src/dns/ DNS client library
src/global/ Postfix-specific support routines
+ src/milter/ Postfix Milter (mail filter) client
+ src/tls/ TLS client and server support
src/util/ General-purpose support routines
+ src/xsasl/ SASL plug-in API
Command-line utilities:
src/postlock/ Postfix locking for shell scripts
src/postlog/ Postfix logging for shell scripts
src/postmap/ Postfix lookup table management
+ src/postmulti/ Postfix multi-instance manager
src/postqueue/ Postfix queue control program
src/postsuper/ Postfix house keeping program
src/sendmail/ Sendmail compatibility interface
src/bounce/ Bounce or defer mail
src/cleanup/ Canonicalize and enqueue mail
src/discard/ Trivial discard mailer
+ src/dnsblog/ DNS agent for postscreen
src/error/ Trivial error mailer
+ src/flush/ Support for ETRN, sendmail -qI, sendmail -qR
src/local/ Local delivery
src/master/ Postfix resident superserver
src/oqmgr/ Old queue manager
src/pickup/ Local pickup
src/pipe/ Pipe delivery
+ src/postscreen/ Zombie blocker
+ src/proxymap/ Table lookup proxy agent
src/qmgr/ Queue manager
src/qmqpd/ QMQPD server
+ src/scache/ Postfix SMTP session cache
src/showq/ List Postfix queue status
src/smtp/ SMTP and LMTP client
src/smtpd/ SMTP server
src/spawn/ Run non-Postfix server
src/tlsmgr/ TLS session keys and random pool
+ src/tlsproxy/ TLS proxy for postscreen
src/trivial-rewrite/ Address rewriting and resolving
src/verify/ address verification service
src/virtual/ virtual mailbox-only delivery agent
# Note: avoid hash files here. Use btree instead.
address_verify_map = btree:$data_directory/verify_cache
+ # Shared persistent cache (requires Postfix 2.9 or later).
+ address_verify_map = proxy:btree:$data_directory/verify_cache
+ # Disable automatic cache cleanup in all Postfix instances except
+ # for one instance that will be responsible for cache cleanup.
+ # address_verify_cache_cleanup_interval = 0
+
+ # Shared memory cache (requires Postfix 2.9 or later).
+ # See memcache_table(5) for details.
+ address_verify_map = memcache:/etc/postfix/verify-memcache.cf
+
# Default setting for Postfix 2.6 and earlier.
# This uses non-persistent storage only.
address_verify_map =
appear on the permanent access list.
NOTE: To share a postscreen(8) cache between multiple postscreen(8)
- instances, use "postscreen_cache_map = proxy:btree:/path/to/file". This
- requires Postfix 2.9 or later; earlier proxymap(8) implementations don't
- support cache cleanup. For an alternative approach see the memcache_table
- (5) manpage.
+ instances, use "postscreen_cache_map = proxy:btree:$data_directory/
+ postscreen_cache", and disable cache cleanup
+ (postscreen_cache_cleanup_interval = 0) in all postscreen(8) instances
+ except one that is responsible for cache cleanup.
+
+ postscreen(8) cache sharing requires Postfix 2.9 or later; earlier proxymap
+ (8) implementations don't support cache cleanup.
+
+ For an alternative postscreen(8) cache sharing approach see the
+ memcache_table(5) manpage.
When the SMTP client address appears on the temporary whitelist, postscreen(8)
logs this with the client address and port number as:
-The stable Postfix release is called postfix-2.8.x where 2=major
-release number, 8=minor release number, x=patchlevel. The stable
+The stable Postfix release is called postfix-2.9.x where 2=major
+release number, 9=minor release number, x=patchlevel. The stable
release never changes except for patches that address bugs or
emergencies. Patches change the patchlevel and the release date.
New features are developed in snapshot releases. These are called
-postfix-2.9-yyyymmdd where yyyymmdd is the release date (yyyy=year,
+postfix-2.10-yyyymmdd where yyyymmdd is the release date (yyyy=year,
mm=month, dd=day). Patches are never issued for snapshot releases;
instead, a new snapshot is released.
If you upgrade from Postfix 2.7 or earlier, read RELEASE_NOTES-2.8
before proceeding.
-Incompatible changes with snapshot 20120114
-===========================================
-
-Instead of terminating immediately with a "fatal" message when a
-database file can't be opened, a Postfix daemon program now logs
-an "error" message, and continues execution with reduced functionality.
-
-Specify "daemon_table_open_error_is_fatal = yes" to get the
-historical behavior (immediate termination with "fatal" message).
-
-Logfile-based alerting systems may need to be updated to look for
-"error" messages in addition to "fatal" messages.
-
-By default the Postfix SMTP server no longer reports transcripts
-of sessions where a client command is rejected because a table is
-unavailable. To receive such reports, add the new "data" class to
-the notify_classes parameter value. The reports will be sent to the
-error_notice_recipient address as before. This class is also used
-by the Postfix SMTP client to report about sessions that fail because
-a table is unavailable
-
-Major changes with snapshot 20120114
-====================================
-
-Gradual degradation after database file open error. Instead of
-terminating immediately with a "fatal" message, a Postfix daemon
-program logs an "error" message, and continues execution with reduced
-functionality.
-
-Features that don't depend on the unavailable table will keep
-working; features that depend on the table will fail, and will be
-logged with a "warning" message. For the sake of sanity, the number
-of "error"s over the life of a process is limited to 13.
-
-Specify "daemon_table_open_error_is_fatal = yes" to get the
-historical behavior (immediate termination with "fatal" message).
-
-When the notify_classes parameter contains the new "data" class,
-the Postfix SMTP client and server will report transcripts of
-sessions with errors because a table is unavailable.
-
-Major changes with snapshot 20120108
-====================================
-
-The LDAP, *SQL and memcache clients now "catch" table lookup errors
-in the "domain" feature, instead of terminating with a fatal error.
-
-Major changes with snapshot 20120102
-====================================
-
-Degrade gradually when some or all network protocols specified
-with inet_protocols are unavailable, instead of terminating with a
-fatal error. This eliminates build errors on non-standard systems
-where opening an IPv4 socket results in an error, and on non-standard
-systems where opening an IPv6 socket results in an error. In the
-worst case, the master daemon will log a message that it disables
-all type "inet" services. This will still allow local submission
-and local delivery.
-
-Major changes with snapshot 20111222
-====================================
-
-The Postfix SMTP server now "catches" errors with database lookups
-in mynetworks, TLS client certificate tables, debug_peer_list,
+Major changes - critical
+------------------------
+
+[Incompat 20110321] You need to "postfix reload" after upgrade from
+snapshot 20110320 or earlier. The hash_queue_names algorithm was
+changed to provide better performance with long queue IDs.
+
+[Incompat 20110313] Use "postfix reload" after "make upgrade" on a
+running Postfix system. This is needed because the protocol between
+postscreen(8) and dnsblog(8) has changed.
+
+Major changes - library API
+---------------------------
+
+[Incompat 20110130] The VSTREAM error flags are now split into
+separate read and write error flags. As a result of this change,
+all programs that use Postfix VSTREAMs MUST be recompiled.
+
+Major changes - compatibility
+-----------------------------
+
+[Incompat 20111012] For consistency with the SMTP standard, the
+(client-side) smtp_line_length_limit default value was increased
+from 990 characters to 999 (i.e. 1000 characters including <CR><LF>).
+Specify "smtp_line_length_limit = 990" to restore historical Postfix
+behavior.
+
+[Incompat 20111012] To simplify integration with third-party
+applications, the Postfix sendmail command now always transforms
+all input lines ending in <CR><LF> into UNIX format (lines ending
+in <LF>). Specify "sendmail_fix_line_endings = strict" to restore
+historical Postfix behavior (i.e. convert all input lines ending
+in <CR><LF> only if the first line ends in <CR><LF>).
+
+[Incompat 20111106] To work around broken remote SMTP servers, the
+Postfix SMTP client by default no longer appends the "AUTH=<>"
+option to the MAIL FROM command. Specify "smtp_send_dummy_mail_auth
+= yes" to restore the old behavior.
+
+Major changes - gradual degradation
+-----------------------------------
+
+[Incompat 20120114] Logfile-based alerting systems may need to be
+updated to look for "error" messages in addition to "fatal" messages.
+Specify "daemon_table_open_error_is_fatal = yes" to get the historical
+behavior (immediate termination with "fatal" message).
