Commit Graph

97 Commits

Author SHA1 Message Date
tron 2803c3e67d There is also no HTML version of "RELEASE_NOTES". 2014-07-20 22:58:02 +00:00
tron f77c13314c Try to fix the build:
There is no "AAAREADME.html". So only attempt to install the ASCII version.

Not sure why my full build didn't catch this problem. Sorry.
2014-07-20 22:43:13 +00:00
tron 37d37f813e Rationalize README file handling:
1.) Install only README files that are relevant to the Postfix binaries
    distributed with NetBSD.
2.) Create a single list of the above files that is used for both the
    text versions and HTML versions.

Problem detected by wizd(8).
2014-07-20 15:58:06 +00:00
christos 645f974306 fix libcrypto 2014-07-08 13:04:07 +00:00
martin 36c3039dfa Add missing libcrypto 2014-07-08 09:58:12 +00:00
tron fbde56e47b Add one more file back. 2014-07-06 21:14:43 +00:00
tron 520748c7fc Add a few files back. 2014-07-06 21:04:10 +00:00
tron ebc1ac3c59 More corrections. 2014-07-06 20:41:56 +00:00
tron 8a2dc72a2c Don't install installation documentation. It is highly irrelevant. 2014-07-06 20:39:13 +00:00
tron fd0c690e3e Don't install files related to other operating systems. 2014-07-06 20:38:34 +00:00
tron 002edac652 Update list of HTML pages. 2014-07-06 20:25:48 +00:00
tron 47e2afe008 Update list of readme files. 2014-07-06 20:18:19 +00:00
tron bd1c9e2779 Build and install posttls-finger(1). 2014-07-06 20:09:26 +00:00
tron 64f47ed06c Adapt makefiles for Postfix 2.11.1. 2014-07-06 19:53:05 +00:00
tron 8fd41761ab Resolve conflicts from last import. 2014-07-06 19:45:50 +00:00
tron 16d67a18c4 Import Postfix 2.11.1. The main changes since version 2.10.* are:
- Support for PKI-less TLS server certificate verification with DANE
  (DNS-based Authentication of Named Entities) where the CA public key
  or the server certificate is identified via DNSSEC lookup. This
  requires a DNS resolver that validates DNSSEC replies. The problem
  with conventional PKI is that there are literally hundreds of
  organizations world-wide that can provide a certificate in anyone's
  name. DANE limits trust to the people who control the target DNS
  zone and its parent zones.
- A new postscreen_dnsbl_whitelist_threshold feature to allow clients
  to skip postscreen tests based on their DNSBL score. This can
  eliminate email delays due to "after 220 greeting" protocol tests,
  which otherwise require that a client reconnects before it can
  deliver mail. Some providers such as Google don't retry from the
  same IP address, and that can result in large email delivery delays.
- The recipient_delimiter feature now supports different delimiters,
  for example both "+" and "-". As before, this implementation
  recognizes exactly one delimiter character per email address, and
  exactly one address extension per email address.
- Advanced master.cf query/update support to access service attributes
  as "name = value" pairs. For example to turn off chroot on all
  services use "postconf -F '*/*/chroot = n'", and to change/add a
  "-o name=value" setting use "postconf -P 'smtp/inet/name = value'".
  This was developed primarily to allow automated tools to manage Postfix
  systems without having to parse Postfix configuration files.
2014-07-06 19:27:32 +00:00
dholland b7b7574d3b Reorg docs, part 1:
Move all the reference manuals to subdirs of /usr/share/doc/reference.
We have subdirs ref1-ref9, corresponding to man page sections 1-9.

Everything that's the reference manual for a program (sections 1, 6,
8), C interface (sections 2, 3), driver or file system (section 4),
format or configuration (section 5), or kernel internal interface
(section 9) belongs in here.

Section 7 is a little less clear: some things that might go in section
7 if they were a man page aren't really reference manuals. So I'm only
putting things in reference section 7 that are (to me) clearly
reference material, rather than e.g. tutorials, guides, FAQs, etc.
This obviously leaves some room for debate, especially without first
editing the docs with this distinction in mind, but if people hate
what I've done things can always be moved again.

