minix/netbsd
1
0
Fork 0
mirror of https://github.com/Stichting-MINIX-Research-Foundation/netbsd.git synced 2025-09-05 13:15:13 -04:00
Code Issues Packages Projects Releases Wiki Activity
netbsd/external/ibm-public/postfix/dist/HISTORY
Lionel Sambuc 10406efeac 2013/12/1 12:00:00 UTC
2014-01-15 10:53:42 +01:00

18309 lines
628 KiB
Plaintext
Raw Blame History

In addition to the names listed below, the following people provided
useful inputs on many occasions: Paul D. Robertson, Simon J. Mudd.
Apologies for any names omitted.
19980105
The compiled-in default value for resolve_smtp_sender was
wrong (from the days that it was a boolean), causing smtpd
to dump core when the variable was not set in main.cf.
The INSTALL instructions now have separate sections for
the three basic ways of running vmailer.
The INSTALL instructions now have discusses how to deal
with chrooted processes.
Ported to RedHat 5.0. My, these people have re-organized
their include files quite a bit, haven't they.
19980106
On RedHat Linux 4.2/5.0, when a FIFO listener opens the
FIFO with mode O_RDONLY, the FIFO remains forever readable
after the writer has closed it. Workaround: open the FIFO
mode O_RDWR.
Test program: util/fifo_rdonly_bug.c
Unfortunately, the above fix triggers a bug on BSD/OS 3.1
where opening the FIFO mode O_RDWR causes select() to claim
that the FIFO is readable even before any data is written
to it, causing read() to block or to fail.
Test program: util/fifo_rdwr_bug.c
printfck (check arguments of printf-like function calls)
found a missing argument in local/command.c
Miscellaneous Makefile cleanups that I didn't finish before
the first alpha release.
19980107
Sometimes the DNS will claim that a domain does not exist,
when in fact it does. Thus, it is a bad idea to reject mail
from apparently non-existent domains. I have changed the
smtpd so that it produces a soft error responses when a
resolve_smtp_sender test fails with HOST_NOT_FOUND. Note:
by default, this test is still disabled.
The DB and DBM read routines will now automagically figure
out if (key, value) pairs were written including a terminating
null byte or not. The DB and DBM write routines will use
this result to determine how to write, and will fall back
to per-system defaults otherwise.
Renamed the README to MUSINGS, and wrote up a README that
reflects the current status of the software.
Added -d (don't disconnect) and -c (show running counter)
option to te smtp-source test program. These tools are
great torture tests for the mail software, and for the
system that it runs on.
Turned down the process_limit parameter (# of parallel smtp
clients or servers) to avoid unpleasant surprises. You can
crank up the process_limit parameter in main.cf.
19980111
Feature: when run by the superuser, mailq now shows the
mail queue even when the mail system is down. To this end,
mailq (sendmail -bp) runs the showq program directly instead
of connecting to the UNIX-domain service socket, and drops
privileges etc. as usual.
19980119
Bugfix: Edwin Kremer spotted an oversight in the negated
host matching code (for name or address patterns prefixed
by !).
Bugfix: upon receipt of a SIGHUP signal, the master now
disconnects from its child processes, so that the current
generation of child processes commits suicide, and so that
the next generation of child processes will use the new
configuration settings.
Bugfix: the smtp server now skips the sender DNS domain
lookup test for foo@[address]
Bugfix: don't append the local domain to foo@[address]
19980120
Bugfix: old low-priority bug in some list walk code that
caused the master to drop core when a service was turned
off in master.cf.
Robustness: the mail system should be able to start up and
to accept local postings even while the naming service is
down. For this reason, the mail system no longer uses
gethostbyname() to look up its own machine name. Sites
that use short hostnames will have to specify their FQDN
in main.cf (this will eventually be done by the system
installation/configuration procedure). Should the config
language support backticks so one can say `domainname`?
What about $name stuff between the backtics?
Security: the master now creates FIFOs and UNIX-domain
sockets as the mail owner instead of as root, for better
protection against subverted mail systems. chmod() is
susceptible to race conditions. fchmod(), although safer,
often does not work on sockets.
Portability: anticipate that all major UNIXes will create
UNIX-domain sockets with permissions modified by the process
umask (required by POSIX). For this reason, we always
chmod() UNIX-domain sockets, unless the system allows us
to use the safer fchmod() instead.
Portability: the semi-resident servers now properly handle
EWOULDBLOCK returns from accept() in addition to EGAIN
(on some systems, EAGAIN and EWOULDBLOCK have different
values).
Bugfix: the semi-resident servers now properly handle EINTR
returns From accept().
Bugfix: Edwin Kremer found that mynetworks() would compute
(32 - mask) instead of mask.
19980121
Feature: /etc/vmailer/relocated is used by the local delivery
program and specifies what mail should be bounced with a
"user has moved to XXX" message. The main.cf configuration
parameter is "relocated_maps". Just like the "virtual_maps"
config parameter, this feature is off by default, and the
parameter can have values such as "files" or "files, nis"
(on hosts equipped with NIS).
19980123
Cleanup: virtual domain support moved from the queue manager
to the resolve service, where it belongs.
Feature: /etc/vmailer/canonical is used by the rewrite
service for all addresses, and maps a canonical address
(user@domain) to another address. Typical use is to generate
Firstname.Lastname@domain addresses, or to clean up dirty
addresses from non-RFC 822 mail systems. The main.cf
configuration parameter is "canonical_maps". Just like
the "virtual_maps" config parameter, this feature is off
by default, and the parameter can have values such as
"files" or "files, nis" (on hosts equipped with NIS).
19980124
HPUX10 port and many little fixes from Pieter Schoenmakers.
Bugfix: isolated an old mysterious bug that could make the
master deaf for new connections while no child process was
running. A typical result was that no pickup daemon would
be started after the previous one had terminated voluntarily.
Bugfix: the NIS lookup code did not mystrdup() the NIS map
name and would access free()d memory.
19980125
Bugfix: the vstream routines would sometimes ignore flushing
errors. The error would still be reported by vstream_fclose()
and vstream_ferror().
Feature: time limit on delivery to shell commands. Config
parameter: command_time_limit. Default value: 100 sec. The
idea is to prevent one bad .forward file or alias file
entry from slowly using up all local delivery process slots.
19980126
Code cleanup: in preparation for SMTP extensions such as
SIZE, allow an extended SMTP command to have a variable
number of options.
19980127
Bugfix: moved canonical map lookups away from the rewriting
module to the cleanup service, so that canonical map lookups
do not interfere with address rewriting on behalf of other
programs. Back to an older trivial-rewrite program version.
Bugfix: moved virtual map lookups away from the resolver
back to the queue manager, so that virtual domain lookup
does not interfere with address resolution on behalf of
other programs. Back to an older qmgr program version.
19980131
Feature: integrated and adapted Guido van Rooij's SIZE
option (RFC 1870), carefully avoiding potential problems
due to overflow (by multiplying large numbers) or unsigned
underflow (by subtracting numbers).
Code cleanup: cleaned up the code that parses the server
response to the HELO/EHLO command, so that we can more
reliably recognize what options a server supports.
19980201
Portability: integrated the IRIX 6 port by Oved Ben-Aroya.
Portability: the software now figures out by itself if a
server should open its FIFO read-write or read-only, to
avoid getting stuck with a FIFO that stays readable forever.
Bugfix: the cleanup service would terminate with a fatal
vstream_fseek() error when the queue file was too large.
Bugfix: the cleanup service could be killed by a signal
when the queue file became too large.
19980203
Portability: some systems have statfs(), some have statvfs(),
and the relevant include files are in a different place on
almost every system.
Portability: the makedefs script now nukes the -O compiler
flag when building on AIX with IBM's own compiler...
19980204
Portability: HP-UX 9.x support by Pieter Schoenmakers.
Portability: added SYSV-style ulimit() file size limit
support for HP-UX 9.x.
Portability: added some #includes that appeared to be
missing according to the Digital UNIX cc compiler.
Bugfix: sys_defs.h now correctly specifies NIS support for
LINUX2, HPUX9 and HPUX10.
Security: fixed a file descriptor leak in the local delivery
agent that could give shell commands access to the VMailer
IPC streams. This should not cause a vulnerability, given
the design and implementation of the mailer, but it would
be like asking for trouble.
Bugfix: the sendmail -B (body type) option did not take a
value.
19980205
Bugfix (SUNOS5): should not have deleted the SVID_GETTOD
definition from util/sys_defs.h.
Bugfix (HPUX9): forgot to specify whether to use statfs()
or statvfs().
Bugfix (HPUX9): don't try to raise the file size ulimit.
Bugfix (HPUX9): must specify file size limit in 512-blocks.
19980207
Robustness: the master process now raises the file size
limit when it is started with a limit that is less than
VMailer's file size limit. File: util/file_limit.c.
Security: the dns lookup routines now screen all result
names with valid_hostname(). Bad names are treated as
transient errors.
Feature: qmail compatibility: when the home_mailbox parameter
is set, mail is delivered to ~/$home_mailbox instead of to
/var[/spool]/mail/username. This hopefully makes it easier
to lure people away from qmail :-)
Robustness: several testers by accident configured relayhost
the same as myhostname. The programs now explicitly check
for this mistake.
Bugfix: deliver_request_read() would free unallocated memory
when it received an incomplete delivery request from the
queue manager.
Robustness: local_destination_concurrency=1 prevents parallel
delivery to the same user (with possibly disastrous effects
when that user has an expensive pipeline in the .forward
or procmail config file). Each transport can have its own
XXX_destination_concurrency parameter, to limit the number
of simultaneous deliveries to the same destination.
19980208
Robustness: added "slow open" mode, to gradually increase
the number of simultaneous connections to the same site as
long as delivery succeeds, and to gradually decrease the
number of connections while delivery fails. Brad Knowles
provided the inspiration to do this.
This also solves the "thundering herd" problem (making a
bunch of connections to a dead host when it was time to
retry that host). Let's see when other mailers fix this.
Feature: Added $smtpd_banner and $mail_version, for those
who want to show the world what software version they are
running.
Bugfix: vmailer-script now properly labels each syslog
entry.
19980210
Portability: merged in NEXTSTEP 3 port from Pieter Schoenmakers
Bugfix: the local delivery program now checks that a
destination is a regular file before locking it.
19980211
Robustness: the local delivery agent sets HOME, LOGNAME,
and SHELL when delivering to a user shell command. PATH is
always set, and TZ is passed through if it is set.
19980212
Feature: mailq (sendmail -bp) now also lists the maildrop
queue (with mail that hasn't been picked up yet).
19980213
Feature: the smtpd now says: 502 HELP not implemented. This
should impress the heck out of the competition :-)
19980214
Feature: local delivery to configurable system-wide command
(e.g. procmail) avoids the need for per-user ~/.forward
shell commands. Config parameter: mailbox_command.
19980215
Performance: avoid running a shell when a command contains
no shell magic characters or built-in shell commands. This
speeds up delivery to all commands. File: util/exec_command.c.
Bugfix: the local delivery agent, after reading EOF from
a child process, now sends SIGKILL only when the child does
not terminate within a limited amount of time. This avoids
some problems with procmail. File: util/timed_wait.c.
19980217
Portability: folded in NetInfo support from Pieter
Schoenmakers.
19980218
Feature: new vmlock command to run a command while keeping
an exclusive lock on a mailbox.
Feature: with "recipient_delimiter = +", mail for local
address "user+foo" is delivered to "foo", with a "Delivered-To:
user+foo@domain" message header. Files: qmgr/qmgr_message.c,
local/recipient.c. This must be the cheapest feature.
19980219
Code cleanup: moved error handling into functions that
should always succeed (non_blocking(), close_on_exec()).
19980223
Bugfix: null pointer bug in the cleanup program after
processing a From: header with no mail address (or with
only a comment).
19980226
Robustness: now detects when getpwnam() returns a name that
differs from the requested name.
Feature: Added %p support to the vbuf_print formatting
module.
Code cleanup: revamped the alias/include/.forward loop
detection and duplicate suppression code in the local
delivery agent. This must be the fourth iteration, and
again the code has been simplified.
19980228
Robustness: don't treat anything starting with whitespace
as a header record. Instead, explicitly test for leading
whitespace where we permit it. Files: global/is_header.c,
bounce/bounce_flush_service.c, local/delivered.c.
19980301
Compatibility: the sendmail program now accepts the -N
command-line option (delivery status notification) but
ignores it entirely, just like many other sendmail options.
Bugfix: dns_lookup.c was too conservative with buffer sizes
and would incorrectly report "malformed name server reply".
19980302
Bugfix: the local delivery agent was not null-byte clean.
19980307
Feature: integrated Pieter Schoenmaker's code for transport
lookup tables that list (transport, nexthop) by destination.
19980309
Bugfix: delivery agents no longer rename corrupt queue
files, because programs might fall over each other doing
so. Instead, when a delivery agent detects queue file
corruption, it chmods the queue file, simulates a soft
error, and lets the queue manager take care of the problem.
Bugfix: the SMTP server implemented VRFY incorrectly.
Feature: first shot at a pipe mailer, which can be used to
extend VMailer with external mail transports such as UUCP
(provided that the remote site understands domain addressing,
because VMailer version 1 does not rewrite addresses).
Cleanup: extended the master/child interface so that the
service name (from master.cf) is passed on to the child.
The pipe mailer needs the service name so it can look up
service-specific configuration parameters (privilege level,
recipient limit, time limit, and so on).
19980310-12
Cleanup: factored out the pipe_command() code, so it can
be shared between pipe mailer and local delivery agent.
19980314
Compatibility: the sendmail program now parses each
command-line recipient as if it were an RFC 822 message
header; some MUAs specify comma-separated recipients in a
command-line argument; and some MUAs even specify "word
word <address>" forms as command-line arguments.
19980315
Bugfix: VMailer's queue processing randomization wasn't
adequate for unloaded systems with small backlogs.
Bugfix: smtpd now uses double-buffered stream I/O to prevent
loss of input sent ahead of responses.
19980316
Bugfix: the smtpd anti-relay code didn't treat all hosts
listed in $mydestinations as local, so it would accept mail
only for hosts listed in $relay_domains (default: my own
domain).
Bugfix: smtpd now replies with 502 when given an unknown
command.
19980318
Cleanup: resolve/rewrite clients now automatically disconnect
after a configurable amount of idle time (ipc_idle).
19980322
Tolerance: VRFY now permits user@domain, even though the
RFC requires that special characters such as @ be escaped.
19980325
Bugfix: a recipient delimiter of "-" could interfere with
special addresses such as owner-xxx or double-bounce.
Tolerance: the SMTP client now permits blank lines in SMTP
server responses.
Tolerance: the SMTP client now falls back to SMTP when it
apparently mistook an SMTP server as ESMTP capable.
Bugfix: eliminated strtok() calls in favor of mystrtok().
Symptom: master.cf parsing would break if $inet_interfaces
was more than one word.
19980328
Bugfix: user->addr patterns in canonical and virtual tables
matched only $myorigin, not hosts listed in $mydestination
or addresses listed in $inet_interfaces. The man pages
were wrong too. File: global/addr_match.c.
19980401
Robustness: FIFO file permissions now default to 0622. On
some systems, opening a FIFO read-only could deafen the
pickup daemon. Only the listener end (which is opened as
root) needs read access anyway, so there should not be a
loss of functionality by making FIFOs non-readable for
non-mail processes.
19980402
Compatibility: sendmail -I and -c options added.
19980403
Feature: virtual lookups are now recursive. File:
qmgr/qmgr_message.c
19980405
Implemented sendmail -bs (stand-alone) mode. This mode runs
as the user and therefore deposits into the maildrop queue.
19980406
The pickup service now removes malformed maildrop files.
19980407
The pickup service now guards against maildrop files with
time stamps dated into the future.
19980408
Bugfix: in the canonical and virtual maps, foo->address
would match foo@$myorigin only. This has been fixed to also
match hosts listed in main.cf:$mydestination and the
addresses listed in main.cf:$inet_interfaces.
Bugfix: added double buffering support to the VMailer SMTP
server. This makes the SMTP server robust against SMTP
clients that talk ahead of time, and should have been in
there from day one.
19980409
Bugfix: the VMailer SMTP client now recognizes its own
hostname in the SMTP greeting banner only when that name
appears as the first word on the first line.
19980410
Feature: smtpd now logs the local queue ID along with the
client name/address, and pickup now logs the local queue
ID along with the message owner.
Bugfix: still didn't do virtual/canonical lookups right
(code used the non-case-folded key instead of the case
folded one).
19980418
Bugfix: the SMTP server did not flush the "250 OK queued
as XXXX" message from the SMTP conversation history.
19980419
Bugfix: qmgr would not notice that a malformed message has
multiple senders, and would leak memory (Tom Ptacek).
19980421
Portability: in the mantools scripts, the expr pattern no
longer has ^ at the beginning, and the scripts now use the
expand program instead of my own detab utility.
19980425
NetBSD 1.x patch by Soren S. Jorvang.
19980511
Feature: the SMTP server now logs the protocol (SMTP or
ESMTP) as part of the Received: header.
Feature: smtpd now logs the last command when a session is
aborted due to timeout, unexpected EOF, or too many client
errors.
19980514
Bugfix: the queue manager did not update the counter for
in-core message structures, so the in-core message limit
had no effect. This can be bad when you have a large backlog
with many messages eligible for delivery.
Robustness: the queue manager now also limits the total
number of in-core recipient structures, so that it won't
use excessive amounts of memory on sites that have large
mailing lists.
19980518
Bugfix: the SMTP client did not notice that the DNS client
received a truncated response. As a result, a backup MX
host could incorrectly claim that it was the best MX host
and declare a mailer loop.
Added start_msg/stop_msg entries to the vmailer startup
script, for easy installation.
Cleanup: VMailer databases are now explicitly specified as
type:name, for example, hash:/etc/aliases or nis:mail.aliases,
instead of implicitly as "files", "nis" and so on. Test
program: util/dict_open. This change allowed me to
eliminate a lot of redundant code from mkmap_xxx.c, and
from everything that does map lookups.
19980525
Bugfix: local/dotforward.c compared the result of opening
a user's ~/.forward against the wrong error value.
19980526
Bugfix: the smtpd VRFY command could look at free()d memory.
Robustness: the smtpd program had a fixed limit on the
number of token structures. The code now dynamically
allocates token structures.
Bugfix: the queue manager still used the deprecated parameter
name xxx_deliver_concurrency for concurrency control, but
the documentation talks about the preferred parameter name
xxx_destination_concurrency. Fix: try xxx_destination_concurrency
first, then fall back to xxx_deliver_concurrency.
19980621-19980702
Cleanup: the string read routines now report the last
character read or VSTREAM_EOF. This change is necessary
for the implementation of the long SMTP line bugfix.
Bugfix: the smtp server exited the DATA command prematurely
when the client sent long lines. Reason: the smtp server
did not remember that it broke long lines, so that '.'
could appear to be the first character on a line when in
fact it wasn't.
Bugfix: the queue manager made lots of stupid errors while
reading $qmgr_message_recipient_limit chunks of recipients
from a queue file. This code has been restructured.
19980706
Performance: the cleanup program now always adds return-receipt
and errors-to records to a queue file, so that the queue
manager does not have to plow through huge lists of
recipients.
Robustness: the initial destination concurrency now defaults
to 2, so that one bad message or one bad connection does
not stop all mail to a site. The configuration parameter
is called initial_destination_concurrency.
Performance: the per-message recipient limit is now enforced
by the queue manager instead of by the transport. Thus, a
large list of recipients for the same site is now mapped
onto several delivery requests which can be handled in
parallel, instead of being mapped onto one delivery request
that is sent to limited numbers of recipients, one group
after the other.
19980707
Cleanup: the queue manager now does an additional recipient
sort after the recipients have been resolved, so that the
code can do better aggregation of recipients by next hop
destination.
Feature: lines in the master.cf file can now be continued
in the same manner as lines in the main.cf file, i.e. by
starting the next line with whitespace.
Feature: the smtp client now warns that a message may be
delivered multiple times when the response to "." is not
received (the problem described in RFC 1047).
Cleanup: when the queue manager changes its little mind
after contacting a delivery agent (for example, it decides
to skip the host because a transport or host goes bad),
the delivery agent no longer complains about premature EOF.
File: global/deliver_request.c
19980709
Bugfix: when breaking long lines, the SMTP client did not
escape leading dots in secondary etc. line fragments. Fix:
don't break lines. This change makes VMailer line-length
transparent. Files: global/smtp_stream.c, smtp/smtp_proto.c.
19980712
Cleanup: the queue manager to deliver agent protocol now
distinguishes between domain-specific soft errors and
recipient-specific soft errors. Result: many soft errors
with SMTP delivery no longer affect other mail the same
domain.
19980713
Feature: the file modification time stamp of deferred queue
files is set to the nearest wakeup time of their recipient
hosts, or if delivery was deferred due to a non-host problem,
the time stamp is set into the future by the configurable
minimal backoff time.
Bugfix: the SMTP client and the MAILQ command would report
as message size the total queue file size. That would
grossly overestimate the size of a message with many
recipients.
Bugfix: the 19980709 fix screwed up locally-posted mail
that didn't end in newline.
19980714
Robustness: the makedefs script now defaults to no optimization
when compiling for purify.
19980715
Robustness: the makedefs script now defaults to no optimization
when compiling with gcc 2.8, until this compiler is known
to be OK.
Workaround: when sending multiple messages over the same
SMTP connection, some SMTP servers need an RSET command
before the second etc. MAIL FROM command. The VMailer SMTP
client now sends a redundant RSET command just in case.
The queue manager now logs explicitly when delivery is
deferred because of a "dead" message transport.
19980716
Feature: mailq and mail bounces now finally report why mail
was deferred (the reason was logged to the syslog file
only). Changes were made to the bounce service (generalized
to be usable for defer logs), showq service (to show reasons)
and the queue manager.
As a result the defer directory (with one log per deferred
message) may contain many files; also, this directory is
accessed each time a message is let into the active queue,
in order to delete its old defer log. This means that hashed
directories are now a must.
19980718-20
Feature: configurable timeout for establishing smtp
connections. Parameter: smtp_connect_timeout (default 0,
which means use the timeout as wired into the kernel).
Inspired by code from Lamont Jones. For a clean but far
from trivial implementation, see util/timed_connect.c
Cleaned up the interfaces that implement read/write deadlines.
Instead of returning -2, the routines now set errno to
ETIMEDOUT; the readable/writable tests are now separate.
19980722
Feature: the default indexed file type (hash, btree, dbm)
is now configurable with the "database_type" parameter.
The default value for this parameter is system specific.
Feature: selectively turn on verbose logging for hosts that
match the patterns specified via the "debug_peer_list"
config parameter. Syntax is like the "bad_smtp_clients"
parameter (see global/peer_list.c). The verbose logging
level is specified with "debug_peer_level" (default 2).
Security: the local delivery agent no longer delivers to
files that have execute permission enabled.
19980723
Workarounds for Solaris 2.x UNIX-domain sockets: they lose
data when you close them immediately after writing to them.
This could screw up the delivery agent to queue manager
protocol.
19980724
Cleanup: spent most of the day cleaning up queue manager
code that defers mail when a site or transport dies, and
fixed a few obscure problems in the process.
19980726
Feature: the admin can now configure what classes of problems
result in mail to the postmaster. Configuration parameter:
"notify_classes". Default is backwards compatible: bounce,
policy, protocol, resource, and software.
19980726-28
Feature: the admin can now configure what smtp server access
control restrictions must be applied, and in what order.
Configuration parameters: smtpd_client_restrictions,
smtpd_helo_restrictions, smtpd_mail_restrictions and
smtpd_rcpt_restrictions. Defaults are intended to be
backwards compatible. The bad_senders and bad_clients lists
are gone and have become db (dbm, nis, etc) maps. Files:
smtpd/smtpd_check.c, config/main.cf.
19980729-31
Feature: hashed queues. Rewrote parts of the mail queue
API. Configuration parameters: "hash_queue_names" specifies
what queue directories will be hashed (default: the defer
log directory), "hash_queue_depth" specifies the number of
subdirectories used for hashing (default 2).
19980802
Bugfix: the pipe mailer should expand command-line arguments
with $recipient once for every recipient (producing one
command-line argument per recipient), instead of replacing
$recipient by of all recipients (i.e. producing only one
command-line argument). This is required for compatibility
with programs that expect to be run from sendmail, such as
uux. Thanks to Ollivier Robert for helping me to get this
right.
Code cleanup: for the above, cleaned up the macro expansion
code in dict.c and factored out the parsing into a separate
module, mac_parse.c.
19980803
"|command" and /file/name destinations in alias databases
are now executed with the privileges of the database owner
(unless root or vmailer). Thus, with: "alias_maps =
hash:/etc/aliases, hash:/home/majordomo/aliases", and with
/home/majordomo/aliases* owned by the majordomo account,
you no longer need the majordomo set-uid wrapper program,
and you no longer need root privileges in order to install
a new mailing list.
19980804
Added support for the real-time blackhole list. Example:
"client_restrictions = permit_mynetworks, reject_maps_rbl"
All SMTP server "reject" status codes are now configurable:
unknown_client_reject_code, mynetworks_reject_code,
invalid_hostname_reject_code, unknown_hostname_reject_code,
unknown_address_reject_code, relay_domains_reject_code,
access_map_reject_code, maps_rbl_reject_code. Default values
are documented in the smtpd/smtpd_check.c man page.
19980806-8
Code cleanup: after eye balling line-by line diffs, started
deleting code that duplicated functionality because it was
at the wrong abstraction level (smtp_trouble.c), moved
functionality that was in the wrong place (dictionary
reference counts in maps.c instead of dict.c), simplified
code that was too complex (password-file structure cache)
and fixed some code that was just wrong.
19980808
Robustness: the number of queue manager in-core structures
for dead hosts is limited; the limit scales with the limit
on the number of in-core recipient structures. The idea is
to not run out of memory under conditions of stress.
19980809
Feature: mail to files and commands can now be restricted
by class: alias, forward file or include file. The default
restrictions are: "allow_mail_to_files = alias, forward"
and allow_mail_to_commands = alias, forward". The idea is
to protect against buggy mailing list managers that allow
intruders to subscribe /file/name or "|command".
19980810-12
Cleanup: deleted a couple hundred lines of code from the
local delivery agent. It will never be a great program;
sendmail compatibility is asking a severe toll.
19980814
Cleanup: made the program shut up about some benign error
conditions that were reported by Daniel Eisenbud.
19980814-7
Documentation: made a start of HTML docs that describe all
configuration parameters.
Feature: while documenting things, added smtpd_helo_required.
19980817
Bugfix: at startup the queue manager now updates the time
stamps of active queue files some time into the future.
This eliminates duplicate deliveries after "vmailer reload".
Bugfix: the local delivery agent now applies the recipient
delimiter after looking in the alias database, instead of
before.
Documentation bugfixes by Matt Shibla, Tom Limoncelli,
Eilon Gishri.
19980819
GLIBC fixes from Myrdraal.
Bugfix: applied showq buffer reallocation workaround in
the wrong place.
Bugfix: can't use shorts in varargs lists. SunOS 4 has
short uid_t and gid_t. pipe_command() would complain.
Bugfix: can't use signed char in ctype macros. All ctype
arguments are now casted to unsigned char. Thanks, Casper
Dik.
19980820
Bugfix: save the alias lookup result before looking up the
owner. The previous alpha release did this right.
Cleanup: mail_trigger() no longer complains when the trigger
FIFO or socket is unavailable. This change is necessary to
shut up the sendmail mail posting program, so that it can
be used on mail clients that mount their maildrop via NFS.
Experiment: pickup and pipe now run as vmailer most of the
time, and switch to user privileges only temporarily.
Files: util/set_eugid.c global/pipe_command.c pipe/pipe.c
pickup/pickup.c. Is this more secure/ What about someone
manipulating such a process while not root? It still has
ruid == 0.
19980822
Portability: with GNU make, commands such as "(false;true)"
and "while :; do false; done" don't fail. Workaround: use
"set -e" all over the place. Problem found by Jeff Wolfe.
Feature: "check_XXX_access maptype:mapname" (XXX = client,
helo, sender, recipient). Now you can make recipient and
other SPAM restrictions dependent on client or sender access
tables lookup results.
19980823
Bugfix: smtpd access table lookup keys were case sensitive.
Added "permit" and "reject" operators. These are useful at
the end of SPAM restriction lists (smtpd_XXX_restrictions).
Added a first implementation of the permit_mx_backup SPAM
restriction. This permits mail relaying to any domain that
lists this mail system as an MX host (including mail for
the local machine). Thanks to Ollivier Robert for useful
discussions.
19980824
Bugfix: transport table lookup keys were case sensitive.
19980825
Portability: sa_len is some ugly #define on some SGI systems,
so we must rename identifiers (file util/connect.c).
Bugfix: uucp delivery errors are now sent to the sender.
Thanks, Mark Delany.
Bugfix: the pipe delivery agent now replaces empty sender
by the mailer daemon address. Mark Delany, again.
Portability: GNU getopt looks at all command-line arguments.
Fix: insert -- into the pipe/uucp definition in master.cf.
Bugfix: the smtp server command tokenizer silently discarded
the [] around [text], so that HELO [x.x.x.x] was read as
if the client had sent: HELO x.x.x.x. Thanks, Peter Bivesand.
Bugfix: the HELO unknown hostname/bad hostname restrictions
would have treated [text] as a domain name anyway.
Bugfix: the $local_duplicate_filter_limit value was not
picked up by the local delivery agent. This means the local
delivery agent could run out of memory on large mailing
list deliveries.
19980826
Performance: mkmap/mkalias now run with the same speed as
sendmail. VMailer now uses a 4096-entry cache with 1 Mbyte
of memory for DB lookups. File: util/dict_db.c.
19980902
Robustness: the reject_unknown_hostname restriction for
HELO/EHLO hostnames will now permit names that have an MX
record instead of an A record.
19980903
Feature: appending @$myorigin to an unqualified address is
configurable with the boolean append_at_myorigin parameter
(default: yes).
Feature: appending .$mydomain to user@host is configurable
with the boolean append_dot_mydomain parameter (default:
yes).
Feature: site!user is rewritten to user@site, under control
of the boolean parameter swap_bangpath (default: yes).
Feature: permit a naked IP address in HELO commands (i.e.
an address without the enclosing [] as required by the
RFC), by specifying "permit_naked_ip_address" as one of
the restrictions in the "smtpd_helo_restrictions" config
parameter.
19980904
Code cleanup: when an SMTP client aborts a session after
sending MAIL FROM, the cleanup service no longer warns that
it is "skipping further client input". Files: cleanup/*.c.
Thanks, Daniel Eisenbud, for prodding.
Code cleanup: when an SMTP server disconnects in the middle
of a session, don't try to send QUIT over the non-existing
connection. Files: global/smtp_stream.c, smtp/smtp.c.
Thanks, Daniel Eisenbud, for prodding, again.
Code cleanup: the VMailer version number has moved from
mail_params.h (which is included by lots of modules) to a
separate file global/mail_version.h, so that a version
change no longer results in massive recompilation.
Bugfix: Errors-To was flagged as a sender address, so the
address never was picked up.
Code cleanup: support for Errors-To: headers completed.
19980905
Feature: per-message exponential delivery backoff, by
looking at the amount of time a message has been queued.
Thanks, Mark Delany.
19980906
Code cleanup: ripped out the per-host exponential backoff
code. It was broken by 19980818. It was probably a bad idea
anyway, because it required per-host, in-core, state kept
by the queue manager. All we do now is to keep state for
$minimal_backoff_time seconds, but only for a limited number
of hosts. Daniel Eisenbud spotted the problem.
Lost feature: the SMTP session transcripts now show who
said what. This feature was inadvertently dropped during
development. Thanks, Daniel Eisenbud, for reminding.
Documentation: the hard-coded rewriting process of the
trivial-rewrite program is described in html/rewrite.html.
Feature: the local delivery agent now does alias lookups
before and after chopping off the recipient subaddress.
This allows you to forward user-anything to another user,
without losing the ability to redirect specific user-foo
addresses.
19980909
Feature: the smtp client now logs a warning that a server
sends a greeting banner with the client's hostname, which
could imply a mailer loop.
19980910
Feature: separate canonical maps for sender and recipient
address rewriting, so that you can rewrite an ugly sender
address and still forward mail to that same ugly address
without creating a mailer loop. Files: cleanup_envelope.c,
cleanup_message.c, cleanup_rewrite.c.
19980911
Feature: virtual maps now support multiple addresses on
the right-hand side. In the case of virtual domains this
can eliminate the need for address expansion via local
aliases, making virtual domains much easier to administer.
This required that I moved the virtual table lookups from
the queue manager to the cleanup service, so that every
recipient has an on-disk status record. Files: qmgr.c,
qmgr_message.c, cleanup_envelope.c, cleanup_rewrite.c,
cleanup_virtual.c.
Feature: sendmail/mailq/newaliases pass on the -v flag to
the program that they end up running, to make debugging a
little easier.
19980914
Bugfix: some anti-spam measures didn't recognize some
addresses as local and would do too much work. File:
smtpd_check.c.
Bugfix: the smtp sender/recipient table lookup restriction
destroyed global data, so that other restrictions could
break. File: smtpd_check.c.
Bugfix: after vmailer reload, single-threaded servers could
exit before flushing unwritten data to the client. Example:
cleanup would exit before acking success to pickup, so the
message would be delivered twice. Bug reported by Brian
Candler.
Cleanup: removed spurious error output from vmailer-script.
Reported by Brian Candler.
Tolerance: ignore non-numeric SMTP server responses. There's
lot of brain damage out there on the net.
19980915
Feature: the smtp-sink benchmark tool now announces itself
with a neutral name so that it can be run on the same
machine as VMailer, without causing Postfix to complain
about a mailer loop.
Robustness: on LINUX, vmailer-script now does chattr +S to
force synchronous directory updates. Fix developed with
Chris Wedgwood.
19980916
Bugfix: when transforming an RFC 822 address to external
form, there is no need to quote " characters in comments.
This didn't break anything, it just looked ugly. File:
global/tok822_parse.c
19980917
Workaround: with deliveries to /file/name, use fsync() and
ftruncate() only on regular files. File: local/file.c
Workaround: the plumbing code in master_spawn.c didn't
check if it was dup2()/close()ing a descriptor to itself
then closing it. Will have to redo the plumbing later.
19980918
Workaround: on multiprocessor Solaris machines, one-second
rollover appears to happen on different CPUs at slightly
different times. Made the queue manager more tolerant for
such things. Problem reported by Daniel Eisenbud.
Workaround: in preparation for deployment with a network-shared
maildrop directory. make pickup more tolerant against clock
drift between clients and servers.
19980921
New vstream_popen() module that opens a two-way channel
across a socketpair-based pipe. This module isn't being
used yet; it is here only to complete the vstream code.
19980922
Code cleanup: the xxx_server_main() interface for master
child processes now uses a name-value argument list instead
of an ugly and inflexible data structure.
Bugfix: moved the test if a non-interactive process is run
by hand, so that the "don't do this" error message can be
printed to stderr before any significant processing.
Bugfix: smtpd now can talk to unix-domain sockets without
bailing out on a peer lookup problem. Files: smtpd/smtpd.c,
util/peer_name.c.
Safety: by default, the postmaster is no longer informed
of protocol problems, policy violations or bounces.
Safety: the SMTP server now sleeps before sending a [45]xx
error response, in order to prevent clients from hammering
the server with a connect/error/disconnect loop. Parameter:
smtpd_error_sleep_time (default: 5).
Feature: the logging facility is compile-time configurable
(e.g., make makefiles "CCARGS=-DLOG_FACILITY=LOG_LOCAL1").
19980923
Bugfix: changed virtual/canonical map search order from
(user@domain, @domain, user) to (user@domain, user, @domain)
so the search order is most specific to least specific.
File: global/addr_map.c, lots of documentation.
Bugfix: after the change of 19980910, cleanup_message
extracted recipients from Reply-To: etc. headers. Found
by Lamont Jones.
19980925
Bugfix: the change in virtual/canonical map search order
broke @domain entries; they would never be looked up if
the address matched $myorigin or $mydestinations. Found by
Chip Christian who now regrets asking for the change.
Bugfix: cleanup initialized an error mask incorrectly, so
that it would keep writing to a file larger than the queue
file size limit, and so it would treat the error as a
recoverable one instead of sending a bounce. Thanks, Pieter
Schoenmakers.
Bugfix: the "queue file cleanup on fatal error" action was
no longer enabled in the sendmail mail posting agent.
Feature: the sendmail mail posting program now returns
EX_UNAVAILABLE when the size of the input exceeds the queue
file size limit. NB THIS CHANGE HAS BEEN WITHDRAWN.
19980926
Code cleanup: the dotlock file locking routine is no longer
derived from Eric Allman's 4.3BSD port of mail.local.
Code cleanup: the retry strategy of the file locking routines
dot_lockfile() and deliver_flock() is now configurable
(deliver_flock_attempts, deliver_flock_delay, deliver_flock_stale).
Code cleanup: the master.pid lock file is now created with
symlink paranoia, and is properly locked so that PID rollover
will not cause false matches.
Bugfix: the vbuf_print() formatting engine did not know
about the '+' format specifier.
Cleanup: replaced unnecessary instances of stdio calls by
vstream ones.
19980929-19981002
Compatibility: added support for "sendmail -q". This required
a change to the queue manager trigger protocol, and a code
reorganization of the way queue scans were done. The queue
manager socket now has become public.
19981002
SMTPD now logs "lost connection after end-of-message"
instead of "lost connection after DATA".
19981005
More bullet proofing: timeouts on all triggers.
19981006
Bugfix: make the number of cleanup processes unlimited, in
order to avoid deadlock. The number of instances needed is
one per smtp/pickup process, and an indeterminate number
per local delivery agent. Thanks, Thanks, David Miller and
Terry Lorrah for cleueing me in.
Bugfix: "sendmail -t" extracted recipients weren't subjected
to virtual mapping. Daniel Eisenbud strikes again.
19981007
Compatibility: if the first input line ends in CRLF, the
sendmail posting agent will treat all CRLF as LF. Otherwise,
CRLF is left alone. This is a compromise between sendmail
compatibility (all lines end in CRLF) and binary transparency
(some, but not all, lines contain CRLF).
19981008
Robustness: stop recursive virtual expansion when the
left-hand side appears in its own expansion.
19981009
Portability: trigger servers such as pickup and qmgr can
now use either FIFOs or UNIX-domain sockets; hopefully at
least one of them works properly. Trigger clients were
already capable of using either form of local IPC.
19981011
Feature: masquerading. Strip subdomains from domains listed
in $masquerade_domains. Exception: envelope recipients are
left alone, in order to not screw up routing.
19981015
Code cleanup: moved the recipient duplicate filter from
the user-level sendmail posting agent to the semi-resident
cleanup service, so that the filter operates on the output
from address canonicalization and of virtual expansion,
instead of operating on their inputs.
19981016
Bugfix: after kill()ing a bunch of child processes, wait()
sometimes fails before all children have been reaped, and
must be called again, or the master will SIGSEGV later.
Problem reported by Scott Cotton.
Workaround: don't log a complaint when an SMTP client goes
away without sending QUIT.
19981018
Workaround: Solaris 2.5 ioctl SIOCGIFCONF returns a hard
error (EINVAL) when the result buffer is not large enough.
This can happen on systems with many real or virtual
interfaces. File: util/inet_addr_local.c. Problem reported
by Scott Cotton.
Workaround: the optional HELO/EHLO hostname syntax check
now allows a single trailing dot.
Workaround: with UNIX-domain sockets, LINUX connect() blocks
until the server calls accept(). File: qmgr/qmgr_transport.c.
Terry Lorrah and Scott Cotton provided the necessary
evidence.
19981020
Robustness: recursive canonical mapping terminates when
the result stops changing.
Code cleanup: reorganized the address rewriting and mapping
code in the cleanup service, to make it easier to implement
the previous enhancement.
19981022
Code cleanup: more general queue scanning programming
interface, in preparation for hashed queues. File:
qmgr/qmgr_scan.c.
Bugfix: a non-FIFO server with a process limit of 1 has a
too short listen queue. Until now this was not a problem
because only FIFO servers had a process limit of 1, and
FIFOs have no listen queue. Fix: always configure a listen
queue of proc_limit or more. File: master/master_listen.c.
19981023
Feature: by popular request, mail delay is logged when
delivering, bouncing or deferring mail.
19981024
Cleanup: double-bounce mail is now absorbed by the queue
manager, instead of the local delivery agent, so that the
mail system will not go mad when no local delivery agent
is configured.
19981025
Cleanup: moved the relocated table from the local delivery
agent to the queue manager, so that the table can also be
used for virtual addresses.
Code reorg: in order for the queue manager to absorb
recipients, the queue file has to stay open until all
recipients have been assigned to a destination queue.
19981026
vmlogger command, so that vmailer-script logging becomes
consistent with the rest of the VMailer system.
Code reorg: logger interface now can handle multiple output
handlers (e.g. syslog and stderr stream).
Bugfix: a first line starting with whitespace is no longer
treated as an extension of our own Received: header. Files:
smtpd/smtpd.c, pickup/pickup.c.
19981027
Bugfix: the bang-path swapping code went into a loop on an
address consisting of just a single !. Eilon Gishri had
the privilege of finding this one.
Workaround: the non-blocking UNIX-domain socket connect is
now enabled only on systems that need it. It may cause
kernel trouble on Solaris 2.x.
Bugfix: the resolver didn't implement bangpath swapping,
so that mail for site!user@mydomain would be delivered to
a local user named "site!user".
19981028
Cleanup: a VSTREAM can now use different file descriptors
for reading and writing. This was necessary to prevent
"sendmail -bs" and showq from writing to stdin. Eilon Gishri
observed the problem.
19981029
The RFC 822 address manipulation routines no longer give
special attention to 8-bit data. Files: global/tok822_parse.c,
global/quote_822_local.c.
Bugfix: host:port and other non-domain stuff is no longer
allowed in mail addresses. File: qmgr/qmgr_message.c.
Workaround: LINUX accept() wakes up before the three-way
handshake is complete, so it can fail with ECONNRESET.
Files: master/single_server.c, master/multi_server.c.
Feature: when delivering to user+foo, try ~user/.forward+foo
before trying ~user/.forward.
Bugfix: smtpd in "sendmail -bs" (stand-alone) mode didn't
clean up when terminated by a signal.
Bugfix: smtpd in "sendmail -bs" (stand-alone) mode should
not try to enforce spam controls because it cannot access
the address rewriting machinery.
Cleanup: the percent hack (user%domain -> user@domain) is
now configurable (allow_percent_hack, default: yes).
Bugfix: daemons in -S (stand-alone) mode didn't change
directory to the queue. This was no problem with daemons
run by the sendmail compatibility program.
19981030
Feature: when virtual/canonical/relocated lookup fails for
an address that contains the optional recipient delimiter
(e.g., user+foo@domain), the search is done again with the
unextended address (e.g., user@domain). File: global/addr_find.c.
Code reorg: the address searching is now implemented by a
separate module global/addr_find.c, so that the same code
can be used for both (non-mapping) relocated table lookups
and for canonical and virtual mapping. The actual mapping
is still done in the global/addr_map.c module.
Robustness: the SMTP client now skips hosts that don't send
greeting banner text. File: smtp/smtp_connect.c
Feature: preliminary support to disable delivered-to. This
is desirable for mailing list managers that don't want to
advertise internal aliases.
Generic support: when the recipient_feature_delimiter
configuration parameter is set, the local delivery agent
uses it to split the recipient localpart into fields. Any
field that has a known name such as "nodelivered" enables
the corresponding delivery feature.
19981031
Code reorg: address splitting on recipient delimiter is
now centralized in global/split_addr.c, which knows about
all reserved names that should never be split.
Robustness: when a request for an internal service cannot
be satisfied because the master has terminated, terminate
instead of trying to reach the service every 30 seconds.
Safety: the local delivery agent now runs as vmailer most
of the time, just like pickup and pipe. Files: local/local.c,
local/mailbox.c
19981101
Compatibility: the tokenizer for alias/forward/etc.
expansion now updates an optional counter with the number
of destinations found; If no destinations is found in a
.forward file, deliver to the mailbox instead. Thanks,
Daniel Eisenbud, for showing the way to go.
Robustness: the pickup daemon should always include a
posting-time record, even when the sendmail posting agent
didn't. However, just like before, user-provided posting
times will be ignored. Ollivier Robert found this one.
Robustness: duplicate entries in aliases or maps now cause
a warning instead of a fatal error (and an incomplete file).
Robustness: mkmap now prints a warning when an entry is in
"key: value" format, which is the format expected for alias
databases, not for maps.
Portability: on LINUX, prepend "+" to the getopt() options
string so that getopt() will stop at the first non-option
argument. Suggestion by Marco d'Itri.
19981103
Cleaned up the set_eugid() and open_as() implementations,
and added stat_as() and fstat_as() so that the local delivery
agent would look up include files and .forward files with
the right privileges.
19981104
Bugfix: the :include: routine now stat()s/open()s files
included by root-owned aliases as root, not as nobody.
Bugfix: the master crashed when a service with wakeup timer
was disabled or renamed. Fix: eliminate some pathological
coupling between process management and wakeup management.
Feature: partial implementation of ETRN (causes a full
deferred queue scan). Thanks Lamont Jones for reminding me
that things can be useful already before they are perfect.
Cleanup: simplified the SMTPD tokenizer.
Bugfix: sendmail -bs didn't properly notify the mail system
of new mail.
Compatibility: the MAIL FROM and RCPT TO commands now accept
the most common address forms without enclosing <>. The <>
is still needed for addresses that contain a "string", an
[address], or a colon (:).
19981105
Bugfix: "master -t" would claim that the master runs when
in fact the pid directory does not exist, causing trouble
with first time startup (reported by several).
Portability: added a sane_accept() module that maps all
beneficial accept() error results to EAGAIN. According to
private communication with Alan Cox, Linux 2.0.x accept()
can return a variety of error conditions, so we play safe
and allow for any error that may happen because SYN+ACK
could not be sent.
Portability: NETBSD1 uses dotlock files (Perry Metzger).
Bugfix: the local delivery agent did not canonicalize
owner-foo sender addresses, so that local users would see
owner-foo instead of owner-foo@$myorigin (Perry Metzger).
OPENSTEP4 support, similar to NEXTSTEP3 (Gerben Wierda).
19981106
Portability: the master startup would take a long time on
AIX because AIX has a very large per-process open file
limit. Fix is to check the status of only the first couple
hundred file descriptors instead. File: master/master.c.
Bugfix: mail to user@[net.work.addr.ess] was broken because
of a reversed test. File: qmgr/qmgr_message.c.
19981107
Compatibility: don't clobber the envelope sender address
when an alias has no owner-foo alias (problem diagnosed by
Christophe Kalt).
Bugfix: mail to local users in include files would be
delivered directly if the alias didn't have an owner-foo
alias, and if the alias database and include file were
owned by root.
Feature: with user+foo addresses, any +foo address extension
that is not explicitly matched in canonical, virtual or
alias databases is propagated to the table lookup result.
19981108
Bugfix: minor memory leak in the user+foo table lookup
code.
Configurability: specify virtual.domain in the virtual map,
and mail for unknown@virtual.domain will bounce automatically.
The $relay_domains default value now includes $virtual_maps,
so the SMTP server will accept mail for the domain. Marco
d'Itri put me on the right track.
Configurability: The mydestinations configuration parameter
now accepts /file/name expressions and type:name lookup
tables.
Code cleanup: in order to make the previous two enhancements
possible, revised the string/host/address matching engine
so it can handle any mixture of strings, /file/name patterns
and type:name lookup tables. Files: util/match_{list,ops}.c,
global/{domain,namadr,string}_list.c.
19981110
Code cleanup: replaced remaining isxxx() calls by ISXXX().
19981111
Bugfix: the "bounce unknown virtual user" code was in the
wrong place. Problem tackled with help of Chip Christian.
Portability: reportedly, Solaris 2.5.1 can hang waiting
for a UNIX-domain connection to be accepted, so it gets
the same workaround that was designed for LINUX. Problem
reported by Scott Cotton.
19981112
Management: "vmailer stop" now allows delivery agents to
finish what they are doing, like "vmailer reload".
Management; "vmailer abort" causes immediate termination.
Workaround: zombie processes pile up with HP-UX. Reason:
select() does not return upon SIGCHLD when SA_RESTART is
specified to sigaction(). Workaround: shorten the select()
timer to 10 seconds, #ifdef BRAINDEAD_SELECT_RESTARTS.
Thanks, Lamont Jones.
19981117
Rename: VMailer is now Postfix. Sigh.
19981118
Cleanup: generalized the safe_open() routine so that it is
no longer limited to mailbox files, lock files, etc.
Bugfix (found during code review): vstream*printf() could
run off the end of a stream buffer after an I/O error,
because vbuf_print() ignored the result from VBUF_SPACE().
Bugfix (found during code review): resolve_local() could
clobber its argument, but the docs didn't say so.
19981121
Cleanup: the is_header() routine now allows 8-bit data in
header labels.
19981123
Bugfix (found during code review): the mail_queue_enter()
path argument wasn't optional. File: global/mail_queue.c
19981124
Cleanup: eliminated redundant tests for a zero result from
vstream_fdopen(). Unlike the stdio fdopen() routine, the
vstream_fdopen() routine either succeeds or never returns.
Bugfix: the queue manager now looks at the clock before
examining a file time stamp, to avoid spurious complaints
about time warps on busy machines. File: qmgr/qmgr_active.c.
19981125
Compatibility: allow trailing dot at the end of user@domain.
Address canonicalization now strips it off. Issue brought
forward by Eilon Gishri. File: trivial-rewrite/rewrite.c.
Robustness: changed DNS lookup order of MAIL FROM etc.
domains from MX then A to A then MX, just in case the MX
lookup fails with a server error.
Renamed vmcat, vmlock, vmlogger, vmtrigger to postcat,
postlock, postlog, postkick. Also renamed mkmap and mkalias
to postmap and postalias.
19981126
Workaround: Lamont Jones found a way for HP-UX to terminate
select() after SIGCHLD. The code is #ifdef USE_SIG_RETURN.
Files: util/sys_defs.h, master/master_sig.c.
Bugfix: the Delivered-To: loop detection code had stopped
working, when long ago the is_header() routine was changed.
File: local/delivered.c.
19981128
Bugfix: postcat opened queue files read-write, where only
read access was needed. File: postcat/postcat.c.
19981129
Safety: added a sleep(1) to all fatal and panic exits.
File: util/msg.c.
19981201
Robustness: postcat now insists that a file starts with a
time record.
Consistency: added "-c config_dir" command-line options
where appropriate.
19981202
Man pages, on-line version.
19981203
Man pages, html version; overview documentation.
19981206
Sendmail silently accepted the unsupported -qRsite and
-qSsite options. It now prints an error message and
terminates.
Separated the contributed tree from the IBM code; moved
the LDAP and NEXTSTEP/OPENSTEP code to the contributed
source tree because obviously I didn't write it.
19981206-9
Had to write a postconf configuration utility in order to
reliably find out about all configuration parameters and
their defaults.
Documentation bugfixes by Matt Shibla, Scott Drassinower,
Greg A. Woods.
19981209
On machines with short hostnames, postconf -d cored while
reporting a fatal error. It should not report that error
in the first place. Thanks, Eilon Gishri.
Changed the FAQ entry about rejecting mail for *.my.domain
on a firewall. Chip Christian was right, I was wrong.
19981214
Portability: with GNU getopt, optind is not initially 1,
breaking an assumption in sendmail/sendmail.c. Liviu Daia.
Annoyance: on non-networked systems, don't warn that only
one network interface was found. File: global/inet_addr_local.c.
Reported by several.
Bugfix: on non-networked systems, the smtp client assumed
that it was running in virtual host mode, and would bind
to the loopback interface. File smtp/smtp_connect.c. Liviu
Daia, again.
19981220
Robustness: when looking up an A or MX record, do not give
up when the A query fails because of a server error. File
dns/dns_lookup.c. Reported by Scott Drassinower.
19981221
Bugfix: "bounce mail for non-existent virtual user" didn't
work when a non-default relay host was configured in main.cf
or in the transport table. File: qmgr/qmgr_message.c.
Bugfix: the maildrop directory should not be world-readable.
Files: conf/postfix-script, showq/showq.c.
Documentation: fixed several omissions and errors.
Documentation: removed references to the broken recipient
feature delimiter configuration parameter.
Bugfix: write mailbox file as the recipient, so that file
quota work as expected.
Bugfix: pickup would die when it tried to remove a non-file
in the maildrop directory (Jeff Wolfe).
19981222
Sendmail no longer logs the queue ID when it is unable to
notify the pickup daemon. This is a late addition to the
"unreadable maildrop queue" patch.
user.lock files are now created as root, so that postfix
needs no group directory write permission.
19981224
Security: allow queue file link counts > 1, to avoid
non-delivery of maildrop files with links to a non-maildrop
directory. Files: global/mail_open_ok.c, and anything
that calls this code (qmgr, pickup, showq). If multiple
hard links are a problem, see the set-gid "postdrop" utility
below.
19981225
Robustness: the queue manager no longer aborts when a queue
file suddenly disappears (e.g. because the file was removed
by hand).
Feature: when a writable maildrop directory is a problem,
sites can make the new "postdrop" utility set-gid. This
command is never used when the maildrop directory is
world-writable.
Robustness: make the queue file creation routine more
resistant against denial of service race attack. File:
global/mail_queue.c
19981226
New suid_priv module to enable/disable privileges in a
set-uid/gid program. In the end I decided to not use it.
19981228
Robustness: make the pickup daemon more resistant against
non-file race attack.
Cleanup: generic mail_stream.c interface for writing queue
file streams to files, daemons or commands. This simplifies
the code in smtpd and in sendmail that must be able to pipe
mail through the postdrop command. The cleanup daemon has
been modified to use the same interface. Result: less code.
Feature: smtpd now logs the only recipient in Received:
headers.
Feature: separate command and daemon directories. Both
default to $program_directory. Install conf/postfix-script
if you want to use this feature.
19981230
Patch to avoid conflict with non-writable top-level Makefile
(Lamont Jones).
19981231
Portability: port to UnixWare 7 by Ronald Joe Record, SCO.
19990104
Bugfix: fencepost (Jon Ribbens, Oaktree Internet Solutions
Ltd.) Files: quote_82[12]_local.c.
Bugfix: wrong default for relay_domains (Juergen Kirschbaum,
Bayerische Landesbank). File: mail_params.h.
Bugfix: changed 5xx response for "too may recipients" to
4xx. File: smtpd.c.
19990106
Feature: defer_transports specifies the names of transports
that should be used only when "sendmail -q" (or equivalent)
is issued. For example, "defer_transports = smtp" is useful
for sites that are disconnected most of the time. File:
qmgr_message.c.
19990107
Feature: local_command_shell specifies a non-default shell
for delivery to command by the local delivery agent. For
example, "local_command_shell = /some/where/smrsh -c"
restricts what may appear in "|command" destinations.
File: global/pipe_command.c.
19990112-16
Feature: SMTP command pipelining support based on an initial
version by Jon Ribbens, Oaktree Internet Solutions Ltd.
This one took several days of massaging before I felt
comfortable about it. Files: smtp.c, smtp_proto.c.
Bugfix: the SMTP server would flush responses one-by-one,
which caused suboptimal performance with pipelined clients.
The vstream routines now flush the write buffer when the
read() routine is called, instead of flushing when the
application changes from writing to reading. Delayed flush
prevents the SMTP server from flushing responses one-by-one
and thus triggering Nagle's algorithm. File: util/vstream.c.
19990117
Bugfixes and enhancements to the smtpstone tools by Drew
Derbyshire, Kendra Electronic Wonderworks: send helo command,
send message headers, format the message content to lines
< 80, work around NT stacks, make "." recognition more
robust. Files: smtp-source.c, smtp-sink.c.
Strategy: look at the deferred queue only when the incoming
queue is empty; limit the number of recipients read from
a queue file depending on the number of recipients already
in core. Files: qmgr.c, qmgr_message.c.
Feature: postponed anti-UCE restrictions. The decision to
reject junk mail on the basis of the client name/address,
HELO hostname or sender address can now be postponed until
the RCPT TO command (or HELO or MAIL FROM if you like).
File: smtpd_check.c.
19990118
Feature: incremental updates of alias databases and of
other lookup tables. Both postalias and postmap now take
a -i option for incremental updates from standard input.
Files: global/mkmap_*.c, post{map,alias}/post{map,alias}.c.
Compatibility: newaliases can now update multiple alias
databases: list them in the "alias_database" parameter in
main.cf. By the same token, postalias can now update multiple
maps in one command. Files: post{map,alias}/post{map,alias}.c
Feature: mail to <> is now sent to the address specified
with the "empty_address_recipient" configuration parameter
which defaults to MAILER-DAEMON (idea by Lamont Jones,
Hewlett-Packard). File: cleanup/cleanup_envelope.c.
Compatibility: the transport table now uses .domain.name
to match subdomains, just like sendmail mailer tables (patch
by Lamont Jones, Hewlett-Packard).
Feature: mailq now ends with a total queue size summary
(Eilon Gishri, Israel Inter University Computation Center).
19990119
Feature: address masquerade exceptions for user names listed
in the "masquerade_exceptions" configuration parameter.
File: cleanup/cleanup_masquerade.c.
Feature: qmail-style maildir support, based on initial code
by Kevin W. Brown, Quantum Internet Services Inc.
Workaround: Solaris 2.something connect() fails with
ECONNREFUSED when the system is busy (Chris Cappuccio,
Empire Net). File: global/mail_connect.c.
Feature: the cleanup service now adds a Return-Path: header
when none is present. This header is needed for some mail
delivery programs (see below). File: cleanup_message.c.
Feature: the pipe mailer now supports $user, $extension
and $mailbox macros in command-line expansions. This, plus
the Return-Path: header (see above), should be sufficient
to support cyrus IMAP out of the box. Based on initial
code by Joerg Henne, Cogito Informationssysteme GMBH.
File: pipe/pipe.c.
Bugfix: with address extensions enabled, canonical and
virtual lookups now are done in the proper order:
user+foo@domain, user@domain, user+foo, user, @domain.
File: global/mail_addr_find.c.
19990119
Feature: the local mailer now prepends a Received: message
header with the queue ID to forwarded mail, in order to
make message tracing easier. File: local/forward.c.
Cleanup: after "postfix reload", no more broken pipe
complaints from resolve/rewrite clients.
19990121
Feature: pickup (again) logs uid and sender address. On
repeated request by Scott Cotton, Internet Consultants
Group, Inc.
Portability: doze() function for systems without usleep().
Cleanup: clients are now consistently logged as host[address].
19990122
Maildir support changed: specify "home_mailbox = Maildir/".
The magic is the trailing /. Suggested by Daniel Eisenbud,
University of California at Berkeley.
Maildir support from aliases, :include: and .forward files.
Specify /file/name/ - the trailing / is required. Suggested
by Daniel Eisenbud, University of California at Berkeley.
Workaround: watchdog timer to prevent the queue manager
from locking up on some systems.
Bugfix: in Received: headers, the "for <recipient>"
information was in the wrong place. Pointed out by Jon
Ribbens, Oaktree Internet Solutions Ltd.
19990124
Portability: more workarounds for GNU getopt() by Liviu
Daia, Institute of Mathematics, Romanian Academy. File:
sendmail/sendmail.c.
19990125
Bugfix: Postfix should not masquerade recipient addresses
extracted from message headers. Problem reported by David
Blacka, Network Solutions. File: cleanup/cleanup_message.c.
19990126
Feature: smtpd_etrn_restrictions parameter to restrict who
may use ETRN and what domains may be specified. Example:
"smtpd_etrn_restrictions = permit_mynetworks, reject".
Requested by Jon Ribbens, Oaktree Internet Solutions Ltd.
File: smtpd/smtpd_check.c.
19990127
Bugfix: in an attempt to shave some cycles, the anti junk
mail routines would use the wrong resolved address. This
"optimization" is now turned off. Problem reported by Sam
Eaton, Pavilion Internet Plc. File: smtpd/smtpd_check.c.
Feature: BIFF notifications. For compatibility reasons
this feature is on by default. This "protocol" can be a
real performance pig. Specify "biff = no" in main.cf if
your machine has lots of shell users. Feature requested by
Dan Farmer - it's one of the things one does for friends.
Files: local/mailbox.c, local/biff_notify.c.
Bugfix: another case sensitivity problem, this time with
virtual lookups to recognize unknown@virtual.domain.
Problem reported by Bo Kleve, Linkoping University. File:
qmgr/qmgr_message.c.
19990128
Feature: with "soft_bounce = yes", defer delivery instead
of bouncing mail. This is a safety net for configuration
errors with delivery agents. It has no effect on errors in
virtual maps, canonical maps, or in junk mail restrictions.
Feature requested by Bennett Todd. File: global/bounce.c.
19990129
Compatibility: the qmail maildir.5 documentation prescribes
maildir file names of the form time.pid.hostname, which is
wrong because Postfix processes perform multiple deliveries.
Elsewhere the qmail author has documented how maildir files
should be named under such conditions. Postfix has been
changed to be conformant. File: local/maildir.c.
19990131
Feature: special treatment of owner-foo and foo-request
can be turned off. Specify "owner_request_special = no".
Requested by Matthew Green and others. Files: local/alias.c,
global/split_addr.c. This affects canonical, virtual and
alias lookups.
19990204
Portability: signal handling for HP-UX 9 by Lamont Jones
of Hewlett Packard. File: master/master_sig.c.
Robustness: disable random walk inside a per-site queue to
avoid message starvation under heavy load. File: qmgr_entry.c.
Robustness: under some conditions the queue manager could
declare a host dead after just one delivery failure. File:
qmgr_queue.c.
19990212
Feature: skip SMTP servers that greet us with a 4XX status
code. Example: "smtp_skip_4xx_greeting = yes". By default,
the Postfix SMTP client defers delivery when a server
declines talking to us. File: smtp/smtp_connect.c.
Robustness: upon startup the queue manager now moves active
queue files to the incoming queue instead of the deferred
queue, to avoid anomalous delivery delays on systems that
have a huge incoming queue. Files: qmgr/qmgr.c,
qmgr/qmgr_active.c, global/mail_flush.c, conf/postfix-script*
19990213
Robustness: added watchdog timers to avoid getting stuck
on systems with broken select() socket implementations.
File: qmgr_transport.c, qmgr_deliver.c.
19990218
Feature: NFS-friendly delivery to mailbox by avoiding the
use of root privileges as much as possible. With input by
Mike Muus, Army Research Lab, USA.
Feature: the smtp-sink test server now supports SMTP command
pipelining. To this end we had to generalize the timer and
vstream support. Poor performance is fixed 19990222.
Cleanup: timer event routines now have the same interface
as read/write event routines (event type + context). File:
util/events.c.
Feature: new vstream_peek() routine to tell how much unread
data is left in a VSTREAM buffer. This is the vstream
variant of the peekfd() routine for kernel read buffers.
File: util/vstream.c.
Feature: directory scanning support for hashed mail queue
directories. So far the results are disappointing: with
depth = 2 (16 directories with 16 subdirectories), mailq
takes 5 seconds with an empty queue unless all directories
happen to be cached in memory. We need a bit map before
hashed queue directories become practical. Depth=1 hashing
doesn't slow down mailq much, but doesn't help much either.
Files: util/scan_dir.c, global/mail_scan_dir.c.
19990221
Workaround: with "ignore_mx_lookup_error = yes", the SMTP
client always performs an A lookup when an MX lookup could
not be completed, rather than treating MX lookup failure
as a temporary error condition. Unfortunately there are
many broken DNS servers on the Internet. File: smtp/smtp_addr.c.
19990222
Performance: rewrote the guts of the smtp-sink test server
so it can do pipelining without losing performance.
19990223
Workaround: hotmail.com sometimes drops the connection
after "." (causing misleading diagnostics to be logged) or
waits minutes after receiving QUIT. Solution: do not wait
for the response to QUIT. File: smtp/smtp_proto.c. This
is turned off with: "smtp_skip_quit_response = no".
19990224
Feature: the pipe mailer accepts user=username:groupname,
based on code submitted by Philip A. Prindeville, Mirapoint,
Inc., USA. File: pipe/pipe.c.
Workaround: use file locking to prevent multiple processes
from select()ing on the same socket. This causes performance
problems on large BSD systems. Files: master/*_server.c.
19990225
Bugfix: with "inet_interfaces = 127.0.0.1", don't bind to
the loopback interface. Problem reported by Steve Bellovin
of AT&T. File: smtp/smtp_addr.c.
Feature: "postsuper" command to remove stale queue files
to update queues after changes to the queue structure
parameters (hash_queue_names, hash_queue_depth). This
command is to be run from the postfix-script maintenance
shell script.
19990301
Feature: new postconf -h (suppress `name = ' in output)
option to make the program easier to use in, e.g., shell
scripts.
Feature: dict_unix module so you can add the UNIX passwd
table to the SMTPD access control list.
19990302
Feature: "luser_relay = destination" captures mail for
non-existent local recipients. This works only when the
local delivery agent does mailbox delivery (including
delivery via mailbox_command), not when mailbox delivery
is delegated to another message transport.
Feature: new reject_non_fqdn_{hostname,sender,recipient}
restrictions to require fully.qualified.domain forms in
HELO, MAIL FROM and RCPT TO commands (while still allowing
the <> sender address).
19990304
Bugfix: backed out the 19990119 change to always insert
Return-Path: if that header is not present. The pipe and
local agents now are responsible for prepending Return-Path:.
Files: cleanup/cleanup_message.c, global/mail_copy.[hc],
pipe/pipe.c, global/header_opts.c. This causes an incompatible
change to the pipe flags parameter, because Return-Path:
now must be requested explicitly.
19990305
Bugfix: showq (the mailq server) incorrectly assumed that
all recipients of a deferred message are listed in the
corresponding defer logfile. It now lists all recipients.
Files: showq/showq.c, cleanup/cleanup_envelope.c (ensure
that sender records always precede recipient records).
Cleanup: smtpd HELO restrictions validate [numerical] forms.
Files: util/valid_hostname.c, smtpd/smtpd_check.c. Initial
code by Philip A. Prindeville, Mirapoint, Inc., USA.
19990306
Cleanup: re-vamped the valid_hostname module, and added a
maximal label length (63) requirement.
Feature: fallback_relay parameter to specify extra backup
hosts in case the regular relay hosts are not found or not
available. Files: smtp/smtp_addr.c.
Feature: "always_bcc = address" specifies where to send a
copy of each message that enters he system. However, if
that copy bounces, the sender will be informed of the
bounce. Files: smtpd/smtpd.c, pickup/pickup.c
Compatibility: the transport map will now route on top-level
domains, so you can dump all of .bitnet to a bitnet relay.
19990307
Feature: LDAP lookups, updated by Jon Hensley, Merit Network,
USA.
Feature: regular expression (PCRE) support by Andrew
McNamara, connect.com.au Pty. Ltd., Australia. In order to
use this code specify pcre:/file/name. You can use this
anywhere you would use a DB or DBM file, NIS or LDAP. See:
PCRE_README for how to enable this code.
Feature: "delay_warning_time = 4" causes Postfix to send
a "your mail is delayed" notice after approx. 4 hours.
Daniel Eisenbud, University of California at Berkeley.
Files: qmgr/qmgr_active.c, qmgr/qmgr_message. Postmaster
notices for delayed mail are disabled by default. In order
to receive postmaster notices, specify "notify_classes =
... delay ...".
Cleanup: do not send undeliverable bounced mail to postmaster.
This was causing lots of pain with junk mail from bogus
sender addresses to non-existent recipients. This change
was reversed 19990311.
19990308
Bugfix: the dotforward routine was too eager with throwing
away extension information, so that the Delivered-To: info
would differ for \mailbox and |command. Problem reported
by Rafi Sadowski, Open University, Israel.
Bugfix: seems I never got around to fix the btree access
method. I finally did. Problem reported by: Matt Smith,
AvTel Communications Inc., USA.
19990311
Back by popular demand: with "notify_classes = 2bounce ..."
Postfix will send undeliverable bounced mail to postmaster.
The default is to not send double bounces. This change
reverses a change made on 19990307.
19990312
Feature: configurable exit handler for server skeletons.
Philip A. Prindeville, Mirapoint, Inc., USA. Files:
master/*server.c.
Feature: mail_spool_directory configuration parameter to
specify the UNIX mail spool directory. The default setting
is system dependent.
19990313
Cleanup: share file descriptors for resolve and rewrite
client connections. This puts less strain on the trivial-rewrite
service.
Portability: support for UnixWare 2.1 by Dmitry E. Kiselyov,
Nizhny Novgorod City Health Emergency Station.
Feature: configurable delays in the smtpstone test programs.
With input by Philip A. Prindeville, Mirapoint, Inc., USA.
Files: smtpstone/*.c.
Bugfix: a "signal 11" problem in the trivial-rewrite program
that would occasionally happen after "postfix reload".
Reason: some rewrite clients would clobber their input,
and when they had to retransmit the query, the input would
be a zero-length string, which trivial-rewrite isn't supposed
to receive.
19990314
Feature: "mailbox_transport = cyrus" delegates all local
mailbox delivery to a master.cf entry called "cyrus" (the
same trick for procmail), including users not found in the
UNIX passwd database. This gives the flexibility of $name
expansions by the pipe mailer, without losing local aliases
and ~/.forward processing. Result of discussions with Rupa
Schomaker, RS Consulting.
19990315
Feature: the mydestination parameter can now be an empty
string, for hosts that don't receive any mail locally. Be
sure to specify a default route for mail that comes to the
machine or mail will loop.
19990316
Bugfix: the SMTPD check scaffolding didn't apply the same
sanity checks as the production code. Problem reported by
Alain Thivillon, Herve Schauer Consultants, France. File:
smtpd/smtpd_check.c.
Portability: some systems can have more than 59 seconds in
a minute. Based on a fix by Liviu Daia, Institute of
Mathematics, Romanian Academy. File: global/mail_date.c.
Enhancement: include the client network address in the
rejected by RBL response. Lamont Jones, Hewlett-Packard.
Workaround: use fstat() to figure out if the maildrop is
world-writable. access() uses the real uid, which stinks.
Robustness: don't do partial address lookups (user@, domain,
user, @domain) with regexp-style tables.
Security: don't allow regexp-style tables to be used for
aliases. It would be too easy to slip in "|command" or
:include: or /file/name.
19990317
Feature: "fallback_transport = cyrus" delegates non-UNIX
recipients to a master.cf entry called "cyrus", allowing
you to have both UNIX and non-UNIX mailboxes side by side.
19990319
Workaround: on 4.4 BSD derivatives, fstat() can return
EBADF on an open file descriptor. Now, that was a surprise.
This caused std{out,err} from cron commands to not be
delivered.
Bugfix: "local -v" stopped working.
Workaround: more watchdog timers for postfix-unfriendly
systems. By now every Postfix daemon has one. Call it life
insurance.
Robustness: increased the maximal time to receive or deliver
mail from $ipc_timeout (default: 3600 seconds) to the more
generous $daemon_timeout (default: 18000 seconds). We don't
want false alarms.
Portability: IRIX 5.2 does not have usleep().
19990320
Bugfix: \username was broken. Frank Dziuba was the first
to notice.
19990321
Workaround: from now on, Postfix on Solaris uses stream
pipes instead of UNIX-domain sockets. Despite workarounds,
the latter were causing more trouble than anything else on
all systems combined.
19990322
Portability: the makedefs would mis-identify IRIX 6.5.x as
IRIX 5.x. Fix by Brian Truelsen of Maersk Mc-Kinney Moller
Institute for Production Technology, Denmark.
Feature: reject_unknown_recipient_domain restriction for
recipient addresses. For the sake of symmetry, we now also
have reject_unknown_sender_domain. This means the old
reject_unknown_address restriction is being phased out.
Suggested by Rask Ingemann Lambertsen, Denmark Technical
University.
Feature: unknown sender/recipient domain restrictions now
distinguish between soft errors (always: 450) and hard
errors (configurable with the unknown_address_reject_code
parameter, default: 450; use 550 at your own risk).
Feature: no HELO junk mail restrictions means that no syntax
check will be done on HELO/EHLO hostname arguments.
Bugfix: the initial Solaris workaround for UNIX-domain
sockets could cause the queue manager to block if Postfix
ran into a delivery agent process limit. After another code
rewrite that problem is eliminated. Thanks to Chris
Cappuccio, Empire Net, for assistance with testing.
19990323
Bugfix: too much forwarding when users list their own name
in their .forward file (e.g. mail to user@localhost would
go through .forward, would be forwarded to user@$myorigin,
and would go through .forward again). Problem reported by
Roman Dolejsi, Prague University of Economics.
19990324
Bugfix: missing map name in check_xxx_access restrictions
could cause a segmentation error. Lamont Jones, Hewlett-
Packard.
Feature: forward_path configuration parameter (default:
$home/.forward$recipient_delimiter$extension,$home/.forward).
Based on initial code by Philip A. Prindeville, Mirapoint,
Inc., USA. Files: local/dotforward.c.
19990325
Workaround: Solaris NIS alias maps need special entries
(YP_MASTER_NAME, YP_LAST_MODIFIED). What's worse, normal
keys/values include a null byte at the end, but the YP_XXX
ones don't. Problem reported by Walcir Fontanini, state
university of Campinas, Brazil. File: postalias/postalias.c.
Compatibility: Solaris NIS apparently does include a null
byte at the end of keys and values. File: util/sys_defs.h.
Feature: library support for config parameters that are
not $name expanded at program start-up. This was needed
for forward_path, and will also be needed to make message
headers customizable.
Bugfix: pcre didn't handle \\ right. Lamont Jones, Hewlett-
Packard. File: util/dict_pcre.c.
19990326
Compatibility: Postfix now puts two spaces after the sender
in a "From sender date..." header. Found by John A. Martin,
fixed by Lamont Jones, Hewlett-Packard.
Bugfix: when a recipient appeared multiple times in a local
alias or include expansion, the delivery status could be
left uninitialized, causing the mail to be deferred and
delivered again. File: local/recipient.c.
19990327
Cleanup: the dictionary routines now take an extra flag
argument to control such things as warning about duplicates,
and appending null bytes to key/value. The latter was needed
for a clean implementation of NIS master alias maps support.
Feature: POSIX regular expressions by Lamont Jones. See
config/sample-regexp.c. Right now, enabled on *BSD and
LINUX only.
19990328
Code cleanup: dictionaries now have flags that say whether
lookup keys are fixed strings or whether keys are subjected
to pattern matching. This is needed to avoid passing partial
addresses to regexp-based lookup tables (user, @domain,
user@, domain). Files: util/dict*.c.
Bugfix: fixed memory leaks and core dumps in the regexp
and pcre routines (neither handled an empty pattern file).
19990329
Code cleanup: the dictionary I/O routines now do their own
locking depending on dictionary flag settings. This means
that the low-level dict_get() interface can now be used
for safe dictionary lookups. This is needed for 19990328's
partial lookup key support. Files: util/dict*.c. global/maps.c.
Feature: regular expression matches are no longer limited
to user@domain address forms in access/canonical/virtual
maps, but can also be used for domains in transport maps.
