* The postconf(1) master.cf options parser didn't support "clusters"
of daemon command-line option letters.
* The local(8) delivery agent dereferenced a null pointer while
delivering to null command (for example, "|" in a .forward
file). Reported by Gilles Chehade.
* A memory leak fix for tls_misc.c was documented but not included.
Postfix 2.8 and later:
* The postscreen_access_list feature failed to ignore case in the
first character of a command (e.g., permit, reject, etc.).
Reported by Francis Picabia. (This fix is incorrectly listed
in the HISTORY files of earlier releases, and will be removed
with a future patch.)
All supported releases:
* Strip the datalink suffix (e.g., %eth0) from IPv6 addresses
returned by the system getaddrinfo() routine. Such suffixes
break the default mynetworks value, the Postfix SMTP server's
reverse/forward DNS name/address mapping check, and possibly
more.
* To eliminate the possibility of collisions with connection cache
lookup keys, the Postfix LDAP client now computes those lookup
keys by joining the number-valued connection properties with
ASCII null, just like it already did with the string-valued
connection properties.
* There was a memory leak during one-time TLS library initialization
(introduced with Postfix 2.5). Reported by Coverity.
* There was a memory leak in the unused oqmgr(8) program (introduced
with Postfix 2.3). Reported by Coverity.
All supported releases:
* The local(8) delivery agent's BIFF client leaked an unprivileged
UDP socket. Fix by Jaroslav Skarvada. This bug was introduced
19990127.
* The SMTP server did not reject the AUTH command while a MAIL
FROM transaction was in progress. Reported by Timo Sirainen.
This bug was introduced 20000314.
Postfix 2.8 and later:
* The unused "pass" trigger client could close the wrong file
descriptors. This bug was introduced with Postfix 2.8.
Changes from release announce:
* OpenSSL related (all supported Postfix versions).
o Some people have reported program crashes when the OpenSSL
library was updated while Postfix was accessing the Postfix
TLS session cache. To avoid this, the Postfix TLS session
cache ID now includes the OpenSSL library version number.
This cache ID is not shared via the network.
o The OpenSSL workaround introduced with the previous stable
and legacy releases did not compile with older gcc compilers.
These compilers can't handle #ifdef inside a macro invocation
(NOT: definition).
* postscreen(8) related (Postfix 2.9, Postfix 2.8).
o To avoid repeated warnings from postscreen(8) with "connect
to private/dnsblog service: Connection refused" on FreeBSD,
the dnsblog(8) daemon now uses the single_server program
driver instead of the multi_server driver. This one-line
code change has no performance impact for other systems,
and eliminates a high-frequency accept() race on a shared
socket that appears to cause trouble on FreeBSD. The same
single_server program driver has proven itself for many
years in smtpd(8). Problem reported by Sahil Tandon.
* Laptop-friendly support (all supported Postfix versions). A
little-known secret is that Postfix has always had support to
avoid unnecessary disk spin-up for MTIME updates, by doing
s/fifo/unix/ in master.cf (this is currently not supported on
Solaris systems). However, two minor fixes are needed to make
this bullet-proof.
o In laptop-friendly mode, the "postqueue -f" and "sendmail
-q" commands did not wait until their requests had reached
the pickup and qmgr servers before closing their UNIX-domain
request sockets.
o In laptop-friendly mode, the unused postkick command waited
for more than a minute because the event_drain() function
was comparing bitmasks incorrectly on systems with kqueue(2),
epoll(2) or /dev/poll support.
Major changes with Postfix 2.8.10
---------------------------------
This release adds support to turn off the TLSv1.1 and TLSv1.2
protocols. Introduced with OpenSSL version 1.0.1, these are known
to cause inter-operability problems with for example hotmail.
The radical workaround is to temporarily turn off problematic
protocols globally:
/etc/postfix/main.cf:
smtp_tls_protocols = !SSLv2, !TLSv1.1, !TLSv1.2
smtp_tls_mandatory_protocols = !SSLv2, !TLSv1.1, !TLSv1.2
smtpd_tls_protocols = !SSLv2, !TLSv1.1, !TLSv1.2
smtpd_tls_mandatory_protocols = !SSLv2, !TLSv1.1, !TLSv1.2
However, it may be better to temporarily turn off problematic
protocols for broken sites only:
/etc/postfix/main.cf:
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
/etc/postfix/tls_policy:
example.com may protocols=!SSLv2:!TLSv1.1:!TLSv1.2
Important:
- Note the use of ":" instead of comma or space. Also, note that
there is NO space around the "=" in "protocols=".
