| blob | 5f9750b5f9d9c9f880356e045460688c2d387a30 |
1 In addition to the names listed below, the following people provided
2 useful inputs on many occasions: Paul D. Robertson, Simon J. Mudd.
3 Apologies for any names omitted.
5 19980105
7 The compiled-in default value for resolve_smtp_sender was
8 wrong (from the days that it was a boolean), causing smtpd
9 to dump core when the variable was not set in main.cf.
11 The INSTALL instructions now have separate sections for
12 the three basic ways of running vmailer.
14 The INSTALL instructions now have discusses how to deal
15 with chrooted processes.
17 Ported to RedHat 5.0. My, these people have re-organized
18 their include files quite a bit, haven't they.
20 19980106
22 On RedHat Linux 4.2/5.0, when a FIFO listener opens the
23 FIFO with mode O_RDONLY, the FIFO remains forever readable
24 after the writer has closed it. Workaround: open the FIFO
25 mode O_RDWR.
27 Test program: util/fifo_rdonly_bug.c
29 Unfortunately, the above fix triggers a bug on BSD/OS 3.1
30 where opening the FIFO mode O_RDWR causes select() to claim
31 that the FIFO is readable even before any data is written
32 to it, causing read() to block or to fail.
34 Test program: util/fifo_rdwr_bug.c
36 printfck (check arguments of printf-like function calls)
37 found a missing argument in local/command.c
39 Miscellaneous Makefile cleanups that I didn't finish before
40 the first alpha release.
42 19980107
44 Sometimes the DNS will claim that a domain does not exist,
45 when in fact it does. Thus, it is a bad idea to reject mail
46 from apparently non-existent domains. I have changed the
47 smtpd so that it produces a soft error responses when a
48 resolve_smtp_sender test fails with HOST_NOT_FOUND. Note:
49 by default, this test is still disabled.
51 The DB and DBM read routines will now automagically figure
52 out if (key, value) pairs were written including a terminating
53 null byte or not. The DB and DBM write routines will use
54 this result to determine how to write, and will fall back
55 to per-system defaults otherwise.
57 Renamed the README to MUSINGS, and wrote up a README that
58 reflects the current status of the software.
60 Added -d (don't disconnect) and -c (show running counter)
61 option to te smtp-source test program. These tools are
62 great torture tests for the mail software, and for the
63 system that it runs on.
65 Turned down the process_limit parameter (# of parallel smtp
66 clients or servers) to avoid unpleasant surprises. You can
67 crank up the process_limit parameter in main.cf.
69 19980111
71 Feature: when run by the superuser, mailq now shows the
72 mail queue even when the mail system is down. To this end,
73 mailq (sendmail -bp) runs the showq program directly instead
74 of connecting to the UNIX-domain service socket, and drops
75 privileges etc. as usual.
77 19980119
79 Bugfix: Edwin Kremer spotted an oversight in the negated
80 host matching code (for name or address patterns prefixed
81 by !).
83 Bugfix: upon receipt of a SIGHUP signal, the master now
84 disconnects from its child processes, so that the current
85 generation of child processes commits suicide, and so that
86 the next generation of child processes will use the new
87 configuration settings.
89 Bugfix: the smtp server now skips the sender DNS domain
90 lookup test for foo@[address]
92 Bugfix: don't append the local domain to foo@[address]
94 19980120
96 Bugfix: old low-priority bug in some list walk code that
97 caused the master to drop core when a service was turned
98 off in master.cf.
100 Robustness: the mail system should be able to start up and
101 to accept local postings even while the naming service is
102 down. For this reason, the mail system no longer uses
103 gethostbyname() to look up its own machine name. Sites
104 that use short hostnames will have to specify their FQDN
105 in main.cf (this will eventually be done by the system
106 installation/configuration procedure). Should the config
107 language support backticks so one can say `domainname`?
108 What about $name stuff between the backtics?
110 Security: the master now creates FIFOs and UNIX-domain
111 sockets as the mail owner instead of as root, for better
112 protection against subverted mail systems. chmod() is
113 susceptible to race conditions. fchmod(), although safer,
114 often does not work on sockets.
116 Portability: anticipate that all major UNIXes will create
117 UNIX-domain sockets with permissions modified by the process
118 umask (required by POSIX). For this reason, we always
119 chmod() UNIX-domain sockets, unless the system allows us
120 to use the safer fchmod() instead.
122 Portability: the semi-resident servers now properly handle
123 EWOULDBLOCK returns from accept() in addition to EGAIN
124 (on some systems, EAGAIN and EWOULDBLOCK have different
125 values).
127 Bugfix: the semi-resident servers now properly handle EINTR
128 returns From accept().
130 Bugfix: Edwin Kremer found that mynetworks() would compute
131 (32 - mask) instead of mask.
133 19980121
135 Feature: /etc/vmailer/relocated is used by the local delivery
136 program and specifies what mail should be bounced with a
137 "user has moved to XXX" message. The main.cf configuration
138 parameter is "relocated_maps". Just like the "virtual_maps"
139 config parameter, this feature is off by default, and the
140 parameter can have values such as "files" or "files, nis"
141 (on hosts equipped with NIS).
143 19980123
145 Cleanup: virtual domain support moved from the queue manager
146 to the resolve service, where it belongs.
148 Feature: /etc/vmailer/canonical is used by the rewrite
149 service for all addresses, and maps a canonical address
150 (user@domain) to another address. Typical use is to generate
151 Firstname.Lastname@domain addresses, or to clean up dirty
152 addresses from non-RFC 822 mail systems. The main.cf
153 configuration parameter is "canonical_maps". Just like
154 the "virtual_maps" config parameter, this feature is off
155 by default, and the parameter can have values such as
156 "files" or "files, nis" (on hosts equipped with NIS).
158 19980124
160 HPUX10 port and many little fixes from Pieter Schoenmakers.
162 Bugfix: isolated an old mysterious bug that could make the
163 master deaf for new connections while no child process was
164 running. A typical result was that no pickup daemon would
165 be started after the previous one had terminated voluntarily.
167 Bugfix: the NIS lookup code did not mystrdup() the NIS map
168 name and would access free()d memory.
170 19980125
172 Bugfix: the vstream routines would sometimes ignore flushing
173 errors. The error would still be reported by vstream_fclose()
174 and vstream_ferror().
176 Feature: time limit on delivery to shell commands. Config
177 parameter: command_time_limit. Default value: 100 sec. The
178 idea is to prevent one bad .forward file or alias file
179 entry from slowly using up all local delivery process slots.
181 19980126
183 Code cleanup: in preparation for SMTP extensions such as
184 SIZE, allow an extended SMTP command to have a variable
185 number of options.
187 19980127
189 Bugfix: moved canonical map lookups away from the rewriting
190 module to the cleanup service, so that canonical map lookups
191 do not interfere with address rewriting on behalf of other
192 programs. Back to an older trivial-rewrite program version.
194 Bugfix: moved virtual map lookups away from the resolver
195 back to the queue manager, so that virtual domain lookup
196 does not interfere with address resolution on behalf of
197 other programs. Back to an older qmgr program version.
199 19980131
201 Feature: integrated and adapted Guido van Rooij's SIZE
202 option (RFC 1870), carefully avoiding potential problems
203 due to overflow (by multiplying large numbers) or unsigned
204 underflow (by subtracting numbers).
206 Code cleanup: cleaned up the code that parses the server
207 response to the HELO/EHLO command, so that we can more
208 reliably recognize what options a server supports.
210 19980201
212 Portability: integrated the IRIX 6 port by Oved Ben-Aroya.
214 Portability: the software now figures out by itself if a
215 server should open its FIFO read-write or read-only, to
216 avoid getting stuck with a FIFO that stays readable forever.
218 Bugfix: the cleanup service would terminate with a fatal
219 vstream_fseek() error when the queue file was too large.
221 Bugfix: the cleanup service could be killed by a signal
222 when the queue file became too large.
224 19980203
226 Portability: some systems have statfs(), some have statvfs(),
227 and the relevant include files are in a different place on
228 almost every system.
230 Portability: the makedefs script now nukes the -O compiler
231 flag when building on AIX with IBM's own compiler...
233 19980204
235 Portability: HP-UX 9.x support by Pieter Schoenmakers.
237 Portability: added SYSV-style ulimit() file size limit
238 support for HP-UX 9.x.
240 Portability: added some #includes that appeared to be
241 missing according to the Digital UNIX cc compiler.
243 Bugfix: sys_defs.h now correctly specifies NIS support for
244 LINUX2, HPUX9 and HPUX10.
246 Security: fixed a file descriptor leak in the local delivery
247 agent that could give shell commands access to the VMailer
248 IPC streams. This should not cause a vulnerability, given
249 the design and implementation of the mailer, but it would
250 be like asking for trouble.
252 Bugfix: the sendmail -B (body type) option did not take a
253 value.
255 19980205
257 Bugfix (SUNOS5): should not have deleted the SVID_GETTOD
258 definition from util/sys_defs.h.
260 Bugfix (HPUX9): forgot to specify whether to use statfs()
261 or statvfs().
263 Bugfix (HPUX9): don't try to raise the file size ulimit.
265 Bugfix (HPUX9): must specify file size limit in 512-blocks.
267 19980207
269 Robustness: the master process now raises the file size
270 limit when it is started with a limit that is less than
271 VMailer's file size limit. File: util/file_limit.c.
273 Security: the dns lookup routines now screen all result
274 names with valid_hostname(). Bad names are treated as
275 transient errors.
277 Feature: qmail compatibility: when the home_mailbox parameter
278 is set, mail is delivered to ~/$home_mailbox instead of to
279 /var[/spool]/mail/username. This hopefully makes it easier
280 to lure people away from qmail :-)
282 Robustness: several testers by accident configured relayhost
283 the same as myhostname. The programs now explicitly check
284 for this mistake.
286 Bugfix: deliver_request_read() would free unallocated memory
287 when it received an incomplete delivery request from the
288 queue manager.
290 Robustness: local_destination_concurrency=1 prevents parallel
291 delivery to the same user (with possibly disastrous effects
292 when that user has an expensive pipeline in the .forward
293 or procmail config file). Each transport can have its own
294 XXX_destination_concurrency parameter, to limit the number
295 of simultaneous deliveries to the same destination.
297 19980208
299 Robustness: added "slow open" mode, to gradually increase
300 the number of simultaneous connections to the same site as
301 long as delivery succeeds, and to gradually decrease the
302 number of connections while delivery fails. Brad Knowles
303 provided the inspiration to do this.
305 This also solves the "thundering herd" problem (making a
306 bunch of connections to a dead host when it was time to
307 retry that host). Let's see when other mailers fix this.
309 Feature: Added $smtpd_banner and $mail_version, for those
310 who want to show the world what software version they are
311 running.
313 Bugfix: vmailer-script now properly labels each syslog
314 entry.
316 19980210
318 Portability: merged in NEXTSTEP 3 port from Pieter Schoenmakers
320 Bugfix: the local delivery program now checks that a
321 destination is a regular file before locking it.
323 19980211
325 Robustness: the local delivery agent sets HOME, LOGNAME,
326 and SHELL when delivering to a user shell command. PATH is
327 always set, and TZ is passed through if it is set.
329 19980212
331 Feature: mailq (sendmail -bp) now also lists the maildrop
332 queue (with mail that hasn't been picked up yet).
334 19980213
336 Feature: the smtpd now says: 502 HELP not implemented. This
337 should impress the heck out of the competition :-)
339 19980214
341 Feature: local delivery to configurable system-wide command
342 (e.g. procmail) avoids the need for per-user ~/.forward
343 shell commands. Config parameter: mailbox_command.
345 19980215
347 Performance: avoid running a shell when a command contains
348 no shell magic characters or built-in shell commands. This
349 speeds up delivery to all commands. File: util/exec_command.c.
351 Bugfix: the local delivery agent, after reading EOF from
352 a child process, now sends SIGKILL only when the child does
353 not terminate within a limited amount of time. This avoids
354 some problems with procmail. File: util/timed_wait.c.
356 19980217
358 Portability: folded in NetInfo support from Pieter
359 Schoenmakers.
361 19980218
363 Feature: new vmlock command to run a command while keeping
364 an exclusive lock on a mailbox.
366 Feature: with "recipient_delimiter = +", mail for local
367 address "user+foo" is delivered to "foo", with a "Delivered-To:
368 user+foo@domain" message header. Files: qmgr/qmgr_message.c,
369 local/recipient.c. This must be the cheapest feature.
371 19980219
373 Code cleanup: moved error handling into functions that
374 should always succeed (non_blocking(), close_on_exec()).
376 19980223
378 Bugfix: null pointer bug in the cleanup program after
379 processing a From: header with no mail address (or with
380 only a comment).
382 19980226
384 Robustness: now detects when getpwnam() returns a name that
385 differs from the requested name.
387 Feature: Added %p support to the vbuf_print formatting
388 module.
390 Code cleanup: revamped the alias/include/.forward loop
391 detection and duplicate suppression code in the local
392 delivery agent. This must be the fourth iteration, and
393 again the code has been simplified.
395 19980228
397 Robustness: don't treat anything starting with whitespace
398 as a header record. Instead, explicitly test for leading
399 whitespace where we permit it. Files: global/is_header.c,
400 bounce/bounce_flush_service.c, local/delivered.c.
402 19980301
404 Compatibility: the sendmail program now accepts the -N
405 command-line option (delivery status notification) but
406 ignores it entirely, just like many other sendmail options.
408 Bugfix: dns_lookup.c was too conservative with buffer sizes
409 and would incorrectly report "malformed name server reply".
411 19980302
413 Bugfix: the local delivery agent was not null-byte clean.
415 19980307
417 Feature: integrated Pieter Schoenmaker's code for transport
418 lookup tables that list (transport, nexthop) by destination.
420 19980309
422 Bugfix: delivery agents no longer rename corrupt queue
423 files, because programs might fall over each other doing
424 so. Instead, when a delivery agent detects queue file
425 corruption, it chmods the queue file, simulates a soft
426 error, and lets the queue manager take care of the problem.
428 Bugfix: the SMTP server implemented VRFY incorrectly.
430 Feature: first shot at a pipe mailer, which can be used to
431 extend VMailer with external mail transports such as UUCP
432 (provided that the remote site understands domain addressing,
433 because VMailer version 1 does not rewrite addresses).
435 Cleanup: extended the master/child interface so that the
436 service name (from master.cf) is passed on to the child.
437 The pipe mailer needs the service name so it can look up
438 service-specific configuration parameters (privilege level,
439 recipient limit, time limit, and so on).
441 19980310-12
443 Cleanup: factored out the pipe_command() code, so it can
444 be shared between pipe mailer and local delivery agent.
446 19980314
448 Compatibility: the sendmail program now parses each
449 command-line recipient as if it were an RFC 822 message
450 header; some MUAs specify comma-separated recipients in a
451 command-line argument; and some MUAs even specify "word
452 word <address>" forms as command-line arguments.
454 19980315
456 Bugfix: VMailer's queue processing randomization wasn't
457 adequate for unloaded systems with small backlogs.
459 Bugfix: smtpd now uses double-buffered stream I/O to prevent
460 loss of input sent ahead of responses.
462 19980316
464 Bugfix: the smtpd anti-relay code didn't treat all hosts
465 listed in $mydestinations as local, so it would accept mail
466 only for hosts listed in $relay_domains (default: my own
467 domain).
469 Bugfix: smtpd now replies with 502 when given an unknown
470 command.
472 19980318
474 Cleanup: resolve/rewrite clients now automatically disconnect
475 after a configurable amount of idle time (ipc_idle).
477 19980322
479 Tolerance: VRFY now permits user@domain, even though the
480 RFC requires that special characters such as @ be escaped.
482 19980325
484 Bugfix: a recipient delimiter of "-" could interfere with
485 special addresses such as owner-xxx or double-bounce.
487 Tolerance: the SMTP client now permits blank lines in SMTP
488 server responses.
490 Tolerance: the SMTP client now falls back to SMTP when it
491 apparently mistook an SMTP server as ESMTP capable.
493 Bugfix: eliminated strtok() calls in favor of mystrtok().
494 Symptom: master.cf parsing would break if $inet_interfaces
495 was more than one word.
497 19980328
499 Bugfix: user->addr patterns in canonical and virtual tables
500 matched only $myorigin, not hosts listed in $mydestination
501 or addresses listed in $inet_interfaces. The man pages
502 were wrong too. File: global/addr_match.c.
504 19980401
506 Robustness: FIFO file permissions now default to 0622. On
507 some systems, opening a FIFO read-only could deafen the
508 pickup daemon. Only the listener end (which is opened as
509 root) needs read access anyway, so there should not be a
510 loss of functionality by making FIFOs non-readable for
511 non-mail processes.
513 19980402
515 Compatibility: sendmail -I and -c options added.
517 19980403
519 Feature: virtual lookups are now recursive. File:
520 qmgr/qmgr_message.c
522 19980405
524 Implemented sendmail -bs (stand-alone) mode. This mode runs
525 as the user and therefore deposits into the maildrop queue.
527 19980406
529 The pickup service now removes malformed maildrop files.
531 19980407
533 The pickup service now guards against maildrop files with
534 time stamps dated into the future.
536 19980408
538 Bugfix: in the canonical and virtual maps, foo->address
539 would match foo@$myorigin only. This has been fixed to also
540 match hosts listed in main.cf:$mydestination and the
541 addresses listed in main.cf:$inet_interfaces.
543 Bugfix: added double buffering support to the VMailer SMTP
544 server. This makes the SMTP server robust against SMTP
545 clients that talk ahead of time, and should have been in
546 there from day one.
548 19980409
550 Bugfix: the VMailer SMTP client now recognizes its own
551 hostname in the SMTP greeting banner only when that name
552 appears as the first word on the first line.
554 19980410
556 Feature: smtpd now logs the local queue ID along with the
557 client name/address, and pickup now logs the local queue
558 ID along with the message owner.
560 Bugfix: still didn't do virtual/canonical lookups right
561 (code used the non-case-folded key instead of the case
562 folded one).
564 19980418
566 Bugfix: the SMTP server did not flush the "250 OK queued
567 as XXXX" message from the SMTP conversation history.
569 19980419
571 Bugfix: qmgr would not notice that a malformed message has
572 multiple senders, and would leak memory (Tom Ptacek).
574 19980421
576 Portability: in the mantools scripts, the expr pattern no
577 longer has ^ at the beginning, and the scripts now use the
578 expand program instead of my own detab utility.
580 19980425
582 NetBSD 1.x patch by Soren S. Jorvang.
584 19980511
586 Feature: the SMTP server now logs the protocol (SMTP or
587 ESMTP) as part of the Received: header.
589 Feature: smtpd now logs the last command when a session is
590 aborted due to timeout, unexpected EOF, or too many client
591 errors.
593 19980514
595 Bugfix: the queue manager did not update the counter for
596 in-core message structures, so the in-core message limit
597 had no effect. This can be bad when you have a large backlog
598 with many messages eligible for delivery.
600 Robustness: the queue manager now also limits the total
601 number of in-core recipient structures, so that it won't
602 use excessive amounts of memory on sites that have large
603 mailing lists.
605 19980518
607 Bugfix: the SMTP client did not notice that the DNS client
608 received a truncated response. As a result, a backup MX
609 host could incorrectly claim that it was the best MX host
610 and declare a mailer loop.
612 Added start_msg/stop_msg entries to the vmailer startup
613 script, for easy installation.
615 Cleanup: VMailer databases are now explicitly specified as
616 type:name, for example, hash:/etc/aliases or nis:mail.aliases,
617 instead of implicitly as "files", "nis" and so on. Test
618 program: util/dict_open. This change allowed me to
619 eliminate a lot of redundant code from mkmap_xxx.c, and
620 from everything that does map lookups.
622 19980525
624 Bugfix: local/dotforward.c compared the result of opening
625 a user's ~/.forward against the wrong error value.
627 19980526
629 Bugfix: the smtpd VRFY command could look at free()d memory.
631 Robustness: the smtpd program had a fixed limit on the
632 number of token structures. The code now dynamically
633 allocates token structures.
635 Bugfix: the queue manager still used the deprecated parameter
636 name xxx_deliver_concurrency for concurrency control, but
637 the documentation talks about the preferred parameter name
638 xxx_destination_concurrency. Fix: try xxx_destination_concurrency
639 first, then fall back to xxx_deliver_concurrency.
641 19980621-19980702
643 Cleanup: the string read routines now report the last
644 character read or VSTREAM_EOF. This change is necessary
645 for the implementation of the long SMTP line bugfix.
647 Bugfix: the smtp server exited the DATA command prematurely
648 when the client sent long lines. Reason: the smtp server
649 did not remember that it broke long lines, so that '.'
650 could appear to be the first character on a line when in
651 fact it wasn't.
653 Bugfix: the queue manager made lots of stupid errors while
654 reading $qmgr_message_recipient_limit chunks of recipients
655 from a queue file. This code has been restructured.
657 19980706
659 Performance: the cleanup program now always adds return-receipt
660 and errors-to records to a queue file, so that the queue
661 manager does not have to plow through huge lists of
662 recipients.
664 Robustness: the initial destination concurrency now defaults
665 to 2, so that one bad message or one bad connection does
666 not stop all mail to a site. The configuration parameter
667 is called initial_destination_concurrency.
669 Performance: the per-message recipient limit is now enforced
670 by the queue manager instead of by the transport. Thus, a
671 large list of recipients for the same site is now mapped
672 onto several delivery requests which can be handled in
673 parallel, instead of being mapped onto one delivery request
674 that is sent to limited numbers of recipients, one group
675 after the other.
677 19980707
679 Cleanup: the queue manager now does an additional recipient
680 sort after the recipients have been resolved, so that the
681 code can do better aggregation of recipients by next hop
682 destination.
684 Feature: lines in the master.cf file can now be continued
685 in the same manner as lines in the main.cf file, i.e. by
686 starting the next line with whitespace.
688 Feature: the smtp client now warns that a message may be
689 delivered multiple times when the response to "." is not
690 received (the problem described in RFC 1047).
692 Cleanup: when the queue manager changes its little mind
693 after contacting a delivery agent (for example, it decides
694 to skip the host because a transport or host goes bad),
695 the delivery agent no longer complains about premature EOF.
696 File: global/deliver_request.c
698 19980709
700 Bugfix: when breaking long lines, the SMTP client did not
701 escape leading dots in secondary etc. line fragments. Fix:
702 don't break lines. This change makes VMailer line-length
703 transparent. Files: global/smtp_stream.c, smtp/smtp_proto.c.
705 19980712
707 Cleanup: the queue manager to deliver agent protocol now
708 distinguishes between domain-specific soft errors and
709 recipient-specific soft errors. Result: many soft errors
710 with SMTP delivery no longer affect other mail the same
711 domain.
713 19980713
715 Feature: the file modification time stamp of deferred queue
716 files is set to the nearest wakeup time of their recipient
717 hosts, or if delivery was deferred due to a non-host problem,
718 the time stamp is set into the future by the configurable
719 minimal backoff time.
721 Bugfix: the SMTP client and the MAILQ command would report
722 as message size the total queue file size. That would
723 grossly overestimate the size of a message with many
724 recipients.
726 Bugfix: the 19980709 fix screwed up locally-posted mail
727 that didn't end in newline.
729 19980714
731 Robustness: the makedefs script now defaults to no optimization
732 when compiling for purify.
734 19980715
736 Robustness: the makedefs script now defaults to no optimization
737 when compiling with gcc 2.8, until this compiler is known
738 to be OK.
740 Workaround: when sending multiple messages over the same
741 SMTP connection, some SMTP servers need an RSET command
742 before the second etc. MAIL FROM command. The VMailer SMTP
743 client now sends a redundant RSET command just in case.
745 The queue manager now logs explicitly when delivery is
746 deferred because of a "dead" message transport.
748 19980716
750 Feature: mailq and mail bounces now finally report why mail
751 was deferred (the reason was logged to the syslog file
752 only). Changes were made to the bounce service (generalized
753 to be usable for defer logs), showq service (to show reasons)
754 and the queue manager.
756 As a result the defer directory (with one log per deferred
757 message) may contain many files; also, this directory is
758 accessed each time a message is let into the active queue,
759 in order to delete its old defer log. This means that hashed
760 directories are now a must.
762 19980718-20
764 Feature: configurable timeout for establishing smtp
765 connections. Parameter: smtp_connect_timeout (default 0,
766 which means use the timeout as wired into the kernel).
767 Inspired by code from Lamont Jones. For a clean but far
768 from trivial implementation, see util/timed_connect.c
770 Cleaned up the interfaces that implement read/write deadlines.
771 Instead of returning -2, the routines now set errno to
772 ETIMEDOUT; the readable/writable tests are now separate.
774 19980722
776 Feature: the default indexed file type (hash, btree, dbm)
777 is now configurable with the "database_type" parameter.
778 The default value for this parameter is system specific.
780 Feature: selectively turn on verbose logging for hosts that
781 match the patterns specified via the "debug_peer_list"
782 config parameter. Syntax is like the "bad_smtp_clients"
783 parameter (see global/peer_list.c). The verbose logging
784 level is specified with "debug_peer_level" (default 2).
786 Security: the local delivery agent no longer delivers to
787 files that have execute permission enabled.
789 19980723
791 Workarounds for Solaris 2.x UNIX-domain sockets: they lose
792 data when you close them immediately after writing to them.
793 This could screw up the delivery agent to queue manager
794 protocol.
796 19980724
798 Cleanup: spent most of the day cleaning up queue manager
799 code that defers mail when a site or transport dies, and
800 fixed a few obscure problems in the process.
802 19980726
804 Feature: the admin can now configure what classes of problems
805 result in mail to the postmaster. Configuration parameter:
806 "notify_classes". Default is backwards compatible: bounce,
807 policy, protocol, resource, and software.
809 19980726-28
811 Feature: the admin can now configure what smtp server access
812 control restrictions must be applied, and in what order.
813 Configuration parameters: smtpd_client_restrictions,
814 smtpd_helo_restrictions, smtpd_mail_restrictions and
815 smtpd_rcpt_restrictions. Defaults are intended to be
816 backwards compatible. The bad_senders and bad_clients lists
817 are gone and have become db (dbm, nis, etc) maps. Files:
818 smtpd/smtpd_check.c, config/main.cf.
820 19980729-31
822 Feature: hashed queues. Rewrote parts of the mail queue
823 API. Configuration parameters: "hash_queue_names" specifies
824 what queue directories will be hashed (default: the defer
825 log directory), "hash_queue_depth" specifies the number of
826 subdirectories used for hashing (default 2).
828 19980802
830 Bugfix: the pipe mailer should expand command-line arguments
831 with $recipient once for every recipient (producing one
832 command-line argument per recipient), instead of replacing
833 $recipient by of all recipients (i.e. producing only one
834 command-line argument). This is required for compatibility
835 with programs that expect to be run from sendmail, such as
836 uux. Thanks to Ollivier Robert for helping me to get this
837 right.
839 Code cleanup: for the above, cleaned up the macro expansion
840 code in dict.c and factored out the parsing into a separate
841 module, mac_parse.c.
843 19980803
845 "|command" and /file/name destinations in alias databases
846 are now executed with the privileges of the database owner
847 (unless root or vmailer). Thus, with: "alias_maps =
848 hash:/etc/aliases, hash:/home/majordomo/aliases", and with
849 /home/majordomo/aliases* owned by the majordomo account,
850 you no longer need the majordomo set-uid wrapper program,
851 and you no longer need root privileges in order to install
852 a new mailing list.
854 19980804
856 Added support for the real-time blackhole list. Example:
857 "client_restrictions = permit_mynetworks, reject_maps_rbl"
859 All SMTP server "reject" status codes are now configurable:
860 unknown_client_reject_code, mynetworks_reject_code,
861 invalid_hostname_reject_code, unknown_hostname_reject_code,
862 unknown_address_reject_code, relay_domains_reject_code,
863 access_map_reject_code, maps_rbl_reject_code. Default values
864 are documented in the smtpd/smtpd_check.c man page.
866 19980806-8
868 Code cleanup: after eye balling line-by line diffs, started
869 deleting code that duplicated functionality because it was
870 at the wrong abstraction level (smtp_trouble.c), moved
871 functionality that was in the wrong place (dictionary
872 reference counts in maps.c instead of dict.c), simplified
873 code that was too complex (password-file structure cache)
874 and fixed some code that was just wrong.
876 19980808
878 Robustness: the number of queue manager in-core structures
879 for dead hosts is limited; the limit scales with the limit
880 on the number of in-core recipient structures. The idea is
881 to not run out of memory under conditions of stress.
883 19980809
885 Feature: mail to files and commands can now be restricted
886 by class: alias, forward file or include file. The default
887 restrictions are: "allow_mail_to_files = alias, forward"
888 and allow_mail_to_commands = alias, forward". The idea is
889 to protect against buggy mailing list managers that allow
890 intruders to subscribe /file/name or "|command".
892 19980810-12
894 Cleanup: deleted a couple hundred lines of code from the
895 local delivery agent. It will never be a great program;
896 sendmail compatibility is asking a severe toll.
898 19980814
900 Cleanup: made the program shut up about some benign error
901 conditions that were reported by Daniel Eisenbud.
903 19980814-7
905 Documentation: made a start of HTML docs that describe all
906 configuration parameters.
908 Feature: while documenting things, added smtpd_helo_required.
910 19980817
912 Bugfix: at startup the queue manager now updates the time
913 stamps of active queue files some time into the future.
914 This eliminates duplicate deliveries after "vmailer reload".
916 Bugfix: the local delivery agent now applies the recipient
917 delimiter after looking in the alias database, instead of
918 before.
920 Documentation bugfixes by Matt Shibla, Tom Limoncelli,
921 Eilon Gishri.
923 19980819
925 GLIBC fixes from Myrdraal.
927 Bugfix: applied showq buffer reallocation workaround in
928 the wrong place.
930 Bugfix: can't use shorts in varargs lists. SunOS 4 has
931 short uid_t and gid_t. pipe_command() would complain.
933 Bugfix: can't use signed char in ctype macros. All ctype
934 arguments are now casted to unsigned char. Thanks, Casper
935 Dik.
937 19980820
939 Bugfix: save the alias lookup result before looking up the
940 owner. The previous alpha release did this right.
942 Cleanup: mail_trigger() no longer complains when the trigger
943 FIFO or socket is unavailable. This change is necessary to
944 shut up the sendmail mail posting program, so that it can
945 be used on mail clients that mount their maildrop via NFS.
947 Experiment: pickup and pipe now run as vmailer most of the
948 time, and switch to user privileges only temporarily.
949 Files: util/set_eugid.c global/pipe_command.c pipe/pipe.c
950 pickup/pickup.c. Is this more secure/ What about someone
951 manipulating such a process while not root? It still has
952 ruid == 0.
954 19980822
956 Portability: with GNU make, commands such as "(false;true)"
957 and "while :; do false; done" don't fail. Workaround: use
958 "set -e" all over the place. Problem found by Jeff Wolfe.
960 Feature: "check_XXX_access maptype:mapname" (XXX = client,
961 helo, sender, recipient). Now you can make recipient and
962 other SPAM restrictions dependent on client or sender access
963 tables lookup results.
965 19980823
967 Bugfix: smtpd access table lookup keys were case sensitive.
969 Added "permit" and "reject" operators. These are useful at
970 the end of SPAM restriction lists (smtpd_XXX_restrictions).
972 Added a first implementation of the permit_mx_backup SPAM
973 restriction. This permits mail relaying to any domain that
974 lists this mail system as an MX host (including mail for
975 the local machine). Thanks to Ollivier Robert for useful
976 discussions.
978 19980824
980 Bugfix: transport table lookup keys were case sensitive.
982 19980825
984 Portability: sa_len is some ugly #define on some SGI systems,
985 so we must rename identifiers (file util/connect.c).
987 Bugfix: uucp delivery errors are now sent to the sender.
988 Thanks, Mark Delany.
990 Bugfix: the pipe delivery agent now replaces empty sender
991 by the mailer daemon address. Mark Delany, again.
993 Portability: GNU getopt looks at all command-line arguments.
994 Fix: insert -- into the pipe/uucp definition in master.cf.
996 Bugfix: the smtp server command tokenizer silently discarded
997 the [] around [text], so that HELO [x.x.x.x] was read as
998 if the client had sent: HELO x.x.x.x. Thanks, Peter Bivesand.
1000 Bugfix: the HELO unknown hostname/bad hostname restrictions
1001 would have treated [text] as a domain name anyway.
1003 Bugfix: the $local_duplicate_filter_limit value was not
1004 picked up by the local delivery agent. This means the local
1005 delivery agent could run out of memory on large mailing
1006 list deliveries.
1008 19980826
1010 Performance: mkmap/mkalias now run with the same speed as
1011 sendmail. VMailer now uses a 4096-entry cache with 1 Mbyte
1012 of memory for DB lookups. File: util/dict_db.c.
1014 19980902
1016 Robustness: the reject_unknown_hostname restriction for
1017 HELO/EHLO hostnames will now permit names that have an MX
1018 record instead of an A record.
1020 19980903
1022 Feature: appending @$myorigin to an unqualified address is
1023 configurable with the boolean append_at_myorigin parameter
1024 (default: yes).
1026 Feature: appending .$mydomain to user@host is configurable
1027 with the boolean append_dot_mydomain parameter (default:
1028 yes).
1030 Feature: site!user is rewritten to user@site, under control
1031 of the boolean parameter swap_bangpath (default: yes).
1033 Feature: permit a naked IP address in HELO commands (i.e.
1034 an address without the enclosing [] as required by the
1035 RFC), by specifying "permit_naked_ip_address" as one of
1036 the restrictions in the "smtpd_helo_restrictions" config
1037 parameter.
1039 19980904
1041 Code cleanup: when an SMTP client aborts a session after
1042 sending MAIL FROM, the cleanup service no longer warns that
1043 it is "skipping further client input". Files: cleanup/*.c.
1044 Thanks, Daniel Eisenbud, for prodding.
1046 Code cleanup: when an SMTP server disconnects in the middle
1047 of a session, don't try to send QUIT over the non-existing
1048 connection. Files: global/smtp_stream.c, smtp/smtp.c.
1049 Thanks, Daniel Eisenbud, for prodding, again.
1051 Code cleanup: the VMailer version number has moved from
1052 mail_params.h (which is included by lots of modules) to a
1053 separate file global/mail_version.h, so that a version
1054 change no longer results in massive recompilation.
1056 Bugfix: Errors-To was flagged as a sender address, so the
1057 address never was picked up.
1059 Code cleanup: support for Errors-To: headers completed.
1061 19980905
1063 Feature: per-message exponential delivery backoff, by
1064 looking at the amount of time a message has been queued.
1065 Thanks, Mark Delany.
1067 19980906
1069 Code cleanup: ripped out the per-host exponential backoff
1070 code. It was broken by 19980818. It was probably a bad idea
1071 anyway, because it required per-host, in-core, state kept
1072 by the queue manager. All we do now is to keep state for
1073 $minimal_backoff_time seconds, but only for a limited number
1074 of hosts. Daniel Eisenbud spotted the problem.
1076 Lost feature: the SMTP session transcripts now show who
1077 said what. This feature was inadvertently dropped during
1078 development. Thanks, Daniel Eisenbud, for reminding.
1080 Documentation: the hard-coded rewriting process of the
1081 trivial-rewrite program is described in html/rewrite.html.
1083 Feature: the local delivery agent now does alias lookups
1084 before and after chopping off the recipient subaddress.
1085 This allows you to forward user-anything to another user,
1086 without losing the ability to redirect specific user-foo
1087 addresses.
1089 19980909
1091 Feature: the smtp client now logs a warning that a server
1092 sends a greeting banner with the client's hostname, which
1093 could imply a mailer loop.
1095 19980910
1097 Feature: separate canonical maps for sender and recipient
1098 address rewriting, so that you can rewrite an ugly sender
1099 address and still forward mail to that same ugly address
1100 without creating a mailer loop. Files: cleanup_envelope.c,
1101 cleanup_message.c, cleanup_rewrite.c.
1103 19980911
1105 Feature: virtual maps now support multiple addresses on
1106 the right-hand side. In the case of virtual domains this
1107 can eliminate the need for address expansion via local
1108 aliases, making virtual domains much easier to administer.
1109 This required that I moved the virtual table lookups from
1110 the queue manager to the cleanup service, so that every
1111 recipient has an on-disk status record. Files: qmgr.c,
1112 qmgr_message.c, cleanup_envelope.c, cleanup_rewrite.c,
1113 cleanup_virtual.c.
1115 Feature: sendmail/mailq/newaliases pass on the -v flag to
1116 the program that they end up running, to make debugging a
1117 little easier.
1119 19980914
1121 Bugfix: some anti-spam measures didn't recognize some
1122 addresses as local and would do too much work. File:
1123 smtpd_check.c.
1125 Bugfix: the smtp sender/recipient table lookup restriction
1126 destroyed global data, so that other restrictions could
1127 break. File: smtpd_check.c.
1129 Bugfix: after vmailer reload, single-threaded servers could
1130 exit before flushing unwritten data to the client. Example:
1131 cleanup would exit before acking success to pickup, so the
1132 message would be delivered twice. Bug reported by Brian
1133 Candler.
1135 Cleanup: removed spurious error output from vmailer-script.
1136 Reported by Brian Candler.
1138 Tolerance: ignore non-numeric SMTP server responses. There's
1139 lot of brain damage out there on the net.
1141 19980915
1143 Feature: the smtp-sink benchmark tool now announces itself
1144 with a neutral name so that it can be run on the same
1145 machine as VMailer, without causing Postfix to complain
1146 about a mailer loop.
1148 Robustness: on LINUX, vmailer-script now does chattr +S to
1149 force synchronous directory updates. Fix developed with
1150 Chris Wedgwood.
1152 19980916
1154 Bugfix: when transforming an RFC 822 address to external
1155 form, there is no need to quote " characters in comments.
1156 This didn't break anything, it just looked ugly. File:
1157 global/tok822_parse.c
1159 19980917
1161 Workaround: with deliveries to /file/name, use fsync() and
1162 ftruncate() only on regular files. File: local/file.c
1164 Workaround: the plumbing code in master_spawn.c didn't
1165 check if it was dup2()/close()ing a descriptor to itself
1166 then closing it. Will have to redo the plumbing later.
1168 19980918
1170 Workaround: on multiprocessor Solaris machines, one-second
1171 rollover appears to happen on different CPUs at slightly
1172 different times. Made the queue manager more tolerant for
1173 such things. Problem reported by Daniel Eisenbud.
1175 Workaround: in preparation for deployment with a network-shared
1176 maildrop directory. make pickup more tolerant against clock
1177 drift between clients and servers.
1179 19980921
1181 New vstream_popen() module that opens a two-way channel
1182 across a socketpair-based pipe. This module isn't being
1183 used yet; it is here only to complete the vstream code.
1185 19980922
1187 Code cleanup: the xxx_server_main() interface for master
1188 child processes now uses a name-value argument list instead
1189 of an ugly and inflexible data structure.
1191 Bugfix: moved the test if a non-interactive process is run
1192 by hand, so that the "don't do this" error message can be
1193 printed to stderr before any significant processing.
1195 Bugfix: smtpd now can talk to unix-domain sockets without
1196 bailing out on a peer lookup problem. Files: smtpd/smtpd.c,
1197 util/peer_name.c.
1199 Safety: by default, the postmaster is no longer informed
1200 of protocol problems, policy violations or bounces.
1202 Safety: the SMTP server now sleeps before sending a [45]xx
1203 error response, in order to prevent clients from hammering
1204 the server with a connect/error/disconnect loop. Parameter:
1205 smtpd_error_sleep_time (default: 5).
1207 Feature: the logging facility is compile-time configurable
1208 (e.g., make makefiles "CCARGS=-DLOG_FACILITY=LOG_LOCAL1").
1210 19980923
1212 Bugfix: changed virtual/canonical map search order from
1213 (user@domain, @domain, user) to (user@domain, user, @domain)
1214 so the search order is most specific to least specific.
1215 File: global/addr_map.c, lots of documentation.
1217 Bugfix: after the change of 19980910, cleanup_message
1218 extracted recipients from Reply-To: etc. headers. Found
1219 by Lamont Jones.
1221 19980925
1223 Bugfix: the change in virtual/canonical map search order
1224 broke @domain entries; they would never be looked up if
1225 the address matched $myorigin or $mydestinations. Found by
1226 Chip Christian who now regrets asking for the change.
1228 Bugfix: cleanup initialized an error mask incorrectly, so
1229 that it would keep writing to a file larger than the queue
1230 file size limit, and so it would treat the error as a
1231 recoverable one instead of sending a bounce. Thanks, Pieter
1232 Schoenmakers.
1234 Bugfix: the "queue file cleanup on fatal error" action was
1235 no longer enabled in the sendmail mail posting agent.
1237 Feature: the sendmail mail posting program now returns
1238 EX_UNAVAILABLE when the size of the input exceeds the queue
1239 file size limit. NB THIS CHANGE HAS BEEN WITHDRAWN.
1241 19980926
1243 Code cleanup: the dotlock file locking routine is no longer
1244 derived from Eric Allman's 4.3BSD port of mail.local.
1246 Code cleanup: the retry strategy of the file locking routines
1247 dot_lockfile() and deliver_flock() is now configurable
1248 (deliver_flock_attempts, deliver_flock_delay, deliver_flock_stale).
1250 Code cleanup: the master.pid lock file is now created with
1251 symlink paranoia, and is properly locked so that PID rollover
1252 will not cause false matches.
1254 Bugfix: the vbuf_print() formatting engine did not know
1255 about the '+' format specifier.
1257 Cleanup: replaced unnecessary instances of stdio calls by
1258 vstream ones.
1260 19980929-19981002
1262 Compatibility: added support for "sendmail -q". This required
1263 a change to the queue manager trigger protocol, and a code
1264 reorganization of the way queue scans were done. The queue
1265 manager socket now has become public.
1267 19981002
1269 SMTPD now logs "lost connection after end-of-message"
1270 instead of "lost connection after DATA".
1272 19981005
1274 More bullet proofing: timeouts on all triggers.
1276 19981006
1278 Bugfix: make the number of cleanup processes unlimited, in
1279 order to avoid deadlock. The number of instances needed is
1280 one per smtp/pickup process, and an indeterminate number
1281 per local delivery agent. Thanks, Thanks, David Miller and
1282 Terry Lorrah for cleueing me in.
1284 Bugfix: "sendmail -t" extracted recipients weren't subjected
1285 to virtual mapping. Daniel Eisenbud strikes again.
1287 19981007
1289 Compatibility: if the first input line ends in CRLF, the
1290 sendmail posting agent will treat all CRLF as LF. Otherwise,
1291 CRLF is left alone. This is a compromise between sendmail
1292 compatibility (all lines end in CRLF) and binary transparency
1293 (some, but not all, lines contain CRLF).
1295 19981008
1297 Robustness: stop recursive virtual expansion when the
1298 left-hand side appears in its own expansion.
1300 19981009
1302 Portability: trigger servers such as pickup and qmgr can
1303 now use either FIFOs or UNIX-domain sockets; hopefully at
1304 least one of them works properly. Trigger clients were
1305 already capable of using either form of local IPC.
1307 19981011
1309 Feature: masquerading. Strip subdomains from domains listed
1310 in $masquerade_domains. Exception: envelope recipients are
1311 left alone, in order to not screw up routing.
1313 19981015
1315 Code cleanup: moved the recipient duplicate filter from
1316 the user-level sendmail posting agent to the semi-resident
1317 cleanup service, so that the filter operates on the output
1318 from address canonicalization and of virtual expansion,
1319 instead of operating on their inputs.
1321 19981016
1323 Bugfix: after kill()ing a bunch of child processes, wait()
1324 sometimes fails before all children have been reaped, and
1325 must be called again, or the master will SIGSEGV later.
1326 Problem reported by Scott Cotton.
1328 Workaround: don't log a complaint when an SMTP client goes
1329 away without sending QUIT.
1331 19981018
1333 Workaround: Solaris 2.5 ioctl SIOCGIFCONF returns a hard
1334 error (EINVAL) when the result buffer is not large enough.
1335 This can happen on systems with many real or virtual
1336 interfaces. File: util/inet_addr_local.c. Problem reported
1337 by Scott Cotton.
1339 Workaround: the optional HELO/EHLO hostname syntax check
1340 now allows a single trailing dot.
1342 Workaround: with UNIX-domain sockets, LINUX connect() blocks
1343 until the server calls accept(). File: qmgr/qmgr_transport.c.
1344 Terry Lorrah and Scott Cotton provided the necessary
1345 evidence.
1347 19981020
1349 Robustness: recursive canonical mapping terminates when
1350 the result stops changing.
1352 Code cleanup: reorganized the address rewriting and mapping
1353 code in the cleanup service, to make it easier to implement
1354 the previous enhancement.
1356 19981022
1358 Code cleanup: more general queue scanning programming
1359 interface, in preparation for hashed queues. File:
1360 qmgr/qmgr_scan.c.
1362 Bugfix: a non-FIFO server with a process limit of 1 has a
1363 too short listen queue. Until now this was not a problem
1364 because only FIFO servers had a process limit of 1, and
1365 FIFOs have no listen queue. Fix: always configure a listen
1366 queue of proc_limit or more. File: master/master_listen.c.
1368 19981023
1370 Feature: by popular request, mail delay is logged when
1371 delivering, bouncing or deferring mail.
1373 19981024
1375 Cleanup: double-bounce mail is now absorbed by the queue
1376 manager, instead of the local delivery agent, so that the
1377 mail system will not go mad when no local delivery agent
1378 is configured.
1380 19981025
1382 Cleanup: moved the relocated table from the local delivery
1383 agent to the queue manager, so that the table can also be
1384 used for virtual addresses.
1386 Code reorg: in order for the queue manager to absorb
1387 recipients, the queue file has to stay open until all
1388 recipients have been assigned to a destination queue.
1390 19981026
1392 vmlogger command, so that vmailer-script logging becomes
1393 consistent with the rest of the VMailer system.
1395 Code reorg: logger interface now can handle multiple output
1396 handlers (e.g. syslog and stderr stream).
1398 Bugfix: a first line starting with whitespace is no longer
1399 treated as an extension of our own Received: header. Files:
1400 smtpd/smtpd.c, pickup/pickup.c.
1402 19981027
1404 Bugfix: the bang-path swapping code went into a loop on an
1405 address consisting of just a single !. Eilon Gishri had
1406 the privilege of finding this one.
1408 Workaround: the non-blocking UNIX-domain socket connect is
1409 now enabled only on systems that need it. It may cause
1410 kernel trouble on Solaris 2.x.
1412 Bugfix: the resolver didn't implement bangpath swapping,
1413 so that mail for site!user@mydomain would be delivered to
1414 a local user named "site!user".
1416 19981028
1418 Cleanup: a VSTREAM can now use different file descriptors
1419 for reading and writing. This was necessary to prevent
1420 "sendmail -bs" and showq from writing to stdin. Eilon Gishri
1421 observed the problem.
1423 19981029
1425 The RFC 822 address manipulation routines no longer give
1426 special attention to 8-bit data. Files: global/tok822_parse.c,
1427 global/quote_822_local.c.
1429 Bugfix: host:port and other non-domain stuff is no longer
1430 allowed in mail addresses. File: qmgr/qmgr_message.c.
1432 Workaround: LINUX accept() wakes up before the three-way
1433 handshake is complete, so it can fail with ECONNRESET.
1434 Files: master/single_server.c, master/multi_server.c.
1436 Feature: when delivering to user+foo, try ~user/.forward+foo
1437 before trying ~user/.forward.
1439 Bugfix: smtpd in "sendmail -bs" (stand-alone) mode didn't
1440 clean up when terminated by a signal.
1442 Bugfix: smtpd in "sendmail -bs" (stand-alone) mode should
1443 not try to enforce spam controls because it cannot access
1444 the address rewriting machinery.
1446 Cleanup: the percent hack (user%domain -> user@domain) is
1447 now configurable (allow_percent_hack, default: yes).
1449 Bugfix: daemons in -S (stand-alone) mode didn't change
1450 directory to the queue. This was no problem with daemons
1451 run by the sendmail compatibility program.
1453 19981030
1455 Feature: when virtual/canonical/relocated lookup fails for
1456 an address that contains the optional recipient delimiter
1457 (e.g., user+foo@domain), the search is done again with the
1458 unextended address (e.g., user@domain). File: global/addr_find.c.
1460 Code reorg: the address searching is now implemented by a
1461 separate module global/addr_find.c, so that the same code
1462 can be used for both (non-mapping) relocated table lookups
1463 and for canonical and virtual mapping. The actual mapping
1464 is still done in the global/addr_map.c module.
1466 Robustness: the SMTP client now skips hosts that don't send
1467 greeting banner text. File: smtp/smtp_connect.c
1469 Feature: preliminary support to disable delivered-to. This
1470 is desirable for mailing list managers that don't want to
1471 advertise internal aliases.
1473 Generic support: when the recipient_feature_delimiter
1474 configuration parameter is set, the local delivery agent
1475 uses it to split the recipient localpart into fields. Any
1476 field that has a known name such as "nodelivered" enables
1477 the corresponding delivery feature.
1479 19981031
1481 Code reorg: address splitting on recipient delimiter is
1482 now centralized in global/split_addr.c, which knows about
1483 all reserved names that should never be split.
1485 Robustness: when a request for an internal service cannot
1486 be satisfied because the master has terminated, terminate
1487 instead of trying to reach the service every 30 seconds.
1489 Safety: the local delivery agent now runs as vmailer most
1490 of the time, just like pickup and pipe. Files: local/local.c,
1491 local/mailbox.c
1493 19981101
1495 Compatibility: the tokenizer for alias/forward/etc.
1496 expansion now updates an optional counter with the number
1497 of destinations found; If no destinations is found in a
1498 .forward file, deliver to the mailbox instead. Thanks,
1499 Daniel Eisenbud, for showing the way to go.
1501 Robustness: the pickup daemon should always include a
1502 posting-time record, even when the sendmail posting agent
1503 didn't. However, just like before, user-provided posting
1504 times will be ignored. Ollivier Robert found this one.
1506 Robustness: duplicate entries in aliases or maps now cause
1507 a warning instead of a fatal error (and an incomplete file).
1509 Robustness: mkmap now prints a warning when an entry is in
1510 "key: value" format, which is the format expected for alias
1511 databases, not for maps.
1513 Portability: on LINUX, prepend "+" to the getopt() options
1514 string so that getopt() will stop at the first non-option
1515 argument. Suggestion by Marco d'Itri.
1517 19981103
1519 Cleaned up the set_eugid() and open_as() implementations,
1520 and added stat_as() and fstat_as() so that the local delivery
1521 agent would look up include files and .forward files with
1522 the right privileges.
1524 19981104
1526 Bugfix: the :include: routine now stat()s/open()s files
1527 included by root-owned aliases as root, not as nobody.
1529 Bugfix: the master crashed when a service with wakeup timer
1530 was disabled or renamed. Fix: eliminate some pathological
1531 coupling between process management and wakeup management.
1533 Feature: partial implementation of ETRN (causes a full
1534 deferred queue scan). Thanks Lamont Jones for reminding me
1535 that things can be useful already before they are perfect.
1537 Cleanup: simplified the SMTPD tokenizer.
1539 Bugfix: sendmail -bs didn't properly notify the mail system
1540 of new mail.
1542 Compatibility: the MAIL FROM and RCPT TO commands now accept
1543 the most common address forms without enclosing <>. The <>
1544 is still needed for addresses that contain a "string", an
1545 [address], or a colon (:).
1547 19981105
1549 Bugfix: "master -t" would claim that the master runs when
1550 in fact the pid directory does not exist, causing trouble
1551 with first time startup (reported by several).
1553 Portability: added a sane_accept() module that maps all
1554 beneficial accept() error results to EAGAIN. According to
1555 private communication with Alan Cox, Linux 2.0.x accept()
1556 can return a variety of error conditions, so we play safe
1557 and allow for any error that may happen because SYN+ACK
1558 could not be sent.
1560 Portability: NETBSD1 uses dotlock files (Perry Metzger).
1562 Bugfix: the local delivery agent did not canonicalize
1563 owner-foo sender addresses, so that local users would see
1564 owner-foo instead of owner-foo@$myorigin (Perry Metzger).
1566 OPENSTEP4 support, similar to NEXTSTEP3 (Gerben Wierda).
1568 19981106
1570 Portability: the master startup would take a long time on
1571 AIX because AIX has a very large per-process open file
1572 limit. Fix is to check the status of only the first couple
1573 hundred file descriptors instead. File: master/master.c.
1575 Bugfix: mail to user@[net.work.addr.ess] was broken because
1576 of a reversed test. File: qmgr/qmgr_message.c.
1578 19981107
1580 Compatibility: don't clobber the envelope sender address
1581 when an alias has no owner-foo alias (problem diagnosed by
1582 Christophe Kalt).
1584 Bugfix: mail to local users in include files would be
1585 delivered directly if the alias didn't have an owner-foo
1586 alias, and if the alias database and include file were
1587 owned by root.
1589 Feature: with user+foo addresses, any +foo address extension
1590 that is not explicitly matched in canonical, virtual or
1591 alias databases is propagated to the table lookup result.
1593 19981108
1595 Bugfix: minor memory leak in the user+foo table lookup
1596 code.
1598 Configurability: specify virtual.domain in the virtual map,
1599 and mail for unknown@virtual.domain will bounce automatically.
1600 The $relay_domains default value now includes $virtual_maps,
1601 so the SMTP server will accept mail for the domain. Marco
1602 d'Itri put me on the right track.
1604 Configurability: The mydestinations configuration parameter
1605 now accepts /file/name expressions and type:name lookup
1606 tables.
1608 Code cleanup: in order to make the previous two enhancements
1609 possible, revised the string/host/address matching engine
1610 so it can handle any mixture of strings, /file/name patterns
1611 and type:name lookup tables. Files: util/match_{list,ops}.c,
1612 global/{domain,namadr,string}_list.c.
1614 19981110
1616 Code cleanup: replaced remaining isxxx() calls by ISXXX().
1618 19981111
1620 Bugfix: the "bounce unknown virtual user" code was in the
1621 wrong place. Problem tackled with help of Chip Christian.
1623 Portability: reportedly, Solaris 2.5.1 can hang waiting
1624 for a UNIX-domain connection to be accepted, so it gets
1625 the same workaround that was designed for LINUX. Problem
1626 reported by Scott Cotton.
1628 19981112
1630 Management: "vmailer stop" now allows delivery agents to
1631 finish what they are doing, like "vmailer reload".
1633 Management; "vmailer abort" causes immediate termination.
1635 Workaround: zombie processes pile up with HP-UX. Reason:
1636 select() does not return upon SIGCHLD when SA_RESTART is
1637 specified to sigaction(). Workaround: shorten the select()
1638 timer to 10 seconds, #ifdef BRAINDEAD_SELECT_RESTARTS.
1639 Thanks, Lamont Jones.
1641 19981117
1643 Rename: VMailer is now Postfix. Sigh.
1645 19981118
1647 Cleanup: generalized the safe_open() routine so that it is
1648 no longer limited to mailbox files, lock files, etc.
1650 Bugfix (found during code review): vstream*printf() could
1651 run off the end of a stream buffer after an I/O error,
1652 because vbuf_print() ignored the result from VBUF_SPACE().
1654 Bugfix (found during code review): resolve_local() could
1655 clobber its argument, but the docs didn't say so.
1657 19981121
1659 Cleanup: the is_header() routine now allows 8-bit data in
1660 header labels.
1662 19981123
1664 Bugfix (found during code review): the mail_queue_enter()
1665 path argument wasn't optional. File: global/mail_queue.c
1667 19981124
1669 Cleanup: eliminated redundant tests for a zero result from
1670 vstream_fdopen(). Unlike the stdio fdopen() routine, the
1671 vstream_fdopen() routine either succeeds or never returns.
1673 Bugfix: the queue manager now looks at the clock before
1674 examining a file time stamp, to avoid spurious complaints
1675 about time warps on busy machines. File: qmgr/qmgr_active.c.
1677 19981125
1679 Compatibility: allow trailing dot at the end of user@domain.
1680 Address canonicalization now strips it off. Issue brought
1681 forward by Eilon Gishri. File: trivial-rewrite/rewrite.c.
1683 Robustness: changed DNS lookup order of MAIL FROM etc.
1684 domains from MX then A to A then MX, just in case the MX
1685 lookup fails with a server error.
1687 Renamed vmcat, vmlock, vmlogger, vmtrigger to postcat,
1688 postlock, postlog, postkick. Also renamed mkmap and mkalias
1689 to postmap and postalias.
1691 19981126
1693 Workaround: Lamont Jones found a way for HP-UX to terminate
1694 select() after SIGCHLD. The code is #ifdef USE_SIG_RETURN.
1695 Files: util/sys_defs.h, master/master_sig.c.
1697 Bugfix: the Delivered-To: loop detection code had stopped
1698 working, when long ago the is_header() routine was changed.
1699 File: local/delivered.c.
1701 19981128
1703 Bugfix: postcat opened queue files read-write, where only
1704 read access was needed. File: postcat/postcat.c.
1706 19981129
1708 Safety: added a sleep(1) to all fatal and panic exits.
1709 File: util/msg.c.
1711 19981201
1713 Robustness: postcat now insists that a file starts with a
1714 time record.
1716 Consistency: added "-c config_dir" command-line options
1717 where appropriate.
1719 19981202
1721 Man pages, on-line version.
1723 19981203
1725 Man pages, html version; overview documentation.
1727 19981206
1729 Sendmail silently accepted the unsupported -qRsite and
1730 -qSsite options. It now prints an error message and
1731 terminates.
1733 Separated the contributed tree from the IBM code; moved
1734 the LDAP and NEXTSTEP/OPENSTEP code to the contributed
1735 source tree because obviously I didn't write it.
1737 19981206-9
1739 Had to write a postconf configuration utility in order to
1740 reliably find out about all configuration parameters and
1741 their defaults.
1743 Documentation bugfixes by Matt Shibla, Scott Drassinower,
1744 Greg A. Woods.
1746 19981209
1748 On machines with short hostnames, postconf -d cored while
1749 reporting a fatal error. It should not report that error
1750 in the first place. Thanks, Eilon Gishri.
1752 Changed the FAQ entry about rejecting mail for *.my.domain
1753 on a firewall. Chip Christian was right, I was wrong.
1755 19981214
1757 Portability: with GNU getopt, optind is not initially 1,
1758 breaking an assumption in sendmail/sendmail.c. Liviu Daia.
1760 Annoyance: on non-networked systems, don't warn that only
1761 one network interface was found. File: global/inet_addr_local.c.
1762 Reported by several.
1764 Bugfix: on non-networked systems, the smtp client assumed
1765 that it was running in virtual host mode, and would bind
1766 to the loopback interface. File smtp/smtp_connect.c. Liviu
1767 Daia, again.
1769 19981220
1771 Robustness: when looking up an A or MX record, do not give
1772 up when the A query fails because of a server error. File
1773 dns/dns_lookup.c. Reported by Scott Drassinower.
1775 19981221
1777 Bugfix: "bounce mail for non-existent virtual user" didn't
1778 work when a non-default relay host was configured in main.cf
1779 or in the transport table. File: qmgr/qmgr_message.c.
1781 Bugfix: the maildrop directory should not be world-readable.
1782 Files: conf/postfix-script, showq/showq.c.
1784 Documentation: fixed several omissions and errors.
1786 Documentation: removed references to the broken recipient
1787 feature delimiter configuration parameter.
1789 Bugfix: write mailbox file as the recipient, so that file
1790 quota work as expected.
1792 Bugfix: pickup would die when it tried to remove a non-file
1793 in the maildrop directory (Jeff Wolfe).
1795 19981222
1797 Sendmail no longer logs the queue ID when it is unable to
1798 notify the pickup daemon. This is a late addition to the
1799 "unreadable maildrop queue" patch.
1801 user.lock files are now created as root, so that postfix
1802 needs no group directory write permission.
1804 19981224
1806 Security: allow queue file link counts > 1, to avoid
1807 non-delivery of maildrop files with links to a non-maildrop
1808 directory. Files: global/mail_open_ok.c, and anything
1809 that calls this code (qmgr, pickup, showq). If multiple
1810 hard links are a problem, see the set-gid "postdrop" utility
1811 below.
1813 19981225
1815 Robustness: the queue manager no longer aborts when a queue
1816 file suddenly disappears (e.g. because the file was removed
1817 by hand).
1819 Feature: when a writable maildrop directory is a problem,
1820 sites can make the new "postdrop" utility set-gid. This
1821 command is never used when the maildrop directory is
1822 world-writable.
1824 Robustness: make the queue file creation routine more
1825 resistant against denial of service race attack. File:
1826 global/mail_queue.c
1828 19981226
1830 New suid_priv module to enable/disable privileges in a
1831 set-uid/gid program. In the end I decided to not use it.
1833 19981228
1835 Robustness: make the pickup daemon more resistant against
1836 non-file race attack.
1838 Cleanup: generic mail_stream.c interface for writing queue
1839 file streams to files, daemons or commands. This simplifies
1840 the code in smtpd and in sendmail that must be able to pipe
1841 mail through the postdrop command. The cleanup daemon has
1842 been modified to use the same interface. Result: less code.
1844 Feature: smtpd now logs the only recipient in Received:
1845 headers.
1847 Feature: separate command and daemon directories. Both
1848 default to $program_directory. Install conf/postfix-script
1849 if you want to use this feature.
1851 19981230
1853 Patch to avoid conflict with non-writable top-level Makefile
1854 (Lamont Jones).
1856 19981231
1858 Portability: port to UnixWare 7 by Ronald Joe Record, SCO.
1860 19990104
1862 Bugfix: fencepost (Jon Ribbens, Oaktree Internet Solutions
1863 Ltd.) Files: quote_82[12]_local.c.
1865 Bugfix: wrong default for relay_domains (Juergen Kirschbaum,
1866 Bayerische Landesbank). File: mail_params.h.
1868 Bugfix: changed 5xx response for "too may recipients" to
1869 4xx. File: smtpd.c.
1871 19990106
1873 Feature: defer_transports specifies the names of transports
1874 that should be used only when "sendmail -q" (or equivalent)
1875 is issued. For example, "defer_transports = smtp" is useful
1876 for sites that are disconnected most of the time. File:
1877 qmgr_message.c.
1879 19990107
1881 Feature: local_command_shell specifies a non-default shell
1882 for delivery to command by the local delivery agent. For
1883 example, "local_command_shell = /some/where/smrsh -c"
1884 restricts what may appear in "|command" destinations.
1885 File: global/pipe_command.c.
1887 19990112-16
1889 Feature: SMTP command pipelining support based on an initial
1890 version by Jon Ribbens, Oaktree Internet Solutions Ltd.
1891 This one took several days of massaging before I felt
1892 comfortable about it. Files: smtp.c, smtp_proto.c.
1894 Bugfix: the SMTP server would flush responses one-by-one,
1895 which caused suboptimal performance with pipelined clients.
1896 The vstream routines now flush the write buffer when the
1897 read() routine is called, instead of flushing when the
1898 application changes from writing to reading. Delayed flush
1899 prevents the SMTP server from flushing responses one-by-one
1900 and thus triggering Nagle's algorithm. File: util/vstream.c.
1902 19990117
1904 Bugfixes and enhancements to the smtpstone tools by Drew
1905 Derbyshire, Kendra Electronic Wonderworks: send helo command,
1906 send message headers, format the message content to lines
1907 < 80, work around NT stacks, make "." recognition more
1908 robust. Files: smtp-source.c, smtp-sink.c.
1910 Strategy: look at the deferred queue only when the incoming
1911 queue is empty; limit the number of recipients read from
1912 a queue file depending on the number of recipients already
1913 in core. Files: qmgr.c, qmgr_message.c.
1915 Feature: postponed anti-UCE restrictions. The decision to
1916 reject junk mail on the basis of the client name/address,
1917 HELO hostname or sender address can now be postponed until
1918 the RCPT TO command (or HELO or MAIL FROM if you like).
1919 File: smtpd_check.c.
1921 19990118
1923 Feature: incremental updates of alias databases and of
1924 other lookup tables. Both postalias and postmap now take
1925 a -i option for incremental updates from standard input.
1926 Files: global/mkmap_*.c, post{map,alias}/post{map,alias}.c.
1928 Compatibility: newaliases can now update multiple alias
1929 databases: list them in the "alias_database" parameter in
1930 main.cf. By the same token, postalias can now update multiple
1931 maps in one command. Files: post{map,alias}/post{map,alias}.c
1933 Feature: mail to <> is now sent to the address specified
1934 with the "empty_address_recipient" configuration parameter
1935 which defaults to MAILER-DAEMON (idea by Lamont Jones,
1936 Hewlett-Packard). File: cleanup/cleanup_envelope.c.
1938 Compatibility: the transport table now uses .domain.name
1939 to match subdomains, just like sendmail mailer tables (patch
1940 by Lamont Jones, Hewlett-Packard).
1942 Feature: mailq now ends with a total queue size summary
1943 (Eilon Gishri, Israel Inter University Computation Center).
1945 19990119
1947 Feature: address masquerade exceptions for user names listed
1948 in the "masquerade_exceptions" configuration parameter.
1949 File: cleanup/cleanup_masquerade.c.
1951 Feature: qmail-style maildir support, based on initial code
1952 by Kevin W. Brown, Quantum Internet Services Inc.
1954 Workaround: Solaris 2.something connect() fails with
1955 ECONNREFUSED when the system is busy (Chris Cappuccio,
1956 Empire Net). File: global/mail_connect.c.
1958 Feature: the cleanup service now adds a Return-Path: header
1959 when none is present. This header is needed for some mail
1960 delivery programs (see below). File: cleanup_message.c.
1962 Feature: the pipe mailer now supports $user, $extension
1963 and $mailbox macros in command-line expansions. This, plus
1964 the Return-Path: header (see above), should be sufficient
1965 to support cyrus IMAP out of the box. Based on initial
1966 code by Joerg Henne, Cogito Informationssysteme GMBH.
1967 File: pipe/pipe.c.
1969 Bugfix: with address extensions enabled, canonical and
1970 virtual lookups now are done in the proper order:
1971 user+foo@domain, user@domain, user+foo, user, @domain.
1972 File: global/mail_addr_find.c.
1974 19990119
1976 Feature: the local mailer now prepends a Received: message
1977 header with the queue ID to forwarded mail, in order to
1978 make message tracing easier. File: local/forward.c.
1980 Cleanup: after "postfix reload", no more broken pipe
1981 complaints from resolve/rewrite clients.
1983 19990121
1985 Feature: pickup (again) logs uid and sender address. On
1986 repeated request by Scott Cotton, Internet Consultants
1987 Group, Inc.
1989 Portability: doze() function for systems without usleep().
1991 Cleanup: clients are now consistently logged as host[address].
1993 19990122
1995 Maildir support changed: specify "home_mailbox = Maildir/".
1996 The magic is the trailing /. Suggested by Daniel Eisenbud,
1997 University of California at Berkeley.
1999 Maildir support from aliases, :include: and .forward files.
2000 Specify /file/name/ - the trailing / is required. Suggested
2001 by Daniel Eisenbud, University of California at Berkeley.
2003 Workaround: watchdog timer to prevent the queue manager
2004 from locking up on some systems.
2006 Bugfix: in Received: headers, the "for <recipient>"
2007 information was in the wrong place. Pointed out by Jon
2008 Ribbens, Oaktree Internet Solutions Ltd.
2010 19990124
2012 Portability: more workarounds for GNU getopt() by Liviu
2013 Daia, Institute of Mathematics, Romanian Academy. File:
2014 sendmail/sendmail.c.
2016 19990125
2018 Bugfix: Postfix should not masquerade recipient addresses
2019 extracted from message headers. Problem reported by David
2020 Blacka, Network Solutions. File: cleanup/cleanup_message.c.
2022 19990126
2024 Feature: smtpd_etrn_restrictions parameter to restrict who
2025 may use ETRN and what domains may be specified. Example:
2026 "smtpd_etrn_restrictions = permit_mynetworks, reject".
2027 Requested by Jon Ribbens, Oaktree Internet Solutions Ltd.
2028 File: smtpd/smtpd_check.c.
2030 19990127
2032 Bugfix: in an attempt to shave some cycles, the anti junk
2033 mail routines would use the wrong resolved address. This
2034 "optimization" is now turned off. Problem reported by Sam
2035 Eaton, Pavilion Internet Plc. File: smtpd/smtpd_check.c.
2037 Feature: BIFF notifications. For compatibility reasons
2038 this feature is on by default. This "protocol" can be a
2039 real performance pig. Specify "biff = no" in main.cf if
2040 your machine has lots of shell users. Feature requested by
2041 Dan Farmer - it's one of the things one does for friends.
2042 Files: local/mailbox.c, local/biff_notify.c.
2044 Bugfix: another case sensitivity problem, this time with
2045 virtual lookups to recognize unknown@virtual.domain.
2046 Problem reported by Bo Kleve, Linkoping University. File:
2047 qmgr/qmgr_message.c.
2049 19990128
2051 Feature: with "soft_bounce = yes", defer delivery instead
2052 of bouncing mail. This is a safety net for configuration
2053 errors with delivery agents. It has no effect on errors in
2054 virtual maps, canonical maps, or in junk mail restrictions.
2055 Feature requested by Bennett Todd. File: global/bounce.c.
2057 19990129
2059 Compatibility: the qmail maildir.5 documentation prescribes
2060 maildir file names of the form time.pid.hostname, which is
2061 wrong because Postfix processes perform multiple deliveries.
2062 Elsewhere the qmail author has documented how maildir files
2063 should be named under such conditions. Postfix has been
2064 changed to be conformant. File: local/maildir.c.
2066 19990131
2068 Feature: special treatment of owner-foo and foo-request
2069 can be turned off. Specify "owner_request_special = no".
2070 Requested by Matthew Green and others. Files: local/alias.c,
2071 global/split_addr.c. This affects canonical, virtual and
2072 alias lookups.
2074 19990204
2076 Portability: signal handling for HP-UX 9 by Lamont Jones
2077 of Hewlett Packard. File: master/master_sig.c.
2079 Robustness: disable random walk inside a per-site queue to
2080 avoid message starvation under heavy load. File: qmgr_entry.c.
2082 Robustness: under some conditions the queue manager could
2083 declare a host dead after just one delivery failure. File:
2084 qmgr_queue.c.
2086 19990212
2088 Feature: skip SMTP servers that greet us with a 4XX status
2089 code. Example: "smtp_skip_4xx_greeting = yes". By default,
2090 the Postfix SMTP client defers delivery when a server
2091 declines talking to us. File: smtp/smtp_connect.c.
2093 Robustness: upon startup the queue manager now moves active
2094 queue files to the incoming queue instead of the deferred
2095 queue, to avoid anomalous delivery delays on systems that
2096 have a huge incoming queue. Files: qmgr/qmgr.c,
2097 qmgr/qmgr_active.c, global/mail_flush.c, conf/postfix-script*
2099 19990213
2101 Robustness: added watchdog timers to avoid getting stuck
2102 on systems with broken select() socket implementations.
2103 File: qmgr_transport.c, qmgr_deliver.c.
2105 19990218
2107 Feature: NFS-friendly delivery to mailbox by avoiding the
2108 use of root privileges as much as possible. With input by
2109 Mike Muus, Army Research Lab, USA.
2111 Feature: the smtp-sink test server now supports SMTP command
2112 pipelining. To this end we had to generalize the timer and
2113 vstream support. Poor performance is fixed 19990222.
2115 Cleanup: timer event routines now have the same interface
2116 as read/write event routines (event type + context). File:
2117 util/events.c.
