In addition to the names listed below, the following people provided useful inputs on many occasions: Paul D. Robertson, Simon J. Mudd. Apologies for any names omitted. 19980105 The compiled-in default value for resolve_smtp_sender was wrong (from the days that it was a boolean), causing smtpd to dump core when the variable was not set in main.cf. The INSTALL instructions now have separate sections for the three basic ways of running vmailer. The INSTALL instructions now have discusses how to deal with chrooted processes. Ported to RedHat 5.0. My, these people have re-organized their include files quite a bit, haven't they. 19980106 On RedHat Linux 4.2/5.0, when a FIFO listener opens the FIFO with mode O_RDONLY, the FIFO remains forever readable after the writer has closed it. Workaround: open the FIFO mode O_RDWR. Test program: util/fifo_rdonly_bug.c Unfortunately, the above fix triggers a bug on BSD/OS 3.1 where opening the FIFO mode O_RDWR causes select() to claim that the FIFO is readable even before any data is written to it, causing read() to block or to fail. Test program: util/fifo_rdwr_bug.c printfck (check arguments of printf-like function calls) found a missing argument in local/command.c Miscellaneous Makefile cleanups that I didn't finish before the first alpha release. 19980107 Sometimes the DNS will claim that a domain does not exist, when in fact it does. Thus, it is a bad idea to reject mail from apparently non-existent domains. I have changed the smtpd so that it produces a soft error responses when a resolve_smtp_sender test fails with HOST_NOT_FOUND. Note: by default, this test is still disabled. The DB and DBM read routines will now automagically figure out if (key, value) pairs were written including a terminating null byte or not. The DB and DBM write routines will use this result to determine how to write, and will fall back to per-system defaults otherwise. Renamed the README to MUSINGS, and wrote up a README that reflects the current status of the software. Added -d (don't disconnect) and -c (show running counter) option to te smtp-source test program. These tools are great torture tests for the mail software, and for the system that it runs on. Turned down the process_limit parameter (# of parallel smtp clients or servers) to avoid unpleasant surprises. You can crank up the process_limit parameter in main.cf. 19980111 Feature: when run by the superuser, mailq now shows the mail queue even when the mail system is down. To this end, mailq (sendmail -bp) runs the showq program directly instead of connecting to the UNIX-domain service socket, and drops privileges etc. as usual. 19980119 Bugfix: Edwin Kremer spotted an oversight in the negated host matching code (for name or address patterns prefixed by !). Bugfix: upon receipt of a SIGHUP signal, the master now disconnects from its child processes, so that the current generation of child processes commits suicide, and so that the next generation of child processes will use the new configuration settings. Bugfix: the smtp server now skips the sender DNS domain lookup test for foo@[address] Bugfix: don't append the local domain to foo@[address] 19980120 Bugfix: old low-priority bug in some list walk code that caused the master to drop core when a service was turned off in master.cf. Robustness: the mail system should be able to start up and to accept local postings even while the naming service is down. For this reason, the mail system no longer uses gethostbyname() to look up its own machine name. Sites that use short hostnames will have to specify their FQDN in main.cf (this will eventually be done by the system installation/configuration procedure). Should the config language support backtics so one can say `domainname`? What about $name stuff between the backtics? Security: the master now creates FIFOs and UNIX-domain sockets as the mail owner instead of as root, for better protection against subverted mail systems. chmod() is susceptible to race conditions. fchmod(), although safer, often does not work on sockets. Portability: anticipate that all major UNIXes will create UNIX-domain sockets with permissions modified by the process umask (required by POSIX). For this reason, we always chmod() UNIX-domain sockets, unless the system allows us to use the safer fchmod() instead. Portability: the semi-resident servers now properly handle EWOULDBLOCK returns from accept() in addition to EGAIN (on some systems, EAGAIN and EWOULDBLOCK have different values). Bugfix: the semi-resident servers now properly handle EINTR returns From accept(). Bugfix: Edwin Kremer found that mynetworks() would compute (32 - mask) instead of mask. 19980121 Feature: /etc/vmailer/relocated is used by the local delivery program and specifies what mail should be bounced with a "user has moved to XXX" message. The main.cf configuration parameter is "relocated_maps". Just like the "virtual_maps" config parameter, this feature is off by default, and the parameter can have values such as "files" or "files, nis" (on hosts equipped with NIS). 19980123 Cleanup: virtual domain support moved from the queue manager to the resolve service, where it belongs. Feature: /etc/vmailer/canonical is used by the rewrite service for all addresses, and maps a canonical address (user@domain) to another address. Typical use is to generate Firstname.Lastname@domain addresses, or to clean up dirty addresses from non-RFC 822 mail systems. The main.cf configuration parameter is "canonical_maps". Just like the "virtual_maps" config parameter, this feature is off by default, and the parameter can have values such as "files" or "files, nis" (on hosts equipped with NIS). 19980124 HPUX10 port and many little fixes from Pieter Schoenmakers. Bugfix: isolated an old mysterious bug that could make the master deaf for new connections while no child process was running. A typical result was that no pickup daemon would be started after the previous one had terminated voluntarily. Bugfix: the NIS lookup code did not mystrdup() the NIS map name and would access free()d memory. 19980125 Bugfix: the vstream routines would sometimes ignore flushing errors. The error would still be reported by vstream_fclose() and vstream_ferror(). Feature: time limit on delivery to shell commands. Config parameter: command_time_limit. Default value: 100 sec. The idea is to prevent one bad .forward file or alias file entry from slowly using up all local delivery process slots. 19980126 Code cleanup: in preparation for SMTP extensions such as SIZE, allow an extended SMTP command to have a variable number of options. 19980127 Bugfix: moved canonical map lookups away from the rewriting module to the cleanup service, so that canonical map lookups do not interfere with address rewriting on behalf of other programs. Back to an older trivial-rewrite program version. Bugfix: moved virtual map lookups away from the resolver back to the queue manager, so that virtual domain lookup does not interfere with address resolution on behalf of other programs. Back to an older qmgr program version. 19980131 Feature: integrated and adapted Guido van Rooij's SIZE option (RFC 1870), carefully avoiding potential problems due to overflow (by multiplying large numbers) or unsigned underflow (by subtracting numbers). Code cleanup: cleaned up the code that parses the server response to the HELO/EHLO command, so that we can more reliably recognize what options a server supports. 19980201 Portability: integrated the IRIX 6 port by Oved Ben-Aroya. Portability: the software now figures out by itself if a server should open its FIFO read-write or read-only, to avoid getting stuck with a FIFO that stays readable forever. Bugfix: the cleanup service would terminate with a fatal vstream_fseek() error when the queue file was too large. Bugfix: the cleanup service could be killed by a signal when the queue file became too large. 19980203 Portability: some systems have statfs(), some have statvfs(), and the relevant include files are in a different place on almost every system. Portability: the makedefs script now nukes the -O compiler flag when building on AIX with IBM's own compiler... 19980204 Portability: HP-UX 9.x support by Pieter Schoenmakers. Portability: added SYSV-style ulimit() file size limit support for HP-UX 9.x. Portability: added some #includes that appeared to be missing according to the Digital UNIX cc compiler. Bugfix: sys_defs.h now correctly specifies NIS support for LINUX2, HPUX9 and HPUX10. Security: fixed a file descriptor leak in the local delivery agent that could give shell commands access to the VMailer IPC streams. This should not cause a vulnerability, given the design and implementation of the mailer, but it would be like asking for trouble. Bugfix: the sendmail -B (body type) option did not take a value. 19980205 Bugfix (SUNOS5): should not have deleted the SVID_GETTOD definition from util/sys_defs.h. Bugfix (HPUX9): forgot to specify whether to use statfs() or statvfs(). Bugfix (HPUX9): don't try to raise the file size ulimit. Bugfix (HPUX9): must specify file size limit in 512-blocks. 19980207 Robustness: the master process now raises the file size limit when it is started with a limit that is less than VMailer's file size limit. File: util/file_limit.c. Security: the dns lookup routines now screen all result names with valid_hostname(). Bad names are treated as transient errors. Feature: qmail compatibility: when the home_mailbox parameter is set, mail is delivered to ~/$home_mailbox instead of to /var[/spool]/mail/username. This hopefully makes it easier to lure people away from qmail :-) Robustness: several testers by accident configured relayhost the same as myhostname. The programs now explicitly check for this mistake. Bugfix: deliver_request_read() would free unallocated memory when it received an incomplete delivery request from the queue manager. Robustness: local_destination_concurrency=1 prevents parallel delivery to the same user (with possibly disastrous effects when that user has an expensive pipeline in the .forward or procmail config file). Each transport can have its own XXX_destination_concurrency parameter, to limit the number of simultaneous deliveries to the same destination. 19980208 Robustness: added "slow open" mode, to gradually increase the number of simultaneous connections to the same site as long as delivery succeeds, and to gradually decrease the number of connections while delivery fails. Brad Knowles provided the inspiration to do this. This also solves the "thundering herd" problem (making a bunch of connections to a dead host when it was time to retry that host). Let's see when other mailers fix this. Feature: Added $smtpd_banner and $mail_version, for those who want to show the world what software version they are running. Bugfix: vmailer-script now properly labels each syslog entry. 19980210 Portability: merged in NEXTSTEP 3 port from Pieter Schoenmakers Bugfix: the local delivery program now checks that a destination is a regular file before locking it. 19980211 Robustness: the local delivery agent sets HOME, LOGNAME, and SHELL when delivering to a user shell command. PATH is always set, and TZ is passed through if it is set. 19980212 Feature: mailq (sendmail -bp) now also lists the maildrop queue (with mail that hasn't been picked up yet). 19980213 Feature: the smtpd now says: 502 HELP not implemented. This should impress the heck out of the competition :-) 19980214 Feature: local delivery to configurable system-wide command (e.g. procmail) avoids the need for per-user ~/.forward shell commands. Config parameter: mailbox_command. 19980215 Performance: avoid running a shell when a command contains no shell magic characters or built-in shell commands. This speeds up delivery to all commands. File: util/exec_command.c. Bugfix: the local delivery agent, after reading EOF from a child process, now sends SIGKILL only when the child does not terminate within a limited amount of time. This avoids some problems with procmail. File: util/timed_wait.c. 19980217 Portability: folded in NetInfo support from Pieter Schoenmakers. 19980218 Feature: new vmlock command to run a command while keeping an exclusive lock on a mailbox. Feature: with "recipient_delimiter = +", mail for local address "user+foo" is delivered to "foo", with a "Delivered-To: user+foo@domain" message header. Files: qmgr/qmgr_message.c, local/recipient.c. This must be the cheapest feature. 19980219 Code cleanup: moved error handling into functions that should always succeed (non_blocking(), close_on_exec()). 19980223 Bugfix: null pointer bug in the cleanup program after processing a From: header with no mail address (or with only a comment). 19980226 Robustness: now detects when getpwnam() returns a name that differs from the requested name. Feature: Added %p support to the vbuf_print formatting module. Code cleanup: revamped the alias/include/.forward loop detection and duplicate suppression code in the local delivery agent. This must be the fourth iteration, and again the code has been simplified. 19980228 Robustness: don't treat anything starting with whitespace as a header record. Instead, explicitly test for leading whitespace where we permit it. Files: global/is_header.c, bounce/bounce_flush_service.c, local/delivered.c. 19980301 Compatibility: the sendmail program now accepts the -N command-line option (delivery status notification) but ignores it entirely, just like many other sendmail options. Bugfix: dns_lookup.c was too conservative with buffer sizes and would incorrectly report "malformed name server reply". 19980302 Bugfix: the local delivery agent was not null-byte clean. 19980307 Feature: integrated Pieter Schoenmaker's code for transport lookup tables that list (transport, nexthop) by destination. 19980309 Bugfix: delivery agents no longer rename corrupt queue files, because programs might fall over each other doing so. Instead, when a delivery agent detects queue file corruption, it chmods the queue file, simulates a soft error, and lets the queue manager take care of the problem. Bugfix: the SMTP server implemented VRFY incorrectly. Feature: first shot at a pipe mailer, which can be used to extend VMailer with external mail transports such as UUCP (provided that the remote site understands domain addressing, because VMailer version 1 does not rewrite addresses). Cleanup: extended the master/child interface so that the service name (from master.cf) is passed on to the child. The pipe mailer needs the service name so it can look up service-specific configuration parameters (privilege level, recipient limit, time limit, and so on). 19980310-12 Cleanup: factored out the pipe_command() code, so it can be shared between pipe mailer and local delivery agent. 19980314 Compatibility: the sendmail program now parses each command-line recipient as if it were an RFC 822 message header; some MUAs specify comma-separated recipients in a command-line argument; and some MUAs even specify "word word
" forms as command-line arguments. 19980315 Bugfix: VMailer's queue processing randomization wasn't adequate for unloaded systems with small backlogs. Bugfix: smtpd now uses double-buffered stream I/O to prevent loss of input sent ahead of responses. 19980316 Bugfix: the smtpd anti-relay code didn't treat all hosts listed in $mydestinations as local, so it would accept mail only for hosts listed in $relay_domains (default: my own domain). Bugfix: smtpd now replies with 502 when given an unknown command. 19980318 Cleanup: resolve/rewrite clients now automatically disconnect after a configurable amount of idle time (ipc_idle). 19980322 Tolerance: VRFY now permits user@domain, even though the RFC requires that special characters such as @ be escaped. 19980325 Bugfix: a recipient delimiter of "-" could interfere with special addresses such as owner-xxx or double-bounce. Tolerance: the SMTP client now permits blank lines in SMTP server responses. Tolerance: the SMTP client now falls back to SMTP when it apparently mistook an SMTP server as ESMTP capable. Bugfix: eliminated strtok() calls in favor of mystrtok(). Symptom: master.cf parsing would break if $inet_interfaces was more than one word. 19980328 Bugfix: user->addr patterns in canonical and virtual tables matched only $myorigin, not hosts listed in $mydestination or addresses listed in $inet_interfaces. The man pages were wrong too. File: global/addr_match.c. 19980401 Robustness: FIFO file permissions now default to 0622. On some systems, opening a FIFO read-only could deafen the pickup daemon. Only the listener end (which is opened as root) needs read access anyway, so there should not be a loss of functionality by making FIFOs non-readable for non-mail processes. 19980402 Compatibility: sendmail -I and -c options added. 19980403 Feature: virtual lookups are now recursive. File: qmgr/qmgr_message.c 19980405 Implemented sendmail -bs (stand-alone) mode. This mode runs as the user and therefore deposits into the maildrop queue. 19980406 The pickup service now removes malformed maildrop files. 19980407 The pickup service now guards against maildrop files with time stamps dated into the future. 19980408 Bugfix: in the canonical and virtual maps, foo->address would match foo@$myorigin only. This has been fixed to also match hosts listed in main.cf:$mydestination and the addresses listed in main.cf:$inet_interfaces. Bugfix: added double buffering support to the VMailer SMTP server. This makes the SMTP server robust against SMTP clients that talk ahead of time, and should have been in there from day one. 19980409 Bugfix: the VMailer SMTP client now recognizes its own hostname in the SMTP greeting banner only when that name appears as the first word on the first line. 19980410 Feature: smtpd now logs the local queue ID along with the client name/address, and pickup now logs the local queue ID along with the message owner. Bugfix: still didn't do virtual/canonical lookups right (code used the non-case-folded key instead of the case folded one). 19980418 Bugfix: the SMTP server did not flush the "250 OK queued as XXXX" message from the SMTP conversation history. 19980419 Bugfix: qmgr would not notice that a malformed message has multiple senders, and would leak memory (Tom Ptacek). 19980421 Portability: in the mantools scripts, the expr pattern no longer has ^ at the beginning, and the scripts now use the expand program instead of my own detab utility. 19980425 NetBSD 1.x patch by Soren S. Jorvang. 19980511 Feature: the SMTP server now logs the protocol (SMTP or ESMTP) as part of the Received: header. Feature: smtpd now logs the last command when a session is aborted due to timeout, unexpected EOF, or too many client errors. 19980514 Bugfix: the queue manager did not update the counter for in-core message structures, so the in-core message limit had no effect. This can be bad when you have a large backlog with many messages eligible for delivery. Robustness: the queue manager now also limits the total number of in-core recipient structures, so that it won't use excessive amounts of memory on sites that have large mailing lists. 19980518 Bugfix: the SMTP client did not notice that the DNS client received a truncated response. As a result, a backup MX host could incorrectly claim that it was the best MX host and declare a mailer loop. Added start_msg/stop_msg entries to the vmailer startup script, for easy installation. Cleanup: VMailer databases are now explicitly specified as type:name, for example, hash:/etc/aliases or nis:mail.aliases, instead of implicitly as "files", "nis" and so on. Test program: util/dict_open. This change allowed me to eliminate a lot of redundant code from mkmap_xxx.c, and from everything that does map lookups. 19980525 Bugfix: local/dotforward.c compared the result of opening a user's ~/.forward against the wrong error value. 19980526 Bugfix: the smtpd VRFY command could look at free()d memory. Robustness: the smtpd program had a fixed limit on the number of token structures. The code now dynamically allocates token structures. Bugfix: the queue manager still used the deprecated parameter name xxx_deliver_concurrency for concurrency control, but the documentation talks about the preferred parameter name xxx_destination_concurrency. Fix: try xxx_destination_concurrency first, then fall back to xxx_deliver_concurrency. 19980621-19980702 Cleanup: the string read routines now report the last character read or VSTREAM_EOF. This change is necessary for the implementation of the long SMTP line bugfix. Bugfix: the smtp server exited the DATA command prematurely when the client sent long lines. Reason: the smtp server did not remember that it broke long lines, so that '.' could appear to be the first character on a line when in fact it wasn't. Bugfix: the queue manager made lots of stupid errors while reading $qmgr_message_recipient_limit chunks of recipients from a queue file. This code has been restructured. 19980706 Performance: the cleanup program now always adds return-receipt and errors-to records to a queue file, so that the queue manager does not have to plow through huge lists of recipients. Robustness: the initial destination concurrency now defaults to 2, so that one bad message or one bad connection does not stop all mail to a site. The configuration parameter is called initial_destination_concurrency. Performance: the per-message recipient limit is now enforced by the queue manager instead of by the transport. Thus, a large list of recipients for the same site is now mapped onto several delivery requests which can be handled in parallel, instead of being mapped onto one delivery request that is sent to limited numbers of recipients, one group after the other. 19980707 Cleanup: the queue manager now does an additional recipient sort after the recipients have been resolved, so that the code can do better aggregation of recipients by next hop destination. Feature: lines in the master.cf file can now be continued in the same manner as lines in the main.cf file, i.e. by starting the next line with whitespace. Feature: the smtp client now warns that a message may be delivered multiple times when the response to "." is not received (the problem described in RFC 1047). Cleanup: when the queue manager changes its little mind after contacting a delivery agent (for example, it decides to skip the host because a transport or host goes bad), the delivery agent no longer complains about premature EOF. File: global/deliver_request.c 19980709 Bugfix: when breaking long lines, the SMTP client did not escape leading dots in secondary etc. line fragments. Fix: don't break lines. This change makes VMailer line-length transparent. Files: global/smtp_stream.c, smtp/smtp_proto.c. 19980712 Cleanup: the queue manager to deliver agent protocol now distinguishes between domain-specific soft errors and recipient-specific soft errors. Result: many soft errors with SMTP delivery no longer affect other mail the same domain. 19980713 Feature: the file modification time stamp of deferred queue files is set to the nearest wakeup time of their recipient hosts, or if delivery was deferred due to a non-host problem, the time stamp is set into the future by the configurable minimal backoff time. Bugfix: the SMTP client and the MAILQ command would report as message size the total queue file size. That would grossly overestimate the size of a message with many recipients. Bugfix: the 19980709 fix screwed up locally-posted mail that didn't end in newline. 19980714 Robustness: the makedefs script now defaults to no optimization when compiling for purify. 19980715 Robustness: the makedefs script now defaults to no optimization when compiling with gcc 2.8, until this compiler is known to be OK. Workaround: when sending multiple messages over the same SMTP connection, some SMTP servers need an RSET command before the second etc. MAIL FROM command. The VMailer SMTP client now sends a redundant RSET command just in case. The queue manager now logs explicitly when delivery is deferred because of a "dead" message transport. 19980716 Feature: mailq and mail bounces now finally report why mail was deferred (the reason was logged to the syslog file only). Changes were made to the bounce service (generalized to be usable for defer logs), showq service (to show reasons) and the queue manager. As a result the defer directory (with one log per deferred message) may contain many files; also, this directory is accessed each time a message is let into the active queue, in order to delete its old defer log. This means that hashed directories are now a must. 19980718-20 Feature: configurable timeout for establishing smtp connections. Parameter: smtp_connect_timeout (default 0, which means use the timeout as wired into the kernel). Inspired by code from Lamont Jones. For a clean but far from trivial implementation, see util/timed_connect.c Cleaned up the interfaces that implement read/write deadlines. Instead of returning -2, the routines now set errno to ETIMEDOUT; the readable/writable tests are now separate. 19980722 Feature: the default indexed file type (hash, btree, dbm) is now configurable with the "database_type" parameter. The default value for this parameter is system specific. Feature: selectively turn on verbose logging for hosts that match the patterns specified via the "debug_peer_list" config parameter. Syntax is like the "bad_smtp_clients" parameter (see global/peer_list.c). The verbose logging level is specified with "debug_peer_level" (default 2). Security: the local delivery agent no longer delivers to files that have execute permission enabled. 19980723 Workarounds for Solaris 2.x UNIX-domain sockets: they lose data when you close them immediately after writing to them. This could screw up the delivery agent to queue manager protocol. 19980724 Cleanup: spent most of the day cleaning up queue manager code that defers mail when a site or transport dies, and fixed a few obscure problems in the process. 19980726 Feature: the admin can now configure what classes of problems result in mail to the postmaster. Configuration parameter: "notify_classes". Default is backwards compatible: bounce, policy, protocol, resource, and software. 19980726-28 Feature: the admin can now configure what smtp server access control restrictions must be applied, and in what order. Configuration parameters: smtpd_client_restrictions, smtpd_helo_restrictions, smtpd_mail_restrictions and smtpd_rcpt_restrictions. Defaults are intended to be backwards compatible. The bad_senders and bad_clients lists are gone and have become db (dbm, nis, etc) maps. Files: smtpd/smtpd_check.c, config/main.cf. 19980729-31 Feature: hashed queues. Rewrote parts of the mail queue API. Configuration parameters: "hash_queue_names" specifies what queue directories will be hashed (default: the defer log drectory), "hash_queue_depth" specifies the number of subdirectories used for hashing (default 2). 19980802 Bugfix: the pipe mailer should expand command-line arguments with $recipient once for every recipient (producing one command-line argument per recipient), instead of replacing $recipient by of all recipients (i.e. producing only one command-line argument). This is required for compatibility with programs that expect to be run from sendmail, such as uux. Thanks to Ollivier Robert for helping me to get this right. Code cleanup: for the above, cleaned up the macro expansion code in dict.c and factored out the parsing into a separate module, mac_parse.c. 19980803 "|command" and /file/name destinations in alias databases are now executed with the privileges of the database owner (unless root or vmailer). Thus, with: "alias_maps = hash:/etc/aliases, hash:/home/majordomo/aliases", and with /home/majordomo/aliases* owned by the majordomo account, you no longer need the majordomo set-uid wrapper program, and you no longer need root privileges in order to install a new mailing list. 19980804 Added support for the real-time blackhole list. Example: "client_restrictions = permit_mynetworks, reject_maps_rbl" All SMTP server "reject" status codes are now configurable: unknown_client_reject_code, mynetworks_reject_code, invalid_hostname_reject_code, unknown_hostname_reject_code, unknown_address_reject_code, relay_domains_reject_code, access_map_reject_code, maps_rbl_reject_code. Default values are documented in the smtpd/smtpd_check.c man page. 19980806-8 Code cleanup: after eye balling line-by line diffs, started deleting code that duplicated functionality because it was at the wrong abstraction level (smtp_trouble.c), moved functionality that was in the wrong place (dictionary reference counts in maps.c instead of dict.c), simplified code that was too complex (password-file structure cache) and fixed some code that was just wrong. 19980808 Robustness: the number of queue manager in-core structures for dead hosts is limited; the limit scales with the limit on the number of in-core recipient structures. The idea is to not run out of memory under conditions of stress. 19980809 Feature: mail to files and commands can now be restricted by class: alias, forward file or include file. The default restrictions are: "allow_mail_to_files = alias, forward" and allow_mail_to_commands = alias, forward". The idea is to protect against buggy mailing list managers that allow intruders to subscribe /file/name or "|command". 19980810-12 Cleanup: deleted a couple hundred lines of code from the local delivery agent. It will never be a great program; sendmail compatibility is asking a severe toll. 19980814 Cleanup: made the program shut up about some benign error conditions that were reported by Daniel Eisenbud. 19980814-7 Documentation: made a start of HTML docs that describe all configuration parameters. Feature: while documenting things, added smtpd_helo_required. 19980817 Bugfix: at startup the queue manager now updates the time stamps of active queue files some time into the future. This eliminates duplicate deliveries after "vmailer reload". Bugfix: the local delivery agent now applies the recipient delimiter after looking in the alias database, instead of before. Documentation bugfixes by Matt Shibla, Tom Limoncelli, Eilon Gishri. 19980819 GLIBC fixes from Myrdraal. Bugfix: applied showq buffer reallocation workaround in the wrong place. Bugfix: can't use shorts in varargs lists. SunOS 4 has short uid_t and gid_t. pipe_command() would complain. Bugfix: can't use signed char in ctype macros. All ctype arguments are now casted to unsigned char. Thanks, Casper Dik. 19980820 Bugfix: save the alias lookup result before looking up the owner. The previous alpha release did this right. Cleanup: mail_trigger() no longer complains when the trigger FIFO or socket is unavailable. This change is necessary to shut up the sendmail mail posting program, so that it can be used on mail clients that mount their maildrop via NFS. Experiment: pickup and pipe now run as vmailer most of the time, and switch to user privileges only temporarily. Files: util/set_eugid.c global/pipe_command.c pipe/pipe.c pickup/pickup.c. Is this more secure/ What about someone manipulating such a process while not root? It still has ruid == 0. 19980822 Portability: with GNU make, commands such as "(false;true)" and "while :; do false; done" don't fail. Workaround: use "set -e" all over the place. Problem found by Jeff Wolfe. Feature: "check_XXX_access maptype:mapname" (XXX = client, helo, sender, recipient). Now you can make recipient and other SPAM restrictions dependent on client or sender access tables lookup results. 19980823 Bugfix: smtpd access table lookup keys were case sensitive. Added "permit" and "reject" operators. These are useful at the end of SPAM restriction lists (smtpd_XXX_restrictions). Added a first implementation of the permit_mx_backup SPAM restriction. This permits mail relaying to any domain that lists this mail system as an MX host (including mail for the local machine). Thanks to Ollivier Robert for useful discussions. 19980824 Bugfix: transport table lookup keys were case sensitive. 19980825 Portability: sa_len is some ugly #define on some SGI systems, so we must rename identifiers (file util/connect.c). Bugfix: uucp delivery errors are now sent to the sender. Thanks, Mark Delany. Bugfix: the pipe delivery agent now replaces empty sender by the mailer daemon address. Mark Delany, again. Portability: GNU getopt looks at all command-line arguments. Fix: insert -- into the pipe/uucp definition in master.cf. Bugfix: the smtp server command tokenizer silently discarded the [] around [text], so that HELO [x.x.x.x] was read as if the client had sent: HELO x.x.x.x. Thanks, Peter Bivesand. Bugfix: the HELO unknown hostname/bad hostname restrictions would have treated [text] as a domain name anyway. Bugfix: the $local_duplicate_filter_limit value was not picked up by the local delivery agent. This means the local delivery agent could run out of memory on large mailing list deliveries. 19980826 Performance: mkmap/mkalias now run with the same speed as sendmail. VMailer now uses a 4096-entry cache with 1 Mbyte of memory for DB lookups. File: util/dict_db.c. 19980902 Robustness: the reject_unknown_hostname restriction for HELO/EHLO hostnames will now permit names that have an MX record instead of an A record. 19980903 Feature: appending @$myorigin to an unqualified address is configurable with the boolean append_at_myorigin parameter (default: yes). Feature: appending .$mydomain to user@host is configurable with the boolean append_dot_mydomain parameter (default: yes). Feature: site!user is rewritten to user@site, under control of the boolean parameter swap_bangpath (default: yes). Feature: permit a naked IP address in HELO commands (i.e. an address without the enclosing [] as required by the RFC), by specifying "permit_naked_ip_address" as one of the restrictions in the "smtpd_helo_restrictions" config parameter. 19980904 Code cleanup: when an SMTP client aborts a session after sending MAIL FROM, the cleanup service no longer warns that it is "skipping further client input". Files: cleanup/*.c. Thanks, Daniel Eisenbud, for prodding. Code cleanup: when an SMTP server disconnects in the middle of a session, don't try to send QUIT over the non-existing connection. Files: global/smtp_stream.c, smtp/smtp.c. Thanks, Daniel Eisenbud, for prodding, again. Code cleanup: the VMailer version number has moved from mail_params.h (which is included by lots of modules) to a separate file global/mail_version.h, so that a version change no longer results in massive recompilation. Bugfix: Errors-To was flagged as a sender address, so the address never was picked up. Code cleanup: support for Errors-To: headers completed. 19980905 Feature: per-message exponential delivery backoff, by looking at the amount of time a message has been queued. Thanks, Mark Delany. 19980906 Code cleanup: ripped out the per-host exponential backoff code. It was broken by 19980818. It was probably a bad idea anyway, because it required per-host, in-core, state kept by the queue manager. All we do now is to keep state for $minimal_backoff_time seconds, but only for a limited number of hosts. Daniel Eisenbud spotted the problem. Lost feature: the SMTP session transcripts now show who said what. This feature was inadvertently dropped during development. Thanks, Daniel Eisenbud, for reminding. Documentation: the hard-coded rewriting process of the trivial-rewrite program is described in html/rewrite.html. Feature: the local delivery agent now does alias lookups before and after chopping off the recipient subaddress. This allows you to forward user-anything to another user, without losing the ability to redirect specific user-foo addresses. 19980909 Feature: the smtp client now logs a warning that a server sends a greeting banner with the client's hostname, which could imply a mailer loop. 19980910 Feature: separate canonical maps for sender and recipient address rewriting, so that you can rewrite an ugly sender address and still forward mail to that same ugly address without creating a mailer loop. Files: cleanup_envelope.c, cleanup_message.c, cleanup_rewrite.c. 19980911 Feature: virtual maps now support multiple addresses on the right-hand side. In the case of virtual domains this can eliminate the need for address expansion via local aliases, making virtual domains much easier to administer. This required that I moved the virtual table lookups from the queue manager to the cleanup service, so that every recipient has an on-disk status record. Files: qmgr.c, qmgr_message.c, cleanup_envelope.c, cleanup_rewrite.c, cleanup_virtual.c. Feature: sendmail/mailq/newaliases pass on the -v flag to the program that they end up running, to make debugging a little easier. 19980914 Bugfix: some anti-spam measures didn't recognize some addresses as local and would do too much work. File: smtpd_check.c. Bugfix: the smtp sender/recipient table lookup restriction destroyed global data, so that other restrictions could break. File: smtpd_check.c. Bugfix: after vmailer reload, single-threaded servers could exit before flushing unwritten data to the client. Example: cleanup would exit before acking success to pickup, so the message would be delivered twice. Bug reported by Brian Candler. Cleanup: removed spurious error output from vmailer-script. Reported by Brian Candler. Tolerance: ignore non-numeric SMTP server responses. There's lot of brain damage out there on the net. 19980915 Feature: the smtp-sink benchmark tool now announces itself with a neutral name so that it can be run on the same machine as VMailer, without causing Postfix to complain about a mailer loop. Robustness: on LINUX, vmailer-script now does chattr +S to force synchronous directory updates. Fix developed with Chris Wedgwood. 19980916 Bugfix: when transforming an RFC 822 address to external form, there is no need to quote " characters in comments. This didn't break anything, it just looked ugly. File: global/tok822_parse.c 19980917 Workaround: with deliveries to /file/name, use fsync() and ftruncate() only on regular files. File: local/file.c Workaround: the plumbing code in master_spawn.c didn't check if it was dup2()/close()ing a descriptor to itself then closing it. Will have to redo the plumbing later. 19980918 Workaround: on multiprocessor Solaris machines, one-second rollover appears to happen on different CPUs at slightly different times. Made the queue manager more tolerant for such things. Problem reported by Daniel Eisenbud. Workaround: in preparation for deployment with a network-shared maildrop directory. make pickup more tolerant against clock drift between clients and servers. 19980921 New vstream_popen() module that opens a two-way channel across a socketpair-based pipe. This module isn't being used yet; it is here only to complete the vstream code. 19980922 Code cleanup: the xxx_server_main() interface for master child processes now uses a name-value argument list instead of an ugly and inflexible data structure. Bugfix: moved the test if a non-interactive process is run by hand, so that the "don't do this" error message can be printed to stderr before any significant processing. Bugfix: smtpd now can talk to unix-domain sockets without bailing out on a peer lookup problem. Files: smtpd/smtpd.c, util/peer_name.c. Safety: by default, the postmaster is no longer informed of protocol problems, policy violations or bounces. Safety: the SMTP server now sleeps before sending a [45]xx error response, in order to prevent clients from hammering the server with a connect/error/disconnect loop. Parameter: smtpd_error_sleep_time (default: 5). Feature: the logging facility is compile-time configurable (e.g., make makefiles "CCARGS=-DLOG_FACILITY=LOG_LOCAL1"). 19980923 Bugfix: changed virtual/canonical map search order from (user@domain, @domain, user) to (user@domain, user, @domain) so the search order is most specific to least specific. File: global/addr_map.c, lots of documentation. Bugfix: after the change of 19980910, cleanup_message extracted recipients from Reply-To: etc. headers. Found by Lamont Jones. 19980925 Bugfix: the change in virtual/canonical map search order broke @domain entries; they would never be looked up if the address matched $myorigin or $mydestinations. Found by Chip Christian who now regrets asking for the change. Bugfix: cleanup initialized an error mask incorrectly, so that it would keep writing to a file larger than the queue file size limit, and so it would treat the error as a recoverable one instead of sending a bounce. Thanks, Pieter Schoenmakers. Bugfix: the "queue file cleanup on fatal error" action was no longer enabled in the sendmail mail posting agent. Feature: the sendmail mail posting program now returns EX_UNAVAILABLE when the size of the input exceeds the queue file size limit. NB THIS CHANGE HAS BEEN WITHDRAWN. 19980926 Code cleanup: the dotlock file locking routine is no longer derived from Eric Allman's 4.3BSD port of mail.local. Code cleanup: the retry strategy of the file locking routines dot_lockfile() and deliver_flock() is now configurable (deliver_flock_attempts, deliver_flock_delay, deliver_flock_stale). Code cleanup: the master.pid lock file is now created with symlink paranoia, and is properly locked so that PID rollover will not cause false matches. Bugfix: the vbuf_print() formatting engine did not know about the '+' format specifier. Cleanup: replaced unnecessary instances of stdio calls by vstream ones. 19980929-19981002 Compatibility: added support for "sendmail -q". This required a change to the queue manager trigger protocol, and a code reorganization of the way queue scans were done. The queue manager socket now has become public. 10091002 SMTPD now logs "lost connection after end-of-message" instead of "lost connection after DATA". 10091005 More bullet proofing: timeouts on all triggers. 19981006 Bugfix: make the number of cleanup processes unlimited, in order to avoid deadlock. The number of instances needed is one per smtp/pickup process, and an indeterminate number per local delivery agent. Thanks, Thanks, David Miller and Terry Lorrah for cleueing me in. Bugfix: "sendmail -t" extracted recipients weren't subjected to virtual mapping. Daniel Eisenbud strikes again. 19981007 Compatibility: if the first input line ends in CRLF, the sendmail posting agent will treat all CRLF as LF. Otherwise, CRLF is left alone. This is a compromise between sendmail compatibility (all lines end in CRLF) and binary transparency (some, but not all, lines contain CRLF). 19981008 Robustness: stop recursive virtual expansion when the left-hand side appears in its own expansion. 19981009 Portability: trigger servers such as pickup and qmgr can now use either FIFOs or UNIX-domain sockets; hopefully at least one of them works properly. Trigger clients were already capable of using either form of local IPC. 19981011 Feature: masquerading. Strip subdomains from domains listed in $masquerade_domains. Exception: envelope recipients are left alone, in order to not screw up routing. 19981015 Code cleanup: moved the recipient duplicate filter from the user-level sendmail posting agent to the semi-resident cleanup service, so that the filter operates on the output from address canonicalization and of virtual expansion, instead of operating on their inputs. 19981016 Bugfix: after kill()ing a bunch of child processes, wait() sometimes fails before all children have been reaped, and must be called again, or the master will SIGSEGV later. Problem reported by Scott Cotton. Workaround: don't log a complaint when an SMTP client goes away without sending QUIT. 19981018 Workaround: Solaris 2.5 ioctl SIOCGIFCONF returns a hard error (EINVAL) when the result buffer is not large enough. This can happen on systems with many real or virtual interfaces. File: util/inet_addr_local.c. Problem reported by Scott Cotton. Workaround: the optional HELO/EHLO hostname syntax check now allows a single trailing dot. Workaround: with UNIX-domain sockets, LINUX connect() blocks until the server calls accept(). File: qmgr/qmgr_transport.c. Terry Lorrah and Scott Cotton provided the necessary evidence. 19981020 Robustness: recursive canonical mapping terminates when the result stops changing. Code cleanup: reorganized the address rewriting and mapping code in the cleanup service, to make it easier to implement the previous enhancement. 19981022 Code cleanup: more general queue scanning programming interface, in preparation for hashed queues. File: qmgr/qmgr_scan.c. Bugfix: a non-FIFO server with a process limit of 1 has a too short listen queue. Until now this was not a problem because only FIFO servers had a process limit of 1, and FIFOs have no listen queue. Fix: always configure a listen queue of proc_limit or more. File: master/master_listen.c. 19981023 Feature: by popular request, mail delay is logged when delivering, bouncing or deferring mail. 19981024 Cleanup: double-bounce mail is now absorbed by the queue manager, instead of the local delivery agent, so that the mail system will not go mad when no local delivery agent is configured. 19981025 Cleanup: moved the relocated table from the local delivery agent to the queue manager, so that the table can also be used for virtual addresses. Code reorg: in order for the queue manager to absorb recipients, the queue file has to stay open until all recipients have been assigned to a destination queue. 19981026 vmlogger command, so that vmailer-script logging becomes consistent with the rest of the VMailer system. Code reorg: logger interface now can handle multiple output handlers (e.g. syslog and stderr stream). Bugfix: a first line starting with whitespace is no longer treated as an extension of our own Received: header. Files: smtpd/smtpd.c, pickup/pickup.c. 19981027 Bugfix: the bang-path swapping code went into a loop on an address consisting of just a single !. Eilon Gishri had the privilege of finding this one. Workaround: the non-blocking UNIX-domain socket connect is now enabled only on systems that need it. It may cause kernel trouble on Solaris 2.x. Bugfix: the resolver didn't implement bangpath swapping, so that mail for site!user@mydomain would be delivered to a local user named "site!user". 