connection target (the PostgreSQL URI parser decides what
is allowed). The dbname setting is now optional if the hosts
setting specifies only URIs. Files: util/valid_uri_scheme.[hc],
- proto/pgsql_table.
+ proto/pgsql_table, global/dict_pgsql.c.
202141026
of sessions per SMTP server process (max_use), and on the
number file handles per process (managed with sysctl).
File: xsasl/xsasl_dovecot_server.c.
+
+20241031
+
+ Logging: the Dovecot SASL client logging for "Invalid
+ authentication mechanism" now includes the name of that
+ mechanism. File: xsasl/xsasl_dovecot_server.c
+
+20241104
+
+ Logging: when a message transaction is canceled (i.e.
+ started but not completed), the cleanup server now logs
+ "queueid: canceled". This provides a clear signal to logfile
+ collation tools. File: cleanup/cleanup_api.c.
+
+20241028
+
+ Documentation: TLSRPT_README, section "Delivering TLSRPT
+ summaries via email". File: proto/TLSRPT_README.html.
+
+20241107
+
+ Documentation: tweaked text for smtpd_delay_open_until_valid_rcpt.
+ File: proto/postconf.proto.
+
+20241111
+
+ Bugfix (defect introduced: Postfix 3.10, date 20241025):
+ dict_pgsql_open() returned NULL when "hosts" specified a
+ non-URI target and "dbname" was not set. Instead, it should
+ return a surrogate dictionary. File: global/dict_pgsql.c.
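Review bot: the new HISTORY entries are not in date order: the 20241028 block (TLSRPT_README documentation) is inserted after 20241104, while the surrounding entries run 20241026, 20241031, 20241104, 20241107, 20241111; move the 20241028 block up between 20241026 and 20241031 so the file stays chronological. Also, the 20241031 entry ends "File: xsasl/xsasl_dovecot_server.c" without the trailing period that every other entry uses.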
Options:
- * Do nothing. When TLS security enforcement is required, a persistent
- enforcement failure will delay the delivery of a TLSRPT summary until the
- problem is addressed, or until the message expires in the mail queue. Keep
- in mind that TLSRPT is not a real-time monitoring service; it takes on
- average 12 hours before a failure is reported through TLSRPT.
+ * Do nothing. When TLS security enforcement is required but fails, a TLSRPT
+ summary message will be delayed until the problem is addressed, or until
+ the message expires in the mail queue. Keep in mind that TLSRPT is not a
+ real-time monitoring service; it takes on average 12 hours before a failure
+ is reported through TLSRPT.
- * Exclude the sender of TLSRPT summaries from TLS enforcement. Implement the
- configuration below on outbound MTA instances (replace noreply-smtp-tls-
- reporting@example.com with your actual report generator's sender address):
+ * Exclude the sender of TLSRPT summaries from TLS security enforcement.
+ Implement the configuration below on outbound MTA instances (replace
+ noreply-smtp-tls-reporting@example.com with your actual report generator's
+ sender address):
/etc/postfix/main.cf:
# Limitation: this setting is overruled with transport_maps.
/etc/postfix/master.cf:
# service name type private unpriv chroot wakeup maxproc
command
- allow-plaintext unix - - n - - smtp
+ allow-plaintext unix - - - - - smtp
-o { smtp_tls_security_level = may }
-o { smtp_tls_policy_maps = static:may }
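Review bot: the chroot column of the allow-plaintext service changes from an explicit "n" to "-", which means "use the master.cf default"; that default is "n" since Postfix 3.0, so the documented behaviour is unchanged, but the rest of this example spells out every other field, so either keep the explicit "n" or say in the text that "-" is used here to match the stock master.cf template, so a reader does not wonder whether the chroot setting was deliberately relaxed.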
license of their choice. Those who are more comfortable with the
IPL can continue with that license.
+[Feature 20241104]
+
+The cleanup server now logs "queueid: canceled" when a message
+transaction is started but not completed. This provides a clear
+signal to logfile collation tools.
+
[Feature 20240926]
Support for the TLSRPT protocol (defined in RFC 8460). With this,
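Review bot: the [Feature 20241104] text says the cleanup server logs "queueid: canceled" when a transaction is "started but not completed", but it does not say what counts as started (a queue ID has been assigned) nor at what priority the record is written; a half sentence stating that cleanup logs the record at info priority, prefixed with the queue ID, once a queue ID exists, would help the operators writing the log collation rules this feature is meant to serve.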
Add a mail_version chek to each pluggable database client.
- Add an option for a built-in JSON generator. This would
- simplify TLSRPT adoption by eliminating a build-time and
- run-time dependency on the libtlsrpt client library. Prior
- art: this approach was previously used to implement Postfix
- Milter support.
+ relay_recipient_maps empty should default to 'no valid
+ recipients'. Subject to compatibility level.
+
+ Make a reason available for messages placed on 'hold'.
+
+ relay_recipient_maps empty should default to 'no valid
+ recipients'. Subject to compatibility level.
+
+ Add an option for a TLSRPT built-in JSON generator. This
+ would simplify TLSRPT adoption by eliminating a build-time
+ and run-time dependency on the libtlsrpt client library.
+ Prior art: this approach was previously used to implement
+ Postfix Milter support.
Make TLSRPT support pluggable (postfix-tlsrpt.so, like
postfix-ldap.so, postfix-mysql.so and so on). This avods a
hard install-time dependency on sys4 libtlsrpt. The sys4
- code would still be a build-time dependency.
+ code would still be a required build-time dependency, but
+ it would become an optional install-time dependency.
Add smtp_tlsrpt_allow_list feature (default: static:all) to limit
the domains for which Postfix generates TLSRPT daily summaries.
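Review bot: the added TODO text contains the same item twice: "relay_recipient_maps empty should default to 'no valid recipients'. Subject to compatibility level." appears at the top of the new block and again after the "Make a reason available for messages placed on 'hold'" item; drop one copy. The JSON-generator item is otherwise moved down unchanged apart from the inserted word "TLSRPT", which is fine.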
<ul>
-<li> <p> Do nothing. When TLS security enforcement is required, a
-persistent enforcement failure will delay the delivery of a TLSRPT
-summary until the problem is addressed, or until the message expires
+<li> <p> Do nothing. When TLS security enforcement is required but
+fails, a TLSRPT summary message will be delayed
+until the problem is addressed, or until the message expires
in the mail queue. Keep in mind that TLSRPT is not a real-time
monitoring service; it takes on average 12 hours before a failure
is reported through TLSRPT. </p>
-<li> <p> Exclude the sender of TLSRPT summaries from TLS enforcement.
+<li> <p> Exclude the sender of TLSRPT summaries from TLS security
+enforcement.
Implement the configuration below on outbound MTA instances (replace
noreply-smtp-tls-reporting@example.com with your actual report
generator's sender address): </p>
 
/etc/postfix/<a href="master.5.html">master.cf</a>:
# service name type private unpriv chroot wakeup maxproc command
- allow-plaintext unix - - n - - smtp
+ allow-plaintext unix - - - - - smtp
-o { <a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> = may }
-o { <a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a> = <a href="DATABASE_README.html#types">static</a>:may }
</pre>
the use of
disk, CPU and memory resources. The downside is that rejected
recipients are logged with NOQUEUE instead of a mail transaction
-ID. This complicates the logfile analysis of multi-recipient mail.
+ID (also known as a queue ID).
</p>
<p> This feature is available in Postfix 2.3 and later. </p>
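Review bot: replacing "This complicates the logfile analysis of multi-recipient mail." with "(also known as a queue ID)" removes the explanation of why NOQUEUE logging is a downside, so the sentence that still opens with "The downside is" now reads as a neutral description. Keep a short clause saying that NOQUEUE records cannot be correlated by queue ID with the other recipients of the same transaction, so the "downside" framing keeps its content; the same wording should then be applied to the proto/postconf.proto source and the generated man page in this patch.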
the use of
disk, CPU and memory resources. The downside is that rejected
recipients are logged with NOQUEUE instead of a mail transaction
-ID. This complicates the logfile analysis of multi\-recipient mail.
+ID (also known as a queue ID).
.PP
This feature is available in Postfix 2.3 and later.
.SH smtpd_delay_reject (default: yes)
<ul>
-<li> <p> Do nothing. When TLS security enforcement is required, a
-persistent enforcement failure will delay the delivery of a TLSRPT
-summary until the problem is addressed, or until the message expires
+<li> <p> Do nothing. When TLS security enforcement is required but
+fails, a TLSRPT summary message will be delayed
+until the problem is addressed, or until the message expires
in the mail queue. Keep in mind that TLSRPT is not a real-time
monitoring service; it takes on average 12 hours before a failure
is reported through TLSRPT. </p>
-<li> <p> Exclude the sender of TLSRPT summaries from TLS enforcement.
+<li> <p> Exclude the sender of TLSRPT summaries from TLS security
+enforcement.
Implement the configuration below on outbound MTA instances (replace
noreply-smtp-tls-reporting@example.com with your actual report
generator's sender address): </p>
 
/etc/postfix/master.cf:
# service name type private unpriv chroot wakeup maxproc command
- allow-plaintext unix - - n - - smtp
+ allow-plaintext unix - - - - - smtp
-o { smtp_tls_security_level = may }
-o { smtp_tls_policy_maps = static:may }
</pre>
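Review bot: the main.cf block in this hunk shows only the comment "# Limitation: this setting is overruled with transport_maps." and no setting line; the comment refers to the setting that maps the report sender address to the allow-plaintext transport, so make sure that line is present in the proto source directly under the comment, otherwise the rendered README shows a limitation for an unnamed setting. The list items and the master.cf example are otherwise identical to the plain-text README hunk earlier in this patch, which is the expected outcome for generated output.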
the use of
disk, CPU and memory resources. The downside is that rejected
recipients are logged with NOQUEUE instead of a mail transaction
-ID. This complicates the logfile analysis of multi-recipient mail.
+ID (also known as a queue ID).
</p>
<p> This feature is available in Postfix 2.3 and later. </p>
(void) REMOVE(vstring_str(cleanup_trace_path));
if (REMOVE(cleanup_path))
msg_warn("remove %s: %m", cleanup_path);
+ msg_info("%s: canceled", state->queue_id);
}
/*
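Review bot: the msg_info("%s: canceled", state->queue_id) call is placed after the REMOVE() of the queue file and its trace path, so when REMOVE(cleanup_path) fails the log shows the "remove ... %m" warning followed by "canceled" for the same queue ID; that is acceptable, but a one-line comment should state that "canceled" means the transaction was abandoned, not that the queue file was successfully removed, since collation tools will key on the exact string. Also confirm that every caller reaching this block has a non-null state->queue_id, because the new line passes it to "%s" unconditionally.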
if (dict_pgsql->pldb->non_uri_target && dict_pgsql->dbname[0] == 0) {
DICT *ret;
- ret == (dict_surrogate(DICT_TYPE_PGSQL, name, open_flags, dict_flags,
+ ret = dict_surrogate(DICT_TYPE_PGSQL, name, open_flags, dict_flags,
"%s:%s host target '%s' requires dbname setting",
- DICT_TYPE_PGSQL, name,
- dict_pgsql->pldb->non_uri_target));
+ DICT_TYPE_PGSQL, name,
+ dict_pgsql->pldb->non_uri_target);
dict_pgsql_close(&dict_pgsql->dict);
return (ret);
}
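Review bot: the defect was "ret == (dict_surrogate(...))", a comparison whose result was discarded, so ret was returned uninitialized (or NULL, as the HISTORY entry reports) instead of the surrogate dictionary; the change to "ret = dict_surrogate(...)" is the right fix. Two follow-ups: this is exactly the pattern that -Wunused-value and -Wmaybe-uninitialized report, so the pgsql client should be built with those warnings enabled, and a regression case with a non-URI "hosts" target and no "dbname" would keep the surrogate path exercised, given that the defect shipped in the 20241025 snapshot without being caught.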
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20241027"
+#define MAIL_RELEASE_DATE "20241111"
#define MAIL_VERSION_NUMBER "3.10"
#ifdef SNAPSHOT
for (cpp = server->mechanism_argv->argv; /* see below */ ; cpp++) {
if (*cpp == 0) {
- vstring_strcpy(reply, "Invalid authentication mechanism");
+ vstring_sprintf(reply, "Invalid authentication mechanism: '%s'",
+ sasl_method);
+ printable(vstring_str(reply), '?');
return XSASL_AUTH_FAIL;
}
if (strcasecmp(sasl_method, *cpp) == 0)
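Review bot: sasl_method is client-supplied, so including it in the reply is only safe because of the printable(vstring_str(reply), '?') call that replaces non-printable bytes; add a comment stating that intent so the call is not later removed as cosmetic. Because printable() runs over the whole formatted string, sanitizing sasl_method alone before the vstring_sprintf() would make it clearer which part is untrusted; and if the same reply buffer also forms the error response that smtpd returns to the client, the single quotes around '%s' are what keep an echoed mechanism name unambiguous in both the log and that response.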