- fixed handling of the 'owner' setting for ezmlm-idx > v5
- updated ezmlm-idx version detection
- allow "@" in the path of a mailing list
- add modules Mail::Ezmlm::GpgKeyRing and Mail::Ezmlm::GpgEzmlm
- fixed issues of Mail::Ezmlm::GpgEzmlm with ezmlm-idx v0.4x lists
- added check for external dependency to the test script
In my experience, pop3 server wasn't crashed but it failed to remove
messages in INBOX.
v2.2.12 2014-02-14 Timo Sirainen <tss@iki.fi>
- pop3 server was crashing in v2.2.11
+ acl plugin: Added an alternative global ACL file that can contain
mailbox patterns. See http://wiki2.dovecot.org/ACL for details.
+ imap proxy: Added proxy_nopipelining passdb setting to work around
other IMAP servers' bugs (MS Exchange 2013 especially).
+ Added %{auth_user}, %{auth_username} and %{auth_domain} variables.
See http://wiki2.dovecot.org/Variables for details.
+ Added support for LZ4 compression.
+ stats: Track also wall clock time for commands.
+ pop3_migration plugin improvements to try harder to match the UIDLs
correctly.
- imap: SEARCH/SORT PARTIAL reponses may have been too large.
- doveadm backup: Fixed assert-crash when syncing mailbox deletion.
The main changes in no particular order are:
* Support for PKI-less TLS server certificate verification with
DANE (DNS-based Authentication of Named Entities) where the CA
public key or the server certificate is identified via DNSSEC
lookup. This requires a DNS resolver that validates DNSSEC
replies. The problem with conventional PKI is that there are
literally hundreds of organizations world-wide that can provide
a certificate in anyone's name. DANE limits trust to the people
who control the target DNS zone and its parent zones.
* Support for LMDB databases. Originally developed as part of
OpenLDAP, LMDB is the first persistent Postfix database that
can be shared among multiple writers such as postscreen daemons
(Postfix already supported shared non-persistent memcached
caches). Postfix currently requires LMDB version 0.9.11 or
later. See LMDB_README for details and limitations.
* A new postscreen_dnsbl_whitelist_threshold feature to allow
clients to skip postscreen tests based on their DNSBL score.
This can eliminate email delays due to "after 220 greeting"
protocol tests, which otherwise require that a client reconnects
before it can deliver mail. Some providers such as Google don't
retry from the same IP address, and that can result in large
email delivery delays.
* The recipient_delimiter feature now supports different delimiters,
for example both "+" and "-". As before, this implementation
recognizes exactly one delimiter character per email address,
and exactly one address extension per email address.
* Advanced master.cf query/update support to access service
attributes as "name = value" pairs. For example to turn off
chroot on all services use "postconf -F '*/*/chroot = n'", and
to change/add a "-o name=value" setting use "postconf -P
smtp/inet/name = value". This was developed primarily to allow
automated tools to manage Postfix systems without having to
parse Postfix configuration files.
minor feature additions.
8.14.8/8.14.8 2014/01/26
Properly initialize all OpenSSL algorithms for versions before
OpenSSL 0.9.8o. Without this SHA2 algorithms may not
work properly, causing for example failures for certs
that use sha256WithRSAEncryption as signature algorithm.
When looking up hostnames, ensure only to return those records
for the requested family (AF_INET or AF_INET6).
On system that have NEEDSGETIPNODE and NETINET6
this may have failed and cause delivery problems.
Problem noted by Kees Cook.
A new mailer flag '!' is available to suppress an MH hack
that drops an explicit From: header if it is the
same as what sendmail would generate.
Add an FFR (for future release) to use uncompressed IPv6 addresses,
i.e., they will not contain "::". For example, instead
of ::1 it will be 0:0:0:0:0:0:0:1. This means that
configuration data (including maps, files, classes,
custom ruleset, etc) have to use the same format.
This will be turned on in 8.15. It can be enabled in 8.14
by compiling with:
APPENDDEF(`conf_sendmail_ENVDEF', `-D_FFR_IPV6_FULL')
in your devtools/Site/site.config.m4 file.
Add an additional case for the WorkAroundBrokenAAAA check when
dealing with broken nameservers by ignoring SERVFAIL
errors returned on T_AAAA (IPv6) lookups at delivery time.
