specifies the release date of a stable release or snapshot release.
If you upgrade from Postfix 2.11 or earlier, read RELEASE_NOTES-3.0
+before proceeding.
Major changes - address verification safety
-------------------------------------------
parameter. Originally, this was implemented to share the same SMTPD
policy service endpoint among multiple check_policy_service clients.
-Incompatible change with Postfix snapshot 20150721
-==================================================
-
Major changes - tls
-------------------
talk TLS and not plaintext. For details see the
smtp_tls_dane_insecure_mx_policy configuration parameter.
-[Incompat 20150719] The default Diffie-Hellman non-export prime was
-updated from 1024 to 2048 bits, because SMTP clients are starting
-to reject TLS handshakes with primes smaller than 2048 bits.
-
-Historically, this prime size is not negotiable, and each site needs
-to determine which prime size works best for the majority of its
-clients. See FORWARD_SECRECY_README for some hints in the quick-start
-section.
-
[Incompat 20150721] As of the middle of 2015, all supported Postfix
releases no longer enable "export" grade ciphers for opportunistic
TLS, and no longer use the deprecated SSLv2 and SSLv3 protocols for
services in master.cf. Execute the command "postfix reload" to make
the changes effective.
+[Incompat 20150719] The default Diffie-Hellman non-export prime was
+updated from 1024 to 2048 bits, because SMTP clients are starting
+to reject TLS handshakes with primes smaller than 2048 bits.
+
+Historically, this prime size is not negotiable, and each site needs
+to determine which prime size works best for the majority of its
+clients. See FORWARD_SECRECY_README for some hints in the quick-start
+section.
+
# and certificate). After the new certificate and key are
# deployed any obsolete keys and certificates may be removed
# by hand. The \fIkeyfile\fR and \fIcertfile\fR filenames
-# are relative to the Postfix configuration directory.
+# may be relative to the Postfix configuration directory.
# .IP "\fBoutput-server-csr\fR [\fB-k \fIkeyfile\fR] [\fIhostname\fB...\fR]"
# Write to stdout a certificate signing request (CSR) for the
# specified \fIkeyfile\fR.
# .sp
-# Instead of a filename, \fIkeyfile\fR may specify one of the
+# Instead of an absolute pathname or a pathname relative to
+# $config_directory, \fIkeyfile\fR may specify one of the
# supported key algorithm names (see "\fBpostconf -T
# public-key-algorithms\fR"). In that case, the corresponding
# setting from main.cf is used to locate the \fIkeyfile\fR.
# the specified \fIkeyfile\fR values. The default \fIhostname\fR
# is the value of the \fBmyhostname\fR main.cf parameter.
# .sp
-# Instead of filenames, the \fIkeyfile\fR list may specify
+# Instead of absolute pathnames or pathnames relative to
+# $config_directory, the \fIkeyfile\fR list may specify
# names of supported public key algorithms (see "\fBpostconf
# -T public-key-algorithms\fR"). In that case, the actual
# \fIkeyfile\fR list uses the values of the corresponding
to deploy the generated key and certificate). After the new
certificate and key are deployed any obsolete keys and certifi-
cates may be removed by hand. The <i>keyfile</i> and <i>certfile</i> file-
- names are relative to the Postfix configuration directory.
+ names may be relative to the Postfix configuration directory.
<b>output-server-csr</b> [<b>-k</b> <i>keyfile</i>] [<i>hostname</i><b>...</b>]
Write to stdout a certificate signing request (CSR) for the
specified <i>keyfile</i>.
- Instead of a filename, <i>keyfile</i> may specify one of the supported
- key algorithm names (see "<b>postconf -T public-key-algorithms</b>").