19981028 Cleanup: a VSTREAM can now use different file descriptors for reading and writing. This was necessary to prevent "sendmail -bs" and showq from writing to stdin. Eilon Gishri observed the problem. 19981029 The RFC 822 address manipulation routines no longer give special attention to 8-bit data. Files: global/tok822_parse.c, global/quote_822_local.c. Bugfix: host:port and other non-domain stuff is no longer allowed in mail addresses. File: qmgr/qmgr_message.c. Workaround: LINUX accept() wakes up before the three-way handshake is complete, so it can fail with ECONNRESET. Files: master/single_server.c, master/multi_server.c. Feature: when delivering to user+foo, try ~user/.forward+foo before trying ~user/.forward. Bugfix: smtpd in "sendmail -bs" (stand-alone) mode didn't clean up when terminated by a signal. Bugfix: smtpd in "sendmail -bs" (stand-alone) mode should not try to enforce spam controls because it cannot access the address rewriting machinery. Cleanup: the percent hack (user%domain -> user@domain) is now configurable (allow_percent_hack, default: yes). Bugfix: daemons in -S (stand-alone) mode didn't change directory to the queue. This was no problem with daemons run by the sendmail compatibility program. 19981030 Feature: when virtual/canonical/relocated lookup fails for an address that contains the optional recipient delimiter (e.g., user+foo@domain), the search is done again with the unextended address (e.g., user@domain). File: global/addr_find.c. Code reorg: the address searching is now implemented by a separate module global/addr_find.c, so that the same code can be used for both (non-mapping) relocated table lookups and for canonical and virtual mapping. The actual mapping is still done in the global/addr_map.c module. Robustness: the SMTP client now skips hosts that don't send greeting banner text. File: smtp/smtp_connect.c Feature: preliminary support to disable delivered-to. This is desirable for mailing list managers that don't want to advertise internal aliases. Generic support: when the recipient_feature_delimiter configuration parameter is set, the local delivery agent uses it to split the recipient localpart into fields. Any field that has a known name such as "nodelivered" enables the corresponding delivery feature. 19981031 Code reorg: address splitting on recipient delimiter is now centralized in global/split_addr.c, which knows about all reserved names that should never be split. Robustness: when a request for an internal service cannot be satisfied because the master has terminated, terminate instead of trying to reach the service every 30 seconds. Safety: the local delivery agent now runs as vmailer most of the time, just like pickup and pipe. Files: local/local.c, local/mailbox.c 19981101 Compatibility: the tokenizer for alias/forward/etc. expansion now updates an optional counter with the number of destinations found; If no destinations is found in a .forward file, deliver to the mailbox instead. Thanks, Daniel Eisenbud, for showing the way to go. Robustness: the pickup daemon should always include a posting-time record, even when the sendmail posting agent didn't. However, just like before, user-provided posting times will be ignored. Ollivier Robert found this one. Robustness: duplicate entries in aliases or maps now cause a warning instead of a fatal error (and an incomplete file). Robustness: mkmap now prints a warning when an entry is in "key: value" format, which is the format expected for alias databases, not for maps. Portability: on LINUX, prepend "+" to the getopt() options string so that getopt() will stop at the first non-option argument. Suggestion by Marco d'Itri. 19981103 Cleaned up the set_eugid() and open_as() implementations, and added stat_as() and fstat_as() so that the local delivery agent would look up include files and .forward files with the right privileges. 19981104 Bugfix: the :include: routine now stat()s/open()s files included by root-owned aliases as root, not as nobody. Bugfix: the master crashed when a service with wakeup timer was disabled or renamed. Fix: eliminate some pathological coupling between process management and wakeup management. Feature: partial implementation of ETRN (causes a full deferred queue scan). Thanks Lamont Jones for reminding me that things can be useful already before they are perfect. Cleanup: simplified the SMTPD tokenizer. Bugfix: sendmail -bs didn't properly notify the mail system of new mail. Compatibility: the MAIL FROM and RCPT TO commands now accept the most common address forms without enclosing <>. The <> is still needed for addresses that contain a "string", an [address], or a colon (:). 19981105 Bugfix: "master -t" would claim that the master runs when in fact the pid directory does not exist, causing trouble with first time startup (reported by several). Portability: added a sane_accept() module that maps all beneficial accept() error results to EAGAIN. According to private communication with Alan Cox, Linux 2.0.x accept() can return a variety of error conditions, so we play safe and allow for any error that may happen because SYN+ACK could not be sent. Portability: NETBSD1 uses dotlock files (Perry Metzger). Bugfix: the local delivery agent did not canonicalize owner-foo sender addresses, so that local users would see owner-foo instead of owner-foo@$myorigin (Perry Metzger). OPENSTEP4 support, similar to NEXTSTEP3 (Gerben Wierda). 19981106 Portability: the master startup would take a long time on AIX because AIX has a very large per-process open file limit. Fix is to check the status of only the first couple hundred file descriptors instead. File: master/master.c. Bugfix: mail to user@[net.work.addr.ess] was broken because of a reversed test. File: qmgr/qmgr_message.c. 19981107 Compatibility: don't clobber the envelope sender address when an alias has no owner-foo alias (problem diagnosed by Christophe Kalt). Bugfix: mail to local users in include files would be delivered directly if the alias didn't have an owner-foo alias, and if the alias database and include file were owned by root. Feature: with user+foo addresses, any +foo address extension that is not explicitly matched in canonical, virtual or alias databases is propagated to the table lookup result. 19981108 Bugfix: minor memory leak in the user+foo table lookup code. Configurability: specify virtual.domain in the virtual map, and mail for unknown@virtual.domain will bounce automatically. The $relay_domains default value now includes $virtual_maps, so the SMTP server will accept mail for the domain. Marco d'Itri put me on the right track. Configurability: The mydestinations configuration parameter now accepts /file/name expressions and type:name lookup tables. Code cleanup: in order to make the previous two enhancements possible, revised the string/host/address matching engine so it can handle any mixture of strings, /file/name patterns and type:name lookup tables. Files: util/match_{list,ops}.c, global/{domain,namadr,string}_list.c. 19981110 Code cleanup: replaced remaining isxxx() calls by ISXXX(). 19981111 Bugfix: the "bounce unknown virtual user" code was in the wrong place. Problem tackled with help of Chip Christian. Portability: reportedly, Solaris 2.5.1 can hang waiting for a UNIX-domain connection to be accepted, to it gets the same workaround that was designed for LINUX. Problem reported by Scott Cotton. 19981112 Management: "vmailer stop" now allows delivery agents to finish what they are doing, like "vmailer reload". Management; "vmailer abort" causes immediate termination. Workaround: zombie processes pile up with HP-UX. Reason: select() does not return upon SIGCHLD when SA_RESTART is specified to sigaction(). Workaround: shorten the select() timer to 10 seconds, #ifdef BRAINDEAD_SELECT_RESTARTS. Thanks, Lamont Jones. 19981117 Rename: VMailer is now Postfix. Sigh. 19981118 Cleanup: generalized the safe_open() routine so that it is no longer limited to mailbox files, lock files, etc. Bugfix (found during code review): vstream*printf() could run off the end of a stream buffer after an I/O error, because vbuf_print() ignored the result from VBUF_SPACE(). Bugfix (found during code review): resolve_local() could clobber its argument, but the docs didn't say so. 19981121 Cleanup: the is_header() routine now allows 8-bit data in header labels. 19981123 Bugfix (found during code review): the mail_queue_enter() path argument wasn't optional. File: global/mail_queue.c 19981124 Cleanup: eliminated redundant tests for a zero result from vstream_fdopen(). Unlike the stdio fdopen() routine, the vstream_fdopen() routine either succeeds or never returns. Bugfix: the queue manager now looks at the clock before examining a file time stamp, to avoid spurious complaints about time warps on busy machines. File: qmgr/qmgr_active.c. 19981125 Compatibility: allow trailing dot at the end of user@domain. Address canonicalization now strips it off. Issue brought forward by Eilon Gishri. File: trivial-rewrite/rewrite.c. Robustness: changed DNS lookup order of MAIL FROM etc. domains from MX then A to A then MX, just in case the MX lookup fails with a server error. Renamed vmcat, vmlock, vmlogger, vmtrigger to postcat, postlock, postlog, postkick. Also renamed mkmap and mkalias to postmap and postalias. 19981126 Workaround: Lamont Jones found a way for HP-UX to terminate select() after SIGCHLD. The code is #ifdef USE_SIG_RETURN. Files: util/sys_defs.h, master/master_sig.c. Bugfix: the Delivered-To: loop detection code had stopped working, when long ago the is_header() routine was changed. File: local/delivered.c. 19981128 Bugfix: postcat opened queue files read-write, where only read access was needed. File: postcat/postcat.c. 19981129 Safety: added a sleep(1) to all fatal and panic exits. File: util/msg.c. 19981201 Robustness: postcat now insists that a file starts with a time record. Consistency: added "-c config_dir" command-line options where appropriate. 19981202 Man pages, on-line version. 19981203 Man pages, html version; overview documentation. 19981206 Sendmail silently accepted the unsupported -qRsite and -qSsite options. It now prints an error message and terminates. Separated the contributed tree from the IBM code; moved the LDAP and NEXTSTEP/OPENSTEP code to the contributed source tree because obviously I didn't write it. 19981206-9 Had to write a postconf configuration utility in order to reliably find out about all configuration parameters and their defaults. Documentation bugfixes by Matt Shibla, Scott Drassinower, Greg A. Woods. 19981209 On machines with short hostnames, postconf -d cored while reporting a fatal error. It should not report that error in the first place. Thanks, Eilon Gishri. Changed the FAQ entry about rejecting mail for *.my.domain on a firewall. Chip Christian was right, I was wrong. 19981214 Portability: with GNU getopt, optind is not initially 1, breaking an assumption in sendmail/sendmail.c. Liviu Daia. Annoyance: on non-networked systems, don't warn that only one network interface was found. File: global/inet_addr_local.c. Reported by several. Bugfix: on non-networked systems, the smtp client assumed that it was running in virtual host mode, and would bind to the loopback interface. File smtp/smtp_connect.c. Liviu Daia, again. 19981220 Robustness: when looking up an A or MX record, do not give up when the A query fails because of a server error. File dns/dns_lookup.c. Reported by Scott Drassinower. 19981221 Bugfix: "bounce mail for non-existent virtual user" didn't work when a non-default relay host was configured in main.cf or in the transport table. File: qmgr/qmgr_message.c. Bugfix: the maildrop directory should not be world-readable. Files: conf/postfix-script, showq/showq.c. Documentation: fixed several omissions and errors. Documentation: removed references to the broken recipient feature delimiter configuration parameter. Bugfix: write mailbox file as the recipient, so that file quota work as expected. Bugfix: pickup would die when it tried to remove a non-file in the maildrop directory (Jeff Wolfe). 19981222 Sendmail no longer logs the queue ID when it is unable to notify the pickup daemon. This is a late addition to the "unreadable maildrop queue" patch. user.lock files are now created as root, so that postfix needs no group directory write permission. 19981224 Security: allow queue file link counts > 1, to avoid non-delivery of maildrop files with links to a non-maildrop directory. Files: global/mail_open_ok.c, and anything that calls this code (qmgr, pickup, showq). If multiple hard links are a problem, see the set-gid "postdrop" utility below. 19981225 Robustness: the queue manager no longer aborts when a queue file suddenly disappears (e.g. because the file was removed by hand). Feature: when a writable maildrop directory is a problem, sites can make the new "postdrop" utility set-gid. This command is never used when the maildrop directory is world-writable. Robustness: make the queue file creation routine more resistant against denial of service race attack. File: global/mail_queue.c 19981226 New suid_priv module to enable/disable privileges in a set-uid/gid program. In the end I decided to not use it. 19981228 Robustness: make the pickup daemon more resistant against non-file race attack. Cleanup: generic mail_stream.c interface for writing queue file streams to files, daemons or commands. This simplifies the code in smtpd and in sendmail that must be able to pipe mail through the postdrop command. The cleanup daemon has been modified to use the same interface. Result: less code. Feature: smtpd now logs the only recipient in Received: headers. Feature: separate command and daemon directories. Both default to $program_directory. Install conf/postfix-script if you want to use this feature. 19981230 Patch to avoid conflict with non-writable top-level Makefile (Lamont Jones). 19981231 Portability: port to UnixWare 7 by Ronald Joe Record, SCO. 19990104 Bugfix: fencepost (Jon Ribbens, Oaktree Internet Solutions Ltd.) Files: quote_82[12]_local.c. Bugfix: wrong default for relay_domains (Juergen Kirschbaum, Bayerische Landesbank). File: mail_params.h. Bugfix: changed 5xx response for "too may recipients" to 4xx. File: smtpd.c. 19990106 Feature: defer_transports specifies the names of transports that should be used only when "sendmail -q" (or equivalent) is issued. For example, "defer_transports = smtp" is useful for sites that are disconnected most of the time. File: qmgr_message.c. 19990107 Feature: local_command_shell specifies a non-default shell for delivery to command by the local delivery agent. For example, "local_command_shell = /some/where/smrsh -c" restricts what may appear in "|command" destinations. File: global/pipe_command.c. 19990112-16 Feature: SMTP command pipelining support based on an initial version by Jon Ribbens, Oaktree Internet Solutions Ltd. This one took several days of massaging before I felt comfortable about it. Files: smtp.c, smtp_proto.c. Bugfix: the SMTP server would flush responses one-by-one, which caused suboptimal performance with pipelined clients. The vstream routines now flush the write buffer when the read() routine is called, instead of flushing when the application changes from writing to reading. Delayed flush prevents the SMTP server from flushing responses one-by-one and thus triggering Nagle's algorithm. File: util/vstream.c. 19990117 Bugfixes and enhancements to the smtpstone tools by Drew Derbyshire, Kendra Electronic Wonderworks: send helo command, send message headers, format the message content to lines < 80, work around NT stacks, make "." recognition more robust. Files: smtp-source.c, smtp-sink.c. Strategy: look at the deferred queue only when the incoming queue is empty; limit the number of recipients read from a queue file depending on the number of recipients already in core. Files: qmgr.c, qmgr_message.c. Feature: postponed anti-UCE restrictions. The decision to reject junk mail on the basis of the client name/address, HELO hostname or sender address can now be postponed until the RCPT TO command (or HELO or MAIL FROM if you like). File: smtpd_check.c. 19990118 Feature: incremental updates of alias databases and of other lookup tables. Both postalias and postmap now take a -i option for incremental updates from standard input. Files: global/mkmap_*.c, post{map,alias}/post{map,alias}.c. Compatibility: newaliases can now update multiple alias databases: list them in the "alias_database" parameter in main.cf. By the same token, postalias can now update multiple maps in one command. Files: post{map,alias}/post{map,alias}.c Feature: mail to <> is now sent to the address specified with the "empty_address_recipient" configuration parameter which defaults to MAILER-DAEMON (idea by Lamont Jones, Hewlett-Packard). File: cleanup/cleanup_envelope.c. Compatibility: the transport table now uses .domain.name to match subdomains, just like sendmail mailer tables (patch by Lamont Jones, Hewlett-Packard). Feature: mailq now ends with a total queue size summary (Eilon Gishri, Israel Inter University Computation Center). 19990119 Feature: address masquerade exceptions for user names listed in the "masquerade_exceptions" configuration parameter. File: cleanup/cleanup_masquerade.c. Feature: qmail-style maildir support, based on initial code by Kevin W. Brown, Quantum Internet Services Inc. Workaround: Solaris 2.something connect() fails with ECONNREFUSED when the system is busy (Chris Cappuccio, Empire Net). File: global/mail_connect.c. Feature: the cleanup service now adds a Return-Path: header when none is present. This header is needed for some mail delivery programs (see below). File: cleanup_message.c. Feature: the pipe mailer now supports $user, $extension and $mailbox macros in command-line expansions. This, plus the Return-Path: header (see above), should be sufficient to support cyrus IMAP out of the box. Based on initial code by Joerg Henne, Cogito Informationssysteme GMBH. File: pipe/pipe.c. Bugfix: with address extensions enabled, canonical and virtual lookups now are done in the proper order: user+foo@domain, user@domain, user+foo, user, @domain. File: global/mail_addr_find.c. 19990119 Feature: the local mailer now prepends a Received: message header with the queue ID to forwarded mail, in order to make message tracing easier. File: local/forward.c. Cleanup: after "postfix reload", no more broken pipe complaints from resolve/rewrite clients. 19990121 Feature: pickup (again) logs uid and sender address. On repeated request by Scott Cotton, Internet Consultants Group, Inc. Portability: doze() function for systems without usleep(). Cleanup: clients are now consistently logged as host[address]. 19990122 Maildir support changed: specify "home_mailbox = Maildir/". The magic is the trailing /. Suggested by Daniel Eisenbud, University of California at Berkeley. Maildir support from aliases, :include: and .forward files. Specify /file/name/ - the trailing / is required. Suggested by Daniel Eisenbud, University of California at Berkeley. Workaround: watchdog timer to prevent the queue manager from locking up on some systems. Bugfix: in Received: headers, the "for " information was in the wrong place. Pointed out by Jon Ribbens, Oaktree Internet Solutions Ltd. 19990124 Portability: more workarounds for GNU getopt() by Liviu Daia, Institute of Mathematics, Romanian Academy. File: sendmail/sendmail.c. 19990125 Bugfix: Postfix should not masquerade recipient addresses extracted from message headers. Problem reported by David Blacka, Network Solutions. File: cleanup/cleanup_message.c. 19990126 Feature: smtpd_etrn_restrictions parameter to restrict who may use ETRN and what domains may be specified. Example: "smtpd_etrn_restrictions = permit_mynetworks, reject". Requested by Jon Ribbens, Oaktree Internet Solutions Ltd. File: smtpd/smtpd_check.c. 19990127 Bugfix: in an attempt to shave some cycles, the anti junk mail routines would use the wrong resolved address. This "optimization" is now turned off. Problem reported by Sam Eaton, Pavilion Internet Plc. File: smtpd/smtpd_check.c. Feature: BIFF notifications. For compatibility reasons this feature is on by default. This "protocol" can be a real performance pig. Specify "biff = no" in main.cf if your machine has lots of shell users. Feature requested by Dan Farmer - it's one of the things one does for friends. Files: local/mailbox.c, local/biff_notify.c. Bugfix: another case sensitivity problem, this time with virtual lookups to recognize unknown@virtual.domain. Problem reported by Bo Kleve, Linkoping University. File: qmgr/qmgr_message.c. 19990128 Feature: with "soft_bounce = yes", defer delivery instead of bouncing mail. This is a safety net for configuration errors with delivery agents. It has no effect on errors in virtual maps, canonical maps, or in junk mail restrictions. Feature requested by Bennett Todd. File: global/bounce.c. 19990129 Compatibility: the qmail maildir.5 documentation prescribes maildir file names of the form time.pid.hostname, which is wrong because Postfix processes perform multiple deliveries. Elsewhere the qmail author has documented how maildir files should be named under such conditions. Postfix has been changed to be conformant. File: local/maildir.c. 19990131 Feature: special treatment of owner-foo and foo-request can be turned off. Specify "owner_request_special = no". Requested by Matthew Green and others. Files: local/alias.c, global/split_addr.c. This affects canonical, virtual and alias lookups. 19990204 Portability: signal handling for HP-UX 9 by Lamont Jones of Hewlett Packard. File: master/master_sig.c. Robustness: disable random walk inside a per-site queue to avoid message starvation under heavy load. File: qmgr_entry.c. Robustness: under some conditions the queue manager could declare a host dead after just one delivery failure. File: qmgr_queue.c. 19990212 Feature: skip SMTP servers that greet us with a 4XX status code. Example: "smtp_skip_4xx_greeting = yes". By default, the Postfix SMTP client defers delivery when a server declines talking to us. File: smtp/smtp_connect.c. Robustness: upon startup the queue manager now moves active queue files to the incoming queue instead of the deferred queue, to avoid anomalous delivery delays on systems that have a huge incoming queue. Files: qmgr/qmgr.c, qmgr/qmgr_active.c, global/mail_flush.c, conf/postfix-script* 19990213 Robustness: added watchdog timers to avoid getting stuck on systems with broken select() socket implementations. File: qmgr_transport.c, qmgr_deliver.c. 19990218 Feature: NFS-friendly delivery to mailbox by avoiding the use of root privileges as much as possible. With input by Mike Muus, Army Research Lab, USA. Feature: the smtp-sink test server now supports SMTP command pipelining. To this end we had to generalize the timer and vstream support. Poor performance is fixed 19990222. Cleanup: timer event routines now have the same interface as read/write event routines (event type + context). File: util/events.c. Feature: new vstream_peek() routine to tell how much unread data is left in a VSTREAM buffer. This is the vstream variant of the peekfd() routine for kernel read buffers. File: util/vstream.c. Feature: directory scanning support for hashed mail queue directories. So far the results are disappointing: with depth = 2 (16 directories with 16 subdirectories), mailq takes 5 seconds with an empty queue unless all directories happen to be cached in memory. We need a bit map before hashed queue directories become practical. Depth=1 hashing doesn't slow down mailq much, but doesn't help much either. Files: util/scan_dir.c, global/mail_scan_dir.c. 19990221 Workaround: with "ignore_mx_lookup_error = yes", the SMTP client always performs an A lookup when an MX lookup could not be completed, rather than treating MX lookup failure as a temporary error condition. Unfortunately there are many broken DNS servers on the Internet. File: smtp/smtp_addr.c. 19990222 Performance: rewrote the guts of the smtp-sink test server so it can do pipelining without losing performance. 19990223 Workaround: hotmail.com sometimes drops the connection after "." (causing misleading diagnostics to be logged) or waits minutes after receiving QUIT. Solution: do not wait for the response to QUIT. File: smtp/smtp_proto.c. This is turned off with: "smtp_skip_quit_response = no". 19990224 Feature: the pipe mailer accepts user=username:groupname, based on code submitted by Philip A. Prindeville, Mirapoint, Inc., USA. File: pipe/pipe.c. Workaround: use file locking to prevent multiple processes from select()ing on the same socket. This causes performance problems on large BSD systems. Files: master/*_server.c. 19990225 Bugfix: with "inet_interfaces = 127.0.0.1", don't bind to the loopback interface. Problem reported by Steve Bellovin of AT&T. File: smtp/smtp_addr.c. Feature: "postsuper" command to remove stale queue files to update queues after changes to the queue structure parameters (hash_queue_names, hash_queue_depth). This command is to be run from the postfix-script maintenance shell script. 19990301 Feature: new postconf -h (suppress `name = ' in output) option to make the program easier to use in, e.g., shell scripts. Feature: dict_unix module so you can add the UNIX passwd table to the SMTPD access control list. 19990302 Feature: "luser_relay = destination" captures mail for non-existent local recipients. This works only when the local delivery agent does mailbox delivery (including delivery via mailbox_command), not when mailbox delivery is delegated to another message transport. Feature: new reject_non_fqdn_{hostname,sender,recipient} restrictions to require fully.qualified.domain forms in HELO, MAIL FROM and RCPT TO commands (while still allowing the <> sender address). 19990304 Bugfix: backed out the 19990119 change to always insert Return-Path: if that header is not present. The pipe and local agents now are responsible for prepending Return-Path:. Files: cleanup/cleanup_message.c, global/mail_copy.[hc], pipe/pipe.c, global/header_opts.c. This causes an incompatible change to the pipe flags parameter, because Return-Path: now must be requested explicitly. 19990305 Bugfix: showq (the mailq server) incorrectly assumed that all recipients of a deferred message are listed in the corresponding defer logfile. It now lists all recipients. Files: showq/showq.c, cleanup/cleanup_envelope.c (ensure that sender records always precede recipient records). Cleanup: smtpd HELO restrictions validate [numerical] forms. Files: util/valid_hostname.c, smtpd/smtpd_check.c. Initial code by Philip A. Prindeville, Mirapoint, Inc., USA. 19990306 Cleanup: re-vamped the valid_hostname module, and added a maximal label length (63) requirement. Feature: fallback_relay parameter to specify extra backup hosts in case the regular relay hosts are not found or not available. Files: smtp/smtp_addr.c. Feature: "always_bcc = address" specifies where to send a copy of each message that enters he system. However, if that copy bounces, the sender will be informed of the bounce. Files: smtpd/smtpd.c, pickup/pickup.c Compatibility: the transport map will now route on top-level domains, so you can dump all of .bitnet to a bitnet relay. 19990307 Feature: LDAP lookups, updated by Jon Hensley, Merit Network, USA. Feature: regular expression (PCRE) support by Andrew McNamara, connect.com.au Pty. Ltd., Australia. In order to use this code specify pcre:/file/name. You can use this anywhere you would use a DB or DBM file, NIS or LDAP. See: PCRE_README for how to enable this code. Feature: "delay_warning_time = 4" causes Postfix to send a "your mail is delayed" notice after approx. 4 hours. Daniel Eisenbud, University of California at Berkeley. Files: qmgr/qmgr_active.c, qmgr/qmgr_message. Postmaster notices for delayed mail are disabled by default. In order to receive postmaster notices, specify "notify_classes = ... delay ...". Cleanup: do not send undeliverable bounced mail to postmaster. This was causing lots of pain with junk mail from bogus sender addresses to non-existent recipients. This change was reversed 19990311. 19990308 Bugfix: the dotforward routine was too eager with throwing away extension information, so that the Delivered-To: info would differ for \mailbox and |command. Problem reported by Rafi Sadowski, Open University, Israel. Bugfix: seems I never got around to fix the btree access method. I finally did. Problem reported by: Matt Smith, AvTel Communications Inc., USA. 19990311 Back by popular demand: with "notify_classes = 2bounce ..." Postfix will send undeliverable bounced mail to postmaster. The default is to not send double bounces. This change reverses a change made on 19990307. 19990312 Feature: configurable exit handler for server skeletons. Philip A. Prindeville, Mirapoint, Inc., USA. Files: master/*server.c. Feature: mail_spool_directory configuration parameter to specify the UNIX mail spool directory. The default setting is system dependent. 19990313 Cleanup: share file descriptors for resolve and rewrite client connections. This puts less strain on the trivial-rewrite service. Portability: support for UnixWare 2.1 by Dmitry E. Kiselyov, Nizhny Novgorod City Health Emergency Station. Feature: configurable delays in the smtpstone test programs. With input by Philip A. Prindeville, Mirapoint, Inc., USA. Files: smtpstone/*.c. Bugfix: a "signal 11" problem in the trivial-rewrite program that would occasionally happen after "postfix reload". Reason: some rewrite clients would clobber their input, and when they had to retransmit the query, the input would be a zero-length string, which trivial-rewrite isn't supposed to receive. 19990314 Feature: "mailbox_transport = cyrus" delegates all local mailbox delivery to a master.cf entry called "cyrus" (the same trick for procmail), including users not found in the UNIX passwd database. This gives the flexibility of $name expansions by the pipe mailer, without losing local aliases and ~/.forward processing. Result of discussions with Rupa Schomaker, RS Consulting. 