| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
- Postfix 2.5: the SMTP server did not ask for a client certificate
with "smtpd_tls_req_ccert = yes". Reported by Rob Foehl.
- Postfix 2.5, 2.4 and 2.3: avoid reduced TCP performance when
reusing an SMTP connection with a larger than 4096-byte TCP MSS
value. In practice, this could happen only with loopback (localhost)
connections.
|
|
|
|
|
|
No existing binary packages are affected so I didn't bump the revision...
|
|
|
|
Postfix 2.4 and later, on Linux kernel 2.6, is vulnerable to a
denial of service attack by a local user. There is no breach of
data confidentiality or data integrity. This problem was found by
the Postfix author during routine source code maintenance.
An on-line version of this announcement is available at
http://www.postfix.org/announcements/20080902.html
|
|
|
|
20080804
Bugfix: dangling pointer in vstring_sprintf_prepend().
File: util/vstring.c.
20080814
Security: some systems have changed their link() semantics,
and will hardlink a symlink, contrary to POSIX and XPG4.
Sebastian Krahmer, SuSE. File: util/safe_open.c.
The solution introduces the following incompatible change:
when the target of mail delivery is a symlink, the parent
directory of that symlink must now be writable by root only
(in addition to the already existing requirement that the
symlink itself is owned by root). This change will break
legitimate configurations that deliver mail to a symbolic
link in a directory with less restrictive permissions.
|
|
When a mailbox file is not owned by its recipient, the local and
virtual delivery agents now log a warning and defer delivery.
Specify "strict_mailbox_ownership = no" to ignore such ownership
discrepancies.
[HISTORY]
20080509
Bugfix: null-terminate CN comment string after sanitization.
File: smtpd/smtpd.c.
20080603
Workaround: avoid "bad address pattern" errors with non-address
patterns in namadr_list_match() calls. File: util/match_ops.c.
20080620
Bugfix (introduced 20080207): "cleanup -v" panic because
the new "SMTP reply" request flag did not have a printable
name. File: global/cleanup_strflags.c.
Cleanup: using "Before-queue content filter", RFC3848
information was not added to the headers. Carlos Velasco.
File smtpd/smtpd.c.
20080717
Cleanup: a poorly-implemented integer overflow check for
TCP MSS calculation had the unexpected effect that people
broke Postfix on LP64 systems while attempting to silence
a compiler warning. File: util/vstream_tweak.c.
20080725
Paranoia: defer delivery when a mailbox file is not owned
by the recipient. Requested by Sebastian Krahmer, SuSE.
Specify "strict_mailbox_ownership=no" to ignore ownership
discrepancies. Files: local/mailbox.c, virtual/mailbox.c.
|
|
is read-only but is faster than Berkeley DB and uses less memory. Use the
TinyCDB implementation which is in the public domain and a bit faster than
DJB's original CDB.
|
|
through PLIST_SUBST to the plist module.
|
|
install stage.
It should be fix some problem; running tls and find command's error
on start.
Bump PKGREVISION.
|
|
- TLS (SSL) support was streamlined further, and provides a new security level
based on certificate fingerprints instead of CA signatures. See TLS_README
for details.
- Milter support was updated from the Sendmail 8.13 feature set and now
includes most of the features that were introduced with Sendmail 8.14. See
MILTER_README for details.
- Stress-adaptive configuration was introduced. This allows the Postfix SMTP
server to temporarily adjust its rules under conditions of overload, such as
a malware attack or backscatter flood. See STRESS_README for details.
[pkgsrc: this obsoletes the "postfix-stress" option which provided the same
functionality via a distribution patch]
- The queue manager scheduler was refined. It now provides per-transport
scheduling controls and allows for adjustment of the sensitivity to mail
delivery (non-)errors. See SCHEDULER_README.
- Security was improved by introducing a Postfix-owned data_directory for
storage of randomness, caches and other non-queue data. This change avoids
future security loopholes due to untrusted data sitting in root-owned files
or in root-owned directories. Writes to legacy files in root-owned
directories are automatically redirected to files in the new data_directory.
