If you upgrade from Postfix 2.8 or earlier, read RELEASE_NOTES-2.9
before proceeding.
-Incompatible changes with snapshot 20130203
-===========================================
+Major changes - laptop-friendliness
+-----------------------------------
-Thanks to OpenSSL documentation, the Postfix 2.9.0..2.9.5 SMTP
-client and server computed incorrect TLS certificate PUBLIC-KEY
-fingerprints. Support for certificate PUBLIC-KEY finger prints
-was introduced with Postfix 2.9; there is no known problem with the
-certificate fingerprint algorithms available since Postfix 2.2.
+[Incompat 20120924] Postfix no longer uses FIFOs to emulate UNIX-domain
+sockets on Solaris 9 (Vintage 2002!) and later. If you install
+Postfix for the first time on an older Solaris system, edit the
+master.cf file and replace "unix" with "fifo" for the pickup and
+qmgr services.
-Certificate PUBLIC-KEY finger prints may be used in the Postfix
-SMTP server (with "check_ccert_access") and in the Postfix SMTP
-client (with the "fingerprint" security level).
-
-Specify "tls_legacy_public_key_fingerprints = yes" temporarily,
-pending a migration from configuration files with incorrect Postfix
-2.9.0..2.9.5 certificate PUBLIC-KEY finger prints, to the correct
-fingerprints used by Postfix 2.9.6 and later.
-
-To compute the correct PUBLIC-KEY finger prints:
-
-# OpenSSL 1.0 with all certificates and SHA-1 fingerprints.
-$ openssl x509 -in cert.pem -noout -pubkey | \
- openssl pkey -pubin -outform DER | \
- openssl dgst -sha1 -c
-
-# OpenSSL 0.9.8 with RSA certificates and MD5 fingerprints.
-$ openssl x509 -in cert.pem -noout -pubkey | \
- openssl rsa -pubin -outform DER | \
- openssl dgst -md5 -c
+[Feature 20120924] the default master.cf file now uses "unix" instead
+of "fifo" for the pickup and qmgr services. This avoids periodic
+disk drive spin-up.
-Incompatible changes with snapshot 20130201
-===========================================
+Major changes - permit logging
+------------------------------
-The "postconf -Mn" feature is withdrawn, in favor of a better design
-that not only supports queries but also updates of named properties
-of a master.cf service entry. But there is not enough time to finish
-that for Postfix 2.10.
+[Feature 20120303] [Feature 20120303] New control for "permit"
+logging in smtpd_mumble_restrictions (by default, the SMTP server
+logs "reject" actions but not "permit" actions). Specify
+"smtpd_log_access_permit_actions = static:all" to log all "permit"-style
+actions, or specify a list of explicit action names. More details
+are in the postconf(5) manpage. Major changes - postconf
+------------------------
-Incompatible changes with snapshot 20121224
-===========================================
-
-The postconf command produces more warnings:
+[Incompat 20121224] The postconf command produces more warnings:
- An attempt to modify a read-only parameter (process_name, process_id)
in main.cf or master.cf.
- An undefined $name in a parameter value in main.cf or master.cf
(except for backwards-compatibility parameters such as $virtual_maps).
-Major changes with snapshot 20121224
-====================================
-
-The postconf command has been updated to make trouble-shooting (and
-support) easier. In summary, use "postconf -Mxf" and "postconf -nxf"
-to review master.cf and main.cf parameter settings with expanded
-parameter values.
+[Feature 20121224] The postconf command has been updated to make
+trouble-shooting (and support) easier. In summary, use "postconf
+-Mxf" and "postconf -nxf" to review master.cf and main.cf parameter
+settings with expanded parameter values.
- "postconf -x" now expands $name in main.cf and master.cf parameter
values.
main.cf or master.cf (except for backwards-compatibility parameters
such as $virtual_maps).
-Added with snapshot 20121227:
+[Feature 20121227]
- "postconf -o name=value" overrides main.cf parameter settings.
This can be used, for example, to examine stress-dependent settings
with "postconf -x -o stress=yes".
-Incompatible changes with snapshot 20121123
-===========================================
+Major changes - postscreen
+--------------------------
-The postscreen deep protocol tests now log the last command before
-a protocol error ("UNIMPLEMENTED" when the last command is not
-implemented, "CONNECT" when there was no prior command). The
-changed logfile messages are:
+[Incompat 20121123] The postscreen deep protocol tests now log the
+last command before a protocol error ("UNIMPLEMENTED" when the last
+command is not implemented, "CONNECT" when there was no prior
+command). The changed logfile messages are:
NON-SMTP COMMAND from [address]:port after command: text
BARE NEWLINE from [address]:port after command
COMMAND COUNT LIMIT from [address]:port after command
COMMAND LENGTH LIMIT from [address]:port after command
-Incompatible changes with snapshot 20121007
-===========================================
+Major changes - load-balancer support
+-------------------------------------
+
+[Incompat 20120625] The postscreen(8)-to-smtpd(8) protocol has
+changed. To avoid "cannot receive connection attributes" warnings
+and dropped connections, execute the command "postfix reload". No
+mail will be lost as long as the remote SMTP client tries again
+later.
