From: Wietse Venema <wietse@porcupine.org>
Date: Sat, 24 Apr 2021 05:00:00 +0000 (-0500)
Subject: postfix-3.6.0-RC1
X-Git-Tag: v3.6.0-RC1^0
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=705cccba514cbf52288c7bedf51649e32bd5d102;p=thirdparty%2Fpostfix.git

postfix-3.6.0-RC1
---

diff --git a/postfix/HISTORY b/postfix/HISTORY
index 803e2851b..56d3ee3c1 100644
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@@ -25255,8 +25255,8 @@ Apologies for any names omitted.
 20201031
 
 	Cleanup: don't split a space-comma separated address list
-	on on space or comma inside a quoted string. Files:
-	util/mystrtok.c, util/mystetok.ref, global/login_sender_match.c.
+	on space or comma inside a quoted string. Files: util/mystrtok.c,
+	util/mystrtok.ref, global/login_sender_match.c.
 
 20201101
 
@@ -25547,3 +25547,9 @@ Apologies for any names omitted.
 	proto/MYSQL_README.html, proto/PGSQL_README.html,
 	proto/SASL_README.html, proto/SQLITE_README.html,
 	proto/TLS_README.html.
+
+20210422
+
+	Cleanup: in the Postfix SMTP and LMTP client, prepend Return-Path
+	and other headers in the same order as in other Postfix delivery
+	agents. Adi Prasaja. File: smtp/smtp_proto.c.
diff --git a/postfix/RELEASE_NOTES b/postfix/RELEASE_NOTES
index d96997d68..887464104 100644
--- a/postfix/RELEASE_NOTES
+++ b/postfix/RELEASE_NOTES
@@ -1,13 +1,13 @@
-This is the Postfix 3.6 (experimental) release.
+This is the Postfix 3.6 (stable) release.
 
-The stable Postfix release is called postfix-3.5.x where 3=major
-release number, 5=minor release number, x=patchlevel.  The stable
+The stable Postfix release is called postfix-3.6.x where 3=major
+release number, 6=minor release number, x=patchlevel. The stable
 release never changes except for patches that address bugs or
 emergencies. Patches change the patchlevel and the release date.
 
 New features are developed in snapshot releases. These are called
-postfix-3.6-yyyymmdd where yyyymmdd is the release date (yyyy=year,
-mm=month, dd=day).  Patches are never issued for snapshot releases;
+postfix-3.7-yyyymmdd where yyyymmdd is the release date (yyyy=year,
+mm=month, dd=day). Patches are never issued for snapshot releases;
 instead, a new snapshot is released.
 
 The mail_release_date configuration parameter (format: yyyymmdd)
@@ -25,102 +25,93 @@ more recent Eclipse Public License 2.0. Recipients can choose to take
 the software under the license of their choice. Those who are more
 comfortable with the IPL can continue with that license.
 
-Major changes with snapshot 20210220
-====================================
+Major changes - compatibility level
+-----------------------------------
 
-Postfix version 3.6 deprecates terminology that implies white is
-better than black. Instead, Postfix prefers 'allowlist', 'denylist',
-and variations on those words.
+[Feature 20210109] Starting with Postfix version 3.6, the compatibility
+level is "3.6". In future Postfix releases, the compatibility level will
+be the Postfix version that introduced the last incompatible change. The
+level is formatted as 'major.minor.patch', where 'patch' is usually
+omitted and defaults to zero. Earlier compatibility levels are 0, 1 and 2.
 
-Set "respectful_logging = no" in main.cf to keep using the old
-behavior (parameter names and logging).
+This also introduces main.cf and master.cf support for the <=level,
+<level, and other operators to compare compatibility levels. With the
+standard <=, <, etc. operators, compatibility level 3.10 would be less
+than 3.9. which is undesirable.
 
-Noel Jones assisted with the initial transition.
+Major changes - delivery logging
+--------------------------------
 
-Changes in documentation
-------------------------
-
-Documentation was updated to use 'allowlist', 'denylist', etc.
-These documentation changes do not affect Postfix behavior.
+[Incompat 20200531] Postfix delivery agents now log an explicit record
+when delegating delivery to a different Postfix delivery agent.
 
