Age | Commit message (Collapse) | Author | Files | Lines |
|
Update postfix to 3.5.1.
3.5.0 (2020-03-16)
Postfix stable release 3.5.0 is available. Support has ended for
legacy release Postfix 3.1.
The main changes are below. See the RELEASE_NOTES file for further details.
* Support for the haproxy v2 protocol. The Postfix implementation
supports TCP over IPv4 and IPv6, as well as non-proxied
connections; the latter are typically used for heartbeat tests.
* Support to force-expire email messages. This introduces new
postsuper(1) command-line options to request expiration, and
additional information in mailq(1) or postqueue(1) output.
* The Postfix SMTP and LMTP client support a list of nexthop
destinations separated by comma or whitespace. These destinations
will be tried in the specified order. Examples:
/etc/postfix/main.cf:
relayhost = foo.example, bar.example
default_transport = smtp:foo.example, bar.example
Incompatible changes:
* Logging: Postfix daemon processes now log the from= and to=
addresses in external (quoted) form in non-debug logging (info,
warning, etc.). This means that when an address localpart
contains spaces or other special characters, the localpart will
be quoted, for example:
from=<"name with spaces"@example.com>
Specify "info_log_address_format = internal" for backwards compatibility.
* Postfix now normalizes IP addresses received with XCLIENT,
XFORWARD, or with the HaProxy protocol, for consistency with
direct connections to Postfix. This may change the appearance
of logging, and the way that check_client_access will match
subnets of an IPv6 address.
3.5.1 (2020-04-20)
Postfix versions 3.5.1, 3.4.11, 3.3.9, 3.2.14:
* Bitrot workaround for broken builds after an incompatible change
in GCC 10.
* Bitrot workaround for broken DANE/DNSSEC support after an
incompatible change in GLIBC 2.31. This change avoids the need
for new options in /etc/resolv.conf.
|
|
upstream changes:
-----------------
Fixed in all supported stable releases:
Bug (introduced: Postfix 3.1): smtp_dns_resolver_options were broken while adding support for negative DNS response caching in postscreen. Postfix was inadvertently changed to call res_query() instead of res_search(). Reported by Jaroslav Skarvada.
Bug (introduced: Postfix 2.5): Postfix ignored the CONNECT macro overrides from a Milter application. Postfix now evaluates the Milter macros for an SMTP CONNECT event after the Postfix-to-Milter connection is negotiated. Problem reported by David Bürgin.
Bug (introduced: Postfix 3.0): sanitize (remote) server responses before storing them in the verify database, to avoid Postfix warnings about malformed UTF8. Found during code maintenance.
|
|
pkgsrc changes:
---------------
* change COMMENT to make pkglint happy (inspired by http://www.postfix.org/)
* update PLIST using make print-PLIST (missing @pkgdir)
upstream changes:
-----------------
20181125
Cleanup: dict_file_to_xxx() takes a list of file names
separated by CHARS_COMMA_SP. Shoe-horned into the existing
API, make it nicer when there is time. File: util/dict_file.c.
20181127
Cleanup: encapsulated clumsy 'read into VSTRING' code with
easier-to-use vstream_fread_buf() and vstream_fread_app()
primitives. Files: global/memcache_proto.c, global/record.c,
global/smtp_stream.c, global/smtp_stream.h, global/uxtext.c,
global/xtext.c, milter/milter8.c, util/dict_file.c,
util/hex_quote.c, util/netstring.c, util/vstream.c,
util/vstream.h. Verified with "make tests".
Cleanup: simplified the smtp_fread() API (introduced for
BDAT support), and changed the name to smtp_fread_buf().
Files: global/smtp_stream.c, smtpd/smtpd.c. Verified with
~megabyte BDAT commands.
Cleanup: simplified a tlsproxy-internal API. File:
tlsproxy/tlsproxy.c.
20181128
Initial support for key/certificate chain files that will
replace the proliferation of separate parameters for
RSA/DSA/ECC/etc. key and certificate files. Viktor
Dukhovni.
20181201
Cleanup: replaced the remaining unsafe VSTRING_AT_OFFSET()
calls with safe vstring_set_payload_size() calls, in code
that directly writes into VSTRING. Files: tls/tls_session.c,
tlsmgr/tlsmgr.c, util/casefold.c, util/vstring.c, util/vstring.h,
xsasl/xsasl_cyrus_client.c.
Cleanup: postscreen_command_time_limit did not need to be
a 'raw' parameter. This makes "postconf -x" behavior more
consistent. Files: global/mail_params.h, postscreen/postscreen.c.
Documentation: added text that the following parameter
values are not subject to Postfix parameter $name expansion:
default_rbl_reply, command_execution_directory, luser_relay,
smtpd_reject_footer. These have their own documented $name
substitution mechanism. File: proto/postconf.proto.
20181202
Bugfix: posttls-finger reported an error for UNIX-domain
connections, even if they did not fail. Found by Coverity.
File: posttls-finger/posttls-finger.c.
20181208
Documentation: add even more redundancy to the rate-delay
description. File: proto/postconf.proto.
20181210
Cleanup: code deduplication. File: util/dict_file.c.
20181226
Cleanup: code deduplication and better encapsulation with
PSC_DEL_CLIENT_STATE() and PSC_DEL_SERVER_STATE() macros.
Files: postscreen/postscreen.h, postscreen/postscreen_state.c.
Documentation: POSTSCREEN_README did not describe the
postscreen_post_queue_limit, and attributed the wrong reject
message to the postscreen_pre_queue_limit. Problem reported
by Michael Orlitzky. File: proto/POSTSCREEN_README.html.
(20181226-nonprod) Compatibility: removed support for OpenSSL
1.0.1 (not supported since December 31, 2016) and earlier
releases. This eliminated a large number of #ifdefs with
bitrot workarounds. Viktor Dukhovni. Files: global/mail_params.h,
posttls-finger/posttls-finger.c, tls/tls.h, tls/tls_certkey.c,
tls/tls_client.c, tls/tls_dane.c, tls/tls_dh.c, tls/tls_misc.c,
tls/tls_proxy_client_scan.c, tls/tls_rsa.c, tls/tls_server.c,
tls/tls_session.c.