No functionality has been removed, but it is a good idea to review the
RELEASE_NOTES file for the usual minor incompatibilities or limitations.
|
|
|
|
on packages that are affected by the switch from the openssl 0.9.7
branch to the 0.9.8 branch. ok jlam@
|
|
|
|
default (this doesn't actually depend on Dovecot for building, the code is
shipped with Postfix).
Set the default value for smtpd_sasl_type to "dovecot" unless cyrus SASL is
enabled, too. This ensures backwards compatibility for most cases.
Ok with martti, joerg.
|
|
(disabled by default). This functionality will be included in Postfix 2.5 but
has been proven very succesful on the mailing lists so Wietse provided a patch
for Postfix 2.3 and 2.4.
See http://www.postfix.org/STRESS_README.html#adapt for configuration details.
|
|
because it doesn't exist unless sasl is defined, causing building with
options dovecot-sasl and not sasl to fail.
|
|
I'll re-activate this later when the global license stuff is activated.
|
|
|
|
- A remote SMTP client TLS certificate with an unparsable canonical
name triggered a panic error in the Postfix SMTP server (attempt
to allocate zero-length memory) while sending a request to an
SMTPD policy server.
- On backup MX servers where the queue file system is mounted with
"atime" (file read/execute access time) updates disabled, the
flush daemon would trigger mail delivery attempts once every 1000
seconds, thus rendering the maximal_backoff_time setting useless
for backup MX service.
|
|
|
|
MILTER bugfix:
When a milter replied with ACCEPT at or before the first RCPT
command, the cleanup server would apply the non_smtpd_milters
setting as if the message was a local submission. Problem
reported by Jukka Salmi.
MILTER bugfix:
Problem with header updates after body updates. Reported by
Jose-Marcio Martins da Cruz.
MILTER robustness:
Assorted cleanups to harden error handling in the Postfix Milter
client.
SASL workaround for Postfix SMTP client:
Some non-Cyrus SASL SMTP servers require SASL login without
authzid (authoriZation ID), i.e. the client must send only the
authcid (authentiCation ID) + the authcid's password. This is
now the default Postfix SMTP client behavior.
Loopback TCP performance workaround:
Some systems exhibited poor SMTP and Milter performance with
loopback (127.0.0.1) connections. Problem reported by Mark
Martinec.
MILTER bugfix:
When a milter replied with ACCEPT at or before the first RCPT
command, the cleanup server would apply the non_smtpd_milters
setting as if the message was a local submission. Problem
reported by Jukka Salmi.
MILTER bugfix:
Problem with header updates after body updates. Reported by
Jose-Marcio Martins da Cruz.
MILTER robustness:
Assorted cleanups to harden error handling in the Postfix Milter
client.
SASL workaround for Postfix SMTP client:
Some non-Cyrus SASL SMTP servers require SASL login without
authzid (authoriZation ID), i.e. the client must send only the
|
|
|
|
20070425
Bugfix: don't falsely report "lost connection from
localhost[127.0.0.1]" when Postfix is being portscanned.
Files: smtpd/smtpd_peer.c, qmqpd/qmqpd_peer.c.
20070430
Robustness: recommend a "0" process limit for policy servers
to avoid "connection refused" problems when the smtpd
process limit exceeds the default process limit. File:
proto/SMTPD_POLICY_README.html.
20070501
Safety: when IPv6 (or IPv4) is turned off, don't treat an
IPv6 (or IPv4) connection from e.g. inetd as if it comes
from localhost[127.0.0.1]. Files: smtpd/smtpd_peer.c,
qmqpd/qmqpd_peer.c.
20070508
Bugfix: Content-Transfer-Encoding: attribute values are
case insensitive. File: src/cleanup/cleanup_message.c.
20070514
Bugfix: mailbox_transport(_maps) and fallback_transport(_maps)
were broken when used with the error(8) or discard(8)
transports. Cause: insufficient documentation. Files:
error/error.c, discard/discard.c.
20070520
Bugfix (problem introduced Postfix 2.3): when DSN support
was introduced it broke "agressive" recipient duplicate
elimination with "enable_original_recipient = no". File:
cleanup/cleanup_out_recipient.c.
20070529
Bugfix (introduced Postfix 2.3): the sendmail/postdrop
commands would hang when trying to submit a message larger
than the per-message size limit. File: postdrop/postdrop.c.
