From: Wietse Venema Date: Thu, 29 Apr 2021 05:00:00 +0000 (-0500) Subject: postfix-3.6.0 X-Git-Tag: v3.6.0^0 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a7a22d8aa87dbdb4fe320a078e247eff4243f3f7;p=thirdparty%2Fpostfix.git postfix-3.6.0 --- diff --git a/postfix/HISTORY b/postfix/HISTORY index 56d3ee3c1..3b6756665 100644 --- a/postfix/HISTORY +++ b/postfix/HISTORY @@ -25553,3 +25553,7 @@ Apologies for any names omitted. Cleanup: in the Postfix SMTP and LMTP client, prepend Return-Path and other headers in the same order as in other Postfix delivery agents. Adi Prasaja. File: smtp/smtp_proto.c. + +20210428 + + Documentation: update by Paul Menzel. File: proto/SASL_README.html. diff --git a/postfix/README_FILES/SASL_README b/postfix/README_FILES/SASL_README index c0e42ad67..0feebc7f5 100644 --- a/postfix/README_FILES/SASL_README +++ b/postfix/README_FILES/SASL_README @@ -1313,7 +1313,7 @@ BBuuiillddiinngg CCyyrruuss SSAASSLL ssuuppppoorrtt BBuuiillddiinngg tthhee CCyyrruuss SSAASSLL lliibbrraarryy Postfix works with cyrus-sasl-1.5.x or cyrus-sasl-2.1.x, which are available -from ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/. +from https://github.com/cyrusimap/cyrus-sasl/releases. IImmppoorrttaanntt diff --git a/postfix/RELEASE_NOTES b/postfix/RELEASE_NOTES index 887464104..d8ac90cc7 100644 --- a/postfix/RELEASE_NOTES +++ b/postfix/RELEASE_NOTES @@ -25,87 +25,77 @@ more recent Eclipse Public License 2.0. Recipients can choose to take the software under the license of their choice. Those who are more comfortable with the IPL can continue with that license. -Major changes - compatibility level ------------------------------------ - -[Feature 20210109] Starting with Postfix version 3.6, the compatibility -level is "3.6". In future Postfix releases, the compatibility level will -be the Postfix version that introduced the last incompatible change. The -level is formatted as 'major.minor.patch', where 'patch' is usually -omitted and defaults to zero. Earlier compatibility levels are 0, 1 and 2. - -This also introduces main.cf and master.cf support for the <=level, - to transport=local - -This will usually be followed by logging for an actual delivery: +Major changes - internal protocol identification +------------------------------------------------ - postfix/local[pid]: queueid: to=, relay=local, ... +[Incompat 20200920] Internal protocols have changed. You need to +"postfix stop" before updating, or before backing out to an earlier +release, otherwise long-running daemons (pickup, qmgr, verify, tlsproxy, +postscreen) may fail to communicate with the rest of Postfix, causing +mail delivery delays until Postfix is restarted. -Other examples: the local delivery agent defers mailbox delivery -through mailbox_transport or through fallback_transport. +This change does not affect message files in Postfix queue directories, +only the communication between running Postfix programs. -Major changes - dns lookups ---------------------------- +With this change, every Postfix internal service, including the postdrop +command, announces the name of its protocol before doing any other I/O. +Every Postfix client program, including the Postfix sendmail command, +will verify that the protocol name matches what it is supposed to be. -[Feature 20200509] The threadsafe resolver API (res_nxxx() calls) is now -the default, not because the API is threadsafe, but because new features -are being added there. +The purpose of this change is to produce better error messages, for +example, when someone configures the discard daemon as a bounce +service in master.cf, or vice versa. -To build old style, build with: +This change may break third-party programs that implement a +Postfix-internal protocol such as qpsmtpd. Such programs have never +been supported. Fortunately, this will be an easy fix: look at the +first data from the cleanup daemon: if it is a protocol announcement, +you're talking to Postfix 3.6 or later. That's the only real change. - make makefiles CCARGS="-DNO_RES_NCALLS..." +Major changes - tls +------------------- -This is also the default for systems that are known not to support -the threadsafe resolver API. +[Incompat 20200705] The minimum supported OpenSSL version is 1.1.1, +which will reach the end of life by 2023-09-11. Postfix 