- The smtp_tls_policy_maps lookup key must match the "next-hop"
destination that is given to the Postfix SMTP client. If you
override the next-hop destination with transport_maps, relayhost,
sender_dependent_relayhost_maps, or otherwise, you need to specify
the same destination for the smtp_tls_policy_maps lookup key.
Postfix stable release 2.8.9 is available. This contains fixes that
are already part of Postfix 2.9 and 2.10.
* The "change header" milter request could replace the wrong
header. A long header name could match a shorter one, because
a length check was done on the wrong string. Reported by
Vladimir Vassiliev.
* Core dump when postlog emitted the "usage" message, caused
by an extraneous null assignment. Reported by Kant (fnord.hammer).
You can find the updated Postfix source code at the mirrors listed
at http://www.postfix.org/.
- The Postfix sqlite client, introduced with Postfix 2.8, had an
embarassing bug in its quoting routine. As the result of a
last-minute code cleanup before release, this routine returned the
unquoted text instead of the quoted text. The opportunities for
mis-use are limited: Postfix sqlite database files are usually owned
by root, and Postfix daemons usually run with non-root privileges so
they can't corrupt the database. This problem was reported by Rob
McGee (rob0).
- The Postfix 2.8.4 fix for local delivery agent database lookup
errors was incomplete. The fix correctly added new code to detect
database lookup errors with mailbox_transport_maps,
mailbox_command_maps or fallback_transport_maps, but it failed to
log the problem, and to produce a defer logfile record which is
needed for "delayed mail" and "mail too old" delivery status
notifications.
- The trace(8) service, used for DSN SUCCESS notifications, did not
distinguish between notifications for a non-bounce or a bounce
message, causing it to "reply" to mail with the null sender
address. Problem reported by Sabahattin Gucukoglu.
- Support for Dovecot auth over TCP sockets, using code that already
existed for testing purposes. Patrick Koetter kindly provided an
update for the SASL_README file.
- Workaround in the LDAP client for changes in the under-documented
OpenLDAP API, by Victor Duchovni.
Postfix stable release 2.8.7 is available. This contains a workaround
for a problem that is fixed in Postfix 2.9.
* The postscreen daemon, which is not enabled by default, sent
non-compliant SMTP responses (220- followed by 421) when it
could not give a connection to a real smtpd process. These
responses caused some remote SMTP clients to return mail as
undeliverable.
The workaround is to hang up after sending 220- without sending
the 421 "sorry" reply; this is harmless.
The complete fix involves too much change for a stable release:
send the 220 greeting, wait for the EHLO command, then send
the 421 "sorry" reply and hang up.
Postfix stable release 2.8.6, 2.7.7, 2.6.13 and 2.5.16 are available.
These contain fixes that are also included with the Postfix 2.9
experimental release.
* The Postfix SMTP daemon sent "bare" newline characters instead
of <CR><LF> when a header_checks REJECT pattern matched
multi-line header. This bug was introduced with Postfix 1.1.
* The Postfix SMTP daemon sent "bare" newline characters instead
of <CR><LF> when an smtpd_proxy_filter returned a multi-line
response. This bug was introduced with Postfix 2.1.
* For compatibility with future EAI (email address
internationalization) implementations, the Postfix MIME
processor no longer enforces the strict_mime_encoding_domain
check on unknown message subtypes such as message/global*.
This check is disabled by default.
* The Postfix master daemon could report a panic error
("master_spawn: at process limit") after the process limit
for some service was reduced with "postfix reload". This bug
existed in all Postfix versions.
You can find the updated Postfix source code at the mirrors listed
at http://www.postfix.org/.
[An on-line version of this announcement will be available at
http://www.postfix.org/announcements/postfix-2.8.5.html]
Postfix stable release 2.8.5, 2.7.6, 2.6.12, and 2.5.15 are available.
These contain fixes and workarounds for the Postfix Milter client
that were already included with the Postfix 2.9 experimental release.
* The Postfix Milter client logged a "milter miltername: malformed
reply" error when a Milter sent an SMTP response without
enhanced status code (i.e. "XXX Text" instead of "XXX X.X.X
Text").
* The Postfix Milter client sent a random {client_connections}
macro value when the remote SMTP client was not subject to
any smtpd_client_* limit. As a workaround, it now sends a
zero value instead.
Postfix stable release 2.8.4 is available. This contains fixes and
workarounds that were already included with the Postfix 2.9
experimental release. Where applicable these fixes will also be
made available for the legacy releases Postfix 2.5..2.7.
* Performance: a high load of DSN success notification requests
could slow down the queue manager. Solution: make the trace
client asynchronous, just like the bounce and defer clients.