+
+[Feature 20120625] Support for upstream proxy agent in the postscreen(8)
+and smtpd(8) daemons. To enable the haproxy protocol, specify one
+of the following:
+
+ postscreen_upstream_proxy_protocol = haproxy
+ smtpd_upstream_proxy_protocol = haproxy
+
+Note 1: smtpd_upstream_proxy_protocol can't be used in smtpd processes
+that are behind postscreen. Configure postscreen_upstream_proxy_protocol
+instead.
+
+Note 2: To use the nginx proxy with smtpd(8), enable the XCLIENT
+protocol with smtpd_authorized_xclient_hosts. This supports SASL
+authentication in the proxy agent (Postfix 2.9 and later).
+
+Major changes - relay safety
+----------------------------
-As part of a forward compatibility safety net, the Postfix installation
-procedure adds the following smtpd_relay_restrictions entry to
-main.cf when there is none:
+[Incompat 20121007] As part of a forward compatibility safety net,
+the Postfix installation procedure adds the following
+smtpd_relay_restrictions entry to main.cf when there is none:
smtpd_relay_restrictions =
permit_mynetworks
There is no need to change the value of smtpd_recipient_restrictions.
-Major changes with snapshot 20121007
-====================================
-
-This version introduces the smtpd_relay_restrictions feature
-for mail relay control. The new built-in default settings are:
+[Feature 20121007] This version introduces the smtpd_relay_restrictions
+feature for mail relay control. The new built-in default settings
+are:
smtpd_relay_restrictions =
permit_mynetworks
to the empty value, and use smtpd_recipient_restrictions exactly
as they used it before.
-Incompatible changes with snapshot 20120924
-===========================================
-
-Postfix no longer uses FIFOs to emulate UNIX-domain sockets on
-Solaris 9 (Vintage 2002!) and later. If you install Postfix for
-the first time on an older Solaris system, edit the master.cf file
-and replace "unix" with "fifo" for the pickup and qmgr services.
-
-Major changes with snapshot 20120924
-====================================
+Major changes - start-up
+------------------------
-Laptop-friendliness: the default master.cf file now uses "unix"
-instead of "fifo" for the pickup and qmgr services. This avoids
-periodic disk drive spin-up.
+[Feature 20120306] New master "-w" option, to wait for master daemon
+process initialization to complete. This feature returns an error
+exit status if master daemon initialization fails, or if it does
+not complete in a reasonable amount of time. The exit status is
+used by "postfix start" to provide more accurate information to
+system start-up scripts.
-Incompatible changes with snapshot 20120625
-===========================================
+Major changes - tls
+-------------------
-The postscreen(8)-to-smtpd(8) protocol has changed. To avoid "cannot
-receive connection attributes" warnings and dropped connections,
-execute the command "postfix reload". No mail will be lost as long
-as the remote SMTP client tries again later.
+[Incompat 20130203] Thanks to OpenSSL documentation, the Postfix
+2.9.0..2.9.5 SMTP client and server computed incorrect TLS certificate
+PUBLIC-KEY fingerprints. Support for certificate PUBLIC-KEY finger
+prints was introduced with Postfix 2.9; there is no known problem
+with the certificate fingerprint algorithms available since Postfix
+2.2.
-Major changes with snapshot 20120625
-====================================
-
-Support for upstream proxy agent in the postscreen(8) and smtpd(8)
-daemons. To enable the haproxy protocol, specify one of the
-following:
+Certificate PUBLIC-KEY finger prints may be used in the Postfix
+SMTP server (with "check_ccert_access") and in the Postfix SMTP
+client (with the "fingerprint" security level).
- postscreen_upstream_proxy_protocol = haproxy
- smtpd_upstream_proxy_protocol = haproxy
+Specify "tls_legacy_public_key_fingerprints = yes" temporarily,
+pending a migration from configuration files with incorrect Postfix
+2.9.0..2.9.5 certificate PUBLIC-KEY finger prints, to the correct
+fingerprints used by Postfix 2.9.6 and later.
-Note 1: smtpd_upstream_proxy_protocol can't be used in smtpd processes
-that are behind postscreen. Configure postscreen_upstream_proxy_protocol
-instead.
+To compute the correct PUBLIC-KEY finger prints:
-Note 2: To use the nginx proxy with smtpd(8), enable the XCLIENT
-protocol with smtpd_authorized_xclient_hosts. This supports SASL
-authentication in the proxy agent (Postfix 2.9 and later).
+# OpenSSL 1.0 with all certificates and SHA-1 fingerprints.
+$ openssl x509 -in cert.pem -noout -pubkey | \
+ openssl pkey -pubin -outform DER | \
+ openssl dgst -sha1 -c
-Major changes with snapshot 20120422
-====================================
+# OpenSSL 0.9.8 with RSA certificates and MD5 fingerprints.
+$ openssl x509 -in cert.pem -noout -pubkey | \
+ openssl rsa -pubin -outform DER | \
+ openssl dgst -md5 -c
-This release adds support to turn off the TLSv1.1 and TLSv1.2
-protocols. Introduced with OpenSSL version 1.0.1, these are known
-to cause inter-operability problems with for example hotmail.
+[Feature 20120422] This release adds support to turn off the TLSv1.1
+and TLSv1.2 protocols. Introduced with OpenSSL version 1.0.1, these
+are known to cause inter-operability problems with for example
+hotmail.
The radical workaround is to temporarily turn off problematic
protocols globally:
override the next-hop destination with transport_maps, relayhost,
sender_dependent_relayhost_maps, or otherwise, you need to specify
the same destination for the smtp_tls_policy_maps lookup key.