+
+[Feature 20120114] Instead of terminating immediately with a "fatal"
+message when a database file can't be opened, a Postfix daemon
+program now logs an "error" message, and continues execution with
+reduced functionality. For the sake of sanity, the number of
+"errors" over the life of a process is limited to 13.
+
+Features that don't depend on the unavailable table will continue
+to work; attempts to use features that depend on the table will
+fail, and will be logged with a "warning" message.
+
+[Feature 20120108] Instead of terminating with a fatal error, the
+LDAP, *SQL and memcache clients now handle table lookup errors in
+the "domain" feature, instead of terminating with a fatal error.
+
+[Feature 20120102] Degrade gradually when some or all network
+protocols specified with inet_protocols are unavailable, instead
+of terminating with a fatal error. This eliminates build errors on
+non-standard systems where opening an IPv4 socket results in an
+error, and on non-standard systems where opening an IPv6 socket
+results in an error. In the worst case, the master daemon will log
+a message that it disables all type "inet" services. This will still
+allow local submission and local delivery.
+
+[Feature 20111222] Instead of terminating with a fatal error, the
+Postfix SMTP server now handles errors with database lookups in
+mynetworks, TLS client certificate tables, debug_peer_list,
smtpd_client_event_limit_exceptions, permit_mx_backup_networks and
-local_header_rewrite_clients, and reports "server configuration
-error" or "table lookup error" instead of terminating with a fatal
-error.
+local_header_rewrite_clients, and reports "server local data error"
+or "temporary lookup error".
+
+[Feature 20111229] Instead of terminating with a fatal error, the
+trivial-rewrite server now handles errors with database lookups in
+virtual_alias_domains, relay_domains, virtual_mailbox_domains. This
+means fewer occasions where trivial-rewrite clients (such as the
+SMTP server) will appear to hang.
+
+Major changes - long queue IDs
+------------------------------
+
+Postfix 2.9 introduces support for non-repeating queue IDs (also
+used as queue file names). These names are encoded in a mix of upper
+case, lower case and decimal digit characters. Long queue IDs are
+disabled by default to avoid breaking tools that parse logfiles and
+that expect queue IDs with the smaller [A-F0-9] character set.
+
+[Incompat 20110320] If you enable support for long queue file names,
+you need to be aware that these file names are not compatible with
+Postfix <= 2.8. If you must migrate back to Postfix <= 2.8, you
+must first convert all long queue file names into short names,
+otherwise the old Postfix version will complain.
-Major changes with snapshot 20111229
-====================================
-
-The trivial-rewrite server now "catches" errors with database lookups
-in virtual_alias_domains, relay_domains, virtual_mailbox_domains,
-instead of terminating with a fatal error. This means fewer occasions
-where trivial-rewrite clients (such as the SMTP server) will appear
-to hang.
-
-Incompatible changes with snapshot 20111218
-===========================================
+The conversion procedure before migration to Postfix <= 2.8 is:
-To support external SASL authentication, the Postfix SMTP server
-now always checks the smtpd_sender_login_maps table, even without
-having "smtpd_sasl_auth_enable = yes" in main.cf.
+ # postfix stop
+ # postconf enable_long_queue_ids=no
+ # postsuper
-Major changes with snapshot 20111218
-====================================
+Run the postsuper command repeatedly until it no longer reports
+queue file name changes.
-Support for external SASL authentication via the XCLIENT command.
-This is used to accept SASL authentication from an SMTP proxy such
-as NGINX. This support works even without having to specify
-"smtpd_sasl_auth_enable = yes" in main.cf.
+[Feature 20110320] Support for long, non-repeating, queue IDs (queue
+file names). The benefit of non-repeating names is simpler logfile
+analysis, and easier queue migration (if you don't merge different
+queues, there is no need to run "postsuper" to change queue file
+names that don't match their message file inode number).
-Major changes with snapshot 20111213
-====================================
+Specify "enable_long_queue_ids = yes" to enable the feature. This
+does not change the names of existing queue files. See postconf(5)
+or postconf.5.html#enable_long_queue_ids for a detailed description
+of the differences with the old short queue IDs.
-Support for a persistent backup database in the memcache client.
-The memcache client updates the memcache whenever it looks up or
-modifies information in the persistent database.
+This changes new Postfix queue IDs from the short form 0FCEE9247A9
+into the longer form 3Ps0FS1Zhtz1PFjb, and changes new Message-ID
+header values from YYMMDDHHMMSS.queueid@myhostname into the shorter
+form queueid@myhostname.
-Support for proxymap-over-tcp (proxy:maptype:mapname@host:port) is
-under development.
+Major changes - memcache
+------------------------
-Elimination of dependencies on the libmemcache library. Postfix
-memcache support is now compiled in by default.
+[Feature 20111209] memcache lookup and update support. This provides
+a way to share postscreen(8) or verify(8) caches between Postfix
+instances. See MEMCACHE_README and memcache_table(5) for details
+and limitations.
-Major changes with snapshot 20111209
-====================================
+[Feature 20111213] Support for a persistent backup database in the
+memcache client. The memcache client updates the memcache whenever
+it looks up or modifies information in the persistent database.
-memcache lookup and update support. This provides a way to share
-postscreen(8) or verify(8) caches between Postfix instances. The
-Postfix memcache client can't be used for security-sensitive
-information, and it supports only libmemcache version 1.4.0. See
-MEMCACHE_README and memcache_table(5) for details and limitations.
+Major changes - postconf
+------------------------
-Incompatible changes with snapshot 20111205
-===========================================
+The postconf command was restructured - it now warns about unused
+parameter name=value settings in main.cf or master.cf (likely to
+be mistakes), it now understands "dynamic" parameter names such as
+parameters whose name depends on the name of a master.cf entry, and
+it can display main.cf and master.cf in a more user-friendly format.
-Postfix now logs the result of succesful TLS negotiation with TLS
-logging levels of 0. See the smtp_tls_loglevel and smtpd_tls_loglevel
-descriptions in the postconf(5) manpage for other minor differences.
+[Feature 20120117] support for legacy database parameter names
+(main.cf parameter names that are generated by prepending a suffix
+to the database name).
-Major changes with snapshot 20111205
-====================================
+[Feature 20111118] The "postconf -M" (display master.cf) command
+now supports filtering. For example, specify "postconf -M inet"
+to display only services that listen on the network.
-Support for TLS public key fingerprint matching in the Postfix SMTP
-client (in smtp_tls_policy_maps) and server (in check_ccert access
-maps). Public key fingerprints are inherently more specific than
-fingerprints over the entire certificate.
+[Feature 20111113] postconf support to warn about unused "name=value"
+entries in main.cf, and about unused "-o name=value" entries in
+master.cf. This should help to eliminate common errors with mis-typed
+names.
-Revision of Postfix TLS logging. The main difference is that Postfix
-now logs the result of succesful TLS negotiation with TLS logging
-levels of 0. See the smtp_tls_loglevel and smtpd_tls_loglevel
-descriptions in the postconf(5) manpage for other minor differences.
+[Feature 20111108] postconf support for parameter names that are
+generated automatically from master.cf entries (delivery agents,
+spawn services), and for parameter names that are defined with
+main.cf smtpd_restriction_classes.
-Major changes with snapshot 20111203
-====================================
+[Feature 20111106] "postconf -M" support to print master.cf entries,
+and "postconf -f" support to fold long main.cf or master.cf lines
+for human readability.
-Support for time-dependent sender addresses of address verification
-probes. The default address, double-bounce, may end up on spammer
-blacklists. Although Postfix discards mail for this address, such
-mail still uses up network bandwidth and server resources. Specify
-an address_verify_sender_ttl value of several hours or more to
-frustrate address harvesting.
+Major changes - trickle defense
+-------------------------------
-Major changes with snapshot 20111120
-====================================
+[Feature 20110212] Support for per-record deadlines. These change
+the behavior of Postfix timeout parameters, from a time limit per
+read or write system call, to a time limit to send or receive a
+complete record (an SMTP command line, SMTP response line, SMTP
+message content line, or TLS protocol message). This limits the
+impact from hostile peers that trickle data one byte at a time.
-Eliminated the postconf limitation documented on 20111113 as "lack
-of support for per-service parameter name spaces in master.cf,
-meaning that "-o user-defined-name=value" always results in an
-"unused parameter" warning". This brings the total cost of the
-postconf upgrade to some 55 person-hours, 600 lines of code, and
-300 lines of comments or documentation.
