d7d544aee7
check following for list of changes: ftp://ftp.porcupine.org/mirrors/postfix-release/official/postfix-1.1.11.RELEASE_NOTES
6362 lines
213 KiB
Plaintext
6362 lines
213 KiB
Plaintext
In addition to the names listed below, the following people provided
|
|
useful inputs on many occasions: Paul D. Robertson, Simon J. Mudd.
|
|
Apologies for any names omitted.
|
|
|
|
19980105
|
|
|
|
The compiled-in default value for resolve_smtp_sender was
|
|
wrong (from the days that it was a boolean), causing smtpd
|
|
to dump core when the variable was not set in main.cf.
|
|
|
|
The INSTALL instructions now have separate sections for
|
|
the three basic ways of running vmailer.
|
|
|
|
The INSTALL instructions now have discusses how to deal
|
|
with chrooted processes.
|
|
|
|
Ported to RedHat 5.0. My, these people have re-organized
|
|
their include files quite a bit, haven't they.
|
|
|
|
19980106
|
|
|
|
On RedHat Linux 4.2/5.0, when a FIFO listener opens the
|
|
FIFO with mode O_RDONLY, the FIFO remains forever readable
|
|
after the writer has closed it. Workaround: open the FIFO
|
|
mode O_RDWR.
|
|
|
|
Test program: util/fifo_rdonly_bug.c
|
|
|
|
Unfortunately, the above fix triggers a bug on BSD/OS 3.1
|
|
where opening the FIFO mode O_RDWR causes select() to claim
|
|
that the FIFO is readable even before any data is written
|
|
to it, causing read() to block or to fail.
|
|
|
|
Test program: util/fifo_rdwr_bug.c
|
|
|
|
printfck (check arguments of printf-like function calls)
|
|
found a missing argument in local/command.c
|
|
|
|
Miscellaneous Makefile cleanups that I didn't finish before
|
|
the first alpha release.
|
|
|
|
19980107
|
|
|
|
Sometimes the DNS will claim that a domain does not exist,
|
|
when in fact it does. Thus, it is a bad idea to reject mail
|
|
from apparently non-existent domains. I have changed the
|
|
smtpd so that it produces a soft error responses when a
|
|
resolve_smtp_sender test fails with HOST_NOT_FOUND. Note:
|
|
by default, this test is still disabled.
|
|
|
|
The DB and DBM read routines will now automagically figure
|
|
out if (key, value) pairs were written including a terminating
|
|
null byte or not. The DB and DBM write routines will use
|
|
this result to determine how to write, and will fall back
|
|
to per-system defaults otherwise.
|
|
|
|
Renamed the README to MUSINGS, and wrote up a README that
|
|
reflects the current status of the software.
|
|
|
|
Added -d (don't disconnect) and -c (show running counter)
|
|
option to te smtp-source test program. These tools are
|
|
great torture tests for the mail software, and for the
|
|
system that it runs on.
|
|
|
|
Turned down the process_limit parameter (# of parallel smtp
|
|
clients or servers) to avoid unpleasant surprises. You can
|
|
crank up the process_limit parameter in main.cf.
|
|
|
|
19980111
|
|
|
|
Feature: when run by the superuser, mailq now shows the
|
|
mail queue even when the mail system is down. To this end,
|
|
mailq (sendmail -bp) runs the showq program directly instead
|
|
of connecting to the UNIX-domain service socket, and drops
|
|
privileges etc. as usual.
|
|
|
|
19980119
|
|
|
|
Bugfix: Edwin Kremer spotted an oversight in the negated
|
|
host matching code (for name or address patterns prefixed
|
|
by !).
|
|
|
|
Bugfix: upon receipt of a SIGHUP signal, the master now
|
|
disconnects from its child processes, so that the current
|
|
generation of child processes commits suicide, and so that
|
|
the next generation of child processes will use the new
|
|
configuration settings.
|
|
|
|
Bugfix: the smtp server now skips the sender DNS domain
|
|
lookup test for foo@[address]
|
|
|
|
Bugfix: don't append the local domain to foo@[address]
|
|
|
|
19980120
|
|
|
|
Bugfix: old low-priority bug in some list walk code that
|
|
caused the master to drop core when a service was turned
|
|
off in master.cf.
|
|
|
|
Robustness: the mail system should be able to start up and
|
|
to accept local postings even while the naming service is
|
|
down. For this reason, the mail system no longer uses
|
|
gethostbyname() to look up its own machine name. Sites
|
|
that use short hostnames will have to specify their FQDN
|
|
in main.cf (this will eventually be done by the system
|
|
installation/configuration procedure). Should the config
|
|
language support backticks so one can say `domainname`? What
|
|
about $name stuff between the backtics?
|
|
|
|
Security: the master now creates FIFOs and UNIX-domain
|
|
sockets as the mail owner instead of as root, for better
|
|
protection against subverted mail systems. chmod() is
|
|
susceptible to race conditions. fchmod(), although safer,
|
|
often does not work on sockets.
|
|
|
|
Portability: anticipate that all major UNIXes will create
|
|
UNIX-domain sockets with permissions modified by the process
|
|
umask (required by POSIX). For this reason, we always
|
|
chmod() UNIX-domain sockets, unless the system allows us
|
|
to use the safer fchmod() instead.
|
|
|
|
Portability: the semi-resident servers now properly handle
|
|
EWOULDBLOCK returns from accept() in addition to EGAIN
|
|
(on some systems, EAGAIN and EWOULDBLOCK have different
|
|
values).
|
|
|
|
Bugfix: the semi-resident servers now properly handle EINTR
|
|
returns From accept().
|
|
|
|
Bugfix: Edwin Kremer found that mynetworks() would compute
|
|
(32 - mask) instead of mask.
|
|
|
|
19980121
|
|
|
|
Feature: /etc/vmailer/relocated is used by the local delivery
|
|
program and specifies what mail should be bounced with a
|
|
"user has moved to XXX" message. The main.cf configuration
|
|
parameter is "relocated_maps". Just like the "virtual_maps"
|
|
config parameter, this feature is off by default, and the
|
|
parameter can have values such as "files" or "files, nis"
|
|
(on hosts equipped with NIS).
|
|
|
|
19980123
|
|
|
|
Cleanup: virtual domain support moved from the queue manager
|
|
to the resolve service, where it belongs.
|
|
|
|
Feature: /etc/vmailer/canonical is used by the rewrite
|
|
service for all addresses, and maps a canonical address
|
|
(user@domain) to another address. Typical use is to generate
|
|
Firstname.Lastname@domain addresses, or to clean up dirty
|
|
addresses from non-RFC 822 mail systems. The main.cf
|
|
configuration parameter is "canonical_maps". Just like
|
|
the "virtual_maps" config parameter, this feature is off
|
|
by default, and the parameter can have values such as
|
|
"files" or "files, nis" (on hosts equipped with NIS).
|
|
|
|
19980124
|
|
|
|
HPUX10 port and many little fixes from Pieter Schoenmakers.
|
|
|
|
Bugfix: isolated an old mysterious bug that could make the
|
|
master deaf for new connections while no child process was
|
|
running. A typical result was that no pickup daemon would
|
|
be started after the previous one had terminated voluntarily.
|
|
|
|
Bugfix: the NIS lookup code did not mystrdup() the NIS map
|
|
name and would access free()d memory.
|
|
|
|
19980125
|
|
|
|
Bugfix: the vstream routines would sometimes ignore flushing
|
|
errors. The error would still be reported by vstream_fclose()
|
|
and vstream_ferror().
|
|
|
|
Feature: time limit on delivery to shell commands. Config
|
|
parameter: command_time_limit. Default value: 100 sec. The
|
|
idea is to prevent one bad .forward file or alias file
|
|
entry from slowly using up all local delivery process slots.
|
|
|
|
19980126
|
|
|
|
Code cleanup: in preparation for SMTP extensions such as
|
|
SIZE, allow an extended SMTP command to have a variable
|
|
number of options.
|
|
|
|
19980127
|
|
|
|
Bugfix: moved canonical map lookups away from the rewriting
|
|
module to the cleanup service, so that canonical map lookups
|
|
do not interfere with address rewriting on behalf of other
|
|
programs. Back to an older trivial-rewrite program version.
|
|
|
|
Bugfix: moved virtual map lookups away from the resolver
|
|
back to the queue manager, so that virtual domain lookup
|
|
does not interfere with address resolution on behalf of
|
|
other programs. Back to an older qmgr program version.
|
|
|
|
19980131
|
|
|
|
Feature: integrated and adapted Guido van Rooij's SIZE
|
|
option (RFC 1870), carefully avoiding potential problems
|
|
due to overflow (by multiplying large numbers) or unsigned
|
|
underflow (by subtracting numbers).
|
|
|
|
Code cleanup: cleaned up the code that parses the server
|
|
response to the HELO/EHLO command, so that we can more
|
|
reliably recognize what options a server supports.
|
|
|
|
19980201
|
|
|
|
Portability: integrated the IRIX 6 port by Oved Ben-Aroya.
|
|
|
|
Portability: the software now figures out by itself if a
|
|
server should open its FIFO read-write or read-only, to
|
|
avoid getting stuck with a FIFO that stays readable forever.
|
|
|
|
Bugfix: the cleanup service would terminate with a fatal
|
|
vstream_fseek() error when the queue file was too large.
|
|
|
|
Bugfix: the cleanup service could be killed by a signal
|
|
when the queue file became too large.
|
|
|
|
19980203
|
|
|
|
Portability: some systems have statfs(), some have statvfs(),
|
|
and the relevant include files are in a different place on
|
|
almost every system.
|
|
|
|
Portability: the makedefs script now nukes the -O compiler
|
|
flag when building on AIX with IBM's own compiler...
|
|
|
|
19980204
|
|
|
|
Portability: HP-UX 9.x support by Pieter Schoenmakers.
|
|
|
|
Portability: added SYSV-style ulimit() file size limit
|
|
support for HP-UX 9.x.
|
|
|
|
Portability: added some #includes that appeared to be
|
|
missing according to the Digital UNIX cc compiler.
|
|
|
|
Bugfix: sys_defs.h now correctly specifies NIS support for
|
|
LINUX2, HPUX9 and HPUX10.
|
|
|
|
Security: fixed a file descriptor leak in the local delivery
|
|
agent that could give shell commands access to the VMailer
|
|
IPC streams. This should not cause a vulnerability, given
|
|
the design and implementation of the mailer, but it would
|
|
be like asking for trouble.
|
|
|
|
Bugfix: the sendmail -B (body type) option did not take a
|
|
value.
|
|
|
|
19980205
|
|
|
|
Bugfix (SUNOS5): should not have deleted the SVID_GETTOD
|
|
definition from util/sys_defs.h.
|
|
|
|
Bugfix (HPUX9): forgot to specify whether to use statfs()
|
|
or statvfs().
|
|
|
|
Bugfix (HPUX9): don't try to raise the file size ulimit.
|
|
|
|
Bugfix (HPUX9): must specify file size limit in 512-blocks.
|
|
|
|
19980207
|
|
|
|
Robustness: the master process now raises the file size
|
|
limit when it is started with a limit that is less than
|
|
VMailer's file size limit. File: util/file_limit.c.
|
|
|
|
Security: the dns lookup routines now screen all result
|
|
names with valid_hostname(). Bad names are treated as
|
|
transient errors.
|
|
|
|
Feature: qmail compatibility: when the home_mailbox parameter
|
|
is set, mail is delivered to ~/$home_mailbox instead of to
|
|
/var[/spool]/mail/username. This hopefully makes it easier
|
|
to lure people away from qmail :-)
|
|
|
|
Robustness: several testers by accident configured relayhost
|
|
the same as myhostname. The programs now explicitly check
|
|
for this mistake.
|
|
|
|
Bugfix: deliver_request_read() would free unallocated memory
|
|
when it received an incomplete delivery request from the
|
|
queue manager.
|
|
|
|
Robustness: local_destination_concurrency=1 prevents parallel
|
|
delivery to the same user (with possibly disastrous effects
|
|
when that user has an expensive pipeline in the .forward
|
|
or procmail config file). Each transport can have its own
|
|
XXX_destination_concurrency parameter, to limit the number
|
|
of simultaneous deliveries to the same destination.
|
|
|
|
19980208
|
|
|
|
Robustness: added "slow open" mode, to gradually increase
|
|
the number of simultaneous connections to the same site as
|
|
long as delivery succeeds, and to gradually decrease the
|
|
number of connections while delivery fails. Brad Knowles
|
|
provided the inspiration to do this.
|
|
|
|
This also solves the "thundering herd" problem (making a
|
|
bunch of connections to a dead host when it was time to
|
|
retry that host). Let's see when other mailers fix this.
|
|
|
|
Feature: Added $smtpd_banner and $mail_version, for those
|
|
who want to show the world what software version they are
|
|
running.
|
|
|
|
Bugfix: vmailer-script now properly labels each syslog
|
|
entry.
|
|
|
|
19980210
|
|
|
|
Portability: merged in NEXTSTEP 3 port from Pieter Schoenmakers
|
|
|
|
Bugfix: the local delivery program now checks that a
|
|
destination is a regular file before locking it.
|
|
|
|
19980211
|
|
|
|
Robustness: the local delivery agent sets HOME, LOGNAME,
|
|
and SHELL when delivering to a user shell command. PATH is
|
|
always set, and TZ is passed through if it is set.
|
|
|
|
19980212
|
|
|
|
Feature: mailq (sendmail -bp) now also lists the maildrop
|
|
queue (with mail that hasn't been picked up yet).
|
|
|
|
19980213
|
|
|
|
Feature: the smtpd now says: 502 HELP not implemented. This
|
|
should impress the heck out of the competition :-)
|
|
|
|
19980214
|
|
|
|
Feature: local delivery to configurable system-wide command
|
|
(e.g. procmail) avoids the need for per-user ~/.forward
|
|
shell commands. Config parameter: mailbox_command.
|
|
|
|
19980215
|
|
|
|
Performance: avoid running a shell when a command contains
|
|
no shell magic characters or built-in shell commands. This
|
|
speeds up delivery to all commands. File: util/exec_command.c.
|
|
|
|
Bugfix: the local delivery agent, after reading EOF from
|
|
a child process, now sends SIGKILL only when the child does
|
|
not terminate within a limited amount of time. This avoids
|
|
some problems with procmail. File: util/timed_wait.c.
|
|
|
|
19980217
|
|
|
|
Portability: folded in NetInfo support from Pieter
|
|
Schoenmakers.
|
|
|
|
19980218
|
|
|
|
Feature: new vmlock command to run a command while keeping
|
|
an exclusive lock on a mailbox.
|
|
|
|
Feature: with "recipient_delimiter = +", mail for local
|
|
address "user+foo" is delivered to "foo", with a "Delivered-To:
|
|
user+foo@domain" message header. Files: qmgr/qmgr_message.c,
|
|
local/recipient.c. This must be the cheapest feature.
|
|
|
|
19980219
|
|
|
|
Code cleanup: moved error handling into functions that
|
|
should always succeed (non_blocking(), close_on_exec()).
|
|
|
|
19980223
|
|
|
|
Bugfix: null pointer bug in the cleanup program after
|
|
processing a From: header with no mail address (or with
|
|
only a comment).
|
|
|
|
19980226
|
|
|
|
Robustness: now detects when getpwnam() returns a name that
|
|
differs from the requested name.
|
|
|
|
Feature: Added %p support to the vbuf_print formatting
|
|
module.
|
|
|
|
Code cleanup: revamped the alias/include/.forward loop
|
|
detection and duplicate suppression code in the local
|
|
delivery agent. This must be the fourth iteration, and
|
|
again the code has been simplified.
|
|
|
|
19980228
|
|
|
|
Robustness: don't treat anything starting with whitespace
|
|
as a header record. Instead, explicitly test for leading
|
|
whitespace where we permit it. Files: global/is_header.c,
|
|
bounce/bounce_flush_service.c, local/delivered.c.
|
|
|
|
19980301
|
|
|
|
Compatibility: the sendmail program now accepts the -N
|
|
command-line option (delivery status notification) but
|
|
ignores it entirely, just like many other sendmail options.
|
|
|
|
Bugfix: dns_lookup.c was too conservative with buffer sizes
|
|
and would incorrectly report "malformed name server reply".
|
|
|
|
19980302
|
|
|
|
Bugfix: the local delivery agent was not null-byte clean.
|
|
|
|
19980307
|
|
|
|
Feature: integrated Pieter Schoenmaker's code for transport
|
|
lookup tables that list (transport, nexthop) by destination.
|
|
|
|
19980309
|
|
|
|
Bugfix: delivery agents no longer rename corrupt queue
|
|
files, because programs might fall over each other doing
|
|
so. Instead, when a delivery agent detects queue file
|
|
corruption, it chmods the queue file, simulates a soft
|
|
error, and lets the queue manager take care of the problem.
|
|
|
|
Bugfix: the SMTP server implemented VRFY incorrectly.
|
|
|
|
Feature: first shot at a pipe mailer, which can be used to
|
|
extend VMailer with external mail transports such as UUCP
|
|
(provided that the remote site understands domain addressing,
|
|
because VMailer version 1 does not rewrite addresses).
|
|
|
|
Cleanup: extended the master/child interface so that the
|
|
service name (from master.cf) is passed on to the child.
|
|
The pipe mailer needs the service name so it can look up
|
|
service-specific configuration parameters (privilege level,
|
|
recipient limit, time limit, and so on).
|
|
|
|
19980310-12
|
|
|
|
Cleanup: factored out the pipe_command() code, so it can
|
|
be shared between pipe mailer and local delivery agent.
|
|
|
|
19980314
|
|
|
|
Compatibility: the sendmail program now parses each
|
|
command-line recipient as if it were an RFC 822 message
|
|
header; some MUAs specify comma-separated recipients in a
|
|
command-line argument; and some MUAs even specify "word
|
|
word <address>" forms as command-line arguments.
|
|
|
|
19980315
|
|
|
|
Bugfix: VMailer's queue processing randomization wasn't
|
|
adequate for unloaded systems with small backlogs.
|
|
|
|
Bugfix: smtpd now uses double-buffered stream I/O to prevent
|
|
loss of input sent ahead of responses.
|
|
|
|
19980316
|
|
|
|
Bugfix: the smtpd anti-relay code didn't treat all hosts
|
|
listed in $mydestinations as local, so it would accept mail
|
|
only for hosts listed in $relay_domains (default: my own
|
|
domain).
|
|
|
|
Bugfix: smtpd now replies with 502 when given an unknown
|
|
command.
|
|
|
|
19980318
|
|
|
|
Cleanup: resolve/rewrite clients now automatically disconnect
|
|
after a configurable amount of idle time (ipc_idle).
|
|
|
|
19980322
|
|
|
|
Tolerance: VRFY now permits user@domain, even though the
|
|
RFC requires that special characters such as @ be escaped.
|
|
|
|
19980325
|
|
|
|
Bugfix: a recipient delimiter of "-" could interfere with
|
|
special addresses such as owner-xxx or double-bounce.
|
|
|
|
Tolerance: the SMTP client now permits blank lines in SMTP
|
|
server responses.
|
|
|
|
Tolerance: the SMTP client now falls back to SMTP when it
|
|
apparently mistook an SMTP server as ESMTP capable.
|
|
|
|
Bugfix: eliminated strtok() calls in favor of mystrtok().
|
|
Symptom: master.cf parsing would break if $inet_interfaces
|
|
was more than one word.
|
|
|
|
19980328
|
|
|
|
Bugfix: user->addr patterns in canonical and virtual tables
|
|
matched only $myorigin, not hosts listed in $mydestination
|
|
or addresses listed in $inet_interfaces. The man pages
|
|
were wrong too. File: global/addr_match.c.
|
|
|
|
19980401
|
|
|
|
Robustness: FIFO file permissions now default to 0622. On
|
|
some systems, opening a FIFO read-only could deafen the
|
|
pickup daemon. Only the listener end (which is opened as
|
|
root) needs read access anyway, so there should not be a
|
|
loss of functionality by making FIFOs non-readable for
|
|
non-mail processes.
|
|
|
|
19980402
|
|
|
|
Compatibility: sendmail -I and -c options added.
|
|
|
|
19980403
|
|
|
|
Feature: virtual lookups are now recursive. File:
|
|
qmgr/qmgr_message.c
|
|
|
|
19980405
|
|
|
|
Implemented sendmail -bs (stand-alone) mode. This mode runs
|
|
as the user and therefore deposits into the maildrop queue.
|
|
|
|
19980406
|
|
|
|
The pickup service now removes malformed maildrop files.
|
|
|
|
19980407
|
|
|
|
The pickup service now guards against maildrop files with
|
|
time stamps dated into the future.
|
|
|
|
19980408
|
|
|
|
Bugfix: in the canonical and virtual maps, foo->address
|
|
would match foo@$myorigin only. This has been fixed to also
|
|
match hosts listed in main.cf:$mydestination and the
|
|
addresses listed in main.cf:$inet_interfaces.
|
|
|
|
Bugfix: added double buffering support to the VMailer SMTP
|
|
server. This makes the SMTP server robust against SMTP
|
|
clients that talk ahead of time, and should have been in
|
|
there from day one.
|
|
|
|
19980409
|
|
|
|
Bugfix: the VMailer SMTP client now recognizes its own
|
|
hostname in the SMTP greeting banner only when that name
|
|
appears as the first word on the first line.
|
|
|
|
19980410
|
|
|
|
Feature: smtpd now logs the local queue ID along with the
|
|
client name/address, and pickup now logs the local queue
|
|
ID along with the message owner.
|
|
|
|
Bugfix: still didn't do virtual/canonical lookups right
|
|
(code used the non-case-folded key instead of the case
|
|
folded one).
|
|
|
|
19980418
|
|
|
|
Bugfix: the SMTP server did not flush the "250 OK queued
|
|
as XXXX" message from the SMTP conversation history.
|
|
|
|
19980419
|
|
|
|
Bugfix: qmgr would not notice that a malformed message has
|
|
multiple senders, and would leak memory (Tom Ptacek).
|
|
|
|
19980421
|
|
|
|
Portability: in the mantools scripts, the expr pattern no
|
|
longer has ^ at the beginning, and the scripts now use the
|
|
expand program instead of my own detab utility.
|
|
|
|
19980425
|
|
|
|
NetBSD 1.x patch by Soren S. Jorvang.
|
|
|
|
19980511
|
|
|
|
Feature: the SMTP server now logs the protocol (SMTP or
|
|
ESMTP) as part of the Received: header.
|
|
|
|
Feature: smtpd now logs the last command when a session is
|
|
aborted due to timeout, unexpected EOF, or too many client
|
|
errors.
|
|
|
|
19980514
|
|
|
|
Bugfix: the queue manager did not update the counter for
|
|
in-core message structures, so the in-core message limit
|
|
had no effect. This can be bad when you have a large backlog
|
|
with many messages eligible for delivery.
|
|
|
|
Robustness: the queue manager now also limits the total
|
|
number of in-core recipient structures, so that it won't
|
|
use excessive amounts of memory on sites that have large
|
|
mailing lists.
|
|
|
|
19980518
|
|
|
|
Bugfix: the SMTP client did not notice that the DNS client
|
|
received a truncated response. As a result, a backup MX
|
|
host could incorrectly claim that it was the best MX host
|
|
and declare a mailer loop.
|
|
|
|
Added start_msg/stop_msg entries to the vmailer startup
|
|
script, for easy installation.
|
|
|
|
Cleanup: VMailer databases are now explicitly specified as
|
|
type:name, for example, hash:/etc/aliases or nis:mail.aliases,
|
|
instead of implicitly as "files", "nis" and so on. Test
|
|
program: util/dict_open. This change allowed me to
|
|
eliminate a lot of redundant code from mkmap_xxx.c, and
|
|
from everything that does map lookups.
|
|
|
|
19980525
|
|
|
|
Bugfix: local/dotforward.c compared the result of opening
|
|
a user's ~/.forward against the wrong error value.
|
|
|
|
19980526
|
|
|
|
Bugfix: the smtpd VRFY command could look at free()d memory.
|
|
|
|
Robustness: the smtpd program had a fixed limit on the
|
|
number of token structures. The code now dynamically
|
|
allocates token structures.
|
|
|
|
Bugfix: the queue manager still used the deprecated parameter
|
|
name xxx_deliver_concurrency for concurrency control, but
|
|
the documentation talks about the preferred parameter name
|
|
xxx_destination_concurrency. Fix: try xxx_destination_concurrency
|
|
first, then fall back to xxx_deliver_concurrency.
|
|
|
|
19980621-19980702
|
|
|
|
Cleanup: the string read routines now report the last
|
|
character read or VSTREAM_EOF. This change is necessary
|
|
for the implementation of the long SMTP line bugfix.
|
|
|
|
Bugfix: the smtp server exited the DATA command prematurely
|
|
when the client sent long lines. Reason: the smtp server
|
|
did not remember that it broke long lines, so that '.'
|
|
could appear to be the first character on a line when in
|
|
fact it wasn't.
|
|
|
|
Bugfix: the queue manager made lots of stupid errors while
|
|
reading $qmgr_message_recipient_limit chunks of recipients
|
|
from a queue file. This code has been restructured.
|
|
|
|
19980706
|
|
|
|
Performance: the cleanup program now always adds return-receipt
|
|
and errors-to records to a queue file, so that the queue
|
|
manager does not have to plow through huge lists of
|
|
recipients.
|
|
|
|
Robustness: the initial destination concurrency now defaults
|
|
to 2, so that one bad message or one bad connection does
|
|
not stop all mail to a site. The configuration parameter
|
|
is called initial_destination_concurrency.
|
|
|
|
Performance: the per-message recipient limit is now enforced
|
|
by the queue manager instead of by the transport. Thus, a
|
|
large list of recipients for the same site is now mapped
|
|
onto several delivery requests which can be handled in
|
|
parallel, instead of being mapped onto one delivery request
|
|
that is sent to limited numbers of recipients, one group
|
|
after the other.
|
|
|
|
19980707
|
|
|
|
Cleanup: the queue manager now does an additional recipient
|
|
sort after the recipients have been resolved, so that the
|
|
code can do better aggregation of recipients by next hop
|
|
destination.
|
|
|
|
Feature: lines in the master.cf file can now be continued
|
|
in the same manner as lines in the main.cf file, i.e. by
|
|
starting the next line with whitespace.
|
|
|
|
Feature: the smtp client now warns that a message may be
|
|
delivered multiple times when the response to "." is not
|
|
received (the problem described in RFC 1047).
|
|
|
|
Cleanup: when the queue manager changes its little mind
|
|
after contacting a delivery agent (for example, it decides
|
|
to skip the host because a transport or host goes bad),
|
|
the delivery agent no longer complains about premature EOF.
|
|
File: global/deliver_request.c
|
|
|
|
19980709
|
|
|
|
Bugfix: when breaking long lines, the SMTP client did not
|
|
escape leading dots in secondary etc. line fragments. Fix:
|
|
don't break lines. This change makes VMailer line-length
|
|
transparent. Files: global/smtp_stream.c, smtp/smtp_proto.c.
|
|
|
|
19980712
|
|
|
|
Cleanup: the queue manager to deliver agent protocol now
|
|
distinguishes between domain-specific soft errors and
|
|
recipient-specific soft errors. Result: many soft errors
|
|
with SMTP delivery no longer affect other mail the same
|
|
domain.
|
|
|
|
19980713
|
|
|
|
Feature: the file modification time stamp of deferred queue
|
|
files is set to the nearest wakeup time of their recipient
|
|
hosts, or if delivery was deferred due to a non-host problem,
|
|
the time stamp is set into the future by the configurable
|
|
minimal backoff time.
|
|
|
|
Bugfix: the SMTP client and the MAILQ command would report
|
|
as message size the total queue file size. That would
|
|
grossly overestimate the size of a message with many
|
|
recipients.
|
|
|
|
Bugfix: the 19980709 fix screwed up locally-posted mail
|
|
that didn't end in newline.
|
|
|
|
19980714
|
|
|
|
Robustness: the makedefs script now defaults to no optimization
|
|
when compiling for purify.
|
|
|
|
19980715
|
|
|
|
Robustness: the makedefs script now defaults to no optimization
|
|
when compiling with gcc 2.8, until this compiler is known
|
|
to be OK.
|
|
|
|
Workaround: when sending multiple messages over the same
|
|
SMTP connection, some SMTP servers need an RSET command
|
|
before the second etc. MAIL FROM command. The VMailer SMTP
|
|
client now sends a redundant RSET command just in case.
|
|
|
|
The queue manager now logs explicitly when delivery is
|
|
deferred because of a "dead" message transport.
|
|
|
|
19980716
|
|
|
|
Feature: mailq and mail bounces now finally report why mail
|
|
was deferred (the reason was logged to the syslog file
|
|
only). Changes were made to the bounce service (generalized
|
|
to be usable for defer logs), showq service (to show reasons)
|
|
and the queue manager.
|
|
|
|
As a result the defer directory (with one log per deferred
|
|
message) may contain many files; also, this directory is
|
|
accessed each time a message is let into the active queue,
|
|
in order to delete its old defer log. This means that hashed
|
|
directories are now a must.
|
|
|
|
19980718-20
|
|
|
|
Feature: configurable timeout for establishing smtp
|
|
connections. Parameter: smtp_connect_timeout (default 0,
|
|
which means use the timeout as wired into the kernel).
|
|
Inspired by code from Lamont Jones. For a clean but far
|
|
from trivial implementation, see util/timed_connect.c
|
|
|
|
Cleaned up the interfaces that implement read/write deadlines.
|
|
Instead of returning -2, the routines now set errno to
|
|
ETIMEDOUT; the readable/writable tests are now separate.
|
|
|
|
19980722
|
|
|
|
Feature: the default indexed file type (hash, btree, dbm)
|
|
is now configurable with the "database_type" parameter.
|
|
The default value for this parameter is system specific.
|
|
|
|
Feature: selectively turn on verbose logging for hosts that
|
|
match the patterns specified via the "debug_peer_list"
|
|
config parameter. Syntax is like the "bad_smtp_clients"
|
|
parameter (see global/peer_list.c). The verbose logging
|
|
level is specified with "debug_peer_level" (default 2).
|
|
|
|
Security: the local delivery agent no longer delivers to
|
|
files that have execute permission enabled.
|
|
|
|
19980723
|
|
|
|
Workarounds for Solaris 2.x UNIX-domain sockets: they lose
|
|
data when you close them immediately after writing to them.
|
|
This could screw up the delivery agent to queue manager
|
|
protocol.
|
|
|
|
19980724
|
|
|
|
Cleanup: spent most of the day cleaning up queue manager
|
|
code that defers mail when a site or transport dies, and
|
|
fixed a few obscure problems in the process.
|
|
|
|
19980726
|
|
|
|
Feature: the admin can now configure what classes of problems
|
|
result in mail to the postmaster. Configuration parameter:
|
|
"notify_classes". Default is backwards compatible: bounce,
|
|
policy, protocol, resource, and software.
|
|
|
|
19980726-28
|
|
|
|
Feature: the admin can now configure what smtp server access
|
|
control restrictions must be applied, and in what order.
|
|
Configuration parameters: smtpd_client_restrictions,
|
|
smtpd_helo_restrictions, smtpd_mail_restrictions and
|
|
smtpd_rcpt_restrictions. Defaults are intended to be
|
|
backwards compatible. The bad_senders and bad_clients lists
|
|
are gone and have become db (dbm, nis, etc) maps. Files:
|
|
smtpd/smtpd_check.c, config/main.cf.
|
|
|
|
19980729-31
|
|
|
|
Feature: hashed queues. Rewrote parts of the mail queue
|
|
API. Configuration parameters: "hash_queue_names" specifies
|
|
what queue directories will be hashed (default: the defer
|
|
log directory), "hash_queue_depth" specifies the number of
|
|
subdirectories used for hashing (default 2).
|
|
|
|
19980802
|
|
|
|
Bugfix: the pipe mailer should expand command-line arguments
|
|
with $recipient once for every recipient (producing one
|
|
command-line argument per recipient), instead of replacing
|
|
$recipient by of all recipients (i.e. producing only one
|
|
command-line argument). This is required for compatibility
|
|
with programs that expect to be run from sendmail, such as
|
|
uux. Thanks to Ollivier Robert for helping me to get this
|
|
right.
|
|
|
|
Code cleanup: for the above, cleaned up the macro expansion
|
|
code in dict.c and factored out the parsing into a separate
|
|
module, mac_parse.c.