19990315 Feature: the mydestination parameter can now be an empty string, for hosts that don't receive any mail locally. Be sure to specify a default route for mail that comes to the machine or mail will loop. 19990316 Bugfix: the SMTPD check scaffolding didn't apply the same sanity checks as the production code. Problem reported by Alain Thivillon, Hervé Schauer Consultants, France. File: smtpd/smtpd_check.c. Portability: some systems can have more than 59 seconds in a minute. Based on a fix by Liviu Daia, Institute of Mathematics, Romanian Academy. File: global/mail_date.c. Enhancement: include the client network address in the rejected by RBL response. Lamont Jones, Hewlett-Packard. Workaround: use fstat() to figure out if the maildrop is world-writable. access() uses the real uid, which stinks. Robustness: don't do partial address lookups (user@, domain, user, @domain) with regexp-style tables. Security: don't allow regexp-style tables to be used for aliases. It would be too easy to slip in "|command" or :include: or /file/name. 19990317 Feature: "fallback_transport = cyrus" delegates non-UNIX recipients to a master.cf entry called "cyrus", allowing you to have both UNIX and non-UNIX mailboxes side by side. 19990319 Workaround: on 4.4 BSD derivatives, fstat() can return EBADF on an open file descriptor. Now, that was a surprise. This caused std{out,err} from cron commands to not be delivered. Bugfix: "local -v" stopped working. Workaround: more watchdog timers for postfix-unfriendly systems. By now every Postfix daemon has one. Call it life insurance. Robustness: increased the maximal time to receive or deliver mail from $ipc_timeout (default: 3600 seconds) to the more generous $daemon_timeout (default: 18000 seconds). We don't want false alarms. Portability: IRIX 5.2 does not have usleep(). 19990320 Bugfix: \username was broken. Frank Dziuba was the first to notice. 19990321 Workaround: from now on, Postfix on Solaris uses stream pipes instead of UNIX-domain sockets. Despite workarounds, the latter were causing more trouble than anything else on all systems combined. 19990322 Portability: the makedefs would mis-identify IRIX 6.5.x as IRIX 5.x. Fix by Brian Truelsen of Maersk Mc-Kinney Moller Institute for Production Technology, Denmark. Feature: reject_unknown_recipient_domain restriction for recipient addresses. For the sake of symmetry, we now also have reject_unknown_sender_domain. This means the old reject_unknown_address restriction is being phased out. Suggested by Rask Ingemann Lambertsen, Denmark Technical University. Feature: unknown sender/recipient domain restrictions now distinguish between soft errors (always: 450) and hard errors (configurable with the unknown_address_reject_code parameter, default: 450; use 550 at your own risk). Feature: no HELO junk mail restrictions means that no syntax check will be done on HELO/EHLO hostname arguments. Bugfix: the initial Solaris workaround for UNIX-domain sockets could cause the queue manager to block if Postfix ran into a delivery agent process limit. After another code rewrite that problem is eliminated. Thanks to Chris Cappuccio, Empire Net, for assistance with testing. 19990323 Bugfix: too much forwarding when users list their own name in their .forward file (e.g. mail to user@localhost would go through .forward, would be forwarded to user@$myorigin, and would go through .forward again). Problem reported by Roman Dolejsi, Prague University of Economics. 19990324 Bugfix: missing map name in check_xxx_access restrictions could cause a segmentation error. Lamont Jones, Hewlett- Packard. Feature: forward_path configuration parameter (default: $home/.forward$recipient_delimiter$extension,$home/.forward). Based on initial code by Philip A. Prindeville, Mirapoint, Inc., USA. Files: local/dotforward.c. 19990325 Workaround: Solaris NIS alias maps need special entries (YP_MASTER_NAME, YP_LAST_MODIFIED). What's worse, normal keys/values include a null byte at the end, but the YP_XXX ones don't. Problem reported by Walcir Fontanini, state university of Campinas, Brazil. File: postalias/postalias.c. Compatibility: Solaris NIS apparently does include a null byte at the end of keys and values. File: util/sys_defs.h. Feature: library support for config parameters that are not $name expanded at program start-up. This was needed for forward_path, and will also be needed to make message headers customizable. Bugfix: pcre didn't handle \\ right. Lamont Jones, Hewlett- Packard. File: util/dict_pcre.c. 19990326 Compatibility: Postfix now puts two spaces after the sender in a "From sender date..." header. Found by John A. Martin, fixed by Lamont Jones, Hewlett-Packard. Bugfix: when a recipient appeared multiple times in a local alias or include expansion, the delivery status could be left uninitialized, causing the mail to be deferred and delivered again. File: local/recipient.c. 19990327 Cleanup: the dictionary routines now take an extra flag argument to control such things as warning about duplicates, and appending null bytes to key/value. The latter was needed for a clean implementation of NIS master alias maps support. Feature: POSIX regular expressions by Lamont Jones. See config/sample-regexp.c. Right now, enabled on *BSD and LINUX only. 19990328 Code cleanup: dictionaries now have flags that say whether lookup keys are fixed strings or whether keys are subjected to pattern matching. This is needed to avoid passing partial addresses to regexp-based lookup tables (user, @domain, user@, domain). Files: util/dict*.c. Bugfix: fixed memory leaks and core dumps in the regexp and pcre routines (neither handled an empty pattern file). 19990329 Code cleanup: the dictionary I/O routines now do their own locking depending on dictionary flag settings. This means that the low-level dict_get() interface can now be used for safe dictionary lookups. This is needed for 19990328's partial lookup key support. Files: util/dict*.c. global/maps.c. Feature: regular expression matches are no longer limited to user@domain address forms in access/canonical/virtual maps, but can also be used for domains in transport maps. This needed the partial lookup key support to avoid passing partial addresses to regexp-based lookup tables (user, @domain, user@, domain). Files: global/maps.c globl/mail_addr_find.c. Feature: new dictionary types can be registered with dict_open_register(). File: util/dict_open.c. 19990330 Bug fix: match_list membership dictionary lookups were case sensitive when they should not. Patch by Lutz Jaenicke, BTU Cottbus, Germany. 19990402 Feature: $domain macro support in forward_path. Philip A. Prindeville, Mirapoint, Inc., USA. File: local/dotforward.c. Feature: if an address extension (+foo) is explicitly matched by the .forward+foo file name, do not propagate the extension to recipient addresses. This is more consistent with the way aliases are expanded. File: local/dotforward.c. 19990404 Bugfix: after receiving mail, the SMTP server didn't reset the cleanup error flag, so that multiple deliveries over the same SMTP session could fail due to errors with previous deliveries. Found by Lamont Jones, Hewlett-Packard. 19990405 Feature: MIME-encapsulated bounces. Philip A. Prindeville, Mirapoint, Inc., USA. File: bounce/bounce_notify_service.c Cleanup: vstreams now properly look at the EOF flag before attempting to read, eliminating the need for typing Ctrl-D twice to test programs; the EOF flag is reset after each unget or seek operation. Files: util/vstream.c, util/vbuf.c. Feature: in preparation for configurable message headers the mac_parse() routine now balances the parentheses in ${name} or $(name). We need this in order to support conditional expressions such as ${name?text} where `text' contains other ${name} expressions. 19990406 Cleanup: changed MIME header information to make bounces more RFC 1892 compliant. 19990407 Feature: "best_mx_transport = local" delivers mail locally if the local machine is the best mail exchanger (by default, mail is bounced with a "mail loops back to myself" error). Config: in order to make feature tracking easier the source code distribution now has a copy of the default settings in conf/main.cf.default. Feature: separate configurable postmaster addresses for single bounces (bounce_notice_recipient), double bounces (2bounce_notice_recipient), delayed mail (delay_notice_recipient), and for other mailer errors (error_notice_recipient). The default for all is "postmaster". 19990408 Workaround: on Solaris 2.x, the master appears to lose its exclusive lock on the master.pid file, so keep grabbing the lock each time the master wakes up from select(). Robustness: don't flush VSTREAM buffers after I/O error. This prevents surprises when calling vstream_fclose() after truncating a mailbox to its original size. Portability: on LINUX systems, if exists, don't look for . Workaround: specify "sun_mailtool_compatibility = yes" to avoid clashes with the mailtool application. This disables kernel locks on mailbox files. Use only where needed. Portability: renamed readline to readlline, to avoid clashes with mysql. 19990409 Bugfix: ignore temp queue files that aren't old enough. Problem reported by Vivek Khera, Khera Communications, Inc. Bugfix: fixed typo in dict_db.c that caused processes to not release DB shared locks. Feature: auto-detection of changes to DB or DBM lookup tables. This avoids the need to run "postfix reload" after change to the smtp access table and other tables. Feature: regular expression checks for message headers. This requires support for POSIX or for PCRE regular expressions. Specify "header_checks = regexp:/file/name" or "header_checks = pcre:/file/name", and specify "/^header-name: badstuff/ REJECT" in the pattern file (patterns are case-insensitive by default). Code by Lamont Jones, Hewlett-Packard. It is to be expected that full content filtering will be delegated to an external command. 19990410 Bugfix: auto-detection of changes to DB or DBM lookup tables wasn't done for TCP connections. 19990410 Feature: $recipient expansion in forward_path. Philip A. Prindeville, Mirapoint, Inc., USA. File: local/dotforward.c Feature: the smtp client consistently treats a numerical hostname as an address. File: smtp/smtp_addr.c. 19990414 Compatibility: support comment lines starting with # in $mydestination include files. This makes Postfix more compatible with sendmail.cw files. File: util/match_list.c. Feature: if your machines have short host names, specify "mydomain = domain.name", and you no longer have to specify "myhostname = host.domain.name". Files: global/mail_params.c, postconf/postconf.c. 19990420 Cleanup: bounce mail when a mailbox goes over file quota, instead of deferring delivery. File: local/mailbox.c. 19990421 Feature: auto-detection of changes to DB or DBM lookup tables now includes the case where a file is unlinked. Philip A. Prindeville, Mirapoint, Inc., USA. File: util/dict.c. 19990422 Robustness: Lotus mail sends MAIL FROM: <@> instead of <>. Problem reported by Erik Toubro Nielsen, IFAD, Denmark. Files: trivial-rewrite/rewrite.c (@ becomes empty address) and global/rewrite_clnt.c (allow empty response). Bugfix: showq could segfault when writing to a broken pipe. Problem reported by Bryan Fullerton, Canadian Broadcasting Corporation. Files: util/vbuf_print.c. Cleanup: got rid of the "fatal: write error: Broken pipe" message when mailq output is piped into a program that terminates early. Cleanup: bounce messages are multipart/mixed with the error report as part of the first message segment, because users had trouble extracting the delivery error report from the attachment. 19990423 Cleanup: the default junk mail reject code is now 554 (service unavailable) rather than 550 (user unknown). Folded in the updated dict_ldap.c module by John Hensley, Merit Network, USA. Folded in the vstream_popen.c updates by Philip A. Prindeville, Mirapoint, Inc., USA. This copies a lot of code from pipe_command(); the next step is to trim that module. 19990425 Workaround: renamed config.h to mail_conf.h etc. in order to avoid name collisions with LINUX (yes, they have a system include file calle config.h). For compatibility with people who have written software for Postfix, there's a config.h that aliases the old names to the new ones. That file will go away eventually. 19990426 Feature: error mailer, in order to easily bounce mail for specific destinations. In the transport table, specify: "host.domain error:host.domain is unavailable". Too bad that the transport table triggers on destination domain only; it would be nice to bounce specific users as well. 19990427 Cleanup: "disable_dns_lookups = yes" now should disable all DNS lookups by the SMTP client. 19990428 Bugfix: with DBM files, Postfix was watching the "dir" file modification time for changes. It should be watching the "pag" file instead. 19990429 Cleanup: all callbacks in the master to server API now pass on the service name and the application-specific argument vector. Files: master/*server.c. 19990504 Feature: conditional macro expansion. ${name?text} expands to text when name is defined, otherwise the result is empty. ${name:text} expands to text when name is undefined, otherwise the result is empty. File: util/mac_expand.c. Feature: conditional macro expansion of the forward_path configuration parameters of $user, $home, $shell, $recipient, $extension, $domain, $mailbox and $recipient_delimiter. Files: local/dotforward.c, local/local_expand.c. 19990506 Cleanup: eliminated misleading warnings about unknown HELO etc. SMTPD restrictions when the HELO etc. information is not available. File: smtpd/smtpd_check.c. 19990507 Feature: all smtpd reject messages now contain the MAIL FROM and RCPT TO addresses, if available. 19990508 Feature: conditional macro expansion of the luser_relay configuration parameter. It is no longer possible to specify /file/name or "|command" destinations. File: local/unknown.c. Cleanup: changed the mac_parse interface so that the application callback routine can return status information. Updated the dict_regexp and dict_pcre modules accordingly. Cleanup: changed the mac_expand interface so that the caller provides an attribute lookup routine, instead of having to provide a copy of all attributes upfront. Files: util/mac_expand.c, local/local_expand.c. Feature: control over how address extensions are propagated to other addresses. By default, propagation of unmatched address extensions is now restricted to canonical and virtual mappings. Specify "propagate_unmatched_extensions = canonical, virtual, alias, forward, include" to restore previous behavior. 19990509 Feature: USER, EXTENSION, DOMAIN, RECIPIENT (entire address) and MAILBOX (address localpart) environment variables are exported to shell commands (including mailbox_command). Feature: new command_expansion_filter parameter to control what characters may appear in message attributes that are exported via environment variables. Cleanup: SMTPD reject messages are more informative, and more complete sender/recipient information is logged for the local sysadmin. 19990510 Bugfix: missing MIME header in postmaster bounce notices. Found by Samuel Tardieu, Ecole Nationale Superieure des Telecommunications, France. Feature: UCE restrictions are always delayed until RCPT TO, VRFY or ETRN. To change back to the default specify "smtpd_delay_reject = no" in /etc/postfix/main.cf. Bugfix: missing duplicate filter call. This caused too many deliveries when a user is listed multiple times in an alias. Reported by Hideyuki Suzuki, School of Engineering, University of Tokyo. Backed out on 19990512 because it caused problems. Fixed 19990513 but needs further study. Feature: it is now possible to move queue files back into the maildrop queue, so that they can benefit from changes in canonical and virtual mappings. In order to make this possible, some restrictions on queue file contents were relaxed. Files: pickup/pickup.c, cleanup/cleanup_extracted.c. Feature: made a start with integrating Joerg Henne's dictionary extensions to remove entries and to iterate over entries. That code is almost four months old by now. 19990511 Feature: added a "undeliverable postmaster notification discarded" warning when mail is dropped on the floor. Requested by Michael Hasenstein, SuSE, Germany. 