This needed the partial lookup key support to avoid passing
partial addresses to regexp-based lookup tables (user,
@domain, user@, domain). Files: global/maps.c
global/mail_addr_find.c.
Feature: new dictionary types can be registered with
dict_open_register(). File: util/dict_open.c.
19990330
Bug fix: match_list membership dictionary lookups were case
sensitive when they should not. Patch by Lutz Jaenicke,
BTU Cottbus, Germany.
19990402
Feature: $domain macro support in forward_path. Philip A.
Prindeville, Mirapoint, Inc., USA. File: local/dotforward.c.
Feature: if an address extension (+foo) is explicitly
matched by the .forward+foo file name, do not propagate
the extension to recipient addresses. This is more consistent
with the way aliases are expanded. File: local/dotforward.c.
19990404
Bugfix: after receiving mail, the SMTP server didn't reset
the cleanup error flag, so that multiple deliveries over
the same SMTP session could fail due to errors with previous
deliveries. Found by Lamont Jones, Hewlett-Packard.
19990405
Feature: MIME-encapsulated bounces. Philip A. Prindeville,
Mirapoint, Inc., USA. File: bounce/bounce_notify_service.c
Cleanup: vstreams now properly look at the EOF flag before
attempting to read, eliminating the need for typing Ctrl-D
twice to test programs; the EOF flag is reset after each
unget or seek operation. Files: util/vstream.c, util/vbuf.c.
Feature: in preparation for configurable message headers
the mac_parse() routine now balances the parentheses in
${name} or $(name). We need this in order to support
conditional expressions such as ${name?text} where `text'
contains other ${name} expressions.
19990406
Cleanup: changed MIME header information to make bounces
more RFC 1892 compliant.
19990407
Feature: "best_mx_transport = local" delivers mail locally
if the local machine is the best mail exchanger (by default,
mail is bounced with a "mail loops back to myself" error).
Config: in order to make feature tracking easier the source
code distribution now has a copy of the default settings
in conf/main.cf.default.
Feature: separate configurable postmaster addresses for
single bounces (bounce_notice_recipient), double bounces
(2bounce_notice_recipient), delayed mail (delay_notice_recipient),
and for other mailer errors (error_notice_recipient). The
default for all is "postmaster".
19990408
Workaround: on Solaris 2.x, the master appears to lose its
exclusive lock on the master.pid file, so keep grabbing
the lock each time the master wakes up from select().
Robustness: don't flush VSTREAM buffers after I/O error.
This prevents surprises when calling vstream_fclose() after
truncating a mailbox to its original size.
Portability: on LINUX systems, if <db_185.h> exists, don't
look for <db/db.h>.
Workaround: specify "sun_mailtool_compatibility = yes" to
avoid clashes with the mailtool application. This disables
kernel locks on mailbox files. Use only where needed.
Portability: renamed readline to readlline, to avoid clashes
with mysql.
19990409
Bugfix: ignore temp queue files that aren't old enough.
Problem reported by Vivek Khera, Khera Communications, Inc.
Bugfix: fixed typo in dict_db.c that caused processes to
not release DB shared locks.
Feature: auto-detection of changes to DB or DBM lookup
tables. This avoids the need to run "postfix reload" after
change to the smtp access table and other tables.
Feature: regular expression checks for message headers.
This requires support for POSIX or for PCRE regular
expressions. Specify "header_checks = regexp:/file/name"
or "header_checks = pcre:/file/name", and specify
"/^header-name: badstuff/ REJECT" in the pattern file
(patterns are case-insensitive by default). Code by Lamont
Jones, Hewlett-Packard. It is to be expected that full
content filtering will be delegated to an external command.
19990410
Bugfix: auto-detection of changes to DB or DBM lookup tables
wasn't done for TCP connections.
19990410
Feature: $recipient expansion in forward_path. Philip A.
Prindeville, Mirapoint, Inc., USA. File: local/dotforward.c
Feature: the smtp client consistently treats a numerical
hostname as an address. File: smtp/smtp_addr.c.
19990414
Compatibility: support comment lines starting with # in
$mydestination include files. This makes Postfix more
compatible with sendmail.cw files. File: util/match_list.c.
Feature: if your machines have short host names, specify
"mydomain = domain.name", and you no longer have to specify
"myhostname = host.domain.name". Files: global/mail_params.c,
postconf/postconf.c.
19990420
Cleanup: bounce mail when a mailbox goes over file quota,
instead of deferring delivery. File: local/mailbox.c.
19990421
Feature: auto-detection of changes to DB or DBM lookup
tables now includes the case where a file is unlinked.
Philip A. Prindeville, Mirapoint, Inc., USA. File:
util/dict.c.
19990422
Robustness: Lotus mail sends MAIL FROM: <@> instead of <>.
Problem reported by Erik Toubro Nielsen, IFAD, Denmark.
Files: trivial-rewrite/rewrite.c (@ becomes empty address)
and global/rewrite_clnt.c (allow empty response).
Bugfix: showq could segfault when writing to a broken pipe.
Problem reported by Bryan Fullerton, Canadian Broadcasting
Corporation. Files: util/vbuf_print.c.
Cleanup: got rid of the "fatal: write error: Broken pipe"
message when mailq output is piped into a program that
terminates early.
Cleanup: bounce messages are multipart/mixed with the error
report as part of the first message segment, because users
had trouble extracting the delivery error report from the
attachment.
19990423
Cleanup: the default junk mail reject code is now 554
(service unavailable) rather than 550 (user unknown).
Folded in the updated dict_ldap.c module by John Hensley,
Merit Network, USA.
Folded in the vstream_popen.c updates by Philip A.
Prindeville, Mirapoint, Inc., USA. This copies a lot of
code from pipe_command(); the next step is to trim that
module.
19990425
Workaround: renamed config.h to mail_conf.h etc. in order
to avoid name collisions with LINUX (yes, they have a system
include file called config.h). For compatibility with people
who have written software for Postfix, there's a config.h
that aliases the old names to the new ones. That file will
go away eventually.
19990426
Feature: error mailer, in order to easily bounce mail for
specific destinations. In the transport table, specify:
"host.domain error:host.domain is unavailable". Too bad
that the transport table triggers on destination domain
only; it would be nice to bounce specific users as well.
19990427
Cleanup: "disable_dns_lookups = yes" now should disable
all DNS lookups by the SMTP client.
19990428
Bugfix: with DBM files, Postfix was watching the "dir" file
modification time for changes. It should be watching the
"pag" file instead.
19990429
Cleanup: all callbacks in the master to server API now pass
on the service name and the application-specific argument
vector. Files: master/*server.c.
19990504
Feature: conditional macro expansion. ${name?text} expands
to text when name is defined, otherwise the result is empty.
${name:text} expands to text when name is undefined,
otherwise the result is empty. File: util/mac_expand.c.
Feature: conditional macro expansion of the forward_path
configuration parameters of $user, $home, $shell, $recipient,
$extension, $domain, $mailbox and $recipient_delimiter.
Files: local/dotforward.c, local/local_expand.c.
19990506
Cleanup: eliminated misleading warnings about unknown HELO
etc. SMTPD restrictions when the HELO etc. information is
not available. File: smtpd/smtpd_check.c.
19990507
Feature: all smtpd reject messages now contain the MAIL
FROM and RCPT TO addresses, if available.
19990508
Feature: conditional macro expansion of the luser_relay
configuration parameter. It is no longer possible to specify
/file/name or "|command" destinations. File: local/unknown.c.
Cleanup: changed the mac_parse interface so that the
application callback routine can return status information.
Updated the dict_regexp and dict_pcre modules accordingly.
Cleanup: changed the mac_expand interface so that the caller
provides an attribute lookup routine, instead of having to
provide a copy of all attributes upfront. Files:
util/mac_expand.c, local/local_expand.c.
Feature: control over how address extensions are propagated
to other addresses. By default, propagation of unmatched
address extensions is now restricted to canonical and
virtual mappings. Specify "propagate_unmatched_extensions
= canonical, virtual, alias, forward, include" to restore
previous behavior.
19990509
Feature: USER, EXTENSION, DOMAIN, RECIPIENT (entire address)
and MAILBOX (address localpart) environment variables are
exported to shell commands (including mailbox_command).
Feature: new command_expansion_filter parameter to control
what characters may appear in message attributes that are
exported via environment variables.
Cleanup: SMTPD reject messages are more informative, and
more complete sender/recipient information is logged for
the local sysadmin.
19990510
Bugfix: missing MIME header in postmaster bounce notices.
Found by Samuel Tardieu, Ecole Nationale Superieure des
Telecommunications, France.
Feature: UCE restrictions are always delayed until RCPT
TO, VRFY or ETRN. To change back to the default specify
"smtpd_delay_reject = no" in /etc/postfix/main.cf.
Bugfix: missing duplicate filter call. This caused too many
deliveries when a user is listed multiple times in an alias.
Reported by Hideyuki Suzuki, School of Engineering, University
of Tokyo. Backed out on 19990512 because it caused problems.
Fixed 19990513 but needs further study.
Feature: it is now possible to move queue files back into
the maildrop queue, so that they can benefit from changes
in canonical and virtual mappings. In order to make this
possible, some restrictions on queue file contents were
relaxed. Files: pickup/pickup.c, cleanup/cleanup_extracted.c.
Feature: made a start with integrating Joerg Henne's
dictionary extensions to remove entries and to iterate over
entries. That code is almost four months old by now.
19990511
Feature: added a "undeliverable postmaster notification
discarded" warning when mail is dropped on the floor.
Requested by Michael Hasenstein, SuSE, Germany.
19990517
Bugfix: reject_non_fqdn_sender/recipient would pass
user@[ip_address] regardless of destination. Eric Cholet
had the honor of suffering from this one.
19990527
More SMTP client logging for easier debugging: the smtp
client now logs hostname[ip.addr], and logs every failed
attempt to reach an MX host, not just the last one.
19990601
Bugfix: emit a blank line before a MIME boundary; the line
is part of the boundary. File: bounce/bounce_notify_service.c.
Wolfgang Segmuller, IBM Research.
19990610
Bugfix: the "is this the loopback interface" test was
broken. Reported by Claus Fischer @microworld.com. File:
smtp/smtp_connect.c.
Usability: added helpful warnings about restrictions that
are being ignored after check_relay_domains, etc.
Portability: Reliant Unix support by Gert-Jan Looy, Siemens,
the Netherlands.
19990611
Robustness: the postfix-script start-up procedure now
detects a missing master program, avoiding misleading
warnings that the mail system is already running. Fix
suggested by David E. Smith @technopagan.org.
Portability: Mac OS X Server Port by Mark Miller @swoon.net.
Feature: on systems that use dotlock files for mailbox
locking, the local delivery agent now will attempt to use
dotlock files when delivering to user-specified files.
Dotlock files for user-specified destinations are created
with the privileges of the user. For backwards compatibility,
Postfix will attempt to create dotlocks for user-specified
destinations only when the user has parent directory write
permission.
Feature: specify "expand_owner_alias = yes" in order to
use the right-hand side of an owner- alias, instead of
using the left-hand side address. Needed by Juergen Georgi.
19990622
Bugfix: the local delivery agent did not set user attributes
when delivering to root, so that forward_path did not expand
properly. Found by Jozsef Kadlecsik, KFKI Research Institute
for Particle and Nuclear Physics, Hungary. File:
local/dotforward.c.
Bugfix: the unix:passwd.byname mechanism is not suitable
for smtpd access control - the user name would have to end
in @, or the access control software would have to be
changed. Removed the example from the RELEASE_NOTES file.
19990623
Bugfix: the smtp server did not reset the error flag after
".". Found by James Ponder, Oaktree Internet Solutions Ltd.
File: smtpd/smtpd.c.
Bugfix: fencepost error in the doze() routine (an usleep()
replacement for systems without one). Found by Simon J
Mudd. File: util/doze.c.
19990624
Portability: support for AIX 3.2.5 (!) by Florian Lohoff
@rfc822.org.
Portability: Ultrix 4.3 support by Christian von Roques
@pond.sub.org.
Feature: mysql support by Scott Cotton and Joshua Marcus,
Internet Consultants Group, Inc. Files: util/dict_myqsl.*.
19990627
Bugfix: Postfix is now distributed under the new IBM Public
License (version 1, dated June 14, 1999).
Feature: the Delivered-To: header can be turned off for
delivery to command or file/mailbox. The default setting
is: "prepend_delivered_header = command, file, forward".
Turning off the Delivered-To: header when forwarding mail
is not recommended.
19990628
Feature: the postlock command now returns EX_TEMPFAIL when
the destination file is locked by another process.
19990705
Workaround: in the SMTP client, move the "mail loops back
to myself test" from the 220 greeting to the HELO response.
This change does not weaken the test, and makes Postfix
more robust against broken software that greets with the
client hostname.
19990706
Workaround: in the INSTALL file, use `&&' instead of `;'
in (cd path; tar ...) pipelines because some UNIX re-invented
shells don't bail out when cd fails. Matthias Andree
@stud.uni-dortmund.de.
19990709
Bugfix: $user was not set when delivering to a non-user.
Found by Vladimir Ulogov @ rohan.control.att.com when
configuring a luser_relay that contained $user.
19990714
Robustness: add PATH statement to Solaris2 chroot setup
script to avoid running the ucb commands. Problem found by
Panagiotis Astithas @ ece.ntua.gr.
19990721
Bugfix: don't claim a "mail loops to myself" error when
the best MX host was not found in the DNS. Found by Andrew
McNamara, connect.com.au Pty Ltd. File: smtp/smtp_addr.c.
19990810
Feature: added "-c config_dir" support to the postconf
command. This probably means that "-f file" will never be
implemented.
19990812
Bugfix: showq didn't print properly when listing a maildrop
file. Fix by: Andrew McNamara, connect.com.au Pty Ltd.
File: showq/showq.c.
Feature: added SENDER to the list of parameters exported
to external commands. File: local/command.c. Code by: Lars
Hecking, National Microelectronics Research Centre, Ireland.
19990813
Bugfix: sendmail -t (extract recipients from headers) did
not work when the always_bcc feature was turned on. Reported
by: Denis Shaposhnikov @ neva.vlink.ru.
19990813
Bugfix: "sendmail -bd" returns a bogus exit status (the
child process ID). Fix by Lamont Jones of Hewlett-Packard.
File: sendmail/sendmail.c.
19990824
Bugfix: null pointer dereference while rejecting VRFY before
MAIL FROM. Found by Laurent Wacrenier @ fr.clara.net.
19990826
Portability: more MacOS X Server patches; some NEXTSTEP/OPENSTEP
code that had been removed for the first public beta release;
NEXTSTEP/OPENSTEP now defaults to netinfo for the aliases
database. Submitted by Gerben Wierda.
Portability: workaround for a FreeBSD 3.x active network
interface without IP address by Pierre Beyssac @ enst.fr.
File: inet_addr_local.c.
19990831
Workaround: sendmail now prints a warning when installed
set-uid or when run by a set-uid command. Reportedly, the
linuxconf software turns on the set-uid bit, which could
open up a security loophole. File: sendmail/sendmail.c.
Bugfix: Postfix daemons now temporarily lock DB/DBM files
while opening them, in order to avoid "invalid argument"
errors because some other process is changing the file.
Files: util/dict_db.c, util/dict_dbm.c.
Robustness: Postfix locks queue files during delivery, to
prevent duplicate delivery when "postfix reload" is
immediately followed by "sendmail -q". This involves a
change of the deliver_request interface: delivery agents
no longer need to open and close queue files explicitly.
Files: global/deliver_request.c, pipe/pipe.c, smtp/smtp.c,
local/local.c, qmgr/qmgr_active.c, qmgr/qmgr_message.c.
Feature: reject_unauth_destination SMTP recipient restriction
that rejects destinations not in $relay_domains. By Lamont
Jones of Hewlett-Packard. File: smtpd/smtpd_check.c.
Security: do not allow weird characters in the expansion
of $names that appear in $forward_path. Just like with
shell commands, replace bad characters in expansions by
underscores. Configuration parameter: forward_expansion_filter.
19990902
Documentation: added a sample postfix alias to the examples
in the INSTALL document and in the conf/aliases file.
Reminded by Simon J. Mudd @ alltrading.com.
19990903
Bugfix: in case of some error conditions the pickup daemon
could leak small amounts of memory.
19990905
Bugfix: no more "skipping further client input" warnings
when a message header is rejected.
Feature: reject_unauth_pipelining SMTP restriction that
rejects mail from clients that improperly use SMTP command
pipelining.
Robustness: the LDAP client by default no longer looks up
names containing "*". See the lookup_wildcards feature in
LDAP_README. Update by John Hensley.
Documentation: address masquerading with exceptions FAQ by
Jim Seymour @ jimsun.LinxNet.com.
Bugfix: mysql reconnect after disconnect by Scott Cotton
Internet Consultants Group, Inc. File: util/dict_myqsl.c.
Portability: the Postfix to PCRE interface now expects
version 2.08. Postfix is no longer compatible with PCRE
versions before 2.6.
19990906
Feature: INSTALL.sh script that makes Postfix installation
a bit less painful. This script can be used for installing
and for upgrading Postfix. It replaces files instead of
overwriting them, and leaves existing configuration and
queue files intact.
19990907
Bugfix: reject_non_fqdn_sender used the wrong test to see
if a sender address was given and could dump core. This
must have been broken ever since the UCE tests were moved
to the RCPT TO stage in 19990510.
Bugfix: check_sender_access was recognized as a valid
restriction name only if a sender had been specified.
19990908
Portability: Unixware has <sysexits.h> only after sendmail
is installed. Changed postlock.c to use global/sys_exits.h.
19990909
Performance: added one-entry cache to the address rewriting
client and to the address resolving client. This is because
UCE restrictions tend to produce the same query repeatedly.
Files: global/rewrite_clnt.c, global/resolve_clnt.c.
Feature: the UCE restrictions are now fully recursive so
you can have per-client/helo/sender/recipient restrictions.
Instead of OK, REJECT or [45]xx, you can specify a sequence
of restrictions on the right-hand side of an SMTPD access
table. This means you can no longer use canonical/virtual/alias
maps as SMTPD access tables. But the loss is compensated
for. File: smtpd/smtpd_access.c.
Feature: restriction classes, essentially a short-hand for
restriction lists. These short hands are useful mostly on
the right-hand side of SMTPD access tables. You must use
restriction classes in order to have lookup tables on the
right-hand side of an SMTPD access table. File:
smtpd/smtpd_access.c.
Feature: "permit_recipient_map maptype:mapname" permits a
recipient address when it matches the specified table.
Lookups are done just as with canonical/virtual maps. With
this, you can also use passwd/aliases as SMTPD access maps.
File: smtpd/smtpd_access.c.
19990910
Changed "permit_address_map" into "permit_recipient_map"
and added a test for the case that they specify a lookup
table on the right-hand side of an SMTPD access map. File:
smtpd/smtpd_access.c.
Cleanup: removed spurious sender address checks for <>.
File: smtpd/smtpd_check.c.
Cleanup: the smtp client now consistently logs host[address]
for all connection attempts.
19990919
Feature: in an SMTPD access map, an all-numeric right-hand
side now means OK, for better cooperation with out-of-band
authentication mechanisms.
19990922
Security: recipient addresses must not start with '-', in
order to protect external commands. The old behavior is
re-instated when main.cf specifies: "allow_min_user =
yes". Credits to Mads Kiilerich @ Kiilerich.com. File:
qmgr/qmgr_message.c.
Bugfix: after 19990831, the queue manager would throw away
defer logs after deferring mail to known-to-be-dead hosts
or message transports. This means that in some cases, mailq
would not show why mail is delayed, and that delayed mail
could be sent back with recipients missing from the error
report. Reported by Giulio Orsero @ tiscalinet.it.
19990923
Bugfix: the above bugfix broke bounces of mail with bad
address syntax and relocated users. Problem diagnosed by
Dick Porter @ acm.org.
Documentation: added DO NOT EDIT THIS FILE. EDIT MAIN.CF
INSTEAD notices to the sample-xxx.cf files.
19991007
Compatibility: ignore the sendmail -U (initial user
submission) option. Thomas Quinot @ cuivre.fr.eu.org.
19991103
Code cleanup: don't send postmaster notifications when an
SMTP client sends a DATA command while no recipients were
accepted. This can happen when a pipelined client runs
into an UCE block. File: smtpd/smtpd.c.
19991104
Robustness: do not apply UCE header checks to mail that is
generated by Postfix (bounces, forwarded mail etc.). Files:
smtpd/smtpd.c, pickup/pickup.c, cleanup/cleanup_message.c.
Robustness: new generic watchdog module that can deal with
clocks that jump occasionally. Files: util/watchdog.c,
master/master.c, master/{single,multi,trigger}_server.c.
This hopefully ends the false watchdog alarms that happen
when clocks are set or when laptops are resumed.
Code cleanup: BSMTP requires dot quoting as per RFC 821.
Based on code by Florian Lohoff @ rfc822.org. Files:
global/mail_copy.[hc], pipe/pipe.c.
19991105
Bugfix: the crufty code in inet_addr_local() did not find
IP aliases. File: util/inet_addr_local.c.
Portability: the INSTALL.sh utility did not find users or
groups in NIS or Netinfo tables. The script no longer
searches the /etc/passwd and /etc/group files. Instead it
now queries the unix:passwd.byname and unix:group.byname
maps. For this, a -q (query) option was added to postmap
(and to postalias, for symmetry). Files: util/dict_unix.c,
postalias/postalias.c, postmap/postmap.c, INSTALL.sh.
Bugfix: LDAP lookup timeout settings were ignored. Patch
by John Hensley. File: util/dict_ldap.c.
19991108
Bugfix: when doing a fresh install, INSTALL.sh didn't set
main.cf:mail_owner properly (Simon J. Mudd).
19991109
Bugfix: when doing a fresh install, INSTALL.sh no longer
worked (missing main.cf file). Fix: add "-c" argument to
the postmap commands (Lars Hecking @ nmrc.ucc.ie).
Documentation: removed spurious "do not edit" comments from
the sample pcre and regexp configuration files.
19991110-13
Code cleanup: greatly simplified the SMTPD command parser
and somewhat simplified the code that groks RFC 822-style
address syntax in MAIL FROM and RCPT TO commands.
New parameter: strict_rfc821_envelopes (default: no) to
reject RFC 822 address forms (with comments etc.) in SMTP
envelopes. By default, the Postfix SMTP server only logs
a warning.
19991113
Oops, also updated the SMTP VRFY code in the light of
changes to the SMTPD command parser.
Cleanup: the local delivery agent now explicitly rejects
recipients with an empty username.
19991114
Workaround: with some gawk versions, postconf/extract.awk
reportedly returns a non-zero exit status upon success.
Added an explicit exit(0) statement.
19991115
Feature: DNS TXT record lookup support, based on initial
code by Simon J Mudd. File: dns/dns_lookup.c.
Feature: RBL TXT record lookups, based on initial code by
Simon J Mudd. File: smtpd/smtpd_check.c.
Feature: permit_auth_destination restriction based on code
by Jesper Skriver @ skriver.dk.
Code cleanup: the transport table now can override all
deliveries, including local ones.
19991116
Code cleanup: a new "local_transports" configuration
parameter explicitly lists all transports that deliver mail
locally. The first name listed there is the default local
transport. This is the end of the "empty next-hop hostname"
hack to indicate that a destination is local. Files:
trivial-rewrite/resolve.c, global/local_transport.[hc]
Feature: "postconf -m" shows what lookup table types are
available. Code by Scott Cotton, Internet Consultants
Group, Inc.
Feature: "postconf -e" edits any number of main.cf parameters.
The edit is done on a copy, and the copy is renamed into
the place of the original. File: postconf/postconf.c,
util/readlline.[hc].
19991117
Portability: SunOS 4 has no SA_RESTART. File: util/watchdog.c.
Feature: on systems with h_errno, the "reject_unknown_client"
restriction now distinguishes between soft errors (always
reply with 450) and hard errors (use the user-specified
reply code). This should lessen the load by broken mailers
that re-connect once a minute.
Feature: forward/reverse name/address check for SMTP client
hostnames. This fends off some hypothetical attacks by
spammers who are in control of their own reverse mapping.
Robustness: postconf no longer aborts when it can't figure
out the local domain name; it prints a warning instead.
This allows you to use "postconf -e" to fix the problem.
19991118
Bugfix: the RFC822 address parser would misparse a leading
\ as an atom all by itself. Problem reported by Keith
Stevenson @ louisville.edu. File: global/tok822_parse.c.
19991119
Bugfix: tiny memory leak in pipe_command() when fork()
fails. File: global/pipe_command.c.
19991120
Bugfix: reversed test for all-numerical results in SMTPD
access maps. File: smtpd/smtpd_check.c.
19991121
Robustness: INSTALL.sh no longer uses postmap for sanity
checks.
Feature: INSTALL.sh now has an install_root option.
Bugfix: INSTALL.sh now installs manual pages with proper
permissions and ownership.
Bugfix: the LDAP client did not properly escape special
characters in lookup keys (patch by John Hensley). File:
util/dict_ldap.c.
19991122
Bugfix: missing absolute path in INSTALL.sh broke fresh
install.
19991124
Bugfix: the local delivery agent's recipient duplicate
filter did not work when configured to use unlimited memory
(which is not a recommended setting). Patrik Rak @raxoft.cz.
19991125
Bugfix: postconf didn't have an umask(022) call at the
beginning (problem experienced by Matthias Andree).
19991126
Bugfix: DNS TXT records now have string lengths before text
(Mark Martinec @ nsc.ijs.si).
19991127
Update: the LDAP client code now supports escapes as per
RFC2254 (John Hensley).
19991207
Performance: one message with many recipients no longer
stops other mail from being delivered. The queue manager
now frees in-memory recipients as soon as a message is
delivered to one destination, rather than waiting until
all in-memory destinations of that message have been tried.
Patch by Patrik Rak @ raxoft.cz. Files: qmgr/qmgr_entry.c,
qmgr/qmgr_message.c.
Performance: when delivering mail to a huge list of
recipients, the queue manager now reads more recipients
from the queue file before delivery concurrency drops too
low. Files: qmgr/qmgr_entry.c, qmgr/qmgr_message.c.
19991208
Updated LDAP client code by John Hensley with escape
sequences as per RFC 2254. File: util/dict_ldap.c.
Updated MYSQL client code by Scott Cotton. File: dict_mysql.c.
Feature: added -N/-n options to include/exclude terminating
nulls in keys and values in postmap/postalias DB or DBM
files. Normally, Postfix uses whatever is appropriate for
the host system. A non-default setting can be necessary
for inter-operability with third-party software.
Bugfix: the local delivery agent would deliver to the user
instead of the .forward file when the .forward file was
already visited via some non-recursive path. Patch by Patrik
Rak @ raxoft.cz. Files: global/been_here.c, local/dotforward.c.
Robustness: attempt to deliver all addresses in the expansion
of an alias or .forward file, even when some addresses must
be deferred. File: local/token.c.
19991211
Performance: qmgr_fudge_factor controls what percentage of
delivery resources Postfix will devote to one message.
With 100%, delivery of one message does not begin before
delivery of the previous message is completed. This is good
for list performance, bad for one-to-one mail. With 10%,
response time for one-to-one mail improves much, but list
performance suffers. In the worst case, people near the
start of a mailing list get a burst of postings today,
while people near the end of the list get that same burst
of postings a whole day later. Files: qmgr/qmgr_message.c,
qmgr/qmgr_entry.c.
Bugfix: address rewriting would panic on a lone \ at the
end of a line where an address was expected. Jason Hoos @
thwack.net. File: global/rewrite_clnt.c.
19991215
Bugfix: the strict RFC821 envelope address check should
not be applied to VRFY commands. File: smtpd/smtpd.c.
Cleanup: permit_recipient_maps is gone, because that could
only be used inside UCE restrictions.
19991216
Feature: allow an empty inet_interfaces parameter, just
like an empty mydestination parameter. It's needed for true
null clients and for firewalls that deliver no local mail.
Feature: "disable_vrfy_command = yes" disables some forms
of address harvesting used by spammers.
Workaround: added the alias map parameter definition to
the smtpd code. This is a symptom of a general problem
with parameters that have non-empty default values: unless
a program explicitly defines such a parameter, the parameter
defaults to the empty string when used in other parameters.
There's also a problem with evaluation order.
Feature: the SMTP server rejects mail for unknown users in
virtual domains that are defined by Postfix virtual domain
files. File: smtpd/smtpd_check.c.
Feature: reject mail for unknown local users at the SMTP
port. The local_recipient_maps configuration parameter
specifies maps with all addresses that are local with
respect to $mydestination or $inet_interfaces. Example:
"local_recipient_maps = $alias_maps unix:passwd.byname".
This feature is disabled by default. You may have to copy
the passwd file into the chroot jail. File: smtpd/smtpd_check.c.
Feature: the sendmail -f option now understands '<user>'
and even understands address forms with RFC 822-style
comments.
19991217
Cleanup: no more UCE checks for VRFY commands. It still
reports unknown local/virtual users. File: smtpd/smtpd_check.c.
Robustness: upon Postfix startup, report discrepancies
between system files inside and outside the chroot jail.
Files: conf/postfix-script-nosgid, conf/postfix-script-sgid.
19991218
Cleanup: INSTALL.sh produces relative symlinks, which is
necessary when install_root is not /.
19991219
Documentation: completely reorganized the FAQ and added
many new entries. Rewrote the UCE html documentation.
Cleanup: INSTALL.sh uses a configurable directory for
scratch files, so that it can install from a file system
that is not writable by the super-user.
Cleanup: INSTALL.sh gives helpful hints when the "mv"
command is unable to move symlinks across file system
boundaries.
19991220
Cleanup: it is no longer necessary to list $virtual_maps
as part of the relay_domains definition. The SMTP server
now by default accepts mail for destinations that match
$inet_interfaces, $mydestination or $virtual_maps, whether
or not these are specified in relay_domains. We still need
the ugly "virtual.domain whatever" hack in the virtual
maps. Files: smtpd/smtpd_check.c and lots of documentation
and sample config files.
19991221
Removed cyrus -q flag (ignore quotas) from the sample
master.cf file.
19991223
Bugfix: smtpd should not check for unknown users when
running in stand-alone (sendmail -bs) mode. Problem
experienced by Chuck Mead. File: smtpd/smtpd.c.
Retraction: the "local_transports" configuration parameter
is gone. Adjusted code and documentation accordingly.
Instead, use just one "local_transport" parameter with the
name of the default local transport. Files: smtpd/smtpd_check.c,
qmgr/qmgr_message.c, trivial-rewrite/ resolve.c, local/resolve.c.
Feature: Postfix SMTPD now insists that the smtpd recipient
restrictions contain at least one restriction that by
default rejects mail. This should make it much more difficult
to change Postfix into an open relay. File: smtpd/smtpd_check.c.
Retraction: null-length inet_interfaces is too confusing.
19991224
Bugfix: the relative symlink code in INSTALL.sh computed
the ../ prefix from the wrong pathname.
1999122[5-7]
Feature: "allow_untrusted_routing = no" (default) prevents
forwarding of source-routed mail from untrusted clients to
destinations that are blessed by the relay_domains parameter
(example: user@domain2@domain1 etc.). This plugs a mail
relay loophole where a backup MX host forwards junk mail
to a primary MX host which forwards the junk to the Internet.
Files: global/quote_822_local.c, smtp/quote_821_local.c,
trivial-rewrite/rewrite.c, trivial-rewrite/resolve.c,
smtp/smtpd_check.c.
In order to make this possible, the Postfix resolver data
structure and protocol has changed, so that all resolver
clients need to be re-compiled.
Side effect from the above change: from now on, an address
with @ in the recipient localpart no longer bounces with
"user unknown" but instead is rejected with "relay access
denied" or "source-routed relay access denied".
19991227
Workaround: the BSD/OS "mkdir -p" and "cmp -s" commands
misbehave on boundary cases: directory exists or file does
not exist. Those who re-invent...
19991229
Added the no source routing info requirement to addresses
accepted by the permit_mx_backup UCE restriction.
19991230
Added a spawn daemon (not compiled and installed by default)
to enable LMTP delivery over UNIX-domain sockets. The goal
is to simplify the experimental LMTP delivery agent by
ripping out the privileged code that forks the LMTP server.
20000102
Clarified documentation after early feedback on the 19991231
release by Drew Derbyshire, Ollivier Robert, Khetan Gajjar.
Sanity check: a common error is to list Postfix virtual
domains in the mydestination parameter. This causes the
new optional local_recipient_maps feature to reject mail
for virtual users. The SMTP server now explicitly tests
for this common error and logs a warning instead of refusing
the mail. File: smtpd/smtpd_check.c.
20000104
Bugfix: a case sensitivity bug had slipped through in the
anti-relaying code, causing mail for USER@VIRTUAL.DOMAIN
to be rejected with "relay access denied". This was found
by Jim Maenpaa @ jmm.com.
Questionable feature: set "smtp_skip_5xx_greeting = yes"
to make Postfix more sendmail compatible, even though this
is wrong, IMNSHO. File: smtp/smtp_connect.c.
Portability: Ultrix patch from Simon Burge @ thistledown.com.au.
Portability: Siemens Pyramid (dcosx) patch by Thomas D.
Knox @ vushta.com.
Performance: FreeBSD has bidirectional pipes that are faster
than socketpairs. Anticipating on more platform-specific
optimizations, all duplex pipe plumbing is now isolated in
a duplex_pipe.c module that provides a system-independent
interface.
20000105
Cleanup: the INSTALL.sh script now updates the sample files
in /etc/postfix even when main.cf exists.
20000106
Bugfix: the SMTP server should consult the relocated map
for virtual destinations (Denis Shaposhnikov). Files:
smtpd/smtpd.c smtpd/smtpd_check.c.
20000108
Workaround: rename() over NFS can fail with ENOENT even
when the operation succeeds (Graham Orndorff @ WebTV). This
is not news. Any non-idempotent operation can fail over
NFS when the NFS server's acknowledgment is lost and the
NFS client code retries the operation (other examples are:
create, symlink, link, unlink, mkdir, rmdir). Postfix has
workarounds for the cases where this is most likely to
cause trouble. Files: util/sane_{rename,link}.[hc]. If
you want reliable mail system, do not use NFS.
20000115
Workaround: better detection of bad hardware. Added SIGBUS
to the list of signals that the master will log before
exiting.
20000122
Portability: preliminary SCO5 port Christopher Wong @
csports.com. This still needs to a workaround for "find"
not supporting "-type s" (actually, UNIX-domain sockets
have no unique representation in the file system and show
up as FIFOs).
20000115-22
Bugfix: in case of a too long message header, don't extract
recipients from message headers. With the previous behavior,
Bcc information could be left in the message body, as one
person found out the hard way. Files: cleanup/cleanup.c,
cleanup/cleanup_extracted.c, global/cleanup_user.h.
20000124
Whatever: RFC 1869 amends RFC 821 and specifies that code
555 is to be used when a MAIL FROM or RCPT TO parameter is
not implemented or not recognized. Russ Allbery @stanford.edu.
This reply code is added to the list of reply codes that
cause the Postfix SMTP client to mail a transcript to the
postmaster. File: smtp/smtp_trouble.c.
20000126
Emergency feature: qmgr_site_hog_factor (default: 90 percent)
limits the amount of resources that Postfix devotes to a
single destination. With less than 100, Postfix defers the
excess mail so that one site with a large backlog does not
block other deliveries. Files: qmgr/qmgr.c, qmgr/qmgr_message.c.
20000128
Cleanup: the queue manager no longer replaces the nexthop
field by the recipient localpart when a destination matches
$mydestination/$inet_interfaces. The price is the introduction
of a new parameter local_destination_recipient_limit which
defaults to 1 in order to maintain backwards compatibility.
Files: qmgr/qmgr.c, qmgr/qmgr_message.c.
20000129
Bugfix: extracted recipients were misfiled when a message
was moved back to the maildrop queue. But they still worked
due to a coincidence.
Feature: bounce_recip() bounces a recipient immediately
without accessing a bounce logfile. This is necessary for
VERP bounces, for bounces by delivery agents that change
the sender address, and for bounces that for some reason
must not use temporary logfiles. Files: global/bounce.c,
bounce/bounce_recip_service.c.
20000130
Bugfix: the too long header fix of 20000115-22 lost mail
with too long headers that didn't need to extract recipients
from message headers.
Bugfix: the too long header fix of 20000115-22 lost mail
without (blank line + message body).
Code rewrite: reorganized the cleanup daemon source code
so that the cleanup service can be called one record at a
time (see cleanup/cleanup_api.c); also got rid of the global
state variables and fixed a couple bugs that were introduced
with 20000115-22.
20000204
Feature: in daemon mode, the MAIL FROM size check can be
postponed until RCPT TO so that Postfix can log sender and
recipient. Simon J Mudd. Files: smtpd/smtpd.c
Robustness: limit the number of recipient addresses that
can be extracted from message headers. Parameter:
extract_recipient_limit (default: 10240). Files:
cleanup/cleanup_message.c, cleanup/cleanup_extracted.c.
Cleanup: the message header reject logging now includes
sender and recipient address (if possible), so that the
logging looks more like the other reject logging. File:
cleanup/cleanup_message.c.
Documentation: added sections on regular expression tables
to the access, canonical, virtual, transport and relocated
man pages, and write new man pages that are specific to
regular expressions: pcre_table.5 and regexp_table.5.
20000214
Bugfix: postconf reported some parameters more than once
because the parameter extracting script didn't recognize
lines that differ in whitespace only. File: postconf/extract.awk.
Reported by Kenn Martin.
20000221
Logging: the SMTP client now logs log host+port when it is
unable to connect to a non-MX host, just like it logs
host+port when unable to connect to an MX host.
20000226
Bugfix: the SMTP server's "User unknown" test didn't notice
LDAP etc. dictionary access errors. The code now reports
a 450 status (try again instead of bounce) if the reply is
not definitive. File: smtp/smtpd_check.c.
Robustness: the smtp-source program could stall when making
hundreds of parallel connections to a Postfix system with
only one SMTP server process. The fix is to use non-blocking
connect() calls, very carefully. File: smtpstone/smtp-source.c.
20000303
Feature: with smtp_always_send_ehlo the SMTP client will
send EHLO regardless of the content of the SMTP server's
greeting. File: smtp/smtp_proto.c.
20000304
Feature: DICT_FLAG_SYNC_UPDATE flag for synchronous dictionary
updates, if supported by the underlying mechanism. Files:
util/dict.h, util/dict_open.c, util/dict_db.c.
20000307
Cleanup: the manual pages in Postfix configuration files
no longer contain troff formatting codes. The text is now
generated from prototype files in a new "proto" subdirectory.
Requested by Matthias Andree @ stud.uni-dortmund.de.
20000308
Bugfix: the unused db and dbm "delete" routines would
clobber the per-dictionary flags when called before reading
or writing the table. Files: util/dict_dbm.c, util/dict_db.c.
Lutz Jaenicke @ aet.TU-Cottbus.DE.
Bugfix: the SMTP server would produce a cryptic message
when a queue file write error happened before it had written
any recipients. Keith Stevenson. File: smtpd/smtpd.c.
Robustness: the db and dbm "delete" routines didn't adjust
to dictionaries with/without one trailing null in lookup
keys and values. Did a complete rewrite of the routines.
Files: util/dict_db.c, util/dict_dbm.c.
Feature: specify "-d key" to postalias or postmap in order
to remove one key. This still needs to be generalized to
multi-key removal (read stdin?). Files: postmap/postmap.c,
postalias/postalias.c.
Test: added test targets for the dictionary delete operations.
Files: util/Makefile.in, util/dict_test.{c,in,ref}.
Feature: added data offset and recipient count fields to
the first queue file record output from the cleanup daemon.
The recipient counts provides an initial estimate for a
more advanced queue manager scheduling algorithm. Files:
cleanup/cleanup_envelope.c, cleanup/cleanup_extracted.c.
20000311
Portability: HP-UX awk can't handle bare { in regexps
(Lamont Jones. HP). File: postconf/extract.awk.
Compatibility: sendmail now recognizes '.' as end of input.
File: sendmail/sendmail.c.
20000313
Compatibility: dtcm (CDE desktop calendar manager) leaks
a file descriptor into its child process, and requires that
sendmail closes the descriptor, otherwise mail notification
will hang. These GUI programmers never figured out that
the child process must close the writing end of a pipe.
File: sendmail/sendmail.c.
20000314
Feature: SASL authentication in the SMTP server and client.
Based on code contributed by Till Franke, SuSE. Specify:
"smtpd_sasl_auth_enable = yes" and "smtp_sasl_auth_enable
= yes". The "permit_sasl_authenticated" UCE restriction
gives special treatment to authenticated clients.
20000315
Workaround: added -blibpath option for AIX 4.x, to close
hole in case postdrop needs to be set-gid.
20000320
Portability: FreeBSD 5.x added to the list of supported
systems (Mark Huizer).
20000323
Portability: INSTALL.sh looks if sendmail is in /usr/lib
rather than in /usr/sbin.
20000326
Bugfix: settings in one mysql configuration file would act
as the implicit defaults for the next one, which could be
confusing. Patch by Scott Cotton. File: util/dict_mysql.c.
Robustness: limit the number of "junk" commands that can
be issued in an SMTP session (ex.: NOOP, VRFY, ETRN, RSET).
Problem report by Michael Ju. Tokarev @ tls.msk.ru. Files:
global/mail_params.h, smtpd/smtpd.c.
20000413
Portability: more MacOS X patches by Gerben Wierda.
Bugfix: RFC 822 requires the presence of at least one
destination message header. The cleanup daemon now generates
a generic "To: undisclosed-recipients:;" message header
when no destination header is present. The header content
is specified with the undisclosed_recipients_header parameter.
Problem pointed out by Geoff Gibbs, UK-Human Genome Mapping
Project-Resource Centre.
20000416
Workaround: allow <(comment)> as SMTP MAIL FROM address.
20000417
The SASL authentication in the SMTP server and client works,
but only on Linux and Solaris, neither of which I wish to
run on my laptop.
20000418
Added LMTP support to the smtp-source and smtp-sink utilities
so that I don't have to install Cyrus IMAP just to test
LMTP.
20000419
Bugfix: removed the () from the tokenized representation
of RFC 822 comments, so that comments with \( or \) can be
unparsed correctly. Problem reported by Bodo Moeller.
20000423
Bugfix: mail_copy() could prepend > or . in the middle of
long lines. Found by code inspection.
20000427
New code: unescape module that translates C escape sequences
into their equivalent character values. File: util/unescape.c.
Feature: the pipe mailer now has a way to specify the output
record delimiter (for example, eol=\r\n). This is necessary
for transports that require CRLF instead of UNIX-style LF.
20000502
In order to support timeouts more conveniently, VSTREAMs
now have built into them the concept of timeout. Instead
of calling read() and write(), the low-level VSTREAM
interface now by default uses timed_read() and timed_write()
which receive a timeout parameter; vstream_ctl(stream,
VSTREAM_CTL_TIMEOUT...) sets the timeout deadline on a
stream, and vstream_ftimeout(stream) queries a stream for
timeout errors. This change simplified timeout handling
considerably. Files: util/vbuf.h, util/vstream.[hc],
global/smtp_stream.c, global/timed_ipc.c.
20000504
Added application context to VSTREAMs, which is passed on
transparently to application-provided read/write routines.
vstream_ctl(stream, VSTREAM_CTL_CONTEXT...) sets the context.
Files: util/vstream.[hc].
Added vstream_setjmp() and vstream_longjmp() support to
make exception handling more convenient. Turn on exception
handling with vstream_ctl(stream, VSTREAM_CTL_EXCEPT...).
Files: util/vstream.[hc].
Cleaned up the smtp_stream module further and got rid of
the global state that limited the use of this module to
one stream per process. Files: global/smtp_stream.[hc].
20000505
Bugfix: the SMTP server now flushes unwritten output before
tarpit delays, to avoid protocol timeouts in pipelined
sessions when a client causes lots of errors. Found by
Lamont Jones, HP. File: smtpd/smtpd_chat.c.
Finished the LMTP client, which is based on a modified
version of the SMTP client by Philippe Prindeville, Mirapoint,
Inc., later modified by Amos Gouaux, UTDallas, and then
Wietse ripped it all up again. Currently this talks LMTP
over TCP only.
Feature: override main.cf parameters in master.cf. Specify
"-o parameter=value" after the program name. This allows
you to selectively override myhostname etc. See also the
new smtp_bind_address parameter below.
20000506
Convenience: the LMTP and SMTP clients now append the local
domain to unqualified nexthop destinations. This makes it
more convenient to set up transport maps. Files:
lmtp/lmtp_addr.c, smtp/smtp_addr.c.
Sendmail compatibility: the Postfix SMTP client now skips
servers that greet the client with a 4xx or 5xx status
code. To disable, set both smtp_skip_4xx_greeting and
smtp_skip_5xx_greeting to "no".
20000507
Portability: NetBSD has migrated to /etc/mail/aliases. We
can expect to see this happen more often when systems start
shipping Sendmail 8.10. File: util/sys_defs.h
Updated LDAP code by John Hensley, with support for
dereferencing of LDAP aliases, which have nothing to do
with Postfix aliases.
Feature: "smtp_bind_address=x.x.x.x" specifies the source
IP address for SMTP client connections. Specify in master.cf
as "smtp -o smtp_bind_address=x.x.x.x" in order to give
different delivery agents different source addresses.
20000510
Cleanup: mailbox_transport did not work with the lmtp
delivery agent. This dates back to when Postfix used empty
nexthop information to indicate that a destination was
local. File: global/deliver_pass.c.
Bugfix: configuration parameters for one mysql dictionary
would become default settings for the next one. File:
dict_mysql.c. This patch was merged into Postfix a while
back but apparently that Postfix version was nuked when
other parts were redesigned. Update by Scott Cotton.
Bugfix: some Postfix delivery agents would abort on addresses
of the form `stuff@.' which could be generated only locally.
Found by Patrik Rak. File: trivial-rewrite/resolve.c.
Third-party Berkeley DB support for HP-UX by Lamont Jones.
File: makedefs.
20000511
Bugfix: Postfix would incorrectly reject domain names with
adjacent - characters. File: util/valid_hostname.c.
Bugfix: the 20000505 pipeline tarpit delay flush was wrong
and caused the client and server to get out of phase. Yuck!
20000513
Feature: VSTREAMs now have the concept of last fill/flush
time, which is needed to prevent timeouts with pipelined
SMTP sessions as detailed in the next item.
Bugfix: delayed SMTP command/reply flushing to prevent
sender delays from accumulating too much and causing timeouts
with pipelined sessions. For example, client-side delays
happen when a client does DNS lookups to replace hostname
aliases in MAIL FROM or RCPT TO commands; server-side delays
happen when an UCE restriction involves a time-consuming
DNS lookup, or when a server generates tarpit delays.
Files: lmtp/lmtp_proto.c, smtp/smtp_proto.c, smtpd/smtpd_chat.c.
Portability: define ANAL_CAST for compilation environments
that reject explicit casts between pointers and integral
types. File: util/sys_defs.h, master/*server.c. Upon closer
investigation, this turned out to be the result of someone's
compiler configuration preferences. Therefore the change
is likely to go away after a code cleanup.
20000514
Feature: mysql client support for multi-valued queries
(select email, email2 from aliastbl where username='$local')
By Loic Le Loarer @ m4x.org. File: util/dict_mysql.c.
Finalized the delayed SMTP command/reply flushing code in
the SMTP and LMTP clients after lots of testing and review.
20000520
Robustness: upon receipt of mail, map the mailer-daemon
sender address back into the magic null string. File:
cleanup/cleanup_envelope.c.
20000524
Bugfix: the code for masquerade_exceptions was case sensitive.
Reported by Eduard Vopicka. File: cleanup/cleanup_masquerade.c.
20000526
Feature: experimental queue manager by Patrik Rak with a
fancy pre-emptive scheduling algorithm that improves delivery
performance of mail with few recipients. This queue manager
is made available as "nqmgr".
20000528
Feature: the SMTP client SASL password file can contain
entries for destination domain names (the address remote
part) not just mail server hostnames. File: smtp_sasl_glue.c.
Feature: smtpd_sasl_local_domain parameter (default:
$myhostname) to specify the local SASL authentication realm.
File: smtpd_sasl_glue.c.
Feature: specify "body_checks=regexp:/file/name" for a very
crude one line at a time message body content filter. This
feature uses the same filtering syntax as the header_checks
feature. File: cleanup/cleanup_message.c. See also the
conf/sample-filter.cf file.
20000530
Feature: full content filtering through external software.
This uses existing interfaces for sending mail to the
external content filter and for injecting it back into
Postfix. Details in FILTER_README. Files: pickup/pickup.c,
smtpd/smtpd.c, qmgr/qmgr_message.c.
20000531
More SASL feedback by Liviu Daia, regarding the use of
authentication realms. File smtpd/smtpd_sasl_glue.c.
Added a simple shell-script based content filtering example
to the FILTER_README file.
Content filtering support for nqmgr by Patrik Rak. File:
nqmgr/qmgr_message.c.
Renamed "content inspection" etc. to "content filtering"
in anticipation of a new hook for content inspection that
only inspects mail without re-injecting it into Postfix.
20000601
Feature: limit the size of pipe mailer deliveries with the
size=nnn command-line attribute. Patch by Andrew McNamara.
20000603
Bugfix: don't try to do SASL authentication when running
in stand-alone (sendmail -bs) mode. Fix by Liviu Daia.
Bug: the unauthorized pipelining test fails with single
recipient mail when smtpd_delay_reject = yes.
20000617
Bugfix: conf/sample-ldap.cf was no longer up to date with
reality. Patch by Lamont Jones, HP.
Bugfix: the maildir delivery routine left temporary files
lying around after unsuccessful delivery (problem reported
by Brian Laughton @ Corp.Axxent.Ca).
20000621
AIX 4.x had POSIX regular expression support all the time
I was working on Postfix. Better find out late than never.
20000623
Bugfix: the SMTP server did not reset the so-called junk
command counter after successful delivery (Mark Hoffman @
wallst.com). File: smtpd/smtpd.c.
20000625
Cleanup: remove Content-Length from incoming mail. The
sender has no authority over the format of mail as stored
by the receiving system. File: global/header_opts.h.
Feature: rewrite Mail-Followup-To: as sender. Files:
global/header_opts.[hc].
Cleanup: rewrite Reply-To, Errors-To, Return-Receipt-To as
sender, so that address masquerading works as expected.
Files: global/header_opts.c.
Feature: specify "require_home_directory = yes" to prevent
mail from being delivered to a user whose home directory
is not mounted. File: local/dotforward.c.
Cleanup: the pipe deliver agent no longer appends a blank
line when the F flag (prepend From_ line) is specified.
Specify the B flag if you need that blank line. The local
delivery agent no longer appends a blank line to mail that
is delivered to external command. Files: pipe/pipe.c,
global/mail_copy.[hc].
20000708
Portability: support for NEXT/OPENSTEP requires extra
include file in util/watchdog.c (Masaki Murase).
20000715
Added macros to turn on vstream/vstring/etc. format string
checking by gcc, in addition to the checking that was
already implemented with printfck. File: util/sys_defs.h,
the macros for PRINTFLIKE and SCANFLIKE. Problem - unlike
the printfck tool, gcc finds format argument type mismatches
only in code that isn't #ifdef-ed out.
20000718
Robustness: make_dirs() now continues when a missing
directory is created by another process.
20000720
Feature: the queue manager now logs the number of recipients
when opening a queue file (a zero recipient count is logged
with older queue files). File: global/opened.c.
20000726
Robustness: added watchdog_pat() routine to keep the watchdog
quiet if a client stays connected for a lot of time. Files:
util/watchdog.[hc], smtpd/smtpd.c.
20000729
Robustness: if relayhost is specified but the host does
not exist, defer mail instead of bouncing it (which would
lose the mail if the bounce would have to be delivered to
that same non-existent relayhost). Problem reported by
Chris Cooper @ maths.ox.ac.uk. File: smtp/smtp_connect.c.
20000821
Feature: added -r (replace key+value) option to postalias
and postmap.
Cleanup: smtpd now replies with 555 when the client sends
unrecognized RCPT TO parameters, as required by RFC 1869
(problem report by Robert Norris @ its.monash.edu.au).
File: smtpd/smtpd.c.
20000822
Logging: the SMTP server's SASL code logs the authentication
method along with an authentication failure. Suggested by
Ronald F. Guilmette @ monkeys.com.
Workaround: some systems have file size resource limits
that cannot be represented with the off_t type that is used
by standard functions such as lseek(2). Problem reported
by Blaz Zupan @ amis.net.
20000823
Feature: all this discussion about when to reject mail and
when not made me decide to implement a TCP-based map type
so that it becomes relatively simple to implement dynamic
access controls, for example, hold off mail from an unknown
client or sender until we have completed some investigation,
after which we will either reject or accept.
However, this code is turned off until it is finished.
20000905
Robustness: the dns client now rejects malformed domain
names rather than depending on the DNS to report that the
name does not exist. Linux returns a rather misleading
server failure code as found out by Patrik Rak. File:
dns/dns_lookup.c.
20000911
Feature: added IGNORE keyword to header_checks and body_checks
to pretend that certain data does not exist. File:
cleanup/cleanup_message.c.
20000911
Bugfix: the SASL code did not allow MAIL FROM... AUTH=sender
without prior authentication. The RFC allows this, although
one wonders what the reasoning behind this is. File:
smtpd/smtpd_sasl_proto.c.
20000913
Bugfix: the rmail script did not handle remote UUCP systems
that send a from_ line with unqualified envelope sender.
Reported by Luciano Mannucci.
Compatibility: don't insert Sender: header lines. Sendmail
has not done so for at least 10 years, if it ever did.
Problem reported by Brad Knowles. File: cleanup/cleanup_message.c.
20000916
Bugfix: when propagating an address extension in a virtual
or canonical mapping, cleanup accesses memory that is no
longer allocated. This can happen when the result address
length is more than 100 characters. Problem reported by
Adi Prasaja @ satunet.com. File: global/mail_addr_crunch.c.
Bugfix: fixed a misleading error message when the cleanup
server reaches the queue file size limit. Fix by Robby
Griffin @ MIT.EDU. File: cleanup/cleanup_extracted.c.
20000917
Bugfix: postalias -i would complain about duplicate entries
for the Sendmail-compatible @ entry and for the NIS-compatible
YP_LAST_MODIFIED and YP_MASTER_NAME entries.
20000918
Gross hack: prevent looping on a bad recipient by always
forwarding recipients in :include: files to a new mail
delivery request, even when owner-listname is not set.
File: local/recipient.c.
20000919
Convenience: INSTALL.sh now imports default settings from
the process environment, in order to make scripting easier.
Robustness: INSTALL.sh now systematically skips over CVS,
RCS and SCCS cruft.
Portability: another fix for NEXTSTEP (Masaki MURASE).
File: util/spawn_command.h.
20000920
Cleanup: in a transport table entry, do not ignore port
numbers specified as [host]:port. In fact, this is now
becoming the preferred form, in order to avoid parsing
problems with IPV6 addresses. Postfix supports both forms,
but future versions will print a warning for the old form.
Problem reported by Claus Fischer @ werhats.at
Bugfix: missing initialization for state->sasl_method can
cause permit_sasl_authenticated to always succeed. Report
and fix by Lutz Jaenicke @ aet.TU-Cottbus.DE.
FAQ: added notes about how to delete, copy or restore queue
files in a safe manner.
20000921
File reorganization. No code change except Makefiles. All
sources are pushed down by one directory level to keep file
listings usable. Released as 20000922, so that I have a
reference to run "diff -cr against.
Bugfix: the spawn service was installed without man pages.
Portability: MacOSX hints and tips by Joe Block, University
of Central Florida School of Optics/CREOL
Portability: The MacOSX gcc compiler does not understand
the new printf_like/scanf_like attributes. File: util/sys_defs.h.
20000922
nqmgr update from Patrik Rak for the changed queue manager
to delivery agent protocol.
Lame feature: syslog_facility parameter to control where
syslogd sends Postfix logging (default: syslog_facility =
mail). However, errors during command-line parsing are
still logged with the default syslog facility, as are errors
while processing the main.cf file (surprise). Based on
code by Andrew McNamara.
20000923
Cleanup: new bounce logfile API so that Postfix can change
to an extensible bounce logfile format with per-recipient
sender addresses (needed for VERP and for reporting local
list delivery problems to the list owner) and other
attributes. File: global/bounce_log.[hc].
Cleanup: replaced the ad-hoc logfile parsing code in showq
by something that uses the generic bounce logfile API.
20000924
Feature: Postfix bounced mail and delayed mail notifications
now have the standard RFC 1894 form (DSN). The bounce
service now uses the generic bounce logfile API. File:
bounce/bounce_notify_service.c, bounce/bounce_notify_util.c.
Cleanup: deleted the per-recipient bounce protocol. Future
bounce logfiles will support per-recipient bounce addresses.
Files: global/bounce.c, bounce/bounce_recip_service.
20000925
Workaround: sendmail allows MAIL FROM and RCPT TO envelope
addresses like <the dude <dude@site>> so we will never get
rid of them. To disallow, specify "strict_rfc821_envelopes
= yes". File: smtpd/smtpd.c.
20000926-20001003
Feature: a "flush" server that keeps per-destination records
of deferred mail. It is the basis of a faster ETRN and
"sendmail -qRsite" implementation. This code was rewritten
half a dozen times.
20000928
Bugfix: the stricter dns_lookup() argument checks revealed
that Postfix was doing DNS lookups for domain literals
([ip.address]) when expanding aliases in MAIL FROM and RCPT
TO address parameters. Reported by Jim Littlefield. File:
smtp/smtp_unalias.c.
Documentation: added text on the biff=yes/no parameter to
conf/sample-local.cf (text provided by Paul Wagland,
relational-consultancy.com.
Robustness? Log errors from SASL library code as warnings
not as fatal errors. Files: smtp*/*glue.c.
20001001
Feature: in master.cf, specify ? after wakeup time to avoid
waking up services that aren't being used.
20001003
Feature: the fast flush refresh and purge time interval
parameters can now be specified in user-specified units by
providing an appropriate suffix: s (seconds), m (minutes),
h (hours), d (days), w (weeks). unit. This was needed so
that I could test the flush server code in a reasonable
way (its timeouts are normally specified in days or hours,
and I don't have that much time for testing). Other Postfix
time interval parameters will be migrated as time permits.
Files: conf/sample-flush.cf, global/mail_conf_time.c,
postconf/postconf.c.
Unfeature: qmgr_hog_factor is now disabled by default. It
was just too confusing. If you don't know what this means,
do not worry.
20001005
Cleanup: after "postfix reload" do not penalize mail that
was in the active queue, but make it ready for immediate
delivery so that ETRN etc. works as intended. Files:
*qmgr/qmgr.c, *qmgr/qmgr_active.c.
Portability: Redhat 7 library interfaces have changed
incompatibly, which breaks existing software. File makedefs.
Consistency: the fallback_relay parameter did not understand
the [] or host:port syntax, and there was no way to suppress
MX record lookups. Files: smtp/smtp_addr.c, smtp/smtp_connect.c.
Convenience: you can now specify multiple SMTP destinations
in the relayhost or fallback_relay configuration parameters.
The specified destinations will be tried in the specified
order. File: smtp/smtp_connect.c.
Many typographical corrections by Matthias Andree.
20001024
Documentation: the canonical, virtual etc. manual pages
did not document the effect of leading whitespace.
20001025
Bugfix: virtual map expansion stopped too early with
self-referential aliases. Reported by Michael Douglass @
datafoundry.net. File: cleanup/cleanup_map1n.c.
20001026
Horror: postmap and postalias (newaliases) silently lose
the file lock while building a lookup table with Berkeley
DB 2.x and later on Solaris, HP-UX, IRIX, and UNIXWARE.
The result is that table lookups fail while the table is
being built, so that mail is lost. In order to avoid this
misbehavior one has to use an undocumented feature that is
NOT available with the DB1.85 compatibility interface.
Therefore, Postfix now supports three Berkeley DB programming
interfaces of increasing complexity. File: util/dict_db.c.
Bugfix: some character manipulations were not portable for
signed/unsigned characters. Files: global/quote_821_local.c,
global/quote_822_local.c.
Workaround: apparently, some software sends SMTP mail that
begins with "From sender time-stamp". Sendmail silently
ignores such RFC violating garbage, and therefore Postfix
needs to jump another hoop. File: smtpd/smtpd.c.
20001028
Bugfix: the flush server tried to access config files after
going to the chroot jail. Found by Lutz Jaenicke, TU-Cottbus.DE.
File: flush/flush.c.
Update: revised LDAP module from primary maintainer John
Hensley, with contributions from many other people. Files:
util/dict_ldap.c, LDAP_README.
Update: LINUX2 chroot setup script by Matthias Andree,
uni-dortmund.de.
Feature: specify unix:/path/name for LMTP connections over
UNIX-domain sockets, and specify inet:host or inet:host:port
for IPV4. If no unix: or inet: is specified, IPV4 is assumed.
File: lmtp/lmtp_connect.c.
Feature: added UNIX-domain support to the smtpstone test
programs in order to test the LMTP client UNIX-domain
support.
20001030
Bugfix: further testing in preparation for 19991231-pl10
revealed that the DB map code was now broken for every
platform.
20001031
Performance: the slow start (gradually increase number of
parallel connections to the same site) was too gentle and
Postfix would back off too quickly. Files: qmgr/qmgr_queue.c
and nqmgr/qmgr_queue.c.
20001101
FAQ update by Ralph Hildebrandt.
20001104
Portability: RedHat Linux has changed incompatibly, again.
Fixed with the help of Matthias Andree. File: makedefs.
20001109
Cleanup: changed prototype of internal function that did
not return a useful result. File: src/util/vstream_popen.c.
20001110
Workaround: the Debian post install script passes an open
file descriptor into the master server and waits forever.
Reported by Lamont Jones. File: master/master.c.
20001114
Compatibility: added sendmail -G (gateway submission) option
for compatibility with the sendmail rmail command. Requested
by David Gilbert, Velocet Communications.
20001116
Documentation: added MAILER-DAEMON to the list of sample
masquerade_exceptions settings in conf/sample-rewrite.cf.
Suggested by Karl O. Pinc, pop.artic.edu.
Performance: the slow start (gradually increase number of
parallel connections to the same site) was too gentle and
Postfix would back off too quickly. Files: qmgr/qmgr_queue.c
and nqmgr/qmgr_queue.c. Yup, changed the same code, again.
We now allow for a margin above the actual concurrency,
with the size of the initial destination concurrency.
Final solution by Patrik Rak.
Bugfix: the recipient home directory test broke mailbox_transport
support for non-UNIX recipients. File: local/recipient.c.
20001117
Robustness: additional integrity tests for the nqmgr by
Patrik Rak. File: nqmgr/qmgr_message.c.
20001118
Bugfix: the new LDAP client code did not work properly if
the new ldap_domain parameter was not specified. LaMont
Jones, HP. File: util/dict_ldap.c.
Feature: the soft_bounce safety net is extended to the SMTP
server. With "soft_bounce = yes", The SMTP server changes
all 5xx (reject) replies into 4xx (try again) replies.
Documentation: the virtual(5) man page now documents both
Postfix-style virtual domains and Sendmail-style virtual
domains, including their interaction with local usernames,
aliases and mailing lists. Hopefully, this ends some of
the confusion surrounding virtual domain support. Updated
several FAQ entries concerning virtual domain support.
Documentation: added FAQ entry for the biff service.
20001119
Bugfix: per-destination queue names were case sensitive so
that the same site could have multiple queues. Reported
by Patrik Rak. Files: *qmgr/qmgr_message.c.
20001120
Bugfix: per-destination deferred mail logfiles were case
sensitive so that the same site could have multiple deferred
mail logfiles, so that not all mail would be flushed with
ETRN. Reported by Ralph Hildebrandt. Files: flush/flush.c.
Portability: added (int) casts to printf-like arguments
that specify the width of %*letter conversions. On some
systems, sizeof and pointer difference expressions are
wider than an int. Reported by Valentin Nechayev @ lucky.net.
20001121:
Compatibility: Postfix now retries delivery when an external
command is killed by a signal, because people expect such
behavior from Sendmail. File: global/pipe_command.c.
20001123-30
Feature: mailbox locking is now configurable. The configuration
parameter name is "mailbox_delivery_lock". Depending on
the operating system one can specify one or more of "flock",
"fcntl" and "dotlock". Use "postconf -l" to find out what
locking methods Postfix supports. The default setting is
system dependent. All mailbox file opens are now done by
one central mbox_open() routine. This affects the operation
of the postlock command, and of local delivery to mailbox
or /file/name. Files: util/safe_open.c, util/myflock.c,
global/deliver_flock.c, global/mbox_conf.c, global/mbox_open.c.
local/mailbox.c, local/file.c, postlock/postlock.c.
Compatibility: the old sun_mailtool_compatibility parameter
is being phased out. It still works (by turning off
flock/fcntl locks), but logs a warning as a reminder that
it will go away.
Compatibility: when delivering to /file/name, the local
delivery agent now logs a warning when it is unable to
create a /file/name.lock file, and then delivers the mail
(older Postfix versions would silently deliver).
20001202
Feature: specify "smtp_never_send_ehlo = no" to disable
ESMTP. Someone asked for this long ago. Files: smtp/smtp.c,
smtp/smtp_proto.c.
Feature? Bugfix? The smtp client now skips server replies
that do not start with "CODE SPACE" or with "CODE HYPHEN",
and flags them as protocol errors. Older versions silently
treat "CODE TEXT" as "CODE SPACE TEXT". File: smtp/smtp_chat.c.
20001203
Documentation: postmap(1) and postalias(1) did not document
the process exit status for "-q key".
20001204
Bugfix: the Postfix master daemon no longer imported
MAIL_CONF and some other necessary environment parameters.
Postfix now has explicit "import_environment" and
"export_environment" configuration parameters that control
what environment parameters are shared with non-Postfix
processes. Files: util/clean_env.c, util/spawn_command.c,
util/vstream_popen.c, global/pipe_command.c, and everything
that invokes this code.
20001208
Bugfix: while processing massive amounts of one-recipient
mail, qmgr could deadlock for 10 seconds while sending a
bounce message. All queue manager bounce send requests are
now implemented asynchronously. Files: global/abounce.[hc]
(asynchronous bounce client), qmgr/qmgr_active.c. Problem
reported by El Bunzo (webpower.nl) and Tiger Technologies
(tigertech.com).
20001209
Feature: mailbox_transport and fallback_transport can now
have the form transport:nexthop, with suitable defaults
when either transport or nexthop are omitted, just like in
the Postfix transport map. This allows you to specify for
example, "mailbox_transport = lmtp:unix:/file/name". File:
global/deliver_pass.c.
20001210
Bugfix: the local_destination_concurrency_limit paramater
no longer worked as per-user concurrency limit but instead
worked as per-domain limit, so that the limit of "2" in
the default main.cf files resulted in poor local delivery
performance. Files: qmgr/qmgr_message.c, qmgr/qmgr_deliver.c.
Problem reported by David Schweikert (ee.ethz.ch) and Dallas
Wisehaupt (cynicism.com).
20001210
Feature: support for MYSQL connections over UNIX-domain
sockets by Piotr Klaban. Files: util/dict_mysql.c,
MYSQL_README.
20001211
Small dirt: postconf -m produced too much output due to a
missing "else", and the optional SASL code needed a fix
for the changed name_mask API.
20001212
Workaround: due to an error, record type L for "filter
transport name" was the same as that for the already existing
record type L for "record not ending in newline", causing
the pickup daemon to discard all records not ending in
newline. The code cannot be changed without breaking
compatibility with queued mail, so the pickup server is
changed to discard type L records only from the message
envelope, not from the content. File: pickup/pickup.c.
20001213
Bugfix: dict_ldap did not properly initialize a handle
after connection timeout. Problem reported by Alain Thivillon.
File: util/dict_ldap.c.
20001214
Feature: local_transport and default_transport now also
understand the transport[:destination] notation, so that
all transport config parameters are similar again. File:
trivial-rewrite/resolve.c, trivial-rewrite/transport.c.
Code cleanup: mailbox_transport and fallback_transport no
longer allow the user to omit the transport part of a
transport:destination specification. That just did not make
any sense at all. The :destination part is still optional.
File: global/deliver_pass.c.
Feature: most time-related configuration parameters take
a one-letter suffix that specifies the time unit: s
(second), m (minutes), h (hours), d (days), w (weeks).
"postconf -d" output includes the default time unit. Files:
many.
Code cleanup: in a CONFIG_TIME_TABLE, the default time unit
is now always the last character of a default time value.
It is no longer necessary to specify the default time unit
separately. This change means that it will not be possible
to specify default values in the form of function calls,
but that was unused anyway. Files: global/mail_conf_time.c,
and user code.
20001217
Bugfix: reorganized some code in the MYSQL client to end
a number of memory allocation/deallocation problems. This
code needs more work. File: dict_mysql.c.
20001218
Bugfix: the MYSQL client did not provide function pointers
for unimplemented operations, causing "postmap -d" to dump
core instead if issuing an error message. This is what I
get for accepting code that I cannot test myself.
20001221
Code cleanup: configuration parameters that are $name
expanded at run-time now have their own data type hierarchy
instead of being piggy-backed on top of strings that are
$name expanded at program initialization time. Files:
global/mail_conf.h, global/mail_conf_raw.c, and code that
calls it.
20001230
Update: replaced the default rbl.maps.vix.com setting by
the current blackholes.mail-abuse.org.
20010102
Code cleanup: the queue manager is a bit greedier with
allocating a delivery agent. Problem pointed out by Patrik
Rak. All bugs in the solution are mine. Files:
*qmgr/qmgr_active.c.
20010105
Bugfix: the FILTER_README shell script example did not
correctly pass exit status to the parent.
Bugfix: soft errors in client hostname lookups would be
treated as hard errors. Fix by Michael Herrmann
(informatik.tu-muenchen.de). File: smtpd/smtpd_peer.c.
20010110
Bugfix: the mkdir() EEXIST race condition workaround was
not complete. Matthias Andree, Daniel Roesen. Files:
global/mail_queue.c, util/make_dirs.c.
20010111
Portability: IRIX 6.5.10 defines sa_len as a macro, causing
a name collision with a variable used by Postfix. Roberto
Totaro, enigma.ethz.ch. File: smtpstone/smtp-source.c.
20010116
Bugfix: REJECT by header/body_checks was flagged in smtpd
as a bounce, should be policy, in order to make postmaster
notifications more consistent. File: smtpd/smtpd.c.
Merged updated chroot setup procedure by Matthias Andree.
Files: examples/chroot-setup/LINUX2.
20010117
Formatting: changed the seconds and days formats in the
"your mail is delayed" text so that it does not switch to
scientific notation. File: bounce/bounce_notify_util.c.
20010119
Feature: SASL support for the LMTP client. Recent CYRUS
software requires this for Postfix over TCP sockets.
20010120
Bugfix: the 20001005 revised fallback_relay support caused
Postfix to send mail to the fallback even when the local
machine was an MX host for the final destination. Result:
mailer loop. Found by Laurent Wacrenier (teaser.fr). Files:
smtp/smtp_connect.c, smtp/smtp_addr.c.
20010121
Workaround: specify "broken_sasl_auth_clients = yes" in
order to support old Microsoft clients that implement a
non-standard version of RFC 2554 (AUTH command).
Workaround: Lotus Domino 5.0.4 violates RFC 2554 and replies
to EHLO with AUTH=LOGIN. File: smtp/smtp_proto.c.
20010125
Code cleanup: wrote creator/destructor for dictionary
objects that provides default methods that trap all attempts
to perform an unimplemented operation. Based on an ansatz
by Laurent Wacrenier (teaser.fr). Files: util/dict*.[hc].
Code cleanup: INSTALL.sh does not ask questions when stdin
is not connected to a tty (as in: make install</dev/null).
To automate a customized install, the script imports
environment variables for install_root etc.
20010127
Workaround: randomize the delay between attempts to lock
a file, so that multiple bounce or defer servers are less
likely to retry all at the same time. likely. File:
util/rand_sleep.c, global/deliver_flock.c, global/dot_lockfile.c.
20010128
Code cleanup: complaints about invalid or numeric hostnames
either provide specific context or are removed as redundant.
Files: util/valid_hostname.c dns/dns_lookup.c.
Code cleanup: new mailbox_size_limit parameter (default:
20MB). Until now, the mailbox size limit was the same as
the message size limit, due to artefact of implementation.
Files: global/mail_params.h, local/local.c.
Bugfix: fix for the ldap_domains parameter, both semantics
and documentation by LaMont Jones. Files: LDAP_README,
conf/sample-ldap.cf, util/dict_ldap.c.
Update: merged in the virtual delivery agent by Andrew
McNamara. See VIRTUAL_README for detailed examples.
Update: merged a re-vamped nqmgr by Patrik Rak.
20010129
Tweak: several little nqmgr tweaks by Patrik Rak. Files:
global/mail_params.h, nqmgr/qmgr_job.c.
Bugfix: the virtual delivery agent did not save maps_find()
results timely. J?rgen Thomsen, postfix.jth.net. File:
virtual/mailbox.c.
Security: disallow regexp tables in the virtual delivery
agent. The $1 etc. substitution mechanism gives too much
power to the sender. File: virtual/mailbox.c.
Cleanup: clarified documentation and boundary cases in the
random_sleep() routine.
Bugfix: the MISSING_USLEEP feature was used backwards.
Patrik Rak. File: util/random_sleep.c.
20010130
Workaround: Linux usleep() is void, BSD/Solaris usleep()
returns int, don't use it. File util/random_sleep.c.
Made local maildir bounce/defer handling mode consistent
with local mailbox delivery. File local/maildir.c.
The smtp client now defers delivery when all MX hosts have
no A record. File: smtp/smtp_addr.c
Bundled the man2html and postlink quick hacks so people
can do their own manual page processing. See scripts in
the mantools directory.
Documentation: updated the reference to sendmail in the
html/index.html page.
Documentation: added note about the Cisco PIX "fixup smtp"
bug that causes mail delivery problems when "." and "CRLF"
arrive in separate packets. File: html/faq.html.
20010201
Bugfix: another missing initialization in the mysql client.
File: util/dict_mysql.c.
Sanitized time routine by Patrik Rak, to make his nqmgr
robust against people who set their clock back. Files:
util/sane_time.[hc].
Bumped the default mailbox file size limits to 50MB.
20010202
Bugfix: fixed the way the master resets the file size limit
to avoid problems when a Postfix daemon updates a queue
file. The file size limit is now increased to INT_MAX if
it is smaller than INT_MAX, so that it is less likely to
interfere than the old setting of message_size_limit.
Feature: disable mailbox size limits for the local and
virtual delivery agents by setting mailbox_size_limit or
virtual_mailbox_limit to zero.
20010203
Update: null candidate patch from Patrik Rak. Files:
nqmgr/qmgr_entry.c nqmgr/qmgr_job.c nqmgr/qmgr_message.c.
Cleanup: added one gruesome command to the postlink script
for hyperlinking nroff manual page output. Word abbreviation
broke some <a href...> </a> instances across line boundaries.
sed(1) is an amazing tool. File: mantools/postlink.