-
-Major changes with snapshot 20120306
-====================================
-
-New master "-w" option, to wait for daemon process initialization
-to complete. This feature returns an error exit status if master
-daemon initialization fails, or if it does not complete in a
-reasonable amount of time. The exit status is used by "postfix
-start" to provide more accurate information to system start-up
-scripts.
-
-Major changes with snapshot 20120303
-====================================
-
-New control for "permit" logging in smtpd_mumble_restrictions (by
-default, the SMTP server logs "reject" actions but not "permit"
-actions). Specify "smtpd_log_access_permit_actions = static:all"
-to log all "permit"-style actions, or specify a list of explicit
-action names. More details are in the postconf(5) manpage.
+++ /dev/null
-Wish list:
-
- Things to do before the stable release:
-
- Remove this file from the stable release.
-
- Things to do after the stable release:
-
- Spellcheck and double-word check.
-
- Don't forget Apple's code donation for fetching mail from
- IMAP server.
-
- Should postconf -o refuse to work without the -x option?
-
- Make 30s caching (feature 20070414) configurable, such that
- 0 means no caching.
-
- Make errno white/blacklist for getpwnam_r etc. and mailbox
- write errors.
-
- smtpd_muble_restrictions rule names are case-insensitive.
- restriction_classes values are case-sensitive but should
- be case-insensitive for consistency with smtpd_muble_restrictions.
-
- Make "rename" the default when postmapping a DB file
- (later: use copy+rename for postmap -i, postmap -d).
-
- Service-name parameters aren't documented in daemon manpages.
-
- When faking up the DSN ORCPT, don't send bare usernames
- from local command-line submission.
-
- lmtp_assume_final is broken. A 2XX response does not imply
- final delivery. The Sieve language implements accept-then-bounce.
-
- postscreen event-driven plug-in interface to send out a
- query in parallel with the Pregreet and DNSBL tests, using
- a simplified version of the policy delegation protocol.
-
- Parallelized queue preprocessing: rip out the queue manager
- code to read queue files and resolve recipients, and run
- it in parallel processes. The queue manager then processes
- their results as they become available. This would eliminate
- the qmgr<->trivial-rewrite bottleneck. This can also eliminate
- much of the scheduling disadvantage of a single queue manager
- compared to hundreds of mail receiving or sending processes
- (especially if there is a way to scan the queue in parallel).
-
- Memory pools for same-type memory objects. This can be
- used to either increase memory locality for frequently-allocated
- objects (MRU allocation) or to make use-after-free bugs
- more detectable (use LRU allocation and wipe the object
- immediately after free(). Finally, same-type memory pools
- prevent object type errors with use-after-free bugs.
-
- "no-cache" option for selected postscreen tests?
-
- Need a new DICT flag to indicate that a map handle supports
- locking. If it doesn't (as with memcache or proxymap
- handles), then postscreen etc. don't need to close a cache
- file after "postfix reload". After a fork() it is OK to
- keep using a memcache or proxymap handle, because the parent
- exits immediately. For this to work, the memcache client
- needs to propagate the flag from a persistent backup map,
- but the proxymap protocol should not propagate this to the
- client.
-
- Different TTL values for different DNSBL sources?
-
- Replace master(8) SIGHUP by very simple socket protocol to
- allow reload of a specific service.
-
- postscreen: in the dummy SMTP engine, log the protocol state
- at time of violation (like smtpd, set state->where initially
- to CONNECT, then update it with the name of the last "known"
- command, or set it to "unimplemented").
-
- The discussion of postscreen cache configuration is in the
- wrong place (how whitelisting works). Move it to the section
- about configuring postscreen.
-
- Before proxymap can be exposed to the network (primarily
- to share postscreen or verify caches), need to enforce
- limits on attribute string name and value length in IPC
- protocols. 10-20KB seems OK. We need to enforce content
- sanity checks (for example, no control characters; Postfix
- does not pass around multi-line data in table lookups). The
- VSTREAM library already supports read/write deadlines. We
- need to use attack-resistant code for numeric conversion.
-
- move flush_init() etc. from defer service clients to the
- bounce daemon? Postfix works best when work can be spread
- out over many clients, instead of over a few servers.
-
- multi_connect() function that takes a list of inet:host:port
- and/or unix:pathname specs, with an explicit "inet" prefix
- argument to handle applications that use host:port only.
- This will simplify multi-host implementation for memcache
- client, dovecot client, and other.
-
- dict_memcache: treat "bad" key as cache miss, i.e. read/write
- the backup database as if the cache did not exist. This
- does not help because most Postfix maps (virtual, canonical,
- access, transport, ...) also don't support spaces in keys.
-
- postscreen: keep the cache open after "postfix reload" when
- it is remote (type memcache: or proxy:). This does not work
- because memcache can use a non-proxied file as backup).
-
- What is the feasibility of adding an mta_name (personality)
- attribute that is propagated via queue files and delivery
- agent requests? It would default to myhostname.