20070530
Sabotage the saboteur who insists on breaking Postfix by
adding gethostbyname() calls that cause maildir delivery
to fail when the machine name is not found in /etc/hosts,
or that cause Postfix processes to hang when the network
is down.
20070531
Portability: Victor helpfully pointed out that change
20070425 broke on non-IPv6 systems. Files: smtpd/smtpd_peer.c,
qmqpd/qmqpd_peer.c.
|
|
|
|
20070331
Bugfix (introduced Postfix 2.3): segfault with HOLD action
in access/header_checks/body_checks on 64-bit platforms.
File: cleanup/cleanup_api.c.
20070402
Portability (introduced 20070325): the fix for hardlinks
and symlinks in postfix-install forgot to work around shells
where "IFS=/ command" makes the IFS setting permanent. This
is allowed by some broken standard, and affects Solaris.
File: postfix-install.
Portability (introduced 20070212): the workaround for
non-existent library bugs with descriptors >= FD_SETSIZE
broke with "fcntl F_DUPFD: Invalid argument" on 64-bit
Solaris. Files: master/multi_server.c, *qmgr/qmgr_transport.c.
20070421
Cleanup: on (Linux) platforms that cripple signal handlers
with deadlock, "postfix stop" now forcefully stops all the
processes in the master's process group, not just the master
process alone. File: conf/postfix-script.
|
|
|
|
|
|
The footprint of new features with Postfix 2.4.0 is significantly
smaller than with earlier releases. And that is the whole point of
approaching completeness: fewer visible changes.
Below is a brief summary of what has changed. See the RELEASE_NOTES
file for more, including compatibility issues that may affect your
site. The HISTORY file gives a blow-by-blow account of what happened
over the past year.
Wietse
- Postfix can now manage thousands of connections without needing
special main.cf, master.cf, or compile-time tweaks, on systems with
BSD kqueue, Solaris /dev/poll, or Linux epoll support.
- Milter support for message body replacement. The resulting queue
files are backwards compatible with Postfix 2.3. The existing Milter
support for message header manipulations was revised and is now
implemented by much simpler code.
- Minor improvements in TLS session cache management and in the
implementation of certificate fingerprint based authentication. A
more extensive revision of TLS internals will appear first in Postfix
2.5 snapshots.
- Improvements in queue manager performance when deferring large
amounts of mail, or when delivering mail with lots of recipients.
- Workarounds for SMTP servers that reply and hang up prematurely,
for file system clocks that are out of sync, and for broken kernel
lock management in POP servers.
|
|
|
|
|
|
- postmap support for NIS maps was broken with Postfix 2.3.
- Workaround to avoid breaking digital signatures for malformed
MIME attachments.
- Incorrect handling of ![address] forms in match lists. such as
mynetworks, inet_interfaces etc.
|
|
- On Redhat Linux, a Postfix daemon could lock up while logging a
warning from a signal handler before exiting. This is remedied
by a low-cost re-entrancy guard for signal handlers that never
return.
- Message headers longer than 65535 broke the Milter protocol. To
make matters worse the cleanup server could then dereference a
null pointer. When Milter support is enabled, the length of each
message header is now limited to 60000.
- Several fixes to improve worst-case behavior of the (new) queue
manager with multi-recipient mail. The queue manager now reads
new recipients earlier from the queue file, instead of becoming
starved while waiting for the slowest in-memory recipients to
complete; and it now reads recipients in smaller chunks to avoid
spending too much time not talking to delivery agents.
- With remote SMTP server tarpit delays larger than the Postfix
SMTP client's smtp_rset_timeout (default: 20s), the client would
get out of sync with the server while reusing a connection. The
symptoms were "recipient rejected .. in reply to DATA".
- On FreeBSD 6.2, some Postfix daemon processes would complain once
with "Error 0" after "postfix reload" and then recover. This
warning is now logged only when the problem persists.
|
|
configuration variables look exactly like the ones produced by the
configure scripts.