- In that case, the corresponding setting from <a href="postconf.5.html">main.cf</a> is used to
+ Instead of an absolute pathname or a pathname relative to $<a href="postconf.5.html#config_directory">con</a>-
+ <a href="postconf.5.html#config_directory">fig_directory</a>, <i>keyfile</i> may specify one of the supported key
+ algorithm names (see "<b>postconf -T public-key-algorithms</b>"). In
+ that case, the corresponding setting from <a href="postconf.5.html">main.cf</a> is used to
locate the <i>keyfile</i>. The default <i>keyfile</i> value is <b>rsa</b>.
- Zero or more <i>hostname</i> values can be specified. The default
+ Zero or more <i>hostname</i> values can be specified. The default
<i>hostname</i> is the value of <b><a href="postconf.5.html#myhostname">myhostname</a></b> <a href="postconf.5.html">main.cf</a> parameter.
<b>output-server-tlsa</b> [<b>-h</b> <i>hostname</i>] [<i>keyfile</i><b>...</b>]
- Write to stdout a DANE TLSA RRset suitable for a port 25 SMTP
+ Write to stdout a DANE TLSA RRset suitable for a port 25 SMTP
server on host <i>hostname</i> with keys from any of the specified <i>key-</i>
- <i>file</i> values. The default <i>hostname</i> is the value of the <b>myhost-</b>
+ <i>file</i> values. The default <i>hostname</i> is the value of the <b>myhost-</b>
<b>name</b> <a href="postconf.5.html">main.cf</a> parameter.
- Instead of filenames, the <i>keyfile</i> list may specify names of sup-
- ported public key algorithms (see "<b>postconf -T public-key-algo-</b>
- <b>rithms</b>"). In that case, the actual <i>keyfile</i> list uses the values
- of the corresponding Postfix server TLS key file parameters. If
- a parameter value is empty or equal to <b>none</b>, then no TLSA record
+ Instead of absolute pathnames or pathnames relative to $<a href="postconf.5.html#config_directory">con</a>-
+ <a href="postconf.5.html#config_directory">fig_directory</a>, the <i>keyfile</i> list may specify names of supported
+ public key algorithms (see "<b>postconf -T public-key-algorithms</b>").
+ In that case, the actual <i>keyfile</i> list uses the values of the
+ corresponding Postfix server TLS key file parameters. If a
+ parameter value is empty or equal to <b>none</b>, then no TLSA record
is output for that algorithm.
The default <i>keyfile</i> list consists of the two supported algo-
and certificate). After the new certificate and key are
deployed any obsolete keys and certificates may be removed
by hand. The \fIkeyfile\fR and \fIcertfile\fR filenames
-are relative to the Postfix configuration directory.
+may be relative to the Postfix configuration directory.
.IP "\fBoutput\-server\-csr\fR [\fB\-k \fIkeyfile\fR] [\fIhostname\fB...\fR]"
Write to stdout a certificate signing request (CSR) for the
specified \fIkeyfile\fR.
.sp
-Instead of a filename, \fIkeyfile\fR may specify one of the
+Instead of an absolute pathname or a pathname relative to
+$config_directory, \fIkeyfile\fR may specify one of the
supported key algorithm names (see "\fBpostconf \-T
public\-key\-algorithms\fR"). In that case, the corresponding
setting from main.cf is used to locate the \fIkeyfile\fR.
the specified \fIkeyfile\fR values. The default \fIhostname\fR
is the value of the \fBmyhostname\fR main.cf parameter.
.sp
-Instead of filenames, the \fIkeyfile\fR list may specify
+Instead of absolute pathnames or pathnames relative to
+$config_directory, the \fIkeyfile\fR list may specify
names of supported public key algorithms (see "\fBpostconf
\-T public\-key\-algorithms\fR"). In that case, the actual
\fIkeyfile\fR list uses the values of the corresponding
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20160221"
-#define MAIL_VERSION_NUMBER "3.1.0-RC1"
+#define MAIL_RELEASE_DATE "20160224"
+#define MAIL_VERSION_NUMBER "3.1.0"
#ifdef SNAPSHOT
#define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE
projects / thirdparty / postfix.git / commitdiff