-
- Major performance improvement opportunity (that is until
- everyone runs Postfix queues on SSDs). Investigate the
- viability of a daemon that produces incoming and postdrop
- queue files on request (in reality it would maintain a
- limited queue of "spare" files). Central queue file allocation
- reduces the I/O performance disadvantage that qmgr has when
- 100 smtpd processes are receiving mail, or when lots of
- mail is submitted with the sendmail command line. When an
- smtpd process accepts MAIL FROM, a cleanup daemon requests
- a queue file and receives a queue ID + file handle from the
- queue file daemon. If the queue file daemon is down, the
- cleanup daemon creates the file itself like it does now;
- this can be hidden in the mail_stream library module. If
- the mail transaction is aborted, then the cleanup daemon
- gives the queue file back to the queue file daemon's "spare"
- file pool, saving most of the overhead of creating and
- deleting a queue file (the file would still need to be
- renamed at the start of the next mail transaction). If the
- cleanup daemon is unable to give a file back, then it can
- delete the file like it does now; this can be hidden in the
- mail_stream library module. The whole thing can be
- transparently added to Postfix by adding calls to a
- queue-file-service client to the mail_queue_enter() and
- mail_queue_remove() library routines. Other advantages:
- 1) negligible performance hit when queue file allocation
- happens earlier, so that logging and milters have a queue
- ID for the whole transaction not just the first valid
- recipient; 2) by not removing every queue files we get most
- of the performance gain of a queue based on append/truncate
- instead of the much more expensive create/delete.
-
- Investigate viability of Sendmail dns maps.
-
- Check if FILTER_README has the "postsuper -r" workaround
-
- Bounces without <> in the plaintext section. Apparently,
- some software renders the text as HTML (and therefore
- does not render addresses and other text inside <> ).
-
- Make the rules for how to use close-on-exec more explicit.
-
- Provide separate timeout control for dict_proxy client,
- rewrite client, resolve client, cleanup client, and so on.
- Perhaps a timeout argument to the mail_connect() routines.
-
- Trick from amavisd: save listen socket/fifo/etc state, clear
- their close-on-exec flags, exec the same program file to
- re-initialize (with saved socket state on command line or
- in environment), then restore the listen socket/fifo/etc
- close-on-exec flags. This could be a way to mitigate the
- impact of memory/file leaks, and to implement "postfix
- reload" support for master(8) features that currently don't
- support this.
-
- Sub-second time resolution. The first benefit is to make
- per-destination rate delays more usable. Other applications
- will come up once the support exists. The straightforward
- approach is to represent all time intervals in milliseconds,
- and to update all code that makes system calls with a time
- argument (as well as the compiled-in upper and lower time
- parameter bounds, which are currently in seconds).
- Unfortunately, that limits he maximum time interval to less
- than 25 days on 32-bit systems, and is likely to break
- compatibility (for starters, it cannot even deal with the
- compiled-in 100d upper bound on the queue file lifetime).
- A second option is to have a "compatibility" time base
- switch between milliseconds and seconds; this means extra
- changes to all code that makes system calls with a time
- argument, and the way that the compiled-in upper and lower
- bounds are specified. Some of this can be encapsulated in
- macros like time_to_sec(t), time_to_msec(t) and sec_to_time(t).
- Finally, it is relatively easy to replace the events(3)
- interface to use "double" for the time delay arguments, but
- it is a major pain to convert all main.cf time parameters
- into doubles (converting only some leads to a documentation
- nightmare).
-
- Address verify cache: allow a negative cache "refresh"
- result to purge a "positive" cache entry in some safe manner.
- Currently, the negative cache "refresh" result is discarded,
- address verify cache lookup returns OK, and each lookup
- forces a "refresh" probe until the entry expires.
-
- Some Sendmail configurations trigger sub-optimal behavior
- when the postscreen_whitelist_interfaces parameter lists
- primary MX addresses only. When postscreen's "deep protocol
- tests" are successful on the primary MX address (i.e. they
- result in 4XX responses to RCPT TO), some Sendmail
- configurations keep the primary MX connection open until
- AFTER they finish talking to the backup MX address. The
- problem is that the backup connection runs into a WHITELIST
- VETO condition because the whitelisting database has not
- yet been updated with the PASS NEW result for the primary
- MX connection. Unfortunately postscreen can't update the
- whitelisting database before the primary MX connection is
- closed, because a client may still make a mistake.
-
- Simplify postscreen logic. Individual "fail" flags help to
- avoid repeated testing/logging the same mistake. Individual
- "pass" flags provide evidence that the client didn't skip
- tests by hanging up early. The current global "noforward"
- flag implements the wrong model: instead we need an indicator
- that a client has passed all tests or that all mistakes
- were forgiven.
-
- In the SMTP server, check if the connection is closed before
- replying to ".", and discard the message if the reply can't
- be sent. This reduces the time window for RFC 1047 message
- duplication, and may even prevent the delivery of some spam.
- http://www.exim.org/lurker/message/20070416.103159.9d5ff0ce.en.html
- This requires splitting the SMTP server's commit operation
- into two operations: first, a tentative commit operation
- that performs most of the I/O and processing in milters and
- in the cleanup server; second, a final commit operation
- that is executed only if the remote SMTP client hasn't hung
- up in the mean time. Unfortunately, SMTP-based before-queue
- content filters don't support a tentative commit operation.
-
- Find out how to reproduce Berkeley DB bogus ENOENT errors.
- postscreen does not log this with Berkeley DB 1 (FreeBSD
- 4..8), 4.7.25 (Ubuntu 9.04) and 4.8.24 (Ubuntu 10.04).
-
- postconf command-line option to show the compile-time
- settings (CCARGS, AUXLIBS) in case binary packages
- don't install the makedefs.out file.