Note also that while roff macro man pages traditionally go in section
7, I have put all the roff documentation (macros, tools, etc.) in one
place in reference/ref1/roff. This will make it easier to find and
also easier to edit it into some kind of coherent form.
2014-07-05 19:22:41 +00:00
tron 62ad86dede Update Postfix to version 2.10.3. Changes since version 2.10.2:
- Future proofing against OpenSSL library API changes. When support
  for a bug workaround is removed from OpenSSL, the corresponding
  named bit in tls_disable_workarounds will be ignored instead of
  causing existing Postfix configurations to fail.
- The postconf '-#' option reset prior options instead of adding to them.
- Correct an error in MULTI_INSTANCE_README Makefile example.
- Correct an error in SASL_README PostgreSQL example.
- Correct a malformed error message in conf/post-install.
2014-01-18 17:04:03 +00:00
christos 901b1f0b31 miminize diff to original. 2013-11-14 02:27:29 +00:00
christos 7524cd91bf CID 1102804: Memory leak 2013-11-14 01:39:26 +00:00
christos 13df76e42e 1102805: Memory leak 2013-11-14 01:36:00 +00:00
tron 463da012c6 Update list of generated header files. 2013-09-25 19:39:47 +00:00
tron 51c5f9b7c2 Update list of source files after import of Postfix 2.10.2. 2013-09-25 19:25:08 +00:00
tron cf7fbdea1a Resolve conflicts from last import. 2013-09-25 19:12:34 +00:00
tron e6ca80d439 Import Postfix 2.10.2. Major changes since version 2.9.* are:
- Separation of relay policy (with smtpd_relay_restrictions) from spam policy
  (with smtpd_{client, helo, sender, recipient}_restrictions), which makes
  accidental open relay configuration less likely. The default is backwards
  compatible.
- HAproxy load-balancer support for postscreen(8) and smtpd(8). The nginx
  proxy was already supported by Postfix 2.9 smtpd(8), using XCLIENT commands.
- Support for the TLSv1 and TLSv2 protocols, as well as support to turn them
  off if needed for inter-operability.
- Laptop-friendly configuration. By default, Postfix now uses UNIX-domain
  sockets instead of FIFOs, and thus avoids MTIME file system updates on an
  idle mail system.
- Revised postconf(1) command. The "-x" option expands $name in a parameter
  value (both main.cf and master.cf); the "-o name=value" option overrides
  a main.cf parameter setting; and postconf(1) now warns about a $name that
  has no name=value setting.
- Sendmail-style "socketmap" lookup tables.
2013-09-25 19:06:17 +00:00
joerg ac35abab0f Drop now redundant assignment from the MKPIC=no case. 2013-09-11 09:59:13 +00:00
joerg 912713b9c5 Explicitly link against liblber as various symbols from it are used. 2013-09-11 09:58:02 +00:00
tron 5ffceba539 esolve conflicts from last import. 2013-08-21 20:12:30 +00:00
tron d6384a751f Import Postfix 2.9.7. Changes since version 2.9.5:
- Thanks to OpenSSL documentation, the Postfix 2.9.0..2.9.5 SMTP
  client and server used an incorrect procedure to compute TLS
  certificate PUBLIC-KEY fingerprints (these may be used in the
  check_ccert_access and in smtp_tls_policy_maps features). Support
  for certificate PUBLIC-KEY finger prints was introduced with Postfix
  2.9; there is no known problem with the certificate fingerprint
  algorithms available since Postfix 2.2.
  Specify "tls_legacy_public_key_fingerprints = yes" temporarily,
  pending a migration from configuration files with incorrect Postfix
  2.9.0..2.9.5 certificate PUBLIC-KEY finger prints, to the correct
  fingerprints used by Postfix 2.9.6 and later.
- Bugfix (introduced: Postfix 2.0): when myhostname is not listed in
  mydestination, the trivial-rewrite resolver may log "do not list in both
  mydestination and ". The fix is to re-resolve a domain-less address after
  adding $myhostname as the surrogate domain, so that it pops out with the
  right address-class label. Reported by Quanah Gibson-Mount.
- Bugfix (introduced: Postfix 2.3): don't reuse TCP connections when
  smtp_tls_policy_maps is specified. TLS policies may depend on the remote
  destination, but the Postfix <2.11 SMTP connection cache client does not
  distinguish between different destinations that resolve to the same
  IP address. Victor Duchovni. Found during Postfix 2.11 code maintenance.
- Bugfix (introduced: Postfix 2.2): don't reuse TCP connections when
  SASL authentication is enabled. SASL passwords may depend on the
  remote SMTP server hostname, but the Postfix <2.11 SMTP connection
  cache client does not distinguish between different hostnames that
  resolve to the same IP address. Found during Postfix 2.11 code
  maintenance.
2013-08-21 20:09:37 +00:00
tron aa2dcc1a61 Comment out "inet_protocols = ipv4" line which came from up-stream.
We want Postfix to support IPv6 out of the box.

Pointed out by Dieter Roelants on "current-users" mailing list.
2013-01-06 13:58:24 +00:00
tron a536ee5124 Install documentation and manual pages for Postfix's memcache client support. 2013-01-02 22:33:19 +00:00
tron d561406f71 Fix build of Postfix 2.9.5. 2013-01-02 19:45:48 +00:00
tron cf33639979 Resolve conflicts from last import. 2013-01-02 19:18:29 +00:00
tron a30b880ed6 Import Postfix 2.9.5. Major changes since version 2.8.x:
- Support for long, non-repeating, queue IDs (queue file names). The
  main benefit of non-repeating names is simpler logfile analysis. See
  the description of "enable_long_queue_ids" in postconf(5) for
  details.
- Memcache client support, and support to share postscreen(8) and
  verify(8) caches via the proxymap server. Details about memcache
  support are in memcache_table(5) and MEMCACHE_README.
- Gradual degradation: if a database is unavailable (can't open, most
  read or write errors) a Postfix daemon will log a warning and
  continue providing the services that don't depend on that table,
  instead of immediately terminating with a fatal error. To terminate
  immediately when a database file can't be opened, specify
  "daemon_table_open_error_is_fatal = yes".
- Revised postconf(1) command. It warns about unused parameter
  name=value settings in main.cf or master.cf (likely mistakes),
  understands "dynamic" parameter names such as names that depend on
  the name of a master.cf entry (finally, "postconf -n" shows all
  parameter settings), and it can display main.cf and master.cf in a
  more user-friendly format (postconf -nf, postconf -Mf).
- Read/write deadline support in the SMTP client and server to defend
  against application-level DOS attacks that very slowly write or read
  data one byte at a time.
2013-01-02 18:58:23 +00:00
tron 28fbdc7c77 Resolve conflicts from last import. 2012-12-18 09:10:32 +00:00
tron c6536f46b6 Import Postfix 2.8.13. Changes since version 2.8.12:
- The postscreen_access_list feature failed to ignore case in the first
  character of a command (e.g., permit, reject, etc.). Reported by Francis
  Picabia. (This fix is incorrectly listed in the HISTORY files of earlier
  releases, and will be removed with a future patch.)
- Strip the datalink suffix (e.g., %eth0) from IPv6 addresses returned by
  the system getaddrinfo() routine. Such suffixes break the default
  mynetworks value, the Postfix SMTP server's reverse/forward DNS
  name/address mapping check, and possibly more.
- To eliminate the possibility of collisions with connection cache lookup
  keys, the Postfix LDAP client now computes those lookup keys by joining
  the number-valued connection properties with ASCII null, just like it
  already did with the string-valued connection properties.
- There was a memory leak during one-time TLS library initialization
  (introduced with Postfix 2.5). Reported by Coverity.
- There was a memory leak in the unused oqmgr(8) program (introduced with
  Postfix 2.3). Reported by Coverity.
2012-12-18 09:01:39 +00:00
tron 56c94b646c Import Postfix 2.8.12. Changes since version 2.8.11:
- The local(8) delivery agent's BIFF client leaked an unprivileged UDP
  socket. Fix by Jaroslav Skarvada. This bug was introduced 19990127.
- The SMTP server did not reject the AUTH command while a MAIL FROM
  transaction was in progress. Reported by Timo Sirainen.
  This bug was introduced 20000314.
- The unused "pass" trigger client could close the wrong file descriptors.
  This bug was introduced with Postfix 2.8.
2012-08-10 12:35:15 +00:00
christos 347727af99 use the modern resolver functions if available. 2012-07-05 17:40:11 +00:00
tron 03f0339393 Resolve conflicts from last import. 2012-06-09 11:32:19 +00:00
tron b26355a362 Import Postfix 2.8.11. Changes since version 2.8.8:
- The "change header" milter request could replace the wrong header. A long
  header name could match a shorter one, because a length check was done on
  the wrong string. Reported by Vladimir Vassiliev.
- Core dump when postlog emitted the "usage" message, caused by an extraneous
  null assignment. Reported by Kant (fnord.hammer).
- These releases add support to turn off the TLSv1.1 and TLSv1.2 protocols.
  Introduced with OpenSSL version 1.0.1, these protocols are known to cause
  inter-operability problems, for example with some hotmail services.
  The radical workaround is to temporarily turn off problematic protocols
  globally:

	/etc/postfix/main.cf:
	    smtp_tls_protocols = !SSLv2, !TLSv1.1, !TLSv1.2
	    smtp_tls_mandatory_protocols = !SSLv2, !TLSv1.1, !TLSv1.2

	    smtpd_tls_protocols = !SSLv2, !TLSv1.1, !TLSv1.2
	    smtpd_tls_mandatory_protocols = !SSLv2, !TLSv1.1, !TLSv1.2

  However, it may be better to temporarily turn off problematic protocols for
  broken sites only:

	/etc/postfix/main.cf:
	    smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

	/etc/postfix/tls_policy:
	    example.com         may protocols=!SSLv2:!TLSv1.1:!TLSv1.2

  Notes:

  Note the use of ":" instead of comma or space. Also, note that there is NO
  space around the "=" in "protocols=".

  The smtp_tls_policy_maps lookup key must match the "next-hop" destination
  that is given to the Postfix SMTP client. If you override the next-hop
  destination with transport_maps, relayhost, sender_dependent_relayhost_maps,
  or otherwise, you need to specify the same destination for the
  smtp_tls_policy_maps lookup key.
- OpenSSL related (all supported Postfix versions).
  Some people have reported program crashes when the OpenSSL library was
  updated while Postfix was accessing the Postfix TLS session cache. To avoid
  this, the Postfix TLS session cache ID now includes the OpenSSL library
  version number. This cache ID is not shared via the network.
- The OpenSSL workaround introduced with the previous stable and legacy
  releases did not compile with older gcc compilers. These compilers can't
  handle #ifdef inside a macro invocation (NOT: definition).
- To avoid repeated warnings from postscreen(8) with "connect to
  private/dnsblog service: Connection refused" on FreeBSD, the dnsblog(8)
  daemon now uses the single_server program driver instead of the multi_server
  driver. This one-line code change has no performance impact for other
  systems, and eliminates a high-frequency accept() race on a shared socket
  that appears to cause trouble on FreeBSD. The same single_server program
  driver has proven itself for many years in smtpd(8). Problem reported by
  Sahil Tandon.
- Laptop-friendly support (all supported Postfix versions). A little-known
  secret is that Postfix has always had support to avoid unnecessary disk
  spin-up for MTIME updates, by doing s/fifo/unix/ in master.cf (this is
  currently not supported on Solaris systems). However, two minor fixes are
  needed to make this bullet-proof.
- In laptop-friendly mode, the "postqueue -f" and "sendmail -q" commands did
  not wait until their requests had reached the pickup and qmgr servers before
  closing their UNIX-domain request sockets.
- In laptop-friendly mode, the unused postkick command waited for more than
  a minute because the event_drain() function was comparing bitmasks
  incorrectly on systems with kqueue(2), epoll(2) or /dev/poll support.
2012-06-09 11:26:39 +00:00
tron afa136001d Add support for SQLite look-up tables to postfix(1), see sqlite_table(5)
for more details.