20010204
Laid the ground work for logging of table accesses. This
will give more insight into how Postfix uses its lookup
tables. User interface comes later. File: util/dict_debug.c.
20010216
Bugfix: the pipe delivery agent expanded $size as if it
were a recipient, instead of expanding it as $nexthop or
as $sender. Reported by Michael Tokarev. File: pipe/pipe.c.
20010221
Bugfix: poor LMTP performance for domains that are listed
in $mydestination, because Postfix would send one recipient
at a time, with multiple deliveries of recipients of the
same message in parallel; a similar problem could exist
with virus scanning and with firewall relay hosts that
forward mail for $mydestination to an inside machine. This
behavior is now changed to depend on the transport-specific
xxx_destination_recipient_limit parameter. This also means
that you can now get qmail behavior for SMTP deliveries by
setting smtp_destination_recipient_limit=1. File:
{qmgr,nqmgr}/qmgr_message.c.
Workaround: Solaris socketpair() can fail with EINTR. Added
a sane_socketpair.c module that joins the ranks of the
other sane_whatever workarounds. Reported by Andrew McNamara.
File: util/sane_socketpair.[hc]
20010222
Documentation: the default main.cf file has a prominent
warning that mynetworks should be properly configured in
order to reject unauthorized mail relay requests from
strangers.
Documentation: the INSTALL document, section "mandatory
configuration file edits" has a section that explains that
mynetworks should be properly configured in order to reject
unauthorized mail relay requests from strangers.
20010223
Documentation: the basic.html document has a section that
explains that mynetworks should be properly configured in
order to reject unauthorized mail relay requests from
strangers.
Feature: new "mynetworks_style" parameter that controls
how mynetworks (trusted networks) is derived from the
inet_interfaces (machine interfaces) setting. Specify
"class" for entire class A, B, C networks; "subnet" for
the local subnets only; or "host" for maximal privacy.
Files: util/inet_addr_local.[hc], global/own_inet_addr.[hc],
global/mynetworks.[hc], postconf/postconf.c.
Portability: MACOSX patches by Gerben Wierda.
Portability: Solaris /dev/null is a symlink, which tripped
up the code to safely open a file before local delivery.
We now grudgingly allow symlinks owned by root. File:
util/safe_open.c.
20010224
Bugfix: "postconf mynetworks" ignored the inet_interfaces
setting. That was a very old one. File: postconf/postconf.c.
INCOMPATIBLE CHANGE: POSTFIX NO LONGER RELAYS MAIL FOR
CLIENTS IN THE ENTIRE CLASS A/B/C NETWORK. POSTFIX BY
DEFAULT RELAYS MAIL FOR CLIENTS IN THE LOCAL SUBNETWORK.
Specify "mynetworks_style = class" to get the old behavior.
20010225
Portability: master sigchld handler based on writing to a
pipe, so that the master wakes up from select(). Based on
code by Erik Forsberg, Linkoping University, Sweden. File:
master/master_sig.c. Disabled until after the major release.
Code cleanup: Postfix should now run with no alias database.
Code cleanup: local_destination_recipient_limit and
local_destination_concurrency_limit have become first-class
configuration parameters. Files: global/mail_params.h,
*qmgr/qmgr.c, postconf/postconf.c.
20010226
Documentation suggestions by Lars Hecking and Richard
Huxton, Matthias Andree and many others.
Code cleanup: some queue/transport operations need to be
moved, after the code cleanup of the recipient/concurrency
limit handling. Patrik Rak. Files: *qmgr/qmgr_message.c.
20010301
Feature: configurable name in syslog output (default:
"syslog_name = postfix") so that different Postfix instances
can be recognized by their logging. File: global/mail_task.c.
20010313
Workaround for logic mismatch in nqmgr that was exposed
with the introduction of the asynchronous bounce client.
Patrik Rak.
20010313
Bugfix: the RFC 822 untokenizer quoted newlines inside
comments. File: global/tok822_parse.c.
20010316
Cleanup: removed an extraneous warning when a queue file
write error happened.
20010321
Workaround: LMTP connection caching never worked for
destinations starting with unix: or inet:. File:
lmtp/lmtp_connect.c.
20010322
Portability: Solaris <2.6 does not have srandom() and
random() in libc. File: util/rand_sleep.c. It does not have
to be cryptographically strong.
Bugfix: the fast ETRN flush server could not handle [ipaddr]
or domain names with one-character hostname part. This
fix changes the destination to logfile name mapping, so
that you need to populate the new files with "sendmail -q".
The old files go away automatically. File: flush/flush.c.
20010327
Speed up mailq (sendmail -bp) display by flushing output
after each file. File: showq/showq.c.
Portability: missing string.h includes, %p wants (void *),
Lamont Jones, HP.
20010328
Bugfix: swapped logic caused cleanup to stall when the
queue file size exceeded the file size limit by less than
one the VSTREAM buffer size, so that the "file too big"
was detected after flushing the last queue file record.
File: cleanup/cleanup.c.
20010329
Portability: workaround for missing prototype problem in
dict_ldap.c. This module should move to the global directory,
because it depends on Postfix main.cf parameter information.
Workaround: after sending a trigger message over a socket,
do not immediately close the client side, but close it from
a background thread that waits until the server closes the
socket first. This avoids trouble with socket implementations
that destroy a socket when the client closes a socket before
the server has received the client's data. Files:
util/{inet,unix,stream}_trigger.c, util/events.c,
master/master_trigger.c, postkick/postkick.c.
20010403
Workaround: the mysql library can return null pointers
rather than zero-length strings. File: util/dict_mysql.c.
20010404
Ergonomics: log additional information about the reason
why "mail for XXX loops back to myself" when the local
machine is the best MX host. File: smtp/smtp_addr.c.
20010406
Changed some noisy LDAP client warnings into optional
logging. LaMont Jones, util/dict_ldap.c.
20010411
Bugfix: the SMTP server now replies with 550 instead of
503 when it receives the DATA command without having received
a valid recipient address. This is needed for the Sendmail
client-side pipelining implementation. Problem reported by
Lutz Jaenicke. File: smtpd/smtpd.c.
Cleanup: shut up if chattr fails on Reiserfs and other file
systems that do not support the respective attributes.
Files: conf/postfix-script-{no,}sgid.
20010413
Ergonomics: Postfix applications now warn when a DB or DBM
file is out of date, and recommend to rebuild the table.
Files: util/dict_db.c, util/dict_dbm.c.
20010414
Feature: specify a key of "-" to the postmap or postalias
-q or -d option, and the keys will be read from standard
input, one key per line. Files: postmap/postmap.c,
postalias/postalias.c.
Bugfix: with a non-default inet_interfaces setting, the
master ignored host information in master.cf host:port
settings. Fix by Jun-ichiro itojun Hagino @ iijlab.net.
Files: master/master.h, master/master_ent.c.
20010426
Bugfix: the SMTP server did not parse invalid MAIL FROM or
RCPT TO addresses such as <first last <user@domain>> the
way it was supposed to do. I thought this was taken care
of years ago. File: smtpd/smtpd.c.
20010427
Bugfix: smtpd would reject mail instead of replying with
a 4xx temporary error code when, for example, an LDAP or
mysql server was unavailable. Remotely based on a fix by
Robert Kiessling @ de.easynet.net. File: smtpd/smtpd_check.c.
20010429
Feature: the Postfix SMTP client now by default randomly
shuffles destination IP addresses of equal preference.
Specify "smtp_randomize_addresses = no" to disable.
Shuffling code by Elias Levy @ SecurityFocus.com Files:
dns/dns_rr.c, smtp/smtp_addr.c.
20010501
Bugfix: The SMTP server's 550 in reply to DATA should be
a 554 response. And it wasn't Sendmail. Claus Assman.
Bugfix: the INSTALL.sh test for non-interactive upgrade
broke rooted installations that specify settings via the
environment. Simon Mudd.
Bugfix: mailq output is now really flushed one message at
a time. File: sendmail/sendmail.c.
Feature: "postsuper -d queueID" deletes one message queue
file; "postsuper -d -" reads zero or more queue IDs from
standard input, and deletes one instance of each file.
File: postsuper/postsuper.c.
Code cleanup: in order to make postsuper -d safe with a
running Postfix mail system, some routines had to be made
tolerant for sudden queue file disappearances. Files:
global/deliver_request.c, *qmgr/qmgr_move.c.
Code cleanup: in order to make postsuper -d more usable,
the showq command was extended to safely list the possibly
world-writable maildrop directory. File: showq/showq.c.
20010504
Feature: postsuper -d will also delete defer and bounce
logfiles when the named queue file is found.
20010505
RFC 2821 feature: an SMTP server must reset all buffers
upon receipt of EHLO. File: smtpd/smtpd_check.c.
RFC 2821 feature: an SMTP server must accept a recipient
address of "postmaster" without domain name. File:
smtpd/smtpd_check.c.
RFC 2821 recommendation: reply with 503 to commands sent
after 554 greeting. File: smtpd/smtpd.c.
RFC 2821 recommendation: if VRFY is enabled, list it in
the EHLO response. File: smtpd/smtpd.c.
RFC 2821 recommendation: SMTP clients should use EHLO.
The default setting of smtp_always_send_ehlo has changed
from 0 (send EHLO if server greets with ESMTP) to 1 (always
send EHLO). In all cases, Postfix falls back to HELO if
the server does not support EHLO. File: smtp/smtp_proto.c.
20010507
Bugfix: with soft_bounce=yes, the SMTP server would log
5xx replies even though it would send 4xx replies to the
client (Phil Howard, ipal.net). File: smtpd/smtpd_check.c.
20010515
Compatibility: Microsoft sends "AUTH=MBS_BASIC LOGIN".
Updated the parsing code in smtp/smtp_proto.c. Problem
reported by Ralf Tessmann, Godot GmbH.
20010520
Standard: deleted the non-standard "via" portion from
Received: headers generated by Postfix bounce or other
notification processes. File: global/post_mail.c.
Robustness: eliminated stack-based recursion from the RFC
822 address parser. File: global/tok822_parse.c.
Standard: annotated the source code with comments based on
RFC 2821 and 2822. Not all the RFC changes make sense.
RFC 2821 recommendation: treat a RCPT 552 reply as if the
server sent 452. Files: smtp/smtp_proto.c, lmtp/lmtp_proto.c.
Cleanup: moved ownership of the debug_peer parameters from
the applications to the library, so that a Postfix shared
library does not suffer from undefined references. Files:
smtp/smtp.c, lmtp/lmtp.c, smtpd/smtpd.c, global/mail_params.c.
LaMont Jones, for Debian.
20010522
Feature: "postsuper -r queueID" re-queues a message, and
"postsuper -r ALL" re-queues all mail. The message is moved
to the maildrop queue so that the pickup daemon will copy
it to a new queue file, and so that address rewriting will
be done again. This is useful after changes of address
rewriting or virtual mappings.
Feature: "postsuper -d ALL [queue-name]" deletes a bunch
of mail.
20010523
Feature: "postsuper -s" (which is done by default) renames
queue files whose name (queue ID) does not match the message
file inode number.
Bugfix: memory leak in the LDAP client module. Alain
Thivillon, France Teaser - Groupe Firstream.
20010525
Portability: gcc 2.6.3 does not have __attribute__ (Clive
Jones, dgw.co.uk). File: util/sys_defs.h.
Bugfix: the SMTP and LMTP clients claimed that a queue file
needed to be delivered again (even when all recipients were
erased from the queue file) when no QUIT or RSET reply was
received (by default, this does not happen with SMTP mail
because the SMTP client does not wait for QUIT replies and
does not send RSET to deliver mail). As a result of the
same bug the LMTP client followed a dangling pointer when
sending QUIT after process idle timeout while the LMTP
server had disconnected. Files: smtp/smtp_proto.c,
lmtp/lmtp_proto.c.
20010526
newaliases no longer complains when an empty list is
specified with the alias_database configuration parameter.
File: sendmail/sendmail.c.
20010529
Workaround: old PIX firewall code messes up when the final
".<CR><LF>" at the end of DATA spans a packet boundary.
When Postfix detects PIX SMTP fixup mode, Postfix flushes
the output buffers before sending the final ".<CR><LF>".
File: smtp/smtp_proto.c.
20010530
Portability: updated code for Mac OS X, accounting for the
post-Beta changes. Code by Joe Block, UCF School of
Optics/CREOL.
20010601
Safety: postdrop turns off interrupts when cleaning up
after interrupt. The additional safety does not hurt anyone.
File: src/postdrop/postdrop.c.
20010607
Safety: dropped the RFC 2821 compliant code that treats
552 RCPT TO replies as 452. It created more problems than
it solved. Files: smtp/smtp_proto.c, lmtp/lmtp_proto.c.
Logging: the SMTP server now logs a warning if RBL lookups
have problems other than "not found". file: smtpd/smtpd_check.c.
20010610
Feature: address quoting and case folding flags for the
pipe(8) mailer.
20010611
Workaround: some MTAs fall on their face when they receive
unexpectedly long lines. From now on, Postfix defaults to
breaking long lines at 2048 (like Sendmail so it has got
to be right). To get the old, content preserving, behavior
specify "smtp_truncate_lines = no". File: smtp/smtp_proto.c.
20010614
Bugfix: did not really undo 2821 552->452 mapping.
20010628
Bugfix: postfix-script used a hard-coded maildrop group
owner instead of using the install-time specified name
stored in /etc/postfix/install.cf. Problem reported by
David Terrell @ meat.net.
20010701
Feature: mail_spool_directory ending in / causes maildir
style delivery.
Bugfix: the FreeBSD kernel parameters kern.ipc.nmbclusters
and kern.ipc.maxsockets cannot be set with sysctl commands.
File: html/faq.html. Len Conrad @ Go2France.com.
Cleanup: the virtual delivery agent was poorly integrated
so that the SMTP server and queue manager did not reject
mail for unknown users. Files: smtpd/smtpd_check.c.
20010705
Feature: QMQP server, compatible with qmail and the ezmlm
list manager. Files: util/netstring.[hc], qmqpd/qmqpd*.c.
20010706
Feature: QMQP stress test message generator program. Files:
smtpstone/qmqp-source.c, smtpstone/qmqp-sink.c.
20010708
Bugfix: with disable_dns=yes, the SMTP client treated all
host lookup errors as permanent. File: smtp/smtp_addr.c.
20010709
Feature: VERP support, based on a patch by Peng Yong, and
with the missing parts filled in so that the Postfix bounce
daemon can send one VERP bounce per undeliverable recipient.
Files: , sendmail/sendmail.c, smtpd/smtpd.c, qmgr/qmgr_deliver.c,
bounce/bounce_notify_verp.c, qmqpd/qmqpd.c, plus a couple
support routines in the global library.
Cleanup: with recipient_delimiter=+ (or any character other
than -) Postfix will now recognize address extensions even
with owner-foo+extension addresses. This is necessary to
make VERP work for mailing lists.
20010710
Bugfix: potential memory leak in the queue managers with
the new VERP delimiter record. Fix by Patrik Rak.
20010711
Cleanup: you can now specify the VERP delimiter characters
on the sendmail(1) command line, but they are still optional.
Safety: with maildir style delivery and with hashed mailboxes
the system mail spool directory must not be world writable.
20010713
Safety: the verp_delimiter_filter parameter (default: -=+)
limits what characters Postfix accepts as VERP delimiter
characters.
20010714
Logging: the queue manager now logs a "status=expired"
record when it returns a message that is too old. Files:
*qmgr/qmgr_active.c.
20010719
Feature: stiffer coupling between mail receiving rates and
mail delivery rates, using a trivial token-based scheme,
implemented by reading and writing an in-memory pipe. The
queue manager produces one token when it retrieves mail
from the incoming queue. The cleanup daemon consumes one
token when it adds mail to the incoming queue. If no token
is available the cleanup server pauses for $in_flow_delay
seconds and proceeds anyway. The delay allows mail sending
process to catch up and access the disk while not blocking
inbound mail. Valid delays are 0..10 seconds.
20010727
Bugfix: updated LDAP client module from LaMont Jones, HP.
This also introduces new LDAP query filter patterns: %u
(address localpart) and %d (domain part). Files:
conf/sample-ldap.cf, util/dict_ldap.c.
20010729
Bugfix: recursive smtpd_whatever_restrictions clobbered
intermediate results when switching between sender and
recipient address restrictions. Problem found by Victor
Duchovni, morganstanley.com. In order to fix, introduced
address resolver result caching, which should also help to
speed up sender/recipient address restriction processing.
Bugfix: the not yet announced DUNNO access table lookup
result did not prevent lookups with substrings of the same
lookup key. Found by Victor Duchovni, morganstanley.com.
20010730
Robustness: trim trailing whitespace from regexp and pcre
right-hand sides, for consistency with DB/DBM tables.
Files: util/dict_pcre.c, util/dict_regexp.c.
20010731
Robustness: eliminate duplicate IP addresses after expansion
of hostnames in $inet_interfaces, so that Postfix does not
suddenly refuse to start up after someone changes the DNS.
Files: util/inet_addr_list.c global/own_inet_addr.c.
Feature: specify "disable_verp_bounces = yes" to have
Postfix send one RFC-standard, non-VERP, bounce report for
multi-recipient mail, even when VERP style delivery was
requested.
20010801
Bugfix: postconf was using unexpanded values internally
for myhostname, inet_interfaces, and mynetworks_style.
This broke the "postconf -d" mynetworks computation. File:
postconf/postconf.c.
20010803
Feature: masquerade_classes parameter for fine control of
address masquerading. The default setting is backwards
compatible: envelope_sender header_sender header_recipient.
Files: cleanup/whatever.c.
20010822
Code cleanup: the bounce daemon complained about data that
it was not going to send back anyway. Fix: stop reading
the original message when the bounce message reaches the
bounce message size limit. File: bounce/bounce_notify_util.c.
20010826
Logging: postsuper now logs the queue ID when it requeues
a message, or when it deletes a message from the mail queue.
File: postsuper/postsuper.c.
20010830
Safety: the SMTP server now sends a 4xx (try again later)
response when an UCE restriction is misconfigured, instead
of ignoring the bad restriction and possibly accepting mail
that it should not accept. File: smtpd/smtpd_check.c.
20010907
Workaround: the Postfix qmqp-source program produced mail
not ending in newline. qmail-qmqpd accepts such mail, but
qmail-remote is unable to deliver it. Matthias Andree,
uni-dortmund.de. File: smtpstone/qmqp-source.c.
20010910
Bugfix: the smtp-sink stress test program broke when RCPT
TO commands crossed network packet boundaries. Problem
reported by Matthias Andree, uni-dortmund.de. File:
smtpstone/smtp-sink.c.
20010917
Code cleanup: permit_mx_backup implements the old behavior
(accept mail if the local MTA is MX relay), and allows an
additional restriction via the permit_mx_backup_networks
parameter (accept mail only if the primary MX hosts match
the specified list of network blocks). This second restriction
is now entirely optional, for backwards compatibility.
Bugfix: an address extension could be appended multiple
times to the result of a canonical or virtual map lookup.
File: global/mail_addr_map.c. Fix by Victor Duchovni,
Morgan Stanley.
Bugfix: split_addr() would split an address even when there
was no data before the recipient delimiter. In combination
with the above bug, this could cause an address to grow
exponentially in size. Problem reported by Victor Duchovni,
Morgan Stanley. File: global/split_addr.c.
20010918
Bugfix: the mail_addr_map() fix was almost but not quite
right. It took two clever people and several iterations of
email to really fix the mail_addr_map() problem. Thanks
to Victor Duchovni and Liviu Daia.
20011006
Cleanup: Postfix no longer flushes the whole deferred queue
after an ETRN request for a random domain name (i.e. a
domain name not matched by $fast_flush_domains); the SMTP
server instead replies with "459 service unavailable".
Files: smtpd/smtpd.c, global/flush_clnt.c, flush/flush.c.
20011008
Bugfix: there was a minute memory leak when an smtpd access
restriction was misconfigured. File: smtpd/smtpd_check.c.
20011010
Code cleanup: Postfix daemons now print the name of the
UNIX-domain socket (instead of "unknown stream") in case
of a malformed client request. Files: master/*server.c.
20011010-14
Code cleanup: replaced the ugly mail_print() and mail-scan()
protocols by (name,value) attribute lists. This gives better
error detection when we make changes to internal protocols,
and allows new attributes to be introduced without breaking
everything immediately. Files: util/attr_print.c util/attr_scan.c
global/mail_command_server.c global/mail_command_client.c
as wel as most Postfix applications and daemons.
20011015
Put base 64 encoding into place on the replaced internal
protocols. Files: util/base64_code.[hc].
Feature: header/body REJECT rules can now provide text that
is sent to the originator. Files: cleanup/cleanup.c,
cleanup/cleanup_message.c, conf/sample-filter.cf.
20011016
Bugfix: As of 20000625, Errors-To: was broken, because the
code to extract the address was not moved from recipient
address rewriting to sender address rewriting. Problem
reported by Roelof Osinga @ nisser.com. File:
cleanup/cleanup_message.c.
20011029
Bugfix: virtual map expansion terminated early because the
detection of self-referential entries was flawed. File:
cleanup/cleanup_map1n.c.
20011031
Bugfix: mail_date() mis-formatted negative time zone offsets
with fractional hours (-03-30 instead of -0330). Fix by
Chad House, greyfirst.ca. File: global/mail_date.c.
20011102
Feature: new -f option to postmap and postalias (do not
lowercase the lookup key while creating a table). Files:
util/dict.h postmap/postmap.c postalias/postalias.c.
Code cleanup: simplified the attribute print/scan routines,
and removed the never-used support for sending and receiving
integer arrays and string arrays. Files: util/attr_print.c,
util/attr_scan.c.
Bugfix: qmqpd could read past the end of a string while
looking for qmail's VERP magic token in the envelope sender
address. File: qmqpd/qmqpd.c.
Code cleanup: finished testing the new internal protocols.
The only bug was with the flush server, which still needs
to support the old (string + null byte) protocol for triggers
from the Postfix master daemon.
20011103
Bugfix: Postfix would log the wrong error text when locally
submitted mail was deferred due to "soft_bounce = yes".
Bugfix: The LDAP client dropped any entries that don't have
the result_attribute, but errored out when a DN didn't
exist. The behavior is now consistent: treat non-existant
DN's in a special result attribute expansion the same as
DN's with no attribute. LaMont Jones, HP.
20011104
Bugfix: the new smtp-sink -n option (terminate after the
specified number of deliveries) wasn't optional.
Portability: updated Mac OS X documentation and install
scripts by Gerben Wierda.
20011105
Bugfix: missing terminator in new attribute-based function
call caused signal 11. File: src/cleanup/cleanup.c.
Lame workaround for ESTALE errors with mail delivery over
NFS. Additional bandages were added to the local delivery
agent. However, Wietse maintains that Postfix offers no
guarantee for reliable delivery over NFS.
Feature: put "warn_if_reject" before an smtpd restriction,
and that restriction logs warnings without rejecting mail.
This makes it easier to test configurations "live" without
having to lose mail. File: smtpd/smtpd_check.c.
20011107
Workaround: in order to get mail past PIX firewall bugs,
the Postfix SMTP client now blocks until the socket send
buffer is empty before sending the final ".<CR><LF>". Files:
util/sock_empty_wait.c, smtp/smtp_proto.c. Changed into
sleep(10) on 20011119. Sleep suggested by Hobbit.
20011108
Feature: added string-null encoding for internal protocols.
Files: util/attr_print0.c, util/attr_scan0.c.
Feature: configurable parent domain matching for domain
and hostname/address match lists: either .domain or the
domain name itself. Files: util/match_ops.c util/match_list.c
Feature: added pretend-to-be-behind-PIX mode to the smtp-sink
test program, in order to stress test some PIX bug workaround
code.
20011109
Workaround: Linux and Solaris systems have no reasonable
way to block until a socket drains. On these systems Postfix
simply waits for 10 seconds, in order to work around PIX
".<CR><LF>" bugs. File: util/sock_empty_wait.c.
20011114
Bugfix: reset the smtpd command transaction log between
deliveries. File: smtpd/smtpd.c.
20011115
Feature: mailbox_command_maps no longer requires that every
user has an entry. If the user does not have a command
entry, the local delivery agent tries the other delivery
methods (mailbox_command, home_mailbox). File: local/mailbox.c.
Bugfix: reset the smtpd command transaction log between
non-deliveries. File: smtpd/smtpd.c.
20011116
Bugfix: consolidated all the command transaction log resets
and eliminated one missing reset (Victor Duchovni, Morgan
Stanley). File: smtpd/smtpd.c.
20011118
Cleanup: replaced unnecessary match_list wrapper code by
macros. Files: global/{string,domain,namadr}_list.[hc].
20011119
Feature: configurable parent domain matching strategy for
transport map lookups. File: trivial-rewrite/transport.c.
New parent_domain_matches_subdomains parameter. This lists
all the Postfix features where a domain name matches itself
and all its subdomains (instead of requiring ".domain.name"
for subdomain matches). Planning for future backwards
compatibility :-) File: global/match_parent_style.c.
Workaround: simplified the PIX ".<CR><LF>" bug to always
sleep for 10 seconds. File: smtp/smtp_proto.c.
20011120
Workaround: disable attribute string length restriction so
that trivial-rewrite does not refuse to rewrite broken mail
headers. Files: util/attr_scan*.c.
20011121
Bugfix: missing long integer support in the new IPC protocols.
Files: util/attr_scan*.c, util/attr_print*.c.
Portability: AIX5 (Adrian P. van Bloois), MAC OS X 10.1.1
(Gerben Wierda).
20011125
Bugfix: spurious postmaster notifications because some flag
was not reset.
Feature: new parameter smtpd_sender_login_maps that specifies
the (SASL) login name that owns a MAIL FROM address.
Specify a regexp table in order to require a simple one-to-one
mapping. This is used in the reject_sender_login_mismatch
sender anti-spoofing feature.
Feature: restriction reject_sender_login_mismatch refuses
a MAIL FROM address when $smtpd_sender_login_maps specifies
an owner but the client is not (SASL) logged in as the MAIL
FROM address owner, or when a client is (SASL) logged in
but the client login name does not own the MAIL FROM address
according to $smtpd_sender_login_maps. File: smtpd/smpd_check.c.
Documentation: added some redundancy to the LMTP_README
file so people can keep track of the difference between
the Postfix LMTP client and the non-Postfix LMTP server.
20011126
Feature: smtpd_noop_commands specifies a list of commands
that are treated as NOOP (no operation) commands, without
syntax check or state change. File: smtpd/smtpd.c.
Bugfix: the "mark queue file as corrupt" code did not work
because it was never used. Files: global/mark_corrupt.c,
global/mail_copy.c, global/pipe_command.c, *qmgr/qmgr_active.c,
local/maildir.c, local/mailbox.c, local/command.c, pipe/pipe.c,
virtual/mailbox.c, virtual/maildir.c.
Bugfix: the bounce daemon broke in the unlikely case of a
non-existing queue file. File: bounce/bounce_notify_util.c.
20011127
Feature: added WARN command to header/body_checks files as
proposed by Michael Tokarev. File: cleanup/cleanup_message.c.
Bugfix: the postdrop program was broken after the change
of Postfix internal protocols. This broke "sendmail -bs"
mail submissions with "secure" maildrop directory. Reported
by Craig Loomis, apo.nmsu.edu. File: postdrop/postdrop.c.
Feature: a first start at fault injection for testing
unlikely error scenarios (such as corrupt queue files).
Parameter: fault_injection_code, must be left at zero for
production use.
20011128
Robustness: add a file size limit to the sendmail and
postdrop submission programs to stop run-away process
accidents. This is not a defense against DOS attack. Files:
sendmail/sendmail.c, postdrop/postdrop.c.
That resulted in a considerable amount of work to properly
propagate "file too large" conditions back to the sendmail
mail posting user interface. Took the opportunity to express
other mail submission fatal exits with the <sysexits.h>
exit status codes. Files: sendmail/sendmail.c,
postdrop/postdrop.c.
20011129
Maintenance: dict_ldap.c wasn't updated after the revision
of the string matching routines. File: util/dict_ldap.c.
20011208
Maintenance: LDAP module and documentation from LaMont
Jones. This version adds verbose logging for LDAP library
routines. Files: src/util/dict_ldap.[hc], LDAP_README,
conf/sample-ldap.cf
Portability: made memory alignment restrictions configurable.
File: util/mymalloc.c.
Bugfix? Avoid surprises with source routed destinations
and OK entries in SMTPD access maps. File: smtpd/smtpd_access.c.
Security: "postfix check" looks for damage by well-intended
but misguided use of "chown -R postfix /var/spool/postfix".
That would make chrooted Postfix less secure than non-chrooted
Postfix. These extra tests may cause complaints with
third-party patches such as TLS that introduce their own
files into the jail.
Feature: static map type that always returns the map name
as lookup value, regardless of lookup key value. Contributed
Jeff Miller (jeffm at ghostgun.com)
Feature: turn off the PIX <CR><LF>.<CR><LF> workaround for
the first mail delivery attempt, i.e. when mail is queued
for less than $smtp_pix_workaround_threshold_time (default:
500) seconds. New parameter $smtp_pix_workaround_delay_time
to control the delay before sending .<CR><LF> (default: 10
seconds) when doing the PIX <CR><LF>.<CR><LF> workaround.
20011210
Bugfix: the 20011128 change in sendmail and postdrop did
not handle the case of message_size_limit=0. Fix by Will
Day, Georgia Tech.
20011212
Compatibility: The SMTP server now accepts <CR><CR><LF> as
if the client sent <CR><LF>. Reportedly, some badly written
windows software produces such garbage, and some badly
written windows anti-VIRUS software cannot handle such
garbage. File: global/smtp_stream.c.
20011214
Bugfix: postmap/postalias queries ignored the -f flag.
Reported by Hamish Marson.
20011217
Compatibility: Sendmail now has a -L option to set the
syslogging label. Postfix sendmail uses syslog_name instead,
and ignores the -L option.
Security: subtle hardening of the Postfix chroot jail,
Postfix queue file permissions and access methods, in case
someone compromises the postfix account. Michael Tokarev,
who received the insights from Solar Designer, who tested
Postfix with a kernel module that is paranoid about open()
calls. Files: master/master_wakeup.c, util/fifo_trigger.c,
postfix-script.
Convenience: issue a warning instead of aborting when the
local machine name is not in fully-qualified domain form.
This would otherwise break initial postfix installation
which needs the postconf command. File: global/mail_params.c.
20011220
Added more garbage detection to postconf -e input processing.
20011221
Feature: SMTPD access map lookups of null sender addresses.
If your access maps cannot store or look up null string
key values, specify "smtpd_null_access_lookup_key = <>"
and the null sender address will be looked up as <> instead.
File: src/smtpd_access.c.
20011223
Safety: configuration file comments no longer span multiple
lines when the next line begins with whitespace; multi-line
input is no longer terminated by a comment line, by an all
white space line, or by an empty line. Michael Tokarev made
the crucial suggestion to simplify the readline routine.
Files: util/readlline.c, postconf/postconf.c.
Cleanup: proper detection of big number overflow in EHLO
and MAIL FROM size announcements, with input from Victor
Duchovni, Morgan Stanley. Files: global/off_cvt.c,
smtpd/smtpd.c, smtp/smtp_proto.c, util/alldig.c.
Forward compatibility: added queue file record types for
original recipient and for generic named attributes.
Cleanup: safe_open() now returns sensible errno values so
that the fifo_trigger() external interface is restored.
20011225
Upgrade: PCRE_README now describes PCRE version 3.x.
Cleanup: flush SMTPD command history upon receipt of EHLO,
RSET, and upon DATA completion, only if it exceeds
$smtpd_history_flush_threshold lines (default: 100).
Distant derivative of code by Michael Tokarev. File:
smtpd/smtpd.c.
20011228
Bugfix: a readlline() error message showed less text than
intended. Christian von Roques.
Cleanup: postfix now installs with group-writable maildrop
directory and with a set-gid postdrop mail submission
command. The pickup service is now unprivileged. The
world-writable maildrop directory no longer exists.
The cleanup service is now public, in preparation for local
sendmail/postdrop mail submission that avoids the maildrop
queue directory while Postfix is up.
Cleanup: moved the main.cf/master.cf file editing from the
postfix-script file to the INSTALL.sh file.
Cleanup: INSTALL.sh no longer accepts "no" as the destination
of Postfix manual pages.
20011230
Cleanup: the code for "mailq", "sendmail -q", and for
"sendmail -qRsite" was moved from the sendmail command to
a new set-gid postqueue command. The pickup and qmgr FIFOs
are no longer world writable. Files: sendmail/sendmail.c,
postqueue/postqueue.c.
20020101
Security: new alternate_config_directories parameter that
specifies what directories a set-gid command will accept
as its configuration directory. The list must be specified
in the default main.cf file. File: global/mail_conf.c.
Cleanup: "sendmail -qRsite" is no longer implemented by
connecting to the SMTP port. It is now implemented by
talking to the fast flush service. File: postqueue/postqueue.c.
20020203
Cleanup: INSTALL.sh now records all installation information
in the main.cf file. The now obsolete install.cf file is
used only when upgrading from an older Postfix release.
Cleanup: INSTALL.sh now takes name=value settings on the
command line, and has a new "-upgrade" command line option
to turn on non-interactive installation.
Security: additional run-time checks to discourage sharing
of Postfix user/group ID values with other accounts.
20020105
Cleanup: SMTPD access maps now return DUNNO (undetermined)
instead of OK when a recipient address contains multiple
domains (user@dom1@dom2, etcetera). Victor Duchovni, Morgan
Stanley. File: smtpd/smtpd_check.c.
20020106
Bugfix: SMTPD access maps did not handle address extensions.
File: smtpd/smtpd_check.c.
20020107
Bugfix: postfix-script, when creating a missing maildrop
queue directory, still referenced install.cf when setting
maildrop directory group ownership; and the postfix command
did not export the setgid_group parameter to the postfix-script
shell script. Victor Duchovni.
Bugfix: postfix-script, when creating a missing public
queue directory, did not set group ownership of the public
directory.
20020109
Cleanup: rewrote the Postfix installation procedure again.
It is now separated into 1) a primary installation script
(postfix-install) that installs files locally or that builds
a package for distribution and that stores file owner and
permission information in /etc/postfix/post-files, and 2)
a post-installation script (/etc/postfix/post-install) that
creates missing directories, that sets file/directory
ownership and permissions, and that upgrades existing
configuration files if necessary.
20020110
Workaround: AIX null read() return on an empty but open
non-blocking pipe. File: master/master_flow.c. Report:
Hamish Marson.
20020111
Feedback: feedback, bugfixes, and brain-dead shell workarounds
for the install scripts by Victor Duchovni and Simon Mudd.
20020113
Rewrote postfix-install. The postfix-files file now controls
what is installed. Refined the semantics of many post-install
operations. post-install now auto-saves settings that
override main.cf.
20020114
Bugfix: alternate_config_directories did not take comma or
whitespace as separators. File: global/mail_conf.c. Victor
Duchovni, Morgan Stanley.
Bugfix: the rewritten postfix-install script did not chattr
+S the Postfix queue.
20020115
Cleanup: added sample_directory and readme_directory
installation parameters for sample configuration files and
for README files. Files: postconf.c, postfix-install,
conf/postfix-files, conf/post-install.
Robustness: the postfix command now exports all installation
parameter settings, and input filters the environment, so
that the startup shell scripts produce a consistent result.
Files: postconf.c.
20020117
Portability: patch from LaMont Jones for compiling dict_ldap.c
with the Netscape SDK.
Feature: added "r" (recursive chown/chgrp) flag to the
postfix-files database, for more convenient change of
Postfix queue ownership. Files: conf/postfix-files,
conf/post-install.
20020122
Documentation: lots of little fixes.
Documentation: updates for the VIRTUAL_README file by Victor
Duchovni, Morgan Stanley.
Bugfix: postqueue -s dereferenced a null pointer when given
a numerical domain argument. LaMont Jones, HP.
Cleanup: smtpd now logs a warning when permit_sasl_authenticated
is used while SASL authentication is disabled, instead of
simply ignoring the restriction. LaMont Jones, HP. File:
smtpd/smtpd.c.
Safety: when postmap creates a non-existent file, the new
file inherits group/other read permissions from the source
file. Based on code by LaMont Jones, HP. File:
postmap/postmap.c.
20020123
Portability: some Linux systems install libnsl.so without
libnsl.a file, causing an yp_match undefined reference
problem. File: makedefs.
20020124
Portability: post-install now requests that command_directory
is given on the command line when the postconf command is
in an unusual place.
Safety: extra code to detect and report Berkeley DB version
mismatches between compile time and run time. This test
is limited to mismatches in the major version number only.
File: util/dict_db.c. Based on code by Lawrence Greenfield,
Carnegie-Mellon university.
Safety: the postfix command and the master daemon abort if
they are running set-uid.
Documentation: the postmap manual page described an out of
date input file format.
20020129
Workaround: SCO version 3.2 can't ioctl(FIONREAD) a pipe.
Therefore, input mail flow control is disabled by default.
Files: makedefs, global/mail_params.h, conf/main.cf.
Problem reported by Kurt Andersen, Agilent.
20020201
Workaround: changed the default smtpd_null_access_lookup_key
setting to <>, because some Bezerkeloid DB implementations
can't handle null-length lookup keys. File: global/mail_params.h.
Bugfix: backed out a null-length address panic call by
ignoring the problem, like Postfix did in the past. File:
global/resolve_local.c.
Safety: "postfix check" will now warn if /usr/lib/sendmail
and /usr/sbin/sendmail differ, and will propose to replace
one by a symlink to the other. File: conf/postfix-script.
20020204
Sanity: additional permission checks for "postfix check"
that warn for setgid_group group ownership mismatches. by
Matthias Andree, uni-dortmund.de. File: conf/postfix-script.
Bugfix: "postfix check" used a too simplistic way to
recognize file ownership (grepping ls output). It now uses
the recently discovered "find -prune". Peter Bieringer,
Matthias Andree. File: conf/postfix-script.
20020218
Workaround: log a warning and disconnect when an SMTP client
ignores our negative replies and starts sending message
content without permission. File: smtpd/smtpd.c.
20020220
Bugfix: mismatch in the file being locked by dict_dbm and
the file being locked by postmap, so that locks did not
work correctly. Victor Duchovni, Morgan Stanley.
20020222
Workaround: Solaris bug 4380626: strcasecmp() and strncasecmp()
produce incorrect results with 8-bit characters. For example,
non-ASCII characters could compare equal to ASCII characters,
and that could result in any number of security problems.
Files: util/strcasecmp.c, COPYRIGHT (the BSD license).
Bugfix: off-by-one error, causing a null byte to be written
outside dynamically allocated memory in the queue manager
with addresses of exactly 100 bytes long, resulting in
SIGSEGV on systems with an "exact fit" malloc routine.
Experienced by Ralf Hildebrandt; diagnosed by Victor
Duchovni. Files: *qmgr/qmgr_message.c. This is not a
security problem.
Bugfix: make all recipient comparisons transitive, because
Solaris qsort() causes SIGSEGV errors otherwise. Victor
Duchovni, Morgan Stanley. File: *qmgr/qmgr_message.c.
20020302
Bugfix: don't strip source route (@domain...:) when the
result would be an empty address. This avoids problems when
append_at_myorigin is set to "no" (which is not supported).
Problem reported by Charles McColgan, Big Fish Communications.
File: trivial-rewrite/rewrite.c.
20020304
Cleanup: postqueue should not not complain when output
fails with "broken pipe".
20020308
Bugfix? reply with 550 not 552 when content is rejected.
552 is reserved for "too much mail".
Documentation: add note to sendmail manual page that running
"sendmail -bs" as $mail_owner enables SMTP server UCE and
access control checks. This is meant for use from inetd
etc. Matthias Andree.
20020311
Bugfix: DBM maps should use different files for locking
and for change detection. Problem reported by Victor
Duchovni, Morgan Stanley. Files: util/dict.h util/dict.c
util/dict_db.c util/dict_dbm.c global/mkmap.c local/alias.c.
20020313
Bugfix: mailq could show addresses with unusual characters
twice. Problem reported by Victor Duchovni, Morgan Stanley.
File: showq/showq.c.
Bugfix: null recipients weren't properly recorded in
bounce/defer logfiles. Such recipient addresses are not
accepted in SMTP mail, but they could appear within locally
submitted mail. File: bounce/bounce_append_service.c.
20020318
Workaround: Berkeley DB can't handle null key lookups,
which happen with HELO names ending in ".". Victor Duchovni,
Morgan Stanley. File: smtpd/smtpd_check.c.
Logging: log a hint when mail is deferred because the
soft_bounce parameter is set. People sometimes forget to
turn it off. File: global/bounce.c.
20020319
Cleanup: add a msg_warn() call when fork() fails in
pipe_command(), to make problems easier to investigate.
Chris Wedgwood. File: global/pipe_command.c.
20020320
Feature: smtp_helo_name parameter to specify the hostname
or [ip.address] in HELO or EHLO commands. Files: smtp/smtp.c
smtp/smtp_proto.c.
20020324
Cleanup: more graceful handling of long physical message
header lines upon input. Physical header lines can now
extend up to $header_size_limit characters. When a logical
message header is too long, the excess text is discarded
and Postfix no longer switches to body mode, to avoid
breaking MIME encapsulation. Based on code by Victor
Duchovni, Morgan Stanley. Files: cleanup/cleanup_out.c,
cleanup/cleanup_message.c.
Cleanup: more graceful handling of long physical message
header or body lines upon output by the SMTP client. The
SMTP client output line length is controlled by a new
parameter smtp_line_length_limit (default: 990; specify 0
to disable the limit). Long lines are folded by inserting
<CR> <LF> <SPACE>, to avoid breaking MIME encapsulation.
Based on code by Victor Duchovni, Morgan Stanley. File:
smtp/smtp_proto.c.
20020325
Cleanup: allow additional text after a WARN command in a
header/body_checks pattern file, so that one can change
REJECT+text into WARN+text and vice versa. Based on code
by Fredrik Thulin, Stockholm University.
Cleanup: log a warning when an unknown command is found in
a header/body_checks pattern file, or when additional text
is found after a command that does not expect additional
text. Based on code by Fredrik Thulin, Stockholm University.
Bugfix: sendmail should not recognize "." as the end of
input when the current read operation started in the middle
of a line. Victor Duchovni, Morgan Stanley. File:
sendmail/sendmail.c.
20020328
Portability fix for OPENSTEP and NEXTSTEP by Gerben Wierda.
File: util/sys_defs.h.
20020329
Bugfix: defer_transports broke because the flush server
triggered mail delivery (as if ETRN was sent) while doing
some internal housekeeping of per-destination logfiles.
Problem experienced by LaMont Jones, HP. File: flush/flush.c.
Bugfix: virtual mapping broke for addresses with embedded
whitespace. Fix by Victor Duchovni, Morgan Stanley. File:
cleanup/cleanup_map1n.c.
Feature: configurable service name for the internal services:
bounce, cleanup, defer, error, flush, pickup, queue, rewrite,
showq. This allows you to specify, for example, a non-default
cleanup service (smtpd -o cleanup_service_name=alt_cleanup).
Files: global/mail_params.[hc].
Feature: SASL version 2 support by Jason Hoos. Files:
*/*_sasl_glue.c, SASL_README, conf/sample-auth.cf.
20020330
Bugfix: postqueue did not pass on non-default configuration
directory settings when running showq while the mail system
is down. The super-user is now exempted from environment
stripping in postqueue/postqueue.c. Problem reported by
Victor Duchovni, Morgan Stanley.
20020402
Workaround: recognize more headers that are sent instead
of SMTP commands. File: smtpd/smtpd.c.
20020413
Feature: new pipe delivery agent "D" flag to prepend a
Delivered-To: message header. This requires single recipient
deliveries. Based on code by Matthias Andree. File:
pipe/pipe.c.
20020414
Portability: Postfix will no longer attempt to build with
gdbm support, because gdbm is broken. File: makedefs.
20020415
Cleanup: the attribute list IPC code did not distinguish
between "disconnect" and "timeout" while reading an attribute
list, making trouble shooting more difficult than necessary.
Files: util/attr_scan0.c, util/attr_scan64.c.
Cleanup: install parameter defaults can now be overruled
from makedefs: sendmail_path, mailq_path, newaliases_path,
command_directory, daemon_directory. Based on code by Victor
Duchovni, Morgan Stanley. File: util/sys_defs.h.
20020411
Cleanup: Use more robust quoting passing makedefs/Makefile
settings. This also simplifies the seven backslashes example
in the INSTALL file. Victor Duchovni, Morgan Stanley.
Files: makedefs, INSTALL.
20020417
Bugfix: the post-install script failed to upgrade master.cf
settings from private to public if the service was explicitly
configured as private.
20020418
Documentation: added CPU saving patterns for quickly skipping
base 64 encoded text in message bodies. Liviu Daia. Files:
{proto,conf}/pcre_table, {proto,conf}/regexp_table,
conf/sample_{regexp,pcre}_body.cf.
20020426
Bugfix: the SMTP client forgot to quote whitespace etc.
in a sender/recipient address when DNS lookup was turned
off (disable_dns_lookups = yes). Problem experienced by
Chip Paswater. Files: smtp/smtp_proto.c.
20020501
Feature: wildcard lookup in transport maps (lookup key
"*"). Code developed with Lamont Jones, HP.
Feature: a null transport:destination transport map entry
means proceed as if the transport map lookup failed. Code
developed with Lamont Jones, HP.
Feature: more efficient use of cache memory when a process
opens multiple Berkeley DB tables; and faster performance
creating large tables by using more buffer memory. Files:
util/dict_db.[hc], global/mkmap_db.c. Victor Duchovni,
Morgan Stanley.
20020503
Cleanup: postqueue silently ignored command-line arguments
following -p or -f options, instead of complaining; postqueue
produced an incorrect error message (mail system down) when
the command was installed with incorrect privileges. File:
postqueue/postqueue.c.
Bugfix: while reporting a domain name or IP address syntax
error, postqueue could dereference a dangling pointer with
some getopt() implementations. LaMont Jones, HP. File:
postqueue/postqueue.c.
Safety: postalias and postmap now drop root privileges
while processing a non-root input file. Thus, the result
should be writable to the source file owner. Specify the
-o option if this is a problem. Files: postmap/postmap.c,
postalias/postalias.c.
Consistency: just like postmap, postalias now copies file
permissions from the source file when it creates a new
table for the first time. File: postalias/postalias.c.
20020504
Portability: run-time test to avoid GDBM trouble. File:
util/dict_dbm.c.
20020505
Cleanup: revised and simplified the transport map semantics.
Null transport or nexhop fields now mean: "do not change":
use what would be used if the transport map did not exist.
This change eliminated a lot of code. The incompatibility
is that a null transport field no longer defaults to
$default_transport, but to $local_transport or $default_transport
depending on the destination, and that a transport map only
overrides relayhost when the table specifies explicit
nexthop information. Files: trivial-rewrite/transport.c,
trivial-rewrite/resolve.c.
Cleanup: revised the user interface for controlling the
Berkeley DB create and read buffer size controls. Files:
util/dict_db.[hc], global/mail_params.[hc], global/mkmap_db.c.
20020507
Cleanup: simplified the hash/btree cache management code.
The caches are now per table instead of shared, and the
default read cache size is reduced to 128 kBytes. File:
util/dict_db.c.
20020508
Bugfix: close user@domain@postfix-style.virtual.domain
source routing relaying loophole involving postfix-style
virtual domains with @virtual.domain catch-all patterns.
Problem reported by Victor Duchovni. File: smtpd/smtpd_check.c.
Bugfix: mail_addr_map() used the "wrong" @ character in
addresses with multiple @. Victor Duchovni. File:
global/mail_addr_map.c.
Bugfix: for address localpart quoting, now quote @ as a
special character everywhere, except when resolving addresses.
Previously, the @ was nowhere quoted as a special character,
not even in SMTP commands. Files: global/quote_82[12]_local.c
and clients.
20020509
Safety: don't allow an OK access rule lookup result for
user@domain@postfix-style.virtual.domain. Suggested by
Victor Duchovni, Morgan Stanley. File: smtpd/smtpd_check.c.
Bugfix: quote unquoted address localparts that need quoting.
Files: global/tok822_parse.c, global/quote_82[12]_local.c.
Documentation: simplified the advanced content filtering
example, and included a more advanced example for those
who want to squeeze out more performance without running
multiple Postfix instances. Text by Victor Duchovni, Morgan
Stanley. File: README_FILES/FILTER_README.
20020510
Feature: header/body filters now log the origin of the
message that is being rejected. Files: smtpd/smtpd.c,
qmqpd/qmqpd.c, pickup/pickup.c, cleanup/cleanup_envelope.c,
cleanup/cleanup_message.c. Requested by Craig Sanders, if
I remember correctly.
Feature: the Postfix SMTP client now passes on MIME body
type information (8bit, 7bit) received via SMTP, via MIME
headers, or via the sendmail command line. Files:
global/deliver_request.c, smtpd/smtpd.c, sendmail/sendmail.c,
cleanup/cleanup_envelope.c, cleanup/cleanup_message.c,
cleanup/cleanup_extracted.c, *qmgr/qmgr_message.c,
*qmgr/qmgr_deliver.c, smtp/smtp_proto.c, lmtp/lmtp_proto.c.
20020511
Feature: bounces now specify the proper MIME encoding (8bit,
7bit), depending on the MIME body type information received
via SMTP, via MIME headers, or via the sendmail command
line. Files: global/bounce.c, global/defer.c, global/abounce.c,
bounce/bounce_service.c, bounce/bounce_notify_util.c.
20020512
Cleanup: the SMTP client logged and bounced the CNAME
expanded recipient address, and thereby complicated trouble
shooting. File: src/smtp_proto.c.
Bugfix: the SMTP and LMTP clients bounced the quoted
recipient address, resulting in too much quoting in bounce
reports. Files: src/smtp_proto.c, lmtp/lmtp_proto.c.
20020513
Bugfix: the LDAP client used the "wrong" @ character in
addresses with multiple @. LaMont Jones, HP. File:
util/dict_ldap.c.
Feature: lots of new LDAP stuff: result_filter (filter to
expand results from queries), chase_referrals, LaMont Jones,
HP. The LDAP bind timeout now works thanks to Victor
Duchovni, Morgan Stanley. File: util/dict_ldap.c.
Cleanup: specify "resolve_dequoted_address = no" to prevent
Postfix from looking inside quotes for extra @ etc. characters
when resolving an address. This behavior is technically
more correct, but it opens a mail relay loophole with "user
@domain"@domain when relaying mail to a Sendmail system.
20020514
Bugfix: the new code for header address quoting sometimes
did not null terminate strings so that arbitrary garbage
could appear at the end of message headers. Reported by
Ralf Hildebrandt. File: global/tok822_parse.c.
Safety: user@domain@domain is no longer accepted by the
permit_mx_backup uce restriction (unless Postfix is configured
with "resolve_dequoted_address = no"). Victor Duchovni,
Morgan Stanley. File: smtpd/smtpd_check.c.
20020515
Workaround: flush the SMTP client output buffer when no
output has happened for 10+ seconds. This prevents the
socket from timing out, in case DNS CNAME expansion is
slow. Problem experienced by Alex Erdelyi, peregrine.com.
File: smtp/smtp_chat.c. We did the same thing for the SMTP
server years ago, and one wonders why the coin didn't drop
at the time that the SMTP client could suffer from a similar
problem.
20020516
Updated the FILTER_README file to turn off DNS lookups in
the SMTP client that feeds mail into a content filter.
20020517
Cleanup: Mailbox-Line: message header labels should be
X-Mailbox-Line: labels. Files: smtpd/smtpd.c, qmqpd/qmqpd.c.
20020515-21
Feature: new MIME parser, written from scratch, that
recognizes the structure of MIME encapsulated mail. Influenced
by comments from Victor Duchovni. This code can detect but
will not decode obscure MIME formats or obscure character
string encoding that Liviu Daia expresses concern about.
MIME header scanning now happens in header_checks, and is
faster than body_checks could ever be. This also eliminates
the problem with multi-line MIME headers being matched one
line at a time. Files: global/mime_state.[hc],
cleanup/cleanup_message.c.
20020521-22
Feature: 8-bit to quoted-printable conversion. First use
in the Postfix SMTP client. File: smtp/smtp_proto.c.
Logging: the Postfix SMTP and LMTP clients now report the
the protocol stage when they report a server reply. File:
smtp/smtp_proto.c, lmtp/lmtp_proto.c.
Bugfix: the SMTP server warned about ignored client attributes
(these were introduced 20020510) in mail that was submitted
with "sendmail -bs". File: smtpd/smtpd.c.
20020525
Feature: separation of header checks into header_checks
(all primary headers except MIME related headers),
mime_header_checks (all MIME headers including MIME headers
at the start of messages) and nested_header_checks (headers
of attached messages, except MIME related headers).
Cleanup: broke out the header value parser from the MIME
processor so that the code can be reused elsewhere. File:
global/header_token.c.
Compatibility: Postfix now recognizes "name :" as a valid
message header, but normalizes it to "name:" form or else
lots of things would break all over the place. Files:
global/is_header.c, global/mime_state.c.
20020526
Bugfix: the SMTP server now disallows RCPT TO:<"">, just
like it disallows RCPT TO:<>. File: smtpd/smtpd.c.
Feature: disable_mime_input_processing=yes/no controls
whether Postfix recognizes (and optionally enforces) MIME
formats while receiving mail. Default is NO.
Feature: disable_mime_output_conversion=yes/no controls
whether Postfix will convert 8BITMIME to 7BIT mail when
delivering mail to an SMTP server that does not announce
8BITMIME support. Default is NO.
Feature: strict_8bitmime=yes/no controls whether Postfix
rejects 8-bit characters in headers and 7-bit body parts.
This blocks mail from poorly written software, including
majordomo approval requests that contain a valid 8BITMIME
email message, as well as mail that is piped into ancient
/bin/mail implementations that do not MIME format 8-bit
content. Default is NO.
Feature: strict_mime_encoding_domain=yes/no controls whether
Postfix rejects illegal content transfer encodings for
multipart/* and message/*. This blocks mail from poorly
written software. Default is NO.
20020527
Feature: "FILTER transport:nexthop" in header/body checks.
After the message is queued, the message is sent through
a content filter. This requires different cleanup servers
before and after the filter, with header/body checks turned
off in the second cleanup server.
20020528
Feature: strict_7bit_headers and strict_8bitmime_body are
now separately available. To to turn on both, use
strict_8bitmime.
Cleanup: abandon the use of isspace(3) in the parsing of
RFC822 message headers. Files: global/lex_822.h and lots
of little places.
Documentation: replace domain.name by domain.tld in the
example config files. The domain exists. They were getting
mail from poorly configured Postfix boxes.
Bugfix: The Postfix sendmail command did not export the
MAIL_CONFIG environment setting to the postdrop command.
File: global/mail_config.h.
Incompatibility: by default, turn on the PCRE_DOTALL flag,
so that PCRE patterns will match multi-line message headers
without causing pain. Suggested by Michael Tokarev. Also
documented all those darned undocumented PCRE flags in the
pcre_table(5) manual page. Files: util/dict_pcre.c,
proto/pcre_table.
20020529
Bugfix: mail rejected due to MIME errors was rejected
without proper logging. Files: global/mime_state.c,
cleanup/cleanup_message.c.
20020531
Bugfix: the SMTP client code that prepends '.' to lines
starting with '.' had to be moved from its old place to
after the MIME output conversion. Problem found by Mark
Martinec. File: smtp/smtp_proto.c.
20020601
Bugfix: the deliver_pass() routine needed updating for the
extra MIME encoding attribute that was introduced 20020510.
Patch by Sebastian Schaffert @ wastl.net. File:
global/deliver_pass.c.
20020604
Workaround: Solaris non-blocking read() can fail on a socket
with unread data according to ioctl FIONREAD. Incredible.
Diagnosis by Max Pashkov. File: smtp/smtp-sink.c.
Weird feature: sender-based routing. This will become more
useful once per-address transport map entries are done.
File: src/*qmgr/qmgr_message.c.
20020605
Safety: header_address_token_limit limits the amount of
memory and CPU that we're willing to spend while parsing
addresses in message headers. The limit is expressed as a
number of tokens. File: global/tok822_parse.c
20020608
Feature: user@domain transport map lookup, based on code
by Scott Cotton, from several years ago. Adding this code
now was much less painful than it was in the past. Files:
global/strip_addr.c, trivial-rewrite/transport.c.
20020610
Cleanup: making user@domain transport map lookups work with
sender-based routing was a bit tricky, because the null
address must be handled sensibly. Files: global/resolve_clnt.c,
trivial-rewrite/resolve.c. It ain't perfect yet, but close.
20020613
Bugfix: postsuper -r was broken as of 20020510. The cleanup
daemon would discard mail with MIME type information. Moved
a bunch of sanity checks from the cleanup daemon to the
pickup daemon, so the checks are in one place. Problem
experienced by Pavol Luptak. Files: pickup/pickup.c,
cleanup/cleanup_extracted.c.
20020705
Safety: log a warning when a domain is listed in mydestination
and (virtual_maps or virtual_mailbox_maps). This configuration
error causes the Postfix SMTP server to reject recipients
when the local_recipient_maps feature is enabled. File:
smtpd/smtpd_check.c.
200207011
Portability: in the master daemon, the default now is to
enable the signal handler code that writes a byte into a
pipe, instead of the signal handler code that sets a global
flag and hopes that select() will somehow wake up. File:
master/master_sig.c. This is needed for some IRIX and
UnixWare versions, but it should also produce a robust
result on all other supported systems.
Performance: the default SMTP connection establishment
timeout is now 30 seconds, instead of the system default
which can be atrociously large.
20020712
When DNS lookup fails while delivering mail, report not
only the domain name but also the DNS record type. This
should clue in people who ask why Postfix can't find a
domain while nslookup can. File: dns/dns_lookup.c.
20020713
Bugfix: undo change made at 20020610 that causes the trivial
resolver client to loop when an address consists entirely
of @ and . characters. File: trivial-rewrite/resolve.c.
Cleanup: Postfix no longer strips multiple '.' at the end
of a domain name. One '.' is silently tolerated. Files:
trivial-rewrite/rewrite.c, trivial-rewrite/resolve.c,
global/resolve_local.c. This policy is too distributed.
20020715
Feature: @domain.tld catch-all map entries for the virtual
mail delivery agent. Files: global/virtual8_maps_find.c,
virtual/mailbox.c, smtpd/smtpd_check.c.
Feature: the virtual mail delivery agent now accepts address
extensions (user+foo@domain.tld), ignores them when looking
up users in its tables, but displays them in Delivered-To:
message headers. File: global/virtual8_maps_find.c.
20020716
Feature: domain names in a masquerade_domains list can now
be prefixed with !, in order to disable masquerading for
that domain name and for its subdomains. File:
cleanup/cleanup_masquerade.c.
20020717
Bugfix: Mac OS X niscript (Netinfo) update by Gerben Wierda.
File: auxiliary/MacOSX/niscript.
Feature: The SMTP server reject_unknown_whatever restrictions
now also attempt to look up AAAA (IPV6 address) records.
Jun-ichiro itojun Hagino, IIJ labs. Files: smtpd/smtpd_check.c,
dns/dns_lookup.c.
20020718
Bugfix: unnecessary lookups for extended addresses by the
virtual8_maps_find() routine. Victor Duchovni. His patch
did not work, nor did my own, but the present version should
be OK. File: global/virtual8_maps_find.c.
20020719
Workaround: log a warning when an SMTP client name->address
lookup results in a numeric IP address, and set the client
hostname to "unknown". Some gethostbyname() implementations
will actually accept such garbage and thereby allow sites
to defeat the "reject_unknown_client" restriction. Problem
reported by Wolfgang Rupprecht, fix based on analysis (but
not code) by Victor Duchovni.
Bugfix: memory leaks in the LDAP client by Victor Duchovni.
File: util/dict_ldap.c.
Bugfix: garbage in verbose "flush" server logging. Victor
Duchovni. File: flush/flush.c.
20020723
Incompatibility: smtpd_sasl_local_domain now defaults to
the null string. File: smtpd/smtpd.c, smtpd/smtpd_sasl_glue.c.
20020726
Documentation: added GDB debugging instructions for sites
that do not have X installed on the Postfix machine. Henrik
Larsson, spambox.dk.
20020729
Weird: installed RedHat 3.03 inside VMware, and no change
was needed to build Postfix, except to recognize the Linux
version.
Bugfix: some mailers will announce ESMTP features in their
HELO (not EHLO) response. Postfix did not ignore them.
File: smtp/smtp_proto.c.
20020731
Cleanup: permit_naked_ip_address is unsafe (especially when
used with smtpd_recipient_restrictions) and will go away.
Postfix now logs a warning. File: smtpd/smtpd_check.c.
20020801
Cleanup: the warning message for matched header/body content
was misleading. File: cleanup/cleanup_message.c.
Safety: moved the "postsuper -r ALL" operation after the
"postsuper -s" check that makes queue file names match
inode numbers. This avoids loss of mail in the unlikely
case that someone runs "postsuper -sr ALL" on a queue that
was copied from another place.
Feature: "postsuper -h" to put mail "on hold" and "postsuper
-H" to release mail that was placed "on hold". This involves
a new queue, which is appropriately named "hold". Files:
postsuper/postsuper.c, showq/showq.c.
20020803
Feature: when a Delivered-To: mail delivery loop is detected,
send the bounce to the mailing list owner. This required
changes to the local delivery agent, a new bounce client
stub, and a new bounce server stub and support routines
for one recipient bouncing. Files: local/recipient.c,
global/bounce_log.c, global/bounce.c, bounce/bounce.c,
bounce/bounce_notify_util.c, bounce/bounce_one_service.c.
20020809
Bugfix: the 20020531 bugfix could prepend '.' to lines when
it shouldn't (but only when converting 8-bit mail to 7-bit).
Problem experienced by Ralf Hildebrandt. File:
smtp/smtp_proto.c.
Bugfix: smtpd_sender_login_maps did not do the @domain etc.
wild-card lookups that were promised. Problem experienced
by Sven Michels. File: smtpd/smtpd_check.c.
20020810
Feature: new smtp-sink command-line options to specify the
SMTP hostname, to disable ESMTP protocol support, to disable
8BITMIME support, and to syslog selected commands. File:
smtpstone/smtp-sink.c.
20020814
Feature: the queue manager now warns when mail for some
destination is piling up in the active queue, and suggests
a variety of remedies. The qmgr_clog_warn_time parameter
controls the time between warnings, mainly so that I could
test the code. To disable these warnings, specify
"qmgr_clog_warn_time = 0". Files: *qmgr/qmgr_entry.c.
20020815
Paranoia: truncate the DNS response length result value in
case it is larger than the result buffer length (the resolver
documentation is vague about this). File: dns/dns_lookup.c.
20020816
Cleanup: "postqueue -f" now also triggers delivery of mail
in the maildrop directory. This is needed when the master
does not frequently wake up the pickup service. Files:
global/mail_flush.c, postqueue/postqueue.c.
20020818
Cleanup: the qmgr_site_hog_factor feature is gone (defer
mail if a site uses up too much space in the active queue).
Instead, the qmgr_clog_warn_time feature provides better
solutions. File: qmgr/qmgr_message.c.
20020819
Feature: new header/body_checks HOLD pattern that causes
mail to be placed on the "hold" queue for manual inspection.
Files: global/hold_message.[hc], cleanup/cleanup_message.c.
20020820
Bugfix: yesterday's HOLD pattern code did not update the
cleanup server's idea of the queue file name for error
recovery and for error reporting purposes, so that incomplete
or content rejected mail would not be deleted from the
queue, and so that the bouncer would not find the queue
file.
Bugfix: the #ifdef that detects too old LDAP libraries was
in the wrong place. Victor Duchovni. File: util/dict_ldap.c.
Feature: new header/body_checks DISCARD pattern that causes
mail to be silently discarded. Files: global/cleanup_user.h,
cleanup/cleanup_message.c, cleanup/cleanup_api.c.
Bugfix: the local delivery agent's mailbox duplicate delivery
eliminator was not updated in the days that address extensions
were added to Postfix. The other local duplicate eliminators
probably need revision as well. File: local/mailbox.c.
20020821
Feature: HOLD and DISCARD actions in SMTPD access tables.
These requests are propagated to the cleanup daemon. Files:
cleanup/cleanup_envelope.c smtpd/smtpd_check.c.
Cleanup: eliminate unnecessary references to the obsolete
program_directory configuration parameter (but keep the
parameter so as to not break existing installations).
Matthias Andree, many little changes in documentation.
20020822
Bit Rot: OpenLDAP incompatible change with URL parsing.
Patches by Will Day, Georgia Tech, and Carsten Hoeger,
SUSE. File: util/dict_ldap.c.
20020823
Bugfix: added a missing memset() call to wipe the lookup
key in dict_db_delete(). This is needed by some Berkeley
DB implementations. Patch by Katsu Yamamoto, Fujitsu.
Bugfix: when permit_mx_backup is unable to make a decision
due to DNS problems, set the "defer if reject" flag so that
other restrictions will not cause mail to be rejected.
File: smtpd/smtpd_check.c.
Feature: instead of giving up immediately after DNS failure,
turn on the "defer_if_permit" flag when reject_unknown_hostname,
reject_unknown_sender_domain or reject_unknown_recipient_domain
are unable to make a decision, and see if any subsequent
restrictions would still cause the mail to be rejected.
File: smtpd/smtpd_check.c.
Feature: "FILTER transport:nexthop" is now also available
in SMTPD access tables.
20020826
Workaround: HP-UX 11 accept() fails with ENOBUFS when the
client disconnects early. File: sane_accept.c.
20020901
Cleanup: postfix-install no longer installs all the manual
pages under $POSTFIXSOURCE/man, so we can generate manual
pages for smtp-sink etc. File: man/Makefile.in.
20020903
Bugfix: the rmail script should have been updated when
Postfix sendmail was changed to recognize `.' as the end
of input. Problem fix by Christian Kratzer, cksoft.de.
File: auxiliary/rmail/rmail.
Feature: specify "maximal_queue_lifetime = 0" for mail that
should be returned immediately after the first unsuccessful
delivery attempt. Files: qmgr/qmgr.c, nqmgr/nqmgr.c.
20020904
Bugfix: qmail compatibility: qmqpd should support any
character at the end of the VERP prefix in prefix@host-@[].
Based on a patch by LaMont Jones, HP.
20020905
Feature: "smtpd_data_restrictions = reject_unauth_pipelining"
blocks mail from SMTP clients that send message content
before Postfix has replied to the DATA command. File:
smtpd/smtpd.c, smtpd/smtpd_check.c.
Bugfix: the LDAP client dumped core in verbose mode.
Reported by Will Day and others. File: util/dict_ldap.c.
20020906
Cleanup: dict_regexp module speedups by avoiding unnecessary
substring overhead while matching strings. Based on a
suggestion by Liviu Daia. This involved major rewriting of
the regexp map code. File: util/dict_regexp.c.
20020907
Feature: IF..ENDIF support based on code by Bert Driehuis.
This involved a further rewrite of the regexp map code.
File: util/dict_regexp.c.
200209010
Bugfix: the SMTP client produced suprious warnings about
trouble with fallback_relay hosts. File: smtp/smtp_connect.c.
Robustness: don't wait with detecting broken SMTP connections
until reading input. Leandro Santi. File: smtpd/smtpd_chat.c.
200209011
Workaround: IRIX 6 can't do ioctl FIONREAD on pipes. This
breaks the in_flow_delay feature. File: util/sys_defs.h.
20020912
Bugfix: canonical/virtual mapping core dump with a null
right-hand side address. Report by Jussi Silvennoinen.
File: global/mail-addr_crunch.c.
Feature: IF..ENDIF support based on code by Bert Driehuis.
This involved a rewrite of the pcre map code similar to
the regexp map code. File: util/dict_pcre.c.
20020917
Feature: on Linux, support for PCRE lookup tables is now
compiled in if the PCRE library code is found under
/usr/include and /usr/lib. File: makedefs.
20020918
Documentation: postsuper(1) did not document the -c option.
Bugfix: possible longjump() before setjmp(). File:
smtpd/smtpd.c.
Bugfix: pickup should not preserve INSPECT or FILTER records
from "postsuper -r". File: pickup/pickup.c.
20020919
Feature: "reject_rbl <domain>" for client address blacklisting
by LaMont Jones, including $name expansion for per-domain
customized response messages. The obsolete reject_maps_rbl
is now a wrapper that uses the new code.
20020921
Internal: added caching and factored out common code that
will be used for both reject_rbl and for the upcoming
reject_rhsbl restriction.
20020922
Feature: "reject_rhsbl <domain>" for sender domain
blacklisting. Provides the same per-domain customized
response message mechanisms with $name expansion as
reject_rbl.
Safety: the smtpd_expansion_filter parameter controls what
characters are allowed in the expansion of $name macros in
template RBL responses.
Cleanup. In order to make sensible warnings possible when
expanding a non-existent $name in RBL reply templates,
mac_expand() had to be changed so that an empty string
result (i.e. the name does exist) will no longer cause
${name?text} to succeed. File: util/mac_expand.c.
20020923
Cleanup. Renamed the RBL features according to a scheme
that was suggested by Liviu Daia in October 2001. The names
are reject_rbl_client and reject_rhsbl_sender, respectively.
Added domain name based reject_rhsbl_client and
reject_rhsbl_recipient restrictions for completeness. The
reject_rbl restriction name is still recognized for
compatibility with systems maintained by LaMont Jones.
20020924
Bugfix: reject_rhsbl_<mumble> was broken when <mumble> was
unavailable, causing the restrictions parser to get out if
sync. Spotted by Ralf Hildebrandt. File: smtpd/smtpd_check.c.
20020928
Bugfix: missing %s in the 20020923 RBL code. This was not
exploitable because Postfix implements only a safe subset
of all printf format operators and because memory for the
result is dynamically allocated. Victor Duchovni. File:
smtpd/smtpd_check.c.
20020929
Updated MacOSX support scripts from Gerben Wierda. Files:
auxiliary/MacOSX/*.
20021009
Bugfix: SIZE errors should be reported at MAIL FROM time,
and should not be postponed (with smtpd_delay_reject = yes)
until RCPT TO time. Reported by Jeroen Scheerder, Utrecht
University. Files: smtpd/smtpd.c smtpd/smtpd_check.c.
20021013
When Postfix development started, Linux mail delivery
software such as procmail did not use kernel locks, and
Postfix picked one that seemed plausible, namely, flock().
In the mean time, Linux mail delivery software seems to
have standardized on fcntl() locks. File: util/sys_defs.h.
Feature: body_checks_size_limit parameter to specify how
much of a message body segment (or attachment, if you prefer
to use that term) is subjected to body_checks inspection.
Default limit: 50 kbytes. Files: global/mime_state.c,
cleanup/cleanup_message.c.
20021015
Bugfix: the code for missing postmaster/mailer-daemon
aliases had to be moved after the code that implements the
luser_relay feature. Files: local/alias.c, local/unknown.c.
Weird? The LMTP client lowercased the MAIL FROM and RCPT
TO addresses. Some remnant of code that someone put in
there long ago. File: lmtp/lmtp_proto.c.
20021024
Feature: proxy_interfaces parameter. Specify your NAT or
other proxy addresses here to avoid mail delivery loops.
Files: global/mail_params.[hc] global/own_inet_addr.[hc]
global/resolve_local.c smtp/smtp_addr.c smtpd/smtpd_check.c.
Paranoia: defend against a very unlikely false alarm in
safe_open().
20021025
Feature: X-Original-To: message headers with the raw original
envelope recipient.
Logging: status=sent/deferred/bounced/ logging now includes
the original recipient address if it differs from the final
address.
20021026
Logging: SMTP UCE reject/warn/hold/discard logging now
includes queue ID. This will break some logfile analyzers.
Logging: SMTP UCE reject/warn/hold/discard logging now
includes the protocol name and, if available, the hostname
given in the SMTP HELO or EHLO command.
Logging: header/body_checks reject/warn/hold/discard logging
now includes the protocol name and, if available, the
hostname given in the SMTP HELO or EHLO command.
20021028
Bugfix: don't reset state after rejected EHLO. Reset state
after HELO. Reported by Karthikeyan Bhargavan, upenn.edu.
Files: smtpd/smtpd.c.
20021029
Bugfix: local(8) did not prepend an X-Original-To: message
header while delivering to command, and local(8) did not
document the X-Original-To: message header.
Workaround: DJBDNS produces a bogus A record when given a
numerical hostname. File: dns/dns_lookup.c.
20021030
Portability: support for Berkeley DB version 4.0 but not
for Berkeley DB version 4.1 (yes, the API is different).
Postfix is now going to be paranoid about the minor version
number, too. File: util/dict_db.c.
Documentation: updated LMTP_README file by Amos Gouaux.
20021031
Bugfix: (bug introduced 20021026) log NOQUEUE when rejecting
ETRN, instead of trying to log a non-existent queue ID.
Victor Duchovni, Morgan Stanley. File: smtpd/smtpd_check.c.
Cleanup: allow optional text after commands in SMTPD access
maps. Based on initial effort by Victor Duchovni, Morgan
Stanley. File: smtpd/smtpd_check.c.
Portability: support for Berkeley DB version 4.1. This
version refuses to open zero-length files. This complicates
lock management and requires extra code to remove broken
files. Files: util/dict_db.c, global/mkmap*.[hc].
20021101
Bugfix: don't complain about out-of-order original recipient
records for finished recipients. Files: *qmgr/qmgr_message.c,
cleanup/cleanup_envelope.c, cleanup/cleanup_extracted.c.
Cleanup: further simplified the mkmap wrapper (used by
postmap and postalias only) to remove some hurdles for
Michael Tokarev's CDB support. Files: global/mkmap*.[hc].
20021105
Postalias now produces YP_LAST_MODIFIED and YP_MASTER_NAME
records only when NIS support is compiled in. File:
postalias.c.
20021106
Postalias now puts $myhostname in the YP_MASTER_NAME record,
instead of the possibly bogus gethostname() result. File:
postalias.c.
The PCRE map code did not reject non-numeric replacement
indices in replacement text, and silently treated $text as
$0. Found by Michael Tokarev. File: dict_pcre.c.
20021108
Cleanup: the behavior of the SMTP server's defer_if_permit
flag was changed, in order to maximize the opportunity to
permanently reject mail without opening opportunities for
losing legitimate mail. This was done in cooperation with
Victor Duchovni, Morgan Stanley. File: smtpd/smtpd_check.c.
The defer_if_permit flag is still set when an UCE reject
restriction fails due to a temporary (e.g., DNS) problem,
to prevent unwanted mail from slipping through. However,
the flag is no longer tested at the end of client, helo or
sender restrictions. Instead, the flag is now tested at
the end of the ETRN and recipient restrictions only.
The behavior of the warn_if_reject restriction has changed.
It no longer activates any already made defer_if_permit or
defer_if_reject decisions (the defer_if_reject flag is set
when some UCE permit restriction fails due to a temporary
(DNS) problem, to avoid loss of legitimate mail).
Bugfix: instead of setting the defer_if_permit flag, a
failing reject restriction after warn_if_reject now merely
logs that it would have caused mail to be deferred.
A failing permit restriction after warn_if_reject still
raises the defer_if_reject flag, to avoid loss of legitimate
mail.
