485 lines
20 KiB
Plaintext
485 lines
20 KiB
Plaintext
Major changes with postfix-19991231-pl08:
|
|
=========================================
|
|
|
|
Specify "body_checks = regexp:/etc/postfix/body_checks" for a quick
|
|
and dirty emergency content filter that looks at non-header lines
|
|
one line at a time (including MIME headers inside the message body).
|
|
Details in conf/sample-filter.cf.
|
|
|
|
Incompatible changes with postfix-19991231-pl07:
|
|
================================================
|
|
|
|
As required by RFC 822, Postfix now inserts a generic destination
|
|
message header when no destination header is present. The text is
|
|
specified via the undisclosed_recipients_header configuration
|
|
parameter (default: "To: undisclosed-recipients:;").
|
|
|
|
Incompatible changes with postfix-19991231-pl06:
|
|
================================================
|
|
|
|
The Postfix sendmail command now treats a line with only `.' as
|
|
the end of input, for the sake of sendmail compatibility. To disable
|
|
this feature, specify the sendmail-compatible `-i' or `-oi' flags
|
|
on the sendmail command line.
|
|
|
|
Incompatible changes with postfix-19991231:
|
|
===========================================
|
|
|
|
- The SMTP server no longer forwards mail from untrusted clients
|
|
with sender-specified routing (stuff[@%!]stuff[@%!]stuff) through
|
|
destinations that are authorized by the relay_domains parameter.
|
|
This closes a loophole that exploits trust relationships between
|
|
hosts. Example: a trusted backup MX host forwards junk mail to
|
|
a primary MX host which forwards the junk to the Internet. Specify
|
|
"allow_untrusted_routing = yes" to restore the old behavior.
|
|
|
|
- The SMTP server no longer forwards mail with sender-specified
|
|
routing (stuff[@%!]stuff[@%!]stuff) through destinations that are
|
|
authorized by the permit_mx_backup feature. This change is under
|
|
control by the allow_untrusted_routing parameter discussed above.
|
|
|
|
- In order to support the above, the data structure and protocol
|
|
of the trivial-rewrite service was changed. This means you must
|
|
re-compile and re-link existing software that uses the Postfix
|
|
resolve_clnt interface.
|
|
|
|
- As a side effect of the above, an address from an untrusted client
|
|
with @ in the localpart (user@remote@here) no longer bounces with
|
|
"user unknown" but instead is rejected with "relay access denied".
|
|
|
|
- Incompatible SMTPD access map changes:
|
|
|
|
An all-numeric right-hand side now means OK. This is for better
|
|
cooperation with out-of-band authentication mechanisms such as
|
|
POP before SMTP etc.
|
|
|
|
An empty right-hand sides still mean OK, but Postfix will log a
|
|
warning in order to discourage such usage.
|
|
|
|
You can no longer use virtual, canonical or aliases tables as
|
|
SMTPD access maps. Use the local_recipient_maps feature instead.
|
|
|
|
- Recipient addresses may no longer begin with `-'. In order to
|
|
get the old behavior, specify "allow_min_user = yes" in main.cf.
|
|
|
|
- Incompatible transport map changes:
|
|
|
|
Transport map entries override mydestination. If you use transport
|
|
maps, it is better to always have explicit entries for all domain
|
|
names you have in $mydestination. See the html/faq.html sections
|
|
for firewalls and intranets.
|
|
|
|
The nexthop information given to a local delivery agent may have
|
|
changed. This information was never intended to be used as a
|
|
next-hop destination.
|
|
|
|
Major changes with postfix-19991231:
|
|
====================================
|
|
|
|
- It is now much more difficult to configure Postfix as an open
|
|
relay. The SMTP server requires that "smtpd_recipient_restrictions"
|
|
contains at least one restriction that by default refuses mail (as
|
|
is the default). There were too many accidents with changes to
|
|
the UCE restrictions.