|
|
|
|
19980803
|
|
|
|
"|command" and /file/name destinations in alias databases
|
|
are now executed with the privileges of the database owner
|
|
(unless root or vmailer). Thus, with: "alias_maps =
|
|
hash:/etc/aliases, hash:/home/majordomo/aliases", and with
|
|
/home/majordomo/aliases* owned by the majordomo account,
|
|
you no longer need the majordomo set-uid wrapper program,
|
|
and you no longer need root privileges in order to install
|
|
a new mailing list.
|
|
|
|
19980804
|
|
|
|
Added support for the real-time blackhole list. Example:
|
|
"client_restrictions = permit_mynetworks, reject_maps_rbl"
|
|
|
|
All SMTP server "reject" status codes are now configurable:
|
|
unknown_client_reject_code, mynetworks_reject_code,
|
|
invalid_hostname_reject_code, unknown_hostname_reject_code,
|
|
unknown_address_reject_code, relay_domains_reject_code,
|
|
access_map_reject_code, maps_rbl_reject_code. Default values
|
|
are documented in the smtpd/smtpd_check.c man page.
|
|
|
|
19980806-8
|
|
|
|
Code cleanup: after eye balling line-by line diffs, started
|
|
deleting code that duplicated functionality because it was
|
|
at the wrong abstraction level (smtp_trouble.c), moved
|
|
functionality that was in the wrong place (dictionary
|
|
reference counts in maps.c instead of dict.c), simplified
|
|
code that was too complex (password-file structure cache)
|
|
and fixed some code that was just wrong.
|
|
|
|
19980808
|
|
|
|
Robustness: the number of queue manager in-core structures
|
|
for dead hosts is limited; the limit scales with the limit
|
|
on the number of in-core recipient structures. The idea is
|
|
to not run out of memory under conditions of stress.
|
|
|
|
19980809
|
|
|
|
Feature: mail to files and commands can now be restricted
|
|
by class: alias, forward file or include file. The default
|
|
restrictions are: "allow_mail_to_files = alias, forward"
|
|
and allow_mail_to_commands = alias, forward". The idea is
|
|
to protect against buggy mailing list managers that allow
|
|
intruders to subscribe /file/name or "|command".
|
|
|
|
19980810-12
|
|
|
|
Cleanup: deleted a couple hundred lines of code from the
|
|
local delivery agent. It will never be a great program;
|
|
sendmail compatibility is asking a severe toll.
|
|
|
|
19980814
|
|
|
|
Cleanup: made the program shut up about some benign error
|
|
conditions that were reported by Daniel Eisenbud.
|
|
|
|
19980814-7
|
|
|
|
Documentation: made a start of HTML docs that describe all
|
|
configuration parameters.
|
|
|
|
Feature: while documenting things, added smtpd_helo_required.
|
|
|
|
19980817
|
|
|
|
Bugfix: at startup the queue manager now updates the time
|
|
stamps of active queue files some time into the future.
|
|
This eliminates duplicate deliveries after "vmailer reload".
|
|
|
|
Bugfix: the local delivery agent now applies the recipient
|
|
delimiter after looking in the alias database, instead of
|
|
before.
|
|
|
|
Documentation bugfixes by Matt Shibla, Tom Limoncelli,
|
|
Eilon Gishri.
|
|
|
|
19980819
|
|
|
|
GLIBC fixes from Myrdraal.
|
|
|
|
Bugfix: applied showq buffer reallocation workaround in
|
|
the wrong place.
|
|
|
|
Bugfix: can't use shorts in varargs lists. SunOS 4 has
|
|
short uid_t and gid_t. pipe_command() would complain.
|
|
|
|
Bugfix: can't use signed char in ctype macros. All ctype
|
|
arguments are now casted to unsigned char. Thanks, Casper
|
|
Dik.
|
|
|
|
19980820
|
|
|
|
Bugfix: save the alias lookup result before looking up the
|
|
owner. The previous alpha release did this right.
|
|
|
|
Cleanup: mail_trigger() no longer complains when the trigger
|
|
FIFO or socket is unavailable. This change is necessary to
|
|
shut up the sendmail mail posting program, so that it can
|
|
be used on mail clients that mount their maildrop via NFS.
|
|
|
|
Experiment: pickup and pipe now run as vmailer most of the
|
|
time, and switch to user privileges only temporarily.
|
|
Files: util/set_eugid.c global/pipe_command.c pipe/pipe.c
|
|
pickup/pickup.c. Is this more secure/ What about someone
|
|
manipulating such a process while not root? It still has
|
|
ruid == 0.
|
|
|
|
19980822
|
|
|
|
Portability: with GNU make, commands such as "(false;true)"
|
|
and "while :; do false; done" don't fail. Workaround: use
|
|
"set -e" all over the place. Problem found by Jeff Wolfe.
|
|
|
|
Feature: "check_XXX_access maptype:mapname" (XXX = client,
|
|
helo, sender, recipient). Now you can make recipient and
|
|
other SPAM restrictions dependent on client or sender access
|
|
tables lookup results.
|
|
|
|
19980823
|
|
|
|
Bugfix: smtpd access table lookup keys were case sensitive.
|
|
|
|
Added "permit" and "reject" operators. These are useful at
|
|
the end of SPAM restriction lists (smtpd_XXX_restrictions).
|
|
|
|
Added a first implementation of the permit_mx_backup SPAM
|
|
restriction. This permits mail relaying to any domain that
|
|
lists this mail system as an MX host (including mail for
|
|
the local machine). Thanks to Ollivier Robert for useful
|
|
discussions.
|
|
|
|
19980824
|
|
|
|
Bugfix: transport table lookup keys were case sensitive.
|
|
|
|
19980825
|
|
|
|
Portability: sa_len is some ugly #define on some SGI systems,
|
|
so we must rename identifiers (file util/connect.c).
|
|
|
|
Bugfix: uucp delivery errors are now sent to the sender.
|
|
Thanks, Mark Delany.
|
|
|
|
Bugfix: the pipe delivery agent now replaces empty sender
|
|
by the mailer daemon address. Mark Delany, again.
|
|
|
|
Portability: GNU getopt looks at all command-line arguments.
|
|
Fix: insert -- into the pipe/uucp definition in master.cf.
|
|
|
|
Bugfix: the smtp server command tokenizer silently discarded
|
|
the [] around [text], so that HELO [x.x.x.x] was read as
|
|
if the client had sent: HELO x.x.x.x. Thanks, Peter Bivesand.
|
|
|
|
Bugfix: the HELO unknown hostname/bad hostname restrictions
|
|
would have treated [text] as a domain name anyway.
|
|
|
|
Bugfix: the $local_duplicate_filter_limit value was not
|
|
picked up by the local delivery agent. This means the local
|
|
delivery agent could run out of memory on large mailing
|
|
list deliveries.
|
|
|
|
19980826
|
|
|
|
Performance: mkmap/mkalias now run with the same speed as
|
|
sendmail. VMailer now uses a 4096-entry cache with 1 Mbyte
|
|
of memory for DB lookups. File: util/dict_db.c.
|
|
|
|
19980902
|
|
|
|
Robustness: the reject_unknown_hostname restriction for
|
|
HELO/EHLO hostnames will now permit names that have an MX
|
|
record instead of an A record.
|
|
|
|
19980903
|
|
|
|
Feature: appending @$myorigin to an unqualified address is
|
|
configurable with the boolean append_at_myorigin parameter
|
|
(default: yes).
|
|
|
|
Feature: appending .$mydomain to user@host is configurable
|
|
with the boolean append_dot_mydomain parameter (default:
|
|
yes).
|
|
|
|
Feature: site!user is rewritten to user@site, under control
|
|
of the boolean parameter swap_bangpath (default: yes).
|
|
|
|
Feature: permit a naked IP address in HELO commands (i.e. an
|
|
address without the enclosing [] as required by the RFC), by
|
|
specifying "permit_naked_ip_address" as one of the restrictions
|
|
in the "smtpd_helo_restrictions" config parameter.
|
|
|
|
19980904
|
|
|
|
Code cleanup: when an SMTP client aborts a session after
|
|
sending MAIL FROM, the cleanup service no longer warns that
|
|
it is "skipping further client input". Files: cleanup/*.c.
|
|
Thanks, Daniel Eisenbud, for prodding.
|
|
|
|
Code cleanup: when an SMTP server disconnects in the middle
|
|
of a session, don't try to send QUIT over the non-existing
|
|
connection. Files: global/smtp_stream.c, smtp/smtp.c.
|
|
Thanks, Daniel Eisenbud, for prodding, again.
|
|
|
|
Code cleanup: the VMailer version number has moved from
|
|
mail_params.h (which is included by lots of modules) to a
|
|
separate file global/mail_version.h, so that a version
|
|
change no longer results in massive recompilation.
|
|
|
|
Bugfix: Errors-To was flagged as a sender address, so
|
|
the address never was picked up.
|
|
|
|
Code cleanup: support for Errors-To: headers completed.
|
|
|
|
19980905
|
|
|
|
Feature: per-message exponential delivery backoff, by
|
|
looking at the amount of time a message has been queued.
|
|
Thanks, Mark Delany.
|
|
|
|
19980906
|
|
|
|
Code cleanup: ripped out the per-host exponential backoff
|
|
code. It was broken by 19980818. It was probably a bad idea
|
|
anyway, because it required per-host, in-core, state kept
|
|
by the queue manager. All we do now is to keep state for
|
|
$minimal_backoff_time seconds, but only for a limited number
|
|
of hosts. Daniel Eisenbud spotted the problem.
|
|
|
|
Lost feature: the SMTP session transcripts now show who
|
|
said what. This feature was inadvertently dropped during
|
|
development. Thanks, Daniel Eisenbud, for reminding.
|
|
|
|
Documentation: the hard-coded rewriting process of the
|
|
trivial-rewrite program is described in html/rewrite.html.
|
|
|
|
Feature: the local delivery agent now does alias lookups
|
|
before and after chopping off the recipient subaddress.
|
|
This allows you to forward user-anything to another user,
|
|
without losing the ability to redirect specific user-foo
|
|
addresses.
|
|
|
|
19980909
|
|
|
|
Feature: the smtp client now logs a warning that a server
|
|
sends a greeting banner with the client's hostname, which
|
|
could imply a mailer loop.
|
|
|
|
19980910
|
|
|
|
Feature: separate canonical maps for sender and recipient
|
|
address rewriting, so that you can rewrite an ugly sender
|
|
address and still forward mail to that same ugly address
|
|
without creating a mailer loop. Files: cleanup_envelope.c,
|
|
cleanup_message.c, cleanup_rewrite.c.
|
|
|
|
19980911
|
|
|
|
Feature: virtual maps now support multiple addresses on
|
|
the right-hand side. In the case of virtual domains this
|
|
can eliminate the need for address expansion via local
|
|
aliases, making virtual domains much easier to administer.
|
|
This required that I moved the virtual table lookups from
|
|
the queue manager to the cleanup service, so that every
|
|
recipient has an on-disk status record. Files: qmgr.c,
|
|
qmgr_message.c, cleanup_envelope.c, cleanup_rewrite.c,
|
|
cleanup_virtual.c.
|
|
|
|
Feature: sendmail/mailq/newaliases pass on the -v flag to
|
|
the program that they end up running, to make debugging a
|
|
little easier.
|
|
|
|
19980914
|
|
|
|
Bugfix: some anti-spam measures didn't recognize some
|
|
addresses as local and would do too much work. File:
|
|
smtpd_check.c.
|
|
|
|
Bugfix: the smtp sender/recipient table lookup restriction
|
|
destroyed global data, so that other restrictions could
|
|
break. File: smtpd_check.c.
|
|
|
|
Bugfix: after vmailer reload, single-threaded servers could
|
|
exit before flushing unwritten data to the client. Example:
|
|
cleanup would exit before acking success to pickup, so the
|
|
message would be delivered twice. Bug reported by Brian Candler.
|
|
|
|
Cleanup: removed spurious error output from vmailer-script.
|
|
Reported by Brian Candler.
|
|
|
|
Tolerance: ignore non-numeric SMTP server responses. There's
|
|
lot of brain damage out there on the net.
|
|
|
|
19980915
|
|
|
|
Feature: the smtp-sink benchmark tool now announces itself
|
|
with a neutral name so that it can be run on the same
|
|
machine as VMailer, without causing Postfix to complain
|
|
about a mailer loop.
|
|
|
|
Robustness: on LINUX, vmailer-script now does chattr +S to
|
|
force synchronous directory updates. Fix developed with
|
|
Chris Wedgwood.
|
|
|
|
19980916
|
|
|
|
Bugfix: when transforming an RFC 822 address to external
|
|
form, there is no need to quote " characters in comments.
|
|
This didn't break anything, it just looked ugly. File:
|
|
global/tok822_parse.c
|
|
|
|
19980917
|
|
|
|
Workaround: with deliveries to /file/name, use fsync() and
|
|
ftruncate() only on regular files. File: local/file.c
|
|
|
|
Workaround: the plumbing code in master_spawn.c didn't
|
|
check if it was dup2()/close()ing a descriptor to itself
|
|
then closing it. Will have to redo the plumbing later.
|
|
|
|
19980918
|
|
|
|
Workaround: on multiprocessor Solaris machines, one-second
|
|
rollover appears to happen on different CPUs at slightly
|
|
different times. Made the queue manager more tolerant for
|
|
such things. Problem reported by Daniel Eisenbud.
|
|
|
|
Workaround: in preparation for deployment with a network-shared
|
|
maildrop directory. make pickup more tolerant against clock
|
|
drift between clients and servers.
|
|
|
|
19980921
|
|
|
|
New vstream_popen() module that opens a two-way channel
|
|
across a socketpair-based pipe. This module isn't being
|
|
used yet; it is here only to complete the vstream code.
|
|
|
|
19980922
|
|
|
|
Code cleanup: the xxx_server_main() interface for master
|
|
child processes now uses a name-value argument list instead
|
|
of an ugly and inflexible data structure.
|
|
|
|
Bugfix: moved the test if a non-interactive process is run
|
|
by hand, so that the "don't do this" error message can be
|
|
printed to stderr before any significant processing.
|
|
|
|
Bugfix: smtpd now can talk to unix-domain sockets without
|
|
bailing out on a peer lookup problem. Files: smtpd/smtpd.c,
|
|
util/peer_name.c.
|
|
|
|
Safety: by default, the postmaster is no longer informed
|
|
of protocol problems, policy violations or bounces.
|
|
|
|
Safety: the SMTP server now sleeps before sending a [45]xx
|
|
error response, in order to prevent clients from hammering
|
|
the server with a connect/error/disconnect loop. Parameter:
|
|
smtpd_error_sleep_time (default: 5).
|
|
|
|
Feature: the logging facility is compile-time configurable
|
|
(e.g., make makefiles "CCARGS=-DLOG_FACILITY=LOG_LOCAL1").
|
|
|
|
19980923
|
|
|
|
Bugfix: changed virtual/canonical map search order from
|
|
(user@domain, @domain, user) to (user@domain, user, @domain)
|
|
so the search order is most specific to least specific.
|
|
File: global/addr_map.c, lots of documentation.
|
|
|
|
Bugfix: after the change of 19980910, cleanup_message
|
|
extracted recipients from Reply-To: etc. headers. Found
|
|
by Lamont Jones.
|
|
|
|
19980925
|
|
|
|
Bugfix: the change in virtual/canonical map search order
|
|
broke @domain entries; they would never be looked up if
|
|
the address matched $myorigin or $mydestinations. Found
|
|
by Chip Christian who now regrets asking for the change.
|
|
|
|
Bugfix: cleanup initialized an error mask incorrectly, so
|
|
that it would keep writing to a file larger than the queue
|
|
file size limit, and so it would treat the error as a
|
|
recoverable one instead of sending a bounce. Thanks, Pieter
|
|
Schoenmakers.
|
|
|
|
Bugfix: the "queue file cleanup on fatal error" action was
|
|
no longer enabled in the sendmail mail posting agent.
|
|
|
|
Feature: the sendmail mail posting program now returns
|
|
EX_UNAVAILABLE when the size of the input exceeds the queue
|
|
file size limit. NB THIS CHANGE HAS BEEN WITHDRAWN.
|
|
|
|
19980926
|
|
|
|
Code cleanup: the dotlock file locking routine is no longer
|
|
derived from Eric Allman's 4.3BSD port of mail.local.
|
|
|
|
Code cleanup: the retry strategy of the file locking routines
|
|
dot_lockfile() and deliver_flock() is now configurable
|
|
(deliver_flock_attempts, deliver_flock_delay, deliver_flock_stale).
|
|
|
|
Code cleanup: the master.pid lock file is now created with
|
|
symlink paranoia, and is properly locked so that PID rollover
|
|
will not cause false matches.
|
|
|
|
Bugfix: the vbuf_print() formatting engine did not know
|
|
about the '+' format specifier.
|
|
|
|
Cleanup: replaced unnecessary instances of stdio calls by
|
|
vstream ones.
|
|
|
|
19980929-19981002
|
|
|
|
Compatibility: added support for "sendmail -q". This required
|
|
a change to the queue manager trigger protocol, and a code
|
|
reorganization of the way queue scans were done. The queue
|
|
manager socket now has become public.
|
|
|
|
10091002
|
|
|
|
SMTPD now logs "lost connection after end-of-message" instead
|
|
of "lost connection after DATA".
|
|
|
|
10091005
|
|
|
|
More bullet proofing: timeouts on all triggers.
|
|
|
|
19981006
|
|
|
|
Bugfix: make the number of cleanup processes unlimited, in
|
|
order to avoid deadlock. The number of instances needed is
|
|
one per smtp/pickup process, and an indeterminate number
|
|
per local delivery agent. Thanks, Thanks, David Miller and
|
|
Terry Lorrah for cleueing me in.
|
|
|
|
Bugfix: "sendmail -t" extracted recipients weren't subjected
|
|
to virtual mapping. Daniel Eisenbud strikes again.
|
|
|
|
19981007
|
|
|
|
Compatibility: if the first input line ends in CRLF, the
|
|
sendmail posting agent will treat all CRLF as LF. Otherwise,
|
|
CRLF is left alone. This is a compromise between sendmail
|
|
compatibility (all lines end in CRLF) and binary transparency
|
|
(some, but not all, lines contain CRLF).
|
|
|
|
19981008
|
|
|
|
Robustness: stop recursive virtual expansion when the
|
|
left-hand side appears in its own expansion.
|
|
|
|
19981009
|
|
|
|
Portability: trigger servers such as pickup and qmgr can
|
|
now use either FIFOs or UNIX-domain sockets; hopefully at
|
|
least one of them works properly. Trigger clients were
|
|
already capable of using either form of local IPC.
|
|
|
|
19981011
|
|
|
|
Feature: masquerading. Strip subdomains from domains listed
|
|
in $masquerade_domains. Exception: envelope recipients are
|
|
left alone, in order to not screw up routing.
|
|
|
|
19981015
|
|
|
|
Code cleanup: moved the recipient duplicate filter from
|
|
the user-level sendmail posting agent to the semi-resident
|
|
cleanup service, so that the filter operates on the output
|
|
from address canonicalization and of virtual expansion,
|
|
instead of operating on their inputs.
|
|
|
|
19981016
|
|
|
|
Bugfix: after kill()ing a bunch of child processes, wait()
|
|
sometimes fails before all children have been reaped, and
|
|
must be called again, or the master will SIGSEGV later.
|
|
Problem reported by Scott Cotton.
|
|
|
|
Workaround: don't log a complaint when an SMTP client goes
|
|
away without sending QUIT.
|
|
|
|
19981018
|
|
|
|
Workaround: Solaris 2.5 ioctl SIOCGIFCONF returns a hard
|
|
error (EINVAL) when the result buffer is not large enough.
|
|
This can happen on systems with many real or virtual
|
|
interfaces. File: util/inet_addr_local.c. Problem reported
|
|
by Scott Cotton.
|
|
|
|
Workaround: the optional HELO/EHLO hostname syntax check
|
|
now allows a single trailing dot.
|
|
|
|
Workaround: with UNIX-domain sockets, LINUX connect() blocks
|
|
until the server calls accept(). File: qmgr/qmgr_transport.c.
|
|
Terry Lorrah and Scott Cotton provided the necessary evidence.
|
|
|
|
19981020
|
|
|
|
Robustness: recursive canonical mapping terminates when
|
|
the result stops changing.
|
|
|
|
Code cleanup: reorganized the address rewriting and mapping
|
|
code in the cleanup service, to make it easier to implement
|
|
the previous enhancement.
|
|
|
|
19981022
|
|
|
|
Code cleanup: more general queue scanning programming
|
|
interface, in preparation for hashed queues. File:
|
|
qmgr/qmgr_scan.c.
|
|
|
|
Bugfix: a non-FIFO server with a process limit of 1 has a
|
|
too short listen queue. Until now this was not a problem
|
|
because only FIFO servers had a process limit of 1, and
|
|
FIFOs have no listen queue. Fix: always configure a listen
|
|
queue of proc_limit or more. File: master/master_listen.c.
|
|
|
|
19981023
|
|
|
|
Feature: by popular request, mail delay is logged when
|
|
delivering, bouncing or deferring mail.
|
|
|
|
19981024
|
|
|
|
Cleanup: double-bounce mail is now absorbed by the queue
|
|
manager, instead of the local delivery agent, so that the
|
|
mail system will not go mad when no local delivery agent
|
|
is configured.
|
|
|
|
19981025
|
|
|
|
Cleanup: moved the relocated table from the local delivery
|
|
agent to the queue manager, so that the table can also be
|
|
used for virtual addresses.
|
|
|
|
Code reorg: in order for the queue manager to absorb
|
|
recipients, the queue file has to stay open until all
|
|
recipients have been assigned to a destination queue.
|
|
|
|
19981026
|
|
|
|
vmlogger command, so that vmailer-script logging becomes
|
|
consistent with the rest of the VMailer system.
|
|
|
|
Code reorg: logger interface now can handle multiple output
|
|
handlers (e.g. syslog and stderr stream).
|
|
|
|
Bugfix: a first line starting with whitespace is no longer
|
|
treated as an extension of our own Received: header. Files:
|
|
smtpd/smtpd.c, pickup/pickup.c.
|
|
|
|
19981027
|
|
|
|
Bugfix: the bang-path swapping code went into a loop on an
|
|
address consisting of just a single !. Eilon Gishri had
|
|
the privilege of finding this one.
|
|
|
|
Workaround: the non-blocking UNIX-domain socket connect is
|
|
now enabled only on systems that need it. It may cause
|
|
kernel trouble on Solaris 2.x.
|
|
|
|
Bugfix: the resolver didn't implement bangpath swapping,
|
|
so that mail for site!user@mydomain would be delivered to
|
|
a local user named "site!user".
|
|
|
|
19981028
|
|
|
|
Cleanup: a VSTREAM can now use different file descriptors
|
|
for reading and writing. This was necessary to prevent
|
|
"sendmail -bs" and showq from writing to stdin. Eilon Gishri
|
|
observed the problem.
|
|
|
|
19981029
|
|
|
|
The RFC 822 address manipulation routines no longer give
|
|
special attention to 8-bit data. Files: global/tok822_parse.c,
|
|
global/quote_822_local.c.
|
|
|
|
Bugfix: host:port and other non-domain stuff is no longer
|
|
allowed in mail addresses. File: qmgr/qmgr_message.c.
|
|
|
|
Workaround: LINUX accept() wakes up before the three-way
|
|
handshake is complete, so it can fail with ECONNRESET.
|
|
Files: master/single_server.c, master/multi_server.c.
|
|
|
|
Feature: when delivering to user+foo, try ~user/.forward+foo
|
|
before trying ~user/.forward.
|
|
|
|
Bugfix: smtpd in "sendmail -bs" (stand-alone) mode didn't
|
|
clean up when terminated by a signal.
|
|
|
|
Bugfix: smtpd in "sendmail -bs" (stand-alone) mode should
|
|
not try to enforce spam controls because it cannot access
|
|
the address rewriting machinery.
|
|
|
|
Cleanup: the percent hack (user%domain -> user@domain) is
|
|
now configurable (allow_percent_hack, default: yes).
|
|
|
|
Bugfix: daemons in -S (stand-alone) mode didn't change
|
|
directory to the queue. This was no problem with daemons
|
|
run by the sendmail compatibility program.
|
|
|
|
19981030
|
|
|
|
Feature: when virtual/canonical/relocated lookup fails for
|
|
an address that contains the optional recipient delimiter
|
|
(e.g., user+foo@domain), the search is done again with the
|
|
unextended address (e.g., user@domain). File: global/addr_find.c.
|
|
|
|
Code reorg: the address searching is now implemented by a
|
|
separate module global/addr_find.c, so that the same code
|
|
can be used for both (non-mapping) relocated table lookups
|
|
and for canonical and virtual mapping. The actual mapping
|
|
is still done in the global/addr_map.c module.
|
|
|
|
Robustness: the SMTP client now skips hosts that don't send
|
|
greeting banner text. File: smtp/smtp_connect.c
|
|
|
|
Feature: preliminary support to disable delivered-to. This
|
|
is desirable for mailing list managers that don't want to
|
|
advertise internal aliases.
|
|
|
|
Generic support: when the recipient_feature_delimiter
|
|
configuration parameter is set, the local delivery agent
|
|
uses it to split the recipient localpart into fields. Any
|
|
field that has a known name such as "nodelivered" enables
|
|
the corresponding delivery feature.
|
|
|
|
19981031
|
|
|
|
Code reorg: address splitting on recipient delimiter is
|
|
now centralized in global/split_addr.c, which knows about
|
|
all reserved names that should never be split.
|
|
|
|
Robustness: when a request for an internal service cannot
|
|
be satisfied because the master has terminated, terminate
|
|
instead of trying to reach the service every 30 seconds.
|
|
|
|
Safety: the local delivery agent now runs as vmailer most
|
|
of the time, just like pickup and pipe. Files: local/local.c,
|
|
local/mailbox.c
|
|
|
|
19981101
|
|
|
|
Compatibility: the tokenizer for alias/forward/etc.
|
|
expansion now updates an optional counter with the number
|
|
of destinations found; If no destinations is found in a
|
|
.forward file, deliver to the mailbox instead. Thanks,
|
|
Daniel Eisenbud, for showing the way to go.
|
|
|
|
Robustness: the pickup daemon should always include a
|
|
posting-time record, even when the sendmail posting agent
|
|
didn't. However, just like before, user-provided posting
|
|
times will be ignored. Ollivier Robert found this one.
|
|
|
|
Robustness: duplicate entries in aliases or maps now cause
|
|
a warning instead of a fatal error (and an incomplete file).
|
|
|
|
Robustness: mkmap now prints a warning when an entry is
|
|
in "key: value" format, which is the format expected for
|
|
alias databases, not for maps.
|
|
|
|
Portability: on LINUX, prepend "+" to the getopt() options
|
|
string so that getopt() will stop at the first non-option
|
|
argument. Suggestion by Marco d'Itri.
|
|
|
|
19981103
|
|
|
|
Cleaned up the set_eugid() and open_as() implementations,
|
|
and added stat_as() and fstat_as() so that the local delivery
|
|
agent would look up include files and .forward files with
|
|
the right privileges.
|
|
|
|
19981104
|
|
|
|
Bugfix: the :include: routine now stat()s/open()s files
|
|
included by root-owned aliases as root, not as nobody.
|
|
|
|
Bugfix: the master crashed when a service with wakeup timer
|
|
was disabled or renamed. Fix: eliminate some pathological
|
|
coupling between process management and wakeup management.
|
|
|
|
Feature: partial implementation of ETRN (causes a full
|
|
deferred queue scan). Thanks Lamont Jones for reminding me
|
|
that things can be useful already before they are perfect.
|
|
|
|
Cleanup: simplified the SMTPD tokenizer.
|
|
|
|
Bugfix: sendmail -bs didn't properly notify the mail system
|
|
of new mail.
|
|
|
|
Compatibility: the MAIL FROM and RCPT TO commands now accept
|
|
the most common address forms without enclosing <>. The <>
|
|
is still needed for addresses that contain a "string", an
|
|
[address], or a colon (:).
|
|
|
|
19981105
|
|
|
|
Bugfix: "master -t" would claim that the master runs when
|
|
in fact the pid directory does not exist, causing trouble
|
|
with first time startup (reported by several).
|
|
|
|
Portability: added a sane_accept() module that maps all
|
|
beneficial accept() error results to EAGAIN. According to
|
|
private communication with Alan Cox, Linux 2.0.x accept()
|
|
can return a variety of error conditions, so we play safe
|
|
and allow for any error that may happen because SYN+ACK
|
|
could not be sent.
|
|
|
|
Portability: NETBSD1 uses dotlock files (Perry Metzger).
|
|
|
|
Bugfix: the local delivery agent did not canonicalize
|
|
owner-foo sender addresses, so that local users would see
|
|
owner-foo instead of owner-foo@$myorigin (Perry Metzger).
|
|
|
|
OPENSTEP4 support, similar to NEXTSTEP3 (Gerben Wierda).
|
|
|
|
19981106
|
|
|
|
Portability: the master startup would take a long time on
|
|
AIX because AIX has a very large per-process open file
|
|
limit. Fix is to check the status of only the first couple
|
|
hundred file descriptors instead. File: master/master.c.
|
|
|
|
Bugfix: mail to user@[net.work.addr.ess] was broken because
|
|
of a reversed test. File: qmgr/qmgr_message.c.
|
|
|
|
19981107
|
|
|
|
Compatibility: don't clobber the envelope sender address
|
|
when an alias has no owner-foo alias (problem diagnosed by
|
|
Christophe Kalt).
|
|
|
|
Bugfix: mail to local users in include files would be
|
|
delivered directly if the alias didn't have an owner-foo
|
|
alias, and if the alias database and include file were
|
|
owned by root.
|
|
|
|
Feature: with user+foo addresses, any +foo address extension
|
|
that is not explicitly matched in canonical, virtual or
|
|
alias databases is propagated to the table lookup result.
|
|
|
|
19981108
|
|
|
|
Bugfix: minor memory leak in the user+foo table lookup code.
|
|
|
|
Configurability: specify virtual.domain in the virtual map,
|
|
and mail for unknown@virtual.domain will bounce automatically.
|
|
The $relay_domains default value now includes $virtual_maps,
|
|
so the SMTP server will accept mail for the domain. Marco
|
|
d'Itri put me on the right track.
|
|
|
|
Configurability: The mydestinations configuration parameter
|
|
now accepts /file/name expressions and type:name lookup tables.
|
|
|
|
Code cleanup: in order to make the previous two enhancements
|
|
possible, revised the string/host/address matching engine
|
|
so it can handle any mixture of strings, /file/name patterns
|
|
and type:name lookup tables. Files: util/match_{list,ops}.c,
|
|
global/{domain,namadr,string}_list.c.
|
|
|
|
19981110
|
|
|
|
Code cleanup: replaced remaining isxxx() calls by ISXXX().
|
|
|
|
19981111
|
|
|
|
Bugfix: the "bounce unknown virtual user" code was in the
|
|
wrong place. Problem tackled with help of Chip Christian.
|
|
|
|
Portability: reportedly, Solaris 2.5.1 can hang waiting
|
|
for a UNIX-domain connection to be accepted, so it gets
|
|
the same workaround that was designed for LINUX. Problem
|
|
reported by Scott Cotton.
|
|
|
|
19981112
|
|
|
|
Management: "vmailer stop" now allows delivery agents to
|
|
finish what they are doing, like "vmailer reload".
|
|
|
|
Management; "vmailer abort" causes immediate termination.
|
|
|
|
Workaround: zombie processes pile up with HP-UX. Reason:
|
|
select() does not return upon SIGCHLD when SA_RESTART is
|
|
specified to sigaction(). Workaround: shorten the select()
|
|
timer to 10 seconds, #ifdef BRAINDEAD_SELECT_RESTARTS.
|
|
Thanks, Lamont Jones.
|
|
|
|
19981117
|
|
|
|
Rename: VMailer is now Postfix. Sigh.
|
|
|
|
19981118
|
|
|
|
Cleanup: generalized the safe_open() routine so that it is
|
|
no longer limited to mailbox files, lock files, etc.
|
|
|
|
Bugfix (found during code review): vstream*printf() could
|
|
run off the end of a stream buffer after an I/O error,
|
|
because vbuf_print() ignored the result from VBUF_SPACE().
|
|
|
|
Bugfix (found during code review): resolve_local() could
|
|
clobber its argument, but the docs didn't say so.
|
|
|
|
19981121
|
|
|
|
Cleanup: the is_header() routine now allows 8-bit data in
|
|
header labels.