+The new configuration parameters and their default settings are:
+smtpd_per_record_deadline (normal: no, overload: yes),
+smtp_per_record_deadline (no), and lmtp_per_record_deadline (no).
-Major changes with snapshot 20111118
-====================================
+Note: when per-record deadlines are enabled, a short time limit may
+cause problems with TLS over very slow network connections. The
+reason is that a TLS protocol message can be up to 16 kbytes long
+(with TLSv1), and that an entire TLS protocol message must be sent
+or received within the per-record deadline.
-The "postconf -M" (display master.cf) command now supports filtering.
-For example, specify "postconf -M inet" to display only services
-that listen on the network.
+Per-record deadlines were introduced with postscreen(8) in Postfix
+2.8. This program does not receive mail, and therefore it has no
+problems with TLS over slow connections.
-Incompatible changes with snapshot 20111113
-===========================================
+Major changes - postscreen
+--------------------------
-The postconf command now logs warnings about unused "name=value"
-entries in main.cf, and about unused "-o name=value" entries in
-master.cf. Such entries are the result of feature creep in Postfix,
-and of mis-typed names. Once the configurations are cleaned up,
-Postfix configuration changes will be more robust.
+[Feature 20111211] The proxymap(8) server can now be used to share
+postscreen(8) or verify(8) caches between Postfix instances. Support
+for proxymap-over-TCP, to share a Postfix database between hosts,
+is expected to be completed in the Postfix 2.10 development cycle.
-Major changes with snapshot 20111113
-====================================
+[Feature 20111209] memcache lookup and update support. This provides
+a way to share postscreen(8) or verify(8) caches between Postfix
+instances.
-postconf support to warn about unused "name=value" entries in
-main.cf, and about unused "-o name=value" entries in master.cf.
-This should help to eliminate common errors with mis-typed names.
+[Feature 20110228] postscreen(8) support to force remote SMTP clients
+to implement proper MX lookup policy. By listening on both primary
+and backup MX addresses, postscreen(8) can deny the temporary
+whitelist status to clients that connect only to backup MX hosts,
+and prevent them from talking to a Postfix SMTP server process.
-The only known limitation is lack of support for per-service parameter
-name spaces in master.cf, meaning that "-o user-defined-name=value"
-always results in an "unused parameter" warning.
+Example: when 1.2.3.4 is a local backup IP address, specify
+"postscreen_whitelist_interfaces = !1.2.3.4 static:all".
-This completes an effort that expanded postconf.c by 553 lines of
-code that were designed, written, tested and documented (in 250
-lines) at the cost of 35 person-hours, spread out over 7 days.
+Major changes - tls
+-------------------
-Major changes with snapshot 20111108
-====================================
+[Incompat 20111205] Postfix now logs the result of successful TLS
+negotiation with TLS logging levels of 0. See the smtp_tls_loglevel
+and smtpd_tls_loglevel descriptions in the postconf(5) manpage for
+other minor differences.
-postconf support for parameter names that are generated automatically
-from master.cf entries (delivery agents, spawn services), and for
-parameter names that are defined with main.cf smtpd_restriction_classes.
-This increases the postconf output size with 70 lines or more.
+[Feature 20111205] Support for TLS public key fingerprint matching
+in the Postfix SMTP client (in smtp_tls_policy_maps) and server (in
+check_ccert access maps). Public key fingerprints are inherently
+more specific than fingerprints over the entire certificate.
-Major changes with snapshot 20111106
-====================================
+[Feature 20111205] Revision of Postfix TLS logging. The main
+difference is that Postfix now logs the result of successful TLS
+negotiation with TLS logging levels of 0. See the smtp_tls_loglevel
+and smtpd_tls_loglevel descriptions in the postconf(5) manpage for
+other minor differences.
-"postconf -M" support to print master.cf entries, and "postconf -f"
-support to fold long main.cf or master.cf lines for human readability.
+Major changes - sasl authentication
+-----------------------------------
-Incompatible changes with snapshot 20111106
-===========================================
+[Incompat 20111218] To support external SASL authentication, e.g.,
+in an NGINX proxy daemon, the Postfix SMTP server now always checks
+the smtpd_sender_login_maps table, even without having
+"smtpd_sasl_auth_enable = yes" in main.cf.
-To work around broken remote SMTP servers, the Postfix SMTP client
-by default no longer appends the "AUTH=<>" option to the MAIL FROM
-command. Specify "smtp_send_dummy_mail_auth = yes" to restore the
-old behavior.
+[Feature 20111218] Support for external SASL authentication via the
+XCLIENT command. This is used to accept SASL authentication from
+an SMTP proxy such as NGINX. This support works even without having
+to specify "smtpd_sasl_auth_enable = yes" in main.cf.
-Incompatible changes with snapshot 20111012
-===========================================
+[Incompat 20111106] To work around broken remote SMTP servers, the
+Postfix SMTP client by default no longer appends the "AUTH=<>"
+option to the MAIL FROM command. Specify "smtp_send_dummy_mail_auth
+= yes" to restore the old behavior.
-For consistency with the SMTP standard, the smtp_line_length_limit
-default value was increased from 990 characters to 998 (i.e. 1000
-characters including <CR><LF>). Specify "smtp_line_length_limit =
-990" to restore historical Postfix behavior.
+Major changes - large file support
+----------------------------------
-To simplify integration with third-party applications, the Postfix
-sendmail command now always transforms all input lines ending in
-<CR><LF> into UNIX format (lines ending in <LF>). Specify
-"sendmail_fix_line_endings = strict" to restore historical Postfix
-behavior (i.e. convert all input lines ending in <CR><LF> only if
-the first line ends in <CR><LF>).
+[Feature 20110219] Postfix now uses long integers for message_size_limit,
+mailbox_size_limit and virtual_mailbox_limit. On LP64 systems (64-bit
+long and pointer, but 32-bit integer), these limits can now exceed
+2GB.
-Incompatible changes with snapshot 20110918
-===========================================
+Major changes - ipv6
+--------------------
-The following changes were made in default settings, in preparation
-for general availability of IPv6:
+[Incompat 20110918] The following changes were made in default
+settings, in preparation for general availability of IPv6:
- The default inet_protocols value is now "all" instead of "ipv4",
- meaning use both IPv4 and IPv6. As a compatibility workaround
- for sites without global IPv6 connectivity, the commands "make
- upgrade" and "postfix upgrade-configuration" append "inet_protocols
- = ipv4" to main.cf when no explicit inet_protocols setting is
- present. This workaround will be removed in a future release.
+ meaning use both IPv4 and IPv6.
+
+ To avoid an unexpected loss of performance for sites without
+ global IPv6 connectivity, the commands "make upgrade" and "postfix
+ upgrade-configuration" now append "inet_protocols = ipv4" to
+ main.cf when no explicit inet_protocols setting is already present.
+ This workaround will be removed in a future release.
- The default smtp_address_preference value is now "any" instead
of "ipv6", meaning choose randomly between IPv6 and IPv4. With
this the Postfix SMTP client will have more success delivering
mail to sites that have problematic IPv6 configurations.
-Incompatible changes with snapshot 20110321
-===========================================
-
-You need to "postfix reload" after upgrade from snapshot 20110320.
-The hash_queue_names algorithm was changed for better performance
-with long queue IDs.
-
-Incompatible changes with snapshot 20110320
-===========================================
-
-If you enable support for long queue file names, you need to be
-aware that these file names are not compatible with Postfix <= 2.8.
-If you must migrate to Postfix <= 2.8, you must first convert all
-long queue file names into short names, otherwise the old Postfix
-version will complain.
-
-The conversion procedure before migration to Postfix <= 2.8 is:
-
- # postfix stop
- # postconf enable_long_queue_ids=no
- # postsuper
-
-Run the postsuper command repeatedly until it no longer reports
-queue file name changes.
-
-Major changes with snapshot 20110320
-====================================
-
-Support for long, non-repeating, queue IDs (queue file names). The
-benefit of non-repeating names is simpler logfile analysis, and
-easier queue migration (there is no need to run "postsuper" to
-change queue file names that don't match their message file inode
-number).
-
-Specify "enable_long_queue_ids = yes" to enable the feature. This
-does not change the names of existing queue files. See postconf(5)
-or postconf.5.html#enable_long_queue_ids for a detailed description
-of the differences with the old short queue IDs.