-Changes in parameter names
---------------------------
-
-The following parameters replace names that contain 'blacklist' or
-'whitelist':
-
-    postscreen_allowlist_interfaces
-    postscreen_denylist_action
-    postscreen_dnsbl_allowlist_threshold
+For example, with "best_mx_transport = local", an SMTP delivery
+agent will now log when a recipient will be delivered locally. This
+makes the delegating delivery agent visible, where it would otherwise
+have remained invisible, which would complicate troubleshooting.
 
-These new parameters have backwards-compatible default settings
-that support the old parameter names, so that the name change should
-not affect Postfix behavior. This means that existing management tools
-that use the old parameter names should keep working as before.
+  postfix/smtp[pid]: queueid: passing <recipient> to transport=local
 
-This compatibility safety net may break when some management tools
-use the new parameter names, and some use the old names, such that
-different tools will disagree on how Postfix works.
+This will usually be followed by logging for an actual delivery:
 
-Changes in logging
-------------------
+  postfix/local[pid]: queueid: to=<recipient>, relay=local, ...
 
-The following logging replaces forms that contain 'blacklist' or
-'whitelist':
+Other examples: the local delivery agent defers mailbox delivery
+through mailbox_transport or through fallback_transport.
 
-    postfix/postscreen[pid]: ALLOWLIST VETO [address]:port
-    postfix/postscreen[pid]: ALLOWLISTED [address]:port
-    postfix/postscreen[pid]: DENYLISTED [address]:port
+Major changes - dns lookups
+---------------------------
 
-To avoid breaking logfile analysis tools, Postfix keeps logging the old
-forms by default, as long as the compatibility_level parameter setting
-is less than 3.6, and the respectful_logging parameter is not explicitly
-configured. As a reminder, Postfix will log the following:
+[Feature 20200509] The threadsafe resolver API (res_nxxx() calls) is now
+the default, not because the API is threadsafe, but because new features
+are being added there.
 
-    postfix/postscreen[pid]: Using backwards-compatible default setting
-        respectful_logging=no for client [address]:port
+To build old style, build with:
 
-To keep logging the old form, make the setting "respectful_logging =
-no" permanent in main.cf, for example:
+    make makefiles CCARGS="-DNO_RES_NCALLS..."
 
-    # postconf "respectful_logging = no"
-    # postfix reload
+This is also the default for systems that are known not to support
+the threadsafe resolver API.
 
-To stop the reminder, configure the respectful_logging parameter to
-"yes" or "no", or configure "compatibility_level = 3.6".
+Major changes - error logging
+-----------------------------
 
-Major changes with snapshot 20210109
-====================================
+[Incompat 20200531] Postfix programs will now log "Application error"
+instead of "Success" or "Unknown error: 0" when an operation fails with
+errno == 0.
 
-Starting with Postfix version 3.6, the "latest" compatibility level
-is the Postfix version that introduced the last incompatible change.
-The level is formatted as 'major.minor.patch', where 'patch' is
-usually omitted and defaults to zero. Earlier compatibility levels
-are 0, 1 and 2.
+Major changes - internal protocol identification
+------------------------------------------------
 
-This also introduces support for the <=level, <level, and other
-operators to compare compatibility levels. With the standard <=,
-<, etc.  operators, compatibility level 3.10 would be less than 3.9
-which is undesirable.
+[Incompat 20200920] Internal protocols have changed. You need to
+"postfix stop" before updating, or before backing out to an earlier
+release, otherwise long-running daemons (pickup, qmgr, verify, tlsproxy,
+postscreen) may fail to communicate with the rest of Postfix, causing
+warnings or timeouts.
 
-Major changes with snapshot 20201205
-====================================
+The purpose of this change is to produce better error messages, for
+example, when someone configures the discard daemon as a bounce
+service in master.cf, or vice versa.
 
-Support for threaded bounces. This allows mail readers to present
-a non-delivery notification in the same email thread as the original
-message.
+This change will break third-party programs that implement a
+Postfix-internal protocol such as qpsmtpd. This is not a Postfix bug:
+programs that depend on Postfix internal details have never been
+supported.
 