|
|
|
|
19981123
|
|
|
|
Bugfix (found during code review): the mail_queue_enter()
|
|
path argument wasn't optional. File: global/mail_queue.c
|
|
|
|
19981124
|
|
|
|
Cleanup: eliminated redundant tests for a zero result from
|
|
vstream_fdopen(). Unlike the stdio fdopen() routine, the
|
|
vstream_fdopen() routine either succeeds or never returns.
|
|
|
|
Bugfix: the queue manager now looks at the clock before
|
|
examining a file time stamp, to avoid spurious complaints
|
|
about time warps on busy machines. File: qmgr/qmgr_active.c.
|
|
|
|
19981125
|
|
|
|
Compatibility: allow trailing dot at the end of user@domain.
|
|
Address canonicalization now strips it off. Issue brought
|
|
forward by Eilon Gishri. File: trivial-rewrite/rewrite.c.
|
|
|
|
Robustness: changed DNS lookup order of MAIL FROM etc.
|
|
domains from MX then A to A then MX, just in case the MX
|
|
lookup fails with a server error.
|
|
|
|
Renamed vmcat, vmlock, vmlogger, vmtrigger to postcat,
|
|
postlock, postlog, postkick. Also renamed mkmap and mkalias
|
|
to postmap and postalias.
|
|
|
|
19981126
|
|
|
|
Workaround: Lamont Jones found a way for HP-UX to terminate
|
|
select() after SIGCHLD. The code is #ifdef USE_SIG_RETURN.
|
|
Files: util/sys_defs.h, master/master_sig.c.
|
|
|
|
Bugfix: the Delivered-To: loop detection code had stopped
|
|
working, when long ago the is_header() routine was changed.
|
|
File: local/delivered.c.
|
|
|
|
19981128
|
|
|
|
Bugfix: postcat opened queue files read-write, where only
|
|
read access was needed. File: postcat/postcat.c.
|
|
|
|
19981129
|
|
|
|
Safety: added a sleep(1) to all fatal and panic exits.
|
|
File: util/msg.c.
|
|
|
|
19981201
|
|
|
|
Robustness: postcat now insists that a file starts with a
|
|
time record.
|
|
|
|
Consistency: added "-c config_dir" command-line options
|
|
where appropriate.
|
|
|
|
19981202
|
|
|
|
Man pages, on-line version.
|
|
|
|
19981203
|
|
|
|
Man pages, html version; overview documentation.
|
|
|
|
19981206
|
|
|
|
Sendmail silently accepted the unsupported -qRsite and
|
|
-qSsite options. It now prints an error message and
|
|
terminates.
|
|
|
|
Separated the contributed tree from the IBM code; moved
|
|
the LDAP and NEXTSTEP/OPENSTEP code to the contributed
|
|
source tree because obviously I didn't write it.
|
|
|
|
19981206-9
|
|
|
|
Had to write a postconf configuration utility in order to
|
|
reliably find out about all configuration parameters and
|
|
their defaults.
|
|
|
|
Documentation bugfixes by Matt Shibla, Scott Drassinower,
|
|
Greg A. Woods.
|
|
|
|
19981209
|
|
|
|
On machines with short hostnames, postconf -d cored while
|
|
reporting a fatal error. It should not report that error
|
|
in the first place. Thanks, Eilon Gishri.
|
|
|
|
Changed the FAQ entry about rejecting mail for *.my.domain
|
|
on a firewall. Chip Christian was right, I was wrong.
|
|
|
|
19981214
|
|
|
|
Portability: with GNU getopt, optind is not initially 1,
|
|
breaking an assumption in sendmail/sendmail.c. Liviu Daia.
|
|
|
|
Annoyance: on non-networked systems, don't warn that only
|
|
one network interface was found. File: global/inet_addr_local.c.
|
|
Reported by several.
|
|
|
|
Bugfix: on non-networked systems, the smtp client assumed
|
|
that it was running in virtual host mode, and would bind
|
|
to the loopback interface. File smtp/smtp_connect.c. Liviu
|
|
Daia, again.
|
|
|
|
19981220
|
|
|
|
Robustness: when looking up an A or MX record, do not give
|
|
up when the A query fails because of a server error. File
|
|
dns/dns_lookup.c. Reported by Scott Drassinower.
|
|
|
|
19981221
|
|
|
|
Bugfix: "bounce mail for non-existent virtual user" didn't
|
|
work when a non-default relay host was configured in main.cf
|
|
or in the transport table. File: qmgr/qmgr_message.c.
|
|
|
|
Bugfix: the maildrop directory should not be world-readable.
|
|
Files: conf/postfix-script, showq/showq.c.
|
|
|
|
Documentation: fixed several omissions and errors.
|
|
|
|
Documentation: removed references to the broken recipient
|
|
feature delimiter configuration parameter.
|
|
|
|
Bugfix: write mailbox file as the recipient, so that file
|
|
quota work as expected.
|
|
|
|
Bugfix: pickup would die when it tried to remove a non-file
|
|
in the maildrop directory (Jeff Wolfe).
|
|
|
|
19981222
|
|
|
|
Sendmail no longer logs the queue ID when it is unable to
|
|
notify the pickup daemon. This is a late addition to the
|
|
"unreadable maildrop queue" patch.
|
|
|
|
user.lock files are now created as root, so that postfix
|
|
needs no group directory write permission.
|
|
|
|
19981224
|
|
|
|
Security: allow queue file link counts > 1, to avoid
|
|
non-delivery of maildrop files with links to a non-maildrop
|
|
directory. Files: global/mail_open_ok.c, and anything
|
|
that calls this code (qmgr, pickup, showq). If multiple
|
|
hard links are a problem, see the set-gid "postdrop" utility
|
|
below.
|
|
|
|
19981225
|
|
|
|
Robustness: the queue manager no longer aborts when a queue
|
|
file suddenly disappears (e.g. because the file was removed
|
|
by hand).
|
|
|
|
Feature: when a writable maildrop directory is a problem,
|
|
sites can make the new "postdrop" utility set-gid. This command
|
|
is never used when the maildrop directory is world-writable.
|
|
|
|
Robustness: make the queue file creation routine more
|
|
resistant against denial of service race attack. File:
|
|
global/mail_queue.c
|
|
|
|
19981226
|
|
|
|
New suid_priv module to enable/disable privileges in a
|
|
set-uid/gid program. In the end I decided to not use it.
|
|
|
|
19981228
|
|
|
|
Robustness: make the pickup daemon more resistant against
|
|
non-file race attack.
|
|
|
|
Cleanup: generic mail_stream.c interface for writing queue
|
|
file streams to files, daemons or commands. This simplifies
|
|
the code in smtpd and in sendmail that must be able to pipe
|
|
mail through the postdrop command. The cleanup daemon has
|
|
been modified to use the same interface. Result: less code.
|
|
|
|
Feature: smtpd now logs the only recipient in Received:
|
|
headers.
|
|
|
|
Feature: separate command and daemon directories. Both
|
|
default to $program_directory. Install conf/postfix-script
|
|
if you want to use this feature.
|
|
|
|
19981230
|
|
|
|
Patch to avoid conflict with non-writable top-level Makefile
|
|
(Lamont Jones).
|
|
|
|
19981231
|
|
|
|
Portability: port to UnixWare 7 by Ronald Joe Record, SCO.
|
|
|
|
19990104
|
|
|
|
Bugfix: fencepost (Jon Ribbens, Oaktree Internet Solutions
|
|
Ltd.) Files: quote_82[12]_local.c.
|
|
|
|
Bugfix: wrong default for relay_domains (Juergen Kirschbaum,
|
|
Bayerische Landesbank). File: mail_params.h.
|
|
|
|
Bugfix: changed 5xx response for "too may recipients" to
|
|
4xx. File: smtpd.c.
|
|
|
|
19990106
|
|
|
|
Feature: defer_transports specifies the names of transports
|
|
that should be used only when "sendmail -q" (or equivalent)
|
|
is issued. For example, "defer_transports = smtp" is useful
|
|
for sites that are disconnected most of the time. File:
|
|
qmgr_message.c.
|
|
|
|
19990107
|
|
|
|
Feature: local_command_shell specifies a non-default shell
|
|
for delivery to command by the local delivery agent. For
|
|
example, "local_command_shell = /some/where/smrsh -c"
|
|
restricts what may appear in "|command" destinations.
|
|
File: global/pipe_command.c.
|
|
|
|
19990112-16
|
|
|
|
Feature: SMTP command pipelining support based on an initial
|
|
version by Jon Ribbens, Oaktree Internet Solutions Ltd.
|
|
This one took several days of massaging before I felt
|
|
comfortable about it. Files: smtp.c, smtp_proto.c.
|
|
|
|
Bugfix: the SMTP server would flush responses one-by-one,
|
|
which caused suboptimal performance with pipelined clients.
|
|
The vstream routines now flush the write buffer when the
|
|
read() routine is called, instead of flushing when the
|
|
application changes from writing to reading. Delayed flush
|
|
prevents the SMTP server from flushing responses one-by-one
|
|
and thus triggering Nagle's algorithm. File: util/vstream.c.
|
|
|
|
19990117
|
|
|
|
Bugfixes and enhancements to the smtpstone tools by Drew
|
|
Derbyshire, Kendra Electronic Wonderworks: send helo command,
|
|
send message headers, format the message content to lines
|
|
< 80, work around NT stacks, make "." recognition more
|
|
robust. Files: smtp-source.c, smtp-sink.c.
|
|
|
|
Strategy: look at the deferred queue only when the incoming
|
|
queue is empty; limit the number of recipients read from
|
|
a queue file depending on the number of recipients already
|
|
in core. Files: qmgr.c, qmgr_message.c.
|
|
|
|
Feature: postponed anti-UCE restrictions. The decision to
|
|
reject junk mail on the basis of the client name/address,
|
|
HELO hostname or sender address can now be postponed until
|
|
the RCPT TO command (or HELO or MAIL FROM if you like).
|
|
File: smtpd_check.c.
|
|
|
|
19990118
|
|
|
|
Feature: incremental updates of alias databases and of
|
|
other lookup tables. Both postalias and postmap now take
|
|
a -i option for incremental updates from standard input.
|
|
Files: global/mkmap_*.c, post{map,alias}/post{map,alias}.c.
|
|
|
|
Compatibility: newaliases can now update multiple alias
|
|
databases: list them in the "alias_database" parameter in
|
|
main.cf. By the same token, postalias can now update multiple
|
|
maps in one command. Files: post{map,alias}/post{map,alias}.c
|
|
|
|
Feature: mail to <> is now sent to the address specified
|
|
with the "empty_address_recipient" configuration parameter
|
|
which defaults to MAILER-DAEMON (idea by Lamont Jones,
|
|
Hewlett-Packard). File: cleanup/cleanup_envelope.c.
|
|
|
|
Compatibility: the transport table now uses .domain.name
|
|
to match subdomains, just like sendmail mailer tables
|
|
(patch by Lamont Jones, Hewlett-Packard).
|
|
|
|
Feature: mailq now ends with a total queue size summary
|
|
(Eilon Gishri, Israel Inter University Computation Center).
|
|
|
|
19990119
|
|
|
|
Feature: address masquerade exceptions for user names listed
|
|
in the "masquerade_exceptions" configuration parameter.
|
|
File: cleanup/cleanup_masquerade.c.
|
|
|
|
Feature: qmail-style maildir support, based on initial code
|
|
by Kevin W. Brown, Quantum Internet Services Inc.
|
|
|
|
Workaround: Solaris 2.something connect() fails with
|
|
ECONNREFUSED when the system is busy (Chris Cappuccio,
|
|
Empire Net). File: global/mail_connect.c.
|
|
|
|
Feature: the cleanup service now adds a Return-Path: header
|
|
when none is present. This header is needed for some mail
|
|
delivery programs (see below). File: cleanup_message.c.
|
|
|
|
Feature: the pipe mailer now supports $user, $extension
|
|
and $mailbox macros in command-line expansions. This, plus
|
|
the Return-Path: header (see above), should be sufficient
|
|
to support cyrus IMAP out of the box. Based on initial
|
|
code by Joerg Henne, Cogito Informationssysteme GMBH.
|
|
File: pipe/pipe.c.
|
|
|
|
Bugfix: with address extensions enabled, canonical and
|
|
virtual lookups now are done in the proper order:
|
|
user+foo@domain, user@domain, user+foo, user, @domain.
|
|
File: global/mail_addr_find.c.
|
|
|
|
19990119
|
|
|
|
Feature: the local mailer now prepends a Received: message
|
|
header with the queue ID to forwarded mail, in order to
|
|
make message tracing easier. File: local/forward.c.
|
|
|
|
Cleanup: after "postfix reload", no more broken pipe
|
|
complaints from resolve/rewrite clients.
|
|
|
|
19990121
|
|
|
|
Feature: pickup (again) logs uid and sender address.
|
|
On repeated request by Scott Cotton, Internet Consultants
|
|
Group, Inc.
|
|
|
|
Portability: doze() function for systems without usleep().
|
|
|
|
Cleanup: clients are now consistently logged as host[address].
|
|
|
|
19990122
|
|
|
|
Maildir support changed: specify "home_mailbox = Maildir/".
|
|
The magic is the trailing /. Suggested by Daniel Eisenbud,
|
|
University of California at Berkeley.
|
|
|
|
Maildir support from aliases, :include: and .forward files.
|
|
Specify /file/name/ - the trailing / is required. Suggested
|
|
by Daniel Eisenbud, University of California at Berkeley.
|
|
|
|
Workaround: watchdog timer to prevent the queue manager
|
|
from locking up on some systems.
|
|
|
|
Bugfix: in Received: headers, the "for <recipient>"
|
|
information was in the wrong place. Pointed out by Jon
|
|
Ribbens, Oaktree Internet Solutions Ltd.
|
|
|
|
19990124
|
|
|
|
Portability: more workarounds for GNU getopt() by Liviu
|
|
Daia, Institute of Mathematics, Romanian Academy. File:
|
|
sendmail/sendmail.c.
|
|
|
|
19990125
|
|
|
|
Bugfix: Postfix should not masquerade recipient addresses
|
|
extracted from message headers. Problem reported by David
|
|
Blacka, Network Solutions. File: cleanup/cleanup_message.c.
|
|
|
|
19990126
|
|
|
|
Feature: smtpd_etrn_restrictions parameter to restrict who
|
|
may use ETRN and what domains may be specified. Example:
|
|
"smtpd_etrn_restrictions = permit_mynetworks, reject".
|
|
Requested by Jon Ribbens, Oaktree Internet Solutions Ltd.
|
|
File: smtpd/smtpd_check.c.
|
|
|
|
19990127
|
|
|
|
Bugfix: in an attempt to shave some cycles, the anti junk
|
|
mail routines would use the wrong resolved address. This
|
|
"optimization" is now turned off. Problem reported by Sam
|
|
Eaton, Pavilion Internet Plc. File: smtpd/smtpd_check.c.
|
|
|
|
Feature: BIFF notifications. For compatibility reasons
|
|
this feature is on by default. This "protocol" can be a
|
|
real performance pig. Specify "biff = no" in main.cf if
|
|
your machine has lots of shell users. Feature requested by
|
|
Dan Farmer - it's one of the things one does for friends.
|
|
Files: local/mailbox.c, local/biff_notify.c.
|
|
|
|
Bugfix: another case sensitivity problem, this time with
|
|
virtual lookups to recognize unknown@virtual.domain.
|
|
Problem reported by Bo Kleve, Linkoping University. File:
|
|
qmgr/qmgr_message.c.
|
|
|
|
19990128
|
|
|
|
Feature: with "soft_bounce = yes", defer delivery instead
|
|
of bouncing mail. This is a safety net for configuration
|
|
errors with delivery agents. It has no effect on errors in
|
|
virtual maps, canonical maps, or in junk mail restrictions.
|
|
Feature requested by Bennett Todd. File: global/bounce.c.
|
|
|
|
19990129
|
|
|
|
Compatibility: the qmail maildir.5 documentation prescribes
|
|
maildir file names of the form time.pid.hostname, which is
|
|
wrong because Postfix processes perform multiple deliveries.
|
|
Elsewhere the qmail author has documented how maildir files
|
|
should be named under such conditions. Postfix has been
|
|
changed to be conformant. File: local/maildir.c.
|
|
|
|
19990131
|
|
|
|
Feature: special treatment of owner-foo and foo-request
|
|
can be turned off. Specify "owner_request_special = no".
|
|
Requested by Matthew Green and others. Files: local/alias.c,
|
|
global/split_addr.c. This affects canonical, virtual and
|
|
alias lookups.
|
|
|
|
19990204
|
|
|
|
Portability: signal handling for HP-UX 9 by Lamont Jones
|
|
of Hewlett Packard. File: master/master_sig.c.
|
|
|
|
Robustness: disable random walk inside a per-site queue to
|
|
avoid message starvation under heavy load. File: qmgr_entry.c.
|
|
|
|
Robustness: under some conditions the queue manager could
|
|
declare a host dead after just one delivery failure. File:
|
|
qmgr_queue.c.
|
|
|
|
19990212
|
|
|
|
Feature: skip SMTP servers that greet us with a 4XX status
|
|
code. Example: "smtp_skip_4xx_greeting = yes". By default,
|
|
the Postfix SMTP client defers delivery when a server
|
|
declines talking to us. File: smtp/smtp_connect.c.
|
|
|
|
Robustness: upon startup the queue manager now moves active
|
|
queue files to the incoming queue instead of the deferred
|
|
queue, to avoid anomalous delivery delays on systems that
|
|
have a huge incoming queue. Files: qmgr/qmgr.c,
|
|
qmgr/qmgr_active.c, global/mail_flush.c, conf/postfix-script*
|
|
|
|
19990213
|
|
|
|
Robustness: added watchdog timers to avoid getting stuck
|
|
on systems with broken select() socket implementations.
|
|
File: qmgr_transport.c, qmgr_deliver.c.
|
|
|
|
19990218
|
|
|
|
Feature: NFS-friendly delivery to mailbox by avoiding the
|
|
use of root privileges as much as possible. With input by
|
|
Mike Muus, Army Research Lab, USA.
|
|
|
|
Feature: the smtp-sink test server now supports SMTP command
|
|
pipelining. To this end we had to generalize the timer and
|
|
vstream support. Poor performance is fixed 19990222.
|
|
|
|
Cleanup: timer event routines now have the same interface
|
|
as read/write event routines (event type + context). File:
|
|
util/events.c.
|
|
|
|
Feature: new vstream_peek() routine to tell how much unread
|
|
data is left in a VSTREAM buffer. This is the vstream
|
|
variant of the peekfd() routine for kernel read buffers.
|
|
File: util/vstream.c.
|
|
|
|
Feature: directory scanning support for hashed mail queue
|
|
directories. So far the results are disappointing: with
|
|
depth = 2 (16 directories with 16 subdirectories), mailq
|
|
takes 5 seconds with an empty queue unless all directories
|
|
happen to be cached in memory. We need a bit map before
|
|
hashed queue directories become practical. Depth=1 hashing
|
|
doesn't slow down mailq much, but doesn't help much either.
|
|
Files: util/scan_dir.c, global/mail_scan_dir.c.
|
|
|
|
19990221
|
|
|
|
Workaround: with "ignore_mx_lookup_error = yes", the SMTP
|
|
client always performs an A lookup when an MX lookup could
|
|
not be completed, rather than treating MX lookup failure
|
|
as a temporary error condition. Unfortunately there are
|
|
many broken DNS servers on the Internet. File: smtp/smtp_addr.c.
|
|
|
|
19990222
|
|
|
|
Performance: rewrote the guts of the smtp-sink test server
|
|
so it can do pipelining without losing performance.
|
|
|
|
19990223
|
|
|
|
Workaround: hotmail.com sometimes drops the connection
|
|
after "." (causing misleading diagnostics to be logged) or
|
|
waits minutes after receiving QUIT. Solution: do not wait
|
|
for the response to QUIT. File: smtp/smtp_proto.c. This
|
|
is turned off with: "smtp_skip_quit_response = no".
|
|
|
|
19990224
|
|
|
|
Feature: the pipe mailer accepts user=username:groupname,
|
|
based on code submitted by Philip A. Prindeville, Mirapoint,
|
|
Inc., USA. File: pipe/pipe.c.
|
|
|
|
Workaround: use file locking to prevent multiple processes
|
|
from select()ing on the same socket. This causes performance
|
|
problems on large BSD systems. Files: master/*_server.c.
|
|
|
|
19990225
|
|
|
|
Bugfix: with "inet_interfaces = 127.0.0.1", don't bind to
|
|
the loopback interface. Problem reported by Steve Bellovin
|
|
of AT&T. File: smtp/smtp_addr.c.
|
|
|
|
Feature: "postsuper" command to remove stale queue files
|
|
to update queues after changes to the queue structure
|
|
parameters (hash_queue_names, hash_queue_depth). This
|
|
command is to be run from the postfix-script maintenance
|
|
shell script.
|
|
|
|
19990301
|
|
|
|
Feature: new postconf -h (suppress `name = ' in output)
|
|
option to make the program easier to use in, e.g., shell
|
|
scripts.
|
|
|
|
Feature: dict_unix module so you can add the UNIX passwd
|
|
table to the SMTPD access control list.
|
|
|
|
19990302
|
|
|
|
Feature: "luser_relay = destination" captures mail for
|
|
non-existent local recipients. This works only when the
|
|
local delivery agent does mailbox delivery (including
|
|
delivery via mailbox_command), not when mailbox delivery
|
|
is delegated to another message transport.
|
|
|
|
Feature: new reject_non_fqdn_{hostname,sender,recipient}
|
|
restrictions to require fully.qualified.domain forms in
|
|
HELO, MAIL FROM and RCPT TO commands (while still allowing
|
|
the <> sender address).
|
|
|
|
19990304
|
|
|
|
Bugfix: backed out the 19990119 change to always insert
|
|
Return-Path: if that header is not present. The pipe and
|
|
local agents now are responsible for prepending Return-Path:.
|
|
Files: cleanup/cleanup_message.c, global/mail_copy.[hc],
|
|
pipe/pipe.c, global/header_opts.c. This causes an incompatible
|
|
change to the pipe flags parameter, because Return-Path:
|
|
now must be requested explicitly.
|
|
|
|
19990305
|
|
|
|
Bugfix: showq (the mailq server) incorrectly assumed that
|
|
all recipients of a deferred message are listed in the
|
|
corresponding defer logfile. It now lists all recipients.
|
|
Files: showq/showq.c, cleanup/cleanup_envelope.c (ensure
|
|
that sender records always precede recipient records).
|
|
|
|
Cleanup: smtpd HELO restrictions validate [numerical] forms.
|
|
Files: util/valid_hostname.c, smtpd/smtpd_check.c. Initial
|
|
code by Philip A. Prindeville, Mirapoint, Inc., USA.
|
|
|
|
19990306
|
|
|
|
Cleanup: re-vamped the valid_hostname module, and added a
|
|
maximal label length (63) requirement.
|
|
|
|
Feature: fallback_relay parameter to specify extra backup
|
|
hosts in case the regular relay hosts are not found or not
|
|
available. Files: smtp/smtp_addr.c.
|
|
|
|
Feature: "always_bcc = address" specifies where to send a
|
|
copy of each message that enters he system. However, if
|
|
that copy bounces, the sender will be informed of the
|
|
bounce. Files: smtpd/smtpd.c, pickup/pickup.c
|
|
|
|
Compatibility: the transport map will now route on top-level
|
|
domains, so you can dump all of .bitnet to a bitnet relay.
|
|
|
|
19990307
|
|
|
|
Feature: LDAP lookups, updated by Jon Hensley, Merit
|
|
Network, USA.
|
|
|
|
Feature: regular expression (PCRE) support by Andrew
|
|
McNamara, connect.com.au Pty. Ltd., Australia. In order to
|
|
use this code specify pcre:/file/name. You can use this
|
|
anywhere you would use a DB or DBM file, NIS or LDAP.
|
|
See: PCRE_README for how to enable this code.
|
|
|
|
Feature: "delay_warning_time = 4" causes Postfix to send
|
|
a "your mail is delayed" notice after approx. 4 hours.
|
|
Daniel Eisenbud, University of California at Berkeley.
|
|
Files: qmgr/qmgr_active.c, qmgr/qmgr_message. Postmaster
|
|
notices for delayed mail are disabled by default. In order
|
|
to receive postmaster notices, specify "notify_classes =
|
|
... delay ...".
|
|
|
|
Cleanup: do not send undeliverable bounced mail to postmaster.
|
|
This was causing lots of pain with junk mail from bogus
|
|
sender addresses to non-existent recipients. This change
|
|
was reversed 19990311.
|
|
|
|
19990308
|
|
|
|
Bugfix: the dotforward routine was too eager with throwing
|
|
away extension information, so that the Delivered-To: info
|
|
would differ for \mailbox and |command. Problem reported
|
|
by Rafi Sadowski, Open University, Israel.
|
|
|
|
Bugfix: seems I never got around to fix the btree access
|
|
method. I finally did. Problem reported by: Matt Smith,
|
|
AvTel Communications Inc., USA.
|
|
|
|
19990311
|
|
|
|
Back by popular demand: with "notify_classes = 2bounce ..."
|
|
Postfix will send undeliverable bounced mail to postmaster.
|
|
The default is to not send double bounces. This change
|
|
reverses a change made on 19990307.
|
|
|
|
19990312
|
|
|
|
Feature: configurable exit handler for server skeletons.
|
|
Philip A. Prindeville, Mirapoint, Inc., USA. Files:
|
|
master/*server.c.
|
|
|
|
Feature: mail_spool_directory configuration parameter to
|
|
specify the UNIX mail spool directory. The default setting
|
|
is system dependent.
|
|
|
|
19990313
|
|
|
|
Cleanup: share file descriptors for resolve and rewrite
|
|
client connections. This puts less strain on the trivial-rewrite
|
|
service.
|
|
|
|
Portability: support for UnixWare 2.1 by Dmitry E. Kiselyov,
|
|
Nizhny Novgorod City Health Emergency Station.
|
|
|
|
Feature: configurable delays in the smtpstone test programs.
|
|
With input by Philip A. Prindeville, Mirapoint, Inc., USA.
|
|
Files: smtpstone/*.c.
|
|
|
|
Bugfix: a "signal 11" problem in the trivial-rewrite program
|
|
that would occasionally happen after "postfix reload".
|
|
Reason: some rewrite clients would clobber their input,
|
|
and when they had to retransmit the query, the input would
|
|
be a zero-length string, which trivial-rewrite isn't supposed
|
|
to receive.
|
|
|
|
19990314
|
|
|
|
Feature: "mailbox_transport = cyrus" delegates all local
|
|
mailbox delivery to a master.cf entry called "cyrus" (the
|
|
same trick for procmail), including users not found in the
|
|
UNIX passwd database. This gives the flexibility of $name
|
|
expansions by the pipe mailer, without losing local aliases
|
|
and ~/.forward processing. Result of discussions with Rupa
|
|
Schomaker, RS Consulting.
|
|
|
|
19990315
|
|
|
|
Feature: the mydestination parameter can now be an empty
|
|
string, for hosts that don't receive any mail locally. Be
|
|
sure to specify a default route for mail that comes to the
|
|
machine or mail will loop.
|
|
|
|
19990316
|
|
|
|
Bugfix: the SMTPD check scaffolding didn't apply the same
|
|
sanity checks as the production code. Problem reported by
|
|
Alain Thivillon, Herve Schauer Consultants, France. File:
|
|
smtpd/smtpd_check.c.
|
|
|
|
Portability: some systems can have more than 59 seconds in
|
|
a minute. Based on a fix by Liviu Daia, Institute of
|
|
Mathematics, Romanian Academy. File: global/mail_date.c.
|
|
|
|
Enhancement: include the client network address in the
|
|
rejected by RBL response. Lamont Jones, Hewlett-Packard.
|
|
|
|
Workaround: use fstat() to figure out if the maildrop is
|
|
world-writable. access() uses the real uid, which stinks.
|
|
|
|
Robustness: don't do partial address lookups (user@, domain,
|
|
user, @domain) with regexp-style tables.
|
|
|
|
Security: don't allow regexp-style tables to be used for
|
|
aliases. It would be too easy to slip in "|command" or
|
|
:include: or /file/name.
|
|
|
|
19990317
|
|
|
|
Feature: "fallback_transport = cyrus" delegates non-UNIX
|
|
recipients to a master.cf entry called "cyrus", allowing
|
|
you to have both UNIX and non-UNIX mailboxes side by side.
|
|
|
|
19990319
|
|
|
|
Workaround: on 4.4 BSD derivatives, fstat() can return
|
|
EBADF on an open file descriptor. Now, that was a surprise.
|
|
This caused std{out,err} from cron commands to not be
|
|
delivered.
|
|
|
|
Bugfix: "local -v" stopped working.
|
|
|
|
Workaround: more watchdog timers for postfix-unfriendly
|
|
systems. By now every Postfix daemon has one. Call it life
|
|
insurance.
|
|
|
|
Robustness: increased the maximal time to receive or deliver
|
|
mail from $ipc_timeout (default: 3600 seconds) to the more
|
|
generous $daemon_timeout (default: 18000 seconds). We don't
|
|
want false alarms.
|
|
|
|
Portability: IRIX 5.2 does not have usleep().
|
|
|
|
19990320
|
|
|
|
Bugfix: \username was broken. Frank Dziuba was the first
|
|
to notice.
|
|
|
|
19990321
|
|
|
|
Workaround: from now on, Postfix on Solaris uses stream
|
|
pipes instead of UNIX-domain sockets. Despite workarounds,
|
|
the latter were causing more trouble than anything else on
|
|
all systems combined.
|
|
|
|
19990322
|
|
|
|
Portability: the makedefs would mis-identify IRIX 6.5.x as
|
|
IRIX 5.x. Fix by Brian Truelsen of Maersk Mc-Kinney Moller
|
|
Institute for Production Technology, Denmark.
|
|
|
|
Feature: reject_unknown_recipient_domain restriction for
|
|
recipient addresses. For the sake of symmetry, we now also
|
|
have reject_unknown_sender_domain. This means the old
|
|
reject_unknown_address restriction is being phased out.
|
|
Suggested by Rask Ingemann Lambertsen, Denmark Technical
|
|
University.
|
|
|
|
Feature: unknown sender/recipient domain restrictions now
|
|
distinguish between soft errors (always: 450) and hard
|
|
errors (configurable with the unknown_address_reject_code
|
|
parameter, default: 450; use 550 at your own risk).
|
|
|
|
Feature: no HELO junk mail restrictions means that no syntax
|
|
check will be done on HELO/EHLO hostname arguments.
|
|
|
|
Bugfix: the initial Solaris workaround for UNIX-domain
|
|
sockets could cause the queue manager to block if Postfix
|
|
ran into a delivery agent process limit. After another code
|
|
rewrite that problem is eliminated. Thanks to Chris
|
|
Cappuccio, Empire Net, for assistance with testing.
|
|
|
|
19990323
|
|
|
|
Bugfix: too much forwarding when users list their own name
|
|
in their .forward file (e.g. mail to user@localhost would
|
|
go through .forward, would be forwarded to user@$myorigin,
|
|
and would go through .forward again). Problem reported by
|
|
Roman Dolejsi, Prague University of Economics.
|
|
|
|
19990324
|
|
|
|
Bugfix: missing map name in check_xxx_access restrictions
|
|
could cause a segmentation error. Lamont Jones, Hewlett-
|
|
Packard.
|
|
|
|
Feature: forward_path configuration parameter (default:
|
|
$home/.forward$recipient_delimiter$extension,$home/.forward).
|
|
Based on initial code by Philip A. Prindeville, Mirapoint,
|
|
Inc., USA. Files: local/dotforward.c.
|
|
|
|
19990325
|
|
|
|
Workaround: Solaris NIS alias maps need special entries
|
|
(YP_MASTER_NAME, YP_LAST_MODIFIED). What's worse, normal
|
|
keys/values include a null byte at the end, but the YP_XXX
|
|
ones don't. Problem reported by Walcir Fontanini, state
|
|
university of Campinas, Brazil. File: postalias/postalias.c.
|
|
|
|
Compatibility: Solaris NIS apparently does include a null
|
|
byte at the end of keys and values. File: util/sys_defs.h.
|
|
|
|
Feature: library support for config parameters that are
|
|
not $name expanded at program start-up. This was needed
|
|
for forward_path, and will also be needed to make message
|
|
headers customizable.
|
|
|
|
Bugfix: pcre didn't handle \\ right. Lamont Jones, Hewlett-
|
|
Packard. File: util/dict_pcre.c.
