- File corruption while executing a Milter "header insert" action
with headers-only mail (found with dk-filter). Delivery agents
would go into an infinite loop because some queue file update
had been done in the wrong order. As a precaution, delivery
agents now detect such loops, and the queue manager now saves
such mail to the "corrupt" directory.
- Segmentation fault in the SMTP client while saving a cached
connection with unsent data. Postfix indexed some table with -1,
because some I/O cleanup had been done in the wrong order. The
same problem should exist in Postfix 2.2.
- Postfix no longer announces its name in delivery status notifications.
All other details of the default bounce text remain unchanged.
The reason for this change is that too many people believe that
Wietse provides a free helpdesk service that solves all their
email problems.
- Corrupted queue file after a request to modify a short message
header, when that header was the last one in the message.
- Panic after spurious Milter request when a client was rejected
with "smtpd_delay_reject = no".
- The Milter client is now more tolerant for redundant "data cleanup"
requests. This avoids panic() calls for harmless conditions.
Main changes in TLS support:
- The Postfix SMTP client enforced mandatory TLS only when talking
to an ESMTP server; enforcement did not happen if Postfix could
somehow be forced to send HELO instead of EHLO. This problem also
exists in Postfix 2.2, where it is is fixed with Postfix 2.2
patch 11. This is minor compared to the DNS spoofing issues that
were fixed with Postfix 2.2.10.
- Workaround for an interoperability problem introduced with Postfix
2.3. Some buggy TLS client implementations were unable to deliver
mail because the Postfix SMTP server didn't send a TLS session
ID. To disable the workaround specify "smtpd_tls_always_issue_session_ids
= no"; this allows non-buggy TLS clients to save some space.
Main changes in Milter support:
- Safety measure. After "postsuper -r", mail is no longer inspected
by the Milters specified with the non_smtpd_milters parameter.
This measure prevents a bad interaction with external content
filters: Milters would receive incorrect SMTP client information,
and could be tricked into signing or allowing untrusted messages.
This change does not affect Milter applications that run behind
an after-queue content filter. The behavior is detailed in the
postsuper(1) manual page.
This is the first version in the 2.3.x series, please see the release notes
for full list of changes since 2.2.x before upgrading your current
installation.
$smtp_sasl_security_options (as documented in postconf(5)) instead of
$var_smtp_sasl_opts, which is never defined. This is a bug that exists
in the Postfix-2.2.x series but has been fixed in the (current)
Postfix-2.3.x series. This fixes PR pkg/29631 by Christoph Badura.
Bump the PKGREVISION to 1.
- "sendmail -t" did not remove the CR from lines ending in CRLF.
- Workaround for fatal errors in PCRE maps when an expression in
() matches empty text (the PCRE library returns an inappropriate
error code).
- Fixes for non-security bugs that Coverity found in code that
handles impossible error conditions.
- install PREFIX/sbin/qshape
Updated postfix to 2.2.9
Most of this patch hardens the TLS implementation against DNS-based
attacks, and eliminates some anomalies from the TLS per-site policy
engine. See the TLS_README document for tips on how to avoid
DNS-based attacks that can change the server hostname that Postfix
uses for logging, for TLS per-site policies, and for server
certificate verification.
The patch also adds a workaround that prevents Postfix from repeatedly
trying to deliver mail to domains with a malformed MX record (for
example, with a null MX hostname). Postfix 2.2.9 bounces such mail
immediately.
Postfix 2.2.8 backs out a workaround for broken servers/firewalls
that created more problems than it solved.
- The Postfix 2.2.6 paranoia about malformed remote server replies
caused "multiple delivery" problems or "no delivery" problems with
broken servers/firewalls. Postfix still logs a warning but no longer
defers delivery.
Postfix 2.2.5 addresses some portability problems with LP64 platforms
that broke SMTP connection caching, and makes SMTP connection
caching more failure tolerant. These fixes are back-ported from
the experimental (2.3) release series.
The connection caching protocol has changed, so you will need to
"postfix reload" after upgrading.
20050517
Bugfix: in a DSN report, the original recipient should not
be xtext encoded. File: bounce/bounce_notify_util.c.
20050523
Bugfix: mymalloc() panic with mistyped server host list.
File: global/dict_pgsql.c.