20021109
Bugfix: a misguided change to the .forward macro expansion
filter broke .forward file lookup.
Bugfix: missing defer_if_permit test in smtpd_data_restrictions.
Victor Duchovni. File: smtpd/smtpd_check.c.
20021112
Robustness: increase the mime_nesting_limit from 20 to 100,
so that bounces can't loop. Each bounces increases the MIME
nesting level by one. Ralf Hildebrandt and Victor Duchovni.
20021113
Robustness: reinstated SMTP client command flushing to
avoid pipeline stalls. File: smtp/smtp_chat.c.
20021114
Robustness: distinguish between timeout and "lost connection"
when the SMTP server is unable to send a reply to the remote
client. File: smtpd/smtpd_chat.c.
20021115
Bugfix: initialization error with "*" transport table
lookup, reported by LaMont Jones. The transport map lookup
code had grown into a monster and needed to be replaced.
trivial-rewrite/transport.c.
20021115
Start implementing recipient verification. For now this is
done by adding trace flags to queue files. In case of a
verification request, a delivery agent does not deliver,
deliver, it just records what would happen.
This required instrumenting the bounce/defer/sent logging
routines to send their data to the right place depending
on the type of delivery request.
20021116
New trace service. This is used for reporting if a recipient
is deliverable (sendmail -bv) and for producing a record
of delivery attempts (sendmail -v). The report is sent via
email, using the bounce daemon. Files: global/trace.[hc].
This required replacing the bounce/defer logfile format by
an extensible name=value format. Files: global/bounce_log.c,
bounce/bounce_append_service.c.
20021117
New address verification service with simple expiration
and refresh policy. Storage can be in-core or in permanent
table. The daemon is appropriately called "verify". Files:
global/verify_clnt.[hc], verify/verify.c.
20021118
Cleaning up the code for tracing and verification. Files:
global/{log_adhoc,bounce,defer,trace,verify}.[hc].
20021119
New address_verification_negative_cache = yes/no parameter
controls whether Postfix stores the result of negatieve
address verification probes. This reduces cache pollution
but causes Postfix to send a probe for each address
verification service query. File: verify/verify.c.
Added optimistic caching to the verify daemon, so that one
failed probe will not clobber a known to be good address.
As long as some probes succeeed, a good address will stay
cached as OK.
Cleaning up of the bounce daemon's code for bounce, delayed
mail warning and trace notification. Files: bounce/*.[hc],
global/bounce_log.c.
20021120
Changed the probe's sender address to "postmaster" so that
we get better information about the address we're testing.
File: verify/verify.c.
Added some paranoia to the routine that reads data from
the address verification cache. Ignore data that is obviously
bogus. File: verify/verify.c.
20021121
Bugfix: garbage in "user@garbage"@domain address forms may
cause the SMTP or LMTP client to terminate with a fatal
error exit because garbage/tcp is not an existing service.
This cannot be abused to cause the SMTP or LMTP client to
send data into unauthorized ports. Files: *qmgr/qmgr_message.c,
trivial-rewrite/resolve.c.
20021124
Bugfix: don't use same VSTRING buffer for reading and
writing. File: verify/verify.c.
20021128
Feature: hashed hold queue support, with hashing turned on
by default. Omission spotted by Victor Duchovni, Morgan
Stanley. Files: global/hold_message.c, global/mail_params.h.
Bugfix: the LMTP client lost the port(service) information
when parsing host:port information. Victor Duchovni, Morgan
Stanley. Fix is to have a new host_port(3) module that does
the parsing for the SMTP and LMTP clients.
Cleanup: host_port() routine that parses host/port information
more consistently than the existing code in the LMTP and
SMTP clients. Files: smtp/smtp_connect.c, lmtp/lmtp_connect.c,
util/host_port.[hc].
20021130
Cleanup: defer mail when recipient verification takes too
long. File: smtpd/smtpd_proto.c.
Feature: new reject_multi_recipient_bounce restriction, to
reject "MAIL FROM: <>" with multiple recipients. File:
smtpd/smtpd_check.c.
20021201
Compatibility: ignore the new Sendmail -A option. File:
sendmail/sendmail.c.
Workaround: sendmail -v now produces no output. You need
to specify -v -v instead. This is to avoid problems when
people request verbose mail delivery in their mail.rc file.
File: sendmail/sendmail.c.
20021202
Cleanup: hash_queue_depth now defaults to 1 level of
subdirectories. This makes "mailq" faster on most systems,
but will result in poorer worst-case performance when lots
of mail is queued.
The check_relay_domains restriction is going away. The SMTP
server logs a warning and suggests using reject_unauth_destination
instead.
Cleanup: the local(8) and virtual(8) delivery agents did
not prepend X-Original-To: addresses to maildir files.
Omission spotted by Matthias Andree.
Specify "address_verify_sender=" or "address_verify_sender=<>"
to use a null sender address while doing address verification
probes. Beware, doing so may trigger false negatives
because some sites reject mail from the null sender, even
though this is required by RFC standards.
Bugfix: too many levels of dereferencing while testing for
missing reject_rbl_mumble domain names. Patrik Rak. File:
smtpd/smtpd_check.c.
20021203
Bugfix: the FILTER access table action included the FILTER
command in the filter request, where only the transport+destination
were expected. Noel Jones. File smtpd/smtpd_check.c.
Cleanup: virtual_maps is now called virtual_alias_maps, in
order to better distinguish it from virtual_mailbox_maps.
The default value is $virtual_maps for backwards compatibility.
New parameters virtual_alias_domains and virtual_mailbox_domains
for the "domain.tld whatever" lookups. These use the same
syntax as the mydestination parameter. Default settings
are backwards compatible with Postfix 1.1.
Concept: just like $mydestination+$inet_interfaces control
what routes to $local_transport, $virtual_mailbox_domains
now controls what routes to $virtual_transport (default
transport: virtual), and $relay_domains now controls what
routes to $relay_transport (default transport: relay, a
clone of the smtp transport). Everything else routes to
$default_transport as before. This eliminates the need
for transport map entries for every virtual(8) domain, and
avoids performance problems with inbound relay mail. This
was improvement was suggested by Victor Duchovni. File:
trivial-rewrite/resolve.c.
20021206
Cleanup: do allow regexps in aliases, virtual mailbox maps
but do not allow regular expression substitutions. Files:
util/dict.h, util/dict_regexp.c, util/dict_pcre.c.
20021207
Cleanup: deleted the description of sendmail-style virtual
domains from the virtual(5) manual page. This part of
Postfix was too confusing.
Performance: RFC 2821 blesses the use of CNAME domain names
in MAIL FROM and RCPT TO. Not having to expand CNAME domain
names speeds things up a bit. File: smtp/smtp_proto.c.
Workaround: exclude error mailer destinations from transport
mapping lookups :-(. File: trivial-rewrite/resolve.c.
Cleanup: relocated_maps lookups are now moved to the
trivial-rewrite server. As of now, the queue manager no
longer does any map lookups, so it won't restart when maps
change. Files: *qmgr/qmgr_message.c, trivial-rewrite/resolve.c.
Robustness: because the trivial-rewrite server now does
many more table lookups, some of which are often LDAP or
SQL based, trivial-rewrite clients must be be prepared for
the case that the resolver reports a failure while processing
a request (when it was unable to access a lookup table).
Files: trivial-rewrite/resolve.c, local/resolve.c,
smtpd/smtpd_check.c.
Robustness: moving possible LDAP or SQL table lookups into
the trivial-rewrite server also required that trivial-rewrite
be running as multiple processes to reduce lookup latencies.
Files: master/multi-server.c.
Workaround: don't discard all the DNS lookup results when
only one of the results has a malformed name or address.
File: dns/dns_lookup.c.
20021208
Cleanup: with the preliminary address domain classification
concept as implemented by the trivial-rewrite address
resolver, a lot of table lookups could be eliminated from
the SMTP server. Files: smtpd/smtpd_check.c.
Feature: new relay_recipient_maps parameter, for optional
maps with all the recipients in the domains that match
$relay_domains (so you can reject mail for unknown relay
recipients). This is for consistency with virtual_xx_maps
and virtual_xx_domains, and with local_recipient_maps and
the local delivery agent. File: smtpd/smtpd_check.c.
Cleanup: removed support for obsolete #number domain forms.
File: smtpd/smtpd_check.c.
20021209
The Postfix installation procedure no longer sets the
"chattr +S" bit on Linux queue directories. Wietse has
gotten too annoyed with naive reviewers who complain about
performance without having a clue of what they are comparing.
"Security": local_recipient_maps is now turned on by default,
to reject mail for non-existent users at the SMTP port.
See conf/main.cf for instructions, section REJECTING UNKNOWN
LOCAL USERS.
Safety: detection of missing or inaccessible passwd file
database, to prevent massive complaints from people who
suddenly lose all their mail because local_recipient_maps
is now turned on by default.
20021210
Feature: recipient address verification, using the code
that already implements sender address verification. Based
on suggestion by Matthias Andree. Files: src/smtpd/smtpd.c,
src/smtpd/smtpd_check.c.
20021211
Performance: doubled the default process limit (50->100)
and default queue manager active queue message/recipient
limits (10k->20k). File: global/mail_params.h.
Bugfix: the change that begot us multiple trivial-rewrite
processes (good) also gave us multiple verify daemons (bad).
File: conf/post-install.
20021212
Cleanup: allow transport map lookups to override error
mailer results (to avoid breaking existing installations),
and do transport map lookups before relocated map lookups.
Files: trivial-rewrite/resolve.c, trivial-rewrite/transport.c.
Shortened the verify server's negative cache refresh time
from 12 hours to 2 hours. File: global/mail_params.h.
Admin friendliness: the SMTP server now reports "User
unknown in {local recipient | virtual alias | virtual
mailbox | relay recipient} table". This will make trouble
shooting a little easier. Files: smtpd/smtpd_check.c,
trivial-rewrite/resolve.c.
20021213
Cleanup: transport map entries with null nexthop ignored
relayhost settings. Making the code simpler also made it
more correct. Files: trivial-rewrite/resolve.c,
trivial-rewrite/transport.c.
Feature: "helpful_warnings" (default: yes) that can be
turned off if you really know what you're doing and want
to eliminate some unnecessary work.
Feature: enforcement of master.cf process limits for
processes such as qmgr and pickup that must run alone, and
processes such as cleanup and bounce that must run without
explicit process count limit. If an incorrect process limit
is specified in master.cf the service aborts.
20021214
Cleanup: it looks like we finally get it right with transport
lookup table entries that either override or specify an
error transport without updating the nexthop information.
File: trivial-rewrite/resolve.c.
Robustness: don't probe the sender address when probed for
our own address verification probe sender address. File:
smtpd/smtpd_check.c.
Performance: don't do UCE checks (which may result in 4xx
SMTP reply codes, and thus, repeated delivery attempts)
when we already know that the recipient does not exist.
Files: smtpd/smtpd.c, smtpd/smtpd_check.c.
20021215
Cleanup: further simplification of transport map handling
after some really fine hair splitting with Victor Duchovni.
Files: trivial-rewrite/resolve.c, trivial-rewrite/transport.c.
20021216
Workaround: transform the address local-part into unquoted
form only when the address domain is local and the local-part
contains routing operators. Otherwise, we may damage the
address local-part by inserting space between non-operator
tokens. Some people use weird addresses and expect them to
be handled without damage. File: trivial-rewrite/resolve.c.
Robustness: scan the resolved recipient address for routing
operators in the address local-part, even when the local
MTA does not recognize ! and % as valid operators. File:
trivial-rewrite/resolve.c.
Cleanup: the address rewriting code no longer tries to
rewrite broken user@ or user@. address forms into even more
broken forms. bother. File: trivial-rewrite/rewrite.c.
Cleanup: the address resolver code now treates forms ending
in @ in a more rational manner (because the address rewriting
code no longer messes up by appending .my.domain).
Bugfix: a null address local-part before @domain now is
properly quoted just like the null address. File:
global/quote_82[12]_local.c.
20021217
Cleanup: more work on the trivial-rewrite address rewriting
and address resolving code. New regression tests for address
rewriting and resolving that make some assumptions about
main.cf settings. Files: global/Makefile.in (assumptions),
global/rewrite_clnt.in, global/rewrite_clnt.ref,
global/resolve_clnt.in, global/resolve_clnt.ref.
Safety: configurable SMTPD reject codes for recipients not
in {local,relay}_recipient,virtual_{alias,mailbox}}_maps,
aptly named unknown_mumble_reject_code. Postfix installs
with unknown_local_recipient_reject_code=450, unless the
site already ran Postfix with local_recipient_maps enabled.
Files: smtpd/smtpd.c, smtpd/smtpd_check.c, conf/post-install.
20021218
Feature: specify unverified_recipient_reject_code=250 or
unverified_sender_reject_code=250 to accept mail for an
address that is known to bounce. File: smtpd/smtpd_check.c.
20021219
Bugfix: longjmp() while sending "go away" without setjmp()
in the QMQP server. Patrik Rak. File: qmqpd/qmqpd.c.
Safety: the XVERP extension is restricted to clients listed
in the authorized_verp_clients list (default: $mynetworks).
File: smtpd/smtpd.c.
Workaround: preliminary IPV6 support in valid_hostliteral().
File: util/valid_hostname.c.
20021220
Bugfix: the reject_multi_recipient_bounce restriction had
an off-by-one error when used in smtpd_data_restrictions.
File: smtpd/smtpd_check.c.
Feature: new check_recipient_maps restriction that gives
finer control over when unknown recipients are rejected.
As with Postfix 1.1, the default is to do this at the end
of the recipient restrictions. Sites that want to improve
performance can put check_recipient_maps at the start of
the smtpd_client_restrictions list and avoid doing unnecessary
RBL lookups etc. File: smtpd/smtpd_check.c.
Feature: new show_user_unknown_recipient_table parameter
controls whether or not to reveal the lookup table name in
"User unknown" responses. The extra detail makes trouble
shooting easier but also reveals information that is nobody
elses business.
20021221
Workaround: don't allow the transport map to override the
virtual alias class (error:User unknown) result. File:
trivial-rewrite/transport.c.
20030101
Documentation update: new-style virtual domains broke the
advanced content filtering example. Files: FILTER_README,
RELEASE_NOTES-2.0.
20030102
Cleanup: use different client instances when the same map
is opened with different flags. File: global/maps.c.
Feature: proxymap server for Postfix table lookups. This
helps to consolidate the number of open lookup tables (such
as MYSQL or LDAP), or to overcome chroot restrictions
(example: specify proxy:unix:passwd.byname to avoid the
need for a copy of the UNIX passwd file in chroot jails).
Files: global/dict_proxy.[hc], proxymap/proxymap.c
Cleanup: multiservers such as trivial-rewrite and the new
proxymap server now enforce the max_use total client number
limit more agressively, by not accepting new connections
after the limit is reached. Based on a patch by Victor
Duchovni, Morgan Stanley. File: master/multi_server.c.
20030103
Cleanup: client stream endpoints not only have an idle time
limit ($ipc_idle) before a connection is closed, they now
also have a time to live ($ipc_ttl) to prevent connections
from becoming too persistent. This allows multi-servers
such as trivial-rewrite or the proxymap server to refresh
more frequently on busy systems. File: global/clnt_stream.c.
20030104
Cleanup: avoid warnings about flag mismatches when the same
lookup table is listed under both virtual_alias_maps and
virtual_mailbox_maps. Files: global/virtual8.h, virtual/virtual.c.
Bugfix: an obscure memory leak that puzzled me for more
than a year until I found out how to reproduce it. File:
util/vstream.c.
20030105
Cleanup: removed the address syntax check from the queue
manager, since a better test was implemented recently in
the trivial-rewrite server. Files: *qmgr/qmgr_message.c.
Bugfix: redirect bounce/defer to the address verification
service where appropriate. Files: *qmgr/qmgr_bounce.c,
*qmgr/qmgr_defer.c.
Bugfix: "no such file or directory" warnings after "postfix
reload" when a chrooted smtpd reconnects to the proxy
service. Fix: use "private/proxymap" if possible, otherwise
use "$queue_dir/private/proxymap". File: global/dict_proxy.c.
Robustness: daemons now chdir() to the queue directory
before running the pre-jail initialization code, so that
daemons running in stand-alone mode produce more consistent
results. Files: master/single_server.c, master/multi_server.c.
master/trigger_server.c.
Bugfix: "sendmail -bs" tried to access the proxymap service.
It should not try to open any user/domain/uce related tables
at all. File: smtpd/smtpd.c.
20030106
Bugfix: bouncing to owner-alias was broken, i.e. the mail
kept being deferred, and when that was fixed, another buglet
came to light. File: bounce/bounce.c.
Robustness: the master no longer aborts with "address
already in use" when inet_interfaces specifies the same IP
address multiple times, or when a TCP service in master.cf
specifies a hostname for which the same IP address is listed
multiple times. File: master/master_ent.c.
20030107
Robustness: check that FILTER actions in SMTPD access maps
or cleanup header/body_checks have plausible syntax. Files:
smtpd/smtpd_check.c, cleanup/cleanup_message.c.
20030109
Cleanup: unnecessary "premature end of file on xxx while
reading yyy" warnings became exposed after some code
simplification. Files" global/*_clnt.c, global/dict_proxy.c
Robustness: undo the change that causes a multi-server
process to stop accepting new connections while it still
services existing clients for an extended amount of time.
We need a better process retirement strategy. File:
master/multi_server.c.
20030110
Cleanup: the virtual_mailbox_maps parameter is now optional
even when virtual_mailbox_domains is. This makes virtual
mailbox domains more like relay domains and the local
domain.
Portability: the makedefs script now uses the pcre-config
utility to find out where things are installed.
Bugfix: the SMTP server did not recognize the local built-in
double bounce address as local. Reported by Matthias Andree.
For safety sake, threw in the local postmaster address as
well. File: smtpd/smtpd_check.c.
20030113
Added MAILER-DAEMON to the list of always recognized local
addresses, since it is generated by Postfix bounces. File:
smtpd/smtpd_check.c.
20030114
Bugfix: transport_errno was not reset upon successful
transport map wildcard lookup after an earlier failure.
Reported by Victor Duchovni. File: trivial-rewrite/transport.c.
Cleanup: unnecessary warnings from the proxymap client
after proxymap server disconnect. File: global/dict_proxy.c.
Cleanup: Patrik Rak found a few more chattr invocations
that were missed 20021209. Files: postfix-install,
conf/post-install.
Cleanup: the pcre-config command can produce null outputs.
Matthias Andree. File: makedefs.
Bugfix: the virtual(8) Makefile included $(AUXLIBS) in the
dependencies.
20030118
Typos: some hyperlinks referred to flushd, which is the
name that was used before the flush service was released.
Reported by Victor Duchovni.
Cleanup: smtpd no longer needed to open relocated_maps.
20030119
Cleanup: bounce messages used "X-Postfix" even when mail_name
was set to something other than the default "Postfix" name.
File: bounce/bounce-notify_util.c.
20030120
Bugfix: wrong FILTER_README instructions for disabling
virtual alias mapping in the cleanup server before the
content filter.
Bugfix: wrong FILTER_README instructions for destination-dependent
filtering, because relay_domains was specified incorrectly.
20030122
Bugfix: 20021207 (move relocated table lookup from queue
manager to trivial-rewrite server) broke relocated table
lookup results with mail not rejected at the SMTP port.
Files: *qmgr/qmgr_deliver.c, *qmgr/qmgr_message.c.
20030123
Bugfix: a widely used maildir filename algorithm was broken.
Postfix now uses TIME.DEVICE_INODE.HOST. Files: local/maildir.c,
virtual/maildir.c.
20030124
Cleanup: queue structures no longer overload queue name
and nexthop destination. Files: *qmgr/qmgr_message.c,
*qmgr/qmgr_queue.c, *qmgr/qmgr_deliver.c.
20030125
Feature: "REDIRECT user@domain" action in access maps or
in header/body_checks causes mail to be sent to the specified
address instead of the intended recipient(s). I would never
recommend that people use this to redirect (bounced) SPAM
to the beneficiaries of an advertisement campaign. Files:
smtpd/smtpd_check.c, cleanup/cleanup_message.c,
*qmgr/qmgr_message.c.
20030126
Update: maildir filename algorithm updated according to
today's version of http://cr.yp.to/proto/maildir.html.
20030127
Cleanup: use separate error messages for separate problems
with computing the list of SASL authentication mechanisms.
File: smtpd/smtpd_sasl_glue.c.
20030130
Bugfix: allow $name in default time values. File:
global/mail_conf_time.c.
20030205
Feature: allow !, /file/name and map:name in masquerade_exceptions.
By Liviu Daia. Files:cleanup_init.c, cleanup.h,
cleanup_masquerade.c.
20030219
Bugfix: the local pickup daemon skipped unterminated records,
since they happened to have the same record type code as
content filtering instructions. Victor Duchovni. Files:
global/rec_type.h, pickup/pickup.c.
Portability: Postfix could block, and thus not enforce
command execution time limits, while delivering mail to
command. File: global/pipe_command.c.
Bugfix: command execution time limits were not enforced
because the child process killing code in pipe_command()
was running with the wrong privileges. Problem reported by
Ben Rosengart, Panix. File: global/pipe_command.c.
Bugfix: duplicate recipient filtering in the cleanup server
did not eliminate virtual expansion duplicates with the
same original recipient. File: cleanup/cleanup_out_recipient.c.
20030223
Cleanup: added postmap/postalias -p option (do not inherit
the source file permissions when creating a new file), for
completeness. A feature that can't be turned off is a bug.
Files: postmap/postmap.c, postalias/postalias.c.
Bugfix: smtpd_hard/soft_error_limit off-by-one error, so
that the real limit was one larger than the configured
value. File: smtpd/smtpd.c, smtpd/smtpd_chat.c.
20030226
Safety: proxymap server defense against potential deadlock
when some library routine wants to open a proxied table.
Instead, proxymap opens the requested table directly. File:
proxymap/proxymap.c.
Portability: updated AIX 5.x system dependent definitions.
File: util/sys_defs.h.
20030227
Bugfix: added mynetworks to the list of proxy_read_maps
parameter settings that are pre-authorized to use proxied
table lookups. File: global/mail_params.h.
Cleanup: daemons now log what table has changed before
restarting. Files: dict.c, and anything that invoked
dict_changed().
Cleanup: more consistency in the naming of lookup table
handles as generated by maps(3) and by match_list(3).
20030305
Workaround: Postfix removes too long non-address text from
message headers in order to protect vulnerable Sendmail
systems against exploitation of the remote buffer overflow
vulnerability described in CERT advisory CA-2003-07.
20030311-19
Bugfix: the access map actions HOLD, DISCARD, FILTER and
REDIRECT were broken with smtpd_delay_reject=no and with
ETRN. This required re-architecting of the actions code.
Files: smtpd/smtpd.[hc], smtpd/smtpd_check.c, smtpd/smtpd_state.c.
20030315
Bugfix: the postsuper manual page documented support for
the -c command line option, but it was not implemented.
File: postsuper/postsuper.c.
Bugfix: the Postfix 2.0 recipient map checking code broke
the VRFY command, causing it to reply with status code 252
for non-existent addresses. This required re-architecting
the recipient table lookup code. File: smtpd/smtpd_check.c.
20030319
Feature: configurable limit on virtual alias expansion size
and nesting depth, via the virtual_alias_expansion_limit
and virtual_alias_recursion_limit parameters. The default
limits are compatible with past Postfix versions. Victor
Duchovni, Morgan Stanley. Files: /sample-resource.cf,
html/resource.html, cleanup/cleanup.c, cleanup/cleanup_init.c,
cleanup/cleanup_map1n.c.
Feature: the installation procedure records build information
(by default: in /etc/postfix/makedefs.out).
20030324
Bugfix: smtp-source flushed too often, causing suboptimal
performance with smtp-source sending directly into smtp-sink.
Files: smtpstone/smtp-source.c.
20030410
Safety: log a fatal error when a net/mask pattern has a
non-zero host part, so that mail delivery is deferred.
File: util/match_ops.c.
20030411
Bugfix: extraneous warning about out-of-order original
recipient records by Patrik Rak. Files: *qmgr/qmgr_message.c.
20030412
Workaround: log a warning and reset the queue file time
stamps when the file system clock is ahead of the local
clock. File: global/mail_stream.c.
20030414
Feature: PostgreSQL client module, adopted by LaMont Jones.
Files: README_FILES/PGSQL_README, util/dict_pgsql.c,
util/dict_pgsql.h, conf/sample-pgsql-aliases.cf.
Cleanup: the generic smtp client/server code in smtp_stream.c
now has an explicit flush operation, and the smtp-source/sink
programs are updated to take advantage of this.
Cleanup: the file system clock drift detection code now
runs only once per process instance, to minimize the
performance impact. File: global/mail_stream.c.
Robustness: avoid TIME_WAIT state with smtp/qmqp-source
client sockets. This puts less strain on local system
resources.
20030415
Cleanup: the file system clock drift detection code now
runs only for incoming mail. File: global/mail_stream.c.
20030416
Bugfix: missing partial last line when 1) someone submits
8-bit mail not ending in newline via /usr/sbin/sendmail
and 2) MIME input processing is turned off, and 3) MIME
8bit->7bit conversion is requested upon delivery via SMTP.
Cleanup: auto-bcc recipients are now added in one place
(the cleanup server) instead of by individual front-end
servers (pickup, smtpd, qmqpd). This makes it easier to
add auto-bcc features that trigger on sender or recipient
addresses.
Cleanup: "sendmail -t" (recipients from headers) is now
implemented by the sendmail command instead of by the
cleanup server. This means that the extract_recipient_limit
configuration parameter is no longer needed. Files:
sendmail/sendmail.c, cleanup/cleanup_message.c,
cleanup/cleanup_extracted.c.
Compatibility: "sendmail -t" (recipients from headers) now
accepts command-line recipients instead of complaining.
The extracted header recipients are added to the command-line
recipients.
Feature: sender/recipient_bcc_maps. These are indexed by
sender/recipient address and are examined when mail enters
from outside of Postfix. Files: cleanup/cleanup_addr.c.
cleanup/cleanup_envelope.c cleanup/cleanup_extracted.c.
20030417
Feature: the SMTP client now falls back to native name
service lookups (including /etc/hosts) when a host cannot
be found in the DNS. This is controlled by a new parameter
smtp_host_lookup (default: dns, native). Files: smtp/smtp.c,
smtp/smtp_addr.c.
20030418
Bugfix: "sendmail -t" broke with unrecognized message
headers.
20030419
Feature: "postcat -q" searches the queue for the named
file.
Cleanup: made postcat "record names" output more consistent.
20030421
Debugging: added some extra detailed error logging to the
pipe-to-command delivery, to help folks with bizarre file
truncation problems. File: global/pipe_command.c.
20030424
Cleanup: readlline() did not terminate the result before
complaining about lines starting with whitespace.
Cleanup: eliminated valid_hostname warning for invalid
queue file names. File: global/mail_queue.c.
Bugfix: lost three lines of code when readying the postcat
command for release, which broke postcat -q. File:
postcat/postcat.c.
Bugfix: the Postfix sendmail command applied the message
size limit when running as newaliases. The limiting code
is now moved to the message enqueuing branch of the code.
File: sendmail/sendmail.c.
Documentation: start of documentation for the algorithm of
Patrik Rak's clever queue manager scheduler (nqmgr). Files:
conf/sample-scheduler.cf, README_FILES/SCHEDULER_README.
20030429
Bugfix: while verifying an address, the LMTP client entered
a forbidden "next" sender state after the last recipient.
Fix by Vladimir Davydoff. File: lmtp/lmtp_proto.c.
Bugfix: "," was not recognized in proxy_read_maps settings.
Fix by Leandro Santi. File: proxymap/proxymap.c.
20030502
Bugfix: defer delivery after .forward etc. file read error.
File: local/token.c. Problem reported by Ben Rosengart,
Panix.
20030503
Bugfix: the Postfix LMTP client used the wrong service
name, causing trouble with SASL 2.1.13. Daniel Schales,
Louisiana Tech. File: lmtp/lmtp_sasl_glue.c.
20030518
Workaround: IRIX select() reports that a non-blocking file
descriptor is writable while write() transfers zero bytes.
File: util/vstream.c. Superseded by change 20030523.
20030520
Cleanup: future time stamps in Received: headers and negative
delays in delivery agent logging after "postdrop -r",
because deferred queue files had future file modification
times. File: src/postsuper/postsuper.c.
20030521
Cleanup: nqmgr warnings about "recipient count mismatch"
after "postdrop -r", because the cleanup server did not
count the "already done" recipients. Problem reported by
Richard Stockton, Gramma Software. Files:
cleanup/cleanup_envelope.c, cleanup/cleanup_extracted.c.
20030523
Workaround: IRIX select() reports that a non-blocking file
descriptor is writable while write() transfers zero bytes.
File: global/pipe_command.c.
20030523-20030605
Cleanup: rewrote the queue file record processing loops in
pickup, cleanup and in [n]qmgr. This code had deteriorated
a lot as the result of small changes over the years. This
change brings the code closer to "obviously correct". Files:
cleanup/cleanup_envelope.c, cleanup/cleanup_extracted.c,
*qmgr/qmgr_message.c.
Cleanup: Postfix no longer produces queue files with
backwards compatibility data for Postfix versions < 1.0
(a.k.a. 20010228). Files: cleanup/cleanup_extracted.c,
showq/showq.c.
Performance: the queue manager no longer has to examine
every queue file record before it can start deliveries.
This helps to avoid thrashing with very large mailing lists.
Postfix queue files have an extra field in the size record
with queue manager processing hints. This change is backward
and forward compatible. Files: cleanup/cleanup_envelope.c,
cleanup/cleanup_extracted.c, *qmgr/qmgr_message.c.
20030528
Compatibility: "sendmail -q<time>" without -bd option now
exits immediately, instead of waiting for input on the
standard input stream and screwing up system boot sequences.
File: sendmail/sendmail.c.
20030530
Bugfix: client access denied with smtpd_delay_reject=no
broke "sendmail -bs". Fix by Victor Duchovni, Morgan Stanley.
File: smtpd/smtpd.c.
20030531
Compatibility: allow <@site,@site:address> route addresses
in SMTP commands. File: smtpd/smtpd.c.
20030605
Cleanup: input checks moved from the pickup daemon to the
postdrop mail submission command; this is to prepare for
direct mail submission from postdrop->cleanup without going
through the maildrop directory and the pickup service.
Files: pickup/pickup.c, postdrop/postdrop.c.
Bugfix: the "dead host" backoff timer in the MySQL client
didn't work. Fix by Leandro Santi. File: util/dict_mysql.c.
Bugfix: same problem in the PostgreSQL client. File:
util/dict_pgsql.c.
Workaround: turned off non-blocking write to pipe because
too many systems give a weird write() result. File:
global/pipe_command.c.
Cleanup: added support for vstream_fseek(.., .., SEEK_END).
File: util/vstream.c.
20030608
Feature: separate address resolver controls for address
verification probe messages: address_verify_{local,virtual,
relay,default}_transport, address_verify_relayhost, and
address_verify_transport_maps. The default values are the
regular versions of the same controls. Files: trivial-rewrite/*,
global/resolve_clnt.[hc], *qmgr/qmgr_message.c.
20030609
Workaround: Solaris blocking socket read() may hang. Hernan
Perez Masci and Leandro Santi. File: smtpd/smtpd.c.
Bugfix: the "unread recipient" counter needs to be restored
after the queue manager has a problem reading a queue file.
Fix by Patrik Rak. File: nqmgr/qmgr_message.c.
20030610
Cleanup: the verify server now uses asynchronous submission
of mail probes, so it will no longer block for in_flow_delay
seconds when mail arrives faster than it is delivered.
Still need to make mail_stream_finish() asynchronous in
order to avoid blocking for trigger_timeout seconds when
the queue manager is overwhelmed. Files: global/post_mail.c,
verify/verify.c.
Bugfix: removed extraneous sleep() after the last attempt
to retrieve address verification status. File: smtpd/smtpd.c.
20030611
Bugfix: the stricter postdrop input filter broke "sendmail
-bs". Found by Lutz Jaenicke. File: smtpd/smtpd.c.
20030614
Portability: Dropped support for client side LDAP caching.
As of release 2.1.13 OpenLDAP no longer supports client
side caching, it has been deprecated for some time, and
never worked well. Implemented by Victor Duchovni, Morgan
Stanley, and further enhanced by Lamont Jones, HP. Files:
src/util/dict_ldap.c, conf/sample-ldap.cf,
README_FILES/LDAP_README.
Safety: Given suitable invalid database contents, LDAP
lookups can produce too many results, enter an infinite
loop in the expansion of "special result attributes" (LDAP
DNs and LDAP URLs) or just consume excessive server resources
returning large result sets. Three new (per LDAP map)
configuration parameters enable one to set limits on
recursive nesting, result expansion and the server response
"entry" count. Implemented by Victor Duchovni, Morgan
Stanley, further enanced by Lamont Jones, HP. Files:
src/util/dict_ldap.c, conf/sample-ldap.cf,
README_FILES/LDAP_README.
20030616
Feature: in mail delivery status reports, report the sender
address as X-Postfix-Sender. Matthias Andree. File:
bounce/bounce_notify_util.c.
Cleanup: in mail delivery status reports, transform the
original recipient into xtext format as required by RFC
1891. Files: bounce/bounce_notify_util.c, util/xtext.[hc].
Cleanup: more accurate "postfix check" warning for files
that miss one or more of the required mode 02111 execute
permission bits. Matthias Andree. File: conf/postfix-script.
20030618
After "postfix reload", the master daemon now warns when
inet_interfaces has changed, and ignores the change, instead
of passing incorrect information to the smtp server. File:
master/master_ent.c.
20030619
Feature: the Postfix SMTP server can send all mail into a
proxy server, for example a real-time SPAM filter. This
proxy is supposed to send the mail into another Postfix
SMTP server process for normal delivery. Files: smtpd/smtpd.c
smtpd/smtpd_proxy.[hc].
20030620
Bugfix: a cut-and-paste error caused the proxy server's
354 status code to be reported when a proxy connection
broke during the DATA phase. File: smtpd.c.
20030620
Bugfix: after the last change to postdrop, postcat no longer
recognized maildrop files as valid. File: postcat/postcat.c.
Bugfix: after moving "sendmail -t" address extraction to
sendmail, "-t" broke multi-line recipient headers. Victor
Duchovni, Morgan Stanley. File: sendmail/sendmail.c.
20030621
Workaround: the safe_open(O_CREAT) race condition exploit
avoiding code tries a little harder when it encounters a
race condition. File: util/safe_open.c.
20030624
Bugfix: reject_unverified_address() set the defer_if_reject
flag when the verify service was unavailable (which never
happens). Victor Duchovni, Morgan Stanley. File:
smtpd/smtpd_check.c.
New parameters address_verify_poll_{count,delay} that
control how often to poll the address verification service
for the completion of an address verification request.
Specify address_verify_poll_count=1 to implement a crude
form of greylisting, that is, always defer the first delivery
attempt for an unknown address. File: smtpd/smtpd_check.c.
Bugfix: after the last change to postdrop, postcat no longer
recognized non-maildrop queue files as valid. File:
postcat/postcat.c.
20030629
Cleanup: replaced references to "simulated virtual domains"
by "virtual alias domains". Victor Duchovni, Morgan Stanley.
20030630
Feature: smtp_quote_rfc821_envelope=(yes|no) to control
RFC 821 style quoting of MAIL FROM and RCPT TO addresses.
Files: global/mail_params.h, smtp/smtp.c, smtp/smtp_proto.c.
20030701
Bugfix: multi-recipient probes triggered a bug in the SMTP
client. File: smtp/smtp_proto.c.
Feature: enable_original_recipient (default: yes) to control
whether Postfix keeps track of original recipient address
information. Victor Duchovni, Morgan Stanley. Files:
cleanup/cleanup.c, cleanup/cleanup_init.c,
cleanup/cleanup_out_recipient.c, global/log_adhoc.c,
global/mail_copy.c, *qmgr/qmgr_message.c.
Feature: !/pattern/ support for PCRE lookup tables. Victor
Duchovni, Morgan Stanley. Files: util/dict_pcre.c.
Cleanup: allow whitespace after patterns in repexp and pcre
tables. Victor Duchovni, Morgan Stanley. Files:
util/dict_pcre.c, util/dict_regexp.c.
20030702
Feature: CIDR lookup table support, very remotely based on
code by Jozsef Kadlecsik. Files: proto/cidr_table,
util/dict_cidr.[hc].
Feature: TCP lookup table support, finally finished. Files:
proto/tcp_table, proto/dict_tcp.[hc].
20030705
Feature: new receive_override_options parameter controls
what happens before or after an external content filter:
rejecting unknown recipients, canonical and virtual address
mapping, address masquerading, automatic BCC recipients
and header/body checks. This eliminates the need to configure
multiple cleanup services in the master.cf file.
20030707
Feature: context dependent SASL security options (i.e.
different options when TLS is enabled/disabled). Lutz
Jaenicke. Files: */*sasl_glue.[hc].
20030708
Hardened the attr_scan routines for exposure to an untrusted
environment, in preparation for possible use with SMTP
policy delegation to an external server.
Feature: address filter for RBL lookups, for use with
multi-valued RBL services. File: smtpd/smtpd_check.c.
20030709
Cleanup: use off_t instead of int for VSTREAM file offsets.
This was needed for mailboxes > 2GB on 32-bit systems.
Files: util/vstream.c, global/mail_copy.c.
20030710
Support for multiple A and TXT results in RBL lookups.
Victor Duchovni, Morgan Stanley. File: smtpd/smtpd_check.c.
Support for attribute-based query-reply protocols. Files:
util/attr_clnt.[hc], util/auto_clnt.[hc].
20030711
Support for plain "name=value\n" attribute protocol. Files:
util/attr_{scan,print}_plain.c.
Bugfix: the LMTP session caching code did not reset the
EHLO server feature list when it needed to reconnect.
Problem found by Tobias Erbsland.
20030712
Feature: delegated SMTP policy server. As an example, see
the greylisting server in examples/smtpd-policy. Specify
"check_smtpd_policy_service" in smtpd_mumble_restrictions.
See SMTPD_POLICY_SERVICE_README for details.
20030716
Bugfix: in the sample policy server, changed "ok" into
"dunno" so the server can be used in the middle of a
restriction list.
Cleanup: when an RBL reply has multiple TXT records,
concatenate them up to some reasonable limit, instead of
selecting one randomly. File: smtpd/smtpd_check.c.
Safety: always truncate SMTP server error replies to 512
bytes. File: smtpd/smtpd_check.c.
20030717
Documentation: added description of policy_time_limit to
the SMTPD_POLICY_README document.
Documentation: corrected the command time limit parameter
syntax in the spawn(8) manual page.
Feature: defer_if_permit and defer_if_reject actions in
access tables, mainly for use by the delegated policy
server. Files: smtpd/smtpd_check.c, proto/access.
20030725
The dict_pgsql module did not use dict_alloc() and dict_free(),
causing improper initialization and a memory leak. Leandro
Santi. File: util/dict_pgsql.c.
Cleanup: added open_flags sanity checks to the dict_pgsql
and dict_mysql modules. These maps must be opened in
read-only mode.
20030731
Bugfix: virtual(8) was changed to use mail_addr_find()
instead of virtual8_maps_find(), but the SMTP server's
virtual mailbox recipient validation was not updated.
20030804
Bugfix: the 20030712 safety against invalid DNS results
was broken. Reported by Ralf Hildebrandt. File:
dns/dns_lookup.c.
20030805-12
Safety: the pipe daemon now defers delivery with a warning
when it is given a non-existent command-line macro name.
File: pipe/pipe.c.
20030810
Bugfix: dict_ldap had a few harmless memory leaks. By
Liviu Daia. File: util/dict_ldap.c.
Feature: support for LDAP URLs in the LDAP parameter
"server_host", if Postfix is linked against OpenLDAP. This
allows Postfix to connect to LDAP SSL sources. By Liviu
Daia. File: util/dict_ldap.c.
20030811
Cleanup: produce a warning when host:port specifies a badly
formatted numerical port. Files: util/find_inet.c,
smtp/smtp_connect.c, lmtp/lmtp_connect.c.
20030822
Feature: the export_environment and import_environment
parameters now accept name=value information that will be
entered into the new environment. File: util/clean_env.c.
20030823
Feature: smtpd_sasl_exceptions_networks parameter to prevent
Postfix from offering AUTH to clients that match the listed
networks. Based on code by Ben Rosengart, Panix. Files:
conf/sample-auth.cf, smtpd/smtpd.c.
20030902
Portability: the Postfix master resets the file size to
the largest possible off_t value when the actual limit
appears to overflow the off_t range. Files: util/sys_defs.h,
util/file_limit.c. A fine sample of bit banging.
20030905
Workaround: Solaris 8 select() claims that a non-blocking
socket is readable and then read() fails with EAGAIN. Files:
util/timed_read.c and as precautionary measure,
util/timed_write.c.
Bugfix: dict_register() should not be called from dict_open()
in dict_mysql and dict_pgsql. Liviu Daia. Files:
util/dict_mysql.c, util/dict_pgsql.c.
Feature: LDAP parameters can now be specified in external
files. This makes it possible to securely store bind
passwords for plain auth outside of main.cf (which is world
readable). By Liviu Daia, based on a suggestion by Victor
Duchovni and Lamont Jones. File: util/dict_ldap.c.
Feature: STARTTLS option for LDAP, if Postfix is linked
against OpenLDAP. By Liviu Daia, amended by Victor Duchovni.
File: util/dict_ldap.c.
Cleanup: connections to LDAP sources are now postponed
until they are actually needed. By Liviu Daia. File:
util/dict_ldap.c.
20030908
The 20030905 Solaris workaround triggers too many warnings.
TCP sockets are back to blocking, and keepalives are turned
on to kill off dead sockets, as suggested by Leandro Santi.
Files: master/{single,multi}_server.c, smtpd/smtpd.c,
util/sys_defs.h.
20030909
Bugfix: the LMTP session caching code had problems with
SASL authentication after the first connection, and pipelining
was working poorly. Fix by Victor Duchovni, Morgan Stanley.
Files: lmtp/lmtp.c, lmtp/lmtp_proto.c.
20030912
Workaround: besides SMTP server sockets, SMTP client sockets
can also hang on Solaris, as reported by Leandro Santi. In
order to deal with this at the root, all connection management
is now done by sane_accept() and sane_connect(). Both turn
on keepalives on Solaris.
20030913
Safety: set-gid commands don't trust TZ. File: msg_syslog.c.
20030914
Address extension propagation wasn't documented enough when
it was added to Postfix. Based on patches by Roman Neuhauser.
Added clarifying notes to main.cf, master.cf and access by
Dean Gibson.
In header/body_checks, DUNNO is now the preferred action
instead of the now deprecated OK. This may confuse fewer
people.
In header/body_checks, allow text after IGNORE and DUNNO,
suggested by Victor Duchovni, Morgan Stanley. File:
src/cleanup/cleanup_message.c.
Feature: reject_rhsbl_helo. File: smtpd/smtpd_check.c.
Bugfix? The LMTP and SMTP clients now send "MAIL FROM:<sender>
AUTH=<>" when SASL authenticated. Suggested by by Victor
Duchovni, Morgan Stanley. Files: smtp/smtp_proto.c,
lmtp/lmtp_proto.c.
20030915
Bugfix: mail rejected by the before-queue content filter
was mis-labeled as a software error; it should be labeled
as a policy error instead. File: smtpd/smtpd.c.
Cleanup: postcat is now null-byte transparent. File:
postcat/postcat.c.
20030916
Feature: ``check_{sender,recipient}_mx_access maptype:mapname''
applies the named Postfix access table to the MX host name
and IP addresses for the sender or recipient address. If
no MX record is found, the A record is used instead. File:
smtpd/smtpd_check.c.
Feature: ``check_{sender,recipient}_ns_access maptype:mapname''
applies the named Postfix access table to the DNS server
hostname and IP addresses for the sender or recipient
address. If no NS record is found, the parent domain is
used instead. File: smtpd/smtpd_check.c.
20030917
Feature: ``check_helo_{ns,mx}_access maptype:mapname'',
same semantics as sender and recipient.
Multiple LDAP lookup tables in the one Postfix process now
share one LDAP connection. Code by Victor Duchovni, Morgan
Stanley. File: util/dict_ldap.c.
Performance: with prefix_domain specified for an LDAP lookup
table, lookups of @domain are skipped. Code by Victor
Duchovni, Morgan Stanley. File: util/dict_ldap.c.
Safety: check_mumble_{mx,ns}_access refuses to be used for
whitelisting. The Postfix SMTP server will reject the
request with "451 server configuration error" and will log
a warning explaining why. File: smtpd/smtpd_check.c.
20030918
Bugfix: check_mumble_ns_access did not correctly look up
NS records of parent domains, causing mail to be deferred
with a 450 status code. File: smtpd/smtpd_check.c.
20030919
Robustness: check_mumble_{mx,ns}_access skip over DNS lookup
failures instead of deferring mail. This is not as bad as
it appears to be because the restrictions can't be used
for whitelisting. File: smtpd/smtpd_check.c.
20030920
Bugfix: the 20030917 LDAP connection sharing code introduced
a compilation problem with non-OpenLDAP implementations.
Fix by Liviu Daia. File: util/dict_ldap.c
Compatibility: the LDAP server_host parameter now supports
all the usual Postfix list element delimiters. Some LDAP
libraries support just SPACE, others SPACE and ",". Postfix
now normalizes the host list into a space separated format.
This is less surprising to Postfix users used to the full
range of delimeters in other contexts. Implemented by Liviu
Daia. File: util/dict_ldap.c
Bugfix: after returning too old mail, the bounce daemon
now locks the original queue file and deletes deferred
recipients, to avoid repeated bounce notifications when
the queue manager is restarted. Files: bounce/*.[hc],
global/bounce_log.[hc], global/{bounce,defer}.[hc] and
everything that invokes these routines including queue
manager and delivery agents.
20030922
Feature: "XADDR address hostname" SMTP command, for SMTPD
restriction debugging, and for sites with fetchmail-like
software that extracts client information from the first
Received: header. The smtpd_authorized_xaddr_clients
parameter specifies what clients are allowed to use XADDR
(default: none). Files: smtpd/smtpd.c.
20031015
Workaround: smtpd access maps should not apply subdomain
name magic to numerical hostnames. File: smtpd/smtpd_check.c.
Safety: the local delivery agent now defers delivery when
alias lookup produces an empty result. File: local/alias.c.
20031019
Workaround: disable request/reply size limit in attr_scan*.c
to prevent mail from getting stuck when rewriting a malformed
message header. This limit was turned on with snapshot
20030715 to harden the protocol that is used by SMTPD policy
delegation. A "no code change" workaround is to specify
"header_size_limit = $line_length_limit". The proper fix
is to enforce request/reply size limits only for data from
outside of Postfix. Problem reported by Brandon Mullenberg,
Dialup USA. Files: util/attr_scan*.c.
Feature: "XLOGINFO address hostname" SMTP command, so that
Postfix daemons behind SMTPD pass-through proxies log useful
client name/address information instead of localhost[127.0.0.1].
The smtpd_authorized_xloginfo_clients parameter specifies
what clients are allowed to use XLOGINFO (default: none).
Files: smtpd/smtpd.c.
Cleanup: renamed the authorized_verp_clients parameter to
smtpd_authorized_verp_clients for consistency.
20031021
Workaround: the demo greylist script now uses BTREE instead
of HASH files for hopefully better stability. The real fix
is to use a single updater process that serves multiple
clients. That approach seems to work well with the verify
daemon. File: examples/smtpd-policy/smtpd-policy.pl.
20031022
Safety: the SMTP server now warns when the queue_minfree
value is less than twice the message size limit. File:
smtpd/smtpd.c.
Safety: the SMTP server no longer accepts mail when the
amount of free space is less than twice the message size
limit. File: smtpd/smtpd_check.c.
Safety: log a warning and defer mail when canonical or
virtual lookups return a non-address result (like a string
that contains no address). File: global/mail_addr_map.c.
Safety: log a warning and defer mail when any map lookup
returns an empty string result, and explain that "no result"
is expected in case of a "not found" condition. This happens
with incorrectly implemented SQL or LDAP tables. File:
global/maps_find.c.
20031023
Bugfix: the MYSQL and PGSQL modules invoked dict_register().
This was fixed a while ago but never made it into the
distribution. Files: util/dict*sql.c.
Robustness: added three ISSPACE() calls in the smtpd proxy
parser. File: smtpd/smtpd_proxy.c.
20031024
Portability: added localhost to mydestination for sites
that turn off append_dot_mydomain. File: global/mail_params.h.
20031027
Portability: MacOS X Bind8 compatibility. File: makedefs.
20031103
Robustness: flush pipelined "." and "quit" replies to avoid
repeated deliveries in case of a program crash (you know,
the kind of thing that happens before Postfix release :-).
File: smtpd/smtpd.c.
20031105
Portability: turn off NETINFO support for MacOS X Panther
by default. Files: makedefs, util/sys_defs.h.
20031106
Feature: the sample greylist policy server is now case
insensitive. File: examples/smtpd-policy/smtpd-policy.pl.
20031103-20031110
Feature: preliminary defense against SMTP clients that
hammer the SMTP server with too many simultaneous or
successive connection attempts, with a whitelist capability
to disable the restriction for authorized clients. Most
work is implemented by a new "anvil" server. Parameters:
smtpd_client_connection_count_limit, smtpd_client_connection-
_rate_limit, smtpd_client_connection_limit_exceptions, and
client_connection_rate_time_unit. Documentation: smtpd(8),
anvil(8), sample-smtpd.cf. Files: smtpd/smtpd.c,
global/anvil_clnt.[hc], anvil/anvil.c. The anvil server
logs peak count and rate information per client when it
terminates after running out of work or after "postfix
reload".
20031110
Cleanup: Postfix now supports the /0 netmask (match every
address). This is useful as a catch-all pattern at the
end of a table. Files: util/dict_cidr.c, util/match_ops.c.
Cleanup: don't report that $queue_directory/etc/filename
differs from /etc/filename when /etc/filename does not
exist. File: conf/postfix-script.
20031112
Feature: client_connection_status_update_time parameter
controls periodic logging of maximal connection counts or
rates. The default logging interval is 10 minutes.
Feature: "make makefiles WARN=stuff..." overrides the
built-in GCC warning options that are used when "make" is
invoked from within a source subdirectory. Files: makedefs,
*/Makefile.in.
20031125
Feature: qmgr logs "queueid: deleted", just like postsuper,
when it removes a message from the mail queue.
Performance: smtpd connects to the cleanup or proxy server
AFTER the first valid RCPT TO command, instead of after
the first valid MAIL FROM command. This avoid wasting
real-time proxy filter resources when mail is stopped by
the SMTP server's access blocks. File: smtpd/smtpd.c.
20031126
Bugfix: "panic: mymalloc: requested length 0" when master.cf
specified an invalid host name or address. Postfix now
logs more specific information. File: master/master_ent.c.
Reported by several people.
20031125-20031201
Feature: XCLIENT support to override the SMTP server's
client information for logging and/or access control. This
replaces the short-lived XADDR and XLOGINFO extensions.
Remotely based on code by Victor Duchovni. See FILTER_README
and SMTPD_PROXY_README for usage details. Files:
smtpd/{smtpd,smtpd_check,smtpd_proxy,smtpd_xclient}.c
smtp/smtp_smtp_proto.c, *qmgr/qmgr_message.c,
global/deliver_request.c.
20031202
Cleanup: postfix-files now has support for files that are
no longer part of Postfix. When upgrading Postfix, the
post-install script gives the user a reminder. Files:
conf/postfix-files, conf/post-install.
20031203
Support for SMTPD access map actions (FILTER, REDIRECT,
HOLD or DISCARD) that are delegated to the cleanup server,
but can trigger before the first valid recipient address
is accepted (and thus, before a cleanup server connection
is available). Files: smtpd/{smtpd,smtpd_state,smtpd_check}.c.
20031204
Bugfix: conf/post-install didn't skip non-existent obsolete
files. Victor Duchovni.
Minor cleanups of the xclient error messages; xclient
command lookup tables. File: smtpd/smtpd.c.
20031206
Feature: reject_sender_login_mismatch allows multiple owners
of a sender address. Code by Liviu Daia. Files:
smtpd/smtpd_check.c and documentation.
reject_sender_login_mismatch is now implemented by elementary
features reject_unauthenticated_sender_login_mismatch
(reject if the client is not SASL logged in but the sender
address has an owner in smtpd_sender_login_maps) and
reject_authenticated_sender_login_mismatch (reject if the
client is SASL logged in but does not own the sender
address). Code by Liviu Daia. Files: smtpd/smtpd_check.c
and documentation.
20031207
Bugfix: fallback_transport and mailbox_transport were broken
because the deliver_pass.c module was not updated for the
changed message delivery protocol.
20031211
Safety: in dynamically growing data structures, update the
length info after (instead of before) updating the data
size. Files: util/argv.c, util/inet_addrlist.c, util/intv.c,
util/mvect.c, util/vstring.c, global/recipient_list.c,
*qmgr/qmgr_rcpt_list.c.
20031212
Cleanup: separate extensions XCLIENT (impersonate SMTP
client) and XFORWARD (down-stream logging of up-stream MTA
and/or message information, not necessarily SMTP related).
The protocol is extensible: the server advertises what
attributes XCLIENT or XFORWARD will accept, and it is an
error to send an unsupported attribute. No xtext encoding
is used, since no attribute currently needs it. See also:
XCLIENT_README and XFORWARD_README.
20031214
Feature: XFORWARD support in the LMTP client.
20031215
Safety: updated mail_queue_id_ok() for long fast flush
logfile names. File: global/mail_queue.c.
Robustness: save and restore the resolver _res.options
settings before and after DNS lookup, to avoid surprises
in third-party code. This may eliminate some "localhost
not found" problems. File: dns/dns_lookup.c.
20031216
Cleanup: easier to parse mailq output (no more space
between short queue ID and message status). File:
showq/showq.c.
20031216-21
Cleanup: the SMTP client now moves on to the next MX host
or fallback relay when delivery fails in the middle of an
SMTP session. This includes both broken connections and
4xx SMTP server replies. Files: smtp/smtp.c, smtp_rcpt.c,
smtp/smtp_connect.c, smtp_trouble.c.
Configuration parameters: smtp_mx_address_limit (limit the
list of IP addresses from MX lookup), and smtp_mx_session_limit
(limit the number of actual SMTP sessions per delivery
attempt, ignoring unusable MX IP addresses).
The new code centers around a mark-and-sweep algorithm
(replacing code that twiddled the rcpt->offset structure
member), with paranoid sanity checks to ensure that every
recipient is explicitly accounted for.
20031217
Update: LDAP client logging (Liviu Daia) and LDAP client
documentation (Victor Duchovni). Files: util/dict_ldap.c,
conf/sample-ldap.cf, README_FILES/LDAP_README.
20031222
Cleanup: shaved half the worst-case bits off the cleanup
duplicate address filter footprint. After discussion with
Victor Duchovni. File: cleanup/cleanup_out_recipient.c.
Safety: added "mail loops to myself" logic for destinations
that don't have an MX host. File: smtp/smtp_addr.c.
20031223
Workaround: turn off "mail loops to myself" for non-MX
destinations because it breaks SMTP-based content filters.
Fix is to turn off loop detection when a non-default TCP
port is specified. File: smtp/smtp_addr.c.
Bugfix: restore errno after write failure in SIGCHLD handler.
Leandro Santi (who got the idea from Hernan Perez Masci).
File: master/master_sig.c.
Bugfix: the auto_clnt module disconnected too early, causing
unnecessary work by the anvil server.
Cleanup: eliminated binary hashes from anvil server. Anvil
client information is now stored on top of its VSTREAM.
20031226
Feature: bounce_queue_lifetime parameter (default:
$maximal_queue_life_time) that bounds the time that
MAILER-DAEMON messages spend in the queue before they are
considered undeliverable.
Feature: disable "mail loops back to myself" protection
when SMTP mail is sent to a non-standard port. This makes
setting up content filters less painful.
Cleanup: disallow bare x.x.x.x numeric IP addresses in
email addresses. The form user@[x.x.x.x] is still allowed.
Cleanup: cleaned up the naming of internal symbols in the
SMTP client.
20031231
Bugfix: stricter address syntax test broke "sendmail -bs".
File: smtpd/smtpd.c.
20040101
Cleanup: the Postfix SMTP server rejects a MAIL FROM address
that matches a local, virtual or relay domain, while the
address is not listed in the corresponding local, virtual
or relay recipient table.
Feature: the reject_unlisted_sender(recipient) SMTPD access
restriction rejects an address that matches a local, virtual
or relay domain, while the address is not listed in the
corresponding local, virtual or relay recipient table.
Compatibility: the check_recipient_maps restriction works
like reject_unlisted_recipient, but will eventually be
removed from Postfix.
20040102
Misc documentation cleanup by Loic Minier.
20040104
Workaround: MacOSX dumps core on the 20030913 TZ censoring
code. We explictly set TZ=UTC, which will produce incorrect
results when "mailq" formatting is moved from the showq
daemon to the postqueue command. File: msg_syslog.c.
Feature: after mail is requeued with "postsuper -r", the
pickup server logs the old queue ID together with the new
queue ID. Victor Duchovni. File: pickup/pickup.c.
Feature: smtpd_sasl_application_name parameter (default:
smtpd) to control the name of the SASL configuration file
used by the Postfix SMTP server. Liviu Daia. Files:
mail_params.h, smtpd.c, smtpd_sasl_glue.c.
Cleanup: the LDAP client configuration parser is now shared
between the LDAP, MySQL, and PGSQL clients. Liviu Daia.
Files: global/cfgparser.[hc], global/dict_ldap.c,
global/dict_mysql.c, global/dict_pgsql.c and documentation.
Cleanup: moved "util" modules with dependencies on higher-level
"global" code from the util directory to the global directory:
util/dict_open.c, global/cfgparser.[hc], global/dict_ldap.c,
global/dict_mysql.c, global/dict_pgsql.c, global/mail_dict.c.
Cleanup: the new queue manager nqmgr replaces the default
queue manager qmgr, leaving behind a hard link for backwards
compatibility. The old queue manager remains available as
as oqmgr but will eventually be removed.
Bugfix: vstring_get() etc. now return VSTREAM_EOF when they
terminate prematurely, instead of returning the last
character stored. This avoids mis-leading warnings. File:
global/vstring_vstream.c.
20040105
Cleanup: don't bother the flush daemon while deferring mail
if the destination is not "fast flush" eligible. File:
global/flush_clnt.c.
Safety: the SMTP server flushes recipients to the cleanup
server in order to avoid SMTP timeouts when virtual or
canonical expansions take a lot of time. File smtpd/smtpd.c.
Safety: add warnings to postmap and postalias when table
lookup results in an empty string.
20040110
Example: script to run qmail-local from Postfix by Ron
Bickers.
Change: queue minfree limit is now 1.5 * message size limit.
File: smtpd/smtpd_check.c.
Bugfix: apply hostname restriction even when host address
lookup fails in check_{sender,recipient}_{ns,mx}_access.
File: smtpd/smtpd_check.c.
20040115
Performance: allow delivery concurrency to increase even
while mail is deferred, as long as the delivery agent does
not report really serious trouble with the destination.
Files: *qmgr/qmgr_deliver.c.
Cleanup: in postfix-files, symbolic links and hard links
are now first-class citizens with explicit mention of source
and destination pathnames. Files: postfix-install,
conf/postfix-files, conf/post-install.
20040116
Cleanup: sendmail -v caused one mail delivery report upon
every delivery attempt, not just the first one. The fix is
to "kill" a queue file record after the first delivery
attempt. This means a new record type. Files: *qmgr/qmgr_active.c,
*qmgr/qmgr_message.c, global/rec_type.c.
Cleanup: in anticipation of other built-in rate limiters,
the client_connection_rate_time_unit parameter is renamed
to client_rate_time_unit.
Documentation: finished the HOSTING_README file with an
overview of methods to host domains with Postfix.
20040119
Bugfix: anvil (count and rate limiting) server race condition
could result in dangling pointer. Postfix erases memory
after allocating and before freeing, so it is extremely
unlikely that this could be used to bring harmful data into
the anvil server. File anvil/anvil.c.
20040120
Cleanup: new header_checks(5) and body_checks(5) manual
pages. The sample-regexp* and sample-pcre* files are no
longer needed and have been removed, as are the default
*_table configuration files.
Cleanup: support for the non-standard Errors-To: header is
removed. File: cleanup/cleanup_message.c.
20040121
Feature: "PREPEND headername: headervalue" action in Postfix
access maps, to facilitate external policy servers that
label mail instead of rejecting it. Files: smtpd/smtpd.c,
smtpd/smtpd_check.c.
20040122
UNDO the 20040104 change (vstring_get() etc. return
VSTREAM_EOF when they terminate prematurely, instead of
returning the last character stored, to avoid mis-leading
warnings). File: global/vstring_vstream.c.
Portability: test -e is not portable. File: conf/postfix-script.
Misc. documentation fixes by Victor Duchovni.
Documentation: the README files are now hyperlinked, and
are referenced in the on-line manual pages.
Bugfix: the pickup daemon now strokes the watchdog frequently
to prevent the watchdog from barking when mail arrives
faster than it can be picked up. File: pickup/pickup.c.
20040123
Feature: set smtpd_reject_unlisted_{sender,recipient}=no
to turn off automatic rejection of non-existent local,
virtual or relay addresses. This way it can be made
conditional for local clients, always on for remote clients.
Files: global/mail_params.h, smtpd/smtpd.c, smtpd/smtpd_check.c.
20040124
Feature: PREPEND in header/body_checks, for message tagging.
File: cleanup/cleanup_message.c.
20040126
Safety: handle the case that main.cf is updated while it
is being read. File: util/dict.c.
Feature: "instance" attribute that links policy etc. queries
to the same message instance.
Cleanup: the mynetworks setting may now be empty. File:
global/mail_params.c.
20040127
Bugfix: missing flush_init() call. Introduced 20040105.
File: postqueue/postqueue.c.
20040128
Cleanup: clnt_stream derived classes now try to detect that
the server has disconnected before sending data and warning
about an error. File: global/clnt_stream.c.
20040202
Bugfix: changed mis-leading warning about text>4096 characters
into "unexpected end-of-input". File: util/attr_scan0.c.
20040201
Feature: sasl_method, sasl_username and sasl_sender attributes
in smtpd policy queries. Files: src/smtpd/smtpd_check.c.
20040204
Safety: smtpd_soft_error_limit now determines when
$smtpd_error_sleep_time starts to take effect.
Cleanup: local(8) and virtual(8) will now create maildirs
in a world-writable directory. Files: util/make_dirs.c.
Bugfix: don't panic on a corrupt queue file. File:
*qmgr/qmgr_message.c.
20040205
Cleanup: sample-filter.cf is gone. Better documentation is
available with "man header_checks".
20040209
Bugfix: when delivery to smtpd_proxy_filter fails, report
"451 Queue file write error" instead of repeating the
previous "354 End data with <CR><LF>.<CR><LF>" response.
File: smtpd/smtpd.c.
20040220
Compatibility: accept and ignore the sendmail -bh and -bH
mode of operation requests.
20040302
Bugfix: SMTPD proxy didn't send QUIT as the result of code
duplication. Evidence reported by Mark Martinec. File:
smtpd/smtpd.c.
20040311
Bugfix: bad address syntax was passed to transport map
lookups. Problem reported by Andrei Koulik. File:
util/match_ops.c, trivial-rewrite/resolve.c.
20040324
Portability: ekkoBSD support by Philip Reynolds. Files:
makedefs, util/sys_defs.h.
20040325
Cleanup: smtp_skip_4xx_greeting and smtp_skip_5xx_greeting
functionality is moved from connection management to SMTP
protocol processing, so that Postfix now logs the server
response when a server refuses to provide service. Files:
smtp/smtp_connect.c, smtp/smtp_proto.c.
Cleanup: smtp_skip_4xx_greeting is no longer configurable;
it is now permanently turned on.
20040326
Workaround: in the trivial-rewrite server, turn on the code
to strip trailing "." while rewriting addresses, and change
the address resolver to strip trailing "." in a compatible
manner. This does not eliminate the problem that the SMTP
server may use a different address for recipient validation
than what the cleanup server uses for virtual alias mapping.
20040329
Bugfix: the SMTP server did not log client (and SASL)
information with the real-time content filter was enabled.
Files: smtpd/smtpd.c, smtpd/smtpd_sasl_proto.c.
Compatibility: smtpd_reject_unlisted_sender is turned off
by default, to avoid trouble with with in-house software
that sends out mail software with an unreplyable address.
20040331
Bugfix: postdrop should not abandon mail submission after
receiving a SIGHUP signal when SIGHUP was ignored by the
parent process. Victor Duchovni, Morgan Stanley. File:
postdrop/postdrop.c.
Bugfix: parsing bug in PgSQL dictionaries causing UNIX
sockets to be ignored. Liviu Daia. Files: global/dict*sql.c.
Performance: allow MySQL and PgSQL database connections to
be closed when idle for more than 1 minute; Liviu Daia.
Files: global/dict*sql.c.
20040401
Sanity: the SMTP server no longer accepts sender or recipient
addresses that end in the "@" null domain, as well as
addresses that rewrite into such a form. Specify
"resolve_null_domain=yes" to get the old behavior back.
File: trivial-rewrite/resolve.c.
20040402
Cleanup: added WARN action support for access maps, for
consistency with the WARN action in header and body checks.
File: smtpd/smtpd_check.c.
20040407
Bugfix: missing return statement at the end of the
FREE_MEMORY_AND_RETURN error handling macro. Adi Prasaja.
File: trivial-rewrite/resolve.c.
20040411
Future proofing: client_rate_time_unit is renamed to
anvil_rate_time_unit, so that it is no longer limited to
clients only. File: src/global/mail_params.h.
Cleanup: postalias and postmap now log problems to syslogd.
Files: postalias/postalias.c, postmap/postmap.c.
20040413
Feature: "postfix set-permissions" (re)sets ownership and
access permissions of Postfix files and directories.
Feature: "postfix upgrade-configuration" updates main.cf
and master.cf. This is for people who people copy over
their old files after installing a newer Postfix version.
Feature: HTML files are now optionally installed under
control of the html_directory configuration parameter.
Files: postfix-install, conf/postfix-files, conf/post-install.
Cleanup: README file installation is now optional. Files:
postfix-install, conf/postfix-files, conf/post-install.
20040414
Cleanup: references to sample-mumble.cf files removed,
conf/mumble_table files removed, new commands added to
conf/postfix-script.
Cleanups: function declared int but used as void, missing
include file, missing const qualifier, unused variable.
Matthias Andree. Files: bounce/bounce_notify_util.c,
bounce/bounce_service.h, postlog/postlog.c, smtpd/smtpd_check.c,
util/attr_scan64.c.
Bugfix: more robust version of SIGHUP test of 20040331.
Victor Duchovni, Morgan Stanley. File: postdrop/postdrop.c.
Safety: added NOCLOBBER qualifiers to local variables that
might be clobbered by longjmp(). Files: util/sys_defs.h,
smtp/smtp_proto.c, lmtp/lmtp_proto.c, smtpd/smtpd_check.c,
smtpstone/smtp-source.c.
Bugfix: sub-level Makefiles no longer turned on the extra
compiler warnings. Files: Makefile.in.*, makedefs.*.
20040415
Bugfix: the LMTP client attempted to reuse a connection
after timeout, causing protocol synchronization errors.
Reported by Rob Mueller. File: lmtp/lmtp.c.
20040416
Cleanup: non-delivery reports now include the original
recipient information. File: bounce/bounce_notify_util.c.
20040415-18
Typos: many documentation fixes by Rob Foehl.
20040418
Cleanup: "int" versus "const int" prototype mismatch between
the DICT sequence method prototype and possible implementations.
Files: util/dict_db.c, util/dict_dbm.c.
20040419
Bugfix: the code that rejects client/helo RESTRICTIONS with
smtpd_delay_reject=no looked at the wrong evidence and
rejected client/helo ACCESS MAP lookups instead. Michael
Tokarev. Files: smtpd/smtpd.c, smtpd/smtpd_check.c.
Bugfix: missing # in master.cf in optional submission
service.
20040420
Bugfix: smtpd logged the client too often. Michael Tokarev.
File: smtpd/smtpd.c.
Cleanup: client_event_status_update_time renamed to
anvil_status_update_time. Files: mantools/postlink,
proto/postconf.proto, anvil/anvil.c.
20040421
Workaround: allow pipelined SMTP clients to overshoot the
SMTP server recipient limit without triggering the server
hard error limit. The SMTP server does not count "too many
recipients" towards the hard error limit, as long as the
number of excess recipients stays within a configurable
overshoot limit (default: smtpd_recipient_overshoot_limit
= 1000). Solution in cooperation with Victor Duchovni.
Files: smtpd/smtpd.c, smtpd/smtpd_state.c, smtpd/smtpd.h.
20040502
Missing test for a never used flag (the problematic and
thus never completed INSPECT feature that doesn't re-inject
mail into Postfix). Victor Duchovni, Morgan Stanley. File:
virtual/virtual.c.
20040503
Bugfix: missing "sasl enabled" guard in the SMTPD policy
client. File: smtpd/smtpd_check.c.
20040606
Portability. UnixWare has strcasecmp() in strings.h. Patch
by Andreas Winkelmann. File: util/sys_defs.h.
Portability. The postlink script is transformed from sed(1)
to perl(1).
20040608
Portability. Introduced SET_H_ERRNO() macro for compilation
environments where h_errno can't be used as an lvalue.
Files: util/sys_defs.h, dns/dns_lookup.c.
Portability. Eliminate assumption on bits per byte from
vbuf_print.c.
20040614
Bugfix: the SMTP client did not reset per-session EHLO,
SASL, and history information when opening a connection to
an alternate SMTP server. This is the result of abstraction
no longer matching function. Reported and diagnosed by
Victor Duchovni, Morgan Stanley.
Bugfix: non-portable reuse of variadic argument lists.
Fix by Victor Duchovni, Morgan Stanley. Files: global/bounce.c,
global/defer.c, global/sent.c, global/trace.c, global/verify.c.
Portability: NetBSD 2.0 has changed from statfs to statvfs.
John Heasley. File: util/sys_defs.h.
Documentation: typo fixes by IKEDA Nozomu.
20040616
Bugfix: one missed variadic argument list fix. Victor
Duchovni, Morgan Stanley. File: global/verify.c.
Bugfix: the resolver client cache should be context dependent
because address verification probes may use a different
route than normal mail deliveries. File: global/resolve_clnt.c.
Safety: added similar context dependence to the address
rewriting client in order to avoid trouble when Postfix is
changed. File: global/rewrite_clnt.c.
Bugfix: space in HELO commands could end up in XFORWARD
commands. File: smtpd/smtpd.c.
20040619
Code reorganization: in preparation for SMTP session caching,
the SMTP client data structures were changed from the
original "one session per delivery request" model to an
explicit "multiple sessions per delivery request" model.
This uncovered ESMTP and SASL missing re-initialization
problems that were fixed in past week. Design by Victor
and Wietse, initial implementation by Victor Duchovni.
20040620
Future proofing: after the reorganization of SMTP request
state and session state, added code to the smtp client
error handling routines to more consistently deal with the
possibility that session information is not available.
20040621
Feature: directory=pathname option for the pipe(8) delivery
agent. This allows a command to run from a fixed directory.
Failure to change directory causes delivery to be deferred.
Files: pipe/pipe.c.
Feature: command_execution_directory for local(8) delivery
to external command. This supports the usual $home etc.
expansions, subject to filtering with the character set
specified with $execution_directory_expansion_filter.
Failure to change directory causes delivery to be deferred.
Files: global/mail_params.h, local/command.c.
Support for external command execution directory. Files:
global/pipe_command.[hc].
20040622
Safety: when mail is delivered to a transport with per-delivery
recipient limit of 1, split the recipient address on the
recipient delimiter if one is defined, so that extended
addresses don't get extra delivery concurrency slots.
Files: *qmgr/qmgr_message.c.
20040623
Workaround for fragile clients: add microsecond time to
maildir filename. Files: virtual/maildir.c, local/maildir.c.
20040628-20040701
SMTP connection caching work with Victor Duchovni.
New module (later renamed to global/scache_single.c) for
protocol-independent session caching. The initial
implementation supports in-process, single-session caching
only. A later version will support a central session cache
daemon. Some more work is needed for passivation/activation
of session attributes.
New function vstream_fdclose() to destroy a VSTREAM while
leaving the underlying file(s) open. Files: util/vstream.[hc].
New function dns_rr_remove() to remove one record from a
resource record list. Some more work is needed to turn the
list into a doubly-linked one. Files: dns/dns.h, dns/dns_rr.c.
Restructuring of the SMTP protocol engine for session
caching. File: smtp/smtp_proto.c.
Restructuring of the connection management module, and
first implementation of SMTP connection caching. To enable,
specify an smtp_connection_cache_time value greater than
zero. The time unit is seconds. File: smtp/smtp_connect.c.
New code to passivate and re-activate SMTP_SESSION objects,
and isolation of session save/lookup in its own module.
Files: smtp/smtp_session.c, smtp/smtp_reuse.c.
Refinement: smtp_cache_reuse_limit parameter to bound the
number of times a session may be reused.
Refinements: when a session comes from the cache, give it
back to the cache anyway (even when it will not be listed
under the next-hop destination name).
Future refinements should also include a bound on the number
of consecutive and total non-delivering uses and other
statistics.
20040714
Bugfix: the code to eliminate the local MTA from the MX
address list did not handle the case that inet_interfaces
produced a less preferred match than proxy_interfaces.
Victor Duchovni, Morgan Stanley. File: smtp/smtp_addr.c.
20040715
Resume work on SMTP session caching. All good sessions
are now cached under their IP address. As before, only the
first good session per delivery request is cached under
the original next-hop destination.
At this point, SMTP session caching works, with a session
cache client module that uses in-process session caching.
This is sufficient to demonstrate that the SMTP client is
ready for session caching.
20040716
New modules to send file descriptors from one process into
another one. This will be needed for implementing a central
connection cache manager daemon. Most systems use UNIX-domain
sockets as the transport for this. On Solaris we use streams
instead. Applications are supposed to invoke LOCAL_SEND_FD()
and LOCAL_RECV_FD(). Files: {unix,streams}_{send,recv}_fd.c.
20040717
First implementation of a session caching client API that
actually sends to/receives from a caching server process.
The old in-process, single-session caching functionality
is preserved as global/scache_single.c, so that we can use
it for bootstrapping the session cache server. File:
global/scache_clnt.c.
First implementation of the scache session cache server,
using the same in-process session caching code that was
used to bootstrap the SMTP client. File: scache/scache.c.
20040718
Performance: the default RSET timeouts are reduced from
120s to 20s. Perhaps there should be different RSET timeout
for address probes and for session cache checks. File:
global/mail_params.h.
20040719
Multi-session connection cache module. Implementing this
was actually the easiest part of the entire connection
caching project. File: global/scache_multi.c.
20040720
Bugfix: event_drain() falsely reported a single-entry timer
queue as empty. File: util/events.c.