|
|
|
|
19990326
|
|
|
|
Compatibility: Postfix now puts two spaces after the sender
|
|
in a "From sender date..." header. Found by John A. Martin,
|
|
fixed by Lamont Jones, Hewlett-Packard.
|
|
|
|
Bugfix: when a recipient appeared multiple times in a local
|
|
alias or include expansion, the delivery status could be
|
|
left uninitialized, causing the mail to be deferred and
|
|
delivered again. File: local/recipient.c.
|
|
|
|
19990327
|
|
|
|
Cleanup: the dictionary routines now take an extra flag
|
|
argument to control such things as warning about duplicates,
|
|
and appending null bytes to key/value. The latter was needed
|
|
for a clean implementation of NIS master alias maps support.
|
|
|
|
Feature: POSIX regular expressions by Lamont Jones. See
|
|
config/sample-regexp.c. Right now, enabled on *BSD and
|
|
LINUX only.
|
|
|
|
19990328
|
|
|
|
Code cleanup: dictionaries now have flags that say whether
|
|
lookup keys are fixed strings or whether keys are subjected
|
|
to pattern matching. This is needed to avoid passing partial
|
|
addresses to regexp-based lookup tables (user, @domain,
|
|
user@, domain). Files: util/dict*.c.
|
|
|
|
Bugfix: fixed memory leaks and core dumps in the regexp
|
|
and pcre routines (neither handled an empty pattern file).
|
|
|
|
19990329
|
|
|
|
Code cleanup: the dictionary I/O routines now do their own
|
|
locking depending on dictionary flag settings. This means
|
|
that the low-level dict_get() interface can now be used
|
|
for safe dictionary lookups. This is needed for 19990328's
|
|
partial lookup key support. Files: util/dict*.c. global/maps.c.
|
|
|
|
Feature: regular expression matches are no longer limited
|
|
to user@domain address forms in access/canonical/virtual
|
|
maps, but can also be used for domains in transport maps.
|
|
This needed the partial lookup key support to avoid passing
|
|
partial addresses to regexp-based lookup tables (user,
|
|
@domain, user@, domain). Files: global/maps.c
|
|
global/mail_addr_find.c.
|
|
|
|
Feature: new dictionary types can be registered with
|
|
dict_open_register(). File: util/dict_open.c.
|
|
|
|
19990330
|
|
|
|
Bug fix: match_list membership dictionary lookups were case
|
|
sensitive when they should not. Patch by Lutz Jaenicke,
|
|
BTU Cottbus, Germany.
|
|
|
|
19990402
|
|
|
|
Feature: $domain macro support in forward_path. Philip A.
|
|
Prindeville, Mirapoint, Inc., USA. File: local/dotforward.c.
|
|
|
|
Feature: if an address extension (+foo) is explicitly
|
|
matched by the .forward+foo file name, do not propagate
|
|
the extension to recipient addresses. This is more consistent
|
|
with the way aliases are expanded. File: local/dotforward.c.
|
|
|
|
19990404
|
|
|
|
Bugfix: after receiving mail, the SMTP server didn't reset
|
|
the cleanup error flag, so that multiple deliveries over
|
|
the same SMTP session could fail due to errors with previous
|
|
deliveries. Found by Lamont Jones, Hewlett-Packard.
|
|
|
|
19990405
|
|
|
|
Feature: MIME-encapsulated bounces. Philip A. Prindeville,
|
|
Mirapoint, Inc., USA. File: bounce/bounce_notify_service.c
|
|
|
|
Cleanup: vstreams now properly look at the EOF flag before
|
|
attempting to read, eliminating the need for typing Ctrl-D
|
|
twice to test programs; the EOF flag is reset after each
|
|
unget or seek operation. Files: util/vstream.c, util/vbuf.c.
|
|
|
|
Feature: in preparation for configurable message headers
|
|
the mac_parse() routine now balances the parentheses in
|
|
${name} or $(name). We need this in order to support
|
|
conditional expressions such as ${name?text} where `text'
|
|
contains other ${name} expressions.
|
|
|
|
19990406
|
|
|
|
Cleanup: changed MIME header information to make bounces
|
|
more RFC 1892 compliant.
|
|
|
|
19990407
|
|
|
|
Feature: "best_mx_transport = local" delivers mail locally
|
|
if the local machine is the best mail exchanger (by default,
|
|
mail is bounced with a "mail loops back to myself" error).
|
|
|
|
Config: in order to make feature tracking easier the source
|
|
code distribution now has a copy of the default settings in
|
|
conf/main.cf.default.
|
|
|
|
Feature: separate configurable postmaster addresses for
|
|
single bounces (bounce_notice_recipient), double bounces
|
|
(2bounce_notice_recipient), delayed mail (delay_notice_recipient),
|
|
and for other mailer errors (error_notice_recipient). The
|
|
default for all is "postmaster".
|
|
|
|
19990408
|
|
|
|
Workaround: on Solaris 2.x, the master appears to lose its
|
|
exclusive lock on the master.pid file, so keep grabbing
|
|
the lock each time the master wakes up from select().
|
|
|
|
Robustness: don't flush VSTREAM buffers after I/O error.
|
|
This prevents surprises when calling vstream_fclose() after
|
|
truncating a mailbox to its original size.
|
|
|
|
Portability: on LINUX systems, if <db_185.h> exists, don't
|
|
look for <db/db.h>.
|
|
|
|
Workaround: specify "sun_mailtool_compatibility = yes" to
|
|
avoid clashes with the mailtool application. This disables
|
|
kernel locks on mailbox files. Use only where needed.
|
|
|
|
Portability: renamed readline to readlline, to avoid clashes
|
|
with mysql.
|
|
|
|
19990409
|
|
|
|
Bugfix: ignore temp queue files that aren't old enough.
|
|
Problem reported by Vivek Khera, Khera Communications, Inc.
|
|
|
|
Bugfix: fixed typo in dict_db.c that caused processes to
|
|
not release DB shared locks.
|
|
|
|
Feature: auto-detection of changes to DB or DBM lookup
|
|
tables. This avoids the need to run "postfix reload" after
|
|
change to the smtp access table and other tables.
|
|
|
|
Feature: regular expression checks for message headers.
|
|
This requires support for POSIX or for PCRE regular
|
|
expressions. Specify "header_checks = regexp:/file/name"
|
|
or "header_checks = pcre:/file/name", and specify
|
|
"/^header-name: badstuff/ REJECT" in the pattern file
|
|
(patterns are case-insensitive by default). Code by Lamont
|
|
Jones, Hewlett-Packard. It is to be expected that full
|
|
content filtering will be delegated to an external command.
|
|
|
|
19990410
|
|
|
|
Bugfix: auto-detection of changes to DB or DBM lookup
|
|
tables wasn't done for TCP connections.
|
|
|
|
19990410
|
|
|
|
Feature: $recipient expansion in forward_path. Philip A.
|
|
Prindeville, Mirapoint, Inc., USA. File: local/dotforward.c
|
|
|
|
Feature: the smtp client consistently treats a numerical
|
|
hostname as an address. File: smtp/smtp_addr.c.
|
|
|
|
19990414
|
|
|
|
Compatibility: support comment lines starting with # in
|
|
$mydestination include files. This makes Postfix more
|
|
compatible with sendmail.cw files. File: util/match_list.c.
|
|
|
|
Feature: if your machines have short host names, specify
|
|
"mydomain = domain.name", and you no longer have to specify
|
|
"myhostname = host.domain.name". Files: global/mail_params.c,
|
|
postconf/postconf.c.
|
|
|
|
19990420
|
|
|
|
Cleanup: bounce mail when a mailbox goes over file quota,
|
|
instead of deferring delivery. File: local/mailbox.c.
|
|
|
|
19990421
|
|
|
|
Feature: auto-detection of changes to DB or DBM lookup
|
|
tables now includes the case where a file is unlinked.
|
|
Philip A. Prindeville, Mirapoint, Inc., USA. File:
|
|
util/dict.c.
|
|
|
|
19990422
|
|
|
|
Robustness: Lotus mail sends MAIL FROM: <@> instead of <>.
|
|
Problem reported by Erik Toubro Nielsen, IFAD, Denmark.
|
|
Files: trivial-rewrite/rewrite.c (@ becomes empty address)
|
|
and global/rewrite_clnt.c (allow empty response).
|
|
|
|
Bugfix: showq could segfault when writing to a broken pipe.
|
|
Problem reported by Bryan Fullerton, Canadian Broadcasting
|
|
Corporation. Files: util/vbuf_print.c.
|
|
|
|
Cleanup: got rid of the "fatal: write error: Broken pipe"
|
|
message when mailq output is piped into a program that
|
|
terminates early.
|
|
|
|
Cleanup: bounce messages are multipart/mixed with the error
|
|
report as part of the first message segment, because users
|
|
had trouble extracting the delivery error report from the
|
|
attachment.
|
|
|
|
19990423
|
|
|
|
Cleanup: the default junk mail reject code is now 554
|
|
(service unavailable) rather than 550 (user unknown).
|
|
|
|
Folded in the updated dict_ldap.c module by John Hensley,
|
|
Merit Network, USA.
|
|
|
|
Folded in the vstream_popen.c updates by Philip A.
|
|
Prindeville, Mirapoint, Inc., USA. This copies a lot of
|
|
code from pipe_command(); the next step is to trim that
|
|
module.
|
|
|
|
19990425
|
|
|
|
Workaround: renamed config.h to mail_conf.h etc. in order
|
|
to avoid name collisions with LINUX (yes, they have a system
|
|
include file called config.h). For compatibility with people
|
|
who have written software for Postfix, there's a config.h
|
|
that aliases the old names to the new ones. That file will
|
|
go away eventually.
|
|
|
|
19990426
|
|
|
|
Feature: error mailer, in order to easily bounce mail for
|
|
specific destinations. In the transport table, specify:
|
|
"host.domain error:host.domain is unavailable". Too bad
|
|
that the transport table triggers on destination domain
|
|
only; it would be nice to bounce specific users as well.
|
|
|
|
19990427
|
|
|
|
Cleanup: "disable_dns_lookups = yes" now should disable
|
|
all DNS lookups by the SMTP client.
|
|
|
|
19990428
|
|
|
|
Bugfix: with DBM files, Postfix was watching the "dir" file
|
|
modification time for changes. It should be watching the
|
|
"pag" file instead.
|
|
|
|
19990429
|
|
|
|
Cleanup: all callbacks in the master to server API now pass
|
|
on the service name and the application-specific argument
|
|
vector. Files: master/*server.c.
|
|
|
|
19990504
|
|
|
|
Feature: conditional macro expansion. ${name?text} expands
|
|
to text when name is defined, otherwise the result is empty.
|
|
${name:text} expands to text when name is undefined,
|
|
otherwise the result is empty. File: util/mac_expand.c.
|
|
|
|
Feature: conditional macro expansion of the forward_path
|
|
configuration parameters of $user, $home, $shell, $recipient,
|
|
$extension, $domain, $mailbox and $recipient_delimiter.
|
|
Files: local/dotforward.c, local/local_expand.c.
|
|
|
|
19990506
|
|
|
|
Cleanup: eliminated misleading warnings about unknown HELO
|
|
etc. SMTPD restrictions when the HELO etc. information is
|
|
not available. File: smtpd/smtpd_check.c.
|
|
|
|
19990507
|
|
|
|
Feature: all smtpd reject messages now contain the MAIL
|
|
FROM and RCPT TO addresses, if available.
|
|
|
|
19990508
|
|
|
|
Feature: conditional macro expansion of the luser_relay
|
|
configuration parameter. It is no longer possible to specify
|
|
/file/name or "|command" destinations. File: local/unknown.c.
|
|
|
|
Cleanup: changed the mac_parse interface so that the
|
|
application callback routine can return status information.
|
|
Updated the dict_regexp and dict_pcre modules accordingly.
|
|
|
|
Cleanup: changed the mac_expand interface so that the caller
|
|
provides an attribute lookup routine, instead of having to
|
|
provide a copy of all attributes upfront. Files:
|
|
util/mac_expand.c, local/local_expand.c.
|
|
|
|
Feature: control over how address extensions are propagated
|
|
to other addresses. By default, propagation of unmatched
|
|
address extensions is now restricted to canonical and
|
|
virtual mappings. Specify "propagate_unmatched_extensions
|
|
= canonical, virtual, alias, forward, include" to restore
|
|
previous behavior.
|
|
|
|
19990509
|
|
|
|
Feature: USER, EXTENSION, DOMAIN, RECIPIENT (entire address)
|
|
and MAILBOX (address localpart) environment variables are
|
|
exported to shell commands (including mailbox_command).
|
|
|
|
Feature: new command_expansion_filter parameter to control
|
|
what characters may appear in message attributes that are
|
|
exported via environment variables.
|
|
|
|
Cleanup: SMTPD reject messages are more informative, and
|
|
more complete sender/recipient information is logged for
|
|
the local sysadmin.
|
|
|
|
19990510
|
|
|
|
Bugfix: missing MIME header in postmaster bounce notices.
|
|
Found by Samuel Tardieu, Ecole Nationale Superieure des
|
|
Telecommunications, France.
|
|
|
|
Feature: UCE restrictions are always delayed until RCPT
|
|
TO, VRFY or ETRN. To change back to the default specify
|
|
"smtpd_delay_reject = no" in /etc/postfix/main.cf.
|
|
|
|
Bugfix: missing duplicate filter call. This caused too many
|
|
deliveries when a user is listed multiple times in an alias.
|
|
Reported by Hideyuki Suzuki, School of Engineering, University
|
|
of Tokyo. Backed out on 19990512 because it caused problems.
|
|
Fixed 19990513 but needs further study.
|
|
|
|
Feature: it is now possible to move queue files back into
|
|
the maildrop queue, so that they can benefit from changes
|
|
in canonical and virtual mappings. In order to make this
|
|
possible, some restrictions on queue file contents were
|
|
relaxed. Files: pickup/pickup.c, cleanup/cleanup_extracted.c.
|
|
|
|
Feature: made a start with integrating Joerg Henne's
|
|
dictionary extensions to remove entries and to iterate over
|
|
entries. That code is almost four months old by now.
|
|
|
|
19990511
|
|
|
|
Feature: added a "undeliverable postmaster notification
|
|
discarded" warning when mail is dropped on the floor.
|
|
Requested by Michael Hasenstein, SuSE, Germany.
|
|
|
|
19990517
|
|
|
|
Bugfix: reject_non_fqdn_sender/recipient would pass
|
|
user@[ip_address] regardless of destination. Eric Cholet
|
|
had the honor of suffering from this one.
|
|
|
|
19990527
|
|
|
|
More SMTP client logging for easier debugging: the smtp
|
|
client now logs hostname[ip.addr], and logs every failed
|
|
attempt to reach an MX host, not just the last one.
|
|
|
|
19990601
|
|
|
|
Bugfix: emit a blank line before a MIME boundary; the line
|
|
is part of the boundary. File: bounce/bounce_notify_service.c.
|
|
Wolfgang Segmuller, IBM Research.
|
|
|
|
19990610
|
|
|
|
Bugfix: the "is this the loopback interface" test was
|
|
broken. Reported by Claus Fischer @microworld.com.
|
|
File: smtp/smtp_connect.c.
|
|
|
|
Usability: added helpful warnings about restrictions that
|
|
are being ignored after check_relay_domains, etc.
|
|
|
|
Portability: Reliant Unix support by Gert-Jan Looy, Siemens,
|
|
the Netherlands.
|
|
|
|
19990611
|
|
|
|
Robustness: the postfix-script start-up procedure now
|
|
detects a missing master program, avoiding misleading
|
|
warnings that the mail system is already running. Fix
|
|
suggested by David E. Smith @technopagan.org.
|
|
|
|
Portability: Mac OS X Server Port by Mark Miller @swoon.net.
|
|
|
|
Feature: on systems that use dotlock files for mailbox
|
|
locking, the local delivery agent now will attempt to use
|
|
dotlock files when delivering to user-specified files.
|
|
Dotlock files for user-specified destinations are created
|
|
with the privileges of the user. For backwards compatibility,
|
|
Postfix will attempt to create dotlocks for user-specified
|
|
destinations only when the user has parent directory write
|
|
permission.
|
|
|
|
Feature: specify "expand_owner_alias = yes" in order to
|
|
use the right-hand side of an owner- alias, instead of
|
|
using the left-hand side address. Needed by Juergen Georgi.
|
|
|
|
19990622
|
|
|
|
Bugfix: the local delivery agent did not set user attributes
|
|
when delivering to root, so that forward_path did not expand
|
|
properly. Found by Jozsef Kadlecsik, KFKI Research Institute
|
|
for Particle and Nuclear Physics, Hungary. File:
|
|
local/dotforward.c.
|
|
|
|
Bugfix: the unix:passwd.byname mechanism is not suitable
|
|
for smtpd access control - the user name would have to end
|
|
in @, or the access control software would have to be
|
|
changed. Removed the example from the RELEASE_NOTES file.
|
|
|
|
19990623
|
|
|
|
Bugfix: the smtp server did not reset the error flag after
|
|
".". Found by James Ponder, Oaktree Internet Solutions Ltd.
|
|
File: smtpd/smtpd.c.
|
|
|
|
Bugfix: fencepost error in the doze() routine (an usleep()
|
|
replacement for systems without one). Found by Simon J Mudd.
|
|
File: util/doze.c.
|
|
|
|
19990624
|
|
|
|
Portability: support for AIX 3.2.5 (!) by Florian Lohoff
|
|
@rfc822.org.
|
|
|
|
Portability: Ultrix 4.3 support by Christian von Roques
|
|
@pond.sub.org.
|
|
|
|
Feature: mysql support by Scott Cotton and Joshua Marcus,
|
|
Internet Consultants Group, Inc. Files: util/dict_myqsl.*.
|
|
|
|
19990627
|
|
|
|
Bugfix: Postfix is now distributed under the new IBM Public
|
|
License (version 1, dated June 14, 1999).
|
|
|
|
Feature: the Delivered-To: header can be turned off for
|
|
delivery to command or file/mailbox. The default setting
|
|
is: "prepend_delivered_header = command, file, forward".
|
|
Turning off the Delivered-To: header when forwarding mail
|
|
is not recommended.
|
|
|
|
19990628
|
|
|
|
Feature: the postlock command now returns EX_TEMPFAIL
|
|
when the destination file is locked by another process.
|
|
|
|
19990705
|
|
|
|
Workaround: in the SMTP client, move the "mail loops back
|
|
to myself test" from the 220 greeting to the HELO response.
|
|
This change does not weaken the test, and makes Postfix
|
|
more robust against broken software that greets with the
|
|
client hostname.
|
|
|
|
19990706
|
|
|
|
Workaround: in the INSTALL file, use `&&' instead of `;'
|
|
in (cd path; tar ...) pipelines because some UNIX re-invented
|
|
shells don't bail out when cd fails. Matthias Andree
|
|
@stud.uni-dortmund.de.
|
|
|
|
19990709
|
|
|
|
Bugfix: $user was not set when delivering to a non-user.
|
|
Found by Vladimir Ulogov @ rohan.control.att.com when
|
|
configuring a luser_relay that contained $user.
|
|
|
|
19990714
|
|
|
|
Robustness: add PATH statement to Solaris2 chroot setup
|
|
script to avoid running the ucb commands. Problem found
|
|
by Panagiotis Astithas @ ece.ntua.gr.
|
|
|
|
19990721
|
|
|
|
Bugfix: don't claim a "mail loops to myself" error when
|
|
the best MX host was not found in the DNS. Found by Andrew
|
|
McNamara, connect.com.au Pty Ltd. File: smtp/smtp_addr.c.
|
|
|
|
19990810
|
|
|
|
Feature: added "-c config_dir" support to the postconf
|
|
command. This probably means that "-f file" will never be
|
|
implemented.
|
|
|
|
19990812
|
|
|
|
Bugfix: showq didn't print properly when listing a maildrop
|
|
file. Fix by: Andrew McNamara, connect.com.au Pty Ltd.
|
|
File: showq/showq.c.
|
|
|
|
Feature: added SENDER to the list of parameters exported
|
|
to external commands. File: local/command.c. Code by: Lars
|
|
Hecking, National Microelectronics Research Centre, Ireland.
|
|
|
|
19990813
|
|
|
|
Bugfix: sendmail -t (extract recipients from headers) did not
|
|
work when the always_bcc feature was turned on. Reported
|
|
by: Denis Shaposhnikov @ neva.vlink.ru.
|
|
|
|
19990813
|
|
Bugfix: "sendmail -bd" returns a bogus exit status (the child
|
|
process ID). Fix by Lamont Jones of Hewlett-Packard. File:
|
|
sendmail/sendmail.c.
|
|
|
|
19990824
|
|
|
|
Bugfix: null pointer dereference while rejecting VRFY before
|
|
MAIL FROM. Found by Laurent Wacrenier @ fr.clara.net.
|
|
|
|
19990826
|
|
|
|
Portability: more MacOS X Server patches; some NEXTSTEP/OPENSTEP
|
|
code that had been removed for the first public beta release;
|
|
NEXTSTEP/OPENSTEP now defaults to netinfo for the aliases
|
|
database. Submitted by Gerben Wierda.
|
|
|
|
Portability: workaround for a FreeBSD 3.x active network
|
|
interface without IP address by Pierre Beyssac @ enst.fr.
|
|
File: inet_addr_local.c.
|
|
|
|
19990831
|
|
|
|
Workaround: sendmail now prints a warning when installed
|
|
set-uid or when run by a set-uid command. Reportedly, the
|
|
linuxconf software turns on the set-uid bit, which could
|
|
open up a security loophole. File: sendmail/sendmail.c.
|
|
|
|
Bugfix: Postfix daemons now temporarily lock DB/DBM files
|
|
while opening them, in order to avoid "invalid argument"
|
|
errors because some other process is changing the file.
|
|
Files: util/dict_db.c, util/dict_dbm.c.
|
|
|
|
Robustness: Postfix locks queue files during delivery, to
|
|
prevent duplicate delivery when "postfix reload" is
|
|
immediately followed by "sendmail -q". This involves a
|
|
change of the deliver_request interface: delivery agents
|
|
no longer need to open and close queue files explicitly.
|
|
Files: global/deliver_request.c, pipe/pipe.c, smtp/smtp.c,
|
|
local/local.c, qmgr/qmgr_active.c, qmgr/qmgr_message.c.
|
|
|
|
Feature: reject_unauth_destination SMTP recipient restriction
|
|
that rejects destinations not in $relay_domains. By Lamont
|
|
Jones of Hewlett-Packard. File: smtpd/smtpd_check.c.
|
|
|
|
Security: do not allow weird characters in the expansion
|
|
of $names that appear in $forward_path. Just like with
|
|
shell commands, replace bad characters in expansions by
|
|
underscores. Configuration parameter: forward_expansion_filter.
|
|
|
|
19990902
|
|
|
|
Documentation: added a sample postfix alias to the examples
|
|
in the INSTALL document and in the conf/aliases file.
|
|
Reminded by Simon J. Mudd @ alltrading.com.
|
|
|
|
19990903
|
|
|
|
Bugfix: in case of some error conditions the pickup daemon
|
|
could leak small amounts of memory.
|
|
|
|
19990905
|
|
|
|
Bugfix: no more "skipping further client input" warnings
|
|
when a message header is rejected.
|
|
|
|
Feature: reject_unauth_pipelining SMTP restriction that
|
|
rejects mail from clients that improperly use SMTP command
|
|
pipelining.
|
|
|
|
Robustness: the LDAP client by default no longer looks up
|
|
names containing "*". See the lookup_wildcards feature in
|
|
LDAP_README. Update by John Hensley.
|
|
|
|
Documentation: address masquerading with exceptions FAQ by
|
|
Jim Seymour @ jimsun.LinxNet.com.
|
|
|
|
Bugfix: mysql reconnect after disconnect by Scott Cotton
|
|
Internet Consultants Group, Inc. File: util/dict_myqsl.c.
|
|
|
|
Portability: the Postfix to PCRE interface now expects
|
|
version 2.08. Postfix is no longer compatible with PCRE
|
|
versions before 2.6.
|
|
|
|
19990906
|
|
|
|
Feature: INSTALL.sh script that makes Postfix installation
|
|
a bit less painful. This script can be used for installing
|
|
and for upgrading Postfix. It replaces files instead of
|
|
overwriting them, and leaves existing configuration and
|
|
queue files intact.
|
|
|
|
19990907
|
|
|
|
Bugfix: reject_non_fqdn_sender used the wrong test to see
|
|
if a sender address was given and could dump core. This
|
|
must have been broken ever since the UCE tests were moved
|
|
to the RCPT TO stage in 19990510.
|
|
|
|
Bugfix: check_sender_access was recognized as a valid
|
|
restriction name only if a sender had been specified.
|
|
|
|
19990908
|
|
|
|
Portability: Unixware has <sysexits.h> only after sendmail
|
|
is installed. Changed postlock.c to use global/sys_exits.h.
|
|
|
|
19990909
|
|
|
|
Performance: added one-entry cache to the address rewriting
|
|
client and to the address resolving client. This is because
|
|
UCE restrictions tend to produce the same query repeatedly.
|
|
Files: global/rewrite_clnt.c, global/resolve_clnt.c.
|
|
|
|
Feature: the UCE restrictions are now fully recursive so
|
|
you can have per-client/helo/sender/recipient restrictions.
|
|
Instead of OK, REJECT or [45]xx, you can specify a sequence
|
|
of restrictions on the right-hand side of an SMTPD access
|
|
table. This means you can no longer use canonical/virtual/alias
|
|
maps as SMTPD access tables. But the loss is compensated
|
|
for. File: smtpd/smtpd_access.c.
|
|
|
|
Feature: restriction classes, essentially a short-hand for
|
|
restriction lists. These short hands are useful mostly on
|
|
the right-hand side of SMTPD access tables. You must use
|
|
restriction classes in order to have lookup tables on the
|
|
right-hand side of an SMTPD access table. File:
|
|
smtpd/smtpd_access.c.
|
|
|
|
Feature: "permit_recipient_map maptype:mapname" permits a
|
|
recipient address when it matches the specified table.
|
|
Lookups are done just as with canonical/virtual maps. With
|
|
this, you can also use passwd/aliases as SMTPD access maps.
|
|
File: smtpd/smtpd_access.c.
|
|
|
|
19990910
|
|
|
|
Changed "permit_address_map" into "permit_recipient_map"
|
|
and added a test for the case that they specify a lookup
|
|
table on the right-hand side of an SMTPD access map.
|
|
File: smtpd/smtpd_access.c.
|
|
|
|
Cleanup: removed spurious sender address checks for <>.
|
|
File: smtpd/smtpd_check.c.
|
|
|
|
Cleanup: the smtp client now consistently logs host[address]
|
|
for all connection attempts.
|
|
|
|
19990919
|
|
|
|
Feature: in an SMTPD access map, an all-numeric right-hand
|
|
side now means OK, for better cooperation with out-of-band
|
|
authentication mechanisms.
|
|
|
|
19990922
|
|
|
|
Security: recipient addresses must not start with '-', in
|
|
order to protect external commands. The old behavior is
|
|
re-instated when main.cf specifies: "allow_min_user =
|
|
yes". Credits to Mads Kiilerich @ Kiilerich.com. File:
|
|
qmgr/qmgr_message.c.
|
|
|
|
Bugfix: after 19990831, the queue manager would throw away
|
|
defer logs after deferring mail to known-to-be-dead hosts
|
|
or message transports. This means that in some cases, mailq
|
|
would not show why mail is delayed, and that delayed mail
|
|
could be sent back with recipients missing from the error
|
|
report. Reported by Giulio Orsero @ tiscalinet.it.
|
|
|
|
19990923
|
|
|
|
Bugfix: the above bugfix broke bounces of mail with bad
|
|
address syntax and relocated users. Problem diagnosed by
|
|
Dick Porter @ acm.org.
|
|
|
|
Documentation: added DO NOT EDIT THIS FILE. EDIT MAIN.CF
|
|
INSTEAD notices to the sample-xxx.cf files.
|
|
|
|
19991007
|
|
|
|
Compatibility: ignore the sendmail -U (initial user
|
|
submission) option. Thomas Quinot @ cuivre.fr.eu.org.
|
|
|
|
19991103
|
|
|
|
Code cleanup: don't send postmaster notifications when an
|
|
SMTP client sends a DATA command while no recipients were
|
|
accepted. This can happen when a pipelined client runs
|
|
into an UCE block. File: smtpd/smtpd.c.
|
|
|
|
19991104
|
|
|
|
Robustness: do not apply UCE header checks to mail that is
|
|
generated by Postfix (bounces, forwarded mail etc.). Files:
|
|
smtpd/smtpd.c, pickup/pickup.c, cleanup/cleanup_message.c.
|
|
|
|
Robustness: new generic watchdog module that can deal with
|
|
clocks that jump occasionally. Files: util/watchdog.c,
|
|
master/master.c, master/{single,multi,trigger}_server.c.
|
|
This hopefully ends the false watchdog alarms that happen
|
|
when clocks are set or when laptops are resumed.
|
|
|
|
Code cleanup: BSMTP requires dot quoting as per RFC 821.
|
|
Based on code by Florian Lohoff @ rfc822.org. Files:
|
|
global/mail_copy.[hc], pipe/pipe.c.
|
|
|
|
19991105
|
|
|
|
Bugfix: the crufty code in inet_addr_local() did not find
|
|
IP aliases. File: util/inet_addr_local.c.
|
|
|
|
Portability: the INSTALL.sh utility did not find users or
|
|
groups in NIS or Netinfo tables. The script no longer
|
|
searches the /etc/passwd and /etc/group files. Instead it
|
|
now queries the unix:passwd.byname and unix:group.byname
|
|
maps. For this, a -q (query) option was added to postmap
|
|
(and to postalias, for symmetry). Files: util/dict_unix.c,
|
|
postalias/postalias.c, postmap/postmap.c, INSTALL.sh.
|
|
|
|
Bugfix: LDAP lookup timeout settings were ignored. Patch
|
|
by John Hensley. File: util/dict_ldap.c.
|
|
|
|
19991108
|
|
|
|
Bugfix: when doing a fresh install, INSTALL.sh didn't set
|
|
main.cf:mail_owner properly (Simon J. Mudd).
|
|
|
|
19991109
|
|
|
|
Bugfix: when doing a fresh install, INSTALL.sh no longer
|
|
worked (missing main.cf file). Fix: add "-c" argument to
|
|
the postmap commands (Lars Hecking @ nmrc.ucc.ie).
|
|
|
|
Documentation: removed spurious "do not edit" comments from
|
|
the sample pcre and regexp configuration files.
|
|
|
|
19991110-13
|
|
|
|
Code cleanup: greatly simplified the SMTPD command parser
|
|
and somewhat simplified the code that groks RFC 822-style
|
|
address syntax in MAIL FROM and RCPT TO commands.
|
|
|
|
New parameter: strict_rfc821_envelopes (default: no) to
|
|
reject RFC 822 address forms (with comments etc.) in SMTP
|
|
envelopes. By default, the Postfix SMTP server only logs
|
|
a warning.
|
|
|
|
19991113
|
|
|
|
Oops, also updated the SMTP VRFY code in the light of
|
|
changes to the SMTPD command parser.
|
|
|
|
Cleanup: the local delivery agent now explicitly rejects
|
|
recipients with an empty username.
|
|
|
|
19991114
|
|
|
|
Workaround: with some gawk versions, postconf/extract.awk
|
|
reportedly returns a non-zero exit status upon success.
|
|
Added an explicit exit(0) statement.
|
|
|
|
19991115
|
|
|
|
Feature: DNS TXT record lookup support, based on initial
|
|
code by Simon J Mudd. File: dns/dns_lookup.c.
|
|
|
|
Feature: RBL TXT record lookups, based on initial code by
|
|
Simon J Mudd. File: smtpd/smtpd_check.c.
|
|
|
|
Feature: permit_auth_destination restriction based on code
|
|
by Jesper Skriver @ skriver.dk.
|
|
|
|
Code cleanup: the transport table now can override all
|
|
deliveries, including local ones.
|
|
|
|
19991116
|
|
|
|
Code cleanup: a new "local_transports" configuration
|
|
parameter explicitly lists all transports that deliver mail
|
|
locally. The first name listed there is the default local
|
|
transport. This is the end of the "empty next-hop hostname"
|
|
hack to indicate that a destination is local. Files:
|
|
trivial-rewrite/resolve.c, global/local_transport.[hc]
|
|
|
|
Feature: "postconf -m" shows what lookup table types are
|
|
available. Code by Scott Cotton, Internet Consultants
|
|
Group, Inc.