20040530
Bugfix: TLS MUST_NOPEERMATCH didn't work (inherited from
TLS patch), and a dangling pointer in the corresponding
error handling. File: smtp/smtp_proto.c.
20050615
Cleanup: the SMTP client now sends QUIT when the initial
HELO handshake fails. it still doesn't send QUIT when the
server greets with a [45]XX code, as that is handled in the
connection management code before a session context exists.
File: smtp/smtp_connect.c.
20050616
Bugfix: missing or mis-placed va_end() macros, found in
Postfix 2.3 code review. Files: util/netstring.c,
util/myaddrinfo.c, util/attr_clnt.c, util/vstream.c.
20050621
Portability: file descriptor passing is available for Tru64
UNIX, but AIX4 and IRIX6 will have to do without. This means
no SMTP connection caching for those platforms. Albert
Chin. File: util/sys_defs.h.
- SASL inter-operability problem causing Sendmail servers to hang up on Postfix.
- Panic when a fall-back relay could not be used for a variety of reasons.
- A more usable REPLACE action in header/body_checks. The old
version produced unexpected results.
- Portability to HP-UX.
- Two harmless defects in the SMTP and LMTP clients that go back
to before the first Postfix release, and that were found while
doing code maintenance on the experimental release.
New features since 2.1.x:
- built-in IPv6 and TLS (we no longer use patches--beware config changes!)
- more sophisticated LDAP/MySQL/PostgreSQL support, with freeform queries
- SMTP client-side connection reuse
- by default, no longer rewrite message headers in mail from remote clients
- can use your ISP account name for mail destined outside your machine
- can selectively turn off ESMTP features in client or server
- remote SMTP client resource control (the anvil server)
- support for CDB, SDBM and NIS+ databases is now built into Postfix
- new SMTP access control features
- and more
Caution:
- You MUST stop 2.1.x and earlier versions before upgrading.
- Use the postfix upgrade program to upgrade your main.cf/master.cf.
type. All platforms now support the "hash" map type as a result.
Remove the explicit dependencies on db4 and db2 on non-Linux and Linux,
respectively. Bump the PKGREVISION.
- The code to eliminate the local MTA from an MX address list did
not handle the case that the local MTA could appear with different
MX preferences in both inet_interfaces and proxy_interfaces.
- The SMTP server's kiss-of-death message "421 Timeout exceeded"
wasn't guarded by setjmp().
- The SMTP server didn't update the per-session error counter when
a client was denied access with smtpd_delay_reject=no.
- The Postfix sendmail command leaked file descriptors when it was
unable to execute the postdrop mail submission command.
- The bounce daemon sent the wrong type of bounce message when a
- Plus some portability, safety and documentation fixes.
<nameser8_compat.h> before <resolv.h> if it's defined.
Along with Johnny's recent buildlink3 fixes, this fixes the build
for me on Mac OS X Server 10.3.4. Should address pkg/26584.
framework and also by explicitly specifying more default values for
Postfix parameters. Also pass -I/usr/pkg/include/sasl to the compiler
when building using Cyrus SASLv2, which allows me to remove the patches
that added an unnecessary USE_SASL2_AUTH check.
* Bugfix: Misplaced myfree() caused a small memory leak.
* Removed the colon (:) from the characters XFORWARD replaces by
a question mark (IPv6 addresses looked like 2001?610?1108?5010?1
in logging).
- The postdrop mail submission command could die with SIGHUP and
abort mail submission. This was observed with mail from cron jobs.
- The MySQL client aborted with complaints about multiple attempts
to register the same lookup table. This was observed in the proxymap
daemon.
- As a workaround for agressive SMTP command pipelining clients,
the Postfix SMTP server now allows SMTP clients to overshoot the
SMTP server recipient limit without triggering the server hard
error limit, as long as the number of excess recipients stays within
a hard-coded overshoot limit of 1000. If you have such clients then
you also need to specify "smtpd_error_sleep_time = 0" or else
performance will be poor.
- The LMTP client attempted to reuse a connection after timeout,
causing protocol synchronization errors.
- The trivial-rewrite server could core dump after temporary table
lookup failure. This was not observed in Postfix 2.0.
- When mail is submitted at a high rate with the Postfix sendmail
command, the pickup daemon is keps busy long enough that it it
terminated by the watchdog timer (a feature that prevents Postfix
from locking up permanently).