* The local(8) delivery agent ignored table lookup errors in
mailbox_command_maps, mailbox_transport_maps, fallback_transport_maps
and (while bouncing mail to alias) alias owner lookup.
* Workaround: dbl.spamhaus.org rejects lookups with "No IP
queries" even if the name has an alphanumerical prefix. We
play safe, and skip both RHSBL and RHSWL queries for names
ending in a numerical suffix.
* The "sendmail -t" command reported "protocol error" instead
of "file too large", "no space left on device" etc.
* The Postfix Milter client reported a temporary error instead
of "file too large" in three cases.
* Linux kernel version 3 support. Linus Torvalds has reset the
counters for reasons not related to changes in code.
You can find the updated Postfix source code at the mirrors listed
at http://www.postfix.org/.
* pkgsrc change: remoe mysql4 from PKG_OPTIONS.
Securiy release for Memory corruption in Postfix SMTP server Cyrus SASL
support: http://www.postfix.org/CVE-2011-1720.html
20110411
Cleanup: postscreen(8) and verify(8) daemons now lock their
respective cache file exclusively upon open, to avoid massive
cache corruption by unsupported sharing. Files: util/dict.h,
util/dict_open.c, verify/verify.c, postscreen/postscreen.c.
20110414
Bugfix (introduced with Postfix SASL patch 20000314): don't
reuse a server SASL handle after authentication failure.
Problem reported by Thomas Jarosch of Intra2net AG. File:
smtpd/smtpd_proto.c.
Postfix stable release 2.8.2 is available. This release has minor
fixes that are already in the experimental (2.9) release.
- Bugfix: postscreen DNSBL scoring error. When a client disconnected
and then reconnected before all DNSBL results for the earlier
session arrived, DNSBL results for the earlier session would be
added to the score for the later session. This is very unlikely
to have affected any legitimate mail.
- Workaround: the SMTP client did not support mail to [ipv6:ipv6addr].
- Portability: FreeBSD closefrom() was back-ported to FreeBSD 7,
breaking FreeBSD 7.x support retroactively.
- Portability: the SUN compiler had trouble with a pointer expression
of the form ``("text1" "text2") + constant'' so we don't try to
be so clever.
Postfix stable release 2.8.0 is available. This release continues the
move towards improving code and documentation, and making the system
better prepared for changes in the threat environment.
The postscreen daemon (a zombie blocker in front of Postfix) is now
included with the stable release. postscreen now supports TLS and can
log the rejected sender, recipient and helo information. See the
POSTSCREEN_README file for recommended usage scenarios.
Support for DNS whitelisting (permit_rhswl_client), and for pattern
matching to filter the responses from DNS white/blacklist servers
(e.g., reject_rhsbl_client zen.spamhaus.org=127.0.0.[1..10]).
Improved message tracking across SMTP-based content filters; the
after-filter SMTP server can log the before-filter queue ID (the
XCLIENT protocol was extended).
Read-only support for sqlite databases. See sqlite_table(5) and
SQLITE_README.
Support for 'footers' that are appended to SMTP server "reject"
responses. See "smtpd_reject_footer" in the postconf(5) manpage.
This update was tested by Takahiro Kambe.
- Postfix no longer automatically appends the system default CA
(certificate authority) certificates, when it reads the CA
certificates specified with {smtp, lmtp, smtpd}_tls_CAfile or
with {smtp, lmtp, smtpd}_tls_CApath. This prevents third-party
certificates from getting mail relay permission with the
permit_tls_all_clientcerts feature. Unfortunately, this change
may cause compatibility problems with configurations that rely
on certificate verification for other purposes. To get the old
behavior, specify "tls_append_default_CA = yes".
- A prior fix for compatibility with Postfix < 2.3 was incomplete.
When pipe-to-command delivery fails with a signal, mail is now
correctly deferred, instead of being returned to sender.
- Poor smtpd_proxy_filter TCP performance over loopback (127.0.0.1)
connections was fixed by adapting the output buffer size to the MTU.
- The SMTP server no longer applies the reject_rhsbl_helo feature
to non-domain forms such as network addresses. This would cause
false positives with dbl.spamhaus.org.
- The Postfix SMTP server failed to deliver a "421" response and
hang up the connection after Milter error. Instead, the server
delivered a "503 Access denied" response and left the connection
open, due to some Postfix 1.1 workaround for RFC 2821.
- The milter_header_checks parser failed to enable any of the actions
that have no effect on message delivery (warn, replace, prepend,
ignore, dunno, and ok).
implementation (for SMTP-based content filters), improves robustness,
and has updates for changes in system or library interfaces.