|
|
|
|
Feature: "postconf -e" edits any number of main.cf parameters.
|
|
The edit is done on a copy, and the copy is renamed into
|
|
the place of the original. File: postconf/postconf.c,
|
|
util/readlline.[hc].
|
|
|
|
19991117
|
|
|
|
Portability: SunOS 4 has no SA_RESTART. File: util/watchdog.c.
|
|
|
|
Feature: on systems with h_errno, the "reject_unknown_client"
|
|
restriction now distinguishes between soft errors (always
|
|
reply with 450) and hard errors (use the user-specified
|
|
reply code). This should lessen the load by broken mailers
|
|
that re-connect once a minute.
|
|
|
|
Feature: forward/reverse name/address check for SMTP client
|
|
hostnames. This fends off some hypothetical attacks by
|
|
spammers who are in control of their own reverse mapping.
|
|
|
|
Robustness: postconf no longer aborts when it can't figure
|
|
out the local domain name; it prints a warning instead.
|
|
This allows you to use "postconf -e" to fix the problem.
|
|
|
|
19991118
|
|
|
|
Bugfix: the RFC822 address parser would misparse a leading
|
|
\ as an atom all by itself. Problem reported by Keith
|
|
Stevenson @ louisville.edu. File: global/tok822_parse.c.
|
|
|
|
19991119
|
|
|
|
Bugfix: tiny memory leak in pipe_command() when fork()
|
|
fails. File: global/pipe_command.c.
|
|
|
|
19991120
|
|
|
|
Bugfix: reversed test for all-numerical results in SMTPD
|
|
access maps. File: smtpd/smtpd_check.c.
|
|
|
|
19991121
|
|
|
|
Robustness: INSTALL.sh no longer uses postmap for sanity
|
|
checks.
|
|
|
|
Feature: INSTALL.sh now has an install_root option.
|
|
|
|
Bugfix: INSTALL.sh now installs manual pages with proper
|
|
permissions and ownership.
|
|
|
|
Bugfix: the LDAP client did not properly escape special
|
|
characters in lookup keys (patch by John Hensley). File:
|
|
util/dict_ldap.c.
|
|
|
|
19991122
|
|
|
|
Bugfix: missing absolute path in INSTALL.sh broke fresh
|
|
install.
|
|
|
|
19991124
|
|
|
|
Bugfix: the local delivery agent's recipient duplicate
|
|
filter did not work when configured to use unlimited memory
|
|
(which is not a recommended setting). Patrik Rak @raxoft.cz.
|
|
|
|
19991125
|
|
|
|
Bugfix: postconf didn't have an umask(022) call at the
|
|
beginning (problem experienced by Matthias Andree).
|
|
|
|
19991126
|
|
|
|
Bugfix: DNS TXT records now have string lengths before text
|
|
(Mark Martinec @ nsc.ijs.si).
|
|
|
|
19991127
|
|
|
|
Update: the LDAP client code now supports escapes as per
|
|
RFC2254 (John Hensley).
|
|
|
|
19991207
|
|
|
|
Performance: one message with many recipients no longer
|
|
stops other mail from being delivered. The queue manager
|
|
now frees in-memory recipients as soon as a message is
|
|
delivered to one destination, rather than waiting until
|
|
all in-memory destinations of that message have been tried.
|
|
Patch by Patrik Rak @ raxoft.cz. Files: qmgr/qmgr_entry.c,
|
|
qmgr/qmgr_message.c.
|
|
|
|
Performance: when delivering mail to a huge list of
|
|
recipients, the queue manager now reads more recipients
|
|
from the queue file before delivery concurrency drops too
|
|
low. Files: qmgr/qmgr_entry.c, qmgr/qmgr_message.c.
|
|
|
|
19991208
|
|
|
|
Updated LDAP client code by John Hensley with escape
|
|
sequences as per RFC 2254. File: util/dict_ldap.c.
|
|
|
|
Updated MYSQL client code by Scott Cotton. File: dict_mysql.c.
|
|
|
|
Feature: added -N/-n options to include/exclude terminating
|
|
nulls in keys and values in postmap/postalias DB or DBM
|
|
files. Normally, Postfix uses whatever is appropriate for
|
|
the host system. A non-default setting can be necessary
|
|
for inter-operability with third-party software.
|
|
|
|
Bugfix: the local delivery agent would deliver to the user
|
|
instead of the .forward file when the .forward file was
|
|
already visited via some non-recursive path. Patch by Patrik
|
|
Rak @ raxoft.cz. Files: global/been_here.c, local/dotforward.c.
|
|
|
|
Robustness: attempt to deliver all addresses in the expansion
|
|
of an alias or .forward file, even when some addresses must
|
|
be deferred. File: local/token.c.
|
|
|
|
19991211
|
|
|
|
Performance: qmgr_fudge_factor controls what percentage of
|
|
delivery resources Postfix will devote to one message.
|
|
With 100%, delivery of one message does not begin before
|
|
delivery of the previous message is completed. This is good
|
|
for list performance, bad for one-to-one mail. With 10%,
|
|
response time for one-to-one mail improves much, but list
|
|
performance suffers. In the worst case, people near the
|
|
start of a mailing list get a burst of postings today,
|
|
while people near the end of the list get that same burst
|
|
of postings a whole day later. Files: qmgr/qmgr_message.c,
|
|
qmgr/qmgr_entry.c.
|
|
|
|
Bugfix: address rewriting would panic on a lone \ at the
|
|
end of a line where an address was expected. Jason Hoos @
|
|
thwack.net. File: global/rewrite_clnt.c.
|
|
|
|
19991215
|
|
|
|
Bugfix: the strict RFC821 envelope address check should
|
|
not be applied to VRFY commands. File: smtpd/smtpd.c.
|
|
|
|
Cleanup: permit_recipient_maps is gone, because that could
|
|
only be used inside UCE restrictions.
|
|
|
|
19991216
|
|
|
|
Feature: allow an empty inet_interfaces parameter, just
|
|
like an empty mydestination parameter. It's needed for true
|
|
null clients and for firewalls that deliver no local mail.
|
|
|
|
Feature: "disable_vrfy_command = yes" disables some forms
|
|
of address harvesting used by spammers.
|
|
|
|
Workaround: added the alias map parameter definition to
|
|
the smtpd code. This is a symptom of a general problem
|
|
with parameters that have non-empty default values: unless
|
|
a program explicitly defines such a parameter, the parameter
|
|
defaults to the empty string when used in other parameters.
|
|
There's also a problem with evaluation order.
|
|
|
|
Feature: the SMTP server rejects mail for unknown users in
|
|
virtual domains that are defined by Postfix virtual domain
|
|
files. File: smtpd/smtpd_check.c.
|
|
|
|
Feature: reject mail for unknown local users at the SMTP
|
|
port. The local_recipient_maps configuration parameter
|
|
specifies maps with all addresses that are local with
|
|
respect to $mydestination or $inet_interfaces. Example:
|
|
"local_recipient_maps = $alias_maps unix:passwd.byname".
|
|
This feature is disabled by default. You may have to copy
|
|
the passwd file into the chroot jail. File: smtpd/smtpd_check.c.
|
|
|
|
Feature: the sendmail -f option now understands '<user>'
|
|
and even understands address forms with RFC 822-style
|
|
comments.
|
|
|
|
19991217
|
|
|
|
Cleanup: no more UCE checks for VRFY commands. It still
|
|
reports unknown local/virtual users. File: smtpd/smtpd_check.c.
|
|
|
|
Robustness: upon Postfix startup, report discrepancies
|
|
between system files inside and outside the chroot jail.
|
|
Files: conf/postfix-script-nosgid, conf/postfix-script-sgid.
|
|
|
|
19991218
|
|
|
|
Cleanup: INSTALL.sh produces relative symlinks, which is
|
|
necessary when install_root is not /.
|
|
|
|
19991219
|
|
|
|
Documentation: completely reorganized the FAQ and added
|
|
many new entries. Rewrote the UCE html documentation.
|
|
|
|
Cleanup: INSTALL.sh uses a configurable directory for
|
|
scratch files, so that it can install from a file system
|
|
that is not writable by the super-user.
|
|
|
|
Cleanup: INSTALL.sh gives helpful hints when the "mv"
|
|
command is unable to move symlinks across file system
|
|
boundaries.
|
|
|
|
19991220
|
|
|
|
Cleanup: it is no longer necessary to list $virtual_maps
|
|
as part of the relay_domains definition. The SMTP server
|
|
now by default accepts mail for destinations that match
|
|
$inet_interfaces, $mydestination or $virtual_maps, whether
|
|
or not these are specified in relay_domains. We still need
|
|
the ugly "virtual.domain whatever" hack in the virtual
|
|
maps. Files: smtpd/smtpd_check.c and lots of documentation
|
|
and sample config files.
|
|
|
|
19991221
|
|
|
|
Removed cyrus -q flag (ignore quotas) from the sample
|
|
master.cf file.
|
|
|
|
19991223
|
|
|
|
Bugfix: smtpd should not check for unknown users when
|
|
running in stand-alone (sendmail -bs) mode. Problem
|
|
experienced by Chuck Mead. File: smtpd/smtpd.c.
|
|
|
|
Retraction: the "local_transports" configuration parameter
|
|
is gone. Adjusted code and documentation accordingly.
|
|
Instead, use just one "local_transport" parameter with the
|
|
name of the default local transport. Files: smtpd/smtpd_check.c,
|
|
qmgr/qmgr_message.c, trivial-rewrite/ resolve.c, local/resolve.c.
|
|
|
|
Feature: Postfix SMTPD now insists that the smtpd recipient
|
|
restrictions contain at least one restriction that by
|
|
default rejects mail. This should make it much more difficult
|
|
to change Postfix into an open relay. File: smtpd/smtpd_check.c.
|
|
|
|
Retraction: null-length inet_interfaces is too confusing.
|
|
|
|
19991224
|
|
|
|
Bugfix: the relative symlink code in INSTALL.sh computed
|
|
the ../ prefix from the wrong pathname.
|
|
|
|
1999122[5-7]
|
|
|
|
Feature: "allow_untrusted_routing = no" (default) prevents
|
|
forwarding of source-routed mail from untrusted clients to
|
|
destinations that are blessed by the relay_domains parameter
|
|
(example: user@domain2@domain1 etc.). This plugs a mail
|
|
relay loophole where a backup MX host forwards junk mail
|
|
to a primary MX host which forwards the junk to the Internet.
|
|
Files: global/quote_822_local.c, smtp/quote_821_local.c,
|
|
trivial-rewrite/rewrite.c, trivial-rewrite/resolve.c,
|
|
smtp/smtpd_check.c.
|
|
|
|
In order to make this possible, the Postfix resolver data
|
|
structure and protocol has changed, so that all resolver
|
|
clients need to be re-compiled.
|
|
|
|
Side effect from the above change: from now on, an address
|
|
with @ in the recipient localpart no longer bounces with
|
|
"user unknown" but instead is rejected with "relay access
|
|
denied" or "source-routed relay access denied".
|
|
|
|
19991227
|
|
|
|
Workaround: the BSD/OS "mkdir -p" and "cmp -s" commands
|
|
misbehave on boundary cases: directory exists or file does
|
|
not exist. Those who re-invent...
|
|
|
|
19991229
|
|
|
|
Added the no source routing info requirement to addresses
|
|
accepted by the permit_mx_backup UCE restriction.
|
|
|
|
19991230
|
|
|
|
Added a spawn daemon (not compiled and installed by default)
|
|
to enable LMTP delivery over UNIX-domain sockets. The goal
|
|
is to simplify the experimental LMTP delivery agent by
|
|
ripping out the privileged code that forks the LMTP server.
|
|
|
|
20000102
|
|
|
|
Clarified documentation after early feedback on the 19991231
|
|
release by Drew Derbyshire, Ollivier Robert, Khetan Gajjar.
|
|
|
|
Sanity check: a common error is to list Postfix virtual
|
|
domains in the mydestination parameter. This causes the
|
|
new optional local_recipient_maps feature to reject mail
|
|
for virtual users. The SMTP server now explicitly tests
|
|
for this common error and logs a warning instead of refusing
|
|
the mail. File: smtpd/smtpd_check.c.
|
|
|
|
20000104
|
|
|
|
Bugfix: a case sensitivity bug had slipped through in the
|
|
anti-relaying code, causing mail for USER@VIRTUAL.DOMAIN
|
|
to be rejected with "relay access denied". This was found
|
|
by Jim Maenpaa @ jmm.com.
|
|
|
|
Questionable feature: set "smtp_skip_5xx_greeting = yes"
|
|
to make Postfix more sendmail compatible, even though this
|
|
is wrong, IMNSHO. File: smtp/smtp_connect.c.
|
|
|
|
Portability: Ultrix patch from Simon Burge @ thistledown.com.au.
|
|
|
|
Portability: Siemens Pyramid (dcosx) patch by Thomas D.
|
|
Knox @ vushta.com.
|
|
|
|
Performance: FreeBSD has bidirectional pipes that are faster
|
|
than socketpairs. Anticipating on more platform-specific
|
|
optimizations, all duplex pipe plumbing is now isolated in
|
|
a duplex_pipe.c module that provides a system-independent
|
|
interface.
|
|
|
|
20000105
|
|
|
|
Cleanup: the INSTALL.sh script now updates the sample files
|
|
in /etc/postfix even when main.cf exists.
|
|
|
|
20000106
|
|
|
|
Bugfix: the SMTP server should consult the relocated map
|
|
for virtual destinations (Denis Shaposhnikov). Files:
|
|
smtpd/smtpd.c smtpd/smtpd_check.c.
|
|
|
|
20000108
|
|
|
|
Workaround: rename() over NFS can fail with ENOENT even
|
|
when the operation succeeds (Graham Orndorff @ WebTV). This
|
|
is not news. Any non-idempotent operation can fail over
|
|
NFS when the NFS server's acknowledgment is lost and the
|
|
NFS client code retries the operation (other examples are:
|
|
create, symlink, link, unlink, mkdir, rmdir). Postfix has
|
|
workarounds for the cases where this is most likely to
|
|
cause trouble. Files: util/sane_{rename,link}.[hc]. If
|
|
you want reliable mail system, do not use NFS.
|
|
|
|
20000115
|
|
|
|
Workaround: better detection of bad hardware. Added SIGBUS
|
|
to the list of signals that the master will log before
|
|
exiting.
|
|
|
|
20000122
|
|
|
|
Portability: preliminary SCO5 port Christopher Wong @
|
|
csports.com. This still needs to a workaround for "find"
|
|
not supporting "-type s" (actually, UNIX-domain sockets
|
|
have no unique representation in the file system and show
|
|
up as FIFOs).
|
|
|
|
20000115-22
|
|
|
|
Bugfix: in case of a too long message header, don't extract
|
|
recipients from message headers. With the previous behavior,
|
|
Bcc information could be left in the message body, as one
|
|
person found out the hard way. Files: cleanup/cleanup.c,
|
|
cleanup/cleanup_extracted.c, global/cleanup_user.h.
|
|
|
|
20000124
|
|
|
|
Whatever: RFC 1869 amends RFC 821 and specifies that code
|
|
555 is to be used when a MAIL FROM or RCPT TO parameter is
|
|
not implemented or not recognized. Russ Allbery @stanford.edu.
|
|
This reply code is added to the list of reply codes that
|
|
cause the Postfix SMTP client to mail a transcript to the
|
|
postmaster. File: smtp/smtp_trouble.c.
|
|
|
|
20000126
|
|
|
|
Emergency feature: qmgr_site_hog_factor (default: 90 percent)
|
|
limits the amount of resources that Postfix devotes to a
|
|
single destination. With less than 100, Postfix defers the
|
|
excess mail so that one site with a large backlog does not
|
|
block other deliveries. Files: qmgr/qmgr.c, qmgr/qmgr_message.c.
|
|
|
|
20000128
|
|
|
|
Cleanup: the queue manager no longer replaces the nexthop
|
|
field by the recipient localpart when a destination matches
|
|
$mydestination/$inet_interfaces. The price is the introduction
|
|
of a new parameter local_destination_recipient_limit which
|
|
defaults to 1 in order to maintain backwards compatibility.
|
|
Files: qmgr/qmgr.c, qmgr/qmgr_message.c.
|
|
|
|
20000129
|
|
|
|
Bugfix: extracted recipients were misfiled when a message
|
|
was moved back to the maildrop queue. But they still worked
|
|
due to a coincidence.
|
|
|
|
Feature: bounce_recip() bounces a recipient immediately
|
|
without accessing a bounce logfile. This is necessary for
|
|
VERP bounces, for bounces by delivery agents that change
|
|
the sender address, and for bounces that for some reason
|
|
must not use temporary logfiles. Files: global/bounce.c,
|
|
bounce/bounce_recip_service.c.
|
|
|
|
20000130
|
|
|
|
Bugfix: the too long header fix of 20000115-22 lost mail
|
|
with too long headers that didn't need to extract recipients
|
|
from message headers.
|
|
|
|
Bugfix: the too long header fix of 20000115-22 lost mail
|
|
without (blank line + message body).
|
|
|
|
Code rewrite: reorganized the cleanup daemon source code
|
|
so that the cleanup service can be called one record at a
|
|
time (see cleanup/cleanup_api.c); also got rid of the global
|
|
state variables and fixed a couple bugs that were introduced
|
|
with 20000115-22.
|
|
|
|
20000204
|
|
|
|
Feature: in daemon mode, the MAIL FROM size check can be
|
|
postponed until RCPT TO so that Postfix can log sender and
|
|
recipient. Simon J Mudd. Files: smtpd/smtpd.c
|
|
|
|
Robustness: limit the number of recipient addresses that
|
|
can be extracted from message headers. Parameter:
|
|
extract_recipient_limit (default: 10240). Files:
|
|
cleanup/cleanup_message.c, cleanup/cleanup_extracted.c.
|
|
|
|
Cleanup: the message header reject logging now includes
|
|
sender and recipient address (if possible), so that the
|
|
logging looks more like the other reject logging. File:
|
|
cleanup/cleanup_message.c.
|
|
|
|
Documentation: added sections on regular expression tables
|
|
to the access, canonical, virtual, transport and relocated
|
|
man pages, and write new man pages that are specific to
|
|
regular expressions: pcre_table.5 and regexp_table.5.
|
|
|
|
20000214
|
|
|
|
Bugfix: postconf reported some parameters more than once
|
|
because the parameter extracting script didn't recognize
|
|
lines that differ in whitespace only. File: postconf/extract.awk.
|
|
Reported by Kenn Martin.
|
|
|
|
20000221
|
|
|
|
Logging: the SMTP client now logs log host+port when it is
|
|
unable to connect to a non-MX host, just like it logs
|
|
host+port when unable to connect to an MX host.
|
|
|
|
20000226
|
|
|
|
Bugfix: the SMTP server's "User unknown" test didn't notice
|
|
LDAP etc. dictionary access errors. The code now reports
|
|
a 450 status (try again instead of bounce) if the reply is
|
|
not definitive. File: smtp/smtpd_check.c.
|
|
|
|
Robustness: the smtp-source program could stall when making
|
|
hundreds of parallel connections to a Postfix system with
|
|
only one SMTP server process. The fix is to use non-blocking
|
|
connect() calls, very carefully. File: smtpstone/smtp-source.c.
|
|
|
|
20000303
|
|
|
|
Feature: with smtp_always_send_ehlo the SMTP client will
|
|
send EHLO regardless of the content of the SMTP server's
|
|
greeting. File: smtp/smtp_proto.c.
|
|
|
|
20000304
|
|
|
|
Feature: DICT_FLAG_SYNC_UPDATE flag for synchronous dictionary
|
|
updates, if supported by the underlying mechanism. Files:
|
|
util/dict.h, util/dict_open.c, util/dict_db.c.
|
|
|
|
20000307
|
|
|
|
Cleanup: the manual pages in Postfix configuration files
|
|
no longer contain troff formatting codes. The text is now
|
|
generated from prototype files in a new "proto" subdirectory.
|
|
Requested by Matthias Andree @ stud.uni-dortmund.de.
|
|
|
|
20000308
|
|
|
|
Bugfix: the unused db and dbm "delete" routines would
|
|
clobber the per-dictionary flags when called before reading
|
|
or writing the table. Files: util/dict_dbm.c, util/dict_db.c.
|
|
Lutz Jaenicke @ aet.TU-Cottbus.DE.
|
|
|
|
Bugfix: the SMTP server would produce a cryptic message
|
|
when a queue file write error happened before it had written
|
|
any recipients. Keith Stevenson. File: smtpd/smtpd.c.
|
|
|
|
Robustness: the db and dbm "delete" routines didn't adjust
|
|
to dictionaries with/without one trailing null in lookup
|
|
keys and values. Did a complete rewrite of the routines.
|
|
Files: util/dict_db.c, util/dict_dbm.c.
|
|
|
|
Feature: specify "-d key" to postalias or postmap in order
|
|
to remove one key. This still needs to be generalized to
|
|
multi-key removal (read stdin?). Files: postmap/postmap.c,
|
|
postalias/postalias.c.
|
|
|
|
Test: added test targets for the dictionary delete operations.
|
|
Files: util/Makefile.in, util/dict_test.{c,in,ref}.
|
|
|
|
Feature: added data offset and recipient count fields to
|
|
the first queue file record output from the cleanup daemon.
|
|
The recipient counts provides an initial estimate for a
|
|
more advanced queue manager scheduling algorithm. Files:
|
|
cleanup/cleanup_envelope.c, cleanup/cleanup_extracted.c.
|
|
|
|
20000311
|
|
|
|
Portability: HP-UX awk can't handle bare { in regexps
|
|
(Lamont Jones. HP). File: postconf/extract.awk.
|
|
|
|
Compatibility: sendmail now recognizes '.' as end of input.
|
|
File: sendmail/sendmail.c.
|
|
|
|
20000313
|
|
|
|
Compatibility: dtcm (CDE desktop calendar manager) leaks
|
|
a file descriptor into its child process, and requires that
|
|
sendmail closes the descriptor, otherwise mail notification
|
|
will hang. These GUI programmers never figured out that
|
|
the child process must close the writing end of a pipe.
|
|
File: sendmail/sendmail.c.
|
|
|
|
20000314
|
|
|
|
Feature: SASL authentication in the SMTP server and client.
|
|
Based on code contributed by Till Franke, SuSE. Specify:
|
|
"smtpd_sasl_auth_enable = yes" and "smtp_sasl_auth_enable
|
|
= yes". The "permit_sasl_authenticated" UCE restriction
|
|
gives special treatment to authenticated clients.
|
|
|
|
20000315
|
|
|
|
Workaround: added -blibpath option for AIX 4.x, to close
|
|
hole in case postdrop needs to be set-gid.
|
|
|
|
20000320
|
|
|
|
Portability: FreeBSD 5.x added to the list of supported
|
|
systems (Mark Huizer).
|
|
|
|
20000323
|
|
|
|
Portability: INSTALL.sh looks if sendmail is in /usr/lib
|
|
rather than in /usr/sbin.
|
|
|
|
20000326
|
|
|
|
Bugfix: settings in one mysql configuration file would act
|
|
as the implicit defaults for the next one, which could be
|
|
confusing. Patch by Scott Cotton. File: util/dict_mysql.c.
|
|
|
|
Robustness: limit the number of "junk" commands that can
|
|
be issued in an SMTP session (ex.: NOOP, VRFY, ETRN, RSET).
|
|
Problem report by Michael Ju. Tokarev @ tls.msk.ru. Files:
|
|
global/mail_params.h, smtpd/smtpd.c.
|
|
|
|
20000413
|
|
|
|
Portability: more MacOS X patches by Gerben Wierda.
|
|
|
|
Bugfix: RFC 822 requires the presence of at least one
|
|
destination message header. The cleanup daemon now generates
|
|
a generic "To: undisclosed-recipients:;" message header
|
|
when no destination header is present. The header content
|
|
is specified with the undisclosed_recipients_header parameter.
|
|
Problem pointed out by Geoff Gibbs, UK-Human Genome Mapping
|
|
Project-Resource Centre.
|
|
|
|
20000416
|
|
|
|
Workaround: allow <(comment)> as SMTP MAIL FROM address.
|
|
|
|
20000417
|
|
|
|
The SASL authentication in the SMTP server and client works,
|
|
but only on Linux and Solaris, neither of which I wish to
|
|
run on my laptop.
|
|
|
|
20000418
|
|
|
|
Added LMTP support to the smtp-source and smtp-sink utilities
|
|
so that I don't have to install Cyrus IMAP just to test
|
|
LMTP.
|
|
|
|
20000419
|
|
|
|
Bugfix: removed the () from the tokenized representation
|
|
of RFC 822 comments, so that comments with \( or \) can be
|
|
unparsed correctly. Problem reported by Bodo Moeller.
|
|
|
|
20000423
|
|
|
|
Bugfix: mail_copy() could prepend > or . in the middle of
|
|
long lines. Found by code inspection.
|
|
|
|
20000427
|
|
|
|
New code: unescape module that translates C escape sequences
|
|
into their equivalent character values. File: util/unescape.c.
|
|
|
|
Feature: the pipe mailer now has a way to specify the output
|
|
record delimiter (for example, eol=\r\n). This is necessary
|
|
for transports that require CRLF instead of UNIX-style LF.
|
|
|
|
20000502
|
|
|
|
In order to support timeouts more conveniently, VSTREAMs
|
|
now have built into them the concept of timeout. Instead
|
|
of calling read() and write(), the low-level VSTREAM
|
|
interface now by default uses timed_read() and timed_write()
|
|
which receive a timeout parameter; vstream_ctl(stream,
|
|
VSTREAM_CTL_TIMEOUT...) sets the timeout deadline on a
|
|
stream, and vstream_ftimeout(stream) queries a stream for
|
|
timeout errors. This change simplified timeout handling
|
|
considerably. Files: util/vbuf.h, util/vstream.[hc],
|
|
global/smtp_stream.c, global/timed_ipc.c.
|
|
|
|
20000504
|
|
|
|
Added application context to VSTREAMs, which is passed on
|
|
transparently to application-provided read/write routines.
|
|
vstream_ctl(stream, VSTREAM_CTL_CONTEXT...) sets the context.
|
|
Files: util/vstream.[hc].
|
|
|
|
Added vstream_setjmp() and vstream_longjmp() support to
|
|
make exception handling more convenient. Turn on exception
|
|
handling with vstream_ctl(stream, VSTREAM_CTL_EXCEPT...).
|
|
Files: util/vstream.[hc].
|
|
|
|
Cleaned up the smtp_stream module further and got rid of
|
|
the global state that limited the use of this module to
|
|
one stream per process. Files: global/smtp_stream.[hc].
|
|
|
|
20000505
|
|
|
|
Bugfix: the SMTP server now flushes unwritten output before
|
|
tarpit delays, to avoid protocol timeouts in pipelined
|
|
sessions when a client causes lots of errors. Found by
|
|
Lamont Jones, HP. File: smtpd/smtpd_chat.c.
|
|
|
|
Finished the LMTP client, which is based on a modified
|
|
version of the SMTP client by Philippe Prindeville, Mirapoint,
|
|
Inc., later modified by Amos Gouaux, UTDallas, and then
|
|
Wietse ripped it all up again. Currently this talks LMTP
|
|
over TCP only.
|
|
|
|
Feature: override main.cf parameters in master.cf. Specify
|
|
"-o parameter=value" after the program name. This allows
|
|
you to selectively override myhostname etc. See also the
|
|
new smtp_bind_address parameter below.
|
|
|
|
20000506
|
|
|
|
Convenience: the LMTP and SMTP clients now append the local
|
|
domain to unqualified nexthop destinations. This makes it
|
|
more convenient to set up transport maps. Files:
|
|
lmtp/lmtp_addr.c, smtp/smtp_addr.c.
|
|
|
|
Sendmail compatibility: the Postfix SMTP client now skips
|
|
servers that greet the client with a 4xx or 5xx status
|
|
code. To disable, set both smtp_skip_4xx_greeting and
|
|
smtp_skip_5xx_greeting to "no".
|
|
|
|
20000507
|
|
|
|
Portability: NetBSD has migrated to /etc/mail/aliases. We
|
|
can expect to see this happen more often when systems start
|
|
shipping Sendmail 8.10. File: util/sys_defs.h
|
|
|
|
Updated LDAP code by John Hensley, with support for
|
|
dereferencing of LDAP aliases, which have nothing to do
|
|
with Postfix aliases.
|
|
|
|
Feature: "smtp_bind_address=x.x.x.x" specifies the source
|
|
IP address for SMTP client connections. Specify in master.cf
|
|
as "smtp -o smtp_bind_address=x.x.x.x" in order to give
|
|
different delivery agents different source addresses.
|
|
|
|
20000510
|
|
|
|
Cleanup: mailbox_transport did not work with the lmtp
|
|
delivery agent. This dates back to when Postfix used empty
|
|
nexthop information to indicate that a destination was
|
|
local. File: global/deliver_pass.c.
|
|
|
|
Bugfix: configuration parameters for one mysql dictionary
|
|
would become default settings for the next one. File:
|
|
dict_mysql.c. This patch was merged into Postfix a while
|
|
back but apparently that Postfix version was nuked when
|
|
other parts were redesigned. Update by Scott Cotton.
|
|
|
|
Bugfix: some Postfix delivery agents would abort on addresses
|
|
of the form `stuff@.' which could be generated only locally.
|
|
Found by Patrik Rak. File: trivial-rewrite/resolve.c.
|
|
|
|
Third-party Berkeley DB support for HP-UX by Lamont Jones.
|
|
File: makedefs.
|
|
|
|
20000511
|
|
|
|
Bugfix: Postfix would incorrectly reject domain names with
|
|
adjacent - characters. File: util/valid_hostname.c.
|
|
|
|
Bugfix: the 20000505 pipeline tarpit delay flush was wrong
|
|
and caused the client and server to get out of phase. Yuck!
|
|
|
|
20000513
|
|
|
|
Feature: VSTREAMs now have the concept of last fill/flush
|
|
time, which is needed to prevent timeouts with pipelined
|
|
SMTP sessions as detailed in the next item.
|
|
|
|
Bugfix: delayed SMTP command/reply flushing to prevent
|
|
sender delays from accumulating too much and causing timeouts
|
|
with pipelined sessions. For example, client-side delays
|
|
happen when a client does DNS lookups to replace hostname
|
|
aliases in MAIL FROM or RCPT TO commands; server-side delays
|
|
happen when an UCE restriction involves a time-consuming
|
|
DNS lookup, or when a server generates tarpit delays.
|
|
Files: lmtp/lmtp_proto.c, smtp/smtp_proto.c, smtpd/smtpd_chat.c.
|
|
|
|
Portability: define ANAL_CAST for compilation environments
|
|
that reject explicit casts between pointers and integral
|
|
types. File: util/sys_defs.h, master/*server.c. Upon closer
|
|
investigation, this turned out to be the result of someone's
|
|
compiler configuration preferences. Therefore the change
|
|
is likely to go away after a code cleanup.
|
|
|
|
20000514
|
|
|
|
Feature: mysql client support for multi-valued queries
|
|
(select email, email2 from aliastbl where username='$local')
|
|
By Loic Le Loarer @ m4x.org. File: util/dict_mysql.c.
|
|
|
|
Finalized the delayed SMTP command/reply flushing code in
|
|
the SMTP and LMTP clients after lots of testing and review.
|
|
|
|
20000520
|
|
|
|
Robustness: upon receipt of mail, map the mailer-daemon
|
|
sender address back into the magic null string. File:
|
|
cleanup/cleanup_envelope.c.
|
|
|
|
20000524
|
|
|
|
Bugfix: the code for masquerade_exceptions was case sensitive.
|
|
Reported by Eduard Vopicka. File: cleanup/cleanup_masquerade.c.
|
|
|
|
20000526
|
|
|
|
Feature: experimental queue manager by Patrik Rak with a
|
|
fancy pre-emptive scheduling algorithm that improves delivery
|
|
performance of mail with few recipients. This queue manager
|
|
is made available as "nqmgr".
|
|
|
|
20000528
|
|
|
|
Feature: the SMTP client SASL password file can contain
|
|
entries for destination domain names (the address remote
|
|
part) not just mail server hostnames. File: smtp_sasl_glue.c.
|
|
|
|
Feature: smtpd_sasl_local_domain parameter (default:
|
|
$myhostname) to specify the local SASL authentication realm.
|
|
File: smtpd_sasl_glue.c.