|
|
|
|
- The relay_domains parameter no longer needs to contain $virtual_maps.
|
|
|
|
- Overhauled FAQ (html/faq.html) with many more examples.
|
|
|
|
- Updated UCE documentation (html/uce.html) with more examples.
|
|
More UCE configuration examples in sample configuration files.
|
|
|
|
- Several little improvements to the installation procedure:
|
|
relative symlinks, configurable directory for scratch files so the
|
|
installation can be done without write access to the build tree.
|
|
|
|
- Updated LDAP client code (John Hensley).
|
|
|
|
- Updated mysql client code (Scott Cotton).
|
|
|
|
- The SMTP server now rejects mail for unknown users in virtual
|
|
domains that are defined by Postfix virtual maps.
|
|
|
|
- The SMTP server can reject mail for unknown local users. Specify
|
|
"local_recipient_maps = $alias_maps, unix:passwd.byname" if your
|
|
local mail is delivered by a UNIX-style local delivery agent. See
|
|
example in conf/main.cf.
|
|
|
|
- Use "disable_vrfy_command = yes" to disable the SMTP VRFY command.
|
|
This prevents some forms of address harvesting.
|
|
|
|
- The sendmail "-f" option now understands <user> and even understands
|
|
forms with RFC 822-style comments.
|
|
|
|
- New "qmgr_fudge_factor" parameter allows you to balance mailing
|
|
list performance against response time for one-to-one mail. The
|
|
fudge factor controls what percentage of delivery resources Postfix
|
|
will devote to one message. With 100%, delivery of one message
|
|
does not begin before delivery of the previous message is completed.
|
|
This is good for list performance, bad for one-to-one mail. With
|
|
10%, response time for one-to-one mail improves much, but list
|
|
performance suffers: in the worst case, people near the start of a
|
|
mailing list get a burst of postings today, while people near the
|
|
end of the list get that same burst of postings a whole day later.
|
|
|
|
- It is now relatively safe to configure 550 status codes for the
|
|
main.cf unknown_address_reject_code or unknown_client_reject_code
|
|
parameters. The SMTP server now always sends a 450 (try again)
|
|
reply code when an UCE restriction fails due to a soft DNS error,
|
|
regardless of what main.cf specifies.
|
|
|
|
- The RBL checks now show the content of TXT records (Simon J Mudd).
|
|
|
|
- The Postfix SMTP server now understands a wider range of illegal
|
|
address forms in MAIL FROM and RCPT TO commands. In order to disable
|
|
illegal forms, specify "strict_rfc821_envelopes = yes". This also
|
|
disables support for MAIL FROM and RCPT TO addresses without <>.
|
|
|
|
- Per-client/helo/sender/recipient UCE restrictions (fully-recursive
|
|
UCE restriction parser). See the RESTRICTION_CLASS file for details.
|
|
|
|
- Use "postmap -q key" or "postalias -q key" for testing Postfix
|
|
lookup tables or alias files.
|
|
|
|
- Use "postconf -e name=value..." to edit the main.cf file. This
|
|
is easier and safer than editing the main.cf file by hand. The
|
|
edits are done on a temporary copy that is renamed into place.
|
|
|
|
- Use "postconf -m" to display all supported lookup table types
|
|
(Scott Cotton).
|
|
|
|
- New "permit_auth_destination" UCE restriction for finer-grained
|
|
access control (Jesper Skriver).
|
|
|
|
Incompatible changes with postfix-19990906
|
|
==========================================
|
|
|
|
- On systems that use user.lock files to protect system mailboxes
|
|
against simultaneous updates, Postfix now uses /file/name.lock
|
|
files while delivering to files specified in aliases/forward/include
|
|
files. This is a no-op when the recipient lacks directory write
|
|
permission.
|
|
|
|
- The LDAP client code no longer looks up a name containing "*"
|
|
because it could be abused. See the LDAP_README file for how to
|
|
restore previous behavior.
