Major changes with postfix-19991231-pl08: ========================================= Specify "body_checks = regexp:/etc/postfix/body_checks" for a quick and dirty emergency content filter that looks at non-header lines one line at a time (including MIME headers inside the message body). Details in conf/sample-filter.cf. Incompatible changes with postfix-19991231-pl07: ================================================ As required by RFC 822, Postfix now inserts a generic destination message header when no destination header is present. The text is specified via the undisclosed_recipients_header configuration parameter (default: "To: undisclosed-recipients:;"). Incompatible changes with postfix-19991231-pl06: ================================================ The Postfix sendmail command now treats a line with only `.' as the end of input, for the sake of sendmail compatibility. To disable this feature, specify the sendmail-compatible `-i' or `-oi' flags on the sendmail command line. Incompatible changes with postfix-19991231: =========================================== - The SMTP server no longer forwards mail from untrusted clients with sender-specified routing (stuff[@%!]stuff[@%!]stuff) through destinations that are authorized by the relay_domains parameter. This closes a loophole that exploits trust relationships between hosts. Example: a trusted backup MX host forwards junk mail to a primary MX host which forwards the junk to the Internet. Specify "allow_untrusted_routing = yes" to restore the old behavior. - The SMTP server no longer forwards mail with sender-specified routing (stuff[@%!]stuff[@%!]stuff) through destinations that are authorized by the permit_mx_backup feature. This change is under control by the allow_untrusted_routing parameter discussed above. - In order to support the above, the data structure and protocol of the trivial-rewrite service was changed. This means you must re-compile and re-link existing software that uses the Postfix resolve_clnt interface. - As a side effect of the above, an address from an untrusted client with @ in the localpart (user@remote@here) no longer bounces with "user unknown" but instead is rejected with "relay access denied". - Incompatible SMTPD access map changes: An all-numeric right-hand side now means OK. This is for better cooperation with out-of-band authentication mechanisms such as POP before SMTP etc. An empty right-hand sides still mean OK, but Postfix will log a warning in order to discourage such usage. You can no longer use virtual, canonical or aliases tables as SMTPD access maps. Use the local_recipient_maps feature instead. - Recipient addresses may no longer begin with `-'. In order to get the old behavior, specify "allow_min_user = yes" in main.cf. - Incompatible transport map changes: Transport map entries override mydestination. If you use transport maps, it is better to always have explicit entries for all domain names you have in $mydestination. See the html/faq.html sections for firewalls and intranets. The nexthop information given to a local delivery agent may have changed. This information was never intended to be used as a next-hop destination. Major changes with postfix-19991231: ==================================== - It is now much more difficult to configure Postfix as an open relay. The SMTP server requires that "smtpd_recipient_restrictions" contains at least one restriction that by default refuses mail (as is the default). There were too many accidents with changes to the UCE restrictions. - The relay_domains parameter no longer needs to contain $virtual_maps. - Overhauled FAQ (html/faq.html) with many more examples. - Updated UCE documentation (html/uce.html) with more examples. More UCE configuration examples in sample configuration files. - Several little improvements to the installation procedure: relative symlinks, configurable directory for scratch files so the installation can be done without write access to the build tree. - Updated LDAP client code (John Hensley). - Updated mysql client code (Scott Cotton). - The SMTP server now rejects mail for unknown users in virtual domains that are defined by Postfix virtual maps. - The SMTP server can reject mail for unknown local users. Specify "local_recipient_maps = $alias_maps, unix:passwd.byname" if your local mail is delivered by a UNIX-style local delivery agent. See example in conf/main.cf. - Use "disable_vrfy_command = yes" to disable the SMTP VRFY command. This prevents some forms of address harvesting. - The sendmail "-f" option now understands and even understands forms with RFC 822-style comments. - New "qmgr_fudge_factor" parameter allows you to balance mailing list performance against response time for one-to-one mail. The fudge factor controls what percentage of delivery resources Postfix will devote to one message. With 100%, delivery of one message does not begin before delivery of the previous message is completed. This is good for list performance, bad for one-to-one mail. With 10%, response time for one-to-one mail improves much, but list performance suffers: in the worst case, people near the start of a mailing list get a burst of postings today, while people near the end of the list get that same burst of postings a whole day later. - It is now relatively safe to configure 550 status codes for the main.cf unknown_address_reject_code or unknown_client_reject_code parameters. The SMTP server now always sends a 450 (try again) reply code when an UCE restriction fails due to a soft DNS error, regardless of what main.cf specifies. - The RBL checks now show the content of TXT records (Simon J Mudd). - The Postfix SMTP server now understands a wider range of illegal address forms in MAIL FROM and RCPT TO commands. In order to disable illegal forms, specify "strict_rfc821_envelopes = yes". This also disables support for MAIL FROM and RCPT TO addresses without <>. - Per-client/helo/sender/recipient UCE restrictions (fully-recursive UCE restriction parser). See the RESTRICTION_CLASS file for details. - Use "postmap -q key" or "postalias -q key" for testing Postfix lookup tables or alias files. - Use "postconf -e name=value..." to edit the main.cf file. This is easier and safer than editing the main.cf file by hand. The edits are done on a temporary copy that is renamed into place. - Use "postconf -m" to display all supported lookup table types (Scott Cotton). - New "permit_auth_destination" UCE restriction for finer-grained access control (Jesper Skriver). Incompatible changes with postfix-19990906 ========================================== - On systems that use user.lock files to protect system mailboxes against simultaneous updates, Postfix now uses /file/name.lock files while delivering to files specified in aliases/forward/include files. This is a no-op when the recipient lacks directory write permission. - The LDAP client code no longer looks up a name containing "*" because it could be abused. See the LDAP_README file for how to restore previous behavior. - The Postfix to PCRE interface now expects PCRE version 2.08. Postfix is no longer compatible with PCRE versions prior to 2.06. Major changes with postfix-19990906 =================================== Several bugfixes, none related to security. See the HISTORY file for a complete list of changes. - Postfix is now distributed under IBM Public License Version 1.0 which does not carry the controversial termination clause. The new license does have a requirement that contributors make source code available. - INSTALL.sh install/upgrade procedure that replaces existing programs and shell scripts instead of overwriting them, and that leaves existing queue files and configuration files alone. - The ugly Delivered-To: header can now be turned off selectively. The default setting is: "prepend_delivered_header = command, file, forward". Turning off the Delivered-To: header when forwarding mail is not recommended. - mysql client support by Scott Cotton and Joshua Marcus, Internet Consultants Group, Inc. See the file MYSQL_README for instructions. - reject_unauth_destination SMTP recipient restriction that rejects destinations not in $relay_domains. Unlike the check_relay_domains restriction, reject_unauth_destination ignores the client hostname. By Lamont Jones of Hewlett-Packard. - reject_unauth_pipelining SMTP *anything* restriction to stop mail from spammers that improperly use SMTP command pipelining to speed up their deliveries. - Postfix "sendmail" now issues a warning and drops privileges if installed set-uid root. - No more duplicate delivery when "postfix reload" is immediately followed by "sendmail -q". - No more "invalid argument" errors when a Postfix daemon opens a DB/DBM file while some other process is changing the file. - Portability to the Mac OS X Server, Reliant Unix, AIX 3.2.5 and Ultrix 4.3. Incompatible changes with postfix-19990601: =========================================== - The SMTP server now delays all UCE restrictions until the RCPT TO, VRFY or ETRN command. This makes the restrictions more useful, because many SMTP clients do not expect negative responses earlier in the protocol. In order to restore the old behavior, specify "smtpd_delay_reject = no" in /etc/postfix/main.cf. - The Postfix local delivery agent no longer automatically propagates address extensions to aliases/include/forward addresses. Specify "propagate_unmatched_extensions = canonical, virtual, alias, forward, include" to restore the old behavior. - The Postfix local delivery agent no longer does $name expansion on words found in the mailbox_command configuration parameter. This makes it easier to specify shell syntax. See conf/main.cf. - The luser_relay syntax has changed. You can specify one address; it is subjected to $user, etc. expansions. See conf/main.cf. - File system reorganization: daemon executables are now in the libexec subdirectory, command executables in the bin subdirectory. The INSTALL instructions now recommend installing daemons and commands into separate directories. Major changes with postfix-19990601: ===================================== - New USER, EXTENSION, LOCAL, DOMAIN and RECIPIENT environment variables for delivery to command (including mailbox_command) by the local delivery agent. As you might expect, the information is censored. The list of acceptable characters is specified with the command_expansion_filter configuration parameter. Unacceptable characters are replaced by underscores. See html/local.8.html. - Specify "forward_path = /var/forward/$user" to avoid looking up .forward files in user home directories. The default value is $home/.forward$recipient_delimiter$extension, $home/.forward. Initial code by Philip A. Prindeville, Mirapoint, Inc., USA. - Conditional $name expansion in forward_path and luser_relay. Available names are: $user (bare user name) $shell (user login shell), $home (user home directory), $local (everything to the left of @), $extension (optional address extension), $domain (everything to the right of @), $recipient (the complete address) and $recipient_delimiter. A simple $name expands as usual. ${name?value} expands to value when $name is defined. ${name:value} expands to value when $name is not defined. With ${name?value} and ${name:value}, the value is subject to another iteration of $name expansion. - POSIX regular expression support, enabled by default on 4.4BSD, LINUX, HP-UX, and Solaris 2.5 and later. See conf/sample-regexp.cf. Initial code by Lamont Jones, Hewlett-Packard, borrowing heavily from the PCRE implementation by Andrew McNamara, connect.com.au Pty. Ltd., Australia. - Regular expression checks for message headers. This requires support for POSIX or for PCRE regular expressions. Specify "header_checks = regexp:/file/name" or "header_checks = pcre:/file/name", and specify "/^header-name: badstuff/ REJECT" in the pattern file (patterns are case-insensitive by default). Code by Lamont Jones, Hewlett-Packard. It is to be expected that full content filtering will be delegated to an external command. - Regular expression support for all lookup tables, including access control (full mail addresses only), address rewriting (canonical/virtual, full mail addresses only) and transport tables (full domain names only). However, regular expressions are not allowed for aliases, because that would open up security exposures. - Automatic detection of changes to DB or DBM lookup tables. This eliminates the need to run "postfix reload" after each change to the SMTP access table, or to the canonical, virtual, transport or aliases tables. - New error mailer. Specify ".domain.name error:domain is undeliverable" in the transport table to bounce mail for entire domains. - No more Postfix lockups on Solaris (knock on wood). The code no longer uses Solaris UNIX-domain sockets, because they are still broken, even with Solaris 7. - Workaround for the Solaris mailtool, which keeps an exclusive kernel lock on the mailbox while its window is not iconified (specify "sun_mailtool_compatibility = yes" in main.cf). - Questionable workaround for Solaris, which reportedly loses long-lived exclusive locks that are held by the master daemon. - New reject_unknown_{sender,recipient}_domain restrictions for sender and recipient mail addresses that distinguish between soft errors (always 450) and hard errors (unknown_address_reject_code, default 450). - MIME-encapsulated bounce messages, making it easier to recover bounced mail. Initial implementation by Philip A. Prindeville, Mirapoint, Inc., USA. Support for RFC 1892 (multipart/report) and RFC 1894 (DSN) will have to wait until Postfix internals have been revised to support RFC 1893. - Separately configurable "postmaster" addresses for single bounces (bounce_notice_recipient), double bounces (2bounce_notice_recipient), delayed mail (delay_notice_recipient), and for mailer error reports (error_notice_recipient). See conf/main.cf. - Questionable feature: specify "best_mx_transport = local" if this machine is the best MX host for domains not in mydestinations. Incompatible changes with postfix-19990317: =========================================== - You MUST install the new version of /etc/postfix/postfix-script. - The pipe mailer "flags" syntax has changed. You now explicitly MUST specify the R flag in order to generate a Return-Path: message header (as needed by, for example, cyrus). Major changes with postfix-19990317: ==================================== A detailed record of changes is given in the HISTORY file. - Less postmaster mail. Undeliverable bounce messages (double bounces) are now discarded. Specify "notify_classes = 2bounce..." to get copies of double bounces. Specify "notify_classes = bounce..." to get copies of normal and double bounces. - Improved LDAP client code by John Hensley of Merit Network, USA. See LDAP_README for details. - Perl-compatible regular expression support for lookup maps by Andrew McNamara, connect.com.au Pty. Ltd., Australia.. Example: "check_recipient_access pcre:/etc/postfix/sample-pcre.cf". Regular expressions provide a powerful tool not only for SMTP access control but also for address rewriting. See PCRE_README for details. - Automatic notification of delayed mail (disabled by default). With "delay_warning_time = 4", Postfix informs senders when mail has not been delivered after 4 hours. Initial version of the code by Daniel Eisenbud, University of California at Berkeley. In order to get postmaster copies of such warnings, specify "notify_classes = delay...". - More configurable local delivery: "mail_spool_directory" to specify the UNIX mail spool directory; "mailbox_transport" to delegate all mailbox delivery to, for example, cyrus, and "fallback_transport" to delegate delivery of only non-UNIX users. And all this without losing local aliases and local .forward processing. See config/main.cf and config/master.cf. - Several changes to improve Postfix behavior under worst-case conditions (frequent Postfix restarts/reloads combined with lots if inbound mail, intermittent connectivity problems, SMTP servers that become comatose after receiving QUIT). - More NFS-friendly mailbox delivery. The local delivery agent now avoids using root privileges where possible. - For sites that do not receive mail at all, mydestination can now be an empty string. Be sure to set up a transport table entry to prevent mail from looping. - New "postsuper" utility to clean up stale files from Postfix queues. - Workaround for BSD select() collisions that cause performance problems on large BSD systems. - Several questionable but useful features to capture mail: "always_bcc = address" to capture a copy of every message that enters the system, and "luser_relay = address" to capture mail for unknown recipients (does not work when mailbox_transport or fallback_transport are being used). - Junk mail controls: new reject_non_fqdn_{hostname,sender,recipient} restrictions to reject non-FQDN arguments in HELO, MAIL FROM and RCPT TO commands, and stricter checking of numeric HELO arguments. - "fallback_relay" feature for sites that use DNS but that can't talk to the entire world. The fall-back relay gets the mail when a destination is not found in the DNS or when the destination is found but not reachable. - Several questionable controls that can help to keep mail going: specify "smtp_skip_4xx_greeting = yes" to skip SMTP servers that greet with 4XX, "ignore_mx_lookup_error = yes" to look up an A record when a DNS server does not respond to an MX query. Incompatible changes with postfix-beta-19990122-pl01: ===================================================== None. Major changes with postfix-beta-19990122-pl01: ============================================== - Restrict who may use ETRN and what domains may be specified. Example: "smtpd_etrn_restrictions = permit_mynetworks, reject". - BIFF notifications. For compatibility reasons this feature is on by default. Specify "biff = no" in main.cf if your machine has lots of shell users. - With "soft_bounce = yes", defer delivery instead of bouncing mail. This is a safety net for configuration errors with delivery agents. It has no effect on errors in virtual maps, canonical maps, or in junk mail restrictions. - Specify "owner_request_special = no" to turn off special treatment of owner-foo and foo-request addresses. Incompatible changes with postfix-beta-19990122: ================================================ - The syntax of the transport table has changed. An entry like: customer.org smtp:[gateway.customer.org] no longer forwards mail for anything.customer.org. For that you need to specify: customer.org smtp:[gateway.customer.org] .customer.org smtp:[gateway.customer.org] This change makes tranport tables more compatible with sendmail mailer tables. - The format of syslog records has changed. A client is now always logged as hostname[address]; the pickup daemon logs queue file uid and sender address. Major changes with postfix-beta-19990122: ========================================= - Junk mail restrictions can now be postoned to the RCPT TO command. Specify: "smtpd_recipient_restrictions = reject_maps_rbl...". - More flexible interface for delivery to e.g., cyrus IMAP without need for PERL scripts to munge recipient addresses. In addition to $sender, $nexthop and $recipient, the pipe mailer now also supports $user, $extension and $mailbox. - New mail now has precedence over deferred mail, plus some other tweaks to make bulk mail go faster. But it ain't no cure for massive network outages. - Watchdog timer for systems that cause the Postfix queue manager to lock up, so it recovers without human intervention. - Delivery to qmail-style maildir files, which is good for NFS environments. Specify "home_mailbox = Maildir/", or specify /file/name/ in aliases or in .forward files. The trailing / is required to turn on maildir delivery. - Incremental updates of aliases and maps. Specify "postmap -i mapname" and it will read new entries from stdin. - Newaliases will now update more than one alias database. Specify the names with the main.cf "alias_database" parameter. - Address masquerading exceptions to prevent users from being masqueraded. Specify "masquerade_exceptions = root". - A pipelined SMTP client. Deliveries to Postfix, qmail, LSOFT, zmailer, and exim (once it's fixed) speed up by some 30% for short messages with one recipient, with more for multi-recipient mails. - Hook for local delivery to "|command" via the smrsh restricted shell, to restrict what commands may be used in .forward etc. files. Specify "local_command_shell = /some/where/smrsh -c".