2119 Feature: new vstream_peek() routine to tell how much unread
2120 data is left in a VSTREAM buffer. This is the vstream
2121 variant of the peekfd() routine for kernel read buffers.
2122 File: util/vstream.c.
2124 Feature: directory scanning support for hashed mail queue
2125 directories. So far the results are disappointing: with
2126 depth = 2 (16 directories with 16 subdirectories), mailq
2127 takes 5 seconds with an empty queue unless all directories
2128 happen to be cached in memory. We need a bit map before
2129 hashed queue directories become practical. Depth=1 hashing
2130 doesn't slow down mailq much, but doesn't help much either.
2131 Files: util/scan_dir.c, global/mail_scan_dir.c.
2133 19990221
2135 Workaround: with "ignore_mx_lookup_error = yes", the SMTP
2136 client always performs an A lookup when an MX lookup could
2137 not be completed, rather than treating MX lookup failure
2138 as a temporary error condition. Unfortunately there are
2139 many broken DNS servers on the Internet. File: smtp/smtp_addr.c.
2141 19990222
2143 Performance: rewrote the guts of the smtp-sink test server
2144 so it can do pipelining without losing performance.
2146 19990223
2148 Workaround: hotmail.com sometimes drops the connection
2149 after "." (causing misleading diagnostics to be logged) or
2150 waits minutes after receiving QUIT. Solution: do not wait
2151 for the response to QUIT. File: smtp/smtp_proto.c. This
2152 is turned off with: "smtp_skip_quit_response = no".
2154 19990224
2156 Feature: the pipe mailer accepts user=username:groupname,
2157 based on code submitted by Philip A. Prindeville, Mirapoint,
2158 Inc., USA. File: pipe/pipe.c.
2160 Workaround: use file locking to prevent multiple processes
2161 from select()ing on the same socket. This causes performance
2162 problems on large BSD systems. Files: master/*_server.c.
2164 19990225
2166 Bugfix: with "inet_interfaces = 127.0.0.1", don't bind to
2167 the loopback interface. Problem reported by Steve Bellovin
2168 of AT&T. File: smtp/smtp_addr.c.
2170 Feature: "postsuper" command to remove stale queue files
2171 to update queues after changes to the queue structure
2172 parameters (hash_queue_names, hash_queue_depth). This
2173 command is to be run from the postfix-script maintenance
2174 shell script.
2176 19990301
2178 Feature: new postconf -h (suppress `name = ' in output)
2179 option to make the program easier to use in, e.g., shell
2180 scripts.
2182 Feature: dict_unix module so you can add the UNIX passwd
2183 table to the SMTPD access control list.
2185 19990302
2187 Feature: "luser_relay = destination" captures mail for
2188 non-existent local recipients. This works only when the
2189 local delivery agent does mailbox delivery (including
2190 delivery via mailbox_command), not when mailbox delivery
2191 is delegated to another message transport.
2193 Feature: new reject_non_fqdn_{hostname,sender,recipient}
2194 restrictions to require fully.qualified.domain forms in
2195 HELO, MAIL FROM and RCPT TO commands (while still allowing
2196 the <> sender address).
2198 19990304
2200 Bugfix: backed out the 19990119 change to always insert
2201 Return-Path: if that header is not present. The pipe and
2202 local agents now are responsible for prepending Return-Path:.
2203 Files: cleanup/cleanup_message.c, global/mail_copy.[hc],
2204 pipe/pipe.c, global/header_opts.c. This causes an incompatible
2205 change to the pipe flags parameter, because Return-Path:
2206 now must be requested explicitly.
2208 19990305
2210 Bugfix: showq (the mailq server) incorrectly assumed that
2211 all recipients of a deferred message are listed in the
2212 corresponding defer logfile. It now lists all recipients.
2213 Files: showq/showq.c, cleanup/cleanup_envelope.c (ensure
2214 that sender records always precede recipient records).
2216 Cleanup: smtpd HELO restrictions validate [numerical] forms.
2217 Files: util/valid_hostname.c, smtpd/smtpd_check.c. Initial
2218 code by Philip A. Prindeville, Mirapoint, Inc., USA.
2220 19990306
2222 Cleanup: re-vamped the valid_hostname module, and added a
2223 maximal label length (63) requirement.
2225 Feature: fallback_relay parameter to specify extra backup
2226 hosts in case the regular relay hosts are not found or not
2227 available. Files: smtp/smtp_addr.c.
2229 Feature: "always_bcc = address" specifies where to send a
2230 copy of each message that enters he system. However, if
2231 that copy bounces, the sender will be informed of the
2232 bounce. Files: smtpd/smtpd.c, pickup/pickup.c
2234 Compatibility: the transport map will now route on top-level
2235 domains, so you can dump all of .bitnet to a bitnet relay.
2237 19990307
2239 Feature: LDAP lookups, updated by Jon Hensley, Merit Network,
2240 USA.
2242 Feature: regular expression (PCRE) support by Andrew
2243 McNamara, connect.com.au Pty. Ltd., Australia. In order to
2244 use this code specify pcre:/file/name. You can use this
2245 anywhere you would use a DB or DBM file, NIS or LDAP. See:
2246 PCRE_README for how to enable this code.
2248 Feature: "delay_warning_time = 4" causes Postfix to send
2249 a "your mail is delayed" notice after approx. 4 hours.
2250 Daniel Eisenbud, University of California at Berkeley.
2251 Files: qmgr/qmgr_active.c, qmgr/qmgr_message. Postmaster
2252 notices for delayed mail are disabled by default. In order
2253 to receive postmaster notices, specify "notify_classes =
2254 ... delay ...".
2256 Cleanup: do not send undeliverable bounced mail to postmaster.
2257 This was causing lots of pain with junk mail from bogus
2258 sender addresses to non-existent recipients. This change
2259 was reversed 19990311.
2261 19990308
2263 Bugfix: the dotforward routine was too eager with throwing
2264 away extension information, so that the Delivered-To: info
2265 would differ for \mailbox and |command. Problem reported
2266 by Rafi Sadowski, Open University, Israel.
2268 Bugfix: seems I never got around to fix the btree access
2269 method. I finally did. Problem reported by: Matt Smith,
2270 AvTel Communications Inc., USA.
2272 19990311
2274 Back by popular demand: with "notify_classes = 2bounce ..."
2275 Postfix will send undeliverable bounced mail to postmaster.
2276 The default is to not send double bounces. This change
2277 reverses a change made on 19990307.
2279 19990312
2281 Feature: configurable exit handler for server skeletons.
2282 Philip A. Prindeville, Mirapoint, Inc., USA. Files:
2283 master/*server.c.
2285 Feature: mail_spool_directory configuration parameter to
2286 specify the UNIX mail spool directory. The default setting
2287 is system dependent.
2289 19990313
2291 Cleanup: share file descriptors for resolve and rewrite
2292 client connections. This puts less strain on the trivial-rewrite
2293 service.
2295 Portability: support for UnixWare 2.1 by Dmitry E. Kiselyov,
2296 Nizhny Novgorod City Health Emergency Station.
2298 Feature: configurable delays in the smtpstone test programs.
2299 With input by Philip A. Prindeville, Mirapoint, Inc., USA.
2300 Files: smtpstone/*.c.
2302 Bugfix: a "signal 11" problem in the trivial-rewrite program
2303 that would occasionally happen after "postfix reload".
2304 Reason: some rewrite clients would clobber their input,
2305 and when they had to retransmit the query, the input would
2306 be a zero-length string, which trivial-rewrite isn't supposed
2307 to receive.
2309 19990314
2311 Feature: "mailbox_transport = cyrus" delegates all local
2312 mailbox delivery to a master.cf entry called "cyrus" (the
2313 same trick for procmail), including users not found in the
2314 UNIX passwd database. This gives the flexibility of $name
2315 expansions by the pipe mailer, without losing local aliases
2316 and ~/.forward processing. Result of discussions with Rupa
2317 Schomaker, RS Consulting.
2319 19990315
2321 Feature: the mydestination parameter can now be an empty
2322 string, for hosts that don't receive any mail locally. Be
2323 sure to specify a default route for mail that comes to the
2324 machine or mail will loop.
2326 19990316
2328 Bugfix: the SMTPD check scaffolding didn't apply the same
2329 sanity checks as the production code. Problem reported by
2330 Alain Thivillon, Herve Schauer Consultants, France. File:
2331 smtpd/smtpd_check.c.
2333 Portability: some systems can have more than 59 seconds in
2334 a minute. Based on a fix by Liviu Daia, Institute of
2335 Mathematics, Romanian Academy. File: global/mail_date.c.
2337 Enhancement: include the client network address in the
2338 rejected by RBL response. Lamont Jones, Hewlett-Packard.
2340 Workaround: use fstat() to figure out if the maildrop is
2341 world-writable. access() uses the real uid, which stinks.
2343 Robustness: don't do partial address lookups (user@, domain,
2344 user, @domain) with regexp-style tables.
2346 Security: don't allow regexp-style tables to be used for
2347 aliases. It would be too easy to slip in "|command" or
2348 :include: or /file/name.
2350 19990317
2352 Feature: "fallback_transport = cyrus" delegates non-UNIX
2353 recipients to a master.cf entry called "cyrus", allowing
2354 you to have both UNIX and non-UNIX mailboxes side by side.
2356 19990319
2358 Workaround: on 4.4 BSD derivatives, fstat() can return
2359 EBADF on an open file descriptor. Now, that was a surprise.
2360 This caused std{out,err} from cron commands to not be
2361 delivered.
2363 Bugfix: "local -v" stopped working.
2365 Workaround: more watchdog timers for postfix-unfriendly
2366 systems. By now every Postfix daemon has one. Call it life
2367 insurance.
2369 Robustness: increased the maximal time to receive or deliver
2370 mail from $ipc_timeout (default: 3600 seconds) to the more
2371 generous $daemon_timeout (default: 18000 seconds). We don't
2372 want false alarms.
2374 Portability: IRIX 5.2 does not have usleep().
2376 19990320
2378 Bugfix: \username was broken. Frank Dziuba was the first
2379 to notice.
2381 19990321
2383 Workaround: from now on, Postfix on Solaris uses stream
2384 pipes instead of UNIX-domain sockets. Despite workarounds,
2385 the latter were causing more trouble than anything else on
2386 all systems combined.
2388 19990322
2390 Portability: the makedefs would mis-identify IRIX 6.5.x as
2391 IRIX 5.x. Fix by Brian Truelsen of Maersk Mc-Kinney Moller
2392 Institute for Production Technology, Denmark.
2394 Feature: reject_unknown_recipient_domain restriction for
2395 recipient addresses. For the sake of symmetry, we now also
2396 have reject_unknown_sender_domain. This means the old
2397 reject_unknown_address restriction is being phased out.
2398 Suggested by Rask Ingemann Lambertsen, Denmark Technical
2399 University.
2401 Feature: unknown sender/recipient domain restrictions now
2402 distinguish between soft errors (always: 450) and hard
2403 errors (configurable with the unknown_address_reject_code
2404 parameter, default: 450; use 550 at your own risk).
2406 Feature: no HELO junk mail restrictions means that no syntax
2407 check will be done on HELO/EHLO hostname arguments.
2409 Bugfix: the initial Solaris workaround for UNIX-domain
2410 sockets could cause the queue manager to block if Postfix
2411 ran into a delivery agent process limit. After another code
2412 rewrite that problem is eliminated. Thanks to Chris
2413 Cappuccio, Empire Net, for assistance with testing.
2415 19990323
2417 Bugfix: too much forwarding when users list their own name
2418 in their .forward file (e.g. mail to user@localhost would
2419 go through .forward, would be forwarded to user@$myorigin,
2420 and would go through .forward again). Problem reported by
2421 Roman Dolejsi, Prague University of Economics.
2423 19990324
2425 Bugfix: missing map name in check_xxx_access restrictions
2426 could cause a segmentation error. Lamont Jones, Hewlett-
2427 Packard.
2429 Feature: forward_path configuration parameter (default:
2430 $home/.forward$recipient_delimiter$extension,$home/.forward).
2431 Based on initial code by Philip A. Prindeville, Mirapoint,
2432 Inc., USA. Files: local/dotforward.c.
2434 19990325
2436 Workaround: Solaris NIS alias maps need special entries
2437 (YP_MASTER_NAME, YP_LAST_MODIFIED). What's worse, normal
2438 keys/values include a null byte at the end, but the YP_XXX
2439 ones don't. Problem reported by Walcir Fontanini, state
2440 university of Campinas, Brazil. File: postalias/postalias.c.
2442 Compatibility: Solaris NIS apparently does include a null
2443 byte at the end of keys and values. File: util/sys_defs.h.
2445 Feature: library support for config parameters that are
2446 not $name expanded at program start-up. This was needed
2447 for forward_path, and will also be needed to make message
2448 headers customizable.
2450 Bugfix: pcre didn't handle \\ right. Lamont Jones, Hewlett-
2451 Packard. File: util/dict_pcre.c.
2453 19990326
2455 Compatibility: Postfix now puts two spaces after the sender
2456 in a "From sender date..." header. Found by John A. Martin,
2457 fixed by Lamont Jones, Hewlett-Packard.
2459 Bugfix: when a recipient appeared multiple times in a local
2460 alias or include expansion, the delivery status could be
2461 left uninitialized, causing the mail to be deferred and
2462 delivered again. File: local/recipient.c.
2464 19990327
2466 Cleanup: the dictionary routines now take an extra flag
2467 argument to control such things as warning about duplicates,
2468 and appending null bytes to key/value. The latter was needed
2469 for a clean implementation of NIS master alias maps support.
2471 Feature: POSIX regular expressions by Lamont Jones. See
2472 config/sample-regexp.c. Right now, enabled on *BSD and
2473 LINUX only.
2475 19990328
2477 Code cleanup: dictionaries now have flags that say whether
2478 lookup keys are fixed strings or whether keys are subjected
2479 to pattern matching. This is needed to avoid passing partial
2480 addresses to regexp-based lookup tables (user, @domain,
2481 user@, domain). Files: util/dict*.c.
2483 Bugfix: fixed memory leaks and core dumps in the regexp
2484 and pcre routines (neither handled an empty pattern file).
2486 19990329
2488 Code cleanup: the dictionary I/O routines now do their own
2489 locking depending on dictionary flag settings. This means
2490 that the low-level dict_get() interface can now be used
2491 for safe dictionary lookups. This is needed for 19990328's
2492 partial lookup key support. Files: util/dict*.c. global/maps.c.
2494 Feature: regular expression matches are no longer limited
2495 to user@domain address forms in access/canonical/virtual
2496 maps, but can also be used for domains in transport maps.
2497 This needed the partial lookup key support to avoid passing
2498 partial addresses to regexp-based lookup tables (user,
2499 @domain, user@, domain). Files: global/maps.c
2500 global/mail_addr_find.c.
2502 Feature: new dictionary types can be registered with
2503 dict_open_register(). File: util/dict_open.c.
2505 19990330
2507 Bug fix: match_list membership dictionary lookups were case
2508 sensitive when they should not. Patch by Lutz Jaenicke,
2509 BTU Cottbus, Germany.
2511 19990402
2513 Feature: $domain macro support in forward_path. Philip A.
2514 Prindeville, Mirapoint, Inc., USA. File: local/dotforward.c.
2516 Feature: if an address extension (+foo) is explicitly
2517 matched by the .forward+foo file name, do not propagate
2518 the extension to recipient addresses. This is more consistent
2519 with the way aliases are expanded. File: local/dotforward.c.
2521 19990404
2523 Bugfix: after receiving mail, the SMTP server didn't reset
2524 the cleanup error flag, so that multiple deliveries over
2525 the same SMTP session could fail due to errors with previous
2526 deliveries. Found by Lamont Jones, Hewlett-Packard.
2528 19990405
2530 Feature: MIME-encapsulated bounces. Philip A. Prindeville,
2531 Mirapoint, Inc., USA. File: bounce/bounce_notify_service.c
2533 Cleanup: vstreams now properly look at the EOF flag before
2534 attempting to read, eliminating the need for typing Ctrl-D
2535 twice to test programs; the EOF flag is reset after each
2536 unget or seek operation. Files: util/vstream.c, util/vbuf.c.
2538 Feature: in preparation for configurable message headers
2539 the mac_parse() routine now balances the parentheses in
2540 ${name} or $(name). We need this in order to support
2541 conditional expressions such as ${name?text} where `text'
2542 contains other ${name} expressions.
2544 19990406
2546 Cleanup: changed MIME header information to make bounces
2547 more RFC 1892 compliant.
2549 19990407
2551 Feature: "best_mx_transport = local" delivers mail locally
2552 if the local machine is the best mail exchanger (by default,
2553 mail is bounced with a "mail loops back to myself" error).
2555 Config: in order to make feature tracking easier the source
2556 code distribution now has a copy of the default settings
2557 in conf/main.cf.default.
2559 Feature: separate configurable postmaster addresses for
2560 single bounces (bounce_notice_recipient), double bounces
2561 (2bounce_notice_recipient), delayed mail (delay_notice_recipient),
2562 and for other mailer errors (error_notice_recipient). The
2563 default for all is "postmaster".
2565 19990408
2567 Workaround: on Solaris 2.x, the master appears to lose its
2568 exclusive lock on the master.pid file, so keep grabbing
2569 the lock each time the master wakes up from select().
2571 Robustness: don't flush VSTREAM buffers after I/O error.
2572 This prevents surprises when calling vstream_fclose() after
2573 truncating a mailbox to its original size.
2575 Portability: on LINUX systems, if <db_185.h> exists, don't
2576 look for <db/db.h>.
2578 Workaround: specify "sun_mailtool_compatibility = yes" to
2579 avoid clashes with the mailtool application. This disables
2580 kernel locks on mailbox files. Use only where needed.
2582 Portability: renamed readline to readlline, to avoid clashes
2583 with mysql.
2585 19990409
2587 Bugfix: ignore temp queue files that aren't old enough.
2588 Problem reported by Vivek Khera, Khera Communications, Inc.
2590 Bugfix: fixed typo in dict_db.c that caused processes to
2591 not release DB shared locks.
2593 Feature: auto-detection of changes to DB or DBM lookup
2594 tables. This avoids the need to run "postfix reload" after
2595 change to the smtp access table and other tables.
2597 Feature: regular expression checks for message headers.
2598 This requires support for POSIX or for PCRE regular
2599 expressions. Specify "header_checks = regexp:/file/name"
2600 or "header_checks = pcre:/file/name", and specify
2601 "/^header-name: badstuff/ REJECT" in the pattern file
2602 (patterns are case-insensitive by default). Code by Lamont
2603 Jones, Hewlett-Packard. It is to be expected that full
2604 content filtering will be delegated to an external command.
2606 19990410
2608 Bugfix: auto-detection of changes to DB or DBM lookup tables
2609 wasn't done for TCP connections.
2611 19990410
2613 Feature: $recipient expansion in forward_path. Philip A.
2614 Prindeville, Mirapoint, Inc., USA. File: local/dotforward.c
2616 Feature: the smtp client consistently treats a numerical
2617 hostname as an address. File: smtp/smtp_addr.c.
2619 19990414
2621 Compatibility: support comment lines starting with # in
2622 $mydestination include files. This makes Postfix more
2623 compatible with sendmail.cw files. File: util/match_list.c.
2625 Feature: if your machines have short host names, specify
2626 "mydomain = domain.name", and you no longer have to specify
2627 "myhostname = host.domain.name". Files: global/mail_params.c,
2628 postconf/postconf.c.
2630 19990420
2632 Cleanup: bounce mail when a mailbox goes over file quota,
2633 instead of deferring delivery. File: local/mailbox.c.
2635 19990421
2637 Feature: auto-detection of changes to DB or DBM lookup
2638 tables now includes the case where a file is unlinked.
2639 Philip A. Prindeville, Mirapoint, Inc., USA. File:
2640 util/dict.c.
2642 19990422
2644 Robustness: Lotus mail sends MAIL FROM: <@> instead of <>.
2645 Problem reported by Erik Toubro Nielsen, IFAD, Denmark.
2646 Files: trivial-rewrite/rewrite.c (@ becomes empty address)
2647 and global/rewrite_clnt.c (allow empty response).
2649 Bugfix: showq could segfault when writing to a broken pipe.
2650 Problem reported by Bryan Fullerton, Canadian Broadcasting
2651 Corporation. Files: util/vbuf_print.c.
2653 Cleanup: got rid of the "fatal: write error: Broken pipe"
2654 message when mailq output is piped into a program that
2655 terminates early.
2657 Cleanup: bounce messages are multipart/mixed with the error
2658 report as part of the first message segment, because users
2659 had trouble extracting the delivery error report from the
2660 attachment.
2662 19990423
2664 Cleanup: the default junk mail reject code is now 554
2665 (service unavailable) rather than 550 (user unknown).
2667 Folded in the updated dict_ldap.c module by John Hensley,
2668 Merit Network, USA.
2670 Folded in the vstream_popen.c updates by Philip A.
2671 Prindeville, Mirapoint, Inc., USA. This copies a lot of
2672 code from pipe_command(); the next step is to trim that
2673 module.
2675 19990425
2677 Workaround: renamed config.h to mail_conf.h etc. in order
2678 to avoid name collisions with LINUX (yes, they have a system
2679 include file called config.h). For compatibility with people
2680 who have written software for Postfix, there's a config.h
2681 that aliases the old names to the new ones. That file will
2682 go away eventually.
2684 19990426
2686 Feature: error mailer, in order to easily bounce mail for
2687 specific destinations. In the transport table, specify:
2688 "host.domain error:host.domain is unavailable". Too bad
2689 that the transport table triggers on destination domain
2690 only; it would be nice to bounce specific users as well.
2692 19990427
2694 Cleanup: "disable_dns_lookups = yes" now should disable
2695 all DNS lookups by the SMTP client.
2697 19990428
2699 Bugfix: with DBM files, Postfix was watching the "dir" file
2700 modification time for changes. It should be watching the
2701 "pag" file instead.
2703 19990429
2705 Cleanup: all callbacks in the master to server API now pass
2706 on the service name and the application-specific argument
2707 vector. Files: master/*server.c.
2709 19990504
2711 Feature: conditional macro expansion. ${name?text} expands
2712 to text when name is defined, otherwise the result is empty.
2713 ${name:text} expands to text when name is undefined,
2714 otherwise the result is empty. File: util/mac_expand.c.
2716 Feature: conditional macro expansion of the forward_path
2717 configuration parameters of $user, $home, $shell, $recipient,
2718 $extension, $domain, $mailbox and $recipient_delimiter.
2719 Files: local/dotforward.c, local/local_expand.c.
2721 19990506
2723 Cleanup: eliminated misleading warnings about unknown HELO
2724 etc. SMTPD restrictions when the HELO etc. information is
2725 not available. File: smtpd/smtpd_check.c.
2727 19990507
2729 Feature: all smtpd reject messages now contain the MAIL
2730 FROM and RCPT TO addresses, if available.
2732 19990508
2734 Feature: conditional macro expansion of the luser_relay
2735 configuration parameter. It is no longer possible to specify
2736 /file/name or "|command" destinations. File: local/unknown.c.
2738 Cleanup: changed the mac_parse interface so that the
2739 application callback routine can return status information.
2740 Updated the dict_regexp and dict_pcre modules accordingly.
2742 Cleanup: changed the mac_expand interface so that the caller
2743 provides an attribute lookup routine, instead of having to
2744 provide a copy of all attributes upfront. Files:
2745 util/mac_expand.c, local/local_expand.c.
2747 Feature: control over how address extensions are propagated
2748 to other addresses. By default, propagation of unmatched
2749 address extensions is now restricted to canonical and
2750 virtual mappings. Specify "propagate_unmatched_extensions
2751 = canonical, virtual, alias, forward, include" to restore
2752 previous behavior.
2754 19990509
2756 Feature: USER, EXTENSION, DOMAIN, RECIPIENT (entire address)
2757 and MAILBOX (address localpart) environment variables are
2758 exported to shell commands (including mailbox_command).
2760 Feature: new command_expansion_filter parameter to control
2761 what characters may appear in message attributes that are
2762 exported via environment variables.
2764 Cleanup: SMTPD reject messages are more informative, and
2765 more complete sender/recipient information is logged for
2766 the local sysadmin.
2768 19990510
2770 Bugfix: missing MIME header in postmaster bounce notices.
2771 Found by Samuel Tardieu, Ecole Nationale Superieure des
2772 Telecommunications, France.
2774 Feature: UCE restrictions are always delayed until RCPT
2775 TO, VRFY or ETRN. To change back to the default specify
2776 "smtpd_delay_reject = no" in /etc/postfix/main.cf.
2778 Bugfix: missing duplicate filter call. This caused too many
2779 deliveries when a user is listed multiple times in an alias.
2780 Reported by Hideyuki Suzuki, School of Engineering, University
2781 of Tokyo. Backed out on 19990512 because it caused problems.
2782 Fixed 19990513 but needs further study.
2784 Feature: it is now possible to move queue files back into
2785 the maildrop queue, so that they can benefit from changes
2786 in canonical and virtual mappings. In order to make this
2787 possible, some restrictions on queue file contents were
2788 relaxed. Files: pickup/pickup.c, cleanup/cleanup_extracted.c.
2790 Feature: made a start with integrating Joerg Henne's
2791 dictionary extensions to remove entries and to iterate over
2792 entries. That code is almost four months old by now.
2794 19990511
2796 Feature: added a "undeliverable postmaster notification
2797 discarded" warning when mail is dropped on the floor.
2798 Requested by Michael Hasenstein, SuSE, Germany.
2800 19990517
2802 Bugfix: reject_non_fqdn_sender/recipient would pass
2803 user@[ip_address] regardless of destination. Eric Cholet
2804 had the honor of suffering from this one.
2806 19990527
2808 More SMTP client logging for easier debugging: the smtp
2809 client now logs hostname[ip.addr], and logs every failed
2810 attempt to reach an MX host, not just the last one.
2812 19990601
2814 Bugfix: emit a blank line before a MIME boundary; the line
2815 is part of the boundary. File: bounce/bounce_notify_service.c.
2816 Wolfgang Segmuller, IBM Research.
2818 19990610
2820 Bugfix: the "is this the loopback interface" test was
2821 broken. Reported by Claus Fischer @microworld.com. File:
2822 smtp/smtp_connect.c.
2824 Usability: added helpful warnings about restrictions that
2825 are being ignored after check_relay_domains, etc.
2827 Portability: Reliant Unix support by Gert-Jan Looy, Siemens,
2828 the Netherlands.
2830 19990611
2832 Robustness: the postfix-script start-up procedure now
2833 detects a missing master program, avoiding misleading
2834 warnings that the mail system is already running. Fix
2835 suggested by David E. Smith @technopagan.org.
2837 Portability: Mac OS X Server Port by Mark Miller @swoon.net.
2839 Feature: on systems that use dotlock files for mailbox
2840 locking, the local delivery agent now will attempt to use
2841 dotlock files when delivering to user-specified files.
2842 Dotlock files for user-specified destinations are created
2843 with the privileges of the user. For backwards compatibility,
2844 Postfix will attempt to create dotlocks for user-specified
2845 destinations only when the user has parent directory write
2846 permission.
2848 Feature: specify "expand_owner_alias = yes" in order to
2849 use the right-hand side of an owner- alias, instead of
2850 using the left-hand side address. Needed by Juergen Georgi.
2852 19990622
2854 Bugfix: the local delivery agent did not set user attributes
2855 when delivering to root, so that forward_path did not expand
2856 properly. Found by Jozsef Kadlecsik, KFKI Research Institute
2857 for Particle and Nuclear Physics, Hungary. File:
2858 local/dotforward.c.
2860 Bugfix: the unix:passwd.byname mechanism is not suitable
2861 for smtpd access control - the user name would have to end
2862 in @, or the access control software would have to be
2863 changed. Removed the example from the RELEASE_NOTES file.
2865 19990623
2867 Bugfix: the smtp server did not reset the error flag after
2868 ".". Found by James Ponder, Oaktree Internet Solutions Ltd.
2869 File: smtpd/smtpd.c.
2871 Bugfix: fencepost error in the doze() routine (an usleep()
2872 replacement for systems without one). Found by Simon J
2873 Mudd. File: util/doze.c.
2875 19990624
2877 Portability: support for AIX 3.2.5 (!) by Florian Lohoff
2878 @rfc822.org.
2880 Portability: Ultrix 4.3 support by Christian von Roques
2881 @pond.sub.org.
2883 Feature: mysql support by Scott Cotton and Joshua Marcus,
2884 Internet Consultants Group, Inc. Files: util/dict_myqsl.*.
2886 19990627
2888 Bugfix: Postfix is now distributed under the new IBM Public
2889 License (version 1, dated June 14, 1999).
2891 Feature: the Delivered-To: header can be turned off for
2892 delivery to command or file/mailbox. The default setting
2893 is: "prepend_delivered_header = command, file, forward".
2894 Turning off the Delivered-To: header when forwarding mail
2895 is not recommended.
2897 19990628
2899 Feature: the postlock command now returns EX_TEMPFAIL when
2900 the destination file is locked by another process.
2902 19990705
2904 Workaround: in the SMTP client, move the "mail loops back
2905 to myself test" from the 220 greeting to the HELO response.
2906 This change does not weaken the test, and makes Postfix
2907 more robust against broken software that greets with the
2908 client hostname.
2910 19990706
2912 Workaround: in the INSTALL file, use `&&' instead of `;'
2913 in (cd path; tar ...) pipelines because some UNIX re-invented
2914 shells don't bail out when cd fails. Matthias Andree
2915 @stud.uni-dortmund.de.
2917 19990709
2919 Bugfix: $user was not set when delivering to a non-user.
2920 Found by Vladimir Ulogov @ rohan.control.att.com when
2921 configuring a luser_relay that contained $user.
2923 19990714
2925 Robustness: add PATH statement to Solaris2 chroot setup
2926 script to avoid running the ucb commands. Problem found by
2927 Panagiotis Astithas @ ece.ntua.gr.
2929 19990721
2931 Bugfix: don't claim a "mail loops to myself" error when
2932 the best MX host was not found in the DNS. Found by Andrew
2933 McNamara, connect.com.au Pty Ltd. File: smtp/smtp_addr.c.
2935 19990810
2937 Feature: added "-c config_dir" support to the postconf
2938 command. This probably means that "-f file" will never be
2939 implemented.
2941 19990812
2943 Bugfix: showq didn't print properly when listing a maildrop
2944 file. Fix by: Andrew McNamara, connect.com.au Pty Ltd.
2945 File: showq/showq.c.
2947 Feature: added SENDER to the list of parameters exported
2948 to external commands. File: local/command.c. Code by: Lars
2949 Hecking, National Microelectronics Research Centre, Ireland.
2951 19990813
2953 Bugfix: sendmail -t (extract recipients from headers) did
2954 not work when the always_bcc feature was turned on. Reported
2955 by: Denis Shaposhnikov @ neva.vlink.ru.
2957 19990813
2958 Bugfix: "sendmail -bd" returns a bogus exit status (the
2959 child process ID). Fix by Lamont Jones of Hewlett-Packard.
2960 File: sendmail/sendmail.c.
2962 19990824
2964 Bugfix: null pointer dereference while rejecting VRFY before
2965 MAIL FROM. Found by Laurent Wacrenier @ fr.clara.net.
2967 19990826
2969 Portability: more MacOS X Server patches; some NEXTSTEP/OPENSTEP
2970 code that had been removed for the first public beta release;
2971 NEXTSTEP/OPENSTEP now defaults to netinfo for the aliases
2972 database. Submitted by Gerben Wierda.
2974 Portability: workaround for a FreeBSD 3.x active network
2975 interface without IP address by Pierre Beyssac @ enst.fr.
2976 File: inet_addr_local.c.
2978 19990831
2980 Workaround: sendmail now prints a warning when installed
2981 set-uid or when run by a set-uid command. Reportedly, the
2982 linuxconf software turns on the set-uid bit, which could
2983 open up a security loophole. File: sendmail/sendmail.c.
2985 Bugfix: Postfix daemons now temporarily lock DB/DBM files
2986 while opening them, in order to avoid "invalid argument"
2987 errors because some other process is changing the file.
2988 Files: util/dict_db.c, util/dict_dbm.c.
2990 Robustness: Postfix locks queue files during delivery, to
2991 prevent duplicate delivery when "postfix reload" is
2992 immediately followed by "sendmail -q". This involves a
2993 change of the deliver_request interface: delivery agents
2994 no longer need to open and close queue files explicitly.
2995 Files: global/deliver_request.c, pipe/pipe.c, smtp/smtp.c,
2996 local/local.c, qmgr/qmgr_active.c, qmgr/qmgr_message.c.
2998 Feature: reject_unauth_destination SMTP recipient restriction
2999 that rejects destinations not in $relay_domains. By Lamont
3000 Jones of Hewlett-Packard. File: smtpd/smtpd_check.c.
3002 Security: do not allow weird characters in the expansion
3003 of $names that appear in $forward_path. Just like with
3004 shell commands, replace bad characters in expansions by
3005 underscores. Configuration parameter: forward_expansion_filter.
3007 19990902
3009 Documentation: added a sample postfix alias to the examples
3010 in the INSTALL document and in the conf/aliases file.
3011 Reminded by Simon J. Mudd @ alltrading.com.
3013 19990903
3015 Bugfix: in case of some error conditions the pickup daemon
3016 could leak small amounts of memory.
3018 19990905
3020 Bugfix: no more "skipping further client input" warnings
3021 when a message header is rejected.
3023 Feature: reject_unauth_pipelining SMTP restriction that
3024 rejects mail from clients that improperly use SMTP command
3025 pipelining.
3027 Robustness: the LDAP client by default no longer looks up
3028 names containing "*". See the lookup_wildcards feature in
3029 LDAP_README. Update by John Hensley.
3031 Documentation: address masquerading with exceptions FAQ by
3032 Jim Seymour @ jimsun.LinxNet.com.
3034 Bugfix: mysql reconnect after disconnect by Scott Cotton
3035 Internet Consultants Group, Inc. File: util/dict_myqsl.c.
3037 Portability: the Postfix to PCRE interface now expects
3038 version 2.08. Postfix is no longer compatible with PCRE
3039 versions before 2.6.
3041 19990906
3043 Feature: INSTALL.sh script that makes Postfix installation
3044 a bit less painful. This script can be used for installing
3045 and for upgrading Postfix. It replaces files instead of
3046 overwriting them, and leaves existing configuration and
3047 queue files intact.
3049 19990907
3051 Bugfix: reject_non_fqdn_sender used the wrong test to see
3052 if a sender address was given and could dump core. This
3053 must have been broken ever since the UCE tests were moved
3054 to the RCPT TO stage in 19990510.
3056 Bugfix: check_sender_access was recognized as a valid
3057 restriction name only if a sender had been specified.
3059 19990908
3061 Portability: Unixware has <sysexits.h> only after sendmail
3062 is installed. Changed postlock.c to use global/sys_exits.h.
3064 19990909
3066 Performance: added one-entry cache to the address rewriting
3067 client and to the address resolving client. This is because
3068 UCE restrictions tend to produce the same query repeatedly.
3069 Files: global/rewrite_clnt.c, global/resolve_clnt.c.
3071 Feature: the UCE restrictions are now fully recursive so
3072 you can have per-client/helo/sender/recipient restrictions.
3073 Instead of OK, REJECT or [45]xx, you can specify a sequence
3074 of restrictions on the right-hand side of an SMTPD access
3075 table. This means you can no longer use canonical/virtual/alias
3076 maps as SMTPD access tables. But the loss is compensated
3077 for. File: smtpd/smtpd_access.c.
3079 Feature: restriction classes, essentially a short-hand for
3080 restriction lists. These short hands are useful mostly on
3081 the right-hand side of SMTPD access tables. You must use
3082 restriction classes in order to have lookup tables on the
3083 right-hand side of an SMTPD access table. File:
3084 smtpd/smtpd_access.c.
3086 Feature: "permit_recipient_map maptype:mapname" permits a
3087 recipient address when it matches the specified table.
3088 Lookups are done just as with canonical/virtual maps. With
3089 this, you can also use passwd/aliases as SMTPD access maps.
3090 File: smtpd/smtpd_access.c.
3092 19990910
3094 Changed "permit_address_map" into "permit_recipient_map"
3095 and added a test for the case that they specify a lookup
3096 table on the right-hand side of an SMTPD access map. File:
3097 smtpd/smtpd_access.c.
3099 Cleanup: removed spurious sender address checks for <>.
3100 File: smtpd/smtpd_check.c.
3102 Cleanup: the smtp client now consistently logs host[address]
3103 for all connection attempts.
3105 19990919
3107 Feature: in an SMTPD access map, an all-numeric right-hand
3108 side now means OK, for better cooperation with out-of-band
3109 authentication mechanisms.
3111 19990922
3113 Security: recipient addresses must not start with '-', in
3114 order to protect external commands. The old behavior is
3115 re-instated when main.cf specifies: "allow_min_user =
3116 yes". Credits to Mads Kiilerich @ Kiilerich.com. File:
3117 qmgr/qmgr_message.c.
3119 Bugfix: after 19990831, the queue manager would throw away
3120 defer logs after deferring mail to known-to-be-dead hosts
3121 or message transports. This means that in some cases, mailq
3122 would not show why mail is delayed, and that delayed mail
3123 could be sent back with recipients missing from the error
3124 report. Reported by Giulio Orsero @ tiscalinet.it.
3126 19990923
3128 Bugfix: the above bugfix broke bounces of mail with bad
3129 address syntax and relocated users. Problem diagnosed by
3130 Dick Porter @ acm.org.
3132 Documentation: added DO NOT EDIT THIS FILE. EDIT MAIN.CF
3133 INSTEAD notices to the sample-xxx.cf files.
3135 19991007
3137 Compatibility: ignore the sendmail -U (initial user
3138 submission) option. Thomas Quinot @ cuivre.fr.eu.org.
3140 19991103
3142 Code cleanup: don't send postmaster notifications when an
3143 SMTP client sends a DATA command while no recipients were
3144 accepted. This can happen when a pipelined client runs
3145 into an UCE block. File: smtpd/smtpd.c.
3147 19991104
3149 Robustness: do not apply UCE header checks to mail that is
3150 generated by Postfix (bounces, forwarded mail etc.). Files:
3151 smtpd/smtpd.c, pickup/pickup.c, cleanup/cleanup_message.c.
3153 Robustness: new generic watchdog module that can deal with
3154 clocks that jump occasionally. Files: util/watchdog.c,
3155 master/master.c, master/{single,multi,trigger}_server.c.
3156 This hopefully ends the false watchdog alarms that happen
3157 when clocks are set or when laptops are resumed.
3159 Code cleanup: BSMTP requires dot quoting as per RFC 821.
3160 Based on code by Florian Lohoff @ rfc822.org. Files:
3161 global/mail_copy.[hc], pipe/pipe.c.
3163 19991105
3165 Bugfix: the crufty code in inet_addr_local() did not find
3166 IP aliases. File: util/inet_addr_local.c.
3168 Portability: the INSTALL.sh utility did not find users or
3169 groups in NIS or Netinfo tables. The script no longer
3170 searches the /etc/passwd and /etc/group files. Instead it
3171 now queries the unix:passwd.byname and unix:group.byname
3172 maps. For this, a -q (query) option was added to postmap
3173 (and to postalias, for symmetry). Files: util/dict_unix.c,
3174 postalias/postalias.c, postmap/postmap.c, INSTALL.sh.
3176 Bugfix: LDAP lookup timeout settings were ignored. Patch
3177 by John Hensley. File: util/dict_ldap.c.
3179 19991108
3181 Bugfix: when doing a fresh install, INSTALL.sh didn't set
3182 main.cf:mail_owner properly (Simon J. Mudd).
3184 19991109
3186 Bugfix: when doing a fresh install, INSTALL.sh no longer
3187 worked (missing main.cf file). Fix: add "-c" argument to
3188 the postmap commands (Lars Hecking @ nmrc.ucc.ie).
3190 Documentation: removed spurious "do not edit" comments from
3191 the sample pcre and regexp configuration files.
3193 19991110-13
3195 Code cleanup: greatly simplified the SMTPD command parser
3196 and somewhat simplified the code that groks RFC 822-style
3197 address syntax in MAIL FROM and RCPT TO commands.
3199 New parameter: strict_rfc821_envelopes (default: no) to
3200 reject RFC 822 address forms (with comments etc.) in SMTP
3201 envelopes. By default, the Postfix SMTP server only logs
3202 a warning.
3204 19991113
3206 Oops, also updated the SMTP VRFY code in the light of
3207 changes to the SMTPD command parser.
3209 Cleanup: the local delivery agent now explicitly rejects
3210 recipients with an empty username.
3212 19991114
3214 Workaround: with some gawk versions, postconf/extract.awk
3215 reportedly returns a non-zero exit status upon success.
3216 Added an explicit exit(0) statement.
3218 19991115
3220 Feature: DNS TXT record lookup support, based on initial
3221 code by Simon J Mudd. File: dns/dns_lookup.c.
3223 Feature: RBL TXT record lookups, based on initial code by
3224 Simon J Mudd. File: smtpd/smtpd_check.c.
3226 Feature: permit_auth_destination restriction based on code
3227 by Jesper Skriver @ skriver.dk.
3229 Code cleanup: the transport table now can override all
3230 deliveries, including local ones.
3232 19991116
3234 Code cleanup: a new "local_transports" configuration
3235 parameter explicitly lists all transports that deliver mail
3236 locally. The first name listed there is the default local
3237 transport. This is the end of the "empty next-hop hostname"
3238 hack to indicate that a destination is local. Files:
3239 trivial-rewrite/resolve.c, global/local_transport.[hc]
3241 Feature: "postconf -m" shows what lookup table types are
3242 available. Code by Scott Cotton, Internet Consultants
3243 Group, Inc.
3245 Feature: "postconf -e" edits any number of main.cf parameters.
3246 The edit is done on a copy, and the copy is renamed into
3247 the place of the original. File: postconf/postconf.c,
3248 util/readlline.[hc].
3250 19991117
3252 Portability: SunOS 4 has no SA_RESTART. File: util/watchdog.c.
3254 Feature: on systems with h_errno, the "reject_unknown_client"
3255 restriction now distinguishes between soft errors (always
3256 reply with 450) and hard errors (use the user-specified
3257 reply code). This should lessen the load by broken mailers
3258 that re-connect once a minute.
3260 Feature: forward/reverse name/address check for SMTP client
3261 hostnames. This fends off some hypothetical attacks by
3262 spammers who are in control of their own reverse mapping.
3264 Robustness: postconf no longer aborts when it can't figure
3265 out the local domain name; it prints a warning instead.
3266 This allows you to use "postconf -e" to fix the problem.
3268 19991118
3270 Bugfix: the RFC822 address parser would misparse a leading
3271 \ as an atom all by itself. Problem reported by Keith
3272 Stevenson @ louisville.edu. File: global/tok822_parse.c.
3274 19991119
3276 Bugfix: tiny memory leak in pipe_command() when fork()
3277 fails. File: global/pipe_command.c.
3279 19991120
3281 Bugfix: reversed test for all-numerical results in SMTPD
3282 access maps. File: smtpd/smtpd_check.c.
3284 19991121
3286 Robustness: INSTALL.sh no longer uses postmap for sanity
3287 checks.
3289 Feature: INSTALL.sh now has an install_root option.
3291 Bugfix: INSTALL.sh now installs manual pages with proper
3292 permissions and ownership.
3294 Bugfix: the LDAP client did not properly escape special
3295 characters in lookup keys (patch by John Hensley). File:
3296 util/dict_ldap.c.
3298 19991122
3300 Bugfix: missing absolute path in INSTALL.sh broke fresh
3301 install.
3303 19991124
3305 Bugfix: the local delivery agent's recipient duplicate
3306 filter did not work when configured to use unlimited memory
3307 (which is not a recommended setting). Patrik Rak @raxoft.cz.
3309 19991125
3311 Bugfix: postconf didn't have an umask(022) call at the
3312 beginning (problem experienced by Matthias Andree).
3314 19991126
3316 Bugfix: DNS TXT records now have string lengths before text
3317 (Mark Martinec @ nsc.ijs.si).
3319 19991127
3321 Update: the LDAP client code now supports escapes as per
3322 RFC2254 (John Hensley).
3324 19991207
3326 Performance: one message with many recipients no longer
3327 stops other mail from being delivered. The queue manager
3328 now frees in-memory recipients as soon as a message is
3329 delivered to one destination, rather than waiting until
3330 all in-memory destinations of that message have been tried.
3331 Patch by Patrik Rak @ raxoft.cz. Files: qmgr/qmgr_entry.c,
3332 qmgr/qmgr_message.c.
3334 Performance: when delivering mail to a huge list of
3335 recipients, the queue manager now reads more recipients
3336 from the queue file before delivery concurrency drops too
3337 low. Files: qmgr/qmgr_entry.c, qmgr/qmgr_message.c.
3339 19991208
3341 Updated LDAP client code by John Hensley with escape
3342 sequences as per RFC 2254. File: util/dict_ldap.c.
3344 Updated MYSQL client code by Scott Cotton. File: dict_mysql.c.
3346 Feature: added -N/-n options to include/exclude terminating
3347 nulls in keys and values in postmap/postalias DB or DBM
3348 files. Normally, Postfix uses whatever is appropriate for
3349 the host system. A non-default setting can be necessary
3350 for inter-operability with third-party software.
3352 Bugfix: the local delivery agent would deliver to the user
3353 instead of the .forward file when the .forward file was
3354 already visited via some non-recursive path. Patch by Patrik
3355 Rak @ raxoft.cz. Files: global/been_here.c, local/dotforward.c.
3357 Robustness: attempt to deliver all addresses in the expansion
3358 of an alias or .forward file, even when some addresses must
3359 be deferred. File: local/token.c.
3361 19991211
3363 Performance: qmgr_fudge_factor controls what percentage of
3364 delivery resources Postfix will devote to one message.
3365 With 100%, delivery of one message does not begin before
3366 delivery of the previous message is completed. This is good
3367 for list performance, bad for one-to-one mail. With 10%,
3368 response time for one-to-one mail improves much, but list
3369 performance suffers. In the worst case, people near the
3370 start of a mailing list get a burst of postings today,
3371 while people near the end of the list get that same burst
3372 of postings a whole day later. Files: qmgr/qmgr_message.c,
3373 qmgr/qmgr_entry.c.
3375 Bugfix: address rewriting would panic on a lone \ at the
3376 end of a line where an address was expected. Jason Hoos @
3377 thwack.net. File: global/rewrite_clnt.c.
3379 19991215
3381 Bugfix: the strict RFC821 envelope address check should
3382 not be applied to VRFY commands. File: smtpd/smtpd.c.
3384 Cleanup: permit_recipient_maps is gone, because that could
3385 only be used inside UCE restrictions.
3387 19991216
3389 Feature: allow an empty inet_interfaces parameter, just
3390 like an empty mydestination parameter. It's needed for true
3391 null clients and for firewalls that deliver no local mail.
3393 Feature: "disable_vrfy_command = yes" disables some forms
3394 of address harvesting used by spammers.
3396 Workaround: added the alias map parameter definition to
3397 the smtpd code. This is a symptom of a general problem
3398 with parameters that have non-empty default values: unless
3399 a program explicitly defines such a parameter, the parameter
3400 defaults to the empty string when used in other parameters.
3401 There's also a problem with evaluation order.
3403 Feature: the SMTP server rejects mail for unknown users in
3404 virtual domains that are defined by Postfix virtual domain
3405 files. File: smtpd/smtpd_check.c.
3407 Feature: reject mail for unknown local users at the SMTP
3408 port. The local_recipient_maps configuration parameter
3409 specifies maps with all addresses that are local with
3410 respect to $mydestination or $inet_interfaces. Example:
3411 "local_recipient_maps = $alias_maps unix:passwd.byname".
3412 This feature is disabled by default. You may have to copy
3413 the passwd file into the chroot jail. File: smtpd/smtpd_check.c.
3415 Feature: the sendmail -f option now understands '<user>'
3416 and even understands address forms with RFC 822-style
3417 comments.
3419 19991217
3421 Cleanup: no more UCE checks for VRFY commands. It still
3422 reports unknown local/virtual users. File: smtpd/smtpd_check.c.
3424 Robustness: upon Postfix startup, report discrepancies
3425 between system files inside and outside the chroot jail.
3426 Files: conf/postfix-script-nosgid, conf/postfix-script-sgid.
3428 19991218
3430 Cleanup: INSTALL.sh produces relative symlinks, which is
3431 necessary when install_root is not /.
3433 19991219
3435 Documentation: completely reorganized the FAQ and added
3436 many new entries. Rewrote the UCE html documentation.
3438 Cleanup: INSTALL.sh uses a configurable directory for
3439 scratch files, so that it can install from a file system
3440 that is not writable by the super-user.
3442 Cleanup: INSTALL.sh gives helpful hints when the "mv"
3443 command is unable to move symlinks across file system
3444 boundaries.
3446 19991220
3448 Cleanup: it is no longer necessary to list $virtual_maps
3449 as part of the relay_domains definition. The SMTP server
3450 now by default accepts mail for destinations that match
3451 $inet_interfaces, $mydestination or $virtual_maps, whether
3452 or not these are specified in relay_domains. We still need
3453 the ugly "virtual.domain whatever" hack in the virtual
3454 maps. Files: smtpd/smtpd_check.c and lots of documentation
3455 and sample config files.
3457 19991221
3459 Removed cyrus -q flag (ignore quotas) from the sample
3460 master.cf file.
3462 19991223
3464 Bugfix: smtpd should not check for unknown users when
3465 running in stand-alone (sendmail -bs) mode. Problem
3466 experienced by Chuck Mead. File: smtpd/smtpd.c.
3468 Retraction: the "local_transports" configuration parameter
3469 is gone. Adjusted code and documentation accordingly.
3470 Instead, use just one "local_transport" parameter with the
3471 name of the default local transport. Files: smtpd/smtpd_check.c,
3472 qmgr/qmgr_message.c, trivial-rewrite/ resolve.c, local/resolve.c.
3474 Feature: Postfix SMTPD now insists that the smtpd recipient
3475 restrictions contain at least one restriction that by
3476 default rejects mail. This should make it much more difficult
3477 to change Postfix into an open relay. File: smtpd/smtpd_check.c.
3479 Retraction: null-length inet_interfaces is too confusing.
3481 19991224
3483 Bugfix: the relative symlink code in INSTALL.sh computed
3484 the ../ prefix from the wrong pathname.
3486 1999122[5-7]
3488 Feature: "allow_untrusted_routing = no" (default) prevents
3489 forwarding of source-routed mail from untrusted clients to
3490 destinations that are blessed by the relay_domains parameter
3491 (example: user@domain2@domain1 etc.). This plugs a mail
3492 relay loophole where a backup MX host forwards junk mail
3493 to a primary MX host which forwards the junk to the Internet.
3494 Files: global/quote_822_local.c, smtp/quote_821_local.c,
3495 trivial-rewrite/rewrite.c, trivial-rewrite/resolve.c,
3496 smtp/smtpd_check.c.
3498 In order to make this possible, the Postfix resolver data
3499 structure and protocol has changed, so that all resolver
3500 clients need to be re-compiled.
3502 Side effect from the above change: from now on, an address
3503 with @ in the recipient localpart no longer bounces with
3504 "user unknown" but instead is rejected with "relay access
3505 denied" or "source-routed relay access denied".
3507 19991227
3509 Workaround: the BSD/OS "mkdir -p" and "cmp -s" commands
3510 misbehave on boundary cases: directory exists or file does
3511 not exist. Those who re-invent...
3513 19991229
3515 Added the no source routing info requirement to addresses
3516 accepted by the permit_mx_backup UCE restriction.
3518 19991230
3520 Added a spawn daemon (not compiled and installed by default)
3521 to enable LMTP delivery over UNIX-domain sockets. The goal
3522 is to simplify the experimental LMTP delivery agent by
3523 ripping out the privileged code that forks the LMTP server.
3525 20000102
3527 Clarified documentation after early feedback on the 19991231
3528 release by Drew Derbyshire, Ollivier Robert, Khetan Gajjar.
3530 Sanity check: a common error is to list Postfix virtual
3531 domains in the mydestination parameter. This causes the
3532 new optional local_recipient_maps feature to reject mail
3533 for virtual users. The SMTP server now explicitly tests
3534 for this common error and logs a warning instead of refusing
3535 the mail. File: smtpd/smtpd_check.c.
3537 20000104
3539 Bugfix: a case sensitivity bug had slipped through in the
3540 anti-relaying code, causing mail for USER@VIRTUAL.DOMAIN
3541 to be rejected with "relay access denied". This was found
3542 by Jim Maenpaa @ jmm.com.
3544 Questionable feature: set "smtp_skip_5xx_greeting = yes"
3545 to make Postfix more sendmail compatible, even though this
3546 is wrong, IMNSHO. File: smtp/smtp_connect.c.
3548 Portability: Ultrix patch from Simon Burge @ thistledown.com.au.
3550 Portability: Siemens Pyramid (dcosx) patch by Thomas D.
3551 Knox @ vushta.com.
3553 Performance: FreeBSD has bidirectional pipes that are faster
3554 than socketpairs. Anticipating on more platform-specific
3555 optimizations, all duplex pipe plumbing is now isolated in
3556 a duplex_pipe.c module that provides a system-independent
3557 interface.
3559 20000105
3561 Cleanup: the INSTALL.sh script now updates the sample files
3562 in /etc/postfix even when main.cf exists.
3564 20000106
3566 Bugfix: the SMTP server should consult the relocated map
3567 for virtual destinations (Denis Shaposhnikov). Files:
3568 smtpd/smtpd.c smtpd/smtpd_check.c.
3570 20000108
3572 Workaround: rename() over NFS can fail with ENOENT even
3573 when the operation succeeds (Graham Orndorff @ WebTV). This
3574 is not news. Any non-idempotent operation can fail over
3575 NFS when the NFS server's acknowledgment is lost and the
3576 NFS client code retries the operation (other examples are:
3577 create, symlink, link, unlink, mkdir, rmdir). Postfix has
3578 workarounds for the cases where this is most likely to
3579 cause trouble. Files: util/sane_{rename,link}.[hc]. If
3580 you want reliable mail system, do not use NFS.
3582 20000115
3584 Workaround: better detection of bad hardware. Added SIGBUS
3585 to the list of signals that the master will log before
3586 exiting.
3588 20000122
3590 Portability: preliminary SCO5 port Christopher Wong @
3591 csports.com. This still needs to a workaround for "find"
3592 not supporting "-type s" (actually, UNIX-domain sockets
3593 have no unique representation in the file system and show
3594 up as FIFOs).
3596 20000115-22
3598 Bugfix: in case of a too long message header, don't extract
3599 recipients from message headers. With the previous behavior,
3600 Bcc information could be left in the message body, as one
3601 person found out the hard way. Files: cleanup/cleanup.c,
3602 cleanup/cleanup_extracted.c, global/cleanup_user.h.
3604 20000124
3606 Whatever: RFC 1869 amends RFC 821 and specifies that code
3607 555 is to be used when a MAIL FROM or RCPT TO parameter is
3608 not implemented or not recognized. Russ Allbery @stanford.edu.
3609 This reply code is added to the list of reply codes that
3610 cause the Postfix SMTP client to mail a transcript to the
3611 postmaster. File: smtp/smtp_trouble.c.
3613 20000126
3615 Emergency feature: qmgr_site_hog_factor (default: 90 percent)
3616 limits the amount of resources that Postfix devotes to a
3617 single destination. With less than 100, Postfix defers the
3618 excess mail so that one site with a large backlog does not
3619 block other deliveries. Files: qmgr/qmgr.c, qmgr/qmgr_message.c.
3621 20000128
3623 Cleanup: the queue manager no longer replaces the nexthop
3624 field by the recipient localpart when a destination matches
3625 $mydestination/$inet_interfaces. The price is the introduction
3626 of a new parameter local_destination_recipient_limit which
3627 defaults to 1 in order to maintain backwards compatibility.
3628 Files: qmgr/qmgr.c, qmgr/qmgr_message.c.
3630 20000129
3632 Bugfix: extracted recipients were misfiled when a message
3633 was moved back to the maildrop queue. But they still worked
3634 due to a coincidence.
3636 Feature: bounce_recip() bounces a recipient immediately
3637 without accessing a bounce logfile. This is necessary for
3638 VERP bounces, for bounces by delivery agents that change
3639 the sender address, and for bounces that for some reason
3640 must not use temporary logfiles. Files: global/bounce.c,
3641 bounce/bounce_recip_service.c.
3643 20000130
3645 Bugfix: the too long header fix of 20000115-22 lost mail
3646 with too long headers that didn't need to extract recipients
3647 from message headers.
3649 Bugfix: the too long header fix of 20000115-22 lost mail
3650 without (blank line + message body).
3652 Code rewrite: reorganized the cleanup daemon source code
3653 so that the cleanup service can be called one record at a
3654 time (see cleanup/cleanup_api.c); also got rid of the global
3655 state variables and fixed a couple bugs that were introduced
3656 with 20000115-22.
3658 20000204
3660 Feature: in daemon mode, the MAIL FROM size check can be
3661 postponed until RCPT TO so that Postfix can log sender and
3662 recipient. Simon J Mudd. Files: smtpd/smtpd.c
3664 Robustness: limit the number of recipient addresses that
3665 can be extracted from message headers. Parameter:
3666 extract_recipient_limit (default: 10240). Files:
3667 cleanup/cleanup_message.c, cleanup/cleanup_extracted.c.
3669 Cleanup: the message header reject logging now includes
3670 sender and recipient address (if possible), so that the
3671 logging looks more like the other reject logging. File:
3672 cleanup/cleanup_message.c.
3674 Documentation: added sections on regular expression tables
3675 to the access, canonical, virtual, transport and relocated
3676 man pages, and write new man pages that are specific to
3677 regular expressions: pcre_table.5 and regexp_table.5.
3679 20000214
3681 Bugfix: postconf reported some parameters more than once
3682 because the parameter extracting script didn't recognize
3683 lines that differ in whitespace only. File: postconf/extract.awk.
3684 Reported by Kenn Martin.
3686 20000221
3688 Logging: the SMTP client now logs log host+port when it is
3689 unable to connect to a non-MX host, just like it logs
3690 host+port when unable to connect to an MX host.
3692 20000226
3694 Bugfix: the SMTP server's "User unknown" test didn't notice
3695 LDAP etc. dictionary access errors. The code now reports
3696 a 450 status (try again instead of bounce) if the reply is
3697 not definitive. File: smtp/smtpd_check.c.
3699 Robustness: the smtp-source program could stall when making
3700 hundreds of parallel connections to a Postfix system with
3701 only one SMTP server process. The fix is to use non-blocking
3702 connect() calls, very carefully. File: smtpstone/smtp-source.c.
3704 20000303
3706 Feature: with smtp_always_send_ehlo the SMTP client will
3707 send EHLO regardless of the content of the SMTP server's
3708 greeting. File: smtp/smtp_proto.c.
3710 20000304
3712 Feature: DICT_FLAG_SYNC_UPDATE flag for synchronous dictionary
3713 updates, if supported by the underlying mechanism. Files:
3714 util/dict.h, util/dict_open.c, util/dict_db.c.
3716 20000307
3718 Cleanup: the manual pages in Postfix configuration files
3719 no longer contain troff formatting codes. The text is now
3720 generated from prototype files in a new "proto" subdirectory.
3721 Requested by Matthias Andree @ stud.uni-dortmund.de.
3723 20000308
3725 Bugfix: the unused db and dbm "delete" routines would
3726 clobber the per-dictionary flags when called before reading
3727 or writing the table. Files: util/dict_dbm.c, util/dict_db.c.
3728 Lutz Jaenicke @ aet.TU-Cottbus.DE.
3730 Bugfix: the SMTP server would produce a cryptic message
3731 when a queue file write error happened before it had written
3732 any recipients. Keith Stevenson. File: smtpd/smtpd.c.
3734 Robustness: the db and dbm "delete" routines didn't adjust
3735 to dictionaries with/without one trailing null in lookup
3736 keys and values. Did a complete rewrite of the routines.
3737 Files: util/dict_db.c, util/dict_dbm.c.
3739 Feature: specify "-d key" to postalias or postmap in order
3740 to remove one key. This still needs to be generalized to
3741 multi-key removal (read stdin?). Files: postmap/postmap.c,
3742 postalias/postalias.c.
3744 Test: added test targets for the dictionary delete operations.
3745 Files: util/Makefile.in, util/dict_test.{c,in,ref}.
3747 Feature: added data offset and recipient count fields to
3748 the first queue file record output from the cleanup daemon.
3749 The recipient counts provides an initial estimate for a
3750 more advanced queue manager scheduling algorithm. Files:
3751 cleanup/cleanup_envelope.c, cleanup/cleanup_extracted.c.
3753 20000311
3755 Portability: HP-UX awk can't handle bare { in regexps
3756 (Lamont Jones. HP). File: postconf/extract.awk.
3758 Compatibility: sendmail now recognizes '.' as end of input.
3759 File: sendmail/sendmail.c.
3761 20000313
3763 Compatibility: dtcm (CDE desktop calendar manager) leaks
3764 a file descriptor into its child process, and requires that
3765 sendmail closes the descriptor, otherwise mail notification
3766 will hang. These GUI programmers never figured out that
3767 the child process must close the writing end of a pipe.
3768 File: sendmail/sendmail.c.
3770 20000314
3772 Feature: SASL authentication in the SMTP server and client.
3773 Based on code contributed by Till Franke, SuSE. Specify:
3774 "smtpd_sasl_auth_enable = yes" and "smtp_sasl_auth_enable
3775 = yes". The "permit_sasl_authenticated" UCE restriction
3776 gives special treatment to authenticated clients.
3778 20000315
3780 Workaround: added -blibpath option for AIX 4.x, to close
3781 hole in case postdrop needs to be set-gid.
3783 20000320
3785 Portability: FreeBSD 5.x added to the list of supported
3786 systems (Mark Huizer).
3788 20000323
3790 Portability: INSTALL.sh looks if sendmail is in /usr/lib
3791 rather than in /usr/sbin.
3793 20000326
3795 Bugfix: settings in one mysql configuration file would act
3796 as the implicit defaults for the next one, which could be
3797 confusing. Patch by Scott Cotton. File: util/dict_mysql.c.
3799 Robustness: limit the number of "junk" commands that can
3800 be issued in an SMTP session (ex.: NOOP, VRFY, ETRN, RSET).
3801 Problem report by Michael Ju. Tokarev @ tls.msk.ru. Files:
3802 global/mail_params.h, smtpd/smtpd.c.
3804 20000413
3806 Portability: more MacOS X patches by Gerben Wierda.
3808 Bugfix: RFC 822 requires the presence of at least one
3809 destination message header. The cleanup daemon now generates
3810 a generic "To: undisclosed-recipients:;" message header
3811 when no destination header is present. The header content
3812 is specified with the undisclosed_recipients_header parameter.
3813 Problem pointed out by Geoff Gibbs, UK-Human Genome Mapping
3814 Project-Resource Centre.
3816 20000416
3818 Workaround: allow <(comment)> as SMTP MAIL FROM address.
3820 20000417
3822 The SASL authentication in the SMTP server and client works,
3823 but only on Linux and Solaris, neither of which I wish to
3824 run on my laptop.
3826 20000418
3828 Added LMTP support to the smtp-source and smtp-sink utilities
3829 so that I don't have to install Cyrus IMAP just to test
3830 LMTP.
3832 20000419
3834 Bugfix: removed the () from the tokenized representation
3835 of RFC 822 comments, so that comments with \( or \) can be
3836 unparsed correctly. Problem reported by Bodo Moeller.
3838 20000423
3840 Bugfix: mail_copy() could prepend > or . in the middle of
3841 long lines. Found by code inspection.
3843 20000427
3845 New code: unescape module that translates C escape sequences
3846 into their equivalent character values. File: util/unescape.c.
3848 Feature: the pipe mailer now has a way to specify the output
3849 record delimiter (for example, eol=\r\n). This is necessary
3850 for transports that require CRLF instead of UNIX-style LF.
3852 20000502
3854 In order to support timeouts more conveniently, VSTREAMs
3855 now have built into them the concept of timeout. Instead
3856 of calling read() and write(), the low-level VSTREAM
3857 interface now by default uses timed_read() and timed_write()
3858 which receive a timeout parameter; vstream_ctl(stream,
3859 VSTREAM_CTL_TIMEOUT...) sets the timeout deadline on a
3860 stream, and vstream_ftimeout(stream) queries a stream for
3861 timeout errors. This change simplified timeout handling
3862 considerably. Files: util/vbuf.h, util/vstream.[hc],
3863 global/smtp_stream.c, global/timed_ipc.c.
3865 20000504
3867 Added application context to VSTREAMs, which is passed on
3868 transparently to application-provided read/write routines.
3869 vstream_ctl(stream, VSTREAM_CTL_CONTEXT...) sets the context.
3870 Files: util/vstream.[hc].
3872 Added vstream_setjmp() and vstream_longjmp() support to
3873 make exception handling more convenient. Turn on exception
3874 handling with vstream_ctl(stream, VSTREAM_CTL_EXCEPT...).
3875 Files: util/vstream.[hc].
3877 Cleaned up the smtp_stream module further and got rid of
3878 the global state that limited the use of this module to
3879 one stream per process. Files: global/smtp_stream.[hc].
3881 20000505
3883 Bugfix: the SMTP server now flushes unwritten output before
3884 tarpit delays, to avoid protocol timeouts in pipelined
3885 sessions when a client causes lots of errors. Found by
3886 Lamont Jones, HP. File: smtpd/smtpd_chat.c.
3888 Finished the LMTP client, which is based on a modified
3889 version of the SMTP client by Philippe Prindeville, Mirapoint,
3890 Inc., later modified by Amos Gouaux, UTDallas, and then
3891 Wietse ripped it all up again. Currently this talks LMTP
3892 over TCP only.
3894 Feature: override main.cf parameters in master.cf. Specify
3895 "-o parameter=value" after the program name. This allows
3896 you to selectively override myhostname etc. See also the
3897 new smtp_bind_address parameter below.
3899 20000506
3901 Convenience: the LMTP and SMTP clients now append the local
3902 domain to unqualified nexthop destinations. This makes it
3903 more convenient to set up transport maps. Files:
3904 lmtp/lmtp_addr.c, smtp/smtp_addr.c.
3906 Sendmail compatibility: the Postfix SMTP client now skips
3907 servers that greet the client with a 4xx or 5xx status
3908 code. To disable, set both smtp_skip_4xx_greeting and
3909 smtp_skip_5xx_greeting to "no".
3911 20000507
3913 Portability: NetBSD has migrated to /etc/mail/aliases. We
3914 can expect to see this happen more often when systems start
3915 shipping Sendmail 8.10. File: util/sys_defs.h
3917 Updated LDAP code by John Hensley, with support for
3918 dereferencing of LDAP aliases, which have nothing to do
3919 with Postfix aliases.
3921 Feature: "smtp_bind_address=x.x.x.x" specifies the source
3922 IP address for SMTP client connections. Specify in master.cf
3923 as "smtp -o smtp_bind_address=x.x.x.x" in order to give
3924 different delivery agents different source addresses.
3926 20000510
3928 Cleanup: mailbox_transport did not work with the lmtp
3929 delivery agent. This dates back to when Postfix used empty
3930 nexthop information to indicate that a destination was
3931 local. File: global/deliver_pass.c.
3933 Bugfix: configuration parameters for one mysql dictionary
3934 would become default settings for the next one. File:
3935 dict_mysql.c. This patch was merged into Postfix a while
3936 back but apparently that Postfix version was nuked when
3937 other parts were redesigned. Update by Scott Cotton.
3939 Bugfix: some Postfix delivery agents would abort on addresses
3940 of the form `stuff@.' which could be generated only locally.
3941 Found by Patrik Rak. File: trivial-rewrite/resolve.c.
3943 Third-party Berkeley DB support for HP-UX by Lamont Jones.
3944 File: makedefs.
3946 20000511
3948 Bugfix: Postfix would incorrectly reject domain names with
3949 adjacent - characters. File: util/valid_hostname.c.
3951 Bugfix: the 20000505 pipeline tarpit delay flush was wrong
3952 and caused the client and server to get out of phase. Yuck!
3954 20000513
3956 Feature: VSTREAMs now have the concept of last fill/flush
3957 time, which is needed to prevent timeouts with pipelined
3958 SMTP sessions as detailed in the next item.
3960 Bugfix: delayed SMTP command/reply flushing to prevent
3961 sender delays from accumulating too much and causing timeouts
3962 with pipelined sessions. For example, client-side delays
3963 happen when a client does DNS lookups to replace hostname
3964 aliases in MAIL FROM or RCPT TO commands; server-side delays
3965 happen when an UCE restriction involves a time-consuming
3966 DNS lookup, or when a server generates tarpit delays.
3967 Files: lmtp/lmtp_proto.c, smtp/smtp_proto.c, smtpd/smtpd_chat.c.
3969 Portability: define ANAL_CAST for compilation environments
3970 that reject explicit casts between pointers and integral
3971 types. File: util/sys_defs.h, master/*server.c. Upon closer
3972 investigation, this turned out to be the result of someone's
3973 compiler configuration preferences. Therefore the change
3974 is likely to go away after a code cleanup.
3976 20000514
3978 Feature: mysql client support for multi-valued queries
3979 (select email, email2 from aliastbl where username='$local')
3980 By Loic Le Loarer @ m4x.org. File: util/dict_mysql.c.
3982 Finalized the delayed SMTP command/reply flushing code in
3983 the SMTP and LMTP clients after lots of testing and review.
3985 20000520
3987 Robustness: upon receipt of mail, map the mailer-daemon
3988 sender address back into the magic null string. File:
3989 cleanup/cleanup_envelope.c.
3991 20000524
3993 Bugfix: the code for masquerade_exceptions was case sensitive.
3994 Reported by Eduard Vopicka. File: cleanup/cleanup_masquerade.c.
3996 20000526
3998 Feature: experimental queue manager by Patrik Rak with a
3999 fancy pre-emptive scheduling algorithm that improves delivery
4000 performance of mail with few recipients. This queue manager
4001 is made available as "nqmgr".
4003 20000528
4005 Feature: the SMTP client SASL password file can contain
4006 entries for destination domain names (the address remote
4007 part) not just mail server hostnames. File: smtp_sasl_glue.c.
4009 Feature: smtpd_sasl_local_domain parameter (default:
4010 $myhostname) to specify the local SASL authentication realm.
4011 File: smtpd_sasl_glue.c.
4013 Feature: specify "body_checks=regexp:/file/name" for a very
4014 crude one line at a time message body content filter. This
4015 feature uses the same filtering syntax as the header_checks
4016 feature. File: cleanup/cleanup_message.c. See also the
4017 conf/sample-filter.cf file.
4019 20000530
4021 Feature: full content filtering through external software.
4022 This uses existing interfaces for sending mail to the
4023 external content filter and for injecting it back into
4024 Postfix. Details in FILTER_README. Files: pickup/pickup.c,
4025 smtpd/smtpd.c, qmgr/qmgr_message.c.
4027 20000531
4029 More SASL feedback by Liviu Daia, regarding the use of
4030 authentication realms. File smtpd/smtpd_sasl_glue.c.
4032 Added a simple shell-script based content filtering example
4033 to the FILTER_README file.
4035 Content filtering support for nqmgr by Patrik Rak. File:
4036 nqmgr/qmgr_message.c.
4038 Renamed "content inspection" etc. to "content filtering"
4039 in anticipation of a new hook for content inspection that
4040 only inspects mail without re-injecting it into Postfix.
4042 20000601
4044 Feature: limit the size of pipe mailer deliveries with the
4045 size=nnn command-line attribute. Patch by Andrew McNamara.