(20181226-nonprod) Use the OpenSSL 1.0.2 and later API for
setting ECDHE curves. Viktor Dukhovni. Files: tls/tls.h,
tls/tls_client.c, tls/tls_dh.c.
(20181226-nonprod) Documentation update for TLS support.
Viktor Dukhovni. Files: mantools/postlink, proto/TLS_README.html,
proto/postconf.proto, src/sendmail/sendmail.c, src/smtpd/smtpd.c.
20181229
Explicit maps_file_find() and dict_file_lookup() methods
that decode base64 content. Decoding content is not built
into the dict->lookup() method, because that would complicate
the implementation of map nesting (inline, thash), map
composition (pipemap, unionmap), and map proxying. For
consistency, decoding base64 file content is also not built
into the maps_find() method. Files: util/dict.h.
util/dict_file.c, global/maps.[hc], postmap/postmap.c.
20190106
Documentation: documented the SRC_RHS_IS_FILE flag in
dict_open.c, and updated the -F description in the postmap
manpage. Files: util/dict_open.c, postmap/postmap.c.
(20190106-nonprod) Feature: support for files that combine
multiple (key, certificate, trust chain) instances in one
file, to avoid separate files for RSA, DSA, Elliptic Curve,
and so on. Viktor Dukhovni. Files: .indent.pro,
global/mail_params.h, posttls-finger/posttls-finger.c,
smtp/lmtp_params.c, smtp/smtp.c, smtp/smtp_params.c,
smtp/smtp_proto.c, smtpd/smtpd.c, tls/tls.h, tls/tls_certkey.c,
tls/tls_client.c, tls/tls_proxy.h, tls/tls_proxy_client_print.c,
tls/tls_proxy_client_scan.c, tls/tls_proxy_server_print.c,
tls/tls_proxy_server_scan.c, tls/tls_server.c, tlsproxy/tlsproxy.c.
(20190106-nonprod) Create a second, no-key no-cert, SSL_CTX
for use with SNI. Viktor Dukhovni. Files: src/tls/tls.h,
src/tls/tls_client.c, src/tls/tls_misc.c, src/tls/tls_server.c.
(20190106-nonprod) Server-side SNI support. Viktor Dukhovni.
Files: src/global/mail_params.h, src/smtp/smtp.c,
src/smtpd/smtpd.c, src/tls/tls.h, src/tls/tls_certkey.c,
src/tls/tls_misc.c, src/tlsproxy/tlsproxy.c,
(20190106-nonprod) Configurable client-side SNI signal.
Viktor Dukhovni. Files: global/mail_params.h,
posttls-finger/posttls-finger.c, smtp/lmtp_params.c,
smtp/smtp.c, smtp/smtp.h, smtp/smtp_params.c, smtp/smtp_proto.c,
smtp/smtp_tls_policy.c, tls/tls.h, tls/tls_client.c,
tls/tls_proxy.h, tls/tls_proxy_client_print.c,
tls/tls_proxy_client_scan.c.
20190121
Logging: support for internal logging file, without using
syslog (it uses the new postlogd daemon instead). This
solves a usability problem for MacOS, may help getting
around systemd, and solves 99% of the problem for logging
to stdout in a container (hopefully we have 100% soon).
Enable by setting, for example, "maillog_file =
/var/log/postfix.log"). This works fine for daemons, and
with some limitations for non-daemon programs. See
RELEASE_NOTES for more details. Files: conf/master.cf,
conf/post-install, conf/postfix-files, conf/postfix-script,
mantools/postlink, proto/master, proto/postconf.proto,
global/mail_params.c, global/mail_params.h, global/mail_proto.h,
global/maillog_client.c, global/maillog_client.h,
master/dgram_server.c, master/event_server.c, master/mail_server.h,
master/master.c, master/master.h, master/master_ent.c,
master/master_listen.c, master/master_proto.h,
master/master_wakeup.c, master/multi_server.c,
master/single_server.c, master/trigger_server.c,
postalias/postalias.c, postconf/postconf_master.c,
postdrop/postdrop.c, postfix/postfix.c, postkick/postkick.c,
postlog/postlog.c, postlogd/postlogd.c, postmap/postmap.c,
postmulti/postmulti.c, postqueue/postqueue.c,
postsuper/postsuper.c, sendmail/sendmail.c, util/connect.h,
util/listen.h, util/logwriter.c, util/logwriter.h,
util/msg_logger.c, util/msg_logger.h, util/msg_output.c,
util/msg_output.h, util/unix_dgram_connect.c,
util/unix_dgram_listen.c.
Cleanup: cert/key/chain loading, plus unit tests to exercise
non-error and error cases. Viktor Dukhovni. Files: tls/*.pem,
tls*.pem.ref, tls/tls_certkey.c.
20190126
Safety: Postfix programs will log to either syslog or postlog
but not both; and postlogd forwards postlog logging to
syslog, when a configuration change removes the maillog_file
pathname, but some programs still use the old configuration.
Files: util/msg_syslog.[hc], util/msg_logger.c,
global/maillog_client.c, postlogd/postlogd.c,
Bugfix (introduced: Postfix 20110109, Postfix 2.10): watchdog
pipe file descriptor leak. This pipe provides one source
of liveness, data from this pipe is discarded, and therefore
this does not enable privilege escalation or DOS. File:
util/watchdog.c.
Feature: stdout logging support; requires "postfix start-fg"
and "maillog_file = /dev/stdout". Files: master/master.c,
conf/postfix-script.
20190127
Safety: when maillog_file is specified, 'postfix check' now
requires that the postlog service is enabled in master.cf.
Otherwise 'postfix start' etc. will log a fatal error. File:
conf/postfix-script.
Documentation: added policy_context example. File:
proto/SMTPD_POLICY_README.html.
20190128
Testing: run libtls tests under Valgrind. File tls/Makefile.in.
20190129
Safety: require that $maillog_file matches one of the
pathname prefixes specified in $maillog_file_prefixes. The
maillog file is created by root, and the prefixes limit the
damage from a single configuration error. Files:
global/mail_params.[hc], global/maillog_client.c.
