From: Wietse Venema Date: Mon, 4 Feb 2013 05:00:00 +0000 (-0500) Subject: postfix-2.10.0-RC1 X-Git-Tag: v2.10.0-RC1^0 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=42c4d4d17e46b421f06c01e0ec64e4fd6f5800d6;p=thirdparty%2Fpostfix.git postfix-2.10.0-RC1 --- diff --git a/postfix/RELEASE_NOTES b/postfix/RELEASE_NOTES index ee9348357..ec53dfca6 100644 --- a/postfix/RELEASE_NOTES +++ b/postfix/RELEASE_NOTES @@ -14,48 +14,31 @@ specifies the release date of a stable release or snapshot release. If you upgrade from Postfix 2.8 or earlier, read RELEASE_NOTES-2.9 before proceeding. -Incompatible changes with snapshot 20130203 -=========================================== +Major changes - laptop-friendliness +----------------------------------- -Thanks to OpenSSL documentation, the Postfix 2.9.0..2.9.5 SMTP -client and server computed incorrect TLS certificate PUBLIC-KEY -fingerprints. Support for certificate PUBLIC-KEY finger prints -was introduced with Postfix 2.9; there is no known problem with the -certificate fingerprint algorithms available since Postfix 2.2. +[Incompat 20120924] Postfix no longer uses FIFOs to emulate UNIX-domain +sockets on Solaris 9 (Vintage 2002!) and later. If you install +Postfix for the first time on an older Solaris system, edit the +master.cf file and replace "unix" with "fifo" for the pickup and +qmgr services. -Certificate PUBLIC-KEY finger prints may be used in the Postfix -SMTP server (with "check_ccert_access") and in the Postfix SMTP -client (with the "fingerprint" security level). - -Specify "tls_legacy_public_key_fingerprints = yes" temporarily, -pending a migration from configuration files with incorrect Postfix -2.9.0..2.9.5 certificate PUBLIC-KEY finger prints, to the correct -fingerprints used by Postfix 2.9.6 and later. - -To compute the correct PUBLIC-KEY finger prints: - -# OpenSSL 1.0 with all certificates and SHA-1 fingerprints. -$ openssl x509 -in cert.pem -noout -pubkey | \ - openssl pkey -pubin -outform DER | \ - openssl dgst -sha1 -c - -# OpenSSL 0.9.8 with RSA certificates and MD5 fingerprints. -$ openssl x509 -in cert.pem -noout -pubkey | \ - openssl rsa -pubin -outform DER | \ - openssl dgst -md5 -c +[Feature 20120924] the default master.cf file now uses "unix" instead +of "fifo" for the pickup and qmgr services. This avoids periodic +disk drive spin-up. -Incompatible changes with snapshot 20130201 -=========================================== +Major changes - permit logging +------------------------------ -The "postconf -Mn" feature is withdrawn, in favor of a better design -that not only supports queries but also updates of named properties -of a master.cf service entry. But there is not enough time to finish -that for Postfix 2.10. +[Feature 20120303] [Feature 20120303] New control for "permit" +logging in smtpd_mumble_restrictions (by default, the SMTP server +logs "reject" actions but not "permit" actions). Specify +"smtpd_log_access_permit_actions = static:all" to log all "permit"-style +actions, or specify a list of explicit action names. More details +are in the postconf(5) manpage. Major changes - postconf +------------------------ -Incompatible changes with snapshot 20121224 -=========================================== - -The postconf command produces more warnings: +[Incompat 20121224] The postconf command produces more warnings: - An attempt to modify a read-only parameter (process_name, process_id) in main.cf or master.cf. @@ -63,13 +46,10 @@ The postconf command produces more warnings: - An undefined $name in a parameter value in main.cf or master.cf (except for backwards-compatibility parameters such as $virtual_maps). -Major changes with snapshot 20121224 -==================================== - -The postconf command has been updated to make trouble-shooting (and -support) easier. In summary, use "postconf -Mxf" and "postconf -nxf" -to review master.cf and main.cf parameter settings with expanded -parameter values. +[Feature 20121224] The postconf command has been updated to make +trouble-shooting (and support) easier. In summary, use "postconf +-Mxf" and "postconf -nxf" to review master.cf and main.cf parameter +settings with expanded parameter values. - "postconf -x" now expands $name in main.cf and master.cf parameter values. @@ -81,19 +61,19 @@ parameter values. main.cf or master.cf (except for backwards-compatibility parameters such as $virtual_maps). -Added with snapshot 20121227: +[Feature 20121227] - "postconf -o name=value" overrides main.cf parameter settings. This can be used, for example, to examine stress-dependent settings with "postconf -x -o stress=yes". -Incompatible changes with snapshot 20121123 -=========================================== +Major changes - postscreen +-------------------------- -The postscreen deep protocol tests now log the last command before -a protocol error ("UNIMPLEMENTED" when the last command is not -implemented, "CONNECT" when there was no prior command). The -changed logfile messages are: +[Incompat 20121123] The postscreen deep protocol tests now log the +last command before a protocol error ("UNIMPLEMENTED" when the last +command is not implemented, "CONNECT" when there was no prior +command). The changed logfile messages are: NON-SMTP COMMAND from [address]:port after command: text BARE NEWLINE from [address]:port after command @@ -101,12 +81,36 @@ COMMAND TIME LIMIT from [address]:port after command COMMAND COUNT LIMIT from [address]:port after command COMMAND LENGTH LIMIT from [address]:port after command -Incompatible changes with snapshot 20121007 -=========================================== +Major changes - load-balancer support +------------------------------------- + +[Incompat 20120625] The postscreen(8)-to-smtpd(8) protocol has +changed. To avoid "cannot receive connection attributes" warnings +and dropped connections, execute the command "postfix reload". No +mail will be lost as long as the remote SMTP client tries again +later. + +[Feature 20120625] Support for upstream proxy agent in the postscreen(8) +and