* Bugfix (introduced Postfix 2.6) in the XFORWARD implementation,
which sends remote SMTP client attributes through SMTP-based
content filters. The Postfix SMTP client did not skip "unknown"
SMTP client attributes, causing a syntax error when sending
an "unknown" client PORT attribute.
* Robustness: skip LDAP queries with non-ASCII search strings,
instead of failing with a database lookup error.
* Safety: Postfix processes now log a warning when a matchlist
has a #comment at the end of a line (for example mynetworks
or relay_domains).
* Portability: OpenSSL 1.0.0 changes the priority of anonymous
cyphers.
* Portability: Mac OS 10.6.3 requires <arpa/nameser_compat.h>
instead of <nameser8_compat.h>.
* Portability: Berkeley DB 5.x is now supported.
Postfix stable release 2.7.0 is available. For the past several
releases, the focus has moved towards improving the code and
documentation, and updating the system for changing environments.
- Improved before-queue content filter performance. With
"smtpd_proxy_options = speed_adjust", the Postfix SMTP server
receives the entire message before it connects to a before-queue
content filter. Typically, this allows Postfix to handle the same
mail load with fewer content filter processes.
- Improved address verification performance. The verify database
is now persistent by default, and it is automatically cleaned
periodically, Under overload conditions, the Postfix SMTP server
no longer waits up to 6 seconds for an address probe to complete.
- Support for reputation management based on the local SMTP client
IP address. This is typically implemented with "FILTER transportname:"
actions in access maps or header/body checks, and mail delivery
transports in master.cf with unique smtp_bind_address values.
- The postscreen daemon (a zombie-blocker in front of Postfix) is
still too rough for a stable release, and will be made "mature"
in the Postfix 2.8 development cycle (however you can use Postfix
2.7 with the Postfix 2.8 postscreen and dnsblog executables and
master.cf configuration; this code has already proven itself).
No functionality has been removed, but it is a good idea to review
the RELEASE_NOTES file for the usual minor incompatibilities or
limitations.
You can find Postfix version 2.7.0 at the mirrors listed at
http://www.postfix.org/
The same code is also available as Postfix snapshot 2.8-20100213.
Updated versions of Postfix version 2.6, 2.5 and perhaps earlier
will be released with the same fixes that were already included
with Postfix versions 2.7 and 2.8.
The stable release Postfix 2.6.5 addresses the defects described
below (some already addressed with the not-announced Postfix 2.6.3
release). These defects are also addressed in the legacy releases
that are still maintained: Postfix 2.5.9, 2.4.13 and 2.3.19.
Do not use Postfix 2.6.4, 2.5.8, 2.4.12, 2.3.18, 2.7-20090807, and
2.7-20090807-nonprod. These contain a DNS workaround that causes
more trouble than it prevents. It is removed until further notice.
Defects fixed with Postfix 2.6.3, 2.5.9, 2.4.13 and 2.3.19:
- The Postfix Milter client got out of step with a Milter application
after the application sent a "quarantine" request at end-of-message
time. The Milter application would still be in the end-of-message
state, while Postfix would already be working on the next SMTP
event, typically, QUIT or MAIL FROM. In the latter case, Milter
responses for the previously-received email message would be
applied towards the next MAIL FROM transaction. This problem was
diagnosed with help from Alban Deniz.
Defects fixed with Postfix 2.6.5, 2.5.9, 2.4.13 and 2.3.19:
- The Postfix SMTP server would abort with an "unexpected lookup
table" error when an SMTPD policy server was mis-configured in a
particular way.
Postfix stable release 2.6.2 fixes one defect in SASL support.
This does not affect Postfix versions 2.5 and earlier.
With plaintext SMTP sessions AND smtpd_tls_auth_only=yes AND
smtp_sasl_auth_enable=yes, the SMTP server logged warnings for
reject_*_sender_login_mismatch, instead of enforcing them.
You can find Postfix version 2.6.2 at the mirrors listed at
http://www.postfix.org/
The same fix is also available in Postfix snapshot 2.7-20090528.
Postfix versions 2.5 and earlier are not affected.
Postfix stable release 2.6.1 fixes one defect in Milter support.
This does not affect Postfix versions 2.5 and earlier.
- Queue file corruption under very specific conditions: (smtpd_milters
or non_smtpd_milters) enabled, AND delay_warning_time enabled,
AND mail delivery delays, AND short envelope sender addresses
(e.g., sendmail command-line submissions with bare usernames as
the sender, but not bounce messages).
The queue file would be corrupted when the delay_warning_time
record was marked as "done" after sending the "your mail is
delayed" notice. The defect was introduced with Postfix 2.3, but
it could not cause corruption before the change dated 20090427.