|
|
|
|
Feature: specify "body_checks=regexp:/file/name" for a very
|
|
crude one line at a time message body content filter. This
|
|
feature uses the same filtering syntax as the header_checks
|
|
feature. File: cleanup/cleanup_message.c. See also the
|
|
conf/sample-filter.cf file.
|
|
|
|
20000530
|
|
|
|
Feature: full content filtering through external software.
|
|
This uses existing interfaces for sending mail to the
|
|
external content filter and for injecting it back into
|
|
Postfix. Details in FILTER_README. Files: pickup/pickup.c,
|
|
smtpd/smtpd.c, qmgr/qmgr_message.c.
|
|
|
|
20000531
|
|
|
|
More SASL feedback by Liviu Daia, regarding the use of
|
|
authentication realms. File smtpd/smtpd_sasl_glue.c.
|
|
|
|
Added a simple shell-script based content filtering example
|
|
to the FILTER_README file.
|
|
|
|
Content filtering support for nqmgr by Patrik Rak. File:
|
|
nqmgr/qmgr_message.c.
|
|
|
|
Renamed "content inspection" etc. to "content filtering"
|
|
in anticipation of a new hook for content inspection that
|
|
only inspects mail without re-injecting it into Postfix.
|
|
|
|
20000601
|
|
|
|
Feature: limit the size of pipe mailer deliveries with the
|
|
size=nnn command-line attribute. Patch by Andrew McNamara.
|
|
|
|
20000603
|
|
|
|
Bugfix: don't try to do SASL authentication when running
|
|
in stand-alone (sendmail -bs) mode. Fix by Liviu Daia.
|
|
|
|
Bug: the unauthorized pipelining test fails with single
|
|
recipient mail when smtpd_delay_reject = yes.
|
|
|
|
20000617
|
|
|
|
Bugfix: conf/sample-ldap.cf was no longer up to date with
|
|
reality. Patch by Lamont Jones, HP.
|
|
|
|
Bugfix: the maildir delivery routine left temporary files
|
|
lying around after unsuccessful delivery (problem reported
|
|
by Brian Laughton @ Corp.Axxent.Ca).
|
|
|
|
20000621
|
|
|
|
AIX 4.x had POSIX regular expression support all the time
|
|
I was working on Postfix. Better find out late than never.
|
|
|
|
20000623
|
|
|
|
Bugfix: the SMTP server did not reset the so-called junk
|
|
command counter after successful delivery (Mark Hoffman
|
|
@ wallst.com). File: smtpd/smtpd.c.
|
|
|
|
20000625
|
|
|
|
Cleanup: remove Content-Length from incoming mail. The
|
|
sender has no authority over the format of mail as stored
|
|
by the receiving system. File: global/header_opts.h.
|
|
|
|
Feature: rewrite Mail-Followup-To: as sender. Files:
|
|
global/header_opts.[hc].
|
|
|
|
Cleanup: rewrite Reply-To, Errors-To, Return-Receipt-To as
|
|
sender, so that address masquerading works as expected.
|
|
Files: global/header_opts.c.
|
|
|
|
Feature: specify "require_home_directory = yes" to prevent
|
|
mail from being delivered to a user whose home directory
|
|
is not mounted. File: local/dotforward.c.
|
|
|
|
Cleanup: the pipe deliver agent no longer appends a blank
|
|
line when the F flag (prepend From_ line) is specified.
|
|
Specify the B flag if you need that blank line. The local
|
|
delivery agent no longer appends a blank line to mail that
|
|
is delivered to external command. Files: pipe/pipe.c,
|
|
global/mail_copy.[hc].
|
|
|
|
20000708
|
|
|
|
Portability: support for NEXT/OPENSTEP requires extra
|
|
include file in util/watchdog.c (Masaki Murase).
|
|
|
|
20000715
|
|
|
|
Added macros to turn on vstream/vstring/etc. format string
|
|
checking by gcc, in addition to the checking that was
|
|
already implemented with printfck. File: util/sys_defs.h,
|
|
the macros for PRINTFLIKE and SCANFLIKE. Problem - unlike
|
|
the printfck tool, gcc finds format argument type mismatches
|
|
only in code that isn't #ifdef-ed out.
|
|
|
|
20000718
|
|
|
|
Robustness: make_dirs() now continues when a missing
|
|
directory is created by another process.
|
|
|
|
20000720
|
|
|
|
Feature: the queue manager now logs the number of recipients
|
|
when opening a queue file (a zero recipient count is logged
|
|
with older queue files). File: global/opened.c.
|
|
|
|
20000726
|
|
|
|
Robustness: added watchdog_pat() routine to keep the watchdog
|
|
quiet if a client stays connected for a lot of time. Files:
|
|
util/watchdog.[hc], smtpd/smtpd.c.
|
|
|
|
20000729
|
|
|
|
Robustness: if relayhost is specified but the host does
|
|
not exist, defer mail instead of bouncing it (which would
|
|
lose the mail if the bounce would have to be delivered to
|
|
that same non-existent relayhost). Problem reported by
|
|
Chris Cooper @ maths.ox.ac.uk. File: smtp/smtp_connect.c.
|
|
|
|
20000821
|
|
|
|
Feature: added -r (replace key+value) option to postalias
|
|
and postmap.
|
|
|
|
Cleanup: smtpd now replies with 555 when the client sends
|
|
unrecognized RCPT TO parameters, as required by RFC 1869
|
|
(problem report by Robert Norris @ its.monash.edu.au).
|
|
File: smtpd/smtpd.c.
|
|
|
|
20000822
|
|
|
|
Logging: the SMTP server's SASL code logs the authentication
|
|
method along with an authentication failure. Suggested by
|
|
Ronald F. Guilmette @ monkeys.com.
|
|
|
|
Workaround: some systems have file size resource limits
|
|
that cannot be represented with the off_t type that is used
|
|
by standard functions such as lseek(2). Problem reported
|
|
by Blaz Zupan @ amis.net.
|
|
|
|
20000823
|
|
|
|
Feature: all this discussion about when to reject mail and
|
|
when not made me decide to implement a TCP-based map type
|
|
so that it becomes relatively simple to implement dynamic
|
|
access controls, for example, hold off mail from an unknown
|
|
client or sender until we have completed some investigation,
|
|
after which we will either reject or accept.
|
|
|
|
However, this code is turned off until it is finished.
|
|
|
|
20000905
|
|
|
|
Robustness: the dns client now rejects malformed domain
|
|
names rather than depending on the DNS to report that the
|
|
name does not exist. Linux returns a rather misleading
|
|
server failure code as found out by Patrik Rak. File:
|
|
dns/dns_lookup.c.
|
|
|
|
20000911
|
|
|
|
Feature: added IGNORE keyword to header_checks and body_checks
|
|
to pretend that certain data does not exist. File:
|
|
cleanup/cleanup_message.c.
|
|
|
|
20000911
|
|
|
|
Bugfix: the SASL code did not allow MAIL FROM... AUTH=sender
|
|
without prior authentication. The RFC allows this, although
|
|
one wonders what the reasoning behind this is. File:
|
|
smtpd/smtpd_sasl_proto.c.
|
|
|
|
20000913
|
|
|
|
Bugfix: the rmail script did not handle remote UUCP systems
|
|
that send a from_ line with unqualified envelope sender.
|
|
Reported by Luciano Mannucci.
|
|
|
|
Compatibility: don't insert Sender: header lines. Sendmail
|
|
has not done so for at least 10 years, if it ever did.
|
|
Problem reported by Brad Knowles. File: cleanup/cleanup_message.c.
|
|
|
|
20000916
|
|
|
|
Bugfix: when propagating an address extension in a virtual
|
|
or canonical mapping, cleanup accesses memory that is no
|
|
longer allocated. This can happen when the result address
|
|
length is more than 100 characters. Problem reported by
|
|
Adi Prasaja @ satunet.com. File: global/mail_addr_crunch.c.
|
|
|
|
Bugfix: fixed a misleading error message when the cleanup
|
|
server reaches the queue file size limit. Fix by Robby
|
|
Griffin @ MIT.EDU. File: cleanup/cleanup_extracted.c.
|
|
|
|
20000917
|
|
|
|
Bugfix: postalias -i would complain about duplicate entries
|
|
for the Sendmail-compatible @ entry and for the NIS-compatible
|
|
YP_LAST_MODIFIED and YP_MASTER_NAME entries.
|
|
|
|
20000918
|
|
|
|
Gross hack: prevent looping on a bad recipient by always
|
|
forwarding recipients in :include: files to a new mail
|
|
delivery request, even when owner-listname is not set.
|
|
File: local/recipient.c.
|
|
|
|
20000919
|
|
|
|
Convenience: INSTALL.sh now imports default settings from
|
|
the process environment, in order to make scripting easier.
|
|
|
|
Robustness: INSTALL.sh now systematically skips over CVS,
|
|
RCS and SCCS cruft.
|
|
|
|
Portability: another fix for NEXTSTEP (Masaki MURASE).
|
|
File: util/spawn_command.h.
|
|
|
|
20000920
|
|
|
|
Cleanup: in a transport table entry, do not ignore port
|
|
numbers specified as [host]:port. In fact, this is now
|
|
becoming the preferred form, in order to avoid parsing
|
|
problems with IPV6 addresses. Postfix supports both forms,
|
|
but future versions will print a warning for the old form.
|
|
Problem reported by Claus Fischer @ werhats.at
|
|
|
|
Bugfix: missing initialization for state->sasl_method can
|
|
cause permit_sasl_authenticated to always succeed. Report
|
|
and fix by Lutz Jaenicke @ aet.TU-Cottbus.DE.
|
|
|
|
FAQ: added notes about how to delete, copy or restore queue
|
|
files in a safe manner.
|
|
|
|
20000921
|
|
|
|
File reorganization. No code change except Makefiles. All
|
|
sources are pushed down by one directory level to keep file
|
|
listings usable. Released as 20000922, so that I have a
|
|
reference to run "diff -cr against.
|
|
|
|
Bugfix: the spawn service was installed without man pages.
|
|
|
|
Portability: MacOSX hints and tips by Joe Block, University
|
|
of Central Florida School of Optics/CREOL
|
|
|
|
Portability: The MacOSX gcc compiler does not understand
|
|
the new printf_like/scanf_like attributes. File: util/sys_defs.h.
|
|
|
|
20000922
|
|
|
|
nqmgr update from Patrik Rak for the changed queue manager
|
|
to delivery agent protocol.
|
|
|
|
Lame feature: syslog_facility parameter to control where
|
|
syslogd sends Postfix logging (default: syslog_facility =
|
|
mail). However, errors during command-line parsing are
|
|
still logged with the default syslog facility, as are errors
|
|
while processing the main.cf file (surprise). Based on
|
|
code by Andrew McNamara.
|
|
|
|
20000923
|
|
|
|
Cleanup: new bounce logfile API so that Postfix can change
|
|
to an extensible bounce logfile format with per-recipient
|
|
sender addresses (needed for VERP and for reporting local
|
|
list delivery problems to the list owner) and other
|
|
attributes. File: global/bounce_log.[hc].
|
|
|
|
Cleanup: replaced the ad-hoc logfile parsing code in showq
|
|
by something that uses the generic bounce logfile API.
|
|
|
|
20000924
|
|
|
|
Feature: Postfix bounced mail and delayed mail notifications
|
|
now have the standard RFC 1894 form (DSN). The bounce
|
|
service now uses the generic bounce logfile API. File:
|
|
bounce/bounce_notify_service.c, bounce/bounce_notify_util.c.
|
|
|
|
Cleanup: deleted the per-recipient bounce protocol. Future
|
|
bounce logfiles will support per-recipient bounce addresses.
|
|
Files: global/bounce.c, bounce/bounce_recip_service.
|
|
|
|
20000925
|
|
|
|
Workaround: sendmail allows MAIL FROM and RCPT TO envelope
|
|
addresses like <the dude <dude@site>> so we will never get
|
|
rid of them. To disallow, specify "strict_rfc821_envelopes
|
|
= yes". File: smtpd/smtpd.c.
|
|
|
|
20000926-20001003
|
|
|
|
Feature: a "flush" server that keeps per-destination records
|
|
of deferred mail. It is the basis of a faster ETRN and
|
|
"sendmail -qRsite" implementation. This code was rewritten
|
|
half a dozen times.
|
|
|
|
20000928
|
|
|
|
Bugfix: the stricter dns_lookup() argument checks revealed
|
|
that Postfix was doing DNS lookups for domain literals
|
|
([ip.address]) when expanding aliases in MAIL FROM and RCPT
|
|
TO address parameters. Reported by Jim Littlefield. File:
|
|
smtp/smtp_unalias.c.
|
|
|
|
Documentation: added text on the biff=yes/no parameter to
|
|
conf/sample-local.cf (text provided by Paul Wagland,
|
|
relational-consultancy.com.
|
|
|
|
Robustness? Log errors from SASL library code as warnings
|
|
not as fatal errors. Files: smtp*/*glue.c.
|
|
|
|
20001001
|
|
|
|
Feature: in master.cf, specify ? after wakeup time to avoid
|
|
waking up services that aren't being used.
|
|
|
|
20001003
|
|
|
|
Feature: the fast flush refresh and purge time interval
|
|
parameters can now be specified in user-specified units by
|
|
providing an appropriate suffix: s (seconds), m (minutes),
|
|
h (hours), d (days), w (weeks). unit. This was needed so
|
|
that I could test the flush server code in a reasonable
|
|
way (its timeouts are normally specified in days or hours,
|
|
and I don't have that much time for testing). Other Postfix
|
|
time interval parameters will be migrated as time permits.
|
|
Files: conf/sample-flush.cf, global/mail_conf_time.c,
|
|
postconf/postconf.c.
|
|
|
|
Unfeature: qmgr_hog_factor is now disabled by default. It
|
|
was just too confusing. If you don't know what this means,
|
|
do not worry.
|
|
|
|
20001005
|
|
|
|
Cleanup: after "postfix reload" do not penalize mail that
|
|
was in the active queue, but make it ready for immediate
|
|
delivery so that ETRN etc. works as intended. Files:
|
|
*qmgr/qmgr.c, *qmgr/qmgr_active.c.
|
|
|
|
Portability: Redhat 7 library interfaces have changed
|
|
incompatibly, which breaks existing software. File makedefs.
|
|
|
|
Consistency: the fallback_relay parameter did not understand
|
|
the [] or host:port syntax, and there was no way to suppress
|
|
MX record lookups. Files: smtp/smtp_addr.c, smtp/smtp_connect.c.
|
|
|
|
Convenience: you can now specify multiple SMTP destinations
|
|
in the relayhost or fallback_relay configuration parameters.
|
|
The specified destinations will be tried in the specified
|
|
order. File: smtp/smtp_connect.c.
|
|
|
|
Many typographical corrections by Matthias Andree.
|
|
|
|
20001024
|
|
|
|
Documentation: the canonical, virtual etc. manual pages
|
|
did not document the effect of leading whitespace.
|
|
|
|
20001025
|
|
|
|
Bugfix: virtual map expansion stopped too early with
|
|
self-referential aliases. Reported by Michael Douglass
|
|
@ datafoundry.net. File: cleanup/cleanup_map1n.c.
|
|
|
|
20001026
|
|
|
|
Horror: postmap and postalias (newaliases) silently lose
|
|
the file lock while building a lookup table with Berkeley
|
|
DB 2.x and later on Solaris, HP-UX, IRIX, and UNIXWARE.
|
|
The result is that table lookups fail while the table is
|
|
being built, so that mail is lost. In order to avoid this
|
|
misbehavior one has to use an undocumented feature that is
|
|
NOT available with the DB1.85 compatibility interface.
|
|
Therefore, Postfix now supports three Berkeley DB programming
|
|
interfaces of increasing complexity. File: util/dict_db.c.
|
|
|
|
Bugfix: some character manipulations were not portable for
|
|
signed/unsigned characters. Files: global/quote_821_local.c,
|
|
global/quote_822_local.c.
|
|
|
|
Workaround: apparently, some software sends SMTP mail that
|
|
begins with "From sender time-stamp". Sendmail silently
|
|
ignores such RFC violating garbage, and therefore Postfix
|
|
needs to jump another hoop. File: smtpd/smtpd.c.
|
|
|
|
20001028
|
|
|
|
Bugfix: the flush server tried to access config files after
|
|
going to the chroot jail. Found by Lutz Jaenicke, TU-Cottbus.DE.
|
|
File: flush/flush.c.
|
|
|
|
Update: revised LDAP module from primary maintainer John
|
|
Hensley, with contributions from many other people. Files:
|
|
util/dict_ldap.c, LDAP_README.
|
|
|
|
Update: LINUX2 chroot setup script by Matthias Andree,
|
|
uni-dortmund.de.
|
|
|
|
Feature: specify unix:/path/name for LMTP connections over
|
|
UNIX-domain sockets, and specify inet:host or inet:host:port
|
|
for IPV4. If no unix: or inet: is specified, IPV4 is assumed.
|
|
File: lmtp/lmtp_connect.c.
|
|
|
|
Feature: added UNIX-domain support to the smtpstone test
|
|
programs in order to test the LMTP client UNIX-domain
|
|
support.
|
|
|
|
20001030
|
|
|
|
Bugfix: further testing in preparation for 19991231-pl10
|
|
revealed that the DB map code was now broken for every
|
|
platform.
|
|
|
|
20001031
|
|
|
|
Performance: the slow start (gradually increase number of
|
|
parallel connections to the same site) was too gentle and
|
|
Postfix would back off too quickly. Files: qmgr/qmgr_queue.c
|
|
and nqmgr/qmgr_queue.c.
|
|
|
|
20001101
|
|
|
|
FAQ update by Ralph Hildebrandt.
|
|
|
|
20001104
|
|
|
|
Portability: RedHat Linux has changed incompatibly, again.
|
|
Fixed with the help of Matthias Andree. File: makedefs.
|
|
|
|
20001109
|
|
|
|
Cleanup: changed prototype of internal function that did
|
|
not return a useful result. File: src/util/vstream_popen.c.
|
|
|
|
20001110
|
|
|
|
Workaround: the Debian post install script passes an open
|
|
file descriptor into the master server and waits forever.
|
|
Reported by Lamont Jones. File: master/master.c.
|
|
|
|
20001114
|
|
|
|
Compatibility: added sendmail -G (gateway submission) option
|
|
for compatibility with the sendmail rmail command. Requested
|
|
by David Gilbert, Velocet Communications.
|
|
|
|
20001116
|
|
|
|
Documentation: added MAILER-DAEMON to the list of sample
|
|
masquerade_exceptions settings in conf/sample-rewrite.cf.
|
|
Suggested by Karl O. Pinc, pop.artic.edu.
|
|
|
|
Performance: the slow start (gradually increase number of
|
|
parallel connections to the same site) was too gentle and
|
|
Postfix would back off too quickly. Files: qmgr/qmgr_queue.c
|
|
and nqmgr/qmgr_queue.c. Yup, changed the same code, again.
|
|
We now allow for a margin above the actual concurrency,
|
|
with the size of the initial destination concurrency.
|
|
Final solution by Patrik Rak.
|
|
|
|
Bugfix: the recipient home directory test broke mailbox_transport
|
|
support for non-UNIX recipients. File: local/recipient.c.
|
|
|
|
20001117
|
|
|
|
Robustness: additional integrity tests for the nqmgr by
|
|
Patrik Rak. File: nqmgr/qmgr_message.c.
|
|
|
|
20001118
|
|
|
|
Bugfix: the new LDAP client code did not work properly if
|
|
the new ldap_domain parameter was not specified. LaMont
|
|
Jones, HP. File: util/dict_ldap.c.
|
|
|
|
Feature: the soft_bounce safety net is extended to the SMTP
|
|
server. With "soft_bounce = yes", The SMTP server changes
|
|
all 5xx (reject) replies into 4xx (try again) replies.
|
|
|
|
Documentation: the virtual(5) man page now documents both
|
|
Postfix-style virtual domains and Sendmail-style virtual
|
|
domains, including their interaction with local usernames,
|
|
aliases and mailing lists. Hopefully, this ends some of
|
|
the confusion surrounding virtual domain support. Updated
|
|
several FAQ entries concerning virtual domain support.
|
|
|
|
Documentation: added FAQ entry for the biff service.
|
|
|
|
20001119
|
|
|
|
Bugfix: per-destination queue names were case sensitive so
|
|
that the same site could have multiple queues. Reported
|
|
by Patrik Rak. Files: *qmgr/qmgr_message.c.
|
|
|
|
20001120
|
|
|
|
Bugfix: per-destination deferred mail logfiles were case
|
|
sensitive so that the same site could have multiple deferred
|
|
mail logfiles, so that not all mail would be flushed with
|
|
ETRN. Reported by Ralph Hildebrandt. Files: flush/flush.c.
|
|
|
|
Portability: added (int) casts to printf-like arguments
|
|
that specify the width of %*letter conversions. On some
|
|
systems, sizeof and pointer difference expressions are
|
|
wider than an int. Reported by Valentin Nechayev @ lucky.net.
|
|
|
|
20001121:
|
|
|
|
Compatibility: Postfix now retries delivery when an external
|
|
command is killed by a signal, because people expect such
|
|
behavior from Sendmail. File: global/pipe_command.c.
|
|
|
|
20001123-30
|
|
|
|
Feature: mailbox locking is now configurable. The configuration
|
|
parameter name is "mailbox_delivery_lock". Depending on
|
|
the operating system one can specify one or more of "flock",
|
|
"fcntl" and "dotlock". Use "postconf -l" to find out what
|
|
locking methods Postfix supports. The default setting is
|
|
system dependent. All mailbox file opens are now done by
|
|
one central mbox_open() routine. This affects the operation
|
|
of the postlock command, and of local delivery to mailbox
|
|
or /file/name. Files: util/safe_open.c, util/myflock.c,
|
|
global/deliver_flock.c, global/mbox_conf.c, global/mbox_open.c.
|
|
local/mailbox.c, local/file.c, postlock/postlock.c.
|
|
|
|
Compatibility: the old sun_mailtool_compatibility parameter
|
|
is being phased out. It still works (by turning off
|
|
flock/fcntl locks), but logs a warning as a reminder that
|
|
it will go away.
|
|
|
|
Compatibility: when delivering to /file/name, the local
|
|
delivery agent now logs a warning when it is unable to
|
|
create a /file/name.lock file, and then delivers the mail
|
|
(older Postfix versions would silently deliver).
|
|
|
|
20001202
|
|
|
|
Feature: specify "smtp_never_send_ehlo = no" to disable
|
|
ESMTP. Someone asked for this long ago. Files: smtp/smtp.c,
|
|
smtp/smtp_proto.c.
|
|
|
|
Feature? Bugfix? The smtp client now skips server replies
|
|
that do not start with "CODE SPACE" or with "CODE HYPHEN",
|
|
and flags them as protocol errors. Older versions silently
|
|
treat "CODE TEXT" as "CODE SPACE TEXT". File: smtp/smtp_chat.c.
|
|
|
|
20001203
|
|
|
|
Documentation: postmap(1) and postalias(1) did not document
|
|
the process exit status for "-q key".
|
|
|
|
20001204
|
|
|
|
Bugfix: the Postfix master daemon no longer imported
|
|
MAIL_CONF and some other necessary environment parameters.
|
|
Postfix now has explicit "import_environment" and
|
|
"export_environment" configuration parameters that control
|
|
what environment parameters are shared with non-Postfix
|
|
processes. Files: util/clean_env.c, util/spawn_command.c,
|
|
util/vstream_popen.c, global/pipe_command.c, and everything
|
|
that invokes this code.
|
|
|
|
20001208
|
|
|
|
Bugfix: while processing massive amounts of one-recipient
|
|
mail, qmgr could deadlock for 10 seconds while sending a
|
|
bounce message. All queue manager bounce send requests are
|
|
now implemented asynchronously. Files: global/abounce.[hc]
|
|
(asynchronous bounce client), qmgr/qmgr_active.c. Problem
|
|
reported by El Bunzo (webpower.nl) and Tiger Technologies
|
|
(tigertech.com).
|
|
|
|
20001209
|
|
|
|
Feature: mailbox_transport and fallback_transport can now
|
|
have the form transport:nexthop, with suitable defaults
|
|
when either transport or nexthop are omitted, just like in
|
|
the Postfix transport map. This allows you to specify for
|
|
example, "mailbox_transport = lmtp:unix:/file/name". File:
|
|
global/deliver_pass.c.
|
|
|
|
20001210
|
|
|
|
Bugfix: the local_destination_concurrency_limit paramater
|
|
no longer worked as per-user concurrency limit but instead
|
|
worked as per-domain limit, so that the limit of "2" in
|
|
the default main.cf files resulted in poor local delivery
|
|
performance. Files: qmgr/qmgr_message.c, qmgr/qmgr_deliver.c.
|
|
Problem reported by David Schweikert (ee.ethz.ch) and Dallas
|
|
Wisehaupt (cynicism.com).
|
|
|
|
20001210
|
|
|
|
Feature: support for MYSQL connections over UNIX-domain
|
|
sockets by Piotr Klaban. Files: util/dict_mysql.c,
|
|
MYSQL_README.
|
|
|
|
20001211
|
|
|
|
Small dirt: postconf -m produced too much output due to a
|
|
missing "else", and the optional SASL code needed a fix
|
|
for the changed name_mask API.
|
|
|
|
20001212
|
|
|
|
Workaround: due to an error, record type L for "filter
|
|
transport name" was the same as that for the already existing
|
|
record type L for "record not ending in newline", causing
|
|
the pickup daemon to discard all records not ending in
|
|
newline. The code cannot be changed without breaking
|
|
compatibility with queued mail, so the pickup server is
|
|
changed to discard type L records only from the message
|
|
envelope, not from the content. File: pickup/pickup.c.
|
|
|
|
20001213
|
|
|
|
Bugfix: dict_ldap did not properly initialize a handle
|
|
after connection timeout. Problem reported by Alain Thivillon.
|
|
File: util/dict_ldap.c.
|
|
|
|
20001214
|
|
|
|
Feature: local_transport and default_transport now also
|
|
understand the transport[:destination] notation, so that
|
|
all transport config parameters are similar again. File:
|
|
trivial-rewrite/resolve.c, trivial-rewrite/transport.c.
|
|
|
|
Code cleanup: mailbox_transport and fallback_transport no
|
|
longer allow the user to omit the transport part of a
|
|
transport:destination specification. That just did not make
|
|
any sense at all. The :destination part is still optional.
|
|
File: global/deliver_pass.c.
|
|
|
|
Feature: most time-related configuration parameters take
|
|
a one-letter suffix that specifies the time unit: s
|
|
(second), m (minutes), h (hours), d (days), w (weeks).
|
|
"postconf -d" output includes the default time unit. Files:
|
|
many.
|
|
|
|
Code cleanup: in a CONFIG_TIME_TABLE, the default time unit
|
|
is now always the last character of a default time value.
|
|
It is no longer necessary to specify the default time unit
|
|
separately. This change means that it will not be possible
|
|
to specify default values in the form of function calls,
|
|
but that was unused anyway. Files: global/mail_conf_time.c,
|
|
and user code.
|
|
|
|
20001217
|
|
|
|
Bugfix: reorganized some code in the MYSQL client to end
|
|
a number of memory allocation/deallocation problems.
|
|
This code needs more work. File: dict_mysql.c.
|
|
|
|
20001218
|
|
|
|
Bugfix: the MYSQL client did not provide function pointers
|
|
for unimplemented operations, causing "postmap -d" to dump
|
|
core instead if issuing an error message. This is what I
|
|
get for accepting code that I cannot test myself.
|
|
|
|
20001221
|
|
|
|
Code cleanup: configuration parameters that are $name
|
|
expanded at run-time now have their own data type hierarchy
|
|
instead of being piggy-backed on top of strings that are
|
|
$name expanded at program initialization time. Files:
|
|
global/mail_conf.h, global/mail_conf_raw.c, and code that
|
|
calls it.
|
|
|
|
20001230
|
|
|
|
Update: replaced the default rbl.maps.vix.com setting by
|
|
the current blackholes.mail-abuse.org.
|
|
|
|
20010102
|
|
|
|
Code cleanup: the queue manager is a bit greedier with
|
|
allocating a delivery agent. Problem pointed out by Patrik
|
|
Rak. All bugs in the solution are mine. Files:
|
|
*qmgr/qmgr_active.c.
|
|
|
|
20010105
|
|
|
|
Bugfix: the FILTER_README shell script example did not
|
|
correctly pass exit status to the parent.
|
|
|
|
Bugfix: soft errors in client hostname lookups would be
|
|
treated as hard errors. Fix by Michael Herrmann
|
|
(informatik.tu-muenchen.de). File: smtpd/smtpd_peer.c.
|
|
|
|
20010110
|
|
|
|
Bugfix: the mkdir() EEXIST race condition workaround was
|
|
not complete. Matthias Andree, Daniel Roesen. Files:
|
|
global/mail_queue.c, util/make_dirs.c.
|
|
|
|
20010111
|
|
|
|
Portability: IRIX 6.5.10 defines sa_len as a macro, causing
|
|
a name collision with a variable used by Postfix. Roberto
|
|
Totaro, enigma.ethz.ch. File: smtpstone/smtp-source.c.
|
|
|
|
20010116
|
|
|
|
Bugfix: REJECT by header/body_checks was flagged in smtpd
|
|
as a bounce, should be policy, in order to make postmaster
|
|
notifications more consistent. File: smtpd/smtpd.c.
|
|
|
|
Merged updated chroot setup procedure by Matthias Andree.
|
|
Files: examples/chroot-setup/LINUX2.
|
|
|
|
20010117
|
|
|
|
Formatting: changed the seconds and days formats in the
|
|
"your mail is delayed" text so that it does not switch to
|
|
scientific notation. File: bounce/bounce_notify_util.c.
|
|
|
|
20010119
|
|
|
|
Feature: SASL support for the LMTP client. Recent CYRUS
|
|
software requires this for Postfix over TCP sockets.
|
|
|
|
20010120
|
|
|
|
Bugfix: the 20001005 revised fallback_relay support caused
|
|
Postfix to send mail to the fallback even when the local
|
|
machine was an MX host for the final destination. Result:
|
|
mailer loop. Found by Laurent Wacrenier (teaser.fr). Files:
|
|
smtp/smtp_connect.c, smtp/smtp_addr.c.
|
|
|
|
20010121
|
|
|
|
Workaround: specify "broken_sasl_auth_clients = yes" in
|
|
order to support old Microsoft clients that implement
|
|
a non-standard version of RFC 2554 (AUTH command).
|
|
|
|
Workaround: Lotus Domino 5.0.4 violates RFC 2554 and replies
|
|
to EHLO with AUTH=LOGIN. File: smtp/smtp_proto.c.
|
|
|
|
20010125
|
|
|
|
Code cleanup: wrote creator/destructor for dictionary
|
|
objects that provides default methods that trap all attempts
|
|
to perform an unimplemented operation. Based on an ansatz
|
|
by Laurent Wacrenier (teaser.fr). Files: util/dict*.[hc].
|
|
|
|
Code cleanup: INSTALL.sh does not ask questions when stdin
|
|
is not connected to a tty (as in: make install</dev/null).
|
|
To automate a customized install, the script imports
|
|
environment variables for install_root etc.
|
|
|
|
20010127
|
|
|
|
Workaround: randomize the delay between attempts to lock
|
|
a file, so that multiple bounce or defer servers are less
|
|
likely to retry all at the same time. likely. File:
|
|
util/rand_sleep.c, global/deliver_flock.c, global/dot_lockfile.c.
|
|
|
|
20010128
|
|
|
|
Code cleanup: complaints about invalid or numeric hostnames
|
|
either provide specific context or are removed as redundant.
|
|
Files: util/valid_hostname.c dns/dns_lookup.c.
|
|
|
|
Code cleanup: new mailbox_size_limit parameter (default:
|
|
20MB). Until now, the mailbox size limit was the same as
|
|
the message size limit, due to artefact of implementation.
|
|
Files: global/mail_params.h, local/local.c.
|
|
|
|
Bugfix: fix for the ldap_domains parameter, both semantics
|
|
and documentation by LaMont Jones. Files: LDAP_README,
|
|
conf/sample-ldap.cf, util/dict_ldap.c.
|
|
|
|
Update: merged in the virtual delivery agent by Andrew
|
|
McNamara. See VIRTUAL_README for detailed examples.
|
|
|
|
Update: merged a re-vamped nqmgr by Patrik Rak.
|
|
|
|
20010129
|
|
|
|
Tweak: several little nqmgr tweaks by Patrik Rak. Files:
|
|
global/mail_params.h, nqmgr/qmgr_job.c.
