail_params.h.

	Bugfix: the LMTP client lost the port(service) information
	when parsing host:port information. Victor Duchovni, Morgan
	Stanley. Fix is to have a new host_port(3) module that does
	the parsing for the SMTP and LMTP clients.

	Cleanup: host_port() routine that parses host/port information
	more consistently than the existing code in the LMTP and
	SMTP clients. Files: smtp/smtp_connect.c, lmtp/lmtp_connect.c,
	util/host_port.[hc].

20021130

	Cleanup: defer mail when recipient verification takes too
	long. File: smtpd/smtpd_proto.c.

	Feature: new reject_multi_recipient_bounce restriction, to
	reject "MAIL FROM: <>" with multiple recipients.  File:
	smtpd/smtpd_check.c.

20021201

	Compatibility: ignore the new Sendmail -A option. File:
	sendmail/sendmail.c.

	Workaround: sendmail -v now produces no output. You need
	to specify -v -v instead. This is to avoid problems when
	people request verbose mail delivery in their mail.rc file.
	File:  sendmail/sendmail.c.

20021202

	Cleanup: hash_queue_depth now defaults to 1 level of
	subdirectories. This makes "mailq" faster on most systems,
	but will result in poorer worst-case performance when lots
	of mail is queued.

	The check_relay_domains restriction is going away. The SMTP
	server logs a warning and suggests using reject_unauth_destination
	instead.

	Cleanup: the local(8) and virtual(8) delivery agents did
	not prepend X-Original-To: addresses to maildir files.
	Omission spotted by Matthias Andree.

	Specify "address_verify_sender=" or "address_verify_sender=<>"
	to use a null sender address while doing address verification
	probes.  Beware, doing so may trigger false negatives
	because some sites reject mail from the null sender, even
	though this is required by RFC standards.

	Bugfix: too many levels of dereferencing while testing for
	missing reject_rbl_mumble domain names. Patrik Rak.  File:
	smtpd/smtpd_check.c.

20021203

	Bugfix: the FILTER access table action included the FILTER
	command in the filter request, where only the transport+destination
	were expected. Noel Jones. File smtpd/smtpd_check.c.

	Cleanup: virtual_maps is now called virtual_alias_maps, in
	order to better distinguish it from virtual_mailbox_maps.
	The default value is $virtual_maps for backwards compatibility.

	New parameters virtual_alias_domains and virtual_mailbox_domains
	for the "domain.tld whatever" lookups.  These use the same
	syntax as the mydestination parameter.  Default settings
	are backwards compatible with Postfix 1.1.

	Concept: just like $mydestination+$inet_interfaces control
	what routes to $local_transport, $virtual_mailbox_domains
	now controls what routes to $virtual_transport (default
	transport:  virtual), and $relay_domains now controls what
	routes to $relay_transport (default transport: relay, a
	clone of the smtp transport).  Everything else routes to
	$default_transport as before.  This eliminates the need
	for transport map entries for every virtual(8) domain, and
	avoids performance problems with inbound relay mail. This
	was improvement was suggested by Victor Duchovni. File:
	trivial-rewrite/resolve.c.

20021206

	Cleanup: do allow regexps in aliases, virtual mailbox maps
	but do not allow regular expression substitutions. Files:
	util/dict.h, util/dict_regexp.c, util/dict_pcre.c.

20021207

	Cleanup: deleted the description of sendmail-style virtual
	domains from the virtual(5) manual page. This part of
	Postfix was too confusing.

	Performance: RFC 2821 blesses the use of CNAME domain names
	in MAIL FROM and RCPT TO. Not having to expand CNAME domain
	names speeds things up a bit.  File:  smtp/smtp_proto.c.

	Workaround: exclude error mailer destinations from transport
	mapping lookups :-(. File: trivial-rewrite/resolve.c.

	Cleanup: relocated_maps lookups are now moved to the
	trivial-rewrite server. As of now, the queue manager no
	longer does any map lookups, so it won't restart when maps
	change. Files:  *qmgr/qmgr_message.c, trivial-rewrite/resolve.c.

	Robustness: because the trivial-rewrite server now does
	many more table lookups, some of which are often LDAP or
	SQL based, trivial-rewrite clients must be be prepared for
	the case that the resolver reports a failure while processing
	a request (when it was unable to access a lookup table).
	Files:  trivial-rewrite/resolve.c, local/resolve.c,
	smtpd/smtpd_check.c.

	Robustness: moving possible LDAP or SQL table lookups into
	the trivial-rewrite server also required that trivial-rewrite
	be running as multiple processes to reduce lookup latencies.
	Files:  master/multi-server.c.

	Workaround: don't discard all the DNS lookup results when
	only one of the results has a malformed name or address.
	File:  dns/dns_lookup.c.

20021208

	Cleanup: with the preliminary address domain classification
	concept as implemented by the trivial-rewrite address
	resolver, a lot of table lookups could be eliminated from
	the SMTP server.  Files: smtpd/smtpd_check.c.

	Feature: new relay_recipient_maps parameter, for optional
	maps with all the recipients in the domains that match
	$relay_domains (so you can reject mail for unknown relay
	recipients). This is for consistency with virtual_xx_maps
	and virtual_xx_domains, and with local_recipient_maps and
	the local delivery agent.  File:  smtpd/smtpd_check.c.

	Cleanup: removed support for obsolete #number domain forms.
	File: smtpd/smtpd_check.c.

20021209

	The Postfix installation procedure no longer sets the
	"chattr +S" bit on Linux queue directories. Wietse has
	gotten too annoyed with naive reviewers who complain about
	performance without having a clue of what they are comparing.

	"Security": local_recipient_maps is now turned on by default,
	to reject mail for non-existent users at the SMTP port.
	See conf/main.cf for instructions, section REJECTING UNKNOWN
	LOCAL USERS.

	Safety: detection of missing or inaccessible passwd file
	database, to prevent massive complaints from people who
	suddenly lose all their mail because local_recipient_maps
	is now turned on by default.

20021210

	Feature: recipient address verification, using the code
	that already implements sender address verification.  Based
	on suggestion by Matthias Andree.  Files: src/smtpd/smtpd.c,
	src/smtpd/smtpd_check.c.

20021211

	Performance: doubled the default process limit (50->100)
	and default queue manager active queue message/recipient
	limits  (10k->20k).  File:  global/mail_params.h.

	Bugfix: the change that begot us multiple trivial-rewrite
	processes (good) also gave us multiple verify daemons (bad).
	File: conf/post-install.

20021212

	Cleanup: allow transport map lookups to override error
	mailer results (to avoid breaking existing installations),
	and do transport map lookups before relocated map lookups.
	Files:  trivial-rewrite/resolve.c, trivial-rewrite/transport.c.

	Shortened the verify server's negative cache refresh time
	from 12 hours to 2 hours. File:  global/mail_params.h.

	Admin friendliness: the SMTP server now reports "User
	unknown in {local recipient | virtual alias | virtual
	mailbox | relay recipient} table". This will make trouble
	shooting a little easier. Files: smtpd/smtpd_check.c,
	trivial-rewrite/resolve.c.

20021213

	Cleanup: transport map entries with null nexthop ignored
	relayhost settings. Making the code simpler also made it
	more correct. Files: trivial-rewrite/resolve.c,
	trivial-rewrite/transport.c.

	Feature: "helpful_warnings" (default: yes) that can be
	turned off if you really know what you're doing and want
	to eliminate some unnecessary work.

	Feature: enforcement of master.cf process limits for
	processes such as qmgr and pickup that must run alone, and
	processes such as cleanup and bounce that must run without
	explicit process count limit. If an incorrect process limit
	is specified in master.cf the service aborts.

20021214

	Cleanup: it looks like we finally get it right with transport
	lookup table entries that either override or specify an
	error transport without updating the nexthop information.
	File:  trivial-rewrite/resolve.c.

	Robustness: don't probe the sender address when probed for
	our own address verification probe sender address. File:
	smtpd/smtpd_check.c.

	Performance: don't do UCE checks (which may result in 4xx
	SMTP reply codes, and thus, repeated delivery attempts)
	when we already know that the recipient does not exist.
	Files:  smtpd/smtpd.c, smtpd/smtpd_check.c.

20021215

	Cleanup: further simplification of transport map handling
	after some really fine hair splitting with Victor Duchovni.
	Files: trivial-rewrite/resolve.c, trivial-rewrite/transport.c.

20021216

	Workaround:  transform the address local-part into unquoted
	form only when the address domain is local and the local-part
	contains routing operators.  Otherwise, we may damage the
	address local-part by inserting space between non-operator
	tokens. Some people use weird addresses and expect them to
	be handled without damage.  File: trivial-rewrite/resolve.c.

	Robustness: scan the resolved recipient address for routing
	operators in the address local-part, even when the local
	MTA does not recognize ! and % as valid operators.  File:
	trivial-rewrite/resolve.c.

	Cleanup: the address rewriting code no longer tries to
	rewrite broken user@ or user@. address forms into even more
	broken forms. bother. File: trivial-rewrite/rewrite.c.

	Cleanup: the address resolver code now treates forms ending
	in @ in a more rational manner (because the address rewriting
	code no longer messes up by appending .my.domain).

	Bugfix: a null address local-part before @domain now is
	properly quoted just like the null address. File:
	global/quote_82[12]_local.c.

20021217

	Cleanup: more work on the trivial-rewrite address rewriting
	and address resolving code. New regression tests for address
	rewriting and resolving that make some assumptions about
	main.cf settings. Files: global/Makefile.in (assumptions),
	global/rewrite_clnt.in, global/rewrite_clnt.ref,
	global/resolve_clnt.in, global/resolve_clnt.ref.

	Safety: configurable SMTPD reject codes for recipients not
	in {local,relay}_recipient,virtual_{alias,mailbox}}_maps,
	aptly named unknown_mumble_reject_code.  Postfix installs
	with unknown_local_recipient_reject_code=450, unless the
	site already ran Postfix with local_recipient_maps enabled.
	Files:  smtpd/smtpd.c, smtpd/smtpd_check.c, conf/post-install.

20021218

	Feature: specify unverified_recipient_reject_code=250 or
	unverified_sender_reject_code=250 to accept mail for an
	address that is known to bounce. File: smtpd/smtpd_check.c.

20021219

	Bugfix: longjmp() while sending "go away" without setjmp()
	in the QMQP server. Patrik Rak. File: qmqpd/qmqpd.c.

	Safety: the XVERP extension is restricted to clients listed
	in the authorized_verp_clients list (default: $mynetworks).
	File: smtpd/smtpd.c.

	Workaround: preliminary IPV6 support in valid_hostliteral().
	File: util/valid_hostname.c.

20021220

	Bugfix: the reject_multi_recipient_bounce restriction had
	an off-by-one error when used in smtpd_data_restrictions.
	File: smtpd/smtpd_check.c.

	Feature: new check_recipient_maps restriction that gives
	finer control over when unknown recipients are rejected.
	As with Postfix 1.1, the default is to do this at the end
	of the recipient restrictions. Sites that want to improve
	performance can put check_recipient_maps at the start of
	the smtpd_client_restrictions list and avoid doing unnecessary
	RBL lookups etc.  File:  smtpd/smtpd_check.c.

	Feature: new show_user_unknown_recipient_table parameter
	controls whether or not to reveal the lookup table name in
	"User unknown" responses. The extra detail makes trouble
	shooting easier but also reveals information that is nobody
	elses business.

20021221

	Workaround: don't allow the transport map to override the
	virtual alias class (error:User unknown) result.  File:
	trivial-rewrite/transport.c.

20030101

	Documentation update: new-style virtual domains broke the
	advanced content filtering example. Files: FILTER_README,
	RELEASE_NOTES-2.0.

20030102

	Cleanup: use different client instances when the same map
	is opened with different flags. File: global/maps.c.

	Feature: proxymap server for Postfix table lookups. This
	helps to consolidate the number of open lookup tables (such
	as MYSQL or LDAP), or to overcome chroot restrictions
	(example: specify proxy:unix:passwd.byname to avoid the
	need for a copy of the UNIX passwd file in chroot jails).
	Files:  global/dict_proxy.[hc], proxymap/proxymap.c

	Cleanup: multiservers such as trivial-rewrite and the new
	proxymap server now enforce the max_use total client number
	limit more agressively, by not accepting new connections
	after the limit is reached.  Based on a patch by Victor
	Duchovni, Morgan Stanley. File:  master/multi_server.c.

20030103

	Cleanup: client stream endpoints not only have an idle time
	limit ($ipc_idle) before a connection is closed, they now
	also have a time to live ($ipc_ttl) to prevent connections
	from becoming too persistent. This allows multi-servers
	such as trivial-rewrite or the proxymap server to refresh
	more frequently on busy systems. File:  global/clnt_stream.c.

20030104

	Cleanup: avoid warnings about flag mismatches when the same
	lookup table is listed under both virtual_alias_maps and
	virtual_mailbox_maps. Files: global/virtual8.h, virtual/virtual.c.

	Bugfix: an obscure memory leak that puzzled me for more
	than a year until I found out how to reproduce it. File:
	util/vstream.c.

20030105

	Cleanup: removed the address syntax check from the queue
	manager, since a better test was implemented recently in
	the trivial-rewrite server. Files: *qmgr/qmgr_message.c.

	Bugfix: redirect bounce/defer to the address verification
	service where appropriate. Files: *qmgr/qmgr_bounce.c,
	*qmgr/qmgr_defer.c.

	Bugfix: "no such file or directory" warnings after "postfix
	reload" when a chrooted smtpd reconnects to the proxy
	service.  Fix: use "private/proxymap" if possible, otherwise
	use "$queue_dir/private/proxymap".  File:  global/dict_proxy.c.

	Robustness: daemons now chdir() to the queue directory
	before running the pre-jail initialization code, so that
	daemons running in stand-alone mode produce more consistent
	results.  Files:  master/single_server.c, master/multi_server.c.
	master/trigger_server.c.

	Bugfix: "sendmail -bs" tried to access the proxymap service.
	It should not try to open any user/domain/uce related tables
	at all. File:  smtpd/smtpd.c.

20030106

	Bugfix: bouncing to owner-alias was broken, i.e. the mail
	kept being deferred, and when that was fixed, another buglet
	came to light. File: bounce/bounce.c.

	Robustness: the master no longer aborts with "address
	already in use" when inet_interfaces specifies the same IP
	address multiple times, or when a TCP service in master.cf
	specifies a hostname for which the same IP address is listed
	multiple times. File: master/master_ent.c.

20030107

	Robustness: check that FILTER actions in SMTPD access maps
	or cleanup header/body_checks have plausible syntax. Files:
	smtpd/smtpd_check.c, cleanup/cleanup_message.c.

20030109

	Cleanup: unnecessary "premature end of file on xxx while
	reading yyy" warnings became exposed after some code
	simplification. Files" global/*_clnt.c, global/dict_proxy.c

	Robustness: undo the change that causes a multi-server
	process to stop accepting new connections while it still
	services existing clients for an extended amount of time.
	We need a better process retirement strategy. File:
	master/multi_server.c.

20030110

	Cleanup: the virtual_mailbox_maps parameter is now optional
	even when virtual_mailbox_domains is. This makes virtual
	mailbox domains more like relay domains and the local
	domain.

	Portability: the makedefs script now uses the pcre-config
	utility to find out where things are installed.

	Bugfix: the SMTP server did not recognize the local built-in
	double bounce address as local. Reported by Matthias Andree.
	For safety sake, threw in the local postmaster address as
	well.  File:  smtpd/smtpd_check.c.

20030113

	Added MAILER-DAEMON to the list of always recognized local
	addresses, since it is generated by Postfix bounces. File:
	smtpd/smtpd_check.c.

20030114

	Bugfix: transport_errno was not reset upon successful
	transport map wildcard lookup after an earlier failure.
	Reported by Victor Duchovni. File:  trivial-rewrite/transport.c.

	Cleanup: unnecessary warnings from the proxymap client
	after proxymap server disconnect. File:  global/dict_proxy.c.

	Cleanup: Patrik Rak found a few more chattr invocations
	that were missed 20021209. Files: postfix-install,
	conf/post-install.

	Cleanup: the pcre-config command can produce null outputs.
	Matthias Andree.  File: makedefs.

	Bugfix: the virtual(8) Makefile included $(AUXLIBS) in the
	dependencies.

20030118

	Typos: some hyperlinks referred to flushd, which is the
	name that was used before the flush service was released.
	Reported by Victor Duchovni.

	Cleanup: smtpd no longer needed to open relocated_maps.

20030119

	Cleanup: bounce messages used "X-Postfix" even when mail_name
	was set to something other than the default "Postfix" name.
	File: bounce/bounce-notify_util.c.

20030120

	Bugfix: wrong FILTER_README instructions for disabling
	virtual alias mapping in the cleanup server before the
	content filter.

	Bugfix: wrong FILTER_README instructions for destination-dependent
	filtering, because relay_domains was specified incorrectly.

20030122

	Bugfix: 20021207 (move relocated table lookup from queue
	manager to trivial-rewrite server) broke relocated table
	lookup results with mail not rejected at the SMTP port.
	Files:  *qmgr/qmgr_deliver.c, *qmgr/qmgr_message.c.

20030123

	Bugfix: a widely used maildir filename algorithm was broken.
	Postfix now uses TIME.DEVICE_INODE.HOST. Files: local/maildir.c,
	virtual/maildir.c.

20030124

	Cleanup: queue structures no longer overload queue name
	and nexthop destination. Files: *qmgr/qmgr_message.c,
	*qmgr/qmgr_queue.c, *qmgr/qmgr_deliver.c.

20030125

	Feature: "REDIRECT user@domain" action in access maps or
	in header/body_checks causes mail to be sent to the specified
	address instead of the intended recipient(s). I would never
	recommend that people use this to redirect (bounced) SPAM
	to the beneficiaries of an advertisement campaign.  Files:
	smtpd/smtpd_check.c, cleanup/cleanup_message.c,
	*qmgr/qmgr_message.c.

20030126

	Update: maildir filename algorithm updated according to
	today's version of http://cr.yp.to/proto/maildir.html.

20030127

	Cleanup: use separate error messages for separate problems
	with computing the list of SASL authentication mechanisms.
	File: smtpd/smtpd_sasl_glue.c.

20030130

	Bugfix: allow $name in default time values. File:
	global/mail_conf_time.c.

20030205

	Feature: allow !, /file/name and map:name in masquerade_exceptions.
	By Liviu Daia.  Files:cleanup_init.c, cleanup.h,
	cleanup_masquerade.c.

20030219

	Bugfix: the local pickup daemon skipped unterminated records,
	since they happened to have the same record type code as
	content filtering instructions. Victor Duchovni.  Files:
	global/rec_type.h, pickup/pickup.c.

	Portability: Postfix could block, and thus not enforce
	command execution time limits, while delivering mail to
	command.  File: global/pipe_command.c.

	Bugfix: command execution time limits were not enforced
	because the child process killing code in pipe_command()
	was running with the wrong privileges. Problem reported by
	Ben Rosengart, Panix. File: global/pipe_command.c.

	Bugfix: duplicate recipient filtering in the cleanup server
	did not eliminate virtual expansion duplicates with the
	same original recipient. File: cleanup/cleanup_out_recipient.c.

20030223

	Cleanup: added postmap/postalias -p option (do not inherit
	the source file permissions when creating a new file), for
	completeness.  A feature that can't be turned off is a bug.
	Files:  postmap/postmap.c, postalias/postalias.c.

	Bugfix: smtpd_hard/soft_error_limit off-by-one error, so
	that the real limit was one larger than the configured
	value.  File: smtpd/smtpd.c, smtpd/smtpd_chat.c.

20030226

	Safety: proxymap server defense against potential deadlock
	when some library routine wants to open a proxied table.
	Instead, proxymap opens the requested table directly. File:
	proxymap/proxymap.c.

	Portability: updated AIX 5.x system dependent definitions.
	File: util/sys_defs.h.

20030227

	Bugfix: added mynetworks to the list of proxy_read_maps
	parameter settings that are pre-authorized to use proxied
	table lookups.  File: global/mail_params.h.

	Cleanup: daemons now log what table has changed before
	restarting. Files: dict.c, and anything that invoked
	dict_changed().

	Cleanup: more consistency in the naming of lookup table
	handles as generated by maps(3) and by match_list(3).

20030305

	Workaround: Postfix removes too long non-address text from
	message headers in order to protect vulnerable Sendmail
	systems against exploitation of the remote buffer overflow
	vulnerability described in CERT advisory CA-2003-07.

20030311-19

	Bugfix: the access map actions HOLD, DISCARD, FILTER and
	REDIRECT were broken with smtpd_delay_reject=no and with
	ETRN.  This required re-architecting of the actions code.
	Files:  smtpd/smtpd.[hc], smtpd/smtpd_check.c, smtpd/smtpd_state.c.

20030315

	Bugfix: the postsuper manual page documented support for
	the -c command line option, but it was not implemented.
	File: postsuper/postsuper.c.

	Bugfix: the Postfix 2.0 recipient map checking code broke
	the VRFY command, causing it to reply with status code 252
	for non-existent addresses. This required re-architecting
	the recipient table lookup code. File:  smtpd/smtpd_check.c.

20030319

	Feature: configurable limit on virtual alias expansion size
	and nesting depth, via the virtual_alias_expansion_limit
	and virtual_alias_recursion_limit parameters. The default
	limits are compatible with past Postfix versions.  Victor
	Duchovni, Morgan Stanley. Files: /sample-resource.cf,
	html/resource.html, cleanup/cleanup.c, cleanup/cleanup_init.c,
	cleanup/cleanup_map1n.c.

	Feature: the installation procedure records build information
	(by default:  in /etc/postfix/makedefs.out).

20030324

	Bugfix: smtp-source flushed too often, causing suboptimal
	performance with smtp-source sending directly into smtp-sink.
	Files: smtpstone/smtp-source.c.

20030410

	Safety: log a fatal error when a net/mask pattern has a
	non-zero host part, so that mail delivery is deferred.
	File: util/match_ops.c.

20030411

	Bugfix: extraneous warning about out-of-order original
	recipient records by Patrik Rak. Files: *qmgr/qmgr_message.c.

20030412

	Workaround: log a warning and reset the queue file time
	stamps when the file system clock is ahead of the local
	clock.  File: global/mail_stream.c.

20030414

	Feature: PostgreSQL client module, adopted by LaMont Jones.
	Files: README_FILES/PGSQL_README, util/dict_pgsql.c,
	util/dict_pgsql.h, conf/sample-pgsql-aliases.cf.

	Cleanup: the generic smtp client/server code in smtp_stream.c
	now has an explicit flush operation, and the smtp-source/sink
	programs are updated to take advantage of this.

	Cleanup: the file system clock drift detection code now
	runs only once per process instance, to minimize the
	performance impact. File: global/mail_stream.c.

	Robustness: avoid TIME_WAIT state with smtp/qmqp-source
	client sockets.  This puts less strain on local system
	resources.

20030415

	Cleanup: the file system clock drift detection code now
	runs only for incoming mail. File: global/mail_stream.c.

20030416

	Bugfix: missing partial last line when 1) someone submits
	8-bit mail not ending in newline via /usr/sbin/sendmail
	and 2) MIME input processing is turned off, and 3) MIME
	8bit->7bit conversion is requested upon delivery via SMTP.

	Cleanup: auto-bcc recipients are now added in one place
	(the cleanup server) instead of by individual front-end
	servers (pickup, smtpd, qmqpd). This makes it easier to
	add auto-bcc features that trigger on sender or recipient
	addresses.

	Cleanup: "sendmail -t" (recipients from headers) is now
	implemented by the sendmail command instead of by the
	cleanup server. This means that the extract_recipient_limit
	configuration parameter is no longer needed.  Files:
	sendmail/sendmail.c, cleanup/cleanup_message.c,
	cleanup/cleanup_extracted.c.

	Compatibility: "sendmail -t" (recipients from headers) now
	accepts command-line recipients instead of complaining.
	The extracted header recipients are added to the command-line
	recipients.

	Feature: sender/recipient_bcc_maps. These are indexed by
	sender/recipient address and are examined when mail enters
	from outside of Postfix. Files: cleanup/cleanup_addr.c.
	cleanup/cleanup_envelope.c cleanup/cleanup_extracted.c.

20030417

	Feature: the SMTP client now falls back to native name
	service lookups (including /etc/hosts) when a host cannot
	be found in the DNS. This is controlled by a new parameter
	smtp_host_lookup (default: dns, native). Files: smtp/smtp.c,
	smtp/smtp_addr.c.

20030418

	Bugfix: "sendmail -t" broke with unrecognized message
	headers.

20030419

	Feature: "postcat -q" searches the queue for the named
	file.

	Cleanup: made postcat "record names" output more consistent.

20030421

	Debugging: added some extra detailed error logging to the
	pipe-to-command delivery, to help folks with bizarre file
	truncation problems. File: global/pipe_command.c.

20030424

	Cleanup: readlline() did not terminate the result before
	complaining about lines starting with whitespace.

	Cleanup: eliminated valid_hostname warning for invalid
	queue file names. File: global/mail_queue.c.

	Bugfix: lost three lines of code when readying the postcat
	command for release, which broke postcat -q. File:
	postcat/postcat.c.

	Bugfix: the Postfix sendmail command applied the message
	size limit when running as newaliases. The limiting code
	is now moved to the message enqueuing branch of the code.
	File: sendmail/sendmail.c.

	Documentation: start of documentation for the algorithm of
	Patrik Rak's clever queue manager scheduler (nqmgr). Files:
	conf/sample-scheduler.cf, README_FILES/SCHEDULER_README.

20030429

	Bugfix: while verifying an address, the LMTP client entered
	a forbidden "next" sender state after the last recipient.
	Fix by Vladimir Davydoff. File: lmtp/lmtp_proto.c.

	Bugfix: "," was not recognized in proxy_read_maps settings.
	Fix by Leandro Santi. File: proxymap/proxymap.c.

20030502

	Bugfix: defer delivery after .forward etc. file read error.
	File: local/token.c. Problem reported by Ben Rosengart,
	Panix.

20030503

	Bugfix: the Postfix LMTP client used the wrong service
	name, causing trouble with SASL 2.1.13.  Daniel Schales,
	Louisiana Tech. File: lmtp/lmtp_sasl_glue.c.

20030518

	Workaround: IRIX select() reports that a non-blocking file
	descriptor is writable while write() transfers zero bytes.
	File:  util/vstream.c. Superseded by change 20030523.

20030520

	Cleanup: future time stamps in Received: headers and negative
	delays in delivery agent logging after "postdrop -r",
	because deferred queue files had future file modification
	times.  File:  src/postsuper/postsuper.c.

20030521

	Cleanup: nqmgr warnings about "recipient count mismatch"
	after "postdrop -r", because the cleanup server did not
	count the "already done" recipients. Problem reported by
	Richard Stockton, Gramma Software. Files:
	cleanup/cleanup_envelope.c, cleanup/cleanup_extracted.c.

20030523

	Workaround: IRIX select() reports that a non-blocking file
	descriptor is writable while write() transfers zero bytes.
	File:  global/pipe_command.c.

20030523-20030605

	Cleanup: rewrote the queue file record processing loops in
	pickup, cleanup and in [n]qmgr. This code had deteriorated
	a lot as the result of small changes over the years. This
	change brings the code closer to "obviously correct". Files:
	cleanup/cleanup_envelope.c, cleanup/cleanup_extracted.c,
	*qmgr/qmgr_message.c.

	Cleanup: Postfix no longer produces queue files with
	backwards compatibility data for Postfix versions < 1.0
	(a.k.a.  20010228). Files: cleanup/cleanup_extracted.c,
	showq/showq.c.

	Performance: the queue manager no longer has to examine
	every queue file record before it can start deliveries.
	This helps to avoid thrashing with very large mailing lists.
	Postfix queue files have an extra field in the size record
	with queue manager processing hints.  This change is backward
	and forward compatible.  Files:  cleanup/cleanup_envelope.c,
	cleanup/cleanup_extracted.c, *qmgr/qmgr_message.c.

20030528

	Compatibility: "sendmail -q<time>" without -bd option now
	exits immediately, instead of waiting for input on the
	standard input stream and screwing up system boot sequences.
	File: sendmail/sendmail.c.

20030530

	Bugfix: client access denied with smtpd_delay_reject=no
	broke "sendmail -bs". Fix by Victor Duchovni, Morgan Stanley.
	File: smtpd/smtpd.c.

20030531

	Compatibility: allow <@site,@site:address> route addresses
	in SMTP commands.  File: smtpd/smtpd.c.

20030605

	Cleanup: input checks moved from the pickup daemon to the
	postdrop mail submission command; this is to prepare for
	direct mail submission from postdrop->cleanup without going
	through the maildrop directory and the pickup service.
	Files: pickup/pickup.c, postdrop/postdrop.c.

	Bugfix: the "dead host" backoff timer in the MySQL client
	didn't work.  Fix by Leandro Santi. File: util/dict_mysql.c.

	Bugfix: same problem in the PostgreSQL client. File:
	util/dict_pgsql.c.

	Workaround: turned off non-blocking write to pipe because
	too many systems give a weird write() result. File:
	global/pipe_command.c.

	Cleanup: added support for vstream_fseek(.., .., SEEK_END).
	File: util/vstream.c.

20030608

	Feature: separate address resolver controls for address
	verification probe messages:  address_verify_{local,virtual,
	relay,default}_transport, address_verify_relayhost, and
	address_verify_transport_maps. The default values are the
	regular versions of the same controls. Files: trivial-rewrite/*,
	global/resolve_clnt.[hc], *qmgr/qmgr_message.c.

20030609

	Workaround: Solaris blocking socket read() may hang.  Hernan
	Perez Masci and Leandro Santi. File: smtpd/smtpd.c.

	Bugfix: the "unread recipient" counter needs to be restored
	after the queue manager has a problem reading a queue file.
	Fix by Patrik Rak. File: nqmgr/qmgr_message.c.

20030610

	Cleanup: the verify server now uses asynchronous submission
	of mail probes, so it will no longer block for in_flow_delay
	seconds when mail arrives faster than it is delivered.
	Still need to make mail_stream_finish() asynchronous in
	order to avoid blocking for trigger_timeout seconds when
	the queue manager is overwhelmed.  Files:  global/post_mail.c,
	verify/verify.c.

	Bugfix: removed extraneous sleep() after the last attempt
	to retrieve address verification status.  File: smtpd/smtpd.c.

20030611

	Bugfix: the stricter postdrop input filter broke "sendmail
	-bs". Found by Lutz Jaenicke. File: smtpd/smtpd.c.

20030614

	Portability: Dropped support for client side LDAP caching.
	As of release 2.1.13 OpenLDAP no longer supports client
	side caching, it has been deprecated for some time, and
	never worked well.  Implemented by Victor Duchovni, Morgan
	Stanley, and further enhanced by Lamont Jones, HP. Files:
	src/util/dict_ldap.c, conf/sample-ldap.cf,
	README_FILES/LDAP_README.

	Safety: Given suitable invalid database contents, LDAP
	lookups can produce too many results, enter an infinite
	loop in the expansion of "special result attributes" (LDAP
	DNs and LDAP URLs) or just consume excessive server resources
	returning large result sets.  Three new (per LDAP map)
	configuration parameters enable one to set limits on
	recursive nesting, result expansion and the server response
	"entry" count. Implemented by Victor Duchovni, Morgan
	Stanley, further enanced by Lamont Jones, HP. Files:
	src/util/dict_ldap.c, conf/sample-ldap.cf,
	README_FILES/LDAP_README.

20030616

	Feature: in mail delivery status reports, report the sender
	address as X-Postfix-Sender. Matthias Andree. File:
	bounce/bounce_notify_util.c.

	Cleanup: in mail delivery status reports, transform the
	original recipient into xtext format as required by RFC
	1891. Files: bounce/bounce_notify_util.c, util/xtext.[hc].

	Cleanup: more accurate "postfix check" warning for files
	that miss one or more of the required mode 02111 execute
	permission bits. Matthias Andree. File: conf/postfix-script.

20030618

	After "postfix reload", the master daemon now warns when
	inet_interfaces has changed, and ignores the change, instead
	of passing incorrect information to the smtp server. File:
	master/master_ent.c.

20030619

	Feature: the Postfix SMTP server can send all mail into a
	proxy server, for example a real-time SPAM filter. This
	proxy is supposed to send the mail into another Postfix
	SMTP server process for normal delivery. Files: smtpd/smtpd.c
	smtpd/smtpd_proxy.[hc].

20030620

	Bugfix: a cut-and-paste error caused the proxy server's
	354 status code to be reported when a proxy connection
	broke during the DATA phase. File: smtpd.c.

20030620

	Bugfix: after the last change to postdrop, postcat no longer
	recognized maildrop files as valid. File: postcat/postcat.c.

	Bugfix: after moving "sendmail -t" address extraction to
	sendmail, "-t" broke multi-line recipient headers.  Victor
	Duchovni, Morgan Stanley. File: sendmail/sendmail.c.

20030621

	Workaround: the safe_open(O_CREAT) race condition exploit
	avoiding code tries a little harder when it encounters a
	race condition. File: util/safe_open.c.

20030624

	Bugfix: reject_unverified_address() set the defer_if_reject
	flag when the verify service was unavailable (which never
	happens). Victor Duchovni, Morgan Stanley. File:
	smtpd/smtpd_check.c.

	New parameters address_verify_poll_{count,delay} that
	control how often to poll the address verification service
	for the completion of an address verification request.
	Specify address_verify_poll_count=1 to implement a crude
	form of greylisting, that is, always defer the first delivery
	attempt for an unknown address.  File: smtpd/smtpd_check.c.

	Bugfix: after the last change to postdrop, postcat no longer
	recognized non-maildrop queue files as valid. File:
	postcat/postcat.c.

20030629

	Cleanup: replaced references to "simulated virtual domains"
	by "virtual alias domains". Victor Duchovni, Morgan Stanley.

20030630

	Feature: smtp_quote_rfc821_envelope=(yes|no) to control
	RFC 821 style quoting of MAIL FROM and RCPT TO addresses.
	Files: global/mail_params.h, smtp/smtp.c, smtp/smtp_proto.c.

20030701

	Bugfix: multi-recipient probes triggered a bug in the SMTP
	client.  File: smtp/smtp_proto.c.

	Feature: enable_original_recipient (default: yes) to control
	whether Postfix keeps track of original recipient address
	information. Victor Duchovni, Morgan Stanley.  Files:
	cleanup/cleanup.c, cleanup/cleanup_init.c,
	cleanup/cleanup_out_recipient.c, global/log_adhoc.c,
	global/mail_copy.c, *qmgr/qmgr_message.c.

	Feature: !/pattern/ support for PCRE lookup tables.  Victor
	Duchovni, Morgan Stanley.  Files: util/dict_pcre.c.

	Cleanup: allow whitespace after patterns in repexp and pcre
	tables. Victor Duchovni, Morgan Stanley.  Files:
	util/dict_pcre.c, util/dict_regexp.c.

20030702

	Feature: CIDR lookup table support, very remotely based on
	code by Jozsef Kadlecsik. Files: proto/cidr_table,
	util/dict_cidr.[hc].

	Feature: TCP lookup table support, finally finished.  Files:
	proto/tcp_table, proto/dict_tcp.[hc].

20030705

	Feature: new receive_override_options parameter controls
	what happens before or after an external content filter:
	rejecting unknown recipients, canonical and virtual address
	mapping, address masquerading, automatic BCC recipients
	and header/body checks. This eliminates the need to configure
	multiple cleanup services in the master.cf file.

20030707

	Feature: context dependent SASL security options (i.e.
	different options when TLS is enabled/disabled). Lutz
	Jaenicke.  Files:  */*sasl_glue.[hc].

20030708

	Hardened the attr_scan routines for exposure to an untrusted
	environment, in preparation for possible use with SMTP
	policy delegation to an external server.

	Feature: address filter for RBL lookups, for use with
	multi-valued RBL services. File: smtpd/smtpd_check.c.

20030709

	Cleanup: use off_t instead of int for VSTREAM file offsets.
	This was needed for mailboxes > 2GB on 32-bit systems.
	Files: util/vstream.c, global/mail_copy.c.

20030710

	Support for multiple A and TXT results in RBL lookups.
	Victor Duchovni, Morgan Stanley.  File: smtpd/smtpd_check.c.

	Support for attribute-based query-reply protocols.  Files:
	util/attr_clnt.[hc], util/auto_clnt.[hc].

20030711

	Support for plain "name=value\n" attribute protocol.  Files:
	util/attr_{scan,print}_plain.c.

	Bugfix: the LMTP session caching code did not reset the
	EHLO server feature list when it needed to reconnect.
	Problem found by Tobias Erbsland.

20030712

	Feature: delegated SMTP policy server. As an example, see
	the greylisting server in examples/smtpd-policy.  Specify
	"check_smtpd_policy_service" in smtpd_mumble_restrictions.
	See SMTPD_POLICY_SERVICE_README for details.

20030716

	Bugfix: in the sample policy server, changed "ok" into
	"dunno" so the server can be used in the middle of a
	restriction list.

	Cleanup: when an RBL reply has multiple TXT records,
	concatenate them up to some reasonable limit, instead of
	selecting one randomly.  File:  smtpd/smtpd_check.c.

	Safety: always truncate SMTP server error replies to 512
	bytes.  File: smtpd/smtpd_check.c.

20030717

	Documentation: added description of policy_time_limit to
	the SMTPD_POLICY_README document.

	Documentation: corrected the command time limit parameter
	syntax in the spawn(8) manual page.