-
- events.c: cache the side effects of file descriptor event
- enable/disable operations in user space, and do bulk kernel
- updates at event_loop() time. This can eliminate costly
- system calls with successive event disable/enable operations
- on the same file descriptor. This can also eliminate the
- need for tricky code that tries to avoid the expense of
- successive disable/enable operations. Such code is likely
- to introduce bugs.
-
- When does it pay off to send domains in the active queue
- to a DNS prefetch daemon? Could this generalize to a dynamic
- transport map that piggy-backs domains with the same MX
- host into the same mail delivery transaction?
-
- inline table where the "whitespace replacement" character
- is specified in-line. Ex: inline:XYname1Xvalue1Yname2Xvalue2
- would instantiate a table with (name1, value1) and (name2,
- value2). I'm afraid this is just too ugly.
-
- tlsproxy(8) should receive TLS preferences from postscreen(8)
- and smtpd(8), instead of reading them from main.cf. This
- means that many tlsproxy_ parameters become postscreen_
- parameters, and that tls_server_init() parameters move to
- to tls_server_start(). That is a significant API change.
- It also means tlsproxy can't open all files before chroot().
-
- anvil rate limit for sasl_username.
-
- Encapsulate nbbio buffer access and update by tlsproxy.
-
- Full-duplex support for tlsproxy(8). This requires updating
- events(3) and nbbio(3).
-
- Register automagic destructor for object attached to VSTREAM.
-
- Use different ipc time limits for email message transactions
- (smtpd, pickup)->cleanup and for quick query/reply transactions
- such as address rewriting/resolution. Beware of large time
- limits for local or virtual alias expansion.
-
- permit_tempfail_action (default: defer_if_reject) to be
- used as the default value for dnswl_tempfail_action and
- rhswl_tempfail_action. Steal liberally from the code that
- implements unverified_recipient_tempfail_action etc.
-
- Support filtering of messages that are generated by Postfix:
- This would apply to postmaster notices and bounce messages
- (DKIM), and address verification (BATV).
-
- Consistency: in postconf.proto make <dt>..</dt> tags bold.
-
- postscreen(8): listen on multiple IP addresses and enforce
- that the client contacts the primary MX address first (i.e.
- punish hosts that contact the secondary before the primary).
- The downside with any approach that relies on temporary
- punishment is that it does not scale to configurations
- with multiple equal-preference MX hosts. Such hosts would
- have to share the postscreen cache, causing an unacceptable
- performance bottleneck and a single point of failure.
-
- According to a paper by Ted Unangst at BSDCON09, kqueue
- reports state changes, i.e. kqueue indicates when the socket
- becomes readable. Specifically, he writes when kqueue reports
- a socket becomes readable but no data is read from that
- socket, later kqueue calls won't report the socket as
- readable. That's not what happens on FreeBSD 8.0, where
- kqueue will keep reporting the socket as readable when
- nothing is read. Also, FreeBSD 8.0 kqueue still reports
- the socket as readable after a read operation does not empty
- the kernel buffer. We need a test program for this that
- repeats these tests with OpenBSD and NetBSD (and MacOS X
- once they fix their kqueue implementation).
-
- Would it help if there were different cleanup_service
- parameter names for different message paths? smtpd(8) uses
- the same cleanup_service value for receiving remote mail
- and for submitting postmaster problem reports. Do we need
- separate mumble_cleanup_service_name parameters for "inject",
- "notify" and "forward" (with backwards compatible defaults)?
-
- IF/ENDIF support for CIDR tables.
-
- Need a regular expression table to translate address
- verification responses into hard/soft/accept reply codes.
-
- Is there a way to make sendmail -V work after local alias
- expansion? Majordomo-like mailing lists would benefit from
- this; the example in VERP_README does not work in the general
- case.
-
- When an alias is a member of an :include: list with owner-
- alias, local(8) needs an option to deliver alias or alias->user
- indirectly. What happens when an :include: list with owner-
- alias includes another list?
-
- Don't allow empty result values in pcre and regexp maps.
- Postfix doesn't allow them anywhere else (check this).
-
- Make PCRE_MAX_CAPTURE configurable.
-
- Add some checks for tokens starting with #. A challenge
- is to report sensible context from the guts of some low-level
- parser, without introducing a great deal of clumsiness.
-
- Add sendmail macros for {verify} and maybe other TLS info.
-
- Find out if we are doing the correct thing by looking at
- state->milter_reject_text when expanding {rcpt_addr} or
- {rcpt_host}.
-
- Find out why post_mail() etc. block when the qmgr fifo is
- full (answer: trigger_timeout). How can this cause delays
- in the queue manager? When a recipient bounces during
- (transport, nexthop, address) resolution, it is redirected
- to the error or retry mailer; and bounce-after-delivery is
- asynchrounous so it can't block the queue manager, either.
-
- How to ensure that proxy_read_maps is processed after all
- its dependencies are initialized, or just bite the bullet
- and rewrite the parameter initialization code.
-
- The cleanup virtual alias expansion limit does not really
- deliver on its promises. 1) It promises to truncate the
- result without aborting delivery, which would be undesirable
- anyway, but that is not what it does, so that is good. 2)
- It keeps all the recipients from multi-recipient database
- lookup, then terminates further recursion when the result
- exceeds the expansion limit. This behavior achieves the
- original goal that all things shall have a finite size (even
- though but we don'really care how large they are) but may
- result in surprises when recipients are listed in virtual
- alias domains or need expansion for other reasons. In a
- phone call with Victor, a reasonable way out is to set the
- limit to some large number (100000) and abort delivery when
- the result exceeds the limit.
