pre-release-checks stop filters. Files: RELEASE_NOTES,
HISTORY, stop.spell-history, stop.double-history,
stop.spell-proto-html, postqueue.1, postqueue.1.html.
+
+20221008
+
+ Cleanup: in the default master.cf file, unconditionally
+ enable header rewriting and missing header insertion, for
+ the submission and smtps services. Dan Mahoney. File
+ conf/master.cf.
+
+20221017
+
+ Robustness: unconditionally disable a CPU resource attack
+ requesting TLS renegotiation. There's no good reason to
+ support this in the middle of an SMTP connection. Viktor
+ Dukhovni. File: tls/tls_misc.c.
+
+20221023
+
+ Documentation: describe limitations of smtpd(8) features
+ that cannot work with smtpd_proxy_filter. File:
+ proto/SMTPD_PROXY_README.html.
+
+ Documentation: the local_header_rewrite_clients and
+ remote_header_rewrite_domain features also enable adding
+ missing headers. File: proto/postconf.proto.
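
Review bot: the 20221008 entry ends with "File conf/master.cf." without the colon that the 20221017 and 20221023 entries use ("File: tls/tls_misc.c."). Change it to "File: conf/master.cf." so that tooling or readers scanning HISTORY for "File:" find this entry as well.
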
sender (which is usually forged anyway). Mail that is not accepted remains
the responsibility of the remote SMTP client.
+ * Con: The smtpd(8) service before the smtpd_proxy_filter cannot support
+ features that involve header or body access, or that involve queue file
+ manipulation (i.e., anything that involves processing by the cleanup(8)
+ service).
+
+ o No support for HOLD actions in Postfix smtpd access(5) restrictions.
+
+ o No support for smtpd_milters features that involve message header or
+ body content.
+
+ o No support for receive_override_options.
+
+ Instead, specify those features with the smtpd(8) service behind the
+ smtpd_proxy_filter. In some cases, it may be possible to combine a before-
+ filter PREPEND action that emits a unique pattern (for example containing
+ the MTA domain name), with an after-filter header_checks action that does
+ what you want, and with an smtp_header_checks IGNORE action that deletes
+ the prepended header from transit mail.
+
* Con: The remote SMTP client expects an SMTP reply within a deadline. As the
system load increases, fewer and fewer CPU cycles remain available to
answer within the deadline, and eventually you either have to stop
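
Review bot: the suggested workaround in the added "Instead, specify those features ..." paragraph relies on a marker header whose "unique pattern" is, in the example given, built from the MTA domain name, which is public. A message that already carries a matching header when it arrives would trigger the same after-filter header_checks action. The text should recommend a value that outside senders cannot predict, or say that copies of the marker header received from the network must be removed or ignored before the after-filter check. It would also help to state what happens to the prepended header on mail that is delivered locally, since the smtp_header_checks IGNORE step is described only for transit mail.
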
Bugfix for messages not delivered after "warning: Unexpected record type 'X'
============================================================================
-Due to a bug introduced in Postfix 3.7, a message could falsely
+Due to a bug introduced in Postfix 3.7.0, a message could falsely
be flagged as corrupt with "warning: Unexpected record type 'X'".
Such messages were moved to the "corrupt" queue directory, where
they may still be found. See below for instructions to deal with
these falsely flagged messages.
-This could happen for messages with 5000 or more recipients, or
-with fewer recipients on a busy mail server. The problem was first
-reported by Frank Brendel, reproduced by John Alex.
+This problem could happen for messages with 5000 or more recipients,
+or with fewer recipients on a busy mail server. The problem was
+first reported by Frank Brendel, and the error conditions were
+reproduced by John Alex.
-A file in the "corrupt" queue directory may be inspected with the
-command "postcat /var/spool/postfix/corrupt/<filename>. If delivery
-of the file is still desired, the file can be moved back to
-/var/spool/postfix/incoming after updating Postfix and executing
-"postfix reload".
+Please see https://www.postfix.org/announcements/postfix-3.7.3 for
+instructions to identify falsely flagged messages in the Postfix
+queue, and what actions may be taken.
Incompatible changes with snapshot 20220507
===========================================
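
Review bot: the replacement paragraph beginning "Please see https://www.postfix.org/announcements/postfix-3.7.3" removes the only in-tree description of how to inspect and requeue a falsely flagged message and leaves a URL in its place. RELEASE_NOTES is often read on hosts without web access, and the affected messages sit in the "corrupt" queue directory until someone acts, so consider keeping a one-sentence summary of the inspection step next to the link. If the removed instructions were dropped because they were incomplete or unsafe, say so here so that readers of older copies do not keep following them.
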
Scan Postfix code with github.com/googleprojectzero/weggli
(depends on "rust").
+ Consider renaming local_header_rewrite_clients to
+ local_header_canonicalize_clients, as a more accurate name.
+ Optionally support "local_header_canonicalize_classes =
+ rewrite_addresses, add_missing_headers" (default setting).
+
+ And ditto for remote_header_rewrite_domain, whether it
+ should rewrite address, add missing headers, or both.
+
Migrate masquerade_domains from ARGV to STRING_LIST, or
deprecate this feature because it breaks table-driven address
validation.
# -o smtpd_tls_security_level=encrypt
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_tls_auth_only=yes
+# -o local_header_rewrite_clients=static:all
# -o smtpd_reject_unlisted_recipient=no
# Instead of specifying complex smtpd_<xxx>_restrictions here,
# specify "smtpd_<xxx>_restrictions=$mua_<xxx>_restrictions"
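
Review bot: the added "-o local_header_rewrite_clients=static:all" line treats every client that reaches this service as local for header rewriting and missing header insertion, which is appropriate only when the service accepts authenticated submission. The neighbouring "-o smtpd_sasl_auth_enable=yes" and "-o smtpd_tls_auth_only=yes" overrides and the mua restriction overrides are separate commented lines, so an administrator can uncomment this one without them. A short comment above the new line stating that it assumes those settings would prevent that. The line is also commented out like the rest of the template, so the HISTORY wording "unconditionally enable" should say that it takes effect once the service entry is uncommented.
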
# -o syslog_name=postfix/submissions
# -o smtpd_tls_wrappermode=yes
# -o smtpd_sasl_auth_enable=yes
+# -o local_header_rewrite_clients=static:all
# -o smtpd_reject_unlisted_recipient=no
# Instead of specifying complex smtpd_<xxx>_restrictions here,
# specify "smtpd_<xxx>_restrictions=$mua_<xxx>_restrictions"
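
Review bot: the service in this hunk logs as "postfix/submissions" (see the "-o syslog_name=postfix/submissions" context line), while the HISTORY entry for this change calls it the "smtps" service. Use one name in both places, or mention both in HISTORY, so that an administrator searching master.cf for the name given in HISTORY finds this entry.
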
that is not accepted remains the responsibility of the remote SMTP
client. </p>
+<li> <p> Con: The <a href="smtpd.8.html">smtpd(8)</a> service before the <a href="postconf.5.html#smtpd_proxy_filter">smtpd_proxy_filter</a>
+cannot support features that involve header or body access, or that
+involve queue file manipulation (i.e., anything that involves
+processing by the <a href="cleanup.8.html">cleanup(8)</a> service). </p>
+
+<ul>
+
+<li> <p> No support for HOLD actions in Postfix smtpd <a href="access.5.html">access(5)</a>
+restrictions. </p>
+
+<li> <p> No support for <a href="postconf.5.html#smtpd_milters">smtpd_milters</a> features that involve message
+header or body content. </p>
+
+<li> <p> No support for <a href="postconf.5.html#receive_override_options">receive_override_options</a>.
+
+</ul>
+
+<p> Instead, specify those features with the <a href="smtpd.8.html">smtpd(8)</a> service behind
+the <a href="postconf.5.html#smtpd_proxy_filter">smtpd_proxy_filter</a>. In some cases, it may be possible to combine
+a before-filter PREPEND action that emits a unique pattern (for
+example containing the MTA domain name), with an after-filter
+<a href="postconf.5.html#header_checks">header_checks</a> action that does what you want, and with an
+<a href="postconf.5.html#smtp_header_checks">smtp_header_checks</a> IGNORE action that deletes the prepended header
+from transit mail. </p>
+
<li> <p> Con: The remote SMTP client expects an SMTP reply within
a deadline. As the system load increases, fewer and fewer CPU
cycles remain available to answer within the deadline, and eventually
<DT><b><a name="local_header_rewrite_clients">local_header_rewrite_clients</a>
(default: <a href="postconf.5.html#permit_inet_interfaces">permit_inet_interfaces</a>)</b></DT><DD>
-<p> Rewrite message header addresses in mail from these clients and
-update incomplete addresses with the domain name in $<a href="postconf.5.html#myorigin">myorigin</a> or
-$<a href="postconf.5.html#mydomain">mydomain</a>; either don't rewrite message headers from other clients
-at all, or rewrite message headers and update incomplete addresses
-with the domain specified in the <a href="postconf.5.html#remote_header_rewrite_domain">remote_header_rewrite_domain</a>
-parameter. </p>
+<p> Rewrite or add message headers in mail from these clients,
+updating incomplete addresses with the domain name in $<a href="postconf.5.html#myorigin">myorigin</a> or
+$<a href="postconf.5.html#mydomain">mydomain</a>, and adding missing headers. </p>
<p> See the <a href="postconf.5.html#append_at_myorigin">append_at_myorigin</a> and <a href="postconf.5.html#append_dot_mydomain">append_dot_mydomain</a> parameters
for details of how domain names are appended to incomplete addresses.
</p>
+<p> See <a href="postconf.5.html#remote_header_rewrite_domain">remote_header_rewrite_domain</a> to optionally rewrite or add
+message headers in mail from other clients. </p>
+
<p> Specify a list of zero or more of the following: </p>
<dl>
<DT><b><a name="remote_header_rewrite_domain">remote_header_rewrite_domain</a>
(default: empty)</b></DT><DD>
-<p> Don't rewrite message headers from remote clients at all when
-this parameter is empty; otherwise, rewrite message headers and
-append the specified domain name to incomplete addresses. The
+<p> Rewrite or add message headers in mail from remote clients if
+the <a href="postconf.5.html#remote_header_rewrite_domain">remote_header_rewrite_domain</a> parameter value is non-empty,
+updating incomplete addresses with the domain specified in the
+<a href="postconf.5.html#remote_header_rewrite_domain">remote_header_rewrite_domain</a> parameter, and adding missing headers.
+</p>
+
+<p> The
<a href="postconf.5.html#local_header_rewrite_clients">local_header_rewrite_clients</a> parameter controls what clients Postfix
considers local. </p>
local_destination_concurrency_limit from concurrency per recipient
into concurrency per domain.
.SH local_header_rewrite_clients (default: permit_inet_interfaces)
-Rewrite message header addresses in mail from these clients and
-update incomplete addresses with the domain name in $myorigin or
-$mydomain; either don't rewrite message headers from other clients
-at all, or rewrite message headers and update incomplete addresses
-with the domain specified in the remote_header_rewrite_domain
-parameter.
+Rewrite or add message headers in mail from these clients,
+updating incomplete addresses with the domain name in $myorigin or
+$mydomain, and adding missing headers.
.PP
See the append_at_myorigin and append_dot_mydomain parameters
for details of how domain names are appended to incomplete addresses.
.PP
+See remote_header_rewrite_domain to optionally rewrite or add
+message headers in mail from other clients.
+.PP
Specify a list of zero or more of the following:
.IP "\fBpermit_inet_interfaces\fR"
Append the domain name in $myorigin or $mydomain when the
.ad
.ft R
.SH remote_header_rewrite_domain (default: empty)
-Don't rewrite message headers from remote clients at all when
-this parameter is empty; otherwise, rewrite message headers and
-append the specified domain name to incomplete addresses. The
+Rewrite or add message headers in mail from remote clients if
+the remote_header_rewrite_domain parameter value is non\-empty,
+updating incomplete addresses with the domain specified in the
+remote_header_rewrite_domain parameter, and adding missing headers.
+.PP
+The
local_header_rewrite_clients parameter controls what clients Postfix
considers local.
.PP
that is not accepted remains the responsibility of the remote SMTP
client. </p>
+<li> <p> Con: The smtpd(8) service before the smtpd_proxy_filter
+cannot support features that involve header or body access, or that
+involve queue file manipulation (i.e., anything that involves
+processing by the cleanup(8) service). </p>
+
+<ul>
+
+<li> <p> No support for HOLD actions in Postfix smtpd access(5)
+restrictions. </p>
+
+<li> <p> No support for smtpd_milters features that involve message
+header or body content. </p>
+
+<li> <p> No support for receive_override_options.
+
+</ul>
+
+<p> Instead, specify those features with the smtpd(8) service behind
+the smtpd_proxy_filter. In some cases, it may be possible to combine
+a before-filter PREPEND action that emits a unique pattern (for
+example containing the MTA domain name), with an after-filter
+header_checks action that does what you want, and with an
+smtp_header_checks IGNORE action that deletes the prepended header
+from transit mail. </p>
+
<li> <p> Con: The remote SMTP client expects an SMTP reply within
a deadline. As the system load increases, fewer and fewer CPU
cycles remain available to answer within the deadline, and eventually
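
Review bot: the third item of the added nested list, "<li> <p> No support for receive_override_options.", has no closing </p> before the </ul>, unlike the two items above it. Add the </p> so the list is consistent and the generated text and HTML forms do not depend on lenient parsing. The hyperlinked copy of this list earlier in the patch has the same omission.
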
%PARAM remote_header_rewrite_domain
-<p> Don't rewrite message headers from remote clients at all when
-this parameter is empty; otherwise, rewrite message headers and
-append the specified domain name to incomplete addresses. The
+<p> Rewrite or add message headers in mail from remote clients if
+the remote_header_rewrite_domain parameter value is non-empty,
+updating incomplete addresses with the domain specified in the
+remote_header_rewrite_domain parameter, and adding missing headers.
+</p>
+
+<p> The
local_header_rewrite_clients parameter controls what clients Postfix
considers local. </p>
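
Review bot: the rewritten first paragraph no longer states what happens when remote_header_rewrite_domain is empty. The removed text said explicitly "Don't rewrite message headers from remote clients at all when this parameter is empty", and the new wording leaves that to be inferred from "if the ... parameter value is non-empty". Since the empty value is the default and the safe setting for mail from untrusted clients, keep an explicit sentence for that case. The paragraph would also read more easily if it named the parameter once instead of three times.
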
%PARAM local_header_rewrite_clients permit_inet_interfaces
-<p> Rewrite message header addresses in mail from these clients and
-update incomplete addresses with the domain name in $myorigin or
-$mydomain; either don't rewrite message headers from other clients
-at all, or rewrite message headers and update incomplete addresses
-with the domain specified in the remote_header_rewrite_domain
-parameter. </p>
+<p> Rewrite or add message headers in mail from these clients,
+updating incomplete addresses with the domain name in $myorigin or
+$mydomain, and adding missing headers. </p>
<p> See the append_at_myorigin and append_dot_mydomain parameters
for details of how domain names are appended to incomplete addresses.
</p>
+<p> See remote_header_rewrite_domain to optionally rewrite or add
+message headers in mail from other clients. </p>
+
<p> Specify a list of zero or more of the following: </p>
<dl>
fnvz
hc
mkmap
+Brendel
+Bugfix
+https
Amma
Jesper
Pau
+Mahoney
+manpages
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20221007"
+#define MAIL_RELEASE_DATE "20221023"
#define MAIL_VERSION_NUMBER "3.8"
#ifdef SNAPSHOT
* options just in case.
*/
bits |= SSL_OP_SINGLE_ECDH_USE | SSL_OP_SINGLE_DH_USE;
+
+ /*
+ * Unconditionally disable a CPU resource attack. There's no good reason
+ * to enable TLS renegotiation in the middle of an SMTP connection.
+ */
+ bits |= SSL_OP_NO_RENEGOTIATION;
return (bits);
}
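
Review bot: SSL_OP_NO_RENEGOTIATION is used without a preprocessor guard in the added "bits |= SSL_OP_NO_RENEGOTIATION;" line. The option was introduced during the OpenSSL 1.1.x series, so headers older than that do not define it and a build against them stops at this line. If such versions are still supported, wrap the assignment in "#ifdef SSL_OP_NO_RENEGOTIATION" and document that renegotiation stays enabled on those builds; if they are not, state the minimum OpenSSL version in the HISTORY entry. The comment could also say that the code disables TLS renegotiation, which can be abused as a CPU resource attack, since it is the feature rather than the attack that is switched off.
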