From: Wietse Venema Date: Sun, 22 Dec 2002 05:00:00 +0000 (-0500) Subject: postfix-2.0.0 X-Git-Tag: v2.0.0^0 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=678f102c9b7d109e8d87639d0479f1c55b43b1f1;p=thirdparty%2Fpostfix.git postfix-2.0.0 --- diff --git a/postfix/HISTORY b/postfix/HISTORY index ab10336ee..91d0f73ac 100644 --- a/postfix/HISTORY +++ b/postfix/HISTORY @@ -6597,10 +6597,6 @@ Apologies for any names omitted. with unread data according to ioctl FIONREAD. Incredible. Diagnosis by Max Pashkov. File: smtp/smtp-sink.c. - Weird feature: sender-based routing. This will become more - useful once per-address transport map entries are done. - File: src/*qmgr/qmgr_message.c. - 20020605 Safety: header_address_token_limit limits the amount of @@ -6615,13 +6611,6 @@ Apologies for any names omitted. now was much less painful than it was in the past. Files: global/strip_addr.c, trivial-rewrite/transport.c. -20020610 - - Cleanup: making user@domain transport map lookups work with - sender-based routing was a bit tricky, because the null - address must be handled sensibly. Files: global/resolve_clnt.c, - trivial-rewrite/resolve.c. It ain't perfect yet, but close. - 20020613 Bugfix: postsuper -r was broken as of 20020510. The cleanup @@ -7493,10 +7482,6 @@ Apologies for any names omitted. 20021220 - Bugfix: the reject_multi_recipient_bounce restriction had - an off-by-one error when used in smtpd_data_restrictions. - File: smtpd/smtpd_check.c. - Feature: new check_recipient_maps restriction that gives finer control over when unknown recipients are rejected. As with Postfix 1.1, the default is to do this at the end 
@@ -7511,6 +7496,12 @@ Apologies for any names omitted. shooting easier but also reveals information that is nobody elses business. +20021221 + + Workaround: don't allow the transport map to override the + virtual alias class (error:User unknown) result. File: + trivial-rewrite/transport.c. + Open problems: Low: after successful delivery, per-queue window += 1/window, diff --git a/postfix/RELEASE_NOTES b/postfix/RELEASE_NOTES index e9f8e9f93..3c95d2bf6 100644 --- a/postfix/RELEASE_NOTES +++ b/postfix/RELEASE_NOTES @@ -1,7 +1,8 @@ -In the text below, incompatible changes are labeled with the Postfix -snapshot that introduced the change. If you upgrade from a later -Postfix version, then you do not have to worry about that particular -incompatibility. +In the text below, changes are labeled with the Postfix snapshot +that introduced the change, and whether the change introduced a +feature, an incompatibility, or whether the feature is obsolete. +If you upgrade from a later Postfix version, then you do not have +to worry about incompatibilities introduced in earlier versions. Official Postfix releases are called a.b.c where a=major release number, b=minor release number, c=patchlevel. Snapshot releases 
@@ -12,28 +13,26 @@ snapshot release). Patches change the patchlevel and the release date. Snapshots change only the release date, unless they include the same bugfixes as a patch release. -Incompatible changes with Postfix snapshot 1.1.12-20021219 -========================================================== +Major changes with Postfix version 2.0.0 (released 20021222) +============================================================ -The use of the XVERP extension in the SMTP MAIL FROM command is -now limited to SMTP clients that match the hostnames, domains or -networks listed with the authorized_verp_clients parameter (default: -$mynetworks). +First comes the bad news - things that may break when you upgrade +from Postfix 1.1. Then comes the good news - things that evolved +in snapshots over the past year. -Incompatible changes with Postfix snapshot 1.1.12-20021209 -========================================================== +For the release notes of Postfix 1.1 and earlier, see the +RELEASE_NOTES-1.1 file. -This release adds a new "relay" service to the Postfix master.cf -file. If your Postfix is unable to connect to the "relay" service -then you have not properly followed the installation procedure. +Unknown Recipients are now rejected by default +============================================== -The Postfix SMTP server now rejects mail for $mydestination domain -recipients that it does not know about. This keeps undeliverable -mail out of your queue. +[Incompatibility 20021209] The Postfix SMTP server now rejects mail +for $mydestination domain recipients that it does not know about. +This keeps undeliverable mail out of your queue. 
-To avoid losing mail when upgrading from Postfix 1.1, you need to -review the LOCAL_RECIPIENT_README file if one of the following is -true: +[Incompatibility 20021209] To avoid losing mail when upgrading from +Postfix 1.1, you need to review the LOCAL_RECIPIENT_README file if +one of the following is true: - You define $mydestination domain recipients in files other than /etc/passwd or /etc/aliases. For example, you define $mydestination 
@@ -45,69 +44,281 @@ true: - You use the fallback_transport feature of the Postfix local delivery agent. - You use the luser_relay feature of the Postfix local delivery agent. -Postfix no longer defaults to the "smtp" transport for all non-local -destinations. This may affect your defer_transports settings. In -particular, Postfix now uses the "relay" mail delivery transport -for delivery to domains matching $relay_domains. The old "smtp" -transport is now the default mail delivery transport for non-local -domains that do not match relay_domains. +Name change of virtual domain tables +==================================== -The "virtual_maps" configuration parameter is now called -"virtual_alias_maps", for consistency with "virtual_mailbox_maps". -Default settings are backwards compatible with Postfix 1.1. +This release introduces separation of lookup tables for addresses +and for domain names of virtual domains. + +[Incompat 20021209] the virtual_maps parameter is replaced by +virtual_alias_maps (for address lookups) and virtual_alias_domains +(for the names of what were formerly called "Postfix-style virtual +domains"). -Postfix-style virtual domains are now called virtual alias domains. -Sendmail-style virtual domains are no longer documented. This part -of Postfix was too confusing. + For backwards compatibility with Postfix version 1.1, the new + virtual_alias_maps parameter defaults to $virtual_maps, and the + new virtual_alias_domains parameter defaults to $virtual_alias_maps. + This means that you can still keep all information about a domain + in one file, just like before. -The default queue directory hash_queue_depth setting is reduced to -1 level of subdirectories per Postfix queue. This improves "mailq" -performance on most systems, but can result in poorer worst-case -performance on systems with lots of mail in the queue. +For details, see the virtual(5) and sample-virtual.cf files. -The "reject_maps_rbl" restriction is going away. 
The SMTP server -logs a warning and suggests using the more flexible "reject_rbl_client" -instead. +[Incompat 20021209] the virtual_mailbox_maps parameter now has a +companion parameter called virtual_mailbox_domains (for the names +of domains served by the virtual delivery agent). virtual_mailbox_maps +is now used for address lookups only. -The "check_relay_domains" restriction is going away. The SMTP server -logs a warning and suggests using "reject_unauth_destination" -instead. + For backwards compatibility with Postfix version 1.1,, the new + virtual_mailbox_domains parameter defaults to $virtual_mailbox_maps. + This means that you can still keep all information about a domain + in one file, just like before. -The Postfix SMTP client no longer expands CNAMEs in MAIL FROM or -RCPT TO addresses (as permitted by RFC 2821). +For details, see the VIRTUAL_README file. -The Postfix installation procedure no longer sets the "chattr +S" -bit on Linux queue directories. Wietse has gotten too annoyed with -naive reviewers who complain about performance without having a -clue of what they are comparing. +Incompatible queue file format changes +====================================== -Major changes with Postfix snapshot 1.1.12-20021209 -=================================================== +[Incompat 20020527] Queue files created with the header/body_checks +"FILTER" feature are not compatible with "postqueue -r" (move queue +files back to the maildrop directory) of previous Postfix releases. -This release introduces separation of lookup tables for addresses -and for domain names of virtual domains. +[Incompat 20020512] Postfix queue files contain records that are +incompatible with "postqueue -r" on all Postfix versions prior to +1.1 and release candidates. This happens whenever the sender +specifies MIME body type information via the SMTP `MAIL FROM' +command, via the `sendmail -B' command line option, or via the +Content-Transfer-Encoding: message header. 
-- virtual_maps is replaced by virtual_alias_maps (for address - lookups) and virtual_alias_domains (for the names of what were - formerly called "Postfix-style virtual domains"). +[Incompat 20020512] Postfix queue files may contain records that +are incompatible with "postqueue -r" on previous 1.1 Postfix versions +and release candidates. This happens whenever the sender specifies +the MIME body type only via the Content-Transfer-Encoding: message +header, and not via `MAIL FROM' or `sendmail -B'. + +Features that are going away +============================ + +[Obsolete 20021209] Sendmail-style virtual domains are no longer +documented. This part of Postfix was too confusing. + +[Obsolete 20021209] The "reject_maps_rbl" restriction is going +away. The SMTP server now logs a warning and suggests using the +more flexible "reject_rbl_client" feature instead. + +[Obsolete 20021209] The "check_relay_domains" restriction is going +away. The SMTP server logs a warning and suggests using the more +robust "reject_unauth_destination" instead. + +[Obsolete 20020917] In regexp lookup tables, the form /pattern1/!/pattern2/ +is going away. Use the cleaner and more flexible "if !/pattern2/..endif" +form. The old form still exists but is no longer documented, and +causes a warning (suggesting to use the new format) to be logged. +For details, see "man regexp_table". + +[Obsolete 20020819] The qmgr_site_hog_factor feature is gone (this +would defer mail delivery for sites that occupy too much space in +the active queue, and be a real performance drain due to excessive +disk I/O). The new qmgr_clog_warn_time feature (see below) provides +more useful suggestions for dealing with Postfix congestion. + +[Obsolete 20020819] The "permit_naked_ip_address" restriction on +HELO command syntax is unsafe when used with most smtpd_XXX_restrictions +and will go away. Postfix logs a warning, suggesting to use +"permit_mynetworks" instead. 
+ +MIME support +============ + +[Feature 20020527] Postfix now has real MIME support. This improves +content filtering efficiency and accuracy, and improves inter-operability +with mail systems that cannot receive 8-bit mail. See conf/sample-mime.cf +for details. - For backwards compatibility with Postfix version 1.1, the new - virtual_alias_maps parameter defaults to $virtual_maps, and the - new virtual_alias_domains parameter defaults to $virtual_alias_maps. +[Feature 20020527] Postfix header_checks now properly recognize +MIME headers in attachments. This is much more efficient than +previous versions that recognized MIME headers via body_checks. +MIME headers are now processed one multi-line header at a time, +instead of one body line at a time. To get the the old behavior, +specify "disable_mime_input_processing = yes". More details in +conf/sample-filter.cf. + +[Feature 20020527] Postfix now has three classes of header patterns: +header_checks (for primary message headers except MIME headers), +mime_header_checks (for MIME headers), and nested_header_checks +(for headers of attached email messages except MIME headers). By +default, all headers are matched with header_checks. -- virtual_mailbox_maps now has a companion parameter called - virtual_mailbox_domains (for the names of domains served by the - virtual delivery agent). virtual_mailbox_maps is now used for - address lookups only. +[Feature 20020527] The Postfix SMTP client will now convert 8BITMIME +mail to 7BIT when delivering to an SMTP server that does not announce +8BITMIME support. To disable, specify "disable_mime_output_conversion += yes". However, this conversion is required by RFC standards. - For backwards compatibility with Postfix version 1.1,, the new - virtual_mailbox_domains parameter defaults to $virtual_mailbox_maps. +[Feature 20020528] Postfix can enforce specific aspects of the MIME +standards while receiving mail. 
+ +* Specify "strict_7bit_headers = yes" to disallow 8-bit characters + in message headers. These are always illegal. + +* Specify "strict_8bitmime_body = yes" to block mail with 8-bit + content that is not properly labeled as 8-bit MIME. This blocks + mail from poorly written mail software, including (bounces from + qmail, bounces from Postfix before snapshot 20020514, and Majordomo + approval requests) that contain valid 8BITMIME mail. + +* Specify "strict_8bitmime = yes" to turn on both strict_7bit_headers + and strict_8bitmime_body. + +* Specify "strict_mime_encoding_domain = yes" to block mail from + poorly written mail software. More details in conf/sample-mime.cf. + +[Incompat 20020527] Postfix now rejects mail if the MIME multipart +structure is nested more than mime_nesting_limit levels (default: +100) when MIME input processing is enabled while receiving mail, or +when Postfix is performing 8BITMIME to 7BIT conversion while +delivering mail. + +[Incompat 20020527] Postfix now recognizes "name :" as a valid +message header, but normalizes it to "name:" for consistency +(actually, there is so much code in Postfix that would break with +"name :" that there is little choice, except to not recognize "name +:" headers). + +[Incompat 20020512] Postfix queue files contain records that are +incompatible with "postqueue -r" on all Postfix versions prior to +1.1 and release candidates. This happens whenever the sender +specifies MIME body type information via the SMTP `MAIL FROM' +command, via the `sendmail -B' command line option, or via the +Content-Transfer-Encoding: message header. + +[Incompat 20020512] Postfix queue files may contain records that +are incompatible with "postqueue -r" on previous 1.1 Postfix versions +and release candidates. This happens whenever the sender specifies +the MIME body type only via the Content-Transfer-Encoding: message +header, and not via `MAIL FROM' or `sendmail -B'. 
+ +[Feature 20020512] The Postfix SMTP and LMTP clients now properly +pass on the MIME body type information (7BIT or 8BITMIME), provided +that the sender properly specifies MIME body type information via +the SMTP MAIL FROM command, via the sendmail -B command line option, +or via MIME message headers. This includes mail that is returned +as undeliverable. + +Improved performance +==================== + +[Incompat 20021209] The default queue directory hash_queue_depth +setting is reduced to 1 level of subdirectories per Postfix queue. +This improves "mailq" performance on most systems, but can result +in poorer worst-case performance on systems with lots of mail in +the queue. + +[Incompat 20021209] The Postfix SMTP client no longer expands CNAMEs +in MAIL FROM or RCPT TO addresses (as permitted by RFC 2821). This +eliminates one DNS lookup per sender and recipient, and can make +a dramatic difference when sending mailing list mail via a relayhost. + +[Incompat 20021209] The Postfix installation procedure no longer +sets the "chattr +S" bit on Linux queue directories. Wietse has +gotten too annoyed with naive reviewers who complain about performance +without having a clue of what they are comparing. + +[Feature 20021209] On mail gateway systems, separation of inbound +mail relay traffic from outbound traffic. This eliminates a problem +where inbound mail deliveries could become resource starved in the +presence of a high volume of outbound mail. + +[Feature 20021013] The body_checks_max_size parameter limits the +amount of text per message body segment (or attachment, if you +prefer to use that term) that is subjected to body_checks inspection. +The default limit is 50 kbytes. This speeds up the processing of +mail with large attachments. + +[Feature 20020917] Speedups of regexp table lookups by optimizing +for the $number substitutions that are actually present in the +right-hand side. Based on a suggestion by Liviu Daia. 
+ +[Feature 20020917] Speedups of regexp and pcre tables, using +IF..ENDIF support. Based on an idea by Bert Driehuis. To protect +a block of patterns, use: + + if /pattern1/ + /pattern2/ result2 + /pattern3/ result3 + endif + +IF..ENDIF can nest. Don't specify blanks at the beginning of lines +inside IF..ENDIF, because lines beginning with whitespace are +appended to the previous line. More details about the syntax are +given in the pcre_table(5) and regexp_table(5) manual pages. + +[Feature 20020717] The default timeout for establishing an SMTP +connection has been reduced to 30 seconds, because many systems +have an atrociously large default timeout value. -This release introduces the concept of address domain classes, each -having its own default mail delivery transport: +[Feature 20020505] Finer control over Berkeley DB memory usage, +The parameter "berkeley_db_create_buffer_size" (default: 16 MBytes) +specifies the buffer size for the postmap and postalias commands. +The parameter "berkeley_db_read_buffer_size" (default: 256 kBytes) +speficies the buffer size for all other applications. Specify +"berkeley_db_read_buffer_size = 1048576" to get the old read buffer +size. For more information, see the last paragraphs of the DB_README +file. + +Improved compatibitity +====================== + +[Feature 20020527] The Postfix SMTP client will now convert 8BITMIME +mail to 7BIT when delivering to an SMTP server that does not announce +8BITMIME support. To disable, specify "disable_mime_output_conversion += yes". However, this conversion is required by RFC standards. + +[Feature 20020512] The Postfix SMTP and LMTP clients now properly +pass on the MIME body type information (7BIT or 8BITMIME), provided +that the sender properly specifies MIME body type information via +the SMTP MAIL FROM command, via the sendmail -B command line option, +or via MIME message headers. This includes mail that is returned +as undeliverable. 
+ +[Incompat 20020326] The Postfix SMTP client now breaks message +header or body lines that are longer than $smtp_line_length_limit +characters (default: 990). Earlier Postfix versions broke lines +at $line_length_limit characters (default: 2048). Postfix versions +before 20010611 did not break long lines at all. Reportedly, some +mail servers refuse to receive mail with lines that exceed the 1000 +character limit that is specified by the SMTP standard. + +[Incompat 20020326] The Postfix SMTP client now breaks long message +header or body lines by inserting . Earlier +Postfix versions broke long lines by inserting only. This +broke MIME encapsulation, causing MIME attachments to "disappear" +with Postfix versions after 20010611. + +[Incompat 20020326] Postfix now discards text when a logical message +header exceeds $header_size_limit characters (default: 102400). +Earlier Postfix versions would place excess text, and all following +text, in the message body. The same thing was done when a physical +header line exceeded $line_length_limit characters (default: 2048). +Both behaviors broke MIME encapsulation, causing MIME attachments +to "disappear" with all previous Postfix versions. + +[Incompat 20021015] The Postfix LMTP client no longer lowercases email +addresses in MAIL FROM and RCPT TO commands. + +[Incompat 20021013] The default Linux kernel lock style for mailbox +delivery is changed from flock() to fcntl(). This has no impact if +your system uses procmail for local delivery, if you use maildir-style +mailboxes, or when mailbox access software locks mailboxes with +username.lock files (which is usually the case with non-maildir +mailboxes). 
+ +Address classes +=============== + +[Feature 20021209] This release introduces the concept of address +domain classes, each having its own default mail delivery transport: Destination matches Default transport Default name - -------------------------------------------------------------- + ============================================================== $mydestination or $inet_interfaces $local_transport local $virtual_alias_domains (not applicable) (not applicable) 
@@ -132,185 +343,82 @@ The benefits of these changes are: See the ADDRESS_CLASS_README file for a description of address classes, their benefits, and their incompatibilities. -Finally, regular expression maps are now allowed with local delivery -agent alias tables and with all virtual delivery agent lookup tables. -However, regular expression substitution of $1 etc. is still -forbidden for security reasons. - -Incompatible changes with Postfix snapshot 1.1.11-20021108 -========================================================== - -The behavior of the SMTP server's defer_if_permit flag has changed, -in order to maximize the opportunity to permanently reject mail -without opening opportunities for losing legitimate mail. - -The flag is still set when an UCE reject restriction fails due to -a temporary (DNS) problem, to prevent unwanted mail from slipping -through. However, the flag is no longer tested at the end of client, -helo or sender restrictions. Instead, the flag is now tested at -the end of the ETRN and recipient restrictions only. - -The behavior of the warn_if_reject restriction has changed. It no -longer activates any pending defer_if_permit or defer_if_reject -decisions (the defer_if_reject flag is set when some UCE permit -restriction fails due to a temporary (DNS) problem, to avoid loss -of legitimate mail). - -Instead of setting the defer_if_permit flag, a failing reject -restriction after warn_if_reject now merely logs that it would have -caused mail to be deferred. - -A failing permit restriction after warn_if_reject still raises the -defer_if_reject flag, to avoid loss of legitimate mail. - -Incompatible changes with Postfix snapshot 1.1.11-20021028 -========================================================== - -Logfile formats have changed. This may affect logfile processing -software. The queue file format is still compatible with Postfix -version 1.1 (stable release). - -- The Postfix SMTP server UCE reject etc. 
logging now includes the -queue ID, the mail protocol (SMTP or ESMTP), and the hostname that -was received with the HELO or EHLO command, if available. - -- The Postfix header/body_checks logging now includes the mail -protocol (SMTP, ESMTP, QMQP) and the hostname that was received -with the SMTP HELO or EHLO command, if available. - -The Postfix status=sent/bounced/deferred logging now shows the -original recipient address (as received before any address rewriting -or aliasing). The original recipient address is logged only when -it differs from the final recipient address. - -Major changes with Postfix snapshot 1.1.11-20021028 -=================================================== - -Postfix logs more information, as described in the "incompatibilities" -section above. - -The local(8) and virtual(8) delivery agents now record the original -recipient address in the X-Original-To: message header. This header -can also be emitted by the pipe(8) delivery agent. - -Major changes with Postfix snapshot 1.1.11-20021024 -=================================================== - -New proxy_interfaces parameter, for sites behind a network address -translation gateway or other type of proxy. Specify all the proxy -network addresses here, to avoid avoid mail delivery loops. - -Incompatible changes with Postfix snapshot 1.1.11-20021015 -========================================================== - -The Postfix LMTP client no longer lowercases email addresses in -MAIL FROM and RCPT TO commands. - -Incompatible changes with Postfix snapshot 1.1.11-20021013 -========================================================== - -The default Linux kernel lock style for mailbox delivery is changed -from flock() to fcntl(). This has no impact if your system uses -procmail for local delivery, if you use maildir-style mailboxes, -or when mailbox access software locks mailboxes with username.lock -files (which is usually the case with non-maildir mailboxes). 
- -Major changes with Postfix snapshot 1.1.11-20021013 -=================================================== - -The body_checks_max_size parameter limits the amount of text per -message body segment (or attachment, if you prefer to use that -term) that is subjected to body_checks inspection. The default -limit is 50 kbytes. This speeds up the processing of mail with -large attachments. - -Updated MacOS X support by Gerben Wierda. See the auxiliary/MacOSX -directory. - -Incompatible changes with Postfix snapshot 1.1.11-20020923 -========================================================== - -Subtle change in ${name?result} macro expansions: the expansion -no longer happens when $name is an empty string. This probably -makes more sense than the old behavior. - -The default RBL "reject" server reply now includes an indication -of *what* is being rejected: Client host, Helo command, Sender -address, or Recipient address. - -Major changes with Postfix snapshot 1.1.11-20020923 -=================================================== - -Complete rewrite of the RBL blacklisting code. The names of RBL -restrictions are now based on a suggestion that was made by Liviu -Daia in October 2001. See conf/sample-smtpd.cf or html/uce.html -for details. - -Feature: "reject_rbl_client rbl.domain.tld" for client IP address -blacklisting. Based on code by LaMont Jones. The old "reject_maps_rbl" -is now implemented as a wrapper around the reject_rbl_client code. - -Feature: "reject_rhsbl_sender rbl.domain.tld" for sender domain -blacklisting. Also: reject_rhsbl_client and reject_rhsbl_recipient +New relay transport in master.cf +================================ + +[Incompat 20021209] Postfix no longer defaults to the "smtp" +transport for all non-local destinations. In particular, Postfix +now uses the "relay" mail delivery transport for delivery to domains +matching $relay_domains. This may affect your defer_transports +settings. 
+ +On mail gateway systems, this allows us to separate inbound mail +relay traffic from outbound traffic, and thereby eliminate a problem +where inbound mail deliveries could become resource starved in the +presence of a high volume of outbound mail. + +[Incompat 20021209] This release adds a new "relay" service to the +Postfix master.cf file. This is a clone of the "smtp" service. If +your Postfix is unable to connect to the "relay" service then you +have not properly followed the installation procedure. + +Revision of RBL blacklisting code +================================= + +[Feature 20020923] Complete rewrite of the RBL blacklisting code. +The names of RBL restrictions are now based on a suggestion that +was made by Liviu Daia in October 2001. See conf/sample-smtpd.cf +or html/uce.html for details. + +[Feature 20020923] "reject_rbl_client rbl.domain.tld" for client +IP address blacklisting. Based on code by LaMont Jones. The old +"reject_maps_rbl" is now implemented as a wrapper around the +reject_rbl_client code, and logs a warning that "reject_maps_rbl" +is going away. + +[Feature 20020923] "reject_rhsbl_sender rbl.domain.tld" for sender +domain blacklisting. Also: reject_rhsbl_client and reject_rhsbl_recipient for client and recipient domain blacklisting. -"rbl_reply_maps" configuration parameter for lookup tables with -template responses per RBL server. Based on code by LaMont Jones. -If no reply template is found the default template is used as -specified with the default_rbl_reply configuration parameter. The -template responses support $name expansion of client, helo, sender, -recipient and RBL related attributes. - -"smtpd_expansion_filter" configuration parameter to control what -characters are allowed in the expansion of template reply $name -macros. Characters outside the allowed set are replaced by "_". 
- -Incompatible changes with Postfix snapshot 1.1.11-20020917 -========================================================== - -The relayhost setting now behaves as documented, i.e. you can no -longer specify multiple destinations. +[Feature 20020923] "rbl_reply_maps" configuration parameter for +lookup tables with template responses per RBL server. Based on code +by LaMont Jones. If no reply template is found the default template +is used as specified with the default_rbl_reply configuration +parameter. The template responses support $name expansion of +client, helo, sender, recipient and RBL related attributes. -In regexp lookup tables, the form /pattern1/!/pattern2/ is going -away. Use the cleaner and more flexible "if !/pattern2/..endif" -form. The old form still exists but is no longer documented. +[Incompat 20020923] The default RBL "reject" server reply now +includes an indication of *what* is being rejected: Client host, +Helo command, Sender address, or Recipient address. This also +changes the logfile format. -Major changes with Postfix snapshot 1.1.11-20020917 -=================================================== +[Feature 20020923] "smtpd_expansion_filter" configuration parameter +to control what characters are allowed in the expansion of template +RBL reply $name macros. Characters outside the allowed set are +replaced by "_". -Speedups of regexp table lookups by optimizing for the $number -substitutions that are actually present in the right-hand side. -Based on a suggestion by Liviu Daia. - -Speedups of regexp and pcre tables, using IF..ENDIF support. Based -on an idea by Bert Driehuis. To protect a block of patterns, use: - - if /pattern1/ - /pattern2/ result2 - /pattern3/ result3 - endif - -IF..ENDIF can nest. Don't specify blanks at the beginning of lines -inside IF..ENDIF, because lines beginning with whitespace are -appended to the previous line. More details about the syntax are -given in the pcre_table(5) and regexp_table(5) manual pages. 
+More sophisticated handling of UCE-related DNS lookup errors +============================================================ -Incompatible changes with Postfix snapshot 1.1.11-20020906 -========================================================== +[Feature 20020906] More sophisticated handling of UCE-related DNS +lookup errors. These cause Postfix to not give up so easily, so +that some deliveries will not have to be deferred after all. -The permit_mx_backup restriction is made more strict. With older -versions, some DNS failures would cause mail to be accepted anyway, -and some DNS failures would cause mail to be rejected by later -restrictions in the same restriction list. The improved version -will defer delivery when Postfix could make the wrong decision. +[Feature 20020906] The SMTP server sets a defer_if_permit flag when +an UCE reject restriction fails due to a temporary (DNS) problem, +to prevent unwanted mail from slipping through. The defer_if_permit +flag is tested at the end of the ETRN and recipient restrictions. -Major changes with Postfix snapshot 1.1.11-20020906 -=================================================== +[Feature 20020906] A similar flag, defer_if_reject, is maintained +to prevent mail from being rejected because a whitelist operation +(such as permit_mx_backup) fails due to a temporary (DNS) problem. -More sophisticated handling of UCE-related DNS lookup errors. -These cause Postfix to not give up so easily, so that some deliveries -will not have to be deferred after all. This affects the following -restrictions: +[Feature 20020906] The permit_mx_backup restriction is made more +strict. With older versions, some DNS failures would cause mail to +be accepted anyway, and some DNS failures would cause mail to be +rejected by later restrictions in the same restriction list. The +improved version will defer delivery when Postfix could make the +wrong decision. 
- After DNS lookup failure, permit_mx_backup will now accept the request if a subsequent restriction would cause the request to be 
@@ -324,1483 +432,388 @@ subsequent restriction would cause the request to be rejected anyway, and will defer the request if a subsequent restriction would cause the request to be accepted. -Specify "smtpd_data_restrictions = reject_unauth_pipelining" to -block mail from SMTP clients that send message content before -Postfix has replied to the SMTP DATA command. - -Incompatible changes with Postfix snapshot 1.1.11-20020819 -========================================================== - -The qmgr_site_hog_factor feature is gone (this would defer mail -delivery for sites that occupy too much space in the active queue, -and be a real performance drain due to excessive disk I/O). The -new qmgr_clog_warn_time feature (see below) provides more useful -suggestions for dealing with Postfix congestion. - -LDAP API version 1 is no longer supported. The memory allocation -and deallocation strategy has changed too much to maintain both -version 1 and 2 at the same time. - -In mailq output, the queue ID is followed by the ! character when -the message is in the "hold" queue (see below). This may break -programs that process mailq output. - -The "permit_naked_ip_address" restriction on HELO command syntax -is unsafe when used with most smtpd_XXX_restrictions, and will go -away. The user is now requested to use "permit_mynetworks" instead. - -The smtpd_sasl_local_domain setting now defaults to the null string, -rather than $myhostname. This seems to work better with Cyrus SASL -version 2. This change may cause incompatibility with the saslpasswd2 -command. - -Major changes with Postfix snapshot 1.1.11-20020819 -=================================================== - -When the Postfix local delivery agent detects a mail delivery loop -(usually the result of mis-configured mail pickup software), the -undeliverable mail is now sent to the mailing list owner instead -of the envelope sender address (usually the original poster who -has no guilt, and who cannot fix the problem). 
- -New "hold" queue for mail that should not be delivered. "postsuper --h" puts mail on hold, and "postsuper -H" releases mail, moving -mail that was "on hold" to the deferred queue. - -New header/body HOLD action that causes mail to be placed on the -"hold" queue. Presently, all you can do with mail "on hold" is to -examine it with postcat, to take it "off hold" with "postsuper -H", -or to destroy it with "postsuper -d". See conf/sample-filter.cf. - -The Postfix queue manager now warns when mail for some destination -is piling up in the active queue, and suggests a variety of remedies -to speed up delivery (increase per-destination concurrency limit, -increase active queue size, use a separate delivery transport, -increase per-transport process limit). The qmgr_clog_warn_time -parameter controls the time between warnings. To disable these -warnings, specify "qmgr_clog_warn_time = 0". - -Incompatible changes with Postfix snapshot 1.1.11-20020717 -========================================================== - -The default timeout for establishing an SMTP connection has been -reduced to 30 seconds, because many systems have an atrociously -large default timeout value. - -The Postfix SMTP client now logs a warning when the same domain is -listed in main.cf:mydestination as well as a Postfix-style virtual -map. Such a mis-configuration may cause mail for users to be rejected -with "user unknown". - -Postfix no longer strips multiple '.' characters from the end of -an email address or domain name. Only one '.' is tolerated. - -The SMTP server reject_unknown_{sender,recipient}_domain etc. -restrictions now also attempt to look up AAAA (IPV6 address) records. - -Major changes with Postfix snapshot 1.1.11-20020717 -=================================================== - -The masquerade_domains feature now supports exceptions. Prepend -a ! character to a domain name in order to not strip its subdomain -structure. More information in conf/sample-rewrite.cf. 
- -The Postfix virtual delivery agent supports catch-all entries -(@domain.tld) in lookup tables. These match users that do not -have a specific user@domain.tld entry. The virtual delivery agent -now ignores address extensions (user+foo@domain.tld) when searching -its lookup tables, but displays the extensions in Delivered-To: -message headers. - -Incompatible changes with Postfix snapshot 1.1.11-20020610 -========================================================== - -Regexp-based transport maps now see the entire recipient address -instead of only the destination domain name. - -Major changes with Postfix snapshot 1.1.11-20020610 -=================================================== - -A bizarre feature, sender-based routing, that could be useful in -combination with user@domain address lookups in the transport map. - -An actually useful feature, user@domain address lookups in the -transport map. This feature also understands address extensions. -Transport maps still support lookup keys in the form of domain -names, but only with non-regexp tables. Specify <> in order to -match the null address. More in the transport(5) manual page. - -Together with sender-based routing, and a dual Postfix setup. -user@domain transport map lookups could fulfill people's wishes to -have multiple SMTP personalities for sending and receiving mail, -including bounce processing. Details will have to be hammered out -by users, as Wietse is now completely tied up by other business -for the next three weeks. - -Incompatible changes with Postfix snapshot 1.1.11-20020528 -========================================================== - -With PCRE pattern matching, the `.' metacharacter now matches all -characters including newline characters. This makes PCRE pattern -matching more convenient to use with multi-line message headers, -and also makes PCRE more compatible with regexp pattern matching. -The pcre_table(5) manual page has been greatly revised. 
- -Major changes with Postfix snapshot 1.1.11-20020528 -=================================================== - -Postfix can enforce specific aspects of the MIME standards while -receiving mail. - -* Specify "strict_7bit_headers = yes" to disallow 8-bit characters - in message headers. These are always illegal. - -* Specify "strict_8bitmime_body = yes" to block mail with 8-bit - content that is not properly labeled as 8-bit MIME. This blocks - mail from poorly written mail software, including (bounces from - qmail, bounces from Postfix before snapshot 20020514, and Majordomo - approval requests) that contain valid 8BITMIME mail. - -* Specify "strict_8bitmime = yes" to turn on both strict_7bit_headers - and strict_8bitmime_body. - -* Specify "strict_mime_encoding_domain = yes" to block mail from - poorly written mail software. More details in conf/sample-mime.cf. - -Incompatible changes with Postfix snapshot 1.1.11-20020527 -========================================================== - -Message headers in MIME attachments etc. are no longer matched by -body_checks, one input line at a time. They are now by default -matched by header_checks, one multi-line header at a time. To get -the old behavior, specify "disable_mime_input_processing = yes", -or specify separate patterns for header_checks, mime_header_checks -and nested_header_checks. See conf/sample-mime.cf for details. - -Postfix now rejects mail if the MIME multipart structure is nested -more than mime_nesting_limit levels (default: 20) when MIME input -processing is enabled while receiving mail, or when Postfix is -performing 8BITMIME to 7BIT conversion while delivering mail. - -Postfix now recognizes "name :" as a valid message header, but -normalizes it to "name:" for consistency (actually, there is so -much code in Postfix that would break with "name :" that there is -little choice, except to not recognize "name :" headers). 
+[Feature 20020906] Specify "smtpd_data_restrictions = +reject_unauth_pipelining" to block mail from SMTP clients that send +message content before Postfix has replied to the SMTP DATA command. + +Other UCE related changes +========================= + +[Feature 20020717] The SMTP server reject_unknown_{sender,recipient}_domain +etc. restrictions now also attempt to look up AAAA (IPV6 address) +records. + +[Incompat 20020513] In order to allow user@domain@domain addresses +from untrusted systems, specify "allow_untrusted_routing = yes" in +main.cf. This opens opportunities for mail relay attacks when +Postfix provides backup MX service for Sendmail systems. + +[Incompat 20020514] For safety reasons, the permit_mx_backup +restriction no longer accepts mail for user@domain@domain. To +recover the old behavior, specify "allow_untrusted_routing = yes" +and live with the risk of becoming a relay victim. + +[Incompat 20020509] The Postfix SMTP server no longer honors OK +access rules for user@domain@postfix-style.virtual.domain, to close +a relaying loophole with postfix-style virtual domains that have +@domain.name catch-all patterns. + +[Incompat 20020201] In Postfix SMTPD access tables, Postfix now +uses <> as the default lookup key for the null address, in order +to work around bugs in some Berkeley DB implementations. This +behavior is controlled with the smtpd_null_access_lookup_key +configuration parameter. + +Changes in transport table lookups +================================== + +[Feature 20020610] user@domain address lookups in the transport +map. This feature also understands address extensions. Transport +maps still support lookup keys in the form of domain names, but +only with non-regexp tables. Specify mailer-daemon@my.host.name +in order to match the null address. More in the transport(5) manual +page. + +[Feature 20020505] Friendlier behavior of Postfix transport tables. +There is a new "*" wildcard pattern that always matches. 
The +meaning of null delivery transport AND nexhop information field +has changed to "do not modify": use the information that would be +used if the transport table did not exist. This change makes it +easier to route intranet mail (everything under my.domain) directly: +you no longer need to specify explicit "local" transport table +entries for every domain name that resolves to the local machine. +For more information, including examples, see the updated transport(5) +manual page. + +[Incompat 20020610] Regexp/PCRE-based transport maps now see the +entire recipient address instead of only the destination domain +name. + +[Incompat 20020505, 20021215] The meaning of null delivery transport +and nexhop fields has changed incompatibly. + +- A null delivery transport AND nexthop information field means +"do not modify": use the delivery transport or nexthop information +that would be used if no transport table did not exist. + +- The delivery transport is not changed with a null delivery +transport field and non-null nexthop field. + +- The nexthop is reset to the recipient domain with a non-null +transport field and a null nexthop information field. + +Address manipulation changes +============================ + +[Incompat 20020717] Postfix no longer strips multiple '.' characters +from the end of an email address or domain name. Only one '.' is +tolerated. + +[Feature 20020717] The masquerade_domains feature now supports +exceptions. Prepend a ! character to a domain name in order to +not strip its subdomain structure. More information in +conf/sample-rewrite.cf. + +[Feature 20020717] The Postfix virtual delivery agent supports +catch-all entries (@domain.tld) in lookup tables. These match users +that do not have a specific user@domain.tld entry. The virtual +delivery agent now ignores address extensions (user+foo@domain.tld) +when searching its lookup tables, but displays the extensions in +Delivered-To: message headers. 
+ +[Feature 20020610] user@domain address lookups in the transport +map. This feature also understands address extensions. Transport +maps still support lookup keys in the form of domain names, but +only with non-regexp tables. Specify mailer-daemon@my.host.name +in order to match the null address. More in the transport(5) manual +page. + +[Incompat 20020610] Regexp/PCRE-based transport maps now see the +entire recipient address instead of only the destination domain +name. + +[Incompat 20020513] In order to allow user@domain@domain addresses +from untrusted systems, specify "allow_untrusted_routing = yes" in +main.cf. This opens opportunities for mail relay attacks when +Postfix provides backup MX service for Sendmail systems. + +[Incompat 20020509] The Postfix SMTP server no longer honors OK +access rules for user@domain@postfix-style.virtual.domain, to close +a relaying loophole with postfix-style virtual domains that have +@domain.name catch-all patterns. + +[Incompat 20020509] The appearance of user@domain1@domain2 addresses +has changed. In mail headers, such addresses are now properly +quoted as "user@domain1"@domain2. As a side effect, this quoted +form is now also expected on the left-hand side of virtual and +canonical lookup tables, but only by some of the Postfix components. +For now, it is better not to use user@domain1@domain2 address forms +on the left-hand side of lookup tables. + +Regular expression and PCRE related changes +=========================================== -Queue files created with the header/body_checks "FILTER" feature -are not compatible with "postqueue -r" (move queue files back to -the maildrop directory) of previous Postfix releases. +[Feature 20021209] Regular expression maps are now allowed with +local delivery agent alias tables and with all virtual delivery +agent lookup tables. However, regular expression substitution of +$1 etc. is still forbidden for security reasons. 
+ +[Obsolete 20020917] In regexp lookup tables, the form /pattern1/!/pattern2/ +is going away. Use the cleaner and more flexible "if !/pattern2/..endif" +form. The old form still exists but is no longer documented, and +causes a warning (suggesting to use the new format) to be logged. + +[Incompat 20020610] Regexp/PCRE-based transport maps now see the +entire recipient address instead of only the destination domain +name. + +[Incompat 20020528] With PCRE pattern matching, the `.' metacharacter +now matches all characters including newline characters. This makes +PCRE pattern matching more convenient to use with multi-line message +headers, and also makes PCRE more compatible with regexp pattern +matching. The pcre_table(5) manual page has been greatly revised. + +New mail "HOLD" action and "hold" queue +======================================= + +[Feature 20020819] New "hold" queue for mail that should not be +delivered. "postsuper -h" puts mail on hold, and "postsuper -H" +releases mail, moving mail that was "on hold" to the deferred queue. + +[Feature 20020821] HOLD and DISCARD actions in SMTPD access tables. +As with the header/body version of the same, these actions apply +to all recipients of the same queue file. + +[Feature 20020819] New header/body HOLD action that causes mail to +be placed on the "hold" queue. Presently, all you can do with mail +"on hold" is to examine it with postcat, to take it "off hold" with +"postsuper -H", or to destroy it with "postsuper -d". See +conf/sample-filter.cf. + +[Incompat 20020819] In mailq output, the queue ID is followed by +the ! character when the message is in the "hold" queue (see below). +This may break programs that process mailq output. + +Content filtering +================= + +[Feature 20020823] Selective content filtering. In in SMTPD access +tables, specify "FILTER transport:nexthop" for mail that needs +filtering. More info about content filtering is in the Postfix +FILTER_README file. 
This feature overrides the main.cf content_filter +setting. Presently, this applies to all the recipients of a queue +file. -Major changes with Postfix snapshot 1.1.11-20020527 -=================================================== +[Feature 20020527] Selective content filtering. In header/body_check +patterns, specify "FILTER transport:nexthop" for mail that needs +filtering. This requires different cleanup servers before and after +the filter, with header/body checks turned off in the second cleanup +server. More info about content filtering is in the Postfix +FILTER_README file. This feature overrides the main.cf content_filter +setting. Presently, this applies to all the recipients of a queue +file. -Postfix now has real MIME support. This improves content filtering -efficiency and accuracy, and improves inter-operability with mail -systems that cannot receive 8-bit mail. See conf/sample-mime.cf +[Feature 20020527] Postfix now has real MIME support. This improves +content filtering efficiency and accuracy, and improves inter-operability +with mail systems that cannot receive 8-bit mail. See conf/sample-mime.cf for details. -Postfix header_checks now properly recognize MIME headers in -attachments. This is much more efficient than previous versions -that recognized MIME headers via body_checks. MIME headers are -now processed one multi-line header at a time, instead of one body -line at a time. +[Feature 20020527] Postfix header_checks now properly recognize +MIME headers in attachments. This is much more efficient than +previous versions that recognized MIME headers via body_checks. +MIME headers are now processed one multi-line header at a time, +instead of one body line at a time. To get the the old behavior, +specify "disable_mime_input_processing = yes". More details in +conf/sample-filter.cf. 
-In fact, Postfix now has three classes of header patterns: +[Feature 20020527] Postfix now has three classes of header patterns: header_checks (for primary message headers except MIME headers), mime_header_checks (for MIME headers), and nested_header_checks (for headers of attached email messages except MIME headers). By -default, all headers are matched with header_checks. To get the -the old behavior, specify "disable_mime_input_processing = yes". -More details in conf/sample-filter.cf. - -Selective content filtering. In header/body_check patterns, specify -"FILTER transport:nexthop" for mail that needs filtering. This -requires different cleanup servers before and after the filter, -with header/body checks turned off in the second cleanup server. -More info about content filtering is in the Postfix FILTER_README -file. Examples for this new feature still need to be developed. -This feature overrides the main.cf content_filter setting. - -The Postfix SMTP client will now convert 8BITMIME mail to 7BIT when -delivering to an SMTP server that does not announce 8BITMIME support. -To disable, specify "disable_mime_output_conversion = yes". However, -this conversion is required by RFC standards. - -Incompatible changes with Postfix snapshot 1.1.10-20020514 -========================================================== - -For safety reasons, the permit_mx_backup restriction no longer -accepts mail for user@domain@domain. To recover the old behavior, -specify "resolve_dequoted_address = no" which opens up a completely -different can of worms as described a few paragraphs down in this -document. - -Major changes with Postfix snapshot 1.1.9-20020513 -================================================== - -Updated LDAP client module with better handling of dead LDAP servers, -and with configurable filtering of query results. 
- -In order to allow user@domain@domain addresses from untrusted -systems, specify "resolve_dequoted_address = no" in main.cf (when -resolving mail, quote the address localpart as per RFC 822, so that -@ or % or ! operators in the address localpart remain invisible). -Although this behavior is technically more correct, it also opens -opportunities for mail relay attacks when Postfix provides backup -MX service for Sendmail systems. - -Incompatible changes with Postfix snapshot 1.1.9-20020512 -========================================================= - -The Postfix SMTP client no longer uses the CNAME expanded recipient -address when logging delivery or when bouncing mail. This makes -trouble shooting somewhat easier. - -Postfix snapshot 1.1.9-20020512 queue files contain records that -are incompatible with "postqueue -r" on all Postfix versions prior -to 1.1 and release candidates. This happens whenever the sender -specifies MIME body type information via the SMTP `MAIL FROM' -command, via the `sendmail -B' command line option, or via the -Content-Transfer-Encoding: message header. +default, all headers are matched with header_checks. -Postfix snapshot 1.1.9-20020512 queue files may contain records -that are incompatible with "postqueue -r" on previous 1.1 Postfix -versions and release candidates. This happens whenever the sender -specifies the MIME body type only via the Content-Transfer-Encoding: -message header, and not via `MAIL FROM' or `sendmail -B'. - -Major changes with Postfix snapshot 1.1.9-20020512 -================================================== - -The Postfix SMTP and LMTP clients now properly pass on the MIME -body type information (7BIT or 8BITMIME), provided that the sender -properly specifies MIME body type information via the SMTP MAIL -FROM command, via the sendmail -B command line option, or via MIME -message headers. This includes mail that is returned as undeliverable. 
-Implementing MIME body type propagation was a low priority because -qmail didn't implement this, either. However, Postfix will not -convert 8BITMIME content into 7BIT, and probably never will. - -Incompatible changes with Postfix snapshot 1.1.9-20020509 -========================================================= - -The Postfix SMTP server no longer honors OK access rules for -user@domain@postfix-style.virtual.domain, to close a relaying -loophole with postfix-style virtual domains that have @domain.name -catch-all patterns. - -The appearance of user@domain1@domain2 addresses has changed. In -mail headers, such addresses are now properly quoted as -"user@domain1"@domain2. As a side effect, this quoted form is now -also expected on the left-hand side of virtual and canonical lookup -tables, but only by some of the Postfix components. For now, it -is better not to use user@domain1@domain2 address forms on the -left-hand side of lookup tables. - -Incompatible changes with Postfix snapshot 1.1.8-20020508 -========================================================= - -The Postfix SMTP server by default no longer accepts mail for -user@domain@postfix-style.virtual.domain, to close a relaying -loophole with postfix-style virtual domains that have @domain.name -catch-all patterns. - -Incompatible changes with Postfix snapshot 1.1.8-20020505 -========================================================= - -In the Postfix transport table, the meaning of null delivery -transport and nexhop information fields has changed. As of now, a -null delivery transport or nexthop information field means "do not -modify": use the delivery transport or nexthop information that -would be used if no transport table did not exist. This change -results in the following incompatible changes in behavior: - -- A null delivery transport field no longer defaults to -$default_transport. It now defaults to $local_transport or -$default_transport depending on the destination. 
- -- A null nexthop information field no longer overrides the main.cf -relayhost setting. To override the relayhost, specify explicit -nexthop information in the Postfix transport table. - -The postalias command now copies the source file read permissions -to the result file when creating a table for the first time. Until -now, the result file was created with default read permissions. -This change makes postalias more similar to postmap. - -The postalias and postmap commands now drop super-user privileges -when processing a non-root source file. The file is now processed -as the source file owner, and the owner must therefore have permission -to update the result file. Specify the "-o" flag to get the old -behavior (process non-root files with root privileges). - -The read buffer size for Berkeley DB lookup tables was decreased -from 1MByte to 256kByte. Specify "berkeley_db_read_buffer_size = -1048576" to get the old read buffer size. - -Major changes with Postfix snapshot 1.1.8-20020505 -================================================== - -Friendlier behavior of Postfix transport tables. There is a new -"*" wildcard pattern that matches any domain. The meaning of a null -delivery transport or nexhop information field has changed to "do -not modify": use the information that would be used if the transport -table did not exist. This change makes it easier to route internal -mail (everything under my.domain) directly: you no longer need to -specify explicit "local" transport table entries for the local -machine. For more information, including examples, see the updated -transport(5) manual page. - -Finer control over Berkeley DB memory usage, and more efficient -usage of memory in applications that open lots of tables. The -parameter "berkeley_db_create_buffer_size" (default: 16 MBytes) -specifies the buffer size for the postmap and postalias commands. 
-The parameter "berkeley_db_read_buffer_size" (default: 256 kBytes) -speficies the buffer size for all other applications. For more -information, see the last paragraphs of the DB_README file. - -Major changes with Postfix snapshot 1.1.7-20020331 -================================================== +[Feature 20021013] The body_checks_max_size parameter limits the +amount of text per message body segment (or attachment, if you +prefer to use that term) that is subjected to body_checks inspection. +The default limit is 50 kbytes. This speeds up the processing of +mail with large attachments. -Support for the Cyrus SASL version 2 library, contributed by Jason -Hoos. This adds some new functionality that was not available in -Cyrus SASL version 1, and provides bit-rot insurance for the time -when Cyrus SASL version 1 eventually stops working. +[Feature 20020917] Speedups of regexp table lookups by optimizing +for the $number substitutions that are actually present in the +right-hand side. Based on a suggestion by Liviu Daia. -A new smtp_helo_name parameter that specifies the hostname to be -used in HELO or EHLO commands; this can be more convenient than -changing the myhostname parameter setting. +[Feature 20020917] Speedups of regexp and pcre tables, using +IF..ENDIF support. Based on an idea by Bert Driehuis. To protect +a block of patterns, use: -Choice between multiple instances of internal services: bounce, -cleanup, defer, error, flush, pickup, queue, rewrite, showq. This -allows you to use different cleanup server settings for different -SMTP server instances. For example, specify in the master.cf file: - - localhost:10025 ... smtpd -o cleanup_service_name=cleanup2 ... - cleanup2 ... cleanup -o header_checks= body_checks= ... 
- -Incompatible changes with Postfix version 1.1.6 (released 20020326) -=================================================================== - -The Postfix SMTP client now breaks message header or body lines -that are longer than $smtp_line_length_limit characters (default: -990). Earlier Postfix versions broke lines at $line_length_limit -characters (default: 2048). Postfix versions before 20010611 did -not break long lines at all. Reportedly, some mail servers refuse -to receive mail with lines that exceed the 1000 character limit -that is specified by the SMTP standard. - -The Postfix SMTP client now breaks long message header or body -lines by inserting . Earlier Postfix versions -broke long lines by inserting only. This broke MIME -encapsulation, causing MIME attachments to "disappear" with Postfix -versions after 20010611. - -Postfix now discards text when a logical message header exceeds -$header_size_limit characters (default: 102400). Earlier Postfix -versions would place excess text, and all following text, in the -message body. The same thing was done when a physical header line -exceeded $line_length_limit characters (default: 2048). Both -behaviors broke MIME encapsulation, causing MIME attachments to -"disappear" with all previous Postfix versions. - -Incompatible changes with Postfix version 1.1.3 (released 20020201) -=================================================================== - -In Postfix SMTPD access tables, Postfix now uses <> as the default -lookup key for the null address, in order to work around bugs in -some Berkeley DB implementations. This behavior is controlled with -the smtpd_null_access_lookup_key configuration parameter. - -On SCO 3.2 UNIX, the input rate flow control is now turned off by -default, because of limitations in the SCO UNIX kernel. 
- -Incompatible changes with Postfix version 1.1.2 (released 20020125) -=================================================================== - -Postfix now detects if the run-time Berkeley DB library routines -do not match the major version number of the compile-time include -file that was used for compiling Postfix. The software issues a -warning and aborts in case of a discrepancy. If it didn't, the -software was certain to crash with a segmentation violation. - -Incompatible changes with Postfix version 1.1.1 (released 20020122) -=================================================================== - -When the postmap command creates a non-existent result file, the -new file inherits the group/other read permissions of the source -file. + if /pattern1/ + /pattern2/ result2 + /pattern3/ result3 + endif -Incompatible changes with Postfix version 1.1.0 (released 20020117) -=================================================================== - -Changes are listed in order of decreasing importance, not release -date. - -[snapshot-20010709] This release introduces a new queue file record -type that is used only for messages that actually use VERP (variable -envelope return path) support. With this sole exception, the queue -file format is entirely backwards compatible with the previous -official Postfix release (20010228, a.k.a. Postfix 1.0.0). - -[snapshot-20020106] This release modifies the existing master.cf -file. The local pickup service is now unprivileged, and the cleanup -and flush service are now "public". Should you have to back out to -a previous release, then you must 1) edit the master.cf file, make -the pickup service "privileged", and make the cleanup and flush -services "private"; 2) "chmod 755 /var/spool/postfix/public". To -revert to a world-writable mail submission directory, "chmod 1733 -/var/spool/postfix/maildrop". 
- -[snapshot-20020106, snapshot-20010808, snapshot-20011103, -snapshot-20011121] You must stop and restart Postfix because of -incompatible changes in the local Postfix security model and in -the Postfix internal protocols. Old and new components will not -work together. - -[snapshot-20020106] Simpler local Postfix security model. - -- No world-writable maildrop directory. Postfix now always uses - the set-gid postdrop command for local mail submissions. The - local mail pickup daemon is now an unprivileged process. - -- No world-accessible pickup and queue manager server FIFOs. - -- New set-gid postqueue command for the queue list/flush operations - that used to implemented by the Postfix sendmail command. - -[snapshot-20020106..15] Simpler Postfix installation and upgrading. - -- All installation settings are now kept in the main.cf file, and - better default settings are now generated for system dependent - pathnames such as sendmail_path etc. The install.cf file is no - longer used, except when upgrading from an older Postfix version. - -- Non-default installation parameter settings can (but do not have - to) be specified on the "make install" or "make upgrade" command - line as name=value arguments. - -- New postfix-files database (in /etc/postfix) with (pathname, - owner, permission) information about all Postfix-related files. - -- New postfix-install script replaces the awkward INSTALL.sh script. - This is driven by the postfix-files database. It has better - support for building packages for distribution to other systems. - See PACKAGE_README for details. - -- New post-install script (in /etc/postfix) for post-installation - maintenance of directory/file permissions and ownership (this is - used by "postfix check"). 
Example: - - # postfix stop - # post-install set-permissions mail_owner=username setgid_group=groupname - # postfix start - -[snapshot-20020106] Postfix will not run if it detects that the -postfix user or group ID are shared with other accounts on the -system. The checks aren't exhaustive (that would be too resource -consuming) but should be sufficient to encourage packagers and -developers to do the right thing. To fix the problem, use the above -post-install command, after you have created the appropriate new -mail_owner or setgid_group user or group IDs. - -[snapshot-20020106] If you run multiple Postfix instances on the -same machine you now have to specify their configuration directories -in the default main.cf file as "alternate_config_directories = -/dir1 /dir2 ...". Otherwise, some Postfix commands will no longer -work: the set-group ID postdrop command for mail submission and -the set-group ID postqueue command for queue listing/flushing. - -[snapshot-20010808] The default setting for the maps_rbl_domains -parameter is now "empty", because mail-abuse.org has become a -subscription-based service. The names of the RBL parameters haven't -changed. - -[snapshot-20020106] Postfix SMTP access maps will no longer return -OK for non-local multi-domain recipient mail addresses (user@dom1@dom2, -user%dom1@dom2, etcetera); the lookup now returns DUNNO (undetermined). -Non-local multi-domain recipient addresses were already prohibited -from matching the permit_mx_backup and the relay_domains-based -restrictions. - -[snapshot-20011210] Stricter checking of Postfix chroot configurations. -The Postfix startup procedure now warns if "system" directories -(etc, bin, lib, usr) under the Postfix top-level queue directory -are not owned by the super-user (usually the result of well-intended, -but misguided, applications of "chown -R postfix /var/spool/postfix). 
- -[snapshot-20011008] The Postfix SMTP server now rejects requests -with a generic "try again later" status (451 Server configuration -error) when it detects an error in smtp_{client, helo, sender, -recipient, etrn}_restrictions settings. More details about the -problem are logged to the syslogd; sending such information to -random clients would be inappropriate. - -[snapshot-20011008] Postfix no longer flushes the entire mail queue -after receiving an ETRN request for a random domain name. Requests -for domains that do not match $fast_flush_domains are now rejected -instead. - -[snapshot-20011226] Postfix configuration file comments no longer -continue on the next line when that next line starts with whitespace. -This change avoids surprises, but it may cause unexpected behavior -with existing, improperly formatted, configuration files. Caveat -user. Comment lines are allowed to begin with whitespace. Multi-line -input is no longer terminated by a comment line, by an all whitespace -line, or by an empty line. - -[snapshot-20010714] Postfix delivery agents now refuse to create -a missing maildir or mail spool subdirectory when its parent -directory is world writable. This is necessary to prevent security -problems with maildirs or with hashed mailboxes under a world -writable mail spool directory. - -[snapshot-20010525] As per RFC 2821, the Postfix SMTP client now -always sends EHLO at the beginning of an SMTP session. Specify -"smtp_always_send_ehlo = no" for the old behavior, which is to send -EHLO only when the server greeting banner contains the word ESMTP. - -[snapshot-20010525] As per RFC 2821, an EHLO command in the middle -of an SMTP session resets the Postfix SMTP server state just like -RSET. This behavior cannot be disabled. - -[snapshot-20010709] The SMTP client now by default breaks lines > -2048 characters, to avoid mail delivery problems with fragile SMTP -server software. 
To get the old behavior back, specify "smtp_break_lines -= no" in the Postfix main.cf file. - -[snapshot-20010709] With recipient_delimiter=+ (or any character -other than -) Postfix will now recognize address extensions even -with owner-foo+extension addresses. This change was necessary to -make VERP useful for mailing list bounce processing. - -[snapshot-20010610] The Postfix pipe delivery agent no longer -automatically case-folds the expansion of $user, $extension or -$mailbox command-line macros. Specify the 'u' flag to get the old -behavior. - -[snapshot-20011210] The Postfix sendmail command no longer exits -with status 1 when mail submission fails, but instead returns a -sendmail-compatible status code as defined in /usr/include/sysexits.h. - -Major changes with Postfix version 1.1.0 (Released 20020117) -============================================================ +IF..ENDIF can nest. Don't specify blanks at the beginning of lines +inside IF..ENDIF, because lines beginning with whitespace are +appended to the previous line. More details about the syntax are +given in the pcre_table(5) and regexp_table(5) manual pages. -Changes are listed in order of decreasing importance, not release -date. - -The nqmgr queue manager is now bundled with Postfix. It implements -a smarter scheduling strategy that allows ordinary mail to slip -past mailing list mail, resulting in better response. This queue -manager is expected to become the default queue manager shortly. - -[snapshot-20010709, snapshot-20010808] VERP (variable envelope -return path) support. This is enabled by default, including in -the SMTP server. See the VERP_README file for instructions. Specify -"disable_verp_bounces = yes" to have Postfix send one RFC-standard, -non-VERP, bounce report for multi-recipient mail, even when VERP -style delivery was requested. This reduces the explosive behavior -of bounces when sending mail to a list. 
- -[snapshot-20010709] QMQP server support, so that Postfix can be -used as a backend mailer for the ezmlm-idx mailing list manager. -You still need qmail to drive ezmlm and to process mailing list -bounces. The QMQP service is disabled by default. To enable, follow -the instructions in the QMQP_README file. - -[snapshot-20010709] You can now reject unknown virtual(8) recipients -at the SMTP port by specifying a "domain.name whatever" entry in -the tables specified with virtual_mailbox_maps, similar to Postfix -virtual(5) domains. [virtual(8) is the Postfix virtual delivery -agent, virtual(5) is the Postfix virtual map. The two implement -virtual domains in a very different manner.] - -[snapshot-20011121] Configurable host/domain name wildcard matching -behavior: choice between "pattern `domain.name' matches string -`host.domain.name'" (this is to be deprecated in the future) and -"pattern `.domain.name' matches string `host.domain.name'" (this -is to be preferred in the future). The configuration parameter -"parent_domain_matches_subdomains" specifies which Postfix features -use the behavior that will become deprecated. - -[snapshot-20010808] Variable coupling between message receiving -rates and message delivery rates. When the message receiving rate -exceeds the message delivery rate, an SMTP server will pause for -$in_flow_delay seconds before accepting a message. This delay -gives Postfix a chance catch up and access the disk, while still -allowing new mail to arrive. This feature currently has effect -only when mail arrives via a small number of SMTP clients. - -[snapshot-20010610, snapshot-20011121, snapshot-20011210] Workarounds -for a bug in old versions of the CISCO PIX firewall software that -caused mail to be resent repeatedly. The workaround has no effect -for other mail deliveries. 
The workaround is turned off when mail -is queued for less than $smtp_pix_workaround_threshold_time seconds -(default: 500 seconds) so that the workaround is normally enabled -only for deferred mail. The delay before sending . is now -controlled by the $smtp_pix_workaround_delay_time setting (default: -10 seconds). - -[snapshot-20011226] Postfix will now do null address lookups in -SMTPD access maps. If your access maps cannot store or look up -null string key values, specify "smtpd_null_access_lookup_key = -<>" and the null sender address will be looked up as <> instead. - -[snapshot-20011210] More usable virtual delivery agent, thanks to -a new "static" map type by Jeff Miller that always returns its map -name as the lookup result. This eliminates the need for per-recipient -user ID and group ID tables. See the VIRTUAL_README file for more -details. - -[snapshot-20011125] Anti-sender spoofing. New main.cf parameter -smtpd_sender_login_maps that specifies the (SASL) login name that -owns a MAIL FROM sender address. Specify a regexp table in order -to require a simple one-to-one mapping. New SMTPD restriction -reject_sender_login_mismatch that refuses a MAIL FROM address when -$smtpd_sender_login_maps specifies an owner but the client is not -(SASL) logged in as the MAIL FROM address owner, or when a client -is (SASL) logged in but does not own the address according to -$smtpd_sender_login_maps. - -[snapshot-20011121] The mailbox_command_maps parameter allows you -to configure the external delivery command per user (local delivery -agent only). This feature has precedence over the mailbox_command -and home_mailbox settings. - -[snapshot-20011121] New "warn_if_reject" smtpd UCE restriction that -only warns if the restriction that follows would reject mail. Look -for file records that contain the string "reject_warning". - -[snapshot-20011127] New header/body_check result "WARN" to make -Postfix log a warning about a header/body line without rejecting -the content. 
- -[snapshot-20011103] In header/body_check files, REJECT can now be -followed by text that is sent to the originator. That feature was -stuck waiting for years, pending the internal protocol revision. - -[snapshot-20011008] The permit_mx_backup feature allows you to -specify network address blocks via the permit_mx_backup_networks -parameter. This requires that the primary MX hosts for the given -destination match the specified network blocks. When no value is -given for permit_mx_backup_networks, Postfix will accept mail -whenever the local MTA is listed in the DNS as an MX relay host -for a destination, even when you never gave permission to do so. - -[snapshot-20010709] Specify "mail_spool_directory = /var/mail/" -(note the trailing "/" character) to enable maildir format for -/var/mail/username. - -[snapshot-20010808] Finer control over address masquerading. The -masquerade_classes parameter now controls header and envelope sender -and recipient addresses. With earlier Postfix versions, address -masquerading rewrote all addresses except for the envelope recipient. - -[snapshot-20010610] The pipe mail delivery agent now supports proper -quoting of white space and other special characters in the expansions -of the $sender and $recipient command-line macros. This was necessary -for correct operation of the "simple" content filter, and is also -recommended for delivery via UUCP or BSMTP. - -[snapshot-20010610] The pipe mail delivery agent now supports case -folding the localpart and/or domain part of expansions of the -$nexthop, $recipient, $user, $extension or $mailbox command-line -macros. This is recommended for mail delivery via UUCP. Bug: $nexthop -is always case folded because of problems in the queue manager -code. - -[snapshot-20010525] This release contains many little revisions of -little details in the light of the new RFC 2821 and RFC 2822 -standards. Changes that may affect interoperability are listed -above under "incompatible changes". 
Other little details are -discussed in comments in the source code. - -[snapshot-20010502] The Postfix SMTP client now by default randomly -shuffles destination IP addresses of equal preference (whether -obtained via MX lookup or otherwise). Reportedly, this is needed -for sites that use Bernstein's dnscache program. Specify -"smtp_randomize_addresses = no" to disable this behavior. Based on -shuffling code by Aleph1. - -[snapshot-20011127] New parameter smtpd_noop_commands to specify -a list of commands that the Postfix SMTP server treats as NOOP -commands (no syntax check, no state change). This is a workaround -for misbehaving clients that send unsupported commands such as -ONEX. - -[snapshot-20010502] "postmap -q -" and "postmap -d -" read key -values from standard input, which makes it easier to drive them -from another program. The same feature was added to the postalias -command. - -[snapshot-20010502] The postsuper command now has a command-line -option to delete queue files. In principle this command can be -used while Postfix is running, but there is a possibility of deleting -the wrong queue file when Postfix deletes a queue file and reuses -the queue ID for a new message. In that case, postsuper will delete -the new message. - -[snapshot-20010525] The postsuper queue maintenance tool now renames -files whose name (queue ID) does not match the message file inode -number. This is necessary after a Postfix mail queue is restored -from another machine or from backups. The feature is selected with -the -s option, which is the default, and runs whenever Postfix is -started. - -[snapshot-20010525] The postsuper queue maintenance tool has a new --r (requeue) option for subjecting some or all queue files to -another iteration of address rewriting. This is useful after the -virtual or canonical maps have changed. - -[snapshot-20010525] The postsuper queue maintenance tool was extended -with options to read queue IDs from standard input. 
This makes the -tool easier to drive from scripts. - -[snapshot-20010329] Better support for running multiple Postfix -instances on one machine. Each instance can be recognized by its -logging (defaults: "syslog_name = postfix", "syslog_facility = -mail"). - -Major incompatible changes with release-20010228 Patch 01 (a.k.a. Postfix 1.0.1) -================================================================================ - -This release changes the names of the "fast ETRN" logfiles with -delayed mail per destination. These files are maintained by the -Postfix "fast flush" daemon. The old scheme failed with addresses -of the form user@[ip.address] and user@a.domain.name. In order to -populate the new "fast ETRN" logfiles, execute the command "sendmail --q". The old "fast ETRN" logfiles go away by themselves (default: -after 7 days). - -Major incompatible changes with release-20010228 (a.k.a. Postfix 1.0.0) -======================================================================= - -[snapshot-20010225] POSTFIX NO LONGER RELAYS MAIL FOR CLIENTS IN -THE ENTIRE CLASS A/B/C NETWORK. To get the old behavior, specify -"mynetworks_style = class" in the main.cf file. The default -(mynetworks_style = subnet) is to relay for clients in the local -IP subnet. See conf/main.cf. - -[snapshot-20001005, snapshot-20010225] You must execute "postfix -stop" before installing this release. Some recommended parameter -settings have changed, and a new entry must be added to the master.cf -file before you can start Postfix again. - -1 - The recommended Postfix configuration no longer uses flat - directories for the "incoming" "active", "bounce", and "defer" - queue directories. The "flush" directory for the new "flush" - service directory should not be flat either. - - Upon start-up, Postfix checks if the hash_queue_names configuration - parameter is properly set up, and will add any queue directory - names that are missing. 
- -2 - In order to improve performance of one-to-one mail deliveries - the queue manager will now look at up to 10000 queue files - (was: 1000). The default qmgr_message_active_limit setting - was changed accordingly. - - If you have a non-default qmgr_message_active_limit in main.cf, - you may want adjust it. - -3 - The new "flush" service needs to be configured in master.cf. - - Upon start-up, Postfix checks if the new "flush" service is - configured in the master.cf file, and will add an entry if it - is missing. - -Should you wish to back out to a previous Postfix release there is -no need to undo the above queue configuration changes. - -[snapshot-20000921] The protocol between queue manager and delivery -agents has changed. This means that you cannot mix the Postfix -queue manager or delivery agents with those of Postfix versions -prior to 20000921. This change does not affect Postfix queue file -formats. - -[snapshot-20000529] This release introduces an incompatible queue -file format change ONLY when content filtering is enabled (see text -in FILTER_README). Old Postfix queue files will work fine, but -queue files with the new content filtering info will not work with -Postfix versions before 20000529. Postfix logs a warning and moves -incompatible queue files to the "corrupt" mail queue subdirectory. - -Minor incompatible changes with release-20010228 -================================================ - -[snapshot-20010225] The incoming and deferred queue directories -are now hashed by default. This improves the performance considerably -under heavy load, at the cost of a small but noticeable slowdown -when one runs "mailq" on an unloaded system. - -[snapshot-20010222] Postfix no longer automatically delivers -recipients one at a time when their domain is listed in $mydestination. 
-This change solves delivery performance problems with delivery via -LMTP, with virus scanning, and with firewall relays that forward -all mail for $mydestination to an inside host. - -The "one recipient at a time" delivery behavior is now controlled -by the per-transport recipient limit (xxx_destination_recipient_limit, -where xxx is the name of the delivery mechanism). This parameter -controls the number of recipients that can be sent in one delivery -(surprise). - -The setting of the per-transport recipient limit also controls the -meaning of the per-transport destination concurrency limit (named -xxx_destination_concurrency_limit, where xxx is again the name of -the delivery mechanism): - - 1) When the per-transport recipient limit is 1 (i.e., send one - recipient per delivery), the per-transport destination concurrency - limit controls the number of simultaneous deliveries to the - same recipient. This is the default behavior for delivery via - the Postfix local delivery agent. - - 2) When the per-transport recipient limit is > 1 (i.e., send - multiple recipients per delivery), the per-transport destination - concurrency limit controls the number of simultaneous deliveries - to the same domain. This is the default behavior for all other - Postfix delivery agents. - -[snapshot-20010128] The Postfix local delivery agent now enforces -mailbox file size limits (default: mailbox_size_limit = 51200000). -This limit affects all file write access by the local delivery -agent or by a process run by the local delivery agent. The purpose -of this parameter is to act as a safety for run-away software. It -cannot be a substitute for a file quota management system. Specify -a limit of 0 to disable. - -[snapshot-20010128] REJECT in header/body_checks is now flagged as -policy violation rather than bounce, for consistency in postmaster -notifications. 
- -[snapshot-20010128] The default RBL (real-time blackhole lists) -domain examples have been changed from *.vix.com to *.mail-abuse.org. - -[snapshot-20001210] Several interfaces of libutil and libglobal -routines have changed. This may break third-party code written -for Postfix. In particular, the safe_open() routine has changed, -the way the preferred locking method is specified in the sys_defs.h -file, as well as all routines that perform file locking. When -compiling third-party code written for Postfix, the incompatibilities -will be detected by the compiler provided that #include file -dependencies are properly maintained. - -[snapshot-20001210] When delivering to /file/name (as directed in -an alias or .forward file), the local delivery agent now logs a -warning when it is unable to create a /file/name.lock file. Mail -is still delivered as before. - -[snapshot-20001210] The "sun_mailtool_compatibility" feature is -going away (a compatibility mode that turns off kernel locks on -mailbox files). It still works, but a warning is logged. Instead -of using "sun_mailtool_compatibility", specify the mailbox locking -strategy as "mailbox_delivery_lock = dotlock". - -[snapshot-20001210] The Postfix SMTP client now skips SMTP server -replies that do not start with "CODE SPACE" or with "CODE HYPHEN" -and flags them as protocol errors. Older Postfix SMTP clients -silently treated "CODE TEXT" as "CODE SPACE TEXT", i.e. as a valid -SMTP reply. - -[snapshot-20001121] On RedHat Linux 7.0, you must install the -db3-devel RPM before you can compile the Postfix source code. - -[snapshot-20000924] The postmaster address in the "sorry" text at -the top of bounced mail is now just postmaster, not postmaster@machine. -The idea is to refer users to their own postmaster. - -[snapshot-20000921] The notation of [host:port] in transport tables -etc. is going away but it is still supported. The preferred form -is now [host]:port. 
This change is necessary to support IPV6 -address forms which use ":" as part of a numeric IP address. In a -future release, Postfix will log a warning when it encounters the -[host:port] form. - -[snapshot-20000921] In mail headers, Errors-To:, Reply-To: and -Return-Receipt: addresses are now rewritten as a sender address -(was: recipient). - -[snapshot-20000921] Postfix no longer inserts Sender: message -headers. - -[snapshot-20000921] The queue manager now logs the original number -of recipients when opening a queue file (example: from=<>, size=3502, -nrcpt=1). - -[snapshot-20000921] The local delivery agent no longer appends a -blank line to mail that is delivered to external command. - -[snapshot-20000921] The pipe delivery agent no longer appends a -blank line when the F flag is specified (in the master.cf file). -Specify the B flag if you need that blank line. - -[snapshot-20000507] As required by RFC 822, Postfix now inserts a -generic destination message header when no destination header is -present. The text is specified via the undisclosed_recipients_header -configuration parameter (default: "To: undisclosed-recipients:;"). - -[snapshot-20000507] The Postfix sendmail command treats a line with -only `.' as the end of input, for the sake of sendmail compatibility. -To disable this feature, specify the sendmail-compatible `-i' or -`-oi' flags on the sendmail command line. - -[snapshot-20000507] For the sake of Sendmail compatibility, the -Postfix SMTP client skips over SMTP servers that greet with a 4XX -or 5XX reply code, treating them as unreachable servers. To obtain -prior behavior (4XX=retry, 5XX=bounce), specify "smtp_skip_4xx_greeting -= no" and "smtp_skip_5xx_greeting = no". - -Major changes with release-20010228 -=================================== - -Postfix produces DSN formatted bounced/delayed mail notifications. -The human-readable text still exists, so that users will not have -to be unnecessarily confused by all the ugliness of RFC 1894. 
Full -DSN support will be later. - -This release introduces full content filtering through an external -process. This involves an incompatible change in queue file format. -Mail is delivered to content filtering software via an existing -mail delivery agent, and is re-injected into Postfix via an existing -mail submission agent. See examples in the FILTER_README file. -Depending on how the filter is implemented, you can expect to lose -a factor of 2 to 4 in delivery performance of SMTP transit mail, -more if the content filtering software needs lots of CPU or memory. - -Specify "body_checks = regexp:/etc/postfix/body_checks" for a quick -and dirty emergency content filter that looks at non-header lines -one line at a time (including MIME headers inside the message body). -Details in conf/sample-filter.cf. - -The header_checks and body_checks features can be used to strip -out unwanted data. Specify IGNORE on the right-hand side and the -data will disappear from the mail. - -Support for SASL (RFC 2554) authentication in the SMTP server and -in the SMTP and LMTP clients. See the SASL_README file for more -details. This file still needs better examples. - -Postfix now ships with an LMTP delivery agent that can deliver over -local/remote TCP sockets and over local UNIX-domain sockets. The -LMTP_README file gives example, but still needs to be revised. - -Fast "ETRN" and "sendmail -qR". Postfix maintains per-destination -logfiles with information about what mail is queued for selected -destinations. See the file ETRN_README for details. - -The mailbox locking style is now fully configurable at runtime. -The new configuration parameter is called "mailbox_delivery_lock". -Depending on the operating system type, mailboxes can be locked -with one or more of "flock", "fcntl" or "dotlock". The command -"postconf -l" shows the available locking styles. The default -mailbox locking style is system dependent. 
This change affects -all mailbox and all "/file/name" deliveries by the Postfix local -delivery agent. - -Minor changes with release-20010228 -=================================== - -You can now specify multiple SMTP destinations in the relayhost -and fallback_relay configuration parameters. The destinations are -tried in the specified order. Specify host or host:port (perform -MX record lookups), [host] or [host]:port (no MX record lookups), -[address] or [address]:port (numerical IP address). - -The "mailbox_transport" and "fallback_transport" parameters now -understand the form "transport:nexthop", with suitable defaults -when either transport or nexthop are omitted, just like in the -Postfix transport map. This allows you to specify for example, -"mailbox_transport = lmtp:unix:/file/name". - -The local_transport and default_transport configuration parameters -can now be specified in transport:destination notation, just like -the mailbox_transport and fallback_transport parameters. The -:destination part is optional. However, these parameters take only -one destination, unlike relayhost and fallback-relay which take -any number of destinations. - -More general virtual domain support. Postfix now supports both -Sendmail-style virtual domains and Postfix-style virtual domains. -Details and examples are given in the revised virtual manual page. - -- With Sendmail-style virtual domains, local users/aliases/mailing - lists are visible as localname@virtual.domain. This is convenient - if you want to host mailing lists under virtual domains. - -- With Postfix-style virtual domains, local users/aliases/mailing - lists are not visible as localname@virtual.domain. Each virtual - domain has its own separate name space. - -More general "soft bounce" feature. Specify "soft_bounce = yes" -in main.cf to prevent the SMTP server from bouncing mail while you -are testing configurations. Until this release the SMTP server was -not aware of soft bounces. 
- -Workarounds for non-standard RFC 2554 (AUTH command) implementations. -Specify "broken_sasl_auth_clients = yes" to enable SMTP server -support for old Microsoft client applications. The Postfix SMTP -client supports non-standard RFC 2554 servers by default. - -All time-related configuration parameters now accept a one-letter -suffix to indicate the time unit (s: second, m: minute, h: hour, -d: day, w: week). The exceptions are the LDAP and MYSQL modules -which are maintained separately. - -New "import_environment" and "export_environment" configuration -parameters provide explicit control over what environment variables -Postfix will import, and what environment variables Postfix will -pass on to a non-Postfix process. - -In order to improve performance of one-to-one deliveries, Postfix -by default now looks at up to 10000 messages at a time (was: 1000). - -Specify "syslog_facility = log_local1" etc. to separate the logging -from multiple Postfix instances. However, a non-default logging -facility takes effect only after process initialization. Errors -during command-line parsing are still logged with the default syslog -facility, as are errors while processing the main.cf file. - -Postfix now strips out Content-Length: headers in incoming mail to -avoid confusion in mail user agents. - -Specify "require_home_directory = yes" to prevent mail from being -delivered to a user whose home directory is not mounted. This -feature is implemented by the Postfix local delivery agent. - -The pipe mailer has a size limit (size=nnn) command-line argument. - -The pipe delivery agent has a configurable end-of-line attribute. -Specify "pipe ... eol=\r\n" for delivery mechanisms that require -CRLF record delimiters. The eol attribute understands the following -C-style escape sequences: \a \b \f \n \r \t \v \nnn \\. - -In master.cf you can selectively override main.cf configuration -parameters, for example: "smtpd -o myhostname=foo.com". 
- -In main.cf, specify "smtp_bind_address=x.x.x.x" to bind SMTP -connections to a specific local interface. Or override the default -setting in master.cf with "smtp -o smtp_bind_address=x.x.x.x". -For now, you must specify a numeric IP address. - -Questionable feature: with "smtp_always_send_ehlo = yes", the SMTP -client sends EHLO regardless of the content of the SMTP server's -greeting. - -Specify "-d key" to postalias or postmap in order to remove one -key. This still needs to be generalized to multi-key removal (e.g., -read keys from stdin). - -Comments in Postfix configuration files no longer contain troff -formatting codes. The text is now generated from prototype files -in a new "proto" subdirectory. - -Major changes with postfix-19991231: +Postmap/postalias/newaliases changes ==================================== -- It is now much more difficult to configure Postfix as an open -relay. The SMTP server requires that "smtpd_recipient_restrictions" -contains at least one restriction that by default refuses mail (as -is the default). There were too many accidents with changes to -the UCE restrictions. - -- The relay_domains parameter no longer needs to contain $virtual_maps. - -- Overhauled FAQ (html/faq.html) with many more examples. - -- Updated UCE documentation (html/uce.html) with more examples. -More UCE configuration examples in sample configuration files. - -- Several little improvements to the installation procedure: -relative symlinks, configurable directory for scratch files so the -installation can be done without write access to the build tree. - -- Updated LDAP client code (John Hensley). - -- Updated mysql client code (Scott Cotton). - -- The SMTP server now rejects mail for unknown users in virtual -domains that are defined by Postfix virtual maps. - -- The SMTP server can reject mail for unknown local users. Specify -"local_recipient_maps = $alias_maps, unix:passwd.byname" if your -local mail is delivered by a UNIX-style local delivery agent. 
See -example in conf/main.cf. - -- Use "disable_vrfy_command = yes" to disable the SMTP VRFY command. -This prevents some forms of address harvesting. - -- The sendmail "-f" option now understands and even understands -forms with RFC 822-style comments. - -- New "qmgr_fudge_factor" parameter allows you to balance mailing -list performance against response time for one-to-one mail. The -fudge factor controls what percentage of delivery resources Postfix -will devote to one message. With 100%, delivery of one message -does not begin before delivery of the previous message is completed. -This is good for list performance, bad for one-to-one mail. With -10%, response time for one-to-one mail improves much, but list -performance suffers: in the worst case, people near the start of a -mailing list get a burst of postings today, while people near the -end of the list get that same burst of postings a whole day later. - -- It is now relatively safe to configure 550 status codes for the -main.cf unknown_address_reject_code or unknown_client_reject_code -parameters. The SMTP server now always sends a 450 (try again) -reply code when an UCE restriction fails due to a soft DNS error, -regardless of what main.cf specifies. - -- The RBL checks now show the content of TXT records (Simon J Mudd). - -- The Postfix SMTP server now understands a wider range of illegal -address forms in MAIL FROM and RCPT TO commands. In order to disable -illegal forms, specify "strict_rfc821_envelopes = yes". This also -disables support for MAIL FROM and RCPT TO addresses without <>. - -- Per-client/helo/sender/recipient UCE restrictions (fully-recursive -UCE restriction parser). See the RESTRICTION_CLASS file for details. - -- Use "postmap -q key" or "postalias -q key" for testing Postfix -lookup tables or alias files. - -- Use "postconf -e name=value..." to edit the main.cf file. This -is easier and safer than editing the main.cf file by hand. 
The -edits are done on a temporary copy that is renamed into place. - -- Use "postconf -m" to display all supported lookup table types -(Scott Cotton). +[Incompat 20020505] The postalias command now copies the source +file read permissions to the result file when creating a table for +the first time. Until now, the result file was created with default +read permissions. This change makes postalias more similar to +postmap. + +[Incompat 20020505] The postalias and postmap commands now drop +super-user privileges when processing a non-root source file. The +file is now processed as the source file owner, and the owner must +therefore have permission to update the result file. Specify the +"-o" flag to get the old behavior (process non-root files with root +privileges). + +[Incompat 20020122] When the postmap command creates a non-existent +result file, the new file inherits the group/other read permissions +of the source file. + +Assorted changes +================ + +[Feature 20021028] The local(8) and virtual(8) delivery agents now record +the original recipient address in the X-Original-To: message header. +This header can also be emitted by the pipe(8) delivery agent. + +[Feature 20021024] New proxy_interfaces parameter, for sites behind a +network address translation gateway or other type of proxy. You +should specify all the proxy network addresses here, to avoid avoid +mail delivery loops. + +[Feature 20021013] Updated MacOS X support by Gerben Wierda. See +the auxiliary/MacOSX directory. + +[Incompat 20021013] Subtle change in ${name?result} macro expansions: +the expansion no longer happens when $name is an empty string. This +probably makes more sense than the old behavior. + +[Incompat 20020917] The relayhost setting now behaves as documented, +i.e. you can no longer specify multiple destinations. 
+ +[Incompatibility 20021219] The use of the XVERP extension in the +SMTP MAIL FROM command is now restricted to SMTP clients that match +the hostnames, domains or networks listed with the authorized_verp_clients +parameter (default: $mynetworks). + +[Feature 20020819] When the Postfix local delivery agent detects +a mail delivery loop (usually the result of mis-configured mail +pickup software), the undeliverable mail is now sent to the mailing +list owner instead of the envelope sender address (usually the +original poster who has no guilt, and who cannot fix the problem). + +[Warning 20020819] The Postfix queue manager now warns when mail +for some destination is piling up in the active queue, and suggests +a variety of remedies to speed up delivery (increase per-destination +concurrency limit, increase active queue size, use a separate +delivery transport, increase per-transport process limit). The +qmgr_clog_warn_time parameter controls the time between warnings. +To disable these warnings, specify "qmgr_clog_warn_time = 0". + +[Warning 20020717] The Postfix SMTP client now logs a warning when +the same domain is listed in main.cf:mydestination as well as a +Postfix-style virtual map. Such a mis-configuration may cause mail +for users to be rejected with "user unknown". + +[Feature 20020331] A new smtp_helo_name parameter that specifies +the hostname to be used in HELO or EHLO commands; this can be more +convenient than changing the myhostname parameter setting. + +[Feature 20020331] Choice between multiple instances of internal +services: bounce, cleanup, defer, error, flush, pickup, queue, +rewrite, showq. This allows you to use different cleanup server +settings for different SMTP server instances. For example, specify +in the master.cf file: -- New "permit_auth_destination" UCE restriction for finer-grained -access control (Jesper Skriver). 
- -Incompatible changes with postfix-19990906 -========================================== - -- On systems that use user.lock files to protect system mailboxes -against simultaneous updates, Postfix now uses /file/name.lock -files while delivering to files specified in aliases/forward/include -files. This is a no-op when the recipient lacks directory write -permission. - -- The LDAP client code no longer looks up a name containing "*" -because it could be abused. See the LDAP_README file for how to -restore previous behavior. - -- The Postfix to PCRE interface now expects PCRE version 2.08. -Postfix is no longer compatible with PCRE versions prior to 2.06. + localhost:10025 ... smtpd -o cleanup_service_name=cleanup2 ... + cleanup2 ... cleanup -o header_checks= body_checks= ... -Major changes with postfix-19990906 -=================================== +Logfile format changes +====================== -Several bugfixes, none related to security. See the HISTORY file -for a complete list of changes. +[Incompat 20021209] The Postfix SMTP client no longer expands CNAMEs +in MAIL FROM addresses (as permitted by RFC 2821) before logging +the recipient address. -- Postfix is now distributed under IBM Public License Version 1.0 -which does not carry the controversial termination clause. The new -license does have a requirement that contributors make source code +[Incompat 20021028] The Postfix SMTP server UCE reject etc. logging +now includes the queue ID, the mail protocol (SMTP or ESMTP), and +the hostname that was received with the HELO or EHLO command, if available. -- INSTALL.sh install/upgrade procedure that replaces existing -programs and shell scripts instead of overwriting them, and that -leaves existing queue files and configuration files alone. - -- The ugly Delivered-To: header can now be turned off selectively. -The default setting is: "prepend_delivered_header = command, file, -forward". 
Turning off the Delivered-To: header when forwarding -mail is not recommended. - -- mysql client support by Scott Cotton and Joshua Marcus, Internet -Consultants Group, Inc. See the file MYSQL_README for instructions. - -- reject_unauth_destination SMTP recipient restriction that rejects -destinations not in $relay_domains. Unlike the check_relay_domains -restriction, reject_unauth_destination ignores the client hostname. -By Lamont Jones of Hewlett-Packard. - -- reject_unauth_pipelining SMTP *anything* restriction to stop mail -from spammers that improperly use SMTP command pipelining to speed -up their deliveries. - -- Postfix "sendmail" now issues a warning and drops privileges if -installed set-uid root. - -- No more duplicate delivery when "postfix reload" is immediately -followed by "sendmail -q". - -- No more "invalid argument" errors when a Postfix daemon opens a -DB/DBM file while some other process is changing the file. - -- Portability to the Mac OS X Server, Reliant Unix, AIX 3.2.5 and -Ultrix 4.3. - -Incompatible changes with postfix-19990601: -=========================================== - -- The SMTP server now delays all UCE restrictions until the RCPT -TO, VRFY or ETRN command. This makes the restrictions more useful, -because many SMTP clients do not expect negative responses earlier -in the protocol. In order to restore the old behavior, specify -"smtpd_delay_reject = no" in /etc/postfix/main.cf. - -- The Postfix local delivery agent no longer automatically propagates -address extensions to aliases/include/forward addresses. Specify -"propagate_unmatched_extensions = canonical, virtual, alias, forward, -include" to restore the old behavior. - -- The Postfix local delivery agent no longer does $name expansion -on words found in the mailbox_command configuration parameter. This -makes it easier to specify shell syntax. See conf/main.cf. - -- The luser_relay syntax has changed. You can specify one address; -it is subjected to $user, etc. expansions. 
See conf/main.cf. - -- File system reorganization: daemon executables are now in the -libexec subdirectory, command executables in the bin subdirectory. -The INSTALL instructions now recommend installing daemons and -commands into separate directories. - -Major changes with postfix-19990601: -===================================== - -- New USER, EXTENSION, LOCAL, DOMAIN and RECIPIENT environment -variables for delivery to command (including mailbox_command) by -the local delivery agent. As you might expect, the information is -censored. The list of acceptable characters is specified with the -command_expansion_filter configuration parameter. Unacceptable -characters are replaced by underscores. See html/local.8.html. - -- Specify "forward_path = /var/forward/$user" to avoid looking up -.forward files in user home directories. The default value is -$home/.forward$recipient_delimiter$extension, $home/.forward. -Initial code by Philip A. Prindeville, Mirapoint, Inc., USA. - -- Conditional $name expansion in forward_path and luser_relay. -Available names are: $user (bare user name) $shell (user login -shell), $home (user home directory), $local (everything to the left -of @), $extension (optional address extension), $domain (everything -to the right of @), $recipient (the complete address) and -$recipient_delimiter. A simple $name expands as usual. ${name?value} -expands to value when $name is defined. ${name:value} expands to -value when $name is not defined. With ${name?value} and ${name:value}, -the value is subject to another iteration of $name expansion. - -- POSIX regular expression support, enabled by default on 4.4BSD, -LINUX, HP-UX, and Solaris 2.5 and later. See conf/sample-regexp.cf. -Initial code by Lamont Jones, Hewlett-Packard, borrowing heavily -from the PCRE implementation by Andrew McNamara, connect.com.au -Pty. Ltd., Australia. - -- Regular expression checks for message headers. This requires -support for POSIX or for PCRE regular expressions. 
Specify -"header_checks = regexp:/file/name" or "header_checks = pcre:/file/name", -and specify "/^header-name: badstuff/ REJECT" in the pattern file -(patterns are case-insensitive by default). Code by Lamont Jones, -Hewlett-Packard. It is to be expected that full content filtering -will be delegated to an external command. - -- Regular expression support for all lookup tables, including access -control (full mail addresses only), address rewriting (canonical/virtual, -full mail addresses only) and transport tables (full domain names -only). However, regular expressions are not allowed for aliases, -because that would open up security exposures. - -- Automatic detection of changes to DB or DBM lookup tables. This -eliminates the need to run "postfix reload" after each change to -the SMTP access table, or to the canonical, virtual, transport or -aliases tables. - -- New error mailer. Specify ".domain.name error:domain is undeliverable" -in the transport table to bounce mail for entire domains. - -- No more Postfix lockups on Solaris (knock on wood). The code no -longer uses Solaris UNIX-domain sockets, because they are still -broken, even with Solaris 7. - -- Workaround for the Solaris mailtool, which keeps an exclusive -kernel lock on the mailbox while its window is not iconified (specify -"sun_mailtool_compatibility = yes" in main.cf). - -- Questionable workaround for Solaris, which reportedly loses -long-lived exclusive locks that are held by the master daemon. - -- New reject_unknown_{sender,recipient}_domain restrictions for -sender and recipient mail addresses that distinguish between soft -errors (always 450) and hard errors (unknown_address_reject_code, -default 450). - -- MIME-encapsulated bounce messages, making it easier to recover -bounced mail. Initial implementation by Philip A. Prindeville, -Mirapoint, Inc., USA. 
Support for RFC 1892 (multipart/report) and -RFC 1894 (DSN) will have to wait until Postfix internals have been -revised to support RFC 1893. - -- Separately configurable "postmaster" addresses for single bounces -(bounce_notice_recipient), double bounces (2bounce_notice_recipient), -delayed mail (delay_notice_recipient), and for mailer error reports -(error_notice_recipient). See conf/main.cf. - -- Questionable feature: specify "best_mx_transport = local" if -this machine is the best MX host for domains not in mydestinations. - -Incompatible changes with postfix-19990317: -=========================================== - -- You MUST install the new version of /etc/postfix/postfix-script. - -- The pipe mailer "flags" syntax has changed. You now explicitly -MUST specify the R flag in order to generate a Return-Path: message -header (as needed by, for example, cyrus). - -Major changes with postfix-19990317: -==================================== - -A detailed record of changes is given in the HISTORY file. - -- Less postmaster mail. Undeliverable bounce messages (double -bounces) are now discarded. Specify "notify_classes = 2bounce..." -to get copies of double bounces. Specify "notify_classes = bounce..." -to get copies of normal and double bounces. - -- Improved LDAP client code by John Hensley of Merit Network, USA. -See LDAP_README for details. - -- Perl-compatible regular expression support for lookup maps by -Andrew McNamara, connect.com.au Pty. Ltd., Australia.. Example: -"check_recipient_access pcre:/etc/postfix/sample-pcre.cf". Regular -expressions provide a powerful tool not only for SMTP access control -but also for address rewriting. See PCRE_README for details. - -- Automatic notification of delayed mail (disabled by default). -With "delay_warning_time = 4", Postfix informs senders when mail -has not been delivered after 4 hours. Initial version of the code -by Daniel Eisenbud, University of California at Berkeley. 
In order -to get postmaster copies of such warnings, specify "notify_classes -= delay...". +[Incompat 20021028] The Postfix header/body_checks logging now +includes the mail protocol (SMTP, ESMTP, QMQP) and the hostname +that was received with the SMTP HELO or EHLO command, if available. -- More configurable local delivery: "mail_spool_directory" to -specify the UNIX mail spool directory; "mailbox_transport" to -delegate all mailbox delivery to, for example, cyrus, and -"fallback_transport" to delegate delivery of only non-UNIX users. -And all this without losing local aliases and local .forward -processing. See config/main.cf and config/master.cf. +[Incompat 20021028] The Postfix status=sent/bounced/deferred logging +now shows the original recipient address (as received before any +address rewriting or aliasing). The original recipient address is +logged only when it differs from the final recipient address. -- Several changes to improve Postfix behavior under worst-case -conditions (frequent Postfix restarts/reloads combined with lots -if inbound mail, intermittent connectivity problems, SMTP servers -that become comatose after receiving QUIT). +[Incompat 20020923] The default RBL "reject" server reply now +includes an indication of *what* is being rejected: Client host, +Helo command, Sender address, or Recipient address. This also +changes the logfile format. -- More NFS-friendly mailbox delivery. The local delivery agent -now avoids using root privileges where possible. +LDAP related changes +==================== -- For sites that do not receive mail at all, mydestination can now -be an empty string. Be sure to set up a transport table entry to -prevent mail from looping. +[Incompat 20020819] LDAP API version 1 is no longer supported. The +memory allocation and deallocation strategy has changed too much +to maintain both version 1 and 2 at the same time. -- New "postsuper" utility to clean up stale files from Postfix -queues. 
+[Feature 20020513] Updated LDAP client module with better handling +of dead LDAP servers, and with configurable filtering of query +results. -- Workaround for BSD select() collisions that cause performance -problems on large BSD systems. +SASL related changes +==================== -- Several questionable but useful features to capture mail: -"always_bcc = address" to capture a copy of every message that -enters the system, and "luser_relay = address" to capture mail for -unknown recipients (does not work when mailbox_transport or -fallback_transport are being used). +[Incompat 20020819] The smtpd_sasl_local_domain setting now defaults +to the null string, rather than $myhostname. This seems to work +better with Cyrus SASL version 2. This change may cause incompatibility +with the saslpasswd2 command. -- Junk mail controls: new reject_non_fqdn_{hostname,sender,recipient} -restrictions to reject non-FQDN arguments in HELO, MAIL FROM and -RCPT TO commands, and stricter checking of numeric HELO arguments. +[Feature 20020331] Support for the Cyrus SASL version 2 library, +contributed by Jason Hoos. This adds some new functionality that +was not available in Cyrus SASL version 1, and provides bit-rot +insurance for the time when Cyrus SASL version 1 eventually stops +working. -- "fallback_relay" feature for sites that use DNS but that can't -talk to the entire world. The fall-back relay gets the mail when -a destination is not found in the DNS or when the destination is -found but not reachable. +Berkeley DB related changes +=========================== -- Several questionable controls that can help to keep mail going: -specify "smtp_skip_4xx_greeting = yes" to skip SMTP servers that -greet with 4XX, "ignore_mx_lookup_error = yes" to look up an A -record when a DNS server does not respond to an MX query. - -Incompatible changes with postfix-beta-19990122-pl01: -===================================================== - -None. 
- -Major changes with postfix-beta-19990122-pl01: -============================================== - -- Restrict who may use ETRN and what domains may be specified. -Example: "smtpd_etrn_restrictions = permit_mynetworks, reject". - -- BIFF notifications. For compatibility reasons this feature is -on by default. Specify "biff = no" in main.cf if your machine has -lots of shell users. - -- With "soft_bounce = yes", defer delivery instead of bouncing -mail. This is a safety net for configuration errors with delivery -agents. It has no effect on errors in virtual maps, canonical maps, -or in junk mail restrictions. - -- Specify "owner_request_special = no" to turn off special treatment -of owner-foo and foo-request addresses. - -Incompatible changes with postfix-beta-19990122: -================================================ - -- The syntax of the transport table has changed. An entry like: - - customer.org smtp:[gateway.customer.org] - - no longer forwards mail for anything.customer.org. For that you - need to specify: - - customer.org smtp:[gateway.customer.org] - .customer.org smtp:[gateway.customer.org] - - This change makes transport tables more compatible with - sendmail mailer tables. - -- The format of syslog records has changed. A client is now always -logged as hostname[address]; the pickup daemon logs queue file uid -and sender address. - -Major changes with postfix-beta-19990122: -========================================= - -- Junk mail restrictions can now be postponed to the RCPT TO command. -Specify: "smtpd_recipient_restrictions = reject_maps_rbl...". - -- More flexible interface for delivery to e.g., cyrus IMAP without -need for PERL scripts to munge recipient addresses. In addition to -$sender, $nexthop and $recipient, the pipe mailer now also supports -$user, $extension and $mailbox. - -- New mail now has precedence over deferred mail, plus some other -tweaks to make bulk mail go faster. But it ain't no cure for massive -network outages. 
- -- Watchdog timer for systems that cause the Postfix queue manager -to lock up, so it recovers without human intervention. - -- Delivery to qmail-style maildir files, which is good for NFS -environments. Specify "home_mailbox = Maildir/", or specify -/file/name/ in aliases or in .forward files. The trailing / is -required to turn on maildir delivery. - -- Incremental updates of aliases and maps. Specify "postmap -i -mapname" and it will read new entries from stdin. - -- Newaliases will now update more than one alias database. -Specify the names with the main.cf "alias_database" parameter. - -- Address masquerading exceptions to prevent users from being -masqueraded. Specify "masquerade_exceptions = root". - -- A pipelined SMTP client. Deliveries to Postfix, qmail, LSOFT, -zmailer, and exim (once it's fixed) speed up by some 30% for short -messages with one recipient, with more for multi-recipient mails. +[Feature 20020505] Finer control over Berkeley DB memory usage, +The parameter "berkeley_db_create_buffer_size" (default: 16 MBytes) +specifies the buffer size for the postmap and postalias commands. +The parameter "berkeley_db_read_buffer_size" (default: 256 kBytes) +speficies the buffer size for all other applications. Specify +"berkeley_db_read_buffer_size = 1048576" to get the old read buffer +size. For more information, see the last paragraphs of the DB_README +file. -- Hook for local delivery to "|command" via the smrsh restricted -shell, to restrict what commands may be used in .forward etc. files. -Specify "local_command_shell = /some/where/smrsh -c". +[Incompat 20020201] In Postfix SMTPD access tables, Postfix now +uses <> as the default lookup key for the null address, in order +to work around bugs in some Berkeley DB implementations. This +behavior is controlled with the smtpd_null_access_lookup_key +configuration parameter. 
+ +[Incompat 20020201] Postfix now detects if the run-time Berkeley +DB library routines do not match the major version number of the +compile-time include file that was used for compiling Postfix. The +software issues a warning and aborts in case of a discrepancy. If +it didn't, the software was certain to crash with a segmentation +violation. + +Assorted workarounds +==================== + +[Incompat 20020201] On SCO 3.2 UNIX, the input rate flow control +is now turned off by default, because of limitations in the SCO +UNIX kernel. diff --git a/postfix/RELEASE_NOTES-1.1 b/postfix/RELEASE_NOTES-1.1 new file mode 100644 index 000000000..c6f4611d5 --- /dev/null +++ b/postfix/RELEASE_NOTES-1.1 
@@ -0,0 +1,1087 @@ +In the text below, incompatible changes are labeled with the Postfix +snapshot that introduced the change. If you upgrade from a later +Postfix version, then you do not have to worry about that particular +incompatibility. + +Official Postfix releases are called a.b.c where a=major release +number, b=minor release number, c=patchlevel. Snapshot releases +are now called a.b.c-yyyymmdd where yyyymmdd is the release date +(yyyy=year, mm=month, dd=day). The mail_release_date configuration +parameter contains the release date (both for official release and +snapshot release). Patches change the patchlevel and the release +date. Snapshots change only the release date, unless they include +the same bugfixes as a patch release. + +Incompatible changes with Postfix version 1.1.0 (released 20020117) +=================================================================== + +Changes are listed in order of decreasing importance, not release +date. + +[snapshot-20010709] This release introduces a new queue file record +type that is used only for messages that actually use VERP (variable +envelope return path) support. With this sole exception, the queue +file format is entirely backwards compatible with the previous +official Postfix release (20010228, a.k.a. Postfix 1.0.0). + +[snapshot-20020106] This release modifies the existing master.cf +file. The local pickup service is now unprivileged, and the cleanup +and flush service are now "public". Should you have to back out to +a previous release, then you must 1) edit the master.cf file, make +the pickup service "privileged", and make the cleanup and flush +services "private"; 2) "chmod 755 /var/spool/postfix/public". To +revert to a world-writable mail submission directory, "chmod 1733 +/var/spool/postfix/maildrop". 
+ +[snapshot-20020106, snapshot-20010808, snapshot-20011103, +snapshot-20011121] You must stop and restart Postfix because of +incompatible changes in the local Postfix security model and in +the Postfix internal protocols. Old and new components will not +work together. + +[snapshot-20020106] Simpler local Postfix security model. + +- No world-writable maildrop directory. Postfix now always uses + the set-gid postdrop command for local mail submissions. The + local mail pickup daemon is now an unprivileged process. + +- No world-accessible pickup and queue manager server FIFOs. + +- New set-gid postqueue command for the queue list/flush operations + that used to implemented by the Postfix sendmail command. + +[snapshot-20020106..15] Simpler Postfix installation and upgrading. + +- All installation settings are now kept in the main.cf file, and + better default settings are now generated for system dependent + pathnames such as sendmail_path etc. The install.cf file is no + longer used, except when upgrading from an older Postfix version. + +- Non-default installation parameter settings can (but do not have + to) be specified on the "make install" or "make upgrade" command + line as name=value arguments. + +- New postfix-files database (in /etc/postfix) with (pathname, + owner, permission) information about all Postfix-related files. + +- New postfix-install script replaces the awkward INSTALL.sh script. + This is driven by the postfix-files database. It has better + support for building packages for distribution to other systems. + See PACKAGE_README for details. + +- New post-install script (in /etc/postfix) for post-installation + maintenance of directory/file permissions and ownership (this is + used by "postfix check"). 
Example: + + # postfix stop + # post-install set-permissions mail_owner=username setgid_group=groupname + # postfix start + +[snapshot-20020106] Postfix will not run if it detects that the +postfix user or group ID are shared with other accounts on the +system. The checks aren't exhaustive (that would be too resource +consuming) but should be sufficient to encourage packagers and +developers to do the right thing. To fix the problem, use the above +post-install command, after you have created the appropriate new +mail_owner or setgid_group user or group IDs. + +[snapshot-20020106] If you run multiple Postfix instances on the +same machine you now have to specify their configuration directories +in the default main.cf file as "alternate_config_directories = +/dir1 /dir2 ...". Otherwise, some Postfix commands will no longer +work: the set-group ID postdrop command for mail submission and +the set-group ID postqueue command for queue listing/flushing. + +[snapshot-20010808] The default setting for the maps_rbl_domains +parameter is now "empty", because mail-abuse.org has become a +subscription-based service. The names of the RBL parameters haven't +changed. + +[snapshot-20020106] Postfix SMTP access maps will no longer return +OK for non-local multi-domain recipient mail addresses (user@dom1@dom2, +user%dom1@dom2, etcetera); the lookup now returns DUNNO (undetermined). +Non-local multi-domain recipient addresses were already prohibited +from matching the permit_mx_backup and the relay_domains-based +restrictions. + +[snapshot-20011210] Stricter checking of Postfix chroot configurations. +The Postfix startup procedure now warns if "system" directories +(etc, bin, lib, usr) under the Postfix top-level queue directory +are not owned by the super-user (usually the result of well-intended, +but misguided, applications of "chown -R postfix /var/spool/postfix). 
+ +[snapshot-20011008] The Postfix SMTP server now rejects requests +with a generic "try again later" status (451 Server configuration +error) when it detects an error in smtp_{client, helo, sender, +recipient, etrn}_restrictions settings. More details about the +problem are logged to the syslogd; sending such information to +random clients would be inappropriate. + +[snapshot-20011008] Postfix no longer flushes the entire mail queue +after receiving an ETRN request for a random domain name. Requests +for domains that do not match $fast_flush_domains are now rejected +instead. + +[snapshot-20011226] Postfix configuration file comments no longer +continue on the next line when that next line starts with whitespace. +This change avoids surprises, but it may cause unexpected behavior +with existing, improperly formatted, configuration files. Caveat +user. Comment lines are allowed to begin with whitespace. Multi-line +input is no longer terminated by a comment line, by an all whitespace +line, or by an empty line. + +[snapshot-20010714] Postfix delivery agents now refuse to create +a missing maildir or mail spool subdirectory when its parent +directory is world writable. This is necessary to prevent security +problems with maildirs or with hashed mailboxes under a world +writable mail spool directory. + +[snapshot-20010525] As per RFC 2821, the Postfix SMTP client now +always sends EHLO at the beginning of an SMTP session. Specify +"smtp_always_send_ehlo = no" for the old behavior, which is to send +EHLO only when the server greeting banner contains the word ESMTP. + +[snapshot-20010525] As per RFC 2821, an EHLO command in the middle +of an SMTP session resets the Postfix SMTP server state just like +RSET. This behavior cannot be disabled. + +[snapshot-20010709] The SMTP client now by default breaks lines > +2048 characters, to avoid mail delivery problems with fragile SMTP +server software. 
To get the old behavior back, specify "smtp_break_lines += no" in the Postfix main.cf file. + +[snapshot-20010709] With recipient_delimiter=+ (or any character +other than -) Postfix will now recognize address extensions even +with owner-foo+extension addresses. This change was necessary to +make VERP useful for mailing list bounce processing. + +[snapshot-20010610] The Postfix pipe delivery agent no longer +automatically case-folds the expansion of $user, $extension or +$mailbox command-line macros. Specify the 'u' flag to get the old +behavior. + +[snapshot-20011210] The Postfix sendmail command no longer exits +with status 1 when mail submission fails, but instead returns a +sendmail-compatible status code as defined in /usr/include/sysexits.h. + +Major changes with Postfix version 1.1.0 (Released 20020117) +============================================================ + +Changes are listed in order of decreasing importance, not release +date. + +The nqmgr queue manager is now bundled with Postfix. It implements +a smarter scheduling strategy that allows ordinary mail to slip +past mailing list mail, resulting in better response. This queue +manager is expected to become the default queue manager shortly. + +[snapshot-20010709, snapshot-20010808] VERP (variable envelope +return path) support. This is enabled by default, including in +the SMTP server. See the VERP_README file for instructions. Specify +"disable_verp_bounces = yes" to have Postfix send one RFC-standard, +non-VERP, bounce report for multi-recipient mail, even when VERP +style delivery was requested. This reduces the explosive behavior +of bounces when sending mail to a list. + +[snapshot-20010709] QMQP server support, so that Postfix can be +used as a backend mailer for the ezmlm-idx mailing list manager. +You still need qmail to drive ezmlm and to process mailing list +bounces. The QMQP service is disabled by default. To enable, follow +the instructions in the QMQP_README file. 
+ +[snapshot-20010709] You can now reject unknown virtual(8) recipients +at the SMTP port by specifying a "domain.name whatever" entry in +the tables specified with virtual_mailbox_maps, similar to Postfix +virtual(5) domains. [virtual(8) is the Postfix virtual delivery +agent, virtual(5) is the Postfix virtual map. The two implement +virtual domains in a very different manner.] + +[snapshot-20011121] Configurable host/domain name wildcard matching +behavior: choice between "pattern `domain.name' matches string +`host.domain.name'" (this is to be deprecated in the future) and +"pattern `.domain.name' matches string `host.domain.name'" (this +is to be preferred in the future). The configuration parameter +"parent_domain_matches_subdomains" specifies which Postfix features +use the behavior that will become deprecated. + +[snapshot-20010808] Variable coupling between message receiving +rates and message delivery rates. When the message receiving rate +exceeds the message delivery rate, an SMTP server will pause for +$in_flow_delay seconds before accepting a message. This delay +gives Postfix a chance catch up and access the disk, while still +allowing new mail to arrive. This feature currently has effect +only when mail arrives via a small number of SMTP clients. + +[snapshot-20010610, snapshot-20011121, snapshot-20011210] Workarounds +for a bug in old versions of the CISCO PIX firewall software that +caused mail to be resent repeatedly. The workaround has no effect +for other mail deliveries. The workaround is turned off when mail +is queued for less than $smtp_pix_workaround_threshold_time seconds +(default: 500 seconds) so that the workaround is normally enabled +only for deferred mail. The delay before sending . is now +controlled by the $smtp_pix_workaround_delay_time setting (default: +10 seconds). + +[snapshot-20011226] Postfix will now do null address lookups in +SMTPD access maps. 
If your access maps cannot store or look up +null string key values, specify "smtpd_null_access_lookup_key = +<>" and the null sender address will be looked up as <> instead. + +[snapshot-20011210] More usable virtual delivery agent, thanks to +a new "static" map type by Jeff Miller that always returns its map +name as the lookup result. This eliminates the need for per-recipient +user ID and group ID tables. See the VIRTUAL_README file for more +details. + +[snapshot-20011125] Anti-sender spoofing. New main.cf parameter +smtpd_sender_login_maps that specifies the (SASL) login name that +owns a MAIL FROM sender address. Specify a regexp table in order +to require a simple one-to-one mapping. New SMTPD restriction +reject_sender_login_mismatch that refuses a MAIL FROM address when +$smtpd_sender_login_maps specifies an owner but the client is not +(SASL) logged in as the MAIL FROM address owner, or when a client +is (SASL) logged in but does not own the address according to +$smtpd_sender_login_maps. + +[snapshot-20011121] The mailbox_command_maps parameter allows you +to configure the external delivery command per user (local delivery +agent only). This feature has precedence over the mailbox_command +and home_mailbox settings. + +[snapshot-20011121] New "warn_if_reject" smtpd UCE restriction that +only warns if the restriction that follows would reject mail. Look +for file records that contain the string "reject_warning". + +[snapshot-20011127] New header/body_check result "WARN" to make +Postfix log a warning about a header/body line without rejecting +the content. + +[snapshot-20011103] In header/body_check files, REJECT can now be +followed by text that is sent to the originator. That feature was +stuck waiting for years, pending the internal protocol revision. + +[snapshot-20011008] The permit_mx_backup feature allows you to +specify network address blocks via the permit_mx_backup_networks +parameter. 
This requires that the primary MX hosts for the given +destination match the specified network blocks. When no value is +given for permit_mx_backup_networks, Postfix will accept mail +whenever the local MTA is listed in the DNS as an MX relay host +for a destination, even when you never gave permission to do so. + +[snapshot-20010709] Specify "mail_spool_directory = /var/mail/" +(note the trailing "/" character) to enable maildir format for +/var/mail/username. + +[snapshot-20010808] Finer control over address masquerading. The +masquerade_classes parameter now controls header and envelope sender +and recipient addresses. With earlier Postfix versions, address +masquerading rewrote all addresses except for the envelope recipient. + +[snapshot-20010610] The pipe mail delivery agent now supports proper +quoting of white space and other special characters in the expansions +of the $sender and $recipient command-line macros. This was necessary +for correct operation of the "simple" content filter, and is also +recommended for delivery via UUCP or BSMTP. + +[snapshot-20010610] The pipe mail delivery agent now supports case +folding the localpart and/or domain part of expansions of the +$nexthop, $recipient, $user, $extension or $mailbox command-line +macros. This is recommended for mail delivery via UUCP. Bug: $nexthop +is always case folded because of problems in the queue manager +code. + +[snapshot-20010525] This release contains many little revisions of +little details in the light of the new RFC 2821 and RFC 2822 +standards. Changes that may affect interoperability are listed +above under "incompatible changes". Other little details are +discussed in comments in the source code. + +[snapshot-20010502] The Postfix SMTP client now by default randomly +shuffles destination IP addresses of equal preference (whether +obtained via MX lookup or otherwise). Reportedly, this is needed +for sites that use Bernstein's dnscache program. 
Specify +"smtp_randomize_addresses = no" to disable this behavior. Based on +shuffling code by Aleph1. + +[snapshot-20011127] New parameter smtpd_noop_commands to specify +a list of commands that the Postfix SMTP server treats as NOOP +commands (no syntax check, no state change). This is a workaround +for misbehaving clients that send unsupported commands such as +ONEX. + +[snapshot-20010502] "postmap -q -" and "postmap -d -" read key +values from standard input, which makes it easier to drive them +from another program. The same feature was added to the postalias +command. + +[snapshot-20010502] The postsuper command now has a command-line +option to delete queue files. In principle this command can be +used while Postfix is running, but there is a possibility of deleting +the wrong queue file when Postfix deletes a queue file and reuses +the queue ID for a new message. In that case, postsuper will delete +the new message. + +[snapshot-20010525] The postsuper queue maintenance tool now renames +files whose name (queue ID) does not match the message file inode +number. This is necessary after a Postfix mail queue is restored +from another machine or from backups. The feature is selected with +the -s option, which is the default, and runs whenever Postfix is +started. + +[snapshot-20010525] The postsuper queue maintenance tool has a new +-r (requeue) option for subjecting some or all queue files to +another iteration of address rewriting. This is useful after the +virtual or canonical maps have changed. + +[snapshot-20010525] The postsuper queue maintenance tool was extended +with options to read queue IDs from standard input. This makes the +tool easier to drive from scripts. + +[snapshot-20010329] Better support for running multiple Postfix +instances on one machine. Each instance can be recognized by its +logging (defaults: "syslog_name = postfix", "syslog_facility = +mail"). + +Major incompatible changes with release-20010228 Patch 01 (a.k.a. 
Postfix 1.0.1) +================================================================================ + +This release changes the names of the "fast ETRN" logfiles with +delayed mail per destination. These files are maintained by the +Postfix "fast flush" daemon. The old scheme failed with addresses +of the form user@[ip.address] and user@a.domain.name. In order to +populate the new "fast ETRN" logfiles, execute the command "sendmail +-q". The old "fast ETRN" logfiles go away by themselves (default: +after 7 days). + +Major incompatible changes with release-20010228 (a.k.a. Postfix 1.0.0) +======================================================================= + +[snapshot-20010225] POSTFIX NO LONGER RELAYS MAIL FOR CLIENTS IN +THE ENTIRE CLASS A/B/C NETWORK. To get the old behavior, specify +"mynetworks_style = class" in the main.cf file. The default +(mynetworks_style = subnet) is to relay for clients in the local +IP subnet. See conf/main.cf. + +[snapshot-20001005, snapshot-20010225] You must execute "postfix +stop" before installing this release. Some recommended parameter +settings have changed, and a new entry must be added to the master.cf +file before you can start Postfix again. + +1 - The recommended Postfix configuration no longer uses flat + directories for the "incoming" "active", "bounce", and "defer" + queue directories. The "flush" directory for the new "flush" + service directory should not be flat either. + + Upon start-up, Postfix checks if the hash_queue_names configuration + parameter is properly set up, and will add any queue directory + names that are missing. + +2 - In order to improve performance of one-to-one mail deliveries + the queue manager will now look at up to 10000 queue files + (was: 1000). The default qmgr_message_active_limit setting + was changed accordingly. + + If you have a non-default qmgr_message_active_limit in main.cf, + you may want adjust it. + +3 - The new "flush" service needs to be configured in master.cf. 
+ + Upon start-up, Postfix checks if the new "flush" service is + configured in the master.cf file, and will add an entry if it + is missing. + +Should you wish to back out to a previous Postfix release there is +no need to undo the above queue configuration changes. + +[snapshot-20000921] The protocol between queue manager and delivery +agents has changed. This means that you cannot mix the Postfix +queue manager or delivery agents with those of Postfix versions +prior to 20000921. This change does not affect Postfix queue file +formats. + +[snapshot-20000529] This release introduces an incompatible queue +file format change ONLY when content filtering is enabled (see text +in FILTER_README). Old Postfix queue files will work fine, but +queue files with the new content filtering info will not work with +Postfix versions before 20000529. Postfix logs a warning and moves +incompatible queue files to the "corrupt" mail queue subdirectory. + +Minor incompatible changes with release-20010228 +================================================ + +[snapshot-20010225] The incoming and deferred queue directories +are now hashed by default. This improves the performance considerably +under heavy load, at the cost of a small but noticeable slowdown +when one runs "mailq" on an unloaded system. + +[snapshot-20010222] Postfix no longer automatically delivers +recipients one at a time when their domain is listed in $mydestination. +This change solves delivery performance problems with delivery via +LMTP, with virus scanning, and with firewall relays that forward +all mail for $mydestination to an inside host. + +The "one recipient at a time" delivery behavior is now controlled +by the per-transport recipient limit (xxx_destination_recipient_limit, +where xxx is the name of the delivery mechanism). This parameter +controls the number of recipients that can be sent in one delivery +(surprise). 
+ +The setting of the per-transport recipient limit also controls the +meaning of the per-transport destination concurrency limit (named +xxx_destination_concurrency_limit, where xxx is again the name of +the delivery mechanism): + + 1) When the per-transport recipient limit is 1 (i.e., send one + recipient per delivery), the per-transport destination concurrency + limit controls the number of simultaneous deliveries to the + same recipient. This is the default behavior for delivery via + the Postfix local delivery agent. + + 2) When the per-transport recipient limit is > 1 (i.e., send + multiple recipients per delivery), the per-transport destination + concurrency limit controls the number of simultaneous deliveries + to the same domain. This is the default behavior for all other + Postfix delivery agents. + +[snapshot-20010128] The Postfix local delivery agent now enforces +mailbox file size limits (default: mailbox_size_limit = 51200000). +This limit affects all file write access by the local delivery +agent or by a process run by the local delivery agent. The purpose +of this parameter is to act as a safety for run-away software. It +cannot be a substitute for a file quota management system. Specify +a limit of 0 to disable. + +[snapshot-20010128] REJECT in header/body_checks is now flagged as +policy violation rather than bounce, for consistency in postmaster +notifications. + +[snapshot-20010128] The default RBL (real-time blackhole lists) +domain examples have been changed from *.vix.com to *.mail-abuse.org. + +[snapshot-20001210] Several interfaces of libutil and libglobal +routines have changed. This may break third-party code written +for Postfix. In particular, the safe_open() routine has changed, +the way the preferred locking method is specified in the sys_defs.h +file, as well as all routines that perform file locking. 
When +compiling third-party code written for Postfix, the incompatibilities +will be detected by the compiler provided that #include file +dependencies are properly maintained. + +[snapshot-20001210] When delivering to /file/name (as directed in +an alias or .forward file), the local delivery agent now logs a +warning when it is unable to create a /file/name.lock file. Mail +is still delivered as before. + +[snapshot-20001210] The "sun_mailtool_compatibility" feature is +going away (a compatibility mode that turns off kernel locks on +mailbox files). It still works, but a warning is logged. Instead +of using "sun_mailtool_compatibility", specify the mailbox locking +strategy as "mailbox_delivery_lock = dotlock". + +[snapshot-20001210] The Postfix SMTP client now skips SMTP server +replies that do not start with "CODE SPACE" or with "CODE HYPHEN" +and flags them as protocol errors. Older Postfix SMTP clients +silently treated "CODE TEXT" as "CODE SPACE TEXT", i.e. as a valid +SMTP reply. + +[snapshot-20001121] On RedHat Linux 7.0, you must install the +db3-devel RPM before you can compile the Postfix source code. + +[snapshot-20000924] The postmaster address in the "sorry" text at +the top of bounced mail is now just postmaster, not postmaster@machine. +The idea is to refer users to their own postmaster. + +[snapshot-20000921] The notation of [host:port] in transport tables +etc. is going away but it is still supported. The preferred form +is now [host]:port. This change is necessary to support IPV6 +address forms which use ":" as part of a numeric IP address. In a +future release, Postfix will log a warning when it encounters the +[host:port] form. + +[snapshot-20000921] In mail headers, Errors-To:, Reply-To: and +Return-Receipt: addresses are now rewritten as a sender address +(was: recipient). + +[snapshot-20000921] Postfix no longer inserts Sender: message +headers. 
+ +[snapshot-20000921] The queue manager now logs the original number +of recipients when opening a queue file (example: from=<>, size=3502, +nrcpt=1). + +[snapshot-20000921] The local delivery agent no longer appends a +blank line to mail that is delivered to external command. + +[snapshot-20000921] The pipe delivery agent no longer appends a +blank line when the F flag is specified (in the master.cf file). +Specify the B flag if you need that blank line. + +[snapshot-20000507] As required by RFC 822, Postfix now inserts a +generic destination message header when no destination header is +present. The text is specified via the undisclosed_recipients_header +configuration parameter (default: "To: undisclosed-recipients:;"). + +[snapshot-20000507] The Postfix sendmail command treats a line with +only `.' as the end of input, for the sake of sendmail compatibility. +To disable this feature, specify the sendmail-compatible `-i' or +`-oi' flags on the sendmail command line. + +[snapshot-20000507] For the sake of Sendmail compatibility, the +Postfix SMTP client skips over SMTP servers that greet with a 4XX +or 5XX reply code, treating them as unreachable servers. To obtain +prior behavior (4XX=retry, 5XX=bounce), specify "smtp_skip_4xx_greeting += no" and "smtp_skip_5xx_greeting = no". + +Major changes with release-20010228 +=================================== + +Postfix produces DSN formatted bounced/delayed mail notifications. +The human-readable text still exists, so that users will not have +to be unnecessarily confused by all the ugliness of RFC 1894. Full +DSN support will be later. + +This release introduces full content filtering through an external +process. This involves an incompatible change in queue file format. +Mail is delivered to content filtering software via an existing +mail delivery agent, and is re-injected into Postfix via an existing +mail submission agent. See examples in the FILTER_README file. 
+Depending on how the filter is implemented, you can expect to lose +a factor of 2 to 4 in delivery performance of SMTP transit mail, +more if the content filtering software needs lots of CPU or memory. + +Specify "body_checks = regexp:/etc/postfix/body_checks" for a quick +and dirty emergency content filter that looks at non-header lines +one line at a time (including MIME headers inside the message body). +Details in conf/sample-filter.cf. + +The header_checks and body_checks features can be used to strip +out unwanted data. Specify IGNORE on the right-hand side and the +data will disappear from the mail. + +Support for SASL (RFC 2554) authentication in the SMTP server and +in the SMTP and LMTP clients. See the SASL_README file for more +details. This file still needs better examples. + +Postfix now ships with an LMTP delivery agent that can deliver over +local/remote TCP sockets and over local UNIX-domain sockets. The +LMTP_README file gives example, but still needs to be revised. + +Fast "ETRN" and "sendmail -qR". Postfix maintains per-destination +logfiles with information about what mail is queued for selected +destinations. See the file ETRN_README for details. + +The mailbox locking style is now fully configurable at runtime. +The new configuration parameter is called "mailbox_delivery_lock". +Depending on the operating system type, mailboxes can be locked +with one or more of "flock", "fcntl" or "dotlock". The command +"postconf -l" shows the available locking styles. The default +mailbox locking style is system dependent. This change affects +all mailbox and all "/file/name" deliveries by the Postfix local +delivery agent. + +Minor changes with release-20010228 +=================================== + +You can now specify multiple SMTP destinations in the relayhost +and fallback_relay configuration parameters. The destinations are +tried in the specified order. 
Specify host or host:port (perform +MX record lookups), [host] or [host]:port (no MX record lookups), +[address] or [address]:port (numerical IP address). + +The "mailbox_transport" and "fallback_transport" parameters now +understand the form "transport:nexthop", with suitable defaults +when either transport or nexthop are omitted, just like in the +Postfix transport map. This allows you to specify for example, +"mailbox_transport = lmtp:unix:/file/name". + +The local_transport and default_transport configuration parameters +can now be specified in transport:destination notation, just like +the mailbox_transport and fallback_transport parameters. The +:destination part is optional. However, these parameters take only +one destination, unlike relayhost and fallback-relay which take +any number of destinations. + +More general virtual domain support. Postfix now supports both +Sendmail-style virtual domains and Postfix-style virtual domains. +Details and examples are given in the revised virtual manual page. + +- With Sendmail-style virtual domains, local users/aliases/mailing + lists are visible as localname@virtual.domain. This is convenient + if you want to host mailing lists under virtual domains. + +- With Postfix-style virtual domains, local users/aliases/mailing + lists are not visible as localname@virtual.domain. Each virtual + domain has its own separate name space. + +More general "soft bounce" feature. Specify "soft_bounce = yes" +in main.cf to prevent the SMTP server from bouncing mail while you +are testing configurations. Until this release the SMTP server was +not aware of soft bounces. + +Workarounds for non-standard RFC 2554 (AUTH command) implementations. +Specify "broken_sasl_auth_clients = yes" to enable SMTP server +support for old Microsoft client applications. The Postfix SMTP +client supports non-standard RFC 2554 servers by default. 
+ +All time-related configuration parameters now accept a one-letter +suffix to indicate the time unit (s: second, m: minute, h: hour, +d: day, w: week). The exceptions are the LDAP and MYSQL modules +which are maintained separately. + +New "import_environment" and "export_environment" configuration +parameters provide explicit control over what environment variables +Postfix will import, and what environment variables Postfix will +pass on to a non-Postfix process. + +In order to improve performance of one-to-one deliveries, Postfix +by default now looks at up to 10000 messages at a time (was: 1000). + +Specify "syslog_facility = log_local1" etc. to separate the logging +from multiple Postfix instances. However, a non-default logging +facility takes effect only after process initialization. Errors +during command-line parsing are still logged with the default syslog +facility, as are errors while processing the main.cf file. + +Postfix now strips out Content-Length: headers in incoming mail to +avoid confusion in mail user agents. + +Specify "require_home_directory = yes" to prevent mail from being +delivered to a user whose home directory is not mounted. This +feature is implemented by the Postfix local delivery agent. + +The pipe mailer has a size limit (size=nnn) command-line argument. + +The pipe delivery agent has a configurable end-of-line attribute. +Specify "pipe ... eol=\r\n" for delivery mechanisms that require +CRLF record delimiters. The eol attribute understands the following +C-style escape sequences: \a \b \f \n \r \t \v \nnn \\. + +In master.cf you can selectively override main.cf configuration +parameters, for example: "smtpd -o myhostname=foo.com". + +In main.cf, specify "smtp_bind_address=x.x.x.x" to bind SMTP +connections to a specific local interface. Or override the default +setting in master.cf with "smtp -o smtp_bind_address=x.x.x.x". +For now, you must specify a numeric IP address. 
+ +Questionable feature: with "smtp_always_send_ehlo = yes", the SMTP +client sends EHLO regardless of the content of the SMTP server's +greeting. + +Specify "-d key" to postalias or postmap in order to remove one +key. This still needs to be generalized to multi-key removal (e.g., +read keys from stdin). + +Comments in Postfix configuration files no longer contain troff +formatting codes. The text is now generated from prototype files +in a new "proto" subdirectory. + +Major changes with postfix-19991231: +==================================== + +- It is now much more difficult to configure Postfix as an open +relay. The SMTP server requires that "smtpd_recipient_restrictions" +contains at least one restriction that by default refuses mail (as +is the default). There were too many accidents with changes to +the UCE restrictions. + +- The relay_domains parameter no longer needs to contain $virtual_maps. + +- Overhauled FAQ (html/faq.html) with many more examples. + +- Updated UCE documentation (html/uce.html) with more examples. +More UCE configuration examples in sample configuration files. + +- Several little improvements to the installation procedure: +relative symlinks, configurable directory for scratch files so the +installation can be done without write access to the build tree. + +- Updated LDAP client code (John Hensley). + +- Updated mysql client code (Scott Cotton). + +- The SMTP server now rejects mail for unknown users in virtual +domains that are defined by Postfix virtual maps. + +- The SMTP server can reject mail for unknown local users. Specify +"local_recipient_maps = $alias_maps, unix:passwd.byname" if your +local mail is delivered by a UNIX-style local delivery agent. See +example in conf/main.cf. + +- Use "disable_vrfy_command = yes" to disable the SMTP VRFY command. +This prevents some forms of address harvesting. + +- The sendmail "-f" option now understands and even understands +forms with RFC 822-style comments. 
+ +- New "qmgr_fudge_factor" parameter allows you to balance mailing +list performance against response time for one-to-one mail. The +fudge factor controls what percentage of delivery resources Postfix +will devote to one message. With 100%, delivery of one message +does not begin before delivery of the previous message is completed. +This is good for list performance, bad for one-to-one mail. With +10%, response time for one-to-one mail improves much, but list +performance suffers: in the worst case, people near the start of a +mailing list get a burst of postings today, while people near the +end of the list get that same burst of postings a whole day later. + +- It is now relatively safe to configure 550 status codes for the +main.cf unknown_address_reject_code or unknown_client_reject_code +parameters. The SMTP server now always sends a 450 (try again) +reply code when an UCE restriction fails due to a soft DNS error, +regardless of what main.cf specifies. + +- The RBL checks now show the content of TXT records (Simon J Mudd). + +- The Postfix SMTP server now understands a wider range of illegal +address forms in MAIL FROM and RCPT TO commands. In order to disable +illegal forms, specify "strict_rfc821_envelopes = yes". This also +disables support for MAIL FROM and RCPT TO addresses without <>. + +- Per-client/helo/sender/recipient UCE restrictions (fully-recursive +UCE restriction parser). See the RESTRICTION_CLASS file for details. + +- Use "postmap -q key" or "postalias -q key" for testing Postfix +lookup tables or alias files. + +- Use "postconf -e name=value..." to edit the main.cf file. This +is easier and safer than editing the main.cf file by hand. The +edits are done on a temporary copy that is renamed into place. + +- Use "postconf -m" to display all supported lookup table types +(Scott Cotton). + +- New "permit_auth_destination" UCE restriction for finer-grained +access control (Jesper Skriver). 
+ +Incompatible changes with postfix-19990906 +========================================== + +- On systems that use user.lock files to protect system mailboxes +against simultaneous updates, Postfix now uses /file/name.lock +files while delivering to files specified in aliases/forward/include +files. This is a no-op when the recipient lacks directory write +permission. + +- The LDAP client code no longer looks up a name containing "*" +because it could be abused. See the LDAP_README file for how to +restore previous behavior. + +- The Postfix to PCRE interface now expects PCRE version 2.08. +Postfix is no longer compatible with PCRE versions prior to 2.06. + +Major changes with postfix-19990906 +=================================== + +Several bugfixes, none related to security. See the HISTORY file +for a complete list of changes. + +- Postfix is now distributed under IBM Public License Version 1.0 +which does not carry the controversial termination clause. The new +license does have a requirement that contributors make source code +available. + +- INSTALL.sh install/upgrade procedure that replaces existing +programs and shell scripts instead of overwriting them, and that +leaves existing queue files and configuration files alone. + +- The ugly Delivered-To: header can now be turned off selectively. +The default setting is: "prepend_delivered_header = command, file, +forward". Turning off the Delivered-To: header when forwarding +mail is not recommended. + +- mysql client support by Scott Cotton and Joshua Marcus, Internet +Consultants Group, Inc. See the file MYSQL_README for instructions. + +- reject_unauth_destination SMTP recipient restriction that rejects +destinations not in $relay_domains. Unlike the check_relay_domains +restriction, reject_unauth_destination ignores the client hostname. +By Lamont Jones of Hewlett-Packard. 
+ +- reject_unauth_pipelining SMTP *anything* restriction to stop mail +from spammers that improperly use SMTP command pipelining to speed +up their deliveries. + +- Postfix "sendmail" now issues a warning and drops privileges if +installed set-uid root. + +- No more duplicate delivery when "postfix reload" is immediately +followed by "sendmail -q". + +- No more "invalid argument" errors when a Postfix daemon opens a +DB/DBM file while some other process is changing the file. + +- Portability to the Mac OS X Server, Reliant Unix, AIX 3.2.5 and +Ultrix 4.3. + +Incompatible changes with postfix-19990601: +=========================================== + +- The SMTP server now delays all UCE restrictions until the RCPT +TO, VRFY or ETRN command. This makes the restrictions more useful, +because many SMTP clients do not expect negative responses earlier +in the protocol. In order to restore the old behavior, specify +"smtpd_delay_reject = no" in /etc/postfix/main.cf. + +- The Postfix local delivery agent no longer automatically propagates +address extensions to aliases/include/forward addresses. Specify +"propagate_unmatched_extensions = canonical, virtual, alias, forward, +include" to restore the old behavior. + +- The Postfix local delivery agent no longer does $name expansion +on words found in the mailbox_command configuration parameter. This +makes it easier to specify shell syntax. See conf/main.cf. + +- The luser_relay syntax has changed. You can specify one address; +it is subjected to $user, etc. expansions. See conf/main.cf. + +- File system reorganization: daemon executables are now in the +libexec subdirectory, command executables in the bin subdirectory. +The INSTALL instructions now recommend installing daemons and +commands into separate directories. 
+ +Major changes with postfix-19990601: +===================================== + +- New USER, EXTENSION, LOCAL, DOMAIN and RECIPIENT environment +variables for delivery to command (including mailbox_command) by +the local delivery agent. As you might expect, the information is +censored. The list of acceptable characters is specified with the +command_expansion_filter configuration parameter. Unacceptable +characters are replaced by underscores. See html/local.8.html. + +- Specify "forward_path = /var/forward/$user" to avoid looking up +.forward files in user home directories. The default value is +$home/.forward$recipient_delimiter$extension, $home/.forward. +Initial code by Philip A. Prindeville, Mirapoint, Inc., USA. + +- Conditional $name expansion in forward_path and luser_relay. +Available names are: $user (bare user name) $shell (user login +shell), $home (user home directory), $local (everything to the left +of @), $extension (optional address extension), $domain (everything +to the right of @), $recipient (the complete address) and +$recipient_delimiter. A simple $name expands as usual. ${name?value} +expands to value when $name is defined. ${name:value} expands to +value when $name is not defined. With ${name?value} and ${name:value}, +the value is subject to another iteration of $name expansion. + +- POSIX regular expression support, enabled by default on 4.4BSD, +LINUX, HP-UX, and Solaris 2.5 and later. See conf/sample-regexp.cf. +Initial code by Lamont Jones, Hewlett-Packard, borrowing heavily +from the PCRE implementation by Andrew McNamara, connect.com.au +Pty. Ltd., Australia. + +- Regular expression checks for message headers. This requires +support for POSIX or for PCRE regular expressions. Specify +"header_checks = regexp:/file/name" or "header_checks = pcre:/file/name", +and specify "/^header-name: badstuff/ REJECT" in the pattern file +(patterns are case-insensitive by default). Code by Lamont Jones, +Hewlett-Packard. 
It is to be expected that full content filtering +will be delegated to an external command. + +- Regular expression support for all lookup tables, including access +control (full mail addresses only), address rewriting (canonical/virtual, +full mail addresses only) and transport tables (full domain names +only). However, regular expressions are not allowed for aliases, +because that would open up security exposures. + +- Automatic detection of changes to DB or DBM lookup tables. This +eliminates the need to run "postfix reload" after each change to +the SMTP access table, or to the canonical, virtual, transport or +aliases tables. + +- New error mailer. Specify ".domain.name error:domain is undeliverable" +in the transport table to bounce mail for entire domains. + +- No more Postfix lockups on Solaris (knock on wood). The code no +longer uses Solaris UNIX-domain sockets, because they are still +broken, even with Solaris 7. + +- Workaround for the Solaris mailtool, which keeps an exclusive +kernel lock on the mailbox while its window is not iconified (specify +"sun_mailtool_compatibility = yes" in main.cf). + +- Questionable workaround for Solaris, which reportedly loses +long-lived exclusive locks that are held by the master daemon. + +- New reject_unknown_{sender,recipient}_domain restrictions for +sender and recipient mail addresses that distinguish between soft +errors (always 450) and hard errors (unknown_address_reject_code, +default 450). + +- MIME-encapsulated bounce messages, making it easier to recover +bounced mail. Initial implementation by Philip A. Prindeville, +Mirapoint, Inc., USA. Support for RFC 1892 (multipart/report) and +RFC 1894 (DSN) will have to wait until Postfix internals have been +revised to support RFC 1893. 
+ +- Separately configurable "postmaster" addresses for single bounces +(bounce_notice_recipient), double bounces (2bounce_notice_recipient), +delayed mail (delay_notice_recipient), and for mailer error reports +(error_notice_recipient). See conf/main.cf. + +- Questionable feature: specify "best_mx_transport = local" if +this machine is the best MX host for domains not in mydestinations. + +Incompatible changes with postfix-19990317: +=========================================== + +- You MUST install the new version of /etc/postfix/postfix-script. + +- The pipe mailer "flags" syntax has changed. You now explicitly +MUST specify the R flag in order to generate a Return-Path: message +header (as needed by, for example, cyrus). + +Major changes with postfix-19990317: +==================================== + +A detailed record of changes is given in the HISTORY file. + +- Less postmaster mail. Undeliverable bounce messages (double +bounces) are now discarded. Specify "notify_classes = 2bounce..." +to get copies of double bounces. Specify "notify_classes = bounce..." +to get copies of normal and double bounces. + +- Improved LDAP client code by John Hensley of Merit Network, USA. +See LDAP_README for details. + +- Perl-compatible regular expression support for lookup maps by +Andrew McNamara, connect.com.au Pty. Ltd., Australia.. Example: +"check_recipient_access pcre:/etc/postfix/sample-pcre.cf". Regular +expressions provide a powerful tool not only for SMTP access control +but also for address rewriting. See PCRE_README for details. + +- Automatic notification of delayed mail (disabled by default). +With "delay_warning_time = 4", Postfix informs senders when mail +has not been delivered after 4 hours. Initial version of the code +by Daniel Eisenbud, University of California at Berkeley. In order +to get postmaster copies of such warnings, specify "notify_classes += delay...". 
+ +- More configurable local delivery: "mail_spool_directory" to +specify the UNIX mail spool directory; "mailbox_transport" to +delegate all mailbox delivery to, for example, cyrus, and +"fallback_transport" to delegate delivery of only non-UNIX users. +And all this without losing local aliases and local .forward +processing. See config/main.cf and config/master.cf. + +- Several changes to improve Postfix behavior under worst-case +conditions (frequent Postfix restarts/reloads combined with lots +if inbound mail, intermittent connectivity problems, SMTP servers +that become comatose after receiving QUIT). + +- More NFS-friendly mailbox delivery. The local delivery agent +now avoids using root privileges where possible. + +- For sites that do not receive mail at all, mydestination can now +be an empty string. Be sure to set up a transport table entry to +prevent mail from looping. + +- New "postsuper" utility to clean up stale files from Postfix +queues. + +- Workaround for BSD select() collisions that cause performance +problems on large BSD systems. + +- Several questionable but useful features to capture mail: +"always_bcc = address" to capture a copy of every message that +enters the system, and "luser_relay = address" to capture mail for +unknown recipients (does not work when mailbox_transport or +fallback_transport are being used). + +- Junk mail controls: new reject_non_fqdn_{hostname,sender,recipient} +restrictions to reject non-FQDN arguments in HELO, MAIL FROM and +RCPT TO commands, and stricter checking of numeric HELO arguments. + +- "fallback_relay" feature for sites that use DNS but that can't +talk to the entire world. The fall-back relay gets the mail when +a destination is not found in the DNS or when the destination is +found but not reachable. 
+ +- Several questionable controls that can help to keep mail going: +specify "smtp_skip_4xx_greeting = yes" to skip SMTP servers that +greet with 4XX, "ignore_mx_lookup_error = yes" to look up an A +record when a DNS server does not respond to an MX query. + +Incompatible changes with postfix-beta-19990122-pl01: +===================================================== + +None. + +Major changes with postfix-beta-19990122-pl01: +============================================== + +- Restrict who may use ETRN and what domains may be specified. +Example: "smtpd_etrn_restrictions = permit_mynetworks, reject". + +- BIFF notifications. For compatibility reasons this feature is +on by default. Specify "biff = no" in main.cf if your machine has +lots of shell users. + +- With "soft_bounce = yes", defer delivery instead of bouncing +mail. This is a safety net for configuration errors with delivery +agents. It has no effect on errors in virtual maps, canonical maps, +or in junk mail restrictions. + +- Specify "owner_request_special = no" to turn off special treatment +of owner-foo and foo-request addresses. + +Incompatible changes with postfix-beta-19990122: +================================================ + +- The syntax of the transport table has changed. An entry like: + + customer.org smtp:[gateway.customer.org] + + no longer forwards mail for anything.customer.org. For that you + need to specify: + + customer.org smtp:[gateway.customer.org] + .customer.org smtp:[gateway.customer.org] + + This change makes transport tables more compatible with + sendmail mailer tables. + +- The format of syslog records has changed. A client is now always +logged as hostname[address]; the pickup daemon logs queue file uid +and sender address. + +Major changes with postfix-beta-19990122: +========================================= + +- Junk mail restrictions can now be postponed to the RCPT TO command. +Specify: "smtpd_recipient_restrictions = reject_maps_rbl...". 
+ +- More flexible interface for delivery to e.g., cyrus IMAP without +need for PERL scripts to munge recipient addresses. In addition to +$sender, $nexthop and $recipient, the pipe mailer now also supports +$user, $extension and $mailbox. + +- New mail now has precedence over deferred mail, plus some other +tweaks to make bulk mail go faster. But it ain't no cure for massive +network outages. + +- Watchdog timer for systems that cause the Postfix queue manager +to lock up, so it recovers without human intervention. + +- Delivery to qmail-style maildir files, which is good for NFS +environments. Specify "home_mailbox = Maildir/", or specify +/file/name/ in aliases or in .forward files. The trailing / is +required to turn on maildir delivery. + +- Incremental updates of aliases and maps. Specify "postmap -i +mapname" and it will read new entries from stdin. + +- Newaliases will now update more than one alias database. +Specify the names with the main.cf "alias_database" parameter. + +- Address masquerading exceptions to prevent users from being +masqueraded. Specify "masquerade_exceptions = root". + +- A pipelined SMTP client. Deliveries to Postfix, qmail, LSOFT, +zmailer, and exim (once it's fixed) speed up by some 30% for short +messages with one recipient, with more for multi-recipient mails. + +- Hook for local delivery to "|command" via the smrsh restricted +shell, to restrict what commands may be used in .forward etc. files. +Specify "local_command_shell = /some/where/smrsh -c". diff --git a/postfix/conf/post-install b/postfix/conf/post-install index 88fae3a76..626177fad 100644 --- a/postfix/conf/post-install +++ b/postfix/conf/post-install @@ -531,7 +531,7 @@ EOF if [ -z "$has_lrm" -a -z "$has_lrjc" ] then echo SAFETY: editing main.cf, setting $unknown_local=450. - echo See the RELEASE_NOTES and $config_directory/main.cf for details. + echo See the RELEASE_NOTES and LOCAL_RECIPIENT_README files for details. $POSTCONF -e "$unknown_local = 450" || exit 1 fi 
diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index d27282ccd..fe5a02e62 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h @@ -20,10 +20,10 @@ * Patches change the patchlevel and the release date. Snapshots change the * release date only, unless they include the same bugfix as a patch release. */ -#define MAIL_RELEASE_DATE "20021221" +#define MAIL_RELEASE_DATE "20021222" #define VAR_MAIL_VERSION "mail_version" -#define DEF_MAIL_VERSION "1.1.12-" MAIL_RELEASE_DATE +#define DEF_MAIL_VERSION "2.0.0" extern char *var_mail_version; /* diff --git a/postfix/src/nqmgr/qmgr.c b/postfix/src/nqmgr/qmgr.c index cd1e72b1e..c608bb6c2 100644 --- a/postfix/src/nqmgr/qmgr.c +++ b/postfix/src/nqmgr/qmgr.c @@ -552,7 +552,6 @@ int main(int argc, char **argv) static CONFIG_BOOL_TABLE bool_table[] = { VAR_ALLOW_MIN_USER, DEF_ALLOW_MIN_USER, &var_allow_min_user, VAR_VERP_BOUNCE_OFF, DEF_VERP_BOUNCE_OFF, &var_verp_bounce_off, - VAR_SENDER_ROUTING, DEF_SENDER_ROUTING, &var_sender_routing, 0, }; diff --git a/postfix/src/qmgr/qmgr.c b/postfix/src/qmgr/qmgr.c index 9ecfa116b..251566359 100644 --- a/postfix/src/qmgr/qmgr.c +++ b/postfix/src/qmgr/qmgr.c @@ -498,7 +498,6 @@ int main(int argc, char **argv) static CONFIG_BOOL_TABLE bool_table[] = { VAR_ALLOW_MIN_USER, DEF_ALLOW_MIN_USER, &var_allow_min_user, VAR_VERP_BOUNCE_OFF, DEF_VERP_BOUNCE_OFF, &var_verp_bounce_off, - VAR_SENDER_ROUTING, DEF_SENDER_ROUTING, &var_sender_routing, 0, }; diff --git a/postfix/src/trivial-rewrite/resolve.c b/postfix/src/trivial-rewrite/resolve.c index 7a579df88..0be7fb623 100644 --- a/postfix/src/trivial-rewrite/resolve.c +++ b/postfix/src/trivial-rewrite/resolve.c 
@@ -537,8 +537,10 @@ void resolve_addr(char *addr, VSTRING *channel, VSTRING *nexthop, * Subtle note: reset nexthop even when the transport table does not change * the transport. Otherwise it is hard to get rid of main.cf specified * nexthop information. + * + * XXX Don't override the virtual alias class (error:User unknown) result. */ - if (*var_transport_maps) { + if (*var_transport_maps && !(*flags & RESOLVE_CLASS_ALIAS)) { if (transport_lookup(STR(nextrcpt), rcpt_domain, channel, nexthop) == 0 && dict_errno != 0) { msg_warn("%s lookup failure", VAR_TRANSPORT_MAPS); diff --git a/postfix/src/trivial-rewrite/transport.c b/postfix/src/trivial-rewrite/transport.c index fa6080258..504a777d0 100644 --- a/postfix/src/trivial-rewrite/transport.c +++ b/postfix/src/trivial-rewrite/transport.c @@ -76,6 +76,7 @@ static MAPS *transport_path; static int transport_match_parent_style; static VSTRING *wildcard_channel; static VSTRING *wildcard_nexthop; +static int transport_errno; #define STR(x) vstring_str(x) @@ -195,8 +196,7 @@ void transport_wildcard_init(void) msg_info("wildcard_{chan:hop}={%s:%s}", vstring_str(wildcard_channel), vstring_str(wildcard_nexthop)); } else { - if (dict_errno != 0) - msg_fatal("transport table initialization problem."); + transport_errno = dict_errno; vstring_free(channel); vstring_free(nexthop); } @@ -294,7 +294,10 @@ int transport_lookup(const char *addr, const char *rcpt_domain, /* * Fall back to the wild-card entry. */ - if (wildcard_channel) { + if (transport_errno) { + dict_errno = transport_errno; + RETURN_FREE(NOTFOUND); + } else if (wildcard_channel) { update_entry(STR(wildcard_channel), STR(wildcard_nexthop), rcpt_domain, channel, nexthop); RETURN_FREE(FOUND);
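Review bot: the added RELEASE_NOTES text has a few documentation slips worth fixing before release. In the postfix-19990317 section, "combined with lots if inbound mail" should read "lots of inbound mail", "connect.com.au Pty. Ltd., Australia.." has a doubled period, and "See config/main.cf and config/master.cf" disagrees with the "conf/main.cf" and "conf/sample-regexp.cf" paths used elsewhere in the same file. The best_mx_transport entry in the 19990601 section says "mydestinations" while the parameter is written "mydestination" further down.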
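Review bot: in conf/post-install, the replacement echo line in the SAFETY message drops $config_directory, so the operator is no longer told which main.cf the following $POSTCONF -e call just edited, and LOCAL_RECIPIENT_README is named without saying where it lives. Suggest keeping the path in the first line, for example "editing $config_directory/main.cf", and keeping the new README pointer in the second.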
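Review bot: in the bool_table of nqmgr/qmgr.c, and in the identical hunk for qmgr/qmgr.c, only the table row for VAR_SENDER_ROUTING is removed; neither hunk shows the var_sender_routing definition or the VAR_SENDER_ROUTING and DEF_SENDER_ROUTING macros going away. Please confirm they are removed in the same commit, otherwise the variable stays in the tree without ever receiving its configured default. If the parameter shipped in any snapshot, its removal also deserves an entry in RELEASE_NOTES, not only the deletion from HISTORY.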
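Review bot: in resolve_addr() in trivial-rewrite/resolve.c, the new guard !(*flags & RESOLVE_CLASS_ALIAS) skips the transport lookup for every address in the virtual alias class, which is broader than the "(error:User unknown) result" named in the XXX comment. The "Subtle note" directly above says nexthop is reset even when the transport table does not change the transport; if that reset lives inside this block, alias-class addresses now bypass it as well. Please make the comment say that transport maps are bypassed for the whole class, and confirm the nexthop reset is either still reached or not needed on that path.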
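Review bot: in transport_wildcard_init() in trivial-rewrite/transport.c, the else branch now saves dict_errno into transport_errno in place of msg_fatal, but nothing is logged where the failure happens and the success branch shown in the hunk never clears the saved value. If this function can run more than once, a failure followed by a successful initialization leaves a stale error behind. Suggest a msg_warn at the point where the error is recorded and setting transport_errno to 0 at the top of the function. The new static transport_errno declaration would also benefit from a one-line comment saying what it holds.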
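Review bot: in transport_lookup() in trivial-rewrite/transport.c, the saved transport_errno is tested ahead of wildcard_channel, so after a failed wildcard initialization every lookup that reaches the fallback returns NOTFOUND with dict_errno set, and the caller in resolve.c then logs "lookup failure" for each such recipient until transport_wildcard_init() runs again. The existing comment "Fall back to the wild-card entry" no longer describes the first branch. Suggest extending the comment to explain that the initialization error is replayed here and why that is preferred over the former msg_fatal, and consider retrying the wildcard lookup after some interval instead of failing for the life of the process.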