Completed the multi-session cache support for SMTP. The
code can be stress tested with a driver program that reads
commands from a script. It is not practical to manually
test the effects of collisions in the time or in name space
domains. File: global/scache.c.
20040721
Feature: the session cache server now logs cache hit and
miss statistics every $session_cache_status_update_time
seconds (default: 600s), as well as upon process exit.
File: scache/scache.c.
20040722
Workaround: LINUX 2.4 has trouble with mixed data and file
descriptor traffic on UNIX-domain stream sockets.
Specifically, it cannot handle data write (read) followed
by file descriptor send (receive): the receiver hangs in
recvmsg(). Workaround is to insert an intervening read
(write) operation. Presumably, LINUX 2.4 is confusing the
data and file descriptor. Lucky Ralf Hildebrandt. Files:
util/sys_defs.h, global/scache_clnt.c, scache/scache.c.
20040723
Safety: spawn(8) now rejects a user with the -1 UID or GID
value, so that commands will not end up running as root.
Files: util/spawn_command.c, spawn/spawn.c.
User interface: parameter smtp_connection_cache_domains
renamed to smtp_connection_cache_destinations. Destinations
listed here must be specified without [] or :port. File:
smtp/smtp_connect.c.
Bugfix: "421 Timeout exceeded" wasn't guarded by setjmp().
Victor Duchovni, Morgan Stanley. File: smtpd/smtpd.c.
20040729
Feature: enable SMTP session caching temporarily while a
postfix is able to schedule back-to-back deliveries.
Parameter: smtp_connection_cache_on_demand (default:
yes). Files: smtp/smtp_connect.c, *qmgr/qmgr_entry.c,
*qmgr/qmgr_queue.c, *qmgr/qmgr_deliver.c.
Feature: smtp-source -N option to generate unique recipient
addresses for (trivial-rewrite) stress testing. Victor
Duchovni, Morgan Stanley. File: smtpstone/smtp-source.c.
20040730
Safety: disallow "opportunistic session caching" when the
queue manager is unable to schedule back-to-back deliveries.
File: *qmgr/qmgr_entry.c.
20040731
Hysteresis: turn on "opportunistic session caching" when
back-to-back deliveries happen, but don't turn if off
until both concurrent and back-to-back delivery ends.
20040801
Workaround: disable session caching for Linux < 2.2 (does
not work) or Glibc < 2 (does not compile). Files:
util/sys_defs.h, util/unix_{recv,send}_fd.c.
Portability: h_errno is not an lvalue in the UnixWare 7.1
multi-threaded environment. Olivier PRENANT.
20040812
Bugfix: update SMTP server error counter when a client is
denied access with smtpd_delay_reject=no.
20040816
Bugfix: The smtp_chat_cmd() forced output flushing code in
the SMTP client could run before an I/O error handler was
set up. Problem diagnosed by Victor Duchovni, Morgan
Stanley. The fix is to disable the smtp_chat_cmd() forced
output flushing code as it duplicates better code in
smtp_loop(). File: smtp/smtp_chat.c.
Safety: set up an I/O error handler before the smtp_loop()
protocol engine starts; this handler logs a warning in case
it ever runs, because that means someone broke ESMTP command
pipelining. File: smtp/smtp_proto.c.
Feature: canonical_classes parameter by Kimmo Suominen, to
control what addresses are rewritten by canonical_maps.
Files: cleanup/cleanup_addr.c, cleanup/cleanup_message.c.
20040817
Bugfix: update the vstream I/O time AFTER the completion
of an I/O request, so that time-sensitive applications
don't force flush output too soon and possibly trigger
NAGLE delays. Problem diagnosed by Victor Duchovni, Morgan
Stanley. File: util/vstream.c.
Portability: avoid postmap/postalias test file name clashes
on Windows. Ian Lance Taylor (of Taylor UUCP fame).
20040823
Bugfix: vstream_popen() did not close the child pipe
after failure to fork(). File: util/vstream_popen.c.
20040826
Feature: support for systems with closefrom(), and emulation
for those without. Andrew Brown. Files: util/sys_defs.h,
util/sys_compat.c.
20040827
Feature: {sender,recipient}_canonical_classes parameters,
which give better control than sender_canonical_classes.
Files: cleanup/cleanup_addr.c, cleanup/cleanup_message.c.
Feature: the proxymap client now recognizes when a map
can't be proxied, and will open it directly instead. This
makes proxy maps easier to use for virtual mailbox domains.
File: global/dict_proxy.c.
Feature: smtp_sasl_mechanism_filter restricts what remote
SMTP server mechanism names the Postfix SMTP client passes
on to the SASL library. Victor Duchovni, Morgan Stanley.
Files: smtp/smtp.c. smtp/smtp_sasl_glue.c, smtp/smtp_sasl_proto.c.
20040828
User interface: when no recipients are specified, the
Postfix sendmail command now terminates with status EX_USAGE
instead of accepting the mail first and bouncing it later.
This gives more direct feedback in case of a common client
configuration error. File: sendmail/sendmail.c.
20040829
Portability: Solaris closefrom() support didn't work for
non-SUN compilers. Victor Duchovni, Morgan Stanley.
20040830
Feature: the scache(8) session cache manager now logs the
peak counts of destinations, endpoints and sessions. Files:
scache/scache.c, global/scache*c.
20040831
Portability: disable session caching support on SCO 5
because of incompatible sockets API. File: util/sys_defs.h.
20040913
Bugfix (introduced 20020803): sent the wrong bounce message
type when a Delivered-To: loop was detected for a mailing
list alias. Nicolas Riendeau. File: bounce_notify_util.c.
20040918
Feature: authorized_flush_users, authorized_mailq_users,
authorized_submit_users to restrict what users can flush
the queue, list the queue, or submit mail locally. Based
on code by Victor Duchovni, Morgan Stanley. Files:
sendmail/sendmail.c, postdrop/postdrop.c, postqueue/postqueue.c,
global/user_acl.[hc].
Feature: discard(8) mail delivery agent. Victor Duchovni,
Morgan Stanley. File: discard/discard.c.
20041002
Long overdue, a master(5) manual page based on an initial
version by Magnus Baeck.
By popular demand, a postfix-manuals.html web page with
totally useless links to UNIX-style manual pages (the same
information should already be available simply by typing
"apropos postfix"). To keep newbies from getting completely
lost due to information overload, the document starts with
a list of actually useful pointers to Postfix introductions,
duplicated from the already existing documents.html.
20041006
Bugfix: "sendmail -bv" did not reject the -t option. File:
sendmail/sendmail.c.
20041007
Feature: SASL authentication attributes are now stored in
queue files and passed on to delivery agents, by Leandro
Santi. Files: deliver_pass.c, deliver_request.c,
qmgr_deliver.c, qmgr_message.c, pipe.c, smtpd.c.
20041009
Feature: per SMTP client message rate limit and recipient
rate limit, by Ragnar Lonn, GHN network technologies.
Files: smtpd/smtpd.c, anvil/anvil.c, global/anvil_clnt.[hc].
Incompatibility: smtpd_client_connection_limit_exceptions
renamed to smtpd_client_event_limit_exceptions, because it
now also controls message and recipient rate limit control.
20041013
Portability: AIX 5.1/GCC.
20041014-23
Postfix no longer appends the local domain to header
addresses from remote clients. Instead, Postfix either
does not rewrite those headers at all, or it appends the
domain specified with the new remote_header_rewrite_domain
parameter.
Postfix still appends $@myorigin or .$mydomain to headers
from the Postfix sendmail command, or from clients listed
with the new local_header_rewrite_clients parameter (default:
permit_mynetworks, permit_sasl_authenticated).
These changes affect the SMTP server (including XFORWARD
support), the cleanup server (do or don't rewrite headers),
the trivial-rewrite server (append local domain or surrogate
remote domain to incomplete addresses), the queue manager
(send additional attributes to delivery agents), the LMTP
and SMTP clients (XFORWARD support), and the local delivery
agent (preserve XFORWARD attributes when forwarding mail).
20041016
Bugfix: attr_clnt_request() did not properly skip hash
table arguments. Luc Pardon, Skopos Consulting. File:
util/attr_clnt.c.
20041018
The NIS+ module by Geoff Gibbs is now part of Postfix.
Files: util/dict_nisplus.c, proto/nisplus_table.
20041019
Support for Errors-To: is permanently removed.
20041022
Bugfix: "smtp_connection_cache_on_demand=no" could crash
the SMTP client. File: smtp/smtp_connect.c.
Robustness: extra sanity checks. Files: util/dict_db.c,
util/dict_dbm.c, dict_nis.c.
20041025
Initial merge of Lutz Jaenicke's TLS patch. Initial rewrite
of tlsmgr to eliminate some code duplication and to postpone
calls into OpenSSL until after dropping privileges.
20041030
Compatibility: "session cache" renamed to "connection cache"
to avoid confusion with the TLS session cache.
20041102
Feature: smtpd_end_of_data_restrictions allow you to specify
restrictions at the end of the SMTP DATA command. The syntax
is identical to that of the smtpd_data_restrictions feature.
This introduces a new END-OF-DATA protocol state for the
external policy server. Files: proto/SMTPD_POLICY_README.html,
proto/SMTPD_ACCESS_README.html, smtpd/smtpd_check.c.
20041111
Cleanup: terminate the dict_eval() result buffer for verbose
logging. Victor Duchovni, Morgan Stanley. File: util/dict.c.
20041112
Cleanup: be more careful when saving and restoring resolver(3)
options to avoid problems with an HP-UX security patch
(change introduced 20031215). File: dns/dns_lookup.c.
20041115
Bugfix: the test for "no debugger_command" was wrong.
Leandro Santi. File: global/debugger_command.c.
20041117
Robustness: the master-child protocol now includes a process
generation number besides the child process ID. The process
generation number is incremented by one each time the master
creates a child process. Child-to-master status updates
with the wrong generation number are ignored, instead of
triggering a consistency error in the master server. Files:
master/*server.c, master/master_status.c, master/master_spawn.c.
20041118
Bugfix: the "local_header_rewrite_clients" feature (20041023)
did not recognize "bare" lookup tables as documented. Victor
Duchovni, Morgan Stanley. File: smtpd/smtpd_check.c.
Bugfix: the "local_header_rewrite_clients" feature (20041023)
was broken because the local delivery agent passed on a
bogus attribute value when forwarding internally generated
mail, causing the mail to be rejected by the cleanup server.
File: local/dotforward.c.
Bugfix: the "local_header_rewrite_clients" feature (20041023)
was broken because the pickup server always overwrote origin
information. Files: pickup/pickup.c, cleanup/cleanup_state.c,
*qmgr/qmgr_message.c.
Workaround: enable the "can't write before sending a file
descriptor" workaround for Solaris. Problem reported by
Victor Duchovni for Solaris 2.5.1, but we play safe and
enable it unconditionally.
20041120
The TLS support routines are moved to a "tls" directory,
and are published via the "libtls.a" object library.
20041122
Infrastructure: support for binary attribute values
(ATTR_TYPE_DATA) in Postfix IPC messages. Files:
util/attr_scan*c, util/attr_print*c.
20041123-20041205
TLS support: via a process of gradual transformation,
decomposed Lutz Jaenicke's pfixtls.c into separate modules
for clients, servers, certificate verification, session
caching, and PRNG management. Global variables were eliminated
so that the code now supports multiple client and/or server
contexts in the same process. Files: tls/*.[hc].
20041205
TLS support: eliminated shared access (and locking) of the
TLS PRNG exchange file and TLS session caches. Instead,
Postfix uses a client-server protocol, and the tlsmgr
becomes the sole mediator. This eliminated the need for
1000+ lines of SDBM support, and eliminated the need for
running a persistent tlsmgr process on systems don't enable
TLS in main.cf.
20041124
Feature: configurable list of forbidden SMTP commands
(default: smtpd_forbidden_commands = CONNECT, GET, POST)
after which the Postfix SMTP server disconnects immediately.
The SMTP server always disconnects immediately when the
client sends a message header instead of an SMTP command.
Magnus Baeck. File: smtpd/smtpd.c.
20041207
CDB support by Michael Tokarev, documentation by Victor
Duchovni. Files: util/dict_cdb.[hc], global/mkmap_cdb.c.
20041209
Completed support for the Berkeley DB sequence operator.
This is needed for finding and deleting old entries in TLS
session databases. File: util/dict_db.c.
Bugfix: the DBM client's sequence operator used exclusive
locking instead of shared locking. File: util/dict_dbm.c.
Feature: dump an entire database with the new postmap/postalias
"-s" option. This works only for database types with Postfix
sequence operator support: hash, btree, dbm, and sdbm.
Files: postmap/postmap.c, postalias/postalias.c.
20041212
Solaris 10/ix86 chroot setup script update by J.D. Bronson.
TLS support: cosmetic changes to comments and messages;
completed the code for the master -> tlsmgr trigger handshake,
so that the master no longer complains about trigger
responses timing out.
20041213
Updated the SDBM dictionary interface. It had fallen behind
with the Postfix dictionary interfaces that were already
bundled with Postfix. Files: util/dict_sdbm.[hc].
Cleanup: "postconf -m" (show all available map types) now
produces sorted output. File: util/dict_open.c.
20041215
No bugfix: tests with the new "postmap -s" feature show
that SDBM first/next operations never worked with Postfix/TLS
patch 20040829 (verified with the 20040829 dict_sdbm.c
module on Linux and FreeBSD). The code stops after finding
one database element. Other SDBM versions found on the
Internet will find all database entries, but report an I/O
error after the last database element is found. All this
would be easy enough to fix, but the SDBM library is not
part of Postfix, and never will be.
Bugfix: the sequence operator in the DBM and SDBM clients
released the shared lock after reading the next key but
before reading the corresponding value. This was never a
problem, because the sequence operator was used only in
the Postfix/TLS patch. This used the SDBM sequence operator
which didn't work as discussed above. Files: util/dict_dbm.c,
util/dict_sdbm.c.
Feature: the local(8) and pipe(8) delivery agents now make
the following attributes available upon delivery (with
local(8) names must be spelled in upper case): client_hostname,
client_address, client_protocol, client_helo, sasl_method,
sasl_sender, sasl_username. Files: local/command.c,
pipe/pipe.c, and lots of documentation.
20041216
"postcat -o" now prints queue file record offsets; this is
useful for debugging. File: postcat/postcat.c.
NON-PRODUCTION Bugfix: (bug introduced while adopting the
Postfix/TLS patch): the new TLS certification call-back
routine expects that the peer hostname is in
tlscontext->peername_save, but the TLS server code never
updated this field. File: tls/tls_server.c.
20041218
Feature: selective suppression of SMTP extensions (pipelining,
starttls, auth, etc.); this is useful to work around broken
clients or servers. Specify a list of EHLO keywords with
the smtp(d)_discard_ehlo_keywords parameters, or specify
one or more lookup tables, indexed by remote network address,
with the smtp(d)_discard_ehlo_keyword_address_maps parameters.
EHLO keyword lists are case insensitive. Files:
util/name_mask.[hc], global/ehlo_mask.[hc], smtpd/smtpd.c,
smtp/smtp.c, smtp/smtp_proto.c.
20041219
Bugfix: postcat without -o was broken. File: postcat/postcat.c.
20041220
NON-PRODUCTION Bugfix: (bug introduced while adopting
Postfix/TLS patch): don't call smtp_flush() after return
from vstream_setjmp(), we'll call you. File: smtpd/smtpd.c.
Dummy VSTREAM read-write routines. Files: util/dummy_read.c,
util/dummy_write.c.
20041221
Fixes for TLS_README by Victor Duchovni. File:
proto/TLS_README.html.
NON-PRODUCTION Bugfix: (bug introduced while adopting
Postfix/TLS patch). The client code had become too similar
to the server implementation, and also required a host
certificate and key. Fix by Victor Duchovni. File:
tls/tls_client.c.
20041221
Bugfix: further postcat corner cases.
20041223
Cosmetic: don't log disconnect events as I/O errors.
File: tls/tls_bio_ops.c.
20041221-9
Infrastructure: unified IPv4/IPv6 name/address API so that
Postfix can support IPv6 without #ifdef INET6 everywhere.
In particular, we allow #ifdef in libraries but avoid it
in applications. Files: util/myaddrinfo.[hc],
util/sock_addr.[hc], dns/dns_rr_to_pa.c, dns/dns_sa_to_rr.c,
dns/dns_rr_eq_sa.c, dns/dns_rr_to_sa.c, inet_proto.[hc].
Postfix no longer attempts to deliver mail via IPv6 when
the system has no IPv6 connectivity. Network protocol
support is now selected with the "inet_protocols" configuration
parameter, instead of "inet_interfaces". The "inet_protocols"
parameter also controls what DNS lookups Postfix will do.
Infrastructure: eliminated two host/port parsing routines.
Only one survives: host_port(), in an extended form that
allows for missing host or missing service information but
not both. File: util/host_port.c.
20041229
Milestone: Postfix with the unified IPv4/IPv6 socket/name
API builds without compiler error on IPv4-only system and
actually works.
20041228
Bugfix: SMTPD_PROXY_README incorrectly claimed that ":port"
in master.cf causes a server to listen only on "localhost"
without exposing the service to the network. Instead,
":port" causes a client to connect to "localhost".
20041231
Linux workaround: when mynetworks isn't set, a chrooted
process could not read the IPv6 address information from
/proc. We now invoke own_inet_addr() before chrooting,
while processing main.cf. File: global/mail_params.c.
20050101
Workaround for (Linux) systems without IPV6_V6ONLY support
(RFC 3493). When Postfix listened on an IPv4 wild-card
smtp socket, the IPv6 wild-card smtp listener would fail
with EADDRINUSE (and vice versa). File: util/myaddrinfo.c.
20050103
Safety: when the IPV6 netmask can't be determined, assume
/128 (host only). File: util/inet_addr_local.c.
20050104
Re-implemented IPv6 support for net/mask pattern matching.
Files: util/cidr_match.[hc], util/dict_cidr.c,
util/match_ops.[hc], proto/cidr_table.
20050105
Moved mask_addr() to its own module so that it could also
be called by mynetworks() and inet_addr_local() to remove
non-zero host bits from IPv6 network/mask patterns. File:
util/mask_addr.c.
20050108
Re-implemented IPv6 support for network interface lookup
via the Linux /proc file system. File: util/inet_addr_local.c.
20050111
Feature: specify "inet_interfaces = loopback-only" for
servers that must listen on local interfaces only, without
having to specify IPv4 and/or IPv6 addresses in main.cf or
master.cf. File: global/own_inet_addr.c.
Workaround: AIX 5.1 getaddrinfo() can't handle a null host
argument with AI_PASSIVE. Instead we specify an explicit
protocol family, a host of "::" or "0.0.0.0", and turn off
IPV6_V6ONLY. Files: util_myaddrinfo.c, util/inet_listen.c.
Workaround: AIX 5.1 getaddrinfo() can't handle a "0" service
argument. Instead we specify "1". Files: util/inet_addr_host.c.
20050113
Cleanup: now that the over-all structure is proving itself,
clean up some internal APIs to increase robustness and get
rid of some clumsiness. Mainly, the getaddrinfo(3) interface.
Start-up performance: the hash_queue_names default setting
is reduced from eight directories to just defer and deferred.
This reduces time for checking the Postfix queue. Files:
conf/post-install, global/mail_params.h.
20050114
Further cleanup: eliminate duplicate IPv6 results when the
mynetworks value is generated by Postfix. More documentation
of the new internal APIs.
Performance: reduced start-up delay by moving warning-only
startup checks into the background. File: conf/postfix-script.
20050115
Further hardening of the IPv6 support: don't trust system
libraries to protect Postfix against malformed IPv6 address
literals. Their syntax is complex enough that errors are
likely. Files: global/resolve_local.c, util/valid_hostname.c.
Further cleanup: RFC 2821 requires the IPv6: prefix with
IPv6 address strings. The smtp and qmqp servers maintain
separate address instances, the bare address and the RFC
2821 compatible form, and use each where appropriate. This
strict separation simplifies address syntax checks as well
as the implementation of XCLIENT and XFORWARD.
20050116
Infrastructure: new valid_mailhost_addr() routine to verify
that an address literal satisfies RFC 2821. An IPv4 address
is in dotted-quad decimal form, and an IPv6 address is in
hexadecimal form, with the "IPv6:" prefix. Files:
global/valid_mailhost_addr.[hc].
Further cleanup: valid_hostname() no longer allows network
addresses or numerical domain names. While it made some
sense with IPv4 dotted quad decimal forms, with IPv6 it
just made no sense anymore. Again, being stricter actually
simplifies code. Files: util/valid_hostname.c and a
surprisingly small number of valid_hostname() callers that
did not reject numerical forms.
Bugfix: in the Postfix 2.2 SMTP client, the debug_peer_init()
call was moved to the after-chroot initialization.
20050117
Performance: reduced start-up delay by moving warning-only
startup checks into the background; they now start after
one minute to allow the system to finish booting. File:
conf/postfix-script.
Milestone: first non-non-production snapshot with IPv6.
20050119
Milestone: first non-non-production snapshot with TLS.
20050124
Workaround: don't send mail to $fallback_relay if Postfix
is MX host for the next-hop destination. This is, however,
a partial solution. The documentation has been updated to
cover all the cases where a fallback_relay could interfere
with the operation of a backup or primary MX host. Files:
smtp/smtp_addr.c, smtp/smtp_connect.c.
20050127
Configuration: Postfix daemons that need privileged operation
(such as local, pipe, or spawn) now log a fatal error when
they are configured in master.cf as unprivileged.
20050130
Cleanup: simplified the handling of receive_override_options
settings. Files: pickup/pickup.c, smtpd/smtpd.c, qmqpd/qmqpd.c,
global/input_transp.c.
Feature: permit_inet_interfaces allows a request when the
client matches $inet_interfaces. This is used for generic
access restrictions and for header address rewriting control.
Files: global/mail_params.h, smtpd/smtpd_check.c.
Cleanup: by default, message header address rewriting is
now enabled only for mail that originates from the machine
itself. Files: global/mail_params.h, smtpd/smtpd_check.c.
20050131
Bugfix: when extracting recipients from message headers,
the Postfix sendmail command produced output records longer
than $line_length_limit, causing postdrop to reject the
mail. Diagnosis by Victor Duchovni. File: sendmail/sendmail.c.
20050202
Cleanup: explicit Makefile targets for "make package" and
"make non-interactive-package" to create ready-to-install
packages for distribution to other systems. Added extra
sanity checks to prevent attempts to overwrite your running
Postfix instance. Files: Makefile.in, proto/PACKAGE_README.
Cleanup: when bounce_queue_lifetime > maximal_queue_lifetime,
it is adjusted to maximal_queue_lifetime, and a warning is
logged. Files: *qmgr/qmgr.c.
20050203
Cleanup: trivial-rewrite now restarts more timely after
changes in lookup tables. Of the all the alternatives
tested, the simplest one produces the most bang for the
buck. The other code is left in place for illustrative
purposes. File: trivial-rewrite/trivial-rewrite.c.
Cleanup: sendmail no longer ignores null command-line
recipients. File: sendmail/sendmail.c.
Cleanup: "postfix start" background checks moved back to
the foreground so they can be stopped more easily. File:
conf/postfix-script.
20050204
Feature: REPLACE command in header/body_checks (implemented
as a combination of PREPEND and IGNORE) by Bastiaan Bakker.
File: cleanup/cleanup_message.c.
Cleanup: linted the manual pages for consistency in the
way manuals are referenced, and in the presentation of
command examples. Files: mantools/manlint, mantools/fixman,
mantools/postconf2man.
20050205
Cleanup: updated the mass-deletion example in the postsuper
manual.
20050206
Cleanup: don't count a [45]XX SMTP server greeting towards
the mx_session_limit setting. File: smtp/smtp_connect.c.
Feature: output address rewriting in the SMTP client. The
smtp_generic_maps parameter specifies an address mapping
that happens only when mail is delivered via SMTP. This is
typically used for hosts without a valid domain name, that
use something like localdomain.local instead. This feature
can replace local mail addresses by valid Internet mail
addresses when mail needs to go across the Internet, but
not when mail is sent between accounts on the local machine.
Files: smtp/smtp_proto.c, smtp/smtp_map11.c.
Cleanup: don't panic in mymalloc() when master can't find
any IP addresses. LaMont Jones. File: master/master_ent.c.
20050207
Documentation: added a generic(5) manual page for consistency
with the already existing table driven mechanisms, added
references to or examples of the new generic mapping.
Bugfix: the header_checks REPLACE action mis-handled
multi-line replacement text in message headers, for example:
/(.*)/ REPLACE X-$1. File: cleanup/cleanup_message.c.
Bugfix: the header_checks REPLACE action should not drop
the input when the action is NOT executed. File:
cleanup/cleanup_message.c.
Bugfix? Cleanup? Documentation? main.cf now implements
${name[?:]value} as promised in the postconf(5) manual.
Implemented by deleting the macro processor in dict_eval(),
and using the one in mac_expand() instead. File: util/dict.c.
20050208
Feature: check_ccert_access maptype:mapname for access(5)
control, based on code by Victor Duchovni. File:
smtpd/smtpd_check.c and documentation.
Safety: don't allow unlimited message size with limited
mailbox size. File: local/local.c, virtual/virtual.c.
Feature: new smtpd policy attributes ccert_subject,
ccert_issuer and ccert_fingerprint, with TLS client
certificate information, but only when verification was
successful. Files: src/smtpd/smtpd_check.c.
Cleanup: corrected the address verification data flow in
the ADDRESS_VERIFICATION_README illustration.
20050209
Cleanup: the smtp generic mapping did syntax check on the
input address instead of the result. These tests were not
going to be useful in any case, because mail_addr_map()
canonicalizes the lookup result, including @dom1->@dom2
mapping. File: smtp_map11.c.
Cleanup: made the generic mapping documentation consistent
with the implementation.
Cleanup: documented the myorigin/mydomain address rewriting
in canonical, generic and virtual alias maps.
Feature: updated LDAP and *SQL query interfaces using a
common infrastructure so that all have the same feature set
where possible. Victor Duchovni and many others. This code
was tested separately and was merged into the main stream
20050308. Files: global/db_common.[hc], global/dict_ldap.c,
global/dict_mysql.c, global/dict_pgsql.c, plus documentation.
20050210
Bugfix: spurious fallback_relay warnings after 20050202.
Victor Duchovni. File: smtp/smtp_connect.c.
Bugfix: (introduced while adopting Postfix/TLS patch) the
TLS cache scan stopped after expiring one entry. Victor
Duchovni. File: tls/tls_scache.c.
Safety: delete-behind when removing expired entries from
TLS session caches. With some maps the enumeration method
mis-behaves when the current entry is deleted. File:
tls/tls_scache.c.
20050211
Cleanup: the "generics" feature (output address rewriting)
is renamed to "generic", for consistency with "canonical"
and "virtual".
20050212
Cleanup: remove old trace(8) logfile before attempting
delivery (and after locking the message file exclusively).
Files: *qmgr/qmgr_message.c.
Cleanup: don't parse-then-regenerate message headers when
no address is changed by address rewriting operations. This
behavior was copied from the SMTP client's generic mapping
code. Files: cleanup/cleanup_rewrite.c, cleanup/cleanup_map11.c,
cleanup/cleanup_masquerade.c, cleanup/cleanup_message.c..
20050215
Bugfix: don't chmod queue files while running "postfix
set-permissions". This prevents mail from being labeled as
"corrupt" when a live Postfix system is upgraded. Found
by Victor Duchovni. File: conf/post-install.
20050216
Feature: in smtpd?_discard_ehlo_keyword(s|_address_maps)
specify the pseudo keyword "silent-discard" in order to
avoid logging that some EHLO keyword is being suppressed.
File: global/ehlo_mask.[hc].
20050217
Bugfix: typo in tls_server.c, breaking CApath. Fix by
Philipp Morger. File: tls/tls_server.c.
20050227
Bugfix (bug introduced 20040331): with SIGHUP ignored, the
postdrop signal handler would effectively ignore SIGINT,
SIGQUIT and SIGTERM. Simplified the overly-conservative
protection against nested signals in postdrop, and added
some future proofing comments. File: postdrop/postdrop.c
Cleanup: when address rewriting is enabled, don't change
the capitalization of header labels, i.e. don't replace
FROM: or CC: by From: or Cc:. Files: cleanup/cleanup_message.c,
smtp/smtp_proto.c.
20050228
Cleanup/portability: missing #includes and bad prototypes.
Matthias Andree, Carsten Hoeger, and others.
20050302
Workaround: make TLS session caching work with perverse
sites that have multiple servers per hostname or even
multiple servers per IP address, but no shared TLS session
cache. The SMTP client TLS session cache is now indexed by
(server hostname, server address, server port, server helo
hostname). After an idea by Victor Duchovni. Files:
smtp/smtp_proto.c, tls/tls_client.c.
20050303
Bugfix (bug inherited from Postfix/TLS patch): a rare 9kbyte
memory leak when in-memory TLS session information expires;
found by setting the expiry time shorter than the time to
deliver one or two messages with a very slow machine. This
was due to a missing SSL_SESSION_free() call in the "new
session" call-back routines. Found by Victor Duchovni.
Files: tls/tls_client.c, tls/tls_server.c.
Workaround: OpenSSL is overly agressive when purging a
not-yet expired entry from a full in-memory cache: it also
purges the entry from the on-disk server session cache.
Workaround is to let only the tlsmgr purge entries from the
on-disk server session cache. Found by Victor Duchovni.
File: tls/tls_server.c.
20050304
Postfix releases are now signed with Wietse's new PGP key.
The old key was getting a bit short for today's standards.
The new public key can be found on the Postfix download
webpage. As proof of authenticity the new PGP key is signed
with Wietse's old PGP key.
Cleanup: check_mumble_{ns,mx}_access no longer attempt to
do MX or NS lookups for address literals. An address literal
is treated as its own MX host; there is no meaningful
equivalent for NS access control. File: smtpd/smtpd_check.c.
20050310
Bugfix: the AIX and SUN compilers rightfully complained
about non-portable code in the "new" LDAP/SQL client. File:
global/db_common.c.
Workaround: some systems no longer recognize "tail +2" as
valid command syntax. Instead they require "improved" syntax
that is not valid on several other systems that Postfix
builds on. So we have to stop using the tail command.
Files: Makefile.in, src/*/Makefile.in.
20050312
Bugfix: the TLS session cache cleaning code didn't always
delete the right entry. Problem found by Victor Duchovni,
more problems found by Wietse. File: tls/tls_scache.c.
20050314
Portability: Berkeley DB changed API from version 2.5 to
2.6. Rob Foehl. File: util/dict_db.c.
20050315
Bugfix: when <unistd.h> is included, read is a reserved
identifier. File: smtpstone/smtp-source.c.
20050321-27
Support for RFC 3463 enhanced status codes. See also the
ENHANCED_STATUS_README (a hacker's guide) for background.
New module to pass around (status code + text) instead of
just text. File: Files: global/dsn_util.c.
Status-related lookup tables now have an extra column for
enhanced status codes. Files: global/sys_exits.c,
global/cleanup_strerror.c.
Cleanup: centralized mapping of errno values to delivery
status codes after failed delivery to mailbox, maildir, or
file. Error codes EAGAIN, and ESTALE are 4.2.0 temporary
errors; ENOSPC is a 4.3.0 temporary error; and EDQUOT and
EFBIG are 5.2.2 hard errors. For backwards compatibility,
the result of other errors depends on the delivery agent:
with local(8) everything else is a 5.2.0 hard error, and
with virtual(8) everything else is soft 4.2.0 error. File:
global/mbox_open.c.
20050324
Workaround: gcc -W (version 3.4.2 [FreeBSD] 20040728) no
longer warns about missing return statements. What a time
waste.
Workaround: gcc -E (version 3.4.2 [FreeBSD] 20040728) output
has changed, causing too much "make depend" output.
20050325
Bugfix: when bouncing mail that was submitted with Postfix
sendmail, the cleanup daemon ignored the reason specified
in header/body_checks, and always produced a generic reason.
File: cleanup/cleanup_api.c.
Workaround: don't announce pipelining support when the
smtp-sink test program is configured to fail specific
commands with -r or -f (the fix is to build a proper SMTP
state engine into the smtp-sink test program). File:
smtpstone/smtp-sink.c.
20050326
Update: more PCRE error codes. File: util/dict_pcre.c.
20050327
Bugfix: the SMTP and LMTP clients did not ask the queue
manager to reduce destination concurrency when "lost
connection" or "connection timed out" happened AFTER Postfix
received the server greeting. Files: smtp/smtp_trouble.c,
lmtp/lmtp-trouble.c.
Workaround: FreeBSD has incompatibly changed the output
format from "od", breaking regression test portability.
The TLS client session cache ID is now derived from the
server IP address, TCP Port, and server HELO hostname
if available. File: smtp/smtp_proto.c.
20050328
Cleanup: the REPLACE action is no longer implemented as
PREPEND+IGNORE. The result remains in the input stream,
and is subject to address rewriting and other processing
where applicable. File: cleanup/cleanup_message.c.
Feature: the TLS server name verification status is moved
out of the TLS session cache. This not only simplifies the
client-side TLS cache implementation, but also provides
better cache support for clients that connect to multiple
independent MTAs under the same DNS hostname or IP address,
provided that each MTA replies with a unique name in the
EHLO response. Patch by Victor Duchovni. Files: tlsmgr/tlsmgr.c,
tls/tls_verify.c, tls/tls_session.c, tls/tls_server.c,
tls/tls_scache.h, tls/tls_scache.c, tls/tls_misc.c,
tls/tls_mgr.h, tls/tls_mgr.c, tls/tls_client.c, tls/tls.h,
smtp/smtp_proto.c.
20050330
Bugfix: in some compilation environments the SMTP and LMTP
clients could ignore enhanced status codes in server replies.
Bug introduced 20050329 while polishing working code. Files:
smtp/smtp_chat.c, lmtp/lmtp_chat.c.
Feature: add enhanced status code support to the smtp-sink
test program. File: smtpstone/smtp-sink.c.
20050331
Workarounds for ancient gcc compilers that can't handle
valid C. Bugs reported by Victor Duchovni. Files:
util/sys_defs.h, global/dsn_util.h, tls/tls_client.c.
Bugfix: when delivery to command failed, command output was
not reported. Fix was to enable format checks for the new
dsn_vstring_update() module. File: global/dsn_util.h,
global/pipe_command.c.
20050401
Cleanup: ignore incorrect enhanced status codes (such as
5xx reply followed by a 4.x.x status), and don't look for
enhanced status codes unless the server replies with a
[245]XX reply. Files: smtp/smtp_chat.c, lmtp/lmtp_chat.c.
20050402
Feature: enhanced status code support for errors found by
the MIME processor. Files: global/mime_state.c,
cleanup/cleanup_message.c, smtp/smtp_proto.c.
Cleanup: updated error messages about MIME processing errors
in the SMTP client. These errors are no longer specific to
8bit->7bit conversion; they can also happen with generic
address mapping. File: smtp/smtp_proto.c.
Safety: SASL 2.1.19 has a version lookup routine that we
can use to detect compile time / run time version mis-matches
(also known as DLL hell). Files: src/smtpd/smtpd_sasl_glue.c,
src/smtp/smtp_sasl_glue.c, src/lmtp/lmtp_sasl_glue.c.
20050404
Typo: missing comma after dsn=x.yy.zz logging. File:
global/log_adhoc.c.
Feature: specify "smtpd_sasl_authenticated_header = yes"
to report the SASL login name in the Received: message
header, so that the login name is shared with the whole
world. Based on code by Branko F. Gracnar. Files:
smtpd/smtpd.c, and documentation.
20050407
@%^!#& Thanks to inadequate SASL documentation the client
could negotiate a security layer where none was desired.
Better documentation has become available since Postfix
SASL support was implemented, and now Postfix needs to be
fixed. Files: */*_sasl_glue.c.
20050409
Safety: the CDB map now logs a warning when the source file
is newer than the indexed file, just like the Berkeley DB
and DBM maps. Michael Tokarev. File: util/dict_cdb.c.
20040411
Portability: put the SASL DLL Hell guard after the declarations
instead of before. Reported by Marcus Grando. Files:
smtp/smtp_sasl_glue.c, lmtp/lmtp_sasl_glue.c.
20050412
Infrastructure: change the disposition or other properties
of an embryonic queue file. This is currently used only to
place mail on hold. After code by Victor Duchovni. Files:
global/mail_stream.[hc], cleanup/cleanup_api.c.
Bugfix: while updating the cleanup_flush() infrastructure
eliminated a portability problem that was introduced when
"REJECT text" support was added. File: cleanup/cleanup.c.
20050413
Portability: don't mix socket message send/receive calls
with socket stream read/write calls. The fact that you can
get away with it only on some stacks implies that there is
no long-term guarantee. Specify -DCAN_WRITE_BEFORE_SENDING_FD
if you feel brave. File: util/sys_defs.h.
Robustness: re-compile all object files after the "make
makefiles" options have changed. Files: src/*/Makefile.in.
Tweaking: reply with 5.3.4 when the message size exceeds
the mail system message_size_limit, instead of 5.2.3 which
is a mailbox specific status. File: smtpd/smtpd_check.c.
20050417
Safety: don't call syslog from a user-triggered signal
handler. File: postdrop/postdrop.c.
20050421
Bugfix: don't panic when the fall-back relay can't be used
because the local MTA is MX for the destination. File:
smtp/smtp_connect.c.
20050422
Bugfix: don't panic when the fall-back relay can't be used
because it was already tried via a cached session. Produce
a default excuse instead. File: smtp/smtp_connect.c.
Bugfix: postsuper could lose an error message after reporting
a fatal error. File: postsuper/postsuper.c.
20050426
Bugfix: simplified and improved the 20050422 fall-back relay
fix. File: smtp/smtp_connect.c.
20050427
Final solution for the 20050422 fall-back relay problem:
truncate the fall-back host list when the local MTA is MX
for some destination. Files: util/argv.c, smtp/smtp_connect.c.
Cleanup: extra dsn_vstring_update_dsn() routine to shut up
GCC complaints about valid code. Files: src/global/dsn_util.c,
src/global/mbox_open.c, src/lmtp/lmtp_addr.c, src/smtp/smtp_addr.c,
src/smtp/smtp_connect.c.
20050429
The Postfix SMTP server now announces ENHANCEDSTATUSCODES
support in the EHLO response, as described in RFC 2034.
File: smtpd/smtpd.c.
20050503
Propagate enhanced status code from error(8) mailer to SMTP
server replies. File: smtpd/smtpd_check.c.
Cleanup: more consistent format of smtpd warning logging,
so that it is easier to sort. Files: smtpd/smtpd.c,
smtpd/smtpd_check.c.
20050504
Yikes. People are exposing the smtp-sink test program to
hostile environments, while it was designed for controlled
environments. Completed the support for write timeouts,
added support for read timeouts, and added a missing exception
handler for the 220 server greeting. File: smtpstone/smtp-sink.c.
20050506
Cleanup: with "REJECT 4.X.Y ..." actions in header/body_checks,
change the SMTP server reply code from 550 into 450, instead
of having the SMTP server change the DSN into 5.X.Y. File:
smtpd/smtpd.c.
20050510
Usability: when reporting a sender address problem, transform
a recipient DSN status (e.g., 4.1.1-4.1.6) into the
corresponding sender DSN status, and vice versa; and when
reporting a non-address problem, transform a sender or
recipient DSN status into a generic non-address DSN status
(e.g., 4.0.0). This transformation may be needed when the
same access table or RBL reply template are used for client,
helo, sender, or recipient restrictions; or when the same
error mailer information is used for senders or recipients.
Files: smtpd/smtpd_check.c, smtpd/smtpd_dsn_fix.[hc].
20050512
Feature: support for more SASL logging call-backs, if these
are defined in the compile-time environment. Files:
smtpd/smtpd_sasl_glue.c, smtp/smtp_sasl_glue.c.
20050513
Workaround: Postfix now uses "localdomain" as the default
domain name when $myhostname is not in "host.domain" form.
Files: global/mail_params.[hc].
---------
20050415-20050615
As of 20050525, DSN support does not involve new queue file
record types, so you can switch back to older Postfix
versions. Older non-production releases did introduce queue
file incompatibilty.
DSN support is selected via the SMTP port by extra parameters
to the MAIL FROM and RCPT TO commands, and with the Postfix
sendmail command with new command-line options: -N (specify
notification options such as "never", "success", "delay"
or "failure") and -V (specify an envelope ID that identifies
the mail submission transaction). VERP support now uses
-XV instead of -V.
The implementation piggy-backs on the trace(8) service that
was already used for "sendmail -v" (verbose delivery) and
for "sendmail -bv" (what-if) reports. You can no longer
requests these functions together with DSN support.
All this means revision of bounce/defer/trace client
interfaces, of the bounce service, the record reading loops
in postdrop, cleanup(8) and qmgr(8), the queue manager to
delivery agent protocol, and some extra SMTP protocol
parameters in smtpd(8), lmtp(8) and smtp(8).
New code module: global/dsn_smtp.[hc] for RFC 3461 related
information (but this may still change).
Feature: "sendmail -G" is no longer a no-op. Message headers
are treated as if the message has a remote origin. Files:
sendmail/sendmail.c, postdrop/postdrop.c.
Feature: automatic BCC senders are now created as if they
were received with NOTIFY=NEVER, in case it helps. File:
cleanup/cleanup_addr.c
Compatibility: with large bounces, send message headers
only, instead of truncating MIME messages in the middle.
20050517
Bugfix: in a DSN report, the original recipient should not
be xtext encoded. File: bounce/bounce_notify_util.c.
20050523
Bugfix: mymalloc() panic with mistyped server host list.
File: global/dict_pgsql.c.
20050525
Feature: specify delay_warning_time=1 to get immediate
notification of delay. File: qmgr/qmgr_active.c.
20050526
Reset the Postfix original recipient when delivering to
mailing list.
20050601
Modified the master backgrounding procedure to not abort
when the master is already a process group leader. This
happens when people bypass or modify the official Postfix
start-up procedure. Jacek Konieczny. File: master/master.c.
20050602
Sanity check: don't report "address in use" when some Postfix
socket is a directory. File: util/unix_listen.c.
20050613
Now that the over-all structure of the code is proving
itself, interfaces can be cleaned up. This means nicer names
for variables, functions and data structures, and dedicated
read/write routines for recipient and DSN information.
These remove a lot of clutter from the bounce client and
server code. Files: dsn_print.c dsb_scan.c, rcpt_print.c,
rcpt_buf.c.
For Sendmail compatibility, the Postfix sendmail -V option
no longer controls VERP usage, but is used to specify the
DSN envelope ID. In order to provide a smooth transition,
backwards compatibility code recognizes when -V is being
used for VERP control. It will do the right thing, and
warns the user to use -XV instead. File: sendmail/sendmail.c.
20050614
The cleanup server writes bounce (delivery failure) and
trace (success) records, but it no longer requests sender
notification. That is now handled by the queue manager.
The reason is that the cleanup server must be able to abort
a request including its bounce and trace logfiles, so it
must not take actions that can't be undone.
20050615
Cleanup: the SMTP client now sends QUIT when the initial
HELO handshake fails. it still doesn't send QUIT when the
server greets with a [45]XX code, as that is handled in the
connection management code before a session context exists.
File: smtp/smtp_connect.c.
Cleanup: made the quote_821_local() routine "const" clean.
File: global/quote_821_local.[hc].
20050616
Bugfix: missing or mis-placed va_end() macros, found in
Postfix 2.3 code review. Files: util/netstring.c,
util/myaddrinfo.c, util/attr_clnt.c, util/vstream.c.
Bugfix: the SMTP server now separates the message size check
from the queue space check, so that the size check can be
done before an SMTPD proxy filter. Files: smtpd/smtpd.c,
smtpd/smtpd_check.c.
20050617
Postdrop didn't recognize the new recipient attributes.
File: postdrop/postdrop.c.
Feature: configurable MAILER-DAEMON replacement for the
null sender address that is used by the pipe(8) delivery
agent on the command line and in message headers. Command-line
address quoting is disabled when the replacement is empty.
File: pipe/pipe.c.
20050618
With virtual aliasing enabled, Postfix would always report
successful alias expansion, even when no alias was expanded.
File: cleanup/cleanup_out_recipient.c.
20050621
Portability: file descriptor passing is available for Tru64
UNIX, but not for AIX4 and IRIX6. Albert Chin. File:
util/sys_defs.h.
20050622
Cleanup: the DNS lookup code now accommodates name server
replies longer than 4 kbytes, with a hard upper limit of
32kbytes. For safety reasons, the number of MX host addresses
that the SMTP client will try was reduced from unlimited
to just 5, so that Postfix won't spend forever trying to
connect to dozens and dozens of bogus MX hosts. Files:
dns/dns_lookup.c, global/mail_params.h.
Cleanup: the code that handles a 4xx or 5xx SMTP server
greeting was moved from the connection management module
to the protocol engine, for cleaner error handling. This
means that the failed session now counts towards the limit
on the total number of SMTP sessions per domain name (default:
smtp_mx_session_limit = 2). Files: smtp/smtp_connect.c,
smtp/smtp_proto.c.
20050623
Cleanup: generalized the delegated attribute scan/print
interfaces, and updated the deliver_pass module with delegated
attribute scan/print support. Files: util/attr_scan0.c,
util/attr_print0.c, global/dsb_scan.c, global/dsn_print.c,
global/rcpt_buf,c global/rcpt_print.c, global/deliver_pass.c.
Added delegated attribute scan/print function support to
the base64 and plain attribute I/O encodings. Files:
util/attr_scan_plain.c util/attr_print_plain.c.
20050624
Added "." to the list commands that smtp-sink can "break"
(by disconnecting, or by responding with a 4XX or 5XX reply
code). File: smtpstone/smtp-sink.c.
20050625
Safety: allow only 4.x.x and 5.x.x enhanced status codes
in header/body_checks REJECT actions. File:
cleanup/cleanup_message.c.
20050627
Code cleanup: generalized the smtp-sink code that simulates
server errors. File: smtpstone/smtp-sink.c.
20050629
Code cleanup: the smtp_mx_session_limit setting (per delivery
request session count limit) now ignores sessions that fail
to complete the TCP, SMTP, EHLO or TLS handshake (was: TCP
and SMTP). File: smtp/smtp_proto.c.
20050630
Updated the example spf.pl script to version 1.06.
Portability: the file descriptor passing code broke on LP64
systems (inherited from Stevens Network Programming). Files:
util/unix_send_fd.c, util/unix_recv_fd.c.
20050706
Robustness: the SMTP client now disables connection caching
when it is unable to communicate with the scache(8) server,
instead of looping forever. File: global/scache_clnt.c.
Portability: after sending a socket, the scache(8) server
now waits for an ACK from the connection cache client before
closing the socket that it just sent. Files: scache/scache.c,
global/scache_clnt.c.
20050708
Bugfix: missing returns in 20050706 caching disabling code
(in error handling code that never executes). File:
global/scache_clnt.c.
Portability: use explicitly unsigned operands when doing
bit-wise shift operations on data larger than a character.
20050709-15
Migration of data object sizes and offsets from int->ssize_t
and unsigned->size_t for better portability to LP64 and
LLP64 systems where *size_t is 64 bits wide. This change
has no effect on 32-bit systems.
This change not only eliminated some obscure portability
bugs (see two paragraphs down), it also eliminated many
unnecessary conversions back and forth between 32-bit and
64-bit integers, because all relevant system library functions
take *size_t arguments or return *size_t results.
Simply changing every data object size or offset to size_t
(which is unsigned!) would be dangerous. A lot of code was
written assuming signed arithmetic and rejects negative
lengths, which can happen as the result of integer overflow.
Portability: on LP64 systems, integer expressions are int,
but sizeof() and pointer difference expressions are larger.
The above changes fixed a few discrepancies with function
calls where *size_t was passed while the old code expected
an int: clean_env() versus argv_addn(), and code that sent
binary blobs via the TLS session cache manager protocol.
20050711
Bugfix: don't include <> when auto-generating an ORCPT
address from a client RCPT TO command. File: smtpd.c.
20050712
Cleanup: cleanup_out_recipient() still generated DSN records
that were incompatible with pre-DSN Postfix versions. File:
cleanup/cleanup_out_recipient.c.
20050716
Bugfix: the smtpd_sasl_authenticated_header code did not
check if SASL was actually enabled. File: smtpd/smtpd.c.
20050720
Feature: reverse client hostname. This is set at connection
time with information from the SMTP client address->name
mapping, and can be overruled with the REVERSE_NAME attribute
in the XCLIENT command. File: smtpd/smtpd_peer.c.
Cleanup: renaming of several confusing restriction names:
reject_unknown_client -> reject_unknown_client_hostname,
reject_unknown_hostname -> reject_unknown_helo_hostname,
reject_invalid_hostname -> reject_invalid_helo_hostname,
and reject_non_fqdn_hostname -> reject_non_fqdn_helo_hostname.
The old names are still recognized and documented. Files:
global/mail_params.h, smtpd/smtpd.c, smtpd/smtpd_check.c.
Feature: reject_unknown_reverse_client_hostname. This rejects
clients that have no address to name mapping (unlike the
reject_unknown_client_hostname feature which requires that
the address->name and name->address mappings resolve to the
client IP address). Files: global/mail_params.h,
smtpd/smtpd_peer.c, smtpd/smtpd.c, smtpd/smtpd_check.c.
20050726
Horror: total rewrite of DNS client error handling because
some misguided proposal attempts to give special meaning
to some syntactically invalid MX hostname lookup result.
Not only that, people expect sensible results with
reject_unknown_sender_domain etc. Files: dns/dns_lookup.c,
smtp/smtp_addr.c smtpd/smtpd_check.c, lmtp/lmtp_addr.c.
Cleanup: HOLD action executes only once, to reduce noise
in the logfile. Files: cleanup/cleanup_message.c, smtpd/smtpd.c.
20050806
Workaround: accept(2) fails with EPROTO when the client
already disconnected (SunOS 5.5.1). File: sane_accept.c.
20050815
Workaround: old Solaris compilers can't link an archive
without globally visible symbols. File: tls/tls_misc.c.
20050825
Feature: message_reject_characters and message_strip_characters
specify what characters in message content Postfix will
reject or remove. Based on patch by John Fawcett. Files:
cleanup/cleanup_message.c, cleanup/cleanup_init.c.
Safety: when the cleanup server rejects the content of mail
that is submitted with the Postfix sendmail command, or
re-queued with "postsuper -r", strip the message body from
the bounce message to reduce the risks from harmful content.
Files: cleanup/cleanup_envelope.c, cleanup/cleanup_bounce.c.
Feature: the smtpd_proxy_filter parameter value can now be
prefixed with "unix:" (for UNIX-domain socket) and "inet:"
(for TCP socket). TCP sockets are the default. Patch by
Edwin Kremer. File: smtpd/smtpd_proxy.c.
20050828
Bugfix: after adding DSN support, error notification was
broken for too large mail that was submitted with the Postfix
sendmail command, forwarded by the local(8) delivery agent,
or re-queued with "postsuper -r". The message would be saved
to the "corrupt" queue.
The mistake was to leave the truncated message in the
incoming queue and to ask the queue manager to notify the
sender; this was not possible because the queue manager
cannot (and should not) handle truncated queue files.
The fix is to have the cleanup server send the bounce
message, just like it did before DSN support was added. As
a side effect, Postfix will no longer send DSN_SUCCESS
notices after virtual aliasing, when the cleanup server
bounces all the recipients of the message anyway. This
could be called a feature. File: cleanup/cleanup_bounce.c.
Also needed for this fix: a new vstream_fpurge() routine
that discards unread/written data from a VSTREAM. It's
needed before cleanup_bounce() can seek to the start of the
queue file after a file size error. File: util/vstream.c.
20050920
Cleanup: removed the legacy "tls_info" structure, factored
out common code for peer_CN and issuer_CN lookup, and added
sanity check to not verify subject common names that contain
nulls or that are execessively long. Patch by Victor Duchovni.
Files: tls_client.c, tls_server.c, tls_session.c, tls_misc.c,
tls_verify.c.
20050922
Bugfix: the *SQL clients did not uniformly choose the
database host from the available pool of servers due to an
off-by-one error, so that the "last" available server was
not selected. Leandro Santi. Files: dict_mysql.c, dict_pgsql.c.
Update: common code factored out into db_common.c, and
adoption of Liviu Daia's connection aware MySQL quoting.
Patch by Victor Duchovni. Files: dict_ldap.c, dict_mysql.c,
dict_pgsql.c, db_common.c.
20050923
Safety: don't update the local(8) delivery agent's idea of
the Delivered-To: address while expanding aliases or .forward
files. When an alias or .forward file changes the Delivered-To:
address, it ties up one queue file and one cleanup process
instance while mail is being forwarded. To get the old
behavior, specify "frozen_delivered_to = no". Problem
reported by Michael Tokarev, but found independently by
others. Files: local/local.c, local/aliases.c, local/dotforward.c,
local/mailbox.c, local/maildir.c.
Logging: additional SASL debug logging by Andreas Winkelmann.
Files: */*sasl_glue.c.
20050929
Paranoia: don't ignore garbage in SMTP or LMTP server replies
when ESMTP command pipelining is turned on. For example,
after sending ".<CR><LF>QUIT<CR><LF>", Postfix could recognize
the server's 2XX QUIT reply as a 2XX END-OF-DATA reply after
garbage, causing mail to be lost. The SMTP and LMTP clients
now report a remote protocol error and defer delivery.
Files: smtp/smtp_chat.c, smtp/smtp_trouble.c, lmtp/lmtp_chat.c,
lmtp/lmtp_trouble.c.
Performance: specify "smtpd_peername_lookup = no" to disable
client hostname lookups in the SMTP server. All clients are
treated as "unknown". This should be used only under extreme
conditions where DNS lookup latencies are critical. File:
smtpd/smtpd_peer.c.
20051010
Feature: smtpd_client_new_tls_session_rate_limit parameter
to limit the number of new (i.e. uncached) TLS sessions
that a remote SMTP client may negotiate per unit time. This
feature, which is off by default, can limit the CPU load
due to expensive crypto operations. Files: global/anvil_clnt.c,
anvil/anvil.c, smtpd/smtpd.c.
Cleanup: eliminated massive code duplication in the anvil
server that resulted from adding similar features one at a
time. File: anvil/anvil.c.
20051011
Bugfix: raise the "policy violation" flag when a client
request exceeds a concurrency or rate limit. File:
smtpd/smtpd.c.
Bugfix (cut-and-paste error): don't reply with 421 (too
many MAIL FROM or RCPT TO commands) when we aren't closing
the connection. File: smtpd/smtpd.c.
20051012
Polishing: content of comments and sequence of code blocks
in the anvil server, TLS request rate error message in the
smtp server, and documentation, but no changes in code.
Files: anvil/anvil.c, smtpd/smtpd.c.
20051013
Horror: some systems have basename() and dirname() and some
don't; some implementations modify their input and some
don't; and some implementations use a private buffer that
is overwritten upon the next call. Postfix will use its own
safer versions called sane_basename() and sane_dirname().
These never modify the input, and allow the caller to control
how memory is allocated for the result. File:
util/sane_basename.c.
Feature: "sendmail -C path-to-main.cf" and "sendmail -C
config_directory" now do what one would expect. File:
sendmail/sendmail.c.
Bugfix: don't do smtpd_end_of_data_restrictions after the
transaction failed due to, e.g., a write error. File:
smtpd/smtpd.c.
Cleanup: the SMTP server now enforces the message_size_limit
even when the client did not send SIZE information with the
MAIL FROM command. This protects before-queue content
filters against over-size messages. File: smtpd/smtpd.c.
20051017
Bugfix: after DSN support was added, smtp_skip_5xx_greeting
no longer recognized a 5xx SMTP status as a 4xx one. Found
by Ralf Hildebrandt. Fix: use the enhanced status code
instead of the SMTP reply code to choose between permanent
or transient errors. File: smtp/smtp_trouble.c.
Feature: smtp-sink can hard-reject, soft-reject or simply
drop connection requests. File: smtpstone/smtp-sink.c.
Documentation: clarified the processing of server replies,
specifically the reply code and the enhanced status code,
in smtp_chat.c.
20051024
Performance: new smtp_connection_reuse_time_limit parameter to
limit connection reuse by elapsed time, instead of limiting
the number of deliveries per connection. Bounding by time
favors delivery over connections that perform well, while
bounding by number of deliveries allows slow connections
to drag down the performance. Insight and initial
implementation by Victor Duchovni, Morgan Stanley. Files:
smtp_connect.c, smtp_session.c,
Bugfix: the next-hop logical destination information for
connection caching was reset only after a good non-TLS
connection, so that cached connections to non-TLS backup
servers could suck away traffic from TLS primary servers
(the Postfix SMTP client cannot cache an open TLS connection).
Found during code review. This is fixed with multi-valued
connection caching state: expired, cachable, non-cachable,
and bad. Files: smtp_connect.c, smtp_trouble.c.
Bugfix: adding support for "sendmail -C" broke "sendmail
-q". File: sendmail/sendmail.c.
20051101
Migration from a single "arrival time" stamp to a structure
with time stamps from different stages of message delivery.
The first iteration merely replaces "arrival time" stamps
by a structure or pointer to structure, and uses only the
arrival time field of that structure. This is an extensive
but straightforward transformation, based on example by
Victor Duchovni, Morgan Stanley. Files: anything that
invokes bounce_append etc., the log_adhoc module, and
anything that sends or receives a delivery request.
20051102
Completion of support for time stamps from different stages
of message delivery. The information is now logged as
"delays=a/b/c/d" where a=time before queue manager, including
message transmission; b=time in queue manager; c=connection
setup including DNS, HELO and TLS; d=message transmission
time. Unlike Victor's example which used time differences,
this implementation uses absolute times. The decision of
what numbers to subtract actually depends on program history,
so we want to do it in one place. Files: global/log_adhoc.c,
smtp/smtp_connect.c, smtp/smtp_proto.c, smtp/smtp_trouble.c,
lmtp/lmtp_proto.c, lmtp/lmtp_trouble.c.
20051103
Refinement of time stamping and delays formatting. The
hand-off time is now stamped in the delivery agent, so that
time is properly attributed when a transport is saturated
or throttled. Delays are now logged if larger than 0.01
second. Files: *qmgr/qmgr_deliver.c, global/deliver_request.c,
global/log_adhoc.c.
20051104
New parameter delay_logging_time_resolution (default: 10000
microseconds, or 0.01 second) that controls the detail in
the new "delays=a/b/c/d" logging. Specify a power of 10
in the range from 1 to 100000. File: global/log_adhoc.c.
Parameter renamed 20051108.
20051105
All delay logging now has sub-second resolution. This means
updating all code that reads or updates the records that
specify when mail arrived, and ensuring that mail submitted
with older Postfix versions produces sensible results.
Files: global/post_mail.c, global/mail_timeofday.[hc],
global/log_adhoc.c, postdrop/postdrop.c, pickup/pickup.c,
cleanup/cleanup_envelope.c, cleanup/cleanup_message.c,
smtpd/smtpd.c, qmqpd/qmqpd.c, *qmgr/qmgr_message.c,
*qmgr/qmgr_active.c, local/forward.c.
20051106
The SMTP client logs the remote server port in the form of
relay=hostname[hostaddr]:port to the local maillog file.
The port number is NOT included in DSN status reports,
because remote users have no need to know such internal
information. Files: smtp/smtp_session.c, smtp/smtp_proto.c,
smtp/smtp_trouble.c.
Cleanup: encapsulated queue file time read/write operations
with a few simple macros, to make future changes in time
representation less painful.
20051108
Cleanup: eliminated floating point operations from the
ad-hoc delay logging code. Files: util/format_tv.[hc],
global/log_adhoc.c.
The delay logging resolution is now controlled with the
delay_logging_resolution_limit parameter, which specifies
the maximal number of digits after the decimal point.
Bugfix: two messages could get the same message ID due to
a race condition. This time window was increased when queue
file creation was postponed from MAIL FROM until the first
accepted RCPT TO. The window is closed again. Found by
Victor. Files: global/mail_stream.c, global/mail_queue.c,
cleanup/cleanup_message.c.
20051109
qshape.pl updated for extra microsecond time field in Postfix
queue files.
Cleanup: removed obsolete code that handles rejected/dropped
connections before the HELO handshake. File: smtp/smtp_connect.c.
Bugfix: XCLIENT broke when reverse hostname support was added.
Fix by Tomoyuki Sakurai. File: smtpd/smtpd.c.
20051110
Workaround: don't set the delay warning timer for messages
from inside or from outside that have the null sender as
recipient. This was a waste of time, because the warning
would always be discarded. File: cleanup/cleanup_envelope.c.
Feature: the built-in mail delivery status notification
text is now implemented by built-in templates. Files:
bounce/bounce_template.c, bounce/bounce_notify_util.c.
20051112
Feature: configurable bounce message templates based on
contribution by Nicolas Riendeau. I kept the general format
of his templates, but placed them together in one file to
reduce process initialization overhead (most requests to
the bounce daemon are not for sending bounce messages).
Files: bounce/bounce_template.c, bounce/dict_ml.c (to be
moved to library if useful enough). A sample bounce message
template file is installed as $config_directory/bounce.cf.default.
20051113
Feature: "postconf -b filename" to preview the non-default
bounce message templates with $name expansions in the text.
The actual work is of course done by the bounce daemon.
20051114
Feature: -V option to make Postfix daemons to log to stderr.
This is used when a daemon is invoked in stand-alone mode
by a (non-daemon) command.
Feature: "postconf -t" displays DSN templates, headers and
all; use postconf -t ''" to view built-ins.
Cleanup: renamed fail_template into failure_template.
20051117
Cleanup: bounce template code reorg, no functionality change.
Files: bounce/bounce_template.[hc], bounce/bounce_templates.c,
bounce/bounce_notify_util.c.
20051118
Bugfix: new bounce template code did not return after
template syntax error. File: bounce/bounce_template.c
Safety: permit_mx_backup now requires that the local MTA
is not listed as primary MX for the recipient domain. This
prevents mail loops when someone points the primary MX
record to Postfix.
20051119
Workaround: some SMTP servers announce multiple but different
lists of SASL methods. Postfix now concatenates the lists
instead of logging a warning and remembering only one. File:
smtp/smtp_sasl_proto.c.
Bugfix: the queue manager did not write a per-recipient
defer logfile record when the delivery agent crashed between
receiving a delivery request, and reporting the delivery
status to the queue manager. Found while redesigning the
code that handles unavailable transports or destinations.
Files: *qmgr/qmgr_deliver.c.
20051121
Workaround: do not build the bounce.cf.default template
while compiling Postfix - it breaks when the default
mail_owner etc. accounts don't exist. Reported by Liviu
Daia.
Compatibility: added permit_auth_destination emulation to
the permit_mx_backup feature. This avoids surprises with
sites that used permit_mx_backup to authorize all their
incoming mail.
20051122-24
Feature: sender_dependent_relayhost_maps, lookup tables that specify
a sender-dependent override for the relayhost parameter
setting. The lookup is done in the trivial-rewrite server,
instead of the queue manager where it does not belong.
Files: global/resolve_clnt.c, global/tok822_resolve.c,
trivial-rewrite/resolve.c, trivial-rewrite/transport.c,
*qmgr/qmgr_message.c.
Also: address_verify_sender_dependent_relayhost_maps for
completeness.
20051124
Feature: specify "smtp_sender_dependent_authentication =
yes" to enable sender-dependent SASL passwords. This disables
SMTP connection caching to ensure that mail from different
senders is delivered with the appropriate credentials. This
is an extended version of a patch by Mathias Hasselmann.
Files: smtp/smtp_connect.c, smtp/smtp_sasl_glue.c.
20051126
Workaround: log warning when REDIRECT or FILTER are used
in smtpd_end_of_data_restrictions. File: smtpd/smtpd_check.c.
Log warning when REDIRECT, FILTER, HOLD and DISCARD are
used in smtpd_etrn_restrictions. File: smtpd/smtpd_check.c.
20051128
Bugfix: moved code around from one place to another to make
REDIRECT, FILTER, HOLD and DISCARD access(5) table actions
work in smtpd_end_of_data_restrictions. PREPEND will not
be fixed; it must be specified before the message content
is received. Files: smtpd/smtpd.c, smtpd/smtpd_check.c,
cleanup/cleanup_extracted.c, pickup/pickup.c.
Safety: abort if the SMTP or QMQP server runs with non-postfix
privileges while it's connected to the network. Files:
smtpd/smtpd_peer.c, qmqpd/qmqpd_peer.c.
20051201
Bugfix: the LMTP client would reuse a session after negative
reply to the RSET command (which may happen when client and
server somehow get out of sync). Problem found by Christian
Theune. Files: lmtp/lmtp.c, lmtp/lmtp_proto.c.
20051202
Bugfix: the 20051128 code move for "smtpd_end_of_data_restrictions"
broke "postsuper -r".
20051202-3
Cleanup: the SMTP client now also implements the LMTP
protocol. Files: smtp/smtp.c, smtp/smtp_connect.c,
smtp/smtp_proto.c, smtp/smtp_dsn.c, smtp_state.c,
smtp_sasl_glue.c.
As before, the LMTP behavior is controlled with parameters
named lmtp_xxx instead of smtp_xxx. However there are now
a lot more lmtp_xxx parameters :-) With few exceptions, all
SMTP features are now also available with LMTP. The exceptions
are related to the HELO and EHLO commands, which exist in
SMTP only. There are equivalent LHLO command parameters
where it makes sense.
20051206
SMTP+LMTP client connection management code rewritten to
support UNIX-domain socket connections.
20051207
Bugfix: race condition in the connection caching protocol,
found while adding connection caching for UNIX-domain sockets
(used for LMTP delivery). This was introduced with the
20050706 workaround, and may the same problem that Jussi
Silvennoinen experienced (in Postfix 2.2.6) with SMTP after
an upgrade. Files: scache/scache.c.
Bugfix: smtp-sink and qmqp-sink didn't ignore SIGPIPE.
20051208
Robustness: reduced timeouts in the connection caching
client, so that a malfunctioning service does not prevent
mail delivery. This uses similar code that already exists
for the anvil(8) client and the tlsmgr(8) client. Files:
global/scache_clnt.c, smtp/smtp.c.
To make reduced connection caching client timeouts possible,
connection management was moved from the attr_clnt(3) module
to the auto_clnt(3) module where it belongs. The auto_clnt(3)
module is now a full alternative for the clnt_stream(3)
module. Files: util/auto_clnt.c, util/attr_clnt.c.
Bugfix: the best_mx_transport, mailbox_transport and
fallback_transport features did not write a per-recipient
defer logfile record when the target delivery agent was
broken. This the analog of queue manager bugfix 20051119.
Files: global/deliver_pass.c.
20051210
Cleanup: simplified the SMTP/LMTP connection management
logic for address list and fallback relay processing.
Still need to simplify deferred recipient handling.
20051212
Bugfix: after a failed TLS session, the 20051210 SMTP client
code cleanup broke sessions with backup servers, causing the
client to get out of step with the backup server. This in
turn exposed a one-year old missing exception handling
context in the EHLO handstake after sending STARTTLS. Victim
was Ralf Hildebrandt, detectives Victor Duchovni and Wietse.
File: smtp/smtp_proto.c.
20051213
Bugfix: *SQL, proxy and LDAP map types were not defined in
user-land commands such as postqueue. Leandro Santi. File:
postqueue/postqueue.c.
20051212-14
Server-side plug-in interface for SASL authentication. This
uses Cyrus SASL by default, so nothing has changed except
error messages may be more informative. Files:
smtpd/smtpd_sasl_proto.c smtpd/smtpd_sasl_glue.c,
xsasl/xsasl_server.[hc], xsasl/cyrus_server.[hc]
xsasl/cyrus_strerror.c, xsasl/cyrus_log.c, xsasl/cyrus_security.c.
20051215
Portability: IRIX 6.5.28 defines sa_len as a macro, so it
can't be used as a variable identifier. Zach McDanel. Files:
dns/dns_rr_to_sa.c, smtpd/smtpd_peer.c, qmqpd/qmqpd_peer.c.
20051216
Cleanup: removed some scar tissue that was introduced with
server-side SASL plug-in support. Files: smtpd_sasl_proto.c,
smtpd_sasl_glue.c.
Client-side plug-in interface for SASL authentication. This
uses Cyrus SASL by default, so nothing has changed except
error messages may be more informative. Files: smtp_sasl_glue.c,
xsasl/xsasl_client.[hc], xsasl/cyrus_client.[hc].
20051217
Bugfix: when a SASL client password is required by a specific
server, defer delivery when no server-announced mechanism
survives the smtp_sasl_mechanism_filter, instead of ignoring
the SASL announcement and trying to deliver the mail over
an unauthenticated connection and risking that mail will
be rejected. File: smtp/smtp_sasl_proto.c, smtp/smtp_proto.c.
Portability: zero the "struct msg" just in case. Both purify
(Linux) and valgrind (FreeBSD) complain about uninitialized
bits. Files: util/unix_{send,recv}_fd.c.
20051219
Cleanup: generic smtpd_sasl_path, smtp_sasl_path and
lmtp_sasl_path configuration parameters; simplified the
SASL plug-in API, and made initial provisions for SASL
session encryption. Files: xsasl/*.[hc].
Feature: "postconf -a" lists the available SASL server
plug-in types, and "postconf -A" does the same for the
client. Files: postconf.c, xsasl_{client,server}.c.
Feature: new SMTPD policy attributes "encryption_protocol",
"encryption_cipher" and "encryption_keysize", to distinguish
plaintext from encrypted connections.
20051221
Privacy: the new Cyrus SASL server plug-in replaces "no
user" errors by "authentication failed" errors. File:
xsasl/xsasl_cyrus_server.c.
Safety: the Postfix SMTP client no longer uses CNAME expanded
hostnames for logging, SASL password lookup, TLS policy
decisions, or TLS certificate verification. Instead it
uses the name of the recipient domain, or the host or domain
name specified in Postfix configuration files. Of course
this won't prevent cheating with hostnames that appear in
MX lookup results. To avoid that you will have to suppress
MX lookups with explicit [hostname] entries in transport
maps. Files: dns/dns_lookup.c, dns/dns_rr.c.
20051222
Feature: Dovecot SASL authentication (server side) plug-in
by Timo Sirainen. This builds without external library
dependencies and is therefore compiled in by default.
Files: xsasl/xsasl_dovecot_server.[hc].
Safety: set the default LANG=C, instead of deleting LANG
from the environment and assuming the right thing will
happen. File: global/mail_params.h.
Safety: always add the ISASCII() requirement to the ISXXX()
macros, because they are used for protocol and policy
enforcement. File: util/sys_defs.h.
Bugfix: null pointer in the 20051219 policy delegation
crypto attributes. File: smtpd/smtpd_check.c.
Compatibility: "resolve_numeric_domain = yes" will accept
addresses with numeric domains instead of rejecting them as
invalid. Files: trivial-rewrite/resolve.c, util/vstring.c.
Bugfix: 20051219 "postconf -A" produced "postconf -a" output.
Andreas Winkelmann.
20051225
Bugfix: the regexp map cleverly avoided scanning constant
lookup results for non-existent $number expressions, but
failed to subject those results to the necessary $$ -> $
replacement. Files: util/dict_regexp.c.
Performance: the pcre map did not optimize constant lookup
results; they were always scanned for non-existent $number
expressions. File: util/dict_pcre.c.
This round of edits eliminates architectural differences
between the pcre and regexp table implementations. The
remaining difference is that regexp tables still support
the obsolete "/pattern1/!/pattern2/ action" syntax, for
backwards compatibility with Postfix 2.0 and earlier.
20051227
Bugfix: the 20051222 ISASCII paranoia broke the strcasecmp()
workaround for Solaris. File: util/strcasecmp.c.
Bitrot: SunOS4 pre-dates size_t, ssize_t, getsid(). File:
src/util/sys_defs.h. The SunOS4 tests had been suspended
due to what turned out to be a broken AUI-to-UTP transceiver.
Bugfix: the 20061226 cosmetic change broke non-IPV6 support
(example: sockaddr_to_hostaddr: Unknown error: success).
File: util/myaddrinfo.c.
20051229
The following workaround was removed 20060103.
Workaround: when mail is still queued after 3000 seconds,
the SMTP client no longer pipelines the DOT+QUIT commands.
The 20050929 paranoia about malformed server replies
eliminated a rare occurrence of "lost mail" with sites that
mis-implement DOT+QUIT pipelining, but resulted in a larger
occurrence of repeated deliveries to sites with a different
DOT+QUIT pipelining bug. The time threshold is set with the
smtp_dot_quit_workaround_threshold_time parameter. Files:
smtp/smtp_proto.c, smtp/smtp.c.
Feature: mailbox_transport_maps and fallback_transport_maps
to search delivery transports by recipient name. Files:
local/mailbox.c, local/unknown.c.
Feature: the master daemon now logs a warning when all
servers are busy that may accept remote connections, and
suggests to either increase the process count or to reduce
the service time per client. Files: master/master_ent.c,
master/master_avail.c.
20051231
Bugfix: the anvil server would terminate after "max_idle"
seconds, even when this was less than the anvil_rate_time_unit
interval. File: anvil/anvil.c.
20060102
Deleted the 20051229 dot-quit bug workaround. Automatically
deferring delivery created "no delivery" and "repeated
delivery" problems; and automatically turning off pipelining
for delayed mail was a bad workaround for a bad workaround.
The administrator still has the option to turn off pipelining
by hand if loss of mail is a concern.
20060103
Bugfix: the 20051217 fix (when a SASL client password is
found, defer delivery when no server-announced mechanism
survives the smtp_sasl_mechanism_filter) did the mechanism
test too early, so that it could trip up with deliveries
to servers that we don't have a SASL password for. Files:
smtp/smtp_sasl_proto.c, smtp/smtp_proto.c.
20060104
Safety: new "smtp_cname_overrides_servername" parameter.
The default value ("no") is NOT backwards compatible. This
avoids surprises with the hostname that is used for logging,
SASL password lookup, TLS policy decisions, or TLS certificate
verification. The change makes the 20051221 behavior more
configurable. Files: smtp/smtp_addr.c, smtp/smtp_connect.c,
proto/postconf.proto.
20060105
Cleanup: removed the unused DSN "code" attribute; removed
surrogate SMTP replies for errors that were not reported
by a remote SMTP server, making several DSN-related functions
and macros redundant; cleaned up some bizarre code for DSN
attribute memory management in the SMTP client.
20060106
Cleanup: eliminated the global smtp_errno variable, which
had become redundant after introducing DSN support. Files:
smtp/smtp_addr.c, smtp/smtp_connect.c.
20060107
Cleanup: removed more bizarre code for DSN attribute memory
management in the queue manager, bounce server, and in
delivery agents.
20060109
Bugfix: smtp_sasl_tls_opts was unimplemented. File:
smtp/smtp_sasl_proto.c.
Cleanup: more bounce logfile code cleanup. Files:
global/bounce_log.c, bounce/bounce_notify_util.c,
bounce/bounce.c, bounce/bounce_notify_verp.c,
bounce/bounce_one_service.c, showq/showq.c
20060110
Cleanup: more bounce logfile code cleanup. Files:
global/bounce_log.c, bounce/bounce_notify_util.c.