- Multi-instance support introduces a new postmulti(1) command to
create/add/remove/etc. additional Postfix instances. The familiar
"postfix start" etc. commands now automatically start multiple
Postfix instances. The good news: nothing changes when you use
only one Postfix instance. See MULTI_INSTANCE_README for details.
- Multi-instance support required that some files be moved from
the non-shared $config_directory to the shared $daemon_directory.
The affected files are postfix-script, postfix-files and post-install.
- TLS (SSL) support was updated for elliptic curve encryption. This
requires OpenSSL version 0.9.9 or later. The SMTP client no longer
uses the SSLv2 protocol by default. See TLS_README for details.
- The Milter client now supports all Sendmail 8.14 Milter requests,
including requests for rejected recipient addresses, and requests
to replace the envelope sender address. See MILTER_README for
details.
- Postfix no longer adds (Resent-) From:, Date:, Message-ID: or To:
headers to email messages with "remote" origins (these are origins
that don't match $local_header_rewrite_clients). Adding such
headers breaks DKIM signatures that explicitly cover non-present
headers. For compatibility with existing logfile processing
software, Postfix will log ``message-id=<>'' for email messages
that have no Message-Id header.
- Stress-adaptive behavior is now enabled by default. This allows
the Postfix SMTP server to temporarily reduce time limits and
error-count limits under conditions of overload, such as a malware
attack or backscatter flood. See STRESS_README for details.
No functionality has been removed, but it is a good idea to review
the RELEASE_NOTES file for the usual minor incompatibilities or
limitations.
- (low) The installation/upgrade procedure did not automatically
create the data_directory.
- (medium) In the "new queue manager", the _destination_rate_delay
code needed to postpone the job scheduler updates after delivery
completion, otherwise the scheduler could loop on blocked jobs.
- (low) The queue manager used <transport>_concurrency_failed_cohort_limit
instead of <transport>_destination_concurrency_failed_cohort_limit
as documented.
- (low) The SMTP client disabled MIME parsing despite non-empty
settings for smtp_header_checks, smtp_mime_header_checks,
smtp_nested_header_checks, or smtp_body_checks.
- (medium) The postsuper command re-enabled the SIGHUP signal when
it was set to "ignore". This could result in random "Postfix
integrity check failed" errors at boot time (POSIX SIGHUP death),
causing Postfix not to start automatically.
- Postfix 2.5: the SMTP server did not ask for a client certificate
with "smtpd_tls_req_ccert = yes". Reported by Rob Foehl.
- Postfix 2.5, 2.4 and 2.3: avoid reduced TCP performance when
reusing an SMTP connection with a larger than 4096-byte TCP MSS
value. In practice, this could happen only with loopback (localhost)
connections.
Postfix 2.4 and later, on Linux kernel 2.6, is vulnerable to a
denial of service attack by a local user. There is no breach of
data confidentiality or data integrity. This problem was found by
the Postfix author during routine source code maintenance.
An on-line version of this announcement is available at
http://www.postfix.org/announcements/20080902.html
20080804
Bugfix: dangling pointer in vstring_sprintf_prepend().
File: util/vstring.c.
20080814
Security: some systems have changed their link() semantics,
and will hardlink a symlink, contrary to POSIX and XPG4.
Sebastian Krahmer, SuSE. File: util/safe_open.c.
The solution introduces the following incompatible change:
when the target of mail delivery is a symlink, the parent
directory of that symlink must now be writable by root only
(in addition to the already existing requirement that the
symlink itself is owned by root). This change will break
legitimate configurations that deliver mail to a symbolic
link in a directory with less restrictive permissions.
When a mailbox file is not owned by its recipient, the local and
virtual delivery agents now log a warning and defer delivery.
Specify "strict_mailbox_ownership = no" to ignore such ownership
discrepancies.
[HISTORY]
20080509
Bugfix: null-terminate CN comment string after sanitization.
File: smtpd/smtpd.c.
20080603
Workaround: avoid "bad address pattern" errors with non-address
patterns in namadr_list_match() calls. File: util/match_ops.c.
20080620
Bugfix (introduced 20080207): "cleanup -v" panic because
the new "SMTP reply" request flag did not have a printable
name. File: global/cleanup_strflags.c.
Cleanup: using "Before-queue content filter", RFC3848
information was not added to the headers. Carlos Velasco.
File smtpd/smtpd.c.
20080717
Cleanup: a poorly-implemented integer overflow check for
TCP MSS calculation had the unexpected effect that people
broke Postfix on LP64 systems while attempting to silence
a compiler warning. File: util/vstream_tweak.c.
20080725
Paranoia: defer delivery when a mailbox file is not owned
by the recipient. Requested by Sebastian Krahmer, SuSE.