|
|
|
|
Bugfix: the virtual delivery agent did not save maps_find()
|
|
results timely. J?rgen Thomsen, postfix.jth.net. File:
|
|
virtual/mailbox.c.
|
|
|
|
Security: disallow regexp tables in the virtual delivery
|
|
agent. The $1 etc. substitution mechanism gives too much
|
|
power to the sender. File: virtual/mailbox.c.
|
|
|
|
Cleanup: clarified documentation and boundary cases in the
|
|
random_sleep() routine.
|
|
|
|
Bugfix: the MISSING_USLEEP feature was used backwards.
|
|
Patrik Rak. File: util/random_sleep.c.
|
|
|
|
20010130
|
|
|
|
Workaround: Linux usleep() is void, BSD/Solaris usleep()
|
|
returns int, don't use it. File util/random_sleep.c.
|
|
|
|
Made local maildir bounce/defer handling mode consistent
|
|
with local mailbox delivery. File local/maildir.c.
|
|
|
|
The smtp client now defers delivery when all MX hosts have
|
|
no A record. File: smtp/smtp_addr.c
|
|
|
|
Bundled the man2html and postlink quick hacks so people
|
|
can do their own manual page processing. See scripts in
|
|
the mantools directory.
|
|
|
|
Documentation: updated the reference to sendmail in the
|
|
html/index.html page.
|
|
|
|
Documentation: added note about the Cisco PIX "fixup smtp"
|
|
bug that causes mail delivery problems when "." and "CRLF"
|
|
arrive in separate packets. File: html/faq.html.
|
|
|
|
20010201
|
|
|
|
Bugfix: another missing initialization in the mysql client.
|
|
File: util/dict_mysql.c.
|
|
|
|
Sanitized time routine by Patrik Rak, to make his nqmgr
|
|
robust against people who set their clock back. Files:
|
|
util/sane_time.[hc].
|
|
|
|
Bumped the default mailbox file size limits to 50MB.
|
|
|
|
20010202
|
|
|
|
Bugfix: fixed the way the master resets the file size limit
|
|
to avoid problems when a Postfix daemon updates a queue
|
|
file. The file size limit is now increased to INT_MAX if
|
|
it is smaller than INT_MAX, so that it is less likely to
|
|
interfere than the old setting of message_size_limit.
|
|
|
|
Feature: disable mailbox size limits for the local and
|
|
virtual delivery agents by setting mailbox_size_limit or
|
|
virtual_mailbox_limit to zero.
|
|
|
|
20010203
|
|
|
|
Update: null candidate patch from Patrik Rak. Files:
|
|
nqmgr/qmgr_entry.c nqmgr/qmgr_job.c nqmgr/qmgr_message.c.
|
|
|
|
Cleanup: added one gruesome command to the postlink script
|
|
for hyperlinking nroff manual page output. Word abbreviation
|
|
broke some <a href...> </a> instances across line boundaries.
|
|
sed(1) is an amazing tool. File: mantools/postlink.
|
|
|
|
20010204
|
|
|
|
Laid the ground work for logging of table accesses. This
|
|
will give more insight into how Postfix uses its lookup
|
|
tables. User interface comes later. File: util/dict_debug.c.
|
|
|
|
20010216
|
|
|
|
Bugfix: the pipe delivery agent expanded $size as if it
|
|
were a recipient, instead of expanding it as $nexthop or
|
|
as $sender. Reported by Michael Tokarev. File: pipe/pipe.c.
|
|
|
|
20010221
|
|
|
|
Bugfix: poor LMTP performance for domains that are listed
|
|
in $mydestination, because Postfix would send one recipient
|
|
at a time, with multiple deliveries of recipients of the
|
|
same message in parallel; a similar problem could exist
|
|
with virus scanning and with firewall relay hosts that
|
|
forward mail for $mydestination to an inside machine. This
|
|
behavior is now changed to depend on the transport-specific
|
|
xxx_destination_recipient_limit parameter. This also means
|
|
that you can now get qmail behavior for SMTP deliveries by
|
|
setting smtp_destination_recipient_limit=1. File:
|
|
{qmgr,nqmgr}/qmgr_message.c.
|
|
|
|
Workaround: Solaris socketpair() can fail with EINTR. Added
|
|
a sane_socketpair.c module that joins the ranks of the other
|
|
sane_whatever workarounds. Reported by Andrew McNamara.
|
|
File: util/sane_socketpair.[hc]
|
|
|
|
20010222
|
|
|
|
Documentation: the default main.cf file has a prominent
|
|
warning that mynetworks should be properly configured in
|
|
order to reject unauthorized mail relay requests from
|
|
strangers.
|
|
|
|
Documentation: the INSTALL document, section "mandatory
|
|
configuration file edits" has a section that explains that
|
|
mynetworks should be properly configured in order to reject
|
|
unauthorized mail relay requests from strangers.
|
|
|
|
20010223
|
|
|
|
Documentation: the basic.html document has a section that
|
|
explains that mynetworks should be properly configured in
|
|
order to reject unauthorized mail relay requests from
|
|
strangers.
|
|
|
|
Feature: new "mynetworks_style" parameter that controls
|
|
how mynetworks (trusted networks) is derived from the
|
|
inet_interfaces (machine interfaces) setting. Specify
|
|
"class" for entire class A, B, C networks; "subnet" for
|
|
the local subnets only; or "host" for maximal privacy.
|
|
Files: util/inet_addr_local.[hc], global/own_inet_addr.[hc],
|
|
global/mynetworks.[hc], postconf/postconf.c.
|
|
|
|
Portability: MACOSX patches by Gerben Wierda.
|
|
|
|
Portability: Solaris /dev/null is a symlink, which tripped
|
|
up the code to safely open a file before local delivery. We now
|
|
grudgingly allow symlinks owned by root. File: util/safe_open.c.
|
|
|
|
20010224
|
|
|
|
Bugfix: "postconf mynetworks" ignored the inet_interfaces
|
|
setting. That was a very old one. File: postconf/postconf.c.
|
|
|
|
INCOMPATIBLE CHANGE: POSTFIX NO LONGER RELAYS MAIL FOR
|
|
CLIENTS IN THE ENTIRE CLASS A/B/C NETWORK. POSTFIX BY
|
|
DEFAULT RELAYS MAIL FOR CLIENTS IN THE LOCAL SUBNETWORK.
|
|
Specify "mynetworks_style = class" to get the old behavior.
|
|
|
|
20010225
|
|
|
|
Portability: master sigchld handler based on writing to a
|
|
pipe, so that the master wakes up from select(). Based on
|
|
code by Erik Forsberg, Linkoping University, Sweden. File:
|
|
master/master_sig.c. Disabled until after the major release.
|
|
|
|
Code cleanup: Postfix should now run with no alias database.
|
|
|
|
Code cleanup: local_destination_recipient_limit and
|
|
local_destination_concurrency_limit have become first-class
|
|
configuration parameters. Files: global/mail_params.h,
|
|
*qmgr/qmgr.c, postconf/postconf.c.
|
|
|
|
20010226
|
|
|
|
Documentation suggestions by Lars Hecking and Richard
|
|
Huxton, Matthias Andree and many others.
|
|
|
|
Code cleanup: some queue/transport operations need to be
|
|
moved, after the code cleanup of the recipient/concurrency
|
|
limit handling. Patrik Rak. Files: *qmgr/qmgr_message.c.
|
|
|
|
20010301
|
|
|
|
Feature: configurable name in syslog output (default:
|
|
"syslog_name = postfix") so that different Postfix instances
|
|
can be recognized by their logging. File: global/mail_task.c.
|
|
|
|
20010313
|
|
|
|
Workaround for logic mismatch in nqmgr that was exposed
|
|
with the introduction of the asynchronous bounce client.
|
|
Patrik Rak.
|
|
|
|
20010313
|
|
|
|
Bugfix: the RFC 822 untokenizer quoted newlines inside
|
|
comments. File: global/tok822_parse.c.
|
|
|
|
20010316
|
|
|
|
Cleanup: removed an extraneous warning when a queue file
|
|
write error happened.
|
|
|
|
20010321
|
|
|
|
Workaround: LMTP connection caching never worked for
|
|
destinations starting with unix: or inet:. File:
|
|
lmtp/lmtp_connect.c.
|
|
|
|
20010322
|
|
|
|
Portability: Solaris <2.6 does not have srandom() and
|
|
random() in libc. File: util/rand_sleep.c. It does not have
|
|
to be cryptographically strong.
|
|
|
|
Bugfix: the fast ETRN flush server could not handle [ipaddr]
|
|
or domain names with one-character hostname part. This
|
|
fix changes the destination to logfile name mapping, so
|
|
that you need to populate the new files with "sendmail -q".
|
|
The old files go away automatically. File: flush/flush.c.
|
|
|
|
20010327
|
|
|
|
Speed up mailq (sendmail -bp) display by flushing output
|
|
after each file. File: showq/showq.c.
|
|
|
|
Portability: missing string.h includes, %p wants (void *),
|
|
Lamont Jones, HP.
|
|
|
|
20010328
|
|
|
|
Bugfix: swapped logic caused cleanup to stall when the
|
|
queue file size exceeded the file size limit by less than
|
|
one the VSTREAM buffer size, so that the "file too big"
|
|
was detected after flushing the last queue file record.
|
|
File: cleanup/cleanup.c.
|
|
|
|
20010329
|
|
|
|
Portability: workaround for missing prototype problem in
|
|
dict_ldap.c. This module should move to the global directory,
|
|
because it depends on Postfix main.cf parameter information.
|
|
|
|
Workaround: after sending a trigger message over a socket,
|
|
do not immediately close the client side, but close it from
|
|
a background thread that waits until the server closes the
|
|
socket first. This avoids trouble with socket implementations
|
|
that destroy a socket when the client closes a socket
|
|
before the server has received the client's data. Files:
|
|
util/{inet,unix,stream}_trigger.c, util/events.c,
|
|
master/master_trigger.c, postkick/postkick.c.
|
|
|
|
20010403
|
|
|
|
Workaround: the mysql library can return null pointers
|
|
rather than zero-length strings. File: util/dict_mysql.c.
|
|
|
|
20010404
|
|
|
|
Ergonomics: log additional information about the reason
|
|
why "mail for XXX loops back to myself" when the local
|
|
machine is the best MX host. File: smtp/smtp_addr.c.
|
|
|
|
20010406
|
|
|
|
Changed some noisy LDAP client warnings into optional
|
|
logging. LaMont Jones, util/dict_ldap.c.
|
|
|
|
20010411
|
|
|
|
Bugfix: the SMTP server now replies with 550 instead of
|
|
503 when it receives the DATA command without having received
|
|
a valid recipient address. This is needed for the Sendmail
|
|
client-side pipelining implementation. Problem reported by
|
|
Lutz Jaenicke. File: smtpd/smtpd.c.
|
|
|
|
Cleanup: shut up if chattr fails on Reiserfs and other file
|
|
systems that do not support the respective attributes.
|
|
Files: conf/postfix-script-{no,}sgid.
|
|
|
|
20010413
|
|
|
|
Ergonomics: Postfix applications now warn when a DB or DBM
|
|
file is out of date, and recommend to rebuild the table.
|
|
Files: util/dict_db.c, util/dict_dbm.c.
|
|
|
|
20010414
|
|
|
|
Feature: specify a key of "-" to the postmap or postalias
|
|
-q or -d option, and the keys will be read from standard
|
|
input, one key per line. Files: postmap/postmap.c,
|
|
postalias/postalias.c.
|
|
|
|
Bugfix: with a non-default inet_interfaces setting, the
|
|
master ignored host information in master.cf host:port
|
|
settings. Fix by Jun-ichiro itojun Hagino @ iijlab.net.
|
|
Files: master/master.h, master/master_ent.c.
|
|
|
|
20010426
|
|
|
|
Bugfix: the SMTP server did not parse invalid MAIL FROM or
|
|
RCPT TO addresses such as <first last <user@domain>> the
|
|
way it was supposed to do. I thought this was taken care
|
|
of years ago. File: smtpd/smtpd.c.
|
|
|
|
20010427
|
|
|
|
Bugfix: smtpd would reject mail instead of replying with
|
|
a 4xx temporary error code when, for example, an LDAP or
|
|
mysql server was unavailable. Remotely based on a fix by
|
|
Robert Kiessling @ de.easynet.net. File: smtpd/smtpd_check.c.
|
|
|
|
20010429
|
|
|
|
Feature: the Postfix SMTP client now by default randomly
|
|
shuffles destination IP addresses of equal preference.
|
|
Specify "smtp_randomize_addresses = no" to disable.
|
|
Shuffling code by Elias Levy @ SecurityFocus.com Files:
|
|
dns/dns_rr.c, smtp/smtp_addr.c.
|
|
|
|
20010501
|
|
|
|
Bugfix: The SMTP server's 550 in reply to DATA should be
|
|
a 554 response. And it wasn't Sendmail. Claus Assman.
|
|
|
|
Bugfix: the INSTALL.sh test for non-interactive upgrade
|
|
broke rooted installations that specify settings via the
|
|
environment. Simon Mudd.
|
|
|
|
Bugfix: mailq output is now really flushed one message at
|
|
a time. File: sendmail/sendmail.c.
|
|
|
|
Feature: "postsuper -d queueID" deletes one message queue
|
|
file; "postsuper -d -" reads zero or more queue IDs from
|
|
standard input, and deletes one instance of each file.
|
|
File: postsuper/postsuper.c.
|
|
|
|
Code cleanup: in order to make postsuper -d safe with a
|
|
running Postfix mail system, some routines had to be made
|
|
tolerant for sudden queue file disappearances. Files:
|
|
global/deliver_request.c, *qmgr/qmgr_move.c.
|
|
|
|
Code cleanup: in order to make postsuper -d more usable,
|
|
the showq command was extended to safely list the possibly
|
|
world-writable maildrop directory. File: showq/showq.c.
|
|
|
|
20010504
|
|
|
|
Feature: postsuper -d will also delete defer and bounce
|
|
logfiles when the named queue file is found.
|
|
|
|
20010505
|
|
|
|
RFC 2821 feature: an SMTP server must reset all buffers
|
|
upon receipt of EHLO. File: smtpd/smtpd_check.c.
|
|
|
|
RFC 2821 feature: an SMTP server must accept a recipient
|
|
address of "postmaster" without domain name. File:
|
|
smtpd/smtpd_check.c.
|
|
|
|
RFC 2821 recommendation: reply with 503 to commands sent
|
|
after 554 greeting. File: smtpd/smtpd.c.
|
|
|
|
RFC 2821 recommendation: if VRFY is enabled, list it in
|
|
the EHLO response. File: smtpd/smtpd.c.
|
|
|
|
RFC 2821 recommendation: SMTP clients should use EHLO.
|
|
The default setting of smtp_always_send_ehlo has changed
|
|
from 0 (send EHLO if server greets with ESMTP) to 1 (always
|
|
send EHLO). In all cases, Postfix falls back to HELO if
|
|
the server does not support EHLO. File: smtp/smtp_proto.c.
|
|
|
|
20010507
|
|
|
|
Bugfix: with soft_bounce=yes, the SMTP server would log
|
|
5xx replies even though it would send 4xx replies to the
|
|
client (Phil Howard, ipal.net). File: smtpd/smtpd_check.c.
|
|
|
|
20010515
|
|
|
|
Compatibility: Microsoft sends "AUTH=MBS_BASIC LOGIN".
|
|
Updated the parsing code in smtp/smtp_proto.c. Problem
|
|
reported by Ralf Tessmann, Godot GmbH.
|
|
|
|
20010520
|
|
|
|
Standard: deleted the non-standard "via" portion from
|
|
Received: headers generated by Postfix bounce or other
|
|
notification processes. File: global/post_mail.c.
|
|
|
|
Robustness: eliminated stack-based recursion from the RFC
|
|
822 address parser. File: global/tok822_parse.c.
|
|
|
|
Standard: annotated the source code with comments based on
|
|
RFC 2821 and 2822. Not all the RFC changes make sense.
|
|
|
|
RFC 2821 recommendation: treat a RCPT 552 reply as if the
|
|
server sent 452. Files: smtp/smtp_proto.c, lmtp/lmtp_proto.c.
|
|
|
|
Cleanup: moved ownership of the debug_peer parameters from
|
|
the applications to the library, so that a Postfix shared
|
|
library does not suffer from undefined references. Files:
|
|
smtp/smtp.c, lmtp/lmtp.c, smtpd/smtpd.c, global/mail_params.c.
|
|
LaMont Jones, for Debian.
|
|
|
|
20010522
|
|
|
|
Feature: "postsuper -r queueID" re-queues a message, and
|
|
"postsuper -r ALL" re-queues all mail. The message is moved
|
|
to the maildrop queue so that the pickup daemon will copy
|
|
it to a new queue file, and so that address rewriting will
|
|
be done again. This is useful after changes of address
|
|
rewriting or virtual mappings.
|
|
|
|
Feature: "postsuper -d ALL [queue-name]" deletes a bunch
|
|
of mail.
|
|
|
|
20010523
|
|
|
|
Feature: "postsuper -s" (which is done by default) renames
|
|
queue files whose name (queue ID) does not match the message
|
|
file inode number.
|
|
|
|
Bugfix: memory leak in the LDAP client module. Alain
|
|
Thivillon, France Teaser - Groupe Firstream.
|
|
|
|
20010525
|
|
|
|
Portability: gcc 2.6.3 does not have __attribute__ (Clive
|
|
Jones, dgw.co.uk). File: util/sys_defs.h.
|
|
|
|
Bugfix: the SMTP and LMTP clients claimed that a queue file
|
|
needed to be delivered again (even when all recipients were
|
|
erased from the queue file) when no QUIT or RSET reply was
|
|
received (by default, this does not happen with SMTP mail
|
|
because the SMTP client does not wait for QUIT replies and
|
|
does not send RSET to deliver mail). As a result of the
|
|
same bug the LMTP client followed a dangling pointer when
|
|
sending QUIT after process idle timeout while the LMTP
|
|
server had disconnected. Files: smtp/smtp_proto.c,
|
|
lmtp/lmtp_proto.c.
|
|
|
|
20010526
|
|
|
|
newaliases no longer complains when an empty list is
|
|
specified with the alias_database configuration parameter.
|
|
File: sendmail/sendmail.c.
|
|
|
|
20010529
|
|
|
|
Workaround: old PIX firewall code messes up when the final
|
|
".<CR><LF>" at the end of DATA spans a packet boundary.
|
|
When Postfix detects PIX SMTP fixup mode, Postfix flushes
|
|
the output buffers before sending the final ".<CR><LF>".
|
|
File: smtp/smtp_proto.c.
|
|
|
|
20010530
|
|
|
|
Portability: updated code for Mac OS X, accounting for the
|
|
post-Beta changes. Code by Joe Block, UCF School of
|
|
Optics/CREOL.
|
|
|
|
20010601
|
|
|
|
Safety: postdrop turns off interrupts when cleaning up
|
|
after interrupt. The additional safety does not hurt anyone.
|
|
File: src/postdrop/postdrop.c.
|
|
|
|
20010607
|
|
|
|
Safety: dropped the RFC 2821 compliant code that treats
|
|
552 RCPT TO replies as 452. It created more problems than
|
|
it solved. Files: smtp/smtp_proto.c, lmtp/lmtp_proto.c.
|
|
|
|
Logging: the SMTP server now logs a warning if RBL lookups
|
|
have problems other than "not found". file: smtpd/smtpd_check.c.
|
|
|
|
20010610
|
|
|
|
Feature: address quoting and case folding flags for the
|
|
pipe(8) mailer.
|
|
|
|
20010611
|
|
|
|
Workaround: some MTAs fall on their face when they receive
|
|
unexpectedly long lines. From now on, Postfix defaults to
|
|
breaking long lines at 2048 (like Sendmail so it has got to
|
|
be right). To get the old, content preserving, behavior
|
|
specify "smtp_truncate_lines = no". File: smtp/smtp_proto.c.
|
|
|
|
20010614
|
|
|
|
Bugfix: did not really undo 2821 552->452 mapping.
|
|
|
|
20010628
|
|
|
|
Bugfix: postfix-script used a hard-coded maildrop group
|
|
owner instead of using the install-time specified name
|
|
stored in /etc/postfix/install.cf. Problem reported by
|
|
David Terrell @ meat.net.
|
|
|
|
20010701
|
|
|
|
Feature: mail_spool_directory ending in / causes maildir
|
|
style delivery.
|
|
|
|
Bugfix: the FreeBSD kernel parameters kern.ipc.nmbclusters
|
|
and kern.ipc.maxsockets cannot be set with sysctl commands.
|
|
File: html/faq.html. Len Conrad @ Go2France.com.
|
|
|
|
Cleanup: the virtual delivery agent was poorly integrated
|
|
so that the SMTP server and queue manager did not reject
|
|
mail for unknown users. Files: smtpd/smtpd_check.c.
|
|
|
|
20010705
|
|
|
|
Feature: QMQP server, compatible with qmail and the ezmlm
|
|
list manager. Files: util/netstring.[hc], qmqpd/qmqpd*.c.
|
|
|
|
20010706
|
|
|
|
Feature: QMQP stress test message generator program. Files:
|
|
smtpstone/qmqp-source.c, smtpstone/qmqp-sink.c.
|
|
|
|
20010708
|
|
|
|
Bugfix: with disable_dns=yes, the SMTP client treated all
|
|
host lookup errors as permanent. File: smtp/smtp_addr.c.
|
|
|
|
20010709
|
|
|
|
Feature: VERP support, based on a patch by Peng Yong, and
|
|
with the missing parts filled in so that the Postfix bounce
|
|
daemon can send one VERP bounce per undeliverable recipient.
|
|
Files: , sendmail/sendmail.c, smtpd/smtpd.c, qmgr/qmgr_deliver.c,
|
|
bounce/bounce_notify_verp.c, qmqpd/qmqpd.c, plus a couple
|
|
support routines in the global library.
|
|
|
|
Cleanup: with recipient_delimiter=+ (or any character other
|
|
than -) Postfix will now recognize address extensions even
|
|
with owner-foo+extension addresses. This is necessary to
|
|
make VERP work for mailing lists.
|
|
|
|
20010710
|
|
|
|
Bugfix: potential memory leak in the queue managers with
|
|
the new VERP delimiter record. Fix by Patrik Rak.
|
|
|
|
20010711
|
|
|
|
Cleanup: you can now specify the VERP delimiter characters
|
|
on the sendmail(1) command line, but they are still optional.
|
|
|
|
Safety: with maildir style delivery and with hashed mailboxes
|
|
the system mail spool directory must not be world writable.
|
|
|
|
20010713
|
|
|
|
Safety: the verp_delimiter_filter parameter (default: -=+)
|
|
limits what characters Postfix accepts as VERP delimiter
|
|
characters.
|
|
|
|
20010714
|
|
|
|
Logging: the queue manager now logs a "status=expired"
|
|
record when it returns a message that is too old. Files:
|
|
*qmgr/qmgr_active.c.
|
|
|
|
20010719
|
|
|
|
Feature: stiffer coupling between mail receiving rates and
|
|
mail delivery rates, using a trivial token-based scheme,
|
|
implemented by reading and writing an in-memory pipe. The
|
|
queue manager produces one token when it retrieves mail
|
|
from the incoming queue. The cleanup daemon consumes one
|
|
token when it adds mail to the incoming queue. If no token
|
|
is available the cleanup server pauses for $in_flow_delay
|
|
seconds and proceeds anyway. The delay allows mail sending
|
|
process to catch up and access the disk while not blocking
|
|
inbound mail. Valid delays are 0..10 seconds.
|
|
|
|
20010727
|
|
|
|
Bugfix: updated LDAP client module from LaMont Jones, HP.
|
|
This also introduces new LDAP query filter patterns: %u
|
|
(address localpart) and %d (domain part). Files:
|
|
conf/sample-ldap.cf, util/dict_ldap.c.
|
|
|
|
20010729
|
|
|
|
Bugfix: recursive smtpd_whatever_restrictions clobbered
|
|
intermediate results when switching between sender and
|
|
recipient address restrictions. Problem found by Victor
|
|
Duchovni, morganstanley.com. In order to fix, introduced
|
|
address resolver result caching, which should also help to
|
|
speed up sender/recipient address restriction processing.
|
|
|
|
Bugfix: the not yet announced DUNNO access table lookup
|
|
result did not prevent lookups with substrings of the same
|
|
lookup key. Found by Victor Duchovni, morganstanley.com.
|
|
|
|
20010730
|
|
|
|
Robustness: trim trailing whitespace from regexp and pcre
|
|
right-hand sides, for consistency with DB/DBM tables.
|
|
Files: util/dict_pcre.c, util/dict_regexp.c.
|
|
|
|
20010731
|
|
|
|
Robustness: eliminate duplicate IP addresses after expansion
|
|
of hostnames in $inet_interfaces, so that Postfix does not
|
|
suddenly refuse to start up after someone changes the DNS.
|
|
Files: util/inet_addr_list.c global/own_inet_addr.c.
|
|
|
|
Feature: specify "disable_verp_bounces = yes" to have
|
|
Postfix send one RFC-standard, non-VERP, bounce report for
|
|
multi-recipient mail, even when VERP style delivery was
|
|
requested.
|
|
|
|
20010801
|
|
|
|
Bugfix: postconf was using unexpanded values internally
|
|
for myhostname, inet_interfaces, and mynetworks_style.
|
|
This broke the "postconf -d" mynetworks computation. File:
|
|
postconf/postconf.c.
|
|
|
|
20010803
|
|
|
|
Feature: masquerade_classes parameter for fine control of
|
|
address masquerading. The default setting is backwards
|
|
compatible: envelope_sender header_sender header_recipient.
|
|
Files: cleanup/whatever.c.
|
|
|
|
20010822
|
|
|
|
Code cleanup: the bounce daemon complained about data that
|
|
it was not going to send back anyway. Fix: stop reading
|
|
the original message when the bounce message reaches the
|
|
bounce message size limit. File: bounce/bounce_notify_util.c.
|
|
|
|
20010826
|
|
|
|
Logging: postsuper now logs the queue ID when it requeues
|
|
a message, or when it deletes a message from the mail queue.
|
|
File: postsuper/postsuper.c.
|
|
|
|
20010830
|
|
|
|
Safety: the SMTP server now sends a 4xx (try again later)
|
|
response when an UCE restriction is misconfigured, instead
|
|
of ignoring the bad restriction and possibly accepting mail
|
|
that it should not accept. File: smtpd/smtpd_check.c.
|
|
|
|
20010907
|
|
|
|
Workaround: the Postfix qmqp-source program produced mail
|
|
not ending in newline. qmail-qmqpd accepts such mail, but
|
|
qmail-remote is unable to deliver it. Matthias Andree,
|
|
uni-dortmund.de. File: smtpstone/qmqp-source.c.
|
|
|
|
20010910
|
|
|
|
Bugfix: the smtp-sink stress test program broke when RCPT
|
|
TO commands crossed network packet boundaries. Problem
|
|
reported by Matthias Andree, uni-dortmund.de. File:
|
|
smtpstone/smtp-sink.c.
|
|
|
|
20010917
|
|
|
|
Code cleanup: permit_mx_backup implements the old behavior
|
|
(accept mail if the local MTA is MX relay), and allows an
|
|
additional restriction via the permit_mx_backup_networks
|
|
parameter (accept mail only if the primary MX hosts match
|
|
the specified list of network blocks). This second restriction
|
|
is now entirely optional, for backwards compatibility.
|
|
|
|
Bugfix: an address extension could be appended multiple
|
|
times to the result of a canonical or virtual map lookup.
|
|
File: global/mail_addr_map.c. Fix by Victor Duchovni,
|
|
Morgan Stanley.
|
|
|
|
Bugfix: split_addr() would split an address even when there
|
|
was no data before the recipient delimiter. In combination
|
|
with the above bug, this could cause an address to grow
|
|
exponentially in size. Problem reported by Victor Duchovni,
|
|
Morgan Stanley. File: global/split_addr.c.
|
|
|
|
20010918
|
|
|
|
Bugfix: the mail_addr_map() fix was almost but not quite
|
|
right. It took two clever people and several iterations of
|
|
email to really fix the mail_addr_map() problem. Thanks
|
|
to Victor Duchovni and Liviu Daia.
|
|
|
|
20011006
|
|
|
|
Cleanup: Postfix no longer flushes the whole deferred queue
|
|
after an ETRN request for a random domain name (i.e. a
|
|
domain name not matched by $fast_flush_domains); the SMTP
|
|
server instead replies with "459 service unavailable".
|
|
Files: smtpd/smtpd.c, global/flush_clnt.c, flush/flush.c.
|
|
|
|
20011008
|
|
|
|
Bugfix: there was a minute memory leak when an smtpd access
|
|
restriction was misconfigured. File: smtpd/smtpd_check.c.
|
|
|
|
20011010
|
|
|
|
Code cleanup: Postfix daemons now print the name of the
|
|
UNIX-domain socket (instead of "unknown stream") in case
|
|
of a malformed client request. Files: master/*server.c.
|
|
|
|
20011010-14
|
|
|
|
Code cleanup: replaced the ugly mail_print() and mail-scan()
|
|
protocols by (name,value) attribute lists. This gives better
|
|
error detection when we make changes to internal protocols,
|
|
and allows new attributes to be introduced without breaking
|
|
everything immediately. Files: util/attr_print.c util/attr_scan.c
|
|
global/mail_command_server.c global/mail_command_client.c
|
|
as wel as most Postfix applications and daemons.
|
|
|
|
20011015
|
|
|
|
Put base 64 encoding into place on the replaced internal
|
|
protocols. Files: util/base64_code.[hc].
|
|
|
|
Feature: header/body REJECT rules can now provide text that
|
|
is sent to the originator. Files: cleanup/cleanup.c,
|
|
cleanup/cleanup_message.c, conf/sample-filter.cf.
|
|
|
|
20011016
|
|
|
|
Bugfix: As of 20000625, Errors-To: was broken, because the
|
|
code to extract the address was not moved from recipient
|
|
address rewriting to sender address rewriting. Problem
|
|
reported by Roelof Osinga @ nisser.com. File:
|
|
cleanup/cleanup_message.c.
|
|
|
|
20011029
|
|
|
|
Bugfix: virtual map expansion terminated early because the
|
|
detection of self-referential entries was flawed. File:
|
|
cleanup/cleanup_map1n.c.
|
|
|
|
20011031
|
|
|
|
Bugfix: mail_date() mis-formatted negative time zone offsets
|
|
with fractional hours (-03-30 instead of -0330). Fix by
|
|
Chad House, greyfirst.ca. File: global/mail_date.c.
|
|
|
|
20011102
|
|
|
|
Feature: new -f option to postmap and postalias (do not
|
|
lowercase the lookup key while creating a table). Files:
|
|
util/dict.h postmap/postmap.c postalias/postalias.c.
|
|
|
|
Code cleanup: simplified the attribute print/scan routines,
|
|
and removed the never-used support for sending and receiving
|
|
integer arrays and string arrays. Files: util/attr_print.c,
|
|
util/attr_scan.c.
|
|
|
|
Bugfix: qmqpd could read past the end of a string while
|
|
looking for qmail's VERP magic token in the envelope sender
|
|
address. File: qmqpd/qmqpd.c.
|
|
|
|
Code cleanup: finished testing the new internal protocols.
|
|
The only bug was with the flush server, which still needs
|
|
to support the old (string + null byte) protocol for triggers
|
|
from the Postfix master daemon.
|
|
|
|
20011103
|
|
|
|
Bugfix: Postfix would log the wrong error text when locally
|
|
submitted mail was deferred due to "soft_bounce = yes".
|
|
|
|
Bugfix: The LDAP client dropped any entries that don't have
|
|
the result_attribute, but errored out when a DN didn't
|
|
exist. The behavior is now consistent: treat non-existant
|
|
DN's in a special result attribute expansion the same as
|
|
DN's with no attribute. LaMont Jones, HP.
|
|
|
|
20011104
|
|
|
|
Bugfix: the new smtp-sink -n option (terminate after the
|
|
specified number of deliveries) wasn't optional.
|
|
|
|
Portability: updated Mac OS X documentation and install
|
|
scripts by Gerben Wierda.
|
|
|
|
20011105
|
|
|
|
Bugfix: missing terminator in new attribute-based function
|
|
call caused signal 11. File: src/cleanup/cleanup.c.
|
|
|
|
Lame workaround for ESTALE errors with mail delivery over
|
|
NFS. Additional bandages were added to the local delivery
|
|
agent. However, Wietse maintains that Postfix offers no
|
|
guarantee for reliable delivery over NFS.