	Feature: defer_if_permit and defer_if_reject actions in
	access tables, mainly for use by the delegated policy
	server. Files: smtpd/smtpd_check.c, proto/access.

20030725

	The dict_pgsql module did not use dict_alloc() and dict_free(),
	causing improper initialization and a memory leak. Leandro
	Santi. File: util/dict_pgsql.c.

	Cleanup: added open_flags sanity checks to the dict_pgsql
	and dict_mysql modules. These maps must be opened in
	read-only mode.

20030731

	Bugfix: virtual(8) was changed to use mail_addr_find()
	instead of virtual8_maps_find(), but the SMTP server's
	virtual mailbox recipient validation was not updated.

20030804

	Bugfix: the 20030712 safety against invalid DNS results
	was broken. Reported by Ralf Hildebrandt. File:
	dns/dns_lookup.c.

20030805-12

	Safety: the pipe daemon now defers delivery with a warning
	when it is given a non-existent command-line macro name.
	File:  pipe/pipe.c.

20030810

	Bugfix: dict_ldap had a few harmless memory leaks.  By
	Liviu Daia.  File: util/dict_ldap.c.

	Feature: support for LDAP URLs in the LDAP parameter
	"server_host", if Postfix is linked against OpenLDAP.  This
	allows Postfix to connect to LDAP SSL sources.  By Liviu
	Daia.  File: util/dict_ldap.c.

20030811

	Cleanup: produce a warning when host:port specifies a badly
	formatted numerical port.  Files:  util/find_inet.c,
	smtp/smtp_connect.c, lmtp/lmtp_connect.c.

20030822

	Feature: the export_environment and import_environment
	parameters now accept name=value information that will be
	entered into the new environment. File: util/clean_env.c.

20030823

	Feature: smtpd_sasl_exceptions_networks parameter to prevent
	Postfix from offering AUTH  to clients that match the listed
	networks. Based on code by Ben Rosengart, Panix. Files:
	conf/sample-auth.cf, smtpd/smtpd.c.

20030902

	Portability: the Postfix master resets the file size to
	the largest possible off_t value when the actual limit
	appears to overflow the off_t range. Files: util/sys_defs.h,
	util/file_limit.c. A fine sample of bit banging.

20030905

	Workaround: Solaris 8 select() claims that a non-blocking
	socket is readable and then read() fails with EAGAIN. Files:
	util/timed_read.c and as precautionary measure,
	util/timed_write.c.

	Bugfix: dict_register() should not be called from dict_open()
	in dict_mysql and dict_pgsql.  Liviu Daia.  Files:
	util/dict_mysql.c, util/dict_pgsql.c.

	Feature: LDAP parameters can now be specified in external
	files.  This makes it possible to securely store bind
	passwords for plain auth outside of main.cf (which is world
	readable).  By Liviu Daia, based on a suggestion by Victor
	Duchovni and Lamont Jones.  File: util/dict_ldap.c.

	Feature: STARTTLS option for LDAP, if Postfix is linked
	against OpenLDAP.  By Liviu Daia, amended by Victor Duchovni.
	File:  util/dict_ldap.c.

	Cleanup: connections to LDAP sources are now postponed
	until they are actually needed.  By Liviu Daia.  File:
	util/dict_ldap.c.

20030908

	The 20030905 Solaris workaround triggers too many warnings.
	TCP sockets are back to blocking, and keepalives are turned
	on to kill off dead sockets, as suggested by Leandro Santi.
	Files: master/{single,multi}_server.c, smtpd/smtpd.c,
	util/sys_defs.h.

20030909

	Bugfix: the LMTP session caching code had problems with
	SASL authentication after the first connection, and pipelining
	was working poorly.  Fix by Victor Duchovni, Morgan Stanley.
	Files: lmtp/lmtp.c, lmtp/lmtp_proto.c.

20030912

	Workaround: besides SMTP server sockets, SMTP client sockets
	can also hang on Solaris, as reported by Leandro Santi. In
	order to deal with this at the root, all connection management
	is now done by sane_accept() and sane_connect().  Both turn
	on keepalives on Solaris.

20030913

	Safety: set-gid commands don't trust TZ.  File: msg_syslog.c.

20030914

	Address extension propagation wasn't documented enough when
	it was added to Postfix. Based on patches by Roman Neuhauser.

	Added clarifying notes to main.cf, master.cf and access by
	Dean Gibson.

	In header/body_checks, DUNNO is now the preferred action
	instead of the now deprecated OK. This may confuse fewer
	people.

	In header/body_checks, allow text after IGNORE and DUNNO,
	suggested by Victor Duchovni, Morgan Stanley.  File:
	src/cleanup/cleanup_message.c.

	Feature: reject_rhsbl_helo. File: smtpd/smtpd_check.c.

	Bugfix? The LMTP and SMTP clients now send "MAIL FROM:<sender>
	AUTH=<>" when SASL authenticated. Suggested by by Victor
	Duchovni, Morgan Stanley. Files: smtp/smtp_proto.c,
	lmtp/lmtp_proto.c.

20030915

	Bugfix: mail rejected by the before-queue content filter
	was mis-labeled as a software error; it should be labeled
	as a policy error instead. File: smtpd/smtpd.c.

	Cleanup: postcat is now null-byte transparent. File:
	postcat/postcat.c.

20030916

	Feature: ``check_{sender,recipient}_mx_access maptype:mapname''
	applies the named Postfix access table to the MX host name
	and IP addresses for the sender or recipient address. If
	no MX record is found, the A record is used instead. File:
	smtpd/smtpd_check.c.

	Feature: ``check_{sender,recipient}_ns_access maptype:mapname''
	applies the named Postfix access table to the DNS server
	hostname and IP addresses for the sender or recipient
	address. If no NS record is found, the parent domain is
	used instead. File: smtpd/smtpd_check.c.

20030917

	Feature: ``check_helo_{ns,mx}_access maptype:mapname'',
	same semantics as sender and recipient.

	Multiple LDAP lookup tables in the one Postfix process now
	share one LDAP connection. Code by Victor Duchovni, Morgan
	Stanley.  File: util/dict_ldap.c.

	Performance: with prefix_domain specified for an LDAP lookup
	table, lookups of @domain are skipped. Code by Victor
	Duchovni, Morgan Stanley.  File: util/dict_ldap.c.

	Safety: check_mumble_{mx,ns}_access refuses to be used for
	whitelisting. The Postfix SMTP server will reject the
	request with "451 server configuration error" and will log
	a warning explaining why. File: smtpd/smtpd_check.c.

20030918

	Bugfix: check_mumble_ns_access did not correctly look up
	NS records of parent domains, causing mail to be deferred
	with a 450 status code. File: smtpd/smtpd_check.c.

20030919

	Robustness: check_mumble_{mx,ns}_access skip over DNS lookup
	failures instead of deferring mail. This is not as bad as
	it appears to be because the restrictions can't be used
	for whitelisting.  File: smtpd/smtpd_check.c.

20030920

	Bugfix: the 20030917 LDAP connection sharing code introduced
	a compilation problem with non-OpenLDAP implementations.
	Fix by Liviu Daia. File: util/dict_ldap.c

	Compatibility: the LDAP server_host parameter now supports
	all the usual Postfix list element delimiters. Some LDAP
	libraries support just SPACE, others SPACE and ",". Postfix
	now normalizes the host list into a space separated format.
	This is less surprising to Postfix users used to the full
	range of delimeters in other contexts. Implemented by Liviu
	Daia. File: util/dict_ldap.c

	Bugfix: after returning too old mail, the bounce daemon
	now locks the original queue file and deletes deferred
	recipients, to avoid repeated bounce notifications when
	the queue manager is restarted. Files:  bounce/*.[hc],
	global/bounce_log.[hc], global/{bounce,defer}.[hc] and
	everything that invokes these routines including queue
	manager and delivery agents.

20030922

	Feature: "XADDR address hostname" SMTP command, for SMTPD
	restriction debugging, and for sites with fetchmail-like
	software that extracts client information from the first
	Received:  header. The smtpd_authorized_xaddr_clients
	parameter specifies what clients are allowed to use XADDR
	(default: none).  Files:  smtpd/smtpd.c.

20031015

	Workaround: smtpd access maps should not apply subdomain
	name magic to numerical hostnames. File: smtpd/smtpd_check.c.

	Safety: the local delivery agent now defers delivery when
	alias lookup produces an empty result. File: local/alias.c.

20031019

	Workaround: disable request/reply size limit in attr_scan*.c
	to prevent mail from getting stuck when rewriting a malformed
	message header.  This limit was turned on with snapshot
	20030715 to harden the protocol that is used by SMTPD policy
	delegation. A "no code change" workaround is to specify
	"header_size_limit = $line_length_limit".  The proper fix
	is to enforce request/reply size limits only for data from
	outside of Postfix. Problem reported by Brandon Mullenberg,
	Dialup USA. Files:  util/attr_scan*.c.

	Feature: "XLOGINFO address hostname" SMTP command, so that
	Postfix daemons behind SMTPD pass-through proxies log useful
	client name/address information instead of localhost[127.0.0.1].
	The smtpd_authorized_xloginfo_clients parameter specifies
	what clients are allowed to use XLOGINFO (default: none).
	Files:  smtpd/smtpd.c.

	Cleanup: renamed the authorized_verp_clients parameter to
	smtpd_authorized_verp_clients for consistency.

20031021

	Workaround: the demo greylist script now uses BTREE instead
	of HASH files for hopefully better stability. The real fix
	is to use a single updater process that serves multiple
	clients. That approach seems to work well with the verify
	daemon. File: examples/smtpd-policy/smtpd-policy.pl.

20031022

	Safety: the SMTP server now warns when the queue_minfree
	value is less than twice the message size limit. File:
	smtpd/smtpd.c.

	Safety:  the SMTP server no longer accepts mail when the
	amount of free space is less than twice the message size
	limit.  File: smtpd/smtpd_check.c.

	Safety: log a warning and defer mail when canonical or
	virtual lookups return a non-address result (like a string
	that contains no address). File: global/mail_addr_map.c.

	Safety: log a warning and defer mail when any map lookup
	returns an empty string result, and explain that "no result"
	is expected in case of a "not found" condition. This happens
	with incorrectly implemented SQL or LDAP tables. File:
	global/maps_find.c.

20031023

	Bugfix: the MYSQL and PGSQL modules invoked dict_register().
	This was fixed a while ago but never made it into the
	distribution. Files: util/dict*sql.c.

	Robustness: added three ISSPACE() calls in the smtpd proxy
	parser. File: smtpd/smtpd_proxy.c.

20031024

	Portability: added localhost to mydestination for sites
	that turn off append_dot_mydomain. File: global/mail_params.h.

20031027

	Portability: MacOS X Bind8 compatibility. File: makedefs.

20031103

	Robustness: flush pipelined "." and "quit" replies to avoid
	repeated deliveries in case of a program crash (you know,
	the kind of thing that happens before Postfix release :-).
	File:  smtpd/smtpd.c.

20031105

	Portability: turn off NETINFO support for MacOS X Panther
	by default. Files: makedefs, util/sys_defs.h.

20031106

	Feature: the sample greylist policy server is now case
	insensitive.  File: examples/smtpd-policy/smtpd-policy.pl.

20031103-20031110

	Feature: preliminary defense against SMTP clients that
	hammer the SMTP server with too many simultaneous or
	successive connection attempts, with a whitelist capability
	to disable the restriction for authorized clients.  Most
	work is implemented by a new "anvil" server.  Parameters:
	smtpd_client_connection_count_limit, smtpd_client_connection-
	_rate_limit, smtpd_client_connection_limit_exceptions, and
	client_connection_rate_time_unit.  Documentation:  smtpd(8),
	anvil(8), sample-smtpd.cf. Files:  smtpd/smtpd.c,
	global/anvil_clnt.[hc], anvil/anvil.c.  The anvil server
	logs peak count and rate information per client when it
	terminates after running out of work or after "postfix
	reload".

20031110

	Cleanup: Postfix now supports the /0 netmask (match every
	address).  This is useful as a catch-all pattern at the
	end of a table.  Files:  util/dict_cidr.c, util/match_ops.c.

	Cleanup: don't report that $queue_directory/etc/filename
	differs from /etc/filename when /etc/filename does not
	exist.  File: conf/postfix-script.

20031112

	Feature: client_connection_status_update_time parameter
	controls periodic logging of maximal connection counts or
	rates.  The default logging interval is 10 minutes.

	Feature: "make makefiles WARN=stuff..." overrides the
	built-in GCC warning options that are used when "make" is
	invoked from within a source subdirectory. Files:  makedefs,
	*/Makefile.in.

20031125

	Feature: qmgr logs "queueid: deleted", just like postsuper,
	when it removes a message from the mail queue.

	Performance: smtpd connects to the cleanup or proxy server
	AFTER the first valid RCPT TO command, instead of after
	the first valid MAIL FROM command. This avoid wasting
	real-time proxy filter resources when mail is stopped by
	the SMTP server's access blocks.  File: smtpd/smtpd.c.

20031126

	Bugfix: "panic: mymalloc: requested length 0" when master.cf
	specified an invalid host name or address.  Postfix now
	logs more specific information. File:  master/master_ent.c.
	Reported by several people.

20031125-20031201

	Feature: XCLIENT support to override the SMTP server's
	client information for logging and/or access control. This
	replaces the short-lived XADDR and XLOGINFO extensions.
	Remotely based on code by Victor Duchovni.  See FILTER_README
	and SMTPD_PROXY_README for usage details. Files:
	smtpd/{smtpd,smtpd_check,smtpd_proxy,smtpd_xclient}.c
	smtp/smtp_smtp_proto.c, *qmgr/qmgr_message.c,
	global/deliver_request.c.

20031202

	Cleanup: postfix-files now has support for files that are
	no longer part of Postfix. When upgrading Postfix, the
	post-install script gives the user a reminder. Files:
	conf/postfix-files, conf/post-install.

20031203

	Support for SMTPD access map actions (FILTER, REDIRECT,
	HOLD or DISCARD) that are delegated to the cleanup server,
	but can trigger before the first valid recipient address
	is accepted (and thus, before a cleanup server connection
	is available).  Files:  smtpd/{smtpd,smtpd_state,smtpd_check}.c.

20031204

	Bugfix: conf/post-install didn't skip non-existent obsolete
	files.  Victor Duchovni.

	Minor cleanups of the xclient error messages; xclient
	command lookup tables. File: smtpd/smtpd.c.

20031206

	Feature: reject_sender_login_mismatch allows multiple owners
	of a sender address.  Code by Liviu Daia.  Files:
	smtpd/smtpd_check.c and documentation.

	reject_sender_login_mismatch is now implemented by elementary
	features reject_unauthenticated_sender_login_mismatch
	(reject if the client is not SASL logged in but the sender
	address has an owner in smtpd_sender_login_maps) and
	reject_authenticated_sender_login_mismatch (reject if the
	client is SASL logged in but does not own the sender
	address).  Code by Liviu Daia.  Files: smtpd/smtpd_check.c
	and documentation.

20031207

	Bugfix: fallback_transport and mailbox_transport were broken
	because the deliver_pass.c module was not updated for the
	changed message delivery protocol.

20031211

	Safety: in dynamically growing data structures, update the
	length info after (instead of before) updating the data
	size. Files:  util/argv.c, util/inet_addrlist.c, util/intv.c,
	util/mvect.c, util/vstring.c, global/recipient_list.c,
	*qmgr/qmgr_rcpt_list.c.

20031212

	Cleanup: separate extensions XCLIENT (impersonate SMTP
	client) and XFORWARD (down-stream logging of up-stream MTA
	and/or message information, not necessarily SMTP related).
	The protocol is extensible: the server advertises what
	attributes XCLIENT or XFORWARD will accept, and it is an
	error to send an unsupported attribute.  No xtext encoding
	is used, since no attribute currently needs it.  See also:
	XCLIENT_README and XFORWARD_README.

20031214

	Feature: XFORWARD support in the LMTP client.

20031215

	Safety: updated mail_queue_id_ok() for long fast flush
	logfile names. File: global/mail_queue.c.

	Robustness: save and restore the resolver _res.options
	settings before and after DNS lookup, to avoid surprises
	in third-party code. This may eliminate some "localhost
	not found" problems. File: dns/dns_lookup.c.

20031216

	Cleanup:  easier to parse mailq output (no more space
	between short queue ID and message status).  File:
	showq/showq.c.

20031216-21

	Cleanup: the SMTP client now moves on to the next MX host
	or fallback relay when delivery fails in the middle of an
	SMTP session. This includes both broken connections and
	4xx SMTP server replies.  Files:  smtp/smtp.c, smtp_rcpt.c,
	smtp/smtp_connect.c, smtp_trouble.c.

	Configuration parameters: smtp_mx_address_limit (limit the
	list of IP addresses from MX lookup), and smtp_mx_session_limit
	(limit the number of actual SMTP sessions per delivery
	attempt, ignoring unusable MX IP addresses).

	The new code centers around a mark-and-sweep algorithm
	(replacing code that twiddled the rcpt->offset structure
	member), with paranoid sanity checks to ensure that every
	recipient is explicitly accounted for.

20031217

	Update: LDAP client logging (Liviu Daia) and LDAP client
	documentation (Victor Duchovni). Files: util/dict_ldap.c,
	conf/sample-ldap.cf, README_FILES/LDAP_README.

20031222

	Cleanup: shaved half the worst-case bits off the cleanup
	duplicate address filter footprint. After discussion with
	Victor Duchovni. File: cleanup/cleanup_out_recipient.c.

	Safety: added "mail loops to myself" logic for destinations
	that don't have an MX host.  File: smtp/smtp_addr.c.

20031223

	Workaround: turn off "mail loops to myself" for non-MX
	destinations because it breaks SMTP-based content filters.
	Fix is to turn off loop detection when a non-default TCP
	port is specified.  File: smtp/smtp_addr.c.

	Bugfix: restore errno after write failure in SIGCHLD handler.
	Leandro Santi (who got the idea from Hernan Perez Masci).
	File: master/master_sig.c.

	Bugfix: the auto_clnt module disconnected too early, causing
	unnecessary work by the anvil server.

	Cleanup: eliminated binary hashes from anvil server. Anvil
	client information is now stored on top of its VSTREAM.

20031226

	Feature: bounce_queue_lifetime parameter (default:
	$maximal_queue_life_time) that bounds the time that
	MAILER-DAEMON messages spend in the queue before they are
	considered undeliverable.

	Feature: disable "mail loops back to myself" protection
	when SMTP mail is sent to a non-standard port. This makes
	setting up content filters less painful.

	Cleanup: disallow bare x.x.x.x numeric IP addresses in
	email addresses. The form user@[x.x.x.x] is still allowed.

	Cleanup: cleaned up the naming of internal symbols in the
	SMTP client.

20031231

	Bugfix: stricter address syntax test broke "sendmail -bs".
	File: smtpd/smtpd.c.

20040101

	Cleanup: the Postfix SMTP server rejects a MAIL FROM address
	that matches a local, virtual or relay domain, while the
	address is not listed in the corresponding local, virtual
	or relay recipient table.

	Feature: the reject_unlisted_sender(recipient) SMTPD access
	restriction rejects an address that matches a local, virtual
	or relay domain, while the address is not listed in the
	corresponding local, virtual or relay recipient table.

	Compatibility: the check_recipient_maps restriction works
	like reject_unlisted_recipient, but will eventually be
	removed from Postfix.

20040102

	Misc documentation cleanup by Loic Minier.

20040104

	Workaround: MacOSX dumps core on the 20030913 TZ censoring
	code. We explictly set TZ=UTC, which will produce incorrect
	results when "mailq" formatting is moved from the showq
	daemon to the postqueue command.   File: msg_syslog.c.

	Feature: after mail is requeued with "postsuper -r", the
	pickup server logs the old queue ID together with the new
	queue ID.  Victor Duchovni. File: pickup/pickup.c.

	Feature: smtpd_sasl_application_name parameter (default:
	smtpd) to control the name of the SASL configuration file
	used by the Postfix SMTP server. Liviu Daia. Files:
	mail_params.h, smtpd.c, smtpd_sasl_glue.c.

	Cleanup: the LDAP client configuration parser is now shared
	between the LDAP, MySQL, and PGSQL clients.  Liviu Daia.
	Files: global/cfgparser.[hc], global/dict_ldap.c,
	global/dict_mysql.c, global/dict_pgsql.c and documentation.

	Cleanup: moved "util" modules with dependencies on higher-level
	"global" code from the util directory to the global directory:
	util/dict_open.c, global/cfgparser.[hc], global/dict_ldap.c,
	global/dict_mysql.c, global/dict_pgsql.c, global/mail_dict.c.

	Cleanup: the new queue manager nqmgr replaces the default
	queue manager qmgr, leaving behind a hard link for backwards
	compatibility. The old queue manager remains available as
	as oqmgr but will eventually be removed.

	Bugfix: vstring_get() etc. now return VSTREAM_EOF when they
	terminate prematurely, instead of returning the last
	character stored.  This avoids mis-leading warnings. File:
	global/vstring_vstream.c.

20040105

	Cleanup: don't bother the flush daemon while deferring mail
	if the destination is not "fast flush" eligible. File:
	global/flush_clnt.c.

	Safety: the SMTP server flushes recipients to the cleanup
	server in order to avoid SMTP timeouts when virtual or
	canonical expansions take a lot of time. File smtpd/smtpd.c.

	Safety: add warnings to postmap and postalias when table
	lookup results in an empty string.

20040110

	Example: script to run qmail-local from Postfix by Ron
	Bickers.

	Change: queue minfree limit is now 1.5 * message size limit.
	File: smtpd/smtpd_check.c.

	Bugfix: apply hostname restriction even when host address
	lookup fails in check_{sender,recipient}_{ns,mx}_access.
	File: smtpd/smtpd_check.c.

20040115

	Performance: allow delivery concurrency to increase even
	while mail is deferred, as long as the delivery agent does
	not report really serious trouble with the destination.
	Files:  *qmgr/qmgr_deliver.c.

	Cleanup: in postfix-files, symbolic links and hard links
	are now first-class citizens with explicit mention of source
	and destination pathnames. Files: postfix-install,
	conf/postfix-files, conf/post-install.

20040116

	Cleanup: sendmail -v caused one mail delivery report upon
	every delivery attempt, not just the first one. The fix is
	to "kill" a queue file record after the first delivery
	attempt. This means a new record type. Files:  *qmgr/qmgr_active.c,
	*qmgr/qmgr_message.c, global/rec_type.c.

	Cleanup: in anticipation of other built-in rate limiters,
	the client_connection_rate_time_unit parameter is renamed
	to client_rate_time_unit.

	Documentation: finished the HOSTING_README file with an
	overview of methods to host domains with Postfix.

20040119

	Bugfix: anvil (count and rate limiting) server race condition
	could result in dangling pointer.  Postfix erases memory
	after allocating and before freeing, so it is extremely
	unlikely that this could be used to bring harmful data into
	the anvil server. File anvil/anvil.c.

20040120

	Cleanup: new header_checks(5) and body_checks(5) manual
	pages.  The sample-regexp* and sample-pcre* files are no
	longer needed and have been removed, as are the default
	*_table configuration files.

	Cleanup: support for the non-standard Errors-To: header is
	removed. File: cleanup/cleanup_message.c.

20040121

	Feature: "PREPEND headername: headervalue" action in Postfix
	access maps, to facilitate external policy servers that
	label mail instead of rejecting it. Files: smtpd/smtpd.c,
	smtpd/smtpd_check.c.

20040122

	UNDO the 20040104 change (vstring_get() etc. return
	VSTREAM_EOF when they terminate prematurely, instead of
	returning the last character stored, to avoid mis-leading
	warnings). File:  global/vstring_vstream.c.

	Portability: test -e is not portable. File: conf/postfix-script.

	Misc. documentation fixes by Victor Duchovni.

	Documentation: the README files are now hyperlinked, and
	are referenced in the on-line manual pages.

	Bugfix: the pickup daemon now strokes the watchdog frequently
	to prevent the watchdog from barking when mail arrives
	faster than it can be picked up. File: pickup/pickup.c.

20040123

	Feature: set smtpd_reject_unlisted_{sender,recipient}=no
	to turn off automatic rejection of non-existent local,
	virtual or relay addresses. This way it can be made
	conditional for local clients, always on for remote clients.
	Files:  global/mail_params.h, smtpd/smtpd.c, smtpd/smtpd_check.c.

20040124

	Feature: PREPEND in header/body_checks, for message tagging.
	File: cleanup/cleanup_message.c.

20040126

	Safety: handle the case that main.cf is updated while it
	is being read. File: util/dict.c.

	Feature: "instance" attribute that links policy etc. queries
	to the same message instance.

	Cleanup: the mynetworks setting may now be empty. File:
	global/mail_params.c.

20040127

	Bugfix: missing flush_init() call. Introduced 20040105.
	File: postqueue/postqueue.c.

20040128

	Cleanup: clnt_stream derived classes now try to detect that
	the server has disconnected before sending data and warning
	about an error. File: global/clnt_stream.c.

20040202

	Bugfix: changed mis-leading warning about text>4096 characters
	into "unexpected end-of-input". File: util/attr_scan0.c.

20040201

	Feature: sasl_method, sasl_username and sasl_sender attributes
	in smtpd policy queries. Files: src/smtpd/smtpd_check.c.

20040204

	Safety: smtpd_soft_error_limit now determines when
	$smtpd_error_sleep_time starts to take effect.

	Cleanup: local(8) and virtual(8) will now create maildirs
	in a world-writable directory. Files: util/make_dirs.c.

	Bugfix: don't panic on a corrupt queue file.  File:
	*qmgr/qmgr_message.c.

20040205

	Cleanup: sample-filter.cf is gone. Better documentation is
	available with "man header_checks".

20040209

	Bugfix: when delivery to smtpd_proxy_filter fails, report
	"451 Queue file write error" instead of repeating the
	previous "354 End data with <CR><LF>.<CR><LF>" response.
	File:  smtpd/smtpd.c.

20040220

	Compatibility: accept and ignore the sendmail -bh and -bH
	mode of operation requests.

20040302

	Bugfix: SMTPD proxy didn't send QUIT as the result of code
	duplication. Evidence reported by Mark Martinec. File:
	smtpd/smtpd.c.

20040311

	Bugfix: bad address syntax was passed to transport map
	lookups.  Problem reported by Andrei Koulik. File:
	util/match_ops.c, trivial-rewrite/resolve.c.

20040324

	Portability: ekkoBSD support by Philip Reynolds.  Files:
	makedefs, util/sys_defs.h.

20040325

	Cleanup: smtp_skip_4xx_greeting and smtp_skip_5xx_greeting
	functionality is moved from connection management to SMTP
	protocol processing, so that Postfix now logs the server
	response when a server refuses to provide service.  Files:
	smtp/smtp_connect.c, smtp/smtp_proto.c.

	Cleanup: smtp_skip_4xx_greeting is no longer configurable;
	it is now permanently turned on.

20040326

	Workaround: in the trivial-rewrite server, turn on the code
	to strip trailing "." while rewriting addresses, and change
	the address resolver to strip trailing "." in a compatible
	manner.  This does not eliminate the problem that the SMTP
	server may use a different address for recipient validation
	than what the cleanup server uses for virtual alias mapping.

20040329

	Bugfix: the SMTP server did not log client (and SASL)
	information with the real-time content filter was enabled.
	Files: smtpd/smtpd.c, smtpd/smtpd_sasl_proto.c.

	Compatibility: smtpd_reject_unlisted_sender is turned off
	by default, to avoid trouble with with in-house software
	that sends out mail software with an unreplyable address.

20040331

	Bugfix: postdrop should not abandon mail submission after
	receiving a SIGHUP signal when SIGHUP was ignored by the
	parent process.  Victor Duchovni, Morgan Stanley.  File:
	postdrop/postdrop.c.

	Bugfix: parsing bug in PgSQL dictionaries causing UNIX
	sockets to be ignored. Liviu Daia. Files: global/dict*sql.c.

	Performance: allow MySQL and PgSQL database connections to
	be closed when idle for more than 1 minute; Liviu Daia.
	Files: global/dict*sql.c.

20040401

	Sanity: the SMTP server no longer accepts sender or recipient
	addresses that end in the "@" null domain, as well as
	addresses that rewrite into such a form.  Specify
	"resolve_null_domain=yes" to get the old behavior back.
	File:  trivial-rewrite/resolve.c.

20040402

	Cleanup: added WARN action support for access maps, for
	consistency with the WARN action in header and body checks.
	File:  smtpd/smtpd_check.c.

20040407

	Bugfix: missing return statement at the end of the
	FREE_MEMORY_AND_RETURN error handling macro. Adi Prasaja.
	File: trivial-rewrite/resolve.c.

20040411

	Future proofing: client_rate_time_unit is renamed to
	anvil_rate_time_unit, so that it is no longer limited to
	clients only. File: src/global/mail_params.h.

	Cleanup: postalias and postmap now log problems to syslogd.
	Files: postalias/postalias.c, postmap/postmap.c.

20040413

	Feature: "postfix set-permissions" (re)sets ownership and
	access permissions of Postfix files and directories.

	Feature: "postfix upgrade-configuration" updates main.cf
	and master.cf. This is for people who people copy over
	their old files after installing a newer Postfix version.

	Feature: HTML files are now optionally installed under
	control of the html_directory configuration parameter.
	Files: postfix-install, conf/postfix-files, conf/post-install.

	Cleanup: README file installation is now optional.  Files:
	postfix-install, conf/postfix-files, conf/post-install.

20040414

	Cleanup: references to sample-mumble.cf files removed,
	conf/mumble_table files removed, new commands added to
	conf/postfix-script.

	Cleanups: function declared int but used as void, missing
	include file, missing const qualifier, unused variable.
	Matthias Andree. Files:  bounce/bounce_notify_util.c,
	bounce/bounce_service.h, postlog/postlog.c, smtpd/smtpd_check.c,
	util/attr_scan64.c.

	Bugfix: more robust version of SIGHUP test of 20040331.
	Victor Duchovni, Morgan Stanley. File: postdrop/postdrop.c.

	Safety: added NOCLOBBER qualifiers to local variables that
	might be clobbered by longjmp(). Files: util/sys_defs.h,
	smtp/smtp_proto.c, lmtp/lmtp_proto.c, smtpd/smtpd_check.c,
	smtpstone/smtp-source.c.

	Bugfix: sub-level Makefiles no longer turned on the extra
	compiler warnings. Files: Makefile.in.*, makedefs.*.

20040415

	Bugfix: the LMTP client attempted to reuse a connection
	after timeout, causing protocol synchronization errors.
	Reported by Rob Mueller. File: lmtp/lmtp.c.

20040416

	Cleanup: non-delivery reports now include the original
	recipient information. File: bounce/bounce_notify_util.c.

20040415-18

	Typos: many documentation fixes by Rob Foehl.

20040418

	Cleanup: "int" versus "const int" prototype mismatch between
	the DICT sequence method prototype and possible implementations.
	Files: util/dict_db.c, util/dict_dbm.c.

20040419

	Bugfix: the code that rejects client/helo RESTRICTIONS with
	smtpd_delay_reject=no looked at the wrong evidence and
	rejected client/helo ACCESS MAP lookups instead. Michael
	Tokarev. Files:  smtpd/smtpd.c, smtpd/smtpd_check.c.

	Bugfix: missing # in master.cf in optional submission
	service.

20040420

	Bugfix: smtpd logged the client too often. Michael Tokarev.
	File: smtpd/smtpd.c.

	Cleanup: client_event_status_update_time renamed to
	anvil_status_update_time. Files: mantools/postlink,
	proto/postconf.proto, anvil/anvil.c.

20040421

	Workaround: allow pipelined SMTP clients to overshoot the
	SMTP server recipient limit without triggering the server
	hard error limit.  The SMTP server does not count "too many
	recipients" towards the hard error limit, as long as the
	number of excess recipients stays within a configurable
	overshoot limit (default: smtpd_recipient_overshoot_limit
	= 1000).  Solution in cooperation with Victor Duchovni.
	Files:  smtpd/smtpd.c, smtpd/smtpd_state.c, smtpd/smtpd.h.

20040502

	Missing test for a never used flag (the problematic and
	thus never completed INSPECT feature that doesn't re-inject
	mail into Postfix).  Victor Duchovni, Morgan Stanley. File:
	virtual/virtual.c.

20040503

	Bugfix: missing "sasl enabled" guard in the SMTPD policy
	client.  File: smtpd/smtpd_check.c.

20040606

	Portability. UnixWare has strcasecmp() in strings.h.  Patch
	by Andreas Winkelmann. File: util/sys_defs.h.

	Portability. The postlink script is transformed from sed(1)
	to perl(1).

20040608

	Portability. Introduced SET_H_ERRNO() macro for compilation
	environments where h_errno can't be used as an lvalue.
	Files:  util/sys_defs.h, dns/dns_lookup.c.

	Portability. Eliminate assumption on bits per byte from
	vbuf_print.c.

20040614

	Bugfix: the SMTP client did not reset per-session EHLO,
	SASL, and history information when opening a connection to
	an alternate SMTP server.  This is the result of abstraction
	no longer matching function. Reported and diagnosed by
	Victor Duchovni, Morgan Stanley.

	Bugfix: non-portable reuse of variadic argument lists.
	Fix by Victor Duchovni, Morgan Stanley. Files:  global/bounce.c,
	global/defer.c, global/sent.c, global/trace.c, global/verify.c.

	Portability: NetBSD 2.0 has changed from statfs to statvfs.
	John Heasley. File: util/sys_defs.h.

	Documentation: typo fixes by IKEDA Nozomu.

20040616

	Bugfix: one missed variadic argument list fix. Victor
	Duchovni, Morgan Stanley. File: global/verify.c.

	Bugfix: the resolver client cache should be context dependent
	because address verification probes may use a different
	route than normal mail deliveries. File: global/resolve_clnt.c.

	Safety: added similar context dependence to the address
	rewriting client in order to avoid trouble when Postfix is
	changed. File: global/rewrite_clnt.c.

	Bugfix: space in HELO commands could end up in XFORWARD
	commands.  File: smtpd/smtpd.c.

20040619

	Code reorganization: in preparation for SMTP session caching,
	the SMTP client data structures were changed from the
	original "one session per delivery request" model to an
	explicit "multiple sessions per delivery request" model.
	This uncovered ESMTP and SASL missing re-initialization
	problems that were fixed in past week.  Design by Victor
	and Wietse, initial implementation by Victor Duchovni.

20040620

	Future proofing: after the reorganization of SMTP request
	state and session state, added code to the smtp client
	error handling routines to more consistently deal with the
	possibility that session information is not available.

20040621

	Feature: directory=pathname option for the pipe(8) delivery
	agent. This allows a command to run from a fixed directory.
	Failure to change directory causes delivery to be deferred.
	Files: pipe/pipe.c.

	Feature: command_execution_directory for local(8) delivery
	to external command. This supports the usual $home etc.
	expansions, subject to filtering with the character set
	specified with $execution_directory_expansion_filter.
	Failure to change directory causes delivery to be deferred.
	Files:  global/mail_params.h, local/command.c.

	Support for external command execution directory. Files:
	global/pipe_command.[hc].

20040622

	Safety: when mail is delivered to a transport with per-delivery
	recipient limit of 1, split the recipient address on the
	recipient delimiter if one is defined, so that extended
	addresses don't get extra delivery concurrency slots.
	Files: *qmgr/qmgr_message.c.

20040623

	Workaround for fragile clients: add microsecond time to
	maildir filename.  Files: virtual/maildir.c, local/maildir.c.

20040628-20040701

	SMTP connection caching work with Victor Duchovni.

	New module (later renamed to global/scache_single.c) for
	protocol-independent session caching.  The initial
	implementation supports in-process, single-session caching
	only.  A later version will support a central session cache
	daemon.  Some more work is needed for passivation/activation
	of session attributes.

	New function vstream_fdclose() to destroy a VSTREAM while
	leaving the underlying file(s) open. Files: util/vstream.[hc].

	New function dns_rr_remove() to remove one record from a
	resource record list. Some more work is needed to turn the
	list into a doubly-linked one. Files: dns/dns.h, dns/dns_rr.c.

	Restructuring of the SMTP protocol engine for session
	caching. File: smtp/smtp_proto.c.

	Restructuring of the connection management module, and
	first implementation of SMTP connection caching.  To enable,
	specify an smtp_connection_cache_time value greater than
	zero. The time unit is seconds. File: smtp/smtp_connect.c.

	New code to passivate and re-activate SMTP_SESSION objects,
	and isolation of session save/lookup in its own module.
	Files: smtp/smtp_session.c, smtp/smtp_reuse.c.

	Refinement: smtp_cache_reuse_limit parameter to bound the
	number of times a session may be reused.

	Refinements: when a session comes from the cache, give it
	back to the cache anyway (even when it will not be listed
	under the next-hop destination name).

	Future refinements should also include a bound on the number
	of consecutive and total non-delivering uses and other
	statistics.

20040714

	Bugfix: the code to eliminate the local MTA from the MX
	address list did not handle the case that inet_interfaces
	produced a less preferred match than proxy_interfaces.
	Victor Duchovni, Morgan Stanley. File: smtp/smtp_addr.c.

20040715

	Resume work on SMTP session caching.  All good sessions
	are now cached under their IP address. As before, only the
	first good session per delivery request is cached under
	the original next-hop destination.

	At this point, SMTP session caching works, with a session
	cache client module that uses in-process session caching.
	This is sufficient to demonstrate that the SMTP client is
	ready for session caching.