Specify "strict_mailbox_ownership=no" to ignore ownership
discrepancies. Files: local/mailbox.c, virtual/mailbox.c.
- TLS (SSL) support was streamlined further, and provides a new security level
based on certificate fingerprints instead of CA signatures. See TLS_README
for details.
- Milter support was updated from the Sendmail 8.13 feature set and now
includes most of the features that were introduced with Sendmail 8.14. See
MILTER_README for details.
- Stress-adaptive configuration was introduced. This allows the Postfix SMTP
server to temporarily adjust its rules under conditions of overload, such as
a malware attack or backscatter flood. See STRESS_README for details.
[pkgsrc: this obsoletes the "postfix-stress" option which provided the same
functionality via a distribution patch]
- The queue manager scheduler was refined. It now provides per-transport
scheduling controls and allows for adjustment of the sensitivity to mail
delivery (non-)errors. See SCHEDULER_README.
- Security was improved by introducing a Postfix-owned data_directory for
storage of randomness, caches and other non-queue data. This change avoids
future security loopholes due to untrusted data sitting in root-owned files
or in root-owned directories. Writes to legacy files in root-owned
directories are automatically redirected to files in the new data_directory.
No functionality has been removed, but it is a good idea to review the
RELEASE_NOTES file for the usual minor incompatibilities or limitations.
(disabled by default). This functionality will be included in Postfix 2.5 but
has been proven very succesful on the mailing lists so Wietse provided a patch
for Postfix 2.3 and 2.4.
See http://www.postfix.org/STRESS_README.html#adapt for configuration details.
- A remote SMTP client TLS certificate with an unparsable canonical
name triggered a panic error in the Postfix SMTP server (attempt
to allocate zero-length memory) while sending a request to an
SMTPD policy server.
- On backup MX servers where the queue file system is mounted with
"atime" (file read/execute access time) updates disabled, the
flush daemon would trigger mail delivery attempts once every 1000
seconds, thus rendering the maximal_backoff_time setting useless
for backup MX service.
MILTER bugfix:
When a milter replied with ACCEPT at or before the first RCPT
command, the cleanup server would apply the non_smtpd_milters
setting as if the message was a local submission. Problem
reported by Jukka Salmi.
MILTER bugfix:
Problem with header updates after body updates. Reported by
Jose-Marcio Martins da Cruz.
MILTER robustness:
Assorted cleanups to harden error handling in the Postfix Milter
client.
SASL workaround for Postfix SMTP client:
Some non-Cyrus SASL SMTP servers require SASL login without
authzid (authoriZation ID), i.e. the client must send only the
authcid (authentiCation ID) + the authcid's password. This is
now the default Postfix SMTP client behavior.
Loopback TCP performance workaround:
Some systems exhibited poor SMTP and Milter performance with
loopback (127.0.0.1) connections. Problem reported by Mark
Martinec.
MILTER bugfix:
When a milter replied with ACCEPT at or before the first RCPT
command, the cleanup server would apply the non_smtpd_milters
setting as if the message was a local submission. Problem
reported by Jukka Salmi.
MILTER bugfix:
Problem with header updates after body updates. Reported by
Jose-Marcio Martins da Cruz.
MILTER robustness:
Assorted cleanups to harden error handling in the Postfix Milter
client.
SASL workaround for Postfix SMTP client:
Some non-Cyrus SASL SMTP servers require SASL login without
authzid (authoriZation ID), i.e. the client must send only the
20070425
Bugfix: don't falsely report "lost connection from
localhost[127.0.0.1]" when Postfix is being portscanned.
Files: smtpd/smtpd_peer.c, qmqpd/qmqpd_peer.c.
20070430
Robustness: recommend a "0" process limit for policy servers
to avoid "connection refused" problems when the smtpd
process limit exceeds the default process limit. File:
proto/SMTPD_POLICY_README.html.
20070501
Safety: when IPv6 (or IPv4) is turned off, don't treat an
IPv6 (or IPv4) connection from e.g. inetd as if it comes
from localhost[127.0.0.1]. Files: smtpd/smtpd_peer.c,
qmqpd/qmqpd_peer.c.
20070508
Bugfix: Content-Transfer-Encoding: attribute values are
case insensitive. File: src/cleanup/cleanup_message.c.
20070514
Bugfix: mailbox_transport(_maps) and fallback_transport(_maps)
were broken when used with the error(8) or discard(8)
transports. Cause: insufficient documentation. Files:
error/error.c, discard/discard.c.
20070520
Bugfix (problem introduced Postfix 2.3): when DSN support
was introduced it broke "agressive" recipient duplicate
elimination with "enable_original_recipient = no". File:
cleanup/cleanup_out_recipient.c.