smtpd(8) daemons. To enable the haproxy protocol, specify one +of the following: + + postscreen_upstream_proxy_protocol = haproxy + smtpd_upstream_proxy_protocol = haproxy + +Note 1: smtpd_upstream_proxy_protocol can't be used in smtpd processes +that are behind postscreen. Configure postscreen_upstream_proxy_protocol +instead. + +Note 2: To use the nginx proxy with smtpd(8), enable the XCLIENT +protocol with smtpd_authorized_xclient_hosts. This supports SASL +authentication in the proxy agent (Postfix 2.9 and later). + +Major changes - relay safety +---------------------------- -As part of a forward compatibility safety net, the Postfix installation -procedure adds the following smtpd_relay_restrictions entry to -main.cf when there is none: +[Incompat 20121007] As part of a forward compatibility safety net, +the Postfix installation procedure adds the following +smtpd_relay_restrictions entry to main.cf when there is none: smtpd_relay_restrictions = permit_mynetworks @@ -131,11 +135,9 @@ actions: There is no need to change the value of smtpd_recipient_restrictions. -Major changes with snapshot 20121007 -==================================== - -This version introduces the smtpd_relay_restrictions feature -for mail relay control. The new built-in default settings are: +[Feature 20121007] This version introduces the smtpd_relay_restrictions +feature for mail relay control. The new built-in default settings +are: smtpd_relay_restrictions = permit_mynetworks @@ -195,53 +197,51 @@ surprises when a site upgrades from an earlier Postfix release. to the empty value, and use smtpd_recipient_restrictions exactly as they used it before. -Incompatible changes with snapshot 20120924 -=========================================== - -Postfix no longer uses FIFOs to emulate UNIX-domain sockets on -Solaris 9 (Vintage 2002!) and later. If you install Postfix for -the first time on an older Solaris system, edit the master.cf file -and replace "unix" with "fifo" for the pickup and qmgr services. - -Major changes with snapshot 20120924 -==================================== +Major changes - start-up +------------------------ -Laptop-friendliness: the default master.cf file now uses "unix" -instead of "fifo" for the pickup and qmgr services. This avoids -periodic disk drive spin-up. +[Feature 20120306] New master "-w" option, to wait for master daemon +process initialization to complete. This feature returns an error +exit status if master daemon initialization fails, or if it does +not complete in a reasonable amount of time. The exit status is +used by "postfix start" to provide more accurate information to +system start-up scripts. -Incompatible changes with snapshot 20120625 -=========================================== +Major changes - tls +------------------- -The postscreen(8)-to-smtpd(8) protocol has changed. To avoid "cannot -receive connection attributes" warnings and dropped connections, -execute the command "postfix reload". No mail will be lost as long -as the remote SMTP client tries again later. +[Incompat 20130203] Thanks to OpenSSL documentation, the Postfix +2.9.0..2.9.5 SMTP client and server computed incorrect TLS certificate +PUBLIC-KEY fingerprints. Support for certificate PUBLIC-KEY finger +prints was introduced with Postfix 2.9; there is no known problem +with the certificate fingerprint algorithms available since Postfix +2.2. -Major changes with snapshot 20120625 -==================================== - -Support for upstream proxy agent in the postscreen(8) and smtpd(8) -daemons. To enable the haproxy protocol, specify one of the -following: +Certificate PUBLIC-KEY finger prints may be used in the Postfix +SMTP server (with "check_ccert_access") and in the Postfix SMTP +client (with the "fingerprint" security level). - postscreen_upstream_proxy_protocol = haproxy - smtpd_upstream_proxy_protocol = haproxy +Specify "tls_legacy_public_key_fingerprints = yes" temporarily, +pending a migration from configuration files with incorrect Postfix +2.9.0..2.9.5 certificate PUBLIC-KEY finger prints, to the correct +fingerprints used by Postfix 2.9.6 and later. -Note 1: smtpd_upstream_proxy_protocol can't be used in smtpd processes -that are behind postscreen. Configure postscreen_upstream_proxy_protocol -instead. +To compute the correct PUBLIC-KEY finger prints: -Note 2: To use the nginx proxy with smtpd(8), enable the XCLIENT -protocol with smtpd_authorized_xclient_hosts. This supports SASL -authentication in the proxy agent (Postfix 2.9 and later). +# OpenSSL 1.0 with all certificates and SHA-1 fingerprints. +$ openssl x509 -in cert.pem -noout -pubkey | \ + openssl pkey -pubin -outform DER | \ + openssl dgst -sha1 -c -Major changes with snapshot 20120422 -==================================== +# OpenSSL 0.9.8 with RSA certificates and MD5 fingerprints. +$ openssl x509 -in cert.pem -noout -pubkey | \ + openssl rsa -pubin -outform DER | \ + openssl dgst -md5 -c -This release adds support to turn off the TLSv1.1 and TLSv1.2 -protocols. Introduced with OpenSSL version 1.0.1, these are known -to cause inter-operability problems with for example hotmail. +[Feature 20120422] This release adds support to turn off the TLSv1.1 +and TLSv1.2 protocols. Introduced with OpenSSL version 1.0.1, these +are known to cause inter-operability problems with for example +hotmail. The radical workaround is to temporarily turn off problematic protocols globally: @@ -272,22 +272,3 @@ Important: override the next-hop destination with transport_maps, relayhost, sender_dependent_relayhost_maps, or otherwise, you need to specify the same destination for the smtp_tls_policy_maps lookup key. - -Major changes with snapshot 20120306 -==================================== - -New master "-w" option, to wait for daemon process initialization -to complete. This feature returns an error exit status if master -daemon initialization fails, or if it does not complete in a -reasonable amount of time. The exit status is used by "postfix -start" to provide more accurate information to system