Postfix stable release 2.8.7 is available. This contains a workaround for
a problem that is fixed in Postfix 2.9.
- The postscreen daemon, which is not enabled by default, sent non-compliant
SMTP responses (220- followed by 421) when it could not give a connection
to a real smtpd process. These responses caused some remote SMTP clients
to return mail as undeliverable.
The workaround is to hang up after sending 220- without sending the
421 "sorry" reply; this is harmless.
- The Postfix SMTP daemon sent "bare" newline characters instead of
<CR><LF> when a header_checks REJECT pattern matched multi-line
header. This bug was introduced with Postfix 1.1.
- The Postfix SMTP daemon sent "bare" newline characters instead of
<CR><LF> when an smtpd_proxy_filter returned a multi-line
response. This bug was introduced with Postfix 2.1.
- For compatibility with future EAI (email address
internationalization) implementations, the Postfix MIME processor no
longer enforces the strict_mime_encoding_domain check on unknown
message subtypes such as message/global*. This check is disabled by
default.
- The Postfix master daemon could report a panic error ("master_spawn:
at process limit") after the process limit for some service was
reduced with "postfix reload". This bug existed in all Postfix
versions.
- The Postfix Milter client logged a "milter miltername: malformed reply"
error when a Milter sent an SMTP response without enhanced status code
(i.e. "XXX Text" instead of "XXX X.X.X Text").
- The Postfix Milter client sent a random {client_connections} macro value
when the remote SMTP client was not subject to any smtpd_client_* limit.
As a workaround, it now sends a zero value instead.
- Performance: a high load of DSN success notification requests could
slow down the queue manager. Solution: make the trace client
asynchronous, just like the bounce and defer clients.
- The local(8) delivery agent ignored table lookup errors in
mailbox_command_maps, mailbox_transport_maps, fallback_transport_maps
and (while bouncing mail to alias) alias owner lookup.
- Workaround: dbl.spamhaus.org rejects lookups with "No IP queries" even
if the name has an alphanumerical prefix. We play safe, and skip both
RHSBL and RHSWL queries for names ending in a numerical suffix.
- The "sendmail -t" command reported "protocol error" instead of "file
too large", "no space left on device" etc.
- The Postfix Milter client reported a temporary error instead of
"file too large" in three cases.
Postfix releases 2.8.3, 2.7.4, 2.6.10 and 2.5.13 are available. These contain
a fix for CVE-2011-1720 which affects Postfix SMTP server configurations that
use Cyrus SASL authentication. Besides full releases, patches are available
for Postfix 1.1 and later.
This defect was introduced with the Postfix SASL patch, and is present in all
Postfix versions where the command "postconf mail_release_date" reports a
value of 20000314 (March 14, 2000) or greater.
Note: CVE-2011-1720 does not affect Postfix SMTP servers that use Dovecot
SASL authentication. It also does not affect the common Postfix SMTP server
configurations that use only Cyrus SASL mechanisms PLAIN and LOGIN.
More details will be available at http://www.postfix.org/CVE-2011-1720.html.
- Bugfix: postscreen DNSBL scoring error. When a client disconnected
and then reconnected before all DNSBL results for the earlier
session arrived, DNSBL results for the earlier session would be
added to the score for the later session. This is very unlikely
to have affected any legitimate mail.
- Workaround: the SMTP client did not support mail to [ipv6:ipv6addr].
Postfix stable release 2.8.0 is available. This release continues the
move towards improving code and documentation, and making the system
better prepared for changes in the threat environment.
The postscreen daemon (a zombie blocker in front of Postfix) is now
included with the stable release. postscreen now supports TLS and can
log the rejected sender, recipient and helo information. See the
POSTSCREEN_README file for recommended usage scenarios.
Support for DNS whitelisting (permit_rhswl_client), and for pattern
matching to filter the responses from DNS white/blacklist servers
(e.g., reject_rhsbl_client zen.spamhaus.org=127.0.0.[1..10]).
