Postfix 3.7.4 (2023-01-22)
* Workaround: with OpenSSL 3 and later always turn on
SSL_OP_IGNORE_UNEXPECTED_EOF, to avoid warning messages and missed
opportunities for TLS session reuse. This is safe because the SMTP
protocol implements application-level framing, and is therefore not
affected by TLS truncation attacks. Fix by Viktor Dukhovni.
* Workaround: OpenSSL 3.x EVP_get_digestbyname() can return
lazily-bound handles for digest implementations. In sufficiently
hostile configurations, Postfix could mistakenly believe that a digest
algorithm is available, and fail when it is not. A similar workaround
may be needed for EVP_get_cipherbyname(). Fix by Viktor Dukhovni.
* Bugfix (bug introduced in Postfix 2.11): the checkok() macro in
tls/tls_fprint.c evaluated its argument unconditionally; it should
evaluate the argument only if there was no prior error. Found during
code review.
* Bugfix (bug introduced in Postfix 2.8): postscreen died with a
segmentation violation when postscreen_dnsbl_threshold < 1. It
should reject such input with a fatal error instead. Discovered by
Benny Pedersen.
* Bitrot: fixes for linker warnings from newer Darwin (MacOS)
versions. Viktor Dukhovni.
* Portability: Linux 6 support.
* Added missing documentation that cidr:, pcre: and regexp: tables
support inline specification only in Postfix 3.7 and later.
3.7.0 (2022-02-07)
* Support to inline the content of small cidr:, pcre:, and regexp:
tables in Postfix parameter values. An example is the new
smtpd_forbidden_commands default value, "CONNECT GET POST
regexp:{{/^[^A-Z]/ Thrash}}", to quickly drop connections from
clients that send garbage.
* To make the maillog_file feature more useful, including stdout
logging from a container, the postlog(1) command is now set-gid
postdrop, so that unprivileged programs can use it to write
logging through the postlogd(8) daemon. This required hardening
the postlog(1) command against privilege escalation attacks.
* Support for library APIs: OpenSSL 3.0.0, PCRE2, Berkeley DB 18.
* Postfix programs now randomize the initial state of in-memory
hash tables, to defend against hash collision attacks involving
a large number of attacker-chosen lookup keys. Presently, the
only known opportunity for such attacks involves remote SMTP
client IPv6 addresses in the anvil(8) service, and requires
making hundreds of short-lived connections per second while
cycling through thousands of different client IP addresses.
* Updated defense against remote clients or servers that 'trickle'
SMTP or LMTP traffic. This replaces the old per-record deadlines
with per-request deadlines and minimum data rates.
* Many typofixes by raf and Wietse.
3.7.1 (2022-04-18)
* (problem introduced: Postfix 2.7) The milter_header_checks maps
are now opened before the cleanup(8) server enters the chroot
jail. Problem reported by Jesper Dybdal.
* In an internal client module, "host or service not found" was
a fatal error, causing the milter_default_action setting to be
ignored. It is now a non-fatal error, just like a failure to
connect. Problem reported by Christian Degenkolb.
* The proxy_read_maps default value was missing up to 27 parameter
names. The corresponding lookup tables were not automatically
authorized for use with the proxymap(8) service. The parameter
names were ending in _checks, _reply_footer, _reply_filter,
_command_filter, and _delivery_status_filter.
* (problem introduced: Postfix 3.0) With dynamic map loading
enabled, an attempt to create a map with "postmap regexp:path"
would result in a bogus error message "Is the postfix-regexp
package installed?" instead of "unsupported map type for this
operation". This happened with all non-dynamic map types (static,
cidr, etc.) that have no 'bulk create' support. Problem reported
by Greg Klanderman.
* In PCRE_README, "pcre2 --libs" should be "pcre2 --libs8". Problem
reported by Carlos Velasco.
* Documented in the postlogd(8) daemon manpage that the Postfix
>= 3.7 postlog(1) command can run with setgid permissions.
3.7.2 (2022-04-28)
This reverts an overly complex change in the postscreen SMTP engine
(made during Postfix 3.7 development), and replaces it with much
simpler code. The bad change was crashing postscreen on some systems
after receiving malformed input (for example, a TLS "hello" message).
upstream changes:
-----------------
Fixed in Postfix 3.6.4, 3.5.14, 3.4.24, 3.3.21:
o Bug introduced in bugfix 20210708: duplicate bounce_notice_recipient
entries in postconf output. This was caused by an incomplete fix to send
SMTP session transcripts to $bounce_notice_recipient. Reported by Vincent
Lefevre.
o Bug introduced in Postfix 3.0: the proxymap daemon did not automatically
authorize proxied maps inside pipemap (example:
pipemap:{proxy:maptype:mapname, ...}) or inside unionmap. Problem reported
by Mirko Vogt.
o Bug introduced in Postfix 2.5: off-by-one error while writing a string
terminator. This code passed all memory corruption tests, presumably
because it wrote over an alignment padding byte, or over an adjacent
character byte that was never read. Reported by Robert Siemer.
Fixed in Postfix 3.6.4, 3.5.14, 3.4.24:
o The proxymap daemon did not automatically authorize map features added
after Postfix 3.3, caused by missing *_maps parameter names in the
proxy_read_maps default value. Found during code maintenance.
Quote from release announce:
Fixed in Postfix 3.6.3, 3.5.13, 3.4.23, 3.3.20:
* (problem introduced in Postfix 2.4, released in 2007): queue
file corruption after a Milter (for example, MIMEDefang) made
a request to replace the message body with a copy of that message
body plus additional text (for example, a SpamAssassin report).
The most likely impacts were a) the queue manager reporting a
fatal error resulting in email delivery delays, or b) the queue
manager reporting the corruption and moving the message to the
corrupt queue for damaged messages.
However, a determined adversary could craft an email message
that would trigger the bug, and insert into its queue file a
content filter destination or a redirect email address. Postfix
would then deliver the message headers there, in most cases
without delivering the message body. With enough experimentation,
an attacker could make Postfix deliver both the message headers
and body.
Some details of a successful attack depend on the Milter
implementation, and on the Postfix and Milter configuration
details; these can be determined remotely through experimentation.
Failed experiments may be detected when the queue manager
terminates with a fatal error, or when the queue manager moves
damaged files to the "corrupt" queue as evidence.
Technical details: when Postfix executes a "replace body" Milter
request it will reuse queue file storage that was used by the
existing email message body. If the new body is larger, Postfix
will append body content to the end of the queue file. The
corruption happened when a Milter (for example, MIMEDefang)
made a request to replace the body of a message with a new body
that contained a copy of the original body plus some new text,
and the original body contained a line longer than $line_length_limit
bytes (for example, an image encoded in base64 without hard or
soft line breaks). In queue files, Postfix stores a long text
line as multiple records with up to $line_length_limit bytes
each. Unfortunately, Postfix's "replace body" support did not
account for the additional queue file space needed to store the
second etc. record headers. And thus, the last record(s) of a
long text line could overwrite one or more queue file records
immediately after the space that was previously occupied by the
original message body.
Problem report by Benoit Panizzon.
* (problem introduced in Postfix 2.10, released in 2012): The
postconf "-x" option could produce incorrect output, because
multiple functions were implicitly sharing a buffer for
intermediate results. Problem report by raf, root cause analysis
by Viktor Dukhovni.
* (problem introduced in Postfix 2.11, released in 2013): The
check_ccert_access feature worked as expected, but produced a
spurious warning when Postfix was built without SASL support.
Fix by Brad Barden.
* Fix for a compiler warning due to a missing 'const' qualifier
when compiling Postfix with OpenSSL 3. Depending on compiler
settings this could cause the build to fail.