20040716

	New modules to send file descriptors from one process into
	another one. This will be needed for implementing a central
	connection cache manager daemon. Most systems use UNIX-domain
	sockets as the transport for this. On Solaris we use streams
	instead.  Applications are supposed to invoke LOCAL_SEND_FD()
	and LOCAL_RECV_FD().  Files: {unix,streams}_{send,recv}_fd.c.

20040717

	First implementation of a session caching client API that
	actually sends to/receives from a caching server process.
	The old in-process, single-session caching functionality
	is preserved as global/scache_single.c, so that we can use
	it for bootstrapping the session cache server. File:
	global/scache_clnt.c.

	First implementation of the scache session cache server,
	using the same in-process session caching code that was
	used to bootstrap the SMTP client.  File: scache/scache.c.

20040718

	Performance: the default RSET timeouts are reduced from
	120s to 20s.  Perhaps there should be different RSET timeout
	for address probes and for session cache checks. File:
	global/mail_params.h.

20040719

	Multi-session connection cache module. Implementing this
	was actually the easiest part of the entire connection
	caching project. File: global/scache_multi.c.

20040720

	Bugfix: event_drain() falsely reported a single-entry timer
	queue as empty.  File: util/events.c.

	Completed the multi-session cache support for SMTP. The
	code can be stress tested with a driver program that reads
	commands from a script. It is not practical to manually
	test the effects of collisions in the time or in name space
	domains. File:  global/scache.c.

20040721

	Feature: the session cache server now logs cache hit and
	miss statistics every $session_cache_status_update_time
	seconds (default: 600s), as well as upon process exit.
	File:  scache/scache.c.

20040722

	Workaround: LINUX 2.4 has trouble with mixed data and file
	descriptor traffic on UNIX-domain stream sockets.
	Specifically, it cannot handle data write (read) followed
	by file descriptor send (receive): the receiver hangs in
	recvmsg(). Workaround is to insert an intervening read
	(write) operation.  Presumably, LINUX 2.4 is confusing the
	data and file descriptor.  Lucky Ralf Hildebrandt.  Files:
	util/sys_defs.h, global/scache_clnt.c, scache/scache.c.

20040723

	Safety: spawn(8) now rejects a user with the -1 UID or GID
	value, so that commands will not end up running as root.
	Files:  util/spawn_command.c, spawn/spawn.c.

	User interface: parameter smtp_connection_cache_domains
	renamed to smtp_connection_cache_destinations. Destinations
	listed here must be specified without [] or :port.  File:
	smtp/smtp_connect.c.

	Bugfix: "421 Timeout exceeded" wasn't guarded by setjmp().
	Victor Duchovni, Morgan Stanley. File: smtpd/smtpd.c.

20040729

	Feature:  enable SMTP session caching temporarily while a
	postfix is able to schedule back-to-back deliveries.
	Parameter:  smtp_connection_cache_on_demand (default:
	yes).  Files:  smtp/smtp_connect.c, *qmgr/qmgr_entry.c,
	*qmgr/qmgr_queue.c, *qmgr/qmgr_deliver.c.

	Feature: smtp-source -N option to generate unique recipient
	addresses for (trivial-rewrite) stress testing. Victor
	Duchovni, Morgan Stanley. File: smtpstone/smtp-source.c.

20040730

	Safety: disallow "opportunistic session caching" when the
	queue manager is unable to schedule back-to-back deliveries.
	File: *qmgr/qmgr_entry.c.

20040731

	Hysteresis: turn on "opportunistic session caching" when
	back-to-back deliveries happen, but don't turn if off
	until both concurrent and back-to-back delivery ends.

20040801

	Workaround: disable session caching for Linux < 2.2 (does
	not work) or Glibc < 2 (does not compile).  Files:
	util/sys_defs.h, util/unix_{recv,send}_fd.c.

	Portability: h_errno is not an lvalue in the UnixWare 7.1
	multi-threaded environment. Olivier PRENANT.

20040812

	Bugfix: update SMTP server error counter when a client is
	denied access with smtpd_delay_reject=no.

20040816

	Bugfix: The smtp_chat_cmd() forced output flushing code in
	the SMTP client could run before an I/O error handler was
	set up.  Problem diagnosed by Victor Duchovni, Morgan
	Stanley. The fix is to disable the smtp_chat_cmd() forced
	output flushing code as it duplicates better code in
	smtp_loop(). File: smtp/smtp_chat.c.

	Safety: set up an I/O error handler before the smtp_loop()
	protocol engine starts; this handler logs a warning in case
	it ever runs, because that means someone broke ESMTP command
	pipelining.  File: smtp/smtp_proto.c.

	Feature: canonical_classes parameter by Kimmo Suominen, to
	control what addresses are rewritten by canonical_maps.
	Files: cleanup/cleanup_addr.c, cleanup/cleanup_message.c.

20040817

	Bugfix: update the vstream I/O time AFTER the completion
	of an I/O request, so that time-sensitive applications
	don't force flush output too soon and possibly trigger
	NAGLE delays.  Problem diagnosed by Victor Duchovni, Morgan
	Stanley. File: util/vstream.c.

	Portability: avoid postmap/postalias test file name clashes
	on Windows.  Ian Lance Taylor (of Taylor UUCP fame).

20040823

	Bugfix: vstream_popen() did not close the child pipe
	after failure to fork(). File: util/vstream_popen.c.

20040826

	Feature: support for systems with closefrom(), and emulation
	for those without. Andrew Brown. Files:  util/sys_defs.h,
	util/sys_compat.c.

20040827

	Feature: {sender,recipient}_canonical_classes parameters,
	which give better control than sender_canonical_classes.
	Files: cleanup/cleanup_addr.c, cleanup/cleanup_message.c.

	Feature: the proxymap client now recognizes when a map
	can't be proxied, and will open it directly instead.  This
	makes proxy maps easier to use for virtual mailbox domains.
	File: global/dict_proxy.c.

	Feature: smtp_sasl_mechanism_filter restricts what remote
	SMTP server mechanism names the Postfix SMTP client passes
	on to the SASL library.  Victor Duchovni, Morgan Stanley.
	Files: smtp/smtp.c.  smtp/smtp_sasl_glue.c, smtp/smtp_sasl_proto.c.

20040828

	User interface: when no recipients are specified, the
	Postfix sendmail command now terminates with status EX_USAGE
	instead of accepting the mail first and bouncing it later.
	This gives more direct feedback in case of a common client
	configuration error. File:  sendmail/sendmail.c.

20040829

	Portability: Solaris closefrom() support didn't work for
	non-SUN compilers. Victor Duchovni, Morgan Stanley.

20040830

	Feature: the scache(8) session cache manager now logs the
	peak counts of destinations, endpoints and sessions. Files:
	scache/scache.c, global/scache*c.

20040831

	Portability: disable session caching support on SCO 5
	because of incompatible sockets API. File: util/sys_defs.h.

20040913

	Bugfix (introduced 20020803): sent the wrong bounce message
	type when a Delivered-To: loop was detected for a mailing
	list alias.  Nicolas Riendeau. File: bounce_notify_util.c.

20040918

	Feature: authorized_flush_users, authorized_mailq_users,
	authorized_submit_users to restrict what users can flush
	the queue, list the queue, or submit mail locally.  Based
	on code by Victor Duchovni, Morgan Stanley. Files:
	sendmail/sendmail.c, postdrop/postdrop.c, postqueue/postqueue.c,
	global/user_acl.[hc].

	Feature: discard(8) mail delivery agent.  Victor Duchovni,
	Morgan Stanley. File: discard/discard.c.

20041002

	Long overdue, a master(5) manual page based on an initial
	version by Magnus Baeck.

	By popular demand, a postfix-manuals.html web page with
	totally useless links to UNIX-style manual pages (the same
	information should already be available simply by typing
	"apropos postfix"). To keep newbies from getting completely
	lost due to information overload, the document starts with
	a list of actually useful pointers to Postfix introductions,
	duplicated from the already existing documents.html.

20041006

	Bugfix: "sendmail -bv" did not reject the -t option.  File:
	sendmail/sendmail.c.

20041007

	Feature: SASL authentication attributes are now stored in
	queue files and passed on to delivery agents, by Leandro
	Santi. Files:  deliver_pass.c, deliver_request.c,
	qmgr_deliver.c, qmgr_message.c, pipe.c, smtpd.c.

20041009

	Feature: per SMTP client message rate limit and recipient
	rate limit, by Ragnar Lonn, GHN network technologies.
	Files: smtpd/smtpd.c, anvil/anvil.c, global/anvil_clnt.[hc].

	Incompatibility: smtpd_client_connection_limit_exceptions
	renamed to smtpd_client_event_limit_exceptions, because it
	now also controls message and recipient rate limit control.

20041013

	Portability: AIX 5.1/GCC.

20041014-23

	Postfix no longer appends the local domain to header
	addresses from remote clients.  Instead, Postfix either
	does not rewrite those headers at all, or it appends the
	domain specified with the new remote_header_rewrite_domain
	parameter.

	Postfix still appends $@myorigin or .$mydomain to headers
	from the Postfix sendmail command, or from clients listed
	with the new local_header_rewrite_clients parameter (default:
	permit_mynetworks, permit_sasl_authenticated).

	These changes affect the SMTP server (including XFORWARD
	support), the cleanup server (do or don't rewrite headers),
	the trivial-rewrite server (append local domain or surrogate
	remote domain to incomplete addresses), the queue manager
	(send additional attributes to delivery agents), the LMTP
	and SMTP clients (XFORWARD support), and the local delivery
	agent (preserve XFORWARD attributes when forwarding mail).

20041016

	Bugfix: attr_clnt_request() did not properly skip hash
	table arguments. Luc Pardon, Skopos Consulting. File:
	util/attr_clnt.c.

20041018

	The NIS+ module by Geoff Gibbs is now part of Postfix.
	Files: util/dict_nisplus.c, proto/nisplus_table.

20041019

	Support for Errors-To: is permanently removed.

20041022

	Bugfix: "smtp_connection_cache_on_demand=no" could crash
	the SMTP client. File: smtp/smtp_connect.c.

	Robustness: extra sanity checks. Files: util/dict_db.c,
	util/dict_dbm.c, dict_nis.c.

20041025

	Initial merge of Lutz Jaenicke's TLS patch. Initial rewrite
	of tlsmgr to eliminate some code duplication and to postpone
	calls into OpenSSL until after dropping privileges.

20041030

	Compatibility: "session cache" renamed to "connection cache"
	to avoid confusion with the TLS session cache.

20041102

	Feature: smtpd_end_of_data_restrictions allow you to specify
	restrictions at the end of the SMTP DATA command. The syntax
	is identical to that of the smtpd_data_restrictions feature.
	This introduces a new END-OF-DATA protocol state for the
	external policy server. Files:  proto/SMTPD_POLICY_README.html,
	proto/SMTPD_ACCESS_README.html, smtpd/smtpd_check.c.

20041111

	Cleanup: terminate the dict_eval() result buffer for verbose
	logging.  Victor Duchovni, Morgan Stanley. File: util/dict.c.

20041112

	Cleanup: be more careful when saving and restoring resolver(3)
	options to avoid problems with an HP-UX security patch
	(change introduced 20031215). File:  dns/dns_lookup.c.

20041115

	Bugfix: the test for "no debugger_command" was wrong.
	Leandro Santi. File: global/debugger_command.c.

20041117

	Robustness: the master-child protocol now includes a process
	generation number besides the child process ID.  The process
	generation number is incremented by one each time the master
	creates a child process. Child-to-master status updates
	with the wrong generation number are ignored, instead of
	triggering a consistency error in the master server.  Files:
	master/*server.c, master/master_status.c, master/master_spawn.c.

20041118

	Bugfix: the "local_header_rewrite_clients" feature (20041023)
	did not recognize "bare" lookup tables as documented.  Victor
	Duchovni, Morgan Stanley. File: smtpd/smtpd_check.c.

	Bugfix: the "local_header_rewrite_clients" feature (20041023)
	was broken because the local delivery agent passed on a
	bogus attribute value when forwarding internally generated
	mail, causing the mail to be rejected by the cleanup server.
	File: local/dotforward.c.

	Bugfix: the "local_header_rewrite_clients" feature (20041023)
	was broken because the pickup server always overwrote origin
	information. Files: pickup/pickup.c, cleanup/cleanup_state.c,
	*qmgr/qmgr_message.c.

	Workaround: enable the "can't write before sending a file
	descriptor" workaround for Solaris. Problem reported by
	Victor Duchovni for Solaris 2.5.1, but we play safe and
	enable it unconditionally.

20041120

	The TLS support routines are moved to a "tls" directory,
	and are published via the "libtls.a" object library.

20041122

	Infrastructure: support for binary attribute values
	(ATTR_TYPE_DATA) in Postfix IPC messages. Files:
	util/attr_scan*c, util/attr_print*c.

20041123-20041205

	TLS support: via a process of gradual transformation,
	decomposed Lutz Jaenicke's pfixtls.c into separate modules
	for clients, servers, certificate verification, session
	caching, and PRNG management. Global variables were eliminated
	so that the code now supports multiple client and/or server
	contexts in the same process.  Files:  tls/*.[hc].

20041205

	TLS support: eliminated shared access (and locking) of the
	TLS PRNG exchange file and TLS session caches. Instead,
	Postfix uses a client-server protocol, and the tlsmgr
	becomes the sole mediator. This eliminated the need for
	1000+ lines of SDBM support, and eliminated the need for
	running a persistent tlsmgr process on systems don't enable
	TLS in main.cf.

20041124

	Feature: configurable list of forbidden SMTP commands
	(default: smtpd_forbidden_commands = CONNECT, GET, POST)
	after which the Postfix SMTP server disconnects immediately.
	The SMTP server always disconnects immediately when the
	client sends a message header instead of an SMTP command.
	Magnus Baeck.  File: smtpd/smtpd.c.

20041207

	CDB support by Michael Tokarev, documentation by Victor
	Duchovni. Files: util/dict_cdb.[hc], global/mkmap_cdb.c.

20041209

	Completed support for the Berkeley DB sequence operator.
	This is needed for finding and deleting old entries in TLS
	session databases. File:  util/dict_db.c.

	Bugfix: the DBM client's sequence operator used exclusive
	locking instead of shared locking. File: util/dict_dbm.c.

	Feature: dump an entire database with the new postmap/postalias
	"-s" option. This works only for database types with Postfix
	sequence operator support: hash, btree, dbm, and sdbm.
	Files:  postmap/postmap.c, postalias/postalias.c.

20041212

	Solaris 10/ix86 chroot setup script update by J.D. Bronson.

	TLS support: cosmetic changes to comments and messages;
	completed the code for the master -> tlsmgr trigger handshake,
	so that the master no longer complains about trigger
	responses timing out.

20041213

	Updated the SDBM dictionary interface. It had fallen behind
	with the Postfix dictionary interfaces that were already
	bundled with Postfix. Files: util/dict_sdbm.[hc].

	Cleanup: "postconf -m" (show all available map types) now
	produces sorted output.  File: util/dict_open.c.

20041215

	No bugfix: tests with the new "postmap -s" feature show
	that SDBM first/next operations never worked with Postfix/TLS
	patch 20040829 (verified with the 20040829 dict_sdbm.c
	module on Linux and FreeBSD).  The code stops after finding
	one database element.  Other SDBM versions found on the
	Internet will find all database entries, but report an I/O
	error after the last database element is found. All this
	would be easy enough to fix, but the SDBM library is not
	part of Postfix, and never will be.

	Bugfix: the sequence operator in the DBM and SDBM clients
	released the shared lock after reading the next key but
	before reading the corresponding value. This was never a
	problem, because the sequence operator was used only in
	the Postfix/TLS patch. This used the SDBM sequence operator
	which didn't work as discussed above. Files:  util/dict_dbm.c,
	util/dict_sdbm.c.

	Feature: the local(8) and pipe(8) delivery agents now make
	the following attributes available upon delivery (with
	local(8) names must be spelled in upper case): client_hostname,
	client_address, client_protocol, client_helo, sasl_method,
	sasl_sender, sasl_username. Files: local/command.c,
	pipe/pipe.c, and lots of documentation.

20041216

	"postcat -o" now prints queue file record offsets; this is
	useful for debugging. File: postcat/postcat.c.

	NON-PRODUCTION Bugfix: (bug introduced while adopting the
	Postfix/TLS patch):  the new TLS certification call-back
	routine expects that the peer hostname is in
	tlscontext->peername_save, but the TLS server code never
	updated this field.  File:  tls/tls_server.c.

20041218

	Feature: selective suppression of SMTP extensions (pipelining,
	starttls, auth, etc.); this is useful to work around broken
	clients or servers.  Specify a list of EHLO keywords with
	the smtp(d)_discard_ehlo_keywords parameters, or specify
	one or more lookup tables, indexed by remote network address,
	with the smtp(d)_discard_ehlo_keyword_address_maps parameters.
	EHLO keyword lists are case insensitive.  Files:
	util/name_mask.[hc], global/ehlo_mask.[hc], smtpd/smtpd.c,
	smtp/smtp.c, smtp/smtp_proto.c.

20041219

	Bugfix: postcat without -o was broken. File: postcat/postcat.c.

20041220

	NON-PRODUCTION Bugfix: (bug introduced while adopting
	Postfix/TLS patch):  don't call smtp_flush() after return
	from vstream_setjmp(), we'll call you.  File: smtpd/smtpd.c.

	Dummy VSTREAM read-write routines. Files: util/dummy_read.c,
	util/dummy_write.c.

20041221

	Fixes for TLS_README by Victor Duchovni. File:
	proto/TLS_README.html.

	NON-PRODUCTION Bugfix: (bug introduced while adopting
	Postfix/TLS patch).  The client code had become too similar
	to the server implementation, and also required a host
	certificate and key. Fix by Victor Duchovni. File:
	tls/tls_client.c.

20041221

	Bugfix: further postcat corner cases.

20041223

	Cosmetic: don't log disconnect events as I/O errors.
	File: tls/tls_bio_ops.c.

20041221-9

	Infrastructure: unified IPv4/IPv6 name/address API so that
	Postfix can support IPv6 without #ifdef INET6 everywhere.
	In particular, we allow #ifdef in libraries but avoid it
	in applications.  Files:  util/myaddrinfo.[hc],
	util/sock_addr.[hc], dns/dns_rr_to_pa.c, dns/dns_sa_to_rr.c,
	dns/dns_rr_eq_sa.c, dns/dns_rr_to_sa.c, inet_proto.[hc].

	Postfix no longer attempts to deliver mail via IPv6 when
	the system has no IPv6 connectivity.  Network protocol
	support is now selected with the "inet_protocols" configuration
	parameter, instead of "inet_interfaces". The "inet_protocols"
	parameter also controls what DNS lookups Postfix will do.

	Infrastructure: eliminated two host/port parsing routines.
	Only one survives: host_port(), in an extended form that
	allows for missing host or missing service information but
	not both. File: util/host_port.c.

20041229

	Milestone: Postfix with the unified IPv4/IPv6 socket/name
	API builds without compiler error on IPv4-only system and
	actually works.

20041228

	Bugfix: SMTPD_PROXY_README incorrectly claimed that ":port"
	in master.cf causes a server to listen only on "localhost"
	without exposing the service to the network.  Instead,
	":port" causes a client to connect to "localhost".

20041231

	Linux workaround:  when mynetworks isn't set, a chrooted
	process could not read the IPv6 address information from
	/proc.  We now invoke own_inet_addr() before chrooting,
	while processing main.cf. File: global/mail_params.c.

20050101

	Workaround for (Linux) systems without IPV6_V6ONLY support
	(RFC 3493).  When Postfix listened on an IPv4 wild-card
	smtp socket, the IPv6 wild-card smtp listener would fail
	with EADDRINUSE (and vice versa).  File: util/myaddrinfo.c.

20050103

	Safety: when the IPV6 netmask can't be determined, assume
	/128 (host only). File: util/inet_addr_local.c.

20050104

	Re-implemented IPv6 support for net/mask pattern matching.
	Files:  util/cidr_match.[hc], util/dict_cidr.c,
	util/match_ops.[hc], proto/cidr_table.

20050105

	Moved mask_addr() to its own module so that it could also
	be called by mynetworks() and inet_addr_local() to remove
	non-zero host bits from IPv6 network/mask patterns. File:
	util/mask_addr.c.

20050108

	Re-implemented IPv6 support for network interface lookup
	via the Linux /proc file system. File:  util/inet_addr_local.c.

20050111

	Feature: specify "inet_interfaces = loopback-only" for
	servers that must listen on local interfaces only, without
	having to specify IPv4 and/or IPv6 addresses in main.cf or
	master.cf.  File:  global/own_inet_addr.c.

	Workaround: AIX 5.1 getaddrinfo() can't handle a null host
	argument with AI_PASSIVE. Instead we specify an explicit
	protocol family, a host of "::" or "0.0.0.0", and turn off
	IPV6_V6ONLY. Files: util_myaddrinfo.c, util/inet_listen.c.

	Workaround: AIX 5.1 getaddrinfo() can't handle a "0" service
	argument. Instead we specify "1".  Files: util/inet_addr_host.c.

20050113

	Cleanup: now that the over-all structure is proving itself,
	clean up some internal APIs to increase robustness and get
	rid of some clumsiness. Mainly, the getaddrinfo(3) interface.

	Start-up performance: the hash_queue_names default setting
	is reduced from eight directories to just defer and deferred.
	This reduces time for checking the Postfix queue. Files:
	conf/post-install, global/mail_params.h.

20050114

	Further cleanup: eliminate duplicate IPv6 results when the
	mynetworks value is generated by Postfix. More documentation
	of the new internal APIs.

	Performance: reduced start-up delay by moving warning-only
	startup checks into the background. File: conf/postfix-script.

20050115

	Further hardening of the IPv6 support: don't trust system
	libraries to protect Postfix against malformed IPv6 address
	literals. Their syntax is complex enough that errors are
	likely. Files: global/resolve_local.c, util/valid_hostname.c.

	Further cleanup: RFC 2821 requires the IPv6: prefix with
	IPv6 address strings.  The smtp and qmqp servers maintain
	separate address instances, the bare address and the RFC
	2821 compatible form, and use each where appropriate.  This
	strict separation simplifies address syntax checks as well
	as the implementation of XCLIENT and XFORWARD.

20050116

	Infrastructure: new valid_mailhost_addr() routine to verify
	that an address literal satisfies RFC 2821. An IPv4 address
	is in dotted-quad decimal form, and an IPv6 address is in
	hexadecimal form, with the "IPv6:" prefix. Files:
	global/valid_mailhost_addr.[hc].

	Further cleanup: valid_hostname() no longer allows network
	addresses or numerical domain names. While it made some
	sense with IPv4 dotted quad decimal forms, with IPv6 it
	just made no sense anymore.  Again, being stricter actually
	simplifies code. Files:  util/valid_hostname.c and a
	surprisingly small number of valid_hostname() callers that
	did not reject numerical forms.

	Bugfix: in the Postfix 2.2 SMTP client, the debug_peer_init()
	call was moved to the after-chroot initialization.

20050117

	Performance: reduced start-up delay by moving warning-only
	startup checks into the background; they now start after
	one minute to allow the system to finish booting. File:
	conf/postfix-script.

	Milestone: first non-non-production snapshot with IPv6.

20050119

	Milestone: first non-non-production snapshot with TLS.

20050124

	Workaround: don't send mail to $fallback_relay if Postfix
	is MX host for the next-hop destination. This is, however,
	a partial solution. The documentation has been updated to
	cover all the cases where a fallback_relay could interfere
	with the operation of a backup or primary MX host. Files:
	smtp/smtp_addr.c, smtp/smtp_connect.c.

20050127

	Configuration: Postfix daemons that need privileged operation
	(such as local, pipe, or spawn) now log a fatal error when
	they are configured in master.cf as unprivileged.

20050130

	Cleanup: simplified the handling of receive_override_options
	settings. Files: pickup/pickup.c, smtpd/smtpd.c, qmqpd/qmqpd.c,
	global/input_transp.c.

	Feature: permit_inet_interfaces allows a request when the
	client matches $inet_interfaces. This is used for generic
	access restrictions and for header address rewriting control.
	Files: global/mail_params.h, smtpd/smtpd_check.c.

	Cleanup: by default, message header address rewriting is
	now enabled only for mail that originates from the machine
	itself. Files: global/mail_params.h, smtpd/smtpd_check.c.

20050131

	Bugfix: when extracting recipients from message headers,
	the Postfix sendmail command produced output records longer
	than $line_length_limit, causing postdrop to reject the
	mail. Diagnosis by Victor Duchovni. File:  sendmail/sendmail.c.

20050202

	Cleanup: explicit Makefile targets for "make package" and
	"make non-interactive-package" to create ready-to-install
	packages for distribution to other systems. Added extra
	sanity checks to prevent attempts to overwrite your running
	Postfix instance. Files:  Makefile.in, proto/PACKAGE_README.

	Cleanup: when bounce_queue_lifetime > maximal_queue_lifetime,
	it is adjusted to maximal_queue_lifetime, and a warning is
	logged. Files:  *qmgr/qmgr.c.

20050203

	Cleanup: trivial-rewrite now restarts more timely after
	changes in lookup tables.  Of the all the alternatives
	tested, the simplest one produces the most bang for the
	buck. The other code is left in place for illustrative
	purposes. File:  trivial-rewrite/trivial-rewrite.c.

	Cleanup: sendmail no longer ignores null command-line
	recipients.  File: sendmail/sendmail.c.

	Cleanup: "postfix start" background checks moved back to
	the foreground so they can be stopped more easily.  File:
	conf/postfix-script.

20050204

	Feature: REPLACE command in header/body_checks (implemented
	as a combination of PREPEND and IGNORE) by Bastiaan Bakker.
	File: cleanup/cleanup_message.c.

	Cleanup: linted the manual pages for consistency in the
	way manuals are referenced, and in the presentation of
	command examples. Files: mantools/manlint, mantools/fixman,
	mantools/postconf2man.

20050205

	Cleanup: updated the mass-deletion example in the postsuper
	manual.

20050206

	Cleanup: don't count a [45]XX SMTP server greeting towards
	the mx_session_limit setting. File: smtp/smtp_connect.c.

	Feature: output address rewriting in the SMTP client. The
	smtp_generic_maps parameter specifies an address mapping
	that happens only when mail is delivered via SMTP. This is
	typically used for hosts without a valid domain name, that
	use something like localdomain.local instead.  This feature
	can replace local mail addresses by valid Internet mail
	addresses when mail needs to go across the Internet, but
	not when mail is sent between accounts on the local machine.
	Files:  smtp/smtp_proto.c, smtp/smtp_map11.c.

	Cleanup: don't panic in mymalloc() when master can't find
	any IP addresses. LaMont Jones. File: master/master_ent.c.

20050207

	Documentation: added a generic(5) manual page for consistency
	with the already existing table driven mechanisms, added
	references to or examples of the new generic mapping.

	Bugfix: the header_checks REPLACE action mis-handled
	multi-line replacement text in message headers, for example:
	/(.*)/ REPLACE X-$1. File:  cleanup/cleanup_message.c.

	Bugfix: the header_checks REPLACE action should not drop
	the input when the action is NOT executed. File:
	cleanup/cleanup_message.c.

	Bugfix? Cleanup? Documentation? main.cf now implements
	${name[?:]value} as promised in the postconf(5) manual.
	Implemented by deleting the macro processor in dict_eval(),
	and using the one in mac_expand() instead.  File: util/dict.c.

20050208

	Feature: check_ccert_access maptype:mapname for access(5)
	control, based on code by Victor Duchovni. File:
	smtpd/smtpd_check.c and documentation.

	Safety: don't allow unlimited message size with limited
	mailbox size. File: local/local.c, virtual/virtual.c.

	Feature: new smtpd policy attributes ccert_subject,
	ccert_issuer and ccert_fingerprint, with TLS client
	certificate information, but only when verification was
	successful.  Files:  src/smtpd/smtpd_check.c.

	Cleanup: corrected the address verification data flow in
	the ADDRESS_VERIFICATION_README illustration.

20050209

	Cleanup: the smtp generic mapping did syntax check on the
	input address instead of the result. These tests were not
	going to be useful in any case, because mail_addr_map()
	canonicalizes the lookup result, including @dom1->@dom2
	mapping. File:  smtp_map11.c.

	Cleanup: made the generic mapping documentation consistent
	with the implementation.

	Cleanup: documented the myorigin/mydomain address rewriting
	in canonical, generic and virtual alias maps.

	Feature: updated LDAP and *SQL query interfaces using a
	common infrastructure so that all have the same feature set
	where possible. Victor Duchovni and many others. This code
	was tested separately and was merged into the main stream
	20050308. Files: global/db_common.[hc], global/dict_ldap.c,
	global/dict_mysql.c, global/dict_pgsql.c, plus documentation.

20050210

	Bugfix: spurious fallback_relay warnings after 20050202.
	Victor Duchovni.  File: smtp/smtp_connect.c.

	Bugfix: (introduced while adopting Postfix/TLS patch) the
	TLS cache scan stopped after expiring one entry.  Victor
	Duchovni.  File: tls/tls_scache.c.

	Safety: delete-behind when removing expired entries from
	TLS session caches. With some maps the enumeration method
	mis-behaves when the current entry is deleted. File:
	tls/tls_scache.c.

20050211

	Cleanup: the "generics" feature (output address rewriting)
	is renamed to "generic", for consistency with "canonical"
	and "virtual".

20050212

	Cleanup: remove old trace(8) logfile before attempting
	delivery (and after locking the message file exclusively).
	Files: *qmgr/qmgr_message.c.

	Cleanup: don't parse-then-regenerate message headers when
	no address is changed by address rewriting operations. This
	behavior was copied from the SMTP client's generic mapping
	code.  Files: cleanup/cleanup_rewrite.c, cleanup/cleanup_map11.c,
	cleanup/cleanup_masquerade.c, cleanup/cleanup_message.c..

20050215

	Bugfix: don't chmod queue files while running "postfix
	set-permissions". This prevents mail from being labeled as
	"corrupt" when a live Postfix system is upgraded.  Found
	by Victor Duchovni.  File: conf/post-install.

20050216

	Feature: in smtpd?_discard_ehlo_keyword(s|_address_maps)
	specify the pseudo keyword "silent-discard" in order to
	avoid logging that some EHLO keyword is being suppressed.
	File: global/ehlo_mask.[hc].

20050217

	Bugfix: typo in tls_server.c, breaking CApath.  Fix by
	Philipp Morger. File: tls/tls_server.c.

20050227

	Bugfix (bug introduced 20040331): with SIGHUP ignored, the
	postdrop signal handler would effectively ignore SIGINT,
	SIGQUIT and SIGTERM.  Simplified the overly-conservative
	protection against nested signals in postdrop, and added
	some future proofing comments.  File:  postdrop/postdrop.c

	Cleanup: when address rewriting is enabled, don't change
	the capitalization of header labels, i.e. don't replace
	FROM: or CC: by From: or Cc:. Files: cleanup/cleanup_message.c,
	smtp/smtp_proto.c.

20050228

	Cleanup/portability: missing #includes and bad prototypes.
	Matthias Andree, Carsten Hoeger, and others.

20050302

	Workaround: make TLS session caching work with perverse
	sites that have multiple servers per hostname or even
	multiple servers per IP address, but no shared TLS session
	cache. The SMTP client TLS session cache is now indexed by
	(server hostname, server address, server port, server helo
	hostname). After an idea by Victor Duchovni. Files:
	smtp/smtp_proto.c, tls/tls_client.c.

20050303

	Bugfix (bug inherited from Postfix/TLS patch): a rare 9kbyte
	memory leak when in-memory TLS session information expires;
	found by setting the expiry time shorter than the time to
	deliver one or two messages with a very slow machine.  This
	was due to a missing SSL_SESSION_free() call in the "new
	session" call-back routines. Found by Victor Duchovni.
	Files: tls/tls_client.c, tls/tls_server.c.

	Workaround: OpenSSL is overly agressive when purging a
	not-yet expired entry from a full in-memory cache: it also
	purges the entry from the on-disk server session cache.
	Workaround is to let only the tlsmgr purge entries from the
	on-disk server session cache.  Found by Victor Duchovni.
	File: tls/tls_server.c.

20050304

	Postfix releases are now signed with Wietse's new PGP key.
	The old key was getting a bit short for today's standards.
	The new public key can be found on the Postfix download
	webpage. As proof of authenticity the new PGP key is signed
	with Wietse's old PGP key.

	Cleanup: check_mumble_{ns,mx}_access no longer attempt to
	do MX or NS lookups for address literals. An address literal
	is treated as its own MX host; there is no meaningful
	equivalent for NS access control. File: smtpd/smtpd_check.c.

20050310

	Bugfix: the AIX and SUN compilers rightfully complained
	about non-portable code in the "new" LDAP/SQL client. File:
	global/db_common.c.

	Workaround: some systems no longer recognize "tail +2" as
	valid command syntax. Instead they require "improved" syntax
	that is not valid on several other systems that Postfix
	builds on.  So we have to stop using the tail command.
	Files: Makefile.in, src/*/Makefile.in.

20050312

	Bugfix: the TLS session cache cleaning code didn't always
	delete the right entry. Problem found by Victor Duchovni,
	more problems found by Wietse. File: tls/tls_scache.c.

20050314

	Portability: Berkeley DB changed API from version 2.5 to
	2.6. Rob Foehl. File: util/dict_db.c.

20050315

	Bugfix: when <unistd.h> is included, read is a reserved
	identifier. File: smtpstone/smtp-source.c.

20050321-27

	Support for RFC 3463 enhanced status codes.  See also the
	ENHANCED_STATUS_README (a hacker's guide) for background.

	New module to pass around (status code + text) instead of
	just text.  File: Files: global/dsn_util.c.

	Status-related lookup tables now have an extra column for
	enhanced status codes.  Files: global/sys_exits.c,
	global/cleanup_strerror.c.

	Cleanup: centralized mapping of errno values to delivery
	status codes after failed delivery to mailbox, maildir, or
	file. Error codes EAGAIN, and ESTALE are 4.2.0 temporary
	errors; ENOSPC is a 4.3.0 temporary error; and EDQUOT and
	EFBIG are 5.2.2 hard errors. For backwards compatibility,
	the result of other errors depends on the delivery agent:
	with local(8) everything else is a 5.2.0 hard error, and
	with virtual(8) everything else is soft 4.2.0 error.  File:
	global/mbox_open.c.

20050324

	Workaround: gcc -W (version 3.4.2 [FreeBSD] 20040728) no
	longer warns about missing return statements. What a time
	waste.

	Workaround: gcc -E (version 3.4.2 [FreeBSD] 20040728) output
	has changed, causing too much "make depend" output.

20050325

	Bugfix: when bouncing mail that was submitted with Postfix
	sendmail, the cleanup daemon ignored the reason specified
	in header/body_checks, and always produced a generic reason.
	File: cleanup/cleanup_api.c.

	Workaround: don't announce pipelining support when the
	smtp-sink test program is configured to fail specific
	commands with -r or -f (the fix is to build a proper SMTP
	state engine into the smtp-sink test program).  File:
	smtpstone/smtp-sink.c.

20050326

	Update: more PCRE error codes. File: util/dict_pcre.c.

20050327

	Bugfix: the SMTP and LMTP clients did not ask the queue
	manager to reduce destination concurrency when "lost
	connection" or "connection timed out" happened AFTER Postfix
	received the server greeting. Files: smtp/smtp_trouble.c,
	lmtp/lmtp-trouble.c.

	Workaround: FreeBSD has incompatibly changed the output
	format from "od", breaking regression test portability.

	The TLS client session cache ID is now derived from the
	server IP address, TCP Port, and server HELO hostname
	if available. File: smtp/smtp_proto.c.

20050328

	Cleanup: the REPLACE action is no longer implemented as
	PREPEND+IGNORE. The result remains in the input stream,
	and is subject to address rewriting and other processing
	where applicable.  File: cleanup/cleanup_message.c.

	Feature: the TLS server name verification status is moved
	out of the TLS session cache. This not only simplifies the
	client-side TLS cache implementation, but also provides
	better cache support for clients that connect to multiple
	independent MTAs under the same DNS hostname or IP address,
	provided that each MTA replies with a unique name in the
	EHLO response. Patch by Victor Duchovni. Files: tlsmgr/tlsmgr.c,
	tls/tls_verify.c, tls/tls_session.c, tls/tls_server.c,
	tls/tls_scache.h, tls/tls_scache.c, tls/tls_misc.c,
	tls/tls_mgr.h, tls/tls_mgr.c, tls/tls_client.c, tls/tls.h,
	smtp/smtp_proto.c.

20050330

	Bugfix: in some compilation environments the SMTP and LMTP
	clients could ignore enhanced status codes in server replies.
	Bug introduced 20050329 while polishing working code.  Files:
	smtp/smtp_chat.c, lmtp/lmtp_chat.c.

	Feature: add enhanced status code support to the smtp-sink
	test program. File: smtpstone/smtp-sink.c.

20050331

	Workarounds for ancient gcc compilers that can't handle
	valid C. Bugs reported by Victor Duchovni. Files:
	util/sys_defs.h, global/dsn_util.h, tls/tls_client.c.

	Bugfix: when delivery to command failed, command output was
	not reported. Fix was to enable format checks for the new
	dsn_vstring_update() module. File: global/dsn_util.h,
	global/pipe_command.c.