19990517 Bugfix: reject_non_fqdn_sender/recipient would pass user@[ip_address] regardless of destination. Eric Cholet had the honor of suffering from this one. 19990527 More SMTP client logging for easier debugging: the smtp client now logs hostname[ip.addr], and logs every failed attempt to reach an MX host, not just the last one. 19990601 Bugfix: emit a blank line before a MIME boundary; the line is part of the boundary. File: bounce/bounce_notify_service.c. Wolfgang Segmuller, IBM Research. 19990610 Bugfix: the "is this the loopback interface" test was broken. Reported by Claus Fischer @microworld.com. File: smtp/smtp_connect.c. Usability: added helpful warnings about restrictions that are being ignored after check_relay_domains, etc. Portability: Reliant Unix support by Gert-Jan Looy, Siemens, the Netherlands. 19990611 Robustness: the postfix-script start-up procedure now detects a missing master program, avoiding misleading warnings that the mail system is already running. Fix suggested by David E. Smith @technopagan.org. Portability: Mac OS X Server Port by Mark Miller @swoon.net. Feature: on systems that use dotlock files for mailbox locking, the local delivery agent now will attempt to use dotlock files when delivering to user-specified files. Dotlock files for user-specified destinations are created with the privileges of the user. For backwards compatibility, Postfix will attempt to create dotlocks for user-specified destinations only when the user has parent directory write permission. Feature: specify "expand_owner_alias = yes" in order to use the right-hand side of an owner- alias, instead of using the left-hand side address. Needed by Juergen Georgi. 19990622 Bugfix: the local delivery agent did not set user attributes when delivering to root, so that forward_path did not expand properly. Found by Jozsef Kadlecsik, KFKI Research Institute for Particle and Nuclear Physics, Hungary. File: local/dotforward.c. Bugfix: the unix:passwd.byname mechanism is not suitable for smtpd access control - the user name would have to end in @, or the access control software would have to be changed. Removed the example from the RELEASE_NOTES file. 19990623 Bugfix: the smtp server did not reset the error flag after ".". Found by James Ponder, Oaktree Internet Solutions Ltd. File: smtpd/smtpd.c. Bugfix: fencepost error in the doze() routine (an usleep() replacement for systems without one). Found by Simon J Mudd. File: util/doze.c. 19990624 Portability: support for AIX 3.2.5 (!) by Florian Lohoff @rfc822.org. Portability: Ultrix 4.3 support by Christian von Roques @pond.sub.org. Feature: mysql support by Scott Cotton and Joshua Marcus, Internet Consultants Group, Inc. Files: util/dict_myqsl.*. 19990627 Bugfix: Postfix is now distributed under the new IBM Public License (version 1, dated June 14, 1999). Feature: the Delivered-To: header can be turned off for delivery to command or file/mailbox. The default setting is: "prepend_delivered_header = command, file, forward". Turning off the Delivered-To: header when forwarding mail is not recommended. 19990628 Feature: the postlock command now returns EX_TEMPFAIL when the destination file is locked by another process. 19990705 Workaround: in the SMTP client, move the "mail loops back to myself test" from the 220 greeting to the HELO response. This change does not weaken the test, and makes Postfix more robust against broken software that greets with the client hostname. 19990706 Workaround: in the INSTALL file, use `&&' instead of `;' in (cd path; tar ...) pipelines because some UNIX re-invented shells don't bail out when cd fails. Matthias Andree @dosis.uni-dortmund.de. 19990709 Bugfix: $user was not set when delivering to a non-user. Found by Vladimir Ulogov @ rohan.control.att.com when configuring a luser_relay that contained $user. 19990714 Robustness: add PATH statement to Solaris2 chroot setup script to avoid running the ucb commands. Problem found by Panagiotis Astithas @ ece.ntua.gr. 19990721 Bugfix: don't claim a "mail loops to myself" error when the best MX host was not found in the DNS. Found by Andrew McNamara, connect.com.au Pty Ltd. File: smtp/smtp_addr.c. 19990810 Feature: added "-c config_dir" support to the postconf command. This probably means that "-f file" will never be implemented. 19990812 Bugfix: showq didn't print properly when listing a maildrop file. Fix by: Andrew McNamara, connect.com.au Pty Ltd. File: showq/showq.c. Feature: added SENDER to the list of parameters exported to external commands. File: local/command.c. Code by: Lars Hecking, National Microelectronics Research Centre, Ireland. 19990813 Bugfix: sendmail -t (extract recipients from headers) did not work when the always_bcc feature was turned on. Reported by: Denis Shaposhnikov @ neva.vlink.ru. 19990813 Bugfix: "sendmail -bd" returns a bogus exit status (the child process ID). Fix by Lamont Jones of Hewlett-Packard. File: sendmail/sendmail.c. 19990824 Bugfix: null pointer dereference while rejecting VRFY before MAIL FROM. Found by Laurent Wacrenier @ fr.clara.net. 19990826 Portability: more MacOS X Server patches; some NEXTSTEP/OPENSTEP code that had been removed for the first public beta release; NEXTSTEP/OPENSTEP now defaults to netinfo for the aliases database. Submitted by Gerben Wierda. Portability: workaround for a FreeBSD 3.x active network interface without IP address by Pierre Beyssac @ enst.fr. File: inet_addr_local.c. 19990831 Workaround: sendmail now prints a warning when installed set-uid or when run by a set-uid command. Reportedly, the linuxconf software turns on the set-uid bit, which could open up a security loophole. File: sendmail/sendmail.c. Bugfix: Postfix daemons now temporarily lock DB/DBM files while opening them, in order to avoid "invalid argument" errors because some other process is changing the file. Files: util/dict_db.c, util/dict_dbm.c. Robustness: Postfix locks queue files during delivery, to prevent duplicate delivery when "postfix reload" is immediately followed by "sendmail -q". This involves a change of the deliver_request interface: delivery agents no longer need to open and close queue files explicitly. Files: global/deliver_request.c, pipe/pipe.c, smtp/smtp.c, local/local.c, qmgr/qmgr_active.c, qmgr/qmgr_message.c. Feature: reject_unauth_destination SMTP recipient restriction that rejects destinations not in $relay_domains. By Lamont Jones of Hewlett-Packard. File: smtpd/smtpd_check.c. Security: do not allow weird characters in the expansion of $names that appear in $forward_path. Just like with shell commands, replace bad characters in expansions by underscores. Configuration parameter: forward_expansion_filter. 19990902 Documentation: added a sample postfix alias to the examples in the INSTALL document and in the conf/aliases file. Reminded by Simon J. Mudd @ alltrading.com. 19990903 Bugfix: in case of some error conditions the pickup daemon could leak small amounts of memory. 19990905 Bugfix: no more "skipping further client input" warnings when a message header is rejected. Feature: reject_unauth_pipelining SMTP restriction that rejects mail from clients that improperly use SMTP command pipelining. Robustness: the LDAP client by default no longer looks up names containing "*". See the lookup_wildcards feature in LDAP_README. Update by John Hensley. Documentation: address masquerading with exceptions FAQ by Jim Seymour @ jimsun.LinxNet.com. Bugfix: mysql reconnect after disconnect by Scott Cotton Internet Consultants Group, Inc. File: util/dict_myqsl.c. Portability: the Postfix to PCRE interface now expects version 2.08. Postfix is no longer compatible with PCRE versions before 2.6. 19990906 Feature: INSTALL.sh script that makes Postfix installation a bit less painful. This script can be used for installing and for upgrading Postfix. It replaces files instead of overwriting them, and leaves existing configuration and queue files intact. 19990907 Bugfix: reject_non_fqdn_sender used the wrong test to see if a sender address was given and could dump core. This must have been broken ever since the UCE tests were moved to the RCPT TO stage in 19990510. Bugfix: check_sender_access was recognized as a valid restriction name only if a sender had been specified. 19990908 Portability: Unixware has only after sendmail is installed. Changed postlock.c to use global/sys_exits.h. 19990909 Performance: added one-entry cache to the address rewriting client and to the address resolving client. This is because UCE restrictions tend to produce the same query repeatedly. Files: global/rewrite_clnt.c, global/resolve_clnt.c. Feature: the UCE restrictions are now fully recursive so you can have per-client/helo/sender/recipient restrictions. Instead of OK, REJECT or [45]xx, you can specify a sequence of restrictions on the right-hand side of an SMTPD access table. This means you can no longer use canonical/virtual/alias maps as SMTPD access tables. But the loss is compensated for. File: smtpd/smtpd_access.c. Feature: restriction classes, essentially a short-hand for restriction lists. These short hands are useful mostly on the right-hand side of SMTPD access tables. You must use restriction classes in order to have lookup tables on the right-hand side of an SMTPD access table. File: smtpd/smtpd_access.c. Feature: "permit_recipient_map maptype:mapname" permits a recipient address when it matches the specified table. Lookups are done just as with canonical/virtual maps. With this, you can also use passwd/aliases as SMTPD access maps. File: smtpd/smtpd_access.c. 19990910 Changed "permit_address_map" into "permit_recipient_map" and added a test for the case that they specify a lookup table on the right-hand side of an SMTPD access map. File: smtpd/smtpd_access.c. Cleanup: removed spurious sender address checks for <>. File: smtpd/smtpd_check.c. Cleanup: the smtp client now consistently logs host[address] for all connection attempts. 19990919 Feature: in an SMTPD access map, an all-numeric right-hand side now means OK, for better cooperation with out-of-band authentication mechanisms. 19990922 Security: recipient addresses must not start with '-', in order to protect external commands. The old behavior is re-instated when main.cf specifies: "allow_min_user = yes". Credits to Mads Kiilerich @ Kiilerich.com. File: qmgr/qmgr_message.c. Bugfix: after 19990831, the queue manager would throw away defer logs after deferring mail to known-to-be-dead hosts or message transports. This means that in some cases, mailq would not show why mail is delayed, and that delayed mail could be sent back with recipients missing from the error report. Reported by Giulio Orsero @ tiscalinet.it. 19990923 Bugfix: the above bugfix broke bounces of mail with bad address syntax and relocated users. Problem diagnosed by Dick Porter @ acm.org. Documentation: added DO NOT EDIT THIS FILE. EDIT MAIN.CF INSTEAD notices to the sample-xxx.cf files. 19991007 Compatibility: ignore the sendmail -U (initial user submission) option. Thomas Quinot @ cuivre.fr.eu.org. 19991103 Code cleanup: don't send postmaster notifications when an SMTP client sends a DATA command while no recipients were accepted. This can happen when a pipelined client runs into an UCE block. File: smtpd/smtpd.c. 19991104 Robustness: do not apply UCE header checks to mail that is generated by Postfix (bounces, forwarded mail etc.). Files: smtpd/smtpd.c, pickup/pickup.c, cleanup/cleanup_message.c. Robustness: new generic watchdog module that can deal with clocks that jump occasionally. Files: util/watchdog.c, master/master.c, master/{single,multi,trigger}_server.c. This hopefully ends the false watchdog alarms that happen when clocks are set or when laptops are resumed. Code cleanup: BSMTP requires dot quoting as per RFC 821. Based on code by Florian Lohoff @ rfc822.org. Files: global/mail_copy.[hc], pipe/pipe.c. 19991105 Bugfix: the crufty code in inet_addr_local() did not find IP aliases. File: util/inet_addr_local.c. Portability: the INSTALL.sh utility did not find users or groups in NIS or Netinfo tables. The script no longer searches the /etc/passwd and /etc/group files. Instead it now queries the unix:passwd.byname and unix:group.byname maps. For this, a -q (query) option was added to postmap (and to postalias, for symmetry). Files: util/dict_unix.c, postalias/postalias.c, postmap/postmap.c, INSTALL.sh. Bugfix: LDAP lookup timeout settings were ignored. Patch by John Hensley. File: util/dict_ldap.c. 19991108 Bugfix: when doing a fresh install, INSTALL.sh didn't set main.cf:mail_owner properly (Simon J. Mudd). 19991109 Bugfix: when doing a fresh install, INSTALL.sh no longer worked (missing main.cf file). Fix: add "-c" argument to the postmap commands (Lars Hecking @ nmrc.ucc.ie). Documentation: removed spurious "do not edit" comments from the sample pcre and regexp configuration files. 19991110-13 Code cleanup: greatly simplified the SMTPD command parser and somewhat simplified the code that groks RFC 822-style address syntax in MAIL FROM and RCPT TO commands. New parameter: strict_rfc821_envelopes (default: no) to reject RFC 822 address forms (with comments etc.) in SMTP envelopes. By default, the Postfix SMTP server only logs a warning. 19991113 Oops, also updated the SMTP VRFY code in the light of changes to the SMTPD command parser. Cleanup: the local delivery agent now explicitly rejects recipients with an empty username. 19991114 Workaround: with some gawk versions, postconf/extract.awk reportedly returns a non-zero exit status upon success. Added an explicit exit(0) statement. 19991115 Feature: DNS TXT record lookup support, based on initial code by Simon J Mudd. File: dns/dns_lookup.c. Feature: RBL TXT record lookups, based on initial code by Simon J Mudd. File: smtpd/smtpd_check.c. Feature: permit_auth_destination restriction based on code by Jesper Skriver @ skriver.dk. Code cleanup: the transport table now can override all deliveries, including local ones. 19991116 Code cleanup: a new "local_transports" configuration parameter explicitly lists all transports that deliver mail locally. The first name listed there is the default local transport. This is the end of the "empty next-hop hostname" hack to indicate that a destination is local. Files: trivial-rewrite/resolve.c, global/local_transport.[hc] Feature: "postconf -m" shows what lookup table types are available. Code by Scott Cotton, Internet Consultants Group, Inc. Feature: "postconf -e" edits any number of main.cf parameters. The edit is done on a copy, and the copy is renamed into the place of the original. File: postconf/postconf.c, util/readlline.[hc]. 19991117 Portability: SunOS 4 has no SA_RESTART. File: util/watchdog.c. Feature: on systems with h_errno, the "reject_unknown_client" restriction now distinguishes between soft errors (always reply with 450) and hard errors (use the user-specified reply code). This should lessen the load by broken mailers that re-connect once a minute. Feature: forward/reverse name/address check for SMTP client hostnames. This fends off some hypothetical attacks by spammers who are in control of their own reverse mapping. Robustness: postconf no longer aborts when it can't figure out the local domain name; it prints a warning instead. This allows you to use "postconf -e" to fix the problem. 