4047 20000603
4049 Bugfix: don't try to do SASL authentication when running
4050 in stand-alone (sendmail -bs) mode. Fix by Liviu Daia.
4052 Bug: the unauthorized pipelining test fails with single
4053 recipient mail when smtpd_delay_reject = yes.
4055 20000617
4057 Bugfix: conf/sample-ldap.cf was no longer up to date with
4058 reality. Patch by Lamont Jones, HP.
4060 Bugfix: the maildir delivery routine left temporary files
4061 lying around after unsuccessful delivery (problem reported
4062 by Brian Laughton @ Corp.Axxent.Ca).
4064 20000621
4066 AIX 4.x had POSIX regular expression support all the time
4067 I was working on Postfix. Better find out late than never.
4069 20000623
4071 Bugfix: the SMTP server did not reset the so-called junk
4072 command counter after successful delivery (Mark Hoffman @
4073 wallst.com). File: smtpd/smtpd.c.
4075 20000625
4077 Cleanup: remove Content-Length from incoming mail. The
4078 sender has no authority over the format of mail as stored
4079 by the receiving system. File: global/header_opts.h.
4081 Feature: rewrite Mail-Followup-To: as sender. Files:
4082 global/header_opts.[hc].
4084 Cleanup: rewrite Reply-To, Errors-To, Return-Receipt-To as
4085 sender, so that address masquerading works as expected.
4086 Files: global/header_opts.c.
4088 Feature: specify "require_home_directory = yes" to prevent
4089 mail from being delivered to a user whose home directory
4090 is not mounted. File: local/dotforward.c.
4092 Cleanup: the pipe deliver agent no longer appends a blank
4093 line when the F flag (prepend From_ line) is specified.
4094 Specify the B flag if you need that blank line. The local
4095 delivery agent no longer appends a blank line to mail that
4096 is delivered to external command. Files: pipe/pipe.c,
4097 global/mail_copy.[hc].
4099 20000708
4101 Portability: support for NEXT/OPENSTEP requires extra
4102 include file in util/watchdog.c (Masaki Murase).
4104 20000715
4106 Added macros to turn on vstream/vstring/etc. format string
4107 checking by gcc, in addition to the checking that was
4108 already implemented with printfck. File: util/sys_defs.h,
4109 the macros for PRINTFLIKE and SCANFLIKE. Problem - unlike
4110 the printfck tool, gcc finds format argument type mismatches
4111 only in code that isn't #ifdef-ed out.
4113 20000718
4115 Robustness: make_dirs() now continues when a missing
4116 directory is created by another process.
4118 20000720
4120 Feature: the queue manager now logs the number of recipients
4121 when opening a queue file (a zero recipient count is logged
4122 with older queue files). File: global/opened.c.
4124 20000726
4126 Robustness: added watchdog_pat() routine to keep the watchdog
4127 quiet if a client stays connected for a lot of time. Files:
4128 util/watchdog.[hc], smtpd/smtpd.c.
4130 20000729
4132 Robustness: if relayhost is specified but the host does
4133 not exist, defer mail instead of bouncing it (which would
4134 lose the mail if the bounce would have to be delivered to
4135 that same non-existent relayhost). Problem reported by
4136 Chris Cooper @ maths.ox.ac.uk. File: smtp/smtp_connect.c.
4138 20000821
4140 Feature: added -r (replace key+value) option to postalias
4141 and postmap.
4143 Cleanup: smtpd now replies with 555 when the client sends
4144 unrecognized RCPT TO parameters, as required by RFC 1869
4145 (problem report by Robert Norris @ its.monash.edu.au).
4146 File: smtpd/smtpd.c.
4148 20000822
4150 Logging: the SMTP server's SASL code logs the authentication
4151 method along with an authentication failure. Suggested by
4152 Ronald F. Guilmette @ monkeys.com.
4154 Workaround: some systems have file size resource limits
4155 that cannot be represented with the off_t type that is used
4156 by standard functions such as lseek(2). Problem reported
4157 by Blaz Zupan @ amis.net.
4159 20000823
4161 Feature: all this discussion about when to reject mail and
4162 when not made me decide to implement a TCP-based map type
4163 so that it becomes relatively simple to implement dynamic
4164 access controls, for example, hold off mail from an unknown
4165 client or sender until we have completed some investigation,
4166 after which we will either reject or accept.
4168 However, this code is turned off until it is finished.
4170 20000905
4172 Robustness: the dns client now rejects malformed domain
4173 names rather than depending on the DNS to report that the
4174 name does not exist. Linux returns a rather misleading
4175 server failure code as found out by Patrik Rak. File:
4176 dns/dns_lookup.c.
4178 20000911
4180 Feature: added IGNORE keyword to header_checks and body_checks
4181 to pretend that certain data does not exist. File:
4182 cleanup/cleanup_message.c.
4184 20000911
4186 Bugfix: the SASL code did not allow MAIL FROM... AUTH=sender
4187 without prior authentication. The RFC allows this, although
4188 one wonders what the reasoning behind this is. File:
4189 smtpd/smtpd_sasl_proto.c.
4191 20000913
4193 Bugfix: the rmail script did not handle remote UUCP systems
4194 that send a from_ line with unqualified envelope sender.
4195 Reported by Luciano Mannucci.
4197 Compatibility: don't insert Sender: header lines. Sendmail
4198 has not done so for at least 10 years, if it ever did.
4199 Problem reported by Brad Knowles. File: cleanup/cleanup_message.c.
4201 20000916
4203 Bugfix: when propagating an address extension in a virtual
4204 or canonical mapping, cleanup accesses memory that is no
4205 longer allocated. This can happen when the result address
4206 length is more than 100 characters. Problem reported by
4207 Adi Prasaja @ satunet.com. File: global/mail_addr_crunch.c.
4209 Bugfix: fixed a misleading error message when the cleanup
4210 server reaches the queue file size limit. Fix by Robby
4211 Griffin @ MIT.EDU. File: cleanup/cleanup_extracted.c.
4213 20000917
4215 Bugfix: postalias -i would complain about duplicate entries
4216 for the Sendmail-compatible @ entry and for the NIS-compatible
4217 YP_LAST_MODIFIED and YP_MASTER_NAME entries.
4219 20000918
4221 Gross hack: prevent looping on a bad recipient by always
4222 forwarding recipients in :include: files to a new mail
4223 delivery request, even when owner-listname is not set.
4224 File: local/recipient.c.
4226 20000919
4228 Convenience: INSTALL.sh now imports default settings from
4229 the process environment, in order to make scripting easier.
4231 Robustness: INSTALL.sh now systematically skips over CVS,
4232 RCS and SCCS cruft.
4234 Portability: another fix for NEXTSTEP (Masaki MURASE).
4235 File: util/spawn_command.h.
4237 20000920
4239 Cleanup: in a transport table entry, do not ignore port
4240 numbers specified as [host]:port. In fact, this is now
4241 becoming the preferred form, in order to avoid parsing
4242 problems with IPV6 addresses. Postfix supports both forms,
4243 but future versions will print a warning for the old form.
4244 Problem reported by Claus Fischer @ werhats.at
4246 Bugfix: missing initialization for state->sasl_method can
4247 cause permit_sasl_authenticated to always succeed. Report
4248 and fix by Lutz Jaenicke @ aet.TU-Cottbus.DE.
4250 FAQ: added notes about how to delete, copy or restore queue
4251 files in a safe manner.
4253 20000921
4255 File reorganization. No code change except Makefiles. All
4256 sources are pushed down by one directory level to keep file
4257 listings usable. Released as 20000922, so that I have a
4258 reference to run "diff -cr against.
4260 Bugfix: the spawn service was installed without man pages.
4262 Portability: MacOSX hints and tips by Joe Block, University
4263 of Central Florida School of Optics/CREOL
4265 Portability: The MacOSX gcc compiler does not understand
4266 the new printf_like/scanf_like attributes. File: util/sys_defs.h.
4268 20000922
4270 nqmgr update from Patrik Rak for the changed queue manager
4271 to delivery agent protocol.
4273 Lame feature: syslog_facility parameter to control where
4274 syslogd sends Postfix logging (default: syslog_facility =
4275 mail). However, errors during command-line parsing are
4276 still logged with the default syslog facility, as are errors
4277 while processing the main.cf file (surprise). Based on
4278 code by Andrew McNamara.
4280 20000923
4282 Cleanup: new bounce logfile API so that Postfix can change
4283 to an extensible bounce logfile format with per-recipient
4284 sender addresses (needed for VERP and for reporting local
4285 list delivery problems to the list owner) and other
4286 attributes. File: global/bounce_log.[hc].
4288 Cleanup: replaced the ad-hoc logfile parsing code in showq
4289 by something that uses the generic bounce logfile API.
4291 20000924
4293 Feature: Postfix bounced mail and delayed mail notifications
4294 now have the standard RFC 1894 form (DSN). The bounce
4295 service now uses the generic bounce logfile API. File:
4296 bounce/bounce_notify_service.c, bounce/bounce_notify_util.c.
4298 Cleanup: deleted the per-recipient bounce protocol. Future
4299 bounce logfiles will support per-recipient bounce addresses.
4300 Files: global/bounce.c, bounce/bounce_recip_service.
4302 20000925
4304 Workaround: sendmail allows MAIL FROM and RCPT TO envelope
4305 addresses like <the dude <dude@site>> so we will never get
4306 rid of them. To disallow, specify "strict_rfc821_envelopes
4307 = yes". File: smtpd/smtpd.c.
4309 20000926-20001003
4311 Feature: a "flush" server that keeps per-destination records
4312 of deferred mail. It is the basis of a faster ETRN and
4313 "sendmail -qRsite" implementation. This code was rewritten
4314 half a dozen times.
4316 20000928
4318 Bugfix: the stricter dns_lookup() argument checks revealed
4319 that Postfix was doing DNS lookups for domain literals
4320 ([ip.address]) when expanding aliases in MAIL FROM and RCPT
4321 TO address parameters. Reported by Jim Littlefield. File:
4322 smtp/smtp_unalias.c.
4324 Documentation: added text on the biff=yes/no parameter to
4325 conf/sample-local.cf (text provided by Paul Wagland,
4326 relational-consultancy.com.
4328 Robustness? Log errors from SASL library code as warnings
4329 not as fatal errors. Files: smtp*/*glue.c.
4331 20001001
4333 Feature: in master.cf, specify ? after wakeup time to avoid
4334 waking up services that aren't being used.
4336 20001003
4338 Feature: the fast flush refresh and purge time interval
4339 parameters can now be specified in user-specified units by
4340 providing an appropriate suffix: s (seconds), m (minutes),
4341 h (hours), d (days), w (weeks). unit. This was needed so
4342 that I could test the flush server code in a reasonable
4343 way (its timeouts are normally specified in days or hours,
4344 and I don't have that much time for testing). Other Postfix
4345 time interval parameters will be migrated as time permits.
4346 Files: conf/sample-flush.cf, global/mail_conf_time.c,
4347 postconf/postconf.c.
4349 Unfeature: qmgr_hog_factor is now disabled by default. It
4350 was just too confusing. If you don't know what this means,
4351 do not worry.
4353 20001005
4355 Cleanup: after "postfix reload" do not penalize mail that
4356 was in the active queue, but make it ready for immediate
4357 delivery so that ETRN etc. works as intended. Files:
4358 *qmgr/qmgr.c, *qmgr/qmgr_active.c.
4360 Portability: Redhat 7 library interfaces have changed
4361 incompatibly, which breaks existing software. File makedefs.
4363 Consistency: the fallback_relay parameter did not understand
4364 the [] or host:port syntax, and there was no way to suppress
4365 MX record lookups. Files: smtp/smtp_addr.c, smtp/smtp_connect.c.
4367 Convenience: you can now specify multiple SMTP destinations
4368 in the relayhost or fallback_relay configuration parameters.
4369 The specified destinations will be tried in the specified
4370 order. File: smtp/smtp_connect.c.
4372 Many typographical corrections by Matthias Andree.
4374 20001024
4376 Documentation: the canonical, virtual etc. manual pages
4377 did not document the effect of leading whitespace.
4379 20001025
4381 Bugfix: virtual map expansion stopped too early with
4382 self-referential aliases. Reported by Michael Douglass @
4383 datafoundry.net. File: cleanup/cleanup_map1n.c.
4385 20001026
4387 Horror: postmap and postalias (newaliases) silently lose
4388 the file lock while building a lookup table with Berkeley
4389 DB 2.x and later on Solaris, HP-UX, IRIX, and UNIXWARE.
4390 The result is that table lookups fail while the table is
4391 being built, so that mail is lost. In order to avoid this
4392 misbehavior one has to use an undocumented feature that is
4393 NOT available with the DB1.85 compatibility interface.
4394 Therefore, Postfix now supports three Berkeley DB programming
4395 interfaces of increasing complexity. File: util/dict_db.c.
4397 Bugfix: some character manipulations were not portable for
4398 signed/unsigned characters. Files: global/quote_821_local.c,
4399 global/quote_822_local.c.
4401 Workaround: apparently, some software sends SMTP mail that
4402 begins with "From sender time-stamp". Sendmail silently
4403 ignores such RFC violating garbage, and therefore Postfix
4404 needs to jump another hoop. File: smtpd/smtpd.c.
4406 20001028
4408 Bugfix: the flush server tried to access config files after
4409 going to the chroot jail. Found by Lutz Jaenicke, TU-Cottbus.DE.
4410 File: flush/flush.c.
4412 Update: revised LDAP module from primary maintainer John
4413 Hensley, with contributions from many other people. Files:
4414 util/dict_ldap.c, LDAP_README.
4416 Update: LINUX2 chroot setup script by Matthias Andree,
4417 uni-dortmund.de.
4419 Feature: specify unix:/path/name for LMTP connections over
4420 UNIX-domain sockets, and specify inet:host or inet:host:port
4421 for IPV4. If no unix: or inet: is specified, IPV4 is assumed.
4422 File: lmtp/lmtp_connect.c.
4424 Feature: added UNIX-domain support to the smtpstone test
4425 programs in order to test the LMTP client UNIX-domain
4426 support.
4428 20001030
4430 Bugfix: further testing in preparation for 19991231-pl10
4431 revealed that the DB map code was now broken for every
4432 platform.
4434 20001031
4436 Performance: the slow start (gradually increase number of
4437 parallel connections to the same site) was too gentle and
4438 Postfix would back off too quickly. Files: qmgr/qmgr_queue.c
4439 and nqmgr/qmgr_queue.c.
4441 20001101
4443 FAQ update by Ralph Hildebrandt.
4445 20001104
4447 Portability: RedHat Linux has changed incompatibly, again.
4448 Fixed with the help of Matthias Andree. File: makedefs.
4450 20001109
4452 Cleanup: changed prototype of internal function that did
4453 not return a useful result. File: src/util/vstream_popen.c.
4455 20001110
4457 Workaround: the Debian post install script passes an open
4458 file descriptor into the master server and waits forever.
4459 Reported by Lamont Jones. File: master/master.c.
4461 20001114
4463 Compatibility: added sendmail -G (gateway submission) option
4464 for compatibility with the sendmail rmail command. Requested
4465 by David Gilbert, Velocet Communications.
4467 20001116
4469 Documentation: added MAILER-DAEMON to the list of sample
4470 masquerade_exceptions settings in conf/sample-rewrite.cf.
4471 Suggested by Karl O. Pinc, pop.artic.edu.
4473 Performance: the slow start (gradually increase number of
4474 parallel connections to the same site) was too gentle and
4475 Postfix would back off too quickly. Files: qmgr/qmgr_queue.c
4476 and nqmgr/qmgr_queue.c. Yup, changed the same code, again.
4477 We now allow for a margin above the actual concurrency,
4478 with the size of the initial destination concurrency.
4479 Final solution by Patrik Rak.
4481 Bugfix: the recipient home directory test broke mailbox_transport
4482 support for non-UNIX recipients. File: local/recipient.c.
4484 20001117
4486 Robustness: additional integrity tests for the nqmgr by
4487 Patrik Rak. File: nqmgr/qmgr_message.c.
4489 20001118
4491 Bugfix: the new LDAP client code did not work properly if
4492 the new ldap_domain parameter was not specified. LaMont
4493 Jones, HP. File: util/dict_ldap.c.
4495 Feature: the soft_bounce safety net is extended to the SMTP
4496 server. With "soft_bounce = yes", The SMTP server changes
4497 all 5xx (reject) replies into 4xx (try again) replies.
4499 Documentation: the virtual(5) man page now documents both
4500 Postfix-style virtual domains and Sendmail-style virtual
4501 domains, including their interaction with local usernames,
4502 aliases and mailing lists. Hopefully, this ends some of
4503 the confusion surrounding virtual domain support. Updated
4504 several FAQ entries concerning virtual domain support.
4506 Documentation: added FAQ entry for the biff service.
4508 20001119
4510 Bugfix: per-destination queue names were case sensitive so
4511 that the same site could have multiple queues. Reported
4512 by Patrik Rak. Files: *qmgr/qmgr_message.c.
4514 20001120
4516 Bugfix: per-destination deferred mail logfiles were case
4517 sensitive so that the same site could have multiple deferred
4518 mail logfiles, so that not all mail would be flushed with
4519 ETRN. Reported by Ralph Hildebrandt. Files: flush/flush.c.
4521 Portability: added (int) casts to printf-like arguments
4522 that specify the width of %*letter conversions. On some
4523 systems, sizeof and pointer difference expressions are
4524 wider than an int. Reported by Valentin Nechayev @ lucky.net.
4526 20001121:
4528 Compatibility: Postfix now retries delivery when an external
4529 command is killed by a signal, because people expect such
4530 behavior from Sendmail. File: global/pipe_command.c.
4532 20001123-30
4534 Feature: mailbox locking is now configurable. The configuration
4535 parameter name is "mailbox_delivery_lock". Depending on
4536 the operating system one can specify one or more of "flock",
4537 "fcntl" and "dotlock". Use "postconf -l" to find out what
4538 locking methods Postfix supports. The default setting is
4539 system dependent. All mailbox file opens are now done by
4540 one central mbox_open() routine. This affects the operation
4541 of the postlock command, and of local delivery to mailbox
4542 or /file/name. Files: util/safe_open.c, util/myflock.c,
4543 global/deliver_flock.c, global/mbox_conf.c, global/mbox_open.c.
4544 local/mailbox.c, local/file.c, postlock/postlock.c.
4546 Compatibility: the old sun_mailtool_compatibility parameter
4547 is being phased out. It still works (by turning off
4548 flock/fcntl locks), but logs a warning as a reminder that
4549 it will go away.
4551 Compatibility: when delivering to /file/name, the local
4552 delivery agent now logs a warning when it is unable to
4553 create a /file/name.lock file, and then delivers the mail
4554 (older Postfix versions would silently deliver).
4556 20001202
4558 Feature: specify "smtp_never_send_ehlo = no" to disable
4559 ESMTP. Someone asked for this long ago. Files: smtp/smtp.c,
4560 smtp/smtp_proto.c.
4562 Feature? Bugfix? The smtp client now skips server replies
4563 that do not start with "CODE SPACE" or with "CODE HYPHEN",
4564 and flags them as protocol errors. Older versions silently
4565 treat "CODE TEXT" as "CODE SPACE TEXT". File: smtp/smtp_chat.c.
4567 20001203
4569 Documentation: postmap(1) and postalias(1) did not document
4570 the process exit status for "-q key".
4572 20001204
4574 Bugfix: the Postfix master daemon no longer imported
4575 MAIL_CONF and some other necessary environment parameters.
4576 Postfix now has explicit "import_environment" and
4577 "export_environment" configuration parameters that control
4578 what environment parameters are shared with non-Postfix
4579 processes. Files: util/clean_env.c, util/spawn_command.c,
4580 util/vstream_popen.c, global/pipe_command.c, and everything
4581 that invokes this code.
4583 20001208
4585 Bugfix: while processing massive amounts of one-recipient
4586 mail, qmgr could deadlock for 10 seconds while sending a
4587 bounce message. All queue manager bounce send requests are
4588 now implemented asynchronously. Files: global/abounce.[hc]
4589 (asynchronous bounce client), qmgr/qmgr_active.c. Problem
4590 reported by El Bunzo (webpower.nl) and Tiger Technologies
4591 (tigertech.com).
4593 20001209
4595 Feature: mailbox_transport and fallback_transport can now
4596 have the form transport:nexthop, with suitable defaults
4597 when either transport or nexthop are omitted, just like in
4598 the Postfix transport map. This allows you to specify for
4599 example, "mailbox_transport = lmtp:unix:/file/name". File:
4600 global/deliver_pass.c.
4602 20001210
4604 Bugfix: the local_destination_concurrency_limit paramater
4605 no longer worked as per-user concurrency limit but instead
4606 worked as per-domain limit, so that the limit of "2" in
4607 the default main.cf files resulted in poor local delivery
4608 performance. Files: qmgr/qmgr_message.c, qmgr/qmgr_deliver.c.
4609 Problem reported by David Schweikert (ee.ethz.ch) and Dallas
4610 Wisehaupt (cynicism.com).
4612 20001210
4614 Feature: support for MYSQL connections over UNIX-domain
4615 sockets by Piotr Klaban. Files: util/dict_mysql.c,
4616 MYSQL_README.
4618 20001211
4620 Small dirt: postconf -m produced too much output due to a
4621 missing "else", and the optional SASL code needed a fix
4622 for the changed name_mask API.
4624 20001212
4626 Workaround: due to an error, record type L for "filter
4627 transport name" was the same as that for the already existing
4628 record type L for "record not ending in newline", causing
4629 the pickup daemon to discard all records not ending in
4630 newline. The code cannot be changed without breaking
4631 compatibility with queued mail, so the pickup server is
4632 changed to discard type L records only from the message
4633 envelope, not from the content. File: pickup/pickup.c.
4635 20001213
4637 Bugfix: dict_ldap did not properly initialize a handle
4638 after connection timeout. Problem reported by Alain Thivillon.
4639 File: util/dict_ldap.c.
4641 20001214
4643 Feature: local_transport and default_transport now also
4644 understand the transport[:destination] notation, so that
4645 all transport config parameters are similar again. File:
4646 trivial-rewrite/resolve.c, trivial-rewrite/transport.c.
4648 Code cleanup: mailbox_transport and fallback_transport no
4649 longer allow the user to omit the transport part of a
4650 transport:destination specification. That just did not make
4651 any sense at all. The :destination part is still optional.
4652 File: global/deliver_pass.c.
4654 Feature: most time-related configuration parameters take
4655 a one-letter suffix that specifies the time unit: s
4656 (second), m (minutes), h (hours), d (days), w (weeks).
4657 "postconf -d" output includes the default time unit. Files:
4658 many.
4660 Code cleanup: in a CONFIG_TIME_TABLE, the default time unit
4661 is now always the last character of a default time value.
4662 It is no longer necessary to specify the default time unit
4663 separately. This change means that it will not be possible
4664 to specify default values in the form of function calls,
4665 but that was unused anyway. Files: global/mail_conf_time.c,
4666 and user code.
4668 20001217
4670 Bugfix: reorganized some code in the MYSQL client to end
4671 a number of memory allocation/deallocation problems. This
4672 code needs more work. File: dict_mysql.c.
4674 20001218
4676 Bugfix: the MYSQL client did not provide function pointers
4677 for unimplemented operations, causing "postmap -d" to dump
4678 core instead if issuing an error message. This is what I
4679 get for accepting code that I cannot test myself.
4681 20001221
4683 Code cleanup: configuration parameters that are $name
4684 expanded at run-time now have their own data type hierarchy
4685 instead of being piggy-backed on top of strings that are
4686 $name expanded at program initialization time. Files:
4687 global/mail_conf.h, global/mail_conf_raw.c, and code that
4688 calls it.
4690 20001230
4692 Update: replaced the default rbl.maps.vix.com setting by
4693 the current blackholes.mail-abuse.org.
4695 20010102
4697 Code cleanup: the queue manager is a bit greedier with
4698 allocating a delivery agent. Problem pointed out by Patrik
4699 Rak. All bugs in the solution are mine. Files:
4700 *qmgr/qmgr_active.c.
4702 20010105
4704 Bugfix: the FILTER_README shell script example did not
4705 correctly pass exit status to the parent.
4707 Bugfix: soft errors in client hostname lookups would be
4708 treated as hard errors. Fix by Michael Herrmann
4709 (informatik.tu-muenchen.de). File: smtpd/smtpd_peer.c.
4711 20010110
4713 Bugfix: the mkdir() EEXIST race condition workaround was
4714 not complete. Matthias Andree, Daniel Roesen. Files:
4715 global/mail_queue.c, util/make_dirs.c.
4717 20010111
4719 Portability: IRIX 6.5.10 defines sa_len as a macro, causing
4720 a name collision with a variable used by Postfix. Roberto
4721 Totaro, enigma.ethz.ch. File: smtpstone/smtp-source.c.
4723 20010116
4725 Bugfix: REJECT by header/body_checks was flagged in smtpd
4726 as a bounce, should be policy, in order to make postmaster
4727 notifications more consistent. File: smtpd/smtpd.c.
4729 Merged updated chroot setup procedure by Matthias Andree.
4730 Files: examples/chroot-setup/LINUX2.
4732 20010117
4734 Formatting: changed the seconds and days formats in the
4735 "your mail is delayed" text so that it does not switch to
4736 scientific notation. File: bounce/bounce_notify_util.c.
4738 20010119
4740 Feature: SASL support for the LMTP client. Recent CYRUS
4741 software requires this for Postfix over TCP sockets.
4743 20010120
4745 Bugfix: the 20001005 revised fallback_relay support caused
4746 Postfix to send mail to the fallback even when the local
4747 machine was an MX host for the final destination. Result:
4748 mailer loop. Found by Laurent Wacrenier (teaser.fr). Files:
4749 smtp/smtp_connect.c, smtp/smtp_addr.c.
4751 20010121
4753 Workaround: specify "broken_sasl_auth_clients = yes" in
4754 order to support old Microsoft clients that implement a
4755 non-standard version of RFC 2554 (AUTH command).
4757 Workaround: Lotus Domino 5.0.4 violates RFC 2554 and replies
4758 to EHLO with AUTH=LOGIN. File: smtp/smtp_proto.c.
4760 20010125
4762 Code cleanup: wrote creator/destructor for dictionary
4763 objects that provides default methods that trap all attempts
4764 to perform an unimplemented operation. Based on an ansatz
4765 by Laurent Wacrenier (teaser.fr). Files: util/dict*.[hc].
4767 Code cleanup: INSTALL.sh does not ask questions when stdin
4768 is not connected to a tty (as in: make install</dev/null).
4769 To automate a customized install, the script imports
4770 environment variables for install_root etc.
4772 20010127
4774 Workaround: randomize the delay between attempts to lock
4775 a file, so that multiple bounce or defer servers are less
4776 likely to retry all at the same time. likely. File:
4777 util/rand_sleep.c, global/deliver_flock.c, global/dot_lockfile.c.
4779 20010128
4781 Code cleanup: complaints about invalid or numeric hostnames
4782 either provide specific context or are removed as redundant.
4783 Files: util/valid_hostname.c dns/dns_lookup.c.
4785 Code cleanup: new mailbox_size_limit parameter (default:
4786 20MB). Until now, the mailbox size limit was the same as
4787 the message size limit, due to artefact of implementation.
4788 Files: global/mail_params.h, local/local.c.
4790 Bugfix: fix for the ldap_domains parameter, both semantics
4791 and documentation by LaMont Jones. Files: LDAP_README,
4792 conf/sample-ldap.cf, util/dict_ldap.c.
4794 Update: merged in the virtual delivery agent by Andrew
4795 McNamara. See VIRTUAL_README for detailed examples.
4797 Update: merged a re-vamped nqmgr by Patrik Rak.
4799 20010129
4801 Tweak: several little nqmgr tweaks by Patrik Rak. Files:
4802 global/mail_params.h, nqmgr/qmgr_job.c.
4804 Bugfix: the virtual delivery agent did not save maps_find()
4805 results timely. J?rgen Thomsen, postfix.jth.net. File:
4806 virtual/mailbox.c.
4808 Security: disallow regexp tables in the virtual delivery
4809 agent. The $1 etc. substitution mechanism gives too much
4810 power to the sender. File: virtual/mailbox.c.
4812 Cleanup: clarified documentation and boundary cases in the
4813 random_sleep() routine.
4815 Bugfix: the MISSING_USLEEP feature was used backwards.
4816 Patrik Rak. File: util/random_sleep.c.
4818 20010130
4820 Workaround: Linux usleep() is void, BSD/Solaris usleep()
4821 returns int, don't use it. File util/random_sleep.c.
4823 Made local maildir bounce/defer handling mode consistent
4824 with local mailbox delivery. File local/maildir.c.
4826 The smtp client now defers delivery when all MX hosts have
4827 no A record. File: smtp/smtp_addr.c
4829 Bundled the man2html and postlink quick hacks so people
4830 can do their own manual page processing. See scripts in
4831 the mantools directory.
4833 Documentation: updated the reference to sendmail in the
4834 html/index.html page.
4836 Documentation: added note about the Cisco PIX "fixup smtp"
4837 bug that causes mail delivery problems when "." and "CRLF"
4838 arrive in separate packets. File: html/faq.html.
4840 20010201
4842 Bugfix: another missing initialization in the mysql client.
4843 File: util/dict_mysql.c.
4845 Sanitized time routine by Patrik Rak, to make his nqmgr
4846 robust against people who set their clock back. Files:
4847 util/sane_time.[hc].
4849 Bumped the default mailbox file size limits to 50MB.
4851 20010202
4853 Bugfix: fixed the way the master resets the file size limit
4854 to avoid problems when a Postfix daemon updates a queue
4855 file. The file size limit is now increased to INT_MAX if
4856 it is smaller than INT_MAX, so that it is less likely to
4857 interfere than the old setting of message_size_limit.
4859 Feature: disable mailbox size limits for the local and
4860 virtual delivery agents by setting mailbox_size_limit or
4861 virtual_mailbox_limit to zero.
4863 20010203
4865 Update: null candidate patch from Patrik Rak. Files:
4866 nqmgr/qmgr_entry.c nqmgr/qmgr_job.c nqmgr/qmgr_message.c.
4868 Cleanup: added one gruesome command to the postlink script
4869 for hyperlinking nroff manual page output. Word abbreviation
4870 broke some <a href...> </a> instances across line boundaries.
4871 sed(1) is an amazing tool. File: mantools/postlink.
4873 20010204
4875 Laid the ground work for logging of table accesses. This
4876 will give more insight into how Postfix uses its lookup
4877 tables. User interface comes later. File: util/dict_debug.c.
4879 20010216
4881 Bugfix: the pipe delivery agent expanded $size as if it
4882 were a recipient, instead of expanding it as $nexthop or
4883 as $sender. Reported by Michael Tokarev. File: pipe/pipe.c.
4885 20010221
4887 Bugfix: poor LMTP performance for domains that are listed
4888 in $mydestination, because Postfix would send one recipient
4889 at a time, with multiple deliveries of recipients of the
4890 same message in parallel; a similar problem could exist
4891 with virus scanning and with firewall relay hosts that
4892 forward mail for $mydestination to an inside machine. This
4893 behavior is now changed to depend on the transport-specific
4894 xxx_destination_recipient_limit parameter. This also means
4895 that you can now get qmail behavior for SMTP deliveries by
4896 setting smtp_destination_recipient_limit=1. File:
4897 {qmgr,nqmgr}/qmgr_message.c.
4899 Workaround: Solaris socketpair() can fail with EINTR. Added
4900 a sane_socketpair.c module that joins the ranks of the
4901 other sane_whatever workarounds. Reported by Andrew McNamara.
4902 File: util/sane_socketpair.[hc]
4904 20010222
4906 Documentation: the default main.cf file has a prominent
4907 warning that mynetworks should be properly configured in
4908 order to reject unauthorized mail relay requests from
4909 strangers.
4911 Documentation: the INSTALL document, section "mandatory
4912 configuration file edits" has a section that explains that
4913 mynetworks should be properly configured in order to reject
4914 unauthorized mail relay requests from strangers.
4916 20010223
4918 Documentation: the basic.html document has a section that
4919 explains that mynetworks should be properly configured in
4920 order to reject unauthorized mail relay requests from
4921 strangers.
4923 Feature: new "mynetworks_style" parameter that controls
4924 how mynetworks (trusted networks) is derived from the
4925 inet_interfaces (machine interfaces) setting. Specify
4926 "class" for entire class A, B, C networks; "subnet" for
4927 the local subnets only; or "host" for maximal privacy.
4928 Files: util/inet_addr_local.[hc], global/own_inet_addr.[hc],
4929 global/mynetworks.[hc], postconf/postconf.c.
4931 Portability: MACOSX patches by Gerben Wierda.
4933 Portability: Solaris /dev/null is a symlink, which tripped
4934 up the code to safely open a file before local delivery.
4935 We now grudgingly allow symlinks owned by root. File:
4936 util/safe_open.c.
4938 20010224
4940 Bugfix: "postconf mynetworks" ignored the inet_interfaces
4941 setting. That was a very old one. File: postconf/postconf.c.
4943 INCOMPATIBLE CHANGE: POSTFIX NO LONGER RELAYS MAIL FOR
4944 CLIENTS IN THE ENTIRE CLASS A/B/C NETWORK. POSTFIX BY
4945 DEFAULT RELAYS MAIL FOR CLIENTS IN THE LOCAL SUBNETWORK.
4946 Specify "mynetworks_style = class" to get the old behavior.
4948 20010225
4950 Portability: master sigchld handler based on writing to a
4951 pipe, so that the master wakes up from select(). Based on
4952 code by Erik Forsberg, Linkoping University, Sweden. File:
4953 master/master_sig.c. Disabled until after the major release.
4955 Code cleanup: Postfix should now run with no alias database.
4957 Code cleanup: local_destination_recipient_limit and
4958 local_destination_concurrency_limit have become first-class
4959 configuration parameters. Files: global/mail_params.h,
4960 *qmgr/qmgr.c, postconf/postconf.c.
4962 20010226
4964 Documentation suggestions by Lars Hecking and Richard
4965 Huxton, Matthias Andree and many others.
4967 Code cleanup: some queue/transport operations need to be
4968 moved, after the code cleanup of the recipient/concurrency
4969 limit handling. Patrik Rak. Files: *qmgr/qmgr_message.c.
4971 20010301
4973 Feature: configurable name in syslog output (default:
4974 "syslog_name = postfix") so that different Postfix instances
4975 can be recognized by their logging. File: global/mail_task.c.
4977 20010313
4979 Workaround for logic mismatch in nqmgr that was exposed
4980 with the introduction of the asynchronous bounce client.
4981 Patrik Rak.
4983 20010313
4985 Bugfix: the RFC 822 untokenizer quoted newlines inside
4986 comments. File: global/tok822_parse.c.
4988 20010316
4990 Cleanup: removed an extraneous warning when a queue file
4991 write error happened.
4993 20010321
4995 Workaround: LMTP connection caching never worked for
4996 destinations starting with unix: or inet:. File:
4997 lmtp/lmtp_connect.c.
4999 20010322
5001 Portability: Solaris <2.6 does not have srandom() and
5002 random() in libc. File: util/rand_sleep.c. It does not have
5003 to be cryptographically strong.
5005 Bugfix: the fast ETRN flush server could not handle [ipaddr]
5006 or domain names with one-character hostname part. This
5007 fix changes the destination to logfile name mapping, so
5008 that you need to populate the new files with "sendmail -q".
5009 The old files go away automatically. File: flush/flush.c.
5011 20010327
5013 Speed up mailq (sendmail -bp) display by flushing output
5014 after each file. File: showq/showq.c.
5016 Portability: missing string.h includes, %p wants (void *),
5017 Lamont Jones, HP.
5019 20010328
5021 Bugfix: swapped logic caused cleanup to stall when the
5022 queue file size exceeded the file size limit by less than
5023 one the VSTREAM buffer size, so that the "file too big"
5024 was detected after flushing the last queue file record.
5025 File: cleanup/cleanup.c.
5027 20010329
5029 Portability: workaround for missing prototype problem in
5030 dict_ldap.c. This module should move to the global directory,
5031 because it depends on Postfix main.cf parameter information.
5033 Workaround: after sending a trigger message over a socket,
5034 do not immediately close the client side, but close it from
5035 a background thread that waits until the server closes the
5036 socket first. This avoids trouble with socket implementations
5037 that destroy a socket when the client closes a socket before
5038 the server has received the client's data. Files:
5039 util/{inet,unix,stream}_trigger.c, util/events.c,
5040 master/master_trigger.c, postkick/postkick.c.
5042 20010403
5044 Workaround: the mysql library can return null pointers
5045 rather than zero-length strings. File: util/dict_mysql.c.
5047 20010404
5049 Ergonomics: log additional information about the reason
5050 why "mail for XXX loops back to myself" when the local
5051 machine is the best MX host. File: smtp/smtp_addr.c.
5053 20010406
5055 Changed some noisy LDAP client warnings into optional
5056 logging. LaMont Jones, util/dict_ldap.c.
5058 20010411
5060 Bugfix: the SMTP server now replies with 550 instead of
5061 503 when it receives the DATA command without having received
5062 a valid recipient address. This is needed for the Sendmail
5063 client-side pipelining implementation. Problem reported by
5064 Lutz Jaenicke. File: smtpd/smtpd.c.
5066 Cleanup: shut up if chattr fails on Reiserfs and other file
5067 systems that do not support the respective attributes.
5068 Files: conf/postfix-script-{no,}sgid.
5070 20010413
5072 Ergonomics: Postfix applications now warn when a DB or DBM
5073 file is out of date, and recommend to rebuild the table.
5074 Files: util/dict_db.c, util/dict_dbm.c.
5076 20010414
5078 Feature: specify a key of "-" to the postmap or postalias
5079 -q or -d option, and the keys will be read from standard
5080 input, one key per line. Files: postmap/postmap.c,
5081 postalias/postalias.c.
5083 Bugfix: with a non-default inet_interfaces setting, the
5084 master ignored host information in master.cf host:port
5085 settings. Fix by Jun-ichiro itojun Hagino @ iijlab.net.
5086 Files: master/master.h, master/master_ent.c.
5088 20010426
5090 Bugfix: the SMTP server did not parse invalid MAIL FROM or
5091 RCPT TO addresses such as <first last <user@domain>> the
5092 way it was supposed to do. I thought this was taken care
5093 of years ago. File: smtpd/smtpd.c.
5095 20010427
5097 Bugfix: smtpd would reject mail instead of replying with
5098 a 4xx temporary error code when, for example, an LDAP or
5099 mysql server was unavailable. Remotely based on a fix by
5100 Robert Kiessling @ de.easynet.net. File: smtpd/smtpd_check.c.
5102 20010429
5104 Feature: the Postfix SMTP client now by default randomly
5105 shuffles destination IP addresses of equal preference.
5106 Specify "smtp_randomize_addresses = no" to disable.
5107 Shuffling code by Elias Levy @ SecurityFocus.com Files:
5108 dns/dns_rr.c, smtp/smtp_addr.c.
5110 20010501
5112 Bugfix: The SMTP server's 550 in reply to DATA should be
5113 a 554 response. And it wasn't Sendmail. Claus Assman.
5115 Bugfix: the INSTALL.sh test for non-interactive upgrade
5116 broke rooted installations that specify settings via the
5117 environment. Simon Mudd.
5119 Bugfix: mailq output is now really flushed one message at
5120 a time. File: sendmail/sendmail.c.
5122 Feature: "postsuper -d queueID" deletes one message queue
5123 file; "postsuper -d -" reads zero or more queue IDs from
5124 standard input, and deletes one instance of each file.
5125 File: postsuper/postsuper.c.
5127 Code cleanup: in order to make postsuper -d safe with a
5128 running Postfix mail system, some routines had to be made
5129 tolerant for sudden queue file disappearances. Files:
5130 global/deliver_request.c, *qmgr/qmgr_move.c.
5132 Code cleanup: in order to make postsuper -d more usable,
5133 the showq command was extended to safely list the possibly
5134 world-writable maildrop directory. File: showq/showq.c.
5136 20010504
5138 Feature: postsuper -d will also delete defer and bounce
5139 logfiles when the named queue file is found.
5141 20010505
5143 RFC 2821 feature: an SMTP server must reset all buffers
5144 upon receipt of EHLO. File: smtpd/smtpd_check.c.
5146 RFC 2821 feature: an SMTP server must accept a recipient
5147 address of "postmaster" without domain name. File:
5148 smtpd/smtpd_check.c.
5150 RFC 2821 recommendation: reply with 503 to commands sent
5151 after 554 greeting. File: smtpd/smtpd.c.
5153 RFC 2821 recommendation: if VRFY is enabled, list it in
5154 the EHLO response. File: smtpd/smtpd.c.
5156 RFC 2821 recommendation: SMTP clients should use EHLO.
5157 The default setting of smtp_always_send_ehlo has changed
5158 from 0 (send EHLO if server greets with ESMTP) to 1 (always
5159 send EHLO). In all cases, Postfix falls back to HELO if
5160 the server does not support EHLO. File: smtp/smtp_proto.c.
5162 20010507
5164 Bugfix: with soft_bounce=yes, the SMTP server would log
5165 5xx replies even though it would send 4xx replies to the
5166 client (Phil Howard, ipal.net). File: smtpd/smtpd_check.c.
5168 20010515
5170 Compatibility: Microsoft sends "AUTH=MBS_BASIC LOGIN".
5171 Updated the parsing code in smtp/smtp_proto.c. Problem
5172 reported by Ralf Tessmann, Godot GmbH.
5174 20010520
5176 Standard: deleted the non-standard "via" portion from
5177 Received: headers generated by Postfix bounce or other
5178 notification processes. File: global/post_mail.c.
5180 Robustness: eliminated stack-based recursion from the RFC
5181 822 address parser. File: global/tok822_parse.c.
5183 Standard: annotated the source code with comments based on
5184 RFC 2821 and 2822. Not all the RFC changes make sense.
5186 RFC 2821 recommendation: treat a RCPT 552 reply as if the
5187 server sent 452. Files: smtp/smtp_proto.c, lmtp/lmtp_proto.c.
5189 Cleanup: moved ownership of the debug_peer parameters from
5190 the applications to the library, so that a Postfix shared
5191 library does not suffer from undefined references. Files:
5192 smtp/smtp.c, lmtp/lmtp.c, smtpd/smtpd.c, global/mail_params.c.
5193 LaMont Jones, for Debian.
5195 20010522
5197 Feature: "postsuper -r queueID" re-queues a message, and
5198 "postsuper -r ALL" re-queues all mail. The message is moved
5199 to the maildrop queue so that the pickup daemon will copy
5200 it to a new queue file, and so that address rewriting will
5201 be done again. This is useful after changes of address
5202 rewriting or virtual mappings.
5204 Feature: "postsuper -d ALL [queue-name]" deletes a bunch
5205 of mail.
5207 20010523
5209 Feature: "postsuper -s" (which is done by default) renames
5210 queue files whose name (queue ID) does not match the message
5211 file inode number.
5213 Bugfix: memory leak in the LDAP client module. Alain
5214 Thivillon, France Teaser - Groupe Firstream.
5216 20010525
5218 Portability: gcc 2.6.3 does not have __attribute__ (Clive
5219 Jones, dgw.co.uk). File: util/sys_defs.h.
5221 Bugfix: the SMTP and LMTP clients claimed that a queue file
5222 needed to be delivered again (even when all recipients were
5223 erased from the queue file) when no QUIT or RSET reply was
5224 received (by default, this does not happen with SMTP mail
5225 because the SMTP client does not wait for QUIT replies and
5226 does not send RSET to deliver mail). As a result of the
5227 same bug the LMTP client followed a dangling pointer when
5228 sending QUIT after process idle timeout while the LMTP
5229 server had disconnected. Files: smtp/smtp_proto.c,
5230 lmtp/lmtp_proto.c.
5232 20010526
5234 newaliases no longer complains when an empty list is
5235 specified with the alias_database configuration parameter.
5236 File: sendmail/sendmail.c.
5238 20010529
5240 Workaround: old PIX firewall code messes up when the final
5241 ".<CR><LF>" at the end of DATA spans a packet boundary.
5242 When Postfix detects PIX SMTP fixup mode, Postfix flushes
5243 the output buffers before sending the final ".<CR><LF>".
5244 File: smtp/smtp_proto.c.
5246 20010530
5248 Portability: updated code for Mac OS X, accounting for the
5249 post-Beta changes. Code by Joe Block, UCF School of
5250 Optics/CREOL.
5252 20010601
5254 Safety: postdrop turns off interrupts when cleaning up
5255 after interrupt. The additional safety does not hurt anyone.
5256 File: src/postdrop/postdrop.c.
5258 20010607
5260 Safety: dropped the RFC 2821 compliant code that treats
5261 552 RCPT TO replies as 452. It created more problems than
5262 it solved. Files: smtp/smtp_proto.c, lmtp/lmtp_proto.c.
5264 Logging: the SMTP server now logs a warning if RBL lookups
5265 have problems other than "not found". file: smtpd/smtpd_check.c.
5267 20010610
5269 Feature: address quoting and case folding flags for the
5270 pipe(8) mailer.
5272 20010611
5274 Workaround: some MTAs fall on their face when they receive
5275 unexpectedly long lines. From now on, Postfix defaults to
5276 breaking long lines at 2048 (like Sendmail so it has got
5277 to be right). To get the old, content preserving, behavior
5278 specify "smtp_truncate_lines = no". File: smtp/smtp_proto.c.
5280 20010614
5282 Bugfix: did not really undo 2821 552->452 mapping.
5284 20010628
5286 Bugfix: postfix-script used a hard-coded maildrop group
5287 owner instead of using the install-time specified name
5288 stored in /etc/postfix/install.cf. Problem reported by
5289 David Terrell @ meat.net.
5291 20010701
5293 Feature: mail_spool_directory ending in / causes maildir
5294 style delivery.
5296 Bugfix: the FreeBSD kernel parameters kern.ipc.nmbclusters
5297 and kern.ipc.maxsockets cannot be set with sysctl commands.
5298 File: html/faq.html. Len Conrad @ Go2France.com.
5300 Cleanup: the virtual delivery agent was poorly integrated
5301 so that the SMTP server and queue manager did not reject
5302 mail for unknown users. Files: smtpd/smtpd_check.c.
5304 20010705
5306 Feature: QMQP server, compatible with qmail and the ezmlm
5307 list manager. Files: util/netstring.[hc], qmqpd/qmqpd*.c.
5309 20010706
5311 Feature: QMQP stress test message generator program. Files:
5312 smtpstone/qmqp-source.c, smtpstone/qmqp-sink.c.
5314 20010708
5316 Bugfix: with disable_dns=yes, the SMTP client treated all
5317 host lookup errors as permanent. File: smtp/smtp_addr.c.
5319 20010709
5321 Feature: VERP support, based on a patch by Peng Yong, and
5322 with the missing parts filled in so that the Postfix bounce
5323 daemon can send one VERP bounce per undeliverable recipient.
5324 Files: , sendmail/sendmail.c, smtpd/smtpd.c, qmgr/qmgr_deliver.c,
5325 bounce/bounce_notify_verp.c, qmqpd/qmqpd.c, plus a couple
5326 support routines in the global library.
5328 Cleanup: with recipient_delimiter=+ (or any character other
5329 than -) Postfix will now recognize address extensions even
5330 with owner-foo+extension addresses. This is necessary to
5331 make VERP work for mailing lists.
5333 20010710
5335 Bugfix: potential memory leak in the queue managers with
5336 the new VERP delimiter record. Fix by Patrik Rak.
5338 20010711
5340 Cleanup: you can now specify the VERP delimiter characters
5341 on the sendmail(1) command line, but they are still optional.
5343 Safety: with maildir style delivery and with hashed mailboxes
5344 the system mail spool directory must not be world writable.
5346 20010713
5348 Safety: the verp_delimiter_filter parameter (default: -=+)
5349 limits what characters Postfix accepts as VERP delimiter
5350 characters.
5352 20010714
5354 Logging: the queue manager now logs a "status=expired"
5355 record when it returns a message that is too old. Files:
5356 *qmgr/qmgr_active.c.
5358 20010719
5360 Feature: stiffer coupling between mail receiving rates and
5361 mail delivery rates, using a trivial token-based scheme,
5362 implemented by reading and writing an in-memory pipe. The
5363 queue manager produces one token when it retrieves mail
5364 from the incoming queue. The cleanup daemon consumes one
5365 token when it adds mail to the incoming queue. If no token
5366 is available the cleanup server pauses for $in_flow_delay
5367 seconds and proceeds anyway. The delay allows mail sending
5368 process to catch up and access the disk while not blocking
5369 inbound mail. Valid delays are 0..10 seconds.
5371 20010727
5373 Bugfix: updated LDAP client module from LaMont Jones, HP.
5374 This also introduces new LDAP query filter patterns: %u
5375 (address localpart) and %d (domain part). Files:
5376 conf/sample-ldap.cf, util/dict_ldap.c.
5378 20010729
5380 Bugfix: recursive smtpd_whatever_restrictions clobbered
5381 intermediate results when switching between sender and
5382 recipient address restrictions. Problem found by Victor
5383 Duchovni, morganstanley.com. In order to fix, introduced
5384 address resolver result caching, which should also help to
5385 speed up sender/recipient address restriction processing.
5387 Bugfix: the not yet announced DUNNO access table lookup
5388 result did not prevent lookups with substrings of the same
5389 lookup key. Found by Victor Duchovni, morganstanley.com.
5391 20010730
5393 Robustness: trim trailing whitespace from regexp and pcre
5394 right-hand sides, for consistency with DB/DBM tables.
5395 Files: util/dict_pcre.c, util/dict_regexp.c.
5397 20010731
5399 Robustness: eliminate duplicate IP addresses after expansion
5400 of hostnames in $inet_interfaces, so that Postfix does not
5401 suddenly refuse to start up after someone changes the DNS.
5402 Files: util/inet_addr_list.c global/own_inet_addr.c.
5404 Feature: specify "disable_verp_bounces = yes" to have
5405 Postfix send one RFC-standard, non-VERP, bounce report for
5406 multi-recipient mail, even when VERP style delivery was
5407 requested.
5409 20010801
5411 Bugfix: postconf was using unexpanded values internally
5412 for myhostname, inet_interfaces, and mynetworks_style.
5413 This broke the "postconf -d" mynetworks computation. File:
5414 postconf/postconf.c.
5416 20010803
5418 Feature: masquerade_classes parameter for fine control of
5419 address masquerading. The default setting is backwards
5420 compatible: envelope_sender header_sender header_recipient.
5421 Files: cleanup/whatever.c.
5423 20010822
5425 Code cleanup: the bounce daemon complained about data that
5426 it was not going to send back anyway. Fix: stop reading
5427 the original message when the bounce message reaches the
5428 bounce message size limit. File: bounce/bounce_notify_util.c.
5430 20010826
5432 Logging: postsuper now logs the queue ID when it requeues
5433 a message, or when it deletes a message from the mail queue.
5434 File: postsuper/postsuper.c.
5436 20010830
5438 Safety: the SMTP server now sends a 4xx (try again later)
5439 response when an UCE restriction is misconfigured, instead
5440 of ignoring the bad restriction and possibly accepting mail
5441 that it should not accept. File: smtpd/smtpd_check.c.
5443 20010907
5445 Workaround: the Postfix qmqp-source program produced mail
5446 not ending in newline. qmail-qmqpd accepts such mail, but
5447 qmail-remote is unable to deliver it. Matthias Andree,
5448 uni-dortmund.de. File: smtpstone/qmqp-source.c.
5450 20010910
5452 Bugfix: the smtp-sink stress test program broke when RCPT
5453 TO commands crossed network packet boundaries. Problem
5454 reported by Matthias Andree, uni-dortmund.de. File:
5455 smtpstone/smtp-sink.c.
5457 20010917
5459 Code cleanup: permit_mx_backup implements the old behavior
5460 (accept mail if the local MTA is MX relay), and allows an
5461 additional restriction via the permit_mx_backup_networks
5462 parameter (accept mail only if the primary MX hosts match
5463 the specified list of network blocks). This second restriction
5464 is now entirely optional, for backwards compatibility.
5466 Bugfix: an address extension could be appended multiple
5467 times to the result of a canonical or virtual map lookup.
5468 File: global/mail_addr_map.c. Fix by Victor Duchovni,
5469 Morgan Stanley.
5471 Bugfix: split_addr() would split an address even when there
5472 was no data before the recipient delimiter. In combination
5473 with the above bug, this could cause an address to grow
5474 exponentially in size. Problem reported by Victor Duchovni,
5475 Morgan Stanley. File: global/split_addr.c.
5477 20010918
5479 Bugfix: the mail_addr_map() fix was almost but not quite
5480 right. It took two clever people and several iterations of
5481 email to really fix the mail_addr_map() problem. Thanks
5482 to Victor Duchovni and Liviu Daia.
5484 20011006
5486 Cleanup: Postfix no longer flushes the whole deferred queue
5487 after an ETRN request for a random domain name (i.e. a
5488 domain name not matched by $fast_flush_domains); the SMTP
5489 server instead replies with "459 service unavailable".
5490 Files: smtpd/smtpd.c, global/flush_clnt.c, flush/flush.c.
5492 20011008
5494 Bugfix: there was a minute memory leak when an smtpd access
5495 restriction was misconfigured. File: smtpd/smtpd_check.c.
5497 20011010
5499 Code cleanup: Postfix daemons now print the name of the
5500 UNIX-domain socket (instead of "unknown stream") in case
5501 of a malformed client request. Files: master/*server.c.
5503 20011010-14
5505 Code cleanup: replaced the ugly mail_print() and mail-scan()
5506 protocols by (name,value) attribute lists. This gives better
5507 error detection when we make changes to internal protocols,
5508 and allows new attributes to be introduced without breaking
5509 everything immediately. Files: util/attr_print.c util/attr_scan.c
5510 global/mail_command_server.c global/mail_command_client.c
5511 as wel as most Postfix applications and daemons.
5513 20011015
5515 Put base 64 encoding into place on the replaced internal
5516 protocols. Files: util/base64_code.[hc].
5518 Feature: header/body REJECT rules can now provide text that
5519 is sent to the originator. Files: cleanup/cleanup.c,
5520 cleanup/cleanup_message.c, conf/sample-filter.cf.
5522 20011016
5524 Bugfix: As of 20000625, Errors-To: was broken, because the
5525 code to extract the address was not moved from recipient
5526 address rewriting to sender address rewriting. Problem
5527 reported by Roelof Osinga @ nisser.com. File:
5528 cleanup/cleanup_message.c.
5530 20011029
5532 Bugfix: virtual map expansion terminated early because the
5533 detection of self-referential entries was flawed. File:
5534 cleanup/cleanup_map1n.c.
5536 20011031
5538 Bugfix: mail_date() mis-formatted negative time zone offsets
5539 with fractional hours (-03-30 instead of -0330). Fix by
5540 Chad House, greyfirst.ca. File: global/mail_date.c.
5542 20011102
5544 Feature: new -f option to postmap and postalias (do not
5545 lowercase the lookup key while creating a table). Files:
5546 util/dict.h postmap/postmap.c postalias/postalias.c.
5548 Code cleanup: simplified the attribute print/scan routines,
5549 and removed the never-used support for sending and receiving
5550 integer arrays and string arrays. Files: util/attr_print.c,
5551 util/attr_scan.c.
5553 Bugfix: qmqpd could read past the end of a string while
5554 looking for qmail's VERP magic token in the envelope sender
5555 address. File: qmqpd/qmqpd.c.
5557 Code cleanup: finished testing the new internal protocols.
5558 The only bug was with the flush server, which still needs
5559 to support the old (string + null byte) protocol for triggers
5560 from the Postfix master daemon.
5562 20011103
5564 Bugfix: Postfix would log the wrong error text when locally
5565 submitted mail was deferred due to "soft_bounce = yes".
5567 Bugfix: The LDAP client dropped any entries that don't have
5568 the result_attribute, but errored out when a DN didn't
5569 exist. The behavior is now consistent: treat non-existant
5570 DN's in a special result attribute expansion the same as
5571 DN's with no attribute. LaMont Jones, HP.
5573 20011104
5575 Bugfix: the new smtp-sink -n option (terminate after the
5576 specified number of deliveries) wasn't optional.
5578 Portability: updated Mac OS X documentation and install
5579 scripts by Gerben Wierda.
5581 20011105
5583 Bugfix: missing terminator in new attribute-based function
5584 call caused signal 11. File: src/cleanup/cleanup.c.
5586 Lame workaround for ESTALE errors with mail delivery over
5587 NFS. Additional bandages were added to the local delivery
5588 agent. However, Wietse maintains that Postfix offers no
5589 guarantee for reliable delivery over NFS.
5591 Feature: put "warn_if_reject" before an smtpd restriction,
5592 and that restriction logs warnings without rejecting mail.
5593 This makes it easier to test configurations "live" without
5594 having to lose mail. File: smtpd/smtpd_check.c.
5596 20011107
5598 Workaround: in order to get mail past PIX firewall bugs,
5599 the Postfix SMTP client now blocks until the socket send
5600 buffer is empty before sending the final ".<CR><LF>". Files:
5601 util/sock_empty_wait.c, smtp/smtp_proto.c. Changed into
5602 sleep(10) on 20011119. Sleep suggested by Hobbit.
5604 20011108
5606 Feature: added string-null encoding for internal protocols.
5607 Files: util/attr_print0.c, util/attr_scan0.c.
5609 Feature: configurable parent domain matching for domain
5610 and hostname/address match lists: either .domain or the
5611 domain name itself. Files: util/match_ops.c util/match_list.c
5613 Feature: added pretend-to-be-behind-PIX mode to the smtp-sink
5614 test program, in order to stress test some PIX bug workaround
5615 code.
5617 20011109
5619 Workaround: Linux and Solaris systems have no reasonable
5620 way to block until a socket drains. On these systems Postfix
5621 simply waits for 10 seconds, in order to work around PIX
5622 ".<CR><LF>" bugs. File: util/sock_empty_wait.c.
5624 20011114
5626 Bugfix: reset the smtpd command transaction log between
5627 deliveries. File: smtpd/smtpd.c.
5629 20011115
5631 Feature: mailbox_command_maps no longer requires that every
5632 user has an entry. If the user does not have a command
5633 entry, the local delivery agent tries the other delivery
5634 methods (mailbox_command, home_mailbox). File: local/mailbox.c.
5636 Bugfix: reset the smtpd command transaction log between
5637 non-deliveries. File: smtpd/smtpd.c.
5639 20011116
5641 Bugfix: consolidated all the command transaction log resets
5642 and eliminated one missing reset (Victor Duchovni, Morgan
5643 Stanley). File: smtpd/smtpd.c.
5645 20011118
5647 Cleanup: replaced unnecessary match_list wrapper code by
5648 macros. Files: global/{string,domain,namadr}_list.[hc].
5650 20011119
5652 Feature: configurable parent domain matching strategy for
5653 transport map lookups. File: trivial-rewrite/transport.c.
5655 New parent_domain_matches_subdomains parameter. This lists
5656 all the Postfix features where a domain name matches itself
5657 and all its subdomains (instead of requiring ".domain.name"
5658 for subdomain matches). Planning for future backwards
5659 compatibility :-) File: global/match_parent_style.c.
5661 Workaround: simplified the PIX ".<CR><LF>" bug to always
5662 sleep for 10 seconds. File: smtp/smtp_proto.c.
5664 20011120
5666 Workaround: disable attribute string length restriction so
5667 that trivial-rewrite does not refuse to rewrite broken mail
5668 headers. Files: util/attr_scan*.c.
5670 20011121
5672 Bugfix: missing long integer support in the new IPC protocols.
5673 Files: util/attr_scan*.c, util/attr_print*.c.
5675 Portability: AIX5 (Adrian P. van Bloois), MAC OS X 10.1.1
5676 (Gerben Wierda).
5678 20011125
5680 Bugfix: spurious postmaster notifications because some flag
5681 was not reset.
5683 Feature: new parameter smtpd_sender_login_maps that specifies
5684 the (SASL) login name that owns a MAIL FROM address.
5685 Specify a regexp table in order to require a simple one-to-one
5686 mapping. This is used in the reject_sender_login_mismatch
5687 sender anti-spoofing feature.
5689 Feature: restriction reject_sender_login_mismatch refuses
5690 a MAIL FROM address when $smtpd_sender_login_maps specifies
5691 an owner but the client is not (SASL) logged in as the MAIL
5692 FROM address owner, or when a client is (SASL) logged in
5693 but the client login name does not own the MAIL FROM address
5694 according to $smtpd_sender_login_maps. File: smtpd/smpd_check.c.
5696 Documentation: added some redundancy to the LMTP_README
5697 file so people can keep track of the difference between
5698 the Postfix LMTP client and the non-Postfix LMTP server.
5700 20011126
5702 Feature: smtpd_noop_commands specifies a list of commands
5703 that are treated as NOOP (no operation) commands, without
5704 syntax check or state change. File: smtpd/smtpd.c.
5706 Bugfix: the "mark queue file as corrupt" code did not work
5707 because it was never used. Files: global/mark_corrupt.c,
5708 global/mail_copy.c, global/pipe_command.c, *qmgr/qmgr_active.c,
5709 local/maildir.c, local/mailbox.c, local/command.c, pipe/pipe.c,
5710 virtual/mailbox.c, virtual/maildir.c.
5712 Bugfix: the bounce daemon broke in the unlikely case of a
5713 non-existing queue file. File: bounce/bounce_notify_util.c.
5715 20011127
5717 Feature: added WARN command to header/body_checks files as
5718 proposed by Michael Tokarev. File: cleanup/cleanup_message.c.
5720 Bugfix: the postdrop program was broken after the change
5721 of Postfix internal protocols. This broke "sendmail -bs"
5722 mail submissions with "secure" maildrop directory. Reported
5723 by Craig Loomis, apo.nmsu.edu. File: postdrop/postdrop.c.
5725 Feature: a first start at fault injection for testing
5726 unlikely error scenarios (such as corrupt queue files).
5727 Parameter: fault_injection_code, must be left at zero for
5728 production use.
5730 20011128
5732 Robustness: add a file size limit to the sendmail and
5733 postdrop submission programs to stop run-away process
5734 accidents. This is not a defense against DOS attack. Files:
5735 sendmail/sendmail.c, postdrop/postdrop.c.
5737 That resulted in a considerable amount of work to properly
5738 propagate "file too large" conditions back to the sendmail
5739 mail posting user interface. Took the opportunity to express
5740 other mail submission fatal exits with the <sysexits.h>
5741 exit status codes. Files: sendmail/sendmail.c,
5742 postdrop/postdrop.c.
5744 20011129
5746 Maintenance: dict_ldap.c wasn't updated after the revision
5747 of the string matching routines. File: util/dict_ldap.c.
5749 20011208
5751 Maintenance: LDAP module and documentation from LaMont
5752 Jones. This version adds verbose logging for LDAP library
5753 routines. Files: src/util/dict_ldap.[hc], LDAP_README,
5754 conf/sample-ldap.cf
5756 Portability: made memory alignment restrictions configurable.
5757 File: util/mymalloc.c.
5759 Bugfix? Avoid surprises with source routed destinations
5760 and OK entries in SMTPD access maps. File: smtpd/smtpd_access.c.
5762 Security: "postfix check" looks for damage by well-intended
5763 but misguided use of "chown -R postfix /var/spool/postfix".
5764 That would make chrooted Postfix less secure than non-chrooted
5765 Postfix. These extra tests may cause complaints with
5766 third-party patches such as TLS that introduce their own
5767 files into the jail.
5769 Feature: static map type that always returns the map name
5770 as lookup value, regardless of lookup key value. Contributed
5771 Jeff Miller (jeffm at ghostgun.com)
5773 Feature: turn off the PIX <CR><LF>.<CR><LF> workaround for
5774 the first mail delivery attempt, i.e. when mail is queued
5775 for less than $smtp_pix_workaround_threshold_time (default:
5776 500) seconds. New parameter $smtp_pix_workaround_delay_time
5777 to control the delay before sending .<CR><LF> (default: 10
5778 seconds) when doing the PIX <CR><LF>.<CR><LF> workaround.
5780 20011210
5782 Bugfix: the 20011128 change in sendmail and postdrop did
5783 not handle the case of message_size_limit=0. Fix by Will
5784 Day, Georgia Tech.
5786 20011212
5788 Compatibility: The SMTP server now accepts <CR><CR><LF> as
5789 if the client sent <CR><LF>. Reportedly, some badly written
5790 windows software produces such garbage, and some badly
5791 written windows anti-VIRUS software cannot handle such
5792 garbage. File: global/smtp_stream.c.
5794 20011214
5796 Bugfix: postmap/postalias queries ignored the -f flag.
5797 Reported by Hamish Marson.
5799 20011217
5801 Compatibility: Sendmail now has a -L option to set the
5802 syslogging label. Postfix sendmail uses syslog_name instead,
5803 and ignores the -L option.
5805 Security: subtle hardening of the Postfix chroot jail,
5806 Postfix queue file permissions and access methods, in case
5807 someone compromises the postfix account. Michael Tokarev,
5808 who received the insights from Solar Designer, who tested
5809 Postfix with a kernel module that is paranoid about open()
5810 calls. Files: master/master_wakeup.c, util/fifo_trigger.c,
5811 postfix-script.
5813 Convenience: issue a warning instead of aborting when the
5814 local machine name is not in fully-qualified domain form.
5815 This would otherwise break initial postfix installation
5816 which needs the postconf command. File: global/mail_params.c.
5818 20011220
5820 Added more garbage detection to postconf -e input processing.
5822 20011221
5824 Feature: SMTPD access map lookups of null sender addresses.
5825 If your access maps cannot store or look up null string
5826 key values, specify "smtpd_null_access_lookup_key = <>"
5827 and the null sender address will be looked up as <> instead.
5828 File: src/smtpd_access.c.
5830 20011223
5832 Safety: configuration file comments no longer span multiple
5833 lines when the next line begins with whitespace; multi-line
5834 input is no longer terminated by a comment line, by an all
5835 white space line, or by an empty line. Michael Tokarev made
5836 the crucial suggestion to simplify the readline routine.
5837 Files: util/readlline.c, postconf/postconf.c.
5839 Cleanup: proper detection of big number overflow in EHLO
5840 and MAIL FROM size announcements, with input from Victor
5841 Duchovni, Morgan Stanley. Files: global/off_cvt.c,
5842 smtpd/smtpd.c, smtp/smtp_proto.c, util/alldig.c.
5844 Forward compatibility: added queue file record types for
5845 original recipient and for generic named attributes.
5847 Cleanup: safe_open() now returns sensible errno values so
5848 that the fifo_trigger() external interface is restored.
5850 20011225
5852 Upgrade: PCRE_README now describes PCRE version 3.x.
5854 Cleanup: flush SMTPD command history upon receipt of EHLO,
5855 RSET, and upon DATA completion, only if it exceeds
5856 $smtpd_history_flush_threshold lines (default: 100).
5857 Distant derivative of code by Michael Tokarev. File:
5858 smtpd/smtpd.c.
5860 20011228
5862 Bugfix: a readlline() error message showed less text than
5863 intended. Christian von Roques.
5865 Cleanup: postfix now installs with group-writable maildrop
5866 directory and with a set-gid postdrop mail submission
5867 command. The pickup service is now unprivileged. The
5868 world-writable maildrop directory no longer exists.
5870 The cleanup service is now public, in preparation for local
5871 sendmail/postdrop mail submission that avoids the maildrop
5872 queue directory while Postfix is up.
5874 Cleanup: moved the main.cf/master.cf file editing from the
5875 postfix-script file to the INSTALL.sh file.
5877 Cleanup: INSTALL.sh no longer accepts "no" as the destination
5878 of Postfix manual pages.
5880 20011230
5882 Cleanup: the code for "mailq", "sendmail -q", and for
5883 "sendmail -qRsite" was moved from the sendmail command to
5884 a new set-gid postqueue command. The pickup and qmgr FIFOs
5885 are no longer world writable. Files: sendmail/sendmail.c,
5886 postqueue/postqueue.c.
5888 20020101
5890 Security: new alternate_config_directories parameter that
5891 specifies what directories a set-gid command will accept
5892 as its configuration directory. The list must be specified
5893 in the default main.cf file. File: global/mail_conf.c.
5895 Cleanup: "sendmail -qRsite" is no longer implemented by
5896 connecting to the SMTP port. It is now implemented by
5897 talking to the fast flush service. File: postqueue/postqueue.c.
5899 20020203
5901 Cleanup: INSTALL.sh now records all installation information
5902 in the main.cf file. The now obsolete install.cf file is
5903 used only when upgrading from an older Postfix release.
5905 Cleanup: INSTALL.sh now takes name=value settings on the
5906 command line, and has a new "-upgrade" command line option
5907 to turn on non-interactive installation.
5909 Security: additional run-time checks to discourage sharing
5910 of Postfix user/group ID values with other accounts.
5912 20020105
5914 Cleanup: SMTPD access maps now return DUNNO (undetermined)
5915 instead of OK when a recipient address contains multiple
5916 domains (user@dom1@dom2, etcetera). Victor Duchovni, Morgan
5917 Stanley. File: smtpd/smtpd_check.c.
5919 20020106
5921 Bugfix: SMTPD access maps did not handle address extensions.
5922 File: smtpd/smtpd_check.c.
5924 20020107
5926 Bugfix: postfix-script, when creating a missing maildrop
5927 queue directory, still referenced install.cf when setting
5928 maildrop directory group ownership; and the postfix command
5929 did not export the setgid_group parameter to the postfix-script
5930 shell script. Victor Duchovni.
5932 Bugfix: postfix-script, when creating a missing public
5933 queue directory, did not set group ownership of the public
5934 directory.
5936 20020109
5938 Cleanup: rewrote the Postfix installation procedure again.
5939 It is now separated into 1) a primary installation script
5940 (postfix-install) that installs files locally or that builds
5941 a package for distribution and that stores file owner and
5942 permission information in /etc/postfix/post-files, and 2)
5943 a post-installation script (/etc/postfix/post-install) that
5944 creates missing directories, that sets file/directory
5945 ownership and permissions, and that upgrades existing
5946 configuration files if necessary.
5948 20020110
5950 Workaround: AIX null read() return on an empty but open
5951 non-blocking pipe. File: master/master_flow.c. Report:
5952 Hamish Marson.
5954 20020111
5956 Feedback: feedback, bugfixes, and brain-dead shell workarounds
5957 for the install scripts by Victor Duchovni and Simon Mudd.
5959 20020113
5961 Rewrote postfix-install. The postfix-files file now controls
5962 what is installed. Refined the semantics of many post-install
5963 operations. post-install now auto-saves settings that
5964 override main.cf.
5966 20020114
5968 Bugfix: alternate_config_directories did not take comma or
5969 whitespace as separators. File: global/mail_conf.c. Victor
5970 Duchovni, Morgan Stanley.
5972 Bugfix: the rewritten postfix-install script did not chattr
5973 +S the Postfix queue.
5975 20020115
5977 Cleanup: added sample_directory and readme_directory
5978 installation parameters for sample configuration files and
5979 for README files. Files: postconf.c, postfix-install,
5980 conf/postfix-files, conf/post-install.
5982 Robustness: the postfix command now exports all installation
5983 parameter settings, and input filters the environment, so
5984 that the startup shell scripts produce a consistent result.
5985 Files: postconf.c.
5987 20020117
5989 Portability: patch from LaMont Jones for compiling dict_ldap.c
5990 with the Netscape SDK.
5992 Feature: added "r" (recursive chown/chgrp) flag to the
5993 postfix-files database, for more convenient change of
5994 Postfix queue ownership. Files: conf/postfix-files,
5995 conf/post-install.
