- Bugfix: postscreen DNSBL scoring error. When a client disconnected
and then reconnected before all DNSBL results for the earlier
session arrived, DNSBL results for the earlier session would be
added to the score for the later session. This is very unlikely
to have affected any legitimate mail.
- Workaround: the SMTP client did not support mail to [ipv6:ipv6addr].
Postfix stable release 2.8.0 is available. This release continues the
move towards improving code and documentation, and making the system
better prepared for changes in the threat environment.
The postscreen daemon (a zombie blocker in front of Postfix) is now
included with the stable release. postscreen now supports TLS and can
log the rejected sender, recipient and helo information. See the
POSTSCREEN_README file for recommended usage scenarios.
Support for DNS whitelisting (permit_rhswl_client), and for pattern
matching to filter the responses from DNS white/blacklist servers
(e.g., reject_rhsbl_client zen.spamhaus.org=127.0.0.[1..10]).
Improved message tracking across SMTP-based content filters; the
after-filter SMTP server can log the before-filter queue ID (the
XCLIENT protocol was extended).
Read-only support for sqlite databases. See sqlite_table(5) and
SQLITE_README.
Support for 'footers' that are appended to SMTP server "reject"
responses. See "smtpd_reject_footer" in the postconf(5) manpage.
1) libsaslc is an SASL client only.
2) dovecot is an SASL server only.
3) cyrus-sasl is both a client and a server.
4) postfix allows us to have multiple SASL servers and clients.
5) The SASL server to use at runtime is determined by the setting of
"smtpd_sasl_type" in main.cf (note that is smtpd_ not smtp_). If
that is not set, then it defaults to the value of
DEF_SERVER_SASL_TYPE at build time, which if not set, defaults to
"cyrus". See postfix/dist/src/global/mail_params.h.
6) The SASL client to use at runtime is determined by the setting of
"smtp_sasl_type" in main.cf. If that is not set, then it defaults
to the value of DEF_CLIENT_SASL_TYPE at build time, which if not
set, defaults to "cyrus". See postfix/dist/src/global/mail_params.h.
7) If MKCRYPTO is "no", libsaslc will not link as it requires the
crypto libraries, so libsaslc cannot be enabled (as it was before)
without crypto.
8) I have made the definition of DEF_CLIENT_SASL_TYPE conditional on
MKCRYPTO due to (7). Without crypto it will default to cyrus.
9) HAVE_CYRUS_SASL is _never_ defined during a normal build and _never_
should be! It is there for the convenience of users who wish to
install cyrus-sasl and rebuild postfix with it. It is also very
useful for testing if it is suspected that something might be wrong
with libsaslc. PLEASE DO NOT REMOVE IT!
- Postfix no longer automatically appends the system default CA
(certificate authority) certificates, when it reads the CA
certificates specified with {smtp, lmtp, smtpd}_tls_CAfile or
with {smtp, lmtp, smtpd}_tls_CApath. This prevents third-party
certificates from getting mail relay permission with the
permit_tls_all_clientcerts feature. Unfortunately, this change
may cause compatibility problems with configurations that rely
on certificate verification for other purposes. To get the old
behavior, specify "tls_append_default_CA = yes".
- A prior fix for compatibility with Postfix < 2.3 was incomplete.
When pipe-to-command delivery fails with a signal, mail is now
correctly deferred, instead of being returned to sender.
- Poor smtpd_proxy_filter TCP performance over loopback (127.0.0.1)
connections was fixed by adapting the output buffer size to the
MTU.
- The SMTP server no longer applies the reject_rhsbl_helo feature
to non-domain forms such as network addresses. This would cause
false positives with dbl.spamhaus.org.
- The Postfix SMTP server failed to deliver a "421" response and
hang up the connection after Milter error. Instead, the server
delivered a "503 Access denied" response and left the connection
open, due to some Postfix 1.1 workaround for RFC 2821.
- The milter_header_checks parser failed to enable any of the actions
that have no effect on message delivery (warn, replace, prepend,
ignore, dunno, and ok).
- Improved before-queue content filter performance. With
"smtpd_proxy_options = speed_adjust", the Postfix SMTP server
receives the entire message before it connects to a before-queue
content filter. Typically, this allows Postfix to handle the same
mail load with fewer content filter processes.
- Improved address verification performance. The verify database is now
persistent by default, and it is automatically cleaned periodically. Under
overload conditions, the Postfix SMTP server no longer waits up to 6 seconds
for an address probe to complete.
- Support for reputation management based on the local SMTP client IP address.
This is typically implemented with "FILTER transportname:" actions in access
maps or header/body checks, and mail delivery transports in master.cf with
unique smtp_bind_address values.
- "postmulti -p command" did not skip disabled instances.
- In the multi_instance_wrapper parameter, the expansion of
$command_directory and $daemon_directory was broken.
- The address_verify_poll_count parameter value was not made
stress-dependent by default. This defeated the purpose of making other
settings stress-dependent by default with Postfix 2.6.
- Milter applications would hang up after receiving an unexpected
SMFIC_HEADER (mail header) command. This problem happened with Milters
that (legitimately) do not send replies for SMFIC_RCPT (recipient
address) or SMFIC_DATA (start of message) commands.
- Core dump while an printing error message for a malformed %<letter>
sequence in LDAP, MySQL or PostgreSQL lookup table configuration.
- Mail with zero recipients was forever stuck in the queue. This happened
when "postsuper -r" was run after all the recipients of a message were
delivered (or bounced), but before the message was deleted from the queue.
- With hostnames such as 1-2-3-4, the valid_hostname() fuction did not
recognize the '-' as a non-numeric character, causing a legitimate name
to be rejected as "invalid".
- The VRFY command did not accept a mailbox address inside <>.
- The Postfix Milter client got out of step with a Milter application
after the application sent a "quarantine" request at end-of-message
time. The Milter application would still be in the end-of-message
state, while Postfix would already be working on the next SMTP
event, typically, QUIT or MAIL FROM. In the latter case, Milter
responses for the previously-received email message would be applied
towards the next MAIL FROM transaction. This problem was diagnosed
with help from Alban Deniz.
- The Postfix SMTP server would abort with an "unexpected lookup table"
error when an SMTPD policy server was mis-configured in a particular way.
tron