Improved message tracking across SMTP-based content filters; the
after-filter SMTP server can log the before-filter queue ID (the
XCLIENT protocol was extended).
Read-only support for sqlite databases. See sqlite_table(5) and
SQLITE_README.
Support for 'footers' that are appended to SMTP server "reject"
responses. See "smtpd_reject_footer" in the postconf(5) manpage.
- Postfix no longer automatically appends the system default CA
(certificate authority) certificates, when it reads the CA
certificates specified with {smtp, lmtp, smtpd}_tls_CAfile or
with {smtp, lmtp, smtpd}_tls_CApath. This prevents third-party
certificates from getting mail relay permission with the
permit_tls_all_clientcerts feature. Unfortunately, this change
may cause compatibility problems with configurations that rely
on certificate verification for other purposes. To get the old
behavior, specify "tls_append_default_CA = yes".
- A prior fix for compatibility with Postfix < 2.3 was incomplete.
When pipe-to-command delivery fails with a signal, mail is now
correctly deferred, instead of being returned to sender.
- Poor smtpd_proxy_filter TCP performance over loopback (127.0.0.1)
connections was fixed by adapting the output buffer size to the
MTU.
- The SMTP server no longer applies the reject_rhsbl_helo feature
to non-domain forms such as network addresses. This would cause
false positives with dbl.spamhaus.org.
- The Postfix SMTP server failed to deliver a "421" response and
hang up the connection after Milter error. Instead, the server
delivered a "503 Access denied" response and left the connection
open, due to some Postfix 1.1 workaround for RFC 2821.
- The milter_header_checks parser failed to enable any of the actions
that have no effect on message delivery (warn, replace, prepend,
ignore, dunno, and ok).
- Improved before-queue content filter performance. With
"smtpd_proxy_options = speed_adjust", the Postfix SMTP server
receives the entire message before it connects to a before-queue
content filter. Typically, this allows Postfix to handle the same
mail load with fewer content filter processes.
- Improved address verification performance. The verify database is now
persistent by default, and it is automatically cleaned periodically. Under
overload conditions, the Postfix SMTP server no longer waits up to 6 seconds
for an address probe to complete.
- Support for reputation management based on the local SMTP client IP address.
This is typically implemented with "FILTER transportname:" actions in access
maps or header/body checks, and mail delivery transports in master.cf with
unique smtp_bind_address values.
- "postmulti -p command" did not skip disabled instances.
- In the multi_instance_wrapper parameter, the expansion of
$command_directory and $daemon_directory was broken.
- The address_verify_poll_count parameter value was not made
stress-dependent by default. This defeated the purpose of making other
settings stress-dependent by default with Postfix 2.6.
- Milter applications would hang up after receiving an unexpected
SMFIC_HEADER (mail header) command. This problem happened with Milters
that (legitimately) do not send replies for SMFIC_RCPT (recipient
address) or SMFIC_DATA (start of message) commands.
- Core dump while an printing error message for a malformed %<letter>
sequence in LDAP, MySQL or PostgreSQL lookup table configuration.
- Mail with zero recipients was forever stuck in the queue. This happened
when "postsuper -r" was run after all the recipients of a message were
delivered (or bounced), but before the message was deleted from the queue.
- With hostnames such as 1-2-3-4, the valid_hostname() fuction did not
recognize the '-' as a non-numeric character, causing a legitimate name
to be rejected as "invalid".
- The VRFY command did not accept a mailbox address inside <>.
- The Postfix Milter client got out of step with a Milter application
after the application sent a "quarantine" request at end-of-message
time. The Milter application would still be in the end-of-message
state, while Postfix would already be working on the next SMTP
event, typically, QUIT or MAIL FROM. In the latter case, Milter
responses for the previously-received email message would be applied
towards the next MAIL FROM transaction. This problem was diagnosed
with help from Alban Deniz.
- The Postfix SMTP server would abort with an "unexpected lookup table"
error when an SMTPD policy server was mis-configured in a particular way.