-Unfortunately, this also makes it easy for users to mistakenly delete
-the whole email thread (all related messages), instead of deleting
-only the non-delivery notification.
+Major changes - known tcp ports
+-------------------------------
 
-To enable, specify "enable_threaded_bounces = yes".
+[Feature 20210418] The new "known_tcp_ports" configuration parameter
+reduces Postfix dependency on the services(5) database. On some systems
+the port 465 service is called "smtps", and on other systems it is called
+"submissions". The default known_tcp_ports value is "lmtp=24, smtp=25,
+smtps=submissions=465, submission=587".
 
-Major changes with snapshot 20201025
-====================================
+Major changes - local_login_sender_maps
+---------------------------------------
 
-Fine-grained control over the envelope sender address for submission
-with the Postfix sendmail (or postdrop) commands.
+[Feature 20201025] Fine-grained control over the envelope sender address
+for submission with the Postfix sendmail (or postdrop) commands.
 
 The local_login_sender_maps parameter (default: static:*) specifies
 a list of lookup tables that are searched by the UNIX login name, and
@@ -128,8 +119,9 @@ that return a list of allowed envelope sender patterns separated by
 space or comma. The default is backwards-compatible: every user may
 specify any sender envelope address.
 
-When no UNIX login name is available, the Postfix postdrop command
-will prepend "uid:" to the numerical UID and use that instead.
+This feature is enforced by the postdrop command. When no UNIX login
+name is available, the Postfix postdrop command will prepend "uid:"
+to the numerical UID and use that instead.
 
 This feature ignores address extensions in the user-specified
 envelope sender address.
@@ -153,119 +145,120 @@ Example:
    # Allow both the bare username and the user@domain forms.
     /(.+)/ $1 $1@example.com
 
-Major changes with snapshot 20201003
-====================================
-
-The Postfix build system will no longer automatically disable DNSSEC
-support when it determines that Postfix will use libc-musl. Instead,
-Postfix will rely on the new dnssec_probe feature to determine at
-runtime if DNSSEC validation is available. DNSSEC support may be
-broken for reasons other than compatibility issues with the libc
-implementation.
-
-Major changes with snapshot 20200930
-====================================
-
-When a Postfix process requests DNSSEC support (typically, for
-Postfix DANE support), the process may do a one-time test to determine
-if DNSSEC validation is available. DNSSEC support may be broken
-because of local configuration, libc incompatibility, or network
-infrastructure issues.
-
-Background: DNSSEC validation is needed for Postfix DANE support;
-this ensures that Postfix receives TLSA records with secure TLS
-server certificate info. When DNSSEC validation is unavailable,
-mail deliveries using opportunistic DANE will not be protected by
-server certificate info in TLSA records, and mail deliveries using
-mandatory DANE will not be made at all.
-
-The dnssec_probe parameter specifies the DNS query type (default:
-"ns") and DNS query name (default: ".") that Postfix may use to
-determine whether DNSSEC validation is available. Specify an empty
-value to disable this feature.
-
-By default, a Postfix process will send a DNSSEC probe after 1) the
-process made a DNS query that requested DNSSEC validation, 2) the
-process did not receive a DNSSEC validated response to this query
-or to an earlier query, and 3) the process did not already send a
-DNSSEC probe.
-
-When the DNSSEC probe has no response, or when the response is not
-DNSSEC validated, Postfix logs a warning that DNSSEC validation may
-be unavailable. Examples:
-
-warning: DNSSEC validation may be unavailable
-warning: reason: dnssec_probe 'ns:.' received a response that is not DNSSEC validated
-warning: reason: dnssec_probe 'ns:.' received no response: Server failure
-
-Incompatible change with snapshot 20200920
-==========================================
-
-Internal protocols have changed. You need to "postfix stop" before
-updating, or before backing out to an earlier release, otherwise
-long-running daemons (pickup, qmgr, verify, tlsproxy, postscreen)
-may fail to communicate with the rest of Postfix (warnings, timeouts).
+Major changes - order of relay and recipient restrictions
+---------------------------------------------------------
 
-The purpose of this change is to produce better error messages, for
-example, when someone configures the discard daemon as a bounce
-service in master.cf, or vice versa.
+[Incompat 20210131] With smtpd_relay_before_recipient_restrictions=yes,
+the Postfix SMTP server will evaluate smtpd_relay_restrictions before
+smtpd_recipient_restrictions. This is the default behavior with
+compatibility_level >= 3.6.
 