20070529
Bugfix (introduced Postfix 2.3): the sendmail/postdrop
commands would hang when trying to submit a message larger
than the per-message size limit. File: postdrop/postdrop.c.
20070530
Sabotage the saboteur who insists on breaking Postfix by
adding gethostbyname() calls that cause maildir delivery
to fail when the machine name is not found in /etc/hosts,
or that cause Postfix processes to hang when the network
is down.
20070531
Portability: Victor helpfully pointed out that change
20070425 broke on non-IPv6 systems. Files: smtpd/smtpd_peer.c,
qmqpd/qmqpd_peer.c.
20070331
Bugfix (introduced Postfix 2.3): segfault with HOLD action
in access/header_checks/body_checks on 64-bit platforms.
File: cleanup/cleanup_api.c.
20070402
Portability (introduced 20070325): the fix for hardlinks
and symlinks in postfix-install forgot to work around shells
where "IFS=/ command" makes the IFS setting permanent. This
is allowed by some broken standard, and affects Solaris.
File: postfix-install.
Portability (introduced 20070212): the workaround for
non-existent library bugs with descriptors >= FD_SETSIZE
broke with "fcntl F_DUPFD: Invalid argument" on 64-bit
Solaris. Files: master/multi_server.c, *qmgr/qmgr_transport.c.
20070421
Cleanup: on (Linux) platforms that cripple signal handlers
with deadlock, "postfix stop" now forcefully stops all the
processes in the master's process group, not just the master
process alone. File: conf/postfix-script.
The footprint of new features with Postfix 2.4.0 is significantly
smaller than with earlier releases. And that is the whole point of
approaching completeness: fewer visible changes.
Below is a brief summary of what has changed. See the RELEASE_NOTES
file for more, including compatibility issues that may affect your
site. The HISTORY file gives a blow-by-blow account of what happened
over the past year.
Wietse
- Postfix can now manage thousands of connections without needing
special main.cf, master.cf, or compile-time tweaks, on systems with
BSD kqueue, Solaris /dev/poll, or Linux epoll support.
- Milter support for message body replacement. The resulting queue
files are backwards compatible with Postfix 2.3. The existing Milter
support for message header manipulations was revised and is now
implemented by much simpler code.
- Minor improvements in TLS session cache management and in the
implementation of certificate fingerprint based authentication. A
more extensive revision of TLS internals will appear first in Postfix
2.5 snapshots.
- Improvements in queue manager performance when deferring large
amounts of mail, or when delivering mail with lots of recipients.
- Workarounds for SMTP servers that reply and hang up prematurely,
for file system clocks that are out of sync, and for broken kernel
lock management in POP servers.
- postmap support for NIS maps was broken with Postfix 2.3.
- Workaround to avoid breaking digital signatures for malformed
MIME attachments.
- Incorrect handling of ![address] forms in match lists. such as
mynetworks, inet_interfaces etc.
- On Redhat Linux, a Postfix daemon could lock up while logging a
warning from a signal handler before exiting. This is remedied
by a low-cost re-entrancy guard for signal handlers that never
return.
- Message headers longer than 65535 broke the Milter protocol. To
make matters worse the cleanup server could then dereference a
null pointer. When Milter support is enabled, the length of each
message header is now limited to 60000.
- Several fixes to improve worst-case behavior of the (new) queue
manager with multi-recipient mail. The queue manager now reads
new recipients earlier from the queue file, instead of becoming
starved while waiting for the slowest in-memory recipients to
complete; and it now reads recipients in smaller chunks to avoid
spending too much time not talking to delivery agents.
- With remote SMTP server tarpit delays larger than the Postfix
SMTP client's smtp_rset_timeout (default: 20s), the client would
get out of sync with the server while reusing a connection. The
symptoms were "recipient rejected .. in reply to DATA".
- On FreeBSD 6.2, some Postfix daemon processes would complain once
with "Error 0" after "postfix reload" and then recover. This
warning is now logged only when the problem persists.
Postfix 2.3 Patch 04 fixes minor problems as detailed in the change
history below. The patch as well as complete source code tarballs
were uploaded last week to the mirrors listed at http://www.postfix.org/
20060831
Bugfix (introduced with initial implementation): missing
"dict_errno = 0" caused mis-leading error messages after
non-error lookup failure. Victor Duchovni. File:
util/dict_cidr.c.
Robustness: the default TLS cipher lists were changed from
!foo:ALL into ALL:!foo. Victor Duchovni. Files:
global/mail_params.h and documentation.