-
-This changes new Postfix queue IDs from the short form 0FCEE9247A9
-into the longer form 3Ps0FS1Zhtz1PFjb, and changes new Message-ID
-header values from YYMMDDHHMMSS.queueid@myhostname into the shorter
-form queueid@myhostname.
-
-See the note on "Incompatible changes" for a backwards migration
-procedure to convert long queue file names into a form that is
-compatible with Postfix <= 2.8.
-
-Incompatible changes with snapshot 20110313
-===========================================
-
-Use "postfix reload" after "make upgrade" on a running Postfix
-system. This is needed because the protocol between postscreen(8)
-and dnsblog(8) has changed.
-
-Major changes with snapshot 20110228
-====================================
-
-postscreen(8) support to force remote SMTP clients to implement
-proper MX lookup policy. By listening on both primary and backup
-MX addresses, postscreen(8) can deny the temporary whitelist status
-to clients that connect only to backup MX hosts, and prevent them
-from talking to a Postfix SMTP server process.
-
-Example: when 1.2.3.4 is a local backup IP address, specify
-"postscreen_whitelist_interfaces = !1.2.3.4 static:all".
-
-Incompatible changes with snapshot 20110219
-===========================================
-
-The Postfix SMTP and QMQP servers now log "hostname X does not
-resolve to address Y", when a "reverse hostname" lookup result does
-not resolve to the client IP address. Until now these servers logged
-"Y: hostname X verification failed" or "Y: address not listed for
-hostname X" depending on the details of the error.
-
-Major changes with snapshot 20110219
-====================================
-
-Postfix now uses long integers for message_size_limit, mailbox_size_limit
-and virtual_mailbox_limit. On LP64 systems (64-bit long and pointer,
-but 32-bit integer), these limits can now exceed 2GB.
-
-Major changes with snapshot 20110212
-====================================
-
-Support for per-record deadlines. These change the behavior of
-Postfix timeout parameters, from a time limit per read or write
-system call, to a time limit to send or receive a complete record
-(an SMTP command line, SMTP response line, SMTP message content
-line, or TLS protocol message). This limits the impact from hostile
-peers that trickle data one byte at a time.
-
-The new configuration parameters and their default settings are:
-smtpd_per_record_deadline (normal: no, overload: yes),
-smtp_per_record_deadline (no), and lmtp_per_record_deadline (no).
-
-Note: when per-record deadlines are enabled, a short timeout may
-cause problems with TLS over very slow network connections. The
-reasons are that a TLS protocol message can be up to 16 kbytes long
-(with TLSv1), and that an entire TLS protocol message must be sent
-or received within the per-record deadline.
-
-Per-record deadlines were introduced with postscreen(8). This program
-does not receive mail, and therefore has no problems with TLS over
-slow connections.
-
-Incompatible changes with snapshot 20110130
-===========================================
-
-The VSTREAM error flags are now split into separate read and write
-error flags. As a result of this change, all programs that use
-VSTREAMs MUST be recompiled.
+Major changes - address verification
+------------------------------------
+
+[Feature 20111211] The proxymap(8) server can now be used to share
+postscreen(8) or verify(8) caches between Postfix instances. Support
+for proxymap-over-TCP, to share a Postfix database between hosts,
+is expected to be completed in the Postfix 2.10 development cycle.
+
+[Feature 20111209] memcache lookup and update support. This provides
+a way to share postscreen(8) or verify(8) caches between Postfix
+instances.
+
+[Feature 20111203] Support for time-dependent sender addresses
+of address verification probes. The default address, double-bounce,
+may end up on spammer blacklists. Although Postfix discards mail
+for this address, such mail still uses up network bandwidth and
+server resources. Specify an address_verify_sender_ttl value of
+several hours or more to frustrate address harvesting.
+
+Major changes - session transcript notification
+-----------------------------------------------
+
+[Incompat 20120114] By default the Postfix SMTP server no longer
+reports transcripts of sessions where a client command is rejected
+because a lookup table is unavailable. Postfix now implements gradual
+degradation, for example, the SMTP server keeps running instead of
+terminating with a fatal error. This change in error handling would
+result in a very large number of "transcript of session" email
+notifications when an LDAP or *SQL server goes down).
+
+To receive such reports, add the new "data" class to the notify_classes
+parameter value. The reports will be sent to the error_notice_recipient
+address as before. This class is also used by the Postfix SMTP
+client to report about sessions that fail because a table is
+unavailable.
+
+Major changes - logging
+----------------------------------------
+
+[Incompat 20111205] Postfix now logs the result of successful TLS
+negotiation with TLS logging levels of 0. See the smtp_tls_loglevel
+and smtpd_tls_loglevel descriptions in the postconf(5) manpage for
+other minor differences.
+
+[Incompat 20110219] The Postfix SMTP and QMQP servers now log
+"hostname X does not resolve to address Y", when a "reverse hostname"
+lookup result does not resolve to the client IP address. Until now
+these servers logged "Y: hostname X verification failed" or "Y:
+address not listed for hostname X" which people found confusing.
+++ /dev/null
-Wish list:
-
- Things to do before the stable release:
-
- Remove this file from the stable release.
-
- Things to do after the stable release:
-
- Before proxymap can be exposed to the network to share,
- e.g., postscreen or verify caches, need to enforce limits
- on attribute string length in IPC protocols. 10-20KB seems
- OK. The VSTREAM library already supports read/write deadlines.
-
- move flush_init() etc. from defer service clients to the
- bounce daemon?
-
- multi_connect() function that takes a list of inet:host:port
- and/or unix:pathname specs, with an explicit "inet" prefix
- argument to handle applications that use host:port only.
- This will simplify multi-host implementation for memcache
- client, dovecot client, and other.
-
- dict_memcache: treat "bad" key as cache miss, i.e. read/write
- the backup database as if the cache did not exist. This
- does not help because most Postfix maps (virtual, canonical,
- access, transport, ...) also don't support spaces in keys.
-
- postscreen: keep the cache open after "postfix reload" when
- it is remote (type memcache: or proxy:). This does not work
- because memcache can use a non-proxied file as backup).
-
- What is the feasibility of adding an mta_name (personality)
- attribute that is propagated via queue files and delivery
- agent requests? It would default to myhostname.
-
- Major performance improvement opportunity (that is until
- everyone runs Postfix queues on SSDs). Investigate the
- viability of a daemon that produces incoming and postdrop
- queue files on request (in reality it would maintain a
- limited queue of "spare" files). Central queue file allocation
- reduces the I/O performance disadvantage that qmgr has when
- 100 smtpd processes are receiving mail, or when lots of
- mail is submitted with the sendmail command line. When an
- smtpd process accepts MAIL FROM, a cleanup daemon requests
- a queue file and receives a queue ID + file handle from the
- queue file daemon. If the queue file daemon is down, the
- cleanup daemon creates the file itself like it does now;
- this can be hidden in the mail_stream library module. If
- the mail transaction is aborted, then the cleanup daemon
- gives the queue file back to the queue file daemon's "spare"
- file pool, saving most of the overhead of creating and
- deleting a queue file (the file would still need to be
- renamed at the start of the next mail transaction). If the
- cleanup daemon is unable to give a file back, then it can
- delete the file like it does now; this can be hidden in the
- mail_stream library module. The whole thing can be
- transparently added to Postfix by adding calls to a
- queue-file-service client to the mail_queue_enter() and
- mail_queue_remove() library routines. Other advantages:
- 1) negligible performance hit when queue file allocation
- happens earlier, so that logging and milters have a queue
- ID for the whole transaction not just the first valid
- recipient; 2) by not removing every queue files we get most
- of the performance gain of a queue based on append/truncate
- instead of the much more expensive create/delete.
-
- Investigate viability of Sendmail socket maps (the moral
- equivalent of tcp_table(5)), and dns maps.
-
- Check if FILTER_README has the "postsuper -r" workaround
-
- Bounces without <> in the plaintext section. Apparently,
- some software renders the text as HTML (and therefore
- does not render addresses and other text inside <> ).
-
- Make the rules for how to use close-on-exec more explicit.
-
- Provide separate timeout control for dict_proxy client,
- rewrite client, resolve client, cleanup client, and so on.
- Perhaps a timeout argument to the mail_connect() routines.
-
- Trick from amavisd: save listen socket/fifo/etc state, clear
- their close-on-exec flags, exec the same program file to
- re-initialize (with saved socket state on command line or
- in environment), then restore the listen socket/fifo/etc
- close-on-exec flags. This could be a way to mitigate the
- impact of memory/file leaks, and to implement "postfix
- reload" support for master(8) features that currently don't
- support this.