-
- Should the postscreen save permanent white/black list lookup
- results to the temporary cache, and query the temporary
- cache first? Skipping white/black list lookups will speed
- up the handling of "good" clients without a permanent
- whitelist entry. Of course, this means that updates to the
- white/black lists do not immediately take effect. Workarounds:
- 1) use a shorter temporary cache TTL for clients on the
- permanent black/white lists; 2) ignore cached white/black
- list lookup results after "postfix reload"; 2) adjust the
- logging, for example "WHITELISTED address (cached)" and
- "BLACKLISTED address (cached)" to eliminate surprises.
- Comparing the cache entry time with the white/blacklist
- file modification time is not foolproof: for example, pcre
- or CIDR tables are read only once.
-
- It would be nice if the generic dict_cache(3) cache manager
- could postpone process suicide until cache cleanup is
- completed (but that is not possible when postscreen forks
- into the background to finish already-accepted connections,
- and it is not desirable when a host is being shut down).
-
- When postscreen drops a connection, a 521 "greeting" should
- be of the form "521 servername..." and not have an enhanced
- status code. The "521 5.7.1" form can be used after EHLO.
- Of course no spammer is going to complain about Postfix
- SMTP compliance.
-
- Find a place to document all the mail routing mechanisms
- in one place so people can figure out how Postfix works.
-
- The access map BCC action is marked "not stable", perhaps
- because people would also expect BCC actions in header/body_checks.
- How much would it take to make the queue file editing code
- generally usable?
-
- Move smtpd_command_filter into smtpd_chat_query() and update
- the session transcript (see smtp_chat_reply() for an example).
-
- SMTP connection caching without storing connections, to
- improve TLS mail delivery performance.
-
- Should not milter8_mail_event() unset the "hold" default
- reply? Better, the default reply should not be used for
- this purpose.
-
- Don't send MASTER_STAT_TAKEN/MASTER_STAT_AVAIL when a server
- runs with process limit of 1. But this means the master
- never learns that the process is successful and will always
- pause $service_throttle_time before restarting a failed service.
-
- Don't bother maintaining a per-service lockfile when a
- server runs with process limit of 1. The purpose of the
- lockfile is to avoid thundering herd problems when the kernel
- wakes up multiple processes for each new client connection.
-
- Implement PREPEND action for milter_header_checks. Save the
- to-be-prepended text to buffer, then emit it along with the
- new header.
-
- Fix the header_body_checks API, so that the name of the map
- class (e.g. milter_header_checks) is available for logging.
-
- Fix the mime_state and header_body_checks APIs, so that
- they use VSTRINGs. This simplifies REPLACE actions.
-
- Update FILTER_README for multi-instance support, and rename
- the old document to FILTER_LEGACY_README.
-
- Need to sign delivery status notifications, to avoid surprises
- when eventually people start enforcing DKIM etc. signatures.
-
- Either document or remove the internal_mail_filter_classes
- feature (it's disabled by default).
-
- Make the "unknown recipient" test configurable as
- first|last|never, with "yes"=="last" for backwards
- compatibility. The "first" setting is good for performance
- (stress=yes) when all users are defined in local files; but
- it may perform worse when users are in networked tables.
-
- Cleanup: make DNSBL query format configurable beyond the
- client's reversed IP address.
-
- With 'final delivery' in the LMTP client, need an option
- to also add delivered-to and other pipe(8) features. This
- requires making mail_copy() functionality available in
- non-mailbox context.
-
- Cleanup: modernize the "add missing From: header" code, to
- ``phrase <addr>'' form. Most likely, quote the entire phrase
- if it contains any text that is special, then rfc822_externalize
- the whole thing.
-
- SMTP server: make the server_addr and server_port available
- to policy server, Dovecot, and perhaps Milters.
-
- Med: local and remote source port and IP address for smtpd
- policy hook.
-
- Maybe change maps_rbl_reject_code default to 521, and
- update wording in STRESS_README.
-
- Encapsulate time_t comparisons so that they can be made
- system dependent (use difftime() where available).
-
- Encapsulate time_t conversions (e.g. REC_TYPE_TIME) so that
- they can be made system dependent.
-
- Plan for time_t larger than long, or wait for LP64 to
- dominate the world?
-
- Make "AUTH=<>" appendage to MAIL FROM configurable, enabled
- by default.
-
- To support ternary operator without a huge parsing effort,
- consider ${value?{xxx}:{yyy}} where ${name} is existing
- syntax, and where ?{text} and :{text} are new syntax that
- is unlikely to break existing configurations. Or perhaps
- it's just too ugly.
-
- Write delivery rate delay example (which _README?) and auth
- failure cache example (SASL_README). Then include them in
- SOHO_README.
-
- Look for alternatives for the use of non_smtpd_milters.