Fixed in Postfix 3.6:
* The known_tcp_ports settings had no effect. It also wasn't fully
implemented. Problem report by Peter.
* Fix for missing space between a hostname and warning text.
All checksums have been double-checked against existing RMD160 and
SHA512 hashes
The following distfiles were unfetchable (possibly fetched
conditionally?):
./mail/qmail/distinfo netqmail-1.05-TAI-leapsecs.patch
* Add blocklist PKG_OPTIONS.
* Fix build problem on no blocklist/blacklist supported system.
(Reported by Matthias Ferdinand on pkgsrc-users@.)
Bump PKGREVISION.
* pkgsrc change: Add supportfor blocklistd(3) (and blacklistd(3)).
* From release annuonce:
Fixed in Postfix 3.6.2, 3.5.12, 3.4.22, 3.3.19:
* In Postfix 3.6, fixed a false "Result too large" (ERANGE) fatal
error in the compatibility_level parser, because there was no
'errno = 0' statement before an strtol() call. In Postfix
3.3-3.5, fixed two older latent bugs of this kind (introduced
in 1999 and in Postfix 2.11). Problem reported by David Bohman.
* (problem introduced in Postfix 3.3) "Null pointer read" error
in the cleanup daemon when "header_from_format = standard" (the
default as of Postfix 3.3), and email was submitted with
/usr/sbin/sendmail without From: header, and an all-space full
name was specified in 1) the password file, 2) with "sendmail
-F", or 3) with the NAME environment variable. Found by Renaud
Metrich.
* (problem introduced in Postfix 2.4) False "too many reverse
jump" warnings in the showq daemon, because loop detection code
was comparing memory addresses instead of queue file names.
Reported by Mehmet Avcioglu.
* (problem introduced in 1999) The Postfix SMTP server was sending
all session transcripts to the error_notice_recipient (default:
postmaster), instead of sending transcripts of bounced mail to
the bounce_notice_recipient (default: postmaster). Reported by
Hans van Zijst.
Fixed in Postfix 3.6.2, 3.5.12, 3.4.22:
* The texthash: map implementation broke tls_server_sni_maps,
because it did not support multi-file inputs. Reported by
Christopher Gurnee, who also found an instance of the missing
code in the "postmap -F" source code. File: util/dict_thash.c.
3.6.1 (2021-06-14)
Fixed in Postfix 3.6.1, 3.5.11, 3.4.21, 3.3.18:
* Bugfix (introduced: Postfix 2.11): the command "postmap
lmdb:/file/name" (create LMDB database from textfile) handled
duplicate input keys ungracefully, discarding entries stored
up to and including the duplicate key, and causing a double
free() call with lmdb versions 0.9.17 and later. Reported by
Adi Prasaja; double free() root cause analysis by Howard Chu.
Fixed in Postfix 3.6.1, 3.5.11, 3.4.21:
* Typo (introduced: Postfix 3.4): silent_discard should be
silent-discard in BDAT_README.
Postfix stable release 3.6.0 is available. This ends the support
for legacy release Postfix 3.2.
The main changes are below. See the RELEASE_NOTES file for further
details.
Incompatible changes:
* This release requires "postfix stop" before updating, or before
backing out to an earlier release, because some internal protocols
have changed. Otherwise, long-running daemons (pickup, qmgr,
verify, tlsproxy, postscreen) may fail to communicate with the
rest of Postfix, causing mail delivery delays until Postfix is
restarted.
* Respectful logging. Postfix version 3.6 deprecates terminology
that implies white is better than black. Instead, Postfix prefers
'allowlist', 'denylist', and variations on those words. This
change affects Postfix documentation, and postscreen parameters
and logging.
To keep the old postscreen logging set "respectful_logging =
no" in main.cf before setting "compatibility_level = 3.6". In
any case, the old postscreen parameter names will keep working
as before.
Other changes:
* The minimum supported OpenSSL version is 1.1.1, which will reach
the end of life by 2023-09-11. Postfix 3.6 is expected to reach
the end of support in 2025. Until then, Postfix will be updated
as needed for compatibility with OpenSSL.
The default fingerprint digest has changed from md5 to sha256
(Postfix 3.6 with compatibility_level >= 3.6). With a lower
compatibility_level setting, Postfix defaults to using md5, and
logs a warning when a Postfix configuration specifies no explicit
digest type.
The export-grade Diffie-Hellman key exchange is no longer
supported, and the tlsproxy_tls_dh512_param_file parameter is
ignored,
* Better error messages when someone configures an incorrect
program in master.cf. To recognize such mistakes, every Postfix
internal service, including the postdrop command, announces the
name of its protocol before doing any other I/O, and every
Postfix client program, including the Postfix sendmail command,
will verify that the protocol name matches what it expects.
* Fine-grained control over the envelope sender address for
submission with the Postfix sendmail (or postdrop) commands.
Example:
/etc/postfix/main.cf:
# Allow root and postfix full control, anyone else can only
# send mail as themselves. Use "uid:" followed by the numerical
# UID when the UID has no entry in the UNIX password file.
local_login_sender_maps =
inline:{ { root = *}, { postfix = * } },
pcre:/etc/postfix/login_senders
/etc/postfix/login_senders:
# Allow both the bare username and the user@domain forms.
/(.+)/ $1 $1@example.com
* Threaded bounces. This allows mail readers to present a
non-delivery, delayed delivery, or successful delivery notification
in the same email thread as the original message.
Unfortunately, this also makes it easy for users to mistakenly
delete the whole email thread (all related messages), instead
of deleting only the delivery status notification.
To enable, specify "enable_threaded_bounces = yes".
* Postfix by default no longer uses the services(5) database to
look up the TCP ports for SMTP and LMTP services. Instead, this
information is configured with the new known_tcp_ports configuration
parameter (default: lmtp=24, smtp=25, smtps=submissions=465,
submission=587). When a service is not specified in known_tcp_ports,
Postfix will still query the services(5) database.
* Starting with Postfix version 3.6, the compatibility level is
"3.6". In future Postfix releases, the compatibility level will
be the Postfix version that introduced the last incompatible
change. The level is formatted as 'major.minor.patch', where
'patch' is usually omitted and defaults to zero. Earlier
compatibility levels are 0, 1 and 2.
This also introduces main.cf and master.cf support for the
<=level, < level, and other operators to compare compatibility
levels. With the standard <=, <, etc. operators, compatibility
level 3.10 would be less than 3.9, which is undesirable.
upstream changes:
-----------------
Fixed in 3.5.10:
o Missing null pointer checks (introduced in Postfix 3.4) after an internal I/O error during the smtp(8) to tlsproxy(8) handshake. Found by Coverity, reported by Jaroslav Skarvada. Based on a fix by Viktor Dukhovni.
o Null pointer bug (introduced in Postfix 3.0) and memory leak (introduced in Postfix 3.4) after an inline: table syntax error in main.cf or master.cf. Found by Coverity, reported by Jaroslav Skarvada. Based on a fix by Viktor Dukhovni.
o Incomplete null pointer check (introduced: Postfix 2.10) after truncated HaProxy version 1 handshake message. Found by Coverity, reported by Jaroslav Skarvada. Fix by Viktor Dukhovni.
o Missing null pointer check (introduced: Postfix alpha) after null argv[0] value.
upstream changes:
-----------------
This update improves the reporting of DNSSEC problems that may affect DANE
security. DNSSEC support may unavailable because of local configuration, libc
incompatibility, or other infrastructure issues. This was backported from
Postfix 3.6.
Background: DNSSEC validation is needed for Postfix DANE support; this ensures
that Postfix receives TLSA records with secure TLS server certificate info.
When DNSSEC validation is unavailable, mail deliveries using opportunistic DANE
(security level 'dane') will not be protected by server certificate info in
TLSA records, and mail deliveries using mandatory DANE (security level
'dane-only') will not be made at all.
This update introduces the following behavior: when a process requests DNSSEC
support (typically, for Postfix DANE support), the process may now do a runtime
test to determine if DNSSEC validation is available.
The new dnssec_probe parameter specifies a DNS query type (default: "ns") and
DNS query name (default: ".") that Postfix may use to determine whether DNSSEC
validation is available. Specify an empty value to disable this feature.
When dnssec_probe is enabled, a Postfix process will send a DNSSEC probe after
1) the process made a DNS query that requested DNSSEC validation, 2) the
process did not receive a DNSSEC validated response to this query or to an
earlier query, and 3) the process did not already send a DNSSEC probe.
When the DNSSEC probe has no response, or when the response is not DNSSEC
validated, Postfix logs a warning that DNSSEC validation may be unavailable.
Examples:
warning: DNSSEC validation may be unavailable
warning: reason: dnssec_probe 'ns:.' received a response that is not DNSSEC validated
warning: reason: dnssec_probe 'ns:.' received no response: Server failure
With this update, the Postfix build system will no longer automatically disable
DNSSEC support when it determines that Postfix will use libc-musl. This removes
the earlier libc-musl workaround introduced with Postfix 3.2.15, 3.3.10,
3.4.12, and 3.5.2.
Fixed in Postfix version 3.5.8:
[Postfix 3.5 and later] The Postfix SMTP client inserted <CR><LF> into message headers with lines longer than $line_length_limit (default: 2048), causing all subsequent header content to become message body content. Reported by Andreas Weigel.
Fixed in Postfix versions 3.5.8, 3.4.18, 3.3.15, 3.2.20:
[Postfix 2.8 and later] The postscreen daemon did not save a copy of the postscreen_dnsbl_reply_map lookup result. This has no effect when the recommended texthash: lookup table is used, but it could result in stale data with other lookup tables.
[Postfix 2.3 and later] After deleting a recipient with a Milter, the Postfix recipient duplicate filter was not updated; the filter suppressed requests to add the recipient back. Reported by Mehmet Avcioglu.
[Postfix 2.3 and later] Memory leak: the static: maps did not free their casefolding buffer.
[Postfix 2.2 and later] With "smtpd_tls_wrappermode = yes", the smtps service was waiting for a TLS handshake, after processing an XCLIENT command. Reported by Aki Tuomi.
[Postfix 2.0 and later] The smtp_sasl_mechanism_filter implementation ignored table lookup errors, treating them as 'not found'.
[Postfix alpha and later] The code that looks for Delivered-To: headers ignored headers longer than $line_length_limit (default: 2048).
Changelog:
With "smtp_tls_connection_reuse = yes", tlsproxy(8) was using the wrong global
TLS context for connections that use DANE trust anchors or that use non-DANE
trust anchors. This resulted in a global certificate verify function pointer
race, between TLS handshakes that use trust achors and concurrent TLS
handshakes that use PKI. No memory was corrupted in the course of all this.
Reference: http://www.postfix.org/announcements/postfix-3.5.7.html
upstream changes:
-----------------
Fixed in Postfix versions 3.5.6, 3.4.16, 3.3.14, 3.2.19:
* One fix for memory leaks in the Postfix TLS library was back-ported to the wrong place, resulting in undefined program behavior.
Fixed in Postfix versions 3.5.6, 3.4.16:
* The workaround for allowed TLS protocol versions did not explictly override the system-wide OpenSSL configuration, for sessions where the remote SMTP client sends SNI. It's better to be safe than sorry.
Fixed in Postfix versions 3.5.5, 3.4.15, 3.3.13, 3.2.18:
* Workaround for unexpected TLS interoperability problems when Postfix runs on OS distributions with system-wide OpenSSL configurations.
* Memory leaks in the Postfix TLS library, the largest one involving multiple kBytes per peer certificate.
Update postfix to 3.5.4.
Fixed in Postfix 3.5.4, 3.4.14:
* The connection_reuse attribute in smtp_tls_policy_maps always
resulted in an "invalid attribute name" error. Fix by Thorsten
Habich.
* SMTP over TLS connection reuse always failed for Postfix SMTP
client configurations that specify explicit trust anchors (remote
SMTP server certificates or public keys). Reported by Thorsten
Habich.
Fixed in Postfix versions 3.5.4, 3.4.14, 3.3.12, 3.2.17:
* The Postfix SMTP client's DANE implementation would always send
an SNI option with the name in a destination's MX record, even
if the MX record pointed to a CNAME record. MX records that
point to CNAME records are not conformant with RFC5321, and so
are rare.
Based on the DANE survey of ~2 million hosts it was found that
with the corrected SMTP client behavior, sending SNI with the
CNAME-expanded name, the SMTP server would not send a different
certificate. This fix should therefore be safe.
Update postfix and related pacakges to 3.5.3.
Quote freom release announce.
Postfix 3.5.3, 3.4.13:
* TLS handshake failure in the Postfix SMTP server during SNI
processing, after the server-side TLS engine sent a TLSv1.3
HelloRetryRequest (HRR) to a remote SMTP client. Reported by
J??n M??t??, fixed by Viktor Dukhovni.
Postfix versions 3.5.3, 3.4.13, 3.3.11, 3.2.16:
* The command "postfix tls deploy-server-cert" did not handle a
missing optional argument. This bug was introduced in Postfix
3.1.
upstream changes:
-----------------
Postfix versions 3.5.2, 3.4.12, 3.2.10, 3.2.15:
* A TLS error for a database client caused a false 'lost connection' error for an SMTP over TLS session in the same Postfix process. Reported by Alexander Vasarab, diagnosed by Viktor Dukhovni. This bug was introduced with Postfix 2.2.
* The same bug existed in the tlsproxy(8) daemon, where a TLS error for one TLS session could cause a false 'lost connection' error for a concurrent TLS session in the same process. This bug was introduced with Postfix 2.8.
* The Postfix build now disables DANE support on Linux systems with libc-musl, because libc-musl provides no indication whether DNS responses are authentic. This broke DANE support without a clear explanation.
* Due to implementation changes in the ICU library, some Postfix daemons reported file access errrors (U_FILE_ACCESS_ERROR) after chroot(). This was fixed by initializing the ICU library before making the chroot() call.
* Minor code changes to silence a compiler that special-cases string literals.
Postfix 3.5.2, 3.4.12:
* Segfault in the tlsproxy(8) client role when the server role was disabled. This typically happened on systems that do not receive mail, after configuring connection reuse for outbound SMTP over TLS.
* The date portion of the maillog_file_rotate_suffix default value used the minute (%M) instead of the month (%m). Reported by Larry Stone.
Update postfix to 3.5.1.
3.5.0 (2020-03-16)
Postfix stable release 3.5.0 is available. Support has ended for
legacy release Postfix 3.1.
The main changes are below. See the RELEASE_NOTES file for further details.
* Support for the haproxy v2 protocol. The Postfix implementation
supports TCP over IPv4 and IPv6, as well as non-proxied
connections; the latter are typically used for heartbeat tests.
* Support to force-expire email messages. This introduces new
postsuper(1) command-line options to request expiration, and
additional information in mailq(1) or postqueue(1) output.
* The Postfix SMTP and LMTP client support a list of nexthop
destinations separated by comma or whitespace. These destinations
will be tried in the specified order. Examples:
/etc/postfix/main.cf:
relayhost = foo.example, bar.example
default_transport = smtp:foo.example, bar.example
Incompatible changes:
* Logging: Postfix daemon processes now log the from= and to=
addresses in external (quoted) form in non-debug logging (info,
warning, etc.). This means that when an address localpart
contains spaces or other special characters, the localpart will
be quoted, for example:
from=<"name with spaces"@example.com>
Specify "info_log_address_format = internal" for backwards compatibility.
* Postfix now normalizes IP addresses received with XCLIENT,
XFORWARD, or with the HaProxy protocol, for consistency with
direct connections to Postfix. This may change the appearance
of logging, and the way that check_client_access will match
subnets of an IPv6 address.
3.5.1 (2020-04-20)
Postfix versions 3.5.1, 3.4.11, 3.3.9, 3.2.14:
* Bitrot workaround for broken builds after an incompatible change
in GCC 10.
* Bitrot workaround for broken DANE/DNSSEC support after an
incompatible change in GLIBC 2.31. This change avoids the need
for new options in /etc/resolv.conf.
upstream changes:
-----------------
Fixed in all supported stable releases:
Bug (introduced: Postfix 3.1): smtp_dns_resolver_options were broken while adding support for negative DNS response caching in postscreen. Postfix was inadvertently changed to call res_query() instead of res_search(). Reported by Jaroslav Skarvada.
Bug (introduced: Postfix 2.5): Postfix ignored the CONNECT macro overrides from a Milter application. Postfix now evaluates the Milter macros for an SMTP CONNECT event after the Postfix-to-Milter connection is negotiated. Problem reported by David Bürgin.
Bug (introduced: Postfix 3.0): sanitize (remote) server responses before storing them in the verify database, to avoid Postfix warnings about malformed UTF8. Found during code maintenance.
upstream changes:
-----------------
Fix for an Exim interoperability problem when postscreen after-220 checks
are enabled. Bug introduced in Postfix 3.4: the code that detected
"PIPELINING after BDAT" looked at the wrong variable. The warning now says
"BDAT without valid RCPT", and the error is no longer treated as a command
PIPELINING error, thus allowing mail to be delivered. Meanwhile, Exim has
been fixed to stop sending BDAT commands when postscreen rejects all RCPT
commands.
Usability bug, introduced in Postfix 3.4: the parser for key/certificate
chain files rejected inputs that contain an EC PARAMETERS object. While
this is technically correct (the documentation says what types are allowed)
this is surprising behavior because the legacy cert/key parameters will
accept such inputs. For now, the parser skips object types that it does not
know about for usability, and logs a warning because ignoring inputs is not
kosher.
Bug introduced in Postfix 2.8: don't gratuitously enable all after-220
tests when only one such test is enabled. This made selective tests
impossible with 'good' clients. This will be fixed in older Postfix
versions at some later time.
upstream changes:
-----------------
* Robustness: the tlsproxy(8) daemon could go into a loop, logging a flood of
error messages. Problem reported by Andreas Schulze after enabling SMTP/TLS
connection reuse.
* Workaround: OpenSSL changed an SSL_Shutdown() non-error result value into an
error result value, causing logfile noise.
* Configuration: the new 'TLS fast shutdown' parameter name was implemented
incorrectly. The documentation said "tls_fast_shutdown_enable", but the code
said "tls_fast_shutdown". This was fixed by changing the code, because no-one
is expected to override the default.
* Performance: workaround for poor TCP loopback performance on LINUX, where
getsockopt(..., TCP_MAXSEG, ...) reports a bogus TCP maximal segment size that
is 1/2 to 1/3 of the real MSS. To avoid client-side Nagle delays or
server-side delayed ACKs caused by multiple smaller-than-MSS writes, Postfix
chooses a VSTREAM buffer size that is a small multiple of the reported bogus
MSS. This workaround increases the multiplier from 2x to 4x.
* Robustness: the Postfix Dovecot client could segfault (null pointer read) or
cause an SMTP server assertion to fail when talking to a fake Dovecot server.
The Postfix Dovecot client now logs a proper error instead. Problem reported
by Tim Düsterhus.
pkgsrc changes:
---------------
* change COMMENT to make pkglint happy (inspired by http://www.postfix.org/)
* update PLIST using make print-PLIST (missing @pkgdir)
upstream changes:
-----------------
20181125
Cleanup: dict_file_to_xxx() takes a list of file names
separated by CHARS_COMMA_SP. Shoe-horned into the existing
API, make it nicer when there is time. File: util/dict_file.c.
20181127
Cleanup: encapsulated clumsy 'read into VSTRING' code with
easier-to-use vstream_fread_buf() and vstream_fread_app()
primitives. Files: global/memcache_proto.c, global/record.c,
global/smtp_stream.c, global/smtp_stream.h, global/uxtext.c,
global/xtext.c, milter/milter8.c, util/dict_file.c,
util/hex_quote.c, util/netstring.c, util/vstream.c,
util/vstream.h. Verified with "make tests".
Cleanup: simplified the smtp_fread() API (introduced for
BDAT support), and changed the name to smtp_fread_buf().
Files: global/smtp_stream.c, smtpd/smtpd.c. Verified with
~megabyte BDAT commands.
Cleanup: simplified a tlsproxy-internal API. File:
tlsproxy/tlsproxy.c.
20181128
Initial support for key/certificate chain files that will
replace the proliferation of separate parameters for
RSA/DSA/ECC/etc. key and certificate files. Viktor
Dukhovni.
20181201
Cleanup: replaced the remaining unsafe VSTRING_AT_OFFSET()
calls with safe vstring_set_payload_size() calls, in code
that directly writes into VSTRING. Files: tls/tls_session.c,
tlsmgr/tlsmgr.c, util/casefold.c, util/vstring.c, util/vstring.h,
xsasl/xsasl_cyrus_client.c.
Cleanup: postscreen_command_time_limit did not need to be
a 'raw' parameter. This makes "postconf -x" behavior more
consistent. Files: global/mail_params.h, postscreen/postscreen.c.
Documentation: added text that the following parameter
values are not subject to Postfix parameter $name expansion:
default_rbl_reply, command_execution_directory, luser_relay,
smtpd_reject_footer. These have their own documented $name
substitution mechanism. File: proto/postconf.proto.
20181202
Bugfix: posttls-finger reported an error for UNIX-domain
connections, even if they did not fail. Found by Coverity.
File: posttls-finger/posttls-finger.c.
20181208
Documentation: add even more redundancy to the rate-delay
description. File: proto/postconf.proto.
20181210
Cleanup: code deduplication. File: util/dict_file.c.
20181226
Cleanup: code deduplication and better encapsulation with
PSC_DEL_CLIENT_STATE() and PSC_DEL_SERVER_STATE() macros.
Files: postscreen/postscreen.h, postscreen/postscreen_state.c.
Documentation: POSTSCREEN_README did not describe the
postscreen_post_queue_limit, and attributed the wrong reject
message to the postscreen_pre_queue_limit. Problem reported
by Michael Orlitzky. File: proto/POSTSCREEN_README.html.
(20181226-nonprod) Compatibility: removed support for OpenSSL
1.0.1 (not supported since December 31, 2016) and earlier
releases. This eliminated a large number of #ifdefs with
bitrot workarounds. Viktor Dukhovni. Files: global/mail_params.h,
posttls-finger/posttls-finger.c, tls/tls.h, tls/tls_certkey.c,
tls/tls_client.c, tls/tls_dane.c, tls/tls_dh.c, tls/tls_misc.c,
tls/tls_proxy_client_scan.c, tls/tls_rsa.c, tls/tls_server.c,
tls/tls_session.c.
(20181226-nonprod) Use the OpenSSL 1.0.2 and later API for
setting ECDHE curves. Viktor Dukhovni. Files: tls/tls.h,
tls/tls_client.c, tls/tls_dh.c.
(20181226-nonprod) Documentation update for TLS support.