-This change will break third-party code that implements a
-Postfix-internal protocol such as qpsmtpd. Programs that depend on
-Postfix internal details are not supported.
+This change makes the implemented behavior consistent with existing
+documentation. There is a backwards-compatibility warning that allows
+users to freeze historical behavior. See COMPATIBILITY_README for
+details.
 
-Incompatible change with snapshot 20200705
-==========================================
+Major changes - respectful logging
+----------------------------------
 
-The minimum OpenSSL version is 1.1.1, which will reach the end
-of life by 2023-09-11.
+[Feature 20210220] Postfix version 3.6 deprecates terminology
+that implies white is better than black. Instead, Postfix prefers
+'allowlist', 'denylist', and variations on those words. This change
+affects Postfix documentation, and postscreen parameters and logging.
 
-The default digest has changed from md5 to sha256 (Postfix 3.6 with
-compatibility_level >= 3). With a lower compatibility_level setting,
-Postfix defaults to using md5, and logs a warning when a Postfix
-configuration specifies no explicit digest type.
+To keep the old postscreen logging set "respectful_logging = no"
+in main.cf.
 
-Export-grade Diffie-Hellman key exchange is no longer supported,
-and the tlsproxy_tls_dh512_param_file parameter is ignored,
+Noel Jones assisted with the initial transition.
 
-Incompatible change with snapshot 20200531
-==========================================
+Changes in documentation
+------------------------
 
-Postfix delivery agents now log an explicit record when delegating
-delivery to a different Postfix delivery agent.
+Postfix documentation was updated to use 'allowlist', 'denylist', etc.
+These documentation changes do not affect Postfix behavior.
 
-For example, with "best_mx_transport = local", an SMTP delivery
-agent will now log when a recipient will be delivered locally. This
-makes the delegating delivery agent visible, where it would otherwise
-have remained invisible, which would complicate troubleshooting.
+Changes in parameter names
+--------------------------
 
-  postfix/smtp[pid]: queueid: passing <recipient> to transport=local
+The following postscreen parameters replace names that contain 'blacklist'
+or 'whitelist':
 
-This will usually be followed by logging for an actual delivery:
+    postscreen_allowlist_interfaces
+    postscreen_denylist_action
+    postscreen_dnsbl_allowlist_threshold
 
-  postfix/local[pid]: queueid: to=<recipient>, relay=local, ...
+These new parameters have backwards-compatible default settings
+that support the old parameter names, so that the name change should
+not affect Postfix behavior. This means that existing management tools
+that use the old parameter names should keep working as before.
 
-Other examples: the local delivery agent defers mailbox delivery
-through mailbox_transport or through fallback_transport.
+This compatibility safety net may break when some management tools
+use the new parameter names, and some use the old names, such that
+different tools will disagree on how Postfix works.
 
-Major changes with snapshot 20200509
-====================================
+Changes in logging
+------------------
 
-The threadsafe resolver API (res_nxxx() calls) is now the default,
-not because the API is threadsafe, but because new features are
-being added there.
+The following logging replaces forms that contain 'blacklist' or
+'whitelist':
 
-To build old style, build with:
+    postfix/postscreen[pid]: ALLOWLIST VETO [address]:port
+    postfix/postscreen[pid]: ALLOWLISTED [address]:port
+    postfix/postscreen[pid]: DENYLISTED [address]:port
 
-    make makefiles CCARGS="-DNO_RES_NCALLS..."
+To avoid breaking logfile analysis tools, Postfix keeps logging the old
+forms by default, as long as the compatibility_level parameter setting
+is less than 3.6, and the respectful_logging parameter is not explicitly
+configured. As a reminder, Postfix will log the following:
 
-This is also the default for systems that are known not to support
-the threadsafe resolver API, such systems that use libc-musl.
+    postfix/postscreen[pid]: Using backwards-compatible default setting
+        respectful_logging=no for client [address]:port
+
+To keep logging the old form, make the setting "respectful_logging =
+no" permanent in main.cf, for example:
+
+    # postconf "respectful_logging = no"
+    # postfix reload
+
+To stop the reminder, configure the respectful_logging parameter to
+"yes" or "no", or configure "compatibility_level = 3.6".
+
+Major changes - smtpd_sasl_mechanism_list
+-----------------------------------------
+
+[Feature 20200906] The smtpd_sasl_mechanism_list parameter (default:
+!external, static:rest) prevents confusing errors when a SASL backend
+announces EXTERNAL support which Postfix does not support.
+
+Major changes - threaded bounces
+--------------------------------
+
+[Feature 20201205] Support for threaded bounces. This allows mail readers
+to present a bounce, delay, or success delivery notification in the same
+email thread as the original message.
+
+Unfortunately, this also makes it easy for users to mistakenly delete
+the whole email thread (all related messages), instead of deleting
+only the delivery status notification.
+
+To enable, specify "enable_threaded_bounces = yes".
+
+Major changes - tls
+-------------------
+
+[Incompat 20200705] The minimum OpenSSL version is 1.1.1, which will
+reach the end of life by 2023-09-11.
+
+The default digest has changed from md5 to sha256 (Postfix 3.6 with
+compatibility_level >= 3). With a lower compatibility_level setting,
+Postfix defaults to using md5, and logs a warning when a Postfix
+configuration specifies no explicit digest type.
+
+Export-grade Diffie-Hellman key exchange is no longer supported,
+and the tlsproxy_tls_dh512_param_file parameter is ignored,
 
-Incompatible changes with snapshot 20200416
-===========================================
+[Feature 20200906] The tlstype.pl helper script by Viktor Dukhovni
+reports TLS information per message delivery. This processes output
+from the collate.pl script. See auxiliary/collate/README.tlstype and
+auxiliary/collate/tlstype.pl.
 
-Security: this release disables DANE support on Linux systems with
-libc-musl, because libc-musl provides no indication whether DNS
-responses are authentic. This broke DANE support without a clear
-explanation.
diff --git a/postfix/WISHLIST b/postfix/WISHLIST
index 30b15c962..3c6c7fbd2 100644
--- a/postfix/WISHLIST
+++ b/postfix/WISHLIST
@@ -5,11 +5,17 @@ Wish list:
 	Make smtpd_relay_before_recipient_restrictions settable
 	in smtpd_checks tests.
 
-	Make the DNS resolver library pluggable, so that we can
+	Make the DNS resolver library pluggable, so that we can a)
 	plug in a fake resolver library for DNS-related regression
-	tests to make DNS tests hermetic (no external dependency).
-	After the resolver library is pluggable, the migration to
-	non-libbind resolvers becomes a practical option.
+	tests and make DNS tests hermetic (no external dependency;
+	b) add support for non-libbind resolvers. Gracefully handle
+	requests for unsupported functionality; return an error status,
+	instead of terminating.
+
+	Inline regexp/pcre/cidr table support. If the table name is
+	a string inside {}, then split the string on comma (ignoring
+	commas inside {}), write each resulting fragment as one line to
+	a VSTRING buffer, and open that buffer as a memory file.
 
 	Add a robust dnssec_probe regression test (success and fail)
 	that does not break existing regression tests.
@@ -33,17 +39,23 @@ Wish list:
 	More accurate address verification: do a quota check before
 	reporting that a local(8) or virtual(8) recipient is deliverable.
 
-	Eliminate duplicate user_acl check from sendmail, and pass
-	the result through the postdrop-to-sendmail protocol. This
-	requires that postdrop reads all inputs before responding.
-	Then we can also consider to save input to dead.letter (drop
-	setgid privilege, use safe_open() to avoid clobbering files).
+	Eliminate duplicate mail submission permission checks from
+	sendmail, so that they happen in postdrop only. Then, pass the
+	result through the postdrop-to-sendmail protocol. This requires
+	that postdrop reads all inputs before responding (the
+	local_login_sender_maps check depends on the envelope
+	sender). Then sendmail can save input to dead.letter (no setgid
+	privilege, but it would still have to use safe_open() to avoid
+	clobbering files).
 