- Malformed addresses in SMTP commands could result in table looks
with zero-length search strings, causing trouble with NIS lookups.
- A change in the line reading routines caused unexpected results
with lines ending in EOF. This change is undone.
- A portability problem with the test command ("test -e" is not
supported on older systems, while "test -f" does the job).
- Portability to MacOSX: Bind8 compatibility, core dumps in mailq
and postdrop, and changes in netinfo support.
- Elimination of some DNS lookup problems in third-party library
routines (typically resulting in localhost not being found).
- More agressive delivery to sites that defer a lot of mail.
- Correction of a few obscure error messages.
- Several small documentation fixes.
- Minor fixes for robustness problems that no-one has experienced.
- After "postfix reload", the master daemon now warns when the
inet_interfaces parameter setting has changed, and ignores the
change, instead of passing incorrect information to the smtp
server.
- After the postdrop command change with Postfix 2.0.11, the postcat
command no longer recognized "maildrop" queue files as valid.
- Mail could bounce when two messages were delivered simultaneously
to a non-existent mailbox file. The safe_open() code that prevents
race condition exploits will now try a little harder when it
actually encounters a race condition.
- Updated the IPv6 patch.
- Stricter smtpd input checks rejected invalid addresses starting with @.
- Stricter postdrop input checks broke "sendmail -bs".
- New "postcat -q" (search the queue for the named file) support
from snapshot release because I can no longer see people suffer.
- Allow <@site,@site:address> route addresses in SMTP commands.
This address form was deprecated years ago.
- "sendmail -q<time>" without -bd option now exits immediately,
instead of waiting for input and screwing up system boot sequences.
- The Postfix LMTP client used the wrong service name, causing
trouble with SASL 2.1.13.
- Turned off non-blocking write to pipe because too many systems
gave an unexpected write() result, causing partial delivery of
messages to commands like procmail.
- Ugly but harmless warnings from nqmgr after "postsuper -r" to
requeue files that already had some recipients delivered.
- The proxy_read_maps parameter did not recognize "," as separator.
- The local delibery agent now defers delivery after .forward etc.
file read error.
- The message_size_limit was applied when running "newaliases",
so that the result alias database could be truncated on systems
with very small message size limits.
The official release changes for bugfixes and portability issues only.
as samples, either by the user or by bsd.pkg.install.mk.
- Correctly handle configuration files, that is, avoid touching the conf
directory directly.
- Use OWN_DIRS to handle the spool directory.
- Run post-install through an INSTALL script.
- Sort PLIST after all these changes.
- Bump PKGREVISION to 1.
- The SMTP client did not deliver a partial last line when someone
submitted 8BITMIME mail not ending in newline via /usr/sbin/sendmail
while MIME input processing was turned off, and MIME 8bit->7bit
conversion was requested upon delivery.
- Postfix processes now abort when given a net/mask pattern with
a non-zero host portion (for example, 168.100.189.2/28), instead
of risking to become an open mail relay.
- Workaround for file system clock drift that caused Postfix to
ignore new mail (this could happen with queue file systems mounted
from a server).
Postfix 2.0 patchlevel 6 intends to protect vulnerable Sendmail
systems against exploitation of a remote buffer overflow problem
that is described in CERT advisory CA-2003-07.
- Postfix now truncates non-address information in message address
headers (comments, etc.) to 250 characters per address. This should
rarely present a problem. Reportedly, junk mail from poorly written
software can trigger the protection, but that is no great loss.
- Some little fixes to documentation.
- The SMTP server's hard and soft error limits were off by one.
With "smtpd_hard_error_limit = 1", Postfix will now disconnect
after the first error, instead of the second one.
- The proxymap server could deadlock when the mydestination parameter
setting included a proxymapped lookup table.
- Some little fixes to documentation.
- The format of maildir filenames is synchronized with the present
version of the maildir definition document. This format was already
adopted by the 20030126 snapshot release.
- The time limit on delivery to external commands was not enforced.
This was broken probably some time before the first public Postfix release.
- Duplicate elimination after virtual alias expansion works again.
This was broken with the introduction of the original recipient attribute.
- The local pickup daemon dropped incomplete records from local
submissions. This was broken somewhere in the middle of 2002.
configuration.