20191201
Feature: "postfix logrotate" command with configurable
compression program and datestamp filename suffix. File:
conf/postfix-script.
20190202
Cleanup: log a warning when the client sends a malformed
SNI; log an info message when the client sends a valid SNI
that does not match the SNI lookup tables; update the
FORWARD_SECRECY_README logging examples. Viktor Dukhovni.
Files: proto/FORWARD_SECRECY_README.html, tls/tls.h,
tls/tls_client.c, tls/tls_misc.c.
20190208
Debugging: the master(8) daemon now logs a warning if a
master.cf entry is defined multiple times. File:
src/master/master_conf.c.
20190209
Debugging: tlsproxy(8) now logs more details about unexpected
configuration differences between the Postfix SMTP client
and the tlsproxy(8) daemon.
20190210
Documentation: Postfix 3.4.0 RELEASE NOTES.
Documentation: added BDAT_README.
Documentation: global TLS settings. Files: mantools/postlink,
smtp/smtp.c, tlsproxy/tlsproxy.c.
20190211
Cleanup: removed obsolete parameters: tls_dane_digest_agility,
tls_dane_trust_anchor_digest_enable; removed openssl_path
parameter from configuration difference checks in tlsproxy.
Files: global/mail_params.h, tls/tls_misc.c,
tls/tls_proxy_client_misc.c, tls/tls_proxy_client_print.c,
tls/tls_proxy_client_scan.c, tls/tls_proxy.h.
20190212
Cleanup: missing #ifdef USE_TLS. Files: smtp/smtp_session.c,
posttls-finger/posttls-finger.c.
20190217
Cleanup: when the master daemon runs with PID=1 (init mode),
reap orhpan processes from non-Postfix code running in the
same container, instead of terminating with a panic. File:
master/master_spawn.c.
20190218
Bugfix: tlsproxy did not enable DANE-style PKI because
libtls seems to have to accreted multiple init functions
instead of reusing the tls_client_init() and tls_client_start()
API. And some functions that do initialization don't even
have init in their name! Problem report by Andreas Schulze.
Viktor Dukhovni. Files: tls/tls_misc.c, tlsproxy/tlsproxy.c.
Workaround: Postfix libtls makes DANE-specific changes to
the shared SSL_CTX. To avoid false sharing, tlsproxy needs
to label the SSL_CTX cache with DANE bits until we can
remove the code that modifies SSL_CTX. File: tlsproxy/tlsproxy.c.
Cleanup: Postfix libtls changed the shared SSL_CTX to
override ciphers. instead of changing the SSL handle. To
avoid false sharing in tlsproxy, the changes are now made
to the SSL handle. Viktor Dukhovni. Files: tls/tls.h,
tls/tls_client.c, tls/tls_misc.c, tls/tls_server.c.
20190219
Bugfix: in the Postfix SMTP client, TLS wrappermode was not
tested in tlsproxy mode. It needed some setup for buffering
and timeouts. Problem report by Andreas Schulze. File:
smtp/smtp_proto.c.
20190304
Bugfix: a reversed test broke TLS configurations that specify
the same filename for a private key and certificate. Reported
by Mike Kazantsev. Fix by Viktor Dukhovni. Wietse fixed the
test. Files: tls/tls_certkey.c, tls/Makefile.in.
20190310
Bitrot: LINUX5s support, after some sanity checks with a
rawhide prerelease version. Files: makedefs, util/sys_defs.h.
Bugfix (introduced: 20181226): broken DANE trust anchor
file support, caused by left-over debris from the 20181226
TLS library overhaul. By intrigeri. File: tls/tls_dane.c.
Bugfix (introduced: Postfix-1.0.1): null pointer read, while
logging a warning after a corrupted bounce log file. File:
global/bounce_log.c.
Bugfix (introduced: Postfix-2.9.0): null pointer read, while
logging a warning after a postscreen_command_filter read
error. File: postscreen/postscreen_smtpd.c. global/bounce_log.c
20190312
Bugfix (introduced: Postfix 2.2): reject_multi_recipient_bounce
has been producing false rejects starting with the Postfix
2.2 smtpd_end_of_data_restrictons, and for the same reasons,
does the same with the Postfix 3.4 BDAT command. The latter
was reported by Andreas Schulze. File: smtpd/smtpd_check.c.
20190319
With message_size_limit=0 (which is NOT DOCUMENTED), BDAT
chunks were always rejected as too large. File: smtpd/smtpd.c
20190328
Bugfix (introduced: Postfix 3.0): LMTP connections over
UNIX-domain sockets were cached but not reused, due to a
cache lookup key mismatch. Therefore, idle cached connections
could exhaust LMTP server resources, resulting in two-second
pauses between email deliveries. This problem was investigated
by Juliana Rodrigueiro. File: smtp/smtp_connect.c.
20190331
Documentation: tlsext_padding is not a tls_ssl_options
feature. File: proto/postconf.proto.
20190401
Portability: added "#undef sun" to util/unix_dgram_connect.c.
20190403
Bugfix (introduced: Postfix 2.3): a censoring filter broke
multiline Milter responses for header/body events. Problem
report by Andreas Thienemann. Files: util/printable.c,
util/stringops.h, smtpd/smtpd.c
Bugfix (introduced: Postfix 3.3): "smtp_mx_address_limit =
0" no longer meant 'unlimited'. Problem report by Luc Pardon.
File: smtp/smtp_addr.c.
20190615
Documentation: updated the BUGS section in the smtp(8) manpage
about TLS connection reuse. File: smtp/smtp.c.
Workaround for implementations that hang Postfix while
shutting down a TLS session, until Postfix times out. With
"tls_fast_shutdown_enable = yes" (the default), Postfix no
longer waits for the TLS peer to respond to a TLS 'close'
request. This is recommended with TLSv1.0 and later. Files:
global/mail_params.h, tls/tls_session.c, and documentation.
20190621
Bugfix (introduced: Postfix 3.0): the code to reset Postfix
SMTP server command counts was not called after a HaProxy
handshake failure, causing stale numbers to be reported.
The command counts are now reset in the function that reports
the counts. File: smtpd/smtpd.c.
|
|
Update mail/postfix to 3.2.5.