-
- Sub-second time resolution. The first benefit is to make
- per-destination rate delays more usable. Other applications
- will come up once the support exists. The straightforward
- approach is to represent all time intervals in milliseconds,
- and to update all code that makes system calls with a time
- argument (as well as the compiled-in upper and lower time
- parameter bounds, which are currently in seconds).
- Unfortunately, that limits he maximum time interval to less
- than 25 days on 32-bit systems, and is likely to break
- compatibility (for starters, it cannot even deal with the
- compiled-in 100d upper bound on the queue file lifetime).
- A second option is to have a "compatibility" time base
- switch between milliseconds and seconds; this means extra
- changes to all code that makes system calls with a time
- argument, and the way that the compiled-in upper and lower
- bounds are specified. Some of this can be encapsulated in
- macros like time_to_sec(t), time_to_msec(t) and sec_to_time(t).
- Finally, it is relatively easy to replace the events(3)
- interface to use "double" for the time delay arguments, but
- it is a major pain to convert all main.cf time parameters
- into doubles (converting only some leads to a documentation
- nightmare).
-
- Address verify cache: allow a negative cache "refresh"
- result to purge a "positive" cache entry in some safe manner.
- Currently, the negative cache "refresh" result is discarded,
- address verify cache lookup returns OK, and each lookup
- forces a "refresh" probe until the entry expires.
-
- Some Sendmail configurations trigger sub-optimal behavior
- when the postscreen_whitelist_interfaces parameter lists
- primary MX addresses only. When postscreen's "deep protocol
- tests" are successful on the primary MX address (i.e. they
- result in 4XX responses to RCPT TO), some Sendmail
- configurations keep the primary MX connection open until
- AFTER they finish talking to the backup MX address. The
- problem is that the backup connection runs into a WHITELIST
- VETO condition because the whitelisting database has not
- yet been updated with the PASS NEW result for the primary
- MX connection. Unfortunately postscreen can't update the
- whitelisting database before the primary MX connection is
- closed, because a client may still make a mistake.
-
- Don't forget Apple's code donation for fetching mail from
- IMAP server.
-
- Simplify postscreen logic. Individual "fail" flags help to
- avoid repeated testing/logging the same mistake. Individual
- "pass" flags provide evidence that the client didn't skip
- tests by hanging up early. The current global "noforward"
- flag implements the wrong model: instead we need an indicator
- that a client has passed all tests or that all mistakes
- were forgiven.
-
- In the SMTP server, check if the connection is closed before
- replying to ".", and discard the message if the reply can't
- be sent. This reduces the time window for RFC 1047 message
- duplication, and may even prevent the delivery of some spam.
- http://www.exim.org/lurker/message/20070416.103159.9d5ff0ce.en.html
- This requires splitting the SMTP server's commit operation
- into two operations: first, a tentative commit operation
- that performs most of the I/O and processing in milters and
- in the cleanup server; second, a final commit operation
- that is executed only if the remote SMTP client hasn't hung
- up in the mean time. Unfortunately, SMTP-based before-queue
- content filters don't support a tentative commit operation.
-
- Find out how to reproduce Berkeley DB bogus ENOENT errors.
- postscreen does not log this with Berkeley DB 1 (FreeBSD
- 4..8), 4.7.25 (Ubuntu 9.04) and 4.8.24 (Ubuntu 10.04).
-
- postconf command-line option to show the compile-time
- settings (CCARGS, AUXLIBS) in case binary packages
- don't install the makedefs.out file.
-
- events.c: cache the side effects of file descriptor event
- enable/disable operations in user space, and do bulk kernel
- updates at event_loop() time. This can eliminate costly
- system calls with successive event disable/enable operations
- on the same file descriptor. This can also eliminate the
- need for tricky code that tries to avoid the expense of
- successive disable/enable operations. Such code is likely
- to introduce bugs.
-
- When does it pay off to send domains in the active queue
- to a DNS prefetch daemon? Could this generalize to a dynamic
- transport map that piggy-backs domains with the same MX
- host into the same mail delivery transaction?
-
- inline table where the "whitespace replacement" character
- is specified in-line. Ex: inline:XYname1Xvalue1Yname2Xvalue2
- would instantiate a table with (name1, value1) and (name2,
- value2). I'm afraid this is just too ugly.
-
- tlsproxy(8) should receive TLS preferences from postscreen(8)
- and smtpd(8), instead of reading them from main.cf. This
- means that many tlsproxy_ parameters become postscreen_
- parameters, and that tls_server_init() parameters move to
- to tls_server_start(). That is a significant API change.
- It also means tlsproxy can't open all files before chroot().
-
- anvil rate limit for sasl_username.
-
- Encapsulate nbbio buffer access and update by tlsproxy.
-
- Full-duplex support for tlsproxy(8). This requires updating
- events(3) and nbbio(3).
-
- Register automagic destructor for object attached to VSTREAM.
-
- smtpd xclient option for sasl_username.
-
- Use different ipc time limits for email message transactions
- (smtpd, pickup)->cleanup and for quick query/reply transactions
- such as address rewriting/resolution. Beware of large time
- limits for local or virtual alias expansion.
-
- permit_tempfail_action (default: defer_if_reject) to be
- used as the default value for dnswl_tempfail_action and
- rhswl_tempfail_action. Steal liberally from the code that
- implements unverified_recipient_tempfail_action etc.
-
- Support filtering of messages that are generated by Postfix:
- This would apply to postmaster notices and bounce messages
- (DKIM), and address verification (BATV).
-
- Consistency: in postconf.proto make <dt>..</dt> tags bold.
-
- postscreen(8): listen on multiple IP addresses and enforce
- that the client contacts the primary MX address first (i.e.
- punish hosts that contact the secondary before the primary).
- The downside with any approach that relies on temporary
- punishment is that it does not scale to configurations
- with multiple equal-preference MX hosts. Such hosts would
- have to share the postscreen cache, causing an unacceptable
- performance bottleneck and a single point of failure.
-
- According to a paper by Ted Unangst at BSDCON09, kqueue
- reports state changes, i.e. kqueue indicates when the socket
- becomes readable. Specifically, he writes when kqueue reports
- a socket becomes readable but no data is read from that
- socket, later kqueue calls won't report the socket as
- readable. That's not what happens on FreeBSD 8.0, where
- kqueue will keep reporting the socket as readable when
- nothing is read. Also, FreeBSD 8.0 kqueue still reports
- the socket as readable after a read operation does not empty
- the kernel buffer. We need a test program for this that
- repeats these tests with OpenBSD and NetBSD (and MacOS X
- once they fix their kqueue implementation).
-
- Would it help if there were different cleanup_service
- parameter names for different message paths? smtpd(8) uses
- the same cleanup_service value for receiving remote mail
- and for submitting postmaster problem reports. Do we need
- separate mumble_cleanup_service_name parameters for "inject",
- "notify" and "forward" (with backwards compatible defaults)?
-
- IF/ENDIF support for CIDR tables.
-
- Make postconf aware of local_, smtp_, etc. parameter names
- that have prefixes derived from mail delivery transport
- names, LDAP/SQL table names, spawn(8) services, and so on.
- Clearly, it is wrong to assume that all "unix" master.cf
- entries are delivery agents (though it may be OK for postconf
- to peek in master.cf when given a parameter with an unknown
- prefix). This requires a new main.cf parameter (delivery_prefixes?)
- that lists all known mail delivery transport names. postconf
- can safely ignore names that don't exist in master.cf, and
- qmgr_transport_create() can safely warn about a name that
- isn't listed in that new main.cf parameter. A similar
- parameter would be needed for spawn(8) services (spawn_prefixes?)
- and for legacy-style database "sources" (database_prefixes?).
- The spawn(8) daemon could warn if the service name is not
- listed in main.cf, and the LDAP/SQL/etc. drivers could
- warn if a legacy-style database source is not listed in
- main.cf.
-
- Need a regular expression table to translate address
- verification responses into hard/soft/accept reply codes.
-
- Is there a way to make sendmail -V work after local alias
- expansion? Majordomo-like mailing lists would benefit from
- this; the example in VERP_README does not work in the general
- case.
-
- When an alias is a member of an :include: list with owner-
- alias, local(8) needs an option to deliver alias or alias->user
- indirectly. What happens when an :include: list with owner-
- alias includes another list?