19991118 Bugfix: the RFC822 address parser would misparse a leading \ as an atom all by itself. Problem reported by Keith Stevenson @ louisville.edu. File: global/tok822_parse.c. 19991119 Bugfix: tiny memory leak in pipe_command() when fork() fails. File: global/pipe_command.c. 19991120 Bugfix: reversed test for all-numerical results in SMTPD access maps. File: smtpd/smtpd_check.c. 19991121 Robustness: INSTALL.sh no longer uses postmap for sanity checks. Feature: INSTALL.sh now has an install_root option. Bugfix: INSTALL.sh now installs manual pages with proper permissions and ownership. Bugfix: the LDAP client did not properly escape special characters in lookup keys (patch by John Hensley). File: util/dict_ldap.c. 19991122 Bugfix: missing absolute path in INSTALL.sh broke fresh install. 19991124 Bugfix: the local delivery agent's recipient duplicate filter did not work when configured to use unlimited memory (which is not a recommended setting). Patrik Rak @raxoft.cz. 19991125 Bugfix: postconf didn't have an umask(022) call at the beginning (problem experienced by Matthias Andree). 19991126 Bugfix: DNS TXT records now have string lengths before text (Mark Martinec @ nsc.ijs.si). 19991127 Update: the LDAP client code now supports escapes as per RFC2254 (John Hensley). 19991207 Performance: one message with many recipients no longer stops other mail from being delivered. The queue manager now frees in-memory recipients as soon as a message is delivered to one destination, rather than waiting until all in-memory destinations of that message have been tried. Patch by Patrik Rak @ raxoft.cz. Files: qmgr/qmgr_entry.c, qmgr/qmgr_message.c. Performance: when delivering mail to a huge list of recipients, the queue manager now reads more recipients from the queue file before delivery concurrency drops too low. Files: qmgr/qmgr_entry.c, qmgr/qmgr_message.c. 19991208 Updated LDAP client code by John Hensley with escape sequences as per RFC 2254. File: util/dict_ldap.c. Updated MYSQL client code by Scott Cotton. File: dict_mysql.c. Feature: added -N/-n options to include/exclude terminating nulls in keys and values in postmap/postalias DB or DBM files. Normally, Postfix uses whatever is appropriate for the host system. A non-default setting can be necessary for inter-operability with third-party software. Bugfix: the local delivery agent would deliver to the user instead of the .forward file when the .forward file was already visited via some non-recursive path. Patch by Patrik Rak @ raxoft.cz. Files: global/been_here.c, local/dotforward.c. Robustness: attempt to deliver all addresses in the expansion of an alias or .forward file, even when some addresses must be deferred. File: local/token.c. 19991211 Performance: qmgr_fudge_factor controls what percentage of delivery resources Postfix will devote to one message. With 100%, delivery of one message does not begin before delivery of the previous message is completed. This is good for list performance, bad for one-to-one mail. With 10%, response time for one-to-one mail improves much, but list performance suffers. In the worst case, people near the start of a mailing list get a burst of postings today, while people near the end of the list get that same burst of postings a whole day later. Files: qmgr/qmgr_message.c, qmgr/qmgr_entry.c. Bugfix: address rewriting would panic on a lone \ at the end of a line where an address was expected. Jason Hoos @ thwack.net. File: global/rewrite_clnt.c. 19991215 Bugfix: the strict RFC821 envelope address check should not be applied to VRFY commands. File: smtpd/smtpd.c. Cleanup: permit_recipient_maps is gone, because that could only be used inside UCE restrictions. 19991216 Feature: allow an empty inet_interfaces parameter, just like an empty mydestination parameter. It's needed for true null clients and for firewalls that deliver no local mail. Feature: "disable_vrfy_command = yes" disables some forms of address harvesting used by spammers. Workaround: added the alias map parameter definition to the smtpd code. This is a symptom of a general problem with parameters that have non-empty default values: unless a program explicitly defines such a parameter, the parameter defaults to the empty string when used in other parameters. There's also a problem with evaluation order. Feature: the SMTP server rejects mail for unknown users in virtual domains that are defined by Postfix virtual domain files. File: smtpd/smtpd_check.c. Feature: reject mail for unknown local users at the SMTP port. The local_recipient_maps configuration parameter specifies maps with all addresses that are local with respect to $mydestination or $inet_interfaces. Example: "local_recipient_maps = $alias_maps unix:passwd.byname". This feature is disabled by default. You may have to copy the passwd file into the chroot jail. File: smtpd/smtpd_check.c. Feature: the sendmail -f option now understands '' and even understands address forms with RFC 822-style comments. 19991217 Cleanup: no more UCE checks for VRFY commands. It still reports unknown local/virtual users. File: smtpd/smtpd_check.c. Robustness: upon Postfix startup, report discrepancies between system files inside and outside the chroot jail. Files: conf/postfix-script-nosgid, conf/postfix-script-sgid. 19991218 Cleanup: INSTALL.sh produces relative symlinks, which is necessary when install_root is not /. 19991219 Documentation: completely reorganized the FAQ and added many new entries. Rewrote the UCE html documentation. Cleanup: INSTALL.sh uses a configurable directory for scratch files, so that it can install from a file system that is not writable by the super-user. Cleanup: INSTALL.sh gives helpful hints when the "mv" command is unable to move symlinks across file system boundaries. 19991220 Cleanup: it is no longer necessary to list $virtual_maps as part of the relay_domains definition. The SMTP server now by default accepts mail for destinations that match $inet_interfaces, $mydestination or $virtual_maps, whether or not these are specified in relay_domains. We still need the ugly "virtual.domain whatever" hack in the virtual maps. Files: smtpd/smtpd_check.c and lots of documentation and sample config files. 19991221 Removed cyrus -q flag (ignore quotas) from the sample master.cf file. 19991223 Bugfix: smtpd should not check for unknown users when running in stand-alone (sendmail -bs) mode. Problem experienced by Chuck Mead. File: smtpd/smtpd.c. Retraction: the "local_transports" configuration parameter is gone. Adjusted code and documentation accordingly. Instead, use just one "local_transport" parameter with the name of the default local transport. Files: smtpd/smtpd_check.c, qmgr/qmgr_message.c, trivial-rewrite/ resolve.c, local/resolve.c. Feature: Postfix SMTPD now insists that the smtpd recipient restrictions contain at least one restriction that by default rejects mail. This should make it much more difficult to change Postfix into an open relay. File: smtpd/smtpd_check.c. Retraction: null-length inet_interfaces is too confusing. 19991224 Bugfix: the relative symlink code in INSTALL.sh computed the ../ prefix from the wrong pathname. 1999122[5-7] Feature: "allow_untrusted_routing = no" (default) prevents forwarding of source-routed mail from untrusted clients to destinations that are blessed by the relay_domains parameter (example: user@domain2@domain1 etc.). This plugs a mail relay loophole where a backup MX host forwards junk mail to a primary MX host which forwards the junk to the Internet. Files: global/quote_822_local.c, smtp/quote_821_local.c, trivial-rewrite/rewrite.c, trivial-rewrite/resolve.c, smtp/smtpd_check.c. In order to make this possible, the Postfix resolver data structure and protocol has changed, so that all resolver clients need to be re-compiled. Side effect from the above change: from now on, an address with @ in the recipient localpart no longer bounces with "user unknown" but instead is rejected with "relay access denied" or "source-routed relay access denied". 19991227 Workaround: the BSD/OS "mkdir -p" and "cmp -s" commands misbehave on boundary cases: directory exists or file does not exist. Those who re-invent... 19991229 Added the no source routing info requirement to addresses accepted by the permit_mx_backup UCE restriction. 19991230 Added a spawn daemon (not compiled and installed by default) to enable LMTP delivery over UNIX-domain sockets. The goal is to simplify the experimental LMTP delivery agent by ripping out the privileged code that forks the LMTP server. 20000102 Clarified documentation after early feedback on the 19991231 release by Drew Derbyshire, Ollivier Robert, Khetan Gajjar. Sanity check: a common error is to list Postfix virtual domains in the mydestination parameter. This causes the new optional local_recipient_maps feature to reject mail for virtual users. The SMTP server now explicitly tests for this common error and logs a warning instead of refusing the mail. File: smtpd/smtpd_check.c. 20000104 Bugfix: a case sensitivity bug had slipped through in the anti-relaying code, causing mail for USER@VIRTUAL.DOMAIN to be rejected with "relay access denied". This was found by Jim Maenpaa @ jmm.com. Portability: Ultrix patch from Simon Burge @ thistledown.com.au. Portability: Siemens Pyramid (dcosx) patch by Thomas D. Knox @ vushta.com. 20000105 Cleanup: the INSTALL.sh script now updates the sample files in /etc/postfix even when main.cf exists. 20000106 Bugfix: the SMTP server should consult the relocated map for virtual destinations (Denis Shaposhnikov). Files: smtpd/smtpd.c smtpd/smtpd_check.c. 20000108 Workaround: rename() over NFS can fail with ENOENT even when the operation succeeds (Graham Orndorff @ WebTV). This is not news. Any non-idempotent operation can fail over NFS when the NFS server's acknowledgement is lost and the NFS client code retries the operation (other examples are: create, symlink, link, unlink, mkdir, rmdir). Postfix has workarounds for the cases where this is most likely to cause trouble. Files: util/sane_{rename,link}.[hc]. If you want reliable mail system, do not use NFS. 20000115 Workaround: better detection of bad hardware. Added SIGBUS to the list of signals that the master will log before exiting. 20000122 Portability: preliminary SCO5 port Christopher Wong @ csports.com. This still needs to a workaround for "find" not supporting "-type s" (actually, UNIX-domain sockets have no unique representation in the file system and show up as FIFOs). 20000115-22 Bugfix: in case of a too long message header, don't extract recipients from message headers. With the previous behavior, Bcc information could be left in the message body, as one person found out the hard way. Files: cleanup/cleanup.c, cleanup/cleanup_extracted.c, global/cleanup_user.h. 20000124 Whatever: RFC 1869 amends RFC 821 and specifies that code 555 is to be used when a MAIL FROM or RCPT TO parameter is not implemented or not recognized. Russ Allbery @stanford.edu. This reply code is added to the list of reply codes that cause the Postfix SMTP client to mail a transcript to the postmaster. File: smtp/smtp_trouble.c. 20000126 Emergency feature: qmgr_site_hog_factor (default: 90 percent) limits the amount of resources that Postfix devotes to a single destination. With less than 100, Postfix defers the excess mail so that one site with a large backlog does not block other deliveries. Files: qmgr/qmgr.c, qmgr/qmgr_message.c. 20000129 Bugfix: extracted recipients were misfiled when a message was moved back to the maildrop queue. But they still worked due to a coincidence. 20000130 Bugfix: the too long header fix of 20000115-22 lost mail with too long headers that didn't need to extract recipients from message headers. Bugfix: the too long header fix of 20000115-22 lost mail without (blank line + message body). 20000214 Bugfix: postconf reported some parameters more than once because the parameter extracting script didn't recognize lines that differ in whitespace only. File: postconf/extract.awk. Reported by Kenn Martin. 20000221 Logging: the SMTP client now logs log host+port when it is unable to connect to a non-MX host, just like it logs host+port when unable to connect to an MX host. 20000226 Bugfix: the SMTP server's "User unknown" test didn't notice LDAP etc. dictionary access errors. The code now reports a 450 status (try again instead of bounce) if the reply is not definitive. File: smtp/smtpd_check.c. 20000308 Bugfix: the SMTP server would produce a cryptic message when a queue file write error happened before it had written any recipients. Keith Stevenson. File: smtpd/smtpd.c. 20000311 Portability: HP-UX awk can't handle bare { in regexps (Lamont Jones. HP). File: postconf/extract.awk. Compatibility: sendmail now recognizes '.' as end of input. File: sendmail/sendmail.c. 20000313 Compatibility: dtcm (CDE desktop calendar manager) leaks a file descriptor into its child process, and requires that sendmail closes the descriptor, otherwise mail notification will hang. These GUI programmers never figured out that the child process must close the writing end of a pipe. File: sendmail/sendmail.c. 20000326 Bugfix: settings in one mysql configuration file would act as the implicit defaults for the next one, which could be confusing. Patch by Scott Cotton. File: util/dict_mysql.c. Robustness: limit the number of "junk" commands that can be issued in an SMTP session (ex.: NOOP, VRFY, ETRN, RSET). Problem report by Michael Ju. Tokarev @ tls.msk.ru. Files: global/mail_params.h, smtpd/smtpd.c. 20000413 Bugfix: RFC 822 requires the presence of at least one destination message header. The cleanup daemon now generates a generic "To: undisclosed-recipients:;" message header when no destination header is present. The header content is specified with the undisclosed_recipients_header parameter. Problem pointed out by Geoff Gibbs, UK-Human Genome Mapping Project-Resource Centre. 20000416 Workaround: allow <(comment)> as SMTP MAIL FROM address. 20000423 Bugfix: mail_copy() could prepend > or . in the middle of long lines. Found by code inspection. 20000505 Bugfix: the SMTP server now flushes unwritten output before tarpit delays, to avoid protocol timeouts in pipelined sessions when a client causes lots of errors. Found by Lamont Jones, HP. File: smtpd/smtpd_chat.c. 20000510 Bugfix: configuration parameters for one mysql dictionary would become default settings for the next one. File: dict_mysql.c. This patch was merged into Postfix a while back but apparently that Postfix version was nuked when other parts were redesigned. Update by Scott Cotton. Bugfix: some Postfix delivery agents would abort on addresses of the form `stuff@.' which could be generated only locally. Found by Patrik Rak. File: trivial-rewrite/resolve.c. 20000511 Bugfix: Postfix would incorrectly reject domain names with adjacent - characters. File: util/valid_hostname.c. 20000520 Robustness: upon receipt of mail, map the mailer-daemon sender address back into the magic null string. File: cleanup/cleanup_envelope.c. 20000524 Bugfix: the code for masquerade_exceptions was case sensitive. Reported by Eduard Vopicka. File: cleanup/cleanup_masquerade.c. 20000528 Feature: specify "body_checks=regexp:/file/name" for a very crude one line at a time message body content filter. This feature uses the same filtering syntax as the header_checks feature. File: cleanup/cleanup_message.c. See also the conf/sample-filter.cf file.