20060902
Bugfix (introduced Postfix 2.3): the LMTP client stripped
"inet": from the next-hop destination, but still used the
complete next-hop from the delivery request. File:
smtp/smtp_connect.c.
20060903
Cleanup: record loop detection. File: global/record.c.
20060929
Workaround: AIX 5.[1-3] getaddrinfo() creates socket address
structures with a non-zero port value. This breaks the
smtp_bind_address etc. features, and breaks inet_interfaces
settings with only one IP address. Problem reported by
Hamish Marson. Files: util/sock_addr.[hc], util/myaddrinfo.c.
Bugfix (introduced with the Postfix TLS patch): memory leak
in verify_extract_peer(). The OpenSSL documentation provides
no information on how subjectAltNames are managed. Sam
Rushing, ironport. File: tls/tls_client.c.
Bugfix (introduced with Postfix 2.2): smtp_generic_maps
turned on MIME conversion. File: smtp/smtp_proto.c.
Workaround: don't send SIZE information in the MAIL FROM
command when message content will be subject to 8bit ->
quoted-printable conversion. File: smtp/smtp_proto.c.
20061002
Compatibility: Sendmail now invokes the Milter connect
action with the verified hostname instead of the name
obtained with PTR lookup. File: smtpd/smtpd.c.
20061004
Cleanup: force space between mailq queueid+status and file
size items. File: showq/showq.c.
20061015
Cleanup: convert the Milter {mail_addr} and {rcpt_addr}
macro values to external form. File: smtpd/smtpd_milter.c.
Cleanup: the Milter {mail_addr} and {rcpt_addr} macros are
now available with non-SMTP mail. File: cleanup/cleanup_milter.c.
Cleanup: convert addresses in Milter recipient add/delete
requests to internal form. File: cleanup/cleanup_milter.c.
Cleanup: with non-SMTP mail, convert addresses in simulated
MAIL FROM and RCPT TO events to external form. File:
cleanup/cleanup_milter.c.
20061017
Cleanup: removed spurious warning when the cleanup server
attempts to bounce mail with soft_bounce=yes. Problem
reported by Ralf Hildebrandt. File: cleanup/cleanup_bounce.c.
Bugfix: null pointer bug when receiving a non-protocol
response on a cached SMTP/LMTP connection. Report by Brian
Kantor. Fix by Victor Duchovni. File: smtp/smtp_reuse.c.
in post-extract.
I exchanges few mails with Wietse and he refused to fix the "==" lines and
instructed me to simply remove the offending file. Instead of having a patch
for a file which is not used by pkgsrc I think it makes sense to remove it.
- File corruption while executing a Milter "header insert" action
with headers-only mail (found with dk-filter). Delivery agents
would go into an infinite loop because some queue file update
had been done in the wrong order. As a precaution, delivery
agents now detect such loops, and the queue manager now saves
such mail to the "corrupt" directory.
- Segmentation fault in the SMTP client while saving a cached
connection with unsent data. Postfix indexed some table with -1,
because some I/O cleanup had been done in the wrong order. The
same problem should exist in Postfix 2.2.
- Postfix no longer announces its name in delivery status notifications.
All other details of the default bounce text remain unchanged.
The reason for this change is that too many people believe that
Wietse provides a free helpdesk service that solves all their
email problems.
- Corrupted queue file after a request to modify a short message
header, when that header was the last one in the message.
- Panic after spurious Milter request when a client was rejected
with "smtpd_delay_reject = no".
- The Milter client is now more tolerant for redundant "data cleanup"
requests. This avoids panic() calls for harmless conditions.
Main changes in TLS support:
- The Postfix SMTP client enforced mandatory TLS only when talking
to an ESMTP server; enforcement did not happen if Postfix could
somehow be forced to send HELO instead of EHLO. This problem also
exists in Postfix 2.2, where it is is fixed with Postfix 2.2
patch 11. This is minor compared to the DNS spoofing issues that
were fixed with Postfix 2.2.10.
- Workaround for an interoperability problem introduced with Postfix
2.3. Some buggy TLS client implementations were unable to deliver
mail because the Postfix SMTP server didn't send a TLS session
ID. To disable the workaround specify "smtpd_tls_always_issue_session_ids
= no"; this allows non-buggy TLS clients to save some space.
Main changes in Milter support:
- Safety measure. After "postsuper -r", mail is no longer inspected
by the Milters specified with the non_smtpd_milters parameter.
This measure prevents a bad interaction with external content
filters: Milters would receive incorrect SMTP client information,
and could be tricked into signing or allowing untrusted messages.
This change does not affect Milter applications that run behind
an after-queue content filter. The behavior is detailed in the
postsuper(1) manual page.