|
|
|
|
Feature: put "warn_if_reject" before an smtpd restriction,
|
|
and that restriction logs warnings without rejecting mail.
|
|
This makes it easier to test configurations "live" without
|
|
having to lose mail. File: smtpd/smtpd_check.c.
|
|
|
|
20011107
|
|
|
|
Workaround: in order to get mail past PIX firewall bugs,
|
|
the Postfix SMTP client now blocks until the socket send
|
|
buffer is empty before sending the final ".<CR><LF>". Files:
|
|
util/sock_empty_wait.c, smtp/smtp_proto.c. Changed into
|
|
sleep(10) on 20011119. Sleep suggested by Hobbit.
|
|
|
|
20011108
|
|
|
|
Feature: added string-null encoding for internal protocols.
|
|
Files: util/attr_print0.c, util/attr_scan0.c.
|
|
|
|
Feature: configurable parent domain matching for domain
|
|
and hostname/address match lists: either .domain or the
|
|
domain name itself. Files: util/match_ops.c util/match_list.c
|
|
|
|
Feature: added pretend-to-be-behind-PIX mode to the smtp-sink
|
|
test program, in order to stress test some PIX bug workaround
|
|
code.
|
|
|
|
20011109
|
|
|
|
Workaround: Linux and Solaris systems have no reasonable
|
|
way to block until a socket drains. On these systems Postfix
|
|
simply waits for 10 seconds, in order to work around PIX
|
|
".<CR><LF>" bugs. File: util/sock_empty_wait.c.
|
|
|
|
20011114
|
|
|
|
Bugfix: reset the smtpd command transaction log between
|
|
deliveries. File: smtpd/smtpd.c.
|
|
|
|
20011115
|
|
|
|
Feature: mailbox_command_maps no longer requires that every
|
|
user has an entry. If the user does not have a command
|
|
entry, the local delivery agent tries the other delivery
|
|
methods (mailbox_command, home_mailbox). File: local/mailbox.c.
|
|
|
|
Bugfix: reset the smtpd command transaction log between
|
|
non-deliveries. File: smtpd/smtpd.c.
|
|
|
|
20011116
|
|
|
|
Bugfix: consolidated all the command transaction log resets
|
|
and eliminated one missing reset (Victor Duchovni, Morgan
|
|
Stanley). File: smtpd/smtpd.c.
|
|
|
|
20011118
|
|
|
|
Cleanup: replaced unnecessary match_list wrapper code by
|
|
macros. Files: global/{string,domain,namadr}_list.[hc].
|
|
|
|
20011119
|
|
|
|
Feature: configurable parent domain matching strategy for
|
|
transport map lookups. File: trivial-rewrite/transport.c.
|
|
|
|
New parent_domain_matches_subdomains parameter. This lists
|
|
all the Postfix features where a domain name matches itself
|
|
and all its subdomains (instead of requiring ".domain.name"
|
|
for subdomain matches). Planning for future backwards
|
|
compatibility :-) File: global/match_parent_style.c.
|
|
|
|
Workaround: simplified the PIX ".<CR><LF>" bug to always
|
|
sleep for 10 seconds. File: smtp/smtp_proto.c.
|
|
|
|
20011120
|
|
|
|
Workaround: disable attribute string length restriction so
|
|
that trivial-rewrite does not refuse to rewrite broken mail
|
|
headers. Files: util/attr_scan*.c.
|
|
|
|
20011121
|
|
|
|
Bugfix: missing long integer support in the new IPC protocols.
|
|
Files: util/attr_scan*.c, util/attr_print*.c.
|
|
|
|
Portability: AIX5 (Adrian P. van Bloois), MAC OS X 10.1.1
|
|
(Gerben Wierda).
|
|
|
|
20011125
|
|
|
|
Bugfix: spurious postmaster notifications because some flag
|
|
was not reset.
|
|
|
|
Feature: new parameter smtpd_sender_login_maps that specifies
|
|
the (SASL) login name that owns a MAIL FROM address.
|
|
Specify a regexp table in order to require a simple one-to-one
|
|
mapping. This is used in the reject_sender_login_mismatch
|
|
sender anti-spoofing feature.
|
|
|
|
Feature: restriction reject_sender_login_mismatch refuses
|
|
a MAIL FROM address when $smtpd_sender_login_maps specifies
|
|
an owner but the client is not (SASL) logged in as the MAIL
|
|
FROM address owner, or when a client is (SASL) logged in
|
|
but the client login name does not own the MAIL FROM address
|
|
according to $smtpd_sender_login_maps. File: smtpd/smpd_check.c.
|
|
|
|
Documentation: added some redundancy to the LMTP_README
|
|
file so people can keep track of the difference between
|
|
the Postfix LMTP client and the non-Postfix LMTP server.
|
|
|
|
20011126
|
|
|
|
Feature: smtpd_noop_commands specifies a list of commands
|
|
that are treated as NOOP (no operation) commands, without
|
|
syntax check or state change. File: smtpd/smtpd.c.
|
|
|
|
Bugfix: the "mark queue file as corrupt" code did not work
|
|
because it was never used. Files: global/mark_corrupt.c,
|
|
global/mail_copy.c, global/pipe_command.c, *qmgr/qmgr_active.c,
|
|
local/maildir.c, local/mailbox.c, local/command.c, pipe/pipe.c,
|
|
virtual/mailbox.c, virtual/maildir.c.
|
|
|
|
Bugfix: the bounce daemon broke in the unlikely case of a
|
|
non-existing queue file. File: bounce/bounce_notify_util.c.
|
|
|
|
20011127
|
|
|
|
Feature: added WARN command to header/body_checks files as
|
|
proposed by Michael Tokarev. File: cleanup/cleanup_message.c.
|
|
|
|
Bugfix: the postdrop program was broken after the change
|
|
of Postfix internal protocols. This broke "sendmail -bs"
|
|
mail submissions with "secure" maildrop directory. Reported
|
|
by Craig Loomis, apo.nmsu.edu. File: postdrop/postdrop.c.
|
|
|
|
Feature: a first start at fault injection for testing
|
|
unlikely error scenarios (such as corrupt queue files).
|
|
Parameter: fault_injection_code, must be left at zero for
|
|
production use.
|
|
|
|
20011128
|
|
|
|
Robustness: add a file size limit to the sendmail and
|
|
postdrop submission programs to stop run-away process
|
|
accidents. This is not a defense against DOS attack.
|
|
Files: sendmail/sendmail.c, postdrop/postdrop.c.
|
|
|
|
That resulted in a considerable amount of work to properly
|
|
propagate "file too large" conditions back to the sendmail
|
|
mail posting user interface. Took the opportunity to express
|
|
other mail submission fatal exits with the <sysexits.h>
|
|
exit status codes. Files: sendmail/sendmail.c,
|
|
postdrop/postdrop.c.
|
|
|
|
20011129
|
|
|
|
Maintenance: dict_ldap.c wasn't updated after the revision
|
|
of the string matching routines. File: util/dict_ldap.c.
|
|
|
|
20011208
|
|
|
|
Maintenance: LDAP module and documentation from LaMont
|
|
Jones. This version adds verbose logging for LDAP library
|
|
routines. Files: src/util/dict_ldap.[hc], LDAP_README,
|
|
conf/sample-ldap.cf
|
|
|
|
Portability: made memory alignment restrictions configurable.
|
|
File: util/mymalloc.c.
|
|
|
|
Bugfix? Avoid surprises with source routed destinations
|
|
and OK entries in SMTPD access maps. File: smtpd/smtpd_access.c.
|
|
|
|
Security: "postfix check" looks for damage by well-intended
|
|
but misguided use of "chown -R postfix /var/spool/postfix".
|
|
That would make chrooted Postfix less secure than non-chrooted
|
|
Postfix. These extra tests may cause complaints with
|
|
third-party patches such as TLS that introduce their own
|
|
files into the jail.
|
|
|
|
Feature: static map type that always returns the map name
|
|
as lookup value, regardless of lookup key value. Contributed
|
|
Jeff Miller (jeffm at ghostgun.com)
|
|
|
|
Feature: turn off the PIX <CR><LF>.<CR><LF> workaround for
|
|
the first mail delivery attempt, i.e. when mail is queued
|
|
for less than $smtp_pix_workaround_threshold_time (default:
|
|
500) seconds. New parameter $smtp_pix_workaround_delay_time
|
|
to control the delay before sending .<CR><LF> (default: 10
|
|
seconds) when doing the PIX <CR><LF>.<CR><LF> workaround.
|
|
|
|
20011210
|
|
|
|
Bugfix: the 20011128 change in sendmail and postdrop did
|
|
not handle the case of message_size_limit=0. Fix by Will
|
|
Day, Georgia Tech.
|
|
|
|
20011212
|
|
|
|
Compatibility: The SMTP server now accepts <CR><CR><LF> as
|
|
if the client sent <CR><LF>. Reportedly, some badly written
|
|
windows software produces such garbage, and some badly
|
|
written windows anti-VIRUS software cannot handle such
|
|
garbage. File: global/smtp_stream.c.
|
|
|
|
20011214
|
|
|
|
Bugfix: postmap/postalias queries ignored the -f flag.
|
|
Reported by Hamish Marson.
|
|
|
|
20011217
|
|
|
|
Compatibility: Sendmail now has a -L option to set the
|
|
syslogging label. Postfix sendmail uses syslog_name instead,
|
|
and ignores the -L option.
|
|
|
|
Security: subtle hardening of the Postfix chroot jail,
|
|
Postfix queue file permissions and access methods, in case
|
|
someone compromises the postfix account. Michael Tokarev,
|
|
who received the insights from Solar Designer, who tested
|
|
Postfix with a kernel module that is paranoid about open()
|
|
calls. Files: master/master_wakeup.c, util/fifo_trigger.c,
|
|
postfix-script.
|
|
|
|
Convenience: issue a warning instead of aborting when the
|
|
local machine name is not in fully-qualified domain form.
|
|
This would otherwise break initial postfix installation
|
|
which needs the postconf command. File: global/mail_params.c.
|
|
|
|
20011220
|
|
|
|
Added more garbage detection to postconf -e input processing.
|
|
|
|
20011221
|
|
|
|
Feature: SMTPD access map lookups of null sender addresses.
|
|
If your access maps cannot store or look up null string
|
|
key values, specify "smtpd_null_access_lookup_key = <>"
|
|
and the null sender address will be looked up as <> instead.
|
|
File: src/smtpd_access.c.
|
|
|
|
20011223
|
|
|
|
Safety: configuration file comments no longer span multiple
|
|
lines when the next line begins with whitespace; multi-line
|
|
input is no longer terminated by a comment line, by an all
|
|
white space line, or by an empty line. Michael Tokarev made
|
|
the crucial suggestion to simplify the readline routine.
|
|
Files: util/readlline.c, postconf/postconf.c.
|
|
|
|
Cleanup: proper detection of big number overflow in EHLO
|
|
and MAIL FROM size announcements, with input from Victor
|
|
Duchovni, Morgan Stanley. Files: global/off_cvt.c,
|
|
smtpd/smtpd.c, smtp/smtp_proto.c, util/alldig.c.
|
|
|
|
Forward compatibility: added queue file record types for
|
|
original recipient and for generic named attributes.
|
|
|
|
Cleanup: safe_open() now returns sensible errno values so
|
|
that the fifo_trigger() external interface is restored.
|
|
|
|
20011225
|
|
|
|
Upgrade: PCRE_README now describes PCRE version 3.x.
|
|
|
|
Cleanup: flush SMTPD command history upon receipt of EHLO,
|
|
RSET, and upon DATA completion, only if it exceeds
|
|
$smtpd_history_flush_threshold lines (default: 100).
|
|
Distant derivative of code by Michael Tokarev. File:
|
|
smtpd/smtpd.c.
|
|
|
|
20011228
|
|
|
|
Bugfix: a readlline() error message showed less text than
|
|
intended. Christian von Roques.
|
|
|
|
Cleanup: postfix now installs with group-writable maildrop
|
|
directory and with a set-gid postdrop mail submission
|
|
command. The pickup service is now unprivileged. The
|
|
world-writable maildrop directory no longer exists.
|
|
|
|
The cleanup service is now public, in preparation for local
|
|
sendmail/postdrop mail submission that avoids the maildrop
|
|
queue directory while Postfix is up.
|
|
|
|
Cleanup: moved the main.cf/master.cf file editing from the
|
|
postfix-script file to the INSTALL.sh file.
|
|
|
|
Cleanup: INSTALL.sh no longer accepts "no" as the destination
|
|
of Postfix manual pages.
|
|
|
|
20011230
|
|
|
|
Cleanup: the code for "mailq", "sendmail -q", and for
|
|
"sendmail -qRsite" was moved from the sendmail command to
|
|
a new set-gid postqueue command. The pickup and qmgr FIFOs
|
|
are no longer world writable. Files: sendmail/sendmail.c,
|
|
postqueue/postqueue.c.
|
|
|
|
20020101
|
|
|
|
Security: new alternate_config_directories parameter that
|
|
specifies what directories a set-gid command will accept
|
|
as its configuration directory. The list must be specified
|
|
in the default main.cf file. File: global/mail_conf.c.
|
|
|
|
Cleanup: "sendmail -qRsite" is no longer implemented by
|
|
connecting to the SMTP port. It is now implemented by
|
|
talking to the fast flush service. File: postqueue/postqueue.c.
|
|
|
|
20020203
|
|
|
|
Cleanup: INSTALL.sh now records all installation information
|
|
in the main.cf file. The now obsolete install.cf file is
|
|
used only when upgrading from an older Postfix release.
|
|
|
|
Cleanup: INSTALL.sh now takes name=value settings on the
|
|
command line, and has a new "-upgrade" command line option
|
|
to turn on non-interactive installation.
|
|
|
|
Security: additional run-time checks to discourage sharing
|
|
of Postfix user/group ID values with other accounts.
|
|
|
|
20020105
|
|
|
|
Cleanup: SMTPD access maps now return DUNNO (undetermined)
|
|
instead of OK when a recipient address contains multiple
|
|
domains (user@dom1@dom2, etcetera). Victor Duchovni, Morgan
|
|
Stanley. File: smtpd/smtpd_check.c.
|
|
|
|
20020106
|
|
|
|
Bugfix: SMTPD access maps did not handle address extensions.
|
|
File: smtpd/smtpd_check.c.
|
|
|
|
20020107
|
|
|
|
Bugfix: postfix-script, when creating a missing maildrop
|
|
queue directory, still referenced install.cf when setting
|
|
maildrop directory group ownership; and the postfix command
|
|
did not export the setgid_group parameter to the postfix-script
|
|
shell script. Victor Duchovni.
|
|
|
|
Bugfix: postfix-script, when creating a missing public
|
|
queue directory, did not set group ownership of the public
|
|
directory.
|
|
|
|
20020109
|
|
|
|
Cleanup: rewrote the Postfix installation procedure again.
|
|
It is now separated into 1) a primary installation script
|
|
(postfix-install) that installs files locally or that builds
|
|
a package for distribution and that stores file owner and
|
|
permission information in /etc/postfix/post-files, and 2)
|
|
a post-installation script (/etc/postfix/post-install) that
|
|
creates missing directories, that sets file/directory
|
|
ownership and permissions, and that upgrades existing
|
|
configuration files if necessary.
|
|
|
|
20020110
|
|
|
|
Workaround: AIX null read() return on an empty but open
|
|
non-blocking pipe. File: master/master_flow.c. Report:
|
|
Hamish Marson.
|
|
|
|
20020111
|
|
|
|
Feedback: feedback, bugfixes, and brain-dead shell workarounds
|
|
for the install scripts by Victor Duchovni and Simon Mudd.
|
|
|
|
20020113
|
|
|
|
Rewrote postfix-install. The postfix-files file now controls
|
|
what is installed. Refined the semantics of many post-install
|
|
operations. post-install now auto-saves settings that
|
|
override main.cf.
|
|
|
|
20020114
|
|
|
|
Bugfix: alternate_config_directories did not take comma
|
|
or whitespace as separators. File: global/mail_conf.c.
|
|
Victor Duchovni, Morgan Stanley.
|
|
|
|
Bugfix: the rewritten postfix-install script did not chattr
|
|
+S the Postfix queue.
|
|
|
|
20020115
|
|
|
|
Cleanup: added sample_directory and readme_directory
|
|
installation parameters for sample configuration files and
|
|
for README files. Files: postconf.c, postfix-install,
|
|
conf/postfix-files, conf/post-install.
|
|
|
|
Robustness: the postfix command now exports all installation
|
|
parameter settings, and input filters the environment, so
|
|
that the startup shell scripts produce a consistent result.
|
|
Files: postconf.c.
|
|
|
|
20020117
|
|
|
|
Portability: patch from LaMont Jones for compiling dict_ldap.c
|
|
with the Netscape SDK.
|
|
|
|
Feature: added "r" (recursive chown/chgrp) flag to the
|
|
postfix-files database, for more convenient change of
|
|
Postfix queue ownership. Files: conf/postfix-files,
|
|
conf/post-install.
|
|
|
|
20020122
|
|
|
|
Documentation: lots of little fixes.
|
|
|
|
Documentation: updates for the VIRTUAL_README file by Victor
|
|
Duchovni, Morgan Stanley.
|
|
|
|
Bugfix: postqueue -s dereferenced a null pointer when given
|
|
a numerical domain argument. LaMont Jones, HP.
|
|
|
|
Cleanup: smtpd now logs a warning when permit_sasl_authenticated
|
|
is used while SASL authentication is disabled, instead of
|
|
simply ignoring the restriction. LaMont Jones, HP. File:
|
|
smtpd/smtpd.c.
|
|
|
|
Safety: when postmap creates a non-existent file, the new
|
|
file inherits group/other read permissions from the source
|
|
file. Based on code by LaMont Jones, HP. File:
|
|
postmap/postmap.c.
|
|
|
|
20020123
|
|
|
|
Portability: some Linux systems install libnsl.so without
|
|
libnsl.a file, causing an yp_match undefined reference
|
|
problem. File: makedefs.
|
|
|
|
20020124
|
|
|
|
Portability: post-install now requests that command_directory
|
|
is given on the command line when the postconf command is
|
|
in an unusual place.
|
|
|
|
Safety: extra code to detect and report Berkeley DB version
|
|
mismatches between compile time and run time. This test
|
|
is limited to mismatches in the major version number only.
|
|
File: util/dict_db.c. Based on code by Lawrence Greenfield,
|
|
Carnegie-Mellon university.
|
|
|
|
Safety: the postfix command and the master daemon abort if
|
|
they are running set-uid.
|
|
|
|
Documentation: the postmap manual page described an out of
|
|
date input file format.
|
|
|
|
20020129
|
|
|
|
Workaround: SCO version 3.2 can't ioctl(FIONREAD) a pipe.
|
|
Therefore, input mail flow control is disabled by default.
|
|
Files: makedefs, global/mail_params.h, conf/main.cf.
|
|
Problem reported by Kurt Andersen, Agilent.
|
|
|
|
20020201
|
|
|
|
Workaround: changed the default smtpd_null_access_lookup_key
|
|
setting to <>, because some Bezerkeloid DB implementations
|
|
can't handle null-length lookup keys. File: global/mail_params.h.
|
|
|
|
Bugfix: backed out a null-length address panic call by
|
|
ignoring the problem, like Postfix did in the past. File:
|
|
global/resolve_local.c.
|
|
|
|
Safety: "postfix check" will now warn if /usr/lib/sendmail
|
|
and /usr/sbin/sendmail differ, and will propose to replace
|
|
one by a symlink to the other. File: conf/postfix-script.
|
|
|
|
20020204
|
|
|
|
Sanity: additional permission checks for "postfix check"
|
|
that warn for setgid_group group ownership mismatches. by
|
|
Matthias Andree, uni-dortmund.de. File: conf/postfix-script.
|
|
|
|
Bugfix: "postfix check" used a too simplistic way to
|
|
recognize file ownership (grepping ls output). It now uses
|
|
the recently discovered "find -prune". Peter Bieringer,
|
|
Matthias Andree. File: conf/postfix-script.
|
|
|
|
20020218
|
|
|
|
Workaround: log a warning and disconnect when an SMTP client
|
|
ignores our negative replies and starts sending message
|
|
content without permission. File: smtpd/smtpd.c.
|
|
|
|
20020220
|
|
|
|
Bugfix: mismatch in the file being locked by dict_dbm and
|
|
the file being locked by postmap, so that locks did not
|
|
work correctly. Victor Duchovni, Morgan Stanley.
|
|
|
|
20020222
|
|
|
|
Workaround: Solaris bug 4380626: strcasecmp() and strncasecmp()
|
|
produce incorrect results with 8-bit characters. For example,
|
|
non-ASCII characters could compare equal to ASCII characters,
|
|
and that could result in any number of security problems.
|
|
Files: util/strcasecmp.c, COPYRIGHT (the BSD license).
|
|
|
|
Bugfix: off-by-one error, causing a null byte to be written
|
|
outside dynamically allocated memory in the queue manager
|
|
with addresses of exactly 100 bytes long, resulting in
|
|
SIGSEGV on systems with an "exact fit" malloc routine.
|
|
Experienced by Ralf Hildebrandt; diagnosed by Victor
|
|
Duchovny. Files: *qmgr/qmgr_message.c. This is not a
|
|
security problem.
|
|
|
|
Bugfix: make all recipient comparisons transitive, because
|
|
Solaris qsort() causes SIGSEGV errors otherwise. Victor
|
|
Duchovny, Morgan Stanley. File: *qmgr/qmgr_message.c.
|
|
|
|
20020302
|
|
|
|
Bugfix: don't strip source route (@domain...:) when the
|
|
result would be an empty address. This avoids problems when
|
|
append_at_myorigin is set to "no" (which is not supported).
|
|
Problem reported by Charles McColgan, Big Fish Communications.
|
|
File: trivial-rewrite/rewrite.c.
|
|
|
|
20020304
|
|
|
|
Cleanup: postqueue should not not complain when output
|
|
fails with "broken pipe".
|
|
|
|
20020308
|
|
|
|
Bugfix? reply with 550 not 552 when content is rejected.
|
|
552 is reserved for "too much mail".
|
|
|
|
Documentation: add note to sendmail manual page that running
|
|
"sendmail -bs" as $mail_owner enables SMTP server UCE and
|
|
access control checks. This is meant for use from inetd etc.
|
|
Matthias Andree.
|
|
|
|
20020311
|
|
|
|
Bugfix: DBM maps should use different files for locking
|
|
and for change detection. Problem reported by Victor
|
|
Duchovny, Morgan Stanley. Files: util/dict.h util/dict.c
|
|
util/dict_db.c util/dict_dbm.c global/mkmap.c local/alias.c.
|
|
|
|
20020313
|
|
|
|
Bugfix: mailq could show addresses with unusual characters
|
|
twice. Problem reported by Victor Duchovny, Morgan Stanley.
|
|
File: showq/showq.c.
|
|
|
|
Bugfix: null recipients weren't properly recorded in
|
|
bounce/defer logfiles. Such recipient addresses are not
|
|
accepted in SMTP mail, but they could appear within locally
|
|
submitted mail. File: bounce/bounce_append_service.c.
|
|
|
|
20020318
|
|
|
|
Workaround: Berkeley DB can't handle null key lookups,
|
|
which happen with HELO names ending in ".". Victor Duchovni,
|
|
Morgan Stanley. File: smtpd/smtpd_check.c.
|
|
|
|
Logging: log a hint when mail is deferred because the
|
|
soft_bounce parameter is set. People sometimes forget to
|
|
turn it off. File: global/bounce.c.
|
|
|
|
20020319
|
|
|
|
Cleanup: add a msg_warn() call when fork() fails in
|
|
pipe_command(), to make problems easier to investigate.
|
|
Chris Wedgwood. File: global/pipe_command.c.
|
|
|
|
20020324
|
|
|
|
Cleanup: more graceful handling of long physical message
|
|
header lines upon input. Physical header lines can now
|
|
extend up to $header_size_limit characters. When a logical
|
|
message header is too long, the excess text is discarded
|
|
and Postfix no longer switches to body mode, to avoid
|
|
breaking MIME encapsulation. Based on code by Victor
|
|
Duchovni, Morgan Stanley. Files: cleanup/cleanup_out.c,
|
|
cleanup/cleanup_message.c.
|
|
|
|
Cleanup: more graceful handling of long physical message
|
|
header or body lines upon output by the SMTP client. The
|
|
SMTP client output line length is controlled by a new
|
|
parameter smtp_line_length_limit (default: 990; specify 0
|
|
to disable the limit). Long lines are folded by inserting
|
|
<CR> <LF> <SPACE>, to avoid breaking MIME encapsulation.
|
|
Based on code by Victor Duchovni, Morgan Stanley. File:
|
|
smtp/smtp_proto.c.
|
|
|
|
20020325
|
|
|
|
Cleanup: allow additional text after a WARN command in a
|
|
header/body_checks pattern file, so that one can change
|
|
REJECT+text into WARN+text and vice versa. Based on code
|
|
by Fredrik Thulin, Stockholm University.
|
|
|
|
Cleanup: log a warning when an unknown command is found in
|
|
a header/body_checks pattern file, or when additional text
|
|
is found after a command that does not expect additional
|
|
text. Based on code by Fredrik Thulin, Stockholm University.
|
|
|
|
Bugfix: sendmail should not recognize "." as the end of
|
|
input when the current read operation started in the middle
|
|
of a line. Victor Duchovni, Morgan Stanley. File:
|
|
sendmail/sendmail.c.
|
|
|
|
20020328
|
|
|
|
Portability fix for OPENSTEP and NEXTSTEP by Gerben Wierda.
|
|
File: util/sys_defs.h.
|
|
|
|
20020329
|
|
|
|
Bugfix: defer_transports broke because the flush server
|
|
triggered mail delivery (as if ETRN was sent) while doing
|
|
some internal housekeeping of per-destination logfiles.
|
|
Problem experienced by LaMont Jones, HP. File: flush/flush.c.
|
|
|
|
Bugfix: virtual mapping broke for addresses with embedded
|
|
whitespace. Fix by Victor Duchovni, Morgan Stanley. File:
|
|
cleanup/cleanup_map1n.c.
|
|
|
|
20020330
|
|
|
|
Bugfix: postqueue did not pass on non-default configuration
|
|
directory settings when running showq while the mail system
|
|
is down. The super-user is now exempted from environment
|
|
stripping in postqueue/postqueue.c. Problem reported by
|
|
Victor Duchovni, Morgan Stanley.
|
|
|
|
20020414
|
|
|
|
Portability: Postfix will no longer attempt to build with
|
|
gdbm support, because gdbm is broken. File: makedefs.
|
|
|
|
20020417
|
|
|
|
Bugfix: the post-install script failed to upgrade master.cf
|
|
settings from private to public if the service was explicitly
|
|
configured as private.
|
|
|
|
20020426
|
|
|
|
Bugfix: the SMTP client forgot to quote whitespace etc.
|
|
in a sender/recipient address when DNS lookup was turned
|
|
off (disable_dns_lookups = yes). Problem experienced by
|
|
Chip Paswater. Files: smtp/smtp_proto.c.
|
|
|
|
20020503
|
|
|
|
Cleanup: postqueue silently ignored command-line arguments
|
|
following -p or -f options, instead of complaining; postqueue
|
|
produced an incorrect error message (mail system down) when
|
|
the command was installed with incorrect privileges. File:
|
|
postqueue/postqueue.c.
|
|
|
|
Bugfix: while reporting a domain name or IP address syntax
|
|
error, postqueue could dereference a dangling pointer with
|
|
some getopt() implementations. LaMont Jones, HP. File:
|
|
postqueue/postqueue.c.
|
|
|
|
20020504
|
|
|
|
Portability: run-time test to avoid GDBM trouble. File:
|
|
util/dict_dbm.c.
|
|
|
|
20020508
|
|
|
|
Bugfix: close user@domain@postfix-style.virtual.domain
|
|
source routing relaying loophole involving postfix-style
|
|
virtual domains with @virtual.domain catch-all patterns.
|
|
Problem reported by Victor Duchovny. File: smtpd/smtpd_check.c.
|
|
|
|
Bugfix: mail_addr_map() used the "wrong" @ character in
|
|
addresses with multiple @. Victor Duchovny. File:
|
|
global/mail_addr_map.c.
|
|
|
|
Bugfix: for address localpart quoting, now quote @ as a
|
|
special character everywhere, except when resolving addresses.
|
|
Previously, the @ was nowhere quoted as a special character,
|
|
not even in SMTP commands. Files: global/quote_82[12]_local.c
|
|
and some clients.
|
|
|
|
20020509
|
|
|
|
Safety: don't allow an OK access rule lookup result for
|
|
user@domain@postfix-style.virtual.domain. Suggested by
|
|
Victor Duchovny, Morgan Stanley. File: smtpd/smtpd_check.c.
|
|
|
|
Bugfix: quote unquoted address localparts that need quoting.
|
|
Files: global/tok822_parse.c, global/quote_82[12]_local.c.
|
|
|
|
20020512
|
|
|
|
Cleanup: the SMTP client logged and bounced the CNAME
|
|
expanded recipient address, and thereby complicated trouble
|
|
shooting. File: src/smtp_proto.c.
|
|
|
|
Bugfix: the SMTP and LMTP clients bounced the quoted
|
|
recipient address, resulting in too much quoting in bounce
|
|
reports. Files: src/smtp_proto.c, lmtp/lmtp_proto.c.
|
|
|
|
20020513
|
|
|
|
Bugfix: the LDAP client used the "wrong" @ character in
|
|
addresses with multiple @. LaMont Jones, HP. File:
|
|
util/dict_ldap.c.
|
|
|
|
Compatibility: forwards "postqueue -r" compatibility with
|
|
the additional queue file records that are stored by snapshot
|
|
20050512.
|
|
|
|
Cleanup: specify "resolve_dequoted_address = no" to prevent
|
|
Postfix from looking inside quotes for extra @ etc. characters
|
|
when resolving an address. This behavior is technically
|
|
more correct, but it opens a mail relay loophole with "user
|
|
@domain"@domain when relaying mail to a Sendmail system.
|
|
|
|
20020514
|
|
|
|
Bugfix: the new code for header address quoting sometimes
|
|
did not null terminate strings so that arbitrary garbage
|
|
could appear at the end of message headers. Reported by
|
|
Ralf Hildebrandt. File: global/tok822_parse.c.
|
|
|
|
Safety: user@domain@domain is no longer accepted by the
|
|
permit_mx_backup uce restriction (unless Postfix is configured
|
|
with "resolve_dequoted_address = no"). Victor Duchovny,
|
|
Morgan Stanley. File: smtpd/smtpd_check.c.
|
|
|
|
20020517
|
|
|
|
Cleanup: Mailbox-Line: message header labels should be
|
|
X-Mailbox-Line: labels. Files: smtpd/smtpd.c, qmqpd/qmqpd.c.
|
|
|
|
20020526
|
|
|
|
Bugfix: the SMTP server now disallows RCPT TO:<"">, just
|
|
like it disallows RCPT TO:<>. File: smtpd/smtpd.c.
|
|
|
|
Documentation: replace domain.name by domain.tld in the
|
|
example config files. The domain exists. They were getting
|
|
mail from poorly configured Postfix boxes.
|
|
|
|
Bugfix: The Postfix sendmail command did not export the
|
|
MAIL_CONFIG environment setting to the postdrop command.
|
|
File: global/mail_config.h.
|
|
|
|
Open problems:
|
|
|
|
Low: sendmail does not store null command-line recipients.
|
|
|
|
Low: don't do user@domain and @domain lookups in
|
|
local_recipient_maps queries.
|
|
|
|
Low: after reorganizing configuration parameters, add flags
|
|
to all parameters whose value can be read from file.
|
|
|
|
Medium: need in-process caching for map lookups. LDAP
|
|
servers seem to need this in particular. Need a way to
|
|
expire cached results that are too old.
|
|
|
|
Medium: make address rewriting on/off configurable for
|
|
envelopes and/or headers.
|
|
|
|
Low: generic showq protocol, to allow for more intelligent
|
|
processing than just mailq. Maybe marry this with postsuper.
|
|
|
|
Low: default domain for appending to unqualified recipients.
|
|
|
|
Low: The $process_id_directory setting is not used anywhere
|
|
in Postfix. Problem reported by Michael Smith, texas.net.
|
|
This should be documented, or better, the code should warn
|
|
about attempts to set read-only parameters.
|
|
|
|
Low: postconf -e edits parameters that postconf won't list.
|