Viktor Dukhovni. Files: mantools/postlink, proto/TLS_README.html,
proto/postconf.proto, src/sendmail/sendmail.c, src/smtpd/smtpd.c.
20181229
Explicit maps_file_find() and dict_file_lookup() methods
that decode base64 content. Decoding content is not built
into the dict->lookup() method, because that would complicate
the implementation of map nesting (inline, thash), map
composition (pipemap, unionmap), and map proxying. For
consistency, decoding base64 file content is also not built
into the maps_find() method. Files: util/dict.h.
util/dict_file.c, global/maps.[hc], postmap/postmap.c.
20190106
Documentation: documented the SRC_RHS_IS_FILE flag in
dict_open.c, and updated the -F description in the postmap
manpage. Files: util/dict_open.c, postmap/postmap.c.
(20190106-nonprod) Feature: support for files that combine
multiple (key, certificate, trust chain) instances in one
file, to avoid separate files for RSA, DSA, Elliptic Curve,
and so on. Viktor Dukhovni. Files: .indent.pro,
global/mail_params.h, posttls-finger/posttls-finger.c,
smtp/lmtp_params.c, smtp/smtp.c, smtp/smtp_params.c,
smtp/smtp_proto.c, smtpd/smtpd.c, tls/tls.h, tls/tls_certkey.c,
tls/tls_client.c, tls/tls_proxy.h, tls/tls_proxy_client_print.c,
tls/tls_proxy_client_scan.c, tls/tls_proxy_server_print.c,
tls/tls_proxy_server_scan.c, tls/tls_server.c, tlsproxy/tlsproxy.c.
(20190106-nonprod) Create a second, no-key no-cert, SSL_CTX
for use with SNI. Viktor Dukhovni. Files: src/tls/tls.h,
src/tls/tls_client.c, src/tls/tls_misc.c, src/tls/tls_server.c.
(20190106-nonprod) Server-side SNI support. Viktor Dukhovni.
Files: src/global/mail_params.h, src/smtp/smtp.c,
src/smtpd/smtpd.c, src/tls/tls.h, src/tls/tls_certkey.c,
src/tls/tls_misc.c, src/tlsproxy/tlsproxy.c,
(20190106-nonprod) Configurable client-side SNI signal.
Viktor Dukhovni. Files: global/mail_params.h,
posttls-finger/posttls-finger.c, smtp/lmtp_params.c,
smtp/smtp.c, smtp/smtp.h, smtp/smtp_params.c, smtp/smtp_proto.c,
smtp/smtp_tls_policy.c, tls/tls.h, tls/tls_client.c,
tls/tls_proxy.h, tls/tls_proxy_client_print.c,
tls/tls_proxy_client_scan.c.
20190121
Logging: support for internal logging file, without using
syslog (it uses the new postlogd daemon instead). This
solves a usability problem for MacOS, may help getting
around systemd, and solves 99% of the problem for logging
to stdout in a container (hopefully we have 100% soon).
Enable by setting, for example, "maillog_file =
/var/log/postfix.log"). This works fine for daemons, and
with some limitations for non-daemon programs. See
RELEASE_NOTES for more details. Files: conf/master.cf,
conf/post-install, conf/postfix-files, conf/postfix-script,
mantools/postlink, proto/master, proto/postconf.proto,
global/mail_params.c, global/mail_params.h, global/mail_proto.h,
global/maillog_client.c, global/maillog_client.h,
master/dgram_server.c, master/event_server.c, master/mail_server.h,
master/master.c, master/master.h, master/master_ent.c,
master/master_listen.c, master/master_proto.h,
master/master_wakeup.c, master/multi_server.c,
master/single_server.c, master/trigger_server.c,
postalias/postalias.c, postconf/postconf_master.c,
postdrop/postdrop.c, postfix/postfix.c, postkick/postkick.c,
postlog/postlog.c, postlogd/postlogd.c, postmap/postmap.c,
postmulti/postmulti.c, postqueue/postqueue.c,
postsuper/postsuper.c, sendmail/sendmail.c, util/connect.h,
util/listen.h, util/logwriter.c, util/logwriter.h,
util/msg_logger.c, util/msg_logger.h, util/msg_output.c,
util/msg_output.h, util/unix_dgram_connect.c,
util/unix_dgram_listen.c.
Cleanup: cert/key/chain loading, plus unit tests to exercise
non-error and error cases. Viktor Dukhovni. Files: tls/*.pem,
tls*.pem.ref, tls/tls_certkey.c.
20190126
Safety: Postfix programs will log to either syslog or postlog
but not both; and postlogd forwards postlog logging to
syslog, when a configuration change removes the maillog_file
pathname, but some programs still use the old configuration.
Files: util/msg_syslog.[hc], util/msg_logger.c,
global/maillog_client.c, postlogd/postlogd.c,
Bugfix (introduced: Postfix 20110109, Postfix 2.10): watchdog
pipe file descriptor leak. This pipe provides one source
of liveness, data from this pipe is discarded, and therefore
this does not enable privilege escalation or DOS. File:
util/watchdog.c.
Feature: stdout logging support; requires "postfix start-fg"
and "maillog_file = /dev/stdout". Files: master/master.c,
conf/postfix-script.
20190127
Safety: when maillog_file is specified, 'postfix check' now
requires that the postlog service is enabled in master.cf.
Otherwise 'postfix start' etc. will log a fatal error. File:
conf/postfix-script.
Documentation: added policy_context example. File:
proto/SMTPD_POLICY_README.html.
20190128
Testing: run libtls tests under Valgrind. File tls/Makefile.in.
20190129
Safety: require that $maillog_file matches one of the
pathname prefixes specified in $maillog_file_prefixes. The
maillog file is created by root, and the prefixes limit the
damage from a single configuration error. Files:
global/mail_params.[hc], global/maillog_client.c.
20191201
Feature: "postfix logrotate" command with configurable
compression program and datestamp filename suffix. File:
conf/postfix-script.
20190202
Cleanup: log a warning when the client sends a malformed
SNI; log an info message when the client sends a valid SNI
that does not match the SNI lookup tables; update the
FORWARD_SECRECY_README logging examples. Viktor Dukhovni.
Files: proto/FORWARD_SECRECY_README.html, tls/tls.h,
tls/tls_client.c, tls/tls_misc.c.
20190208
Debugging: the master(8) daemon now logs a warning if a
master.cf entry is defined multiple times. File:
src/master/master_conf.c.
20190209
Debugging: tlsproxy(8) now logs more details about unexpected
configuration differences between the Postfix SMTP client
and the tlsproxy(8) daemon.
20190210
Documentation: Postfix 3.4.0 RELEASE NOTES.
Documentation: added BDAT_README.
Documentation: global TLS settings. Files: mantools/postlink,
smtp/smtp.c, tlsproxy/tlsproxy.c.
20190211
Cleanup: removed obsolete parameters: tls_dane_digest_agility,
tls_dane_trust_anchor_digest_enable; removed openssl_path
parameter from configuration difference checks in tlsproxy.
Files: global/mail_params.h, tls/tls_misc.c,
tls/tls_proxy_client_misc.c, tls/tls_proxy_client_print.c,
tls/tls_proxy_client_scan.c, tls/tls_proxy.h.
20190212
Cleanup: missing #ifdef USE_TLS. Files: smtp/smtp_session.c,
posttls-finger/posttls-finger.c.
20190217
Cleanup: when the master daemon runs with PID=1 (init mode),
reap orhpan processes from non-Postfix code running in the
same container, instead of terminating with a panic. File:
master/master_spawn.c.
20190218
Bugfix: tlsproxy did not enable DANE-style PKI because
libtls seems to have to accreted multiple init functions
instead of reusing the tls_client_init() and tls_client_start()
API. And some functions that do initialization don't even
have init in their name! Problem report by Andreas Schulze.