start-up -scripts. - -Major changes with snapshot 20120303 -==================================== - -New control for "permit" logging in smtpd_mumble_restrictions (by -default, the SMTP server logs "reject" actions but not "permit" -actions). Specify "smtpd_log_access_permit_actions = static:all" -to log all "permit"-style actions, or specify a list of explicit -action names. More details are in the postconf(5) manpage. diff --git a/postfix/WISHLIST b/postfix/WISHLIST deleted file mode 100644 index 1f5052d1e..000000000 --- a/postfix/WISHLIST +++ /dev/null @@ -1,793 +0,0 @@ -Wish list: - - Things to do before the stable release: - - Remove this file from the stable release. - - Things to do after the stable release: - - Spellcheck and double-word check. - - Don't forget Apple's code donation for fetching mail from - IMAP server. - - Should postconf -o refuse to work without the -x option? - - Make 30s caching (feature 20070414) configurable, such that - 0 means no caching. - - Make errno white/blacklist for getpwnam_r etc. and mailbox - write errors. - - smtpd_muble_restrictions rule names are case-insensitive. - restriction_classes values are case-sensitive but should - be case-insensitive for consistency with smtpd_muble_restrictions. - - Make "rename" the default when postmapping a DB file - (later: use copy+rename for postmap -i, postmap -d). - - Service-name parameters aren't documented in daemon manpages. - - When faking up the DSN ORCPT, don't send bare usernames - from local command-line submission. - - lmtp_assume_final is broken. A 2XX response does not imply - final delivery. The Sieve language implements accept-then-bounce. - - postscreen event-driven plug-in interface to send out a - query in parallel with the Pregreet and DNSBL tests, using - a simplified version of the policy delegation protocol. - - Parallelized queue preprocessing: rip out the queue manager - code to read queue files and resolve recipients, and run - it in parallel processes. The queue manager then processes - their results as they become available. This would eliminate - the qmgr<->trivial-rewrite bottleneck. This can also eliminate - much of the scheduling disadvantage of a single queue manager - compared to hundreds of mail receiving or sending processes - (especially if there is a way to scan the queue in parallel). - - Memory pools for same-type memory objects. This can be - used to either increase memory locality for frequently-allocated - objects (MRU allocation) or to make use-after-free bugs - more detectable (use LRU allocation and wipe the object - immediately after free(). Finally, same-type memory pools - prevent object type errors with use-after-free bugs. - - "no-cache" option for selected postscreen tests? - - Need a new DICT flag to indicate that a map handle supports - locking. If it doesn't (as with memcache or proxymap - handles), then postscreen etc. don't need to close a cache - file after "postfix reload". After a fork() it is OK to - keep using a memcache or proxymap handle, because the parent - exits immediately. For this to work, the memcache client - needs to propagate the flag from a persistent backup map, - but the proxymap protocol should not propagate this to the - client. - - Different TTL values for different DNSBL sources? - - Replace master(8) SIGHUP by very simple socket protocol to - allow reload of a specific service. - - postscreen: in the dummy SMTP engine, log the protocol state - at time of violation (like smtpd, set state->where initially - to CONNECT, then update it with the name of the last "known" - command, or set it to "unimplemented"). - - The discussion of postscreen cache configuration is in the - wrong place (how whitelisting works). Move it to the section - about configuring postscreen. - - Before proxymap can be exposed to the network (primarily - to share postscreen or verify caches), need to enforce - limits on attribute string name and value length in IPC - protocols. 10-20KB seems OK. We need to enforce content - sanity checks (for example, no control characters; Postfix - does not pass around multi-line data in table lookups). The - VSTREAM library already supports read/write deadlines. We - need to use attack-resistant code for numeric conversion. - - move flush_init() etc. from defer service clients to the - bounce daemon? Postfix works best when work can be spread - out over many clients, instead of over a few servers. - - multi_connect() function that takes a list of inet:host:port - and/or unix:pathname specs, with an explicit "inet" prefix - argument to handle applications that use host:port only. - This will simplify multi-host implementation for memcache - client, dovecot client, and other. - - dict_memcache: treat "bad" key as cache miss, i.e. read/write - the backup database as if the cache did not exist. This - does not help because most Postfix maps (virtual, canonical, - access, transport, ...) also don't support spaces in keys. - - postscreen: keep the cache open after "postfix reload" when - it is remote (type memcache: or proxy:). This does not work - because memcache can use a non-proxied file as backup). - - What is the feasibility of adding an mta_name (personality) - attribute that is propagated via queue files and delivery - agent requests? It would default to myhostname. - - Major performance improvement opportunity (that is until - everyone runs Postfix queues on SSDs). Investigate the - viability of a daemon that produces incoming and postdrop - queue files on request (in reality it would maintain a - limited queue of "spare" files). Central queue file allocation - reduces the I/O performance disadvantage that qmgr has when - 100 smtpd processes are receiving mail, or when lots of - mail is submitted with the sendmail command line. When an - smtpd process accepts MAIL FROM, a cleanup daemon requests - a queue file and receives a queue ID + file handle from the - queue file daemon. If the queue file daemon is down, the - cleanup daemon creates the file itself like it does