|
|
|
|
- The Postfix to PCRE interface now expects PCRE version 2.08.
|
|
Postfix is no longer compatible with PCRE versions prior to 2.06.
|
|
|
|
Major changes with postfix-19990906
|
|
===================================
|
|
|
|
Several bugfixes, none related to security. See the HISTORY file
|
|
for a complete list of changes.
|
|
|
|
- Postfix is now distributed under IBM Public License Version 1.0
|
|
which does not carry the controversial termination clause. The new
|
|
license does have a requirement that contributors make source code
|
|
available.
|
|
|
|
- INSTALL.sh install/upgrade procedure that replaces existing
|
|
programs and shell scripts instead of overwriting them, and that
|
|
leaves existing queue files and configuration files alone.
|
|
|
|
- The ugly Delivered-To: header can now be turned off selectively.
|
|
The default setting is: "prepend_delivered_header = command, file,
|
|
forward". Turning off the Delivered-To: header when forwarding
|
|
mail is not recommended.
|
|
|
|
- mysql client support by Scott Cotton and Joshua Marcus, Internet
|
|
Consultants Group, Inc. See the file MYSQL_README for instructions.
|
|
|
|
- reject_unauth_destination SMTP recipient restriction that rejects
|
|
destinations not in $relay_domains. Unlike the check_relay_domains
|
|
restriction, reject_unauth_destination ignores the client hostname.
|
|
By Lamont Jones of Hewlett-Packard.
|
|
|
|
- reject_unauth_pipelining SMTP *anything* restriction to stop mail
|
|
from spammers that improperly use SMTP command pipelining to speed
|
|
up their deliveries.
|
|
|
|
- Postfix "sendmail" now issues a warning and drops privileges if
|
|
installed set-uid root.
|
|
|
|
- No more duplicate delivery when "postfix reload" is immediately
|
|
followed by "sendmail -q".
|
|
|
|
- No more "invalid argument" errors when a Postfix daemon opens a
|
|
DB/DBM file while some other process is changing the file.
|
|
|
|
- Portability to the Mac OS X Server, Reliant Unix, AIX 3.2.5 and
|
|
Ultrix 4.3.
|
|
|
|
Incompatible changes with postfix-19990601:
|
|
===========================================
|
|
|
|
- The SMTP server now delays all UCE restrictions until the RCPT
|
|
TO, VRFY or ETRN command. This makes the restrictions more useful,
|
|
because many SMTP clients do not expect negative responses earlier
|
|
in the protocol. In order to restore the old behavior, specify
|
|
"smtpd_delay_reject = no" in /etc/postfix/main.cf.
|
|
|
|
- The Postfix local delivery agent no longer automatically propagates
|
|
address extensions to aliases/include/forward addresses. Specify
|
|
"propagate_unmatched_extensions = canonical, virtual, alias, forward,
|
|
include" to restore the old behavior.
|
|
|
|
- The Postfix local delivery agent no longer does $name expansion
|
|
on words found in the mailbox_command configuration parameter. This
|
|
makes it easier to specify shell syntax. See conf/main.cf.
|
|
|
|
- The luser_relay syntax has changed. You can specify one address;
|
|
it is subjected to $user, etc. expansions. See conf/main.cf.
|
|
|
|
- File system reorganization: daemon executables are now in the
|
|
libexec subdirectory, command executables in the bin subdirectory.
|
|
The INSTALL instructions now recommend installing daemons and
|
|
commands into separate directories.
|
|
|
|
Major changes with postfix-19990601:
|
|
=====================================
|
|
|
|
- New USER, EXTENSION, LOCAL, DOMAIN and RECIPIENT environment
|
|
variables for delivery to command (including mailbox_command) by
|
|
the local delivery agent. As you might expect, the information is
|
|
censored. The list of acceptable characters is specified with the
|
|
command_expansion_filter configuration parameter. Unacceptable
|
|
characters are replaced by underscores. See html/local.8.html.
