Bugfix for Postfix 2.11, 2.10, 2.9 and 2.8:
* Fix for configurations that prepend message headers with Postfix
access maps, policy servers or Milter applications. Postfix now
hides its own Received: header from Milters and exposes prepended
headers to Milters, regardless of the mechanism used to prepend
a header. This fix reverts a partial solution that was released
on October 13, 2014, and replaces it with a complete solution.
Portability fix for Postfix 2.11:
* Portability fix for MacOS X 10.7.x (Darwin 11.x) build procedure.
Bugfixes for Postfix 2.11, 2.10, 2.9 and 2.8:
* Fix for DMARC implementations based on SPF policy plus DKIM
Milter. The PREPEND access/policy action added headers ABOVE
Postfix's own Received: header, exposing Postfix's own Received:
header to Milters (protocol violation) and hiding the PREPENDed
header from Milters. PREPENDed headers are now added BELOW
Postfix's own Received: header and remain visible to Milters.
* The Postfix SMTP server logged an incorrect client name in
reject messages for check_reverse_client_hostname_access and
check_reverse_client_hostname_{mx,ns}_access. They replied with
the verified client name, instead of the name that was rejected.
* The qmqpd daemon crashed with a null pointer bug when logging a
lost connection while not in a mail transaction.
Do it for all packages that
* mention perl, or
* have a directory name starting with p5-*, or
* depend on a package starting with p5-
like last time, for 5.18, where this didn't lead to complaints.
Let me know if you have any this time.
Bugfixes (fixed in Postfix 2.11 and Postfix 2.12):
* With connection caching enabled (the default), recipients could
be given to the wrong mail server. The root cause was an incorrect
predicate. Due to this, the Postfix SMTP client could under
rare conditions save and restore plaintext connections that
should not be cached, under a fixed lookup key that did not
distinguish by destination. Problem reported by Sahil Tandon.
* Enforce TLS when TLSA records exist, but all are unusable.
* Don't leak memory when TLSA records exist, but all are unusable.
Workarounds:
* Prepend "-I. -I../../include" to the compiler command-line
options, to avoid name clashes with non-Postfix header files.
Documentation cleanup:
* Corrected postconf(1) manpage for missing version attribution
and incorrect "author" formatting.
* The documentation for Postfix > 2.8 TLS activity logging was
incorrect. Loglevel 0 produces no logging. Instead, information
is logged only with loglevel 1 or higher.
Logging cleanup:
* The TLS client logged that an "Untrusted" TLS connection was
established instead of "Anonymous".
* For consistency, TLS policy lookup errors are now logged as
warnings.
The main changes in no particular order are:
* Support for PKI-less TLS server certificate verification with
DANE (DNS-based Authentication of Named Entities) where the CA
public key or the server certificate is identified via DNSSEC
lookup. This requires a DNS resolver that validates DNSSEC
replies. The problem with conventional PKI is that there are
literally hundreds of organizations world-wide that can provide
a certificate in anyone's name. DANE limits trust to the people
who control the target DNS zone and its parent zones.
* Support for LMDB databases. Originally developed as part of
OpenLDAP, LMDB is the first persistent Postfix database that
can be shared among multiple writers such as postscreen daemons
(Postfix already supported shared non-persistent memcached
caches). Postfix currently requires LMDB version 0.9.11 or
later. See LMDB_README for details and limitations.
* A new postscreen_dnsbl_whitelist_threshold feature to allow
clients to skip postscreen tests based on their DNSBL score.
This can eliminate email delays due to "after 220 greeting"
protocol tests, which otherwise require that a client reconnects
before it can deliver mail. Some providers such as Google don't
retry from the same IP address, and that can result in large
email delivery delays.
* The recipient_delimiter feature now supports different delimiters,
for example both "+" and "-". As before, this implementation
recognizes exactly one delimiter character per email address,
and exactly one address extension per email address.
* Advanced master.cf query/update support to access service
attributes as "name = value" pairs. For example to turn off
chroot on all services use "postconf -F '*/*/chroot = n'", and
to change/add a "-o name=value" setting use "postconf -P
smtp/inet/name = value". This was developed primarily to allow
automated tools to manage Postfix systems without having to
parse Postfix configuration files.
Postfix 2.10.3, 2.9.9, and 2.8.17:
* Future proofing against OpenSSL library API changes. When support
for a bug workaround is removed from OpenSSL, the corresponding
named bit in tls_disable_workarounds will be ignored instead
of causing existing Postfix configurations to fail.
All supported releases:
* Future proofing against PCRE library API changes that introduce
the pcre_free_study() function.
* The postconf '-#' option reset prior options instead of adding
to them.
* Correct an error in MULTI_INSTANCE_README Makefile example.
* Correct an error in SASL_README PostgreSQL example.
* Correct a malformed error message in conf/post-install.
2.10.2
* TLS Interoperability workaround: turn on SHA-2 digests by force. This
improves interoperability with clients and servers that deploy SHA-2 digests
without the required support for TLSv1.2-style digest negotiation.
* TLS Performance workaround: the Postfix SMTP server TLS session cache had
become ineffective because recent OpenSSL versions enable session tickets by
default, resulting in a different ticket encryption key for each smtpd(8)
process. The workaround turns off session tickets. Postfix 2.11 will enable
session tickets properly.
* TLS Interoperability workaround: Debian Exim versions before 4.80-3 may fail
to communicate with Postfix and possibly other MTAs, with the following Exim
SMTP client error message:
    TLS error on connection to server-name [server-address]
    (gnutls_handshake): The Diffie-Hellman prime sent by the server is not
    acceptable (not long enough)
See the RELEASE_NOTES file for a Postfix SMTP server configuration
workaround.
* Bugfix (defect introduced: 1997): memory leak while forwarding mail with the
local(8) delivery agent, in code that handles a cleanup(8) server error.
2.10.1
* Workaround: down-stream maintainers fail to install the new
smtpd_relay_restrictions safety net, causing breakage that could have been
avoided. We now hard-code the safety net instead.
2.10.0
* Separation of relay policy (with smtpd_relay_restrictions) from spam policy
(with smtpd_{client, helo, sender, recipient}_restrictions), which makes
accidental open relay configuration less likely. The default is backwards
compatible.
* HAproxy load-balancer support for postscreen(8) and smtpd(8). The nginx
proxy was already supported by Postfix 2.9 smtpd(8), using XCLIENT commands.
* Support for the TLSv1 and TLSv2 protocols, as well as support to turn them
off if needed for inter-operability.
* Laptop-friendly configuration. By default, Postfix now uses UNIX-domain
sockets instead of FIFOs, and thus avoids MTIME file system updates on an
idle mail system.
* Revised postconf(1) command. The "-x" option expands $name in a parameter
value (both main.cf and master.cf); the "-o name=value" option overrides a
main.cf parameter setting; and postconf(1) now warns about a $name that has
no name=value setting.
* Sendmail-style "socketmap" lookup tables.
Changes:
2.9.8
* TLS Interoperability workaround: turn on SHA-2 digests by force.
This improves interoperability with clients and servers that
deploy SHA-2 digests without the required support for TLSv1.2-style
digest negotiation.
* TLS Performance workaround: the Postfix SMTP server TLS session
cache had become ineffective because recent OpenSSL versions
enable session tickets by default, resulting in a different
ticket encryption key for each smtpd(8) process. The workaround
turns off session tickets. Postfix 2.11 will enable session
tickets properly.
* TLS Interoperability workaround: Debian Exim versions before
4.80-3 may fail to communicate with Postfix and possibly other
MTAs, with the following Exim SMTP client error message:
    TLS error on connection to server-name [server-address]
    (gnutls_handshake): The Diffie-Hellman prime sent by the
    server is not acceptable (not long enough)
See the RELEASE_NOTES file for a Postfix SMTP server configuration
workaround.
* Bugfix (defect introduced: 1997): memory leak while forwarding
mail with the local(8) delivery agent, in code that handles a
cleanup(8) server error.
2.9.7
* Bugfix (introduced: Postfix 2.0): when myhostname is not listed in
mydestination, the trivial-rewrite resolver may log "do not list in both
mydestination and ". The fix is to re-resolve a domain-less address after
adding $myhostname as the surrogate domain, so that it pops out with the
right address-class label. Reported by Quanah Gibson-Mount.
* Bugfix (introduced: Postfix 2.3): don't reuse TCP connections when
smtp_tls_policy_maps is specified. TLS policies may depend on the remote
destination, but the Postfix <2.11 SMTP connection cache client does not
distinguish between different destinations that resolve to the same IP
address. Victor Duchovni. Found during Postfix 2.11 code maintenance.
* Bugfix (introduced: Postfix 2.2): don't reuse TCP connections when SASL
authentication is enabled. SASL passwords may depend on the remote SMTP
server hostname, but the Postfix <2.11 SMTP connection cache client does not
distinguish between different hostnames that resolve to the same IP
address. Found during Postfix 2.11 code maintenance.
a) refer 'perl' in their Makefile, or
b) have a directory name of p5-*, or
c) have any dependency on any p5-* package
Like last time, where this caused no complaints.
* The postconf(1) master.cf options parser didn't support "clusters"
of daemon command-line option letters.
* The local(8) delivery agent dereferenced a null pointer while
delivering to a null command (for example, "|" in a .forward
file). Reported by Gilles Chehade.
* A memory leak fix for tls_misc.c was documented but not included.
Postfix 2.8 and later:
* The postscreen_access_list feature failed to ignore case in the
first character of a command (e.g., permit, reject, etc.).
Reported by Francis Picabia. (This fix is incorrectly listed
in the HISTORY files of earlier releases, and will be removed
with a future patch.)
All supported releases:
* Strip the datalink suffix (e.g., %eth0) from IPv6 addresses
returned by the system getaddrinfo() routine. Such suffixes
break the default mynetworks value, the Postfix SMTP server's
reverse/forward DNS name/address mapping check, and possibly
more.
* To eliminate the possibility of collisions with connection cache
lookup keys, the Postfix LDAP client now computes those lookup
keys by joining the number-valued connection properties with
ASCII null, just like it already did with the string-valued
connection properties.
* There was a memory leak during one-time TLS library initialization
(introduced with Postfix 2.5). Reported by Coverity.
* There was a memory leak in the unused oqmgr(8) program (introduced
with Postfix 2.3). Reported by Coverity.
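The lookup-key collision described in the LDAP client item above can be reproduced in a few lines. This is an added illustration, not Postfix source code; the property names (server, bind_dn, port, version) and the sample values are assumptions chosen to show the collision.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical connection properties; field names are assumptions. */
struct conn_props {
    const char *server;    /* string-valued */
    const char *bind_dn;   /* string-valued */
    int port;              /* number-valued */
    int version;           /* number-valued */
};

struct key { char buf[256]; size_t len; int ok; };

/* Append s and its terminating NUL, so the NUL acts as field separator. */
static void put(struct key *k, const char *s)
{
    size_t n = strlen(s) + 1;
    if (!k->ok || n > sizeof k->buf - k->len) { k->ok = 0; return; }
    memcpy(k->buf + k->len, s, n);
    k->len += n;
}

/* Ambiguous: strings are NUL-joined, numbers are written back to back. */
static void key_ambiguous(const struct conn_props *p, struct key *k)
{
    char num[32];
    k->len = 0; k->ok = 1;
    put(k, p->server);
    put(k, p->bind_dn);
    snprintf(num, sizeof num, "%d%d", p->port, p->version);
    put(k, num);
}

/* Unambiguous: every field, numeric or not, ends in its own NUL. */
static void key_delimited(const struct conn_props *p, struct key *k)
{
    char num[16];
    k->len = 0; k->ok = 1;
    put(k, p->server);
    put(k, p->bind_dn);
    snprintf(num, sizeof num, "%d", p->port);
    put(k, num);
    snprintf(num, sizeof num, "%d", p->version);
    put(k, num);
}

/* 1 if both property sets map to the same key, 0 if not, -1 on overflow. */
int keys_collide(const struct conn_props *a, const struct conn_props *b,
                 int delimited)
{
    struct key ka, kb;
    void (*build)(const struct conn_props *, struct key *) =
        delimited ? key_delimited : key_ambiguous;
    build(a, &ka);
    build(b, &kb);
    if (!ka.ok || !kb.ok) return -1;
    return ka.len == kb.len && memcmp(ka.buf, kb.buf, ka.len) == 0;
}

/* Constructed sample: different numbers, same digit string "3893". */
static const struct conn_props conn_a = { "ldap.example.com", "cn=postfix", 38, 93 };
static const struct conn_props conn_b = { "ldap.example.com", "cn=postfix", 389, 3 };

int main(void)
{
    printf("back-to-back numbers collide: %d\n", keys_collide(&conn_a, &conn_b, 0));
    printf("NUL-joined numbers collide:   %d\n", keys_collide(&conn_a, &conn_b, 1));
    return 0;
}
```

Keys that contain NUL bytes have to be compared with an explicit length (memcmp), not with strcmp, which stops at the first separator.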
All supported releases:
* The local(8) delivery agent's BIFF client leaked an unprivileged
UDP socket. Fix by Jaroslav Skarvada. This bug was introduced
19990127.
* The SMTP server did not reject the AUTH command while a MAIL
FROM transaction was in progress. Reported by Timo Sirainen.
This bug was introduced 20000314.
Postfix 2.8 and later:
* The unused "pass" trigger client could close the wrong file
descriptors. This bug was introduced with Postfix 2.8.
Changes from the release announcement:
* OpenSSL related (all supported Postfix versions).
o Some people have reported program crashes when the OpenSSL
library was updated while Postfix was accessing the Postfix
TLS session cache. To avoid this, the Postfix TLS session
cache ID now includes the OpenSSL library version number.
This cache ID is not shared via the network.
o The OpenSSL workaround introduced with the previous stable
and legacy releases did not compile with older gcc compilers.
These compilers can't handle #ifdef inside a macro invocation
(NOT: definition).
* postscreen(8) related (Postfix 2.9, Postfix 2.8).
o To avoid repeated warnings from postscreen(8) with "connect
to private/dnsblog service: Connection refused" on FreeBSD,
the dnsblog(8) daemon now uses the single_server program
driver instead of the multi_server driver. This one-line
code change has no performance impact for other systems,
and eliminates a high-frequency accept() race on a shared
socket that appears to cause trouble on FreeBSD. The same
single_server program driver has proven itself for many
years in smtpd(8). Problem reported by Sahil Tandon.
* Laptop-friendly support (all supported Postfix versions). A
little-known secret is that Postfix has always had support to
avoid unnecessary disk spin-up for MTIME updates, by doing
s/fifo/unix/ in master.cf (this is currently not supported on
Solaris systems). However, two minor fixes are needed to make
this bullet-proof.
o In laptop-friendly mode, the "postqueue -f" and "sendmail
-q" commands did not wait until their requests had reached
the pickup and qmgr servers before closing their UNIX-domain
request sockets.
o In laptop-friendly mode, the unused postkick command waited
for more than a minute because the event_drain() function
was comparing bitmasks incorrectly on systems with kqueue(2),
epoll(2) or /dev/poll support.
Major changes with Postfix 2.8.10
---------------------------------
This release adds support to turn off the TLSv1.1 and TLSv1.2
protocols. Introduced with OpenSSL version 1.0.1, these are known
to cause inter-operability problems with for example hotmail.
The radical workaround is to temporarily turn off problematic
protocols globally:
    /etc/postfix/main.cf:
        smtp_tls_protocols = !SSLv2, !TLSv1.1, !TLSv1.2
        smtp_tls_mandatory_protocols = !SSLv2, !TLSv1.1, !TLSv1.2
        smtpd_tls_protocols = !SSLv2, !TLSv1.1, !TLSv1.2
        smtpd_tls_mandatory_protocols = !SSLv2, !TLSv1.1, !TLSv1.2
However, it may be better to temporarily turn off problematic
protocols for broken sites only:
    /etc/postfix/main.cf:
        smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
    /etc/postfix/tls_policy:
        example.com may protocols=!SSLv2:!TLSv1.1:!TLSv1.2
Important:
- Note the use of ":" instead of comma or space. Also, note that
there is NO space around the "=" in "protocols=".
- The smtp_tls_policy_maps lookup key must match the "next-hop"
destination that is given to the Postfix SMTP client. If you
override the next-hop destination with transport_maps, relayhost,
sender_dependent_relayhost_maps, or otherwise, you need to specify
the same destination for the smtp_tls_policy_maps lookup key.
Postfix stable release 2.8.9 is available. This contains fixes that
are already part of Postfix 2.9 and 2.10.
* The "change header" milter request could replace the wrong
header. A long header name could match a shorter one, because
a length check was done on the wrong string. Reported by
Vladimir Vassiliev.
* Core dump when postlog emitted the "usage" message, caused
by an extraneous null assignment. Reported by Kant (fnord.hammer).
You can find the updated Postfix source code at the mirrors listed
at http://www.postfix.org/.
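The "change header" item above describes a name comparison bounded by the length of the wrong string. The following added example shows that class of defect next to a corrected comparison; it is not the Postfix code, and the function names and sample headers are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Length of the header name at the start of a message line, 0 if none. */
static size_t name_len(const char *line)
{
    const char *colon = strchr(line, ':');
    return colon ? (size_t)(colon - line) : 0;
}

/*
 * Flawed: the comparison is bounded by the length of the name found in
 * the message, so only a prefix of the requested (longer) name is checked.
 */
int match_flawed(const char *wanted, const char *line)
{
    size_t n = name_len(line);
    return n > 0 && strncasecmp(wanted, line, n) == 0;
}

/* Corrected: both names must have the same length before comparing. */
int match_fixed(const char *wanted, const char *line)
{
    size_t n = name_len(line);
    return n > 0 && strlen(wanted) == n && strncasecmp(wanted, line, n) == 0;
}

/* Index of the first header selected for replacement, or -1. */
int find_header(const char *const *hdrs, int count, const char *wanted,
                int (*match)(const char *, const char *))
{
    for (int i = 0; i < count; i++)
        if (match(wanted, hdrs[i]))
            return i;
    return -1;
}

/* Constructed sample message headers. */
static const char *const sample_headers[] = {
    "Received: from mx.example.net by mail.example.com",
    "X-Spam: no",
    "X-Spam-Status: clean",
};

int main(void)
{
    /* The filter asks to change X-Spam-Status. */
    printf("flawed picks header %d\n",
           find_header(sample_headers, 3, "X-Spam-Status", match_flawed));
    printf("fixed picks header %d\n",
           find_header(sample_headers, 3, "X-Spam-Status", match_fixed));
    return 0;
}
```

With the flawed comparison the request for the longer name selects the shorter `X-Spam` header, so a filter's verdict would be written to the wrong field.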
- The Postfix sqlite client, introduced with Postfix 2.8, had an
embarrassing bug in its quoting routine. As the result of a
last-minute code cleanup before release, this routine returned the
unquoted text instead of the quoted text. The opportunities for
mis-use are limited: Postfix sqlite database files are usually owned
by root, and Postfix daemons usually run with non-root privileges so
they can't corrupt the database. This problem was reported by Rob
McGee (rob0).
- The Postfix 2.8.4 fix for local delivery agent database lookup
errors was incomplete. The fix correctly added new code to detect
database lookup errors with mailbox_transport_maps,
mailbox_command_maps or fallback_transport_maps, but it failed to
log the problem, and to produce a defer logfile record which is
needed for "delayed mail" and "mail too old" delivery status
notifications.
- The trace(8) service, used for DSN SUCCESS notifications, did not
distinguish between notifications for a non-bounce or a bounce
message, causing it to "reply" to mail with the null sender
address. Problem reported by Sabahattin Gucukoglu.
- Support for Dovecot auth over TCP sockets, using code that already
existed for testing purposes. Patrick Koetter kindly provided an
update for the SASL_README file.
- Workaround in the LDAP client for changes in the under-documented
OpenLDAP API, by Victor Duchovni.
Postfix stable release 2.8.7 is available. This contains a workaround
for a problem that is fixed in Postfix 2.9.
* The postscreen daemon, which is not enabled by default, sent
non-compliant SMTP responses (220- followed by 421) when it
could not give a connection to a real smtpd process. These
responses caused some remote SMTP clients to return mail as
undeliverable.
The workaround is to hang up after sending 220- without sending
the 421 "sorry" reply; this is harmless.
The complete fix involves too much change for a stable release:
send the 220 greeting, wait for the EHLO command, then send
the 421 "sorry" reply and hang up.
Postfix stable release 2.8.6, 2.7.7, 2.6.13 and 2.5.16 are available.
These contain fixes that are also included with the Postfix 2.9
experimental release.
* The Postfix SMTP daemon sent "bare" newline characters instead
of <CR><LF> when a header_checks REJECT pattern matched a
multi-line header. This bug was introduced with Postfix 1.1.
* The Postfix SMTP daemon sent "bare" newline characters instead
of <CR><LF> when an smtpd_proxy_filter returned a multi-line
response. This bug was introduced with Postfix 2.1.
* For compatibility with future EAI (email address
internationalization) implementations, the Postfix MIME
processor no longer enforces the strict_mime_encoding_domain
check on unknown message subtypes such as message/global*.
This check is disabled by default.
* The Postfix master daemon could report a panic error
("master_spawn: at process limit") after the process limit
for some service was reduced with "postfix reload". This bug
existed in all Postfix versions.
You can find the updated Postfix source code at the mirrors listed
at http://www.postfix.org/.
[An on-line version of this announcement will be available at
http://www.postfix.org/announcements/postfix-2.8.5.html]
Postfix stable release 2.8.5, 2.7.6, 2.6.12, and 2.5.15 are available.
These contain fixes and workarounds for the Postfix Milter client
that were already included with the Postfix 2.9 experimental release.
* The Postfix Milter client logged a "milter miltername: malformed
reply" error when a Milter sent an SMTP response without
enhanced status code (i.e. "XXX Text" instead of "XXX X.X.X
Text").
* The Postfix Milter client sent a random {client_connections}
macro value when the remote SMTP client was not subject to
any smtpd_client_* limit. As a workaround, it now sends a
zero value instead.
Postfix stable release 2.8.4 is available. This contains fixes and
workarounds that were already included with the Postfix 2.9
experimental release. Where applicable these fixes will also be
made available for the legacy releases Postfix 2.5..2.7.
* Performance: a high load of DSN success notification requests
could slow down the queue manager. Solution: make the trace
client asynchronous, just like the bounce and defer clients.
* The local(8) delivery agent ignored table lookup errors in
mailbox_command_maps, mailbox_transport_maps, fallback_transport_maps
and (while bouncing mail to alias) alias owner lookup.
* Workaround: dbl.spamhaus.org rejects lookups with "No IP
queries" even if the name has an alphanumerical prefix. We
play safe, and skip both RHSBL and RHSWL queries for names
ending in a numerical suffix.
* The "sendmail -t" command reported "protocol error" instead
of "file too large", "no space left on device" etc.
* The Postfix Milter client reported a temporary error instead
of "file too large" in three cases.
* Linux kernel version 3 support. Linus Torvalds has reset the
counters for reasons not related to changes in code.
You can find the updated Postfix source code at the mirrors listed
at http://www.postfix.org/.
* pkgsrc change: remove mysql4 from PKG_OPTIONS.
Security release for Memory corruption in Postfix SMTP server Cyrus SASL
support: http://www.postfix.org/CVE-2011-1720.html
20110411
Cleanup: postscreen(8) and verify(8) daemons now lock their
respective cache file exclusively upon open, to avoid massive
cache corruption by unsupported sharing. Files: util/dict.h,
util/dict_open.c, verify/verify.c, postscreen/postscreen.c.
20110414
Bugfix (introduced with Postfix SASL patch 20000314): don't
reuse a server SASL handle after authentication failure.
Problem reported by Thomas Jarosch of Intra2net AG. File:
smtpd/smtpd_proto.c.
Postfix stable release 2.8.2 is available. This release has minor
fixes that are already in the experimental (2.9) release.
- Bugfix: postscreen DNSBL scoring error. When a client disconnected
and then reconnected before all DNSBL results for the earlier
session arrived, DNSBL results for the earlier session would be
added to the score for the later session. This is very unlikely
to have affected any legitimate mail.
- Workaround: the SMTP client did not support mail to [ipv6:ipv6addr].
- Portability: FreeBSD closefrom() was back-ported to FreeBSD 7,
breaking FreeBSD 7.x support retroactively.
- Portability: the SUN compiler had trouble with a pointer expression
of the form ``("text1" "text2") + constant'' so we don't try to
be so clever.
Postfix stable release 2.8.0 is available. This release continues the
move towards improving code and documentation, and making the system
better prepared for changes in the threat environment.
The postscreen daemon (a zombie blocker in front of Postfix) is now
included with the stable release. postscreen now supports TLS and can
log the rejected sender, recipient and helo information. See the
POSTSCREEN_README file for recommended usage scenarios.
Support for DNS whitelisting (permit_rhswl_client), and for pattern
matching to filter the responses from DNS white/blacklist servers
(e.g., reject_rhsbl_client zen.spamhaus.org=127.0.0.[1..10]).
Improved message tracking across SMTP-based content filters; the
after-filter SMTP server can log the before-filter queue ID (the
XCLIENT protocol was extended).
Read-only support for sqlite databases. See sqlite_table(5) and
SQLITE_README.
Support for 'footers' that are appended to SMTP server "reject"
responses. See "smtpd_reject_footer" in the postconf(5) manpage.
This update was tested by Takahiro Kambe.
- Postfix no longer automatically appends the system default CA
(certificate authority) certificates, when it reads the CA
certificates specified with {smtp, lmtp, smtpd}_tls_CAfile or
with {smtp, lmtp, smtpd}_tls_CApath. This prevents third-party
certificates from getting mail relay permission with the
permit_tls_all_clientcerts feature. Unfortunately, this change
may cause compatibility problems with configurations that rely
on certificate verification for other purposes. To get the old
behavior, specify "tls_append_default_CA = yes".
- A prior fix for compatibility with Postfix < 2.3 was incomplete.
When pipe-to-command delivery fails with a signal, mail is now
correctly deferred, instead of being returned to sender.
- Poor smtpd_proxy_filter TCP performance over loopback (127.0.0.1)
connections was fixed by adapting the output buffer size to the MTU.
- The SMTP server no longer applies the reject_rhsbl_helo feature
to non-domain forms such as network addresses. This would cause
false positives with dbl.spamhaus.org.
- The Postfix SMTP server failed to deliver a "421" response and
hang up the connection after Milter error. Instead, the server
delivered a "503 Access denied" response and left the connection
open, due to some Postfix 1.1 workaround for RFC 2821.
- The milter_header_checks parser failed to enable any of the actions
that have no effect on message delivery (warn, replace, prepend,
ignore, dunno, and ok).
from postfix-license, of the same level of importance as changing the
name of the copyright holder, rather than in the nature of the terms.
Everyone believes that postfix is Open Source, and this causes postfix
to fall under DEFAULT_ACCEPTABLE_LICENSES.
ok martti@