- This involves some way to force local submissions to go
- through a local SMTP client and server, without triggering
- "mail loops back to myself" false alarms. The advantage is
- that it makes smtpd_mumble_restrictions available for local
- and remote mail; the disadvantage is that it makes local
- submissions more dependent on networking. One possibility
- is to use "pickup -o content_filter=smtp:127.0.0.1:10025",
- or a dedicated SMTP client/server on UNIX-domain sockets;
- we could also decide to always suppress "mail loop" detection
- for loopback connections. Another option is to have the
- pickup or cleanup server drive an SMTP client directly;
- this would require extension of the mail_stream() interface,
- plus a way to handle bounced/deferred recipients intelligently,
- but it would be at odds with Postfix design where delivery
- agents access queue files directly; exposing delivery agents
- to raw queue files violates another Postfix design principle.
-
- Consolidate duplicated code in *_server_accept_{pass,inet}().
-
- Consolidate duplicated code in {inet,unix,upass}_trigger.c.
-
- In the SMTP client, handle 421 replies in smtp_loop() by
- having the input function raise a flag after detecting 421
- (kill connection caching and be sure to do the right thing
- with RSET probes), leave the smtp_loop() per-command reply
- handlers unchanged, and have the smtp_loop() reader loop
- bail out with smtp_site_fail("server disconnected after
- %s", where), but only in the case that it isn't already in
- the final state. But first we need to clean up the handling
- of do/don't cache, expired, bad and dead sessions.
-
- Combine smtpd_peer.c and qmqpd_peer.c into a single function
- that produces a client context object, and provide attribute
- print/scan routines that pass these client context objects
- around. With this, we no longer have to update multiple
- pieces of code when a client attribute is added. Ditto for
- SASL and TLS context.
-
- Don't log "warning: XXXXX: undeliverable postmaster
- notification discarded" for spam from outside.
-
- Really need a cleanup driver that allows testing against
- Milter applications instead of synthetic events. This would
- have to provide stubs for clients that talk to Postfix
- daemon processes. See if this approach can also be used for
- other daemons.
-
- smtpd(8) exempts $address_verify_sender from access controls,
- but it doesn't know whether cleanup(8) or delivery agents
- modify the sender. Would it be possible to "calibrate" this
- exemption, perhaps by having delivery agents pass the probe
- sender to the verify server, keeping in mind that the probe
- sender may differ per delivery agent due to output rewriting.
-
- Update attr_print/scan() so they can send/receive file
- descriptors. This simplifies kludgy code in many daemons.
-
- Would there be a problem adding $smtpd_mumble_restrictions
- and $smtpd_sender_login_maps to the default proxy_read_maps
- settings?
-
- Remove defer(8) and trace(8) references and man pages. These
- are services not program names. On the other hand we have
- man pages for lmtp(8) and smtp(8), but not for relay(8).
- Likewise, retry(8) does not have a man page.
-
- Bind all deliveries to the same local delivery process,
- making Postfix perform as poorly as monolithic mailers, but
- giving a possibility to eliminate duplicate deliveries.
-
- Maybe declare loop when resolve_local(mxhost) is true?
-
- Update message content length when adding/removing headers.
-
- Need scache size limit.
-
- REDIRECT should override original recipient info, and
- probably override DSN as well.
-
- Update FILTER_README with mailing list suggestions to tag
- with a badness indicator and then filter down-stream.
-
- Make null local-part handling configurable: either expand
- into mailer-daemon (current bahavior) or disallow (strict
- behavior, currently implemented only in the SMTP server).
-
- The type of var_message_limit (and other file size/offset
- configuration parameters or internal protocol attributes)
- should be changed from int to off_t. This also requires
- checking all expressions in which var_message_limit etc.
- appears: qmqpd, netstring, deliver_request, ...
-
- Add M flag (enable multi-recipient delivery) to pipe daemon.
-
- The usage of TLScontext->cache_type is unclear. It specifies
- a TLS session cache type (smtpd, smtp, or lmtp), but it is
- sometimes used as an indicator that TLS session caching is
- unavailable. In reality, that decision is made by not
- registering call-back functions for cache maintenance.
-
- Postfix TLS library code should copy any strings that it
- receives from the application, instead of passing them
- around as pointers. TLScontext->cache_type is a case in
- point.
-
- Are transport:nexthop null fields the same as in the case
- of default_transport etc. parameters?
-
- Don't lose bits when converting st_dev into maildir file
- name. It's 64 bits on Linux. Found with the BEAM source
- code analyzer. Is this really a problem, or are they just
- using 64 bits for upwards compatibility with LP64 systems?
-
- Do or don't introduce unknown_reverse_client_reject_code.
-
- Check that "UINT32 == unsigned int" choice is ok (i.e. LP64
- UNIX).
-
- Tempfail when a Milter application tries to negotiate content
- access, while it is configured in an SMTP server that runs
- before the smtpd_proxy filter.
-
- Log DSN original recipient when rejecting mail.
-
- Keep whitespace between label and ":"?
-
- Make the map case folding/locking options configurable, if
- not at run-time then at least at compile time so we get
- consistent behavior across applications.
-
- Investigate what it would take to eliminate oqmgr, and to
- make the old behavior configurable in a unified queue
- manager. This would shave another 2.7 KLOC from the source
- footprint.
-
- Document the case folding strategy for match_list like
- features.
-
- Eliminate the (incoming,deferred)->active rename operation.
- This requires an in-memory hash of queue file names to avoid
- duplicate open() operations.
-
- Softbounce fallback-to-ISP for SOHO users. This heuristic
- assumes that when direct-to-MX delivery fails with 5XX,
- delivery via the ISP may still succeed. This could be
- implemented by enabling soft bounces for destinations other
- than the smtp_fallback_relay. So the only benefit of this
- over the existing soft_bounce feature is that it has no
- effect on smtp_fallback_relay deliveries.