|
|
|
|
- Specify "forward_path = /var/forward/$user" to avoid looking up
|
|
.forward files in user home directories. The default value is
|
|
$home/.forward$recipient_delimiter$extension, $home/.forward.
|
|
Initial code by Philip A. Prindeville, Mirapoint, Inc., USA.
|
|
|
|
- Conditional $name expansion in forward_path and luser_relay.
|
|
Available names are: $user (bare user name) $shell (user login
|
|
shell), $home (user home directory), $local (everything to the left
|
|
of @), $extension (optional address extension), $domain (everything
|
|
to the right of @), $recipient (the complete address) and
|
|
$recipient_delimiter. A simple $name expands as usual. ${name?value}
|
|
expands to value when $name is defined. ${name:value} expands to
|
|
value when $name is not defined. With ${name?value} and ${name:value},
|
|
the value is subject to another iteration of $name expansion.
|
|
|
|
- POSIX regular expression support, enabled by default on 4.4BSD,
|
|
LINUX, HP-UX, and Solaris 2.5 and later. See conf/sample-regexp.cf.
|
|
Initial code by Lamont Jones, Hewlett-Packard, borrowing heavily
|
|
from the PCRE implementation by Andrew McNamara, connect.com.au
|
|
Pty. Ltd., Australia.
|
|
|
|
- Regular expression checks for message headers. This requires
|
|
support for POSIX or for PCRE regular expressions. Specify
|
|
"header_checks = regexp:/file/name" or "header_checks = pcre:/file/name",
|
|
and specify "/^header-name: badstuff/ REJECT" in the pattern file
|
|
(patterns are case-insensitive by default). Code by Lamont Jones,
|
|
Hewlett-Packard. It is to be expected that full content filtering
|
|
will be delegated to an external command.
|
|
|
|
- Regular expression support for all lookup tables, including access
|
|
control (full mail addresses only), address rewriting (canonical/virtual,
|
|
full mail addresses only) and transport tables (full domain names
|
|
only). However, regular expressions are not allowed for aliases,
|
|
because that would open up security exposures.
|
|
|
|
- Automatic detection of changes to DB or DBM lookup tables. This
|
|
eliminates the need to run "postfix reload" after each change to
|
|
the SMTP access table, or to the canonical, virtual, transport or
|
|
aliases tables.
|
|
|
|
- New error mailer. Specify ".domain.name error:domain is undeliverable"
|
|
in the transport table to bounce mail for entire domains.
|
|
|
|
- No more Postfix lockups on Solaris (knock on wood). The code no
|
|
longer uses Solaris UNIX-domain sockets, because they are still
|
|
broken, even with Solaris 7.
|
|
|
|
- Workaround for the Solaris mailtool, which keeps an exclusive
|
|
kernel lock on the mailbox while its window is not iconified (specify
|
|
"sun_mailtool_compatibility = yes" in main.cf).
|
|
|
|
- Questionable workaround for Solaris, which reportedly loses
|
|
long-lived exclusive locks that are held by the master daemon.
|
|
|
|
- New reject_unknown_{sender,recipient}_domain restrictions for
|
|
sender and recipient mail addresses that distinguish between soft
|
|
errors (always 450) and hard errors (unknown_address_reject_code,
|
|
default 450).
|
|
|
|
- MIME-encapsulated bounce messages, making it easier to recover
|
|
bounced mail. Initial implementation by Philip A. Prindeville,
|
|
Mirapoint, Inc., USA. Support for RFC 1892 (multipart/report) and
|
|
RFC 1894 (DSN) will have to wait until Postfix internals have been
|
|
revised to support RFC 1893.
|
|
|
|
- Separately configurable "postmaster" addresses for single bounces
|
|
(bounce_notice_recipient), double bounces (2bounce_notice_recipient),
|
|
delayed mail (delay_notice_recipient), and for mailer error reports
|
|
(error_notice_recipient). See conf/main.cf.