Added POSTFIX_QUEUE_DIR to BUILD_DEFS to make it visible why VARBASE can
be configured.
|
|
Postfix 2.3 Patch 04 fixes minor problems as detailed in the change
history below. The patch as well as complete source code tarballs
were uploaded last week to the mirrors listed at http://www.postfix.org/
20060831
Bugfix (introduced with initial implementation): missing
"dict_errno = 0" caused mis-leading error messages after
non-error lookup failure. Victor Duchovni. File:
util/dict_cidr.c.
Robustness: the default TLS cipher lists were changed from
!foo:ALL into ALL:!foo. Victor Duchovni. Files:
global/mail_params.h and documentation.
20060902
Bugfix (introduced Postfix 2.3): the LMTP client stripped
"inet": from the next-hop destination, but still used the
complete next-hop from the delivery request. File:
smtp/smtp_connect.c.
20060903
Cleanup: record loop detection. File: global/record.c.
20060929
Workaround: AIX 5.[1-3] getaddrinfo() creates socket address
structures with a non-zero port value. This breaks the
smtp_bind_address etc. features, and breaks inet_interfaces
settings with only one IP address. Problem reported by
Hamish Marson. Files: util/sock_addr.[hc], util/myaddrinfo.c.
Bugfix (introduced with the Postfix TLS patch): memory leak
in verify_extract_peer(). The OpenSSL documentation provides
no information on how subjectAltNames are managed. Sam
Rushing, ironport. File: tls/tls_client.c.
Bugfix (introduced with Postfix 2.2): smtp_generic_maps
turned on MIME conversion. File: smtp/smtp_proto.c.
Workaround: don't send SIZE information in the MAIL FROM
command when message content will be subject to 8bit ->
quoted-printable conversion. File: smtp/smtp_proto.c.
20061002
Compatibility: Sendmail now invokes the Milter connect
action with the verified hostname instead of the name
obtained with PTR lookup. File: smtpd/smtpd.c.
20061004
Cleanup: force space between mailq queueid+status and file
size items. File: showq/showq.c.
20061015
Cleanup: convert the Milter {mail_addr} and {rcpt_addr}
macro values to external form. File: smtpd/smtpd_milter.c.
Cleanup: the Milter {mail_addr} and {rcpt_addr} macros are
now available with non-SMTP mail. File: cleanup/cleanup_milter.c.
Cleanup: convert addresses in Milter recipient add/delete
requests to internal form. File: cleanup/cleanup_milter.c.
Cleanup: with non-SMTP mail, convert addresses in simulated
MAIL FROM and RCPT TO events to external form. File:
cleanup/cleanup_milter.c.
20061017
Cleanup: removed spurious warning when the cleanup server
attempts to bounce mail with soft_bounce=yes. Problem
reported by Ralf Hildebrandt. File: cleanup/cleanup_bounce.c.
Bugfix: null pointer bug when receiving a non-protocol
response on a cached SMTP/LMTP connection. Report by Brian
Kantor. Fix by Victor Duchovni. File: smtp/smtp_reuse.c.
|
|
|
|
in post-extract.
I exchanges few mails with Wietse and he refused to fix the "==" lines and
instructed me to simply remove the offending file. Instead of having a patch
for a file which is not used by pkgsrc I think it makes sense to remove it.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
- File corruption while executing a Milter "header insert" action
with headers-only mail (found with dk-filter). Delivery agents
would go into an infinite loop because some queue file update
had been done in the wrong order. As a precaution, delivery
agents now detect such loops, and the queue manager now saves
such mail to the "corrupt" directory.
- Segmentation fault in the SMTP client while saving a cached
connection with unsent data. Postfix indexed some table with -1,
because some I/O cleanup had been done in the wrong order. The
same problem should exist in Postfix 2.2.
- Postfix no longer announces its name in delivery status notifications.
All other details of the default bounce text remain unchanged.
The reason for this change is that too many people believe that
Wietse provides a free helpdesk service that solves all their
email problems.
|
|
Bump PKGREVISION.
|
|
- Corrupted queue file after a request to modify a short message
header, when that header was the last one in the message.
- Panic after spurious Milter request when a client was rejected
with "smtpd_delay_reject = no".
- The Milter client is now more tolerant for redundant "data cleanup"
requests. This avoids panic() calls for harmless conditions.
|
|
Ok'ed martti@
|
