20021119
New address_verification_negative_cache = yes/no parameter
- controls whether Postfix stores the result of negatieve
+ controls whether Postfix stores the result of negative
address verification probes. This reduces cache pollution
but causes Postfix to send a probe for each address
verification service query. File: verify/verify.c.
rewrite broken user@ or user@. address forms into even more
broken forms. bother. File: trivial-rewrite/rewrite.c.
- Cleanup: the address resolver code now treates forms ending
+ Cleanup: the address resolver code now treats forms ending
in @ in a more rational manner (because the address rewriting
code no longer messes up by appending .my.domain).
libraries support just SPACE, others SPACE and ",". Postfix
now normalizes the host list into a space separated format.
This is less surprising to Postfix users used to the full
- range of delimeters in other contexts. Implemented by Liviu
+ range of delimiters in other contexts. Implemented by Liviu
Daia. File: util/dict_ldap.c
Bugfix: after returning too old mail, the bounce daemon
20040104
Workaround: MacOSX dumps core on the 20030913 TZ censoring
- code. We explictly set TZ=UTC, which will produce incorrect
+ code. We explicitly set TZ=UTC, which will produce incorrect
results when "mailq" formatting is moved from the showq
daemon to the postqueue command. File: msg_syslog.c.
Cleanup: removed the legacy "tls_info" structure, factored
out common code for peer_CN and issuer_CN lookup, and added
sanity check to not verify subject common names that contain
- nulls or that are execessively long. Patch by Victor Duchovni.
+ nulls or that are excessively long. Patch by Victor Duchovni.
Files: tls_client.c, tls_server.c, tls_session.c, tls_misc.c,
tls_verify.c.
Cleanup: the postscreen daemon now applies the permanent
whitelist first. It is a safety feature that prevents mail
- from being blocked. File: postscreeb/postscreen.c.
+ from being blocked. File: postscreen/postscreen.c.
20091224
This code was started in Postfix 2.1, but it was never
finished due to time constraints. Files: smtpd/smtpd.[hc]
smtpd/smtpd_proxy.c, smtpd/smtpd_sasl_proto.c,
- *qmgr/qmgr_messsage.c, *qmgr/qmgr_deliver.c,
+ *qmgr/qmgr_message.c, *qmgr/qmgr_deliver.c,
global/deliver_request.[hc], global/mail_proto.h,
global/deliver_pass.c, smtp/smtp_proto.c.
Cleaned up and finalized read/write deadline support. Once
this code has been fielded it can go into Postfix 2.8.1,
and made available as optional patch for earlier releases.
- Further refinements have only dimishing returns and can
+ Further refinements have only diminishing returns and can
evolve in the 2.9 release cycle. File: util/vstream.c.
20110128
Cleanup: when multiple DNSBLs block an SMTP client, the
postscreen "reject" message now gives credit to the DNSBL
with the largest weight, instead of the DNSBL that replies
- first. File: postscreen/postscreeb_dnsbl.c.
+ first. File: postscreen/postscreen_dnsbl.c.
Cleanup: memcache_table(5) manpage. File proto/memcache_table.
dict_sockmap.c, dict_regexp.c, dict_pcre.c, dict_lmdb.c,
dict_dbm.c, dict_cidr.c, dict_cdb.c.
- Cleanup: warning message after canonical/virtal/etc.
+ Cleanup: warning message after canonical/virtual/etc.
table lookup error. Files: cleanup/cleanup_addr.c,
cleanup/cleanup_map11.c, cleanup/cleanup_map1n.c,
cleanup/cleanup_masquerade.c, cleanup/cleanup_message.c,
posttls-finger/posttls-finger.c, tls/tls_misc.c, tls/tls_rsa.c.
Cleanup: DANE support: Reduce #ifdef clutter to improve
- redability and maintability. Viktor Dukhovni. File:
+ redability and maintainability. Viktor Dukhovni. File:
tls/tls_dane.c.
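Review bot: the replacement line still carries "redability"; only "maintability" was corrected, so this entry keeps a spelling error in a change whose purpose is spelling cleanup. Change it to "readability" on the same line.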
Future proofing: Tolerate disappearance of named bug-workaround
bits without invalidating user configurations. When support
for a bug workaround is removed from OpenSSL, the corresponding
- bit is defined as zero (i.e. NOOP) intstead of causing
+ bit is defined as zero (i.e. NOOP) instead of causing
programs to break. Viktor Dukhovni. File: tls/tls_misc.c.
20131217
libglobal or dynamicmaps maps. File: postdrop/postdrop.c.
Cleanup: moved dynamicmaps initialization from parameter
- inititialization (mail_conf_suck()) to dictionary initialization
+ initialization (mail_conf_suck()) to dictionary initialization
(mail_dict_init()). A benefit of this is that dynamicmaps.cf
is no longer read by programs that don't use Postfix lookup
tables. Files: global/mail_conf.[hc], global/mail_dict.c.
This implements the syntax of SMTP commands and DSN delivery
status notifications. It does not address the problem that
the same domain name may show up in different forms: an
- UTF8-encoded name with non-ASCII charaters, or an IDNA-encoded
+ UTF8-encoded name with non-ASCII characters, or an IDNA-encoded
(xn--mumble) name with ASCII-only characters. This means
that access policies, mydestination, virtual_*_domains and
relay_domans will have to understand both forms in order
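Review bot: "relay_domans" in the trailing context of this hunk is still misspelled. It sits next to mydestination and virtual_*_domains and should read relay_domains; a misspelled parameter name in HISTORY will not be found by anyone searching for it. Fix it together with the "charaters" correction.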
20141011
Cleanup: replaced cryptic macros X_SMTP() and SMTP_X() with
- more descripive names: LMTP_SMTP_SUFFIX() and VAR_LMTP_SMTP().
+ more descriptive names: LMTP_SMTP_SUFFIX() and VAR_LMTP_SMTP().
Files: smtp/smtp.c, smtp/smtp.h, smtp/smtp_chat.c,
smtp/smtp_connect.c, smtp/smtp_proto.c, smtp/smtp_sasl_glue.c,
smtp/smtp_sasl_proto.c, smtp/smtp_tls_policy.c.
Cleanup: apply printable() to all bounce(8) service
string-valued protocol fields. File: bounce/bounce.c.
- Apparenly the UCI 4.8 ucasemap_utf8FoldCase() function does
+ Apparently the UCI 4.8 ucasemap_utf8FoldCase() function does
not complain about UTF-8 syntax errors, so we add our own
redundant check. File: util/casefold.c.
configuration directory: the default configuration directory,
a directory that is listed in the default main.cf file with
alternate_config_directories or multi_instance_directories,
- or the command must be invoked with root priveleges. This
+ or the command must be invoked with root privileges. This
mitigates a problem with the PHP mail() function. Files:
global/mail_conf.[hc], sendmail/sendmail.c.
warning if it is not. By default, the probe has type "ns"
and domain name ".". The probe is sent once per process
lifetime. Files: dns/dns.h, dns/dns_lookup.c, dns/dns_sec.c,
- test_dns_lookup.c.
+ test_dns_lookup.c, global/mail_params.[hc], mantools/postlink..
+
+20201003
+
+ The makedefs script no longer disables DNSSEC when Postfix
+ is built with libc-musl. Instead Postfix will rely on the
+ new dnssec_probe feature, and will log a warning when Postfix
+ requests DNSSEC validation, but the infrastructure does not
+ validate DNSSEC signatures. File: makedefs.
+
+ Cleanup: some wordsmithing of warnings when DNSSEC validation
+ is unavailable. File: dns/dns_sec.c.
+
+ Clenaup: add missing warnings for libpostfix version
+ mismatches. This will help folks with build processes that
+ mistakenly run newly-built Postfix installation commands
+ with previously-installed libpostfix files. Files:
+ postcat/postcat.c, postconf/postconf.c, postkick/postkick.c,
+ postlock/postlock.c.
+
+ Documentation: hyperlink occurrences of the info_log_address_format
+ parameter name in daemon manpages.
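Review bot: the added 20201003 entry about libpostfix version mismatches starts with "Clenaup:", and the rewritten file list above it ends in "mantools/postlink.." with a doubled period. Both typos are introduced by this hunk's own added lines. Suggest "Cleanup:" and a single trailing period.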
the software under the license of their choice. Those who are more
comfortable with the IPL can continue with that license.
+Major changes with snapshot 20201003
+====================================
+
+The Postfix build system will no longer automatically disable DNSSEC
+support when it determines that Postfix will use libc-musl. Instead,
+Postfix will rely on the new dnssec_probe feature to determine at
+runtime if DNSSEC validation is available. DNSSEC support may be
+broken for reasons other than compatibility issues with the libc
+implementation.
+
Major changes with snapshot 20200930
====================================
-The dnssec_probe parameter specifies the DNS query type (default:
-"ns") and DNS query name (default: ".") that Postfix may use to
-determine whether DNSSEC validation is available. Specify an empty
-value to disable this feature.
+When a Postfix process requires DNSSEC support (typically, for
+Postfix DANE support), the process may do a one-time test to determine
+if DNSSEC validation is available. DNSSEC support may be broken
+because of local configuration, libc incompatibility, or network
+infrastructure issues.
Background: DNSSEC validation is needed for Postfix DANE support;
this ensures that Postfix receives TLSA records with secure TLS
server certificate info in TLSA records, and mail deliveries using
mandatory DANE will not be made at all.
+The dnssec_probe parameter specifies the DNS query type (default:
+"ns") and DNS query name (default: ".") that Postfix may use to
+determine whether DNSSEC validation is available. Specify an empty
+value to disable this feature.
+
By default, a Postfix process will send a DNSSEC probe after 1) the
process made a DNS query that requested DNSSEC validation, 2) the
process did not receive a DNSSEC validated response to this query
When the DNSSEC probe has no response, or when the response is not
DNSSEC validated, Postfix logs a warning that DNSSEC validation may
-be unavailable.
+be unavailable. Examples:
+
+warning: DNSSEC validation may be unavailable
+warning: reason: dnssec_probe 'ns:.' received a response that is not DNSSEC validated
+warning: reason: dnssec_probe 'ns:.' received no response: Server failure
Incompatible change with snapshot 20200920
==========================================
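Review bot: the three lines under "Examples:" read as one log excerpt, but the two "reason:" lines are alternatives: one for a response that is not DNSSEC validated, the other for no response at all. A single probe logs the headline warning plus one reason. Split them into two examples, or say that only one "reason:" line follows the headline. The same block is repeated in the HTML and man page hunks, which use "Example:" rather than "Examples:".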
Does tlsproxy terminate to soon after 'postfix reload'?
- touch all files that contain Binfo_log_address_format
- then re-generate manpages.
+ Understand what happens with DNSSEC related status fields
+ in posttls-finger when resolv.conf points to a host that
+ runs no DNS server.
The documented order of relay/recipient restrictions differs
from the implementation. This may need a new compatibility
Available in Postfix 3.5 and later:
- <b>info_log_address_format (external)</b>
+ <b><a href="postconf.5.html#info_log_address_format">info_log_address_format</a> (external)</b>
The email address form that will be used in non-debug logging
(info, warning, etc.).
<b><a href="postconf.5.html#dnssec_probe">dnssec_probe</a> (ns:.)</b>
The DNS query type (default: "ns") and DNS query name (default:
- ".") that Postfix may use to determine whether DNSSEC is avail-
- able.
+ ".") that Postfix may use to determine whether DNSSEC validation
+ is available.
<b>MIME PROCESSING CONTROLS</b>
Available in Postfix version 2.0 and later:
Available in Postfix 3.5 and later:
- <b>info_log_address_format (external)</b>
+ <b><a href="postconf.5.html#info_log_address_format">info_log_address_format</a> (external)</b>
The email address form that will be used in non-debug logging
(info, warning, etc.).
Available in Postfix 3.5 and later:
- <b>info_log_address_format (external)</b>
+ <b><a href="postconf.5.html#info_log_address_format">info_log_address_format</a> (external)</b>
The email address form that will be used in non-debug logging
(info, warning, etc.).
Available in Postfix 3.5 and later:
- <b>info_log_address_format (external)</b>
+ <b><a href="postconf.5.html#info_log_address_format">info_log_address_format</a> (external)</b>
The email address form that will be used in non-debug logging
(info, warning, etc.).
Available in Postfix 3.5 and later:
- <b>info_log_address_format (external)</b>
+ <b><a href="postconf.5.html#info_log_address_format">info_log_address_format</a> (external)</b>
The email address form that will be used in non-debug logging
(info, warning, etc.).
not DNSSEC validated, Postfix logs a warning that DNSSEC validation
may be unavailable. </p>
+<p> Example: </p>
+
+<pre>
+warning: DNSSEC validation may be unavailable
+warning: reason: <a href="postconf.5.html#dnssec_probe">dnssec_probe</a> 'ns:.' received a response that is not DNSSEC validated
+warning: reason: <a href="postconf.5.html#dnssec_probe">dnssec_probe</a> 'ns:.' received no response: Server failure
+</pre>
+
<p> Possible reasons why DNSSEC validation may be unavailable: </p>
<ul>
Available in Postfix 3.5 and later:
- <b>info_log_address_format (external)</b>
+ <b><a href="postconf.5.html#info_log_address_format">info_log_address_format</a> (external)</b>
The email address form that will be used in non-debug logging
(info, warning, etc.).
Available in Postfix 3.5 and later:
- <b>info_log_address_format (external)</b>
+ <b><a href="postconf.5.html#info_log_address_format">info_log_address_format</a> (external)</b>
The email address form that will be used in non-debug logging
(info, warning, etc.).
<b><a href="postconf.5.html#dnssec_probe">dnssec_probe</a> (ns:.)</b>
The DNS query type (default: "ns") and DNS query name (default:
- ".") that Postfix may use to determine whether DNSSEC is avail-
- able.
+ ".") that Postfix may use to determine whether DNSSEC validation
+ is available.
<b>MIME PROCESSING CONTROLS</b>
Available in Postfix version 2.0 and later:
Available in Postfix 3.5 and later:
- <b>info_log_address_format (external)</b>
+ <b><a href="postconf.5.html#info_log_address_format">info_log_address_format</a> (external)</b>
The email address form that will be used in non-debug logging
(info, warning, etc.).
Available in Postfix 3.5 and later:
- <b>info_log_address_format (external)</b>
+ <b><a href="postconf.5.html#info_log_address_format">info_log_address_format</a> (external)</b>
The email address form that will be used in non-debug logging
(info, warning, etc.).
*) echo usage: $0 [system release] 1>&2; exit 1;;
esac
-case "$SYSTEM" in
- Linux)
- case "`PATH=/bin:/usr/bin ldd /bin/sh`" in
- *-musl-*)
- case "$CCARGS" in
- *-DNO_DNSSEC*) ;;
- *) echo Warning: libc-musl breaks DANE/TLSA security. 1>&2
- echo This build will not support DANE/TLSA. 1>&2
- CCARGS="$CCARGS -DNO_DNSSEC";;
- esac;;
- esac;;
-esac
-
case "$SYSTEM.$RELEASE" in
SCO_SV.3.2) SYSTYPE=SCO5
# Use the native compiler by default
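Review bot: removing this block drops the only build-time signal on musl systems ("Warning: libc-musl breaks DANE/TLSA security"). What replaces it is a runtime warning that, per the RELEASE_NOTES text, is disabled by an empty dnssec_probe value. Consider keeping an informational message here without forcing -DNO_DNSSEC, or state in the dnssec_probe documentation that on such systems an empty value leaves nothing to warn that DNSSEC validation is missing.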
not DNSSEC validated, Postfix logs a warning that DNSSEC validation
may be unavailable.
.PP
+Example:
+.PP
+.nf
+.na
+.ft C
+warning: DNSSEC validation may be unavailable
+warning: reason: dnssec_probe 'ns:.' received a response that is not DNSSEC validated
+warning: reason: dnssec_probe 'ns:.' received no response: Server failure
+.fi
+.ad
+.ft R
+.PP
Possible reasons why DNSSEC validation may be unavailable:
.IP \(bu
The local /etc/resolv.conf file specifies a DNS resolver that
Available in Postfix 3.6 and later:
.IP "\fBdnssec_probe (ns:.)\fR"
The DNS query type (default: "ns") and DNS query name (default:
-".") that Postfix may use to determine whether DNSSEC is available.
+".") that Postfix may use to determine whether DNSSEC validation
+is available.
.SH "MIME PROCESSING CONTROLS"
.na
.nf
not DNSSEC validated, Postfix logs a warning that DNSSEC validation
may be unavailable. </p>
+<p> Example: </p>
+
+<pre>
+warning: DNSSEC validation may be unavailable
+warning: reason: dnssec_probe 'ns:.' received a response that is not DNSSEC validated
+warning: reason: dnssec_probe 'ns:.' received no response: Server failure
+</pre>
+
<p> Possible reasons why DNSSEC validation may be unavailable: </p>
<ul>
why = vstring_alloc(100);
dns_status = dns_lookup(qname, qtype, rflags, &rrlist, (char) 0, why);
+ if (!DNS_SEC_STATS_TEST(DNS_SEC_FLAG_AVAILABLE))
+ msg_warn("DNSSEC validation may be unavailable");
+ else if (msg_verbose)
+ msg_info(VAR_DNSSEC_PROBE
+ " '%s' received a response that is DNSSEC validated",
+ var_dnssec_probe);
switch (dns_status) {
default:
if (!DNS_SEC_STATS_TEST(DNS_SEC_FLAG_AVAILABLE))
- msg_warn(VAR_DNSSEC_PROBE
- " '%s' got a response that is not DNSSEC validated",
+ msg_warn("reason: " VAR_DNSSEC_PROBE
+ " '%s' received a response that is not DNSSEC validated",
var_dnssec_probe);
if (rrlist)
dns_rr_free(rrlist);
break;
- case DNS_POLICY:
- msg_warn(VAR_DNSSEC_PROBE
- " '%s' response was deleted by DNS reply filter",
- var_dnssec_probe);
- break;
case DNS_RETRY:
case DNS_FAIL:
- msg_warn(VAR_DNSSEC_PROBE " '%s' got no response: %s",
+ msg_warn("reason: " VAR_DNSSEC_PROBE " '%s' received no response: %s",
var_dnssec_probe, vstring_str(why));
break;
}
- if (!DNS_SEC_STATS_TEST(DNS_SEC_FLAG_AVAILABLE))
- msg_warn("DNSSEC support may be unavailable");
- else if (msg_verbose)
- msg_info(VAR_DNSSEC_PROBE
- " '%s' got a response that is DNSSEC validated",
- var_dnssec_probe);
myfree(saved_dnssec_probe);
vstring_free(why);
}
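Review bot: with "case DNS_POLICY:" deleted, a DNS_POLICY status now falls into "default:" and, when DNS_SEC_FLAG_AVAILABLE is not set, is logged as "received a response that is not DNSSEC validated", which misstates the cause. If the reply filter cannot apply to this probe, add a comment saying so; otherwise keep the case with a "reason: " prefixed message. Also, the "reason:" warning under DNS_RETRY/DNS_FAIL is unconditional while the headline warning is conditional on the flag, so the two stay paired only as long as a failed lookup never leaves the flag set.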
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20200930"
+#define MAIL_RELEASE_DATE "20201003"
#define MAIL_VERSION_NUMBER "3.6"
#ifdef SNAPSHOT
*/
msg_vstream_init(argv[0], VSTREAM_ERR);
+ /*
+ * Check the Postfix library version as soon as we enable logging.
+ */
+ MAIL_VERSION_CHECK;
+
/*
* Parse JCL.
*/
*/
msg_vstream_init(argv[0], VSTREAM_ERR);
+ /*
+ * Check the Postfix library version as soon as we enable logging.
+ */
+ MAIL_VERSION_CHECK;
+
/*
* Parse JCL.
*/
msg_vstream_init(argv[0], VSTREAM_ERR);
set_mail_conf_str(VAR_PROCNAME, var_procname = mystrdup(argv[0]));
+ /*
+ * Check the Postfix library version as soon as we enable logging.
+ */
+ MAIL_VERSION_CHECK;
+
/*
* Parse JCL.
*/
msg_vstream_init(argv[0], VSTREAM_ERR);
msg_cleanup(fatal_exit);
+ /*
+ * Check the Postfix library version as soon as we enable logging.
+ */
+ MAIL_VERSION_CHECK;
+
/*
* Parse JCL.
*/
/* Available in Postfix 3.6 and later:
/* .IP "\fBdnssec_probe (ns:.)\fR"
/* The DNS query type (default: "ns") and DNS query name (default:
-/* ".") that Postfix may use to determine whether DNSSEC is available.
+/* ".") that Postfix may use to determine whether DNSSEC validation
+/* is available.
/* MIME PROCESSING CONTROLS
/* .ad
/* .fi