now; - this can be hidden in the mail_stream library module. If - the mail transaction is aborted, then the cleanup daemon - gives the queue file back to the queue file daemon's "spare" - file pool, saving most of the overhead of creating and - deleting a queue file (the file would still need to be - renamed at the start of the next mail transaction). If the - cleanup daemon is unable to give a file back, then it can - delete the file like it does now; this can be hidden in the - mail_stream library module. The whole thing can be - transparently added to Postfix by adding calls to a - queue-file-service client to the mail_queue_enter() and - mail_queue_remove() library routines. Other advantages: - 1) negligible performance hit when queue file allocation - happens earlier, so that logging and milters have a queue - ID for the whole transaction not just the first valid - recipient; 2) by not removing every queue files we get most - of the performance gain of a queue based on append/truncate - instead of the much more expensive create/delete. - - Investigate viability of Sendmail dns maps. - - Check if FILTER_README has the "postsuper -r" workaround - - Bounces without <> in the plaintext section. Apparently, - some software renders the text as HTML (and therefore - does not render addresses and other text inside <> ). - - Make the rules for how to use close-on-exec more explicit. - - Provide separate timeout control for dict_proxy client, - rewrite client, resolve client, cleanup client, and so on. - Perhaps a timeout argument to the mail_connect() routines. - - Trick from amavisd: save listen socket/fifo/etc state, clear - their close-on-exec flags, exec the same program file to - re-initialize (with saved socket state on command line or - in environment), then restore the listen socket/fifo/etc - close-on-exec flags. This could be a way to mitigate the - impact of memory/file leaks, and to implement "postfix - reload" support for master(8) features that currently don't - support this. - - Sub-second time resolution. The first benefit is to make - per-destination rate delays more usable. Other applications - will come up once the support exists. The straightforward - approach is to represent all time intervals in milliseconds, - and to update all code that makes system calls with a time - argument (as well as the compiled-in upper and lower time - parameter bounds, which are currently in seconds). - Unfortunately, that limits he maximum time interval to less - than 25 days on 32-bit systems, and is likely to break - compatibility (for starters, it cannot even deal with the - compiled-in 100d upper bound on the queue file lifetime). - A second option is to have a "compatibility" time base - switch between milliseconds and seconds; this means extra - changes to all code that makes system calls with a time - argument, and the way that the compiled-in upper and lower - bounds are specified. Some of this can be encapsulated in - macros like time_to_sec(t), time_to_msec(t) and sec_to_time(t). - Finally, it is relatively easy to replace the events(3) - interface to use "double" for the time delay arguments, but - it is a major pain to convert all main.cf time parameters - into doubles (converting only some leads to a documentation - nightmare). - - Address verify cache: allow a negative cache "refresh" - result to purge a "positive" cache entry in some safe manner. - Currently, the negative cache "refresh" result is discarded, - address verify cache lookup returns OK, and each lookup - forces a "refresh" probe until the entry expires. - - Some Sendmail configurations trigger sub-optimal behavior - when the postscreen_whitelist_interfaces parameter lists - primary MX addresses only. When postscreen's "deep protocol - tests" are successful on the primary MX address (i.e. they - result in 4XX responses to RCPT TO), some Sendmail - configurations keep the primary MX connection open until - AFTER they finish talking to the backup MX address. The - problem is that the backup connection runs into a WHITELIST - VETO condition because the whitelisting database has not - yet been updated with the PASS NEW result for the primary - MX connection. Unfortunately postscreen can't update the - whitelisting database before the primary MX connection is - closed, because a client may still make a mistake. - - Simplify postscreen logic. Individual "fail" flags help to - avoid repeated testing/logging the same mistake. Individual - "pass" flags provide evidence that the client didn't skip - tests by hanging up early. The current global "noforward" - flag implements the wrong model: instead we need an indicator - that a client has passed all tests or that all mistakes - were forgiven. - - In the SMTP server, check if the connection is closed before - replying to ".", and discard the message if the reply can't - be sent. This reduces the time window for RFC 1047 message - duplication, and may even prevent the delivery of some spam. - http://www.exim.org/lurker/message/20070416.103159.9d5ff0ce.en.html - This requires splitting the SMTP server's commit operation - into two operations: first, a tentative commit operation - that performs most of the I/O and processing in milters and - in the cleanup server; second, a final commit operation - that is executed only if the remote SMTP client hasn't hung - up in the mean time. Unfortunately, SMTP-based before-queue - content filters don't support a tentative commit operation. - - Find out how to reproduce Berkeley DB bogus ENOENT errors. - postscreen does not log this with Berkeley DB 1 (FreeBSD - 4..8), 4.7.25 (Ubuntu 9.04) and 4.8.24 (Ubuntu 10.04). - - postconf command-line option to show the compile-time - settings (CCARGS, AUXLIBS) in case binary packages - don't install the makedefs.out file. - - events.c: cache the side effects of file descriptor event - enable/disable operations in user space, and do bulk kernel - updates at event_loop() time. This can eliminate costly - system calls with successive event