Problem noted by Pavel Timofeev of OCS.
If available, pass LOGIN_SETCPUMASK and LOGIN_SETLOGINCLASS to
setusercontext() on deliveries as a different user.
Patch from Edward Tomasz Napierala from FreeBSD.
Avoid compiler warnings from a change in Cyrus-SASL 2.1.25.
Patch from Hajimu UMEMOTO from FreeBSD.
Add support for DHParameters 2048-bit primes.
CONFIG: Accept IPv6 literals when evaluating the HELO/EHLO argument
in FEATURE(`block_bad_helo'). Suggested by Andrey Chernov.
LIBSMDB: Add a missing check for malloc() in libsmdb/smndbm.c.
Patch from Bill Parker.
LIBSMDB: Fix minor memory leaks in libsmdb/ if allocations
fail. Patch from John Beck of Oracle.
Portability:
Add support for Darwin 12.x and 13.x (Mac OS X 10.8 and 10.9).
On Linux use socklen_t as the type for the 3rd argument
for getsockname/getpeername if the glibc version is at
least 2.1.
Added Files:
devtools/OS/Darwin.12.x
devtools/OS/Darwin.13.x
Rspamd is fast, modular and lightweight spam filter. It is designed to work
with big ammount of mail and can be easily extended with own filters written in
lua.
version 2.04: Thu Sep 12 15:46:28 CEST 2013
Fixes:
- one more localize $_ in ::Types::_read_db()
rt.cpan.org#87856 [Gerda Shank]
version 2.03: Wed Sep 4 17:12:27 CEST 2013
Improvements:
- typo in docs, rt.cpan.org#88394 [Gregor Herrmann, Debian]
- require perl 5.8.8, because <:encoding [cpantesters]
- updated IANA
- a bit more DESCRIPTION
version 2.02: Sun Aug 18 12:49:23 CEST 2013
Fixes:
- localize DB and $_ in ::Types::_read_db()
rt.cpan.org#87856 [Gerda Shank]
Rearranged the test scripts to put them in folders by category. This just
makes the directory listing a little more manageable.
Corrected some typos in the README file. Thanks to John Mendoza for reporting
those.
Fixed a very obscure bug in spamdyke_log(): on Linux systems (possibly only
64-bit systems), vsyslog() occasionally will not print all the variable
arguments. One way was found to trigger this behavior -- when the
rdns-blacklist-dir filter is activated from a configuration directory.
Fixed a bug in find_domain() that could cause segfaults when parsing certain
invalid formats. Thanks to Gary Gendel for reporting this one.
Added a backup/restore feature to the "run" script in the "tests" folder to
save a copy of the most critical system and qmail files before running any
scripts. This is needed because some of the scripts alter those files and,
if they don't run correctly or are cancelled, the originals are lost.
Added a "-skipcompile" flag to the "run" script in the "tests" folder to skip
reconfiguring and recompiling all of the binaries when the script is run.
Changed the "run" script in the "tests" folder to empty qmail's queue before
and after the tests are run.
Changed the "run" script in the "tests" folder to compare the current system
and qmail configuration files to the latest backup after every script
finishes. If they don't match, the latest backup is restored. If they
still don't match, the script stops with an error.
Changed nihdns_query() to accept an optional "preferred" type of response. If
multiple types are queried, it will wait for at least one timeout period for
an answer of that type to arrive instead of always accepting the first
answer to arrive. It will accept a saved answer before resending the
queries, however.
NOT BACKWARDS COMPATIBLE: Changed nihdns_mx() to prefer an MX record over an A
record, if both exist. Given the choice, the MX record will be checked for
validity and the A record will be ignored. Thanks to Bruce Schreiber for
suggesting this one.
Fixed filter_level() and smtp_filter() to disregard whitelisting and require
authentication if the "filter-level" option is set to "require-auth", as the
documentation says it should. Thanks to Arne for reporting this one.
Changed nihdns_create_packet() to strip trailing dots from names before using
them in DNS queries. A trailing dot is the traditional way to tell libc's
resolver not to append the local domain name and many sysadmins expect to
have to use it. Since spamdyke never appends the local domain and doesn't
use libc's resolver, it isn't necessary and causes lookups to fail. Thanks
to Dossy Shiobara for reporting this one.
