- Preparation for OpenSSL 1.2 API changes
- The sender_dependent_relayhost_maps feature ignored the relayhost setting
in the case of a DUNNO lookup result. It would use the recipient domain
instead.
- The default TLS settings no longer enable export-grade ciphers, and no
longer enable the SSLv2 and SSLv3 protocols. These ciphers and protocols
have little if any legitimate use today, and have instead become a
vehicle for downgrade attacks.
- Fix a core dump when smtp_policy_maps specifies an invalid TLS level.
- Fix a missing " in \%s\", in postconf(1) fatal error messages, which
violated the C language spec. Reported by Iain Hibbert.
- Stop excessive recursion in the cleanup server while recovering from a
virtual alias expansion loop. Problem found at Two Sigma.
- Stop exponential memory allocation with virtual alias expansion loops.
This came to light after fixing the previous problem.
- Fix for DMARC implementations based on SPF policy plus DKIM Milter. The
PREPEND access/policy action added headers ABOVE Postfix's own Received:
header, exposing Postfix's own Received: header to Milters (protocol
violation) and hiding the PREPENDed header from Milters. PREPENDed
headers are now added BELOW Postfix's own Received: header and remain
visible to Milters.
- The Postfix SMTP server logged an incorrect client name in reject
messages for check_reverse_client_hostname_access and
check_reverse_client_hostname_{mx,ns}_access. They replied with the
verified client name, instead of the name that was rejected.
- The TLS client logged that an anonymous TLS connection was "Untrusted",
instead of "Anonymous".
- Fix for configurations that prepend message headers with Postfix access
maps, policy servers or Milter applications. Postfix now hides its own
Received: header from Milters and exposes prepended headers to Milters,
regardless of the mechanism used to prepend a header. This fix reverts
a partial solution that was released on October 13, 2014, and replaces
it with a complete solution.
1.) Install only README files that are relevant to the Postfix binaries
distributed with NetBSD.
2.) Create a single list of the above files that is used for both the
text versions and HTML versions.
Problem detected by wizd(8).
- Support for PKI-less TLS server certificate verification with DANE
(DNS-based Authentication of Named Entities) where the CA public key
or the server certificate is identified via DNSSEC lookup. This
requires a DNS resolver that validates DNSSEC replies. The problem
with conventional PKI is that there are literally hundreds of
organizations world-wide that can provide a certificate in anyone's
name. DANE limits trust to the people who control the target DNS
zone and its parent zones.
- A new postscreen_dnsbl_whitelist_threshold feature to allow clients
to skip postscreen tests based on their DNSBL score. This can
eliminate email delays due to "after 220 greeting" protocol tests,
which otherwise require that a client reconnects before it can
deliver mail. Some providers such as Google don't retry from the
same IP address, and that can result in large email delivery delays.
- The recipient_delimiter feature now supports different delimiters,
for example both "+" and "-". As before, this implementation
recognizes exactly one delimiter character per email address, and
exactly one address extension per email address.
- Advanced master.cf query/update support to access service attributes
as "name = value" pairs. For example to turn off chroot on all
services use "postconf -F '*/*/chroot = n'", and to change/add a
"-o name=value" setting use "postconf -P 'smtp/inet/name = value'".
This was developed primarily to allow automated tools to manage Postfix
systems without having to parse Postfix configuration files.
Move all the reference manuals to subdirs of /usr/share/doc/reference.
We have subdirs ref1-ref9, corresponding to man page sections 1-9.
Everything that's the reference manual for a program (sections 1, 6,
8), C interface (sections 2, 3), driver or file system (section 4),
format or configuration (section 5), or kernel internal interface
(section 9) belongs in here.
Section 7 is a little less clear: some things that might go in section
7 if they were a man page aren't really reference manuals. So I'm only
putting things in reference section 7 that are (to me) clearly
reference material, rather than e.g. tutorials, guides, FAQs, etc.
This obviously leaves some room for debate, especially without first
editing the docs with this distinction in mind, but if people hate
what I've done things can always be moved again.
Note also that while roff macro man pages traditionally go in section
7, I have put all the roff documentation (macros, tools, etc.) in one
place in reference/ref1/roff. This will make it easier to find and
also easier to edit it into some kind of coherent form.
- Future proofing against OpenSSL library API changes. When support
for a bug workaround is removed from OpenSSL, the corresponding
named bit in tls_disable_workarounds will be ignored instead of
causing existing Postfix configurations to fail.
- The postconf '-#' option reset prior options instead of adding to them.
- Correct an error in MULTI_INSTANCE_README Makefile example.
- Correct an error in SASL_README PostgreSQL example.
- Correct a malformed error message in conf/post-install.
- Separation of relay policy (with smtpd_relay_restrictions) from spam policy
(with smtpd_{client, helo, sender, recipient}_restrictions), which makes
accidental open relay configuration less likely. The default is backwards
compatible.
- HAproxy load-balancer support for postscreen(8) and smtpd(8). The nginx
proxy was already supported by Postfix 2.9 smtpd(8), using XCLIENT commands.
- Support for the TLSv1 and TLSv2 protocols, as well as support to turn them
off if needed for inter-operability.
- Laptop-friendly configuration. By default, Postfix now uses UNIX-domain
sockets instead of FIFOs, and thus avoids MTIME file system updates on an
idle mail system.
- Revised postconf(1) command. The "-x" option expands $name in a parameter
value (both main.cf and master.cf); the "-o name=value" option overrides
a main.cf parameter setting; and postconf(1) now warns about a $name that
has no name=value setting.
- Sendmail-style "socketmap" lookup tables.
- Thanks to OpenSSL documentation, the Postfix 2.9.0..2.9.5 SMTP
client and server used an incorrect procedure to compute TLS
certificate PUBLIC-KEY fingerprints (these may be used in the
check_ccert_access and in smtp_tls_policy_maps features). Support
for certificate PUBLIC-KEY finger prints was introduced with Postfix
2.9; there is no known problem with the certificate fingerprint
algorithms available since Postfix 2.2.
Specify "tls_legacy_public_key_fingerprints = yes" temporarily,
pending a migration from configuration files with incorrect Postfix
2.9.0..2.9.5 certificate PUBLIC-KEY finger prints, to the correct
fingerprints used by Postfix 2.9.6 and later.
- Bugfix (introduced: Postfix 2.0): when myhostname is not listed in
mydestination, the trivial-rewrite resolver may log "do not list in both
mydestination and ". The fix is to re-resolve a domain-less address after
adding $myhostname as the surrogate domain, so that it pops out with the
right address-class label. Reported by Quanah Gibson-Mount.
- Bugfix (introduced: Postfix 2.3): don't reuse TCP connections when
smtp_tls_policy_maps is specified. TLS policies may depend on the remote
destination, but the Postfix <2.11 SMTP connection cache client does not
distinguish between different destinations that resolve to the same
IP address. Victor Duchovni. Found during Postfix 2.11 code maintenance.
- Bugfix (introduced: Postfix 2.2): don't reuse TCP connections when
SASL authentication is enabled. SASL passwords may depend on the
remote SMTP server hostname, but the Postfix <2.11 SMTP connection
cache client does not distinguish between different hostnames that
resolve to the same IP address. Found during Postfix 2.11 code
maintenance.
- Support for long, non-repeating, queue IDs (queue file names). The
main benefit of non-repeating names is simpler logfile analysis. See
the description of "enable_long_queue_ids" in postconf(5) for
details.
- Memcache client support, and support to share postscreen(8) and
verify(8) caches via the proxymap server. Details about memcache
support are in memcache_table(5) and MEMCACHE_README.
- Gradual degradation: if a database is unavailable (can't open, most
read or write errors) a Postfix daemon will log a warning and
continue providing the services that don't depend on that table,
instead of immediately terminating with a fatal error. To terminate
immediately when a database file can't be opened, specify
"daemon_table_open_error_is_fatal = yes".
- Revised postconf(1) command. It warns about unused parameter
name=value settings in main.cf or master.cf (likely mistakes),
understands "dynamic" parameter names such as names that depend on
the name of a master.cf entry (finally, "postconf -n" shows all
parameter settings), and it can display main.cf and master.cf in a
more user-friendly format (postconf -nf, postconf -Mf).
- Read/write deadline support in the SMTP client and server to defend
against application-level DOS attacks that very slowly write or read
data one byte at a time.
- The postscreen_access_list feature failed to ignore case in the first
character of a command (e.g., permit, reject, etc.). Reported by Francis
Picabia. (This fix is incorrectly listed in the HISTORY files of earlier
releases, and will be removed with a future patch.)
- Strip the datalink suffix (e.g., %eth0) from IPv6 addresses returned by
the system getaddrinfo() routine. Such suffixes break the default
mynetworks value, the Postfix SMTP server's reverse/forward DNS
name/address mapping check, and possibly more.
- To eliminate the possibility of collisions with connection cache lookup
keys, the Postfix LDAP client now computes those lookup keys by joining
the number-valued connection properties with ASCII null, just like it
already did with the string-valued connection properties.
- There was a memory leak during one-time TLS library initialization
(introduced with Postfix 2.5). Reported by Coverity.
- There was a memory leak in the unused oqmgr(8) program (introduced with
Postfix 2.3). Reported by Coverity.
- The local(8) delivery agent's BIFF client leaked an unprivileged UDP
socket. Fix by Jaroslav Skarvada. This bug was introduced 19990127.
- The SMTP server did not reject the AUTH command while a MAIL FROM
transaction was in progress. Reported by Timo Sirainen.
This bug was introduced 20000314.
- The unused "pass" trigger client could close the wrong file descriptors.
This bug was introduced with Postfix 2.8.
- The "change header" milter request could replace the wrong header. A long
header name could match a shorter one, because a length check was done on
the wrong string. Reported by Vladimir Vassiliev.
- Core dump when postlog emitted the "usage" message, caused by an extraneous
null assignment. Reported by Kant (fnord.hammer).
- These releases add support to turn off the TLSv1.1 and TLSv1.2 protocols.
Introduced with OpenSSL version 1.0.1, these protocols are known to cause
inter-operability problems, for example with some hotmail services.
The radical workaround is to temporarily turn off problematic protocols
globally:
/etc/postfix/main.cf:
smtp_tls_protocols = !SSLv2, !TLSv1.1, !TLSv1.2
smtp_tls_mandatory_protocols = !SSLv2, !TLSv1.1, !TLSv1.2
smtpd_tls_protocols = !SSLv2, !TLSv1.1, !TLSv1.2
smtpd_tls_mandatory_protocols = !SSLv2, !TLSv1.1, !TLSv1.2
However, it may be better to temporarily turn off problematic protocols for
broken sites only:
/etc/postfix/main.cf:
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
/etc/postfix/tls_policy:
example.com may protocols=!SSLv2:!TLSv1.1:!TLSv1.2
Notes:
Note the use of ":" instead of comma or space. Also, note that there is NO
space around the "=" in "protocols=".
The smtp_tls_policy_maps lookup key must match the "next-hop" destination
that is given to the Postfix SMTP client. If you override the next-hop
destination with transport_maps, relayhost, sender_dependent_relayhost_maps,
or otherwise, you need to specify the same destination for the
smtp_tls_policy_maps lookup key.
- OpenSSL related (all supported Postfix versions).
Some people have reported program crashes when the OpenSSL library was
updated while Postfix was accessing the Postfix TLS session cache. To avoid
this, the Postfix TLS session cache ID now includes the OpenSSL library
version number. This cache ID is not shared via the network.
- The OpenSSL workaround introduced with the previous stable and legacy
releases did not compile with older gcc compilers. These compilers can't
handle #ifdef inside a macro invocation (NOT: definition).
- To avoid repeated warnings from postscreen(8) with "connect to
private/dnsblog service: Connection refused" on FreeBSD, the dnsblog(8)
daemon now uses the single_server program driver instead of the multi_server
driver. This one-line code change has no performance impact for other
systems, and eliminates a high-frequency accept() race on a shared socket
that appears to cause trouble on FreeBSD. The same single_server program
driver has proven itself for many years in smtpd(8). Problem reported by
Sahil Tandon.
- Laptop-friendly support (all supported Postfix versions). A little-known
secret is that Postfix has always had support to avoid unnecessary disk
spin-up for MTIME updates, by doing s/fifo/unix/ in master.cf (this is
currently not supported on Solaris systems). However, two minor fixes are
needed to make this bullet-proof.
- In laptop-friendly mode, the "postqueue -f" and "sendmail -q" commands did
not wait until their requests had reached the pickup and qmgr servers before
closing their UNIX-domain request sockets.
- In laptop-friendly mode, the unused postkick command waited for more than
a minute because the event_drain() function was comparing bitmasks
incorrectly on systems with kqueue(2), epoll(2) or /dev/poll support.
- The Postfix sqlite client, introduced with Postfix 2.8, had an
embarassing bug in its quoting routine. As the result of a
last-minute code cleanup before release, this routine returned the
unquoted text instead of the quoted text. The opportunities for
mis-use are limited: Postfix sqlite database files are usually owned
by root, and Postfix daemons usually run with non-root privileges so
they can't corrupt the database. This problem was reported by Rob
McGee (rob0).
- The Postfix 2.8.4 fix for local delivery agent database lookup
errors was incomplete. The fix correctly added new code to detect
database lookup errors with mailbox_transport_maps,
mailbox_command_maps or fallback_transport_maps, but it failed to
log the problem, and to produce a defer logfile record which is
needed for "delayed mail" and "mail too old" delivery status
notifications.
- The trace(8) service, used for DSN SUCCESS notifications, did not
distinguish between notifications for a non-bounce or a bounce
message, causing it to "reply" to mail with the null sender
address. Problem reported by Sabahattin Gucukoglu.
- Support for Dovecot auth over TCP sockets, using code that already
existed for testing purposes. Patrick Koetter kindly provided an
update for the SASL_README file.
- Workaround in the LDAP client for changes in the under-documented
OpenLDAP API, by Victor Duchovni.
tron