-
- Centralize main.cf parameter input so that defaults work
- consistently. What about parameter names that are prefixed
- with mail delivery transport names?
-
- Fix default time unit handling so that we can have a default
- bounce lifetime of $maximal_queue_lifetime, without causing
- panics when a non-default maximal_queue_lifetime setting
- includes no time unit.
-
- After the 20051222 ISASCII paranoia, lowercase() lowercases
- ASCII text only.
-
- Privacy: remove local command/pathname details from remote
- delivery status reports, and log them via local msg_warn().
-
- Is it safe to cache a connection after it has been used for
- more than some number of address verification probes?
-
- Try to recognize that Resent- headers appear in blocks,
- newest block first. But don't break on incorrect header
- block organization.
-
- Hard limits on cache sizes (anvil, specifically).
-
- Laptop friendliness: make the qmgr remember when the next
- deferred queue scan needs to be done, and have the pickup
- server stat() the maildrop directory before searching it.
-
- Low: replace_sender/replace_recipient actions in access
- maps, so they can be used in policy servers?
-
- Low: configurable order of local(8) delivery methods.
-
- Med: smtp_connect_timeout_budget (default: 3x smtp_connect_timeout)
- to limit the total time spent trying to connect.
-
- Med: transform IPv4-in-IPv6 address literals to IPv4 form
- when comparing against local IP addresses?
-
- Med: transform IPv4-in-IPv6 address literals to IPv4 form
- when eliminating MX mailer loops?
-
- Med: Postfix requires [] around IPv6 address information
- in match lists such as mynetworks, debug_peer_list etc.,
- but the [] must not be specified in access(5) maps. Other
- places don't care. For now, this gotcha is documented in
- IPV6_README and in postconf(5) with each feature that may
- use IPv6 address information. The general recommendation
- is not to use [] unless absolutely necessary.
-
- Med: the partial address matching of IPv6 addresses in
- access(5) maps is a bit lame: it repeatedly truncates the
- last ":octetpair" from the printable address representation
- until a match is found or until truncation is no longer
- possible. Since one or more ":" are usually omitted from
- the printable IPv6 address representation, this does not
- really try all the possibilities that one might expect to
- be tried. For now, this gotcha is documented in access(5).
-
- Low: reject HELO with any domain name or IP address that
- this MTA is the final destination for.
-
- Low: should the Delivered-To: test in local(8) be configurable?
-
- Low: make mail_addr_find() lookup configurable.
-
- Low: update events.c so that 1-second timer requests do not
- suffer from rounding errors. This is needed for 1-second
- SMTP session caching time limits. A 1-second interval would
- become arbitrarily short when an event is scheduled just
- before the current second rolls over.
-
- Low: configurable internal/system locking method.
-
- Low: add INSTALL section for pre-existing Postfix systems.
-
- Low: add INSTALL section for pre-existing RPM Postfixes.
-
- Low: disallow smtpd_recipient_limit < 100 (the RFC minimum).
-
- Low: noise filter: allow smtp(8) to retry immediately if
- all MXes return a quick ECONNRESET or 4xx reply during the
- initial handshake. Retry once? How many times?
-
- Low: make post-install a "postfix-only script" so it can
- take data from the environment instead of main.cf.
-
- Low: randomize deferred mail backoff.
-
- Med: separate ulimit for delivery to command?
-
- Med: postsuper -r should do something with recipients in
- bounce logfiles, to make sure the sender will be notified.
- To be perfectly safe, no process other than the queue manager
- should move a queue file away from the active queue.
-
- This could involve tagging a queue file, and use up another
- permission bit (postsuper tags a "hot" file, qmgr requeues it).
-
- Low: postsuper re-run after renaming files, but only a
- limited number of times.
-
- Low: smtp-source may block when sending large test messages.
-
- Med: find a way to log the sender address when MAIL FROM
- is rejected due to lack of disk space.
-
- Low: revise other local delivery agent duplicate filters.
-
- Low: all table lookups should consistently use internalized
- (unquoted) or externalized (quoted) forms as lookup keys.
- smtpd, qmgr, local, etc. use unquoted address forms as keys.
- cleanup uses quoted forms.
-
- Low: have a configurable list of errno values for mailbox
- or maildir delivery that result in deferral rather than
- bouncing mail. What about "killed by signal" exits?
-
- Low: after reorganizing configuration parameters, add flags
- to all parameters whose value can be read from file.
-
- Medium: need in-process caching for map lookups. LDAP servers
- seem to need this in particular. Need a way to expire cached
- results that are too old.
-
- Low: generic showq protocol, to allow for more intelligent
- processing than just mailq. Maybe marry this with postsuper.
-
- Low: default domain for appending to unqualified recipients,
- so that unqualified names can be delivered locally.
-
- Low: The $process_id_directory setting is not used anywhere
- in Postfix. Problem reported by Michael Smith, texas.net.
- This should be documented, or better, the code should warn
- about attempts to set read-only parameters.
-
- Low: while converting 8bit text to quoted-printable, perhaps
- use =46rom to avoid having to produce >From when delivering
- to mailbox.
-
- virtual_mailbox_path expression like forward_path, so that
- people can specify prefix and suffix.
projects / thirdparty / postfix.git / commitdiff