-
- Don't allow empty result values in pcre and regexp maps.
- Postfix doesn't allow them anywhere else (check this).
-
- Make PCRE_MAX_CAPTURE configurable.
-
- Add some checks for tokens starting with #. A challenge
- is to report sensible context from the guts of some low-level
- parser, without introducing a great deal of clumsiness.
-
- Add sendmail macros for {verify} and maybe other TLS info.
-
- Find out if we are doing the correct thing by looking at
- state->milter_reject_text when expanding {rcpt_addr} or
- {rcpt_host}.
-
- Find out why post_mail() etc. block when the qmgr fifo is
- full (answer: trigger_timeout). How can this cause delays
- in the queue manager? When a recipient bounces during
- (transport, nexthop, address) resolution, it is redirected
- to the error or retry mailer; and bounce-after-delivery is
- asynchrounous so it can't block the queue manager, either.
-
- Add smtpd_sender_login_maps to proxy_read_maps, and make
- sure that defaults are set before proxy_read_maps is
- evaluated. What other parameters are worthy of being
- whitelisted for proxy access? Is there a way to automate
- this decision?
-
- How to ensure that proxy_read_maps is processed after all
- its dependencies are initialized, or just bite the bullet
- and rewrite the parameter initialization code.
-
- The cleanup virtual alias expansion limit does not really
- deliver on its promises. 1) It promises to truncate the
- result without aborting delivery, which would be undesirable
- anyway, but that is not what it does, so that is good. 2)
- It keeps all the recipients from multi-recipient database
- lookup, then terminates further recursion when the result
- exceeds the expansion limit. This behavior achieves the
- original goal that all things shall have a finite size (even
- though but we don'really care how large they are) but may
- result in surprises when recipients are listed in virtual
- alias domains or need expansion for other reasons. In a
- phone call with Victor, a reasonable way out is to set the
- limit to some large number (100000) and abort delivery when
- the result exceeds the limit.
-
- Should the postscreen save permanent white/black list lookup
- results to the temporary cache, and query the temporary
- cache first? Skipping white/black list lookups will speed
- up the handling of "good" clients without a permanent
- whitelist entry. Of course, this means that updates to the
- white/black lists do not immediately take effect. Workarounds:
- 1) use a shorter temporary cache TTL for clients on the
- permanent black/white lists; 2) ignore cached white/black
- list lookup results after "postfix reload"; 2) adjust the
- logging, for example "WHITELISTED address (cached)" and
- "BLACKLISTED address (cached)" to eliminate surprises.
- Comparing the cache entry time with the white/blacklist
- file modification time is not foolproof: for example, pcre
- or CIDR tables are read only once.
-
- It would be nice if the generic dict_cache(3) cache manager
- could postpone process suicide until cache cleanup is
- completed (but that is not possible when postscreen forks
- into the background to finish already-accepted connections,
- and it is not desirable when a host is being shut down).
-
- When postscreen drops a connection, a 521 "greeting" should
- be of the form "521 servername..." and not have an enhanced
- status code. The "521 5.7.1" form can be used after EHLO.
- Of course no spammer is going to complain about Postfix
- SMTP compliance.
-
- Find a place to document all the mail routing mechanisms
- in one place so people can figure out how Postfix works.
-
- The access map BCC action is marked "not stable", perhaps
- because people would also expect BCC actions in header/body_checks.
- How much would it take to make the queue file editing code
- generally usable?
-
- Move smtpd_command_filter into smtpd_chat_query() and update
- the session transcript (see smtp_chat_reply() for an example).
-
- SMTP connection caching without storing connections, to
- improve TLS mail delivery performance.
-
- postscreen has separate socket budgets for whitelisted
- clients and for other clients. If we add a dummy SMTP engine
- then we extend the session length for non-whitelisted clients
- and need to increase the socket budget (or create a new
- budget class, which complicates the user interface).
-
- Should not milter8_mail_event() unset the "hold" default
- reply? Better, the default reply should not be used for
- this purpose.
-
- Unescape the pregreeter's HELO command argument so that
- <CR><LF> don't show up as ??.
-
- Make postscreen logging easier. Always log connect, then log
- why the connection is or is not forwarded.
-
- Don't send MASTER_STAT_TAKEN/MASTER_STAT_AVAIL when a server
- runs with process limit of 1. But this means the master
- never learns that the process is successful and will always
- pause $service_throttle_time before restarting a failed service.
-
- Don't bother maintaining a per-service lockfile when a
- server runs with process limit of 1. The purpose of the
- lockfile is to avoid thundering herd problems when the kernel
- wakes up multiple processes for each new client connection.
-
- Concurrency/speed-matching: invoke a before-queue (smtpd_proxy)
- filter after the entire message is received, so that fewer
- filter processes will be running simultaneously. In some
- parts of the world, after-queue filtering is problematic.
-
- This is different than the MailChannels patented solution
- to multiplex many slow SMTP connections over a few fast
- SMTP connections. We simply postpone opening the connection
- to the filter, and rely on the before-filter SMTP server
- to reject invalid recipients. MailChannels uses one
- connection-to-MTA to discover invalid recipients, receives
- the email message with a potentially reduced bitrate, and
- then uses another connection-to-MTA to deliver the message
- quickly.
-
- Implement PREPEND action for milter_header_checks. Save the
- to-be-prepended text to buffer, then emit it along with the
- new header.
-
- Fix the header_body_checks API, so that the name of the map
- class (e.g. milter_header_checks) is available for logging.
-
- Fix the mime_state and header_body_checks APIs, so that
- they use VSTRINGs. This simplifies REPLACE actions.
-
- Update FILTER_README for multi-instance support, and rename
- the old document to FILTER_LEGACY_README.
-
- Need to sign delivery status notifications, to avoid surprises
- when eventually people start enforcing DKIM etc. signatures.
-
- Either document or remove the internal_mail_filter_classes
- feature (it's disabled by default).
-
- "postconf -N" option to print user-defined parameter names
- (these have no defaults, since they exist only when
- specified in main.cf or with "-o name=value").
-
- Make the "unknown recipient" test configurable as
- first|last|never, with "yes"=="last" for backwards
- compatibility. The "first" setting is good for performance
- (stress=yes) when all users are defined in local files; but
- it may perform worse when users are in networked tables.
-
- Cleanup: make DNSBL query format configurable beyond the
- client's reversed IP address.
-
- With 'final delivery' in the LMTP client, need an option
- to also add delivered-to and other pipe(8) features. This
- requires making mail_copy() functionality available in
- non-mailbox context.
-
- Cleanup: modernize the "add missing From: header" code, to
- ``phrase <addr>'' form. Most likely, quote the entire phrase
- if it contains any text that is special, then rfc822_externalize
- the whole thing.
-
- SMTP server: make the server_addr and server_port available
- to policy server, Dovecot, and perhaps Milters.
-
- Med: local and remote source port and IP address for smtpd
- policy hook.
-
- Maybe change maps_rbl_reject_code default to 521, and
- update wording in STRESS_README.
-
- Encapsulate time_t comparisons so that they can be made
- system dependent (use difftime() where available).
-
- Encapsulate time_t conversions (e.g. REC_TYPE_TIME) so that
- they can be made system dependent.
-
- Plan for time_t larger than long, or wait for LP64 to
- dominate the world?
-
- Make "AUTH=<>" appendage to MAIL FROM configurable, enabled
- by default.
-
- To support ternary operator without a huge parsing effort,
- consider ${value?{xxx}:{yyy}} where ${name} is existing
- syntax, and where ?{text} and :{text} are new syntax that
- is unlikely to break existing configurations. Or perhaps
- it's just too ugly.
-
- Write delivery rate delay example (which _README?) and auth
- failure cache example (SASL_README). Then include them in
- SOHO_README.
-
- Look for alternatives for the use of non_smtpd_milters.
- This involves some way to force local submissions to go
- through a local SMTP client and server, without triggering
- "mail loops back to myself" false alarms. The advantage is
- that it makes smtpd_mumble_restrictions available for local
- and remote mail; the disadvantage is that it makes local
- submissions more dependent on networking. One possibility
- is to use "pickup -o content_filter=smtp:127.0.0.1:10025",
- or a dedicated SMTP client/server on UNIX-domain sockets;
- we could also decide to always suppress "mail loop" detection
- for loopback connections. Another option is to have the
- pickup or cleanup server drive an SMTP client directly;
- this would require extension of the mail_stream() interface,
- plus a way to handle bounced/deferred recipients intelligently,
- but it would be at odds with Postfix design where delivery
- agents access queue files directly; exposing delivery agents
- to raw queue files violates another Postfix design principle.