Viktor Dukhovni. Files: tls/tls_misc.c, tlsproxy/tlsproxy.c.
Workaround: Postfix libtls makes DANE-specific changes to
the shared SSL_CTX. To avoid false sharing, tlsproxy needs
to label the SSL_CTX cache with DANE bits until we can
remove the code that modifies SSL_CTX. File: tlsproxy/tlsproxy.c.
Cleanup: Postfix libtls changed the shared SSL_CTX to
override ciphers. instead of changing the SSL handle. To
avoid false sharing in tlsproxy, the changes are now made
to the SSL handle. Viktor Dukhovni. Files: tls/tls.h,
tls/tls_client.c, tls/tls_misc.c, tls/tls_server.c.
20190219
Bugfix: in the Postfix SMTP client, TLS wrappermode was not
tested in tlsproxy mode. It needed some setup for buffering
and timeouts. Problem report by Andreas Schulze. File:
smtp/smtp_proto.c.
20190304
Bugfix: a reversed test broke TLS configurations that specify
the same filename for a private key and certificate. Reported
by Mike Kazantsev. Fix by Viktor Dukhovni. Wietse fixed the
test. Files: tls/tls_certkey.c, tls/Makefile.in.
20190310
Bitrot: LINUX5s support, after some sanity checks with a
rawhide prerelease version. Files: makedefs, util/sys_defs.h.
Bugfix (introduced: 20181226): broken DANE trust anchor
file support, caused by left-over debris from the 20181226
TLS library overhaul. By intrigeri. File: tls/tls_dane.c.
Bugfix (introduced: Postfix-1.0.1): null pointer read, while
logging a warning after a corrupted bounce log file. File:
global/bounce_log.c.
Bugfix (introduced: Postfix-2.9.0): null pointer read, while
logging a warning after a postscreen_command_filter read
error. File: postscreen/postscreen_smtpd.c. global/bounce_log.c
20190312
Bugfix (introduced: Postfix 2.2): reject_multi_recipient_bounce
has been producing false rejects starting with the Postfix
2.2 smtpd_end_of_data_restrictons, and for the same reasons,
does the same with the Postfix 3.4 BDAT command. The latter
was reported by Andreas Schulze. File: smtpd/smtpd_check.c.
20190319
With message_size_limit=0 (which is NOT DOCUMENTED), BDAT
chunks were always rejected as too large. File: smtpd/smtpd.c
20190328
Bugfix (introduced: Postfix 3.0): LMTP connections over
UNIX-domain sockets were cached but not reused, due to a
cache lookup key mismatch. Therefore, idle cached connections
could exhaust LMTP server resources, resulting in two-second
pauses between email deliveries. This problem was investigated
by Juliana Rodrigueiro. File: smtp/smtp_connect.c.
20190331
Documentation: tlsext_padding is not a tls_ssl_options
feature. File: proto/postconf.proto.
20190401
Portability: added "#undef sun" to util/unix_dgram_connect.c.
20190403
Bugfix (introduced: Postfix 2.3): a censoring filter broke
multiline Milter responses for header/body events. Problem
report by Andreas Thienemann. Files: util/printable.c,
util/stringops.h, smtpd/smtpd.c
Bugfix (introduced: Postfix 3.3): "smtp_mx_address_limit =
0" no longer meant 'unlimited'. Problem report by Luc Pardon.
File: smtp/smtp_addr.c.
20190615
Documentation: updated the BUGS section in the smtp(8) manpage
about TLS connection reuse. File: smtp/smtp.c.
Workaround for implementations that hang Postfix while
shutting down a TLS session, until Postfix times out. With
"tls_fast_shutdown_enable = yes" (the default), Postfix no
longer waits for the TLS peer to respond to a TLS 'close'
request. This is recommended with TLSv1.0 and later. Files:
global/mail_params.h, tls/tls_session.c, and documentation.
20190621
Bugfix (introduced: Postfix 3.0): the code to reset Postfix
SMTP server command counts was not called after a HaProxy
handshake failure, causing stale numbers to be reported.
The command counts are now reset in the function that reports
the counts. File: smtpd/smtpd.c.
This announcement concerns fixes for problems that were introduced
with Postfix 3.0 and later. This is the final update for Postfix
3.0.
Fixed in Postfix 3.3 and later:
* When the master daemon runs with PID=1 (init mode), it will now
reap child processes from non-Postfix code running in the same
container, instead of terminating with a panic. Reported by
Tamas Gerczei.
Fixed in Postfix 3.0 and later:
* With smtputf8_enable=yes, table lookups could casefold the
search string when searching a lookup table that does not use
fixed-string keys (regexp, pcre, tcp, etc.).
* With the posttls-finger test program, connections to unix-domain
servers always resulted in "Failed to establish session" even
after a connection was established. Reported by Jaroslav Skarva.
Changes for all supported stable releases:
* Support for OpenSSL 1.1.1, and support for TLSv1.3-specific
features.
- Updated Postfix TLS documentation examples for TLSv1.3. See
FORWARD_SECRECY_README.
- New TLSv1.3-specific attributes in Postfix logging and in
Postfix "Received:" message headers: key exchange, server
signature, client signature.
- New option to selectively disable TLSv1.3 in *_tls_protocols
settings.
- New server-side support to avoid issuing multiple session
tickets.
- New support to allow OpenSSL >= 1.1.0 run-time micro version
bumps without logging Postfix warnings about library version
mismatches.
Fixed in all stable releases:
* Bugfix: smtpd_discard_ehlo_keywords could not disable "SMTPUTF8",
because some lookup table was using "EHLO_MASK_SMTPUTF8" instead.
* Bugfix: minor memory leak in DANE support when minting issuer
certs. This affects a tiny minority of use cases.
Fixed in Postfix 3.3.2:
* Bugfix: the Postfix build did not abort if the m4 command was
not installed, resulting in a broken postconf command.
[An on-line version of this announcement will be available at
http://www.postfix.org/announcements/postfix-3.3.1.html]
Fixed in Postfix 3.3:
* Postfix did not support running as a PID=1 process, which
complicated Postfix deployment in containers. The "postfix
start-fg" command will now run the Postfix master daemon as a
PID=1 process if possible. Thanks for inputs from Andreas
Schulze, Eray Aslan, and Viktor Dukhovni.
* Segfault in the postconf(1) command after it could not open a
Postfix database configuration file due to a file permission
error (dereferencing a null pointer). Reported by Andreas
Hasenack, fixed by Viktor Dukhovni.
Fixed in Postfix 3.3, 3.2, 3.1, 3.0:
* The luser_relay feature became a black hole, when the luser_relay
parameter was set to a non-existent local address (i.e. mail
disappeared silently). Reported by J?rgen Thomsen.
* Missing error propagation in the tlsproxy(8) daemon could result
in a segfault after TLS handshake error (dereferencing a
0xffff...ffff pointer). This daemon handles the TLS protocol
when a non-whitelisted client sends a STARTTLS command to
postscreen(8).
Postfix stable release 3.3.0 is available. This release ends support
for legacy release Postfix 2.11.
The main changes are:
* Dual license: in addition to the historical IBM Public License
1.0, Postfix is now also distributed with the more recent Eclipse
Public License 2.0. Recipients can choose to take the software
under the license of their choice. Those who are more comfortable
with the IPL can continue with that license.
* The postconf command now warns about unknown parameter names
in a Postfix database configuration file. As with other unknown
parameter names, these warnings can help to find typos early.
* Container support: Postfix 3.3 will run in the foreground with
"postfix start-fg". This requires that Postfix multi-instance
support is disabled (the default). To collect Postfix syslog
information on the container's host, mount the host's /dev/log
socket into the container, for example with "docker run -v
/dev/log:/dev/log ...other options...", and specify a distinct
Postfix syslog_name setting in the container (for example with
"postconf syslog_name=the-name-here").