Changed middleman() to always send a "STARTTLS" response to "EHLO" as a
continuation, never as the last line (only when spamdyke is inserting
"STARTTLS"). This works around a bug in the Android mail client, which only
looks for "STARTTLS" as a continuation. Thanks to Jonas Pasche for writing
about how to work around this bug on his blog.
NOT BACKWARDS COMPATIBLE: Changed the meaning of "whitelisted" to only exempt
the connection from spamdyke's spam filters; whitelisting no longer allows
the connection to relay mail. This means spamdyke will now only set the
RELAYCLIENT environment variable if the "relay-level" option is set to
"allow-all". Relaying must now be controlled through tcpserver or xinetd.
Many thanks to Eric Shubert for suggesting and debating this with me.
NOT BACKWARDS COMPATIBLE: Removed the "access-file" and
"rejection-text-access-denied" options because they were only needed for
controlling relaying. Also removed the test scripts that exercised them and
modified many other test scripts that used them.
NOT BACKWARDS COMPATIBLE: Removed the "no-check" value from the "relay-level"
option and changed the meaning of the "normal" value to use the logic
previously assigned to "no-check".
Added the option "reject-sender" to take multiple values. If the value
"not-local" is given, the sender will be rejected if the domain name is not
hosted locally. If the value "authentication-mismatch" is given, the sender
will be rejected if the sender address does not exactly match the username
given during authentication (or if the authentication username is not an
email address, the sender username must match the authentication username).
If the value "authentication-domain-mismatch" is given, the sender will be
rejected if the domain name is not part of the username given during
authentication. Thanks to Mark Frater for suggesting this one.
Added the options "rejection-text-sender-not-local" and
"rejection-text-sender-authentication-mismatch" to set the rejection text
given when the "reject-sender" option's filters are triggered.
NOT BACKWARDS COMPATIBLE: Removed the option "reject-missing-sender-mx" and
folded its filter into the "reject-sender" filter's "no-mx" option.
NOT BACKWARDS COMPATIBLE: Renamed the option
"rejection-text-missing-sender-mx" to "rejection-text-sender-no-mx".
NOT BACKWARDS COMPATIBLE: Renamed the option
"reject-identical-sender-recipient" to "reject-recipient" with the value
"same-as-sender". The functionality remains the same.
NOT BACKWARDS COMPATIBLE: Renamed the option
"rejection-text-identical-sender-recipient" to
"rejection-text-recipient-same-as-sender".
NOT BACKWARDS COMPATIBLE: Renamed the option "local-domains-file" to
"qmail-rcpthosts-file". The naming has always been confusing, since qmail
distinguishes between domains that should be accepted by qmail-smtpd during
SMTP (rcpthosts) and domains that are actually hosted locally with mailboxes
on the local filesystem (locals). These options have always meant the
former, but now that spamdyke needs to know both lists of domains, it's time
to rename them. This option is also now allowed in configuration
directories.
NOT BACKWARDS COMPATIBLE: Removed the option "local-domains-entry" because
supplying domains that can be accepted during SMTP to spamdyke only (but
not qmail) will cause inconsistent results during recipient validation.
If a domain is to be accepted during SMTP, it should be added to the control
files used by both spamdyke and qmail.
Added CDB searching code in cdb.[ch] to read DJB's "constant database" files
during recipient validation. The format of these files is claimed (by DJB)
to be fast and efficient. Don't believe the hype...
Added the option "qmail-morercpthosts-cdb" to allow CDB files to be provided
that contain lists of domains for which mail should be accepted during SMTP.
Does anyone actually use this qmail "feature"?
Poured over qmail's documentation and source code to figure out exactly how
it determines where to deliver a message. The documentation is frequently
in error and extensive testing was required to discover the truth. The
resulting procedure is encapsulated in a flowchart in the documentation
folder.
Added the "generator" program to create test scripts to check every possible
path through the recipient validation flowchart, both with spamdyke in place
and without (to check the flowchart is correct). A program to generate the
scripts was required, since there are nearly 250K possible paths to test.