disable/enable operations - on the same file descriptor. This can also eliminate the - need for tricky code that tries to avoid the expense of - successive disable/enable operations. Such code is likely - to introduce bugs. - - When does it pay off to send domains in the active queue - to a DNS prefetch daemon? Could this generalize to a dynamic - transport map that piggy-backs domains with the same MX - host into the same mail delivery transaction? - - inline table where the "whitespace replacement" character - is specified in-line. Ex: inline:XYname1Xvalue1Yname2Xvalue2 - would instantiate a table with (name1, value1) and (name2, - value2). I'm afraid this is just too ugly. - - tlsproxy(8) should receive TLS preferences from postscreen(8) - and smtpd(8), instead of reading them from main.cf. This - means that many tlsproxy_ parameters become postscreen_ - parameters, and that tls_server_init() parameters move to - to tls_server_start(). That is a significant API change. - It also means tlsproxy can't open all files before chroot(). - - anvil rate limit for sasl_username. - - Encapsulate nbbio buffer access and update by tlsproxy. - - Full-duplex support for tlsproxy(8). This requires updating - events(3) and nbbio(3). - - Register automagic destructor for object attached to VSTREAM. - - Use different ipc time limits for email message transactions - (smtpd, pickup)->cleanup and for quick query/reply transactions - such as address rewriting/resolution. Beware of large time - limits for local or virtual alias expansion. - - permit_tempfail_action (default: defer_if_reject) to be - used as the default value for dnswl_tempfail_action and - rhswl_tempfail_action. Steal liberally from the code that - implements unverified_recipient_tempfail_action etc. - - Support filtering of messages that are generated by Postfix: - This would apply to postmaster notices and bounce messages - (DKIM), and address verification (BATV). - - Consistency: in postconf.proto make
..
tags bold. - - postscreen(8): listen on multiple IP addresses and enforce - that the client contacts the primary MX address first (i.e. - punish hosts that contact the secondary before the primary). - The downside with any approach that relies on temporary - punishment is that it does not scale to configurations - with multiple equal-preference MX hosts. Such hosts would - have to share the postscreen cache, causing an unacceptable - performance bottleneck and a single point of failure. - - According to a paper by Ted Unangst at BSDCON09, kqueue - reports state changes, i.e. kqueue indicates when the socket - becomes readable. Specifically, he writes when kqueue reports - a socket becomes readable but no data is read from that - socket, later kqueue calls won't report the socket as - readable. That's not what happens on FreeBSD 8.0, where - kqueue will keep reporting the socket as readable when - nothing is read. Also, FreeBSD 8.0 kqueue still reports - the socket as readable after a read operation does not empty - the kernel buffer. We need a test program for this that - repeats these tests with OpenBSD and NetBSD (and MacOS X - once they fix their kqueue implementation). - - Would it help if there were different cleanup_service - parameter names for different message paths? smtpd(8) uses - the same cleanup_service value for receiving remote mail - and for submitting postmaster problem reports. Do we need - separate mumble_cleanup_service_name parameters for "inject", - "notify" and "forward" (with backwards compatible defaults)? - - IF/ENDIF support for CIDR tables. - - Need a regular expression table to translate address - verification responses into hard/soft/accept reply codes. - - Is there a way to make sendmail -V work after local alias - expansion? Majordomo-like mailing lists would benefit from - this; the example in VERP_README does not work in the general - case. - - When an alias is a member of an :include: list with owner- - alias, local(8) needs an option to deliver alias or alias->user - indirectly. What happens when an :include: list with owner- - alias includes another list? - - Don't allow empty result values in pcre and regexp maps. - Postfix doesn't allow them anywhere else (check this). - - Make PCRE_MAX_CAPTURE configurable. - - Add some checks for tokens starting with #. A challenge - is to report sensible context from the guts of some low-level - parser, without introducing a great deal of clumsiness. - - Add sendmail macros for {verify} and maybe other TLS info. - - Find out if we are doing the correct thing by looking at - state->milter_reject_text when expanding {rcpt_addr} or - {rcpt_host}. - - Find out why post_mail() etc. block when the qmgr fifo is - full (answer: trigger_timeout). How can this cause delays - in the queue manager? When a recipient bounces during - (transport, nexthop, address) resolution, it is redirected - to the error or retry mailer; and bounce-after-delivery is - asynchrounous so it can't block the queue manager, either. - - How to ensure that proxy_read_maps is processed after all - its dependencies are initialized, or just bite the bullet - and rewrite the parameter initialization code. - - The cleanup virtual alias expansion limit does not really - deliver on its promises. 