|
|
|
|
- Questionable feature: specify "best_mx_transport = local" if
|
|
this machine is the best MX host for domains not in mydestinations.
|
|
|
|
Incompatible changes with postfix-19990317:
|
|
===========================================
|
|
|
|
- You MUST install the new version of /etc/postfix/postfix-script.
|
|
|
|
- The pipe mailer "flags" syntax has changed. You now explicitly
|
|
MUST specify the R flag in order to generate a Return-Path: message
|
|
header (as needed by, for example, cyrus).
|
|
|
|
Major changes with postfix-19990317:
|
|
====================================
|
|
|
|
A detailed record of changes is given in the HISTORY file.
|
|
|
|
- Less postmaster mail. Undeliverable bounce messages (double
|
|
bounces) are now discarded. Specify "notify_classes = 2bounce..."
|
|
to get copies of double bounces. Specify "notify_classes = bounce..."
|
|
to get copies of normal and double bounces.
|
|
|
|
- Improved LDAP client code by John Hensley of Merit Network, USA.
|
|
See LDAP_README for details.
|
|
|
|
- Perl-compatible regular expression support for lookup maps by
|
|
Andrew McNamara, connect.com.au Pty. Ltd., Australia.. Example:
|
|
"check_recipient_access pcre:/etc/postfix/sample-pcre.cf". Regular
|
|
expressions provide a powerful tool not only for SMTP access control
|
|
but also for address rewriting. See PCRE_README for details.
|
|
|
|
- Automatic notification of delayed mail (disabled by default).
|
|
With "delay_warning_time = 4", Postfix informs senders when mail
|
|
has not been delivered after 4 hours. Initial version of the code
|
|
by Daniel Eisenbud, University of California at Berkeley. In order
|
|
to get postmaster copies of such warnings, specify "notify_classes
|
|
= delay...".
|
|
|
|
- More configurable local delivery: "mail_spool_directory" to
|
|
specify the UNIX mail spool directory; "mailbox_transport" to
|
|
delegate all mailbox delivery to, for example, cyrus, and
|
|
"fallback_transport" to delegate delivery of only non-UNIX users.
|
|
And all this without losing local aliases and local .forward
|
|
processing. See config/main.cf and config/master.cf.
|
|
|
|
- Several changes to improve Postfix behavior under worst-case
|
|
conditions (frequent Postfix restarts/reloads combined with lots
|
|
if inbound mail, intermittent connectivity problems, SMTP servers
|
|
that become comatose after receiving QUIT).
|
|
|
|
- More NFS-friendly mailbox delivery. The local delivery agent
|
|
now avoids using root privileges where possible.
|
|
|
|
- For sites that do not receive mail at all, mydestination can now
|
|
be an empty string. Be sure to set up a transport table entry to
|
|
prevent mail from looping.
|
|
|
|
- New "postsuper" utility to clean up stale files from Postfix
|
|
queues.
|
|
|
|
- Workaround for BSD select() collisions that cause performance
|
|
problems on large BSD systems.
|
|
|
|
- Several questionable but useful features to capture mail:
|
|
"always_bcc = address" to capture a copy of every message that
|
|
enters the system, and "luser_relay = address" to capture mail for
|
|
unknown recipients (does not work when mailbox_transport or
|
|
fallback_transport are being used).
|
|
|
|
- Junk mail controls: new reject_non_fqdn_{hostname,sender,recipient}
|
|
restrictions to reject non-FQDN arguments in HELO, MAIL FROM and
|
|
RCPT TO commands, and stricter checking of numeric HELO arguments.
|
|
|
|
- "fallback_relay" feature for sites that use DNS but that can't
|
|
talk to the entire world. The fall-back relay gets the mail when
|
|
a destination is not found in the DNS or when the destination is
|
|
found but not reachable.
|
|
|
|
- Several questionable controls that can help to keep mail going:
|
|
specify "smtp_skip_4xx_greeting = yes" to skip SMTP servers that
|
|
greet with 4XX, "ignore_mx_lookup_error = yes" to look up an A
|
|
record when a DNS server does not respond to an MX query.
|
|
|
|
Incompatible changes with postfix-beta-19990122-pl01:
|
|
=====================================================
|
|
|
|
None.
|
|
|
|
Major changes with postfix-beta-19990122-pl01:
|
|
==============================================
|
|
|
|
- Restrict who may use ETRN and what domains may be specified.
|
|
Example: "smtpd_etrn_restrictions = permit_mynetworks, reject".
|
|
|
|
- BIFF notifications. For compatibility reasons this feature is
|
|
on by default. Specify "biff = no" in main.cf if your machine has
|
|
lots of shell users.
|
|
|
|
- With "soft_bounce = yes", defer delivery instead of bouncing
|
|
mail. This is a safety net for configuration errors with delivery
|
|
agents. It has no effect on errors in virtual maps, canonical maps,
|
|
or in junk mail restrictions.
|
|
|
|
- Specify "owner_request_special = no" to turn off special treatment
|
|
of owner-foo and foo-request addresses.
|
|
|
|
Incompatible changes with postfix-beta-19990122:
|
|
================================================
|
|
|
|
- The syntax of the transport table has changed. An entry like:
|
|
|
|
customer.org smtp:[gateway.customer.org]
|
|
|
|
no longer forwards mail for anything.customer.org. For that you
|
|
need to specify:
|
|
|
|
customer.org smtp:[gateway.customer.org]
|
|
.customer.org smtp:[gateway.customer.org]
|
|
|
|
This change makes tranport tables more compatible with
|
|
sendmail mailer tables.
|
|
|
|
- The format of syslog records has changed. A client is now always
|
|
logged as hostname[address]; the pickup daemon logs queue file uid
|
|
and sender address.
|
|
|
|
Major changes with postfix-beta-19990122:
|
|
=========================================
|
|
|
|
- Junk mail restrictions can now be postoned to the RCPT TO command.
|
|
Specify: "smtpd_recipient_restrictions = reject_maps_rbl...".
|
|
|
|
- More flexible interface for delivery to e.g., cyrus IMAP without
|
|
need for PERL scripts to munge recipient addresses. In addition to
|
|
$sender, $nexthop and $recipient, the pipe mailer now also supports
|
|
$user, $extension and $mailbox.
|
|
|
|
- New mail now has precedence over deferred mail, plus some other
|
|
tweaks to make bulk mail go faster. But it ain't no cure for massive
|
|
network outages.
|
|
|
|
- Watchdog timer for systems that cause the Postfix queue manager
|
|
to lock up, so it recovers without human intervention.
|
|
|
|
- Delivery to qmail-style maildir files, which is good for NFS
|
|
environments. Specify "home_mailbox = Maildir/", or specify
|
|
/file/name/ in aliases or in .forward files. The trailing / is
|
|
required to turn on maildir delivery.
|
|
|
|
- Incremental updates of aliases and maps. Specify "postmap -i
|
|
mapname" and it will read new entries from stdin.
|
|
|
|
- Newaliases will now update more than one alias database.
|
|
Specify the names with the main.cf "alias_database" parameter.
|
|
|
|
- Address masquerading exceptions to prevent users from being
|
|
masqueraded. Specify "masquerade_exceptions = root".
|
|
|
|
- A pipelined SMTP client. Deliveries to Postfix, qmail, LSOFT,
|
|
zmailer, and exim (once it's fixed) speed up by some 30% for short
|
|
messages with one recipient, with more for multi-recipient mails.
|
|
|
|
- Hook for local delivery to "|command" via the smrsh restricted
|
|
shell, to restrict what commands may be used in .forward etc. files.
|
|
Specify "local_command_shell = /some/where/smrsh -c".
|