* Milter support: applications can now send RET and ENVID parameters
in SMFIR_CHGFROM (change envelope sender) requests.
* Postfix-generated From: headers with 'full name' information
are now formatted as "From: name <address>" by default. Specify
"header_from_format = obsolete" to get the earlier form "From:
address (name)".
* Interoperability: when Postfix IPv6 and IPv4 support are both
enabled, the Postfix SMTP client will now relax MX preferences
and attempt to schedule similar numbers of IPv4 and IPv6
addresses. This works around mail delivery problems when a
destination announces lots of primary MX addresses on IPv6, but
is reachable only over IPv4 (or vice versa). The new behavior
is controlled with the smtp_balance_mx_inet_protocols parameter.
* Compatibility safety net: with compatibility_level < 1, the
Postfix SMTP server now warns for mail that would be blocked
by the Postfix 2.10 smtpd_relay_restrictions feature, without
blocking that mail. There still is a steady trickle of sites
that upgrade from an earlier Postfix version.
Update mail/postfix to 3.2.5.
[An on-line version of this announcement will be available at
http://www.postfix.org/announcements/postfix-3.2.4.html]
This announcement concerns fixes for problems that were introduced
with Postfix 3.0 and later. Older supported releases are unaffected.
Fixed in Postfix 3.1 and later:
* DANE interoperability. Postfix builds with OpenSSL 1.0.0 or
1.0.1 failed to send email to some sites with "TLSA 2 X X" DNS
records associated with an intermediate CA certificate. Problem
report and initial fix by Erwan Legrand.
Fixed in Postfix 3.0 and later:
* Missing dynamicmaps support in the Postfix sendmail command.
This broke authorized_submit_users settings that use a
dynamically-loaded map type. Problem reported by Ulrich Zehl.
[An on-line version of this announcement will be available at
http://www.postfix.org/announcements/postfix-3.2.4.html]
This announcement concerns fixes for problems that were introduced
with Postfix 3.0 and later. Older supported releases are unaffected.
Fixed in Postfix 3.1 and later:
* DANE interoperability. Postfix builds with OpenSSL 1.0.0 or
1.0.1 failed to send email to some sites with "TLSA 2 X X" DNS
records associated with an intermediate CA certificate. Problem
report and initial fix by Erwan Legrand.
Fixed in Postfix 3.0 and later:
* Missing dynamicmaps support in the Postfix sendmail command.
This broke authorized_submit_users settings that use a
dynamically-loaded map type. Problem reported by Ulrich Zehl.
[An on-line version of this announcement will be available at
http://www.postfix.org/announcements/postfix-3.2.3.html]
This announcement concerns fixes for problems that were introduced
with Postfix 3.2. Older releases are unaffected.
Fixed in Postfix 3.2 and later:
* Extension propagation was broken with "recipient_delimiter = .".
This change reverts a change that was trying to be too clever.
* The postqueue command would abort with a panic message after it
experienced an output write error while listing the mail queue.
This change restores a write error check that was lost with the
Postfix 3.2 rewrite of the vbuf_print formatter.
* Restored sanity checks for dynamically-specified width and precision
in format strings (%*, %.*, and %*.*). These checks were lost with
the Postfix 3.2 rewrite of the vbuf_print formatter.
pkgsrc change: Add support for NetBSD 8.
This announcement (June 13, 2017) includes changes that were released
with an earlier update (June 10, 2017). The announcement was postponed
to avoid confusion due to repeated notification.
Fixed in all supported releases:
* Security: Berkeley DB versions 2 and later try to read settings
from a file DB_CONFIG in the current directory. This undocumented
feature may introduce undisclosed vulnerabilities resulting in
privilege escalation with Postfix set-gid programs (postdrop,
postqueue) before they chdir to the Postfix queue directory,
and with the postmap and postalias commands depending on whether
the user's current directory is writable by other users. This
fix does not change Postfix behavior for Berkeley DB versions
< 3, but it does reduce postmap and postalias 'create' performance
with Berkeley DB versions 3.0 .. 4.6.
Fixed in Postfix 3.2 and later:
* The SMTP server receive_override_options were not restored at
the end of an SMTP session, after the options were modified by
an smtpd_milter_maps setting of "DISABLE". Milter support
remained disabled for the life time of the smtpd process.
* After the Postfix 3.2 address/domain table lookup overhaul, the
check_sender_access and check_recipient_access features ignored
a non-default parent_domain_matches_subdomains setting.
- Elliptic curve negotiation with OpenSSL >= 1.0.2. This changes the
default smtpd_tls_eecdh_grade setting to "auto", and introduces a
new parameter tls_eecdh_auto_curves with the names of curves that may
be negotiated.
- Stored-procedure support for MySQL databases.
- Cidr: table support for if/endif and negation (by prepending ! to a
pattern), just like regexp: and pcre: tables. See the cidr_table(5)
manpage for details.
- The postmap command and the inline: and texthash: maps now support
spaces in left-hand field of lookup table source text. Use double
quotes (") around a left-hand field that contains spaces, and use
backslash (\) to protect quotes in a left-hand field.
- Support for per-client Milter configuration (smtpd_milter_maps) that
overrides the main.cf smtpd_milters setting, and that has the same
syntax. A lookup result of "DISABLE" turns off Milter support for that
client.
- The local SMTP server IP address and port are available in the
policy delegation protocol (attribute names: server_address,
server_port), in the Milter protocol (macro names: {daemon_addr},
{daemon_port}), and in the XCLIENT protocol (attribute names:
DESTADDR, DESTPORT).
- For safety reasons, the Postfix sendmail -C option must specify an
authorized directory: the default configuration directory, a
directory that is listed in the default main.cf file with
alternate_config_directories or multi_instance_directories, otherwise
the command must be invoked with root privileges. This mitigates a
recurring "jail break" problem with the PHP mail() function.
- "PASS" and "STRIP" actions in header/body_checks. "STRIP" is similar
to "IGNORE" but also logs the action, and "PASS" disables header,
body, and Milter inspection for the remainder of the message content.
- The collate.pl script by Viktor Dukhovni for grouping Postfix
logfile records into "sessions" based on queue ID and process ID
information, in the auxiliary/collate directory of the Postfix source
tree.
Disabled or removed behavior:
- SMTPUTF8 support: Postfix 3.2 disables the 'transitional'
compatibility between the IDNA2003 and IDNA2008 standards for
internationalized domain names (domain names beyond the limits of
US-ASCII). This makes Postfix behavior consistent with contemporary
web browsers.
- Postfix 3.2 removes tentative features that were implemented before
the DANE spec was finalized: support for certificate usage
PKIX-EE(1), the ability to disable digest agility, and the ability to
disable support for "TLSA 2 [01] [12]" records that specify the digest
of a trust anchor.
LD_LIBRARY_PATH is not propagated when set with env, e.g.:
env LD_LIBRARY_PATH=path/to/lib ./script.sh
will not work (other variable names work correctly).
Postfix stable release 3.1.4 is available, as well as legacy releases
3.0.8 and 2.11.9. There will be no further updates for Postfix 2.10.
Fixed with Postfix 3.1.4, 3.0.8, and 2.11.9:
* The postscreen daemon did not merge the client test status
information for concurrent sessions from the same IP address.
Thus, after one session recorded its successful tests in the
postscreen cache, a concurrent session from that same IP address
that passed fewer tests could later "wipe out" some of that
progress in the postscreen cache. The fix has proven itself for
five months in the development release, and should be safe to
use in the stable releases.