+ Document how to use /etc/rc.conf.d/postfix on NetBSD 1.5 and newer
to start /usr/pkg/sbin/postfix instead of /usr/sbin/postfix
+ Ensure that the postfix user and the postfix & maildrop groups exist.
Adds Darwin support, and prevents a working NetBSD postfix setup from being
broken on a "make install" of this package because the package used to
change /etc/postfix/{post-install,postfix-files,postfix-script}.
These changes are mostly from Amitai Schlair <schmonz@netbsd.org>,
with some tweaks by me. (Thanks Amitai!)
- Postfix 2.0 broke relocated table lookup results with mail not
rejected at the SMTP port, causing "User has moved to" text to be deleted.
- A widely used maildir filename generating algorithm was broken.
This affects all Postfix versions with maildir support. Instead of
TIME.PID_COUNT.HOST Postfix now uses TIME.DEVICE_INODE.HOST.
- Postfix 2.0 gave incorrect FILTER_README instructions for sites
that wish to disable virtual alias mapping before the content filter.
- Added MAILER-DAEMON to the list of always recognized local
addresses, since it is generated by Postfix bounces.
- Bugfix: transport_errno was not reset upon successful
transport map wildcard lookup after an earlier failure.
- Cleanup: unnecessary warnings from the proxymap client
after proxymap server disconnect.
- Cleanup: Patrik Rak found a few more chattr invocations
that were missed 20021209. Files: postfix-install,
conf/post-install.
- Cleanup: the pcre-config command can produce null outputs.
- Bugfix: the virtual(8) Makefile included $(AUXLIBS) in the
dependencies.
- Bugfix: fixed in the snapshots 20030105 but missed in the
stable release. "sendmail -bs" tried to access the proxymap
service. It should not try to open any user/domain/uce
related tables at all.
IMPORTANT: read the documents in /usr/pkg/share/doc/postfix/ before
upgrading from Postfix 1.1.
Hightlights:
- MIME support (including 8bit->7bit conversion and more
accurate matching of MIME headers in message bodies)
- completely rewritten RBL client code
- smarter handling of DNS lookup errors in UCE restrictions
- virtual delivery agent without transport map for every domain
- a long list of other things that are meant to improve performance
or functionality without compromising what already existed.
- The garbage in "user@garbage"@domain address forms may cause the
SMTP or LMTP client to terminate with a fatal error exit because
garbage/tcp is not an existing service. This cannot be abused
to cause the SMTP or LMTP client to send data into unauthorized
ports.
* Cleanup: Mailbox-Line: message header labels should be X-Mailbox-Line: labels
* The SMTP server now disallows RCPT TO:<"">, just like it disallows RCPT TO:<>
* Replace domain.name by domain.tld in the example config files
* The Postfix sendmail command did not export the MAIL_CONFIG environment
setting to the postdrop command
- Bugfix: the new code for header address quoting sometimes did
not null terminate strings so that arbitrary garbage could appear
at the end of message headers.
- Safety: user@domain@domain is no longer accepted by the
permit_mx_backup UCE restriction (unless Postfix is configured
with "resolve_dequoted_address = no").
* add a MESSAGE file to describe how to activate postfix (pkg/13335)
Changes:
* Close user@domain@postfix-style.virtual.domain source routing relaying
loophole involving postfix-style virtual domains with @virtual.domain
catch-all patterns
* mail_addr_map() used the "wrong" @ character in addresses with multiple @.
* For address localpart quoting, now quote @ as a special character
everywhere, except when resolving addresses. Previously, the @ was nowhere
quoted as a special character, not even in SMTP commands.
* Don't allow an OK access rule lookup result for
user@domain@postfix-style.virtual.domain.
* Quote unquoted address localparts that need quoting.
* The SMTP client logged and bounced the CNAME expanded recipient address,
and thereby complicated trouble shooting.
* The SMTP and LMTP clients bounced the quoted recipient address, resulting
in too much quoting in bounce reports.
* The LDAP client used the "wrong" @ character in addresses with multiple @.
* Forwards "postqueue -r" compatibility with the additional queue file
records that are stored by snapshot 20050512.
* Specify "resolve_dequoted_address = no" to prevent Postfix from looking
inside quotes for extra @ etc. characters when resolving an address.