5997 20020122
5999 Documentation: lots of little fixes.
6001 Documentation: updates for the VIRTUAL_README file by Victor
6002 Duchovni, Morgan Stanley.
6004 Bugfix: postqueue -s dereferenced a null pointer when given
6005 a numerical domain argument. LaMont Jones, HP.
6007 Cleanup: smtpd now logs a warning when permit_sasl_authenticated
6008 is used while SASL authentication is disabled, instead of
6009 simply ignoring the restriction. LaMont Jones, HP. File:
6010 smtpd/smtpd.c.
6012 Safety: when postmap creates a non-existent file, the new
6013 file inherits group/other read permissions from the source
6014 file. Based on code by LaMont Jones, HP. File:
6015 postmap/postmap.c.
6017 20020123
6019 Portability: some Linux systems install libnsl.so without
6020 libnsl.a file, causing an yp_match undefined reference
6021 problem. File: makedefs.
6023 20020124
6025 Portability: post-install now requests that command_directory
6026 is given on the command line when the postconf command is
6027 in an unusual place.
6029 Safety: extra code to detect and report Berkeley DB version
6030 mismatches between compile time and run time. This test
6031 is limited to mismatches in the major version number only.
6032 File: util/dict_db.c. Based on code by Lawrence Greenfield,
6033 Carnegie-Mellon university.
6035 Safety: the postfix command and the master daemon abort if
6036 they are running set-uid.
6038 Documentation: the postmap manual page described an out of
6039 date input file format.
6041 20020129
6043 Workaround: SCO version 3.2 can't ioctl(FIONREAD) a pipe.
6044 Therefore, input mail flow control is disabled by default.
6045 Files: makedefs, global/mail_params.h, conf/main.cf.
6046 Problem reported by Kurt Andersen, Agilent.
6048 20020201
6050 Workaround: changed the default smtpd_null_access_lookup_key
6051 setting to <>, because some Bezerkeloid DB implementations
6052 can't handle null-length lookup keys. File: global/mail_params.h.
6054 Bugfix: backed out a null-length address panic call by
6055 ignoring the problem, like Postfix did in the past. File:
6056 global/resolve_local.c.
6058 Safety: "postfix check" will now warn if /usr/lib/sendmail
6059 and /usr/sbin/sendmail differ, and will propose to replace
6060 one by a symlink to the other. File: conf/postfix-script.
6062 20020204
6064 Sanity: additional permission checks for "postfix check"
6065 that warn for setgid_group group ownership mismatches. by
6066 Matthias Andree, uni-dortmund.de. File: conf/postfix-script.
6068 Bugfix: "postfix check" used a too simplistic way to
6069 recognize file ownership (grepping ls output). It now uses
6070 the recently discovered "find -prune". Peter Bieringer,
6071 Matthias Andree. File: conf/postfix-script.
6073 20020218
6075 Workaround: log a warning and disconnect when an SMTP client
6076 ignores our negative replies and starts sending message
6077 content without permission. File: smtpd/smtpd.c.
6079 20020220
6081 Bugfix: mismatch in the file being locked by dict_dbm and
6082 the file being locked by postmap, so that locks did not
6083 work correctly. Victor Duchovni, Morgan Stanley.
6085 20020222
6087 Workaround: Solaris bug 4380626: strcasecmp() and strncasecmp()
6088 produce incorrect results with 8-bit characters. For example,
6089 non-ASCII characters could compare equal to ASCII characters,
6090 and that could result in any number of security problems.
6091 Files: util/strcasecmp.c, COPYRIGHT (the BSD license).
6093 Bugfix: off-by-one error, causing a null byte to be written
6094 outside dynamically allocated memory in the queue manager
6095 with addresses of exactly 100 bytes long, resulting in
6096 SIGSEGV on systems with an "exact fit" malloc routine.
6097 Experienced by Ralf Hildebrandt; diagnosed by Victor
6098 Duchovni. Files: *qmgr/qmgr_message.c. This is not a
6099 security problem.
6101 Bugfix: make all recipient comparisons transitive, because
6102 Solaris qsort() causes SIGSEGV errors otherwise. Victor
6103 Duchovni, Morgan Stanley. File: *qmgr/qmgr_message.c.
6105 20020302
6107 Bugfix: don't strip source route (@domain...:) when the
6108 result would be an empty address. This avoids problems when
6109 append_at_myorigin is set to "no" (which is not supported).
6110 Problem reported by Charles McColgan, Big Fish Communications.
6111 File: trivial-rewrite/rewrite.c.
6113 20020304
6115 Cleanup: postqueue should not not complain when output
6116 fails with "broken pipe".
6118 20020308
6120 Bugfix? reply with 550 not 552 when content is rejected.
6121 552 is reserved for "too much mail".
6123 Documentation: add note to sendmail manual page that running
6124 "sendmail -bs" as $mail_owner enables SMTP server UCE and
6125 access control checks. This is meant for use from inetd
6126 etc. Matthias Andree.
6128 20020311
6130 Bugfix: DBM maps should use different files for locking
6131 and for change detection. Problem reported by Victor
6132 Duchovni, Morgan Stanley. Files: util/dict.h util/dict.c
6133 util/dict_db.c util/dict_dbm.c global/mkmap.c local/alias.c.
6135 20020313
6137 Bugfix: mailq could show addresses with unusual characters
6138 twice. Problem reported by Victor Duchovni, Morgan Stanley.
6139 File: showq/showq.c.
6141 Bugfix: null recipients weren't properly recorded in
6142 bounce/defer logfiles. Such recipient addresses are not
6143 accepted in SMTP mail, but they could appear within locally
6144 submitted mail. File: bounce/bounce_append_service.c.
6146 20020318
6148 Workaround: Berkeley DB can't handle null key lookups,
6149 which happen with HELO names ending in ".". Victor Duchovni,
6150 Morgan Stanley. File: smtpd/smtpd_check.c.
6152 Logging: log a hint when mail is deferred because the
6153 soft_bounce parameter is set. People sometimes forget to
6154 turn it off. File: global/bounce.c.
6156 20020319
6158 Cleanup: add a msg_warn() call when fork() fails in
6159 pipe_command(), to make problems easier to investigate.
6160 Chris Wedgwood. File: global/pipe_command.c.
6162 20020320
6164 Feature: smtp_helo_name parameter to specify the hostname
6165 or [ip.address] in HELO or EHLO commands. Files: smtp/smtp.c
6166 smtp/smtp_proto.c.
6168 20020324
6170 Cleanup: more graceful handling of long physical message
6171 header lines upon input. Physical header lines can now
6172 extend up to $header_size_limit characters. When a logical
6173 message header is too long, the excess text is discarded
6174 and Postfix no longer switches to body mode, to avoid
6175 breaking MIME encapsulation. Based on code by Victor
6176 Duchovni, Morgan Stanley. Files: cleanup/cleanup_out.c,
6177 cleanup/cleanup_message.c.
6179 Cleanup: more graceful handling of long physical message
6180 header or body lines upon output by the SMTP client. The
6181 SMTP client output line length is controlled by a new
6182 parameter smtp_line_length_limit (default: 990; specify 0
6183 to disable the limit). Long lines are folded by inserting
6184 <CR> <LF> <SPACE>, to avoid breaking MIME encapsulation.
6185 Based on code by Victor Duchovni, Morgan Stanley. File:
6186 smtp/smtp_proto.c.
6188 20020325
6190 Cleanup: allow additional text after a WARN command in a
6191 header/body_checks pattern file, so that one can change
6192 REJECT+text into WARN+text and vice versa. Based on code
6193 by Fredrik Thulin, Stockholm University.
6195 Cleanup: log a warning when an unknown command is found in
6196 a header/body_checks pattern file, or when additional text
6197 is found after a command that does not expect additional
6198 text. Based on code by Fredrik Thulin, Stockholm University.
6200 Bugfix: sendmail should not recognize "." as the end of
6201 input when the current read operation started in the middle
6202 of a line. Victor Duchovni, Morgan Stanley. File:
6203 sendmail/sendmail.c.
6205 20020328
6207 Portability fix for OPENSTEP and NEXTSTEP by Gerben Wierda.
6208 File: util/sys_defs.h.
6210 20020329
6212 Bugfix: defer_transports broke because the flush server
6213 triggered mail delivery (as if ETRN was sent) while doing
6214 some internal housekeeping of per-destination logfiles.
6215 Problem experienced by LaMont Jones, HP. File: flush/flush.c.
6217 Bugfix: virtual mapping broke for addresses with embedded
6218 whitespace. Fix by Victor Duchovni, Morgan Stanley. File:
6219 cleanup/cleanup_map1n.c.
6221 Feature: configurable service name for the internal services:
6222 bounce, cleanup, defer, error, flush, pickup, queue, rewrite,
6223 showq. This allows you to specify, for example, a non-default
6224 cleanup service (smtpd -o cleanup_service_name=alt_cleanup).
6225 Files: global/mail_params.[hc].
6227 Feature: SASL version 2 support by Jason Hoos. Files:
6228 */*_sasl_glue.c, SASL_README, conf/sample-auth.cf.
6230 20020330
6232 Bugfix: postqueue did not pass on non-default configuration
6233 directory settings when running showq while the mail system
6234 is down. The super-user is now exempted from environment
6235 stripping in postqueue/postqueue.c. Problem reported by
6236 Victor Duchovni, Morgan Stanley.
6238 20020402
6240 Workaround: recognize more headers that are sent instead
6241 of SMTP commands. File: smtpd/smtpd.c.
6243 20020413
6245 Feature: new pipe delivery agent "D" flag to prepend a
6246 Delivered-To: message header. This requires single recipient
6247 deliveries. Based on code by Matthias Andree. File:
6248 pipe/pipe.c.
6250 20020414
6252 Portability: Postfix will no longer attempt to build with
6253 gdbm support, because gdbm is broken. File: makedefs.
6255 20020415
6257 Cleanup: the attribute list IPC code did not distinguish
6258 between "disconnect" and "timeout" while reading an attribute
6259 list, making trouble shooting more difficult than necessary.
6260 Files: util/attr_scan0.c, util/attr_scan64.c.
6262 Cleanup: install parameter defaults can now be overruled
6263 from makedefs: sendmail_path, mailq_path, newaliases_path,
6264 command_directory, daemon_directory. Based on code by Victor
6265 Duchovni, Morgan Stanley. File: util/sys_defs.h.
6267 20020411
6269 Cleanup: Use more robust quoting passing makedefs/Makefile
6270 settings. This also simplifies the seven backslashes example
6271 in the INSTALL file. Victor Duchovni, Morgan Stanley.
6272 Files: makedefs, INSTALL.
6274 20020417
6276 Bugfix: the post-install script failed to upgrade master.cf
6277 settings from private to public if the service was explicitly
6278 configured as private.
6280 20020418
6282 Documentation: added CPU saving patterns for quickly skipping
6283 base 64 encoded text in message bodies. Liviu Daia. Files:
6284 {proto,conf}/pcre_table, {proto,conf}/regexp_table,
6285 conf/sample_{regexp,pcre}_body.cf.
6287 20020426
6289 Bugfix: the SMTP client forgot to quote whitespace etc.
6290 in a sender/recipient address when DNS lookup was turned
6291 off (disable_dns_lookups = yes). Problem experienced by
6292 Chip Paswater. Files: smtp/smtp_proto.c.
6294 20020501
6296 Feature: wildcard lookup in transport maps (lookup key
6297 "*"). Code developed with Lamont Jones, HP.
6299 Feature: a null transport:destination transport map entry
6300 means proceed as if the transport map lookup failed. Code
6301 developed with Lamont Jones, HP.
6303 Feature: more efficient use of cache memory when a process
6304 opens multiple Berkeley DB tables; and faster performance
6305 creating large tables by using more buffer memory. Files:
6306 util/dict_db.[hc], global/mkmap_db.c. Victor Duchovni,
6307 Morgan Stanley.
6309 20020503
6311 Cleanup: postqueue silently ignored command-line arguments
6312 following -p or -f options, instead of complaining; postqueue
6313 produced an incorrect error message (mail system down) when
6314 the command was installed with incorrect privileges. File:
6315 postqueue/postqueue.c.
6317 Bugfix: while reporting a domain name or IP address syntax
6318 error, postqueue could dereference a dangling pointer with
6319 some getopt() implementations. LaMont Jones, HP. File:
6320 postqueue/postqueue.c.
6322 Safety: postalias and postmap now drop root privileges
6323 while processing a non-root input file. Thus, the result
6324 should be writable to the source file owner. Specify the
6325 -o option if this is a problem. Files: postmap/postmap.c,
6326 postalias/postalias.c.
6328 Consistency: just like postmap, postalias now copies file
6329 permissions from the source file when it creates a new
6330 table for the first time. File: postalias/postalias.c.
6332 20020504
6334 Portability: run-time test to avoid GDBM trouble. File:
6335 util/dict_dbm.c.
6337 20020505
6339 Cleanup: revised and simplified the transport map semantics.
6340 Null transport or nexhop fields now mean: "do not change":
6341 use what would be used if the transport map did not exist.
6342 This change eliminated a lot of code. The incompatibility
6343 is that a null transport field no longer defaults to
6344 $default_transport, but to $local_transport or $default_transport
6345 depending on the destination, and that a transport map only
6346 overrides relayhost when the table specifies explicit
6347 nexthop information. Files: trivial-rewrite/transport.c,
6348 trivial-rewrite/resolve.c.
6350 Cleanup: revised the user interface for controlling the
6351 Berkeley DB create and read buffer size controls. Files:
6352 util/dict_db.[hc], global/mail_params.[hc], global/mkmap_db.c.
6354 20020507
6356 Cleanup: simplified the hash/btree cache management code.
6357 The caches are now per table instead of shared, and the
6358 default read cache size is reduced to 128 kBytes. File:
6359 util/dict_db.c.
6361 20020508
6363 Bugfix: close user@domain@postfix-style.virtual.domain
6364 source routing relaying loophole involving postfix-style
6365 virtual domains with @virtual.domain catch-all patterns.
6366 Problem reported by Victor Duchovni. File: smtpd/smtpd_check.c.
6368 Bugfix: mail_addr_map() used the "wrong" @ character in
6369 addresses with multiple @. Victor Duchovni. File:
6370 global/mail_addr_map.c.
6372 Bugfix: for address localpart quoting, now quote @ as a
6373 special character everywhere, except when resolving addresses.
6374 Previously, the @ was nowhere quoted as a special character,
6375 not even in SMTP commands. Files: global/quote_82[12]_local.c
6376 and clients.
6378 20020509
6380 Safety: don't allow an OK access rule lookup result for
6381 user@domain@postfix-style.virtual.domain. Suggested by
6382 Victor Duchovni, Morgan Stanley. File: smtpd/smtpd_check.c.
6384 Bugfix: quote unquoted address localparts that need quoting.
6385 Files: global/tok822_parse.c, global/quote_82[12]_local.c.
6387 Documentation: simplified the advanced content filtering
6388 example, and included a more advanced example for those
6389 who want to squeeze out more performance without running
6390 multiple Postfix instances. Text by Victor Duchovni, Morgan
6391 Stanley. File: README_FILES/FILTER_README.
6393 20020510
6395 Feature: header/body filters now log the origin of the
6396 message that is being rejected. Files: smtpd/smtpd.c,
6397 qmqpd/qmqpd.c, pickup/pickup.c, cleanup/cleanup_envelope.c,
6398 cleanup/cleanup_message.c. Requested by Craig Sanders, if
6399 I remember correctly.
6401 Feature: the Postfix SMTP client now passes on MIME body
6402 type information (8bit, 7bit) received via SMTP, via MIME
6403 headers, or via the sendmail command line. Files:
6404 global/deliver_request.c, smtpd/smtpd.c, sendmail/sendmail.c,
6405 cleanup/cleanup_envelope.c, cleanup/cleanup_message.c,
6406 cleanup/cleanup_extracted.c, *qmgr/qmgr_message.c,
6407 *qmgr/qmgr_deliver.c, smtp/smtp_proto.c, lmtp/lmtp_proto.c.
6409 20020511
6411 Feature: bounces now specify the proper MIME encoding (8bit,
6412 7bit), depending on the MIME body type information received
6413 via SMTP, via MIME headers, or via the sendmail command
6414 line. Files: global/bounce.c, global/defer.c, global/abounce.c,
6415 bounce/bounce_service.c, bounce/bounce_notify_util.c.
6417 20020512
6419 Cleanup: the SMTP client logged and bounced the CNAME
6420 expanded recipient address, and thereby complicated trouble
6421 shooting. File: src/smtp_proto.c.
6423 Bugfix: the SMTP and LMTP clients bounced the quoted
6424 recipient address, resulting in too much quoting in bounce
6425 reports. Files: src/smtp_proto.c, lmtp/lmtp_proto.c.
6427 20020513
6429 Bugfix: the LDAP client used the "wrong" @ character in
6430 addresses with multiple @. LaMont Jones, HP. File:
6431 util/dict_ldap.c.
6433 Feature: lots of new LDAP stuff: result_filter (filter to
6434 expand results from queries), chase_referrals, LaMont Jones,
6435 HP. The LDAP bind timeout now works thanks to Victor
6436 Duchovni, Morgan Stanley. File: util/dict_ldap.c.
6438 Cleanup: specify "resolve_dequoted_address = no" to prevent
6439 Postfix from looking inside quotes for extra @ etc. characters
6440 when resolving an address. This behavior is technically
6441 more correct, but it opens a mail relay loophole with "user
6442 @domain"@domain when relaying mail to a Sendmail system.
6444 20020514
6446 Bugfix: the new code for header address quoting sometimes
6447 did not null terminate strings so that arbitrary garbage
6448 could appear at the end of message headers. Reported by
6449 Ralf Hildebrandt. File: global/tok822_parse.c.
6451 Safety: user@domain@domain is no longer accepted by the
6452 permit_mx_backup uce restriction (unless Postfix is configured
6453 with "resolve_dequoted_address = no"). Victor Duchovni,
6454 Morgan Stanley. File: smtpd/smtpd_check.c.
6456 20020515
6458 Workaround: flush the SMTP client output buffer when no
6459 output has happened for 10+ seconds. This prevents the
6460 socket from timing out, in case DNS CNAME expansion is
6461 slow. Problem experienced by Alex Erdelyi, peregrine.com.
6462 File: smtp/smtp_chat.c. We did the same thing for the SMTP
6463 server years ago, and one wonders why the coin didn't drop
6464 at the time that the SMTP client could suffer from a similar
6465 problem.
6467 20020516
6469 Updated the FILTER_README file to turn off DNS lookups in
6470 the SMTP client that feeds mail into a content filter.
6472 20020517
6474 Cleanup: Mailbox-Line: message header labels should be
6475 X-Mailbox-Line: labels. Files: smtpd/smtpd.c, qmqpd/qmqpd.c.
6477 20020515-21
6479 Feature: new MIME parser, written from scratch, that
6480 recognizes the structure of MIME encapsulated mail. Influenced
6481 by comments from Victor Duchovni. This code can detect but
6482 will not decode obscure MIME formats or obscure character
6483 string encoding that Liviu Daia expresses concern about.
6485 MIME header scanning now happens in header_checks, and is
6486 faster than body_checks could ever be. This also eliminates
6487 the problem with multi-line MIME headers being matched one
6488 line at a time. Files: global/mime_state.[hc],
6489 cleanup/cleanup_message.c.
6491 20020521-22
6493 Feature: 8-bit to quoted-printable conversion. First use
6494 in the Postfix SMTP client. File: smtp/smtp_proto.c.
6496 Logging: the Postfix SMTP and LMTP clients now report the
6497 the protocol stage when they report a server reply. File:
6498 smtp/smtp_proto.c, lmtp/lmtp_proto.c.
6500 Bugfix: the SMTP server warned about ignored client attributes
6501 (these were introduced 20020510) in mail that was submitted
6502 with "sendmail -bs". File: smtpd/smtpd.c.
6504 20020525
6506 Feature: separation of header checks into header_checks
6507 (all primary headers except MIME related headers),
6508 mime_header_checks (all MIME headers including MIME headers
6509 at the start of messages) and nested_header_checks (headers
6510 of attached messages, except MIME related headers).
6512 Cleanup: broke out the header value parser from the MIME
6513 processor so that the code can be reused elsewhere. File:
6514 global/header_token.c.
6516 Compatibility: Postfix now recognizes "name :" as a valid
6517 message header, but normalizes it to "name:" form or else
6518 lots of things would break all over the place. Files:
6519 global/is_header.c, global/mime_state.c.
6521 20020526
6523 Bugfix: the SMTP server now disallows RCPT TO:<"">, just
6524 like it disallows RCPT TO:<>. File: smtpd/smtpd.c.
6526 Feature: disable_mime_input_processing=yes/no controls
6527 whether Postfix recognizes (and optionally enforces) MIME
6528 formats while receiving mail. Default is NO.
6530 Feature: disable_mime_output_conversion=yes/no controls
6531 whether Postfix will convert 8BITMIME to 7BIT mail when
6532 delivering mail to an SMTP server that does not announce
6533 8BITMIME support. Default is NO.
6535 Feature: strict_8bitmime=yes/no controls whether Postfix
6536 rejects 8-bit characters in headers and 7-bit body parts.
6537 This blocks mail from poorly written software, including
6538 majordomo approval requests that contain a valid 8BITMIME
6539 email message, as well as mail that is piped into ancient
6540 /bin/mail implementations that do not MIME format 8-bit
6541 content. Default is NO.
6543 Feature: strict_mime_encoding_domain=yes/no controls whether
6544 Postfix rejects illegal content transfer encodings for
6545 multipart/* and message/*. This blocks mail from poorly
6546 written software. Default is NO.
6548 20020527
6550 Feature: "FILTER transport:nexthop" in header/body checks.
6551 After the message is queued, the message is sent through
6552 a content filter. This requires different cleanup servers
6553 before and after the filter, with header/body checks turned
6554 off in the second cleanup server.
6556 20020528
6558 Feature: strict_7bit_headers and strict_8bitmime_body are
6559 now separately available. To to turn on both, use
6560 strict_8bitmime.
6562 Cleanup: abandon the use of isspace(3) in the parsing of
6563 RFC822 message headers. Files: global/lex_822.h and lots
6564 of little places.
6566 Documentation: replace domain.name by domain.tld in the
6567 example config files. The domain exists. They were getting
6568 mail from poorly configured Postfix boxes.
6570 Bugfix: The Postfix sendmail command did not export the
6571 MAIL_CONFIG environment setting to the postdrop command.
6572 File: global/mail_config.h.
6574 Incompatibility: by default, turn on the PCRE_DOTALL flag,
6575 so that PCRE patterns will match multi-line message headers
6576 without causing pain. Suggested by Michael Tokarev. Also
6577 documented all those darned undocumented PCRE flags in the
6578 pcre_table(5) manual page. Files: util/dict_pcre.c,
6579 proto/pcre_table.
6581 20020529
6583 Bugfix: mail rejected due to MIME errors was rejected
6584 without proper logging. Files: global/mime_state.c,
6585 cleanup/cleanup_message.c.
6587 20020531
6589 Bugfix: the SMTP client code that prepends '.' to lines
6590 starting with '.' had to be moved from its old place to
6591 after the MIME output conversion. Problem found by Mark
6592 Martinec. File: smtp/smtp_proto.c.
6594 20020601
6596 Bugfix: the deliver_pass() routine needed updating for the
6597 extra MIME encoding attribute that was introduced 20020510.
6598 Patch by Sebastian Schaffert @ wastl.net. File:
6599 global/deliver_pass.c.
6601 20020604
6603 Workaround: Solaris non-blocking read() can fail on a socket
6604 with unread data according to ioctl FIONREAD. Incredible.
6605 Diagnosis by Max Pashkov. File: smtp/smtp-sink.c.
6607 Weird feature: sender-based routing. This will become more
6608 useful once per-address transport map entries are done.
6609 File: src/*qmgr/qmgr_message.c.
6611 20020605
6613 Safety: header_address_token_limit limits the amount of
6614 memory and CPU that we're willing to spend while parsing
6615 addresses in message headers. The limit is expressed as a
6616 number of tokens. File: global/tok822_parse.c
6618 20020608
6620 Feature: user@domain transport map lookup, based on code
6621 by Scott Cotton, from several years ago. Adding this code
6622 now was much less painful than it was in the past. Files:
6623 global/strip_addr.c, trivial-rewrite/transport.c.
6625 20020610
6627 Cleanup: making user@domain transport map lookups work with
6628 sender-based routing was a bit tricky, because the null
6629 address must be handled sensibly. Files: global/resolve_clnt.c,
6630 trivial-rewrite/resolve.c. It ain't perfect yet, but close.
6632 20020613
6634 Bugfix: postsuper -r was broken as of 20020510. The cleanup
6635 daemon would discard mail with MIME type information. Moved
6636 a bunch of sanity checks from the cleanup daemon to the
6637 pickup daemon, so the checks are in one place. Problem
6638 experienced by Pavol Luptak. Files: pickup/pickup.c,
6639 cleanup/cleanup_extracted.c.
6641 20020705
6643 Safety: log a warning when a domain is listed in mydestination
6644 and (virtual_maps or virtual_mailbox_maps). This configuration
6645 error causes the Postfix SMTP server to reject recipients
6646 when the local_recipient_maps feature is enabled. File:
6647 smtpd/smtpd_check.c.
6649 200207011
6651 Portability: in the master daemon, the default now is to
6652 enable the signal handler code that writes a byte into a
6653 pipe, instead of the signal handler code that sets a global
6654 flag and hopes that select() will somehow wake up. File:
6655 master/master_sig.c. This is needed for some IRIX and
6656 UnixWare versions, but it should also produce a robust
6657 result on all other supported systems.
6659 Performance: the default SMTP connection establishment
6660 timeout is now 30 seconds, instead of the system default
6661 which can be atrociously large.
6663 20020712
6665 When DNS lookup fails while delivering mail, report not
6666 only the domain name but also the DNS record type. This
6667 should clue in people who ask why Postfix can't find a
6668 domain while nslookup can. File: dns/dns_lookup.c.
6670 20020713
6672 Bugfix: undo change made at 20020610 that causes the trivial
6673 resolver client to loop when an address consists entirely
6674 of @ and . characters. File: trivial-rewrite/resolve.c.
6676 Cleanup: Postfix no longer strips multiple '.' at the end
6677 of a domain name. One '.' is silently tolerated. Files:
6678 trivial-rewrite/rewrite.c, trivial-rewrite/resolve.c,
6679 global/resolve_local.c. This policy is too distributed.
6681 20020715
6683 Feature: @domain.tld catch-all map entries for the virtual
6684 mail delivery agent. Files: global/virtual8_maps_find.c,
6685 virtual/mailbox.c, smtpd/smtpd_check.c.
6687 Feature: the virtual mail delivery agent now accepts address
6688 extensions (user+foo@domain.tld), ignores them when looking
6689 up users in its tables, but displays them in Delivered-To:
6690 message headers. File: global/virtual8_maps_find.c.
6692 20020716
6694 Feature: domain names in a masquerade_domains list can now
6695 be prefixed with !, in order to disable masquerading for
6696 that domain name and for its subdomains. File:
6697 cleanup/cleanup_masquerade.c.
6699 20020717
6701 Bugfix: Mac OS X niscript (Netinfo) update by Gerben Wierda.
6702 File: auxiliary/MacOSX/niscript.
6704 Feature: The SMTP server reject_unknown_whatever restrictions
6705 now also attempt to look up AAAA (IPV6 address) records.
6706 Jun-ichiro itojun Hagino, IIJ labs. Files: smtpd/smtpd_check.c,
6707 dns/dns_lookup.c.
6709 20020718
6711 Bugfix: unnecessary lookups for extended addresses by the
6712 virtual8_maps_find() routine. Victor Duchovni. His patch
6713 did not work, nor did my own, but the present version should
6714 be OK. File: global/virtual8_maps_find.c.
6716 20020719
6718 Workaround: log a warning when an SMTP client name->address
6719 lookup results in a numeric IP address, and set the client
6720 hostname to "unknown". Some gethostbyname() implementations
6721 will actually accept such garbage and thereby allow sites
6722 to defeat the "reject_unknown_client" restriction. Problem
6723 reported by Wolfgang Rupprecht, fix based on analysis (but
6724 not code) by Victor Duchovni.
6726 Bugfix: memory leaks in the LDAP client by Victor Duchovni.
6727 File: util/dict_ldap.c.
6729 Bugfix: garbage in verbose "flush" server logging. Victor
6730 Duchovni. File: flush/flush.c.
6732 20020723
6734 Incompatibility: smtpd_sasl_local_domain now defaults to
6735 the null string. File: smtpd/smtpd.c, smtpd/smtpd_sasl_glue.c.
6737 20020726
6739 Documentation: added GDB debugging instructions for sites
6740 that do not have X installed on the Postfix machine. Henrik
6741 Larsson, spambox.dk.
6743 20020729
6745 Weird: installed RedHat 3.03 inside VMware, and no change
6746 was needed to build Postfix, except to recognize the Linux
6747 version.
6749 Bugfix: some mailers will announce ESMTP features in their
6750 HELO (not EHLO) response. Postfix did not ignore them.
6751 File: smtp/smtp_proto.c.
6753 20020731
6755 Cleanup: permit_naked_ip_address is unsafe (especially when
6756 used with smtpd_recipient_restrictions) and will go away.
6757 Postfix now logs a warning. File: smtpd/smtpd_check.c.
6759 20020801
6761 Cleanup: the warning message for matched header/body content
6762 was misleading. File: cleanup/cleanup_message.c.
6764 Safety: moved the "postsuper -r ALL" operation after the
6765 "postsuper -s" check that makes queue file names match
6766 inode numbers. This avoids loss of mail in the unlikely
6767 case that someone runs "postsuper -sr ALL" on a queue that
6768 was copied from another place.
6770 Feature: "postsuper -h" to put mail "on hold" and "postsuper
6771 -H" to release mail that was placed "on hold". This involves
6772 a new queue, which is appropriately named "hold". Files:
6773 postsuper/postsuper.c, showq/showq.c.
6775 20020803
6777 Feature: when a Delivered-To: mail delivery loop is detected,
6778 send the bounce to the mailing list owner. This required
6779 changes to the local delivery agent, a new bounce client
6780 stub, and a new bounce server stub and support routines
6781 for one recipient bouncing. Files: local/recipient.c,
6782 global/bounce_log.c, global/bounce.c, bounce/bounce.c,
6783 bounce/bounce_notify_util.c, bounce/bounce_one_service.c.
6785 20020809
6787 Bugfix: the 20020531 bugfix could prepend '.' to lines when
6788 it shouldn't (but only when converting 8-bit mail to 7-bit).
6789 Problem experienced by Ralf Hildebrandt. File:
6790 smtp/smtp_proto.c.
6792 Bugfix: smtpd_sender_login_maps did not do the @domain etc.
6793 wild-card lookups that were promised. Problem experienced
6794 by Sven Michels. File: smtpd/smtpd_check.c.
6796 20020810
6798 Feature: new smtp-sink command-line options to specify the
6799 SMTP hostname, to disable ESMTP protocol support, to disable
6800 8BITMIME support, and to syslog selected commands. File:
6801 smtpstone/smtp-sink.c.
6803 20020814
6805 Feature: the queue manager now warns when mail for some
6806 destination is piling up in the active queue, and suggests
6807 a variety of remedies. The qmgr_clog_warn_time parameter
6808 controls the time between warnings, mainly so that I could
6809 test the code. To disable these warnings, specify
6810 "qmgr_clog_warn_time = 0". Files: *qmgr/qmgr_entry.c.
6812 20020815
6814 Paranoia: truncate the DNS response length result value in
6815 case it is larger than the result buffer length (the resolver
6816 documentation is vague about this). File: dns/dns_lookup.c.
6818 20020816
6820 Cleanup: "postqueue -f" now also triggers delivery of mail
6821 in the maildrop directory. This is needed when the master
6822 does not frequently wake up the pickup service. Files:
6823 global/mail_flush.c, postqueue/postqueue.c.
6825 20020818
6827 Cleanup: the qmgr_site_hog_factor feature is gone (defer
6828 mail if a site uses up too much space in the active queue).
6829 Instead, the qmgr_clog_warn_time feature provides better
6830 solutions. File: qmgr/qmgr_message.c.
6832 20020819
6834 Feature: new header/body_checks HOLD pattern that causes
6835 mail to be placed on the "hold" queue for manual inspection.
6836 Files: global/hold_message.[hc], cleanup/cleanup_message.c.
6838 20020820
6840 Bugfix: yesterday's HOLD pattern code did not update the
6841 cleanup server's idea of the queue file name for error
6842 recovery and for error reporting purposes, so that incomplete
6843 or content rejected mail would not be deleted from the
6844 queue, and so that the bouncer would not find the queue
6845 file.
6847 Bugfix: the #ifdef that detects too old LDAP libraries was
6848 in the wrong place. Victor Duchovni. File: util/dict_ldap.c.
6850 Feature: new header/body_checks DISCARD pattern that causes
6851 mail to be silently discarded. Files: global/cleanup_user.h,
6852 cleanup/cleanup_message.c, cleanup/cleanup_api.c.
6854 Bugfix: the local delivery agent's mailbox duplicate delivery
6855 eliminator was not updated in the days that address extensions
6856 were added to Postfix. The other local duplicate eliminators
6857 probably need revision as well. File: local/mailbox.c.
6859 20020821
6861 Feature: HOLD and DISCARD actions in SMTPD access tables.
6862 These requests are propagated to the cleanup daemon. Files:
6863 cleanup/cleanup_envelope.c smtpd/smtpd_check.c.
6865 Cleanup: eliminate unnecessary references to the obsolete
6866 program_directory configuration parameter (but keep the
6867 parameter so as to not break existing installations).
6868 Matthias Andree, many little changes in documentation.
6870 20020822
6872 Bit Rot: OpenLDAP incompatible change with URL parsing.
6873 Patches by Will Day, Georgia Tech, and Carsten Hoeger,
6874 SUSE. File: util/dict_ldap.c.
6876 20020823
6878 Bugfix: added a missing memset() call to wipe the lookup
6879 key in dict_db_delete(). This is needed by some Berkeley
6880 DB implementations. Patch by Katsu Yamamoto, Fujitsu.
6882 Bugfix: when permit_mx_backup is unable to make a decision
6883 due to DNS problems, set the "defer if reject" flag so that
6884 other restrictions will not cause mail to be rejected.
6885 File: smtpd/smtpd_check.c.
6887 Feature: instead of giving up immediately after DNS failure,
6888 turn on the "defer_if_permit" flag when reject_unknown_hostname,
6889 reject_unknown_sender_domain or reject_unknown_recipient_domain
6890 are unable to make a decision, and see if any subsequent
6891 restrictions would still cause the mail to be rejected.
6892 File: smtpd/smtpd_check.c.
6894 Feature: "FILTER transport:nexthop" is now also available
6895 in SMTPD access tables.
6897 20020826
6899 Workaround: HP-UX 11 accept() fails with ENOBUFS when the
6900 client disconnects early. File: sane_accept.c.
6902 20020901
6904 Cleanup: postfix-install no longer installs all the manual
6905 pages under $POSTFIXSOURCE/man, so we can generate manual
6906 pages for smtp-sink etc. File: man/Makefile.in.
6908 20020903
6910 Bugfix: the rmail script should have been updated when
6911 Postfix sendmail was changed to recognize `.' as the end
6912 of input. Problem fix by Christian Kratzer, cksoft.de.
6913 File: auxiliary/rmail/rmail.
6915 Feature: specify "maximal_queue_lifetime = 0" for mail that
6916 should be returned immediately after the first unsuccessful
6917 delivery attempt. Files: qmgr/qmgr.c, nqmgr/nqmgr.c.
6919 20020904
6921 Bugfix: qmail compatibility: qmqpd should support any
6922 character at the end of the VERP prefix in prefix@host-@[].
6923 Based on a patch by LaMont Jones, HP.
6925 20020905
6927 Feature: "smtpd_data_restrictions = reject_unauth_pipelining"
6928 blocks mail from SMTP clients that send message content
6929 before Postfix has replied to the DATA command. File:
6930 smtpd/smtpd.c, smtpd/smtpd_check.c.
6932 Bugfix: the LDAP client dumped core in verbose mode.
6933 Reported by Will Day and others. File: util/dict_ldap.c.
6935 20020906
6937 Cleanup: dict_regexp module speedups by avoiding unnecessary
6938 substring overhead while matching strings. Based on a
6939 suggestion by Liviu Daia. This involved major rewriting of
6940 the regexp map code. File: util/dict_regexp.c.
6942 20020907
6944 Feature: IF..ENDIF support based on code by Bert Driehuis.
6945 This involved a further rewrite of the regexp map code.
6946 File: util/dict_regexp.c.
6948 200209010
6950 Bugfix: the SMTP client produced suprious warnings about
6951 trouble with fallback_relay hosts. File: smtp/smtp_connect.c.
6953 Robustness: don't wait with detecting broken SMTP connections
6954 until reading input. Leandro Santi. File: smtpd/smtpd_chat.c.
6956 200209011
6958 Workaround: IRIX 6 can't do ioctl FIONREAD on pipes. This
6959 breaks the in_flow_delay feature. File: util/sys_defs.h.
6961 20020912
6963 Bugfix: canonical/virtual mapping core dump with a null
6964 right-hand side address. Report by Jussi Silvennoinen.
6965 File: global/mail-addr_crunch.c.
6967 Feature: IF..ENDIF support based on code by Bert Driehuis.
6968 This involved a rewrite of the pcre map code similar to
6969 the regexp map code. File: util/dict_pcre.c.
6971 20020917
6973 Feature: on Linux, support for PCRE lookup tables is now
6974 compiled in if the PCRE library code is found under
6975 /usr/include and /usr/lib. File: makedefs.
6977 20020918
6979 Documentation: postsuper(1) did not document the -c option.
6981 Bugfix: possible longjump() before setjmp(). File:
6982 smtpd/smtpd.c.
6984 Bugfix: pickup should not preserve INSPECT or FILTER records
6985 from "postsuper -r". File: pickup/pickup.c.
6987 20020919
6989 Feature: "reject_rbl <domain>" for client address blacklisting
6990 by LaMont Jones, including $name expansion for per-domain
6991 customized response messages. The obsolete reject_maps_rbl
6992 is now a wrapper that uses the new code.
6994 20020921
6996 Internal: added caching and factored out common code that
6997 will be used for both reject_rbl and for the upcoming
6998 reject_rhsbl restriction.
7000 20020922
7002 Feature: "reject_rhsbl <domain>" for sender domain
7003 blacklisting. Provides the same per-domain customized
7004 response message mechanisms with $name expansion as
7005 reject_rbl.
7007 Safety: the smtpd_expansion_filter parameter controls what
7008 characters are allowed in the expansion of $name macros in
7009 template RBL responses.
7011 Cleanup. In order to make sensible warnings possible when
7012 expanding a non-existent $name in RBL reply templates,
7013 mac_expand() had to be changed so that an empty string
7014 result (i.e. the name does exist) will no longer cause
7015 ${name?text} to succeed. File: util/mac_expand.c.
7017 20020923
7019 Cleanup. Renamed the RBL features according to a scheme
7020 that was suggested by Liviu Daia in October 2001. The names
7021 are reject_rbl_client and reject_rhsbl_sender, respectively.
7022 Added domain name based reject_rhsbl_client and
7023 reject_rhsbl_recipient restrictions for completeness. The
7024 reject_rbl restriction name is still recognized for
7025 compatibility with systems maintained by LaMont Jones.
7027 20020924
7029 Bugfix: reject_rhsbl_<mumble> was broken when <mumble> was
7030 unavailable, causing the restrictions parser to get out if
7031 sync. Spotted by Ralf Hildebrandt. File: smtpd/smtpd_check.c.
7033 20020928
7035 Bugfix: missing %s in the 20020923 RBL code. This was not
7036 exploitable because Postfix implements only a safe subset
7037 of all printf format operators and because memory for the
7038 result is dynamically allocated. Victor Duchovni. File:
7039 smtpd/smtpd_check.c.
7041 20020929
7043 Updated MacOSX support scripts from Gerben Wierda. Files:
7044 auxiliary/MacOSX/*.
7046 20021009
7048 Bugfix: SIZE errors should be reported at MAIL FROM time,
7049 and should not be postponed (with smtpd_delay_reject = yes)
7050 until RCPT TO time. Reported by Jeroen Scheerder, Utrecht
7051 University. Files: smtpd/smtpd.c smtpd/smtpd_check.c.
7053 20021013
7055 When Postfix development started, Linux mail delivery
7056 software such as procmail did not use kernel locks, and
7057 Postfix picked one that seemed plausible, namely, flock().
7058 In the mean time, Linux mail delivery software seems to
7059 have standardized on fcntl() locks. File: util/sys_defs.h.
7061 Feature: body_checks_size_limit parameter to specify how
7062 much of a message body segment (or attachment, if you prefer
7063 to use that term) is subjected to body_checks inspection.
7064 Default limit: 50 kbytes. Files: global/mime_state.c,
7065 cleanup/cleanup_message.c.
7067 20021015
7069 Bugfix: the code for missing postmaster/mailer-daemon
7070 aliases had to be moved after the code that implements the
7071 luser_relay feature. Files: local/alias.c, local/unknown.c.
7073 Weird? The LMTP client lowercased the MAIL FROM and RCPT
7074 TO addresses. Some remnant of code that someone put in
7075 there long ago. File: lmtp/lmtp_proto.c.
7077 20021024
7079 Feature: proxy_interfaces parameter. Specify your NAT or
7080 other proxy addresses here to avoid mail delivery loops.
7081 Files: global/mail_params.[hc] global/own_inet_addr.[hc]
7082 global/resolve_local.c smtp/smtp_addr.c smtpd/smtpd_check.c.
7084 Paranoia: defend against a very unlikely false alarm in
7085 safe_open().
7087 20021025
7089 Feature: X-Original-To: message headers with the raw original
7090 envelope recipient.
7092 Logging: status=sent/deferred/bounced/ logging now includes
7093 the original recipient address if it differs from the final
7094 address.
7096 20021026
7098 Logging: SMTP UCE reject/warn/hold/discard logging now
7099 includes queue ID. This will break some logfile analyzers.
7101 Logging: SMTP UCE reject/warn/hold/discard logging now
7102 includes the protocol name and, if available, the hostname
7103 given in the SMTP HELO or EHLO command.
7105 Logging: header/body_checks reject/warn/hold/discard logging
7106 now includes the protocol name and, if available, the
7107 hostname given in the SMTP HELO or EHLO command.
7109 20021028
7111 Bugfix: don't reset state after rejected EHLO. Reset state
7112 after HELO. Reported by Karthikeyan Bhargavan, upenn.edu.
7113 Files: smtpd/smtpd.c.
7115 20021029
7117 Bugfix: local(8) did not prepend an X-Original-To: message
7118 header while delivering to command, and local(8) did not
7119 document the X-Original-To: message header.
7121 Workaround: DJBDNS produces a bogus A record when given a
7122 numerical hostname. File: dns/dns_lookup.c.
7124 20021030
7126 Portability: support for Berkeley DB version 4.0 but not
7127 for Berkeley DB version 4.1 (yes, the API is different).
7128 Postfix is now going to be paranoid about the minor version
7129 number, too. File: util/dict_db.c.
7131 Documentation: updated LMTP_README file by Amos Gouaux.
7133 20021031
7135 Bugfix: (bug introduced 20021026) log NOQUEUE when rejecting
7136 ETRN, instead of trying to log a non-existent queue ID.
7137 Victor Duchovni, Morgan Stanley. File: smtpd/smtpd_check.c.
7139 Cleanup: allow optional text after commands in SMTPD access
7140 maps. Based on initial effort by Victor Duchovni, Morgan
7141 Stanley. File: smtpd/smtpd_check.c.
7143 Portability: support for Berkeley DB version 4.1. This
7144 version refuses to open zero-length files. This complicates
7145 lock management and requires extra code to remove broken
7146 files. Files: util/dict_db.c, global/mkmap*.[hc].
7148 20021101
7150 Bugfix: don't complain about out-of-order original recipient
7151 records for finished recipients. Files: *qmgr/qmgr_message.c,
7152 cleanup/cleanup_envelope.c, cleanup/cleanup_extracted.c.
7154 Cleanup: further simplified the mkmap wrapper (used by
7155 postmap and postalias only) to remove some hurdles for
7156 Michael Tokarev's CDB support. Files: global/mkmap*.[hc].
7158 20021105
7160 Postalias now produces YP_LAST_MODIFIED and YP_MASTER_NAME
7161 records only when NIS support is compiled in. File:
7162 postalias.c.
7164 20021106
7166 Postalias now puts $myhostname in the YP_MASTER_NAME record,
7167 instead of the possibly bogus gethostname() result. File:
7168 postalias.c.
7170 The PCRE map code did not reject non-numeric replacement
7171 indices in replacement text, and silently treated $text as
7172 $0. Found by Michael Tokarev. File: dict_pcre.c.
7174 20021108
7176 Cleanup: the behavior of the SMTP server's defer_if_permit
7177 flag was changed, in order to maximize the opportunity to
7178 permanently reject mail without opening opportunities for
7179 losing legitimate mail. This was done in cooperation with
7180 Victor Duchovni, Morgan Stanley. File: smtpd/smtpd_check.c.
7182 The defer_if_permit flag is still set when an UCE reject
7183 restriction fails due to a temporary (e.g., DNS) problem,
7184 to prevent unwanted mail from slipping through. However,
7185 the flag is no longer tested at the end of client, helo or
7186 sender restrictions. Instead, the flag is now tested at
7187 the end of the ETRN and recipient restrictions only.
7189 The behavior of the warn_if_reject restriction has changed.
7190 It no longer activates any already made defer_if_permit or
7191 defer_if_reject decisions (the defer_if_reject flag is set
7192 when some UCE permit restriction fails due to a temporary
7193 (DNS) problem, to avoid loss of legitimate mail).
7195 Bugfix: instead of setting the defer_if_permit flag, a
7196 failing reject restriction after warn_if_reject now merely
7197 logs that it would have caused mail to be deferred.
7199 A failing permit restriction after warn_if_reject still
7200 raises the defer_if_reject flag, to avoid loss of legitimate
7201 mail.
7203 20021109
7205 Bugfix: a misguided change to the .forward macro expansion
7206 filter broke .forward file lookup.
7208 Bugfix: missing defer_if_permit test in smtpd_data_restrictions.
7209 Victor Duchovni. File: smtpd/smtpd_check.c.
7211 20021112
7213 Robustness: increase the mime_nesting_limit from 20 to 100,
7214 so that bounces can't loop. Each bounces increases the MIME
7215 nesting level by one. Ralf Hildebrandt and Victor Duchovni.
7217 20021113
7219 Robustness: reinstated SMTP client command flushing to
7220 avoid pipeline stalls. File: smtp/smtp_chat.c.
7222 20021114
7224 Robustness: distinguish between timeout and "lost connection"
7225 when the SMTP server is unable to send a reply to the remote
7226 client. File: smtpd/smtpd_chat.c.
7228 20021115
7230 Bugfix: initialization error with "*" transport table
7231 lookup, reported by LaMont Jones. The transport map lookup
7232 code had grown into a monster and needed to be replaced.
7233 trivial-rewrite/transport.c.
7235 20021115
7237 Start implementing recipient verification. For now this is
7238 done by adding trace flags to queue files. In case of a
7239 verification request, a delivery agent does not deliver,
7240 deliver, it just records what would happen.
7242 This required instrumenting the bounce/defer/sent logging
7243 routines to send their data to the right place depending
7244 on the type of delivery request.
7246 20021116
7248 New trace service. This is used for reporting if a recipient
7249 is deliverable (sendmail -bv) and for producing a record
7250 of delivery attempts (sendmail -v). The report is sent via
7251 email, using the bounce daemon. Files: global/trace.[hc].
7253 This required replacing the bounce/defer logfile format by
7254 an extensible name=value format. Files: global/bounce_log.c,
7255 bounce/bounce_append_service.c.
7257 20021117
7259 New address verification service with simple expiration
7260 and refresh policy. Storage can be in-core or in permanent
7261 table. The daemon is appropriately called "verify". Files:
7262 global/verify_clnt.[hc], verify/verify.c.
7264 20021118
7266 Cleaning up the code for tracing and verification. Files:
7267 global/{log_adhoc,bounce,defer,trace,verify}.[hc].
7269 20021119
7271 New address_verification_negative_cache = yes/no parameter
7272 controls whether Postfix stores the result of negatieve
7273 address verification probes. This reduces cache pollution
7274 but causes Postfix to send a probe for each address
7275 verification service query. File: verify/verify.c.
7277 Added optimistic caching to the verify daemon, so that one
7278 failed probe will not clobber a known to be good address.
7279 As long as some probes succeeed, a good address will stay
7280 cached as OK.
7282 Cleaning up of the bounce daemon's code for bounce, delayed
7283 mail warning and trace notification. Files: bounce/*.[hc],
7284 global/bounce_log.c.
7286 20021120
7288 Changed the probe's sender address to "postmaster" so that
7289 we get better information about the address we're testing.
7290 File: verify/verify.c.
7292 Added some paranoia to the routine that reads data from
7293 the address verification cache. Ignore data that is obviously
7294 bogus. File: verify/verify.c.
7296 20021121
7298 Bugfix: garbage in "user@garbage"@domain address forms may
7299 cause the SMTP or LMTP client to terminate with a fatal
7300 error exit because garbage/tcp is not an existing service.
7301 This cannot be abused to cause the SMTP or LMTP client to
7302 send data into unauthorized ports. Files: *qmgr/qmgr_message.c,
7303 trivial-rewrite/resolve.c.
7305 20021124
7307 Bugfix: don't use same VSTRING buffer for reading and
7308 writing. File: verify/verify.c.
7310 20021128
7312 Feature: hashed hold queue support, with hashing turned on
7313 by default. Omission spotted by Victor Duchovni, Morgan
7314 Stanley. Files: global/hold_message.c, global/mail_params.h.
7316 Bugfix: the LMTP client lost the port(service) information
7317 when parsing host:port information. Victor Duchovni, Morgan
7318 Stanley. Fix is to have a new host_port(3) module that does
7319 the parsing for the SMTP and LMTP clients.
7321 Cleanup: host_port() routine that parses host/port information
7322 more consistently than the existing code in the LMTP and
7323 SMTP clients. Files: smtp/smtp_connect.c, lmtp/lmtp_connect.c,
7324 util/host_port.[hc].
7326 20021130
7328 Cleanup: defer mail when recipient verification takes too
7329 long. File: smtpd/smtpd_proto.c.
7331 Feature: new reject_multi_recipient_bounce restriction, to
7332 reject "MAIL FROM: <>" with multiple recipients. File:
7333 smtpd/smtpd_check.c.
7335 20021201
7337 Compatibility: ignore the new Sendmail -A option. File:
7338 sendmail/sendmail.c.
7340 Workaround: sendmail -v now produces no output. You need
7341 to specify -v -v instead. This is to avoid problems when
7342 people request verbose mail delivery in their mail.rc file.
7343 File: sendmail/sendmail.c.
7345 20021202
7347 Cleanup: hash_queue_depth now defaults to 1 level of
7348 subdirectories. This makes "mailq" faster on most systems,
7349 but will result in poorer worst-case performance when lots
7350 of mail is queued.
7352 The check_relay_domains restriction is going away. The SMTP
7353 server logs a warning and suggests using reject_unauth_destination
7354 instead.
7356 Cleanup: the local(8) and virtual(8) delivery agents did
7357 not prepend X-Original-To: addresses to maildir files.
7358 Omission spotted by Matthias Andree.
7360 Specify "address_verify_sender=" or "address_verify_sender=<>"
7361 to use a null sender address while doing address verification
7362 probes. Beware, doing so may trigger false negatives
7363 because some sites reject mail from the null sender, even
7364 though this is required by RFC standards.
7366 Bugfix: too many levels of dereferencing while testing for
7367 missing reject_rbl_mumble domain names. Patrik Rak. File:
7368 smtpd/smtpd_check.c.
7370 20021203
7372 Bugfix: the FILTER access table action included the FILTER
7373 command in the filter request, where only the transport+destination
7374 were expected. Noel Jones. File smtpd/smtpd_check.c.
7376 Cleanup: virtual_maps is now called virtual_alias_maps, in
7377 order to better distinguish it from virtual_mailbox_maps.
7378 The default value is $virtual_maps for backwards compatibility.
7380 New parameters virtual_alias_domains and virtual_mailbox_domains
7381 for the "domain.tld whatever" lookups. These use the same
7382 syntax as the mydestination parameter. Default settings
7383 are backwards compatible with Postfix 1.1.
7385 Concept: just like $mydestination+$inet_interfaces control
7386 what routes to $local_transport, $virtual_mailbox_domains
7387 now controls what routes to $virtual_transport (default
7388 transport: virtual), and $relay_domains now controls what
7389 routes to $relay_transport (default transport: relay, a
7390 clone of the smtp transport). Everything else routes to
7391 $default_transport as before. This eliminates the need
7392 for transport map entries for every virtual(8) domain, and
7393 avoids performance problems with inbound relay mail. This
7394 was improvement was suggested by Victor Duchovni. File:
7395 trivial-rewrite/resolve.c.
7397 20021206
7399 Cleanup: do allow regexps in aliases, virtual mailbox maps
7400 but do not allow regular expression substitutions. Files:
7401 util/dict.h, util/dict_regexp.c, util/dict_pcre.c.
7403 20021207
7405 Cleanup: deleted the description of sendmail-style virtual
7406 domains from the virtual(5) manual page. This part of
7407 Postfix was too confusing.
7409 Performance: RFC 2821 blesses the use of CNAME domain names
7410 in MAIL FROM and RCPT TO. Not having to expand CNAME domain
7411 names speeds things up a bit. File: smtp/smtp_proto.c.
7413 Workaround: exclude error mailer destinations from transport
7414 mapping lookups :-(. File: trivial-rewrite/resolve.c.
7416 Cleanup: relocated_maps lookups are now moved to the
7417 trivial-rewrite server. As of now, the queue manager no
7418 longer does any map lookups, so it won't restart when maps
7419 change. Files: *qmgr/qmgr_message.c, trivial-rewrite/resolve.c.
7421 Robustness: because the trivial-rewrite server now does
7422 many more table lookups, some of which are often LDAP or
7423 SQL based, trivial-rewrite clients must be be prepared for
7424 the case that the resolver reports a failure while processing
7425 a request (when it was unable to access a lookup table).
7426 Files: trivial-rewrite/resolve.c, local/resolve.c,
7427 smtpd/smtpd_check.c.
7429 Robustness: moving possible LDAP or SQL table lookups into
7430 the trivial-rewrite server also required that trivial-rewrite
7431 be running as multiple processes to reduce lookup latencies.
7432 Files: master/multi-server.c.
7434 Workaround: don't discard all the DNS lookup results when
7435 only one of the results has a malformed name or address.
7436 File: dns/dns_lookup.c.
7438 20021208
7440 Cleanup: with the preliminary address domain classification
7441 concept as implemented by the trivial-rewrite address
7442 resolver, a lot of table lookups could be eliminated from
7443 the SMTP server. Files: smtpd/smtpd_check.c.
7445 Feature: new relay_recipient_maps parameter, for optional
7446 maps with all the recipients in the domains that match
7447 $relay_domains (so you can reject mail for unknown relay
7448 recipients). This is for consistency with virtual_xx_maps
7449 and virtual_xx_domains, and with local_recipient_maps and
7450 the local delivery agent. File: smtpd/smtpd_check.c.
7452 Cleanup: removed support for obsolete #number domain forms.
7453 File: smtpd/smtpd_check.c.
7455 20021209
7457 The Postfix installation procedure no longer sets the
7458 "chattr +S" bit on Linux queue directories. Wietse has
7459 gotten too annoyed with naive reviewers who complain about
7460 performance without having a clue of what they are comparing.
7462 "Security": local_recipient_maps is now turned on by default,
7463 to reject mail for non-existent users at the SMTP port.
7464 See conf/main.cf for instructions, section REJECTING UNKNOWN
7465 LOCAL USERS.
7467 Safety: detection of missing or inaccessible passwd file
7468 database, to prevent massive complaints from people who
7469 suddenly lose all their mail because local_recipient_maps
7470 is now turned on by default.
7472 20021210
7474 Feature: recipient address verification, using the code
7475 that already implements sender address verification. Based
7476 on suggestion by Matthias Andree. Files: src/smtpd/smtpd.c,
7477 src/smtpd/smtpd_check.c.
7479 20021211
7481 Performance: doubled the default process limit (50->100)
7482 and default queue manager active queue message/recipient
7483 limits (10k->20k). File: global/mail_params.h.
7485 Bugfix: the change that begot us multiple trivial-rewrite
7486 processes (good) also gave us multiple verify daemons (bad).
7487 File: conf/post-install.
7489 20021212
7491 Cleanup: allow transport map lookups to override error
7492 mailer results (to avoid breaking existing installations),
7493 and do transport map lookups before relocated map lookups.
7494 Files: trivial-rewrite/resolve.c, trivial-rewrite/transport.c.
7496 Shortened the verify server's negative cache refresh time
7497 from 12 hours to 2 hours. File: global/mail_params.h.
7499 Admin friendliness: the SMTP server now reports "User
7500 unknown in {local recipient | virtual alias | virtual
7501 mailbox | relay recipient} table". This will make trouble
7502 shooting a little easier. Files: smtpd/smtpd_check.c,
7503 trivial-rewrite/resolve.c.
7505 20021213
7507 Cleanup: transport map entries with null nexthop ignored
7508 relayhost settings. Making the code simpler also made it
7509 more correct. Files: trivial-rewrite/resolve.c,
7510 trivial-rewrite/transport.c.
7512 Feature: "helpful_warnings" (default: yes) that can be
7513 turned off if you really know what you're doing and want
7514 to eliminate some unnecessary work.
7516 Feature: enforcement of master.cf process limits for
7517 processes such as qmgr and pickup that must run alone, and
7518 processes such as cleanup and bounce that must run without
7519 explicit process count limit. If an incorrect process limit
7520 is specified in master.cf the service aborts.
7522 20021214
7524 Cleanup: it looks like we finally get it right with transport
7525 lookup table entries that either override or specify an
7526 error transport without updating the nexthop information.
7527 File: trivial-rewrite/resolve.c.
7529 Robustness: don't probe the sender address when probed for
7530 our own address verification probe sender address. File:
7531 smtpd/smtpd_check.c.
7533 Performance: don't do UCE checks (which may result in 4xx
7534 SMTP reply codes, and thus, repeated delivery attempts)
7535 when we already know that the recipient does not exist.
7536 Files: smtpd/smtpd.c, smtpd/smtpd_check.c.
7538 20021215
7540 Cleanup: further simplification of transport map handling
7541 after some really fine hair splitting with Victor Duchovni.
7542 Files: trivial-rewrite/resolve.c, trivial-rewrite/transport.c.
7544 20021216
7546 Workaround: transform the address local-part into unquoted
7547 form only when the address domain is local and the local-part
7548 contains routing operators. Otherwise, we may damage the
7549 address local-part by inserting space between non-operator
7550 tokens. Some people use weird addresses and expect them to
7551 be handled without damage. File: trivial-rewrite/resolve.c.
7553 Robustness: scan the resolved recipient address for routing
7554 operators in the address local-part, even when the local
7555 MTA does not recognize ! and % as valid operators. File:
7556 trivial-rewrite/resolve.c.
7558 Cleanup: the address rewriting code no longer tries to
7559 rewrite broken user@ or user@. address forms into even more
7560 broken forms. bother. File: trivial-rewrite/rewrite.c.
7562 Cleanup: the address resolver code now treates forms ending
7563 in @ in a more rational manner (because the address rewriting
7564 code no longer messes up by appending .my.domain).
7566 Bugfix: a null address local-part before @domain now is
7567 properly quoted just like the null address. File:
7568 global/quote_82[12]_local.c.
7570 20021217
7572 Cleanup: more work on the trivial-rewrite address rewriting
7573 and address resolving code. New regression tests for address
7574 rewriting and resolving that make some assumptions about
7575 main.cf settings. Files: global/Makefile.in (assumptions),
7576 global/rewrite_clnt.in, global/rewrite_clnt.ref,
7577 global/resolve_clnt.in, global/resolve_clnt.ref.
7579 Safety: configurable SMTPD reject codes for recipients not
7580 in {local,relay}_recipient,virtual_{alias,mailbox}}_maps,
7581 aptly named unknown_mumble_reject_code. Postfix installs
7582 with unknown_local_recipient_reject_code=450, unless the
7583 site already ran Postfix with local_recipient_maps enabled.
7584 Files: smtpd/smtpd.c, smtpd/smtpd_check.c, conf/post-install.
7586 20021218
7588 Feature: specify unverified_recipient_reject_code=250 or
7589 unverified_sender_reject_code=250 to accept mail for an
7590 address that is known to bounce. File: smtpd/smtpd_check.c.
7592 20021219
7594 Bugfix: longjmp() while sending "go away" without setjmp()
7595 in the QMQP server. Patrik Rak. File: qmqpd/qmqpd.c.
7597 Safety: the XVERP extension is restricted to clients listed
7598 in the authorized_verp_clients list (default: $mynetworks).
7599 File: smtpd/smtpd.c.
7601 Workaround: preliminary IPV6 support in valid_hostliteral().
7602 File: util/valid_hostname.c.
7604 20021220
7606 Bugfix: the reject_multi_recipient_bounce restriction had
7607 an off-by-one error when used in smtpd_data_restrictions.
7608 File: smtpd/smtpd_check.c.
7610 Feature: new check_recipient_maps restriction that gives
7611 finer control over when unknown recipients are rejected.
7612 As with Postfix 1.1, the default is to do this at the end
7613 of the recipient restrictions. Sites that want to improve
7614 performance can put check_recipient_maps at the start of
7615 the smtpd_client_restrictions list and avoid doing unnecessary
7616 RBL lookups etc. File: smtpd/smtpd_check.c.
7618 Feature: new show_user_unknown_recipient_table parameter
7619 controls whether or not to reveal the lookup table name in
7620 "User unknown" responses. The extra detail makes trouble
7621 shooting easier but also reveals information that is nobody
7622 elses business.
7624 20021221
7626 Workaround: don't allow the transport map to override the
7627 virtual alias class (error:User unknown) result. File:
7628 trivial-rewrite/transport.c.
7630 20030101
7632 Documentation update: new-style virtual domains broke the
7633 advanced content filtering example. Files: FILTER_README,
7634 RELEASE_NOTES-2.0.
7636 20030102
7638 Cleanup: use different client instances when the same map
7639 is opened with different flags. File: global/maps.c.
7641 Feature: proxymap server for Postfix table lookups. This
7642 helps to consolidate the number of open lookup tables (such
7643 as MYSQL or LDAP), or to overcome chroot restrictions
7644 (example: specify proxy:unix:passwd.byname to avoid the
7645 need for a copy of the UNIX passwd file in chroot jails).
7646 Files: global/dict_proxy.[hc], proxymap/proxymap.c
7648 Cleanup: multiservers such as trivial-rewrite and the new
7649 proxymap server now enforce the max_use total client number
7650 limit more agressively, by not accepting new connections
7651 after the limit is reached. Based on a patch by Victor
7652 Duchovni, Morgan Stanley. File: master/multi_server.c.
7654 20030103
7656 Cleanup: client stream endpoints not only have an idle time
7657 limit ($ipc_idle) before a connection is closed, they now
7658 also have a time to live ($ipc_ttl) to prevent connections
7659 from becoming too persistent. This allows multi-servers
7660 such as trivial-rewrite or the proxymap server to refresh
7661 more frequently on busy systems. File: global/clnt_stream.c.
7663 20030104
7665 Cleanup: avoid warnings about flag mismatches when the same
7666 lookup table is listed under both virtual_alias_maps and
7667 virtual_mailbox_maps. Files: global/virtual8.h, virtual/virtual.c.
7669 Bugfix: an obscure memory leak that puzzled me for more
7670 than a year until I found out how to reproduce it. File:
7671 util/vstream.c.
7673 20030105
7675 Cleanup: removed the address syntax check from the queue
7676 manager, since a better test was implemented recently in
7677 the trivial-rewrite server. Files: *qmgr/qmgr_message.c.
7679 Bugfix: redirect bounce/defer to the address verification
7680 service where appropriate. Files: *qmgr/qmgr_bounce.c,
7681 *qmgr/qmgr_defer.c.
7683 Bugfix: "no such file or directory" warnings after "postfix
7684 reload" when a chrooted smtpd reconnects to the proxy
7685 service. Fix: use "private/proxymap" if possible, otherwise
7686 use "$queue_dir/private/proxymap". File: global/dict_proxy.c.
7688 Robustness: daemons now chdir() to the queue directory
7689 before running the pre-jail initialization code, so that
7690 daemons running in stand-alone mode produce more consistent
7691 results. Files: master/single_server.c, master/multi_server.c.
7692 master/trigger_server.c.
7694 Bugfix: "sendmail -bs" tried to access the proxymap service.
7695 It should not try to open any user/domain/uce related tables
7696 at all. File: smtpd/smtpd.c.
7698 20030106
7700 Bugfix: bouncing to owner-alias was broken, i.e. the mail
7701 kept being deferred, and when that was fixed, another buglet
7702 came to light. File: bounce/bounce.c.
7704 Robustness: the master no longer aborts with "address
7705 already in use" when inet_interfaces specifies the same IP
7706 address multiple times, or when a TCP service in master.cf
7707 specifies a hostname for which the same IP address is listed
7708 multiple times. File: master/master_ent.c.
7710 20030107
7712 Robustness: check that FILTER actions in SMTPD access maps
7713 or cleanup header/body_checks have plausible syntax. Files:
7714 smtpd/smtpd_check.c, cleanup/cleanup_message.c.
7716 20030109
7718 Cleanup: unnecessary "premature end of file on xxx while
7719 reading yyy" warnings became exposed after some code
7720 simplification. Files" global/*_clnt.c, global/dict_proxy.c
7722 Robustness: undo the change that causes a multi-server
7723 process to stop accepting new connections while it still
7724 services existing clients for an extended amount of time.
7725 We need a better process retirement strategy. File:
7726 master/multi_server.c.
7728 20030110
7730 Cleanup: the virtual_mailbox_maps parameter is now optional
7731 even when virtual_mailbox_domains is. This makes virtual
7732 mailbox domains more like relay domains and the local
7733 domain.
7735 Portability: the makedefs script now uses the pcre-config
7736 utility to find out where things are installed.
7738 Bugfix: the SMTP server did not recognize the local built-in
7739 double bounce address as local. Reported by Matthias Andree.
7740 For safety sake, threw in the local postmaster address as
7741 well. File: smtpd/smtpd_check.c.
7743 20030113
7745 Added MAILER-DAEMON to the list of always recognized local
7746 addresses, since it is generated by Postfix bounces. File:
7747 smtpd/smtpd_check.c.
7749 20030114
7751 Bugfix: transport_errno was not reset upon successful
7752 transport map wildcard lookup after an earlier failure.
7753 Reported by Victor Duchovni. File: trivial-rewrite/transport.c.
7755 Cleanup: unnecessary warnings from the proxymap client
7756 after proxymap server disconnect. File: global/dict_proxy.c.
7758 Cleanup: Patrik Rak found a few more chattr invocations
7759 that were missed 20021209. Files: postfix-install,
7760 conf/post-install.
7762 Cleanup: the pcre-config command can produce null outputs.
7763 Matthias Andree. File: makedefs.
7765 Bugfix: the virtual(8) Makefile included $(AUXLIBS) in the
7766 dependencies.
7768 20030118
7770 Typos: some hyperlinks referred to flushd, which is the
7771 name that was used before the flush service was released.
7772 Reported by Victor Duchovni.
7774 Cleanup: smtpd no longer needed to open relocated_maps.
7776 20030119
7778 Cleanup: bounce messages used "X-Postfix" even when mail_name
7779 was set to something other than the default "Postfix" name.
7780 File: bounce/bounce-notify_util.c.
7782 20030120
7784 Bugfix: wrong FILTER_README instructions for disabling
7785 virtual alias mapping in the cleanup server before the
7786 content filter.
7788 Bugfix: wrong FILTER_README instructions for destination-dependent
7789 filtering, because relay_domains was specified incorrectly.
7791 20030122
7793 Bugfix: 20021207 (move relocated table lookup from queue
7794 manager to trivial-rewrite server) broke relocated table
7795 lookup results with mail not rejected at the SMTP port.
7796 Files: *qmgr/qmgr_deliver.c, *qmgr/qmgr_message.c.
7798 20030123
7800 Bugfix: a widely used maildir filename algorithm was broken.
7801 Postfix now uses TIME.DEVICE_INODE.HOST. Files: local/maildir.c,
7802 virtual/maildir.c.
7804 20030124
7806 Cleanup: queue structures no longer overload queue name
7807 and nexthop destination. Files: *qmgr/qmgr_message.c,
7808 *qmgr/qmgr_queue.c, *qmgr/qmgr_deliver.c.
7810 20030125
7812 Feature: "REDIRECT user@domain" action in access maps or
7813 in header/body_checks causes mail to be sent to the specified
7814 address instead of the intended recipient(s). I would never
7815 recommend that people use this to redirect (bounced) SPAM
7816 to the beneficiaries of an advertisement campaign. Files:
7817 smtpd/smtpd_check.c, cleanup/cleanup_message.c,
7818 *qmgr/qmgr_message.c.
7820 20030126
7822 Update: maildir filename algorithm updated according to
7823 today's version of http://cr.yp.to/proto/maildir.html.
7825 20030127
7827 Cleanup: use separate error messages for separate problems
7828 with computing the list of SASL authentication mechanisms.
7829 File: smtpd/smtpd_sasl_glue.c.
7831 20030130
7833 Bugfix: allow $name in default time values. File:
7834 global/mail_conf_time.c.
7836 20030205
7838 Feature: allow !, /file/name and map:name in masquerade_exceptions.
7839 By Liviu Daia. Files:cleanup_init.c, cleanup.h,
7840 cleanup_masquerade.c.
7842 20030219
7844 Bugfix: the local pickup daemon skipped unterminated records,
7845 since they happened to have the same record type code as
7846 content filtering instructions. Victor Duchovni. Files:
7847 global/rec_type.h, pickup/pickup.c.
7849 Portability: Postfix could block, and thus not enforce
7850 command execution time limits, while delivering mail to
7851 command. File: global/pipe_command.c.
7853 Bugfix: command execution time limits were not enforced
7854 because the child process killing code in pipe_command()
7855 was running with the wrong privileges. Problem reported by
7856 Ben Rosengart, Panix. File: global/pipe_command.c.
7858 Bugfix: duplicate recipient filtering in the cleanup server
7859 did not eliminate virtual expansion duplicates with the
7860 same original recipient. File: cleanup/cleanup_out_recipient.c.
7862 20030223
7864 Cleanup: added postmap/postalias -p option (do not inherit
7865 the source file permissions when creating a new file), for
7866 completeness. A feature that can't be turned off is a bug.
7867 Files: postmap/postmap.c, postalias/postalias.c.
7869 Bugfix: smtpd_hard/soft_error_limit off-by-one error, so
7870 that the real limit was one larger than the configured
7871 value. File: smtpd/smtpd.c, smtpd/smtpd_chat.c.
7873 20030226
7875 Safety: proxymap server defense against potential deadlock
7876 when some library routine wants to open a proxied table.
7877 Instead, proxymap opens the requested table directly. File:
7878 proxymap/proxymap.c.
7880 Portability: updated AIX 5.x system dependent definitions.
7881 File: util/sys_defs.h.
7883 20030227
7885 Bugfix: added mynetworks to the list of proxy_read_maps
7886 parameter settings that are pre-authorized to use proxied
7887 table lookups. File: global/mail_params.h.