-
- Consolidate duplicated code in *_server_accept_{pass,inet}().
-
- Consolidate duplicated code in {inet,unix,upass}_trigger.c.
-
- In the SMTP client, handle 421 replies in smtp_loop() by
- having the input function raise a flag after detecting 421
- (kill connection caching and be sure to do the right thing
- with RSET probes), leave the smtp_loop() per-command reply
- handlers unchanged, and have the smtp_loop() reader loop
- bail out with smtp_site_fail("server disconnected after
- %s", where), but only in the case that it isn't already in
- the final state. But first we need to clean up the handling
- of do/don't cache, expired, bad and dead sessions.
-
- Combine smtpd_peer.c and qmqpd_peer.c into a single function
- that produces a client context object, and provide attribute
- print/scan routines that pass these client context objects
- around. With this, we no longer have to update multiple
- pieces of code when a client attribute is added. Ditto for
- SASL and TLS context.
-
- Make TLS_BIO_BUFSIZE run-time adjustable, to future-proof
- Postfix for remote connections with MSS > 8 kbytes.
-
- Don't log "warning: XXXXX: undeliverable postmaster
- notification discarded" for spam from outside.
-
- Really need a cleanup driver that allows testing against
- Milter applications instead of synthetic events. This would
- have to provide stubs for clients that talk to Postfix
- daemon processes. See if this approach can also be used for
- other daemons.
-
- smtpd(8) exempts $address_verify_sender from access controls,
- but it doesn't know whether cleanup(8) or delivery agents
- modify the sender. Would it be possible to "calibrate" this
- exemption, perhaps by having delivery agents pass the probe
- sender to the verify server, keeping in mind that the probe
- sender may differ per delivery agent due to output rewriting.
-
- Update attr_print/scan() so they can send/receive file
- descriptors. This simplifies kludgy code in many daemons.
-
- Would there be a problem adding $smtpd_mumble_restrictions
- and $smtpd_sender_login_maps to the default proxy_read_maps
- settings?
-
- Remove defer(8) and trace(8) references and man pages. These
- are services not program names. On the other hand we have
- man pages for lmtp(8) and smtp(8), but not for relay(8).
- Likewise, retry(8) does not have a man page.
-
- Bind all deliveries to the same local delivery process,
- making Postfix perform as poorly as monolithic mailers, but
- giving a possibility to eliminate duplicate deliveries.
-
- Maybe declare loop when resolve_local(mxhost) is true?
-
- Update message content length when adding/removing headers.
-
- Need scache size limit.
-
- Make postcat header/body aware so people can grep headers.
- What headers? primary, mime, nested? What body? Does it
- include the mime and attached headers?
-
- REDIRECT should override original recipient info, and
- probably override DSN as well.
-
- Find out if with Sendmail, a Milter "add recipient" request
- results in NOTIFY=NONE as Postfix does now.
-
- Update FILTER_README with mailing list suggestions to tag
- with a badness indicator and then filter down-stream.
-
- Make null local-part handling configurable: either expand
- into mailer-daemon (current bahavior) or disallow (strict
- behavior, currently implemented only in the SMTP server).
-
- The type of var_message_limit (and other file size/offset
- configuration parameters or internal protocol attributes)
- should be changed from int to off_t. This also requires
- checking all expressions in which var_message_limit etc.
- appears: qmqpd, netstring, deliver_request, ...
-
- Add M flag (enable multi-recipient delivery) to pipe daemon.
-
- The usage of TLScontext->cache_type is unclear. It specifies
- a TLS session cache type (smtpd, smtp, or lmtp), but it is
- sometimes used as an indicator that TLS session caching is
- unavailable. In reality, that decision is made by not
- registering call-back functions for cache maintenance.
-
- Postfix TLS library code should copy any strings that it
- receives from the application, instead of passing them
- around as pointers. TLScontext->cache_type is a case in
- point.
-
- Are transport:nexthop null fields the same as in the case
- of default_transport etc. parameters?
-
- Don't lose bits when converting st_dev into maildir file
- name. It's 64 bits on Linux. Found with the BEAM source
- code analyzer. Is this really a problem, or are they just
- using 64 bits for upwards compatibility with LP64 systems?
-
- Do or don't introduce unknown_reverse_client_reject_code.
-
- Check that "UINT32 == unsigned int" choice is ok (i.e. LP64
- UNIX).
-
- Tempfail when a Milter application tries to negotiate content
- access, while it is configured in an SMTP server that runs
- before the smtpd_proxy filter.
-
- Log DSN original recipient when rejecting mail.
-
- Keep whitespace between label and ":"?
-
- Make the map case folding/locking options configurable, if
- not at run-time then at least at compile time so we get
- consistent behavior across applications.
-
- Investigate what it would take to eliminate oqmgr, and to
- make the old behavior configurable in a unified queue
- manager. This would shave another 2.7 KLOC from the source
- footprint.
-
- Document the case folding strategy for match_list like
- features.
-
- Eliminate the (incoming,deferred)->active rename operation.
- This requires an in-memory hash of queue file names to avoid
- duplicate open() operations.
-
- Softbounce fallback-to-ISP for SOHO users. This heuristic
- assumes that when direct-to-MX delivery fails with 5XX,
- delivery via the ISP may still succeed. This could be
- implemented by enabling soft bounces for destinations other
- than the smtp_fallback_relay. So the only benefit of this
- over the existing soft_bounce feature is that it has no
- effect on smtp_fallback_relay deliveries.
-
- Centralize main.cf parameter input so that defaults work
- consistently. What about parameter names that are prefixed
- with mail delivery transport names?
-
- Fix default time unit handling so that we can have a default
- bounce lifetime of $maximal_queue_lifetime, without causing
- panics when a non-default maximal_queue_lifetime setting
- includes no time unit.
-
- After the 20051222 ISASCII paranoia, lowercase() lowercases
- ASCII text only.
-
- Privacy: remove local command/pathname details from remote
- delivery status reports, and log them via local msg_warn().
-
- Is it safe to cache a connection after it has been used for
- more than some number of address verification probes?
-
- Try to recognize that Resent- headers appear in blocks,
- newest block first. But don't break on incorrect header
- block organization.
-
- Hard limits on cache sizes (anvil, specifically).
-
- Laptop friendliness: make the qmgr remember when the next
- deferred queue scan needs to be done, and have the pickup
- server stat() the maildrop directory before searching it.
-
- Low: replace_sender/replace_recipient actions in access
- maps, so they can be used in policy servers?
-
- Low: configurable order of local(8) delivery methods.
-
- Med: smtp_connect_timeout_budget (default: 3x smtp_connect_timeout)
- to limit the total time spent trying to connect.
-
- Med: transform IPv4-in-IPv6 address literals to IPv4 form
- when comparing against local IP addresses?
-
- Med: transform IPv4-in-IPv6 address literals to IPv4 form
- when eliminating MX mailer loops?
-
- Med: Postfix requires [] around IPv6 address information
- in match lists such as mynetworks, debug_peer_list etc.,
- but the [] must not be specified in access(5) maps. Other
- places don't care. For now, this gotcha is documented in
- IPV6_README and in postconf(5) with each feature that may
- use IPv6 address information. The general recommendation
- is not to use [] unless absolutely necessary.
-
- Med: the partial address matching of IPv6 addresses in
- access(5) maps is a bit lame: it repeatedly truncates the
- last ":octetpair" from the printable address representation
- until a match is found or until truncation is no longer
- possible. Since one or more ":" are usually omitted from
- the printable IPv6 address representation, this does not
- really try all the possibilities that one might expect to
- be tried. For now, this gotcha is documented in access(5).
-
- Low: reject HELO with any domain name or IP address that
- this MTA is the final destination for.
-
- Low: should the Delivered-To: test in local(8) be configurable?
-
- Low: make mail_addr_find() lookup configurable.
-
- Low: update events.c so that 1-second timer requests do not
- suffer from rounding errors. This is needed for 1-second
- SMTP session caching time limits. A 1-second interval would
- become arbitrarily short when an event is scheduled just
- before the current second rolls over.
-
- Low: configurable internal/system locking method.
-
- Low: add INSTALL section for pre-existing Postfix systems.