20050401

	Cleanup: ignore incorrect enhanced status codes (such as
	5xx reply followed by a 4.x.x status), and don't look for
	enhanced status codes unless the server replies with a
	[245]XX reply.  Files: smtp/smtp_chat.c, lmtp/lmtp_chat.c.

20050402

	Feature: enhanced status code support for errors found by
	the MIME processor. Files: global/mime_state.c,
	cleanup/cleanup_message.c, smtp/smtp_proto.c.

	Cleanup: updated error messages about MIME processing errors
	in the SMTP client. These errors are no longer specific to
	8bit->7bit conversion; they can also happen with generic
	address mapping. File: smtp/smtp_proto.c.

	Safety: SASL 2.1.19 has a version lookup routine that we
	can use to detect compile time / run time version mis-matches
	(also known as DLL hell).  Files: src/smtpd/smtpd_sasl_glue.c,
	src/smtp/smtp_sasl_glue.c, src/lmtp/lmtp_sasl_glue.c.

20050404

	Typo: missing comma after dsn=x.yy.zz logging. File:
	global/log_adhoc.c.

	Feature: specify "smtpd_sasl_authenticated_header = yes"
	to report the SASL login name in the Received: message
	header, so that the login name is shared with the whole
	world. Based on code by Branko F. Gracnar. Files:
	smtpd/smtpd.c, and documentation.

20050407

	@%^!#& Thanks to inadequate SASL documentation the client
	could negotiate a security layer where none was desired.
	Better documentation has become available since Postfix
	SASL support was implemented, and now Postfix needs to be
	fixed. Files: */*_sasl_glue.c.

20050409

	Safety: the CDB map now logs a warning when the source file
	is newer than the indexed file, just like the Berkeley DB
	and DBM maps. Michael Tokarev. File: util/dict_cdb.c.

20040411

	Portability: put the SASL DLL Hell guard after the declarations
	instead of before.  Reported by Marcus Grando. Files:
	smtp/smtp_sasl_glue.c, lmtp/lmtp_sasl_glue.c.

20050412

	Infrastructure: change the disposition or other properties
	of an embryonic queue file. This is currently used only to
	place mail on hold.  After code by Victor Duchovni.  Files:
	global/mail_stream.[hc], cleanup/cleanup_api.c.

	Bugfix: while updating the cleanup_flush() infrastructure
	eliminated a portability problem that was introduced when
	"REJECT text" support was added. File: cleanup/cleanup.c.

20050413

	Portability: don't mix socket message send/receive calls
	with socket stream read/write calls. The fact that you can
	get away with it only on some stacks implies that there is
	no long-term guarantee. Specify -DCAN_WRITE_BEFORE_SENDING_FD
	if you feel brave. File: util/sys_defs.h.

	Robustness: re-compile all object files after the "make
	makefiles" options have changed. Files: src/*/Makefile.in.

	Tweaking: reply with 5.3.4 when the message size exceeds
	the mail system message_size_limit, instead of 5.2.3 which
	is a mailbox specific status. File: smtpd/smtpd_check.c.

20050417

	Safety: don't call syslog from a user-triggered signal
	handler.  File: postdrop/postdrop.c.

20050421

	Bugfix: don't panic when the fall-back relay can't be used
	because the local MTA is MX for the destination.  File:
	smtp/smtp_connect.c.

20050422

	Bugfix: don't panic when the fall-back relay can't be used
	because it was already tried via a cached session. Produce
	a default excuse instead. File: smtp/smtp_connect.c.

	Bugfix: postsuper could lose an error message after reporting
	a fatal error.  File: postsuper/postsuper.c.

20050426

	Bugfix: simplified and improved the 20050422 fall-back relay
	fix. File: smtp/smtp_connect.c.

20050427

	Final solution for the 20050422 fall-back relay problem:
	truncate the fall-back host list when the local MTA is MX
	for some destination. Files: util/argv.c, smtp/smtp_connect.c.

	Cleanup: extra dsn_vstring_update_dsn() routine to shut up
	GCC complaints about valid code. Files: src/global/dsn_util.c,
	src/global/mbox_open.c, src/lmtp/lmtp_addr.c, src/smtp/smtp_addr.c,
	src/smtp/smtp_connect.c.

20050429

	The Postfix SMTP server now announces ENHANCEDSTATUSCODES
	support in the EHLO response, as described in RFC 2034.
	File: smtpd/smtpd.c.

20050503

	Propagate enhanced status code from error(8) mailer to SMTP
	server replies. File: smtpd/smtpd_check.c.

	Cleanup: more consistent format of smtpd warning logging,
	so that it is easier to sort.  Files: smtpd/smtpd.c,
	smtpd/smtpd_check.c.

20050504

	Yikes. People are exposing the smtp-sink test program to
	hostile environments, while it was designed for controlled
	environments. Completed the support for write timeouts,
	added support for read timeouts, and added a missing exception
	handler for the 220 server greeting.  File: smtpstone/smtp-sink.c.

20050506

	Cleanup: with "REJECT 4.X.Y ..." actions in header/body_checks,
	change the SMTP server reply code from 550 into 450, instead
	of having the SMTP server change the DSN into 5.X.Y.  File:
	smtpd/smtpd.c.

20050510

	Usability: when reporting a sender address problem, transform
	a recipient DSN status (e.g., 4.1.1-4.1.6) into the
	corresponding sender DSN status, and vice versa; and when
	reporting a non-address problem, transform a sender or
	recipient DSN status into a generic non-address DSN status
	(e.g., 4.0.0).  This transformation may be needed when the
	same access table or RBL reply template are used for client,
	helo, sender, or recipient restrictions; or when the same
	error mailer information is used for senders or recipients.
	Files: smtpd/smtpd_check.c, smtpd/smtpd_dsn_fix.[hc].

20050512

	Feature: support for more SASL logging call-backs, if these
	are defined in the compile-time environment. Files:
	smtpd/smtpd_sasl_glue.c, smtp/smtp_sasl_glue.c.

20050513

	Workaround: Postfix now uses "localdomain" as the default
	domain name when $myhostname is not in "host.domain" form.
	Files: global/mail_params.[hc].

---------

20050415-20050615

	As of 20050525, DSN support does not involve new queue file
	record types, so you can switch back to older Postfix
	versions. Older non-production releases did introduce queue
	file incompatibilty.

	DSN support is selected via the SMTP port by extra parameters
	to the MAIL FROM and RCPT TO commands, and with the Postfix
	sendmail command with new command-line options: -N (specify
	notification options such as "never", "success", "delay"
	or "failure") and -V (specify an envelope ID that identifies
	the mail submission transaction).  VERP support now uses
	-XV instead of -V.

	The implementation piggy-backs on the trace(8) service that
	was already used for "sendmail -v" (verbose delivery) and
	for "sendmail -bv" (what-if) reports. You can no longer
	requests these functions together with DSN support.

	All this means revision of bounce/defer/trace client
	interfaces, of the bounce service, the record reading loops
	in postdrop, cleanup(8) and qmgr(8), the queue manager to
	delivery agent protocol, and some extra SMTP protocol
	parameters in smtpd(8), lmtp(8) and smtp(8).

	New code module: global/dsn_smtp.[hc] for RFC 3461 related
	information (but this may still change).

	Feature: "sendmail -G" is no longer a no-op.  Message headers
	are treated as if the message has a remote origin. Files:
	sendmail/sendmail.c, postdrop/postdrop.c.

	Feature: automatic BCC senders are now created as if they
	were received with NOTIFY=NEVER, in case it helps. File:
	cleanup/cleanup_addr.c

	Compatibility: with large bounces, send message headers
	only, instead of truncating MIME messages in the middle.

20050517

	Bugfix: in a DSN report, the original recipient should not
	be xtext encoded. File: bounce/bounce_notify_util.c.

20050523

	Bugfix: mymalloc() panic with mistyped server host list.
	File: global/dict_pgsql.c.

20050525

	Feature: specify delay_warning_time=1 to get immediate
	notification of delay. File: qmgr/qmgr_active.c.

20050526

	Reset the Postfix original recipient when delivering to
	mailing list.

20050601

	Modified the master backgrounding procedure to not abort
	when the master is already a process group leader. This
	happens when people bypass or modify the official Postfix
	start-up procedure.  Jacek Konieczny. File: master/master.c.

20050602

	Sanity check: don't report "address in use" when some Postfix
	socket is a directory. File: util/unix_listen.c.

20050613

	Now that the over-all structure of the code is proving
	itself, interfaces can be cleaned up. This means nicer names
	for variables, functions and data structures, and dedicated
	read/write routines for recipient and DSN information.
	These remove a lot of clutter from the bounce client and
	server code.  Files: dsn_print.c dsb_scan.c, rcpt_print.c,
	rcpt_buf.c.

	For Sendmail compatibility, the Postfix sendmail -V option
	no longer controls VERP usage, but is used to specify the
	DSN envelope ID.  In order to provide a smooth transition,
	backwards compatibility code recognizes when -V is being
	used for VERP control.  It will do the right thing, and
	warns the user to use -XV instead. File: sendmail/sendmail.c.

20050614

	The cleanup server writes bounce (delivery failure) and
	trace (success) records, but it no longer requests sender
	notification.  That is now handled by the queue manager.
	The reason is that the cleanup server must be able to abort
	a request including its bounce and trace logfiles, so it
	must not take actions that can't be undone.

20050615

	Cleanup: the SMTP client now sends QUIT when the initial
	HELO handshake fails. it still doesn't send QUIT when the
	server greets with a [45]XX code, as that is handled in the
	connection management code before a session context exists.
	File: smtp/smtp_connect.c.

	Cleanup: made the quote_821_local() routine "const" clean.
	File: global/quote_821_local.[hc].

20050616

	Bugfix: missing or mis-placed va_end() macros, found in
	Postfix 2.3 code review. Files: util/netstring.c,
	util/myaddrinfo.c, util/attr_clnt.c, util/vstream.c.


	Bugfix: the SMTP server now separates the message size check
	from the queue space check, so that the size check can be
	done before an SMTPD proxy filter. Files: smtpd/smtpd.c,
	smtpd/smtpd_check.c.

20050617

	Postdrop didn't recognize the new recipient attributes.
	File: postdrop/postdrop.c.

	Feature: configurable MAILER-DAEMON replacement for the
	null sender address that is used by the pipe(8) delivery
	agent on the command line and in message headers. Command-line
	address quoting is disabled when the replacement is empty.
	File: pipe/pipe.c.

20050618

	With virtual aliasing enabled, Postfix would always report
	successful alias expansion, even when no alias was expanded.
	File: cleanup/cleanup_out_recipient.c.

20050621

	Portability: file descriptor passing is available for Tru64
	UNIX, but not for AIX4 and IRIX6.  Albert Chin. File:
	util/sys_defs.h.

20050622

	Cleanup: the DNS lookup code now accommodates name server
	replies longer than 4 kbytes, with a hard upper limit of
	32kbytes. For safety reasons, the number of MX host addresses
	that the SMTP client will try was reduced from unlimited
	to just 5, so that Postfix won't spend forever trying to
	connect to dozens and dozens of bogus MX hosts. Files:
	dns/dns_lookup.c, global/mail_params.h.

	Cleanup: the code that handles a 4xx or 5xx SMTP server
	greeting was moved from the connection management module
	to the protocol engine, for cleaner error handling.  This
	means that the failed session now counts towards the limit
	on the total number of SMTP sessions per domain name (default:
	smtp_mx_session_limit = 2).  Files: smtp/smtp_connect.c,
	smtp/smtp_proto.c.

20050623

	Cleanup: generalized the delegated attribute scan/print
	interfaces, and updated the deliver_pass module with delegated
	attribute scan/print support. Files: util/attr_scan0.c,
	util/attr_print0.c, global/dsb_scan.c, global/dsn_print.c,
	global/rcpt_buf,c global/rcpt_print.c, global/deliver_pass.c.

	Added delegated attribute scan/print function support to
	the base64 and plain attribute I/O encodings. Files:
	util/attr_scan_plain.c util/attr_print_plain.c.

20050624

	Added "." to the list commands that smtp-sink can "break"
	(by disconnecting, or by responding with a 4XX or 5XX reply
	code). File: smtpstone/smtp-sink.c.

20050625

	Safety: allow only 4.x.x and 5.x.x enhanced status codes
	in header/body_checks REJECT actions. File:
	cleanup/cleanup_message.c.

20050627

	Code cleanup: generalized the smtp-sink code that simulates
	server errors. File: smtpstone/smtp-sink.c.

20050629

	Code cleanup: the smtp_mx_session_limit setting (per delivery
	request session count limit) now ignores sessions that fail
	to complete the TCP, SMTP, EHLO or TLS handshake (was: TCP
	and SMTP).  File: smtp/smtp_proto.c.

20050630

	Updated the example spf.pl script to version 1.06.

	Portability: the file descriptor passing code broke on LP64
	systems (inherited from Stevens Network Programming).  Files:
	util/unix_send_fd.c, util/unix_recv_fd.c.

20050706

	Robustness: the SMTP client now disables connection caching
	when it is unable to communicate with the scache(8) server,
	instead of looping forever. File: global/scache_clnt.c.

	Portability: after sending a socket, the scache(8) server
	now waits for an ACK from the connection cache client before
	closing the socket that it just sent. Files: scache/scache.c,
	global/scache_clnt.c.

20050708

	Bugfix: missing returns in 20050706 caching disabling code
	(in error handling code that never executes).  File:
	global/scache_clnt.c.

	Portability: use explicitly unsigned operands when doing
	bit-wise shift operations on data larger than a character.

20050709-15

	Migration of data object sizes and offsets from int->ssize_t
	and unsigned->size_t for better portability to LP64 and
	LLP64 systems where *size_t is 64 bits wide.   This change
	has no effect on 32-bit systems.

	This change not only eliminated some obscure portability
	bugs (see two paragraphs down), it also eliminated many
	unnecessary conversions back and forth between 32-bit and
	64-bit integers, because all relevant system library functions
	take *size_t arguments or return *size_t results.

	Simply changing every data object size or offset to size_t
	(which is unsigned!) would be dangerous.  A lot of code was
	written assuming signed arithmetic and rejects negative
	lengths, which can happen as the result of integer overflow.

	Portability: on LP64 systems, integer expressions are int,
	but sizeof() and pointer difference expressions are larger.
	The above changes fixed a few discrepancies with function
	calls where *size_t was passed while the old code expected
	an int: clean_env() versus argv_addn(), and code that sent
	binary blobs via the TLS session cache manager protocol.

20050711

	Bugfix: don't include <> when auto-generating an ORCPT
	address from a client RCPT TO command. File: smtpd.c.

20050712

	Cleanup: cleanup_out_recipient() still generated DSN records
	that were incompatible with pre-DSN Postfix versions.  File:
	cleanup/cleanup_out_recipient.c.

20050716

	Bugfix: the smtpd_sasl_authenticated_header code did not
	check if SASL was actually enabled. File: smtpd/smtpd.c.

20050720

	Feature: reverse client hostname. This is set at connection
	time with information from the SMTP client address->name
	mapping, and can be overruled with the REVERSE_NAME attribute
	in the XCLIENT command. File: smtpd/smtpd_peer.c.

	Cleanup: renaming of several confusing restriction names:
	reject_unknown_client -> reject_unknown_client_hostname,
	reject_unknown_hostname -> reject_unknown_helo_hostname,
	reject_invalid_hostname -> reject_invalid_helo_hostname,
	and reject_non_fqdn_hostname -> reject_non_fqdn_helo_hostname.
	The old names are still recognized and documented.  Files:
	global/mail_params.h, smtpd/smtpd.c, smtpd/smtpd_check.c.

	Feature: reject_unknown_reverse_client_hostname. This rejects
	clients that have no address to name mapping (unlike the
	reject_unknown_client_hostname feature which requires that
	the address->name and name->address mappings resolve to the
	client IP address).  Files: global/mail_params.h,
	smtpd/smtpd_peer.c, smtpd/smtpd.c, smtpd/smtpd_check.c.

20050726

	Horror: total rewrite of DNS client error handling because
	some misguided proposal attempts to give special meaning
	to some syntactically invalid MX hostname lookup result.
	Not only that, people expect sensible results with
	reject_unknown_sender_domain etc.  Files: dns/dns_lookup.c,
	smtp/smtp_addr.c smtpd/smtpd_check.c, lmtp/lmtp_addr.c.

	Cleanup: HOLD action executes only once, to reduce noise
	in the logfile. Files: cleanup/cleanup_message.c, smtpd/smtpd.c.

20050806

	Workaround: accept(2) fails with EPROTO when the client
	already disconnected (SunOS 5.5.1). File: sane_accept.c.

20050815

	Workaround: old Solaris compilers can't link an archive
	without globally visible symbols. File: tls/tls_misc.c.

20050825

	Feature: message_reject_characters and message_strip_characters
	specify what characters in message content Postfix will
	reject or remove. Based on patch by John Fawcett. Files:
	cleanup/cleanup_message.c, cleanup/cleanup_init.c.

	Safety: when the cleanup server rejects the content of mail
	that is submitted with the Postfix sendmail command, or
	re-queued with "postsuper -r", strip the message body from
	the bounce message to reduce the risks from harmful content.
	Files: cleanup/cleanup_envelope.c, cleanup/cleanup_bounce.c.

	Feature: the smtpd_proxy_filter parameter value can now be
	prefixed with "unix:" (for UNIX-domain socket) and "inet:"
	(for TCP socket). TCP sockets are the default.  Patch by
	Edwin Kremer. File: smtpd/smtpd_proxy.c.

20050828

	Bugfix: after adding DSN support, error notification was
	broken for too large mail that was submitted with the Postfix
	sendmail command, forwarded by the local(8) delivery agent,
	or re-queued with "postsuper -r". The message would be saved
	to the "corrupt" queue.

	The mistake was to leave the truncated message in the
	incoming queue and to ask the queue manager to notify the
	sender; this was not possible because the queue manager
	cannot (and should not) handle truncated queue files.

	The fix is to have the cleanup server send the bounce
	message, just like it did before DSN support was added.  As
	a side effect, Postfix will no longer send DSN_SUCCESS
	notices after virtual aliasing, when the cleanup server
	bounces all the recipients of the message anyway.  This
	could be called a feature.  File: cleanup/cleanup_bounce.c.

	Also needed for this fix: a new vstream_fpurge() routine
	that discards unread/written data from a VSTREAM.  It's
	needed before cleanup_bounce() can seek to the start of the
	queue file after a file size error. File: util/vstream.c.

20050920

	Cleanup: removed the legacy "tls_info" structure, factored
	out common code for peer_CN and issuer_CN lookup, and added
	sanity check to not verify subject common names that contain
	nulls or that are execessively long. Patch by Victor Duchovni.
	Files: tls_client.c, tls_server.c, tls_session.c, tls_misc.c,
	tls_verify.c.

20050922

	Bugfix: the *SQL clients did not uniformly choose the
	database host from the available pool of servers due to an
	off-by-one error, so that the "last" available server was
	not selected. Leandro Santi. Files: dict_mysql.c, dict_pgsql.c.

	Update: common code factored out into db_common.c, and
	adoption of Liviu Daia's connection aware MySQL quoting.
	Patch by Victor Duchovni.  Files: dict_ldap.c, dict_mysql.c,
	dict_pgsql.c, db_common.c.

20050923

	Safety: don't update the local(8) delivery agent's idea of
	the Delivered-To: address while expanding aliases or .forward
	files. When an alias or .forward file changes the Delivered-To:
	address, it ties up one queue file and one cleanup process
	instance while mail is being forwarded.  To get the old
	behavior, specify "frozen_delivered_to = no".  Problem
	reported by Michael Tokarev, but found independently by
	others.  Files: local/local.c, local/aliases.c, local/dotforward.c,
	local/mailbox.c, local/maildir.c.

	Logging: additional SASL debug logging by Andreas Winkelmann.
	Files: */*sasl_glue.c.

20050929

	Paranoia: don't ignore garbage in SMTP or LMTP server replies
	when ESMTP command pipelining is turned on. For example,
	after sending ".<CR><LF>QUIT<CR><LF>", Postfix could recognize
	the server's 2XX QUIT reply as a 2XX END-OF-DATA reply after
	garbage, causing mail to be lost. The SMTP and LMTP clients
	now report a remote protocol error and defer delivery.
	Files: smtp/smtp_chat.c, smtp/smtp_trouble.c, lmtp/lmtp_chat.c,
	lmtp/lmtp_trouble.c.

	Performance: specify "smtpd_peername_lookup = no" to disable
	client hostname lookups in the SMTP server. All clients are
	treated as "unknown". This should be used only under extreme
	conditions where DNS lookup latencies are critical. File:
	smtpd/smtpd_peer.c.

20051010

	Feature: smtpd_client_new_tls_session_rate_limit parameter
	to limit the number of new (i.e. uncached) TLS sessions
	that a remote SMTP client may negotiate per unit time. This
	feature, which is off by default, can limit the CPU load
	due to expensive crypto operations.  Files: global/anvil_clnt.c,
	anvil/anvil.c, smtpd/smtpd.c.

	Cleanup: eliminated massive code duplication in the anvil
	server that resulted from adding similar features one at a
	time.  File: anvil/anvil.c.

20051011

	Bugfix: raise the "policy violation" flag when a client
	request exceeds a concurrency or rate limit.  File:
	smtpd/smtpd.c.

	Bugfix (cut-and-paste error): don't reply with 421 (too
	many MAIL FROM or RCPT TO commands) when we aren't closing
	the connection.  File: smtpd/smtpd.c.

20051012

	Polishing: content of comments and sequence of code blocks
	in the anvil server, TLS request rate error message in the
	smtp server, and documentation, but no changes in code.
	Files: anvil/anvil.c, smtpd/smtpd.c.

20051013

	Horror: some systems have basename() and dirname() and some
	don't; some implementations modify their input and some
	don't; and some implementations use a private buffer that
	is overwritten upon the next call. Postfix will use its own
	safer versions called sane_basename() and sane_dirname().
	These never modify the input, and allow the caller to control
	how memory is allocated for the result.  File:
	util/sane_basename.c.

	Feature: "sendmail -C path-to-main.cf" and "sendmail -C
	config_directory" now do what one would expect. File:
	sendmail/sendmail.c.

	Bugfix: don't do smtpd_end_of_data_restrictions after the
	transaction failed due to, e.g., a write error.  File:
	smtpd/smtpd.c.

	Cleanup: the SMTP server now enforces the message_size_limit
	even when the client did not send SIZE information with the
	MAIL FROM command.  This protects before-queue content
	filters against over-size messages.  File: smtpd/smtpd.c.

20051017

	Bugfix: after DSN support was added, smtp_skip_5xx_greeting
	no longer recognized a 5xx SMTP status as a 4xx one. Found
	by Ralf Hildebrandt. Fix: use the enhanced status code
	instead of the SMTP reply code to choose between permanent
	or transient errors. File: smtp/smtp_trouble.c.

	Feature: smtp-sink can hard-reject, soft-reject or simply
	drop connection requests.  File: smtpstone/smtp-sink.c.

	Documentation: clarified the processing of server replies,
	specifically the reply code and the enhanced status code,
	in smtp_chat.c.

20051024

	Performance: new smtp_connection_reuse_time_limit parameter to
	limit connection reuse by elapsed time, instead of limiting
	the number of deliveries per connection.  Bounding by time
	favors delivery over connections that perform well, while
	bounding by number of deliveries allows slow connections
	to drag down the performance.  Insight and initial
	implementation by Victor Duchovni, Morgan Stanley. Files:
	smtp_connect.c, smtp_session.c,

	Bugfix: the next-hop logical destination information for
	connection caching was reset only after a good non-TLS
	connection, so that cached connections to non-TLS backup
	servers could suck away traffic from TLS primary servers
	(the Postfix SMTP client cannot cache an open TLS connection).
	Found during code review. This is fixed with multi-valued
	connection caching state: expired, cachable, non-cachable,
	and bad.  Files: smtp_connect.c, smtp_trouble.c.

	Bugfix: adding support for "sendmail -C" broke "sendmail
	-q".  File: sendmail/sendmail.c.

20051101

	Migration from a single "arrival time" stamp to a structure
	with time stamps from different stages of message delivery.
	The first iteration merely replaces "arrival time" stamps
	by a structure or pointer to structure, and uses only the
	arrival time field of that structure.  This is an extensive
	but straightforward transformation, based on example by
	Victor Duchovni, Morgan Stanley.  Files: anything that
	invokes bounce_append etc., the log_adhoc module, and
	anything that sends or receives a delivery request.

20051102

	Completion of support for time stamps from different stages
	of message delivery. The information is now logged as
	"delays=a/b/c/d" where a=time before queue manager, including
	message transmission; b=time in queue manager; c=connection
	setup including DNS, HELO and TLS; d=message transmission
	time. Unlike Victor's example which used time differences,
	this implementation uses absolute times. The decision of
	what numbers to subtract actually depends on program history,
	so we want to do it in one place.  Files: global/log_adhoc.c,
	smtp/smtp_connect.c, smtp/smtp_proto.c, smtp/smtp_trouble.c,
	lmtp/lmtp_proto.c, lmtp/lmtp_trouble.c.

20051103

	Refinement of time stamping and delays formatting.  The
	hand-off time is now stamped in the delivery agent, so that
	time is properly attributed when a transport is saturated
	or throttled.  Delays are now logged if larger than 0.01
	second. Files: *qmgr/qmgr_deliver.c, global/deliver_request.c,
	global/log_adhoc.c.

20051104

	New parameter delay_logging_time_resolution (default: 10000
	microseconds, or 0.01 second) that controls the detail in
	the new "delays=a/b/c/d" logging. Specify a power of 10
	in the range from 1 to 100000. File: global/log_adhoc.c.
	Parameter renamed 20051108.

20051105

	All delay logging now has sub-second resolution. This means
	updating all code that reads or updates the records that
	specify when mail arrived, and ensuring that mail submitted
	with older Postfix versions produces sensible results.
	Files: global/post_mail.c, global/mail_timeofday.[hc],
	global/log_adhoc.c, postdrop/postdrop.c, pickup/pickup.c,
	cleanup/cleanup_envelope.c, cleanup/cleanup_message.c,
	smtpd/smtpd.c, qmqpd/qmqpd.c, *qmgr/qmgr_message.c,
	*qmgr/qmgr_active.c, local/forward.c.

20051106

	The SMTP client logs the remote server port in the form of
	relay=hostname[hostaddr]:port to the local maillog file.
	The port number is NOT included in DSN status reports,
	because remote users have no need to know such internal
	information.  Files: smtp/smtp_session.c, smtp/smtp_proto.c,
	smtp/smtp_trouble.c.

	Cleanup: encapsulated queue file time read/write operations
	with a few simple macros, to make future changes in time
	representation less painful.

20051108

	Cleanup: eliminated floating point operations from the
	ad-hoc delay logging code. Files: util/format_tv.[hc],
	global/log_adhoc.c.

	The delay logging resolution is now controlled with the
	delay_logging_resolution_limit parameter, which specifies
	the maximal number of digits after the decimal point.

	Bugfix: two messages could get the same message ID due to
	a race condition. This time window was increased when queue
	file creation was postponed from MAIL FROM until the first
	accepted RCPT TO.  The window is closed again. Found by
	Victor. Files: global/mail_stream.c, global/mail_queue.c,
	cleanup/cleanup_message.c.

20051109

	qshape.pl updated for extra microsecond time field in Postfix
	queue files.

	Cleanup: removed obsolete code that handles rejected/dropped
	connections before the HELO handshake. File: smtp/smtp_connect.c.

	Bugfix: XCLIENT broke when reverse hostname support was added.
	Fix by Tomoyuki Sakurai. File: smtpd/smtpd.c.

20051110

	Workaround: don't set the delay warning timer for messages
	from inside or from outside that have the null sender as
	recipient. This was a waste of time, because the warning
	would always be discarded.  File: cleanup/cleanup_envelope.c.

	Feature: the built-in mail delivery status notification
	text is now implemented by built-in templates. Files:
	bounce/bounce_template.c, bounce/bounce_notify_util.c.

20051112

	Feature: configurable bounce message templates based on
	contribution by Nicolas Riendeau. I kept the general format
	of his templates, but placed them together in one file to
	reduce process initialization overhead (most requests to
	the bounce daemon are not for sending bounce messages).
	Files: bounce/bounce_template.c, bounce/dict_ml.c (to be
	moved to library if useful enough). A sample bounce message
	template file is installed as $config_directory/bounce.cf.default.

20051113

	Feature: "postconf -b filename" to preview the non-default
	bounce message templates with $name expansions in the text.
	The actual work is of course done by the bounce daemon.

20051114

	Feature: -V option to make Postfix daemons to log to stderr.
	This is used when a daemon is invoked in stand-alone mode
	by a (non-daemon) command.

	Feature: "postconf -t" displays DSN templates, headers and
	all; use postconf -t ''" to view built-ins.

	Cleanup: renamed fail_template into failure_template.

20051117

	Cleanup: bounce template code reorg, no functionality change.
	Files: bounce/bounce_template.[hc], bounce/bounce_templates.c,
	bounce/bounce_notify_util.c.

20051118

	Bugfix: new bounce template code did not return after
	template syntax error. File: bounce/bounce_template.c

	Safety: permit_mx_backup now requires that the local MTA
	is not listed as primary MX for the recipient domain. This
	prevents mail loops when someone points the primary MX
	record to Postfix.

20051119

	Workaround: some SMTP servers announce multiple but different
	lists of SASL methods. Postfix now concatenates the lists
	instead of logging a warning and remembering only one. File:
	smtp/smtp_sasl_proto.c.

	Bugfix: the queue manager did not write a per-recipient
	defer logfile record when the delivery agent crashed between
	receiving a delivery request, and reporting the delivery
	status to the queue manager.  Found while redesigning the
	code that handles unavailable transports or destinations.
	Files: *qmgr/qmgr_deliver.c.

20051121

	Workaround: do not build the bounce.cf.default template
	while compiling Postfix  - it breaks when the default
	mail_owner etc. accounts don't exist.  Reported by Liviu
	Daia.

	Compatibility: added permit_auth_destination emulation to
	the permit_mx_backup feature. This avoids surprises with
	sites that used permit_mx_backup to authorize all their
	incoming mail.

20051122-24

	Feature: sender_dependent_relayhost_maps, lookup tables that specify
	a sender-dependent override for the relayhost parameter
	setting.  The lookup is done in the trivial-rewrite server,
	instead of the queue manager where it does not belong.
	Files: global/resolve_clnt.c, global/tok822_resolve.c,
	trivial-rewrite/resolve.c, trivial-rewrite/transport.c,
	*qmgr/qmgr_message.c.

	Also: address_verify_sender_dependent_relayhost_maps for
	completeness.

20051124

	Feature: specify "smtp_sender_dependent_authentication =
	yes" to enable sender-dependent SASL passwords. This disables
	SMTP connection caching to ensure that mail from different
	senders is delivered with the appropriate credentials. This
	is an extended version of a patch by Mathias Hasselmann.
	Files: smtp/smtp_connect.c, smtp/smtp_sasl_glue.c.

20051126

	Workaround: log warning when REDIRECT or FILTER are used
	in smtpd_end_of_data_restrictions. File: smtpd/smtpd_check.c.

	Log warning when REDIRECT, FILTER, HOLD and DISCARD are
	used in smtpd_etrn_restrictions. File: smtpd/smtpd_check.c.

20051128

	Bugfix: moved code around from one place to another to make
	REDIRECT, FILTER, HOLD and DISCARD access(5) table actions
	work in smtpd_end_of_data_restrictions.  PREPEND will not
	be fixed; it must be specified before the message content
	is received.  Files: smtpd/smtpd.c, smtpd/smtpd_check.c,
	cleanup/cleanup_extracted.c, pickup/pickup.c.

	Safety: abort if the SMTP or QMQP server runs with non-postfix
	privileges while it's connected to the network.  Files:
	smtpd/smtpd_peer.c, qmqpd/qmqpd_peer.c.

20051201

	Bugfix: the LMTP client would reuse a session after negative
	reply to the RSET command (which may happen when client and
	server somehow get out of sync). Problem found by Christian
	Theune.  Files: lmtp/lmtp.c, lmtp/lmtp_proto.c.

20051202

	Bugfix: the 20051128 code move for "smtpd_end_of_data_restrictions"
	broke "postsuper -r".

20051202-3

	Cleanup: the SMTP client now also implements the LMTP
	protocol.  Files: smtp/smtp.c, smtp/smtp_connect.c,
	smtp/smtp_proto.c, smtp/smtp_dsn.c, smtp_state.c,
	smtp_sasl_glue.c.

	As before, the LMTP behavior is controlled with parameters
	named lmtp_xxx instead of smtp_xxx.  However there are now
	a lot more lmtp_xxx parameters :-) With few exceptions, all
	SMTP features are now also available with LMTP. The exceptions
	are related to the HELO and EHLO commands, which exist in
	SMTP only. There are equivalent LHLO command parameters
	where it makes sense.

20051206

	SMTP+LMTP client connection management code rewritten to
	support UNIX-domain socket connections.

20051207

	Bugfix: race condition in the connection caching protocol,
	found while adding connection caching for UNIX-domain sockets
	(used for LMTP delivery).  This was introduced with the
	20050706 workaround, and may the same problem that Jussi
	Silvennoinen experienced (in Postfix 2.2.6) with SMTP after
	an upgrade.  Files: scache/scache.c.

	Bugfix: smtp-sink and qmqp-sink didn't ignore SIGPIPE.

20051208

	Robustness: reduced timeouts in the connection caching
	client, so that a malfunctioning service does not prevent
	mail delivery. This uses similar code that already exists
	for the anvil(8) client and the tlsmgr(8) client. Files:
	global/scache_clnt.c, smtp/smtp.c.

	To make reduced connection caching client timeouts possible,
	connection management was moved from the attr_clnt(3) module
	to the auto_clnt(3) module where it belongs. The auto_clnt(3)
	module is now a full alternative for the clnt_stream(3)
	module. Files: util/auto_clnt.c, util/attr_clnt.c.

	Bugfix: the best_mx_transport, mailbox_transport and
	fallback_transport features did not write a per-recipient
	defer logfile record when the target delivery agent was
	broken.  This the analog of queue manager bugfix 20051119.
	Files: global/deliver_pass.c.

20051210

	Cleanup: simplified the SMTP/LMTP connection management
	logic for address list and fallback relay processing.
	Still need to simplify deferred recipient handling.

20051212

	Bugfix: after a failed TLS session, the 20051210 SMTP client
	code cleanup broke sessions with backup servers, causing the
	client to get out of step with the backup server.  This in
	turn exposed a one-year old missing exception handling
	context in the EHLO handstake after sending STARTTLS. Victim
	was Ralf Hildebrandt, detectives Victor Duchovni and Wietse.
	File: smtp/smtp_proto.c.

20051213

	Bugfix: *SQL, proxy and LDAP map types were not defined in
	user-land commands such as postqueue. Leandro Santi. File:
	postqueue/postqueue.c.

20051212-14

	Server-side plug-in interface for SASL authentication. This
	uses Cyrus SASL by default, so nothing has changed except
	error messages may be more informative.  Files:
	smtpd/smtpd_sasl_proto.c smtpd/smtpd_sasl_glue.c,
	xsasl/xsasl_server.[hc], xsasl/cyrus_server.[hc]
	xsasl/cyrus_strerror.c, xsasl/cyrus_log.c, xsasl/cyrus_security.c.

20051215

	Portability: IRIX 6.5.28 defines sa_len as a macro, so it
	can't be used as a variable identifier. Zach McDanel. Files:
	dns/dns_rr_to_sa.c, smtpd/smtpd_peer.c, qmqpd/qmqpd_peer.c.

20051216

	Cleanup: removed some scar tissue that was introduced with
	server-side SASL plug-in support. Files: smtpd_sasl_proto.c,
	smtpd_sasl_glue.c.

	Client-side plug-in interface for SASL authentication. This
	uses Cyrus SASL by default, so nothing has changed except
	error messages may be more informative.  Files: smtp_sasl_glue.c,
	xsasl/xsasl_client.[hc], xsasl/cyrus_client.[hc].

20051217

	Bugfix: when a SASL client password is required by a specific
	server, defer delivery when no server-announced mechanism
	survives the smtp_sasl_mechanism_filter, instead of ignoring
	the SASL announcement and trying to deliver the mail over
	an unauthenticated connection and risking that mail will
	be rejected.  File: smtp/smtp_sasl_proto.c, smtp/smtp_proto.c.

	Portability: zero the "struct msg" just in case. Both purify
	(Linux) and valgrind (FreeBSD) complain about uninitialized
	bits.  Files: util/unix_{send,recv}_fd.c.

20051219

	Cleanup: generic smtpd_sasl_path, smtp_sasl_path and
	lmtp_sasl_path configuration parameters; simplified the
	SASL plug-in API, and made initial provisions for SASL
	session encryption. Files: xsasl/*.[hc].

	Feature: "postconf -a" lists the available SASL server
	plug-in types, and "postconf -A" does the same for the
	client.  Files: postconf.c, xsasl_{client,server}.c.

	Feature: new SMTPD policy attributes "encryption_protocol",
	"encryption_cipher" and "encryption_keysize", to distinguish
	plaintext from encrypted connections.

20051221

	Privacy: the new Cyrus SASL server plug-in replaces "no
	user" errors by "authentication failed" errors.  File:
	xsasl/xsasl_cyrus_server.c.