This behavior is technically more correct, but it opens a mail relay
loophole with "user @domain"@domain when relaying mail to a Sendmail system.
- Postfix no longer attempts to build with GDBM support
- The Postfix SMTP client forgot to quote whitespace etc. in a
sender or recipient address when DNS lookup was turned off
- Better error reporting in the postqueue command
- Violation of the defer_transports setting: the flush server could
trigger mail delivery (as if ETRN was sent) while doing some internal
housekeeping of per-destination logfiles.
- Virtual mapping was broken for addresses with embedded whitespace
in the recipient local part.
- When the super-user runs "mailq" or "postqueue -p" (list mail
queue) while the mail system is down, the postqueue command runs
the showq command directly. However, postqueue did not pass on
non-default configuration directory settings to the showq command,
so that showq would report the default mail queue instead.
- The new code avoids problems with SMTP servers that will not
receive mail with lines longer than the 1000 characters that are
allowed by the SMTP standard.
- The new code is more graceful in the handling of abnormally long
message headers. It will no longer switch from "message header"
to "message body" mode in the middle of an abnormally long message
header line.
- With patch 04, automatic change detection of DBM files was slightly
broken (incremental updates would no longer be detected). The
fix is to use separate file handles for locking and for change
detection.
- The trivial-rewrite server could dereference a dangling pointer
after stripping a source route (@domain,domain:) from an address
while append_at_myorigin=no. Although this setting is unsupported,
Postfix should not SIGSEGV anyway.
- The SMTP server replied with 552 (too much mail) when rejecting
mail content. The SMTP standard defines no reply code for this
situation, but one could argue that 550 is more appropriate. And
so it shall be.
Major changes with release-20010228
===================================
Postfix produces DSN formatted bounced/delayed mail notifications.
The human-readable text still exists, so that users will not have
to be unnecessarily confused by all the ugliness of RFC 1894. Full
DSN support will be later.
This release introduces full content filtering through an external
process. This involves an incompatible change in queue file format.
Mail is delivered to content filtering software via an existing
mail delivery agent, and is re-injected into Postfix via an existing
mail submission agent. See examples in the FILTER_README file.
Depending on how the filter is implemented, you can expect to lose
a factor of 2 to 4 in delivery performance of SMTP transit mail,
more if the content filtering software needs lots of CPU or memory.
Specify "body_checks = regexp:/etc/postfix/body_checks" for a quick
and dirty emergency content filter that looks at non-header lines
one line at a time (including MIME headers inside the message body).
Details in conf/sample-filter.cf.
The header_checks and body_checks features can be used to strip
out unwanted data. Specify IGNORE on the right-hand side and the
data will disappear from the mail.
Support for SASL (RFC 2554) authentication in the SMTP server and
in the SMTP and LMTP clients. See the SASL_README file for more
details. This file still needs better examples.
Postfix now ships with an LMTP delivery agent that can deliver over
local/remote TCP sockets and over local UNIX-domain sockets. The
LMTP_README file gives example, but still needs to be revised.
Fast "ETRN" and "sendmail -qR". Postfix maintains per-destination
logfiles with information about what mail is queued for selected
destinations. See the file ETRN_README for details.
The mailbox locking style is now fully configurable at runtime.
The new configuration parameter is called "mailbox_delivery_lock".
Depending on the operating system type, mailboxes can be locked
with one or more of "flock", "fcntl" or "dotlock". The command
"postconf -l" shows the available locking styles. The default
mailbox locking style is system dependent. This change affects
all mailbox and all "/file/name" deliveries by the Postfix local
delivery agent.
20010917
Bugfix: an address extension could be appended multiple
times to the result of a canonical or virtual map lookup.
File: global/mail_addr_map.c. Fix by Victor Duchovni,
Morgan Stanley.
Bugfix: because split_addr() would split an address even
when there was no data before the recipient delimiter, the
above bug could cause an address to grow exponentially in
size. Problem reported by Victor Duchovni, Morgan Stanley.
File: global/split_addr.c.
20010918
Bugfix: the mail_addr_map() fix was almost but not quite
right. It took two clever people and several iterations of
email to really fix the mail_addr_map() problem. Thanks
to Victor Duchovni and Liviu Daia.