* The Postfix SMTP server falsely rejected a sender address when
validating a sender address with "smtpd_reject_unlisted_recipient
= yes" or with "reject_unlisted_sender". Cause: the address
validation code did not query sender_canonical_maps.
* The virtual delivery agent did not detect failure to skip to
the end of a mailbox file, so that mail would be delivered to
the beginning of the file. This could happen when a mailbox
file was already larger than the virtual mailbox size limit.
* The postsuper command logged an incorrect rename operation count
after creating a missing directory.
Fixed with Postfix 3.1.4 and 3.0.8:
* The Postfix SMTP server falsely rejected mail when a sender-dependent
"error" transport was configured. Cause: the SMTP server address
validation code was not updated when the
sender_dependent_default_transport_maps feature was introduced.
The fix has proven itself for six months in the development
release, and should be safe to use in the stable releases.
Unfortunately, Postfix 2.11 is too different to benefit from
the same fix.
* The Postfix SMTP server falsely rejected an SMTPUTF8 sender
address, when "smtpd_delay_reject = no".
Fixed with Postfix 3.1.4:
* The "postfix tls deploy-server-cert" command used the wrong
certificate and key file. This was caused by a cut-and-paste
error in the postfix-tls-script file.
Fixed with Postfix 3.1.3 and 3.0.7:
* The Postfix SMTP server did not reset a previous session's
failed/total command counts before rejecting a client that
exceeds request or concurrency rates. This resulted in incorrect
failed/total command counts being logged at the end of the
rejected session.
* The unionmap multi-table interface did not propagate table
lookup errors, resulting in false "user unknown" responses.
* The documentation was updated with a workaround for false "not
found" errors with MySQL map queries that contain UTF8-encoded
text. The workaround is to specify "option_group = client" in
Postfix MySQL configuration files. This will be the default
setting with Postfix 3.2 and later.
3.1.0
The main changes in no particular order are:
* "postfix tls" command to simplify setup of opportunistic TLS,
and to simplify SMTP server key/certificate management.
* Positive and negative DNS reply TTL support in postscreen(8).
* SASL AUTH rate limit in the Postfix SMTP server.
* A safety limit on the number of address verify requests.
* JSON-format Postfix queue listing.
* Destination-independent delivery rate delay
For details, see the RELEASE_NOTES file.
3.1.1
Fixed in all supported releases:
* The Milter "replace sender" (SMFIR_CHGFROM) request lost an
address that was added with sender_bcc_maps, resulting in a
"rcpt count mismatch" warning. Reported by Joerg Backschues.
This defect was introduced with Postfix 2.6.
* The "bad filetype" example in the header_checks(5) manpage
falsely rejected Content- headers with ``name="example";
x-apple-part-url="example.com"''. Reported by Cedric Knight.
This defect was introduced with Postfix 2.6.
3.1.2
Fixed with Postfix 3.1.2:
* Changes to make Postfix build with OpenSSL 1.1.0.
Fixed with Postfix 3.1.2 and 3.0.6:
* The makedefs script ignored readme_directory=pathname overrides.
Fix by Todd C. Olson.
* The tls_session_ticket_cipher documentation says that the default
cipher for TLS session tickets is aes-256-cbc, but the implemented
default was aes-128-cbc. Note that TLS session ticket keys are
rotated after 1/2 hour, to limit the impact of attacks on session
ticket keys.
Very surprisingly, postfix's build hard-codes shared library behavior
in a giant case statement not only per OS but per version, essentially
open-coding libtool while not being complete. This commit copies the
netbsd-6 flags to netbsd-5, as a minimal change during the freeze to
let this build on netbsd-5 (where it then works fine).
Database and regexp map functionality is now split into separate packages:
- postfix-cdb
- postfix-ldap
- postfix-lmdb
- postfix-mysql
- postfix-pcre
- postfix-pgsql
- postfix-sqlite
Upstream changelog follows.
Postfix 3.0.2
-------------
No delta against 2.11.6.
Postfix 3.0.1
-------------
- Build error when compiling the Postfix SMTP server with SASL support
but no TLS support.
- The DNS "resource record to text" converter, used for xxx_dns_reply_filter
pattern matching, appended a '.' to TXT record resource values.
- The postscreen(8) manpage specified an incorrect Postfix version number
for the postscreen_dnsbl_timeout parameter.
- The postfix-install script expanded macros in parameter values when
trying to detect parameter overrides, causing unnecessary main.cf updates
during "postfix start" etc.
- Some low-level cleanup of UTF-8 string handling with no visible change
in behavior (besides better performance).
Postfix 3.0.0
-------------
- SMTPUTF8 support for internationalized domain names and address
localparts as defined in RFC 6530 and related documents.
- Support for Postfix dynamically-linked libraries and database plugins.
- An OPT-IN safety net for the selective adoption of new Postfix default
settings. If you do nothing, the old Postfix default settings *should*
remain in effect (complain to your downstream maintainer if that is not
the case).
- Support for operations on multiple lookup tables. The
pipemap:{map1,map2...} database type implements a pipeline of lookup
tables where the result from one lookup table becomes a query for
the next table; the unionmap:{map1,map2,...} database type sends the
With all supported Postfix releases, the default settings have been
updated so that they no longer enable export-grade ciphers, and no
longer enable the SSLv2 and SSLv3 protocols. These ciphers and
protocols have little if any legitimate use today, and have instead
become a vehicle for downgrade attacks. There are no other code
changes.
Postfix documentation has been updated to reflect the new default
settings and their rationale; the RELEASE_NOTES give suggestions
for how to enable the old ciphers and protocols if your infrastructure
requires them.
Finally, abandoning deprecated ciphers and protocols does not really
improve TLS security without measures to better authenticate remote
servers. Secure DNS and TLSA are steps in that direction.
Fixed in Postfix 3.0 and 2.11:
* Preparation for OpenSSL 1.2 API changes.
Fixed in all supported releases:
* The sender_dependent_relayhost_maps feature ignored the relayhost
setting in the case of a DUNNO lookup result. It would use the
recipient domain instead.
Postfix 2.11.4 only:
* Fix a core dump when smtp_policy_maps specifies an invalid TLS
level.
* Fix a missing " in \%s\", in postconf(1) fatal error messages,
which violated the C language spec. Reported by Iain Hibbert.
All supported releases:
* Stop excessive recursion in the cleanup server while recovering
from a virtual alias expansion loop. Problem found at Two Sigma.
* Stop exponential memory allocation with virtual alias expansion
loops. This came to light after fixing the previous problem.
Bugfix for Postfix 2.11, 2.10, 2.9 and 2.8:
* Fix for configurations that prepend message headers with Postfix
access maps, policy servers or Milter applications. Postfix now
hides its own Received: header from Milters and exposes prepended
headers to Milters, regardless of the mechanism used to prepend
a header. This fix reverts a partial solution that was released
on October 13, 2014, and replaces it with a complete solution.
Portability fix for Postfix 2.11:
* Portability fix for MacOS X 10.7.x (Darwin 11.x) build procedure.
Bugfixes for Postfix 2.11, 2.10, 2.9 and 2.8:
* Fix for DMARC implementations based on SPF policy plus DKIM
Milter. The PREPEND access/policy action added headers ABOVE
Postfix's own Received: header, exposing Postfix's own Received:
header to Milters (protocol violation) and hiding the PREPENDed
header from Milters. PREPENDed headers are now added BELOW
Postfix's own Received: header and remain visible to Milters.
* The Postfix SMTP server logged an incorrect client name in
reject messages for check_reverse_client_hostname_access and
check_reverse_client_hostname_{mx,ns}_access. They replied with
the verified client name, instead of the name that was rejected.
* The qmqpd daemon crashed with null pointer bug when logging a
lost connection while not in a mail transaction.