3.6 is +expected to reach the end of support in 2025. Until then, Postfix +will be updated as needed for compatibility with OpenSSL. -Major changes - error logging ------------------------------ +The default fingerprint digest has changed from md5 to sha256 (Postfix +3.6 with compatibility_level >= 3.6). With a lower compatibility_level +setting, Postfix defaults to using md5, and logs a warning when a Postfix +configuration specifies no explicit digest type. -[Incompat 20200531] Postfix programs will now log "Application error" -instead of "Success" or "Unknown error: 0" when an operation fails with -errno == 0. +Export-grade Diffie-Hellman key exchange is no longer supported, +and the tlsproxy_tls_dh512_param_file parameter is ignored, -Major changes - internal protocol identification ------------------------------------------------- +[Feature 20200906] The tlstype.pl helper script by Viktor Dukhovni +reports TLS information per message delivery. This processes output +from the collate.pl script. See auxiliary/collate/README.tlstype and +auxiliary/collate/tlstype.pl. -[Incompat 20200920] Internal protocols have changed. You need to -"postfix stop" before updating, or before backing out to an earlier -release, otherwise long-running daemons (pickup, qmgr, verify, tlsproxy, -postscreen) may fail to communicate with the rest of Postfix, causing -warnings or timeouts. +Major changes - compatibility level +----------------------------------- -The purpose of this change is to produce better error messages, for -example, when someone configures the discard daemon as a bounce -service in master.cf, or vice versa. +[Feature 20210109] Starting with Postfix version 3.6, the compatibility +level is "3.6". In future Postfix releases, the compatibility level will +be the Postfix version that introduced the last incompatible change. The +level is formatted as 'major.minor.patch', where 'patch' is usually +omitted and defaults to zero. Earlier compatibility levels are 0, 1 and 2. -This change will break third-party programs that implement a -Postfix-internal protocol such as qpsmtpd. This is not a Postfix bug: -programs that depend on Postfix internal details have never been -supported. +This also introduces main.cf and master.cf support for the <=level, + to transport=local -Major changes - tls -------------------- +This will usually be followed by logging for an actual delivery: -[Incompat 20200705] The minimum OpenSSL version is 1.1.1, which will -reach the end of life by 2023-09-11. + postfix/local[pid]: queueid: to=, relay=local, ... -The default digest has changed from md5 to sha256 (Postfix 3.6 with -compatibility_level >= 3). With a lower compatibility_level setting, -Postfix defaults to using md5, and logs a warning when a Postfix -configuration specifies no explicit digest type. +Other examples: the local delivery agent will log a record that it +defers mailbox delivery through mailbox_transport or through +fallback_transport. -Export-grade Diffie-Hellman key exchange is no longer supported, -and the tlsproxy_tls_dh512_param_file parameter is ignored, +Other changes - error logging +----------------------------- -[Feature 20200906] The tlstype.pl helper script by Viktor Dukhovni -reports TLS information per message delivery. This processes output -from the collate.pl script. See auxiliary/collate/README.tlstype and -auxiliary/collate/tlstype.pl. +[Incompat 20200531] Postfix programs will now log "Application error" +instead of "Success" or "Unknown error: 0" when an operation fails with +errno == 0, i.e., the error originates from non-kernel code. + +Other changes - dns lookups +--------------------------- + +[Feature 20200509] The threadsafe resolver API (res_nxxx() calls) +is now the default, not because the API is threadsafe, but because +this is the API where new features are being added. + +To build old style, build with: + + make makefiles CCARGS="-DNO_RES_NCALLS..." +This is the default for systems that are known not to support the +threadsafe resolver API. diff --git a/postfix/html/SASL_README.html b/postfix/html/SASL_README.html index 8fe305110..82407e7fa 100644 --- a/postfix/html/SASL_README.html +++ b/postfix/html/SASL_README.html @@ -2077,7 +2077,7 @@ options into the above command line; see the LDAP_REA