7889 Cleanup: daemons now log what table has changed before
7890 restarting. Files: dict.c, and anything that invoked
7891 dict_changed().
7893 Cleanup: more consistency in the naming of lookup table
7894 handles as generated by maps(3) and by match_list(3).
7896 20030305
7898 Workaround: Postfix removes too long non-address text from
7899 message headers in order to protect vulnerable Sendmail
7900 systems against exploitation of the remote buffer overflow
7901 vulnerability described in CERT advisory CA-2003-07.
7903 20030311-19
7905 Bugfix: the access map actions HOLD, DISCARD, FILTER and
7906 REDIRECT were broken with smtpd_delay_reject=no and with
7907 ETRN. This required re-architecting of the actions code.
7908 Files: smtpd/smtpd.[hc], smtpd/smtpd_check.c, smtpd/smtpd_state.c.
7910 20030315
7912 Bugfix: the postsuper manual page documented support for
7913 the -c command line option, but it was not implemented.
7914 File: postsuper/postsuper.c.
7916 Bugfix: the Postfix 2.0 recipient map checking code broke
7917 the VRFY command, causing it to reply with status code 252
7918 for non-existent addresses. This required re-architecting
7919 the recipient table lookup code. File: smtpd/smtpd_check.c.
7921 20030319
7923 Feature: configurable limit on virtual alias expansion size
7924 and nesting depth, via the virtual_alias_expansion_limit
7925 and virtual_alias_recursion_limit parameters. The default
7926 limits are compatible with past Postfix versions. Victor
7927 Duchovni, Morgan Stanley. Files: /sample-resource.cf,
7928 html/resource.html, cleanup/cleanup.c, cleanup/cleanup_init.c,
7929 cleanup/cleanup_map1n.c.
7931 Feature: the installation procedure records build information
7932 (by default: in /etc/postfix/makedefs.out).
7934 20030324
7936 Bugfix: smtp-source flushed too often, causing suboptimal
7937 performance with smtp-source sending directly into smtp-sink.
7938 Files: smtpstone/smtp-source.c.
7940 20030410
7942 Safety: log a fatal error when a net/mask pattern has a
7943 non-zero host part, so that mail delivery is deferred.
7944 File: util/match_ops.c.
7946 20030411
7948 Bugfix: extraneous warning about out-of-order original
7949 recipient records by Patrik Rak. Files: *qmgr/qmgr_message.c.
7951 20030412
7953 Workaround: log a warning and reset the queue file time
7954 stamps when the file system clock is ahead of the local
7955 clock. File: global/mail_stream.c.
7957 20030414
7959 Feature: PostgreSQL client module, adopted by LaMont Jones.
7960 Files: README_FILES/PGSQL_README, util/dict_pgsql.c,
7961 util/dict_pgsql.h, conf/sample-pgsql-aliases.cf.
7963 Cleanup: the generic smtp client/server code in smtp_stream.c
7964 now has an explicit flush operation, and the smtp-source/sink
7965 programs are updated to take advantage of this.
7967 Cleanup: the file system clock drift detection code now
7968 runs only once per process instance, to minimize the
7969 performance impact. File: global/mail_stream.c.
7971 Robustness: avoid TIME_WAIT state with smtp/qmqp-source
7972 client sockets. This puts less strain on local system
7973 resources.
7975 20030415
7977 Cleanup: the file system clock drift detection code now
7978 runs only for incoming mail. File: global/mail_stream.c.
7980 20030416
7982 Bugfix: missing partial last line when 1) someone submits
7983 8-bit mail not ending in newline via /usr/sbin/sendmail
7984 and 2) MIME input processing is turned off, and 3) MIME
7985 8bit->7bit conversion is requested upon delivery via SMTP.
7987 Cleanup: auto-bcc recipients are now added in one place
7988 (the cleanup server) instead of by individual front-end
7989 servers (pickup, smtpd, qmqpd). This makes it easier to
7990 add auto-bcc features that trigger on sender or recipient
7991 addresses.
7993 Cleanup: "sendmail -t" (recipients from headers) is now
7994 implemented by the sendmail command instead of by the
7995 cleanup server. This means that the extract_recipient_limit
7996 configuration parameter is no longer needed. Files:
7997 sendmail/sendmail.c, cleanup/cleanup_message.c,
7998 cleanup/cleanup_extracted.c.
8000 Compatibility: "sendmail -t" (recipients from headers) now
8001 accepts command-line recipients instead of complaining.
8002 The extracted header recipients are added to the command-line
8003 recipients.
8005 Feature: sender/recipient_bcc_maps. These are indexed by
8006 sender/recipient address and are examined when mail enters
8007 from outside of Postfix. Files: cleanup/cleanup_addr.c.
8008 cleanup/cleanup_envelope.c cleanup/cleanup_extracted.c.
8010 20030417
8012 Feature: the SMTP client now falls back to native name
8013 service lookups (including /etc/hosts) when a host cannot
8014 be found in the DNS. This is controlled by a new parameter
8015 smtp_host_lookup (default: dns, native). Files: smtp/smtp.c,
8016 smtp/smtp_addr.c.
8018 20030418
8020 Bugfix: "sendmail -t" broke with unrecognized message
8021 headers.
8023 20030419
8025 Feature: "postcat -q" searches the queue for the named
8026 file.
8028 Cleanup: made postcat "record names" output more consistent.
8030 20030421
8032 Debugging: added some extra detailed error logging to the
8033 pipe-to-command delivery, to help folks with bizarre file
8034 truncation problems. File: global/pipe_command.c.
8036 20030424
8038 Cleanup: readlline() did not terminate the result before
8039 complaining about lines starting with whitespace.
8041 Cleanup: eliminated valid_hostname warning for invalid
8042 queue file names. File: global/mail_queue.c.
8044 Bugfix: lost three lines of code when readying the postcat
8045 command for release, which broke postcat -q. File:
8046 postcat/postcat.c.
8048 Bugfix: the Postfix sendmail command applied the message
8049 size limit when running as newaliases. The limiting code
8050 is now moved to the message enqueuing branch of the code.
8051 File: sendmail/sendmail.c.
8053 Documentation: start of documentation for the algorithm of
8054 Patrik Rak's clever queue manager scheduler (nqmgr). Files:
8055 conf/sample-scheduler.cf, README_FILES/SCHEDULER_README.
8057 20030429
8059 Bugfix: while verifying an address, the LMTP client entered
8060 a forbidden "next" sender state after the last recipient.
8061 Fix by Vladimir Davydoff. File: lmtp/lmtp_proto.c.
8063 Bugfix: "," was not recognized in proxy_read_maps settings.
8064 Fix by Leandro Santi. File: proxymap/proxymap.c.
8066 20030502
8068 Bugfix: defer delivery after .forward etc. file read error.
8069 File: local/token.c. Problem reported by Ben Rosengart,
8070 Panix.
8072 20030503
8074 Bugfix: the Postfix LMTP client used the wrong service
8075 name, causing trouble with SASL 2.1.13. Daniel Schales,
8076 Louisiana Tech. File: lmtp/lmtp_sasl_glue.c.
8078 20030518
8080 Workaround: IRIX select() reports that a non-blocking file
8081 descriptor is writable while write() transfers zero bytes.
8082 File: util/vstream.c. Superseded by change 20030523.
8084 20030520
8086 Cleanup: future time stamps in Received: headers and negative
8087 delays in delivery agent logging after "postdrop -r",
8088 because deferred queue files had future file modification
8089 times. File: src/postsuper/postsuper.c.
8091 20030521
8093 Cleanup: nqmgr warnings about "recipient count mismatch"
8094 after "postdrop -r", because the cleanup server did not
8095 count the "already done" recipients. Problem reported by
8096 Richard Stockton, Gramma Software. Files:
8097 cleanup/cleanup_envelope.c, cleanup/cleanup_extracted.c.
8099 20030523
8101 Workaround: IRIX select() reports that a non-blocking file
8102 descriptor is writable while write() transfers zero bytes.
8103 File: global/pipe_command.c.
8105 20030523-20030605
8107 Cleanup: rewrote the queue file record processing loops in
8108 pickup, cleanup and in [n]qmgr. This code had deteriorated
8109 a lot as the result of small changes over the years. This
8110 change brings the code closer to "obviously correct". Files:
8111 cleanup/cleanup_envelope.c, cleanup/cleanup_extracted.c,
8112 *qmgr/qmgr_message.c.
8114 Cleanup: Postfix no longer produces queue files with
8115 backwards compatibility data for Postfix versions < 1.0
8116 (a.k.a. 20010228). Files: cleanup/cleanup_extracted.c,
8117 showq/showq.c.
8119 Performance: the queue manager no longer has to examine
8120 every queue file record before it can start deliveries.
8121 This helps to avoid thrashing with very large mailing lists.
8122 Postfix queue files have an extra field in the size record
8123 with queue manager processing hints. This change is backward
8124 and forward compatible. Files: cleanup/cleanup_envelope.c,
8125 cleanup/cleanup_extracted.c, *qmgr/qmgr_message.c.
8127 20030528
8129 Compatibility: "sendmail -q<time>" without -bd option now
8130 exits immediately, instead of waiting for input on the
8131 standard input stream and screwing up system boot sequences.
8132 File: sendmail/sendmail.c.
8134 20030530
8136 Bugfix: client access denied with smtpd_delay_reject=no
8137 broke "sendmail -bs". Fix by Victor Duchovni, Morgan Stanley.
8138 File: smtpd/smtpd.c.
8140 20030531
8142 Compatibility: allow <@site,@site:address> route addresses
8143 in SMTP commands. File: smtpd/smtpd.c.
8145 20030605
8147 Cleanup: input checks moved from the pickup daemon to the
8148 postdrop mail submission command; this is to prepare for
8149 direct mail submission from postdrop->cleanup without going
8150 through the maildrop directory and the pickup service.
8151 Files: pickup/pickup.c, postdrop/postdrop.c.
8153 Bugfix: the "dead host" backoff timer in the MySQL client
8154 didn't work. Fix by Leandro Santi. File: util/dict_mysql.c.
8156 Bugfix: same problem in the PostgreSQL client. File:
8157 util/dict_pgsql.c.
8159 Workaround: turned off non-blocking write to pipe because
8160 too many systems give a weird write() result. File:
8161 global/pipe_command.c.
8163 Cleanup: added support for vstream_fseek(.., .., SEEK_END).
8164 File: util/vstream.c.
8166 20030608
8168 Feature: separate address resolver controls for address
8169 verification probe messages: address_verify_{local,virtual,
8170 relay,default}_transport, address_verify_relayhost, and
8171 address_verify_transport_maps. The default values are the
8172 regular versions of the same controls. Files: trivial-rewrite/*,
8173 global/resolve_clnt.[hc], *qmgr/qmgr_message.c.
8175 20030609
8177 Workaround: Solaris blocking socket read() may hang. Hernan
8178 Perez Masci and Leandro Santi. File: smtpd/smtpd.c.
8180 Bugfix: the "unread recipient" counter needs to be restored
8181 after the queue manager has a problem reading a queue file.
8182 Fix by Patrik Rak. File: nqmgr/qmgr_message.c.
8184 20030610
8186 Cleanup: the verify server now uses asynchronous submission
8187 of mail probes, so it will no longer block for in_flow_delay
8188 seconds when mail arrives faster than it is delivered.
8189 Still need to make mail_stream_finish() asynchronous in
8190 order to avoid blocking for trigger_timeout seconds when
8191 the queue manager is overwhelmed. Files: global/post_mail.c,
8192 verify/verify.c.
8194 Bugfix: removed extraneous sleep() after the last attempt
8195 to retrieve address verification status. File: smtpd/smtpd.c.
8197 20030611
8199 Bugfix: the stricter postdrop input filter broke "sendmail
8200 -bs". Found by Lutz Jaenicke. File: smtpd/smtpd.c.
8202 20030614
8204 Portability: Dropped support for client side LDAP caching.
8205 As of release 2.1.13 OpenLDAP no longer supports client
8206 side caching, it has been deprecated for some time, and
8207 never worked well. Implemented by Victor Duchovni, Morgan
8208 Stanley, and further enhanced by Lamont Jones, HP. Files:
8209 src/util/dict_ldap.c, conf/sample-ldap.cf,
8210 README_FILES/LDAP_README.
8212 Safety: Given suitable invalid database contents, LDAP
8213 lookups can produce too many results, enter an infinite
8214 loop in the expansion of "special result attributes" (LDAP
8215 DNs and LDAP URLs) or just consume excessive server resources
8216 returning large result sets. Three new (per LDAP map)
8217 configuration parameters enable one to set limits on
8218 recursive nesting, result expansion and the server response
8219 "entry" count. Implemented by Victor Duchovni, Morgan
8220 Stanley, further enanced by Lamont Jones, HP. Files:
8221 src/util/dict_ldap.c, conf/sample-ldap.cf,
8222 README_FILES/LDAP_README.
8224 20030616
8226 Feature: in mail delivery status reports, report the sender
8227 address as X-Postfix-Sender. Matthias Andree. File:
8228 bounce/bounce_notify_util.c.
8230 Cleanup: in mail delivery status reports, transform the
8231 original recipient into xtext format as required by RFC
8232 1891. Files: bounce/bounce_notify_util.c, util/xtext.[hc].
8234 Cleanup: more accurate "postfix check" warning for files
8235 that miss one or more of the required mode 02111 execute
8236 permission bits. Matthias Andree. File: conf/postfix-script.
8238 20030618
8240 After "postfix reload", the master daemon now warns when
8241 inet_interfaces has changed, and ignores the change, instead
8242 of passing incorrect information to the smtp server. File:
8243 master/master_ent.c.
8245 20030619
8247 Feature: the Postfix SMTP server can send all mail into a
8248 proxy server, for example a real-time SPAM filter. This
8249 proxy is supposed to send the mail into another Postfix
8250 SMTP server process for normal delivery. Files: smtpd/smtpd.c
8251 smtpd/smtpd_proxy.[hc].
8253 20030620
8255 Bugfix: a cut-and-paste error caused the proxy server's
8256 354 status code to be reported when a proxy connection
8257 broke during the DATA phase. File: smtpd.c.
8259 20030620
8261 Bugfix: after the last change to postdrop, postcat no longer
8262 recognized maildrop files as valid. File: postcat/postcat.c.
8264 Bugfix: after moving "sendmail -t" address extraction to
8265 sendmail, "-t" broke multi-line recipient headers. Victor
8266 Duchovni, Morgan Stanley. File: sendmail/sendmail.c.
8268 20030621
8270 Workaround: the safe_open(O_CREAT) race condition exploit
8271 avoiding code tries a little harder when it encounters a
8272 race condition. File: util/safe_open.c.
8274 20030624
8276 Bugfix: reject_unverified_address() set the defer_if_reject
8277 flag when the verify service was unavailable (which never
8278 happens). Victor Duchovni, Morgan Stanley. File:
8279 smtpd/smtpd_check.c.
8281 New parameters address_verify_poll_{count,delay} that
8282 control how often to poll the address verification service
8283 for the completion of an address verification request.
8284 Specify address_verify_poll_count=1 to implement a crude
8285 form of greylisting, that is, always defer the first delivery
8286 attempt for an unknown address. File: smtpd/smtpd_check.c.
8288 Bugfix: after the last change to postdrop, postcat no longer
8289 recognized non-maildrop queue files as valid. File:
8290 postcat/postcat.c.
8292 20030629
8294 Cleanup: replaced references to "simulated virtual domains"
8295 by "virtual alias domains". Victor Duchovni, Morgan Stanley.
8297 20030630
8299 Feature: smtp_quote_rfc821_envelope=(yes|no) to control
8300 RFC 821 style quoting of MAIL FROM and RCPT TO addresses.
8301 Files: global/mail_params.h, smtp/smtp.c, smtp/smtp_proto.c.
8303 20030701
8305 Bugfix: multi-recipient probes triggered a bug in the SMTP
8306 client. File: smtp/smtp_proto.c.
8308 Feature: enable_original_recipient (default: yes) to control
8309 whether Postfix keeps track of original recipient address
8310 information. Victor Duchovni, Morgan Stanley. Files:
8311 cleanup/cleanup.c, cleanup/cleanup_init.c,
8312 cleanup/cleanup_out_recipient.c, global/log_adhoc.c,
8313 global/mail_copy.c, *qmgr/qmgr_message.c.
8315 Feature: !/pattern/ support for PCRE lookup tables. Victor
8316 Duchovni, Morgan Stanley. Files: util/dict_pcre.c.
8318 Cleanup: allow whitespace after patterns in repexp and pcre
8319 tables. Victor Duchovni, Morgan Stanley. Files:
8320 util/dict_pcre.c, util/dict_regexp.c.
8322 20030702
8324 Feature: CIDR lookup table support, very remotely based on
8325 code by Jozsef Kadlecsik. Files: proto/cidr_table,
8326 util/dict_cidr.[hc].
8328 Feature: TCP lookup table support, finally finished. Files:
8329 proto/tcp_table, proto/dict_tcp.[hc].
8331 20030705
8333 Feature: new receive_override_options parameter controls
8334 what happens before or after an external content filter:
8335 rejecting unknown recipients, canonical and virtual address
8336 mapping, address masquerading, automatic BCC recipients
8337 and header/body checks. This eliminates the need to configure
8338 multiple cleanup services in the master.cf file.
8340 20030707
8342 Feature: context dependent SASL security options (i.e.
8343 different options when TLS is enabled/disabled). Lutz
8344 Jaenicke. Files: */*sasl_glue.[hc].
8346 20030708
8348 Hardened the attr_scan routines for exposure to an untrusted
8349 environment, in preparation for possible use with SMTP
8350 policy delegation to an external server.
8352 Feature: address filter for RBL lookups, for use with
8353 multi-valued RBL services. File: smtpd/smtpd_check.c.
8355 20030709
8357 Cleanup: use off_t instead of int for VSTREAM file offsets.
8358 This was needed for mailboxes > 2GB on 32-bit systems.
8359 Files: util/vstream.c, global/mail_copy.c.
8361 20030710
8363 Support for multiple A and TXT results in RBL lookups.
8364 Victor Duchovni, Morgan Stanley. File: smtpd/smtpd_check.c.
8366 Support for attribute-based query-reply protocols. Files:
8367 util/attr_clnt.[hc], util/auto_clnt.[hc].
8369 20030711
8371 Support for plain "name=value\n" attribute protocol. Files:
8372 util/attr_{scan,print}_plain.c.
8374 Bugfix: the LMTP session caching code did not reset the
8375 EHLO server feature list when it needed to reconnect.
8376 Problem found by Tobias Erbsland.
8378 20030712
8380 Feature: delegated SMTP policy server. As an example, see
8381 the greylisting server in examples/smtpd-policy. Specify
8382 "check_smtpd_policy_service" in smtpd_mumble_restrictions.
8383 See SMTPD_POLICY_SERVICE_README for details.
8385 20030716
8387 Bugfix: in the sample policy server, changed "ok" into
8388 "dunno" so the server can be used in the middle of a
8389 restriction list.
8391 Cleanup: when an RBL reply has multiple TXT records,
8392 concatenate them up to some reasonable limit, instead of
8393 selecting one randomly. File: smtpd/smtpd_check.c.
8395 Safety: always truncate SMTP server error replies to 512
8396 bytes. File: smtpd/smtpd_check.c.
8398 20030717
8400 Documentation: added description of policy_time_limit to
8401 the SMTPD_POLICY_README document.
8403 Documentation: corrected the command time limit parameter
8404 syntax in the spawn(8) manual page.
8406 Feature: defer_if_permit and defer_if_reject actions in
8407 access tables, mainly for use by the delegated policy
8408 server. Files: smtpd/smtpd_check.c, proto/access.
8410 20030725
8412 The dict_pgsql module did not use dict_alloc() and dict_free(),
8413 causing improper initialization and a memory leak. Leandro
8414 Santi. File: util/dict_pgsql.c.
8416 Cleanup: added open_flags sanity checks to the dict_pgsql
8417 and dict_mysql modules. These maps must be opened in
8418 read-only mode.
8420 20030731
8422 Bugfix: virtual(8) was changed to use mail_addr_find()
8423 instead of virtual8_maps_find(), but the SMTP server's
8424 virtual mailbox recipient validation was not updated.
8426 20030804
8428 Bugfix: the 20030712 safety against invalid DNS results
8429 was broken. Reported by Ralf Hildebrandt. File:
8430 dns/dns_lookup.c.
8432 20030805-12
8434 Safety: the pipe daemon now defers delivery with a warning
8435 when it is given a non-existent command-line macro name.
8436 File: pipe/pipe.c.
8438 20030810
8440 Bugfix: dict_ldap had a few harmless memory leaks. By
8441 Liviu Daia. File: util/dict_ldap.c.
8443 Feature: support for LDAP URLs in the LDAP parameter
8444 "server_host", if Postfix is linked against OpenLDAP. This
8445 allows Postfix to connect to LDAP SSL sources. By Liviu
8446 Daia. File: util/dict_ldap.c.
8448 20030811
8450 Cleanup: produce a warning when host:port specifies a badly
8451 formatted numerical port. Files: util/find_inet.c,
8452 smtp/smtp_connect.c, lmtp/lmtp_connect.c.
8454 20030822
8456 Feature: the export_environment and import_environment
8457 parameters now accept name=value information that will be
8458 entered into the new environment. File: util/clean_env.c.
8460 20030823
8462 Feature: smtpd_sasl_exceptions_networks parameter to prevent
8463 Postfix from offering AUTH to clients that match the listed
8464 networks. Based on code by Ben Rosengart, Panix. Files:
8465 conf/sample-auth.cf, smtpd/smtpd.c.
8467 20030902
8469 Portability: the Postfix master resets the file size to
8470 the largest possible off_t value when the actual limit
8471 appears to overflow the off_t range. Files: util/sys_defs.h,
8472 util/file_limit.c. A fine sample of bit banging.
8474 20030905
8476 Workaround: Solaris 8 select() claims that a non-blocking
8477 socket is readable and then read() fails with EAGAIN. Files:
8478 util/timed_read.c and as precautionary measure,
8479 util/timed_write.c.
8481 Bugfix: dict_register() should not be called from dict_open()
8482 in dict_mysql and dict_pgsql. Liviu Daia. Files:
8483 util/dict_mysql.c, util/dict_pgsql.c.
8485 Feature: LDAP parameters can now be specified in external
8486 files. This makes it possible to securely store bind
8487 passwords for plain auth outside of main.cf (which is world
8488 readable). By Liviu Daia, based on a suggestion by Victor
8489 Duchovni and Lamont Jones. File: util/dict_ldap.c.
8491 Feature: STARTTLS option for LDAP, if Postfix is linked
8492 against OpenLDAP. By Liviu Daia, amended by Victor Duchovni.
8493 File: util/dict_ldap.c.
8495 Cleanup: connections to LDAP sources are now postponed
8496 until they are actually needed. By Liviu Daia. File:
8497 util/dict_ldap.c.
8499 20030908
8501 The 20030905 Solaris workaround triggers too many warnings.
8502 TCP sockets are back to blocking, and keepalives are turned
8503 on to kill off dead sockets, as suggested by Leandro Santi.
8504 Files: master/{single,multi}_server.c, smtpd/smtpd.c,
8505 util/sys_defs.h.
8507 20030909
8509 Bugfix: the LMTP session caching code had problems with
8510 SASL authentication after the first connection, and pipelining
8511 was working poorly. Fix by Victor Duchovni, Morgan Stanley.
8512 Files: lmtp/lmtp.c, lmtp/lmtp_proto.c.
8514 20030912
8516 Workaround: besides SMTP server sockets, SMTP client sockets
8517 can also hang on Solaris, as reported by Leandro Santi. In
8518 order to deal with this at the root, all connection management
8519 is now done by sane_accept() and sane_connect(). Both turn
8520 on keepalives on Solaris.
8522 20030913
8524 Safety: set-gid commands don't trust TZ. File: msg_syslog.c.
8526 20030914
8528 Address extension propagation wasn't documented enough when
8529 it was added to Postfix. Based on patches by Roman Neuhauser.
8531 Added clarifying notes to main.cf, master.cf and access by
8532 Dean Gibson.
8534 In header/body_checks, DUNNO is now the preferred action
8535 instead of the now deprecated OK. This may confuse fewer
8536 people.
8538 In header/body_checks, allow text after IGNORE and DUNNO,
8539 suggested by Victor Duchovni, Morgan Stanley. File:
8540 src/cleanup/cleanup_message.c.
8542 Feature: reject_rhsbl_helo. File: smtpd/smtpd_check.c.
8544 Bugfix? The LMTP and SMTP clients now send "MAIL FROM:<sender>
8545 AUTH=<>" when SASL authenticated. Suggested by by Victor
8546 Duchovni, Morgan Stanley. Files: smtp/smtp_proto.c,
8547 lmtp/lmtp_proto.c.
8549 20030915
8551 Bugfix: mail rejected by the before-queue content filter
8552 was mis-labeled as a software error; it should be labeled
8553 as a policy error instead. File: smtpd/smtpd.c.
8555 Cleanup: postcat is now null-byte transparent. File:
8556 postcat/postcat.c.
8558 20030916
8560 Feature: ``check_{sender,recipient}_mx_access maptype:mapname''
8561 applies the named Postfix access table to the MX host name
8562 and IP addresses for the sender or recipient address. If
8563 no MX record is found, the A record is used instead. File:
8564 smtpd/smtpd_check.c.
8566 Feature: ``check_{sender,recipient}_ns_access maptype:mapname''
8567 applies the named Postfix access table to the DNS server
8568 hostname and IP addresses for the sender or recipient
8569 address. If no NS record is found, the parent domain is
8570 used instead. File: smtpd/smtpd_check.c.
8572 20030917
8574 Feature: ``check_helo_{ns,mx}_access maptype:mapname'',
8575 same semantics as sender and recipient.
8577 Multiple LDAP lookup tables in the one Postfix process now
8578 share one LDAP connection. Code by Victor Duchovni, Morgan
8579 Stanley. File: util/dict_ldap.c.
8581 Performance: with prefix_domain specified for an LDAP lookup
8582 table, lookups of @domain are skipped. Code by Victor
8583 Duchovni, Morgan Stanley. File: util/dict_ldap.c.
8585 Safety: check_mumble_{mx,ns}_access refuses to be used for
8586 whitelisting. The Postfix SMTP server will reject the
8587 request with "451 server configuration error" and will log
8588 a warning explaining why. File: smtpd/smtpd_check.c.
8590 20030918
8592 Bugfix: check_mumble_ns_access did not correctly look up
8593 NS records of parent domains, causing mail to be deferred
8594 with a 450 status code. File: smtpd/smtpd_check.c.
8596 20030919
8598 Robustness: check_mumble_{mx,ns}_access skip over DNS lookup
8599 failures instead of deferring mail. This is not as bad as
8600 it appears to be because the restrictions can't be used
8601 for whitelisting. File: smtpd/smtpd_check.c.
8603 20030920
8605 Bugfix: the 20030917 LDAP connection sharing code introduced
8606 a compilation problem with non-OpenLDAP implementations.
8607 Fix by Liviu Daia. File: util/dict_ldap.c
8609 Compatibility: the LDAP server_host parameter now supports
8610 all the usual Postfix list element delimiters. Some LDAP
8611 libraries support just SPACE, others SPACE and ",". Postfix
8612 now normalizes the host list into a space separated format.
8613 This is less surprising to Postfix users used to the full
8614 range of delimeters in other contexts. Implemented by Liviu
8615 Daia. File: util/dict_ldap.c
8617 Bugfix: after returning too old mail, the bounce daemon
8618 now locks the original queue file and deletes deferred
8619 recipients, to avoid repeated bounce notifications when
8620 the queue manager is restarted. Files: bounce/*.[hc],
8621 global/bounce_log.[hc], global/{bounce,defer}.[hc] and
8622 everything that invokes these routines including queue
8623 manager and delivery agents.
8625 20030922
8627 Feature: "XADDR address hostname" SMTP command, for SMTPD
8628 restriction debugging, and for sites with fetchmail-like
8629 software that extracts client information from the first
8630 Received: header. The smtpd_authorized_xaddr_clients
8631 parameter specifies what clients are allowed to use XADDR
8632 (default: none). Files: smtpd/smtpd.c.
8634 20031015
8636 Workaround: smtpd access maps should not apply subdomain
8637 name magic to numerical hostnames. File: smtpd/smtpd_check.c.
8639 Safety: the local delivery agent now defers delivery when
8640 alias lookup produces an empty result. File: local/alias.c.
8642 20031019
8644 Workaround: disable request/reply size limit in attr_scan*.c
8645 to prevent mail from getting stuck when rewriting a malformed
8646 message header. This limit was turned on with snapshot
8647 20030715 to harden the protocol that is used by SMTPD policy
8648 delegation. A "no code change" workaround is to specify
8649 "header_size_limit = $line_length_limit". The proper fix
8650 is to enforce request/reply size limits only for data from
8651 outside of Postfix. Problem reported by Brandon Mullenberg,
8652 Dialup USA. Files: util/attr_scan*.c.
8654 Feature: "XLOGINFO address hostname" SMTP command, so that
8655 Postfix daemons behind SMTPD pass-through proxies log useful
8656 client name/address information instead of localhost[127.0.0.1].
8657 The smtpd_authorized_xloginfo_clients parameter specifies
8658 what clients are allowed to use XLOGINFO (default: none).
8659 Files: smtpd/smtpd.c.
8661 Cleanup: renamed the authorized_verp_clients parameter to
8662 smtpd_authorized_verp_clients for consistency.
8664 20031021
8666 Workaround: the demo greylist script now uses BTREE instead
8667 of HASH files for hopefully better stability. The real fix
8668 is to use a single updater process that serves multiple
8669 clients. That approach seems to work well with the verify
8670 daemon. File: examples/smtpd-policy/smtpd-policy.pl.
8672 20031022
8674 Safety: the SMTP server now warns when the queue_minfree
8675 value is less than twice the message size limit. File:
8676 smtpd/smtpd.c.
8678 Safety: the SMTP server no longer accepts mail when the
8679 amount of free space is less than twice the message size
8680 limit. File: smtpd/smtpd_check.c.
8682 Safety: log a warning and defer mail when canonical or
8683 virtual lookups return a non-address result (like a string
8684 that contains no address). File: global/mail_addr_map.c.
8686 Safety: log a warning and defer mail when any map lookup
8687 returns an empty string result, and explain that "no result"
8688 is expected in case of a "not found" condition. This happens
8689 with incorrectly implemented SQL or LDAP tables. File:
8690 global/maps_find.c.
8692 20031023
8694 Bugfix: the MYSQL and PGSQL modules invoked dict_register().
8695 This was fixed a while ago but never made it into the
8696 distribution. Files: util/dict*sql.c.
8698 Robustness: added three ISSPACE() calls in the smtpd proxy
8699 parser. File: smtpd/smtpd_proxy.c.
8701 20031024
8703 Portability: added localhost to mydestination for sites
8704 that turn off append_dot_mydomain. File: global/mail_params.h.
8706 20031027
8708 Portability: MacOS X Bind8 compatibility. File: makedefs.
8710 20031103
8712 Robustness: flush pipelined "." and "quit" replies to avoid
8713 repeated deliveries in case of a program crash (you know,
8714 the kind of thing that happens before Postfix release :-).
8715 File: smtpd/smtpd.c.
8717 20031105
8719 Portability: turn off NETINFO support for MacOS X Panther
8720 by default. Files: makedefs, util/sys_defs.h.
8722 20031106
8724 Feature: the sample greylist policy server is now case
8725 insensitive. File: examples/smtpd-policy/smtpd-policy.pl.
8727 20031103-20031110
8729 Feature: preliminary defense against SMTP clients that
8730 hammer the SMTP server with too many simultaneous or
8731 successive connection attempts, with a whitelist capability
8732 to disable the restriction for authorized clients. Most
8733 work is implemented by a new "anvil" server. Parameters:
8734 smtpd_client_connection_count_limit, smtpd_client_connection-
8735 _rate_limit, smtpd_client_connection_limit_exceptions, and
8736 client_connection_rate_time_unit. Documentation: smtpd(8),
8737 anvil(8), sample-smtpd.cf. Files: smtpd/smtpd.c,
8738 global/anvil_clnt.[hc], anvil/anvil.c. The anvil server
8739 logs peak count and rate information per client when it
8740 terminates after running out of work or after "postfix
8741 reload".
8743 20031110
8745 Cleanup: Postfix now supports the /0 netmask (match every
8746 address). This is useful as a catch-all pattern at the
8747 end of a table. Files: util/dict_cidr.c, util/match_ops.c.
8749 Cleanup: don't report that $queue_directory/etc/filename
8750 differs from /etc/filename when /etc/filename does not
8751 exist. File: conf/postfix-script.
8753 20031112
8755 Feature: client_connection_status_update_time parameter
8756 controls periodic logging of maximal connection counts or
8757 rates. The default logging interval is 10 minutes.
8759 Feature: "make makefiles WARN=stuff..." overrides the
8760 built-in GCC warning options that are used when "make" is
8761 invoked from within a source subdirectory. Files: makedefs,
8762 */Makefile.in.
8764 20031125
8766 Feature: qmgr logs "queueid: deleted", just like postsuper,
8767 when it removes a message from the mail queue.
8769 Performance: smtpd connects to the cleanup or proxy server
8770 AFTER the first valid RCPT TO command, instead of after
8771 the first valid MAIL FROM command. This avoid wasting
8772 real-time proxy filter resources when mail is stopped by
8773 the SMTP server's access blocks. File: smtpd/smtpd.c.
8775 20031126
8777 Bugfix: "panic: mymalloc: requested length 0" when master.cf
8778 specified an invalid host name or address. Postfix now
8779 logs more specific information. File: master/master_ent.c.
8780 Reported by several people.
8782 20031125-20031201
8784 Feature: XCLIENT support to override the SMTP server's
8785 client information for logging and/or access control. This
8786 replaces the short-lived XADDR and XLOGINFO extensions.
8787 Remotely based on code by Victor Duchovni. See FILTER_README
8788 and SMTPD_PROXY_README for usage details. Files:
8789 smtpd/{smtpd,smtpd_check,smtpd_proxy,smtpd_xclient}.c
8790 smtp/smtp_smtp_proto.c, *qmgr/qmgr_message.c,
8791 global/deliver_request.c.
8793 20031202
8795 Cleanup: postfix-files now has support for files that are
8796 no longer part of Postfix. When upgrading Postfix, the
8797 post-install script gives the user a reminder. Files:
8798 conf/postfix-files, conf/post-install.
8800 20031203
8802 Support for SMTPD access map actions (FILTER, REDIRECT,
8803 HOLD or DISCARD) that are delegated to the cleanup server,
8804 but can trigger before the first valid recipient address
8805 is accepted (and thus, before a cleanup server connection
8806 is available). Files: smtpd/{smtpd,smtpd_state,smtpd_check}.c.
8808 20031204
8810 Bugfix: conf/post-install didn't skip non-existent obsolete
8811 files. Victor Duchovni.
8813 Minor cleanups of the xclient error messages; xclient
8814 command lookup tables. File: smtpd/smtpd.c.
8816 20031206
8818 Feature: reject_sender_login_mismatch allows multiple owners
8819 of a sender address. Code by Liviu Daia. Files:
8820 smtpd/smtpd_check.c and documentation.
8822 reject_sender_login_mismatch is now implemented by elementary
8823 features reject_unauthenticated_sender_login_mismatch
8824 (reject if the client is not SASL logged in but the sender
8825 address has an owner in smtpd_sender_login_maps) and
8826 reject_authenticated_sender_login_mismatch (reject if the
8827 client is SASL logged in but does not own the sender
8828 address). Code by Liviu Daia. Files: smtpd/smtpd_check.c
8829 and documentation.
8831 20031207
8833 Bugfix: fallback_transport and mailbox_transport were broken
8834 because the deliver_pass.c module was not updated for the
8835 changed message delivery protocol.
8837 20031211
8839 Safety: in dynamically growing data structures, update the
8840 length info after (instead of before) updating the data
8841 size. Files: util/argv.c, util/inet_addrlist.c, util/intv.c,
8842 util/mvect.c, util/vstring.c, global/recipient_list.c,
8843 *qmgr/qmgr_rcpt_list.c.
8845 20031212
8847 Cleanup: separate extensions XCLIENT (impersonate SMTP
8848 client) and XFORWARD (down-stream logging of up-stream MTA
8849 and/or message information, not necessarily SMTP related).
8850 The protocol is extensible: the server advertises what
8851 attributes XCLIENT or XFORWARD will accept, and it is an
8852 error to send an unsupported attribute. No xtext encoding
8853 is used, since no attribute currently needs it. See also:
8854 XCLIENT_README and XFORWARD_README.
8856 20031214
8858 Feature: XFORWARD support in the LMTP client.
8860 20031215
8862 Safety: updated mail_queue_id_ok() for long fast flush
8863 logfile names. File: global/mail_queue.c.
8865 Robustness: save and restore the resolver _res.options
8866 settings before and after DNS lookup, to avoid surprises
8867 in third-party code. This may eliminate some "localhost
8868 not found" problems. File: dns/dns_lookup.c.
8870 20031216
8872 Cleanup: easier to parse mailq output (no more space
8873 between short queue ID and message status). File:
8874 showq/showq.c.
8876 20031216-21
8878 Cleanup: the SMTP client now moves on to the next MX host
8879 or fallback relay when delivery fails in the middle of an
8880 SMTP session. This includes both broken connections and
8881 4xx SMTP server replies. Files: smtp/smtp.c, smtp_rcpt.c,
8882 smtp/smtp_connect.c, smtp_trouble.c.
8884 Configuration parameters: smtp_mx_address_limit (limit the
8885 list of IP addresses from MX lookup), and smtp_mx_session_limit
8886 (limit the number of actual SMTP sessions per delivery
8887 attempt, ignoring unusable MX IP addresses).
8889 The new code centers around a mark-and-sweep algorithm
8890 (replacing code that twiddled the rcpt->offset structure
8891 member), with paranoid sanity checks to ensure that every
8892 recipient is explicitly accounted for.
8894 20031217
8896 Update: LDAP client logging (Liviu Daia) and LDAP client
8897 documentation (Victor Duchovni). Files: util/dict_ldap.c,
8898 conf/sample-ldap.cf, README_FILES/LDAP_README.
8900 20031222
8902 Cleanup: shaved half the worst-case bits off the cleanup
8903 duplicate address filter footprint. After discussion with
8904 Victor Duchovni. File: cleanup/cleanup_out_recipient.c.
8906 Safety: added "mail loops to myself" logic for destinations
8907 that don't have an MX host. File: smtp/smtp_addr.c.
8909 20031223
8911 Workaround: turn off "mail loops to myself" for non-MX
8912 destinations because it breaks SMTP-based content filters.
8913 Fix is to turn off loop detection when a non-default TCP
8914 port is specified. File: smtp/smtp_addr.c.
8916 Bugfix: restore errno after write failure in SIGCHLD handler.
8917 Leandro Santi (who got the idea from Hernan Perez Masci).
8918 File: master/master_sig.c.
8920 Bugfix: the auto_clnt module disconnected too early, causing
8921 unnecessary work by the anvil server.
8923 Cleanup: eliminated binary hashes from anvil server. Anvil
8924 client information is now stored on top of its VSTREAM.
8926 20031226
8928 Feature: bounce_queue_lifetime parameter (default:
8929 $maximal_queue_life_time) that bounds the time that
8930 MAILER-DAEMON messages spend in the queue before they are
8931 considered undeliverable.
8933 Feature: disable "mail loops back to myself" protection
8934 when SMTP mail is sent to a non-standard port. This makes
8935 setting up content filters less painful.
8937 Cleanup: disallow bare x.x.x.x numeric IP addresses in
8938 email addresses. The form user@[x.x.x.x] is still allowed.
8940 Cleanup: cleaned up the naming of internal symbols in the
8941 SMTP client.
8943 20031231
8945 Bugfix: stricter address syntax test broke "sendmail -bs".
8946 File: smtpd/smtpd.c.
8948 20040101
8950 Cleanup: the Postfix SMTP server rejects a MAIL FROM address
8951 that matches a local, virtual or relay domain, while the
8952 address is not listed in the corresponding local, virtual
8953 or relay recipient table.
8955 Feature: the reject_unlisted_sender(recipient) SMTPD access
8956 restriction rejects an address that matches a local, virtual
8957 or relay domain, while the address is not listed in the
8958 corresponding local, virtual or relay recipient table.
8960 Compatibility: the check_recipient_maps restriction works
8961 like reject_unlisted_recipient, but will eventually be
8962 removed from Postfix.
8964 20040102
8966 Misc documentation cleanup by Loic Minier.
8968 20040104
8970 Workaround: MacOSX dumps core on the 20030913 TZ censoring
8971 code. We explictly set TZ=UTC, which will produce incorrect
8972 results when "mailq" formatting is moved from the showq
8973 daemon to the postqueue command. File: msg_syslog.c.
8975 Feature: after mail is requeued with "postsuper -r", the
8976 pickup server logs the old queue ID together with the new
8977 queue ID. Victor Duchovni. File: pickup/pickup.c.
8979 Feature: smtpd_sasl_application_name parameter (default:
8980 smtpd) to control the name of the SASL configuration file
8981 used by the Postfix SMTP server. Liviu Daia. Files:
8982 mail_params.h, smtpd.c, smtpd_sasl_glue.c.
8984 Cleanup: the LDAP client configuration parser is now shared
8985 between the LDAP, MySQL, and PGSQL clients. Liviu Daia.
8986 Files: global/cfgparser.[hc], global/dict_ldap.c,
8987 global/dict_mysql.c, global/dict_pgsql.c and documentation.
8989 Cleanup: moved "util" modules with dependencies on higher-level
8990 "global" code from the util directory to the global directory:
8991 util/dict_open.c, global/cfgparser.[hc], global/dict_ldap.c,
8992 global/dict_mysql.c, global/dict_pgsql.c, global/mail_dict.c.
8994 Cleanup: the new queue manager nqmgr replaces the default
8995 queue manager qmgr, leaving behind a hard link for backwards
8996 compatibility. The old queue manager remains available as
8997 as oqmgr but will eventually be removed.
8999 Bugfix: vstring_get() etc. now return VSTREAM_EOF when they
9000 terminate prematurely, instead of returning the last
9001 character stored. This avoids mis-leading warnings. File:
9002 global/vstring_vstream.c.
9004 20040105
9006 Cleanup: don't bother the flush daemon while deferring mail
9007 if the destination is not "fast flush" eligible. File:
9008 global/flush_clnt.c.
9010 Safety: the SMTP server flushes recipients to the cleanup
9011 server in order to avoid SMTP timeouts when virtual or
9012 canonical expansions take a lot of time. File smtpd/smtpd.c.
9014 Safety: add warnings to postmap and postalias when table
9015 lookup results in an empty string.
9017 20040110
9019 Example: script to run qmail-local from Postfix by Ron
9020 Bickers.
9022 Change: queue minfree limit is now 1.5 * message size limit.
9023 File: smtpd/smtpd_check.c.
9025 Bugfix: apply hostname restriction even when host address
9026 lookup fails in check_{sender,recipient}_{ns,mx}_access.
9027 File: smtpd/smtpd_check.c.
9029 20040115
9031 Performance: allow delivery concurrency to increase even
9032 while mail is deferred, as long as the delivery agent does
9033 not report really serious trouble with the destination.
9034 Files: *qmgr/qmgr_deliver.c.
9036 Cleanup: in postfix-files, symbolic links and hard links
9037 are now first-class citizens with explicit mention of source
9038 and destination pathnames. Files: postfix-install,
9039 conf/postfix-files, conf/post-install.
9041 20040116
9043 Cleanup: sendmail -v caused one mail delivery report upon
9044 every delivery attempt, not just the first one. The fix is
9045 to "kill" a queue file record after the first delivery
9046 attempt. This means a new record type. Files: *qmgr/qmgr_active.c,
9047 *qmgr/qmgr_message.c, global/rec_type.c.
9049 Cleanup: in anticipation of other built-in rate limiters,
9050 the client_connection_rate_time_unit parameter is renamed
9051 to client_rate_time_unit.
9053 Documentation: finished the HOSTING_README file with an
9054 overview of methods to host domains with Postfix.
9056 20040119
9058 Bugfix: anvil (count and rate limiting) server race condition
9059 could result in dangling pointer. Postfix erases memory
9060 after allocating and before freeing, so it is extremely
9061 unlikely that this could be used to bring harmful data into
9062 the anvil server. File anvil/anvil.c.
9064 20040120
9066 Cleanup: new header_checks(5) and body_checks(5) manual
9067 pages. The sample-regexp* and sample-pcre* files are no
9068 longer needed and have been removed, as are the default
9069 *_table configuration files.
9071 Cleanup: support for the non-standard Errors-To: header is
9072 removed. File: cleanup/cleanup_message.c.
9074 20040121
9076 Feature: "PREPEND headername: headervalue" action in Postfix
9077 access maps, to facilitate external policy servers that
9078 label mail instead of rejecting it. Files: smtpd/smtpd.c,
9079 smtpd/smtpd_check.c.
9081 20040122
9083 UNDO the 20040104 change (vstring_get() etc. return
9084 VSTREAM_EOF when they terminate prematurely, instead of
9085 returning the last character stored, to avoid mis-leading
9086 warnings). File: global/vstring_vstream.c.
9088 Portability: test -e is not portable. File: conf/postfix-script.
9090 Misc. documentation fixes by Victor Duchovni.
9092 Documentation: the README files are now hyperlinked, and
9093 are referenced in the on-line manual pages.
9095 Bugfix: the pickup daemon now strokes the watchdog frequently
9096 to prevent the watchdog from barking when mail arrives
9097 faster than it can be picked up. File: pickup/pickup.c.
9099 20040123
9101 Feature: set smtpd_reject_unlisted_{sender,recipient}=no
9102 to turn off automatic rejection of non-existent local,
9103 virtual or relay addresses. This way it can be made
9104 conditional for local clients, always on for remote clients.
9105 Files: global/mail_params.h, smtpd/smtpd.c, smtpd/smtpd_check.c.
9107 20040124
9109 Feature: PREPEND in header/body_checks, for message tagging.
9110 File: cleanup/cleanup_message.c.
9112 20040126
9114 Safety: handle the case that main.cf is updated while it
9115 is being read. File: util/dict.c.
9117 Feature: "instance" attribute that links policy etc. queries
9118 to the same message instance.
9120 Cleanup: the mynetworks setting may now be empty. File:
9121 global/mail_params.c.
9123 20040127
9125 Bugfix: missing flush_init() call. Introduced 20040105.
9126 File: postqueue/postqueue.c.
9128 20040128
9130 Cleanup: clnt_stream derived classes now try to detect that
9131 the server has disconnected before sending data and warning
9132 about an error. File: global/clnt_stream.c.
9134 20040202
9136 Bugfix: changed mis-leading warning about text>4096 characters
9137 into "unexpected end-of-input". File: util/attr_scan0.c.
9139 20040201
9141 Feature: sasl_method, sasl_username and sasl_sender attributes
9142 in smtpd policy queries. Files: src/smtpd/smtpd_check.c.
9144 20040204
9146 Safety: smtpd_soft_error_limit now determines when
9147 $smtpd_error_sleep_time starts to take effect.
9149 Cleanup: local(8) and virtual(8) will now create maildirs
9150 in a world-writable directory. Files: util/make_dirs.c.
9152 Bugfix: don't panic on a corrupt queue file. File:
9153 *qmgr/qmgr_message.c.
9155 20040205
9157 Cleanup: sample-filter.cf is gone. Better documentation is
9158 available with "man header_checks".
9160 20040209
9162 Bugfix: when delivery to smtpd_proxy_filter fails, report
9163 "451 Queue file write error" instead of repeating the
9164 previous "354 End data with <CR><LF>.<CR><LF>" response.
9165 File: smtpd/smtpd.c.
9167 20040220
9169 Compatibility: accept and ignore the sendmail -bh and -bH
9170 mode of operation requests.
9172 20040302
9174 Bugfix: SMTPD proxy didn't send QUIT as the result of code
9175 duplication. Evidence reported by Mark Martinec. File:
9176 smtpd/smtpd.c.
9178 20040311
9180 Bugfix: bad address syntax was passed to transport map
9181 lookups. Problem reported by Andrei Koulik. File:
9182 util/match_ops.c, trivial-rewrite/resolve.c.
9184 20040324
9186 Portability: ekkoBSD support by Philip Reynolds. Files:
9187 makedefs, util/sys_defs.h.
9189 20040325
9191 Cleanup: smtp_skip_4xx_greeting and smtp_skip_5xx_greeting
9192 functionality is moved from connection management to SMTP
9193 protocol processing, so that Postfix now logs the server
9194 response when a server refuses to provide service. Files:
9195 smtp/smtp_connect.c, smtp/smtp_proto.c.
9197 Cleanup: smtp_skip_4xx_greeting is no longer configurable;
9198 it is now permanently turned on.
9200 20040326
9202 Workaround: in the trivial-rewrite server, turn on the code
9203 to strip trailing "." while rewriting addresses, and change
9204 the address resolver to strip trailing "." in a compatible
9205 manner. This does not eliminate the problem that the SMTP
9206 server may use a different address for recipient validation
9207 than what the cleanup server uses for virtual alias mapping.
9209 20040329
9211 Bugfix: the SMTP server did not log client (and SASL)
9212 information with the real-time content filter was enabled.
9213 Files: smtpd/smtpd.c, smtpd/smtpd_sasl_proto.c.
9215 Compatibility: smtpd_reject_unlisted_sender is turned off
9216 by default, to avoid trouble with with in-house software
9217 that sends out mail software with an unreplyable address.
9219 20040331
9221 Bugfix: postdrop should not abandon mail submission after
9222 receiving a SIGHUP signal when SIGHUP was ignored by the
9223 parent process. Victor Duchovni, Morgan Stanley. File:
9224 postdrop/postdrop.c.
9226 Bugfix: parsing bug in PgSQL dictionaries causing UNIX
9227 sockets to be ignored. Liviu Daia. Files: global/dict*sql.c.
9229 Performance: allow MySQL and PgSQL database connections to
9230 be closed when idle for more than 1 minute; Liviu Daia.
9231 Files: global/dict*sql.c.
9233 20040401
9235 Sanity: the SMTP server no longer accepts sender or recipient
9236 addresses that end in the "@" null domain, as well as
9237 addresses that rewrite into such a form. Specify
9238 "resolve_null_domain=yes" to get the old behavior back.
9239 File: trivial-rewrite/resolve.c.
9241 20040402
9243 Cleanup: added WARN action support for access maps, for
9244 consistency with the WARN action in header and body checks.
9245 File: smtpd/smtpd_check.c.
9247 20040407
9249 Bugfix: missing return statement at the end of the
9250 FREE_MEMORY_AND_RETURN error handling macro. Adi Prasaja.
9251 File: trivial-rewrite/resolve.c.
9253 20040411
9255 Future proofing: client_rate_time_unit is renamed to
9256 anvil_rate_time_unit, so that it is no longer limited to
9257 clients only. File: src/global/mail_params.h.
9259 Cleanup: postalias and postmap now log problems to syslogd.
9260 Files: postalias/postalias.c, postmap/postmap.c.
9262 20040413
9264 Feature: "postfix set-permissions" (re)sets ownership and
9265 access permissions of Postfix files and directories.
9267 Feature: "postfix upgrade-configuration" updates main.cf
9268 and master.cf. This is for people who people copy over
9269 their old files after installing a newer Postfix version.
9271 Feature: HTML files are now optionally installed under
9272 control of the html_directory configuration parameter.
9273 Files: postfix-install, conf/postfix-files, conf/post-install.
9275 Cleanup: README file installation is now optional. Files:
9276 postfix-install, conf/postfix-files, conf/post-install.
9278 20040414
9280 Cleanup: references to sample-mumble.cf files removed,
9281 conf/mumble_table files removed, new commands added to
9282 conf/postfix-script.
9284 Cleanups: function declared int but used as void, missing
9285 include file, missing const qualifier, unused variable.
9286 Matthias Andree. Files: bounce/bounce_notify_util.c,
9287 bounce/bounce_service.h, postlog/postlog.c, smtpd/smtpd_check.c,
9288 util/attr_scan64.c.
9290 Bugfix: more robust version of SIGHUP test of 20040331.
9291 Victor Duchovni, Morgan Stanley. File: postdrop/postdrop.c.
9293 Safety: added NOCLOBBER qualifiers to local variables that
9294 might be clobbered by longjmp(). Files: util/sys_defs.h,
9295 smtp/smtp_proto.c, lmtp/lmtp_proto.c, smtpd/smtpd_check.c,
9296 smtpstone/smtp-source.c.
9298 Bugfix: sub-level Makefiles no longer turned on the extra
9299 compiler warnings. Files: Makefile.in.*, makedefs.*.
9301 20040415
9303 Bugfix: the LMTP client attempted to reuse a connection
9304 after timeout, causing protocol synchronization errors.
9305 Reported by Rob Mueller. File: lmtp/lmtp.c.
9307 20040416
9309 Cleanup: non-delivery reports now include the original
9310 recipient information. File: bounce/bounce_notify_util.c.
9312 20040415-18
9314 Typos: many documentation fixes by Rob Foehl.
9316 20040418
9318 Cleanup: "int" versus "const int" prototype mismatch between
9319 the DICT sequence method prototype and possible implementations.
9320 Files: util/dict_db.c, util/dict_dbm.c.
9322 20040419
9324 Bugfix: the code that rejects client/helo RESTRICTIONS with
9325 smtpd_delay_reject=no looked at the wrong evidence and
9326 rejected client/helo ACCESS MAP lookups instead. Michael
9327 Tokarev. Files: smtpd/smtpd.c, smtpd/smtpd_check.c.
9329 Bugfix: missing # in master.cf in optional submission
9330 service.
9332 20040420
9334 Bugfix: smtpd logged the client too often. Michael Tokarev.
9335 File: smtpd/smtpd.c.
9337 Cleanup: client_event_status_update_time renamed to
9338 anvil_status_update_time. Files: mantools/postlink,
9339 proto/postconf.proto, anvil/anvil.c.
9341 20040421
9343 Workaround: allow pipelined SMTP clients to overshoot the
9344 SMTP server recipient limit without triggering the server
9345 hard error limit. The SMTP server does not count "too many
9346 recipients" towards the hard error limit, as long as the
9347 number of excess recipients stays within a configurable
9348 overshoot limit (default: smtpd_recipient_overshoot_limit
9349 = 1000). Solution in cooperation with Victor Duchovni.
9350 Files: smtpd/smtpd.c, smtpd/smtpd_state.c, smtpd/smtpd.h.
9352 20040502
9354 Missing test for a never used flag (the problematic and
9355 thus never completed INSPECT feature that doesn't re-inject
9356 mail into Postfix). Victor Duchovni, Morgan Stanley. File:
9357 virtual/virtual.c.
9359 20040503
9361 Bugfix: missing "sasl enabled" guard in the SMTPD policy
9362 client. File: smtpd/smtpd_check.c.
9364 20040606
9366 Portability. UnixWare has strcasecmp() in strings.h. Patch
9367 by Andreas Winkelmann. File: util/sys_defs.h.
9369 Portability. The postlink script is transformed from sed(1)
9370 to perl(1).
9372 20040608
9374 Portability. Introduced SET_H_ERRNO() macro for compilation
9375 environments where h_errno can't be used as an lvalue.
9376 Files: util/sys_defs.h, dns/dns_lookup.c.
9378 Portability. Eliminate assumption on bits per byte from
9379 vbuf_print.c.
9381 20040614
9383 Bugfix: the SMTP client did not reset per-session EHLO,
9384 SASL, and history information when opening a connection to
9385 an alternate SMTP server. This is the result of abstraction
9386 no longer matching function. Reported and diagnosed by
9387 Victor Duchovni, Morgan Stanley.
9389 Bugfix: non-portable reuse of variadic argument lists.
9390 Fix by Victor Duchovni, Morgan Stanley. Files: global/bounce.c,
9391 global/defer.c, global/sent.c, global/trace.c, global/verify.c.
9393 Portability: NetBSD 2.0 has changed from statfs to statvfs.
9394 John Heasley. File: util/sys_defs.h.
9396 Documentation: typo fixes by IKEDA Nozomu.
9398 20040616
9400 Bugfix: one missed variadic argument list fix. Victor
9401 Duchovni, Morgan Stanley. File: global/verify.c.
9403 Bugfix: the resolver client cache should be context dependent
9404 because address verification probes may use a different
9405 route than normal mail deliveries. File: global/resolve_clnt.c.
9407 Safety: added similar context dependence to the address
9408 rewriting client in order to avoid trouble when Postfix is
9409 changed. File: global/rewrite_clnt.c.
9411 Bugfix: space in HELO commands could end up in XFORWARD
9412 commands. File: smtpd/smtpd.c.
9414 20040619
9416 Code reorganization: in preparation for SMTP session caching,
9417 the SMTP client data structures were changed from the
9418 original "one session per delivery request" model to an
9419 explicit "multiple sessions per delivery request" model.
9420 This uncovered ESMTP and SASL missing re-initialization
9421 problems that were fixed in past week. Design by Victor
9422 and Wietse, initial implementation by Victor Duchovni.
9424 20040620
9426 Future proofing: after the reorganization of SMTP request
9427 state and session state, added code to the smtp client
9428 error handling routines to more consistently deal with the
9429 possibility that session information is not available.
9431 20040621
9433 Feature: directory=pathname option for the pipe(8) delivery
9434 agent. This allows a command to run from a fixed directory.
9435 Failure to change directory causes delivery to be deferred.
9436 Files: pipe/pipe.c.
9438 Feature: command_execution_directory for local(8) delivery
9439 to external command. This supports the usual $home etc.
9440 expansions, subject to filtering with the character set
9441 specified with $execution_directory_expansion_filter.
9442 Failure to change directory causes delivery to be deferred.
9443 Files: global/mail_params.h, local/command.c.
9445 Support for external command execution directory. Files:
9446 global/pipe_command.[hc].
9448 20040622
9450 Safety: when mail is delivered to a transport with per-delivery
9451 recipient limit of 1, split the recipient address on the
9452 recipient delimiter if one is defined, so that extended
9453 addresses don't get extra delivery concurrency slots.
9454 Files: *qmgr/qmgr_message.c.
9456 20040623
9458 Workaround for fragile clients: add microsecond time to
9459 maildir filename. Files: virtual/maildir.c, local/maildir.c.
9461 20040628-20040701
9463 SMTP connection caching work with Victor Duchovni.
9465 New module (later renamed to global/scache_single.c) for
9466 protocol-independent session caching. The initial
9467 implementation supports in-process, single-session caching
9468 only. A later version will support a central session cache
9469 daemon. Some more work is needed for passivation/activation
9470 of session attributes.
9472 New function vstream_fdclose() to destroy a VSTREAM while
9473 leaving the underlying file(s) open. Files: util/vstream.[hc].
9475 New function dns_rr_remove() to remove one record from a
9476 resource record list. Some more work is needed to turn the
9477 list into a doubly-linked one. Files: dns/dns.h, dns/dns_rr.c.
9479 Restructuring of the SMTP protocol engine for session
9480 caching. File: smtp/smtp_proto.c.
9482 Restructuring of the connection management module, and
9483 first implementation of SMTP connection caching. To enable,
9484 specify an smtp_connection_cache_time value greater than
9485 zero. The time unit is seconds. File: smtp/smtp_connect.c.
9487 New code to passivate and re-activate SMTP_SESSION objects,
9488 and isolation of session save/lookup in its own module.
9489 Files: smtp/smtp_session.c, smtp/smtp_reuse.c.
9491 Refinement: smtp_cache_reuse_limit parameter to bound the
9492 number of times a session may be reused.
9494 Refinements: when a session comes from the cache, give it
9495 back to the cache anyway (even when it will not be listed
9496 under the next-hop destination name).
9498 Future refinements should also include a bound on the number
9499 of consecutive and total non-delivering uses and other
9500 statistics.
9502 20040714
9504 Bugfix: the code to eliminate the local MTA from the MX
9505 address list did not handle the case that inet_interfaces
9506 produced a less preferred match than proxy_interfaces.
9507 Victor Duchovni, Morgan Stanley. File: smtp/smtp_addr.c.
9509 20040715
9511 Resume work on SMTP session caching. All good sessions
9512 are now cached under their IP address. As before, only the
9513 first good session per delivery request is cached under
9514 the original next-hop destination.
9516 At this point, SMTP session caching works, with a session
9517 cache client module that uses in-process session caching.
9518 This is sufficient to demonstrate that the SMTP client is
9519 ready for session caching.
9521 20040716
9523 New modules to send file descriptors from one process into
9524 another one. This will be needed for implementing a central
9525 connection cache manager daemon. Most systems use UNIX-domain
9526 sockets as the transport for this. On Solaris we use streams
9527 instead. Applications are supposed to invoke LOCAL_SEND_FD()
9528 and LOCAL_RECV_FD(). Files: {unix,streams}_{send,recv}_fd.c.
9530 20040717
9532 First implementation of a session caching client API that
9533 actually sends to/receives from a caching server process.
9534 The old in-process, single-session caching functionality
9535 is preserved as global/scache_single.c, so that we can use
9536 it for bootstrapping the session cache server. File:
9537 global/scache_clnt.c.
9539 First implementation of the scache session cache server,
9540 using the same in-process session caching code that was
9541 used to bootstrap the SMTP client. File: scache/scache.c.
9543 20040718
9545 Performance: the default RSET timeouts are reduced from
9546 120s to 20s. Perhaps there should be different RSET timeout
9547 for address probes and for session cache checks. File:
9548 global/mail_params.h.
9550 20040719
9552 Multi-session connection cache module. Implementing this
9553 was actually the easiest part of the entire connection
9554 caching project. File: global/scache_multi.c.
9556 20040720
9558 Bugfix: event_drain() falsely reported a single-entry timer
9559 queue as empty. File: util/events.c.
9561 Completed the multi-session cache support for SMTP. The
9562 code can be stress tested with a driver program that reads
9563 commands from a script. It is not practical to manually
9564 test the effects of collisions in the time or in name space
9565 domains. File: global/scache.c.
9567 20040721
9569 Feature: the session cache server now logs cache hit and
9570 miss statistics every $session_cache_status_update_time
9571 seconds (default: 600s), as well as upon process exit.
9572 File: scache/scache.c.
9574 20040722
9576 Workaround: LINUX 2.4 has trouble with mixed data and file
9577 descriptor traffic on UNIX-domain stream sockets.
9578 Specifically, it cannot handle data write (read) followed
9579 by file descriptor send (receive): the receiver hangs in
9580 recvmsg(). Workaround is to insert an intervening read
9581 (write) operation. Presumably, LINUX 2.4 is confusing the
9582 data and file descriptor. Lucky Ralf Hildebrandt. Files:
9583 util/sys_defs.h, global/scache_clnt.c, scache/scache.c.
9585 20040723
9587 Safety: spawn(8) now rejects a user with the -1 UID or GID
9588 value, so that commands will not end up running as root.
9589 Files: util/spawn_command.c, spawn/spawn.c.
9591 User interface: parameter smtp_connection_cache_domains
9592 renamed to smtp_connection_cache_destinations. Destinations
9593 listed here must be specified without [] or :port. File:
9594 smtp/smtp_connect.c.
9596 Bugfix: "421 Timeout exceeded" wasn't guarded by setjmp().
9597 Victor Duchovni, Morgan Stanley. File: smtpd/smtpd.c.
9599 20040729
9601 Feature: enable SMTP session caching temporarily while a
9602 postfix is able to schedule back-to-back deliveries.
9603 Parameter: smtp_connection_cache_on_demand (default:
9604 yes). Files: smtp/smtp_connect.c, *qmgr/qmgr_entry.c,
9605 *qmgr/qmgr_queue.c, *qmgr/qmgr_deliver.c.
9607 Feature: smtp-source -N option to generate unique recipient
9608 addresses for (trivial-rewrite) stress testing. Victor
9609 Duchovni, Morgan Stanley. File: smtpstone/smtp-source.c.
9611 20040730
9613 Safety: disallow "opportunistic session caching" when the
9614 queue manager is unable to schedule back-to-back deliveries.
9615 File: *qmgr/qmgr_entry.c.
9617 20040731
9619 Hysteresis: turn on "opportunistic session caching" when
9620 back-to-back deliveries happen, but don't turn if off
9621 until both concurrent and back-to-back delivery ends.
9623 20040801
9625 Workaround: disable session caching for Linux < 2.2 (does
9626 not work) or Glibc < 2 (does not compile). Files:
9627 util/sys_defs.h, util/unix_{recv,send}_fd.c.
9629 Portability: h_errno is not an lvalue in the UnixWare 7.1
9630 multi-threaded environment. Olivier PRENANT.
9632 20040812
9634 Bugfix: update SMTP server error counter when a client is
9635 denied access with smtpd_delay_reject=no.
9637 20040816
9639 Bugfix: The smtp_chat_cmd() forced output flushing code in
9640 the SMTP client could run before an I/O error handler was
9641 set up. Problem diagnosed by Victor Duchovni, Morgan
9642 Stanley. The fix is to disable the smtp_chat_cmd() forced
9643 output flushing code as it duplicates better code in
9644 smtp_loop(). File: smtp/smtp_chat.c.
9646 Safety: set up an I/O error handler before the smtp_loop()
9647 protocol engine starts; this handler logs a warning in case
9648 it ever runs, because that means someone broke ESMTP command
9649 pipelining. File: smtp/smtp_proto.c.
9651 Feature: canonical_classes parameter by Kimmo Suominen, to
9652 control what addresses are rewritten by canonical_maps.
9653 Files: cleanup/cleanup_addr.c, cleanup/cleanup_message.c.
9655 20040817
9657 Bugfix: update the vstream I/O time AFTER the completion
9658 of an I/O request, so that time-sensitive applications
9659 don't force flush output too soon and possibly trigger
9660 NAGLE delays. Problem diagnosed by Victor Duchovni, Morgan
9661 Stanley. File: util/vstream.c.
9663 Portability: avoid postmap/postalias test file name clashes
9664 on Windows. Ian Lance Taylor (of Taylor UUCP fame).
9666 20040823
9668 Bugfix: vstream_popen() did not close the child pipe
9669 after failure to fork(). File: util/vstream_popen.c.
9671 20040826
9673 Feature: support for systems with closefrom(), and emulation
9674 for those without. Andrew Brown. Files: util/sys_defs.h,
9675 util/sys_compat.c.
9677 20040827
9679 Feature: {sender,recipient}_canonical_classes parameters,
9680 which give better control than sender_canonical_classes.
9681 Files: cleanup/cleanup_addr.c, cleanup/cleanup_message.c.
9683 Feature: the proxymap client now recognizes when a map
9684 can't be proxied, and will open it directly instead. This
9685 makes proxy maps easier to use for virtual mailbox domains.
9686 File: global/dict_proxy.c.
9688 Feature: smtp_sasl_mechanism_filter restricts what remote
9689 SMTP server mechanism names the Postfix SMTP client passes
9690 on to the SASL library. Victor Duchovni, Morgan Stanley.
9691 Files: smtp/smtp.c. smtp/smtp_sasl_glue.c, smtp/smtp_sasl_proto.c.
9693 20040828
9695 User interface: when no recipients are specified, the
9696 Postfix sendmail command now terminates with status EX_USAGE
9697 instead of accepting the mail first and bouncing it later.
9698 This gives more direct feedback in case of a common client
9699 configuration error. File: sendmail/sendmail.c.
9701 20040829
9703 Portability: Solaris closefrom() support didn't work for
9704 non-SUN compilers. Victor Duchovni, Morgan Stanley.
9706 20040830
9708 Feature: the scache(8) session cache manager now logs the
9709 peak counts of destinations, endpoints and sessions. Files:
9710 scache/scache.c, global/scache*c.
9712 20040831
9714 Portability: disable session caching support on SCO 5
9715 because of incompatible sockets API. File: util/sys_defs.h.
9717 20040913
9719 Bugfix (introduced 20020803): sent the wrong bounce message
9720 type when a Delivered-To: loop was detected for a mailing
9721 list alias. Nicolas Riendeau. File: bounce_notify_util.c.
9723 20040918
9725 Feature: authorized_flush_users, authorized_mailq_users,
9726 authorized_submit_users to restrict what users can flush
9727 the queue, list the queue, or submit mail locally. Based
9728 on code by Victor Duchovni, Morgan Stanley. Files:
9729 sendmail/sendmail.c, postdrop/postdrop.c, postqueue/postqueue.c,
9730 global/user_acl.[hc].
9732 Feature: discard(8) mail delivery agent. Victor Duchovni,
9733 Morgan Stanley. File: discard/discard.c.
9735 20041002
9737 Long overdue, a master(5) manual page based on an initial
9738 version by Magnus Baeck.
9740 By popular demand, a postfix-manuals.html web page with
9741 totally useless links to UNIX-style manual pages (the same
9742 information should already be available simply by typing
9743 "apropos postfix"). To keep newbies from getting completely
9744 lost due to information overload, the document starts with
9745 a list of actually useful pointers to Postfix introductions,
9746 duplicated from the already existing documents.html.
9748 20041006
9750 Bugfix: "sendmail -bv" did not reject the -t option. File:
9751 sendmail/sendmail.c.
9753 20041007
9755 Feature: SASL authentication attributes are now stored in
9756 queue files and passed on to delivery agents, by Leandro
9757 Santi. Files: deliver_pass.c, deliver_request.c,
9758 qmgr_deliver.c, qmgr_message.c, pipe.c, smtpd.c.
9760 20041009
9762 Feature: per SMTP client message rate limit and recipient
9763 rate limit, by Ragnar Lonn, GHN network technologies.
9764 Files: smtpd/smtpd.c, anvil/anvil.c, global/anvil_clnt.[hc].
9766 Incompatibility: smtpd_client_connection_limit_exceptions
9767 renamed to smtpd_client_event_limit_exceptions, because it
9768 now also controls message and recipient rate limit control.
9770 20041013
9772 Portability: AIX 5.1/GCC.
9774 20041014-23
9776 Postfix no longer appends the local domain to header
9777 addresses from remote clients. Instead, Postfix either
9778 does not rewrite those headers at all, or it appends the
9779 domain specified with the new remote_header_rewrite_domain
9780 parameter.
9782 Postfix still appends $@myorigin or .$mydomain to headers
9783 from the Postfix sendmail command, or from clients listed
9784 with the new local_header_rewrite_clients parameter (default:
9785 permit_mynetworks, permit_sasl_authenticated).
9787 These changes affect the SMTP server (including XFORWARD
9788 support), the cleanup server (do or don't rewrite headers),
9789 the trivial-rewrite server (append local domain or surrogate
9790 remote domain to incomplete addresses), the queue manager
9791 (send additional attributes to delivery agents), the LMTP
9792 and SMTP clients (XFORWARD support), and the local delivery
9793 agent (preserve XFORWARD attributes when forwarding mail).
9795 20041016
9797 Bugfix: attr_clnt_request() did not properly skip hash
9798 table arguments. Luc Pardon, Skopos Consulting. File:
9799 util/attr_clnt.c.
9801 20041018
9803 The NIS+ module by Geoff Gibbs is now part of Postfix.
9804 Files: util/dict_nisplus.c, proto/nisplus_table.
9806 20041019
9808 Support for Errors-To: is permanently removed.
9810 20041022
9812 Bugfix: "smtp_connection_cache_on_demand=no" could crash
9813 the SMTP client. File: smtp/smtp_connect.c.
9815 Robustness: extra sanity checks. Files: util/dict_db.c,
9816 util/dict_dbm.c, dict_nis.c.
9818 20041025
9820 Initial merge of Lutz Jaenicke's TLS patch. Initial rewrite
9821 of tlsmgr to eliminate some code duplication and to postpone
9822 calls into OpenSSL until after dropping privileges.
9824 20041030
9826 Compatibility: "session cache" renamed to "connection cache"
9827 to avoid confusion with the TLS session cache.
9829 20041102
9831 Feature: smtpd_end_of_data_restrictions allow you to specify
9832 restrictions at the end of the SMTP DATA command. The syntax
9833 is identical to that of the smtpd_data_restrictions feature.
9834 This introduces a new END-OF-DATA protocol state for the
9835 external policy server. Files: proto/SMTPD_POLICY_README.html,
9836 proto/SMTPD_ACCESS_README.html, smtpd/smtpd_check.c.
9838 20041111
9840 Cleanup: terminate the dict_eval() result buffer for verbose
9841 logging. Victor Duchovni, Morgan Stanley. File: util/dict.c.
9843 20041112
9845 Cleanup: be more careful when saving and restoring resolver(3)
9846 options to avoid problems with an HP-UX security patch
9847 (change introduced 20031215). File: dns/dns_lookup.c.
9849 20041115
9851 Bugfix: the test for "no debugger_command" was wrong.
9852 Leandro Santi. File: global/debugger_command.c.
9854 20041117
9856 Robustness: the master-child protocol now includes a process
9857 generation number besides the child process ID. The process
9858 generation number is incremented by one each time the master
9859 creates a child process. Child-to-master status updates
9860 with the wrong generation number are ignored, instead of
9861 triggering a consistency error in the master server. Files:
9862 master/*server.c, master/master_status.c, master/master_spawn.c.
9864 20041118
9866 Bugfix: the "local_header_rewrite_clients" feature (20041023)
9867 did not recognize "bare" lookup tables as documented. Victor
9868 Duchovni, Morgan Stanley. File: smtpd/smtpd_check.c.
9870 Bugfix: the "local_header_rewrite_clients" feature (20041023)
9871 was broken because the local delivery agent passed on a
9872 bogus attribute value when forwarding internally generated
9873 mail, causing the mail to be rejected by the cleanup server.
9874 File: local/dotforward.c.
9876 Bugfix: the "local_header_rewrite_clients" feature (20041023)
9877 was broken because the pickup server always overwrote origin
9878 information. Files: pickup/pickup.c, cleanup/cleanup_state.c,
9879 *qmgr/qmgr_message.c.
9881 Workaround: enable the "can't write before sending a file
9882 descriptor" workaround for Solaris. Problem reported by
9883 Victor Duchovni for Solaris 2.5.1, but we play safe and
9884 enable it unconditionally.
9886 20041120
9888 The TLS support routines are moved to a "tls" directory,
9889 and are published via the "libtls.a" object library.
9891 20041122
9893 Infrastructure: support for binary attribute values
9894 (ATTR_TYPE_DATA) in Postfix IPC messages. Files:
9895 util/attr_scan*c, util/attr_print*c.
9897 20041123-20041205
9899 TLS support: via a process of gradual transformation,
9900 decomposed Lutz Jaenicke's pfixtls.c into separate modules
9901 for clients, servers, certificate verification, session
9902 caching, and PRNG management. Global variables were eliminated
9903 so that the code now supports multiple client and/or server
9904 contexts in the same process. Files: tls/*.[hc].
9906 20041205
9908 TLS support: eliminated shared access (and locking) of the
9909 TLS PRNG exchange file and TLS session caches. Instead,
9910 Postfix uses a client-server protocol, and the tlsmgr
9911 becomes the sole mediator. This eliminated the need for
9912 1000+ lines of SDBM support, and eliminated the need for
9913 running a persistent tlsmgr process on systems don't enable
9914 TLS in main.cf.
9916 20041124
9918 Feature: configurable list of forbidden SMTP commands
9919 (default: smtpd_forbidden_commands = CONNECT, GET, POST)
9920 after which the Postfix SMTP server disconnects immediately.
9921 The SMTP server always disconnects immediately when the
9922 client sends a message header instead of an SMTP command.
9923 Magnus Baeck. File: smtpd/smtpd.c.
9925 20041207
9927 CDB support by Michael Tokarev, documentation by Victor
9928 Duchovni. Files: util/dict_cdb.[hc], global/mkmap_cdb.c.
9930 20041209
9932 Completed support for the Berkeley DB sequence operator.
9933 This is needed for finding and deleting old entries in TLS
9934 session databases. File: util/dict_db.c.
9936 Bugfix: the DBM client's sequence operator used exclusive
9937 locking instead of shared locking. File: util/dict_dbm.c.
9939 Feature: dump an entire database with the new postmap/postalias
9940 "-s" option. This works only for database types with Postfix
9941 sequence operator support: hash, btree, dbm, and sdbm.
9942 Files: postmap/postmap.c, postalias/postalias.c.
9944 20041212
9946 Solaris 10/ix86 chroot setup script update by J.D. Bronson.
9948 TLS support: cosmetic changes to comments and messages;
9949 completed the code for the master -> tlsmgr trigger handshake,
9950 so that the master no longer complains about trigger
9951 responses timing out.
9953 20041213
9955 Updated the SDBM dictionary interface. It had fallen behind
9956 with the Postfix dictionary interfaces that were already
9957 bundled with Postfix. Files: util/dict_sdbm.[hc].
9959 Cleanup: "postconf -m" (show all available map types) now
9960 produces sorted output. File: util/dict_open.c.
9962 20041215
9964 No bugfix: tests with the new "postmap -s" feature show
9965 that SDBM first/next operations never worked with Postfix/TLS
9966 patch 20040829 (verified with the 20040829 dict_sdbm.c
9967 module on Linux and FreeBSD). The code stops after finding
9968 one database element. Other SDBM versions found on the
9969 Internet will find all database entries, but report an I/O
9970 error after the last database element is found. All this
9971 would be easy enough to fix, but the SDBM library is not
9972 part of Postfix, and never will be.
9974 Bugfix: the sequence operator in the DBM and SDBM clients
9975 released the shared lock after reading the next key but
9976 before reading the corresponding value. This was never a
9977 problem, because the sequence operator was used only in
9978 the Postfix/TLS patch. This used the SDBM sequence operator
9979 which didn't work as discussed above. Files: util/dict_dbm.c,
9980 util/dict_sdbm.c.
9982 Feature: the local(8) and pipe(8) delivery agents now make
9983 the following attributes available upon delivery (with
9984 local(8) names must be spelled in upper case): client_hostname,
9985 client_address, client_protocol, client_helo, sasl_method,
9986 sasl_sender, sasl_username. Files: local/command.c,
9987 pipe/pipe.c, and lots of documentation.
9989 20041216
9991 "postcat -o" now prints queue file record offsets; this is
9992 useful for debugging. File: postcat/postcat.c.
9994 NON-PRODUCTION Bugfix: (bug introduced while adopting the
9995 Postfix/TLS patch): the new TLS certification call-back
9996 routine expects that the peer hostname is in
9997 tlscontext->peername_save, but the TLS server code never
9998 updated this field. File: tls/tls_server.c.
10000 20041218
10002 Feature: selective suppression of SMTP extensions (pipelining,
10003 starttls, auth, etc.); this is useful to work around broken
10004 clients or servers. Specify a list of EHLO keywords with
10005 the smtp(d)_discard_ehlo_keywords parameters, or specify
10006 one or more lookup tables, indexed by remote network address,
10007 with the smtp(d)_discard_ehlo_keyword_address_maps parameters.
10008 EHLO keyword lists are case insensitive. Files:
10009 util/name_mask.[hc], global/ehlo_mask.[hc], smtpd/smtpd.c,
10010 smtp/smtp.c, smtp/smtp_proto.c.
10012 20041219
10014 Bugfix: postcat without -o was broken. File: postcat/postcat.c.
10016 20041220
10018 NON-PRODUCTION Bugfix: (bug introduced while adopting
10019 Postfix/TLS patch): don't call smtp_flush() after return
10020 from vstream_setjmp(), we'll call you. File: smtpd/smtpd.c.
10022 Dummy VSTREAM read-write routines. Files: util/dummy_read.c,
10023 util/dummy_write.c.
10025 20041221
10027 Fixes for TLS_README by Victor Duchovni. File:
10028 proto/TLS_README.html.
10030 NON-PRODUCTION Bugfix: (bug introduced while adopting
10031 Postfix/TLS patch). The client code had become too similar
10032 to the server implementation, and also required a host
10033 certificate and key. Fix by Victor Duchovni. File:
10034 tls/tls_client.c.
10036 20041221
10038 Bugfix: further postcat corner cases.
10040 20041223
10042 Cosmetic: don't log disconnect events as I/O errors.
10043 File: tls/tls_bio_ops.c.
10045 20041221-9
10047 Infrastructure: unified IPv4/IPv6 name/address API so that
10048 Postfix can support IPv6 without #ifdef INET6 everywhere.
10049 In particular, we allow #ifdef in libraries but avoid it
10050 in applications. Files: util/myaddrinfo.[hc],
10051 util/sock_addr.[hc], dns/dns_rr_to_pa.c, dns/dns_sa_to_rr.c,
10052 dns/dns_rr_eq_sa.c, dns/dns_rr_to_sa.c, inet_proto.[hc].
10054 Postfix no longer attempts to deliver mail via IPv6 when
10055 the system has no IPv6 connectivity. Network protocol
10056 support is now selected with the "inet_protocols" configuration
10057 parameter, instead of "inet_interfaces". The "inet_protocols"
10058 parameter also controls what DNS lookups Postfix will do.
10060 Infrastructure: eliminated two host/port parsing routines.
10061 Only one survives: host_port(), in an extended form that
10062 allows for missing host or missing service information but
10063 not both. File: util/host_port.c.
10065 20041229
10067 Milestone: Postfix with the unified IPv4/IPv6 socket/name
10068 API builds without compiler error on IPv4-only system and
10069 actually works.
10071 20041228
10073 Bugfix: SMTPD_PROXY_README incorrectly claimed that ":port"
10074 in master.cf causes a server to listen only on "localhost"
10075 without exposing the service to the network. Instead,
10076 ":port" causes a client to connect to "localhost".
10078 20041231
10080 Linux workaround: when mynetworks isn't set, a chrooted
10081 process could not read the IPv6 address information from
10082 /proc. We now invoke own_inet_addr() before chrooting,
10083 while processing main.cf. File: global/mail_params.c.
10085 20050101
10087 Workaround for (Linux) systems without IPV6_V6ONLY support
10088 (RFC 3493). When Postfix listened on an IPv4 wild-card
10089 smtp socket, the IPv6 wild-card smtp listener would fail
10090 with EADDRINUSE (and vice versa). File: util/myaddrinfo.c.
10092 20050103
10094 Safety: when the IPV6 netmask can't be determined, assume
10095 /128 (host only). File: util/inet_addr_local.c.
10097 20050104
10099 Re-implemented IPv6 support for net/mask pattern matching.
10100 Files: util/cidr_match.[hc], util/dict_cidr.c,
10101 util/match_ops.[hc], proto/cidr_table.
10103 20050105
10105 Moved mask_addr() to its own module so that it could also
10106 be called by mynetworks() and inet_addr_local() to remove
10107 non-zero host bits from IPv6 network/mask patterns. File:
10108 util/mask_addr.c.
10110 20050108
10112 Re-implemented IPv6 support for network interface lookup
10113 via the Linux /proc file system. File: util/inet_addr_local.c.
10115 20050111
10117 Feature: specify "inet_interfaces = loopback-only" for
10118 servers that must listen on local interfaces only, without
10119 having to specify IPv4 and/or IPv6 addresses in main.cf or
10120 master.cf. File: global/own_inet_addr.c.
10122 Workaround: AIX 5.1 getaddrinfo() can't handle a null host
10123 argument with AI_PASSIVE. Instead we specify an explicit
10124 protocol family, a host of "::" or "0.0.0.0", and turn off
10125 IPV6_V6ONLY. Files: util_myaddrinfo.c, util/inet_listen.c.
10127 Workaround: AIX 5.1 getaddrinfo() can't handle a "0" service
10128 argument. Instead we specify "1". Files: util/inet_addr_host.c.
10130 20050113
10132 Cleanup: now that the over-all structure is proving itself,
10133 clean up some internal APIs to increase robustness and get
10134 rid of some clumsiness. Mainly, the getaddrinfo(3) interface.
10136 Start-up performance: the hash_queue_names default setting
10137 is reduced from eight directories to just defer and deferred.
10138 This reduces time for checking the Postfix queue. Files:
10139 conf/post-install, global/mail_params.h.
10141 20050114
10143 Further cleanup: eliminate duplicate IPv6 results when the
10144 mynetworks value is generated by Postfix. More documentation
10145 of the new internal APIs.
10147 Performance: reduced start-up delay by moving warning-only
10148 startup checks into the background. File: conf/postfix-script.
10150 20050115
10152 Further hardening of the IPv6 support: don't trust system
10153 libraries to protect Postfix against malformed IPv6 address
10154 literals. Their syntax is complex enough that errors are
10155 likely. Files: global/resolve_local.c, util/valid_hostname.c.
10157 Further cleanup: RFC 2821 requires the IPv6: prefix with
10158 IPv6 address strings. The smtp and qmqp servers maintain
10159 separate address instances, the bare address and the RFC
10160 2821 compatible form, and use each where appropriate. This
10161 strict separation simplifies address syntax checks as well
10162 as the implementation of XCLIENT and XFORWARD.
10164 20050116
10166 Infrastructure: new valid_mailhost_addr() routine to verify
10167 that an address literal satisfies RFC 2821. An IPv4 address
10168 is in dotted-quad decimal form, and an IPv6 address is in
10169 hexadecimal form, with the "IPv6:" prefix. Files:
10170 global/valid_mailhost_addr.[hc].
10172 Further cleanup: valid_hostname() no longer allows network
10173 addresses or numerical domain names. While it made some
10174 sense with IPv4 dotted quad decimal forms, with IPv6 it
10175 just made no sense anymore. Again, being stricter actually
10176 simplifies code. Files: util/valid_hostname.c and a
10177 surprisingly small number of valid_hostname() callers that
10178 did not reject numerical forms.
10180 Bugfix: in the Postfix 2.2 SMTP client, the debug_peer_init()
10181 call was moved to the after-chroot initialization.
10183 20050117
10185 Performance: reduced start-up delay by moving warning-only
10186 startup checks into the background; they now start after
10187 one minute to allow the system to finish booting. File:
10188 conf/postfix-script.
10190 Milestone: first non-non-production snapshot with IPv6.
10192 20050119
10194 Milestone: first non-non-production snapshot with TLS.
10196 20050124
10198 Workaround: don't send mail to $fallback_relay if Postfix
10199 is MX host for the next-hop destination. This is, however,
10200 a partial solution. The documentation has been updated to
10201 cover all the cases where a fallback_relay could interfere
10202 with the operation of a backup or primary MX host. Files:
10203 smtp/smtp_addr.c, smtp/smtp_connect.c.
10205 20050127
10207 Configuration: Postfix daemons that need privileged operation
10208 (such as local, pipe, or spawn) now log a fatal error when
10209 they are configured in master.cf as unprivileged.
10211 20050130
10213 Cleanup: simplified the handling of receive_override_options
10214 settings. Files: pickup/pickup.c, smtpd/smtpd.c, qmqpd/qmqpd.c,
10215 global/input_transp.c.
10217 Feature: permit_inet_interfaces allows a request when the
10218 client matches $inet_interfaces. This is used for generic
10219 access restrictions and for header address rewriting control.
10220 Files: global/mail_params.h, smtpd/smtpd_check.c.
10222 Cleanup: by default, message header address rewriting is
10223 now enabled only for mail that originates from the machine
10224 itself. Files: global/mail_params.h, smtpd/smtpd_check.c.
10226 20050131
10228 Bugfix: when extracting recipients from message headers,
10229 the Postfix sendmail command produced output records longer
10230 than $line_length_limit, causing postdrop to reject the
10231 mail. Diagnosis by Victor Duchovni. File: sendmail/sendmail.c.
10233 20050202
10235 Cleanup: explicit Makefile targets for "make package" and
10236 "make non-interactive-package" to create ready-to-install
10237 packages for distribution to other systems. Added extra
10238 sanity checks to prevent attempts to overwrite your running
10239 Postfix instance. Files: Makefile.in, proto/PACKAGE_README.
10241 Cleanup: when bounce_queue_lifetime > maximal_queue_lifetime,
10242 it is adjusted to maximal_queue_lifetime, and a warning is
10243 logged. Files: *qmgr/qmgr.c.
10245 20050203
10247 Cleanup: trivial-rewrite now restarts more timely after
10248 changes in lookup tables. Of the all the alternatives
10249 tested, the simplest one produces the most bang for the
10250 buck. The other code is left in place for illustrative
10251 purposes. File: trivial-rewrite/trivial-rewrite.c.
10253 Cleanup: sendmail no longer ignores null command-line
10254 recipients. File: sendmail/sendmail.c.
10256 Cleanup: "postfix start" background checks moved back to
10257 the foreground so they can be stopped more easily. File:
10258 conf/postfix-script.
10260 20050204
10262 Feature: REPLACE command in header/body_checks (implemented
10263 as a combination of PREPEND and IGNORE) by Bastiaan Bakker.
10264 File: cleanup/cleanup_message.c.
10266 Cleanup: linted the manual pages for consistency in the
10267 way manuals are referenced, and in the presentation of
10268 command examples. Files: mantools/manlint, mantools/fixman,
10269 mantools/postconf2man.
10271 20050205
10273 Cleanup: updated the mass-deletion example in the postsuper
10274 manual.
10276 20050206
10278 Cleanup: don't count a [45]XX SMTP server greeting towards
10279 the mx_session_limit setting. File: smtp/smtp_connect.c.
10281 Feature: output address rewriting in the SMTP client. The
10282 smtp_generic_maps parameter specifies an address mapping
10283 that happens only when mail is delivered via SMTP. This is
10284 typically used for hosts without a valid domain name, that
10285 use something like localdomain.local instead. This feature
10286 can replace local mail addresses by valid Internet mail
10287 addresses when mail needs to go across the Internet, but
10288 not when mail is sent between accounts on the local machine.
10289 Files: smtp/smtp_proto.c, smtp/smtp_map11.c.
10291 Cleanup: don't panic in mymalloc() when master can't find
10292 any IP addresses. LaMont Jones. File: master/master_ent.c.
10294 20050207
10296 Documentation: added a generic(5) manual page for consistency
10297 with the already existing table driven mechanisms, added
10298 references to or examples of the new generic mapping.
10300 Bugfix: the header_checks REPLACE action mis-handled
10301 multi-line replacement text in message headers, for example:
10302 /(.*)/ REPLACE X-$1. File: cleanup/cleanup_message.c.
10304 Bugfix: the header_checks REPLACE action should not drop
10305 the input when the action is NOT executed. File:
10306 cleanup/cleanup_message.c.
10308 Bugfix? Cleanup? Documentation? main.cf now implements
10309 ${name[?:]value} as promised in the postconf(5) manual.
10310 Implemented by deleting the macro processor in dict_eval(),
10311 and using the one in mac_expand() instead. File: util/dict.c.
10313 20050208
10315 Feature: check_ccert_access maptype:mapname for access(5)
10316 control, based on code by Victor Duchovni. File:
10317 smtpd/smtpd_check.c and documentation.
10319 Safety: don't allow unlimited message size with limited
10320 mailbox size. File: local/local.c, virtual/virtual.c.
10322 Feature: new smtpd policy attributes ccert_subject,
10323 ccert_issuer and ccert_fingerprint, with TLS client
10324 certificate information, but only when verification was
10325 successful. Files: src/smtpd/smtpd_check.c.
10327 Cleanup: corrected the address verification data flow in
10328 the ADDRESS_VERIFICATION_README illustration.
10330 20050209
10332 Cleanup: the smtp generic mapping did syntax check on the
10333 input address instead of the result. These tests were not
10334 going to be useful in any case, because mail_addr_map()
10335 canonicalizes the lookup result, including @dom1->@dom2
10336 mapping. File: smtp_map11.c.
10338 Cleanup: made the generic mapping documentation consistent
10339 with the implementation.
10341 Cleanup: documented the myorigin/mydomain address rewriting
10342 in canonical, generic and virtual alias maps.
10344 Feature: updated LDAP and *SQL query interfaces using a
10345 common infrastructure so that all have the same feature set
10346 where possible. Victor Duchovni and many others. This code
10347 was tested separately and was merged into the main stream
10348 20050308. Files: global/db_common.[hc], global/dict_ldap.c,
10349 global/dict_mysql.c, global/dict_pgsql.c, plus documentation.
10351 20050210
10353 Bugfix: spurious fallback_relay warnings after 20050202.
10354 Victor Duchovni. File: smtp/smtp_connect.c.
10356 Bugfix: (introduced while adopting Postfix/TLS patch) the
10357 TLS cache scan stopped after expiring one entry. Victor
10358 Duchovni. File: tls/tls_scache.c.
10360 Safety: delete-behind when removing expired entries from
10361 TLS session caches. With some maps the enumeration method
10362 mis-behaves when the current entry is deleted. File:
10363 tls/tls_scache.c.
10365 20050211
10367 Cleanup: the "generics" feature (output address rewriting)
10368 is renamed to "generic", for consistency with "canonical"
10369 and "virtual".
10371 20050212
10373 Cleanup: remove old trace(8) logfile before attempting
10374 delivery (and after locking the message file exclusively).
10375 Files: *qmgr/qmgr_message.c.
10377 Cleanup: don't parse-then-regenerate message headers when
10378 no address is changed by address rewriting operations. This
10379 behavior was copied from the SMTP client's generic mapping
10380 code. Files: cleanup/cleanup_rewrite.c, cleanup/cleanup_map11.c,
10381 cleanup/cleanup_masquerade.c, cleanup/cleanup_message.c..
10383 20050215
10385 Bugfix: don't chmod queue files while running "postfix
10386 set-permissions". This prevents mail from being labeled as
10387 "corrupt" when a live Postfix system is upgraded. Found
10388 by Victor Duchovni. File: conf/post-install.
10390 20050216
10392 Feature: in smtpd?_discard_ehlo_keyword(s|_address_maps)
10393 specify the pseudo keyword "silent-discard" in order to
10394 avoid logging that some EHLO keyword is being suppressed.
10395 File: global/ehlo_mask.[hc].
10397 20050217
10399 Bugfix: typo in tls_server.c, breaking CApath. Fix by
10400 Philipp Morger. File: tls/tls_server.c.
10402 20050227
10404 Bugfix (bug introduced 20040331): with SIGHUP ignored, the
10405 postdrop signal handler would effectively ignore SIGINT,
10406 SIGQUIT and SIGTERM. Simplified the overly-conservative
10407 protection against nested signals in postdrop, and added
10408 some future proofing comments. File: postdrop/postdrop.c
10410 Cleanup: when address rewriting is enabled, don't change
10411 the capitalization of header labels, i.e. don't replace
10412 FROM: or CC: by From: or Cc:. Files: cleanup/cleanup_message.c,
10413 smtp/smtp_proto.c.
10415 20050228
10417 Cleanup/portability: missing #includes and bad prototypes.
10418 Matthias Andree, Carsten Hoeger, and others.
10420 20050302
10422 Workaround: make TLS session caching work with perverse
10423 sites that have multiple servers per hostname or even
10424 multiple servers per IP address, but no shared TLS session
10425 cache. The SMTP client TLS session cache is now indexed by
10426 (server hostname, server address, server port, server helo
10427 hostname). After an idea by Victor Duchovni. Files:
10428 smtp/smtp_proto.c, tls/tls_client.c.
10430 20050303
10432 Bugfix (bug inherited from Postfix/TLS patch): a rare 9kbyte
10433 memory leak when in-memory TLS session information expires;
10434 found by setting the expiry time shorter than the time to
10435 deliver one or two messages with a very slow machine. This
10436 was due to a missing SSL_SESSION_free() call in the "new
10437 session" call-back routines. Found by Victor Duchovni.
10438 Files: tls/tls_client.c, tls/tls_server.c.
10440 Workaround: OpenSSL is overly agressive when purging a
10441 not-yet expired entry from a full in-memory cache: it also
10442 purges the entry from the on-disk server session cache.
10443 Workaround is to let only the tlsmgr purge entries from the
10444 on-disk server session cache. Found by Victor Duchovni.
10445 File: tls/tls_server.c.
10447 20050304
10449 Postfix releases are now signed with Wietse's new PGP key.
10450 The old key was getting a bit short for today's standards.
10451 The new public key can be found on the Postfix download
10452 webpage. As proof of authenticity the new PGP key is signed
10453 with Wietse's old PGP key.
10455 Cleanup: check_mumble_{ns,mx}_access no longer attempt to
10456 do MX or NS lookups for address literals. An address literal
10457 is treated as its own MX host; there is no meaningful
10458 equivalent for NS access control. File: smtpd/smtpd_check.c.
10460 20050310
10462 Bugfix: the AIX and SUN compilers rightfully complained
10463 about non-portable code in the "new" LDAP/SQL client. File:
10464 global/db_common.c.
10466 Workaround: some systems no longer recognize "tail +2" as
10467 valid command syntax. Instead they require "improved" syntax
10468 that is not valid on several other systems that Postfix
10469 builds on. So we have to stop using the tail command.
10470 Files: Makefile.in, src/*/Makefile.in.
10472 20050312
10474 Bugfix: the TLS session cache cleaning code didn't always
10475 delete the right entry. Problem found by Victor Duchovni,
10476 more problems found by Wietse. File: tls/tls_scache.c.
10478 20050314
10480 Portability: Berkeley DB changed API from version 2.5 to
10481 2.6. Rob Foehl. File: util/dict_db.c.
10483 20050315
10485 Bugfix: when <unistd.h> is included, read is a reserved
10486 identifier. File: smtpstone/smtp-source.c.
10488 20050321-27
10490 Support for RFC 3463 enhanced status codes. See also the
10491 ENHANCED_STATUS_README (a hacker's guide) for background.
10493 New module to pass around (status code + text) instead of
10494 just text. File: Files: global/dsn_util.c.
10496 Status-related lookup tables now have an extra column for
10497 enhanced status codes. Files: global/sys_exits.c,
10498 global/cleanup_strerror.c.
10500 Cleanup: centralized mapping of errno values to delivery
10501 status codes after failed delivery to mailbox, maildir, or
10502 file. Error codes EAGAIN, and ESTALE are 4.2.0 temporary
10503 errors; ENOSPC is a 4.3.0 temporary error; and EDQUOT and
10504 EFBIG are 5.2.2 hard errors. For backwards compatibility,
10505 the result of other errors depends on the delivery agent:
10506 with local(8) everything else is a 5.2.0 hard error, and
10507 with virtual(8) everything else is soft 4.2.0 error. File:
10508 global/mbox_open.c.
10510 20050324
10512 Workaround: gcc -W (version 3.4.2 [FreeBSD] 20040728) no
10513 longer warns about missing return statements. What a time
10514 waste.
10516 Workaround: gcc -E (version 3.4.2 [FreeBSD] 20040728) output
10517 has changed, causing too much "make depend" output.
10519 20050325
10521 Bugfix: when bouncing mail that was submitted with Postfix
10522 sendmail, the cleanup daemon ignored the reason specified
10523 in header/body_checks, and always produced a generic reason.
10524 File: cleanup/cleanup_api.c.
10526 Workaround: don't announce pipelining support when the
10527 smtp-sink test program is configured to fail specific
10528 commands with -r or -f (the fix is to build a proper SMTP
10529 state engine into the smtp-sink test program). File:
10530 smtpstone/smtp-sink.c.
10532 20050326
10534 Update: more PCRE error codes. File: util/dict_pcre.c.
10536 20050327
10538 Bugfix: the SMTP and LMTP clients did not ask the queue
10539 manager to reduce destination concurrency when "lost
10540 connection" or "connection timed out" happened AFTER Postfix
10541 received the server greeting. Files: smtp/smtp_trouble.c,
10542 lmtp/lmtp-trouble.c.
10544 Workaround: FreeBSD has incompatibly changed the output
10545 format from "od", breaking regression test portability.
10547 The TLS client session cache ID is now derived from the
10548 server IP address, TCP Port, and server HELO hostname
10549 if available. File: smtp/smtp_proto.c.
10551 20050328
10553 Cleanup: the REPLACE action is no longer implemented as
10554 PREPEND+IGNORE. The result remains in the input stream,
10555 and is subject to address rewriting and other processing
10556 where applicable. File: cleanup/cleanup_message.c.
10558 Feature: the TLS server name verification status is moved
10559 out of the TLS session cache. This not only simplifies the
10560 client-side TLS cache implementation, but also provides
10561 better cache support for clients that connect to multiple
10562 independent MTAs under the same DNS hostname or IP address,
10563 provided that each MTA replies with a unique name in the
10564 EHLO response. Patch by Victor Duchovni. Files: tlsmgr/tlsmgr.c,
10565 tls/tls_verify.c, tls/tls_session.c, tls/tls_server.c,
10566 tls/tls_scache.h, tls/tls_scache.c, tls/tls_misc.c,
10567 tls/tls_mgr.h, tls/tls_mgr.c, tls/tls_client.c, tls/tls.h,
10568 smtp/smtp_proto.c.
10570 20050330
10572 Bugfix: in some compilation environments the SMTP and LMTP
10573 clients could ignore enhanced status codes in server replies.
10574 Bug introduced 20050329 while polishing working code. Files:
10575 smtp/smtp_chat.c, lmtp/lmtp_chat.c.
10577 Feature: add enhanced status code support to the smtp-sink
10578 test program. File: smtpstone/smtp-sink.c.
10580 20050331
10582 Workarounds for ancient gcc compilers that can't handle
10583 valid C. Bugs reported by Victor Duchovni. Files:
10584 util/sys_defs.h, global/dsn_util.h, tls/tls_client.c.
10586 Bugfix: when delivery to command failed, command output was
10587 not reported. Fix was to enable format checks for the new
10588 dsn_vstring_update() module. File: global/dsn_util.h,
10589 global/pipe_command.c.
10591 20050401
10593 Cleanup: ignore incorrect enhanced status codes (such as
10594 5xx reply followed by a 4.x.x status), and don't look for
10595 enhanced status codes unless the server replies with a
10596 [245]XX reply. Files: smtp/smtp_chat.c, lmtp/lmtp_chat.c.
10598 20050402
10600 Feature: enhanced status code support for errors found by
10601 the MIME processor. Files: global/mime_state.c,
10602 cleanup/cleanup_message.c, smtp/smtp_proto.c.
10604 Cleanup: updated error messages about MIME processing errors
10605 in the SMTP client. These errors are no longer specific to
10606 8bit->7bit conversion; they can also happen with generic
10607 address mapping. File: smtp/smtp_proto.c.
10609 Safety: SASL 2.1.19 has a version lookup routine that we
10610 can use to detect compile time / run time version mis-matches
10611 (also known as DLL hell). Files: src/smtpd/smtpd_sasl_glue.c,
10612 src/smtp/smtp_sasl_glue.c, src/lmtp/lmtp_sasl_glue.c.
10614 20050404
10616 Typo: missing comma after dsn=x.yy.zz logging. File:
10617 global/log_adhoc.c.
10619 Feature: specify "smtpd_sasl_authenticated_header = yes"
10620 to report the SASL login name in the Received: message
10621 header, so that the login name is shared with the whole
10622 world. Based on code by Branko F. Gracnar. Files:
10623 smtpd/smtpd.c, and documentation.
10625 20050407
10627 @%^!#& Thanks to inadequate SASL documentation the client
10628 could negotiate a security layer where none was desired.
10629 Better documentation has become available since Postfix
10630 SASL support was implemented, and now Postfix needs to be
10631 fixed. Files: */*_sasl_glue.c.
10633 20050409
10635 Safety: the CDB map now logs a warning when the source file
10636 is newer than the indexed file, just like the Berkeley DB
10637 and DBM maps. Michael Tokarev. File: util/dict_cdb.c.
10639 20040411
10641 Portability: put the SASL DLL Hell guard after the declarations
10642 instead of before. Reported by Marcus Grando. Files:
10643 smtp/smtp_sasl_glue.c, lmtp/lmtp_sasl_glue.c.
10645 20050412
10647 Infrastructure: change the disposition or other properties
10648 of an embryonic queue file. This is currently used only to
10649 place mail on hold. After code by Victor Duchovni. Files:
10650 global/mail_stream.[hc], cleanup/cleanup_api.c.
10652 Bugfix: while updating the cleanup_flush() infrastructure
10653 eliminated a portability problem that was introduced when
10654 "REJECT text" support was added. File: cleanup/cleanup.c.
10656 20050413
10658 Portability: don't mix socket message send/receive calls
10659 with socket stream read/write calls. The fact that you can
10660 get away with it only on some stacks implies that there is
10661 no long-term guarantee. Specify -DCAN_WRITE_BEFORE_SENDING_FD
10662 if you feel brave. File: util/sys_defs.h.
10664 Robustness: re-compile all object files after the "make
10665 makefiles" options have changed. Files: src/*/Makefile.in.
10667 Tweaking: reply with 5.3.4 when the message size exceeds
10668 the mail system message_size_limit, instead of 5.2.3 which
10669 is a mailbox specific status. File: smtpd/smtpd_check.c.
10671 20050417
10673 Safety: don't call syslog from a user-triggered signal
10674 handler. File: postdrop/postdrop.c.
10676 20050421
10678 Bugfix: don't panic when the fall-back relay can't be used
10679 because the local MTA is MX for the destination. File:
10680 smtp/smtp_connect.c.
10682 20050422
10684 Bugfix: don't panic when the fall-back relay can't be used
10685 because it was already tried via a cached session. Produce
10686 a default excuse instead. File: smtp/smtp_connect.c.
10688 Bugfix: postsuper could lose an error message after reporting
10689 a fatal error. File: postsuper/postsuper.c.
10691 20050426
10693 Bugfix: simplified and improved the 20050422 fall-back relay
10694 fix. File: smtp/smtp_connect.c.
10696 20050427
10698 Final solution for the 20050422 fall-back relay problem:
10699 truncate the fall-back host list when the local MTA is MX
10700 for some destination. Files: util/argv.c, smtp/smtp_connect.c.
10702 Cleanup: extra dsn_vstring_update_dsn() routine to shut up
10703 GCC complaints about valid code. Files: src/global/dsn_util.c,
10704 src/global/mbox_open.c, src/lmtp/lmtp_addr.c, src/smtp/smtp_addr.c,
10705 src/smtp/smtp_connect.c.
10707 20050429
10709 The Postfix SMTP server now announces ENHANCEDSTATUSCODES
10710 support in the EHLO response, as described in RFC 2034.
10711 File: smtpd/smtpd.c.
10713 20050503
10715 Propagate enhanced status code from error(8) mailer to SMTP
10716 server replies. File: smtpd/smtpd_check.c.
10718 Cleanup: more consistent format of smtpd warning logging,
10719 so that it is easier to sort. Files: smtpd/smtpd.c,
10720 smtpd/smtpd_check.c.
10722 20050504
10724 Yikes. People are exposing the smtp-sink test program to
10725 hostile environments, while it was designed for controlled
10726 environments. Completed the support for write timeouts,
10727 added support for read timeouts, and added a missing exception
10728 handler for the 220 server greeting. File: smtpstone/smtp-sink.c.
10730 20050506
10732 Cleanup: with "REJECT 4.X.Y ..." actions in header/body_checks,
10733 change the SMTP server reply code from 550 into 450, instead
10734 of having the SMTP server change the DSN into 5.X.Y. File:
10735 smtpd/smtpd.c.
10737 20050510
10739 Usability: when reporting a sender address problem, transform
10740 a recipient DSN status (e.g., 4.1.1-4.1.6) into the
10741 corresponding sender DSN status, and vice versa; and when
10742 reporting a non-address problem, transform a sender or
10743 recipient DSN status into a generic non-address DSN status
10744 (e.g., 4.0.0). This transformation may be needed when the
10745 same access table or RBL reply template are used for client,
10746 helo, sender, or recipient restrictions; or when the same
10747 error mailer information is used for senders or recipients.
10748 Files: smtpd/smtpd_check.c, smtpd/smtpd_dsn_fix.[hc].
10750 20050512
10752 Feature: support for more SASL logging call-backs, if these
10753 are defined in the compile-time environment. Files:
10754 smtpd/smtpd_sasl_glue.c, smtp/smtp_sasl_glue.c.
10756 20050513
10758 Workaround: Postfix now uses "localdomain" as the default
10759 domain name when $myhostname is not in "host.domain" form.
10760 Files: global/mail_params.[hc].
10762 ---------
10764 20050415-20050615
10766 As of 20050525, DSN support does not involve new queue file
10767 record types, so you can switch back to older Postfix
10768 versions. Older non-production releases did introduce queue
10769 file incompatibilty.
10771 DSN support is selected via the SMTP port by extra parameters
10772 to the MAIL FROM and RCPT TO commands, and with the Postfix
10773 sendmail command with new command-line options: -N (specify
10774 notification options such as "never", "success", "delay"
10775 or "failure") and -V (specify an envelope ID that identifies
10776 the mail submission transaction). VERP support now uses
10777 -XV instead of -V.
10779 The implementation piggy-backs on the trace(8) service that
10780 was already used for "sendmail -v" (verbose delivery) and
10781 for "sendmail -bv" (what-if) reports. You can no longer
10782 requests these functions together with DSN support.
10784 All this means revision of bounce/defer/trace client
10785 interfaces, of the bounce service, the record reading loops
10786 in postdrop, cleanup(8) and qmgr(8), the queue manager to
10787 delivery agent protocol, and some extra SMTP protocol
10788 parameters in smtpd(8), lmtp(8) and smtp(8).
10790 New code module: global/dsn_smtp.[hc] for RFC 3461 related
10791 information (but this may still change).
10793 Feature: "sendmail -G" is no longer a no-op. Message headers
10794 are treated as if the message has a remote origin. Files:
10795 sendmail/sendmail.c, postdrop/postdrop.c.
10797 Feature: automatic BCC senders are now created as if they
10798 were received with NOTIFY=NEVER, in case it helps. File:
10799 cleanup/cleanup_addr.c
10801 Compatibility: with large bounces, send message headers
10802 only, instead of truncating MIME messages in the middle.
10804 20050517
10806 Bugfix: in a DSN report, the original recipient should not
10807 be xtext encoded. File: bounce/bounce_notify_util.c.
10809 20050523
10811 Bugfix: mymalloc() panic with mistyped server host list.
10812 File: global/dict_pgsql.c.
10814 20050525
10816 Feature: specify delay_warning_time=1 to get immediate
10817 notification of delay. File: qmgr/qmgr_active.c.
10819 20050526
10821 Reset the Postfix original recipient when delivering to
10822 mailing list.
10824 20050601
10826 Modified the master backgrounding procedure to not abort
10827 when the master is already a process group leader. This
10828 happens when people bypass or modify the official Postfix
10829 start-up procedure. Jacek Konieczny. File: master/master.c.
10831 20050602
10833 Sanity check: don't report "address in use" when some Postfix
10834 socket is a directory. File: util/unix_listen.c.
10836 20050613
10838 Now that the over-all structure of the code is proving
10839 itself, interfaces can be cleaned up. This means nicer names
10840 for variables, functions and data structures, and dedicated
10841 read/write routines for recipient and DSN information.
10842 These remove a lot of clutter from the bounce client and
10843 server code. Files: dsn_print.c dsb_scan.c, rcpt_print.c,
10844 rcpt_buf.c.
10846 For Sendmail compatibility, the Postfix sendmail -V option
10847 no longer controls VERP usage, but is used to specify the
10848 DSN envelope ID. In order to provide a smooth transition,
10849 backwards compatibility code recognizes when -V is being
10850 used for VERP control. It will do the right thing, and
10851 warns the user to use -XV instead. File: sendmail/sendmail.c.
10853 20050614
10855 The cleanup server writes bounce (delivery failure) and
10856 trace (success) records, but it no longer requests sender
10857 notification. That is now handled by the queue manager.
10858 The reason is that the cleanup server must be able to abort
10859 a request including its bounce and trace logfiles, so it
10860 must not take actions that can't be undone.
10862 20050615
10864 Cleanup: the SMTP client now sends QUIT when the initial
10865 HELO handshake fails. it still doesn't send QUIT when the
10866 server greets with a [45]XX code, as that is handled in the
10867 connection management code before a session context exists.
10868 File: smtp/smtp_connect.c.
10870 Cleanup: made the quote_821_local() routine "const" clean.
10871 File: global/quote_821_local.[hc].
10873 20050616
10875 Bugfix: missing or mis-placed va_end() macros, found in
10876 Postfix 2.3 code review. Files: util/netstring.c,
10877 util/myaddrinfo.c, util/attr_clnt.c, util/vstream.c.
10880 Bugfix: the SMTP server now separates the message size check
10881 from the queue space check, so that the size check can be
10882 done before an SMTPD proxy filter. Files: smtpd/smtpd.c,
10883 smtpd/smtpd_check.c.
10885 20050617
10887 Postdrop didn't recognize the new recipient attributes.
10888 File: postdrop/postdrop.c.
10890 Feature: configurable MAILER-DAEMON replacement for the
10891 null sender address that is used by the pipe(8) delivery
10892 agent on the command line and in message headers. Command-line
10893 address quoting is disabled when the replacement is empty.
10894 File: pipe/pipe.c.
10896 20050618
10898 With virtual aliasing enabled, Postfix would always report
10899 successful alias expansion, even when no alias was expanded.
10900 File: cleanup/cleanup_out_recipient.c.
10902 20050621
10904 Portability: file descriptor passing is available for Tru64
10905 UNIX, but not for AIX4 and IRIX6. Albert Chin. File:
10906 util/sys_defs.h.
10908 20050622
10910 Cleanup: the DNS lookup code now accommodates name server
10911 replies longer than 4 kbytes, with a hard upper limit of
10912 32kbytes. For safety reasons, the number of MX host addresses
10913 that the SMTP client will try was reduced from unlimited
10914 to just 5, so that Postfix won't spend forever trying to
10915 connect to dozens and dozens of bogus MX hosts. Files:
10916 dns/dns_lookup.c, global/mail_params.h.
10918 Cleanup: the code that handles a 4xx or 5xx SMTP server
10919 greeting was moved from the connection management module
10920 to the protocol engine, for cleaner error handling. This
10921 means that the failed session now counts towards the limit
10922 on the total number of SMTP sessions per domain name (default:
10923 smtp_mx_session_limit = 2). Files: smtp/smtp_connect.c,
10924 smtp/smtp_proto.c.
10926 20050623
10928 Cleanup: generalized the delegated attribute scan/print
10929 interfaces, and updated the deliver_pass module with delegated
10930 attribute scan/print support. Files: util/attr_scan0.c,
10931 util/attr_print0.c, global/dsb_scan.c, global/dsn_print.c,
10932 global/rcpt_buf,c global/rcpt_print.c, global/deliver_pass.c.
10934 Added delegated attribute scan/print function support to
10935 the base64 and plain attribute I/O encodings. Files:
10936 util/attr_scan_plain.c util/attr_print_plain.c.
10938 20050624
10940 Added "." to the list commands that smtp-sink can "break"
10941 (by disconnecting, or by responding with a 4XX or 5XX reply
10942 code). File: smtpstone/smtp-sink.c.
10944 20050625
10946 Safety: allow only 4.x.x and 5.x.x enhanced status codes
10947 in header/body_checks REJECT actions. File:
10948 cleanup/cleanup_message.c.
10950 20050627
10952 Code cleanup: generalized the smtp-sink code that simulates
10953 server errors. File: smtpstone/smtp-sink.c.
10955 20050629
10957 Code cleanup: the smtp_mx_session_limit setting (per delivery
10958 request session count limit) now ignores sessions that fail
10959 to complete the TCP, SMTP, EHLO or TLS handshake (was: TCP
10960 and SMTP). File: smtp/smtp_proto.c.
10962 20050630
10964 Updated the example spf.pl script to version 1.06.
10966 Portability: the file descriptor passing code broke on LP64
10967 systems (inherited from Stevens Network Programming). Files:
10968 util/unix_send_fd.c, util/unix_recv_fd.c.
10970 20050706
10972 Robustness: the SMTP client now disables connection caching
10973 when it is unable to communicate with the scache(8) server,
10974 instead of looping forever. File: global/scache_clnt.c.
10976 Portability: after sending a socket, the scache(8) server
10977 now waits for an ACK from the connection cache client before
10978 closing the socket that it just sent. Files: scache/scache.c,
10979 global/scache_clnt.c.
10981 20050708
10983 Bugfix: missing returns in 20050706 caching disabling code
10984 (in error handling code that never executes). File:
10985 global/scache_clnt.c.
10987 Portability: use explicitly unsigned operands when doing
10988 bit-wise shift operations on data larger than a character.
10990 20050709-15
10992 Migration of data object sizes and offsets from int->ssize_t
10993 and unsigned->size_t for better portability to LP64 and
10994 LLP64 systems where *size_t is 64 bits wide. This change
10995 has no effect on 32-bit systems.
10997 This change not only eliminated some obscure portability
10998 bugs (see two paragraphs down), it also eliminated many
10999 unnecessary conversions back and forth between 32-bit and
11000 64-bit integers, because all relevant system library functions
11001 take *size_t arguments or return *size_t results.
11003 Simply changing every data object size or offset to size_t
11004 (which is unsigned!) would be dangerous. A lot of code was
11005 written assuming signed arithmetic and rejects negative
11006 lengths, which can happen as the result of integer overflow.
11008 Portability: on LP64 systems, integer expressions are int,
11009 but sizeof() and pointer difference expressions are larger.
11010 The above changes fixed a few discrepancies with function
11011 calls where *size_t was passed while the old code expected
11012 an int: clean_env() versus argv_addn(), and code that sent
11013 binary blobs via the TLS session cache manager protocol.
11015 20050711
11017 Bugfix: don't include <> when auto-generating an ORCPT
11018 address from a client RCPT TO command. File: smtpd.c.
11020 20050712
11022 Cleanup: cleanup_out_recipient() still generated DSN records
11023 that were incompatible with pre-DSN Postfix versions. File:
11024 cleanup/cleanup_out_recipient.c.
11026 20050716
11028 Bugfix: the smtpd_sasl_authenticated_header code did not
11029 check if SASL was actually enabled. File: smtpd/smtpd.c.
11031 20050720
11033 Feature: reverse client hostname. This is set at connection
11034 time with information from the SMTP client address->name
11035 mapping, and can be overruled with the REVERSE_NAME attribute
11036 in the XCLIENT command. File: smtpd/smtpd_peer.c.
11038 Cleanup: renaming of several confusing restriction names:
11039 reject_unknown_client -> reject_unknown_client_hostname,
11040 reject_unknown_hostname -> reject_unknown_helo_hostname,
11041 reject_invalid_hostname -> reject_invalid_helo_hostname,
11042 and reject_non_fqdn_hostname -> reject_non_fqdn_helo_hostname.
11043 The old names are still recognized and documented. Files:
11044 global/mail_params.h, smtpd/smtpd.c, smtpd/smtpd_check.c.
11046 Feature: reject_unknown_reverse_client_hostname. This rejects
11047 clients that have no address to name mapping (unlike the
11048 reject_unknown_client_hostname feature which requires that
11049 the address->name and name->address mappings resolve to the
11050 client IP address). Files: global/mail_params.h,
11051 smtpd/smtpd_peer.c, smtpd/smtpd.c, smtpd/smtpd_check.c.
11053 20050726
11055 Horror: total rewrite of DNS client error handling because
11056 some misguided proposal attempts to give special meaning
11057 to some syntactically invalid MX hostname lookup result.
11058 Not only that, people expect sensible results with
11059 reject_unknown_sender_domain etc. Files: dns/dns_lookup.c,
11060 smtp/smtp_addr.c smtpd/smtpd_check.c, lmtp/lmtp_addr.c.
11062 Cleanup: HOLD action executes only once, to reduce noise
11063 in the logfile. Files: cleanup/cleanup_message.c, smtpd/smtpd.c.
11065 20050806
11067 Workaround: accept(2) fails with EPROTO when the client
11068 already disconnected (SunOS 5.5.1). File: sane_accept.c.
11070 20050815
11072 Workaround: old Solaris compilers can't link an archive
11073 without globally visible symbols. File: tls/tls_misc.c.
11075 20050825
11077 Feature: message_reject_characters and message_strip_characters
11078 specify what characters in message content Postfix will
11079 reject or remove. Based on patch by John Fawcett. Files:
11080 cleanup/cleanup_message.c, cleanup/cleanup_init.c.
11082 Safety: when the cleanup server rejects the content of mail
11083 that is submitted with the Postfix sendmail command, or
11084 re-queued with "postsuper -r", strip the message body from
11085 the bounce message to reduce the risks from harmful content.
11086 Files: cleanup/cleanup_envelope.c, cleanup/cleanup_bounce.c.
11088 Feature: the smtpd_proxy_filter parameter value can now be
11089 prefixed with "unix:" (for UNIX-domain socket) and "inet:"
11090 (for TCP socket). TCP sockets are the default. Patch by
11091 Edwin Kremer. File: smtpd/smtpd_proxy.c.
11093 20050828
11095 Bugfix: after adding DSN support, error notification was
11096 broken for too large mail that was submitted with the Postfix
11097 sendmail command, forwarded by the local(8) delivery agent,
11098 or re-queued with "postsuper -r". The message would be saved
11099 to the "corrupt" queue.
11101 The mistake was to leave the truncated message in the
11102 incoming queue and to ask the queue manager to notify the
11103 sender; this was not possible because the queue manager
11104 cannot (and should not) handle truncated queue files.
11106 The fix is to have the cleanup server send the bounce
11107 message, just like it did before DSN support was added. As
11108 a side effect, Postfix will no longer send DSN_SUCCESS
11109 notices after virtual aliasing, when the cleanup server
11110 bounces all the recipients of the message anyway. This
11111 could be called a feature. File: cleanup/cleanup_bounce.c.
11113 Also needed for this fix: a new vstream_fpurge() routine
11114 that discards unread/written data from a VSTREAM. It's
11115 needed before cleanup_bounce() can seek to the start of the
11116 queue file after a file size error. File: util/vstream.c.
11118 20050920
11120 Cleanup: removed the legacy "tls_info" structure, factored
11121 out common code for peer_CN and issuer_CN lookup, and added
11122 sanity check to not verify subject common names that contain
11123 nulls or that are execessively long. Patch by Victor Duchovni.
11124 Files: tls_client.c, tls_server.c, tls_session.c, tls_misc.c,
11125 tls_verify.c.
11127 20050922
11129 Bugfix: the *SQL clients did not uniformly choose the
11130 database host from the available pool of servers due to an
11131 off-by-one error, so that the "last" available server was
11132 not selected. Leandro Santi. Files: dict_mysql.c, dict_pgsql.c.
11134 Update: common code factored out into db_common.c, and
11135 adoption of Liviu Daia's connection aware MySQL quoting.
11136 Patch by Victor Duchovni. Files: dict_ldap.c, dict_mysql.c,
11137 dict_pgsql.c, db_common.c.
11139 20050923
11141 Safety: don't update the local(8) delivery agent's idea of
11142 the Delivered-To: address while expanding aliases or .forward
11143 files. When an alias or .forward file changes the Delivered-To:
11144 address, it ties up one queue file and one cleanup process
11145 instance while mail is being forwarded. To get the old
11146 behavior, specify "frozen_delivered_to = no". Problem
11147 reported by Michael Tokarev, but found independently by
11148 others. Files: local/local.c, local/aliases.c, local/dotforward.c,
11149 local/mailbox.c, local/maildir.c.
11151 Logging: additional SASL debug logging by Andreas Winkelmann.
11152 Files: */*sasl_glue.c.
11154 20050929
11156 Paranoia: don't ignore garbage in SMTP or LMTP server replies
11157 when ESMTP command pipelining is turned on. For example,
11158 after sending ".<CR><LF>QUIT<CR><LF>", Postfix could recognize
11159 the server's 2XX QUIT reply as a 2XX END-OF-DATA reply after
11160 garbage, causing mail to be lost. The SMTP and LMTP clients
11161 now report a remote protocol error and defer delivery.
11162 Files: smtp/smtp_chat.c, smtp/smtp_trouble.c, lmtp/lmtp_chat.c,
11163 lmtp/lmtp_trouble.c.
11165 Performance: specify "smtpd_peername_lookup = no" to disable
11166 client hostname lookups in the SMTP server. All clients are
11167 treated as "unknown". This should be used only under extreme
11168 conditions where DNS lookup latencies are critical. File:
11169 smtpd/smtpd_peer.c.
11171 20051010
11173 Feature: smtpd_client_new_tls_session_rate_limit parameter
11174 to limit the number of new (i.e. uncached) TLS sessions
11175 that a remote SMTP client may negotiate per unit time. This
11176 feature, which is off by default, can limit the CPU load
11177 due to expensive crypto operations. Files: global/anvil_clnt.c,
11178 anvil/anvil.c, smtpd/smtpd.c.
11180 Cleanup: eliminated massive code duplication in the anvil
11181 server that resulted from adding similar features one at a
11182 time. File: anvil/anvil.c.
11184 20051011
11186 Bugfix: raise the "policy violation" flag when a client
11187 request exceeds a concurrency or rate limit. File:
11188 smtpd/smtpd.c.
11190 Bugfix (cut-and-paste error): don't reply with 421 (too
11191 many MAIL FROM or RCPT TO commands) when we aren't closing
11192 the connection. File: smtpd/smtpd.c.
11194 20051012
11196 Polishing: content of comments and sequence of code blocks
11197 in the anvil server, TLS request rate error message in the
11198 smtp server, and documentation, but no changes in code.
11199 Files: anvil/anvil.c, smtpd/smtpd.c.
11201 20051013
11203 Horror: some systems have basename() and dirname() and some
11204 don't; some implementations modify their input and some
11205 don't; and some implementations use a private buffer that
11206 is overwritten upon the next call. Postfix will use its own
11207 safer versions called sane_basename() and sane_dirname().
11208 These never modify the input, and allow the caller to control
11209 how memory is allocated for the result. File:
11210 util/sane_basename.c.
11212 Feature: "sendmail -C path-to-main.cf" and "sendmail -C
11213 config_directory" now do what one would expect. File:
11214 sendmail/sendmail.c.
11216 Bugfix: don't do smtpd_end_of_data_restrictions after the
11217 transaction failed due to, e.g., a write error. File:
11218 smtpd/smtpd.c.
11220 Cleanup: the SMTP server now enforces the message_size_limit
11221 even when the client did not send SIZE information with the
11222 MAIL FROM command. This protects before-queue content
11223 filters against over-size messages. File: smtpd/smtpd.c.
11225 20051017
11227 Bugfix: after DSN support was added, smtp_skip_5xx_greeting
11228 no longer recognized a 5xx SMTP status as a 4xx one. Found
11229 by Ralf Hildebrandt. Fix: use the enhanced status code
11230 instead of the SMTP reply code to choose between permanent
11231 or transient errors. File: smtp/smtp_trouble.c.
11233 Feature: smtp-sink can hard-reject, soft-reject or simply
11234 drop connection requests. File: smtpstone/smtp-sink.c.
11236 Documentation: clarified the processing of server replies,
11237 specifically the reply code and the enhanced status code,
11238 in smtp_chat.c.
11240 20051024
11242 Performance: new smtp_connection_reuse_time_limit parameter to
11243 limit connection reuse by elapsed time, instead of limiting
11244 the number of deliveries per connection. Bounding by time
11245 favors delivery over connections that perform well, while
11246 bounding by number of deliveries allows slow connections
11247 to drag down the performance. Insight and initial
11248 implementation by Victor Duchovni, Morgan Stanley. Files:
11249 smtp_connect.c, smtp_session.c,
11251 Bugfix: the next-hop logical destination information for
11252 connection caching was reset only after a good non-TLS
11253 connection, so that cached connections to non-TLS backup
11254 servers could suck away traffic from TLS primary servers
11255 (the Postfix SMTP client cannot cache an open TLS connection).
11256 Found during code review. This is fixed with multi-valued
11257 connection caching state: expired, cachable, non-cachable,
11258 and bad. Files: smtp_connect.c, smtp_trouble.c.
11260 Bugfix: adding support for "sendmail -C" broke "sendmail
11261 -q". File: sendmail/sendmail.c.
11263 20051101
11265 Migration from a single "arrival time" stamp to a structure
11266 with time stamps from different stages of message delivery.
11267 The first iteration merely replaces "arrival time" stamps
11268 by a structure or pointer to structure, and uses only the
11269 arrival time field of that structure. This is an extensive
11270 but straightforward transformation, based on example by
11271 Victor Duchovni, Morgan Stanley. Files: anything that
11272 invokes bounce_append etc., the log_adhoc module, and
11273 anything that sends or receives a delivery request.
11275 20051102
11277 Completion of support for time stamps from different stages
11278 of message delivery. The information is now logged as
11279 "delays=a/b/c/d" where a=time before queue manager, including
11280 message transmission; b=time in queue manager; c=connection
11281 setup including DNS, HELO and TLS; d=message transmission
11282 time. Unlike Victor's example which used time differences,
11283 this implementation uses absolute times. The decision of
11284 what numbers to subtract actually depends on program history,
11285 so we want to do it in one place. Files: global/log_adhoc.c,
11286 smtp/smtp_connect.c, smtp/smtp_proto.c, smtp/smtp_trouble.c,
11287 lmtp/lmtp_proto.c, lmtp/lmtp_trouble.c.
11289 20051103
11291 Refinement of time stamping and delays formatting. The
11292 hand-off time is now stamped in the delivery agent, so that
11293 time is properly attributed when a transport is saturated
11294 or throttled. Delays are now logged if larger than 0.01
11295 second. Files: *qmgr/qmgr_deliver.c, global/deliver_request.c,
11296 global/log_adhoc.c.
11298 20051104
11300 New parameter delay_logging_time_resolution (default: 10000
11301 microseconds, or 0.01 second) that controls the detail in
11302 the new "delays=a/b/c/d" logging. Specify a power of 10
11303 in the range from 1 to 100000. File: global/log_adhoc.c.
11304 Parameter renamed 20051108.
11306 20051105
11308 All delay logging now has sub-second resolution. This means
11309 updating all code that reads or updates the records that
11310 specify when mail arrived, and ensuring that mail submitted
11311 with older Postfix versions produces sensible results.
11312 Files: global/post_mail.c, global/mail_timeofday.[hc],
11313 global/log_adhoc.c, postdrop/postdrop.c, pickup/pickup.c,
11314 cleanup/cleanup_envelope.c, cleanup/cleanup_message.c,
11315 smtpd/smtpd.c, qmqpd/qmqpd.c, *qmgr/qmgr_message.c,
11316 *qmgr/qmgr_active.c, local/forward.c.
11318 20051106
11320 The SMTP client logs the remote server port in the form of
11321 relay=hostname[hostaddr]:port to the local maillog file.
11322 The port number is NOT included in DSN status reports,
11323 because remote users have no need to know such internal
11324 information. Files: smtp/smtp_session.c, smtp/smtp_proto.c,
11325 smtp/smtp_trouble.c.
11327 Cleanup: encapsulated queue file time read/write operations
11328 with a few simple macros, to make future changes in time
11329 representation less painful.
11331 20051108
11333 Cleanup: eliminated floating point operations from the
11334 ad-hoc delay logging code. Files: util/format_tv.[hc],
11335 global/log_adhoc.c.
11337 The delay logging resolution is now controlled with the
11338 delay_logging_resolution_limit parameter, which specifies
11339 the maximal number of digits after the decimal point.
11341 Bugfix: two messages could get the same message ID due to
11342 a race condition. This time window was increased when queue
11343 file creation was postponed from MAIL FROM until the first
11344 accepted RCPT TO. The window is closed again. Found by
11345 Victor. Files: global/mail_stream.c, global/mail_queue.c,
11346 cleanup/cleanup_message.c.
11348 20051109
11350 qshape.pl updated for extra microsecond time field in Postfix
11351 queue files.
11353 Cleanup: removed obsolete code that handles rejected/dropped
11354 connections before the HELO handshake. File: smtp/smtp_connect.c.
11356 Bugfix: XCLIENT broke when reverse hostname support was added.
11357 Fix by Tomoyuki Sakurai. File: smtpd/smtpd.c.
11359 20051110
11361 Workaround: don't set the delay warning timer for messages
11362 from inside or from outside that have the null sender as
11363 recipient. This was a waste of time, because the warning
11364 would always be discarded. File: cleanup/cleanup_envelope.c.
11366 Feature: the built-in mail delivery status notification
11367 text is now implemented by built-in templates. Files:
11368 bounce/bounce_template.c, bounce/bounce_notify_util.c.
11370 20051112
11372 Feature: configurable bounce message templates based on
11373 contribution by Nicolas Riendeau. I kept the general format
11374 of his templates, but placed them together in one file to
11375 reduce process initialization overhead (most requests to
11376 the bounce daemon are not for sending bounce messages).
11377 Files: bounce/bounce_template.c, bounce/dict_ml.c (to be
11378 moved to library if useful enough). A sample bounce message
11379 template file is installed as $config_directory/bounce.cf.default.
11381 20051113
11383 Feature: "postconf -b filename" to preview the non-default
11384 bounce message templates with $name expansions in the text.
11385 The actual work is of course done by the bounce daemon.
11387 20051114
11389 Feature: -V option to make Postfix daemons to log to stderr.
11390 This is used when a daemon is invoked in stand-alone mode
11391 by a (non-daemon) command.
11393 Feature: "postconf -t" displays DSN templates, headers and
11394 all; use postconf -t ''" to view built-ins.
11396 Cleanup: renamed fail_template into failure_template.
11398 20051117
11400 Cleanup: bounce template code reorg, no functionality change.
11401 Files: bounce/bounce_template.[hc], bounce/bounce_templates.c,
11402 bounce/bounce_notify_util.c.
11404 20051118
11406 Bugfix: new bounce template code did not return after
11407 template syntax error. File: bounce/bounce_template.c
11409 Safety: permit_mx_backup now requires that the local MTA
11410 is not listed as primary MX for the recipient domain. This
11411 prevents mail loops when someone points the primary MX
11412 record to Postfix.
11414 20051119
11416 Workaround: some SMTP servers announce multiple but different
11417 lists of SASL methods. Postfix now concatenates the lists
11418 instead of logging a warning and remembering only one. File:
11419 smtp/smtp_sasl_proto.c.
11421 Bugfix: the queue manager did not write a per-recipient
11422 defer logfile record when the delivery agent crashed between
11423 receiving a delivery request, and reporting the delivery
11424 status to the queue manager. Found while redesigning the
11425 code that handles unavailable transports or destinations.
11426 Files: *qmgr/qmgr_deliver.c.
11428 20051121
11430 Workaround: do not build the bounce.cf.default template
11431 while compiling Postfix - it breaks when the default
11432 mail_owner etc. accounts don't exist. Reported by Liviu
11433 Daia.
11435 Compatibility: added permit_auth_destination emulation to
11436 the permit_mx_backup feature. This avoids surprises with
11437 sites that used permit_mx_backup to authorize all their
11438 incoming mail.
11440 20051122-24
11442 Feature: sender_dependent_relayhost_maps, lookup tables that specify
11443 a sender-dependent override for the relayhost parameter
11444 setting. The lookup is done in the trivial-rewrite server,
11445 instead of the queue manager where it does not belong.
11446 Files: global/resolve_clnt.c, global/tok822_resolve.c,
11447 trivial-rewrite/resolve.c, trivial-rewrite/transport.c,
11448 *qmgr/qmgr_message.c.
11450 Also: address_verify_sender_dependent_relayhost_maps for
11451 completeness.
11453 20051124
11455 Feature: specify "smtp_sender_dependent_authentication =
11456 yes" to enable sender-dependent SASL passwords. This disables
11457 SMTP connection caching to ensure that mail from different
11458 senders is delivered with the appropriate credentials. This
11459 is an extended version of a patch by Mathias Hasselmann.
11460 Files: smtp/smtp_connect.c, smtp/smtp_sasl_glue.c.
11462 20051126
11464 Workaround: log warning when REDIRECT or FILTER are used
11465 in smtpd_end_of_data_restrictions. File: smtpd/smtpd_check.c.
11467 Log warning when REDIRECT, FILTER, HOLD and DISCARD are
11468 used in smtpd_etrn_restrictions. File: smtpd/smtpd_check.c.
11470 20051128
11472 Bugfix: moved code around from one place to another to make
11473 REDIRECT, FILTER, HOLD and DISCARD access(5) table actions
11474 work in smtpd_end_of_data_restrictions. PREPEND will not
11475 be fixed; it must be specified before the message content
11476 is received. Files: smtpd/smtpd.c, smtpd/smtpd_check.c,
11477 cleanup/cleanup_extracted.c, pickup/pickup.c.
11479 Safety: abort if the SMTP or QMQP server runs with non-postfix
11480 privileges while it's connected to the network. Files:
11481 smtpd/smtpd_peer.c, qmqpd/qmqpd_peer.c.
11483 20051201
11485 Bugfix: the LMTP client would reuse a session after negative
11486 reply to the RSET command (which may happen when client and
11487 server somehow get out of sync). Problem found by Christian
11488 Theune. Files: lmtp/lmtp.c, lmtp/lmtp_proto.c.
11490 20051202
11492 Bugfix: the 20051128 code move for "smtpd_end_of_data_restrictions"
11493 broke "postsuper -r".
11495 20051202-3
11497 Cleanup: the SMTP client now also implements the LMTP
11498 protocol. Files: smtp/smtp.c, smtp/smtp_connect.c,
11499 smtp/smtp_proto.c, smtp/smtp_dsn.c, smtp_state.c,
11500 smtp_sasl_glue.c.
11502 As before, the LMTP behavior is controlled with parameters
11503 named lmtp_xxx instead of smtp_xxx. However there are now
11504 a lot more lmtp_xxx parameters :-) With few exceptions, all
11505 SMTP features are now also available with LMTP. The exceptions
11506 are related to the HELO and EHLO commands, which exist in
11507 SMTP only. There are equivalent LHLO command parameters
11508 where it makes sense.
11510 20051206
11512 SMTP+LMTP client connection management code rewritten to
11513 support UNIX-domain socket connections.
11515 20051207
11517 Bugfix: race condition in the connection caching protocol,
11518 found while adding connection caching for UNIX-domain sockets
11519 (used for LMTP delivery). This was introduced with the
11520 20050706 workaround, and may the same problem that Jussi
11521 Silvennoinen experienced (in Postfix 2.2.6) with SMTP after
11522 an upgrade. Files: scache/scache.c.
11524 Bugfix: smtp-sink and qmqp-sink didn't ignore SIGPIPE.
11526 20051208
11528 Robustness: reduced timeouts in the connection caching
11529 client, so that a malfunctioning service does not prevent
11530 mail delivery. This uses similar code that already exists
11531 for the anvil(8) client and the tlsmgr(8) client. Files:
11532 global/scache_clnt.c, smtp/smtp.c.
11534 To make reduced connection caching client timeouts possible,
11535 connection management was moved from the attr_clnt(3) module
11536 to the auto_clnt(3) module where it belongs. The auto_clnt(3)
11537 module is now a full alternative for the clnt_stream(3)
11538 module. Files: util/auto_clnt.c, util/attr_clnt.c.
11540 Bugfix: the best_mx_transport, mailbox_transport and
11541 fallback_transport features did not write a per-recipient
11542 defer logfile record when the target delivery agent was
11543 broken. This the analog of queue manager bugfix 20051119.
11544 Files: global/deliver_pass.c.
11546 20051210
11548 Cleanup: simplified the SMTP/LMTP connection management
11549 logic for address list and fallback relay processing.
11550 Still need to simplify deferred recipient handling.
11552 20051212
11554 Bugfix: after a failed TLS session, the 20051210 SMTP client
11555 code cleanup broke sessions with backup servers, causing the
11556 client to get out of step with the backup server. This in
11557 turn exposed a one-year old missing exception handling
11558 context in the EHLO handstake after sending STARTTLS. Victim
11559 was Ralf Hildebrandt, detectives Victor Duchovni and Wietse.
11560 File: smtp/smtp_proto.c.
11562 20051213
11564 Bugfix: *SQL, proxy and LDAP map types were not defined in
11565 user-land commands such as postqueue. Leandro Santi. File:
11566 postqueue/postqueue.c.
11568 20051212-14
11570 Server-side plug-in interface for SASL authentication. This
11571 uses Cyrus SASL by default, so nothing has changed except
11572 error messages may be more informative. Files:
11573 smtpd/smtpd_sasl_proto.c smtpd/smtpd_sasl_glue.c,
11574 xsasl/xsasl_server.[hc], xsasl/cyrus_server.[hc]
11575 xsasl/cyrus_strerror.c, xsasl/cyrus_log.c, xsasl/cyrus_security.c.
11577 20051215
11579 Portability: IRIX 6.5.28 defines sa_len as a macro, so it
11580 can't be used as a variable identifier. Zach McDanel. Files:
11581 dns/dns_rr_to_sa.c, smtpd/smtpd_peer.c, qmqpd/qmqpd_peer.c.
11583 20051216
11585 Cleanup: removed some scar tissue that was introduced with
11586 server-side SASL plug-in support. Files: smtpd_sasl_proto.c,
11587 smtpd_sasl_glue.c.
11589 Client-side plug-in interface for SASL authentication. This
11590 uses Cyrus SASL by default, so nothing has changed except
11591 error messages may be more informative. Files: smtp_sasl_glue.c,
11592 xsasl/xsasl_client.[hc], xsasl/cyrus_client.[hc].
11594 20051217
11596 Bugfix: when a SASL client password is required by a specific
11597 server, defer delivery when no server-announced mechanism
11598 survives the smtp_sasl_mechanism_filter, instead of ignoring
11599 the SASL announcement and trying to deliver the mail over
11600 an unauthenticated connection and risking that mail will
11601 be rejected. File: smtp/smtp_sasl_proto.c, smtp/smtp_proto.c.
11603 Portability: zero the "struct msg" just in case. Both purify
11604 (Linux) and valgrind (FreeBSD) complain about uninitialized
11605 bits. Files: util/unix_{send,recv}_fd.c.
11607 20051219
11609 Cleanup: generic smtpd_sasl_path, smtp_sasl_path and
11610 lmtp_sasl_path configuration parameters; simplified the
11611 SASL plug-in API, and made initial provisions for SASL
11612 session encryption. Files: xsasl/*.[hc].
11614 Feature: "postconf -a" lists the available SASL server
11615 plug-in types, and "postconf -A" does the same for the
11616 client. Files: postconf.c, xsasl_{client,server}.c.
11618 Feature: new SMTPD policy attributes "encryption_protocol",
11619 "encryption_cipher" and "encryption_keysize", to distinguish
11620 plaintext from encrypted connections.
11622 20051221
11624 Privacy: the new Cyrus SASL server plug-in replaces "no
11625 user" errors by "authentication failed" errors. File:
11626 xsasl/xsasl_cyrus_server.c.
11628 Safety: the Postfix SMTP client no longer uses CNAME expanded
11629 hostnames for logging, SASL password lookup, TLS policy
11630 decisions, or TLS certificate verification. Instead it
11631 uses the name of the recipient domain, or the host or domain
11632 name specified in Postfix configuration files. Of course
11633 this won't prevent cheating with hostnames that appear in
11634 MX lookup results. To avoid that you will have to suppress
11635 MX lookups with explicit [hostname] entries in transport
11636 maps. Files: dns/dns_lookup.c, dns/dns_rr.c.
11638 20051222
11640 Feature: Dovecot SASL authentication (server side) plug-in
11641 by Timo Sirainen. This builds without external library
11642 dependencies and is therefore compiled in by default.