Added the value "invalid" to the option "reject-recipient" to check if a local
recipient address exists before accepting a message. This validation
process uses the same logic as qmail when deciding whether/where to deliver
a message, so no extra steps are needed to make this work (e.g. maintaining
a list of valid addresses in a separate file). If this process determines
a local address is valid, delivery is guaranteed. This option should
eliminate qmail's habit of sending backscatter spam.
Added the value "unavailable" to the option "reject-recipient" to check if a
local recipient is accepting mail at the moment. Probably as a holdover
from the elder days when people actually edited .qmail files by hand, qmail
checks file permissions on files and folders before delivering a message.
If they are set to certain values, qmail will queue the message until the
permissions are fixed or bounce the message if is queued too long. In these
enlightened times, such permissions are more likely to be due to an error or
oversight than deliberate intent.
Added the options "qmail-assign-cdb", "qmail-defaultdelivery-file",
"qmail-envnoathost-file", "qmail-locals-file", "qmail-me-file",
"qmail-percenthack-file" and "qmail-virtualdomains-file" to allow spamdyke
to use different control files than qmail. It's very unlikely anyone will
ever need these options (and it would be unwise to use them), but they're
available just in case.
Added the option "rejection-text-recipient-invalid" to set the rejection text
when the "invalid" filter on "reject-recipient" is triggered.
Added the option "rejection-text-recipient-unavailable" to set the rejection
text when the "unavailable" filter on "reject-recipient" is triggered.
Removed the function filter_recipient_local() and moved its logic into
filter_recipient_valid().
Removed the function filter_recipient_relay() and moved its logic into
filter_recipient_valid().
Changed the "help" option to just show a listing of available options without
help text.
Added the "more-help" option to show the full listing of options with all help
text.
Added the options "ip-relay-entry", "ip-relay-file", "rdns-relay-entry" and
"rdns-relay-file" to allow relaying from specific IPs and/or rDNS names,
since whitelisting no longer implies the ability to relay. If any of these
options are matched, the RELAYCLIENT variable will be set before qmail is
started.
Created the "create_cdb" program to generate CDB files of arbitrary size,
filled with random data, for testing spamdyke's CDB validation routines.
create_cdb also has the ability to corrupt the generated CDB in seven ways;
this makes for more specific testing than simply using a file of random
garbage.
Removed all uses of the TESTSD_* environment variables from the test scripts
and replaced them with appropriate invocations of dnsdummy. This allows the
test scripts to run without potential interference from external DNS
changes and without needing a running spamdyke server to find example
values.
Fixed smtp_filter() and middleman() to clear the list of saved recipient
addresses after printing the log messages. This prevents duplicate log
messages when multiple email messages are delivered in the same connection.
Thanks to Teodor Milkov and David Davidov for reporting this one.
Added the "-skippatched" and "-skipunpatched" flags to the "run" scripts to
skip any tests that require a patched or unpatched version of qmail,
respectively.
Fixed a minor bug in find_username() that would truncate the last character
of the username when no domain is given. This hasn't been a problem since
spamdyke rejects recipient addresses without domain names anyway, but one
of the recipient validation test scripts found it.
Added the option "tls-dhparams-file" option to read DH params from a file
for creating ephemeral keys during SSL/TLS key negotiation. Thanks to
Marc Gregel for suggesting this one.
Changed all error messages to output the filename, function name and line
number that generated them, just like the debug and excessive messages.
Added a new log level, LOG_LEVEL_CONFIG_TEST, for config-test error messages.
The level is treated much the same as LOG_LEVEL_ERROR except the filename,
function name and line numbers are not printed.
Added a new decision level, FILTER_DECISION_AUTHENTICATED for authenticated
connections. The filter routines use this level to distinguish between
connections that should be unfiltered due to authentication versus
whitelisting.
Added a new config option type: CONFIG_TYPE_ALIAS. Options of this type are
aliases for other options. This eliminates the duplication of values and
potential for oversights in the graylist/greylist options.
Added some code to the "run" script in the "tests" directory to try to detect
core dumps. Some of the tests will declare success even if spamdyke
segfaults and cuts off the output prematurely.
Removed the unused functions reset_rejection() and skip_cfws().
Discovered spamdyke cannot read all the files it needs for recipient
validation during normal operation because they are owned by different users
with restrictive permissions and spamdyke does not run as root. I'm not
sure how I missed that, but it completely moots more than a year of work.