[An on-line version of this announcement will be available at
http://www.postfix.org/announcements/postfix-3.2.4.html]
This announcement concerns fixes for problems that were introduced
with Postfix 3.0 and later. Older supported releases are unaffected.
Fixed in Postfix 3.1 and later:
* DANE interoperability. Postfix builds with OpenSSL 1.0.0 or
1.0.1 failed to send email to some sites with "TLSA 2 X X" DNS
records associated with an intermediate CA certificate. Problem
report and initial fix by Erwan Legrand.
Fixed in Postfix 3.0 and later:
* Missing dynamicmaps support in the Postfix sendmail command.
This broke authorized_submit_users settings that use a
dynamically-loaded map type. Problem reported by Ulrich Zehl.
|
|
Checks are against __NetBSD__Version__ anyway.
Fixes NetBSD 8.99.1 build
|
|
pkgsrc change: Add support for NetBSD 8.
This announcement (June 13, 2017) includes changes that were released
with an earlier update (June 10, 2017). The announcement was postponed
to avoid confusion due to repeated notification.
Fixed in all supported releases:
* Security: Berkeley DB versions 2 and later try to read settings
from a file DB_CONFIG in the current directory. This undocumented
feature may introduce undisclosed vulnerabilities resulting in
privilege escalation with Postfix set-gid programs (postdrop,
postqueue) before they chdir to the Postfix queue directory,
and with the postmap and postalias commands depending on whether
the user's current directory is writable by other users. This
fix does not change Postfix behavior for Berkeley DB versions
< 3, but it does reduce postmap and postalias 'create' performance
with Berkeley DB versions 3.0 .. 4.6.
Fixed in Postfix 3.2 and later:
* The SMTP server receive_override_options were not restored at
the end of an SMTP session, after the options were modified by
an smtpd_milter_maps setting of "DISABLE". Milter support
remained disabled for the life time of the smtpd process.
* After the Postfix 3.2 address/domain table lookup overhaul, the
check_sender_access and check_recipient_access features ignored
a non-default parent_domain_matches_subdomains setting.
|
|
- Elliptic curve negotiation with OpenSSL >= 1.0.2. This changes the
default smtpd_tls_eecdh_grade setting to "auto", and introduces a
new parameter tls_eecdh_auto_curves with the names of curves that may
be negotiated.
- Stored-procedure support for MySQL databases.
- Cidr: table support for if/endif and negation (by prepending ! to a
pattern), just like regexp: and pcre: tables. See the cidr_table(5)
manpage for details.
- The postmap command and the inline: and texthash: maps now support
spaces in left-hand field of lookup table source text. Use double
quotes (") around a left-hand field that contains spaces, and use
backslash (\) to protect quotes in a left-hand field.
- Support for per-client Milter configuration (smtpd_milter_maps) that
overrides the main.cf smtpd_milters setting, and that has the same
syntax. A lookup result of "DISABLE" turns off Milter support for that
client.
- The local SMTP server IP address and port are available in the
policy delegation protocol (attribute names: server_address,
server_port), in the Milter protocol (macro names: {daemon_addr},
{daemon_port}), and in the XCLIENT protocol (attribute names:
DESTADDR, DESTPORT).
- For safety reasons, the Postfix sendmail -C option must specify an
authorized directory: the default configuration directory, a
directory that is listed in the default main.cf file with
alternate_config_directories or multi_instance_directories, otherwise
the command must be invoked with root privileges. This mitigates a
recurring "jail break" problem with the PHP mail() function.
- "PASS" and "STRIP" actions in header/body_checks. "STRIP" is similar
to "IGNORE" but also logs the action, and "PASS" disables header,
body, and Milter inspection for the remainder of the message content.
- The collate.pl script by Viktor Dukhovni for grouping Postfix
logfile records into "sessions" based on queue ID and process ID
information, in the auxiliary/collate directory of the Postfix source
tree.
Disabled or removed behavior:
- SMTPUTF8 support: Postfix 3.2 disables the 'transitional'
compatibility between the IDNA2003 and IDNA2008 standards for
internationalized domain names (domain names beyond the limits of
US-ASCII). This makes Postfix behavior consistent with contemporary
web browsers.
- Postfix 3.2 removes tentative features that were implemented before
the DANE spec was finalized: support for certificate usage
PKIX-EE(1), the ability to disable digest agility, and the ability to
disable support for "TLSA 2 [01] [12]" records that specify the digest
of a trust anchor.
|
|
LD_LIBRARY_PATH is not propagated when set with env, e.g.:
env LD_LIBRARY_PATH=path/to/lib ./script.sh
will not work (other variable names work correctly).
|
|
|
|
and ldflags. should help PR pkg/51354: mail/postfix eai option does not
work because of test in makedef.
bump PKGREVISION
|
|
3.1.0
The main changes in no particular order are:
* "postfix tls" command to simplify setup of opportunistic TLS,
and to simplify SMTP server key/certificate management.
* Positive and negative DNS reply TTL support in postscreen(8).
* SASL AUTH rate limit in the Postfix SMTP server.
* A safety limit on the number of address verify requests.
* JSON-format Postfix queue listing.
* Destination-independent delivery rate delay
For details, see the RELEASE_NOTES file.
3.1.1
Fixed in all supported releases:
* The Milter "replace sender" (SMFIR_CHGFROM) request lost an
address that was added with sender_bcc_maps, resulting in a
"rcpt count mismatch" warning. Reported by Joerg Backschues.
This defect was introduced with Postfix 2.6.
* The "bad filetype" example in the header_checks(5) manpage
falsely rejected Content- headers with ``name="example";
x-apple-part-url="example.com"''. Reported by Cedric Knight.
This defect was introduced with Postfix 2.6.
3.1.2
Fixed with Postfix 3.1.2:
* Changes to make Postfix build with OpenSSL 1.1.0.
Fixed with Postfix 3.1.2 and 3.0.6:
* The makedefs script ignored readme_directory=pathname overrides.
Fix by Todd C. Olson.