-
- Low: add INSTALL section for pre-existing RPM Postfixes.
-
- Low: disallow smtpd_recipient_limit < 100 (the RFC minimum).
-
- Low: noise filter: allow smtp(8) to retry immediately if
- all MXes return a quick ECONNRESET or 4xx reply during the
- initial handshake. Retry once? How many times?
-
- Low: make post-install a "postfix-only script" so it can
- take data from the environment instead of main.cf.
-
- Low: randomize deferred mail backoff.
-
- Med: separate ulimit for delivery to command?
-
- Med: postsuper -r should do something with recipients in
- bounce logfiles, to make sure the sender will be notified.
- To be perfectly safe, no process other than the queue manager
- should move a queue file away from the active queue.
-
- This could involve tagging a queue file, and use up another
- permission bit (postsuper tags a "hot" file, qmgr requeues it).
-
- Low: postsuper re-run after renaming files, but only a
- limited number of times.
-
- Low: smtp-source may block when sending large test messages.
-
- Med: find a way to log the sender address when MAIL FROM
- is rejected due to lack of disk space.
-
- Low: revise other local delivery agent duplicate filters.
-
- Low: all table lookups should consistently use internalized
- (unquoted) or externalized (quoted) forms as lookup keys.
- smtpd, qmgr, local, etc. use unquoted address forms as keys.
- cleanup uses quoted forms.
-
- Low: have a configurable list of errno values for mailbox
- or maildir delivery that result in deferral rather than
- bouncing mail. What about "killed by signal" exits?
-
- Low: after reorganizing configuration parameters, add flags
- to all parameters whose value can be read from file.
-
- Medium: need in-process caching for map lookups. LDAP servers
- seem to need this in particular. Need a way to expire cached
- results that are too old.
-
- Low: generic showq protocol, to allow for more intelligent
- processing than just mailq. Maybe marry this with postsuper.
-
- Low: default domain for appending to unqualified recipients,
- so that unqualified names can be delivered locally.
-
- Low: The $process_id_directory setting is not used anywhere
- in Postfix. Problem reported by Michael Smith, texas.net.
- This should be documented, or better, the code should warn
- about attempts to set read-only parameters.
-
- Low: postconf -e edits parameters that postconf won't list.
-
- Low: while converting 8bit text to quoted-printable, perhaps
- use =46rom to avoid having to produce >From when delivering
- to mailbox.
-
- virtual_mailbox_path expression like forward_path, so that
- people can specify prefix and suffix.
}
# Postfix 2.9.
- # Safety net for incompatible changes in IPv6 defaults. This
- # requires that the default is "inet_protocols = ipv4" when
- # IPv6 support is not compiled in. See util/sys_defs.h.
+ # Safety net for incompatible changes in IPv6 defaults.
+ # PLEASE DO NOT REMOVE THIS CODE. ITS PURPOSE IS TO AVOID AN
+ # UNEXPECTED DROP IN PERFORMANCE AFTER UPGRADING FROM POSTFIX
+ # BEFORE 2.9.
+ # This code assumes that the default is "inet_protocols = ipv4"
+ # when IPv6 support is not compiled in. See util/sys_defs.h.
test "`$POSTCONF -dh inet_protocols`" = "ipv4" ||
test -n "`$POSTCONF -c $config_directory -nh inet_protocols`" || {
# Note: avoid hash files here. Use btree instead.
<a href="postconf.5.html#address_verify_map">address_verify_map</a> = btree:$<a href="postconf.5.html#data_directory">data_directory</a>/verify_cache
+ # Shared persistent cache (requires Postfix 2.9 or later).
+ <a href="postconf.5.html#address_verify_map">address_verify_map</a> = <a href="proxymap.8.html">proxy</a>:btree:$<a href="postconf.5.html#data_directory">data_directory</a>/verify_cache
+ # Disable automatic cache cleanup in all Postfix instances except
+ # for one instance that will be responsible for cache cleanup.
+ # <a href="postconf.5.html#address_verify_cache_cleanup_interval">address_verify_cache_cleanup_interval</a> = 0
+
+ # Shared memory cache (requires Postfix 2.9 or later).
+ # See <a href="memcache_table.5.html">memcache_table(5)</a> for details.
+ <a href="postconf.5.html#address_verify_map">address_verify_map</a> = <a href="memcache_table.5.html">memcache</a>:/etc/postfix/verify-memcache.cf
+
# Default setting for Postfix 2.6 and earlier.
# This uses non-persistent storage only.
<a href="postconf.5.html#address_verify_map">address_verify_map</a> =
<blockquote> <p> NOTE: To share a <a href="postscreen.8.html">postscreen(8)</a> cache between
multiple <a href="postscreen.8.html">postscreen(8)</a> instances, use "<tt><a href="postconf.5.html#postscreen_cache_map">postscreen_cache_map</a> =
-<a href="proxymap.8.html">proxy</a>:btree:/path/to/file</tt>". This requires Postfix 2.9 or
-later; earlier <a href="proxymap.8.html">proxymap(8)</a> implementations don't support cache
-cleanup. For an alternative approach see the <a href="memcache_table.5.html">memcache_table(5)</a>
-manpage. </p> </blockquote>
+<a href="proxymap.8.html">proxy</a>:btree:$<a href="postconf.5.html#data_directory">data_directory</a>/postscreen_cache</tt>", and disable
+cache cleanup (<a href="postconf.5.html#postscreen_cache_cleanup_interval">postscreen_cache_cleanup_interval</a> = 0) in all
+<a href="postscreen.8.html">postscreen(8)</a> instances except one that is responsible for cache
+cleanup. </p> <p> <a href="postscreen.8.html">postscreen(8)</a> cache sharing requires Postfix 2.9
+or later; earlier <a href="proxymap.8.html">proxymap(8)</a> implementations don't support cache
+cleanup. </p> <p> For an alternative <a href="postscreen.8.html">postscreen(8)</a> cache sharing
+approach see the <a href="memcache_table.5.html">memcache_table(5)</a> manpage. </p> </blockquote>
<p> When the SMTP client address appears on the temporary
whitelist, <a href="postscreen.8.html">postscreen(8)</a> logs this with the client address and port
export SYSTYPE AR ARFL RANLIB SYSLIBS CC OPT DEBUG AWK OPTS
# Snapshot only.
-CCARGS="$CCARGS -DSNAPSHOT"
+#CCARGS="$CCARGS -DSNAPSHOT"
# Non-production: needs thorough testing, or major changes are still
# needed before the code stabilizes.
# Note: avoid hash files here. Use btree instead.
address_verify_map = btree:$data_directory/verify_cache
+ # Shared persistent cache (requires Postfix 2.9 or later).
+ address_verify_map = proxy:btree:$data_directory/verify_cache
+ # Disable automatic cache cleanup in all Postfix instances except
+ # for one instance that will be responsible for cache cleanup.
+ # address_verify_cache_cleanup_interval = 0
+
+ # Shared memory cache (requires Postfix 2.9 or later).
+ # See memcache_table(5) for details.
+ address_verify_map = memcache:/etc/postfix/verify-memcache.cf
+
# Default setting for Postfix 2.6 and earlier.
# This uses non-persistent storage only.
address_verify_map =
<blockquote> <p> NOTE: To share a postscreen(8) cache between
multiple postscreen(8) instances, use "<tt>postscreen_cache_map =
-proxy:btree:/path/to/file</tt>". This requires Postfix 2.9 or
-later; earlier proxymap(8) implementations don't support cache
-cleanup. For an alternative approach see the memcache_table(5)
-manpage. </p> </blockquote>
+proxy:btree:$data_directory/postscreen_cache</tt>", and disable
+cache cleanup (postscreen_cache_cleanup_interval = 0) in all
+postscreen(8) instances except one that is responsible for cache
+cleanup. </p> <p> postscreen(8) cache sharing requires Postfix 2.9
+or later; earlier proxymap(8) implementations don't support cache
+cleanup. </p> <p> For an alternative postscreen(8) cache sharing
+approach see the memcache_table(5) manpage. </p> </blockquote>
<p> When the SMTP client address appears on the temporary
whitelist, postscreen(8) logs this with the client address and port
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20120117"
-#define MAIL_VERSION_NUMBER "2.9"
+#define MAIL_RELEASE_DATE "20120118"
+#define MAIL_VERSION_NUMBER "2.9-RC1"
#ifdef SNAPSHOT
# define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE
projects / thirdparty / postfix.git / commitdiff