Bugfix: the VERP bouncer never handled the case of a missing
bounce logfile. Found while doing more logfile code cleanup.
File: bounce/bounce_notify_verp.c.
Feature: smtp_sasl_tls_verified_security_options for
connections where the server certificate passed verification.
The default value is $smtp_sasl_tls_security_options, which
in turn defaults to $smtp_sasl_security_options.
20060111
Optimization: mystrdup() and mystrndup() now return a pointer
to a fixed read-only memory location instead of allocating
memory for zero-length null-terminated strings. This saves
lots of memory for unused recipient attributes. If this
change causes problems (for example, you have an ancient
sscanf() implementation that writes to its input) then
compile Postfix with -DNO_SHARED_EMPTY_STRINGS.
Cleanup: eliminated null pointer members in DSN structures.
Instead we now use the optimized mystrdup() for empty
strings. For safety sake we keep the tests for null pointers
in input, but we always produce empty strings on output.
Files: global/dsn.c, global/dsn.h, global/dsn_buf.h,
global/dsn_print.c.
Cleanup: eliminated ad-hoc code for passing recipients in
the queue manager delivery request protocol. Postfix now
uses proper object activation/passivation instead. Files:
*qmgr/qmgr_deliver.c, global/deliver_request.c,
global/deliver_pass.c.
20060112
Feature: to simplify debugging the bounce server logs the
old and new queue ID when notifying the sender or postmaster.
Files: global/post_mail.c, bounce/bounce_notify_service.c,
bounce/bounce_one_service.c, bounce/bounce_notify_verp.c,
bounce/bounce_warn_service.c, bounce/bounce_trace_service.c.
Fudge: when translating recipient DSN codes into sender DSN
codes, map sender address problems that have no DSN code
to *.1.7 (Bad sender's mailbox address syntax) instead of
*.1.0 (Other address status) because that loses the distinction
between sender and recipient. File: smtpd/smtpd_dsn_fix.c.
20060113
Cleanup: preserve upper case information of address localpart
or extension when mapping one address to another with
non-regexp/pcre tables. Files: global/mail_addr_find.c,
global/maps_find.c.
20060115
Bugfix: don't ignore the per-site policy when SSL library
initialization fails. Introduced after adopting the TLS
patch. File: smtp/smtp_session.c.
20060117
[withdrawn 20060126] Safety: daemon processes that need no
privileges now insist that they are configured to run without
privileges. Files: master/single_server.c, master/multi_server.c,
master/trigger_server.c.
Cleanup: preserve upper case information of address localpart
or extension when mapping addresses via regexp/pcre tables.
This requires that Postfix does not case fold the search
string when searching regexp or pcre tables, so that $number
substitutions produce the expected result.
In order to get a consistent handling of table operations,
the search string case folding logic was moved from the
application to the individual lookup table modules; the
application specifies its case folding preference when it
opens a table, and the table folds the search or update
string as needed.
Files: everything that opens a map or multiple maps (to
specify the case folding preference), and everything that
contained ad-hoc code to lowercase search strings (which
is no longer needed).
Bugfix: as a side effect of this revision of all code that
opens tables, the postmap/postalias -n/-N options are no
longer silently ignored when the -q (query) and -d (delete)
options are specified. Files: postmap/postmap.c,
postalias/postalias.c.
Safety: don't allow $number substitution in transport maps
or sender-dependent relayhost maps.
Cleanup: smtp_sasl_passwd_maps lookup keys are folded to
lowercase before searching tables such as btree:, dbm: or
hash: that have fixed-case fields. File: smtp/smtp_sasl_glue.c.
Bugfix: per-sender relayhost maps were not locked for shared
access.
20060119
Cleanup: don't look up parent domain substrings in regexp/pcre
like tables while searching a hostname in a domain/namaddr_list.
File: util/match_ops.c.
20060120
Cleanup: multiple boolean variables were replaced by a
single TLS enforcement level (none, may, encrypt, verify).
With Victor Duchovni. Files: smtp_session.c, smtp_proto.c,
smtp.h.
Cleanup: the SMTP per-site policy table was re-implemented
in terms of enforcement levels instead of multiple boolean
variables. This greatly simplified the code and led to the
elimination of non-intuitive behavior as documented next.
With Victor Duchovni. Files: smtp_session.c, smtp.h.
Bugfix: a TLS per-site MUST_NOPEERMATCH policy could not
override a main.cf MUST (with peer match) policy, while a
per-site NONE policy could.
Bugfix: a combined TLS per-site (host, next-hop) policy of
(NONE, MAY) would change the strongest main.cf MUST policy
into NONE, while it changed all weaker main.cf policies
into MAY. The result is now NONE for all main.cf policy
settings.
20060123
Feature: recipient_count attribute in SMTPD policy protocol.
This is available only in the DATA and END-OF-MESSAGE stage.
Based on code by Guo Black. Files: smtpd_check.c.
Cleanup: renamed MUMBLE_NUM to MUMBLE_INT to make type
discrepancies more explicit.
Bugfix: change 20051208 broke when a connection could not
be established. File: util/auto_clnt.c.
20060124
Bugfix: the virtual(8) delivery agent did not insist on
privileged operation as it should; this broke change 20060117.
Ralf Hildebrandt. File: virtual/virtual.c.
Bugfix: the TLS sasl security options (change 20060110)
should also be #ifdef USE_TLS, and not only #ifdef
USE_SASL_AUTH. Such feature interference is difficult to
find in testing. Liviu Daia. File: smtp/smtp_sasl_proto.c.
20060126
Undo: change 20060117 (unprivileged operation test) broke
"sendmail -bs", "postconf -b", "postconf -t", and probably
more. Files: master/{single,multi,trigger}_server.c.
20060130
Bugfix: an empty remote_header_rewrite_domain value caused
trivial-rewrite to dereference a null pointer, but only in
regression tests, not in production. Envelope addresses are
by definition rewritten in the local domain context, because
an address without domain is equivalent to an address in
the local domain; and header addresses are rewritten in the
remote context only when remote_header_rewrite_domain is
non-empty. File: trivial-rewrite/rewrite.c.
20060131
Cleanup: regression tests are now separated into "make
tests" for unprivileged tests, and "make root_tests" for
tests that require privileges to connect to the Postfix
internal sockets. Files Makefile.in, src/*/Makefile.in.
20060201
Bugfix: despite efforts to treat malformed domain names as
hard errors (change 20050726) they were still processed as
soft errors. File: dns/dns_lookup.c.
20060203
Bugfix: smtpd core dump when SASL was compiled in, turned
off (smtpd_sasl_auth_enable = no) and permit_sasl_authenticated
was specified in local_header_rewrite_clients. Victor
Duchovni. File: smtpd/smtpd_check.c.
Cleanup: don't complain about useless SASL or TLS "permit"
restrictions when SASL or TLS aren't compiled in, but do
reject mail when reject_plaintext_session is specified while
TLS isn't compiled in. File: smtpd/smtpd_check.c.
20060204
Bugfix: disable the content_filter feature for user-requested
"sendmail -bv" probes, just like it is disabled for probes
generated by Postfix itself. File: *qmgr/qmgr_message.c.
20060207
Robustness: place the "do we have TLS" guards within method
implementations, instead of putting them around method
invocations. File: smtpd/smtpd_check.c.
Bugfix: duplicate the cleanup(8) DSN envelope ID syntax
check in smtpd(8), so that clients get better error replies.
File: smtpd/smtpd_check.c.
Bugfix: change 20060203 broke the reject_plaintext_session
feature.
The trivial-rewrite and proxymap multi-server processes now
terminate soon after all their clients disconnect, instead
of waiting for another 100 seconds. This allows the processes
to refresh more frequently on low-traffic systems.
Cleanup: smtpd_delay_open_until_valid_rcpt (default: yes)
controls whether Postfix delays the start of a mail transaction
until after the first valid recipient, or if it starts a
transaction immediately after MAIL FROM. File: smtpd/smtpd.c.
20060217
Bugfix: don't terminate with a non-standard exit status
when the pipe-to-command feature has a problem before it
executes the command. File: global/pipe_command.c.
20060223
Bugfix: detect integer overflow when multiplying time values
with non-trivial time units. File: global/conv_time.c.
20060307
Bugfix: reset the msg_cleanup() fatal error handler in child
processes. See also change 20060217. Files: postlock/postlock.c,
master/multi_server.c, global/mail_run.c, util/vstream_popen.c.
20060310
Bugfix: the MIME processor assumed that input was null
terminated. This broke with CRLF input to the "sendmail -t"
command in Postfix 2.1 and later (see change 20030416).
Found by Leandro Santi. Based on patch by Victor Duchovni.
Files: global/mime_state.c, global/is_header.c.
20060313
Cleanup: the message arrival time (start of the receive
transaction) no longer controls message expiration or
delivery attempts. Instead, expiration and delivery are
now controlled by the time when the cleanup server creates
a queue file. This closes a problem that was introduced
with the 20051104 change that introduced higher-resolution
delay time keeping: as a result, "postsuper -r" could no
longer manipulate the mail expiration schedule, so that
mail "on hold" could expire too soon.
20060315
Workaround. the PCRE library reports an inappropriate error
code (invalid substring) when $number refers to a valid ()
expression that matches the null string. This caused fatal
run-time errors. File: dict_pcre.c.
20060324
Cleanup: eliminated name collisions between global and local
variables, and other forms of shadowing. Documented switch
fall-throughs with /* FALLTHROUGH */ where this wasn't
already done. Replaced (var = expr) by (var = expr) != 0
where this wasn't already done.
20060324
Bugfix: mis-placed parenthesis in a before-filter error
test. A filter timeout was mis-reported as lost connection.
Found in code review. File: smtpd/smtpd_proxy.c.
20060327
Cleanup: the SQL and LDAP clients now log a warning when
they skip an empty lookup result, so that humans don't have
to wonder why Postfix doesn't find all the database entries.
File: global/db_common.c.
Moved SMTP/LMTP parameter initialization from global/mail_params.c
to the combined smtp/lmtp delivery agent. Added missing
lmtp parameters.
20060328
Feature: configurable chroot directive for the pipe(8)
delivery agent, by Przemyslaw Wegrzyn. Files:
global/pipe_command.c, pipe/pipe.c.
Bugfix: cut-and-paste error: lmtp_connection_cache_limit
was left with the name of smtp_connection_cache_limit.
Reported by Victor? File: src/global/mail_params.h.
20060329
More extensible interface for TLS client/server library,
now passes property structures that combine all the relevant
parameters in one type-safe structure.
TLS session cache activity logging now takes place at TLS
log level 2 or greater.
20060403
Cleanup: made fcntl/flock handling consistent with respect
to EINTR (reported by Carlo Contavalli). However, Postfix
is not meant to be signal safe. Only the master daemon
handles signals without terminating, and it uses only a
small subset of Postfix library routines. File: util/myflock.c.
Bugfix: the pipe-to-command error message was lost when the
command could not be executed. File: global/pipe_command.c.
20060404
Bugfix in sanity check: after reading a record from the
address verification database, a sanity check did not reject
a record with all-zero time stamp fields. Such records are
never written; the test is there just in case something is
broken, so that Postfix will not blindly march on and create
chaos. The sanity check tested pointer values, instead of
dereferencing the pointers. Found by Coverity. File:
verify/verify.c.
Bugfix in sanity check: when the maildir delivery routine
opens an output file it looks up the file attributes via
the file handle it just got. There is a sanity check that
detects if the attribute lookup fails, an error that never
happens. The code that handles the impossible error did not
close the output file. This would cause a virtual or local
delivery agent to waste up to 100 file descriptors. But
for that error to happen the system would have to be so
sick that you would have more serious problems than a file
descriptor leak. Found by Coverity. Files: local/maildir.c,
virtual/maildir.c.
20060405
Bugfix: the MIME parser assumed input is null terminated
when reporting errors. Fix by Leandro Santi. Files:
global/mime_state.c, cleanup/cleanup_message.c.
20060411
Bugfix: the SMTP server logged no warning when for some
reason the TLS engine was unavailable in wrappermode. Victor
Duchovni. File: smtpd/smtpd.c.
20060417
Cleanup: when SMTP access table lookup fails, reply with
4xx instead of aborting with a fatal run-time error. The
old behavior assumes local file access, and is inappropriate
with deployment of LDAP and SQL tables. File: smtpd/smtpd_check.c.
20060423
Bugfix: postcat did not print the attribute value of records
containing a named attribute. File: postcat/postcat.c.
20060430
Bugfix: dangling pointer in a function that has no caller.
Found by Coverity. File: tls/tls_prng_exch.c.
Bugfix: the workaround for CA-2003-07 (Sendmail) did not
null terminate the address before logging a warning. Reported
by Kris Kennaway. File: global/tok822_parse.c.
20060301-20060515
Sendmail 8 Milter support, distributed across the smtpd(8)
server for SMTP commands, and the cleanup(8) server for
content inspection and manipulation. The code supports all
requests to add/delete recipients, and to add/delete/replace
message headers, but does not yet support requests to replace
the message body. See MILTER_README for more. Files:
smtpd/smtpd.c, smtpd/smtpd_milter.c, cleanup/cleanup_api.c,
cleanup/cleanup_envelope.c, cleanup/cleanup_extracted.c,
cleanup/cleanup_milter.c, milter/milter.c, milter/milter8.c.
That's 89 lines in smtpd, 1010 lines in cleanup, and 2449
lines of library support, comments not included.
A simple test Milter application for use in regression tests
is in src/milter/test-milter.c. Queue file modifications are
tested with a driver at the end src/cleanup/cleanup_milter.c
that reads commands from a script.
To make debugging easier, uncomment the "#define msg_verbose
2" lines at the top of cleanup_milter.c or milter8.c. This
produces logging without making everything else verbose.
20060510
Preliminary TLS_README and postconf(5) changes completed.
Victor Duchovni.
Added smtp_tls_policy_maps and smtp_tls_protocols features
to the smtp/lmtp client, changed smtp_tls_cipherlist to
only apply when TLS is mandatory. Victor Duchovni.
20060512
Destinations that share a common server may have distinct
TLS protocol and cipherlist requirements, with mandatory
TLS add the protocol and cipherlist values to the TLS session
lookup key. Victor Duchovni.
20060516
Portability: __float80 alignment, by Albert Chin. File:
util/sys_defs.h.
Further testing of Milter support uncovered typos; a missing
null pointer test while cleaning up after content miltering;
the need for a workaround to not bounce+delete local
submission after it triggers a temporary reject Milter
action.
Workaround: don't bounce+delete a local submission after
it triggers a "reject 4.x.x" action in header/body_checks.
This means an SMTP client now sees "queue file write error"
instead of the text from the "reject 4.x.x text" action.
File: cleanup/cleanup_message.c.
Workaround: OpenSSL 0.9.8[ab] with zlib support interoperability
problem. Victor Duchovni. Files: tls/tls_client.c,
tls/tls_misc.c, tls/tls_server.c.
Added smtpd_tls_protocols parameter to complement
smtp_tls_protocols. Victor Duchovni.
20060517
The smtp_tls_policy_maps table now implements parent domain
matching for destinations that are bare domains (without
enclosing [] or optional :port suffix). This allows one to
set TLS policy for a domain and all sub-domains. Victor
Duchovni.
20060519
The same parameter can bind to different variables in
different daemons. Ignore the variable name when eliminating
duplicates in extract.awk. Victor Duchovni.
20060523
Improved handling of smtp_tls_protocols and smtpd_tls_protocols,
names now processed via name_mask(3) and canonicalized prior
to use in the SMTP/LMTP client TLS session lookup key. Also
simplifies the corresponding code in the TLS driver. Victor
Duchovni.
20060524
Cleanup: send ETRN command parameter when using check_policy
in the context of an ETRN command. Joshua Goodall. File:
smtpd/smtpd_check.c.
20060601
Bugfix (bug introduced 20051118): permit_mx_backup authorized
domains without secondary MX records. Joshua Goodall. File:
smtpd/smtpd_check.c.
20060601
Fixed default value of LMTP TLS client certificate parameters,
using the SMTP values as a default was wrong. Victor Duchovni.
20060603
Different transports may have different CAfile or CApath
settings. We need to add the transport name to the TLS
session lookup key so that sessions verified with one set
of trusted roots are not inadvertantly considered verified
for another. Victor Duchovni.
20060604
Cleanup: minor fluff found with the BEAM source code analyzer.
Files: global/quote_821_local.c, global/quote_822_local.c,
master/master_spawn.c, pickup/pickup.c, util/match_ops.c,
util/safe_open.c, xsasl/xsasl_cyrus_client.c.
20060606
Safety: mail receiving daemons (smtpd, qmqpd) now pass
actual client name/addres/helo attributes in addition to
the attributes used for logging (xforward). This prevents
Milter applications from treating qmqpd mail as if it
originated locally, and prevents incorrect Milter decisions
after "postsuper -r". Files: smtpd/smtpd.c, qmqpd/qmqpd.c,
cleanup/cleanup_envelope.c, cleanup/cleanup_milter.c,
cleanup/cleanup_state.c, global/post_mail.c, *qmgr/qmgr_message.c,
*qmgr/qmgr_deliver.c, global/deliver_request.c,
global/deliver_pass.c, local/forward.c.
Bugfix: qmgr panic after queue file corruption by Mailscanner.
Files: *qmgr/qmgr_message.c.
Bugfix: XCLIENT didn't work with smtpd_delay_reject=no
(problem reported by Joshua Goodall). To make XCLIENT work
correctly with built-in restrictions and with Milter
applications, the SMTP server now jumps back to the very
start (the 220 phase) of an SMTP session. File: smtpd/smtpd.c.
20060606
Portability: Some systems no longer support the traditional
"sort +0 -2 +3". Victor Duchovni.
20060607
Portability: Found by BEAM static code analyzer. SSL options
(long) were stored as int.
20060610
Cleanup: XCLIENT and XFORWARD attribute values are now sent
as xtext encoded strings. For backwards compatibility,
Postfix will still accept unencoded attribute values. Files:
smtpd/smtpd.c, smtpd/smtpd_proxy.c, smtp/smtp_proto.c.
20060611
Robustness: additional sanity checks for common database
routines. Viktor Dukhovni. File: global/db_common.c.
Portability: LDAP 2.3 API support. Viktor Dukhovni. File:
global/dict_ldap.c.
Security: the PostgreSQL client was updated after the
PostgreSQL developers made major database API changes in
response to PostgreSQL security issues. This breaks support
for PGSQL versions prior to 8.1.4, 8.0.8, 7.4.13, and 7.3.15.
Support for these requires major code changes which are not
possible in the time that is left for the Postfix 2.3 stable
release.
Specific PostgreSQL client changes: use connection-aware
quoting, and more robust PQexec() result handling. Previous
versions of the dict_pgsql driver didn't check the status
of the result pointer, and certain exceptional events can
be mis-interpreted as an empty result set. Fixes by Leandro
Santi. File: global/dict_pgsql.c.
20060612
Changed smtp security level parsing and level->name conversion
to use name_code(3). Victor Duchovni.
Implemented new smtp_tls_security_level parameter, to replace
the unnecessarily complex smtp_use_tls, smtp_enforce_tls
and smtp_tls_enforce_peername parameters. The main.cf
security level settings are now consistent with the new
policy table. Victor Duchovni.
The smtp_sasl_tls_verified_security_options feature is not
yet complete, added #ifdef SNAPSHOT and changed documentation
to delay introduction until Postfix 2.4. Victor Duchovni.
20060614
Merged in Victor's work including the new TLS policy table
and a complete set of configuration parameters for the LMTP
personality of the unified SMTP/LMTP client.
Allow mandatory TLS encryption with LMTP over UNIX-domain
sockets. Victor Duchovni.
Safety: improved code to avoid I/O on connections after the
TLS handshake fails. Victor Duchovni.
20060615
Cosmetic patch for const strings. Stefan Huehner.
Other cosmetic changes, mainly whitespace.
20060616
The qshape.pl script was updated for the pointer records
that were introduced to support message content modification
by Milter applications. Victor Duchovni.
20060620
Feature: Substantially better cipherlist specification
interface and support for anonymous ciphers when certificates
are not needed. The primary interface in main.cf and the
policy table selects one of 5 grades for mandatory TLS with
smtp(8) or lmtp(8) or for all TLS sessions with smtpd(8).
The levels are "high", "medium" (or better), "low" (or
better), "export" (or better) and "null". The underlying
definitions of these levels are configurable, but users are
strongly encouraged to not change those definitions. Victor
Duchovni.
20060626
Bugfix: the Milter reply syntax checker was off by one.
File: milter/milter8.c.
Workaround: disable SMTP connection cache lookup by server
IP address when the tls_per_site policy table is enabled.
This is a workaround for a shortcoming in the SMTP connection
cache implementation, which retrieves the server hostname
from the cached connection. Since this server name is not
obtained in a secure manner, it must not be allowed to
control the tls_per_site policy. File: smtp/smtp_reuse.c.
20060627
Cleanup: mumble_mandatory_tls_mumble parameters renamed to
mumble_tls_mandatory_mumble; added _mandatory_ qualifier
to names of parameters that affect only mandatory TLS.
20060630
Features promoted from SNAPSHOT to STABLE: the "sleep"
pseudo restriction; Postfix daemons now read the local
timezone file before chrooting; trivial-rewrite now detects
table changes every 10 seconds, so it restarts more timely.
Features that stay #ifdef SNAPSHOT: tcp_table,
lmtp_sasl_tls_verified_security_options, and
smtp_sasl_tls_verified_security_options.
Compatibility: Sendmail does not send its own Received:
header to Milter applications. Offsets in header replace
requests are relative to the message content as received
(i.e. without our own Received: header), while offsets in
header insert requests are relative to the message as
delivered (i.e. they include our own Received: header).
This explains why dk-filter would sign our own Received:
header but place the signature between our own Received:
header and the rest of the message, violating the draft
domainkeys spec.
20060702
Cleanup: more graceful handling of queue file read/write
errors while processing milter message modification requests.
Files: cleanup/cleanup_milter.c, milter/milter8.c.
20060703
Debugging: the Postfix milter client gives more context
when it experiences trouble while talking to an uncooperative
Milter application. File: milter/milter8.c.
Compatibility: with OpenBSD 2.7 and later, the alias file
is now in /etc/mail/aliases.
20060704
Bugfix: the Milter client skipped zero-length body lines.
File: milter/milter8.c.
Feature (just this one): RFC 3834 "Auto-Submitted:" message
header in DSNs. File: bounce/bounce_notify_util.c.
20060705
Portability: LP64 systems required a few ssize_t->int casts
in debug logging statements. Files: milter/test_milter.c,
cleanup/cleanup_milter.c.
Cleanup: comments, error messages, and crumbling interfaces.
20060707
Workaround: apparently, Solaris gettimeofday() can return
out-of range microsecond values. File: src/global/log_adhoc.c.
Robustness: the SMTPD policy client now encodes the
ccert_subject and ccert-issuer attributes as xtext. Some
characters are replaced by +XX, where XX is the two-digit
hexadecimal code for the character value. File:
smtpd/smtpd_check.c.
Safety: the SMTP/LMTP client now defers delivery when a
SASL password exists, but the server does not offer SASL
authentication. Mail could be rejected otherwise. This may
become an issue now that Postfix retries delivery in plaintext
after an opportunistic TLS handshake fails. Specify
"smtp_sasl_auth_enforce = no" to deliver mail anyway. File:
smtp/smtp_proto.c. See workaround 20060711 for sender-dependent
SASL passwords. This was undone with the 20060719 workaround.
20060709
Cleanup: the new single smtpd_tls_security_level parameter
obsoletes the multiple smtpd_use_tls and smtpd_enforce_tls
parameters. This is done for consistency with the Postfix
SMTP client. In the Postfix SMTP server, the levels "verify"
and "secure" are currently not applicable, and are treated
as "encrypt", after logging a warning. Files: smtpd/smtpd.c,
tls/tls_level.c, smtp/smtp_session.c.
Compatibility: don't send the first (blank) body line to
Milter applications. This broke domain key etc. signatures
when verified by non-Postfix MTAs. File: milter/milter8.c.
20060710
Cleanup: more consistency between smtpd(8) and smtp(8) TLS
configuration interfaces: smtpd_tls_mandatory_exclude_ciphers,
smtpd_tls_mandatory_ciphers, smtpd_tls_mandatory_protocols.
By Victor. Files:smtpd/smtpd.c.
Cleanup: to support domainkey signing of bounces and
Postmaster notices, enable content inspection of Postfix-
generated mail with the new internal_mail_filter_classes
feature. This is disabled by default, because it is not
yet safe enough. Files: global/int_filt.[hc] and everything
that calls post_mail_fopen*().
20060711
Cleanup: smtpd_tls_mumble -> smtpd_tls_mandatory_mumble,
and finer control over the Postfix SMTP server TLS ciphers,
all this for consistency with the same functionality in the
Postfix SMTP client. Victor Duchovni.
Compatibility: Sendmail's milter client handles whitespace
after the header label and ":" in an interesting manner.
It eats one space (not tab). File: milter/milter8.c.
Workaround: if sender-dependent SASL passwords are enabled,
don't defer delivery when a SASL password exists but the
server doesn't announce SASL support. File: smtp/smtp_proto.c.
This was undone with the 20060719 workaround.
Cleanup: format of cleanup milter reject messages. File:
cleanup_milter.c.
Bugfix: file/memory leak if a transfer of multiple milters
from smtpd to cleanup broke in the middle. Found by Coverity.
File: milter/milter.c.
20060716
Bugfix: "sendmail -bs" panic caused by a missing
SMTPD_STATE_ALONE() guard before a milter_abort() call.
File: smtpd/smtpd.c.
Bugfix (bug introduced with Postfix 2.2): the Postfix SMTP
client enforced Mandatory TLS only when talking to an ESMTP
server; enforcement did not happen if Postfix could somehow
be forced to send HELO instead of EHLO. Victor Duchovni.
File: src/smtp/smtp_proto.c.
20060718
Bugfix (bug introduced 20060711): null pointer bug when
rejecting SMTP mail with Milter application. File:
cleanup/cleanup_milter.c.
Workaround (problem introduced in 200605/200606 TLS update):
the Postfix SMTP server now issues TLS session IDs even
when TLS session caching is turned off, otherwise MS Outlook
fails to deliver mail. There may also be interoperability
issues with other MTAs that we haven't discovered yet.
Specify "smtpd_tls_always_issue_session_ids = no" to disable
the workaround. Victor Duchovni. Files: smtpd/smtpd.c,
tls/tls_server.c.
20060719
Cleanup: the smtp_sasl_auth_enforce feature is gone. It was
meant to work around a problem that was introduced with
plaintext fallback after a failed TLS handshake. Unfortunately,
it created more problems than it solved. We now address the
underlying problem more directly as described next. File:
smtp/smtp_proto.c.
Safety: don't fall back to plaintext delivery after failed
TLS handshake, when the Postfix SMTP client would have
attempted to log in with SASL after successful TLS handshake.
This avoids undesirable behavior regardless of whether the
server does support SASL over plaintext (unexpected password
disclosure) and whether the server doesn't support SASL
over plaintext (insufficient mail relay permission). Files:
smtp/smtp_connect.c, smtp/smtp_session.c, smtp/smtp_proto.c.
20060720
Compatibility: replace %% in milter replies by %, and strip
single (i.e. invalid) % characters. File: milter/milter8.c.
Compatibility: $_ macro support for Milter applications.
Files: smtpd/smtpd.c, smtpd/smtpd_milter.c,
cleanup/cleanup_state.c, cleanup/cleanup_milter.c.
20060721
Safety: disable Milter processing after "postsuper -r". If
the mail has been filtered there is no need to do it again.
Moreover, when mail has passed through an external content
filter, we don't have sufficient information to reproduce
the exact same SMTP events and Sendmail macros that Milters
received when the mail originally arrived in Postfix. This
change does not affect Milter applications that run behind
an after-queue content filter. File: pickup/pickup.c.
Bugfix: Milters received a truncated ORCPT=xxx parameter
due to destructive parsing of something that didn't have
to be preserved before Milter support was added to Postfix.
File: smtpd/smtpd.c.
20060724
Bugfix: when updating the same header multiple times, the
Postfix Milter client created a queue file that caused
delivery agents to loop. File: cleanup/cleanup_milter.c.
20060725
Bugfix: damaged queue file record after a Milter request
to modify a message header when 1) it was the last header
in the unmodified message, and 2) the old header was less
than 15 characters long. File: cleanup/cleanup_milter.c.
Bugfix: don't panic in smtp_rcpt_cleanup() after detecting
a damaged queue file record. File: smtp/smtp_proto.c.
20060726
Bugfix: the 20051013 change to enforce the message size
limit in the SMTP server didn't work for size limits close
enough to INT_MAX. File: smtpd/smtpd.c.
Bugfix (introduced Postfix 2.3): after an SMTP client was
rejected with "smtpd_delay_reject = no", the SMTP server
would panic as it generated spurious Milter requests for
unrecognized commands. File: smtpd/smtpd.c.
20060727
Cleanup: change redundant milter_abort() and milter_disc_event()
calls into NO-OPs. This avoids unnecessary panic() events
for completely harmless conditions. File: milter/milter8.c.
20060805
Bugfix (introduced Postfix 2.3): #ifdef damage caused
smtp_sasl_start() to be invoked twice. Reported by C-J
Lofstedt. File: smtp/smtp_sasl_proto.c.
20060806
Postfix no longer announces its name in delivery status
notifications. Users believe that Wietse provides a free
helpdesk service that solves all their email problems.
Credits to Jonathan Balester. File: bounce/bounce_templates.c.
20060807
Bugfix (introduced Postfix 2.2): when upgrading from Postfix
< 2.2 with the third-party TLS patch, the post-install
upgrade procedure didn't put a "?" in the existing tlsmgr
entry, causing tlsmgr to repeatedly start and exit when TLS
support was not compiled in. File: conf/post-install.
20060812
Bugfix (introduced < Postfix alpha): safety mechanism in
mail_date() didn't work. Found in code review. File:
global/mail_date.c.
20060817
Test programs for host address->name and name->address
lookups to debug name service inconsistencies, typically
when the Postfix SMTP server claims that a hostname is
"unknown". Files: auxiliary/name-addr-test/*.
20060822
Added missing logging for "message to large" etc. Files:
smtpd/smtpd.c, cleanup/cleanup_milter.c.
20060823
Bugfix (introduced Postfix 2.2): segfault when vstream_fclose()
attempted to flush unwritten output, after vstream_fdclose()
had already disconnected the stream from its file descriptor.
File: util/vstream.c.
Bugfix (introduced Postfix 2.2): vstream_fdclose() did not
flush unwritten output before disconnecting a stream from
its file descriptor(s). File: util/vstream.c.
Feature: smtp-sink can capture mail to file, either as one
individual message per file, or as multiple messages per
file. After an initial implementation by Weidong Cui. File:
smtpstone/smtp-sink.c.
Bugfix (introduced < Postfix alpha): smtp-sink did not
correctly recognize DOT-CR-LF immediately after DATA. File:
smtpstone/smtp-sink.c.
Cleanup: smtp-sink now requires that MAIL FROM, RCPT TO and
DATA be send in the correct order. This simplified the
implementation of the capture to file feature. File:
smtpstone/smtp-sink.c.
20050824
Portability: inside functions, GCC 4 refuses forward
declarations of static functions. File: smtpstone/smtp-sink.c.
20060825
Bugfix (introduced Postfix 2.3): with headers-only mail, a
Milter "header insert" action corrupted the queue file. The
cleanup server executed some end-of-body action before the
end-of-header actions. File: cleanup/cleanup_message.c.
Robustness: mail delivery agents now detect loops in queue
files. Files with too many backward jumps are saved to the
"corrupt" directory. File: global/record.c.
20060831
Bugfix (introduced with initial implementation): missing
"dict_errno = 0" caused mis-leading error messages after
non-error lookup failure. Victor Duchovni. File:
util/dict_cidr.c.
Robustness: the default TLS cipher lists were changed from
!foo:ALL into ALL:!foo. Victor Duchovni. Files:
global/mail_params.h and documentation.
20060902
Bugfix (introduced Postfix 2.3): the LMTP client stripped
"inet": from the next-hop destination, but still used the
complete next-hop from the delivery request. File:
smtp/smtp_connect.c.
20060903
Cleanup: record loop detection. File: global/record.c.
20060929
Workaround: AIX 5.[1-3] getaddrinfo() creates socket address
structures with a non-zero port value. This breaks the
smtp_bind_address etc. features, and breaks inet_interfaces
settings with only one IP address. Problem reported by
Hamish Marson. Files: util/sock_addr.[hc], util/myaddrinfo.c.
Bugfix (introduced with the Postfix TLS patch): memory leak
in verify_extract_peer(). The OpenSSL documentation provides
no information on how subjectAltNames are managed. Sam
Rushing, ironport. File: tls/tls_client.c.
Bugfix (introduced with Postfix 2.2): smtp_generic_maps
turned on MIME conversion. File: smtp/smtp_proto.c.
Workaround: don't send SIZE information in the MAIL FROM
command when message content will be subject to 8bit ->
quoted-printable conversion. File: smtp/smtp_proto.c.
20061002
Compatibility: Sendmail now invokes the Milter connect
action with the verified hostname instead of the name
obtained with PTR lookup. File: smtpd/smtpd.c.
20061004
Cleanup: force space between mailq queueid+status and file
size items. File: showq/showq.c.
20061005
Cleanup: make CISCO PIX bug workarounds configurable. This
introduces new parameters: smtp_pix_workarounds (default:
disable_esmtp, delay_dotcrlf) and smtp_pix_workaround_maps
(workarounds indexed by server IP address). The default
settings are backwards compatible. File: smtp/smtp.c,
smtp/smtp_proto.c.
20061006
Workaround: include the smtpd(8) service name when searching
the TLS session cache, to avoid cross-talk between multiple
master.cf entries. This does not eliminate cross-talk between
multiple (x)inetd.conf entries. Victor Duchovni. Files:
smtpd/smtpd.c, tls/tls_server.c.
20061015
Cleanup: convert the Milter {mail_addr} and {rcpt_addr}
macro values to external form. File: smtpd/smtpd_milter.c.
Cleanup: the Milter {mail_addr} and {rcpt_addr} macros are
now available with non-SMTP mail. File: cleanup/cleanup_milter.c.
Cleanup: convert addresses in Milter recipient add/delete
requests to internal form. File: cleanup/cleanup_milter.c.
Cleanup: with non-SMTP mail, convert addresses in simulated
MAIL FROM and RCPT TO events to external form. File:
cleanup/cleanup_milter.c.
20061017
Cleanup: removed spurious warning when the cleanup server
attempts to bounce mail with soft_bounce=yes. Problem
reported by Ralf Hildebrandt. File: cleanup/cleanup_bounce.c.
Bugfix: null pointer bug when receiving a non-protocol
response on a cached SMTP/LMTP connection. Report by Brian
Kantor. Fix by Victor Duchovni. File: smtp/smtp_reuse.c.
20061106
Feature: new retry delivery agent, to avoid the synchronous
defer service client in the queue manager. This code is
co-located with the error(8) server. File: error/error.c.
Performance: the queue manager could spend too much time
in the synchronous defer service client, causing the watchdog
timer to go off. Where possible, the queue manager now
bounces or defers recipients asynchronously, by routing
them to the error or the retry delivery agent. Code by
Wietse and Patrik Rak. Files: global/recipient_list.c,
*qmgr/qmgr_error.c, *qmgr/qmgr_defer.c, *qmgr/qmgr_entry.c,
*qmgr/qmgr_deliver.c, *qmgr/qmgr_message.c.
Performance: refined recipient and job grouping, and more
agressive early refill of in-memory recipients to prevent
a worst-case scenario where the queue manager became starved
until after the last batch of slow in-memory recipients of
jumbo multi-recipient mail. Code by Patrik Rak. Files:
global/mail_conf_time.c, qmgr/qmgr_message.c, qmgr/qmgr.c,
qmgr/qmgr.h, qmgr/qmgr_entry.c, qmgr/qmgr_job.c,
qmgr/qmgr_message.c, qmgr/qmgr_transport.c.
20061113
Bugfix: the Postfix install/upgrade procedure broke with
non-default config_directory. File: conf/post-install.
20061115
Bugfix: null pointer bug in end-of-header Milter action
when the last header line is too large. Reported by Mark
Martinec. The root of the problem is that the MIME state
engine may execute up to three call-back functions when it
reaches the end of the headers, before it returns to the
caller; as long as call-backs return no result, each call-back
has to check for itself if a previous call-back ran into a
problem. File: milter/milter8.c.
Workaround: reduce effective header_size_limit to 60000
when Milter inspection is enabled, to avoid breaking the
Milter protocol request length limit. File:
cleanup/cleanup_message.c.
20061123
Safety: don't read more than 5000 recipients at a time, to
avoid spending too much time away from interrupts. File:
qmgr/qmgr_message.c.
20061201
Workaround: don't complain with "Error 0" in the trivial-rewrite,
verify, proxymap or connection cache client when the server
exits after the client sends its request. We still complain,
however, when the problem persists. Files: global/rewrite_clnt.c,
global/resolve_clnt.c, global/verify_clnt.c, global/scache_clnt.c,
global/dict_proxy.c.
Safety: the header_size_limit is now enforced more strictly,
to avoid inter-operability problems with the Milter protocol.
Long headers are truncated at a line boundary if possible,
otherwise they are cut between line boundaries. File:
cleanup/cleanup_out.c.
20061203
Bugfix (introduced with Postfix 2.2): with SMTP server
tarpit delays of smtp_rset_timeout or larger, the SMTP
client could get out of sync with the server while reusing
a connection. The symptoms were "recipient rejected .. in
reply to DATA". Fix by Victor Duchovni and Wietse. Files:
smtp/smtp_proto.c, smtp/smtp_connect.c.
Robustness: the vbuf and vstream documentation claimed that
their *error() macros reported timeout errors, but they
didn't really. The implementation was fixed, and redundant
vstream_ftimeout() calls were removed. As a result, many
Postfix daemons now properly detect write timeout errors
on internal connections. Files: util/vbuf.h.
Workaround: some broken SMTP servers reply and hang up in
the middle of DATA. The Postfix SMTP client now stops sending
and tries to receive the server response. This can help to
avoid repeated delivery attempts. Initial implementation
by Wietse, later work by Victor Duchovni. Files:
smtp/smtp_proto.c, smtpstone/smtp-sink.c, util/vstream.c,
plus trivial mods for code thatr calls vstream_fpurge().
20061204
Compatibility: The Postfix installation/upgrade procedure
no longer sets "unknown_local_recipient_code = 450" in
main.cf. This was a safety net for upgrades from Postfix
1.x. Four years later is no longer needed. File:
conf/post-install.
Cleanup: removed vstream_fclose() error warning in the code
that disconnects from a delivery agent. There is no need
to report errors here because they would already be reported
earlier. Files: *qmgr/qmgr_deliver.c.
Robustness: "kill me after N seconds" feature to ensure
that a daemon process does not get stuck while preparing
for exit after signal arrival. File: util/killme_after.[hc],
util/watchdog.c, master/master_sig.c.
20061206
Robustness: low-cost re-entrancy guard that allows daemons
to safely call msg_fatal() etc. from a signal handler,
without risking memory corruption, or deadlock on Redhat
Linux. This works provided that the signal handler terminates
the process. In that special case we need not guarantee
after-the-fact consistency of the thread that was interrupted.
File: util/msg_output.c.
Robustness: replace exit() calls by _exit(). File: util/msg.c,
bounce/bounce_cleanup.c.
20061207
Workaround: on systems with usable futimes() or equivalent
(Solaris, *BSD, MacOS, but not Linux), always explicitly
set the queue file last modification time stamps while
creating a queue file. With this, Postfix can avoid logging
warnings when the file system clock is ahead of the local
clock. Clock skew can be a problem, because Postfix does
not deliver mail until the local clock catches up with the
queue file's last modification time stamp. File:
global/mail_stream.c.
Workaround: on systems without usable futimes() or equivalent,
log a warning when the file system clock is more than 100
seconds behind the local clock. This does not cause mail
delivery problems, but it just looks silly in message
headers. File: global/mail_stream.c.
On systems without usable futimes() (Linux, and ancient
versions of Solaris, SunOS and *BSD) Postfix will keep using
the slower utime() system call to update queue file time
stamps when the file system clock is off with respect to
the local system clock.
Compatibility with Postfix < 2.3: undo the change to bounce
instead of defer after pipe-to-command delivery fails with
a signal. File: global/pipe_command.c.
20061208
Workaround: apparently, some mail software removes or hides
"<postmaster>" in the Postfix bounce text, because it
processes the text as if it were HTML. This confuses users.
The bounce template has been updated to remove the < and
>. File: bounce/bounce_templates.c.
Cleanup: when smtp_generic_maps is turned on, don't parse
MIME structures in the message body. Victor Duchovni. File:
smtp/smtp_proto.c.
20061210
Cleanup: streamline the signal handler reentrancy protections,
and document under what conditions these protections work,
with REENTRANCY sections in the relevant man pages. Files:
util/vbuf_print.c. util/msg.c, util/msg_output.c.
20061211
Cleanup: when doing server access control by the remote TLS
client fingerprint, do not require client certificate
verification. Victor Duchovni. File: smtpd/smtpd_check.c.
Safety: when the remote TLS client certificate isn't verified,
don't send ccert_subject and ccert_issuer attributes in
check_policy_service requests. Victor Duchovni. File:
smtpd/smtpd_check.c.
Bugfix: the postconf command still complained about an
unqualified machine name, because it was not updated with
the 20050513 change that introduced a default "mydomain =
localdomain". File: postconf/postconf.c.
20061213
Bugfix: race condition in "ETRN site", "sendmail -qRsite"
and "postqueue -s site". When the command arrived while an
incoming queue scan was already in progress, mail could
stay deferred instead of being flushed. The fix was to
unthrottle the queue manager before moving files from the
deferred queue to the incoming queue. Files: flush/flush.c,
qmgr/qmgr_scan.c.
Cleanup: the sendmail and postqueue commands no longer
terminate with a non-standard error status after a run-time
error in some Postfix internal routine (typically, some
essential file is not accessible, or the system is out of
memory). Files: sendmail/sendmail.c, postqueue/postqueue.c.
Feature: "sendmail -qIqueueid" and "postqueue -i queueid"
to flush a specific queue file. Files: sendmail/sendmail.c,
postqueue/postqueue.c, global/flush_clnt.c, flush/flush.c.
20061214
Performance: "sendmail -qIqueueid" and "postqueue -i queueid"
unthrottle only the necessary message delivery transports
and queues. The unthrottle request now is propagated to the
queue manager via queue file group read permission bits.
Based on initial implementation by Victor Duchovni. Files:
flush/flush.c, *qmgr/qmgr.c, *qmgr/qmgr_scan.c,
*qmgr/qmgr_active.c, *qmgr/qmgr_message.c.
20061220
Workaround: PMilter 0.95 does not deliver SMFIC_EOB+data
to the application as SMFIC_BODY+data followed by SMFIC_EOB.
To avoid compatibility problems, Postfix now sends
SMFIC_BODY+data followed by SMFIC_EOB. File: milter/milter8.c.
Bugfix (introduced with Postfix 2.3): when inserting
Milter-generated headers at increasing positions in a
message, a later header could end up at a previously used
insertion point. Thus, inserting headers at positions (N,
N+M) could work as if (N, N) had been specified. Problem
reported by Mark Martinec. File: milter/milter8.c.
20061221
Feature: time unit suffix support in _command_time_limit.
Files: pipe/pipe.c, spawn/spawn.c.
20061227
Bugfix (introduced with Postfix 2.3): the MX hostname syntax
check was skipped with reject_unknown_helo_hostname and
reject_unknown_sender/recipient_domain, so that Postfix
would still accept mail from domains with a zero-length MX
hostname. File: smtpd/smtpd_check.c.
20061229
Cleanup: use separate TLS_LEGACY_README to document the old
TLS user interface. This will simplify TLS_README dramatically.
Cleanup: untangled spaghetti code. File: util/inet_listen.c.
20070104
Bugfix (introduced Postfix 2.3): when creating an alias map
on a NIS-enabled system, don't case-fold the YP_MASTER_NAME
and YP_LAST_MODIFIED lookup keys. This requires that an
application can turn on/off case folding on the fly. Files:
postalias/postalias.c, global/dict_mumble.c, util/dict_mumble.c,
proxymap/proxymap.c.
Cleanup: after the above revision of the proxymap protocol,
the proxymap server can now share the same map with clients
that have only minor differences in dictionary open/access
options.
20070105
Performance: pipeline of pending delivery agent connections,
to improve Linux/Solaris mail delivery performance by another
10% while going down-hill with the wind from behind. Design
and implementation Victor and Wietse. Files: *qmgr/qmgr.c,
*qmgr/qmgr.h, *qmgr/qmgr_transport.c.
20070106
Cleanup: eliminate the Linux/Solaris "wait for accept()"
stage from the queue manager to delivery agent protocol.
This alone achieves 99.99% of the Linux/Solaris speed up
from the preceding change. The pending connection pipeline
takes care of the rest. Tested on Linux kernels dating
back to 2.0.27 (that's more than 10 years ago). Files:
*qmgr/qmgr_transport.c.
20070112
Bugfix (introduced 20011008): after return from nested
access restriction, possible longjump into exited stack
frame upon configuration error or table lookup error. Victor
Duchovni. Files: smtpd/smtpd_check.c.
Workaround: don't insert header/body blank line separator
in malformed attachments, to avoid breaking digital signatures.
Switch from header to body state, for robust MIME parsing.
People concerned about MIME evasion can use a MIME normalizer
to corrupt their user's legitimate email. File:
global/mime_state.c.
20070114
Feature: body replacement support for Milter applications.
Postfix 2.3 and older 2.4 versions will be able to deliver
body-replaced queue files, but will report the message size
as it was before the body was replaced. Files: milter/milter8.c,
cleanup/cleanup_milter.c, cleanup/cleanup_body_region.c.
20070117
Cleanup: reusable infrastructure for body replacement.
Files: cleanup/cleanup_body_edit.c, cleanup/cleanup_region.c.
20070118
Bugfix: match lists didn't implement ![ipv6address]. Problem
reported by Paulo Pacheco. File: util/match_list.c.
Cleanup: revised the matchlist "!" support, added support
for !/file/name, and updated the documentation. File:
util/match_list.c.
20070119-21
Cleanup: pad short message headers with a filler record,
so that the result is never shorter than a pointer record.
This immensely simplified the support for Milter header
modification requests: three complex loops could be replaced
by one simpler loop. The DTXT record type was re-purposed
from "deleted header text" to "short header padding", keeping
the change backwards compatible. Files: cleanup/cleanup_out.c,
cleanup/cleanup_milter.c, global/record.c.
Cleanup: the Milter "add recipient" action always added the
recipient to the initial envelope segment, causing added
recipients to be separate from "sendmail -t" recipients.
This violated design, without impact on delivery (always_bcc
recipient are always at the end of the queue file even when
all other recipients are in the initial segment). File:
global/rec_types.h.
20070123
Workaround: OpenSSL falsely concludes that AES256 support
is present when only AES128 is available. Code by Victor
Duchovni. File: tls/tls_misc.c.
20070125
Disable workaround pending completion of updated TLS]
support in non-production releases.
20070131
Assorted code cleanup, portability fixes/workarounds, and
minor updates: global/dict_ldap.c, mantools/postlink,
tlsmgs/tlsmgr.c, conf/master.cf. LaMont Jones.
20070101
Portability: GNU Hurd support for multiple kernel environments.
LaMont Jones. Files: util/sys_defs.h, makedefs.
Cleanup: some default settings were adjusted to better fit
today's environment: queue_run_delay and minimal_backoff_time
were reduced from 1000s to 300s, so that deliveries are
retried earlier after the first failure; ipc_idle was reduced
from 100s to 5s, so that tlsmgr and scache clients will
more quickly release unused file handles. Files:
global/mail_params.h, proto/postconf.5.html
20070202
Catch-up: FreeBSD kqueue support. File: util/events.c.
20070205
System-V poll(2) support. This is now the preferred method
to test a single file descriptor on sufficiently recent
versions of FreeBSD, NetBSD, OpenBSD, Solaris and Linux;
other systems will be added as evidence becomes available
of usable poll(2) implementations. Files: util/read_wait.c,
util/write_wait.c, util/readble.c, util/writable.c.
Streamlined the event_enable_read/write implementation to
speed up smtp-source performance, by eliminating expensive
kqueue/devpoll/epoll system calls when only the application
call-back information changes. On FreeBSD, smtp-sink/source
tests now run 5% faster than with the old select(2) based
implementation. File util/events.c.
20070206
Catch-up: Solaris /dev/poll support. File: util/events.c.
Bugfix (introduced 20060823): initial state was not in state
machine, causing memory access outside the lookup table.
File: smtpstone/smtp-sink.c.
20070210
Catch-up: Linux epoll support. File: util/events.c.
20070211
Polished the kqueue/devpoll/epoll support; this is now
enabled by default on sufficiently recent versions of
FreeBSD, NetBSD, OpenBSD, Solaris and Linux; other systems
will be added as evidence becomes available of usable
implementations. File: util/events.c.
20070212
Further polish: removed some typos from new code in the
events.c handler, undid some unnecessary changes to the
{read,write}{_wait,able}.c modules, and addressed Victor's
paranoia for multi-client servers with a thousand clients
while linked with library routines that can't handle file
descriptors >= FD_SETSIZE.
Cleanup: while debugging the new events.c handler, removed
an unnecessary "write after connect" call-back event. File:
global/post_mail.c.
20070214
Robustness: in the queue manager keep a number of free file
descriptor slots at the low end, to work around library
routines that can't handle file descriptors >= FD_SETSIZE.
Files: *qmgr/qmgr_transport.c, util/vstream.[hc]
20070215
Bugfix (introduced 20070114 with Milter body edit support):
the cleanup server terminated with a fatal error when SMTP
mail exceeded the message size limit, instead of handling
it as a non-fatal error. Files: cleanup/cleanup_extracted.c,
cleanup/cleanup_final.c, cleanup/cleanup_bounce.c,
cleanup/cleanup_api.c.
20070217
Streamline the compile time selection of event handling
styles, replacing multiple on/off macros by just one
multi-valued macro. Files: util/sys_defs.h, util/events.c,
master/multi_server.c, *qmgr/qmgr_transport.c.
20070220
Work-around: Disable SSL/TLS ciphers when the underlying
symmetric algorithm is not available in the OpenSSL crypto
library at the required bit strength. Problem observed with
SunOS 5.10's bundled OpenSSL 0.9.7 and AES 256. Also possible
with OpenSSL 0.9.8 and CAMELLIA 256. Root cause fixed in
upcoming OpenSSL 0.9.7m, 0.9.8e and 0.9.9 releases. Victor
Duchovni, Morgan Stanley. Files: src/smtp/smtp_proto.c,
src/smtpd/smtpd.c, src/tls/tls.h, src/tls/tls_client.c,
src/tls/tls_misc.c and src/tls/tls_server.c.
20070222
Workaround: delayed "postfix reload" with ancient FreeBSD4
kqueue implementations, causing the first external or
internal clients after "postfix reload" to experience a
quick disconnect. Apparently, these kqueue implementations
do not deliver a read notification when the master closes
the per-service shared master/child status pipe (even when
there is only one child; note that the master keeps a handle
to both ends of each status pipe). A child process remains
ignorant that the status pipe was closed until the arrival
of the next client request, and then terminates. The
workaround is to ignore master status write errors before
handling a service request. Files: master/*_server.c.
Cleanup: fix race condition that caused unnecessary "premature
end-of-input" warning messages when "postfix reload" was
issued on a busy mail server. Files: util/attr_scan*c.
20070223
Cleanup: syslog_name now works as documented with both
daemons and commands (including set-gid commands). Files:
global/mail_task.c postlog/postlog.c, global/mail_version.h,
sendmail/sendmail.c, postsuper/postsuper.c, postalias/postalias.c,
postmap/postmap.c, postqueue/postqueue.c, postdrop/postdrop.c,
master/trigger_server.c, master/single_server.c,
master/multi_server.c.
20070224
Workaround: GNU POP3D creates a new mailbox and deletes the
old one. Postfix now backs off and retries delivery later,
instead of appending mail to a deleted file. To minimize
the use of this workaround, Postfix now by default creates
mailbox dotlock files on all systems, and creates dotlock
files before opening mailbox files. Files: util/sys_defs.h,
global/mbox_open.c.
20070301
Workaround: updated workaround for broken Solaris accept().
File: util/inet_listen.c.
Workaround: on some FreeBSD versions, accept(2) can fail
with a bogus EINVAL error. We now allow accept(2) to fail
for a limited number of times before terminating the process.
Files: master/single_server.c, master/multi_server.c.
20070306
Bugfix (introduced with Postfix 2.3 Milter support): postdrop
reported "illegal seek" instead of "file too large". File:
postdrop/postdrop.c.
20070310
Cleanup: specify "undisclosed_recipients_header =" to disable
Postfix's "To: undisclosed-recipients:;" header for mail
that lists no recipient. The To: header is not required as
of RFC 2822. The undisclosed_recipients_header parameter
value can now be an empty string, a value that was not
allowed with earlier Postfix versions. With Postfix 2.5 it
will be empty by default. Files: cleanup/cleanup.c,
cleanup/cleanup_message.c.
20070312
Backwards compatibility: don't pad short message header
records when Milter support is turned off. This maintains
compatibility with Postfix versions that pre-date Milter
support. File: cleanup/cleanup_out.c.
20070314
Bitrot: move the "don't run this daemon by hand" message
before other tests. Files: master/*server.c.
20070315
Bitrot: New OpenLDAP APIs deprecate simplified interfaces,
that are the only ones available in Sun's LDAP SDK. Define
suitable macros that work with new OpenLDAP and Sun's code.
Victor Duchovni, Morgan Stanley. File: src/global/dict_ldap.c
Cleanup: new "leaf" and "terminal" result attributes support
fine-tuning of LDAP group expansion, and provide a solution
for the problem case where DN recursion returns both the
group address and the addresses of the member objects.
Victor Duchovni, Morgan Stanley. Files: src/global/dict_ldap.c,
proto/LDAP_README.html, proto/ldap_table
20070317
Idioten Sicherheit: stamp every executable file and every
core dump file with "mail_version=xxxxx". Adding version
stamps and checks to every IPC message is too much change
after code freeze, and requires too much time for testing.
File: src/global/mail_version.h and every main program file.
20070320
Bugfix (introduced between 20070120 and 20070121): the
cleanup server stored no "delayed mail warning" queue file
records with "sendmail -t", and no header_checks filter/redirect
records or content encoding records with other mail. File:
global/rec_type.h.
20070321
Bugfix (introduced 20070224): local(8) or virtual(8) could
log a misleading error message after failure to open a
mailbox file. File: global/mbox_open.c.
Bugfix (code should have been updated 20070104): the proxymap
client did not propagate changes in case folding flags.
Currently, nothing in Postfix uses this functionality.
File: global/dict_proxy.c.
20070325
Bugfix: postfix-install didn't work for symlink or hardlink
targets, when the parent directory had a value of "no".
20070326
Workaround: Eric Raymond's man page formatters don't handle
low-level *roff .in or .ti controls. We now use .nf and .fi
instead. Files: many.
20070331
Bugfix (introduced Postfix 2.3): segfault with HOLD action
in access/header_checks/body_checks on 64-bit platforms.
File: cleanup/cleanup_api.c.
20070402
Portability (introduced 20070325): the fix for hardlinks
and symlinks in postfix-install forgot to work around shells
where "IFS=/ command" makes the IFS setting permanent. This
is allowed by some broken standard, and affects Solaris.
File: postfix-install.
Portability (introduced 20070212): the workaround for
non-existent library bugs with descriptors >= FD_SETSIZE
broke with "fcntl F_DUPFD: Invalid argument" on 64-bit
Solaris. Files: master/multi_server.c, *qmgr/qmgr_transport.c.
20070405
Feature: BCC access/policy action, to demonstrate that this
is not a good feature. The action's behavior is non-intuitive
and requires too much documentation to explain. It's
therefore snapshot only. File: smtpd/smtpd_check.c.
20070414
Cleanup: expire cached results from addres rewriting, address
resolution, and from transport map lookups. Results expire
after 30 seconds; short enough that it doesn't freak out
people who run the same test repeatedly, and long enough
that it doesn't upset other people with continuous streams
of "*" transport map lookups. Files: global/rewrite_clnt.c,
global/resolve_clnt.c, trivial-rewrite/transport.c.
20070421
Cleanup: on (Linux) platforms that cripple signal handlers
with deadlock, "postfix stop" now forcefully stops all the
processes in the master's process group, not just the master
process alone. File: conf/postfix-script.
20070422
Cleanup: the "Delivered-To:" loop detection implementation
was moved from the local(8) delivery agent to the library,
where it can also be used by other delivery agents. Files:
global/delivered_hdr.[hc].
Safety: the "Delivered-To:" loop detection implementation
keeps state for no more than 1000 "Delivered-To:" headers.
Feature: $domain command-line macro support, to get access
to the recipient address domain portion. Based on code by
Koen Vermeer. File: pipe/pipe.c.
Cleanup: support for "Delivered-To:" loop detection in the
pipe(8) delivery agent. This follows a general principle:
if a program creates the "Delivered-To:" header, then it
is also responsible for "Delivered-To:" loop detection.
File pipe/pipe.c.
20070423
The cache expiring transport map lookups did not distinguish
between wildcard transport map entry with an "empty" transport
field, or no wildcard transport map entry.
20070424
Cleanup: making hard-coded behavior configurable. In this
case, extracting 8BITMIME encoding information from
Content-Transfer-Encoding: message headers. The default
behavior, "detect_8bit_encoding_header = yes", is backwards
compatible. This behavior was introduced to generate
RFC-compliant bounce messages before Postfix supported the
8BITMIME option in the MAIL FROM command and on the Postfix
sendmail command line. Files: cleanup/cleanup_init.c,
cleanup/cleanup_message.c, global/mail_params.h.
20070425
Bugfix: don't falsely report "lost connection from
localhost[127.0.0.1]" when Postfix is being portscanned.
Files: smtpd/smtpd_peer.c, qmqpd/qmqpd_peer.c.
20070429
Feature: "postfix status" to report whether Postfix is
running. By Mike Cappella.
Cleanup: configurable address case folding moved from the
pipe(8) delivery agent to the library, where it can also
be used by other delivery agents. Files: global/fold_addr.[hc].
20070430
Robustness: recommend a "0" process limit for policy servers
to avoid "connection refused" problems when the smtpd process
limit exceeds the default process limit. File:
proto/SMTPD_POLICY_README.html.
20070501
Workaround: turn on KEEPALIVE probes to avoided "lost
connection after sending end-of-data" problems when some
stateful (NAT) filter expires an idle connection too soon.
This requires that the kernel's TCP keepalive timer be set
to a sufficiently short time (perhaps 100s or less). Files:
util/sane_accept.c, util/sane_connect.c.
Safety: when IPv6 (or IPv4) is turned off, don't treat an
IPv6 (or IPv4) connection from e.g. inetd as if it comes
from localhost[127.0.0.1]. Files: smtpd/smtpd_peer.c,
qmqpd/qmqpd_peer.c.
20070502
Workaround: build without EPOLL support when an epoll-enabled
kernel sits underneath a retarded libc. File: makedefs.
Cleanup: missing support for SASL security properties with
Dovecot SASL authentication. Based on an initial version
by Lev A. Serebryakov. File: xsasl/xsasl_dovecot_server.c.
20070503
Cleanup: changed the default address verification sender
from "postmaster" to "double-bounce", so that the Postfix
SMTP server no longer surprises unsuspecting people by
excluding "postmaster" from SMTPD access controls. File:
global/mail_params.h.
20070508
Bugfix: Content-Transfer-Encoding: attribute values are
case insensitive. File: src/cleanup/cleanup_message.c.
20070514
Bugfix: the makedefs EPOLL workaround broke any attempt to
build on a 2.6 kernel. And that two weeks after the workaround
had been posted to the mailing list. File: makedefs.
Bugfix: mailbox_transport(_maps) and fallback_transport(_maps)
were broken when used with the error(8) or discard(8)
transports. Cause: insufficient documentation. Files:
error/error.c, discard/discard.c.
20070520
Bugfix (problem introduced Postfix 2.3): when DSN support
was introduced it broke "agressive" recipient duplicate
elimination with "enable_original_recipient = no". File:
cleanup/cleanup_out_recipient.c.
20070523
Feature: cyrus_sasl_config_path to specify a search path
for Cyrus SASL configuration files (currently used only to
locate the smtpd.conf file). Based on code by Victor
Duchovni. Files: smtpd/smtpd.c xsasl/xsasl_cyrus_server.c,
(and xsasl/xsasl_cyrus_client.c for future expansion).
20070525
Bugfix (introduced 20070523): the sasl_set_path() function
name was mis-speeled.
20070529
Bugfix (introduced Postfix 2.3): the sendmail/postdrop
commands would hang when trying to submit a message larger
than the per-message size limit. File: postdrop/postdrop.c.
20070530
Sabotage the saboteur who insists on breaking Postfix by
adding gethostbyname() calls that cause maildir delivery
to fail when the machine name is not found in /etc/hosts,
or that cause Postfix processes to hang when the network
is down.
20070531
Portability: Victor helpfully pointed out that change
20070425 broke on non-IPv6 systems. Files: smtpd/smtpd_peer.c,
qmqpd/qmqpd_peer.c.
20070610
Isolation: don't allow the pipe(8) delivery agent to leak
postdrop group privileges with "user=xxx:postdrop". File:
pipe/pipe.c.
20070613
Bugfix: the Milter client assumed that a Milter application
does not modify the message header or envelope, after that
same Milter application has modified the message body of
that same email message. This is not a problem with updates
by different Milter applications. Problem was triggered
by Jose-Marcio Martins da Cruz. Also simplified the handling
of queue file update errors. File: milter/milter8.c.
20070614
Workaround: some non-Cyrus SASL SMTP servers require SASL
login without authzid (authoriZation ID), i.e. the client
must send only the authcid (authentiCation ID) + the authcid's
password. In this case the server is supposed to derive
the authzid from the authcid. This works as expected when
authenticating to a Cyrus SASL SMTP server. To get the old
behavior specify "send_cyrus_sasl_authzid = yes", in which
case Postfix sends the (authzid, authcid, password), with
the authzid equal to the authcid. File: xsasl/xsasl_cyrus_client.c.
20070619
Portability: /dev/poll support for Solaris chroot jail setup
scripts. Files: examples/chroot-setup/Solaris8,
examples/chroot-setup/Solaris10.
20070713
The RFC documents at www.faqs.org are being polluted with
"feedback" spam. The Postfix hypertext documentation now
points to tools.ietf.org. File: mantools/postlink.
20070719
Feature: updated smtp-sink with new options to send a
pre-formatted message from file, and to handle replies other
than the expected 2xx or 3xx. File: smtpstone/smtp-source.c.
Cleanup: Milter client error handling, so that the (Postfix
SMTP server's Milter client) does not get out of sync with
Milter applications after the (cleanup server's Milter
client) encounters some non-recoverable problem. Files:
milter/milter8.c, smtpd/smtpd.c.
20070720
Support for RFC 4954 (SASL AUTH, updates RFC 2554, refines
some reply codes and introduces DSN enhanced status codes)
and RFC 3848 ("Received ... with ESMTPS?A? ...). Currently,
support for the latter is always on. Files: smtpd/smtpd.c,
smtpd/smtpd_sasl_proto.c, smtpd/smtpd_sasl_glue.c.
20070727
Workaround: the queue manager no longer logs a warning for
mail sent to the local double-bounce address (normally, the
this is used as the sender while reporting an undeliverable
bounce message to the local postmaster). As of 20070503
the local double-bounce address is the default sender for
sender/recipient address verification probes, and it now
shows up as a spam target. Files: *qmgr/qmgr_message.c.
20070729
Performance: fix for poor TCP performance for loopback
(127.0.0.1) connections. Problem reported by Mark Martinec.
Files: util/vstream.c, util/vstream_tweak.c, milter/milter8.c,
smtp/smtp_connect.c, smtpstone/*source.c.
20070730
Bugfix: when a milter replied with ACCEPT at or before the
first RCPT command, the cleanup server would apply the
non_smtpd_milters setting as if the message was a local
submission. Problem reported by Jukka Salmi. Also, the
cleanup server would get out of sync with the milter when
a milter replied with ACCEPT at the DATA command. Files:
cleanup/cleanup_envelope.c, smtpd/smtpd.c, milter/milters.c.
20070811
Cleanup: unlike smtpd_mumble_restrictions, the Postfix SMTP
server Milter reject logging did not show the (helo argument,
sender address, or recipient address) that was being rejected.
File: smtpd/smtpd.c.
20070824
Bugfix (introduced snapshot 20070429): the pipe(8) delivery
agent 'q' flag (quote address local-part) used the same bit
mask as the 'B' flag (append blank line). Setting one flag
also turned on the other. File: pipe/pipe.c.
Feature: specify the 'X' flag to indicate that the pipe(8)
delivery agent performs final delivery. This changes the
status in DSN "success" messages from "relayed" into
"delivered". File: pipe/pipe.c.
20070904-6
Feature: stress-adaptive behavior. When a "public" network
service runs into an "all processes are busy" condition,
the master(8) daemon logs a warning, restarts the service,
and runs it with "-o stress=yes" on the command line (normally
it runs the service with "-o stress="). This can be used
to make main.cf parameter settings stress dependent.
Examples: "smtpd_timeout = ${stress?10}${stress:300}" and
"smtpd_hard_error_limit = ${stress?1}${stress:20}". Files:
master/master_avail.c, master/master_spawn.c, master/master_ent.c.
20070911
Bugfix (introduced Postfix 2.2.11): TLS client certificate
with unparsable canonical name caused the SMTP server's
policy client to allocate zero-length memory, triggering
an assertion that it shouldn't do such things. File:
smtpd/smtpd_check.c.
20070912
Bugfix (introduced Postfix 2.4) missing initialization of
event mask in the event_mask_drain() routine (used by the
obsolete postkick(1) command). Found by Coverity. File:
util/events.c.
20070917
Workaround: the flush daemon forces an access time update
for the per-destination logfile, to prevent an excessive
rate of delivery attempts when the queue file system is
mounted with "noatime". File: flush/flush.c.
20070923
Cleanup: don't complain when a "corrupt" queue file is
deleted before it can be saved to the "corrupt" queue.
Files: *qmgr/qmgr_active.c.
20071003
Logging: the Postfix SMTP server now logs the number of
bytes received after the DATA command when a connection
breaks before mail delivery completes. This may help finding
the cause of the problem: packet loss, MTU, or other. File:
smtpd/smtpd.c.
20071004
Logging: all daemons now log the TCP port number of remote
SMTP or QMQP clients. The information is overruled with
the SMTP XCLIENT command, is propagated through SMTP-based
content filters with XFORWARD, and is sent to Milter
applications. Files: smtpd/smtpd_peer.c, smtpd/smtpd.c,
smtpd/smtpd_proxy.c, smtpd/smtpd_milter.c, qmqpd/qmqpd_peer.c,
cleanup/cleanup_milter.c, *qmgr/qmgr_message.c,
*qmgr/qmgr_deliver.c, smtp/smtp_proto.c, pipe/pipe.c,
global/deliver_request.c, global/deliver_pass.c,
proto/XFORWARD_README, proto/XCLIENT_README.
Feature: per-command delays in smtp-sink. File:
smtpstone/smtp-sink.c. Victor Duchovni.
20071006
Cleanup: updated a bunch of hard-coded host[addr] logging
statements. Files: smtpd/smtpd.c, smtpd/smtpd_chat.c,
smtpd/smtpd_sasl_glue.c.
Cleanup: client port logging is now configurable (off by
default). Parameters: smtpd_client_port_logging and
qmqpd_client_port_logging. Files: smtpd/smtpd_peer.c,
qmqpd/qmqpd_peer.c.
Cleanup: send client port information "0" instead of "unknown"
to Milter applications. Files: smtpd/smtpd.c, smtpd/smtpd_milter.c,
cleanup/cleanup_milter.c.
20071025
Portability: on Linux we no longer need /proc to find out
local IPv6 interface address information. LaMont Jones.
Files: util/sys_defs.h.
20071030
Bugfix (introduced Postfix 2.3): Postfix mistakenly enforced
the 64kbyte limit (for sending body parts TO Milter
applications) also while receiving packets FROM Milter
applications. The limit is now at least 1GB. File:
milter/milter8.c.
20071105
Feature: ORIGINAL_RECIPIENT environment variable. Corey
Hickey. File: local/local.c.
20071108-10
Feature: general-purpose header/body_checks library module,
first used in the SMTP client. Actions that change the
message delivery time or destination can be implemented
with a simple extension mechanism (they make sense only in
before-queue filters). Configuration parameters:
smtp_header_checks, smtp_mime_header_checks,
smtp_nested_header_checks, smtp_body_checks. Unlike the
cleanup server, the mime and nested header checks don't by
default assume the header_checks value. Files:
global/header_body_checks.[hc], smtp/smtp_proto.c,
smtp/smtp_session.c.
20071110
Feature: ${original_recipient} command-line macro. Corey
Hickey. File: pipe/pipe.c.
Bugfix (introduced: 20071004) missing exception handling
in smtp-sink per-command delay feature. Victor Duchovni.
File: smtpstone/smtp-sink.c.
2007117-20
Revised queue manager with separate mechanisms for
per-destination concurrency control and dead destination
detection. The concurrency control supports non-integer
feedback for more gradual concurrency adjustments, and uses
hysteresis to avoid rapid oscillations. A destination is
declared "dead" after a configurable number of pseudo-cohorts
(number of deliveries equal to a destination's concurrency)
reports connection or handshake failure. This work began
with a discussion that Wietse started with Patrik Rak and
Victor Duchovni late January 2004, and that Victor revived
late October 2007. To establish a baseline for further
improvement, Wietse implemented a few simple mechanisms.
Configuration parameters for debugging, positive/negative
hysteresis, and positive/negative feedback. Some have since
been removed or renamed, so no point naming them here.
Files: global/mail_params.h, qmgr/qmgr_queue.c,
qmgr/qmgr_deliver.c.
20071121
Boundary condition: Patrik Rak pointed out that handling
of negative feedback with concurrency window 1 could
be improved.
Feature: support to look up null sender addresses in
sender-dependent relayhost maps. Parameter name:
empty_address_relayhost_maps_lookup_key (default; <>).
Keean Schupke. File: trivial-rewrite/resolve.c.
20071127-9
Revision 2 of queue manager scheduler interface, allowing
feedback parameter settings with constants and variables
such as 1/8 or 1/concurrency. Some experimental parameters
were removed and others were renamed. The new names are:
default_destination_concurrency_negative_feedback,
default_destination_concurrency_positive_feedback,
default_destination_concurrency_failed_cohort_limit,
destination_concurrency_feedback_debug.
Also available are transport-specific overrides:
<transport>_initial_destination_concurrency,
<transport>_destination_concurrency_negative_feedback,
<transport>_destination_concurrency_positive_feedback,
<transport>_destination_concurrency_failed_cohort_limit.
Files: global/mail_params.h, *qmgr/qmgr.c, *qmgr/qmgr_transport.c,
*qmgr/qmgr_queue.c, *qmgr/qmgr_feedback.c, postconf/auto.awk.
20071202
Feature: output rate control. For example, specify
"smtp_destination_rate_delay = 5m" to insert a five-minute
delay between deliveries. This was an opportunity to define
the mutually exclusive states that a queue can have, and
to detect invalid transitions. This will make adding new
features code easier. Files: *qmgr/qmgr_transport.c,
*qmgr/qmgr_queue.c, *qmgr/qmgr_entry.c.
Bugfix (introduced Postfix 2.2): don't update the back-to-back
delivery time stamp while deferring mail. File: *qmgr/qmgr_entry.c.
20071203
Feature: support for read-write tables in the proxymap
service. This is implemented with a separate master.cf entry
named "proxywrite" that should run with process limit of 1
if you want to update Berkeley DB like tables. This feature
requires that tables be authorized with the proxy_write_maps
configuration parameter. Files: global/dict_procy.[hc],
proxymap/proxymap.c.
Human factors: the postmap and postalias commands now produce
nicer diagnostics when asked to do something with a proxied
map that they can't do. Files: postmap/postmap.c,
postalias/postalias.c.
Bugfix: the proxymap client didn't properly propagate user
options to the proxymap server. File: util/dict.h.
Workaround: force synchronous updates in the proxymap server
so that maps will be in a consistent state between updates.
File: proxymap/proxymap.c.
Bugfix: an empty rate-limited queue wasn't removed after
timer expiry. Files: *qmgr/qmgr_queue.c.
20071204
Use different sockets for proxymap (read-only) and proxywrite
(read-write) services in the proxy: client. Victor Duchovni.
File: global/dict_proxy.c.
Feature: proxymap delete support by Victor Duchovni. Files:
global/dict_proxy.c, proxymap/proxymap.c.
Feature: proxymap delete support. Files: postmap/postmap.c
postalias/postalias.c.
Cleanup: the Postfix sendmail command did not include the
user (name/uid) information in all error messages. File:
sendmail/sendmail.c.
Feature: data_directory configuration parameter for
Postfix-writable data such as caches and random numbers.
Files: postfix-install, conf/postfix-files.
20071206
Security: tlsmgr(8) and verify(8) no longer use root
privileges when opening their cache files. This avoids a
potential security loophole where the ownership of a file
(or directory) does not match the trust level of the content
of that file (or directory). See RELEASE_NOTES for how to
use pre-existing data. Files: util/set_eugid.[hc],
tlsmgr/tlsmgr.c, verify/verify.c.
Compatibility: as a migration tool, redirect attempts by
tlsmgr(8) or verify(8) to open files in non-Postfix directories
to the Postfix-owned data_directory. File: global/data_redirect.c.
Lots of pathname fixes in the examples of TLS_README and
postconf(5); -lm library screw-up in queue manager Makefiles.
20071207
Cleanup: pathname fixes in documentation; unnecessary queue
scan in the queue manager rate limiter; inverse square root
feedback in the queue manager concurrency scheduler. Files:
mantools/postlink, proto/TLS_README.html, *qmgr/qmgr_queue.c.
All changes up to this point should be ready for Postfix 2.5.
Documentation: updated nqmgr preemptive scheduler documentation
by Patrik Rak. File: proto/SCHEDULER_README.html.
20071211
Bugfix (introduced 19980315): the "write" equivalent of
bugfix 20030104. File: util/vstream.c.
20071212
Feature: "stress=" or "stress=yes" attribute in the SMTPD
policy delegation protocol. File: smtp/smtpd_check.c.
Cleanup: allow_min_user now rejects recipients (and senders)
starting with '-' at SMTP session time. To make this possible
the feature was moved from qmgr(8) to trivial-rewrite(8).
Files: *qmgr/qmgr_message.c, trivial-rewrite/resolve.c.
20071213:
Cleanup: the queue manager and SMTP client now distinguish
between connection cache store and retrieve hints. Once the
queue manager enables connection caching (store and load)
hints on a per-destination queue, it keeps sending connection
cache retrieve hints to the delivery agent even after it
stops sending connection cache store hints. This prevents
the SMTP client from making a new connection without checking
the connection cache first. Victor Duchovni. Files:
*qmgr/qmgr_entry.c, smtp/smtp_connect.c.
Bugfix (introduced Postfix 2.3): the SMTP client never
marked corrupt files as corrupt. Victor Duchovni. File:
smtp/smtp_proto.c.
Cleanup: the SMTP client won't mark a destination as
unavailable when at least one SMTP session was completed
without connect or handshake error. Victor Duchovni. Files:
smtp/smtp_connect.c, smtp/smtp_session.c, smtp/smtp_proto.c,
smtp/smtp_trouble.c.
20071215
Documentation and code cleanup. Files: global/deliver_request.h,
*qmgr/qmgr_entry.c, smtp/smtp_connect.c,
proto/SCHEDULER_README.html.
Bugfix (introduced snapshot 20071006): qmqpd ignored the
qmqpd_client_port_logging parameter setting. File:
qmqpd/qmqpd.c.
20071216
Cleanup: show the remote SMTP server port in verbose logging,
warnings and postmaster notices. Still don't show the port
in delivery status notifications. Files: smtp/smtp_chat.c,
smtp/smtp_sasl_glue.c, smtp/smtp_sasl_proto.c.
The "tls_require_cert" is now compatible with OpenLDAP 2.1
and later. Victor Duchovni. Files: proto/ldap_table,
global/dict_ldap.c.
20071218
Cleanup: removed the "#ifdef USE_LIBMILTER_INCLUDES"
dependencies on system-installed Milter protocol include
files. Verified that the object code has not changed. File:
milter/milter8.c.
Sanity check: idiot filter to detect attempts to use the
same database file for different TLS session caches. File:
tlsmgr/tlsmgr.c.
Cleanup: updated the spell check stoplist and the spell
check script. Files: mantools/spell, proto/stop.
Cleanup: replaced documentation references to xxgdb by ddd.
The xxgdb program hasn't been updated in more than 10 years.
Files: proto/postconf.proto, conf/main.cf.
20071219-20
Feature: support for all new Sendmail 8.14 Milter features
except SMFIR_SKIP (skip further events of this type),
SMFIP_RCPT_REJ (report rejected recipients to the mail
filter), SMFIR_CHGFROM (replace sender, with optional ESMTP
command parameters), and SMFIR_ADDRCPT_PAR (add recipient,
with optional ESMTP command parameters). Files: milter/milters.c,
milter/milter8.c, milter/test-milter.c, cleanup/cleanup_milter.c.
20071221
Feature: support for Sendmail 8.14 Milter SMFIR_SKIP (skip
further events of this type). Files: milter/milter8.c,
milter/test-milter.c.
Cleanup: don't try sending HELO after a 421 EHLO reply.
File: smtp/smtp_proto.c.
20071221-nonprod
Using 20071221 as reference point.
Cleanup: Simplified TLS library cipher and protocol API to
just pass string-valued properties to tls_client_init() and
tls_client_start(). The client is now agnostic of the
mechanics of cipher management internal to the library. The
main.cf parameters used internally in the library are now
loaded by the library, not the caller. Files:
src/smtp/lmtp_params.c, src/smtp/smtp.c, src/smtp/smtp.h,
src/smtp/smtp_params.c, src/smtp/smtp_proto.c,
src/smtp/smtp_session.c, src/smtpd/smtpd.c, src/tls/tls.h,
src/tls/tls_client.c, src/tls/tls_level.c, src/tls/tls_misc.c,
src/tls/tls_server.c, src/tls/tls_session.c, src/tls/tls_verify.c
and src/tlsmgr/tlsmgr.c
Cleanup: Client session lookup key "salting" is now handled
internally in the tls library. Files: src/tls/tls_client.c
Cleanup: Cipher state is cached, and only updated when
necessary. Files: src/tls/tls_misc.c
Feature: Extended the syntax of protocol selection to allow
exclusions as well as inclusions. Files: src/tls/tls_misc.c
Cleanup: Updated default verification depth to match reality:
default is 9 in OpenSSL and we don't yet override it. When
we do (soon), the default will match previous behavior.
Files: src/global/mail_params.h
Bugfix: Reference to obsolete "pfixtls" code won't compile
inside #ifdef for OpenSSL <= 0.9.5a. Using an OpenSSL release
that old has not been tested for some time, but may now
work. Files: src/tls/tls_bio_ops.c.
Replaced "void *" TLS library application handles by explicit
pointer types, while hiding data structure implementation
details from the TLS library users. Files: tls/tls_client.c,
tls/tls_server.c, smtp/smtp.c, smtpd/smtpd.c.
The TLS library no longer modifies VSTRINGs passed in by
the caller. Where possible, information is passed as "const"
from application to library. Files: smtp/smtp_proto.c,
tls/tls_client.c.
20071227-nonprod
Replaced explicit initialization of props structures by
emulating function calls with named parameter lists. Files:
tls/tls.h, smtp/smtp.c, smtp/smtp_proto.c, smtpd/smtpd.c.
20071222
Further polishing of the Milter code and logging. File:
milter/milter8.c.
20071123
Further polishing of the Milter code. With SETSYMLIST, each
Milter can now update its own macros instead of clobbering
the global copy that is shared with other Milters. Also an
opportunity to clean up some ad-hoc code for sending macro
lists from smtpd(8) to cleanup(8). Files: milter/milter.c,
milter/milter8.c, milter/milter_macros.c.
20071224
Further polishing of the Milter code. Eliminated unnecessary
steps from the initial smtpd/cleanup Milter handshake. Files:
milter/milter.c, milter/milter8.c, milter/milter_macros.c.
Cleanup: name_code(3) and name_mask(3) now support read-only
tables. Files: util/name_code.[hc], util/name_mask.[hc].
20071227
Cleanup: further refinements of the Milter code, allowing
for multiple macro overrides. The code is now ready for
serious testing. File: milter/milter8.c.
20071229
Bugfix: the Milter client did not replace the Postfix-specific
form for unknown host names by the Sendmail-specific form.
File: milter/milter8.c.
Cleanup: when a cleanup milter reports a problem don't log
generic "4.3.0 Sevice unavailable", but log the text for
the actual error. File: cleanup/cleanup_milter.c.
20080102-nonprod
SMTP client fingerprint security level support and configurable
fingerprint digest algorithm. Victor Duchovni. Files:
smtp/lmtp_params.c, smtp/smtp.c, smtp/smtp.h,
src/smtp/smtp_params.c, src/smtp/smtp_proto.c,
src/smtp/smtp_session.c, tls/tls_client.c, tls/tls_level.c,
tls/tls_verify.c.
20080103-nonprod
Missed "invalid TLS configuration" patch for SMTP client.
Victor Duchovni. File: smtp/smtp_proto.c.
SMTP server configurable fingerprint digest algorithm.
Victor Duchovni. Files: smtpd/smtpd.c, tls/tls.h,
tls/tls_server.c, tls/tls_verify.c.
20080104-nonprod
Cleanup: finally implemented certificate verification depth
limit parameters. Prior to Postfix 2.5 these were ignored.
For backwards compatibility, the default verification depth
limit is now 9, the OpenSSL default. Victor Duchovni. Files:
src/tls/tls_client.c, src/tls/tls_server.c, src/tls/tls_verify.c.
Robustness: Avoid possibility of NULL pointer issues in
application code that checks certificate names, by providing
"empty string" values when no data is available. Victor
Duchovni. Files: src/tls/tls_verify.c, src/tls/tls_client.c,
src/tls/tls_server.c, src/smtpd/smtpd_check.c, src/smtpd/smtpd.c.
Cleanup: separation of TLS handshake from security level
enforcement. The library shakes hands; the application
decides if the resulting security is acceptable. Victor
Duchovni. Files: smtpd/smtpd.c, smtpd/smtpd_proto.c,
tls/tls_server.c, tls/tls_client.c, tls/tls_verify.c.
Robustness: more robust processing of ASN.1 string attributes
in x509v3 certificates, plus additional sanity checks (e.g.
embedded null characters). Victor Duchovni. File:
src/tls/tls_verify.c.
20080104
Workaround: minor change to the Dovecot AUTH request to
prevent dovecot-auth memory wastage. Timo Sirainen. File:
xsasl/xsasl_dovecot_server.c.
20080105-nonprod
Cleanup: renamed TLS-related symbols for consistency (always
include the init, start, stop prefix in the TLS library
function and data structure names; consistently distinguish
between per-application TLS state and per-session TLS state;
consistently use the fpt prefix for fingerprint related
variables and structure members; consistent use of monocase
typedef-ed names).
20080106-nonprod
Cleanup: consistent use of <pre> and <blockquote> in examples;
instead of emphasizing new Postfix 2.5 behavior in reference
documentation, describe the new behavior as "current", with
historical behavior as a supplemental note.
20080107
Feature: new "pass" service type (in addition to "inet",
"unix" and "fifo"). The "pass" service type supports
front-end daemons that accept all inbound connections and
that permit only well-behaved clients to talk to the MTA.
This service type had been sitting in the master daemon for
years but was disabled by default. Actual applications for
this will have to be developed later. Files: util/upass_connect.c,
util/upass_trigger.c.
20080108
Cleanup: where possible, store data structures in read-only
memory. Besides the security advantage of no write access,
this also gives slightly better memory utilization when
many processes execute the same file. Files: pretty much
everything that has a static table, except for a few tables
in the benchmark tools with flags that are controlled by
command-line information.
20080109
Cleanup: more read-only data. Files: everything that passes
around a HEADER_OPTS pointer.
20080112
Safety: optional lookup table to prevent the Postfix SMTP
client from making repeated SASL login failures with the
same hostname, username and password. This introduces new
parameters: smtp_sasl_auth_cache_name, smtp_sasl_auth_cache_time.
Based on code by Keean Schupke. Files: smtp/smtp_sasl_glue.c,
smtp/smtp_sasl_auth_cache.c.
Safety: the Postfix SMTP client now by default defers mail
after the server rejects a SASL login attempt with a 535
status code. Specify "smtp_sasl_auth_soft_bounce = no" to
get the earlier behavior. Based on code by Keean Schupke.
Files: smtp/smtp_sasl_glue.c.
20080114
Safety: the smtpd_client_new_tls_session_rate_limit setting
now also limits the number of failed TLS handshakes. This
limits the impact of broken configurations. File: smtpd/smtpd.c.
20080115
Bugfix (introduced 20080112): Patrik Rak found two bugs
that largely canceled each other out, causing Postfix not
to complain about a missing "proxy:" prefix with the new
smtp_sasl_auth_cache_name parameter setting. File:
smtp/smtp_sasl_glue.c.
Documentation: new SOHO_README file for small/home offices.
The text is automatically generated from bits and pieces of
information that are scattered across other documents.
File: mantools/make_soho_readme.
20080116
Bugfix (introduced 20080112): missing #ifdef for the SASL
login failure cache. File: smtp/smtp_sasl_auth_cache.h.
20080123
Name fix: renamed the mumble_delivery_rate_delay parameter
to mumble_destination_rate_delay, because it really is a
per-destination feature. With this change we keep the option
of implementing a future per-transport rate delay.
20080125
Bugfix (introduced 20071216): missing {} in the LDAP client
broke OpenLDAP TLS. The setting tls_require_cert=no was
further broken because Postfix used OpenLDAP incorrectly.
Victor Duchovni. This broke tls_require_cert=no File:
global/dict_ldap.c.
20080126
Cleanup: the post-install script now requires that it is
invoked via the postfix(1) command. This was the intended
use since Postfix 2.1, but it was never enforced. The
documentation for package maintainers has been updated
accordingly. File: conf/post-install.
20080130
Bugfix (introduced 20071204): wrong proxywrite process limit
in the default master.cf file. File: conf/master.cf.
20080131
Bugfix (introduced 20080126): the new "do not execute
directly" test in post-install got broken during code
cleanup. File: conf/post-install.
20080201
Workaround: undo the changes that require that post-install
is invoked via the postfix command, because this breaks
when "postfix start" is invoked with an obsolete postfix
command that doesn't export the new data_directory parameter.
Workaround: pick up a missing data_directory setting from
main.cf when "postfix start" is invoked with an obsolete
postfix command. File: conf/post-install.
20080207
Cleanup: soft_bounce support for multi-line Milter replies.
File: src/milter/milter8.c.
Cleanup: preserve multi-line format of header/body Milter
replies. Files: cleanup/cleanup_milter.c, smtpd/smtpd.c.
Cleanup: multi-line support in SMTP server replies. File:
smtpd/smtpd_chat.c.
SAFETY: postfix-script, postfix-files and post-install are
moved away from /etc/postfix to $daemon_directory. There
were too many accidents where people clobbered these files
with versions from an older Postfix release and ended up
with an unusable Postfix setup. Files: postfix-install,
Makefile.in, postfix/postfix.c, conf/postfix-files,
conf/postfix-script, conf/post-install.
20080212
Feature: check_reverse_client_hostname_access, to make
access decisions based on the unverified client hostname.
For safety reasons an OK result is not allowed. Noel Jones.
Files: smtpd/smtpd_check.c plus header files and documentation.
20080215
Safety: break SASL loop in case both the SASL library and
the remote SMTP server are confused. File: smtp/smtp_sasl_glue.c.
20080220
Safety: the master daemon now sets an exclusive lock on a
file $data_directory/master.lock, so that the data directory
can't be shared between multiple Postfix instances. This
would corrupt files that rely on single-writer updates
(examples: verify(8) cache, tlsmgr(8) caches, etc.). File:
master/master.c.
20080226
Cleanup: the postfix command did not set argv[0] to a sane
value when invoking postfix-script. Reported by Victor
Duchovni. File: postfix/postfix.c.
20080228
Bugfix: bounce(8) segfault on one-line template text.
Problem found by Sacha Chlytor. File: bounce/bounce_template.c.
20080310
Safety: the SMTP server's Dovecot authentication client now
enforces the SASL mechanism output filter also on client
command input. File: src/xsasl/xsasl_dovecot_server.c.
20080311
Bugfix (introduced 20070811): the MAIL and RCPT Milter
application call-backs no longer received {mail_addr} or
{rcpt_addr} information. Problem reported by Anton Yuzhaninov.
File: smtpd/smtpd.c.
Bugfix (introduced 20080207): "cleanup -v" panic because
the new "SMTP reply" request flag did not have a printable
name. File: global/cleanup_strflags.c.
20080318
Human factors: the PCRE and regexp maps now give more
comprehensible error messages when people make the common
mistake of indenting if/endif blocks. Files: util/dict_pcre.c,
util/dict_regexp.c.
20080324
Cleanup: the event_drain() function is now a proper event
processing loop. File: util/events.c
Feature: when the "postmap -q -" command reads lookup keys
from standard input, it now understands RFC822 and MIME
message format. Specify -h or -b to use headers or body
lines as lookup keys, and specify -hm or -bm to simulate
header_checks or body_checks. The postmap -h option (without
-m) will be compatible with a future postcat -h option.
File: postmap/postmap.c.
20080411
Bugfix (introduced Postfix 2.0): after "warn_if_reject
reject_unlisted_recipient/sender", the SMTP server mistakenly
remembered that recipient/sender validation was already
done. File: smtpd/smtpd_check.c.
Bugfix (introduced Postfix 2.3): the queue manager would
initialize missing client logging attributes (from xforward)
with real client attributes. Fix: enable this backwards
compatibility feature only with queue files that don't
contain logging attributes. Problem reported by Liviu Daia.
Files *qmgr/qmgr_message.c.
20080424
Cleanup: some warning messages said "regexp" or "regexp
map" instead of "pcre map". File: util/dict_pcre.c.
20080426
Feature: finer control over address verification error
handling and amount of information disclosed in the SMTP
reject message. Parameters: unverified_recipient_defer_code,
unverified_recipient_reject_reason, unverified_sender_defer_code,
unverified_sender_reject_reason. If I don't do this properly,
then someone will do it anyway. File: src/smtpd/smtpd_check.c.
20080428
Cleanup: the proxy_read_maps (Postfix 2.0) default setting
was not updated when adding sender/recipient_bcc_maps
(Postfix 2.1) and smtp/lmtp_generic_maps (Postfix 2.3).
File: global/mail_params.h.
Cleanup: the SMTP server's XFORWARD and XCLIENT support was
not updated when the smtpd_client_port_logging configuration
parameter was added. Code by Victor Duchovni. Files:
smtpd/smtpd.c, smtpd/smtpd_peer.c.
20080508
Cleanup: delivery status notifications now prepend a
Return-Path: message header to the returned message.
File: bounce/bounce_notify_util.c.
20080509
Bugfix: null-terminate CN comment string after sanitization.
File: smtpd/smtpd.c.
20080510
Cleanup: when extracting peer and issuer common name from
TLS certificates, convert the result into UTF-8, and use
RFC 2047 encoding when logging these as Received: header
comment fields. Based remotely on code by Victor Duchovni.
Files: smtpd/smtpd.c, tls/tls_verify.c.
20080511
Cleanup: the RFC 2047 encoding of RFC*822 comments is too
problematic. The text that explains the problems is as
long as the code itself. That is usually a good indication
that code is not ready for use. File: smtpd/smtpd.c.
Cleanup: block non-printable ASCII text in UTF8 encoded TLS
peer and issuer common names. File: tls/tls_verify.c.
20080602
Workaround: avoid watchdog timeout in the local pickup
daemon when the cleanup server expands a very large virtual
alias list. Files: master/trigger_server.c, pickup/pickup.c.
20080603
Workaround: avoid "bad address pattern" errors with non-address
patterns in namadr_list_match() calls. File: util/match_ops.c.
Feature: print fsstone elapsed time with sub-second time
resolution. Kenji Kikuchi. File: fsstone/fsstone.c.
20080606
Bitrot: "make test" was broken due to recent changes in
code and due to recent changes at mail-abuse.org.
20080618
Add a note to SMTP session transcript email messages that
other details may be found in the maillog file. Files:
smtpd/smtpd_chat.c, smtp/smtp_chat.c.
20080620
Cleanup: with the "Before-queue content filter", RFC3848
information was not added to the headers. Carlos Velasco.
File smtpd/smtpd.c.
20080621
Cleanup: include unread byte count in the SMTP server's "lost
connection after DATA (xx bytes)" logging. Files: smtpd/smtpd.c.
20080629
Bugfix (introduced Postfix 2.2): multiple inconsistencies
in SASL support after introduction of TLS. The Postfix
SMTP server 1) complained about plain-text SASL configuration
details when SASL was forbidden for plain-text sessions,
and 2) ignored the smtpd_tls_auth_only parameter setting
when built without TLS support. Files: smtpd/smtpd.c,
smtpd/smtpd_check.c, smtpd/smtpd_sasl_glue.[hc],
smtpd/smtpd_state.c.
Some clarification about recipient address versus domain,
and recipients per message versus session. File:
proto/postconf.proto.
The description of SASL authentication attributes was
garbled. File: pipe/pipe.c.
Information: the master(8) server now logs the version
besides the configuration directory upon "postfix reload".
File: master/master.c.
20080717
Cleanup: a poorly-implemented integer overflow check for
TCP MSS calculation had the unexpected effect that people
broke Postfix on LP64 systems while attempting to silence
a compiler warning. File: util/vstream_tweak.c.
20080721
The cleanup server now rejects undisclosed_recipients_header
parameter values with invalid message header syntax.
File: cleanup/cleanup_message.c.
20080725
Paranoia: defer delivery when a mailbox file is not owned
by the recipient. Sebastian Krahmer, SuSE. Files:
local/mailbox.c, virtual/mailbox.c.
20080804
Bugfix: dangling pointer in vstring_sprintf_prepend().
File: util/vstring.c.
20080814
Security: some systems have changed their link() semantics,
and will hardlink a symlink, contrary to POSIX and XPG4.
Sebastian Krahmer, SuSE. File: util/safe_open.c.
The solution introduces the following incompatible change:
when the target of mail delivery is a symlink, the parent
directory of that symlink must now be writable by root only
(in addition to the already existing requirement that the
symlink itself is owned by root). This change will break
legitimate configurations that deliver mail to a symbolic
link in a directory with less restrictive permissions.
20080815
Feature: the milter_default_action parameter now accepts
the "quarantine" action. This works like "accept" but also
freezes the mail in the "hold" queue. File: milter/milter8.c.
Robustness: transition from setjmp()/longjmp() to the signal
mask saving/restoring versions sigsetjmp()/siglongjmp().
These functions have been around for 15 years, but they
have had bugs on supported platforms, so makedefs tests for
them. Files: makedefs, util/sys_defs.h, util/vstream.h.
20080822
Cleanup: the proxymap_service_name and proxywrite_service_name
parameters make the proxymap service names configurable.
This paves the way for a future option where the proxymap
services are accessible via TCP so that they can be shared
among multiple Postfix hosts. File: global/dict_proxy.c.
Feature: MacOS X support for kqueue style event handling,
with workaround for broken MacOS X versions. Files:
util/sys_defs.h, makedefs.
Cleanup: the makedefs script now keeps its test programs
in a directory makedefs.d, instead of inlining them as
fragile "here documents". Files: makedefs, makedefs.d/*.
20080823
Feature: IPv6 dns blocklist lookup. File: smtpd/smtpd_check.c.
20080824
Cleanup: untangled the MacOS X version dependent sections
in the makedefs script, to make future updates easier. File:
makedefs.
Cleanup: don't log multiple Milter "hold" actions for the
same email message. File: cleanup/cleanup_milter.c.
20080826
Cleanup: moving test programs from makedefs into a makedefs.d
directory brought more pain than gain.
Cleanup: untangled the Linux version dependent sections in
the makedefs script, to make future updates easier. File:
makedefs.
Documentation: MacOS process limit configuration by Quanah
Gibson-Mount. File: proto/TUNING_README.html.
Feature: smtp-sink -M option to terminate after receiving
a specified number of messages. Laurent Gentil. File:
smtpstone/smtp-sink.c.
Bugfix (introduced Postfix 2.4): epoll file descriptor leak.
With Postfix >= 2.4 on Linux >= 2.6, Postfix has an epoll
file descriptor leak when it executes non-Postfix commands
in, for example, user-controlled $HOME/.forward files. A
local user can access a leaked epoll file descriptor to
implement a denial of service attack on Postfix. Data
confidentiality and integrity are not affected. File:
util/events.c.
20080903
Don't enable kqueue (which requires poll) support on
MacOS X. File: makedefs.
Cleanup: remove obsolete Rhapsody and MacOS targets from
makedefs.
20080929
Workaround: don't log "file has 2 links" warnings when the
condition appears to be temporary. As kernels have evolved
from non-interruptible system calls towards fine-grained
locks, the showq command has become likely to observe a
file while the queue manager is in the middle of a rename
operation, when the file has links to both the old and new
name. File: global/mail_open_ok.c.
Workaround: don't loop forever when write() fails with a
persistent EAGAIN error on a writable file descriptor.
File: util/write_buf.c.
20081003
Bugfix (introduced Postfix 2.1): when XFORWARD support was
introduced with Postfix 2.1, the specification failed to
clearly distinguish between missing and non-existent client
information. This ambiguity affected the implementation:
in $name expansions by delivery agents, unknown client
hostnames could became empty strings (as if a submission
was local), and local submissions could appear to originate
from an SMTP-based content filter. This was fixed with a
a minor semantic change to the XFORWARD protocol. Files:
smtpd/smtpd.c, qmqpd/qmqpd.c, smtp/smtp_proto.c,
cleanup/cleanup_envelope.c, proto/XFORWARD.html. Note: the
changes to propagate local submission details were undone
20082012.
Feature: a DUNNO lookup result in per_sender_relayhost_maps
stops the search without replacing the next-hop destination.
File: trivial-rewrite/resolve.c.
20081005
Bugfix: further refinements to the handling of missing or
non-existent remote client attributes. Files: smtpd/smtpd.c,
smtpd/smtpd.h.
Documentation: the XFORWARD specification of the ADDR
attribute did not agree with the actual on-the-wire protocol.
Since we can't change already existing deployments, the
spec has been updated. File: proto/XFORWARD_README.html.
20081006
Bugfix: further refinements to the handling of remote client
attributes. Introduced a dummy "we have forwarded client
info" record, to eliminate the need for the backwards
incompatible queue file change that was introduced 20081003.
Files: smtpd/smtpd.c, cleanup/cleanup_envelope.c,
*qmgr/qmgr_message.c.
Security: hardened the proxymap client, in case it ever
ends up in a set-gid program. File: global/dict_proxy.c.
20081007
Workaround: undo the proxymap client change. It broke
chrooted servers when they attempted to reconnect to the
proxy read/write service. File: global/dict_proxy.c.
20081008
Safety: added checks that $queue_directory/pid is owned by
root, and that $queue_directory/saved is owned by $mail_owner.
File: conf/postfix-script.
20081010
Feature: controls for opportunistic TLS protocols and
ciphers. The smtp_tls_protocols, smtp_tls_ciphers, and
equivalent parameters for lmtp and smtpd provide global
settings; the SMTP client TLS policy table provides ciphers
and protocols settings for specific peers. Code by Victor
Duchovni. Files: smtp/smtp.c, smtp/smtp_session.c, smtpd/smtpd.c
and documentation.
20081012
Cleanup: simplify the 20081003 changes and don't try to
propagate local submission information through XFORWARD.
Files: smtpd/smtpd.c, qmqpd/qmqpd.c, smtp/smtp_proto.c,
cleanup/cleanup_envelope.c, proto/XFORWARD.html.
20081015
Bugfix: GLIBC API version detection. Rob Foehl. File:
util/sys_defs.h.
20081022
Documentation: removed inapplicable daemon_timeout reference
from qmgr(8), oqmgr(8), pickup(8). These daemons need to
use a much shorter watchdog timer.
20081108
Feature: smtp_sasl_tls_verified_security_options is no
longer #ifdef SNAPSHOT.
Feature: elliptic curve support. This requires OpenSSL
version 0.9.9 or later. Victor Duchovni. Files: TLS_README,
smtpd/smtpd.c, smtp/smtp.c, tls/tls_dh.c, tls/tls_certkey.c,
tls/tls_server.c, tls/tls_client.c, tls/tls.h, tls/tls_misc.c.
Bugfix (introduced Postfix 2.5): the Postfix SMTP server
did not ask for a client certificate with "smtpd_tls_req_ccert
= yes". Reported by Rob Foehl. File: smtpd/smtpd.c.
20081109
Cleanup: confusing names of variables. File: smtpd/smtpd.c.
20081126
Documentation: pcre_table(5) incorrectly claimed that the
'x' flag supports #comment after text. File: proto/pcre_table.
20081202
Cleanup: vstream_bufstat() provides a more systematic
approach to get information about VSTREAM buffers. The
vstream_peek() function is now a backwards compatibility
wrapper. Files: util/vstream.[hc].
Cleanup: the SMTP server should warn about "lost connection
after QUIT" only when the "." reply was pipelined together
with the "QUIT" reply. File: smtpd/smtpd.c.
Cleanup: the SMTP client's code was duplicating buffer
management that was already done in the VSTREAM module.
File: smtp/smtp_proto.c.
20081203
Cleanup: adjust the VSTREAM buffer strategy when reusing
an SMTP connection with a large TCP MSS value. File:
smtp/smtp_reuse.c.
20081204
Cleanup: state the SMTP client PIPELINING implementation's
dependency on monotonic VSTREAM buffer size behavior, and
add some checks for boundary cases with VSTREAM buffer size
change requests. Files: util/vstream.c, smtp/smtp_proto.c.
20081205
Fix 20081202 flush code. Victor Duchovni. File: smtpd/smtpd.c.
Safety: add another check to "postfix check", in this case
for group or other writable queue_directory. File:
conf/postfix-script.
20081217
Debugging: ad-hoc code to log the TLS error stack after
VSTREAM read/write error. File: tls/tls_bio_ops.c. In a
better implementation, each I/O "object" would provide an
optional error reporting method (besides timed_read and
timed_write) that could be queried via the vstream module.
20081222
Documentation: log the "*" pattern as the last transport
map lookup. File: proto/transport.
20090103
Documentation: rewrote NFS_README, to clarify the support
status of Postfix and NFS, and to describe the NFS workarounds
that Postfix actually implements.
20090106
Feature: "postconf -# parametername ..." to comment out
named parameter entries. Victor Duchovni. File:
postconf/postconf.c.
20090107
Library: edit_file(3) module for cooperative editing of a
file. Inspired by the postconf command, this creates a new
version under a deterministic temporary name and renames
it into place. The implementation uses an open/lock/stat
protocol before updating the new file, and rename/unlock/close
afterwards. Based on pieces of code by Victor Duchovni,
with minor improvements by Wietse. Files: util/edit_file.[hc].
Cleanup: the postconf command now uses the edit_file(3)
module to manage collisions when multiple processes attempt
to update the main.cf file.
20090108
Feature: master_service_disable parameter (default: empty)
to easily turn off/on master.cf services by type or by name
and type. For example, to turn off the main SMTP listener
use "master_service_disable = smtp.inet", and to turn off
all TCP/IP listeners use "master_service_disable = inet".
This immediately terminates all processes that provide the
specified services. The master_service_disable feature does
not distinguish services by their privacy property; some
day, clients will not need to specify that anymore. Files:
global/mail_params.h, master/master.c, master/master_vars.c,
master/master_ent.c.
Bugfix (introduced May 19, 1997): removing a parameter
setting from main.cf did not reset the parameter to its
default value. This was a problem only in the master daemon.
File: global/mail_conf.c, master/master_vars.c.
20090109
Cleanup: "defer" action in access maps, and a corresponding
access_map_defer_code parameter. No idea what was behind
this omission. Files: global/mail_params.h, smtpd/smtpd.c,
smtpd/smtpd_check.c, proto/access.
Workaround: specify "tcp_windowsize = 65535" (or less) to
work around broken TCP window scaling implementations. This
is perhaps easier than collecting tcpdump output and tuning
kernel parameters by hand. See RELEASE_NOTES for how to
change this setting without stopping Postfix. Files:
util/inet_connect.c, inet_listen.c, global/mail_params.[hc].
20090110
Cleanup: create separate code modules for TCP window size
handling, master.cf service name matching, and main.cf
change monitoring. Files: util/inet_windowsize.c,
global/match_service.c, master/master_watch.c.
Feature: TCP window size override for the Postfix SMTP/LMTP
client, and for the smtp-source and smtp-sink test programs.
Files: smtp/smtp_connect.c, smtpstone/smtp-source.c,
smtpstone/smtp-sink.c.
20090114
Bugfix: VERP now uses the Postfix original recipient, if
available, because that is what the VERP consumer expects.
Files: *qmgr/qmgr_deliver.c, bounce/bounce_notify_verp.c.
Safety: extra check for broken third-party patches that
allow file size limit < message size limit. This can cause
mail to be stuck in the queue forever.
Invisible change, in preparation for multi-instance support.
Except for main.cf and master.cf, all files are optional
for non-default Postfix configuration directories. File:
conf/postfix-files.
20090115
Cleanup: rewrote the 20090114 VERP bugfix, to replace code
that "works" by code that is "right". Files: *qmgr/qmgr_deliver.c,
bounce/bounce_notify_verp.c, global/verp_sender.c.
20090118
Documentation: some URLs to enable/disable client-side TLS
jumped into the middle of an enumeration. File:
proto/TLS_README.html.
20090119-21
Feature: multi-instance manager plug-in API. A sample
multi-instance manager with instructions is available as
$daemon_directory/postfix-wrapper. The plug-in API itself
is described in postfix-wrapper(5). Files: postfix/postfix.c,
global/mail_params.[hc], proto/postfix-wrapper,
conf/postfix-wrapper, conf/postfix-script, conf/postfix-files.
Support to check/update shared files only in the context
of the default Postfix instance. Files: conf/post-install,
conf/postfix-script.
20090122
Refinements: the multi-instance manager always replaces
"start" by "check" when a Postfix instance is multi-instance
disabled, so that problems will still be reported; polish
documentation; delete unnecessary multi_instance_order
parameter. Files: conf/postfix-wrapper, proto/postfix-wrapper,
global/mail_params.[hc] and documentation.
Bugfix: the data_directory was not automatically created!
File: conf/postfix-files.
20090123
More little fixes in the "trivial but useful" postfix-wrapper
including instructions. It's ready for testing in the field.
File: conf/postfix-wrapper.
20090125
Documentation: more precise description of multi-instance
manager API, and minor edits of the example program. Files:
conf/postfix-wrapper, proto/postfix-wrapper.
20090208
Cleanup: enable multi-instance shared-file logic only when
the instance is listed in multi_instance_directories. Files:
conf/post-install, conf/postfix-script.
20090210
Feature: specify "reject_tempfail_action = defer" to
immediately defer a remote SMTP client request after a
reject-type restriction fails with a temporary error. Based
on code by Rob Foehl. File: smtpd/smtpd_check.c.
Feature: finer control of reject_tempfail_action with
unknown_address_tempfail_action, unverified_sender_tempfail_action
unverified_recipient_tempfail_action, and
unknown_helo_hostname_tempfail_action. See documentation
for details. File: smtpd/smtpd_check.c.
20090211
Workaround: pass the SMTP server socket's local and remote
peer address information to the Dovecot authentication server.
This is incomplete code: it ignores XCLIENT server address
overrides. File: xsasl/xsasl_dovecot_server.c.
20090212
Testing revealed that with mumble_tempfail_action=defer,
the "defer" action was ignored. Cause: the DEFER_IF_PERMIT[0-9]
macros lost the SMTPD_CHECK_REJECT result value. File:
smtpd/smtpd_check.c.
Feature: stress-dependent smtpd_timeout (normal: 300s,
overload: 10s), smtpd_hard_error_limit (normal: 20, overload:
1) and smtpd_junk_command_limit (normal: 100, overload: 1).
Files: global/mail_params.h, global/mail_conf_nint.c,
master/*_server.c, smtpd/smtpd.c.
20090213
Fine tuning: don't enforce smtpd_junk_command_limit for
XCLIENT and XFORWARD commands. These commands can be issued
only by authorized clients. File: src/smtpd/smtpd.c.
20090215
Feature: the Postfix SMTP server hangs up after replying
with "521". This makes overload handling more effective.
See also RFC 1846. File: smtpd/smtpd.c.
Feature: postmulti mult-instance manager command, very
lightly tested. The MULTI_INSTANCE_README still needs to
be proofread. Originally by Victor Duchovni. Files:
src/postmulti/*, proto/MULTI_INSTANCE_README.html,
conf/postmulti-script.
20090216-24
Cleanup: assorted code cleanups in postmulti. File:
src/postmulti/postmulti.c.
20090223
Cleanup: multiple instances of the same global. Files:
util/inet_windowsize.c, util/inet_listen.c.
20090228
Cleanup: the Postfix SMTP server now maintains a per-session
"improper command pipelining detected" flag. This flag can
be tested at any time with reject_unauth_pipelining, and
is raised whenever a client command is followed by unexpected
commands or message content. Files: smtpd/smtpd.c,
smtpd/smtpd_check.c.
Logging: the Postfix SMTP server now logs the first command
pipelining transgression as "improper command pipelining
after <command> from <hostname>[<hostaddress>]".
Cleanup: after DATA command failure, log "(approximately
XX bytes)" only if Postfix actually accepted the DATA
command. File: smtpd/smtpd.c.
20090303
Cleanup: word smithing of "sendmail -bv" probe message.
File: sendmail/sendmail.c.
Cleanup: OpenLDAP now provides a sane solution for conflicts
with PAM ldap-over-tls. Victor Duchovni. File: global/dict_ldap.c.
20090304
Cleanup: skip over suspended or throttled queues while
looking for delivery requests. File: *qmgr/qmgr_transport.c.
20090305
Bugfix: in the "new queue manager", the _destination_rate_delay
code needed to postpone the job scheduler updates after
delivery completion, otherwise the scheduler could loop on
blocked jobs. Victor & Wietse. File: qmgr/qmgr_entry.c,
qmgr/qmgr_queue.c, qmgr/qmgr_job.c.
Cleanup: report a "queue file write error", instead of
passing though bogus 2xx replies from proxy filters to SMTP
clients. File: smtpd/smtpd_proxy.c.
20090307
Cleanup: with "lmtp_assume_final = yes", the Postfix LMTP
delivery agent assumes that delivery is final when talking
to an LMTP server that announces no DSN support. Otherwise,
the Postfix LMTP delivery agent assumes that delivery is
"relayed", to maintain compatibility with simple LMTP-based
content filters. Based on code by Michel Sebastien, ATOS
Origin. File: smtp/smtp_rcpt.c.
20090310
Bugfix: Postfix used mumble_concurrency_failed_cohort_limit
instead of mumble_destination_concurrency_failed_cohort_limit
as documented. File: global/mail_params.h.
20090330
Cleanup: add (Resent-) From:, Date:, Message-ID: or To:
headers only when clients match $local_header_rewrite_clients.
Specify "always_add_missing_headers = yes" for backwards
compatibility. Adding such headers to remote mail can break
DKIM signatures that cover headers that are not present.
File: cleanup/cleanup_message.c.
20090415
Workaround: to avoid unnecessary "fatal" delivery agent
exits, delivery agents retry getting a shared lock on a
queue file. This is necessary since the queue manager's
behavior was changed years ago to refill the in-memory
recipient list before it was completely empty. File:
global/deliver_request.c.
Documentation: updated STRESS_README.
20090416
Workaround: some AWK implementations have a limit of 10
output files and lack a working close() function. It is too
much trouble to find out what systems have this limitation,
and where, if any, such systems store their XPG4-compatible
AWK program. So instead we generate a stream of here
documents and let the shell split the stream into files.
File: postconf/extract.awk.
Documentation: clarification of certificate file usage.
Victor Duchovni. Files: proto/postconf.proto,
proto/TLS_README.html.
Feature: pass a "TLS is active" flag to the server-side
SASL support. Based on code by Timo Sirainen, except that
the implementation uses an extensible API so that it will
be less painful to add more attributes in future Postfix
versions. Files: xsasl/xsasl.h, xsasl/xsasl_*server.c,
smtpd/smtpd_sasl_glue.c.
20090417
Documentation: re-generate READMEs and manpages for updated
hyperlinks.
Documentation: missing hyperlinks and missing parameters
in manpages. File: mantools/postlink, mantools/check-postlink.
20090418
Cleanup: use the extensible API to pass SMTP client address
information to the dovecot SASL plugin, and prepare for
passing server address information. Files: xsasl/xsasl.h,
xsasl/xsasl_dovecot_server.c, smtpd/smtpd_sasl_glue.c.
Same extensible API transformation for the SASL client-side
code to make future extensions less painful. Files:
xsasl/xsasl.h, xsasl/xsasl*client.c, smtp/smtp_sasl_glue.c.
More postlink fixes. File: mantools/postlink.
20090419
Bugfix: don't re-enable SIGHUP if it is ignored in the
parent. This may cause random "Postfix integrity check
failed" errors at boot time (POSIX SIGHUP death), causing
Postfix not to start. We duplicate code from postdrop and
thus avoid past mistakes. File: postsuper/postsuper.c.
Robustness: don't re-enable SIGTERM if it is ignored in the
parent. Files: postsuper/postsuper.c, postdrop/postdrop.c.
20090422
Undo delivery agent change 20090415. The queue manager never
locks a queue file to read additional recipients into memory,
so if a delivery agent runs into a locked file, then something
is seriously wrong. File: global/deliver_request.c.
20090424
Compatibility: the Postfix SMTP client no longer uses the
obsolete SSLv2 by default for opportunistic encryption.
This has nothing to do with security (we're willing to send
plaintext over an unauthenticated connection) but with the
loss of advanced options that give better performance.
Victor Duchovni. Files: proto/postconf.proto, global/mail_params.h.
20090426
Feature: more accurate support for Milter macros {mail_addr}
and {rcpt_addr}, and new support for Milter macros {mail_host},
{mail_mailer}, {rcpt_host}, and {rcpt_mailer}. Files:
milter/milter.[hc], smtpd/smtpd.[hc], smtpd/smtpd_milter.c,
smtpd/smtpd_resolve.c.
Feature: support to report rejected recipients to Milters
(SMFIP_RCPT_REJ). Postfix reports the event as decribed in
Sendmail 8.14.0 documentation: {rcpt_mailer} = "error",
{rcpt_host} = enhanced status code (e.g., "5.7.1"), and
{rcpt_addr} = reason to reject (e.g., "Relay access denied").
Files: milter/milter.[hc], milter/milter8.c, smtpd/smtpd.[hc],
smtpd/smtpd_milter.c.
20090427
Feature: Milter support for replacing the envelope sender
and adding recipients (SMFIR_CHGFROM, SMFIR_ADDRCPT_PAR).
This support currently ignores ESMTP command parameters.
Files: milter/milter8.c, cleanup/cleanup_milter.c.
20090428
Compatibility: to make all the new Milter features usable,
raise the default milter_protocol setting from 2 to 6.
This has been tested with a Sendmail 8.14 libmilter.
File: global/mail_params.h.
Bugfix: don't disable MIME parsing with smtp_header_checks,
smtp_mime_header_checks, smtp_nested_header_checks or with
smtp_body_checks. Bug reported by Victor. File: smtp/smtp_proto.c.
Code cleanups: respect VSTRING invariants by using VSTRING_RESET
and VSTRING_TERMINATE instead of directly groping the
underlying character buffer. Files: global/dsn_buf.c,
milter/milter8.c.
20090507
main.cf:tls_random_source now defaults to /dev/arandom on
OpenBSD. This device was introduced before Postfix development
began. Files: util/sys_defs.h, global/mail_params.h.
20090510
Code cleanups: while emulating SMTP client requests for
Milter applications, use user@domain form addresses as
required by the SMTP protocol, instead of bare usernames.
This avoids hard to debug errors from some Milter applications.
Files: cleanup/cleanup_envelope.c, cleanup/cleanup_extracted.c,
cleanup/cleanup_addr.c.
20090511
Code cleanups: don't clobber -o command-line arguments so
that Linux people can debug daemon command lines more easily.
Files: master/*server.c.
20090513
Code cleanups: better parsing of Postfix daemon "-o"
command-line options, with better error handling. Files:
master/*server.c.
20090518
Documentation: missing dummy entries for lmtp_mumble_checks.
File: proto/postconf.proto.
20090519
Bugfix (introduced: Postfix 2.3, but did not cause trouble
until 20090427). Queue file corruption with (smtpd_milters
or non_smtpd_milters) enabled, AND with delay_warning_time
enabled, AND with short envelope sender addresses (e.g.,
local submissions with bare usernames, but not bounces).
The queue file would be corrupted when the delay_warning_time
record was marked as "done" after sending the "your mail
is delayed" notice. File: qmgr/qmgr_message.c.
20090522
Bugfix (introduced: Postfix 2.3). The cleanup server
rejected mail with records of type REC_TYPE_DRCP (recipient
deleted by Milter), but such records could be present in
mail re-submitted with "postsuper -r". Found during code
review. Files: global/record.h, cleanup/cleanup_envelope.c.
20090524
Feature: new postcat options: -e (print envelope), -h (print
header), and -b (print body). Specify "postcat -bh" to
suppress information about envelope records, and "postcat
-h" to get the message header only. With large messages,
"postcat -h" is much faster than manually stripping the
message body from the output. File: postcat/postcat.c.
20090528
Bugfix (introduced: Postfix 2.6 change 20080629): with
plaintext sessions, smtpd_tls_auth_only=yes caused spurious
warnings with reject_authenticated_sender_login_mismatch,
and broke reject_unauthenticated_sender_login_mismatch and
reject_sender_login_mismatch. Based on fix by Victor
Duchovni. File: smtpd/smtpd_check.c.
20090603
Cleanup: Postfix 2.3 adopted a file descriptor passing
workaround for OpenBSD. This workaround was hard-coded for
all platforms because there were no have adverse effects.
This is no longer the case: OpenBSD is fixed, and NetBSD
does not like the workaround. We now default back to the
non-workaround code and turn on the workaround dynamically.
Files: util/unix_send_fd.c, unix_recv_fd.c, unix_pass_fd_fix.c.
20090605
Portability: modern kernels below ancient user-land. File:
makedefs.
20090606
Feature: post-Milter header checks, with all actions except
PREPEND. To enable, specify for example "milter_header_checks
= pcre:/path/to/file". Files: cleanup/cleanup_init.c,
cleanup/cleanup_milter.c, cleanup/cleanup_extracted.c,
cleanup/cleanup_state.c.
Bugfix: non-portable command pathname in postmulti-script.
Safety: "postmulti -e destroy" no longer attempts to remove
files that are created AFTER "postmulti -e create". Rationale:
by design, postfix queue/data directories are not trusted;
actions within those directory trees must not affect files
outside those those trees (e.g. by symlink race attacks).
We don't want to be nailed with a bunch of CVEs for unsafe
pathname handling. File: conf/postmulti-script.
20090607
Cleanup: revise milter_header_checks action implementation,
and avoid redundant logging and work when milter_header_checks
and Milters make redundant or conflicting decisions. File:
cleanup_milter.c.
20090614
Preliminary postscreen triage server for all inbound SMTP
connections. This is not a proxy: it rejects bad clients
and forwards the rest of the connections to a real Postfix
SMTP server. The initial version does a simple "friend or
foe" based on whether the client starts talking too soon.
Decisions are cached, so "good" clients have no overhead.
File: postscreen/postscreen.c.
Cleanup: more robust code for receiving file descriptors
via the "pass" master service protocol. File:
util/upass_listen.c.
20090617
Temporary helper daemon that does parallel DNSBL lookups
for postscreen(8). It logs successful lookups to the maillog
file without blocking the client. postscreen(8) will use
the results in a later non-production version. To enable
DNSBL lookups, specify "postscreen_dnsbl_sites = name,
name, etc". and restart postscreen(8) with "postfix reload".
File: src/dnsblog/dnblog.c.
20090618
postscreen(8) logging and actions are now documented in the
postscreen(8) manpage. When a client is listed in DNSBLs
specified with postscreen_dnsbl_sites, it is no longer
whitelisted. Instead the number of blocklist hits is logged.
File: postscreen/postscreen.c.
20090619
postscreen(8) by default no longer immediately drops
connections. Specify "postscreen_greet_action = drop" and
"postscreen_hangup_action = drop" for the old behavior.
There is also a new postscreen_dnsbl_action parameter, for
completeness. File: postscreen/postscreen.c.
20090708
Portability: FreeBSD 8 has closefrom(). File: uti/sys_defs.h.
20090710
Bugfix (introduced Postfix 2.3): Postfix got out of sync
with a Milter application after the application sent a
"quarantine" request at end-of-message time. The milter
application would still be in the end-of-message state,
while Postfix would already be working on the next SMTP
event (typically, QUIT or MAIL FROM). Problem diagnosed
with help from Alban Deniz. File: milter/milter8.c.
20090711-2
New "event_server" Postfix server framework. It is similar
to the "multi_server" framework but does not manage client
I/O events. This framework is suitable for servers such
as postscreen that have complex event management requirements.
File: master/event_server.c.
New event_fork() primitive to resume event processing in a
child process after it is created with fork(). This is
needed by postscreen to complete work-in-progress in the
background after "postfix reload". File: util/events.c.
Cleanup: postscreen migrated to the "event_server" framework.
File: postscreen/postscreen.c.
20090712
Cleanup: ${multi_instance_name:postfix}${multi_instance_name
?$multi_instance_name} garbage in Postfix logging is now
hopefully gone. File: global/mail_task.c.
20090715
Documentation: as of Postfix 2.6, the reject_unauth_pipelining
feature can be used meaningfully at any protocol stage.
File: proto/postconf.proto.
20090717
Cleanup: postscreen PREGREET detection now uses non-destructive
read, so that the real SMTP server can still receive the
HELO command (apparently some sites allow pregreeters to
talk to their servers). File: postscreen/postscreen.c.
20090805
Bugfix: don't panic when an unexpected smtpd access map is
specified. File: smtpd/smtpd_check.c.
20090918
Bugfix (introduced Postfix 2.3): with Milter RCPT TO replies
turned off, there was no automatic flush-before-read on the
smtpd-to-milter stream, because the read was done on the
cleanup-to-milter stream. Problem reported by Stephen Warren.
File: milter/milter8.c.
20091005
Bugfix: core dump while printing error message for malformed
%<letter> sequence in LDAP, MySQL or PostgreSQL configuration.
File: global/db_common.c. Fix by Victor Duchovni.
20091006
Feature: "postscreen_whitelist_networks = $mynetworks" (the
default) to avoid problems with buggy SMTP implementations
in network appliances. Note: this feature never uses the
remote SMTP client hostname. Files: global/addr_match_list.[hc],
postscreen/postscreen.c.
Feature: postscreen_blacklist_networks (default: empty) to
permanently blacklist hosts or networks. Address syntax is
as with mynetworks. Note: this feature never uses the remote
SMTP client hostname. File: postscreen/postscreen.c.
Feature: postscreen_blacklist_action (default: continue)
to control what happens with a permanently blacklisted
client. File: postscreen/postscreen.c.
20091007
Feature: hostname-based check_client_{mx,ns}_access,
check_reverse_client_hostname_{mx,ns}_access (the client
IP address is not used). Rob Foehl. Files: smtpd/smtpd_check.c,
global/mail_params.h, proto/postconf.proto, mantools/postlink.
20091008
Documentation: restructured the postscreen(8) manpage
as a sequence of tests. File: postscreen/postscreen.c.
20091012
Bugfix: postmulti did not skip commands with -p. Luca
Berra. File: postmulti/postmulti.c.
20091023
Feature: specify "smtpd_command_filter = pcre:/file/name"
to replace remote SMTP client commands before they are
executed by the Postfix SMTP server. This a last-resort
tool to fix inter-operability problems. See examples in
the postconf(5) manual page. File: smtpd/smtpd.c.
20091026
Cleanup: changed parameter evaluation order so that the
multi_instance_wrapper parameter value is evaluated after
the command and daemon directory parameters. File:
global/mail_params.h.
20091101
Performance: specify "smtpd_proxy_options = speed_adjust"
to receive an entire message before sending it through a
before-queue content filter. This reduces the number of
simultaneous content filtering processes, and thus, the
system memory requirements. Files: smtpd/smtpd.[hc],
smtpd/smtpd_proxy.[hc].
20091103-4
Cleaned up the speed-adjust code, streamlined the error
handling, and updated documentation. Files: smtpd/smtpd.[hc],
smtpd/smtpd_proxy.[hc], proto/SMTPD_PROXY_README.html.
20091105
Cleaning up after speed_adjust introduction: smtpd segfault
caused by an incomplete API change; refined the queue space
check; release scratch space immediately after delivering
mail to the before-queue filter. Files: smtpd.c, smtpd_proxy.c.
20091110
Workaround: specify "smtp_tls_block_early_mail_reply = yes"
to detect a mail hijacking attack based on a TLS protocol
vulnerability (CVE-2009-3555). The attack involves prepending
malicious HELO/MAIL/RCPT/DATA commands to a Postfix SMTP
client TLS session. The attack would succeed with non-Postfix
SMTP servers that reply to the malicious commands after
negotiating the Postfix SMTP client TLS session. File:
smtp/smtp_proto.c.
20091113
Workaround: skip interfaces without netmask, to avoid
segfaults (reported by Dmitry Karasik). Don't supply a dummy
null netmask, as that would turn Postfix into an open relay
(mynetworks = 0.0.0.0/0). File: util/inet_addr_local.c.
Bugfix: forgot to flush output to the smtpd_proxy speed-adjust
buffer before truncating the file. Reported by Mark Martinec,
fix by Victor Duchovni. File: smtpd/smtpd_proxy.c.
20091114
Feature: specify "smtp_reply_filter = pcre:/file/name" to
replace remote SMTP server reply lines before they are
parsed by the Postfix SMTP client. This a last-resort tool
to fix inter-operability problems. See examples in the
postconf(5) manual page. File: smtp/smtp_chat.c.
Safety: don't send postmaster notifications to report
problems delivering (possible) postmaster notifications.
File: smtp/smtp_connect.c.
20091121
Feature: sender_dependent_default_transport_maps, to override
the default transport in a sender-dependent manner. This
is not a transport_maps override, and therefore it does not
use the transport_maps syntax for null transport, null
nexthop, or null email address.
20091127
Usability: the Postfix SMTP client now logs a warning that
wrappermode TLS is not supported, when configured to connect
to port smtps/465. File: smtp/smtp_connect.c.
20091203
Safety: the postscreen daemon logs a warning when table
lookup is slow. Slow lookups cause postscreen to fall behind,
and worse, to catch up in bursts, which results in overload
elsewhere. File: postscreen/postscreen.c.
20091206
Feature: by popular demand, the Postfix SMTP server now
logs the before-queue content filter's end-of-message
accept/reject response. File: smtpd/smtpd.c.
20091209
Portability: as the result of continuous improvement,
Berkeley DB no longer allows fork-then-close. File:
postscreen/postscreen.c.
Bugfix: sender_dependent_relayhost_maps did not reject an
empty lookup result, and did not recognize lookup errors,
thus treating errors as "not found". Problem found during
code maintenance. File: trivial-rewrite/resolve.c.
Cleanup: the postscreen daemon now applies the permanent
whitelist first. It is a safety feature that prevents mail
from being blocked. File: postscreeb/postscreen.c.
20091224
Bugfix (introduced 20041215): dict_dbm_sequence() did not
release the shared lock when the end of the sequence was
reached. File: util/dict_dbm.c.
20091227
Cleanup: postscreen and verify periodic cache cleanup
(default: 12 hours after the previous cache cleanup run).
This is based on a new dict_cache(3) module that implements
a generalized version of the tlsmgr(8) cache maintenance
code. Once the new dict_cache(3) code is burned in, the
tlsmgr(8) will be migrated to it. See the RELEASE_NOTES for
user interface details. Files: util/htable.[hc], util/dict_ht.c,
util/dict_cache.[hc], postscreen/postscreen.c, verify/verify.c.
Bugfix: the event handler starved I/O events when a timer
call-back routine scheduled a zero-delay timer request.
This bug was exposed when adding the new dict_cache(3)
module for cache expiration. File: util/events.c.
20091228
Cleanup: postscreen and verify periodic cache cleanup is
now optional (specify a null time interval between cache
cleanup runs).
20091229
Cleanup: the address_verify_poll_count default parameter
value is now stress-dependent, so that the Postfix SMTP
server will not wait (up to 6 seconds) for the address
verification result. File: global/mail_params.h.
Final solution for the I/O event starvation problem when a
timer call-back schedules a zero-delay timer request. File:
util/events.c.
20091231
Cleanup: the non-shared, in-memory hash table is now
accessible as the "internal:" map type. This simplifies
code by eliminating some special cases. Files: util/dict_ht.c,
util/dict_open.c, and documentation.
20100101
Bugfix: the mantools/postlink script applied hyperlinks
for the "virtual:" transport to "/etc/postfix/virtual:".
Symptom reported by Christoph Anton Mitterer.
20100102
Workaround: don't report bogus Berkeley DB close errors as
fatal errors. All operations before close are already error
checked, so the data is known to be safe. File: util/dict_db.c.
20100107
Documentation: the access(5) manual page did not document
the "send 521 and disconnect" behavior in the Postfix SMTP
server (introduced with Postfix 2.6). File: proto/access.
Bugfix: the pickup daemon did not discard messages that
were requeued after all recipients were delivered (or
bounced), and the cleanup server tried to bounce such
messages. Files: pickup/pickup.c, global/cleanup_user.h.
Future proofing: redundant code in postdrop to reject a
submission without recipient record. File: postdrop/postdrop.c.
20100109
Cleanup: "postcat -q" will now access files in the "saved"
queue directory (for corrupted queue files). As before, the
"postsuper" command will not, to avoid suddenly deleting
such files. Files: global/mail_queue.h postcat/postcat.c.
20100113
Cleanup: don't supply the "-o stress" command-line option
with a single-process service. File: master/master_ent.c.
20100115
Bugfix: the valid_hostname() fuction did not set the
"non-numeric" flag after encountering the '-' character.
Reported by Jan Schampera. File: util/valid_hostname.c.
20100116
Documentation: the content_filter and FILTER features never
supported the special cases of transport_maps. References
to transport_maps syntax are now removed from content filter
discussions. Files: proto/postconf.proto, proto/FILTER_README.
Workaround: as of Postfix 2.3 the VRFY command did not allow
a mailbox address inside <>, which broke expectations. RFC
2821 (and 5321) is vague about the VRFY request format, but
spends lots of text on the reply format. File: smtpd/smtpd.c.
20100117
Cleanup: when a content_filter parameter or FILTER command
specifies an empty next-hop destination, the queue manager
now uses the recipient domain instead of $myhostname. Specify
"default_filter_nexthop = $myhostname" for compatibility
with Postfix 2.6 and earlier, or specify a non-empty next-hop
filter destination. Files: *qmgr/qmgr_message.c proto/access,
proto/header_checks, proto/postconf.proto, proto/FILTER_README.
20100120
Cleanup: detect illegal pipelining after HELO, EHLO. File:
smtpd/smtpd.c.
20100128
Documentation: streamlined the decriptions of protocol and
cipher tweaks. Victor Duchovni. Files: proto/TLS_README,
proto/postconf.proto.
20100131
Documentation: the address verification database is now
persistent by default. This, combined with the now default
stress-dependent configuration, improves the performance
limits and simplifies database maintenance. Files:
proto/ADDRESS_VERIFICATION_README, verify/verify.c.
Cleanup: undo the proxymap and trivial-rewrite max_idle=1s
override that was introduced with Postfix 2.3. It did not
help to retire long-lived proxymap or trivial-rewrite
processes on busy servers, and worsened performance on
low-traffic servers. The reduced ipc_ttl value (introduced
with Postfix 2.4) already solves the problem of retiring
long-lived proxymap or trivial-rewrite processes. Files:
proxymap/proxymap.c, trivial-rewrite/trivial-rewrite.c.
20100202
Documentation: major revision of SASL_README with many
details on how to configure Cyrus SASL internals. Patrick
Koetter. File: proto/SASL_README.html
20100204
Feature: added "forward_secrecy" option for Cyrus SASL.
File: xsasl/xsasl_cyrus_security.c.
20100206
Bugfix (from day zero): the local delivery agent returned
undeliverable mail to the envelope sender instead of the
owner- alias, when delivering to command or file. This
reuses the workaround that was implemented to report a
Delivered-To: loop. Files: local/file.c, local/command.c,
local/recipient.c, local/bounce_workaround.c.
20100209
The tcp_table(5) interface is now part of the stable release.
The last protocol change was in Postfix 2.1. File:
util/dict_open.c.
20100305
Feature: reject_rhsbl_reverse_client, to reject a remote
SMTP client based on its unverified reverse hostname. Code
by Noel Jones. Files: smtpd/smtpd_check.c, proto/postconf.proto.
Feature: smtp_address_preference (default: ipv6) to control
the order in which the Postfix SMTP client will connect to
a destination that has IPv6 and IPv4 addresses with equal
MX preference. Files: global/mail_params.h, smtp/smtp.c,
smtp/smtp_params.c, smtp/smtp_addr.c, dns/dns_rr.c,
and documentation.
20100321
Feature: allow Milter applications to use a lower protocol
version than the version that Postfix is configured for.
Based on an idea by Kouhei Sutou. File: milter/milter8.c.
20100322
Bugfix (introduced 20100305) the new smtp_address_preference
feature was not tested with LMTP support. Problem reported
by Stefan Foerster. File: smtp/smtp.c.
20100407
Bugfix (introduced 20100305): reject_rhsbl_reverse_client
was skipped if the forward-confirmed reverse DNS (FCRDNS)
remote SMTP client hostname was "unknown". Victor Duchovni.
File: smtpd/smtpd_check.c.
20100422
Workaround (introduced: postfix-19990906 a.k.a. Postfix
0.8.0). The Postfix local delivery agent did not properly
distinguish between "address has no extension" and "address
has an extension, but the extension is invalid". In both
cases it would run only the full recipient local-part through
the alias maps. Instead, it now drops the faulty extension
from the recipient address local-part (it would be too
error-prone to replace all tests for "no extension" by tests
for "no valid extension". File: local/recipient.c.
20100430
Feature: customized hard/soft reject responses by Jason
Parsons. File: smtpstone/smtp-sink.c.
20100515
Bugfix (introduced Postfix 2.6): the Postfix SMTP client
XFORWARD implementation did not skip "unknown" SMTP client
attributes, causing a syntax error when sending a PORT
attribute. Reported by Victor Duchovni. File: smtp/smtp_proto.c.
20100526
Cleanup: a unit-test driver was not updated after an internal
API change. Vesa-Matti J Kari File: milter/milter.c.
20100529
Portability: OpenSSL 1.0.0 changes the priority of anonymous
cyphers. Victor Duchovni. Files: postconf.proto,
global/mail_params.h, tls/tls_certkey.c, tls/tls_client.c,
tls/tls_dh.c, tls/tls_server.c.
Portability: Mac OS 10.6.3 requires <arpa/nameser_compat.h>
instead of <nameser8_compat.h>. Files: makedefs, util/sys_defs.h,
dns/dns.h.
20100531
Robustness: skip LDAP queries with non-UTF-8 search strings
(in anticipation of UTF8SMTP support). File: global/dict_ldap.c.
Strict UTF-8 validator per RFC 3629. File: util/valid_utf_8.c.
20100601
Cleanup: Postfix LDAP client support for RFC 2255 LDAP URLs.
Victor Duchovni. Files: proto/ldap_table global/dict_ldap.c.
Safety: Postfix processes log a warning when a matchlist
has a #comment at the end of a line (for example mynetworks
or relay_domains). File: util/match_list.c.
Portability: Berkeley DB 5.x has the same API as Berkeley
DB 4.1 and later. File: util/dict_db.c.
20100610
Bugfix (introduced Postfix 2.2): Postfix no longer appends
the system default CA certificates to the lists specified
with *_tls_CAfile or with *_tls_CApath. This prevents
third-party certificates from getting mail relay permission
with the permit_tls_all_clientcerts feature. Unfortunately
this may cause compatibility problems with configurations
that rely on certificate verification for other purposes.
To get the old behavior, specify "tls_append_default_CA =
yes". Files: tls/tls_certkey.c, tls/tls_misc.c,
global/mail_params.h. proto/postconf.proto, mantools/postlink.
20100615
Cleanup: the master no longer logs "process P killed with
signal S" when it shuts down a running service (for example,
the service is removed from master.cf, or the service is
disabled via the main.cf master_service_disable parameter).
File: master/master_spawn.c.
20100617
Feature: read-only sqlite support based on code by Axel
Steiner and documentation by Jesus Garcia Crespo. Files:
conf/postfix-files, mantools/postlink, proto/DATABASE_README.html,
proto/Makefile.in, proto/INSTALL.html, proto/mysql_table,
proto/pgsql_table, proto/sqlite_table, proto/SQLITE_README.html,
global/Makefile.in, global/mail_dict.c, global/dict_sqlite.c,
global/dict_sqlite.h, postconf/postconf.c, postfix/postfix.c.
20100618
Cleanup: SQLite read-only driver and documentation. Files:
global/dict_sqlite.c, proto/mysql_table, proto/SQLITE_README.html.
20100707
Completed the 20100610 bugfix. File: tls/tls_misc.c.
20100714
Compatibility with Postfix < 2.3: fix 20061207 was incomplete
(undoing the change to bounce instead of defer after
pipe-to-command delivery fails with a signal). Fix by Thomas
Arnett. File: global/pipe_command.c.
20100715
Convenience: "postconf name=value ..." is now equivalent to
"postconf -e name=value ...". File: postconf/postconf.c.
20100724
Feature: INFO header/body_checks action for non-warning
messages (for example, to log all Milter-inserted headers).
File: global/header_body_checks.c, proto/header_checks.
Cleanup: after-filter Postfix SMTP servers now log before-filter
queue IDs. For this, the XFORWARD protocol was extended
with an IDENT attribute for the before-filter queue ID.
This code was started in Postfix 2.1, but it was never
finished due to time constraints. Files: smtpd/smtpd.[hc]
smtpd/smtpd_proxy.c, smtpd/smtpd_sasl_proto.c,
*qmgr/qmgr_messsage.c, *qmgr/qmgr_deliver.c,
global/deliver_request.[hc], global/mail_proto.h,
global/deliver_pass.c, smtp/smtp_proto.c.
20100727
Bugfix: the milter_header_checks parser provided only the
actions that change the message flow (reject, filter,
discard, redirect) but disabled the non-flow actions (warn,
replace, prepend, ignore, dunno, ok). File:
cleanup/cleanup_milter.c.
20100827
Performance: fix for poor smtpd_proxy_filter TCP performance
over loopback (127.0.0.1) connections. Problem reported by
Mark Martinec. Files: smtpd/smtpd_proxy.c.
Bugfix: the Postfix SMTP client no longer appends the local
domain when looking up a DNS name without ".". Specify
"smtp_dns_resolver_options = res_defnames" to get the old
behavior, which can produce unexpected results. Files:
smtp/smtp.c, smtp/smtp_params.c, smtp/smtp_addr.c.
20100828
Refactoring: postscreen source code broken up into multiple
files, and identifiers updated to match changes in their
purpose. This will be the baseline for adding support for
DNSBL weighting, then a dummy engine to collect forensic
evidence with the option of future protocol checks. Files:
postscreen/*.[hc], Makefile.in.
20100829
Postscreen DNSBL support for optional fixed-string filters
and optional integral weight factors (use negative weights
for whitelisting). See RELEASE_NOTES and postconf(5) for
details. Files: postscreen/postscreen_dnsbl.c,
proto/postconf.proto, mantools.postlink, global/mail_params.h.
Incompatibility: the postscreen-to-dnsblog protocol was
changed to support DNSBL query result filters. Use "postfix
reload" after installing the new version otherwise the
dnsblog(8) server may complain.
20100830
Polished the postscreen documentation and comments to clarify
the user interface and implementation. No code changes.
20100831-910
Restructured postscreen and added support for a dummy SMTP
protocol engine. This engine logs rejected attempts to
deliver mail with helo/sender/recipient information, and
implements deep protocol tests. The first deep protocol
test is for command pipelining, where a client sends multiple
commands instead of waiting for the server to respond to
each command. The second one implements the Postfix SMTP
server's smtpd_forbidden_commands feature. Files:
postscreen/*.[hc]. See RELEASE_NOTES, postconf(5) and
postscreen(8) for incompatibilities, features, and configuration
parameters.
20100910
Feature: boolean configuration parameters with string-valued
defaults, so that they can be subject to macro expansions.
This was needed to make some postscreen parameter defaults
to the values of the corresponding smtpd parameters. Files:
global/mail_conf.h, global/mail_conf_nbool.c,
master/event_server.c, master/mail_server.h, master/multi_server.c,
master/single_server.c, master/trigger_server.c,
postconf/extract.awk, postconf/postconf.c.
20100911
Feature: texthash read-only database. This is similar to
hash: files, except that you don't need to run the postmap(1)
command before you can use the file, and that it does not
detect changes after the file is read. All information is
read into memory. Files: util/dict_open.c, util/dict_thash.[hc],
proto/DATABASE_README.html, postconf/postconf.c
20100912
Feature: bare newline detection in postscreen. Real spambots
don't make this mistake anymore, but poorly-written software
still does. File: postscreen/smtpd.c.
Documentation: POSTSCREEN_README including instructions for
turning postscreen(8) on without blocking mail, and more.
Trimmed the text in the postscreen(8) manpage. File:
proto/POSTSCREEN_README.html, postscreen/postscreen.c.
20100914
Cleanup: the "postscreen_greet_wait" delay now ends as soon
as both the pregreet and DNSBL tests complete (the postscreen
documentation mentions in history/credits that the program
started as a crude prototype). The default postscreen_dnsbl_ttl
caching time is now reduced to 1h from 24h, allowing
postscreen to catch up on DNSBL updates more quickly. If
this increases the database update frequency too much then
we'll need to make dnsbl result non-cachable. Files:
postscreen/postscreen_dnsbl.c, global/mail_params.h.
20100915
Bugfix (introduced 20100914): missing precondition for
call-back notification. File: postscreen/postscreen_dnsbl.c.
Bugfix (introduced 20100914): the "postscreen_greet_wait"
delay speedup worked only for DNSBL listed sites. File:
postscreen/postscreen_dnsbl.c.
Workaround: better handling of pregreeting spambots. The
postscreen built-in SMTP engine no longer sends a 220 banner
to a client that falls into the pregreet trap. This eliminates
many "NON-SMTP COMMAND" records in postscreen logging, as
the SMTP client and server no longer get out of sync. It
also results in better logging of sender/recipient information.
File: postscreen/postscreen_smtpd.c.
20100916
Cleanup: postscreen now uses the first responding DNSBL
name in the "5.7.1 Service unavailable" reply, instead of
the last responding one. File: postscreen/postscreen_dnsbl.c.
Cleanup: the 20100914 "postscreen_greet_wait" speedup did
not happen as often as it should, because some older code
still turned on PREGREET tests gratuitously, causing a full
greet-wait delay. File: postscreen/postscreen_tests.c.
Cleanup: to avoid "address in use" problems, postscreen now
closes the listening socket after "postfix stop". It also
closes the socket after "postfix reload" but that does not
hurt. Files: master/event_server.c, master/multi_server.c.
Cleanup: postscreen now logs CONNECT and DISCONNECT events.
Files: postscreen/postscreen.c, postscreen/postscreen_misc.c.
20100917
Bugfix: cut-and-paste error. Postscreen used pregreet_ttl
instead of dnsbnl_ttl. File: postscreen/postscreen_early.c.
20100920
Cleanup: minor cleanups and invisible fixes. Files:
postscreen/postscreen_misc.c, postscreen/postscreen.h,
postscreen/postscreen_tests.c.
Feature: preliminary postscreen penalty mechanism. Basic
idea: when a client exceeds some threshold, don't allow it
to pass any tests until the penalty expires. Penalties
provide a way to slow down clients without blocking mail
permanently. Files: postscreen/postscreen_misc.c,
postscreen/postscreen_tests.c, postscreen/postscreen.c.
A first application of the postscreen penalty mechanism
triggers on clients that make brief connections to find out
if the mail server is up. With "postscreen_early_hangup_penalty
= 600" they will disqualify themselves for 10 minutes.
Unfortunately, this behavior is used by legitimate bulk
mail services. This application was removed 20101103. The
penalty mechanism itself is left in place as #ifdef NONPROD.
20100923
Cleanup: renamed MUMBLE_FLAG_MUMBLE aggregates to
MUMBLE_MASK_MUMBLE for consistency with other Postfix code.
Files: postscreen/*.[hc].
20100930
Cleanup: flag PIPELINING errors with NOOP and VRFY. File:
smtpd/smtpd.c.
20101006
Bugfix (introduced: 20100914) dangling pointer when a client
makes N > 1 simultaneous connections and closes M < N
connections before postscreen has delivered the DNSBL score
to the corresponding pseudothreads. In practice the pointer
will refer to a block of 0xff bytes; the program terminates
with a segmentation violation, and is restarted immediately
by the master daemon. Files: postscreen/postscreen_early.c,
postscreen/postscreen_dnsbl.c.
Cleanup: avoid repeated delivery to mailing list members
with pathological nested alias configurations. The local(8)
delivery agent now keeps the owner-alias attribute of the
parent alias, when delivering mail to a child alias that
does not have its own owner alias. With this change, local
addresses from that child alias will be written to a new
queue file, and a temporary error with one local address
will no longer result in repeated delivery to other mailing
list members. Specify "reset_owner_alias = yes" for the
older behavior. File: local/alias.c.
20101007
Bugfix (introduced: 2100923): duplicate "PASS OLD" logging.
File: postscreen/postscreen_misc.c.
20101008
Cleanup: dnsblog now logs "addr X listed by domain Y as Z"
instead of "addr X blocked by domain Y as Z", because the
service may be used for whitelist lookups. File:
dnsblog/dnsblog.c.
20101023
Cleanup: don't apply reject_rhsbl_helo to non-domain forms
such as network addresses. This would cause false positives
with dbl.spamhaus.org. File: smtpd/smtpd_check.c.
20101103
Cleanup: new qmgr_ipc_timeout parameter (default: 60s) to
override the system-wide ipc_timeout setting (default:
3600s). The shorter timeout allows the queue manager to
reset a deadlocked IPC connection before the watchdog timer
goes off. Files: *qmgr/qmgr.c.
Cleanup: new qmgr_daemon_timeout parameter (default: 1000s)
to make the hard-coded 1000s watchdog timeout configurable.
Files: *qmgr/qmgr.c.
Cleanup: request default DSN notification when adding a
recipient with smfi_addrcpt, instead of requesting "never
notify" as with Postfix automatically-added BCC recipients.
Files: cleanup/cleanup_addr.c, cleanup/cleanup.h,
cleanup/cleanup_milter.c.
20101105
Feature: DNS whitelist support in the Postfix SMTP server.
permit_dnswl_client whitelists a client by IP address, and
permit_rhswl_client whitelists a client by its hostname.
The syntax is the same as reject_rbl_client etc., but the
result is PERMIT instead of REJECT. For safety reasons,
permit_xxx_client are silently ignored when they would
override reject_unauth_destination. The result is
DEFER_IF_REJECT when DNSWL lookup fails. The implementation
is based on a design documented by Noel Jones (August 2010).
File: smtpd/smtpd_check.c.
20101108
Workaround: strip off IPv6 datalink suffix from peer address
to avoid problems with strict address checking code. Files:
smtpd/smtpd_peer.c, qmqpd/qmqpd_peer.c.
20101114
Robustness: postscreen(8) now implements a time limit on
reading an entire command, instead of a time limit for
reading individual characters. File: postscreen/postscreen_smtpd.c.
20101023
Cleanup: don't apply reject_rhsbl_helo to non-domain forms
such as network addresses. This would cause false positives
with dbl.spamhaus.org. File: smtpd/smtpd_check.c.
20101117
Bugfix: the "421" reply after Milter error was overruled
by Postfix 1.1 code that replied with "503" for RFC 2821
compliance. We now make an exception for "final" replies,
as permitted by RFC. Solution by Victor Duchovni. File:
smtpd/smtpd.c.
20101124-6
Feature: pattern matching for DNSWL/DNSBL responses. For
example, with "reject_rbl_client example.com=d.d.d.d", each
"d" can now be a pattern inside "[]" that contains one or
more comma-separated decimal numbers or number..number
ranges. Files: smtpd/smtpd_check.c, postscreen/postscreen_dnsbl.c,
util/ip_match.c, util/ip_match.h.
20101126
Cleanup: don't log "blocked using example.com=127.0.0.1",
just log the domain name. File: smtpd/smtpd_check.c.
20101129
Cleanup: postscreen_client_connection_count_limit (default:
$smtpd_client_connection_count_limit) to limit the number
of connections from the same IP address to the postscreen(8)
daemon. Files: postscreen/postscreen.c, postscreen/postscreen.h,
postscreen/postscreen_state.c.
20101130
Cleanup: all postscreen(8) logging now reports the client
as [address]:port. This requires an update of tools that
process postscreen logging. Files: postscreen/*.c,
proto/POSTSCREEN_README.html.
Cleanup: polishing recent documentation and code. Files:
postscreen/postscreen_dnsbl.c, util/ip_match.c.