	Safety: the Postfix SMTP client no longer uses CNAME expanded
	hostnames for logging, SASL password lookup, TLS policy
	decisions, or TLS certificate verification.  Instead it
	uses the name of the recipient domain, or the host or domain
	name specified in Postfix configuration files. Of course
	this won't prevent cheating with hostnames that appear in
	MX lookup results. To avoid that you will have to suppress
	MX lookups with explicit [hostname] entries in transport
	maps. Files: dns/dns_lookup.c, dns/dns_rr.c.

20051222

	Feature: Dovecot SASL authentication (server side) plug-in
	by Timo Sirainen. This builds without external library
	dependencies and is therefore compiled in by default.
	Files: xsasl/xsasl_dovecot_server.[hc].

	Safety: set the default LANG=C, instead of deleting LANG
	from the environment and assuming the right thing will
	happen. File: global/mail_params.h.

	Safety: always add the ISASCII() requirement to the ISXXX()
	macros, because they are used for protocol and policy
	enforcement.  File: util/sys_defs.h.

	Bugfix: null pointer in the 20051219 policy delegation
	crypto attributes.  File: smtpd/smtpd_check.c.

	Compatibility: "resolve_numeric_domain = yes" will accept
	addresses with numeric domains instead of rejecting them as
	invalid. Files: trivial-rewrite/resolve.c, util/vstring.c.

	Bugfix: 20051219 "postconf -A" produced "postconf -a" output.
	Andreas Winkelmann.

20051225

	Bugfix: the regexp map cleverly avoided scanning constant
	lookup results for non-existent $number expressions, but
	failed to subject those results to the necessary $$ -> $
	replacement. Files: util/dict_regexp.c.

	Performance: the pcre map did not optimize constant lookup
	results; they were always scanned for non-existent $number
	expressions.  File: util/dict_pcre.c.

	This round of edits eliminates architectural differences
	between the pcre and regexp table implementations.  The
	remaining difference is that regexp tables still support
	the obsolete "/pattern1/!/pattern2/ action" syntax, for
	backwards compatibility with Postfix 2.0 and earlier.

20051227

	Bugfix: the 20051222 ISASCII paranoia broke the strcasecmp()
	workaround for Solaris. File: util/strcasecmp.c.

	Bitrot: SunOS4 pre-dates size_t, ssize_t, getsid().  File:
	src/util/sys_defs.h. The SunOS4 tests had been suspended
	due to what turned out to be a broken AUI-to-UTP transceiver.

	Bugfix: the 20061226 cosmetic change broke non-IPV6 support
	(example: sockaddr_to_hostaddr: Unknown error: success).
	File: util/myaddrinfo.c.

20051229

	The following workaround was removed 20060103.

	Workaround: when mail is still queued after 3000 seconds,
	the SMTP client no longer pipelines the DOT+QUIT commands.
	The 20050929 paranoia about malformed server replies
	eliminated a rare occurrence of "lost mail" with sites that
	mis-implement DOT+QUIT pipelining, but resulted in a larger
	occurrence of repeated deliveries to sites with a different
	DOT+QUIT pipelining bug. The time threshold is set with the
	smtp_dot_quit_workaround_threshold_time parameter.  Files:
	smtp/smtp_proto.c, smtp/smtp.c.

	Feature: mailbox_transport_maps and fallback_transport_maps
	to search delivery transports by recipient name. Files:
	local/mailbox.c, local/unknown.c.

	Feature: the master daemon now logs a warning when all
	servers are busy that may accept remote connections, and
	suggests to either increase the process count or to reduce
	the service time per client.  Files: master/master_ent.c,
	master/master_avail.c.

20051231

	Bugfix: the anvil server would terminate after "max_idle"
	seconds, even when this was less than the anvil_rate_time_unit
	interval. File: anvil/anvil.c.

20060102

	Deleted the 20051229 dot-quit bug workaround.  Automatically
	deferring delivery created "no delivery" and "repeated
	delivery" problems; and automatically turning off pipelining
	for delayed mail was a bad workaround for a bad workaround.
	The administrator still has the option to turn off pipelining
	by hand if loss of mail is a concern.

20060103

	Bugfix: the 20051217 fix (when a SASL client password is
	found, defer delivery when no server-announced mechanism
	survives the smtp_sasl_mechanism_filter) did the mechanism
	test too early, so that it could trip up with deliveries
	to servers that we don't have a SASL password for.  Files:
	smtp/smtp_sasl_proto.c, smtp/smtp_proto.c.

20060104

	Safety: new "smtp_cname_overrides_servername" parameter.
	The default value ("no") is NOT backwards compatible. This
	avoids surprises with the hostname that is used for logging,
	SASL password lookup, TLS policy decisions, or TLS certificate
	verification.  The change makes the 20051221 behavior more
	configurable.  Files: smtp/smtp_addr.c, smtp/smtp_connect.c,
	proto/postconf.proto.

20060105

	Cleanup: removed the unused DSN "code" attribute; removed
	surrogate SMTP replies for errors that were not reported
	by a remote SMTP server, making several DSN-related functions
	and macros redundant; cleaned up some bizarre code for DSN
	attribute memory management in the SMTP client.

20060106

	Cleanup: eliminated the global smtp_errno variable, which
	had become redundant after introducing DSN support. Files:
	smtp/smtp_addr.c, smtp/smtp_connect.c.

20060107

	Cleanup: removed more bizarre code for DSN attribute memory
	management in the queue manager, bounce server, and in
	delivery agents.

20060109

	Bugfix: smtp_sasl_tls_opts was unimplemented. File:
	smtp/smtp_sasl_proto.c.

	Cleanup: more bounce logfile code cleanup.  Files:
	global/bounce_log.c, bounce/bounce_notify_util.c,
	bounce/bounce.c, bounce/bounce_notify_verp.c,
	bounce/bounce_one_service.c, showq/showq.c

20060110

	Cleanup: more bounce logfile code cleanup.  Files:
	global/bounce_log.c, bounce/bounce_notify_util.c.

	Bugfix: the VERP bouncer never handled the case of a missing
	bounce logfile. Found while doing more logfile code cleanup.
	File: bounce/bounce_notify_verp.c.

	Feature: smtp_sasl_tls_verified_security_options for
	connections where the server certificate passed verification.
	The default value is $smtp_sasl_tls_security_options, which
	in turn defaults to $smtp_sasl_security_options.

20060111

	Optimization: mystrdup() and mystrndup() now return a pointer
	to a fixed read-only memory location instead of allocating
	memory for zero-length null-terminated strings.  This saves
	lots of memory for unused recipient attributes. If this
	change causes problems (for example, you have an ancient
	sscanf() implementation that writes to its input) then
	compile Postfix with -DNO_SHARED_EMPTY_STRINGS.

	Cleanup: eliminated null pointer members in DSN structures.
	Instead we now use the optimized mystrdup() for empty
	strings. For safety sake we keep the tests for null pointers
	in input, but we always produce empty strings on output.
	Files: global/dsn.c, global/dsn.h, global/dsn_buf.h,
	global/dsn_print.c.

	Cleanup: eliminated ad-hoc code for passing recipients in
	the queue manager delivery request protocol. Postfix now
	uses proper object activation/passivation instead. Files:
	*qmgr/qmgr_deliver.c, global/deliver_request.c,
	global/deliver_pass.c.

20060112

	Feature: to simplify debugging the bounce server logs the
	old and new queue ID when notifying the sender or postmaster.
	Files: global/post_mail.c, bounce/bounce_notify_service.c,
	bounce/bounce_one_service.c, bounce/bounce_notify_verp.c,
	bounce/bounce_warn_service.c, bounce/bounce_trace_service.c.

	Fudge: when translating recipient DSN codes into sender DSN
	codes, map sender address problems that have no DSN code
	to *.1.7 (Bad sender's mailbox address syntax) instead of
	*.1.0 (Other address status) because that loses the distinction
	between sender and recipient. File: smtpd/smtpd_dsn_fix.c.

20060113

	Cleanup: preserve upper case information of address localpart
	or extension when mapping one address to another with
	non-regexp/pcre tables.  Files: global/mail_addr_find.c,
	global/maps_find.c.

20060115

	Bugfix: don't ignore the per-site policy when SSL library
	initialization fails. Introduced after adopting the TLS
	patch. File: smtp/smtp_session.c.

20060117

	[withdrawn 20060126] Safety: daemon processes that need no
	privileges now insist that they are configured to run without
	privileges.  Files: master/single_server.c, master/multi_server.c,
	master/trigger_server.c.

	Cleanup: preserve upper case information of address localpart
	or extension when mapping addresses via regexp/pcre tables.
	This requires that Postfix does not case fold the search
	string when searching regexp or pcre tables, so that $number
	substitutions produce the expected result.

	In order to get a consistent handling of table operations,
	the search string case folding logic was moved from the
	application to the individual lookup table modules; the
	application specifies its case folding preference when it
	opens a table, and the table folds the search or update
	string as needed.

	Files: everything that opens a map or multiple maps (to
	specify the case folding preference), and everything that
	contained ad-hoc code to lowercase search strings (which
	is no longer needed).

	Bugfix: as a side effect of this revision of all code that
	opens tables, the postmap/postalias -n/-N options are no
	longer silently ignored when the -q (query) and -d (delete)
	options are specified.  Files: postmap/postmap.c,
	postalias/postalias.c.

	Safety: don't allow $number substitution in transport maps
	or sender-dependent relayhost maps.

	Cleanup: smtp_sasl_passwd_maps lookup keys are folded to
	lowercase before searching tables such as btree:, dbm: or
	hash: that have fixed-case fields. File: smtp/smtp_sasl_glue.c.

	Bugfix: per-sender relayhost maps were not locked for shared
	access.

20060119

	Cleanup: don't look up parent domain substrings in regexp/pcre
	like tables while searching a hostname in a domain/namaddr_list.
	File: util/match_ops.c.

20060120

	Cleanup: multiple boolean variables were replaced by a
	single TLS enforcement level (none, may, encrypt, verify).
	With Victor Duchovni. Files: smtp_session.c, smtp_proto.c,
	smtp.h.

	Cleanup: the SMTP per-site policy table was re-implemented
	in terms of enforcement levels instead of multiple boolean
	variables. This greatly simplified the code and led to the
	elimination of non-intuitive behavior as documented next.
	With Victor Duchovni. Files: smtp_session.c, smtp.h.

	Bugfix: a TLS per-site MUST_NOPEERMATCH policy could not
	override a main.cf MUST (with peer match) policy, while a
	per-site NONE policy could.

	Bugfix: a combined TLS per-site (host, next-hop) policy of
	(NONE, MAY) would change the strongest main.cf MUST policy
	into NONE, while it changed all weaker main.cf policies
	into MAY.  The result is now NONE for all main.cf policy
	settings.

20060123

	Feature: recipient_count attribute in SMTPD policy protocol.
	This is available only in the DATA and END-OF-MESSAGE stage.
	Based on code by Guo Black. Files: smtpd_check.c.

	Cleanup: renamed MUMBLE_NUM to MUMBLE_INT to make type
	discrepancies more explicit.

	Bugfix: change 20051208 broke when a connection could not
	be established. File: util/auto_clnt.c.

20060124

	Bugfix: the virtual(8) delivery agent did not insist on
	privileged operation as it should; this broke change 20060117.
	Ralf Hildebrandt.  File: virtual/virtual.c.

	Bugfix: the TLS sasl security options (change 20060110)
	should also be #ifdef USE_TLS, and not only #ifdef
	USE_SASL_AUTH.  Such feature interference is difficult to
	find in testing.  Liviu Daia. File: smtp/smtp_sasl_proto.c.

20060126

	Undo: change 20060117 (unprivileged operation test) broke
	"sendmail -bs", "postconf -b", "postconf -t", and probably
	more. Files: master/{single,multi,trigger}_server.c.

20060130

	Bugfix: an empty remote_header_rewrite_domain value caused
	trivial-rewrite to dereference a null pointer, but only in
	regression tests, not in production. Envelope addresses are
	by definition rewritten in the local domain context, because
	an address without domain is equivalent to an address in
	the local domain; and header addresses are rewritten in the
	remote context only when remote_header_rewrite_domain is
	non-empty.  File: trivial-rewrite/rewrite.c.

20060131

	Cleanup: regression tests are now separated into "make
	tests" for unprivileged tests, and "make root_tests" for
	tests that require privileges to connect to the Postfix
	internal sockets. Files Makefile.in, src/*/Makefile.in.

20060201

	Bugfix: despite efforts to treat malformed domain names as
	hard errors (change 20050726) they were still processed as
	soft errors. File: dns/dns_lookup.c.

20060203

	Bugfix: smtpd core dump when SASL was compiled in, turned
	off (smtpd_sasl_auth_enable = no) and permit_sasl_authenticated
	was specified in local_header_rewrite_clients. Victor
	Duchovni.  File: smtpd/smtpd_check.c.

	Cleanup: don't complain about useless SASL or TLS "permit"
	restrictions when SASL or TLS aren't compiled in, but do
	reject mail when reject_plaintext_session is specified while
	TLS isn't compiled in. File: smtpd/smtpd_check.c.

20060204

	Bugfix: disable the content_filter feature for user-requested
	"sendmail -bv" probes, just like it is disabled for probes
	generated by Postfix itself.  File: *qmgr/qmgr_message.c.

20060207

	Robustness: place the "do we have TLS" guards within method
	implementations, instead of putting them around method
	invocations.  File: smtpd/smtpd_check.c.

	Bugfix: duplicate the cleanup(8) DSN envelope ID syntax
	check in smtpd(8), so that clients get better error replies.
	File: smtpd/smtpd_check.c.

	Bugfix: change 20060203 broke the reject_plaintext_session
	feature.

	The trivial-rewrite and proxymap multi-server processes now
	terminate soon after all their clients disconnect, instead
	of waiting for another 100 seconds. This allows the processes
	to refresh more frequently on low-traffic systems.

	Cleanup: smtpd_delay_open_until_valid_rcpt (default: yes)
	controls whether Postfix delays the start of a mail transaction
	until after the first valid recipient, or if it starts a
	transaction immediately after MAIL FROM. File: smtpd/smtpd.c.

20060217

	Bugfix: don't terminate with a non-standard exit status
	when the pipe-to-command feature has a problem before it
	executes the command. File: global/pipe_command.c.

20060223

	Bugfix: detect integer overflow when multiplying time values
	with non-trivial time units. File: global/conv_time.c.

20060307

	Bugfix: reset the msg_cleanup() fatal error handler in child
	processes. See also change 20060217. Files: postlock/postlock.c,
	master/multi_server.c, global/mail_run.c, util/vstream_popen.c.

20060310

	Bugfix: the MIME processor assumed that input was null
	terminated. This broke with CRLF input to the "sendmail -t"
	command  in Postfix 2.1 and later (see change 20030416).
	Found by Leandro Santi.  Based on patch by Victor Duchovni.
	Files: global/mime_state.c, global/is_header.c.

20060313

	Cleanup: the message arrival time (start of the receive
	transaction) no longer controls message expiration or
	delivery attempts.  Instead, expiration and delivery are
	now controlled by the time when the cleanup server creates
	a queue file.  This closes a problem that was introduced
	with the 20051104 change that introduced higher-resolution
	delay time keeping: as a result, "postsuper -r" could no
	longer manipulate the mail expiration schedule, so that
	mail "on hold" could expire too soon.

20060315

	Workaround. the PCRE library reports an inappropriate error
	code (invalid substring) when $number refers to a valid ()
	expression that matches the null string. This caused fatal
	run-time errors.  File: dict_pcre.c.

20060324

	Cleanup: eliminated name collisions between global and local
	variables, and other forms of shadowing. Documented switch
	fall-throughs with /* FALLTHROUGH */ where this wasn't
	already done.  Replaced (var = expr) by (var = expr) != 0
	where this wasn't already done.

20060324

	Bugfix: mis-placed parenthesis in a before-filter error
	test. A filter timeout was mis-reported as lost connection.
	Found in code review.  File: smtpd/smtpd_proxy.c.

20060327

	Cleanup: the SQL and LDAP clients now log a warning when
	they skip an empty lookup result, so that humans don't have
	to wonder why Postfix doesn't find all the database entries.
	File: global/db_common.c.

	Moved SMTP/LMTP parameter initialization from global/mail_params.c
	to the combined smtp/lmtp delivery agent. Added missing
	lmtp parameters.

20060328

	Feature: configurable chroot directive for the pipe(8)
	delivery agent, by Przemyslaw Wegrzyn. Files:
	global/pipe_command.c, pipe/pipe.c.

	Bugfix: cut-and-paste error: lmtp_connection_cache_limit
	was left with the name of smtp_connection_cache_limit.
	Reported by Victor? File: src/global/mail_params.h.

20060329

	More extensible interface for TLS client/server library,
	now passes property structures that combine all the relevant
	parameters in one type-safe structure.

	TLS session cache activity logging now takes place at TLS
	log level 2 or greater.

20060403

	Cleanup: made fcntl/flock handling consistent with respect
	to EINTR (reported by Carlo Contavalli). However, Postfix
	is not meant to be signal safe.  Only the master daemon
	handles signals without terminating, and it uses only a
	small subset of Postfix library routines. File: util/myflock.c.

	Bugfix: the pipe-to-command error message was lost when the
	command could not be executed. File: global/pipe_command.c.

20060404

	Bugfix in sanity check: after reading a record from the
	address verification database, a sanity check did not reject
	a record with all-zero time stamp fields.  Such records are
	never written; the test is there just in case something is
	broken, so that Postfix will not blindly march on and create
	chaos. The sanity check tested pointer values, instead of
	dereferencing the pointers.  Found by Coverity.  File:
	verify/verify.c.

	Bugfix in sanity check: when the maildir delivery routine
	opens an output file it looks up the file attributes via
	the file handle it just got.  There is a sanity check that
	detects if the attribute lookup fails, an error that never
	happens. The code that handles the impossible error did not
	close the output file. This would cause a virtual or local
	delivery agent to waste up to 100 file descriptors.  But
	for that error to happen the system would have to be so
	sick that you would have more serious problems than a file
	descriptor leak.  Found by Coverity.  Files: local/maildir.c,
	virtual/maildir.c.

20060405

	Bugfix: the MIME parser assumed input is null terminated
	when reporting errors. Fix by Leandro Santi. Files:
	global/mime_state.c, cleanup/cleanup_message.c.

20060411

	Bugfix: the SMTP server logged no warning when for some
	reason the TLS engine was unavailable in wrappermode. Victor
	Duchovni.  File: smtpd/smtpd.c.

20060417

	Cleanup: when SMTP access table lookup fails, reply with
	4xx instead of aborting with a fatal run-time error. The
	old behavior assumes local file access, and is inappropriate
	with deployment of LDAP and SQL tables. File: smtpd/smtpd_check.c.

20060423

	Bugfix: postcat did not print the attribute value of records
	containing a named attribute. File: postcat/postcat.c.

20060430

	Bugfix: dangling pointer in a function that has no caller.
	Found by Coverity. File: tls/tls_prng_exch.c.

	Bugfix: the workaround for CA-2003-07 (Sendmail) did not
	null terminate the address before logging a warning. Reported
	by Kris Kennaway. File: global/tok822_parse.c.

20060301-20060515

	Sendmail 8 Milter support, distributed across the smtpd(8)
	server for SMTP commands, and the cleanup(8) server for
	content inspection and manipulation. The code supports all
	requests to add/delete recipients, and to add/delete/replace
	message headers, but does not yet support requests to replace
	the message body.  See MILTER_README for more. Files:
	smtpd/smtpd.c, smtpd/smtpd_milter.c, cleanup/cleanup_api.c,
	cleanup/cleanup_envelope.c, cleanup/cleanup_extracted.c,
	cleanup/cleanup_milter.c, milter/milter.c, milter/milter8.c.

	That's 89 lines in smtpd, 1010 lines in cleanup, and 2449
	lines of library support, comments not included.

	A simple test Milter application for use in regression tests
	is in src/milter/test-milter.c. Queue file modifications are
	tested with a driver at the end src/cleanup/cleanup_milter.c
	that reads commands from a script.

	To make debugging easier, uncomment the "#define msg_verbose
	2" lines at the top of cleanup_milter.c or milter8.c. This
	produces logging without making everything else verbose.

20060510

	Preliminary TLS_README and postconf(5) changes completed.
	Victor Duchovni.

	Added smtp_tls_policy_maps and smtp_tls_protocols features
	to the smtp/lmtp client, changed smtp_tls_cipherlist to
	only apply when TLS is mandatory. Victor Duchovni.

20060512

	Destinations that share a common server may have distinct
	TLS protocol and cipherlist requirements, with mandatory
	TLS add the protocol and cipherlist values to the TLS session
	lookup key. Victor Duchovni.

20060516

	Portability: __float80 alignment, by Albert Chin.  File:
	util/sys_defs.h.

	Further testing of Milter support uncovered typos; a missing
	null pointer test while cleaning up after content miltering;
	the need for a workaround to not bounce+delete local
	submission after it triggers a temporary reject Milter
	action.

	Workaround: don't bounce+delete a local submission after
	it triggers a "reject 4.x.x" action in header/body_checks.
	This means an SMTP client now sees "queue file write error"
	instead of the text from the "reject 4.x.x text" action.
	File: cleanup/cleanup_message.c.

	Workaround: OpenSSL 0.9.8[ab] with zlib support interoperability
	problem. Victor Duchovni. Files: tls/tls_client.c,
	tls/tls_misc.c, tls/tls_server.c.

	Added smtpd_tls_protocols parameter to complement
	smtp_tls_protocols. Victor Duchovni.

20060517

	The smtp_tls_policy_maps table now implements parent domain
	matching for destinations that are bare domains (without
	enclosing [] or optional :port suffix). This allows one to
	set TLS policy for a domain and all sub-domains. Victor
	Duchovni.

20060519

	The same parameter can bind to different variables in
	different daemons. Ignore the variable name when eliminating
	duplicates in extract.awk. Victor Duchovni.

20060523

	Improved handling of smtp_tls_protocols and smtpd_tls_protocols,
	names now processed via name_mask(3) and canonicalized prior
	to use in the SMTP/LMTP client TLS session lookup key. Also
	simplifies the corresponding code in the TLS driver. Victor
	Duchovni.

20060524

	Cleanup: send ETRN command parameter when using check_policy
	in the context of an ETRN command. Joshua Goodall. File:
	smtpd/smtpd_check.c.

20060601

	Bugfix (bug introduced 20051118): permit_mx_backup authorized
	domains without secondary MX records.  Joshua Goodall. File:
	smtpd/smtpd_check.c.

20060601

	Fixed default value of LMTP TLS client certificate parameters,
	using the SMTP values as a default was wrong. Victor Duchovni.

20060603

	Different transports may have different CAfile or CApath
	settings. We need to add the transport name to the TLS
	session lookup key so that sessions verified with one set
	of trusted roots are not inadvertantly considered verified
	for another. Victor Duchovni.

20060604

	Cleanup: minor fluff found with the BEAM source code analyzer.
	Files: global/quote_821_local.c, global/quote_822_local.c,
	master/master_spawn.c, pickup/pickup.c, util/match_ops.c,
	util/safe_open.c, xsasl/xsasl_cyrus_client.c.

20060606

	Safety: mail receiving daemons (smtpd, qmqpd) now pass
	actual client name/addres/helo attributes in addition to
	the attributes used for logging (xforward). This prevents
	Milter applications from treating qmqpd mail as if it
	originated locally, and prevents incorrect Milter decisions
	after "postsuper -r". Files: smtpd/smtpd.c, qmqpd/qmqpd.c,
	cleanup/cleanup_envelope.c, cleanup/cleanup_milter.c,
	cleanup/cleanup_state.c, global/post_mail.c, *qmgr/qmgr_message.c,
	*qmgr/qmgr_deliver.c, global/deliver_request.c,
	global/deliver_pass.c, local/forward.c.

	Bugfix: qmgr panic after queue file corruption by Mailscanner.
	Files: *qmgr/qmgr_message.c.

	Bugfix: XCLIENT didn't work with smtpd_delay_reject=no
	(problem reported by Joshua Goodall).  To make XCLIENT work
	correctly with built-in restrictions and with Milter
	applications, the SMTP server now jumps back to the very
	start (the 220 phase) of an SMTP session.  File: smtpd/smtpd.c.

20060606

	Portability: Some systems no longer support the traditional
	"sort +0 -2 +3". Victor Duchovni.

20060607

	Portability: Found by BEAM static code analyzer. SSL options
	(long) were stored as int.

20060610

	Cleanup: XCLIENT and XFORWARD attribute values are now sent
	as xtext encoded strings. For backwards compatibility,
	Postfix will still accept unencoded attribute values.  Files:
	smtpd/smtpd.c, smtpd/smtpd_proxy.c, smtp/smtp_proto.c.

20060611

	Robustness: additional sanity checks for common database
	routines. Viktor Dukhovni. File: global/db_common.c.

	Portability: LDAP 2.3 API support. Viktor Dukhovni. File:
	global/dict_ldap.c.

	Security: the PostgreSQL client was updated after the
	PostgreSQL developers made major database API changes in
	response to PostgreSQL security issues. This breaks support
	for PGSQL versions prior to 8.1.4, 8.0.8, 7.4.13, and 7.3.15.
	Support for these requires major code changes which are not
	possible in the time that is left for the Postfix 2.3 stable
	release.

	Specific PostgreSQL client changes: use connection-aware
	quoting, and more robust PQexec() result handling.  Previous
	versions of the dict_pgsql driver didn't check the status
	of the result pointer, and certain exceptional events can
	be mis-interpreted as an empty result set.  Fixes by Leandro
	Santi. File: global/dict_pgsql.c.

20060612

	Changed smtp security level parsing and level->name conversion
	to use name_code(3). Victor Duchovni.

	Implemented new smtp_tls_security_level parameter, to replace
	the unnecessarily complex smtp_use_tls, smtp_enforce_tls
	and smtp_tls_enforce_peername parameters. The main.cf
	security level settings are now consistent with the new
	policy table. Victor Duchovni.

	The smtp_sasl_tls_verified_security_options feature is not
	yet complete, added #ifdef SNAPSHOT and changed documentation
	to delay introduction until Postfix 2.4. Victor Duchovni.

20060614

	Merged in Victor's work including the new TLS policy table
	and a complete set of configuration parameters for the LMTP
	personality of the unified SMTP/LMTP client.

	Allow mandatory TLS encryption with LMTP over UNIX-domain
	sockets. Victor Duchovni.

	Safety: improved code to avoid I/O on connections after the
	TLS handshake fails. Victor Duchovni.

20060615

	Cosmetic patch for const strings. Stefan Huehner.

	Other cosmetic changes, mainly whitespace.

20060616

	The qshape.pl script was updated for the pointer records
	that were introduced to support message content modification
	by Milter applications. Victor Duchovni.

20060620

	Feature: Substantially better cipherlist specification
	interface and support for anonymous ciphers when certificates
	are not needed. The primary interface in main.cf and the
	policy table selects one of 5 grades for mandatory TLS with
	smtp(8) or lmtp(8) or for all TLS sessions with smtpd(8).
	The levels are "high", "medium" (or better), "low" (or
	better), "export" (or better) and "null".  The underlying
	definitions of these levels are configurable, but users are
	strongly encouraged to not change those definitions. Victor
	Duchovni.

20060626

	Bugfix: the Milter reply syntax checker was off by one.
	File: milter/milter8.c.

	Workaround: disable SMTP connection cache lookup by server
	IP address when the tls_per_site policy table is enabled.
	This is a workaround for a shortcoming in the SMTP connection
	cache implementation, which retrieves the server hostname
	from the cached connection. Since this server name is not
	obtained in a secure manner, it must not be allowed to
	control the tls_per_site policy. File: smtp/smtp_reuse.c.

20060627

	Cleanup: mumble_mandatory_tls_mumble parameters renamed to
	mumble_tls_mandatory_mumble; added _mandatory_ qualifier
	to names of parameters that affect only mandatory TLS.

20060630

	Features promoted from SNAPSHOT to STABLE: the "sleep"
	pseudo restriction; Postfix daemons now read the local
	timezone file before chrooting; trivial-rewrite now detects
	table changes every 10 seconds, so it restarts more timely.

	Features that stay #ifdef SNAPSHOT: tcp_table,
	lmtp_sasl_tls_verified_security_options, and
	smtp_sasl_tls_verified_security_options.

	Compatibility: Sendmail does not send its own Received:
	header to Milter applications. Offsets in header replace
	requests are relative to the message content as received
	(i.e. without our own Received: header), while offsets in
	header insert requests are relative to the message as
	delivered (i.e. they include our own Received: header).
	This explains why dk-filter would sign our own Received:
	header but place the signature between our own Received:
	header and the rest of the message, violating the draft
	domainkeys spec.

20060702

	Cleanup: more graceful handling of queue file read/write
	errors while processing milter message modification requests.
	Files: cleanup/cleanup_milter.c, milter/milter8.c.

20060703

	Debugging: the Postfix milter client gives more context
	when it experiences trouble while talking to an uncooperative
	Milter application. File: milter/milter8.c.

	Compatibility: with OpenBSD 2.7 and later, the alias file
	is now in /etc/mail/aliases.

20060704

	Bugfix: the Milter client skipped zero-length body lines.
	File: milter/milter8.c.

	Feature (just this one): RFC 3834 "Auto-Submitted:" message
	header in DSNs.  File: bounce/bounce_notify_util.c.

20060705

	Portability: LP64 systems required a few ssize_t->int casts
	in debug logging statements.  Files: milter/test_milter.c,
	cleanup/cleanup_milter.c.

	Cleanup: comments, error messages, and crumbling interfaces.

20060707

	Workaround: apparently, Solaris gettimeofday() can return
	out-of range microsecond values.  File: src/global/log_adhoc.c.

	Robustness: the SMTPD policy client now encodes the
	ccert_subject and ccert-issuer attributes as xtext.  Some
	characters are replaced by +XX, where XX is the two-digit
	hexadecimal code for the character value.  File:
	smtpd/smtpd_check.c.

	Safety: the SMTP/LMTP client now defers delivery when a
	SASL password exists, but the server does not offer SASL
	authentication. Mail could be rejected otherwise. This may
	become an issue now that Postfix retries delivery in plaintext
	after an opportunistic TLS handshake fails. Specify
	"smtp_sasl_auth_enforce = no" to deliver mail anyway.  File:
	smtp/smtp_proto.c. See workaround 20060711 for sender-dependent
	SASL passwords. This was undone with the 20060719 workaround.

20060709

	Cleanup: the new single smtpd_tls_security_level parameter
	obsoletes the multiple smtpd_use_tls and smtpd_enforce_tls
	parameters. This is done for consistency with the Postfix
	SMTP client. In the Postfix SMTP server, the levels "verify"
	and "secure" are currently not applicable, and are treated
	as "encrypt", after logging a warning. Files: smtpd/smtpd.c,
	tls/tls_level.c, smtp/smtp_session.c.

	Compatibility: don't send the first (blank) body line to
	Milter applications.  This broke domain key etc. signatures
	when verified by non-Postfix MTAs.  File: milter/milter8.c.

20060710

	Cleanup: more consistency between smtpd(8) and smtp(8) TLS
	configuration interfaces: smtpd_tls_mandatory_exclude_ciphers,
	smtpd_tls_mandatory_ciphers, smtpd_tls_mandatory_protocols.
	By Victor. Files:smtpd/smtpd.c.

	Cleanup: to support domainkey signing of bounces and
	Postmaster notices, enable content inspection of Postfix-
	generated mail with the new internal_mail_filter_classes
	feature.  This is disabled by default, because it is not
	yet safe enough. Files: global/int_filt.[hc] and everything
	that calls post_mail_fopen*().

20060711

	Cleanup: smtpd_tls_mumble -> smtpd_tls_mandatory_mumble,
	and finer control over the Postfix SMTP server TLS ciphers,
	all this for consistency with the same functionality in the
	Postfix SMTP client. Victor Duchovni.

	Compatibility: Sendmail's milter client handles whitespace
	after the header label and ":" in an interesting manner.
	It eats one space (not tab). File: milter/milter8.c.

	Workaround: if sender-dependent SASL passwords are enabled,
	don't defer delivery when a SASL password exists but the
	server doesn't announce SASL support. File: smtp/smtp_proto.c.
	This was undone with the 20060719 workaround.

	Cleanup: format of cleanup milter reject messages.  File:
	cleanup_milter.c.

	Bugfix: file/memory leak if a transfer of multiple milters
	from smtpd to cleanup broke in the middle.  Found by Coverity.
	File: milter/milter.c.

20060716

	Bugfix: "sendmail -bs" panic caused by a missing
	SMTPD_STATE_ALONE() guard before a milter_abort() call.
	File: smtpd/smtpd.c.

	Bugfix (bug introduced with Postfix 2.2): the Postfix SMTP
	client enforced Mandatory TLS only when talking to an ESMTP
	server; enforcement did not happen if Postfix could somehow
	be forced to send HELO instead of EHLO.  Victor Duchovni.
	File: src/smtp/smtp_proto.c.

20060718

	Bugfix (bug introduced 20060711): null pointer bug when
	rejecting SMTP mail with Milter application.  File:
	cleanup/cleanup_milter.c.

	Workaround (problem introduced in 200605/200606 TLS update):
	the Postfix SMTP server now issues TLS session IDs even
	when TLS session caching is turned off, otherwise MS Outlook
	fails to deliver mail. There may also be interoperability
	issues with other MTAs that we haven't discovered yet.
	Specify "smtpd_tls_always_issue_session_ids = no" to disable
	the workaround. Victor Duchovni. Files: smtpd/smtpd.c,
	tls/tls_server.c.

20060719

	Cleanup: the smtp_sasl_auth_enforce feature is gone. It was
	meant to work around a problem that was introduced with
	plaintext fallback after a failed TLS handshake.  Unfortunately,
	it created more problems than it solved. We now address the
	underlying problem more directly as described next. File:
	smtp/smtp_proto.c.

	Safety: don't fall back to plaintext delivery after failed
	TLS handshake, when the Postfix SMTP client would have
	attempted to log in with SASL after successful TLS handshake.
	This avoids undesirable behavior regardless of whether the
	server does support SASL over plaintext (unexpected password
	disclosure) and whether the server doesn't support SASL
	over plaintext (insufficient mail relay permission).  Files:
	smtp/smtp_connect.c, smtp/smtp_session.c, smtp/smtp_proto.c.

20060720

	Compatibility: replace %% in milter replies by %, and strip
	single (i.e. invalid) % characters. File: milter/milter8.c.

	Compatibility: $_ macro support for Milter applications.
	Files: smtpd/smtpd.c, smtpd/smtpd_milter.c,
	cleanup/cleanup_state.c, cleanup/cleanup_milter.c.

20060721

	Safety: disable Milter processing after "postsuper -r".  If
	the mail has been filtered there is no need to do it again.
	Moreover, when mail has passed through an external content
	filter, we don't have sufficient information to reproduce
	the exact same SMTP events and Sendmail macros that Milters
	received when the mail originally arrived in Postfix.  This
	change does not affect Milter applications that run behind
	an after-queue content filter. File: pickup/pickup.c.

	Bugfix: Milters received a truncated ORCPT=xxx parameter
	due to destructive parsing of something that didn't have
	to be preserved before Milter support was added to Postfix.
	File: smtpd/smtpd.c.

20060724

	Bugfix: when updating the same header multiple times, the
	Postfix Milter client created a queue file that caused
	delivery agents to loop.  File: cleanup/cleanup_milter.c.

20060725

	Bugfix: damaged queue file record after a Milter request
	to modify a message header when 1) it was the last header
	in the unmodified message, and 2) the old header was less
	than 15 characters long.  File: cleanup/cleanup_milter.c.

	Bugfix: don't panic in smtp_rcpt_cleanup() after detecting
	a damaged queue file record. File: smtp/smtp_proto.c.

20060726

	Bugfix: the 20051013 change to enforce the message size
	limit in the SMTP server didn't work for size limits close
	enough to INT_MAX. File: smtpd/smtpd.c.

	Bugfix (introduced Postfix 2.3): after an SMTP client was
	rejected with "smtpd_delay_reject = no", the SMTP server
	would panic as it generated spurious Milter requests for
	unrecognized commands.  File: smtpd/smtpd.c.

20060727

	Cleanup: change redundant milter_abort() and milter_disc_event()
	calls into NO-OPs.  This avoids unnecessary panic() events
	for completely harmless conditions.  File: milter/milter8.c.

20060805

	Bugfix (introduced Postfix 2.3): #ifdef damage caused
	smtp_sasl_start() to be invoked twice. Reported by C-J
	Lofstedt. File: smtp/smtp_sasl_proto.c.

20060806

	Postfix no longer announces its name in delivery status
	notifications.  Users believe that Wietse provides a free
	helpdesk service that solves all their email problems.
	Credits to Jonathan Balester.  File: bounce/bounce_templates.c.

20060807

	Bugfix (introduced Postfix 2.2): when upgrading from Postfix
	< 2.2 with the third-party TLS patch, the post-install
	upgrade procedure didn't put a "?" in the existing tlsmgr
	entry, causing tlsmgr to repeatedly start and exit when TLS
	support was not compiled in.  File: conf/post-install.

20060812

	Bugfix (introduced < Postfix alpha): safety mechanism in
	mail_date() didn't work.  Found in code review.  File:
	global/mail_date.c.

20060817

	Test programs for host address->name and name->address
	lookups to debug name service inconsistencies, typically
	when the Postfix SMTP server claims that a hostname is
	"unknown".  Files: auxiliary/name-addr-test/*.