1) It promises to truncate the - result without aborting delivery, which would be undesirable - anyway, but that is not what it does, so that is good. 2) - It keeps all the recipients from multi-recipient database - lookup, then terminates further recursion when the result - exceeds the expansion limit. This behavior achieves the - original goal that all things shall have a finite size (even - though but we don'really care how large they are) but may - result in surprises when recipients are listed in virtual - alias domains or need expansion for other reasons. In a - phone call with Victor, a reasonable way out is to set the - limit to some large number (100000) and abort delivery when - the result exceeds the limit. - - Should the postscreen save permanent white/black list lookup - results to the temporary cache, and query the temporary - cache first? Skipping white/black list lookups will speed - up the handling of "good" clients without a permanent - whitelist entry. Of course, this means that updates to the - white/black lists do not immediately take effect. Workarounds: - 1) use a shorter temporary cache TTL for clients on the - permanent black/white lists; 2) ignore cached white/black - list lookup results after "postfix reload"; 2) adjust the - logging, for example "WHITELISTED address (cached)" and - "BLACKLISTED address (cached)" to eliminate surprises. - Comparing the cache entry time with the white/blacklist - file modification time is not foolproof: for example, pcre - or CIDR tables are read only once. - - It would be nice if the generic dict_cache(3) cache manager - could postpone process suicide until cache cleanup is - completed (but that is not possible when postscreen forks - into the background to finish already-accepted connections, - and it is not desirable when a host is being shut down). - - When postscreen drops a connection, a 521 "greeting" should - be of the form "521 servername..." and not have an enhanced - status code. The "521 5.7.1" form can be used after EHLO. - Of course no spammer is going to complain about Postfix - SMTP compliance. - - Find a place to document all the mail routing mechanisms - in one place so people can figure out how Postfix works. - - The access map BCC action is marked "not stable", perhaps - because people would also expect BCC actions in header/body_checks. - How much would it take to make the queue file editing code - generally usable? - - Move smtpd_command_filter into smtpd_chat_query() and update - the session transcript (see smtp_chat_reply() for an example). - - SMTP connection caching without storing connections, to - improve TLS mail delivery performance. - - Should not milter8_mail_event() unset the "hold" default - reply? Better, the default reply should not be used for - this purpose. - - Don't send MASTER_STAT_TAKEN/MASTER_STAT_AVAIL when a server - runs with process limit of 1. But this means the master - never learns that the process is successful and will always - pause $service_throttle_time before restarting a failed service. - - Don't bother maintaining a per-service lockfile when a - server runs with process limit of 1. The purpose of the - lockfile is to avoid thundering herd problems when the kernel - wakes up multiple processes for each new client connection. - - Implement PREPEND action for milter_header_checks. Save the - to-be-prepended text to buffer, then emit it along with the - new header. - - Fix the header_body_checks API, so that the name of the map - class (e.g. milter_header_checks) is available for logging. - - Fix the mime_state and header_body_checks APIs, so that - they use VSTRINGs. This simplifies REPLACE actions. - - Update FILTER_README for multi-instance support, and rename - the old document to FILTER_LEGACY_README. - - Need to sign delivery status notifications, to avoid surprises - when eventually people start enforcing DKIM etc. signatures. - - Either document or remove the internal_mail_filter_classes - feature (it's disabled by default). - - Make the "unknown recipient" test configurable as - first|last|never, with "yes"=="last" for backwards - compatibility. The "first" setting is good for performance - (stress=yes) when all users are defined in local files; but - it may perform worse when users are in networked tables. - - Cleanup: make DNSBL query format configurable beyond the - client's reversed IP address. - - With 'final delivery' in the LMTP client, need an option - to also add delivered-to and other pipe(8) features. This - requires making mail_copy() functionality available in - non-mailbox context. - - Cleanup: modernize the "add missing From: header" code, to - ``phrase '' form. Most likely, quote the entire phrase - if it contains any text that is special, then rfc822_externalize - the whole thing. - - SMTP server: make the server_addr and server_port available - to policy server, Dovecot, and perhaps Milters. - - Med: local and remote source port and IP address for smtpd - policy hook. - - Maybe change maps_rbl_reject_code default to 521, and - update wording in STRESS_README. - - Encapsulate time_t comparisons so that they can be made - system dependent (use difftime() where available). - - Encapsulate time_t conversions (e.g. REC_TYPE_TIME) so that - they can be made system dependent. - - Plan for time_t larger than long, or wait for LP64 to - dominate the world? - - Make "AUTH=<>" appendage to MAIL FROM configurable, enabled - by default. - - To support ternary operator without a huge parsing effort, - consider ${value?{xxx}:{yyy}} where ${name} is existing - syntax, and where ?{text} and :{text} are new syntax that - is unlikely to break existing configurations. Or perhaps - it's just too ugly. - - Write delivery rate delay example (which _README?) and auth - failure cache example (SASL_README). Then include them in - SOHO_README. - - Look for alternatives for the use of non_smtpd_milters. - This involves some way to force local submissions to go - through a local SMTP client and server, without triggering - "mail loops back to myself" false alarms. The advantage is - that it makes smtpd_mumble_restrictions available for local - and remote mail; the disadvantage is that it makes local - submissions more dependent on networking. One possibility - is to use "pickup -o content_filter=smtp:127.0.0.1:10025", - or a dedicated SMTP client/server on UNIX-domain sockets; - we could also decide to always suppress "mail loop" detection - for loopback connections. Another option is to have the - pickup or cleanup server drive an SMTP client directly; - this would require extension of the mail_stream() interface, - plus a way to handle bounced/deferred recipients intelligently, - but it would be at odds with Postfix design where delivery - agents access queue files directly; exposing