Moved all the recipient valiation code into an external program named
"spamdyke-qrv". This program is meant to only perform recipient validation
and nothing else, so it should be safe to run as root (at least safer than
running spamdyke as root).
Removed the options "qmail-assign-cdb", "qmail-defaultdelivery-file",
"qmail-envnoathost-file", "qmail-locals-file", "qmail-me-file" and
"qmail-percenthack-file" from spamdyke, since the recipient validation code
is gone.
Added the option "recipient-validation-command" for passing the path to
spamdyke-qrv, which will be called when recipient validation is needed.
either because they themselves are not ready or because a
dependency isn't. This is annotated by
PYTHON_VERSIONS_INCOMPATIBLE= 33 # not yet ported as of x.y.z
or
PYTHON_VERSIONS_INCOMPATIBLE= 33 # py-foo, py-bar
respectively, please use the same style for other packages,
and check during updates.
Use versioned_dependencies.mk where applicable.
Use REPLACE_PYTHON instead of handcoded alternatives, where applicable.
Reorder Makefile sections into standard order, where applicable.
Remove PYTHON_VERSIONS_INCLUDE_3X lines since that will be default
with the next commit.
Whitespace cleanups and other nits corrected, where necessary.
== [release-2-0-1] 2.0.1: 2014-01-24
A bug fix release of 2.0.0.
=== milter manager
==== Improvements
* Support SIGUSR1 signal to reopen log file
==== Fixes
* Drop functionality to report stack trace on crash.
Because it is unsafe for all users. [GitHub #38]
=== milter-core
==== Improvements
* Support log output by MILTER_LOG_PATH environment variable.
=== milter-client
==== Improvements
* Support --log-path option.
=== Ruby milter
==== Improvements
* Support --log-path option.
* Support SIGUSR1 signal to reopen log file.
=== Package
==== Improvements
* Drop Ubuntu Lucid (10.04) support.
* Add Ubuntu Saucy (13.10) support.
* deb: Support Ruby 2.0.0 detection on Debian.
* rpm: Update Ruby1.9.3 package for CentOS6 to Ruby1.9.3-p484.
* Remove auto-generated files from distribution archive.
[Reported by Youhei SASAKI][milter-manager-users-ja:00225]
=== Document
==== Improvements
* Update to the latest milter-greylist RPM.
[Reported by ishizaka tadanori][milter-manager-users-ja:00220]
* Improve English version reference manual.
[GitHub #17]
=== Thanks
* Youhei SASAKI
* ishizaka tadanori
- Comment out master site and home page URL as they don't work anymore.
- Define a license.
- Fix "pkglint warnings.
- Fix build on IRIX by correcting the mistake in the fix for PR pkg/28818.
Bump package revision because binary changed.
+ auth: passdb/userdb dict rewrite to support much more complex
setups. See doc/example-config/dovecot-dict-auth.conf.ext.
The old settings will continue to work.
+ auth: Added userdb result_success/failure/tempfail and skip
settings, similar to passdb's. See
http://wiki2.dovecot.org/UserDatabase
+ imap: Implemented SETQUOTA command for admin user when quota_set is
configured. See http://master.wiki2.dovecot.org/Quota/Configuration
+ quota: Support "*" and "?" wildcards in mailbox names in quota_rules
+ mysql: Added ssl_verify_server_cert=no|yes parameter. This currently
defaults to "no" to make sure nothing breaks, but likely will become
"yes" in Dovecot v2.3.
+ ldap: Added blocking=yes setting to use auth worker processes for
ldap lookups. This is a workaround for now to be able to use multiple
simultaneous LDAP connections.
+ pop3c+dsync performance improvements
- quota-status: quota_grace was ignored
- ldap: Fixed memory leak with auth_bind=yes and without
auth_bind_userdn.
- imap: Don't send HIGHESTMODSEQ anymore on SELECT/EXAMINE when
CONDSTORE/QRESYNC has never before been enabled for the mailbox.
- imap: Fixes to handling mailboxes without permanent modseqs.
(When [NOMODSEQ] is returned by SELECT, mainly with in-memory
indexes.)
- imap: Various fixes to METADATA support.
- stats plugin: Processes that only temporarily dropped privileges
(e.g. indexer-worker) may have been logging errors about not being
able to open /proc/self/io.