* The tls_session_ticket_cipher documentation says that the default
cipher for TLS session tickets is aes-256-cbc, but the implemented
default was aes-128-cbc. Note that TLS session ticket keys are
rotated after 1/2 hour, to limit the impact of attacks on session
ticket keys.
|
|
Very surprisingly, postfix's build hard-codes shared library behavior
in a giant case statement not only per OS but per version, essentially
open-coding libtool while not being complete. This commit copies the
netbsd-6 flags to netbsd-5, as a minimal change during the freeze to
let this build on netbsd-5 (where it then works fine).
|
|
Database and regexp map functionality is now split into separate packages:
- postfix-cdb
- postfix-ldap
- postfix-lmdb
- postfix-mysql
- postfix-pcre
- postfix-pgsql
- postfix-sqlite
Upstream changelog follows.
Postfix 3.0.2
-------------
No delta against 2.11.6.
Postfix 3.0.1
-------------
- Build error when compiling the Postfix SMTP server with SASL support
but no TLS support.
- The DNS "resource record to text" converter, used for xxx_dns_reply_filter
pattern matching, appended a '.' to TXT record resource values.
- The postscreen(8) manpage specified an incorrect Postfix version number
for the postscreen_dnsbl_timeout parameter.
- The postfix-install script expanded macros in parameter values when
trying to detect parameter overrides, causing unnecessary main.cf updates
during "postfix start" etc.
- Some low-level cleanup of UTF-8 string handling with no visible change
in behavior (besides better performance).
Postfix 3.0.0
-------------
- SMTPUTF8 support for internationalized domain names and address
localparts as defined in RFC 6530 and related documents.
- Support for Postfix dynamically-linked libraries and database plugins.
- An OPT-IN safety net for the selective adoption of new Postfix default
settings. If you do nothing, the old Postfix default settings *should*
remain in effect (complain to your downstream maintainer if that is not
the case).
- Support for operations on multiple lookup tables. The
pipemap:{map1,map2...} database type implements a pipeline of lookup
tables where the result from one lookup table becomes a query for
the next table; the unionmap:{map1,map2,...} database type sends the
|
|
With all supported Postfix releases, the default settings have been
updated so that they no longer enable export-grade ciphers, and no
longer enable the SSLv2 and SSLv3 protocols. These ciphers and
protocols have little if any legitimate use today, and have instead
become a vehicle for downgrade attacks. There are no other code
changes.
Postfix documentation has been updated to reflect the new default
settings and their rationale; the RELEASE_NOTES give suggestions
for how to enable the old ciphers and protocols if your infrastructure
requires them.
Finally, abandoning deprecated ciphers and protocols does not really
improve TLS security without measures to better authenticate remote
servers. Secure DNS and TLSA are steps in that direction.
|
|
|
|
The main changes in no particular order are:
* Support for PKI-less TLS server certificate verification with
DANE (DNS-based Authentication of Named Entities) where the CA
public key or the server certificate is identified via DNSSEC
lookup. This requires a DNS resolver that validates DNSSEC
replies. The problem with conventional PKI is that there are
literally hundreds of organizations world-wide that can provide
a certificate in anyone's name. DANE limits trust to the people
who control the target DNS zone and its parent zones.
* Support for LMDB databases. Originally developed as part of
OpenLDAP, LMDB is the first persistent Postfix database that
can be shared among multiple writers such as postscreen daemons
(Postfix already supported shared non-persistent memcached
caches). Postfix currently requires LMDB version 0.9.11 or
later. See LMDB_README for details and limitations.
* A new postscreen_dnsbl_whitelist_threshold feature to allow
clients to skip postscreen tests based on their DNSBL score.
This can eliminate email delays due to "after 220 greeting"
protocol tests, which otherwise require that a client reconnects
before it can deliver mail. Some providers such as Google don't
retry from the same IP address, and that can result in large
email delivery delays.
* The recipient_delimiter feature now supports different delimiters,
for example both "+" and "-". As before, this implementation
recognizes exactly one delimiter character per email address,
and exactly one address extension per email address.
* Advanced master.cf query/update support to access service
attributes as "name = value" pairs. For example to turn off
chroot on all services use "postconf -F '*/*/chroot = n'", and
to change/add a "-o name=value" setting use "postconf -P
smtp/inet/name = value". This was developed primarily to allow
automated tools to manage Postfix systems without having to
parse Postfix configuration files.
|
|
2.10.2
* TLS Interoperability workaround: turn on SHA-2 digests by force. This
improves interoperability with clients and servers that deploy SHA-2 digests
without the required support for TLSv1.2-style digest negotiation.
* TLS Performance workaround: the Postfix SMTP server TLS session cache had
become ineffective because recent OpenSSL versions enable session tickets by
default, resulting in a different ticket encryption key for each smtpd(8)
process. The workaround turns off session tickets. Postfix 2.11 will enable
session tickets properly.
* TLS Interoperability workaround: Debian Exim versions before 4.80-3 may fail
to communicate with Postfix and possibly other MTAs, with the following Exim
SMTP client error message:
TLS error on connection to server-name [server-address]
(gnutls_handshake): The Diffie-Hellman prime sent by the server is not
acceptable (not long enough)
See the RELEASE_NOTES file for a Postfix SMTP server configuration
workaround.
* Bugfix (defect introduced: 1997): memory leak while forwarding mail with the
local(8) delivery agent, in code that handles a cleanup(8) server error.
2.10.1
* Workaround: down-stream maintainers fail to install the new
smtpd_relay_restrictions safety net, causing breakage that could have been
avoided. We now hard-code the safety net instead.
2.10.0
* Separation of relay policy (with smtpd_relay_restrictions) from spam policy
(with smtpd_{client, helo, sender, recipient}_restrictions), which makes
accidental open relay configuration less likely. The default is backwards
compatible.
* HAproxy load-balancer support for postscreen(8) and smtpd(8). The nginx
proxy was already supported by Postfix 2.9 smtpd(8), using XCLIENT commands.
* Support for the TLSv1 and TLSv2 protocols, as well as support to turn them
off if needed for inter-operability.
* Laptop-friendly configuration. By default, Postfix now uses UNIX-domain
sockets instead of FIFOs, and thus avoids MTIME file system updates on an
idle mail system.
* Revised postconf(1) command. The "-x" option expands $name in a parameter
value (both main.cf and master.cf); the "-o name=value" option overrides a
main.cf parameter setting; and postconf(1) now warns about a $name that has
no name=value setting.
* Sendmail-style "socketmap" lookup tables.
|
|
Changes:
2.9.8
* TLS Interoperability workaround: turn on SHA-2 digests by force.
This improves interoperability with clients and servers that
deploy SHA-2 digests without the required support for TLSv1.2-style
digest negotiation.
* TLS Performance workaround: the Postfix SMTP server TLS session
cache had become ineffective because recent OpenSSL versions
enable session tickets by default, resulting in a different
ticket encryption key for each smtpd(8) process. The workaround
turns off session tickets. Postfix 2.11 will enable session
tickets properly.
* TLS Interoperability workaround: Debian Exim versions before
4.80-3 may fail to communicate with Postfix and possibly other
MTAs, with the following Exim SMTP client error message:
TLS error on connection to server-name [server-address]
(gnutls_handshake): The Diffie-Hellman prime sent by the
server is not acceptable (not long enough)
See the RELEASE_NOTES file for a Postfix SMTP server configuration
workaround.
* Bugfix (defect introduced: 1997): memory leak while forwarding
mail with the local(8) delivery agent, in code that handles a
cleanup(8) server error.
2.9.7
* Bugfix (introduced: Postfix 2.0): when myhostname is not listed in
mydestination, the trivial-rewrite resolver may log "do not list in both
mydestination and ". The fix is to re-resolve a domain-less address after
adding $myhostname as the surrogate domain, so that it pops out with the
right address-class label. Reported by Quanah Gibson-Mount.
* Bugfix (introduced: Postfix 2.3): don't reuse TCP connections when
smtp_tls_policy_maps is specified. TLS policies may depend on the remote
destination, but the Postfix <2.11 SMTP connection cache client does not
distinguish between different destinations that resolve to the same IP
address. Victor Duchovni. Found during Postfix 2.11 code maintenance.
* Bugfix (introduced: Postfix 2.2): don't reuse TCP connections when SASL
authentication is enabled. SASL passwords may depend on the remote SMTP
server hostname, but the Postfix <2.11 SMTP connection cache client does not
distinguish between different hostnames that resolve to the same IP
address. Found during Postfix 2.11 code maintenance.
|
|
of DB support (like mysql, postgres, etc). Also fixes PR43637
Tested by me.
|
|
Changes from 2.8.14 are too many to write here, please refer RELEASE_NOTES.
|
|
Postfix 2.8 and later:
* The postscreen_access_list feature failed to ignore case in the
first character of a command (e.g., permit, reject, etc.).
Reported by Francis Picabia. (This fix is incorrectly listed
in the HISTORY files of earlier releases, and will be removed
with a future patch.)
All supported releases:
* Strip the datalink suffix (e.g., %eth0) from IPv6 addresses
returned by the system getaddrinfo() routine. Such suffixes
break the default mynetworks value, the Postfix SMTP server's
reverse/forward DNS name/address mapping check, and possibly
more.
* To eliminate the possibility of collisions with connection cache
lookup keys, the Postfix LDAP client now computes those lookup
keys by joining the number-valued connection properties with
ASCII null, just like it already did with the string-valued
connection properties.
* There was a memory leak during one-time TLS library initialization
(introduced with Postfix 2.5). Reported by Coverity.
* There was a memory leak in the unused oqmgr(8) program (introduced
with Postfix 2.3). Reported by Coverity.
|
|
|
|
Postfix stable release 2.8.7 is available. This contains a workaround
for a problem that is fixed in Postfix 2.9.
* The postscreen daemon, which is not enabled by default, sent
non-compliant SMTP responses (220- followed by 421) when it
could not give a connection to a real smtpd process. These
responses caused some remote SMTP clients to return mail as
undeliverable.
The workaround is to hang up after sending 220- without sending
the 421 "sorry" reply; this is harmless.
The complete fix involves too much change for a stable release:
send the 220 greeting, wait for the EHLO command, then send
the 421 "sorry" reply and hang up.
|
|
Postfix stable release 2.8.2 is available. This release has minor
fixes that are already in the experimental (2.9) release.
- Bugfix: postscreen DNSBL scoring error. When a client disconnected
and then reconnected before all DNSBL results for the earlier
session arrived, DNSBL results for the earlier session would be
added to the score for the later session. This is very unlikely
to have affected any legitimate mail.
- Workaround: the SMTP client did not support mail to [ipv6:ipv6addr].
- Portability: FreeBSD closefrom() was back-ported to FreeBSD 7,
breaking FreeBSD 7.x support retroactively.
- Portability: the SUN compiler had trouble with a pointer expression
of the form ``("text1" "text2") + constant'' so we don't try to
be so clever.
|
|
Postfix stable release 2.8.0 is available. This release continues the
move towards improving code and documentation, and making the system
better prepared for changes in the threat environment.
The postscreen daemon (a zombie blocker in front of Postfix) is now
included with the stable release. postscreen now supports TLS and can
log the rejected sender, recipient and helo information. See the
POSTSCREEN_README file for recommended usage scenarios.
Support for DNS whitelisting (permit_rhswl_client), and for pattern
matching to filter the responses from DNS white/blacklist servers
(e.g., reject_rhsbl_client zen.spamhaus.org=127.0.0.[1..10]).
Improved message tracking across SMTP-based content filters; the
after-filter SMTP server can log the before-filter queue ID (the
XCLIENT protocol was extended).
Read-only support for sqlite databases. See sqlite_table(5) and
SQLITE_README.
Support for 'footers' that are appended to SMTP server "reject"
responses. See "smtpd_reject_footer" in the postconf(5) manpage.
This update was tested by Takahiro Kambe.
|
|
|
|
Postfix stable release 2.7.0 is available. For the past several
releases, the focus has moved towards improving the code and
documentation, and updating the system for changing environments.
- Improved before-queue content filter performance. With
"smtpd_proxy_options = speed_adjust", the Postfix SMTP server
receives the entire message before it connects to a before-queue
content filter. Typically, this allows Postfix to handle the same
mail load with fewer content filter processes.
- Improved address verification performance. The verify database
is now persistent by default, and it is automatically cleaned
periodically, Under overload conditions, the Postfix SMTP server
no longer waits up to 6 seconds for an address probe to complete.
- Support for reputation management based on the local SMTP client
IP address. This is typically implemented with "FILTER transportname:"
actions in access maps or header/body checks, and mail delivery
transports in master.cf with unique smtp_bind_address values.
- The postscreen daemon (a zombie-blocker in front of Postfix) is
still too rough for a stable release, and will be made "mature"
in the Postfix 2.8 development cycle (however you can use Postfix
2.7 with the Postfix 2.8 postscreen and dnsblog executables and
master.cf configuration; this code has already proven itself).
No functionality has been removed, but it is a good idea to review
the RELEASE_NOTES file for the usual minor incompatibilities or
limitations.
You can find Postfix version 2.7.0 at the mirrors listed at
http://www.postfix.org/
The same code is also available as Postfix snapshot 2.8-20100213.
Updated versions of Postfix version 2.6, 2.5 and perhaps earlier
will be released with the same fixes that were already included
with Postfix versions 2.7 and 2.8.
|
|
- Multi-instance support introduces a new postmulti(1) command to
create/add/remove/etc. additional Postfix instances. The familiar
"postfix start" etc. commands now automatically start multiple
Postfix instances. The good news: nothing changes when you use
only one Postfix instance. See MULTI_INSTANCE_README for details.
- Multi-instance support required that some files be moved from
the non-shared $config_directory to the shared $daemon_directory.
The affected files are postfix-script, postfix-files and post-install.
- TLS (SSL) support was updated for elliptic curve encryption. This
requires OpenSSL version 0.9.9 or later. The SMTP client no longer
uses the SSLv2 protocol by default. See TLS_README for details.
- The Milter client now supports all Sendmail 8.14 Milter requests,
including requests for rejected recipient addresses, and requests
to replace the envelope sender address. See MILTER_README for
details.
- Postfix no longer adds (Resent-) From:, Date:, Message-ID: or To:
headers to email messages with "remote" origins (these are origins
that don't match $local_header_rewrite_clients). Adding such
headers breaks DKIM signatures that explicitly cover non-present
headers. For compatibility with existing logfile processing
software, Postfix will log ``message-id=<>'' for email messages
that have no Message-Id header.
- Stress-adaptive behavior is now enabled by default. This allows
the Postfix SMTP server to temporarily reduce time limits and
error-count limits under conditions of overload, such as a malware
attack or backscatter flood. See STRESS_README for details.
No functionality has been removed, but it is a good idea to review
the RELEASE_NOTES file for the usual minor incompatibilities or
limitations.
|
|
|
|
No existing binary packages are affected so I didn't bump the revision...
|
|
|
|
Postfix 2.4 and later, on Linux kernel 2.6, is vulnerable to a
denial of service attack by a local user. There is no breach of
data confidentiality or data integrity. This problem was found by
the Postfix author during routine source code maintenance.
An on-line version of this announcement is available at
http://www.postfix.org/announcements/20080902.html
|
|
- TLS (SSL) support was streamlined further, and provides a new security level
based on certificate fingerprints instead of CA signatures. See TLS_README
for details.
- Milter support was updated from the Sendmail 8.13 feature set and now
includes most of the features that were introduced with Sendmail 8.14. See
MILTER_README for details.
- Stress-adaptive configuration was introduced. This allows the Postfix SMTP
server to temporarily adjust its rules under conditions of overload, such as
a malware attack or backscatter flood. See STRESS_README for details.
[pkgsrc: this obsoletes the "postfix-stress" option which provided the same
functionality via a distribution patch]
- The queue manager scheduler was refined. It now provides per-transport
scheduling controls and allows for adjustment of the sensitivity to mail
delivery (non-)errors. See SCHEDULER_README.
- Security was improved by introducing a Postfix-owned data_directory for
storage of randomness, caches and other non-queue data. This change avoids
future security loopholes due to untrusted data sitting in root-owned files
or in root-owned directories. Writes to legacy files in root-owned
directories are automatically redirected to files in the new data_directory.
No functionality has been removed, but it is a good idea to review the
RELEASE_NOTES file for the usual minor incompatibilities or limitations.
|
|
20070425
Bugfix: don't falsely report "lost connection from
localhost[127.0.0.1]" when Postfix is being portscanned.
Files: smtpd/smtpd_peer.c, qmqpd/qmqpd_peer.c.
20070430
Robustness: recommend a "0" process limit for policy servers
to avoid "connection refused" problems when the smtpd
process limit exceeds the default process limit. File:
proto/SMTPD_POLICY_README.html.
20070501
Safety: when IPv6 (or IPv4) is turned off, don't treat an
IPv6 (or IPv4) connection from e.g. inetd as if it comes
from localhost[127.0.0.1]. Files: smtpd/smtpd_peer.c,
qmqpd/qmqpd_peer.c.
20070508
Bugfix: Content-Transfer-Encoding: attribute values are
case insensitive. File: src/cleanup/cleanup_message.c.
20070514
Bugfix: mailbox_transport(_maps) and fallback_transport(_maps)
were broken when used with the error(8) or discard(8)
transports. Cause: insufficient documentation. Files:
error/error.c, discard/discard.c.
20070520
Bugfix (problem introduced Postfix 2.3): when DSN support
was introduced it broke "agressive" recipient duplicate
elimination with "enable_original_recipient = no". File:
cleanup/cleanup_out_recipient.c.
20070529
Bugfix (introduced Postfix 2.3): the sendmail/postdrop
commands would hang when trying to submit a message larger
than the per-message size limit. File: postdrop/postdrop.c.
20070530
Sabotage the saboteur who insists on breaking Postfix by
adding gethostbyname() calls that cause maildir delivery
to fail when the machine name is not found in /etc/hosts,
or that cause Postfix processes to hang when the network
is down.
20070531
Portability: Victor helpfully pointed out that change
20070425 broke on non-IPv6 systems. Files: smtpd/smtpd_peer.c,
qmqpd/qmqpd_peer.c.
|
|
The footprint of new features with Postfix 2.4.0 is significantly
smaller than with earlier releases. And that is the whole point of
approaching completeness: fewer visible changes.