While here stop installation of pcre_table(5) as this table type
is not supported.
2012-03-04 16:12:24 +00:00
tron a30206eafe Include "defer.h" to get the prototype for defer_append(). 2012-02-17 09:17:22 +00:00
tron b8a7952854 Import Postfix 2.8.8. Changes since Postfix 2.8.7:
- The Postfix sqlite client, introduced with Postfix 2.8, had an
  embarassing bug in its quoting routine. As the result of a
  last-minute code cleanup before release, this routine returned the
  unquoted text instead of the quoted text. The opportunities for
  mis-use are limited: Postfix sqlite database files are usually owned
  by root, and Postfix daemons usually run with non-root privileges so
  they can't corrupt the database. This problem was reported by Rob
  McGee (rob0).
- The Postfix 2.8.4 fix for local delivery agent database lookup
  errors was incomplete. The fix correctly added new code to detect
  database lookup errors with mailbox_transport_maps,
  mailbox_command_maps or fallback_transport_maps, but it failed to
  log the problem, and to produce a defer logfile record which is
  needed for "delayed mail" and "mail too old" delivery status
  notifications.
- The trace(8) service, used for DSN SUCCESS notifications, did not
  distinguish between notifications for a non-bounce or a bounce
  message, causing it to "reply" to mail with the null sender
  address. Problem reported by Sabahattin Gucukoglu.
- Support for Dovecot auth over TCP sockets, using code that already
  existed for testing purposes. Patrick Koetter kindly provided an
  update for the SASL_README file.
- Workaround in the LDAP client for changes in the under-documented
  OpenLDAP API, by Victor Duchovni.
2012-02-17 08:35:39 +00:00
joerg dee7beafd2 Reflect reality, the LDAP man page is installed 2012-01-23 01:28:56 +00:00
joerg e8bec33be1 Change CMSG_SPACE and CMSG_LEN to provide Integer Constant Expressions
again. This was changed in sys/socket.h r1.51 to work around fallout
from the IPv6 aux data migration. It broke the historic ABI on some
platforms. This commit restores compatibility for netbsd32 code on such
platforms and provides a template for future changes to the CMSG_*
alignment. Revert PCC/Clang workarounds in postfix and tmux.
2012-01-20 14:08:04 +00:00
tron bb4b748000 Don't build postscreen(8) if "MKCRYPTO" is set to "no". It cannot be
built without TLS support, at least not without major surgery.
I've only tested this by building with "MKCRYPTO" set to "yes"
because the build fails much ealier otherwise.

Problem reported by Nick Hudson in private e-mail.
2011-11-28 16:22:14 +00:00
tron 37141b1254 Resolve conflicts from last import. 2011-11-09 19:06:34 +00:00
tron c3d89ca464 Import Postfix 2.8.7. Changes since version 2.8.6:
Postfix stable release 2.8.7 is available. This contains a workaround for
a problem that is fixed in Postfix 2.9.
- The postscreen daemon, which is not enabled by default, sent non-compliant
  SMTP responses (220- followed by 421) when it could not give a connection
  to a real smtpd process. These responses caused some remote SMTP clients
  to return mail as undeliverable.

  The workaround is to hang up after sending 220- without sending the
  421 "sorry" reply; this is harmless.
2011-11-09 18:58:43 +00:00
joerg 2405db5059 Just because IPV6 support is disabled doesn't mean inet_ntop are not
present. Since the local prototype conflicts, use the system version.
2011-11-08 22:21:30 +00:00
tron a1f7ffadc0 Resolve conflicts from last import. 2011-10-28 07:12:17 +00:00