11643 Files: xsasl/xsasl_dovecot_server.[hc].
11645 Safety: set the default LANG=C, instead of deleting LANG
11646 from the environment and assuming the right thing will
11647 happen. File: global/mail_params.h.
11649 Safety: always add the ISASCII() requirement to the ISXXX()
11650 macros, because they are used for protocol and policy
11651 enforcement. File: util/sys_defs.h.
11653 Bugfix: null pointer in the 20051219 policy delegation
11654 crypto attributes. File: smtpd/smtpd_check.c.
11656 Compatibility: "resolve_numeric_domain = yes" will accept
11657 addresses with numeric domains instead of rejecting them as
11658 invalid. Files: trivial-rewrite/resolve.c, util/vstring.c.
11660 Bugfix: 20051219 "postconf -A" produced "postconf -a" output.
11661 Andreas Winkelmann.
11663 20051225
11665 Bugfix: the regexp map cleverly avoided scanning constant
11666 lookup results for non-existent $number expressions, but
11667 failed to subject those results to the necessary $$ -> $
11668 replacement. Files: util/dict_regexp.c.
11670 Performance: the pcre map did not optimize constant lookup
11671 results; they were always scanned for non-existent $number
11672 expressions. File: util/dict_pcre.c.
11674 This round of edits eliminates architectural differences
11675 between the pcre and regexp table implementations. The
11676 remaining difference is that regexp tables still support
11677 the obsolete "/pattern1/!/pattern2/ action" syntax, for
11678 backwards compatibility with Postfix 2.0 and earlier.
11680 20051227
11682 Bugfix: the 20051222 ISASCII paranoia broke the strcasecmp()
11683 workaround for Solaris. File: util/strcasecmp.c.
11685 Bitrot: SunOS4 pre-dates size_t, ssize_t, getsid(). File:
11686 src/util/sys_defs.h. The SunOS4 tests had been suspended
11687 due to what turned out to be a broken AUI-to-UTP transceiver.
11689 Bugfix: the 20061226 cosmetic change broke non-IPV6 support
11690 (example: sockaddr_to_hostaddr: Unknown error: success).
11691 File: util/myaddrinfo.c.
11693 20051229
11695 The following workaround was removed 20060103.
11697 Workaround: when mail is still queued after 3000 seconds,
11698 the SMTP client no longer pipelines the DOT+QUIT commands.
11699 The 20050929 paranoia about malformed server replies
11700 eliminated a rare occurrence of "lost mail" with sites that
11701 mis-implement DOT+QUIT pipelining, but resulted in a larger
11702 occurrence of repeated deliveries to sites with a different
11703 DOT+QUIT pipelining bug. The time threshold is set with the
11704 smtp_dot_quit_workaround_threshold_time parameter. Files:
11705 smtp/smtp_proto.c, smtp/smtp.c.
11707 Feature: mailbox_transport_maps and fallback_transport_maps
11708 to search delivery transports by recipient name. Files:
11709 local/mailbox.c, local/unknown.c.
11711 Feature: the master daemon now logs a warning when all
11712 servers are busy that may accept remote connections, and
11713 suggests to either increase the process count or to reduce
11714 the service time per client. Files: master/master_ent.c,
11715 master/master_avail.c.
11717 20051231
11719 Bugfix: the anvil server would terminate after "max_idle"
11720 seconds, even when this was less than the anvil_rate_time_unit
11721 interval. File: anvil/anvil.c.
11723 20060102
11725 Deleted the 20051229 dot-quit bug workaround. Automatically
11726 deferring delivery created "no delivery" and "repeated
11727 delivery" problems; and automatically turning off pipelining
11728 for delayed mail was a bad workaround for a bad workaround.
11729 The administrator still has the option to turn off pipelining
11730 by hand if loss of mail is a concern.
11732 20060103
11734 Bugfix: the 20051217 fix (when a SASL client password is
11735 found, defer delivery when no server-announced mechanism
11736 survives the smtp_sasl_mechanism_filter) did the mechanism
11737 test too early, so that it could trip up with deliveries
11738 to servers that we don't have a SASL password for. Files:
11739 smtp/smtp_sasl_proto.c, smtp/smtp_proto.c.
11741 20060104
11743 Safety: new "smtp_cname_overrides_servername" parameter.
11744 The default value ("no") is NOT backwards compatible. This
11745 avoids surprises with the hostname that is used for logging,
11746 SASL password lookup, TLS policy decisions, or TLS certificate
11747 verification. The change makes the 20051221 behavior more
11748 configurable. Files: smtp/smtp_addr.c, smtp/smtp_connect.c,
11749 proto/postconf.proto.
11751 20060105
11753 Cleanup: removed the unused DSN "code" attribute; removed
11754 surrogate SMTP replies for errors that were not reported
11755 by a remote SMTP server, making several DSN-related functions
11756 and macros redundant; cleaned up some bizarre code for DSN
11757 attribute memory management in the SMTP client.
11759 20060106
11761 Cleanup: eliminated the global smtp_errno variable, which
11762 had become redundant after introducing DSN support. Files:
11763 smtp/smtp_addr.c, smtp/smtp_connect.c.
11765 20060107
11767 Cleanup: removed more bizarre code for DSN attribute memory
11768 management in the queue manager, bounce server, and in
11769 delivery agents.
11771 20060109
11773 Bugfix: smtp_sasl_tls_opts was unimplemented. File:
11774 smtp/smtp_sasl_proto.c.
11776 Cleanup: more bounce logfile code cleanup. Files:
11777 global/bounce_log.c, bounce/bounce_notify_util.c,
11778 bounce/bounce.c, bounce/bounce_notify_verp.c,
11779 bounce/bounce_one_service.c, showq/showq.c
11781 20060110
11783 Cleanup: more bounce logfile code cleanup. Files:
11784 global/bounce_log.c, bounce/bounce_notify_util.c.
11786 Bugfix: the VERP bouncer never handled the case of a missing
11787 bounce logfile. Found while doing more logfile code cleanup.
11788 File: bounce/bounce_notify_verp.c.
11790 Feature: smtp_sasl_tls_verified_security_options for
11791 connections where the server certificate passed verification.
11792 The default value is $smtp_sasl_tls_security_options, which
11793 in turn defaults to $smtp_sasl_security_options.
11795 20060111
11797 Optimization: mystrdup() and mystrndup() now return a pointer
11798 to a fixed read-only memory location instead of allocating
11799 memory for zero-length null-terminated strings. This saves
11800 lots of memory for unused recipient attributes. If this
11801 change causes problems (for example, you have an ancient
11802 sscanf() implementation that writes to its input) then
11803 compile Postfix with -DNO_SHARED_EMPTY_STRINGS.
11805 Cleanup: eliminated null pointer members in DSN structures.
11806 Instead we now use the optimized mystrdup() for empty
11807 strings. For safety sake we keep the tests for null pointers
11808 in input, but we always produce empty strings on output.
11809 Files: global/dsn.c, global/dsn.h, global/dsn_buf.h,
11810 global/dsn_print.c.
11812 Cleanup: eliminated ad-hoc code for passing recipients in
11813 the queue manager delivery request protocol. Postfix now
11814 uses proper object activation/passivation instead. Files:
11815 *qmgr/qmgr_deliver.c, global/deliver_request.c,
11816 global/deliver_pass.c.
11818 20060112
11820 Feature: to simplify debugging the bounce server logs the
11821 old and new queue ID when notifying the sender or postmaster.
11822 Files: global/post_mail.c, bounce/bounce_notify_service.c,
11823 bounce/bounce_one_service.c, bounce/bounce_notify_verp.c,
11824 bounce/bounce_warn_service.c, bounce/bounce_trace_service.c.
11826 Fudge: when translating recipient DSN codes into sender DSN
11827 codes, map sender address problems that have no DSN code
11828 to *.1.7 (Bad sender's mailbox address syntax) instead of
11829 *.1.0 (Other address status) because that loses the distinction
11830 between sender and recipient. File: smtpd/smtpd_dsn_fix.c.
11832 20060113
11834 Cleanup: preserve upper case information of address localpart
11835 or extension when mapping one address to another with
11836 non-regexp/pcre tables. Files: global/mail_addr_find.c,
11837 global/maps_find.c.
11839 20060115
11841 Bugfix: don't ignore the per-site policy when SSL library
11842 initialization fails. Introduced after adopting the TLS
11843 patch. File: smtp/smtp_session.c.
11845 20060117
11847 [withdrawn 20060126] Safety: daemon processes that need no
11848 privileges now insist that they are configured to run without
11849 privileges. Files: master/single_server.c, master/multi_server.c,
11850 master/trigger_server.c.
11852 Cleanup: preserve upper case information of address localpart
11853 or extension when mapping addresses via regexp/pcre tables.
11854 This requires that Postfix does not case fold the search
11855 string when searching regexp or pcre tables, so that $number
11856 substitutions produce the expected result.
11858 In order to get a consistent handling of table operations,
11859 the search string case folding logic was moved from the
11860 application to the individual lookup table modules; the
11861 application specifies its case folding preference when it
11862 opens a table, and the table folds the search or update
11863 string as needed.
11865 Files: everything that opens a map or multiple maps (to
11866 specify the case folding preference), and everything that
11867 contained ad-hoc code to lowercase search strings (which
11868 is no longer needed).
11870 Bugfix: as a side effect of this revision of all code that
11871 opens tables, the postmap/postalias -n/-N options are no
11872 longer silently ignored when the -q (query) and -d (delete)
11873 options are specified. Files: postmap/postmap.c,
11874 postalias/postalias.c.
11876 Safety: don't allow $number substitution in transport maps
11877 or sender-dependent relayhost maps.
11879 Cleanup: smtp_sasl_passwd_maps lookup keys are folded to
11880 lowercase before searching tables such as btree:, dbm: or
11881 hash: that have fixed-case fields. File: smtp/smtp_sasl_glue.c.
11883 Bugfix: per-sender relayhost maps were not locked for shared
11884 access.
11886 20060119
11888 Cleanup: don't look up parent domain substrings in regexp/pcre
11889 like tables while searching a hostname in a domain/namaddr_list.
11890 File: util/match_ops.c.
11892 20060120
11894 Cleanup: multiple boolean variables were replaced by a
11895 single TLS enforcement level (none, may, encrypt, verify).
11896 With Victor Duchovni. Files: smtp_session.c, smtp_proto.c,
11897 smtp.h.
11899 Cleanup: the SMTP per-site policy table was re-implemented
11900 in terms of enforcement levels instead of multiple boolean
11901 variables. This greatly simplified the code and led to the
11902 elimination of non-intuitive behavior as documented next.
11903 With Victor Duchovni. Files: smtp_session.c, smtp.h.
11905 Bugfix: a TLS per-site MUST_NOPEERMATCH policy could not
11906 override a main.cf MUST (with peer match) policy, while a
11907 per-site NONE policy could.
11909 Bugfix: a combined TLS per-site (host, next-hop) policy of
11910 (NONE, MAY) would change the strongest main.cf MUST policy
11911 into NONE, while it changed all weaker main.cf policies
11912 into MAY. The result is now NONE for all main.cf policy
11913 settings.
11915 20060123
11917 Feature: recipient_count attribute in SMTPD policy protocol.
11918 This is available only in the DATA and END-OF-MESSAGE stage.
11919 Based on code by Guo Black. Files: smtpd_check.c.
11921 Cleanup: renamed MUMBLE_NUM to MUMBLE_INT to make type
11922 discrepancies more explicit.
11924 Bugfix: change 20051208 broke when a connection could not
11925 be established. File: util/auto_clnt.c.
11927 20060124
11929 Bugfix: the virtual(8) delivery agent did not insist on
11930 privileged operation as it should; this broke change 20060117.
11931 Ralf Hildebrandt. File: virtual/virtual.c.
11933 Bugfix: the TLS sasl security options (change 20060110)
11934 should also be #ifdef USE_TLS, and not only #ifdef
11935 USE_SASL_AUTH. Such feature interference is difficult to
11936 find in testing. Liviu Daia. File: smtp/smtp_sasl_proto.c.
11938 20060126
11940 Undo: change 20060117 (unprivileged operation test) broke
11941 "sendmail -bs", "postconf -b", "postconf -t", and probably
11942 more. Files: master/{single,multi,trigger}_server.c.
11944 20060130
11946 Bugfix: an empty remote_header_rewrite_domain value caused
11947 trivial-rewrite to dereference a null pointer, but only in
11948 regression tests, not in production. Envelope addresses are
11949 by definition rewritten in the local domain context, because
11950 an address without domain is equivalent to an address in
11951 the local domain; and header addresses are rewritten in the
11952 remote context only when remote_header_rewrite_domain is
11953 non-empty. File: trivial-rewrite/rewrite.c.
11955 20060131
11957 Cleanup: regression tests are now separated into "make
11958 tests" for unprivileged tests, and "make root_tests" for
11959 tests that require privileges to connect to the Postfix
11960 internal sockets. Files Makefile.in, src/*/Makefile.in.
11962 20060201
11964 Bugfix: despite efforts to treat malformed domain names as
11965 hard errors (change 20050726) they were still processed as
11966 soft errors. File: dns/dns_lookup.c.
11968 20060203
11970 Bugfix: smtpd core dump when SASL was compiled in, turned
11971 off (smtpd_sasl_auth_enable = no) and permit_sasl_authenticated
11972 was specified in local_header_rewrite_clients. Victor
11973 Duchovni. File: smtpd/smtpd_check.c.
11975 Cleanup: don't complain about useless SASL or TLS "permit"
11976 restrictions when SASL or TLS aren't compiled in, but do
11977 reject mail when reject_plaintext_session is specified while
11978 TLS isn't compiled in. File: smtpd/smtpd_check.c.
11980 20060204
11982 Bugfix: disable the content_filter feature for user-requested
11983 "sendmail -bv" probes, just like it is disabled for probes
11984 generated by Postfix itself. File: *qmgr/qmgr_message.c.
11986 20060207
11988 Robustness: place the "do we have TLS" guards within method
11989 implementations, instead of putting them around method
11990 invocations. File: smtpd/smtpd_check.c.
11992 Bugfix: duplicate the cleanup(8) DSN envelope ID syntax
11993 check in smtpd(8), so that clients get better error replies.
11994 File: smtpd/smtpd_check.c.
11996 Bugfix: change 20060203 broke the reject_plaintext_session
11997 feature.
11999 The trivial-rewrite and proxymap multi-server processes now
12000 terminate soon after all their clients disconnect, instead
12001 of waiting for another 100 seconds. This allows the processes
12002 to refresh more frequently on low-traffic systems.
12004 Cleanup: smtpd_delay_open_until_valid_rcpt (default: yes)
12005 controls whether Postfix delays the start of a mail transaction
12006 until after the first valid recipient, or if it starts a
12007 transaction immediately after MAIL FROM. File: smtpd/smtpd.c.
12009 20060217
12011 Bugfix: don't terminate with a non-standard exit status
12012 when the pipe-to-command feature has a problem before it
12013 executes the command. File: global/pipe_command.c.
12015 20060223
12017 Bugfix: detect integer overflow when multiplying time values
12018 with non-trivial time units. File: global/conv_time.c.
12020 20060307
12022 Bugfix: reset the msg_cleanup() fatal error handler in child
12023 processes. See also change 20060217. Files: postlock/postlock.c,
12024 master/multi_server.c, global/mail_run.c, util/vstream_popen.c.
12026 20060310
12028 Bugfix: the MIME processor assumed that input was null
12029 terminated. This broke with CRLF input to the "sendmail -t"
12030 command in Postfix 2.1 and later (see change 20030416).
12031 Found by Leandro Santi. Based on patch by Victor Duchovni.
12032 Files: global/mime_state.c, global/is_header.c.
12034 20060313
12036 Cleanup: the message arrival time (start of the receive
12037 transaction) no longer controls message expiration or
12038 delivery attempts. Instead, expiration and delivery are
12039 now controlled by the time when the cleanup server creates
12040 a queue file. This closes a problem that was introduced
12041 with the 20051104 change that introduced higher-resolution
12042 delay time keeping: as a result, "postsuper -r" could no
12043 longer manipulate the mail expiration schedule, so that
12044 mail "on hold" could expire too soon.
12046 20060315
12048 Workaround. the PCRE library reports an inappropriate error
12049 code (invalid substring) when $number refers to a valid ()
12050 expression that matches the null string. This caused fatal
12051 run-time errors. File: dict_pcre.c.
12053 20060324
12055 Cleanup: eliminated name collisions between global and local
12056 variables, and other forms of shadowing. Documented switch
12057 fall-throughs with /* FALLTHROUGH */ where this wasn't
12058 already done. Replaced (var = expr) by (var = expr) != 0
12059 where this wasn't already done.
12061 20060324
12063 Bugfix: mis-placed parenthesis in a before-filter error
12064 test. A filter timeout was mis-reported as lost connection.
12065 Found in code review. File: smtpd/smtpd_proxy.c.
12067 20060327
12069 Cleanup: the SQL and LDAP clients now log a warning when
12070 they skip an empty lookup result, so that humans don't have
12071 to wonder why Postfix doesn't find all the database entries.
12072 File: global/db_common.c.
12074 Moved SMTP/LMTP parameter initialization from global/mail_params.c
12075 to the combined smtp/lmtp delivery agent. Added missing
12076 lmtp parameters.
12078 20060328
12080 Feature: configurable chroot directive for the pipe(8)
12081 delivery agent, by Przemyslaw Wegrzyn. Files:
12082 global/pipe_command.c, pipe/pipe.c.
12084 Bugfix: cut-and-paste error: lmtp_connection_cache_limit
12085 was left with the name of smtp_connection_cache_limit.
12086 Reported by Victor? File: src/global/mail_params.h.
12088 20060329
12090 More extensible interface for TLS client/server library,
12091 now passes property structures that combine all the relevant
12092 parameters in one type-safe structure.
12094 TLS session cache activity logging now takes place at TLS
12095 log level 2 or greater.
12097 20060403
12099 Cleanup: made fcntl/flock handling consistent with respect
12100 to EINTR (reported by Carlo Contavalli). However, Postfix
12101 is not meant to be signal safe. Only the master daemon
12102 handles signals without terminating, and it uses only a
12103 small subset of Postfix library routines. File: util/myflock.c.
12105 Bugfix: the pipe-to-command error message was lost when the
12106 command could not be executed. File: global/pipe_command.c.
12108 20060404
12110 Bugfix in sanity check: after reading a record from the
12111 address verification database, a sanity check did not reject
12112 a record with all-zero time stamp fields. Such records are
12113 never written; the test is there just in case something is
12114 broken, so that Postfix will not blindly march on and create
12115 chaos. The sanity check tested pointer values, instead of
12116 dereferencing the pointers. Found by Coverity. File:
12117 verify/verify.c.
12119 Bugfix in sanity check: when the maildir delivery routine
12120 opens an output file it looks up the file attributes via
12121 the file handle it just got. There is a sanity check that
12122 detects if the attribute lookup fails, an error that never
12123 happens. The code that handles the impossible error did not
12124 close the output file. This would cause a virtual or local
12125 delivery agent to waste up to 100 file descriptors. But
12126 for that error to happen the system would have to be so
12127 sick that you would have more serious problems than a file
12128 descriptor leak. Found by Coverity. Files: local/maildir.c,
12129 virtual/maildir.c.
12131 20060405
12133 Bugfix: the MIME parser assumed input is null terminated
12134 when reporting errors. Fix by Leandro Santi. Files:
12135 global/mime_state.c, cleanup/cleanup_message.c.
12137 20060411
12139 Bugfix: the SMTP server logged no warning when for some
12140 reason the TLS engine was unavailable in wrappermode. Victor
12141 Duchovni. File: smtpd/smtpd.c.
12143 20060417
12145 Cleanup: when SMTP access table lookup fails, reply with
12146 4xx instead of aborting with a fatal run-time error. The
12147 old behavior assumes local file access, and is inappropriate
12148 with deployment of LDAP and SQL tables. File: smtpd/smtpd_check.c.
12150 20060423
12152 Bugfix: postcat did not print the attribute value of records
12153 containing a named attribute. File: postcat/postcat.c.
12155 20060430
12157 Bugfix: dangling pointer in a function that has no caller.
12158 Found by Coverity. File: tls/tls_prng_exch.c.
12160 Bugfix: the workaround for CA-2003-07 (Sendmail) did not
12161 null terminate the address before logging a warning. Reported
12162 by Kris Kennaway. File: global/tok822_parse.c.
12164 20060301-20060515
12166 Sendmail 8 Milter support, distributed across the smtpd(8)
12167 server for SMTP commands, and the cleanup(8) server for
12168 content inspection and manipulation. The code supports all
12169 requests to add/delete recipients, and to add/delete/replace
12170 message headers, but does not yet support requests to replace
12171 the message body. See MILTER_README for more. Files:
12172 smtpd/smtpd.c, smtpd/smtpd_milter.c, cleanup/cleanup_api.c,
12173 cleanup/cleanup_envelope.c, cleanup/cleanup_extracted.c,
12174 cleanup/cleanup_milter.c, milter/milter.c, milter/milter8.c.
12176 That's 89 lines in smtpd, 1010 lines in cleanup, and 2449
12177 lines of library support, comments not included.
12179 A simple test Milter application for use in regression tests
12180 is in src/milter/test-milter.c. Queue file modifications are
12181 tested with a driver at the end src/cleanup/cleanup_milter.c
12182 that reads commands from a script.
12184 To make debugging easier, uncomment the "#define msg_verbose
12185 2" lines at the top of cleanup_milter.c or milter8.c. This
12186 produces logging without making everything else verbose.
12188 20060510
12190 Preliminary TLS_README and postconf(5) changes completed.
12191 Victor Duchovni.
12193 Added smtp_tls_policy_maps and smtp_tls_protocols features
12194 to the smtp/lmtp client, changed smtp_tls_cipherlist to
12195 only apply when TLS is mandatory. Victor Duchovni.
12197 20060512
12199 Destinations that share a common server may have distinct
12200 TLS protocol and cipherlist requirements, with mandatory
12201 TLS add the protocol and cipherlist values to the TLS session
12202 lookup key. Victor Duchovni.
12204 20060516
12206 Portability: __float80 alignment, by Albert Chin. File:
12207 util/sys_defs.h.
12209 Further testing of Milter support uncovered typos; a missing
12210 null pointer test while cleaning up after content miltering;
12211 the need for a workaround to not bounce+delete local
12212 submission after it triggers a temporary reject Milter
12213 action.
12215 Workaround: don't bounce+delete a local submission after
12216 it triggers a "reject 4.x.x" action in header/body_checks.
12217 This means an SMTP client now sees "queue file write error"
12218 instead of the text from the "reject 4.x.x text" action.
12219 File: cleanup/cleanup_message.c.
12221 Workaround: OpenSSL 0.9.8[ab] with zlib support interoperability
12222 problem. Victor Duchovni. Files: tls/tls_client.c,
12223 tls/tls_misc.c, tls/tls_server.c.
12225 Added smtpd_tls_protocols parameter to complement
12226 smtp_tls_protocols. Victor Duchovni.
12228 20060517
12230 The smtp_tls_policy_maps table now implements parent domain
12231 matching for destinations that are bare domains (without
12232 enclosing [] or optional :port suffix). This allows one to
12233 set TLS policy for a domain and all sub-domains. Victor
12234 Duchovni.
12236 20060519
12238 The same parameter can bind to different variables in
12239 different daemons. Ignore the variable name when eliminating
12240 duplicates in extract.awk. Victor Duchovni.
12242 20060523
12244 Improved handling of smtp_tls_protocols and smtpd_tls_protocols,
12245 names now processed via name_mask(3) and canonicalized prior
12246 to use in the SMTP/LMTP client TLS session lookup key. Also
12247 simplifies the corresponding code in the TLS driver. Victor
12248 Duchovni.
12250 20060524
12252 Cleanup: send ETRN command parameter when using check_policy
12253 in the context of an ETRN command. Joshua Goodall. File:
12254 smtpd/smtpd_check.c.
12256 20060601
12258 Bugfix (bug introduced 20051118): permit_mx_backup authorized
12259 domains without secondary MX records. Joshua Goodall. File:
12260 smtpd/smtpd_check.c.
12262 20060601
12264 Fixed default value of LMTP TLS client certificate parameters,
12265 using the SMTP values as a default was wrong. Victor Duchovni.
12267 20060603
12269 Different transports may have different CAfile or CApath
12270 settings. We need to add the transport name to the TLS
12271 session lookup key so that sessions verified with one set
12272 of trusted roots are not inadvertantly considered verified
12273 for another. Victor Duchovni.
12275 20060604
12277 Cleanup: minor fluff found with the BEAM source code analyzer.
12278 Files: global/quote_821_local.c, global/quote_822_local.c,
12279 master/master_spawn.c, pickup/pickup.c, util/match_ops.c,
12280 util/safe_open.c, xsasl/xsasl_cyrus_client.c.
12282 20060606
12284 Safety: mail receiving daemons (smtpd, qmqpd) now pass
12285 actual client name/addres/helo attributes in addition to
12286 the attributes used for logging (xforward). This prevents
12287 Milter applications from treating qmqpd mail as if it
12288 originated locally, and prevents incorrect Milter decisions
12289 after "postsuper -r". Files: smtpd/smtpd.c, qmqpd/qmqpd.c,
12290 cleanup/cleanup_envelope.c, cleanup/cleanup_milter.c,
12291 cleanup/cleanup_state.c, global/post_mail.c, *qmgr/qmgr_message.c,
12292 *qmgr/qmgr_deliver.c, global/deliver_request.c,
12293 global/deliver_pass.c, local/forward.c.
12295 Bugfix: qmgr panic after queue file corruption by Mailscanner.
12296 Files: *qmgr/qmgr_message.c.
12298 Bugfix: XCLIENT didn't work with smtpd_delay_reject=no
12299 (problem reported by Joshua Goodall). To make XCLIENT work
12300 correctly with built-in restrictions and with Milter
12301 applications, the SMTP server now jumps back to the very
12302 start (the 220 phase) of an SMTP session. File: smtpd/smtpd.c.
12304 20060606
12306 Portability: Some systems no longer support the traditional
12307 "sort +0 -2 +3". Victor Duchovni.
12309 20060607
12311 Portability: Found by BEAM static code analyzer. SSL options
12312 (long) were stored as int.
12314 20060610
12316 Cleanup: XCLIENT and XFORWARD attribute values are now sent
12317 as xtext encoded strings. For backwards compatibility,
12318 Postfix will still accept unencoded attribute values. Files:
12319 smtpd/smtpd.c, smtpd/smtpd_proxy.c, smtp/smtp_proto.c.
12321 20060611
12323 Robustness: additional sanity checks for common database
12324 routines. Viktor Dukhovni. File: global/db_common.c.
12326 Portability: LDAP 2.3 API support. Viktor Dukhovni. File:
12327 global/dict_ldap.c.
12329 Security: the PostgreSQL client was updated after the
12330 PostgreSQL developers made major database API changes in
12331 response to PostgreSQL security issues. This breaks support
12332 for PGSQL versions prior to 8.1.4, 8.0.8, 7.4.13, and 7.3.15.
12333 Support for these requires major code changes which are not
12334 possible in the time that is left for the Postfix 2.3 stable
12335 release.
12337 Specific PostgreSQL client changes: use connection-aware
12338 quoting, and more robust PQexec() result handling. Previous
12339 versions of the dict_pgsql driver didn't check the status
12340 of the result pointer, and certain exceptional events can
12341 be mis-interpreted as an empty result set. Fixes by Leandro
12342 Santi. File: global/dict_pgsql.c.
12344 20060612
12346 Changed smtp security level parsing and level->name conversion
12347 to use name_code(3). Victor Duchovni.
12349 Implemented new smtp_tls_security_level parameter, to replace
12350 the unnecessarily complex smtp_use_tls, smtp_enforce_tls
12351 and smtp_tls_enforce_peername parameters. The main.cf
12352 security level settings are now consistent with the new
12353 policy table. Victor Duchovni.
12355 The smtp_sasl_tls_verified_security_options feature is not
12356 yet complete, added #ifdef SNAPSHOT and changed documentation
12357 to delay introduction until Postfix 2.4. Victor Duchovni.
12359 20060614
12361 Merged in Victor's work including the new TLS policy table
12362 and a complete set of configuration parameters for the LMTP
12363 personality of the unified SMTP/LMTP client.
12365 Allow mandatory TLS encryption with LMTP over UNIX-domain
12366 sockets. Victor Duchovni.
12368 Safety: improved code to avoid I/O on connections after the
12369 TLS handshake fails. Victor Duchovni.
12371 20060615
12373 Cosmetic patch for const strings. Stefan Huehner.
12375 Other cosmetic changes, mainly whitespace.
12377 20060616
12379 The qshape.pl script was updated for the pointer records
12380 that were introduced to support message content modification
12381 by Milter applications. Victor Duchovni.
12383 20060620
12385 Feature: Substantially better cipherlist specification
12386 interface and support for anonymous ciphers when certificates
12387 are not needed. The primary interface in main.cf and the
12388 policy table selects one of 5 grades for mandatory TLS with
12389 smtp(8) or lmtp(8) or for all TLS sessions with smtpd(8).
12390 The levels are "high", "medium" (or better), "low" (or
12391 better), "export" (or better) and "null". The underlying
12392 definitions of these levels are configurable, but users are
12393 strongly encouraged to not change those definitions. Victor
12394 Duchovni.
12396 20060626
12398 Bugfix: the Milter reply syntax checker was off by one.
12399 File: milter/milter8.c.
12401 Workaround: disable SMTP connection cache lookup by server
12402 IP address when the tls_per_site policy table is enabled.
12403 This is a workaround for a shortcoming in the SMTP connection
12404 cache implementation, which retrieves the server hostname
12405 from the cached connection. Since this server name is not
12406 obtained in a secure manner, it must not be allowed to
12407 control the tls_per_site policy. File: smtp/smtp_reuse.c.
12409 20060627
12411 Cleanup: mumble_mandatory_tls_mumble parameters renamed to
12412 mumble_tls_mandatory_mumble; added _mandatory_ qualifier
12413 to names of parameters that affect only mandatory TLS.
12415 20060630
12417 Features promoted from SNAPSHOT to STABLE: the "sleep"
12418 pseudo restriction; Postfix daemons now read the local
12419 timezone file before chrooting; trivial-rewrite now detects
12420 table changes every 10 seconds, so it restarts more timely.
12422 Features that stay #ifdef SNAPSHOT: tcp_table,
12423 lmtp_sasl_tls_verified_security_options, and
12424 smtp_sasl_tls_verified_security_options.
12426 Compatibility: Sendmail does not send its own Received:
12427 header to Milter applications. Offsets in header replace
12428 requests are relative to the message content as received
12429 (i.e. without our own Received: header), while offsets in
12430 header insert requests are relative to the message as
12431 delivered (i.e. they include our own Received: header).
12432 This explains why dk-filter would sign our own Received:
12433 header but place the signature between our own Received:
12434 header and the rest of the message, violating the draft
12435 domainkeys spec.
12437 20060702
12439 Cleanup: more graceful handling of queue file read/write
12440 errors while processing milter message modification requests.
12441 Files: cleanup/cleanup_milter.c, milter/milter8.c.
12443 20060703
12445 Debugging: the Postfix milter client gives more context
12446 when it experiences trouble while talking to an uncooperative
12447 Milter application. File: milter/milter8.c.
12449 Compatibility: with OpenBSD 2.7 and later, the alias file
12450 is now in /etc/mail/aliases.
12452 20060704
12454 Bugfix: the Milter client skipped zero-length body lines.
12455 File: milter/milter8.c.
12457 Feature (just this one): RFC 3834 "Auto-Submitted:" message
12458 header in DSNs. File: bounce/bounce_notify_util.c.
12460 20060705
12462 Portability: LP64 systems required a few ssize_t->int casts
12463 in debug logging statements. Files: milter/test_milter.c,
12464 cleanup/cleanup_milter.c.
12466 Cleanup: comments, error messages, and crumbling interfaces.
12468 20060707
12470 Workaround: apparently, Solaris gettimeofday() can return
12471 out-of range microsecond values. File: src/global/log_adhoc.c.
12473 Robustness: the SMTPD policy client now encodes the
12474 ccert_subject and ccert-issuer attributes as xtext. Some
12475 characters are replaced by +XX, where XX is the two-digit
12476 hexadecimal code for the character value. File:
12477 smtpd/smtpd_check.c.
12479 Safety: the SMTP/LMTP client now defers delivery when a
12480 SASL password exists, but the server does not offer SASL
12481 authentication. Mail could be rejected otherwise. This may
12482 become an issue now that Postfix retries delivery in plaintext
12483 after an opportunistic TLS handshake fails. Specify
12484 "smtp_sasl_auth_enforce = no" to deliver mail anyway. File:
12485 smtp/smtp_proto.c. See workaround 20060711 for sender-dependent
12486 SASL passwords. This was undone with the 20060719 workaround.
12488 20060709
12490 Cleanup: the new single smtpd_tls_security_level parameter
12491 obsoletes the multiple smtpd_use_tls and smtpd_enforce_tls
12492 parameters. This is done for consistency with the Postfix
12493 SMTP client. In the Postfix SMTP server, the levels "verify"
12494 and "secure" are currently not applicable, and are treated
12495 as "encrypt", after logging a warning. Files: smtpd/smtpd.c,
12496 tls/tls_level.c, smtp/smtp_session.c.
12498 Compatibility: don't send the first (blank) body line to
12499 Milter applications. This broke domain key etc. signatures
12500 when verified by non-Postfix MTAs. File: milter/milter8.c.
12502 20060710
12504 Cleanup: more consistency between smtpd(8) and smtp(8) TLS
12505 configuration interfaces: smtpd_tls_mandatory_exclude_ciphers,
12506 smtpd_tls_mandatory_ciphers, smtpd_tls_mandatory_protocols.
12507 By Victor. Files:smtpd/smtpd.c.
12509 Cleanup: to support domainkey signing of bounces and
12510 Postmaster notices, enable content inspection of Postfix-
12511 generated mail with the new internal_mail_filter_classes
12512 feature. This is disabled by default, because it is not
12513 yet safe enough. Files: global/int_filt.[hc] and everything
12514 that calls post_mail_fopen*().
12516 20060711
12518 Cleanup: smtpd_tls_mumble -> smtpd_tls_mandatory_mumble,
12519 and finer control over the Postfix SMTP server TLS ciphers,
12520 all this for consistency with the same functionality in the
12521 Postfix SMTP client. Victor Duchovni.
12523 Compatibility: Sendmail's milter client handles whitespace
12524 after the header label and ":" in an interesting manner.
12525 It eats one space (not tab). File: milter/milter8.c.
12527 Workaround: if sender-dependent SASL passwords are enabled,
12528 don't defer delivery when a SASL password exists but the
12529 server doesn't announce SASL support. File: smtp/smtp_proto.c.
12530 This was undone with the 20060719 workaround.
12532 Cleanup: format of cleanup milter reject messages. File:
12533 cleanup_milter.c.
12535 Bugfix: file/memory leak if a transfer of multiple milters
12536 from smtpd to cleanup broke in the middle. Found by Coverity.
12537 File: milter/milter.c.
12539 20060716
12541 Bugfix: "sendmail -bs" panic caused by a missing
12542 SMTPD_STATE_ALONE() guard before a milter_abort() call.
12543 File: smtpd/smtpd.c.
12545 Bugfix (bug introduced with Postfix 2.2): the Postfix SMTP
12546 client enforced Mandatory TLS only when talking to an ESMTP
12547 server; enforcement did not happen if Postfix could somehow
12548 be forced to send HELO instead of EHLO. Victor Duchovni.
12549 File: src/smtp/smtp_proto.c.
12551 20060718
12553 Bugfix (bug introduced 20060711): null pointer bug when
12554 rejecting SMTP mail with Milter application. File:
12555 cleanup/cleanup_milter.c.
12557 Workaround (problem introduced in 200605/200606 TLS update):
12558 the Postfix SMTP server now issues TLS session IDs even
12559 when TLS session caching is turned off, otherwise MS Outlook
12560 fails to deliver mail. There may also be interoperability
12561 issues with other MTAs that we haven't discovered yet.
12562 Specify "smtpd_tls_always_issue_session_ids = no" to disable
12563 the workaround. Victor Duchovni. Files: smtpd/smtpd.c,
12564 tls/tls_server.c.
12566 20060719
12568 Cleanup: the smtp_sasl_auth_enforce feature is gone. It was
12569 meant to work around a problem that was introduced with
12570 plaintext fallback after a failed TLS handshake. Unfortunately,
12571 it created more problems than it solved. We now address the
12572 underlying problem more directly as described next. File:
12573 smtp/smtp_proto.c.
12575 Safety: don't fall back to plaintext delivery after failed
12576 TLS handshake, when the Postfix SMTP client would have
12577 attempted to log in with SASL after successful TLS handshake.
12578 This avoids undesirable behavior regardless of whether the
12579 server does support SASL over plaintext (unexpected password
12580 disclosure) and whether the server doesn't support SASL
12581 over plaintext (insufficient mail relay permission). Files:
12582 smtp/smtp_connect.c, smtp/smtp_session.c, smtp/smtp_proto.c.
12584 20060720
12586 Compatibility: replace %% in milter replies by %, and strip
12587 single (i.e. invalid) % characters. File: milter/milter8.c.
12589 Compatibility: $_ macro support for Milter applications.
12590 Files: smtpd/smtpd.c, smtpd/smtpd_milter.c,
12591 cleanup/cleanup_state.c, cleanup/cleanup_milter.c.
12593 20060721
12595 Safety: disable Milter processing after "postsuper -r". If
12596 the mail has been filtered there is no need to do it again.
12597 Moreover, when mail has passed through an external content
12598 filter, we don't have sufficient information to reproduce
12599 the exact same SMTP events and Sendmail macros that Milters
12600 received when the mail originally arrived in Postfix. This
12601 change does not affect Milter applications that run behind
12602 an after-queue content filter. File: pickup/pickup.c.
12604 Bugfix: Milters received a truncated ORCPT=xxx parameter
12605 due to destructive parsing of something that didn't have
12606 to be preserved before Milter support was added to Postfix.
12607 File: smtpd/smtpd.c.
12609 20060724
12611 Bugfix: when updating the same header multiple times, the
12612 Postfix Milter client created a queue file that caused
12613 delivery agents to loop. File: cleanup/cleanup_milter.c.
12615 20060725
12617 Bugfix: damaged queue file record after a Milter request
12618 to modify a message header when 1) it was the last header
12619 in the unmodified message, and 2) the old header was less
12620 than 15 characters long. File: cleanup/cleanup_milter.c.
12622 Bugfix: don't panic in smtp_rcpt_cleanup() after detecting
12623 a damaged queue file record. File: smtp/smtp_proto.c.
12625 20060726
12627 Bugfix: the 20051013 change to enforce the message size
12628 limit in the SMTP server didn't work for size limits close
12629 enough to INT_MAX. File: smtpd/smtpd.c.
12631 Bugfix (introduced Postfix 2.3): after an SMTP client was
12632 rejected with "smtpd_delay_reject = no", the SMTP server
12633 would panic as it generated spurious Milter requests for
12634 unrecognized commands. File: smtpd/smtpd.c.
12636 20060727
12638 Cleanup: change redundant milter_abort() and milter_disc_event()
12639 calls into NO-OPs. This avoids unnecessary panic() events
12640 for completely harmless conditions. File: milter/milter8.c.
12642 20060805
12644 Bugfix (introduced Postfix 2.3): #ifdef damage caused
12645 smtp_sasl_start() to be invoked twice. Reported by C-J
12646 Lofstedt. File: smtp/smtp_sasl_proto.c.
12648 20060806
12650 Postfix no longer announces its name in delivery status
12651 notifications. Users believe that Wietse provides a free
12652 helpdesk service that solves all their email problems.
12653 Credits to Jonathan Balester. File: bounce/bounce_templates.c.
12655 20060807
12657 Bugfix (introduced Postfix 2.2): when upgrading from Postfix
12658 < 2.2 with the third-party TLS patch, the post-install
12659 upgrade procedure didn't put a "?" in the existing tlsmgr
12660 entry, causing tlsmgr to repeatedly start and exit when TLS
12661 support was not compiled in. File: conf/post-install.
12663 20060812
12665 Bugfix (introduced < Postfix alpha): safety mechanism in
12666 mail_date() didn't work. Found in code review. File:
12667 global/mail_date.c.
12669 20060817
12671 Test programs for host address->name and name->address
12672 lookups to debug name service inconsistencies, typically
12673 when the Postfix SMTP server claims that a hostname is
12674 "unknown". Files: auxiliary/name-addr-test/*.
12676 20060822
12678 Added missing logging for "message to large" etc. Files:
12679 smtpd/smtpd.c, cleanup/cleanup_milter.c.
12681 20060823
12683 Bugfix (introduced Postfix 2.2): segfault when vstream_fclose()
12684 attempted to flush unwritten output, after vstream_fdclose()
12685 had already disconnected the stream from its file descriptor.
12686 File: util/vstream.c.
12688 Bugfix (introduced Postfix 2.2): vstream_fdclose() did not
12689 flush unwritten output before disconnecting a stream from
12690 its file descriptor(s). File: util/vstream.c.
12692 Feature: smtp-sink can capture mail to file, either as one
12693 individual message per file, or as multiple messages per
12694 file. After an initial implementation by Weidong Cui. File:
12695 smtpstone/smtp-sink.c.
12697 Bugfix (introduced < Postfix alpha): smtp-sink did not
12698 correctly recognize DOT-CR-LF immediately after DATA. File:
12699 smtpstone/smtp-sink.c.
12701 Cleanup: smtp-sink now requires that MAIL FROM, RCPT TO and
12702 DATA be send in the correct order. This simplified the
12703 implementation of the capture to file feature. File:
12704 smtpstone/smtp-sink.c.
12706 20050824
12708 Portability: inside functions, GCC 4 refuses forward
12709 declarations of static functions. File: smtpstone/smtp-sink.c.
12711 20060825
12713 Bugfix (introduced Postfix 2.3): with headers-only mail, a
12714 Milter "header insert" action corrupted the queue file. The
12715 cleanup server executed some end-of-body action before the
12716 end-of-header actions. File: cleanup/cleanup_message.c.
12718 Robustness: mail delivery agents now detect loops in queue
12719 files. Files with too many backward jumps are saved to the
12720 "corrupt" directory. File: global/record.c.
12722 20060831
12724 Bugfix (introduced with initial implementation): missing
12725 "dict_errno = 0" caused mis-leading error messages after
12726 non-error lookup failure. Victor Duchovni. File:
12727 util/dict_cidr.c.
12729 Robustness: the default TLS cipher lists were changed from
12730 !foo:ALL into ALL:!foo. Victor Duchovni. Files:
12731 global/mail_params.h and documentation.
12733 20060902
12735 Bugfix (introduced Postfix 2.3): the LMTP client stripped
12736 "inet": from the next-hop destination, but still used the
12737 complete next-hop from the delivery request. File:
12738 smtp/smtp_connect.c.
12740 20060903
12742 Cleanup: record loop detection. File: global/record.c.
12744 20060929
12746 Workaround: AIX 5.[1-3] getaddrinfo() creates socket address
12747 structures with a non-zero port value. This breaks the
12748 smtp_bind_address etc. features, and breaks inet_interfaces
12749 settings with only one IP address. Problem reported by
12750 Hamish Marson. Files: util/sock_addr.[hc], util/myaddrinfo.c.
12752 Bugfix (introduced with the Postfix TLS patch): memory leak
12753 in verify_extract_peer(). The OpenSSL documentation provides
12754 no information on how subjectAltNames are managed. Sam
12755 Rushing, ironport. File: tls/tls_client.c.
12757 Bugfix (introduced with Postfix 2.2): smtp_generic_maps
12758 turned on MIME conversion. File: smtp/smtp_proto.c.
12760 Workaround: don't send SIZE information in the MAIL FROM
12761 command when message content will be subject to 8bit ->
12762 quoted-printable conversion. File: smtp/smtp_proto.c.
12764 20061002
12766 Compatibility: Sendmail now invokes the Milter connect
12767 action with the verified hostname instead of the name
12768 obtained with PTR lookup. File: smtpd/smtpd.c.
12770 20061004
12772 Cleanup: force space between mailq queueid+status and file
12773 size items. File: showq/showq.c.
12775 20061005
12777 Cleanup: make CISCO PIX bug workarounds configurable. This
12778 introduces new parameters: smtp_pix_workarounds (default:
12779 disable_esmtp, delay_dotcrlf) and smtp_pix_workaround_maps
12780 (workarounds indexed by server IP address). The default
12781 settings are backwards compatible. File: smtp/smtp.c,
12782 smtp/smtp_proto.c.
12784 20061006
12786 Workaround: include the smtpd(8) service name when searching
12787 the TLS session cache, to avoid cross-talk between multiple
12788 master.cf entries. This does not eliminate cross-talk between
12789 multiple (x)inetd.conf entries. Victor Duchovni. Files:
12790 smtpd/smtpd.c, tls/tls_server.c.
12792 20061015
12794 Cleanup: convert the Milter {mail_addr} and {rcpt_addr}
12795 macro values to external form. File: smtpd/smtpd_milter.c.
12797 Cleanup: the Milter {mail_addr} and {rcpt_addr} macros are
12798 now available with non-SMTP mail. File: cleanup/cleanup_milter.c.
12800 Cleanup: convert addresses in Milter recipient add/delete
12801 requests to internal form. File: cleanup/cleanup_milter.c.
12803 Cleanup: with non-SMTP mail, convert addresses in simulated
12804 MAIL FROM and RCPT TO events to external form. File:
12805 cleanup/cleanup_milter.c.
12807 20061017
12809 Cleanup: removed spurious warning when the cleanup server
12810 attempts to bounce mail with soft_bounce=yes. Problem
12811 reported by Ralf Hildebrandt. File: cleanup/cleanup_bounce.c.
12813 Bugfix: null pointer bug when receiving a non-protocol
12814 response on a cached SMTP/LMTP connection. Report by Brian
12815 Kantor. Fix by Victor Duchovni. File: smtp/smtp_reuse.c.
12817 20061106
12819 Feature: new retry delivery agent, to avoid the synchronous
12820 defer service client in the queue manager. This code is
12821 co-located with the error(8) server. File: error/error.c.
12823 Performance: the queue manager could spend too much time
12824 in the synchronous defer service client, causing the watchdog
12825 timer to go off. Where possible, the queue manager now
12826 bounces or defers recipients asynchronously, by routing
12827 them to the error or the retry delivery agent. Code by
12828 Wietse and Patrik Rak. Files: global/recipient_list.c,
12829 *qmgr/qmgr_error.c, *qmgr/qmgr_defer.c, *qmgr/qmgr_entry.c,
12830 *qmgr/qmgr_deliver.c, *qmgr/qmgr_message.c.
12832 Performance: refined recipient and job grouping, and more
12833 agressive early refill of in-memory recipients to prevent
12834 a worst-case scenario where the queue manager became starved
12835 until after the last batch of slow in-memory recipients of
12836 jumbo multi-recipient mail. Code by Patrik Rak. Files:
12837 global/mail_conf_time.c, qmgr/qmgr_message.c, qmgr/qmgr.c,
12838 qmgr/qmgr.h, qmgr/qmgr_entry.c, qmgr/qmgr_job.c,
12839 qmgr/qmgr_message.c, qmgr/qmgr_transport.c.
12841 20061113
12843 Bugfix: the Postfix install/upgrade procedure broke with
12844 non-default config_directory. File: conf/post-install.
12846 20061115
12848 Bugfix: null pointer bug in end-of-header Milter action
12849 when the last header line is too large. Reported by Mark
12850 Martinec. The root of the problem is that the MIME state
12851 engine may execute up to three call-back functions when it
12852 reaches the end of the headers, before it returns to the
12853 caller; as long as call-backs return no result, each call-back
12854 has to check for itself if a previous call-back ran into a
12855 problem. File: milter/milter8.c.
12857 Workaround: reduce effective header_size_limit to 60000
12858 when Milter inspection is enabled, to avoid breaking the
12859 Milter protocol request length limit. File:
12860 cleanup/cleanup_message.c.
12862 20061123
12864 Safety: don't read more than 5000 recipients at a time, to
12865 avoid spending too much time away from interrupts. File:
12866 qmgr/qmgr_message.c.
12868 20061201
12870 Workaround: don't complain with "Error 0" in the trivial-rewrite,
12871 verify, proxymap or connection cache client when the server
12872 exits after the client sends its request. We still complain,
12873 however, when the problem persists. Files: global/rewrite_clnt.c,
12874 global/resolve_clnt.c, global/verify_clnt.c, global/scache_clnt.c,
12875 global/dict_proxy.c.
12877 Safety: the header_size_limit is now enforced more strictly,
12878 to avoid inter-operability problems with the Milter protocol.
12879 Long headers are truncated at a line boundary if possible,
12880 otherwise they are cut between line boundaries. File:
12881 cleanup/cleanup_out.c.
12883 20061203
12885 Bugfix (introduced with Postfix 2.2): with SMTP server
12886 tarpit delays of smtp_rset_timeout or larger, the SMTP
12887 client could get out of sync with the server while reusing
12888 a connection. The symptoms were "recipient rejected .. in
12889 reply to DATA". Fix by Victor Duchovni and Wietse. Files:
12890 smtp/smtp_proto.c, smtp/smtp_connect.c.
12892 Robustness: the vbuf and vstream documentation claimed that
12893 their *error() macros reported timeout errors, but they
12894 didn't really. The implementation was fixed, and redundant
12895 vstream_ftimeout() calls were removed. As a result, many
12896 Postfix daemons now properly detect write timeout errors
12897 on internal connections. Files: util/vbuf.h.
12899 Workaround: some broken SMTP servers reply and hang up in
12900 the middle of DATA. The Postfix SMTP client now stops sending
12901 and tries to receive the server response. This can help to
12902 avoid repeated delivery attempts. Initial implementation
12903 by Wietse, later work by Victor Duchovni. Files:
12904 smtp/smtp_proto.c, smtpstone/smtp-sink.c, util/vstream.c,
12905 plus trivial mods for code thatr calls vstream_fpurge().
12907 20061204
12909 Compatibility: The Postfix installation/upgrade procedure
12910 no longer sets "unknown_local_recipient_code = 450" in
12911 main.cf. This was a safety net for upgrades from Postfix
12912 1.x. Four years later is no longer needed. File:
12913 conf/post-install.
12915 Cleanup: removed vstream_fclose() error warning in the code
12916 that disconnects from a delivery agent. There is no need
12917 to report errors here because they would already be reported
12918 earlier. Files: *qmgr/qmgr_deliver.c.
12920 Robustness: "kill me after N seconds" feature to ensure
12921 that a daemon process does not get stuck while preparing
12922 for exit after signal arrival. File: util/killme_after.[hc],
12923 util/watchdog.c, master/master_sig.c.
12925 20061206
12927 Robustness: low-cost re-entrancy guard that allows daemons
12928 to safely call msg_fatal() etc. from a signal handler,
12929 without risking memory corruption, or deadlock on Redhat
12930 Linux. This works provided that the signal handler terminates
12931 the process. In that special case we need not guarantee
12932 after-the-fact consistency of the thread that was interrupted.
12933 File: util/msg_output.c.
12935 Robustness: replace exit() calls by _exit(). File: util/msg.c,
12936 bounce/bounce_cleanup.c.
12938 20061207
12940 Workaround: on systems with usable futimes() or equivalent
12941 (Solaris, *BSD, MacOS, but not Linux), always explicitly
12942 set the queue file last modification time stamps while
12943 creating a queue file. With this, Postfix can avoid logging
12944 warnings when the file system clock is ahead of the local
12945 clock. Clock skew can be a problem, because Postfix does
12946 not deliver mail until the local clock catches up with the
12947 queue file's last modification time stamp. File:
12948 global/mail_stream.c.
12950 Workaround: on systems without usable futimes() or equivalent,
12951 log a warning when the file system clock is more than 100
12952 seconds behind the local clock. This does not cause mail
12953 delivery problems, but it just looks silly in message
12954 headers. File: global/mail_stream.c.
12956 On systems without usable futimes() (Linux, and ancient
12957 versions of Solaris, SunOS and *BSD) Postfix will keep using
12958 the slower utime() system call to update queue file time
12959 stamps when the file system clock is off with respect to
12960 the local system clock.
12962 Compatibility with Postfix < 2.3: undo the change to bounce
12963 instead of defer after pipe-to-command delivery fails with
12964 a signal. File: global/pipe_command.c.
12966 20061208
12968 Workaround: apparently, some mail software removes or hides
12969 "<postmaster>" in the Postfix bounce text, because it
12970 processes the text as if it were HTML. This confuses users.
12971 The bounce template has been updated to remove the < and
12972 >. File: bounce/bounce_templates.c.
12974 Cleanup: when smtp_generic_maps is turned on, don't parse
12975 MIME structures in the message body. Victor Duchovni. File:
12976 smtp/smtp_proto.c.
12978 20061210
12980 Cleanup: streamline the signal handler reentrancy protections,
12981 and document under what conditions these protections work,
12982 with REENTRANCY sections in the relevant man pages. Files:
12983 util/vbuf_print.c. util/msg.c, util/msg_output.c.
12985 20061211
12987 Cleanup: when doing server access control by the remote TLS
12988 client fingerprint, do not require client certificate
12989 verification. Victor Duchovni. File: smtpd/smtpd_check.c.
12991 Safety: when the remote TLS client certificate isn't verified,
12992 don't send ccert_subject and ccert_issuer attributes in
12993 check_policy_service requests. Victor Duchovni. File:
12994 smtpd/smtpd_check.c.
12996 Bugfix: the postconf command still complained about an
12997 unqualified machine name, because it was not updated with
12998 the 20050513 change that introduced a default "mydomain =
12999 localdomain". File: postconf/postconf.c.
13001 20061213
13003 Bugfix: race condition in "ETRN site", "sendmail -qRsite"
13004 and "postqueue -s site". When the command arrived while an
13005 incoming queue scan was already in progress, mail could
13006 stay deferred instead of being flushed. The fix was to
13007 unthrottle the queue manager before moving files from the
13008 deferred queue to the incoming queue. Files: flush/flush.c,
13009 qmgr/qmgr_scan.c.
13011 Cleanup: the sendmail and postqueue commands no longer
13012 terminate with a non-standard error status after a run-time
13013 error in some Postfix internal routine (typically, some
13014 essential file is not accessible, or the system is out of
13015 memory). Files: sendmail/sendmail.c, postqueue/postqueue.c.
13017 Feature: "sendmail -qIqueueid" and "postqueue -i queueid"
13018 to flush a specific queue file. Files: sendmail/sendmail.c,
13019 postqueue/postqueue.c, global/flush_clnt.c, flush/flush.c.
13021 20061214
13023 Performance: "sendmail -qIqueueid" and "postqueue -i queueid"
13024 unthrottle only the necessary message delivery transports
13025 and queues. The unthrottle request now is propagated to the
13026 queue manager via queue file group read permission bits.
13027 Based on initial implementation by Victor Duchovni. Files:
13028 flush/flush.c, *qmgr/qmgr.c, *qmgr/qmgr_scan.c,
13029 *qmgr/qmgr_active.c, *qmgr/qmgr_message.c.
13031 20061220
13033 Workaround: PMilter 0.95 does not deliver SMFIC_EOB+data
13034 to the application as SMFIC_BODY+data followed by SMFIC_EOB.
13035 To avoid compatibility problems, Postfix now sends
13036 SMFIC_BODY+data followed by SMFIC_EOB. File: milter/milter8.c.
13038 Bugfix (introduced with Postfix 2.3): when inserting
13039 Milter-generated headers at increasing positions in a
13040 message, a later header could end up at a previously used
13041 insertion point. Thus, inserting headers at positions (N,
13042 N+M) could work as if (N, N) had been specified. Problem
13043 reported by Mark Martinec. File: milter/milter8.c.
13045 20061221
13047 Feature: time unit suffix support in _command_time_limit.
13048 Files: pipe/pipe.c, spawn/spawn.c.
13050 20061227
13052 Bugfix (introduced with Postfix 2.3): the MX hostname syntax
13053 check was skipped with reject_unknown_helo_hostname and
13054 reject_unknown_sender/recipient_domain, so that Postfix
13055 would still accept mail from domains with a zero-length MX
13056 hostname. File: smtpd/smtpd_check.c.
13058 20061229
13060 Cleanup: use separate TLS_LEGACY_README to document the old
13061 TLS user interface. This will simplify TLS_README dramatically.
13063 Cleanup: untangled spaghetti code. File: util/inet_listen.c.
13065 20070104
13067 Bugfix (introduced Postfix 2.3): when creating an alias map
13068 on a NIS-enabled system, don't case-fold the YP_MASTER_NAME
13069 and YP_LAST_MODIFIED lookup keys. This requires that an
13070 application can turn on/off case folding on the fly. Files:
13071 postalias/postalias.c, global/dict_mumble.c, util/dict_mumble.c,
13072 proxymap/proxymap.c.
13074 Cleanup: after the above revision of the proxymap protocol,
13075 the proxymap server can now share the same map with clients
13076 that have only minor differences in dictionary open/access
13077 options.
13079 20070105
13081 Performance: pipeline of pending delivery agent connections,
13082 to improve Linux/Solaris mail delivery performance by another
13083 10% while going down-hill with the wind from behind. Design
13084 and implementation Victor and Wietse. Files: *qmgr/qmgr.c,
13085 *qmgr/qmgr.h, *qmgr/qmgr_transport.c.
13087 20070106
13089 Cleanup: eliminate the Linux/Solaris "wait for accept()"
13090 stage from the queue manager to delivery agent protocol.
13091 This alone achieves 99.99% of the Linux/Solaris speed up
13092 from the preceding change. The pending connection pipeline
13093 takes care of the rest. Tested on Linux kernels dating
13094 back to 2.0.27 (that's more than 10 years ago). Files:
13095 *qmgr/qmgr_transport.c.
13097 20070112
13099 Bugfix (introduced 20011008): after return from nested
13100 access restriction, possible longjump into exited stack
13101 frame upon configuration error or table lookup error. Victor
13102 Duchovni. Files: smtpd/smtpd_check.c.
13104 Workaround: don't insert header/body blank line separator
13105 in malformed attachments, to avoid breaking digital signatures.
13106 Switch from header to body state, for robust MIME parsing.
13107 People concerned about MIME evasion can use a MIME normalizer
13108 to corrupt their user's legitimate email. File:
13109 global/mime_state.c.
13111 20070114
13113 Feature: body replacement support for Milter applications.
13114 Postfix 2.3 and older 2.4 versions will be able to deliver
13115 body-replaced queue files, but will report the message size
13116 as it was before the body was replaced. Files: milter/milter8.c,
13117 cleanup/cleanup_milter.c, cleanup/cleanup_body_region.c.
13119 20070117
13121 Cleanup: reusable infrastructure for body replacement.
13122 Files: cleanup/cleanup_body_edit.c, cleanup/cleanup_region.c.
13124 20070118
13126 Bugfix: match lists didn't implement ![ipv6address]. Problem
13127 reported by Paulo Pacheco. File: util/match_list.c.
13129 Cleanup: revised the matchlist "!" support, added support
13130 for !/file/name, and updated the documentation. File:
13131 util/match_list.c.
13133 20070119-21
13135 Cleanup: pad short message headers with a filler record,
13136 so that the result is never shorter than a pointer record.
13137 This immensely simplified the support for Milter header
13138 modification requests: three complex loops could be replaced
13139 by one simpler loop. The DTXT record type was re-purposed
13140 from "deleted header text" to "short header padding", keeping
13141 the change backwards compatible. Files: cleanup/cleanup_out.c,
13142 cleanup/cleanup_milter.c, global/record.c.
13144 Cleanup: the Milter "add recipient" action always added the
13145 recipient to the initial envelope segment, causing added
13146 recipients to be separate from "sendmail -t" recipients.
13147 This violated design, without impact on delivery (always_bcc
13148 recipient are always at the end of the queue file even when
13149 all other recipients are in the initial segment). File:
13150 global/rec_types.h.
13152 20070123
13154 Workaround: OpenSSL falsely concludes that AES256 support
13155 is present when only AES128 is available. Code by Victor
13156 Duchovni. File: tls/tls_misc.c.
13158 20070125
13160 Disable workaround pending completion of updated TLS]
13161 support in non-production releases.
13163 20070131
13165 Assorted code cleanup, portability fixes/workarounds, and
13166 minor updates: global/dict_ldap.c, mantools/postlink,
13167 tlsmgs/tlsmgr.c, conf/master.cf. LaMont Jones.
13169 20070101
13171 Portability: GNU Hurd support for multiple kernel environments.
13172 LaMont Jones. Files: util/sys_defs.h, makedefs.
13174 Cleanup: some default settings were adjusted to better fit
13175 today's environment: queue_run_delay and minimal_backoff_time
13176 were reduced from 1000s to 300s, so that deliveries are
13177 retried earlier after the first failure; ipc_idle was reduced
13178 from 100s to 5s, so that tlsmgr and scache clients will
13179 more quickly release unused file handles. Files:
13180 global/mail_params.h, proto/postconf.5.html
13182 20070202
13184 Catch-up: FreeBSD kqueue support. File: util/events.c.
13186 20070205
13188 System-V poll(2) support. This is now the preferred method
13189 to test a single file descriptor on sufficiently recent
13190 versions of FreeBSD, NetBSD, OpenBSD, Solaris and Linux;
13191 other systems will be added as evidence becomes available
13192 of usable poll(2) implementations. Files: util/read_wait.c,
13193 util/write_wait.c, util/readble.c, util/writable.c.
13195 Streamlined the event_enable_read/write implementation to
13196 speed up smtp-source performance, by eliminating expensive
13197 kqueue/devpoll/epoll system calls when only the application
13198 call-back information changes. On FreeBSD, smtp-sink/source
13199 tests now run 5% faster than with the old select(2) based
13200 implementation. File util/events.c.
13202 20070206
13204 Catch-up: Solaris /dev/poll support. File: util/events.c.
13206 Bugfix (introduced 20060823): initial state was not in state
13207 machine, causing memory access outside the lookup table.
13208 File: smtpstone/smtp-sink.c.
13210 20070210
13212 Catch-up: Linux epoll support. File: util/events.c.
13214 20070211
13216 Polished the kqueue/devpoll/epoll support; this is now
13217 enabled by default on sufficiently recent versions of
13218 FreeBSD, NetBSD, OpenBSD, Solaris and Linux; other systems
13219 will be added as evidence becomes available of usable
13220 implementations. File: util/events.c.
13222 20070212
13224 Further polish: removed some typos from new code in the
13225 events.c handler, undid some unnecessary changes to the
13226 {read,write}{_wait,able}.c modules, and addressed Victor's
13227 paranoia for multi-client servers with a thousand clients
13228 while linked with library routines that can't handle file
13229 descriptors >= FD_SETSIZE.
13231 Cleanup: while debugging the new events.c handler, removed
13232 an unnecessary "write after connect" call-back event. File:
13233 global/post_mail.c.
13235 20070214
13237 Robustness: in the queue manager keep a number of free file
13238 descriptor slots at the low end, to work around library
13239 routines that can't handle file descriptors >= FD_SETSIZE.
13240 Files: *qmgr/qmgr_transport.c, util/vstream.[hc]
13242 20070215
13244 Bugfix (introduced 20070114 with Milter body edit support):
13245 the cleanup server terminated with a fatal error when SMTP
13246 mail exceeded the message size limit, instead of handling
13247 it as a non-fatal error. Files: cleanup/cleanup_extracted.c,
13248 cleanup/cleanup_final.c, cleanup/cleanup_bounce.c,
13249 cleanup/cleanup_api.c.
13251 20070217
13253 Streamline the compile time selection of event handling
13254 styles, replacing multiple on/off macros by just one
13255 multi-valued macro. Files: util/sys_defs.h, util/events.c,
13256 master/multi_server.c, *qmgr/qmgr_transport.c.
13258 20070220
13260 Work-around: Disable SSL/TLS ciphers when the underlying
13261 symmetric algorithm is not available in the OpenSSL crypto
13262 library at the required bit strength. Problem observed with
13263 SunOS 5.10's bundled OpenSSL 0.9.7 and AES 256. Also possible
13264 with OpenSSL 0.9.8 and CAMELLIA 256. Root cause fixed in
13265 upcoming OpenSSL 0.9.7m, 0.9.8e and 0.9.9 releases. Victor
13266 Duchovni, Morgan Stanley. Files: src/smtp/smtp_proto.c,
13267 src/smtpd/smtpd.c, src/tls/tls.h, src/tls/tls_client.c,
13268 src/tls/tls_misc.c and src/tls/tls_server.c.
13270 20070222
13272 Workaround: delayed "postfix reload" with ancient FreeBSD4
13273 kqueue implementations, causing the first external or
13274 internal clients after "postfix reload" to experience a
13275 quick disconnect. Apparently, these kqueue implementations
13276 do not deliver a read notification when the master closes
13277 the per-service shared master/child status pipe (even when
13278 there is only one child; note that the master keeps a handle
13279 to both ends of each status pipe). A child process remains
13280 ignorant that the status pipe was closed until the arrival
13281 of the next client request, and then terminates. The
13282 workaround is to ignore master status write errors before
13283 handling a service request. Files: master/*_server.c.
13285 Cleanup: fix race condition that caused unnecessary "premature
13286 end-of-input" warning messages when "postfix reload" was
13287 issued on a busy mail server. Files: util/attr_scan*c.
13289 20070223
13291 Cleanup: syslog_name now works as documented with both
13292 daemons and commands (including set-gid commands). Files:
13293 global/mail_task.c postlog/postlog.c, global/mail_version.h,
13294 sendmail/sendmail.c, postsuper/postsuper.c, postalias/postalias.c,
13295 postmap/postmap.c, postqueue/postqueue.c, postdrop/postdrop.c,
13296 master/trigger_server.c, master/single_server.c,
13297 master/multi_server.c.
13299 20070224
13301 Workaround: GNU POP3D creates a new mailbox and deletes the
13302 old one. Postfix now backs off and retries delivery later,
13303 instead of appending mail to a deleted file. To minimize
13304 the use of this workaround, Postfix now by default creates
13305 mailbox dotlock files on all systems, and creates dotlock
13306 files before opening mailbox files. Files: util/sys_defs.h,
13307 global/mbox_open.c.
13309 20070301
13311 Workaround: updated workaround for broken Solaris accept().
13312 File: util/inet_listen.c.
13314 Workaround: on some FreeBSD versions, accept(2) can fail
13315 with a bogus EINVAL error. We now allow accept(2) to fail
13316 for a limited number of times before terminating the process.
13317 Files: master/single_server.c, master/multi_server.c.
13319 20070306
13321 Bugfix (introduced with Postfix 2.3 Milter support): postdrop
13322 reported "illegal seek" instead of "file too large". File:
13323 postdrop/postdrop.c.
13325 20070310
13327 Cleanup: specify "undisclosed_recipients_header =" to disable
13328 Postfix's "To: undisclosed-recipients:;" header for mail
13329 that lists no recipient. The To: header is not required as
13330 of RFC 2822. The undisclosed_recipients_header parameter
13331 value can now be an empty string, a value that was not
13332 allowed with earlier Postfix versions. With Postfix 2.5 it
13333 will be empty by default. Files: cleanup/cleanup.c,
13334 cleanup/cleanup_message.c.
13336 20070312
13338 Backwards compatibility: don't pad short message header
13339 records when Milter support is turned off. This maintains
13340 compatibility with Postfix versions that pre-date Milter
13341 support. File: cleanup/cleanup_out.c.
13343 20070314
13345 Bitrot: move the "don't run this daemon by hand" message
13346 before other tests. Files: master/*server.c.
13348 20070315
13350 Bitrot: New OpenLDAP APIs deprecate simplified interfaces,
13351 that are the only ones available in Sun's LDAP SDK. Define
13352 suitable macros that work with new OpenLDAP and Sun's code.
13353 Victor Duchovni, Morgan Stanley. File: src/global/dict_ldap.c
13355 Cleanup: new "leaf" and "terminal" result attributes support
13356 fine-tuning of LDAP group expansion, and provide a solution
13357 for the problem case where DN recursion returns both the
13358 group address and the addresses of the member objects.
13359 Victor Duchovni, Morgan Stanley. Files: src/global/dict_ldap.c,
13360 proto/LDAP_README.html, proto/ldap_table
13362 20070317
13364 Idioten Sicherheit: stamp every executable file and every
13365 core dump file with "mail_version=xxxxx". Adding version
13366 stamps and checks to every IPC message is too much change
13367 after code freeze, and requires too much time for testing.
13368 File: src/global/mail_version.h and every main program file.
13370 20070320
13372 Bugfix (introduced between 20070120 and 20070121): the
13373 cleanup server stored no "delayed mail warning" queue file
13374 records with "sendmail -t", and no header_checks filter/redirect
13375 records or content encoding records with other mail. File:
13376 global/rec_type.h.
13378 20070321
13380 Bugfix (introduced 20070224): local(8) or virtual(8) could
13381 log a misleading error message after failure to open a
13382 mailbox file. File: global/mbox_open.c.
13384 Bugfix (code should have been updated 20070104): the proxymap
13385 client did not propagate changes in case folding flags.
13386 Currently, nothing in Postfix uses this functionality.
13387 File: global/dict_proxy.c.
13389 20070325
13391 Bugfix: postfix-install didn't work for symlink or hardlink
13392 targets, when the parent directory had a value of "no".
13394 20070326
13396 Workaround: Eric Raymond's man page formatters don't handle
13397 low-level *roff .in or .ti controls. We now use .nf and .fi
13398 instead. Files: many.
13400 20070331
13402 Bugfix (introduced Postfix 2.3): segfault with HOLD action
13403 in access/header_checks/body_checks on 64-bit platforms.
13404 File: cleanup/cleanup_api.c.
13406 20070402
13408 Portability (introduced 20070325): the fix for hardlinks
13409 and symlinks in postfix-install forgot to work around shells
13410 where "IFS=/ command" makes the IFS setting permanent. This
13411 is allowed by some broken standard, and affects Solaris.
13412 File: postfix-install.
13414 Portability (introduced 20070212): the workaround for
13415 non-existent library bugs with descriptors >= FD_SETSIZE
13416 broke with "fcntl F_DUPFD: Invalid argument" on 64-bit
13417 Solaris. Files: master/multi_server.c, *qmgr/qmgr_transport.c.
13419 20070405
13421 Feature: BCC access/policy action, to demonstrate that this
13422 is not a good feature. The action's behavior is non-intuitive
13423 and requires too much documentation to explain. It's
13424 therefore snapshot only. File: smtpd/smtpd_check.c.
13426 20070414
13428 Cleanup: expire cached results from addres rewriting, address
13429 resolution, and from transport map lookups. Results expire
13430 after 30 seconds; short enough that it doesn't freak out
13431 people who run the same test repeatedly, and long enough
13432 that it doesn't upset other people with continuous streams
13433 of "*" transport map lookups. Files: global/rewrite_clnt.c,
13434 global/resolve_clnt.c, trivial-rewrite/transport.c.
13436 20070421
13438 Cleanup: on (Linux) platforms that cripple signal handlers
13439 with deadlock, "postfix stop" now forcefully stops all the
13440 processes in the master's process group, not just the master
13441 process alone. File: conf/postfix-script.
13443 20070422
13445 Cleanup: the "Delivered-To:" loop detection implementation
13446 was moved from the local(8) delivery agent to the library,
13447 where it can also be used by other delivery agents. Files:
13448 global/delivered_hdr.[hc].
13450 Safety: the "Delivered-To:" loop detection implementation
13451 keeps state for no more than 1000 "Delivered-To:" headers.