20060822

	Added missing logging for "message to large" etc.  Files:
	smtpd/smtpd.c, cleanup/cleanup_milter.c.

20060823

	Bugfix (introduced Postfix 2.2): segfault when vstream_fclose()
	attempted to flush unwritten output, after vstream_fdclose()
	had already disconnected the stream from its file descriptor.
	File: util/vstream.c.

	Bugfix (introduced Postfix 2.2): vstream_fdclose() did not
	flush unwritten output before disconnecting a stream from
	its file descriptor(s).  File: util/vstream.c.

	Feature: smtp-sink can capture mail to file, either as one
	individual message per file, or as multiple messages per
	file.  After an initial implementation by Weidong Cui. File:
	smtpstone/smtp-sink.c.

	Bugfix (introduced < Postfix alpha): smtp-sink did not
	correctly recognize DOT-CR-LF immediately after DATA. File:
	smtpstone/smtp-sink.c.

	Cleanup: smtp-sink now requires that MAIL FROM, RCPT TO and
	DATA be send in the correct order. This simplified the
	implementation of the capture to file feature. File:
	smtpstone/smtp-sink.c.

20050824

	Portability: inside functions, GCC 4 refuses forward
	declarations of static functions.  File: smtpstone/smtp-sink.c.

20060825

	Bugfix (introduced Postfix 2.3): with headers-only mail, a
	Milter "header insert" action corrupted the queue file. The
	cleanup server executed some end-of-body action before the
	end-of-header actions. File: cleanup/cleanup_message.c.

	Robustness: mail delivery agents now detect loops in queue
	files. Files with too many backward jumps are saved to the
	"corrupt" directory.  File: global/record.c.

20060831

	Bugfix (introduced with initial implementation): missing
	"dict_errno = 0" caused mis-leading error messages after
	non-error lookup failure.  Victor Duchovni.  File:
	util/dict_cidr.c.

	Robustness: the default TLS cipher lists were changed from
	!foo:ALL into ALL:!foo. Victor Duchovni.  Files:
	global/mail_params.h and documentation.

20060902

	Bugfix (introduced Postfix 2.3): the LMTP client stripped
	"inet": from the next-hop destination, but still used the
	complete next-hop from the delivery request. File:
	smtp/smtp_connect.c.

20060903

	Cleanup: record loop detection.  File: global/record.c.

20060929

	Workaround: AIX 5.[1-3] getaddrinfo() creates socket address
	structures with a non-zero port value. This breaks the
	smtp_bind_address etc. features, and breaks inet_interfaces
	settings with only one IP address.  Problem reported by
	Hamish Marson.  Files: util/sock_addr.[hc], util/myaddrinfo.c.

	Bugfix (introduced with the Postfix TLS patch): memory leak
	in verify_extract_peer(). The OpenSSL documentation provides
	no information on how subjectAltNames are managed.  Sam
	Rushing, ironport.  File: tls/tls_client.c.

	Bugfix (introduced with Postfix 2.2): smtp_generic_maps
	turned on MIME conversion. File: smtp/smtp_proto.c.

	Workaround: don't send SIZE information in the MAIL FROM
	command when message content will be subject to 8bit ->
	quoted-printable conversion.  File: smtp/smtp_proto.c.

20061002

	Compatibility: Sendmail now invokes the Milter connect
	action with the verified hostname instead of the name
	obtained with PTR lookup. File: smtpd/smtpd.c.

20061004

	Cleanup: force space between mailq queueid+status and file
	size items. File: showq/showq.c.

20061005

	Cleanup: make CISCO PIX bug workarounds configurable.  This
	introduces new parameters: smtp_pix_workarounds (default:
	disable_esmtp, delay_dotcrlf) and smtp_pix_workaround_maps
	(workarounds indexed by server IP address).  The default
	settings are backwards compatible. File: smtp/smtp.c,
	smtp/smtp_proto.c.

20061006

	Workaround: include the smtpd(8) service name when searching
	the TLS session cache, to avoid cross-talk between multiple
	master.cf entries. This does not eliminate cross-talk between
	multiple (x)inetd.conf entries. Victor Duchovni. Files:
	smtpd/smtpd.c, tls/tls_server.c.

20061015

	Cleanup: convert the Milter {mail_addr} and {rcpt_addr}
	macro values to external form. File: smtpd/smtpd_milter.c.

	Cleanup: the Milter {mail_addr} and {rcpt_addr} macros are
	now available with non-SMTP mail. File: cleanup/cleanup_milter.c.

	Cleanup: convert addresses in Milter recipient add/delete
	requests to internal form.  File: cleanup/cleanup_milter.c.

	Cleanup: with non-SMTP mail, convert addresses in simulated
	MAIL FROM and RCPT TO events to external form.  File:
	cleanup/cleanup_milter.c.

20061017

	Cleanup: removed spurious warning when the cleanup server
	attempts to bounce mail with soft_bounce=yes. Problem
	reported by Ralf Hildebrandt. File: cleanup/cleanup_bounce.c.

	Bugfix: null pointer bug when receiving a non-protocol
	response on a cached SMTP/LMTP connection.  Report by Brian
	Kantor.  Fix by Victor Duchovni.  File: smtp/smtp_reuse.c.

20061106

	Feature: new retry delivery agent, to avoid the synchronous
	defer service client in the queue manager. This code is
	co-located with the error(8) server. File: error/error.c.

	Performance: the queue manager could spend too much time
	in the synchronous defer service client, causing the watchdog
	timer to go off.  Where possible, the queue manager now
	bounces or defers recipients asynchronously, by routing
	them to the error or the retry delivery agent. Code by
	Wietse and Patrik Rak. Files: global/recipient_list.c,
	*qmgr/qmgr_error.c, *qmgr/qmgr_defer.c, *qmgr/qmgr_entry.c,
	*qmgr/qmgr_deliver.c, *qmgr/qmgr_message.c.

	Performance: refined recipient and job grouping, and more
	agressive early refill of in-memory recipients to prevent
	a worst-case scenario where the queue manager became starved
	until after the last batch of slow in-memory recipients of
	jumbo multi-recipient mail. Code by Patrik Rak.  Files:
	global/mail_conf_time.c, qmgr/qmgr_message.c, qmgr/qmgr.c,
	qmgr/qmgr.h, qmgr/qmgr_entry.c, qmgr/qmgr_job.c,
	qmgr/qmgr_message.c, qmgr/qmgr_transport.c.

20061113

	Bugfix: the Postfix install/upgrade procedure broke with
	non-default config_directory. File: conf/post-install.

20061115

	Bugfix: null pointer bug in end-of-header Milter action
	when the last header line is too large.  Reported by Mark
	Martinec. The root of the problem is that the MIME state
	engine may execute up to three call-back functions when it
	reaches the end of the headers, before it returns to the
	caller; as long as call-backs return no result, each call-back
	has to check for itself if a previous call-back ran into a
	problem.  File: milter/milter8.c.

	Workaround: reduce effective header_size_limit to 60000
	when Milter inspection is enabled, to avoid breaking the
	Milter protocol request length limit. File:
	cleanup/cleanup_message.c.

20061123

	Safety: don't read more than 5000 recipients at a time, to
	avoid spending too much time away from interrupts.  File:
	qmgr/qmgr_message.c.

20061201

	Workaround: don't complain with "Error 0" in the trivial-rewrite,
	verify, proxymap or connection cache client when the server
	exits after the client sends its request. We still complain,
	however, when the problem persists.  Files: global/rewrite_clnt.c,
	global/resolve_clnt.c, global/verify_clnt.c, global/scache_clnt.c,
	global/dict_proxy.c.

	Safety: the header_size_limit is now enforced more strictly,
	to avoid inter-operability problems with the Milter protocol.
	Long headers are truncated at a line boundary if possible,
	otherwise they are cut between line boundaries. File:
	cleanup/cleanup_out.c.

20061203

	Bugfix (introduced with Postfix 2.2): with SMTP server
	tarpit delays of smtp_rset_timeout or larger, the SMTP
	client could get out of sync with the server while reusing
	a connection.  The symptoms were "recipient rejected .. in
	reply to DATA".  Fix by Victor Duchovni and Wietse.  Files:
	smtp/smtp_proto.c, smtp/smtp_connect.c.

	Robustness: the vbuf and vstream documentation claimed that
	their *error() macros reported timeout errors, but they
	didn't really. The implementation was fixed, and redundant
	vstream_ftimeout() calls were removed. As a result, many
	Postfix daemons now properly detect write timeout errors
	on internal connections.  Files: util/vbuf.h.

	Workaround: some broken SMTP servers reply and hang up in
	the middle of DATA. The Postfix SMTP client now stops sending
	and tries to receive the server response. This can help to
	avoid repeated delivery attempts. Initial implementation
	by Wietse, later work by Victor Duchovni. Files:
	smtp/smtp_proto.c, smtpstone/smtp-sink.c, util/vstream.c,
	plus trivial mods for code thatr calls vstream_fpurge().

20061204

	Compatibility: The Postfix installation/upgrade procedure
	no longer sets "unknown_local_recipient_code = 450" in
	main.cf. This was a safety net for upgrades from Postfix
	1.x. Four years later is no longer needed. File:
	conf/post-install.

	Cleanup: removed vstream_fclose() error warning in the code
	that disconnects from a delivery agent. There is no need
	to report errors here because they would already be reported
	earlier.  Files: *qmgr/qmgr_deliver.c.

	Robustness: "kill me after N seconds" feature to ensure
	that a daemon process does not get stuck while preparing
	for exit after signal arrival. File: util/killme_after.[hc],
	util/watchdog.c, master/master_sig.c.

20061206

	Robustness: low-cost re-entrancy guard that allows daemons
	to safely call msg_fatal() etc. from a signal handler,
	without risking memory corruption, or deadlock on Redhat
	Linux.  This works provided that the signal handler terminates
	the process. In that special case we need not guarantee
	after-the-fact consistency of the thread that was interrupted.
	File: util/msg_output.c.

	Robustness: replace exit() calls by _exit(). File: util/msg.c,
	bounce/bounce_cleanup.c.

20061207

	Workaround: on systems with usable futimes() or equivalent
	(Solaris, *BSD, MacOS, but not Linux), always explicitly
	set the queue file last modification time stamps while
	creating a queue file. With this, Postfix can avoid logging
	warnings when the file system clock is ahead of the local
	clock.  Clock skew can be a problem, because Postfix does
	not deliver mail until the local clock catches up with the
	queue file's last modification time stamp.  File:
	global/mail_stream.c.

	Workaround: on systems without usable futimes() or equivalent,
	log a warning when the file system clock is more than 100
	seconds behind the local clock. This does not cause mail
	delivery problems, but it just looks silly in message
	headers. File: global/mail_stream.c.

	On systems without usable futimes() (Linux, and ancient
	versions of Solaris, SunOS and *BSD) Postfix will keep using
	the slower utime() system call to update queue file time
	stamps when the file system clock is off with respect to
	the local system clock.

	Compatibility with Postfix < 2.3: undo the change to bounce
	instead of defer after pipe-to-command delivery fails with
	a signal. File: global/pipe_command.c.

20061208

	Workaround: apparently, some mail software removes or hides
	"<postmaster>" in the Postfix bounce text, because it
	processes the text as if it were HTML. This confuses users.
	The bounce template has been updated to remove the < and
	>.  File: bounce/bounce_templates.c.

	Cleanup: when smtp_generic_maps is turned on, don't parse
	MIME structures in the message body. Victor Duchovni. File:
	smtp/smtp_proto.c.

20061210

	Cleanup: streamline the signal handler reentrancy protections,
	and document under what conditions these protections work,
	with REENTRANCY sections in the relevant man pages. Files:
	util/vbuf_print.c.  util/msg.c, util/msg_output.c.

20061211

	Cleanup: when doing server access control by the remote TLS
	client fingerprint, do not require client certificate
	verification.  Victor Duchovni.  File: smtpd/smtpd_check.c.

	Safety: when the remote TLS client certificate isn't verified,
	don't send ccert_subject and ccert_issuer attributes in
	check_policy_service requests. Victor Duchovni. File:
	smtpd/smtpd_check.c.

	Bugfix: the postconf command still complained about an
	unqualified machine name, because it was not updated with
	the 20050513 change that introduced a default "mydomain =
	localdomain".  File: postconf/postconf.c.

20061213

	Bugfix: race condition in "ETRN site", "sendmail -qRsite"
	and "postqueue -s site". When the command arrived while an
	incoming queue scan was already in progress, mail could
	stay deferred instead of being flushed. The fix was to
	unthrottle the queue manager before moving files from the
	deferred queue to the incoming queue.  Files: flush/flush.c,
	qmgr/qmgr_scan.c.

	Cleanup: the sendmail and postqueue commands no longer
	terminate with a non-standard error status after a run-time
	error in some Postfix internal routine (typically, some
	essential file is not accessible, or the system is out of
	memory). Files: sendmail/sendmail.c, postqueue/postqueue.c.

	Feature: "sendmail -qIqueueid" and "postqueue -i queueid"
	to flush a specific queue file. Files: sendmail/sendmail.c,
	postqueue/postqueue.c, global/flush_clnt.c, flush/flush.c.

20061214

	Performance: "sendmail -qIqueueid" and "postqueue -i queueid"
	unthrottle only the necessary message delivery transports
	and queues. The unthrottle request now is propagated to the
	queue manager via queue file group read permission bits.
	Based on initial implementation by Victor Duchovni.  Files:
	flush/flush.c, *qmgr/qmgr.c, *qmgr/qmgr_scan.c,
	*qmgr/qmgr_active.c, *qmgr/qmgr_message.c.

20061220

	Workaround: PMilter 0.95 does not deliver SMFIC_EOB+data
	to the application as SMFIC_BODY+data followed by SMFIC_EOB.
	To avoid compatibility problems, Postfix now sends
	SMFIC_BODY+data followed by SMFIC_EOB.  File: milter/milter8.c.

	Bugfix (introduced with Postfix 2.3): when inserting
	Milter-generated headers at increasing positions in a
	message, a later header could end up at a previously used
	insertion point.  Thus, inserting headers at positions (N,
	N+M) could work as if (N, N) had been specified. Problem
	reported by Mark Martinec.  File: milter/milter8.c.

20061221

	Feature: time unit suffix support in _command_time_limit.
	Files: pipe/pipe.c, spawn/spawn.c.

20061227

	Bugfix (introduced with Postfix 2.3): the MX hostname syntax
	check was skipped with reject_unknown_helo_hostname and
	reject_unknown_sender/recipient_domain, so that Postfix
	would still accept mail from domains with a zero-length MX
	hostname.  File: smtpd/smtpd_check.c.

20061229

	Cleanup: use separate TLS_LEGACY_README to document the old
	TLS user interface. This will simplify TLS_README dramatically.

	Cleanup: untangled spaghetti code. File: util/inet_listen.c.

20070104

	Bugfix (introduced Postfix 2.3): when creating an alias map
	on a NIS-enabled system, don't case-fold the YP_MASTER_NAME
	and YP_LAST_MODIFIED lookup keys. This requires that an
	application can turn on/off case folding on the fly.  Files:
	postalias/postalias.c, global/dict_mumble.c, util/dict_mumble.c,
	proxymap/proxymap.c.

	Cleanup: after the above revision of the proxymap protocol,
	the proxymap server can now share the same map with clients
	that have only minor differences in dictionary open/access
	options.

20070105

	Performance: pipeline of pending delivery agent connections,
	to improve Linux/Solaris mail delivery performance by another
	10% while going down-hill with the wind from behind. Design
	and implementation Victor and Wietse. Files: *qmgr/qmgr.c,
	*qmgr/qmgr.h, *qmgr/qmgr_transport.c.

20070106

	Cleanup: eliminate the Linux/Solaris "wait for accept()"
	stage from the queue manager to delivery agent protocol.
	This alone achieves 99.99% of the Linux/Solaris speed up
	from the preceding change. The pending connection pipeline
	takes care of the rest.  Tested on Linux kernels dating
	back to 2.0.27 (that's more than 10 years ago).  Files:
	*qmgr/qmgr_transport.c.

20070112

	Bugfix (introduced 20011008): after return from nested
	access restriction, possible longjump into exited stack
	frame upon configuration error or table lookup error. Victor
	Duchovni.  Files: smtpd/smtpd_check.c.

	Workaround: don't insert header/body blank line separator
	in malformed attachments, to avoid breaking digital signatures.
	Switch from header to body state, for robust MIME parsing.
	People concerned about MIME evasion can use a MIME normalizer
	to corrupt their user's legitimate email.  File:
	global/mime_state.c.

20070114

	Feature: body replacement support for Milter applications.
	Postfix 2.3 and older 2.4 versions will be able to deliver
	body-replaced queue files, but will report the message size
	as it was before the body was replaced.  Files: milter/milter8.c,
	cleanup/cleanup_milter.c, cleanup/cleanup_body_region.c.

20070117

	Cleanup: reusable infrastructure for body replacement.
	Files: cleanup/cleanup_body_edit.c, cleanup/cleanup_region.c.

20070118

	Bugfix: match lists didn't implement ![ipv6address].  Problem
	reported by Paulo Pacheco. File: util/match_list.c.

	Cleanup: revised the matchlist "!" support, added support
	for !/file/name, and updated the documentation. File:
	util/match_list.c.

20070119-21

	Cleanup: pad short message headers with a filler record,
	so that the result is never shorter than a pointer record.
	This immensely simplified the support for Milter header
	modification requests: three complex loops could be replaced
	by one simpler loop.  The DTXT record type was re-purposed
	from "deleted header text" to "short header padding", keeping
	the change backwards compatible.  Files: cleanup/cleanup_out.c,
	cleanup/cleanup_milter.c, global/record.c.

	Cleanup: the Milter "add recipient" action always added the
	recipient to the initial envelope segment, causing added
	recipients to be separate from "sendmail -t" recipients.
	This violated design, without impact on delivery (always_bcc
	recipient are always at the end of the queue file even when
	all other recipients are in the initial segment).  File:
	global/rec_types.h.

20070123

	Workaround: OpenSSL falsely concludes that AES256 support
	is present when only AES128 is available.  Code by Victor
	Duchovni.  File: tls/tls_misc.c.

20070125

	Disable workaround pending completion of updated TLS]
	support in non-production releases.

20070131

	Assorted code cleanup, portability fixes/workarounds, and
	minor updates: global/dict_ldap.c, mantools/postlink,
	tlsmgs/tlsmgr.c, conf/master.cf. LaMont Jones.

20070101

	Portability: GNU Hurd support for multiple kernel environments.
	LaMont Jones. Files: util/sys_defs.h, makedefs.

	Cleanup: some default settings were adjusted to better fit
	today's environment: queue_run_delay and minimal_backoff_time
	were reduced from 1000s to 300s, so that deliveries are
	retried earlier after the first failure; ipc_idle was reduced
	from 100s to 5s, so that tlsmgr and scache clients will
	more quickly release unused file handles. Files:
	global/mail_params.h, proto/postconf.5.html

20070202

	Catch-up: FreeBSD kqueue support. File: util/events.c.

20070205

	System-V poll(2) support. This is now the preferred method
	to test a single file descriptor on sufficiently recent
	versions of FreeBSD, NetBSD, OpenBSD, Solaris and Linux;
	other systems will be added as evidence becomes available
	of usable poll(2) implementations. Files: util/read_wait.c,
	util/write_wait.c, util/readble.c, util/writable.c.

	Streamlined the event_enable_read/write implementation to
	speed up smtp-source performance, by eliminating expensive
	kqueue/devpoll/epoll system calls when only the application
	call-back information changes. On FreeBSD, smtp-sink/source
	tests now run 5% faster than with the old select(2) based
	implementation.  File util/events.c.

20070206

	Catch-up: Solaris /dev/poll support. File: util/events.c.

	Bugfix (introduced 20060823): initial state was not in state
	machine, causing memory access outside the lookup table.
	File: smtpstone/smtp-sink.c.

20070210

	Catch-up: Linux epoll support. File: util/events.c.

20070211

	Polished the kqueue/devpoll/epoll support; this is now
	enabled by default on sufficiently recent versions of
	FreeBSD, NetBSD, OpenBSD, Solaris and Linux; other systems
	will be added as evidence becomes available of usable
	implementations. File: util/events.c.

20070212

	Further polish: removed some typos from new code in the
	events.c handler, undid some unnecessary changes to the
	{read,write}{_wait,able}.c modules, and addressed Victor's
	paranoia for multi-client servers with a thousand clients
	while linked with library routines that can't handle file
	descriptors >= FD_SETSIZE.

	Cleanup: while debugging the new events.c handler, removed
	an unnecessary "write after connect" call-back event. File:
	global/post_mail.c.

20070214

	Robustness: in the queue manager keep a number of free file
	descriptor slots at the low end, to work around library
	routines that can't handle file descriptors >= FD_SETSIZE.
	Files: *qmgr/qmgr_transport.c, util/vstream.[hc]

20070215

	Bugfix (introduced 20070114 with Milter body edit support):
	the cleanup server terminated with a fatal error when SMTP
	mail exceeded the message size limit, instead of handling
	it as a non-fatal error. Files: cleanup/cleanup_extracted.c,
	cleanup/cleanup_final.c, cleanup/cleanup_bounce.c,
	cleanup/cleanup_api.c.

20070217

	Streamline the compile time selection of event handling
	styles, replacing multiple on/off macros by just one
	multi-valued macro. Files: util/sys_defs.h, util/events.c,
	master/multi_server.c, *qmgr/qmgr_transport.c.

20070220

	Work-around: Disable SSL/TLS ciphers when the underlying
	symmetric algorithm is not available in the OpenSSL crypto
	library at the required bit strength. Problem observed with
	SunOS 5.10's bundled OpenSSL 0.9.7 and AES 256. Also possible
	with OpenSSL 0.9.8 and CAMELLIA 256. Root cause fixed in
	upcoming OpenSSL 0.9.7m, 0.9.8e and 0.9.9 releases. Victor
	Duchovni, Morgan Stanley. Files: src/smtp/smtp_proto.c,
	src/smtpd/smtpd.c, src/tls/tls.h, src/tls/tls_client.c,
	src/tls/tls_misc.c and src/tls/tls_server.c.

20070222

	Workaround: delayed "postfix reload" with ancient FreeBSD4
	kqueue implementations, causing the first external or
	internal clients after "postfix reload" to experience a
	quick disconnect.  Apparently, these kqueue implementations
	do not deliver a read notification when the master closes
	the per-service shared master/child status pipe (even when
	there is only one child; note that the master keeps a handle
	to both ends of each status pipe).  A child process remains
	ignorant that the status pipe was closed until the arrival
	of the next client request, and then terminates.  The
	workaround is to ignore master status write errors before
	handling a service request.  Files: master/*_server.c.

	Cleanup: fix race condition that caused unnecessary "premature
	end-of-input" warning messages when "postfix reload" was
	issued on a busy mail server. Files: util/attr_scan*c.

20070223

	Cleanup: syslog_name now works as documented with both
	daemons and commands (including set-gid commands).  Files:
	global/mail_task.c postlog/postlog.c, global/mail_version.h,
	sendmail/sendmail.c, postsuper/postsuper.c, postalias/postalias.c,
	postmap/postmap.c, postqueue/postqueue.c, postdrop/postdrop.c,
	master/trigger_server.c, master/single_server.c,
	master/multi_server.c.

20070224

	Workaround: GNU POP3D creates a new mailbox and deletes the
	old one. Postfix now backs off and retries delivery later,
	instead of appending mail to a deleted file.  To minimize
	the use of this workaround, Postfix now by default creates
	mailbox dotlock files on all systems, and creates dotlock
	files before opening mailbox files.  Files: util/sys_defs.h,
	global/mbox_open.c.

20070301

	Workaround: updated workaround for broken Solaris accept().
	File: util/inet_listen.c.

	Workaround: on some FreeBSD versions, accept(2) can fail
	with a bogus EINVAL error. We now allow accept(2) to fail
	for a limited number of times before terminating the process.
	Files: master/single_server.c, master/multi_server.c.

20070306

	Bugfix (introduced with Postfix 2.3 Milter support): postdrop
	reported "illegal seek" instead of "file too large".  File:
	postdrop/postdrop.c.

20070310

	Cleanup: specify "undisclosed_recipients_header =" to disable
	Postfix's "To: undisclosed-recipients:;" header for mail
	that lists no recipient. The To: header is not required as
	of RFC 2822.  The undisclosed_recipients_header parameter
	value can now be an empty string, a value that was not
	allowed with earlier Postfix versions. With Postfix 2.5 it
	will be empty by default. Files: cleanup/cleanup.c,
	cleanup/cleanup_message.c.

20070312

	Backwards compatibility: don't pad short message header
	records when Milter support is turned off. This maintains
	compatibility with Postfix versions that pre-date Milter
	support. File: cleanup/cleanup_out.c.

20070314

	Bitrot: move the "don't run this daemon by hand" message
	before other tests. Files: master/*server.c.

20070315

	Bitrot: New OpenLDAP APIs deprecate simplified interfaces,
	that are the only ones available in Sun's LDAP SDK. Define
	suitable macros that work with new OpenLDAP and Sun's code.
	Victor Duchovni, Morgan Stanley. File: src/global/dict_ldap.c

	Cleanup: new "leaf" and "terminal" result attributes support
	fine-tuning of LDAP group expansion, and provide a solution
	for the problem case where DN recursion returns both the
	group address and the addresses of the member objects.
	Victor Duchovni, Morgan Stanley.  Files: src/global/dict_ldap.c,
	proto/LDAP_README.html, proto/ldap_table

20070317

	Idioten Sicherheit: stamp every executable file and every
	core dump file with "mail_version=xxxxx". Adding version
	stamps and checks to every IPC message is too much change
	after code freeze, and requires too much time for testing.
	File: src/global/mail_version.h and every main program file.

20070320

	Bugfix (introduced between 20070120 and 20070121): the
	cleanup server stored no "delayed mail warning" queue file
	records with "sendmail -t", and no header_checks filter/redirect
	records or content encoding records with other mail.  File:
	global/rec_type.h.

20070321

	Bugfix (introduced 20070224): local(8) or virtual(8) could
	log a misleading error message after failure to open a
	mailbox file. File: global/mbox_open.c.

	Bugfix (code should have been updated 20070104): the proxymap
	client did not propagate changes in case folding flags.
	Currently, nothing in Postfix uses this functionality.
	File: global/dict_proxy.c.

20070325

	Bugfix: postfix-install didn't work for symlink or hardlink
	targets, when the parent directory had a value of "no".

20070326

	Workaround: Eric Raymond's man page formatters don't handle
	low-level *roff .in or .ti controls. We now use .nf and .fi
	instead. Files: many.

20070331

	Bugfix (introduced Postfix 2.3): segfault with HOLD action
	in access/header_checks/body_checks on 64-bit platforms.
	File: cleanup/cleanup_api.c.

20070402

	Portability (introduced 20070325): the fix for hardlinks
	and symlinks in postfix-install forgot to work around shells
	where "IFS=/ command" makes the IFS setting permanent.  This
	is allowed by some broken standard, and affects Solaris.
	File: postfix-install.

	Portability (introduced 20070212): the workaround for
	non-existent library bugs with descriptors >= FD_SETSIZE
	broke with "fcntl F_DUPFD: Invalid argument" on 64-bit
	Solaris.  Files: master/multi_server.c, *qmgr/qmgr_transport.c.

20070405

	Feature: BCC access/policy action, to demonstrate that this
	is not a good feature. The action's behavior is non-intuitive
	and requires too much documentation to explain.  It's
	therefore snapshot only.  File: smtpd/smtpd_check.c.

20070414

	Cleanup: expire cached results from addres rewriting, address
	resolution, and from transport map lookups.  Results expire
	after 30 seconds; short enough that it doesn't freak out
	people who run the same test repeatedly, and long enough
	that it doesn't upset other people with continuous streams
	of "*" transport map lookups.  Files: global/rewrite_clnt.c,
	global/resolve_clnt.c, trivial-rewrite/transport.c.

20070421

	Cleanup: on (Linux) platforms that cripple signal handlers
	with deadlock, "postfix stop" now forcefully stops all the
	processes in the master's process group, not just the master
	process alone.  File: conf/postfix-script.

20070422

	Cleanup: the "Delivered-To:" loop detection implementation
	was moved from the local(8) delivery agent to the library,
	where it can also be used by other delivery agents. Files:
	global/delivered_hdr.[hc].

	Safety: the "Delivered-To:" loop detection implementation
	keeps state for no more than 1000 "Delivered-To:" headers.

	Feature: $domain command-line macro support, to get access
	to the recipient address domain portion.  Based on code by
	Koen Vermeer. File: pipe/pipe.c.

	Cleanup: support for "Delivered-To:" loop detection in the
	pipe(8) delivery agent. This follows a general principle:
	if a program creates the "Delivered-To:" header, then it
	is also responsible for "Delivered-To:" loop detection.
	File pipe/pipe.c.

20070423

	The cache expiring transport map lookups did not distinguish
	between wildcard transport map entry with an "empty" transport
	field, or no wildcard transport map entry.

20070424

	Cleanup: making hard-coded behavior configurable. In this
	case, extracting 8BITMIME encoding information from
	Content-Transfer-Encoding: message headers.  The default
	behavior, "detect_8bit_encoding_header = yes", is backwards
	compatible. This behavior was introduced to generate
	RFC-compliant bounce messages before Postfix supported the
	8BITMIME option in the MAIL FROM command and on the Postfix
	sendmail command line.  Files: cleanup/cleanup_init.c,
	cleanup/cleanup_message.c, global/mail_params.h.

20070425

	Bugfix: don't falsely report "lost connection from
	localhost[127.0.0.1]" when Postfix is being portscanned.
	Files: smtpd/smtpd_peer.c, qmqpd/qmqpd_peer.c.

20070429

	Feature: "postfix status" to report whether Postfix is
	running.  By Mike Cappella.

	Cleanup: configurable address case folding moved from the
	pipe(8) delivery agent to the library, where it can also
	be used by other delivery agents. Files: global/fold_addr.[hc].

20070430

	Robustness: recommend a "0" process limit for policy servers
	to avoid "connection refused" problems when the smtpd process
	limit exceeds the default process limit.  File:
	proto/SMTPD_POLICY_README.html.

20070501

	Workaround: turn on KEEPALIVE probes to avoided "lost
	connection after sending end-of-data" problems when some
	stateful (NAT) filter expires an idle connection too soon.
	This requires that the kernel's TCP keepalive timer be set
	to a sufficiently short time (perhaps 100s or less).  Files:
	util/sane_accept.c, util/sane_connect.c.

	Safety: when IPv6 (or IPv4) is turned off, don't treat an
	IPv6 (or IPv4) connection from e.g. inetd as if it comes
	from localhost[127.0.0.1]. Files: smtpd/smtpd_peer.c,
	qmqpd/qmqpd_peer.c.

20070502

	Workaround: build without EPOLL support when an epoll-enabled
	kernel sits underneath a retarded libc.  File: makedefs.

	Cleanup: missing support for SASL security properties with
	Dovecot SASL authentication. Based on an initial version
	by Lev A. Serebryakov.  File: xsasl/xsasl_dovecot_server.c.

20070503

	Cleanup: changed the default address verification sender
	from "postmaster" to "double-bounce", so that the Postfix
	SMTP server no longer surprises unsuspecting people by
	excluding "postmaster" from SMTPD access controls.  File:
	global/mail_params.h.

20070508

	Bugfix: Content-Transfer-Encoding: attribute values are
	case insensitive. File: src/cleanup/cleanup_message.c.


20070514

	Bugfix: the makedefs EPOLL workaround broke any attempt to
	build on a 2.6 kernel. And that two weeks after the workaround
	had been posted to the mailing list. File: makedefs.

	Bugfix: mailbox_transport(_maps) and fallback_transport(_maps)
	were broken when used with the error(8) or discard(8)
	transports. Cause: insufficient documentation.  Files:
	error/error.c, discard/discard.c.

20070520

	Bugfix (problem introduced Postfix 2.3): when DSN support
	was introduced it broke "agressive" recipient duplicate
	elimination with "enable_original_recipient = no".  File:
	cleanup/cleanup_out_recipient.c.

20070523

	Feature: cyrus_sasl_config_path to specify a search path
	for Cyrus SASL configuration files (currently used only to
	locate the smtpd.conf file).  Based on code by Victor
	Duchovni. Files: smtpd/smtpd.c xsasl/xsasl_cyrus_server.c,
	(and xsasl/xsasl_cyrus_client.c for future expansion).

20070525

	Bugfix (introduced 20070523): the sasl_set_path() function
	name was mis-speeled.

20070529

	Bugfix (introduced Postfix 2.3): the sendmail/postdrop
	commands would hang when trying to submit a message larger
	than the per-message size limit. File: postdrop/postdrop.c.

20070530

	Sabotage the saboteur who insists on breaking Postfix by
	adding gethostbyname() calls that cause maildir delivery
	to fail when the machine name is not found in /etc/hosts,
	or that cause Postfix processes to hang when the network
	is down.

20070531

	Portability: Victor helpfully pointed out that change
	20070425 broke on non-IPv6 systems. Files: smtpd/smtpd_peer.c,
	qmqpd/qmqpd_peer.c.

20070610

	Isolation: don't allow the pipe(8) delivery agent to leak
	postdrop group privileges with "user=xxx:postdrop". File:
	pipe/pipe.c.

20070613

	Bugfix: the Milter client assumed that a Milter application
	does not modify the message header or envelope, after that
	same Milter application has modified the message body of
	that same email message. This is not a problem with updates
	by different Milter applications.  Problem was triggered
	by Jose-Marcio Martins da Cruz. Also simplified the handling
	of queue file update errors. File: milter/milter8.c.

20070614

	Workaround: some non-Cyrus SASL SMTP servers require SASL
	login without authzid (authoriZation ID), i.e. the client
	must send only the authcid (authentiCation ID) + the authcid's
	password.  In this case the server is supposed to derive
	the authzid from the authcid. This works as expected when
	authenticating to a Cyrus SASL SMTP server.  To get the old
	behavior specify "send_cyrus_sasl_authzid = yes", in which
	case Postfix sends the (authzid, authcid, password), with
	the authzid equal to the authcid. File: xsasl/xsasl_cyrus_client.c.

20070619

	Portability: /dev/poll support for Solaris chroot jail setup
	scripts. Files: examples/chroot-setup/Solaris8,
	examples/chroot-setup/Solaris10.

20070713

	The RFC documents at www.faqs.org are being polluted with
	"feedback" spam. The Postfix hypertext documentation now
	points to tools.ietf.org. File: mantools/postlink.

20070719

	Feature: updated smtp-sink with new options to send a
	pre-formatted message from file, and to handle replies other
	than the expected 2xx or 3xx. File: smtpstone/smtp-source.c.

	Cleanup: Milter client error handling, so that the (Postfix
	SMTP server's Milter client) does not get out of sync with
	Milter applications after the (cleanup server's Milter
	client) encounters some non-recoverable problem.  Files:
	milter/milter8.c, smtpd/smtpd.c.

20070720

	Support for RFC 4954 (SASL AUTH, updates RFC 2554, refines
	some reply codes and introduces DSN enhanced status codes)
	and RFC 3848 ("Received ...  with ESMTPS?A? ...). Currently,
	support for the latter is always on.  Files: smtpd/smtpd.c,
	smtpd/smtpd_sasl_proto.c, smtpd/smtpd_sasl_glue.c.

20070727

	Workaround: the queue manager no longer logs a warning for
	mail sent to the local double-bounce address (normally, the
	this is used as the sender while reporting an undeliverable
	bounce message to the local postmaster).  As of 20070503
	the local double-bounce address is the default sender for
	sender/recipient address verification probes, and it now
	shows up as a spam target. Files: *qmgr/qmgr_message.c.

20070729

	Performance: fix for poor TCP performance for loopback
	(127.0.0.1) connections. Problem reported by Mark Martinec.
	Files: util/vstream.c, util/vstream_tweak.c, milter/milter8.c,
	smtp/smtp_connect.c, smtpstone/*source.c.

20070730

	Bugfix: when a milter replied with ACCEPT at or before the
	first RCPT command, the cleanup server would apply the
	non_smtpd_milters setting as if the message was a local
	submission. Problem reported by Jukka Salmi. Also, the
	cleanup server would get out of sync with the milter when
	a milter replied with ACCEPT at the DATA command. Files:
	cleanup/cleanup_envelope.c, smtpd/smtpd.c, milter/milters.c.

20070811

	Cleanup: unlike smtpd_mumble_restrictions, the Postfix SMTP
	server Milter reject logging did not show the (helo argument,
	sender address, or recipient address) that was being rejected.
	File: smtpd/smtpd.c.

20070824

	Bugfix (introduced snapshot 20070429): the pipe(8) delivery
	agent 'q' flag (quote address local-part) used the same bit
	mask as the 'B' flag (append blank line). Setting one flag
	also turned on the other. File: pipe/pipe.c.

	Feature: specify the 'X' flag to indicate that the pipe(8)
	delivery agent performs final delivery. This changes the
	status in DSN "success" messages from "relayed" into
	"delivered".  File: pipe/pipe.c.

20070904-6

	Feature: stress-adaptive behavior. When a "public" network
	service runs into an "all processes are busy" condition,
	the master(8) daemon logs a warning, restarts the service,
	and runs it with "-o stress=yes" on the command line (normally
	it runs the service with "-o stress=").  This can be used
	to make main.cf parameter settings stress dependent.
	Examples: "smtpd_timeout = ${stress?10}${stress:300}" and
	"smtpd_hard_error_limit = ${stress?1}${stress:20}".  Files:
	master/master_avail.c, master/master_spawn.c, master/master_ent.c.