delivery agents - to raw queue files violates another Postfix design principle. - - Consolidate duplicated code in *_server_accept_{pass,inet}(). - - Consolidate duplicated code in {inet,unix,upass}_trigger.c. - - In the SMTP client, handle 421 replies in smtp_loop() by - having the input function raise a flag after detecting 421 - (kill connection caching and be sure to do the right thing - with RSET probes), leave the smtp_loop() per-command reply - handlers unchanged, and have the smtp_loop() reader loop - bail out with smtp_site_fail("server disconnected after - %s", where), but only in the case that it isn't already in - the final state. But first we need to clean up the handling - of do/don't cache, expired, bad and dead sessions. - - Combine smtpd_peer.c and qmqpd_peer.c into a single function - that produces a client context object, and provide attribute - print/scan routines that pass these client context objects - around. With this, we no longer have to update multiple - pieces of code when a client attribute is added. Ditto for - SASL and TLS context. - - Don't log "warning: XXXXX: undeliverable postmaster - notification discarded" for spam from outside. - - Really need a cleanup driver that allows testing against - Milter applications instead of synthetic events. This would - have to provide stubs for clients that talk to Postfix - daemon processes. See if this approach can also be used for - other daemons. - - smtpd(8) exempts $address_verify_sender from access controls, - but it doesn't know whether cleanup(8) or delivery agents - modify the sender. Would it be possible to "calibrate" this - exemption, perhaps by having delivery agents pass the probe - sender to the verify server, keeping in mind that the probe - sender may differ per delivery agent due to output rewriting. - - Update attr_print/scan() so they can send/receive file - descriptors. This simplifies kludgy code in many daemons. - - Would there be a problem adding $smtpd_mumble_restrictions - and $smtpd_sender_login_maps to the default proxy_read_maps - settings? - - Remove defer(8) and trace(8) references and man pages. These - are services not program names. On the other hand we have - man pages for lmtp(8) and smtp(8), but not for relay(8). - Likewise, retry(8) does not have a man page. - - Bind all deliveries to the same local delivery process, - making Postfix perform as poorly as monolithic mailers, but - giving a possibility to eliminate duplicate deliveries. - - Maybe declare loop when resolve_local(mxhost) is true? - - Update message content length when adding/removing headers. - - Need scache size limit. - - REDIRECT should override original recipient info, and - probably override DSN as well. - - Update FILTER_README with mailing list suggestions to tag - with a badness indicator and then filter down-stream. - - Make null local-part handling configurable: either expand - into mailer-daemon (current bahavior) or disallow (strict - behavior, currently implemented only in the SMTP server). - - The type of var_message_limit (and other file size/offset - configuration parameters or internal protocol attributes) - should be changed from int to off_t. This also requires - checking all expressions in which var_message_limit etc. - appears: qmqpd, netstring, deliver_request, ... - - Add M flag (enable multi-recipient delivery) to pipe daemon. - - The usage of TLScontext->cache_type is unclear. It specifies - a TLS session cache type (smtpd, smtp, or lmtp), but it is - sometimes used as an indicator that TLS session caching is - unavailable. In reality, that decision is made by not - registering call-back functions for cache maintenance. - - Postfix TLS library code should copy any strings that it - receives from the application, instead of passing them - around as pointers. TLScontext->cache_type is a case in - point. - - Are transport:nexthop null fields the same as in the case - of default_transport etc. parameters? - - Don't lose bits when converting st_dev into maildir file - name. It's 64 bits on Linux. Found with the BEAM source - code analyzer. Is this really a problem, or are they just - using 64 bits for upwards compatibility with LP64 systems? - - Do or don't introduce unknown_reverse_client_reject_code. - - Check that "UINT32 == unsigned int" choice is ok (i.e. LP64 - UNIX). - - Tempfail when a Milter application tries to negotiate content - access, while it is configured in an SMTP server that runs - before the smtpd_proxy filter. - - Log DSN original recipient when rejecting mail. - - Keep whitespace between label and ":"? - - Make the map case folding/locking options configurable, if - not at run-time then at least at compile time so we get - consistent behavior across applications. - - Investigate what it would take to eliminate oqmgr, and to - make the old behavior configurable in a unified queue - manager. This would shave another 2.7 KLOC from the source - footprint. - - Document the case folding strategy for match_list like - features. - - Eliminate the (incoming,deferred)->active rename operation. - This requires an in-memory hash of queue file names to avoid - duplicate open() operations. - - Softbounce fallback-to-ISP for SOHO users. This heuristic - assumes that when direct-to-MX delivery fails with 5XX, - delivery via the ISP may still succeed. This could be - implemented by enabling soft bounces for destinations other - than the smtp_fallback_relay. So the only benefit of this - over the existing soft_bounce feature is that it has no - effect on smtp_fallback_relay deliveries. - - Centralize main.cf parameter input so that defaults work - consistently. What about parameter names that are prefixed - with mail delivery transport names? - - Fix default time unit handling so that we can have a default - bounce lifetime of $maximal_queue_lifetime, without causing - panics when a non-default maximal_queue_lifetime setting - includes no time unit. - - After the 20051222 ISASCII paranoia, lowercase() lowercases - ASCII text only. - - Privacy: remove local command/pathname details from remote - delivery status reports, and log them via local msg_warn(). - - Is it safe to cache a connection after it has been used for - more than some number of address verification probes? - - Try to recognize that Resent- headers appear in blocks, - newest block first. But don't break on incorrect header - block organization. - - Hard limits on cache sizes (anvil, specifically). - - Laptop friendliness: make the qmgr remember when the next - deferred queue scan needs to be done, and have the pickup - server stat() the maildrop directory before searching it. - - Low: replace_sender/replace_recipient actions in access - maps, so they can be used in policy servers? - - Low: configurable order of local(8) delivery methods. - - Med: smtp_connect_timeout_budget (default: 3x smtp_connect_timeout) - to limit the total time spent trying to connect. - - Med: transform IPv4-in-IPv6 address literals to IPv4 form - when comparing against local IP addresses? - - Med: transform IPv4-in-IPv6 address literals to IPv4 form - when eliminating MX mailer loops? - - Med: Postfix requires [] around IPv6 address information - in match lists such as mynetworks, debug_peer_list etc., - but the [] must not be specified in access(5) maps. Other - places don't care. For now, this gotcha is documented in - IPV6_README and in postconf(5) with each feature that may - use IPv6 address information. The general recommendation - is not to use [] unless absolutely necessary. - - Med: the partial address matching of IPv6 addresses in - access(5) maps is a bit lame: it repeatedly truncates the - last ":octetpair" from the printable address representation - until a match is found or until truncation is no longer - possible. Since one or more ":" are usually omitted from - the printable IPv6 address representation, this does not - really try all the possibilities that one might expect to - be tried. For now, this gotcha is documented in access(5). - - Low: reject HELO with any domain name or IP address that - this MTA is the final destination for. - - Low: should the Delivered-To: test in local(8) be configurable? - - Low: make mail_addr_find() lookup configurable. - - Low: update events.c so that 1-second timer requests do not - suffer from rounding errors. This is needed for 1-second - SMTP session caching time limits. A 1-second interval would - become arbitrarily short when an event is scheduled just - before the current second rolls over. - - Low: configurable internal/system locking method. - - Low: add INSTALL section for pre-existing Postfix systems. - - Low: add INSTALL section for pre-existing RPM Postfixes. - - Low: disallow smtpd_recipient_limit < 100 (the RFC minimum). - - Low: noise filter: allow smtp(8) to retry immediately if - all MXes return a quick ECONNRESET or 4xx reply during the - initial handshake. Retry once? How many times? - - Low: make post-install a "postfix-only script" so it can - take data from the environment instead of main.cf. - - Low: randomize deferred mail backoff. - - Med: separate ulimit for delivery to command? - - Med: postsuper -r should do something with recipients in - bounce logfiles, to make sure the sender will be notified. - To be perfectly safe, no process other than the queue manager - should move a queue file away from the active queue. - - This could involve tagging a queue file, and use up another - permission bit (postsuper tags a "hot" file, qmgr requeues it). - - Low: postsuper re-run after renaming files, but only a - limited number of times. - - Low: smtp-source may block when sending large test messages. - - Med: find a way to log the sender address when MAIL FROM - is rejected due to lack of disk space. - - Low: revise other local delivery agent duplicate filters. - - Low: all table lookups should consistently use internalized - (unquoted) or externalized (quoted) forms as lookup keys. - smtpd, qmgr, local, etc. use unquoted address forms as keys. - cleanup uses quoted forms. - - Low: have a configurable list of errno values for mailbox - or maildir delivery that result in deferral rather than - bouncing mail. What about "killed by signal" exits? - - Low: after reorganizing configuration parameters, add flags - to all parameters whose value can be read from file. - - Medium: need in-process caching for map lookups. LDAP servers - seem to need this in particular. Need a way to expire cached - results that are too old. - - Low: generic showq protocol, to allow for more intelligent - processing than just mailq. Maybe marry this with postsuper. - - Low: default domain for appending to unqualified recipients, - so that unqualified names can be delivered locally. - - Low: The $process_id_directory setting is not used anywhere - in Postfix. Problem reported by Michael Smith, texas.net. - This should be documented, or better, the code should warn - about attempts to set read-only parameters. - - Low: while converting 8bit text to quoted-printable, perhaps - use =46rom to avoid having to produce >From when delivering - to mailbox. - - virtual_mailbox_path expression like forward_path, so that - people can specify prefix and suffix. diff --git a/postfix/makedefs b/postfix/makedefs index f0151f35d..93b59497c 100644 --- a/postfix/makedefs +++ b/postfix/makedefs @@ -664,7 +664,7 @@ ${WARN='-Wall -Wno-comment -Wformat -Wimplicit -Wmissing-prototypes \ export SYSTYPE AR ARFL RANLIB SYSLIBS CC OPT DEBUG AWK OPTS # Snapshot only. -CCARGS="$CCARGS -DSNAPSHOT" +#CCARGS="$CCARGS -DSNAPSHOT" # Non-production: needs thorough testing, or major changes are still # needed before the code stabilizes. diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index 6a7ba6be8..ae2b38692 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h @@ -21,7 +21,7 @@ * patchlevel; they change the release date only. */ #define MAIL_RELEASE_DATE "20130204" -#define MAIL_VERSION_NUMBER "2.10" +#define MAIL_VERSION_NUMBER "2.10-RC1" #ifdef SNAPSHOT # define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE