797 lines
35 KiB
Plaintext
797 lines
35 KiB
Plaintext
The stable Postfix release is called postfix-2.3.x where 2=major
|
|
release number, 3=minor release number, x=patchlevel. The stable
|
|
release never changes except for patches that address bugs or
|
|
emergencies. Patches change the patchlevel and the release date.
|
|
|
|
New features are developed in snapshot releases. These are called
|
|
postfix-2.4-yyyymmdd where yyyymmdd is the release date (yyyy=year,
|
|
mm=month, dd=day). Patches are never issued for snapshot releases;
|
|
instead, a new snapshot is released.
|
|
|
|
The mail_release_date configuration parameter (format: yyyymmdd)
|
|
specifies the release date of a stable release or snapshot release.
|
|
|
|
Incompatible changes with Postfix 2.3.7
|
|
---------------------------------------
|
|
|
|
Postfix no longer inserts an empty-line header/body separator into
|
|
malformed MIME attachments, to avoid breaking digital signatures.
|
|
|
|
This change introduces ambiguity. Postfix still treats the remainder
|
|
of the attachment as body content; header_checks rules will therefore
|
|
not detect forbidden MIME types inside a message/rfc822 attachment.
|
|
|
|
With the empty-line header/body separator no longer inserted by
|
|
Postfix, other software may process the malformed attachment
|
|
differently, and thus may become exposed to forbidden MIME types.
|
|
|
|
Incompatible changes with Postfix 2.3.6
|
|
---------------------------------------
|
|
|
|
The check_smtpd_policy client sends TLS certificate attributes
|
|
(client ccert_subject, ccert_issuer) only after successful client
|
|
certificate verification. The reason is that the certification
|
|
verification status itself is not available in the policy request.
|
|
|
|
The check_smtpd_policy client sends TLS certificate fingerprint
|
|
information even when the certificate itself was not verified.
|
|
|
|
The remote SMTP client TLS certificate fingerprint can be used for
|
|
access control even when the certificate itself was not verified.
|
|
|
|
Incompatible changes with Postfix 2.3.3
|
|
---------------------------------------
|
|
|
|
Postfix no longer announces its name in delivery status notifications.
|
|
Users believe that Wietse provides a free help desk service that
|
|
solves all their email problems.
|
|
|
|
Critical notes
|
|
--------------
|
|
|
|
See RELEASE_NOTES_2.2 if you upgrade from Postfix 2.1 or earlier.
|
|
|
|
Some Postfix internal protocols have changed. You need to "postfix
|
|
reload" or restart Postfix, otherwise many servers will log warning
|
|
messages like "unexpected attribute xxx" or "problem talking to
|
|
service yyy", and mail will not be delivered.
|
|
|
|
The Sendmail-compatible Milter support introduces three new queue
|
|
file record types. As long as you leave this feature turned off,
|
|
you can still go back to Postfix version 2.2 without losing mail
|
|
that was received by Postfix 2.3.
|
|
|
|
Major changes - DNS lookups
|
|
---------------------------
|
|
|
|
[Incompat 20050726] Name server replies that contain a malformed
|
|
hostname are now flagged as permanent errors instead of transient
|
|
errors. This change works around a questionable proposal to use
|
|
syntactically invalid hostnames in MX records.
|
|
|
|
Major changes - DSN
|
|
-------------------
|
|
|
|
[Feature 20050615] DSN support as described in RFC 3461 .. RFC 3464.
|
|
This gives senders control over successful and failed delivery
|
|
notifications. DSN involves extra parameters to the SMTP "MAIL
|
|
FROM" and "RCPT TO" commands, as well as extra Postfix sendmail
|
|
command line options for mail submission.
|
|
|
|
See DSN_README for details. Some implementation notes can be found
|
|
in implementation-notes/DSN.
|
|
|
|
[Incompat 20050615] The new DSN support conflicts with VERP support.
|
|
For Sendmail compatibility, Postfix now uses the sendmail -V command
|
|
line option for DSN. To request VERP style delivery, you must now
|
|
specify -XV instead of -V. The Postfix sendmail command will
|
|
recognize if you try to use -V for VERP-style delivery. It will
|
|
usually do the right thing, and remind you of the new syntax.
|
|
|
|
[Incompat 20050828] Postfix no longer sends DSN SUCCESS notification
|
|
after virtual alias expansions when the cleanup server rejects the
|
|
content or size of mail that was submitted with the Postfix sendmail
|
|
command, mail that was forwarded with the local(8) delivery agent,
|
|
or mail that was re-queued with "postsuper -r". Since all the
|
|
recipients are reported as failed, the SUCCESS notification seems
|
|
redundant.
|
|
|
|
Major changes - LMTP client
|
|
---------------------------
|
|
|
|
See the "SASL authentication" and "TLS" sections for changes related
|
|
to SASL authentication and TLS support, respectively.
|
|
|
|
[Feature 20051208] The SMTP client now implements the LMTP protocol.
|
|
Most but not all smtp_xxx parameters now have an lmtp_xxx equivalent.
|
|
This means there are lot of new LMTP features, including support
|
|
for TLS and for the shared connection cache. See the "SMTP client"
|
|
section for details.
|
|
|
|
[Incompat 20051208] The LMTP client now reports the server as
|
|
"myhostname[/path/name]". With the real server hostname in delivery
|
|
status reports, the information will be more useful.
|
|
|
|
Major changes - Milter support
|
|
------------------------------
|
|
|
|
[Feature 20060515] Milter (mail filter) application support,
|
|
compatible with Sendmail version 8.13.6 and earlier. This allows
|
|
you to run a large number of plug-ins to reject unwanted mail, and
|
|
to sign mail with for example domain keys. All Milter functions are
|
|
implemented except replacing the message body, which will be added
|
|
later. Milters are before-queue filters, so they don't change the
|
|
queue ID.
|
|
|
|
See the MILTER_README document for a discussion of how to use Milter
|
|
support with Postfix, and limitations of the current implementation.
|
|
|
|
The Sendmail-compatible Milter support introduces three new queue
|
|
file record types. As long as you leave this feature turned off,
|
|
you can still go back to Postfix version 2.2 without losing mail
|
|
that was received by Postfix 2.3.
|
|
|
|
[Incompat 20060515] Milter support introduces new logfile event
|
|
types: milter-reject, milter-discard and milter-hold, that identify
|
|
actions from Milter applications. This may affect logfile processing
|
|
software.
|
|
|
|
Major changes - SASL authentication
|
|
-----------------------------------
|
|
|
|
[Feature 20051220] Plug-in support for SASL authentication in the
|
|
SMTP server and in the SMTP/LMTP client. With this, Postfix can
|
|
support multiple SASL implementations without source code patches.
|
|
Some distributors may even make SASL support a run-time linking
|
|
option, just like they already do with Postfix lookup tables.
|
|
|
|
Hints and tips for plug-in developers are in the xsasl/README file.
|
|
|
|
For backwards compatibility the default plug-in type is Cyrus SASL,
|
|
so everything should behave like it did before. Some error messages
|
|
are slightly different, but these are generally improvements.
|
|
|
|
The "postconf -a" command shows what plug-in implementations are
|
|
available for the SMTP server, and "postconf -A" does the same for
|
|
the SMTP/LMTP client. Plug-in implementations are selected with
|
|
the smtpd_sasl_type, smtp_sasl_type and lmtp_sasl_type configuration
|
|
parameters.
|
|
|
|
Other new configuration parameters are smtpd_sasl_path, smtp_sasl_path
|
|
and lmtp_sasl_path. These are better left alone; they are introduced
|
|
for the convenience of other SASL implementations.
|
|
|
|
[Feature 20051222] Dovecot SASL support (SMTP server only). Details
|
|
can be found in the SASL_README document.
|
|
|
|
[Incompat 20051220] The Postfix-with-Cyrus-SASL build procedure has
|
|
changed. You now need to specify -DUSE_CYRUS_SASL in addition to
|
|
-DUSE_SASL_AUTH or else you end up without any Cyrus SASL support.
|
|
The error messages are:
|
|
|
|
unsupported SASL server implementation: cyrus
|
|
unsupported SASL client implementation: cyrus
|
|
|
|
[Feature 20051125] This snapshot adds support for sender-dependent
|
|
ISP accounts.
|
|
|
|
- Sender-dependent smarthost lookup tables. The maps are searched
|
|
with the sender address and with the sender @domain. The result
|
|
overrides the global relayhost setting, but otherwise has identical
|
|
behavior. See the postconf(5) manual page for more details.
|
|
|
|
Example:
|
|
/etc/postfix/main.cf:
|
|
sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay
|
|
|
|
- Sender-dependent SASL authentication support. This disables SMTP
|
|
connection caching to ensure that mail from different senders
|
|
will use the correct authentication credentials. The SMTP SASL
|
|
password file is first searched by sender address, and then by
|
|
the remote domain and hostname as usual.
|
|
|
|
Example:
|
|
/etc/postfix/main.cf:
|
|
smtp_sasl_auth_enable = yes
|
|
smtp_sender_dependent_authentication = yes
|
|
smtp_sasl_password_maps = hash:/etc/postfix/sasl_pass
|
|
|
|
[Incompat 20060707] The SMTP/LMTP client now defers delivery when
|
|
a SASL password exists but the server does not announce support for
|
|
SASL authentication. This can happen with servers that announce
|
|
SASL support only when TLS is turned on. When an opportunistic TLS
|
|
handshake fails, Postfix >= 2.3 retries delivery in plaintext, and
|
|
the remote server rejects mail from the unauthenticated client.
|
|
Specify "smtp_sasl_auth_enforce = no" to deliver mail anyway.
|
|
|
|
Major changes - SMTP client
|
|
---------------------------
|
|
|
|
See the "SASL authentication" and "TLS" sections for changes related
|
|
to SASL authentication and TLS support, respectively.
|
|
|
|
[Feature 20051208] The SMTP client now implements the LMTP protocol.
|
|
Most but not all smtp_xxx parameters now have an lmtp_xxx equivalent.
|
|
This means there are lot of new LMTP features, including support
|
|
for TLS and for the shared connection cache.
|
|
|
|
[Incompat 20060112] The Postfix SMTP/LMTP client by default no
|
|
longer allows DNS CNAME records to override the server hostname
|
|
that is used for logging, SASL password lookup, TLS policy selection
|
|
and TLS server certificate verification. Specify
|
|
"smtp_cname_overrides_servername = yes" to get the old behavior.
|
|
|
|
[Incompat 20060103] The Postfix SMTP/LMTP client no longer defers
|
|
mail delivery when it receives a malformed SMTP server reply in a
|
|
session with command pipelining. When helpful warnings are enabled,
|
|
it will suggest that command pipelining be disabled for the affected
|
|
destination.
|
|
|
|
[Incompat 20051208] The fallback_relay feature is renamed to
|
|
smtp_fallback_relay, to make clear that the combined SMTP/LMTP
|
|
client uses this setting only for SMTP deliveries. The old name
|
|
still works.
|
|
|
|
[Incompat 20051106] The relay=... logging has changed and now
|
|
includes the remote SMTP server port number as hostname[hostaddr]:port.
|
|
|
|
[Incompat 20051026] The smtp_connection_cache_reuse_limit parameter
|
|
(which limits the number of deliveries per SMTP connection) is
|
|
replaced by the new smtp_connection_reuse_time_limit parameter (the
|
|
time after which a connection is no longer stored into the connection
|
|
cache).
|
|
|
|
[Feature 20051026] This snapshot addresses a performance stability
|
|
problem with remote SMTP servers. The problem is not specific to
|
|
Postfix: it can happen when any MTA sends large amounts of SMTP
|
|
email to a site that has multiple MX hosts. The insight that led
|
|
to the solution, as well as an initial implementation, are due to
|
|
Victor Duchovni.
|
|
|
|
The problem starts when one of a set of MX hosts becomes slower
|
|
than the rest. Even though SMTP clients connect to fast and slow
|
|
MX hosts with equal probability, the slow MX host ends up with more
|
|
simultaneous inbound connections than the faster MX hosts, because
|
|
the slow MX host needs more time to serve each client request.
|
|
|
|
The slow MX host becomes a connection attractor. If one MX host
|
|
becomes N times slower than the rest, it dominates mail delivery
|
|
latency unless there are more than N fast MX hosts to counter the
|
|
effect. And if the number of MX hosts is smaller than N, the mail
|
|
delivery latency becomes effectively that of the slowest MX host
|
|
divided by the total number of MX hosts.
|
|
|
|
The solution uses connection caching in a way that differs from
|
|
Postfix 2.2. By limiting the amount of time during which a connection
|
|
can be used repeatedly (instead of limiting the number of deliveries
|
|
over that connection), Postfix not only restores fairness in the
|
|
distribution of simultaneous connections across a set of MX hosts,
|
|
it also favors deliveries over connections that perform well, which
|
|
is exactly what we want.
|
|
|
|
The smtp_connection_reuse_time_limit feature implements the connection
|
|
reuse time limit as discussed above. It limits the amount of time
|
|
after which an SMTP connection is no longer stored into the connection
|
|
cache. The default limit, 300s, can result in a huge number of
|
|
deliveries over a single connection.
|
|
|
|
This solution will be complete when Postfix logging is updated to
|
|
include information about the number of times that a connection was
|
|
used. This information is needed to diagnose inter-operability
|
|
problems with servers that exhibit bugs when they receive multiple
|
|
messages over the same connection.
|
|
|
|
[Incompat 20050627] The Postfix SMTP client no longer applies the
|
|
smtp_mx_session_limit to non-permanent errors during the TCP, SMTP,
|
|
HELO or TLS handshake. Previous versions did that only with TCP
|
|
and SMTP handshake errors.
|
|
|
|
[Incompat 20050622] The Postfix SMTP client by default limits the
|
|
number of MX server addresses to smtp_mx_address_limit=5. Previously
|
|
this limit was disabled by default. The new limit prevents Postfix
|
|
from spending lots of time trying to connect to lots of bogus MX
|
|
servers.
|
|
|
|
Major changes - SMTP server
|
|
---------------------------
|
|
|
|
See the "SASL authentication" and "TLS" sections for changes related
|
|
to SASL authentication and TLS support, respectively.
|
|
|
|
[Feature 20051222] To accept the non-compliant user@ipaddress form,
|
|
specify "resolve_numeric_domain = yes". Postfix will deliver the
|
|
mail to user@[ipaddress] instead.
|
|
|
|
[Incompat 20051202] The Postfix SMTP server now refuses to receive
|
|
mail from the network if it isn't running with postfix mail_owner
|
|
privileges. This prevents surprises when, for example, "sendmail
|
|
-bs" is configured to run as root from xinetd.
|
|
|
|
[Incompat 20051121] Although the permit_mx_backup feature still
|
|
accepts mail for authorized destinations (see permit_mx_backup for
|
|
definition), with all other destinations it now requires that the
|
|
local MTA is listed as non-primary MX server. This prevents mail
|
|
loop problems when someone points their primary MX record at a
|
|
Postfix system.
|
|
|
|
[Feature 20051011] Optional suppression of remote SMTP client
|
|
hostname lookup and hostname verification. Specify "smtpd_peername_lookup
|
|
= no" to eliminate DNS lookup latencies, but do so only under extreme
|
|
conditions, as it makes Postfix logging less informative.
|
|
|
|
[Feature 20050724] SMTPD Access control based on the existence of
|
|
an address->name mapping, with reject_unknown_reverse_client_hostname.
|
|
There is no corresponding access table lookup feature, because the
|
|
name is not validated in any way (except that it has proper syntax).
|
|
|
|
Several confusing SMTPD access restrictions were renamed:
|
|
|
|
reject_unknown_client -> reject_unknown_client_hostname,
|
|
reject_unknown_hostname -> reject_unknown_helo_hostname,
|
|
reject_invalid_hostname -> reject_invalid_helo_hostname,
|
|
reject_non_fqdn_hostname -> reject_non_fqdn_helo_hostname.
|
|
|
|
The old names are still recognized and documented.
|
|
|
|
Major changes - TLS
|
|
-------------------
|
|
|
|
Major revisions were made to Postfix TLS support; see TLS_README
|
|
for the details. For backwards compatibility, the old TLS policy
|
|
user interface will be kept intact for a few releases so that sites
|
|
can upgrade Postfix without being forced to use a different TLS
|
|
policy mechanism.
|
|
|
|
[Feature 20060614] New concept: TLS security levels ("none", "may",
|
|
"encrypt", "verify" or "secure") in the Postfix SMTP client. You
|
|
can specify the TLS security level via the smtp_tls_security_level
|
|
parameter. This is more convenient than controlling TLS with the
|
|
multiple smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername,
|
|
parameters.
|
|
|
|
[Feature 20060709] TLS security levels ("none", "may", "encrypt")
|
|
in the Postfix SMTP server. You specify the security level with the
|
|
smtpd_tls_security_level parameter. This overrides the multiple
|
|
smtpd_use_tls and smtpd_enforce_tls parameters. When one of the
|
|
unimplemented "verify" or "secure" levels is specified, the Postfix
|
|
SMTP server logs a warning and uses "encrypt" instead.
|
|
|
|
[Feature 20060123] A new per-site TLS policy mechanism for the
|
|
Postfix SMTP client that supports the new TLS security levels,
|
|
and that eliminates DNS spoofing attacks more effectively.
|
|
|
|
[Feature 20060626] Both the Postfix SMTP client and server can be
|
|
configured without a client or server certificate. An SMTP server
|
|
without certificate can use only anonymous ciphers, and will not
|
|
inter-operate with most clients.
|
|
|
|
The Postfix SMTP server supports anonymous ciphers when 1) no client
|
|
certificates are requested or required, and 2) the administrator
|
|
has not excluded the "aNULL" OpenSSL cipher type with the
|
|
smtpd_tls_exclude_ciphers parameter.
|
|
|
|
The Postfix SMTP client supports anonymous ciphers when 1) no server
|
|
certificate is required and 2) the administrator has not excluded
|
|
the "aNULL" OpenSSL cipher type with the smtp_tls_exclude_ciphers
|
|
parameter.
|
|
|
|
[Incompat 20060707] The SMTPD policy client now encodes the
|
|
ccert_subject and ccert_issuer attributes as xtext. Some characters
|
|
are represented by +XX, where XX is the two-digit hexadecimal
|
|
representation of the character value.
|
|
|
|
[Feature 20060614] The smtpd_tls_protocols parameter restricts the
|
|
list of TLS protocols supported by the SMTP server. This is
|
|
recommended for use with MSA configurations only. It should not
|
|
be used with MX hosts that receive mail from the Internet, as it
|
|
reduces inter-operability.
|
|
|
|
[Incompat 20060614] The smtp_tls_cipherlist parameter only applies
|
|
when TLS is mandatory. It is ignored with opportunistic TLS sessions.
|
|
|
|
[Incompat 20060614] At (lmtp|smtp|smtpd)_tls_loglevel >= 2, Postfix
|
|
now also logs TLS session cache activity. Use level 2 and higher
|
|
for debugging only; use levels 0 or 1 as production settings.
|
|
|
|
[Incompat 20060207] The Postfix SMTP server no longer complains
|
|
when TLS support is not compiled in while permit_tls_clientcerts,
|
|
permit_tls_all_clientcerts, or check_ccert_access are specified in
|
|
main.cf. These features now are effectively ignored. However, the
|
|
reject_plaintext_session feature is not ignored and will reject
|
|
plain-text mail.
|
|
|
|
[Feature 20060123] Some obscure behavior was eliminated from the
|
|
smtp_tls_per_site feature, without changes to the user interface.
|
|
Some Postfix internals had to be re-structured for the new TLS
|
|
policy mechanism; for this, smtp_tls_per_site had to be re-implemented.
|
|
The obscure behavior was found during compatibility testing.
|
|
|
|
[Feature 20051011] Optional protection against SMTP clients that
|
|
hammer the server with too many new (i.e. uncached) SMTP-over-TLS
|
|
sessions. Cached sessions are much less expensive in terms of CPU
|
|
cycles. Use the smtpd_client_new_tls_session_rate_limit parameter
|
|
to specify a limit that is at least the inbound client concurrency
|
|
limit, or else you may deny legitimate service requests.
|
|
|
|
Major changes - VERP
|
|
--------------------
|
|
|
|
[Incompat 20050615] The new DSN support conflicts with VERP support.
|
|
For Sendmail compatibility, Postfix now uses the sendmail -V command
|
|
line option for DSN. In order to request VERP style delivery, you
|
|
must now specify -XV instead of -V. The Postfix sendmail command
|
|
will recognize if you try to use -V for VERP-style delivery. It
|
|
will do the right thing and will remind you of the new syntax.
|
|
|
|
Major changes - XCLIENT and XFORWARD
|
|
------------------------------------
|
|
|
|
[Incompat 20060611] The SMTP server XCLIENT implementation has
|
|
changed. The SMTP server now resets state to the initial server
|
|
greeting stage, immediately before the EHLO/HELO greeting. This
|
|
was needed to correctly simulate the effect of connection-level
|
|
access restrictions. Without this change, XCLIENT would not work
|
|
at all with Milter applications.
|
|
|
|
[Incompat 20060611] The SMTP server XCLIENT and XFORWARD commands
|
|
now expect that attributes are xtext encoded (RFC 1891). For backwards
|
|
compatibility they will also accept unencoded attribute values. The
|
|
XFORWARD client code in the SMTP client and in the SMTPD_PROXY
|
|
client now always encode attribute values. This change will have a
|
|
visible effect only for malformed hostname and helo parameter values.
|
|
|
|
For more details, see the XCLIENT_README and XFORWARD_README
|
|
documents.
|
|
|
|
Major changes - address manipulation
|
|
------------------------------------
|
|
|
|
[Incompat 20060123] Postfix now preserves uppercase information
|
|
while mapping addresses with canonical, virtual, relocated or generic
|
|
maps; this happens even with $number substitutions in regular
|
|
expression maps. However, the local(8) and virtual(8) delivery
|
|
agents still fold addresses to lower case.
|
|
|
|
As a side effect, Postfix now also does a better job at being case
|
|
insensitive where it should be, for example while searching per-host
|
|
TLS policies or SASL passwords.
|
|
|
|
By default, Postfix now folds the search string to lowercase only
|
|
with tables that have fixed-case lookup fields such as btree:,
|
|
hash:, dbm:, ldap:, or *sql:. The search string is no longer case
|
|
folded with tables whose lookup fields can match both upper or lower
|
|
case, such as regexp:, pcre:, or cidr:.
|
|
|
|
For safety reasons, Postfix no longer allows $number substitution
|
|
in regexp: or pcre: transport tables or per-sender relayhost tables.
|
|
|
|
Major changes - bounce message templates
|
|
----------------------------------------
|
|
|
|
[Feature 20051113] Configurable bounce messages, based on a format
|
|
that was developed by Nicolas Riendeau. The file with templates is
|
|
specified with the bounce_template_file parameter. Details are in
|
|
the bounce(5) manual page, and examples of the built-in templates
|
|
can be found in $config_directory/bounce.cf.default. The template
|
|
for the default bounce message looks like this:
|
|
|
|
failure_template = <<EOF
|
|
Charset: us-ascii
|
|
From: MAILER-DAEMON (Mail Delivery System)
|
|
Subject: Undelivered Mail Returned to Sender
|
|
Postmaster-Subject: Postmaster Copy: Undelivered Mail
|
|
|
|
This is the $mail_name program at host $myhostname.
|
|
|
|
I'm sorry to have to inform you that your message could not
|
|
be delivered to one or more recipients. It's attached below.
|
|
|
|
For further assistance, please send mail to <postmaster>
|
|
|
|
If you do so, please include this problem report. You can
|
|
delete your own text from the attached returned message.
|
|
|
|
The $mail_name program
|
|
EOF
|
|
|
|
Major changes - built-in filters
|
|
--------------------------------
|
|
|
|
[Feature 20050828] Configurable filters to reject or remove unwanted
|
|
characters in email content. The message_reject_characters and
|
|
message_strip_characters parameters understand the usual C-like
|
|
escape sequences: \a \b \f \n \r \t \v \ddd (up to three octal
|
|
digits) and \\.
|
|
|
|
[Incompat 20050828] When a header/body_checks rule or when
|
|
message_reject_characters rejects mail that was submitted with the
|
|
Postfix sendmail command (or re-queued with "postsuper -r"), the
|
|
returned message is now limited to just the message headers, to
|
|
avoid the risk of exposure to harmful content in the message body
|
|
or attachments.
|
|
|
|
Major changes - database support
|
|
--------------------------------
|
|
|
|
[Incompat 20060611] The PostgreSQL client was updated after the
|
|
PostgreSQL developers made major database API changes in response
|
|
to SQL injection problems. This breaks support for PGSQL versions
|
|
prior to 8.1.4, 8.0.8, 7.4.13, and 7.3.15. Support for these requires
|
|
major code changes which are not possible in the time that is left
|
|
for completing the Postfix 2.3 stable release.
|
|
|
|
Major changes - enhanced status codes
|
|
-------------------------------------
|
|
|
|
[Feature 20050328] This release introduces support for RFC 3463
|
|
enhanced status codes. For example, status code 5.1.1 means
|
|
"recipient unknown". Postfix recognizes enhanced status codes in
|
|
remote server replies, generates enhanced status codes while handling
|
|
email, and reports enhanced status codes in non-delivery notifications.
|
|
This improves the user experience with mail clients that translate
|
|
enhanced status codes into text in the user's own language.
|
|
|
|
You can, but don't have to, specify RFC 3463 enhanced status codes
|
|
in the output from commands that receive mail from a pipe. If a
|
|
command terminates with non-zero exit status, and an enhanced status
|
|
code is present at the beginning of the command output, then that
|
|
status code takes precedence over the non-zero exit status.
|
|
|
|
You can, but don't have to, specify RFC 3463 enhanced status codes
|
|
in Postfix access maps, header/body_checks REJECT actions, or in
|
|
RBL replies. For example:
|
|
|
|
REJECT 5.7.1 You can't go here from there
|
|
|
|
The status 5.7.1 means "no authorization, message refused", and is
|
|
the default for access maps, header/body_checks REJECT actions, and
|
|
for RBL replies.
|
|
|
|
[Feature 20050328] If you specify your own enhanced status code,
|
|
the Postfix SMTP server will automatically change a leading '5'
|
|
digit (hard error) into '4' where appropriate. This is needed, for
|
|
example, with soft_bounce=yes.
|
|
|
|
[Feature 20050510] This release improves usability of enhanced
|
|
status codes in Postfix access tables, RBL reply templates and in
|
|
transport maps that use the error(8) delivery agent.
|
|
|
|
- When the SMTP server rejects a sender address, it transforms a
|
|
recipient DSN status (e.g., 4.1.1-4.1.6) into the corresponding
|
|
sender DSN status, and vice versa.
|
|
|
|
- When the SMTP server rejects non-address information (such as the
|
|
HELO command parameter or the client hostname/address), it
|
|
transforms a sender or recipient DSN status into a generic
|
|
non-address DSN status (e.g., 4.0.0).
|
|
|
|
These transformations are needed when the same access table or RBL
|
|
reply template are used for client, helo, sender, or recipient
|
|
restrictions; or when the same error(8) mailer information is used
|
|
for both senders and recipients.
|
|
|
|
Major changes - local alias expansion
|
|
-------------------------------------
|
|
|
|
[Incompat 20051011] The Postfix local(8) delivery agent no longer
|
|
updates its idea of the Delivered-To: address while it expands
|
|
aliases or .forward files. With deeply nested aliases or .forward
|
|
files, this can greatly reduce the number of queue files and cleanup
|
|
process instances. To get the earlier behavior, specify
|
|
"frozen_delivered_to = no".
|
|
|
|
The frozen_delivered_to feature can help to alleviate a long-standing
|
|
problem with multiple deliveries to recipients that are listed
|
|
multiple times in a hierarchy of nested aliases. For this to work,
|
|
only the top-level alias should have an owner- alias, and none of
|
|
the subordinate aliases.
|
|
|
|
Major changes - logging
|
|
-----------------------
|
|
|
|
[Incompat 20060515] Milter support introduces new logfile event
|
|
types: milter-reject, milter-discard and milter-hold, that identify
|
|
actions from Milter applications. This may affect logfile processing
|
|
software.
|
|
|
|
[Incompat 20051106] The relay=... logging has changed and now
|
|
includes the remote SMTP server port number as hostname[hostaddr]:port.
|
|
|
|
[Incompat 20060112] The Postfix SMTP/LMTP client by default no
|
|
longer allows DNS CNAME records to override the server hostname
|
|
that is used for logging, SASL password lookup, TLS policy selection
|
|
and TLS server certificate verification. Specify
|
|
"smtp_cname_overrides_servername = yes" to get the old behavior.
|
|
|
|
[Incompat 20051105] All delay logging now has sub-second resolution,
|
|
including the over-all "delay=nnn" logging. A patch is available
|
|
for pflogsumm (pflogsumm-conn-delays-dsn-patch). The qshape script
|
|
has been updated (auxiliary/qshape/qshape.pl).
|
|
|
|
[Feature 20051103] This release makes a beginning with a series of
|
|
new attributes in Postfix logfile records.
|
|
|
|
- Better insight into the nature of performance bottle necks, with
|
|
detailed logging of delays in various stages of message delivery.
|
|
Postfix logs additional delay information as "delays=a/b/c/d"
|
|
where a=time before queue manager, including message transmission;
|
|
b=time in queue manager; c=connection setup time including DNS,
|
|
HELO and TLS; d=message transmission time.
|
|
|
|
- Logging of the connection reuse count when SMTP connections are
|
|
used for more than one message delivery. This information is
|
|
needed because Postfix can now reuse connections hundreds of times
|
|
or more. Logging of the connection reuse count can help to diagnose
|
|
inter-operability problems with servers that suffer from memory
|
|
leaks or other resource leaks.
|
|
|
|
At this point the Postfix logging for a recipient looks like this:
|
|
|
|
Nov 3 16:04:31 myname postfix/smtp[30840]: 19B6B2900FE:
|
|
to=<wietse@test.example.com>, orig_to=<wietse@test>,
|
|
relay=mail.example.com[1.2.3.4], conn_use=2, delay=0,
|
|
delays=0/0.01/0.05/0.1, dsn=2.0.0, status=sent (250 2.0.0 Ok)
|
|
|
|
The following two logfile fields may or may not be present:
|
|
|
|
orig_to This is omitted when the address did not change.
|
|
conn_use This is omitted when a connection is used once.
|
|
|
|
[Incompat 20050503] The format of some "warning:" messages in the
|
|
maillog has changed so that they are easier to sort:
|
|
|
|
- The logging now talks about "access table", instead of using three
|
|
different expressions "access table", "access map" and "SMTPD
|
|
access map" for the same thing.
|
|
|
|
- "non-SMTP command" is now logged BEFORE the client name/address
|
|
and the offending client input, instead of at the end.
|
|
|
|
[Incompat 20050328] The logging format has changed. Postfix delivery
|
|
agents now log the RFC 3463 enhanced status code as "dsn=x.y.z"
|
|
where y and z can be up to three digits each.
|
|
|
|
[Incompat 20051208] The LMTP client now reports the server as
|
|
"myhostname[/path/name]". With the real server hostname in delivery
|
|
status reports, the information will be more useful.
|
|
|
|
Major changes - performance
|
|
---------------------------
|
|
|
|
[Incompat 20051105] All delay logging now has sub-second resolution,
|
|
including the over-all "delay=nnn" logging. A patch is available
|
|
for pflogsumm (pflogsumm-conn-delays-dsn-patch). The qshape script
|
|
has been updated (auxiliary/qshape/qshape.pl).
|
|
|
|
[Incompat 20050622] The Postfix SMTP client by default limits the
|
|
number of MX server addresses to smtp_mx_address_limit=5. Previously
|
|
this limit was disabled by default. The new limit prevents Postfix
|
|
from spending lots of time trying to connect to lots of bogus MX
|
|
servers.
|
|
|
|
[Feature 20051026] This snapshot addresses a performance stability
|
|
problem with remote SMTP servers. The problem is not specific to
|
|
Postfix: it can happen when any MTA sends large amounts of SMTP
|
|
email to a site that has multiple MX hosts. The insight that led
|
|
to the solution, as well as an initial implementation, are due to
|
|
Victor Duchovni.
|
|
|
|
The problem starts when one of a set of MX hosts becomes slower
|
|
than the rest. Even though SMTP clients connect to fast and slow
|
|
MX hosts with equal probability, the slow MX host ends up with more
|
|
simultaneous inbound connections than the faster MX hosts, because
|
|
the slow MX host needs more time to serve each client request.
|
|
|
|
The slow MX host becomes a connection attractor. If one MX host
|
|
becomes N times slower than the rest, it dominates mail delivery
|
|
latency unless there are more than N fast MX hosts to counter the
|
|
effect. And if the number of MX hosts is smaller than N, the mail
|
|
delivery latency becomes effectively that of the slowest MX host
|
|
divided by the total number of MX hosts.
|
|
|
|
The solution uses connection caching in a way that differs from
|
|
Postfix 2.2. By limiting the amount of time during which a connection
|
|
can be used repeatedly (instead of limiting the number of deliveries
|
|
over that connection), Postfix not only restores fairness in the
|
|
distribution of simultaneous connections across a set of MX hosts,
|
|
it also favors deliveries over connections that perform well, which
|
|
is exactly what we want.
|
|
|
|
The smtp_connection_reuse_time_limit feature implements the connection
|
|
reuse time limit as discussed above. It limits the amount of time
|
|
after which an SMTP connection is no longer stored into the connection
|
|
cache. The default limit, 300s, can result in a huge number of
|
|
deliveries over a single connection.
|
|
|
|
This solution will be complete when Postfix logging is updated to
|
|
include information about the number of times that a connection was
|
|
used. This information is needed to diagnose inter-operability
|
|
problems with servers that exhibit bugs when they receive multiple
|
|
messages over the same connection.
|
|
|
|
[Feature 20051011] Optional protection against SMTP clients that
|
|
hammer the server with too many new (i.e. uncached) SMTP-over-TLS
|
|
sessions. Cached sessions are much less expensive in terms of CPU
|
|
cycles. Use the smtpd_client_new_tls_session_rate_limit parameter
|
|
to specify a limit that is at least the inbound client concurrency
|
|
limit, or else you may deny legitimate service requests.
|
|
|
|
[Feature 20051011] Optional suppression of remote SMTP client
|
|
hostname lookup and hostname verification. Specify "smtpd_peername_lookup
|
|
= no" to eliminate DNS lookup latencies, but do so only under extreme
|
|
conditions, as it makes Postfix logging less informative.
|
|
|
|
Major changes - portability
|
|
---------------------------
|
|
|
|
[Incompat 20050716] Internal interfaces have changed; this may break
|
|
third-party patches because the types of function arguments and of
|
|
result values have changed. The types of buffer lengths and offsets
|
|
were changed from "int" or "unsigned int" (32 bit on 32-bit and
|
|
LP64 systems) to "ssize_t" or "size_t" (64 bit on LP64 systems, 32
|
|
bit on 32-bit systems).
|
|
|
|
This change makes no difference in Postfix behavior on 32-bit
|
|
systems. On LP64 systems, however, this change not only eliminates
|
|
some obscure portability bugs, it also eliminates unnecessary
|
|
conversions between 32/64 bit integer types, because many system
|
|
library routines take "(s)size_t" arguments or return "(s)size_t"
|
|
values.
|
|
|
|
This change may break software on LP64 systems 1) when Postfix is
|
|
linked with pre-compiled code that was compiled with old Postfix
|
|
interface definitions and 2) when compiling Postfix source that was
|
|
modified by a third-party patch: incorrect code will be generated
|
|
when the patch passes the wrong integer argument type in contexts
|
|
that disable automatic argument type conversions. Examples of such
|
|
contexts are formatting with printf-like arguments, and invoking
|
|
functions that write Postfix request or reply attributes across
|
|
inter-process communication channels. Unfortunately, gcc reports
|
|
"(unsigned) int" versus "(s)size_t" format string argument mis-matches
|
|
only on LP64 systems.
|
|
|
|
Major changes - safety
|
|
----------------------
|
|
|
|
[Incompat 20051121] Although the permit_mx_backup feature still
|
|
accepts mail for authorized destinations (see permit_mx_backup for
|
|
definition), with all other destinations it now requires that the
|
|
local MTA is listed as non-primary MX. This prevents mail loop
|
|
problems when someone points the primary MX record at a Postfix
|
|
system.
|
|
|
|
[Incompat 20051011] The Postfix local(8) delivery agent no longer
|
|
updates its idea of the Delivered-To: address while it expands
|
|
aliases or .forward files. With deeply nested aliases or .forward
|
|
files, this can greatly reduce the number of queue files and cleanup
|
|
process instances. To get the earlier behavior, specify
|
|
"frozen_delivered_to = no".
|
|
|
|
The frozen_delivered_to feature can help to alleviate a long-standing
|
|
problem with multiple deliveries to recipients that are listed
|
|
multiple times in a hierarchy of nested aliases. For this to work,
|
|
only the top-level alias should have an owner- alias, and none of
|
|
the subordinate aliases.
|
|
|
|
[Incompat 20050828] When a header/body_checks rule or when
|
|
message_reject_characters rejects mail that was submitted with the
|
|
Postfix sendmail command (or re-queued with "postsuper -r"), the
|
|
returned message is now limited to just the message headers, to
|
|
avoid the risk of exposure to harmful content in the message body
|
|
or attachments.
|
|
|
|
[Incompat 20051202] The Postfix SMTP server now refuses to receive
|
|
mail from the network if it isn't running with postfix mail_owner
|
|
privileges. This prevents surprises when, for example, "sendmail
|
|
-bs" is configured to run as root from xinetd.
|
|
|
|
[Incompat 20060123] For safety reasons, Postfix no longer allows
|
|
$number substitution in regexp: or pcre: transport tables or
|
|
per-sender relayhost tables.
|
|
|
|
[Incompat 20060112] The Postfix SMTP/LMTP client by default no
|
|
longer allows DNS CNAME records to override the server hostname
|
|
that is used for logging, SASL password lookup, TLS policy selection
|
|
and TLS server certificate verification. Specify
|
|
"smtp_cname_overrides_servername = yes" to get the old behavior.
|