20070911

	Bugfix (introduced Postfix 2.2.11): TLS client certificate
	with unparsable canonical name caused the SMTP server's
	policy client to allocate zero-length memory, triggering
	an assertion that it shouldn't do such things.  File:
	smtpd/smtpd_check.c.

20070912

	Bugfix (introduced Postfix 2.4) missing initialization of
	event mask in the event_mask_drain() routine (used by the
	obsolete postkick(1) command). Found by Coverity.  File:
	util/events.c.

20070917

	Workaround: the flush daemon forces an access time update
	for the per-destination logfile, to prevent an excessive
	rate of delivery attempts when the queue file system is
	mounted with "noatime".  File: flush/flush.c.

20070923

	Cleanup: don't complain when a "corrupt" queue file is
	deleted before it can be saved to the "corrupt" queue.
	Files: *qmgr/qmgr_active.c.

20071003

	Logging: the Postfix SMTP server now logs the number of
	bytes received after the DATA command when a connection
	breaks before mail delivery completes.  This may help finding
	the cause of the problem: packet loss, MTU, or other. File:
	smtpd/smtpd.c.

20071004

	Logging: all daemons now log the TCP port number of remote
	SMTP or QMQP clients.  The information is overruled with
	the SMTP XCLIENT command, is propagated through SMTP-based
	content filters with XFORWARD, and is sent to Milter
	applications.  Files: smtpd/smtpd_peer.c, smtpd/smtpd.c,
	smtpd/smtpd_proxy.c, smtpd/smtpd_milter.c, qmqpd/qmqpd_peer.c,
	cleanup/cleanup_milter.c, *qmgr/qmgr_message.c,
	*qmgr/qmgr_deliver.c, smtp/smtp_proto.c, pipe/pipe.c,
	global/deliver_request.c, global/deliver_pass.c,
	proto/XFORWARD_README, proto/XCLIENT_README.

	Feature: per-command delays in smtp-sink. File:
	smtpstone/smtp-sink.c.  Victor Duchovni.

20071006

	Cleanup: updated a bunch of hard-coded host[addr] logging
	statements. Files: smtpd/smtpd.c, smtpd/smtpd_chat.c,
	smtpd/smtpd_sasl_glue.c.

	Cleanup: client port logging is now configurable (off by
	default). Parameters: smtpd_client_port_logging and
	qmqpd_client_port_logging. Files: smtpd/smtpd_peer.c,
	qmqpd/qmqpd_peer.c.

	Cleanup: send client port information "0" instead of "unknown"
	to Milter applications. Files: smtpd/smtpd.c, smtpd/smtpd_milter.c,
	cleanup/cleanup_milter.c.

20071025

	Portability: on Linux we no longer need /proc to find out
	local IPv6 interface address information. LaMont Jones.
	Files: util/sys_defs.h.

20071030

	Bugfix (introduced Postfix 2.3): Postfix mistakenly enforced
	the 64kbyte limit (for sending body parts TO Milter
	applications) also while receiving packets FROM Milter
	applications.  The limit is now at least 1GB.  File:
	milter/milter8.c.

20071105

	Feature: ORIGINAL_RECIPIENT environment variable.  Corey
	Hickey. File: local/local.c.

20071108-10

	Feature: general-purpose header/body_checks library module,
	first used in the SMTP client. Actions that change the
	message delivery time or destination can be implemented
	with a simple extension mechanism (they make sense only in
	before-queue filters).  Configuration parameters:
	smtp_header_checks, smtp_mime_header_checks,
	smtp_nested_header_checks, smtp_body_checks. Unlike the
	cleanup server, the mime and nested header checks don't by
	default assume the header_checks value.  Files:
	global/header_body_checks.[hc], smtp/smtp_proto.c,
	smtp/smtp_session.c.

20071110

	Feature: ${original_recipient} command-line macro.  Corey
	Hickey. File: pipe/pipe.c.

	Bugfix (introduced: 20071004) missing exception handling
	in smtp-sink per-command delay feature. Victor Duchovni.
	File: smtpstone/smtp-sink.c.

2007117-20

	Revised queue manager with separate mechanisms for
	per-destination concurrency control and dead destination
	detection.  The concurrency control supports non-integer
	feedback for more gradual concurrency adjustments, and uses
	hysteresis to avoid rapid oscillations.  A destination is
	declared "dead" after a configurable number of pseudo-cohorts
	(number of deliveries equal to a destination's concurrency)
	reports connection or handshake failure. This work began
	with a discussion that Wietse started with Patrik Rak and
	Victor Duchovni late January 2004, and that Victor revived
	late October 2007. To establish a baseline for further
	improvement, Wietse implemented a few simple mechanisms.

	Configuration parameters for debugging, positive/negative
	hysteresis, and positive/negative feedback. Some have since
	been removed or renamed, so no point naming them here.
	Files: global/mail_params.h, qmgr/qmgr_queue.c,
	qmgr/qmgr_deliver.c.

20071121

	Boundary condition: Patrik Rak pointed out that handling
	of negative feedback with concurrency window 1 could
	be improved.

	Feature: support to look up null sender addresses in
	sender-dependent relayhost maps. Parameter name:
	empty_address_relayhost_maps_lookup_key (default; <>).
	Keean Schupke. File: trivial-rewrite/resolve.c.

20071127-9

	Revision 2 of queue manager scheduler interface, allowing
	feedback parameter settings with constants and variables
	such as 1/8 or 1/concurrency.  Some experimental parameters
	were removed and others were renamed. The new names are:
	default_destination_concurrency_negative_feedback,
	default_destination_concurrency_positive_feedback,
	default_destination_concurrency_failed_cohort_limit,
	destination_concurrency_feedback_debug.

	Also available are transport-specific overrides:
	<transport>_initial_destination_concurrency,
	<transport>_destination_concurrency_negative_feedback,
	<transport>_destination_concurrency_positive_feedback,
	<transport>_destination_concurrency_failed_cohort_limit.

	Files: global/mail_params.h, *qmgr/qmgr.c, *qmgr/qmgr_transport.c,
	*qmgr/qmgr_queue.c, *qmgr/qmgr_feedback.c, postconf/auto.awk.

20071202

	Feature: output rate control. For example, specify
	"smtp_destination_rate_delay = 5m" to insert a five-minute
	delay between deliveries. This was an opportunity to define
	the mutually exclusive states that a queue can have, and
	to detect invalid transitions.  This will make adding new
	features code easier.  Files: *qmgr/qmgr_transport.c,
	*qmgr/qmgr_queue.c, *qmgr/qmgr_entry.c.

	Bugfix (introduced Postfix 2.2): don't update the back-to-back
	delivery time stamp while deferring mail. File: *qmgr/qmgr_entry.c.

20071203

	Feature: support for read-write tables in the proxymap
	service. This is implemented with a separate master.cf entry
	named "proxywrite" that should run with process limit of 1
	if you want to update Berkeley DB like tables. This feature
	requires that tables be authorized with the proxy_write_maps
	configuration parameter. Files: global/dict_procy.[hc],
	proxymap/proxymap.c.

	Human factors: the postmap and postalias commands now produce
	nicer diagnostics when asked to do something with a proxied
	map that they can't do. Files: postmap/postmap.c,
	postalias/postalias.c.

	Bugfix: the proxymap client didn't properly propagate user
	options to the proxymap server.  File: util/dict.h.

	Workaround: force synchronous updates in the proxymap server
	so that maps will be in a consistent state between updates.
	File: proxymap/proxymap.c.

	Bugfix: an empty rate-limited queue wasn't removed after
	timer expiry. Files: *qmgr/qmgr_queue.c.

20071204

	Use different sockets for proxymap (read-only) and proxywrite
	(read-write) services in the proxy: client. Victor Duchovni.
	File: global/dict_proxy.c.

	Feature: proxymap delete support by Victor Duchovni.  Files:
	global/dict_proxy.c, proxymap/proxymap.c.

	Feature: proxymap delete support. Files: postmap/postmap.c
	postalias/postalias.c.

	Cleanup: the Postfix sendmail command did not include the
	user (name/uid) information in all error messages. File:
	sendmail/sendmail.c.

	Feature: data_directory configuration parameter for
	Postfix-writable data such as caches and random numbers.
	Files: postfix-install, conf/postfix-files.

20071206

	Security: tlsmgr(8) and verify(8) no longer use root
	privileges when opening their cache files. This avoids a
	potential security loophole where the ownership of a file
	(or directory) does not match the trust level of the content
	of that file (or directory). See RELEASE_NOTES for how to
	use pre-existing data. Files: util/set_eugid.[hc],
	tlsmgr/tlsmgr.c, verify/verify.c.

	Compatibility: as a migration tool, redirect attempts by
	tlsmgr(8) or verify(8) to open files in non-Postfix directories
	to the Postfix-owned data_directory. File: global/data_redirect.c.

	Lots of pathname fixes in the examples of TLS_README and
	postconf(5); -lm library screw-up in queue manager Makefiles.

20071207

	Cleanup: pathname fixes in documentation; unnecessary queue
	scan in the queue manager rate limiter; inverse square root
	feedback in the queue manager concurrency scheduler.  Files:
	mantools/postlink, proto/TLS_README.html, *qmgr/qmgr_queue.c.

	All changes up to this point should be ready for Postfix 2.5.

	Documentation: updated nqmgr preemptive scheduler documentation
	by Patrik Rak. File: proto/SCHEDULER_README.html.

20071211

	Bugfix (introduced 19980315): the "write" equivalent of
	bugfix 20030104. File: util/vstream.c.

20071212

	Feature: "stress=" or "stress=yes" attribute in the SMTPD
	policy delegation protocol. File: smtp/smtpd_check.c.

	Cleanup: allow_min_user now rejects recipients (and senders)
	starting with '-' at SMTP session time. To make this possible
	the feature was moved from qmgr(8) to trivial-rewrite(8).
	Files: *qmgr/qmgr_message.c, trivial-rewrite/resolve.c.

20071213:

	Cleanup: the queue manager and SMTP client now distinguish
	between connection cache store and retrieve hints. Once the
	queue manager enables connection caching (store and load)
	hints on a per-destination queue, it keeps sending connection
	cache retrieve hints to the delivery agent even after it
	stops sending connection cache store hints.  This prevents
	the SMTP client from making a new connection without checking
	the connection cache first. Victor Duchovni.  Files:
	*qmgr/qmgr_entry.c, smtp/smtp_connect.c.

	Bugfix (introduced Postfix 2.3): the SMTP client never
	marked corrupt files as corrupt. Victor Duchovni. File:
	smtp/smtp_proto.c.

	Cleanup: the SMTP client won't mark a destination as
	unavailable when at least one SMTP session was completed
	without connect or handshake error. Victor Duchovni. Files:
	smtp/smtp_connect.c, smtp/smtp_session.c, smtp/smtp_proto.c,
	smtp/smtp_trouble.c.

20071215

	Documentation and code cleanup. Files: global/deliver_request.h,
	*qmgr/qmgr_entry.c, smtp/smtp_connect.c,
	proto/SCHEDULER_README.html.

	Bugfix (introduced snapshot 20071006): qmqpd ignored the
	qmqpd_client_port_logging parameter setting. File:
	qmqpd/qmqpd.c.

20071216

	Cleanup: show the remote SMTP server port in verbose logging,
	warnings and postmaster notices.  Still don't show the port
	in delivery status notifications. Files: smtp/smtp_chat.c,
	smtp/smtp_sasl_glue.c, smtp/smtp_sasl_proto.c.

	The "tls_require_cert" is now compatible with OpenLDAP 2.1
	and later. Victor Duchovni. Files: proto/ldap_table,
	global/dict_ldap.c.

20071218

	Cleanup: removed the "#ifdef USE_LIBMILTER_INCLUDES"
	dependencies on system-installed Milter protocol include
	files. Verified that the object code has not changed. File:
	milter/milter8.c.

	Sanity check: idiot filter to detect attempts to use the
	same database file for different TLS session caches.  File:
	tlsmgr/tlsmgr.c.

	Cleanup: updated the spell check stoplist and the spell
	check script. Files: mantools/spell, proto/stop.

	Cleanup: replaced documentation references to xxgdb by ddd.
	The xxgdb program hasn't been updated in more than 10 years.
	Files: proto/postconf.proto, conf/main.cf.

20071219-20

	Feature: support for all new Sendmail 8.14 Milter features
	except SMFIR_SKIP (skip further events of this type),
	SMFIP_RCPT_REJ (report rejected recipients to the mail
	filter), SMFIR_CHGFROM (replace sender, with optional ESMTP
	command parameters), and SMFIR_ADDRCPT_PAR (add recipient,
	with optional ESMTP command parameters). Files: milter/milters.c,
	milter/milter8.c, milter/test-milter.c, cleanup/cleanup_milter.c.

20071221

	Feature: support for Sendmail 8.14 Milter SMFIR_SKIP (skip
	further events of this type). Files: milter/milter8.c,
	milter/test-milter.c.

	Cleanup: don't try sending HELO after a 421 EHLO reply.
	File: smtp/smtp_proto.c.

20071221-nonprod

	Using 20071221 as reference point.

	Cleanup: Simplified TLS library cipher and protocol API to
	just pass string-valued properties to tls_client_init() and
	tls_client_start(). The client is now agnostic of the
	mechanics of cipher management internal to the library. The
	main.cf parameters used internally in the library are now
	loaded by the library, not the caller. Files:
	src/smtp/lmtp_params.c, src/smtp/smtp.c, src/smtp/smtp.h,
	src/smtp/smtp_params.c, src/smtp/smtp_proto.c,
	src/smtp/smtp_session.c, src/smtpd/smtpd.c, src/tls/tls.h,
	src/tls/tls_client.c, src/tls/tls_level.c, src/tls/tls_misc.c,
	src/tls/tls_server.c, src/tls/tls_session.c, src/tls/tls_verify.c
	and src/tlsmgr/tlsmgr.c

	Cleanup: Client session lookup key "salting" is now handled
	internally in the tls library. Files: src/tls/tls_client.c

	Cleanup: Cipher state is cached, and only updated when
	necessary.  Files: src/tls/tls_misc.c

	Feature: Extended the syntax of protocol selection to allow
	exclusions as well as inclusions. Files: src/tls/tls_misc.c

	Cleanup: Updated default verification depth to match reality:
	default is 9 in OpenSSL and we don't yet override it.  When
	we do (soon), the default will match previous behavior.
	Files: src/global/mail_params.h

	Bugfix: Reference to obsolete "pfixtls" code won't compile
	inside #ifdef for OpenSSL <= 0.9.5a. Using an OpenSSL release
	that old has not been tested for some time, but may now
	work. Files: src/tls/tls_bio_ops.c.

	Replaced "void *" TLS library application handles by explicit
	pointer types, while hiding data structure implementation
	details from the TLS library users. Files: tls/tls_client.c,
	tls/tls_server.c, smtp/smtp.c, smtpd/smtpd.c.

	The TLS library no longer modifies VSTRINGs passed in by
	the caller. Where possible, information is passed as "const"
	from application to library. Files: smtp/smtp_proto.c,
	tls/tls_client.c.

20071227-nonprod

	Replaced explicit initialization of props structures by
	emulating function calls with named parameter lists.  Files:
	tls/tls.h, smtp/smtp.c, smtp/smtp_proto.c, smtpd/smtpd.c.

20071222

	Further polishing of the Milter code and logging. File:
	milter/milter8.c.

20071123

	Further polishing of the Milter code. With SETSYMLIST, each
	Milter can now update its own macros instead of clobbering
	the global copy that is shared with other Milters. Also an
	opportunity to clean up some ad-hoc code for sending macro
	lists from smtpd(8) to cleanup(8). Files: milter/milter.c,
	milter/milter8.c, milter/milter_macros.c.

20071224

	Further polishing of the Milter code. Eliminated unnecessary
	steps from the initial smtpd/cleanup Milter handshake. Files:
	milter/milter.c, milter/milter8.c, milter/milter_macros.c.

	Cleanup: name_code(3) and name_mask(3) now support read-only
	tables. Files: util/name_code.[hc], util/name_mask.[hc].

20071227

	Cleanup: further refinements of the Milter code, allowing
	for multiple macro overrides. The code is now ready for
	serious testing. File: milter/milter8.c.

20071229

	Bugfix: the Milter client did not replace the Postfix-specific
	form for unknown host names by the Sendmail-specific form.
	File: milter/milter8.c.

	Cleanup: when a cleanup milter reports a problem don't log
	generic "4.3.0 Sevice unavailable", but log the text for
	the actual error. File: cleanup/cleanup_milter.c.

20080102-nonprod

	SMTP client fingerprint security level support and configurable
	fingerprint digest algorithm. Victor Duchovni. Files:
	smtp/lmtp_params.c, smtp/smtp.c, smtp/smtp.h,
	src/smtp/smtp_params.c, src/smtp/smtp_proto.c,
	src/smtp/smtp_session.c, tls/tls_client.c, tls/tls_level.c,
	tls/tls_verify.c.

20080103-nonprod

	Missed "invalid TLS configuration" patch for SMTP client.
	Victor Duchovni. File: smtp/smtp_proto.c.

	SMTP server configurable fingerprint digest algorithm.
	Victor Duchovni. Files: smtpd/smtpd.c, tls/tls.h,
	tls/tls_server.c, tls/tls_verify.c.

20080104-nonprod

	Cleanup: finally implemented certificate verification depth
	limit parameters. Prior to Postfix 2.5 these were ignored.
	For backwards compatibility, the default verification depth
	limit is now 9, the OpenSSL default. Victor Duchovni. Files:
	src/tls/tls_client.c, src/tls/tls_server.c, src/tls/tls_verify.c.

	Robustness: Avoid possibility of NULL pointer issues in
	application code that checks certificate names, by providing
	"empty string" values when no data is available.  Victor
	Duchovni.  Files: src/tls/tls_verify.c, src/tls/tls_client.c,
	src/tls/tls_server.c, src/smtpd/smtpd_check.c, src/smtpd/smtpd.c.

	Cleanup: separation of TLS handshake from security level
	enforcement. The library shakes hands; the application
	decides if the resulting security is acceptable. Victor
	Duchovni.  Files: smtpd/smtpd.c, smtpd/smtpd_proto.c,
	tls/tls_server.c, tls/tls_client.c, tls/tls_verify.c.

	Robustness: more robust processing of ASN.1 string attributes
	in x509v3 certificates, plus additional sanity checks (e.g.
	embedded null characters). Victor Duchovni. File:
	src/tls/tls_verify.c.

20080104

	Workaround: minor change to the Dovecot AUTH request to
	prevent dovecot-auth memory wastage. Timo Sirainen.  File:
	xsasl/xsasl_dovecot_server.c.

20080105-nonprod

	Cleanup: renamed TLS-related symbols for consistency (always
	include the init, start, stop prefix in the TLS library
	function and data structure names; consistently distinguish
	between per-application TLS state and per-session TLS state;
	consistently use the fpt prefix for fingerprint related
	variables and structure members; consistent use of monocase
	typedef-ed names).

20080106-nonprod

	Cleanup: consistent use of <pre> and <blockquote> in examples;
	instead of emphasizing new Postfix 2.5 behavior in reference
	documentation, describe the new behavior as "current", with
	historical behavior as a supplemental note.

20080107

	Feature: new "pass" service type (in addition to "inet",
	"unix" and "fifo").  The "pass" service type supports
	front-end daemons that accept all inbound connections and
	that permit only well-behaved clients to talk to the MTA.
	This service type had been sitting in the master daemon for
	years but was disabled by default.  Actual applications for
	this will have to be developed later.  Files: util/upass_connect.c,
	util/upass_trigger.c.

20080108

	Cleanup: where possible, store data structures in read-only
	memory. Besides the security advantage of no write access,
	this also gives slightly better memory utilization when
	many processes execute the same file. Files: pretty much
	everything that has a static table, except for a few tables
	in the benchmark tools with flags that are controlled by
	command-line information.

20080109

	Cleanup: more read-only data. Files: everything that passes
	around a HEADER_OPTS pointer.

20080112

	Safety: optional lookup table to prevent the Postfix SMTP
	client from making repeated SASL login failures with the
	same hostname, username and password.  This introduces new
	parameters: smtp_sasl_auth_cache_name, smtp_sasl_auth_cache_time.
	Based on code by Keean Schupke.  Files: smtp/smtp_sasl_glue.c,
	smtp/smtp_sasl_auth_cache.c.

	Safety: the Postfix SMTP client now by default defers mail
	after the server rejects a SASL login attempt with a 535
	status code.  Specify "smtp_sasl_auth_soft_bounce = no" to
	get the earlier behavior.  Based on code by Keean Schupke.
	Files: smtp/smtp_sasl_glue.c.

20080114

	Safety: the smtpd_client_new_tls_session_rate_limit setting
	now also limits the number of failed TLS handshakes. This
	limits the impact of broken configurations. File: smtpd/smtpd.c.

20080115

	Bugfix (introduced 20080112): Patrik Rak found two bugs
	that largely canceled each other out, causing Postfix not
	to complain about a missing "proxy:" prefix with the new
	smtp_sasl_auth_cache_name parameter setting. File:
	smtp/smtp_sasl_glue.c.

	Documentation: new SOHO_README file for small/home offices.
	The text is automatically generated from bits and pieces of
	information that are scattered across other documents.
	File: mantools/make_soho_readme.

20080116

	Bugfix (introduced 20080112): missing #ifdef for the SASL
	login failure cache. File: smtp/smtp_sasl_auth_cache.h.

20080123

	Name fix: renamed the mumble_delivery_rate_delay parameter
	to mumble_destination_rate_delay, because it really is a
	per-destination feature. With this change we keep the option
	of implementing a future per-transport rate delay.

20080125

	Bugfix (introduced 20071216): missing {} in the LDAP client
	broke OpenLDAP TLS.  The setting tls_require_cert=no was
	further broken because Postfix used OpenLDAP incorrectly.
	Victor Duchovni.  This broke tls_require_cert=no File:
	global/dict_ldap.c.

20080126

	Cleanup: the post-install script now requires that it is
	invoked via the postfix(1) command. This was the intended
	use since Postfix 2.1, but it was never enforced.  The
	documentation for package maintainers has been updated
	accordingly. File: conf/post-install.

20080130

	Bugfix (introduced 20071204): wrong proxywrite process limit
	in the default master.cf file.  File: conf/master.cf.

20080131

	Bugfix (introduced 20080126): the new "do not execute
	directly" test in post-install got broken during code
	cleanup.  File: conf/post-install.

20080201

	Workaround: undo the changes that require that post-install
	is invoked via the postfix command, because this breaks
	when "postfix start" is invoked with an obsolete postfix
	command that doesn't export the new data_directory parameter.

	Workaround: pick up a missing data_directory setting from
	main.cf when "postfix start" is invoked with an obsolete
	postfix command. File: conf/post-install.

20080207

	Cleanup: soft_bounce support for multi-line Milter replies.
	File: src/milter/milter8.c.

	Cleanup: preserve multi-line format of header/body Milter
	replies. Files: cleanup/cleanup_milter.c, smtpd/smtpd.c.

	Cleanup: multi-line support in SMTP server replies.  File:
	smtpd/smtpd_chat.c.

	SAFETY: postfix-script, postfix-files and post-install are
	moved away from /etc/postfix to $daemon_directory. There
	were too many accidents where people clobbered these files
	with versions from an older Postfix release and ended up
	with an unusable Postfix setup.  Files: postfix-install,
	Makefile.in, postfix/postfix.c, conf/postfix-files,
	conf/postfix-script, conf/post-install.

20080212

	Feature: check_reverse_client_hostname_access, to make
	access decisions based on the unverified client hostname.
	For safety reasons an OK result is not allowed.  Noel Jones.
	Files: smtpd/smtpd_check.c plus header files and documentation.

20080215

	Safety: break SASL loop in case both the SASL library and
	the remote SMTP server are confused. File: smtp/smtp_sasl_glue.c.

20080220

	Safety: the master daemon now sets an exclusive lock on a
	file $data_directory/master.lock, so that the data directory
	can't be shared between multiple Postfix instances.  This
	would corrupt files that rely on single-writer updates
	(examples: verify(8) cache, tlsmgr(8) caches, etc.). File:
	master/master.c.

20080226

	Cleanup: the postfix command did not set argv[0] to a sane
	value when invoking postfix-script. Reported by Victor
	Duchovni. File: postfix/postfix.c.

20080228

	Bugfix: bounce(8) segfault on one-line template text.
	Problem found by Sacha Chlytor. File: bounce/bounce_template.c.

20080310

	Safety: the SMTP server's Dovecot authentication client now
	enforces the SASL mechanism output filter also on client
	command input. File: src/xsasl/xsasl_dovecot_server.c.

20080311

	Bugfix (introduced 20070811): the MAIL and RCPT Milter
	application call-backs no longer received {mail_addr} or
	{rcpt_addr} information. Problem reported by Anton Yuzhaninov.
	File: smtpd/smtpd.c.

	Bugfix (introduced 20080207): "cleanup -v" panic because
	the new "SMTP reply" request flag did not have a printable
	name. File: global/cleanup_strflags.c.

20080318

	Human factors: the PCRE and regexp maps now give more
	comprehensible error messages when people make the common
	mistake of indenting if/endif blocks. Files: util/dict_pcre.c,
	util/dict_regexp.c.

20080324

	Cleanup: the event_drain() function is now a proper event
	processing loop. File: util/events.c

	Feature: when the "postmap -q -" command reads lookup keys
	from standard input, it now understands RFC822 and MIME
	message format. Specify -h or -b to use headers or body
	lines as lookup keys, and specify -hm or -bm to simulate
	header_checks or body_checks.  The postmap -h option (without
	-m) will be compatible with a future postcat -h option.
	File: postmap/postmap.c.

20080411

	Bugfix (introduced Postfix 2.0): after "warn_if_reject
	reject_unlisted_recipient/sender", the SMTP server mistakenly
	remembered that recipient/sender validation was already
	done. File: smtpd/smtpd_check.c.

	Bugfix (introduced Postfix 2.3): the queue manager would
	initialize missing client logging attributes (from xforward)
	with real client attributes. Fix: enable this backwards
	compatibility feature only with queue files that don't
	contain logging attributes. Problem reported by Liviu Daia.
	Files *qmgr/qmgr_message.c.

20080424

	Cleanup: some warning messages said "regexp" or "regexp
	map" instead of "pcre map". File: util/dict_pcre.c.

20080426

	Feature: finer control over address verification error
	handling and amount of information disclosed in the SMTP
	reject message.  Parameters: unverified_recipient_defer_code,
	unverified_recipient_reject_reason, unverified_sender_defer_code,
	unverified_sender_reject_reason. If I don't do this properly,
	then someone will do it anyway. File: src/smtpd/smtpd_check.c.

20080428

	Cleanup: the proxy_read_maps (Postfix 2.0) default setting
	was not updated when adding sender/recipient_bcc_maps
	(Postfix 2.1) and smtp/lmtp_generic_maps (Postfix 2.3).
	File: global/mail_params.h.

	Cleanup: the SMTP server's XFORWARD and XCLIENT support was
	not updated when the smtpd_client_port_logging configuration
	parameter was added. Code by Victor Duchovni. Files:
	smtpd/smtpd.c, smtpd/smtpd_peer.c.

20080508

	Cleanup: delivery status notifications now prepend a
	Return-Path: message header to the returned message.
	File: bounce/bounce_notify_util.c.

20080509

	Bugfix: null-terminate CN comment string after sanitization.
	File: smtpd/smtpd.c.

20080510

	Cleanup: when extracting peer and issuer common name from
	TLS certificates, convert the result into UTF-8, and use
	RFC 2047 encoding when logging these as Received: header
	comment fields. Based remotely on code by Victor Duchovni.
	Files: smtpd/smtpd.c, tls/tls_verify.c.

20080511

	Cleanup: the RFC 2047 encoding of RFC*822 comments is too
	problematic.  The text that explains the problems is as
	long as the code itself.  That is usually a good indication
	that code is not ready for use.  File: smtpd/smtpd.c.

	Cleanup: block non-printable ASCII text in UTF8 encoded TLS
	peer and issuer common names.  File: tls/tls_verify.c.

20080602

	Workaround: avoid watchdog timeout in the local pickup
	daemon when the cleanup server expands a very large virtual
	alias list. Files: master/trigger_server.c, pickup/pickup.c.

20080603

	Workaround: avoid "bad address pattern" errors with non-address
	patterns in namadr_list_match() calls. File: util/match_ops.c.

	Feature: print fsstone elapsed time with sub-second time
	resolution.  Kenji Kikuchi. File: fsstone/fsstone.c.

20080606

	Bitrot: "make test" was broken due to recent changes in
	code and due to recent changes at mail-abuse.org.

20080618

	Add a note to SMTP session transcript email messages that
	other details may be found in the maillog file.  Files:
	smtpd/smtpd_chat.c, smtp/smtp_chat.c.

20080620

	Cleanup: with the "Before-queue content filter", RFC3848
	information was not added to the headers. Carlos Velasco.
	File smtpd/smtpd.c.

20080621

	Cleanup: include unread byte count in the SMTP server's "lost
	connection after DATA (xx bytes)" logging. Files: smtpd/smtpd.c.

20080629

	Bugfix (introduced Postfix 2.2): multiple inconsistencies
	in SASL support after introduction of TLS.  The Postfix
	SMTP server 1) complained about plain-text SASL configuration
	details when SASL was forbidden for plain-text sessions,
	and 2) ignored the smtpd_tls_auth_only parameter setting
	when built without TLS support.  Files: smtpd/smtpd.c,
	smtpd/smtpd_check.c, smtpd/smtpd_sasl_glue.[hc],
	smtpd/smtpd_state.c.

	Some clarification about recipient address versus domain,
	and recipients per message versus session. File:
	proto/postconf.proto.

	The description of SASL authentication attributes was
	garbled.  File: pipe/pipe.c.

	Information: the master(8) server now logs the version
	besides the configuration directory upon "postfix reload".
	File: master/master.c.

20080717

	Cleanup: a poorly-implemented integer overflow check for
	TCP MSS calculation had the unexpected effect that people
	broke Postfix on LP64 systems while attempting to silence
	a compiler warning.  File: util/vstream_tweak.c.

20080721

	The cleanup server now rejects undisclosed_recipients_header
	parameter values with invalid message header syntax.
	File: cleanup/cleanup_message.c.

20080725

	Paranoia: defer delivery when a mailbox file is not owned
	by the recipient. Sebastian Krahmer, SuSE.  Files:
	local/mailbox.c, virtual/mailbox.c.

20080804

	Bugfix: dangling pointer in vstring_sprintf_prepend().
	File: util/vstring.c.

20080814

	Security: some systems have changed their link() semantics,
	and will hardlink a symlink, contrary to POSIX and XPG4.
	Sebastian Krahmer, SuSE. File: util/safe_open.c.

	The solution introduces the following incompatible change:
	when the target of mail delivery is a symlink, the parent
	directory of that symlink must now be writable by root only
	(in addition to the already existing requirement that the
	symlink itself is owned by root).  This change will break
	legitimate configurations that deliver mail to a symbolic
	link in a directory with less restrictive permissions.

20080815

	Feature: the milter_default_action parameter now accepts
	the "quarantine" action. This works like "accept" but also
	freezes the mail in the "hold" queue. File: milter/milter8.c.

	Robustness: transition from setjmp()/longjmp() to the signal
	mask saving/restoring versions sigsetjmp()/siglongjmp().
	These functions have been around for 15 years, but they
	have had bugs on supported platforms, so makedefs tests for
	them.  Files: makedefs, util/sys_defs.h, util/vstream.h.

20080822

	Cleanup: the proxymap_service_name and proxywrite_service_name
	parameters make the proxymap service names configurable.
	This paves the way for a future option where the proxymap
	services are accessible via TCP so that they can be shared
	among multiple Postfix hosts.  File: global/dict_proxy.c.

	Feature: MacOS X support for kqueue style event handling,
	with workaround for broken MacOS X versions.  Files:
	util/sys_defs.h, makedefs.

	Cleanup: the makedefs script now keeps its test programs
	in a directory makedefs.d, instead of inlining them as
	fragile "here documents". Files: makedefs, makedefs.d/*.

20080823

	Feature: IPv6 dns blocklist lookup. File: smtpd/smtpd_check.c.

20080824

	Cleanup: untangled the MacOS X version dependent sections
	in the makedefs script, to make future updates easier. File:
	makedefs.

	Cleanup: don't log multiple Milter "hold" actions for the
	same email message. File: cleanup/cleanup_milter.c.

20080826

	Cleanup: moving test programs from makedefs into a makedefs.d
	directory brought more pain than gain.

	Cleanup: untangled the Linux version dependent sections in
	the makedefs script, to make future updates easier. File:
	makedefs.

	Documentation: MacOS process limit configuration by Quanah
	Gibson-Mount.  File: proto/TUNING_README.html.

	Feature: smtp-sink -M option to terminate after receiving
	a specified number of messages. Laurent Gentil. File:
	smtpstone/smtp-sink.c.

	Bugfix (introduced Postfix 2.4): epoll file descriptor leak.
	With Postfix >= 2.4 on Linux >= 2.6, Postfix has an epoll
	file descriptor leak when it executes non-Postfix commands
	in, for example, user-controlled $HOME/.forward files.  A
	local user can access a leaked epoll file descriptor to
	implement a denial of service attack on Postfix. Data
	confidentiality and integrity are not affected.  File:
	util/events.c.

20080903

	Don't enable kqueue (which requires poll) support on
	MacOS X. File: makedefs.

	Cleanup: remove obsolete Rhapsody and MacOS targets from
	makedefs.

20080929

	Workaround: don't log "file has 2 links" warnings when the
	condition appears to be temporary. As kernels have evolved
	from non-interruptible system calls towards fine-grained
	locks, the showq command has become likely to observe a
	file while the queue manager is in the middle of a rename
	operation, when the file has links to both the old and new
	name.  File: global/mail_open_ok.c.

	Workaround: don't loop forever when write() fails with a
	persistent EAGAIN error on a writable file descriptor.
	File: util/write_buf.c.

20081003

	Bugfix (introduced Postfix 2.1): when XFORWARD support was
	introduced with Postfix 2.1, the specification failed to
	clearly distinguish between missing and non-existent client
	information. This ambiguity affected the implementation:
	in $name expansions by delivery agents, unknown client
	hostnames could became empty strings (as if a submission
	was local), and local submissions could appear to originate
	from an SMTP-based content filter.  This was fixed with a
	a minor semantic change to the XFORWARD protocol.  Files:
	smtpd/smtpd.c, qmqpd/qmqpd.c, smtp/smtp_proto.c,
	cleanup/cleanup_envelope.c, proto/XFORWARD.html. Note: the
	changes to propagate local submission details were undone
	20082012.

	Feature: a DUNNO lookup result in per_sender_relayhost_maps
	stops the search without replacing the next-hop destination.
	File: trivial-rewrite/resolve.c.

20081005

	Bugfix: further refinements to the handling of missing or
	non-existent remote client attributes. Files: smtpd/smtpd.c,
	smtpd/smtpd.h.

	Documentation: the XFORWARD specification of the ADDR
	attribute did not agree with the actual on-the-wire protocol.
	Since we can't change already existing deployments, the
	spec has been updated. File: proto/XFORWARD_README.html.

20081006

	Bugfix: further refinements to the handling of remote client
	attributes.  Introduced a dummy "we have forwarded client
	info" record, to eliminate the need for the backwards
	incompatible queue file change that was introduced 20081003.
	Files: smtpd/smtpd.c, cleanup/cleanup_envelope.c,
	*qmgr/qmgr_message.c.

	Security: hardened the proxymap client, in case it ever
	ends up in a set-gid program. File: global/dict_proxy.c.

20081007

	Workaround: undo the proxymap client change. It broke
	chrooted servers when they attempted to reconnect to the
	proxy read/write service. File: global/dict_proxy.c.

20081008

	Safety: added checks that $queue_directory/pid is owned by
	root, and that $queue_directory/saved is owned by $mail_owner.
	File: conf/postfix-script.

20081010

	Feature: controls for opportunistic TLS protocols and
	ciphers. The smtp_tls_protocols, smtp_tls_ciphers, and
	equivalent parameters for lmtp and smtpd provide global
	settings; the SMTP client TLS policy table provides ciphers
	and protocols settings for specific peers.  Code by Victor
	Duchovni. Files: smtp/smtp.c, smtp/smtp_session.c, smtpd/smtpd.c
	and documentation.

20081012

	Cleanup: simplify the 20081003 changes and don't try to
	propagate local submission information through XFORWARD.
	Files: smtpd/smtpd.c, qmqpd/qmqpd.c, smtp/smtp_proto.c,
	cleanup/cleanup_envelope.c, proto/XFORWARD.html.

20081015

	Bugfix: GLIBC API version detection. Rob Foehl. File:
	util/sys_defs.h.

20081022

	Documentation: removed inapplicable daemon_timeout reference
	from qmgr(8), oqmgr(8), pickup(8). These daemons need to
	use a much shorter watchdog timer.

20081108

	Feature: smtp_sasl_tls_verified_security_options is no
	longer #ifdef SNAPSHOT.

	Feature: elliptic curve support. This requires OpenSSL
	version 0.9.9 or later. Victor Duchovni. Files: TLS_README,
	smtpd/smtpd.c, smtp/smtp.c, tls/tls_dh.c, tls/tls_certkey.c,
	tls/tls_server.c, tls/tls_client.c, tls/tls.h, tls/tls_misc.c.