13453 Feature: $domain command-line macro support, to get access
13454 to the recipient address domain portion. Based on code by
13455 Koen Vermeer. File: pipe/pipe.c.
13457 Cleanup: support for "Delivered-To:" loop detection in the
13458 pipe(8) delivery agent. This follows a general principle:
13459 if a program creates the "Delivered-To:" header, then it
13460 is also responsible for "Delivered-To:" loop detection.
13461 File pipe/pipe.c.
13463 20070423
13465 The cache expiring transport map lookups did not distinguish
13466 between wildcard transport map entry with an "empty" transport
13467 field, or no wildcard transport map entry.
13469 20070424
13471 Cleanup: making hard-coded behavior configurable. In this
13472 case, extracting 8BITMIME encoding information from
13473 Content-Transfer-Encoding: message headers. The default
13474 behavior, "detect_8bit_encoding_header = yes", is backwards
13475 compatible. This behavior was introduced to generate
13476 RFC-compliant bounce messages before Postfix supported the
13477 8BITMIME option in the MAIL FROM command and on the Postfix
13478 sendmail command line. Files: cleanup/cleanup_init.c,
13479 cleanup/cleanup_message.c, global/mail_params.h.
13481 20070425
13483 Bugfix: don't falsely report "lost connection from
13484 localhost[127.0.0.1]" when Postfix is being portscanned.
13485 Files: smtpd/smtpd_peer.c, qmqpd/qmqpd_peer.c.
13487 20070429
13489 Feature: "postfix status" to report whether Postfix is
13490 running. By Mike Cappella.
13492 Cleanup: configurable address case folding moved from the
13493 pipe(8) delivery agent to the library, where it can also
13494 be used by other delivery agents. Files: global/fold_addr.[hc].
13496 20070430
13498 Robustness: recommend a "0" process limit for policy servers
13499 to avoid "connection refused" problems when the smtpd process
13500 limit exceeds the default process limit. File:
13501 proto/SMTPD_POLICY_README.html.
13503 20070501
13505 Workaround: turn on KEEPALIVE probes to avoided "lost
13506 connection after sending end-of-data" problems when some
13507 stateful (NAT) filter expires an idle connection too soon.
13508 This requires that the kernel's TCP keepalive timer be set
13509 to a sufficiently short time (perhaps 100s or less). Files:
13510 util/sane_accept.c, util/sane_connect.c.
13512 Safety: when IPv6 (or IPv4) is turned off, don't treat an
13513 IPv6 (or IPv4) connection from e.g. inetd as if it comes
13514 from localhost[127.0.0.1]. Files: smtpd/smtpd_peer.c,
13515 qmqpd/qmqpd_peer.c.
13517 20070502
13519 Workaround: build without EPOLL support when an epoll-enabled
13520 kernel sits underneath a retarded libc. File: makedefs.
13522 Cleanup: missing support for SASL security properties with
13523 Dovecot SASL authentication. Based on an initial version
13524 by Lev A. Serebryakov. File: xsasl/xsasl_dovecot_server.c.
13526 20070503
13528 Cleanup: changed the default address verification sender
13529 from "postmaster" to "double-bounce", so that the Postfix
13530 SMTP server no longer surprises unsuspecting people by
13531 excluding "postmaster" from SMTPD access controls. File:
13532 global/mail_params.h.
13534 20070508
13536 Bugfix: Content-Transfer-Encoding: attribute values are
13537 case insensitive. File: src/cleanup/cleanup_message.c.
13540 20070514
13542 Bugfix: the makedefs EPOLL workaround broke any attempt to
13543 build on a 2.6 kernel. And that two weeks after the workaround
13544 had been posted to the mailing list. File: makedefs.
13546 Bugfix: mailbox_transport(_maps) and fallback_transport(_maps)
13547 were broken when used with the error(8) or discard(8)
13548 transports. Cause: insufficient documentation. Files:
13549 error/error.c, discard/discard.c.
13551 20070520
13553 Bugfix (problem introduced Postfix 2.3): when DSN support
13554 was introduced it broke "agressive" recipient duplicate
13555 elimination with "enable_original_recipient = no". File:
13556 cleanup/cleanup_out_recipient.c.
13558 20070523
13560 Feature: cyrus_sasl_config_path to specify a search path
13561 for Cyrus SASL configuration files (currently used only to
13562 locate the smtpd.conf file). Based on code by Victor
13563 Duchovni. Files: smtpd/smtpd.c xsasl/xsasl_cyrus_server.c,
13564 (and xsasl/xsasl_cyrus_client.c for future expansion).
13566 20070525
13568 Bugfix (introduced 20070523): the sasl_set_path() function
13569 name was mis-speeled.
13571 20070529
13573 Bugfix (introduced Postfix 2.3): the sendmail/postdrop
13574 commands would hang when trying to submit a message larger
13575 than the per-message size limit. File: postdrop/postdrop.c.
13577 20070530
13579 Sabotage the saboteur who insists on breaking Postfix by
13580 adding gethostbyname() calls that cause maildir delivery
13581 to fail when the machine name is not found in /etc/hosts,
13582 or that cause Postfix processes to hang when the network
13583 is down.
13585 20070531
13587 Portability: Victor helpfully pointed out that change
13588 20070425 broke on non-IPv6 systems. Files: smtpd/smtpd_peer.c,
13589 qmqpd/qmqpd_peer.c.
13591 20070610
13593 Isolation: don't allow the pipe(8) delivery agent to leak
13594 postdrop group privileges with "user=xxx:postdrop". File:
13595 pipe/pipe.c.
13597 20070613
13599 Bugfix: the Milter client assumed that a Milter application
13600 does not modify the message header or envelope, after that
13601 same Milter application has modified the message body of
13602 that same email message. This is not a problem with updates
13603 by different Milter applications. Problem was triggered
13604 by Jose-Marcio Martins da Cruz. Also simplified the handling
13605 of queue file update errors. File: milter/milter8.c.
13607 20070614
13609 Workaround: some non-Cyrus SASL SMTP servers require SASL
13610 login without authzid (authoriZation ID), i.e. the client
13611 must send only the authcid (authentiCation ID) + the authcid's
13612 password. In this case the server is supposed to derive
13613 the authzid from the authcid. This works as expected when
13614 authenticating to a Cyrus SASL SMTP server. To get the old
13615 behavior specify "send_cyrus_sasl_authzid = yes", in which
13616 case Postfix sends the (authzid, authcid, password), with
13617 the authzid equal to the authcid. File: xsasl/xsasl_cyrus_client.c.
13619 20070619
13621 Portability: /dev/poll support for Solaris chroot jail setup
13622 scripts. Files: examples/chroot-setup/Solaris8,
13623 examples/chroot-setup/Solaris10.
13625 20070713
13627 The RFC documents at www.faqs.org are being polluted with
13628 "feedback" spam. The Postfix hypertext documentation now
13629 points to tools.ietf.org. File: mantools/postlink.
13631 20070719
13633 Feature: updated smtp-sink with new options to send a
13634 pre-formatted message from file, and to handle replies other
13635 than the expected 2xx or 3xx. File: smtpstone/smtp-source.c.
13637 Cleanup: Milter client error handling, so that the (Postfix
13638 SMTP server's Milter client) does not get out of sync with
13639 Milter applications after the (cleanup server's Milter
13640 client) encounters some non-recoverable problem. Files:
13641 milter/milter8.c, smtpd/smtpd.c.
13643 20070720
13645 Support for RFC 4954 (SASL AUTH, updates RFC 2554, refines
13646 some reply codes and introduces DSN enhanced status codes)
13647 and RFC 3848 ("Received ... with ESMTPS?A? ...). Currently,
13648 support for the latter is always on. Files: smtpd/smtpd.c,
13649 smtpd/smtpd_sasl_proto.c, smtpd/smtpd_sasl_glue.c.
13651 20070727
13653 Workaround: the queue manager no longer logs a warning for
13654 mail sent to the local double-bounce address (normally, the
13655 this is used as the sender while reporting an undeliverable
13656 bounce message to the local postmaster). As of 20070503
13657 the local double-bounce address is the default sender for
13658 sender/recipient address verification probes, and it now
13659 shows up as a spam target. Files: *qmgr/qmgr_message.c.
13661 20070729
13663 Performance: fix for poor TCP performance for loopback
13664 (127.0.0.1) connections. Problem reported by Mark Martinec.
13665 Files: util/vstream.c, util/vstream_tweak.c, milter/milter8.c,
13666 smtp/smtp_connect.c, smtpstone/*source.c.
13668 20070730
13670 Bugfix: when a milter replied with ACCEPT at or before the
13671 first RCPT command, the cleanup server would apply the
13672 non_smtpd_milters setting as if the message was a local
13673 submission. Problem reported by Jukka Salmi. Also, the
13674 cleanup server would get out of sync with the milter when
13675 a milter replied with ACCEPT at the DATA command. Files:
13676 cleanup/cleanup_envelope.c, smtpd/smtpd.c, milter/milters.c.
13678 20070811
13680 Cleanup: unlike smtpd_mumble_restrictions, the Postfix SMTP
13681 server Milter reject logging did not show the (helo argument,
13682 sender address, or recipient address) that was being rejected.
13683 File: smtpd/smtpd.c.
13685 20070824
13687 Bugfix (introduced snapshot 20070429): the pipe(8) delivery
13688 agent 'q' flag (quote address local-part) used the same bit
13689 mask as the 'B' flag (append blank line). Setting one flag
13690 also turned on the other. File: pipe/pipe.c.
13692 Feature: specify the 'X' flag to indicate that the pipe(8)
13693 delivery agent performs final delivery. This changes the
13694 status in DSN "success" messages from "relayed" into
13695 "delivered". File: pipe/pipe.c.
13697 20070904-6
13699 Feature: stress-adaptive behavior. When a "public" network
13700 service runs into an "all processes are busy" condition,
13701 the master(8) daemon logs a warning, restarts the service,
13702 and runs it with "-o stress=yes" on the command line (normally
13703 it runs the service with "-o stress="). This can be used
13704 to make main.cf parameter settings stress dependent.
13705 Examples: "smtpd_timeout = ${stress?10}${stress:300}" and
13706 "smtpd_hard_error_limit = ${stress?1}${stress:20}". Files:
13707 master/master_avail.c, master/master_spawn.c, master/master_ent.c.
13709 20070911
13711 Bugfix (introduced Postfix 2.2.11): TLS client certificate
13712 with unparsable canonical name caused the SMTP server's
13713 policy client to allocate zero-length memory, triggering
13714 an assertion that it shouldn't do such things. File:
13715 smtpd/smtpd_check.c.
13717 20070912
13719 Bugfix (introduced Postfix 2.4) missing initialization of
13720 event mask in the event_mask_drain() routine (used by the
13721 obsolete postkick(1) command). Found by Coverity. File:
13722 util/events.c.
13724 20070917
13726 Workaround: the flush daemon forces an access time update
13727 for the per-destination logfile, to prevent an excessive
13728 rate of delivery attempts when the queue file system is
13729 mounted with "noatime". File: flush/flush.c.
13731 20070923
13733 Cleanup: don't complain when a "corrupt" queue file is
13734 deleted before it can be saved to the "corrupt" queue.
13735 Files: *qmgr/qmgr_active.c.
13737 20071003
13739 Logging: the Postfix SMTP server now logs the number of
13740 bytes received after the DATA command when a connection
13741 breaks before mail delivery completes. This may help finding
13742 the cause of the problem: packet loss, MTU, or other. File:
13743 smtpd/smtpd.c.
13745 20071004
13747 Logging: all daemons now log the TCP port number of remote
13748 SMTP or QMQP clients. The information is overruled with
13749 the SMTP XCLIENT command, is propagated through SMTP-based
13750 content filters with XFORWARD, and is sent to Milter
13751 applications. Files: smtpd/smtpd_peer.c, smtpd/smtpd.c,
13752 smtpd/smtpd_proxy.c, smtpd/smtpd_milter.c, qmqpd/qmqpd_peer.c,
13753 cleanup/cleanup_milter.c, *qmgr/qmgr_message.c,
13754 *qmgr/qmgr_deliver.c, smtp/smtp_proto.c, pipe/pipe.c,
13755 global/deliver_request.c, global/deliver_pass.c,
13756 proto/XFORWARD_README, proto/XCLIENT_README.
13758 Feature: per-command delays in smtp-sink. File:
13759 smtpstone/smtp-sink.c. Victor Duchovni.
13761 20071006
13763 Cleanup: updated a bunch of hard-coded host[addr] logging
13764 statements. Files: smtpd/smtpd.c, smtpd/smtpd_chat.c,
13765 smtpd/smtpd_sasl_glue.c.
13767 Cleanup: client port logging is now configurable (off by
13768 default). Parameters: smtpd_client_port_logging and
13769 qmqpd_client_port_logging. Files: smtpd/smtpd_peer.c,
13770 qmqpd/qmqpd_peer.c.
13772 Cleanup: send client port information "0" instead of "unknown"
13773 to Milter applications. Files: smtpd/smtpd.c, smtpd/smtpd_milter.c,
13774 cleanup/cleanup_milter.c.
13776 20071025
13778 Portability: on Linux we no longer need /proc to find out
13779 local IPv6 interface address information. LaMont Jones.
13780 Files: util/sys_defs.h.
13782 20071030
13784 Bugfix (introduced Postfix 2.3): Postfix mistakenly enforced
13785 the 64kbyte limit (for sending body parts TO Milter
13786 applications) also while receiving packets FROM Milter
13787 applications. The limit is now at least 1GB. File:
13788 milter/milter8.c.
13790 20071105
13792 Feature: ORIGINAL_RECIPIENT environment variable. Corey
13793 Hickey. File: local/local.c.
13795 20071108-10
13797 Feature: general-purpose header/body_checks library module,
13798 first used in the SMTP client. Actions that change the
13799 message delivery time or destination can be implemented
13800 with a simple extension mechanism (they make sense only in
13801 before-queue filters). Configuration parameters:
13802 smtp_header_checks, smtp_mime_header_checks,
13803 smtp_nested_header_checks, smtp_body_checks. Unlike the
13804 cleanup server, the mime and nested header checks don't by
13805 default assume the header_checks value. Files:
13806 global/header_body_checks.[hc], smtp/smtp_proto.c,
13807 smtp/smtp_session.c.
13809 20071110
13811 Feature: ${original_recipient} command-line macro. Corey
13812 Hickey. File: pipe/pipe.c.
13814 Bugfix (introduced: 20071004) missing exception handling
13815 in smtp-sink per-command delay feature. Victor Duchovni.
13816 File: smtpstone/smtp-sink.c.
13818 2007117-20
13820 Revised queue manager with separate mechanisms for
13821 per-destination concurrency control and dead destination
13822 detection. The concurrency control supports non-integer
13823 feedback for more gradual concurrency adjustments, and uses
13824 hysteresis to avoid rapid oscillations. A destination is
13825 declared "dead" after a configurable number of pseudo-cohorts
13826 (number of deliveries equal to a destination's concurrency)
13827 reports connection or handshake failure. This work began
13828 with a discussion that Wietse started with Patrik Rak and
13829 Victor Duchovni late January 2004, and that Victor revived
13830 late October 2007. To establish a baseline for further
13831 improvement, Wietse implemented a few simple mechanisms.
13833 Configuration parameters for debugging, positive/negative
13834 hysteresis, and positive/negative feedback. Some have since
13835 been removed or renamed, so no point naming them here.
13836 Files: global/mail_params.h, qmgr/qmgr_queue.c,
13837 qmgr/qmgr_deliver.c.
13839 20071121
13841 Boundary condition: Patrik Rak pointed out that handling
13842 of negative feedback with concurrency window 1 could
13843 be improved.
13845 Feature: support to look up null sender addresses in
13846 sender-dependent relayhost maps. Parameter name:
13847 empty_address_relayhost_maps_lookup_key (default; <>).
13848 Keean Schupke. File: trivial-rewrite/resolve.c.
13850 20071127-9
13852 Revision 2 of queue manager scheduler interface, allowing
13853 feedback parameter settings with constants and variables
13854 such as 1/8 or 1/concurrency. Some experimental parameters
13855 were removed and others were renamed. The new names are:
13856 default_destination_concurrency_negative_feedback,
13857 default_destination_concurrency_positive_feedback,
13858 default_destination_concurrency_failed_cohort_limit,
13859 destination_concurrency_feedback_debug.
13861 Also available are transport-specific overrides:
13862 <transport>_initial_destination_concurrency,
13863 <transport>_destination_concurrency_negative_feedback,
13864 <transport>_destination_concurrency_positive_feedback,
13865 <transport>_destination_concurrency_failed_cohort_limit.
13867 Files: global/mail_params.h, *qmgr/qmgr.c, *qmgr/qmgr_transport.c,
13868 *qmgr/qmgr_queue.c, *qmgr/qmgr_feedback.c, postconf/auto.awk.
13870 20071202
13872 Feature: output rate control. For example, specify
13873 "smtp_destination_rate_delay = 5m" to insert a five-minute
13874 delay between deliveries. This was an opportunity to define
13875 the mutually exclusive states that a queue can have, and
13876 to detect invalid transitions. This will make adding new
13877 features code easier. Files: *qmgr/qmgr_transport.c,
13878 *qmgr/qmgr_queue.c, *qmgr/qmgr_entry.c.
13880 Bugfix (introduced Postfix 2.2): don't update the back-to-back
13881 delivery time stamp while deferring mail. File: *qmgr/qmgr_entry.c.
13883 20071203
13885 Feature: support for read-write tables in the proxymap
13886 service. This is implemented with a separate master.cf entry
13887 named "proxywrite" that should run with process limit of 1
13888 if you want to update Berkeley DB like tables. This feature
13889 requires that tables be authorized with the proxy_write_maps
13890 configuration parameter. Files: global/dict_procy.[hc],
13891 proxymap/proxymap.c.
13893 Human factors: the postmap and postalias commands now produce
13894 nicer diagnostics when asked to do something with a proxied
13895 map that they can't do. Files: postmap/postmap.c,
13896 postalias/postalias.c.
13898 Bugfix: the proxymap client didn't properly propagate user
13899 options to the proxymap server. File: util/dict.h.
13901 Workaround: force synchronous updates in the proxymap server
13902 so that maps will be in a consistent state between updates.
13903 File: proxymap/proxymap.c.
13905 Bugfix: an empty rate-limited queue wasn't removed after
13906 timer expiry. Files: *qmgr/qmgr_queue.c.
13908 20071204
13910 Use different sockets for proxymap (read-only) and proxywrite
13911 (read-write) services in the proxy: client. Victor Duchovni.
13912 File: global/dict_proxy.c.
13914 Feature: proxymap delete support by Victor Duchovni. Files:
13915 global/dict_proxy.c, proxymap/proxymap.c.
13917 Feature: proxymap delete support. Files: postmap/postmap.c
13918 postalias/postalias.c.
13920 Cleanup: the Postfix sendmail command did not include the
13921 user (name/uid) information in all error messages. File:
13922 sendmail/sendmail.c.
13924 Feature: data_directory configuration parameter for
13925 Postfix-writable data such as caches and random numbers.
13926 Files: postfix-install, conf/postfix-files.
13928 20071206
13930 Security: tlsmgr(8) and verify(8) no longer use root
13931 privileges when opening their cache files. This avoids a
13932 potential security loophole where the ownership of a file
13933 (or directory) does not match the trust level of the content
13934 of that file (or directory). See RELEASE_NOTES for how to
13935 use pre-existing data. Files: util/set_eugid.[hc],
13936 tlsmgr/tlsmgr.c, verify/verify.c.
13938 Compatibility: as a migration tool, redirect attempts by
13939 tlsmgr(8) or verify(8) to open files in non-Postfix directories
13940 to the Postfix-owned data_directory. File: global/data_redirect.c.
13942 Lots of pathname fixes in the examples of TLS_README and
13943 postconf(5); -lm library screw-up in queue manager Makefiles.
13945 20071207
13947 Cleanup: pathname fixes in documentation; unnecessary queue
13948 scan in the queue manager rate limiter; inverse square root
13949 feedback in the queue manager concurrency scheduler. Files:
13950 mantools/postlink, proto/TLS_README.html, *qmgr/qmgr_queue.c.
13952 All changes up to this point should be ready for Postfix 2.5.
13954 Documentation: updated nqmgr preemptive scheduler documentation
13955 by Patrik Rak. File: proto/SCHEDULER_README.html.
13957 20071211
13959 Bugfix (introduced 19980315): the "write" equivalent of
13960 bugfix 20030104. File: util/vstream.c.
13962 20071212
13964 Feature: "stress=" or "stress=yes" attribute in the SMTPD
13965 policy delegation protocol. File: smtp/smtpd_check.c.
13967 Cleanup: allow_min_user now rejects recipients (and senders)
13968 starting with '-' at SMTP session time. To make this possible
13969 the feature was moved from qmgr(8) to trivial-rewrite(8).
13970 Files: *qmgr/qmgr_message.c, trivial-rewrite/resolve.c.
13972 20071213:
13974 Cleanup: the queue manager and SMTP client now distinguish
13975 between connection cache store and retrieve hints. Once the
13976 queue manager enables connection caching (store and load)
13977 hints on a per-destination queue, it keeps sending connection
13978 cache retrieve hints to the delivery agent even after it
13979 stops sending connection cache store hints. This prevents
13980 the SMTP client from making a new connection without checking
13981 the connection cache first. Victor Duchovni. Files:
13982 *qmgr/qmgr_entry.c, smtp/smtp_connect.c.
13984 Bugfix (introduced Postfix 2.3): the SMTP client never
13985 marked corrupt files as corrupt. Victor Duchovni. File:
13986 smtp/smtp_proto.c.
13988 Cleanup: the SMTP client won't mark a destination as
13989 unavailable when at least one SMTP session was completed
13990 without connect or handshake error. Victor Duchovni. Files:
13991 smtp/smtp_connect.c, smtp/smtp_session.c, smtp/smtp_proto.c,
13992 smtp/smtp_trouble.c.
13994 20071215
13996 Documentation and code cleanup. Files: global/deliver_request.h,
13997 *qmgr/qmgr_entry.c, smtp/smtp_connect.c,
13998 proto/SCHEDULER_README.html.
14000 Bugfix (introduced snapshot 20071006): qmqpd ignored the
14001 qmqpd_client_port_logging parameter setting. File:
14002 qmqpd/qmqpd.c.
14004 20071216
14006 Cleanup: show the remote SMTP server port in verbose logging,
14007 warnings and postmaster notices. Still don't show the port
14008 in delivery status notifications. Files: smtp/smtp_chat.c,
14009 smtp/smtp_sasl_glue.c, smtp/smtp_sasl_proto.c.
14011 The "tls_require_cert" is now compatible with OpenLDAP 2.1
14012 and later. Victor Duchovni. Files: proto/ldap_table,
14013 global/dict_ldap.c.
14015 20071218
14017 Cleanup: removed the "#ifdef USE_LIBMILTER_INCLUDES"
14018 dependencies on system-installed Milter protocol include
14019 files. Verified that the object code has not changed. File:
14020 milter/milter8.c.
14022 Sanity check: idiot filter to detect attempts to use the
14023 same database file for different TLS session caches. File:
14024 tlsmgr/tlsmgr.c.
14026 Cleanup: updated the spell check stoplist and the spell
14027 check script. Files: mantools/spell, proto/stop.
14029 Cleanup: replaced documentation references to xxgdb by ddd.
14030 The xxgdb program hasn't been updated in more than 10 years.
14031 Files: proto/postconf.proto, conf/main.cf.
14033 20071219-20
14035 Feature: support for all new Sendmail 8.14 Milter features
14036 except SMFIR_SKIP (skip further events of this type),
14037 SMFIP_RCPT_REJ (report rejected recipients to the mail
14038 filter), SMFIR_CHGFROM (replace sender, with optional ESMTP
14039 command parameters), and SMFIR_ADDRCPT_PAR (add recipient,
14040 with optional ESMTP command parameters). Files: milter/milters.c,
14041 milter/milter8.c, milter/test-milter.c, cleanup/cleanup_milter.c.
14043 20071221
14045 Feature: support for Sendmail 8.14 Milter SMFIR_SKIP (skip
14046 further events of this type). Files: milter/milter8.c,
14047 milter/test-milter.c.
14049 Cleanup: don't try sending HELO after a 421 EHLO reply.
14050 File: smtp/smtp_proto.c.
14052 20071221-nonprod
14054 Using 20071221 as reference point.
14056 Cleanup: Simplified TLS library cipher and protocol API to
14057 just pass string-valued properties to tls_client_init() and
14058 tls_client_start(). The client is now agnostic of the
14059 mechanics of cipher management internal to the library. The
14060 main.cf parameters used internally in the library are now
14061 loaded by the library, not the caller. Files:
14062 src/smtp/lmtp_params.c, src/smtp/smtp.c, src/smtp/smtp.h,
14063 src/smtp/smtp_params.c, src/smtp/smtp_proto.c,
14064 src/smtp/smtp_session.c, src/smtpd/smtpd.c, src/tls/tls.h,
14065 src/tls/tls_client.c, src/tls/tls_level.c, src/tls/tls_misc.c,
14066 src/tls/tls_server.c, src/tls/tls_session.c, src/tls/tls_verify.c
14067 and src/tlsmgr/tlsmgr.c
14069 Cleanup: Client session lookup key "salting" is now handled
14070 internally in the tls library. Files: src/tls/tls_client.c
14072 Cleanup: Cipher state is cached, and only updated when
14073 necessary. Files: src/tls/tls_misc.c
14075 Feature: Extended the syntax of protocol selection to allow
14076 exclusions as well as inclusions. Files: src/tls/tls_misc.c
14078 Cleanup: Updated default verification depth to match reality:
14079 default is 9 in OpenSSL and we don't yet override it. When
14080 we do (soon), the default will match previous behavior.
14081 Files: src/global/mail_params.h
14083 Bugfix: Reference to obsolete "pfixtls" code won't compile
14084 inside #ifdef for OpenSSL <= 0.9.5a. Using an OpenSSL release
14085 that old has not been tested for some time, but may now
14086 work. Files: src/tls/tls_bio_ops.c.
14088 Replaced "void *" TLS library application handles by explicit
14089 pointer types, while hiding data structure implementation
14090 details from the TLS library users. Files: tls/tls_client.c,
14091 tls/tls_server.c, smtp/smtp.c, smtpd/smtpd.c.
14093 The TLS library no longer modifies VSTRINGs passed in by
14094 the caller. Where possible, information is passed as "const"
14095 from application to library. Files: smtp/smtp_proto.c,
14096 tls/tls_client.c.
14098 20071227-nonprod
14100 Replaced explicit initialization of props structures by
14101 emulating function calls with named parameter lists. Files:
14102 tls/tls.h, smtp/smtp.c, smtp/smtp_proto.c, smtpd/smtpd.c.
14104 20071222
14106 Further polishing of the Milter code and logging. File:
14107 milter/milter8.c.
14109 20071123
14111 Further polishing of the Milter code. With SETSYMLIST, each
14112 Milter can now update its own macros instead of clobbering
14113 the global copy that is shared with other Milters. Also an
14114 opportunity to clean up some ad-hoc code for sending macro
14115 lists from smtpd(8) to cleanup(8). Files: milter/milter.c,
14116 milter/milter8.c, milter/milter_macros.c.
14118 20071224
14120 Further polishing of the Milter code. Eliminated unnecessary
14121 steps from the initial smtpd/cleanup Milter handshake. Files:
14122 milter/milter.c, milter/milter8.c, milter/milter_macros.c.
14124 Cleanup: name_code(3) and name_mask(3) now support read-only
14125 tables. Files: util/name_code.[hc], util/name_mask.[hc].
14127 20071227
14129 Cleanup: further refinements of the Milter code, allowing
14130 for multiple macro overrides. The code is now ready for
14131 serious testing. File: milter/milter8.c.
14133 20071229
14135 Bugfix: the Milter client did not replace the Postfix-specific
14136 form for unknown host names by the Sendmail-specific form.
14137 File: milter/milter8.c.
14139 Cleanup: when a cleanup milter reports a problem don't log
14140 generic "4.3.0 Sevice unavailable", but log the text for
14141 the actual error. File: cleanup/cleanup_milter.c.
14143 20080102-nonprod
14145 SMTP client fingerprint security level support and configurable
14146 fingerprint digest algorithm. Victor Duchovni. Files:
14147 smtp/lmtp_params.c, smtp/smtp.c, smtp/smtp.h,
14148 src/smtp/smtp_params.c, src/smtp/smtp_proto.c,
14149 src/smtp/smtp_session.c, tls/tls_client.c, tls/tls_level.c,
14150 tls/tls_verify.c.
14152 20080103-nonprod
14154 Missed "invalid TLS configuration" patch for SMTP client.
14155 Victor Duchovni. File: smtp/smtp_proto.c.
14157 SMTP server configurable fingerprint digest algorithm.
14158 Victor Duchovni. Files: smtpd/smtpd.c, tls/tls.h,
14159 tls/tls_server.c, tls/tls_verify.c.
14161 20080104-nonprod
14163 Cleanup: finally implemented certificate verification depth
14164 limit parameters. Prior to Postfix 2.5 these were ignored.
14165 For backwards compatibility, the default verification depth
14166 limit is now 9, the OpenSSL default. Victor Duchovni. Files:
14167 src/tls/tls_client.c, src/tls/tls_server.c, src/tls/tls_verify.c.
14169 Robustness: Avoid possibility of NULL pointer issues in
14170 application code that checks certificate names, by providing
14171 "empty string" values when no data is available. Victor
14172 Duchovni. Files: src/tls/tls_verify.c, src/tls/tls_client.c,
14173 src/tls/tls_server.c, src/smtpd/smtpd_check.c, src/smtpd/smtpd.c.
14175 Cleanup: separation of TLS handshake from security level
14176 enforcement. The library shakes hands; the application
14177 decides if the resulting security is acceptable. Victor
14178 Duchovni. Files: smtpd/smtpd.c, smtpd/smtpd_proto.c,
14179 tls/tls_server.c, tls/tls_client.c, tls/tls_verify.c.
14181 Robustness: more robust processing of ASN.1 string attributes
14182 in x509v3 certificates, plus additional sanity checks (e.g.
14183 embedded null characters). Victor Duchovni. File:
14184 src/tls/tls_verify.c.
14186 20080104
14188 Workaround: minor change to the Dovecot AUTH request to
14189 prevent dovecot-auth memory wastage. Timo Sirainen. File:
14190 xsasl/xsasl_dovecot_server.c.
14192 20080105-nonprod
14194 Cleanup: renamed TLS-related symbols for consistency (always
14195 include the init, start, stop prefix in the TLS library
14196 function and data structure names; consistently distinguish
14197 between per-application TLS state and per-session TLS state;
14198 consistently use the fpt prefix for fingerprint related
14199 variables and structure members; consistent use of monocase
14200 typedef-ed names).
14202 20080106-nonprod
14204 Cleanup: consistent use of <pre> and <blockquote> in examples;
14205 instead of emphasizing new Postfix 2.5 behavior in reference
14206 documentation, describe the new behavior as "current", with
14207 historical behavior as a supplemental note.
14209 20080107
14211 Feature: new "pass" service type (in addition to "inet",
14212 "unix" and "fifo"). The "pass" service type supports
14213 front-end daemons that accept all inbound connections and
14214 that permit only well-behaved clients to talk to the MTA.
14215 This service type had been sitting in the master daemon for
14216 years but was disabled by default. Actual applications for
14217 this will have to be developed later. Files: util/upass_connect.c,
14218 util/upass_trigger.c.
14220 20080108
14222 Cleanup: where possible, store data structures in read-only
14223 memory. Besides the security advantage of no write access,
14224 this also gives slightly better memory utilization when
14225 many processes execute the same file. Files: pretty much
14226 everything that has a static table, except for a few tables
14227 in the benchmark tools with flags that are controlled by
14228 command-line information.
14230 20080109
14232 Cleanup: more read-only data. Files: everything that passes
14233 around a HEADER_OPTS pointer.
14235 20080112
14237 Safety: optional lookup table to prevent the Postfix SMTP
14238 client from making repeated SASL login failures with the
14239 same hostname, username and password. This introduces new
14240 parameters: smtp_sasl_auth_cache_name, smtp_sasl_auth_cache_time.
14241 Based on code by Keean Schupke. Files: smtp/smtp_sasl_glue.c,
14242 smtp/smtp_sasl_auth_cache.c.
14244 Safety: the Postfix SMTP client now by default defers mail
14245 after the server rejects a SASL login attempt with a 535
14246 status code. Specify "smtp_sasl_auth_soft_bounce = no" to
14247 get the earlier behavior. Based on code by Keean Schupke.
14248 Files: smtp/smtp_sasl_glue.c.
14250 20080114
14252 Safety: the smtpd_client_new_tls_session_rate_limit setting
14253 now also limits the number of failed TLS handshakes. This
14254 limits the impact of broken configurations. File: smtpd/smtpd.c.
14256 20080115
14258 Bugfix (introduced 20080112): Patrik Rak found two bugs
14259 that largely canceled each other out, causing Postfix not
14260 to complain about a missing "proxy:" prefix with the new
14261 smtp_sasl_auth_cache_name parameter setting. File:
14262 smtp/smtp_sasl_glue.c.
14264 Documentation: new SOHO_README file for small/home offices.
14265 The text is automatically generated from bits and pieces of
14266 information that are scattered across other documents.
14267 File: mantools/make_soho_readme.
14269 20080116
14271 Bugfix (introduced 20080112): missing #ifdef for the SASL
14272 login failure cache. File: smtp/smtp_sasl_auth_cache.h.
14274 20080123
14276 Name fix: renamed the mumble_delivery_rate_delay parameter
14277 to mumble_destination_rate_delay, because it really is a
14278 per-destination feature. With this change we keep the option
14279 of implementing a future per-transport rate delay.
14281 20080125
14283 Bugfix (introduced 20071216): missing {} in the LDAP client
14284 broke OpenLDAP TLS. The setting tls_require_cert=no was
14285 further broken because Postfix used OpenLDAP incorrectly.
14286 Victor Duchovni. This broke tls_require_cert=no File:
14287 global/dict_ldap.c.
14289 20080126
14291 Cleanup: the post-install script now requires that it is
14292 invoked via the postfix(1) command. This was the intended
14293 use since Postfix 2.1, but it was never enforced. The
14294 documentation for package maintainers has been updated
14295 accordingly. File: conf/post-install.
14297 20080130
14299 Bugfix (introduced 20071204): wrong proxywrite process limit
14300 in the default master.cf file. File: conf/master.cf.
14302 20080131
14304 Bugfix (introduced 20080126): the new "do not execute
14305 directly" test in post-install got broken during code
14306 cleanup. File: conf/post-install.
14308 20080201
14310 Workaround: undo the changes that require that post-install
14311 is invoked via the postfix command, because this breaks
14312 when "postfix start" is invoked with an obsolete postfix
14313 command that doesn't export the new data_directory parameter.
14315 Workaround: pick up a missing data_directory setting from
14316 main.cf when "postfix start" is invoked with an obsolete
14317 postfix command. File: conf/post-install.
14319 20080207
14321 Cleanup: soft_bounce support for multi-line Milter replies.
14322 File: src/milter/milter8.c.
14324 Cleanup: preserve multi-line format of header/body Milter
14325 replies. Files: cleanup/cleanup_milter.c, smtpd/smtpd.c.
14327 Cleanup: multi-line support in SMTP server replies. File:
14328 smtpd/smtpd_chat.c.
14330 SAFETY: postfix-script, postfix-files and post-install are
14331 moved away from /etc/postfix to $daemon_directory. There
14332 were too many accidents where people clobbered these files
14333 with versions from an older Postfix release and ended up
14334 with an unusable Postfix setup. Files: postfix-install,
14335 Makefile.in, postfix/postfix.c, conf/postfix-files,
14336 conf/postfix-script, conf/post-install.
14338 20080212
14340 Feature: check_reverse_client_hostname_access, to make
14341 access decisions based on the unverified client hostname.
14342 For safety reasons an OK result is not allowed. Noel Jones.
14343 Files: smtpd/smtpd_check.c plus header files and documentation.
14345 20080215
14347 Safety: break SASL loop in case both the SASL library and
14348 the remote SMTP server are confused. File: smtp/smtp_sasl_glue.c.
14350 20080220
14352 Safety: the master daemon now sets an exclusive lock on a
14353 file $data_directory/master.lock, so that the data directory
14354 can't be shared between multiple Postfix instances. This
14355 would corrupt files that rely on single-writer updates
14356 (examples: verify(8) cache, tlsmgr(8) caches, etc.). File:
14357 master/master.c.
14359 20080226
14361 Cleanup: the postfix command did not set argv[0] to a sane
14362 value when invoking postfix-script. Reported by Victor
14363 Duchovni. File: postfix/postfix.c.
14365 20080228
14367 Bugfix: bounce(8) segfault on one-line template text.
14368 Problem found by Sacha Chlytor. File: bounce/bounce_template.c.
14370 20080310
14372 Safety: the SMTP server's Dovecot authentication client now
14373 enforces the SASL mechanism output filter also on client
14374 command input. File: src/xsasl/xsasl_dovecot_server.c.
14376 20080311
14378 Bugfix (introduced 20070811): the MAIL and RCPT Milter
14379 application call-backs no longer received {mail_addr} or
14380 {rcpt_addr} information. Problem reported by Anton Yuzhaninov.
14381 File: smtpd/smtpd.c.
14383 Bugfix (introduced 20080207): "cleanup -v" panic because
14384 the new "SMTP reply" request flag did not have a printable
14385 name. File: global/cleanup_strflags.c.
14387 20080318
14389 Human factors: the PCRE and regexp maps now give more
14390 comprehensible error messages when people make the common
14391 mistake of indenting if/endif blocks. Files: util/dict_pcre.c,
14392 util/dict_regexp.c.
14394 20080324
14396 Cleanup: the event_drain() function is now a proper event
14397 processing loop. File: util/events.c
14399 Feature: when the "postmap -q -" command reads lookup keys
14400 from standard input, it now understands RFC822 and MIME
14401 message format. Specify -h or -b to use headers or body
14402 lines as lookup keys, and specify -hm or -bm to simulate
14403 header_checks or body_checks. The postmap -h option (without
14404 -m) will be compatible with a future postcat -h option.
14405 File: postmap/postmap.c.
14407 20080411
14409 Bugfix (introduced Postfix 2.0): after "warn_if_reject
14410 reject_unlisted_recipient/sender", the SMTP server mistakenly
14411 remembered that recipient/sender validation was already
14412 done. File: smtpd/smtpd_check.c.
14414 Bugfix (introduced Postfix 2.3): the queue manager would
14415 initialize missing client logging attributes (from xforward)
14416 with real client attributes. Fix: enable this backwards
14417 compatibility feature only with queue files that don't
14418 contain logging attributes. Problem reported by Liviu Daia.
14419 Files *qmgr/qmgr_message.c.
14421 20080424
14423 Cleanup: some warning messages said "regexp" or "regexp
14424 map" instead of "pcre map". File: util/dict_pcre.c.
14426 20080426
14428 Feature: finer control over address verification error
14429 handling and amount of information disclosed in the SMTP
14430 reject message. Parameters: unverified_recipient_defer_code,
14431 unverified_recipient_reject_reason, unverified_sender_defer_code,
14432 unverified_sender_reject_reason. If I don't do this properly,
14433 then someone will do it anyway. File: src/smtpd/smtpd_check.c.
14435 20080428
14437 Cleanup: the proxy_read_maps (Postfix 2.0) default setting
14438 was not updated when adding sender/recipient_bcc_maps
14439 (Postfix 2.1) and smtp/lmtp_generic_maps (Postfix 2.3).
14440 File: global/mail_params.h.
14442 Cleanup: the SMTP server's XFORWARD and XCLIENT support was
14443 not updated when the smtpd_client_port_logging configuration
14444 parameter was added. Code by Victor Duchovni. Files:
14445 smtpd/smtpd.c, smtpd/smtpd_peer.c.
14447 20080508
14449 Cleanup: delivery status notifications now prepend a
14450 Return-Path: message header to the returned message.
14451 File: bounce/bounce_notify_util.c.
14453 20080509
14455 Bugfix: null-terminate CN comment string after sanitization.
14456 File: smtpd/smtpd.c.
14458 20080510
14460 Cleanup: when extracting peer and issuer common name from
14461 TLS certificates, convert the result into UTF-8, and use
14462 RFC 2047 encoding when logging these as Received: header
14463 comment fields. Based remotely on code by Victor Duchovni.
14464 Files: smtpd/smtpd.c, tls/tls_verify.c.
14466 20080511
14468 Cleanup: the RFC 2047 encoding of RFC*822 comments is too
14469 problematic. The text that explains the problems is as
14470 long as the code itself. That is usually a good indication
14471 that code is not ready for use. File: smtpd/smtpd.c.
14473 Cleanup: block non-printable ASCII text in UTF8 encoded TLS
14474 peer and issuer common names. File: tls/tls_verify.c.
14476 20080602
14478 Workaround: avoid watchdog timeout in the local pickup
14479 daemon when the cleanup server expands a very large virtual
14480 alias list. Files: master/trigger_server.c, pickup/pickup.c.
14482 20080603
14484 Workaround: avoid "bad address pattern" errors with non-address
14485 patterns in namadr_list_match() calls. File: util/match_ops.c.
14487 Feature: print fsstone elapsed time with sub-second time
14488 resolution. Kenji Kikuchi. File: fsstone/fsstone.c.
14490 20080606
14492 Bitrot: "make test" was broken due to recent changes in
14493 code and due to recent changes at mail-abuse.org.
14495 20080618
14497 Add a note to SMTP session transcript email messages that
14498 other details may be found in the maillog file. Files:
14499 smtpd/smtpd_chat.c, smtp/smtp_chat.c.
14501 20080620
14503 Cleanup: with the "Before-queue content filter", RFC3848
14504 information was not added to the headers. Carlos Velasco.
14505 File smtpd/smtpd.c.
14507 20080621
14509 Cleanup: include unread byte count in the SMTP server's "lost
14510 connection after DATA (xx bytes)" logging. Files: smtpd/smtpd.c.
14512 20080629
14514 Bugfix (introduced Postfix 2.2): multiple inconsistencies
14515 in SASL support after introduction of TLS. The Postfix
14516 SMTP server 1) complained about plain-text SASL configuration
14517 details when SASL was forbidden for plain-text sessions,
14518 and 2) ignored the smtpd_tls_auth_only parameter setting
14519 when built without TLS support. Files: smtpd/smtpd.c,
14520 smtpd/smtpd_check.c, smtpd/smtpd_sasl_glue.[hc],
14521 smtpd/smtpd_state.c.
14523 Some clarification about recipient address versus domain,
14524 and recipients per message versus session. File:
14525 proto/postconf.proto.
14527 The description of SASL authentication attributes was
14528 garbled. File: pipe/pipe.c.
14530 Information: the master(8) server now logs the version
14531 besides the configuration directory upon "postfix reload".
14532 File: master/master.c.
14534 20080717
14536 Cleanup: a poorly-implemented integer overflow check for
14537 TCP MSS calculation had the unexpected effect that people
14538 broke Postfix on LP64 systems while attempting to silence
14539 a compiler warning. File: util/vstream_tweak.c.
14541 20080721
14543 The cleanup server now rejects undisclosed_recipients_header
14544 parameter values with invalid message header syntax.
14545 File: cleanup/cleanup_message.c.
14547 20080725
14549 Paranoia: defer delivery when a mailbox file is not owned
14550 by the recipient. Sebastian Krahmer, SuSE. Files:
14551 local/mailbox.c, virtual/mailbox.c.
14553 20080804
14555 Bugfix: dangling pointer in vstring_sprintf_prepend().
14556 File: util/vstring.c.
14558 20080814
14560 Security: some systems have changed their link() semantics,
14561 and will hardlink a symlink, contrary to POSIX and XPG4.
14562 Sebastian Krahmer, SuSE. File: util/safe_open.c.
14564 The solution introduces the following incompatible change:
14565 when the target of mail delivery is a symlink, the parent
14566 directory of that symlink must now be writable by root only
14567 (in addition to the already existing requirement that the
14568 symlink itself is owned by root). This change will break
14569 legitimate configurations that deliver mail to a symbolic
14570 link in a directory with less restrictive permissions.
14572 20080815
14574 Feature: the milter_default_action parameter now accepts
14575 the "quarantine" action. This works like "accept" but also
14576 freezes the mail in the "hold" queue. File: milter/milter8.c.
14578 Robustness: transition from setjmp()/longjmp() to the signal
14579 mask saving/restoring versions sigsetjmp()/siglongjmp().
14580 These functions have been around for 15 years, but they
14581 have had bugs on supported platforms, so makedefs tests for
14582 them. Files: makedefs, util/sys_defs.h, util/vstream.h.
14584 20080822
14586 Cleanup: the proxymap_service_name and proxywrite_service_name
14587 parameters make the proxymap service names configurable.
14588 This paves the way for a future option where the proxymap
14589 services are accessible via TCP so that they can be shared
14590 among multiple Postfix hosts. File: global/dict_proxy.c.
14592 Feature: MacOS X support for kqueue style event handling,
14593 with workaround for broken MacOS X versions. Files:
14594 util/sys_defs.h, makedefs.
14596 Cleanup: the makedefs script now keeps its test programs
14597 in a directory makedefs.d, instead of inlining them as
14598 fragile "here documents". Files: makedefs, makedefs.d/*.
14600 20080823
14602 Feature: IPv6 dns blocklist lookup. File: smtpd/smtpd_check.c.
14604 20080824
14606 Cleanup: untangled the MacOS X version dependent sections
14607 in the makedefs script, to make future updates easier. File:
14608 makedefs.
14610 Cleanup: don't log multiple Milter "hold" actions for the
14611 same email message. File: cleanup/cleanup_milter.c.
14613 20080826
14615 Cleanup: moving test programs from makedefs into a makedefs.d
14616 directory brought more pain than gain.
14618 Cleanup: untangled the Linux version dependent sections in
14619 the makedefs script, to make future updates easier. File:
14620 makedefs.
14622 Documentation: MacOS process limit configuration by Quanah
14623 Gibson-Mount. File: proto/TUNING_README.html.
14625 Feature: smtp-sink -M option to terminate after receiving
14626 a specified number of messages. Laurent Gentil. File:
14627 smtpstone/smtp-sink.c.
14629 Bugfix (introduced Postfix 2.4): epoll file descriptor leak.
14630 With Postfix >= 2.4 on Linux >= 2.6, Postfix has an epoll
14631 file descriptor leak when it executes non-Postfix commands
14632 in, for example, user-controlled $HOME/.forward files. A
14633 local user can access a leaked epoll file descriptor to
14634 implement a denial of service attack on Postfix. Data
14635 confidentiality and integrity are not affected. File:
14636 util/events.c.
14638 20080903
14640 Don't enable kqueue (which requires poll) support on
14641 MacOS X. File: makedefs.
14643 Cleanup: remove obsolete Rhapsody and MacOS targets from
14644 makedefs.
14646 20080929
14648 Workaround: don't log "file has 2 links" warnings when the
14649 condition appears to be temporary. As kernels have evolved
14650 from non-interruptible system calls towards fine-grained
14651 locks, the showq command has become likely to observe a
14652 file while the queue manager is in the middle of a rename
14653 operation, when the file has links to both the old and new
14654 name. File: global/mail_open_ok.c.
14656 Workaround: don't loop forever when write() fails with a
14657 persistent EAGAIN error on a writable file descriptor.
14658 File: util/write_buf.c.
14660 20081003
14662 Bugfix (introduced Postfix 2.1): when XFORWARD support was
14663 introduced with Postfix 2.1, the specification failed to
14664 clearly distinguish between missing and non-existent client
14665 information. This ambiguity affected the implementation:
14666 in $name expansions by delivery agents, unknown client
14667 hostnames could became empty strings (as if a submission
14668 was local), and local submissions could appear to originate
14669 from an SMTP-based content filter. This was fixed with a
14670 a minor semantic change to the XFORWARD protocol. Files:
14671 smtpd/smtpd.c, qmqpd/qmqpd.c, smtp/smtp_proto.c,
14672 cleanup/cleanup_envelope.c, proto/XFORWARD.html. Note: the
14673 changes to propagate local submission details were undone
14674 20082012.
14676 Feature: a DUNNO lookup result in per_sender_relayhost_maps
14677 stops the search without replacing the next-hop destination.
14678 File: trivial-rewrite/resolve.c.
14680 20081005
14682 Bugfix: further refinements to the handling of missing or
14683 non-existent remote client attributes. Files: smtpd/smtpd.c,
14684 smtpd/smtpd.h.
14686 Documentation: the XFORWARD specification of the ADDR
14687 attribute did not agree with the actual on-the-wire protocol.
14688 Since we can't change already existing deployments, the
14689 spec has been updated. File: proto/XFORWARD_README.html.
14691 20081006
14693 Bugfix: further refinements to the handling of remote client
14694 attributes. Introduced a dummy "we have forwarded client
14695 info" record, to eliminate the need for the backwards
14696 incompatible queue file change that was introduced 20081003.
14697 Files: smtpd/smtpd.c, cleanup/cleanup_envelope.c,
14698 *qmgr/qmgr_message.c.
14700 Security: hardened the proxymap client, in case it ever
14701 ends up in a set-gid program. File: global/dict_proxy.c.
14703 20081007
14705 Workaround: undo the proxymap client change. It broke
14706 chrooted servers when they attempted to reconnect to the
14707 proxy read/write service. File: global/dict_proxy.c.
14709 20081008
14711 Safety: added checks that $queue_directory/pid is owned by
14712 root, and that $queue_directory/saved is owned by $mail_owner.
14713 File: conf/postfix-script.
14715 20081010
14717 Feature: controls for opportunistic TLS protocols and
14718 ciphers. The smtp_tls_protocols, smtp_tls_ciphers, and
14719 equivalent parameters for lmtp and smtpd provide global
14720 settings; the SMTP client TLS policy table provides ciphers
14721 and protocols settings for specific peers. Code by Victor
14722 Duchovni. Files: smtp/smtp.c, smtp/smtp_session.c, smtpd/smtpd.c
14723 and documentation.
14725 20081012
14727 Cleanup: simplify the 20081003 changes and don't try to
14728 propagate local submission information through XFORWARD.
14729 Files: smtpd/smtpd.c, qmqpd/qmqpd.c, smtp/smtp_proto.c,
14730 cleanup/cleanup_envelope.c, proto/XFORWARD.html.
14732 20081015
14734 Bugfix: GLIBC API version detection. Rob Foehl. File:
14735 util/sys_defs.h.
14737 20081022
14739 Documentation: removed inapplicable daemon_timeout reference
14740 from qmgr(8), oqmgr(8), pickup(8). These daemons need to
14741 use a much shorter watchdog timer.
14743 20081108
14745 Feature: smtp_sasl_tls_verified_security_options is no
14746 longer #ifdef SNAPSHOT.
14748 Feature: elliptic curve support. This requires OpenSSL
14749 version 0.9.9 or later. Victor Duchovni. Files: TLS_README,
14750 smtpd/smtpd.c, smtp/smtp.c, tls/tls_dh.c, tls/tls_certkey.c,
14751 tls/tls_server.c, tls/tls_client.c, tls/tls.h, tls/tls_misc.c.
14753 Bugfix (introduced Postfix 2.5): the Postfix SMTP server
14754 did not ask for a client certificate with "smtpd_tls_req_ccert
14755 = yes". Reported by Rob Foehl. File: smtpd/smtpd.c.
14757 20081109
14759 Cleanup: confusing names of variables. File: smtpd/smtpd.c.
14761 20081126
14763 Documentation: pcre_table(5) incorrectly claimed that the
14764 'x' flag supports #comment after text. File: proto/pcre_table.
14766 20081202
14768 Cleanup: vstream_bufstat() provides a more systematic
14769 approach to get information about VSTREAM buffers. The
14770 vstream_peek() function is now a backwards compatibility
14771 wrapper. Files: util/vstream.[hc].
14773 Cleanup: the SMTP server should warn about "lost connection
14774 after QUIT" only when the "." reply was pipelined together
14775 with the "QUIT" reply. File: smtpd/smtpd.c.
14777 Cleanup: the SMTP client's code was duplicating buffer
14778 management that was already done in the VSTREAM module.
14779 File: smtp/smtp_proto.c.
14781 20081203
14783 Cleanup: adjust the VSTREAM buffer strategy when reusing
14784 an SMTP connection with a large TCP MSS value. File:
14785 smtp/smtp_reuse.c.
14787 20081204
14789 Cleanup: state the SMTP client PIPELINING implementation's
14790 dependency on monotonic VSTREAM buffer size behavior, and
14791 add some checks for boundary cases with VSTREAM buffer size
14792 change requests. Files: util/vstream.c, smtp/smtp_proto.c.
14794 20081205
14796 Fix 20081202 flush code. Victor Duchovni. File: smtpd/smtpd.c.
14798 Safety: add another check to "postfix check", in this case
14799 for group or other writable queue_directory. File:
14800 conf/postfix-script.
14802 20081217
14804 Debugging: ad-hoc code to log the TLS error stack after
14805 VSTREAM read/write error. File: tls/tls_bio_ops.c. In a
14806 better implementation, each I/O "object" would provide an
14807 optional error reporting method (besides timed_read and
14808 timed_write) that could be queried via the vstream module.
14810 20081222
14812 Documentation: log the "*" pattern as the last transport
14813 map lookup. File: proto/transport.
14815 20090103
14817 Documentation: rewrote NFS_README, to clarify the support
14818 status of Postfix and NFS, and to describe the NFS workarounds
14819 that Postfix actually implements.
14821 20090106
14823 Feature: "postconf -# parametername ..." to comment out
14824 named parameter entries. Victor Duchovni. File:
14825 postconf/postconf.c.
14827 20090107
14829 Library: edit_file(3) module for cooperative editing of a
14830 file. Inspired by the postconf command, this creates a new
14831 version under a deterministic temporary name and renames
14832 it into place. The implementation uses an open/lock/stat
14833 protocol before updating the new file, and rename/unlock/close
14834 afterwards. Based on pieces of code by Victor Duchovni,
14835 with minor improvements by Wietse. Files: util/edit_file.[hc].
14837 Cleanup: the postconf command now uses the edit_file(3)
14838 module to manage collisions when multiple processes attempt
14839 to update the main.cf file.
14841 20090108
14843 Feature: master_service_disable parameter (default: empty)
14844 to easily turn off/on master.cf services by type or by name
14845 and type. For example, to turn off the main SMTP listener
14846 use "master_service_disable = smtp.inet", and to turn off
14847 all TCP/IP listeners use "master_service_disable = inet".
14848 This immediately terminates all processes that provide the
14849 specified services. The master_service_disable feature does
14850 not distinguish services by their privacy property; some
14851 day, clients will not need to specify that anymore. Files:
14852 global/mail_params.h, master/master.c, master/master_vars.c,
14853 master/master_ent.c.
14855 Bugfix (introduced May 19, 1997): removing a parameter
14856 setting from main.cf did not reset the parameter to its
14857 default value. This was a problem only in the master daemon.
14858 File: global/mail_params.c, master/master_vars.c.
14860 20090109
14862 Cleanup: "defer" action in access maps, and a corresponding
14863 access_map_defer_code parameter. No idea what was behind
14864 this omission. Files: global/mail_params.h, smtpd/smtpd.c,
14865 smtpd/smtpd_check.c, proto/access.
14867 Workaround: specify "tcp_windowsize = 65535" (or less) to
14868 work around broken TCP window scaling implementations. This
14869 is perhaps easier than collecting tcpdump output and tuning
14870 kernel parameters by hand. See RELEASE_NOTES for how to
14871 change this setting without stopping Postfix. Files:
14872 util/inet_connect.c, inet_listen.c, global/mail_params.[hc].
14874 20090110
14876 Cleanup: create separate code modules for TCP window size
14877 handling, master.cf service name matching, and main.cf
14878 change monitoring. Files: util/inet_windowsize.c,
14879 global/match_service.c, master/master_watch.c.
14881 Feature: TCP window size override for the Postfix SMTP/LMTP
14882 client, and for the smtp-source and smtp-sink test programs.
14883 Files: smtp/smtp_connect.c, smtpstone/smtp-source.c,
14884 smtpstone/smtp-sink.c.
14886 20090114
14888 Bugfix: VERP now uses the Postfix original recipient, if
14889 available, because that is what the VERP consumer expects.
14890 Files: *qmgr/qmgr_deliver.c, bounce/bounce_notify_verp.c.
14892 Safety: extra check for broken third-party patches that
14893 allow file size limit < message size limit. This can cause
14894 mail to be stuck in the queue forever.
14896 Invisible change, in preparation for multi-instance support.
14897 Except for main.cf and master.cf, all files are optional
14898 for non-default Postfix configuration directories. File:
14899 conf/postfix-files.
14901 20090115
14903 Cleanup: rewrote the 20090114 VERP bugfix, to replace code
14904 that "works" by code that is "right". Files: *qmgr/qmgr_deliver.c,
14905 bounce/bounce_notify_verp.c, global/verp_sender.c.
14907 20090118
14909 Documentation: some URLs to enable/disable client-side TLS
14910 jumped into the middle of an enumeration. File:
14911 proto/TLS_README.html.
14913 20090119-21
14915 Feature: multi-instance manager plug-in API. A sample
14916 multi-instance manager with instructions is available as
14917 $daemon_directory/postfix-wrapper. The plug-in API itself
14918 is described in postfix-wrapper(5). Files: postfix/postfix.c,
14919 global/mail_params.[hc], proto/postfix-wrapper,
14920 conf/postfix-wrapper, conf/postfix-script, conf/postfix-files.
14922 Support to check/update shared files only in the context
14923 of the default Postfix instance. Files: conf/post-install,
14924 conf/postfix-script.
14926 20090122
14928 Refinements: the multi-instance manager always replaces
14929 "start" by "check" when a Postfix instance is multi-instance
14930 disabled, so that problems will still be reported; polish
14931 documentation; delete unnecessary multi_instance_order
14932 parameter. Files: conf/postfix-wrapper, proto/postfix-wrapper,
14933 global/mail_params.[hc] and documentation.
14935 Bugfix: the data_directory was not automatically created!
14936 File: conf/postfix-files.
14938 20090123
14940 More little fixes in the "trivial but useful" postfix-wrapper
14941 including instructions. It's ready for testing in the field.
14942 File: conf/postfix-wrapper.
14944 20090125
14946 Documentation: more precise description of multi-instance
14947 manager API, and minor edits of the example program. Files:
14948 conf/postfix-wrapper, proto/postfix-wrapper.
14950 20090208
14952 Cleanup: enable multi-instance shared-file logic only when
14953 the instance is listed in multi_instance_directories. Files:
14954 conf/post-install, conf/postfix-script.
14956 20090210
14958 Feature: specify "reject_tempfail_action = defer" to
14959 immediately defer a remote SMTP client request after a
14960 reject-type restriction fails with a temporary error. Based
14961 on code by Rob Foehl. File: smtpd/smtpd_check.c.
14963 Feature: finer control of reject_tempfail_action with
14964 unknown_address_tempfail_action, unverified_sender_tempfail_action
14965 unverified_recipient_tempfail_action, and
14966 unknown_helo_hostname_tempfail_action. See documentation
14967 for details. File: smtpd/smtpd_check.c.
14969 20090211
14971 Workaround: pass the SMTP server socket's local and remote
14972 peer address information to the Dovecot authentication server.
14973 This is incomplete code: it ignores XCLIENT server address
14974 overrides. File: xsasl/xsasl_dovecot_server.c.
14976 20090212
14978 Testing revealed that with mumble_tempfail_action=defer,
14979 the "defer" action was ignored. Cause: the DEFER_IF_PERMIT[0-9]
14980 macros lost the SMTPD_CHECK_REJECT result value. File:
14981 smtpd/smtpd_check.c.
14983 Feature: stress-dependent smtpd_timeout (normal: 300s,
14984 overload: 10s), smtpd_hard_error_limit (normal: 20, overload:
14985 1) and smtpd_junk_command_limit (normal: 100, overload: 1).
14986 Files: global/mail_params.h, global/mail_conf_nint.c,
14987 master/*_server.c, smtpd/smtpd.c.
14989 20090213
14991 Fine tuning: don't enforce smtpd_junk_command_limit for
14992 XCLIENT and XFORWARD commands. These commands can be issued
14993 only by authorized clients. File: src/smtpd/smtpd.c.
14995 20090215
14997 Feature: the Postfix SMTP server hangs up after replying
14998 with "521". This makes overload handling more effective.
14999 See also RFC 1846. File: smtpd/smtpd.c.
15001 Feature: postmulti mult-instance manager command, very
15002 lightly tested. The MULTI_INSTANCE_README still needs to
15003 be proofread. Originally by Victor Duchovni. Files:
15004 src/postmulti/*, proto/MULTI_INSTANCE_README.html,
15005 conf/postmulti-script.
15007 20090216-24
15009 Cleanup: assorted code cleanups in postmulti. File:
15010 src/postmulti/postmulti.c.
15012 20090223
15014 Cleanup: multiple instances of the same global. Files:
15015 util/inet_windowsize.c, util/inet_listen.c.
15017 20090228
15019 Cleanup: the Postfix SMTP server now maintains a per-session
15020 "improper command pipelining detected" flag. This flag can
15021 be tested at any time with reject_unauth_pipelining, and
15022 is raised whenever a client command is followed by unexpected
15023 commands or message content. Files: smtpd/smtpd.c,
15024 smtpd/smtpd_check.c.
15026 Logging: the Postfix SMTP server now logs the first command
15027 pipelining transgression as "improper command pipelining
15028 after <command> from <hostname>[<hostaddress>]".
15030 Cleanup: after DATA command failure, log "(approximately
15031 XX bytes)" only if Postfix actually accepted the DATA
15032 command. File: smtpd/smtpd.c.
15034 20090303
15036 Cleanup: word smithing of "sendmail -bv" probe message.
15037 File: sendmail/sendmail.c.
15039 Cleanup: OpenLDAP now provides a sane solution for conflicts
15040 with PAM ldap-over-tls. Victor Duchovni. File: global/dict_ldap.c.
15042 20090304
15044 Cleanup: skip over suspended or throttled queues while
15045 looking for delivery requests. File: *qmgr/qmgr_transport.c.
15047 20090305
15049 Bugfix: in the "new queue manager", the _destination_rate_delay
15050 code needed to postpone the job scheduler updates after
15051 delivery completion, otherwise the scheduler could loop on
15052 blocked jobs. Victor & Wietse. File: qmgr/qmgr_entry.c,
15053 qmgr/qmgr_queue.c, qmgr/qmgr_job.c.
15055 Cleanup: report a "queue file write error", instead of
15056 passing though bogus 2xx replies from proxy filters to SMTP
15057 clients. File: smtpd/smtpd_proxy.c.
15059 20090307
15061 Cleanup: with "lmtp_assume_final = yes", the Postfix LMTP
15062 delivery agent assumes that delivery is final when talking
15063 to an LMTP server that announces no DSN support. Otherwise,
15064 the Postfix LMTP delivery agent assumes that delivery is
15065 "relayed", to maintain compatibility with simple LMTP-based
15066 content filters. Based on code by Michel Sebastien, ATOS
15067 Origin. File: smtp/smtp_rcpt.c.
15069 20090310
15071 Bugfix: Postfix used mumble_concurrency_failed_cohort_limit
15072 instead of mumble_destination_concurrency_failed_cohort_limit
15073 as documented. File: global/mail_params.h.
15075 20090330
15077 Cleanup: add (Resent-) From:, Date:, Message-ID: or To:
15078 headers only when clients match $local_header_rewrite_clients.
15079 Specify "always_add_missing_headers = yes" for backwards
15080 compatibility. Adding such headers to remote mail can break
15081 DKIM signatures that cover headers that are not present.
15082 File: cleanup/cleanup_message.c.
15084 20090415
15086 Workaround: to avoid unnecessary "fatal" delivery agent
15087 exits, delivery agents retry getting a shared lock on a
15088 queue file. This is necessary since the queue manager's
15089 behavior was changed years ago to refill the in-memory
15090 recipient list before it was completely empty. File:
15091 global/deliver_request.c.
15093 Documentation: updated STRESS_README.
15095 20090416
15097 Workaround: some AWK implementations have a limit of 10
15098 output files and lack a working close() function. It is too
15099 much trouble to find out what systems have this limitation,
15100 and where, if any, such systems store their XPG4-compatible
15101 AWK program. So instead we generate a stream of here
15102 documents and let the shell split the stream into files.
15103 File: postconf/extract.awk.
15105 Documentation: clarification of certificate file usage.
15106 Victor Duchovni. Files: proto/postconf.proto,
15107 proto/TLS_README.html.
15109 Feature: pass a "TLS is active" flag to the server-side
15110 SASL support. Based on code by Timo Sirainen, except that
15111 the implementation uses an extensible API so that it will
15112 be less painful to add more attributes in future Postfix
15113 versions. Files: xsasl/xsasl.h, xsasl/xsasl_*server.c,
15114 smtpd/smtpd_sasl_glue.c.
15116 20090417
15118 Documentation: re-generate READMEs and manpages for updated
15119 hyperlinks.
15121 Documentation: missing hyperlinks and missing parameters
15122 in manpages. File: mantools/postlink, mantools/check-postlink.
15124 20090418
15126 Cleanup: use the extensible API to pass SMTP client address
15127 information to the dovecot SASL plugin, and prepare for
15128 passing server address information. Files: xsasl/xsasl.h,
15129 xsasl/xsasl_dovecot_server.c, smtpd/smtpd_sasl_glue.c.
15131 Same extensible API transformation for the SASL client-side
15132 code to make future extensions less painful. Files:
15133 xsasl/xsasl.h, xsasl/xsasl*client.c, smtp/smtp_sasl_glue.c.
15135 More postlink fixes. File: mantools/postlink.
15137 20090419
15139 Bugfix: don't re-enable SIGHUP if it is ignored in the
15140 parent. This may cause random "Postfix integrity check
15141 failed" errors at boot time (POSIX SIGHUP death), causing
15142 Postfix not to start. We duplicate code from postdrop and
15143 thus avoid past mistakes. File: postsuper/postsuper.c.
15145 Robustness: don't re-enable SIGTERM if it is ignored in the
15146 parent. Files: postsuper/postsuper.c, postdrop/postdrop.c.
15148 20090422
15150 Undo delivery agent change 20090415. The queue manager never
15151 locks a queue file to read additional recipients into memory,
15152 so if a delivery agent runs into a locked file, then something
15153 is seriously wrong. File: global/deliver_request.c.
15155 20090424
15157 Compatibility: the Postfix SMTP client no longer uses the
15158 obsolete SSLv2 by default for opportunistic encryption.
15159 This has nothing to do with security (we're willing to send
15160 plaintext over an unauthenticated connection) but with the
15161 loss of advanced options that give better performance.
15162 Victor Duchovni. Files: proto/postconf.proto, global/mail_params.h.
15164 20090426
15166 Feature: more accurate support for Milter macros {mail_addr}
15167 and {rcpt_addr}, and new support for Milter macros {mail_host},
15168 {mail_mailer}, {rcpt_host}, and {rcpt_mailer}. Files:
15169 milter/milter.[hc], smtpd/smtpd.[hc], smtpd/smtpd_milter.c,
15170 smtpd/smtpd_resolve.c.
15172 Feature: support to report rejected recipients to Milters
15173 (SMFIP_RCPT_REJ). Postfix reports the event as decribed in
15174 Sendmail 8.14.0 documentation: {rcpt_mailer} = "error",
15175 {rcpt_host} = enhanced status code (e.g., "5.7.1"), and
15176 {rcpt_addr} = reason to reject (e.g., "Relay access denied").
15177 Files: milter/milter.[hc], milter/milter8.c, smtpd/smtpd.[hc],
15178 smtpd/smtpd_milter.c.
15180 20090427
15182 Feature: Milter support for replacing the envelope sender
15183 and adding recipients (SMFIR_CHGFROM, SMFIR_ADDRCPT_PAR).
15184 This support currently ignores ESMTP command parameters.
15185 Files: milter/milter8.c, cleanup/cleanup_milter.c.
15187 20090428
15189 Compatibility: to make all the new Milter features usable,
15190 raise the default milter_protocol setting from 2 to 6.
15191 This has been tested with a Sendmail 8.14 libmilter.
15192 File: global/mail_params.h.
15194 Bugfix: don't disable MIME parsing with smtp_header_checks,
15195 smtp_mime_header_checks, smtp_nested_header_checks or with
15196 smtp_body_checks. Bug reported by Victor. File: smtp/smtp_proto.c.
15198 Code cleanups: respect VSTRING invariants by using VSTRING_RESET
15199 and VSTRING_TERMINATE instead of directly groping the
15200 underlying character buffer. Files: global/dsn_buf.c,
15201 milter/milter8.c.
15203 20090507
15205 main.cf:tls_random_source now defaults to /dev/arandom on
15206 OpenBSD. This device was introduced before Postfix development
15207 began. Files: util/sys_defs.h, global/mail_params.h.
15209 20090510
15211 Code cleanups: while emulating SMTP client requests for
15212 Milter applications, use user@domain form addresses as
15213 required by the SMTP protocol, instead of bare usernames.
15214 This avoids hard to debug errors from some Milter applications.
15215 Files: cleanup/cleanup_envelope.c, cleanup/cleanup_extracted.c,
15216 cleanup/cleanup_addr.c.
15218 20090511
15220 Code cleanups: don't clobber -o command-line arguments so
15221 that Linux people can debug daemon command lines more easily.
15222 Files: master/*server.c.
15224 20090519
15226 Bugfix (introduced: Postfix 2.3, but did not cause trouble
15227 until 20090427). Queue file corruption, with (smtpd_milters
15228 or non_smtpd_milters) enabled, AND with delay_warning_time
15229 enabled, AND with short envelope sender addresses e.g.,
15230 local submissions with bare usernames, but not bounces).
15231 The queue file would be corrupted when the delay_warning_time
15232 record was marked as "done" after sending the "your mail
15233 is delayed" notice. File: qmgr/qmgr_message.c.
15235 20090528
15237 Bugfix (introduced: Postfix 2.6 change 20080629): with
15238 plaintext sessions, smtpd_tls_auth_only=yes caused spurious
15239 warnings with reject_authenticated_sender_login_mismatch,
15240 and broke reject_unauthenticated_sender_login_mismatch and
15241 reject_sender_login_mismatch. Based on fix by Victor
15242 Duchovni. File: smtpd/smtpd_check.c.
15244 20090605
15246 Bugfix: "postmulti -e destroy" used hard-coded /bin/env
15247 command. Simplified the "destroy" procedure to destroy only
15248 known safe names without "/". File: conf/postmulti-script.
15250 20090710
15252 Bugfix (introduced Postfix 2.3): Postfix got out of sync
15253 with a Milter application after the application sent a
15254 "quarantine" request at end-of-message time. The milter
15255 application would still be in the end-of-message state,
15256 while Postfix would already be working on the next SMTP
15257 event (typically, QUIT or MAIL FROM). Problem diagnosed
15258 with help from Alban Deniz. File: milter/milter8.c.
15260 20090712
15262 Bugfix (garbage introduced Postfix 2.6): the ugly
15263 ${multi_instance_name:postfix}${multi_instance_name
15264 ?$multi_instance_name} garbage in Postfix logging is now
15265 hopefully gone. File: global/mail_task.c.
15267 20090715
15269 Documentation: as of Postfix 2.6, the reject_unauth_pipelining
15270 feature can be used meaningfully at any protocol stage.
15271 File: proto/postconf.proto.
15273 20090805
15275 Bugfix: don't panic when an unexpected smtpd access map is
15276 specified. File: smtpd/smtpd_check.c.