20011016
Bugfix: As of 20000625, Errors-To: was broken, because the
code to extract the address was not moved from recipient
address rewriting to sender address rewriting. Problem
reported by Roelof Osinga @ nisser.com. File:
cleanup/cleanup_message.c.
20011023
Bugfix: the FILTER_README content filtering example had
not been updated to include the sendmail "-i" command line
option.
20011029
Bugfix: virtual map expansion terminated early because the
detection of self-referential entries was flawed. File:
cleanup/cleanup_map1n.c.
20011031
Bugfix: mail_date() mis-formatted negative time zone offsets
with fractional hours (-03-30 instead of -0330). Fix by
Chad House, greyfirst.ca. File: global/mail_date.c.
20011103
Bugfix: Postfix would log the wrong error text when locally
submitted mail was deferred due to "soft_bounce = yes".
Bugfix: The LDAP client dropped any entries that don't have
the result_attribute, but errored out when a DN didn't
exist. The behavior is now consistent: treat non-existant
DN's in a special result attribute expansion the same as
DN's with no attribute. LaMont Jones, HP.
20011114
Bugfix: reset the smtpd command transaction log between
deliveries. File: smtpd/smtpd.c.
20011115
Bugfix: reset the smtpd command transaction log between
non-deliveries. File: smtpd/smtpd.c.
changes since pl02:
20010501
Bugfix: The SMTP server's 550 in reply to DATA should be
a 554 response. And it wasn't Sendmail. Claus Assman.
Bugfix: the INSTALL.sh test for non-interactive upgrade
broke rooted installations that specify settings via the
environment. Simon Mudd.
Bugfix: mailq output is now really flushed one message at
a time. File: sendmail/sendmail.c.
20010507
Bugfix: with soft_bounce=yes, the SMTP server would log
5xx replies even though it would send 4xx replies to the
client (Phil Howard, ipal.net). File: smtpd/smtpd_check.c.
20010523
Bugfix: postsuper's temporary file detection logic needed
fixing.
Bugfix: memory leak in the LDAP client module. Alain
Thivillon, France Teaser - Groupe Firstream.
20010525
Bugfix: the SMTP and LMTP clients claimed that a queue file
needed to be delivered again (even when all recipients were
erased from the queue file) when no QUIT or RSET reply was
received (by default, this does not happen with SMTP mail
because the SMTP client does not wait for QUIT replies and
does not send RSET to deliver mail). As a result of the
same bug the LMTP client followed a dangling pointer when
sending QUIT after process idle timeout while the LMTP
server had disconnected. Files: smtp/smtp_proto.c,
lmtp/lmtp_proto.c.
20010403
Workaround: the mysql library can return null pointers
rather than zero-length strings.
20010404
Ergonomics: log additional information about the reason
why "mail for XXX loops back to myself", when the local
machine is the best MX host. File: smtp/smtp_addr.c.
20010406
Changed some noisy LDAP client warnings into optional
logging. LaMont Jones, util/dict_ldap.c.
20010411
Bugfix: the SMTP server now replies with 550 instead of
503 when it receives the DATA command without having received
a valid recipient address. This is needed for the Sendmail
client-side pipelining implementation. Problem reported by
Lutz Jaenicke. File: smtpd/smtpd.c.
Cleanup: shut up if chattr fails on Reiserfs and other file
systems that do not support the respective attributes.
Files: conf/postfix-script-{no,}sgid.
20010413
Ergonomics: Postfix applications now warn when a DB or DBM
file is out of date, and recommend to rebuild the table.
Files: util/dict_db.c, util/dict_dbm.c.
20010414
Bugfix: with a non-default inet_interfaces setting, the
master ignored host information in master.cf host:port
settings. Fix by Jun-ichiro itojun Hagino @ iijlab.net.
Files: master/master.h, master/master_ent.c.
20010426
Bugfix: the SMTP server did not parse invalid MAIL FROM or
RCPT TO addresses such as <first last <user@domain>> the
way it was supposed to do. I thought this was taken care
of years ago. File: smtpd/smtpd.c.
20010427
Bugfix: smtpd would reject mail instead of replying with
a 4xx temporary error code when, for example, an LDAP or
mysql server was unavailable. Remotely based on a fix by
Robert Kiessling @ de.easynet.net. File: smtpd/smtpd_check.c.