Building the Cyrus SASL library

Postfix works with cyrus-sasl-1.5.x or cyrus-sasl-2.1.x, which are -available from ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/.

+available from https://github.com/cyrusimap/cyrus-sasl/releases.

diff --git a/postfix/html/postconf.5.html b/postfix/html/postconf.5.html index 1b8f72f16..2d1875aa5 100644 --- a/postfix/html/postconf.5.html +++ b/postfix/html/postconf.5.html @@ -11330,7 +11330,7 @@ href="https://tools.ietf.org/html/rfc7672">DANE is not applicable to hosts resolved via "native" lookups.

As mentioned above, Postfix is not a validating stub +href="https://tools.ietf.org/html/rfc4035#section-4.9">stub resolver; it relies on the system's configured DNSSEC-validating recursive nameserver to perform all DNSSEC validation. Since this @@ -18768,7 +18768,7 @@ whitespace. Each digest name may be followed by an optional "=<number>" suffix. For example, "sha512" may instead be specified as "sha512=2" and "sha256" may instead be specified as "sha256=1". The optional number must match the https://www.iana.org/assignments/dane-parameters/dane-parameters.xhtml#matching-types" >IANA assigned TLSA matching type number the algorithm in question. Postfix will check this constraint for the algorithms it knows about. Additional matching type algorithms registered with IANA can be added @@ -18935,7 +18935,7 @@ is unwise to choose an "bleeding-edge" curve supported by only a small subset of clients.

The default "strong" curve is rated in NSA Suite +href="https://web.archive.org/web/20160330034144/https://www.nsa.gov/ia/programs/suiteb_cryptography/">Suite B for information classified up to SECRET.

Note: elliptic curve names are poorly standardized; different @@ -18976,7 +18976,7 @@ curve must be implemented by OpenSSL (as reported by ecparam(1) with the of RFC 4492. You should not generally change this setting.

This default "ultra" curve is rated in NSA Suite +href="https://web.archive.org/web/20160330034144/https://www.nsa.gov/ia/programs/suiteb_cryptography/">Suite B for information classified up to TOP SECRET.

If you want to take maximal advantage of ciphers that offer ) { # Hyperlink URLs and RFC documents - s/(http:\/\/[^ ,"\(\)]*[^ ,"\(\):;!?.])/$1<\/a>/; + s/(https?:\/\/[^ ,"\(\)]*[^ ,"\(\):;!?.])/$1<\/a>/; s/(ftp:\/\/[^ ,"\(\)]*[^ ,"\(\):;!?.])/$1<\/a>/; s/\bRFC\s*([1-9]\d*)/$&<\/a>/g; diff --git a/postfix/proto/SASL_README.html b/postfix/proto/SASL_README.html index 89a9162a6..932ef727b 100644 --- a/postfix/proto/SASL_README.html +++ b/postfix/proto/SASL_README.html @@ -2077,7 +2077,7 @@ TLS_README for details.

Building the Cyrus SASL library

Postfix works with cyrus-sasl-1.5.x or cyrus-sasl-2.1.x, which are -available from ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/.

+available from https://github.com/cyrusimap/cyrus-sasl/releases.

diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index 925d87c41..979123038 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h @@ -20,8 +20,8 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20210424" -#define MAIL_VERSION_NUMBER "3.6.0-RC1" +#define MAIL_RELEASE_DATE "20210429" +#define MAIL_VERSION_NUMBER "3.6.0" #ifdef SNAPSHOT #define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE