From: Wietse Venema
The following messages may be logged:
@@ -60,6 +60,9 @@ default setting append_dot_mydomain=yesUsing backwards-compatible +default setting smtpd_relay_restrictions = (empty)
+Using backwards-compatible default setting mynetworks_style=subnet
@@ -79,15 +82,19 @@ sections that follow.When no more backwards-compatible settings need to be made permanent, the system administrator should turn off the backwards-compatibility safety net as described at the -end of this document.
+end of this document.The append_dot_mydomain default value has changed from "yes" -to "no". As long as the append_dot_mydomain parameter is left at -its implicit default value, and the backwards-compatible default -setting is turned on, Postfix may log one of the following messages:
+to "no". This could result in unexpected non-delivery of email after +Postfix is updated from an older version. The backwards-compatibility +safety net is designed to prevent such surprises. + +As long as the append_dot_mydomain parameter is left at +its implicit default value, and the compatibility_level setting is +less than 1, Postfix may log one of the following messages:
The master.cf chroot default value has changed from "y" (yes) -to "n" (no). As long as a master.cf chroot field is left at its -implicit default value, and the backwards-compatible default setting -is turned on, Postfix may log the following message while it +to "n" (no). The new default avoids the need for copies of system +files under the Postfix queue directory. However, sites with strict +security requirements may want to keep the chroot feature enabled +after updating Postfix from an older version. The backwards-compatibility +safety net is designed allow the administrator to choose if they +want to keep the old behavior.
+ +As long as a master.cf chroot field is left at its +implicit default value, and the compatibility_level setting +is less than 1, Postfix may log the following message while it reads the master.cf file:
@@ -160,15 +174,58 @@ setting for the "smtp inet" service:+
The smtpd_relay_restrictions feature was introduced with Postfix +version 2.10, as a safety mechanism for configuration errors in +smtpd_recipient_restrictions that could make Postfix an open relay. +
+ +The smtpd_relay_restrictions implicit default setting forbids +mail to remote destinations from clients that don't match +permit_mynetworks or permit_sasl_authenticated. This could result +in unexpected 'Relay access denied' errors after Postfix is updated +from an older Postfix version. The backwards-compatibility safety +net is designed to prevent such surprises.
+ +When the compatibility_level less than 1, and the +smtpd_relay_restrictions parameter is left at its implicit default +setting, Postfix may log the following message:
+ +++ ++postfix/smtpd[38463]: using backwards-compatible default setting + "smtpd_relay_restrictions = (empty)" to avoid "Relay access + denied" error for recipient "user@example.com" from client + "host.example.net[10.0.0.2]" ++
If this request should not be blocked, then the system +administrator should make the backwards-compatible setting +"smtpd_relay_restrictions=" (i.e. empty) permanent in main.cf: + +
+++# postconf smtpd_relay_restrictions= +# postfix reload ++
The mynetworks_style default value has changed from "subnet" to "host". This parameter is used to implement the "permit_mynetworks" -feature. As long as the mynetworks and mynetworks_style parameters -are left at their implicit default values, and the backwards-compatible -default setting is turned on, the Postfix SMTP server may log one -of the following messages:
+feature. The change could in unexpected 'access denied' errors after +Postfix is updated from an older version. The backwards-compatibility +safety net is designed to prevent such surprises. + +As long as the mynetworks and mynetworks_style parameters are +left at their implicit default values, and the compatibility_level +setting is less than 2, the Postfix SMTP server may log one of the +following messages:
@@ -201,10 +258,14 @@ administrator should make the backwards-compatible setting setting relay_domains=$mydestinationThe relay_domains default value has changed from "$mydestination" -to the empty value. As long as the relay_domains parameter is left -at its implicit default value, and the backwards-compatible default -setting is turned on, Postfix may log one of the following messages. -
+to the empty value. This could result in unexpected 'Relay access +denied' errors or ETRN errors after Postfix is updated from an older +version. The backwards-compatibility safety net is designed to +prevent such surprises. + +As long as the relay_domains parameter is left at its implicit +default value, and the compatibility_level setting is less than 2, +Postfix may log one of the following messages.
@@ -268,13 +329,13 @@ setting smtputf8_enable=no
The smtputf8_enable default value has changed from "no" to "yes. With the new "yes" setting, the Postfix SMTP server rejects non-ASCII -addresses from clients that don't request SMTPUTF8 support. With -the old "no" setting, Postfix will accept such addresses, even if -such addresses are not permitted by traditional SMTP standards.
+addresses from clients that don't request SMTPUTF8 support, after +Postfix is updated from an older version. The backwards-compatibility +safety net is designed to prevent such surprises.As long as the smtputf8_enable parameter is left at its implicit -default value, and the backwards-compatible default setting is -turned on, Postfix logs a warning each time an SMTP command uses a +default value, and the compatibility_level setting is +less than 1, Postfix logs a warning each time an SMTP command uses a non-ASCII address localpart without requesting SMTPUTF8 support:
diff --git a/postfix/proto/COMPATIBILITY_README.html b/postfix/proto/COMPATIBILITY_README.html index e8a3a60da..291979d98 100644 --- a/postfix/proto/COMPATIBILITY_README.html +++ b/postfix/proto/COMPATIBILITY_README.html @@ -48,7 +48,7 @@ continuity of service. Based on this logging the system administrator can decide if any backwards-compatible settings need to be made permanent in main.cf or master.cf, before turning off the backwards-compatibility safety net as described at the -end of this document. +end of this document.The following messages may be logged:
@@ -60,6 +60,9 @@ default setting append_dot_mydomain=yes- +
Using backwards-compatible +default setting smtpd_relay_restrictions = (empty)
+Using backwards-compatible default setting mynetworks_style=subnet
@@ -79,15 +82,19 @@ sections that follow.When no more backwards-compatible settings need to be made permanent, the system administrator should turn off the backwards-compatibility safety net as described at the -end of this document.
+end of this document.Using backwards-compatible default setting append_dot_mydomain=yes
The append_dot_mydomain default value has changed from "yes" -to "no". As long as the append_dot_mydomain parameter is left at -its implicit default value, and the backwards-compatible default -setting is turned on, Postfix may log one of the following messages:
+to "no". This could result in unexpected non-delivery of email after +Postfix is updated from an older version. The backwards-compatibility +safety net is designed to prevent such surprises. + +As long as the append_dot_mydomain parameter is left at +its implicit default value, and the compatibility_level setting is +less than 1, Postfix may log one of the following messages:
@@ -136,9 +143,16 @@ in main.cf: setting chroot=y
The master.cf chroot default value has changed from "y" (yes) -to "n" (no). As long as a master.cf chroot field is left at its -implicit default value, and the backwards-compatible default setting -is turned on, Postfix may log the following message while it +to "n" (no). The new default avoids the need for copies of system +files under the Postfix queue directory. However, sites with strict +security requirements may want to keep the chroot feature enabled +after updating Postfix from an older version. The backwards-compatibility +safety net is designed allow the administrator to choose if they +want to keep the old behavior.
+ +As long as a master.cf chroot field is left at its +implicit default value, and the compatibility_level setting +is less than 1, Postfix may log the following message while it reads the master.cf file:
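Review bot: The added chroot paragraph has a dropped word in "safety net is designed allow the administrator to choose"; it should read "is designed to allow". The same sentence appears in the other copy of this README earlier in the patch and needs the same fix.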
@@ -160,15 +174,58 @@ setting for the "smtp inet" service:+Using backwards-compatible default +setting smtpd_relay_restrictions = (empty)
+ +The smtpd_relay_restrictions feature was introduced with Postfix +version 2.10, as a safety mechanism for configuration errors in +smtpd_recipient_restrictions that could make Postfix an open relay. +
+ +The smtpd_relay_restrictions implicit default setting forbids +mail to remote destinations from clients that don't match +permit_mynetworks or permit_sasl_authenticated. This could result +in unexpected 'Relay access denied' errors after Postfix is updated +from an older Postfix version. The backwards-compatibility safety +net is designed to prevent such surprises.
+ +When the compatibility_level less than 1, and the +smtpd_relay_restrictions parameter is left at its implicit default +setting, Postfix may log the following message:
+ +++ ++postfix/smtpd[38463]: using backwards-compatible default setting + "smtpd_relay_restrictions = (empty)" to avoid "Relay access + denied" error for recipient "user@example.com" from client + "host.example.net[10.0.0.2]" ++If this request should not be blocked, then the system +administrator should make the backwards-compatible setting +"smtpd_relay_restrictions=" (i.e. empty) permanent in main.cf: + +
+++# postconf smtpd_relay_restrictions= +# postfix reload ++Using backwards-compatible default setting mynetworks_style=subnet
The mynetworks_style default value has changed from "subnet" to "host". This parameter is used to implement the "permit_mynetworks" -feature. As long as the mynetworks and mynetworks_style parameters -are left at their implicit default values, and the backwards-compatible -default setting is turned on, the Postfix SMTP server may log one -of the following messages:
+feature. The change could in unexpected 'access denied' errors after +Postfix is updated from an older version. The backwards-compatibility +safety net is designed to prevent such surprises. + +As long as the mynetworks and mynetworks_style parameters are +left at their implicit default values, and the compatibility_level +setting is less than 2, the Postfix SMTP server may log one of the +following messages:
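Review bot: The new smtpd_relay_restrictions section tells the administrator to make "smtpd_relay_restrictions=" (empty) permanent without saying what then enforces relay control. The same section introduces the parameter as a safety mechanism against smtpd_recipient_restrictions errors that could make Postfix an open relay. Before the postconf command, add a sentence saying the empty setting is appropriate only when smtpd_recipient_restrictions already rejects unauthorized destinations. Two added sentences in this hunk are also missing words: "When the compatibility_level less than 1" needs "is", and "The change could in unexpected 'access denied' errors" needs "result".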
@@ -201,10 +258,14 @@ administrator should make the backwards-compatible setting setting relay_domains=$mydestinationThe relay_domains default value has changed from "$mydestination" -to the empty value. As long as the relay_domains parameter is left -at its implicit default value, and the backwards-compatible default -setting is turned on, Postfix may log one of the following messages. -
+to the empty value. This could result in unexpected 'Relay access +denied' errors or ETRN errors after Postfix is updated from an older +version. The backwards-compatibility safety net is designed to +prevent such surprises. + +As long as the relay_domains parameter is left at its implicit +default value, and the compatibility_level setting is less than 2, +Postfix may log one of the following messages.
@@ -268,13 +329,13 @@ setting smtputf8_enable=no
The smtputf8_enable default value has changed from "no" to "yes. With the new "yes" setting, the Postfix SMTP server rejects non-ASCII -addresses from clients that don't request SMTPUTF8 support. With -the old "no" setting, Postfix will accept such addresses, even if -such addresses are not permitted by traditional SMTP standards.
+addresses from clients that don't request SMTPUTF8 support, after +Postfix is updated from an older version. The backwards-compatibility +safety net is designed to prevent such surprises.As long as the smtputf8_enable parameter is left at its implicit -default value, and the backwards-compatible default setting is -turned on, Postfix logs a warning each time an SMTP command uses a +default value, and the compatibility_level setting is +less than 1, Postfix logs a warning each time an SMTP command uses a non-ASCII address localpart without requesting SMTPUTF8 support:
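Review bot: The rewritten smtputf8_enable paragraph drops the statement that the old "no" setting accepts non-ASCII addresses even though traditional SMTP standards do not permit them. That is the information an administrator needs when deciding whether to make smtputf8_enable=no permanent. Keep that sentence and add the "after Postfix is updated" text alongside it. As written, "rejects non-ASCII addresses ... , after Postfix is updated from an older version" also reads as if the rejection depends on the update rather than on the setting.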
diff --git a/postfix/src/global/mail_params.c b/postfix/src/global/mail_params.c index a1bf336c1..8e69b9622 100644 --- a/postfix/src/global/mail_params.c +++ b/postfix/src/global/mail_params.c @@ -139,6 +139,7 @@ /* int warn_compat_break_app_dot_mydomain; /* int warn_compat_break_smtputf8_enable; /* int warn_compat_break_chroot; +/* int warn_compat_break_relay_restrictions; /* /* int warn_compat_break_relay_domains; /* int warn_compat_break_flush_domains; @@ -360,6 +361,7 @@ int warn_compat_break_mynetworks_style; int warn_compat_break_app_dot_mydomain; int warn_compat_break_smtputf8_enable; int warn_compat_break_chroot; +int warn_compat_break_relay_restrictions; /* check_myhostname - lookup hostname and validate */ @@ -613,6 +615,10 @@ static void check_legacy_defaults(void) if (mail_conf_lookup(VAR_MYNETWORKS) == 0 && mail_conf_lookup(VAR_MYNETWORKS_STYLE) == 0) warn_compat_break_mynetworks_style = 1; + } else { /* for 'postfix reload' */ + warn_compat_break_relay_domains = 0; + warn_compat_break_flush_domains = 0; + warn_compat_break_mynetworks_style = 0; } /* @@ -631,6 +637,17 @@ static void check_legacy_defaults(void) if (mail_conf_lookup(VAR_SMTPUTF8_ENABLE) == 0) warn_compat_break_smtputf8_enable = 1; warn_compat_break_chroot = 1; + + /* + * Grandfathered in to help sites migrating from Postfix <2.10. + */ + if (mail_conf_lookup(VAR_RELAY_CHECKS) == 0) + warn_compat_break_relay_restrictions = 1; + } else { /* for 'postfix reload' */ + warn_compat_break_app_dot_mydomain = 0; + warn_compat_break_smtputf8_enable = 0; + warn_compat_break_chroot = 0; + warn_compat_break_relay_restrictions = 0; } } diff --git a/postfix/src/global/mail_params.h b/postfix/src/global/mail_params.h index be6970a28..d156d29c7 100644 --- a/postfix/src/global/mail_params.h +++ b/postfix/src/global/mail_params.h 
@@ -55,6 +55,7 @@ extern int var_compat_level; extern int warn_compat_break_app_dot_mydomain; extern int warn_compat_break_smtputf8_enable; extern int warn_compat_break_chroot; +extern int warn_compat_break_relay_restrictions; /* Postfix 2.10. */ extern int warn_compat_break_relay_domains; extern int warn_compat_break_flush_domains; @@ -2072,11 +2073,20 @@ extern char *var_helo_checks; extern char *var_mail_checks; #define VAR_RELAY_CHECKS "smtpd_relay_restrictions" -#define DEF_RELAY_CHECKS PERMIT_MYNETWORKS ", " \ +#define DEF_RELAY_CHECKS "${{$compatibility_level} < {1} ? " \ + "{} : {" PERMIT_MYNETWORKS ", " \ PERMIT_SASL_AUTH ", " \ - DEFER_UNAUTH_DEST + DEFER_UNAUTH_DEST "}}" extern char *var_relay_checks; + /* + * For warn_compat_break_relay_domains check. Same as DEF_RELAY_CHECKS + * except that it evaluates to DUNNO instead of REJECT. + */ +#define FAKE_RELAY_CHECKS PERMIT_MYNETWORKS ", " \ + PERMIT_SASL_AUTH ", " \ + PERMIT_AUTH_DEST + #define VAR_RCPT_CHECKS "smtpd_recipient_restrictions" #define DEF_RCPT_CHECKS "" extern char *var_rcpt_checks; @@ -3301,6 +3311,7 @@ extern char *var_smtpd_milters; #define VAR_SMTPD_MILTER_MAPS "smtpd_milter_maps" #define DEF_SMTPD_MILTER_MAPS "" extern char *var_smtpd_milter_maps; + #define SMTPD_MILTERS_DISABLE "DISABLE" #define VAR_CLEANUP_MILTERS "non_smtpd_milters" diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index d7e69da27..cdcd3308c 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h @@ -20,7 +20,7 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20171229" +#define MAIL_RELEASE_DATE "20180106" #define MAIL_VERSION_NUMBER "3.3" #ifdef SNAPSHOT diff --git a/postfix/src/local/mailbox.c b/postfix/src/local/mailbox.c index 887333c62..1fbbd9c77 100644 --- a/postfix/src/local/mailbox.c +++ b/postfix/src/local/mailbox.c 
@@ -97,7 +97,7 @@ static int deliver_mailbox_file(LOCAL_STATE state, USER_ATTR usr_attr) int deliver_status; int copy_flags; VSTRING *biff; - long end; + off_t end; struct stat st; uid_t spool_uid; gid_t spool_gid; @@ -202,7 +202,8 @@ static int deliver_mailbox_file(LOCAL_STATE state, USER_ATTR usr_attr) msg_warn("specify \"%s = no\" to ignore mailbox ownership mismatch", VAR_STRICT_MBOX_OWNER); } else { - end = vstream_fseek(mp->fp, (off_t) 0, SEEK_END); + if ((end = vstream_fseek(mp->fp, (off_t) 0, SEEK_END)) < 0) + msg_fatal("seek mailbox file %s: %m", myname, mailbox); mail_copy_status = mail_copy(COPY_ATTR(state.msg_attr), mp->fp, copy_flags, "\n", why); } diff --git a/postfix/src/smtpd/smtpd_check.c b/postfix/src/smtpd/smtpd_check.c index e16152238..94e8c0181 100644 --- a/postfix/src/smtpd/smtpd_check.c +++ b/postfix/src/smtpd/smtpd_check.c @@ -335,6 +335,7 @@ static ARGV *client_restrctions; static ARGV *helo_restrctions; static ARGV *mail_restrctions; static ARGV *relay_restrctions; +static ARGV *fake_relay_restrctions; static ARGV *rcpt_restrctions; static ARGV *etrn_restrctions; static ARGV *data_restrctions; @@ -845,6 +846,9 @@ void smtpd_check_init(void) var_mail_checks); relay_restrctions = smtpd_check_parse(SMTPD_CHECK_PARSE_ALL, var_relay_checks); + if (warn_compat_break_relay_restrictions) + fake_relay_restrctions = smtpd_check_parse(SMTPD_CHECK_PARSE_ALL, + FAKE_RELAY_CHECKS); rcpt_restrctions = smtpd_check_parse(SMTPD_CHECK_PARSE_ALL, var_rcpt_checks); etrn_restrctions = smtpd_check_parse(SMTPD_CHECK_PARSE_ALL, 
@@ -4958,15 +4962,31 @@ char *smtpd_check_rcpt(SMTPD_STATE *state, char *recipient) * Apply restrictions in the order as specified. We allow relay * restrictions to be empty, for sites that require backwards * compatibility. + * + * If compatibility_level < 1 and smtpd_relay_restrictions is left at its + * default value, find out if the new smtpd_relay_restrictions default + * value would block the request, without logging REJECT messages. + * Approach: evaluate fake relay restrictions (permit_mynetworks, + * permit_sasl_authenticated, permit_auth_destination) and log a warning + * if the result is DUNNO instead of OK, i.e. a reject_unauth_destinatin + * at the end would have blocked the request. */ SMTPD_CHECK_RESET(); - restrctions[0] = relay_restrctions; - restrctions[1] = rcpt_restrctions; + restrctions[0] = rcpt_restrctions; + restrctions[1] = warn_compat_break_relay_restrictions ? + fake_relay_restrctions : relay_restrctions; for (n = 0; n < 2; n++) { status = setjmp(smtpd_check_buf); if (status == 0 && restrctions[n]->argc) status = generic_checks(state, restrctions[n], recipient, SMTPD_NAME_RECIPIENT, CHECK_RECIP_ACL); + if (n == 1 && warn_compat_break_relay_restrictions + && status == SMTPD_CHECK_DUNNO) { + msg_info("using backwards-compatible default setting \"" + VAR_RELAY_CHECKS " = (empty)\" to avoid \"Relay " + "access denied\" error for recipient \"%s\" from " + "client \"%s\"", state->recipient, state->namaddr); + } if (status == SMTPD_CHECK_REJECT) break; } diff --git a/postfix/src/virtual/mailbox.c b/postfix/src/virtual/mailbox.c index 9e826a0b8..19afca877 100644 --- a/postfix/src/virtual/mailbox.c +++ b/postfix/src/virtual/mailbox.c 
@@ -137,7 +137,7 @@ static int deliver_mailbox_file(LOCAL_STATE state, USER_ATTR usr_attr) VAR_STRICT_MBOX_OWNER); } else { if (vstream_fseek(mp->fp, (off_t) 0, SEEK_END) < 0) - msg_fatal("%s: seek queue file %s: %m", + msg_fatal("%s: seek mailbox file %s: %m", myname, VSTREAM_PATH(mp->fp)); mail_copy_status = mail_copy(COPY_ATTR(state.msg_attr), mp->fp, copy_flags, "\n", why);
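Review bot: In postfix/src/local/mailbox.c, deliver_mailbox_file(), the new call msg_fatal("seek mailbox file %s: %m", myname, mailbox) passes two arguments to a format with a single %s, so myname is printed where the file name belongs and mailbox is never used. Use the form that virtual/mailbox.c has in this same patch, "%s: seek mailbox file %s: %m", so that both arguments are consumed.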
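Review bot: In postfix/src/smtpd/smtpd_check.c, smtpd_check_rcpt(), the assignment restrctions[0] = rcpt_restrctions now evaluates recipient restrictions before relay restrictions for every configuration, not only when warn_compat_break_relay_restrictions is set. The comment above it still says "Apply restrictions in the order as specified" and does not mention the swap. Either confine the reordering to the compatibility case or state in the comment and the release notes that the evaluation order changed, since it determines which restriction produces the reject and its log line. The msg_info call also logs state->recipient while generic_checks is given the recipient argument; use the same value in both places. The new comment misspells reject_unauth_destination as "reject_unauth_destinatin".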
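Review bot: In postfix/src/global/mail_params.h, the comment above FAKE_RELAY_CHECKS says "For warn_compat_break_relay_domains check", but smtpd_check.c selects fake_relay_restrctions on warn_compat_break_relay_restrictions; the comment should name that flag. "Same as DEF_RELAY_CHECKS" is also no longer exact, because DEF_RELAY_CHECKS is now a conditional on $compatibility_level; say that it mirrors the non-empty branch with PERMIT_AUTH_DEST in place of DEFER_UNAUTH_DEST. The blank line added before SMTPD_MILTERS_DISABLE is unrelated whitespace and can be dropped from this change.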