Below is a brief summary of what has changed. See the RELEASE_NOTES
file for more, including compatibility issues that may affect your
site. The HISTORY file gives a blow-by-blow account of what happened
over the past year.
Wietse
- Postfix can now manage thousands of connections without needing
special main.cf, master.cf, or compile-time tweaks, on systems with
BSD kqueue, Solaris /dev/poll, or Linux epoll support.
- Milter support for message body replacement. The resulting queue
files are backwards compatible with Postfix 2.3. The existing Milter
support for message header manipulations was revised and is now
implemented by much simpler code.
- Minor improvements in TLS session cache management and in the
implementation of certificate fingerprint based authentication. A
more extensive revision of TLS internals will appear first in Postfix
2.5 snapshots.
- Improvements in queue manager performance when deferring large
amounts of mail, or when delivering mail with lots of recipients.
- Workarounds for SMTP servers that reply and hang up prematurely,
for file system clocks that are out of sync, and for broken kernel
lock management in POP servers.
|
|
Postfix 2.3 Patch 04 fixes minor problems as detailed in the change
history below. The patch as well as complete source code tarballs
were uploaded last week to the mirrors listed at http://www.postfix.org/
20060831
Bugfix (introduced with initial implementation): missing
"dict_errno = 0" caused mis-leading error messages after
non-error lookup failure. Victor Duchovni. File:
util/dict_cidr.c.
Robustness: the default TLS cipher lists were changed from
!foo:ALL into ALL:!foo. Victor Duchovni. Files:
global/mail_params.h and documentation.
20060902
Bugfix (introduced Postfix 2.3): the LMTP client stripped
"inet": from the next-hop destination, but still used the
complete next-hop from the delivery request. File:
smtp/smtp_connect.c.
20060903
Cleanup: record loop detection. File: global/record.c.
20060929
Workaround: AIX 5.[1-3] getaddrinfo() creates socket address
structures with a non-zero port value. This breaks the
smtp_bind_address etc. features, and breaks inet_interfaces
settings with only one IP address. Problem reported by
Hamish Marson. Files: util/sock_addr.[hc], util/myaddrinfo.c.
Bugfix (introduced with the Postfix TLS patch): memory leak
in verify_extract_peer(). The OpenSSL documentation provides
no information on how subjectAltNames are managed. Sam
Rushing, ironport. File: tls/tls_client.c.
Bugfix (introduced with Postfix 2.2): smtp_generic_maps
turned on MIME conversion. File: smtp/smtp_proto.c.
Workaround: don't send SIZE information in the MAIL FROM
command when message content will be subject to 8bit ->
quoted-printable conversion. File: smtp/smtp_proto.c.
20061002
Compatibility: Sendmail now invokes the Milter connect
action with the verified hostname instead of the name
obtained with PTR lookup. File: smtpd/smtpd.c.
20061004
Cleanup: force space between mailq queueid+status and file
size items. File: showq/showq.c.
20061015
Cleanup: convert the Milter {mail_addr} and {rcpt_addr}
macro values to external form. File: smtpd/smtpd_milter.c.
Cleanup: the Milter {mail_addr} and {rcpt_addr} macros are
now available with non-SMTP mail. File: cleanup/cleanup_milter.c.
Cleanup: convert addresses in Milter recipient add/delete
requests to internal form. File: cleanup/cleanup_milter.c.
Cleanup: with non-SMTP mail, convert addresses in simulated
MAIL FROM and RCPT TO events to external form. File:
cleanup/cleanup_milter.c.
20061017
Cleanup: removed spurious warning when the cleanup server
attempts to bounce mail with soft_bounce=yes. Problem
reported by Ralf Hildebrandt. File: cleanup/cleanup_bounce.c.
Bugfix: null pointer bug when receiving a non-protocol
response on a cached SMTP/LMTP connection. Report by Brian
Kantor. Fix by Victor Duchovni. File: smtp/smtp_reuse.c.
|
|
in post-extract.
I exchanges few mails with Wietse and he refused to fix the "==" lines and
instructed me to simply remove the offending file. Instead of having a patch
for a file which is not used by pkgsrc I think it makes sense to remove it.
|
|
|
|
|
|
- File corruption while executing a Milter "header insert" action
with headers-only mail (found with dk-filter). Delivery agents
would go into an infinite loop because some queue file update
had been done in the wrong order. As a precaution, delivery
agents now detect such loops, and the queue manager now saves
such mail to the "corrupt" directory.
- Segmentation fault in the SMTP client while saving a cached
connection with unsent data. Postfix indexed some table with -1,
because some I/O cleanup had been done in the wrong order. The
same problem should exist in Postfix 2.2.
- Postfix no longer announces its name in delivery status notifications.
All other details of the default bounce text remain unchanged.
The reason for this change is that too many people believe that
Wietse provides a free helpdesk service that solves all their
email problems.
|
|
Bump PKGREVISION.
|
|
This is the first version in the 2.3.x series, please see the release notes
for full list of changes since 2.2.x before upgrading your current
installation.
|
|
$smtp_sasl_security_options (as documented in postconf(5)) instead of
$var_smtp_sasl_opts, which is never defined. This is a bug that exists
in the Postfix-2.2.x series but has been fixed in the (current)
Postfix-2.3.x series. This fixes PR pkg/29631 by Christoph Badura.
Bump the PKGREVISION to 1.
|
|
Postfix 2.2.8 backs out a workaround for broken servers/firewalls
that created more problems than it solved.
- The Postfix 2.2.6 paranoia about malformed remote server replies
caused "multiple delivery" problems or "no delivery" problems with
broken servers/firewalls. Postfix still logs a warning but no longer
defers delivery.
|
|
Postfix 2.2 patch 06 catches up with minor fixes that were fielded
earlier in the experimental Postfix 2.3 snapshots.
|
|
be used) according to Wietse Venema.
PKGREVISION++
|
|
|
|
version bump. Fixes pkg/31952.
|
|
|
|
No pkgrevision bumps needed.
|