===============================================================
WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
===============================================================

The sender/recipient address verification code is lightly documented
and has been tested lightly. The code is proof-of-concept quality
and must not be used on high-volume sites. Use at your own risk.

===============================================================
WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
===============================================================

In the text below, incompatible changes are labeled with the Postfix
snapshot that introduced the change. If you upgrade from a later
Postfix version, then you do not have to worry about that particular
incompatibility.

Official Postfix releases are called a.b.c where a=major release
number, b=minor release number, c=patchlevel. Snapshot releases
are now called a.b.c-yyyymmdd where yyyymmdd is the release date
(yyyy=year, mm=month, dd=day). The mail_release_date configuration
parameter contains the release date (both for official release and
snapshot release). Patches change the patchlevel and the release
date. Snapshots change only the release date, unless they include
the same bugfixes as a patch release.

Major changes with Postfix snapshot 2.0.16-20030917
===================================================

New check_{helo,sender,recipient}_{ns,mx}_access maptype:mapname
restriction that applies the specified access table to the NS or
MX hosts of the host/domain given in HELO, EHLO, MAIL FROM or RCPT
TO commands. This can be used to block mail from so-called spammer
havens, from sender addresses that resolve to Verisign's wild-card
mail responder, or from domains that claim to have mail servers in
reserved networks such as 127.0.0.1.

    /etc/postfix/main.cf:
        smtpd_mumble_restrictions =
            ...
            reject_unknown_sender_domain
            check_sender_mx_access hash:/etc/postfix/mx_access
            check_sender_mx_access cidr:/etc/postfix/mx_access.cidr
            ...

    /etc/postfix/mx_access:
        spammer.haven.tld   reject spammer mx host
        64.94.110.11        reject mail server in verisign wild-card domain

    /etc/postfix/mx_access.cidr:
        0.0.0.0/8       reject mail server in broadcast network
        10.0.0.0/8      reject mail server in RFC 1918 private network
        127.0.0.0/8     reject mail server in loopback network
        169.254.0.0/16  reject mail server in link local network
        172.16.0.0/12   reject mail server in RFC 1918 private network
        192.0.2.0/24    reject mail server in TEST-NET network
        192.168.0.0/16  reject mail server in RFC 1918 private network
        224.0.0.0/4     reject mail server in class D multicast network
        240.0.0.0/5     reject mail server in class E reserved network
        248.0.0.0/5     reject mail server in reserved network

Note: OK actions are not allowed for security reasons. Instead of
OK, use DUNNO in order to exclude specific hosts from blacklists.
If an OK result is found for an NS or MX host, Postfix rejects the
SMTP command with "451 Server configuration error".

Incompatible changes with Postfix snapshot 2.0.16-20030915
==========================================================

In header/body_checks actions, the OK action is being phased out,
and the DUNNO action is being phased in. Both actions still work
and do the same thing, but hopefully DUNNO causes less confusion.

Major changes with Postfix snapshot 2.0.16-20030915
===================================================

LDAP parameters can now be defined in external files. Specify the
LDAP maps in main.cf as ldap:/path/to/ldap.cf and write the LDAP
parameters in /path/to/ldap.cf, without the "ldapsource_" prefix.
This makes it possible to securely store bind passwords for plain
auth outside of main.cf (which must be world readable). The old
syntax still works, for backwards compatibility. By Liviu Daia,
based on a suggestion by Victor Duchovni and Lamont Jones.

Support for LDAP URLs in the LDAP parameter "server_host", if
Postfix is linked against OpenLDAP. LDAP hosts, ports, and connection
protocols to be used as LDAP sources can be specified as a
blank-separated list of LDAP URLs in "server_host". As with OpenLDAP,
specifying a port in a LDAP URL overrides "server_port". Examples:

    server_host = ldap://ldap.itd.umich.edu
    server_host = ldaps://ldap.itd.umich.edu:636
    server_host = ldapi://%2Fsome%2Fpath

The LDAP SSL scheme ldaps:// is available if OpenLDAP was compiled
with SSL support. New parameters "tls_ca_cert_dir", "tls_ca_cert_file",
"tls_cert", "tls_key", "tls_require_cert", "tls_random_file",
"tls_cipher_suite" control the certificates, source of random
numbers, and cipher suites used for SSL connections. See LDAP_README
for further information. By Liviu Daia.

Support for STARTTLS command in LDAP, if Postfix is linked against
OpenLDAP and OpenLDAP was compiled with SSL support. STARTTLS is
controlled by the "start_tls" parameter. The above parameters for
certificates, source of random numbers, and cipher suites also
apply. See LDAP_README for further information. By Liviu Daia,
amended by Victor Duchovni.

Major changes with Postfix snapshot 2.0.13-20030715
===================================================

Support for SMTP access policy delegation to an external server.
Greylisting is used as an example. See the SMTPD_POLICY_README file
for further information.

Support for multi-valued RBL lookup results. For example, specify
"reject_rbl_client foo.bar.tld=127.0.0.3" to reject clients that
are listed with a "127.0.0.3" address record.

Major changes with Postfix snapshot 2.0.13-20030706
===================================================

New receive_override_options parameter that eliminates the need
for different cleanup service instances before and after an external
content filter.
One parameter controls what happens before or after the content
filter: rejecting unknown recipients, canonical mapping, virtual
alias expansion, masquerading, automatic BCC recipients and
header/body checks. See sample-filter.cf for details.

Incompatible changes with Postfix snapshot 2.0.13-20030704
==========================================================

Support for client side LDAP caching is gone. OpenLDAP 2.1.13 and
later no longer support it, and the feature never worked well.
Postfix now ignores cache controlling parameters in an LDAP
configuration file and logs a warning. Credits to Victor Duchovni
and Lamont Jones.

Major changes with Postfix snapshot 2.0.13-20030704
===================================================

The Postfix SMTP server can be configured to send all mail into a
proxy server, for example a real-time SPAM filter. This proxy is
expected to send the mail into another Postfix SMTP server process
for normal delivery. See the SMTPD_PROXY_README file for details.

Improved LDAP client robustness. Given suitable invalid database
contents, LDAP lookups can produce too many results, enter an
infinite loop in the expansion of "special result attributes" (LDAP
DNs and LDAP URLs) or can simply consume excessive server resources.
Credits to Victor Duchovni and Lamont Jones.

New CIDR-based lookup table, remotely based on code by Jozsef
Kadlecsik. For details and examples, see "man cidr_table".

The TCP-based table lookup protocol is finished. For details and
examples, see "man tcp_table". This will allow you to implement
your own greylisting, or to do your own open proxy tests before
accepting mail.

Support for !/pattern/ (negative matches) in PCRE lookup tables by
Victor Duchovni. See "man pcre_table" for more.

New enable_original_recipient parameter (default: yes) to control
whether Postfix keeps track of original recipient address information.
If this is turned off Postfix produces no X-Original-To: headers
and ignores the original recipient when eliminating duplicates
after virtual alias expansion. Code by Victor Duchovni.

Finer control over how long Postfix SMTPD waits for completion of
address verification probes: the address_verify_poll_{count,delay}
parameters control how often to query the verify server and how
long to wait between queries. Specify address_verify_poll_count=1
to implement a crude form of greylisting.

Major changes with Postfix snapshot 2.0.11-20030611
===================================================

Better verify server performance on busy servers by avoiding some
operations that can block the verify server process temporarily.

Probe messages are no longer subject to cleanup server in_flow_delay
settings when message arrival rates exceed message delivery rates.
However, probe messages are still subject to trigger_timeout delays
when the queue manager FIFO fills up; this is hopefully very rare.

Major changes with Postfix snapshot 2.0.11-20030609
===================================================

Address verification probes can now follow a different route than
ordinary mail. To make this possible, the address resolver supports
multiple personalities. The regular personality is used for regular
mail, and the alternate personality is used for address verification
probes. The alternate personality is controlled by parameters named
address_verify_X with X = relayhost, transport_maps, local_transport,
virtual_transport, relay_transport, and default_transport. These
alternate parameters have by default the same values as the regular
parameters. For more detail see the ADDRESS_VERIFICATION_README
file.

Major changes with Postfix snapshot 2.0.11-20030606
===================================================

Complete rewrite of the queue file record reading loops in the
pickup, cleanup and in the queue manager daemons. This code had
deteriorated over time.
The new code eliminates an old problem where the queue manager had
to read most queue file records twice in the case of an alias/include
file expansion with more than qmgr_message_recipient_limit recipients.

Incompatible changes with Postfix snapshot 2.0.8-20030417
=========================================================

"sendmail -t" no longer complains when recipients are given on the
command line. Instead, it now adds recipients from headers to the
recipients from the command-line.

Major changes with Postfix snapshot 2.0.8-20030417
==================================================

Automatic BCC recipients depending on sender or recipient address.
The configuration parameters in question are "sender_bcc_maps" and
"recipient_bcc_maps". See conf/sample-misc.cf for details.

Support for sending mail to hosts not in the DNS, without having
to turn off DNS lookups. The "smtp_host_lookup" parameter controls
how the Postfix SMTP client looks up hosts. The default is to use
DNS and then the native mechanism. See conf/sample-smtp.cf.

Incompatible changes with Postfix snapshot 2.0.8-20040415
=========================================================

Too many people mess up their net/mask patterns, causing open mail
relay problems. Postfix processes now abort when given a net/mask
pattern with a non-zero host portion (for example, 168.100.189.2/28),
and suggest specifying the proper net/mask pattern instead (for
example, 168.100.189.0/28).

Major changes with Postfix snapshot 2.0.8-20040415
==================================================

PostgreSQL table lookups. Specify "pgsql:/file/name" where
"/file/name" defines the database. See the sample-pgsql-aliases.cf
file for examples, and the PGSQL_README file for general information.

Workaround for file system clock drift that caused Postfix to ignore
new mail (this could happen with file systems mounted from a server).
Postfix now logs a warning and proceeds with only slightly reduced
performance, instead of ignoring new mail.

Incompatible changes with Postfix snapshot 2.0.6-20030305
=========================================================

Postfix truncates non-address information in message address headers
(comments, etc.) to 250 characters per address, in order to protect
vulnerable Sendmail systems against exploitation of a remote buffer
overflow problem (CERT advisory CA-2003-07).

Incompatible changes with Postfix snapshot 2.0.3-20030227
=========================================================

The smtpd_hard_error_limit and smtpd_soft_error_limit values now
behave as documented, that is, smtpd_hard_error_limit=1 causes
Postfix to disconnect upon the first client error. Previously, there
was an off-by-one error causing Postfix to change behavior after
smtpd_hard/soft_error_limit+1 errors.

Incompatible changes with Postfix snapshot 2.0.3-20030125
=========================================================

This release adds a new queue file record type for the address
specified in "REDIRECT user@domain" actions in access maps or
header/body_checks.

Major changes with Postfix snapshot 2.0.3-20030125
==================================================

Code cleanup of queue manager internals. Queue names are no longer
mixed up with the next-hop destination, and the address resolver
loop is now easier to understand.

New "REDIRECT user@domain" action for access maps and
header/body_checks that overrides all the originally specified
recipients of a message. I would never recommend that people use
this to redirect (bounced) SPAM to the beneficiaries of an
advertisement campaign. It would have helped when someone began
spamming the network with sender addresses in one of my domains,
and I got all the bounces.
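
Added example (not Postfix code): a simplified Python model of how
the check_sender_mx_access CIDR table from snapshot 2.0.16-20030917
is applied to a domain's MX addresses, including the OK and DUNNO
handling and the net/mask check from snapshot 2.0.8-20040415. The
sample table, the function names parse_table and check_mx_access and
the tuple results are assumptions for illustration; DNS lookups are
left out and MX addresses are passed in directly.

```python
import ipaddress

# Constructed sample in cidr_table layout: "network/mask  action [text]".
SAMPLE_TABLE = """\
192.0.2.25/32   DUNNO
127.0.0.0/8     reject mail server in loopback network
10.0.0.0/8      reject mail server in RFC 1918 private network
192.0.2.0/24    reject mail server in TEST-NET network
"""


def parse_table(text):
    """Parse table text into [(network, ACTION, text)], kept in file order."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.strip().split(None, 2)
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: pattern without an action")
        pattern = fields[0]
        try:
            net = ipaddress.ip_network(pattern, strict=True)
        except ValueError:
            try:
                # Valid apart from host bits being set: name the proper pattern.
                proper = ipaddress.ip_network(pattern, strict=False)
            except ValueError:
                raise ValueError(f"line {lineno}: bad pattern {pattern!r}") from None
            raise ValueError(f"line {lineno}: non-zero host portion in "
                             f"{pattern}; specify {proper} instead") from None
        rules.append((net, fields[1].upper(), fields[2] if len(fields) > 2 else ""))
    return rules


def check_mx_access(rules, mx_addresses):
    """Decide on one SMTP command from the addresses of the domain's MX hosts."""
    for addr in mx_addresses:
        ip = ipaddress.ip_address(addr)
        for net, action, text in rules:
            if ip not in net:
                continue
            if action == "OK":
                # OK is not allowed for NS/MX lookups.
                return ("451", "Server configuration error")
            if action == "REJECT":
                return ("REJECT", text)
            # DUNNO (other actions are treated alike in this model): the first
            # match wins, so broader rules further down are skipped for this host.
            break
    return ("DUNNO", "")
```

Placing the DUNNO entry for 192.0.2.25 above the 192.0.2.0/24 reject
is what excludes that one host, because the table is searched in
order and the first matching pattern decides.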

Incompatible changes with Postfix snapshot 2.0.3-20030126
=========================================================

The maildir file naming algorithm has changed in accordance with
an updated version of http://cr.yp.to/proto/maildir.html. The name
is now TIME.VdevIinum.HOST

Incompatible changes with Postfix snapshot 2.0.3-20030124
=========================================================

The maildir file naming algorithm has changed. Pending a usable
version of http://cr.yp.to/proto/maildir.html, the name is now
TIME.DEV_INUM.HOST.

Incompatible changes with Postfix snapshot 2.0.1-20030112
=========================================================

The Postfix build procedure now uses the pcre-config utility (part
of PCRE version 3) to find out the pathnames of the PCRE include
file and object library, instead of probing /usr/include and/or
/usr/lib. To build with PCRE version 2 support you will have to
specify pathnames as described in PCRE_README. To build without
PCRE support, specify: make Makefiles CCARGS="-DNO_PCRE".

Incompatible changes with Postfix snapshot 2.0.0-20030104
=========================================================

This release adds the new proxymap service (table lookup via a
proxy process) to the master.cf file. If you get warnings about
problems connecting to the proxymap service, then you did not
properly upgrade Postfix.

Major changes with Postfix snapshot 2.0.0-20030104
==================================================

This release introduces the proxymap service for Postfix lookup
table access. This can be used to overcome chroot restrictions in
the Postfix SMTP server (specify proxy:unix:passwd.byname for
password file lookup through the proxymap server) and can be used
to consolidate the number of open tables by sharing one open table
among multiple processes (specify proxy:mysql:/file/name to avoid
"too many connections" conditions).
The proxy_read_maps parameter specifies what maps are approved for
access via the proxy service (only map references starting with
"proxy:" are considered approved).

Multi-server daemons (servers that accept simultaneous connections
from multiple clients) will now stop accepting new connections
after serving $max_use clients. This allows multi-server daemons
to automatically restart even on busy mail systems.

Clients of multi-server daemons such as trivial-rewrite and the new
proxymap service now automatically disconnect after $ipc_ttl seconds
of activity (default: 1000s). This allows multi-server daemons to
automatically restart even on busy mail systems.

Incompatible changes with Postfix snapshot 1.1.11-trace-20021119
================================================================

After upgrading an existing system you must use "postfix reload".
This is because many internal protocols have changed.

The file format of bounce/defer logfiles has changed from the old
one-line ad-hoc format to a more structured multi-line format. For
backwards compatibility, Postfix now creates bounce/defer logfile
entries that contain both the old and the new format, so that you
can go back to an older Postfix release without losing information.
Old Postfix versions will warn about malformed logfile entries, but
should work properly. To disable backwards compatibility specify
"backwards_bounce_logfile_compatibility = no" in main.cf.

The behavior of "sendmail -v" has changed. One -v option now sends
an email report with the status of each delivery attempt. Multiple
-v options behave as before: turn on verbose logging in the sendmail
and postdrop commands.

The Postfix upgrade procedure will add two new services to your
master.cf file: "trace" and "verify". These servers can run inside
a chroot jail, have no interaction with users, and don't talk to
the network.

Major changes with Postfix snapshot 1.1.11-trace-20021119
=========================================================

New sender address verification blocks mail from addresses that
are not deliverable. This is turned on with the
reject_unverified_sender UCE restriction. Addresses are verified
by probing, that is, by sending mail that is not actually delivered
(SMTP interruptus). Detailed information is in the
SENDER_VERIFICATION_README file and sample-verify.cf.

Address verification uses the new "verify" daemon that maintains a
database. The necessary entry is automatically added to master.cf
when you upgrade.

New "sendmail -bv" option. Postfix probes the specified recipient
addresses without actually delivering mail, and sends back an email
delivery report. This is useful for testing address rewriting and
address routing of both envelope and header addresses. This feature
currently does not access or update the sender address verification
database.

Improved "sendmail -v" behavior. Postfix delivers mail as usual,
and emails a report of all the delivery attempts to the originator.

Bounce reports now show the original recipient information in
addition to the final recipient that was already available.

Both "sendmail -bv" and "sendmail -v" use the new "trace" daemon
that is automatically added to master.cf when you upgrade.