 	Consider removing compat_level_from_numbers() and aliases,
 	because they are no longer used anywhere.
 
-	Allow '}' at the beginning of a line. This would make
-	multi-line configuration settings easier to enter.
+	Allow '}' at the beginning of a line. This would make multi-line
+	configuration settings easier to enter. This may be true
+	for main.cf, master.cf and similar files (such as database
+	configuration files, but not necessarily elsewhere). So it
+	would have to be a readlline flag.
 
 	Understand what happens with DNSSEC related status fields 
 	in posttls-finger when resolv.conf points to a host that
@@ -68,14 +80,8 @@ Wish list:
 	Update makedefs and sys-defs.h for current Linux kernels and
 	*BSD releases.
 
-	DNS wrapper class, like XSASL, to support different stub
-	resolvers without contaminating Postfix programs with the
-	idiosyncracies of stub resolvers. Handle differences in
-	resolver feature sets gracefully: an unsupported request
-	will result in an error status, not program termination.
-
 	When a secondary instance has no multi_instance_name set,
-`	postmulti -i won't be able to find it.
+	postmulti -i won't be able to find it.
 
 	Read http://mmogilvi.users.sourceforge.net/software/oauthbearer.html
 	and see how we can improve on the Postfix side.
diff --git a/postfix/makedefs b/postfix/makedefs
index 280339750..3448c1e54 100644
--- a/postfix/makedefs
+++ b/postfix/makedefs
@@ -889,7 +889,7 @@ case "$CC" in
 esac
 
 # Snapshot only.
-CCARGS="$CCARGS -DSNAPSHOT"
+#CCARGS="$CCARGS -DSNAPSHOT"
 
 # Non-production: needs thorough testing, or major changes are still
 # needed before the code stabilizes.
diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h
index f5967bf12..925d87c41 100644
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@@ -20,8 +20,8 @@
   * Patches change both the patchlevel and the release date. Snapshots have no
   * patchlevel; they change the release date only.
   */
-#define MAIL_RELEASE_DATE	"20210422"
-#define MAIL_VERSION_NUMBER	"3.6"
+#define MAIL_RELEASE_DATE	"20210424"
+#define MAIL_VERSION_NUMBER	"3.6.0-RC1"
 
 #ifdef SNAPSHOT
 #define MAIL_VERSION_DATE	"-" MAIL_RELEASE_DATE
diff --git a/postfix/src/smtp/smtp_proto.c b/postfix/src/smtp/smtp_proto.c
index 2bb3d3ca6..9287d3198 100644
--- a/postfix/src/smtp/smtp_proto.c
+++ b/postfix/src/smtp/smtp_proto.c
@@ -1430,17 +1430,18 @@ static int smtp_out_add_header(SMTP_STATE *state, const char *label,
 
 static int smtp_out_add_headers(SMTP_STATE *state)
 {
-    if (smtp_cli_attr.flags & SMTP_CLI_FLAG_DELIVERED_TO)
-	if (smtp_out_add_header(state, "Delivered-To", "",
-			   state->request->rcpt_list.info->address, "") < 0)
+    /* Prepend headers in the same order as mail_copy.c. */
+    if (smtp_cli_attr.flags & SMTP_CLI_FLAG_RETURN_PATH)
+	if (smtp_out_add_header(state, "Return-Path", "<",
+				state->request->sender, ">") < 0)
 	    return (-1);
     if (smtp_cli_attr.flags & SMTP_CLI_FLAG_ORIG_RCPT)
 	if (smtp_out_add_header(state, "X-Original-To", "",
 			 state->request->rcpt_list.info->orig_addr, "") < 0)
 	    return (-1);
-    if (smtp_cli_attr.flags & SMTP_CLI_FLAG_RETURN_PATH)
-	if (smtp_out_add_header(state, "Return-Path", "<",
-				state->request->sender, ">") < 0)
+    if (smtp_cli_attr.flags & SMTP_CLI_FLAG_DELIVERED_TO)
+	if (smtp_out_add_header(state, "Delivered-To", "",
+			   state->request->rcpt_list.info->address, "") < 0)
 	    return (-1);
     return (0);
 }