	Bugfix (introduced Postfix 2.5): the Postfix SMTP server
	did not ask for a client certificate with "smtpd_tls_req_ccert
	= yes". Reported by Rob Foehl. File: smtpd/smtpd.c.

20081109

	Cleanup: confusing names of variables. File: smtpd/smtpd.c.

20081126

	Documentation: pcre_table(5) incorrectly claimed that the
	'x' flag supports #comment after text. File: proto/pcre_table.

20081202

	Cleanup: vstream_bufstat() provides a more systematic
	approach to get information about VSTREAM buffers. The
	vstream_peek() function is now a backwards compatibility
	wrapper.  Files: util/vstream.[hc].

	Cleanup: the SMTP server should warn about "lost connection
	after QUIT" only when the "." reply was pipelined together
	with the "QUIT" reply. File: smtpd/smtpd.c.

	Cleanup: the SMTP client's code was duplicating buffer
	management that was already done in the VSTREAM module.
	File: smtp/smtp_proto.c.

20081203

	Cleanup: adjust the VSTREAM buffer strategy when reusing
	an SMTP connection with a large TCP MSS value. File:
	smtp/smtp_reuse.c.

20081204

	Cleanup: state the SMTP client PIPELINING implementation's
	dependency on monotonic VSTREAM buffer size behavior, and
	add some checks for boundary cases with VSTREAM buffer size
	change requests. Files: util/vstream.c, smtp/smtp_proto.c.

20081205

	Fix 20081202 flush code. Victor Duchovni. File: smtpd/smtpd.c.

	Safety: add another check to "postfix check", in this case
	for group or other writable queue_directory. File:
	conf/postfix-script.

20081217

	Debugging: ad-hoc code to log the TLS error stack after
	VSTREAM read/write error.  File: tls/tls_bio_ops.c. In a
	better implementation, each I/O "object" would provide an
	optional error reporting method (besides timed_read and
	timed_write) that could be queried via the vstream module.

20081222

	Documentation: log the "*" pattern as the last transport
	map lookup. File: proto/transport.

20090103

	Documentation: rewrote NFS_README, to clarify the support
	status of Postfix and NFS, and to describe the NFS workarounds
	that Postfix actually implements.

20090106

	Feature: "postconf -# parametername ..." to comment out
	named parameter entries. Victor Duchovni.  File:
	postconf/postconf.c.

20090107

	Library: edit_file(3) module for cooperative editing of a
	file. Inspired by the postconf command, this creates a new
	version under a deterministic temporary name and renames
	it into place. The implementation uses an open/lock/stat
	protocol before updating the new file, and rename/unlock/close
	afterwards.  Based on pieces of code by Victor Duchovni,
	with minor improvements by Wietse.  Files: util/edit_file.[hc].

	Cleanup: the postconf command now uses the edit_file(3)
	module to manage collisions when multiple processes attempt
	to update the main.cf file.

20090108

	Feature: master_service_disable parameter (default: empty)
	to easily turn off/on master.cf services by type or by name
	and type. For example, to turn off the main SMTP listener
	use "master_service_disable = smtp.inet", and to turn off
	all TCP/IP listeners use "master_service_disable = inet".
	This immediately terminates all processes that provide the
	specified services. The master_service_disable feature does
	not distinguish services by their privacy property; some
	day, clients will not need to specify that anymore.  Files:
	global/mail_params.h, master/master.c, master/master_vars.c,
	master/master_ent.c.

	Bugfix (introduced May 19, 1997): removing a parameter
	setting from main.cf did not reset the parameter to its
	default value. This was a problem only in the master daemon.
	File: global/mail_conf.c, master/master_vars.c.

20090109

	Cleanup: "defer" action in access maps, and a corresponding
	access_map_defer_code parameter. No idea what was behind
	this omission.  Files: global/mail_params.h, smtpd/smtpd.c,
	smtpd/smtpd_check.c, proto/access.

	Workaround: specify "tcp_windowsize = 65535" (or less) to
	work around broken TCP window scaling implementations.  This
	is perhaps easier than collecting tcpdump output and tuning
	kernel parameters by hand.  See RELEASE_NOTES for how to
	change this setting without stopping Postfix.  Files:
	util/inet_connect.c, inet_listen.c, global/mail_params.[hc].

20090110

	Cleanup: create separate code modules for TCP window size
	handling, master.cf service name matching, and main.cf
	change monitoring.  Files: util/inet_windowsize.c,
	global/match_service.c, master/master_watch.c.

	Feature: TCP window size override for the Postfix SMTP/LMTP
	client, and for the smtp-source and smtp-sink test programs.
	Files: smtp/smtp_connect.c, smtpstone/smtp-source.c,
	smtpstone/smtp-sink.c.

20090114

	Bugfix: VERP now uses the Postfix original recipient, if
	available, because that is what the VERP consumer expects.
	Files: *qmgr/qmgr_deliver.c, bounce/bounce_notify_verp.c.

	Safety: extra check for broken third-party patches that
	allow file size limit < message size limit. This can cause
	mail to be stuck in the queue forever.

	Invisible change, in preparation for multi-instance support.
	Except for main.cf and master.cf, all files are optional
	for non-default Postfix configuration directories. File:
	conf/postfix-files.

20090115

	Cleanup: rewrote the 20090114 VERP bugfix, to replace code
	that "works" by code that is "right". Files: *qmgr/qmgr_deliver.c,
	bounce/bounce_notify_verp.c, global/verp_sender.c.

20090118

	Documentation: some URLs to enable/disable client-side TLS
	jumped into the middle of an enumeration.  File:
	proto/TLS_README.html.

20090119-21

	Feature: multi-instance manager plug-in API.  A sample
	multi-instance manager with instructions is available as
	$daemon_directory/postfix-wrapper. The plug-in API itself
	is described in postfix-wrapper(5).  Files: postfix/postfix.c,
	global/mail_params.[hc], proto/postfix-wrapper,
	conf/postfix-wrapper, conf/postfix-script, conf/postfix-files.

	Support to check/update shared files only in the context
	of the default Postfix instance. Files: conf/post-install,
	conf/postfix-script.

20090122

	Refinements: the multi-instance manager always replaces
	"start" by "check" when a Postfix instance is multi-instance
	disabled, so that problems will still be reported; polish
	documentation; delete unnecessary multi_instance_order
	parameter.  Files: conf/postfix-wrapper, proto/postfix-wrapper,
	global/mail_params.[hc] and documentation.

	Bugfix: the data_directory was not automatically created!
	File: conf/postfix-files.

20090123

	More little fixes in the "trivial but useful" postfix-wrapper
	including instructions. It's ready for testing in the field.
	File: conf/postfix-wrapper.

20090125

	Documentation: more precise description of multi-instance
	manager API, and minor edits of the example program. Files:
	conf/postfix-wrapper, proto/postfix-wrapper.

20090208

	Cleanup: enable multi-instance shared-file logic only when
	the instance is listed in multi_instance_directories.  Files:
	conf/post-install, conf/postfix-script.

20090210

	Feature: specify "reject_tempfail_action = defer" to
	immediately defer a remote SMTP client request after a
	reject-type restriction fails with a temporary error.  Based
	on code by Rob Foehl. File: smtpd/smtpd_check.c.

	Feature: finer control of reject_tempfail_action with
	unknown_address_tempfail_action, unverified_sender_tempfail_action
	unverified_recipient_tempfail_action, and
	unknown_helo_hostname_tempfail_action. See documentation
	for details.  File: smtpd/smtpd_check.c.

20090211

	Workaround: pass the SMTP server socket's local and remote
	peer address information to the Dovecot authentication server.
	This is incomplete code: it ignores XCLIENT server address
	overrides.  File: xsasl/xsasl_dovecot_server.c.

20090212

	Testing revealed that with mumble_tempfail_action=defer,
	the "defer" action was ignored.  Cause: the DEFER_IF_PERMIT[0-9]
	macros lost the SMTPD_CHECK_REJECT result value.  File:
	smtpd/smtpd_check.c.

	Feature: stress-dependent smtpd_timeout (normal: 300s,
	overload: 10s), smtpd_hard_error_limit (normal: 20, overload:
	1) and smtpd_junk_command_limit (normal: 100, overload: 1).
	Files: global/mail_params.h, global/mail_conf_nint.c,
	master/*_server.c, smtpd/smtpd.c.

20090213

	Fine tuning: don't enforce smtpd_junk_command_limit for
	XCLIENT and XFORWARD commands.  These commands can be issued
	only by authorized clients. File: src/smtpd/smtpd.c.

20090215

	Feature: the Postfix SMTP server hangs up after replying
	with "521". This makes overload handling more effective.
	See also RFC 1846.  File: smtpd/smtpd.c.

	Feature: postmulti mult-instance manager command, very
	lightly tested. The MULTI_INSTANCE_README still needs to
	be proofread.  Originally by Victor Duchovni.  Files:
	src/postmulti/*, proto/MULTI_INSTANCE_README.html,
	conf/postmulti-script.

20090216-24

	Cleanup: assorted code cleanups in postmulti.  File:
	src/postmulti/postmulti.c.

20090223

	Cleanup: multiple instances of the same global.  Files:
	util/inet_windowsize.c, util/inet_listen.c.

20090228

	Cleanup: the Postfix SMTP server now maintains a per-session
	"improper command pipelining detected" flag. This flag can
	be tested at any time with reject_unauth_pipelining, and
	is raised whenever a client command is followed by unexpected
	commands or message content.  Files: smtpd/smtpd.c,
	smtpd/smtpd_check.c.

	Logging: the Postfix SMTP server now logs the first command
	pipelining transgression as "improper command pipelining
	after <command> from <hostname>[<hostaddress>]".

	Cleanup: after DATA command failure, log "(approximately
	XX bytes)" only if Postfix actually accepted the DATA
	command.  File: smtpd/smtpd.c.

20090303

	Cleanup: word smithing of "sendmail -bv" probe message.
	File: sendmail/sendmail.c.

	Cleanup: OpenLDAP now provides a sane solution for conflicts
	with PAM ldap-over-tls. Victor Duchovni.  File: global/dict_ldap.c.

20090304

	Cleanup: skip over suspended or throttled queues while
	looking for delivery requests. File: *qmgr/qmgr_transport.c.

20090305

	Bugfix: in the "new queue manager", the _destination_rate_delay
	code needed to postpone the job scheduler updates after
	delivery completion, otherwise the scheduler could loop on
	blocked jobs.  Victor & Wietse.  File: qmgr/qmgr_entry.c,
	qmgr/qmgr_queue.c, qmgr/qmgr_job.c.

	Cleanup: report a "queue file write error", instead of
	passing though bogus 2xx replies from proxy filters to SMTP
	clients.  File: smtpd/smtpd_proxy.c.

20090307

	Cleanup: with "lmtp_assume_final = yes", the Postfix LMTP
	delivery agent assumes that delivery is final when talking
	to an LMTP server that announces no DSN support.  Otherwise,
	the Postfix LMTP delivery agent assumes that delivery is
	"relayed", to maintain compatibility with simple LMTP-based
	content filters.  Based on code by Michel Sebastien, ATOS
	Origin.  File: smtp/smtp_rcpt.c.

20090310

	Bugfix: Postfix used mumble_concurrency_failed_cohort_limit
	instead of mumble_destination_concurrency_failed_cohort_limit
	as documented. File: global/mail_params.h.

20090330

	Cleanup: add (Resent-) From:, Date:, Message-ID: or To:
	headers only when clients match $local_header_rewrite_clients.
	Specify "always_add_missing_headers = yes" for backwards
	compatibility.  Adding such headers to remote mail can break
	DKIM signatures that cover headers that are not present.
	File: cleanup/cleanup_message.c.

20090415

	Workaround: to avoid unnecessary "fatal" delivery agent
	exits, delivery agents retry getting a shared lock on a
	queue file.  This is necessary since the queue manager's
	behavior was changed years ago to refill the in-memory
	recipient list before it was completely empty.  File:
	global/deliver_request.c.

	Documentation: updated STRESS_README.

20090416

	Workaround: some AWK implementations have a limit of 10
	output files and lack a working close() function. It is too
	much trouble to find out what systems have this limitation,
	and where, if any, such systems store their XPG4-compatible
	AWK program.  So instead we generate a stream of here
	documents and let the shell split the stream into files.
	File: postconf/extract.awk.

	Documentation: clarification of certificate file usage.
	Victor Duchovni.  Files: proto/postconf.proto,
	proto/TLS_README.html.

	Feature: pass a "TLS is active" flag to the server-side
	SASL support.  Based on code by Timo Sirainen, except that
	the implementation uses an extensible API so that it will
	be less painful to add more attributes in future Postfix
	versions.  Files: xsasl/xsasl.h, xsasl/xsasl_*server.c,
	smtpd/smtpd_sasl_glue.c.

20090417

	Documentation: re-generate READMEs and manpages for updated
	hyperlinks.

	Documentation: missing hyperlinks and missing parameters
	in manpages. File: mantools/postlink, mantools/check-postlink.

20090418

	Cleanup: use the extensible API to pass SMTP client address
	information to the dovecot SASL plugin, and prepare for
	passing server address information. Files: xsasl/xsasl.h,
	xsasl/xsasl_dovecot_server.c, smtpd/smtpd_sasl_glue.c.

	Same extensible API transformation for the SASL client-side
	code to make future extensions less painful. Files:
	xsasl/xsasl.h, xsasl/xsasl*client.c, smtp/smtp_sasl_glue.c.

	More postlink fixes. File: mantools/postlink.

20090419

	Bugfix: don't re-enable SIGHUP if it is ignored in the
	parent. This may cause random "Postfix integrity check
	failed" errors at boot time (POSIX SIGHUP death), causing
	Postfix not to start. We duplicate code from postdrop and
	thus avoid past mistakes.  File: postsuper/postsuper.c.

	Robustness: don't re-enable SIGTERM if it is ignored in the
	parent. Files: postsuper/postsuper.c, postdrop/postdrop.c.

20090422

	Undo delivery agent change 20090415. The queue manager never
	locks a queue file to read additional recipients into memory,
	so if a delivery agent runs into a locked file, then something
	is seriously wrong. File: global/deliver_request.c.

20090424

	Compatibility: the Postfix SMTP client no longer uses the
	obsolete SSLv2 by default for opportunistic encryption.
	This has nothing to do with security (we're willing to send
	plaintext over an unauthenticated connection) but with the
	loss of advanced options that give better performance.
	Victor Duchovni. Files: proto/postconf.proto, global/mail_params.h.

20090426

	Feature: more accurate support for Milter macros {mail_addr}
	and {rcpt_addr}, and new support for Milter macros {mail_host},
	{mail_mailer}, {rcpt_host}, and {rcpt_mailer}.  Files:
	milter/milter.[hc], smtpd/smtpd.[hc], smtpd/smtpd_milter.c,
	smtpd/smtpd_resolve.c.

	Feature: support to report rejected recipients to Milters
	(SMFIP_RCPT_REJ). Postfix reports the event as decribed in
	Sendmail 8.14.0 documentation: {rcpt_mailer} = "error",
	{rcpt_host} = enhanced status code (e.g., "5.7.1"), and
	{rcpt_addr} = reason to reject (e.g., "Relay access denied").
	Files: milter/milter.[hc], milter/milter8.c, smtpd/smtpd.[hc],
	smtpd/smtpd_milter.c.

20090427

	Feature: Milter support for replacing the envelope sender
	and adding recipients (SMFIR_CHGFROM, SMFIR_ADDRCPT_PAR).
	This support currently ignores ESMTP command parameters.
	Files: milter/milter8.c, cleanup/cleanup_milter.c.

20090428

	Compatibility: to make all the new Milter features usable,
	raise the default milter_protocol setting from 2 to 6.
	This has been tested with a Sendmail 8.14 libmilter.
	File: global/mail_params.h.

	Bugfix: don't disable MIME parsing with smtp_header_checks,
	smtp_mime_header_checks, smtp_nested_header_checks or with
	smtp_body_checks. Bug reported by Victor. File: smtp/smtp_proto.c.

	Code cleanups: respect VSTRING invariants by using VSTRING_RESET
	and VSTRING_TERMINATE instead of directly groping the
	underlying character buffer. Files: global/dsn_buf.c,
	milter/milter8.c.

20090507

	main.cf:tls_random_source now defaults to /dev/arandom on
	OpenBSD.  This device was introduced before Postfix development
	began. Files: util/sys_defs.h, global/mail_params.h.

20090510

	Code cleanups: while emulating SMTP client requests for
	Milter applications, use user@domain form addresses as
	required by the SMTP protocol, instead of bare usernames.
	This avoids hard to debug errors from some Milter applications.
	Files: cleanup/cleanup_envelope.c, cleanup/cleanup_extracted.c,
	cleanup/cleanup_addr.c.

20090511

	Code cleanups: don't clobber -o command-line arguments so
	that Linux people can debug daemon command lines more easily.
	Files: master/*server.c.

20090513

	Code cleanups: better parsing of Postfix daemon "-o"
	command-line options, with better error handling.  Files:
	master/*server.c.

20090518

	Documentation: missing dummy entries for lmtp_mumble_checks.
	File: proto/postconf.proto.

20090519

	Bugfix (introduced: Postfix 2.3, but did not cause trouble
	until 20090427).  Queue file corruption with (smtpd_milters
	or non_smtpd_milters) enabled, AND with delay_warning_time
	enabled, AND with short envelope sender addresses (e.g.,
	local submissions with bare usernames, but not bounces).
	The queue file would be corrupted when the delay_warning_time
	record was marked as "done" after sending the "your mail
	is delayed" notice.  File: qmgr/qmgr_message.c.

20090522

	Bugfix (introduced: Postfix 2.3).  The cleanup server
	rejected mail with records of type REC_TYPE_DRCP (recipient
	deleted by Milter), but such records could be present in
	mail re-submitted with "postsuper -r". Found during code
	review. Files: global/record.h, cleanup/cleanup_envelope.c.

20090524

	Feature: new postcat options: -e (print envelope), -h (print
	header), and -b (print body). Specify "postcat -bh" to
	suppress information about envelope records, and "postcat
	-h" to get the message header only. With large messages,
	"postcat -h" is much faster than manually stripping the
	message body from the output. File: postcat/postcat.c.

20090528

	Bugfix (introduced: Postfix 2.6 change 20080629): with
	plaintext sessions, smtpd_tls_auth_only=yes caused spurious
	warnings with reject_authenticated_sender_login_mismatch,
	and broke reject_unauthenticated_sender_login_mismatch and
	reject_sender_login_mismatch.  Based on fix by Victor
	Duchovni. File: smtpd/smtpd_check.c.

20090603

	Cleanup: Postfix 2.3 adopted a file descriptor passing
	workaround for OpenBSD. This workaround was hard-coded for
	all platforms because there were no have adverse effects.
	This is no longer the case: OpenBSD is fixed, and NetBSD
	does not like the workaround. We now default back to the
	non-workaround code and turn on the workaround dynamically.
	Files: util/unix_send_fd.c, unix_recv_fd.c, unix_pass_fd_fix.c.

20090605

	Portability: modern kernels below ancient user-land. File:
	makedefs.

20090606

	Feature: post-Milter header checks, with all actions except
	PREPEND. To enable, specify for example "milter_header_checks
	= pcre:/path/to/file".  Files: cleanup/cleanup_init.c,
	cleanup/cleanup_milter.c, cleanup/cleanup_extracted.c,
	cleanup/cleanup_state.c.

	Bugfix: non-portable command pathname in postmulti-script.

	Safety: "postmulti -e destroy" no longer attempts to remove
	files that are created AFTER "postmulti -e create". Rationale:
	by design, postfix queue/data directories are not trusted;
	actions within those directory trees must not affect files
	outside those those trees (e.g. by symlink race attacks).
	We don't want to be nailed with a bunch of CVEs for unsafe
	pathname handling.  File: conf/postmulti-script.

20090607

	Cleanup: revise milter_header_checks action implementation,
	and avoid redundant logging and work when milter_header_checks
	and Milters make redundant or conflicting decisions. File:
	cleanup_milter.c.

20090614

	Preliminary postscreen triage server for all inbound SMTP
	connections.  This is not a proxy: it rejects bad clients
	and forwards the rest of the connections to a real Postfix
	SMTP server. The initial version does a simple "friend or
	foe" based on whether the client starts talking too soon.
	Decisions are cached, so "good" clients have no overhead.
	File: postscreen/postscreen.c.

	Cleanup: more robust code for receiving file descriptors
	via the "pass" master service protocol.  File:
	util/upass_listen.c.

20090617

	Temporary helper daemon that does parallel DNSBL lookups
	for postscreen(8). It logs successful lookups to the maillog
	file without blocking the client. postscreen(8) will use
	the results in a later non-production version. To enable
	DNSBL lookups, specify "postscreen_dnsbl_sites = name,
	name, etc". and restart postscreen(8) with "postfix reload".
	File: src/dnsblog/dnblog.c.

20090618

	postscreen(8) logging and actions are now documented in the
	postscreen(8) manpage. When a client is listed in DNSBLs
	specified with postscreen_dnsbl_sites, it is no longer
	whitelisted. Instead the number of blocklist hits is logged.
	File: postscreen/postscreen.c.

20090619

	postscreen(8) by default no longer immediately drops
	connections. Specify "postscreen_greet_action = drop" and
	"postscreen_hangup_action = drop" for the old behavior.
	There is also a new postscreen_dnsbl_action parameter, for
	completeness.  File: postscreen/postscreen.c.

20090708

	Portability: FreeBSD 8 has closefrom(). File: uti/sys_defs.h.

20090710

	Bugfix (introduced Postfix 2.3): Postfix got out of sync
	with a Milter application after the application sent a
	"quarantine" request at end-of-message time. The milter
	application would still be in the end-of-message state,
	while Postfix would already be working on the next SMTP
	event (typically, QUIT or MAIL FROM).  Problem diagnosed
	with help from Alban Deniz. File: milter/milter8.c.

20090711-2

	New "event_server" Postfix server framework. It is similar
	to the "multi_server" framework but does not manage client
	I/O events.  This framework is suitable for servers such
	as postscreen that have complex event management requirements.
	File: master/event_server.c.

	New event_fork() primitive to resume event processing in a
	child process after it is created with fork(). This is
	needed by postscreen to complete work-in-progress in the
	background after "postfix reload". File: util/events.c.

	Cleanup: postscreen migrated to the "event_server" framework.
	File: postscreen/postscreen.c.

20090712

	Cleanup: ${multi_instance_name:postfix}${multi_instance_name
	?$multi_instance_name} garbage in Postfix logging is now
	hopefully gone.  File: global/mail_task.c.

20090715

	Documentation: as of Postfix 2.6, the reject_unauth_pipelining
	feature can be used meaningfully at any protocol stage.
	File: proto/postconf.proto.

20090717

	Cleanup: postscreen PREGREET detection now uses non-destructive
	read, so that the real SMTP server can still receive the
	HELO command (apparently some sites allow pregreeters to
	talk to their servers).  File: postscreen/postscreen.c.

20090805

	Bugfix: don't panic when an unexpected smtpd access map is
	specified. File: smtpd/smtpd_check.c.

20090918

	Bugfix (introduced Postfix 2.3): with Milter RCPT TO replies
	turned off, there was no automatic flush-before-read on the
	smtpd-to-milter stream, because the read was done on the
	cleanup-to-milter stream. Problem reported by Stephen Warren.
	File: milter/milter8.c.

20091005

	Bugfix: core dump while printing error message for malformed
	%<letter> sequence in LDAP, MySQL or PostgreSQL configuration.
	File: global/db_common.c. Fix by Victor Duchovni.

20091006

	Feature: "postscreen_whitelist_networks = $mynetworks" (the
	default) to avoid problems with buggy SMTP implementations
	in network appliances.  Note: this feature never uses the
	remote SMTP client hostname.  Files: global/addr_match_list.[hc],
	postscreen/postscreen.c.

	Feature: postscreen_blacklist_networks (default: empty) to
	permanently blacklist hosts or networks. Address syntax is
	as with mynetworks. Note: this feature never uses the remote
	SMTP client hostname.  File: postscreen/postscreen.c.

	Feature: postscreen_blacklist_action (default: continue)
	to control what happens with a permanently blacklisted
	client. File: postscreen/postscreen.c.

20091007

	Feature: hostname-based check_client_{mx,ns}_access,
	check_reverse_client_hostname_{mx,ns}_access (the client
	IP address is not used). Rob Foehl.  Files: smtpd/smtpd_check.c,
	global/mail_params.h, proto/postconf.proto, mantools/postlink.

20091008

	Documentation: restructured the postscreen(8) manpage
	as a sequence of tests. File: postscreen/postscreen.c.

20091012

	Bugfix: postmulti did not skip commands with -p.  Luca
	Berra. File: postmulti/postmulti.c.

20091023

	Feature: specify "smtpd_command_filter = pcre:/file/name"
	to replace remote SMTP client commands before they are
	executed by the Postfix SMTP server. This a last-resort
	tool to fix inter-operability problems.  See examples in
	the postconf(5) manual page.  File: smtpd/smtpd.c.

20091026

	Cleanup: changed parameter evaluation order so that the
	multi_instance_wrapper parameter value is evaluated after
	the command and daemon directory parameters. File:
	global/mail_params.h.

20091101

	Performance: specify "smtpd_proxy_options = speed_adjust"
	to receive an entire message before sending it through a
	before-queue content filter. This reduces the number of
	simultaneous content filtering processes, and thus, the
	system memory requirements.  Files: smtpd/smtpd.[hc],
	smtpd/smtpd_proxy.[hc].

20091103-4

	Cleaned up the speed-adjust code, streamlined the error
	handling, and updated documentation. Files: smtpd/smtpd.[hc],
	smtpd/smtpd_proxy.[hc], proto/SMTPD_PROXY_README.html.

20091105

	Cleaning up after speed_adjust introduction: smtpd segfault
	caused by an incomplete API change; refined the queue space
	check; release scratch space immediately after delivering
	mail to the before-queue filter. Files: smtpd.c, smtpd_proxy.c.

20091110

	Workaround: specify "smtp_tls_block_early_mail_reply = yes"
	to detect a mail hijacking attack based on a TLS protocol
	vulnerability (CVE-2009-3555). The attack involves prepending
	malicious HELO/MAIL/RCPT/DATA commands to a Postfix SMTP
	client TLS session. The attack would succeed with non-Postfix
	SMTP servers that reply to the malicious commands after
	negotiating the Postfix SMTP client TLS session. File:
	smtp/smtp_proto.c.

20091113

	Workaround: skip interfaces without netmask, to avoid
	segfaults (reported by Dmitry Karasik). Don't supply a dummy
	null netmask, as that would turn Postfix into an open relay
	(mynetworks = 0.0.0.0/0). File: util/inet_addr_local.c.

	Bugfix: forgot to flush output to the smtpd_proxy speed-adjust
	buffer before truncating the file. Reported by Mark Martinec,
	fix by Victor Duchovni. File: smtpd/smtpd_proxy.c.

20091114

	Feature: specify "smtp_reply_filter = pcre:/file/name" to
	replace remote SMTP server reply lines before they are
	parsed by the Postfix SMTP client. This a last-resort tool
	to fix inter-operability problems.  See examples in the
	postconf(5) manual page.  File: smtp/smtp_chat.c.

	Safety: don't send postmaster notifications to report
	problems delivering (possible) postmaster notifications.
	File: smtp/smtp_connect.c.

20091121

	Feature: sender_dependent_default_transport_maps, to override
	the default transport in a sender-dependent manner. This
	is not a transport_maps override, and therefore it does not
	use the transport_maps syntax for null transport, null
	nexthop, or null email address.

20091127

	Usability: the Postfix SMTP client now logs a warning that
	wrappermode TLS is not supported, when configured to connect
	to port smtps/465. File: smtp/smtp_connect.c.

20091203

	Safety: the postscreen daemon logs a warning when table
	lookup is slow. Slow lookups cause postscreen to fall behind,
	and worse, to catch up in bursts, which results in overload
	elsewhere.  File: postscreen/postscreen.c.

20091206

	Feature: by popular demand, the Postfix SMTP server now
	logs the before-queue content filter's end-of-message
	accept/reject response.  File: smtpd/smtpd.c.

20091209

	Portability: as the result of continuous improvement,
	Berkeley DB no longer allows fork-then-close. File:
	postscreen/postscreen.c.

	Bugfix: sender_dependent_relayhost_maps did not reject an
	empty lookup result, and did not recognize lookup errors,
	thus treating errors as "not found". Problem found during
	code maintenance. File: trivial-rewrite/resolve.c.

	Cleanup: the postscreen daemon now applies the permanent
	whitelist first. It is a safety feature that prevents mail
	from being blocked. File: postscreeb/postscreen.c.

20091224

	Bugfix (introduced 20041215): dict_dbm_sequence() did not
	release the shared lock when the end of the sequence was
	reached. File: util/dict_dbm.c.

20091227

	Cleanup: postscreen and verify periodic cache cleanup
	(default: 12 hours after the previous cache cleanup run).
	This is based on a new dict_cache(3) module that implements
	a generalized version of the tlsmgr(8) cache maintenance
	code.  Once the new dict_cache(3) code is burned in, the
	tlsmgr(8) will be migrated to it. See the RELEASE_NOTES for
	user interface details. Files: util/htable.[hc], util/dict_ht.c,
	util/dict_cache.[hc], postscreen/postscreen.c, verify/verify.c.

	Bugfix: the event handler starved I/O events when a timer
	call-back routine scheduled a zero-delay timer request.
	This bug was exposed when adding the new dict_cache(3)
	module for cache expiration.  File: util/events.c.

20091228

	Cleanup: postscreen and verify periodic cache cleanup is
	now optional (specify a null time interval between cache
	cleanup runs).

20091229

	Cleanup: the address_verify_poll_count default parameter
	value is now stress-dependent, so that the Postfix SMTP
	server will not wait (up to 6 seconds) for the address
	verification result. File: global/mail_params.h.

	Final slution for the I/O event starvation problem when a
	timer call-back schedules a zero-delay timer request.  File:
	util/events.c.

20091231

	Cleanup: the non-shared, in-memory hash table is now
	accessible as the "internal:" map type. This simplifies
	code by eliminating some special cases. Files: util/dict_ht.c,
	util/dict_open.c, and documentation.

20100101

	Bugfix: the mantools/postlink script applied hyperlinks
	for the "virtual:" transport to "/etc/postfix/virtual:".
	Symptom reported by Christoph Anton Mitterer.

20200102

	Workaround: don't report bogus Berkeley DB close errors as
	fatal errors. All operations before close are already error
	checked, so the data is known to be safe.  File: util/dict_db.c.

20100107

	Documentation: the access(5) manual page did not document
	the "send 521 and disconnect" behavior in the Postfix SMTP
	server (introduced with Postfix 2.6). File: proto/access.

	Bugfix: the pickup daemon did not discard messages that
	were requeued after all recipients were delivered (or
	bounced), and the cleanup server tried to bounce such
	messages. Files: pickup/pickup.c, global/cleanup_user.h.

	Future proofing: redundant code in postdrop to reject a
	submission without recipient record. File: postdrop/postdrop.c.

20100109

	Cleanup: "postcat -q" will now access files in the "saved"
	queue directory (for corrupted queue files). As before, the
	"postsuper" command will not, to avoid suddenly deleting
	such files. Files: global/mail_queue.h postcat/postcat.c.

20100113

	Cleanup: don't supply the "-o stress" command-line option
	with a single-process service. File: master/master_ent.c.

20100115

	Bugfix: the valid_hostname() fuction did not set the
	"non-numeric" flag after encountering the '-' character.
	Reported by Jan Schampera.  File: util/valid_hostname.c.

20100116

	Documentation: the content_filter and FILTER features never
	supported the special cases of transport_maps. References
	to transport_maps syntax are now removed from content filter
	discussions.  Files: proto/postconf.proto, proto/FILTER_README.

	Workaround: as of Postfix 2.3 the VRFY command did not allow
	a mailbox address inside <>, which broke expectations.  RFC
	2821 (and 5321) is vague about the VRFY request format, but
	spends lots of text on the reply format.  File: smtpd/smtpd.c.

20010117

	Cleanup: when a content_filter parameter or FILTER command
	specifies an empty next-hop destination, the queue manager
	now uses the recipient domain instead of $myhostname. Specify
	"default_filter_nexthop = $myhostname" for compatibility
	with Postfix 2.6 and earlier, or specify a non-empty next-hop
	filter destination.  Files: *qmgr/qmgr_message.c proto/access,
	proto/header_checks, proto/postconf.proto, proto/FILTER_README.

20100120

	Cleanup: detect illegal pipelining after HELO, EHLO.  File:
	smtpd/smtpd.c.

20100128

	Documentation: streamlined the decriptions of protocol and
	cipher tweaks. Victor Duchovni. Files: proto/TLS_README,
	proto/postconf.proto.

20100131

	Documentation: the address verification database is now
	persistent by default. This, combined with the now default
	stress-dependent configuration, improves the performance
	limits and simplifies database maintenance.  Files:
	proto/ADDRESS_VERIFICATION_README, verify/verify.c.

	Cleanup: undo the proxymap and trivial-rewrite max_idle=1s
	override that was introduced with Postfix 2.3. It did not
	help to retire long-lived proxymap or trivial-rewrite
	processes on busy servers, and worsened performance on
	low-traffic servers. The reduced ipc_ttl value (introduced
	with Postfix 2.4) already solves the problem of retiring
	long-lived proxymap or trivial-rewrite processes.  Files:
	proxymap/proxymap.c, trivial-rewrite/trivial-rewrite.c.

20100202

	Documentation: major revision of SASL_README with many
	details on how to configure Cyrus SASL internals. Patrick
	Koetter.  File: proto/SASL_README.html

20100204

	Feature: added "forward_secrecy" option for Cyrus SASL.
	File: xsasl/xsasl_cyrus_security.c.

20100206

	Bugfix (from day zero): the local delivery agent returned
	undeliverable mail to the envelope sender instead of the
	owner- alias, when delivering to command or file. This
	reuses the workaround that was implemented to report a
	Delivered-To: loop. Files: local/file.c, local/command.c,
	local/recipient.c, local/bounce_workaround.c.

20100209

	The tcp_table(5) interface is now part of the stable release.
	The last protocol change was in Postfix 2.1. File:
	util/dict_open.c.

20100515

	Bugfix (introduced Postfix 2.6): the Postfix SMTP client
	XFORWARD implementation did not skip "unknown" SMTP client
	attributes, causing a syntax error when sending a PORT
	attribute. Reported by Victor Duchovni. File: smtp/smtp_proto.c.

20100526

	Cleanup: a unit-test driver (for stand-alone tests) was not
	updated after an internal API change. Vesa-Matti J Kari
	File: milter/milter.c.

20100529

	Portability: OpenSSL 1.0.0 changes the priority of anonymous
	cyphers. Victor Duchovni. Files: postconf.proto,
	global/mail_params.h, tls/tls_certkey.c, tls/tls_client.c,
	tls/tls_dh.c, tls/tls_server.c.

	Portability: Mac OS 10.6.3 requires <arpa/nameser_compat.h>
	instead of <nameser8_compat.h>. Files: makedefs, util/sys_defs.h,
	dns/dns.h.

20100531

	Robustness: skip LDAP queries with non-ASCII search strings.
	The LDAP library requires well-formed UTF-8.  Victor Duchovni.
	File: global/dict_ldap.c.

20100601

	Safety: Postfix processes log a warning when a matchlist
	has a #comment at the end of a line (for example mynetworks
	or relay_domains).  File: util/match_list.c.

	Portability: Berkeley DB 5.x has the same API as Berkeley
	DB 4.1 and later. File: util/dict_db.c.

20100610

	Bugfix (introduced Postfix 2.2): Postfix no longer appends
	the system default CA certificates to the lists specified
	with *_tls_CAfile or with *_tls_CApath.  This prevents
	third-party certificates from getting mail relay permission
	with the permit_tls_all_clientcerts feature.  Unfortunately
	this may cause compatibility problems with configurations
	that rely on certificate verification for other purposes.
	To get the old behavior, specify "tls_append_default_CA =
	yes".  Files: tls/tls_certkey.c, tls/tls_misc.c,
	global/mail_params.h.  proto/postconf.proto, mantools/postlink.

20100714

	Compatibility with Postfix < 2.3: fix 20061207 was incomplete
	(undoing the change to bounce instead of defer after
	pipe-to-command delivery fails with a signal). Fix by Thomas
	Arnett. File: global/pipe_command.c.

20100727

	Bugfix: the milter_header_checks parser provided only the
	actions that change the message flow (reject, filter,
	discard, redirect) but disabled the non-flow actions (warn,
	replace, prepend, ignore, dunno, ok).  File:
	cleanup/cleanup_milter.c.

20100827

	Performance: fix for poor smtpd_proxy_filter TCP performance
	over loopback (127.0.0.1) connections. Problem reported by
	Mark Martinec.  Files: smtpd/smtpd_proxy.c.

20101023

	Cleanup: don't apply reject_rhsbl_helo to non-domain forms
	such as network addresses.  This would cause false positives
	with dbl.spamhaus.org.  File: smtpd/smtpd_check.c.

20101117

	Bugfix: the "421" reply after Milter error was overruled
	by Postfix 1.1 code that replied with "503" for RFC 2821
	compliance. We now make an exception for "final" replies,
	as permitted by RFC. Solution by Victor Duchovni. File:
	smtpd/smtpd.c.