20101201
Bugfix (introduced 20101129): broken default value for
postscreen_client_connection_count_limit if the
smtpd_client_connection_count_limit parameter was left at
its default. File: postscreen/postscreen.c.
Workaround: BSD-ish mkdir() ignores the effective GID
and copies group ownership from the parent directory.
File: util/make_dirs.c.
20101202
Feature: the LDAP client can now authenticate to LDAP servers
via SASL. This is tested with SASL GSSAPI and Kerberos 5.
Original code by Quanah Gibson-Mount adapted by Victor
Duchovni. Files: global/dict_ldap.c, proto/LDAP_README.html,
proto/ldap_table.
Cleanup: the cleanup server now reports a temporary delivery
error when it reaches the virtual_alias_expansion_limit or
virtual_alias_recursion_limit. Previously, it would silently
ignore the excess recipients and deliver the message. File:
cleanup/cleanup_map1n.c.
20101205
Cleanup: sache_clnt_create() had an unnecessary data
dependency on the non-library var_scache_service variable,
causing problems with shared library builds. Instead, it
should use its service argument (which has the same value).
File: global/scache.c.
Cleanup: pipe_command.c had an unnecessary data dependency
on the non-library var_command_maxtime variable, causing
problems with shared library builds. The dependency was not
necessary because the callers already specify an explicit
time limit. File: global/pipe_command.c.
20101206
Bugfix (introduced 20101205): postscreen hung up due to
incorrect output error test. File: postscreen/postscreen_send.c.
20101207
Cleanup: the undisclosed_recipients_header default value
is now the empty string. The Internet mail RFCs have supported
messages without recipient header for almost 10 years now.
File: global/mail_params.h.
Cleanup: use strtol() instead of sscanf() for consistent
handling of out-of-range numbers. Files: global/cfg_parser.c,
global/conv_time.c, global/mail_conf_int.c,
global/mail_conf_long.c, global/mail_conf_nint.c.
20101217
Cleanup: eliminated the code that copied TLS protocol
messages between the OpenSSL TLS engine and the network.
This change hopefully simplifies the TLS library enough
that it can be used in an event-driven TLS proxy in front
of postscreen. Files: tls/tls_bio.c, tls/tls_server.c,
tls/tls_client.c.
This change eliminates an obscure bug where the SMTP server
would wait for another $smtpd_timeout seconds after sending
the "421 Error: timeout exceeded" message to the client.
20101221
Cleanup: simplified the VSTREAM "large buffer" support by
dropping the Postfix 2.4 "binary compatibility" requirement.
Files: util/vstream.c, util/vstream.h.
20101222
Cleanup: the SMTP client PIPELINING code did not account
for TLS protocol overhead. This could (only in theory)
result in deadlock when the remote SMTP server announces a
very small receive window after the client and server have
synchronized their SMTP state. Victor Duchovni. File:
smtp/smtp_proto.c.
20101223
Feature: with "tls_preempt_cipherlist = yes" the Postfix
SMTP server will preempt the remote SMTP client's cipher
preference order. This requires OpenSSL 0.9.7 and later.
Victor Duchovni. Files: src/smtpd/smtpd.c, src/tls/tls_server.c,
proto/TLS_README.html, proto/postconf.proto.
Future proofing: specify "tls_disable_workarounds = a list
or bit-mask of OpenSSL bug work-arounds to disable". This
may become necessary when a bug workaround is found to cause
problems (security or interoperability). Victor Duchovni.
Files: tls/tls_misc.c, proto/TLS_README.html, proto/postconf.proto.
Infrastructure: extended name_mask module feature set with
extensive documentation and 32-bit regression tests. Victor
and Wietse. File: util/name_mask.[hc].
20101224
Cleanup: sanitized the name_mask API so that errors will be
ignored only upon explicit request. Files: util/name_mask.[hc],
src/global/ehlo_mask.c, src/smtp/smtp_proto.c,
src/util/name_mask.c, src/xsasl/xsasl_dovecot_server.c.
Cleanup: more TLS overhead horrors for the SMTP client's
PIPELINING engine. Wietse and Victor. File: smtp/smtp_proto.c.
20101226
Cleanup: the SMTP client logic for pipelining the "." and
"QUIT" commands was bogus - the pipelining engine could not
know how much unacknowledged data is pending in the local
TCP stack. We now ignore the buffer check for sending
"QUIT" after ".". Wietse and Victor. File: smtp/smtp_proto.c.
20110101
Cleanup: the Postfix SMTP server now always refreshes the
SASL authentication mechanism list after STARTTLS. Some
Dovecot versions may change their responses when they know
that the SMTP connection is encrypted. File: smtpd/smtpd.c.
Cleanup: the smtpd_starttls_timeout default value is now
stress-dependent. Files: global/mail_params.h,
proto/postconf.proto.
Compatibility: postscreen_discard_ehlo_keyword(s|maps)
support for compatibility with smtpd_discard_ehlo_keyword(s|maps).
Files: postscreen/postscreen_smtpd.c.
20110102
Feature: STARTTLS support for the postscreen(8) daemon.
With early testing feedback from Victor Duchovni and Ralf
Hildebrandt. Files: postscreen/postscreen_smtpd,
postscreen/postscreen_starttls.c.
Feature: event-driven tlsproxy(8) daemon that translates
TLS <=> plaintext for postscreen(8). One tlsproxy(8) process
can translate traffic for multiple remote SMTP clients.
With early testing feedback from Victor Duchovni and Christian
Roessner. Files: util/nbbio.[hc], tlsproxy/*.[hc],
postscreen/postscreen_starttlsd.c, postscreen/postscreen_smtpd.c.
20110103
Cleanup: missing tls_level support in tlsproxy (it has no
way to send plaintext, but perhaps an informative error
message is in order anyway). File: tlsproxy/tlsproxy.c.
Cleanup: simplified the handling of throttled output (i.e.
output that can't be sent because the receiver tries to be
nasty). File: postscreen/postscreen_send.c.
20110104
Feature: add contact information to each SMTP server reject
message. For example, "smtpd_reject_footer = call 800-555-0101
for assistance", with macro expansion and with multi-line
support. Files: global/mail_params.h, mantools/postlink,
proto/postconf.proto, smtpd/smtpd.c, smtpd/smtpd_chat.c,
smtpd/smtpd_expand.[hc], util/mac_expand.[hc].
20110105
Cleanup: the forest of TLS-related booleans was shrunk.
Victor Duchovni. Files: smtpd/smtpd.c, postscreen/postscreen.c,
postscreen/postscreen_smtpd.c, tlsproxy/tlsproxy.c.
Non-production: tlsproxy support in the Postfix SMTP server
for stress testing of the tlsproxy daemon (#ifdef TLSPROXY).
Seen from outside, Postfix works just as if it has TLS
support built into in smtpd(8). Files: smtpd/smtpd.c,
tls/tls_proxy*.[hc], tlsproxy/tlsproxy.c, util/vstream.[hc].
Bugfix (introduced with the Postfix TLS patch): discard
plaintext following the STARTTLS command or response. This
matters only for the minority of SMTP clients that actually
verify server certificates. Files: smtpd/smtpd.c,
smtp/smtp_proto.c.
20110106
Non-production: cleaned up the tlsproxy support in the
Postfix SMTP server for stress testing of the tlsproxy
daemon (still #ifdef TLSPROXY). File: smtpd/smtpd.c.
20110107
Cleanup: smtpd_reject_contact_information is renamed to
smtpd_reject_footer, because it can be used for non-contact
information.
Compatibility: postscreen_reject_footer support for
compatibility with smtpd_reject_footer. Files:
global/smtp_reply_footer.[hc], global/mail_conf.[hc],
postscreen/postscreen_expand.c, postscreen/postscreen_send.c,
postscreen/postscreen.c, smtpd/smtpd_chat.c.
Compatibility: postscreen_command_filter support for
compatibility with smtpd_command_filter. Files:
postscreen/postscreen_dict.c, postscreen/postscreen_smtpd.c
20110108
Cleanup: postscreen(8) now displays control characters in
PREGREET responses as C-style \letter escapes, instead of
"?". File: postscreen/postscreen_early.c.
20110109
Cleanup: Solaris support for "pass" (file descriptor passing
based) services in master.cf. This was needed by postscreen(8).
Also, renamed upass_xxx.c to unix_pass_xxx.c. One-character
prefixes are too short. Removed upass_connect.c because it
was useless code. Files: util/stream_pass_connect.c,
util/unix_pass_listen.c, util/unix_pass_trigger.c.
Bugfix (introduced Postfix 2.4): on Solaris the Postfix
event engine was deaf for SIGHUP and SIGALRM signals after
the switch to /dev/poll. Symptoms were delayed "postfix
reload" response, and killed processes when the watchdog
timeout was less than max_idle. The fix is to set up SIGHUP
and SIGALRM handlers that write to a pipe, and to monitor
that pipe for read events via the Postfix event engine.
Files: master/master_sig.c, util/watchdog.c, util/sys_defs.h.
20110111
Cleanup: replaced the postscreen(8) separate blacklist and
whitelist lookup tables by one postscreen_access_list table.
See postconf(5) and POSTSCREEN_README for examples. Files:
postscreen/postscreen_access.c, postscreen/postscreen.c,
proto/postconf.proto, proto/POSTSCREEN_README.html.
20110112
Cleanup: suspend/resume logic for postscreen(8) SMTP sessions
that temporarily switch control to an external program such
as tlsproxy, or perhaps a future policy plugin. Files:
postscreen/postscreen_smtpd, postscreen/postscreen_starttls.c.
20110113
Cleanup: ps_cache and psc_cache are now postscreen_cache.
There is no need for obscure name abbrevations. File:
src/global/mail_params.h.
20110115
Workaround: malloc fuzz (safety margin for malloc requests).
Files: util/sys_defs.h, util/mymalloc.c.
Cleanup: dnsblog_service_name and tlsproxy_service_name are
now configurable, in case someone needs this. Files:
global/mail_params.h, postscreen/postscreen.c, mantools/postlink,
proto/postconf.proto.
20110116
Cleanup: soft_bounce support for postscreen(8). Files:
postscreen/postscreen_smtpd.c, postscreen/postscreen_send.c.
Cleanup: for smtpd(8) compatibility, postscreen(8) now
strips deprecated route address prefixes from email addresses
(@here,@there:user@example becomes user@example). This is
primarily to make postscreen(8) logging more similar to
that of smtpd(8). File: postscreen/postscreen_smtpd.c.
Cleanup: documentation, in preparation for the Postfix 2.8
stable release.
20110117
Bugfix (introduced Postfix alpha, or thereabouts): on HP-UX
the Postfix event engine was deaf for SIGALRM signals.
Symptoms were killed processes when the watchdog timeout
was less than max_idle. The fix is the same as Solaris fix
20110109. Since we can't know what other systems need this,
the workaround is enabled by default. Files: util/sys_defs.h.
Cleanup: "smtpd_tls_eecdh_grade = strong" by default, instead
of snapshot-only. File: global/mail_params.h, proto/postconf.proto.
Cleanup: missing "#include <errno.h>" in util/watchdog.c.
Bugfix: when compiled without -DUSE_TLS, tlsproxy used the
wrong server skeleton (multi_server instead of event_server).
File: tlsproxy/tlsproxy.c.
Workaround: added a panic check for code that is mis-compiled
by the HP-UX compiler. File: postscreen/postscreen.c,
postscreen/postscreen.h, postscreen/postscreen_state.c.
20110118
Bugfix: the tls_disable_workarounds word list only included
workarounds in SSL_OP_ALL. Problem report by Steve Jenkins,
problem fix by Victor Duchovni. File: tls/tls_misc.c.
Last-minute incompatible syntax change: Postfix now uses
";" instead of "," to separate DNSBL/DNSWL address filter
fields inside "[]". The compatibility break is not an issue,
because the syntax never worked in main.cf. Problem reported
by Mark Martinec. Files: util/ip_match.c, util/ip_match.in,
util/ip_match.ref, proto/postconf.proto.
Cleanup: postscreen now monitors the AVERAGE latency of
table access, and complains at most once per minute. File:
postscreen/postscreen_dict.c.
Bugfix: support for the "dunno" command somehow disappeared
from the postscreen_access_list implementation. File:
postscreen/postscreen_access.c.
20110123
Feature: read/write deadlines. Deadlines were introduced
with postscreen's dummy SMTP engine. In the Postfix SMTP
client and server, deadlines limit the total amount of time
to read or write one command line, one response line, or
one line of message content. This reduces the impact of
application exhaustion attacks that trickle data one byte
at a time. Files: util/vstream.[hc], global/smtp_stream.c.
Cleanup: remove #ifdef MIGRATION_WARNING transitional code
from postscreen. File: postscreen/postscreen.c.
20110125
Cleaned up and finalized read/write deadline support. Once
this code has been fielded it can go into Postfix 2.8.1,
and made available as optional patch for earlier releases.
Further refinements have only dimishing returns and can
evolve in the 2.9 release cycle. File: util/vstream.c.
20110128
Infrastructure: separate VSTREAM flags for read or write
errors. Files: util/vbuf.[hc], util/vstream.[hc].
Cleanup: after write error, the smtp_stream routines now
disable further network writes. This eliminates the need
for clumsy code to avoid unwanted I/O while shutting down
a TLS engine or closing a VSTREAM. File: util/smtp_stream.c.
20110201
Cleanup: when verifying that the client_address->client_name
lookup result resolves to the client_address, request
hostname->address lookup with the same protocol family (IPv4
or IPv6) as the client_address. Files: util/myaddrinfo.[hc],
smtpd/smtpd_peer.c, qmqpd/qmqpd_peer.c.
20110205
Infrastructure: vstream_peek_data() primitive to look ahead
at buffered input. Use vstream_peek() to find out how much,
and escape() for human presentation. Files: util/vstream.[hc].
Cleanup: smtpd(8) and postscreen(8) now log the input that
triggers an SMTP command pipelining violation. File:
postscreen/postscreen_smtpd.c, smtpd/smtpd.c.
Infrastructure: smtp_get() option to skip over input in
excess of the line length limit. Files: smtp/smtp_stream.[hc].
Cleanup: handle excessively-long client requests and server
responses more gracefully, i.e. without losing synchronization.
Files: smtpd/smtpd_chat.c, smtpd/smtpd_proxy.c, smtp/smtp_chat.c,
smtpstone/smtp-source.c.
20110207
Bugfix (introduced Postfix 2.8): segfault with smtpd_tls_loglevel
>= 3. Files: tls/tls_server.c, tls.h, smtpd.c, tlsproxy.c.
Cleanup: read/write deadline support for single_server TLS
applications (i.e. smtpd(8), smtp(8)). File: tls/tls_bio_ops.c.
20110212
Infrastructure: run-time switch for read/write deadline
support. Files: util/vstream.[hc], global/smtp_stream.[hc],
tls/tls_bio_ops.c.
Cleanup: configurable read/write deadline support with
smtpd_per_record_deadline (normal: "no", overload: "yes")
and smtp_per_record_deadline (default: "no"). Files:
global/mail_params.h, smtpd/smtpd.c, smtp/smtp.c,
smtp/smtp_proto.c, proto/postconf.proto, mantools/postlink.
20110213
Workaround: the TLS library passes the same information via
different function arguments, and this same information is
maintained by different functions, so things get out of
step when code is updated. As of 20110212, tls_client_start()
needs to set the VSTREAM property of the TLS session object.
File: tls/tls_client.c.
20110215
Human factors: the FCRDNS (forward-confirmed reverse DNS)
checking code now logs "hostname X does not resolve to
address Y", when a "reverse hostname" lookup result does
not resolve to the client IP address. Files: smtpd/smtpd_peer.c,
qmqpr/qmqpd_peer.c.
20110216
Cleanup: don't log a "connection reset by peer" error when
postscreen(8) tries to send a server response. File:
postscreen/postscreen_send.c.
20110218
Cleanup: Postfix now uses long integers for message_size_limit,
mailbox_size_limit and virtual_mailbox_limit. On LP64 (64-bit
long and pointer, but 32-bit integer) systems, these message
and mailbox limits can now exceed 2GB. Files: global/mail_params.c
global/mail_params.h local/local.c master/event_server.c
master/mail_server.h master/multi_server.c master/single_server.c
master/trigger_server.c virtual/virtual.c postconf/extract.awk
postconf/postconf.c.
20110220
Cleanup: compiler gripe. File: util/vstream.c.
20110223
Cleanup: Debian build tool gripe. File: smtpstone/smtp-sink.c.
20110224
postscreen(8) support to enforce proper client MX lookup
policy. Some spambots connect first to a backup MX address
in the hope that the server has a weaker anti-spam policy.
By listening on both primary and backup MX addresses,
postscreen(8) can deny the temporary whitelist status to
clients that connect only to backup MX hosts, and prevent
them from talking to a Postfix SMTP server process.
For example, when 1.2.3.4 is a local backup IP address,
specify "postscreen_whitelist_interfaces = !1.2.3.4 static:all"
to disable dynamic whitelisting for clients that connect
(only) to the backup MX address. Files: mantools/postlink,
proto/postconf.proto, proto/POSTSCREEN_README.html,
global/mail_params.h, postscreen/postscreen.c,
postscreen/postscreen.h, postscreen/postscreen_state.c.
20110225
Workaround (problem introduced with IPv6 support in Postfix
2.2): the SMTP client did not support mail to [ipv6:ipv6addr].
Fix based on a patch by Gurusamy Sarathy (Sophos). File:
util/host_port.c and regression test files.
20110227
Portability: FreeBSD closefrom() support time window. Sahil
Tandon. File: util/sys_defs.h.
Cleanup: each lookup table now has an owner status and UID
attributes for provenance purposes, even memory-resident
tables such as pcre, regexp and cidr. This fixes a problem
where local(8) ignored the non-root ownership of a regular
expression-based aliases(5) file. The table owner status
is TRUSTED (data straight from root-owned configuration
file), UNKNOWN (unauthenticated data from proxy or tcp) or
KNOWN (we actually have an owner UID). With most tables,
the owner UID is the file owner UID. With LDAP and *SQL,
the owner UID is the Postfix configuration file owner.
Files: src/util/dict_unix.c src/util/dict_thash.c
src/util/dict_static.c src/util/dict_sdbm.c src/util/dict_regexp.c
src/util/dict_pcre.c src/util/dict_nisplus.c src/util/dict_nis.c
src/util/dict_ni.c src/util/dict_ht.c src/util/dict_env.c
src/util/dict_dbm.c src/util/dict_db.c src/util/dict_cidr.c
src/util/dict_cdb.c src/util/dict_alloc.c src/util/dict.h
src/util/dict.c src/local/alias.c src/global/dict_sqlite.c
src/global/dict_pgsql.c src/global/dict_mysql.c
src/global/dict_ldap.c src/global/cfg_parser.h
src/global/cfg_parser.c.
20110311
Feature: Base 32 encoder/decoder per RFC 4648. This code
was going to be used for long queue IDs, but plans were
changed. Files: src/util/base32_code.[hc].
20110313
Bugfix (introduced Postfix 2.8): postscreen DNSBL scoring
error. When a client disconnected and then reconnected
before all DNSBL results for the earlier session arrived,
DNSBL results for the earlier session would be added to the
score for the later session. Problem report by Larry Vaden.
Files: dnsblog/dnsblog.c, postscreen/postscreen_dnsbl.c.
Cleanup: protocol description in dnsblog(8) manpage. File:
dnsblog/dnsblog.c.
20110314
Portability: the SUN compiler had trouble with a pointer
expression of the form ``("text1" "text2") + constant'' so
we don't try to be so clever. Fix by Victor Duchovni. File:
global/mail_params.h.
20110320
Feature: specify "enable_long_queue_ids = yes" to enable
support for non-repeating queue IDs (also used as queue
file names). These queue IDs encode the time and inode
number with a safe alphabet of the 52 characters 0-9B-Zb-z.
The alphabet excludes vowels (AEIOUaeiou) to avoid creating
real words. The queue ID format is: time in seconds, time
in microseconds, 'z', inode number (the inode number is
encoded without using the 'z' character of the safe alphabet).
Turning on long queue IDs changes the width of the first
output column of the mailq (postqueue -p) command, and
changes the appearance of Postfix Message-ID headers to
queueID@myhostname. Files: global/file_id.[hc],
global/safe_ultostr.[hc], global/mail_queue.[hc],
postsuper/postsuper.c, showq/showq.c
20110321
Performance: with long queue file names, queue hashing now
produces the same result as with short names. Postfix uses
the hexadecimal representation of the file creation time
in microseconds, instead of the beginning of the file name
which changes once every year or so, a problem that was
reported by Victor Duchovni. The base 16 encoding gives
finer control over the number of directories than possible
with base 52 encoding. Files: global/mail_queue.[hc]. This
change requires "postfix reload".
20110322
Cleanup: preserve the microseconds value when renaming
long->short or short->short queue file names. As a side
benefit, renaming long->short queue IDs will not change the
result from queue hashing. File: postsuper/postsuper.c.
20110323
Bitrot: qshape regexp pattern for long queue file names.
Ralf Hildebrandt. File: auxiliary/qshape/qshape.pl.
Bitrot: text about queue ID reuse in the postsuper manpage.
File: postsuper/postsuper.c.
20110328
Cleanup: don't log warnings about socket shutdown() errors
after a connection breaks. Postfix calls shutdown() to avoid
unnecessary socket write timeouts. This is only an optimization,
and failure is not critical. File: global/smtp_stream.c.
20110411
Cleanup: postscreen(8) and verify(8) daemons now lock their
respective cache file exclusively upon open, to avoid massive
cache corruption by unsupported sharing. Files: util/dict.h,
util/dict_open.c, verify/verify.c, postscreen/postscreen.c.
20110414
Bugfix (introduced with Postfix SASL patch 20000314): don't
reuse a server Cyrus SASL handle after authentication
failure. File: smtpd/smtpd_proto.c.
20110418
Bugfix (introduced Postfix 2.3 and Postfix 2.7): the Milter
client reported some "file too large" errors as temporary
errors. Problem reported by Michael Tokarev. Files:
milter/milter8.c, cleanup/cleanup_milter.c.
20110420
Performance: a high load of DSN success notification requests
could stall the queue manager. Solution: make the trace
client asynchronous, just like the bounce and defer clients.
Problem reported by Eduardo M. Stelmaszczyk of terra.com.br.
Files: global/abounce.[hc], *qmgr/qmgr_active.c (the
qmgr_active.c files are identical).
20110421
Cleanup: updated abounce warning message, and added a safety
timeout to abounce() etc. requests. File: global/abounce.c.
20110426
Bugfix (introduced in Postfix 1.1, duplicated in Postfix
2.3, unrelated mistake in Postfix 2.7): the local(8) delivery
agent ignored table lookup errors in mailbox_command_maps,
mailbox_transport_maps, fallback_transport_maps and (while
bouncing mail to alias) alias owner lookup. Problem reported
by William Ono. Files: local/command.c, local/mailbox.c,
local/unknown.c, local/bounce_workaround.c.
20110516
Update the warning when permit_naked_ip_address is used,
and add permit_sasl_authenticated to the list of suggested
alternatives. File: smtpd/smtpd_check.c.
20110601
Bugfix (introduced Postfix 2.6 with master_service_disable)
loop control error when parsing a malformed master.cf file.
Found by Coverity. File: master/master_ent.c.
20110602
Bugfix (introduced: Postfix 2.7): "sendmail -t" reported
"protocol error" after queue file write error. File:
postdrop/postdrop.c.
20110605
Cleanup: removed the PSC_STATE_FLAG_CACHE_EXPIRED flag.
Nothing uses this anymore. Files: postscreen/postscreen.h,
postscreen/postscreen_state.c, postscreen/postscreen_tests.c.
20110614
Linux kernel version 3 support. Linus Torvalds has reset
the counters for reasons not related to changes in code.
Files: makedefs, util/sys_defs.h.
20110615
Workaround: some Spamhaus RHSBL rejects lookups with "No
IP queries" even if the name has an alphanumerical prefix.
We play safe, and skip both RHSBL and RHSWL queries for
names ending in a numerical suffix. File: smtpd/smtpd_check.c.
20110624
Cleanup: added error checks for smtpd access primitives
that don't automatically terminate the program after table
lookup error: these primitives are permit_tls_clientcerts,
permit_tls_all_clientcerts, and check_address_map (the last
one is used in local_header_rewrite_clients only). File:
smtpd/smtpd_check.c.
20110729
Workaround: some getpwnam() and getpwuid() implementations
cause mail to bounce ("user unknown") after LDAP etc. lookup
error. Postfix now uses POSIX getpwnam_r() and getpwuid_r()
where available. Initially, this workaround supports FreeBSD,
Solaris and Linux. Files: makedefs, util/sys_defs.h,
global/mypwd.[hc], local/alias.c, local/dotforward.c,
local/include.c, local/mailbox.c, local/recipient.c.
20110731
MacOS X 10.5 supports POSIX getpwnam_r() and getpwuid_r()
(source: MacOS manpages at www.freebsd.org). If MacOS turns
out to make a false promise, then we will undo this change.
Files: makedefs, util/sys_defs.h.
20110810
Cleanup: optimize an optimization to avoid uid->name lookup
when all users are authorized with authorized_submit_users,
authorized_mailq_users, authorized_flush_users. File:
global/user_acl.c.
20110811
Workaround: report a {client_connections} Milter macro value
of zero instead of garbage, when the remote SMTP client is
not subject to any smtpd_client_* limits. Problem reported
by Christian Roessner. Files: smtpd/smtpd_state.c,
proto/MILTER_README.html.
20110817
Cleanup: avoid misleading error messages after future code
change. The tls_bio_ops(3) module now returns non-zero errno
values only when requests fail due to a system-call error.
File: tls/tls_bio_ops.c.
Cleanup: TLS handshake error messages. The SMTP client and
server now report STARTTLS network errors as "connection
timed out", "connection reset by peer", etc., instead of
reporting TLS error number 0. Files: tls/tls_bio_ops.c,
tls/tls_server.c, tls/tls_client.c.
20110818
Cleanup: VSTREAM-over-TLS error return values, for robustness
against future change. For consistency with VSTREAM internal
interfaces, the tls_stream(3) read/write routines now return
-1 instead of unspecified negative OpenSSL results. File:
tls/tls_stream.c.
20110819
Cleanup: further TLS code cleanups, for robustness against
future change. Unexpected TLS errors are no longer silently
treated as ordinary errors, and one corner-case error in TLS
timeout handling was fixed before it could cause trouble.
File: tls/tls_bio_ops.c.
20110821-24
Cleanup: simplified the TLS read/write deadline implementation,
and documented why this same simplification is not possible
higher-up, at the VSTREAM level. Files: tls/tls_bio_ops.c,
util/vstream.c.
20110831
Bugfix: allow for Milters that send an SMTP server reply
without RFC 3463 enhanced status code. Reported by Vladimir
Vassiliev. File: milter/milter8.c.
20110902
Cleanup: don't log vstream_tweak "connection reset by peer"
errors. File: util/vstream_tweak.c.
20110904-7
Bugfix: master daemon panic with "master_spawn: at process
limit", when "postfix reload" reduces the process limit
from (a value larger than the current process count for
some service) to (a value <= the current process count),
and then a new connection is made to that service. This
structural solution centralizes the decision to monitor a
service port (or not). To improve robustness against future
code changes, it clarifies some of the internal dependencies
that exist inside the master daemon. Files: master/master.h,
master/master_avail.c, master/master_conf.c,
master/master_service.c, master/master_spawn.c.
20110911
Debugging: report the request size when memory allocation
fails. File util/mymalloc.c.
20110914
Incompatibility: the default inet_protocols value is now
"all" instead of "ipv4", meaning use both IPv4 and IPv6.
As a compatibility workaround for sites without global IPv6
connectivity, the commands "make upgrade" and "postfix
upgrade-configuration" append "inet_protocols = ipv4" to
main.cf when no explicit setting is present. This compatibility
workaround will be phased out in a future release. Files:
util/sys_defs.h, conf/post-install, proto/postconf.proto.
Incompatibility: the default smtp_address_preference value
is now "any" instead of "ipv6", meaning choose randomly
between IPv6 and IPv4. With this the Postfix SMTP client
will have more success delivering mail to sites that have
problematic IPv6 configurations. Files: global/mail_params.h,
proto/postconf.proto.
20110918
Workaround for multiple ancient FreeBSD getsockopt() bugs
after non-blocking connect fails with 'host unreachable'
that resulted in a unreasonable memory allocation request.
File: util/vstream_tweak.c.
20110921
Bugfix (introduced: Postfix 1.1): smtpd(8) did not sanitize
newline characters in cleanup(8) REJECT messages, causing
them to be sent out via SMTP as bare newline characters.
This happened when a REJECT pattern matched multi-line
header text. Discovered by Kevin Locke. File: smtpd/smtpd.c.
20110922
Bugfix (introduced: Postfix 2.1): smtpd(8) sent multi-line
responses from a before-queue content filter as text with
bare <LF> instead of <CR><LF>. Found during code maintenance.
File: smtpd/smtpd_proxy.c.
20111011
Cleanup: for consistency with the SMTP standard, the
smtp_line_length_limit default value was increased from 990
characters to 998 (i.e. 1000 characters including <CR><LF>).
File: global/mail_params.h, proto/postconf.proto.
Cleanup: the Postfix sendmail command now always transforms
all input lines ending in <CR><LF> into UNIX format (lines
ending in <LF>). This simplifies integration with third-party
mail generating applications. Specify "sendmail_fix_line_endings
= strict" to restore historical Postfix behavior (i.e. convert
all input lines ending in <CR><LF> only if the first input
line ends in <CR><LF>). Files: sendmail/sendmail.c,
global/mail_params.h, proto/postconf.proto.
20111017
Cleanup: refined the heuristic that automagically transforms
legacy "sendmail -V" VERP requests into contemporary "sendmail
-XV" syntax. File: sendmail/sendmail.c.
Cleanup: when the cleanup daemon goes into discard mode,
don't get stuck when it runs onto milter file descriptor
information. File: cleanup/cleanup.c.
20111020
EAI Future-proofing: don't apply strict_mime_encoding_domain
checks to unknown message subtypes such as message/global*.
File: global/mime_state.c.
20111025
Bugfix (introduced: Postfix 2.8): postscreen sent non-compliant
SMTP responses (220- followed by 421) when it could not
hand off a connection to a real smtpd process, causing some
remote SMTP clients to bounce mail. The fix redirects the
client to the dummy SMTP engine which sends the 421 reply
at the first legitimate opportunity. Problem reported by
Ralf Hildebrandt. Files: postscreen/postscreen_send.c,
postscreen/postscreen_smtpd.c, postscreen/postscreen.h.
20111102
Workaround: to improve inter-operability with broken remote
SMTP servers, the Postfix SMTP client by default no longer
appends the "AUTH=<>" option to the MAIL FROM command.
Specify "smtp_send_dummy_mail_auth = yes" to restore the
old behavior.
20111106
Feature: "postconf -M" support to show Postfix's idea of
what is in the master.cf file. File: postconf/postconf.c.
Feature: postconf "-f" option to "nicely" format long lines
from main.cf or master.cf. File: postconf/postconf.c.
20111108
Cleanup: postconf finally supports dynamic configuration
parameter names: parameters whose name depend on a mail
delivery transport or spawn service in master.cf, and
parameters whose names are specified with smtpd_restriction_classes
in main.cf. This adds 70 parameters to the "postconf" output,
more if additional mail delivery transports are defined in
master.cf. File: postconf/postconf.c.
20111109
Cleanup: account for "," in smtpd_restriction_classes
value (Victor Duchovni). File: postconf/postconf.c.
20111112
Cleanup: postconf finally warns about possible mis-typed
main.cf and master.cf parameter names (i.e. parameters that
aren't used anywhere), and it finally displays user-defined
main.cf parameters that *are* used. File: postconf/postconf.c.
20111113
Portability: specify ``make makefiles "CCARGS=-DNO_NIS
..."'' to build on systems without NIS support. Files:
makedefs, util/sys_defs.h.
Cleanup: documented the postconf algorithms and their
limitations, and added regression tests to speed up future
development. File: postconf/postconf.c
20111117
Cleanup: postconf didn't "bless" type "inet" service names.
Cleanup: with pipelined sessions, smtp-sink flushed the
output too often. Reported by Mark Martinec. File:
smtpstone/smtp-sink.c.
Workaround: don't use IPv6 at build time. File: conf/main.cf.
Workaround: don't abort when IPv6 is present but busted.
File: util/inet_proto.c.
Portability: the Dovecot 2.0 authentication server supports
more socket types for its authentication server. File:
xsasl/xsasl_dovecot_server.c.
Documentation: the Dovecot 2.0 authentication server supports
communication over TCP sockets. Patrick Ben Koetter. File:
proto/SASL_README.html.
20111118
Cleanup: "postconf -M" now supports filtering. For example,
"postconf -M inet" shows only services that listen on the
network, and "postconf -M smtp.unix" shows the SMTP delivery
agent. File: postconf.c.
20111119
Cleanup: "postconf" commands in postfix-install needed to
be updated before master.cf was installed. Reported by
Sahil Tandon. File: postfix-install.
20111120
Cleanup: support for parameter name spaces for master.cf
entries. With this, postconf should no longer log false
warnings for "-o user-defined-name=value" in master.cf. As
a benefit, it will warn for user-defined parameters with
"name=value" entries that are unused because they are hidden
by master.cf "-o name=value" entries with the same parameter
name. File: postconf/postconf.c.
20111121
Cleanup: documentation fixes. File: postconf/postconf.c.
Cleanup: in postconf "main.cf management" mode, errors
opening master.cf are non-fatal. File: postconf/postconf.c.
20111122
Documentation: examples to request VERP-style delivery at
SMTP time with the smtpd_command_filter feature. Files:
proto/VERP_README.html, proto/postconf.proto.
Feature: TLS certificate public-key fingerprint matching
(SMTP server and client), and TLS logging cleanup. Victor
Duchovni. Files: proto/SMTPD_POLICY_README.html,
proto/TLS_README.html, proto/postconf.proto, global/mail_proto.h,
smtpd/smtpd_check.c, tls/tls.h, tls/tls_client.c, tls/tls_misc.c,
tls/tls_proxy_print.c, tls/tls_proxy_scan.c, tls/tls_server.c,
tls/tls_stream.c, tls/tls_verify.c.
Documentation: complete list of "make makefiles" overrides.
File: proto/INSTALL.html.
Cleanup: postscreen now logs more than the first word of
non-SMTP commands. File: postscreen/postscreen_smtpd.c.
20111124
Cleanup: eliminated false postconf "unused parameter"
warnings with legacy parameters such as $virtual_maps, and
with non-default parameter values for smtpd_expansion_filter
that can contain legitimate "$" without a macro name.
Cleanup: split postconf source into separate modules.
Files: postconf/postconf.c, postconf/postconf_builtin.c,
postconf/postconf_edit.c, postconf/postconf_main.c,
postconf/postconf_master.c, postconf/postconf_misc.c,
postconf/postconf_node.c, postconf/postconf_other.c,
postconf/postconf_service.c postconf/postconf_unused.c,
postconf/postconf_user.c, postconf/postconf.h.
20111126
Bitrot: changes in error reporting to the under-documented
OpenLDAP API. Problem reported by Quanah Gibson-Mount. Fix
by Viktor Dukhovni. File: global/dict_ldap.c.
Cleanup: four-space indentation had become a tab character.
Files: postconf/postconf.h, postconf/test20.ref,
postconf/test21.ref.
20111127
Cleanup: documented <transport>_suffix parameters that don't
show in postconf command output of earlier Postfix versions.
Files: proto/SMTPD_POLICY_README.html, proto/postconf.proto,
proto/SCHEDULER_README.html.
Cleanup: added the pipe(8) delivery agent to the list of
programs that implement transport_time_limit parameters.
File: postconf/postconf_service.c, postconf/test6.ref,
postconf/test22.ref.
20111128
Feature: "postconf -C class,..." support to print parameters
in one or more classes (builtin= built-in parameter names,
service=service-defined parameter names, user=user-defined
parameter names). Files: postconf/postconf.c, postconf/postconf.h,
postconf_service.c, postconf/postconf_user.c.
20111129
Cleanup: TLS logging level configuration. Files:
global/mail_params.h, smtp/lmtp_params.c, smtp/smtp.c,
smtp/smtp_params.c, smtp/smtp_proto.c, smtpd/smtpd.c,
tls/tls.h, tls/tls_client.c, tls/tls_misc.c, tls/tls_server.c,
tlsmgr/tlsmgr.c, tlsproxy/tlsproxy.c.
20111203
Cleanup: time-dependent sender addresses of address
verification probes. Specify an address_verify_sender_ttl
value of several hours or more to frustrate address harvesting.
Files: global/verify_sender_addr.[hc], smtpd/smtpd.c,
smtpd/smtpd_check.c, verify/verify.c, proto/postconf.proto,
proto/ADDRESS_VERIFICATION_README.html.
20111204
Cleanup: removed the log_level arguments from tls_client_start()
and tls_server_start() calls. This information is already
given to tls_client_init() and tls_server_init(). Files:
smtpd/smtpd.c, tlsproxy/tlsproxy.c, smtp/smtp_proto.c,
tls/tls.h, tls/tls_client.c, tls/tls_server.c, tls/tls_misc.c.
20111205
Documentation: made the postconf(5) manpage more precise
in its use of "client" and "server"; reorganized the
TLS_README presentation of client configuration so that
most relevant information is presented earlier. Files:
proto/postconf.proto, proto/TLS_README.html.
Bugfix: tlsproxy(8) stored TLS sessions with a serverID of
"tlsproxy" instead of "smtpd", wasting an opportunity for
session reuse. File: tlsproxy/tlsproxy.c.
20111206
Documentation: removed descriptions of Postfix < 2.3 user
interface from TLS_README. Users of earlier releases are
referred to TLS_LEGACY_README. File: proto/TLS_README.html.
20111207
Cleanup: tlsproxy(8) now receives the session cache serverID
from its client (postscreen(8)). Files: global/mail_proto.h,
postscreen/postscreen_starttls.c, tlsproxy/tlsproxy.[hc],
tlsproxy_state.c.
Cleanup: the postscreen(8) daemon did not support a zero
cache cleanup interval. This is needed for memcache support.
File: postscreen/postscreen.c.
Bugfix (introduced: 20110227): null pointer bug while
updating dictionary owner attributes, after reading an empty
(database) configuration file. File: util/dict.c.
20111208
Cleanup: db_common_parse_domain() could not be called without
preceding db_common_parse() call. Files: global/db_common.[hc].
20111209
Feature: memcache client support. This implementation is
based on the under-documented libmemcache library, and
therefore supports only libmemcache version 1.4.0. Files:
conf/postfix-files, global/dict_memcache.[hc], global/mail_dict.c,
html/index.html, mantools/postlink, postconf/postconf.c,
postfix/postfix.c, proto/DATABASE_README.html,
proto/MEMCACHE_README.html, proto/memcache_table.
20111209
Cleanup: support for scripted and manual database tests with
LDAP, *SQL, and memcache. Files: util/dict_test.c, util/dict.c,
global/mail_dict.c.
Workaround: apparently, some distributions use Postfix
shared libraries without proper so-number versioning. This
causes programs to fail mysteriously, after an update
replaces the Postfix library but not the program (someone
experienced this with an extra copy of the Postfix SMTP
server). Files: global/mail_version.[hc], master/*server.c,
master/master.c, src/postalias/postalias.c,
src/postdrop/postdrop.c, src/postfix/postfix.c,
src/postlog/postlog.c, src/postmap/postmap.c,
src/postmulti/postmulti.c, src/postqueue/postqueue.c,
src/postsuper/postsuper.c, src/sendmail/sendmail.c.
20111211
Feature: first/next (sequence) support in the proxymap
protocol. This is needed for cache cleanup of a proxied
postscreen or verify persistent cache. Files:
global/dict_proxy.[hc], proxymap/proxymap.c.
Feature: memcache client support without libmemcache
dependencies. Files: global/memcache_proto.[hc],
global/dict_memcache.c.
Bugfix: missing lookup table entry and terminator, causing
proxymap(8) server segfault when postscreen(8) or verify(8)
attempted to access their cache via the proxymap(8) server.
This could never have worked anyway, because the Postfix
proxymap protocol did not support cache cleanup. File
util/dict.c.
Feature: support for persistent backup database in the
memcache client. The database can be shared with the proxymap
service, but it needs to be listed as "proxy:maptype:mapname"
in the proxy_read_maps or proxy_write_maps parameter value
(depending on whether the access is read-only or read-write).
Support for proxymap-over-tcp (proxy:maptype:mapname@host:port)
is under development. File: global/dict_memcache.c.
20111214
Documentation: updated the submission and smtps examples
in the sample master.cf file, so that their logging is
easier to recognize. File: conf/master.cf.
20111215
Documentation: use different hosts to separate MUA "port
25" traffic from the "port 25" MX service. Files:
postscreen/postscreen.c, proto/POSTSCREEN_README.html.
20111216
Cleanup: the proxymap client did not correctly propagate
the "open_lock" flag, causing the proxymap service to open
postscreen(8) and verify(8) caches twice, instead of once.
File: global/dict_proxy.c.
Cleanup: the verify and postscreen caches were not listed
as "authorized" for access via the proxywrite service. File:
global/mail_params.h.
Refactoring: the postscreen permanent access list code is
now a library module, so that it can be also used for remote
access to the proxymap server. Files: global/server_acl.[hc].
Hardening: read/write deadlines, to make the proxymap server
suitable for remote access. File: proxymap/proxymap.c.
20111217
Cleanup: more orthogonal definition of when the proxymap
server can/cannot share a single map instance among multiple
requestors, and corresponding code cleanup in the proxymap
client and server. Files: util/dict.h, util/dict_test.c,
global/dict_proxy.c, proxymap/proxymap.c.
Human factors: the postscreen/verify cache manager now logs
the full database name including the proxy: prefix, to avoid
WTF surprises. File: util/dict_cache.c.
20111218
Cleanup: more configurable memcache client error handling.
Files: global/dict_memcache.c, proto/memcache_table.
Feature: the Postfix SMTP server XCLIENT command now supports
the LOGIN attribute (e.g., login information from nginx).
Based on the nginx:xclient-login-patch from citrin.ru (Anton
Yuzhis). The patch was further enhanced to support SASL
login information everywhere in the Postfix SMTP server
without having to specify "smtpd_sasl_auth_enable = yes"
in main.cf. Files: smtpd.[hc], smtpd_sasl_glue.[hc],
smtpd_check.c, smtpd_sasl_proto.[hc], smtpd_state.c,
proto/XCLIENT_README.html.
Incompatibility: the Postfix SMTP server now always checks
the smtpd_sender_login_maps table, even without having
"smtpd_sasl_auth_enable = yes" in main.cf.
20111219
Cleanup: the match_list-based primitives now provide an
option to return an error result instead of terminating the
process with a fatal error. Files: util/match_ops.[hc],
util/match_list.c, global/addr_list_match.c, domain_list.c,
string_list.c, namadr_list.c.
Cleanup: a "fail:" database type that reliably fails all
requests. The lookup table name specifies the internal error
result code. having this table facilitates a systematic
review of all Postfix table lookup error handling.
Cleanup: trivial-rewrite now "catches" errors with implicit
database lookups in virtual_alias_domains, relay_domains,
virtual_mailbox_domains, just like it already caught explicit
database lookup errors. This means there are fewer occasions
where trivial-rewrite clients will appear to hang. File:
trivial-rewrite/resolve.c.
Cleanup: a broken relay_domains table would cause many
Postfix processes to terminate with fatal error as they
initialized the flush() client (used by defer_append()
etc.). Postfix now logs a warning instead. File:
global/flush_clnt.c.
Cleanup: the Postfix SMTP server now "catches" errors with
implicit database lookups in mynetworks, TLS client certificate
tables, and local_header_rewrite_clients, and reports "server
configuration error" or "table lookup error" instead of
terminating with a fatal error. This is work in progress;
errors with opening a database may be covered later. Files:
smtpd/smtpd.c, smtpd/smtpd_check.c.
20111220
Cleanup: the Postfix SMTP server now "catches" errors with
implicit database lookups in mynetworks, debug_peer_list,
smtpd_client_event_limit_exceptions, permit_mx_backup_networks.
This continues work started 20111219, and does not cover
errors with opening a database. Files: smtpd/smtpd.c,
smtpd/smtpd_checks.c, smtpd/smtpd_error.in, smtpd/smtpd_error.ref.
Cleanup: memory leak testing of error handling. File:
util/name_mask.c.
20111222
Cleanup: memory leak testing of error handling. File:
util/name_mask.c.
Cleanup: simplified the match_list error reporting, thereby
reducing the footprint of the changes to "catch" errors
with implicit database lookups in mynetworks, and other
lists. Files: util/match_ops.[hc], util/match_list.c,
global/addr_list_match.c, domain_list.c, string_list.c,
namadr_list.c, trivial-rewrite/resolve.c, smtpd/smtpd.c,
smtpd/smtpd_check.c, global/flush_clnt.c, flush/flush.c.
20111224
Cleanup: eliminated the global dict_errno variable that
made error reporting convenient but not necessarily precise.
This was a straightforward change except in the few modules
that propagate errors from one dictionary API to another:
dict_cache.c, dict_debug.c, maps.c, dict_memcache.c. Files:
src/cleanup/cleanup_map11.c, src/cleanup/cleanup_map1n.c,
src/global/addr_match_list.c, src/global/dict_ldap.c,
src/global/dict_memcache.c, src/global/dict_mysql.c,
src/global/dict_pgsql.c, src/global/dict_proxy.c,
src/global/dict_sqlite.c, src/global/domain_list.c,
src/global/flush_clnt.c, src/global/mail_addr_find.c,
src/global/mail_addr_map.c, src/global/maps.c, src/global/maps.h,
src/global/match_parent_style.h, src/global/namadr_list.c,
src/global/resolve_local.c, src/global/resolve_local.h,
src/global/server_acl.c, src/global/string_list.c,
src/local/alias.c, src/local/bounce_workaround.c,
src/local/mailbox.c, src/local/unknown.c, src/proxymap/proxymap.c,
src/qmqpd/qmqpd.c, src/smtp/smtp_map11.c, src/smtpd/smtpd_check.c,
src/trivial-rewrite/resolve.c, src/trivial-rewrite/transport.c,
src/util/dict.h, src/util/dict_alloc.c, src/util/dict_cache.c,
src/util/dict_cidr.c, src/util/dict_db.c, src/util/dict_debug.c,
src/util/dict_env.c, src/util/dict_fail.c, src/util/dict_ht.c,
src/util/dict_pcre.c, src/util/dict_regexp.c,
src/util/dict_static.c, src/util/dict_tcp.c, src/util/dict_test.c,
src/util/dict_thash.c, src/util/dict_unix.c, src/util/match_list.c,
src/util/match_list.h, src/util/match_ops.c, src/virtual/mailbox.c.
20111226
Bugfix (introduced 20110426): after lookup error with
mailbox_transport_maps, mailbox_command_maps or
fallback_transport_maps, the local delivery agent did not
log the problem before deferring mail, and produced no defer
logfile record. Files: local/mailbox.c, local/unknown.c.
20120102
Workaround: degrade gracefully when the network protocols
specified with inet_protocols are unavailable. Files:
global/mail_params.c, global/mynetworks.c, global/own_inet_addr.c
master/master_ent.c, master/master_vars.c, postscreen/postscreen.c,
qmqpd/qmqpd.c, smtp/smtp_connect.c, smtpd/smtpd.c,
util/inet_proto.c.
20120107
Workaround: degrade gracefully when the "domain" feature
of LDAP, *SQL and memcache databases has a table lookup
problem. Files: global/db_common.c, global/dict_ldap.c,
global/dict*sql*.c, global/dict_memcache.c.
Cleanup: fixed memcache client error handling for things
that never happen. global/dict_memcache.c.
Future proofing: prepare postmap/postalias error logging
for future changes to database code. Files: postalias/postalias.c,
postmap/postmap.c.
20120108
Cleanup: the postscreen(8) and verify(8) cache managers log
warnings at a reduced rate of one per second per cache
operation, to avoid logging large numbers of warnings about
a problem with low-value information. File: util/msg_rate_delay.c,
util/dict_cache.c.
20120110
Cleanup: added logging for failed table lookups, and replaced
some "fatal" errors by warnings. Files: cleanup/cleanup_addr.c,
cleanup/cleanup_message.c, cleanup/cleanup_milter.c,
cleanup/cleanup_masquerade.c, global/header_body_checks.c,
global/smtp_stream.c, postscreen/postscreen_dnsbl.c,
postscreen/postscreen_smtpd.c, smtp/smtp_chat.c,
smtp/smtp_proto.c, smtp/smtp_sasl_auth_cache.c,
smtp/smtp_sasl_glue.c, smtp/smtp_session.c, smtp/smtp_trouble.c,
smtpd/smtpd.c, smtpd/smtpd_check.c.
20120114
Cleanup: gradual degradation after database file open errors.
Instead of terminating immediately with a "fatal" error, a
Postfix daemon logs an error and continues execution with
reduced functionality. In other words, features that don't
depend on the unavailable table will keep working. However,
for the sake of sanity, the number of such errors over the
life of a process is limited to 13. Files:
src/global/cfg_parser.c, src/util/dict_thash.c,
src/util/dict_cidr.c, src/util/dict_nis.c, src/util/dict_nisplus.c,
src/global/dict_ldap.c, src/global/dict_mysql.c,
src/global/dict_pgsql.c, src/global/dict_sqlite.c,
src/postconf/postconf_main.c, src/global/mail_conf.c,
src/util/dict.h, src/util/dict.c, src/global/dict_memcache.c,
src/util/dict_tcp.c, src/util/dict_unix.c, src/util/dict_pcre.c,
src/util/dict_regexp.c, src/master/trigger_server.c,
src/master/single_server.c, src/master/multi_server.c,
src/master/event_server.c, src/util/dict_test.c,
src/util/dict_surrogate.c, src/util/dict_alloc.c, src/util/msg.c,
src/util/dict_cdb.c, src/util/dict_dbm.c, src/util/msg.h,
src/util/dict_db.c.
Incompatibility: the Postfix SMTP server no longer reports
transcripts of sessions where a client command is rejected
because a table is unavailable. To receive such reports,
add the new "data" class to the notify_classes parameter
value. The reports will be sent to the error_notice_recipient
address as before. This class is also used by the Postfix
SMTP client to report about sessions that fail because a
table is unavailable. Files: global/mail_error.[hc],
smtpd/smtpd_check.c, smtp/smtp_trouble.c.
20120115
Fine tuning: SMTP server error messages. File: smtpd/smtpd.c.
Fine tuning: documentation. Files: proto/MEMCACHE_README.html.
proto/memcache_table.html.
Apply "gradual degradation" also when an unsupported database
*type* is specified. File: util/dict_open.c.
Cleanup: tiny memory leaks after surrogate database opens.
Files: util/dict_cidr.c, util/dict_db.c.
20120117
Cleanup: support for legacy-style database configuration
where parameter names are generated by appending suffixes
to the database name. Files: postconf/postconf_dbms.c.
Other: build without Berkeley DB support (make makefiles
"CCARGS=$CCARGS -DNO_DB"). Files: makedefs, util/sys_defs.h,
proto/DB_README.html, proto/INSTALL.html.
20120120
Compatibility: added file pflogsumm_quickfix.txt with quick
patches for pflogsumm that handle the new default master.cf
entries for the submission and smtps services.
20120121
Cleanup: getopt(3) compatibility in the postconf(1) master.cf
parser. Process "--" as the end-of-options indicator, and
process "-oname=value" as "-o name=value". Files:
util/argv.[hc], postconf/postconf_master.cf,
postconf/postconf_user.c.
20120122
Workaround: log a warning and suggested solution for common
stat()/fstat()/lstat() problems caused by 32-bit overflow.
This is a real stinker that causes Postfix to fail without
any prior warning. File: util/warn_stat.[hc], and everything
that directly calls stat(), fstat() or lstat().
20120127
Bugfix (introduced: Postfix 2.8): the Postfix client sqlite
quoting routine returned the unquoted result instead of the
quoted text. The opportunities for misuse are limited,
because Postfix sqlite files are usually owned by root, and
Postfix daemons usually run with non-root privileges so
they can't corrupt the database. Problem reported by Rob
McGee (rob0). File: global/dict_sqlite.c.
20120130
Bugfix (introduced: Postfix 2.3): the trace service did not
distinguish between DSN SUCCESS notifications for a non-bounce
or a bounce message. This code pre-dates DSN support and
should have been updated when it was re-purposed to handle
DSN SUCCESS notifications. Problem reported by Sabahattin
Gucukoglu. File: bounce/bounce_trace_service.c.
20120202
Bugfix (introduced: Postfix 2.3): the "change header" milter
request could replace the wrong header. A long header name
could match a shorter one, because a length check was done
on the wrong string. Reported by Vladimir Vassiliev. File:
cleanup/cleanup_milter.c.
20120214
Bugfix (introduced: Postfix 2.4): extraneous null assignment
caused core dump when postlog emitted the "usage" message.
Reported by Kant (fnord.hammer). File: postlog/postlog.c.
20120217
Bugfix (introduced 20111219): sendmail -bs segfault, due
to a missing guard statement after an smtpd_check_rewrite()
call was moved closer to the command processor loop. Fix
by Bartek Szady. File: smtpd/smtpd.c.
20120220
Cleanup: documentation of how to use only system-supplied
certificates with *CAfile and *CApath. File: proto/postconf.proto.
Cleanup: documentation of smtp_sasl_mechanism_filter. File:
proto/postconf.proto.
20120222
Cleanup: when multiple DNSBLs block an SMTP client, the
postscreen "reject" message now gives credit to the DNSBL
with the largest weight, instead of the DNSBL that replies
first. File: postscreen/postscreeb_dnsbl.c.
Cleanup: memcache_table(5) manpage. File proto/memcache_table.
20120225
Cleanup: eliminated the build-time Perl dependency. File:
bounce/annotate.sh.
Cleanup: when -DNO_DB support was added, the makedefs script
was not updated to skip the Linux Berkeley DB tests.
FreeBSD9 is now a supported platform. Files: makedefs,
util/sys_defs.h.
20120226
Cleanup: documentation in postfix-install.
20120229
Feature: smtpd_log_access_permit_actions to enable logging
of specific permit-like actions in Postfix SMTP server
access lists. Files: mantools/postlink, proto/postconf.proto,
global/mail_params.h, smtpd/smtpd.c, smtpd/smtpd_check.c.
20120306
To improve the interaction with start-up scripts, "postfix
start" now waits for master daemon process initialization
to complete, and returns a non-zero exit status if daemon
initialization failed or if it did not complete in a
reasonable amount of time. This involves a new "-w" master
option. Files: conf/postfix-script, master/master.c,
master/master.h. master/master_monitor.c.
20120307
postconf -X option to exclude parameters from main.cf
(require two-finger action, because this is irreversible).
Files: postconf/postconf.[hc], postconf/postconf_edit.c.
20120317
Feature: Sendmail-style socketmap. Files: util/dict_sockmap.[hc],
util/netstring.[hc], proto/DATABASE_README.html,
postconf/postconf.c.
20120330
Workaround: specify "\c" at the start of an smtp_reject_footer
template to suppress the line break between the reply text
and the footer text. Files: global/smtp_reply_footer.c,
proto/postconf.proto.
20120401
Bugfix (introduced Postfix 2.6): irrelevant memory leak
that was introduced with postconf -#. File:
postconf/postconf_edit.c.
Bitrot: shut up useless warnings about Cyrus SASL call-back
function pointer type mis-matches. Files: xsasl/xsasl_cyrus.h,
xsasl/xsasl_cyrus_server.c, xsasl/xsasl_client.c.
20120404
Cleanup: added smtpd_sender_login_maps to the default
proxy_read_maps value. Files: global/mail_params.h,
proxymap/proxymap.c.
Cleanup: weed out stale TODO's from the WISHLIST, and moved
some CYA text from WISHLIST into the code. Files: WISHLIST,
smtpd/smtpd_proxy.c.
20120407
Bugfix (introduced: 20120330): don't replace <reply-code>
<space> by <reply-code> <hyphen> when a reply footer starts
with \c and contains no \n. File: global/smtp_reply_footer.c.
20120422
Bit-rot: OpenSSL 1.0.1 introduces new protocols. Update the
known TLS protocol list so that protocols can be turned off
selectively to work around implementation bugs. Based on
a patch by Victor Duchovni. Files: proto/TLS_README.html,
proto/postconf.proto, tls/tls.h, tls/tls_misc.c, tls/tls_client.c,
tls/tls_server.c.
20120425
Workaround: bugs in 10-year old gcc versions break compilation
with #ifdef inside a macro invocation (NOT: definition).
Files: tls/tls.h, tls/tls_client.c, tls/tls_server.c.
20120426
Bugfix (introduced Postfix 2.9): the postconf command flagged
parameters defined in master.cf as "unused" when they were
used only in main.cf. Problem reported by Michael Tokarev.
Files: postconf/postconf_user.c, postconf/test4b.ref,
postconf Makefile.in.
20120513
Cleanup: report both the first and last line number when a
malformed main.cf entry spans multiple lines, instead of
reporting the last line number only. File: util/dict.c,
util/line_number.[hc].
20120516
Workaround: apparently, FreeBSD 8.3 kqueue notifications
sometimes break when a dnsblog(8) process loses an accept()
race on a shared socket, resulting in repeated "connect to
private/dnsblog service: Connection refused" warnings. This
condition is unique to dnsblog(8). The postscreen(8) daemon
closes a postscreen-to-dnsblog connection as soon as it
receives a dnsblog(8) reply, resulting in hundreds or
thousands of connection requests per second. All other
multi-server daemons such as anvil(8) or proxymap(8) have
connection lifetimes ranging from 5s to 1000s depending on
server load. The workaround is for dnsblog to use the
single_server driver instead of the multi_server driver.
This one-line code change eliminates the accept() race
without any Postfix performance impact. Problem reported
by Sahil Tandon. File: dnsblog/dnsblog.c.
Logging: postscreen now logs a warning when a dnsblog(8)
request takes longer than the hard-coded time limit of 10s.
File: postscreen/postscreen_dnsbl.c.
20120517
Workaround: to avoid crashes when the OpenSSL library is
updated without "postfix reload", the Postfix TLS session
cache ID now includes the OpenSSL library version number.
Note: this problem cannot be fixed in tlsmgr(8). Code by
Victor Duchovni. Files: tls/tls_server.c, tls_client.c.
20120520
Bugfix (introduced Postfix 2.4): the event_drain() function
was comparing bitmasks incorrectly causing the program to
always wait for the full time limit. This error affected
the unused postkick command, but only after s/fifo/unix/
in master.cf. File: util/events.c.
Cleanup: laptop users have always been able to avoid
unnecessary disk spin-up by doing s/fifo/unix/ in master.cf
(this is currently not supported on Solaris systems).
However, to make this work reliably, the "postqueue -f"
command must wait until its requests have reached the pickup
and qmgr servers before closing the UNIX-domain request
sockets. Files: postqueue/postqueue.c, postqueue/Makefile.in.
20120522
Robustness: set LC_ALL=C in post-install to avoid surprises
when parsing output from Postfix or non-Postfix commands.
File: postfix-install.
20120611
Bugfix (introduced: 20031216-21): with soft_bounce=yes, the
SMTP client did not move on to the next MX host or fallback
relay after a 5xx reply. File: smtp/smtp_trouble.c.
20120527-8
Infrastructure: limited support to shrink VSTREAM buffers.
The change takes place when reading from (a stream for the
first time | an empty buffer) or when writing to (a stream
for the first time | a full buffer). TODO: the change should
also happen after purging or flushing a buffer. File:
util/vstream.c.
20120531-617
Feature: haproxy support in postscreen(8) and smtpd(8). To
enable, specify "smtpd_upstream_proxy_protocol = haproxy"
or "postscreen_upstream_proxy_protocol = haproxy". Files:
mantools/postlink, proto/postconf.proto, global/Makefile.in,
global/haproxy_srvr.c, global/haproxy_srvr.h, global/mail_params.h,
global/mail_proto.h, master/single_server.c, master/multi_server.c,
master/event_server.c, postscreen/Makefile.in,
postscreen/postscreen.c, postscreen/postscreen.h,
postscreen/postscreen_endpt.c, postscreen/postscreen_haproxy.c,
postscreen/postscreen_haproxy.h, postscreen/postscreen_send.c,
postscreen/postscreen_state.c, smtpd/Makefile.in, smtpd/smtpd.h,
smtpd/smtpd_peer.c, smtpd/smtpd_sasl_glue.c, smtpd/smtpd_haproxy.c,
util/Makefile.in, util/listen.h, util/recv_pass_attr.c,
util/stream_listen.c, util/sys_defs.h, util/unix_pass_listen.c.
20120618
Cleanup: made the postscreen-to-smtpd haproxy attribute
transmission more robust for Solaris. Files: util/sys_defs.h,
util/connect.h, util/steam_listen.c, postscreen/postscreen_send.c.
Cleanup: simplified the "stream used" workaround. Files:
util/vstream.h, master/event_server.c, master/multi_server.c.
20120621
Cleanup: simplified workarounds for Solaris streams versus
UNIX-domain sockets. Files: util/pass_accept.c (new),
util/pass_trigger.c (new), util/stream_pass_connect.c
(deleted), util/unix_pass_listen.c (deleted),
util/unix_pass_trigger.c (deleted), updated header files,
and replaced PASS_XXX macros by pass_xxx function calls.
Cleanup: don't clobber errno when logging a problem.
File util/msg_output.c.
20120627
Bugfix (introduced: 20120531-617): in the postscreen module
for HAproxy sypport, a VSTREAM buffer size request was not
LP64-clean. File: postscreen/postscreen_haproxy.c.
Cleanup: avoid single-character reads in the postscreen
HAproxy module. File: postscreen/postscreen_haproxy.c.
20120628
Workaround: heuristic to detect missing (ssize_t) type-cast
in VSTREAM buffer size requests. File: util/vstream.c.
20120629
Workaround: "sendmail -bl" emulation. File: sendmail/sendmail.c.
20120630
Cleanup: sub-optimal hash performance on systems where the
"char" type is signed. Files: util/htable.c, util/binhash.c.
20120702
Bugfix (introduced: 19990127): the BIFF client leaked an
unprivileged UDP socket. Fix by Jaroslav Skarvada. File:
local/biff_notify.c.
20120713
Bugfix (introduced: 20120527-8): infrastructure to specify
a smaller-than-default VSTREAM buffer, without the complex
run-time checks. File: util/vstream.c, vstream_tweak.c.
20120714
Cleanup: semantics of requests to query or modify the VSTREAM
buffer size that will be used with the next read(2) or
write(2) operation. Files: util/vstream.c, util/vstream.h,
util/vstream_tweak.c.
20120717
Documentation: update to RFC5321.
20120730
Bugfix (introduced: 20000314): AUTH is not allowed after
MAIL. Timo Sirainen. Files: smtpd/smtpd.c, smtpd/smtpd.h,
smtpd/smtpd_sasl_proto.c.
20120801
Documentation: point of what virtual_xxx parameters are
specific to the virtual(8) delivery agent, and will have
no effect when mail is delivered with a different program.
Files: proto/postconf.proto, proto/VIRTUAL_README.html.
20120824
Feature: support for "sendmail -R hdrs|full". Jan Kundr<64>t.
File: sendmail/sendmail.c.
20120902
Documentation: updated TUNING_README with new pointers to
the STRESS_README and POSTSCREEN_README documents. Miscellaneous
documentation clarifications based on postfix-users discussions.
20120903
Bugfix (introduced 20120317): the socketmap client should
not share unrelated client endpoint handles. File:
util/dict_sockmap.c.
20120907
Cleanup (for change 20120824): the DSN RET attribute should
not be stored once per recipient. It is a message property
just like DSN ENVID. File: sendmail/sendmail.c.
20120911
Documentation: more explicit enumeration of what happens
when setting a per-destination recipient limit value to 1.
File: proto/postconf.proto.
20120918
Documentation: clarified the bounce/queue_life-time parameter
descriptions. File: proto/postconf.proto.
20120920
Documentation: the postscreen_whitelist_interfaces parameter
syntax was defined only by example. File: proto/postconf.proto.
20120923
Infrastructure: cleaned up the support for database
lock-on-open. This is needed for databases that are not
multi-updater safe. Files: util/dict_alloc.c, util/dict.c,
util/dict_open.c, util/dict.h. tls/tls_scache.c.
20120924
Documentation: some people are read-challenged distribute
their own incorrect understanding of master.cf syntax.
File: proto/master.
Cleanup: don't emulate UNIX-domain sockets over FIFOs on
Solaris systems less than 10 years old. This allows us to
globally s/fifo/unix/ in master.cf. Files: makedefs,
util/sys_defs.h.
Laptop-friendliness: avoid disk spin-up on idle systems by
s/fifo/unix/ in master.cf. Files: conf/master.cf.
20120928-30
Feature: smtpd_relay_restrictions, proposed long ago by
Victor. The idea is to separate the mail relay policy from
the spam blocking policy, so that a permissive spam blocking
policy under smtpd_recipient_restrictions will no longer
unexpectedly result in a permissive mail relay policy.
This involves a change in default settings. Similar to the
way that local_recipient_maps was introduced, there is a
safety net that prevents unexpected mail bounces when a
site upgrades to Postfix 2.10 or later, and there is no
change in documented smtpd_recipient_restrictions behavior.
See the RELEASE_NOTES file for details. Files:
global/mail_params.h, smtpd/smtpd.c, smtpd/smtpd_check.c,
proto/postconf.proto, proto/SMTPD_ACCESS_README.html,
mantools/postlink, conf/post-install, RELEASE_NOTES.
20120931-1001
Documentation: updated the remainder of the README files
and manual pages that discuss smtpd_recipient_restrictions.
20121001
Cleanup: prepend 5.1.1 status code to "User unknown in
virtual alias table". File: trivial-rewrite/resolve.c.
20121003
Bugfix: the postscreen_access_list feature was case-sensitive
in the first character of permit, reject, etc. Reported by
Francis Picabia. File: global/server_acl.c.
20121009
Documentation: interaction between delay_warning_time,
notify_classes and delay_notice_recipient. File:
proto/postconf.proto.
20101009
Human factors: log a warning that the postcat option -m
without -h or -b has no effect. File: postcat/postcat.c.
20121010
Bugfix (introduced: Postfix 2.5): memory leak in program
initialization. Reported by Coverity. File: tls/tls_misc.c.
Bugfix (introduced: Postfix 2.3): memory leak in the unused
oqmgr program. Reported by Coverity. File: oqmgr/qmgr_message.c.
20121011
Documentation: how to enable /etc/hosts multi-record lookups
with main.cf settings. File: proto/LINUX_README.html.
Documentation: clarified the postscreen-tlsproxy interface.
File: tlsproxy/tlsproxy.c.
20121012
Documentation: a simpler null-client example. File:
proto/STANDARD_CONFIGURATION_README.html
20121013
Cleanup: to compute the LDAP connection cache lookup key,
join the numeric fields with null, just like string fields.
Viktor Dukhovni. File: global/dict_ldap.c.
20121015
Documentation: added section on regular-expression tables
to the aliases(5) manpage. File: proto/aliases.
Documentation: why "smtp_address_preference = any" is the
preferred setting. File: proto/postconf.proto.
20121022
Bugfix (introduced 20101009) don't complain about stray -m
option if none of -[bhm] is specified. Ralf Hildebrandt.
File: postmap/postmap.c.
20121029
Workaround: strip datalink suffix from IPv6 addresses
returned by the system getaddrinfo() routine. Such suffixes
mess up the default mynetworks value, host name/address
verification and possibly more. This change obsoletes the
20101108 change that removes datalink suffixes in the SMTP
and QMQP servers. Files: util/myaddrinfo.c, smtpd/smtpd_peer.c,
qmqpd/qmqpd_peer.c.
20121031
Bugfix: smtpd_relay_restrictions compatibility shim did not
detect "empty" value. Sahil Tandon. The same problem existed
with the inet_protocols shim. File: conf/post-install.
20121105
Cleanup: the postscreen(8) "deep protocol" tests now log
the SMTP command that precedes a protocol violation. Files:
postscreen/postscreen_smtpd.c, proto/POSTSCREEN_README.html.
Bugfix (introduced: Postfix 1.1): wrong string termination
when handling an MBOX From_ line at the start of a message.
File: qmqpd/qmqpd.c.
20121110
Cleanup: specify $(WARN) on the MacOS X compiler command
line to suppress "nested comment" and possibly other unwanted
warnings. Problem reported by Jim Reid. File: makedefs,
Makefile.in.
20121119
Documentation: added a note that key_format is required
when postscreen(8) and verify(8) share the same memcache
(with different persistent backup databases, or course)
otherwise automatic cache cleanup breaks due to a name
collision for the "last cache cleanup" database record.
File: proto/memcache.
20121122
Cleanup: the safety-check for smtpd_recipient_restrictions
and smtpd_relay_restrictions now detects permit before
reject. File: smtpd/smtpd_check.c.
Cleanup: the safety-check for smtpd_recipient_restrictions
and smtpd_relay_restrictions is no longer case-sensitive.
File: smtpd/smtpd_check.c.
20121123
Cleanup: consistent escaping of commands in postscreen deep
protocol test logging. File: postscreen/postscreen_smtpd.c.
20121124
Documentation: the bounce behavior for automatically-added
BCC recipients has changed with Postfix 2.3 when DSN support
was introduced. File: proto/postconf.proto.
20121203
Documentation: added explicit example for -o name=value.
File: proto/master.
20121210
Bugfix (introduced: Postfix 2.9) nesting count error while
stripping the optional [] around a DNS[BW]L address pattern.
This part of the code is not documented and had escaped
testing. Files: util/ip_match.c, util/ip_match.in,
util/ip_match.ref.
20121215
Bugfix (introduced: 19980218, when recipient_delimiter
support was added): The error message for unknown local
users (or missing required aliases) should report the user
name instead of the full localpart which may contain an
address extension. Problem reported by Christian Holler.
File: local/unknown.c.
20121221
Feature: "postconf -x" support to expand $name in main.cf
parameter values. Files: postconf/postconf_main.c,
postconf/postconf.h, postconf/postconf_node.c, postconf/postconf.c.
20121222
Feature: postconf support to warn about an attempt to modify
a read-only parameter (process_name etc.) in main.cf or
master.cf. Files: postconf/postconf_readonly.c,
postconf/postconf_builtin.c.
20121223
Feature: postconf support to warn about an undefined $name
in a parameter value in main.cf or master.cf (except for
backwards-compatibility parameters such as $virtual_maps)
Files: postconf/postconf_user.c, postconf_dbms.c,
postconf_builtin.c, util/dict_ht.c, util/htable.c.
Feature: "postconf -Mx" support to expand $name in master.cf
parameter values. Files: postconf/postconf_master.c,
postconf/postconf_lookup.c, postconf/postconf_main.c,
postconf/postconf.c.
20121224
Feature: "postconf -Mn" support to print only master.cf
entries that have "-o name=value" parameter setttings.
Files: postconf/postconf_master.c.
20121226
Miscellaneous cleanups of postconf internal APIs, identifiers
and comments. No changes in behavior.
Bugfix (omission in feature 20111203): the SMTP server only
supported time-dependent address-verification sender addresses
with RCPT TO but not with MAIL FROM. File: smtpd/smtpd.c.
20121227
Feature: "postconf -o name=value" support to override main.cf
settings (for example, "postconf -x -o stress=whatever"
shows effective settings under overload). Files:
postconf/postconf.c, postconf/postconf_main.c.
20121230
Cleanup: postconf(1) master.cf options parser. Files:
postconf/postconf_master.c, postconf/postconf_user.c.
Bugfix (omission in feature 20111106): the postconf(1)
master.cf options parser didn't support "clusters" of
command-line option letters. Files: postconf/postconf_master.c,
postconf/test40.ref.
20130105
Undo a change made around 20121224, and always whitelist
configuration parameter names for legacy-style proxy:ldap:prefix
etc. lookup tables. Files: postconf/postconf_dbms.c,
postconf/test28.ref, postconf/test29.ref, postconf/Makefile.in.
20130107
Factor out the master.cf line parser so that it can be
reused for "postconf -Me". File: postconf/postconf_master.c.
20130121
Bugfix (introduced 20120307): the postconf -X option erased
other options. File: postconf/postconf.c.
20130131
Bugfix: the local(8) delivery agent dereferenced a null
pointer while delivering to null command (for example, "|"
in a .forward file). Reported by Gilles Chehade.
20130203
Bugfix: the undocumented OpenSSL X509_pubkey_digest()
function is unsuitable for computing certificate PUBLIC KEY
fingerprints. Postfix now provides a correct procedure
that accounts for the algorithm and parameters in addition
to the key data. Specify "tls_legacy_public_key_fingerprints
= yes" if you need backwards compatibility. Fix by Victor
Duchovni, BC added by Wietse. Files: tls/tls_verify.c,
tls/tls_misc.c, proto/TLS_README.html, global/mail_params.h.
20130210
Bugfix: an error handler for smtp_tls_policy_maps lookups
was never invoked. File: smtp/smtp_session.c.
20130403
Bugfix (introduced: Postfix 2.3): don't reuse TCP connections
when smtp_tls_policy_maps is specified. Victor Duchovni.
Found during Postfix 2.11 code maintenance. File:
smtp/smtp_reuse.c.
20130423
Bugfix (introduced: Postfix 2.0): when myhostname is not
listed in mydestination, the trivial-rewrite resolver may
log "do not list <myhostname value> in both mydestination
and <name of non-mydestination domain list>". The fix is
to re-resolve a domain-less address after adding $myhostname
as the surrogate domain, so that it pops out with the right
address-class label. Problem reported by Quanah Gibson-Mount.
File: trivial-rewrite/resolve.c.
20130425
Bugfix (introduced: Postfix 2.2): don't reuse TCP connections
when SASL authentication is enabled. SASL passwords may
depend on the remote SMTP server hostname, but the Postfix
<2.11 SMTP connection cache client does not distinguish
between different hostnames that resolve to the same IP
address. Found during Postfix 2.11 code maintenance. File:
smtp/smtp_connect.c.
20130518
Bugfix (introduced: 1997): memory leak after error while
forwarding mail through the cleanup server. Viktor found
one, Wietse eliminated the rest. File: local/forward.c.
20130613
Workaround: unhelpful down-stream maintainers fail to install
the new smtpd_relay_restrictions safety net, causing breakage
that could have been avoided. We now hard-code the safety
net instead. Files: global/mail_params.h, conf/post-install,
RELEASE_NOTES.
20130615
TLS Interoperability: turn on SHA-2 digests by force. This
improves interoperability with clients and servers that
deploy SHA-2 digests without the required support for
TLSv1.2-style digest negotiation. Based on patch by Viktor
Dukhovni. Files: tls/tls_client.c, tls/tls_server.c.
20130616
TLS Performance: the Postfix SMTP server TLS session cache
was ineffective because recent OpenSSL versions enable
session tickets by default, resulting in a different ticket
encryption key for each smtpd(8) process. The workaround
turns off session tickets. In 2.11 we'll enable session
tickets properly. Viktor Dukhovni. File: tls/tls_server.c.
Reference in New Issue View Git Blame Copy Permalink